--- /dev/null
+From foo@baz Wed Aug 3 05:24:03 PM CEST 2022
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Wed, 3 Aug 2022 17:50:03 +0300
+Subject: bpf: Test_verifier, #70 error message updates for 32-bit right shift
+To: stable@vger.kernel.org
+Cc: John Fastabend <john.fastabend@gmail.com>, Alexei Starovoitov <ast@kernel.org>, Ovidiu Panait <ovidiu.panait@windriver.com>
+Message-ID: <20220803145005.2385039-4-ovidiu.panait@windriver.com>
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit aa131ed44ae1d76637f0dbec33cfcf9115af9bc3 upstream.
+
+After changes to add update_reg_bounds after ALU ops and adding ALU32
+bounds tracking the error message is changed in the 32-bit right shift
+tests.
+
+Test "#70/u bounds check after 32-bit right shift with 64-bit input FAIL"
+now fails with,
+
+Unexpected error message!
+ EXP: R0 invalid mem access
+ RES: func#0 @0
+
+7: (b7) r1 = 2
+8: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP2 R10=fp0 fp-8_w=mmmmmmmm
+8: (67) r1 <<= 31
+9: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP4294967296 R10=fp0 fp-8_w=mmmmmmmm
+9: (74) w1 >>= 31
+10: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP0 R10=fp0 fp-8_w=mmmmmmmm
+10: (14) w1 -= 2
+11: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP4294967294 R10=fp0 fp-8_w=mmmmmmmm
+11: (0f) r0 += r1
+math between map_value pointer and 4294967294 is not allowed
+
+And test "#70/p bounds check after 32-bit right shift with 64-bit input
+FAIL" now fails with,
+
+Unexpected error message!
+ EXP: R0 invalid mem access
+ RES: func#0 @0
+
+7: (b7) r1 = 2
+8: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv2 R10=fp0 fp-8_w=mmmmmmmm
+8: (67) r1 <<= 31
+9: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv4294967296 R10=fp0 fp-8_w=mmmmmmmm
+9: (74) w1 >>= 31
+10: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv0 R10=fp0 fp-8_w=mmmmmmmm
+10: (14) w1 -= 2
+11: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv4294967294 R10=fp0 fp-8_w=mmmmmmmm
+11: (0f) r0 += r1
+last_idx 11 first_idx 0
+regs=2 stack=0 before 10: (14) w1 -= 2
+regs=2 stack=0 before 9: (74) w1 >>= 31
+regs=2 stack=0 before 8: (67) r1 <<= 31
+regs=2 stack=0 before 7: (b7) r1 = 2
+math between map_value pointer and 4294967294 is not allowed
+
+Before this series we did not trip the "math between map_value pointer..."
+error because check_reg_sane_offset is never called in
+adjust_ptr_min_max_vals(). Instead we have a register state that looks
+like this at line 11*,
+
+11: R0_w=map_value(id=0,off=0,ks=8,vs=8,
+ smin_value=0,smax_value=0,
+ umin_value=0,umax_value=0,
+ var_off=(0x0; 0x0))
+ R1_w=invP(id=0,
+ smin_value=0,smax_value=4294967295,
+ umin_value=0,umax_value=4294967295,
+ var_off=(0xfffffffe; 0x0))
+ R10=fp(id=0,off=0,
+ smin_value=0,smax_value=0,
+ umin_value=0,umax_value=0,
+ var_off=(0x0; 0x0)) fp-8_w=mmmmmmmm
+11: (0f) r0 += r1
+
+In R1 'smin_val != smax_val' yet we have a tnum_const as seen
+by 'var_off(0xfffffffe; 0x0))' with a 0x0 mask. So we hit this check
+in adjust_ptr_min_max_vals()
+
+ if ((known && (smin_val != smax_val || umin_val != umax_val)) ||
+ smin_val > smax_val || umin_val > umax_val) {
+ /* Taint dst register if offset had invalid bounds derived from
+ * e.g. dead branches.
+ */
+ __mark_reg_unknown(env, dst_reg);
+ return 0;
+ }
+
+So we don't throw an error here and instead only throw an error
+later in the verification when the memory access is made.
