From patchwork Thu Mar 30 14:52:02 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Vernet X-Patchwork-Id: 77243 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1233025vqo; Thu, 30 Mar 2023 09:02:27 -0700 (PDT) X-Google-Smtp-Source: AKy350bBjRfTx0+kbgLngWdrEpOsAFBC0mUk4rpabr1a4I7mK96SkaeQzIPJkUACF+SL7RDi5qnw X-Received: by 2002:a17:907:3f82:b0:92e:c4c9:7a43 with SMTP id hr2-20020a1709073f8200b0092ec4c97a43mr29233685ejc.25.1680192147319; Thu, 30 Mar 2023 09:02:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680192147; cv=none; d=google.com; s=arc-20160816; b=MbIqW+n4WB8J1Gt/C7W41KoeFwdrL5bSFkk5mMnaTrxXRQ9YuOsDqqVkO1e4BQ2DUO R0ws9tNofZP3ygEUbTVYycNKcOhhSNdp7GYEtZLaFt7EbcU5noEWQBMIOvDPPzmvupo0 +b7RgE8+HDXYi/oZ2TQcAqkoEMtDniVIUgoe7aAnK+ml/UsFPQO6OOSt2C8qGEvJl0x3 C6gmqBdm518B6G//QGpFZM3MAnrpIunHKbBMA9cyboObgCjanoDHfBvmKAKAYBqMKw2l EUGwdo/DhxChCE4DWrr66ait1F83eGDq2YpbExwUgNvDqBPXSWo5pIb6pAuqEzJzR3yf 5hag== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=/ZYKdU7edcggf788yfZLdWl4nPAu93UTKZlfVfQz6qs=; b=qzmoUgoCrZIzco1mB6MzXflFikF6sRHctZB/AfSgFaN8Z/de0mcVv5xAmEmarjXVXK alXZAk/ZkpH8dDxuv+0GHqv6aHB7mfyu5ay3uZ4l9OBEi8DdEIc7px243Ju6f1m9eRcH Xc142rBeTT8LSb1ltnwM0A/op6oy+mudyiaY+KA/lXj/t+4g5na0ugFlYE+VjRmJgppP KU72pjXBfZjwg0wjwVQadzSNdpVNJPG9zW/03M2x4AYo6VcA8DaBFXraZvJ091ge+eXh Wp4R5uebR6I6YU9DV58VMQlj+UQ3PWuWHJ/RYondCBcpgyk9UbfEGawc9D7pPlztCj3w QrdQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id sd6-20020a1709076e0600b009476a8cb01esi1286094ejc.654.2023.03.30.09.01.34; Thu, 30 Mar 2023 09:02:27 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231845AbjC3OwL (ORCPT + 99 others); Thu, 30 Mar 2023 10:52:11 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58878 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231377AbjC3OwK (ORCPT ); Thu, 30 Mar 2023 10:52:10 -0400 Received: from mail-qt1-f182.google.com (mail-qt1-f182.google.com [209.85.160.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 85BF58A7B; Thu, 30 Mar 2023 07:52:08 -0700 (PDT) Received: by mail-qt1-f182.google.com with SMTP id n14so18660012qta.10; Thu, 30 Mar 2023 07:52:08 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680187927; x=1682779927; h=content-transfer-encoding:mime-version:message-id:date:subject:cc :to:from:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=/ZYKdU7edcggf788yfZLdWl4nPAu93UTKZlfVfQz6qs=; b=6XV0z3nB2pOP2OTNQRoT/aYjiiC/Hqvhma5qewRtLM3nwcS0CNXIcdeX2ub3XK/KV2 O85MU/8yRpNtr4DmHZgcfnwqlAwfG8hiVM3xVRfPupDYfjynSV5wadO70mA2hVF2pErY xS30DGBnEFffXhAr4Mll5MP1Y93RskOQHkeDBt5orKsBdle1AFyNU6TKGLef16b/jcld T3hbdITmHbh8/wTtiY1lj6QlSlOcCQprnavlgsuioTH+0aia+l9I3CXlalNyUiVhcKJG g2bK1eSpg+RGsM4V0cGxlxuOkZQ2G50qOZXmBX/8pQl9PmeuKbhQPu1nY87JsLt0iYL1 lm7A== X-Gm-Message-State: AO0yUKUT5mIdlT6L/acgai7rqDj6oZ9pSxuiKQuW3ZcM/ROQHaVMszyK 57HJRP/UV/SOhzAZgpWjlnG8CJu1yHAfLGis X-Received: by 2002:a05:622a:4c:b0:3e3:7d6d:f5 with SMTP id y12-20020a05622a004c00b003e37d6d00f5mr36619507qtw.29.1680187927141; Thu, 30 Mar 2023 07:52:07 -0700 (PDT) Received: from localhost ([2620:10d:c091:400::5:d9ee]) by smtp.gmail.com with ESMTPSA id h22-20020ac85056000000b003d5aae2182dsm9301250qtm.29.2023.03.30.07.52.06 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Mar 2023 07:52:06 -0700 (PDT) From: David Vernet To: bpf@vger.kernel.org Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, linux-kernel@vger.kernel.org, kernel-team@meta.com, memxor@gmail.com Subject: [PATCH bpf-next 1/2] bpf: Handle PTR_MAYBE_NULL case in PTR_TO_BTF_ID helper call arg Date: Thu, 30 Mar 2023 09:52:02 -0500 Message-Id: <20230330145203.80506-1-void@manifault.com> X-Mailer: git-send-email 2.39.0 MIME-Version: 1.0 X-Spam-Status: No, score=0.5 required=5.0 tests=FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1761809160986388236?= X-GMAIL-MSGID: =?utf-8?q?1761809160986388236?= When validating a helper function argument, we use check_reg_type() to ensure that the register containing the argument is of the correct type. When the register's base type is PTR_TO_BTF_ID, there is some supplemental logic where we do extra checks for various combinations of PTR_TO_BTF_ID type modifiers. For example, for PTR_TO_BTF_ID, PTR_TO_BTF_ID | PTR_TRUSTED, and PTR_TO_BTF_ID | MEM_RCU, we call map_kptr_match_type() for bpf_kptr_xchg() calls, and btf_struct_ids_match() for other helper calls. When an unhandled PTR_TO_BTF_ID type modifier combination is passed to check_reg_type(), the verifier fails with an internal verifier error message. This can currently be triggered by passing a PTR_MAYBE_NULL pointer to helper functions (currently just bpf_kptr_xchg()) with an ARG_PTR_TO_BTF_ID_OR_NULL arg type. For example, by callin bpf_kptr_xchg(&v->kptr, bpf_cpumask_create()). Whether or not passing a PTR_MAYBE_NULL arg to an ARG_PTR_TO_BTF_ID_OR_NULL argument is valid is an interesting question. In a vacuum, it seems fine. A helper function with an ARG_PTR_TO_BTF_ID_OR_NULL arg would seem to be implying that it can handle either a NULL or non-NULL arg, and has logic in place to detect and gracefully handle each. This is the case for bpf_kptr_xchg(), which of course simply does an xchg(). On the other hand, bpf_kptr_xchg() also specifies OBJ_RELEASE, and refcounting semantics for a PTR_MAYBE_NULL pointer is different than handling it for a NULL _OR_ non-NULL pointer. For example, with a non-NULL arg, we should always fail if there was not a nonzero refcount for the value in the register being passed to the helper. For PTR_MAYBE_NULL on the other hand, it's unclear. If the pointer is NULL it would be fine, but if it's not NULL, it would be incorrect to load the program. The current solution to this is to just fail if PTR_MAYBE_NULL is passed, and to instead require programs to have a NULL check to explicitly handle the NULL and non-NULL cases. This seems reasonable. Not only would it possibly be quite complicated to correctly handle PTR_MAYBE_NULL refcounting in the verifier, but it's also an arguably odd programming pattern in general to not explicitly handle the NULL