Contents of /trunk/kernel-alx/patches-5.4/0215-5.4.116-all-fixes.patch
Parent Directory
| 
Revision Log
Revision 3637 -
(show annotations)
(download)
Mon Oct 24 12:40:44 2022 UTC (18 months ago) by niro
File size: 19926 byte(s)
Mon Oct 24 12:40:44 2022 UTC (18 months ago) by niro
File size: 19926 byte(s)
-add missing
| 1 | diff --git a/Makefile b/Makefile |
| 2 | index f473f4fe5a0c3..cb1a446f832c0 100644 |
| 3 | --- a/Makefile |
| 4 | +++ b/Makefile |
| 5 | @@ -1,7 +1,7 @@ |
| 6 | # SPDX-License-Identifier: GPL-2.0 |
| 7 | VERSION = 5 |
| 8 | PATCHLEVEL = 4 |
| 9 | -SUBLEVEL = 115 |
| 10 | +SUBLEVEL = 116 |
| 11 | EXTRAVERSION = |
| 12 | NAME = Kleptomaniac Octopus |
| 13 | |
| 14 | diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c |
| 15 | index ab2a4b7dfca57..bc439dcd438f1 100644 |
| 16 | --- a/kernel/bpf/verifier.c |
| 17 | +++ b/kernel/bpf/verifier.c |
| 18 | @@ -4263,40 +4263,51 @@ static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env) |
| 19 | return &env->insn_aux_data[env->insn_idx]; |
| 20 | } |
| 21 | |
| 22 | +enum { |
| 23 | + REASON_BOUNDS = -1, |
| 24 | + REASON_TYPE = -2, |
| 25 | + REASON_PATHS = -3, |
| 26 | + REASON_LIMIT = -4, |
| 27 | + REASON_STACK = -5, |
| 28 | +}; |
| 29 | + |
| 30 | static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, |
| 31 | - u32 *ptr_limit, u8 opcode, bool off_is_neg) |
| 32 | + const struct bpf_reg_state *off_reg, |
| 33 | + u32 *alu_limit, u8 opcode) |
| 34 | { |
| 35 | + bool off_is_neg = off_reg->smin_value < 0; |
| 36 | bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || |
| 37 | (opcode == BPF_SUB && !off_is_neg); |
| 38 | - u32 off, max; |
| 39 | + u32 max = 0, ptr_limit = 0; |
| 40 | + |
| 41 | + if (!tnum_is_const(off_reg->var_off) && |
| 42 | + (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) |
| 43 | + return REASON_BOUNDS; |
| 44 | |
| 45 | switch (ptr_reg->type) { |
| 46 | case PTR_TO_STACK: |
| 47 | /* Offset 0 is out-of-bounds, but acceptable start for the |
| 48 | - * left direction, see BPF_REG_FP. |
| 49 | + * left direction, see BPF_REG_FP. Also, unknown scalar |
| 50 | + * offset where we would need to deal with min/max bounds is |
| 51 | + * currently prohibited for unprivileged. |
| 52 | */ |
| 53 | max = MAX_BPF_STACK + mask_to_left; |
| 54 | - /* Indirect variable offset stack access is prohibited in |
| 55 | - * unprivileged mode so it's not handled here. |
| 56 | - */ |
| 57 | - off = ptr_reg->off + ptr_reg->var_off.value; |
| 58 | - if (mask_to_left) |
| 59 | - *ptr_limit = MAX_BPF_STACK + off; |
| 60 | - else |
| 61 | - *ptr_limit = -off - 1; |
| 62 | - return *ptr_limit >= max ? -ERANGE : 0; |
| 63 | + ptr_limit = -(ptr_reg->var_off.value + ptr_reg->off); |
| 64 | + break; |
| 65 | case PTR_TO_MAP_VALUE: |
| 66 | max = ptr_reg->map_ptr->value_size; |
| 67 | - if (mask_to_left) { |
| 68 | - *ptr_limit = ptr_reg->umax_value + ptr_reg->off; |
| 69 | - } else { |
| 70 | - off = ptr_reg->smin_value + ptr_reg->off; |
| 71 | - *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; |
| 72 | - } |
| 73 | - return *ptr_limit >= max ? -ERANGE : 0; |
| 74 | + ptr_limit = (mask_to_left ? |
| 75 | + ptr_reg->smin_value : |
| 76 | + ptr_reg->umax_value) + ptr_reg->off; |
| 77 | + break; |
| 78 | default: |
| 79 | - return -EINVAL; |
| 80 | + return REASON_TYPE; |
| 81 | } |
| 82 | + |
| 83 | + if (ptr_limit >= max) |
| 84 | + return REASON_LIMIT; |
| 85 | + *alu_limit = ptr_limit; |
| 86 | + return 0; |
| 87 | } |
| 88 | |
