selftests/bpf: Add test for stack arg read without caller write

author Yonghong Song <yonghong.song@linux.dev>

Fri, 15 May 2026 22:50:45 +0000 (15:50 -0700)

committer Alexei Starovoitov <ast@kernel.org>

Sun, 17 May 2026 00:46:16 +0000 (17:46 -0700)
author Yonghong Song <yonghong.song@linux.dev>
Fri, 15 May 2026 22:50:45 +0000 (15:50 -0700)
committer Alexei Starovoitov <ast@kernel.org>
Sun, 17 May 2026 00:46:16 +0000 (17:46 -0700)
diff --git a/tools/testing/selftests/bpf/progs/btf__verifier_stack_arg_order.c b/tools/testing/selftests/bpf/progs/btf__verifier_stack_arg_order.c

index da34e8456b6c85d4771fb6868828dea7fae544dc..99bc115f8380a7be998c2d7a4b90cf78a09017b6 100644 (file)
--- a/tools/testing/selftests/bpf/progs/btf__verifier_stack_arg_order.c
+++ b/tools/testing/selftests/bpf/progs/btf__verifier_stack_arg_order.c
@@ -21,6 +21,10 @@ int subprog_pruning_call_before_load_6args(int a, int b, int c, int d, int e, in
         return a + b + c + d + e + f;
  }
  
+void subprog_bad_ptr_7args(long *a, int b, int c, int d, int e, int f, int g)
+{
+}
+
  #else
  
  int subprog_bad_order_6args(void)
@@ -38,4 +42,8 @@ int subprog_pruning_call_before_load_6args(void)
         return 0;
  }
  
+void subprog_bad_ptr_7args(void)
+{
+}
+
  #endif
diff --git a/tools/testing/selftests/bpf/progs/verifier_stack_arg.c b/tools/testing/selftests/bpf/progs/verifier_stack_arg.c

index d43a9b42034cfd0449d48fb77728aaa85b630dff..d45339b837959a03fb6d920696d211a5929d8c99 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_stack_arg.c
+++ b/tools/testing/selftests/bpf/progs/verifier_stack_arg.c
@@ -152,7 +152,7 @@ __naked void stack_arg_pruning_type_mismatch(void)
  SEC("tc")
  __description("stack_arg: release_reference invalidates stack arg slot")
  __failure
-__msg("R{{[0-9]}} !read_ok")
+__msg("callee expects 6 args, stack arg1 is not initialized")
  __naked void stack_arg_release_ref(void)
  {
         asm volatile (
@@ -201,7 +201,7 @@ __naked void stack_arg_release_ref(void)
  SEC("tc")
  __description("stack_arg: pkt pointer in stack arg slot invalidated after pull_data")
  __failure
-__msg("R{{[0-9]}} !read_ok")
+__msg("callee expects 6 args, stack arg1 is not initialized")
  __naked void stack_arg_stale_pkt_ptr(void)
  {
         asm volatile (
diff --git a/tools/testing/selftests/bpf/progs/verifier_stack_arg_order.c b/tools/testing/selftests/bpf/progs/verifier_stack_arg_order.c

index 1240cf8a40d6526c4ec9debd1976689efda57e8d..c9fe4857da3f55c54e468859b9c19e168ddb8fed 100644 (file)
--- a/tools/testing/selftests/bpf/progs/verifier_stack_arg_order.c
+++ b/tools/testing/selftests/bpf/progs/verifier_stack_arg_order.c
@@ -112,6 +112,64 @@ __naked void stack_arg_pruning_load_after_call(void)
         );
  }
  
+/*
+ * "bad_ptr": the first arg is 'long *', which is not a recognized pointer
+ * type for static subprogs (not ctx, dynptr, or tagged).  btf_prepare_func_args()
+ * sets arg_cnt = 7 / stack_arg_cnt = 2, then fails with -EINVAL.  The subprog
+ * is marked unreliable but the call still proceeds for static subprogs.
+ */
+__noinline __used __naked
+static void subprog_bad_ptr_7args(long *a, int b, int c, int d, int e, int f, int g)
+{
+       asm volatile (
+               "r0 = *(u64 *)(r11 + 8);"
+               "r1 = *(u64 *)(r11 + 16);"
+               "exit;"
+               ::: __clobber_all
+       );
+}
+
+SEC("tc")
+__description("stack_arg: read without caller write")
+__failure
+__msg("callee expects 7 args, stack arg1 is not initialized")
+__btf_func_path("btf__verifier_stack_arg_order.bpf.o")
+__naked void stack_arg_read_without_write_1(void)
+{
+       asm volatile (
+               "r1 = 0;"
+               "r2 = 0;"
+               "r3 = 0;"
+               "r4 = 0;"
+               "r5 = 0;"
+               "call subprog_bad_ptr_7args;"
+               "exit;"
+               ::: __clobber_all
+       );
+}
+
+SEC("tc")
+__description("stack_arg: read with not-initialized caller write")
+__failure
+__msg("R0 !read_ok")
+__btf_func_path("btf__verifier_stack_arg_order.bpf.o")
+__naked void stack_arg_read_without_write_2(void)
+{
+       asm volatile (
+               "r1 = 0;"
+               "r2 = 0;"
+               "r3 = 0;"
+               "r4 = 0;"
+               "r5 = 0;"
+               "*(u64 *)(r11 - 8) = 0;"
+               "*(u64 *)(r11 - 16) = 0;"
+               "call subprog_bad_ptr_7args;"
+               "call subprog_bad_ptr_7args;"
+               "exit;"
+               ::: __clobber_all
+       );
+}
+
  #else
  
  SEC("socket")
author	Yonghong Song <yonghong.song@linux.dev>
	Fri, 15 May 2026 22:50:45 +0000 (15:50 -0700)
committer	Alexei Starovoitov <ast@kernel.org>
	Sun, 17 May 2026 00:46:16 +0000 (17:46 -0700)
tools/testing/selftests/bpf/progs/btf__verifier_stack_arg_order.c		patch \| blob \| blame \| history
tools/testing/selftests/bpf/progs/verifier_stack_arg.c		patch \| blob \| blame \| history
tools/testing/selftests/bpf/progs/verifier_stack_arg_order.c		patch \| blob \| blame \| history