* [PATCH bpf-next v2 0/2] bpf: Skip bounds adjustment for conditional jumps on same register
From: KaFai Wan @ 2025-10-25 5:30 UTC
To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, harishankar.vishwanathan, colin.i.king, luis.gerhorst, bpf, linux-kernel, linux-kselftest
Cc: KaFai Wan

This small patchset is about avoiding a verifier bug warning for conditional
jumps on the same register when the register holds a scalar with range.

v2:
  - Enhance is_branch_taken() and is_scalar_branch_taken() to handle
    branch direction computation for same register. (Eduard and Alexei)
  - Update the selftest.

v1:
  https://lore.kernel.org/bpf/20251022164457.1203756-1-kafai.wan@linux.dev/

---
KaFai Wan (2):
  bpf: Skip bounds adjustment for conditional jumps on same register
  selftests/bpf: Add test for BPF_JGT on same register

 kernel/bpf/verifier.c                         | 32 +++++++++++++++++++
 .../selftests/bpf/progs/verifier_bounds.c     | 18 +++++++++++
 2 files changed, 50 insertions(+)

--
2.43.0

* [PATCH bpf-next v2 1/2] bpf: Skip bounds adjustment for conditional jumps on same register
From: KaFai Wan @ 2025-10-25 5:30 UTC
To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, harishankar.vishwanathan, colin.i.king, luis.gerhorst, bpf, linux-kernel, linux-kselftest
Cc: KaFai Wan, Kaiyan Mei, Yinhao Hu

When conditional jumps are performed on the same register (e.g., r0 <= r0,
r0 > r0, r0 < r0) where the register holds a scalar with range, the verifier
incorrectly attempts to adjust the register's min/max bounds. This leads to
invalid range bounds and triggers a BUG warning:

verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
WARNING: CPU: 0 PID: 92 at kernel/bpf/verifier.c:2731 reg_bounds_sanity_check+0x163/0x220
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:reg_bounds_sanity_check+0x163/0x220
Call Trace:
 <TASK>
 reg_set_min_max+0xf7/0x1d0
 check_cond_jmp_op+0x57b/0x1730
 ? print_bpf_insn+0x3d5/0xa50
 do_check_common+0x33ac/0x33c0
 ...

The root cause is in regs_refine_cond_op() where BPF_JLT/BPF_JSLT operations
adjust both min/max bounds on the same register, causing invalid bounds.

Since comparing a register with itself should not change its bounds (the
comparison result is always known: r0 == r0 is always true, r0 < r0 is
always false), the bounds adjustment is unnecessary.

Fix this by:
1. Enhance is_branch_taken() and is_scalar_branch_taken() to properly
   handle branch direction computation for same register comparisons
   across all BPF jump operations
2. For unknown branch directions (e.g., BPF_JSET), add early return in
   reg_set_min_max() to avoid bounds adjustment on the same register

The fix ensures that unnecessary bounds adjustments are skipped, preventing
the verifier bug while maintaining correct branch direction analysis.

Reported-by: Kaiyan Mei <M202472210@hust.edu.cn> Reported-by: Yinhao Hu <dddddd@hust.edu.cn> Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn/ Fixes: 0df1a55afa83 ("bpf: Warn on internal verifier errors") Signed-off-by: KaFai Wan <kafai.wan@linux.dev> --- kernel/bpf/verifier.c | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 6d175849e57a..653fa96ed0df 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -16037,6 +16037,12 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta } break; case BPF_JSET: + if (reg1 == reg2) { + if (tnum_is_const(t1)) + return t1.value != 0; + else + return (smin1 <= 0 && smax1 >= 0) ? -1 : 1; + } if (!is_reg_const(reg2, is_jmp32)) { swap(reg1, reg2); swap(t1, t2); @@ -16172,6 +16178,25 @@ static int is_pkt_ptr_branch_taken(struct bpf_reg_state *dst_reg, static int is_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_state *reg2, u8 opcode, bool is_jmp32) { + if (reg1 == reg2) { + switch (opcode) { + case BPF_JGE: + case BPF_JLE: + case BPF_JSGE: + case BPF_JSLE: + case BPF_JEQ: + return 1; + case BPF_JGT: + case BPF_JLT: + case BPF_JSGT: + case BPF_JSLT: + case BPF_JNE: + return 0; + default: + break; + } + } + if (reg_is_pkt_pointer_any(reg1) && reg_is_pkt_pointer_any(reg2) && !is_jmp32) return is_pkt_ptr_branch_taken(reg1, reg2, opcode); 
@@ -16429,6 +16454,13 @@ static int reg_set_min_max(struct bpf_verifier_env *env, if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE) return 0; + /* We compute branch direction for same registers in is_branch_taken() and + * is_scalar_branch_taken(). For unknown branch directions (e.g., BPF_JSET) + * on the same registers, we don't need to adjusts the min/max values. + */ + if (false_reg1 == false_reg2) + return 0; + /* fallthrough (FALSE) branch */ regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32); reg_bounds_sync(false_reg1); -- 2.43.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
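Review bot: In the BPF_JSET hunk of is_scalar_branch_taken(), the new same-register block carries no comment, and the reasoning is not obvious from the code alone. `r & r` is `r`, so the jump is taken exactly when the register is non-zero, and the `smin1 <= 0 && smax1 >= 0` test asks whether 0 is still a possible value. A short comment saying so would help, the `else` after `return t1.value != 0;` can be dropped, and each of the three outcomes (constant, 0 in range, 0 out of range) should have a selftest.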
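Review bot: In the is_branch_taken() hunk, the `reg1 == reg2` switch sits ahead of the reg_is_pkt_pointer_any() check, so it decides the branch direction for every register type, while the commit message only talks about scalars with a range. If only scalars are meant, the switch belongs in is_scalar_branch_taken() next to the BPF_JSET case, which also keeps the same-register handling in one place; if pointers are meant too, the commit message should say so. The `default: break;` path that leaves BPF_JSET to the later code would be clearer with a one-line comment.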
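Review bot: In the reg_set_min_max() hunk, the early return tests only `false_reg1 == false_reg2`, while the warning quoted in the commit message is raised for true_reg1. The comment should state that the true_reg pair aliases whenever the false_reg pair does, or the condition should test both pairs. The comment also has a typo: "need to adjusts" should read "need to adjust".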
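The root cause described in the commit message above, as an added example that is not part of the patch or the kernel source: a reduced model that tracks only an unsigned [umin, umax] pair shows how refining `r < r` through two aliases of one register inverts the bounds, and how deciding the direction first leaves them intact. The struct, the function names, the refinement rule and the [0, 1] input are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Reduced model (assumption): a scalar tracked only as an unsigned range. */
struct reg { uint64_t umin, umax; };
enum op { OP_JEQ, OP_JNE, OP_JLT, OP_JLE, OP_JGT, OP_JGE, OP_JSET };

static int bounds_valid(const struct reg *r) { return r->umin <= r->umax; }

/* Refinement for the branch where "r1 < r2" holds. Assumed interval rule
 * written for this example, not copied from regs_refine_cond_op(). */
static void refine_jlt(struct reg *r1, struct reg *r2)
{
	if (r2->umax - 1 < r1->umax)
		r1->umax = r2->umax - 1;	/* r1 stays below r2's maximum */
	if (r1->umin + 1 > r2->umin)
		r2->umin = r1->umin + 1;	/* r2 stays above r1's minimum */
}

/* Same-register jump direction: 1 = always taken, 0 = never, -1 = unknown.
 * Opcode grouping follows the patch; JSET uses only the unsigned range. */
static int same_reg_branch_taken(enum op op, const struct reg *r)
{
	switch (op) {
	case OP_JEQ: case OP_JLE: case OP_JGE:
		return 1;
	case OP_JNE: case OP_JLT: case OP_JGT:
		return 0;
	case OP_JSET:	/* r & r == r: taken exactly when r != 0 */
		return r->umin > 0 ? 1 : (r->umax == 0 ? 0 : -1);
	}
	return -1;
}

/* Before the fix: "if r < r" refined through two aliases of one register. */
static int unfixed_jlt_bounds_valid(uint64_t umin, uint64_t umax)
{
	struct reg r = { umin, umax };
	refine_jlt(&r, &r);
	return bounds_valid(&r);
}

/* After the fix: direction is decided first, aliased operands are not refined. */
static int fixed_jlt_bounds_valid(uint64_t umin, uint64_t umax, int *taken)
{
	struct reg r = { umin, umax };
	struct reg *r1 = &r, *r2 = &r;

	*taken = -1;
	if (r1 == r2)
		*taken = same_reg_branch_taken(OP_JLT, r1);
	else
		refine_jlt(r1, r2);
	return bounds_valid(&r);
}

int main(void)
{
	int taken, ok = fixed_jlt_bounds_valid(0, 1, &taken); /* constructed range */
	printf("unfixed: valid=%d\n", unfixed_jlt_bounds_valid(0, 1));
	printf("fixed: valid=%d taken=%d\n", ok, taken);
	return 0;
}
```

With the constructed range [0, 1] the unfixed path ends at [1, 0], the same shape as the `u64=[0x1, 0x0]` in the warning.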
* Re: [PATCH bpf-next v2 1/2] bpf: Skip bounds adjustment for conditional jumps on same register
From: Eduard Zingerman @ 2025-10-27 20:09 UTC
To: KaFai Wan, ast, daniel, john.fastabend, andrii, martin.lau, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, harishankar.vishwanathan, colin.i.king, luis.gerhorst, bpf, linux-kernel, linux-kselftest
Cc: Kaiyan Mei, Yinhao Hu

On Sat, 2025-10-25 at 13:30 +0800, KaFai Wan wrote:
> When conditional jumps are performed on the same register (e.g., r0 <= r0,
> r0 > r0, r0 < r0) where the register holds a scalar with range, the verifier
> incorrectly attempts to adjust the register's min/max bounds. This leads to
> invalid range bounds and triggers a BUG warning:
>
> verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
> WARNING: CPU: 0 PID: 92 at kernel/bpf/verifier.c:2731 reg_bounds_sanity_check+0x163/0x220
> Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
> RIP: 0010:reg_bounds_sanity_check+0x163/0x220
> Call Trace:
> <TASK>
> reg_set_min_max+0xf7/0x1d0
> check_cond_jmp_op+0x57b/0x1730
> ? print_bpf_insn+0x3d5/0xa50
> do_check_common+0x33ac/0x33c0
> ...
>
> The root cause is in regs_refine_cond_op() where BPF_JLT/BPF_JSLT operations
> adjust both min/max bounds on the same register, causing invalid bounds.
>
> Since comparing a register with itself should not change its bounds (the
> comparison result is always known: r0 == r0 is always true, r0 < r0 is
> always false), the bounds adjustment is unnecessary.
>
> Fix this by:
> 1. Enhance is_branch_taken() and is_scalar_branch_taken() to properly
> handle branch direction computation for same register comparisons
> across all BPF jump operations
> 2.
For unknown branch directions (e.g., BPF_JSET), add early return in > reg_set_min_max() to avoid bounds adjustment on the same register > > The fix ensures that unnecessary bounds adjustments are skipped, preventing > the verifier bug while maintaining correct branch direction analysis. > > Reported-by: Kaiyan Mei <M202472210@hust.edu.cn> > Reported-by: Yinhao Hu <dddddd@hust.edu.cn> > Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn/ > Fixes: 0df1a55afa83 ("bpf: Warn on internal verifier errors") > Signed-off-by: KaFai Wan <kafai.wan@linux.dev> > --- > kernel/bpf/verifier.c | 32 ++++++++++++++++++++++++++++++++ > 1 file changed, 32 insertions(+) > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 6d175849e57a..653fa96ed0df 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c > @@ -16037,6 +16037,12 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta > } > break; > case BPF_JSET: > + if (reg1 == reg2) { > + if (tnum_is_const(t1)) > + return t1.value != 0; > + else > + return (smin1 <= 0 && smax1 >= 0) ? -1 : 1; > + } I think this logic is fine, but it needs tests for multiple cases. > if (!is_reg_const(reg2, is_jmp32)) { > swap(reg1, reg2); > swap(t1, t2); 
> @@ -16172,6 +16178,25 @@ static int is_pkt_ptr_branch_taken(struct bpf_reg_state *dst_reg, > static int is_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_state *reg2, > u8 opcode, bool is_jmp32) > { > + if (reg1 == reg2) { > + switch (opcode) { > + case BPF_JGE: > + case BPF_JLE: > + case BPF_JSGE: > + case BPF_JSLE: > + case BPF_JEQ: > + return 1; > + case BPF_JGT: > + case BPF_JLT: > + case BPF_JSGT: > + case BPF_JSLT: > + case BPF_JNE: > + return 0; > + default: > + break; > + } > + } > + I think Alexei was against my suggestion to put it in is_branch_taken() and preferred is_scalar_branch_taken() instead. > if (reg_is_pkt_pointer_any(reg1) && reg_is_pkt_pointer_any(reg2) && !is_jmp32) > return is_pkt_ptr_branch_taken(reg1, reg2, opcode); > > @@ -16429,6 +16454,13 @@ static int reg_set_min_max(struct bpf_verifier_env *env, > if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE) > return 0; > > + /* We compute branch direction for same registers in is_branch_taken() and > + * is_scalar_branch_taken(). For unknown branch directions (e.g., BPF_JSET) > + * on the same registers, we don't need to adjusts the min/max values. > + */ > + if (false_reg1 == false_reg2) > + return 0; > + > /* fallthrough (FALSE) branch */ > regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32); > reg_bounds_sync(false_reg1); ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH bpf-next v2 1/2] bpf: Skip bounds adjustment for conditional jumps on same register
From: KaFai Wan @ 2025-10-28 14:01 UTC
To: Eduard Zingerman, ast, daniel, john.fastabend, andrii, martin.lau, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, harishankar.vishwanathan, colin.i.king, luis.gerhorst, bpf, linux-kernel, linux-kselftest
Cc: Kaiyan Mei, Yinhao Hu

On Mon, 2025-10-27 at 13:09 -0700, Eduard Zingerman wrote:
> On Sat, 2025-10-25 at 13:30 +0800, KaFai Wan wrote:
> > When conditional jumps are performed on the same register (e.g., r0 <= r0,
> > r0 > r0, r0 < r0) where the register holds a scalar with range, the verifier
> > incorrectly attempts to adjust the register's min/max bounds. This leads to
> > invalid range bounds and triggers a BUG warning:
> >
> > verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0]
> > s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
> > WARNING: CPU: 0 PID: 92 at kernel/bpf/verifier.c:2731 reg_bounds_sanity_check+0x163/0x220
> > Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2
> > 04/01/2014
> > RIP: 0010:reg_bounds_sanity_check+0x163/0x220
> > Call Trace:
> > <TASK>
> > reg_set_min_max+0xf7/0x1d0
> > check_cond_jmp_op+0x57b/0x1730
> > ? print_bpf_insn+0x3d5/0xa50
> > do_check_common+0x33ac/0x33c0
> > ...
> >
> > The root cause is in regs_refine_cond_op() where BPF_JLT/BPF_JSLT operations
> > adjust both min/max bounds on the same register, causing invalid bounds.
> >
> > Since comparing a register with itself should not change its bounds (the
> > comparison result is always known: r0 == r0 is always true, r0 < r0 is
> > always false), the bounds adjustment is unnecessary.
> >
> > Fix this by:
> > 1. Enhance is_branch_taken() and is_scalar_branch_taken() to properly
> > handle branch direction computation for same register comparisons
> > across all BPF jump operations
> > 2.
For unknown branch directions (e.g., BPF_JSET), add early return in > > reg_set_min_max() to avoid bounds adjustment on the same register > > > > The fix ensures that unnecessary bounds adjustments are skipped, preventing > > the verifier bug while maintaining correct branch direction analysis. > > > > Reported-by: Kaiyan Mei <M202472210@hust.edu.cn> > > Reported-by: Yinhao Hu <dddddd@hust.edu.cn> > > Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust.edu.cn/ > > Fixes: 0df1a55afa83 ("bpf: Warn on internal verifier errors") > > Signed-off-by: KaFai Wan <kafai.wan@linux.dev> > > --- > > kernel/bpf/verifier.c | 32 ++++++++++++++++++++++++++++++++ > > 1 file changed, 32 insertions(+) > > > > diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > > index 6d175849e57a..653fa96ed0df 100644 > > --- a/kernel/bpf/verifier.c > > +++ b/kernel/bpf/verifier.c > > @@ -16037,6 +16037,12 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct > > bpf_reg_sta > > } > > break; > > case BPF_JSET: > > + if (reg1 == reg2) { > > + if (tnum_is_const(t1)) > > + return t1.value != 0; > > + else > > + return (smin1 <= 0 && smax1 >= 0) ? -1 : 1; > > + } > > I think this logic is fine, but it needs tests for multiple cases. > ok, I'll add tests for that. > > if (!is_reg_const(reg2, is_jmp32)) { > > swap(reg1, reg2); > > swap(t1, t2); 
> > @@ -16172,6 +16178,25 @@ static int is_pkt_ptr_branch_taken(struct bpf_reg_state *dst_reg, > > static int is_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_state *reg2, > > u8 opcode, bool is_jmp32) > > { > > + if (reg1 == reg2) { > > + switch (opcode) { > > + case BPF_JGE: > > + case BPF_JLE: > > + case BPF_JSGE: > > + case BPF_JSLE: > > + case BPF_JEQ: > > + return 1; > > + case BPF_JGT: > > + case BPF_JLT: > > + case BPF_JSGT: > > + case BPF_JSLT: > > + case BPF_JNE: > > + return 0; > > + default: > > + break; > > + } > > + } > > + > > I think Alexei was against my suggestion to put it in > is_branch_taken() and preferred is_scalar_branch_taken() instead. > Hmm, I misunderstood that. If put in is_scalar_branch_taken() then just for scalar cases, just confirm that. > > if (reg_is_pkt_pointer_any(reg1) && reg_is_pkt_pointer_any(reg2) && !is_jmp32) > > return is_pkt_ptr_branch_taken(reg1, reg2, opcode); > > > > @@ -16429,6 +16454,13 @@ static int reg_set_min_max(struct bpf_verifier_env *env, > > if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE) > > return 0; > > > > + /* We compute branch direction for same registers in is_branch_taken() and > > + * is_scalar_branch_taken(). For unknown branch directions (e.g., BPF_JSET) > > + * on the same registers, we don't need to adjusts the min/max values. > > + */ > > + if (false_reg1 == false_reg2) > > + return 0; > > + > > /* fallthrough (FALSE) branch */ > > regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32); > > reg_bounds_sync(false_reg1); -- Thanks, KaFai ^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH bpf-next v2 2/2] selftests/bpf: Add test for BPF_JGT on same register 2025-10-25 5:30 [PATCH bpf-next v2 0/2] bpf: Skip bounds adjustment for conditional jumps on same register KaFai Wan 2025-10-25 5:30 ` [PATCH bpf-next v2 1/2] " KaFai Wan @ 2025-10-25 5:30 ` KaFai Wan 2025-10-27 19:40 ` Eduard Zingerman 1 sibling, 1 reply; 7+ messages in thread From: KaFai Wan @ 2025-10-25 5:30 UTC (permalink / raw) To: ast, daniel, john.fastabend, andrii, martin.lau, eddyz87, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, harishankar.vishwanathan, colin.i.king, luis.gerhorst, bpf, linux-kernel, linux-kselftest Cc: KaFai Wan Add a test to verify that conditional jumps using the BPF_JGT opcode on the same register (e.g., "if r0 > r0") do not trigger verifier BUG warnings when the register contains a scalar value with range information. Signed-off-by: KaFai Wan <kafai.wan@linux.dev> --- .../selftests/bpf/progs/verifier_bounds.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c index 0a72e0228ea9..1536235c3e87 100644 --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c @@ -1709,4 +1709,22 @@ __naked void jeq_disagreeing_tnums(void *ctx) : __clobber_all); } +SEC("socket") +__description("JGT on same register") +__success __log_level(2) +__retval(0) +__naked void jgt_same_register(void *ctx) +{ + asm volatile(" \ + call %[bpf_get_prandom_u32]; \ + w8 = 0x80000000; \ + r0 &= r8; \ + if r0 > r0 goto +1; \ + r0 = 0; \ + exit; \ +" : + : __imm(bpf_get_prandom_u32) + : __clobber_all); +} + char _license[] SEC("license") = "GPL"; -- 2.43.0 ^ permalink raw reply related [flat|nested] 7+ messages in thread
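Review bot: The jgt_same_register test sets __log_level(2) but checks nothing in the verifier log, so it only proves that the program loads and returns 0. A __msg() expectation on the state of r0 after `if r0 > r0 goto +1` would make the test fail if the bounds are refined again. It also exercises only BPF_JGT, while patch 1/2 adds separate paths for BPF_JSET and for the always-taken opcodes (BPF_JGE, BPF_JLE, BPF_JSGE, BPF_JSLE, BPF_JEQ); each path needs its own case.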
* Re: [PATCH bpf-next v2 2/2] selftests/bpf: Add test for BPF_JGT on same register 2025-10-25 5:30 ` [PATCH bpf-next v2 2/2] selftests/bpf: Add test for BPF_JGT " KaFai Wan @ 2025-10-27 19:40 ` Eduard Zingerman 2025-10-28 14:04 ` KaFai Wan 0 siblings, 1 reply; 7+ messages in thread From: Eduard Zingerman @ 2025-10-27 19:40 UTC (permalink / raw) To: KaFai Wan, ast, daniel, john.fastabend, andrii, martin.lau, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, harishankar.vishwanathan, colin.i.king, luis.gerhorst, bpf, linux-kernel, linux-kselftest On Sat, 2025-10-25 at 13:30 +0800, KaFai Wan wrote: > Add a test to verify that conditional jumps using the BPF_JGT opcode on > the same register (e.g., "if r0 > r0") do not trigger verifier BUG > warnings when the register contains a scalar value with range information. > > Signed-off-by: KaFai Wan <kafai.wan@linux.dev> > --- Could you please add test cases for JSET and for one of the *E variants? > .../selftests/bpf/progs/verifier_bounds.c | 18 ++++++++++++++++++ > 1 file changed, 18 insertions(+) > > diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c b/tools/testing/selftests/bpf/progs/verifier_bounds.c > index 0a72e0228ea9..1536235c3e87 100644 > --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c > +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c > @@ -1709,4 +1709,22 @@ __naked void jeq_disagreeing_tnums(void *ctx) > : __clobber_all); > } > > +SEC("socket") > +__description("JGT on same register") > +__success __log_level(2) > +__retval(0) > +__naked void jgt_same_register(void *ctx) > +{ > + asm volatile(" \ > + call %[bpf_get_prandom_u32]; \ > + w8 = 0x80000000; \ > + r0 &= r8; \ > + if r0 > r0 goto +1; \ > + r0 = 0; \ > + exit; \ > +" : > + : __imm(bpf_get_prandom_u32) > + : __clobber_all); > +} > + > char _license[] SEC("license") = "GPL"; ^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH bpf-next v2 2/2] selftests/bpf: Add test for BPF_JGT on same register 2025-10-27 19:40 ` Eduard Zingerman @ 2025-10-28 14:04 ` KaFai Wan 0 siblings, 0 replies; 7+ messages in thread From: KaFai Wan @ 2025-10-28 14:04 UTC (permalink / raw) To: Eduard Zingerman, ast, daniel, john.fastabend, andrii, martin.lau, song, yonghong.song, kpsingh, sdf, haoluo, jolsa, shuah, paul.chaignon, m.shachnai, harishankar.vishwanathan, colin.i.king, luis.gerhorst, bpf, linux-kernel, linux-kselftest On Mon, 2025-10-27 at 12:40 -0700, Eduard Zingerman wrote: > On Sat, 2025-10-25 at 13:30 +0800, KaFai Wan wrote: > > Add a test to verify that conditional jumps using the BPF_JGT opcode on > > the same register (e.g., "if r0 > r0") do not trigger verifier BUG > > warnings when the register contains a scalar value with range information. > > > > Signed-off-by: KaFai Wan <kafai.wan@linux.dev> > > --- > > Could you please add test cases for JSET and for one of the *E > variants? ok, i will add the tests in v3. > > > .../selftests/bpf/progs/verifier_bounds.c | 18 ++++++++++++++++++ > > 1 file changed, 18 insertions(+) > > > > diff --git a/tools/testing/selftests/bpf/progs/verifier_bounds.c > > b/tools/testing/selftests/bpf/progs/verifier_bounds.c > > index 0a72e0228ea9..1536235c3e87 100644 > > --- a/tools/testing/selftests/bpf/progs/verifier_bounds.c > > +++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c 
> > @@ -1709,4 +1709,22 @@ __naked void jeq_disagreeing_tnums(void *ctx) > > : __clobber_all); > > } > > > > +SEC("socket") > > +__description("JGT on same register") > > +__success __log_level(2) > > +__retval(0) > > +__naked void jgt_same_register(void *ctx) > > +{ > > + asm volatile(" \ > > + call %[bpf_get_prandom_u32]; \ > > + w8 = 0x80000000; \ > > + r0 &= r8; \ > > + if r0 > r0 goto +1; \ > > + r0 = 0; \ > > + exit; \ > > +" : > > + : __imm(bpf_get_prandom_u32) > > + : __clobber_all); > > +} > > + > > char _license[] SEC("license") = "GPL"; -- Thanks, KaFai ^ permalink raw reply [flat|nested] 7+ messages in thread