t4

luisgerhorst · luisgerhorst · commit 995e66dbb720 · 2025-05-21T09:04:56.000+02:00
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
@@ -14273,19 +14273,17 @@ static int sanitize_check_bounds(struct bpf_verifier_env *env,
 		if (check_stack_access_for_ptr_arithmetic(env, dst, dst_reg,
 					dst_reg->off + dst_reg->var_off.value))
 			return -EACCES;
-		break;
+		return 0;
 	case PTR_TO_MAP_VALUE:
 		if (check_map_access(env, dst, dst_reg->off, 1, false, ACCESS_HELPER)) {
 			verbose(env, "R%d pointer arithmetic of map value goes out of range, "
 				"prohibited for !root\n", dst);
 			return -EACCES;
 		}
-		break;
+		return 0;
 	default:
-		break;
+		return -EOPNOTSUPP;
 	}
-
-	return 0;
 }
 
 /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off.
@@ -14509,11 +14507,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env,
 	if (!check_reg_sane_offset(env, dst_reg, ptr_reg->type))
 		return -EINVAL;
 	reg_bounds_sync(dst_reg);
-	if (sanitize_check_bounds(env, insn, dst_reg) < 0)
-		return -EACCES;
+	int scbe = sanitize_check_bounds(env, insn, dst_reg);
+	if (scbe == -EACCES)
+		return scbe;
 	if (sanitize_needed(opcode)) {
 		ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg,
 				       &info, true);
+		if (!can_skip_alu_sanitation(env, insn) && verifier_bug_if(scbe == -EOPNOTSUPP && !ret, env, "scb unsynced")) {
+			return -EFAULT;
+		}
 		if (ret < 0)
 			return ret;
 	}
