* [PATCH 03/17] crypto/mvsam: replace strncpy with strlcpy
From: Bruce Richardson @ 2026-06-23 16:51 UTC (permalink / raw)
To: dev
Cc: Bruce Richardson, stable, Michael Shamis, Liron Himi,
Pablo de Lara, Tomasz Duszynski
In-Reply-To: <20260623165150.765443-1-bruce.richardson@intel.com>
Replace strncpy() with safer strlcpy() which always null-terminates.
Fixes: 25b05a1c806b ("crypto/mvsam: parse max number of sessions")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
---
drivers/crypto/mvsam/rte_mrvl_pmd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/crypto/mvsam/rte_mrvl_pmd.c b/drivers/crypto/mvsam/rte_mrvl_pmd.c
index a824719fb0..65a63c9d62 100644
--- a/drivers/crypto/mvsam/rte_mrvl_pmd.c
+++ b/drivers/crypto/mvsam/rte_mrvl_pmd.c
@@ -1146,7 +1146,7 @@ parse_name_arg(const char *key __rte_unused,
return -EINVAL;
}
- strncpy(params->name, value, RTE_CRYPTODEV_NAME_MAX_LEN);
+ strlcpy(params->name, value, RTE_CRYPTODEV_NAME_MAX_LEN);
return 0;
}
--
2.53.0
^ permalink raw reply related
* [PATCH 02/17] common/mlx5: replace strncpy with strlcpy
From: Bruce Richardson @ 2026-06-23 16:51 UTC (permalink / raw)
To: dev
Cc: Bruce Richardson, stable, Dariusz Sosnowski, Viacheslav Ovsiienko,
Bing Zhao, Ori Kam, Suanming Mou, Matan Azrad, Maxime Coquelin
In-Reply-To: <20260623165150.765443-1-bruce.richardson@intel.com>
Replace strncpy() with safer strlcpy() which always null-terminates.
Fixes: aec086c9f1c8 ("common/mlx5: share kernel interface name getter")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
---
drivers/common/mlx5/linux/mlx5_common_os.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/common/mlx5/linux/mlx5_common_os.c b/drivers/common/mlx5/linux/mlx5_common_os.c
index e3db6c4124..53bcc9b844 100644
--- a/drivers/common/mlx5/linux/mlx5_common_os.c
+++ b/drivers/common/mlx5/linux/mlx5_common_os.c
@@ -231,7 +231,7 @@ mlx5_get_ifname_sysfs(const char *ibdev_path, char *ifname)
rte_errno = ENOENT;
return -rte_errno;
}
- strncpy(ifname, match, IF_NAMESIZE);
+ strlcpy(ifname, match, IF_NAMESIZE);
return 0;
}
--
2.53.0
^ permalink raw reply related
* [PATCH 01/17] common/cnxk: replace strncpy with strlcpy
From: Bruce Richardson @ 2026-06-23 16:51 UTC (permalink / raw)
To: dev
Cc: Bruce Richardson, stable, Nithin Dabilpuram, Kiran Kumar K,
Sunil Kumar Kori, Satha Rao, Harman Kalra, Jerin Jacob,
Srikanth Yalavarthi, Rakesh Kudurumalla
In-Reply-To: <20260623165150.765443-1-bruce.richardson@intel.com>
Replace strncpy() with safer strlcpy() which always null-terminates.
Fixes: 014a9e222bac ("common/cnxk: add model init and IO handling API")
Fixes: b315581c66dc ("common/cnxk: skip probing SoC environment for CN9K")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
---
drivers/common/cnxk/roc_model.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/common/cnxk/roc_model.c b/drivers/common/cnxk/roc_model.c
index f0312a5400..ddd7ee8634 100644
--- a/drivers/common/cnxk/roc_model.c
+++ b/drivers/common/cnxk/roc_model.c
@@ -211,15 +211,15 @@ populate_model(struct roc_model *model, uint32_t midr)
if (model_db[i].impl == impl && model_db[i].part == part &&
model_db[i].major == major && model_db[i].minor == minor) {
model->flag = model_db[i].flag;
- strncpy(model->name, model_db[i].name,
- ROC_MODEL_STR_LEN_MAX - 1);
+ strlcpy(model->name, model_db[i].name,
+ ROC_MODEL_STR_LEN_MAX);
found = true;
break;
}
not_found:
if (!found) {
model->flag = 0;
- strncpy(model->name, "unknown", ROC_MODEL_STR_LEN_MAX - 1);
+ strlcpy(model->name, "unknown", ROC_MODEL_STR_LEN_MAX);
plt_err("Invalid RoC model (impl=0x%x, part=0x%x, major=0x%x, minor=0x%x)",
impl, part, major, minor);
}
@@ -297,7 +297,7 @@ of_env_get(struct roc_model *model)
FILE *fp;
if (access(path, F_OK) != 0) {
- strncpy(model->env, "HW_PLATFORM", ROC_MODEL_STR_LEN_MAX - 1);
+ strlcpy(model->env, "HW_PLATFORM", ROC_MODEL_STR_LEN_MAX);
model->flag |= ROC_ENV_HW;
return;
}
--
2.53.0
^ permalink raw reply related
* [PATCH 00/17] drivers: replace strncpy with strlcpy
From: Bruce Richardson @ 2026-06-23 16:51 UTC (permalink / raw)
To: dev; +Cc: Bruce Richardson
Many uses of strncpy in DPDK drivers can be directly replaced by
a call to strlcpy instead, which is safer in that it always null-
terminates the string. This AI assisted patchset makes those
simple replacements, adjusting lengths as appropriate.
After this set, there are still a number of drivers with strncpy calls
in them, but those are not simple strncpy->strlcpy replacements, so
left for later rework.
Bruce Richardson (17):
common/cnxk: replace strncpy with strlcpy
common/mlx5: replace strncpy with strlcpy
crypto/mvsam: replace strncpy with strlcpy
crypto/scheduler: replace strncpy with strlcpy
event/cnxk: replace strncpy with strlcpy
net/ark: replace strncpy with strlcpy
net/bnx2x: replace strncpy with strlcpy
net/cnxk: replace strncpy with strlcpy
net/dpaa: replace strncpy with strlcpy
net/ionic: replace strncpy with strlcpy
net/mlx4: replace strncpy with strlcpy
net/mlx5: replace strncpy with strlcpy
net/nfp: replace strncpy with strlcpy
net/qede: replace strncpy with strlcpy
net/softnic: replace strncpy with strlcpy
net/vhost: replace strncpy with strlcpy
net/virtio: replace strncpy with strlcpy
drivers/common/cnxk/roc_model.c | 8 ++++----
drivers/common/mlx5/linux/mlx5_common_os.c | 2 +-
drivers/crypto/mvsam/rte_mrvl_pmd.c | 2 +-
drivers/crypto/scheduler/scheduler_pmd.c | 8 ++++----
drivers/event/cnxk/cnxk_eventdev_stats.c | 2 +-
drivers/net/ark/ark_ethdev.c | 2 +-
drivers/net/bnx2x/bnx2x.c | 2 +-
drivers/net/bnx2x/bnx2x_vfpf.c | 2 +-
drivers/net/cnxk/cnxk_eswitch.c | 4 ++--
drivers/net/cnxk/cnxk_rep_msg.c | 2 +-
drivers/net/dpaa/dpaa_ethdev.c | 2 +-
drivers/net/ionic/ionic_main.c | 4 ++--
drivers/net/mlx4/mlx4_ethdev.c | 2 +-
drivers/net/mlx5/mlx5.c | 8 ++++----
drivers/net/mlx5/windows/mlx5_ethdev_os.c | 2 +-
drivers/net/nfp/nfpcore/nfp_resource.c | 2 +-
drivers/net/qede/qede_ethdev.c | 2 +-
drivers/net/softnic/conn.c | 4 ++--
drivers/net/vhost/rte_eth_vhost.c | 2 +-
drivers/net/virtio/virtio_user/vhost_kernel_tap.c | 2 +-
20 files changed, 32 insertions(+), 32 deletions(-)
--
2.53.0
^ permalink raw reply
* Re: [PATCH v9 07/21] net/txgbe: fix Tx desc free logic
From: Stephen Hemminger @ 2026-06-23 16:50 UTC (permalink / raw)
To: Zaiyu Wang; +Cc: dev, stable, Jiawen Wu
In-Reply-To: <20260622111111.21024-8-zaiyuwang@trustnetic.com>
On Mon, 22 Jun 2026 19:10:55 +0800
Zaiyu Wang <zaiyuwang@trustnetic.com> wrote:
> diff --git a/drivers/net/txgbe/txgbe_rxtx.c b/drivers/net/txgbe/txgbe_rxtx.c
> index e2cd9b8841..d6efb3b8cc 100644
> --- a/drivers/net/txgbe/txgbe_rxtx.c
> +++ b/drivers/net/txgbe/txgbe_rxtx.c
> @@ -98,12 +98,11 @@ txgbe_tx_free_bufs(struct txgbe_tx_queue *txq)
> if (tx_last_dd >= txq->nb_tx_desc)
> tx_last_dd -= txq->nb_tx_desc;
>
> - volatile uint16_t head = (uint16_t)*txq->headwb_mem;
> + uint32_t h = rte_atomic_load_explicit(txq->headwb_mem,
> + rte_memory_order_acquire);
This will fail build on clang since txq->headwb_mem is declared as volatile
not _Atomic type.
Please fix, and resubmit both patch series.
$ CC=clang-21 meson setup build -Denable_stdatomic=true
$ ninja -C build
../drivers/net/txgbe/txgbe_rxtx.c:101:16: error: address argument to atomic operation must be a pointer to _Atomic type ('volatile uint32_t *' (aka 'volatile unsigned int *') invalid)
101 | uint32_t h = rte_atomic_load_explicit(txq->headwb_mem,
| ^ ~~~~~~~~~~~~~~~
../lib/eal/include/rte_stdatomic.h:69:2: note: expanded from macro 'rte_atomic_load_explicit'
69 | atomic_load_explicit(ptr, memorder)
| ^ ~~~
/usr/lib/llvm-21/lib/clang/21/include/stdatomic.h:145:30: note: expanded from macro 'atomic_load_explicit'
145 | #define atomic_load_explicit __c11_atomic_load
| ^
../drivers/net/txgbe/txgbe_rxtx.c:647:16: error: address argument to atomic operation must be a pointer to _Atomic type ('volatile uint32_t *' (aka 'volatile unsigned int *') invalid)
647 | uint32_t h = rte_atomic_load_explicit(txq->headwb_mem,
| ^ ~~~~~~~~~~~~~~~
../lib/eal/include/rte_stdatomic.h:69:2: note: expanded from macro 'rte_atomic_load_explicit'
69 | atomic_load_explicit(ptr, memorder)
| ^ ~~~
/usr/lib/llvm-21/lib/clang/21/include/stdatomic.h:145:30: note: expanded from macro 'atomic_load_explicit'
145 | #define atomic_load_explicit __c11_atomic_load
| ^
2 errors generated.
^ permalink raw reply
* Re: [PATCH v9 07/21] net/txgbe: fix Tx desc free logic
From: Stephen Hemminger @ 2026-06-23 16:30 UTC (permalink / raw)
To: Zaiyu Wang; +Cc: dev, stable, Jiawen Wu
In-Reply-To: <20260622111111.21024-8-zaiyuwang@trustnetic.com>
On Mon, 22 Jun 2026 19:10:55 +0800
Zaiyu Wang <zaiyuwang@trustnetic.com> wrote:
> diff --git a/drivers/net/txgbe/txgbe_rxtx.c b/drivers/net/txgbe/txgbe_rxtx.c
> index e2cd9b8841..d6efb3b8cc 100644
> --- a/drivers/net/txgbe/txgbe_rxtx.c
> +++ b/drivers/net/txgbe/txgbe_rxtx.c
> @@ -98,12 +98,11 @@ txgbe_tx_free_bufs(struct txgbe_tx_queue *txq)
> if (tx_last_dd >= txq->nb_tx_desc)
> tx_last_dd -= txq->nb_tx_desc;
>
> - volatile uint16_t head = (uint16_t)*txq->headwb_mem;
> + uint32_t h = rte_atomic_load_explicit(txq->headwb_mem,
> + rte_memory_order_acquire);
This will fail build on clang since txq->headwb_mem is declared as volatile
not _Atomic type.
Please fix, and resubmit both patch series.
^ permalink raw reply
* RE: [PATCH v3 05/25] bpf/validate: introduce debugging interface
From: Marat Khalili @ 2026-06-23 16:14 UTC (permalink / raw)
To: Thomas Monjalon; +Cc: Konstantin Ananyev, dev@dpdk.org
In-Reply-To: <DGHVaJ2SRzSz_1-YcgGmxA@monjalon.net>
> Yes would be nice so we will have a full CI run on it
> now that the dependency is merged in main.
Submitted v4, indeed one of the builds failed due to theoretically insufficient
snprintf buffer. Will wait for the dust to settle and resubmit with a fix.
^ permalink raw reply
* Re: [PATCH 1/5] eal: fix macro for versioned experimental symbol
From: Stephen Hemminger @ 2026-06-23 16:05 UTC (permalink / raw)
To: Dariusz Sosnowski; +Cc: David Marchand, dev, Bruce Richardson
In-Reply-To: <rg475uc6ktrpsqfu32jmcfhluqlopy43kiwsonogud2z4aul7r@qwibo7j5yfk6>
On Tue, 23 Jun 2026 17:26:22 +0200
Dariusz Sosnowski <dsosnowski@nvidia.com> wrote:
> On Tue, Jun 23, 2026 at 06:50:00AM -0700, Stephen Hemminger wrote:
> > On Tue, 23 Jun 2026 13:37:47 +0200
> > Dariusz Sosnowski <dsosnowski@nvidia.com> wrote:
> >
> > > Add a missing semicolon after __asm__ block in
> > > RTE_VERSION_EXPERIMENTAL_SYMBOL macro.
> > > It's lack triggers the following compilation error with clang:
> > >
> > > ../lib/ethdev/rte_flow.c:320:1: error: expected ';' after top-level asm block
> > > 320 | RTE_VERSION_EXPERIMENTAL_SYMBOL(int, rte_flow_dynf_metadata_register, (void))
> > > | ^
> > > ../lib/eal/common/eal_export.h:75:74: note: expanded from macro 'RTE_VERSION_EXPERIMENTAL_SYMBOL'
> > > 75 | __asm__(".symver " RTE_STR(name) "_exp, " RTE_STR(name) "@EXPERIMENTAL") \
> > > | ^
> > > ../lib/eal/include/rte_common.h:237:20: note: expanded from macro '\
> > > __rte_used'
> > > 237 | #define __rte_used __attribute__((used))
> > > | ^
> > >
> > > Fixes: e30e194c4d06 ("eal: rework function versioning macros")
> > > Cc: david.marchand@redhat.com
> > >
> > > Signed-
> >
> > I didn't see this because clang doesn't have symver support.
