From: Greg Kroah-Hartman Date: Fri, 3 Jun 2022 17:23:05 +0000 (+0200) Subject: 5.15-stable patches X-Git-Tag: v4.9.317~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=97484a18d28dd95171a58233c9cfd858845ed433;p=thirdparty%2Fkernel%2Fstable-queue.git 5.15-stable patches added patches: bpf-check-ptr_to_mem-mem_rdonly-in-check_helper_mem_access.patch bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch bpf-fix-excessive-memory-allocation-in-stack_map_alloc.patch bpf-fix-potential-array-overflow-in-bpf_trampoline_get_progs.patch bpf-reject-writes-for-ptr_to_map_key-in-check_helper_mem_access.patch docs-submitting-patches-fix-crossref-to-the-canonical-patch-format.patch nfs-memory-allocation-failures-are-not-server-fatal-errors.patch nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch --- diff --git a/queue-5.15/bpf-check-ptr_to_mem-mem_rdonly-in-check_helper_mem_access.patch b/queue-5.15/bpf-check-ptr_to_mem-mem_rdonly-in-check_helper_mem_access.patch new file mode 100644 index 00000000000..927cab5be5c --- /dev/null +++ b/queue-5.15/bpf-check-ptr_to_mem-mem_rdonly-in-check_helper_mem_access.patch @@ -0,0 +1,66 @@ +From 97e6d7dab1ca4648821c790a2b7913d6d5d549db Mon Sep 17 00:00:00 2001 +From: Kumar Kartikeya Dwivedi +Date: Sat, 19 Mar 2022 13:38:24 +0530 +Subject: bpf: Check PTR_TO_MEM | MEM_RDONLY in check_helper_mem_access + +From: Kumar Kartikeya Dwivedi + +commit 97e6d7dab1ca4648821c790a2b7913d6d5d549db upstream. + +The commit being fixed was aiming to disallow users from incorrectly +obtaining writable pointer to memory that is only meant to be read. This +is enforced now using a MEM_RDONLY flag. + +For instance, in case of global percpu variables, when the BTF type is +not struct (e.g. bpf_prog_active), the verifier marks register type as +PTR_TO_MEM | MEM_RDONLY from bpf_this_cpu_ptr or bpf_per_cpu_ptr +helpers. However, when passing such pointer to kfunc, global funcs, or +BPF helpers, in check_helper_mem_access, there is no expectation +MEM_RDONLY flag will be set, hence it is checked as pointer to writable +memory. Later, verifier sets up argument type of global func as +PTR_TO_MEM | PTR_MAYBE_NULL, so user can use a global func to get around +the limitations imposed by this flag. + +This check will also cover global non-percpu variables that may be +introduced in kernel BTF in future. + +Also, we update the log message for PTR_TO_BUF case to be similar to +PTR_TO_MEM case, so that the reason for error is clear to user. + +Fixes: 34d3a78c681e ("bpf: Make per_cpu_ptr return rdonly PTR_TO_MEM.") +Reviewed-by: Hao Luo +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20220319080827.73251-3-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4602,13 +4602,23 @@ static int check_helper_mem_access(struc + return check_map_access(env, regno, reg->off, access_size, + zero_size_allowed); + case PTR_TO_MEM: ++ if (type_is_rdonly_mem(reg->type)) { ++ if (meta && meta->raw_mode) { ++ verbose(env, "R%d cannot write into %s\n", regno, ++ reg_type_str(env, reg->type)); ++ return -EACCES; ++ } ++ } + return check_mem_region_access(env, regno, reg->off, + access_size, reg->mem_size, + zero_size_allowed); + case PTR_TO_BUF: + if (type_is_rdonly_mem(reg->type)) { +- if (meta && meta->raw_mode) ++ if (meta && meta->raw_mode) { ++ verbose(env, "R%d cannot write into %s\n", regno, ++ reg_type_str(env, reg->type)); + return -EACCES; ++ } + + buf_info = "rdonly"; + max_access = &env->prog->aux->max_rdonly_access; diff --git a/queue-5.15/bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch b/queue-5.15/bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch new file mode 100644 index 00000000000..79f3c5736a6 --- /dev/null +++ b/queue-5.15/bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch @@ -0,0 +1,44 @@ +From 45969b4152c1752089351cd6836a42a566d49bcf Mon Sep 17 00:00:00 2001 +From: Liu Jian +Date: Sat, 16 Apr 2022 18:57:59 +0800 +Subject: bpf: Enlarge offset check value to INT_MAX in bpf_skb_{load,store}_bytes + +From: Liu Jian + +commit 45969b4152c1752089351cd6836a42a566d49bcf upstream. + +The data length of skb frags + frag_list may be greater than 0xffff, and +skb_header_pointer can not handle negative offset. So, here INT_MAX is used +to check the validity of offset. Add the same change to the related function +skb_store_bytes. + +Fixes: 05c74e5e53f6 ("bpf: add bpf_skb_load_bytes helper") +Signed-off-by: Liu Jian +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20220416105801.88708-2-liujian56@huawei.com +Signed-off-by: Greg Kroah-Hartman +--- + net/core/filter.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -1688,7 +1688,7 @@ BPF_CALL_5(bpf_skb_store_bytes, struct s + + if (unlikely(flags & ~(BPF_F_RECOMPUTE_CSUM | BPF_F_INVALIDATE_HASH))) + return -EINVAL; +- if (unlikely(offset > 0xffff)) ++ if (unlikely(offset > INT_MAX)) + return -EFAULT; + if (unlikely(bpf_try_make_writable(skb, offset + len))) + return -EFAULT; +@@ -1723,7 +1723,7 @@ BPF_CALL_4(bpf_skb_load_bytes, const str + { + void *ptr; + +- if (unlikely(offset > 0xffff)) ++ if (unlikely(offset > INT_MAX)) + goto err_clear; + + ptr = skb_header_pointer(skb, offset, len, to); diff --git a/queue-5.15/bpf-fix-excessive-memory-allocation-in-stack_map_alloc.patch b/queue-5.15/bpf-fix-excessive-memory-allocation-in-stack_map_alloc.patch new file mode 100644 index 00000000000..b385a4e2d3e --- /dev/null +++ b/queue-5.15/bpf-fix-excessive-memory-allocation-in-stack_map_alloc.patch @@ -0,0 +1,43 @@ +From b45043192b3e481304062938a6561da2ceea46a6 Mon Sep 17 00:00:00 2001 +From: Yuntao Wang +Date: Thu, 7 Apr 2022 21:04:23 +0800 +Subject: bpf: Fix excessive memory allocation in stack_map_alloc() + +From: Yuntao Wang + +commit b45043192b3e481304062938a6561da2ceea46a6 upstream. + +The 'n_buckets * (value_size + sizeof(struct stack_map_bucket))' part of the +allocated memory for 'smap' is never used after the memlock accounting was +removed, thus get rid of it. + +[ Note, Daniel: + +Commit b936ca643ade ("bpf: rework memlock-based memory accounting for maps") +moved `cost += n_buckets * (value_size + sizeof(struct stack_map_bucket))` +up and therefore before the bpf_map_area_alloc() allocation, sigh. In a later +step commit c85d69135a91 ("bpf: move memory size checks to bpf_map_charge_init()"), +and the overflow checks of `cost >= U32_MAX - PAGE_SIZE` moved into +bpf_map_charge_init(). And then 370868107bf6 ("bpf: Eliminate rlimit-based +memory accounting for stackmap maps") finally removed the bpf_map_charge_init(). +Anyway, the original code did the allocation same way as /after/ this fix. ] + +Fixes: b936ca643ade ("bpf: rework memlock-based memory accounting for maps") +Signed-off-by: Yuntao Wang +Signed-off-by: Daniel Borkmann +Link: https://lore.kernel.org/bpf/20220407130423.798386-1-ytcoode@gmail.com +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/stackmap.