bpf, verifier: fix register type dump in xadd and st

Using reg_type_str[insn->dst_reg] is incorrect since insn->dst_reg
contains the register number but not the actual register type. Add
a small reg_state() helper and use it to get to the type. Also fix
up the test_verifier test cases that have an incorrect errstr.

Fixes: 9d2be44a7f33 ("bpf: Reuse canonical string formatter for ctx errs")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 7d6d9cf..64e0981 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -1528,14 +1528,19 @@ static bool __is_pointer_value(bool allow_ptr_leaks,
        return reg->type != SCALAR_VALUE;
 }
 
+static struct bpf_reg_state *reg_state(struct bpf_verifier_env *env, int regno)
+{
+       return cur_regs(env) + regno;
+}
+
 static bool is_pointer_value(struct bpf_verifier_env *env, int regno)
 {
-       return __is_pointer_value(env->allow_ptr_leaks, cur_regs(env) + regno);
+       return __is_pointer_value(env->allow_ptr_leaks, reg_state(env, regno));
 }
 
 static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
 {
-       const struct bpf_reg_state *reg = cur_regs(env) + regno;
+       const struct bpf_reg_state *reg = reg_state(env, regno);
 
        return reg->type == PTR_TO_CTX ||
               reg->type == PTR_TO_SOCKET;
@@ -1543,7 +1548,7 @@ static bool is_ctx_reg(struct bpf_verifier_env *env, int regno)
 
 static bool is_pkt_reg(struct bpf_verifier_env *env, int regno)
 {
-       const struct bpf_reg_state *reg = cur_regs(env) + regno;
+       const struct bpf_reg_state *reg = reg_state(env, regno);
 
        return type_is_pkt_pointer(reg->type);
 }
@@ -1958,7 +1963,8 @@ static int check_xadd(struct bpf_verifier_env *env, int insn_idx, struct bpf_ins
        if (is_ctx_reg(env, insn->dst_reg) ||
            is_pkt_reg(env, insn->dst_reg)) {
                verbose(env, "BPF_XADD stores into R%d %s is not allowed\n",
-                       insn->dst_reg, reg_type_str[insn->dst_reg]);
+                       insn->dst_reg,
+                       reg_type_str[reg_state(env, insn->dst_reg)->type]);
                return -EACCES;
        }
 
@@ -1983,7 +1989,7 @@ static int check_stack_boundary(struct bpf_verifier_env *env, int regno,
                                int access_size, bool zero_size_allowed,
                                struct bpf_call_arg_meta *meta)
 {
-       struct bpf_reg_state *reg = cur_regs(env) + regno;
+       struct bpf_reg_state *reg = reg_state(env, regno);
        struct bpf_func_state *state = func(env, reg);
        int off, i, slot, spi;
 
@@ -5264,7 +5270,8 @@ static int do_check(struct bpf_verifier_env *env)
 
                        if (is_ctx_reg(env, insn->dst_reg)) {
                                verbose(env, "BPF_ST stores into R%d %s is not allowed\n",
-                                       insn->dst_reg, reg_type_str[insn->dst_reg]);
+                                       insn->dst_reg,
+                                       reg_type_str[reg_state(env, insn->dst_reg)->type]);
                                return -EACCES;
                        }
 

diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c
index f1ae8d0..769d68a 100644 (file)
--- a/tools/testing/selftests/bpf/test_verifier.c
+++ b/tools/testing/selftests/bpf/test_verifier.c
@@ -3430,7 +3430,7 @@ static struct bpf_test tests[] = {
                        BPF_ST_MEM(BPF_DW, BPF_REG_1, offsetof(struct __sk_buff, mark), 0),
                        BPF_EXIT_INSN(),
                },
-               .errstr = "BPF_ST stores into R1 inv is not allowed",
+               .errstr = "BPF_ST stores into R1 ctx is not allowed",
                .result = REJECT,
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
@@ -3442,7 +3442,7 @@ static struct bpf_test tests[] = {
                                     BPF_REG_0, offsetof(struct __sk_buff, mark), 0),
                        BPF_EXIT_INSN(),
                },
-               .errstr = "BPF_XADD stores into R1 inv is not allowed",
+               .errstr = "BPF_XADD stores into R1 ctx is not allowed",
                .result = REJECT,
                .prog_type = BPF_PROG_TYPE_SCHED_CLS,
        },
@@ -5670,7 +5670,7 @@ static struct bpf_test tests[] = {
                .errstr_unpriv = "R2 leaks addr into mem",
                .result_unpriv = REJECT,
                .result = REJECT,
-               .errstr = "BPF_XADD stores into R1 inv is not allowed",
+               .errstr = "BPF_XADD stores into R1 ctx is not allowed",
        },
        {
                "leak pointer into ctx 2",
@@ -5685,7 +5685,7 @@ static struct bpf_test tests[] = {
                .errstr_unpriv = "R10 leaks addr into mem",
                .result_unpriv = REJECT,
                .result = REJECT,
-               .errstr = "BPF_XADD stores into R1 inv is not allowed",
+               .errstr = "BPF_XADD stores into R1 ctx is not allowed",
        },
        {
                "leak pointer into ctx 3",
@@ -12634,7 +12634,7 @@ static struct bpf_test tests[] = {
                        BPF_EXIT_INSN(),
                },
                .result = REJECT,
-               .errstr = "BPF_XADD stores into R2 ctx",
+               .errstr = "BPF_XADD stores into R2 pkt is not allowed",
                .prog_type = BPF_PROG_TYPE_XDP,
        },
        {