Merge branch 'bpf-verifier-fixes'

Edward Cree says:

====================
bpf: verifier fixes

Fix a couple of bugs introduced in my recent verifier patches.
Patch #2 does slightly increase the insn count on bpf_lxc.o, but only by
 about a hundred insns (i.e. 0.2%).

v2: added test for write-marks bug (patch #1); reworded comment on
 propagate_liveness() for clarity.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 46 insertions, 32 deletions

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e42c096ba20d..d690c7dd1f1a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -832,11 +832,6 @@ static int check_map_access(struct bpf_verifier_env *env, u32 regno,
          */
         if (log_level)
                 print_verifier_state(state);
-        /* If the offset is variable, we will need to be stricter in state
-         * pruning from now on.
-         */
-        if (!tnum_is_const(reg->var_off))
-                env->varlen_map_value_access = true;
         /* The minimum value is only important with signed
          * comparisons where we can't assume the floor of a
          * value is 0.  If we are using signed variables for our
@@ -3247,9 +3242,8 @@ static bool check_ids(u32 old_id, u32 cur_id, struct idpair *idmap)
 }
 
 /* Returns true if (rold safe implies rcur safe) */
-static bool regsafe(struct bpf_reg_state *rold,
-                    struct bpf_reg_state *rcur,
-                    bool varlen_map_access, struct idpair *idmap)
+static bool regsafe(struct bpf_reg_state *rold, struct bpf_reg_state *rcur,
+                    struct idpair *idmap)
 {
         if (!(rold->live & REG_LIVE_READ))
                 /* explored state didn't use this */
@@ -3281,22 +3275,14 @@ static bool regsafe(struct bpf_reg_state *rold,
                                tnum_is_unknown(rold->var_off);
                 }
         case PTR_TO_MAP_VALUE:
-                if (varlen_map_access) {
-                        /* If the new min/max/var_off satisfy the old ones and
-                         * everything else matches, we are OK.
-                         * We don't care about the 'id' value, because nothing
-                         * uses it for PTR_TO_MAP_VALUE (only for ..._OR_NULL)
-                         */
-                        return memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0 &&
-                               range_within(rold, rcur) &&
-                               tnum_in(rold->var_off, rcur->var_off);
-                } else {
-                        /* If the ranges/var_off were not the same, but
-                         * everything else was and we didn't do a variable
-                         * access into a map then we are a-ok.
-                         */
-                        return memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0;
-                }
+                /* If the new min/max/var_off satisfy the old ones and
+                 * everything else matches, we are OK.
+                 * We don't care about the 'id' value, because nothing
+                 * uses it for PTR_TO_MAP_VALUE (only for ..._OR_NULL)
+                 */
+                return memcmp(rold, rcur, offsetof(struct bpf_reg_state, id)) == 0 &&
+                       range_within(rold, rcur) &&
+                       tnum_in(rold->var_off, rcur->var_off);
         case PTR_TO_MAP_VALUE_OR_NULL:
                 /* a PTR_TO_MAP_VALUE could be safe to use as a
                  * PTR_TO_MAP_VALUE_OR_NULL into the same map.
@@ -3380,7 +3366,6 @@ static bool states_equal(struct bpf_verifier_env *env,
                          struct bpf_verifier_state *old,
                          struct bpf_verifier_state *cur)
 {
-        bool varlen_map_access = env->varlen_map_value_access;
         struct idpair *idmap;
         bool ret = false;
         int i;
@@ -3391,8 +3376,7 @@ static bool states_equal(struct bpf_verifier_env *env,
                 return false;
 
         for (i = 0; i < MAX_BPF_REG; i++) {
-                if (!regsafe(&old->regs[i], &cur->regs[i], varlen_map_access,
-                             idmap))
+                if (!regsafe(&old->regs[i], &cur->regs[i], idmap))
                         goto out_free;
         }
 
@@ -3412,7 +3396,7 @@ static bool states_equal(struct bpf_verifier_env *env,
                         continue;
                 if (!regsafe(&old->spilled_regs[i / BPF_REG_SIZE],
                              &cur->spilled_regs[i / BPF_REG_SIZE],
-                             varlen_map_access, idmap))
+                             idmap))
                         /* when explored and current stack slot are both storing
                          * spilled registers, check that stored pointers types
                          * are the same as well.
@@ -3433,9 +3417,16 @@ out_free:
         return ret;
 }
 
+/* A write screens off any subsequent reads; but write marks come from the
+ * straight-line code between a state and its parent.  When we arrive at a
+ * jump target (in the first iteration of the propagate_liveness() loop),
+ * we didn't arrive by the straight-line code, so read marks in state must
+ * propagate to parent regardless of state's write marks.
+ */
 static bool do_propagate_liveness(const struct bpf_verifier_state *state,
                                   struct bpf_verifier_state *parent)
 {
+        bool writes = parent == state->parent; /* Observe write marks */
         bool touched = false; /* any changes made? */
         int i;
 
@@ -3447,7 +3438,9 @@ static bool do_propagate_liveness(const struct bpf_verifier_state *state,
         for (i = 0; i < BPF_REG_FP; i++) {
                 if (parent->regs[i].live & REG_LIVE_READ)
                         continue;
-                if (state->regs[i].live == REG_LIVE_READ) {
+                if (writes && (state->regs[i].live & REG_LIVE_WRITTEN))
+                        continue;
+                if (state->regs[i].live & REG_LIVE_READ) {
                         parent->regs[i].live |= REG_LIVE_READ;
                         touched = true;
                 }
@@ -3460,7 +3453,9 @@ static bool do_propagate_liveness(const struct bpf_verifier_state *state,
                         continue;
                 if (parent->spilled_regs[i].live & REG_LIVE_READ)
                         continue;
-                if (state->spilled_regs[i].live == REG_LIVE_READ) {
+                if (writes && (state->spilled_regs[i].live & REG_LIVE_WRITTEN))
+                        continue;
+                if (state->spilled_regs[i].live & REG_LIVE_READ) {
                         parent->spilled_regs[i].live |= REG_LIVE_READ;
                         touched = true;
                 }
@@ -3468,6 +3463,15 @@ static bool do_propagate_liveness(const struct bpf_verifier_state *state,
         return touched;
 }
 
+/* "parent" is "a state from which we reach the current state", but initially
+ * it is not the state->parent (i.e. "the state whose straight-line code leads
+ * to the current state"), instead it is the state that happened to arrive at
+ * a (prunable) equivalent of the current state.  See comment above
+ * do_propagate_liveness() for consequences of this.
+ * This function is just a more efficient way of calling mark_reg_read() or
+ * mark_stack_slot_read() on each reg in "parent" that is read in "state",
+ * though it requires that parent != state->parent in the call arguments.
+ */
 static void propagate_liveness(const struct bpf_verifier_state *state,
                                struct bpf_verifier_state *parent)
 {
@@ -3496,6 +3500,12 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
                         /* reached equivalent register/stack state,
                          * prune the search.
                          * Registers read by the continuation are read by us.
+                         * If we have any write marks in env->cur_state, they
+                         * will prevent corresponding reads in the continuation
+                         * from reaching our parent (an explored_state).  Our
+                         * own state will get the read marks recorded, but
+                         * they'll be immediately forgotten as we're pruning
+                         * this state and will pop a new one.
                          */
                         propagate_liveness(&sl->state, &env->cur_state);
                         return 1;
@@ -3519,7 +3529,12 @@ static int is_state_visited(struct bpf_verifier_env *env, int insn_idx)
         env->explored_states[insn_idx] = new_sl;
         /* connect new state to parentage chain */
         env->cur_state.parent = &new_sl->state;
-        /* clear liveness marks in current state */
+        /* clear write marks in current state: the writes we did are not writes
+         * our child did, so they don't screen off its reads from us.
+         * (There are no read marks in current state, because reads always mark
+         * their parent and current state never has children yet.  Only
+         * explored_states can get read marks.)
+         */
         for (i = 0; i < BPF_REG_FP; i++)
                 env->cur_state.regs[i].live = REG_LIVE_NONE;
         for (i = 0; i < MAX_BPF_STACK / BPF_REG_SIZE; i++)
@@ -3550,7 +3565,6 @@ static int do_check(struct bpf_verifier_env *env)
         init_reg_state(regs);
         state->parent = NULL;
         insn_idx = 0;
-        env->varlen_map_value_access = false;
         for (;;) {
                 struct bpf_insn *insn;
                 u8 class;