From: Andrii Nakryiko
Date: Tue, 28 Nov 2023 21:46:14 -0800
Subject: Re: [Bug Report] bpf: reg invariant violation after JSET
To: Hao Sun
Cc: Andrii Nakryiko, Alexei Starovoitov, Daniel Borkmann, John Fastabend, Martin KaFai Lau, Song Liu, Yonghong Song, KP Singh, Stanislav Fomichev, Jiri Olsa, bpf, Linux Kernel Mailing List
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Nov 21, 2023 at 4:57 AM Hao Sun wrote:
>
> Hi,
>
> The following program (reduced) breaks reg invariant:
>
> C Repro: https://pastebin.com/raw/FmM9q9D4
>
> -------- Verifier Log --------
> func#0 @0
> 0: R1=ctx() R10=fp0
> 0: (18) r8 = 0x3d ; R8_w=61
> 2: (85) call bpf_ktime_get_ns#5 ; R0_w=scalar()
> 3: (ce) if w8 s< w0 goto pc+1 ; R0_w=scalar(smax32=61) R8_w=61
> 4: (95) exit
>
> from 3 to 5: R0_w=scalar(smin=0x800000000000003e,smax=0x7fffffff7fffffff,umin=smin32=umin32=62,umax=0xffffffff7fffffff,umax32=0x7fffffff,var_off=(0x0; 0xffffffff7fffffff)) R8_w=61 R10=fp0
> 5: R0_w=scalar(smin=0x800000000000003e,smax=0x7fffffff7fffffff,umin=smin32=umin32=62,umax=0xffffffff7fffffff,umax32=0x7fffffff,var_off=(0x0; 0xffffffff7fffffff)) R8_w=61 R10=fp0
> 5: (45) if r0 & 0xfffffff7 goto pc+2
> REG INVARIANTS VIOLATION (false_reg1): range bounds violation
> u64=[0x3e, 0x8] s64=[0x3e, 0x8] u32=[0x3e, 0x8] s32=[0x3e, 0x8]
> var_off=(0x0, 0x8)
> 5: R0_w=scalar(var_off=(0x0; 0x8))
> 6: (dd) if r0 s<= r8 goto pc+1
> REG INVARIANTS VIOLATION (false_reg1): range bounds violation
> u64=[0x0, 0x8] s64=[0x3e, 0x8] u32=[0x0, 0x8] s32=[0x0, 0x8]
> var_off=(0x0, 0x8)
> 6: R0_w=scalar(var_off=(0x0; 0x8)) R8_w=61
> 7: (bc) w1 = w0 ; R0=scalar(var_off=(0x0; 0x8)) R1=scalar(smin=smin32=0,smax=umax=smax32=umax32=8,var_off=(0x0; 0x8))
> 8: (95) exit
>
> from 6 to 8: safe
>
> from 5 to 8: safe
> processed 10 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
>
> The tnum after #5 is correct, but the ranges are incorrect, which seems to be a bug in
> reg_bounds_sync(). Thoughts?
>

It would be great if, in addition to reporting the bug and repro program, you could also try to analyse why this is happening and suggest fixes in the verifier.

As I mentioned in another email, when we see REG INVARIANTS VIOLATION, the verifier reverts to a conservative unknown scalar register state. We should try to avoid this pessimistic outcome, but generally speaking it should not be a critical bug.

> Best
> Hao Sun
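As an added illustration (not code from the report or from the kernel), a small Python model of the verifier's tnum and u64-range state reproduces the derivation at insn 5: clearing every bit of the sign-extended JSET immediate gives var_off=(0x0; 0x8), and syncing the range against that tnum yields u64=[0x3e, 0x8], i.e. umin > umax, the infeasible state the violation message reports. The `take_jset_false` helper is an assumption about one possible handling (pruning the dead branch rather than resetting the register to an unknown scalar), not the kernel's actual fix.

```python
# Added model (not kernel code) of the verifier's tnum + u64-range state for
# the JSET false branch from the log above.
from dataclasses import dataclass
from typing import Optional

M64 = (1 << 64) - 1


def sign_extend32(imm32: int) -> int:
    """64-bit BPF ALU/JMP immediates are 32-bit values sign-extended to 64 bits."""
    imm32 &= 0xffffffff
    return (imm32 | 0xffffffff00000000) if imm32 & 0x80000000 else imm32


@dataclass(frozen=True)
class Tnum:
    value: int  # bits known to be 1
    mask: int   # bits whose value is unknown


@dataclass(frozen=True)
class Reg:
    umin: int
    umax: int
    var_off: Tnum


def tnum_clear_bits(t: Tnum, bits: int) -> Tnum:
    """Mark every bit set in `bits` as known-zero (tnum_and with ~bits)."""
    return Tnum(t.value & ~bits & M64, t.mask & ~bits & M64)


def jset_false_branch(reg: Reg, imm32: int) -> Reg:
    """False branch of `if rX & imm goto`: rX & imm == 0, so all imm bits are 0."""
    return Reg(reg.umin, reg.umax, tnum_clear_bits(reg.var_off, sign_extend32(imm32)))


def reg_bounds_sync(reg: Reg) -> Reg:
    """Tighten the u64 range from var_off: value <= x <= value | mask."""
    t = reg.var_off
    return Reg(max(reg.umin, t.value), min(reg.umax, t.value | t.mask), t)


def is_feasible(reg: Reg) -> bool:
    return reg.umin <= reg.umax


def take_jset_false(reg: Reg, imm32: int) -> Optional[Reg]:
    """Assumed handling, not the kernel's fix: refine, sync, prune if infeasible."""
    new = reg_bounds_sync(jset_false_branch(reg, imm32))
    return new if is_feasible(new) else None


# R0 at insn 5 as printed in the log (copied from the report, not constructed).
R0_AT_INSN5 = Reg(umin=62, umax=0xffffffff7fffffff, var_off=Tnum(0x0, 0xffffffff7fffffff))
```

Running `reg_bounds_sync(jset_false_branch(R0_AT_INSN5, 0xfffffff7))` gives var_off=(0x0; 0x8) with u64=[0x3e, 0x8], matching the log, while `take_jset_false` returns `None` for that state and a normal [0, 8] range for an unbounded register.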