From: Yonghong Song <yonghong.song@linux.dev>
To: Eduard Zingerman <eddyz87@gmail.com>, bpf@vger.kernel.org
Cc: Alexei Starovoitov <ast@kernel.org>,
Andrii Nakryiko <andrii@kernel.org>,
Daniel Borkmann <daniel@iogearbox.net>,
"Jose E . Marchesi" <jose.marchesi@oracle.com>,
kernel-team@fb.com, Martin KaFai Lau <martin.lau@kernel.org>
Subject: Re: [PATCH bpf-next 02/18] bpf: Add precision marking and backtracking for stack argument slots
Date: Tue, 28 Apr 2026 21:54:21 +0100
Message-ID: <8c6455e1-94f5-42e5-8d27-66787dec878f@linux.dev>
In-Reply-To: <d85346c710e62c1ccf1babe1c5e5ebce6c757fb6.camel@gmail.com>
On 4/28/26 9:46 AM, Eduard Zingerman wrote:
> On Fri, 2026-04-24 at 10:14 -0700, Yonghong Song wrote:
>> Extend the precision marking and backtracking infrastructure to
>> support stack argument slots (r11-based accesses). Without this,
>> precision demands for scalar values passed through stack arguments
>> are silently dropped, which could allow the verifier to incorrectly
>> prune states with different constant values in stack arg slots.
>>
>> INSN_F_STACK_ARG_ACCESS is encoded as INSN_F_STACK_ACCESS |
>> INSN_F_DST_REG_STACK (BIT(9) | BIT(10)). This is safe because
>> INSN_F_STACK_ACCESS is only used for ST/STX/LDX insns while
>> INSN_F_DST_REG_STACK is only used for JMP insns — they never appear
>> on the same instruction. This keeps the total within the 12-bit
>> jmp_history flags budget.
>>
>> Three components are added:
>>
>> 1. Jump history recording for stack arg accesses:
>> - check_stack_arg_write() records INSN_F_STACK_ARG_ACCESS for
>> outgoing stores.
>> - check_stack_arg_read() records INSN_F_STACK_ARG_ACCESS for
>> incoming loads.
>>
>> 2. backtrack_insn() handling:
>> - BPF_LDX: when backtracking through an incoming stack arg load,
>> transfer precision demand from the destination register to the
>> stack arg slot mask.
>> - BPF_STX/BPF_ST: when backtracking through an outgoing stack arg
>> store, transfer precision demand from the stack arg slot to the
>> source register.
>> - Call boundary: when exiting a callee back to the caller,
>> propagate the callee's incoming stack arg precision bits to the
>> caller's outgoing stack arg slots. The slot index maps directly
>> (slot i in callee corresponds to slot i in caller) since the
>> caller's stack_arg_regs only contains outgoing slots.
>>
>> 3. bpf_mark_chain_precision() state walking:
>> - When iterating parent states, mark stack_arg_regs[spi].precise
>> for slots that have pending precision demand.
>>
>> Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
>> ---
> Acked-by: Eduard Zingerman <eddyz87@gmail.com>
>
>> include/linux/bpf_verifier.h | 13 ++++++++
>> kernel/bpf/backtrack.c | 61 ++++++++++++++++++++++++++++++++++--
>> kernel/bpf/verifier.c | 30 +++++++++++++++---
>> 3 files changed, 98 insertions(+), 6 deletions(-)
>>
>> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
>> index 2cc349d7fc17..735f33ad3db7 100644
>> --- a/include/linux/bpf_verifier.h
>> +++ b/include/linux/bpf_verifier.h
>> @@ -393,6 +393,13 @@ enum {
>> INSN_F_SPI_SHIFT = 3, /* shifted 3 bits to the left */
>>
>> INSN_F_STACK_ACCESS = BIT(9),
>> + /*
>> + * INSN_F_STACK_ARG_ACCESS uses INSN_F_STACK_ACCESS | INSN_F_DST_REG_STACK.
>> + * This is safe because INSN_F_DST_REG_STACK is only used for JMP insns
>> + * while INSN_F_STACK_ACCESS is only used for ST/STX/LDX insns — they
>> + * never appear on the same instruction.
>> + */
>> + INSN_F_STACK_ARG_ACCESS = BIT(9) | BIT(10),
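Review bot: encoding INSN_F_STACK_ARG_ACCESS as BIT(9) | BIT(10) means any reader that tests `flags & INSN_F_STACK_ACCESS` or `flags & INSN_F_DST_REG_STACK` on its own will also match stack-arg entries; the comment only argues that producers never set both bits on one insn, it says nothing about how consumers must decode. Please either state in the comment that decoders have to test the two-bit combination before either single bit, or give the stack-arg case a flag of its own if the 12-bit budget can be rearranged.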
> Tbh, I'd split bpf_jmp_history_entry like this:
>
> struct bpf_jmp_history_entry {
> u32 idx:20;
> u32 frame:3;
> u32 spi:6;
> /* insn idx can't be bigger than 1 million */
> u32 prev_idx : 20;
> /* special INSN_F_xxx flags */
> u32 flags : 12;
> /* additional registers that need precision tracking when this
> * jump is backtracked, vector of six 10-bit records
> */
> u64 linked_regs;
> };
Good point, let me try.
>
> [...]
>
>> @@ -453,9 +498,10 @@ static int backtrack_insn(struct bpf_verifier_env *env, int idx, int subseq_idx,
>> bt_stack_mask(bt));
>> return -EFAULT;
>> }
>> - /* clear r1-r5 in callback subprog's mask */
>> + /* clear r1-r5 and stack arg slots in callback subprog's mask */
>> for (i = BPF_REG_1; i <= BPF_REG_5; i++)
>> bt_clear_reg(bt, i);
>> + bt->stack_arg_masks[bt->frame] = 0;
> Nit: I think having these set at this point is a bug condition.
This one is a leftover from an early patch and I didn't remove it. I just tested again;
this is indeed not needed. Will remove.
>
>> if (bt_subprog_exit(bt))
>> return -EFAULT;
>> return 0;
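Review bot: `bt->stack_arg_masks[bt->frame] = 0;` silently discards any pending stack-arg precision demand at the callback boundary, whereas the check just above this hunk treats a leftover stack mask as a verifier bug, dumps it with verbose() and returns -EFAULT. A non-zero stack_arg_masks entry here should get the same treatment instead of a quiet reset; if the line is dropped, the "and stack arg slots" wording added to the comment should go with it.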
> [...]
>
>> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
> [...]
>
>> static int check_outgoing_stack_args(struct bpf_verifier_env *env, struct bpf_func_state *caller,
>> @@ -7269,8 +7285,14 @@ static int check_mem_size_reg(struct bpf_verifier_env *env,
>> }
>> err = check_helper_mem_access(env, mem_reg, mem_argno, size_reg->umax_value,
>> access_type, zero_size_allowed, meta);
>> - if (!err)
>> - err = mark_chain_precision(env, reg_from_argno(size_argno));
>> + if (!err) {
>> + int regno = reg_from_argno(size_argno);
>> +
>> + if (regno >= 0)
>> + err = mark_chain_precision(env, regno);
>> + else
>> + err = mark_stack_arg_precision(env, arg_from_argno(size_argno) - 1);
>> + }
> Nit: maybe make this a utility function, e.g. mark_arg_precision(env, argno) ?
Sure, will do.
>
>> return err;
>> }
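Review bot: `arg_from_argno(size_argno) - 1` hides an off-by-one conversion from argument number to stack-arg slot index that nothing in the hunk explains, and the `regno >= 0` branch depends on reg_from_argno() returning a negative value for stack-passed arguments, which is also undocumented here. Fold the register/slot dispatch and the `- 1` into one helper that takes argno, and document the return convention, so later callers do not reproduce the mapping by hand.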
>>
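The commit message above describes three pieces: recording INSN_F_STACK_ARG_ACCESS on stack-arg stores and loads, moving precision demand between registers and slot masks in backtrack_insn(), and carrying the callee's slot demands back to the caller at the call boundary. The following is an added toy model of that flow written for this page; it is not kernel code. The flag values BIT(9) and BIT(10) and INSN_F_SPI_SHIFT = 3 are taken from the patch, INSN_F_DST_REG_STACK = BIT(10) is inferred from the comment in the header hunk, and the 6-bit slot index, the history layout and the instruction trace are constructed for the example. It also shows why the two-bit encoding must be decoded as a combination: a naive single-bit test misclassifies stack-arg entries as plain stack accesses.

```c
/* Added illustration of stack-arg precision backtracking, not kernel code.
 * Flag values follow the patch; the rest is a made-up model. */
#include <stdint.h>
#include <stdio.h>

#define BIT(n)                  (1u << (n))
#define INSN_F_STACK_ACCESS     BIT(9)
#define INSN_F_DST_REG_STACK    BIT(10)   /* inferred from BIT(9) | BIT(10) in the patch */
#define INSN_F_STACK_ARG_ACCESS (INSN_F_STACK_ACCESS | INSN_F_DST_REG_STACK)
#define INSN_F_SPI_SHIFT        3
#define SPI_MASK                0x3f      /* assumed: 6-bit slot index at bits 3..8 */

enum flag_class { FC_NONE, FC_STACK_ACCESS, FC_DST_REG_STACK, FC_STACK_ARG };

/* Wrong decoder: a stack-arg entry also satisfies this test. */
static int naive_is_stack_access(unsigned flags)
{
	return (flags & INSN_F_STACK_ACCESS) != 0;
}

/* Correct decoder: check the two-bit combination before either single bit. */
static enum flag_class classify_flags(unsigned flags)
{
	if ((flags & INSN_F_STACK_ARG_ACCESS) == INSN_F_STACK_ARG_ACCESS)
		return FC_STACK_ARG;
	if (flags & INSN_F_STACK_ACCESS)
		return FC_STACK_ACCESS;
	if (flags & INSN_F_DST_REG_STACK)
		return FC_DST_REG_STACK;
	return FC_NONE;
}

static int slot_of(unsigned flags)
{
	return (flags >> INSN_F_SPI_SHIFT) & SPI_MASK;
}

enum insn_kind { I_STX, I_CALL, I_LDX };

/* One recorded history entry; frame 0 is the caller, frame 1 the callee. */
struct hist {
	enum insn_kind kind;
	int reg;        /* STX: source reg, LDX: destination reg */
	unsigned flags; /* INSN_F_* bits plus slot index << INSN_F_SPI_SHIFT */
};

/* Backtracking state: per-frame register mask and stack-arg slot mask. */
struct bt {
	int frame;
	uint32_t reg_masks[2];
	uint32_t stack_arg_masks[2];
};

/* Walk history backwards from the insn that demanded precision for
 * register regno in frame frame. Returns 0 on success, -1 on a
 * mis-tagged entry or a call boundary with no caller frame. */
static int backtrack(struct bt *bt, const struct hist *h, int n, int frame, int regno)
{
	bt->frame = frame;
	bt->reg_masks[0] = bt->reg_masks[1] = 0;
	bt->stack_arg_masks[0] = bt->stack_arg_masks[1] = 0;
	bt->reg_masks[frame] |= 1u << regno;

	for (int i = n - 1; i >= 0; i--) {
		const struct hist *e = &h[i];
		uint32_t slot_bit = 1u << slot_of(e->flags);
		uint32_t reg_bit = 1u << e->reg;

		switch (e->kind) {
		case I_LDX: /* incoming load: demand moves dst reg -> slot */
			if (classify_flags(e->flags) != FC_STACK_ARG)
				return -1;
			if (bt->reg_masks[bt->frame] & reg_bit) {
				bt->reg_masks[bt->frame] &= ~reg_bit;
				bt->stack_arg_masks[bt->frame] |= slot_bit;
			}
			break;
		case I_CALL: /* leaving callee: slot i in callee -> slot i in caller */
			if (bt->frame == 0)
				return -1;
			bt->stack_arg_masks[bt->frame - 1] |= bt->stack_arg_masks[bt->frame];
			bt->stack_arg_masks[bt->frame] = 0;
			bt->frame--;
			break;
		case I_STX: /* outgoing store: demand moves slot -> src reg */
			if (classify_flags(e->flags) != FC_STACK_ARG)
				return -1;
			if (bt->stack_arg_masks[bt->frame] & slot_bit) {
				bt->stack_arg_masks[bt->frame] &= ~slot_bit;
				bt->reg_masks[bt->frame] |= reg_bit;
			}
			break;
		}
	}
	return 0;
}

/* Constructed trace: caller stores r3 to stack arg slot 0, calls, callee
 * loads slot 0 into r1, then uses r1 as a size (precision demand on r1). */
static const struct hist sample[] = {
	{ I_STX,  3, INSN_F_STACK_ARG_ACCESS | (0 << INSN_F_SPI_SHIFT) },
	{ I_CALL, 0, 0 },
	{ I_LDX,  1, INSN_F_STACK_ARG_ACCESS | (0 << INSN_F_SPI_SHIFT) },
};

/* Caller register mask after backtracking r1 in the callee; 0 on error. */
static uint32_t run_sample(void)
{
	struct bt bt;

	if (backtrack(&bt, sample, 3, 1, 1))
		return 0;
	return bt.reg_masks[0];
}

int main(void)
{
	printf("caller reg mask: 0x%x (bit 3 = r3 precise)\n", run_sample());
	printf("naive=%d classified=%d\n", naive_is_stack_access(INSN_F_STACK_ARG_ACCESS),
	       classify_flags(INSN_F_STACK_ARG_ACCESS));
	return 0;
}
```

Without the I_LDX and I_STX transfers, the demand on r1 would die in the callee and the caller's r3 would stay imprecise, which is exactly the state-pruning hazard the commit message names.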
Thread overview: 57+ messages
2026-04-24 17:14 [PATCH bpf-next 00/18] bpf: Support stack arguments for BPF functions and kfuncs Yonghong Song
2026-04-24 17:14 ` [PATCH bpf-next 01/18] bpf: Support stack arguments for bpf functions Yonghong Song
2026-04-24 18:13 ` bot+bpf-ci
2026-04-25 5:09 ` Yonghong Song
2026-04-27 20:40 ` Yonghong Song
2026-04-28 14:29 ` Eduard Zingerman
2026-04-28 16:47 ` Yonghong Song
2026-04-28 23:50 ` Yonghong Song
2026-04-29 0:28 ` Eduard Zingerman
2026-04-29 22:52 ` Yonghong Song
2026-04-30 1:38 ` Eduard Zingerman
2026-05-02 17:03 ` Alexei Starovoitov
2026-05-02 21:54 ` Yonghong Song
2026-05-08 17:33 ` Alexei Starovoitov
2026-04-24 17:14 ` [PATCH bpf-next 02/18] bpf: Add precision marking and backtracking for stack argument slots Yonghong Song
2026-04-24 18:00 ` bot+bpf-ci
2026-04-25 5:10 ` Yonghong Song
2026-04-28 16:46 ` Eduard Zingerman
2026-04-28 20:54 ` Yonghong Song [this message]
2026-04-24 17:14 ` [PATCH bpf-next 03/18] bpf: Refactor record_call_access() to extract per-arg logic Yonghong Song
2026-04-29 0:51 ` Eduard Zingerman
2026-04-29 22:55 ` Yonghong Song
2026-04-24 17:14 ` [PATCH bpf-next 04/18] bpf: Extend liveness analysis to track stack argument slots Yonghong Song
2026-04-24 18:00 ` bot+bpf-ci
2026-04-25 5:11 ` Yonghong Song
2026-04-29 12:22 ` Eduard Zingerman
2026-04-29 22:55 ` Yonghong Song
2026-04-24 17:14 ` [PATCH bpf-next 05/18] bpf: Reject stack arguments in non-JITed programs Yonghong Song
2026-04-24 18:00 ` bot+bpf-ci
2026-04-29 12:27 ` Eduard Zingerman
2026-04-24 17:15 ` [PATCH bpf-next 06/18] bpf: Prepare architecture JIT support for stack arguments Yonghong Song
2026-04-24 17:48 ` bot+bpf-ci
2026-04-25 5:17 ` Yonghong Song
2026-04-29 12:37 ` Eduard Zingerman
2026-04-24 17:15 ` [PATCH bpf-next 07/18] bpf: Enable r11 based insns Yonghong Song
2026-04-29 12:48 ` Eduard Zingerman
2026-04-24 17:15 ` [PATCH bpf-next 08/18] bpf: Support stack arguments for kfunc calls Yonghong Song
2026-04-24 18:00 ` bot+bpf-ci
2026-04-25 5:19 ` Yonghong Song
2026-04-24 17:15 ` [PATCH bpf-next 09/18] bpf: Reject stack arguments if tail call reachable Yonghong Song
2026-04-24 18:00 ` bot+bpf-ci
2026-04-24 17:15 ` [PATCH bpf-next 10/18] bpf,x86: Implement JIT support for stack arguments Yonghong Song
2026-04-24 18:00 ` bot+bpf-ci
2026-04-25 5:29 ` Yonghong Song
2026-04-24 17:16 ` [PATCH bpf-next 11/18] selftests/bpf: Add tests for BPF function stack arguments Yonghong Song
2026-04-24 17:16 ` [PATCH bpf-next 12/18] selftests/bpf: Add tests for stack argument validation Yonghong Song
2026-04-24 17:17 ` [PATCH bpf-next 13/18] selftests/bpf: Add verifier tests for stack argument validation Yonghong Song
2026-04-24 17:48 ` bot+bpf-ci
2026-04-25 5:33 ` Yonghong Song
2026-04-24 17:17 ` [PATCH bpf-next 14/18] selftests/bpf: Add BTF fixup for __naked subprog parameter names Yonghong Song
2026-04-24 17:17 ` [PATCH bpf-next 15/18] selftests/bpf: Add precision backtracking test for stack arguments Yonghong Song
2026-04-24 17:17 ` [PATCH bpf-next 16/18] bpf, arm64: Map BPF_REG_0 to x8 instead of x7 Yonghong Song
2026-04-24 17:17 ` [PATCH bpf-next 17/18] bpf, arm64: Add JIT support for stack arguments Yonghong Song
2026-04-24 18:00 ` bot+bpf-ci
2026-04-27 9:06 ` Puranjay Mohan
2026-04-27 20:42 ` Yonghong Song
2026-04-24 17:17 ` [PATCH bpf-next 18/18] selftests/bpf: Enable stack argument tests for arm64 Yonghong Song