From 624b588b6555bbfca619e717b26e26155f4c83be Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 3 Aug 2022 17:24:48 +0200 Subject: [PATCH] 5.4-stable patches added patches: bpf-test_verifier-70-error-message-updates-for-32-bit-right-shift.patch bpf-verifer-adjust_scalar_min_max_vals-to-always-call-update_reg_bounds.patch selftests-bpf-extend-verifier-and-bpf_sock-tests-for-dst_port-loads.patch selftests-bpf-fix-dubious-pointer-arithmetic-test.patch selftests-bpf-fix-test_align-verifier-log-patterns.patch --- ...ssage-updates-for-32-bit-right-shift.patch | 153 +++++++++++++++++ ...als-to-always-call-update_reg_bounds.patch | 52 ++++++ ...nd-bpf_sock-tests-for-dst_port-loads.patch | 147 ++++++++++++++++ ...-fix-dubious-pointer-arithmetic-test.patch | 50 ++++++ ...fix-test_align-verifier-log-patterns.patch | 158 ++++++++++++++++++ queue-5.4/series | 5 + 6 files changed, 565 insertions(+) create mode 100644 queue-5.4/bpf-test_verifier-70-error-message-updates-for-32-bit-right-shift.patch create mode 100644 queue-5.4/bpf-verifer-adjust_scalar_min_max_vals-to-always-call-update_reg_bounds.patch create mode 100644 queue-5.4/selftests-bpf-extend-verifier-and-bpf_sock-tests-for-dst_port-loads.patch create mode 100644 queue-5.4/selftests-bpf-fix-dubious-pointer-arithmetic-test.patch create mode 100644 queue-5.4/selftests-bpf-fix-test_align-verifier-log-patterns.patch diff --git a/queue-5.4/bpf-test_verifier-70-error-message-updates-for-32-bit-right-shift.patch b/queue-5.4/bpf-test_verifier-70-error-message-updates-for-32-bit-right-shift.patch new file mode 100644 index 00000000000..dc0b7c34b37 --- /dev/null +++ b/queue-5.4/bpf-test_verifier-70-error-message-updates-for-32-bit-right-shift.patch @@ -0,0 +1,153 @@ +From foo@baz Wed Aug 3 05:24:03 PM CEST 2022 +From: Ovidiu Panait +Date: Wed, 3 Aug 2022 17:50:03 +0300 +Subject: bpf: Test_verifier, #70 error message updates for 32-bit right shift +To: stable@vger.kernel.org +Cc: John Fastabend , Alexei Starovoitov , Ovidiu Panait +Message-ID: <20220803145005.2385039-4-ovidiu.panait@windriver.com> + +From: John Fastabend + +commit aa131ed44ae1d76637f0dbec33cfcf9115af9bc3 upstream. + +After changes to add update_reg_bounds after ALU ops and adding ALU32 +bounds tracking the error message is changed in the 32-bit right shift +tests. + +Test "#70/u bounds check after 32-bit right shift with 64-bit input FAIL" +now fails with, + +Unexpected error message! + EXP: R0 invalid mem access + RES: func#0 @0 + +7: (b7) r1 = 2 +8: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP2 R10=fp0 fp-8_w=mmmmmmmm +8: (67) r1 <<= 31 +9: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP4294967296 R10=fp0 fp-8_w=mmmmmmmm +9: (74) w1 >>= 31 +10: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP0 R10=fp0 fp-8_w=mmmmmmmm +10: (14) w1 -= 2 +11: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=invP4294967294 R10=fp0 fp-8_w=mmmmmmmm +11: (0f) r0 += r1 +math between map_value pointer and 4294967294 is not allowed + +And test "#70/p bounds check after 32-bit right shift with 64-bit input +FAIL" now fails with, + +Unexpected error message! + EXP: R0 invalid mem access + RES: func#0 @0 + +7: (b7) r1 = 2 +8: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv2 R10=fp0 fp-8_w=mmmmmmmm +8: (67) r1 <<= 31 +9: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv4294967296 R10=fp0 fp-8_w=mmmmmmmm +9: (74) w1 >>= 31 +10: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv0 R10=fp0 fp-8_w=mmmmmmmm +10: (14) w1 -= 2 +11: R0_w=map_value(id=0,off=0,ks=8,vs=8,imm=0) R1_w=inv4294967294 R10=fp0 fp-8_w=mmmmmmmm +11: (0f) r0 += r1 +last_idx 11 first_idx 0 +regs=2 stack=0 before 10: (14) w1 -= 2 +regs=2 stack=0 before 9: (74) w1 >>= 31 +regs=2 stack=0 before 8: (67) r1 <<= 31 +regs=2 stack=0 before 7: (b7) r1 = 2 +math between map_value pointer and 4294967294 is not allowed + +Before this series we did not trip the "math between map_value pointer..." +error because check_reg_sane_offset is never called in +adjust_ptr_min_max_vals(). Instead we have a register state that looks +like this at line 11*, + +11: R0_w=map_value(id=0,off=0,ks=8,vs=8, + smin_value=0,smax_value=0, + umin_value=0,umax_value=0, + var_off=(0x0; 0x0)) + R1_w=invP(id=0, + smin_value=0,smax_value=4294967295, + umin_value=0,umax_value=4294967295, + var_off=(0xfffffffe; 0x0)) + R10=fp(id=0,off=0, + smin_value=0,smax_value=0, + umin_value=0,umax_value=0, + var_off=(0x0; 0x0)) fp-8_w=mmmmmmmm +11: (0f) r0 += r1 + +In R1 'smin_val != smax_val' yet we have a tnum_const as seen +by 'var_off(0xfffffffe; 0x0))' with a 0x0 mask. So we hit this check +in adjust_ptr_min_max_vals() + + if ((known && (smin_val != smax_val || umin_val != umax_val)) || + smin_val > smax_val || umin_val > umax_val) { + /* Taint dst register if offset had invalid bounds derived from + * e.g. dead branches. + */ + __mark_reg_unknown(env, dst_reg); + return 0; + } + +So we don't throw an error here and instead only throw an error +later in the verification when the memory access is made. + +The root cause in verifier without alu32 bounds tracking is having +'umin_value = 0' and 'umax_value = U64_MAX' from BPF_SUB which we set +when 'umin_value < umax_val' here, + + if (dst_reg->umin_value < umax_val) { + /* Overflow possible, we know nothing */ + dst_reg->umin_value = 0; + dst_reg->umax_value = U64_MAX; + } else { ...} + +Later in adjust_calar_min_max_vals we previously did a +coerce_reg_to_size() which will clamp the U64_MAX to U32_MAX by +truncating to 32bits. But either way without a call to update_reg_bounds +the less precise bounds tracking will fall out of the alu op +verification. + +After latest changes we now exit adjust_scalar_min_max_vals with the +more precise umin value, due to zero extension propogating bounds from +alu32 bounds into alu64 bounds and then calling update_reg_bounds. +This then causes the verifier to trigger an earlier error and we get +the error in the output above. + +This patch updates tests to reflect new error message. + +* I have a local patch to print entire verifier state regardless if we + believe it is a constant so we can get a full picture of the state. + Usually if tnum_is_const() then bounds are also smin=smax, etc. but + this is not always true and is a bit subtle. Being able to see these + states helps understand dataflow imo. Let me know if we want something + similar upstream. + +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/158507161475.15666.3061518385241144063.stgit@john-Precision-5820-Tower +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/verifier/bounds.