* [PATCH bpf-next v2 0/2] bpf: Fix tnum_overlap to check for zero mask intersection @ 2025-10-28 15:19 KaFai Wan 2025-10-28 15:19 ` [PATCH bpf-next v2 1/2] " KaFai Wan 2025-10-28 15:19 ` [PATCH bpf-next v2 2/2] selftests/bpf: Range analysis test case for JEQ KaFai Wan 0 siblings, 2 replies; 5+ messages in thread From: KaFai Wan @ 2025-10-28 15:19 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, kafai.wan, harishankar.vishwanathan, colin.i.king, luis.gerhorst, shung-hsi.yu, bpf, linux-kernel, linux-kselftest This small patchset is about avoid verifier bug warning when tnum_overlap() is called with zero mask intersection. v2: - fix runtime error v1: https://lore.kernel.org/all/20251026163806.3300636-1-kafai.wan@linux.dev/ --- KaFai Wan (2): bpf: Fix tnum_overlap to check for zero mask intersection selftests/bpf: Range analysis test case for JEQ kernel/bpf/tnum.c | 2 ++ .../selftests/bpf/progs/verifier_bounds.c | 23 +++++++++++++++++++ 2 files changed, 25 insertions(+) -- 2.43.0 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH bpf-next v2 1/2] bpf: Fix tnum_overlap to check for zero mask intersection 2025-10-28 15:19 [PATCH bpf-next v2 0/2] bpf: Fix tnum_overlap to check for zero mask intersection KaFai Wan @ 2025-10-28 15:19 ` KaFai Wan 2025-10-28 15:45 ` bot+bpf-ci 2025-10-28 15:19 ` [PATCH bpf-next v2 2/2] selftests/bpf: Range analysis test case for JEQ KaFai Wan 1 sibling, 1 reply; 5+ messages in thread From: KaFai Wan @ 2025-10-28 15:19 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, kafai.wan, harishankar.vishwanathan, colin.i.king, luis.gerhorst, shung-hsi.yu, bpf, linux-kernel, linux-kselftest Cc: syzbot+c950cc277150935cc0b5 Syzbot reported a kernel warning due to a range invariant violation in the BPF verifier. The issue occurs when tnum_overlap() fails to detect that two tnums don't have any overlapping bits. The problematic BPF program: 0: call bpf_get_prandom_u32 1: r6 = r0 2: r6 &= 0xFFFFFFFFFFFFFFF0 3: r7 = r0 4: r7 &= 0x07 5: r7 -= 0xFF 6: if r6 == r7 goto <exit> After instruction 5, R7 has the range: R7: u64=[0xffffffffffffff01, 0xffffffffffffff08] var_off=(0xffffffffffffff00; 0xf) R6 and R7 don't overlap since they have no agreeing bits. However, is_branch_taken() fails to recognize this, causing the verifier to refine register bounds and trigger range bounds violation: 6: if r6 == r7 goto <exit> true_reg1: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) true_reg2: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) The root cause is that tnum_overlap() doesn't properly handle the case where the masks have no overlapping bits. Fix this by adding an early check for zero mask intersection in tnum_overlap(). Reported-by: syzbot+c950cc277150935cc0b5@syzkaller.appspotmail.com Fixes: f41345f47fb2 ("bpf: Use tnums for JEQ/JNE is_branch_taken logic") Signed-off-by: KaFai Wan <kafai.wan@linux.dev> --- kernel/bpf/tnum.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/kernel/bpf/tnum.c b/kernel/bpf/tnum.c index f8e70e9c3998..1a75b7c9a73a 100644 --- a/kernel/bpf/tnum.c +++ b/kernel/bpf/tnum.c @@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b) { u64 mu; + if (a.mask && b.mask && !(a.mask & b.mask)) + return false; mu = ~a.mask & ~b.mask; return (a.value & mu) == (b.value & mu); } -- 2.43.