From: Alexei Starovoitov
Date: Sat, 7 Mar 2026 02:24:41 +0000 (-0800)
Subject: Merge branch 'bpf-fix-precision-backtracking-bug-with-linked-registers'
X-Git-Tag: v7.0-rc3~10^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=325d1ba3cac4a1c0bf981f73f4edbb7411f0e4dc;p=thirdparty%2Fkernel%2Flinux.git

Merge branch 'bpf-fix-precision-backtracking-bug-with-linked-registers'

Eduard Zingerman says:

====================
bpf: Fix precision backtracking bug with linked registers

Emil Tsalapatis reported a verifier bug hit by the scx_lavd sched_ext scheduler. The essential part of the verifier log looks as follows:

  436: ...
  // checkpoint hit for 438: (1d) if r7 == r8 goto ...
  frame 3: propagating r2,r7,r8
  frame 2: propagating r6
  mark_precise: frame3: last_idx ...
  mark_precise: frame3: regs=r2,r7,r8 stack= before 436: ...
  mark_precise: frame3: regs=r2,r7 stack= before 435: ...
  mark_precise: frame3: regs=r2,r7 stack= before 434: (85) call bpf_trace_vprintk#177
  verifier bug: backtracking call unexpected regs 84

The log complains that registers r2 and r7 are tracked as precise while processing the bpf_trace_vprintk() call in precision backtracking. This can't be right, as r2 is reset by the call and there is nothing to backtrack it to. The precision propagation is triggered when a checkpoint is hit at instruction 438, r2 is dead at that instruction.

This happens because of the following sequence of events:
- Instruction 438 is first reached with registers r2 and r7 having the same id via a path that does not call bpf_trace_vprintk():
  - Checkpoint is created at 438.
  - The jump at 438 is predicted, hence r7 and registers linked to it (r2) are propagated as precise, marking r2 and r7 precise in the checkpoint.
- Instruction 438 is reached a second time with r2 undefined and via a path that calls bpf_trace_vprintk():
  - Checkpoint is hit.
  - propagate_precision() picks registers r2 and r7 and propagates precision marks for those up to the helper call.

The root cause is the fact that states_equal() and propagate_precision() assume that the precision flag can't be set for a dead register (as computed by compute_live_registers()). However, this is not the case when linked registers are at play. Fix this by accounting for live register flags in collect_linked_regs().

---
====================

Link: https://patch.msgid.link/20260306-linked-regs-and-propagate-precision-v1-0-18e859be570d@gmail.com
Signed-off-by: Alexei Starovoitov
---
325d1ba3cac4a1c0bf981f73f4edbb7411f0e4dc
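
The sequence of events described in the message can be replayed with a small stand-alone model, added here as an illustration; it is not kernel code and not part of this merge. The struct, the function names, the live set at instruction 438 and the reading of "accounting for live register flags" as skipping dead registers are assumptions; the value 84 in the log is read as the hex bitmask 0x84 (bits 2 and 7, i.e. r2 and r7).

```c
#include <stdint.h>
#include <stdio.h>

/* Simplified model, not kernel code; all names here are hypothetical. */
#define NREGS    11
#define ARG_REGS 0x3eu   /* r1-r5, clobbered by a helper call */

struct reg { uint32_t id; };   /* equal non-zero id => linked registers */

/* Mask of registers sharing src's id. With honor_liveness set, registers
 * that are dead at this instruction (bit clear in live) are skipped. */
static uint32_t collect_linked(const struct reg *regs, int src,
                               uint32_t live, int honor_liveness)
{
    uint32_t mask = 0;
    for (int i = 0; i < NREGS; i++) {
        if (!regs[i].id || regs[i].id != regs[src].id)
            continue;
        if (honor_liveness && !(live & (1u << i)))
            continue;
        mask |= 1u << i;
    }
    return mask;
}

/* Backtracking across a helper call: an argument register that is still
 * marked precise has nothing to backtrack to. Returns the offending mask
 * (what the "unexpected regs" line reports), or 0 if the set is fine. */
static uint32_t backtrack_call(uint32_t precise)
{
    return (precise & ARG_REGS) ? precise : 0;
}

/* Replay: r2 and r7 are linked on the first path, r2 is dead at 438. */
static uint32_t replay(int honor_liveness)
{
    struct reg regs[NREGS] = {{0}};
    uint32_t live_at_438 = (1u << 7) | (1u << 8);   /* constructed: r7, r8 */
    regs[2].id = regs[7].id = 1;
    /* Jump at 438 is predicted: r7 plus its linked registers become
     * precise in the checkpoint. */
    uint32_t checkpoint = collect_linked(regs, 7, live_at_438, honor_liveness);
    /* Second path hits the checkpoint; marks travel back to the call. */
    return backtrack_call(checkpoint);
}

int main(void)
{
    printf("liveness ignored: unexpected regs %x\n", replay(0));
    printf("liveness honored: unexpected regs %x\n", replay(1));
    return 0;
}
```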