case anyways. For example, it seems odd to not care about whether a pointer you're passing to bpf_kptr_xchg() was successfully allocated in a program such as the following: private(MASK) static struct bpf_cpumask __kptr * global_mask; SEC("tp_btf/task_newtask") int BPF_PROG(example, struct task_struct *task, u64 clone_flags) { struct bpf_cpumask *prev; /* bpf_cpumask_create() returns PTR_MAYBE_NULL */ prev = bpf_kptr_xchg(&global_mask, bpf_cpumask_create()); if (prev) bpf_cpumask_release(prev); return 0; } This patch therefore updates the verifier to explicitly check for PTR_MAYBE_NULL in check_reg_type(), and fail gracefully if it's observed. This isn't really "fixing" anything unsafe or incorrect. We're just updating the verifier to fail gracefully, and explicitly handle this pattern rather than unintentionally falling back to an internal verifier error path. A subsequent patch will update selftests. Signed-off-by: David Vernet --- kernel/bpf/verifier.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 20eb2015842f..52738f9dcb15 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -7204,6 +7204,10 @@ static int check_reg_type(struct bpf_verifier_env *env, u32 regno, } break; } + case PTR_TO_BTF_ID | PTR_MAYBE_NULL: + case PTR_TO_BTF_ID | PTR_MAYBE_NULL | MEM_RCU: + verbose(env, "Possibly NULL pointer passed to helper arg%d\n", regno); + return -EACCES; case PTR_TO_BTF_ID | MEM_ALLOC: if (meta->func_id != BPF_FUNC_spin_lock && meta->func_id != BPF_FUNC_spin_unlock && meta->func_id != BPF_FUNC_kptr_xchg) { From patchwork Thu Mar 30 14:52:03 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: David Vernet X-Patchwork-Id: 77222 Return-Path: Delivered-To: ouuuleilei@gmail.com Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1184672vqo; Thu, 30 Mar 2023 07:53:35 -0700 (PDT) X-Google-Smtp-Source: AKy350aAXcDdj7Ns96Dz+7GjDoPXYk0P3t0ezyNCeKAlmz8G8qJWOMuzBrRgPTNmfxzK5Slay3hO X-Received: by 2002:a05:6402:8cf:b0:501:d43e:d1e3 with SMTP id d15-20020a05640208cf00b00501d43ed1e3mr24684347edz.8.1680188015132; Thu, 30 Mar 2023 07:53:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1680188015; cv=none; d=google.com; s=arc-20160816; b=y34ErVzH7O6K9ta5sEGkBsG+9NJRvVjfxOFrEdflJLZ6w9mzg5v5tvRG+oop70vvcN M5lVrCWVosSQ3TPiTZI8fYYP1fRdepJVQbOhzmMqq6ujbw3VRUAXYiTD6Teuq0A1HlzO WURmUIaj4ONQB8f+XDdSPDbJNqcFGftU/kMslqH6goA3aRE4Otw41bunccxytdGzKTHf s7cYdsLOkiz00NkmbCQGH1HwfF8EbHquSjdTgtrctjZsw6o9vW98T8mXJw5fv3D2VbzF zEUOhZa99FNQP7CeChHnv1sxpgHaKy11HXmQqGqVsD/p/iw+d34aPm9H6vCE10pOjTmQ tkqg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from; bh=9hN4YpD3U3sRZPulOttvL6oVrqEryb/pVBJ8w7pJKAg=; b=tzKzL9CCf9oL/6XHhZ/hxCiRWmkGvAYu9yqLeK4sUH+lrn3scdvgzHdBATZ9oc5Vcy aLPNYOWDDIEY1MSvT1Z1WN7a8u296Uzv+Vgi+TIO/7uq21jZ1Y/3YIQffyCBTqWJXCVX pjwOl7Urrs17efZ6h8iDeV94AcsquzV7lPJIYUvXmBljg3G54Unv9JUv7UQaAKtg0u7X VDHc4fmstzJR+ylfoAmnSLb+Wb8IvYwfOCzcjMMWlUT8gY909Av6g+A+GlxrcG9zqcYz unm759koACkMSuOlzLzt8SmsQIhMcH/L+JueMqf/O7x4shHzyFg1ueKXI+e5/803BDc6 YpXg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id