| 89 | static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env, |
| 90 | @@ -4314,7 +4325,7 @@ static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux, |
| 91 | if (aux->alu_state && |
| 92 | (aux->alu_state != alu_state || |
| 93 | aux->alu_limit != alu_limit)) |
| 94 | - return -EACCES; |
| 95 | + return REASON_PATHS; |
| 96 | |
| 97 | /* Corresponding fixup done in fixup_bpf_calls(). */ |
| 98 | aux->alu_state = alu_state; |
| 99 | @@ -4333,14 +4344,22 @@ static int sanitize_val_alu(struct bpf_verifier_env *env, |
| 100 | return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0); |
| 101 | } |
| 102 | |
| 103 | +static bool sanitize_needed(u8 opcode) |
| 104 | +{ |
| 105 | + return opcode == BPF_ADD || opcode == BPF_SUB; |
| 106 | +} |
| 107 | + |
| 108 | static int sanitize_ptr_alu(struct bpf_verifier_env *env, |
| 109 | struct bpf_insn *insn, |
| 110 | const struct bpf_reg_state *ptr_reg, |
| 111 | + const struct bpf_reg_state *off_reg, |
| 112 | struct bpf_reg_state *dst_reg, |
| 113 | - bool off_is_neg) |
| 114 | + struct bpf_insn_aux_data *tmp_aux, |
| 115 | + const bool commit_window) |
| 116 | { |
| 117 | + struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : tmp_aux; |
| 118 | struct bpf_verifier_state *vstate = env->cur_state; |
| 119 | - struct bpf_insn_aux_data *aux = cur_aux(env); |
| 120 | + bool off_is_neg = off_reg->smin_value < 0; |
| 121 | bool ptr_is_dst_reg = ptr_reg == dst_reg; |
| 122 | u8 opcode = BPF_OP(insn->code); |
| 123 | u32 alu_state, alu_limit; |
| 124 | @@ -4358,18 +4377,33 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, |
| 125 | if (vstate->speculative) |
| 126 | goto do_sim; |
| 127 | |
| 128 | - alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; |
| 129 | - alu_state |= ptr_is_dst_reg ? |
| 130 | - BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; |
| 131 | - |
| 132 | - err = retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg); |
| 133 | + err = retrieve_ptr_limit(ptr_reg, off_reg, &alu_limit, opcode); |
| 134 | if (err < 0) |
| 135 | return err; |
| 136 | |
| 137 | + if (commit_window) { |
| 138 | + /* In commit phase we narrow the masking window based on |
| 139 | + * the observed pointer move after the simulated operation. |
| 140 | + */ |
| 141 | + alu_state = tmp_aux->alu_state; |
| 142 | + alu_limit = abs(tmp_aux->alu_limit - alu_limit); |
| 143 | + } else { |
| 144 | + alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; |
| 145 | + alu_state |= ptr_is_dst_reg ? |
| 146 | + BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; |
| 147 | + } |
| 148 | + |
| 149 | err = update_alu_sanitation_state(aux, alu_state, alu_limit); |
| 150 | if (err < 0) |
| 151 | return err; |
| 152 | do_sim: |
| 153 | + /* If we're in commit phase, we're done here given we already |
| 154 | + * pushed the truncated dst_reg into the speculative verification |
| 155 | + * stack. |
| 156 | + */ |
| 157 | + if (commit_window) |
| 158 | + return 0; |
| 159 | + |
| 160 | /* Simulate and find potential out-of-bounds access under |
| 161 | * speculative execution from truncation as a result of |
| 162 | * masking when off was not within expected range. If off |
| 163 | @@ -4386,7 +4420,81 @@ do_sim: |
| 164 | ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); |
| 165 | if (!ptr_is_dst_reg && ret) |
| 166 | *dst_reg = tmp; |
| 167 | - return !ret ? -EFAULT : 0; |
| 168 | + return !ret ? REASON_STACK : 0; |
| 169 | +} |
| 170 | + |
| 171 | +static int sanitize_err(struct bpf_verifier_env *env, |
