Commit b7a0d65d80a0 ("bpf, testing: Workaround a verifier failure
for test_progs") worked around a verifier failure where the
register is copied to another later refined register, but the
original register is used after refinement. The pattern
looks like:
call ...
w1 = w0
w1 += -1
if w1 > 6 goto -24
w0 += w8
...
Register "w1" is refined, but "w0" is used later without taking
advantage of new "w1" range, and eventually leading verifier to
reject the program.
Instead of complicating verifier for such analysis,
llvm patch https://reviews.llvm.org/D72787 added a phase to
undo some original optimization and produces the code like below:
call ...
if w0 s< 0x1 goto pc-22
if w0 s> 0x7 goto pc-23
w0 += w8
...
Current verifier still rejects the above code. This patch
intends to enhance verifier to handle the above pattern.
Note that the verifier is able to handle the case at non-alu32 mode,
call ...
if r0 s< 0x1 goto pc-22
if r0 s> 0x7 goto pc-23
r0 += r8
So the problem as described in
https://lore.kernel.org/netdev/871019a0-71f8-c26d-0ae8-c7fd8c8867fc@xxxxxx/
can be resolved with just compiler change.
The implementation in this patch set is just to cater the above pattern
or similar to the above pattern. If you have some cases where the compiler
generates a copy of register to refine but still use the original register
later, please let me know, we could improve llvm/kernel to accommodate
your use case.
Yonghong Song (2):
bpf: improve verifier handling for 32bit signed compare operations
selftests/bpf: add selftests for verifier handling 32bit signed
compares
include/linux/bpf_verifier.h | 2 +
kernel/bpf/verifier.c | 73 +++++++++++++++---
.../selftests/bpf/progs/test_sysctl_loop1.c | 5 +-
tools/testing/selftests/bpf/verifier/jmp32.c | 76 +++++++++++++++++++
4 files changed, 142 insertions(+), 14 deletions(-)
--
2.17.1
