bpf: handle trusted PTR_TO_BTF_ID_OR_NULL in argument check logic
author Andrii Nakryiko <andrii@kernel.org>
Fri, 2 Feb 2024 19:05:27 +0000 (11:05 -0800)
committer Alexei Starovoitov <ast@kernel.org>
Sat, 3 Feb 2024 02:08:58 +0000 (18:08 -0800)
Add PTR_TRUSTED | PTR_MAYBE_NULL modifiers for PTR_TO_BTF_ID to
check_reg_type() to support passing trusted nullable PTR_TO_BTF_ID
registers into global functions accepting `__arg_trusted __arg_nullable`
arguments. This hasn't been caught earlier because tests were either
passing known non-NULL PTR_TO_BTF_ID registers or known NULL (SCALAR)
registers.

When utilizing this functionality in a complicated real-world BPF
application that passes around PTR_TO_BTF_ID_OR_NULL, it became apparent
that the verifier rejects a valid case because check_reg_type() doesn't handle
this case explicitly. Existing check_reg_type() logic is already
anticipating this combination, so we just need to explicitly list this
combo in the switch statement.

Fixes: e2b3c4ff5d18 ("bpf: add __arg_trusted global func arg tag")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20240202190529.2374377-2-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
kernel/bpf/verifier.c

index a0b8e400b3dfd1642b4e80ae30164e1dcdff74ab..64fa188d00ad9bded897874e35adaf62b8d756d4 100644 (file)
@@ -8242,6 +8242,7 @@ found:
        switch ((int)reg->type) {
        case PTR_TO_BTF_ID:
        case PTR_TO_BTF_ID | PTR_TRUSTED:
+       case PTR_TO_BTF_ID | PTR_TRUSTED | PTR_MAYBE_NULL:
        case PTR_TO_BTF_ID | MEM_RCU:
        case PTR_TO_BTF_ID | PTR_MAYBE_NULL:
        case PTR_TO_BTF_ID | PTR_MAYBE_NULL | MEM_RCU:
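
Review bot: the new `case PTR_TO_BTF_ID | PTR_TRUSTED | PTR_MAYBE_NULL:` label shares its body with the non-nullable `PTR_TO_BTF_ID | PTR_TRUSTED` case, and the hunk does not show the code that rejects a maybe-NULL trusted register when the argument is not tagged `__arg_nullable`. The commit message says the existing check_reg_type() logic already anticipates this combination; please name the check that enforces it, so a reader can see that this label only widens what is accepted for nullable arguments. The message also notes that existing tests only passed known non-NULL or known NULL (SCALAR) registers, so a selftest that passes a genuinely nullable trusted PTR_TO_BTF_ID into an `__arg_trusted __arg_nullable` global function, together with a negative test for the non-nullable argument, should accompany this change if the series does not already include one.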