From 70ec69a1b0c47fce11d3707bdbcbb200201ad337 Mon Sep 17 00:00:00 2001
From: Jiri Olsa
Date: Tue, 20 Jun 2023 14:14:19 +0000
Subject: [PATCH] tetragon: Use asm in process_filter_namespace
The new clang use some new optimalization that uses &= as part for '>' operator code. This messes up with maximum we setup with &= for verifier ending up with verifier error:
1328: (77) r1 >>= 2
1329: (57) r1 &= 1023
1330: (bf) r1 = r2
1331: (57) r1 &= 8188
1332: (79) r2 = *(u64 *)(r10 -48)
1333: (0f) r2 += r1
1334: (61) r2 = *(u32 *)(r2 +0)
...
invalid access to map value, value_size=4096 off=8188 size=4
R2 max value is outside of the array range
Moving the exact size check into assembly that seems to prevent the new optimalization.
Signed-off-by: Jiri Olsa
---
 bpf/process/pfilter.h | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/bpf/process/pfilter.h b/bpf/process/pfilter.h
index e0a01e694af..ad03fafed3c 100644
--- a/bpf/process/pfilter.h
+++ b/bpf/process/pfilter.h
@@ -141,16 +141,19 @@ process_filter_namespace(__u32 i, __u32 off, __u32 *f, __u64 ty, __u64 nsid,
 struct msg_capabilities *c)
 {
 __u32 sel, inum = 0;
+ __u64 o = (__u64)off;
- if (off > 1000)
- sel = 0;
- else {
- __u64 o = (__u64)off;
- o = o / 4;
- asm volatile("%[o] &= 0x3ff;\n" ::[o] "+r"(o)
- :);
- sel = f[o];
- }
+ o = o / 4;
+
+ asm volatile("if %[off] > 1000 goto +2\n;"
+ "%[o] &= 0x3ff;\n"
+ "goto +1\n"
+ "%[o] = 0;\n"
+ :
+ : [o] "+r"(o), [off] "+r"(off)
+ :);
+
+ sel = f[o];
 nsid &= 0xf;
 inum = n->inum[nsid];
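Review bot: With the added asm, an `off` above 1000 now sets `o` to 0 and falls through to `sel = f[o]`, so `sel` is read from `f[0]`, where the removed C branch set `sel = 0` without touching `f`. If the rest of process_filter_namespace (its body continues outside this hunk) relied on `sel == 0` for an out-of-range offset, that case now evaluates the filter's first word instead; either restore the zero result after the load or record the new behaviour in a comment such as `/* off > 1000: o is clamped to 0, sel comes from f[0] */`. Separately, `[o] "+r"(o)` and `[off] "+r"(off)` sit in the input operand list while the output list is empty, so the compiler is probably not told that the asm writes `o`, and the bound the verifier needs on `f[o]` then depends on register allocation. Writing `: [o] "+r"(o)` as the output list and `: [off] "r"(off)` as the input list would state the intent.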