33 changes: 33 additions & 0 deletions kernel/bpf/verifier.c
Expand Up @@ -15995,6 +15995,8 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta

switch (opcode) {
case BPF_JEQ:
if (reg1 == reg2)
return 1;
/* constants, umin/umax and smin/smax checks would be
* redundant in this case because they all should match
*/
Expand All @@ -16021,6 +16023,8 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta
}
break;
case BPF_JNE:
if (reg1 == reg2)
return 0;
/* constants, umin/umax and smin/smax checks would be
* redundant in this case because they all should match
*/
Expand All @@ -16047,6 +16051,12 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta
}
break;
case BPF_JSET:
if (reg1 == reg2) {
if (tnum_is_const(t1))
return t1.value != 0;
else
return (smin1 <= 0 && smax1 >= 0) ? -1 : 1;
}
if (!is_reg_const(reg2, is_jmp32)) {
swap(reg1, reg2);
swap(t1, t2);
Expand All @@ -16059,48 +16069,64 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta
return 0;
break;
case BPF_JGT:
if (reg1 == reg2)
return 0;
if (umin1 > umax2)
return 1;
else if (umax1 <= umin2)
return 0;
break;
case BPF_JSGT:
if (reg1 == reg2)
return 0;
if (smin1 > smax2)
return 1;
else if (smax1 <= smin2)
return 0;
break;
case BPF_JLT:
if (reg1 == reg2)
return 0;
if (umax1 < umin2)
return 1;
else if (umin1 >= umax2)
return 0;
break;
case BPF_JSLT:
if (reg1 == reg2)
return 0;
if (smax1 < smin2)
return 1;
else if (smin1 >= smax2)
return 0;
break;
case BPF_JGE:
if (reg1 == reg2)
return 1;
if (umin1 >= umax2)
return 1;
else if (umax1 < umin2)
return 0;
break;
case BPF_JSGE:
if (reg1 == reg2)
return 1;
if (smin1 >= smax2)
return 1;
else if (smax1 < smin2)
return 0;
break;
case BPF_JLE:
if (reg1 == reg2)
return 1;
if (umax1 <= umin2)
return 1;
else if (umin1 > umax2)
return 0;
break;
case BPF_JSLE:
if (reg1 == reg2)
return 1;
if (smax1 <= smin2)
return 1;
else if (smin1 > smax2)
Expand Down Expand Up @@ -16439,6 +16465,13 @@ static int reg_set_min_max(struct bpf_verifier_env *env,
if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE)
return 0;

/* We compute branch direction for same SCALAR_VALUE registers in
* is_scalar_branch_taken(). For unknown branch directions (e.g., BPF_JSET)
* on the same registers, we don't need to adjust the min/max values.
*/
if (false_reg1 == false_reg2)
return 0;

/* fallthrough (FALSE) branch */
regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32);
reg_bounds_sync(false_reg1);
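Review bot: The BPF_JSET same-register arm in the third hunk answers -1 (unknown) whenever the signed range straddles zero, but the function already holds two facts that prove the register non-zero even then: a tnum with any known-set bit (`t1.value != 0`) and a positive unsigned minimum (`umin1 > 0`, which the JGT arm below reads), and unsigned bounds like [1, U64_MAX] do not shrink the signed range away from zero. A tighter check that returns the same result in every case the current one decides is `if (tnum_is_const(t1)) return t1.value != 0;` followed by `return (t1.value != 0 || umin1 > 0 || smin1 > 0 || smax1 < 0) ? 1 : -1;`. This is a precision refinement rather than a soundness issue, since -1 only makes the verifier walk both branches. Whether t1/umin1/smin1 are already the 32-bit subregister views when is_jmp32 is set is decided above the first hunk, outside what is shown, so if that holds the same check covers both widths. A one-line comment on the arm, `/* r & r is non-zero exactly when r is non-zero, so this is a zero test */`, would make the intent obvious without reading the other arms.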
154 changes: 154 additions & 0 deletions tools/testing/selftests/bpf/progs/verifier_bounds.c
Expand Up @@ -1709,4 +1709,158 @@ __naked void jeq_disagreeing_tnums(void *ctx)
: __clobber_all);
}

SEC("socket")
__description("conditional jump on same register, branch taken")
__not_msg("20: (b7) r0 = 1 {{.*}} R0=1")
__success __log_level(2)
__retval(0) __flag(BPF_F_TEST_REG_INVARIANTS)
__naked void condition_jump_on_same_register(void *ctx)
{
asm volatile(" \
call %[bpf_get_prandom_u32]; \
w8 = 0x80000000; \
r0 &= r8; \
if r0 == r0 goto +1; \
goto l1_%=; \
if r0 >= r0 goto +1; \
goto l1_%=; \
if r0 s>= r0 goto +1; \
goto l1_%=; \
if r0 <= r0 goto +1; \
goto l1_%=; \
if r0 s<= r0 goto +1; \
goto l1_%=; \
if r0 != r0 goto l1_%=; \
if r0 > r0 goto l1_%=; \
if r0 s> r0 goto l1_%=; \
if r0 < r0 goto l1_%=; \
if r0 s< r0 goto l1_%=; \
l0_%=: r0 = 0; \
exit; \
l1_%=: r0 = 1; \
exit; \
" :
: __imm(bpf_get_prandom_u32)
: __clobber_all);
}

SEC("socket")
__description("jset on same register, constant value branch taken")
__not_msg("7: (b7) r0 = 1 {{.*}} R0=1")
__success __log_level(2)
__retval(0) __flag(BPF_F_TEST_REG_INVARIANTS)
__naked void jset_on_same_register_1(void *ctx)
{
asm volatile(" \
r0 = 0; \
if r0 & r0 goto l1_%=; \
r0 = 1; \
if r0 & r0 goto +1; \
goto l1_%=; \
l0_%=: r0 = 0; \
exit; \
l1_%=: r0 = 1; \
exit; \
" :
: __imm(bpf_get_prandom_u32)
: __clobber_all);
}

SEC("socket")
__description("jset on same register, scalar value branch taken")
__not_msg("12: (b7) r0 = 1 {{.*}} R0=1")
__success __log_level(2)
__retval(0) __flag(BPF_F_TEST_REG_INVARIANTS)
__naked void jset_on_same_register_2(void *ctx)
{
asm volatile(" \
/* range [1;2] */ \
call %[bpf_get_prandom_u32]; \
r0 &= 0x1; \
r0 += 1; \
if r0 & r0 goto +1; \
goto l1_%=; \
/* range [-2;-1] */ \
call %[bpf_get_prandom_u32]; \
r0 &= 0x1; \
r0 -= 2; \
if r0 & r0 goto +1; \
goto l1_%=; \
l0_%=: r0 = 0; \
exit; \
l1_%=: r0 = 1; \
exit; \
" :
: __imm(bpf_get_prandom_u32)
: __clobber_all);
}

SEC("socket")
__description("jset on same register, scalar value unknown branch 1")
__msg("3: (b7) r0 = 0 {{.*}} R0=0")
__msg("5: (b7) r0 = 1 {{.*}} R0=1")
__success __log_level(2)
__flag(BPF_F_TEST_REG_INVARIANTS)
__naked void jset_on_same_register_3(void *ctx)
{
asm volatile(" \
/* range [0;1] */ \
call %[bpf_get_prandom_u32]; \
r0 &= 0x1; \
if r0 & r0 goto l1_%=; \
l0_%=: r0 = 0; \
exit; \
l1_%=: r0 = 1; \
exit; \
" :
: __imm(bpf_get_prandom_u32)
: __clobber_all);
}

SEC("socket")
__description("jset on same register, scalar value unknown branch 2")
__msg("4: (b7) r0 = 0 {{.*}} R0=0")
__msg("6: (b7) r0 = 1 {{.*}} R0=1")
__success __log_level(2)
__flag(BPF_F_TEST_REG_INVARIANTS)
__naked void jset_on_same_register_4(void *ctx)
{
asm volatile(" \
/* range [-1;0] */ \
call %[bpf_get_prandom_u32]; \
r0 &= 0x1; \
r0 -= 1; \
if r0 & r0 goto l1_%=; \
l0_%=: r0 = 0; \
exit; \
l1_%=: r0 = 1; \
exit; \
" :
: __imm(bpf_get_prandom_u32)
: __clobber_all);
}

SEC("socket")
__description("jset on same register, scalar value unknown branch 3")
__msg("4: (b7) r0 = 0 {{.*}} R0=0")
__msg("6: (b7) r0 = 1 {{.*}} R0=1")
__success __log_level(2)
__flag(BPF_F_TEST_REG_INVARIANTS)
__naked void jset_on_same_register_5(void *ctx)
{
asm volatile(" \
/* range [-1;-1] */ \
call %[bpf_get_prandom_u32]; \
r0 &= 0x2; \
r0 -= 1; \
if r0 & r0 goto l1_%=; \
l0_%=: r0 = 0; \
exit; \
l1_%=: r0 = 1; \
exit; \
" :
: __imm(bpf_get_prandom_u32)
: __clobber_all);
}

char _license[] SEC("license") = "GPL";
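Review bot: None of the six new programs uses the 32-bit forms of the jumps (`if w0 == w0`, `if w0 & w0`, and so on), while the verifier-side change sits in a function that is parameterized on is_jmp32 (visible at the `is_reg_const(reg2, is_jmp32)` call), so the jmp32 path of the same-register logic presumably has no regression test; a w-register variant of condition_jump_on_same_register and of jset_on_same_register_2 would close that gap. Separately, jset_on_same_register_1 declares `: __imm(bpf_get_prandom_u32)` as an input operand although its asm body never calls the helper, so that operand can be dropped (`" ::: __clobber_all);`). The `l0_%=:` labels in all six programs are never targets of a jump and only name the fallthrough instruction; if they are meant purely as documentation, a short comment saying so would save the next reader a search.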