From: Paul Chaignon <paul.chaignon@gmail.com>
To: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Cc: bpf@vger.kernel.org,
Harishankar Vishwanathan <harishankar.vishwanathan@gmail.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>
Subject: Re: [PATCH bpf-next 2/4] bpf: Simulate branches to prune based on range violations
Date: Thu, 19 Mar 2026 00:50:34 +0100 [thread overview]
Message-ID: <abs6SmlOId9IVidk@mail.gmail.com> (raw)
In-Reply-To: <swmeukekw55emiwcduoq4jpjk6hwqk7nzxbcs4xgw4mir5ldd7@mqyinrubwmlo>
On Tue, Mar 17, 2026 at 02:14:48PM +0800, Shung-Hsi Yu wrote:
> On Fri, Mar 13, 2026 at 11:54:43PM +0100, Paul Chaignon wrote:
> > From: Harishankar Vishwanathan <harishankar.vishwanathan@gmail.com>
> >
> > This patch fixes the invariant violation warnings. These warnings
>
> Nit: I would say this patch fix the invariant violation (minus the
> warning part), warning are gone after this, but that because we have
> fixed the caused of the warning.
I wondered about the same when writing this :) I thought it best to not
claim too much and be specific to the invariant violation we currently
warn about as technically there could be others.
>
> > happen after we refine ranges & tnum based on an incorrectly-detected
> > branch condition. For example, the branch is always true, but we miss
> > it in is_branch_taken; we then refine based on the branch being false
> > and end up with incoherent ranges (e.g. umax < umin).
> ...
> > Fixes: 5f99f312bd3b ("bpf: add register bounds sanity checks and sanitization")
>
> Following the thought above, I am uncertain about the fixes tag here.
> Commit 5f99f312bd3b surface the invariant violation as warning, but
> invariant violation still happens before that, we just don't catch it.
> That actual root cause would probably go even further back, but probably
> would be too much of a hassle to figure out. Maybe drop the tag?
Yep, that has been a question even for the previous invariant violation
fixes I've sent. On one hand, what is usually being reported as the bug
is the unecessary warning. But on the other hand, as you say, the
warning just surfaces an existing bug which we are fixing.
>
> Put it in another way. If a tool uses this fixes tag to determine where
> this fix needs to be applied in stable, it would determine it is only
> needed for anything v6.8+, when 5f99f312bd3b is merged. But this patch
> probably should was be applied to stable kernel before v6.8, because
> IIUC invariant violation likely also happens there.
Yes, that's definitely a good point. We probably don't even want to
backport this to stable kernels (at least not until we've built more
confidence via syzbot). We'll drop the tag.
>
> > Reported-by: syzbot+c950cc277150935cc0b5@syzkaller.appspotmail.com
> > Closes: https://syzkaller.appspot.com/bug?extid=c950cc277150935cc0b5
> > Co-developed-by: Paul Chaignon <paul.chaignon@gmail.com>
> > Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
> > Signed-off-by: Harishankar Vishwanathan <harishankar.vishwanathan@gmail.com>
> ...
next prev parent reply other threads:[~2026-03-18 23:50 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-13 22:53 [PATCH bpf-next 0/4] Fix invariant violations and improve branch detection Paul Chaignon
2026-03-13 22:54 ` [PATCH bpf-next 1/4] bpf: Refactor reg_bounds_sanity_check Paul Chaignon
2026-03-13 22:54 ` [PATCH bpf-next 2/4] bpf: Simulate branches to prune based on range violations Paul Chaignon
2026-03-13 23:35 ` bot+bpf-ci
2026-03-14 0:05 ` Eduard Zingerman
2026-03-14 5:01 ` Harishankar Vishwanathan
2026-03-16 17:09 ` Eduard Zingerman
2026-03-19 0:13 ` Paul Chaignon
2026-03-17 6:14 ` Shung-Hsi Yu
2026-03-18 23:50 ` Paul Chaignon [this message]
2026-03-19 7:09 ` Shung-Hsi Yu
2026-03-19 17:13 ` Paul Chaignon
2026-03-19 17:17 ` Paul Chaignon
2026-03-20 5:49 ` Shung-Hsi Yu
2026-03-13 22:55 ` [PATCH bpf-next 3/4] selftests/bpf: Cover invariant violation cases from syzbot Paul Chaignon
2026-03-13 23:35 ` bot+bpf-ci
2026-03-13 22:55 ` [PATCH bpf-next 4/4] selftests/bpf: Remove invariant violation flags Paul Chaignon
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=abs6SmlOId9IVidk@mail.gmail.com \
--to=paul.chaignon@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=harishankar.vishwanathan@gmail.com \
--cc=shung-hsi.yu@suse.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox