Annotation of /trunk/kernel-alx/patches-5.4/0215-5.4.116-all-fixes.patch
Parent Directory | Revision Log
Revision 3637 -
(hide annotations)
(download)
Mon Oct 24 12:40:44 2022 UTC (18 months, 3 weeks ago) by niro
File size: 19926 byte(s)
Mon Oct 24 12:40:44 2022 UTC (18 months, 3 weeks ago) by niro
File size: 19926 byte(s)
-add missing
1 | niro | 3637 | diff --git a/Makefile b/Makefile |
2 | index f473f4fe5a0c3..cb1a446f832c0 100644 | ||
3 | --- a/Makefile | ||
4 | +++ b/Makefile | ||
5 | @@ -1,7 +1,7 @@ | ||
6 | # SPDX-License-Identifier: GPL-2.0 | ||
7 | VERSION = 5 | ||
8 | PATCHLEVEL = 4 | ||
9 | -SUBLEVEL = 115 | ||
10 | +SUBLEVEL = 116 | ||
11 | EXTRAVERSION = | ||
12 | NAME = Kleptomaniac Octopus | ||
13 | |||
14 | diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c | ||
15 | index ab2a4b7dfca57..bc439dcd438f1 100644 | ||
16 | --- a/kernel/bpf/verifier.c | ||
17 | +++ b/kernel/bpf/verifier.c | ||
18 | @@ -4263,40 +4263,51 @@ static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env) | ||
19 | return &env->insn_aux_data[env->insn_idx]; | ||
20 | } | ||
21 | |||
22 | +enum { | ||
23 | + REASON_BOUNDS = -1, | ||
24 | + REASON_TYPE = -2, | ||
25 | + REASON_PATHS = -3, | ||
26 | + REASON_LIMIT = -4, | ||
27 | + REASON_STACK = -5, | ||
28 | +}; | ||
29 | + | ||
30 | static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, | ||
31 | - u32 *ptr_limit, u8 opcode, bool off_is_neg) | ||
32 | + const struct bpf_reg_state *off_reg, | ||
33 | + u32 *alu_limit, u8 opcode) | ||
34 | { | ||
35 | + bool off_is_neg = off_reg->smin_value < 0; | ||
36 | bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || | ||
37 | (opcode == BPF_SUB && !off_is_neg); | ||
38 | - u32 off, max; | ||
39 | + u32 max = 0, ptr_limit = 0; | ||
40 | + | ||
41 | + if (!tnum_is_const(off_reg->var_off) && | ||
42 | + (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) | ||
43 | + return REASON_BOUNDS; | ||
44 | |||
45 | switch (ptr_reg->type) { | ||
46 | case PTR_TO_STACK: | ||
47 | /* Offset 0 is out-of-bounds, but acceptable start for the | ||
48 | - * left direction, see BPF_REG_FP. | ||
49 | + * left direction, see BPF_REG_FP. Also, unknown scalar | ||
50 | + * offset where we would need to deal with min/max bounds is | ||
51 | + * currently prohibited for unprivileged. | ||
52 | */ | ||
53 | max = MAX_BPF_STACK + mask_to_left; | ||
54 | - /* Indirect variable offset stack access is prohibited in | ||
55 | - * unprivileged mode so it's not handled here. | ||
56 | - */ | ||
57 | - off = ptr_reg->off + ptr_reg->var_off.value; | ||
58 | - if (mask_to_left) | ||
59 | - *ptr_limit = MAX_BPF_STACK + off; | ||
60 | - else | ||
61 | - *ptr_limit = -off - 1; | ||
62 | - return *ptr_limit >= max ? -ERANGE : 0; | ||
63 | + ptr_limit = -(ptr_reg->var_off.value + ptr_reg->off); | ||
64 | + break; | ||
65 | case PTR_TO_MAP_VALUE: | ||
66 | max = ptr_reg->map_ptr->value_size; | ||
67 | - if (mask_to_left) { | ||
68 | - *ptr_limit = ptr_reg->umax_value + ptr_reg->off; | ||
69 | - } else { | ||
70 | - off = ptr_reg->smin_value + ptr_reg->off; | ||
71 | - *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; | ||
72 | - } | ||
73 | - return *ptr_limit >= max ? -ERANGE : 0; | ||
74 | + ptr_limit = (mask_to_left ? | ||
75 | + ptr_reg->smin_value : | ||
76 | + ptr_reg->umax_value) + ptr_reg->off; | ||
77 | + break; | ||
78 | default: | ||
79 | - return -EINVAL; | ||
80 | + return REASON_TYPE; | ||
81 | } | ||
82 | + | ||
83 | + if (ptr_limit >= max) | ||
84 | + return REASON_LIMIT; | ||
85 | + *alu_limit = ptr_limit; | ||
86 | + return 0; | ||
