From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Mon, 21 Mar 2022 12:46:20 +0000 (+0100)
Subject: 5.4-stable patches
X-Git-Tag: v4.9.308~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a8873a062288119ad55813d8b02937aac158c283;p=thirdparty%2Fkernel%2Fstable-queue.git

5.4-stable patches

added patches:
	revert-selftests-bpf-add-test-for-bpf_timer-overwriting-crash.patch
---

diff --git a/queue-5.4/revert-selftests-bpf-add-test-for-bpf_timer-overwriting-crash.patch b/queue-5.4/revert-selftests-bpf-add-test-for-bpf_timer-overwriting-crash.patch
new file mode 100644
index 00000000000..18d643c56a6
--- /dev/null
+++ b/queue-5.4/revert-selftests-bpf-add-test-for-bpf_timer-overwriting-crash.patch
@@ -0,0 +1,120 @@
+From dfc7c764d083ad970d7960b3a451114ea1c04fe4 Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Date: Mon, 21 Mar 2022 13:42:22 +0100
+Subject: Revert "selftests/bpf: Add test for bpf_timer overwriting crash"
+
+From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+This reverts commit dcf55b071de9231e197ba7b1a2d0a423e8d7d33a which is
+commit a7e75016a0753c24d6c995bc02501ae35368e333 upstream.
+
+It is reported to break the bpf self-tests.
+
+Reported-by: Geliang Tang <geliang.tang@suse.com>
+Reported-by: Tommi Rantala <tommi.t.rantala@nokia.com>
+Cc: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Cc: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20220209070324.1093182-3-memxor@gmail.com
+Cc: Sasha Levin <sashal@kernel.org>
+Link: https://lore.kernel.org/r/a0a7298ca5c64b3d0ecfcc8821c2de79186fa9f7.camel@nokia.com
+Link: https://lore.kernel.org/r/HE1PR0402MB3497CB13A12C4D15D20A1FCCF8139@HE1PR0402MB3497.eurprd04.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/prog_tests/timer_crash.c |   32 -----------
+ tools/testing/selftests/bpf/progs/timer_crash.c      |   54 -------------------
+ 2 files changed, 86 deletions(-)
+ delete mode 100644 tools/testing/selftests/bpf/prog_tests/timer_crash.c
+ delete mode 100644 tools/testing/selftests/bpf/progs/timer_crash.c
+
+--- a/tools/testing/selftests/bpf/prog_tests/timer_crash.c
++++ /dev/null
+@@ -1,32 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0
+-#include <test_progs.h>
+-#include "timer_crash.skel.h"
+-
+-enum {
+-	MODE_ARRAY,
+-	MODE_HASH,
+-};
+-
+-static void test_timer_crash_mode(int mode)
+-{
+-	struct timer_crash *skel;
+-
+-	skel = timer_crash__open_and_load();
+-	if (!ASSERT_OK_PTR(skel, "timer_crash__open_and_load"))
+-		return;
+-	skel->bss->pid = getpid();
+-	skel->bss->crash_map = mode;
+-	if (!ASSERT_OK(timer_crash__attach(skel), "timer_crash__attach"))
+-		goto end;
+-	usleep(1);
+-end:
+-	timer_crash__destroy(skel);
+-}
+-
+-void test_timer_crash(void)
+-{
+-	if (test__start_subtest("array"))
+-		test_timer_crash_mode(MODE_ARRAY);
+-	if (test__start_subtest("hash"))
+-		test_timer_crash_mode(MODE_HASH);
+-}
+--- a/tools/testing/selftests/bpf/progs/timer_crash.c
++++ /dev/null
+@@ -1,54 +0,0 @@
+-// SPDX-License-Identifier: GPL-2.0
+-
+-#include <vmlinux.h>
+-#include <bpf/bpf_tracing.h>
+-#include <bpf/bpf_helpers.h>
+-
+-struct map_elem {
+-	struct bpf_timer timer;
+-	struct bpf_spin_lock lock;
+-};
+-
+-struct {
+-	__uint(type, BPF_MAP_TYPE_ARRAY);
+-	__uint(max_entries, 1);
+-	__type(key, int);
+-	__type(value, struct map_elem);
+-} amap SEC(".maps");
+-
+-struct {
+-	__uint(type, BPF_MAP_TYPE_HASH);
+-	__uint(max_entries, 1);
+-	__type(key, int);
+-	__type(value, struct map_elem);
+-} hmap SEC(".maps");
+-
+-int pid = 0;
+-int crash_map = 0; /* 0 for amap, 1 for hmap */
+-
+-SEC("fentry/do_nanosleep")
+-int sys_enter(void *ctx)
+-{
+-	struct map_elem *e, value = {};
+-	void *map = crash_map ? (void *)&hmap : (void *)&amap;
+-
+-	if (bpf_get_current_task_btf()->tgid != pid)
+-		return 0;
+-
+-	*(void **)&value = (void *)0xdeadcaf3;
+-
+-	bpf_map_update_elem(map, &(int){0}, &value, 0);
+-	/* For array map, doing bpf_map_update_elem will do a
+-	 * check_and_free_timer_in_array, which will trigger the crash if timer
+-	 * pointer was overwritten, for hmap we need to use bpf_timer_cancel.
+-	 */
+-	if (crash_map == 1) {
+-		e = bpf_map_lookup_elem(map, &(int){0});
+-		if (!e)
+-			return 0;
+-		bpf_timer_cancel(&e->timer);
+-	}
+-	return 0;
+-}
+-
+-char _license[] SEC("license") = "GPL";
diff --git a/queue-5.4/series b/queue-5.4/series
index 6381ad0e0da..e6110873541 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -15,3 +15,4 @@ usb-usbtmc-fix-bug-in-pipe-direction-for-control-transfers.patch
 input-aiptek-properly-check-endpoint-type.patch
 perf-symbols-fix-symbol-size-calculation-condition.patch
 esp-fix-possible-buffer-overflow-in-esp-transformation.patch
+revert-selftests-bpf-add-test-for-bpf_timer-overwriting-crash.patch