git.ipfire.org Git - thirdparty/linux.git/commit

author	Puranjay Mohan <puranjay@kernel.org>
	Wed, 4 Feb 2026 15:17:37 +0000 (07:17 -0800)
committer	Alexei Starovoitov <ast@kernel.org>
	Wed, 4 Feb 2026 21:35:28 +0000 (13:35 -0800)
commit	7a433e519364c3c19643e5c857f4fbfaebec441c
tree	ea9532fb93d067fbd9be66317ec5064d5a925cc3	tree
parent	b2821311abbd05d3340ad7f09fe89f088572b682	commit \| diff

bpf: Support negative offsets, BPF_SUB, and alu32 for linked register tracking

Previously, the verifier only tracked positive constant deltas between
linked registers using BPF_ADD. This limitation meant patterns like:

  r1 = r0;
  r1 += -4;
  if r1 s>= 0 goto l0_%=;   // r1 >= 0 implies r0 >= 4
  // verifier couldn't propagate bounds back to r0
  if r0 != 0 goto l0_%=;
r0 /= 0; // Verifier thinks this is reachable
  l0_%=:

Similar limitation exists for 32-bit registers.

With this change, the verifier can now track negative deltas in reg->off
enabling bound propagation for the above pattern.

For alu32, we make sure the destination register has the upper 32 bits
as 0s before creating the link. BPF_ADD_CONST is split into
BPF_ADD_CONST64 and BPF_ADD_CONST32, the latter is used in case of alu32
and sync_linked_regs uses this to zext the result if known_reg has this
flag.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260204151741.2678118-2-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

include/linux/bpf_verifier.h		diff \| blob \| blame \| history
kernel/bpf/verifier.c		diff \| blob \| blame \| history
tools/testing/selftests/bpf/progs/verifier_bounds.c		diff \| blob \| blame \| history