> > Which version of clang is this?
>
> clang 19 available on Debian 13:
>
> $ clang --version
> Debian clang version 19.1.7 (3+b1)
> Target: x86_64-pc-linux-gnu
> Thread model: posix
> InstalledDir: /usr/lib/llvm-19/bin
Ok, that was the asm block not the symver attribute.
^ permalink raw reply
* Re: [PATCH v7 0/4] net/zxdh: optimize Rx/Tx path performance
From: Stephen Hemminger @ 2026-06-23 15:54 UTC (permalink / raw)
To: Junlong Wang; +Cc: dev
In-Reply-To: <20260623060909.97023-1-wang.junlong1@zte.com.cn>
On Tue, 23 Jun 2026 14:09:04 +0800
Junlong Wang <wang.junlong1@zte.com.cn> wrote:
> v7:
> - Add a new xmit prepare func for xmit_pkts_simple, which will checked the size of
> ZXDH_DL_NET_HDR_SIZE and RTE_PKTMBUF_HEADROOM.
>
> v6:
> - Remove unnecessary error checking code in submit_to_backend_simple() and
> pkt_padding(). Since as the max dl_net_hdr_len is always less than
> RTE_PKTMBUF_HEADROOM, rte_pktmbuf_prepend() cannot fail in the
> simple path (single-segment mbufs).
> v5:
> - Reorganize patch series, placing interrupt fix as the first patch
> and fix condition check to properly enable interrupts.
> - Fix zxdh_recv_single_pkts() not compacting rcv_pkts[] on failure,
> which could cause use-after-free and mbuf leak.
> - Fix tx_bunch() and tx1() missing store barrier before setting AVAIL flag,
> preventing data race on weakly-ordered architectures.
> - Fix submit_to_backend_simple() writing descriptors for packets that
> failed pkt_padding(), causing mbuf leak.
> v4:
> - fix some AI review issues.
> - fix queue enable intr bug.
> v3:
> - remove unnecessary NULL check in zxdh_init_queue.
> - Split Ring: Bit[31] is unused and reserved, zxdh_queue_notify(): removing the
> zxdh_pci_with_feature(hw, ZXDH_F_RING_PACKED) check;
> - remove unnecessary double-free in in zxdh_recv_single_pkts();
> - used rte_pktmbuf_mtod();
> - remove rxq_get_vq(q) macro, use q->vq and apply it consistently;
> - Refactoring scatter and mtu check logic in zxdh_dev_mtu_set();
> - set txdp->id = avail_idx + i in tx_bunch/tx1.
> - add comment documenting zxdh_xmit_enqueue_append() now sets dxp->cookie = NULL for
> the head slot and stores cookies per descriptor via dep[idx].cookie.
> - add one-line comment noting tx_bunch() is the simple path handles single-segment.
> - remove unnecessary Extra initialization and the uint32_t cast.
> v2:
> - zxdh_rxtx.c, pkt_padding(): modifyed the return value of pkt_padding();
> - zxdh_rxtx.c, zxdh_recv_single_pkts(): modifyed When zxdh_init_mbuf() fails
> the loop does "continue" and free mbufs;
> - zxdh_rxtx.c, refill_desc_unwrap(): Add rte_io_wmb() before writing flags
> in the refill_que_descs();
> - zxdh_queue.h, zxdh_queue_enable_intr(): Remove unnecessary function of zxdh_queue_enable_intr;
> - zxdh_ethdev.c, zxdh_init_queue(): changed the hdr_mz NULL check logic;
> - zxdh_rxtx.c, zxdh_xmit_pkts_simple()、zxdh_recv_single_pkts(): add stats.bytes count;
> - zxdh_rxtx.c, zxdh_init_mbuf():remove rte_pktmbuf_dump(stdout, rxm, 40);
> - zxdh_ethdev.c, zxdh_dev_free_mbufs(): using rte_pktmbuf_free() to free mbufs;
> - Splitting into separate patches, structure reorganization and sw_ring removal、
> RX recv optimize、Tx xmit optimize、Tx;
> v1:
> This patch optimizes the ZXDH PMD's receive and transmit path for better
> performance through several improvements:
> - Add simple TX/RX burst functions (zxdh_xmit_pkts_simple and
> zxdh_recv_single_pkts) for single-segment packet scenarios.
> - Remove RX software ring (sw_ring) to reduce memory allocation and
> copy.
> - Optimize descriptor management with prefetching and simplified
> cleanup.
> - Reorganize structure fields for better cache locality.
> These changes reduce CPU cycles and memory bandwidth consumption,
> resulting in improved packet processing throughput.
>
> Junlong Wang (4):
> net/zxdh: fix queue enable intr issues
> net/zxdh: optimize queue structure to improve performance
> net/zxdh: optimize Rx recv pkts performance
> net/zxdh: optimize Tx xmit pkts performance
>
> drivers/net/zxdh/zxdh_ethdev.c | 83 +++--
> drivers/net/zxdh/zxdh_ethdev_ops.c | 23 +-
> drivers/net/zxdh/zxdh_ethdev_ops.h | 4 +
> drivers/net/zxdh/zxdh_pci.c | 2 +-
> drivers/net/zxdh/zxdh_queue.c | 11 +-
> drivers/net/zxdh/zxdh_queue.h | 122 +++---
> drivers/net/zxdh/zxdh_rxtx.c | 571 ++++++++++++++++++++++-------
> drivers/net/zxdh/zxdh_rxtx.h | 29 +-
> 8 files changed, 584 insertions(+), 261 deletions(-)
>
Better but AI review still found some issues.
Series review: net/zxdh Rx/Tx optimization (v7)
Patches 1-3 are unchanged from v6 except for the Tx prepare split
below; patch 4 still carries the unguarded in-place prepend. The v6
out-of-bounds write is narrowed but not closed.
The improvement: tx_pkt_prepare is now split, and the simple-path
variant zxdh_xmit_pkts_simple_prepare() rejects a packet whose
headroom is too small (data_off < ZXDH_DL_NET_HDR_SIZE) with a clean
error and an invalid_hdr_len_err counter. For applications that call
rte_eth_tx_prepare() this turns the corruption into a reported error.
[PATCH v7 4/4] net/zxdh: optimize Tx xmit pkts performance
Error: the headroom check lives only in tx_pkt_prepare, which is
optional, so the simple Tx burst can still reach the unchecked prepend
in pkt_padding() and write out of bounds.
rte_eth_tx_burst() does not call rte_eth_tx_prepare(); the application
invokes prepare itself, and is allowed to skip it. When MULTI_SEGS is
disabled the burst is zxdh_xmit_pkts_simple() -> submit_to_backend_simple()
-> pkt_padding(), and pkt_padding() still does:
hdr = rte_pktmbuf_mtod_offset(cookie, struct zxdh_net_hdr_dl *, -hdr_len);
rte_memcpy(hdr, net_hdr_dl, hdr_len);
cookie->data_off -= hdr_len;
with no data_off >= hdr_len guard. An application that disables
MULTI_SEGS, consumes most of the mbuf headroom before Tx (tunnel/MPLS
encap, etc.), and calls tx_burst without tx_prepare will underflow
data_off and scribble in front of buf_addr. That is a supported calling
sequence, so the memory-safety precondition cannot rest on the optional
prepare step.
The driver's own packed burst does not depend on prepare for this: in
zxdh_xmit_pkts_packed() the can_push test gates the in-place prepend on
txm->data_off >= ZXDH_DL_NET_HDR_SIZE
inline, and falls back to zxdh_xmit_enqueue_append() (header copied into
the reserved txr region) otherwise. The simple burst should be equally
self-contained.
Make the simple burst safe on its own: check data_off in the datapath
and stop at the first packet that does not fit, returning the count
already enqueued (the same break-and-return the prepare function uses),
so the caller retains ownership of the rejected packet. The
zxdh_xmit_pkts_simple_prepare() check can stay as an early, friendlier
diagnostic, but it cannot be the only guard.
Also still missing: the build-time backstop discussed earlier,
static_assert(RTE_PKTMBUF_HEADROOM >= ZXDH_DL_NET_HDR_SIZE,
"RTE_PKTMBUF_HEADROOM too small for zxdh Tx downlink header");
It does not replace the runtime check (per-packet headroom can be short
on a correctly configured build) but it cheaply rejects a build whose
default headroom cannot hold the header.
^ permalink raw reply
* Re: [PATCH v3 6/6] test/bpf: check that bpf_convert can be JIT'd
From: Stephen Hemminger @ 2026-06-23 15:51 UTC (permalink / raw)
To: Marat Khalili; +Cc: dev@dpdk.org, Konstantin Ananyev
In-Reply-To: <c510bf24a3cd492693fc54f0b558656f@huawei.com>
On Tue, 23 Jun 2026 13:57:35 +0000
Marat Khalili <marat.khalili@huawei.com> wrote:
> Thank you for working on this, please see some comments inline.
I think it is still worth keeping the tests split into two.
One test just make sure that some basic filters work as expected (match vs not match).
The other one is just doing its job by causing pcap_compile() to generate more complex
and different code. Since the packet we are feeding it is just a dummy packet, I suspect
all of the filters will be false. Let me recheck, if so then can look at return value.
^ permalink raw reply
* Re: [PATCH v3 0/9] ENETC driver related changes series
From: Stephen Hemminger @ 2026-06-23 15:46 UTC (permalink / raw)
To: Gagandeep Singh; +Cc: dev, hemant.agrawal
In-Reply-To: <20260623060004.2187716-1-g.singh@nxp.com>
On Tue, 23 Jun 2026 11:29:55 +0530
Gagandeep Singh <g.singh@nxp.com> wrote:
> V3 changes:
> - Added documentation for all devargs in enetc4.rst.
> - Fixed kvlist memory leak issue.
>
> V2 changes:
> - Fixed an un-used variable compilation issue reported on fedora:43-gcc-minsize
> - Fixed various AI reported issues:
> - Release notes updated for all new devargs
> - enect4.ini features doc updated for scattered RX.
> - removed Not required RTE_PTYPE_UNKNOWN.
> - Fixed mid-frame mbuf leak in SG case.
> - Enabled SG for enetc4 PF also.
> - move to calloc from rte_zmalloc in parse_txq_prior().
> - added vaidation checks on strdup, strtoul.
> - added NC devargs to use cacheable ops conditionally.
> - removed dead code like bd_base_p etc.
> - Fixed rte_cpu_to_le_16() conversion on flags and combined
> all flags related patches in one patch.
> - Fixed memory leak issue due to TXQ priority patch.
> - There were some false positives, I have ignored them:
> Race condition on flags field:
> clean_tx_ring only touches HW-completed BDs (next_to_clean→hwci),
> never newly-submitted BDs; doorbell hasn't fired yet.
> Missing dcbf in clean_tx_ring:
> DPDK is single-threaded per queue; TX path always overwrites
> flags completely before dcbf.
> TX dcbf granularity with wrap:
> Safe (AI admits it).
> RX refill flush at wrap:
> In-loop dcbf at i & mask == 0 already flushes aligned groups;
> trailing flush only needed for partial groups.
> RX reading before invalidate:
> dccivac precedes the read for every group in the loop
>
> Gagandeep Singh (7):
> net/enetc: fix TX BD structure
> net/enetc: fix queue initialization
> net/enetc: support ESP packet type in packet parsing
> net/enetc: update random MAC generation code
> net/enetc: add option to disable VSI messaging
> net/enetc: add devargs to control VSI-PSI timeout and delay
> net/enetc4: add cacheable BD ring support with SW cache maintenance
>
> Vanshika Shukla (2):
> net/enetc: support scatter-gather
> net/enetc: set user configurable priority to TX rings
>
> doc/guides/nics/enetc4.rst | 62 +++-
> doc/guides/nics/features/enetc4.ini | 1 +
> doc/guides/rel_notes/release_26_07.rst | 10 +
> drivers/net/enetc/base/enetc_hw.h | 13 +-
> drivers/net/enetc/enetc.h | 31 +-
> drivers/net/enetc/enetc4_ethdev.c | 172 ++++++++--
> drivers/net/enetc/enetc4_vf.c | 206 ++++++++++--
> drivers/net/enetc/enetc_ethdev.c | 25 +-
> drivers/net/enetc/enetc_rxtx.c | 430 ++++++++++++++++++++++---
> 9 files changed, 831 insertions(+), 119 deletions(-)
>
Did followup AI review and it had some more things that need fixing:
Error
=====
[PATCH v2 7/9] net/enetc: add devargs to control VSI-PSI timeout and delay
drivers/net/enetc/enetc4_vf.c, enetc4_vf_dev_init()
kvlist is leaked on the two invalid-value error paths. It is
allocated by rte_kvargs_parse() (line 1347) and only freed at
line 1385, but both
return -1; /* invalid VSI Timeout, line 1367 */
return -1; /* invalid VSI Delay, line 1380 */
return before that free. A malformed enetc4_vsi_timeout= or
enetc4_vsi_delay= leaks the kvargs structure on every probe.
Free before returning, e.g.:
if (errno != 0 || hw->vsi_timeout == 0) {
ENETC_PMD_ERR("Invalid VSI Timeout value = %u",
hw->vsi_timeout);
rte_kvargs_free(kvlist);
return -1;
}
(same for the delay path), or restructure with a goto.
Warning
=======
Series (patches 6-9)
The new runtime devargs - enetc4_vsi_disable, enetc4_vsi_timeout,
enetc4_vsi_delay, enetc4_txq_prior, and nc - are registered via
RTE_PMD_REGISTER_PARAM_STRING and noted in the release notes, but
doc/guides/nics/enetc4.rst has no Runtime Configuration section
describing them. Convention is to document devargs in the NIC guide
so users can find the syntax (e.g. the nc=1 / 'a|b|c' priority list
formats are non-obvious).
Info
====
[PATCH v2 5/9] and [PATCH v2 9/9] - RX multi-segment reassembly
In enetc_clean_rx_ring_nc() and enetc_clean_rx_ring_cacheable(),
on the frame-last BD:
first_seg->pkt_len -= rx_ring->crc_len;
reduces pkt_len but leaves the final segment's data_len unchanged,
so pkt_len != sum(data_len) when crc_len is non-zero. The old
single-segment path kept them equal (pkt_len = data_len = buf_len
- crc_len).
This is currently unreachable: enetc4 does not advertise
RTE_ETH_RX_OFFLOAD_KEEP_CRC, so crc_len is always 0 and the
subtraction is a no-op. Flagging only so the asymmetry is on record
if KEEP_CRC is ever added - at that point the last segment's
data_len would need the same adjustment (and the CRC may straddle
the last two segments).
