Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp5238471rwb; Wed, 17 Aug 2022 13:48:25 -0700 (PDT) X-Google-Smtp-Source: AA6agR4i6Ul1a7qatQji/aOSfTJ0CKB8mvPjqi/H6TwyNF+KDQBCXAw1IByvUOxJ+e2iw25vDkpu X-Received: by 2002:a17:90b:3b85:b0:1f4:f76a:d5f6 with SMTP id pc5-20020a17090b3b8500b001f4f76ad5f6mr5537362pjb.156.1660769304833; Wed, 17 Aug 2022 13:48:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660769304; cv=none; d=google.com; s=arc-20160816; b=h8onjwhmmw5v70R8JzMTd/xm/ClL0ULTSH9gpDjDVbG54eoft7cp8XYdKhXwNISroY 3nPfSmK/mSk0rgrSx7pyR39FpLuDXm3rvlSOf5Tk68jNAjwic/vBCsO4VNRRnmOPXObI WBxY6CKcYjwoXPJmC4yyZat+Ee2OewgEKSkbIiQ1KLdE4wZQxpWBp8DopXLpYOtbNj2B fpvUzUiIYnHweROOHAsv58YmsYLHENhhe8Nh7cXiteW9daTy1IomTU+0PmJ3PBpO/M1a qKFhngCFf5+HVUUPOKWpHoojC64RBTWwW5RemSBBaKVvzaNlKt8Icbmo9t5Pi36r/nmC pj5Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=wxLR9qdC/C+OD171AvAcY8rUqrx97zUiNJtR+oAGM1E=; b=r6KuXQRss79Yh2p9u2jcdMY9FzfHQsrHqqSYj2fVUR5SBFqfZl9dQzL53TCQ0Ruki2 /xHa4R5aKf4Vqbti/Zo1Kmrs1hLbki0VHAhCjH1JxdcyuonjJsqMUPOzl6zXT1BZbVNt MVaTRl3ksNLH2Ywczg5Iq64dv7zT+vq5iPOo2CNQaWK/LcxxddBFslj/fX5YDrJKUHti bJt3tEyalOsaZ2uJnAkUOM8v7kmi8l9g0HQHyMAAuqRha1+BK4KCEjTEEWqFoAp/2Oz+ mxbGVxmhkvM/oBQ92Noi3gGMHL+g88tjs0mmuXCxSAlnqeX5SSLuElj2oxSEt74pDmrt I6QQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h63-20020a638342000000b0041b4079be13si5934366pge.624.2022.08.17.13.48.13; Wed, 17 Aug 2022 13:48:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S242028AbiHQUbm (ORCPT + 99 others); Wed, 17 Aug 2022 16:31:42 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:51612 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S242016AbiHQUbl (ORCPT ); Wed, 17 Aug 2022 16:31:41 -0400 Received: from www62.your-server.de (www62.your-server.de [213.133.104.62]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E67D39DB49; Wed, 17 Aug 2022 13:31:39 -0700 (PDT) Received: from sslproxy04.your-server.de ([78.46.152.42]) by www62.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92.3) (envelope-from ) id 1oOPhL-000F88-8X; Wed, 17 Aug 2022 22:31:31 +0200 Received: from [85.1.206.226] (helo=linux-4.home) by sslproxy04.your-server.de with esmtpsa (TLSv1.3:TLS_AES_256_GCM_SHA384:256) (Exim 4.92) (envelope-from ) id 1oOPhK-0009zo-Ty; Wed, 17 Aug 2022 22:31:30 +0200 Subject: Re: [PATCH 1/2] bpf: Fix 32bit bounds update in ALU64 To: Youlin Li , haoluo@google.com Cc: ast@kernel.org, john.fastabend@gmail.com, andrii@kernel.org, martin.lau@linux.dev, song@kernel.org, yhs@fb.com, kpsingh@kernel.org, sdf@google.com, jolsa@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org References: <9f954e67-67fc-e3b9-d810-22bfea95d2aa@iogearbox.net> <20220810100849.25710-1-liulin063@gmail.com> From: Daniel Borkmann Message-ID: <5d2addca-10e5-f7a6-9efd-43322eec8347@iogearbox.net> Date: Wed, 17 Aug 2022 22:31:30 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.7.2 MIME-Version: 1.0 In-Reply-To: <20220810100849.25710-1-liulin063@gmail.com> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit X-Authenticated-Sender: daniel@iogearbox.net X-Virus-Scanned: Clear (ClamAV 0.103.6/26630/Wed Aug 17 09:53:39 2022) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 8/10/22 12:08 PM, Youlin Li wrote: > The commit ("bpf: Do more tight ALU bounds tracking") introduces a bug > that fails some selftests. > > in previous versions of the code, when > __reg_combine_64_into_32() was called, the 32bit boundary was > completely deduced from the 64bit boundary, so there was a call to > __mark_reg32_unbounded() in __reg_combine_64_into_32(). But before > adjust_scalar_min_max_vals() calls > __reg_combine_64_into_32() , the 32bit bounds are already calculated > to some extent, and __mark_reg32_unbounded() will eliminate these > information. > > Simply remove the call to __reg_combine_64_into_32() and copying a code > without __mark_reg32_unbounded() should work. > > Before: > ./test_verifier 142 > #142/p bounds check after truncation of non-boundary-crossing range FAIL > Failed to load prog 'Permission denied'! > invalid access to map value, value_size=8 off=16777215 size=1 > R0 max value is outside of the allowed memory range > verification time 149 usec > stack depth 8 > processed 15 insns (limit 1000000) max_states_per_insn 0 > total_states 0 peak_states 0 mark_read 0 > Summary: 0 PASSED, 1 SKIPPED, 1 FAILED > > After: > ./test_verifier 142 > #142/p bounds check after truncation of non-boundary-crossing range OK > Summary: 1 PASSED, 1 SKIPPED, 0 FAILED > > Signed-off-by: Youlin Li > --- > kernel/bpf/verifier.c | 12 +++++++++++- > 1 file changed, 11 insertions(+), 1 deletion(-) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 11d8bb54ba6b..7ea6e0372d62 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -9014,7 +9014,17 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, > /* ALU32 ops are zero extended into 64bit register */ > zext_32_to_64(dst_reg); > } else { > - __reg_combine_64_into_32(dst_reg); > + if (__reg64_bound_s32(dst_reg->smin_value) && > + __reg64_bound_s32(dst_reg->smax_value)) { > + dst_reg->s32_min_value = (s32)dst_reg->smin_value; > + dst_reg->s32_max_value = (s32)dst_reg->smax_value; > + } > + if (__reg64_bound_u32(dst_reg->umin_value) && > + __reg64_bound_u32(dst_reg->umax_value)) { > + dst_reg->u32_min_value = (u32)dst_reg->umin_value; > + dst_reg->u32_max_value = (u32)dst_reg->umax_value; > + } > + reg_bounds_sync(dst_reg); Hm, this doesn't apply to the bpf tree. Is this on top of your previous patch [0]? Please squash both together in that case and resubmit your previous one as a v2. [0] https://lore.kernel.org/bpf/9f954e67-67fc-e3b9-d810-22bfea95d2aa@iogearbox.net/ Thanks, Daniel