On Sun, Aug 09, 2020 at 06:21:01PM -0700, Yonghong Song wrote: > > > On 8/7/20 10:30 AM, Jiri Olsa wrote: > > hi, > > we have a customer facing some odd verifier fails on following > > sk_skb program: > > > > 0. r2 = *(u32 *)(r1 + data_end) > > 1. r4 = *(u32 *)(r1 + data) > > 2. r3 = r4 > > 3. r3 += 42 > > 4. r1 = 0 > > 5. if r3 > r2 goto 8 > > 6. r4 += 14 > > 7. r1 = r4 > > 8. if r3 > r2 goto 10 > > 9. r2 = *(u8 *)(r1 + 9) > > 10. r0 = 0 > > 11. exit > > > > The code checks if the skb data is big enough (5) and if it is, > > it prepares pointer in r1 (7), then there's again size check (8) > > and finally data load from r1 (9). > > > > It's and odd code, but apparently this is something that can > > get produced by clang. > > Could you provide a test case where clang generates the above code? > I would like to see whether clang can do a better job to avoid > such codes. I get that code genrated by using recent enough upstream clang on the attached source. /opt/clang/bin/clang --version clang version 11.0.0 (https://github.com/llvm/llvm-project.git 4cbfb98eb362b0629d5d1cd113af4427e2904763) Target: x86_64-unknown-linux-gnu Thread model: posix InstalledDir: /opt/clang/bin $ llvm-objdump -d verifier-cond-repro.o verifier-cond-repro.o: file format ELF64-BPF Disassembly of section .text: 0000000000000000 my_prog: 0: 61 12 50 00 00 00 00 00 r2 = *(u32 *)(r1 + 80) 1: 61 14 4c 00 00 00 00 00 r4 = *(u32 *)(r1 + 76) 2: bf 43 00 00 00 00 00 00 r3 = r4 3: 07 03 00 00 2a 00 00 00 r3 += 42 4: b7 01 00 00 00 00 00 00 r1 = 0 5: 2d 23 02 00 00 00 00 00 if r3 > r2 goto +2 <LBB0_2> 6: 07 04 00 00 0e 00 00 00 r4 += 14 7: bf 41 00 00 00 00 00 00 r1 = r4 0000000000000040 LBB0_2: 8: 2d 23 05 00 00 00 00 00 if r3 > r2 goto +5 <LBB0_5> 9: 71 12 09 00 00 00 00 00 r2 = *(u8 *)(r1 + 9) 10: 56 02 03 00 11 00 00 00 if w2 != 17 goto +3 <LBB0_5> 11: b4 00 00 00 d2 04 00 00 w0 = 1234 12: 69 11 16 00 00 00 00 00 r1 = *(u16 *)(r1 + 22) 13: 16 01 01 00 d2 04 00 00 if w1 == 1234 goto +1 <LBB0_6> 0000000000000070 LBB0_5: 14: b4 00 00 00 ff ff ff ff w0 = -1 0000000000000078 LBB0_6: 15: 95 00 00 00 00 00 00 00 exit thanks, jirka --- // Copyright (c) 2019 Tigera, Inc. All rights reserved. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. #include <stddef.h> #include <string.h> #include <linux/bpf.h> #include <linux/if_ether.h> #include <linux/if_packet.h> #include <linux/ip.h> #include <linux/ipv6.h> #include <linux/in.h> #include <linux/udp.h> #include <linux/tcp.h> #include <linux/pkt_cls.h> #include <sys/socket.h> #include <bpf/bpf_helpers.h> #include <bpf/bpf_endian.h> #include <stddef.h> #define INLINE inline __attribute__((always_inline)) #define skb_shorter(skb, len) ((void *)(long)(skb)->data + (len) > (void *)(long)skb->data_end) #define ETH_IPV4_UDP_SIZE (14+20+8) static INLINE struct iphdr *get_iphdr (struct __sk_buff *skb) { struct iphdr *ip = NULL; struct ethhdr *eth; if (skb_shorter(skb, ETH_IPV4_UDP_SIZE)) goto out; eth = (void *)(long)skb->data; ip = (void *)(eth + 1); out: return ip; } int my_prog(struct __sk_buff *skb) { struct iphdr *ip = NULL; struct udphdr *udp; __u8 proto = 0; if (!(ip = get_iphdr(skb))) goto out; proto = ip->protocol; if (proto != IPPROTO_UDP) goto out; udp = (void*)(ip + 1); if (udp->dest != 1234) goto out; if (!udp) goto out; return udp->dest; out: return -1; }