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/bpf/verifier/bounds.c ++++ b/tools/testing/selftests/bpf/verifier/bounds.c +@@ -411,16 +411,14 @@ + BPF_ALU32_IMM(BPF_RSH, BPF_REG_1, 31), + /* r1 = 0xffff'fffe (NOT 0!) */ + BPF_ALU32_IMM(BPF_SUB, BPF_REG_1, 2), +- /* computes OOB pointer */ ++ /* error on computing OOB pointer */ + BPF_ALU64_REG(BPF_ADD, BPF_REG_0, BPF_REG_1), +- /* OOB access */ +- BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, 0), + /* exit */ + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, + .fixup_map_hash_8b = { 3 }, +- .errstr = "R0 invalid mem access", ++ .errstr = "math between map_value pointer and 4294967294 is not allowed", + .result = REJECT, + }, + { diff --git a/queue-5.4/bpf-verifer-adjust_scalar_min_max_vals-to-always-call-update_reg_bounds.patch b/queue-5.4/bpf-verifer-adjust_scalar_min_max_vals-to-always-call-update_reg_bounds.patch new file mode 100644 index 00000000000..660ff34bc77 --- /dev/null +++ b/queue-5.4/bpf-verifer-adjust_scalar_min_max_vals-to-always-call-update_reg_bounds.patch @@ -0,0 +1,52 @@ +From foo@baz Wed Aug 3 05:24:03 PM CEST 2022 +From: Ovidiu Panait +Date: Wed, 3 Aug 2022 17:50:01 +0300 +Subject: bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() +To: stable@vger.kernel.org +Cc: John Fastabend , Alexei Starovoitov , Ovidiu Panait +Message-ID: <20220803145005.2385039-2-ovidiu.panait@windriver.com> + +From: John Fastabend + +commit 294f2fc6da27620a506e6c050241655459ccd6bd upstream. + +Currently, for all op verification we call __red_deduce_bounds() and +__red_bound_offset() but we only call __update_reg_bounds() in bitwise +ops. However, we could benefit from calling __update_reg_bounds() in +BPF_ADD, BPF_SUB, and BPF_MUL cases as well. + +For example, a register with state 'R1_w=invP0' when we subtract from +it, + + w1 -= 2 + +Before coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX +and unsigned bounds umin_value=0, umax_value=U64_MAX. These will then +be clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op +as done in above example. However tnum will be a constant because the +ALU op is done on a constant. + +Without update_reg_bounds() we have a scenario where tnum is a const +but our unsigned bounds do not reflect this. By calling update_reg_bounds +after coerce to 32bit we further refine the umin_value to U64_MAX in the +alu64 case or U32_MAX in the alu32 case above. + +Signed-off-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Link: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -5083,6 +5083,7 @@ static int adjust_scalar_min_max_vals(st + coerce_reg_to_size(dst_reg, 4); + } + ++ __update_reg_bounds(dst_reg); + __reg_deduce_bounds(dst_reg); + __reg_bound_offset(dst_reg); + return 0; diff --git a/queue-5.4/selftests-bpf-extend-verifier-and-bpf_sock-tests-for-dst_port-loads.patch b/queue-5.4/selftests-bpf-extend-verifier-and-bpf_sock-tests-for-dst_port-loads.patch new file mode 100644 index 00000000000..6e3e2ceab6f --- /dev/null +++ b/queue-5.4/selftests-bpf-extend-verifier-and-bpf_sock-tests-for-dst_port-loads.patch @@ -0,0 +1,147 @@ +From foo@baz Wed Aug 3 05:24:03 PM CEST 2022 +From: Ovidiu Panait +Date: Wed, 3 Aug 2022 17:50:02 +0300 +Subject: selftests/bpf: Extend verifier and bpf_sock tests for dst_port loads +To: stable@vger.kernel.org +Cc: Jakub Sitnicki , Alexei Starovoitov , Ovidiu Panait +Message-ID: <20220803145005.2385039-3-ovidiu.panait@windriver.com> + +From: Jakub Sitnicki + +commit 8f50f16ff39dd4e2d43d1548ca66925652f8aff7 upstream. + +Add coverage to the verifier tests and tests for reading bpf_sock fields to +ensure that 32-bit, 16-bit, and 8-bit loads from dst_port field are allowed +only at intended offsets and produce expected values. + +While 16-bit and 8-bit access to dst_port field is straight-forward, 32-bit +wide loads need be allowed and produce a zero-padded 16-bit value for +backward compatibility. + +Signed-off-by: Jakub