From: Alexei Starovoitov
Date: Mon, 22 Jun 2026 00:51:58 +0000 (-0700)
Subject: Merge branch 'bpf-fix-stack-slot-index-for-spectre-v4-nospec-checks'
X-Git-Tag: v7.2-rc1~25^2~14
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=3eb21c86913439043c400cf9bbc521b015084b99;p=thirdparty%2Flinux.git

Merge branch 'bpf-fix-stack-slot-index-for-spectre-v4-nospec-checks'

Nuoqi Gui says:

====================
bpf: Fix stack slot index for Spectre v4 nospec checks

check_stack_write_fixed_off() uses one byte-indexing scheme when checking
whether a fixed-offset stack write needs Spectre v4 sanitization, and
another scheme when recording the write into slot_type[].

For sub-8-byte writes this can make the sanitization check look at bytes
that are not overwritten by the write. A zeroed lower half-slot followed
by a write to the upper half-slot can therefore miss the nospec barrier
for the second write.

Use the same stack-byte index for the sanitization check and the slot
update, and add a focused verifier selftest that expects both half-slot
writes to emit nospec through the unprivileged loader lane.

Bounded impact: this fixes verifier/JIT Spectre v4 mitigation emission
for a fixed-offset stack-write corner case. No architectural verifier
memory-safety bypass, exploit chain, CVE, embargo, or security escalation
is claimed.

Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient speculative store bypass mitigation")
Signed-off-by: Nuoqi Gui
---
Changes in v3:
- selftests/bpf: drop the stray space in the __xlated_unpriv stack-store
  expectations ("(r10 - 4)"/"(r10 - 8)" -> "(r10 -4)"/"(r10 -8)")
- Link to v2: https://lore.kernel.org/bpf/20260618-f01-11-stack-nospec-slot-index-v2-0-ede9495359b6@mails.tsinghua.edu.cn/

Changes in v2:
- drop __caps_unpriv(CAP_BPF) from the selftest
- fix selftest style
- use Fixes: 2039f26f3aca per review
- Link to v1: https://lore.kernel.org/bpf/20260617-f01-11-stack-nospec-slot-index-v1-0-e3a080b0cd7e@mails.tsinghua.edu.cn/
====================

Link: https://patch.msgid.link/20260618-f01-11-stack-nospec-slot-index-v3-0-780297041721@mails.tsinghua.edu.cn
Signed-off-by: Alexei Starovoitov
---

3eb21c86913439043c400cf9bbc521b015084b99
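
The index mismatch described in the cover letter above can be modelled for a single 8-byte stack slot. This is an added illustration, not code from the commit or the kernel tree. The two index expressions, the write order (fp-4 first, then fp-8), the simplified slot-type enum and the helper names are assumptions of the model, and checks on the stored register are left out.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BPF_REG_SIZE 8
/* Simplified slot types; STACK_INVALID means "never written". */
enum { STACK_INVALID, STACK_SPILL, STACK_MISC, STACK_ZERO };

static unsigned char slot_type[BPF_REG_SIZE]; /* one 8-byte stack slot */

/* Model of a fixed-offset stack write of `size` bytes at fp+off (off < 0).
 * Returns true when the write would be marked for a nospec barrier.
 * same_index=false: the check reads slot_type[i] while the update writes
 * slot_type[(slot - i) % 8] (assumed form of the mismatch).
 * same_index=true: check and update use the same byte index. */
static bool stack_write(int off, int size, unsigned char new_type, bool same_index)
{
    int slot = -off - 1, i;
    bool sanitize = false;

    for (i = 0; i < size; i++) {
        int idx = same_index ? (slot - i) % BPF_REG_SIZE : i;
        /* Overwriting anything other than MISC/ZERO needs sanitization. */
        if (slot_type[idx] != STACK_MISC && slot_type[idx] != STACK_ZERO)
            sanitize = true;
    }
    for (i = 0; i < size; i++)
        slot_type[(slot - i) % BPF_REG_SIZE] = new_type;
    return sanitize;
}

/* Zero 4 bytes at fp-4, then write 4 bytes at fp-8 (constructed sequence).
 * Bit 0 = first write gets nospec, bit 1 = second write gets nospec. */
static int run_sequence(bool same_index)
{
    int mask = 0;

    memset(slot_type, STACK_INVALID, sizeof(slot_type));
    mask |= stack_write(-4, 4, STACK_ZERO, same_index) ? 1 : 0;
    mask |= stack_write(-8, 4, STACK_MISC, same_index) ? 2 : 0;
    return mask;
}

int main(void)
{
    printf("mismatched index: nospec mask = %d\n", run_sequence(false));
    printf("same index:       nospec mask = %d\n", run_sequence(true));
    return 0;
}
```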