> diff --git a/tools/testing/selftests/bpf/progs/verifier_unpriv.c 
> b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> index c16f8382cf17..d54e5b59e62e 100644
> --- a/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> +++ b/tools/testing/selftests/bpf/progs/verifier_unpriv.c
> @@ -976,4 +976,26 @@ l0_%=:   exit;                                           
> \
>       : __clobber_all);
>  }
>
> +SEC("socket")
> +__description("unpriv: Spectre v4 stack write slot index")
> +__success __success_unpriv
> +__retval(0)
> +#ifdef SPEC_V4
> +__xlated_unpriv("r0 = 0")
> +__xlated_unpriv("*(u32 *)(r10 - 4) = r0")
> +__xlated_unpriv("nospec")
> +__xlated_unpriv("*(u32 *)(r10 - 8) = r0")

The expectation strings here write the stack offset with a space after the
minus sign: "*(u32 *)(r10 - 4) = r0" and "*(u32 *)(r10 - 8) = r0".

The kernel disassembler in print_bpf_insn() (kernel/bpf/disasm.c) formats
stores with:

        verbose(cbs->private_data, "(%s *)(r%d %+d) = ...",
                ...);

The %+d conversion attaches the sign directly to the digits with no
following space, so the produced text is "*(u32 *)(r10 -4) = r0" and
"*(u32 *)(r10 -8) = r0".

The selftest matcher match_msg() in tools/testing/selftests/bpf/test_loader.c
does a byte-exact strstr() substring match with no whitespace normalization,
and these patterns contain no {{...}} so they are matched literally rather
than as a regex.

Would the "(r10 - 4)" and "(r10 - 8)" expectations ever match the actual
disassembly, given the disassembler emits "(r10 -4)" and "(r10 -8)" with no
space?

Every other __xlated/__xlated_unpriv expectation in the selftests uses the
no-space form, for example elsewhere in verifier_unpriv.c:

        __xlated_unpriv("*(u64 *)(r10 -8) = r1")

When built with SPEC_V4 enabled, would this test fail the xlated check
rather than validate the companion verifier change in commit 3fcd23a554da,
so that it does not actually exercise the nospec slot-index handling it is
meant to cover?

Should the offsets be written as "(r10 -4)" and "(r10 -8)" instead?

> +__xlated_unpriv("nospec")
> +__xlated_unpriv("exit")
> +#endif
> +__naked void stack_write_nospec_slot_index(void)
> +{
> +     asm volatile ("                                 \
> +     r0 = 0;                                 \
> +     *(u32 *)(r10 - 4) = r0;                 \
> +     *(u32 *)(r10 - 8) = r0;                 \
> +     exit;                                   \
> +"    ::: __clobber_all);
> +}
> +
>  char _license[] SEC("license") = "GPL";
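Review bot: The new test carries no comment saying what "slot index" in its description refers to, or why a `nospec` is expected after each of the two u32 stores rather than only after the first write to the slot, so a reader has to recover the intent from the companion verifier change. A short comment above the `SEC("socket")` line of the new test would make the fixture self-explaining, for example `/* Two u32 writes to the two halves of the same 8-byte stack slot (r10-4, r10-8). With SPEC_V4 the verifier is expected to follow each store with a nospec, not only the first. */`. That both offsets fall in one 8-byte slot and that both nospecs are required is inferred from the offsets and the expectation list, and should be confirmed against the verifier change this test accompanies. Note also that the whole `__xlated_unpriv` list sits under `#ifdef SPEC_V4`, so on builds without it the test only checks that the program loads for both privilege levels and returns 0; if that is intended, one sentence in the commit message saying so would help.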


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/27705665008
