From: Ilya Leoshkevich Date: Mon, 1 Jul 2024 23:40:19 +0000 (+0200) Subject: bpf: Fix atomic probe zero-extension X-Git-Tag: v6.11-rc1~163^2~68^2~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df34ec9db6f521118895f22795da49f2ec01f8cf;p=thirdparty%2Flinux.git bpf: Fix atomic probe zero-extension Zero-extending results of atomic probe operations fails with: verifier bug. zext_dst is set, but no reg is defined The problem is that insn_def_regno() handles BPF_ATOMICs, but not BPF_PROBE_ATOMICs. Fix by adding the missing condition. Fixes: d503a04f8bc0 ("bpf: Add support for certain atomics in bpf_arena to x86 JIT") Signed-off-by: Ilya Leoshkevich Signed-off-by: Daniel Borkmann Acked-by: Daniel Borkmann Link: https://lore.kernel.org/bpf/20240701234304.14336-2-iii@linux.ibm.com --- diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index d3927d819465e..e25ad5fb9115d 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c @@ -3217,7 +3217,8 @@ static int insn_def_regno(const struct bpf_insn *insn) case BPF_ST: return -1; case BPF_STX: - if (BPF_MODE(insn->code) == BPF_ATOMIC && + if ((BPF_MODE(insn->code) == BPF_ATOMIC || + BPF_MODE(insn->code) == BPF_PROBE_ATOMIC) && (insn->imm & BPF_FETCH)) { if (insn->imm == BPF_CMPXCHG) return BPF_REG_0;
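Review bot: In the BPF_STX case of insn_def_regno(), the test for BPF_ATOMIC || BPF_PROBE_ATOMIC is open-coded with two BPF_MODE(insn->code) comparisons, and an open-coded mode comparison is how BPF_PROBE_ATOMIC came to be missed here in the first place. Consider moving the "is this an atomic mode" test into a small helper (the name would be yours to choose), so that other places comparing BPF_MODE(insn->code) against BPF_ATOMIC alone are easier to audit for the same omission. A one-line comment saying that fetching probe atomics define a destination register, just as plain atomics do, would also help. The commit message describes the failure as a "verifier bug. zext_dst is set, but no reg is defined" report, but no test is visible in this patch. A selftest that drives a BPF_FETCH probe atomic through zero-extension would stop this from regressing silently.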