bpf: Fix tnum_overlap to check for zero mask first

mannkafai · Kernel Patches Daemon · commit 9d35d6d3b485 · 2025-10-27T19:52:41.000-07:00
Syzbot reported a kernel warning due to a range invariant violation in the BPF verifier. The issue occurs when tnum_overlap() fails to detect that two tnums don't have any overlapping bits. The problematic BPF program: 0: call bpf_get_prandom_u32 1: r6 = r0 2: r6 &= 0xFFFFFFFFFFFFFFF0 3: r7 = r0 4: r7 &= 0x07 5: r7 -= 0xFF 6: if r6 == r7 goto <exit> After instruction 5, R7 has the range: R7: u64=[0xffffffffffffff01, 0xffffffffffffff08] var_off=(0xffffffffffffff00; 0xf) R6 and R7 don't overlap since they have no agreeing bits. However, is_branch_taken() fails to recognize this, causing the verifier to refine register bounds and end up with inconsistent bounds: 6: if r6 == r7 goto <exit> R6: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) R7: u64=[0xffffffffffffff01, 0xffffffffffffff00] var_off=(0xffffffffffffff00, 0x0) The root cause is that tnum_overlap() doesn't properly handle the case where the masks have no overlapping bits. Fix this by adding an early check for zero mask intersection in tnum_overlap(). Reported-by: syzbot+c950cc277150935cc0b5@syzkaller.appspotmail.com Fixes: f41345f ("bpf: Use tnums for JEQ/JNE is_branch_taken logic") Signed-off-by: KaFai Wan <kafai.wan@linux.dev>
diff --git a/kernel/bpf/tnum.c b/kernel/bpf/tnum.c
@@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b)
 {
 	u64 mu;
 
+	if ((a.mask & b.mask) == 0)
+		return false;
 	mu = ~a.mask & ~b.mask;
 	return (a.value & mu) == (b.value & mu);
 }

Original file line number	Diff line number	Diff line change
`@@ -163,6 +163,8 @@ bool tnum_overlap(struct tnum a, struct tnum b)`
`163`	`163`	`{`
`164`	`164`	`u64 mu;`
`165`	`165`
	`166`	`+ if ((a.mask & b.mask) == 0)`
	`167`	`+ return false;`
`166`	`168`	`mu = ~a.mask & ~b.mask;`
`167`	`169`	`return (a.value & mu) == (b.value & mu);`
`168`	`170`	`}`