^ permalink raw reply
* Re: [PATCH 0/5] add versioned symbols for recently stabilized APIs
From: Dariusz Sosnowski @ 2026-06-23 15:43 UTC (permalink / raw)
To: David Marchand
Cc: Thomas Monjalon, dpdk-techboard, Bruce Richardson,
Andrew Rybchenko, Viacheslav Ovsiienko, Bing Zhao, Ori Kam,
Suanming Mou, Matan Azrad, dev
In-Reply-To: <CAJFAV8yS6dLM2EUDgdG13U1Zdt208nmk2T3F8DYwT97U1coF3Q@mail.gmail.com>
On Tue, Jun 23, 2026 at 03:50:52PM +0200, David Marchand wrote:
> Hello Dariusz,
>
> On Tue, 23 Jun 2026 at 13:38, Dariusz Sosnowski <dsosnowski@nvidia.com> wrote:
> >
> > Main goal of this patchset is to address https://bugs.dpdk.org/show_bug.cgi?id=1957
>
> It is expected that experimental symbols may disappear overnight, and
> this bug could also be closed as NOTABUG.
>
> On the other hand, we do state in the doc that compatibility could be
> provided when stabilising an experimental API, so ok.. let's try.
>
> > but it also handles other recently stabilized symbols and has some minor fixes:
> >
> > - Patch 1 - Fix RTE_VERSION_EXPERIMENTAL_SYMBOL macro on clang.
>
> Ouch... /me hides.
>
>
> > - Patch 2 - Allow function versioning inside drivers.
> > - Patch 3 - Version the function symbols stabilized in
> > https://git.dpdk.org/dpdk/commit/?id=e8cab133645f5466ef75e511629add43b68a5027
> > - Patch 4 - Introduce versioning macros for global variable symbols.
> > - Patch 5 - Version the function and variable symbols stabilized in
> > https://git.dpdk.org/dpdk/commit/?id=4ee2f5c1cedf9ee7f39afa667f71b07f4004ba5c
> >
> > Issue is still not fully fixed for stabilized global variables:
> > rte_flow_dynf_metadata_offs and rte_flow_dynf_metadata_mask.
>
> Well, symbol versioning is not something for variables.
> Exposing global variables was a mistake from the start...
After fighting with this issue for some time,
I am coming to the similar conclusion :)
> Those were exported for "performance" reasons as those are accessed
> via inline helpers (but I am not sure there were benchmarks showing
> the benefits).
>
> I am for forbidding exports of global variables from now, unless some
> really good performance benchmark is provided (@techboard for info).
Sounds like a good proposal IMO.
Especially since, from a quick glance, almost all existing variables
expose values not expected to change frequently at runtime.
For example, like here, mbuf dynamic field offset.
These could be retrieved once and stored somewhere locally
(Rx/Tx queue context for example).
>
>
> Now, in practice for your issue, rather than reintroducing symbol
> aliases (technical solution that I dropped when refactoring the
> macros), I think we can do with some middle ground approach:
> - leaving the inline helpers as "stable" (not __rte_experimental),
> - restoring the EXPERIMENTAL version on the global variables, this
> will restore the location of those symbols from the previous ABI pov,
> and the checks won't catch this discrepancy anyway,
> - during 26.11, drop the EXPERIMENTAL version on those variables,
>
>
> In other words, stopping at your patch 3 of the series, then adding:
>
> $ git diff
> diff --git a/lib/ethdev/rte_flow.c b/lib/ethdev/rte_flow.c
> index ec0fe08355..8bd21ccd31 100644
> --- a/lib/ethdev/rte_flow.c
> +++ b/lib/ethdev/rte_flow.c
> @@ -23,11 +23,11 @@
> #define FLOW_LOG RTE_ETHDEV_LOG_LINE
>
> /* Mbuf dynamic field name for metadata. */
> -RTE_EXPORT_SYMBOL(rte_flow_dynf_metadata_offs)
> +RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_flow_dynf_metadata_offs, 19.11)
> int32_t rte_flow_dynf_metadata_offs = -1;
>
> /* Mbuf dynamic field flag bit number for metadata. */
> -RTE_EXPORT_SYMBOL(rte_flow_dynf_metadata_mask)
> +RTE_EXPORT_EXPERIMENTAL_SYMBOL(rte_flow_dynf_metadata_mask, 19.11)
> uint64_t rte_flow_dynf_metadata_mask;
>
> /**
Thank you for the suggestion.
That looks good to me.
I'll prepare a v2.
>
> > Patch 4 and 5 address the bug for these global variables,
> > by providing a single storage for both EXPERIMENTAL and
> > DPDK_26 variable symbol versions.
> > This is achieved through symbol aliasing.
> > But this solution is limited only to executables compiled with clang.
> >
> > clang and gcc have a different default behavior regarding relocations
> > of global variables exposed by shared libraries.
> >
>
> Yeah... not even thinking about adding MSVC in the list...
>
>
> --
> David Marchand
>
^ permalink raw reply
* [PATCH] examples: use strlcpy and strlcat
From: Bruce Richardson @ 2026-06-23 15:41 UTC (permalink / raw)
To: dev
Cc: Bruce Richardson, stable, Cristian Dumitrescu, Radu Nicolau,
Akhil Goyal, Fan Zhang, Anatoly Burakov, Sivaprasad Tummala,
Jasvinder Singh, Sergio Gonzalez Monroy, Ferruh Yigit,
Pablo de Lara, Declan Doherty, Alan Carew
Replace strncpy and other unbounded string functions, e.g. strcpy,
strcat, with the safer alternatives strlcpy and strlcat, so that we can
guarantee null termination of strings.
Fixes: 4bbf8e30aa5e ("examples/ip_pipeline: add CLI interface")
Fixes: 5f657a7fbe86 ("examples/pipeline: add message passing mechanism")
Fixes: 83f58a7b7b0a ("examples/pipeline: add commands for direct registers")
Fixes: 0d547ed03717 ("examples/ipsec-secgw: support configuration file")
Fixes: 63e8c07c7245 ("examples/ipsec-secgw: fix configuration parsing")
Fixes: 41e97c2ea9e6 ("examples/l2fwd-crypto: extend crypto information")
Fixes: e8ae9b662506 ("examples/vm_power: channel manager and monitor in host")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
---
examples/ip_pipeline/conn.c | 4 ++--
examples/ipsec-secgw/sa.c | 4 ++--
examples/l2fwd-crypto/main.c | 12 ++++++------
examples/pipeline/cli.c | 4 ++--
examples/pipeline/conn.c | 4 ++--
examples/vm_power_manager/channel_manager.c | 3 +--
6 files changed, 15 insertions(+), 16 deletions(-)
diff --git a/examples/ip_pipeline/conn.c b/examples/ip_pipeline/conn.c
index 30fca80c14..9f347fd1c2 100644
--- a/examples/ip_pipeline/conn.c
+++ b/examples/ip_pipeline/conn.c
@@ -115,8 +115,8 @@ conn_init(struct conn_params *p)
}
/* Fill in */
- strncpy(conn->welcome, p->welcome, CONN_WELCOME_LEN_MAX);
- strncpy(conn->prompt, p->prompt, CONN_PROMPT_LEN_MAX);
+ strlcpy(conn->welcome, p->welcome, CONN_WELCOME_LEN_MAX + 1);
+ strlcpy(conn->prompt, p->prompt, CONN_PROMPT_LEN_MAX + 1);
conn->buf_size = p->buf_size;
conn->msg_in_len_max = p->msg_in_len_max;
conn->msg_out_len_max = p->msg_out_len_max;
diff --git a/examples/ipsec-secgw/sa.c b/examples/ipsec-secgw/sa.c
index 866ba04b86..b5068765b6 100644
--- a/examples/ipsec-secgw/sa.c
+++ b/examples/ipsec-secgw/sa.c
@@ -338,12 +338,12 @@ parse_key_string(const char *key_str, uint8_t *key)
if (pt_end == NULL) {
if (strlen(pt_start) > 2)
return 0;
- strncpy(sub_str, pt_start, 2);
+ memcpy(sub_str, pt_start, 2);
} else {
if (pt_end - pt_start > 2)
return 0;
- strncpy(sub_str, pt_start, pt_end - pt_start);
+ memcpy(sub_str, pt_start, pt_end - pt_start);
pt_start = pt_end + 1;
}
diff --git a/examples/l2fwd-crypto/main.c b/examples/l2fwd-crypto/main.c
index ff189b5fab..22ad825c91 100644
--- a/examples/l2fwd-crypto/main.c
+++ b/examples/l2fwd-crypto/main.c
@@ -1576,19 +1576,19 @@ l2fwd_crypto_options_print(struct l2fwd_crypto_options *options)
char string_aead_op[MAX_STR_LEN];
if (options->cipher_xform.cipher.op == RTE_CRYPTO_CIPHER_OP_ENCRYPT)
- strcpy(string_cipher_op, "Encrypt");
+ strlcpy(string_cipher_op, "Encrypt", sizeof(string_cipher_op));
else
- strcpy(string_cipher_op, "Decrypt");
+ strlcpy(string_cipher_op, "Decrypt", sizeof(string_cipher_op));
if (options->auth_xform.auth.op == RTE_CRYPTO_AUTH_OP_GENERATE)
- strcpy(string_auth_op, "Auth generate");
+ strlcpy(string_auth_op, "Auth generate", sizeof(string_auth_op));
else
- strcpy(string_auth_op, "Auth verify");
+ strlcpy(string_auth_op, "Auth verify", sizeof(string_auth_op));
if (options->aead_xform.aead.op == RTE_CRYPTO_AEAD_OP_ENCRYPT)
- strcpy(string_aead_op, "Authenticated encryption");
+ strlcpy(string_aead_op, "Authenticated encryption", sizeof(string_aead_op));
else
- strcpy(string_aead_op, "Authenticated decryption");
+ strlcpy(string_aead_op, "Authenticated decryption", sizeof(string_aead_op));
printf("Options:-\nn");
diff --git a/examples/pipeline/cli.c b/examples/pipeline/cli.c
index 215b4061d5..901706fab9 100644
--- a/examples/pipeline/cli.c
+++ b/examples/pipeline/cli.c
@@ -172,9 +172,9 @@ parse_table_entry(struct rte_swx_ctl_pipeline *p,
line[0] = 0;
for (i = 0; i < n_tokens; i++) {
if (i)
- strcat(line, " ");
+ strlcat(line, " ", MAX_LINE_SIZE);
- strcat(line, tokens[i]);
+ strlcat(line, tokens[i], MAX_LINE_SIZE);
}
/* Read the table entry from the input buffer. */
diff --git a/examples/pipeline/conn.c b/examples/pipeline/conn.c
index e168c4ddaa..257f3c9f78 100644
--- a/examples/pipeline/conn.c
+++ b/examples/pipeline/conn.c
@@ -116,8 +116,8 @@ conn_init(struct conn_params *p)
}
/* Fill in */
- strncpy(conn->welcome, p->welcome, CONN_WELCOME_LEN_MAX);
- strncpy(conn->prompt, p->prompt, CONN_PROMPT_LEN_MAX);
+ strlcpy(conn->welcome, p->welcome, CONN_WELCOME_LEN_MAX + 1);
+ strlcpy(conn->prompt, p->prompt, CONN_PROMPT_LEN_MAX + 1);
conn->buf_size = p->buf_size;
conn->msg_in_len_max = p->msg_in_len_max;
conn->msg_out_len_max = p->msg_out_len_max;
diff --git a/examples/vm_power_manager/channel_manager.c b/examples/vm_power_manager/channel_manager.c
index b69449c61d..339c7fbb93 100644
--- a/examples/vm_power_manager/channel_manager.c
+++ b/examples/vm_power_manager/channel_manager.c
@@ -875,8 +875,7 @@ add_vm(const char *vm_name)
rte_free(new_domain);
return -1;
}
- strncpy(new_domain->name, vm_name, sizeof(new_domain->name));
- new_domain->name[sizeof(new_domain->name) - 1] = '\0';
+ strlcpy(new_domain->name, vm_name, sizeof(new_domain->name));
memset(new_domain->channel_mask, 0, RTE_MAX_LCORE);
new_domain->num_channels = 0;
--
2.53.0
^ permalink raw reply related
* Re: [PATCH 1/5] eal: fix macro for versioned experimental symbol
From: Dariusz Sosnowski @ 2026-06-23 15:26 UTC (permalink / raw)
To: Stephen Hemminger; +Cc: David Marchand, dev, Bruce Richardson
In-Reply-To: <20260623065000.57d775c9@phoenix.local>
On Tue, Jun 23, 2026 at 06:50:00AM -0700, Stephen Hemminger wrote:
> On Tue, 23 Jun 2026 13:37:47 +0200
> Dariusz Sosnowski <dsosnowski@nvidia.com> wrote:
>
> > Add a missing semicolon after __asm__ block in
> > RTE_VERSION_EXPERIMENTAL_SYMBOL macro.
> > It's lack triggers the following compilation error with clang:
> >
> > ../lib/ethdev/rte_flow.c:320:1: error: expected ';' after top-level asm block
> > 320 | RTE_VERSION_EXPERIMENTAL_SYMBOL(int, rte_flow_dynf_metadata_register, (void))
> > | ^
> > ../lib/eal/common/eal_export.h:75:74: note: expanded from macro 'RTE_VERSION_EXPERIMENTAL_SYMBOL'
> > 75 | __asm__(".symver " RTE_STR(name) "_exp, " RTE_STR(name) "@EXPERIMENTAL") \
> > | ^
> > ../lib/eal/include/rte_common.h:237:20: note: expanded from macro '\
> > __rte_used'
> > 237 | #define __rte_used __attribute__((used))
> > | ^
> >
> > Fixes: e30e194c4d06 ("eal: rework function versioning macros")
> > Cc: david.marchand@redhat.com
> >
> > Signed-
>
> I didn't see this because clang doesn't have symver support.
> Which version of clang is this?
clang 19 available on Debian 13:
$ clang --version
Debian clang version 19.1.7 (3+b1)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/lib/llvm-19/bin
^ permalink raw reply
* [PATCH] app: remove use of strncpy
From: Bruce Richardson @ 2026-06-23 14:50 UTC (permalink / raw)
To: dev
Cc: Bruce Richardson, stable, Kai Ji, Cheng Jiang, Chengwen Feng,
Jerin Jacob, Ori Kam, Aman Singh, Michal Kobylinski,
Piotr Azarewicz, Marcin Kerlin, Slawomir Mrozowicz,
Declan Doherty, Aleksander Gajewski, Pablo de Lara,
Guduri Prathyusha, Harry van Haaren, Morten Brørup, Jiayu Hu,
Yuan Wang, Anoob Joseph, Xiaoyu Min, Xueming Li, Yuval Avnery
Use of strncpy is not recommended, so replace it with strlcpy or memcpy
as appropriate.
