Re: [PATCH] bpf/verifier: factor BPF_F_TEST_RND_HI32 flag check out of opt_subreg_zext_lo32_rnd_hi32

Emil Tsalapatis <emil@xxxxxxxxxxxxxxx> · Fri, 11 Jul 2025 16:40:27 -0400

This patch is wrong, please disregard. Sorry about the noise.

On Fri, Jul 11, 2025 at 4:12 PM Emil Tsalapatis <emil@xxxxxxxxxxxxxxx> wrote:
>
> BPF programs can be loaded with the BPF_F_TEST_RND_HI32 flag to instruct
> the verifier to randomize the high 32 bits of a register being used as a
> subregister. This is done in the opt_subreg_zext_lo32_rnd_hi32 pass that
> scans the BPF program instruction by instruction, regardless of whether
> the flag is set or not, and testing the flag on every iteration. However,
> the flag is not modified at verification time, and the function is a no-op
> if it is unset.
>
> Gate the randomization pass behind a single flag check instead of
> testing the flag in the main loop of the pass.
>
> Signed-off-by: Emil Tsalapatis <emil@xxxxxxxxxxxxxxx>
> ---
>  kernel/bpf/verifier.c | 9 +++------
>  1 file changed, 3 insertions(+), 6 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index e2fcea860755..dc0981205d6a 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -21062,9 +21062,7 @@ static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
>         int i, patch_len, delta = 0, len = env->prog->len;
>         struct bpf_insn *insns = env->prog->insnsi;
>         struct bpf_prog *new_prog;
> -       bool rnd_hi32;
>
> -       rnd_hi32 = attr->prog_flags & BPF_F_TEST_RND_HI32;
>         zext_patch[1] = BPF_ZEXT_REG(0);
>         rnd_hi32_patch[1] = BPF_ALU64_IMM(BPF_MOV, BPF_REG_AX, 0);
>         rnd_hi32_patch[2] = BPF_ALU64_IMM(BPF_LSH, BPF_REG_AX, 32);
> @@ -21080,9 +21078,6 @@ static int opt_subreg_zext_lo32_rnd_hi32(struct bpf_verifier_env *env,
>                         u8 code, class;
>                         u32 imm_rnd;
>
> -                       if (!rnd_hi32)
> -                               continue;
> -
>                         code = insn.code;
>                         class = BPF_CLASS(code);
>                         if (load_reg == -1)
> @@ -24700,7 +24695,9 @@ int bpf_check(struct bpf_prog **prog, union bpf_attr *attr, bpfptr_t uattr, __u3
>          * insns could be handled correctly.
>          */
>         if (ret == 0 && !bpf_prog_is_offloaded(env->prog->aux)) {
> -               ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
> +               if (attr->prog_flags & BPF_F_TEST_RND_HI32)
> +                       ret = opt_subreg_zext_lo32_rnd_hi32(env, attr);
> +
>                 env->prog->aux->verifier_zext = bpf_jit_needs_zext() ? !ret
>                                                                      : false;
>         }
> --
> 2.49.0
>