From 84d0873d014e69c3ddfb9d8763544909c4d7562c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 7 Apr 2020 16:44:36 +0200 Subject: [PATCH] drop bpf patch --- ...m-constraints-for-32-bit-comparisons.patch | 194 ------------------ ...m-constraints-for-32-bit-comparisons.patch | 194 ------------------ ...m-constraints-for-32-bit-comparisons.patch | 194 ------------------ 3 files changed, 582 deletions(-) delete mode 100644 queue-5.4/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch delete mode 100644 queue-5.5/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch delete mode 100644 queue-5.6/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch diff --git a/queue-5.4/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch b/queue-5.4/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch deleted file mode 100644 index ad54cae0050..00000000000 --- a/queue-5.4/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch +++ /dev/null @@ -1,194 +0,0 @@ -From dcefd3cdbe92aa760b07a36c5f80ea3e66bce517 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 30 Mar 2020 18:03:23 +0200 -Subject: bpf: Fix tnum constraints for 32-bit comparisons - -From: Jann Horn - -[ Upstream commit 604dca5e3af1db98bd123b7bfc02b017af99e3a0 ] - -The BPF verifier tried to track values based on 32-bit comparisons by -(ab)using the tnum state via 581738a681b6 ("bpf: Provide better register -bounds after jmp32 instructions"). The idea is that after a check like -this: - - if ((u32)r0 > 3) - exit - -We can't meaningfully constrain the arithmetic-range-based tracking, but -we can update the tnum state to (value=0,mask=0xffff'ffff'0000'0003). -However, the implementation from 581738a681b6 didn't compute the tnum -constraint based on the fixed operand, but instead derives it from the -arithmetic-range-based tracking. This means that after the following -sequence of operations: - - if (r0 >= 0x1'0000'0001) - exit - if ((u32)r0 > 7) - exit - -The verifier assumed that the lower half of r0 is in the range (0, 0) -and apply the tnum constraint (value=0,mask=0xffff'ffff'0000'0000) thus -causing the overall tnum to be (value=0,mask=0x1'0000'0000), which was -incorrect. Provide a fixed implementation. - -Fixes: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions") -Signed-off-by: Jann Horn -Signed-off-by: Daniel Borkmann -Signed-off-by: Alexei Starovoitov -Link: https://lore.kernel.org/bpf/20200330160324.15259-3-daniel@iogearbox.net -Signed-off-by: Sasha Levin ---- - kernel/bpf/verifier.c | 108 ++++++++++++++++++++++++++++-------------- - 1 file changed, 72 insertions(+), 36 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index a0b76b360d6f7..013780ef0bd7d 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -5325,6 +5325,70 @@ static bool cmp_val_with_extended_s64(s64 sval, struct bpf_reg_state *reg) - reg->smax_value <= 0 && reg->smin_value >= S32_MIN); - } - -+/* Constrain the possible values of @reg with unsigned upper bound @bound. -+ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive. -+ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits -+ * of @reg. -+ */ -+static void set_upper_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32, -+ bool is_exclusive) -+{ -+ if (is_exclusive) { -+ /* There are no values for `reg` that make `reg<0` true. */ -+ if (bound == 0) -+ return; -+ bound--; -+ } -+ if (is_jmp32) { -+ /* Constrain the register's value in the tnum representation. -+ * For 64-bit comparisons this happens later in -+ * __reg_bound_offset(), but for 32-bit comparisons, we can be -+ * more precise than what can be derived from the updated -+ * numeric bounds. -+ */ -+ struct tnum t = tnum_range(0, bound); -+ -+ t.mask |= ~0xffffffffULL; /* upper half is unknown */ -+ reg->var_off = tnum_intersect(reg->var_off, t); -+ -+ /* Compute the 64-bit bound from the 32-bit bound. */ -+ bound += gen_hi_max(reg->var_off); -+ } -+ reg->umax_value = min(reg->umax_value, bound); -+} -+ -+/* Constrain the possible values of @reg with unsigned lower bound @bound. -+ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive. -+ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits -+ * of @reg. -+ */ -+static void set_lower_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32, -+ bool is_exclusive) -+{ -+ if (is_exclusive) { -+ /* There are no values for `reg` that make `reg>MAX` true. */ -+ if (bound == (is_jmp32 ? U32_MAX : U64_MAX)) -+ return; -+ bound++; -+ } -+ if (is_jmp32) { -+ /* Constrain the register's value in the tnum representation. -+ * For 64-bit comparisons this happens later in -+ * __reg_bound_offset(), but for 32-bit comparisons, we can be -+ * more precise than what can be derived from the updated -+ * numeric bounds. -+ */ -+ struct tnum t = tnum_range(bound, U32_MAX); -+ -+ t.mask |= ~0xffffffffULL; /* upper half is unknown */ -+ reg->var_off = tnum_intersect(reg->var_off, t); -+ -+ /* Compute the 64-bit bound from the 32-bit bound. */ -+ bound += gen_hi_min(reg->var_off); -+ } -+ reg->umin_value = max(reg->umin_value, bound); -+} -+ - /* Adjusts the register min/max values in the case that the dst_reg is the - * variable register that we are working on, and src_reg is a constant or we're - * simply doing a BPF_K check. -@@ -5380,15 +5444,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, - case BPF_JGE: - case BPF_JGT: - { -- u64 false_umax = opcode == BPF_JGT ? val : val - 1; -- u64 true_umin = opcode == BPF_JGT ? val + 1 : val; -- -- if (is_jmp32) { -- false_umax += gen_hi_max(false_reg->var_off); -- true_umin += gen_hi_min(true_reg->var_off); -- } -- false_reg->umax_value = min(false_reg->umax_value, false_umax); -- true_reg->umin_value = max(true_reg->umin_value, true_umin); -+ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JGE); -+ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JGT); - break; - } - case BPF_JSGE: -@@ -5409,15 +5466,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, - case BPF_JLE: - case BPF_JLT: - { -- u64 false_umin = opcode == BPF_JLT ? val : val + 1; -- u64 true_umax = opcode == BPF_JLT ? val - 1 : val; -- -- if (is_jmp32) { -- false_umin += gen_hi_min(false_reg->var_off); -- true_umax += gen_hi_max(true_reg->var_off); -- } -- false_reg->umin_value = max(false_reg->umin_value, false_umin); -- true_reg->umax_value = min(true_reg->umax_value, true_umax); -+ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JLE); -+ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JLT); - break; - } - case BPF_JSLE: -@@ -5492,15 +5542,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, - case BPF_JGE: - case BPF_JGT: - { -- u64 false_umin = opcode == BPF_JGT ? val : val + 1; -- u64 true_umax = opcode == BPF_JGT ? val - 1 : val; -- -- if (is_jmp32) { -- false_umin += gen_hi_min(false_reg->var_off); -- true_umax += gen_hi_max(true_reg->var_off); -- } -- false_reg->umin_value = max(false_reg->umin_value, false_umin); -- true_reg->umax_value = min(true_reg->umax_value, true_umax); -+ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JGE); -+ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JGT); - break; - } - case BPF_JSGE: -@@ -5518,15 +5561,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, - case BPF_JLE: - case BPF_JLT: - { -- u64 false_umax = opcode == BPF_JLT ? val : val - 1; -- u64 true_umin = opcode == BPF_JLT ? val + 1 : val; -- -- if (is_jmp32) { -- false_umax += gen_hi_max(false_reg->var_off); -- true_umin += gen_hi_min(true_reg->var_off); -- } -- false_reg->umax_value = min(false_reg->umax_value, false_umax); -- true_reg->umin_value = max(true_reg->umin_value, true_umin); -+ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JLE); -+ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JLT); - break; - } - case BPF_JSLE: --- -2.20.1 - diff --git a/queue-5.5/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch b/queue-5.5/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch deleted file mode 100644 index 48f7a04a725..00000000000 --- a/queue-5.5/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch +++ /dev/null @@ -1,194 +0,0 @@ -From 77b98cb71e2201fd91bb38bec016956ea0966ec6 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 30 Mar 2020 18:03:23 +0200 -Subject: bpf: Fix tnum constraints for 32-bit comparisons - -From: Jann Horn - -[ Upstream commit 604dca5e3af1db98bd123b7bfc02b017af99e3a0 ] - -The BPF verifier tried to track values based on 32-bit comparisons by -(ab)using the tnum state via 581738a681b6 ("bpf: Provide better register -bounds after jmp32 instructions"). The idea is that after a check like -this: - - if ((u32)r0 > 3) - exit - -We can't meaningfully constrain the arithmetic-range-based tracking, but -we can update the tnum state to (value=0,mask=0xffff'ffff'0000'0003). -However, the implementation from 581738a681b6 didn't compute the tnum -constraint based on the fixed operand, but instead derives it from the -arithmetic-range-based tracking. This means that after the following -sequence of operations: - - if (r0 >= 0x1'0000'0001) - exit - if ((u32)r0 > 7) - exit - -The verifier assumed that the lower half of r0 is in the range (0, 0) -and apply the tnum constraint (value=0,mask=0xffff'ffff'0000'0000) thus -causing the overall tnum to be (value=0,mask=0x1'0000'0000), which was -incorrect. Provide a fixed implementation. - -Fixes: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions") -Signed-off-by: Jann Horn -Signed-off-by: Daniel Borkmann -Signed-off-by: Alexei Starovoitov -Link: https://lore.kernel.org/bpf/20200330160324.15259-3-daniel@iogearbox.net -Signed-off-by: Sasha Levin ---- - kernel/bpf/verifier.c | 108 ++++++++++++++++++++++++++++-------------- - 1 file changed, 72 insertions(+), 36 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 79f38a281390d..f6476c4e9037a 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -5550,6 +5550,70 @@ static bool cmp_val_with_extended_s64(s64 sval, struct bpf_reg_state *reg) - reg->smax_value <= 0 && reg->smin_value >= S32_MIN); - } - -+/* Constrain the possible values of @reg with unsigned upper bound @bound. -+ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive. -+ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits -+ * of @reg. -+ */ -+static void set_upper_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32, -+ bool is_exclusive) -+{ -+ if (is_exclusive) { -+ /* There are no values for `reg` that make `reg<0` true. */ -+ if (bound == 0) -+ return; -+ bound--; -+ } -+ if (is_jmp32) { -+ /* Constrain the register's value in the tnum representation. -+ * For 64-bit comparisons this happens later in -+ * __reg_bound_offset(), but for 32-bit comparisons, we can be -+ * more precise than what can be derived from the updated -+ * numeric bounds. -+ */ -+ struct tnum t = tnum_range(0, bound); -+ -+ t.mask |= ~0xffffffffULL; /* upper half is unknown */ -+ reg->var_off = tnum_intersect(reg->var_off, t); -+ -+ /* Compute the 64-bit bound from the 32-bit bound. */ -+ bound += gen_hi_max(reg->var_off); -+ } -+ reg->umax_value = min(reg->umax_value, bound); -+} -+ -+/* Constrain the possible values of @reg with unsigned lower bound @bound. -+ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive. -+ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits -+ * of @reg. -+ */ -+static void set_lower_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32, -+ bool is_exclusive) -+{ -+ if (is_exclusive) { -+ /* There are no values for `reg` that make `reg>MAX` true. */ -+ if (bound == (is_jmp32 ? U32_MAX : U64_MAX)) -+ return; -+ bound++; -+ } -+ if (is_jmp32) { -+ /* Constrain the register's value in the tnum representation. -+ * For 64-bit comparisons this happens later in -+ * __reg_bound_offset(), but for 32-bit comparisons, we can be -+ * more precise than what can be derived from the updated -+ * numeric bounds. -+ */ -+ struct tnum t = tnum_range(bound, U32_MAX); -+ -+ t.mask |= ~0xffffffffULL; /* upper half is unknown */ -+ reg->var_off = tnum_intersect(reg->var_off, t); -+ -+ /* Compute the 64-bit bound from the 32-bit bound. */ -+ bound += gen_hi_min(reg->var_off); -+ } -+ reg->umin_value = max(reg->umin_value, bound); -+} -+ - /* Adjusts the register min/max values in the case that the dst_reg is the - * variable register that we are working on, and src_reg is a constant or we're - * simply doing a BPF_K check. -@@ -5605,15 +5669,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, - case BPF_JGE: - case BPF_JGT: - { -- u64 false_umax = opcode == BPF_JGT ? val : val - 1; -- u64 true_umin = opcode == BPF_JGT ? val + 1 : val; -- -- if (is_jmp32) { -- false_umax += gen_hi_max(false_reg->var_off); -- true_umin += gen_hi_min(true_reg->var_off); -- } -- false_reg->umax_value = min(false_reg->umax_value, false_umax); -- true_reg->umin_value = max(true_reg->umin_value, true_umin); -+ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JGE); -+ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JGT); - break; - } - case BPF_JSGE: -@@ -5634,15 +5691,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, - case BPF_JLE: - case BPF_JLT: - { -- u64 false_umin = opcode == BPF_JLT ? val : val + 1; -- u64 true_umax = opcode == BPF_JLT ? val - 1 : val; -- -- if (is_jmp32) { -- false_umin += gen_hi_min(false_reg->var_off); -- true_umax += gen_hi_max(true_reg->var_off); -- } -- false_reg->umin_value = max(false_reg->umin_value, false_umin); -- true_reg->umax_value = min(true_reg->umax_value, true_umax); -+ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JLE); -+ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JLT); - break; - } - case BPF_JSLE: -@@ -5717,15 +5767,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, - case BPF_JGE: - case BPF_JGT: - { -- u64 false_umin = opcode == BPF_JGT ? val : val + 1; -- u64 true_umax = opcode == BPF_JGT ? val - 1 : val; -- -- if (is_jmp32) { -- false_umin += gen_hi_min(false_reg->var_off); -- true_umax += gen_hi_max(true_reg->var_off); -- } -- false_reg->umin_value = max(false_reg->umin_value, false_umin); -- true_reg->umax_value = min(true_reg->umax_value, true_umax); -+ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JGE); -+ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JGT); - break; - } - case BPF_JSGE: -@@ -5743,15 +5786,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, - case BPF_JLE: - case BPF_JLT: - { -- u64 false_umax = opcode == BPF_JLT ? val : val - 1; -- u64 true_umin = opcode == BPF_JLT ? val + 1 : val; -- -- if (is_jmp32) { -- false_umax += gen_hi_max(false_reg->var_off); -- true_umin += gen_hi_min(true_reg->var_off); -- } -- false_reg->umax_value = min(false_reg->umax_value, false_umax); -- true_reg->umin_value = max(true_reg->umin_value, true_umin); -+ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JLE); -+ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JLT); - break; - } - case BPF_JSLE: --- -2.20.1 - diff --git a/queue-5.6/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch b/queue-5.6/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch deleted file mode 100644 index e049698f11f..00000000000 --- a/queue-5.6/bpf-fix-tnum-constraints-for-32-bit-comparisons.patch +++ /dev/null @@ -1,194 +0,0 @@ -From d2de60c3fc508440269d005a53c8f3b450d600bb Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Mon, 30 Mar 2020 18:03:23 +0200 -Subject: bpf: Fix tnum constraints for 32-bit comparisons - -From: Jann Horn - -[ Upstream commit 604dca5e3af1db98bd123b7bfc02b017af99e3a0 ] - -The BPF verifier tried to track values based on 32-bit comparisons by -(ab)using the tnum state via 581738a681b6 ("bpf: Provide better register -bounds after jmp32 instructions"). The idea is that after a check like -this: - - if ((u32)r0 > 3) - exit - -We can't meaningfully constrain the arithmetic-range-based tracking, but -we can update the tnum state to (value=0,mask=0xffff'ffff'0000'0003). -However, the implementation from 581738a681b6 didn't compute the tnum -constraint based on the fixed operand, but instead derives it from the -arithmetic-range-based tracking. This means that after the following -sequence of operations: - - if (r0 >= 0x1'0000'0001) - exit - if ((u32)r0 > 7) - exit - -The verifier assumed that the lower half of r0 is in the range (0, 0) -and apply the tnum constraint (value=0,mask=0xffff'ffff'0000'0000) thus -causing the overall tnum to be (value=0,mask=0x1'0000'0000), which was -incorrect. Provide a fixed implementation. - -Fixes: 581738a681b6 ("bpf: Provide better register bounds after jmp32 instructions") -Signed-off-by: Jann Horn -Signed-off-by: Daniel Borkmann -Signed-off-by: Alexei Starovoitov -Link: https://lore.kernel.org/bpf/20200330160324.15259-3-daniel@iogearbox.net -Signed-off-by: Sasha Levin ---- - kernel/bpf/verifier.c | 108 ++++++++++++++++++++++++++++-------------- - 1 file changed, 72 insertions(+), 36 deletions(-) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 5080469094afe..595b39eee6422 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -5590,6 +5590,70 @@ static bool cmp_val_with_extended_s64(s64 sval, struct bpf_reg_state *reg) - reg->smax_value <= 0 && reg->smin_value >= S32_MIN); - } - -+/* Constrain the possible values of @reg with unsigned upper bound @bound. -+ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive. -+ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits -+ * of @reg. -+ */ -+static void set_upper_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32, -+ bool is_exclusive) -+{ -+ if (is_exclusive) { -+ /* There are no values for `reg` that make `reg<0` true. */ -+ if (bound == 0) -+ return; -+ bound--; -+ } -+ if (is_jmp32) { -+ /* Constrain the register's value in the tnum representation. -+ * For 64-bit comparisons this happens later in -+ * __reg_bound_offset(), but for 32-bit comparisons, we can be -+ * more precise than what can be derived from the updated -+ * numeric bounds. -+ */ -+ struct tnum t = tnum_range(0, bound); -+ -+ t.mask |= ~0xffffffffULL; /* upper half is unknown */ -+ reg->var_off = tnum_intersect(reg->var_off, t); -+ -+ /* Compute the 64-bit bound from the 32-bit bound. */ -+ bound += gen_hi_max(reg->var_off); -+ } -+ reg->umax_value = min(reg->umax_value, bound); -+} -+ -+/* Constrain the possible values of @reg with unsigned lower bound @bound. -+ * If @is_exclusive, @bound is an exclusive limit, otherwise it is inclusive. -+ * If @is_jmp32, @bound is a 32-bit value that only constrains the low 32 bits -+ * of @reg. -+ */ -+static void set_lower_bound(struct bpf_reg_state *reg, u64 bound, bool is_jmp32, -+ bool is_exclusive) -+{ -+ if (is_exclusive) { -+ /* There are no values for `reg` that make `reg>MAX` true. */ -+ if (bound == (is_jmp32 ? U32_MAX : U64_MAX)) -+ return; -+ bound++; -+ } -+ if (is_jmp32) { -+ /* Constrain the register's value in the tnum representation. -+ * For 64-bit comparisons this happens later in -+ * __reg_bound_offset(), but for 32-bit comparisons, we can be -+ * more precise than what can be derived from the updated -+ * numeric bounds. -+ */ -+ struct tnum t = tnum_range(bound, U32_MAX); -+ -+ t.mask |= ~0xffffffffULL; /* upper half is unknown */ -+ reg->var_off = tnum_intersect(reg->var_off, t); -+ -+ /* Compute the 64-bit bound from the 32-bit bound. */ -+ bound += gen_hi_min(reg->var_off); -+ } -+ reg->umin_value = max(reg->umin_value, bound); -+} -+ - /* Adjusts the register min/max values in the case that the dst_reg is the - * variable register that we are working on, and src_reg is a constant or we're - * simply doing a BPF_K check. -@@ -5645,15 +5709,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, - case BPF_JGE: - case BPF_JGT: - { -- u64 false_umax = opcode == BPF_JGT ? val : val - 1; -- u64 true_umin = opcode == BPF_JGT ? val + 1 : val; -- -- if (is_jmp32) { -- false_umax += gen_hi_max(false_reg->var_off); -- true_umin += gen_hi_min(true_reg->var_off); -- } -- false_reg->umax_value = min(false_reg->umax_value, false_umax); -- true_reg->umin_value = max(true_reg->umin_value, true_umin); -+ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JGE); -+ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JGT); - break; - } - case BPF_JSGE: -@@ -5674,15 +5731,8 @@ static void reg_set_min_max(struct bpf_reg_state *true_reg, - case BPF_JLE: - case BPF_JLT: - { -- u64 false_umin = opcode == BPF_JLT ? val : val + 1; -- u64 true_umax = opcode == BPF_JLT ? val - 1 : val; -- -- if (is_jmp32) { -- false_umin += gen_hi_min(false_reg->var_off); -- true_umax += gen_hi_max(true_reg->var_off); -- } -- false_reg->umin_value = max(false_reg->umin_value, false_umin); -- true_reg->umax_value = min(true_reg->umax_value, true_umax); -+ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JLE); -+ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JLT); - break; - } - case BPF_JSLE: -@@ -5757,15 +5807,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, - case BPF_JGE: - case BPF_JGT: - { -- u64 false_umin = opcode == BPF_JGT ? val : val + 1; -- u64 true_umax = opcode == BPF_JGT ? val - 1 : val; -- -- if (is_jmp32) { -- false_umin += gen_hi_min(false_reg->var_off); -- true_umax += gen_hi_max(true_reg->var_off); -- } -- false_reg->umin_value = max(false_reg->umin_value, false_umin); -- true_reg->umax_value = min(true_reg->umax_value, true_umax); -+ set_lower_bound(false_reg, val, is_jmp32, opcode == BPF_JGE); -+ set_upper_bound(true_reg, val, is_jmp32, opcode == BPF_JGT); - break; - } - case BPF_JSGE: -@@ -5783,15 +5826,8 @@ static void reg_set_min_max_inv(struct bpf_reg_state *true_reg, - case BPF_JLE: - case BPF_JLT: - { -- u64 false_umax = opcode == BPF_JLT ? val : val - 1; -- u64 true_umin = opcode == BPF_JLT ? val + 1 : val; -- -- if (is_jmp32) { -- false_umax += gen_hi_max(false_reg->var_off); -- true_umin += gen_hi_min(true_reg->var_off); -- } -- false_reg->umax_value = min(false_reg->umax_value, false_umax); -- true_reg->umin_value = max(true_reg->umin_value, true_umin); -+ set_upper_bound(false_reg, val, is_jmp32, opcode == BPF_JLE); -+ set_lower_bound(true_reg, val, is_jmp32, opcode == BPF_JLT); - break; - } - case BPF_JSLE: --- -2.20.1 - -- 2.47.3