From: Yonghong Song
To: bpf@vger.kernel.org
Cc: Alexei Starovoitov, Andrii Nakryiko, Daniel Borkmann, "Jose E . Marchesi", kernel-team@fb.com, Martin KaFai Lau
Subject: [PATCH bpf-next 07/18] bpf: Enable r11 based insns
Date: Fri, 24 Apr 2026 10:15:09 -0700
Message-ID: <20260424171509.2041667-1-yonghong.song@linux.dev>
X-Mailer: git-send-email 2.52.0
In-Reply-To: <20260424171433.2034470-1-yonghong.song@linux.dev>
References: <20260424171433.2034470-1-yonghong.song@linux.dev>
Precedence: bulk
X-Mailing-List: bpf@vger.kernel.org
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

BPF_REG_PARAMS (r11) is used for stack argument accesses and the
following are the only insns with r11 presence:
- BPF_LDX | BPF_MEM | BPF_DW (load incoming stack arg)
- BPF_STX | BPF_MEM | BPF_DW (store register to outgoing stack arg)
- BPF_ST | BPF_MEM | BPF_DW (store immediate to outgoing stack arg)

Additionally, validate offsets: loads must use positive 8-byte aligned
offsets (8, 16, ...) since they access incoming args. Stores must use
negative 8-byte aligned offsets (-8, -16, ...) since they write
outgoing args.

The LLVM compiler [1] implemented the above BPF_REG_PARAMS insns.

[1] https://github.com/llvm/llvm-project/pull/189060

Signed-off-by: Yonghong Song
---
 kernel/bpf/verifier.c | 29 +++++++++++++++++++++++++----
 1 file changed, 25 insertions(+), 4 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 0ba140dabe93..6994536b4e04 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18678,13 +18678,34 @@ static int check_and_resolve_insns(struct bpf_v= erifier_env *env) return err; =20 for (i =3D 0; i < insn_cnt; i++, insn++) { + u8 class =3D BPF_CLASS(insn->code); + u8 mode =3D BPF_MODE(insn->code); + u8 size =3D BPF_SIZE(insn->code); + if (insn->dst_reg >=3D MAX_BPF_REG) { - verbose(env, "R%d is invalid\n", insn->dst_reg); - return -EINVAL; + if (insn->dst_reg !=3D BPF_REG_PARAMS || + (class !=3D BPF_ST && class !=3D BPF_STX) || + mode !=3D BPF_MEM || size !=3D BPF_DW) { + verbose(env, "R%d is invalid\n", insn->dst_reg); + return -EINVAL; + } + if (insn->off >=3D 0 || insn->off % BPF_REG_SIZE) { + verbose(env, "invalid stack arg store offset %d\n", + insn->off); + return -EINVAL; + } } if (insn->src_reg >=3D MAX_BPF_REG) { - verbose(env, "R%d is invalid\n", insn->src_reg); - return -EINVAL; + if (insn->src_reg !=3D BPF_REG_PARAMS || + insn->code !=3D (BPF_LDX | BPF_MEM | BPF_DW)) { + verbose(env, "R%d is invalid\n", insn->src_reg); + return -EINVAL; + } + if (insn->off <=3D 0 || insn->off % BPF_REG_SIZE) { + verbose(env, "invalid stack arg load offset %d\n", + insn->off); + return -EINVAL; + } } if (insn[0].code =3D=3D (BPF_LD | BPF_IMM | BPF_DW)) { struct bpf_insn_aux_data *aux; --=20 2.52.0
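
Review bot: Both new offset checks in check_and_resolve_insns() (`insn->off >= 0 || insn->off % BPF_REG_SIZE` on the dst_reg path, `insn->off <= 0 || insn->off % BPF_REG_SIZE` on the src_reg path) constrain only the sign and the 8-byte alignment of the offset, so nothing in this hunk bounds how far from r11 a load or store may reach. If the maximum number of stack arguments is known at this point, add the magnitude bound here; otherwise add a short comment above these checks naming the later pass that rejects out-of-range stack arg offsets, so this function is not read as the complete validation. A smaller style point: the dst_reg branch decomposes the opcode into `class`, `mode` and `size`, while the src_reg branch compares `insn->code` against `(BPF_LDX | BPF_MEM | BPF_DW)` directly. Comparing `insn->code` against the two permitted store opcodes in the dst_reg branch would make the two branches symmetric and remove three locals that are computed for every instruction but used only when `dst_reg >= MAX_BPF_REG`. Disallowed uses of r11 are still reported with the generic "R%d is invalid" text; a message saying that r11 is restricted to the three stack arg forms would be easier to act on when reading the verifier log.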