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH bpf-next v2 1/2] bpf: Fix tnum_overlap to check for zero mask intersection 2025-10-28 15:19 ` [PATCH bpf-next v2 1/2] " KaFai Wan @ 2025-10-28 15:45 ` bot+bpf-ci 2025-10-28 17:18 ` Eduard Zingerman 0 siblings, 1 reply; 5+ messages in thread From: bot+bpf-ci @ 2025-10-28 15:45 UTC (permalink / raw) To: kafai.wan, ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, kafai.wan, harishankar.vishwanathan, colin.i.king, luis.gerhorst, shung-hsi.yu, bpf, linux-kernel, linux-kselftest Cc: syzbot+c950cc277150935cc0b5, ast, andrii, daniel, martin.lau, eddyz87, yonghong.song, clm, ihor.solodrai [-- Attachment #1: Type: text/plain, Size: 1887 bytes --] ``` commit 16cbc4520eb13d2065d145c76b97fb93035d81e8 Author: KaFai Wan <kafai.wan@linux.dev> bpf: Fix tnum_overlap to check for zero mask intersection This patch adds an early return check in tnum_overlap() to detect non-overlapping tnums when their masks have no overlapping bits. The fix addresses a syzbot report where the verifier failed to recognize that two tnums couldn't represent the same value. Reported-by: syzbot+c950cc277150935cc0b5@syzkaller.appspotmail.com > diff --git a/kernel/bpf/tnum.c b/kernel/bpf/tnum.c > index f8e70e9c3..1a75b7c9a 100644 > --- a/kernel/bpf/tnum.c > +++ b/kernel/bpf/tnum.c > @@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b) > { > u64 mu; > > + if (a.mask && b.mask && !(a.mask & b.mask)) > + return false; ^^^^^ Does this logic correctly detect non-overlapping tnums? Consider this counter-example: a = (value=0x5, mask=0xA) // binary: value=0101, mask=1010 b = (value=0xA, mask=0x5) // binary: value=1010, mask=0101 The masks are disjoint: (0xA & 0x5) == 0, so the new check returns false (no overlap). However, these tnums actually represent overlapping sets: a represents: {5, 7, 13, 15} // 0b0101, 0b0111, 0b1101, 0b1111 b represents: {10, 11, 14, 15} // 0b1010, 0b1011, 0b1110, 0b1111 Both sets contain 15, so they do overlap. Can this cause incorrect verifier behavior when is_branch_taken() calls tnum_overlap() to determine if JEQ/JNE branches are reachable? > mu = ~a.mask & ~b.mask; > return (a.value & mu) == (b.value & mu); > } ``` --- AI reviewed your patch. Please fix the bug or email reply why it's not a bug. See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md In-Reply-To-Subject: `bpf: Fix tnum_overlap to check for zero mask intersection` CI run summary: https://github.com/kernel-patches/bpf/actions/runs/18880108453 ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH bpf-next v2 1/2] bpf: Fix tnum_overlap to check for zero mask intersection 2025-10-28 15:45 ` bot+bpf-ci @ 2025-10-28 17:18 ` Eduard Zingerman 0 siblings, 0 replies; 5+ messages in thread From: Eduard Zingerman @ 2025-10-28 17:18 UTC (permalink / raw) To: bot+bpf-ci, kafai.wan, ast, daniel, john.fastabend, andrii, martin.lau, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, harishankar.vishwanathan, colin.i.king, luis.gerhorst, shung-hsi.yu, bpf, linux-kernel, linux-kselftest Cc: syzbot+c950cc277150935cc0b5, martin.lau, clm, ihor.solodrai On Tue, 2025-10-28 at 15:45 +0000, bot+bpf-ci@kernel.org wrote: > ``` > commit 16cbc4520eb13d2065d145c76b97fb93035d81e8 > Author: KaFai Wan <kafai.wan@linux.dev> > > bpf: Fix tnum_overlap to check for zero mask intersection > > This patch adds an early return check in tnum_overlap() to detect > non-overlapping tnums when their masks have no overlapping bits. The > fix addresses a syzbot report where the verifier failed to recognize > that two tnums couldn't represent the same value. > > Reported-by: syzbot+c950cc277150935cc0b5@syzkaller.appspotmail.com > > > diff --git a/kernel/bpf/tnum.c b/kernel/bpf/tnum.c > > index f8e70e9c3..1a75b7c9a 100644 > > --- a/kernel/bpf/tnum.c > > +++ b/kernel/bpf/tnum.c > > @@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b) > > { > > u64 mu; > > > > + if (a.mask && b.mask && !