On Thu, 2025-07-10 at 00:26 +0200, Paul Chaignon wrote:
> Syzbot reported a kernel warning due to a range invariant violation on
> the following BPF program.
>
>   0: call bpf_get_netns_cookie
>   1: if r0 == 0 goto <exit>
>   2: if r0 & 0xffffffff goto <exit>
>
> The issue is on the path where we fall through both jumps.
>
> That path is unreachable at runtime: after insn 1, we know r0 != 0, but
> with the sign extension on the jset, we would only fall through insn 2
> if r0 == 0. Unfortunately, is_branch_taken() isn't currently able to
> figure this out, so the verifier walks all branches. The verifier then
> refines the register bounds using the second condition and we end
> up with inconsistent bounds on this unreachable path:
>
>   1: if r0 == 0 goto <exit>
>     r0: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0xffffffffffffffff)
>   2: if r0 & 0xffffffff goto <exit>
>     r0 before reg_bounds_sync: u64=[0x1, 0xffffffffffffffff] var_off=(0, 0)
>     r0 after reg_bounds_sync:  u64=[0x1, 0] var_off=(0, 0)
>
> Improving the range refinement for JSET to cover all cases is tricky. We
> also don't expect many users to rely on JSET given LLVM doesn't generate
> those instructions. So instead of reducing false positives due to JSETs,
> Eduard suggested we forget the ranges whenever we're narrowing tnums
> after a JSET. This patch implements that approach.
>
> Reported-by: syzbot+c711ce17dd78e5d4fdcf@xxxxxxxxxxxxxxxxxxxxxxxxx
> Suggested-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
> Signed-off-by: Paul Chaignon <paul.chaignon@xxxxxxxxx>
> ---

Acked-by: Eduard Zingerman <eddyz87@xxxxxxxxx>
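The mechanism described in the commit message, reproduced as an added example (not the patch's code and not the kernel's verifier): a deliberately simplified model that tracks only the unsigned 64-bit range and the tnum of one register. The names `tnum_clear_bits`, `bounds_sync`, `refine_jset_not_taken` and `r0_after_insn1` are assumptions of this example; the real `struct bpf_reg_state` and `reg_bounds_sync()` also maintain signed and 32-bit bounds, which are left out here. It shows why the not-taken branch of `if r0 & 0xffffffff` leaves r0 with u64=[0x1, 0] when the existing range is kept (the sign-extended immediate makes every bit known zero, and the range/tnum intersection then raises umax to 0 while umin stays at 1), and that resetting the range before the sync, as the patch proposes, yields the consistent [0, 0] instead.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Simplified model of the verifier state involved in the report (constructed
 * for this example, not kernel code). Only the unsigned 64-bit range and the
 * tnum are kept; signed and 32-bit bounds are omitted.
 */
struct tnum {
	uint64_t value;	/* bits known to be 1 */
	uint64_t mask;	/* bits whose value is unknown */
};

struct reg_state {
	uint64_t umin;
	uint64_t umax;
	struct tnum var_off;
};

static struct tnum tnum_unknown(void)
{
	return (struct tnum){ .value = 0, .mask = ~0ULL };
}

/* Every bit set in @bits becomes known zero. */
static struct tnum tnum_clear_bits(struct tnum t, uint64_t bits)
{
	return (struct tnum){ .value = t.value & ~bits, .mask = t.mask & ~bits };
}

/*
 * Model of the range/tnum intersection done during reg_bounds_sync(): the
 * unsigned range is tightened to [value, value | mask]. Nothing here checks
 * that the result is still a valid range; that is the invariant the verifier
 * later reports as violated.
 */
static void bounds_sync(struct reg_state *r)
{
	uint64_t tmin = r->var_off.value;
	uint64_t tmax = r->var_off.value | r->var_off.mask;

	if (tmin > r->umin)
		r->umin = tmin;
	if (tmax < r->umax)
		r->umax = tmax;
}

static bool bounds_consistent(const struct reg_state *r)
{
	return r->umin <= r->umax;
}

/* The 32-bit immediate of a 64-bit JSET is sign-extended before the AND. */
static uint64_t jset_mask64(int32_t imm)
{
	return (uint64_t)(int64_t)imm;
}

/*
 * Refinement for the not-taken (fall-through) branch of "if rX & imm goto":
 * rX & mask == 0, so every bit of the mask is known zero in the tnum. With
 * @forget_ranges the unsigned range is reset to unbounded before the sync,
 * modelling the approach the commit message describes.
 */
static struct reg_state refine_jset_not_taken(struct reg_state r, int32_t imm,
					      bool forget_ranges)
{
	r.var_off = tnum_clear_bits(r.var_off, jset_mask64(imm));
	if (forget_ranges) {
		r.umin = 0;
		r.umax = ~0ULL;
	}
	bounds_sync(&r);
	return r;
}

/* r0 after "1: if r0 == 0 goto <exit>" falls through: [1, U64_MAX], unknown tnum. */
static struct reg_state r0_after_insn1(void)
{
	return (struct reg_state){ .umin = 1, .umax = ~0ULL, .var_off = tnum_unknown() };
}

/* "if r0 & 0xffffffff goto": the immediate is -1 as a signed 32-bit value. */
#define JSET_IMM_ALL_ONES ((int32_t)-1)

static void dump(const char *tag, const struct reg_state *r)
{
	printf("%s: u64=[%#llx, %#llx] var_off=(%#llx, %#llx) %s\n", tag,
	       (unsigned long long)r->umin, (unsigned long long)r->umax,
	       (unsigned long long)r->var_off.value,
	       (unsigned long long)r->var_off.mask,
	       bounds_consistent(r) ? "ok" : "INVARIANT VIOLATED");
}

int main(void)
{
	struct reg_state kept = refine_jset_not_taken(r0_after_insn1(), JSET_IMM_ALL_ONES, false);
	struct reg_state reset = refine_jset_not_taken(r0_after_insn1(), JSET_IMM_ALL_ONES, true);

	dump("keep ranges  ", &kept);
	dump("forget ranges", &reset);
	return 0;
}
```

With a mask that does not cover every bit (for instance imm 0xff) the kept range stays consistent, which is why the defect only shows on the all-ones immediate after sign extension; the model's `refine_jset_not_taken` can be called with other immediates to see that.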