[PATCH bpf-next 1/3] bpf: verifier: Store null elision decision in insn_aux_data
From: Daniel Xu
Date: Mon Jan 20 2025 - 23:35:54 EST
Save the null elision decision from verification so that it can be
reused later during bpf_map_lookup_elem inlining. There's a generated
jump that can be omitted if the null was elided.
Signed-off-by: Daniel Xu <dxu@xxxxxxxxx>
---
include/linux/bpf_verifier.h | 4 ++++
kernel/bpf/verifier.c | 4 +++-
2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
index 32c23f2a3086..1bcd6d66e546 100644
--- a/include/linux/bpf_verifier.h
+++ b/include/linux/bpf_verifier.h
@@ -515,6 +515,10 @@ struct bpf_map_ptr_state {
struct bpf_map *map_ptr;
bool poison;
bool unpriv;
+ /* true if instruction is a bpf_map_lookup_elem() with statically
+ * known in-bounds key.
+ */
+ bool inbounds;
};
/* Possible states for alu_state member. */
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 74525392714e..e83145c2260d 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -11265,8 +11265,10 @@ static int check_helper_call(struct bpf_verifier_env *env, struct bpf_insn *insn
if (func_id == BPF_FUNC_map_lookup_elem &&
can_elide_value_nullness(meta.map_ptr->map_type) &&
meta.const_map_key >= 0 &&
- meta.const_map_key < meta.map_ptr->max_entries)
+ meta.const_map_key < meta.map_ptr->max_entries) {
ret_flag &= ~PTR_MAYBE_NULL;
+ env->insn_aux_data[insn_idx].map_ptr_state.inbounds = true;
+ }
regs[BPF_REG_0].map_ptr = meta.map_ptr;
regs[BPF_REG_0].map_uid = meta.map_uid;
--
2.47.1