87 | } | ||
88 | |||
89 | static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env, | ||
90 | @@ -4314,7 +4325,7 @@ static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux, | ||
91 | if (aux->alu_state && | ||
92 | (aux->alu_state != alu_state || | ||
93 | aux->alu_limit != alu_limit)) | ||
94 | - return -EACCES; | ||
95 | + return REASON_PATHS; | ||
96 | |||
97 | /* Corresponding fixup done in fixup_bpf_calls(). */ | ||
98 | aux->alu_state = alu_state; | ||
99 | @@ -4333,14 +4344,22 @@ static int sanitize_val_alu(struct bpf_verifier_env *env, | ||
100 | return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0); | ||
101 | } | ||
102 | |||
103 | +static bool sanitize_needed(u8 opcode) | ||
104 | +{ | ||
105 | + return opcode == BPF_ADD || opcode == BPF_SUB; | ||
106 | +} | ||
107 | + | ||
108 | static int sanitize_ptr_alu(struct bpf_verifier_env *env, | ||
109 | struct bpf_insn *insn, | ||
110 | const struct bpf_reg_state *ptr_reg, | ||
111 | + const struct bpf_reg_state *off_reg, | ||
112 | struct bpf_reg_state *dst_reg, | ||
113 | - bool off_is_neg) | ||
114 | + struct bpf_insn_aux_data *tmp_aux, | ||
115 | + const bool commit_window) | ||
116 | { | ||
117 | + struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : tmp_aux; | ||
118 | struct bpf_verifier_state *vstate = env->cur_state; | ||
119 | - struct bpf_insn_aux_data *aux = cur_aux(env); | ||
120 | + bool off_is_neg = off_reg->smin_value < 0; | ||
121 | bool ptr_is_dst_reg = ptr_reg == dst_reg; | ||
122 | u8 opcode = BPF_OP(insn->code); | ||
123 | u32 alu_state, alu_limit; | ||
124 | @@ -4358,18 +4377,33 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, | ||
125 | if (vstate->speculative) | ||
126 | goto do_sim; | ||
127 | |||
128 | - alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; | ||
129 | - alu_state |= ptr_is_dst_reg ? | ||
130 | - BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; | ||
131 | - | ||
132 | - err = retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg); | ||
133 | + err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode); | ||
134 | if (err < 0) | ||
135 | return err; | ||
136 | |||
137 | + if (commit_window) { | ||
138 | + /* In commit phase we narrow the masking window based on | ||
139 | + * the observed pointer move after the simulated operation. | ||
140 | + */ | ||
141 | + alu_state = tmp_aux->alu_state; | ||
142 | + alu_limit = abs(tmp_aux->alu_limit - alu_limit); | ||
143 | + } else { | ||
144 | + alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; | ||
145 | + alu_state |= ptr_is_dst_reg ? | ||
146 | + BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; | ||
147 | + } | ||
148 | + | ||
149 | err = update_alu_sanitation_state(aux, alu_state, alu_limit); | ||
150 | if (err < 0) | ||
151 | return err; | ||
152 | do_sim: | ||
153 | + /* If we're in commit phase, we're done here given we already | ||
154 | + * pushed the truncated dst_reg into the speculative verification | ||
155 | + * stack. | ||
156 | + */ | ||
157 | + if (commit_window) | ||
158 | + return 0; | ||
159 | + | ||
160 | /* Simulate and find potential out-of-bounds access under | ||
161 | * speculative execution from truncation as a result of | ||
162 | * masking when off was not within expected range. If off | ||
163 | @@ -4386,7 +4420,81 @@ do_sim: | ||
164 | ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); | ||
165 | if (!ptr_is_dst_reg && ret) | ||
166 | *dst_reg = tmp; | ||
167 | - return !ret ? -EFAULT : 0; | ||
168 | + return !ret ? REASON_STACK : 0; | ||
169 | +} | ||
170 | + | ||
171 | +static int sanitize_err(struct bpf_verifier_env *env, | ||
172 | + const struct bpf_insn *insn, int reason, | ||
173 | + const struct bpf_reg_state *off_reg, | ||
174 | + const struct bpf_reg_state *dst_reg) | ||
175 | +{ | ||
176 | + static const char *err = "pointer arithmetic with it prohibited for !root"; | ||
177 | + const char *op = BPF_OP(insn->code) == BPF_ADD ? "add" : "sub"; | ||
178 | + u32 dst = insn->dst_reg, src = insn->src_reg; | ||
179 | + | ||
180 | + switch (reason) { | ||
181 | + case REASON_BOUNDS: | ||
182 | + verbose(env, "R%d has unknown scalar with mixed signed bounds, %s\n", | ||
183 | + off_reg == dst_reg ? dst : src, err); | ||
184 | + break; | ||
185 | + case REASON_TYPE: | ||
186 | + verbose(env, "R%d has pointer with unsupported alu operation, %s\n", | ||
187 | + off_reg == dst_reg ? src : dst, err); | ||
188 | + break; | ||
189 | + case REASON_PATHS: | ||
190 | + verbose(env, "R%d tried to %s from different maps, paths or scalars, %s\n", | ||
191 | + dst, op, err); | ||
192 | + break; | ||
193 | + case REASON_LIMIT: | ||
194 | + verbose(env, "R%d tried to %s beyond pointer bounds, %s\n", | ||
195 | + dst, op, err); | ||
196 | + break; | ||
197 | + case REASON_STACK: | ||
198 | + verbose(env, "R%d could not be pushed for speculative verification, %s\n", | ||
199 | + dst, err); | ||
200 | + break; | ||
201 | + default: | ||
202 | + verbose(env, "verifier internal error: unknown reason (%d)\n", | ||
203 | + reason); | ||
204 | + break; | ||
205 | + } | ||
206 | + | ||
207 | + return -EACCES; | ||
208 | +} | ||
209 | + | ||
210 | +static int sanitize_check_bounds(struct bpf_verifier_env *env, | ||
211 | + const struct bpf_insn *insn, | ||
212 | + const struct bpf_reg_state *dst_reg) | ||
213 | +{ | ||
214 | + u32 dst = insn->dst_reg; | ||
215 | + | ||
216 | + /* For unprivileged we require that resulting offset must be in bounds | ||
217 | + * in order to be able to sanitize access later on. | ||
218 | + */ | ||
219 | + if (env->allow_ptr_leaks) | ||
220 | + return 0; | ||
221 | + | ||
222 | + switch (dst_reg->type) { | ||
223 | + case PTR_TO_STACK: | ||
224 | + if (check_stack_access(env, dst_reg, dst_reg->off + | ||
225 | + dst_reg->var_off.value, 1)) { | ||
226 | + verbose(env, "R%d stack pointer arithmetic goes out of range, " | ||
227 | + "prohibited for !root\n", dst); | ||
228 | + return -EACCES; | ||
229 | + } | ||
230 | + break; | ||
231 | + case PTR_TO_MAP_VALUE: | ||
232 | + if (check_map_access(env, dst, dst_reg->off, 1, false)) { | ||
233 | + verbose(env, "R%d pointer arithmetic of map value goes out of range, " | ||
234 | + "prohibited for !root\n", dst); | ||
235 | + return -EACCES; | ||
236 | + } | ||
237 | + break; | ||
238 | + default: | ||
239 | + break; | ||
240 | + } | ||
241 | + | ||
242 | + return 0; | ||
243 | } | ||
244 | |||
245 | /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. | ||
246 | @@ -4407,8 +4515,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | ||
247 | smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; | ||
248 | u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, | ||
249 | umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; | ||
250 | - u32 dst = insn->dst_reg, src = insn->src_reg; | ||
251 | + struct bpf_insn_aux_data tmp_aux = {}; | ||
252 | u8 opcode = BPF_OP(insn->code); | ||
253 | + u32 dst = insn->dst_reg; | ||
254 | int ret; | ||
255 | |||
256 | dst_reg = ®s[dst]; | ||
257 | @@ -4451,13 +4560,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | ||
258 | verbose(env, "R%d pointer arithmetic on %s prohibited\n", | ||
