[PATCH stable 6.12 1/1] selftests/bpf: Add tests with stack ptr register in conditional jmp

[PATCH stable 6.12 1/1] selftests/bpf: Add tests with stack ptr register in conditional jmp

[Shung-Hsi Yu]

From: Yonghong Song <yonghong.song@linux.dev>

Commit 5ffb537e416ee22dbfb3d552102e50da33fec7f6 upstream.

Add two tests:
  - one test has 'rX <op> r10' where rX is not r10, and
  - another test has 'rX <op> rY' where rX and rY are not r10
    but there is an early insn 'rX = r10'.

Without previous verifier change, both tests will fail.

Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/20250524041340.4046304-1-yonghong.song@linux.dev
[ shung-hsi.yu: contains additional hunks for kernel/bpf/verifier.c that
  should be part of the previous patch in the series, commit
  e2d2115e56c4 "bpf: Do not include stack ptr register in precision
  backtracking bookkeeping", which was incorporated since v6.12.37. ]
Link: https://lore.kernel.org/all/9b41f9f5-396f-47e0-9a12-46c52087df6c@linux.dev/
Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
---
 kernel/bpf/verifier.c                         |  7 ++-
 .../selftests/bpf/progs/verifier_precision.c  | 53 +++++++++++++++++++
 2 files changed, 58 insertions(+), 2 deletions(-)

diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index f01477cecf39..531412c5103d 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -15480,6 +15480,8 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
 
 		if (src_reg->type == PTR_TO_STACK)
 			insn_flags |= INSN_F_SRC_REG_STACK;
+		if (dst_reg->type == PTR_TO_STACK)
+			insn_flags |= INSN_F_DST_REG_STACK;
 	} else {
 		if (insn->src_reg != BPF_REG_0) {
 			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
@@ -15489,10 +15491,11 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
 		memset(src_reg, 0, sizeof(*src_reg));
 		src_reg->type = SCALAR_VALUE;
 		__mark_reg_known(src_reg, insn->imm);
+
+		if (dst_reg->type == PTR_TO_STACK)
+			insn_flags |= INSN_F_DST_REG_STACK;
 	}
 
-	if (dst_reg->type == PTR_TO_STACK)
-		insn_flags |= INSN_F_DST_REG_STACK;
 	if (insn_flags) {
 		err = push_insn_history(env, this_branch, insn_flags, 0);
 		if (err)
diff --git a/tools/testing/selftests/bpf/progs/verifier_precision.c b/tools/testing/selftests/bpf/progs/verifier_precision.c
index 6b564d4c0986..051d1962a4c7 100644
--- a/tools/testing/selftests/bpf/progs/verifier_precision.c
+++ b/tools/testing/selftests/bpf/progs/verifier_precision.c
@@ -130,4 +130,57 @@ __naked int state_loop_first_last_equal(void)
 	);
 }
 
+__used __naked static void __bpf_cond_op_r10(void)
+{
+	asm volatile (
+	"r2 = 2314885393468386424 ll;"
+	"goto +0;"
+	"if r2 <= r10 goto +3;"
+	"if r1 >= -1835016 goto +0;"
+	"if r2 <= 8 goto +0;"
+	"if r3 <= 0 goto +0;"
+	"exit;"
+	::: __clobber_all);
+}
+
+SEC("?raw_tp")
+__success __log_level(2)
+__msg("8: (bd) if r2 <= r10 goto pc+3")
+__msg("9: (35) if r1 >= 0xffe3fff8 goto pc+0")
+__msg("10: (b5) if r2 <= 0x8 goto pc+0")
+__msg("mark_precise: frame1: last_idx 10 first_idx 0 subseq_idx -1")
+__msg("mark_precise: frame1: regs=r2 stack= before 9: (35) if r1 >= 0xffe3fff8 goto pc+0")
+__msg("mark_precise: frame1: regs=r2 stack= before 8: (bd) if r2 <= r10 goto pc+3")
+__msg("mark_precise: frame1: regs=r2 stack= before 7: (05) goto pc+0")
+__naked void bpf_cond_op_r10(void)
+{
+	asm volatile (
+	"r3 = 0 ll;"
+	"call __bpf_cond_op_r10;"
+	"r0 = 0;"
+	"exit;"
+	::: __clobber_all);
+}
+
+SEC("?raw_tp")
+__success __log_level(2)
+__msg("3: (bf) r3 = r10")
+__msg("4: (bd) if r3 <= r2 goto pc+1")
+__msg("5: (b5) if r2 <= 0x8 goto pc+2")
+__msg("mark_precise: frame0: last_idx 5 first_idx 0 subseq_idx -1")
+__msg("mark_precise: frame0: regs=r2 stack= before 4: (bd) if r3 <= r2 goto pc+1")
+__msg("mark_precise: frame0: regs=r2 stack= before 3: (bf) r3 = r10")
+__naked void bpf_cond_op_not_r10(void)
+{
+	asm volatile (
+	"r0 = 0;"
+	"r2 = 2314885393468386424 ll;"
+	"r3 = r10;"
+	"if r3 <= r2 goto +1;"
+	"if r2 <= 8 goto +2;"
+	"r0 = 2 ll;"
+	"exit;"
+	::: __clobber_all);
+}
+
 char _license[] SEC("license") = "GPL";
-- 
2.50.1