Fixes: f8be1786b1b8 ("app/crypto-perf: introduce performance test application")
Fixes: 8ecd4048ba5d ("app/crypto-perf: fix string not null terminated")
Fixes: 0add6c27cd7c ("app/testeventdev: define the test options")
Fixes: 623dc9364dc6 ("app/dma-perf: introduce DMA performance test")
Fixes: 1e8a4e97b057 ("app/testpmd: add flow dump command")
Fixes: de06137cb295 ("app/regex: add RegEx test application")
Cc: stable@dpdk.org
Signed-off-by: Bruce Richardson <bruce.richardson@intel.com>
---
app/test-crypto-perf/cperf_options_parsing.c | 5 ++---
app/test-dma-perf/main.c | 2 +-
app/test-eventdev/evt_options.c | 2 +-
app/test-pmd/cmdline_flow.c | 2 +-
app/test-regex/main.c | 9 ++-------
5 files changed, 7 insertions(+), 13 deletions(-)
diff --git a/app/test-crypto-perf/cperf_options_parsing.c b/app/test-crypto-perf/cperf_options_parsing.c
index 14e731586b..0951293adb 100644
--- a/app/test-crypto-perf/cperf_options_parsing.c
+++ b/app/test-crypto-perf/cperf_options_parsing.c
@@ -481,8 +481,7 @@ parse_device_type(struct cperf_options *opts, const char *arg)
if (strlen(arg) > (sizeof(opts->device_type) - 1))
return -1;
- strncpy(opts->device_type, arg, sizeof(opts->device_type) - 1);
- *(opts->device_type + sizeof(opts->device_type) - 1) = '\0';
+ strlcpy(opts->device_type, arg, sizeof(opts->device_type));
return 0;
}
@@ -1125,7 +1124,7 @@ cperf_options_default(struct cperf_options *opts)
opts->segment_sz = 0;
opts->imix_distribution_count = 0;
- strncpy(opts->device_type, "crypto_aesni_mb",
+ strlcpy(opts->device_type, "crypto_aesni_mb",
sizeof(opts->device_type));
opts->nb_qps = 1;
diff --git a/app/test-dma-perf/main.c b/app/test-dma-perf/main.c
index 4249dcfd3d..13bf07a764 100644
--- a/app/test-dma-perf/main.c
+++ b/app/test-dma-perf/main.c
@@ -220,7 +220,7 @@ parse_entry(const char *value, struct test_configure_entry *entry)
int args_nr = -1;
int ret;
- strncpy(input, value, 254);
+ strlcpy(input, value, sizeof(input));
if (*input == '\0')
goto out;
diff --git a/app/test-eventdev/evt_options.c b/app/test-eventdev/evt_options.c
index 0e70c971eb..1da0aba386 100644
--- a/app/test-eventdev/evt_options.c
+++ b/app/test-eventdev/evt_options.c
@@ -23,7 +23,7 @@ evt_options_default(struct evt_options *opt)
memset(opt, 0, sizeof(*opt));
opt->verbose_level = 1; /* Enable minimal prints */
opt->dev_id = 0;
- strncpy(opt->test_name, "order_queue", EVT_TEST_NAME_MAX_LEN);
+ strlcpy(opt->test_name, "order_queue", sizeof(opt->test_name));
opt->nb_flows = 1024;
opt->socket_id = SOCKET_ID_ANY;
opt->pool_sz = 16 * 1024;
diff --git a/app/test-pmd/cmdline_flow.c b/app/test-pmd/cmdline_flow.c
index 67f200f2e3..465396d2e5 100644
--- a/app/test-pmd/cmdline_flow.c
+++ b/app/test-pmd/cmdline_flow.c
@@ -11910,7 +11910,7 @@ parse_string0(struct context *ctx, const struct token *token __rte_unused,
if (!ctx->object)
return len;
buf = (uint8_t *)ctx->object + arg_data->offset;
- strncpy(buf, str, len);
+ memcpy(buf, str, len);
if (ctx->objmask)
memset((uint8_t *)ctx->objmask + arg_data->offset, 0xff, len);
return len;
diff --git a/app/test-regex/main.c b/app/test-regex/main.c
index acb834a8b4..81719f2e04 100644
--- a/app/test-regex/main.c
+++ b/app/test-regex/main.c
@@ -103,7 +103,6 @@ args_parse(int argc, char **argv, char *rules_file, char *data_file,
char **argvopt;
int opt;
int opt_idx;
- size_t len;
static struct option lgopts[] = {
{ "help", 0, 0, ARG_HELP},
/* Rules database file to load. */
@@ -133,20 +132,16 @@ args_parse(int argc, char **argv, char *rules_file, char *data_file,
lgopts, &opt_idx)) != EOF) {
switch (opt) {
case ARG_RULES_FILE_NAME:
- len = strnlen(optarg, MAX_FILE_NAME - 1);
- if (len == MAX_FILE_NAME)
+ if (strlcpy(rules_file, optarg, MAX_FILE_NAME) >= MAX_FILE_NAME)
rte_exit(EXIT_FAILURE,
"Rule file name to long max %d\n",
MAX_FILE_NAME - 1);
- strncpy(rules_file, optarg, MAX_FILE_NAME - 1);
break;
case ARG_DATA_FILE_NAME:
- len = strnlen(optarg, MAX_FILE_NAME - 1);
- if (len == MAX_FILE_NAME)
+ if (strlcpy(data_file, optarg, MAX_FILE_NAME) >= MAX_FILE_NAME)
rte_exit(EXIT_FAILURE,
"Data file name to long max %d\n",
MAX_FILE_NAME - 1);
- strncpy(data_file, optarg, MAX_FILE_NAME - 1);
break;
case ARG_NUM_OF_JOBS:
*nb_jobs = atoi(optarg);
--
2.53.0
^ permalink raw reply related
* [PATCH v4 24/24] doc: add release notes for BPF validation fixes
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
Cc: dev, Konstantin Ananyev
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
Document hardening the BPF validator.
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
doc/guides/rel_notes/release_26_07.rst | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/doc/guides/rel_notes/release_26_07.rst b/doc/guides/rel_notes/release_26_07.rst
index 8471966a4992..9376e7acad24 100644
--- a/doc/guides/rel_notes/release_26_07.rst
+++ b/doc/guides/rel_notes/release_26_07.rst
@@ -164,7 +164,7 @@ New Features
for installing already loaded BPF programs as port callbacks
(as opposed to loading them directly from ELF files).
-* **Added BPF validation debugging API.**
+* **Added BPF validation debugging API and hardened BPF validator.**
* Introduced a new set of APIs (prefixed with ``rte_bpf_validate_debug_``) to
introspect the BPF validator. This provides a mechanism to set breakpoints
@@ -172,6 +172,10 @@ New Features
(such as tracked register bounds). This API is crucial primarily for writing
comprehensive tests for the validator, but also serves as a foundation for a
future interactive eBPF validation debugger.
+ * Fixed numerous bugs in the BPF validator's abstract interpretation logic,
+ including incorrect bounds tracking for jumps and arithmetic operations, as
+ well as fixing several instances of undefined behavior (UB) when verifying
+ malicious or corrupt programs.
* **Added AI review helpers.**
--
2.43.0
^ permalink raw reply related
* [PATCH v4 23/24] bpf/validate: prevent overflow when building graph
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: dev, stable, Claudia Cauli
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
Function `evst_pool_init` for malicious or corrupt BPF program with
number of conditional jumps exceeding a third of UINT32_MAX could cause
arithmetic and buffer overflows when working with the program graph.
Fix the issue by limiting maximum number of conditional jumps supported
by UINT32_MAX / 4, or more than 1 billion.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org
Reported-by: Claudia Cauli <claudiacauli@gmail.com>
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
lib/bpf/bpf_validate.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 03c590c75377..f9960088a285 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -2662,6 +2662,10 @@ evst_pool_init(struct bpf_verifier *bvf)
{
uint32_t k, n;
+ if (bvf->nb_jcc_nodes > UINT32_MAX / 4)
+ /* Calculations that follow may overflow. */
+ return -E2BIG;
+
/*
* We need nb_jcc_nodes + 1 for save_cur/restore_cur
* remaining ones will be used for state tracking/pruning.
--
2.43.0
^ permalink raw reply related
* [PATCH v4 22/24] bpf/validate: fix BPF_XOR signed min calculation
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: dev, stable, Claudia Cauli
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
Function `eval_xor` calculated signed minimum using essentially unsigned
algorithm as long as any of the operands have non-negative range, which
is incorrect since it ignores any negative numbers that may have the
sign or any other bits set.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: ldxdw r2, [r1 + 0]
2: jsgt r2, #0x0, L5
3: xor r2, #0x0 ; tested instruction
4: mov r0, #0x1
5: exit
Pre-state:
r2: INT64_MIN..0
Post-state:
r2: 0
After the tested instruction validator considers r2 to equal 0, however
if -1 was loaded on step 1 it is possible for it to be -1.
Set signed range to full if any of the operands can be negative,
otherwise (if both operands are non-negative) use same algorithm as for
unsigned numbers. Add test.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org
Reported-by: Claudia Cauli <claudiacauli@gmail.com>
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
app/test/test_bpf_validate.c | 17 +++++++++++++++++
lib/bpf/bpf_validate.c | 2 +-
2 files changed, 18 insertions(+), 1 deletion(-)
diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
index 205373a4f86b..a06d3254d6ba 100644
--- a/app/test/test_bpf_validate.c
+++ b/app/test/test_bpf_validate.c
@@ -1764,6 +1764,23 @@ test_alu64_sub_x_src_signed_max_zero(void)
REGISTER_FAST_TEST(bpf_validate_alu64_sub_x_src_signed_max_zero_autotest, NOHUGE_OK, ASAN_OK,
test_alu64_sub_x_src_signed_max_zero);
+/* 64-bit bitwise XOR between a negative scalar range and zero immediate. */
+static int
+test_alu64_xor_k_negative(void)
+{
+ return verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (EBPF_ALU64 | BPF_XOR | BPF_K),
+ .imm = 0,
+ },
+ .pre.dst = make_signed_domain(INT64_MIN, 0),
+ .post.dst = unknown,
+ });
+}
+
+REGISTER_FAST_TEST(bpf_validate_alu64_xor_k_negative_autotest, NOHUGE_OK, ASAN_OK,
+ test_alu64_xor_k_negative);
+
/* Jump if greater than immediate. */
static int
test_jmp64_jeq_k(void)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 131a5468dbc4..03c590c75377 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -910,7 +910,7 @@ eval_xor(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
rd->s.max ^= rs->s.max;
/* both operands are non-negative */
- } else if (rd->s.min >= 0 || rs->s.min >= 0) {
+ } else if (rd->s.min >= 0 && rs->s.min >= 0) {
rd->s.max = eval_uor_max(rd->s.max, rs->s.max, opsz);
rd->s.min = 0;
} else
--
2.43.0
^ permalink raw reply related
* [PATCH v4 21/24] bpf/validate: fix BPF_SUB signed max zero case
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: dev, stable, Claudia Cauli
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
Function `eval_sub` used source register signed minimum to detect
overflow of the difference (operation result) signed minimum, and source
register signed maximum to detect overflow of the difference signed
maximum. However in the actual formula for difference source register
bounds are swapped (correctly, since we subtract it), so in overflow
detection we should also have swapped them. It caused false negatives in
certain cases.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: ldxdw r2, [r1 + 0]
2: jsgt r2, #0x0, L7
3: ldxdw r3, [r1 + 8]
4: jsgt r3, #0x0, L7
5: sub r2, r3 ; tested instruction
6: mov r0, #0x1
7: exit
Pre-state:
r2: INT64_MIN..0
r3: INT64_MIN..0
Post-state:
r2: INT64_MIN
Validator ignores overflow of signed minimum and considers result to
always equal INT64_MIN. However, if -1 was loaded on step 1 and -2 was
loaded on step 3 it is possible for the difference to equal 1.
Swap source register signed minimum and maximum in the overflow
condition to match the new range formula, add test.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org
Reported-by: Claudia Cauli <claudiacauli@gmail.com>
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
app/test/test_bpf_validate.c | 17 +++++++++++++++++
lib/bpf/bpf_validate.c | 4 ++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
index 7cf9e404b697..205373a4f86b 100644
--- a/app/test/test_bpf_validate.c
+++ b/app/test/test_bpf_validate.c
@@ -1747,6 +1747,23 @@ test_alu64_or_k_positive(void)
REGISTER_FAST_TEST(bpf_validate_alu64_or_k_positive_autotest, NOHUGE_OK, ASAN_OK,
test_alu64_or_k_positive);
+/* 64-bit difference between two negative ranges.. */
+static int
+test_alu64_sub_x_src_signed_max_zero(void)
+{
+ return verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (EBPF_ALU64 | BPF_SUB | BPF_X),
+ },
+ .pre.dst = make_signed_domain(INT64_MIN, 0),
+ .pre.src = make_signed_domain(INT64_MIN, 0),
+ .post.dst = unknown,
+ });
+}
+
+REGISTER_FAST_TEST(bpf_validate_alu64_sub_x_src_signed_max_zero_autotest, NOHUGE_OK, ASAN_OK,
+ test_alu64_sub_x_src_signed_max_zero);
+
/* Jump if greater than immediate. */
static int
test_jmp64_jeq_k(void)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index abb39cfd328d..131a5468dbc4 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -716,9 +716,9 @@ eval_sub(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, uint64_t msk)
eval_umax_bound(&rv, msk);
if ((rd->s.min != rd->s.max || rs->s.min != rs->s.max) &&
- (((rs->s.min < 0 && rv.s.min < rd->s.min) ||
+ (((rs->s.max < 0 && rv.s.min < rd->s.min) ||
rv.s.min > rd->s.min) ||
- ((rs->s.max < 0 && rv.s.max < rd->s.max) ||
+ ((rs->s.min < 0 && rv.s.max < rd->s.max) ||
rv.s.max > rd->s.max)))
eval_smax_bound(&rv, msk);
--
2.43.0
^ permalink raw reply related
* [PATCH v4 20/24] bpf/validate: fix BPF_OR min calculations
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: dev, stable, Claudia Cauli
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
This commit fixes two different problems in signed and unsigned minimum
calculations within `eval_or`. Passing tests requires both problems to
be fixed which is why the changes are squashed in one commit.
