Cfg jset fix #9116

eddyz87 · 2025-06-13T17:33:48Z

No description provided.

BPF_JSET is a conditional jump and currently verifier.c:can_jump() does not know about that. This can lead to incorrect live registers and SCC computation. E.g. in the following example: 1: r0 = 1; 2: r2 = 2; 3: if r1 & 0x7 goto +1; 4: exit; 5: r0 = r2; 6: exit; W/o this fix insn_successors(3) will return only (4), a jump to (5) would be missed and r2 won't be marked as alive at (3). Fixes: 14c8552 ("bpf: simple DFA-based live registers analysis") Reported-by: [email protected] Suggested-by: Alexei Starovoitov <[email protected]> Signed-off-by: Eduard Zingerman <[email protected]>

A test case to check if both branches of jset are explored when computing program CFG. At 'if r1 & 0x7 ...': - register 'r2' is computed alive only if jump branch of jset instruction is followed; - register 'r0' is computed alive only if fallthrough branch of jset instruction is followed. Signed-off-by: Eduard Zingerman <[email protected]>

kernel-patches-daemon-bpf · 2025-06-20T17:24:58Z

Automatically cleaning up stale PR; feel free to reopen if needed

eddyz87 added 2 commits June 13, 2025 10:12

kernel-patches-daemon-bpf bot force-pushed the bpf-next_base branch 9 times, most recently from 7801208 to a994d4a Compare June 19, 2025 16:57

kernel-patches-daemon-bpf bot closed this Jun 20, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cfg jset fix #9116

Cfg jset fix #9116

Uh oh!

eddyz87 commented Jun 13, 2025

Uh oh!

kernel-patches-daemon-bpf bot commented Jun 20, 2025

Uh oh!

Uh oh!

Cfg jset fix #9116

Cfg jset fix #9116

Uh oh!

Conversation

eddyz87 commented Jun 13, 2025

Uh oh!

kernel-patches-daemon-bpf bot commented Jun 20, 2025

Uh oh!

Uh oh!