* [PATCH bpf-next 0/2] bpf: Fix tnum_overlap to check for zero mask first @ 2025-10-26 16:38 KaFai Wan 2025-10-26 16:38 ` [PATCH bpf-next 1/2] " KaFai Wan 2025-10-26 16:38 ` [PATCH bpf-next 2/2] selftests/bpf: Range analysis test case for JEQ KaFai Wan 0 siblings, 2 replies; 4+ messages in thread From: KaFai Wan @ 2025-10-26 16:38 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, memxor, harishankar.vishwanathan, colin.i.king, kafai.wan, luis.gerhorst, shung-hsi.yu, bpf, linux-kernel, linux-kselftest This small patchset is about avoid verifier bug warning when tnum_overlap() is called with zero mask. --- KaFai Wan (2): bpf: Fix tnum_overlap to check for zero mask first selftests/bpf: Range analysis test case for JEQ kernel/bpf/tnum.c | 2 ++ .../selftests/bpf/progs/verifier_bounds.c | 23 +++++++++++++++++++ 2 files changed, 25 insertions(+) -- 2.43.0 ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH bpf-next 1/2] bpf: Fix tnum_overlap to check for zero mask first 2025-10-26 16:38 [PATCH bpf-next 0/2] bpf: Fix tnum_overlap to check for zero mask first KaFai Wan @ 2025-10-26 16:38 ` KaFai Wan 2025-10-27 15:35 ` KaFai Wan 2025-10-26 16:38 ` [PATCH bpf-next 2/2] selftests/bpf: Range analysis test case for JEQ KaFai Wan 1 sibling, 1 reply; 4+ messages in thread From: KaFai Wan @ 2025-10-26 16:38 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, memxor, harishankar.vishwanathan, colin.i.king, kafai.wan, luis.gerhorst, shung-hsi.yu, bpf, linux-kernel, linux-kselftest Cc: syzbot+c950cc277150935cc0b5 Syzbot reported a kernel warning due to a range invariant violation in the BPF verifier. The issue occurs when tnum_overlap() fails to detect that two tnums don't have any overlapping bits. The problematic BPF program: 0: call bpf_get_prandom_u32 1: r6 = r0 2: r6 &= 0xFFFFFFFFFFFFFFF0 3: r7 = r0 4: r7 &= 0x07 5: r7 -= 0xFF 6: if r6 == r7 goto <exit> After instruction 5, R7 has the range: R7: u64=[0xffffffffffffff01, 0xffffffffffffff08] var_off=(0xffffffffffffff00; 0xf) R6 and R7 don't overlap since they have no agreeing bits. However, is_branch_taken() fails to recognize this, causing the verifier to refine register bounds and end up with inconsistent bounds: 6: if r6 == r7 goto <exit> R6: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) R7: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) The root cause is that tnum_overlap() doesn't properly handle the case where the masks have no overlapping bits. Fix this by adding an early check for zero mask intersection in tnum_overlap(). Reported-by: syzbot+c950cc277150935cc0b5@syzkaller.appspotmail.com Fixes: f41345f47fb2 ("bpf: Use tnums for JEQ/JNE is_branch_taken logic") Signed-off-by: KaFai Wan <kafai.wan@linux.dev> --- kernel/bpf/tnum.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/tnum.c b/kernel/bpf/tnum.c index f8e70e9c3998..af2f38b4f840 100644 --- a/kernel/bpf/tnum.c +++ b/kernel/bpf/tnum.c @@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b) { u64 mu; + if ((a.mask & b.mask) == 0) + return false; mu = ~a.mask & ~b.mask; return (a.value & mu) == (b.value & mu); } -- 2.43.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH bpf-next 1/2] bpf: Fix tnum_overlap to check for zero mask first 2025-10-26 16:38 ` [PATCH bpf-next 1/2] " KaFai Wan @ 2025-10-27 15:35 ` KaFai Wan 0 siblings, 0 replies; 4+ messages in thread From: KaFai Wan @ 2025-10-27 15:35 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, memxor, harishankar.vishwanathan, colin.i.king, luis.gerhorst, shung-hsi.yu, bpf, linux-kernel, linux-kselftest Cc: syzbot+c950cc277150935cc0b5 Sorry, this patch is wrong, please ignore. On Mon, 2025-10-27 at 00:38 +0800, KaFai Wan wrote: > Syzbot reported a kernel warning due to a range invariant violation in > the BPF verifier. The issue occurs when tnum_overlap() fails to detect > that two tnums don't have any overlapping bits. > > The problematic BPF program: > 0: call bpf_get_prandom_u32 > 1: r6 = r0 > 2: r6 &= 0xFFFFFFFFFFFFFFF0 > 3: r7 = r0 > 4: r7 &= 0x07 > 5: r7 -= 0xFF > 