From: Sasha Levin <sashal@kernel.org>
Date: Fri, 29 Sep 2023 00:50:05 +0000 (-0400)
Subject: Drop bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
X-Git-Tag: v6.5.6~81
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ab0d44ac9d03ea99edcaf434d7aaeccfea8600ec;p=thirdparty%2Fkernel%2Fstable-queue.git

Drop bpf-fix-issue-in-verifying-allow_ptr_leaks.patch

Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/queue-5.10/bpf-fix-issue-in-verifying-allow_ptr_leaks.patch b/queue-5.10/bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
deleted file mode 100644
index 8589d7e236e..00000000000
--- a/queue-5.10/bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 80ab7ec37d80ac93467aa9fadb8912c2d15155b5 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 23 Aug 2023 02:07:02 +0000
-Subject: bpf: Fix issue in verifying allow_ptr_leaks
-
-From: Yafang Shao <laoar.shao@gmail.com>
-
-[ Upstream commit d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 ]
-
-After we converted the capabilities of our networking-bpf program from
-cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
-failed to start. Because it failed the bpf verifier, and the error log
-is "R3 pointer comparison prohibited".
-
-A simple reproducer as follows,
-
-SEC("cls-ingress")
-int ingress(struct __sk_buff *skb)
-{
-	struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
-
-	if ((long)(iph + 1) > (long)skb->data_end)
-		return TC_ACT_STOLEN;
-	return TC_ACT_OK;
-}
-
-Per discussion with Yonghong and Alexei [1], comparison of two packet
-pointers is not a pointer leak. This patch fixes it.
-
-Our local kernel is 6.1.y and we expect this fix to be backported to
-6.1.y, so stable is CCed.
-
-[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/
-
-Suggested-by: Yonghong Song <yonghong.song@linux.dev>
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
-Acked-by: Eduard Zingerman <eddyz87@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230823020703.3790-2-laoar.shao@gmail.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/bpf/verifier.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 8f1e43df8c5fa..3fb6f6e4857a0 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -8178,6 +8178,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- 		return -EINVAL;
- 	}
- 
-+	/* check src2 operand */
-+	err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-+	if (err)
-+		return err;
-+
-+	dst_reg = &regs[insn->dst_reg];
- 	if (BPF_SRC(insn->code) == BPF_X) {
- 		if (insn->imm != 0) {
- 			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -8189,12 +8195,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- 		if (err)
- 			return err;
- 
--		if (is_pointer_value(env, insn->src_reg)) {
-+		src_reg = &regs[insn->src_reg];
-+		if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
-+		    is_pointer_value(env, insn->src_reg)) {
- 			verbose(env, "R%d pointer comparison prohibited\n",
- 				insn->src_reg);
- 			return -EACCES;
- 		}
--		src_reg = &regs[insn->src_reg];
- 	} else {
- 		if (insn->src_reg != BPF_REG_0) {
- 			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -8202,12 +8209,6 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- 		}
- 	}
- 
--	/* check src2 operand */
--	err = check_reg_arg(env, insn->dst_reg, SRC_OP);
--	if (err)
--		return err;
--
--	dst_reg = &regs[insn->dst_reg];
- 	is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
- 
- 	if (BPF_SRC(insn->code) == BPF_K) {
--- 
-2.40.1
-
diff --git a/queue-5.10/series b/queue-5.10/series
index bfe6d3c2542..59587783431 100644
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -76,7 +76,6 @@ media-venus-core-add-differentiator-is_v6-core.patch
 media-venus-hfi-add-a-6xx-boot-logic.patch
 media-venus-hfi_venus-write-to-vidc_ctrl_init-after-.patch
 arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory.patch
-bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
 netfilter-use-actual-socket-sk-for-reject-action.patch
 netfilter-nft_exthdr-support-sctp-chunks.patch
 netfilter-nf_tables-add-and-use-nft_sk-helper.patch
diff --git a/queue-5.15/bpf-fix-issue-in-verifying-allow_ptr_leaks.patch b/queue-5.15/bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
deleted file mode 100644
index 91edf8df1c4..00000000000
--- a/queue-5.15/bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 686d9331b840b73d7bb5dba2bd6ff27b65390309 Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 23 Aug 2023 02:07:02 +0000
-Subject: bpf: Fix issue in verifying allow_ptr_leaks
-
-From: Yafang Shao <laoar.shao@gmail.com>
-
-[ Upstream commit d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 ]
-
-After we converted the capabilities of our networking-bpf program from
-cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
-failed to start. Because it failed the bpf verifier, and the error log
-is "R3 pointer comparison prohibited".
