tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

Merge branch 'bpf-improve-linked-register-tracking'

Puranjay Mohan says:

====================
bpf: Improve linked register tracking

V3: https://lore.kernel.org/all/20260203222643.994713-1-puranjay@kernel.org/
Changes in v3->v4:
- Add a call to reg_bounds_sync() in sync_linked_regs() to sync bounds after alu op.
- Add a __sink(path[0]); in the C selftest so compiler doesn't say "error: variable 'path' set but
not used"

V2: https://lore.kernel.org/all/20260113152529.3217648-1-puranjay@kernel.org/
Changes in v2->v3:
- Added another selftest showing a real usage pattern
- Rebased on bpf-next/master

v1: https://lore.kernel.org/bpf/20260107203941.1063754-1-puranjay@kernel.org/
Changes in v1->v2:
- Add support for alu32 operations in linked register tracking (Alexei)
- Squash the selftest fix with the first patch (Eduard)
- Add more selftests to detect edge cases

This series extends the BPF verifier's linked register tracking to handle
negative offsets, BPF_SUB operations, and alu32 operations, enabling better bounds propagation for
common arithmetic patterns.

The verifier previously only tracked positive constant deltas between linked
registers using BPF_ADD. This meant patterns using negative offsets or
subtraction couldn't benefit from bounds propagation:

void alu32_negative_offset(void)
{
volatile char path[5];
volatile int offset = bpf_get_prandom_u32();
int off = offset;

if (off >= 5 && off < 10)
path[off - 5] = '.';
}

this gets compiled to:

0000000000000478 <alu32_negative_offset>:
143: call 0x7
144: *(u32 *)(r10 - 0xc) = w0
145: w1 = *(u32 *)(r10 - 0xc)
146: w2 = w1 // w2 and w1 share the same id
147: w2 += -0x5 // verifier knows w1 = w2 + 5
148: if w2 > 0x4 goto +0x5 <L0> // in fall-through: verifier knows w2 ∈ [0,4] => w1 ∈ [5, 9]
149: r2 = r10
150: r2 += -0x5 // r2 = fp - 5
151: r2 += r1 // r2 = fp - 5 + r1 (∈ [5, 9]) => r2 ∈ [fp, fp + 4]
152: w1 = 0x2e
153: *(u8 *)(r2 - 0x5) = w1 // r2 ∈ [fp, fp + 4] => r2 - 5 ∈ [fp - 5, fp - 1]
<L0>:
154: exit

After the changes, the verifier could link 32-bit scalars and also supported -ve offsets for linking:

146: w2 = w1
147: w2 += -0x5

It allowed the verifier to correctly propagate bounds, without the
changes in this patchset, verifier would reject this program with:

invalid unbounded variable-offset write to stack R2

This program has been added as a selftest in the second patch.

Veristat comparison on programs from sched_ext, selftests, and some meta internal programs:

Scx Progs
File Program Verdict (A) Verdict (B) Verdict (DIFF) Insns (A) Insns (B) Insns (DIFF)
----------------- ---------------- ----------- ----------- -------------- --------- --------- -------------
scx_layered.bpf.o layered_runnable success success MATCH 5674 6077 +403 (+7.10%)

FB Progs
File Program Verdict (A) Verdict (B) Verdict (DIFF) Insns (A) Insns (B) Insns (DIFF)
------------ ---------------- ----------- ----------- -------------- --------- --------- -----------------
bpf232.bpf.o layered_dump success success MATCH 1151 1218 +67 (+5.82%)
bpf257.bpf.o layered_runnable success success MATCH 5743 6143 +400 (+6.97%)
bpf252.bpf.o layered_runnable success success MATCH 5677 6075 +398 (+7.01%)
bpf227.bpf.o layered_dump success success MATCH 915 982 +67 (+7.32%)
bpf239.bpf.o layered_runnable success success MATCH 5459 5861 +402 (+7.36%)
bpf246.bpf.o layered_runnable success success MATCH 5562 6008 +446 (+8.02%)
bpf229.bpf.o layered_runnable success success MATCH 2559 3011 +452 (+17.66%)
bpf231.bpf.o layered_runnable success success MATCH 2559 3011 +452 (+17.66%)
bpf234.bpf.o layered_runnable success success MATCH 2549 3001 +452 (+17.73%)
bpf019.bpf.o do_sendmsg success success MATCH 124823 153523 +28700 (+22.99%)
bpf019.bpf.o do_parse success success MATCH 124809 153509 +28700 (+23.00%)
bpf227.bpf.o layered_runnable success success MATCH 1915 2356 +441 (+23.03%)
bpf228.bpf.o layered_runnable success success MATCH 1700 2152 +452 (+26.59%)
bpf232.bpf.o layered_runnable success success MATCH 1499 1951 +452 (+30.15%)

