> diff --git a/arch/x86/net/bpf_jit_comp.c b/arch/x86/net/bpf_jit_comp.c
> index b70cecfec179..a383ffc8f289 100644
> --- a/arch/x86/net/bpf_jit_comp.c
> +++ b/arch/x86/net/bpf_jit_comp.c

[ ... ]

> @@ -2605,14 +2640,14 @@ static int do_jit(struct bpf_verifier_env *env, 
> struct bpf_prog *bpf_prog, int *
>                       }
>                       fallthrough;
>               case BPF_STX | BPF_ATOMIC | BPF_W:
> -             case BPF_STX | BPF_ATOMIC | BPF_DW:
> +             case BPF_STX | BPF_ATOMIC | BPF_DW: {
> +                     bool is64 = BPF_SIZE(insn->code) == BPF_DW;
> +                     u32 real_src_reg = src_reg;
> +                     u32 real_dst_reg = dst_reg;
> +                     u8 *branch_target;
>                       if (insn->imm == (BPF_AND | BPF_FETCH) ||
>                           insn->imm == (BPF_OR | BPF_FETCH) ||
>                           insn->imm == (BPF_XOR | BPF_FETCH)) {
> -                             bool is64 = BPF_SIZE(insn->code) == BPF_DW;
> -                             u32 real_src_reg = src_reg;
> -                             u32 real_dst_reg = dst_reg;
> -                             u8 *branch_target;
>
>                               /*
>                                * Can't be implemented with a single x86 insn.
> @@ -2626,7 +2661,19 @@ static int do_jit(struct bpf_verifier_env *env, struct 
> bpf_prog *bpf_prog, int *
>                               if (dst_reg == BPF_REG_0)
>                                       real_dst_reg = BPF_REG_AX;
>
> +                             ip += 3;
> +                     }
> +                     if (!bpf_atomic_is_load_store(insn)) {
> +                             err = emit_kasan_check(env, &prog, real_dst_reg,
> +                                                    insn, ip, false,
> +                                                    accesses_stack_only);
> +                             if (err)
> +                                     return err;
>                               branch_target = prog;
> +                     }
> +                     if (insn->imm == (BPF_AND | BPF_FETCH) ||
> +                         insn->imm == (BPF_OR | BPF_FETCH) ||
> +                         insn->imm == (BPF_XOR | BPF_FETCH)) {
>                               /* Load old value */
>                               emit_ldx(&prog, BPF_SIZE(insn->code),
>                                        BPF_REG_0, real_dst_reg, insn->off);
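Review bot: `branch_target` is now assigned only inside the `if (!bpf_atomic_is_load_store(insn))` block, yet it is consumed by the BPF_AND/OR/XOR | BPF_FETCH path that follows, so its initialization relies on `bpf_atomic_is_load_store()` never returning true for those three imm values; that invariant holds today as far as the visible code suggests, but nothing in the hunk states it, and the hoisted `u8 *branch_target;` in the first hunk invites a maybe-uninitialized warning or a later edit that breaks it. A comment at the assignment such as `/* FETCH ops are never load/store, so branch_target is always set on that path */` would pin this down, or initialize it to NULL at its declaration and check it where it is used. Separately, the bare `ip += 3;` added after the `real_dst_reg = BPF_REG_AX` fixup carries no explanation of which emitted bytes the 3 accounts for; a one-line comment naming that instruction would spare the next reader from counting encodings. do_jit() begins and ends outside both hunks.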

This isn't a bug, but the FETCH-op check

        insn->imm == (BPF_AND | BPF_FETCH) ||
        insn->imm == (BPF_OR | BPF_FETCH) ||
        insn->imm == (BPF_XOR | BPF_FETCH)

is now spelled out in two adjacent if blocks in this case, where it was
written once before the patch.

Could it be hoisted into a single local (e.g. bool is_fetch = ...) so the
two copies don't have to be kept in sync on later edits?


---
AI reviewed your patch. Please fix the bug or email reply why it's not a bug.
See: https://github.com/kernel-patches/vmtest/blob/master/ci/claude/README.md

CI run summary: https://github.com/kernel-patches/bpf/actions/runs/28510424881