| 172 | + const struct bpf_insn *insn, int reason, |
| 173 | + const struct bpf_reg_state *off_reg, |
| 174 | + const struct bpf_reg_state *dst_reg) |
| 175 | +{ |
| 176 | + static const char *err = "pointer arithmetic with it prohibited for !root"; |
| 177 | + const char *op = BPF_OP(insn->code) == BPF_ADD ? "add" : "sub"; |
| 178 | + u32 dst = insn->dst_reg, src = insn->src_reg; |
| 179 | + |
| 180 | + switch (reason) { |
| 181 | + case REASON_BOUNDS: |
| 182 | + verbose(env, "R%d has unknown scalar with mixed signed bounds, %s\n", |
| 183 | + off_reg == dst_reg ? dst : src, err); |
| 184 | + break; |
| 185 | + case REASON_TYPE: |
| 186 | + verbose(env, "R%d has pointer with unsupported alu operation, %s\n", |
| 187 | + off_reg == dst_reg ? src : dst, err); |
| 188 | + break; |
| 189 | + case REASON_PATHS: |
| 190 | + verbose(env, "R%d tried to %s from different maps, paths or scalars, %s\n", |
| 191 | + dst, op, err); |
| 192 | + break; |
| 193 | + case REASON_LIMIT: |
| 194 | + verbose(env, "R%d tried to %s beyond pointer bounds, %s\n", |
| 195 | + dst, op, err); |
| 196 | + break; |
| 197 | + case REASON_STACK: |
| 198 | + verbose(env, "R%d could not be pushed for speculative verification, %s\n", |
| 199 | + dst, err); |
| 200 | + break; |
| 201 | + default: |
| 202 | + verbose(env, "verifier internal error: unknown reason (%d)\n", |
| 203 | + reason); |
| 204 | + break; |
| 205 | + } |
| 206 | + |
| 207 | + return -EACCES; |
| 208 | +} |
| 209 | + |
| 210 | +static int sanitize_check_bounds(struct bpf_verifier_env *env, |
| 211 | + const struct bpf_insn *insn, |
| 212 | + const struct bpf_reg_state *dst_reg) |
| 213 | +{ |
| 214 | + u32 dst = insn->dst_reg; |
| 215 | + |
| 216 | + /* For unprivileged we require that resulting offset must be in bounds |
| 217 | + * in order to be able to sanitize access later on. |
| 218 | + */ |
| 219 | + if (env->allow_ptr_leaks) |
| 220 | + return 0; |
| 221 | + |
| 222 | + switch (dst_reg->type) { |
| 223 | + case PTR_TO_STACK: |
| 224 | + if (check_stack_access(env, dst_reg, dst_reg->off + |
| 225 | + dst_reg->var_off.value, 1)) { |
| 226 | + verbose(env, "R%d stack pointer arithmetic goes out of range, " |
| 227 | + "prohibited for !root\n", dst); |
| 228 | + return -EACCES; |
| 229 | + } |
| 230 | + break; |
| 231 | + case PTR_TO_MAP_VALUE: |
| 232 | + if (check_map_access(env, dst, dst_reg->off, 1, false)) { |
| 233 | + verbose(env, "R%d pointer arithmetic of map value goes out of range, " |
| 234 | + "prohibited for !root\n", dst); |
| 235 | + return -EACCES; |
| 236 | + } |
| 237 | + break; |
| 238 | + default: |
| 239 | + break; |
| 240 | + } |
| 241 | + |
| 242 | + return 0; |
| 243 | } |
| 244 | |
| 245 | /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. |
| 246 | @@ -4407,8 +4515,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
| 247 | smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; |
| 248 | u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, |
| 249 | umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; |
| 250 | - u32 dst = insn->dst_reg, src = insn->src_reg; |
| 251 | + struct bpf_insn_aux_data tmp_aux = {}; |
| 252 | u8 opcode = BPF_OP(insn->code); |
| 253 | + u32 dst = insn->dst_reg; |
| 254 | int ret; |
| 255 | |
| 256 | dst_reg = ®s[dst]; |
| 257 | @@ -4451,13 +4560,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
| 258 | verbose(env, "R%d pointer arithmetic on %s prohibited\n", |
| 259 | dst, reg_type_str[ptr_reg->type]); |
| 260 | return -EACCES; |
| 261 | - case PTR_TO_MAP_VALUE: |
| 262 | - if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { |
| 263 | - verbose(env, "R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", |
| 264 | - off_reg == dst_reg ? dst : src); |
| 265 | - return -EACCES; |
| 266 | - } |
| 267 | - /* fall-through */ |
| 268 | default: |
| 269 | break; |
| 270 | } |
| 271 | @@ -4472,13 +4574,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
| 272 | !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) |
| 273 | return -EINVAL; |
| 274 | |
| 275 | + if (sanitize_needed(opcode)) { |
| 276 | + ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg, |
| 277 | + &tmp_aux, false); |
| 278 | + if (ret < 0) |
| 279 | + return sanitize_err(env, insn, ret, off_reg, dst_reg); |
| 280 | + } |
| 281 | + |
| 282 | switch (opcode) { |
| 283 | case BPF_ADD: |
| 284 | - ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); |
| 285 | - if (ret < 0) { |
| 286 | - verbose(env, "R%d tried to add from different maps, paths, or prohibited types\n", dst); |
| 287 | - return ret; |
| 288 | - } |
| 289 | /* We can take a fixed offset as long as it doesn't overflow |
| 290 | * the s32 'off' field |
| 291 | */ |
| 292 | @@ -4529,11 +4633,6 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
| 293 | } |
| 294 | break; |
| 295 | case BPF_SUB: |
| 296 | - ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); |
| 297 | - if (ret < 0) { |
| 298 | - verbose(env, "R%d tried to sub from different maps, paths, or prohibited types\n", dst); |
| 299 | - return ret; |
| 300 | - } |
| 301 | if (dst_reg == off_reg) { |
| 302 | /* scalar -= pointer. Creates an unknown scalar */ |
| 303 | verbose(env, "R%d tried to subtract pointer from scalar\n", |
| 304 | @@ -4614,22 +4713,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
| 305 | __reg_deduce_bounds(dst_reg); |
| 306 | __reg_bound_offset(dst_reg); |
| 307 | |
| 308 | - /* For unprivileged we require that resulting offset must be in bounds |
| 309 | - * in order to be able to sanitize access later on. |
| 310 | - */ |
| 311 | - if (!env->allow_ptr_leaks) { |
| 312 | - if (dst_reg->type == PTR_TO_MAP_VALUE && |
| 313 | - check_map_access(env, dst, dst_reg->off, 1, false)) { |
| 314 | - verbose(env, "R%d pointer arithmetic of map value goes out of range, " |
| 315 | - "prohibited for !root\n", dst); |
| 316 | - return -EACCES; |
| 317 | - } else if (dst_reg->type == PTR_TO_STACK && |
| 318 | - check_stack_access(env, dst_reg, dst_reg->off + |
| 319 | - dst_reg->var_off.value, 1)) { |
| 320 | - verbose(env, "R%d stack pointer arithmetic goes out of range, " |
| 321 | - "prohibited for !root\n", dst); |
| 322 | - return -EACCES; |
| 323 | - } |
| 324 | + if (sanitize_check_bounds(env, insn, dst_reg) < 0) |
| 325 | + return -EACCES; |
| 326 | + if (sanitize_needed(opcode)) { |
| 327 | + ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg, |
| 328 | + &tmp_aux, true); |
| 329 | + if (ret < 0) |
| 330 | + return sanitize_err(env, insn, ret, off_reg, dst_reg); |
| 331 | } |
| 332 | |
| 333 | return 0; |
| 334 | @@ -4650,7 +4740,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, |
| 335 | s64 smin_val, smax_val; |
| 336 | u64 umin_val, umax_val; |
| 337 | u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; |
| 338 | - u32 dst = insn->dst_reg; |
| 339 | int ret; |
| 340 | |
| 341 | if (insn_bitness == 32) { |
| 342 | @@ -4684,13 +4773,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, |