bpf312.bpf.o mount_exit success success MATCH 19253 62883 +43630 (+226.61%)
bpf312.bpf.o umount_exit success success MATCH 19253 62883 +43630 (+226.61%)
bpf311.bpf.o mount_exit success success MATCH 19226 62863 +43637 (+226.97%)
bpf311.bpf.o umount_exit success success MATCH 19226 62863 +43637 (+226.97%)

The above four programs have specific patters that make the verifier explore a lot more states:

for (; depth < MAX_DIR_DEPTH; depth++) {
const unsigned char* name = BPF_CORE_READ(dentry, d_name.name);
if (offset >= MAX_PATH_LEN - MAX_DIR_LEN) {
return depth;
}
int len = bpf_probe_read_kernel_str(&path[offset], MAX_DIR_LEN, name);
offset += len;
if (len == MAX_DIR_LEN) {
if (offset - 2 < MAX_PATH_LEN) { // <---- (a)
path[offset - 2] = '.';
}
if (offset - 3 < MAX_PATH_LEN) { // <---- (b)
path[offset - 3] = '.';
}
if (offset - 4 < MAX_PATH_LEN) { // <---- (c)
path[offset - 4] = '.';
}
}
}

When at some depth == N false branches of conditions (a), (b) and (c) are scheduled for
verification, constraints for offset at depth == N+1 are:
1. offset >= MAX_PATH_LEN + 2
2. offset >= MAX_PATH_LEN + 3
3. offset >= MAX_PATH_LEN + 4 (visited before others)

And after offset += len it becomes:
1. offset >= MAX_PATH_LEN - 4093
2. offset >= MAX_PATH_LEN - 4092
3. offset >= MAX_PATH_LEN - 4091 (visited before others)

Because of the DFS states exploration logic, the states above are visited in order 3, 2, 1; 3 is not
a subset of 2 and 1 is not a subset of 2, so pruning logic does not kick in.
Previously this was not a problem, because range for offset was not propagated through the
statements (a), (b), (c).

As the root cause of this regression is understood, this is not a blocker for this change.

Selftest Progs
File Program Verdict (A) Verdict (B) Verdict (DIFF) Insns (A) Insns (B) Insns (DIFF)
---------------------------------- ------------------------ ----------- ----------- -------------- --------- --------- --------------
linked_list_peek.bpf.o list_peek success success MATCH 152 88 -64 (-42.11%)
verifier_iterating_callbacks.bpf.o cond_break2 success success MATCH 110 88 -22 (-20.00%)

These are the added selftests that failed earlier but are passing now:

verifier_linked_scalars.bpf.o alu32_negative_offset failure success MISMATCH 11 13 +2 (+18.18%)
verifier_linked_scalars.bpf.o scalars_alu32_big_offset failure success MISMATCH 7 10 +3 (+42.86%)
verifier_linked_scalars.bpf.o scalars_neg_alu32_add failure success MISMATCH 7 10 +3 (+42.86%)
verifier_linked_scalars.bpf.o scalars_neg_alu32_sub failure success MISMATCH 7 10 +3 (+42.86%)
verifier_linked_scalars.bpf.o scalars_neg failure success MISMATCH 7 10 +3 (+42.86%)
verifier_linked_scalars.bpf.o scalars_neg_sub failure success MISMATCH 7 10 +3 (+42.86%)
verifier_linked_scalars.bpf.o scalars_sub_neg_imm failure success MISMATCH 7 10 +3 (+42.86%)

iters.bpf.o iter_obfuscate_counter success success MATCH 83 119 +36 (+43.37%)
bpf_cubic.bpf.o bpf_cubic_acked success success MATCH 243 430 +187 (+76.95%)
====================

Link: https://patch.msgid.link/20260204151741.2678118-1-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

Alexei Starovoitov 6e951a9b b2821311

+346 -15
+5 -1
include/linux/bpf_verifier.h
··· 147 147 * registers. Example: 148 148 * r1 = r2; both will have r1->id == r2->id == N 149 149 * r1 += 10; r1->id == N | BPF_ADD_CONST and r1->off == 10 150 + * r3 = r2; both will have r3->id == r2->id == N 151 + * w3 += 10; r3->id == N | BPF_ADD_CONST32 and r3->off == 10 150 152 */ 151 - #define BPF_ADD_CONST (1U << 31) 153 + #define BPF_ADD_CONST64 (1U << 31) 154 + #define BPF_ADD_CONST32 (1U << 30) 155 + #define BPF_ADD_CONST (BPF_ADD_CONST64 | BPF_ADD_CONST32) 152 156 u32 id; 153 157 /* PTR_TO_SOCKET and PTR_TO_TCP_SOCK could be a ptr returned 154 158 * from a pointer-cast helper, bpf_sk_fullsock() and
+39 -11
kernel/bpf/verifier.c
··· 16209 16209 verbose(env, "verifier internal error: no src_reg\n"); 16210 16210 return -EFAULT; 16211 16211 } 16212 + /* 16213 + * For alu32 linked register tracking, we need to check dst_reg's 16214 + * umax_value before the ALU operation. After adjust_scalar_min_max_vals(), 16215 + * alu32 ops will have zero-extended the result, making umax_value <= U32_MAX. 16216 + */ 16217 + u64 dst_umax = dst_reg->umax_value; 16218 + 16212 16219 err = adjust_scalar_min_max_vals(env, insn, dst_reg, *src_reg); 16213 16220 if (err) 16214 16221 return err; ··· 16225 16218 * r1 += 0x1 16226 16219 * if r2 < 1000 goto ... 16227 16220 * use r1 in memory access 16228 - * So for 64-bit alu remember constant delta between r2 and r1 and 16229 - * update r1 after 'if' condition. 16221 + * So remember constant delta between r2 and r1 and update r1 after 16222 + * 'if' condition. 16230 16223 */ 16231 16224 if (env->bpf_capable && 16232 - BPF_OP(insn->code) == BPF_ADD && !alu32 && 16233 - dst_reg->id && is_reg_const(src_reg, false)) { 16234 - u64 val = reg_const_value(src_reg, false); 16225 + (BPF_OP(insn->code) == BPF_ADD || BPF_OP(insn->code) == BPF_SUB) && 16226 + dst_reg->id && is_reg_const(src_reg, alu32)) { 16227 + u64 val = reg_const_value(src_reg, alu32); 16228 + s32 off; 16235 16229 16236 - if ((dst_reg->id & BPF_ADD_CONST) || 16237 - /* prevent overflow in sync_linked_regs() later */ 16238 - val > (u32)S32_MAX) { 16230 + if (!alu32 && ((s64)val < S32_MIN || (s64)val > S32_MAX)) 16231 + goto clear_id; 16232 + 16233 + if (alu32 && (dst_umax > U32_MAX)) 16234 + goto clear_id; 16235 + 16236 + off = (s32)val; 16237 + 16238 + if (BPF_OP(insn->code) == BPF_SUB) { 16239 + /* Negating S32_MIN would overflow */ 16240 + if (off == S32_MIN) 16241 + goto clear_id; 16242 + off = -off; 16243 + } 16244 + 16245 + if (dst_reg->id & BPF_ADD_CONST) { 16239 16246 /* 16240 16247 * If the register already went through rX += val 16241 16248 * we cannot accumulate another val into rx->off. 16242 16249 */ 16250 + clear_id: 16243 16251 dst_reg->off = 0; 16244 16252 dst_reg->id = 0; 16245 16253 } else { 16246 - dst_reg->id |= BPF_ADD_CONST; 16247 - dst_reg->off = val; 16254 + if (alu32) 16255 + dst_reg->id |= BPF_ADD_CONST32; 16256 + else 