patch 'bpf/validate: fix BPF_XOR signed min calculation' has been queued to stable release 24.11.7

luca.boccassi at gmail.com luca.boccassi at gmail.com
Mon Jul 6 12:21:12 CEST 2026


Hi,

FYI, your patch has been queued to stable release 24.11.7

Note it hasn't been pushed to http://dpdk.org/browse/dpdk-stable yet.
It will be pushed if I get no objections before 07/05/26. So please
shout if anyone has objections.

Also note that after the patch there's a diff of the upstream commit vs the
patch applied to the branch. This will indicate if there was any rebasing
needed to apply to the stable branch. If there were code changes for rebasing
(ie: not only metadata diffs), please double check that the rebase was
correctly done.

Queued patches are on a temporary branch at:
https://github.com/bluca/dpdk-stable

This queued commit can be viewed at:
https://github.com/bluca/dpdk-stable/commit/e122eb78996217c7a9ecab9360f008cc6cb24c3b

Thanks.

Luca Boccassi

---
>From e122eb78996217c7a9ecab9360f008cc6cb24c3b Mon Sep 17 00:00:00 2001
From: Marat Khalili <marat.khalili at huawei.com>
Date: Wed, 24 Jun 2026 13:17:55 +0100
Subject: [PATCH] bpf/validate: fix BPF_XOR signed min calculation

[ upstream commit abdbaa35eed82219cfbc65a4cd79b969cbd58f08 ]

Function `eval_xor` calculated signed minimum using essentially unsigned
algorithm as long as any of the operands have non-negative range, which
is incorrect since it ignores any negative numbers that may have the
sign or any other bits set.

E.g. consider the following program with the current validation code:

    Tested program:
        0:  mov r0, #0x0
        1:  ldxdw r2, [r1 + 0]
        2:  jsgt r2, #0x0, L5
        3:  xor r2, #0x0  ; tested instruction
        4:  mov r0, #0x1
        5:  exit
    Pre-state:
       r2:  INT64_MIN..0
    Post-state:
       r2:  0

After the tested instruction validator considers r2 to equal 0, however
if -1 was loaded on step 1 it is possible for it to be -1.

Set signed range to full if any of the operands can be negative,
otherwise (if both operands are non-negative) use same algorithm as for
unsigned numbers. Add test.

Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")

Reported-by: Claudia Cauli <claudiacauli at gmail.com>
Signed-off-by: Marat Khalili <marat.khalili at huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev at huawei.com>
---
 lib/bpf/bpf_validate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 09d610eaa3..cc8a4baf4b 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -490,7 +490,7 @@ eval_xor(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
 		rd->s.max ^= rs->s.max;
 
 	/* both operands are non-negative */
-	} else if (rd->s.min >= 0 || rs->s.min >= 0) {
+	} else if (rd->s.min >= 0 && rs->s.min >= 0) {
 		rd->s.max = eval_uor_max(rd->s.max, rs->s.max, opsz);
 		rd->s.min = 0;
 	} else
-- 
2.47.3

---
  Diff of the applied patch vs upstream commit (please double-check if non-empty:
---
--- -	2026-07-03 12:55:49.709482408 +0100
+++ 0080-bpf-validate-fix-BPF_XOR-signed-min-calculation.patch	2026-07-03 12:55:46.730575555 +0100
@@ -1 +1 @@
-From abdbaa35eed82219cfbc65a4cd79b969cbd58f08 Mon Sep 17 00:00:00 2001
+From e122eb78996217c7a9ecab9360f008cc6cb24c3b Mon Sep 17 00:00:00 2001
@@ -5,0 +6,2 @@
+[ upstream commit abdbaa35eed82219cfbc65a4cd79b969cbd58f08 ]
+
@@ -33 +34,0 @@
-Cc: stable at dpdk.org
@@ -39,32 +40,3 @@
- app/test/test_bpf_validate.c | 17 +++++++++++++++++
- lib/bpf/bpf_validate.c       |  2 +-
- 2 files changed, 18 insertions(+), 1 deletion(-)
-
-diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
-index 5cf8d99eff..3f6747eaf6 100644
---- a/app/test/test_bpf_validate.c
-+++ b/app/test/test_bpf_validate.c
-@@ -1764,6 +1764,23 @@ test_alu64_sub_x_src_signed_max_zero(void)
- REGISTER_FAST_TEST(bpf_validate_alu64_sub_x_src_signed_max_zero_autotest, NOHUGE_OK, ASAN_OK,
- 	test_alu64_sub_x_src_signed_max_zero);
- 
-+/* 64-bit bitwise XOR between a negative scalar range and zero immediate. */
-+static int
-+test_alu64_xor_k_negative(void)
-+{
-+	return verify_instruction((struct verify_instruction_param){
-+		.tested_instruction = {
-+			.code = (EBPF_ALU64 | BPF_XOR | BPF_K),
-+			.imm = 0,
-+		},
-+		.pre.dst = make_signed_domain(INT64_MIN, 0),
-+		.post.dst = unknown,
-+	});
-+}
-+
-+REGISTER_FAST_TEST(bpf_validate_alu64_xor_k_negative_autotest, NOHUGE_OK, ASAN_OK,
-+	test_alu64_xor_k_negative);
-+
- /* Jump if greater than immediate. */
- static int
- test_jmp64_jeq_k(void)
+ lib/bpf/bpf_validate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
@@ -72 +44 @@
-index 131a5468db..03c590c753 100644
+index 09d610eaa3..cc8a4baf4b 100644
@@ -75 +47 @@
-@@ -910,7 +910,7 @@ eval_xor(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
+@@ -490,7 +490,7 @@ eval_xor(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,


More information about the stable mailing list