| 343 | return 0; |
| 344 | } |
| 345 | |
| 346 | + if (sanitize_needed(opcode)) { |
| 347 | + ret = sanitize_val_alu(env, insn); |
| 348 | + if (ret < 0) |
| 349 | + return sanitize_err(env, insn, ret, NULL, NULL); |
| 350 | + } |
| 351 | + |
| 352 | switch (opcode) { |
| 353 | case BPF_ADD: |
| 354 | - ret = sanitize_val_alu(env, insn); |
| 355 | - if (ret < 0) { |
| 356 | - verbose(env, "R%d tried to add from different pointers or scalars\n", dst); |
| 357 | - return ret; |
| 358 | - } |
| 359 | if (signed_add_overflows(dst_reg->smin_value, smin_val) || |
| 360 | signed_add_overflows(dst_reg->smax_value, smax_val)) { |
| 361 | dst_reg->smin_value = S64_MIN; |
| 362 | @@ -4710,11 +4800,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, |
| 363 | dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); |
| 364 | break; |
| 365 | case BPF_SUB: |
| 366 | - ret = sanitize_val_alu(env, insn); |
| 367 | - if (ret < 0) { |
| 368 | - verbose(env, "R%d tried to sub from different pointers or scalars\n", dst); |
| 369 | - return ret; |
| 370 | - } |
| 371 | if (signed_sub_overflows(dst_reg->smin_value, smax_val) || |
| 372 | signed_sub_overflows(dst_reg->smax_value, smin_val)) { |
| 373 | /* Overflow possible, we know nothing */ |
| 374 | diff --git a/tools/testing/selftests/bpf/verifier/bounds_deduction.c b/tools/testing/selftests/bpf/verifier/bounds_deduction.c |
| 375 | index c162498a64fc6..91869aea6d641 100644 |
| 376 | --- a/tools/testing/selftests/bpf/verifier/bounds_deduction.c |
| 377 | +++ b/tools/testing/selftests/bpf/verifier/bounds_deduction.c |
| 378 | @@ -6,7 +6,7 @@ |
| 379 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
| 380 | BPF_EXIT_INSN(), |
| 381 | }, |
| 382 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", |
| 383 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
| 384 | .errstr = "R0 tried to subtract pointer from scalar", |
| 385 | .result = REJECT, |
| 386 | }, |
| 387 | @@ -21,7 +21,7 @@ |
| 388 | BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), |
| 389 | BPF_EXIT_INSN(), |
| 390 | }, |
| 391 | - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", |
| 392 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
| 393 | .result_unpriv = REJECT, |
| 394 | .result = ACCEPT, |
| 395 | .retval = 1, |
| 396 | @@ -34,22 +34,23 @@ |
| 397 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
| 398 | BPF_EXIT_INSN(), |
| 399 | }, |
| 400 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", |
| 401 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
| 402 | .errstr = "R0 tried to subtract pointer from scalar", |
| 403 | .result = REJECT, |
| 404 | }, |
| 405 | { |
| 406 | "check deducing bounds from const, 4", |
| 407 | .insns = { |
| 408 | + BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), |
| 409 | BPF_MOV64_IMM(BPF_REG_0, 0), |
| 410 | BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1), |
| 411 | BPF_EXIT_INSN(), |
| 412 | BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), |
| 413 | BPF_EXIT_INSN(), |
| 414 | - BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), |
| 415 | + BPF_ALU64_REG(BPF_SUB, BPF_REG_6, BPF_REG_0), |
| 416 | BPF_EXIT_INSN(), |
| 417 | }, |
| 418 | - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", |
| 419 | + .errstr_unpriv = "R6 has pointer with unsupported alu operation", |
| 420 | .result_unpriv = REJECT, |
| 421 | .result = ACCEPT, |
| 422 | }, |
| 423 | @@ -61,7 +62,7 @@ |
| 424 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
