On Wed, 2025-06-25 at 09:40 -0700, Song Liu wrote:
> Add range tracking for instruction BPF_NEG. Without this logic, a trivial
> program like the following will fail
>
>     volatile bool found_value_b;
>     SEC("lsm.s/socket_connect")
>     int BPF_PROG(test_socket_connect)
>     {
>         if (!found_value_b)
>             return -1;
>         return 0;
>     }
>
> with verifier log:
>
> "At program exit the register R0 has smin=0 smax=4294967295 should have
> been in [-4095, 0]".
>
> This is because range information is lost in BPF_NEG:
>
> 0: R1=ctx() R10=fp0
> ; if (!found_value_b) @ xxxx.c:24
> 0: (18) r1 = 0xffa00000011e7048 ; R1_w=map_value(...)
> 2: (71) r0 = *(u8 *)(r1 +0) ; R0_w=scalar(smin32=0,smax=255)
> 3: (a4) w0 ^= 1 ; R0_w=scalar(smin32=0,smax=255)
> 4: (84) w0 = -w0 ; R0_w=scalar(range info lost)
>
> Note that, the log above is manually modified to highlight relevant bits.
>
> Fix this by maintaining proper range information with BPF_NEG, so that
> the verifier will know:
>
> 4: (84) w0 = -w0 ; R0_w=scalar(smin32=-255,smax=0)
>
> Also updated selftests based on the expected behavior.
>
> Signed-off-by: Song Liu <song@xxxxxxxxxx>
> ---

Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>

[...]
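Added illustration, not part of the original message, the patch, or the kernel source: a minimal model of signed 32-bit range propagation through negation, showing why keeping the bounds lets the program from the commit message pass the [-4095, 0] exit check quoted in the verifier log. The names `s32_range`, `neg_range` and `retval_ok` are hypothetical, and the handling of `INT32_MIN` is a general soundness consideration rather than something taken from the patch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Signed 32-bit interval: a simplified stand-in for the smin32/smax32
 * bounds in the log (hypothetical type, not the kernel's register state). */
struct s32_range {
    int32_t smin;
    int32_t smax;
};

/* Bounds of -x for every x in [r.smin, r.smax], with 32-bit wraparound. */
static struct s32_range neg_range(struct s32_range r)
{
    struct s32_range out = { INT32_MIN, INT32_MAX }; /* "range info lost" */

    if (r.smin > r.smax)
        return out;                 /* malformed input: stay conservative */
    if (r.smin == INT32_MIN) {
        /* -INT32_MIN wraps back to INT32_MIN, so the result is one
         * contiguous interval only if the input is that single value. */
        if (r.smax == INT32_MIN)
            out.smax = INT32_MIN;
        return out;
    }
    out.smin = -r.smax;             /* safe: r.smax > INT32_MIN here */
    out.smax = -r.smin;
    return out;
}

/* Exit-time check in the style of the log: is the range inside [lo, hi]? */
static bool retval_ok(struct s32_range r, int32_t lo, int32_t hi)
{
    return r.smin >= lo && r.smax <= hi;
}

int main(void)
{
    struct s32_range w0 = { 0, 255 };            /* after insn 3 in the log */
    struct s32_range tracked = neg_range(w0);    /* insn 4 with tracking */
    struct s32_range lost = { INT32_MIN, INT32_MAX }; /* insn 4 without it */

    printf("tracked: [%d, %d] exit check %s\n", (int)tracked.smin,
           (int)tracked.smax, retval_ok(tracked, -4095, 0) ? "ok" : "rejected");
    printf("lost:    exit check %s\n",
           retval_ok(lost, -4095, 0) ? "ok" : "rejected");
    return 0;
}
```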