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/kernel/bpf/stackmap.c ++++ b/kernel/bpf/stackmap.c +@@ -119,7 +119,6 @@ static struct bpf_map *stack_map_alloc(u + return ERR_PTR(-E2BIG); + + cost = n_buckets * sizeof(struct stack_map_bucket *) + sizeof(*smap); +- cost += n_buckets * (value_size + sizeof(struct stack_map_bucket)); + smap = bpf_map_area_alloc(cost, bpf_map_attr_numa_node(attr)); + if (!smap) + return ERR_PTR(-ENOMEM); diff --git a/queue-5.15/bpf-fix-potential-array-overflow-in-bpf_trampoline_get_progs.patch b/queue-5.15/bpf-fix-potential-array-overflow-in-bpf_trampoline_get_progs.patch new file mode 100644 index 00000000000..47fbff9faeb --- /dev/null +++ b/queue-5.15/bpf-fix-potential-array-overflow-in-bpf_trampoline_get_progs.patch @@ -0,0 +1,75 @@ +From a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d Mon Sep 17 00:00:00 2001 +From: Yuntao Wang +Date: Sat, 30 Apr 2022 21:08:03 +0800 +Subject: bpf: Fix potential array overflow in bpf_trampoline_get_progs() + +From: Yuntao Wang + +commit a2aa95b71c9bbec793b5c5fa50f0a80d882b3e8d upstream. + +The cnt value in the 'cnt >= BPF_MAX_TRAMP_PROGS' check does not +include BPF_TRAMP_MODIFY_RETURN bpf programs, so the number of +the attached BPF_TRAMP_MODIFY_RETURN bpf programs in a trampoline +can exceed BPF_MAX_TRAMP_PROGS. + +When this happens, the assignment '*progs++ = aux->prog' in +bpf_trampoline_get_progs() will cause progs array overflow as the +progs field in the bpf_tramp_progs struct can only hold at most +BPF_MAX_TRAMP_PROGS bpf programs. + +Fixes: 88fd9e5352fe ("bpf: Refactor trampoline update code") +Signed-off-by: Yuntao Wang +Link: https://lore.kernel.org/r/20220430130803.210624-1-ytcoode@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/trampoline.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/kernel/bpf/trampoline.c ++++ b/kernel/bpf/trampoline.c +@@ -414,7 +414,7 @@ int bpf_trampoline_link_prog(struct bpf_ + { + enum bpf_tramp_prog_type kind; + int err = 0; +- int cnt; ++ int cnt = 0, i; + + kind = bpf_attach_type_to_tramp(prog); + mutex_lock(&tr->mutex); +@@ -425,7 +425,10 @@ int bpf_trampoline_link_prog(struct bpf_ + err = -EBUSY; + goto out; + } +- cnt = tr->progs_cnt[BPF_TRAMP_FENTRY] + tr->progs_cnt[BPF_TRAMP_FEXIT]; ++ ++ for (i = 0; i < BPF_TRAMP_MAX; i++) ++ cnt += tr->progs_cnt[i]; ++ + if (kind == BPF_TRAMP_REPLACE) { + /* Cannot attach extension if fentry/fexit are in use. */ + if (cnt) { +@@ -503,16 +506,19 @@ out: + + void bpf_trampoline_put(struct bpf_trampoline *tr) + { ++ int i; ++ + if (!tr) + return; + mutex_lock(&trampoline_mutex); + if (!refcount_dec_and_test(&tr->refcnt)) + goto out; + WARN_ON_ONCE(mutex_is_locked(&tr->mutex)); +- if (WARN_ON_ONCE(!hlist_empty(&tr->progs_hlist[BPF_TRAMP_FENTRY]))) +- goto out; +- if (WARN_ON_ONCE(!hlist_empty(&tr->progs_hlist[BPF_TRAMP_FEXIT]))) +- goto out; ++ ++ for (i = 0; i < BPF_TRAMP_MAX; i++) ++ if (WARN_ON_ONCE(!hlist_empty(&tr->progs_hlist[i]))) ++ goto out; ++ + /* This code will be executed even when the last bpf_tramp_image + * is alive. All progs are detached from the trampoline and the + * trampoline image is patched with jmp into epilogue to skip diff --git a/queue-5.15/bpf-reject-writes-for-ptr_to_map_key-in-check_helper_mem_access.patch b/queue-5.15/bpf-reject-writes-for-ptr_to_map_key-in-check_helper_mem_access.patch new file mode 100644 index 00000000000..b8e592c8a38 --- /dev/null +++ b/queue-5.15/bpf-reject-writes-for-ptr_to_map_key-in-check_helper_mem_access.patch @@ -0,0 +1,36 @@ +From 7b3552d3f9f6897851fc453b5131a967167e43c2 Mon Sep 17 00:00:00 2001 +From: Kumar Kartikeya Dwivedi +Date: Sat, 19 Mar 2022 13:38:25 +0530 +Subject: bpf: Reject writes for PTR_TO_MAP_KEY in check_helper_mem_access + +From: Kumar Kartikeya Dwivedi + +commit 7b3552d3f9f6897851fc453b5131a967167e43c2 upstream. + +It is not permitted to write to PTR_TO_MAP_KEY, but the current code in +check_helper_mem_access would allow for it, reject this case as well, as +helpers taking ARG_PTR_TO_UNINIT_MEM also take PTR_TO_MAP_KEY. + +Fixes: 69c087ba6225 ("bpf: Add bpf_for_each_map_elem() helper") +Signed-off-by: Kumar Kartikeya Dwivedi +Link: https://lore.kernel.org/r/20220319080827.73251-4-memxor@gmail.com +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman +--- + kernel/bpf/verifier.