[PATCH bpf-next 0/3] bpf: Improve linked register tracking

[Puranjay Mohan <puranjay@kernel.org>]

This series extends the BPF verifier's linked register tracking to handle
negative offsets and BPF_SUB operations, enabling better bounds propagation for
common arithmetic patterns.

The verifier previously only tracked positive constant deltas between linked
registers using BPF_ADD. This meant patterns using negative offsets or
subtraction couldn't benefit from bounds propagation:

  r1 = r0
  r1 += -4
  if r1 s>= 0 goto ...   // r1 >= 0 implies r0 >= 4
  // verifier couldn't propagate bounds back to r0

Patch 1 extends scalar_min_max_add() to:
  - Accept BPF_SUB in addition to BPF_ADD (treating r1 -= 4 as r1 += -4)
  - Change the overflow check to properly validate s32 range
  - Add a guard against S32_MIN negation overflow
  - Retain the !alu32 restriction due to known issues with 32-bit ALU upper bits

Patches 2-3 update the selftests:
  - Patch 2 adds comprehensive tests covering success cases (negative offsets,
    BPF_SUB), failure cases (32-bit ALU, double ADD), and large delta edge cases
    (S32_MIN/S32_MAX offsets)
  - Patch 3 updates an existing test's expected output to reflect the new
    tracking behavior

Puranjay Mohan (3):
  bpf: Support negative offsets and BPF_SUB for linked register tracking
  selftests/bpf: Add tests for linked register tracking with negative
    offsets
  selftests/bpf: Update expected output for sub64_partial_overflow test

 kernel/bpf/verifier.c                         |  26 ++-
 .../selftests/bpf/progs/verifier_bounds.c     |   2 +-
 .../bpf/progs/verifier_linked_scalars.c       | 213 ++++++++++++++++++
 3 files changed, 233 insertions(+), 8 deletions(-)


base-commit: 2175ccfb93fd91d0ece74684eb7ab9443de806ec
-- 
2.47.3