1) Function `eval_or` calculated result signed minimum as bitwise OR
between corresponding minimums as long as any of them is non-negative,
which is incorrect since values within the range can have zeroes where
the minimums don't, including the sign bit.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: ldxdw r2, [r1 + 0]
2: jlt r2, #0x5, L8
3: jgt r2, #0x6, L8
4: jslt r2, #0x5, L8
5: jsgt r2, #0x6, L8
6: or r2, #0xfffffffe ; tested instruction
7: mov r0, #0x1
8: exit
Pre-state:
r2: 5..6
Post-state:
r2: -1
After the tested instruction validator considers r2 to always equal -1,
however if 6 was loaded on step 1 it is possible for it to be -2:
0x6 & 0xfffffffffffffffe == 0xfffffffffffffffe = -2
Set signed range to full if any of the operands can be negative,
otherwise use the maximum of both minimums as a new signed minimum
following the idea that result of bitwise OR cannot be smaller than its
operands. Add test.
2) Function `eval_or` calculated result unsigned minimum as bitwise OR
between corresponding minimums, which is incorrect since values within
the range can have zeroes the minimums don't.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: ldxdw r2, [r1 + 0]
2: jlt r2, #0x5, L8
3: jgt r2, #0x6, L8
4: jslt r2, #0x5, L8
5: jsgt r2, #0x6, L8
6: or r2, #0x2 ; tested instruction
7: mov r0, #0x1
8: exit
Pre-state:
r2: 5..6
Post-state:
r2: 7
After the tested instruction validator considers r2 to always equal 7,
however if 6 was loaded on step 1 it is possible for it to be 6:
0x6 & 0x2 == 0x6
Use the maximum of both minimums as a new unsigned minimum following the
idea that result of bitwise OR cannot be smaller than its operands. Add
test.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org
Reported-by: Claudia Cauli <claudiacauli@gmail.com>
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
app/test/test_bpf_validate.c | 34 ++++++++++++++++++++++++++++++++++
lib/bpf/bpf_validate.c | 6 +++---
2 files changed, 37 insertions(+), 3 deletions(-)
diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
index c3d1bdb78fbc..7cf9e404b697 100644
--- a/app/test/test_bpf_validate.c
+++ b/app/test/test_bpf_validate.c
@@ -1713,6 +1713,40 @@ test_alu64_neg_zero_last(void)
REGISTER_FAST_TEST(bpf_validate_alu64_neg_zero_last_autotest, NOHUGE_OK, ASAN_OK,
test_alu64_neg_zero_last);
+/* 64-bit bitwise OR between a positive scalar range and negative immediate. */
+static int
+test_alu64_or_k_negative(void)
+{
+ return verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (EBPF_ALU64 | BPF_OR | BPF_K),
+ .imm = -2,
+ },
+ .pre.dst = make_signed_domain(5, 6),
+ .post.dst = make_signed_domain(-2, -1),
+ });
+}
+
+REGISTER_FAST_TEST(bpf_validate_alu64_or_k_negative_autotest, NOHUGE_OK, ASAN_OK,
+ test_alu64_or_k_negative);
+
+/* 64-bit bitwise OR between a positive scalar range and positive immediate. */
+static int
+test_alu64_or_k_positive(void)
+{
+ return verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (EBPF_ALU64 | BPF_OR | BPF_K),
+ .imm = 2,
+ },
+ .pre.dst = make_signed_domain(5, 6),
+ .post.dst = make_signed_domain(5, 7),
+ });
+}
+
+REGISTER_FAST_TEST(bpf_validate_alu64_or_k_positive_autotest, NOHUGE_OK, ASAN_OK,
+ test_alu64_or_k_positive);
+
/* Jump if greater than immediate. */
static int
test_jmp64_jeq_k(void)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 4e4c0ddeb2b8..abb39cfd328d 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -875,7 +875,7 @@ eval_or(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
rd->u.max |= rs->u.max;
} else {
rd->u.max = eval_uor_max(rd->u.max, rs->u.max, opsz);
- rd->u.min |= rs->u.min;
+ rd->u.min = RTE_MAX(rd->u.min, rs->u.min);
}
/* both operands are constants */
@@ -884,9 +884,9 @@ eval_or(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
rd->s.max |= rs->s.max;
/* both operands are non-negative */
- } else if (rd->s.min >= 0 || rs->s.min >= 0) {
+ } else if (rd->s.min >= 0 && rs->s.min >= 0) {
rd->s.max = eval_uor_max(rd->s.max, rs->s.max, opsz);
- rd->s.min |= rs->s.min;
+ rd->s.min = RTE_MAX(rd->s.min, rs->s.min);
} else
eval_smax_bound(rd, msk);
}
--
2.43.0
^ permalink raw reply related
* [PATCH v4 19/24] bpf/validate: fix BPF_LSH shift-out-of-bounds UB
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: dev, stable, Claudia Cauli
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
Function `eval_lsh` when validating left shift by 63 invoked macro
`RTE_LEN2MASK(0, int64_t)` which triggered shift-out-of-bounds undefined
behaviour.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: ldxdw r2, [r1 + 0]
2: jlt r2, #0x3, L8
3: jgt r2, #0x5, L8
4: jslt r2, #0x3, L8
5: jsgt r2, #0x5, L8
6: lsh r2, #0x3f ; tested instruction
7: mov r0, #0x1
8: exit
Pre-state:
r2: 3..5
Post-state:
r2: 0..UINT64_MAX
With sanitizer the following diagnostic is generated:
lib/bpf/bpf_validate.c:785:4: runtime error: shift exponent 64 is
too large for 64-bit type 'long unsigned int'
#0 0x00000274d5e0 in eval_lsh lib/bpf/bpf_validate.c:785
#1 0x00000275a2ea in eval_alu lib/bpf/bpf_validate.c:1310
#2 0x00000276ce3d in evaluate lib/bpf/bpf_validate.c:3284
Add guard for this case, add test.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org
Reported-by: Claudia Cauli <claudiacauli@gmail.com>
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
app/test/test_bpf_validate.c | 17 +++++++++++++++++
lib/bpf/bpf_validate.c | 3 ++-
2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
index 5d26299ba65d..c3d1bdb78fbc 100644
--- a/app/test/test_bpf_validate.c
+++ b/app/test/test_bpf_validate.c
@@ -1536,6 +1536,23 @@ test_alu64_div_mod_overflow(void)
REGISTER_FAST_TEST(bpf_validate_alu64_div_mod_overflow_autotest, NOHUGE_OK, ASAN_OK,
test_alu64_div_mod_overflow);
+/* 64-bit left shift by 63. */
+static int
+test_alu64_lsh_63(void)
+{
+ return verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (EBPF_ALU64 | BPF_LSH | BPF_K),
+ .imm = 63,
+ },
+ .pre.dst = make_signed_domain(3, 5),
+ .post.dst = unknown,
+ });
+}
+
+REGISTER_FAST_TEST(bpf_validate_alu64_lsh_63_autotest, NOHUGE_OK, ASAN_OK,
+ test_alu64_lsh_63);
+
/* 64-bit multiplication of constant and immediate with overflow. */
static int
test_alu64_mul_k_overflow(void)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index d4d8ec4251f1..4e4c0ddeb2b8 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -746,7 +746,8 @@ eval_lsh(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
/* check that dreg values are and would remain always positive */
if ((uint64_t)rd->s.min >> (opsz - 1) != 0 || rd->s.max >=
- RTE_LEN2MASK(opsz - rs->u.max - 1, int64_t))
+ (rs->u.max == opsz - 1 ? 0 :
+ RTE_LEN2MASK(opsz - rs->u.max - 1, int64_t)))
eval_smax_bound(rd, msk);
else {
rd->s.max <<= rs->u.max;
--
2.43.0
^ permalink raw reply related
* [PATCH v4 18/24] bpf/validate: fix BPF_AND min calculations
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: dev, stable, Claudia Cauli
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
Function `eval_and` calculated both signed (if positive) and unsigned
minimum values as bitwise AND between corresponding minimums, which is
incorrect since intermediate values can have zeroes in bits where
minimum values don't.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: ldxdw r2, [r1 + 0]
2: jlt r2, #0x6, L8
3: jgt r2, #0x8, L8
4: jslt r2, #0x6, L8
5: jsgt r2, #0x8, L8
6: and r2, #0x5 ; tested instruction
7: mov r0, #0x1
8: exit
Pre-state:
r2: 6..8
Post-state:
r2: 4..7
After the tested instruction validator considers r2 to be equal or
greater than 4, however if 8 was loaded on step 1 it is possible for it
to be zero (0x8 & 0x5 == 0).
Use zero as a new safe lower bound for both signed (if positive) and
unsigned minimum. Add test.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org
Reported-by: Claudia Cauli <claudiacauli@gmail.com>
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
app/test/test_bpf_validate.c | 17 +++++++++++++++++
lib/bpf/bpf_validate.c | 4 ++--
2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
index f80dee24a677..5d26299ba65d 100644
--- a/app/test/test_bpf_validate.c
+++ b/app/test/test_bpf_validate.c
@@ -1384,6 +1384,23 @@ test_alu64_add_x_scalar_scalar(void)
REGISTER_FAST_TEST(bpf_validate_alu64_add_x_scalar_scalar_autotest, NOHUGE_OK, ASAN_OK,
test_alu64_add_x_scalar_scalar);
+/* 64-bit bitwise AND between a scalar range and immediate. */
+static int
+test_alu64_and_k(void)
+{
+ return verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (EBPF_ALU64 | BPF_AND | BPF_K),
+ .imm = 5,
+ },
+ .pre.dst = make_signed_domain(6, 8),
+ .post.dst = make_signed_domain(0, 7),
+ });
+}
+
+REGISTER_FAST_TEST(bpf_validate_alu64_and_k_autotest, NOHUGE_OK, ASAN_OK,
+ test_alu64_and_k);
+
/* 64-bit division and modulo of UINT64_MAX*2/3. */
static int
test_alu64_div_mod_big_constant(void)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index af084e36c8d0..d4d8ec4251f1 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -848,7 +848,7 @@ eval_and(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
rd->u.max &= rs->u.max;
} else {
rd->u.max = eval_uand_max(rd->u.max, rs->u.max, opsz);
- rd->u.min &= rs->u.min;
+ rd->u.min = 0;
}
/* both operands are constants */
@@ -859,7 +859,7 @@ eval_and(struct bpf_reg_val *rd, const struct bpf_reg_val *rs, size_t opsz,
} else if (rd->s.min >= 0 || rs->s.min >= 0) {
rd->s.max = eval_uand_max(rd->s.max & (msk >> 1),
rs->s.max & (msk >> 1), opsz);
- rd->s.min &= rs->s.min;
+ rd->s.min = 0;
} else
eval_smax_bound(rd, msk);
}
--
2.43.0
^ permalink raw reply related
* [PATCH v4 17/24] bpf/validate: fix BPF_JMP empty range handling
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: dev, stable, Claudia Cauli
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
Function `eval_jcc` did not account for 'dynamically unreachable' code
paths. Some code paths may be _dynamically_ unreachable, which measn
that according to validator calculations no valid values are left to
evaluate. This does not indicate dead code since same code might be
reachable through other code paths. Previous behaviour resulted in:
* undefined behaviour in corner cases;
* ranges breaking min <= max invariant relied upon in multiple places
(e.g. signed overflow detection in `eval_mul` only checks `s.min` to
make sure the range is non-negative and so on);
* unnecessary work for validator contributing to exponential code paths
grow in some cases.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: mov r2, #0x2a
2: lddw r3, #0x8000000000000000
4: jslt r2, r3, L7 ; tested instruction
5: mov r0, #0x1
6: exit
7: mov r0, #0x2
8: exit
Pre-state:
r2: 42
r3: INT64_MIN
Post-state:
r2: 42
r3: INT64_MIN
Jump-state:
r2: 42
r3: 43..INT64_MIN INTERSECT 0x8000000000000000 (!)
At step 7 after jump from tested instruction validator considers r3 to
equal 0x8000000000000000 if viewed as unsigned, or have nonsensical
range 43..INT64_MIN if viewed as signed. In reality there is just no
valid range for this code path since it will never occur.
With sanitizer the following diagnostic is generated:
lib/bpf/bpf_validate.c:1824:15: runtime error: signed integer
overflow: -9223372036854775808 - 1 cannot be represented in type
'long int'
#0 0x000002761e41 in eval_jslt_jsge lib/bpf/bpf_validate.c:1824
#1 0x000002762acb in eval_jcc lib/bpf/bpf_validate.c:1881
#2 0x00000276b749 in evaluate lib/bpf/bpf_validate.c:3245
...