Sitnicki +Link: https://lore.kernel.org/r/20220130115518.213259-3-jakub@cloudflare.com +Signed-off-by: Alexei Starovoitov +[OP: backport to 5.4: cherry-pick verifier changes only] +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + tools/include/uapi/linux/bpf.h | 3 - + tools/testing/selftests/bpf/verifier/sock.c | 81 ++++++++++++++++++++++++++-- + 2 files changed, 80 insertions(+), 4 deletions(-) + +--- a/tools/include/uapi/linux/bpf.h ++++ b/tools/include/uapi/linux/bpf.h +@@ -3068,7 +3068,8 @@ struct bpf_sock { + __u32 src_ip4; + __u32 src_ip6[4]; + __u32 src_port; /* host byte order */ +- __u32 dst_port; /* network byte order */ ++ __be16 dst_port; /* network byte order */ ++ __u16 :16; /* zero padding */ + __u32 dst_ip4; + __u32 dst_ip6[4]; + __u32 state; +--- a/tools/testing/selftests/bpf/verifier/sock.c ++++ b/tools/testing/selftests/bpf/verifier/sock.c +@@ -121,7 +121,25 @@ + .result = ACCEPT, + }, + { +- "sk_fullsock(skb->sk): sk->dst_port [narrow load]", ++ "sk_fullsock(skb->sk): sk->dst_port [word load] (backward compatibility)", ++ .insns = { ++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port)), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, ++ .result = ACCEPT, ++}, ++{ ++ "sk_fullsock(skb->sk): sk->dst_port [half load]", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), +@@ -139,7 +157,64 @@ + .result = ACCEPT, + }, + { +- "sk_fullsock(skb->sk): sk->dst_port [load 2nd byte]", ++ "sk_fullsock(skb->sk): sk->dst_port [half load] (invalid)", ++ .insns = { ++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, ++ .result = REJECT, ++ .errstr = "invalid sock access", ++}, ++{ ++ "sk_fullsock(skb->sk): sk->dst_port [byte load]", ++ .insns = { ++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port)), ++ BPF_LDX_MEM(BPF_B, BPF_REG_2, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, ++ .result = ACCEPT, ++}, ++{ ++ "sk_fullsock(skb->sk): sk->dst_port [byte load] (invalid)", ++ .insns = { ++ BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ BPF_EMIT_CALL(BPF_FUNC_sk_fullsock), ++ BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 2), ++ BPF_MOV64_IMM(BPF_REG_0, 0), ++ BPF_EXIT_INSN(), ++ }, ++ .prog_type = BPF_PROG_TYPE_CGROUP_SKB, ++ .result = REJECT, ++ .errstr = "invalid sock access", ++}, ++{ ++ "sk_fullsock(skb->sk): past sk->dst_port [half load] (invalid)", + .insns = { + BPF_LDX_MEM(BPF_DW, BPF_REG_1, BPF_REG_1, offsetof(struct __sk_buff, sk)), + BPF_JMP_IMM(BPF_JNE, BPF_REG_1, 0, 2), +@@ -149,7 +224,7 @@ + BPF_JMP_IMM(BPF_JNE, BPF_REG_0, 0, 2), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), +- BPF_LDX_MEM(BPF_B, BPF_REG_0, BPF_REG_0, offsetof(struct bpf_sock, dst_port) + 1), ++ BPF_LDX_MEM(BPF_H, BPF_REG_0, BPF_REG_0, offsetofend(struct bpf_sock, dst_port)), + BPF_MOV64_IMM(BPF_REG_0, 0), + BPF_EXIT_INSN(), + }, diff --git a/queue-5.4/selftests-bpf-fix-dubious-pointer-arithmetic-test.patch b/queue-5.4/selftests-bpf-fix-dubious-pointer-arithmetic-test.patch new file mode 100644 index 00000000000..ffc8aaf2095 --- /dev/null +++ b/queue-5.4/selftests-bpf-fix-dubious-pointer-arithmetic-test.patch @@ -0,0 +1,50 @@ +From foo@baz Wed Aug 3 05:24:03 PM CEST 2022 +From: Ovidiu Panait +Date: Wed, 3 Aug 2022 17:50:05 +0300 +Subject: selftests/bpf: Fix "dubious pointer arithmetic" test +To: stable@vger.kernel.org +Cc: Jean-Philippe Brucker , John Fastabend , Alexei Starovoitov , Ovidiu Panait +Message-ID: <20220803145005.2385039-6-ovidiu.panait@windriver.com> + +From: Jean-Philippe Brucker + +commit 3615bdf6d9b19db12b1589861609b4f1c6a8d303 upstream. + +The verifier trace changed following a bugfix. After checking the 64-bit +sign, only the upper bit mask is known, not bit 31. Update the test +accordingly. + +Signed-off-by: Jean-Philippe Brucker +Acked-by: John Fastabend +Signed-off-by: Alexei Starovoitov +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_align.