From: Dave Marchevsky <davemarchevsky@meta.com>
To: Yonghong Song <yhs@fb.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
kernel-team@fb.com, Martin KaFai Lau <martin.lau@kernel.org>
Subject: Re: [PATCH bpf-next 3/7] bpf: Improve handling of pattern '<const> <cond_op> <non_const>' in verifier
Date: Thu, 30 Mar 2023 18:54:53 -0400 [thread overview]
Message-ID: <57694299-9960-0ab7-be61-4f6ba903b72b@meta.com> (raw)
In-Reply-To: <20230330055615.89935-1-yhs@fb.com>
On 3/30/23 1:56 AM, Yonghong Song wrote:
> Currently, the verifier does not handle '<const> <cond_op> <non_const>' well.
> For example,
> ...
> 10: (79) r1 = *(u64 *)(r10 -16) ; R1_w=scalar() R10=fp0
> 11: (b7) r2 = 0 ; R2_w=0
> 12: (2d) if r2 > r1 goto pc+2
> 13: (b7) r0 = 0
> 14: (95) exit
> 15: (65) if r1 s> 0x1 goto pc+3
> 16: (0f) r0 += r1
> ...
> At insn 12, verifier decides both true and false branch are possible, but
> actually only false branch is possible.
>
> Currently, the verifier already supports patterns '<non_const> <cond_op> <const>.
> Add support for patterns '<const> <cond_op> <non_const>' in a similar way.
>
> Also fix selftest 'verifier_bounds_mix_sign_unsign/bounds checks mixing signed and unsigned, variant 10'
> due to this change.
>
> Signed-off-by: Yonghong Song <yhs@fb.com>
> ---
> kernel/bpf/verifier.c | 12 ++++++++++++
> .../bpf/progs/verifier_bounds_mix_sign_unsign.c | 2 +-
> 2 files changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 90bb6d25bc9c..d070943a8ba1 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -13302,6 +13302,18 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
> src_reg->var_off.value,
> opcode,
> is_jmp32);
> + } else if (dst_reg->type == SCALAR_VALUE &&
> + is_jmp32 && tnum_is_const(tnum_subreg(dst_reg->var_off))) {
> + pred = is_branch_taken(src_reg,
> + tnum_subreg(dst_reg->var_off).value,
> + flip_opcode(opcode),
> + is_jmp32);
> + } else if (dst_reg->type == SCALAR_VALUE &&
> + !is_jmp32 && tnum_is_const(dst_reg->var_off)) {
> + pred = is_branch_taken(src_reg,
> + dst_reg->var_off.value,
> + flip_opcode(opcode),
> + is_jmp32);
> } else if (reg_is_pkt_pointer_any(dst_reg) &&
> reg_is_pkt_pointer_any(src_reg) &&
> !is_jmp32) {
Looking at the two SCALAR_VALUE 'else if's above these added lines, these
additions make sense. Having four separate 'else if' checks for essentially
similar logic makes this hard to read, though, maybe it's an opportunity to
refactor a bit.
