From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Ilya Leoshkevich, Daniel Borkmann, Sasha Levin
Subject: [PATCH 5.13 050/127] bpf: Clear zext_dst of dead insns
Date: Tue, 24 Aug 2021 12:54:50 -0400
Message-Id: <20210824165607.709387-51-sashal@kernel.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20210824165607.709387-1-sashal@kernel.org>
References: <20210824165607.709387-1-sashal@kernel.org>
MIME-Version: 1.0
X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.13.13-rc1.gz
X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
X-KernelTest-Branch: linux-5.13.y
X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git
X-KernelTest-Version: 5.13.13-rc1
X-KernelTest-Deadline: 2021-08-26T16:55+00:00
X-stable: review
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Ilya Leoshkevich

[ Upstream commit 45c709f8c71b525b51988e782febe84ce933e7e0 ]

"access skb fields ok" verifier test fails on s390 with the "verifier
bug. zext_dst is set, but no reg is defined" message. The first insns
of the test prog are ...

   0: 61 01 00 00 00 00 00 00 ldxw %r0,[%r1+0]
   8: 35 00 00 01 00 00 00 00 jge %r0,0,1
  10: 61 01 00 08 00 00 00 00 ldxw %r0,[%r1+8]

... and the 3rd one is dead (this does not look intentional to me, but
this is a separate topic).

sanitize_dead_code() converts dead insns into "ja -1", but keeps
zext_dst. When opt_subreg_zext_lo32_rnd_hi32() tries to parse such
an insn, it sees this discrepancy and bails. This problem can be seen
only with JITs whose bpf_jit_needs_zext() returns true.

Fix by clearing dead insns' zext_dst.

The commits that contributed to this problem are:

1. 5aa5bd14c5f8 ("bpf: add initial suite for selftests"), which
   introduced the test with the dead code.
2. 5327ed3d44b7 ("bpf: verifier: mark verified-insn with
   sub-register zext flag"), which introduced the zext_dst flag.
3. 83a2881903f3 ("bpf: Account for BPF_FETCH in
   insn_has_def32()"), which introduced the sanity check.
4. 9183671af6db ("bpf: Fix leakage under speculation on
   mispredicted branches"), which bisect points to.

It's best to fix this on stable branches that contain the second one,
since that's the point where the inconsistency was introduced.

Fixes: 5327ed3d44b7 ("bpf: verifier: mark verified-insn with sub-register zext flag")
Signed-off-by: Ilya Leoshkevich
Signed-off-by: Daniel Borkmann
Link: https://lore.kernel.org/bpf/20210812151811.184086-2-iii@linux.ibm.com
Signed-off-by: Sasha Levin
--- kernel/bpf/verifier.c | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index eab48745231f..0fbe7ef6b155 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c 
@@ -11632,6 +11632,7 @@ static void sanitize_dead_code(struct bpf_verifier_env *env) if (aux_data[i].seen) continue; memcpy(insn + i, &trap, sizeof(trap)); + aux_data[i].zext_dst = false; } } -- 2.30.2
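
Review bot: the added `aux_data[i].zext_dst = false;` in the sanitize_dead_code() loop has no comment, and nothing at that spot says why an aux_data flag has to change when the instruction itself is overwritten. A one-line comment above it would help, for example that the trap copied in by memcpy() defines no destination register, so a zext_dst left over from the original insn would trip the "zext_dst is set, but no reg is defined" check in opt_subreg_zext_lo32_rnd_hi32(). It would also be worth saying in the commit message whether zext_dst is the only per-insn aux field that a later pass reads back against the rewritten insn, since the loop leaves the rest of aux_data[i] as it was.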