• Alexei Starovoitov's avatar
    bpf: fix precision tracking in presence of bpf2bpf calls · 6754172c
    Alexei Starovoitov authored
    While adding extra tests for precision tracking and extra infra
    to adjust verifier heuristics the existing test
    "calls: cross frame pruning - liveness propagation" started to fail.
    The root cause is the same as described in verifer.c comment:
    
     * Also if parent's curframe > frame where backtracking started,
     * the verifier need to mark registers in both frames, otherwise callees
     * may incorrectly prune callers. This is similar to
     * commit 7640ead9 ("bpf: verifier: make sure callees don't prune with caller differences")
     * For now backtracking falls back into conservative marking.
    
    Turned out though that returning -ENOTSUPP from backtrack_insn() and
    doing mark_all_scalars_precise() in the current parentage chain is not enough.
    Depending on how is_state_visited() heuristic is creating parentage chain
    it's possible that callee will incorrectly prune caller.
    Fix the issue by setting precise=true earlier and more aggressively.
    Before this fix the precision tracking _within_ functions that don't do
    bpf2bpf calls would still work. Whereas now precision tracking is completely
    disabled when bpf2bpf calls are present anywhere in the program.
    
    No difference in cilium tests (they don't have bpf2bpf calls).
    No difference in test_progs though some of them have bpf2bpf calls,
    but precision tracking wasn't effective there.
    
    Fixes: b5dc0163 ("bpf: precise scalar_value tracking")
    Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
    Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
    6754172c
verifier.c 268 KB