When conditional jumps are performed on the same register (e.g., r0 <= r0, r0 > r0, r0 < r0) where the register holds a scalar with range, the verifier incorrectly attempts to adjust the register's min/max bounds. This leads to invalid range bounds and triggers a BUG warning:
verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
WARNING: CPU: 0 PID: 93 at kernel/bpf/verifier.c:2731 reg_bounds_sanity_check+0x163/0x220
Modules linked in:
CPU: 0 UID: 0 PID: 93 Comm: repro-x-3 Tainted: G W 6.18.0-rc1-ge7586577b75f-dirty #218 PREEMPT(full)
Tainted: [W]=WARN
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:reg_bounds_sanity_check+0x163/0x220
Call Trace:
 <TASK>
 reg_set_min_max.part.0+0x1b1/0x360
 check_cond_jmp_op+0x1195/0x1a60
 do_check_common+0x33ac/0x33c0
 ...
The issue occurs in the reg_set_min_max() function, where the bounds adjustment logic is applied even when both registers being compared are the same. Comparing a register with itself should not change its bounds, since the comparison result is always known (e.g., r0 == r0 is always true, r0 < r0 is always false).
Fix this by adding an early return in reg_set_min_max() when false_reg1 and false_reg2 point to the same register, skipping the unnecessary bounds adjustment that leads to the verifier bug.
Reported-by: Kaiyan Mei <M202472210@hust.edu.cn>
Reported-by: Yinhao Hu <dddddd@hust.edu.cn>
Closes: https://lore.kernel.org/all/1881f0f5.300df.199f2576a01.Coremail.kaiyanm@hust...
Fixes: 0df1a55afa83 ("bpf: Warn on internal verifier errors")
Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
---
 kernel/bpf/verifier.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index 6d175849e57a..420ad512d1af 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -16429,6 +16429,10 @@ static int reg_set_min_max(struct bpf_verifier_env *env, if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE) return 0;
+ /* If conditional jumps on the same register, skip the adjustment */ + if (false_reg1 == false_reg2) + return 0; + /* fallthrough (FALSE) branch */ regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32); reg_bounds_sync(false_reg1);
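Review bot: the early return on false_reg1 == false_reg2 only suppresses the refinement, it does not use the knowledge the commit message itself states (the outcome of r0 OP r0 is fixed), so the verifier still explores the impossible branch, now with unrefined bounds. The more precise fix is to resolve the same-register case where the branch decision is made (the check_cond_jmp_op() path shown in the trace), so the dead branch is not walked at all; if the early return is kept, the comment should say what is being skipped and why, e.g. "dst and src are the same register: the outcome is fixed and refining would yield umin > umax", and a selftest exercising a same-register JLT/JGT/JLE on a ranged scalar should accompany the change so the splat is pinned.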
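To make the u64=[0x1, 0x0] in the splat concrete, here is an added, reduced model of the unsigned 64-bit part of the verifier's BPF_JLT refinement; it is not kernel code and not the patch author's code. It assumes only u64 bounds are tracked (no s64/u32/s32, no tnum) and only the non-JMP32 BPF_JLT opcode, with a constructed input of r0 in [0, 1]. Running the same narrowing with dst and src aliasing one register applies both constraints to the same bounds and produces umin > umax; the skip_same_reg flag mirrors the patch's early return.

```c
/*
 * Added example (not kernel code): reduced model of the u64 part of the
 * verifier's BPF_JLT bounds refinement, showing why applying it with dst
 * and src aliasing the same register yields umin > umax, and how an early
 * return for the same-register case avoids that.
 * Assumed simplifications: only u64 bounds, only the non-JMP32 BPF_JLT.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define MAX(a, b) ((a) > (b) ? (a) : (b))

struct reg_bounds {
	uint64_t umin;
	uint64_t umax;
};

/* Branch decision for "reg1 < reg2" on u64 ranges (modelled after the
 * verifier's range-based check): 1 = always taken, 0 = never taken,
 * -1 = cannot be decided from the ranges alone. */
static int jlt_branch_taken(const struct reg_bounds *reg1,
			    const struct reg_bounds *reg2)
{
	if (reg1->umax < reg2->umin)
		return 1;
	if (reg1->umin >= reg2->umax)
		return 0;
	return -1;
}

/* Taken-branch narrowing for "reg1 < reg2". Neither reg2->umax - 1 nor
 * reg1->umin + 1 can wrap here, because the outcome was undecided. */
static void refine_jlt_true(struct reg_bounds *reg1, struct reg_bounds *reg2)
{
	reg1->umax = MIN(reg1->umax, reg2->umax - 1);
	reg2->umin = MAX(reg2->umin, reg1->umin + 1);
}

/* The invariant reg_bounds_sanity_check() warns about. */
static bool bounds_sane(const struct reg_bounds *r)
{
	return r->umin <= r->umax;
}

/*
 * Taken branch of "if dst < src goto ...". When dst and src alias the same
 * struct this is the r0 < r0 case; skip_same_reg models the patch's early
 * return. Returns whether both registers still satisfy umin <= umax.
 */
static bool jlt_true_branch(struct reg_bounds *dst, struct reg_bounds *src,
			    bool skip_same_reg)
{
	if (jlt_branch_taken(dst, src) != -1)
		return true;		/* outcome known, nothing to narrow */
	if (skip_same_reg && dst == src)
		return bounds_sane(dst);	/* leave the bounds alone */
	refine_jlt_true(dst, src);
	return bounds_sane(dst) && bounds_sane(src);
}

/* Constructed input: r0 holds an unknown value in [0, 1] (e.g. after
 * "r0 &= 1"), then "if r0 < r0 goto ...". Returns r0's bounds on the
 * taken branch, with or without the same-register skip. */
static struct reg_bounds same_reg_jlt_after(bool apply_fix)
{
	struct reg_bounds r0 = { .umin = 0, .umax = 1 };

	jlt_true_branch(&r0, &r0, apply_fix);
	return r0;
}

/* Same bounds on two distinct registers: narrowing stays consistent,
 * r1 becomes [0, 0] and r2 becomes [1, 1]. */
static bool distinct_regs_jlt_stay_sane(void)
{
	struct reg_bounds r1 = { .umin = 0, .umax = 1 };
	struct reg_bounds r2 = { .umin = 0, .umax = 1 };

	return jlt_true_branch(&r1, &r2, false) &&
	       r1.umax == 0 && r2.umin == 1;
}

int main(void)
{
	struct reg_bounds before = same_reg_jlt_after(false);
	struct reg_bounds after = same_reg_jlt_after(true);

	printf("r0 < r0 without skip: u64=[0x%llx, 0x%llx] sane=%d\n",
	       (unsigned long long)before.umin, (unsigned long long)before.umax,
	       bounds_sane(&before));
	printf("r0 < r0 with skip:    u64=[0x%llx, 0x%llx] sane=%d\n",
	       (unsigned long long)after.umin, (unsigned long long)after.umax,
	       bounds_sane(&after));
	printf("r1 < r2 distinct:     sane=%d\n", distinct_regs_jlt_stay_sane());
	return 0;
}
```

The aliased case fails because the second assignment in refine_jlt_true() reads the umin of the register whose umax was just lowered to 0 and raises that same register's umin to 1; with two distinct registers the two constraints land on different bounds and both ranges stay consistent.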