Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

selftests/bpf: Test variable length stack write

Add a test to make sure that variable length stack writes
scrub STACK_SPILL into STACK_MISC.

Tested-by: Eduard Zingerman <eddyz87@gmail.com>
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20260324215938.81733-2-alexei.starovoitov@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

tools/testing/selftests/bpf/progs/verifier_spill_fill.c
··· 1316 1316 : __clobber_all); 1317 1317 } 1318 1318 1319 + SEC("raw_tp") 1320 + __success 1321 + __naked void var_off_write_over_scalar_spill(void) 1322 + { 1323 + asm volatile ( 1324 + /* Get an unknown value bounded to {0, 4} */ 1325 + "call %[bpf_ktime_get_ns];" 1326 + "r6 = r0;" 1327 + "r6 &= 4;" 1328 + 1329 + /* Spill a scalar to fp-16 */ 1330 + "r7 = 0xdeadbeef00000000 ll;" 1331 + "*(u64 *)(r10 - 16) = r7;" 1332 + 1333 + /* 1334 + * Variable-offset 4-byte write covering [fp-12, fp-4). 1335 + * This touches stype[3..0] of the spill slot at fp-16 but 1336 + * leaves stype[7..4] as STACK_SPILL. check_stack_write_var_off() 1337 + * must scrub the entire slot when setting spilled_ptr to NOT_INIT, 1338 + * otherwise a subsequent sub-register fill sees a non-scalar 1339 + * spilled_ptr and is rejected. 1340 + */ 1341 + "r8 = r10;" 1342 + "r8 += r6;" 1343 + "r8 += -12;" 1344 + "r9 = 0;" 1345 + "*(u32 *)(r8 + 0) = r9;" 1346 + 1347 + /* 1348 + * 4-byte read from fp-16. Without the fix this fails with 1349 + * "invalid size of register fill" because is_spilled_reg() 1350 + * sees STACK_SPILL while spilled_ptr.type == NOT_INIT. 1351 + */ 1352 + "r0 = *(u32 *)(r10 - 16);" 1353 + "r0 = 0;" 1354 + "exit;" 1355 + : 1356 + : __imm(bpf_ktime_get_ns) 1357 + : __clobber_all); 1358 + } 1359 + 1319 1360 char _license[] SEC("license") = "GPL";
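Review bot: `__success` on var_off_write_over_scalar_spill() only asserts that the program loads, so the final `"r0 = *(u32 *)(r10 - 16);"` fill distinguishes the fixed verifier from the partially-scrubbed state described in the comment ("invalid size of register fill"), but not from a verifier that left the spill untouched by the variable-offset write: a 4-byte fill of an intact scalar spill would load just as well. Consider pinning the intended outcome, e.g. a `__msg()` annotation matching the verifier log line for that fill showing r0 as an unknown scalar rather than a value derived from the 0xdeadbeef00000000 spill, so a regression where check_stack_write_var_off() stops invalidating the slot is also caught. Minor: the comment "covering [fp-12, fp-4)" describes the union over r6 in {0, 4}; each individual write is 4 bytes, so stating that explicitly would make it clearer why only stype[3..0] of the fp-16 slot can be touched.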