u10-20020a05640207ca00b004bb9ff4b733si797962edy.353.2023.03.30.07.53.10; Thu, 30 Mar 2023 07:53:35 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232464AbjC3OwP (ORCPT + 99 others); Thu, 30 Mar 2023 10:52:15 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58880 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231639AbjC3OwK (ORCPT ); Thu, 30 Mar 2023 10:52:10 -0400 Received: from mail-qv1-f41.google.com (mail-qv1-f41.google.com [209.85.219.41]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CD6C91FE8; Thu, 30 Mar 2023 07:52:09 -0700 (PDT) Received: by mail-qv1-f41.google.com with SMTP id o44so14203242qvo.4; Thu, 30 Mar 2023 07:52:09 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; t=1680187928; x=1682779928; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=9hN4YpD3U3sRZPulOttvL6oVrqEryb/pVBJ8w7pJKAg=; b=EXnDaT/dFZV4LQ+PtQX1xCezzJhjEcJwUwekjb4T1czTVuhXPdqe4vSK4KW2huj94p Wt7AHOKXHOFQfaVD3SVSHf1fuOFa04BrcSK6lOpeWmexQWPd3kQLFc2l1HDqsVOrWnNb /ct72PYixjUeQusyU2iuucWj4aOXv7pkLxYTj13mJNzdn+lXASD6f+B23hvI3ZNz5YbM oWP7eAp4QUufHQrc3pdf4Edbr7LsA5KtSQxs/MQ5EYlTga8DSKHUeEHHONrTHeUYJAH3 uQ2H8MYz3GdKgc35oNpCo5jb60I3Pbd1H4BNSVAghM3PbPLDfrAlePaUp4tKU5DLHa5a hBUg== X-Gm-Message-State: AAQBX9flgsZuhueeepe8w7Wf7QXmTEIJ8+WVtSHTL9xB9N/kBy5+anW1 6FGa/V0/oryxztcX8uOd3jipAfyTL6aNx9CK X-Received: by 2002:a05:6214:f22:b0:5df:5167:c420 with SMTP id iw2-20020a0562140f2200b005df5167c420mr11051724qvb.38.1680187928464; Thu, 30 Mar 2023 07:52:08 -0700 (PDT) Received: from localhost ([2620:10d:c091:400::5:d9ee]) by smtp.gmail.com with ESMTPSA id dm4-20020ad44e24000000b005dd8b934569sm5530533qvb.1.2023.03.30.07.52.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 30 Mar 2023 07:52:08 -0700 (PDT) From: David Vernet To: bpf@vger.kernel.org Cc: ast@kernel.org, daniel@iogearbox.net, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yhs@fb.com, john.fastabend@gmail.com, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, linux-kernel@vger.kernel.org, kernel-team@meta.com, memxor@gmail.com Subject: [PATCH bpf-next 2/2] selftests/bpf: Add testcases for ptr_*_or_null_ in bpf_kptr_xchg Date: Thu, 30 Mar 2023 09:52:03 -0500 Message-Id: <20230330145203.80506-2-void@manifault.com> X-Mailer: git-send-email 2.39.0 In-Reply-To: <20230330145203.80506-1-void@manifault.com> References: <20230330145203.80506-1-void@manifault.com> MIME-Version: 1.0 X-Spam-Status: No, score=0.5 required=5.0 tests=FREEMAIL_FORGED_FROMDOMAIN, FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?= X-GMAIL-THRID: =?utf-8?q?1761804828171786930?= X-GMAIL-MSGID: =?utf-8?q?1761804828171786930?= The second argument of the bpf_kptr_xchg() helper function is ARG_PTR_TO_BTF_ID_OR_NULL. A recent patch fixed a bug whereby the verifier would fail with an internal error message if a program invoked the helper with a PTR_TO_BTF_ID | PTR_MAYBE_NULL register. This testcase adds some testcases to ensure that it fails gracefully moving forward. Before the fix, these testcases would have failed an error resembling the following: ; p = bpf_kfunc_call_test_acquire(&(unsigned long){0}); 99: (7b) *(u64 *)(r10 -16) = r7 ; frame1: ... 