bpf: fix liveness propagation to parent in spilled stack slots

Using parent->regs[] when propagating REG_LIVE_READ for spilled regs
doesn't work since parent->regs[] denote the set of normal registers
but not spilled ones. Propagate to the correct regs.

Fixes: dc503a8ad984 ("bpf/verifier: track liveness for pruning")
Reported-by: Dan Carpenter <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
Acked-by: Edward Cree <[email protected]>
Signed-off-by: David S. Miller <[email protected]>

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 958ba84a99955093581a008c9296238c1a281303..40f669ddb571a3c9525098c6566de42d69de2012 100644 (file)
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3460,7 +3460,7 @@ static bool do_propagate_liveness(const struct bpf_verifier_state *state,
                if (parent->spilled_regs[i].live & REG_LIVE_READ)
                        continue;
                if (state->spilled_regs[i].live == REG_LIVE_READ) {
-                       parent->regs[i].live |= REG_LIVE_READ;
+                       parent->spilled_regs[i].live |= REG_LIVE_READ;
                        touched = true;
                }
        }