Commit ac61bffe authored by Emil Tsalapatis's avatar Emil Tsalapatis Committed by Alexei Starovoitov
Browse files

bpf: Allow instructions with arena source and non-arena dest registers 



The compiler sometimes stores the result of a PTR_TO_ARENA and SCALAR
operation into the scalar register rather than the pointer register.
Relax the verifier to allow operations between a source arena register
and a destination non-arena register, marking the destination's value
as a PTR_TO_ARENA.

Signed-off-by: default avatarEmil Tsalapatis <emil@etsalapatis.com>
Acked-by: default avatarSong Liu <song@kernel.org>
Fixes: 6082b6c3 ("bpf: Recognize addr_space_cast instruction in the verifier.")
Link: https://lore.kernel.org/r/20260412174546.18684-2-emil@etsalapatis.com


Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
parent 9623c3c6

kernel/bpf/verifier.c

+11 −3
Original line number Diff line number Diff line
@@ -15051,11 +15051,20 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, 
	int err;









	dst_reg = &regs[insn->dst_reg];









	if (BPF_SRC(insn->code) == BPF_X)









		src_reg = &regs[insn->src_reg];









	else









		src_reg = NULL;

















	if (dst_reg->type == PTR_TO_ARENA) {









	/* Case where at least one operand is an arena. */









	if (dst_reg->type == PTR_TO_ARENA || (src_reg && src_reg->type == PTR_TO_ARENA)) {









		struct bpf_insn_aux_data *aux = cur_aux(env);

















		if (dst_reg->type != PTR_TO_ARENA)









			*dst_reg = *src_reg;

















		dst_reg->subreg_def = env->insn_idx + 1;

















		if (BPF_CLASS(insn->code) == BPF_ALU64)









			/*









			 * 32-bit operations zero upper bits automatically.








@@ -15071,7 +15080,6 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env,







		ptr_reg = dst_reg;

















	if (BPF_SRC(insn->code) == BPF_X) {









		src_reg = &regs[insn->src_reg];









		if (src_reg->type != SCALAR_VALUE) {









			if (dst_reg->type != SCALAR_VALUE) {









				/* Combining two pointers by any ALU op yields