From: KaFai Wan
To: ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com, andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org, shuah@kernel.org, paul.chaignon@gmail.com, m.shachnai@gmail.com, luis.gerhorst@fau.de, colin.i.king@gmail.com, harishankar.vishwanathan@gmail.com, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Cc: KaFai Wan, Kaiyan Mei, Yinhao Hu
Subject: [PATCH bpf-next 1/2] bpf: Skip bounds adjustment for conditional jumps on same register
Date: Thu, 23 Oct 2025 00:44:56 +0800
Message-ID: <20251022164457.1203756-2-kafai.wan@linux.dev>
In-Reply-To: <20251022164457.1203756-1-kafai.wan@linux.dev>
References: <20251022164457.1203756-1-kafai.wan@linux.dev>

When conditional jumps are performed on the same register (e.g., r0 <= r0, r0 > r0, r0 < r0) where the register holds a scalar with range, the verifier incorrectly attempts to adjust the register's min/max bounds.
This leads to invalid range bounds and triggers a BUG warning:

verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
WARNING: CPU: 0 PID: 93 at kernel/bpf/verifier.c:2731 reg_bounds_sanity_check+0x163/0x220
Modules linked in:
CPU: 0 UID: 0 PID: 93 Comm: repro-x-3 Tainted: G W 6.18.0-rc1-ge7586577b75f-dirty #218 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:reg_bounds_sanity_check+0x163/0x220
Call Trace:
 reg_set_min_max.part.0+0x1b1/0x360
 check_cond_jmp_op+0x1195/0x1a60
 do_check_common+0x33ac/0x33c0
 ...

The issue occurs in reg_set_min_max() function where bounds adjustment logic is applied even when both registers being compared are the same. Comparing a register with itself should not change its bounds since the comparison result is always known (e.g., r0 == r0 is always true, r0 < r0 is always false).

Fix this by adding an early return in reg_set_min_max() when false_reg1 and false_reg2 point to the same register, skipping the unnecessary bounds adjustment that leads to the verifier bug.

Reported-by: Kaiyan Mei
Reported-by: Yinhao Hu
Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn/
Fixes: 0df1a55afa83 ("bpf: Warn on internal verifier errors")
Signed-off-by: KaFai Wan
--- kernel/bpf/verifier.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 6d175849e57a..420ad512d1af 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c
@@ -16429,6 +16429,10 @@ static int reg_set_min_max(struct bpf_verifier_env= *env, if (false_reg1->type !=3D SCALAR_VALUE || false_reg2->type !=3D SCALAR_VA= LUE) return 0; =20 + /* If conditional jumps on the same register, skip the adjustment */ + if (false_reg1 =3D=3D false_reg2) + return 0; + /* fallthrough (FALSE) branch */ regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32); reg_bounds_sync(false_reg1); --=20 2.43.0
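
Review bot: The early return added to reg_set_min_max() is keyed on `false_reg1 == false_reg2` only, while the warning quoted in the commit message was raised for true_reg1. The comment should state that the true_reg pair aliases in the same way (or the check should test it as well), and why skipping is safe: the outcome of a self-comparison is already known, and refining a register against itself produces an empty range such as u64=[0x1, 0x0]. Returning 0 here also leaves both branches with the original bounds, so the impossible side (for example the taken side of `r0 < r0`) is still treated as reachable; say whether that is intended or whether the branch should be resolved before this function is reached.
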
From: KaFai Wan
To: ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com, andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com, song@kernel.org, yonghong.song@linux.dev, kpsingh@kernel.org, sdf@fomichev.me, haoluo@google.com, jolsa@kernel.org, shuah@kernel.org, paul.chaignon@gmail.com, m.shachnai@gmail.com, luis.gerhorst@fau.de, colin.i.king@gmail.com, harishankar.vishwanathan@gmail.com, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Cc: KaFai Wan
Subject: [PATCH bpf-next 2/2] selftests/bpf: Add test for conditional jumps on same register
Date: Thu, 23 Oct 2025 00:44:57 +0800
Message-ID: <20251022164457.1203756-3-kafai.wan@linux.dev>
In-Reply-To: <20251022164457.1203756-1-kafai.wan@linux.dev>
References: <20251022164457.1203756-1-kafai.wan@linux.dev>

Add a test case to verify that conditional jumps on the same register (e.g., JGT r0 > r0) do not trigger verifier BUG warnings when the register holds a scalar with range.
Signed-off-by: KaFai Wan --- .../selftests/bpf/progs/verifier_bounds.c | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/te= sting/selftests/bpf/progs/verifier_bounds.c index 0a72e0228ea9..620095635af5 100644 --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c @@ -1709,4 +1709,21 @@ __naked void jeq_disagreeing_tnums(void *ctx) : __clobber_all); } =20 +SEC("socket") +__description("JGT on same register") +__success __log_level(2) +__naked void jgt_same_register(void *ctx) +{ + asm volatile(" \ + call %[bpf_get_prandom_u32]; \ + w8 =3D 0x80000000; \ + r0 &=3D r8; \ + if r0 > r0 goto +1; \ + call %[bpf_get_prandom_u32]; \ + exit; \ +" : + : __imm(bpf_get_prandom_u32) + : __clobber_all); +} + char _license[] SEC("license") =3D "GPL"; --=20 2.43.0
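
Review bot: The new jgt_same_register test exercises only the 64-bit `if r0 > r0` form, while the commit message of patch 1/2 also lists `r0 <= r0` and `r0 < r0`, and the refinement call in that patch takes an is_jmp32 flag; add at least one other opcode and a 32-bit `w0 > w0` variant. `__log_level(2)` is requested but nothing in the test matches on the log, so either add expected-log checks for the register state after the jump or drop the log level. The test asserts only `__success`; the commit message should say how a recurrence of the REG INVARIANTS VIOLATION warning would make the load fail.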