From: Yonghong Song <yonghong.song@linux.dev>
To: bot+bpf-ci@kernel.org, bpf@vger.kernel.org
Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net,
jose.marchesi@oracle.com, kernel-team@fb.com,
martin.lau@kernel.org, eddyz87@gmail.com, clm@meta.com,
ihor.solodrai@linux.dev
Subject: Re: [PATCH bpf-next v5 06/16] bpf: Limit the scope of BPF_REG_PARAMS usage
Date: Sat, 18 Apr 2026 09:48:22 -0700 [thread overview]
Message-ID: <2425e72e-9044-4f6c-8959-91f2705e5c68@linux.dev> (raw)
In-Reply-To: <0384d4ba23e7f159c6e80c79a64b4dcd2186fa97b53ae7b2eb721a9cd3156775@mail.kernel.org>
On 4/16/26 9:30 PM, bot+bpf-ci@kernel.org wrote:
>> diff --git a/kernel/bpf/const_fold.c b/kernel/bpf/const_fold.c
>> index db73c4740b1e..09db7fdb370f 100644
>> --- a/kernel/bpf/const_fold.c
>> +++ b/kernel/bpf/const_fold.c
> [ ... ]
>
>> diff --git a/kernel/bpf/liveness.c b/kernel/bpf/liveness.c
>> index 1fb4c511db5a..993d7e543e9f 100644
>> --- a/kernel/bpf/liveness.c
>> +++ b/kernel/bpf/liveness.c
> [ ... ]
>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
>> index ff0c55d80311..f25a56cfabac 100644
>> --- a/kernel/bpf/verifier.c
>> +++ b/kernel/bpf/verifier.c
>> @@ -18487,13 +18487,22 @@ static int check_and_resolve_insns(struct bpf_verifier_env *env)
>> return err;
>>
>> for (i = 0; i < insn_cnt; i++, insn++) {
>> + u8 class = BPF_CLASS(insn->code);
>> + u8 mode = BPF_MODE(insn->code);
>> +
>> if (insn->dst_reg >= MAX_BPF_REG) {
>> - verbose(env, "R%d is invalid\n", insn->dst_reg);
>> - return -EINVAL;
>> + if (insn->dst_reg != BPF_REG_PARAMS ||
>> + !((class == BPF_ST || class == BPF_STX) && mode == BPF_MEM)) {
>> + verbose(env, "R%d is invalid\n", insn->dst_reg);
>> + return -EINVAL;
>> + }
>> }
>> if (insn->src_reg >= MAX_BPF_REG) {
>> - verbose(env, "R%d is invalid\n", insn->src_reg);
>> - return -EINVAL;
>> + if (insn->src_reg != BPF_REG_PARAMS || class != BPF_LDX ||
>> + mode != BPF_MEM) {
>> + verbose(env, "R%d is invalid\n", insn->src_reg);
>> + return -EINVAL;
>> + }
>> }
>> if (insn[0].code == (BPF_LD | BPF_IMM | BPF_DW)) {
>> struct bpf_insn_aux_data *aux;
> Can these instructions with BPF_REG_PARAMS trigger out-of-bounds accesses
> in subsequent verification functions? The regs array in struct
> bpf_func_state is declared as regs[MAX_BPF_REG] with MAX_BPF_REG=11,
> giving valid indices 0-10.
>
> When instructions with src_reg=BPF_REG_PARAMS (11) reach check_load_mem():
>
> kernel/bpf/verifier.c:check_load_mem() {
> ...
> src_reg_type = regs[insn->src_reg].type;
> ...
> }
>
> This performs regs[11] which is one past the end of the array.
>
> Similarly, when instructions with dst_reg=BPF_REG_PARAMS reach
> __check_reg_arg():
>
> kernel/bpf/verifier.c:__check_reg_arg() {
> ...
> reg = ®s[regno];
> ...
> }
>
> The commit message states "array-based register tracking indexed by
> register number would cause out-of-bounds accesses. So do early return
> if needed." However, the patch adds early returns in const_fold.c and
> liveness.c but not in the main verification path functions like
> check_load_mem() or __check_reg_arg().
>
> The fix appears to arrive in subsequent commit 212295359353 ("bpf:
> Support stack arguments for bpf functions"). Between this commit and
> that fix, could user-provided BPF programs with BPF_REG_PARAMS
> instructions trigger out-of-bounds memory access in the kernel verifier?
You are right, this patch should be after "bpf: Support stack arguments
for bpf functions" to avoid such issues.
