Received: by 2002:a05:7412:8d10:b0:f3:1519:9f41 with SMTP id bj16csp4401873rdb; Mon, 11 Dec 2023 19:52:12 -0800 (PST) X-Google-Smtp-Source: AGHT+IH8Ajdvr0sXOOnZIUjc7lirAeFjwDKkqTyw0ECtmfJ4yVzyj5Py6aXHkL0Ko/wRvrCef9yr X-Received: by 2002:a05:6e02:1a2d:b0:35d:5995:1d5c with SMTP id g13-20020a056e021a2d00b0035d59951d5cmr9017068ile.33.1702353131991; Mon, 11 Dec 2023 19:52:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1702353131; cv=none; d=google.com; s=arc-20160816; b=Dhu38ioVoVmda/Yr8N7AxxDQEf1aAM2OyrL0JqvlbZToPs+6dyQyP2LFjWnDmM6WBZ TWpXhOM/rU2bq+zE0Qmcqxx08xeG1y0B6FX/4LHt2+umHY3kfRlhB3TamYKwKsRpd1Dn rH8GxYhjMnFzCOkweyyZZNpCjm9TzDYZ7WgQGqtuoS5TQgGDALq1ZhMBCnFRKv4TvPAo AdZg/BUcsMujH9tRDExtIO/1FbEM3+T0Cd7GsSe67D3eM1ILmueGLINEHE6qIq/mwenb w4IQ9NKG+vky7FzKcIBPq/qqWtx2otiLAE4PUVZ0HkeBuQdOmBYMe9MeCPyt5fjWZh/6 kkGQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:cc:to:subject :message-id:date:from:in-reply-to:references:mime-version :dkim-signature; bh=E9t8Uh8nCCzyBLBlXBQ6+uw2FgST0ZLpI7SAIJDg4Lo=; fh=dw/AqKXZ6zRWnGb7USNb16i6PGDXYKm55QDCe46yh9o=; b=ecWgKRUbuFxktkNp+0UdXlaCAZolzgv48OSdN8VkV9e9W3bEHuB84EaFUsyi4/IHsN RCMm11f3DcVDfyYicuVBIIXFGQ5i1UMr7nB7P6t25bJzLY7Z+Xs3h0/nsvo7baecQzdC b1C3UuDel7BQSg3nb6lPpgJdoTEmq2/s67FmsWoGQTtX47oSNLeN8WpCjEdOTT97HuCy Vr/MT6x0WJG562RI4W/OhwcotyWsHb1qMyCIYh1Ik+A5rsVwNAn58aEGtqFbOcKvSe+R 3J8HnqBbKLyhzG2yazYS0mJ3ptXETG7zHhCzIgySYF+kMFb41VMcLQF57qaptF7dlnLY prjg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ldrVlpko; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from fry.vger.email (fry.vger.email. [2620:137:e000::3:8]) by mx.google.com with ESMTPS id m10-20020a170902db0a00b001cf8e9e8813si7174050plx.315.2023.12.11.19.52.11 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 11 Dec 2023 19:52:11 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) client-ip=2620:137:e000::3:8; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20230601 header.b=ldrVlpko; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::3:8 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by fry.vger.email (Postfix) with ESMTP id 5736880782A9; Mon, 11 Dec 2023 19:52:09 -0800 (PST) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.11 at fry.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232511AbjLLDvt (ORCPT + 99 others); Mon, 11 Dec 2023 22:51:49 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34674 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232500AbjLLDvq (ORCPT ); Mon, 11 Dec 2023 22:51:46 -0500 Received: from mail-wm1-x331.google.com (mail-wm1-x331.google.com [IPv6:2a00:1450:4864:20::331]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6460DA9; Mon, 11 Dec 2023 19:51:52 -0800 (PST) Received: by mail-wm1-x331.google.com with SMTP id 5b1f17b1804b1-40c4846847eso15732305e9.1; Mon, 11 Dec 2023 19:51:52 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1702353111; x=1702957911; darn=vger.kernel.