git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
4.19-stable patches
authorSasha Levin <sashal@kernel.org>
Tue, 6 Nov 2018 06:33:05 +0000 (01:33 -0500)
committerSasha Levin <sashal@kernel.org>
Tue, 6 Nov 2018 06:33:05 +0000 (01:33 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.19/bpf-fix-partial-copy-of-map_ptr-when-dst-is-scalar.patch [new file with mode: 0644]
queue-4.19/series [new file with mode: 0644]
queue-4.9/arm-tegra-fix-ulpi-regression-on-tegra20.patch [deleted file]

diff --git a/queue-4.19/bpf-fix-partial-copy-of-map_ptr-when-dst-is-scalar.patch b/queue-4.19/bpf-fix-partial-copy-of-map_ptr-when-dst-is-scalar.patch
new file mode 100644 (file)
index 0000000..8938d81
--- /dev/null
@@ -0,0 +1,93 @@
+From cbe5ca067f0c8cb7885643ef18b2c9b1cd265f52 Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Thu, 1 Nov 2018 22:29:53 +0100
+Subject: bpf: fix partial copy of map_ptr when dst is scalar
+
+commit 0962590e553331db2cc0aef2dc35c57f6300dbbe upstream.
+
+ALU operations on pointers such as scalar_reg += map_value_ptr are
+handled in adjust_ptr_min_max_vals(). Problem is however that map_ptr
+and range in the register state share a union, so transferring state
+through dst_reg->range = ptr_reg->range is just buggy as any new
+map_ptr in the dst_reg is then truncated (or null) for subsequent
+checks. Fix this by adding a raw member and use it for copying state
+over to dst_reg.
+
+Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Edward Cree <ecree@solarflare.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Edward Cree <ecree@solarflare.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ include/linux/bpf_verifier.h |  3 +++
+ kernel/bpf/verifier.c        | 10 ++++++----
+ 2 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h
+index 38b04f559ad3..1fd6fa822d2c 100644
+--- a/include/linux/bpf_verifier.h
++++ b/include/linux/bpf_verifier.h
+@@ -50,6 +50,9 @@ struct bpf_reg_state {
+                *   PTR_TO_MAP_VALUE_OR_NULL
+                */
+               struct bpf_map *map_ptr;
++
++              /* Max size from any of the above. */
++              unsigned long raw;
+       };
+       /* Fixed part of pointer offset, pointer types only */
+       s32 off;
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
+index 465952a8e465..b046564cc18d 100644
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2762,7 +2762,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
+                       dst_reg->umax_value = umax_ptr;
+                       dst_reg->var_off = ptr_reg->var_off;
+                       dst_reg->off = ptr_reg->off + smin_val;
+-                      dst_reg->range = ptr_reg->range;
++                      dst_reg->raw = ptr_reg->raw;
+                       break;
+               }
+               /* A new variable offset is created.  Note that off_reg->off
+@@ -2792,10 +2792,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
+               }
+               dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off);
+               dst_reg->off = ptr_reg->off;
++              dst_reg->raw = ptr_reg->raw;
+               if (reg_is_pkt_pointer(ptr_reg)) {
+                       dst_reg->id = ++env->id_gen;
+                       /* something was added to pkt_ptr, set range to zero */
+-                      dst_reg->range = 0;
++                      dst_reg->raw = 0;
+               }
+               break;
+       case BPF_SUB:
+@@ -2824,7 +2825,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
+                       dst_reg->var_off = ptr_reg->var_off;
+                       dst_reg->id = ptr_reg->id;
+                       dst_reg->off = ptr_reg->off - smin_val;
+-                      dst_reg->range = ptr_reg->range;
++                      dst_reg->raw = ptr_reg->raw;
+                       break;
+               }
+               /* A new variable offset is created.  If the subtrahend is known
+@@ -2850,11 +2851,12 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
+               }
+               dst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off);
+               dst_reg->off = ptr_reg->off;
++              dst_reg->raw = ptr_reg->raw;
+               if (reg_is_pkt_pointer(ptr_reg)) {
+                       dst_reg->id = ++env->id_gen;
+                       /* something was added to pkt_ptr, set range to zero */
+                       if (smin_val < 0)
+-                              dst_reg->range = 0;
++                              dst_reg->raw = 0;
+               }
+               break;
+       case BPF_AND:
+-- 
+2.17.1
+
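Review bot: Nothing enforces that `raw` is as wide as the widest member of the anonymous union in struct bpf_reg_state; the embedded include/linux/bpf_verifier.h hunk only states it in the comment `/* Max size from any of the above. */`. The fix depends on `dst_reg->raw = ptr_reg->raw` copying every byte of `map_ptr`, so if a wider member is added to the union later, the same truncated verifier state would come back silently. A compile-time check next to the copies, for example `BUILD_BUG_ON(sizeof(dst_reg->raw) < sizeof(dst_reg->map_ptr));`, would pin that assumption, and the comment could say that `raw` is the member used to copy or clear the whole union. The two packet-pointer branches now clear the union with `dst_reg->raw = 0` while their comment still reads "set range to zero", so that comment is worth updating too. adjust_ptr_min_max_vals() is only partly visible in the embedded hunks, so any other assignments to `range` outside them were not checked.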
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644 (file)
index 0000000..d0c3675
--- /dev/null
@@ -0,0 +1 @@
+bpf-fix-partial-copy-of-map_ptr-when-dst-is-scalar.patch
diff --git a/queue-4.9/arm-tegra-fix-ulpi-regression-on-tegra20.patch b/queue-4.9/arm-tegra-fix-ulpi-regression-on-tegra20.patch
deleted file mode 100644 (file)
index e960dc3..0000000
+++ /dev/null
@@ -1,48 +0,0 @@
-From 0bc3a6d4f0e519111965325703f4889555413d28 Mon Sep 17 00:00:00 2001
-From: Marcel Ziswiler <marcel.ziswiler@toradex.com>
-Date: Thu, 22 Feb 2018 15:38:25 +0100
-Subject: ARM: tegra: Fix ULPI regression on Tegra20
-
-[ Upstream commit 4c9a27a6c66d4427f3cba4019d4ba738fe99fa87 ]
-
-Since commit f8f8f1d04494 ("clk: Don't touch hardware when reparenting
-during registration") ULPI has been broken on Tegra20 leading to the
-following error message during boot:
-
-[    1.974698] ulpi_phy_power_on: ulpi write failed
-[    1.979384] tegra-ehci c5004000.usb: Failed to power on the phy
-[    1.985434] tegra-ehci: probe of c5004000.usb failed with error -110
-
-Debugging through the changes and finally also consulting the TRM
-revealed that rather than the CDEV2 clock off OSC requiring such pin
-muxing actually the PLL_P_OUT4 clock is in use. It looks like so far it
-just worked by chance of that one having been enabled which Stephen's
-commit now changed when reparenting sclk away from pll_p_out4 leaving
-that one disabled. Fix this by properly assigning the PLL_P_OUT4 clock
-as the ULPI PHY clock.
-
-Signed-off-by: Marcel Ziswiler <marcel.ziswiler@toradex.com>
-Reviewed-by: Dmitry Osipenko <digetx@gmail.com>
-Reviewed-by: Rob Herring <robh@kernel.org>
-Signed-off-by: Thierry Reding <treding@nvidia.com>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- arch/arm/boot/dts/tegra20.dtsi | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/arch/arm/boot/dts/tegra20.dtsi b/arch/arm/boot/dts/tegra20.dtsi
-index 2207c08e3fa3..d771f24f6a26 100644
---- a/arch/arm/boot/dts/tegra20.dtsi
-+++ b/arch/arm/boot/dts/tegra20.dtsi
-@@ -690,7 +690,7 @@
-               phy_type = "ulpi";
-               clocks = <&tegra_car TEGRA20_CLK_USB2>,
-                        <&tegra_car TEGRA20_CLK_PLL_U>,
--                       <&tegra_car TEGRA20_CLK_CDEV2>;
-+                       <&tegra_car TEGRA20_CLK_PLL_P_OUT4>;
-               clock-names = "reg", "pll_u", "ulpi-link";
-               resets = <&tegra_car 58>, <&tegra_car 22>;
-               reset-names = "usb", "utmi-pads";
--- 
-2.17.1
-