| 425 | BPF_EXIT_INSN(), |
| 426 | }, |
| 427 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", |
| 428 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
| 429 | .errstr = "R0 tried to subtract pointer from scalar", |
| 430 | .result = REJECT, |
| 431 | }, |
| 432 | @@ -74,7 +75,7 @@ |
| 433 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
| 434 | BPF_EXIT_INSN(), |
| 435 | }, |
| 436 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", |
| 437 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
| 438 | .errstr = "R0 tried to subtract pointer from scalar", |
| 439 | .result = REJECT, |
| 440 | }, |
| 441 | @@ -88,7 +89,7 @@ |
| 442 | offsetof(struct __sk_buff, mark)), |
| 443 | BPF_EXIT_INSN(), |
| 444 | }, |
| 445 | - .errstr_unpriv = "R1 tried to sub from different maps, paths, or prohibited types", |
| 446 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
| 447 | .errstr = "dereference of modified ctx ptr", |
| 448 | .result = REJECT, |
| 449 | .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, |
| 450 | @@ -103,7 +104,7 @@ |
| 451 | offsetof(struct __sk_buff, mark)), |
| 452 | BPF_EXIT_INSN(), |
| 453 | }, |
| 454 | - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", |
| 455 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
| 456 | .errstr = "dereference of modified ctx ptr", |
| 457 | .result = REJECT, |
| 458 | .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, |
| 459 | @@ -116,7 +117,7 @@ |
| 460 | BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
| 461 | BPF_EXIT_INSN(), |
| 462 | }, |
| 463 | - .errstr_unpriv = "R0 tried to sub from different maps, paths, or prohibited types", |
| 464 | + .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
| 465 | .errstr = "R0 tried to subtract pointer from scalar", |
| 466 | .result = REJECT, |
| 467 | }, |
| 468 | diff --git a/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c b/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c |
| 469 | index 9baca7a75c42a..c2aa6f26738b4 100644 |
| 470 | --- a/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c |
| 471 | +++ b/tools/testing/selftests/bpf/verifier/bounds_mix_sign_unsign.c |
| 472 | @@ -19,7 +19,6 @@ |
| 473 | }, |
| 474 | .fixup_map_hash_8b = { 3 }, |
| 475 | .errstr = "unbounded min value", |
| 476 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
| 477 | .result = REJECT, |
| 478 | }, |
| 479 | { |
| 480 | @@ -43,7 +42,6 @@ |
| 481 | }, |
| 482 | .fixup_map_hash_8b = { 3 }, |
| 483 | .errstr = "unbounded min value", |
| 484 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
| 485 | .result = REJECT, |
| 486 | }, |
| 487 | { |
| 488 | @@ -69,7 +67,6 @@ |
| 489 | }, |
| 490 | .fixup_map_hash_8b = { 3 }, |
| 491 | .errstr = "unbounded min value", |
| 492 | - .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", |
| 493 | .result = REJECT, |
| 494 | }, |
| 495 | { |
| 496 | @@ -94,7 +91,6 @@ |
| 497 | }, |
| 498 | .fixup_map_hash_8b = { 3 }, |
| 499 | .errstr = "unbounded min value", |
| 500 | - .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", |
| 501 | .result = REJECT, |
| 502 | }, |
| 503 | { |
| 504 | @@ -141,7 +137,6 @@ |
| 505 | }, |
| 506 | .fixup_map_hash_8b = { 3 }, |
| 507 | .errstr = "unbounded min value", |
| 508 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
| 509 | .result = REJECT, |
| 510 | }, |
| 511 | { |
| 512 | @@ -210,7 +205,6 @@ |
| 513 | }, |
| 514 | .fixup_map_hash_8b = { 3 }, |
| 515 | .errstr = "unbounded min value", |
