
XDP12 Verifier: cannot add integer value with 0 upper zero bits to ptr_to_packet #34

williamtu opened this issue Feb 17, 2017 · 2 comments



williamtu commented Feb 17, 2017

This is related to #4
I encountered the following verifier error. I guess this is similar to the previous one, but when the register is spilled to the stack and restored, the imm "upper zero bits" state is lost?

 R0=imm0,min_value=0,max_value=0 R1=imm58,min_value=58,max_value=58 R3=pkt(id=0,off=58,r=58) R4=inv61 R5=pkt_end R6=imm144,min_value=144,max_value=144 R7=imm0,min_value=0,max_value=0 R8=ctx R9=pkt(id=0,off=0,r=58) R10=fp
260: (bf) r5 = r6
261: (47) r5 |= 12
262: (bf) r1 = r5
263: (07) r1 += 44
264: (77) r1 >>= 3
265: (7b) *(u64 *)(r10 -64) = r1
266: (bf) r7 = r5
267: (07) r7 += 36
268: (77) r7 >>= 3
269: (bf) r0 = r5
270: (07) r0 += 20
271: (77) r0 >>= 3
272: (bf) r1 = r5
273: (07) r1 += 52
274: (77) r1 >>= 3
275: (77) r6 >>= 3
276: (79) r2 = *(u64 *)(r10 -24)
277: (bf) r2 = r5
278: (77) r2 >>= 3
279: (7b) *(u64 *)(r10 -184) = r2
280: (07) r5 += 180
281: (77) r5 >>= 3
282: (bf) r4 = r9
283: (0f) r4 += r5
284: (47) r5 |= 1
285: (bf) r3 = r9
286: (0f) r3 += r6
287: (bf) r6 = r9
288: (0f) r6 += r1
289: (47) r1 |= 1
290: (bf) r2 = r9
291: (0f) r2 += r0
292: (7b) *(u64 *)(r10 -312) = r2
293: (bf) r2 = r9
294: (79) r0 = *(u64 *)(r10 -184)
295: (0f) r2 += r0
cannot add integer value with 0 upper zero bits to ptr_to_packet

The objdump

; hd.ipv6.version = (u8)((load_byte(ebpf_packetStart, BYTES(ebpf_packetOffsetInBits)) >> 4) & EBPF_MASK(u8, 4));
     285:	r3 = r9
     286:	r3 += r6
     287:	r6 = r9
     288:	r6 += r1
; hd.ipv6.srcAddr[1] = (u8)((load_byte(ebpf_packetStart, BYTES(ebpf_packetOffsetInBits) + 1) >> 0));
     289:	r1 |= 1
; hd.ipv6.payloadLen = (u16)((load_half(ebpf_packetStart, BYTES(ebpf_packetOffsetInBits))));
     290:	r2 = r9
     291:	r2 += r0
     292:	*(u64 *)(r10 - 312) = r2
; hd.ipv6.flowLabel = (u32)((load_word(ebpf_packetStart, BYTES(ebpf_packetOffsetInBits)) >> 8) & EBPF_MASK(u32, 20));
     293:	r2 = r9
     294:	r0 = *(u64 *)(r10 - 184)
     295:	r2 += r0
     296:	*(u64 *)(r10 - 336) = r2
; hd.ipv6.nextHdr = (u8)((load_byte(ebpf_packetStart, BYTES(ebpf_packetOffsetInBits))));

I patched with the following, but encountered another error

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -547,6 +547,11 @@ static bool is_spillable_regtype(enum bpf_reg_type type)
        case FRAME_PTR:
        case CONST_PTR_TO_MAP:
                return true;
+       case CONST_IMM: {
+               dump_stack();
+               printk("spill type const_imm\n");
+               return true;
+       }
        default:
                return false;
        }
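Review bot: The new `case CONST_IMM:` arm carries `dump_stack()` and a `printk()` in `is_spillable_regtype`, which is a pure predicate called for every stack write the verifier checks; that is debugging output, not something the verifier should ever emit, and if kept for investigation it belongs behind `verbose()` so it is only visible to the loader. Judging from the state dump above (`R4=inv61` versus `R1=imm58`), the register spilled at insn 265 has already been through `r1 += 44; r1 >>= 3` and is probably an `inv` (unknown value with upper-zero-bits in `imm`) rather than a `CONST_IMM`, so making `CONST_IMM` spillable likely does not reach the case that produces the error — confirm against the register type the verifier reports at 265. The braces around the single case body also differ from the neighbouring `case` arms; `case CONST_IMM:` followed directly by `return true;` matches the surrounding style. `is_spillable_regtype` starts before the hunk.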
@@ -567,7 +572,13 @@ static int check_stack_write(struct bpf_verifier_state *state, int off,
            is_spillable_regtype(state->regs[value_regno].type)) {
 
                /* register containing pointer is being spilled into stack */
-               if (size != BPF_REG_SIZE) {
+               //if (size != BPF_REG_SIZE) {
+/*
+4: (63) *(u32 *)(r10 -4) = r0
+invalid size of register spill
+FAILED: 0: (bf) r8 = r1
+*/
+               if (size > BPF_REG_SIZE) {
                        verbose("invalid size of register spill\n");
                        return -EACCES;
                }
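Review bot: Changing `if (size != BPF_REG_SIZE)` to `if (size > BPF_REG_SIZE)` weakens a safety check rather than fixing the reported problem: it lets a pointer-typed register be spilled with a store narrower than 8 bytes, while the spill bookkeeping that follows this condition (outside the hunk) presumably still records the whole register as a full-size spill, so a later 8-byte load from that slot could be treated as restoring an intact pointer even though only part of it was written — exactly the situation the exact-size check rejects. The pasted log and the commented-out original condition above the new `if` should not be left in a patch; keep the original check and, if narrower spills of scalars are the real need, handle that on the non-spillable (`STACK_MISC`) path instead. `check_stack_write` starts before the hunk and continues after it.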