16257 + dst_reg->id |= BPF_ADD_CONST64; 16258 + dst_reg->off = off; 16248 16259 } 16249 16260 } else { 16250 16261 /* ··· 17359 17334 u32 saved_id = reg->id; 17360 17335 17361 17336 fake_reg.type = SCALAR_VALUE; 17362 - __mark_reg_known(&fake_reg, (s32)reg->off - (s32)known_reg->off); 17337 + __mark_reg_known(&fake_reg, (s64)reg->off - (s64)known_reg->off); 17363 17338 17364 17339 /* reg = known_reg; reg += delta */ 17365 17340 copy_register_state(reg, known_reg); ··· 17374 17349 scalar32_min_max_add(reg, &fake_reg); 17375 17350 scalar_min_max_add(reg, &fake_reg); 17376 17351 reg->var_off = tnum_add(reg->var_off, fake_reg.var_off); 17352 + if (known_reg->id & BPF_ADD_CONST32) 17353 + zext_32_to_64(reg); 17354 + reg_bounds_sync(reg); 17377 17355 } 17378 17356 if (e->is_reg) 17379 17357 mark_reg_scratched(env, e->regno);
+1 -1
tools/testing/selftests/bpf/progs/verifier_bounds.c
··· 1477 1477 SEC("socket") 1478 1478 __description("64-bit subtraction, partial overflow, result in unbounded reg") 1479 1479 __success __log_level(2) 1480 - __msg("3: (1f) r3 -= r2 {{.*}} R3=scalar()") 1480 + __msg("3: (1f) r3 -= r2 {{.*}} R3=scalar(id=1-1)") 1481 1481 __retval(0) 1482 1482 __naked void sub64_partial_overflow(void) 1483 1483 {
+301 -2
tools/testing/selftests/bpf/progs/verifier_linked_scalars.c
··· 1 1 // SPDX-License-Identifier: GPL-2.0 2 2 3 3 #include <linux/bpf.h> 4 + #include <limits.h> 4 5 #include <bpf/bpf_helpers.h> 5 6 #include "bpf_misc.h" 6 7 ··· 19 18 r4 = r1; \ 20 19 w2 += 0x7FFFFFFF; \ 21 20 w4 += 0; \ 22 - if r2 == 0 goto l1; \ 21 + if r2 == 0 goto l0_%=; \ 23 22 exit; \ 24 - l1: \ 23 + l0_%=: \ 25 24 r4 >>= 63; \ 26 25 r3 = 1; \ 27 26 r3 -= r4; \ ··· 63 62 " : 64 63 : __imm(bpf_get_prandom_u32) 65 64 : __clobber_all); 65 + } 66 + 67 + SEC("socket") 68 + __success 69 + __naked void scalars_neg(void) 70 + { 71 + asm volatile (" \ 72 + call %[bpf_get_prandom_u32]; \ 73 + r0 &= 0xff; \ 74 + r1 = r0; \ 75 + r1 += -4; \ 76 + if r1 s< 0 goto l0_%=; \ 77 + if r0 != 0 goto l0_%=; \ 78 + r0 /= 0; \ 79 + l0_%=: \ 80 + r0 = 0; \ 81 + exit; \ 82 + " : 83 + : __imm(bpf_get_prandom_u32) 84 + : __clobber_all); 85 + } 86 + 87 + /* Same test but using BPF_SUB instead of BPF_ADD with negative immediate */ 88 + SEC("socket") 89 + __success 90 + __naked void scalars_neg_sub(void) 91 + { 92 + asm volatile (" \ 93 + call %[bpf_get_prandom_u32]; \ 94 + r0 &= 0xff; \ 95 + r1 = r0; \ 96 + r1 -= 4; \ 97 + if r1 s< 0 goto l0_%=; \ 98 + if r0 != 0 goto l0_%=; \ 99 + r0 /= 0; \ 100 + l0_%=: \ 101 + r0 = 0; \ 102 + exit; \ 103 + " : 104 + : __imm(bpf_get_prandom_u32) 105 + : __clobber_all); 106 + } 107 + 108 + /* alu32 with negative offset */ 109 + SEC("socket") 110 + __success 111 + __naked void scalars_neg_alu32_add(void) 112 + { 113 + asm volatile (" \ 114 + call %[bpf_get_prandom_u32]; \ 115 + w0 &= 0xff; \ 116 + w1 = w0; \ 117 + w1 += -4; \ 118 + if w1 s< 0 goto l0_%=; \ 119 + if w0 != 0 goto l0_%=; \ 120 + r0 /= 0; \ 121 + l0_%=: \ 122 + r0 = 0; \ 123 + exit; \ 124 + " : 125 + : __imm(bpf_get_prandom_u32) 126 + : __clobber_all); 127 + } 128 + 129 + /* alu32 with negative offset using SUB */ 130 + SEC("socket") 131 + __success 132 + __naked void scalars_neg_alu32_sub(void) 133 + { 134 + asm volatile (" \ 135 + call %[bpf_get_prandom_u32]; \ 136 + w0 &= 0xff; \ 137 + w1 = w0; \ 138 + w1 -= 4; \ 139 + if w1 s< 0 goto l0_%=; \ 140 + if w0 != 0 goto l0_%=; \ 141 + r0 /= 0; \ 142 + l0_%=: \ 143 + r0 = 0; \ 144 + exit; \ 145 + " : 146 + : __imm(bpf_get_prandom_u32) 147 + : __clobber_all); 148 + } 149 + 150 + /* Positive offset: r1 = r0 + 4, then if r1 >= 6, r0 >= 2, so r0 != 0 */ 151 + SEC("socket") 152 + __success 153 + __naked void scalars_pos(void) 154 + { 155 + asm volatile (" \ 156 + call %[bpf_get_prandom_u32]; \ 157 + r0 &= 0xff; \ 158 + r1 = r0; \ 159 + r1 += 4; \ 160 + if r1 < 6 goto l0_%=; \ 161 + if r0 != 0 goto l0_%=; \ 162 + r0 /= 0; \ 163 + l0_%=: \ 164 + r0 = 0; \ 165 + exit; \ 166 + " : 167 + : __imm(bpf_get_prandom_u32) 168 + : __clobber_all); 169 + } 170 + 171 + /* SUB with negative immediate: r1 -= -4 is equivalent to r1 += 4 */ 172 + SEC("socket") 173 + __success 174 + __naked void scalars_sub_neg_imm(void) 175 + { 176 + asm volatile (" \ 177 + call %[bpf_get_prandom_u32]; \ 178 + r0 &= 0xff; \ 179 + r1 = r0; \ 180 + r1 -= -4; \ 181 + if r1 < 6 goto l0_%=; \ 182 + if r0 != 0 goto l0_%=; \ 183 + r0 /= 0; \ 184 + l0_%=: \ 185 + r0 = 0; \ 186 + exit; \ 187 + " : 188 + : __imm(bpf_get_prandom_u32) 189 + : __clobber_all); 190 + } 191 + 192 + /* Double ADD clears the ID (can't accumulate offsets) */ 193 + SEC("socket") 194 + __failure 195 + __msg("div by zero") 196 + __naked void scalars_double_add(void) 197 + { 198 + asm volatile (" \ 199 + call %[bpf_get_prandom_u32]; \ 200 + r0 &= 0xff; \ 201 + r1 = r0; \ 202 + r1 += 2; \ 203 + r1 += 2; \ 204 + if r1 < 6 goto l0_%=; \ 205 + if r0 != 0 goto l0_%=; \ 206 + r0 /= 0; \ 207 + l0_%=: \ 208 + r0 = 0; \ 209 + exit; \ 210 + " : 211 + : __imm(bpf_get_prandom_u32) 212 + : __clobber_all); 213 + } 214 + 215 + /* 216 + * Test that sync_linked_regs() correctly handles large offset differences. 217 + * r1.off = S32_MIN, r2.off = 1, delta = S32_MIN - 1 requires 64-bit math. 218 + */ 219 + SEC("socket") 220 + __success 221 + __naked void scalars_sync_delta_overflow(void) 222 + { 223 + asm volatile (" \ 224 + call %[bpf_get_prandom_u32]; \ 225 + r0 &= 0xff; \ 226 + r1 = r0; \ 227 + r2 = r0; \ 228 + r1 += %[s32_min]; \ 229 + r2 += 1; \ 230 + if r2 s< 100 goto l0_%=; \ 231 + if r1 s< 0 goto l0_%=; \ 232 + r0 /= 0; \ 233 + l0_%=: \ 234 + r0 = 0; \ 235 + exit; \ 236 + " : 237 + : __imm(bpf_get_prandom_u32), 238 + [s32_min]"i"(INT_MIN) 239 + : __clobber_all); 240 + } 241 + 242 + /* 243 + * Another large delta case: r1.off = S32_MAX, r2.off = -1. 