From: sashiko-bot@kernel.org
To: "Yonghong Song" <yonghong.song@linux.dev>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v5 06/16] bpf: Limit the scope of BPF_REG_PARAMS usage
Date: Fri, 17 Apr 2026 04:50:14 +0000 [thread overview]
Message-ID: <20260417045015.4CE60C19425@smtp.kernel.org> (raw)
In-Reply-To: <20260417034729.2629367-1-yonghong.song@linux.dev>
Sashiko AI review found 2 potential issue(s):
- [Critical] Early returns in dataflow tracking passes skip necessary state updates for the destination register during BPF_LDX using BPF_REG_PARAMS.
- [Critical] Permitting BPF_REG_PARAMS causes severe out-of-bounds memory accesses to the `regs` array during the main verifier loop (`do_check_main`).
--
commit d68722297de575b838cc2f76141cf9c052e63448
Author: Yonghong Song <yonghong.song@linux.dev>
bpf: Limit the scope of BPF_REG_PARAMS usage
This commit restricts the usage of BPF_REG_PARAMS (r11) to specific memory
load and store instruction forms. It also adds early returns in dataflow
tracking passes to prevent out-of-bounds accesses for stack arguments.
> diff --git a/kernel/bpf/const_fold.c b/kernel/bpf/const_fold.c
> index db73c4740b1e1..09db7fdb370fd 100644
> --- a/kernel/bpf/const_fold.c
> +++ b/kernel/bpf/const_fold.c
[ ... ]
> @@ -51,13 +51,18 @@ static void const_reg_xfer(struct bpf_verifier_env *env, struct const_arg_info *
> struct bpf_insn *insn, struct bpf_insn *insns, int idx)
> {
> struct const_arg_info unknown = { .state = CONST_ARG_UNKNOWN, .val = 0 };
> - struct const_arg_info *dst = &ci_out[insn->dst_reg];
> - struct const_arg_info *src = &ci_out[insn->src_reg];
> + struct const_arg_info *dst, *src;
> u8 class = BPF_CLASS(insn->code);
> u8 mode = BPF_MODE(insn->code);
> u8 opcode = BPF_OP(insn->code) | BPF_SRC(insn->code);
> int r;
>
> + /* Stack arguments using BPF_REG_PARAMS are outside the tracked register set. */
> + if (insn->dst_reg >= MAX_BPF_REG || insn->src_reg >= MAX_BPF_REG)
> + return;
If we return early here during a BPF_LDX instruction where src_reg is
BPF_REG_PARAMS (11), doesn't this skip necessary state updates for dst_reg
(e.g., registers 0 through 9)?
Since dst_reg is not marked as unknown, won't it retain its stale tracking
state? Could bpf_prune_dead_branches() rely on this stale constant to
incorrectly rewrite conditional jumps, allowing verifier safety checks to be
bypassed?
> +
> + dst = &ci_out[insn->dst_reg];
> + src = &ci_out[insn->src_reg];
[ ... ]
> diff --git a/kernel/bpf/liveness.c b/kernel/bpf/liveness.c
> index 332e6e003f270..0c7eef3385513 100644
> --- a/kernel/bpf/liveness.c
> +++ b/kernel/bpf/liveness.c
> @@ -1068,11 +1068,16 @@ static void arg_track_xfer(struct bpf_verifier_env *env, struct bpf_insn *insn,
> int depth = instance->depth;
> u8 class = BPF_CLASS(insn->code);
> u8 code = BPF_OP(insn->code);
> - struct arg_track *dst = &at_out[insn->dst_reg];
> - struct arg_track *src = &at_out[insn->src_reg];
> + struct arg_track *dst, *src;
> struct arg_track none = { .frame = ARG_NONE };
> int r;
>
> + /* Stack arguments using BPF_REG_PARAMS are outside the tracked register set. */
> + if (insn->dst_reg >= MAX_BPF_REG || insn->src_reg >= MAX_BPF_REG)
> + return;
Similarly, does this early return skip clearing the arg_track state for the
destination register when loading from a stack argument?
> +
> + dst = &at_out[insn->dst_reg];
> + src = &at_out[insn->src_reg];
[ ... ]
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> index ff0c55d803117..f25a56cfabaca 100644
> --- a/kernel/bpf/verifier.c
> +++ b/kernel/bpf/verifier.c
> @@ -18487,13 +18487,22 @@ static int check_and_resolve_insns(struct bpf_verifier_env *env)
> return err;
>
> for (i = 0; i < insn_cnt; i++, insn++) {
> + u8 class = BPF_CLASS(insn->code);
> + u8 mode = BPF_MODE(insn->code);
> +
> if (insn->dst_reg >= MAX_BPF_REG) {
> - verbose(env, "R%d is invalid\n", insn->dst_reg);
> - return -EINVAL;
> + if (insn->dst_reg != BPF_REG_PARAMS ||
> + !((class == BPF_ST || class == BPF_STX) && mode == BPF_MEM)) {
> + verbose(env, "R%d is invalid\n", insn->dst_reg);
> + return -EINVAL;
> + }
> }
By permitting BPF_REG_PARAMS (which equals MAX_BPF_REG) to pass this validation
check, won't this cause out-of-bounds memory accesses to the regs array
(e.g., struct bpf_reg_state regs[MAX_BPF_REG]) during the main verifier loop?
