Fastcall spill/fill elision is guarded by a stack contract: stack slots in
the pattern may only be accessed by the pattern itself. Direct stack loads
and stores enforce that contract, but helper and kfunc memory arguments can
read from PTR_TO_STACK through check_stack_range_initialized() without
disabling the post-verification elision.

Make helper/kfunc stack memory checks enforce the fastcall contract after
resolving the range. Add a verifier selftest for a read-only helper access
through bpf_csum_diff().

Fixes: 5b5f51bff1b66 ("bpf: no_caller_saved_registers attribute for helper calls")
Signed-off-by: Nuoqi Gui <[email protected]>
---
Nuoqi Gui (2):
      bpf: Keep fastcall spills for helper stack reads
      selftests/bpf: Cover fastcall helper stack reads

 kernel/bpf/verifier.c                                |  4 +++
 .../selftests/bpf/progs/verifier_bpf_fastcall.c      | 32 ++++++++++++++++++++++
 2 files changed, 36 insertions(+)
---
base-commit: 76f62d237538b456354a44e796a541cde03c6e28
change-id: 20260624-f01-12-fastcall-helper-stack-read-6d4dc1ffb513
Best regards,
--
Nuoqi Gui <[email protected]>