bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Yonghong Song <yonghong.song@linux.dev>
To: Ihor Solodrai <ihor.solodrai@linux.dev>, andrii@kernel.org
Cc: bpf@vger.kernel.org, ast@kernel.org, daniel@iogearbox.net,
	eddyz87@gmail.com, mykolal@fb.com, kernel-team@meta.com
Subject: Re: [PATCH bpf-next v2 2/3] selftests/bpf: add cmp_map_pointer_with_const test
Date: Thu, 5 Jun 2025 08:25:59 -0700	[thread overview]
Message-ID: <a12a01df-a449-4d2b-bf46-2e6b1001f16c@linux.dev> (raw)
In-Reply-To: <af401134-2475-44bd-b387-4e37575bede8@linux.dev>



On 6/4/25 1:58 PM, Ihor Solodrai wrote:
> On 6/4/25 1:42 PM, Yonghong Song wrote:
>>
>>
>> On 6/4/25 9:44 AM, Ihor Solodrai wrote:
>>> On 6/3/25 5:37 PM, Ihor Solodrai wrote:
>>>> Add a test for CONST_PTR_TO_MAP comparison with a non-0 constant. A
>>>> BPF program with this code must not pass verification in unpriv.
>>>>
>>>> Signed-off-by: Ihor Solodrai <isolodrai@meta.com>
>>>> ---
>>>>   .../selftests/bpf/progs/verifier_unpriv.c       | 17 
>>>> +++++++++++++++++
>>>>   1 file changed, 17 insertions(+)
>>>>
>>>> diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/ 
>>>> tools/testing/selftests/bpf/progs/verifier_unpriv.c
>>>> index 28200f068ce5..85b41f927272 100644
>>>> --- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
>>>> +++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
>>>> @@ -634,6 +634,23 @@ l0_%=:    r0 = 0;                        \
>>>>       : __clobber_all);
>>>>   }
>>>>   +SEC("socket")
>>>> +__description("unpriv: cmp map pointer with const")
>>>> +__success __failure_unpriv __msg_unpriv("R1 pointer comparison 
>>>> prohibited")
>>>> +__retval(0)
>>>> +__naked void cmp_map_pointer_with_const(void)
>>>> +{
>>>> +    asm volatile ("                    \
>>>> +    r1 = 0;                        \
>>>> +    r1 = %[map_hash_8b] ll;                \
>>>> +    if r1 == 0xcafefeeddeadbeef goto l0_%=;        \
>>>
>>> GCC BPF caught (correctly) that this is not a valid instruction 
>>> because imm is supposed to be 32bit [1]:
>>>
>>>     progs/verifier_unpriv.c: Assembler messages:
>>>     progs/verifier_unpriv.c:643: Error: immediate out of range, 
>>> shall fit in 32 bits
>>>     make: *** [Makefile:751: /tmp/work/bpf/bpf/src/tools/testing/ 
>>> selftests/bpf/bpf_gcc/verifier_unpriv.bpf.o] Error 1
>>>
>>> But LLVM 20 let it compile and the test passes. I wonder whether 
>>> it's a bug in LLVM worth reporting?
>>>
>>> [1] https://github.com/kernel-patches/bpf/actions/runs/15430930573/ 
>>> job/43428666342
>>
>> This is a missed case for llvm. See:
>> https://github.com/llvm/llvm-project/blob/main/llvm/lib/Target/BPF/ 
>> MCTargetDesc/BPFMCCodeEmitter.cpp#L82-L85
>> Basically for the following code,
>>
>> unsigned BPFMCCodeEmitter::getMachineOpValue(const MCInst &MI,
>>                                               const MCOperand &MO,
>> SmallVectorImpl<MCFixup> &Fixups,
>>                                               const MCSubtargetInfo 
>> &STI) const {
>>    if (MO.isReg())
>>      return MRI.getEncodingValue(MO.getReg());
>>    if (MO.isImm())
>>      return static_cast<unsigned>(MO.getImm());
>>
>> For 'static_cast<unsigned>(MO.getImm())', MO.getImm() value is a s64, 
>> so casting to u32 should check
>> the value range and we didn't check them, hence didn't report an error.
>
> I see. Out of curiosity I looked at llvm-objdump and indeed only lower
> 32 bits are in the binary:
>
> 0000000000000320 <cmp_map_pointer_with_const>:
>      100:       b7 01 00 00 00 00 00 00 r1 = 0x0
>      101:       18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 r1 = 
> 0x0 ll
>      103:       15 01 00 00 ef be ad de if r1 == -0x21524111 goto +0x0 
> <l0_11>

FYI, I just submitted a fix https://github.com/llvm/llvm-project/pull/142989
which will emit the same error messages as gcc if the value cannot fit into
32bit (32bit value will do sign extension to 64bit value).


  reply	other threads:[~2025-06-05 15:26 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-06-04  0:37 [PATCH bpf-next v2 1/3] bpf: make reg_not_null() true for CONST_PTR_TO_MAP Ihor Solodrai
2025-06-04  0:37 ` [PATCH bpf-next v2 2/3] selftests/bpf: add cmp_map_pointer_with_const test Ihor Solodrai
2025-06-04 16:44   ` Ihor Solodrai
2025-06-04 20:42     ` Yonghong Song
2025-06-04 20:58       ` Ihor Solodrai
2025-06-05 15:25         ` Yonghong Song [this message]
2025-06-04  0:37 ` [PATCH bpf-next v2 3/3] selftests/bpf: add test cases with CONST_PTR_TO_MAP null checks Ihor Solodrai

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=a12a01df-a449-4d2b-bf46-2e6b1001f16c@linux.dev \
    --to=yonghong.song@linux.dev \
    --cc=andrii@kernel.org \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=daniel@iogearbox.net \
    --cc=eddyz87@gmail.com \
    --cc=ihor.solodrai@linux.dev \
    --cc=kernel-team@meta.com \
    --cc=mykolal@fb.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).