>
> This commit also lacks a Fixes: tag. The suggested tag would be:
>
> Fixes: 595885eced33 ("bpf: Introduce bpf register BPF_REG_PARAMS")
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/24546989054
next prev parent reply other threads:[~2026-04-18 16:48 UTC|newest]
Thread overview: 73+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-17 3:46 [PATCH bpf-next v5 00/16] bpf: Support stack arguments for BPF functions and kfuncs Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 01/16] bpf: Remove unused parameter from check_map_kptr_access() Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 02/16] bpf: Refactor to avoid redundant calculation of bpf_reg_state Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 03/16] bpf: Refactor to handle memory and size together Yonghong Song
2026-04-17 4:49 ` sashiko-bot
2026-04-18 16:40 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-18 16:47 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 04/16] bpf: Prepare verifier logs for upcoming kfunc stack arguments Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 05/16] bpf: Introduce bpf register BPF_REG_PARAMS Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 06/16] bpf: Limit the scope of BPF_REG_PARAMS usage Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-18 16:48 ` Yonghong Song [this message]
2026-04-17 4:50 ` sashiko-bot
2026-04-18 16:50 ` Yonghong Song
2026-04-18 1:04 ` bot+bpf-ci
2026-04-18 16:54 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 07/16] bpf: Reuse MAX_BPF_FUNC_ARGS for maximum number of arguments Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-18 17:00 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-18 17:03 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 08/16] bpf: Support stack arguments for bpf functions Yonghong Song
2026-04-17 4:35 ` sashiko-bot
2026-04-18 17:10 ` Yonghong Song
2026-04-17 4:43 ` bot+bpf-ci
2026-04-18 17:11 ` Yonghong Song
2026-04-18 1:04 ` bot+bpf-ci
2026-04-17 3:47 ` [PATCH bpf-next v5 09/16] bpf: Reject stack arguments in non-JITed programs Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-18 17:17 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-17 3:47 ` [PATCH bpf-next v5 10/16] bpf: Reject stack arguments if tail call reachable Yonghong Song
2026-04-17 4:08 ` sashiko-bot
2026-04-18 17:18 ` Yonghong Song
2026-04-18 17:37 ` Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-18 1:04 ` bot+bpf-ci
2026-04-18 17:24 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 11/16] bpf: Support stack arguments for kfunc calls Yonghong Song
2026-04-17 4:40 ` sashiko-bot
2026-04-18 17:46 ` Yonghong Song
2026-04-17 4:43 ` bot+bpf-ci
2026-04-18 17:57 ` Yonghong Song
2026-04-18 1:04 ` bot+bpf-ci
2026-04-18 18:04 ` Yonghong Song
2026-04-17 3:47 ` [PATCH bpf-next v5 12/16] bpf: Enable stack argument support for x86_64 Yonghong Song
2026-04-17 4:30 ` bot+bpf-ci
2026-04-17 5:03 ` sashiko-bot
2026-04-18 18:07 ` Yonghong Song
2026-04-18 1:04 ` bot+bpf-ci
2026-04-17 3:48 ` [PATCH bpf-next v5 13/16] bpf,x86: Implement JIT support for stack arguments Yonghong Song
2026-04-17 4:44 ` sashiko-bot
2026-04-18 16:43 ` Puranjay Mohan
2026-04-18 18:15 ` Yonghong Song
2026-04-18 1:20 ` bot+bpf-ci
2026-04-18 18:23 ` Yonghong Song
2026-04-17 3:48 ` [PATCH bpf-next v5 14/16] selftests/bpf: Add tests for BPF function " Yonghong Song
2026-04-17 4:20 ` sashiko-bot
2026-04-18 0:52 ` bot+bpf-ci
2026-04-18 18:26 ` Yonghong Song
2026-04-17 3:48 ` [PATCH bpf-next v5 15/16] selftests/bpf: Add negative test for greater-than-8-byte kfunc stack argument Yonghong Song
2026-04-17 4:28 ` sashiko-bot
2026-04-18 18:29 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-17 3:48 ` [PATCH bpf-next v5 16/16] selftests/bpf: Add verifier tests for stack argument validation Yonghong Song
2026-04-17 4:38 ` sashiko-bot
2026-04-18 18:36 ` Yonghong Song
2026-04-18 0:52 ` bot+bpf-ci
2026-04-18 16:39 ` [PATCH bpf-next v5 00/16] bpf: Support stack arguments for BPF functions and kfuncs Puranjay Mohan
2026-04-18 18:47 ` Alexei Starovoitov
2026-04-18 18:54 ` Yonghong Song
2026-04-18 17:06 ` Puranjay Mohan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2425e72e-9044-4f6c-8959-91f2705e5c68@linux.dev \
--to=yonghong.song@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bot+bpf-ci@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clm@meta.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=ihor.solodrai@linux.dev \
--cc=jose.marchesi@oracle.com \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.