--- /dev/null
+From 0c667ed889d20e5ec56c1304c504530f19e05ae3 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 22:42:45 +0100
+Subject: selftests/bpf: Avoid simplification of crafted bounds test
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit 024cea2d647ed8ab942f19544b892d324dba42b4 ]
+
+The reg_bounds_crafted tests validate the verifier's range analysis
+logic. They focus on the actual ranges and thus ignore the tnum. As a
+consequence, they carry the assumption that the tested cases can be
+reproduced in userspace without using the tnum information.
+
+Unfortunately, the previous change the refinement logic breaks that
+assumption for one test case:
+
+ (u64)2147483648 (u32)<op> [4294967294; 0x100000000]
+
+The tested bytecode is shown below. Without our previous improvement, on
+the false branch of the condition, R7 is only known to have u64 range
+[0xfffffffe; 0x100000000]. With our improvement, and using the tnum
+information, we can deduce that R7 equals 0x100000000.
+
+ 19: (bc) w0 = w6 ; R6=0x80000000
+ 20: (bc) w0 = w7 ; R7=scalar(smin=umin=0xfffffffe,smax=umax=0x100000000,smin32=-2,smax32=0,var_off=(0x0; 0x1ffffffff))
+ 21: (be) if w6 <= w7 goto pc+3 ; R6=0x80000000 R7=0x100000000
+
+R7's tnum is (0; 0x1ffffffff). On the false branch, regs_refine_cond_op
+refines R7's u32 range to [0; 0x7fffffff]. Then, __reg32_deduce_bounds
+refines the s32 range to 0 using u32 and finally also sets u32=0.
+From this, __reg_bound_offset improves the tnum to (0; 0x100000000).
+Finally, our previous patch uses this new tnum to deduce that it only
+intersect with u64=[0xfffffffe; 0x100000000] in a single value:
+0x100000000.
+
+Because the verifier uses the tnum to reach this constant value, the
+selftest is unable to reproduce it by only simulating ranges. The
+solution implemented in this patch is to change the test case such that
+there is more than one overlap value between u64 and the tnum. The max.
+u64 value is thus changed from 0x100000000 to 0x300000000.
+
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Link: https://lore.kernel.org/r/50641c6a7ef39520595dcafa605692427c1006ec.1772225741.git.paul.chaignon@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/reg_bounds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
+index d93a0c7b1786f..0322f817d07be 100644
+--- a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
++++ b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
+@@ -2091,7 +2091,7 @@ static struct subtest_case crafted_cases[] = {
+ {U64, S64, {0, 0xffffffffULL}, {0x7fffffff, 0x7fffffff}},
+
+ {U64, U32, {0, 0x100000000}, {0, 0}},
+- {U64, U32, {0xfffffffe, 0x100000000}, {0x80000000, 0x80000000}},
++ {U64, U32, {0xfffffffe, 0x300000000}, {0x80000000, 0x80000000}},
+
+ {U64, S32, {0, 0xffffffff00000000ULL}, {0, 0}},
+ /* these are tricky cases where lower 32 bits allow to tighten 64
+--
+2.51.0
+
selftest-arm64-fix-sve2p1_sigill-to-hwcap-test.patch
tracing-add-null-pointer-check-to-trigger_data_free.patch
bpf-collect-only-live-registers-in-linked-regs.patch
+selftests-bpf-avoid-simplification-of-crafted-bounds.patch
--- /dev/null
+From 927ee50955eb76e511a2a7b940051d4960ba3e5b Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 27 Feb 2026 22:42:45 +0100
+Subject: selftests/bpf: Avoid simplification of crafted bounds test
+
+From: Paul Chaignon <paul.chaignon@gmail.com>
+
+[ Upstream commit 024cea2d647ed8ab942f19544b892d324dba42b4 ]
+
+The reg_bounds_crafted tests validate the verifier's range analysis
+logic. They focus on the actual ranges and thus ignore the tnum. As a
+consequence, they carry the assumption that the tested cases can be
+reproduced in userspace without using the tnum information.
+
+Unfortunately, the previous change the refinement logic breaks that
+assumption for one test case:
+
+ (u64)2147483648 (u32)<op> [4294967294; 0x100000000]
+
+The tested bytecode is shown below. Without our previous improvement, on
+the false branch of the condition, R7 is only known to have u64 range
+[0xfffffffe; 0x100000000]. With our improvement, and using the tnum
+information, we can deduce that R7 equals 0x100000000.
+
+ 19: (bc) w0 = w6 ; R6=0x80000000
+ 20: (bc) w0 = w7 ; R7=scalar(smin=umin=0xfffffffe,smax=umax=0x100000000,smin32=-2,smax32=0,var_off=(0x0; 0x1ffffffff))
+ 21: (be) if w6 <= w7 goto pc+3 ; R6=0x80000000 R7=0x100000000
+
+R7's tnum is (0; 0x1ffffffff). On the false branch, regs_refine_cond_op
+refines R7's u32 range to [0; 0x7fffffff]. Then, __reg32_deduce_bounds
+refines the s32 range to 0 using u32 and finally also sets u32=0.
+From this, __reg_bound_offset improves the tnum to (0; 0x100000000).
+Finally, our previous patch uses this new tnum to deduce that it only
+intersect with u64=[0xfffffffe; 0x100000000] in a single value:
+0x100000000.
+
+Because the verifier uses the tnum to reach this constant value, the
+selftest is unable to reproduce it by only simulating ranges. The
+solution implemented in this patch is to change the test case such that
+there is more than one overlap value between u64 and the tnum. The max.
+u64 value is thus changed from 0x100000000 to 0x300000000.
+
+Acked-by: Eduard Zingerman <eddyz87@gmail.com>
+Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
+Link: https://lore.kernel.org/r/50641c6a7ef39520595dcafa605692427c1006ec.1772225741.git.paul.chaignon@gmail.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ tools/testing/selftests/bpf/prog_tests/reg_bounds.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
+index d93a0c7b1786f..0322f817d07be 100644
+--- a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
++++ b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c
+@@ -2091,7 +2091,7 @@ static struct subtest_case crafted_cases[] = {
+ {U64, S64, {0, 0xffffffffULL}, {0x7fffffff, 0x7fffffff}},
+
+ {U64, U32, {0, 0x100000000}, {0, 0}},
+- {U64, U32, {0xfffffffe, 0x100000000}, {0x80000000, 0x80000000}},
++ {U64, U32, {0xfffffffe, 0x300000000}, {0x80000000, 0x80000000}},
+
+ {U64, S32, {0, 0xffffffff00000000ULL}, {0, 0}},
+ /* these are tricky cases where lower 32 bits allow to tighten 64
+--
+2.51.0
+
selftest-arm64-fix-sve2p1_sigill-to-hwcap-test.patch
tracing-add-null-pointer-check-to-trigger_data_free.patch
bpf-collect-only-live-registers-in-linked-regs.patch
+selftests-bpf-avoid-simplification-of-crafted-bounds.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
