From: Shung-Hsi Yu <shung-hsi.yu@suse.com>
To: Zhenzhong Wu <jt26wzz@gmail.com>
Cc: bpf@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org, ast@kernel.org,
daniel@iogearbox.net, john.fastabend@gmail.com,
andrii@kernel.org, martin.lau@linux.dev, song@kernel.org,
yonghong.song@linux.dev, kpsingh@kernel.org, haoluo@google.com,
jolsa@kernel.org, menglong8.dong@gmail.com, eddyz87@gmail.com,
stable@vger.kernel.org, mykolal@fb.com, tamird@kernel.org,
Hao Sun <sunhao.th@gmail.com>
Subject: Re: [PATCH stable 6.6.y v3 1/4] bpf: Track equal scalars history on per-instruction level
Date: Tue, 16 Jun 2026 13:51:39 +0800 [thread overview]
Message-ID: <ajDiLjjSYPp5p7KF@u94a> (raw)
In-Reply-To: <7f27d335fa6280d5eb04e7b27a7e3d7e7ac1d641.1781194510.git.jt26wzz@gmail.com>
On Mon, Jun 15, 2026 at 12:58:38AM +0800, Zhenzhong Wu wrote:
[...]
> +/* For all R being scalar registers or spilled scalar registers
> + * in verifier state, save R in linked_regs if R->id == id.
> + * If there are too many Rs sharing same id, reset id for leftover Rs.
> + */
> +static void collect_linked_regs(struct bpf_verifier_state *vstate, u32 id,
> + struct linked_regs *linked_regs)
> +{
> + struct bpf_func_state *func;
> struct bpf_reg_state *reg;
> + int i, j;
>
> - bpf_for_each_reg_in_vstate(vstate, state, reg, ({
> - if (reg->type == SCALAR_VALUE && reg->id == known_reg->id) {
> + for (i = vstate->curframe; i >= 0; i--) {
> + func = vstate->frame[i];
> + for (j = 0; j < BPF_REG_FP; j++) {
> + reg = &func->regs[j];
> + __collect_linked_regs(linked_regs, reg, id, i, j, true);
> + }
> + for (j = 0; j < func->allocated_stack / BPF_REG_SIZE; j++) {
> + if (!is_spilled_reg(&func->stack[j]))
> + continue;
> + reg = &func->stack[j].spilled_ptr;
> + __collect_linked_regs(linked_regs, reg, id, i, j, false);
> + }
> + }
> +
> + if (linked_regs->cnt == 1)
> + linked_regs->cnt = 0;
This part seems new, not found on the original commit, and also not in
bpf-next. Can you add some more explaining (in the notes before your
signed-off-by) regarding why this is needed?
> +}
[...]
> @@ -14704,6 +14899,21 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
> return 0;
> }
>
> + /* Push scalar registers sharing same ID to jump history,
> + * do this before creating 'other_branch', so that both
> + * 'this_branch' and 'other_branch' share this history
> + * if parent state is created.
> + */
> + if (BPF_SRC(insn->code) == BPF_X && src_reg->type == SCALAR_VALUE && src_reg->id)
> + collect_linked_regs(this_branch, src_reg->id, &linked_regs);
> + if (dst_reg->type == SCALAR_VALUE && dst_reg->id)
> + collect_linked_regs(this_branch, dst_reg->id, &linked_regs);
> + if (linked_regs.cnt > 0) {
Same here, the original commit and bpf-next has the '> 1' conditional,
where as your has '> 0'. Can you also added some explanation on this
part?
> + err = push_jmp_history(env, this_branch, 0, linked_regs_pack(&linked_regs));
> + if (err)
> + return err;
> + }
> +
...
next prev parent reply other threads:[~2026-06-16 5:51 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-06-14 16:58 [PATCH stable 6.6.y v3 0/4] bpf: linked scalar precision fixes Zhenzhong Wu
2026-06-14 16:58 ` [PATCH stable 6.6.y v3 1/4] bpf: Track equal scalars history on per-instruction level Zhenzhong Wu
2026-06-14 17:10 ` sashiko-bot
2026-06-16 5:51 ` Shung-Hsi Yu [this message]
2026-06-14 16:58 ` [PATCH stable 6.6.y v3 2/4] bpf: Remove mark_precise_scalar_ids() Zhenzhong Wu
2026-06-14 17:11 ` sashiko-bot
2026-06-14 16:58 ` [PATCH stable 6.6.y v3 3/4] selftests/bpf: Tests for per-insn sync_linked_regs() precision tracking Zhenzhong Wu
2026-06-14 17:10 ` sashiko-bot
2026-06-14 16:58 ` [PATCH stable 6.6.y v3 4/4] selftests/bpf: Update comments find_equal_scalars->sync_linked_regs Zhenzhong Wu
2026-06-15 14:02 ` [PATCH stable 6.6.y v3 0/4] bpf: linked scalar precision fixes Sasha Levin
2026-06-15 22:51 ` Paul Chaignon
2026-06-16 5:22 ` Shung-Hsi Yu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ajDiLjjSYPp5p7KF@u94a \
--to=shung-hsi.yu@suse.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=haoluo@google.com \
--cc=john.fastabend@gmail.com \
--cc=jolsa@kernel.org \
--cc=jt26wzz@gmail.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=martin.lau@linux.dev \
--cc=menglong8.dong@gmail.com \
--cc=mykolal@fb.com \
--cc=netdev@vger.kernel.org \
--cc=song@kernel.org \
--cc=stable@vger.kernel.org \
--cc=sunhao.th@gmail.com \
--cc=tamird@kernel.org \
--cc=yonghong.song@linux.dev \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.