From: Shung-Hsi Yu <shung-hsi.yu@suse.com>

Date: Tue, 7 Sep 2021 13:26:15 +0800

Subject: [PATCH] kABI: revert change in struct bpf_insn_aux_data

References: bsc#1188983, bsc#1188985, CVE-2021-34556, CVE-2021-35477

Patch-mainline: never, kABI

Revert sanitize_stack_spill to sanitize_stack_off since they're use in

pretty much identical way.

---

 include/linux/bpf_verifier.h |    2 +-

 kernel/bpf/verifier.c        |    4 ++--

 2 files changed, 3 insertions(+), 3 deletions(-)

--- a/include/linux/bpf_verifier.h

+++ b/include/linux/bpf_verifier.h

@@ -175,8 +175,8 @@ struct bpf_insn_aux_data {

 		u32 alu_limit;			/* limit for add/sub register with pointer */

 	};

 	int ctx_field_size; /* the ctx field size for load insn, maybe 0 */

+	int sanitize_stack_off; /* subject to Spectre v4 sanitation */

 	bool seen; /* this insn was processed by the verifier */

-	bool sanitize_stack_spill; /* subject to Spectre v4 sanitation */

 	u8 alu_state; /* used in combination with alu_limit */

 };

--- a/kernel/bpf/verifier.c

+++ b/kernel/bpf/verifier.c

@@ -1050,7 +1050,7 @@ static int check_stack_write(struct bpf_

 		}

 		if (sanitize)

-			env->insn_aux_data[insn_idx].sanitize_stack_spill = true;

+			env->insn_aux_data[insn_idx].sanitize_stack_off = 1;

 	}

 	if (value_regno >= 0 &&

@@ -5981,7 +5981,7 @@ static int convert_ctx_accesses(struct b

 		}

 		if (type == BPF_WRITE &&

-		    env->insn_aux_data[i + delta].sanitize_stack_spill) {

+		    env->insn_aux_data[i + delta].sanitize_stack_off) {

 			struct bpf_insn patch[] = {

 				*insn,

 				BPF_ST_NOSPEC(),