linux/tools
Daniel Borkmann a08dd0da53 bpf: fix regression on verifier pruning wrt map lookups
Commit 57a09bf0a4 ("bpf: Detect identical PTR_TO_MAP_VALUE_OR_NULL
registers") introduced a regression where existing programs stopped
loading due to reaching the verifier's maximum complexity limit,
whereas prior to this commit they were loading just fine; the affected
program has roughly 2k instructions.

What was found is that state pruning couldn't be performed effectively
anymore due to mismatches of the verifier's register state, in particular
in the id tracking. It doesn't mean that 57a09bf0a4 is incorrect per
se, but rather that verifier needs to perform a lot more work for the
same program with regards to involved map lookups.

Since commit 57a09bf0a4 is only about tracking registers with type
PTR_TO_MAP_VALUE_OR_NULL, the id is only needed to follow registers
until they are promoted through pattern matching with a NULL check to
either PTR_TO_MAP_VALUE or UNKNOWN_VALUE type. After that point, the
id becomes irrelevant for the transitioned types.

For UNKNOWN_VALUE, id is already reset to 0 via mark_reg_unknown_value(),
but not so for PTR_TO_MAP_VALUE where id is becoming stale. It's even
transferred further into other types that don't make use of it. Among
others, one example is where UNKNOWN_VALUE is set on function call
return with RET_INTEGER return type.

states_equal() will then fall through the memcmp() on register state;
note that the second memcmp() uses offsetofend(), so the id is part of
that since d2a4dd37f6 ("bpf: fix state equivalence"). But the bisect
pointed already to 57a09bf0a4, where we really reach beyond complexity
limit. What I found was that states_equal() often failed in this
case due to id mismatches in spilled regs with registers in type
PTR_TO_MAP_VALUE. Unlike non-spilled regs, spilled regs just perform
a memcmp() on their reg state and don't have any other optimizations
in place, therefore also id was relevant in this case for making a
pruning decision.

We can safely reset id to 0 as well when converting to PTR_TO_MAP_VALUE.
For the affected program, it resulted in a ~17 fold reduction of
complexity and let the program load fine again. Selftest suite also
runs fine. The only other place where env->id_gen is used currently is
through direct packet access, but for these cases id is long living, thus
a different scenario.

Also, the current logic in mark_map_regs() is not fully correct when
marking NULL branch with UNKNOWN_VALUE. We need to cache the destination
reg's id in any case. Otherwise, once we marked that reg as UNKNOWN_VALUE,
it's id is reset and any subsequent registers that hold the original id
and are of type PTR_TO_MAP_VALUE_OR_NULL won't be marked UNKNOWN_VALUE
anymore, since mark_map_reg() reuses the uncached regs[regno].id that
was just overridden. Note, we don't need to cache it outside of
mark_map_regs(), since it's called once on this_branch and the other
time on other_branch, which are both two independent verifier states.
A test case for this is added here, too.

Fixes: 57a09bf0a4 ("bpf: Detect identical PTR_TO_MAP_VALUE_OR_NULL registers")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Thomas Graf <tgraf@suug.ch>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-12-17 10:51:31 -05:00
..
accounting tools: move accounting tool from Documentation 2016-09-23 13:07:15 -06:00
arch x86/cpufeature: Add AVX512_4VNNIW and AVX512_4FMAPS features 2016-10-19 17:37:13 +02:00
build tools build: Add feature detection for g++ 2016-10-05 19:59:35 -03:00
cgroup
firewire
gpio tools/gpio: fix gpio-event-mon header comment 2016-08-08 09:50:22 +02:00
hv tools: hv: Enable network manager for bonding scripts on RHEL 2016-12-06 10:13:55 -05:00
iio Second set of iio new device support, features and cleanups for the 4.9 cycle. 2016-09-14 20:42:03 +02:00
include bpf: add initial suite for selftests 2016-10-18 11:35:55 -04:00
kvm/kvm_stat
laptop tools: move laptops dslm tool from Documentation 2016-09-23 13:07:21 -06:00
lguest tools/lguest: Don't bork the terminal in case of wrong args 2016-09-08 08:05:24 +02:00
lib tools lib traceevent: Fix kbuffer_read_at_offset() 2016-10-05 11:36:22 -03:00
net
nfsd
objtool objtool: Fix bytes check of lea's rex_prefix 2016-12-06 09:20:59 +01:00
pcmcia tools: move pcmcia crc32hash tool from Documentation 2016-09-23 13:07:27 -06:00
perf perf hists: Fix column length on --hierarchy 2016-11-09 11:55:29 -03:00
power tools/power/acpi: Remove direct kernel source include reference 2016-11-16 22:31:26 +01:00
scripts tools build: Fix objtool build with ARCH=x86_64 2016-07-22 16:37:44 -03:00
spi Merge remote-tracking branches 'spi/topic/ti-qspi', 'spi/topic/tools', 'spi/topic/txx9' and 'spi/topic/xlp' into spi-next 2016-09-30 09:14:22 -07:00
testing bpf: fix regression on verifier pruning wrt map lookups 2016-12-17 10:51:31 -05:00
thermal/tmon
time
usb
virtio ringtest: poll for new buffers once before updating event index 2016-10-31 00:21:43 +02:00
vm tools/vm/page_owner: increase temporary buffer size 2016-07-26 16:19:19 -07:00
Makefile