From: Yonghong Song <yonghong.song@linux.dev>
To: Woojin Ji <random6.xyz@gmail.com>,
	Alexei Starovoitov <ast@kernel.org>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Andrii Nakryiko <andrii@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Kumar Kartikeya Dwivedi <memxor@gmail.com>,
	Martin KaFai Lau <martin.lau@linux.dev>,
	Song Liu <song@kernel.org>, Jiri Olsa <jolsa@kernel.org>,
	Emil Tsalapatis <emil@etsalapatis.com>,
	John Fastabend <john.fastabend@gmail.com>
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v2 0/2] bpf: Preserve scalar zero spills for var-offset stack reads
Date: Sun, 21 Jun 2026 08:29:46 -0700
Message-ID: <9256454d-6323-4eae-8a0a-e6bcecc92098@linux.dev>
In-Reply-To: <20260613-bpf-stack-var-off-zero-v1-v2-0-a324af0f00ea@gmail.com>
On 6/13/26 4:16 AM, Woojin Ji wrote:
> Variable-offset stack reads currently lose the known-zero fact when the
> loaded byte comes from a spilled scalar constant zero rather than from a
> STACK_ZERO byte. This series teaches the var-offset stack read path to
> preserve that zero fact while marking the contributing spill slots
> precise, and adds verifier_var_off coverage for the new behaviour and
> the pruning-sensitive negative case.
>
> I don't have a confirmed deployed-program regression, so this is targeted
> at bpf-next. I did confirm the pattern is reachable from normal C codegen
> with a small helper-based BPF C reproducer: clang 22.1.6 -O2/-O3 can
> produce a spilled scalar-zero plus variable-offset stack byte load pattern
> that the unpatched verifier rejects and the patched verifier accepts.

Could you share your C code to demonstrate patch 1? We can then check
whether the pattern is common and whether the code can be easily worked
around with source code (e.g. barrier_var() etc.).

>
> Changes in v2:
> - Rebased onto bpf-next.
> - Split verifier and selftests changes into separate patches.
> - Added bpf_bt_set_frame_slot_mask() instead of open-coding a slot loop.
> - Kept the new eager precision marking on the variable-offset read path.
> - Added verifier log assertions for the zero result and mark_precise trail.
> - Added sub-8-byte spill coverage with STACK_ZERO and STACK_MISC neighbours.
> - Cleaned up inline asm formatting and local labels.
>
> Tested with:
> - make O=../../out/kernel olddefconfig
> - make O=../../out/kernel -j$(nproc) kernel/bpf/verifier.o
> - make O=../../out/kernel LLVM=1 -j$(nproc) bzImage
> - ./test_progs -t verifier_var_off -v
>    Summary: 1/30 PASSED, 0 SKIPPED, 0 FAILED
> - ./test_progs -t verifier_spill_fill -t verifier_live_stack \
>    -t verifier_search_pruning -v
>    Summary: 3/127 PASSED, 0 SKIPPED, 0 FAILED
> - veristat -o csv verifier_var_off.bpf.o
>
> Assisted-by: opencode:gpt-5.5
> Signed-off-by: Woojin Ji <random6.xyz@gmail.com>
> ---
> Woojin Ji (2):
>        bpf: Preserve scalar zero spills for var-offset stack reads
>        selftests/bpf: Cover var-offset stack reads from zero spills
>
>   include/linux/bpf_verifier.h                       |   5 +
>   kernel/bpf/verifier.c                              |  55 ++++++--
>   .../testing/selftests/bpf/progs/verifier_var_off.c | 148 +++++++++++++++++++++
>   3 files changed, 198 insertions(+), 10 deletions(-)
> ---
> base-commit: 7bfb93e3475be9de894f1cecd3a727d3e1649b03
> change-id: 20260610-bpf-stack-var-off-zero-v1-34ad1bc3b533
>
> Best regards,
> --
> Woojin Ji <random6.xyz@gmail.com>
>
>
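As an added illustration of the behaviour the cover letter describes (this is not the series' code and not the BPF C reproducer asked for above), a simplified C model of the var-offset stack read decision: `struct slot`, `fill_slot`, `build_sample_stack` and `var_off_read_is_zero` are constructed here and only approximate the kernel's stack slot state, with offsets as positive byte indexes into a toy 3-slot stack. It contrasts the pre-patch rule (only STACK_ZERO bytes yield a known zero) with the patched rule (a spilled scalar constant 0 counts too and its slot is marked precise).

```c
#include <stdbool.h>
#include <stdint.h>

#define BPF_REG_SIZE 8
enum slot_type { STACK_INVALID, STACK_MISC, STACK_ZERO, STACK_SPILL };

/* One 8-byte slot with per-byte tags; for STACK_SPILL only what this decision needs. */
struct slot {
	enum slot_type stype[BPF_REG_SIZE];
	bool spilled_const;	/* spilled register is a scalar with known value */
	uint64_t spilled_val;
	bool precise;		/* set once a zero result depends on this spill */
};

static void fill_slot(struct slot *s, enum slot_type t)
{
	*s = (struct slot){ 0 };
	for (int i = 0; i < BPF_REG_SIZE; i++)
		s->stype[i] = t;
}

/* Constructed 3-slot stack (byte 0 at the bottom): slot 0 = STACK_ZERO bytes,
 * slot 1 = spilled scalar constant 0, slot 2 = STACK_MISC (unknown) bytes. */
static void build_sample_stack(struct slot *st)
{
	fill_slot(&st[0], STACK_ZERO);
	fill_slot(&st[1], STACK_SPILL);
	st[1].spilled_const = true;	/* spilled_val stays 0 */
	fill_slot(&st[2], STACK_MISC);
}

/* Is a size-byte read at any offset in [min_off, max_off] a known zero? Pre-patch
 * only STACK_ZERO bytes count; with zero_spills a spilled scalar constant 0 counts too. */
static bool var_off_read_is_zero(struct slot *st, int min_off, int max_off,
				 int size, bool zero_spills)
{
	bool zero = true;
	for (int off = min_off; off < max_off + size; off++) {
		struct slot *s = &st[off / BPF_REG_SIZE];
		enum slot_type t = s->stype[off % BPF_REG_SIZE];

		if (t == STACK_ZERO)
			continue;
		if (!zero_spills || t != STACK_SPILL || !s->spilled_const || s->spilled_val)
			zero = false;	/* any other byte makes the result unknown */
		else
			s->precise = true;	/* the zero result depends on this spill's value */
	}
	return zero;
}
```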

Thread overview: 5+ messages
2026-06-13 11:16 [PATCH bpf-next v2 0/2] bpf: Preserve scalar zero spills for var-offset stack reads Woojin Ji
2026-06-13 11:16 ` [PATCH bpf-next v2 1/2] " Woojin Ji
2026-06-13 11:54   ` bot+bpf-ci
2026-06-13 11:16 ` [PATCH bpf-next v2 2/2] selftests/bpf: Cover var-offset stack reads from zero spills Woojin Ji
2026-06-21 15:29 ` Yonghong Song [this message]
