From: Amery Hung <ameryhung@gmail.com>
To: bpf@vger.kernel.org
Cc: netdev@vger.kernel.org, alexei.starovoitov@gmail.com,
andrii@kernel.org, daniel@iogearbox.net, eddyz87@gmail.com,
memxor@gmail.com, martin.lau@kernel.org,
mykyta.yatsenko5@gmail.com, ameryhung@gmail.com,
kernel-team@meta.com
Subject: [PATCH bpf-next v6 01/13] bpf: Simplify mark_stack_slot_obj_read() and callers
Date: Thu, 28 May 2026 18:49:24 -0700 [thread overview]
Message-ID: <20260529014936.2811085-2-ameryhung@gmail.com> (raw)
In-Reply-To: <20260529014936.2811085-1-ameryhung@gmail.com>
Rename mark_stack_slot_obj_read() as mark_stack_slots_scratched() and
directly call it from functions processing iter, dynptr and irq_flag.
Commit 6762e3a0bce5 ("bpf: simplify liveness to use (callsite, depth)
keyed func_instances") has removed the dynamic liveness component in
mark_stack_slot_obj_read(). The function effectively only marks stack
slots as scratched and always succeeds. Therefore, return void, drop the
unused bpf_reg_state argument and rename it to
mark_stack_slots_scratched() to reflect what it does now.
In addition, to prepare for unifying dynptr handling, dynptr_get_spi()
will be moved out of mark_dynptr_read(). As mark_dynptr_read() would join
mark_iter_read() as a thin wrapper of mark_stack_slots_scratched(), just
open code these helpers.
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Amery Hung <ameryhung@gmail.com>
---
kernel/bpf/verifier.c | 69 +++++++++++++------------------------------
1 file changed, 21 insertions(+), 48 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index c8d980fdd709..cddbdb4f78aa 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -3006,50 +3006,13 @@ static int sort_subprogs_topo(struct bpf_verifier_env *env)
return ret;
}
-static int mark_stack_slot_obj_read(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
- int spi, int nr_slots)
+static void mark_stack_slots_scratched(struct bpf_verifier_env *env,
+ int spi, int nr_slots)
{
int i;
for (i = 0; i < nr_slots; i++)
mark_stack_slot_scratched(env, spi - i);
- return 0;
-}
-
-static int mark_dynptr_read(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
-{
- int spi;
-
- /* For CONST_PTR_TO_DYNPTR, it must have already been done by
- * check_reg_arg in check_helper_call and mark_btf_func_reg_size in
- * check_kfunc_call.
- */
- if (reg->type == CONST_PTR_TO_DYNPTR)
- return 0;
- spi = dynptr_get_spi(env, reg);
- if (spi < 0)
- return spi;
- /* Caller ensures dynptr is valid and initialized, which means spi is in
- * bounds and spi is the first dynptr slot. Simply mark stack slot as
- * read.
- */
- return mark_stack_slot_obj_read(env, reg, spi, BPF_DYNPTR_NR_SLOTS);
-}
-
-static int mark_iter_read(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
- int spi, int nr_slots)
-{
- return mark_stack_slot_obj_read(env, reg, spi, nr_slots);
-}
-
-static int mark_irq_flag_read(struct bpf_verifier_env *env, struct bpf_reg_state *reg)
-{
- int spi;
-
- spi = irq_flag_get_spi(env, reg);
- if (spi < 0)
- return spi;
- return mark_stack_slot_obj_read(env, reg, spi, 1);
}
/* This function is supposed to be used by the following 32-bit optimization
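Review bot: mark_stack_slots_scratched() has no comment stating its caller contract, and the deleted mark_dynptr_read() held the only statement that spi is in bounds and is the first slot of the object. The loop walks `spi - i` downward, so a caller passing nr_slots larger than spi + 1 would hand a negative index to mark_stack_slot_scratched(), whose handling of that is not visible in this patch. I would add above the function: `/* Mark slots spi, spi - 1, ..., spi - nr_slots + 1 as scratched; callers must have validated the whole range via the *_get_spi() helpers. */`. The call sites in process_dynptr_func(), process_iter_arg() and process_irq_flag() each check `spi < 0` before calling, but whether those helpers also bound the lower slots cannot be confirmed from the hunks shown.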
@@ -7255,7 +7218,7 @@ static int process_kptr_func(struct bpf_verifier_env *env, int regno,
static int process_dynptr_func(struct bpf_verifier_env *env, struct bpf_reg_state *reg, argno_t argno, int insn_idx,
enum bpf_arg_type arg_type, int clone_ref_obj_id)
{
- int err;
+ int spi, err = 0;
if (reg->type != PTR_TO_STACK && reg->type != CONST_PTR_TO_DYNPTR) {
verbose(env,
@@ -7317,7 +7280,17 @@ static int process_dynptr_func(struct bpf_verifier_env *env, struct bpf_reg_stat
return -EINVAL;
}
- err = mark_dynptr_read(env, reg);
+ if (reg->type != CONST_PTR_TO_DYNPTR) {
+ spi = dynptr_get_spi(env, reg);
+ if (spi < 0)
+ return spi;
+
+ /*
+ * For CONST_PTR_TO_DYNPTR, reg is already scratched by check_reg_arg
+ * in check_helper_call and mark_btf_func_reg_size in check_kfunc_call.
+ */
+ mark_stack_slots_scratched(env, spi, BPF_DYNPTR_NR_SLOTS);
+ }
}
return err;
}
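Review bot: The comment about CONST_PTR_TO_DYNPTR now sits inside the `if (reg->type != CONST_PTR_TO_DYNPTR)` body, directly above the call it does not apply to, so it reads as if it described the scratch call. It would be clearer above the condition, worded as the reason for the skip: `/* CONST_PTR_TO_DYNPTR is skipped: reg is already scratched by check_reg_arg in check_helper_call and mark_btf_func_reg_size in check_kfunc_call. */`. The old note that the caller guarantees a valid, initialized dynptr (so spi is the first of BPF_DYNPTR_NR_SLOTS in-bounds slots) was dropped with mark_dynptr_read() and is worth keeping next to the call. The new `return spi;` is also the only exit in this branch that bypasses `err`, which is harmless but differs from the surrounding `return err;` pattern; process_dynptr_func() starts outside this hunk.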
@@ -7427,9 +7400,7 @@ static int process_iter_arg(struct bpf_verifier_env *env, struct bpf_reg_state *
if (spi < 0)
return spi;
- err = mark_iter_read(env, reg, spi, nr_slots);
- if (err)
- return err;
+ mark_stack_slots_scratched(env, spi, nr_slots);
/* remember meta->iter info for process_iter_next_call() */
meta->iter.spi = spi;
@@ -11393,7 +11364,7 @@ static int process_kf_arg_ptr_to_btf_id(struct bpf_verifier_env *env,
static int process_irq_flag(struct bpf_verifier_env *env, struct bpf_reg_state *reg, argno_t argno,
struct bpf_kfunc_call_arg_meta *meta)
{
- int err, kfunc_class = IRQ_NATIVE_KFUNC;
+ int err, spi, kfunc_class = IRQ_NATIVE_KFUNC;
bool irq_save;
if (meta->func_id == special_kfunc_list[KF_bpf_local_irq_save] ||
@@ -11434,9 +11405,11 @@ static int process_irq_flag(struct bpf_verifier_env *env, struct bpf_reg_state *
return err;
}
- err = mark_irq_flag_read(env, reg);
- if (err)
- return err;
+ spi = irq_flag_get_spi(env, reg);
+ if (spi < 0)
+ return spi;
+
+ mark_stack_slots_scratched(env, spi, 1);
err = unmark_stack_slot_irq_flag(env, reg, kfunc_class);
if (err)
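Review bot: `mark_stack_slots_scratched(env, spi, 1);` passes a bare literal for the slot count, while the dynptr call site uses the named BPF_DYNPTR_NR_SLOTS. For a single slot the singular helper already used in the loop would say the same thing more directly: `mark_stack_slot_scratched(env, spi);`. If the plural form is kept for symmetry with the other callers, a short comment such as `/* an irq flag occupies one stack slot */` would explain the 1. The body of process_irq_flag() continues past the end of this hunk.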
--
2.53.0-Meta