Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

selftests/bpf: Test 32-bit scalar spill pruning in stacksafe()

Add a test verifying that stacksafe() correctly handles 32-bit scalar
spills when comparing stack states for equivalence during state pruning.

A 32-bit scalar spill creates slot[0-3] = STACK_INVALID and
slot[4-7] = STACK_SPILL. Without the im=4 check in stacksafe(), the
STACK_SPILL vs STACK_MISC mismatch at byte 4 causes pruning to fail,
forcing the verifier to re-explore a path that is provably safe.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260323022410.75444-2-alexei.starovoitov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

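A small model of the byte-by-byte stack-slot comparison the commit message describes, added here as an illustration; it is not code from the kernel or from this patch series. The enum values, the struct, the spill/write helpers and the slot_safe() rule are this example's own simplification. In particular, accepting a 64-bit imprecise scalar spill against STACK_MISC from byte 0 is an assumption of the model about pre-existing behaviour, not something the page states; only the byte-4 case for a 32-bit spill comes from the message. The model reproduces the layouts the message names (slot[0-3] untouched, slot[4-7] STACK_SPILL for the 32-bit spill; STACK_MISC in the same four bytes after the two u16 stores), shows why a plain slot-type comparison fails at byte 4 while the added rule accepts it, and checks that a precise spill, a pointer spill and a partially written cur slot are still rejected.

```c
/* Model of stacksafe()'s per-byte slot comparison for the 32-bit scalar
 * spill case. Added example, not kernel code: layout helpers and the
 * slot_safe() rule are simplified assumptions of this example. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BPF_REG_SIZE 8

enum slot_type { STACK_INVALID = 0, STACK_SPILL, STACK_MISC };

/* One 8-byte stack slot: per-byte types plus the attributes of the
 * spilled register that this model needs. slot_type[7] is the byte at
 * the slot's lowest address (fp-8), slot_type[0] the highest (fp-1). */
struct stack_slot {
	enum slot_type slot_type[BPF_REG_SIZE];
	bool spilled_scalar;	/* spilled register is a scalar, not a pointer */
	bool precise;		/* spilled value was marked precise */
};

/* Spill of `size` bytes at the slot's low address, e.g.
 * *(u32 *)(r10 - 8) = r0: slot_type[8-size .. 7] = STACK_SPILL,
 * the remaining bytes are left STACK_INVALID. */
static void spill_scalar(struct stack_slot *s, int size, bool scalar,
			 bool precise)
{
	memset(s, 0, sizeof(*s));
	for (int i = BPF_REG_SIZE - size; i < BPF_REG_SIZE; i++)
		s->slot_type[i] = STACK_SPILL;
	s->spilled_scalar = scalar;
	s->precise = precise;
}

/* Non-spill stores of `size` bytes starting at the slot's low address,
 * e.g. two u16 stores at fp-8 and fp-6: those bytes become STACK_MISC. */
static void write_misc(struct stack_slot *s, int size)
{
	memset(s, 0, sizeof(*s));
	for (int i = BPF_REG_SIZE - size; i < BPF_REG_SIZE; i++)
		s->slot_type[i] = STACK_MISC;
}

/* Is the already-verified `old` slot equivalent to `cur` for pruning?
 * scalar32_rule toggles the 32-bit spill handling the commit adds. */
static bool slot_safe(const struct stack_slot *old,
		      const struct stack_slot *cur, bool scalar32_rule)
{
	bool spill_vs_misc_ok = false;

	for (int i = 0; i < BPF_REG_SIZE; i++) {
		enum slot_type o = old->slot_type[i], c = cur->slot_type[i];

		if (o == STACK_INVALID)
			continue;	/* old never depended on this byte */
		if (o == STACK_MISC && c == STACK_MISC)
			continue;
		/* An imprecise scalar spill in old vs misc data in cur: the
		 * verified path never depended on the exact value. Byte 0
		 * starts a 64-bit spill (model assumption), byte 4 a 32-bit
		 * spill (the case this commit's test exercises). */
		if (o == STACK_SPILL && c == STACK_MISC &&
		    old->spilled_scalar && !old->precise) {
			if (i == 0 || (scalar32_rule && i == 4))
				spill_vs_misc_ok = true;
			if (spill_vs_misc_ok)
				continue;
		}
		if (o != c)
			return false;	/* e.g. STACK_SPILL vs STACK_MISC at byte 4 */
	}
	return true;
}

/* Build old (a spill) and cur (misc stores) and compare them. */
static bool check(int spill_size, bool scalar, bool precise, int misc_size,
		  bool scalar32_rule)
{
	struct stack_slot old, cur;

	spill_scalar(&old, spill_size, scalar, precise);
	write_misc(&cur, misc_size);
	return slot_safe(&old, &cur, scalar32_rule);
}

int main(void)
{
	/* The selftest's scenario: imprecise 32-bit spill of r0=42 vs two
	 * u16 stores covering the same four bytes. */
	printf("32-bit spill vs misc, no rule : %s\n",
	       check(4, true, false, 4, false) ? "safe" : "not safe");
	printf("32-bit spill vs misc, rule    : %s\n",
	       check(4, true, false, 4, true) ? "safe" : "not safe");
	printf("precise 32-bit spill vs misc  : %s\n",
	       check(4, true, true, 4, true) ? "safe" : "not safe");
	return 0;
}
```

The two branches of the selftest produce exactly the `old`/`cur` pair that `check(4, true, false, 4, rule)` builds: the verifier explores the fallthrough (spill) path first, so the spill state is the one cached at insn 8 and the STACK_MISC path is the one that must be pruned against it.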
tools/testing/selftests/bpf/progs/verifier_spill_fill.c
··· 1279 1279 : __clobber_all); 1280 1280 } 1281 1281 1282 + /* 1283 + * stacksafe(): check if 32-bit scalar spill in old state is considered 1284 + * equivalent to STACK_MISC in cur state. 1285 + * 32-bit scalar spill creates slot[0-3] = STACK_MISC, slot[4-7] = STACK_SPILL. 1286 + * Without 32-bit spill support in stacksafe(), the STACK_SPILL vs STACK_MISC 1287 + * mismatch at slot[4] causes pruning to fail. 1288 + */ 1289 + SEC("socket") 1290 + __success __log_level(2) 1291 + __msg("8: (79) r1 = *(u64 *)(r10 -8)") 1292 + __msg("8: safe") 1293 + __msg("processed 11 insns") 1294 + __flag(BPF_F_TEST_STATE_FREQ) 1295 + __naked void old_imprecise_scalar32_vs_cur_stack_misc(void) 1296 + { 1297 + asm volatile( 1298 + /* get a random value for branching */ 1299 + "call %[bpf_ktime_get_ns];" 1300 + "if r0 == 0 goto 1f;" 1301 + /* conjure 32-bit scalar spill at fp-8 */ 1302 + "r0 = 42;" 1303 + "*(u32*)(r10 - 8) = r0;" 1304 + "goto 2f;" 1305 + "1:" 1306 + /* conjure STACK_MISC at fp-8 */ 1307 + "call %[bpf_ktime_get_ns];" 1308 + "*(u16*)(r10 - 8) = r0;" 1309 + "*(u16*)(r10 - 6) = r0;" 1310 + "2:" 1311 + /* read fp-8, should be considered safe on second visit */ 1312 + "r1 = *(u64*)(r10 - 8);" 1313 + "exit;" 1314 + : 1315 + : __imm(bpf_ktime_get_ns) 1316 + : __clobber_all); 1317 + } 1318 + 1282 1319 char _license[] SEC("license") = "GPL";
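Review bot: the block comment above old_imprecise_scalar32_vs_cur_stack_misc() says "slot[0-3] = STACK_MISC, slot[4-7] = STACK_SPILL", which contradicts the commit message ("slot[0-3] = STACK_INVALID") and the code itself: the u32 store at r10-8 and the two u16 stores at r10-8 and r10-6 only touch fp-8..fp-5, so bytes 0-3 are never written on either path. Suggest "32-bit scalar spill creates slot[0-3] = STACK_INVALID, slot[4-7] = STACK_SPILL." so the comment matches the layout the test relies on. It would also help to note in the comment that the test depends on the fallthrough branch (the spill) being explored first, so that the spill is the old state and the STACK_MISC path is the one pruned at "8: safe"; that ordering is what makes __msg("8: safe") and "processed 11 insns" (7 insns on the first path, 4 on the second) meaningful.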