From: Helen Koike <koike@igalia.com>
To: Eduard Zingerman <eddyz87@gmail.com>,
andrii@kernel.org, shung-hsi.yu@suse.com,
yonghong.song@linux.dev, ast@kernel.org, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org, kernel-dev@igalia.com
Subject: Re: [PATCH] bpf: fix umin/umax when lower bits fall outside u32 range
Date: Mon, 30 Mar 2026 09:09:16 -0300 [thread overview]
Message-ID: <7fb97184-baaa-4639-a0b9-ac289bf2e54d@igalia.com> (raw)
In-Reply-To: <74e65b463d1f992bc0e4846085394a440796f563.camel@gmail.com>
Hi Eduard,
Thanks for your replies and pointers, please see my comments below.
On 3/27/26 5:46 PM, Eduard Zingerman wrote:
> On Fri, 2026-03-27 at 16:48 -0300, Helen Koike wrote:
>
> [...]
>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index a965b2c45bbe..ddac09c8a9e5 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -2702,9 +2702,29 @@ static void __reg_deduce_mixed_bounds(struct bpf_reg_state *reg)
>> __u64 new_umin, new_umax;
>> __s64 new_smin, new_smax;
>>
>> - /* u32 -> u64 tightening, it's always well-formed */
>> - new_umin = (reg->umin_value & ~0xffffffffULL) | reg->u32_min_value;
>> - new_umax = (reg->umax_value & ~0xffffffffULL) | reg->u32_max_value;
>> + /*
>> + * If (u32)umin > u32_max, no value in the current upper-32-bit block
>> + * satisfies [u32_min, u32_max] while being >= umin; advance umin to
>> + * the next block. Otherwise apply standard u32->u64 tightening.
>> + */
>> + if ((u32)reg->umin_value > reg->u32_max_value)
>> + new_umin = (reg->umin_value & ~0xffffffffULL) + (1ULL << 32) |
>> + reg->u32_min_value;
>> + else
>> + new_umin = (reg->umin_value & ~0xffffffffULL) |
>> + reg->u32_min_value;
>
> What would happen if there is no next or previous 32-bit block?
> E.g. if (reg->umin_value & ~0xffffffffULL) + (1ULL << 32) wraps around.
> I guess the argument is that if this happens, there is an invariant
> violation already, will the final register still bin in invariant
> violation state?
I thought about it and my conclusion was that we would be in trouble
anyway and the error is elsewhere (unless my understanding is wrong).
We could add a check here, but I guess reg_bounds_sanity_check() already
does that.
>
> Useful picture:
>
> N*2^32 (N+1)*2^32 (N+2)*2^32 (N+3)*2^32
> ||----|=====|--|----------||----|=====|-------------||--|-|=====|-------------||
> |< b >| | |< b >| | |< b >|
> | | | |
> |<---------------+- a -+---------------->|
> | |
> |< t >| refined r0 range
>
> Also, as this is based solely on unsigned ranges, the following case
> is not covered, right?
Right, this case is not covered.
>
> N*2^32 (N+1)*2^32 (N+2)*2^32 (N+3)*2^32
> ||===|---------|------|===||===|----------------|===||===|---------|------|===||
> |b >| | |< b||b >| |< b||b >| | |< b|
> | | | |
> |<-----+----------------- a --------------+-------->|
> | |
> |<---------------- t ------------->| refined r0 range
>
> Would it be hard to implementing something in the same line as [2] to cover it?
I'll check and get back to you.
>
>> +
>> + /*
>> + * Symmetrically, if (u32)umax < u32_min, retreat umax to the
>> + * previous block. Otherwise apply standard u32->u64 tightening.
>> + */
>> + if ((u32)reg->umax_value < reg->u32_min_value)
>> + new_umax = (reg->umax_value & ~0xffffffffULL) - (1ULL << 32) |
>> + reg->u32_max_value;
>> + else
>> + new_umax = (reg->umax_value & ~0xffffffffULL) |
>> + reg->u32_max_value;
>> +
>> reg->umin_value = max_t(u64, reg->umin_value, new_umin);
>> reg->umax_value = min_t(u64, reg->umax_value, new_umax);
>> /* u32 -> s64 tightening, u32 range embedded into s64 preserves range validity */
>
> I think we can move forward with this, as the fate of my RFC is
> uncertain. Please add some selftests, e.g. from [1].
Ack, I'll check the signed case, test against your selftests and
re-submit the patches.
Thanks again!
Helen
>
> [1] https://lore.kernel.org/bpf/20260318-cnum-sync-bounds-v1-4-1f2e455ea711@gmail.com/
> [2] https://github.com/eddyz87/cnum-verif/blob/master/cnum.c#L242
next prev parent reply other threads:[~2026-03-30 12:09 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-27 19:48 Helen Koike
2026-03-27 20:18 ` Eduard Zingerman
2026-03-27 20:46 ` Eduard Zingerman
2026-03-30 12:09 ` Helen Koike [this message]
2026-03-30 16:24 ` kernel test robot
2026-03-30 17:53 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=7fb97184-baaa-4639-a0b9-ac289bf2e54d@igalia.com \
--to=koike@igalia.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=eddyz87@gmail.com \
--cc=kernel-dev@igalia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=shung-hsi.yu@suse.com \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome