bpf: verifier: fix WARNING in reg_bounds_sanity_check (2)

KRIISHSHARMA · Kernel Patches Daemon · commit bd210008c676 · 2025-09-15T10:57:29.000-07:00
syzbot reported a "REG INVARIANTS VIOLATION" triggered in reg_bounds_sanity_check() due to inconsistent umin/umax and var_off state after min/max updates. reg_set_min_max() and adjust_reg_min_max_vals() could leave a register state partially updated before syncing the bounds, causing verifier_bug() to fire. This patch ensures reg_bounds_sync() is called after updates, and additionally marks registers unbounded if min/max values are inconsistent, so that umin/umax, smin/smax, and var_off remain consistent. Fixes: d69eb20 ("Merge tag 'net-6.17-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net") Reported-by: syzbot+c950cc277150935cc0b5@syzkaller.appspotmail.com Closes: https://syzkaller.appspot.com/bug?extid=c950cc277150935cc0b5 Signed-off-by: Kriish Sharma <kriish.sharma2006@gmail.com>
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
@@ -16318,6 +16318,19 @@ static void regs_refine_cond_op(struct bpf_reg_state *reg1, struct bpf_reg_state
 	}
 }
 
+/* Ensure that a register's min/max bounds are sane.
+ * If any of the unsigned/signed bounds are inconsistent, mark the
+ * register as unbounded to prevent verifier invariant violations.
+ */
+static void __maybe_normalize_reg(struct bpf_reg_state *reg)
+{
+	if (reg->umin_value > reg->umax_value ||
+		reg->smin_value > reg->smax_value ||
+		reg->u32_min_value > reg->u32_max_value ||
+		reg->s32_min_value > reg->s32_max_value)
+			__mark_reg_unbounded(reg);
+}
+
 /* Adjusts the register min/max values in the case that the dst_reg and
  * src_reg are both SCALAR_VALUE registers (or we are simply doing a BPF_K
  * check, in which case we have a fake SCALAR_VALUE representing insn->imm).
@@ -16344,11 +16357,15 @@ static int reg_set_min_max(struct bpf_verifier_env *env,
 	regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32);
 	reg_bounds_sync(false_reg1);
 	reg_bounds_sync(false_reg2);
+	__maybe_normalize_reg(false_reg1);
+	__maybe_normalize_reg(false_reg2);
 
 	/* jump (TRUE) branch */
 	regs_refine_cond_op(true_reg1, true_reg2, opcode, is_jmp32);
 	reg_bounds_sync(true_reg1);
 	reg_bounds_sync(true_reg2);
+	__maybe_normalize_reg(true_reg1);
+	__maybe_normalize_reg(true_reg2);
 
 	err = reg_bounds_sanity_check(env, true_reg1, "true_reg1");
 	err = err ?: reg_bounds_sanity_check(env, true_reg2, "true_reg2");
