From: Andrii Nakryiko Date: Thu, 2 Mar 2023 23:50:05 +0000 (-0800) Subject: bpf: fix visit_insn()'s detection of BPF_FUNC_timer_set_callback helper X-Git-Tag: v6.6.17~4755^2~413^2~7 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=c1ee85a9806a720aa054f68fe7f9c79418f36c2b;p=platform%2Fkernel%2Flinux-rpi.git bpf: fix visit_insn()'s detection of BPF_FUNC_timer_set_callback helper It's not correct to assume that any BPF_CALL instruction is a helper call. Fix visit_insn()'s detection of bpf_timer_set_callback() helper by also checking insn->code == 0. For kfuncs insn->code would be set to BPF_PSEUDO_KFUNC_CALL, and for subprog calls it will be BPF_PSEUDO_CALL. Signed-off-by: Andrii Nakryiko Link: https://lore.kernel.org/r/20230302235015.2044271-8-andrii@kernel.org Signed-off-by: Alexei Starovoitov --- diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 6188d56..34fd808 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -13500,7 +13500,7 @@ static int visit_insn(int t, struct bpf_verifier_env *env) return DONE_EXPLORING; case BPF_CALL: - if (insn->imm == BPF_FUNC_timer_set_callback) + if (insn->src_reg == 0 && insn->imm == BPF_FUNC_timer_set_callback) /* Mark this call insn as a prune point to trigger * is_state_visited() check before call itself is * processed by __check_func_call(). Otherwise new
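Review bot: the commit message and the hunk disagree on which field is being checked: the message says the fix works by "also checking insn->code == 0", but the added line reads `if (insn->src_reg == 0 && insn->imm == BPF_FUNC_timer_set_callback)`. The src_reg check is the one that makes sense here, since this code sits under `case BPF_CALL:`, so insn->code can never be 0 on this path, and the message's own explanation (BPF_PSEUDO_KFUNC_CALL for kfuncs, BPF_PSEUDO_CALL for subprog calls) describes values that distinguish the call kinds in the field the hunk actually tests. Please reword the commit message to say `insn->src_reg == 0` so the description matches the change; a short code comment on the new condition noting that src_reg == 0 means "plain helper call, not a kfunc or subprog call" would also save the next reader the same confusion.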