bpf: handle jset (if a & b ...) as a jump in CFG computation

eddyz87 · Alexei Starovoitov · commit 3157f7e29996 · 2025-06-13T11:51:19.000-07:00
BPF_JSET is a conditional jump and currently verifier.c:can_jump() does not know about that. This can lead to incorrect live registers and SCC computation. E.g. in the following example: 1: r0 = 1; 2: r2 = 2; 3: if r1 & 0x7 goto +1; 4: exit; 5: r0 = r2; 6: exit; W/o this fix insn_successors(3) will return only (4), a jump to (5) would be missed and r2 won't be marked as alive at (3). Fixes: 14c8552 ("bpf: simple DFA-based live registers analysis") Reported-by: syzbot+a36aac327960ff474804@syzkaller.appspotmail.com Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com> Signed-off-by: Eduard Zingerman <eddyz87@gmail.com> Link: https://lore.kernel.org/r/20250613175331.3238739-1-eddyz87@gmail.com Signed-off-by: Alexei Starovoitov <ast@kernel.org>
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
@@ -23951,6 +23951,7 @@ static bool can_jump(struct bpf_insn *insn)
 	case BPF_JSLT:
 	case BPF_JSLE:
 	case BPF_JCOND:
+	case BPF_JSET:
 		return true;
 	}
 

Original file line number	Diff line number	Diff line change
`@@ -23951,6 +23951,7 @@ static bool can_jump(struct bpf_insn *insn)`
`23951`	`23951`	`case BPF_JSLT:`
`23952`	`23952`	`case BPF_JSLE:`
`23953`	`23953`	`case BPF_JCOND:`
	`23954`	`+ case BPF_JSET:`
`23954`	`23955`	`return true;`
`23955`	`23956`	`}`
`23956`	`23957`