From: Yonghong Song <yonghong.song@linux.dev>
To: sashiko@lists.linux.dev
Cc: bpf@vger.kernel.org
Subject: Re: [PATCH bpf-next v6 05/17] bpf: Introduce bpf register BPF_REG_PARAMS
Date: Sun, 19 Apr 2026 11:14:56 -0700
Message-ID: <f6c12a4b-8ffb-4f13-933a-7fa550e94d49@linux.dev>
In-Reply-To: <20260419170630.D877EC2BCAF@smtp.kernel.org>



On 4/19/26 10:06 AM, sashiko-bot@kernel.org wrote:
> Sashiko AI review found 1 potential issue(s):
> - [Critical] Unvalidated BPF_REG_PARAMS instructions cause silent register aliasing and arbitrary kernel memory corruption on architectures lacking stack argument support.
> --
>
> commit 9b78142c31c81cff58a84123ee2833f9b935c211
> Author: Yonghong Song <yonghong.song@linux.dev>
>
> bpf: Introduce bpf register BPF_REG_PARAMS
>
> This commit introduces BPF_REG_PARAMS as a dedicated BPF register for stack
> argument accesses, occupying BPF register number 11 (R11). It shifts the
> kernel-internal hidden register BPF_REG_AX to slot 12.
>
>> diff --git a/include/linux/filter.h b/include/linux/filter.h
>> index 1ec6d5ba64cc4..b77d0b06db6eb 100644
>> --- a/include/linux/filter.h
>> +++ b/include/linux/filter.h
>> @@ -58,8 +58,9 @@ struct ctl_table_header;
>>   #define BPF_REG_H	BPF_REG_9	/* hlen, callee-saved */
>>   
>>   /* Kernel hidden auxiliary/helper register. */
>> -#define BPF_REG_AX		MAX_BPF_REG
>> -#define MAX_BPF_EXT_REG		(MAX_BPF_REG + 1)
>> +#define BPF_REG_PARAMS		MAX_BPF_REG
> Does the introduction of BPF_REG_PARAMS without JIT-support validation allow
> architectures lacking stack argument support (like ARM64, RISC-V, s390x) to
> inadvertently use uninitialized JIT register mappings?

See patch 'bpf: Enable r11 based insns'. r11 based insns will be
rejected earlier in check_and_resolve_insns(). And before this patch,
bpf function support is done, jit support is disabled,
so we are fine.

>
> If the verifier doesn't gate BPF_REG_PARAMS usage behind a check like
> bpf_jit_supports_stack_args(), could a crafted program trigger silent
> register aliasing?

This is not an issue. All potential r11 related issues are resolved
(as far as I know) before "bpf: Enable r11 based insns".

>
> For example, if a program sets BPF_REG_1 to an arbitrary kernel address and
> executes BPF_STX_MEM(BPF_DW, BPF_REG_PARAMS, BPF_REG_2, -8), the verifier may
> allow it as a safe outgoing stack argument write. When the ARM64 JIT compiles
> the instruction, it looks up index 11. If that index is uninitialized and
> defaults to 0, it would emit a store using x0 (which is BPF_REG_1) as the
> base pointer (e.g., STR x1, [x0, #-8]).
>
> Could this write an arbitrary value into a controlled kernel address and
> bypass verifier memory safety guarantees?
>
>> +#define BPF_REG_AX		(MAX_BPF_REG + 1)
>> +#define MAX_BPF_EXT_REG		(MAX_BPF_REG + 2)
>>   #define MAX_BPF_JIT_REG		MAX_BPF_EXT_REG
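Review bot: the changelog should state that r11 is not yet usable after this patch, because the hunk changes every table sized by MAX_BPF_JIT_REG: `+#define BPF_REG_PARAMS MAX_BPF_REG` adds slot 11 and `+#define BPF_REG_AX (MAX_BPF_REG + 1)` moves AX from 11 to 12, so a per-arch register table that omits slot 11 or still places AX positionally carries a default or stale value there. The author's reply in this thread says r11-based instructions are rejected in check_and_resolve_insns() until 'bpf: Enable r11 based insns'; naming that dependency in the commit message, and confirming that each arch JIT refers to BPF_REG_AX by macro rather than by its old slot number, would let a reviewer check the intermediate state from this patch alone.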


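As an added illustration of the aliasing concern discussed above (not code from the patch series or from any arch JIT), here is a constructed model of a JIT register table indexed by BPF register number; the host register numbers are made up, and find_alias() and jit_reg_ok() are hypothetical checks a JIT could run at build or verification time.

```c
/* Constructed model of a per-arch BPF JIT register table after this series
 * adds BPF_REG_PARAMS at slot 11 and moves BPF_REG_AX to slot 12. Host
 * register numbers below are invented for illustration. */
#include <stdio.h>
#include <stdbool.h>

#define MAX_BPF_REG      11
#define BPF_REG_PARAMS   MAX_BPF_REG          /* r11 */
#define BPF_REG_AX       (MAX_BPF_REG + 1)    /* r12 after the patch */
#define MAX_BPF_EXT_REG  (MAX_BPF_REG + 2)
#define MAX_BPF_JIT_REG  MAX_BPF_EXT_REG

#define HOST_UNSET  (-1)   /* explicit "no host mapping" sentinel */

/* Table with slot 11 forgotten: a designated initializer leaves it 0, which
 * is a real host register here (the one BPF_REG_1 uses), so r11 silently
 * aliases r1 and a store via r11 becomes a store via r1's host register. */
static const int map_before[MAX_BPF_JIT_REG] = {
	[0] = 7, [1] = 0, [2] = 1, [3] = 2, [4] = 3, [5] = 4,
	[6] = 19, [7] = 20, [8] = 21, [9] = 22, [10] = 25,
	/* slot 11 (BPF_REG_PARAMS) intentionally missing */
	[BPF_REG_AX] = 9,
};

/* Same table with slot 11 marked explicitly unsupported. */
static const int map_fixed[MAX_BPF_JIT_REG] = {
	[0] = 7, [1] = 0, [2] = 1, [3] = 2, [4] = 3, [5] = 4,
	[6] = 19, [7] = 20, [8] = 21, [9] = 22, [10] = 25,
	[BPF_REG_PARAMS] = HOST_UNSET,
	[BPF_REG_AX] = 9,
};

/* First pair of BPF registers sharing a host register, encoded a*100+b,
 * or -1 when no two mapped slots alias. HOST_UNSET never aliases. */
static int find_alias(const int *map)
{
	for (int a = 0; a < MAX_BPF_JIT_REG; a++)
		for (int b = a + 1; b < MAX_BPF_JIT_REG; b++)
			if (map[a] != HOST_UNSET && map[a] == map[b])
				return a * 100 + b;
	return -1;
}

/* A JIT should refuse a register with no host mapping instead of emitting
 * code with whatever the slot happens to hold. */
static bool jit_reg_ok(const int *map, int bpf_reg)
{
	return bpf_reg >= 0 && bpf_reg < MAX_BPF_JIT_REG &&
	       map[bpf_reg] != HOST_UNSET;
}

int main(void)
{
	printf("before: alias pair %d (r1 vs r11)\n", find_alias(map_before));
	printf("fixed: alias pair %d, r11 accepted %d\n",
	       find_alias(map_fixed), jit_reg_ok(map_fixed, BPF_REG_PARAMS));
	return 0;
}
```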