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=E9t8Uh8nCCzyBLBlXBQ6+uw2FgST0ZLpI7SAIJDg4Lo=; b=ldrVlpkoBM0CL6nHJM0sxg6+7ZqliGKSiNfbuuYPYJ6oOkXPnYq36Dt/dvpK6gk6Cs 78WIVAX7qqI2XP5fxeAZBLGJuu2Nx1JbnH6GaShfCoFB7XrAqZH3srjms/nlX7MOUniC qeBwIcN4nz+K2KtIUvJZpsLCoAl0UZwT9IhDsHSQ3eGz0n1sQ/xt8jJnS7yEz586+df6 CgCJCCBzQw0ECQ37lrXUKEgJjZX3eXbxeLTjLYXUMUCTjHzFtPX60oRoQVzc/dRFkOf3 ecQcT5Gp4ppUtZwtq8NtoMwOxTOxctJAQIAUSoFmmydDdXRExZ/lZlflj24BGrzICTbC KLrQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1702353111; x=1702957911; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=E9t8Uh8nCCzyBLBlXBQ6+uw2FgST0ZLpI7SAIJDg4Lo=; b=RIr4+b7Iojpx3sLQ7XhQVfTHBz9SFcbKj9x7gyNw6rUg2xtUFePPlmvWYrdi98XmkV aE336eThoZy4AiGqjrh6gVto1DWrgfTEGOwCb7C34gO40/ahXPS2JP6G6ikhEs/Kh6lk 3C+GM013pvPT13nvLyDryM8j6VpEz+C47z4POGdBVEwMdAmmCLtgziA71DXlmSG+DfCQ xvzTXW1eicq+LD3RKg7E4GuFg6yJipgwLmf3TAbXJh0XGDaAcq+oXILWriFdUlp32eY/ sfAwrNStEQSJBLF8i/rkXqXhcOHgXS9k1u5cRzGCRIVNUwcz2UUKrg5JfCo+Znqq1bGF cXpg== X-Gm-Message-State: AOJu0YzKN3EdEJCdqIOE/iGD3tGbYei8Z2YmuEYvh7r+pKz436odtYRT GIAaE3u6WWAnNv10hI5lRsddYcBzT9NdXdxuWVlkm8r+ X-Received: by 2002:a05:600c:228c:b0:40c:f4d:60a6 with SMTP id 12-20020a05600c228c00b0040c0f4d60a6mr2735018wmf.44.1702353110492; Mon, 11 Dec 2023 19:51:50 -0800 (PST) MIME-Version: 1.0 References: <20231210130001.2050847-1-menglong8.dong@gmail.com> In-Reply-To: From: Andrii Nakryiko Date: Mon, 11 Dec 2023 19:51:38 -0800 Message-ID: Subject: Re: [PATCH bpf-next] bpf: make the verifier trace the "not qeual" for regs To: Menglong Dong Cc: andrii@kernel.org, ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com, martin.lau@linux.dev, song@kernel.org, yonghong.song@linux.dev, kpsingh@kernel.org, sdf@google.com, haoluo@google.com, jolsa@kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable X-Spam-Status: No, score=-0.6 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on fry.vger.email Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (fry.vger.email [0.0.0.0]); Mon, 11 Dec 2023 19:52:09 -0800 (PST) On Mon, Dec 11, 2023 at 6:16=E2=80=AFPM Menglong Dong wrote: > > On Tue, Dec 12, 2023 at 3:16=E2=80=AFAM Andrii Nakryiko > wrote: > > > > On Sun, Dec 10, 2023 at 5:00=E2=80=AFAM Menglong Dong wrote: > > > > > > We can derive some new information for BPF_JNE in regs_refine_cond_op= (). > > > Take following code for example: > > > > > > /* The type of "a" is u16 */ > > > if (a > 0 && a < 100) { > > > /* the range of the register for a is [0, 99], not [1, 99], > > > * and will cause the following error: > > > * > > > * invalid zero-sized read > > > * > > > * as a can be 0. > > > */ > > > bpf_skb_store_bytes(skb, xx, xx, a, 0); > > > } > > > > > > In the code above, "a > 0" will be compiled to "jmp xxx if a =3D=3D 0= ". In the > > > TRUE branch, the dst_reg will be marked as known to 0. However, in th= e > > > fallthrough(FALSE) branch, the dst_reg will not be handled, which mak= es > > > the [min, max] for a is [0, 99], not [1, 99]. > > > > > > For BPF_JNE, we can reduce the range of the dst reg if the src reg is= a > > > const and is exactly the edge of the dst reg. > > > > > > Signed-off-by: Menglong Dong > > > --- > > > kernel/bpf/verifier.c | 45 +++++++++++++++++++++++++++++++++++++++++= +- > > > 1 file changed, 44 insertions(+), 1 deletion(-) > > > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > > index 727a59e4a647..7b074ac93190 100644 > > > --- a/kernel/bpf/verifier.c > > > +++ b/kernel/bpf/verifier.c > > > @@ -1764,6 +1764,40 @@ static void __mark_reg_const_zero(struct bpf_r= eg_state *reg) > > > reg->type =3D SCALAR_VALUE; > > > } > > > > > > +#define CHECK_REG_MIN(value) \ > > > +do { \ > > > + if ((value) =3D=3D (typeof(value))imm) \ > > > + value++; \ > > > +} while (0) > > > + > > > +#define CHECK_REG_MAX(value) \ > > > +do { \ > > > + if ((value) =3D=3D (typeof(value))imm) \ > > > + value--; \ > > > +} while (0) > > > + > > > +static void mark_reg32_not_equal(struct bpf_reg_state *reg, u64 imm) > > > +{ > > > + CHECK_REG_MIN(reg->s32_min_value); > > > + CHECK_REG_MAX(reg->s32_max_value); > > > + CHECK_REG_MIN(reg->u32_min_value); > > > + CHECK_REG_MAX(reg->u32_max_value); > > > +} > > > + > > > +static void mark_reg_not_equal(struct bpf_reg_state *reg, u64 imm) > > > +{ > > > + CHECK_REG_MIN(reg->smin_value); > > > + CHECK_REG_MAX(reg->smax_value); > > > + > > > + CHECK_REG_MIN(reg->umin_value); > > > + CHECK_REG_MAX(reg->umax_value); > > > + > > > + CHECK_REG_MIN(reg->s32_min_value); > > > + CHECK_REG_MAX(reg->s32_max_value); > > > + CHECK_REG_MIN(reg->u32_min_value); > > > + CHECK_REG_MAX(reg->u32_max_value); > > > +} > > > > please don't use macros for this, this code is tricky enough without > > having to jump around double-checking what exactly macros are doing. > > Just code it explicitly. > > > > Okay! > > > Also I don't see the need for mark_reg32_not_equal() and > > mark_reg_not_equal() helper functions, there is just one place where > > this logic is going to be called from, so let's add code right there. > > > > Yeah, you are right. And I just found that you have already > implemented the test case for this logic in reg_bounds.c/range_cond(). > I wonder why this logic is not implemented in the verifier yet? > Am I missing something? No, I just didn't want to add yet more verifier changes in my original patch set on extending reg bounds logic. > > Thanks! > Menglong Dong > > > > + > > > static void mark_reg_known_zero(struct bpf_verifier_env *env, > > > struct bpf_reg_state *regs, u32 regno= ) > > > { > > > @@ -14332,7 +14366,16 @@ static void regs_refine_cond_op(struct bpf_r= eg_state *reg1, struct bpf_reg_state > > > } > > > break; > > > case BPF_JNE: > > > - /* we don't derive any new information for inequality= yet */ > > > + /* try to recompute the bound of reg1 if reg2 is a co= nst and > > > + * is exactly the edge of reg1. > > > + */ > > > + if (is_reg_const(reg2, is_jmp32)) { > > > + val =3D reg_const_value(reg2, is_jmp32); > > > + if (is_jmp32) > > > + mark_reg32_not_equal(reg1, val); > > > + else > > > + mark_reg_not_equal(reg1, val); > > > + } > > > break; > > > case BPF_JSET: > > > if (!is_reg_const(reg2, is_jmp32)) > > > -- > > > 2.39.2 > > >