> -----Original Messages-----
> From: "Jiayuan Chen" <[email protected]>
> Send time: Wednesday, 17/06/2026 19:08:40
> To: "Nuoqi Gui" <[email protected]>, "Alexei Starovoitov"
> <[email protected]>, "Daniel Borkmann" <[email protected]>, "Andrii
> Nakryiko" <[email protected]>, "Eduard Zingerman" <[email protected]>, "Kumar
> Kartikeya Dwivedi" <[email protected]>, "Emil Tsalapatis"
> <[email protected]>
> Cc: "John Fastabend" <[email protected]>, "Martin KaFai Lau"
> <[email protected]>, "Luis Gerhorst" <[email protected]>, "Shuah Khan"
> <[email protected]>, [email protected], [email protected],
> [email protected]
> Subject: Re: [PATCH bpf 1/2] bpf: Fix stack slot index in nospec checks
>
>
> On 6/17/26 12:57 AM, Nuoqi Gui wrote:
> > check_stack_write_fixed_off() computes the byte slot for a fixed-offset
> > stack write as -off - 1, and records each written byte in slot_type[] with
> > (slot - i) % BPF_REG_SIZE.
> >
> > The Spectre v4 sanitization pre-check uses slot_type[i] instead. For a
> > 4-byte write at fp-8 after the lower half of fp-8 has been zeroed, the
> > pre-check scans bytes 0..3 and sees STACK_ZERO while the actual write
> > updates bytes 7..4. That can leave the second half-slot write without
> > nospec_result even though the bytes being overwritten still require
> > sanitization.
> >
> > Use the same slot index in the sanitization pre-check that the write path
> > uses when updating slot_type[].
> >
> > Fixes: e4f4db47794c ("bpf: Fix pointer-leak due to insufficient speculative
> > store bypass mitigation")
> > Signed-off-by: Nuoqi Gui <[email protected]>
>
>
> I think the Fixes tag should be 2039f26f3aca ("bpf: Fix leakage due to
> insufficient speculative store bypass mitigation") ?
>
> Otherwise, looks good to me.
>
> Reviewed-by: Jiayuan Chen <[email protected]>
Thanks.
I'll change the Fixes tag in v2 to:
Fixes: 2039f26f3aca ("bpf: Fix leakage due to insufficient
speculative store bypass mitigation")
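As an added illustration of the index mismatch the commit message describes (a standalone model written for this page, not code from the kernel or the patch): the write path maps byte i of a fixed-offset write to slot_type[(slot - i) % BPF_REG_SIZE] with slot = -off - 1, while the buggy pre-check reads slot_type[i]. The STACK_* values and the fp-8 slot contents below are constructed for the example.

```c
/* Model of check_stack_write_fixed_off() indexing, constructed for this
 * example; the enum values stand in for the verifier's own (assumption). */
#include <stdbool.h>
#include <stdio.h>

#define BPF_REG_SIZE 8

enum { STACK_INVALID = 0, STACK_SPILL, STACK_MISC, STACK_ZERO };

/* Byte index the write path records for byte i of a write at offset off. */
static int write_slot_byte(int off, int i)
{
	int slot = -off - 1;	/* e.g. off = -8 -> slot = 7 */
	return (slot - i) % BPF_REG_SIZE;
}

/* Spectre v4 pre-check: true when the write must get nospec_result.
 * use_write_index = false reproduces the bug (scan slot_type[i]);
 * use_write_index = true applies the fix (scan the bytes actually written). */
static bool needs_nospec(const unsigned char *slot_type, int off, int size,
			 bool use_write_index)
{
	for (int i = 0; i < size; i++) {
		int idx = use_write_index ? write_slot_byte(off, i) : i;
		unsigned char type = slot_type[idx];

		/* MISC and ZERO bytes are safe to overwrite; anything else
		 * (INVALID, SPILL, ...) requires sanitization. */
		if (type != STACK_MISC && type != STACK_ZERO)
			return true;
	}
	return false;
}

/* Scenario from the commit message: bytes 0..3 of the fp-8 slot are already
 * STACK_ZERO, bytes 4..7 were never written, then a 4-byte store hits fp-8. */
static bool scenario_needs_nospec(bool use_write_index)
{
	unsigned char fp8[BPF_REG_SIZE] = {
		STACK_ZERO, STACK_ZERO, STACK_ZERO, STACK_ZERO,
		STACK_INVALID, STACK_INVALID, STACK_INVALID, STACK_INVALID,
	};
	return needs_nospec(fp8, -8, 4, use_write_index);
}

int main(void)
{
	printf("write touches bytes %d..%d\n", write_slot_byte(-8, 0), write_slot_byte(-8, 3));
	printf("buggy pre-check sets nospec_result: %d\n", scenario_needs_nospec(false));
	printf("fixed pre-check sets nospec_result: %d\n", scenario_needs_nospec(true));
	return 0;
}
```

The buggy scan sees only the zeroed bytes 0..3 and skips sanitization, while the fixed scan sees the STACK_INVALID bytes 7..4 that the store actually overwrites.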