Commit ea198974 authored Mar 04, 2026 by Yazhou Tang Committed by Alexei Starovoitov Mar 10, 2026

selftests/bpf: Add test for BPF_END register ID reset



Add a test case to ensure that BPF_END operations correctly break
register's scalar ID ties.

The test creates a scenario where r1 is a copy of r0, r0 undergoes a
byte swap, and then r0 is checked against a constant.

- Without the fix in the verifier, the bounds learned from r0 are
  incorrectly propagated to r1, making the verifier believe r1 is
  bounded and wrongly allowing subsequent pointer arithmetic.

- With the fix, r1 remains an unbounded scalar, and the verifier
  correctly rejects the arithmetic operation between the frame pointer
  and the unbounded register.

Co-developed-by: Tianci Cao <ziye@zju.edu.cn>
Signed-off-by: Tianci Cao <ziye@zju.edu.cn>
Co-developed-by: Shenghao Yuan <shenghaoyuan0928@163.com>
Signed-off-by: Shenghao Yuan <shenghaoyuan0928@163.com>
Signed-off-by: Yazhou Tang <tangyazhou518@outlook.com>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260304083228.142016-3-tangyazhou@zju.edu.cn


Signed-off-by: Alexei Starovoitov <ast@kernel.org>

parent a3125bc0

tools/testing/selftests/bpf/progs/verifier_bswap.c

+22 −0

Original line number	Diff line number	Diff line
		@@ -91,6 +91,28 @@ BSWAP_RANGE_TEST(le32_range, "le32", 0x3f00, 0x3f0000)
		BSWAP_RANGE_TEST(le64_range, "le64", 0x3f00, 0x3f000000000000)
		#endif

		SEC("socket")
		__description("BSWAP, reset reg id")
		__failure __msg("math between fp pointer and register with unbounded min value is not allowed")
		__naked void bswap_reset_reg_id(void)
		{
		asm volatile (" \
		call %[bpf_ktime_get_ns]; \
		r1 = r0; \
		r0 = be16 r0; \
		if r0 != 1 goto l0_%=; \
		r2 = r10; \
		r2 += -512; \
		r2 += r1; \
		(u8 )(r2 + 0) = 0; \
		l0_%=: \
		r0 = 0; \
		exit; \
		" :
		: __imm(bpf_ktime_get_ns)
		: __clobber_all);
		}

		#else

		SEC("socket")