(a.mask & b.mask)) > > + return false; > ^^^^^ > > Does this logic correctly detect non-overlapping tnums? Consider this > counter-example: > > a = (value=0x5, mask=0xA) // binary: value=0101, mask=1010 > b = (value=0xA, mask=0x5) // binary: value=1010, mask=0101 > > The masks are disjoint: (0xA & 0x5) == 0, so the new check returns > false (no overlap). > > However, these tnums actually represent overlapping sets: > a represents: {5, 7, 13, 15} // 0b0101, 0b0111, 0b1101, 0b1111 > b represents: {10, 11, 14, 15} // 0b1010, 0b1011, 0b1110, 0b1111 > > Both sets contain 15, so they do overlap. Can this cause incorrect > verifier behavior when is_branch_taken() calls tnum_overlap() to > determine if JEQ/JNE branches are reachable? This is a legit bug, please address. > > mu = ~a.mask & ~b.mask; > > return (a.value & mu) == (b.value & mu); > > } > > > ``` > > --- > AI reviewed your patch. Please fix the bug or email reply why it's not a bug. > See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md > > In-Reply-To-Subject: `bpf: Fix tnum_overlap to check for zero mask intersection` > CI run summary: https://github.com/kernel-patches/bpf/actions/runs/18880108453 ^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH bpf-next v2 2/2] selftests/bpf: Range analysis test case for JEQ 2025-10-28 15:19 [PATCH bpf-next v2 0/2] bpf: Fix tnum_overlap to check for zero mask intersection KaFai Wan 2025-10-28 15:19 ` [PATCH bpf-next v2 1/2] " KaFai Wan @ 2025-10-28 15:19 ` KaFai Wan 1 sibling, 0 replies; 5+ messages in thread From: KaFai Wan @ 2025-10-28 15:19 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, kafai.wan, harishankar.vishwanathan, colin.i.king, luis.gerhorst, shung-hsi.yu, bpf, linux-kernel, linux-kselftest This patch adds coverage for the warning detected by syzkaller and fixed in the previous patch. Without the previous patch, this test fails with: verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0xffffffffffffff01, 0xffffffffffffff00] s64=[0xffffffffffffff01, 0xffffffffffffff00] u32=[0xffffff01, 0xffffff00] s32=[0xffffff00, 0xffffff00] var_off=(0xffffffffffffff00, 0x0) verifier bug: REG INVARIANTS VIOLATION (true_reg2): range bounds violation u64=[0xffffffffffffff01, 0xffffffffffffff00] s64=[0xffffffffffffff01, 0xffffffffffffff00] u32=[0xffffff01, 0xffffff00] s32=[0xffffff01, 0xffffff00] var_off=(0xffffffffffffff00, 0x0) Signed-off-by: KaFai Wan <kafai.wan@linux.dev> --- .../selftests/bpf/progs/verifier_bounds.c | 23 +++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c index 0a72e0228ea9..304ab5a07a3b 100644 --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c @@ -1550,6 +1550,29 @@ l0_%=: r0 = 0; \ : __clobber_all); } +SEC("socket") +__description("dead branch on jeq, does not result in invariants violation error") +__success __log_level(2) +__retval(0) __flag(BPF_F_TEST_REG_INVARIANTS) +__naked void jeq_range_analysis(void) +{ + asm volatile (" \ + call %[bpf_get_prandom_u32]; \ + r6 = r0; \ + r6 &= 0xFFFFFFFFFFFFFFF0; \ + r7 = r0; \ + r7 &= 0x07; \ + r7 -= 0xFF; \ + if r6 == r7 goto l1_%=; \ +l0_%=: r0 = 0; \ + exit; \ +l1_%=: r0 = 1; \ + exit; \ +" : + : __imm(bpf_get_prandom_u32) + : __clobber_all); +} + /* This test covers the bounds deduction on 64bits when the s64 and u64 ranges * overlap on the negative side. At instruction 7, the ranges look as follows: * -- 2.43.0 ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2025-10-28 17:18 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2025-10-28 15:19 [PATCH bpf-next v2 0/2] bpf: Fix tnum_overlap to check for zero mask intersection KaFai Wan 2025-10-28 15:19 ` [PATCH bpf-next v2 1/2] " KaFai Wan 2025-10-28 15:45 ` bot+bpf-ci 2025-10-28 17:18 ` Eduard Zingerman 2025-10-28 15:19 ` [PATCH bpf-next v2 2/2] selftests/bpf: Range analysis test case for JEQ KaFai Wan
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).