All of lore.kernel.org
 help / color / mirror / Atom feed
From: Luis Gerhorst <luis.gerhorst@fau.de>
To: Eduard Zingerman <eddyz87@gmail.com>
Cc: Paul Chaignon <paul.chaignon@gmail.com>,
	 bpf@vger.kernel.org,  Alexei Starovoitov <ast@kernel.org>,
	 Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>
Subject: Re: [PATCH bpf-next] bpf: Fix unwarranted warning on speculative path
Date: Thu, 26 Jun 2025 14:45:26 +0200	[thread overview]
Message-ID: <8734bmoemx.fsf@fau.de> (raw)
In-Reply-To: <4266fd5de04092aa4971cbef14f1b4b96961f432.camel@gmail.com> (Eduard Zingerman's message of "Wed, 25 Jun 2025 15:13:27 -0700")

Eduard Zingerman <eddyz87@gmail.com> writes:

> On Wed, 2025-06-25 at 23:43 +0200, Paul Chaignon wrote:
>
> [...]
>
>> > So, suppose there is a program:
>> > 
>> >      15: (18) r1 = 0x2020200005642020
>> >      17: (7b) *(u64 *)(r10 -264) = r1
>> > 
>> > Insn processing sequence would look like (starting from 15):
>> > - prev_insn_idx <- 15
>> > - do_check_insn()
>> >   - env->insn_idx <- 17
>> > - prev_insn_idx <- 17
>> > - do_check_insn():
>> >   - nospec_result <- true
>> >   - env->insn_idx <- 18
>> > - state->speculative && cur_aux(env)->nospec_result == true:
>> >   - WARN_ON_ONCE(18 != 17 + 1) // no warning
>> > 
>> > What do I miss?
>> 
>> In the if condition, "cur_aux(env)" points to the aux data of the next
>> instruction (#17 here) because we incremented "insn_idx" in
>> do_check_insn(). In my fix, "insn" points to the previous instruction
>> because we retrieved it before calling do_check_insn().
>> 
>> Therefore, the processing sequence would look like:
>> - prev_insn_idx <- 15
>> - do_check_insn()
>>   - env->insn_idx <- 17
>> - state->speculative && cur_aux(env)->nospec_result == true:
>>   - WARN_ON_ONCE(17 != 15 + 1) // warning
>
> I'm sorry, I'm a bit slow today (well, maybe not only today).
> Isn't it a slightly different bug in the original check?
> Suppose current insn is ST/STX that do_check_insn() marked as
> nospec_result. I think the intent was to stop branch processing right
> at that point, as nospec instruction would be inserted after this
> store => no need to speculate further.
> In other words, cur_aux(env)->nospec_result pointing to instruction
> after ST/STX was not anticipated. (Luis, wdyt?)

That's a very good point, nospec_result should only stop the path
analysis after the insn that has it set was analyzed. Otherwise, a
nospec required before the insn may not be added.

In reply to this you find a RFC fix and test that shows a nospec might
be missing. If this makes sense I will send a polished version.

The tests fail without the fix [1] (the offset no longer matches because
the nospec before the stack-write is missing, which is the main point),
but succeed otherwise [2].

I manually verified the fix resolves the warning in the reproducer, but
I can add a test for the polished version.

[1] https://github.com/kernel-patches/bpf/actions/runs/15901586938/job/44846011518?pr=9199#step:5:11308
[2] https://github.com/kernel-patches/bpf/pull/9198

  reply	other threads:[~2025-06-26 12:45 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-25 18:01 [PATCH bpf-next] bpf: Fix unwarranted warning on speculative path Paul Chaignon
2025-06-25 20:19 ` Eduard Zingerman
2025-06-25 21:18   ` Luis Gerhorst
2025-06-25 21:43   ` Paul Chaignon
2025-06-25 22:13     ` Eduard Zingerman
2025-06-26 12:45       ` Luis Gerhorst [this message]
2025-06-26 12:49         ` [RFC PATCH 1/3] bpf: Fix aux usage after do_check_insn() Luis Gerhorst
2025-06-26 18:40           ` Eduard Zingerman
2025-06-26 18:41           ` Alexei Starovoitov
2025-06-26 13:00         ` [RFC PATCH 2/3] selftests/bpf: Add ldimm64 nospec test Luis Gerhorst
2025-06-26 13:01         ` [RFC PATCH 3/3] selftests/bpf: Add nospec_result test Luis Gerhorst

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8734bmoemx.fsf@fau.de \
    --to=luis.gerhorst@fau.de \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=paul.chaignon@gmail.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.