git.ipfire.org Git - thirdparty/linux.git/commit

author	Puranjay Mohan <puranjay@kernel.org>
	Tue, 3 Feb 2026 16:50:58 +0000 (08:50 -0800)
committer	Alexei Starovoitov <ast@kernel.org>
	Tue, 3 Feb 2026 18:32:40 +0000 (10:32 -0800)
commit	b2a0aa3a87396483b468b7c81be2fddb29171d74
tree	52646de29dc664a8b2b0a71d99a4311743c21d70	tree
parent	3cd5c890652ba1f0682adc291b5446245259b692	commit \| diff

bpf: Clear singular ids for scalars in is_state_visited()

The verifier assigns ids to scalar registers/stack slots when they are
linked through a mov or stack spill/fill instruction. These ids are
later used to propagate newly found bounds from one register to all
registers that share the same id. The verifier also compares the ids of
these registers in current state and cached state when making pruning
decisions.

When an ID becomes singular (i.e., only a single register or stack slot
has that ID), it can no longer participate in bounds propagation. During
comparisons between current and cached states for pruning decisions,
however, such stale IDs can prevent pruning of otherwise equivalent
states.

Find and clear all singular ids before caching a state in
is_state_visited(). struct bpf_idset which is currently unused has been
repurposed for this use case.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
Link: https://lore.kernel.org/r/20260203165102.2302462-3-puranjay@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

include/linux/bpf_verifier.h		diff \| blob \| blame \| history
kernel/bpf/verifier.c		diff \| blob \| blame \| history