From: Zhenzhong Wu <jt26wzz@gmail.com>
To: bpf@vger.kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
ast@kernel.org, daniel@iogearbox.net, john.fastabend@gmail.com,
andrii@kernel.org, martin.lau@linux.dev, song@kernel.org,
yonghong.song@linux.dev, kpsingh@kernel.org, sdf@google.com,
haoluo@google.com, jolsa@kernel.org, menglong8.dong@gmail.com,
eddyz87@gmail.com, shung-hsi.yu@suse.com, stable@vger.kernel.org,
mykolal@fb.com, tamird@kernel.org
Subject: [PATCH stable 6.6.y v2 2/3] bpf: make the verifier tracks the "not equal" for regs
Date: Mon, 8 Jun 2026 01:09:57 +0800 [thread overview]
Message-ID: <20260607170959.823755-3-jt26wzz@gmail.com> (raw)
In-Reply-To: <20260607170959.823755-1-jt26wzz@gmail.com>
From: Menglong Dong <menglong8.dong@gmail.com>
[ Upstream commit d028f87517d6775dccff4ddbca2740826f9e53f1 ]
We can derive useful information for BPF_JNE when one side is a constant
and the constant is exactly at the edge of the other register range.
For example, a > 0 can be compiled as a jump if a == 0. The equal branch
marks the register as known zero, but the fallthrough branch also needs to
preserve that the register is not zero. Without this, the range can remain
[0, max] and later verifier state pruning can keep an impossible scalar
path.
The upstream fix lives in regs_refine_cond_op(). The 6.6.y verifier still
uses the older reg_set_min_max() layout, so express the same branch-edge
refinement there: for BPF_JEQ, preserve the known-equal true branch and
exclude the constant from false_reg; for BPF_JNE, preserve the known-equal
false branch and exclude the constant from true_reg.
Signed-off-by: Menglong Dong <menglong8.dong@gmail.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Link: https://lore.kernel.org/r/20231219134800.1550388-2-menglong8.dong@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
[ zhenzhong: backport to 6.6.y reg_set_min_max() layout. ]
Signed-off-by: Zhenzhong Wu <jt26wzz@gmail.com>
---
kernel/bpf/verifier.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 5f94bff12..de4f46796 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -14169,18 +14169,50 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg,
if (is_jmp32) {
__mark_reg32_known(true_reg, val32);
true_32off = tnum_subreg(true_reg->var_off);
+ if (false_reg->u32_min_value == val32)
+ false_reg->u32_min_value++;
+ if (false_reg->u32_max_value == val32)
+ false_reg->u32_max_value--;
+ if (false_reg->s32_min_value == sval32)
+ false_reg->s32_min_value++;
+ if (false_reg->s32_max_value == sval32)
+ false_reg->s32_max_value--;
} else {
___mark_reg_known(true_reg, val);
true_64off = true_reg->var_off;
+ if (false_reg->umin_value == val)
+ false_reg->umin_value++;
+ if (false_reg->umax_value == val)
+ false_reg->umax_value--;
+ if (false_reg->smin_value == sval)
+ false_reg->smin_value++;
+ if (false_reg->smax_value == sval)
+ false_reg->smax_value--;
}
break;
case BPF_JNE:
if (is_jmp32) {
__mark_reg32_known(false_reg, val32);
false_32off = tnum_subreg(false_reg->var_off);
+ if (true_reg->u32_min_value == val32)
+ true_reg->u32_min_value++;
+ if (true_reg->u32_max_value == val32)
+ true_reg->u32_max_value--;
+ if (true_reg->s32_min_value == sval32)
+ true_reg->s32_min_value++;
+ if (true_reg->s32_max_value == sval32)
+ true_reg->s32_max_value--;
} else {
___mark_reg_known(false_reg, val);
false_64off = false_reg->var_off;
+ if (true_reg->umin_value == val)
+ true_reg->umin_value++;
+ if (true_reg->umax_value == val)
+ true_reg->umax_value--;
+ if (true_reg->smin_value == sval)
+ true_reg->smin_value++;
+ if (true_reg->smax_value == sval)
+ true_reg->smax_value--;
}
break;
case BPF_JSET:
--
2.43.0
next prev parent reply other threads:[~2026-06-07 17:10 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-07 17:09 [PATCH stable 6.6.y v2 0/3] bpf: backport scalar not-equal tracking fixes Zhenzhong Wu
2026-06-07 17:09 ` [PATCH stable 6.6.y v2 1/3] bpf: drop knowledge-losing __reg_combine_{32,64}_into_{64,32} logic Zhenzhong Wu
2026-06-07 17:09 ` Zhenzhong Wu [this message]
2026-06-07 17:09 ` [PATCH stable 6.6.y v2 3/3] selftests/bpf: add helper retval linked scalar pruning test Zhenzhong Wu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260607170959.823755-3-jt26wzz@gmail.com \
--to=jt26wzz@gmail.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=menglong8.dong@gmail.com \
--cc=mykolal@fb.com \
--cc=netdev@vger.kernel.org \
--cc=sdf@google.com \
--cc=shung-hsi.yu@suse.com \
--cc=song@kernel.org \
--cc=stable@vger.kernel.org \
--cc=tamird@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox