+++ /dev/null
-From 80ab7ec37d80ac93467aa9fadb8912c2d15155b5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 23 Aug 2023 02:07:02 +0000
-Subject: bpf: Fix issue in verifying allow_ptr_leaks
-
-From: Yafang Shao <laoar.shao@gmail.com>
-
-[ Upstream commit d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 ]
-
-After we converted the capabilities of our networking-bpf program from
-cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
-failed to start. Because it failed the bpf verifier, and the error log
-is "R3 pointer comparison prohibited".
-
-A simple reproducer as follows,
-
-SEC("cls-ingress")
-int ingress(struct __sk_buff *skb)
-{
- struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
-
- if ((long)(iph + 1) > (long)skb->data_end)
- return TC_ACT_STOLEN;
- return TC_ACT_OK;
-}
-
-Per discussion with Yonghong and Alexei [1], comparison of two packet
-pointers is not a pointer leak. This patch fixes it.
-
-Our local kernel is 6.1.y and we expect this fix to be backported to
-6.1.y, so stable is CCed.
-
-[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/
-
-Suggested-by: Yonghong Song <yonghong.song@linux.dev>
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
-Acked-by: Eduard Zingerman <eddyz87@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230823020703.3790-2-laoar.shao@gmail.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/bpf/verifier.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 8f1e43df8c5fa..3fb6f6e4857a0 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -8178,6 +8178,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- return -EINVAL;
- }
-
-+ /* check src2 operand */
-+ err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-+ if (err)
-+ return err;
-+
-+ dst_reg = ®s[insn->dst_reg];
- if (BPF_SRC(insn->code) == BPF_X) {
- if (insn->imm != 0) {
- verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -8189,12 +8195,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- if (err)
- return err;
-
-- if (is_pointer_value(env, insn->src_reg)) {
-+ src_reg = ®s[insn->src_reg];
-+ if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
-+ is_pointer_value(env, insn->src_reg)) {
- verbose(env, "R%d pointer comparison prohibited\n",
- insn->src_reg);
- return -EACCES;
- }
-- src_reg = ®s[insn->src_reg];
- } else {
- if (insn->src_reg != BPF_REG_0) {
- verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -8202,12 +8209,6 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- }
- }
-
-- /* check src2 operand */
-- err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-- if (err)
-- return err;
--
-- dst_reg = ®s[insn->dst_reg];
- is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
-
- if (BPF_SRC(insn->code) == BPF_K) {
---
-2.40.1
-
media-venus-hfi-add-a-6xx-boot-logic.patch
media-venus-hfi_venus-write-to-vidc_ctrl_init-after-.patch
arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory.patch
-bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
netfilter-use-actual-socket-sk-for-reject-action.patch
netfilter-nft_exthdr-support-sctp-chunks.patch
netfilter-nf_tables-add-and-use-nft_sk-helper.patch
+++ /dev/null
-From 686d9331b840b73d7bb5dba2bd6ff27b65390309 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 23 Aug 2023 02:07:02 +0000
-Subject: bpf: Fix issue in verifying allow_ptr_leaks
-
-From: Yafang Shao <laoar.shao@gmail.com>
-
-[ Upstream commit d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 ]
-
-After we converted the capabilities of our networking-bpf program from
-cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
-failed to start. Because it failed the bpf verifier, and the error log
-is "R3 pointer comparison prohibited".
-
-A simple reproducer as follows,
-
-SEC("cls-ingress")
-int ingress(struct __sk_buff *skb)
-{
- struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
-
- if ((long)(iph + 1) > (long)skb->data_end)
- return TC_ACT_STOLEN;
- return TC_ACT_OK;
-}
-
-Per discussion with Yonghong and Alexei [1], comparison of two packet
-pointers is not a pointer leak. This patch fixes it.
-
-Our local kernel is 6.1.y and we expect this fix to be backported to
-6.1.y, so stable is CCed.