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
lib/bpf/bpf_validate.c:1824:15
Add pruning of dynamically unreachable code paths that arise from
ordering comparisons. Add tests for remaining ordering jump cases.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org
Reported-by: Claudia Cauli <claudiacauli@gmail.com>
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
app/test/test_bpf_validate.c | 277 ++++++++++++++++++++++++++++++-
lib/bpf/bpf_validate.c | 96 ++++++++---
lib/bpf/rte_bpf_validate_debug.h | 2 +
3 files changed, 351 insertions(+), 24 deletions(-)
diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
index 15ccf4f6a573..f80dee24a677 100644
--- a/app/test/test_bpf_validate.c
+++ b/app/test/test_bpf_validate.c
@@ -135,6 +135,11 @@ static const struct domain unknown = {
.u = { .min = 0, .max = UINT64_MAX },
};
+/* Unreachable state. */
+static const struct state unreachable = {
+ .is_unreachable = true,
+};
+
/* BUILDING DOMAINS */
@@ -1710,6 +1715,55 @@ test_jmp64_jslt_x(void)
REGISTER_FAST_TEST(bpf_validate_jmp64_jslt_x_autotest, NOHUGE_OK, ASAN_OK,
test_jmp64_jslt_x);
+/* Jump on ordering comparisons with potential bound overflow. */
+static int
+test_jmp64_ordering_overflow(void)
+{
+ /* In this test signed and unsigned cases are spelled out explicitly. */
+ const bool also_signed = false;
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JSLT | BPF_X),
+ },
+ .pre.dst = make_singleton_domain(42),
+ .pre.src = make_singleton_domain(INT64_MIN),
+ .jump = unreachable,
+ }, also_signed), "signed less than INT64_MIN");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JSGT | BPF_X),
+ },
+ .pre.dst = make_singleton_domain(42),
+ .pre.src = make_singleton_domain(INT64_MAX),
+ .jump = unreachable,
+ }, also_signed), "signed greater than INT64_MAX");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLT | BPF_X),
+ },
+ .pre.dst = make_singleton_domain(42),
+ .pre.src = make_singleton_domain(0),
+ .jump = unreachable,
+ }, also_signed), "unsigned less than zero");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | BPF_JGT | BPF_X),
+ },
+ .pre.dst = make_singleton_domain(42),
+ .pre.src = make_singleton_domain(UINT64_MAX),
+ .jump = unreachable,
+ }, also_signed), "unsigned greater than UINT64_MAX");
+
+ return TEST_SUCCESS;
+}
+
+REGISTER_FAST_TEST(bpf_validate_jmp64_ordering_overflow_autotest, NOHUGE_OK, ASAN_OK,
+ test_jmp64_ordering_overflow);
+
/* Jump on ordering comparisons between two ranges. */
static int
test_jmp64_ordering_ranges(void)
@@ -1717,6 +1771,29 @@ test_jmp64_ordering_ranges(void)
/* All ranges used are valid for both signed and unsigned comparisons. */
const bool also_signed = true;
+ /*
+ * 20 ---- dst ---- 60
+ * 0 - src - 10
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLT | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(0, 10),
+ .jump = unreachable,
+ }, also_signed), "strict, dst range strongly greater than src range");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLE | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(0, 10),
+ .jump = unreachable,
+ }, also_signed), "non-strict, dst range strongly greater than src range");
+
/*
* 20 ---- dst ---- 60
* 10 -- src -- 40
@@ -1817,15 +1894,38 @@ test_jmp64_ordering_ranges(void)
.post.src = make_signed_domain(40, 59),
}, also_signed), "non-strict, dst range weakly less than src range");
+ /*
+ * 20 ---- dst ---- 60
+ * 70 - src - 80
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLT | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(70, 80),
+ .post = unreachable,
+ }, also_signed), "strict, dst range strongly less than src range");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLE | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(70, 80),
+ .post = unreachable,
+ }, also_signed), "non-strict, dst range strongly less than src range");
+
return TEST_SUCCESS;
}
REGISTER_FAST_TEST(bpf_validate_jmp64_ordering_ranges_autotest, NOHUGE_OK, ASAN_OK,
test_jmp64_ordering_ranges);
-/* Jump on ordering comparisons with singleton. */
+/* Jump on ordering comparisons with singleton inside the range. */
static int
-test_jmp64_ordering_singleton(void)
+test_jmp64_ordering_singleton_inside(void)
{
/* All ranges used are valid for both signed and unsigned comparisons. */
const bool also_signed = true;
@@ -1878,8 +1978,177 @@ test_jmp64_ordering_singleton(void)
return TEST_SUCCESS;
}
-REGISTER_FAST_TEST(bpf_validate_jmp64_ordering_singleton_autotest, NOHUGE_OK, ASAN_OK,
- test_jmp64_ordering_singleton);
+REGISTER_FAST_TEST(bpf_validate_jmp64_ordering_singleton_inside_autotest, NOHUGE_OK, ASAN_OK,
+ test_jmp64_ordering_singleton_inside);
+
+/* Jump on ordering comparisons with singleton outside the range. */
+static int
+test_jmp64_ordering_singleton_outside(void)
+{
+ /* All ranges used are valid for both signed and unsigned comparisons. */
+ const bool also_signed = true;
+
+ /*
+ * 20 ---- dst ---- 60
+ * imm
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLT | BPF_K),
+ .imm = 10,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .jump = unreachable,
+ }, also_signed), "(BPF_JMP | EBPF_JLT | BPF_K) check, range greater than imm");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLE | BPF_K),
+ .imm = 10,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .jump = unreachable,
+ }, also_signed), "(BPF_JMP | EBPF_JLE | BPF_K) check, range greater than imm");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | BPF_JGT | BPF_K),
+ .imm = 10,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .post = unreachable,
+ }, also_signed), "(BPF_JMP | EBPF_JGT | BPF_K) check, range greater than imm");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | BPF_JGE | BPF_K),
+ .imm = 10,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .post = unreachable,
+ }, also_signed), "(BPF_JMP | EBPF_JGE | BPF_K) check, range greater than imm");
+
+ /*
+ * 20 ---- dst ---- 60
+ * imm
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLT | BPF_K),
+ .imm = 70,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .post = unreachable,
+ }, also_signed), "(BPF_JMP | EBPF_JLT | BPF_K) check, range less than imm");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLE | BPF_K),
+ .imm = 70,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .post = unreachable,
+ }, also_signed), "(BPF_JMP | EBPF_JLE | BPF_K) check, range less than imm");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | BPF_JGT | BPF_K),
+ .imm = 70,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .jump = unreachable,
+ }, also_signed), "(BPF_JMP | EBPF_JGT | BPF_K) check, range less than imm");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | BPF_JGE | BPF_K),
+ .imm = 70,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .jump = unreachable,
+ }, also_signed), "(BPF_JMP | EBPF_JGE | BPF_K) check, range less than imm");
+
+ return TEST_SUCCESS;
+}
+
+REGISTER_FAST_TEST(bpf_validate_jmp64_ordering_singleton_outside_autotest, NOHUGE_OK, ASAN_OK,
+ test_jmp64_ordering_singleton_outside);
+
+/* Jump on ordering comparisons with ranges "touching" each other. */
+static int
+test_jmp64_ordering_touching(void)
+{
+ /* All ranges used are valid for both signed and unsigned comparisons. */
+ const bool also_signed = true;
+
+ for (int overlap = 0; overlap != 3; ++overlap) {
+
+ /*
+ * 20 - dst - 30
+ * 10 - src - (19 + overlap)
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLT | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 30),
+ .pre.src = make_signed_domain(10, 19 + overlap),
+ .jump = overlap <= 1 ? unreachable : (struct state){
+ .dst = make_singleton_domain(20),
+ .src = make_singleton_domain(21),
+ },
+ }, also_signed), "strict, dst left touching src right, overlap=%d", overlap);
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLE | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 30),
+ .pre.src = make_signed_domain(10, 19 + overlap),
+ .jump = overlap < 1 ? unreachable : (struct state){
+ .dst = make_signed_domain(20, 19 + overlap),
+ .src = make_signed_domain(20, 19 + overlap),
+ },
+ }, also_signed), "non-strict, dst left touching src right, overlap=%d", overlap);
+
+ /*
+ * 10 - dst - (19 + overlap)
+ * 20 - src - 30
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLT | BPF_X),
+ },
+ .pre.dst = make_signed_domain(10, 19 + overlap),
+ .pre.src = make_signed_domain(20, 30),
+ .post = overlap < 1 ? unreachable : (struct state){
+ .dst = make_signed_domain(20, 19 + overlap),
+ .src = make_signed_domain(20, 19 + overlap),
+ },
+ }, also_signed), "strict, dst right touching src left, overlap=%d", overlap);
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLE | BPF_X),
+ },
+ .pre.dst = make_signed_domain(10, 19 + overlap),
+ .pre.src = make_signed_domain(20, 30),
+ .post = overlap <= 1 ? unreachable : (struct state){
+ .dst = make_singleton_domain(21),
+ .src = make_singleton_domain(20),
+ },
+ }, also_signed), "non-strict, dst right touching src left, overlap=%d", overlap);
+ }
+
+ return TEST_SUCCESS;
+}
+
+REGISTER_FAST_TEST(bpf_validate_jmp64_ordering_touching_autotest, NOHUGE_OK, ASAN_OK,
+ test_jmp64_ordering_touching);
/* 64-bit load from heap (should be set to unknown). */
static int
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 2e535069fe4d..af084e36c8d0 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -19,6 +19,9 @@
#define BPF_ARG_PTR_STACK RTE_BPF_ARG_RESERVED
+/* type containing no values (AKA "bottom", "never" etc) */
+#define BPF_ARG_UNINHABITED ((enum rte_bpf_arg_type)(RTE_BPF_ARG_UNDEF - 1))
+
struct bpf_reg_val {
struct rte_bpf_arg v;
uint64_t mask;
@@ -36,6 +39,8 @@ struct bpf_eval_state {
SLIST_ENTRY(bpf_eval_state) next; /* for @safe list traversal */
struct bpf_reg_val rv[EBPF_REG_NUM];
struct bpf_reg_val sv[MAX_BPF_STACK_SIZE / sizeof(uint64_t)];
+ /* flag set for branches determined to be dynamically unreachable */
+ bool unreachable;
};
SLIST_HEAD(bpf_evst_head, bpf_eval_state);
@@ -174,6 +179,9 @@ __rte_bpf_validate_can_access(const struct bpf_verifier *verifier,
struct value_set access_set;
uint32_t opsz;
+ if (st->unreachable)
+ return -ENOENT;
+
switch (BPF_CLASS(access->code)) {
case BPF_LDX:
rv = &st->rv[access->src_reg];
@@ -310,6 +318,10 @@ __rte_bpf_validate_may_jump(const struct bpf_verifier *verifier,
if (!may_jump_code_is_supported(jump->code))
return -ENOTSUP;
+ if (st->unreachable)
+ /* Set no bits since neither false nor true is possible. */
+ return 0;
+
rd = &st->rv[jump->dst_reg];
dst_set = (rd->v.type == RTE_BPF_ARG_UNDEF) ? value_set_full :
value_set_from_pair(rd->s.min, rd->s.max, rd->u.min, rd->u.max);
@@ -1521,40 +1533,68 @@ static void
eval_jgt_jle(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
- frd->u.max = RTE_MIN(frd->u.max, frs->u.max);
- frs->u.min = RTE_MAX(frs->u.min, frd->u.min);
- trd->u.min = RTE_MAX(trd->u.min, trs->u.min + 1);
- trs->u.max = RTE_MIN(trs->u.max, trd->u.max - 1);
+ if (frd->u.min <= frs->u.max) {
+ frd->u.max = RTE_MIN(frd->u.max, frs->u.max);
+ frs->u.min = RTE_MAX(frs->u.min, frd->u.min);
+ } else
+ frd->v.type = frs->v.type = BPF_ARG_UNINHABITED;
+
+ if (trs->u.min < trd->u.max) {
+ trd->u.min = RTE_MAX(trd->u.min, trs->u.min + 1);
+ trs->u.max = RTE_MIN(trs->u.max, trd->u.max - 1);
+ } else
+ trd->v.type = trs->v.type = BPF_ARG_UNINHABITED;
}
static void
eval_jlt_jge(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
- frd->u.min = RTE_MAX(frd->u.min, frs->u.min);
- frs->u.max = RTE_MIN(frs->u.max, frd->u.max);
- trd->u.max = RTE_MIN(trd->u.max, trs->u.max - 1);
- trs->u.min = RTE_MAX(trs->u.min, trd->u.min + 1);
+ if (frs->u.min <= frd->u.max) {
+ frd->u.min = RTE_MAX(frd->u.min, frs->u.min);
+ frs->u.max = RTE_MIN(frs->u.max, frd->u.max);
+ } else
+ frd->v.type = frs->v.type = BPF_ARG_UNINHABITED;
+
+ if (trd->u.min < trs->u.max) {
+ trd->u.max = RTE_MIN(trd->u.max, trs->u.max - 1);
+ trs->u.min = RTE_MAX(trs->u.min, trd->u.min + 1);
+ } else
+ trd->v.type = trs->v.type = BPF_ARG_UNINHABITED;
}
static void
eval_jsgt_jsle(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
- frd->s.max = RTE_MIN(frd->s.max, frs->s.max);
- frs->s.min = RTE_MAX(frs->s.min, frd->s.min);
- trd->s.min = RTE_MAX(trd->s.min, trs->s.min + 1);
- trs->s.max = RTE_MIN(trs->s.max, trd->s.max - 1);
+ if (frd->s.min <= frs->s.max) {
+ frd->s.max = RTE_MIN(frd->s.max, frs->s.max);
+ frs->s.min = RTE_MAX(frs->s.min, frd->s.min);
+ } else
+ frd->v.type = frs->v.type = BPF_ARG_UNINHABITED;
+
+ if (trs->s.min < trd->s.max) {
+ trd->s.min = RTE_MAX(trd->s.min, trs->s.min + 1);
+ trs->s.max = RTE_MIN(trs->s.max, trd->s.max - 1);
+ } else
+ trd->v.type = trs->v.type = BPF_ARG_UNINHABITED;
}
static void
eval_jslt_jsge(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
- frd->s.min = RTE_MAX(frd->s.min, frs->s.min);
- frs->s.max = RTE_MIN(frs->s.max, frd->s.max);
- trd->s.max = RTE_MIN(trd->s.max, trs->s.max - 1);
- trs->s.min = RTE_MAX(trs->s.min, trd->s.min + 1);
+ if (frs->s.min <= frd->s.max) {
+ frd->s.min = RTE_MAX(frd->s.min, frs->s.min);
+ frs->s.max = RTE_MIN(frs->s.max, frd->s.max);
+ } else
+ frd->v.type = frs->v.type = BPF_ARG_UNINHABITED;
+
+ if (trd->s.min < trs->s.max) {
+ trd->s.max = RTE_MIN(trd->s.max, trs->s.max - 1);
+ trs->s.min = RTE_MAX(trs->s.min, trd->s.min + 1);
+ } else
+ trd->v.type = trs->v.type = BPF_ARG_UNINHABITED;
}
static const char *
@@ -1609,6 +1649,14 @@ eval_jcc(struct bpf_verifier *bvf, const struct ebpf_insn *ins)
else if (op == EBPF_JSGE)
eval_jslt_jsge(frd, frs, trd, trs);
+ if (trd->v.type == BPF_ARG_UNINHABITED ||
+ trs->v.type == BPF_ARG_UNINHABITED)
+ tst->unreachable = true;
+
+ if (frd->v.type == BPF_ARG_UNINHABITED ||
+ frs->v.type == BPF_ARG_UNINHABITED)
+ fst->unreachable = true;
+
return NULL;
}
@@ -2349,7 +2397,7 @@ set_edge_type(struct bpf_verifier *bvf, struct inst_node *node,
* Depth-First Search (DFS) through previously constructed
* Control Flow Graph (CFG).
* Information collected at this path would be used later
- * to determine is there any loops, and/or unreachable instructions.
+ * to determine is there any loops, and/or statically unreachable instructions.
* PREREQUISITE: there is at least one node.
*/
static void
@@ -2397,7 +2445,7 @@ dfs(struct bpf_verifier *bvf)
}
/*
- * report unreachable instructions.
+ * report statically unreachable instructions.
*/
static void
log_unreachable(const struct bpf_verifier *bvf)
@@ -2970,13 +3018,21 @@ evaluate(struct bpf_verifier *bvf)
stats.nb_restore++;
}
+ if (bvf->evst->unreachable) {
+ rc = __rte_bpf_validate_debug_evaluate_step(
+ debug, get_node_idx(bvf, next),
+ RTE_BPF_VALIDATE_DEBUG_EVENT_BRANCH_UNREACHABLE);
+ if (rc < 0)
+ break;
+
+ next = NULL;
/*
* for jcc targets: check did we already evaluated
* that path and can it's evaluation be skipped that
* time.
