Re: Re: [PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks
From: Nuoqi Gui
Date: Wed Jun 17 2026 - 10:26:21 EST
> -----Original Messages-----
> From: "Jiayuan Chen" <jiayuan.chen@xxxxxxxxx>
> Send time:Wednesday, 17/06/2026 19:08:40
> To: "Nuoqi Gui" <gnq25@xxxxxxxxxxxxxxxxxxxxx>, "Alexei Starovoitov" <ast@xxxxxxxxxx>, "Daniel Borkmann" <daniel@xxxxxxxxxxxxx>, "Andrii Nakryiko" <andrii@xxxxxxxxxx>, "Eduard Zingerman" <eddyz87@xxxxxxxxx>, "Kumar Kartikeya Dwivedi" <memxor@xxxxxxxxx>, "Emil Tsalapatis" <emil@xxxxxxxxxxxxxxx>
> Cc: "John Fastabend" <john.fastabend@xxxxxxxxx>, "Martin KaFai Lau" <martin.lau@xxxxxxxxx>, "Luis Gerhorst" <luis.gerhorst@xxxxxx>, "Shuah Khan" <shuah@xxxxxxxxxx>, bpf@xxxxxxxxxxxxxxx, linux-kselftest@xxxxxxxxxxxxxxx, linux-kernel@xxxxxxxxxxxxxxx
> Subject: Re: [PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks
>
>
> On 6/17/26 12:57 AM, Nuoqi Gui wrote:
> > check_stack_write_fixed_off() computes the byte slot for a fixed-offset
> > stack write as -off - 1, and records each written byte in slot_type[] with
> > (slot - i) % BPF_REG_SIZE.
> >
> > The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
> > 4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
> > pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write updates
> > bytes 7..4. That can leave the second half-slot write without nospec_result
> > even though the bytes being overwritten still require sanitization.
> >
> > Use the same slot index in the sanitization pre-check that the write path uses
> > when updating slot_type[].
> >
> > Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation")
> > Signed-off-by: Nuoqi Gui <gnq25@xxxxxxxxxxxxxxxxxxxxx>
>
>
> I think the Fixes tag should be 2039f26f3aca ("bpf: Fix leakage due to
> insufficient speculative store bypass mitigation") ?
>
> Otherwise, looks good to me.
>
> Reviewed-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
Thanks.
I'll change the Fixes tag in v2 to:
Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient
speculative store bypass mitigation")
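The index mismatch the commit message describes, as an added example that is not part of the patch or of the kernel source: a small user-space model of one 8-byte stack slot's slot_type[] array, with the write path's index (slot = -off - 1, byte i recorded at (slot - i) % BPF_REG_SIZE) beside a pre-check that indexes slot_type[i]. The enum values, the STACK_MISC/STACK_ZERO "no sanitization needed" rule in byte_needs_sanitize(), and the helper names are this model's own assumptions, not the verifier's code; the scenario is the one from the message (pointer spill at fp-8, four bytes of the slot zeroed, then a 4-byte write at fp-8 that updates bytes 7..4 while the old pre-check looks at bytes 0..3).

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define BPF_REG_SIZE 8

/* Stand-in for the verifier's per-byte stack slot tags (model only). */
enum stack_slot_type {
	STACK_INVALID,
	STACK_SPILL,
	STACK_MISC,
	STACK_ZERO,
};

struct slot_model {
	enum stack_slot_type slot_type[BPF_REG_SIZE];
};

struct precheck_result {
	bool old_sanitize;   /* pre-check indexing slot_type[i] */
	bool fixed_sanitize; /* pre-check indexing like the write path */
};

/* Byte slot for a fixed-offset write: -off - 1. */
static int write_slot(int off)
{
	return -off - 1;
}

/* slot_type[] index the write path updates for byte i of the write.
 * For a write contained in one 8-byte slot, slot - i is never negative. */
static int write_byte_index(int off, int i)
{
	return (write_slot(off) - i) % BPF_REG_SIZE;
}

/* Model assumption: a byte already tagged STACK_MISC or STACK_ZERO carries
 * nothing a speculative store bypass could expose; anything else (a spilled
 * pointer in particular) still requires sanitization. */
static bool byte_needs_sanitize(enum stack_slot_type t)
{
	return t != STACK_MISC && t != STACK_ZERO;
}

/* Pre-check as described before the fix: inspects slot_type[i]. */
static bool precheck_old(const struct slot_model *s, int off, int size)
{
	(void)off; /* the offset never enters the index, which is the bug */
	for (int i = 0; i < size; i++)
		if (byte_needs_sanitize(s->slot_type[i]))
			return true;
	return false;
}

/* Pre-check using the same index the write path uses. */
static bool precheck_fixed(const struct slot_model *s, int off, int size)
{
	for (int i = 0; i < size; i++)
		if (byte_needs_sanitize(s->slot_type[write_byte_index(off, i)]))
			return true;
	return false;
}

/* Record a write the way the write path does. */
static void apply_write(struct slot_model *s, int off, int size,
			enum stack_slot_type t)
{
	for (int i = 0; i < size; i++)
		s->slot_type[write_byte_index(off, i)] = t;
}

/* Scenario from the commit message: pointer spilled to fp-8, the four bytes
 * recorded at slot_type[0..3] then zeroed, and a 4-byte write at fp-8 that
 * actually overwrites slot_type[7..4]. */
static struct precheck_result run_scenario(void)
{
	struct slot_model s;
	struct precheck_result r;

	memset(&s, 0, sizeof(s));            /* STACK_INVALID everywhere */
	apply_write(&s, -8, 8, STACK_SPILL); /* 8-byte pointer spill at fp-8 */
	apply_write(&s, -4, 4, STACK_ZERO);  /* zeroes slot_type[3..0] */

	r.old_sanitize = precheck_old(&s, -8, 4);
	r.fixed_sanitize = precheck_fixed(&s, -8, 4);
	return r;
}

int main(void)
{
	struct precheck_result r = run_scenario();

	for (int i = 0; i < 4; i++)
		printf("write byte %d at fp-8 lands in slot_type[%d]\n",
		       i, write_byte_index(-8, i));
	printf("old pre-check requests sanitization:   %s\n",
	       r.old_sanitize ? "yes" : "no");
	printf("fixed pre-check requests sanitization: %s\n",
	       r.fixed_sanitize ? "yes" : "no");
	return 0;
}
```

With the old indexing the pre-check reads slot_type[0..3], all STACK_ZERO, and reports nothing to sanitize; the fixed indexing reads slot_type[7..4], the spilled pointer bytes the write is about to overwrite, and reports that sanitization is required.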