Fixes for 5.10

Signed-off-by: Sasha Levin <sashal@kernel.org>

diff --git a/queue-5.10/bpf-btf-accept-function-names-that-contain-dots.patch b/queue-5.10/bpf-btf-accept-function-names-that-contain-dots.patch
new file mode 100644 (file)
index 0000000..7903fc0
--- /dev/null
+++ b/queue-5.10/bpf-btf-accept-function-names-that-contain-dots.patch
@@ -0,0 +1,117 @@
+From 87cf03007a077d85fa370040a6cc72580d659be4 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Jun 2023 16:56:07 +0200
+Subject: bpf/btf: Accept function names that contain dots
+
+From: Florent Revest <revest@chromium.org>
+
+[ Upstream commit 9724160b3942b0a967b91a59f81da5593f28b8ba ]
+
+When building a kernel with LLVM=1, LLVM_IAS=0 and CONFIG_KASAN=y, LLVM
+leaves DWARF tags for the "asan.module_ctor" & co symbols. In turn,
+pahole creates BTF_KIND_FUNC entries for these and this makes the BTF
+metadata validation fail because they contain a dot.
+
+In a dramatic turn of event, this BTF verification failure can cause
+the netfilter_bpf initialization to fail, causing netfilter_core to
+free the netfilter_helper hashmap and netfilter_ftp to trigger a
+use-after-free. The risk of u-a-f in netfilter will be addressed
+separately but the existence of "asan.module_ctor" debug info under some
+build conditions sounds like a good enough reason to accept functions
+that contain dots in BTF.
+
+Although using only LLVM=1 is the recommended way to compile clang-based
+kernels, users can certainly do LLVM=1, LLVM_IAS=0 as well and we still
+try to support that combination according to Nick. To clarify:
+
+  - > v5.10 kernel, LLVM=1 (LLVM_IAS=0 is not the default) is recommended,
+    but user can still have LLVM=1, LLVM_IAS=0 to trigger the issue
+
+  - <= 5.10 kernel, LLVM=1 (LLVM_IAS=0 is the default) is recommended in
+    which case GNU as will be used
+
+Fixes: 1dc92851849c ("bpf: kernel side support for BTF Var and DataSec")
+Signed-off-by: Florent Revest <revest@chromium.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Andrii Nakryiko <andrii@kernel.org>
+Cc: Yonghong Song <yhs@meta.com>
+Cc: Nick Desaulniers <ndesaulniers@google.com>
+Link: https://lore.kernel.org/bpf/20230615145607.3469985-1-revest@chromium.org
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ kernel/bpf/btf.c | 20 ++++++++------------
+ 1 file changed, 8 insertions(+), 12 deletions(-)
+
+diff --git a/kernel/bpf/btf.c b/kernel/bpf/btf.c
+index cb80d18a49b56..06c028bdb8d4d 100644
+--- a/kernel/bpf/btf.c
++++ b/kernel/bpf/btf.c
+@@ -604,31 +604,30 @@ static bool btf_name_offset_valid(const struct btf *btf, u32 offset)
+               offset < btf->hdr.str_len;
+ }
+ 
+-static bool __btf_name_char_ok(char c, bool first, bool dot_ok)
++static bool __btf_name_char_ok(char c, bool first)
+ {
+       if ((first ? !isalpha(c) :
+                    !isalnum(c)) &&
+           c != '_' &&
+-          ((c == '.' && !dot_ok) ||
+-            c != '.'))
++          c != '.')
+               return false;
+       return true;
+ }
+ 
+-static bool __btf_name_valid(const struct btf *btf, u32 offset, bool dot_ok)
++static bool __btf_name_valid(const struct btf *btf, u32 offset)
+ {
+       /* offset must be valid */
+       const char *src = &btf->strings[offset];
+       const char *src_limit;
+ 
+-      if (!__btf_name_char_ok(*src, true, dot_ok))
++      if (!__btf_name_char_ok(*src, true))
+               return false;
+ 
+       /* set a limit on identifier length */
+       src_limit = src + KSYM_NAME_LEN;
+       src++;
+       while (*src && src < src_limit) {
+-              if (!__btf_name_char_ok(*src, false, dot_ok))
++              if (!__btf_name_char_ok(*src, false))
+                       return false;
+               src++;
+       }
+@@ -636,17 +635,14 @@ static bool __btf_name_valid(const struct btf *btf, u32 offset, bool dot_ok)
+       return !*src;
+ }
+ 
+-/* Only C-style identifier is permitted. This can be relaxed if
+- * necessary.
+- */
+ static bool btf_name_valid_identifier(const struct btf *btf, u32 offset)
+ {
+-      return __btf_name_valid(btf, offset, false);
++      return __btf_name_valid(btf, offset);
+ }
+ 
+ static bool btf_name_valid_section(const struct btf *btf, u32 offset)
+ {
+-      return __btf_name_valid(btf, offset, true);
++      return __btf_name_valid(btf, offset);
+ }
+ 
+ static const char *__btf_name_by_offset(const struct btf *btf, u32 offset)
+@@ -3417,7 +3413,7 @@ static s32 btf_var_check_meta(struct btf_verifier_env *env,
+       }
+ 
+       if (!t->name_off ||
+-          !__btf_name_valid(env->btf, t->name_off, true)) {
++          !__btf_name_valid(env->btf, t->name_off)) {
+               btf_verifier_log_type(env, t, "Invalid name");
+               return -EINVAL;
+       }
+-- 
+2.39.2
+

diff --git a/queue-5.10/series b/queue-5.10/series
index cb2ab307734d5cee3434c146382a91ddad2cad16..094fa3512bee83090c1e798977565c1c352d093a 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -75,3 +75,4 @@ drm-exynos-fix-race-condition-uaf-in-exynos_g2d_exec.patch
 drm-radeon-fix-race-condition-uaf-in-radeon_gem_set_.patch
 x86-apic-fix-kernel-panic-when-booting-with-intremap.patch
 i2c-imx-lpi2c-fix-type-char-overflow-issue-when-calc.patch
+bpf-btf-accept-function-names-that-contain-dots.patch