Re: [PATCH v2 bpf-next 1/6] bpf: Refactor reg_bounds_sanity_check

public inbox for bpf@vger.kernel.org
 help / color / mirror / Atom feed

From: Mykyta Yatsenko <mykyta.yatsenko5@gmail.com>
To: Paul Chaignon <paul.chaignon@gmail.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Harishankar Vishwanathan <harishankar.vishwanathan@gmail.com>,
	Shung-Hsi Yu <shung-hsi.yu@suse.com>,
	Srinivas Narayana <srinivas.narayana@rutgers.edu>,
	Santosh Nagarakatte <santosh.nagarakatte@rutgers.edu>
Subject: Re: [PATCH v2 bpf-next 1/6] bpf: Refactor reg_bounds_sanity_check
Date: Mon, 23 Mar 2026 14:16:19 +0000	[thread overview]
Message-ID: <87qzpak4wc.fsf@gmail.com> (raw)
In-Reply-To: <d328e04c67b520973e295d0f1c2fd88715a6390e.1774025082.git.paul.chaignon@gmail.com>

Paul Chaignon <paul.chaignon@gmail.com> writes:

> From: Harishankar Vishwanathan <harishankar.vishwanathan@gmail.com>
>
> This commit refactors reg_bounds_sanity_check to factor out the logic
> that performs the sanity check from the logic that does the reporting.
>
> Signed-off-by: Harishankar Vishwanathan <harishankar.vishwanathan@gmail.com>
> Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
> ---
>  kernel/bpf/verifier.c | 50 ++++++++++++++++++++++++++++++-------------
>  1 file changed, 35 insertions(+), 15 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 01c18f4268de..b638ab841c10 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -2802,40 +2802,60 @@ static void reg_bounds_sync(struct bpf_reg_state *reg)
>  	__update_reg_bounds(reg);
>  }
>  
> -static int reg_bounds_sanity_check(struct bpf_verifier_env *env,
> -				   struct bpf_reg_state *reg, const char *ctx)
> +static bool range_bounds_violation(struct bpf_reg_state *reg)
>  {
> -	const char *msg;
> -
> -	if (reg->umin_value > reg->umax_value ||
> -	    reg->smin_value > reg->smax_value ||
> -	    reg->u32_min_value > reg->u32_max_value ||
> -	    reg->s32_min_value > reg->s32_max_value) {
> -		    msg = "range bounds violation";
> -		    goto out;
> -	}
> +	return (reg->umin_value > reg->umax_value || reg->smin_value > reg->smax_value ||
> +		reg->u32_min_value > reg->u32_max_value ||
> +		reg->s32_min_value > reg->s32_max_value);
> +}
>  
> +static bool const_tnum_out_of_sync_with_range_bounds(struct bpf_reg_state *reg)
> +{
>  	if (tnum_is_const(reg->var_off)) {
>  		u64 uval = reg->var_off.value;
>  		s64 sval = (s64)uval;
>  
>  		if (reg->umin_value != uval || reg->umax_value != uval ||
>  		    reg->smin_value != sval || reg->smax_value != sval) {
> -			msg = "const tnum out of sync with range bounds";
> -			goto out;
> +			return true;
nit: maybe it's going to look simpler if you rewrite it with early return?
static bool const_tnum_out_of_sync_with_range_bounds(struct bpf_reg_state *reg)
{
	u64 uval = reg->var_off.value;
	s64 sval = (s64)uval;

  	if (!tnum_is_const(reg->var_off))
                return false;

        return reg->umin_value != uval || reg->umax_value != uval ||
               reg->smin_value != sval || reg->smax_value != sval;
}