100: (bf) r1 = r10 ; frame1: ... 101: (07) r1 += -16 ; frame1: ... ; p = bpf_kfunc_call_test_acquire(&(unsigned long){0}); 102: (85) call bpf_kfunc_call_test_acquire#13908 ; frame1: R0_w=ptr_or_null_prog_test_ref_kfunc... ; p = bpf_kptr_xchg(&v->ref_ptr, p); 103: (bf) r1 = r6 ; frame1: ... 104: (bf) r2 = r0 ; frame1: R0_w=ptr_or_null_prog_test_ref_kfunc... 105: (85) call bpf_kptr_xchg#194 verifier internal error: invalid PTR_TO_BTF_ID register for type match Signed-off-by: David Vernet --- .../selftests/bpf/progs/cpumask_failure.c | 25 +++++++++++++++++++ .../selftests/bpf/progs/map_kptr_fail.c | 23 +++++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/cpumask_failure.c b/tools/testing/selftests/bpf/progs/cpumask_failure.c index db4f94e72b61..a9bf6ea336cf 100644 --- a/tools/testing/selftests/bpf/progs/cpumask_failure.c +++ b/tools/testing/selftests/bpf/progs/cpumask_failure.c @@ -165,3 +165,28 @@ int BPF_PROG(test_global_mask_no_null_check, struct task_struct *task, u64 clone return 0; } + +SEC("tp_btf/task_newtask") +__failure __msg("Possibly NULL pointer passed to helper arg2") +int BPF_PROG(test_global_mask_rcu_no_null_check, struct task_struct *task, u64 clone_flags) +{ + struct bpf_cpumask *prev, *curr; + + curr = bpf_cpumask_create(); + if (!curr) + return 0; + + prev = bpf_kptr_xchg(&global_mask, curr); + if (prev) + bpf_cpumask_release(prev); + + bpf_rcu_read_lock(); + curr = global_mask; + /* PTR_TO_BTF_ID | PTR_MAYBE_NULL | MEM_RCU passed to bpf_kptr_xchg() */ + prev = bpf_kptr_xchg(&global_mask, curr); + bpf_rcu_read_unlock(); + if (prev) + bpf_cpumask_release(prev); + + return 0; +} diff --git a/tools/testing/selftests/bpf/progs/map_kptr_fail.c b/tools/testing/selftests/bpf/progs/map_kptr_fail.c index 08f9ec18c345..15bf3127dba3 100644 --- a/tools/testing/selftests/bpf/progs/map_kptr_fail.c +++ b/tools/testing/selftests/bpf/progs/map_kptr_fail.c @@ -20,6 +20,7 @@ struct array_map { } array_map SEC(".maps"); extern struct prog_test_ref_kfunc *bpf_kfunc_call_test_acquire(unsigned long *sp) __ksym; +extern void bpf_kfunc_call_test_release(struct prog_test_ref_kfunc *p) __ksym; extern struct prog_test_ref_kfunc * bpf_kfunc_call_test_kptr_get(struct prog_test_ref_kfunc **p, int a, int b) __ksym; @@ -442,4 +443,26 @@ int kptr_get_ref_state(struct __sk_buff *ctx) return 0; } +SEC("?tc") +__failure __msg("Possibly NULL pointer passed to helper arg2") +int kptr_xchg_possibly_null(struct __sk_buff *ctx) +{ + struct prog_test_ref_kfunc *p; + struct map_value *v; + int key = 0; + + v = bpf_map_lookup_elem(&array_map, &key); + if (!v) + return 0; + + p = bpf_kfunc_call_test_acquire(&(unsigned long){0}); + + /* PTR_TO_BTF_ID | PTR_MAYBE_NULL passed to bpf_kptr_xchg() */ + p = bpf_kptr_xchg(&v->ref_ptr, p); + if (p) + bpf_kfunc_call_test_release(p); + + return 0; +} + char _license[] SEC("license") = "GPL";