commit 370636ffbb8695e6af549011ad91a048c8cab267
Author: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date:   Sun May 2 11:05:04 2021 +0200

    Linux 5.4.116
    
    Tested-by: Fox Chen <foxhlchen@gmail.com>
    Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
    Tested-by: Jon Hunter <jonathanh@nvidia.com>
    Tested-by: Guenter Roeck <linux@roeck-us.net>
    Link: https://lore.kernel.org/r/20210430141910.899518186@linuxfoundation.org
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit e23967af130b5e8db571a9cd0acbef8a4995fd4c
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Apr 29 22:08:39 2021 +0000

    bpf: Update selftests to reflect new error states
    
    commit d7a5091351756d0ae8e63134313c455624e36a13 upstream.
    
    Update various selftest error messages:
    
     * The 'Rx tried to sub from different maps, paths, or prohibited types'
       is reworked into more specific/differentiated error messages for better
       guidance.
    
     * The change into 'value -4294967168 makes map_value pointer be out of
       bounds' is due to moving the mixed bounds check into the speculation
       handling and thus occuring slightly later than above mentioned sanity
       check.
    
     * The change into 'math between map_value pointer and register with
       unbounded min value' is similarly due to register sanity check coming
       before the mixed bounds check.
    
     * The case of 'map access: known scalar += value_ptr from different maps'
       now loads fine given masks are the same from the different paths (despite
       max map value size being different).
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    [fllinden@amazon - skip bounds.c test mods, they won't change error msg on 5.4]
    Signed-off-by: Frank van der Linden <fllinden@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit ef4e68f0af0483fa1acfb7a415bdc3302a4a04a6
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Apr 29 22:08:38 2021 +0000

    bpf: Tighten speculative pointer arithmetic mask
    
    commit 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 upstream.
    
    This work tightens the offset mask we use for unprivileged pointer arithmetic
    in order to mitigate a corner case reported by Piotr and Benedict where in
    the speculative domain it is possible to advance, for example, the map value
    pointer by up to value_size-1 out-of-bounds in order to leak kernel memory
    via side-channel to user space.
    
    Before this change, the computed ptr_limit for retrieve_ptr_limit() helper
    represents largest valid distance when moving pointer to the right or left
    which is then fed as aux->alu_limit to generate masking instructions against
    the offset register. After the change, the derived aux->alu_limit represents
    the largest potential value of the offset register which we mask against which
    is just a narrower subset of the former limit.
    
    For minimal complexity, we call sanitize_ptr_alu() from 2 observation points
    in adjust_ptr_min_max_vals(), that is, before and after the simulated alu
    operation. In the first step, we retieve the alu_state and alu_limit before
    the operation as well as we branch-off a verifier path and push it to the
    verification stack as we did before which checks the dst_reg under truncation,
    in other words, when the speculative domain would attempt to move the pointer
    out-of-bounds.
    
    In the second step, we retrieve the new alu_limit and calculate the absolute
    distance between both. Moreover, we commit the alu_state and final alu_limit
    via update_alu_sanitation_state() to the env's instruction aux data, and bail
    out from there if there is a mismatch due to coming from different verification
    paths with different states.
    
    Reported-by: Piotr Krysiuk <piotras@gmail.com>
    Reported-by: Benedict Schlueter <benedict.schlueter@rub.de>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    Tested-by: Benedict Schlueter <benedict.schlueter@rub.de>
    [fllinden@amazon.com: backported to 5.4]
    Signed-off-by: Frank van der Linden <fllinden@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4dc6e55e282f9ac0f674cd8c1903e5ef60bb2371
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Apr 29 22:08:37 2021 +0000

    bpf: Move sanitize_val_alu out of op switch
    
    commit f528819334881fd622fdadeddb3f7edaed8b7c9b upstream.
    
    Add a small sanitize_needed() helper function and move sanitize_val_alu()
    out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu()
    as well out of its opcode switch so this helps to streamline both.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    [fllinden@amazon.com: backported to 5.4]
    Signed-off-by: Frank van der Linden <fllinden@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 876d1cec93695797896d4d321eb2783d9cce9344
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Apr 29 22:08:36 2021 +0000

    bpf: Refactor and streamline bounds check into helper
    
    commit 073815b756c51ba9d8384d924c5d1c03ca3d1ae4 upstream.
    
    Move the bounds check in adjust_ptr_min_max_vals() into a small helper named
    sanitize_check_bounds() in order to simplify the former a bit.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    [fllinden@amazon.com: backport to 5.4]
    Signed-off-by: Frank van der Linden <fllinden@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4158e5fea3b1c4936914bcab2dbb037e4305c3f8
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Apr 29 22:08:35 2021 +0000

    bpf: Improve verifier error messages for users
    
    commit a6aaece00a57fa6f22575364b3903dfbccf5345d upstream.
    
    Consolidate all error handling and provide more user-friendly error messages
    from sanitize_ptr_alu() and sanitize_val_alu().
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    [fllinden@amazon.com: backport to 5.4]
    Signed-off-by: Frank van der Linden <fllinden@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 15de0c537bf7c816fbd5224a8593cd8dfb09a7ae
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Apr 29 22:08:34 2021 +0000

    bpf: Rework ptr_limit into alu_limit and add common error path
    
    commit b658bbb844e28f1862867f37e8ca11a8e2aa94a3 upstream.
    
    Small refactor with no semantic changes in order to consolidate the max
    ptr_limit boundary check.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit f7fbedc90909b7c69c96f121d854a56e23337765
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Apr 29 22:08:33 2021 +0000

    bpf: Ensure off_reg has no mixed signed bounds for all types
    
    commit 24c109bb1537c12c02aeed2d51a347b4d6a9b76e upstream.
    
    The mixed signed bounds check really belongs into retrieve_ptr_limit()
    instead of outside of it in adjust_ptr_min_max_vals(). The reason is
    that this check is not tied to PTR_TO_MAP_VALUE only, but to all pointer
    types that we handle in retrieve_ptr_limit() and given errors from the latter
    propagate back to adjust_ptr_min_max_vals() and lead to rejection of the
    program, it's a better place to reside to avoid anything slipping through
    for future types. The reason why we must reject such off_reg is that we
    otherwise would not be able to derive a mask, see details in 9d7eceede769
    ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged").
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    [fllinden@amazon.com: backport to 5.4]
    Signed-off-by: Frank van der Linden <fllinden@amazon.com>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

commit 4a163b1c705328e850c8347a7c4c800536b84284
Author: Daniel Borkmann <daniel@iogearbox.net>
Date:   Thu Apr 29 22:08:32 2021 +0000

    bpf: Move off_reg into sanitize_ptr_alu
    
    commit 6f55b2f2a1178856c19bbce2f71449926e731914 upstream.
    
    Small refactor to drag off_reg into sanitize_ptr_alu(), so we later on can
    use off_reg for generalizing some of the checks for all pointer types.
    
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
    Reviewed-by: John Fastabend <john.fastabend@gmail.com>
    Acked-by: Alexei Starovoitov <ast@kernel.org>
    Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>