| author | Nuoqi Gui <gnq25@mails.tsinghua.edu.cn> | 2026-06-17 23:20:20 +0800 |
|---|---|---|
| committer | Alexei Starovoitov <ast@kernel.org> | 2026-06-22 13:39:34 -0700 |
| commit | 3a354149bceacadbcf7d7b4766f5ef26a85892ab (patch) | |
| tree | f70c248c54d1eb7a482354cba127a127520b2a27 /mm/tests/git@git.tavy.me:linux.git | |
| parent | 3d8e6fef15db07c9247c1301ec6fa5532d15feb8 (diff) | |
bpf: Preserve pointer spill metadata during half-slot cleanup
__clean_func_state() cleans dead stack slots in 4-byte halves. When the
high half of a STACK_SPILL slot is dead and the low half remains live,
cleanup converts the live low half to STACK_MISC or STACK_ZERO and clears
the saved spilled_ptr metadata.
That conversion is safe only for scalar spills. For a pointer spill, this
metadata clear lets a later 32-bit fill from the still-live half avoid the
normal non-scalar register-fill check and be treated as an ordinary scalar
stack read.
Leave non-scalar spill slots intact in this half-live shape. This is
conservative for pruning and preserves the existing
check_stack_read_fixed_off() rejection path for partial fills from pointer
spills.
Fixes: be23266b4a08 ("bpf: 4-byte precise clean_verifier_state")
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Nuoqi Gui <gnq25@mails.tsinghua.edu.cn>
Link: https://lore.kernel.org/r/20260617-f01-06-half-slot-pointer-spill-v2-1-42b9cdc3cf64@mails.tsinghua.edu.cn
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Diffstat (limited to 'mm/tests/git@git.tavy.me:linux.git')
0 files changed, 0 insertions, 0 deletions
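To make the mechanism in the commit message concrete, here is a simplified model of the half-slot cleanup and the 32-bit partial-fill check, added here as an illustration and not code from the kernel tree: the enums, `struct stack_slot`, the `fixed` flag and the helper names are stand-ins for the verifier's real `slot_type`/`spilled_ptr` bookkeeping and `check_stack_read_fixed_off()`.

```c
#include <stdbool.h>
#include <errno.h>

#define BPF_REG_SIZE 8
enum slot_type { STACK_INVALID, STACK_SPILL, STACK_MISC, STACK_ZERO };
enum reg_type  { NOT_INIT, SCALAR_VALUE, PTR_TO_STACK }; /* stand-ins for the real enum */
struct stack_slot {
	enum slot_type slot_type[BPF_REG_SIZE]; /* one tag per byte, as in the verifier */
	enum reg_type  spilled_type;            /* stands in for spilled_ptr.type */
};

/* Cleanup of a spill slot whose halves differ in liveness (fully live or fully
 * dead slots are not modelled). fixed selects patched vs. pre-patch behaviour. */
static void clean_half_dead_spill(struct stack_slot *s, bool live_lo, bool fixed)
{
	if (s->slot_type[0] != STACK_SPILL)
		return;
	/* The fix: a non-scalar (pointer) spill is left intact in this shape. */
	if (fixed && s->spilled_type != SCALAR_VALUE)
		return;
	/* Pre-patch behaviour: live half becomes MISC, dead half becomes INVALID,
	 * and the spill metadata for the whole slot is cleared. */
	for (int i = 0; i < BPF_REG_SIZE; i++)
		s->slot_type[i] = ((i < 4) == live_lo) ? STACK_MISC : STACK_INVALID;
	s->spilled_type = NOT_INIT;
}

/* Model of the 32-bit fill check: a partial fill from a pointer spill is
 * rejected, one from a scalar spill or from MISC/ZERO bytes is allowed. */
static int fill_u32(const struct stack_slot *s, int off)
{
	bool all_spill = true, all_misc = true;
	for (int i = off; i < off + 4; i++) {
		all_spill &= s->slot_type[i] == STACK_SPILL;
		all_misc  &= s->slot_type[i] == STACK_MISC || s->slot_type[i] == STACK_ZERO;
	}
	if (all_spill)
		return s->spilled_type == SCALAR_VALUE ? 0 : -EACCES;
	return all_misc ? 0 : -EACCES;
}

/* Scenario from the commit message: spill a register of type t, let the high
 * half die, then do a 32-bit fill from the still-live low half. 0 or -EACCES. */
static int fill_low_half_after_cleanup(enum reg_type t, bool fixed)
{
	struct stack_slot s = { .spilled_type = t };
	for (int i = 0; i < BPF_REG_SIZE; i++)
		s.slot_type[i] = STACK_SPILL;
	clean_half_dead_spill(&s, true, fixed);
	return fill_u32(&s, 0);
}
```

With the pre-patch behaviour the pointer spill's live half is read as plain MISC bytes and the fill is accepted; with the fix the slot stays a pointer spill and the partial fill is rejected, while scalar spills are handled the same way in both versions.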
