From: Yonghong Song <yonghong.song@linux.dev>
To: KaFai Wan <kafai.wan@linux.dev>,
ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com,
andrii@kernel.org, martin.lau@linux.dev, eddyz87@gmail.com,
song@kernel.org, kpsingh@kernel.org, sdf@fomichev.me,
haoluo@google.com, jolsa@kernel.org, shuah@kernel.org,
paul.chaignon@gmail.com, m.shachnai@gmail.com,
luis.gerhorst@fau.de, colin.i.king@gmail.com,
harishankar.vishwanathan@gmail.com, bpf@vger.kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org
Cc: Kaiyan Mei <M202472210@hust.edu.cn>, Yinhao Hu <dddddd@hust.edu.cn>
Subject: Re: [PATCH bpf-next 1/2] bpf: Skip bounds adjustment for conditional jumps on same register
Date: Wed, 22 Oct 2025 11:14:56 -0700
Message-ID: <39af9321-fb9b-4cee-84f1-77248a375e85@linux.dev>
In-Reply-To: <20251022164457.1203756-2-kafai.wan@linux.dev>
On 10/22/25 9:44 AM, KaFai Wan wrote:
> When conditional jumps are performed on the same register (e.g., r0 <= r0,
> r0 > r0, r0 < r0) where the register holds a scalar with range, the verifier
> incorrectly attempts to adjust the register's min/max bounds. This leads to
> invalid range bounds and triggers a BUG warning:
>
> verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
> WARNING: CPU: 0 PID: 93 at kernel/bpf/verifier.c:2731 reg_bounds_sanity_check+0x163/0x220
> Modules linked in:
> CPU: 0 UID: 0 PID: 93 Comm: repro-x-3 Tainted: G W 6.18.0-rc1-ge7586577b75f-dirty #218 PREEMPT(full)
> Tainted: [W]=WARN
> Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:reg_bounds_sanity_check+0x163/0x220
> Call Trace:
> <TASK>
> reg_set_min_max.part.0+0x1b1/0x360
> check_cond_jmp_op+0x1195/0x1a60
> do_check_common+0x33ac/0x33c0
> ...
>
> The issue occurs in reg_set_min_max() function where bounds adjustment logic
> is applied even when both registers being compared are the same. Comparing a
> register with itself should not change its bounds since the comparison result
> is always known (e.g., r0 == r0 is always true, r0 < r0 is always false).
>
> Fix this by adding an early return in reg_set_min_max() when false_reg1 and
> false_reg2 point to the same register, skipping the unnecessary bounds
> adjustment that leads to the verifier bug.
>
> Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
> Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
> Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn/
> Fixes: 0df1a55afa83 ("bpf: Warn on internal verifier errors")
> Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
> ---
> kernel/bpf/verifier.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 6d175849e57a..420ad512d1af 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -16429,6 +16429,10 @@ static int reg_set_min_max(struct bpf_verifier_env *env,
> if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE)
> return 0;
>
> + /* If conditional jumps on the same register, skip the adjustment */
> + if (false_reg1 == false_reg2)
> + return 0;
Your change looks good. But this is a special case and it should not
happen for any compiler-generated code. So could you investigate
why regs_refine_cond_op() does not work? Since false_reg1 and false_reg2
are the same, register refinement should keep them the same. Probably
some minor change in regs_refine_cond_op(...) would work?
> +
> /* fallthrough (FALSE) branch */
> regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32);
> reg_bounds_sync(false_reg1);
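Review bot: the early return at the top of this hunk silently skips refinement, but for a same-register comparison the outcome is already decided (r0 < r0 never jumps, r0 <= r0 always jumps), so the branch left unrefined here is dead and will still be verified with r0's original bounds; resolving the outcome where the verifier already handles known-result branches, or teaching regs_refine_cond_op() to tolerate reg1 == reg2 as suggested in the reply above, addresses the root cause rather than only the warning. Either way the comment on `if (false_reg1 == false_reg2)` should say that this is a pointer (aliasing) check, not a value comparison, and why returning 0 for both branches is correct: the reported u64=[0x1, 0x0] is exactly what refining a constant against itself produces when umin is pushed above umax. One thing to confirm before merging: BPF_JSET on the same register is not a tautology (r0 & r0 is just r0 != 0), so make sure the early return does not drop a refinement regs_refine_cond_op() would otherwise apply for that opcode.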
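As an added illustration of the bug in the patch above (this is example code written for this page, not kernel/bpf/verifier.c and not part of the submitted patch), the following user-space model reproduces how refining `r0 < r0` on a constant-zero register yields the impossible range u64=[0x1, 0x0] from the report. The `struct reg`, the function names and the opcode enum are this example's own; the refinement body is modelled on the unsigned JLT case of regs_refine_cond_op() as a reviewer would read it, and the exact kernel statements are not on this page.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal model of an unsigned 64-bit scalar range. Assumed name; the
 * kernel's bpf_reg_state carries several more bounds plus var_off. */
struct reg {
	uint64_t umin;
	uint64_t umax;
};

/* Modelled on the verifier's "true" branch refinement for reg1 < reg2
 * (unsigned): reg1 cannot exceed reg2->umax - 1 and reg2 cannot be below
 * reg1->umin + 1. The reg2->umax - 1 subtraction wraps when umax == 0. */
void refine_jlt_true(struct reg *reg1, struct reg *reg2)
{
	if (reg2->umax - 1 < reg1->umax)
		reg1->umax = reg2->umax - 1;
	if (reg1->umin + 1 > reg2->umin)
		reg2->umin = reg1->umin + 1;
}

/* Same refinement with the patch's aliasing check in front of it. */
void refine_jlt_true_fixed(struct reg *reg1, struct reg *reg2)
{
	if (reg1 == reg2)	/* r0 < r0: pointer equality, nothing to learn */
		return;
	refine_jlt_true(reg1, reg2);
}

/* The u64 half of the invariant reg_bounds_sanity_check() warns about. */
bool reg_bounds_ok(const struct reg *r)
{
	return r->umin <= r->umax;
}

/* Feed "if r0 < r0" with r0 known to be 0 (var_off=(0x0,0x0) in the
 * report) through either variant and return r0's resulting range. */
struct reg model_same_reg_jlt(bool fixed)
{
	struct reg r0 = { 0, 0 };

	if (fixed)
		refine_jlt_true_fixed(&r0, &r0);
	else
		refine_jlt_true(&r0, &r0);
	return r0;
}

/* Outcome of a conditional jump whose two operands are one register:
 * 1 = always taken, 0 = never taken, -1 = not decided by aliasing alone.
 * Opcode names are this example's own, not the BPF_J* constants. */
enum same_reg_op { OP_JEQ, OP_JNE, OP_JLT, OP_JLE, OP_JGT, OP_JGE, OP_JSET };

int same_reg_branch_taken(enum same_reg_op op)
{
	switch (op) {
	case OP_JEQ:
	case OP_JLE:
	case OP_JGE:
		return 1;
	case OP_JNE:
	case OP_JLT:
	case OP_JGT:
		return 0;
	case OP_JSET:	/* r0 & r0 != 0 is just r0 != 0: depends on r0's value */
	default:
		return -1;
	}
}

int main(void)
{
	struct reg r = model_same_reg_jlt(false);

	printf("unfixed: u64=[0x%llx, 0x%llx] %s\n",
	       (unsigned long long)r.umin, (unsigned long long)r.umax,
	       reg_bounds_ok(&r) ? "ok" : "INVARIANT VIOLATION");
	r = model_same_reg_jlt(true);
	printf("fixed:   u64=[0x%llx, 0x%llx] %s\n",
	       (unsigned long long)r.umin, (unsigned long long)r.umax,
	       reg_bounds_ok(&r) ? "ok" : "INVARIANT VIOLATION");
	return 0;
}
```

The unfixed path first clamps umax against `umax - 1` of the same register (a no-op once the subtraction wraps to UINT64_MAX) and then raises umin to `umin + 1` of the same register, which is how a constant 0 becomes [1, 0]. `same_reg_branch_taken()` shows the alternative the reply raises: for every opcode except JSET the result of comparing a register with itself is known before any refinement, so the dead branch could be pruned instead of refined.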
Thread overview: 15+ messages
2025-10-22 16:44 [PATCH bpf-next 0/2] bpf: Skip bounds adjustment for conditional jumps on same register KaFai Wan
2025-10-22 16:44 ` [PATCH bpf-next 1/2] " KaFai Wan
2025-10-22 18:14 ` Yonghong Song [this message]
2025-10-22 19:46 ` Eduard Zingerman
2025-10-22 20:12 ` Alexei Starovoitov
2025-10-22 20:30 ` Eduard Zingerman
2025-10-22 20:34 ` Alexei Starovoitov
2025-10-23 11:26 ` KaFai Wan
2025-10-23 17:38 ` Eduard Zingerman
2025-10-24 16:13 ` KaFai Wan
2025-10-24 16:21 ` Eduard Zingerman
2025-10-24 16:37 ` KaFai Wan
2025-10-24 16:40 ` Alexei Starovoitov
2025-10-24 16:53 ` KaFai Wan
2025-10-22 16:44 ` [PATCH bpf-next 2/2] selftests/bpf: Add test " KaFai Wan