This is a note to let you know that I've just added the patch titled bpf: Move sanitize_val_alu out of op switch to the 5.11-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: bpf-move-sanitize_val_alu-out-of-op-switch.patch and it can be found in the queue-5.11 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From f528819334881fd622fdadeddb3f7edaed8b7c9b Mon Sep 17 00:00:00 2001 From: Daniel Borkmann <daniel@xxxxxxxxxxxxx> Date: Wed, 24 Mar 2021 11:25:39 +0100 Subject: bpf: Move sanitize_val_alu out of op switch From: Daniel Borkmann <daniel@xxxxxxxxxxxxx> commit f528819334881fd622fdadeddb3f7edaed8b7c9b upstream. Add a small sanitize_needed() helper function and move sanitize_val_alu() out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu() as well out of its opcode switch so this helps to streamline both. Signed-off-by: Daniel Borkmann <daniel@xxxxxxxxxxxxx> Reviewed-by: John Fastabend <john.fastabend@xxxxxxxxx> Acked-by: Alexei Starovoitov <ast@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- kernel/bpf/verifier.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -5473,6 +5473,11 @@ static int sanitize_val_alu(struct bpf_v return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0); } +static bool sanitize_needed(u8 opcode) +{ + return opcode == BPF_ADD || opcode == BPF_SUB; +} + static int sanitize_ptr_alu(struct bpf_verifier_env *env, struct bpf_insn *insn, const struct bpf_reg_state *ptr_reg, @@ -6445,6 +6450,12 @@ static int adjust_scalar_min_max_vals(st return 0; } + if (sanitize_needed(opcode)) { + ret = sanitize_val_alu(env, insn); + if (ret < 0) + return sanitize_err(env, insn, ret, NULL, NULL); + } + /* Calculate sign/unsigned bounds and tnum for alu32 and alu64 bit ops. * There are two classes of instructions: The first class we track both * alu32 and alu64 sign/unsigned bounds independently this provides the @@ -6461,17 +6472,11 @@ static int adjust_scalar_min_max_vals(st */ switch (opcode) { case BPF_ADD: - ret = sanitize_val_alu(env, insn); - if (ret < 0) - return sanitize_err(env, insn, ret, NULL, NULL); scalar32_min_max_add(dst_reg, &src_reg); scalar_min_max_add(dst_reg, &src_reg); dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); break; case BPF_SUB: - ret = sanitize_val_alu(env, insn); - if (ret < 0) - return sanitize_err(env, insn, ret, NULL, NULL); scalar32_min_max_sub(dst_reg, &src_reg); scalar_min_max_sub(dst_reg, &src_reg); dst_reg->var_off = tnum_sub(dst_reg->var_off, src_reg.var_off); Patches currently in stable-queue which might be from daniel@xxxxxxxxxxxxx are queue-5.11/bpf-improve-verifier-error-messages-for-users.patch queue-5.11/bpf-move-off_reg-into-sanitize_ptr_alu.patch queue-5.11/libbpf-fix-potential-null-pointer-dereference.patch queue-5.11/bpf-tighten-speculative-pointer-arithmetic-mask.patch queue-5.11/bpf-rework-ptr_limit-into-alu_limit-and-add-common-error-path.patch queue-5.11/bpf-ensure-off_reg-has-no-mixed-signed-bounds-for-al.patch queue-5.11/bpf-move-sanitize_val_alu-out-of-op-switch.patch queue-5.11/bpf-use-correct-permission-flag-for-mixed-signed-bou.patch