259 | dst, reg_type_str[ptr_reg->type]); | ||
260 | return -EACCES; | ||
261 | - case PTR_TO_MAP_VALUE: | ||
262 | - if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { | ||
263 | - verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", | ||
264 | - off_reg == dst_reg ? dst : src); | ||
265 | - return -EACCES; | ||
266 | - } | ||
267 | - /* fall-through */ | ||
268 | default: | ||
269 | break; | ||
270 | } | ||
271 | @@ -4472,13 +4574,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | ||
272 | !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) | ||
273 | return -EINVAL; | ||
274 | |||
275 | + if (sanitize_needed(opcode)) { | ||
276 | + ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg, | ||
277 | + &tmp_aux, false); | ||
278 | + if (ret < 0) | ||
279 | + return sanitize_err(env, insn, ret, off_reg, dst_reg); | ||
280 | + } | ||
281 | + | ||
282 | switch (opcode) { | ||
283 | case BPF_ADD: | ||
284 | - ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); | ||
285 | - if (ret < 0) { | ||
286 | - verbose(env, "R%d tried to add from different maps, paths, or prohibited types\n", dst); | ||
287 | - return ret; | ||
288 | - } | ||
289 | /* We can take a fixed offset as long as it doesn't overflow | ||
290 | * the s32 'off' field | ||
291 | */ | ||
292 | @@ -4529,11 +4633,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | ||
293 | } | ||
294 | break; | ||
295 | case BPF_SUB: | ||
296 | - ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); | ||
297 | - if (ret < 0) { | ||
298 | - verbose(env, "R%d tried to sub from different maps, paths, or prohibited types\n", dst); | ||
299 | - return ret; | ||
300 | - } | ||
301 | if (dst_reg == off_reg) { | ||
302 | /* scalar -= pointer. Creates an unknown scalar */ | ||
303 | verbose(env, "R%d tried to subtract pointer from scalar\n", | ||
304 | @@ -4614,22 +4713,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, | ||
305 | __reg_deduce_bounds(dst_reg); | ||
306 | __reg_bound_offset(dst_reg); | ||
307 | |||
308 | - /* For unprivileged we require that resulting offset must be in bounds | ||
309 | - * in order to be able to sanitize access later on. | ||
310 | - */ | ||
311 | - if (!env->allow_ptr_leaks) { | ||
312 | - if (dst_reg->type == PTR_TO_MAP_VALUE && | ||
313 | - check_map_access(env, dst, dst_reg->off, 1, false)) { | ||
314 | - verbose(env, "R%d pointer arithmetic of map value goes out of range, " | ||
315 | - "prohibited for !root\n", dst); | ||
316 | - return -EACCES; | ||
317 | - } else if (dst_reg->type == PTR_TO_STACK && | ||
318 | - check_stack_access(env, dst_reg, dst_reg->off + | ||
319 | - dst_reg->var_off.value, 1)) { | ||
320 | - verbose(env, "R%d stack pointer arithmetic goes out of range, " | ||
321 | - "prohibited for !root\n", dst); | ||
322 | - return -EACCES; | ||
323 | - } | ||
324 | + if (sanitize_check_bounds(env, insn, dst_reg) < 0) | ||
325 | + return -EACCES; | ||
326 | + if (sanitize_needed(opcode)) { | ||
327 | + ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg, | ||
328 | + &tmp_aux, true); | ||
329 | + if (ret < 0) | ||
330 | + return sanitize_err(env, insn, ret, off_reg, dst_reg); | ||
331 | } | ||
332 | |||
333 | return 0; | ||
334 | @@ -4650,7 +4740,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, | ||
335 | s64 smin_val, smax_val; | ||
336 | u64 umin_val, umax_val; | ||
337 | u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; | ||
338 | - u32 dst = insn->dst_reg; | ||
339 | int ret; | ||
340 | |||
341 | if (insn_bitness == 32) { | ||
342 | @@ -4684,13 +4773,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, | ||
343 | return 0; | ||
344 | } | ||
345 | |||
346 | + if (sanitize_needed(opcode)) { | ||
347 | + ret = sanitize_val_alu(env, insn); | ||
348 | + if (ret < 0) | ||
349 | + return sanitize_err(env, insn, ret, NULL, NULL); | ||
350 | + } | ||
351 | + | ||
352 | switch (opcode) { | ||
353 | case BPF_ADD: | ||
354 | - ret = sanitize_val_alu(env, insn); | ||
355 | - if (ret < 0) { | ||
356 | - verbose(env, "R%d tried to add from different pointers or scalars\n", dst); | ||
357 | - return ret; | ||
358 | - } | ||
359 | if (signed_add_overflows(dst_reg->smin_value, smin_val) || | ||
360 | signed_add_overflows(dst_reg->smax_value, smax_val)) { | ||
361 | dst_reg->smin_value = S64_MIN; | ||
362 | @@ -4710,11 +4800,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, | ||
363 | dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); | ||
364 | break; | ||
365 | case BPF_SUB: | ||
366 | - ret = sanitize_val_alu(env, insn); | ||
367 | - if (ret < 0) { | ||
368 | - verbose(env, "R%d tried to sub from different pointers or scalars\n", dst); | ||
369 | - return ret; | ||
370 | - } | ||
371 | if (signed_sub_overflows(dst_reg->smin_value, smax_val) || | ||
372 | signed_sub_overflows(dst_reg->smax_value, smin_val)) { | ||
373 | /* Overflow possible, we know nothing */ | ||
374 | diff --git a/tools/testing/selftests/bpf/verifier/bounds_deduction.c b/tools/testing/selftests/bpf/verifier/bounds_deduction.c | ||
375 | index c162498a64fc6..91869aea6d641 100644 | ||
376 | --- a/tools/testing/selftests/bpf/verifier/bounds_deduction.c | ||
377 | +++ b/tools/testing/selftests/bpf/verifier/bounds_deduction.c | ||
378 | @@ -6,7 +6,7 @@ | ||
379 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), | ||
380 | BPF_EXIT_INSN(), | ||
381 | }, | ||
382 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", | ||
383 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", | ||
384 | .errstr = "R0 tried to subtract pointer from scalar", | ||
385 | .result = REJECT, | ||
386 | }, | ||
387 | @@ -21,7 +21,7 @@ | ||
388 | BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), | ||
389 | BPF_EXIT_INSN(), | ||
390 | }, | ||
391 | - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", | ||
392 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", | ||
393 | .result_unpriv = REJECT, | ||
394 | .result = ACCEPT, | ||
395 | .retval = 1, | ||
396 | @@ -34,22 +34,23 @@ | ||
397 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), | ||
398 | BPF_EXIT_INSN(), | ||
399 | }, | ||
400 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", | ||
401 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", | ||
402 | .errstr = "R0 tried to subtract pointer from scalar", | ||
403 | .result = REJECT, | ||
404 | }, | ||
405 | { | ||
406 | "check deducing bounds from const, 4", | ||
407 | .insns = { | ||
408 | + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), | ||
409 | BPF_MOV64_IMM(BPF_REG_0, 0), | ||
410 | BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1), | ||
411 | BPF_EXIT_INSN(), | ||
412 | BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), | ||
413 | BPF_EXIT_INSN(), | ||
414 | - BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), | ||
415 | + BPF_ALU64_REG(BPF_SUB, BPF_REG_6, BPF_REG_0), | ||
416 | BPF_EXIT_INSN(), | ||
417 | }, | ||
418 | - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", | ||
419 | + .errstr_unpriv = "R6 has pointer with unsupported alu operation", | ||
420 | .result_unpriv = REJECT, | ||
421 | .result = ACCEPT, | ||
422 | }, | ||
423 | @@ -61,7 +62,7 @@ | ||
424 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), | ||
425 | BPF_EXIT_INSN(), | ||
426 | }, | ||
427 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", | ||
428 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", | ||
429 | .errstr = "R0 tried to subtract pointer from scalar", | ||
430 | .result = REJECT, | ||
431 | }, | ||
432 | @@ -74,7 +75,7 @@ | ||
433 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), | ||
434 | BPF_EXIT_INSN(), | ||
435 | }, | ||
436 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", | ||
437 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", | ||
438 | .errstr = "R0 tried to subtract pointer from scalar", | ||
439 | .result = REJECT, | ||
440 | }, | ||
441 | @@ -88,7 +89,7 @@ | ||
442 | offsetof(struct __sk_buff, mark)), | ||
443 | BPF_EXIT_INSN(), | ||
444 | }, | ||
445 | - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", | ||
446 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", | ||
447 | .errstr = "dereference of modified ctx ptr", | ||
448 | .result = REJECT, | ||
449 | .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, | ||
450 | @@ -103,7 +104,7 @@ | ||
451 | offsetof(struct __sk_buff, mark)), | ||
452 | BPF_EXIT_INSN(), | ||
453 | }, | ||
454 | - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", | ||
455 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", | ||
456 | .errstr = "dereference of modified ctx ptr", | ||
457 | .result = REJECT, | ||
458 | .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, | ||
459 | @@ -116,7 +117,7 @@ | ||
460 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), | ||
461 | BPF_EXIT_INSN(), | ||
462 | }, | ||
463 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", | ||
464 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", | ||
465 | .errstr = "R0 tried to subtract pointer from scalar", | ||
466 | .result = REJECT, | ||
467 | }, | ||
468 | diff --git a/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c b/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c | ||
469 | index 9baca7a75c42a..c2aa6f26738b4 100644 | ||
470 | --- a/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c | ||
471 | +++ b/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c | ||
472 | @@ -19,7 +19,6 @@ | ||
473 | }, | ||
474 | .fixup_map_hash_8b = { 3 }, | ||
475 | .errstr = "unbounded min value", | ||
476 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", | ||
477 | .result = REJECT, | ||
478 | }, | ||
479 | { | ||
480 | @@ -43,7 +42,6 @@ | ||
481 | }, | ||
482 | .fixup_map_hash_8b = { 3 }, | ||
483 | .errstr = "unbounded min value", | ||
484 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", | ||
485 | .result = REJECT, | ||
486 | }, | ||
487 | { | ||
488 | @@ -69,7 +67,6 @@ | ||
489 | }, | ||
490 | .fixup_map_hash_8b = { 3 }, | ||
491 | .errstr = "unbounded min value", | ||
492 | - .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", | ||
493 | .result = REJECT, | ||
494 | }, | ||
495 | { | ||
496 | @@ -94,7 +91,6 @@ | ||
497 | }, | ||
498 | .fixup_map_hash_8b = { 3 }, | ||
499 | .errstr = "unbounded min value", | ||
500 | - .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", | ||
501 | .result = REJECT, | ||
502 | }, | ||
503 | { | ||
504 | @@ -141,7 +137,6 @@ | ||
505 | }, | ||
506 | .fixup_map_hash_8b = { 3 }, | ||
507 | .errstr = "unbounded min value", | ||
508 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", | ||
509 | .result = REJECT, | ||
510 | }, | ||
511 | { | ||
512 | @@ -210,7 +205,6 @@ | ||
513 | }, | ||
514 | .fixup_map_hash_8b = { 3 }, | ||
515 | .errstr = "unbounded min value", | ||
516 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", | ||
517 | .result = REJECT, | ||
518 | }, | ||
519 | { | ||
520 | @@ -260,7 +254,6 @@ | ||
521 | }, | ||
522 | .fixup_map_hash_8b = { 3 }, | ||
523 | .errstr = "unbounded min value", | ||
524 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", | ||
525 | .result = REJECT, | ||
526 | }, | ||
527 | { | ||
528 | @@ -287,7 +280,6 @@ | ||
529 | }, | ||
530 | .fixup_map_hash_8b = { 3 }, | ||
531 | .errstr = "unbounded min value", | ||
532 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", | ||
533 | .result = REJECT, | ||
534 | }, | ||
535 | { | ||
536 | @@ -313,7 +305,6 @@ | ||
537 | }, | ||
538 | .fixup_map_hash_8b = { 3 }, | ||
539 | .errstr = "unbounded min value", | ||
540 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", | ||
541 | .result = REJECT, | ||
542 | }, | ||
543 | { | ||
544 | @@ -342,7 +333,6 @@ | ||
545 | }, | ||
546 | .fixup_map_hash_8b = { 3 }, | ||
547 | .errstr = "unbounded min value", | ||
548 | - .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds", | ||
549 | .result = REJECT, | ||
550 | }, | ||
551 | { | ||
552 | @@ -372,7 +362,6 @@ | ||
553 | }, | ||
554 | .fixup_map_hash_8b = { 4 }, | ||
555 | .errstr = "unbounded min value", | ||
556 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", | ||
557 | .result = REJECT, | ||
558 | }, | ||
559 | { | ||
560 | @@ -400,7 +389,5 @@ | ||
561 | }, | ||
562 | .fixup_map_hash_8b = { 3 }, | ||
563 | .errstr = "unbounded min value", | ||
564 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", | ||
565 | .result = REJECT, | ||
566 | - .result_unpriv = REJECT, | ||
567 | }, | ||
568 | diff --git a/tools/testing/selftests/bpf/verifier/unpriv.c b/tools/testing/selftests/bpf/verifier/unpriv.c | ||
569 | index 0d621c841db14..c3f6f650deb76 100644 | ||
570 | --- a/tools/testing/selftests/bpf/verifier/unpriv.c | ||
571 | +++ b/tools/testing/selftests/bpf/verifier/unpriv.c | ||
572 | @@ -503,7 +503,7 @@ | ||
573 | BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), | ||
574 | BPF_EXIT_INSN(), | ||
575 | }, | ||
576 | - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", | ||
577 | + .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", | ||
578 | .result_unpriv = REJECT, | ||
579 | .result = ACCEPT, | ||
580 | }, | ||
581 | diff --git a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c | ||
582 | index 00b59d5d7a7f0..28d44e6aa0b7e 100644 | ||
583 | --- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c | ||
584 | +++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c | ||
585 | @@ -21,8 +21,6 @@ | ||
586 | .fixup_map_hash_16b = { 5 }, | ||
587 | .fixup_map_array_48b = { 8 }, | ||
588 | .result = ACCEPT, | ||
589 | - .result_unpriv = REJECT, | ||
590 | - .errstr_unpriv = "R1 tried to add from different maps", | ||
591 | .retval = 1, | ||
592 | }, | ||
593 | { | ||
594 | @@ -122,7 +120,7 @@ | ||
595 | .fixup_map_array_48b = { 1 }, | ||
596 | .result = ACCEPT, | ||
597 | .result_unpriv = REJECT, | ||
598 | - .errstr_unpriv = "R2 tried to add from different pointers or scalars", | ||
599 | + .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", | ||
600 | .retval = 0, | ||
601 | }, | ||
602 | { | ||
603 | @@ -169,7 +167,7 @@ | ||
604 | .fixup_map_array_48b = { 1 }, | ||
605 | .result = ACCEPT, | ||
606 | .result_unpriv = REJECT, | ||
607 | - .errstr_unpriv = "R2 tried to add from different maps, paths, or prohibited types", | ||
608 | + .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", | ||
609 | .retval = 0, | ||
610 | }, | ||
611 | { |