+
+The root cause in verifier without alu32 bounds tracking is having
+'umin_value = 0' and 'umax_value = U64_MAX' from BPF_SUB which we set
+when 'umin_value < umax_val' here,
+
+ if (dst_reg->umin_value < umax_val) {
+ /* Overflow possible, we know nothing */
+ dst_reg->umin_value = 0;
+ dst_reg->umax_value = U64_MAX;
+ } else { ...}
+
+Later in adjust_calar_min_max_vals we previously did a
+coerce_reg_to_size() which will clamp the U64_MAX to U32_MAX by
+truncating to 32bits. But either way without a call to update_reg_bounds
+the less precise bounds tracking will fall out of the alu op
+verification.
+
+After latest changes we now exit adjust_scalar_min_max_vals with the
+more precise umin value, due to zero extension propogating bounds from
+alu32 bounds into alu64 bounds and then calling update_reg_bounds.
+This then causes the verifier to trigger an earlier error and we get
+the error in the output above.
+
+This patch updates tests to reflect new error message.
+
+* I have a local patch to print entire verifier state regardless if we
+ believe it is a constant so we can get a full picture of the state.
+ Usually if tnum_is_const() then bounds are also smin=smax, etc. but
+ this is not always true and is a bit subtle. Being able to see these
+ states helps understand dataflow imo. Let me know if we want something
+ similar upstream.
+
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/158507161475.15666.3061518385241144063.stgit@john-Precision-5820-Tower
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/verifier/bounds.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/bpf/verifier/bounds.c
++++ b/tools/testing/selftests/bpf/verifier/bounds.c
+@@ -411,16 +411,14 @@
+ BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31),
+ /* r1 = 0xffff'fffe (NOT 0!) */
+ BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2),
+- /* computes OOB pointer */
++ /* error on computing OOB pointer */
+ BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1),
+- /* OOB access */
+- BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0),
+ /* exit */
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
+ .fixup_map_hash_8b = { 3 },
+- .errstr = "R0 invalid mem access",
++ .errstr = "math between map_value pointer and 4294967294 is not allowed",
+ .result = REJECT,
+ },
+ {
--- /dev/null
+From foo@baz Wed Aug 3 05:24:03 PM CEST 2022
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Wed, 3 Aug 2022 17:50:01 +0300
+Subject: bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()
+To: stable@vger.kernel.org
+Cc: John Fastabend <john.fastabend@gmail.com>, Alexei Starovoitov <ast@kernel.org>, Ovidiu Panait <ovidiu.panait@windriver.com>
+Message-ID: <20220803145005.2385039-2-ovidiu.panait@windriver.com>
+
+From: John Fastabend <john.fastabend@gmail.com>
+
+commit 294f2fc6da27620a506e6c050241655459ccd6bd upstream.
+
+Currently, for all op verification we call __red_deduce_bounds() and
+__red_bound_offset() but we only call __update_reg_bounds() in bitwise
+ops. However, we could benefit from calling __update_reg_bounds() in
+BPF_ADD, BPF_SUB, and BPF_MUL cases as well.
+
+For example, a register with state 'R1_w=invP0' when we subtract from
+it,
+
+ w1 -= 2
+
+Before coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX
+and unsigned bounds umin_value=0, umax_value=U64_MAX. These will then
+be clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op
+as done in above example. However tnum will be a constant because the
+ALU op is done on a constant.
+
+Without update_reg_bounds() we have a scenario where tnum is a const
+but our unsigned bounds do not reflect this. By calling update_reg_bounds
+after coerce to 32bit we further refine the umin_value to U64_MAX in the
+alu64 case or U32_MAX in the alu32 case above.
+
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5083,6 +5083,7 @@ static int adjust_scalar_min_max_vals(st
+ coerce_reg_to_size(dst_reg, 4);
+ }
+
++ __update_reg_bounds(dst_reg);
+ __reg_deduce_bounds(dst_reg);
+ __reg_bound_offset(dst_reg);
+ return 0;
--- /dev/null
+From foo@baz Wed Aug 3 05:24:03 PM CEST 2022
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Wed, 3 Aug 2022 17:50:02 +0300
+Subject: selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads
+To: stable@vger.kernel.org
+Cc: Jakub Sitnicki <jakub@cloudflare.com>, Alexei Starovoitov <ast@kernel.org>, Ovidiu Panait <ovidiu.panait@windriver.com>
+Message-ID: <20220803145005.2385039-3-ovidiu.panait@windriver.com>
+
+From: Jakub Sitnicki <jakub@cloudflare.com>
+
+commit 8f50f16ff39dd4e2d43d1548ca66925652f8aff7 upstream.
