[ Sasha's backport helper bot ] Hi, The upstream commit SHA1 provided is correct: 8ea607330a39184f51737c6ae706db7fdca7628e WARNING: Author mismatch between patch and upstream commit: Backport author: hsimeliere.opensource@xxxxxxxxxxx Commit author: Daniel Borkmann<daniel@xxxxxxxxxxxxx> Status in newer kernel trees: 6.12.y | Present (exact SHA1) 6.6.y | Present (different SHA1: 48068ccaea95) 6.1.y | Not found Note: The patch differs from the upstream commit: --- 1: 8ea607330a39 ! 1: 2a7a87725633 bpf: Fix overloading of MEM_UNINIT's meaning @@ Metadata ## Commit message ## bpf: Fix overloading of MEM_UNINIT's meaning + [ Upstream commit 8ea607330a39184f51737c6ae706db7fdca7628e ] + Lonial reported an issue in the BPF verifier where check_mem_size_reg() has the following code: @@ Commit message Acked-by: Kumar Kartikeya Dwivedi <memxor@xxxxxxxxx> Link: https://lore.kernel.org/r/20241021152809.33343-2-daniel@xxxxxxxxxxxxx Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx> + Signed-off-by: BRUNO VERNAY <bruno.vernay@xxxxxx> + Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@xxxxxxxxxxx> ## kernel/bpf/verifier.c ## @@ kernel/bpf/verifier.c: static int check_stack_range_initialized( @@ kernel/bpf/verifier.c: static int check_helper_mem_access(struct bpf_verifier_en return zero_size_allowed ? 
0 : -EACCES; return check_mem_access(env, env->insn_idx, regno, offset, BPF_B, -- atype, -1, false, false); -+ access_type, -1, false, false); +- atype, -1, false); ++ access_type, -1, false); } fallthrough; @@ kernel/bpf/verifier.c: static int check_helper_mem_access(struct bpf_verifier_env *env, int regno, - */ + static int check_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg, u32 regno, + enum bpf_access_type access_type, @@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *en if (reg->smin_value < 0) { @@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *env, + + if (reg->umin_value == 0) { + err = check_helper_mem_access(env, regno - 1, 0, +- zero_size_allowed, +- meta); ++ access_type, zero_size_allowed, meta); + if (err) + return err; + } +@@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *env, regno); return -EACCES; } @@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *en if (!err) err = mark_chain_precision(env, regno); return err; -@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg +@@ kernel/bpf/verifier.c: int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg, { bool may_be_null = type_may_be_null(reg->type); struct bpf_reg_state saved_reg; @@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, st /* Assuming that the register contains a value check if the memory * access is safe. Temporarily save and restore the register's state as * the conversion shouldn't be visible to a caller. 
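Review bot: The backport's `++ access_type, -1, false);` line drops the trailing `false` argument that the upstream form of this hunk passes to check_mem_access(), and the commit message as shown records only the added `[ Upstream commit … ]` line and Signed-off-by trailers, not this adaptation. It presumably reflects a shorter check_mem_access() signature in 6.1.y, but a stable reviewer currently has to re-derive that from the range-diff; the usual convention is a bracketed note directly under the upstream-commit line, e.g. `[ Adjusted check_mem_access() arguments for the 6.1 signature ]`. check_helper_mem_access() begins before this hunk, so the enclosing switch is not visible here.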
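Review bot: This `if (reg->umin_value == 0)` block exists only in the backport (every line carries the range-diff `+` marker), so the zero-size call to check_helper_mem_access() sits at a different point of check_mem_size_reg() than upstream, and this hunk threads `access_type` into that early call only. If 6.1.y still performs a later full-length check_helper_mem_access() call in the same function (the following backport-only hunk shows just its `return -EACCES;` tail), that call must receive the same `access_type`, otherwise the read/write distinction this fix introduces for MEM_UNINIT would be lost on the non-zero-size path; please confirm against the complete 6.1 patch. A short note in the commit message, e.g. `[ Zero-size check is located differently in 6.1 ]`, would make the relocation reviewable. check_mem_size_reg() starts and ends outside this hunk.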
-@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg +@@ kernel/bpf/verifier.c: int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg, mark_ptr_not_null_reg(reg); } @@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, st if (may_be_null) *reg = saved_reg; -@@ kernel/bpf/verifier.c: static int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg +@@ kernel/bpf/verifier.c: int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg_state mark_ptr_not_null_reg(mem_reg); } @@ kernel/bpf/verifier.c: static int check_func_arg(struct bpf_verifier_env *env, u + true, meta); break; case ARG_PTR_TO_DYNPTR: - err = process_dynptr_func(env, regno, insn_idx, arg_type, 0); + /* We only need to check for initialized / uninitialized helper --- Results of testing on various branches: | Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |