From: Yonghong Song <yonghong.song@linux.dev>
To: bot+bpf-ci@kernel.org, bpf@vger.kernel.org
Cc: ast@kernel.org, andrii@kernel.org, daniel@iogearbox.net,
jose.marchesi@oracle.com, kernel-team@fb.com,
martin.lau@kernel.org, eddyz87@gmail.com, clm@meta.com,
ihor.solodrai@linux.dev
Subject: Re: [PATCH bpf-next v3 05/24] bpf: Support stack arguments for bpf functions
Date: Mon, 11 May 2026 08:46:13 -0700 [thread overview]
Message-ID: <1718e913-d51d-4e81-9106-c39c88e9e160@linux.dev> (raw)
In-Reply-To: <1bb0dfc54cc2dbe6a38c21af2717f1b575ba60ba66a763952f38ada03a65bf85@mail.kernel.org>
On 5/11/26 8:19 AM, bot+bpf-ci@kernel.org wrote:
>> diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
>> index 321b9d69cf9c..f9020a4ea005 100644
>> --- a/include/linux/bpf_verifier.h
>> +++ b/include/linux/bpf_verifier.h
>> @@ -402,6 +402,7 @@ struct bpf_func_state {
>> bool in_callback_fn;
>> bool in_async_callback_fn;
>> bool in_exception_callback_fn;
>> + bool no_stack_arg_load;
> [ ... ]
>
>> diff --git a/kernel/bpf/states.c b/kernel/bpf/states.c
>> index bd9c22945050..c249eb40c6d6 100644
>> --- a/kernel/bpf/states.c
>> +++ b/kernel/bpf/states.c
>> @@ -833,6 +833,32 @@ static bool stacksafe(struct bpf_verifier_env *env, struct bpf_func_state *old,
>> return true;
>> }
>>
>> +/*
>> + * Compare stack arg slots between old and current states.
>> + * Outgoing stack args are path-local state and must agree for pruning.
>> + */
>> +static bool stack_arg_safe(struct bpf_verifier_env *env, struct bpf_func_state *old,
>> + struct bpf_func_state *cur, struct bpf_idmap *idmap,
>> + enum exact_level exact)
>> +{
>> + int i, nslots;
>> +
>> + nslots = max(old->out_stack_arg_cnt, cur->out_stack_arg_cnt);
>> + for (i = 0; i < nslots; i++) {
>> + struct bpf_reg_state *old_arg, *cur_arg;
>> + struct bpf_reg_state not_init = { .type = NOT_INIT };
>> +
>> + old_arg = i < old->out_stack_arg_cnt ?
>> + &old->stack_arg_regs[i] : ¬_init;
>> + cur_arg = i < cur->out_stack_arg_cnt ?
>> + &cur->stack_arg_regs[i] : ¬_init;
>> + if (!regsafe(env, old_arg, cur_arg, idmap, exact))
>> + return false;
>> + }
>> +
>> + return true;
>> +}
>> +
>> static bool refsafe(struct bpf_verifier_state *old, struct bpf_verifier_state *cur,
>> struct bpf_idmap *idmap)
>> {
>> @@ -924,6 +950,9 @@ static bool func_states_equal(struct bpf_verifier_env *env, struct bpf_func_stat
>> if (!stacksafe(env, old, cur, &env->idmap_scratch, exact))
>> return false;
>>
>> + if (!stack_arg_safe(env, old, cur, &env->idmap_scratch, exact))
>> + return false;
>> +
>> return true;
>> }
> In v2 (May 7), bot+bpf-ci@kernel.org raised a concern that
> no_stack_arg_load is not compared during state pruning in
> func_states_equal():
>
> "The same issue applies to state pruning: func_states_equal/
> stack_arg_safe does not compare no_stack_arg_load either, so a
> state with no_stack_arg_load=true can be pruned to an old state
> with no_stack_arg_load=false incorrectly. Should no_stack_arg_load
> be placed before stack (to be memcpy'd) or should copy_stack_state()
> explicitly assign it?"
>
> The field placement was fixed (moving no_stack_arg_load before 'stack'
> so it gets copied by memcpy), but func_states_equal() still does not
> explicitly compare this field.
>
> Could this allow incorrect pruning? If a BPF program writes to stack
> args and calls a function on one path (setting no_stack_arg_load=true),
> then branches and tries to read from stack args on another path, the
> verifier might incorrectly prune to the old state with
> no_stack_arg_load=false, missing the enforcement that stack arg reads
> must happen before writes/calls.
>
> Looking at func_states_equal():
>
> kernel/bpf/states.c:func_states_equal() {
> if (!stacksafe(env, old, cur, &env->idmap_scratch, exact))
> return false;
>
> if (!stack_arg_safe(env, old, cur, &env->idmap_scratch, exact))
> return false;
>
> return true;
> }
>
> Should no_stack_arg_load be compared here, similar to how other boolean
> flags in bpf_func_state are handled during state comparison?
You are right. The following is an example:
/* subprog with incoming stack arg */
r1 = *(r11+8); /* read incoming arg, no_stack_arg_load = false */
if cond goto path2;
path1:
call some_helper; /* sets no_stack_arg_load = true */
goto join;
path2:
/* no call, no_stack_arg_load = false */
goto join;
join:
r2 = *(r11+8); /* read incoming arg again */
In the above case, at 'join' point, we have no_stack_arg_load = true and false
respectively. In this case, we cannot do pruning.
