* [PATCH] bpf/verifier: factor BPF_F_TEST_RND_HI32 flag check out of opt_subreg_zext_lo32_rnd_hi32
From: Emil Tsalapatis @ 2025-07-11 20:11 UTC
To: bpf
Cc: ast, daniel, andrii, martin.lau, eddyz87, song, memxor,
yonghong.song, sched-ext, Emil Tsalapatis
BPF programs can be loaded with the BPF_F_TEST_RND_HI32 flag to instruct
the verifier to randomize the high 32 bits of a register being used as a
subregister. This is done in the opt_subreg_zext_lo32_rnd_hi32 pass that
scans the BPF program instruction by instruction, regardless of whether
the flag is set or not, and testing the flag on every iteration. However,
the flag is not modified at verification time, and the function is a no-op
if it is unset.
Gate the randomization pass behind a single flag check instead of
testing the flag in the main loop of the pass.
Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com>
---
kernel/bpf/verifier.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index e2fcea860755..dc0981205d6a 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -21062,9 +21062,7 @@ static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
int i, patch_len, delta = 0, len = env->prog->len;
struct bpf_insn *insns = env->prog->insnsi;
struct bpf_prog *new_prog;
- bool rnd_hi32;
- rnd_hi32 = attr->prog_flags & BPF_F_TEST_RND_HI32;
zext_patch[1] = BPF_ZEXT_REG(0);
rnd_hi32_patch[1] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, 0);
rnd_hi32_patch[2] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);
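Review bot: the changelog's claim that the function is a no-op without BPF_F_TEST_RND_HI32 is not supported by this hunk, because the context line directly below the removed assignment still sets up `zext_patch[1] = BPF_ZEXT_REG(0)` regardless of the flag, and the function name covers zext_lo32 as well as rnd_hi32. Either show in the commit message that the zero-extension half does nothing when the flag is unset, or keep the `rnd_hi32` local so that only the randomization path is gated. If the removed line was the only use of `attr` inside the function, the parameter should be dropped from the signature in the same patch.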
@@ -21080,9 +21078,6 @@ static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
u8 code, class;
u32 imm_rnd;
- if (!rnd_hi32)
- continue;
-
code = insn.code;
class = BPF_CLASS(code);
if (load_reg == -1)
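Review bot: the removed `if (!rnd_hi32) continue;` follows the block-local declarations `u8 code, class;` and `u32 imm_rnd;`, which suggests it guarded one inner block of the loop body rather than every iteration, so code in the loop outside that block still ran with the flag unset. Deleting the check is only safe if the caller never invokes the function without the flag, and that changes behaviour for everything else the loop does. Note also that the flag was already read once into a local before the loop, so the per-iteration cost being removed is a test of a local bool; the changelog should say what is gained.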
@@ -24700,7 +24695,9 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr, __u3
* insns could be handled correctly.
*/
if (ret == 0 && !bpf_prog_is_offloaded(env->prog->aux)) {
- ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
+ if (attr->prog_flags & BPF_F_TEST_RND_HI32)
+ ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
+
env->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret
: false;
}
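Review bot: with the new `if (attr->prog_flags & BPF_F_TEST_RND_HI32)` guard, a program loaded without the flag skips the pass, `ret` stays 0 from the enclosing `ret == 0` test, and `verifier_zext` is then set to `!ret`, i.e. true, whenever `bpf_jit_needs_zext()` is true. That tells the JIT the verifier performed zero-extension although the pass never ran. Keep the call unconditional here, or make the `verifier_zext` assignment reflect whether the pass actually executed.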
--
2.49.0
* Re: [PATCH] bpf/verifier: factor BPF_F_TEST_RND_HI32 flag check out of opt_subreg_zext_lo32_rnd_hi32
From: Emil Tsalapatis @ 2025-07-11 20:40 UTC
To: bpf
Cc: ast, daniel, andrii, martin.lau, eddyz87, song, memxor,
yonghong.song, sched-ext
This patch is wrong, please disregard. Sorry about the noise.
On Fri, Jul 11, 2025 at 4:12 PM Emil Tsalapatis <emil@etsalapatis.com> wrote:
>
> BPF programs can be loaded with the BPF_F_TEST_RND_HI32 flag to instruct
> the verifier to randomize the high 32 bits of a register being used as a
> subregister. This is done in the opt_subreg_zext_lo32_rnd_hi32 pass that
> scans the BPF program instruction by instruction, regardless of whether
> the flag is set or not, and testing the flag on every iteration. However,
> the flag is not modified at verification time, and the function is a no-op
> if it is unset.
>
> Gate the randomization pass behind a single flag check instead of
> testing the flag in the main loop of the pass.
>
> Signed-off-by: Emil Tsalapatis <emil@etsalapatis.com>
> ---
> kernel/bpf/verifier.c | 9 +++------
> 1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e2fcea860755..dc0981205d6a 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -21062,9 +21062,7 @@ static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
> int i, patch_len, delta = 0, len = env->prog->len;
> struct bpf_insn *insns = env->prog->insnsi;
> struct bpf_prog *new_prog;
> - bool rnd_hi32;
>
> - rnd_hi32 = attr->prog_flags & BPF_F_TEST_RND_HI32;
> zext_patch[1] = BPF_ZEXT_REG(0);
> rnd_hi32_patch[1] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, 0);
> rnd_hi32_patch[2] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);
> @@ -21080,9 +21078,6 @@ static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
> u8 code, class;
> u32 imm_rnd;
>
> - if (!rnd_hi32)
> - continue;
> -
> code = insn.code;
> class = BPF_CLASS(code);
> if (load_reg == -1)
> @@ -24700,7 +24695,9 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr, __u3
> * insns could be handled correctly.
> */
> if (ret == 0 && !bpf_prog_is_offloaded(env->prog->aux)) {
> - ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
> + if (attr->prog_flags & BPF_F_TEST_RND_HI32)
> + ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
> +
> env->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret
> : false;
> }
> --
> 2.49.0
>