same principle can be applied to
const_subreg_tnum_out_of_sync_with_range_bounds(), which looks like a
very long function name, will something like
subreg_tnum_range_mismatch() capture the idea?
>  
> +static bool const_subreg_tnum_out_of_sync_with_range_bounds(struct bpf_reg_state *reg)
> +{
>  	if (tnum_subreg_is_const(reg->var_off)) {
>  		u32 uval32 = tnum_subreg(reg->var_off).value;
>  		s32 sval32 = (s32)uval32;
>  
>  		if (reg->u32_min_value != uval32 || reg->u32_max_value != uval32 ||
>  		    reg->s32_min_value != sval32 || reg->s32_max_value != sval32) {
> -			msg = "const subreg tnum out of sync with range bounds";
> -			goto out;
> +			return true;
>  		}
>  	}
> +	return false;
> +}
> +
> +static int reg_bounds_sanity_check(struct bpf_verifier_env *env,
> +				   struct bpf_reg_state *reg, const char *ctx)
> +{
> +	const char *msg;
> +
> +	if (range_bounds_violation(reg)) {
> +		msg = "range bounds violation";
> +		goto out;
> +	}
> +
> +	if (const_tnum_out_of_sync_with_range_bounds(reg)) {
> +		msg = "const tnum out of sync with range bounds";
> +		goto out;
> +	}
> +
> +	if (const_subreg_tnum_out_of_sync_with_range_bounds(reg)) {
> +		msg = "const subreg tnum out of sync with range bounds";
> +		goto out;
> +	}
Other than those few nits, the change looks good.
>  
>  	return 0;
>  out:
> -- 
> 2.43.0

next prev parent reply	other threads:[~2026-03-23 14:16 UTC|newest]

Thread overview: 31+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2026-03-20 16:45 [PATCH v2 bpf-next 0/6] Fix invariant violations and improve branch detection Paul Chaignon
2026-03-20 16:47 ` [PATCH v2 bpf-next 1/6] bpf: Refactor reg_bounds_sanity_check Paul Chaignon
2026-03-23  8:01   ` Shung-Hsi Yu
2026-03-23 14:16   ` Mykyta Yatsenko [this message]
2026-03-24 16:56     ` Harishankar Vishwanathan
2026-03-24 18:16       ` Mykyta Yatsenko
2026-03-20 16:49 ` [PATCH v2 bpf-next 2/6] bpf: Use bpf_verifier_env buffers for reg_set_min_max Paul Chaignon
2026-03-23  8:15   ` Shung-Hsi Yu
2026-03-23 15:33   ` Mykyta Yatsenko
2026-03-23 18:42   ` Eduard Zingerman
2026-03-30 12:05     ` Paul Chaignon
2026-03-20 16:49 ` [PATCH v2 bpf-next 3/6] bpf: Exit early if reg_bounds_sync gets invalid inputs Paul Chaignon
2026-03-23 12:12   ` Shung-Hsi Yu
2026-03-24 17:46     ` Harishankar Vishwanathan
2026-03-23 18:47   ` Eduard Zingerman
2026-03-24 19:28     ` Harishankar Vishwanathan
2026-03-24 19:33       ` Eduard Zingerman
2026-03-20 16:49 ` [PATCH v2 bpf-next 4/6] bpf: Simulate branches to prune based on range violations Paul Chaignon
2026-03-23 12:23   ` Shung-Hsi Yu
2026-03-23 16:19   ` Mykyta Yatsenko
2026-03-24 20:36     ` Harishankar Vishwanathan
2026-03-25 13:52       ` Mykyta Yatsenko
2026-03-23 19:05   ` Eduard Zingerman
2026-03-24 23:59     ` Harishankar Vishwanathan
2026-03-25  0:08       ` Eduard Zingerman
2026-03-20 16:50 ` [PATCH v2 bpf-next 5/6] selftests/bpf: Cover invariant violation cases from syzbot Paul Chaignon
2026-03-23 17:46   ` Mykyta Yatsenko
2026-03-28 16:20     ` Paul Chaignon
2026-03-28 17:31       ` Alexei Starovoitov
2026-03-20 16:50 ` [PATCH v2 bpf-next 6/6] selftests/bpf: Remove invariant violation flags Paul Chaignon
2026-03-23 18:04   ` Mykyta Yatsenko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87qzpak4wc.fsf@gmail.com \
    --to=mykyta.yatsenko5@gmail.com \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=harishankar.vishwanathan@gmail.com \
    --cc=paul.chaignon@gmail.com \
    --cc=santosh.nagarakatte@rutgers.edu \
    --cc=shung-hsi.yu@suse.com \
    --cc=srinivas.narayana@rutgers.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox