On Wed, 2025-06-11 at 23:07 +0200, Luis Gerhorst wrote: [...] > Signed-off-by: Luis Gerhorst <luis.gerhorst@xxxxxx> I reproduced the error locally and this patch fixes it. Also double-checked places where free_verifier_state is called and error codes used in error_recoverable_with_nospec() are used. Looks like env->cur_state should be always ok if error_recoverable_with_nospec() recovers, env internal structures in healthy state. Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx> > --- > kernel/bpf/verifier.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index b1f797616f20..d3bff0385a55 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -14229,7 +14229,7 @@ static int sanitize_err(struct bpf_verifier_env *env, > case REASON_STACK: > verbose(env, "R%d could not be pushed for speculative verification, %s\n", > dst, err); > - break; > + return -ENOMEM; Good catch, I would have probably missed it. > default: > verbose(env, "verifier internal error: unknown reason (%d)\n", > reason); > @@ -19753,7 +19753,7 @@ static int do_check(struct bpf_verifier_env *env) > goto process_bpf_exit; > > err = do_check_insn(env, &do_print_state); > - if (state->speculative && error_recoverable_with_nospec(err)) { > + if (error_recoverable_with_nospec(err) && state->speculative) { > /* Prevent this speculative path from ever reaching the > * insn that would have been unsafe to execute. > */ > > base-commit: 2d72dd14d77f31a7caa619fe0b889304844e612e
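Review bot: In the sanitize_err() hunk, the REASON_STACK case now returns -ENOMEM directly where it previously hit `break;` and continued to the code after the switch together with the other reasons, so this case's error code is chosen here and nowhere else; the hunk carries no comment explaining why a state that could not be pushed for speculative verification must fail hard rather than be recovered with a nospec barrier. Suggest a one-line comment above `return -ENOMEM;` stating that, and confirming (as the reply above says it did) that -ENOMEM is not among the codes error_recoverable_with_nospec() treats as recoverable, since a recoverable code returned here would feed the failed push straight back into the recovery branch in do_check().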
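Review bot: In the do_check() hunk, swapping the two operands of && leaves the boolean result unchanged, so the reorder is only meaningful if `state` must not be dereferenced when err is a non-recoverable code (the reply above points at the free_verifier_state() call sites and at env->cur_state staying valid only when error_recoverable_with_nospec() recovers); nothing in the hunk records that constraint, and the existing comment inside the branch describes the nospec intent but not the evaluation order. Suggest a one-line comment above the `if`, e.g. `/* check err first: state may be invalid unless the error is recoverable */`, so the condition is not reordered back in a later cleanup.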