[PATCH v3 1/6] bpf/x86: fix JIT encoding of BPF_JSET with immediate

Marat Khalili marat.khalili at huawei.com
Tue Jun 23 12:11:22 CEST 2026


With the condition that the commit message is proofread,

Acked-by: Marat Khalili <marat.khalili at huawei.com>

> -----Original Message-----
> From: Stephen Hemminger <stephen at networkplumber.org>
> Sent: Sunday 21 June 2026 17:24
> To: dev at dpdk.org
> Cc: Stephen Hemminger <stephen at networkplumber.org>; stable at dpdk.org; Konstantin Ananyev
> <konstantin.ananyev at huawei.com>; Marat Khalili <marat.khalili at huawei.com>; Ferruh Yigit
> <ferruh.yigit at amd.com>
> Subject: [PATCH v3 1/6] bpf/x86: fix JIT encoding of BPF_JSET with immediate
> 
> Several places in the x86 JIT code assume that for small immediate
> values the instruction size is one byte; but it is not.
> 
> The immediate form of the instruction takes a 32-bit value.
> The broken version of emit_tst_imm() emits TEST (0xF7 /0)
> but sized the immediate with imm_size(), which can return 1 byte.
> 
> A small mask like BPF_JSET | BPF_K #0x1 then produced a
> 4-byte instruction the CPU decodes as 7,
> swallowing the following Jcc and crashing.
> 
> Always emit a 32-bit immediate for TEST, ROR and SHIFT.

The commit message needs to be LLMed for typos and factual mistakes.

> 
> Bugzilla ID: 1959
> Fixes: cc752e43e079 ("bpf: add JIT compilation for x86_64 ISA")
> Cc: stable at dpdk.org
> 
> Signed-off-by: Stephen Hemminger <stephen at networkplumber.org>
> ---
>  lib/bpf/bpf_jit_x86.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/lib/bpf/bpf_jit_x86.c b/lib/bpf/bpf_jit_x86.c
> index 88b1b5aeab..b14a574703 100644
> --- a/lib/bpf/bpf_jit_x86.c
> +++ b/lib/bpf/bpf_jit_x86.c
> @@ -300,7 +300,7 @@ emit_ror_imm(struct bpf_jit_state *st, uint32_t dreg, uint32_t imm)
>  	emit_rex(st, BPF_ALU, 0, dreg);
>  	emit_bytes(st, &ops, sizeof(ops));
>  	emit_modregrm(st, MOD_DIRECT, mods, dreg);
> -	emit_imm(st, imm, imm_size(imm));
> +	emit_imm(st, imm, sizeof(uint8_t));

The fix appears to be correct, although this function was only ever called with
imm == 8, so the problem was not reproducible.

>  }
> 
>  /*
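Review bot: the commit message's closing line, "Always emit a 32-bit immediate for TEST, ROR and SHIFT", contradicts this hunk, which switches emit_ror_imm() to a fixed one-byte immediate; a rotate by immediate count (C1 /1 ib) does take an 8-bit count field, so the code is right and the message should say that only TEST gets a 32-bit immediate while ROR and the shifts get a fixed 8-bit one. A one-line comment above the emit_imm() call naming that encoding would keep the next reader from "fixing" sizeof(uint8_t) back to imm_size(imm).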
> @@ -441,7 +441,7 @@ emit_shift_imm(struct bpf_jit_state *st, uint32_t op, uint32_t dreg,
>  	uint32_t imm)
>  {
>  	emit_shift(st, op, dreg);
> -	emit_imm(st, imm, imm_size(imm));
> +	emit_imm(st, imm, sizeof(uint8_t));

The fix appears to be correct; I would welcome a test reproducing the problem.

>  }
> 
>  /*
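Review bot: emit_shift_imm() goes to a fixed 8-bit immediate as well, which is what the shift-by-immediate encodings (C1 /4, /5, /7 ib) take; since a BPF shift count is at most 63, the old imm_size(imm) presumably already chose one byte here, so this hunk hardens the emitter rather than changing behaviour, and the commit message should not list SHIFT among the 32-bit cases. Nothing in the hunk bounds imm before emit_imm(); if the verifier already rejects counts of 64 or more, a comment saying so would help, otherwise an (imm & 63) mask or an assert belongs in front of the emit.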
> @@ -921,7 +921,7 @@ emit_tst_imm(struct bpf_jit_state *st, uint32_t op, uint32_t dreg, uint32_t imm)
>  	emit_rex(st, op, 0, dreg);
>  	emit_bytes(st, &ops, sizeof(ops));
>  	emit_modregrm(st, MOD_DIRECT, mods, dreg);
> -	emit_imm(st, imm, imm_size(imm));
> +	emit_imm(st, imm, sizeof(int32_t));

The fix appears to be correct.

>  }
> 
>  static void
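Review bot: sizeof(int32_t) is the right width for TEST r/m64, imm32 (F7 /0 id) and accounts for the 4-byte-emitted, 7-byte-decoded mismatch the commit message describes. One caveat worth a comment: when emit_rex() sets REX.W for a 64-bit op, the CPU sign-extends the imm32, so a 64-bit BPF_JSET mask with bit 31 set tests 0xFFFFFFFF80000000 rather than 0x0000000080000000; that matches BPF's own sign-extension of 32-bit immediates, but it is the one site in this patch where the immediate width has a semantic side effect rather than only a length one. It is also worth checking whether imm_size() still has callers after this hunk; if not, it should go with this series.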
> --
> 2.53.0
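The mis-decoding the commit message describes, shown as an added example written for this page: it is not DPDK code and nothing below is taken from lib/bpf/bpf_jit_x86.c. The emitter, the length decoder, the imm_size() stand-in and all function names are constructed for illustration. It emits a TEST with either a one-byte or a four-byte immediate, followed by a JNE and a ROR, and then walks the bytes the way the CPU's decoder would: with the one-byte form the decoder reads seven bytes for the TEST and the JNE disappears into its immediate.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed example, not DPDK's bpf_jit_x86.c: a tiny emitter for the
 * instruction shapes the patch touches and a minimal x86-64 length decoder
 * (register-direct forms only). All names here are hypothetical. */

#define REX_W 0x48

struct code { uint8_t b[32]; size_t n; };

static void put(struct code *c, uint8_t v) { c->b[c->n++] = v; }

static void put_imm(struct code *c, uint32_t imm, size_t size)
{
	for (size_t i = 0; i < size; i++)
		put(c, (uint8_t)(imm >> (8 * i)));          /* little-endian */
}

/* Stand-in for the JIT's imm_size(): 1 byte if the value fits in imm8, else 4. */
size_t imm_size(int32_t imm)
{
	return (imm >= -128 && imm <= 127) ? 1 : 4;
}

/* TEST r/m64, imm32 = REX.W F7 /0 id. The CPU always reads four immediate
 * bytes; `isz` lets the example reproduce the buggy one-byte emission. */
static void emit_test_imm(struct code *c, unsigned reg, uint32_t imm, size_t isz)
{
	put(c, REX_W | ((reg >> 3) & 1));
	put(c, 0xF7);
	put(c, 0xC0 | (reg & 7));                           /* mod=11, /0 */
	put_imm(c, imm, isz);
}

/* ROR r/m64, imm8 = REX.W C1 /1 ib: the count field is always one byte. */
static void emit_ror_imm(struct code *c, unsigned reg, uint8_t imm)
{
	put(c, REX_W | ((reg >> 3) & 1));
	put(c, 0xC1);
	put(c, 0xC0 | (1 << 3) | (reg & 7));
	put_imm(c, imm, 1);
}

/* JNE rel8 = 75 cb */
static void emit_jne(struct code *c, int8_t rel) { put(c, 0x75); put(c, (uint8_t)rel); }

/* Bytes the decoder consumes for the instruction at p; 0 if unrecognised. */
size_t insn_len(const uint8_t *p, size_t avail)
{
	size_t i = 0;
	if (avail && (p[i] & 0xF0) == 0x40) i++;            /* REX prefix */
	if (i >= avail) return 0;
	uint8_t op = p[i++];
	if (op == 0xF7 || op == 0xC1) {
		if (i >= avail) return 0;
		uint8_t modrm = p[i++];
		if ((modrm >> 6) != 3) return 0;
		if (op == 0xC1) return i + 1;                   /* Grp2: imm8 count */
		return ((modrm >> 3) & 7) <= 1 ? i + 4 : i;     /* Grp3: /0,/1 = TEST imm32 */
	}
	if ((op & 0xF0) == 0x70) return i + 1;              /* Jcc rel8 */
	return 0;
}

/* Emit "test rax, mask; jne +4; ror rax, 8" with `isz` immediate bytes on
 * the TEST and count the instructions the decoder sees: 3 with the fixed
 * four-byte immediate, 2 with the buggy one-byte form (the JNE and the
 * ROR's REX prefix are absorbed into TEST's imm32); -1 if decoding runs
 * past the buffer. */
int decoded_insn_count(size_t isz, uint32_t mask)
{
	struct code c = { {0}, 0 };
	emit_test_imm(&c, 0, mask, isz);
	emit_jne(&c, 4);
	emit_ror_imm(&c, 0, 8);
	int count = 0;
	for (size_t pos = 0; pos < c.n; count++) {
		size_t len = insn_len(c.b + pos, c.n - pos);
		if (len == 0 || pos + len > c.n) return -1;
		pos += len;
	}
	return count;
}

/* Length of a lone TEST as emitted, and as the decoder reads it. */
size_t test_emitted_len(size_t isz, uint32_t mask)
{
	struct code c = { {0}, 0 };
	emit_test_imm(&c, 0, mask, isz);
	return c.n;
}

size_t test_decoded_len(size_t isz, uint32_t mask)
{
	struct code c = { {0}, 0 };
	emit_test_imm(&c, 0, mask, isz);
	return insn_len(c.b, sizeof(c.b));   /* zero padding stands in for whatever follows */
}

int main(void)
{
	printf("imm8 TEST: emitted %zu, decoded %zu, %d insns seen\n",
	       test_emitted_len(imm_size(1), 1), test_decoded_len(imm_size(1), 1),
	       decoded_insn_count(imm_size(1), 1));
	printf("imm32 TEST: emitted %zu, decoded %zu, %d insns seen\n",
	       test_emitted_len(4, 1), test_decoded_len(4, 1), decoded_insn_count(4, 1));
	return 0;
}
```

Running it reproduces the commit message's numbers for a mask of 1: the buggy TEST is four bytes on emission but seven to the decoder, so the JNE after it is never executed, while a mask such as 0x100 was never affected because imm_size() already returned 4 for it.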
