From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org
Cc: hsimeliere.opensource@witekio.com, Sasha Levin <sashal@kernel.org>
Subject: Re: [PATCH 6.1 2/2] bpf: Fix overloading of MEM_UNINIT's meaning
Date: Fri, 10 Jan 2025 14:20:52 -0500
Message-ID: <20250110130335-e68cc85f814c4ef3@stable.kernel.org>
In-Reply-To: <20250110152958.92843-2-hsimeliere.opensource@witekio.com>
[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: 8ea607330a39184f51737c6ae706db7fdca7628e
WARNING: Author mismatch between patch and upstream commit:
Backport author: hsimeliere.opensource@witekio.com
Commit author: Daniel Borkmann <daniel@iogearbox.net>
Status in newer kernel trees:
6.12.y | Present (exact SHA1)
6.6.y | Present (different SHA1: 48068ccaea95)
6.1.y | Not found
Note: The patch differs from the upstream commit:
---
1: 8ea607330a39 ! 1: 2a7a87725633 bpf: Fix overloading of MEM_UNINIT's meaning
@@ Metadata
## Commit message ##
bpf: Fix overloading of MEM_UNINIT's meaning
+ [ Upstream commit 8ea607330a39184f51737c6ae706db7fdca7628e ]
+
Lonial reported an issue in the BPF verifier where check_mem_size_reg()
has the following code:
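Review bot: the `[ Upstream commit 8ea607330a39184f51737c6ae706db7fdca7628e ]` tag added at the top of the message matches the SHA1 the helper verified above, so stable tooling can map this backport to its upstream commit; the rest of this region is carried over from upstream unchanged.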
@@ Commit message
Acked-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20241021152809.33343-2-daniel@iogearbox.net
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+ Signed-off-by: BRUNO VERNAY <bruno.vernay@se.com>
+ Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
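Review bot: the author-mismatch warning above needs resolving before this is applied: the patch's author field is the backporter rather than the upstream commit author, so the From: header should be restored to Daniel Borkmann <daniel@iogearbox.net>, with the backporters appearing only in the two added Signed-off-by lines as they do here. Also check that the all-caps `Signed-off-by: BRUNO VERNAY <bruno.vernay@se.com>` is how that contributor intends to be recorded.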
## kernel/bpf/verifier.c ##
@@ kernel/bpf/verifier.c: static int check_stack_range_initialized(
@@ kernel/bpf/verifier.c: static int check_helper_mem_access(struct bpf_verifier_en
return zero_size_allowed ? 0 : -EACCES;
return check_mem_access(env, env->insn_idx, regno, offset, BPF_B,
-- atype, -1, false, false);
-+ access_type, -1, false, false);
+- atype, -1, false);
++ access_type, -1, false);
}
fallthrough;
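Review bot: the backport drops the trailing `false` argument from upstream's `check_mem_access(..., access_type, -1, false, false)`, leaving `access_type, -1, false);`. That is the expected adaptation to the shorter check_mem_access() signature in 6.1, and the 6.1.y build success in the table below confirms the call compiles; the `atype` to `access_type` rename itself is carried over unchanged.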
@@ kernel/bpf/verifier.c: static int check_helper_mem_access(struct bpf_verifier_env *env, int regno,
- */
+
static int check_mem_size_reg(struct bpf_verifier_env *env,
struct bpf_reg_state *reg, u32 regno,
+ enum bpf_access_type access_type,
@@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *en
if (reg->smin_value < 0) {
@@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *env,
+
+ if (reg->umin_value == 0) {
+ err = check_helper_mem_access(env, regno - 1, 0,
+- zero_size_allowed,
+- meta);
++ access_type, zero_size_allowed, meta);
+ if (err)
+ return err;
+ }
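Review bot: this hunk has no upstream counterpart (every line carries the leading `+` of the range-diff), and it updates a 6.1-only call site, `check_helper_mem_access(env, regno - 1, 0, ...)` in the `reg->umin_value == 0` branch, to pass the new `access_type` parameter. The change is necessary because that call would otherwise no longer match the widened signature, but the commit-message diff above only adds the Upstream tag and Signed-off-by lines; a short note in the backport's commit message explaining this extra hunk would stop reviewers from mistaking it for a functional divergence from upstream.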
+@@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *env,
regno);
return -EACCES;
}
@@ kernel/bpf/verifier.c: static int check_mem_size_reg(struct bpf_verifier_env *en
if (!err)
err = mark_chain_precision(env, regno);
return err;
-@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg
+@@ kernel/bpf/verifier.c: int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
{
bool may_be_null = type_may_be_null(reg->type);
struct bpf_reg_state saved_reg;
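Review bot: the only difference in this hunk and in the two check_mem_reg/check_kfunc_mem_size_reg hunk headers that follow is `static int` upstream versus `int` in 6.1, where these functions are not static; the header text is context only and the hunk bodies are identical, so no action is needed, but it confirms the backport was generated against the 6.1 tree rather than edited by hand from the upstream diff.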
@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, st
/* Assuming that the register contains a value check if the memory
* access is safe. Temporarily save and restore the register's state as
* the conversion shouldn't be visible to a caller.
-@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg
+@@ kernel/bpf/verifier.c: int check_mem_reg(struct bpf_verifier_env *env, struct bpf_reg_state *reg,
mark_ptr_not_null_reg(reg);
}
@@ kernel/bpf/verifier.c: static int check_mem_reg(struct bpf_verifier_env *env, st
if (may_be_null)
*reg = saved_reg;
-@@ kernel/bpf/verifier.c: static int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg
+@@ kernel/bpf/verifier.c: int check_kfunc_mem_size_reg(struct bpf_verifier_env *env, struct bpf_reg_state
mark_ptr_not_null_reg(mem_reg);
}
@@ kernel/bpf/verifier.c: static int check_func_arg(struct bpf_verifier_env *env, u
+ true, meta);
break;
case ARG_PTR_TO_DYNPTR:
- err = process_dynptr_func(env, regno, insn_idx, arg_type, 0);
+ /* We only need to check for initialized / uninitialized helper
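Review bot: the range-diff output is cut off here, so the ARG_PTR_TO_DYNPTR case cannot be reviewed from this report. What is visible shows upstream removing a single `process_dynptr_func(env, regno, insn_idx, arg_type, 0);` line while the backport instead touches a comment block beginning `/* We only need to check for initialized / uninitialized helper`, which indicates this call site is structured differently in 6.1; the full patch should be checked to confirm the 6.1 dynptr path receives the equivalent change and nothing was dropped.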
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-6.1.y | Success | Success |