Re: [PATCH stable 6.12 1/1] selftests/bpf: Add tests with stack ptr register in conditional jmp

[Sasha Levin]

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: 5ffb537e416ee22dbfb3d552102e50da33fec7f6

WARNING: Author mismatch between patch and upstream commit:
Backport author: Shung-Hsi Yu <shung-hsi.yu@suse.com>
Commit author: Yonghong Song <yonghong.song@linux.dev>

Status in newer kernel trees:
6.15.y | Not found

Note: The patch differs from the upstream commit:
---
1:  5ffb537e416e ! 1:  f5e86b1f0ca1 selftests/bpf: Add tests with stack ptr register in conditional jmp
    @@ Metadata
      ## Commit message ##
         selftests/bpf: Add tests with stack ptr register in conditional jmp
     
    +    Commit 5ffb537e416ee22dbfb3d552102e50da33fec7f6 upstream.
    +
         Add two tests:
           - one test has 'rX <op> r10' where rX is not r10, and
           - another test has 'rX <op> rY' where rX and rY are not r10
    @@ Commit message
         Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
         Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
         Link: https://lore.kernel.org/bpf/20250524041340.4046304-1-yonghong.song@linux.dev
    +    [ shung-hsi.yu: contains additional hunks for kernel/bpf/verifier.c that
    +      should be part of the previous patch in the series, commit
    +      e2d2115e56c4 "bpf: Do not include stack ptr register in precision
    +      backtracking bookkeeping", which was incorporated since v6.12.37. ]
    +    Link: https://lore.kernel.org/all/9b41f9f5-396f-47e0-9a12-46c52087df6c@linux.dev/
    +    Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
     
      ## kernel/bpf/verifier.c ##
     @@ kernel/bpf/verifier.c: static int check_cond_jmp_op(struct bpf_verifier_env *env,

---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| 6.12                      | Success     | Success    |

Re: [PATCH stable 6.12 1/1] selftests/bpf: Add tests with stack ptr register in conditional jmp

[Greg KH]

On Mon, Jul 21, 2025 at 04:45:29PM +0800, Shung-Hsi Yu wrote:
> From: Yonghong Song <yonghong.song@linux.dev>
> 
> Commit 5ffb537e416ee22dbfb3d552102e50da33fec7f6 upstream.
> 
> Add two tests:
>   - one test has 'rX <op> r10' where rX is not r10, and
>   - another test has 'rX <op> rY' where rX and rY are not r10
>     but there is an early insn 'rX = r10'.
> 
> Without previous verifier change, both tests will fail.
> 
> Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
> Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> Link: https://lore.kernel.org/bpf/20250524041340.4046304-1-yonghong.song@linux.dev
> [ shung-hsi.yu: contains additional hunks for kernel/bpf/verifier.c that
>   should be part of the previous patch in the series, commit
>   e2d2115e56c4 "bpf: Do not include stack ptr register in precision
>   backtracking bookkeeping", which was incorporated since v6.12.37. ]
> Link: https://lore.kernel.org/all/9b41f9f5-396f-47e0-9a12-46c52087df6c@linux.dev/
> Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> ---
>  kernel/bpf/verifier.c                         |  7 ++-
>  .../selftests/bpf/progs/verifier_precision.c  | 53 +++++++++++++++++++
>  2 files changed, 58 insertions(+), 2 deletions(-)

We can not take a patch only for older stable kernels and not newer
ones.

Please resubmit this as a backport for all affected kernel trees.

thanks,

greg k-h

Re: [PATCH stable 6.12 1/1] selftests/bpf: Add tests with stack ptr register in conditional jmp

[Shung-Hsi Yu]

On Tue, Jul 22, 2025 at 11:28:16AM +0200, Greg KH wrote:
> On Mon, Jul 21, 2025 at 04:45:29PM +0800, Shung-Hsi Yu wrote:
> > From: Yonghong Song <yonghong.song@linux.dev>
> > 
> > Commit 5ffb537e416ee22dbfb3d552102e50da33fec7f6 upstream.
> > 
> > Add two tests:
> >   - one test has 'rX <op> r10' where rX is not r10, and
> >   - another test has 'rX <op> rY' where rX and rY are not r10
> >     but there is an early insn 'rX = r10'.
> > 
> > Without previous verifier change, both tests will fail.
> > 
> > Signed-off-by: Yonghong Song <yonghong.song@linux.dev>
> > Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
> > Link: https://lore.kernel.org/bpf/20250524041340.4046304-1-yonghong.song@linux.dev
> > [ shung-hsi.yu: contains additional hunks for kernel/bpf/verifier.c that
> >   should be part of the previous patch in the series, commit
> >   e2d2115e56c4 "bpf: Do not include stack ptr register in precision
> >   backtracking bookkeeping", which was incorporated since v6.12.37. ]
> > Link: https://lore.kernel.org/all/9b41f9f5-396f-47e0-9a12-46c52087df6c@linux.dev/
> > Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
> > ---
> >  kernel/bpf/verifier.c                         |  7 ++-
> >  .../selftests/bpf/progs/verifier_precision.c  | 53 +++++++++++++++++++
> >  2 files changed, 58 insertions(+), 2 deletions(-)
> 
> We can not take a patch only for older stable kernels and not newer
> ones.

Oops, forgot about 6.15, sorry.

> Please resubmit this as a backport for all affected kernel trees.

Will do.

Shung-Hsi

> thanks,
> 
> greg k-h