-
-A simple reproducer as follows,
-
-SEC("cls-ingress")
-int ingress(struct __sk_buff *skb)
-{
-	struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
-
-	if ((long)(iph + 1) > (long)skb->data_end)
-		return TC_ACT_STOLEN;
-	return TC_ACT_OK;
-}
-
-Per discussion with Yonghong and Alexei [1], comparison of two packet
-pointers is not a pointer leak. This patch fixes it.
-
-Our local kernel is 6.1.y and we expect this fix to be backported to
-6.1.y, so stable is CCed.
-
-[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/
-
-Suggested-by: Yonghong Song <yonghong.song@linux.dev>
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
-Acked-by: Eduard Zingerman <eddyz87@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230823020703.3790-2-laoar.shao@gmail.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/bpf/verifier.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index ecf4332ff312f..41327deb8cbb0 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -9193,6 +9193,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- 		return -EINVAL;
- 	}
- 
-+	/* check src2 operand */
-+	err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-+	if (err)
-+		return err;
-+
-+	dst_reg = &regs[insn->dst_reg];
- 	if (BPF_SRC(insn->code) == BPF_X) {
- 		if (insn->imm != 0) {
- 			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -9204,12 +9210,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- 		if (err)
- 			return err;
- 
--		if (is_pointer_value(env, insn->src_reg)) {
-+		src_reg = &regs[insn->src_reg];
-+		if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
-+		    is_pointer_value(env, insn->src_reg)) {
- 			verbose(env, "R%d pointer comparison prohibited\n",
- 				insn->src_reg);
- 			return -EACCES;
- 		}
--		src_reg = &regs[insn->src_reg];
- 	} else {
- 		if (insn->src_reg != BPF_REG_0) {
- 			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -9217,12 +9224,6 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- 		}
- 	}
- 
--	/* check src2 operand */
--	err = check_reg_arg(env, insn->dst_reg, SRC_OP);
--	if (err)
--		return err;
--
--	dst_reg = &regs[insn->dst_reg];
- 	is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
- 
- 	if (BPF_SRC(insn->code) == BPF_K) {
--- 
-2.40.1
-
diff --git a/queue-5.15/series b/queue-5.15/series
index 75b48de1f19..4e64369f465 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -80,7 +80,6 @@ input-i8042-add-quirk-for-tuxedo-gemini-17-gen1-clev.patch
 perf-jevents-switch-build-to-use-jevents.py.patch
 perf-build-update-build-rule-for-generated-files.patch
 arm64-dts-qcom-sdm845-db845c-mark-cont-splash-memory.patch
-bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
 netfilter-exthdr-add-support-for-tcp-option-removal.patch
 netfilter-nft_exthdr-fix-non-linear-header-modificat.patch
 ata-libata-rename-link-flag-ata_lflag_no_db_delay.patch
diff --git a/queue-5.4/bpf-fix-issue-in-verifying-allow_ptr_leaks.patch b/queue-5.4/bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
deleted file mode 100644
index 5977a87308c..00000000000
--- a/queue-5.4/bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
+++ /dev/null
@@ -1,95 +0,0 @@
-From 363e575ead0d6ffb20739c373b2c406be5deccbe Mon Sep 17 00:00:00 2001
-From: Sasha Levin <sashal@kernel.org>
-Date: Wed, 23 Aug 2023 02:07:02 +0000
-Subject: bpf: Fix issue in verifying allow_ptr_leaks
-
-From: Yafang Shao <laoar.shao@gmail.com>
-
-[ Upstream commit d75e30dddf73449bc2d10bb8e2f1a2c446bc67a2 ]
-
-After we converted the capabilities of our networking-bpf program from
-cap_sys_admin to cap_net_admin+cap_bpf, our networking-bpf program
-failed to start. Because it failed the bpf verifier, and the error log
-is "R3 pointer comparison prohibited".
