From: Lorenz Bauer To: ast@kernel.org, daniel@iogearbox.net Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, Lorenz Bauer , Andrii Nakryiko Subject: [PATCH bpf-next v4 01/11] btf: make btf_set_contains take a const pointer Date: Mon, 21 Sep 2020 13:12:17 +0100 Message-Id: <20200921121227.255763-2-lmb@cloudflare.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200921121227.255763-1-lmb@cloudflare.com> References: <20200921121227.255763-1-lmb@cloudflare.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org bsearch doesn't modify the contents of the array, so we can take a const pointer. Signed-off-by: Lorenz Bauer Acked-by: Andrii Nakryiko --- include/linux/bpf.h | 2 +- kernel/bpf/btf.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/linux/bpf.h b/include/linux/bpf.h index 5dcce0364634..4cbf92f5ecdb 100644 --- a/include/linux/bpf.h +++ b/include/linux/bpf.h @@ -1901,6 +1901,6 @@ int bpf_arch_text_poke(void *ip, enum bpf_text_poke_type t, void *addr1, void *addr2); struct btf_id_set; -bool btf_id_set_contains(struct btf_id_set *set, u32 id); +bool btf_id_set_contains(const struct btf_id_set *set, u32 id); #endif /* _LINUX_BPF_H */ diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c index f9ac6935ab3c..a2330f6fe2e6 100644 --- a/kernel/bpf/btf.c +++ b/kernel/bpf/btf.c 
@@ -4772,7 +4772,7 @@ static int btf_id_cmp_func(const void *a, const void *b) return *pa - *pb; } -bool btf_id_set_contains(struct btf_id_set *set, u32 id) +bool btf_id_set_contains(const struct btf_id_set *set, u32 id) { return bsearch(&id, set->ids, set->cnt, sizeof(u32), btf_id_cmp_func) != NULL; }
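Review bot: The subject line names btf_set_contains, but the function whose prototype changes in both include/linux/bpf.h and kernel/bpf/btf.c is btf_id_set_contains; using the real name in the subject keeps the commit findable with git log --grep. The change itself is consistent with the body shown: the function only passes set->ids and set->cnt to bsearch() and compares the result against NULL, so nothing writes through the pointer.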
From: Lorenz Bauer To: ast@kernel.org, daniel@iogearbox.net Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, Lorenz Bauer , Martin KaFai Lau Subject: [PATCH bpf-next v4 05/11] bpf: make BTF pointer type checking generic Date: Mon, 21 Sep 2020 13:12:21 +0100 Message-Id: <20200921121227.255763-6-lmb@cloudflare.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200921121227.255763-1-lmb@cloudflare.com> References: <20200921121227.255763-1-lmb@cloudflare.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Perform BTF type checks if the register we're working on contains a BTF pointer, rather than if the argument is for a BTF pointer. This is easier to understand, and allows removing the code from the arg_type checking section of the function. Signed-off-by: Lorenz Bauer Acked-by: Martin KaFai Lau --- kernel/bpf/verifier.c | 38 ++++++++++++++++++++------------------ 1 file changed, 20 insertions(+), 18 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 9f95d6d55c5f..99c0d7adcb1e 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c 
@@ -4001,27 +4001,9 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, goto err_type; } } else if (arg_type == ARG_PTR_TO_BTF_ID) { - const u32 *btf_id = fn->arg_btf_id[arg]; - expected_type = PTR_TO_BTF_ID; if (type != expected_type) goto err_type; - - if (!btf_id) { - verbose(env, "verifier internal error: missing BTF ID\n"); - return -EFAULT; - } - - if (!btf_struct_ids_match(&env->log, reg->off, reg->btf_id, *btf_id)) { - verbose(env, "R%d is of type %s but %s is expected\n", - regno, kernel_type_name(reg->btf_id), kernel_type_name(*btf_id)); - return -EACCES; - } - if (!tnum_is_const(reg->var_off) || reg->var_off.value) { - verbose(env, "R%d is a pointer to in-kernel struct with non-zero offset\n", - regno); - return -EACCES; - } } else if (arg_type == ARG_PTR_TO_SPIN_LOCK) { if (meta->func_id == BPF_FUNC_spin_lock) { if (process_spin_lock(env, regno, true)) 
@@ -4076,6 +4058,26 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, return -EFAULT; } + if (type == PTR_TO_BTF_ID) { + const u32 *btf_id = fn->arg_btf_id[arg]; + + if (!btf_id) { + verbose(env, "verifier internal error: missing BTF ID\n"); + return -EFAULT; + } + + if (!btf_struct_ids_match(&env->log, reg->off, reg->btf_id, *btf_id)) { + verbose(env, "R%d is of type %s but %s is expected\n", + regno, kernel_type_name(reg->btf_id), kernel_type_name(*btf_id)); + return -EACCES; + } + if (!tnum_is_const(reg->var_off) || reg->var_off.value) { + verbose(env, "R%d is a pointer to in-kernel struct with non-zero offset\n", + regno); + return -EACCES; + } + } + if (arg_type == ARG_CONST_MAP_PTR) { /* bpf_map_xxx(map_ptr) call: remember that map_ptr */ meta->map_ptr = reg->map_ptr;
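Review bot: In the block added by the second hunk, fn->arg_btf_id[arg] is now read for every argument whose register type is PTR_TO_BTF_ID, not only when arg_type is ARG_PTR_TO_BTF_ID, so any helper argument that admits a BTF pointer without supplying a BTF ID ends in the "verifier internal error: missing BTF ID" path with -EFAULT. That fails closed, but a short comment above `if (type == PTR_TO_BTF_ID)` stating that every arg type accepting PTR_TO_BTF_ID must populate arg_btf_id would make the invariant explicit for whoever adds the next such arg type.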
From: Lorenz Bauer To: ast@kernel.org, daniel@iogearbox.net Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, Lorenz Bauer , Martin KaFai Lau Subject: [PATCH bpf-next v4 08/11] bpf: set meta->raw_mode for pointers close to use Date: Mon, 21 Sep 2020 13:12:24 +0100 Message-Id: <20200921121227.255763-9-lmb@cloudflare.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200921121227.255763-1-lmb@cloudflare.com> References: <20200921121227.255763-1-lmb@cloudflare.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org If we encounter a pointer to memory, we set meta->raw_mode depending on the type of memory we point at. What isn't obvious is that this information is only used when the next memory size argument is encountered. Move the assignment closer to where it's used, and add a comment that explains what is going on. Signed-off-by: Lorenz Bauer Acked-by: Martin KaFai Lau --- kernel/bpf/verifier.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 7d0f9ba18916..e09eedb30117 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -4020,7 +4020,6 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, type != PTR_TO_RDWR_BUF && type != expected_type) goto err_type; - meta->raw_mode = arg_type == ARG_PTR_TO_UNINIT_MEM; } else if (arg_type_is_alloc_mem_ptr(arg_type)) { expected_type = PTR_TO_MEM; if (register_is_null(reg) &&
@@ -4109,6 +4108,11 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, err = check_helper_mem_access(env, regno, meta->map_ptr->value_size, false, meta); + } else if (arg_type_is_mem_ptr(arg_type)) { + /* The access to this pointer is only checked when we hit the + * next is_mem_size argument below. + */ + meta->raw_mode = (arg_type == ARG_PTR_TO_UNINIT_MEM); } else if (arg_type_is_mem_size(arg_type)) { bool zero_size_allowed = (arg_type == ARG_CONST_SIZE_OR_ZERO);
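Review bot: The new `else if (arg_type_is_mem_ptr(arg_type))` branch in the second hunk sits inside an existing else-if chain, so meta->raw_mode is only written when no earlier branch of that chain matches, whereas the line removed by the first hunk ran as soon as the mem pointer type check passed. Please confirm no earlier condition in the chain can be true for a mem pointer arg type; the comment could also name the predicate in full (arg_type_is_mem_size) rather than "is_mem_size" so it can be grepped.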
From: Lorenz Bauer To: ast@kernel.org, daniel@iogearbox.net Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, Lorenz Bauer , Martin KaFai Lau Subject: [PATCH bpf-next v4 09/11] bpf: check ARG_PTR_TO_SPINLOCK register type in check_func_arg Date: Mon, 21 Sep 2020 13:12:25 +0100 Message-Id: <20200921121227.255763-10-lmb@cloudflare.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200921121227.255763-1-lmb@cloudflare.com> References: <20200921121227.255763-1-lmb@cloudflare.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org Move the check for PTR_TO_MAP_VALUE to check_func_arg, where all other checking is done as well. Move the invocation of process_spin_lock away from the register type checking, to allow a future refactoring. Signed-off-by: Lorenz Bauer Acked-by: Martin KaFai Lau --- kernel/bpf/verifier.c | 28 ++++++++++++++-------------- 1 file changed, 14 insertions(+), 14 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index e09eedb30117..eefc8256df1c 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3781,10 +3781,6 @@ static int process_spin_lock(struct bpf_verifier_env *env, int regno, struct bpf_map *map = reg->map_ptr; u64 val = reg->var_off.value; - if (reg->type != PTR_TO_MAP_VALUE) { - verbose(env, "R%d is not a pointer to map_value\n", regno); - return -EINVAL; - } if (!is_const) { verbose(env, "R%d doesn't have constant offset. bpf_spin_lock has to be at the constant offset\n", 
@@ -3993,16 +3989,9 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, if (type != expected_type) goto err_type; } else if (arg_type == ARG_PTR_TO_SPIN_LOCK) { - if (meta->func_id == BPF_FUNC_spin_lock) { - if (process_spin_lock(env, regno, true)) - return -EACCES; - } else if (meta->func_id == BPF_FUNC_spin_unlock) { - if (process_spin_lock(env, regno, false)) - return -EACCES; - } else { - verbose(env, "verifier internal error\n"); - return -EFAULT; - } + expected_type = PTR_TO_MAP_VALUE; + if (type != expected_type) + goto err_type; } else if (arg_type_is_mem_ptr(arg_type)) { expected_type = PTR_TO_STACK; /* One exception here. In case function allows for NULL to be 
@@ -4108,6 +4097,17 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, err = check_helper_mem_access(env, regno, meta->map_ptr->value_size, false, meta); + } else if (arg_type == ARG_PTR_TO_SPIN_LOCK) { + if (meta->func_id == BPF_FUNC_spin_lock) { + if (process_spin_lock(env, regno, true)) + return -EACCES; + } else if (meta->func_id == BPF_FUNC_spin_unlock) { + if (process_spin_lock(env, regno, false)) + return -EACCES; + } else { + verbose(env, "verifier internal error\n"); + return -EFAULT; + } } else if (arg_type_is_mem_ptr(arg_type)) { /* The access to this pointer is only checked when we hit the * next is_mem_size argument below.
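Review bot: With the reg->type check removed in the first hunk, process_spin_lock() still reads reg->map_ptr on entry but no longer verifies that the register is a PTR_TO_MAP_VALUE, so its safety now depends on check_func_arg having taken the `expected_type = PTR_TO_MAP_VALUE` branch first. A comment on process_spin_lock() stating that precondition would protect future callers. The rejection also moves from the "R%d is not a pointer to map_value" message with -EINVAL to the generic err_type path, so any test that matches the old string needs updating, and the subject spells the arg type ARG_PTR_TO_SPINLOCK while the code uses ARG_PTR_TO_SPIN_LOCK.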
From: Lorenz Bauer To: ast@kernel.org, daniel@iogearbox.net Cc: bpf@vger.kernel.org, netdev@vger.kernel.org, Lorenz Bauer , Andrii Nakryiko , Martin KaFai Lau Subject: [PATCH bpf-next v4 10/11] bpf: hoist type checking for nullable arg types Date: Mon, 21 Sep 2020 13:12:26 +0100 Message-Id: <20200921121227.255763-11-lmb@cloudflare.com> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200921121227.255763-1-lmb@cloudflare.com> References: <20200921121227.255763-1-lmb@cloudflare.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org check_func_arg has a plethora of weird if statements with empty branches. They work around the fact that *_OR_NULL argument types should accept a SCALAR_VALUE register, as long as its value is 0. These statements make it difficult to reason about the type checking logic. Instead, skip more detailed type checking logic iff the register is 0, and the function expects a nullable type. This allows simplifying the type checking itself. Signed-off-by: Lorenz Bauer Acked-by: Andrii Nakryiko Acked-by: Martin KaFai Lau --- kernel/bpf/verifier.c | 64 ++++++++++++++++++++----------------------- 1 file changed, 30 insertions(+), 34 deletions(-) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index eefc8256df1c..d64ac79982ad 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -435,6 +435,15 @@ static bool arg_type_may_be_refcounted(enum bpf_arg_type type) return type == ARG_PTR_TO_SOCK_COMMON; } +static bool arg_type_may_be_null(enum bpf_arg_type type) +{ + return type == ARG_PTR_TO_MAP_VALUE_OR_NULL || + type == ARG_PTR_TO_MEM_OR_NULL || + type == ARG_PTR_TO_CTX_OR_NULL || + type == ARG_PTR_TO_SOCKET_OR_NULL || + type == ARG_PTR_TO_ALLOC_MEM_OR_NULL; +} + /* Determine whether the function releases some resources allocated by another * function call. The first reference type argument will be assumed to be * released by release_reference(). @@ -3941,17 +3950,20 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, return err; } + if (register_is_null(reg) && arg_type_may_be_null(arg_type)) + /* A NULL register has a SCALAR_VALUE type, so skip + * type checking. + */ + goto skip_type_check; + if (arg_type == ARG_PTR_TO_MAP_KEY || arg_type == ARG_PTR_TO_MAP_VALUE || arg_type == ARG_PTR_TO_UNINIT_MAP_VALUE || arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL) { expected_type = PTR_TO_STACK; - if (register_is_null(reg) && - arg_type == ARG_PTR_TO_MAP_VALUE_OR_NULL) - /* final test in check_stack_boundary() */; - else if (!type_is_pkt_pointer(type) && - type != PTR_TO_MAP_VALUE && - type != expected_type) + if (!type_is_pkt_pointer(type) && + type != PTR_TO_MAP_VALUE && + type != expected_type) goto err_type; } else if (arg_type == ARG_CONST_SIZE || arg_type == ARG_CONST_SIZE_OR_ZERO || @@ -3966,11 +3978,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, } else if (arg_type == ARG_PTR_TO_CTX || arg_type == ARG_PTR_TO_CTX_OR_NULL) { expected_type = PTR_TO_CTX; - if (!(register_is_null(reg) && - arg_type == ARG_PTR_TO_CTX_OR_NULL)) { - if (type != expected_type) - goto err_type; - } + if (type != expected_type) + goto err_type; } else if (arg_type == ARG_PTR_TO_SOCK_COMMON) { expected_type = PTR_TO_SOCK_COMMON; /* Any sk pointer can be ARG_PTR_TO_SOCK_COMMON */ 
@@ -3979,11 +3988,8 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, } else if (arg_type == ARG_PTR_TO_SOCKET || arg_type == ARG_PTR_TO_SOCKET_OR_NULL) { expected_type = PTR_TO_SOCKET; - if (!(register_is_null(reg) && - arg_type == ARG_PTR_TO_SOCKET_OR_NULL)) { - if (type != expected_type) - goto err_type; - } + if (type != expected_type) + goto err_type; } else if (arg_type == ARG_PTR_TO_BTF_ID) { expected_type = PTR_TO_BTF_ID; if (type != expected_type) @@ -3994,27 +4000,16 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, goto err_type; } else if (arg_type_is_mem_ptr(arg_type)) { expected_type = PTR_TO_STACK; - /* One exception here. In case function allows for NULL to be - * passed in as argument, it's a SCALAR_VALUE type. Final test - * happens during stack boundary checking. - */ - if (register_is_null(reg) && - (arg_type == ARG_PTR_TO_MEM_OR_NULL || - arg_type == ARG_PTR_TO_ALLOC_MEM_OR_NULL)) - /* final test in check_stack_boundary() */; - else if (!type_is_pkt_pointer(type) && - type != PTR_TO_MAP_VALUE && - type != PTR_TO_MEM && - type != PTR_TO_RDONLY_BUF && - type != PTR_TO_RDWR_BUF && - type != expected_type) + if (!type_is_pkt_pointer(type) && + type != PTR_TO_MAP_VALUE && + type != PTR_TO_MEM && + type != PTR_TO_RDONLY_BUF && + type != PTR_TO_RDWR_BUF && + type != expected_type) goto err_type; } else if (arg_type_is_alloc_mem_ptr(arg_type)) { expected_type = PTR_TO_MEM; - if (register_is_null(reg) && - arg_type == ARG_PTR_TO_ALLOC_MEM_OR_NULL) - /* final test in check_stack_boundary() */; - else if (type != expected_type) + if (type != expected_type) goto err_type; } else if (arg_type_is_int_ptr(arg_type)) { expected_type = PTR_TO_STACK; @@ -4051,6 +4046,7 @@ static int check_func_arg(struct bpf_verifier_env *env, u32 arg, return err; } +skip_type_check: if (reg->ref_obj_id) { if (meta->ref_obj_id) { verbose(env, "verifier internal error: more than one arg with ref_obj_id R%d %u %u\n",
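Review bot: arg_type_may_be_null() is a hand-maintained list of five *_OR_NULL types, and the per-branch NULL exceptions it replaces are gone, so a nullable arg type added later but not listed there will have its NULL register rejected by the type checks. That fails closed, but a comment on the helper (or next to the arg type enum) saying new *_OR_NULL types must be added would save a confusing verifier error. Two smaller points: the removed comments recorded that the final NULL test happens in check_stack_boundary(), which the new "skip type checking" comment no longer says, and the `if (register_is_null(reg) && arg_type_may_be_null(arg_type))` body spans a comment plus the goto, where kernel style would normally use braces.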