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/tools/testing/selftests/bpf/test_align.c ++++ b/tools/testing/selftests/bpf/test_align.c +@@ -475,10 +475,10 @@ static struct bpf_align_test tests[] = { + */ + {7, "R5_w=inv(id=0,smin_value=-9223372036854775806,smax_value=9223372036854775806,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"}, + /* Checked s>=0 */ +- {9, "R5=inv(id=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, ++ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"}, + /* packet pointer + nonnegative (4n+2) */ +- {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, +- {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, ++ {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"}, ++ {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"}, + /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine. + * We checked the bounds, but it might have been able + * to overflow if the packet pointer started in the +@@ -486,7 +486,7 @@ static struct bpf_align_test tests[] = { + * So we did not get a 'range' on R6, and the access + * attempt will fail. + */ +- {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, ++ {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc)"}, + } + }, + { diff --git a/queue-5.4/selftests-bpf-fix-test_align-verifier-log-patterns.patch b/queue-5.4/selftests-bpf-fix-test_align-verifier-log-patterns.patch new file mode 100644 index 00000000000..e1a26e9f3b7 --- /dev/null +++ b/queue-5.4/selftests-bpf-fix-test_align-verifier-log-patterns.patch @@ -0,0 +1,158 @@ +From foo@baz Wed Aug 3 05:24:03 PM CEST 2022 +From: Ovidiu Panait +Date: Wed, 3 Aug 2022 17:50:04 +0300 +Subject: selftests/bpf: Fix test_align verifier log patterns +To: stable@vger.kernel.org +Cc: Stanislav Fomichev , Daniel Borkmann , Ovidiu Panait +Message-ID: <20220803145005.2385039-5-ovidiu.panait@windriver.com> + +From: Stanislav Fomichev + +commit 5366d2269139ba8eb6a906d73a0819947e3e4e0a upstream. + +Commit 294f2fc6da27 ("bpf: Verifer, adjust_scalar_min_max_vals to always +call update_reg_bounds()") changed the way verifier logs some of its state, +adjust the test_align accordingly. Where possible, I tried to not copy-paste +the entire log line and resorted to dropping the last closing brace instead. + +Fixes: 294f2fc6da27 ("bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()") +Signed-off-by: Stanislav Fomichev +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20200515194904.229296-1-sdf@google.com +Signed-off-by: Ovidiu Panait +Signed-off-by: Greg Kroah-Hartman +--- + tools/testing/selftests/bpf/test_align.c | 41 +++++++++++++++---------------- + 1 file changed, 21 insertions(+), 20 deletions(-) + +--- a/tools/testing/selftests/bpf/test_align.c ++++ b/tools/testing/selftests/bpf/test_align.c +@@ -359,15 +359,15 @@ static struct bpf_align_test tests[] = { + * is still (4n), fixed offset is not changed. + * Also, we create a new reg->id. + */ +- {29, "R5_w=pkt(id=4,off=18,r=0,umax_value=2040,var_off=(0x0; 0x7fc))"}, ++ {29, "R5_w=pkt(id=4,off=18,r=0,umax_value=2040,var_off=(0x0; 0x7fc)"}, + /* At the time the word size load is