From: Puranjay Mohan <puranjay12@gmail.com>
To: Ilya Leoshkevich <iii@linux.ibm.com>
Cc: Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>,
bpf@vger.kernel.org, Heiko Carstens <hca@linux.ibm.com>,
Vasily Gorbik <gor@linux.ibm.com>,
Alexander Gordeev <agordeev@linux.ibm.com>
Subject: Re: [PATCH bpf-next 01/11] bpf: Disable zero-extension for BPF_MEMSX
Date: Fri, 1 Sep 2023 16:19:53 +0200 [thread overview]
Message-ID: <CANk7y0iNnOCZ_KmXBH_xJTG=BKzkDM_jZ+hc_NXcQbbZj-c33Q@mail.gmail.com> (raw)
In-Reply-To: <20230830011128.1415752-2-iii@linux.ibm.com>
Hi Ilya
On Wed, Aug 30, 2023 at 3:12 AM Ilya Leoshkevich <iii@linux.ibm.com> wrote:
>
> On the architectures that use bpf_jit_needs_zext(), e.g., s390x, the
> verifier incorrectly inserts a zero-extension after BPF_MEMSX, leading
> to miscompilations like the one below:
>
> 24: 89 1a ff fe 00 00 00 00 "r1 = *(s16 *)(r10 - 2);" # zext_dst set
> 0x3ff7fdb910e: lgh %r2,-2(%r13,%r0) # load halfword
> 0x3ff7fdb9114: llgfr %r2,%r2 # wrong!
> 25: 65 10 00 03 00 00 7f ff if r1 s> 32767 goto +3 <l0_1> # check_cond_jmp_op()
>
> Disable such zero-extensions. The JITs need to insert sign-extension
> themselves, if necessary.
>
> Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
> ---
> kernel/bpf/verifier.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index bb78212fa5b2..097985a46edc 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3110,7 +3110,9 @@ static void mark_insn_zext(struct bpf_verifier_env *env,
> {
> s32 def_idx = reg->subreg_def;
>
> - if (def_idx == DEF_NOT_SUBREG)
The problem here is that reg->subreg_def should be set as DEF_NOT_SUBREG for
registers that are used as destination registers of BPF_LDX |
BPF_MEMSX. I am seeing
the same problem on ARM32 and was going to send a patch today.
The problem is that is_reg64() returns false for destination registers
of BPF_LDX | BPF_MEMSX.
But BPF_LDX | BPF_MEMSX always loads a 64 bit value because of the
sign extension so
is_reg64() should return true.
I have written a patch that I will be sending as a reply to this.
Please let me know if that makes sense.
> + if (def_idx == DEF_NOT_SUBREG ||
> + (BPF_CLASS(env->prog->insnsi[def_idx - 1].code) == BPF_LDX &&
> + BPF_MODE(env->prog->insnsi[def_idx - 1].code) == BPF_MEMSX))
> return;
>
> env->insn_aux_data[def_idx - 1].zext_dst = true;
> --
> 2.41.0
>
>
Thanks,
Puranjay
next prev parent reply other threads:[~2023-09-01 14:20 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-08-30 1:07 [PATCH bpf-next 00/11] Implement cpuv4 support for s390x Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 01/11] bpf: Disable zero-extension for BPF_MEMSX Ilya Leoshkevich
2023-09-01 10:40 ` Yonghong Song
2023-09-01 14:19 ` Puranjay Mohan [this message]
2023-09-01 14:56 ` Puranjay Mohan
2023-09-07 0:39 ` Alexei Starovoitov
2023-09-07 7:33 ` Puranjay Mohan
2023-09-07 15:36 ` Alexei Starovoitov
2023-09-07 16:39 ` Puranjay Mohan
2023-09-07 22:45 ` Alexei Starovoitov
2023-09-07 22:57 ` Puranjay Mohan
2023-09-12 22:49 ` Puranjay Mohan
2023-09-13 0:09 ` Alexei Starovoitov
2023-09-13 0:22 ` Puranjay Mohan
2023-09-13 1:49 ` Alexei Starovoitov
2023-09-13 6:10 ` Christophe Leroy
2023-09-03 8:16 ` Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 02/11] net: netfilter: Adjust timeouts of non-confirmed CTs in bpf_ct_insert_entry() Ilya Leoshkevich
2023-08-31 15:30 ` Daniel Borkmann
2023-09-03 8:23 ` Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 03/11] selftests/bpf: Unmount the cgroup2 work directory Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 04/11] selftests/bpf: Add big-endian support to the ldsx test Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 05/11] s390/bpf: Implement BPF_MOV | BPF_X with sign-extension Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 06/11] s390/bpf: Implement BPF_MEMSX Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 07/11] s390/bpf: Implement unconditional byte swap Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 08/11] s390/bpf: Implement unconditional jump with 32-bit offset Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 09/11] s390/bpf: Implement signed division Ilya Leoshkevich
2023-08-30 1:07 ` [PATCH bpf-next 10/11] selftests/bpf: Enable the cpuv4 tests for s390x Ilya Leoshkevich
2023-09-01 10:41 ` Yonghong Song
2023-08-30 1:07 ` [PATCH bpf-next 11/11] selftests/bpf: Trim DENYLIST.s390x Ilya Leoshkevich
2023-09-14 13:00 ` [PATCH bpf-next 00/11] Implement cpuv4 support for s390x patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CANk7y0iNnOCZ_KmXBH_xJTG=BKzkDM_jZ+hc_NXcQbbZj-c33Q@mail.gmail.com' \
--to=puranjay12@gmail.com \
--cc=agordeev@linux.ibm.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=gor@linux.ibm.com \
--cc=hca@linux.ibm.com \
--cc=iii@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.