git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Daniel Borkmann <daniel@iogearbox.net>
	Tue, 7 Apr 2026 19:24:19 +0000 (21:24 +0200)
committer	Alexei Starovoitov <ast@kernel.org>
	Wed, 8 Apr 2026 01:15:42 +0000 (18:15 -0700)
commit	1b327732c84640c1e3da487eefe9d00cc9f2dd34
tree	e0751559ee6248f6357376c7cd6b7c927eabb57c	tree \| snapshot
parent	d7f14173c0d5866c3cae759dee560ad1bed10d2e	commit \| diff

bpf: Clear delta when clearing reg id for non-{add,sub} ops

When a non-{add,sub} alu op such as xor is performed on a scalar
register that previously had a BPF_ADD_CONST delta, the else path
in adjust_reg_min_max_vals() only clears dst_reg->id but leaves
dst_reg->delta unchanged.

This stale delta can propagate via assign_scalar_id_before_mov()
when the register is later used in a mov. It gets a fresh id but
keeps the stale delta from the old (now-cleared) BPF_ADD_CONST.
This stale delta can later propagate leading to a verifier-vs-
runtime value mismatch.

The clear_id label already correctly clears both delta and id.
Make the else path consistent by also zeroing the delta when id
is cleared. More generally, this introduces a helper clear_scalar_id()
which internally takes care of zeroing. There are various other
locations in the verifier where only the id is cleared. By using
the helper we catch all current and future locations.

Fixes: 98d7ca374ba4 ("bpf: Track delta between "linked" registers.")
Reported-by: STAR Labs SG <info@starlabs.sg>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20260407192421.508817-2-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>