* [PATCH bpf 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks
@ 2026-06-16 16:57 Nuoqi Gui
2026-06-16 16:57 ` [PATCH bpf 1/2] bpf: Fix stack slot index in " Nuoqi Gui
2026-06-16 16:57 ` [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing Nuoqi Gui
0 siblings, 2 replies; 11+ messages in thread
From: Nuoqi Gui @ 2026-06-16 16:57 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel, Nuoqi Gui
check_stack_write_fixed_off() uses one byte-indexing scheme when checking
whether a fixed-offset stack write needs Spectre v4 sanitization, and another
scheme when recording the write into slot_type[].
For sub-8-byte writes this can make the sanitization check look at bytes that
are not overwritten by the write. A zeroed lower half-slot followed by a write
to the upper half-slot can therefore miss the nospec barrier for the second
write.
Use the same stack-byte index for the sanitization check and the slot update,
and add a focused verifier selftest that expects both half-slot writes to emit
nospec when the loader has CAP_BPF but not CAP_PERFMON.
Bounded impact: this fixes verifier/JIT Spectre v4 mitigation emission for a
fixed-offset stack-write corner case. No architectural verifier memory-safety
bypass, exploit chain, CVE, embargo, or security escalation is claimed.
Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
Nuoqi Gui (2):
bpf: Fix stack slot index in nospec checks
selftests/bpf: Cover stack nospec slot indexing
kernel/bpf/verifier.c | 3 ++-
.../testing/selftests/bpf/progs/verifier_unpriv.c | 23 ++++++++++++++++++++++
2 files changed, 25 insertions(+), 1 deletion(-)
---
base-commit: e4287bf34f97a88c7d9322f5bde828724c073a6b
change-id: 20260615-f01-11-stack-nospec-slot-index-e155b2acd587
Best regards,
--
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
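The two indexing schemes the cover letter describes are easy to confuse without seeing the arithmetic, so here is an added worked example that is not part of the patch set or of the kernel: a small C model of how a fixed-offset stack write maps onto the per-slot slot_type[] byte array, with the old pre-check index (slot_type[i]) and the write-path index ((slot - i) % BPF_REG_SIZE) side by side, replayed over the selftest's store sequence. Everything here (model_stack, write_zero, needs_sanitize, the STACK_* values, the 32-byte stack size) is a simplified stand-in for the verifier's real bpf_stack_state bookkeeping and is an assumption of this example; only the index arithmetic is taken from the patch.

```c
/*
 * Added example, not kernel code: a minimal model of the slot_type[]
 * indexing that check_stack_write_fixed_off() uses, so the mismatch the
 * patch fixes can be reproduced outside the verifier.
 *
 * Assumptions (not from the patch): the STACK_* values, the model_stack
 * layout and the 32-byte stack are simplified stand-ins for the kernel's
 * struct bpf_stack_state; only the index arithmetic is modelled.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BPF_REG_SIZE 8
#define MODEL_SLOTS 4 /* 32-byte model stack; the kernel tracks up to 512 bytes */

enum { STACK_INVALID = 0, STACK_SPILL, STACK_MISC, STACK_ZERO };

struct model_slot { unsigned char slot_type[BPF_REG_SIZE]; };
struct model_stack { struct model_slot stack[MODEL_SLOTS]; };

/* Kernel-side arithmetic: off is the negative fp-relative write offset. */
static int byte_slot(int off) { return -off - 1; }
static int spi_of(int slot) { return slot / BPF_REG_SIZE; }

/* Index of the i-th written byte inside slot_type[], as the write path uses it. */
static int write_idx(int slot, int i) { return (slot - i) % BPF_REG_SIZE; }

/* The pre-fix sanitization pre-check simply looked at slot_type[i]. */
static int old_check_idx(int slot, int i) { (void)slot; return i; }

/*
 * Would a scalar write of 'size' bytes at fp+off be flagged for Spectre v4
 * sanitization? True if any byte it overwrites is neither STACK_MISC nor
 * STACK_ZERO (e.g. STACK_INVALID or a spilled pointer). 'idx' selects the
 * indexing scheme so the old and the fixed pre-check can be compared.
 */
static bool needs_sanitize(const struct model_stack *st, int off, int size,
			   int (*idx)(int, int))
{
	int slot = byte_slot(off), spi = spi_of(slot);

	for (int i = 0; i < size; i++) {
		unsigned char type = st->stack[spi].slot_type[idx(slot, i)];

		if (type != STACK_MISC && type != STACK_ZERO)
			return true;
	}
	return false;
}

/* Record a zero-valued scalar store the way the kernel's write path indexes it. */
static void write_zero(struct model_stack *st, int off, int size)
{
	int slot = byte_slot(off), spi = spi_of(slot);

	for (int i = 0; i < size; i++)
		st->stack[spi].slot_type[write_idx(slot, i)] = STACK_ZERO;
}

/*
 * Replay the selftest: *(u32 *)(r10 - 4) = 0, then *(u32 *)(r10 - 8) = 0.
 * Returns whether the second store is flagged under the given pre-check index.
 */
static bool second_store_flagged(int (*idx)(int, int))
{
	struct model_stack st;

	memset(&st, STACK_INVALID, sizeof(st));
	/* first store: fp-4..fp-1 is slot 3, so bytes 3..0 become STACK_ZERO */
	write_zero(&st, -4, 4);
	/* second store: fp-8..fp-5 is slot 7, overwriting bytes 7..4 (still INVALID) */
	return needs_sanitize(&st, -8, 4, idx);
}

int main(void)
{
	printf("old pre-check flags second store:   %s\n",
	       second_store_flagged(old_check_idx) ? "yes" : "no");
	printf("fixed pre-check flags second store: %s\n",
	       second_store_flagged(write_idx) ? "yes" : "no");
	return 0;
}
```

With the old index the pre-check reads bytes 0..3, which the first store already zeroed, and reports that no barrier is needed; with the write-path index it reads bytes 7..4, finds them uninitialised, and flags the store, which is the second nospec the selftest expects.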

* [PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks
2026-06-16 16:57 [PATCH bpf 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks Nuoqi Gui
@ 2026-06-16 16:57 ` Nuoqi Gui
2026-06-16 21:11 ` Emil Tsalapatis
` (2 more replies)
2026-06-16 16:57 ` [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing Nuoqi Gui
1 sibling, 3 replies; 11+ messages in thread
From: Nuoqi Gui @ 2026-06-16 16:57 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel, Nuoqi Gui
check_stack_write_fixed_off() computes the byte slot for a fixed-offset
stack write as -off - 1, and records each written byte in slot_type[] with
(slot - i) % BPF_REG_SIZE.
The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
bytes 7..4. That can leave the second half-slot write without nospec_result
even though the bytes being overwritten still require sanitization.
Use the same slot index in the sanitization pre-check that the write path uses
when updating slot_type[].
Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation")
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
kernel/bpf/verifier.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 2abc79dbf281c..50e80dbbc1784 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3479,7 +3479,8 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
bool sanitize = reg && is_spillable_regtype(reg->type);
for (i = 0; i < size; i++) {
- u8 type = state->stack[spi].slot_type[i];
+ u8 type = state->stack[spi].slot_type[(slot - i) %
+ BPF_REG_SIZE];
if (type != STACK_MISC && type != STACK_ZERO) {
sanitize = true;
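Review bot: the `(slot - i) %` / `BPF_REG_SIZE` expression wrapped across two lines in this hunk is the same index the commit message says the write path uses to update slot_type[], so consider hoisting it into one local, e.g. `int idx = (slot - i) % BPF_REG_SIZE;`, and using that in both loops so the two indexing schemes cannot drift apart again. A one-line comment stating why `slot - i` cannot go negative here (the loop indexes a single `state->stack[spi]`, so all written bytes sit in one slot) would also spare the next reader from worrying about a negative operand to `%`.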
--
2.34.1

* Re: [PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks
2026-06-16 16:57 ` [PATCH bpf 1/2] bpf: Fix stack slot index in " Nuoqi Gui
@ 2026-06-16 21:11 ` Emil Tsalapatis
2026-06-17 7:41 ` Luis Gerhorst
2026-06-17 11:08 ` Jiayuan Chen
2 siblings, 0 replies; 11+ messages in thread
From: Emil Tsalapatis @ 2026-06-16 21:11 UTC (permalink / raw)
To: Nuoqi Gui, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel
On Tue Jun 16, 2026 at 12:57 PM EDT, Nuoqi Gui wrote:
> check_stack_write_fixed_off() computes the byte slot for a fixed-offset
> stack write as -off - 1, and records each written byte in slot_type[] with
> (slot - i) % BPF_REG_SIZE.
>
> The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
> 4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
> pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
> bytes 7..4. That can leave the second half-slot write without nospec_result
> even though the bytes being overwritten still require sanitization.
>
> Use the same slot index in the sanitization pre-check that the write path uses
> when updating slot_type[].
>
> Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation")
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
> ---
> kernel/bpf/verifier.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 2abc79dbf281c..50e80dbbc1784 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3479,7 +3479,8 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
> bool sanitize = reg && is_spillable_regtype(reg->type);
>
> for (i = 0; i < size; i++) {
> - u8 type = state->stack[spi].slot_type[i];
> + u8 type = state->stack[spi].slot_type[(slot - i) %
> + BPF_REG_SIZE];
>
> if (type != STACK_MISC && type != STACK_ZERO) {
> sanitize = true;
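Review bot: double-check the Fixes: tag against the commit that introduced the `slot_type[i]` pre-check this hunk corrects; the commit message describes that pre-check as pre-existing, and if it predates e4f4db47794c the tag should name the earlier commit so the fix reaches every stable series that carries the bug rather than only the ones that carry e4f4db47794c.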

* Re: [PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks
2026-06-16 16:57 ` [PATCH bpf 1/2] bpf: Fix stack slot index in " Nuoqi Gui
2026-06-16 21:11 ` Emil Tsalapatis
@ 2026-06-17 7:41 ` Luis Gerhorst
2026-06-17 11:08 ` Jiayuan Chen
2 siblings, 0 replies; 11+ messages in thread
From: Luis Gerhorst @ 2026-06-17 7:41 UTC (permalink / raw)
To: Nuoqi Gui
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi, John Fastabend,
Martin KaFai Lau, Shuah Khan, bpf, linux-kselftest, linux-kernel
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> writes:
> check_stack_write_fixed_off() computes the byte slot for a fixed-offset
> stack write as -off - 1, and records each written byte in slot_type[] with
> (slot - i) % BPF_REG_SIZE.
>
> The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
> 4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
> pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
> bytes 7..4. That can leave the second half-slot write without nospec_result
> even though the bytes being overwritten still require sanitization.
>
> Use the same slot index in the sanitization pre-check that the write path uses
> when updating slot_type[].
>
> Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation")
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
> kernel/bpf/verifier.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index 2abc79dbf281c..50e80dbbc1784 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -3479,7 +3479,8 @@ static int check_stack_write_fixed_off(struct bpf_verifier_env *env,
> bool sanitize = reg && is_spillable_regtype(reg->type);
>
> for (i = 0; i < size; i++) {
> - u8 type = state->stack[spi].slot_type[i];
> + u8 type = state->stack[spi].slot_type[(slot - i) %
> + BPF_REG_SIZE];
>
> if (type != STACK_MISC && type != STACK_ZERO) {
> sanitize = true;
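Review bot: with `slot = -off - 1`, the byte at address `off + i` maps to `slot_type[slot - i]`, so indices run downward as the address goes up; a short comment above this loop spelling that out would make the pre-check self-explanatory and give a concrete rule for auditing the remaining `slot_type[i]` uses in the file, since any loop that walks written bytes by address must use the decreasing index while loops over a whole slot may use `i` directly.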
Acked-by: Luis Gerhorst <luis.gerhorst@fau.de>
I have briefly checked the other uses of slot_type[i] and they look
fine.

* Re: [PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks
2026-06-16 16:57 ` [PATCH bpf 1/2] bpf: Fix stack slot index in " Nuoqi Gui
2026-06-16 21:11 ` Emil Tsalapatis
2026-06-17 7:41 ` Luis Gerhorst
@ 2026-06-17 11:08 ` Jiayuan Chen
2026-06-17 14:25 ` Nuoqi Gui
2 siblings, 1 reply; 11+ messages in thread
From: Jiayuan Chen @ 2026-06-17 11:08 UTC (permalink / raw)
To: Nuoqi Gui, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi, Emil Tsalapatis
Cc: John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel
On 6/17/26 12:57 AM, Nuoqi Gui wrote:
> check_stack_write_fixed_off() computes the byte slot for a fixed-offset
> stack write as -off - 1, and records each written byte in slot_type[] with
> (slot - i) % BPF_REG_SIZE.
>
> The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
> 4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
> pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
> bytes 7..4. That can leave the second half-slot write without nospec_result
> even though the bytes being overwritten still require sanitization.
>
> Use the same slot index in the sanitization pre-check that the write path uses
> when updating slot_type[].
>
> Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation")
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
I think the Fixes tag should be 2039f26f3aca ("bpf: Fix leakage due to
insufficient speculative store bypass mitigation") ?
Otherwise, looks good to me.
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>

* Re: Re: [PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks
2026-06-17 11:08 ` Jiayuan Chen
@ 2026-06-17 14:25 ` Nuoqi Gui
0 siblings, 0 replies; 11+ messages in thread
From: Nuoqi Gui @ 2026-06-17 14:25 UTC (permalink / raw)
To: Jiayuan Chen
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi, Emil Tsalapatis,
John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel
> -----Original Messages-----
> From: "Jiayuan Chen" <jiayuan.chen@linux.dev>
> Send time: Wednesday, 17/06/2026 19:08:40
> To: "Nuoqi Gui" <gnq25@mails.tsinghua.edu.cn>, "Alexei Starovoitov" <ast@kernel.org>, "Daniel Borkmann" <daniel@iogearbox.net>, "Andrii Nakryiko" <andrii@kernel.org>, "Eduard Zingerman" <eddyz87@gmail.com>, "Kumar Kartikeya Dwivedi" <memxor@gmail.com>, "Emil Tsalapatis" <emil@etsalapatis.com>
> Cc: "John Fastabend" <john.fastabend@gmail.com>, "Martin KaFai Lau" <martin.lau@linux.dev>, "Luis Gerhorst" <luis.gerhorst@fau.de>, "Shuah Khan" <shuah@kernel.org>, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
> Subject: Re: [PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks
>
>
> On 6/17/26 12:57 AM, Nuoqi Gui wrote:
> > check_stack_write_fixed_off() computes the byte slot for a fixed-offset
> > stack write as -off - 1, and records each written byte in slot_type[] with
> > (slot - i) % BPF_REG_SIZE.
> >
> > The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
> > 4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
> > pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
> > bytes 7..4. That can leave the second half-slot write without nospec_result
> > even though the bytes being overwritten still require sanitization.
> >
> > Use the same slot index in the sanitization pre-check that the write path uses
> > when updating slot_type[].
> >
> > Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation")
> > Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
>
>
> I think the Fixes tag should be 2039f26f3aca ("bpf: Fix leakage due to
> insufficient speculative store bypass mitigation") ?
>
> Otherwise, looks good to me.
>
> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
Thanks.
I'll change the Fixes tag in v2 to:
Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient
speculative store bypass mitigation")
* [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing
2026-06-16 16:57 [PATCH bpf 0/2] bpf: Fix stack slot index for Spectre v4 nospec checks Nuoqi Gui
2026-06-16 16:57 ` [PATCH bpf 1/2] bpf: Fix stack slot index in " Nuoqi Gui
@ 2026-06-16 16:57 ` Nuoqi Gui
2026-06-16 21:14 ` Emil Tsalapatis
2026-06-17 8:45 ` Luis Gerhorst
1 sibling, 2 replies; 11+ messages in thread
From: Nuoqi Gui @ 2026-06-16 16:57 UTC (permalink / raw)
To: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel, Nuoqi Gui
Add a verifier test for the fixed-offset stack write case where two 4-byte
stores initialize opposite halves of the same stack slot.
The test uses the CAP_BPF-without-CAP_PERFMON loader lane so Spectre v4
mitigation remains active. It expects both half-slot writes to emit nospec
in the translated program.
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
---
.../testing/selftests/bpf/progs/verifier_unpriv.c | 23 ++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
index c16f8382cf17d..9ebbd4b531df1 100644
--- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
+++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
@@ -976,4 +976,27 @@ l0_%=: exit; \
: __clobber_all);
}
+SEC("socket")
+__description("noperfmon: Spectre v4 stack write slot index")
+__success __success_unpriv
+__caps_unpriv(CAP_BPF)
+__retval(0)
+#ifdef SPEC_V4
+__xlated_unpriv("r0 = 0")
+__xlated_unpriv("*(u32 *)(r10 -4) = r0")
+__xlated_unpriv("nospec")
+__xlated_unpriv("*(u32 *)(r10 -8) = r0")
+__xlated_unpriv("nospec")
+__xlated_unpriv("exit")
+#endif
+__naked void stack_write_nospec_slot_index(void)
+{
+ asm volatile (" \
+ r0 = 0; \
+ *(u32 *)(r10 - 4) = r0; \
+ *(u32 *)(r10 - 8) = r0; \
+ exit; \
+" ::: __clobber_all);
+}
+
char _license[] SEC("license") = "GPL";
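Review bot: the test in this hunk exercises only the fp-4-then-fp-8 order, which is the one the old `slot_type[i]` index got wrong; a second variant with the stores reversed (fp-8 first, then fp-4), ideally alongside 2-byte and 1-byte stores, would pin the behaviour for both halves and cover every value of `i` the `(slot - i) % BPF_REG_SIZE` index can take. A one-line comment in the test body saying that the second store previously lost its nospec would also make the `__xlated_unpriv` sequence read as a regression check rather than a restatement of the program.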
--
2.34.1

* Re: [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing
2026-06-16 16:57 ` [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing Nuoqi Gui
@ 2026-06-16 21:14 ` Emil Tsalapatis
2026-06-17 14:01 ` Nuoqi Gui
2026-06-17 8:45 ` Luis Gerhorst
1 sibling, 1 reply; 11+ messages in thread
From: Emil Tsalapatis @ 2026-06-16 21:14 UTC (permalink / raw)
To: Nuoqi Gui, Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: John Fastabend, Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf,
linux-kselftest, linux-kernel
On Tue Jun 16, 2026 at 12:57 PM EDT, Nuoqi Gui wrote:
> Add a verifier test for the fixed-offset stack write case where two 4-byte
> stores initialize opposite halves of the same stack slot.
>
> The test uses the CAP_BPF-without-CAP_PERFMON loader lane so Spectre v4
> mitigation remains active. It expects both half-slot writes to emit nospec
> in the translated program.
>
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
Trivial style nits.
> ---
> .../testing/selftests/bpf/progs/verifier_unpriv.c | 23 ++++++++++++++++++++++
> 1 file changed, 23 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> index c16f8382cf17d..9ebbd4b531df1 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> @@ -976,4 +976,27 @@ l0_%=: exit; \
> : __clobber_all);
> }
>
> +SEC("socket")
> +__description("noperfmon: Spectre v4 stack write slot index")
> +__success __success_unpriv
> +__caps_unpriv(CAP_BPF)
> +__retval(0)
> +#ifdef SPEC_V4
> +__xlated_unpriv("r0 = 0")
> +__xlated_unpriv("*(u32 *)(r10 -4) = r0")
> +__xlated_unpriv("nospec")
> +__xlated_unpriv("*(u32 *)(r10 -8) = r0")
No whitespace to the right of -
> +__xlated_unpriv("nospec")
> +__xlated_unpriv("exit")
> +#endif
> +__naked void stack_write_nospec_slot_index(void)
> +{
> + asm volatile (" \
> + r0 = 0; \
> + *(u32 *)(r10 - 4) = r0; \
> + *(u32 *)(r10 - 8) = r0; \
Unaligned \
> + exit; \
> +" ::: __clobber_all);
> +}
> +
> char _license[] SEC("license") = "GPL";
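Review bot: the `__xlated_unpriv` strings must match the verifier's instruction disassembly byte for byte, and the whitespace nit raised inline shows how easy that is to get wrong; before sending v2, compare the expected lines against the translated program dumped from a kernel with patch 1 applied (e.g. via `bpftool prog dump xlated`), and align the inline asm `\` continuations with the surrounding tests in verifier_unpriv.c so the new block matches the file's style.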

* Re: Re: [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing
2026-06-16 21:14 ` Emil Tsalapatis
@ 2026-06-17 14:01 ` Nuoqi Gui
0 siblings, 0 replies; 11+ messages in thread
From: Nuoqi Gui @ 2026-06-17 14:01 UTC (permalink / raw)
To: Emil Tsalapatis
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
Eduard Zingerman, Kumar Kartikeya Dwivedi, John Fastabend,
Martin KaFai Lau, Luis Gerhorst, Shuah Khan, bpf, linux-kselftest,
linux-kernel
> -----Original Messages-----
> From: "Emil Tsalapatis" <emil@etsalapatis.com>
> Send time: Wednesday, 17/06/2026 05:14:12
> To: "Nuoqi Gui" <gnq25@mails.tsinghua.edu.cn>, "Alexei Starovoitov" <ast@kernel.org>, "Daniel Borkmann" <daniel@iogearbox.net>, "Andrii
> Nakryiko" <andrii@kernel.org>, "Eduard Zingerman" <eddyz87@gmail.com>, "Kumar Kartikeya Dwivedi" <memxor@gmail.com>
> Cc: "John Fastabend" <john.fastabend@gmail.com>, "Martin KaFai Lau" <martin.lau@linux.dev>, "Luis Gerhorst" <luis.gerhorst@fau.de>, "Shuah
> Khan" <shuah@kernel.org>, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
> Subject: Re: [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing
>
> On Tue Jun 16, 2026 at 12:57 PM EDT, Nuoqi Gui wrote:
> > Add a verifier test for the fixed-offset stack write case where two 4-byte
> > stores initialize opposite halves of the same stack slot.
> >
> > The test uses the CAP_BPF-without-CAP_PERFMON loader lane so Spectre v4
> > mitigation remains active. It expects both half-slot writes to emit nospec
> > in the translated program.
> >
> > Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
>
> Reviewed-by: Emil Tsalapatis <emil@etsalapatis.com>
>
> Trivial style nits.
>
> > ---
> > .../testing/selftests/bpf/progs/verifier_unpriv.c | 23 ++++++++++++++++++++++
> > 1 file changed, 23 insertions(+)
> >
> > diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> > index c16f8382cf17d..9ebbd4b531df1 100644
> > --- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> > +++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> > @@ -976,4 +976,27 @@ l0_%=: exit; \
> > : __clobber_all);
> > }
> >
> > +SEC("socket")
> > +__description("noperfmon: Spectre v4 stack write slot index")
> > +__success __success_unpriv
> > +__caps_unpriv(CAP_BPF)
> > +__retval(0)
> > +#ifdef SPEC_V4
> > +__xlated_unpriv("r0 = 0")
> > +__xlated_unpriv("*(u32 *)(r10 -4) = r0")
> > +__xlated_unpriv("nospec")
> > +__xlated_unpriv("*(u32 *)(r10 -8) = r0")
>
> No whitespace to the right of -
>
> > +__xlated_unpriv("nospec")
> > +__xlated_unpriv("exit")
> > +#endif
> > +__naked void stack_write_nospec_slot_index(void)
> > +{
> > + asm volatile (" \
> > + r0 = 0; \
> > + *(u32 *)(r10 - 4) = r0; \
> > + *(u32 *)(r10 - 8) = r0; \
>
> Unaligned \
>
> > + exit; \
> > +" ::: __clobber_all);
> > +}
> > +
> > char _license[] SEC("license") = "GPL";
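Review bot: the `#ifdef SPEC_V4` guard around the `__xlated_unpriv` lines means that on a build without SPEC_V4 this test degrades to a plain load-and-run check with no nospec expectation at all; that is fine, but it is worth one sentence in the commit message so that a pass on such a build is not mistaken for coverage of the index fix.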
Thanks.
I'll fix the selftest formatting by adding the missing whitespace in the
__xlated_unpriv() strings and aligning the inline asm '\' markers.
* Re: [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing
2026-06-16 16:57 ` [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing Nuoqi Gui
2026-06-16 21:14 ` Emil Tsalapatis
@ 2026-06-17 8:45 ` Luis Gerhorst
2026-06-17 14:06 ` Nuoqi Gui
1 sibling, 1 reply; 11+ messages in thread
From: Luis Gerhorst @ 2026-06-17 8:45 UTC (permalink / raw)
To: Nuoqi Gui, Eduard Zingerman, Kumar Kartikeya Dwivedi
Cc: Alexei Starovoitov, Daniel Borkmann, Andrii Nakryiko,
John Fastabend, Martin KaFai Lau, Shuah Khan, bpf,
linux-kselftest, linux-kernel
Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> writes:
> Add a verifier test for the fixed-offset stack write case where two 4-byte
> stores initialize opposite halves of the same stack slot.
>
> The test uses the CAP_BPF-without-CAP_PERFMON loader lane so Spectre v4
> mitigation remains active. It expects both half-slot writes to emit nospec
> in the translated program.
>
> Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> ---
> .../testing/selftests/bpf/progs/verifier_unpriv.c | 23 ++++++++++++++++++++++
> 1 file changed, 23 insertions(+)
>
> diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> index c16f8382cf17d..9ebbd4b531df1 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> @@ -976,4 +976,27 @@ l0_%=: exit; \
> : __clobber_all);
> }
>
> +SEC("socket")
> +__description("noperfmon: Spectre v4 stack write slot index")
> +__success __success_unpriv
> +__caps_unpriv(CAP_BPF)
Not sure if the conditions that led Kartikeya and Eduard to add
__caps_unpriv(CAP_BPF) explicitly for some tests also apply here.
It seems adding it to this test will not provide much benefit because
the other tests in verifier_unpriv.c already assume
sysctl_unprivileged_bpf_disabled=0.
Because this already affects the more restricted 'unpriv process under
sysctl_unprivileged_bpf_disabled=0 without CAP_BPF' environment, I
suggest dropping __caps_unpriv(CAP_BPF).
> +__retval(0)
> +#ifdef SPEC_V4
> +__xlated_unpriv("r0 = 0")
> +__xlated_unpriv("*(u32 *)(r10 -4) = r0")
> +__xlated_unpriv("nospec")
> +__xlated_unpriv("*(u32 *)(r10 -8) = r0")
> +__xlated_unpriv("nospec")
> +__xlated_unpriv("exit")
> +#endif
> +__naked void stack_write_nospec_slot_index(void)
> +{
> + asm volatile (" \
> + r0 = 0; \
> + *(u32 *)(r10 - 4) = r0; \
> + *(u32 *)(r10 - 8) = r0; \
> + exit; \
> +" ::: __clobber_all);
> +}
> +
> char _license[] SEC("license") = "GPL";
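Review bot: if `__caps_unpriv(CAP_BPF)` is dropped as suggested above, the `__description("noperfmon: ...")` prefix and the commit message's "CAP_BPF-without-CAP_PERFMON loader lane" wording should be revisited in the same respin, since the test would then run as a fully unprivileged loader; keep the description in step with the capability set actually used so the test name still tells a reader which environment the nospec expectation applies to.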
Acked-by: Luis Gerhorst <luis.gerhorst@fau.de>

* Re: Re: [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing
2026-06-17 8:45 ` Luis Gerhorst
@ 2026-06-17 14:06 ` Nuoqi Gui
0 siblings, 0 replies; 11+ messages in thread
From: Nuoqi Gui @ 2026-06-17 14:06 UTC (permalink / raw)
To: Luis Gerhorst
Cc: Eduard Zingerman, Kumar Kartikeya Dwivedi, Alexei Starovoitov,
Daniel Borkmann, Andrii Nakryiko, John Fastabend,
Martin KaFai Lau, Shuah Khan, bpf, linux-kselftest, linux-kernel
> -----Original Messages-----
> From: "Luis Gerhorst" <luis.gerhorst@fau.de>
> Send time: Wednesday, 17/06/2026 16:45:50
> To: "Nuoqi Gui" <gnq25@mails.tsinghua.edu.cn>, "Eduard Zingerman" <eddyz87@gmail.com>, "Kumar Kartikeya Dwivedi" <memxor@gmail.com>
> Cc: "Alexei Starovoitov" <ast@kernel.org>, "Daniel Borkmann" <daniel@iogearbox.net>, "Andrii Nakryiko" <andrii@kernel.org>, "John
> Fastabend" <john.fastabend@gmail.com>, "Martin KaFai Lau" <martin.lau@linux.dev>, "Shuah Khan" <shuah@kernel.org>, bpf@vger.kernel.org, linux-kselftest@vger.kernel.org, linux-kernel@vger.kernel.org
> Subject: Re: [PATCH bpf 2/2] selftests/bpf: Cover stack nospec slot indexing
>
> Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> writes:
>
> > Add a verifier test for the fixed-offset stack write case where two 4-byte
> > stores initialize opposite halves of the same stack slot.
> >
> > The test uses the CAP_BPF-without-CAP_PERFMON loader lane so Spectre v4
> > mitigation remains active. It expects both half-slot writes to emit nospec
> > in the translated program.
> >
> > Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
> > ---
> > .../testing/selftests/bpf/progs/verifier_unpriv.c | 23 ++++++++++++++++++++++
> > 1 file changed, 23 insertions(+)
> >
> > diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> > index c16f8382cf17d..9ebbd4b531df1 100644
> > --- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> > +++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> > @@ -976,4 +976,27 @@ l0_%=: exit; \
> > : __clobber_all);
> > }
> >
> > +SEC("socket")
> > +__description("noperfmon: Spectre v4 stack write slot index")
> > +__success __success_unpriv
> > +__caps_unpriv(CAP_BPF)
>
> Not sure if the conditions that led Kartikeya and Eduard to add
> __caps_unpriv(CAP_BPF) explicitly for some tests also apply here.
>
> It seems adding it to this test will not provide much benefit because
> the other tests in verifier_unpriv.c already assume
> sysctl_unprivileged_bpf_disabled=0.
>
> Because this already affects the more restricted 'unpriv process under
> sysctl_unprivileged_bpf_disabled=0 without CAP_BPF' environment, I
> suggest dropping __caps_unpriv(CAP_BPF).
>
> > +__retval(0)
> > +#ifdef SPEC_V4
> > +__xlated_unpriv("r0 = 0")
> > +__xlated_unpriv("*(u32 *)(r10 -4) = r0")
> > +__xlated_unpriv("nospec")
> > +__xlated_unpriv("*(u32 *)(r10 -8) = r0")
> > +__xlated_unpriv("nospec")
> > +__xlated_unpriv("exit")
> > +#endif
> > +__naked void stack_write_nospec_slot_index(void)
> > +{
> > + asm volatile (" \
> > + r0 = 0; \
> > + *(u32 *)(r10 - 4) = r0; \
> > + *(u32 *)(r10 - 8) = r0; \
> > + exit; \
> > +" ::: __clobber_all);
> > +}
> > +
> > char _license[] SEC("license") = "GPL";
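Review bot: both stores in this test write `r0 = 0`, so the first half-slot becomes STACK_ZERO; the pre-check in patch 1 treats STACK_MISC and STACK_ZERO alike (`type != STACK_MISC && type != STACK_ZERO`), so a sibling variant that stores a non-zero scalar first would confirm the MISC path gets the same nospec placement and guard the other arm of that condition.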
>
> Acked-by: Luis Gerhorst <luis.gerhorst@fau.de>
Thanks.
I'll drop __caps_unpriv(CAP_BPF).