From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: hsimeliere.opensource@witekio.com, Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 6.1 2/2] bpf: Fix overloading of MEM_UNINIT's meaning
Date: Fri, 10 Jan 2025 14:20:52 -0500 [thread overview]
Message-ID: <20250110130335-e68cc85f814c4ef3@stable.kernel.org> (raw)
In-Reply-To: <20250110152958.92843-2-hsimeliere.opensource@witekio.com>
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 8ea607330a39184f51737c6ae706db7fdca7628e
WARNING: Author mismatch between patch and upstream commit:
Backport author: hsimeliere.opensource@witekio.com
Commit author: Daniel Borkmann <daniel@iogearbox.net>
Status in newer kernel trees:
| Tree   | Status                                 |
|--------|----------------------------------------|
| 6.12.y | Present (exact SHA1)                   |
| 6.6.y  | Present (different SHA1: 48068ccaea95) |
| 6.1.y  | Not found                              |
Note: The patch differs from the upstream commit:
---
1: 8ea607330a39 ! 1: 2a7a87725633 bpf: Fix overloading of MEM_UNINIT's meaning
@@ Metadata
## Commit message ##
bpf: Fix overloading of MEM_UNINIT's meaning
+ [ Upstream commit 8ea607330a39184f51737c6ae706db7fdca7628e ]
+
Lonial reported an issue in the BPF verifier where check_mem_size_reg()
has the following code:
@@ Commit message
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20241021152809.33343-2-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+ Signed-off-by: BRUNO VERNAY <bruno.vernay@se.com>
+ Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
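Review bot: the two Signed-off-by trailers added here (BRUNO VERNAY and Hugo SIMELIERE) account for the author-mismatch warning at the top of this report, but they only record who carried the backport; please make sure the patch's From: still names the upstream author, Daniel Borkmann <daniel@iogearbox.net>, so that authorship is preserved when the 6.1.y tree applies it.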
## kernel/bpf/verifier.c ##
@@ kernel/bpf/verifier.c: static int check_stack_range_initialized(
@@ kernel/bpf/verifier.c: static int check_helper_mem_access(struct bpf_verifier_en
return zero_size_allowed ? 0 : -EACCES;
return check_mem_access(env, env->insn_idx, regno, offset, BPF_B,
-- atype, -1, false, false);
-+ access_type, -1, false, false);
+- atype, -1, false);
++ access_type, -1, false);
}
fallthrough;
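Review bot: in the check_mem_access() call the backport passes `access_type, -1, false` where upstream passes `access_type, -1, false, false`, so one trailing argument is dropped to match the 6.1 signature. The 6.1.y build succeeded, so the adaptation compiles; please spell this deviation out under the `---` line of the patch so reviewers know the argument list was adjusted deliberately rather than mis-merged.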
@@ kernel/bpf/verifier.c: static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,
- */
+
static int check_mem_size_reg(struct bpf_verifier_env *env,
struct bpf_reg_state *reg, u32 regno,
+ enum bpf_access_type access_type,
@@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *en
if (reg->smin_value < 0) {
@@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *env,
+
+ if (reg->umin_value == 0) {
+ err = check_helper_mem_access(env, regno - 1, 0,
+- zero_size_allowed,
+- meta);
++ access_type, zero_size_allowed, meta);
+ if (err)
+ return err;
+ }
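Review bot: this whole hunk is backport-only (every line is `+`-prefixed in the range-diff), so the check_helper_mem_access() call inside the `reg->umin_value == 0` branch exists in 6.1 but has no counterpart in the upstream commit. Threading `access_type` through it is required now that check_helper_mem_access() takes an access type, as the earlier hunk shows; because it is not part of the upstream change, list it explicitly in the backport notes together with the reason it is needed on 6.1.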
+@@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *env,
regno);
return -EACCES;
}
@@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *en
if (!err)
err = mark_chain_precision(env, regno);
return err;
-@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg
+@@ kernel/bpf/verifier.c: int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
{
bool may_be_null = type_may_be_null(reg->type);
struct bpf_reg_state saved_reg;
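Review bot: the only difference in this hunk is the header context, `static int check_mem_reg(...)` upstream versus `int check_mem_reg(...)` on 6.1; the function is simply not static on that branch and the hunk body carries no `+`/`-` lines, so nothing needs to change here. The same holds for the remaining check_mem_reg and check_kfunc_mem_size_reg hunks below, whose headers differ in the same way.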
@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, st
/* Assuming that the register contains a value check if the memory
* access is safe. Temporarily save and restore the register's state as
* the conversion shouldn't be visible to a caller.
-@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg
+@@ kernel/bpf/verifier.c: int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
mark_ptr_not_null_reg(reg);
}
@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, st
if (may_be_null)
*reg = saved_reg;
-@@ kernel/bpf/verifier.c: static int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg
+@@ kernel/bpf/verifier.c: int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg_state
mark_ptr_not_null_reg(mem_reg);
}
@@ kernel/bpf/verifier.c: static int check_func_arg(struct bpf_verifier_env *env, u
+ true, meta);
break;
case ARG_PTR_TO_DYNPTR:
- err = process_dynptr_func(env, regno, insn_idx, arg_type, 0);
+ /* We only need to check for initialized / uninitialized helper
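Review bot: in check_func_arg() the upstream hunk carries `err = process_dynptr_func(env, regno, insn_idx, arg_type, 0);` as context while the 6.1 version has the comment `/* We only need to check for initialized / uninitialized helper` in its place, so the ARG_PTR_TO_DYNPTR case differs between the two trees and the hunk was re-contexted. The range-diff output is cut off at this point, so please confirm by hand that the `true, meta` change just above lands on the intended call and that the dynptr path on 6.1 does not also need the new access type.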
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |