Edward Cree says:
====================
bpf: rewrite value tracking in verifier
This series simplifies alignment tracking, generalises bounds tracking
and fixes some bounds-tracking bugs in the BPF verifier. Pointer
arithmetic on packet pointers, stack pointers, map value pointers and
context pointers has been unified, and bounds on these pointers are
only checked when the pointer is dereferenced.
Operations on pointers which destroy all relation to the original
pointer (such as multiplies and shifts) are disallowed if
!env->allow_ptr_leaks, otherwise they convert the pointer to an
unknown scalar and feed it to the normal scalar arithmetic handling.
Pointer types have been unified with the corresponding
adjusted-pointer types where those existed
(e.g. PTR_TO_MAP_VALUE[_ADJ] or FRAME_PTR vs PTR_TO_STACK); similarly,
CONST_IMM and UNKNOWN_VALUE have been unified into SCALAR_VALUE.
Pointer types (except CONST_PTR_TO_MAP, PTR_TO_MAP_VALUE_OR_NULL and
PTR_TO_PACKET_END, which do not allow arithmetic) have a 'fixed
offset' and a 'variable offset'; the former is used when e.g. adding
an immediate or a known-constant register, as long as it does not
overflow. Otherwise the latter is used, and any operation creating a
new variable offset creates a new 'id' (and, for PTR_TO_PACKET, clears
the 'range'). SCALAR_VALUEs use the 'variable offset' fields to track
the range of possible values; the 'fixed offset' should never be set
on a scalar.
====================
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
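The fixed-offset/variable-offset split and the deferred bounds check described in the cover letter, as an added Python model of the rules (not the kernel's verifier code; the S32 fixed-offset limit, the field names and the full-s64 "unknown scalar" range are assumptions of this model):

```python
from dataclasses import dataclass, replace
from itertools import count

# Register types, simplified from the series (constants and unknowns are one SCALAR_VALUE type).
SCALAR_VALUE, PTR_TO_STACK, PTR_TO_MAP_VALUE, PTR_TO_PACKET = range(4)
S32_MAX = 2**31 - 1            # assumed limit for the fixed offset (model choice)
S64_MIN, S64_MAX = -2**63, 2**63 - 1
_ids = count(1)                # source of fresh 'id's for new variable offsets

@dataclass
class Reg:
    rtype: int
    fixed_off: int = 0         # known-constant offset from the base (pointers only)
    var_min: int = 0           # bounds of the variable offset, or of a scalar's value
    var_max: int = 0
    reg_id: int = 0            # identifies one particular variable offset
    pkt_range: int = 0         # PTR_TO_PACKET: bytes proven readable past the base

def unknown_scalar():
    return Reg(SCALAR_VALUE, var_min=S64_MIN, var_max=S64_MAX)

def is_known_const(r):
    return r.rtype == SCALAR_VALUE and r.var_min == r.var_max

def ptr_add(ptr, off):
    """Model 'ptr += off' for a scalar 'off' under the cover letter's rules."""
    if off.rtype != SCALAR_VALUE:
        raise ValueError("pointer + pointer is rejected")
    new_fixed = ptr.fixed_off + off.var_min
    if is_known_const(off) and abs(new_fixed) <= S32_MAX:
        return replace(ptr, fixed_off=new_fixed)          # fold into the fixed offset
    # Otherwise widen the variable offset, mint a fresh id, and drop the packet range.
    new = replace(ptr, var_min=ptr.var_min + off.var_min,
                  var_max=ptr.var_max + off.var_max, reg_id=next(_ids))
    if ptr.rtype == PTR_TO_PACKET:
        new.pkt_range = 0
    return new

def ptr_mul(ptr, off, allow_ptr_leaks):
    """'ptr *= scalar' destroys the relation to the base: reject, or degrade to a scalar."""
    if not allow_ptr_leaks:
        raise ValueError("pointer arithmetic losing the base is rejected")
    return unknown_scalar()

def packet_access_ok(ptr, size):
    """Bounds are checked only at dereference: all of [ptr, ptr+size) must lie in range."""
    if ptr.rtype != PTR_TO_PACKET:
        raise ValueError("not a packet pointer")
    lo = ptr.fixed_off + ptr.var_min
    hi = ptr.fixed_off + ptr.var_max + size
    return lo >= 0 and hi <= ptr.pkt_range
```

Adding a constant keeps the packet range and id, while adding a bounded-but-unknown scalar gets a new id and loses the range, so the later dereference check fails until the range is re-established.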