| 516 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
| 517 | .result = REJECT, |
| 518 | }, |
| 519 | { |
| 520 | @@ -260,7 +254,6 @@ |
| 521 | }, |
| 522 | .fixup_map_hash_8b = { 3 }, |
| 523 | .errstr = "unbounded min value", |
| 524 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
| 525 | .result = REJECT, |
| 526 | }, |
| 527 | { |
| 528 | @@ -287,7 +280,6 @@ |
| 529 | }, |
| 530 | .fixup_map_hash_8b = { 3 }, |
| 531 | .errstr = "unbounded min value", |
| 532 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
| 533 | .result = REJECT, |
| 534 | }, |
| 535 | { |
| 536 | @@ -313,7 +305,6 @@ |
| 537 | }, |
| 538 | .fixup_map_hash_8b = { 3 }, |
| 539 | .errstr = "unbounded min value", |
| 540 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
| 541 | .result = REJECT, |
| 542 | }, |
| 543 | { |
| 544 | @@ -342,7 +333,6 @@ |
| 545 | }, |
| 546 | .fixup_map_hash_8b = { 3 }, |
| 547 | .errstr = "unbounded min value", |
| 548 | - .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds", |
| 549 | .result = REJECT, |
| 550 | }, |
| 551 | { |
| 552 | @@ -372,7 +362,6 @@ |
| 553 | }, |
| 554 | .fixup_map_hash_8b = { 4 }, |
| 555 | .errstr = "unbounded min value", |
| 556 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
| 557 | .result = REJECT, |
| 558 | }, |
| 559 | { |
| 560 | @@ -400,7 +389,5 @@ |
| 561 | }, |
| 562 | .fixup_map_hash_8b = { 3 }, |
| 563 | .errstr = "unbounded min value", |
| 564 | - .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
| 565 | .result = REJECT, |
| 566 | - .result_unpriv = REJECT, |
| 567 | }, |
| 568 | diff --git a/tools/testing/selftests/bpf/verifier/unpriv.c b/tools/testing/selftests/bpf/verifier/unpriv.c |
| 569 | index 0d621c841db14..c3f6f650deb76 100644 |
| 570 | --- a/tools/testing/selftests/bpf/verifier/unpriv.c |
| 571 | +++ b/tools/testing/selftests/bpf/verifier/unpriv.c |
| 572 | @@ -503,7 +503,7 @@ |
| 573 | BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), |
| 574 | BPF_EXIT_INSN(), |
| 575 | }, |
| 576 | - .errstr_unpriv = "R1 tried to add from different maps, paths, or prohibited types", |
| 577 | + .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", |
| 578 | .result_unpriv = REJECT, |
| 579 | .result = ACCEPT, |
| 580 | }, |
| 581 | diff --git a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c |
| 582 | index 00b59d5d7a7f0..28d44e6aa0b7e 100644 |
| 583 | --- a/tools/testing/selftests/bpf/verifier/value_ptr_arith.c |
| 584 | +++ b/tools/testing/selftests/bpf/verifier/value_ptr_arith.c |
| 585 | @@ -21,8 +21,6 @@ |
| 586 | .fixup_map_hash_16b = { 5 }, |
| 587 | .fixup_map_array_48b = { 8 }, |
| 588 | .result = ACCEPT, |
| 589 | - .result_unpriv = REJECT, |
| 590 | - .errstr_unpriv = "R1 tried to add from different maps", |
| 591 | .retval = 1, |
| 592 | }, |
| 593 | { |
| 594 | @@ -122,7 +120,7 @@ |
| 595 | .fixup_map_array_48b = { 1 }, |
| 596 | .result = ACCEPT, |
| 597 | .result_unpriv = REJECT, |
| 598 | - .errstr_unpriv = "R2 tried to add from different pointers or scalars", |
| 599 | + .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", |
| 600 | .retval = 0, |
| 601 | }, |
| 602 | { |
| 603 | @@ -169,7 +167,7 @@ |
| 604 | .fixup_map_array_48b = { 1 }, |
| 605 | .result = ACCEPT, |
| 606 | .result_unpriv = REJECT, |
| 607 | - .errstr_unpriv = "R2 tried to add from different maps, paths, or prohibited types", |
| 608 | + .errstr_unpriv = "R2 tried to add from different maps, paths or scalars", |
| 609 | .retval = 0, |
| 610 | }, |
| 611 | { |