+
+Add coverage to the verifier tests and tests for reading bpf_sock fields to
+ensure that 32-bit, 16-bit, and 8-bit loads from dst_port field are allowed
+only at intended offsets and produce expected values.
+
+While 16-bit and 8-bit access to dst_port field is straight-forward, 32-bit
+wide loads need be allowed and produce a zero-padded 16-bit value for
+backward compatibility.
+
+Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
+Link: https://lore.kernel.org/r/20220130115518.213259-3-jakub@cloudflare.com
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+[OP: backport to 5.4: cherry-pick verifier changes only]
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/include/uapi/linux/bpf.h | 3 -
+ tools/testing/selftests/bpf/verifier/sock.c | 81 ++++++++++++++++++++++++++--
+ 2 files changed, 80 insertions(+), 4 deletions(-)
+
+--- a/tools/include/uapi/linux/bpf.h
++++ b/tools/include/uapi/linux/bpf.h
+@@ -3068,7 +3068,8 @@ struct bpf_sock {
+ __u32 src_ip4;
+ __u32 src_ip6[4];
+ __u32 src_port; /* host byte order */
+- __u32 dst_port; /* network byte order */
++ __be16 dst_port; /* network byte order */
++ __u16 :16; /* zero padding */
+ __u32 dst_ip4;
+ __u32 dst_ip6[4];
+ __u32 state;
+--- a/tools/testing/selftests/bpf/verifier/sock.c
++++ b/tools/testing/selftests/bpf/verifier/sock.c
+@@ -121,7 +121,25 @@
+ .result = ACCEPT,
+ },
+ {
+- "sk_fullsock(skb->sk): sk->dst_port [narrow load]",
++ "sk_fullsock(skb->sk): sk->dst_port [word load] (backward compatibility)",
++ .insns = {
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
++ .result = ACCEPT,
++},
++{
++ "sk_fullsock(skb->sk): sk->dst_port [half load]",
+ .insns = {
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
+@@ -139,7 +157,64 @@
+ .result = ACCEPT,
+ },
+ {
+- "sk_fullsock(skb->sk): sk->dst_port [load 2nd byte]",
++ "sk_fullsock(skb->sk): sk->dst_port [half load] (invalid)",
++ .insns = {
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
++ .result = REJECT,
++ .errstr = "invalid sock access",
++},
++{
++ "sk_fullsock(skb->sk): sk->dst_port [byte load]",
++ .insns = {
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port)),
++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
++ .result = ACCEPT,
++},
++{
++ "sk_fullsock(skb->sk): sk->dst_port [byte load] (invalid)",
++ .insns = {
++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock),
++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2),
++ BPF_MOV64_IMM(BPF_REG_0, 0),
++ BPF_EXIT_INSN(),
++ },
++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB,
++ .result = REJECT,
++ .errstr = "invalid sock access",
++},
++{
++ "sk_fullsock(skb->sk): past sk->dst_port [half load] (invalid)",
+ .insns = {
+ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)),
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2),
+@@ -149,7 +224,7 @@
+ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+- BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1),
++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, dst_port)),
+ BPF_MOV64_IMM(BPF_REG_0, 0),
+ BPF_EXIT_INSN(),
+ },
--- /dev/null
+From foo@baz Wed Aug 3 05:24:03 PM CEST 2022
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Wed, 3 Aug 2022 17:50:05 +0300
+Subject: selftests/bpf: Fix "dubious pointer arithmetic" test
+To: stable@vger.kernel.org
+Cc: Jean-Philippe Brucker <jean-philippe@linaro.org>, John Fastabend <john.fastabend@gmail.com>, Alexei Starovoitov <ast@kernel.org>, Ovidiu Panait <ovidiu.panait@windriver.com>
+Message-ID: <20220803145005.2385039-6-ovidiu.panait@windriver.com>
+
+From: Jean-Philippe Brucker <jean-philippe@linaro.org>
+
+commit 3615bdf6d9b19db12b1589861609b4f1c6a8d303 upstream.
+
+The verifier trace changed following a bugfix. After checking the 64-bit
+sign, only the upper bit mask is known, not bit 31. Update the test
+accordingly.
+
+Signed-off-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/test_align.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/tools/testing/selftests/bpf/test_align.c
++++ b/tools/testing/selftests/bpf/test_align.c
+@@ -475,10 +475,10 @@ static struct bpf_align_test tests[] = {
+ */
+ {7, "R5_w=inv(id=0,smin_value=-9223372036854775806,smax_value=9223372036854775806,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"},
+ /* Checked s>=0 */
+- {9, "R5=inv(id=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
++ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"},
+ /* packet pointer + nonnegative (4n+2) */
+- {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
+- {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
++ {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"},
++ {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"},
+ /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine.
