From: Eduard Zingerman <eddyz87@gmail.com>
To: Andrea Righi <arighi@nvidia.com>,
Alexei Starovoitov <ast@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
Andrii Nakryiko <andrii@kernel.org>
Cc: John Fastabend <john.fastabend@gmail.com>,
Martin KaFai Lau <martin.lau@linux.dev>,
Song Liu <song@kernel.org>,
Yonghong Song <yonghong.song@linux.dev>,
KP Singh <kpsingh@kernel.org>,
Stanislav Fomichev <sdf@fomichev.me>,
Hao Luo <haoluo@google.com>, Jiri Olsa <jolsa@kernel.org>,
Emil Tsalapatis <emil@etsalapatis.com>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] bpf: Prevent invalid u32 bounds in __reg32_deduce_bounds()
Date: Wed, 04 Mar 2026 11:23:13 -0800 [thread overview]
Message-ID: <e8cc28373cd122f041a71f5818e41b7e3e4cffa2.camel@gmail.com> (raw)
In-Reply-To: <20260220190736.230329-1-arighi@nvidia.com>
On Fri, 2026-02-20 at 20:07 +0100, Andrea Righi wrote:
> When refining register bounds, __reg32_deduce_bounds can derive u32
> min/max from 64-bit or s32 bounds and assign them with max_t/min_t.
>
> If the existing u32 range and the derived range do not overlap (e.g.,
> u64 says [0, 1] while u32 was [2, 2] from an earlier path), the
> intersection is empty and the new u32_min_value can end up greater than
> u32_max_value, triggering the following warning:
>
> verifier bug: REG INVARIANTS VIOLATION (false_reg1): range bounds violation
> u64=[0x0, 0x1] s64=[0x0, 0x1] u32=[0x3, 0x1] s32=[0x0, 0x1] var_off=(0x0, 0x1)
> WARNING: kernel/bpf/verifier.c:2742 at reg_bounds_sanity_check
> Call Trace:
> reg_bounds_sanity_check+0xbc/0x1e0
> reg_set_min_max+0x1a2/0x1f0
> check_cond_jmp_op+0x5d2/0x1980
> do_check_common+0x2b0f/0x3410
> do_check_subprogs+0xcd/0x180
> bpf_check+0x33fe/0x3850
> bpf_prog_load+0x7d7/0xee0
> __sys_bpf+0xea2/0x2e30
>
> This was triggered by the scx CI while loading the scx_layered sched_ext
> scheduler [1].
>
> Fix by only applying the derived u32 bounds when the resulting range is
> valid (u32_min <= u32_max).
>
> [1] https://github.com/sched-ext/scx/pull/3349
>
> Fixes: c1efab6468fd5 ("bpf: derive subreg bounds from full bounds when upper 32 bits are constant")
> Signed-off-by: Andrea Righi <arighi@nvidia.com>
> ---
Hi Andrea,
Sorry for delayed response.
Currently the assumption is that all ranges/tnum tracked as a part of
a register state are valid, and I don't think we'd like to sidestep
this assumption. Eventually is_scalar_branch_taken() and
adjust_scalar_min_max_vals() should be unified to avoid possibility
for mismatch between is_scalar_branch_taken() predictions (when it
assumes that some branch can be taken by failing to predict jump)
and adjust_scalar_min_max_vals() adjustments (when it infers that in
fact register state is empty for the branch).
As it turns out, the problem you report is a bit easier to fix.
After minimizing the failing file with Emil's help I derived the
following test case that captures the problem:
SEC("socket")
__success
__flag(BPF_F_TEST_REG_INVARIANTS)
__naked void signed_unsined_intersection32(void *ctx)
{
asm volatile(" \
call %[bpf_get_prandom_u32]; \
w0 &= 0xffffffff; \
if w0 < 0x3 goto 1f; \ /* on fall-through u32 range [3..U32_MAX] */
if w0 s> 0x1 goto 1f; \ /* on fall-through s32 range [S32_MIN..1] *
if w0 s< 0x0 goto 1f; \ /* the above ranges can be narrowed to [S32_MIN..-1] */
r10 = 0; \ /* meaning that condition can be predicted, */
1: exit; \ /* but verifier is not smart enough at the moment. */
" :
: __imm(bpf_get_prandom_u32)
: __clobber_all);
}
This branch has verifier modifications making it smart enough to
process this case: https://github.com/eddyz87/bpf/tree/cnum-sync-bounds .
With some additional verification: https://github.com/eddyz87/cnum-verif .
I'm working towards submitting the fix, need to decide on what to do
with reg_bounds.c, as this test is now not smart enough.
Thanks,
Eduard
[...]
next prev parent reply other threads:[~2026-03-04 19:23 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-20 19:07 Andrea Righi
2026-03-04 19:23 ` Eduard Zingerman [this message]
2026-03-05 7:03 ` Andrea Righi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=e8cc28373cd122f041a71f5818e41b7e3e4cffa2.camel@gmail.com \
--to=eddyz87@gmail.com \
--cc=andrii@kernel.org \
--cc=arighi@nvidia.com \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=emil@etsalapatis.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=sdf@fomichev.me \
--cc=song@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox
Powered by JetHome