bpf: fix two bugs in verification logic when accessing 'ctx' pointer
[firefly-linux-kernel-4.4.55.git] / kernel / bpf / verifier.c
index 66bec36ec1ecc121557b6a38c0ad899a5d65e663..47dcd3aa6e236e14d85f33e6d74c44e6257d159b 100644 (file)
@@ -1637,6 +1637,8 @@ static int do_check(struct verifier_env *env)
                        if (err)
                                return err;
 
+                       src_reg_type = regs[insn->src_reg].type;
+
                        /* check that memory (src_reg + off) is readable,
                         * the state of dst_reg will be updated by this func
                         */
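Review bot: The moved assignment on the `+ src_reg_type = ...` line has no comment saying why it must precede check_mem_access(), and the existing comment two lines below only says that dst_reg's state is updated. The reason the read is hoisted appears to be that dst_reg and src_reg can be the same register, so sampling the type after the call would observe the post-load type rather than the pointer type being dereferenced; a one-line comment would prevent the next refactor from moving it back, e.g. `/* read src type first: check_mem_access() rewrites dst_reg, which may alias src_reg */`. The enclosing do_check() body starts and ends outside this hunk.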
@@ -1646,9 +1648,12 @@ static int do_check(struct verifier_env *env)
                        if (err)
                                return err;
 
-                       src_reg_type = regs[insn->src_reg].type;
+                       if (BPF_SIZE(insn->code) != BPF_W) {
+                               insn_idx++;
+                               continue;
+                       }
 
-                       if (insn->imm == 0 && BPF_SIZE(insn->code) == BPF_W) {
+                       if (insn->imm == 0) {
                                /* saw a valid insn
                                 * dst_reg = *(u32 *)(src_reg + off)
                                 * use reserved 'imm' field to mark this insn
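Review bot: The new early `continue` for `BPF_SIZE(insn->code) != BPF_W` silently skips the ctx-type bookkeeping that follows (the `imm` marking and, presumably, the mismatch check on the else path outside this hunk), and nothing in the hunk records that this is intentional rather than a missed case. A short comment on the new branch would make the invariant explicit, e.g. `/* only 32-bit loads through ctx are tracked and later rewritten; other sizes need no marking */`, with the claim about rewriting confirmed against the conversion pass, which is not visible here. The hunk also drops the late `src_reg_type = regs[insn->src_reg].type;` assignment, so this path now relies on the earlier read added in the previous hunk; worth stating in the commit message or comment so the two changes are not separated later. do_check() continues beyond the end of this hunk.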