+ * We checked the bounds, but it might have been able
+ * to overflow if the packet pointer started in the
+@@ -486,7 +486,7 @@ static struct bpf_align_test tests[] = {
+ * So we did not get a 'range' on R6, and the access
+ * attempt will fail.
+ */
+- {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
++ {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"},
+ }
+ },
+ {
--- /dev/null
+From foo@baz Wed Aug 3 05:24:03 PM CEST 2022
+From: Ovidiu Panait <ovidiu.panait@windriver.com>
+Date: Wed, 3 Aug 2022 17:50:04 +0300
+Subject: selftests/bpf: Fix test_align verifier log patterns
+To: stable@vger.kernel.org
+Cc: Stanislav Fomichev <sdf@google.com>, Daniel Borkmann <daniel@iogearbox.net>, Ovidiu Panait <ovidiu.panait@windriver.com>
+Message-ID: <20220803145005.2385039-5-ovidiu.panait@windriver.com>
+
+From: Stanislav Fomichev <sdf@google.com>
+
+commit 5366d2269139ba8eb6a906d73a0819947e3e4e0a upstream.
+
+Commit 294f2fc6da27 ("bpf: Verifer, adjust_scalar_min_max_vals to always
+call update_reg_bounds()") changed the way verifier logs some of its state,
+adjust the test_align accordingly. Where possible, I tried to not copy-paste
+the entire log line and resorted to dropping the last closing brace instead.
+
+Fixes: 294f2fc6da27 ("bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()")
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Link: https://lore.kernel.org/bpf/20200515194904.229296-1-sdf@google.com
+Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/test_align.c | 41 +++++++++++++++----------------
+ 1 file changed, 21 insertions(+), 20 deletions(-)
+
+--- a/tools/testing/selftests/bpf/test_align.c
++++ b/tools/testing/selftests/bpf/test_align.c
+@@ -359,15 +359,15 @@ static struct bpf_align_test tests[] = {
+ * is still (4n), fixed offset is not changed.
+ * Also, we create a new reg->id.
+ */
+- {29, "R5_w=pkt(id=4,off=18,r=0,umax_value=2040,var_off=(0x0; 0x7fc))"},
++ {29, "R5_w=pkt(id=4,off=18,r=0,umax_value=2040,var_off=(0x0; 0x7fc)"},
+ /* At the time the word size load is performed from R5,
+ * its total fixed offset is NET_IP_ALIGN + reg->off (18)
+ * which is 20. Then the variable offset is (4n), so
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {33, "R4=pkt(id=4,off=22,r=22,umax_value=2040,var_off=(0x0; 0x7fc))"},
+- {33, "R5=pkt(id=4,off=18,r=22,umax_value=2040,var_off=(0x0; 0x7fc))"},
++ {33, "R4=pkt(id=4,off=22,r=22,umax_value=2040,var_off=(0x0; 0x7fc)"},
++ {33, "R5=pkt(id=4,off=18,r=22,umax_value=2040,var_off=(0x0; 0x7fc)"},
+ },
+ },
+ {
+@@ -410,15 +410,15 @@ static struct bpf_align_test tests[] = {
+ /* Adding 14 makes R6 be (4n+2) */
+ {9, "R6_w=inv(id=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
+ /* Packet pointer has (4n+2) offset */
+- {11, "R5_w=pkt(id=1,off=0,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
+- {13, "R4=pkt(id=1,off=4,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
++ {11, "R5_w=pkt(id=1,off=0,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"},
++ {13, "R4=pkt(id=1,off=4,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"},
+ /* At the time the word size load is performed from R5,
+ * its total fixed offset is NET_IP_ALIGN + reg->off (0)
+ * which is 2. Then the variable offset is (4n+2), so
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {15, "R5=pkt(id=1,off=0,r=4,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"},
++ {15, "R5=pkt(id=1,off=0,r=4,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"},
+ /* Newly read value in R6 was shifted left by 2, so has
+ * known alignment of 4.
+ */
+@@ -426,15 +426,15 @@ static struct bpf_align_test tests[] = {
+ /* Added (4n) to packet pointer's (4n+2) var_off, giving
+ * another (4n+2).