*/
- if (node->nb_edge > 1 && prune_eval_state(bvf, node,
- next) == 0) {
+ } else if (node->nb_edge > 1 &&
+ prune_eval_state(bvf, node, next) == 0) {
rc = __rte_bpf_validate_debug_evaluate_step(
debug, get_node_idx(bvf, next),
RTE_BPF_VALIDATE_DEBUG_EVENT_BRANCH_PRUNE);
diff --git a/lib/bpf/rte_bpf_validate_debug.h b/lib/bpf/rte_bpf_validate_debug.h
index 89bf587f0211..f30fa926f10a 100644
--- a/lib/bpf/rte_bpf_validate_debug.h
+++ b/lib/bpf/rte_bpf_validate_debug.h
@@ -49,6 +49,8 @@ enum rte_bpf_validate_debug_event {
RTE_BPF_VALIDATE_DEBUG_EVENT_BRANCH_PRUNE,
/* End of branch verification, after the last verified instruction. */
RTE_BPF_VALIDATE_DEBUG_EVENT_BRANCH_RETURN,
+ /* Pruning branch as dynamically unreachable. */
+ RTE_BPF_VALIDATE_DEBUG_EVENT_BRANCH_UNREACHABLE,
/* Number of valid event values. */
RTE_BPF_VALIDATE_DEBUG_EVENT_END,
};
--
2.43.0
^ permalink raw reply related
* [PATCH v4 16/24] bpf/validate: fix BPF_JMP source range calculation
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: dev, stable, Claudia Cauli
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
All two-register ordering comparison functions (`eval_jgt_jle`,
`eval_jlt_jge`, `eval_jsgt_jsle`, `eval_jslt_jsge`) were updating only
the destination register value set but not the source register one. For
instance, instruction `jgt r2, r3` should be exactly equivalent to `jlt
r3, r2`, but previously the former only updated the possible values of
r2 while the latter only updated possible values of r3. Thus the
estimate for source register was conservative and could cause false
positives.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: mov r2, #0x28
2: ldxdw r3, [r1 + 0]
3: jlt r3, #0x14, L11
4: jgt r3, #0x3c, L11
5: jslt r3, #0x14, L11
6: jsgt r3, #0x3c, L11
7: jgt r2, r3, L10 ; tested instruction
8: mov r0, #0x1
9: exit
10: mov r0, #0x2
11: exit
Pre-state:
r2: 40
r3: 20..60
...
Jump-state:
r2: 40
r3: 20..60
If tested instruction jumped from step 7 to step 10 validator expects r3
to contain values up to 60, for example 55, however for this value jump
condition r2 > r3 will never be satisfied since r2 is known to equal 40,
and thus execution would always continue to step 8 instead of jumping.
Add missing source register values update.
Introduce test harness for verifying all equivalent variations of a
comparison instruction. Add tests for all cases where both code branches
are reachable (unreachable branches will be covered by subsequent
commits).
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org
Reported-by: Claudia Cauli <claudiacauli@gmail.com>
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
app/test/test_bpf_validate.c | 394 +++++++++++++++++++++++++++++++----
lib/bpf/bpf_validate.c | 8 +
2 files changed, 358 insertions(+), 44 deletions(-)
diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
index acc238f7d324..15ccf4f6a573 100644
--- a/app/test/test_bpf_validate.c
+++ b/app/test/test_bpf_validate.c
@@ -32,6 +32,31 @@ RTE_LOG_REGISTER(test_bpf_validate_logtype, test.bpf_validate, NOTICE);
#define REGISTER_FORMAT_BUFFER_SIZE 256
#define DISASSEMBLY_FORMAT_BUFFER_SIZE 64
+#define COMPARISON_INDEX_IMMEDIATE RTE_BIT32(0)
+#define COMPARISON_INDEX_GREATER RTE_BIT32(1)
+#define COMPARISON_INDEX_INCLUSIVE RTE_BIT32(2)
+#define COMPARISON_INDEX_SIGNED RTE_BIT32(3)
+
+/* List comparison opcodes to make their index bits match constants above. */
+static const uint8_t comparisons_opcode[] = {
+ (BPF_JMP | EBPF_JLT | BPF_X),
+ (BPF_JMP | EBPF_JLT | BPF_K),
+ (BPF_JMP | BPF_JGT | BPF_X),
+ (BPF_JMP | BPF_JGT | BPF_K),
+ (BPF_JMP | EBPF_JLE | BPF_X),
+ (BPF_JMP | EBPF_JLE | BPF_K),
+ (BPF_JMP | BPF_JGE | BPF_X),
+ (BPF_JMP | BPF_JGE | BPF_K),
+ (BPF_JMP | EBPF_JSLT | BPF_X),
+ (BPF_JMP | EBPF_JSLT | BPF_K),
+ (BPF_JMP | EBPF_JSGT | BPF_X),
+ (BPF_JMP | EBPF_JSGT | BPF_K),
+ (BPF_JMP | EBPF_JSLE | BPF_X),
+ (BPF_JMP | EBPF_JSLE | BPF_K),
+ (BPF_JMP | EBPF_JSGE | BPF_X),
+ (BPF_JMP | EBPF_JSGE | BPF_K),
+};
+
/* Interval bounded by two signed values, inclusive; min <= max. */
struct signed_interval {
int64_t min;
@@ -1044,6 +1069,206 @@ verify_instruction(struct verify_instruction_param prm)
return rc;
}
+static int
+opcode_comparison_index(uint8_t opcode)
+{
+ for (int index = 0; index != RTE_DIM(comparisons_opcode); ++index)
+ if (comparisons_opcode[index] == opcode)
+ return index;
+ TEST_LOG_LINE(ERR, "Unsupported or not a comparison opcode: %hhx", opcode);
+ RTE_VERIFY(false);
+}
+
+/* Change two-register comparison verification to immediate one. */
+static bool
+make_comparison_immediate(struct verify_instruction_param *prm)
+{
+ int comparison_index = opcode_comparison_index(prm->tested_instruction.code);
+ const int64_t value = prm->pre.src.s.min;
+
+ if ((comparison_index & COMPARISON_INDEX_IMMEDIATE) != 0) {
+ TEST_LOG_LINE(ERR, "Comparison %hhx is already immediate.",
+ prm->tested_instruction.code);
+ RTE_VERIFY(false);
+ }
+
+ if (!domain_is_singleton(&prm->pre.src) || !domain_is_singleton(&prm->post.src) ||
+ !domain_is_singleton(&prm->jump.src)) {
+ TEST_LOG_LINE(DEBUG, "Cannot make immediate out of a non-singleton domain.");
+ return false;
+ }
+ if (prm->pre.src.is_pointer || prm->post.src.is_pointer || prm->jump.src.is_pointer) {
+ TEST_LOG_LINE(DEBUG, "Cannot make immediate out of a pointer.");
+ return false;
+ }
+ if (prm->post.src.s.min != value || prm->jump.src.s.min != value) {
+ TEST_LOG_LINE(DEBUG, "Cannot make immediate if the value changes.");
+ return false;
+ }
+ if (!fits_in_imm32(value)) {
+ TEST_LOG_LINE(ERR, "Cannot make immediate unless value fits in int32.");
+ return false;
+ }
+
+ comparison_index |= COMPARISON_INDEX_IMMEDIATE;
+ prm->tested_instruction.code = comparisons_opcode[comparison_index];
+ prm->tested_instruction.imm = value;
+
+ RTE_VERIFY(prm->pre.src.is_defined);
+ prm->pre.src.is_defined = false;
+
+ if (!prm->post.is_unreachable) {
+ RTE_VERIFY(prm->post.src.is_defined);
+ prm->post.src.is_defined = false;
+ }
+
+ if (!prm->jump.is_unreachable) {
+ RTE_VERIFY(prm->jump.src.is_defined);
+ prm->jump.src.is_defined = false;
+ }
+
+ return true;
+}
+
+/* Change immediate comparison verification to two-register one. */
+static void
+make_comparison_two_register(struct verify_instruction_param *prm)
+{
+ int comparison_index = opcode_comparison_index(prm->tested_instruction.code);
+ const int64_t value = prm->tested_instruction.imm;
+
+ if ((comparison_index & COMPARISON_INDEX_IMMEDIATE) == 0) {
+ TEST_LOG_LINE(ERR, "Comparison %hhx is already two-register.",
+ prm->tested_instruction.code);
+ RTE_VERIFY(false);
+ }
+
+ comparison_index &= ~COMPARISON_INDEX_IMMEDIATE;
+ prm->tested_instruction.code = comparisons_opcode[comparison_index];
+ prm->tested_instruction.imm = 0;
+
+ RTE_VERIFY(!prm->pre.src.is_defined);
+ prm->pre.src = make_singleton_domain(value);
+
+ if (!prm->post.is_unreachable) {
+ RTE_VERIFY(!prm->post.src.is_defined);
+ prm->post.src = prm->pre.src;
+ }
+
+ if (!prm->jump.is_unreachable) {
+ RTE_VERIFY(!prm->jump.src.is_defined);
+ prm->jump.src = prm->pre.src;
+ }
+}
+
+/* Change comparison verification to complement (negated result) one. */
+static void
+make_comparison_complement(struct verify_instruction_param *prm)
+{
+ int comparison_index = opcode_comparison_index(prm->tested_instruction.code);
+ comparison_index ^= COMPARISON_INDEX_GREATER | COMPARISON_INDEX_INCLUSIVE;
+ prm->tested_instruction.code = comparisons_opcode[comparison_index];
+ RTE_SWAP(prm->post, prm->jump);
+}
+
+/* Change comparison verification to converse (swapped operands) one. */
+static void
+make_comparison_converse(struct verify_instruction_param *prm)
+{
+ int comparison_index = opcode_comparison_index(prm->tested_instruction.code);
+ comparison_index ^= COMPARISON_INDEX_GREATER;
+ prm->tested_instruction.code = comparisons_opcode[comparison_index];
+ RTE_SWAP(prm->pre.dst, prm->pre.src);
+ RTE_SWAP(prm->post.dst, prm->post.src);
+ RTE_SWAP(prm->jump.dst, prm->jump.src);
+}
+
+/* Change signed comparison verification to unsigned one. */
+static void
+make_comparison_signed(struct verify_instruction_param *prm)
+{
+ int comparison_index = opcode_comparison_index(prm->tested_instruction.code);
+ if ((comparison_index & COMPARISON_INDEX_SIGNED) != 0) {
+ TEST_LOG_LINE(ERR, "Comparison %hhx is already signed.",
+ prm->tested_instruction.code);
+ RTE_VERIFY(false);
+ }
+ comparison_index |= COMPARISON_INDEX_SIGNED;
+ prm->tested_instruction.code = comparisons_opcode[comparison_index];
+}
+
+/* Verify specified two-register comparison and, if possible, immediate one. */
+static int
+verify_comparison_subcase(struct verify_instruction_param prm)
+{
+ TEST_ASSERT_SUCCESS(verify_instruction(prm), "two-register version check");
+
+ if (make_comparison_immediate(&prm))
+ TEST_ASSERT_SUCCESS(verify_instruction(prm), "immediate version check");
+
+ return TEST_SUCCESS;
+}
+
+/*
+ * Verify comparison instruction validation behaviour.
+ *
+ * Call `verify_instruction` for all valid variations of the instruction.
+ *
+ * For instance, `jgt r2, r3` verifies:
+ * * `jgt r2, r3`;
+ * * `jlt r3, r2` src and dst swapped with each other;
+ * * `jle r2, r3` with post and jump domains swapped with each other;
+ * * `jge r3, r2` with all corresponding swaps;
+ * * immediate versions of everything above where possible,
+ * that is, register on the right is an int32 scalar singleton;
+ * * signed versions of everything above if `also_signed` is true;
+ *
+ * Regardless if passed instruction compares with immediate or singleton src
+ * both cases are generated and tested.
