From: Greg Kroah-Hartman Date: Mon, 14 Jun 2021 16:15:12 +0000 (+0200) Subject: drop queue-5.10/bpf-add-deny-list-of-btf-ids-check-for-tracing-progr.patch X-Git-Tag: v4.4.273~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=64152ad2ad6c6fc1570acb558e910994e4d8d33a;p=thirdparty%2Fkernel%2Fstable-queue.git drop queue-5.10/bpf-add-deny-list-of-btf-ids-check-for-tracing-progr.patch --- diff --git a/queue-5.10/bpf-add-deny-list-of-btf-ids-check-for-tracing-progr.patch b/queue-5.10/bpf-add-deny-list-of-btf-ids-check-for-tracing-progr.patch deleted file mode 100644 index 1df72a0c0b5..00000000000 --- a/queue-5.10/bpf-add-deny-list-of-btf-ids-check-for-tracing-progr.patch +++ /dev/null @@ -1,88 +0,0 @@ -From f14d0069b187dab7039643ce74804b75c74f274b Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 29 Apr 2021 13:47:12 +0200 -Subject: bpf: Add deny list of btf ids check for tracing programs - -From: Jiri Olsa - -[ Upstream commit 35e3815fa8102fab4dee75f3547472c66581125d ] - -The recursion check in __bpf_prog_enter and __bpf_prog_exit -leaves some (not inlined) functions unprotected: - -In __bpf_prog_enter: - - migrate_disable is called before prog->active is checked - -In __bpf_prog_exit: - - migrate_enable,rcu_read_unlock_strict are called after - prog->active is decreased - -When attaching trampoline to them we get panic like: - - traps: PANIC: double fault, error_code: 0x0 - double fault: 0000 [#1] SMP PTI - RIP: 0010:__bpf_prog_enter+0x4/0x50 - ... - Call Trace: - - bpf_trampoline_6442466513_0+0x18/0x1000 - migrate_disable+0x5/0x50 - __bpf_prog_enter+0x9/0x50 - bpf_trampoline_6442466513_0+0x18/0x1000 - migrate_disable+0x5/0x50 - __bpf_prog_enter+0x9/0x50 - bpf_trampoline_6442466513_0+0x18/0x1000 - migrate_disable+0x5/0x50 - __bpf_prog_enter+0x9/0x50 - bpf_trampoline_6442466513_0+0x18/0x1000 - migrate_disable+0x5/0x50 - ... - -Fixing this by adding deny list of btf ids for tracing -programs and checking btf id during program verification. -Adding above functions to this list. - -Suggested-by: Alexei Starovoitov -Signed-off-by: Jiri Olsa -Signed-off-by: Alexei Starovoitov -Link: https://lore.kernel.org/bpf/20210429114712.43783-1-jolsa@kernel.org -Signed-off-by: Sasha Levin ---- - kernel/bpf/verifier.c | 14 ++++++++++++++ - 1 file changed, 14 insertions(+) - -diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c -index 4f50d6f128be..8ed0dc2f07f1 100644 ---- a/kernel/bpf/verifier.c -+++ b/kernel/bpf/verifier.c -@@ -12206,6 +12206,17 @@ int bpf_check_attach_target(struct bpf_verifier_log *log, - return 0; - } - -+BTF_SET_START(btf_id_deny) -+BTF_ID_UNUSED -+#ifdef CONFIG_SMP -+BTF_ID(func, migrate_disable) -+BTF_ID(func, migrate_enable) -+#endif -+#if !defined CONFIG_PREEMPT_RCU && !defined CONFIG_TINY_RCU -+BTF_ID(func, rcu_read_unlock_strict) -+#endif -+BTF_SET_END(btf_id_deny) -+ - static int check_attach_btf_id(struct bpf_verifier_env *env) - { - struct bpf_prog *prog = env->prog; -@@ -12265,6 +12276,9 @@ static int check_attach_btf_id(struct bpf_verifier_env *env) - ret = bpf_lsm_verify_prog(&env->log, prog); - if (ret < 0) - return ret; -+ } else if (prog->type == BPF_PROG_TYPE_TRACING && -+ btf_id_set_contains(&btf_id_deny, btf_id)) { -+ return -EINVAL; - } - - key = bpf_trampoline_compute_key(tgt_prog, btf_id); --- -2.30.2 - diff --git a/queue-5.10/series b/queue-5.10/series index 1f7328c2278..4c847c348c7 100644 --- a/queue-5.10/series +++ b/queue-5.10/series @@ -8,7 +8,6 @@ net-nfc-rawsock.c-fix-a-permission-check-bug.patch usb-cdns3-fix-runtime-pm-imbalance-on-error.patch asoc-intel-bytcr_rt5640-add-quirk-for-the-glavey-tm8.patch asoc-intel-bytcr_rt5640-add-quirk-for-the-lenovo-mii.patch -bpf-add-deny-list-of-btf-ids-check-for-tracing-progr.patch vfio-ccw-reset-fsm-state-to-idle-inside-fsm.patch vfio-ccw-serialize-fsm-idle-state-with-i-o-completio.patch asoc-sti-sas-add-missing-module_device_table.patch