With the condition that the commit message is proofread, Acked-by: Marat Khalili <[email protected]>
> -----Original Message----- > From: Stephen Hemminger <[email protected]> > Sent: Sunday 21 June 2026 17:24 > To: [email protected] > Cc: Stephen Hemminger <[email protected]>; [email protected]; > Konstantin Ananyev > <[email protected]>; Marat Khalili <[email protected]>; > Ferruh Yigit > <[email protected]> > Subject: [PATCH v3 1/6] bpf/x86: fix JIT encoding of BPF_JSET with immediate > > Several places in x86 JIT code assume that for small immediate > values the instruction size is one byte; but it is not. > > The immediate form of the instruction takes a 32-bit value. > The broken version of emit_tst_imm() emits TEST (0xF7 /0) > but sized the immediate with imm_size(), which can return 1 byte. > > A small mask like BPF_JSET | BPF_K #0x1 then produced a > 4-byte instruction the CPU decodes as 7, > swallowing the following Jcc and crashing. > > Always emit a 32-bit immediate for TEST, ROR and SHIFT. The commit message needs to be LLMed for typos and factual mistakes. > > Bugzilla ID: 1959 > Fixes: cc752e43e079 ("bpf: add JIT compilation for x86_64 ISA") > Cc: [email protected] > > Signed-off-by: Stephen Hemminger <[email protected]> > --- > lib/bpf/bpf_jit_x86.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/lib/bpf/bpf_jit_x86.c b/lib/bpf/bpf_jit_x86.c > index 88b1b5aeab..b14a574703 100644 > --- a/lib/bpf/bpf_jit_x86.c > +++ b/lib/bpf/bpf_jit_x86.c > @@ -300,7 +300,7 @@ emit_ror_imm(struct bpf_jit_state *st, uint32_t dreg, > uint32_t imm) > emit_rex(st, BPF_ALU, 0, dreg); > emit_bytes(st, &ops, sizeof(ops)); > emit_modregrm(st, MOD_DIRECT, mods, dreg); > - emit_imm(st, imm, imm_size(imm)); > + emit_imm(st, imm, sizeof(uint8_t)); The fix appears to be correct, although this function was only ever called with imm == 8, so the problem was not reproducible. > } > > /* 
> @@ -441,7 +441,7 @@ emit_shift_imm(struct bpf_jit_state *st, uint32_t op, > uint32_t dreg, > uint32_t imm) > { > emit_shift(st, op, dreg); > - emit_imm(st, imm, imm_size(imm)); > + emit_imm(st, imm, sizeof(uint8_t)); The fix appears to be correct; I would welcome a test reproducing the problem. > } > > /* > @@ -921,7 +921,7 @@ emit_tst_imm(struct bpf_jit_state *st, uint32_t op, > uint32_t dreg, uint32_t imm) > emit_rex(st, op, 0, dreg); > emit_bytes(st, &ops, sizeof(ops)); > emit_modregrm(st, MOD_DIRECT, mods, dreg); > - emit_imm(st, imm, imm_size(imm)); > + emit_imm(st, imm, sizeof(int32_t)); The fix appears to be correct. > } > > static void > -- > 2.53.0
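Review bot: in the emit_ror_imm() hunk (@@ -300,7) the commit message does not match the code: it says a 32-bit immediate is now always emitted for TEST, ROR and SHIFT, but this hunk passes sizeof(uint8_t) to emit_imm(), which is the correct width for ROR r/m64, imm8 (REX.W C1 /1 ib), so the message, not the code, needs rewording, and the subject line should say that the ROR and shift encodings are fixed alongside BPF_JSET. With the width now fixed at one byte, emit_imm() will silently drop any bits above 255; since a 64-bit rotate count is at most 63 and the only caller passes 8, a short comment or an RTE_ASSERT(imm < 64) next to the call would record why imm8 is sufficient.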
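Review bot: in the emit_shift_imm() hunk (@@ -441,7) sizeof(uint8_t) matches the imm8 form of SHL/SHR/SAR (REX.W C1 /4, /5, /7 ib), so the commit message's claim of a 32-bit immediate for SHIFT is wrong here as well and should be corrected. For the test requested above: the old width came from imm_size(imm), so a reproducer would JIT BPF_ALU64 | BPF_LSH | BPF_K (or RSH/ARSH) with a count for which imm_size() returns 4 rather than 1, follow it with another instruction, and compare the JIT result against the interpreter; if no count below 64 makes imm_size() return 4, the old code never emitted a bad shift and this hunk is a cleanup, which the commit message should say.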
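Review bot: in the emit_tst_imm() hunk (@@ -921,7) sizeof(int32_t) is the right width for TEST r/m64, imm32 (REX.W F7 /0 id), but the CPU sign-extends that imm32 to 64 bits, which matches eBPF's sign-extension of the 32-bit K operand for 64-bit jumps; a one-line comment at the emit_imm() call saying so would stop the next reader from expecting a mask such as 0x80000000 to be zero-extended. A regression test for Bugzilla ID 1959 can JIT BPF_JMP | BPF_JSET | BPF_K with imm 1 followed by a branch target and check that the program returns the interpreter's value instead of faulting, which is the crash the commit message describes: with a 1-byte immediate the Jcc bytes were consumed as the remaining three bytes of the imm32.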


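The failure the commit message describes, shown as an added example that is not part of the patch or of DPDK: a small encoder for TEST r/m64, imm32, SHL r/m64, imm8 and JNE rel8 (hypothetical helper names, not the emit_* functions in lib/bpf/bpf_jit_x86.c; little-endian host assumed), plus a length decoder for just those forms that walks the buffer the way the CPU would. The byte sequences are constructed inline. Emitting TEST with a one-byte immediate yields four bytes that the decoder reads as seven, so the following JNE vanishes into the immediate field and the SHL is decoded next; with the four-byte immediate all three instructions survive.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in encoders for this example (hypothetical names, not DPDK's emit_*).
 * Register-direct operands only; immediates written little-endian. */

/* TEST r/m64, imm32: REX.W F7 /0 id.  imm_bytes is the width actually written:
 * 1 reproduces the old imm_size() bug, 4 is the correct encoding. */
static size_t emit_test_imm(uint8_t *out, unsigned reg, int32_t imm, size_t imm_bytes)
{
	size_t n = 0;
	out[n++] = 0x48 | ((reg >> 3) & 1);   /* REX.W (+REX.B for r8..r15) */
	out[n++] = 0xF7;                      /* group-3 opcode */
	out[n++] = 0xC0 | (reg & 7);          /* ModRM: mod=11, /0 = TEST, rm=reg */
	memcpy(out + n, &imm, imm_bytes);     /* low bytes of imm, little-endian host assumed */
	return n + imm_bytes;
}

/* SHL r/m64, imm8: REX.W C1 /4 ib (the immediate is always one byte). */
static size_t emit_shl_imm(uint8_t *out, unsigned reg, uint8_t imm)
{
	out[0] = 0x48 | ((reg >> 3) & 1);
	out[1] = 0xC1;
	out[2] = 0xC0 | (4 << 3) | (reg & 7);  /* ModRM: mod=11, /4 = SHL */
	out[3] = imm;
	return 4;
}

/* JNE rel8: 75 cb */
static size_t emit_jne_rel8(uint8_t *out, int8_t rel)
{
	out[0] = 0x75;
	out[1] = (uint8_t)rel;
	return 2;
}

/* Length of one instruction, for exactly the forms above: optional REX;
 * 70..7F rel8; F7 /0 or /1 imm32 (other F7 /r none); C1 /r imm8.  0 = unknown. */
static size_t insn_len(const uint8_t *p, size_t avail)
{
	size_t n = 0;
	if (avail == 0)
		return 0;
	if ((p[0] & 0xF0) == 0x40)
		n++;                               /* REX prefix */
	if (n >= avail)
		return 0;
	uint8_t op = p[n];
	if ((op & 0xF0) == 0x70)
		return n + 2;                      /* Jcc rel8 */
	if (n + 1 >= avail || (p[n + 1] >> 6) != 3)
		return 0;                          /* only register-direct ModRM handled */
	unsigned ext = (p[n + 1] >> 3) & 7;
	if (op == 0xF7)
		return n + 2 + (ext <= 1 ? 4 : 0); /* TEST carries imm32, NOT/NEG/MUL/DIV do not */
	if (op == 0xC1)
		return n + 3;                      /* shift/rotate by imm8 */
	return 0;
}

struct decode_result {
	int insns;        /* instructions decoded */
	int saw_jcc;      /* 1 if a Jcc was decoded as an instruction start */
	size_t consumed;  /* bytes consumed before stopping */
};

/* Decode the buffer sequentially, as the CPU front end would. */
static struct decode_result decode_stream(const uint8_t *buf, size_t len)
{
	struct decode_result r = { 0, 0, 0 };
	size_t off = 0;
	while (off < len) {
		size_t l = insn_len(buf + off, len - off);
		if (l == 0 || off + l > len)
			break;
		size_t rex = ((buf[off] & 0xF0) == 0x40) ? 1 : 0;
		if ((buf[off + rex] & 0xF0) == 0x70)
			r.saw_jcc = 1;
		off += l;
		r.insns++;
	}
	r.consumed = off;
	return r;
}

/* The BPF_JSET | BPF_K #0x1 pattern: TEST rdx, 1 ; JNE +5 ; SHL rdx, 8
 * (constructed sample), emitted with the given TEST immediate width. */
static struct decode_result jset_sequence(size_t test_imm_bytes)
{
	uint8_t buf[32];
	size_t n = 0;
	n += emit_test_imm(buf + n, 2 /* rdx */, 1, test_imm_bytes);
	n += emit_jne_rel8(buf + n, 5);
	n += emit_shl_imm(buf + n, 2, 8);
	return decode_stream(buf, n);
}

int main(void)
{
	struct decode_result bad = jset_sequence(1), good = jset_sequence(4);
	printf("imm8 : %d insns, jcc seen=%d, %zu bytes\n", bad.insns, bad.saw_jcc, bad.consumed);
	printf("imm32: %d insns, jcc seen=%d, %zu bytes\n", good.insns, good.saw_jcc, good.consumed);
	return 0;
}
```

With the one-byte immediate the ten emitted bytes decode as two instructions and no Jcc (the TEST swallows 75 05 48 as its immediate and the C1 E2 08 tail is decoded as a shift); with the four-byte immediate the thirteen bytes decode as three instructions including the JNE.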