+ */
+static int
+verify_comparison(struct verify_instruction_param prm, bool also_signed)
+{
+ fill_verify_instruction_defaults(&prm);
+
+ if (!prm.pre.src.is_defined)
+ /* Convert from immediate form to simplify further logic. */
+ make_comparison_two_register(&prm);
+
+ /* All reachable domains must be defined by this point. */
+ RTE_VERIFY(prm.pre.dst.is_defined);
+ RTE_VERIFY(prm.pre.src.is_defined);
+ if (!prm.post.is_unreachable) {
+ RTE_VERIFY(prm.post.dst.is_defined);
+ RTE_VERIFY(prm.post.src.is_defined);
+ }
+ if (!prm.jump.is_unreachable) {
+ RTE_VERIFY(prm.jump.dst.is_defined);
+ RTE_VERIFY(prm.jump.src.is_defined);
+ }
+
+ for (int make_signed = 0; make_signed <= also_signed; ++make_signed) {
+ if (make_signed)
+ make_comparison_signed(&prm);
+
+ for (int complement = false; complement <= true; ++complement) {
+
+ for (int converse = false; converse <= true; ++converse) {
+
+ TEST_ASSERT_SUCCESS(verify_comparison_subcase(prm),
+ "make_signed=%d, complement=%d, converse=%d",
+ make_signed, complement, converse);
+
+ make_comparison_converse(&prm);
+ }
+
+ make_comparison_complement(&prm);
+ }
+ }
+
+ return TEST_SUCCESS;
+}
+
/* TESTS FOR SPECIFIC INSTRUCTIONS */
@@ -1485,31 +1710,69 @@ test_jmp64_jslt_x(void)
REGISTER_FAST_TEST(bpf_validate_jmp64_jslt_x_autotest, NOHUGE_OK, ASAN_OK,
test_jmp64_jslt_x);
-/* Jump on ordering relationship with narrower range. */
+/* Jump on ordering comparisons between two ranges. */
static int
-test_jmp64_jxx_x_ordering_narrower(void)
+test_jmp64_ordering_ranges(void)
{
- TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ /* All ranges used are valid for both signed and unsigned comparisons. */
+ const bool also_signed = true;
+
+ /*
+ * 20 ---- dst ---- 60
+ * 10 -- src -- 40
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
.tested_instruction = {
- .code = (BPF_JMP | BPF_JGT | BPF_X),
+ .code = (BPF_JMP | EBPF_JLT | BPF_X),
},
.pre.dst = make_signed_domain(20, 60),
- .pre.src = make_signed_domain(30, 50),
- .post.dst = make_signed_domain(20, 50),
- .jump.dst = make_signed_domain(31, 60),
- }), "(BPF_JMP | BPF_JGT | BPF_X) check");
+ .pre.src = make_signed_domain(10, 40),
+ .jump.dst = make_signed_domain(20, 39),
+ .jump.src = make_signed_domain(21, 40),
+ }, also_signed), "strict, dst range weakly greater than src range");
- TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
.tested_instruction = {
- .code = (BPF_JMP | BPF_JGE | BPF_X),
+ .code = (BPF_JMP | EBPF_JLE | BPF_X),
},
.pre.dst = make_signed_domain(20, 60),
- .pre.src = make_signed_domain(30, 50),
- .post.dst = make_signed_domain(20, 49),
- .jump.dst = make_signed_domain(30, 60),
- }), "(BPF_JMP | BPF_JGE | BPF_X) check");
+ .pre.src = make_signed_domain(10, 40),
+ .jump.dst = make_signed_domain(20, 40),
+ .jump.src = make_signed_domain(20, 40),
+ }, also_signed), "non-strict, dst range weakly greater than src range");
- TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ /*
+ * 20 ---- dst ---- 60
+ * 10 -------- src -------- 70
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLT | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(10, 70),
+ .post.src = make_signed_domain(10, 60),
+ .jump.src = make_signed_domain(21, 70),
+ }, also_signed), "strict, dst range included in src range");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLE | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(10, 70),
+ .post.src = make_signed_domain(10, 59),
+ .jump.src = make_signed_domain(20, 70),
+ }, also_signed), "non-strict, dst range included in src range");
+
+ /*
+ * 20 ---- dst ---- 60
+ * 30 - src - 50
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
.tested_instruction = {
.code = (BPF_JMP | EBPF_JLT | BPF_X),
},
@@ -1517,9 +1780,9 @@ test_jmp64_jxx_x_ordering_narrower(void)
.pre.src = make_signed_domain(30, 50),
.post.dst = make_signed_domain(30, 60),
.jump.dst = make_signed_domain(20, 49),
- }), "(BPF_JMP | EBPF_JLT | BPF_X) check");
+ }, also_signed), "strict, dst range includes src range");
- TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
.tested_instruction = {
.code = (BPF_JMP | EBPF_JLE | BPF_X),
},
@@ -1527,53 +1790,96 @@ test_jmp64_jxx_x_ordering_narrower(void)
.pre.src = make_signed_domain(30, 50),
.post.dst = make_signed_domain(31, 60),
.jump.dst = make_signed_domain(20, 50),
- }), "(BPF_JMP | EBPF_JLE | BPF_X) check");
+ }, also_signed), "non-strict, dst range includes src range");
- TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ /*
+ * 20 ---- dst ---- 60
+ * 40 -- src -- 70
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
.tested_instruction = {
- .code = (BPF_JMP | EBPF_JSGT | BPF_X),
+ .code = (BPF_JMP | EBPF_JLT | BPF_X),
},
.pre.dst = make_signed_domain(20, 60),
- .pre.src = make_signed_domain(30, 50),
- .post.dst = make_signed_domain(20, 50),
- .jump.dst = make_signed_domain(31, 60),
- }), "(BPF_JMP | EBPF_JSGT | BPF_X) check");
+ .pre.src = make_signed_domain(40, 70),
+ .post.dst = make_signed_domain(40, 60),
+ .post.src = make_signed_domain(40, 60),
+ }, also_signed), "strict, dst range weakly less than src range");
- TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
.tested_instruction = {
- .code = (BPF_JMP | EBPF_JSGE | BPF_X),
+ .code = (BPF_JMP | EBPF_JLE | BPF_X),
},
.pre.dst = make_signed_domain(20, 60),
- .pre.src = make_signed_domain(30, 50),
- .post.dst = make_signed_domain(20, 49),
- .jump.dst = make_signed_domain(30, 60),
- }), "(BPF_JMP | EBPF_JSGE | BPF_X) check");
+ .pre.src = make_signed_domain(40, 70),
+ .post.dst = make_signed_domain(41, 60),
+ .post.src = make_signed_domain(40, 59),
+ }, also_signed), "non-strict, dst range weakly less than src range");
- TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ return TEST_SUCCESS;
+}
+
+REGISTER_FAST_TEST(bpf_validate_jmp64_ordering_ranges_autotest, NOHUGE_OK, ASAN_OK,
+ test_jmp64_ordering_ranges);
+
+/* Jump on ordering comparisons with singleton. */
+static int
+test_jmp64_ordering_singleton(void)
+{
+ /* All ranges used are valid for both signed and unsigned comparisons. */
+ const bool also_signed = true;
+
+ /*
+ * 20 ---- dst ---- 60
+ * imm
+ */
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
.tested_instruction = {
- .code = (BPF_JMP | EBPF_JSLT | BPF_X),
+ .code = (BPF_JMP | EBPF_JLT | BPF_K),
+ .imm = 40,
},
.pre.dst = make_signed_domain(20, 60),
- .pre.src = make_signed_domain(30, 50),
- .post.dst = make_signed_domain(30, 60),
- .jump.dst = make_signed_domain(20, 49),
- }), "(BPF_JMP | EBPF_JSLT | BPF_X) check");
+ .post.dst = make_signed_domain(40, 60),
+ .jump.dst = make_signed_domain(20, 39),
+ }, also_signed), "(BPF_JMP | EBPF_JLT | BPF_K) check");
- TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
.tested_instruction = {
- .code = (BPF_JMP | EBPF_JSLE | BPF_X),
+ .code = (BPF_JMP | BPF_JGT | BPF_K),
+ .imm = 40,
},
.pre.dst = make_signed_domain(20, 60),
- .pre.src = make_signed_domain(30, 50),
- .post.dst = make_signed_domain(31, 60),
- .jump.dst = make_signed_domain(20, 50),
- }), "(BPF_JMP | EBPF_JSLE | BPF_X) check");
+ .post.dst = make_signed_domain(20, 40),
+ .jump.dst = make_signed_domain(41, 60),
+ }, also_signed), "(BPF_JMP | EBPF_JGT | BPF_K) check");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLE | BPF_K),
+ .imm = 40,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .post.dst = make_signed_domain(41, 60),
+ .jump.dst = make_signed_domain(20, 40),
+ }, also_signed), "(BPF_JMP | EBPF_JLE | BPF_K) check");
+
+ TEST_ASSERT_SUCCESS(verify_comparison((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | BPF_JGE | BPF_K),
+ .imm = 40,
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .post.dst = make_signed_domain(20, 39),
+ .jump.dst = make_signed_domain(40, 60),
+ }, also_signed), "(BPF_JMP | EBPF_JGE | BPF_K) check");
return TEST_SUCCESS;
}
-REGISTER_FAST_TEST(bpf_validate_jmp64_jxx_x_ordering_narrower_autotest, NOHUGE_OK, ASAN_OK,
- test_jmp64_jxx_x_ordering_narrower);
+REGISTER_FAST_TEST(bpf_validate_jmp64_ordering_singleton_autotest, NOHUGE_OK, ASAN_OK,
+ test_jmp64_ordering_singleton);
/* 64-bit load from heap (should be set to unknown). */
static int
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 0578029dccbb..2e535069fe4d 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -1522,7 +1522,9 @@ eval_jgt_jle(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
frd->u.max = RTE_MIN(frd->u.max, frs->u.max);
+ frs->u.min = RTE_MAX(frs->u.min, frd->u.min);
trd->u.min = RTE_MAX(trd->u.min, trs->u.min + 1);
+ trs->u.max = RTE_MIN(trs->u.max, trd->u.max - 1);
}
static void
@@ -1530,7 +1532,9 @@ eval_jlt_jge(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
frd->u.min = RTE_MAX(frd->u.min, frs->u.min);
+ frs->u.max = RTE_MIN(frs->u.max, frd->u.max);
trd->u.max = RTE_MIN(trd->u.max, trs->u.max - 1);
+ trs->u.min = RTE_MAX(trs->u.min, trd->u.min + 1);
}
static void
@@ -1538,7 +1542,9 @@ eval_jsgt_jsle(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
frd->s.max = RTE_MIN(frd->s.max, frs->s.max);
+ frs->s.min = RTE_MAX(frs->s.min, frd->s.min);
trd->s.min = RTE_MAX(trd->s.min, trs->s.min + 1);
+ trs->s.max = RTE_MIN(trs->s.max, trd->s.max - 1);
}
static void
@@ -1546,7 +1552,9 @@ eval_jslt_jsge(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
frd->s.min = RTE_MAX(frd->s.min, frs->s.min);
+ frs->s.max = RTE_MIN(frs->s.max, frd->s.max);
trd->s.max = RTE_MIN(trd->s.max, trs->s.max - 1);
+ trs->s.min = RTE_MAX(trs->s.min, trd->s.min + 1);
}
static const char *
--
2.43.0
^ permalink raw reply related
* [PATCH v4 15/24] bpf/validate: fix BPF_JGT/EBPF_JSGT no-jump max
From: Marat Khalili @ 2026-06-23 14:32 UTC (permalink / raw)
To: Konstantin Ananyev; +Cc: dev, stable, Claudia Cauli
In-Reply-To: <20260623143215.95318-1-marat.khalili@huawei.com>
Functions `eval_jgt_jle` and `eval_jsgt_jsle` reduced range maximum for
BPF_JGT and EBPF_JSGT instructions in the no-jump case to the minimum of
src register instead of the maximum, producing more conservative
estimate that could cause false positives.
E.g. consider the following program with the current validation code:
Tested program:
0: mov r0, #0x0
1: ldxdw r2, [r1 + 0]
2: jlt r2, #0x14, L15
3: jgt r2, #0x3c, L15
4: jslt r2, #0x14, L15
5: jsgt r2, #0x3c, L15
6: ldxdw r3, [r1 + 8]
7: jlt r3, #0x1e, L15
8: jgt r3, #0x32, L15
9: jslt r3, #0x1e, L15
10: jsgt r3, #0x32, L15
11: jgt r2, r3, L14 ; tested instruction
12: mov r0, #0x1
13: exit
14: mov r0, #0x2
15: exit
Pre-state:
r2: 20..60
r3: 30..50
Post-state:
r2: 20..60 INTERSECT 0x14..0x1e (!)
Immediately after the tested instruction on step 12 validator expects r2
to contain values up to 60, for example 55, however for this value jump
condition r2 > r3 on step 11 would be always satisfied since r3 is known
to not exceed 50, and thus execution will always jump to step 14 instead
of continuing to step 12.
Fix range calculation, add tests for cases where range of src register
values is a strict subset of dst. Other cases will be covered in the
subsequent commits.
Fixes: 8021917293d0 ("bpf: add extra validation for input BPF program")
Cc: stable@dpdk.org
Reported-by: Claudia Cauli <claudiacauli@gmail.com>
Signed-off-by: Marat Khalili <marat.khalili@huawei.com>
Acked-by: Konstantin Ananyev <konstantin.ananyev@huawei.com>
---
app/test/test_bpf_validate.c | 90 ++++++++++++++++++++++++++++++++++++
lib/bpf/bpf_validate.c | 4 +-
2 files changed, 92 insertions(+), 2 deletions(-)
diff --git a/app/test/test_bpf_validate.c b/app/test/test_bpf_validate.c
index 15cdc83f4f14..acc238f7d324 100644
--- a/app/test/test_bpf_validate.c
+++ b/app/test/test_bpf_validate.c
@@ -1485,6 +1485,96 @@ test_jmp64_jslt_x(void)
REGISTER_FAST_TEST(bpf_validate_jmp64_jslt_x_autotest, NOHUGE_OK, ASAN_OK,
test_jmp64_jslt_x);
+/* Jump on ordering relationship with narrower range. */
+static int
+test_jmp64_jxx_x_ordering_narrower(void)
+{
+ TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | BPF_JGT | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(30, 50),
+ .post.dst = make_signed_domain(20, 50),
+ .jump.dst = make_signed_domain(31, 60),
+ }), "(BPF_JMP | BPF_JGT | BPF_X) check");
+
+ TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | BPF_JGE | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(30, 50),
+ .post.dst = make_signed_domain(20, 49),
+ .jump.dst = make_signed_domain(30, 60),
+ }), "(BPF_JMP | BPF_JGE | BPF_X) check");
+
+ TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLT | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(30, 50),
+ .post.dst = make_signed_domain(30, 60),
+ .jump.dst = make_signed_domain(20, 49),
+ }), "(BPF_JMP | EBPF_JLT | BPF_X) check");
+
+ TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JLE | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(30, 50),
+ .post.dst = make_signed_domain(31, 60),
+ .jump.dst = make_signed_domain(20, 50),
+ }), "(BPF_JMP | EBPF_JLE | BPF_X) check");
+
+ TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JSGT | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(30, 50),
+ .post.dst = make_signed_domain(20, 50),
+ .jump.dst = make_signed_domain(31, 60),
+ }), "(BPF_JMP | EBPF_JSGT | BPF_X) check");
+
+ TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JSGE | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(30, 50),
+ .post.dst = make_signed_domain(20, 49),
+ .jump.dst = make_signed_domain(30, 60),
+ }), "(BPF_JMP | EBPF_JSGE | BPF_X) check");
+
+ TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JSLT | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(30, 50),
+ .post.dst = make_signed_domain(30, 60),
+ .jump.dst = make_signed_domain(20, 49),
+ }), "(BPF_JMP | EBPF_JSLT | BPF_X) check");
+
+ TEST_ASSERT_SUCCESS(verify_instruction((struct verify_instruction_param){
+ .tested_instruction = {
+ .code = (BPF_JMP | EBPF_JSLE | BPF_X),
+ },
+ .pre.dst = make_signed_domain(20, 60),
+ .pre.src = make_signed_domain(30, 50),
+ .post.dst = make_signed_domain(31, 60),
+ .jump.dst = make_signed_domain(20, 50),
+ }), "(BPF_JMP | EBPF_JSLE | BPF_X) check");
+
+ return TEST_SUCCESS;
+}
+
+REGISTER_FAST_TEST(bpf_validate_jmp64_jxx_x_ordering_narrower_autotest, NOHUGE_OK, ASAN_OK,
+ test_jmp64_jxx_x_ordering_narrower);
+
/* 64-bit load from heap (should be set to unknown). */
static int
test_mem_ldx_dw_heap(void)
diff --git a/lib/bpf/bpf_validate.c b/lib/bpf/bpf_validate.c
index 2b73e3628881..0578029dccbb 100644
--- a/lib/bpf/bpf_validate.c
+++ b/lib/bpf/bpf_validate.c
@@ -1521,7 +1521,7 @@ static void
eval_jgt_jle(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
- frd->u.max = RTE_MIN(frd->u.max, frs->u.min);
+ frd->u.max = RTE_MIN(frd->u.max, frs->u.max);
trd->u.min = RTE_MAX(trd->u.min, trs->u.min + 1);
}
@@ -1537,7 +1537,7 @@ static void
eval_jsgt_jsle(struct bpf_reg_val *trd, struct bpf_reg_val *trs,
struct bpf_reg_val *frd, struct bpf_reg_val *frs)
{
- frd->s.max = RTE_MIN(frd->s.max, frs->s.min);
+ frd->s.max = RTE_MIN(frd->s.max, frs->s.max);
trd->s.min = RTE_MAX(trd->s.min, trs->s.min + 1);
}
--
2.43.0
^ permalink raw reply related
page: next (older) | prev (newer) | latest
- recent:[subjects (threaded)|topics (new)|topics (active)]
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox