From: Paul Chaignon <paul.chaignon@gmail.com>
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
Eduard Zingerman <eddyz87@gmail.com>,
Harishankar Vishwanathan <harishankar.vishwanathan@gmail.com>,
Srinivas Narayana <srinivas.narayana@rutgers.edu>,
Santosh Nagarakatte <santosh.nagarakatte@rutgers.edu>
Subject: [PATCH v2 bpf 0/4] Fix invariant violation for single-value tnums
Date: Fri, 20 Feb 2026 14:55:04 +0100 [thread overview]
Message-ID: <cover.1771594636.git.paul.chaignon@gmail.com> (raw)
We're hitting an invariant violation in Cilium that sometimes leads to
BPF programs being rejected and Cilium failing to start [1]. As far as
I know this is the first case of invariant violation found in a real
program (i.e., not by a fuzzer). The following extract from verifier
logs shows what's happening:
from 201 to 236: R1=0 R6=ctx() R7=1 R9=scalar(smin=umin=smin32=umin32=3584,smax=umax=smax32=umax32=3840,var_off=(0xe00; 0x100)) R10=fp0
236: R1=0 R6=ctx() R7=1 R9=scalar(smin=umin=smin32=umin32=3584,smax=umax=smax32=umax32=3840,var_off=(0xe00; 0x100)) R10=fp0
; if (magic == MARK_MAGIC_HOST || magic == MARK_MAGIC_OVERLAY || magic == MARK_MAGIC_ENCRYPT) @ bpf_host.c:1337
236: (16) if w9 == 0xe00 goto pc+45 ; R9=scalar(smin=umin=smin32=umin32=3585,smax=umax=smax32=umax32=3840,var_off=(0xe00; 0x100))
237: (16) if w9 == 0xf00 goto pc+1
verifier bug: REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0xe01, 0xe00] s64=[0xe01, 0xe00] u32=[0xe01, 0xe00] s32=[0xe01, 0xe00] var_off=(0xe00, 0x0)
More details are given in the second patch, but in short, the verifier
should be able to detect that the false branch of instruction 237 is
never true. After instruction 236, the u64 range and the tnum overlap
in a single value, 0xf00.
The long-term solution to invariant violation is likely to rely on the
refinement + invariant violation check to detect dead branches, as
started by Eduard. To fix the current issue, we need something with
less refactoring that we can backport to affected kernels.
The solution implemented in the second patch is to improve the bounds
refinement to avoid this case. It relies on a new tnum helper,
tnum_step, first sent as an RFC in [2]. The last two patches extend and
update the selftests.
Link: https://github.com/cilium/cilium/issues/44216 [1]
Link: https://lore.kernel.org/bpf/20251107192328.2190680-2-harishankar.vishwanathan@gmail.com/ [2]
Changes in v2:
- Add guard suggested by Hari in tnum_step, to avoid undefined
behavior spotted by AI code review.
- Add explanation diagrams in code as suggested by Eduard.
- Rework conditions for readability as suggested by Eduard.
- Updated reference to SMT formula.
- Rebased.
Harishankar Vishwanathan (1):
bpf: Introduce tnum_step to step through tnum's members
Paul Chaignon (3):
bpf: Improve bounds when tnum has a single possible value
selftests/bpf: Test refinement of single-value tnum
selftests/bpf: Avoid simplification of crafted bounds test
include/linux/tnum.h | 3 +
kernel/bpf/tnum.c | 56 ++++++++++++
kernel/bpf/verifier.c | 30 ++++++
.../selftests/bpf/prog_tests/reg_bounds.c | 2 +-
.../selftests/bpf/progs/verifier_bounds.c | 91 +++++++++++++++++++
5 files changed, 181 insertions(+), 1 deletion(-)
--
2.43.0
next reply other threads:[~2026-02-20 13:55 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-20 13:55 Paul Chaignon [this message]
2026-02-20 13:56 ` [PATCH v2 bpf 1/4] bpf: Introduce tnum_step to step through tnum's members Paul Chaignon
2026-02-20 13:57 ` [PATCH v2 bpf 2/4] bpf: Improve bounds when tnum has a single possible value Paul Chaignon
2026-02-20 14:29 ` bot+bpf-ci
2026-02-20 23:27 ` Eduard Zingerman
2026-02-20 13:57 ` [PATCH v2 bpf 3/4] selftests/bpf: Test refinement of single-value tnum Paul Chaignon
2026-02-21 0:20 ` Eduard Zingerman
2026-02-25 10:21 ` Paul Chaignon
2026-02-26 9:27 ` Eduard Zingerman
2026-02-20 13:58 ` [PATCH v2 bpf 4/4] selftests/bpf: Avoid simplification of crafted bounds test Paul Chaignon
2026-02-21 0:34 ` Eduard Zingerman
2026-02-20 19:45 ` [PATCH v2 bpf 0/4] Fix invariant violation for single-value tnums Marco Schirrmeister
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=cover.1771594636.git.paul.chaignon@gmail.com \
--to=paul.chaignon@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=harishankar.vishwanathan@gmail.com \
--cc=santosh.nagarakatte@rutgers.edu \
--cc=srinivas.narayana@rutgers.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox