From: Sasha Levin Date: Thu, 12 Mar 2026 11:08:42 +0000 (-0400) Subject: Fixes for all trees X-Git-Tag: v6.19.7~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=97d67c90a8f7972ba9052211729c2682900bb462;p=thirdparty%2Fkernel%2Fstable-queue.git Fixes for all trees Signed-off-by: Sasha Levin --- diff --git a/queue-6.18/selftests-bpf-avoid-simplification-of-crafted-bounds.patch b/queue-6.18/selftests-bpf-avoid-simplification-of-crafted-bounds.patch new file mode 100644 index 0000000000..a41bad52b7 --- /dev/null +++ b/queue-6.18/selftests-bpf-avoid-simplification-of-crafted-bounds.patch 
@@ -0,0 +1,67 @@ +From 0c667ed889d20e5ec56c1304c504530f19e05ae3 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 22:42:45 +0100 +Subject: selftests/bpf: Avoid simplification of crafted bounds test + +From: Paul Chaignon + +[ Upstream commit 024cea2d647ed8ab942f19544b892d324dba42b4 ] + +The reg_bounds_crafted tests validate the verifier's range analysis +logic. They focus on the actual ranges and thus ignore the tnum. As a +consequence, they carry the assumption that the tested cases can be +reproduced in userspace without using the tnum information. + +Unfortunately, the previous change the refinement logic breaks that +assumption for one test case: + + (u64)2147483648 (u32) [4294967294; 0x100000000] + +The tested bytecode is shown below. Without our previous improvement, on +the false branch of the condition, R7 is only known to have u64 range +[0xfffffffe; 0x100000000]. With our improvement, and using the tnum +information, we can deduce that R7 equals 0x100000000. + + 19: (bc) w0 = w6 ; R6=0x80000000 + 20: (bc) w0 = w7 ; R7=scalar(smin=umin=0xfffffffe,smax=umax=0x100000000,smin32=-2,smax32=0,var_off=(0x0; 0x1ffffffff)) + 21: (be) if w6 <= w7 goto pc+3 ; R6=0x80000000 R7=0x100000000 + +R7's tnum is (0; 0x1ffffffff). On the false branch, regs_refine_cond_op +refines R7's u32 range to [0; 0x7fffffff]. Then, __reg32_deduce_bounds +refines the s32 range to 0 using u32 and finally also sets u32=0. +From this, __reg_bound_offset improves the tnum to (0; 0x100000000). +Finally, our previous patch uses this new tnum to deduce that it only +intersect with u64=[0xfffffffe; 0x100000000] in a single value: +0x100000000. + +Because the verifier uses the tnum to reach this constant value, the +selftest is unable to reproduce it by only simulating ranges. The +solution implemented in this patch is to change the test case such that +there is more than one overlap value between u64 and the tnum. The max. 
+u64 value is thus changed from 0x100000000 to 0x300000000. + +Acked-by: Eduard Zingerman +Signed-off-by: Paul Chaignon +Link: https://lore.kernel.org/r/50641c6a7ef39520595dcafa605692427c1006ec.1772225741.git.paul.chaignon@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/reg_bounds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c +index d93a0c7b1786f..0322f817d07be 100644 +--- a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c ++++ b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c +@@ -2091,7 +2091,7 @@ static struct subtest_case crafted_cases[] = { + {U64, S64, {0, 0xffffffffULL}, {0x7fffffff, 0x7fffffff}}, + + {U64, U32, {0, 0x100000000}, {0, 0}}, +- {U64, U32, {0xfffffffe, 0x100000000}, {0x80000000, 0x80000000}}, ++ {U64, U32, {0xfffffffe, 0x300000000}, {0x80000000, 0x80000000}}, + + {U64, S32, {0, 0xffffffff00000000ULL}, {0, 0}}, + /* these are tricky cases where lower 32 bits allow to tighten 64 +-- +2.51.0 + diff --git a/queue-6.18/series b/queue-6.18/series index d6761be1a9..2d139d363e 100644 --- a/queue-6.18/series +++ b/queue-6.18/series @@ -309,3 +309,4 @@ ata-libata-eh-fix-detection-of-deferred-qc-timeouts.patch selftest-arm64-fix-sve2p1_sigill-to-hwcap-test.patch tracing-add-null-pointer-check-to-trigger_data_free.patch bpf-collect-only-live-registers-in-linked-regs.patch +selftests-bpf-avoid-simplification-of-crafted-bounds.patch diff --git a/queue-6.19/selftests-bpf-avoid-simplification-of-crafted-bounds.patch b/queue-6.19/selftests-bpf-avoid-simplification-of-crafted-bounds.patch new file mode 100644 index 0000000000..1d4622b8c1 --- /dev/null +++ b/queue-6.19/selftests-bpf-avoid-simplification-of-crafted-bounds.patch 
@@ -0,0 +1,67 @@ +From 927ee50955eb76e511a2a7b940051d4960ba3e5b Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 27 Feb 2026 22:42:45 +0100 +Subject: selftests/bpf: Avoid simplification of crafted bounds test + +From: Paul Chaignon + +[ Upstream commit 024cea2d647ed8ab942f19544b892d324dba42b4 ] + +The reg_bounds_crafted tests validate the verifier's range analysis +logic. They focus on the actual ranges and thus ignore the tnum. As a +consequence, they carry the assumption that the tested cases can be +reproduced in userspace without using the tnum information. + +Unfortunately, the previous change the refinement logic breaks that +assumption for one test case: + + (u64)2147483648 (u32) [4294967294; 0x100000000] + +The tested bytecode is shown below. Without our previous improvement, on +the false branch of the condition, R7 is only known to have u64 range +[0xfffffffe; 0x100000000]. With our improvement, and using the tnum +information, we can deduce that R7 equals 0x100000000. + + 19: (bc) w0 = w6 ; R6=0x80000000 + 20: (bc) w0 = w7 ; R7=scalar(smin=umin=0xfffffffe,smax=umax=0x100000000,smin32=-2,smax32=0,var_off=(0x0; 0x1ffffffff)) + 21: (be) if w6 <= w7 goto pc+3 ; R6=0x80000000 R7=0x100000000 + +R7's tnum is (0; 0x1ffffffff). On the false branch, regs_refine_cond_op +refines R7's u32 range to [0; 0x7fffffff]. Then, __reg32_deduce_bounds +refines the s32 range to 0 using u32 and finally also sets u32=0. +From this, __reg_bound_offset improves the tnum to (0; 0x100000000). +Finally, our previous patch uses this new tnum to deduce that it only +intersect with u64=[0xfffffffe; 0x100000000] in a single value: +0x100000000. + +Because the verifier uses the tnum to reach this constant value, the +selftest is unable to reproduce it by only simulating ranges. The +solution implemented in this patch is to change the test case such that +there is more than one overlap value between u64 and the tnum. The max. 
+u64 value is thus changed from 0x100000000 to 0x300000000. + +Acked-by: Eduard Zingerman +Signed-off-by: Paul Chaignon +Link: https://lore.kernel.org/r/50641c6a7ef39520595dcafa605692427c1006ec.1772225741.git.paul.chaignon@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Sasha Levin +--- + tools/testing/selftests/bpf/prog_tests/reg_bounds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c +index d93a0c7b1786f..0322f817d07be 100644 +--- a/tools/testing/selftests/bpf/prog_tests/reg_bounds.c ++++ b/tools/testing/selftests/bpf/prog_tests/reg_bounds.c +@@ -2091,7 +2091,7 @@ static struct subtest_case crafted_cases[] = { + {U64, S64, {0, 0xffffffffULL}, {0x7fffffff, 0x7fffffff}}, + + {U64, U32, {0, 0x100000000}, {0, 0}}, +- {U64, U32, {0xfffffffe, 0x100000000}, {0x80000000, 0x80000000}}, ++ {U64, U32, {0xfffffffe, 0x300000000}, {0x80000000, 0x80000000}}, + + {U64, S32, {0, 0xffffffff00000000ULL}, {0, 0}}, + /* these are tricky cases where lower 32 bits allow to tighten 64 +-- +2.51.0 + diff --git a/queue-6.19/series b/queue-6.19/series index 03106000ef..51247d51dc 100644 --- a/queue-6.19/series +++ b/queue-6.19/series @@ -308,3 +308,4 @@ ata-libata-eh-fix-detection-of-deferred-qc-timeouts.patch selftest-arm64-fix-sve2p1_sigill-to-hwcap-test.patch tracing-add-null-pointer-check-to-trigger_data_free.patch bpf-collect-only-live-registers-in-linked-regs.patch +selftests-bpf-avoid-simplification-of-crafted-bounds.patch
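Review bot: the backported commit message in both new queue files describes this test change as a follow-up to a verifier change ("our previous improvement" to the refinement logic, which uses the tnum to collapse R7 to 0x100000000), but the visible tail of queue-6.18/series and queue-6.19/series lists only bpf-collect-only-live-registers-in-linked-regs.patch ahead of it, not that refinement patch. Please confirm the prerequisite verifier commit is queued earlier in both series, or, if it is intentionally not being backported, state that in the queue commit: the widened bound (0xfffffffe..0x300000000) still passes on a tree without the refinement change, so the selftest edit is harmless either way, but a reader should not have to guess which case applies. A minor style point on the reg_bounds.c hunk: the new literal 0x300000000 carries no ULL suffix while the neighbouring U64/S64 entry spells 0xffffffffULL; it matches the 0x100000000 entry it replaces, so no change is needed for the stable backport.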