244 + * delta = S32_MAX - (-1) = S32_MAX + 1 requires 64-bit math. 245 + */ 246 + SEC("socket") 247 + __success 248 + __naked void scalars_sync_delta_overflow_large_range(void) 249 + { 250 + asm volatile (" \ 251 + call %[bpf_get_prandom_u32]; \ 252 + r0 &= 0xff; \ 253 + r1 = r0; \ 254 + r2 = r0; \ 255 + r1 += %[s32_max]; \ 256 + r2 += -1; \ 257 + if r2 s< 0 goto l0_%=; \ 258 + if r1 s>= 0 goto l0_%=; \ 259 + r0 /= 0; \ 260 + l0_%=: \ 261 + r0 = 0; \ 262 + exit; \ 263 + " : 264 + : __imm(bpf_get_prandom_u32), 265 + [s32_max]"i"(INT_MAX) 266 + : __clobber_all); 267 + } 268 + 269 + /* 270 + * Test linked scalar tracking with alu32 and large positive offset (0x7FFFFFFF). 271 + * After w1 += 0x7FFFFFFF, w1 wraps to negative for any r0 >= 1. 272 + * If w1 is signed-negative, then r0 >= 1, so r0 != 0. 273 + */ 274 + SEC("socket") 275 + __success 276 + __naked void scalars_alu32_big_offset(void) 277 + { 278 + asm volatile (" \ 279 + call %[bpf_get_prandom_u32]; \ 280 + w0 &= 0xff; \ 281 + w1 = w0; \ 282 + w1 += 0x7FFFFFFF; \ 283 + if w1 s>= 0 goto l0_%=; \ 284 + if w0 != 0 goto l0_%=; \ 285 + r0 /= 0; \ 286 + l0_%=: \ 287 + r0 = 0; \ 288 + exit; \ 289 + " : 290 + : __imm(bpf_get_prandom_u32) 291 + : __clobber_all); 292 + } 293 + 294 + SEC("socket") 295 + __failure 296 + __msg("div by zero") 297 + __naked void scalars_alu32_basic(void) 298 + { 299 + asm volatile (" \ 300 + call %[bpf_get_prandom_u32]; \ 301 + r1 = r0; \ 302 + w1 += 1; \ 303 + if r1 > 10 goto 1f; \ 304 + r0 >>= 32; \ 305 + if r0 == 0 goto 1f; \ 306 + r0 /= 0; \ 307 + 1: \ 308 + r0 = 0; \ 309 + exit; \ 310 + " : 311 + : __imm(bpf_get_prandom_u32) 312 + : __clobber_all); 313 + } 314 + 315 + /* 316 + * Test alu32 linked register tracking with wrapping. 317 + * R0 is bounded to [0xffffff00, 0xffffffff] (high 32-bit values) 318 + * w1 += 0x100 causes R1 to wrap to [0, 0xff] 319 + * 320 + * After sync_linked_regs, if bounds are computed correctly: 321 + * R0 should be [0x00000000_ffffff00, 0x00000000_ffffff80] 322 + * R0 >> 32 == 0, so div by zero is unreachable 323 + * 324 + * If bounds are computed incorrectly (64-bit underflow): 325 + * R0 becomes [0xffffffff_ffffff00, 0xffffffff_ffffff80] 326 + * R0 >> 32 == 0xffffffff != 0, so div by zero is reachable 327 + */ 328 + SEC("socket") 329 + __success 330 + __naked void scalars_alu32_wrap(void) 331 + { 332 + asm volatile (" \ 333 + call %[bpf_get_prandom_u32]; \ 334 + w0 |= 0xffffff00; \ 335 + r1 = r0; \ 336 + w1 += 0x100; \ 337 + if r1 > 0x80 goto l0_%=; \ 338 + r2 = r0; \ 339 + r2 >>= 32; \ 340 + if r2 == 0 goto l0_%=; \ 341 + r0 /= 0; \ 342 + l0_%=: \ 343 + r0 = 0; \ 344 + exit; \ 345 + " : 346 + : __imm(bpf_get_prandom_u32) 347 + : __clobber_all); 348 + } 349 + 350 + SEC("socket") 351 + __success 352 + void alu32_negative_offset(void) 353 + { 354 + volatile char path[5]; 355 + volatile int offset = bpf_get_prandom_u32(); 356 + int off = offset; 357 + 358 + if (off >= 5 && off < 10) 359 + path[off - 5] = '.'; 360 + 361 + /* So compiler doesn't say: error: variable 'path' set but not used */ 362 + __sink(path[0]); 66 363 } 67 364 68 365 char _license[] SEC("license") = "GPL";