From: Paul Chaignon <paul.chaignon@gmail.com>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Shung-Hsi Yu <shung-hsi.yu@suse.com>,
	Daniel Borkmann <daniel@iogearbox.net>,
	Alexei Starovoitov <ast@kernel.org>,
	Eduard Zingerman <eddyz87@gmail.com>,
	Andrii Nakryiko <andrii@kernel.org>, Tao Lyu <tao.lyu@epfl.ch>,
	Levi Zim <rsworktech@outlook.com>
Subject: [PATCH 6.6.y 00/10] bpf: fix precision backtracking instruction iteration
Date: Mon, 11 May 2026 18:21:22 +0200
Message-ID: <cover.1778516196.git.paul.chaignon@gmail.com>

The first patch in this patchset was already backported before, as
commit ecc2aeeaa08a, to address CVE-2023-52920 [1]. That backport was
however later reverted in commit 199f04528737 because it reduced the
efficiency of the BPF verifier, to the point that it rejected some
previously-accepted programs.

This patchset backports commit 41f6f64e6999 ("bpf: support non-r10
register spill/fill to/from stack in precision tracking") again, but
this time with the subsequent commits that improved the efficiency of
the verifier. In addition, the last two commits fix and test a
regression that was later found in commit 41f6f64e6999.

It took us a while with Shung-Hsi to come back to this because we felt
we didn't have enough test coverage to backport this. That changed with
the stable BPF CI Shung-Hsi built for v6.6, which successfully
validated this patchset [2]. In addition, I tested the impact of this
patchset on the verifier's efficiency with Cilium's BPF programs [3]:
it significantly improves, reducing the number of instructions the
verifier has to analyze by up to 87% in some cases!

1: https://lore.kernel.org/linux-cve-announce/2024110518-CVE-2023-52920-17f6@gregkh/
2: https://github.com/pchaigno/stable-bpf-ci/actions/runs/25671397661/job/75357317078
3: https://pchaigno.github.io/test-verifier-complexity.html

Andrii Nakryiko (10):
  bpf: support non-r10 register spill/fill to/from stack in precision
    tracking
  selftests/bpf: add stack access precision test
  bpf: preserve STACK_ZERO slots on partial reg spills
  selftests/bpf: validate STACK_ZERO is preserved on subreg spill
  bpf: preserve constant zero when doing partial register restore
  selftests/bpf: validate zero preservation for sub-slot loads
  bpf: track aligned STACK_ZERO cases as imprecise spilled registers
  selftests/bpf: validate precision logic in
    partial_stack_load_preserves_zeros
  bpf: handle fake register spill to stack with BPF_ST_MEM instruction
  selftests/bpf: validate fake register spill/fill precision
    backtracking logic

 include/linux/bpf_verifier.h                  |  31 +-
 kernel/bpf/verifier.c                         | 233 +++++++++------
 .../selftests/bpf/progs/verifier_spill_fill.c | 281 ++++++++++++++++++
 .../bpf/progs/verifier_subprog_precision.c    |  87 +++++-
 .../testing/selftests/bpf/verifier/precise.c  |  38 ++-
 5 files changed, 557 insertions(+), 113 deletions(-)

-- 
2.43.0

