selftests/bpf: Cover invariant violation case from syzbot

This patch adds a selftest for the change in the previous patch. The selftest is derived from a syzbot reproducer from [1] (among the 22 reproducers on that page, only 4 still reproduced on latest bpf tree, all being small variants of the same invariant violation). The test case failure without the previous patch is shown below. 0: R1=ctx() R10=fp0 0: (85) call bpf_get_prandom_u32#7 ; R0=scalar() 1: (bf) r5 = r0 ; R0=scalar(id=1) R5=scalar(id=1) 2: (57) r5 &= -4 ; R5=scalar(smax=0x7ffffffffffffffc,umax=0xfffffffffffffffc,smax32=0x7ffffffc,umax32=0xfffffffc,var_off=(0x0; 0xfffffffffffffffc)) 3: (bf) r7 = r0 ; R0=scalar(id=1) R7=scalar(id=1) 4: (57) r7 &= 1 ; R7=scalar(smin=smin32=0,smax=umax=smax32=umax32=1,var_off=(0x0; 0x1)) 5: (07) r7 += -43 ; R7=scalar(smin=smin32=-43,smax=smax32=-42,umin=0xffffffffffffffd5,umax=0xffffffffffffffd6,umin32=0xffffffd5,umax32=0xffffffd6,var_off=(0xffffffffffffffd4; 0x3)) 6: (5e) if w5 != w7 goto pc+1 verifier bug: REG INVARIANTS VIOLATION (false_reg1): range bounds violation u64=[0xffffffd5, 0xffffffffffffffd4] s64=[0x80000000ffffffd5, 0x7fffffffffffffd4] u32=[0xffffffd5, 0xffffffd4] s32=[0xffffffd5, 0xffffffd4] var_off=(0xffffffd4, 0xffffffff00000000) R5 and R7 are prepared such that their tnums intersection results in a known constant but that constant isn't within R7's u32 bounds. is_branch_taken isn't able to detect this case today, so the verifier walks the impossible fallthrough branch. After regs_refine_cond_op and reg_bounds_sync refine R5 on the assumption that the branch is taken, the impossibility becomes apparent and results in an invariant violation for R5: umin32 is greater than umax32. The previous patch fixes this by using regs_refine_cond_op and reg_bounds_sync in is_branch_taken to detect the impossible branch. The fallthrough branch is therefore correctly detected as dead code. Link: https://syzkaller.appspot.com/bug?extid=c950cc277150935cc0b5 [1] Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com> Acked-by: Mykyta Yatsenko <yatsenko@meta.com> Link: https://lore.kernel.org/r/b1e22233a3206ead522f02eda27b9c5c991a0de9.1775142354.git.paul.chaignon@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2026-05-16 10:11:38 -04:00 · 2026-04-02 17:11:41 +02:00
parent b254c6d816
commit 2ba199067b
1 changed files with 29 additions and 0 deletions
--- a/tools/testing/selftests/bpf/progs/verifier_bounds.c
+++ b/tools/testing/selftests/bpf/progs/verifier_bounds.c
@@ -2165,4 +2165,33 @@ l0_%=:	r0 = 0;						\
 	: __clobber_all);
 }

+/*
+ * Last jump can be detected as always taken because the intersection of R5 and
+ * R7 32bit tnums produces a constant that isn't within R7's s32 bounds.
+ */
+SEC("socket")
+__description("dead branch: tnums give impossible constant if equal")
+__success
+__flag(BPF_F_TEST_REG_INVARIANTS)
+__naked void tnums_equal_impossible_constant(void *ctx)
+{
+	asm volatile("						\
+	call %[bpf_get_prandom_u32];				\
+	r5 = r0;						\
+	/* Set r5's var_off32 to (0; 0xfffffffc) */		\
+	r5 &= 0xfffffffffffffffc;				\
+	r7 = r0;						\
+	/* Set r7's var_off32 to (0x0; 0x1) */			\
+	r7 &= 0x1;						\
+	/* Now, s32=[-43; -42], var_off32=(0xffffffd4; 0x3) */	\
+	r7 += -43;						\
+	/* On fallthrough, var_off32=-44, not in s32 */		\
+	if w5 != w7 goto +1;					\
+	r10 = 0;						\
+	exit;							\
+"	:
+	: __imm(bpf_get_prandom_u32)
+	: __clobber_all);
+}
+
 char _license[] SEC("license") = "GPL";