When do_check_main() processes these instructions, functions like
check_reg_arg() will attempt to access regs[11], which overlays verifier
internal state.
I note this regression is fixed later in the patch series in commit
6ec4a3fcb5e83 ("bpf: Support stack arguments for bpf functions"), but it
appears to introduce an issue in this intermediate patch.
--
Sashiko AI review · https://sashiko.dev/#/patchset/20260417034658.2625353-1-yonghong.song@linux.dev?part=6
next prev parent reply other threads:[~2026-04-17 4:50 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 3:46 [PATCH bpf-next v5 00/16] bpf: Support stack arguments for BPF functions and kfuncs Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 01/16] bpf: Remove unused parameter from check_map_kptr_access() Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 02/16] bpf: Refactor to avoid redundant calculation of bpf_reg_state Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 03/16] bpf: Refactor to handle memory and size together Yonghong Song
2026-04-17 4:49 ` sashiko-bot
2026-04-18 16:40 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-18 16:47 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 04/16] bpf: Prepare verifier logs for upcoming kfunc stack arguments Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 05/16] bpf: Introduce bpf register BPF_REG_PARAMS Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 06/16] bpf: Limit the scope of BPF_REG_PARAMS usage Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-18 16:48 ` Yonghong Song
2026-04-17 4:50 ` sashiko-bot [this message]
2026-04-18 16:50 ` Yonghong Song
2026-04-18 1:04 ` bot+bpf-ci
2026-04-18 16:54 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 07/16] bpf: Reuse MAX_BPF_FUNC_ARGS for maximum number of arguments Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-18 17:00 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-18 17:03 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 08/16] bpf: Support stack arguments for bpf functions Yonghong Song
2026-04-17 4:35 ` sashiko-bot
2026-04-18 17:10 ` Yonghong Song
2026-04-17 4:43 ` bot+bpf-ci
2026-04-18 17:11 ` Yonghong Song
2026-04-18 1:04 ` bot+bpf-ci
2026-04-17 3:47 ` [PATCH bpf-next v5 09/16] bpf: Reject stack arguments in non-JITed programs Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-18 17:17 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-17 3:47 ` [PATCH bpf-next v5 10/16] bpf: Reject stack arguments if tail call reachable Yonghong Song
2026-04-17 4:08 ` sashiko-bot
2026-04-18 17:18 ` Yonghong Song
2026-04-18 17:37 ` Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-18 1:04 ` bot+bpf-ci
2026-04-18 17:24 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 11/16] bpf: Support stack arguments for kfunc calls Yonghong Song
2026-04-17 4:40 ` sashiko-bot
2026-04-18 17:46 ` Yonghong Song
2026-04-17 4:43 ` bot+bpf-ci
2026-04-18 17:57 ` Yonghong Song
2026-04-18 1:04 ` bot+bpf-ci
2026-04-18 18:04 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 12/16] bpf: Enable stack argument support for x86_64 Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-17 5:03 ` sashiko-bot
2026-04-18 18:07 ` Yonghong Song
2026-04-18 1:04 ` bot+bpf-ci
2026-04-17 3:48 ` [PATCH bpf-next v5 13/16] bpf,x86: Implement JIT support for stack arguments Yonghong Song
2026-04-17 4:44 ` sashiko-bot
2026-04-18 16:43 ` Puranjay Mohan
2026-04-18 18:15 ` Yonghong Song
2026-04-18 1:20 ` bot+bpf-ci
2026-04-18 18:23 ` Yonghong Song
2026-04-17 3:48 ` [PATCH bpf-next v5 14/16] selftests/bpf: Add tests for BPF function " Yonghong Song
2026-04-17 4:20 ` sashiko-bot
2026-04-18 0:52 ` bot+bpf-ci
2026-04-18 18:26 ` Yonghong Song
2026-04-17 3:48 ` [PATCH bpf-next v5 15/16] selftests/bpf: Add negative test for greater-than-8-byte kfunc stack argument Yonghong Song
2026-04-17 4:28 ` sashiko-bot
2026-04-18 18:29 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-17 3:48 ` [PATCH bpf-next v5 16/16] selftests/bpf: Add verifier tests for stack argument validation Yonghong Song
2026-04-17 4:38 ` sashiko-bot
2026-04-18 18:36 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-18 16:39 ` [PATCH bpf-next v5 00/16] bpf: Support stack arguments for BPF functions and kfuncs Puranjay Mohan
2026-04-18 18:47 ` Alexei Starovoitov
2026-04-18 18:54 ` Yonghong Song
2026-04-18 17:06 ` Puranjay Mohan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260417045015.4CE60C19425@smtp.kernel.org \
--to=sashiko-bot@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=sashiko@lists.linux.dev \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.