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -4587,6 +4587,11 @@ static int check_helper_mem_access(struc + return check_packet_access(env, regno, reg->off, access_size, + zero_size_allowed); + case PTR_TO_MAP_KEY: ++ if (meta && meta->raw_mode) { ++ verbose(env, "R%d cannot write into %s\n", regno, ++ reg_type_str(env, reg->type)); ++ return -EACCES; ++ } + return check_mem_region_access(env, regno, reg->off, access_size, + reg->map_ptr->key_size, false); + case PTR_TO_MAP_VALUE: diff --git a/queue-5.15/docs-submitting-patches-fix-crossref-to-the-canonical-patch-format.patch b/queue-5.15/docs-submitting-patches-fix-crossref-to-the-canonical-patch-format.patch new file mode 100644 index 00000000000..66347672b3d --- /dev/null +++ b/queue-5.15/docs-submitting-patches-fix-crossref-to-the-canonical-patch-format.patch @@ -0,0 +1,43 @@ +From 6d5aa418b3bd42cdccc36e94ee199af423ef7c84 Mon Sep 17 00:00:00 2001 +From: Akira Yokosawa +Date: Wed, 27 Apr 2022 18:28:39 +0900 +Subject: docs: submitting-patches: Fix crossref to 'The canonical patch format' + +From: Akira Yokosawa + +commit 6d5aa418b3bd42cdccc36e94ee199af423ef7c84 upstream. + +The reference to `explicit_in_reply_to` is pointless as when the +reference was added in the form of "#15" [1], Section 15) was "The +canonical patch format". +The reference of "#15" had not been properly updated in a couple of +reorganizations during the plain-text SubmittingPatches era. + +Fix it by using `the_canonical_patch_format`. + +[1]: 2ae19acaa50a ("Documentation: Add "how to write a good patch summary" to SubmittingPatches") + +Signed-off-by: Akira Yokosawa +Fixes: 5903019b2a5e ("Documentation/SubmittingPatches: convert it to ReST markup") +Fixes: 9b2c76777acc ("Documentation/SubmittingPatches: enrich the Sphinx output") +Cc: Jonathan Corbet +Cc: Mauro Carvalho Chehab +Cc: stable@vger.kernel.org # v4.9+ +Link: https://lore.kernel.org/r/64e105a5-50be-23f2-6cae-903a2ea98e18@gmail.com +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman +--- + Documentation/process/submitting-patches.rst | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/Documentation/process/submitting-patches.rst ++++ b/Documentation/process/submitting-patches.rst +@@ -72,7 +72,7 @@ as you intend it to. + + The maintainer will thank you if you write your patch description in a + form which can be easily pulled into Linux's source code management +-system, ``git``, as a "commit log". See :ref:`explicit_in_reply_to`. ++system, ``git``, as a "commit log". See :ref:`the_canonical_patch_format`. + + Solve only one problem per patch. If your description starts to get + long, that's a sign that you probably need to split up your patch. diff --git a/queue-5.15/nfs-memory-allocation-failures-are-not-server-fatal-errors.patch b/queue-5.15/nfs-memory-allocation-failures-are-not-server-fatal-errors.patch new file mode 100644 index 00000000000..f648732e24c --- /dev/null +++ b/queue-5.15/nfs-memory-allocation-failures-are-not-server-fatal-errors.patch @@ -0,0 +1,32 @@ +From 452284407c18d8a522c3039339b1860afa0025a8 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 14 May 2022 10:08:10 -0400 +Subject: NFS: Memory allocation failures are not server fatal errors + +From: Trond Myklebust + +commit 452284407c18d8a522c3039339b1860afa0025a8 upstream. + +We need to filter out ENOMEM in nfs_error_is_fatal_on_server(), because +running out of memory on our client is not a server error. + +Reported-by: Olga Kornievskaia +Fixes: 2dc23afffbca ("NFS: ENOMEM should also be a fatal error.") +Cc: stable@vger.kernel.org +Signed-off-by: Trond Myklebust +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfs/internal.