Will fix.
>
> Reference: https://lore.kernel.org/bpf/11c51daec78a68837f719172ae1c21db8b3e98e0a76aa5bcd59c8b089760c40d@mail.kernel.org/
>
>
> ---
> AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
> See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md
>
> CI run summary: https://github.com/kernel-patches/bpf/actions/runs/25652623893
next prev parent reply other threads:[~2026-05-11 15:46 UTC|newest]
Thread overview: 49+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-11 5:33 [PATCH bpf-next v3 00/24] bpf: Support stack arguments for BPF functions and kfuncs Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 01/24] bpf: Convert bpf_get_spilled_reg macro to static inline function Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 02/24] bpf: Remove copy_register_state wrapper function Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 03/24] bpf: Add helper functions for r11-based stack argument insns Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 04/24] bpf: Set sub->arg_cnt earlier in btf_prepare_func_args() Yonghong Song
2026-05-11 6:19 ` bot+bpf-ci
2026-05-11 16:29 ` Yonghong Song
2026-05-11 17:18 ` Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 05/24] bpf: Support stack arguments for bpf functions Yonghong Song
2026-05-11 6:19 ` bot+bpf-ci
2026-05-11 15:46 ` Yonghong Song [this message]
2026-05-11 16:05 ` Alexei Starovoitov
2026-05-11 16:21 ` Yonghong Song
2026-05-12 4:17 ` Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 06/24] bpf: Refactor jmp history to use dedicated spi/frame fields Yonghong Song
2026-05-11 16:17 ` Alexei Starovoitov
2026-05-11 16:33 ` Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 07/24] bpf: Add precision marking and backtracking for stack argument slots Yonghong Song
2026-05-11 6:19 ` bot+bpf-ci
2026-05-11 5:33 ` [PATCH bpf-next v3 08/24] bpf: Refactor record_call_access() to extract per-arg logic Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 09/24] bpf: Extend liveness analysis to track stack argument slots Yonghong Song
2026-05-11 6:19 ` bot+bpf-ci
2026-05-11 16:35 ` Yonghong Song
2026-05-11 16:34 ` Alexei Starovoitov
2026-05-11 16:40 ` Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 10/24] bpf: Reject stack arguments in non-JITed programs Yonghong Song
2026-05-11 6:19 ` bot+bpf-ci
2026-05-11 16:42 ` Yonghong Song
2026-05-11 5:33 ` [PATCH bpf-next v3 11/24] bpf: Prepare architecture JIT support for stack arguments Yonghong Song
2026-05-11 5:34 ` [PATCH bpf-next v3 12/24] bpf: Enable r11 based insns Yonghong Song
2026-05-11 5:34 ` [PATCH bpf-next v3 13/24] bpf: Support stack arguments for kfunc calls Yonghong Song
2026-05-11 5:34 ` [PATCH bpf-next v3 14/24] bpf: Reject stack arguments if tail call reachable Yonghong Song
2026-05-11 6:19 ` bot+bpf-ci
2026-05-11 5:34 ` [PATCH bpf-next v3 15/24] bpf: Pass bpf_subprog_info to bpf_int_jit_compile() Yonghong Song
2026-05-11 16:38 ` Alexei Starovoitov
2026-05-11 16:47 ` Yonghong Song
2026-05-11 5:34 ` [PATCH bpf-next v3 16/24] bpf,x86: Implement JIT support for stack arguments Yonghong Song
2026-05-11 16:39 ` Alexei Starovoitov
2026-05-11 16:47 ` Yonghong Song
2026-05-11 5:34 ` [PATCH bpf-next v3 17/24] selftests/bpf: Add tests for BPF function " Yonghong Song
2026-05-11 5:34 ` [PATCH bpf-next v3 18/24] selftests/bpf: Add tests for stack argument validation Yonghong Song
2026-05-11 5:34 ` [PATCH bpf-next v3 19/24] selftests/bpf: Add BTF fixup for __naked subprog parameter names Yonghong Song
2026-05-11 5:34 ` [PATCH bpf-next v3 20/24] selftests/bpf: Add verifier tests for stack argument validation Yonghong Song
2026-05-11 6:19 ` bot+bpf-ci
2026-05-11 16:49 ` Yonghong Song
2026-05-11 5:34 ` [PATCH bpf-next v3 21/24] selftests/bpf: Add precision backtracking test for stack arguments Yonghong Song
2026-05-11 5:35 ` [PATCH bpf-next v3 22/24] bpf, arm64: Map BPF_REG_0 to x8 instead of x7 Yonghong Song
2026-05-11 5:35 ` [PATCH bpf-next v3 23/24] bpf, arm64: Add JIT support for stack arguments Yonghong Song
2026-05-11 5:35 ` [PATCH bpf-next v3 24/24] selftests/bpf: Enable stack argument tests for arm64 Yonghong Song
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1718e913-d51d-4e81-9106-c39c88e9e160@linux.dev \
--to=yonghong.song@linux.dev \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bot+bpf-ci@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=clm@meta.com \
--cc=daniel@iogearbox.net \
--cc=eddyz87@gmail.com \
--cc=ihor.solodrai@linux.dev \
--cc=jose.marchesi@oracle.com \
--cc=kernel-team@fb.com \
--cc=martin.lau@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox