4.9-stable patches

added patches:
	bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch

diff --git a/queue-4.9/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch b/queue-4.9/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch
new file mode 100644 (file)
index 0000000..f8e7ce9
--- /dev/null
+++ b/queue-4.9/bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch
@@ -0,0 +1,48 @@
+From ben@decadent.org.uk  Wed Dec 27 21:04:06 2017
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sat, 23 Dec 2017 02:26:17 +0000
+Subject: bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN
+To: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: stable@vger.kernel.org, netdev@vger.kernel.org, Edward Cree <ecree@solarflare.com>, Jann Horn <jannh@google.com>, Alexei Starovoitov <ast@kernel.org>
+Message-ID: <20171223022617.GO2971@decadent.org.uk>
+Content-Disposition: inline
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+An UNKNOWN_VALUE is not supposed to be derived from a pointer, unless
+pointer leaks are allowed.  Therefore, states_equal() must not treat
+a state with a pointer in a register as "equal" to a state with an
+UNKNOWN_VALUE in that register.
+
+This was fixed differently upstream, but the code around here was
+largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework
+value tracking".  The bug can be detected by the bpf/verifier sub-test
+"pointer/scalar confusion in state equality check (way 1)".
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Cc: Edward Cree <ecree@solarflare.com>
+Cc: Jann Horn <jannh@google.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Cc: Daniel Borkmann <daniel@iogearbox.net>
+
+---
+ kernel/bpf/verifier.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2722,11 +2722,12 @@ static bool states_equal(struct bpf_veri
+ 
+               /* If we didn't map access then again we don't care about the
+                * mismatched range values and it's ok if our old type was
+-               * UNKNOWN and we didn't go to a NOT_INIT'ed reg.
++               * UNKNOWN and we didn't go to a NOT_INIT'ed or pointer reg.
+                */
+               if (rold->type == NOT_INIT ||
+                   (!varlen_map_access && rold->type == UNKNOWN_VALUE &&
+-                   rcur->type != NOT_INIT))
++                   rcur->type != NOT_INIT &&
++                   !__is_pointer_value(env->allow_ptr_leaks, rcur)))
+                       continue;
+ 
+               /* Don't care about the reg->id in this case. */

diff --git a/queue-4.9/series b/queue-4.9/series
index 583f46282f6232bb95f867a52ae0bbc236186db1..344af08f5a91673bec61159e8a92426ed2441ed5 100644 (file)
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -19,3 +19,4 @@ libnvdimm-pfn-fix-start_pad-handling-for-aligned-namespaces.patch
 net-mvneta-clear-interface-link-status-on-port-disable.patch
 net-mvneta-use-proper-rxq_number-in-loop-on-rx-queues.patch
 net-mvneta-eliminate-wrong-call-to-handle-rx-descriptor-error.patch
+bpf-verifier-fix-states_equal-comparison-of-pointer-and-unknown.patch