bpf: Do not reject when the stack read size is different from the tracked scalar...
[platform/kernel/linux-starfive.git] / kernel / bpf / verifier.c
index f0dca72..5f8d912 100644 (file)
@@ -3088,9 +3088,12 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
        reg = &reg_state->stack[spi].spilled_ptr;
 
        if (is_spilled_reg(&reg_state->stack[spi])) {
-               if (size != BPF_REG_SIZE) {
-                       u8 scalar_size = 0;
+               u8 spill_size = 1;
+
+               for (i = BPF_REG_SIZE - 1; i > 0 && stype[i - 1] == STACK_SPILL; i--)
+                       spill_size++;
 
+               if (size != BPF_REG_SIZE || spill_size != BPF_REG_SIZE) {
                        if (reg->type != SCALAR_VALUE) {
                                verbose_linfo(env, env->insn_idx, "; ");
                                verbose(env, "invalid size of register fill\n");
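Review bot: The `spill_size` count starts at 1 and the loop starts at `BPF_REG_SIZE - 1`, so it silently assumes the top slot byte is already `STACK_SPILL`; that presumably follows from `is_spilled_reg()`, whose body is not visible in this hunk. This count now decides whether a full register, possibly a pointer, may be restored from the slot, so the assumption deserves a comment above the loop, e.g. `/* is_spilled_reg() has checked stype[BPF_REG_SIZE - 1]; count the remaining contiguous STACK_SPILL bytes */`. Separately, a full 8-byte read of a partially overwritten non-scalar spill now reports "invalid size of register fill" although the read size is not the problem; a message that names the partial spill would be easier to diagnose, and any test matching the old "corrupted spill memory" text would need updating. The function body starts and ends outside the hunk.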
@@ -3101,10 +3104,7 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
                        if (dst_regno < 0)
                                return 0;
 
-                       for (i = BPF_REG_SIZE; i > 0 && stype[i - 1] == STACK_SPILL; i--)
-                               scalar_size++;
-
-                       if (!(off % BPF_REG_SIZE) && size == scalar_size) {
+                       if (!(off % BPF_REG_SIZE) && size == spill_size) {
                                /* The earlier check_reg_arg() has decided the
                                 * subreg_def for this insn.  Save it first.
                                 */
@@ -3128,12 +3128,6 @@ static int check_stack_read_fixed_off(struct bpf_verifier_env *env,
                        state->regs[dst_regno].live |= REG_LIVE_WRITTEN;
                        return 0;
                }
-               for (i = 1; i < BPF_REG_SIZE; i++) {
-                       if (stype[(slot - i) % BPF_REG_SIZE] != STACK_SPILL) {
-                               verbose(env, "corrupted spill memory\n");
-                               return -EACCES;
-                       }
-               }
 
                if (dst_regno >= 0) {
                        /* restore register state from stack */
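Review bot: With the "corrupted spill memory" loop removed, the restore path that begins at `if (dst_regno >= 0)` has no local check that all eight slot bytes are `STACK_SPILL`; it relies on the earlier `size != BPF_REG_SIZE || spill_size != BPF_REG_SIZE` branch having returned on every path. As far as the visible lines show the two are equivalent, but this invariant is what keeps a partially overwritten pointer spill from being filled back as a valid pointer, so it should be stated where the state is copied, e.g. `/* size == BPF_REG_SIZE and every slot byte is STACK_SPILL here; all other cases returned above */`. The restore code continues past the end of the hunk.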