bpf: Skip bounds adjustment for conditional jumps on same register

When conditional jumps are performed on the same register (e.g., r0 <= r0,
r0 > r0, r0 < r0) where the register holds a scalar with range, the verifier
incorrectly attempts to adjust the register's min/max bounds. This leads to
invalid range bounds and triggers a BUG warning:

verifier bug: REG INVARIANTS VIOLATION (true_reg1): range bounds violation u64=[0x1, 0x0] s64=[0x1, 0x0] u32=[0x1, 0x0] s32=[0x1, 0x0] var_off=(0x0, 0x0)
WARNING: CPU: 0 PID: 92 at kernel/bpf/verifier.c:2731 reg_bounds_sanity_check+0x163/0x220
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:reg_bounds_sanity_check+0x163/0x220
Call Trace:
 <TASK>
 reg_set_min_max+0xf7/0x1d0
 check_cond_jmp_op+0x57b/0x1730
 ? print_bpf_insn+0x3d5/0xa50
 do_check_common+0x33ac/0x33c0
 ...

The root cause is in regs_refine_cond_op() where BPF_JLT/BPF_JSLT operations
adjust both min/max bounds on the same register, causing invalid bounds.

Since comparing a register with itself should not change its bounds (the
comparison result is always known: r0 == r0 is always true, r0 < r0 is
always false), the bounds adjustment is unnecessary.

Fix this by:
1. Enhance is_branch_taken() and is_scalar_branch_taken() to properly
   handle branch direction computation for same register comparisons
   across all BPF jump operations
2. For unknown branch directions (e.g., BPF_JSET), add early return in
   reg_set_min_max() to avoid bounds adjustment on the same register

The fix ensures that unnecessary bounds adjustments are skipped, preventing
the verifier bug while maintaining correct branch direction analysis.

Reported-by: Kaiyan Mei <[email protected]>
Reported-by: Yinhao Hu <[email protected]>
Closes: https://lore.kernel.org/all/[email protected]/
Fixes: 0df1a55 ("bpf: Warn on internal verifier errors")
Signed-off-by: KaFai Wan <[email protected]>

Author: mannkafai

kernel/bpf/verifier.c

@@ -16047,6 +16047,12 @@ static int is_scalar_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_sta
 		}
 		break;
 	case BPF_JSET:
+		if (reg1 == reg2) {
+			if (tnum_is_const(t1))
+				return t1.value != 0;
+			else
+				return (smin1 <= 0 && smax1 >= 0) ? -1 : 1;
+		}
 		if (!is_reg_const(reg2, is_jmp32)) {
 			swap(reg1, reg2);
 			swap(t1, t2);
@@ -16182,6 +16188,25 @@ static int is_pkt_ptr_branch_taken(struct bpf_reg_state *dst_reg,
 static int is_branch_taken(struct bpf_reg_state *reg1, struct bpf_reg_state *reg2,
 			   u8 opcode, bool is_jmp32)
 {
+	if (reg1 == reg2) {
+		switch (opcode) {
+		case BPF_JGE:
+		case BPF_JLE:
+		case BPF_JSGE:
+		case BPF_JSLE:
+		case BPF_JEQ:
+			return 1;
+		case BPF_JGT:
+		case BPF_JLT:
+		case BPF_JSGT:
+		case BPF_JSLT:
+		case BPF_JNE:
+			return 0;
+		default:
+			break;
+		}
+	}
+
 	if (reg_is_pkt_pointer_any(reg1) && reg_is_pkt_pointer_any(reg2) && !is_jmp32)
 		return is_pkt_ptr_branch_taken(reg1, reg2, opcode);
 
@@ -16439,6 +16464,13 @@ static int reg_set_min_max(struct bpf_verifier_env *env,
 	if (false_reg1->type != SCALAR_VALUE || false_reg2->type != SCALAR_VALUE)
 		return 0;
 
+	/* We compute branch direction for same registers in is_branch_taken() and
+	 * is_scalar_branch_taken(). For unknown branch directions (e.g., BPF_JSET)
+	 * on the same registers, we don't need to adjusts the min/max values.
+	 */
+	if (false_reg1 == false_reg2)
+		return 0;
+
 	/* fallthrough (FALSE) branch */
 	regs_refine_cond_op(false_reg1, false_reg2, rev_opcode(opcode), is_jmp32);
 	reg_bounds_sync(false_reg1);