git.ipfire.org Git - thirdparty/kernel/linux.git/commit
bpf: record arg tracking results in bpf_liveness masks
author Eduard Zingerman <eddyz87@gmail.com>
Fri, 10 Apr 2026 20:55:59 +0000 (13:55 -0700)
committer Alexei Starovoitov <ast@kernel.org>
Fri, 10 Apr 2026 22:06:14 +0000 (15:06 -0700)
commit fed53dbcdb61b0fbb1cf1d5bbd68d10f97aec974
tree b1e670cd1d68c776cee3339f73f1975ed0c0f5fc
parent bf0c571f7feb6fa05a512e2a5e50702501849d61
bpf: record arg tracking results in bpf_liveness masks

After arg tracking reaches a fixed point, perform a single linear scan
over the converged at_in[] state and translate each memory access into
liveness read/write masks on the func_instance:

- Load/store instructions: FP-derived pointer's frame and offset(s)
  are converted to half-slot masks targeting
  per_frame_masks->{may_read,must_write}

- Helper/kfunc calls: record_call_access() queries
  bpf_helper_stack_access_bytes() / bpf_kfunc_stack_access_bytes()
  for each FP-derived argument to determine access size and direction.
  Unknown access size (S64_MIN) conservatively marks all slots from
  fp_off to fp+0 as read.

- Imprecise pointers (frame == ARG_IMPRECISE): conservatively mark
  all slots in every frame covered by the pointer's frame bitmask
  as fully read.

- Static subprog calls with unresolved arguments: conservatively mark
  all frames as fully read.

Instead of a call to clean_live_states(), start cleaning the current
state continuously as registers and stack become dead since the static
analysis provides complete liveness information. This makes
clean_live_states() and bpf_verifier_state->cleaned unnecessary.

Signed-off-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/20260410-patch-set-v4-8-5d4eecb343db@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
include/linux/bpf_verifier.h
kernel/bpf/liveness.c
kernel/bpf/verifier.c
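
The offset-to-mask translation that the commit message describes for load/store instructions and for unknown-size helper accesses can be illustrated as follows. This is an added example, not the code from kernel/bpf/liveness.c. It assumes a 512-byte stack frame, 4-byte half-slots, and bit i covering bytes [fp-4*(i+1), fp-4*i). The names `hs_mask`, `frame_masks`, `range_mask` and `record_access` are hypothetical, and counting only fully covered half-slots as written is the conservative choice assumed here.

```c
#include <stdint.h>

/* Assumed layout, not taken from the commit: 512-byte BPF stack split into
 * 4-byte half-slots; bit i covers bytes [fp - 4*(i+1), fp - 4*i). */
#define STACK_SIZE   512
#define HALF_SLOT    4
#define NR_HALF      (STACK_SIZE / HALF_SLOT)
#define SIZE_UNKNOWN INT64_MIN   /* stands in for S64_MIN from the message */

struct hs_mask { uint64_t w[NR_HALF / 64]; };
struct frame_masks { struct hs_mask may_read, must_write; };

/* Half-slots touched by [off, off + size). With full_only set, only
 * half-slots covered completely are returned (safe for must_write);
 * otherwise any overlap counts (safe for may_read). */
static struct hs_mask range_mask(int64_t off, int64_t size, int full_only)
{
	struct hs_mask m = { { 0 } };
	int64_t end, lo, hi, i;

	if (size == SIZE_UNKNOWN) {
		if (full_only)
			return m;        /* cannot prove that any write happened */
		end = 0;                 /* read: everything from off up to fp+0 */
	} else {
		end = off + size;
	}
	if (off < -STACK_SIZE) off = -STACK_SIZE;   /* clamp to the frame */
	if (end > 0) end = 0;
	if (off >= end)
		return m;
	lo = full_only ? (-end + HALF_SLOT - 1) / HALF_SLOT : -end / HALF_SLOT;
	hi = full_only ? -off / HALF_SLOT - 1 : (-off - 1) / HALF_SLOT;
	for (i = lo; i <= hi; i++)
		m.w[i / 64] |= 1ULL << (i % 64);
	return m;
}

/* Fold one access into the frame's masks: writes go to must_write,
 * reads to may_read. */
static void record_access(struct frame_masks *f, int64_t off, int64_t size, int is_write)
{
	struct hs_mask m = range_mask(off, size, is_write);
	struct hs_mask *dst = is_write ? &f->must_write : &f->may_read;
	int k;

	for (k = 0; k < NR_HALF / 64; k++)
		dst->w[k] |= m.w[k];
}
```

An unaligned 4-byte access at fp-6 overlaps two half-slots, so it sets two may_read bits when it is a read and no must_write bits when it is a write.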