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/nfs/internal.h ++++ b/fs/nfs/internal.h +@@ -834,6 +834,7 @@ static inline bool nfs_error_is_fatal_on + case 0: + case -ERESTARTSYS: + case -EINTR: ++ case -ENOMEM: + return false; + } + return nfs_error_is_fatal(err); diff --git a/queue-5.15/nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch b/queue-5.15/nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch new file mode 100644 index 00000000000..aa25fccd188 --- /dev/null +++ b/queue-5.15/nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch @@ -0,0 +1,51 @@ +From ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Sat, 21 May 2022 19:06:13 -0400 +Subject: NFSD: Fix possible sleep during nfsd4_release_lockowner() + +From: Chuck Lever + +commit ce3c4ad7f4ce5db7b4f08a1e237d8dd94b39180b upstream. + +nfsd4_release_lockowner() holds clp->cl_lock when it calls +check_for_locks(). However, check_for_locks() calls nfsd_file_get() +/ nfsd_file_put() to access the backing inode's flc_posix list, and +nfsd_file_put() can sleep if the inode was recently removed. + +Let's instead rely on the stateowner's reference count to gate +whether the release is permitted. This should be a reliable +indication of locks-in-use since file lock operations and +->lm_get_owner take appropriate references, which are released +appropriately when file locks are removed. + +Reported-by: Dai Ngo +Signed-off-by: Chuck Lever +Cc: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman +--- + fs/nfsd/nfs4state.c | 12 ++++-------- + 1 file changed, 4 insertions(+), 8 deletions(-) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -7299,16 +7299,12 @@ nfsd4_release_lockowner(struct svc_rqst + if (sop->so_is_open_owner || !same_owner_str(sop, owner)) + continue; + +- /* see if there are still any locks associated with it */ +- lo = lockowner(sop); +- list_for_each_entry(stp, &sop->so_stateids, st_perstateowner) { +- if (check_for_locks(stp->st_stid.sc_file, lo)) { +- status = nfserr_locks_held; +- spin_unlock(&clp->cl_lock); +- return status; +- } ++ if (atomic_read(&sop->so_count) != 1) { ++ spin_unlock(&clp->cl_lock); ++ return nfserr_locks_held; + } + ++ lo = lockowner(sop); + nfs4_get_stateowner(sop); + break; + } diff --git a/queue-5.15/series b/queue-5.15/series index 2f4486e2b07..20fe10b25fe 100644 --- a/queue-5.15/series +++ b/queue-5.15/series @@ -56,3 +56,11 @@ media-i2c-imx412-fix-reset-gpio-polarity.patch media-i2c-imx412-fix-power_off-ordering.patch tpm-fix-buffer-access-in-tpm2_get_tpm_pt.patch tpm-ibmvtpm-correct-the-return-value-in-tpm_ibmvtpm_probe.patch +docs-submitting-patches-fix-crossref-to-the-canonical-patch-format.patch +nfs-memory-allocation-failures-are-not-server-fatal-errors.patch +nfsd-fix-possible-sleep-during-nfsd4_release_lockowner.patch +bpf-fix-potential-array-overflow-in-bpf_trampoline_get_progs.patch +bpf-enlarge-offset-check-value-to-int_max-in-bpf_skb_-load-store-_bytes.patch +bpf-fix-excessive-memory-allocation-in-stack_map_alloc.patch +bpf-reject-writes-for-ptr_to_map_key-in-check_helper_mem_access.patch +bpf-check-ptr_to_mem-mem_rdonly-in-check_helper_mem_access.patch