patch 'bpf: fix starting with conditional jump' has been queued to stable release 24.11.5
luca.boccassi at gmail.com
luca.boccassi at gmail.com
Fri Feb 20 15:56:06 CET 2026
Hi,
FYI, your patch has been queued to stable release 24.11.5
Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 02/22/26. So please
shout if anyone has objections.
Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.
Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable
This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/0ea1d74f8aca3d58939ddcf4c28a4346e864d13c
Thanks.
Luca Boccassi
---
>From 0ea1d74f8aca3d58939ddcf4c28a4346e864d13c Mon Sep 17 00:00:00 2001
From: Marat Khalili <marat.khalili at huawei.com>
Date: Tue, 27 Jan 2026 11:49:42 +0000
Subject: [PATCH] bpf: fix starting with conditional jump
[ upstream commit 5b3ef932bee6da8b40ed54f41ef7185240833dde ]
When the BPF program was starting with a conditional jump only one
(true) execution branch of the program was evaluated. Any instructions
jumped over were not evaluated and could contain invalid operations.
The root cause was using zero instruction index as a signal for ending
evaluation when backtracking.
Switch from using previous instruction index for tracking execution
history to a previous instruction pointer. First instruction will not
have it set, and therefore backtracking _from_ it will end evaluation,
not backtracking _to_ it like before.
Add two tests demonstrating the problem:
* test_jump_over_invalid_first: loads BPF program with
conditional jump over the invalid operation, should not succeed;
* test_jump_over_invalid_non_first: same program with one extra
instruction at the start to demonstrate that it is indeed invalid
(and also guard against another kind of regression);
Fixes: 6e12ec4c4d6d ("bpf: add more checks")
Signed-off-by: Marat Khalili <marat.khalili at huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
Tested-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
Acked-by: Stephen Hemminger <stephen at networkplumber.org>
---
app/test/test_bpf.c | 80 ++++++++++++++++++++++++++++++++++++++++++
lib/bpf/bpf_validate.c | 20 ++++-------
2 files changed, 86 insertions(+), 14 deletions(-)
diff --git a/app/test/test_bpf.c b/app/test/test_bpf.c
index a983f90861..7a59db5ea3 100644
--- a/app/test/test_bpf.c
+++ b/app/test/test_bpf.c
@@ -206,6 +206,86 @@ test_subtract_one(void)
REGISTER_FAST_TEST(bpf_subtract_one_autotest, NOHUGE_OK, ASAN_OK, test_subtract_one);
+/*
+ * Conditionally jump over invalid operation as first instruction.
+ */
+static int
+test_jump_over_invalid_first(void)
+{
+ static const struct ebpf_insn ins[] = {
+ {
+ /* Jump over the next instruction for some r1. */
+ .code = (BPF_JMP | BPF_JEQ | BPF_K),
+ .dst_reg = EBPF_REG_1,
+ .imm = 42,
+ .off = 1,
+ },
+ {
+ /* Write 0xDEADBEEF to [r1 + INT16_MIN]. */
+ .code = (BPF_ST | BPF_MEM | EBPF_DW),
+ .dst_reg = EBPF_REG_1,
+ .off = INT16_MIN,
+ .imm = 0xDEADBEEF,
+ },
+ {
+ /* Set return value to the program argument. */
+ .code = (EBPF_ALU64 | EBPF_MOV | BPF_X),
+ .src_reg = EBPF_REG_1,
+ .dst_reg = EBPF_REG_0,
+ },
+ {
+ .code = (BPF_JMP | EBPF_EXIT),
+ },
+ };
+ return bpf_load_test(RTE_DIM(ins), ins, EINVAL);
+}
+
+REGISTER_FAST_TEST(bpf_jump_over_invalid_first_autotest, NOHUGE_OK, ASAN_OK,
+ test_jump_over_invalid_first);
+
+/*
+ * Conditionally jump over invalid operation as non-first instruction.
+ */
+static int
+test_jump_over_invalid_non_first(void)
+{
+ static const struct ebpf_insn ins[] = {
+ {
+ /* Set return value to the program argument. */
+ .code = (EBPF_ALU64 | EBPF_MOV | BPF_X),
+ .src_reg = EBPF_REG_1,
+ .dst_reg = EBPF_REG_0,
+ },
+ {
+ /* Jump over the next instruction for some r1. */
+ .code = (BPF_JMP | BPF_JEQ | BPF_K),
+ .dst_reg = EBPF_REG_1,
+ .imm = 42,
+ .off = 1,
+ },
+ {
+ /* Write 0xDEADBEEF to [r1 + INT16_MIN]. */
+ .code = (BPF_ST | BPF_MEM | EBPF_DW),
+ .dst_reg = EBPF_REG_1,
+ .off = INT16_MIN,
+ .imm = 0xDEADBEEF,
+ },
+ {
+ /* Set return value to the program argument. */
+ .code = (EBPF_ALU64 | EBPF_MOV | BPF_X),
+ .src_reg = EBPF_REG_1,
+ .dst_reg = EBPF_REG_0,
+ },
+ {
+ .code = (BPF_JMP | EBPF_EXIT),
+ },
+ };
+ return bpf_load_test(RTE_DIM(ins), ins, EINVAL);
+}
+
+REGISTER_FAST_TEST(bpf_jump_over_invalid_non_first_autotest, NOHUGE_OK, ASAN_OK,
+ test_jump_over_invalid_non_first);
+
/*
* Basic functional tests for librte_bpf.
* The main procedure - load eBPF program, execute it and
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 47ad6fef0f..64a8f227a3 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -64,7 +64,7 @@ struct inst_node {
uint8_t cur_edge:4;
uint8_t edge_type[MAX_EDGES];
uint32_t edge_dest[MAX_EDGES];
- uint32_t prev_node;
+ struct inst_node *prev_node;
struct {
struct bpf_eval_state *cur; /* save/restore for jcc targets */
struct bpf_eval_state *start;
@@ -1875,12 +1875,6 @@ set_edge_type(struct bpf_verifier *bvf, struct inst_node *node,
bvf->edge_type[type]++;
}
-static struct inst_node *
-get_prev_node(struct bpf_verifier *bvf, struct inst_node *node)
-{
- return bvf->in + node->prev_node;
-}
-
/*
* Depth-First Search (DFS) through previously constructed
* Control Flow Graph (CFG).
@@ -1916,7 +1910,7 @@ dfs(struct bpf_verifier *bvf)
if (next != NULL) {
/* proceed with next child */
- next->prev_node = get_node_idx(bvf, node);
+ next->prev_node = node;
node = next;
} else {
/*
@@ -1925,7 +1919,7 @@ dfs(struct bpf_verifier *bvf)
*/
set_node_colour(bvf, node, BLACK);
node->cur_edge = 0;
- node = get_prev_node(bvf, node);
+ node = node->prev_node;
}
} else
node = NULL;
@@ -2490,7 +2484,7 @@ evaluate(struct bpf_verifier *bvf)
next = NULL;
stats.nb_prune++;
} else {
- next->prev_node = get_node_idx(bvf, node);
+ next->prev_node = node;
node = next;
}
} else {
@@ -2501,11 +2495,9 @@ evaluate(struct bpf_verifier *bvf)
*/
node->cur_edge = 0;
save_safe_eval_state(bvf, node);
- node = get_prev_node(bvf, node);
+ node = node->prev_node;
- /* finished */
- if (node == bvf->in)
- node = NULL;
+ /* first node will not have prev, signalling finish */
}
}
--
2.47.3
---
Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- - 2026-02-20 14:55:45.716526825 +0000
+++ 0064-bpf-fix-starting-with-conditional-jump.patch 2026-02-20 14:55:43.252191888 +0000
@@ -1 +1 @@
-From 5b3ef932bee6da8b40ed54f41ef7185240833dde Mon Sep 17 00:00:00 2001
+From 0ea1d74f8aca3d58939ddcf4c28a4346e864d13c Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit 5b3ef932bee6da8b40ed54f41ef7185240833dde ]
+
@@ -25 +26,0 @@
-Cc: stable at dpdk.org
@@ -37 +38 @@
-index f4002ac199..cf49a13394 100644
+index a983f90861..7a59db5ea3 100644
@@ -40 +41 @@
-@@ -208,6 +208,86 @@ test_subtract_one(void)
+@@ -206,6 +206,86 @@ test_subtract_one(void)
@@ -128 +129 @@
-index d015eab915..e8dbec2827 100644
+index 47ad6fef0f..64a8f227a3 100644
@@ -140 +141 @@
-@@ -1885,12 +1885,6 @@ set_edge_type(struct bpf_verifier *bvf, struct inst_node *node,
+@@ -1875,12 +1875,6 @@ set_edge_type(struct bpf_verifier *bvf, struct inst_node *node,
@@ -153 +154 @@
-@@ -1926,7 +1920,7 @@ dfs(struct bpf_verifier *bvf)
+@@ -1916,7 +1910,7 @@ dfs(struct bpf_verifier *bvf)
@@ -162 +163 @@
-@@ -1935,7 +1929,7 @@ dfs(struct bpf_verifier *bvf)
+@@ -1925,7 +1919,7 @@ dfs(struct bpf_verifier *bvf)
@@ -171 +172 @@
-@@ -2500,7 +2494,7 @@ evaluate(struct bpf_verifier *bvf)
+@@ -2490,7 +2484,7 @@ evaluate(struct bpf_verifier *bvf)
@@ -180 +181 @@
-@@ -2511,11 +2505,9 @@ evaluate(struct bpf_verifier *bvf)
+@@ -2501,11 +2495,9 @@ evaluate(struct bpf_verifier *bvf)
More information about the stable
mailing list