-
-[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/
-
-Suggested-by: Yonghong Song <yonghong.song@linux.dev>
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
-Acked-by: Eduard Zingerman <eddyz87@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230823020703.3790-2-laoar.shao@gmail.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/bpf/verifier.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index ecf4332ff312f..41327deb8cbb0 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -9193,6 +9193,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- return -EINVAL;
- }
-
-+ /* check src2 operand */
-+ err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-+ if (err)
-+ return err;
-+
-+ dst_reg = ®s[insn->dst_reg];
- if (BPF_SRC(insn->code) == BPF_X) {
- if (insn->imm != 0) {
- verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -9204,12 +9210,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- if (err)
- return err;
-
-- if (is_pointer_value(env, insn->src_reg)) {
-+ src_reg = ®s[insn->src_reg];
-+ if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
-+ is_pointer_value(env, insn->src_reg)) {
- verbose(env, "R%d pointer comparison prohibited\n",
- insn->src_reg);
- return -EACCES;
- }
-- src_reg = ®s[insn->src_reg];
- } else {
- if (insn->src_reg != BPF_REG_0) {
- verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -9217,12 +9224,6 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- }
- }
-
-- /* check src2 operand */
-- err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-- if (err)
-- return err;
--
-- dst_reg = ®s[insn->dst_reg];
- is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
-
- if (BPF_SRC(insn->code) == BPF_K) {
---
-2.40.1
-
perf-jevents-switch-build-to-use-jevents.py.patch
perf-build-update-build-rule-for-generated-files.patch
arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory.patch
-bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
netfilter-exthdr-add-support-for-tcp-option-removal.patch
netfilter-nft_exthdr-fix-non-linear-header-modificat.patch
ata-libata-rename-link-flag-ata_lflag_no_db_delay.patch
+++ /dev/null
-From 363e575ead0d6ffb20739c373b2c406be5deccbe Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 23 Aug 2023 02:07:02 +0000
-Subject: bpf: Fix issue in verifying allow_ptr_leaks
-
-From: Yafang Shao <laoar.shao@gmail.com>
-
-[ Upstream commit d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 ]
-
-After we converted the capabilities of our networking-bpf program from
-cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
-failed to start. Because it failed the bpf verifier, and the error log
-is "R3 pointer comparison prohibited".
-
-A simple reproducer as follows,
-
-SEC("cls-ingress")
-int ingress(struct __sk_buff *skb)
-{
- struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
-
- if ((long)(iph + 1) > (long)skb->data_end)
- return TC_ACT_STOLEN;
- return TC_ACT_OK;
-}
-
-Per discussion with Yonghong and Alexei [1], comparison of two packet
-pointers is not a pointer leak. This patch fixes it.
-
-Our local kernel is 6.1.y and we expect this fix to be backported to
-6.1.y, so stable is CCed.
-
-[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/
-
-Suggested-by: Yonghong Song <yonghong.song@linux.dev>
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
-Acked-by: Eduard Zingerman <eddyz87@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230823020703.3790-2-laoar.shao@gmail.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/bpf/verifier.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 530664693ac48..0676cf0d5d91d 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -6113,6 +6113,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- return -EINVAL;
- }
-
-+ /* check src2 operand */
-+ err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-+ if (err)
-+ return err;
-+
-+ dst_reg = ®s[insn->dst_reg];
- if (BPF_SRC(insn->code) == BPF_X) {
- if (insn->imm != 0) {
- verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -6124,12 +6130,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- if (err)
- return err;
-
-- if (is_pointer_value(env, insn->src_reg)) {
-+ src_reg = ®s[insn->src_reg];
-+ if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
-+ is_pointer_value(env, insn->src_reg)) {
- verbose(env, "R%d pointer comparison prohibited\n",
- insn->src_reg);
- return -EACCES;
- }
-- src_reg = ®s[insn->src_reg];
- } else {
- if (insn->src_reg != BPF_REG_0) {
- verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -6137,12 +6144,6 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- }
- }
-
-- /* check src2 operand */
-- err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-- if (err)
-- return err;
--
-- dst_reg = ®s[insn->dst_reg];
- is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
-
- if (BPF_SRC(insn->code) == BPF_K)
---
-2.40.1
-
clk-imx-clk-pll14xx-make-two-variables-static.patch
clk-imx-pll14xx-add-new-frequency-entries-for-pll144.patch
clk-imx-pll14xx-dynamically-configure-pll-for-393216.patch
-bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
drm-amd-display-reinstate-lfc-optimization.patch
drm-amd-display-fix-lfc-multiplier-changing-erratica.patch
drm-amd-display-prevent-potential-division-by-zero-e.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