While trying to make sense of the logic here I attempted to simplify with
a helper:
@@ -13234,6 +13234,21 @@ static void find_equal_scalars(struct bpf_verifier_state *vstate,
}));
}
+static int maybe_const_operand_branch(struct tnum maybe_const_op,
+ struct bpf_reg_state *other_op_reg,
+ u8 opcode, bool is_jmp32)
+{
+ struct tnum jmp_tnum = is_jmp32 ? tnum_subreg(maybe_const_op) :
+ maybe_const_op;
+ if (!tnum_is_const(jmp_tnum))
+ return -1;
+
+ return is_branch_taken(other_op_reg,
+ jmp_tnum.value,
+ opcode,
+ is_jmp32);
+}
+
static int check_cond_jmp_op(struct bpf_verifier_env *env,
struct bpf_insn *insn, int *insn_idx)
{
@@ -13287,18 +13302,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
if (BPF_SRC(insn->code) == BPF_K) {
pred = is_branch_taken(dst_reg, insn->imm, opcode, is_jmp32);
- } else if (src_reg->type == SCALAR_VALUE &&
- is_jmp32 && tnum_is_const(tnum_subreg(src_reg->var_off))) {
- pred = is_branch_taken(dst_reg,
- tnum_subreg(src_reg->var_off).value,
- opcode,
- is_jmp32);
- } else if (src_reg->type == SCALAR_VALUE &&
- !is_jmp32 && tnum_is_const(src_reg->var_off)) {
- pred = is_branch_taken(dst_reg,
- src_reg->var_off.value,
- opcode,
- is_jmp32);
+ } else if (src_reg->type == SCALAR_VALUE) {
+ pred = maybe_const_operand_branch(src_reg->var_off, dst_reg,
+ opcode, is_jmp32);
+ } else if (dst_reg->type == SCALAR_VALUE) {
+ pred = maybe_const_operand_branch(dst_reg->var_off, src_reg,
+ flip_opcode(opcode), is_jmp32);
} else if (reg_is_pkt_pointer_any(dst_reg) &&
reg_is_pkt_pointer_any(src_reg) &&
!is_jmp32) {
I think the resultant logic is the same as your patch, but it's easier to
understand, for me at least. Note that I didn't test the above.
next prev parent reply other threads:[~2023-03-30 22:55 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-30 5:56 [PATCH bpf-next 0/7] bpf: Improve verifier for cond_op and spilled loop index variables Yonghong Song
2023-03-30 5:56 ` [PATCH bpf-next 1/7] bpf: Improve verifier JEQ/JNE insn branch taken checking Yonghong Song
2023-03-30 21:14 ` Dave Marchevsky
2023-03-31 6:40 ` Yonghong Song
2023-03-30 5:56 ` [PATCH bpf-next 2/7] selftests/bpf: Add tests for non-constant cond_op NE/EQ bound deduction Yonghong Song
2023-03-30 5:56 ` [PATCH bpf-next 3/7] bpf: Improve handling of pattern '<const> <cond_op> <non_const>' in verifier Yonghong Song
2023-03-30 22:54 ` Dave Marchevsky [this message]
2023-03-31 15:26 ` Yonghong Song
2023-04-04 22:04 ` Andrii Nakryiko
2023-04-06 16:51 ` Yonghong Song
2023-03-30 5:56 ` [PATCH bpf-next 4/7] selftests/bpf: Add verifier tests for code pattern '<const> <cond_op> <non_const>' Yonghong Song
2023-03-30 5:56 ` [PATCH bpf-next 5/7] bpf: Mark potential spilled loop index variable as precise Yonghong Song
2023-03-31 21:54 ` Eduard Zingerman
2023-03-31 23:39 ` Yonghong Song
2023-04-03 1:48 ` Alexei Starovoitov
2023-04-03 4:04 ` Yonghong Song
2023-04-04 22:09 ` Andrii Nakryiko
2023-04-06 16:55 ` Yonghong Song
2023-03-30 5:56 ` [PATCH bpf-next 6/7] selftests/bpf: Remove previous workaround for test verif_scale_loop6 Yonghong Song
2023-03-30 5:56 ` [PATCH bpf-next 7/7] selftests/bpf: Add a new test based on loop6.c Yonghong Song
2023-04-03 1:39 ` Alexei Starovoitov
2023-04-03 3:59 ` Yonghong Song
2023-04-04 21:46 ` [PATCH bpf-next 0/7] bpf: Improve verifier for cond_op and spilled loop index variables Andrii Nakryiko
2023-04-06 16:49 ` Yonghong Song
2023-04-06 18:38 ` Andrii Nakryiko
2023-04-06 19:54 ` Alexei Starovoitov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=57694299-9960-0ab7-be61-4f6ba903b72b@meta.com \
--to=davemarchevsky@meta.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).