From: Greg Kroah-Hartman
Date: Thu, 9 Jan 2020 20:24:28 +0000 (+0100)
Subject: drop bpf patch from 4.9 and 4.14
X-Git-Tag: v4.4.209~27
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb9f8928297d1536f6b0face524a361e6ae551b8;p=thirdparty%2Fkernel%2Fstable-queue.git

drop bpf patch from 4.9 and 4.14
---

diff --git a/queue-4.14/bpf-fix-passing-modified-ctx-to-ld-abs-ind-instruction.patch b/queue-4.14/bpf-fix-passing-modified-ctx-to-ld-abs-ind-instruction.patch
deleted file mode 100644
index 362fbf0bb45..00000000000
--- a/queue-4.14/bpf-fix-passing-modified-ctx-to-ld-abs-ind-instruction.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 6d4f151acf9a4f6fab09b615f246c717ddedcf0c Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann
-Date: Mon, 6 Jan 2020 22:51:57 +0100
-Subject: bpf: Fix passing modified ctx to ld/abs/ind instruction
-
-From: Daniel Borkmann
-
-commit 6d4f151acf9a4f6fab09b615f246c717ddedcf0c upstream.
-
-Anatoly has been fuzzing with kBdysch harness and reported a KASAN
-slab oob in one of the outcomes:
-
- [...]
- [ 77.359642] BUG: KASAN: slab-out-of-bounds in bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.360463] Read of size 4 at addr ffff8880679bac68 by task bpf/406
- [ 77.361119]
- [ 77.361289] CPU: 2 PID: 406 Comm: bpf Not tainted 5.5.0-rc2-xfstests-00157-g2187f215eba #1
- [ 77.362134] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
- [ 77.362984] Call Trace:
- [ 77.363249] dump_stack+0x97/0xe0
- [ 77.363603] print_address_description.constprop.0+0x1d/0x220
- [ 77.364251] ? bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.365030] ? bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.365860] __kasan_report.cold+0x37/0x7b
- [ 77.366365] ? bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.366940] kasan_report+0xe/0x20
- [ 77.367295] bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.367821] ? bpf_skb_load_helper_8+0xf0/0xf0
- [ 77.368278] ? mark_lock+0xa3/0x9b0
- [ 77.368641] ? kvm_sched_clock_read+0x14/0x30
- [ 77.369096] ? sched_clock+0x5/0x10
- [ 77.369460] ? sched_clock_cpu+0x18/0x110
- [ 77.369876] ? bpf_skb_load_helper_8+0xf0/0xf0
- [ 77.370330] ___bpf_prog_run+0x16c0/0x28f0
- [ 77.370755] __bpf_prog_run32+0x83/0xc0
- [ 77.371153] ? __bpf_prog_run64+0xc0/0xc0
- [ 77.371568] ? match_held_lock+0x1b/0x230
- [ 77.371984] ? rcu_read_lock_held+0xa1/0xb0
- [ 77.372416] ? rcu_is_watching+0x34/0x50
- [ 77.372826] sk_filter_trim_cap+0x17c/0x4d0
- [ 77.373259] ? sock_kzfree_s+0x40/0x40
- [ 77.373648] ? __get_filter+0x150/0x150
- [ 77.374059] ? skb_copy_datagram_from_iter+0x80/0x280
- [ 77.374581] ? do_raw_spin_unlock+0xa5/0x140
- [ 77.375025] unix_dgram_sendmsg+0x33a/0xa70
- [ 77.375459] ? do_raw_spin_lock+0x1d0/0x1d0
- [ 77.375893] ? unix_peer_get+0xa0/0xa0
- [ 77.376287] ? __fget_light+0xa4/0xf0
- [ 77.376670] __sys_sendto+0x265/0x280
- [ 77.377056] ? __ia32_sys_getpeername+0x50/0x50
- [ 77.377523] ? lock_downgrade+0x350/0x350
- [ 77.377940] ? __sys_setsockopt+0x2a6/0x2c0
- [ 77.378374] ? sock_read_iter+0x240/0x240
- [ 77.378789] ? __sys_socketpair+0x22a/0x300
- [ 77.379221] ? __ia32_sys_socket+0x50/0x50
- [ 77.379649] ? mark_held_locks+0x1d/0x90
- [ 77.380059] ? trace_hardirqs_on_thunk+0x1a/0x1c
- [ 77.380536] __x64_sys_sendto+0x74/0x90
- [ 77.380938] do_syscall_64+0x68/0x2a0
- [ 77.381324] entry_SYSCALL_64_after_hwframe+0x49/0xbe
- [ 77.381878] RIP: 0033:0x44c070
- [...]
