bpf: Recognize special arithmetic shift in the verifier #6362
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Author
|
Upstream branch: 4f7bc83 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
22f76ea to
d766c2f
Compare
Author
|
Upstream branch: 6cc73f3 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
f86ce54 to
211a946
Compare
Author
|
Upstream branch: 6cc73f3 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
211a946 to
ff15f01
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
d766c2f to
86f62c3
Compare
Author
|
Upstream branch: 4722981 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
ff15f01 to
d96174f
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
86f62c3 to
c8a7e22
Compare
Author
|
Upstream branch: 7dc211c |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
d96174f to
4feaad4
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
c8a7e22 to
c919396
Compare
Author
|
Upstream branch: ec12ab2 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
4feaad4 to
7c455e0
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
c919396 to
73c6b0b
Compare
Author
|
Upstream branch: d6ec090 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
7c455e0 to
faffa05
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
73c6b0b to
0bdd2b9
Compare
Author
|
Upstream branch: d6ec090 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
faffa05 to
99b7b6a
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
0bdd2b9 to
729c7ba
Compare
Author
|
Upstream branch: d088da9 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
99b7b6a to
4c3a39b
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
729c7ba to
623bab9
Compare
Author
|
Upstream branch: e0940c6 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
4c3a39b to
259d64d
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
623bab9 to
fe03c14
Compare
Author
|
Upstream branch: 792f258 |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
259d64d to
2f88f1f
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
fe03c14 to
65bfb85
Compare
added 2 commits
November 21, 2025 16:42
cilium bpf_wiregard.bpf.c when compiled with -O1 fails to load
with the following verifier log:
192: (79) r2 = *(u64 *)(r10 -304) ; R2=pkt(r=40) R10=fp0 fp-304=pkt(r=40)
...
227: (85) call bpf_skb_store_bytes#9 ; R0=scalar()
228: (bc) w2 = w0 ; R0=scalar() R2=scalar(smin=0,smax=umax=0xffffffff,var_off=(0x0; 0xffffffff))
229: (c4) w2 s>>= 31 ; R2=scalar(smin=0,smax=umax=0xffffffff,smin32=-1,smax32=0,var_off=(0x0; 0xffffffff))
230: (54) w2 &= -134 ; R2=scalar(smin=0,smax=umax=umax32=0xffffff7a,smax32=0x7fffff7a,var_off=(0x0; 0xffffff7a))
...
232: (66) if w2 s> 0xffffffff goto pc+125 ; R2=scalar(smin=umin=umin32=0x80000000,smax=umax=umax32=0xffffff7a,smax32=-134,var_off=(0x80000000; 0x7fffff7a))
...
238: (79) r4 = *(u64 *)(r10 -304) ; R4=scalar() R10=fp0 fp-304=scalar()
239: (56) if w2 != 0xffffff78 goto pc+210 ; R2=0xffffff78 // -136
...
258: (71) r1 = *(u8 *)(r4 +0)
R4 invalid mem access 'scalar'
The error might confuse most bpf authors, since fp-304 slot had 'pkt'
pointer at insn 192 and became 'scalar' at 238. That happened because
bpf_skb_store_bytes() clears all packet pointers including those in
the stack. On the first glance it might look like a bug in the source
code, since ctx->data pointer should have been reloaded after the call
to bpf_skb_store_bytes().
The relevant part of cilium source code looks like this:
// bpf/lib/nodeport.h
int dsr_set_ipip6()
{
if (ctx_adjust_hroom(...))
return DROP_INVALID; // -134
if (ctx_store_bytes(...))
return DROP_WRITE_ERROR; // -141
return 0;
}
bool dsr_fail_needs_reply(int code)
{
if (code == DROP_FRAG_NEEDED) // -136
return true;
return false;
}
tail_nodeport_ipv6_dsr()
{
ret = dsr_set_ipip6(...);
if (!IS_ERR(ret)) {
...
} else {
if (dsr_fail_needs_reply(ret))
return dsr_reply_icmp6(...);
}
}
The code doesn't have arithmetic shift by 31 and it reloads ctx->data
every time it needs to access it. So it's not a bug in the source code.
The reason is DAGCombiner::foldSelectCCToShiftAnd() LLVM transformation:
// If this is a select where the false operand is zero and the compare is a
// check of the sign bit, see if we can perform the "gzip trick":
// select_cc setlt X, 0, A, 0 -> and (sra X, size(X)-1), A
// select_cc setgt X, 0, A, 0 -> and (not (sra X, size(X)-1)), A
The conditional branch in dsr_set_ipip6() and its return values
are optimized into BPF_ARSH plus BPF_AND:
227: (85) call bpf_skb_store_bytes#9
228: (bc) w2 = w0
229: (c4) w2 s>>= 31 ; R2=scalar(smin=0,smax=umax=0xffffffff,smin32=-1,smax32=0,var_off=(0x0; 0xffffffff))
230: (54) w2 &= -134 ; R2=scalar(smin=0,smax=umax=umax32=0xffffff7a,smax32=0x7fffff7a,var_off=(0x0; 0xffffff7a))
after insn 230 the register w2 can only be 0 or -134,
but the verifier approximates it, since there is no way to
represent two scalars in bpf_reg_state.
After fallthough at insn 232 the w2 can only be -134,
hence the branch at insn
239: (56) if w2 != -136 goto pc+210
should be always taken, and trapping insn 258 should never execute.
LLVM generated correct code, but the verifier follows impossible
path and rejects valid program. To fix this issue recognize this
special LLVM optimization and fork the verifier state.
So after insn 229: (c4) w2 s>>= 31
the verifier has two states to explore:
one with w2 = 0 and another with w2 = 0xffffffff
which makes the verifier accept bpf_wiregard.c
Note there are 20+ such patterns in bpf_wiregard.o compiled
with -O1 and -O2, but they're rarely seen in other production
bpf programs, so push_stack() approach is not a concern.
Reported-by: Hao Sun <[email protected]>
Signed-off-by: Alexei Starovoitov <[email protected]>
Acked-by: Eduard Zingerman <[email protected]>
Add tests for special arithmetic shift right. Signed-off-by: Alexei Starovoitov <[email protected]> Acked-by: Eduard Zingerman <[email protected]>
Author
|
Upstream branch: 878ee3c |
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
series/1023786=>bpf-next
branch
from
2f88f1f to
3e6400c
Compare
kernel-patches-daemon-bpf-rc
bot
force-pushed
the
bpf-next_base
branch
from
65bfb85 to
b1f8b58
Compare
Author
|
At least one diff in series https://patchwork.kernel.org/project/netdevbpf/list/?series=1023786 expired. Closing PR. |
kernel-patches-daemon-bpf-rc
bot
deleted the
series/1023786=>bpf-next
branch
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: bpf: Recognize special arithmetic shift in the verifier
version: 2
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=1023786