bpf: incorrectly reject program with `back-edge insn from 7 to 8`

From: Hao Sun
Date: Wed Nov 01 2023 - 09:56:50 EST

Next message: Laurent Pinchart: "Re: [PATCH 04/10] drm/tidss: Move reset to the end of dispc_init()"
Previous message: Ryan Roberts: "Re: [PATCH v6 5/9] mm: thp: Extend THP to allocate anonymous large folios"
Next in thread: Andrii Nakryiko: "Re: bpf: incorrectly reject program with `back-edge insn from 7 to 8`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

The verifier incorrectly rejects the following prog in check_cfg() when
loading with root with confusing log `back-edge insn from 7 to 8`:
/* 0: r9 = 2
* 1: r3 = 0x20
* 2: r4 = 0x35
* 3: r8 = r4
* 4: goto+3
* 5: r9 -= r3
* 6: r9 -= r4
* 7: r9 -= r8
* 8: r8 += r4
* 9: if r8 < 0x64 goto-5
* 10: r0 = r9
* 11: exit
* */
BPF_MOV64_IMM(BPF_REG_9, 2),
BPF_MOV64_IMM(BPF_REG_3, 0x20),
BPF_MOV64_IMM(BPF_REG_4, 0x35),
BPF_MOV64_REG(BPF_REG_8, BPF_REG_4),
BPF_JMP_IMM(BPF_JA, 0, 0, 3),
BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_3),
BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_4),
BPF_ALU64_REG(BPF_SUB, BPF_REG_9, BPF_REG_8),
BPF_ALU64_REG(BPF_ADD, BPF_REG_8, BPF_REG_4),
BPF_JMP32_IMM(BPF_JLT, BPF_REG_8, 0x68, -5),
BPF_MOV64_REG(BPF_REG_0, BPF_REG_9),
BPF_EXIT_INSN()

-------- Verifier Log --------
func#0 @0
back-edge from insn 7 to 8
processed 0 insns (limit 1000000) max_states_per_insn 0 total_states 0
peak_states 0 mark_read 0

This is not intentionally rejected, right?

Best
Hao

Next message: Laurent Pinchart: "Re: [PATCH 04/10] drm/tidss: Move reset to the end of dispc_init()"
Previous message: Ryan Roberts: "Re: [PATCH v6 5/9] mm: thp: Extend THP to allocate anonymous large folios"
Next in thread: Andrii Nakryiko: "Re: bpf: incorrectly reject program with `back-edge insn from 7 to 8`"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]