performed from R5, + * its total fixed offset is NET_IP_ALIGN + reg->off (18) + * which is 20. Then the variable offset is (4n), so + * the total offset is 4-byte aligned and meets the + * load's requirements. + */ +- {33, "R4=pkt(id=4,off=22,r=22,umax_value=2040,var_off=(0x0; 0x7fc))"}, +- {33, "R5=pkt(id=4,off=18,r=22,umax_value=2040,var_off=(0x0; 0x7fc))"}, ++ {33, "R4=pkt(id=4,off=22,r=22,umax_value=2040,var_off=(0x0; 0x7fc)"}, ++ {33, "R5=pkt(id=4,off=18,r=22,umax_value=2040,var_off=(0x0; 0x7fc)"}, + }, + }, + { +@@ -410,15 +410,15 @@ static struct bpf_align_test tests[] = { + /* Adding 14 makes R6 be (4n+2) */ + {9, "R6_w=inv(id=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"}, + /* Packet pointer has (4n+2) offset */ +- {11, "R5_w=pkt(id=1,off=0,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"}, +- {13, "R4=pkt(id=1,off=4,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"}, ++ {11, "R5_w=pkt(id=1,off=0,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"}, ++ {13, "R4=pkt(id=1,off=4,r=0,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"}, + /* At the time the word size load is performed from R5, + * its total fixed offset is NET_IP_ALIGN + reg->off (0) + * which is 2. Then the variable offset is (4n+2), so + * the total offset is 4-byte aligned and meets the + * load's requirements. + */ +- {15, "R5=pkt(id=1,off=0,r=4,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc))"}, ++ {15, "R5=pkt(id=1,off=0,r=4,umin_value=14,umax_value=1034,var_off=(0x2; 0x7fc)"}, + /* Newly read value in R6 was shifted left by 2, so has + * known alignment of 4. + */ +@@ -426,15 +426,15 @@ static struct bpf_align_test tests[] = { + /* Added (4n) to packet pointer's (4n+2) var_off, giving + * another (4n+2). + */ +- {19, "R5_w=pkt(id=2,off=0,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"}, +- {21, "R4=pkt(id=2,off=4,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"}, ++ {19, "R5_w=pkt(id=2,off=0,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"}, ++ {21, "R4=pkt(id=2,off=4,r=0,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"}, + /* At the time the word size load is performed from R5, + * its total fixed offset is NET_IP_ALIGN + reg->off (0) + * which is 2. Then the variable offset is (4n+2), so + * the total offset is 4-byte aligned and meets the + * load's requirements. + */ +- {23, "R5=pkt(id=2,off=0,r=4,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc))"}, ++ {23, "R5=pkt(id=2,off=0,r=4,umin_value=14,umax_value=2054,var_off=(0x2; 0xffc)"}, + }, + }, + { +@@ -469,16 +469,16 @@ static struct bpf_align_test tests[] = { + .matches = { + {4, "R5_w=pkt_end(id=0,off=0,imm=0)"}, + /* (ptr - ptr) << 2 == unknown, (4n) */ +- {6, "R5_w=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"}, ++ {6, "R5_w=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc)"}, + /* (4n) + 14 == (4n+2). We blow our bounds, because + * the add could overflow. + */ +- {7, "R5_w=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"}, ++ {7, "R5_w=inv(id=0,smin_value=-9223372036854775806,smax_value=9223372036854775806,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"}, + /* Checked s>=0 */ +- {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, ++ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, + /* packet pointer + nonnegative (4n+2) */ +- {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, +- {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, ++ {11, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, ++ {13, "R4_w=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, + /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine. + * We checked the bounds, but it might have been able + * to overflow if the packet pointer started in the +@@ -486,7 +486,7 @@ static struct bpf_align_test tests[] = { + * So we did not get a 'range' on R6, and the access + * attempt will fail. + */ +- {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, ++ {15, "R6_w=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372034707292158,var_off=(0x2; 0x7fffffff7ffffffc)"}, + } + }, + { +@@ -528,7 +528,7 @@ static struct bpf_align_test tests[] = { + /* New unknown value in R7 is (4n) */ + {11, "R7_w=inv(id=0,umax_value=1020,var_off=(0x0; 0x3fc))"}, + /* Subtracting it from R6 blows our unsigned bounds */ +- {12, "R6=inv(id=0,smin_value=-1006,smax_value=1034,var_off=(0x2; 0xfffffffffffffffc))"}, ++ {12, "R6=inv(id=0,smin_value=-1006,smax_value=1034,umin_value=2,umax_value=18446744073709551614,var_off=(0x2; 0xfffffffffffffffc)"}, + /* Checked s>= 0 */ + {14, "R6=inv(id=0,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc))"}, + /* At the time the word size load is performed from R5, +@@ -537,7 +537,8 @@ static struct bpf_align_test tests[] = { + * the total offset is 4-byte aligned and meets the + * load's requirements. + */ +- {20, "R5=pkt(id=1,off=0,r=4,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc))"}, ++ {20, "R5=pkt(id=1,off=0,r=4,umin_value=2,umax_value=1034,var_off=(0x2; 0x7fc)"}, ++ + }, + }, + { +@@ -579,18 +580,18 @@ static struct bpf_align_test tests[] = { + /* Adding 14 makes R6 be (4n+2) */ + {11, "R6_w=inv(id=0,umin_value=14,umax_value=74,var_off=(0x2; 0x7c))"}, + /* Subtracting from packet pointer overflows ubounds */ +- {13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c))"}, ++ {13, "R5_w=pkt(id=1,off=0,r=8,umin_value=18446744073709551542,umax_value=18446744073709551602,var_off=(0xffffffffffffff82; 0x7c)"}, + /* New unknown value in R7 is (4n), >= 76 */ + {15, "R7_w=inv(id=0,umin_value=76,umax_value=1096,var_off=(0x0; 0x7fc))"}, + /* Adding it to packet pointer gives nice bounds again */ +- {16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"}, ++ {16, "R5_w=pkt(id=2,off=0,r=0,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"}, + /* At the time the word size load is performed from R5, + * its total fixed offset is NET_IP_ALIGN + reg->off (0) + * which is 2. Then the variable offset is (4n+2), so + * the total offset is 4-byte aligned and meets the + * load's requirements. + */ +- {20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0x7fc))"}, ++ {20, "R5=pkt(id=2,off=0,r=4,umin_value=2,umax_value=1082,var_off=(0x2; 0xfffffffc)"}, + }, + }, + }; diff --git a/queue-5.4/series b/queue-5.4/series index ef2ea49bce0..5ffab210253 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -2,3 +2,8 @@ thermal-fix-null-pointer-dereferences-in-of_thermal_-functions.patch acpi-video-force-backlight-native-for-some-tongfang-devices.patch acpi-video-shortening-quirk-list-by-identifying-clevo-by-board_name-only.patch acpi-apei-better-fix-to-avoid-spamming-the-console-with-old-error-logs.patch +bpf-verifer-adjust_scalar_min_max_vals-to-always-call-update_reg_bounds.patch +selftests-bpf-extend-verifier-and-bpf_sock-tests-for-dst_port-loads.patch +bpf-test_verifier-70-error-message-updates-for-32-bit-right-shift.patch +selftests-bpf-fix-test_align-verifier-log-patterns.patch +selftests-bpf-fix-dubious-pointer-arithmetic-test.patch -- 2.47.3