linux/tools
Eduard Zingerman 6361cd26e4 selftests/bpf: check states pruning for deeply nested iterator
A test case with ridiculously deep bpf_for() nesting and
a conditional update of a stack location.

Consider the innermost loop structure:

	1: bpf_for(o, 0, 10)
	2:	if (unlikely(bpf_get_prandom_u32()))
	3:		buf[0] = 42;
	4: <exit>

Assuming that verifier.c:clean_live_states() operates w/o change from
the previous patch (e.g. as on current master), verification would
proceed as follows:
- at (1) state {buf[0]=?,o=drained}:
  - checkpoint
  - push visit to (2) for later
- at (4) {buf[0]=?,o=drained}
- pop (2) {buf[0]=?,o=active}, push visit to (3) for later
- at (1) {buf[0]=?,o=active}
  - checkpoint
  - push visit to (2) for later
- at (4) {buf[0]=?,o=drained}
- pop (2) {buf[0]=?,o=active}, push visit to (3) for later
- at (1) {buf[0]=?,o=active}:
  - checkpoint reached, checkpoint's branch count becomes 0
  - checkpoint is processed by clean_live_states() and
    becomes {o=active}
- pop (3) {buf[0]=42,o=active}
- at (1), {buf[0]=42,o=active}
  - checkpoint
  - push visit to (2) for later
- at (4) {buf[0]=42,o=drained}
- pop (2) {buf[0]=42,o=active}, push visit to (3) for later
- at (1) {buf[0]=42,o=active}, checkpoint reached
- pop (3) {buf[0]=42,o=active}
- at (1) {buf[0]=42,o=active}:
  - checkpoint reached, checkpoint's branch count becomes 0
  - checkpoint is processed by clean_live_states() and
    becomes {o=active}
- ...

Note how clean_live_states() converted the checkpoint
{buf[0]=42,o=active} to {o=active} and it can no longer be matched
against {buf[0]=<any>,o=active}, because iterator-based states
are compared using stacksafe(... RANGE_WITHIN), which requires
stack slots to have the same types. At the same time there are
still states {buf[0]=42,o=active} pushed to the DFS stack.

This behaviour becomes exacerbated with multiple nesting levels;
here are veristat results:
- nesting level 1: 69 insns
- nesting level 2: 258 insns
- nesting level 3: 900 insns
- nesting level 4: 4754 insns
- nesting level 5: 35944 insns
- nesting level 6: 312558 insns
- nesting level 7: 1M limit

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20250215110411.3236773-5-eddyz87@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2025-02-18 19:22:59 -08:00
accounting delayacct: add delay min to record delay peak 2025-01-12 20:21:16 -08:00
arch arm64/sysreg/tools: Move TRFCR definitions to sysreg 2025-01-12 12:50:11 +00:00
bootconfig tools/bootconfig: Fix the wrong format specifier 2025-01-28 23:27:01 +09:00
bpf bpftool: Check map name length when map create 2025-02-13 20:11:38 -08:00
build perf tools: Expose quiet/verbose variables in Makefile.perf 2025-01-16 10:59:20 -08:00
certs
cgroup
counter
crypto
debugging
firewire
firmware
gpio
hv
iio
include bpf: Sync uapi bpf.h header for the tooling infra 2025-02-12 21:56:30 -08:00
kvm/kvm_stat
laptop
leds
lib libbpf: fix LDX/STX/ST CO-RE relocation size adjustment logic 2025-02-14 19:58:05 -08:00
memory-model
mm
net tools: ynl: c: correct reverse decode of empty attrs 2025-01-27 14:30:23 -08:00
objtool Objtool changes for v6.14: 2025-01-21 10:13:11 -08:00
pcmcia
perf perf-tools fixes for 6.14 2025-01-30 17:38:20 -08:00
power Turbostat 2025.02.02 updates since 2024.11.30 2025-02-02 10:49:13 -08:00
rcu
sched_ext sched_ext: Use time helpers in BPF schedulers 2025-01-10 08:04:40 -10:00
scripts perf tools: Create generic syscall table support 2025-01-09 12:49:49 -03:00
sound
spi
testing selftests/bpf: check states pruning for deeply nested iterator 2025-02-18 19:22:59 -08:00
thermal
time
tracing rv: tools/rtla: Updates for 6.14 2025-01-26 14:25:58 -08:00
usb
verification verification/dot2k: Implement event type detection 2024-12-27 14:41:01 -05:00
virtio
wmi
workqueue
writeback
Makefile