6: if r6 == r7 goto <exit> > > After instruction 5, R7 has the range: > R7: u64=[0xffffffffffffff01, 0xffffffffffffff08] var_off=(0xffffffffffffff00; 0xf) > > R6 and R7 don't overlap since they have no agreeing bits. However, > is_branch_taken() fails to recognize this, causing the verifier to > refine register bounds and end up with inconsistent bounds: > > 6: if r6 == r7 goto <exit> > R6: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) > R7: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) > > The root cause is that tnum_overlap() doesn't properly handle the case > where the masks have no overlapping bits. > > Fix this by adding an early check for zero mask intersection in tnum_overlap(). > > Reported-by: syzbot+c950cc277150935cc0b5@syzkaller.appspotmail.com > Fixes: f41345f47fb2 ("bpf: Use tnums for JEQ/JNE is_branch_taken logic") > Signed-off-by: KaFai Wan <kafai.wan@linux.dev> > --- > kernel/bpf/tnum.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/kernel/bpf/tnum.c b/kernel/bpf/tnum.c > index f8e70e9c3998..af2f38b4f840 100644 > --- a/kernel/bpf/tnum.c > +++ b/kernel/bpf/tnum.c > @@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b) > { > u64 mu; > > + if ((a.mask & b.mask) == 0) > + return false; > mu = ~a.mask & ~b.mask; > return (a.value & mu) == (b.value & mu); > } -- Thanks, KaFai ^ permalink raw reply [flat|nested] 4+ messages in thread
* [PATCH bpf-next 2/2] selftests/bpf: Range analysis test case for JEQ 2025-10-26 16:38 [PATCH bpf-next 0/2] bpf: Fix tnum_overlap to check for zero mask first KaFai Wan 2025-10-26 16:38 ` [PATCH bpf-next 1/2] " KaFai Wan @ 2025-10-26 16:38 ` KaFai Wan 1 sibling, 0 replies; 4+ messages in thread From: KaFai Wan @ 2025-10-26 16:38 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, memxor, harishankar.vishwanathan, colin.i.king, kafai.wan, luis.gerhorst, shung-hsi.yu, bpf, linux-kernel, linux-kselftest This patch adds coverage for the warning detected by syzkaller and fixed in the previous patch. Without the previous patch, this test fails with: verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0xffffffffffffff01, 0xffffffffffffff00] s64=[0xffffffffffffff01, 0xffffffffffffff00] u32=[0xffffff01, 0xffffff00] s32=[0xffffff00, 0xffffff00] var_off=(0xffffffffffffff00, 0x0) verifier bug: REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0xffffffffffffff01, 0xffffffffffffff00] s64=[0xffffffffffffff01, 0xffffffffffffff00] u32=[0xffffff01, 0xffffff00] s32=[0xffffff01, 0xffffff00] var_off=(0xffffffffffffff00, 0x0) Signed-off-by: KaFai Wan <kafai.wan@linux.dev> --- .../selftests/bpf/progs/verifier_bounds.c | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c index 0a72e0228ea9..304ab5a07a3b 100644 --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c @@ -1550,6 +1550,29 @@ l0_%=: r0 = 0; \ : __clobber_all); } +SEC("socket") +__description("dead branch on jeq, does not result in invariants violation error") +__success __log_level(2) +__retval(0) __flag(BPF_F_TEST_REG_INVARIANTS) +__naked void jeq_range_analysis(void) +{ + asm volatile (" \ + call %[bpf_get_prandom_u32]; \ + r6 = r0; \ + r6 &= 0xFFFFFFFFFFFFFFF0; \ + r7 = r0; \ + r7 &= 0x07; \ + r7 -= 0xFF; \ + if r6 == r7 goto l1_%=; \ +l0_%=: r0 = 0; \ + exit; \ +l1_%=: r0 = 1; \ + exit; \ +" : + : __imm(bpf_get_prandom_u32) + : __clobber_all); +} + /* This test covers the bounds deduction on 64bits when the s64 and u64 ranges * overlap on the negative side. At instruction 7, the ranges look as follows: * -- 2.43.0 ^ permalink raw reply related [flat|nested] 4+ messages in thread
end of thread, other threads:[~2025-10-27 15:35 UTC | newest] Thread overview: 4+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-10-26 16:38 [PATCH bpf-next 0/2] bpf: Fix tnum_overlap to check for zero mask first KaFai Wan 2025-10-26 16:38 ` [PATCH bpf-next 1/2] " KaFai Wan 2025-10-27 15:35 ` KaFai Wan 2025-10-26 16:38 ` [PATCH bpf-next 2/2] selftests/bpf: Range analysis test case for JEQ KaFai Wan
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).