+ */
+- {19, "R5_w=pkt(id=2,off=0,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"},
+- {21, "R4=pkt(id=2,off=4,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"},
++ {19, "R5_w=pkt(id=2,off=0,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"},
++ {21, "R4=pkt(id=2,off=4,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"},
+ /* At the time the word size load is performed from R5,
+ * its total fixed offset is NET_IP_ALIGN + reg->off (0)
+ * which is 2. Then the variable offset is (4n+2), so
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {23, "R5=pkt(id=2,off=0,r=4,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"},
++ {23, "R5=pkt(id=2,off=0,r=4,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"},
+ },
+ },
+ {
+@@ -469,16 +469,16 @@ static struct bpf_align_test tests[] = {
+ .matches = {
+ {4, "R5_w=pkt_end(id=0,off=0,imm=0)"},
+ /* (ptr - ptr) << 2 == unknown, (4n) */
+- {6, "R5_w=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"},
++ {6, "R5_w=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc)"},
+ /* (4n) + 14 == (4n+2). We blow our bounds, because
+ * the add could overflow.
+ */
+- {7, "R5_w=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"},
++ {7, "R5_w=inv(id=0,smin_value=-9223372036854775806,smax_value=9223372036854775806,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"},
+ /* Checked s>=0 */
+- {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
++ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
+ /* packet pointer + nonnegative (4n+2) */
+- {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
+- {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
++ {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
++ {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
+ /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine.
+ * We checked the bounds, but it might have been able
+ * to overflow if the packet pointer started in the
+@@ -486,7 +486,7 @@ static struct bpf_align_test tests[] = {
+ * So we did not get a 'range' on R6, and the access
+ * attempt will fail.
+ */
+- {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"},
++ {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"},
+ }
+ },
+ {
+@@ -528,7 +528,7 @@ static struct bpf_align_test tests[] = {
+ /* New unknown value in R7 is (4n) */
+ {11, "R7_w=inv(id=0,umax_value=1020,var_off=(0x0; 0x3fc))"},
+ /* Subtracting it from R6 blows our unsigned bounds */
+- {12, "R6=inv(id=0,smin_value=-1006,smax_value=1034,var_off=(0x2; 0xfffffffffffffffc))"},
++ {12, "R6=inv(id=0,smin_value=-1006,smax_value=1034,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"},
+ /* Checked s>= 0 */
+ {14, "R6=inv(id=0,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc))"},
+ /* At the time the word size load is performed from R5,
+@@ -537,7 +537,8 @@ static struct bpf_align_test tests[] = {
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {20, "R5=pkt(id=1,off=0,r=4,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc))"},
++ {20, "R5=pkt(id=1,off=0,r=4,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc)"},
++
+ },
+ },
+ {
+@@ -579,18 +580,18 @@ static struct bpf_align_test tests[] = {
+ /* Adding 14 makes R6 be (4n+2) */
+ {11, "R6_w=inv(id=0,umin_value=14,umax_value=74,var_off=(0x2; 0x7c))"},
+ /* Subtracting from packet pointer overflows ubounds */
+- {13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c))"},
++ {13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c)"},
+ /* New unknown value in R7 is (4n), >= 76 */
+ {15, "R7_w=inv(id=0,umin_value=76,umax_value=1096,var_off=(0x0; 0x7fc))"},
+ /* Adding it to packet pointer gives nice bounds again */
+- {16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"},
++ {16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"},
+ /* At the time the word size load is performed from R5,
+ * its total fixed offset is NET_IP_ALIGN + reg->off (0)
+ * which is 2. Then the variable offset is (4n+2), so
+ * the total offset is 4-byte aligned and meets the
+ * load's requirements.
+ */
+- {20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"},
++ {20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"},
+ },
+ },
+ };
acpi-video-force-backlight-native-for-some-tongfang-devices.patch
acpi-video-shortening-quirk-list-by-identifying-clevo-by-board_name-only.patch
acpi-apei-better-fix-to-avoid-spamming-the-console-with-old-error-logs.patch
+bpf-verifer-adjust_scalar_min_max_vals-to-always-call-update_reg_bounds.patch
+selftests-bpf-extend-verifier-and-bpf_sock-tests-for-dst_port-loads.patch
+bpf-test_verifier-70-error-message-updates-for-32-bit-right-shift.patch
+selftests-bpf-fix-test_align-verifier-log-patterns.patch
+selftests-bpf-fix-dubious-pointer-arithmetic-test.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
