Skip to content

Verifier scalar imp v2#10932

Closed
puranjaymohan wants to merge 5 commits intokernel-patches:bpf-next_basefrom
puranjaymohan:verifier_scalar_imp_v2
Closed

Verifier scalar imp v2#10932
puranjaymohan wants to merge 5 commits intokernel-patches:bpf-next_basefrom
puranjaymohan:verifier_scalar_imp_v2

Conversation

@puranjaymohan
Copy link
Copy Markdown
Collaborator

@puranjaymohan puranjaymohan commented Feb 3, 2026

No description provided.

@puranjaymohan
bpf: verifier: Assign ids on stack fills
6a62f94 
The next commit will allow clearing of scalar ids if no other
register/stack slot has that id. This is because if only one register
has a unique id, it can't participate in bounds propagation and is
equivalent to having no id.

But if the id of a stack slot is cleared by clear_singular_ids() in the
next commit, reading that stack slot into a register will not establish
a link because the stack slot's id is cleared.

This can happen in a situation where a register is spilled and later
loses its id due to a multiply operation (for example) and then the
stack slot's id becomes singular and can be cleared.

Make sure that scalar stack slots have an id before we read them into a
register.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
@puranjaymohan
bpf: verifier: Clear singular ids for scalars
7436fae 
Verifier assigns ids to scalar registers/stack slots when they are
linked through a mov or stack spill/fill instruction. These ids are
later used to propagate newly found bounds from one register to all
registers that share the same id. The verifier also compares the ids of
these registers in current state and cached state when making pruning
decisions.

When an ID becomes singular (i.e., only a single register or stack slot
has that ID), it can no longer participate in bounds propagation. During
comparisons between current and cached states for pruning decisions,
however, such stale IDs can prevent pruning of otherwise equivalent
states.

Find and clear all singular ids before caching a state in
is_state_visited(). struct bpf_idset which is currently unused has been
repurposed for this use case.

Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
@puranjaymohan
bpf: verifier: relax maybe_widen_reg() constraints
98790d8 
The maybe_widen_reg() function widens imprecise scalar registers to
unknown when their values differ between the cached and current states.
Previously, it used regs_exact() which also compared register IDs via
check_ids(), requiring registers to have matching IDs (or mapped IDs) to
be considered exact.

For scalar widening purposes, what matters is whether the value tracking
(bounds, tnum, var_off) is the same, not whether the IDs match. Two
scalars with identical value constraints but different IDs represent the
same abstract value and don't need to be widened.

Introduce scalars_exact_for_widen() that only compares the
value-tracking portion of bpf_reg_state (fields before 'id'). This
allows the verifier to preserve more scalar value information during
state merging when IDs differ but actual tracked values are identical,
reducing unnecessary widening and potentially improving verification
precision.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
@puranjaymohan
bpf: verifier: Relax scalar id equivalence for state pruning
b201785 
Scalar register IDs are used by the verifier to track relationships
between registers and enable bounds propagation across those
relationships. Once an ID becomes singular (i.e. only a single
register/stack slot carries it), it can no longer contribute to bounds
propagation and effectively becomes stale. The previous commit makes the
verifier clear such ids before caching the state.

When comparing the current and cached states for pruning, these stale
IDs can cause technically equivalent states to be considered different
and thus prevent pruning.

For example in the selftest added in the next commit, two registers - r6
and r7 are not linked to any other registers and get cached with id=0,
in the current state, they are both linked to each other with id=A.
Before this commit, check_scalar_ids, would give temporary ids to r6 and
r7 (say tid1 and tid2) and then check_ids() would map tid1->A, and when
it would see tid2->A, it would not consider these state equivalent.

Relax scalar ID equivalence by treating rold->id == 0 as "independent":
if the old state did not rely on any ID relationships for a register,
then any ID/linking present in the current state only adds constraints
and is always safe to accept for pruning. Implement this by returning
true immediately in check_scalar_ids() when old_id == 0.

Maintain correctness for the opposite direction (old_id != 0 && cur_id
== 0) by still allocating a temporary ID for cur_id == 0. This avoids
incorrectly allowing multiple independent current registers (id==0) to
satisfy a single linked old ID during mapping.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
@puranjaymohan
selftests: bpf: Add a test for ids=0
ee77223 
Test that two registers with their id=0 (unlinked) in the cached state
can be mapped to a single id in the current state.

Signed-off-by: Puranjay Mohan <puranjay@kernel.org>
@puranjaymohan puranjaymohan force-pushed the verifier_scalar_imp_v2 branch from 22f76d7 to ee77223 Compare February 3, 2026 14:26
@kernel-patches-daemon-bpf kernel-patches-daemon-bpf Bot force-pushed the bpf-next_base branch 14 times, most recently from 637c925 to a1e329f Compare February 6, 2026 22:56
@kernel-patches-daemon-bpf
Copy link
Copy Markdown

kernel-patches-daemon-bpf Bot commented Feb 10, 2026

Automatically cleaning up stale PR; feel free to reopen if needed

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@puranjaymohan