-
-A simple reproducer as follows,
-
-SEC("cls-ingress")
-int ingress(struct __sk_buff *skb)
-{
-	struct iphdr *iph = (void *)(long)skb->data + sizeof(struct ethhdr);
-
-	if ((long)(iph + 1) > (long)skb->data_end)
-		return TC_ACT_STOLEN;
-	return TC_ACT_OK;
-}
-
-Per discussion with Yonghong and Alexei [1], comparison of two packet
-pointers is not a pointer leak. This patch fixes it.
-
-Our local kernel is 6.1.y and we expect this fix to be backported to
-6.1.y, so stable is CCed.
-
-[1]. https://lore.kernel.org/bpf/CAADnVQ+Nmspr7Si+pxWn8zkE7hX-7s93ugwC+94aXSy4uQ9vBg@mail.gmail.com/
-
-Suggested-by: Yonghong Song <yonghong.song@linux.dev>
-Suggested-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
-Signed-off-by: Yafang Shao <laoar.shao@gmail.com>
-Acked-by: Eduard Zingerman <eddyz87@gmail.com>
-Cc: stable@vger.kernel.org
-Link: https://lore.kernel.org/r/20230823020703.3790-2-laoar.shao@gmail.com
-Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-Signed-off-by: Sasha Levin <sashal@kernel.org>
----
- kernel/bpf/verifier.c | 17 +++++++++--------
- 1 file changed, 9 insertions(+), 8 deletions(-)
-
-diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
-index 530664693ac48..0676cf0d5d91d 100644
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -6113,6 +6113,12 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- 		return -EINVAL;
- 	}
- 
-+	/* check src2 operand */
-+	err = check_reg_arg(env, insn->dst_reg, SRC_OP);
-+	if (err)
-+		return err;
-+
-+	dst_reg = &regs[insn->dst_reg];
- 	if (BPF_SRC(insn->code) == BPF_X) {
- 		if (insn->imm != 0) {
- 			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -6124,12 +6130,13 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- 		if (err)
- 			return err;
- 
--		if (is_pointer_value(env, insn->src_reg)) {
-+		src_reg = &regs[insn->src_reg];
-+		if (!(reg_is_pkt_pointer_any(dst_reg) && reg_is_pkt_pointer_any(src_reg)) &&
-+		    is_pointer_value(env, insn->src_reg)) {
- 			verbose(env, "R%d pointer comparison prohibited\n",
- 				insn->src_reg);
- 			return -EACCES;
- 		}
--		src_reg = &regs[insn->src_reg];
- 	} else {
- 		if (insn->src_reg != BPF_REG_0) {
- 			verbose(env, "BPF_JMP/JMP32 uses reserved fields\n");
-@@ -6137,12 +6144,6 @@ static int check_cond_jmp_op(struct bpf_verifier_env *env,
- 		}
- 	}
- 
--	/* check src2 operand */
--	err = check_reg_arg(env, insn->dst_reg, SRC_OP);
--	if (err)
--		return err;
--
--	dst_reg = &regs[insn->dst_reg];
- 	is_jmp32 = BPF_CLASS(insn->code) == BPF_JMP32;
- 
- 	if (BPF_SRC(insn->code) == BPF_K)
--- 
-2.40.1
-
diff --git a/queue-5.4/series b/queue-5.4/series
index 67654ee2c9d..59453272a28 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -38,7 +38,6 @@ perf-build-update-build-rule-for-generated-files.patch
 clk-imx-clk-pll14xx-make-two-variables-static.patch
 clk-imx-pll14xx-add-new-frequency-entries-for-pll144.patch
 clk-imx-pll14xx-dynamically-configure-pll-for-393216.patch
-bpf-fix-issue-in-verifying-allow_ptr_leaks.patch
 drm-amd-display-reinstate-lfc-optimization.patch
 drm-amd-display-fix-lfc-multiplier-changing-erratica.patch
 drm-amd-display-prevent-potential-division-by-zero-e.patch