tetragon: Use asm in process_filter_namespace

The new clang use some new optimalization that uses &= as part for '>' operator code. This messes up with maximum we setup with &= for verifier ending up with verifier error: 1328: (77) r1 >>= 2 1329: (57) r1 &= 1023 1330: (bf) r1 = r2 1331: (57) r1 &= 8188 1332: (79) r2 = *(u64 *)(r10 -48) 1333: (0f) r2 += r1 1334: (61) r2 = *(u32 *)(r2 +0) ... invalid access to map value, value_size=4096 off=8188 size=4 R2 max value is outside of the array range Moving the exact size check into assembly that seems to prevent the new optimalization. Signed-off-by: Jiri Olsa <jolsa@kernel.org>
cilium · Jun 20, 2023 · 70ec69a · 70ec69a
1 parent 5e79e5d
commit 70ec69a
Showing 1 changed file with 12 additions and 9 deletions.
diff --git a/bpf/process/pfilter.h b/bpf/process/pfilter.h
@@ -141,16 +141,19 @@ process_filter_namespace(__u32 i, __u32 off, __u32 *f, __u64 ty, __u64 nsid,
 			 struct msg_capabilities *c)
 {
 	__u32 sel, inum = 0;
+	__u64 o = (__u64)off;
 
-	if (off > 1000)
-		sel = 0;
-	else {
-		__u64 o = (__u64)off;
-		o = o / 4;
-		asm volatile("%[o] &= 0x3ff;\n" ::[o] "+r"(o)
-			     :);
-		sel = f[o];
-	}
+	o = o / 4;
+
+	asm volatile("if %[off] > 1000 goto +2\n;"
+		     "%[o] &= 0x3ff;\n"
+		     "goto +1\n"
+		     "%[o] = 0;\n"
+		     :
+		     : [o] "+r"(o), [off] "+r"(off)
+		     :);
+
+	sel = f[o];
 
 	nsid &= 0xf;
 	inum = n->inum[nsid];