From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Fri, 11 Dec 2020 12:21:08 +0000 (+0100)
Subject: 5.9-stable patches
X-Git-Tag: v5.9.14~1
X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=b39cc65c86212c9b88620b2449587d23f974b183;p=thirdparty%2Fkernel%2Fstable-queue.git

5.9-stable patches

added patches:
	bpf-fix-propagation-of-32-bit-signed-bounds-from-64-bit-bounds.patch
---

diff --git a/queue-5.9/bpf-fix-propagation-of-32-bit-signed-bounds-from-64-bit-bounds.patch b/queue-5.9/bpf-fix-propagation-of-32-bit-signed-bounds-from-64-bit-bounds.patch
new file mode 100644
index 00000000000..510101f68af
--- /dev/null
+++ b/queue-5.9/bpf-fix-propagation-of-32-bit-signed-bounds-from-64-bit-bounds.patch
@@ -0,0 +1,63 @@
+From b02709587ea3d699a608568ee8157d8db4fd8cae Mon Sep 17 00:00:00 2001
+From: Alexei Starovoitov <ast@kernel.org>
+Date: Tue, 8 Dec 2020 19:01:51 +0100
+Subject: bpf: Fix propagation of 32-bit signed bounds from 64-bit bounds.
+
+From: Alexei Starovoitov <ast@kernel.org>
+
+commit b02709587ea3d699a608568ee8157d8db4fd8cae upstream.
+
+The 64-bit signed bounds should not affect 32-bit signed bounds unless the
+verifier knows that upper 32-bits are either all 1s or all 0s. For example the
+register with smin_value==1 doesn't mean that s32_min_value is also equal to 1,
+since smax_value could be larger than 32-bit subregister can hold.
+The verifier refines the smax/s32_max return value from certain helpers in
+do_refine_retval_range(). Teach the verifier to recognize that smin/s32_min
+value is also bounded. When both smin and smax bounds fit into 32-bit
+subregister the verifier can propagate those bounds.
+
+Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking")
+Reported-by: Jean-Philippe Brucker <jean-philippe@linaro.org>
+Acked-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/verifier.c |   10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -1273,9 +1273,7 @@ static void __reg_combine_32_into_64(str
+ 
+ static bool __reg64_bound_s32(s64 a)
+ {
+-	if (a > S32_MIN && a < S32_MAX)
+-		return true;
+-	return false;
++	return a > S32_MIN && a < S32_MAX;
+ }
+ 
+ static bool __reg64_bound_u32(u64 a)
+@@ -1289,10 +1287,10 @@ static void __reg_combine_64_into_32(str
+ {
+ 	__mark_reg32_unbounded(reg);
+ 
+-	if (__reg64_bound_s32(reg->smin_value))
++	if (__reg64_bound_s32(reg->smin_value) && __reg64_bound_s32(reg->smax_value)) {
+ 		reg->s32_min_value = (s32)reg->smin_value;
+-	if (__reg64_bound_s32(reg->smax_value))
+ 		reg->s32_max_value = (s32)reg->smax_value;
++	}
+ 	if (__reg64_bound_u32(reg->umin_value))
+ 		reg->u32_min_value = (u32)reg->umin_value;
+ 	if (__reg64_bound_u32(reg->umax_value))
+@@ -4676,6 +4674,8 @@ static void do_refine_retval_range(struc
+ 
+ 	ret_reg->smax_value = meta->msize_max_value;
+ 	ret_reg->s32_max_value = meta->msize_max_value;
++	ret_reg->smin_value = -MAX_ERRNO;
++	ret_reg->s32_min_value = -MAX_ERRNO;
+ 	__reg_deduce_bounds(ret_reg);
+ 	__reg_bound_offset(ret_reg);
+ 	__update_reg_bounds(ret_reg);
diff --git a/queue-5.9/series b/queue-5.9/series
index 892c3355da2..1ea320795c6 100644
--- a/queue-5.9/series
+++ b/queue-5.9/series
@@ -74,3 +74,4 @@ netfilter-nftables_offload-set-address-type-in-control-dissector.patch
 netfilter-nftables_offload-build-mask-based-from-the-matching-bytes.patch
 x86-insn-eval-use-new-for_each_insn_prefix-macro-to-loop-over-prefixes-bytes.patch
 revert-geneve-pull-ip-header-before-ecn-decapsulation.patch
+bpf-fix-propagation-of-32-bit-signed-bounds-from-64-bit-bounds.patch