-
-After further debugging, turns out while in case of other helper functions
-we disallow passing modified ctx, the special case of ld/abs/ind instruction
-which has similar semantics (except r6 being the ctx argument) is missing
-such check. Modified ctx is impossible here as bpf_skb_load_helper_8_no_cache()
-and others are expecting skb fields in original position, hence, add
-check_ctx_reg() to reject any modified ctx. Issue was first introduced back
-in f1174f77b50c ("bpf/verifier: rework value tracking").
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Reported-by: Anatoly Trosinenko
-Signed-off-by: Daniel Borkmann
-Signed-off-by: Alexei Starovoitov
-Link: https://lore.kernel.org/bpf/20200106215157.3553-1-daniel@iogearbox.net
-Signed-off-by: Greg Kroah-Hartman
-
----
- kernel/bpf/verifier.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -3442,6 +3442,7 @@ static bool may_access_skb(enum bpf_prog
- static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)
- {
- struct bpf_reg_state *regs = cur_regs(env);
-+ static const int ctx_reg = BPF_REG_6;
- u8 mode = BPF_MODE(insn->code);
- int i, err;
-
-@@ -3458,11 +3459,11 @@ static int check_ld_abs(struct bpf_verif
- }
-
- /* check whether implicit source operand (register R6) is readable */
-- err = check_reg_arg(env, BPF_REG_6, SRC_OP);
-+ err = check_reg_arg(env, ctx_reg, SRC_OP);
- if (err)
- return err;
-
-- if (regs[BPF_REG_6].type != PTR_TO_CTX) {
-+ if (regs[ctx_reg].type != PTR_TO_CTX) {
- verbose("at the time of BPF_LD_ABS|IND R6 != pointer to skb\n");
- return -EINVAL;
- }
-@@ -3474,6 +3475,10 @@ static int check_ld_abs(struct bpf_verif
- return err;
- }
-
-+ err = check_ctx_reg(env, ®s[ctx_reg], ctx_reg);
-+ if (err < 0)
-+ return err;
-+
- /* reset caller saved regs to unreadable */
- for (i = 0; i < CALLER_SAVED_REGS; i++) {
- mark_reg_not_init(regs, caller_saved[i]);
diff --git a/queue-4.14/series b/queue-4.14/series
index 8bdbbee676a..2cd6538e94e 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -1,3 +1,2 @@
 usb-dummy-hcd-use-usb_urb_dir_in-instead-of-usb_pipein.patch
 usb-dummy-hcd-increase-max-number-of-devices-to-32.patch
-bpf-fix-passing-modified-ctx-to-ld-abs-ind-instruction.patch
diff --git a/queue-4.9/bpf-fix-passing-modified-ctx-to-ld-abs-ind-instruction.patch b/queue-4.9/bpf-fix-passing-modified-ctx-to-ld-abs-ind-instruction.patch
deleted file mode 100644
index de409d120bd..00000000000
--- a/queue-4.9/bpf-fix-passing-modified-ctx-to-ld-abs-ind-instruction.patch
+++ /dev/null
@@ -1,117 +0,0 @@
-From 6d4f151acf9a4f6fab09b615f246c717ddedcf0c Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann
-Date: Mon, 6 Jan 2020 22:51:57 +0100
-Subject: bpf: Fix passing modified ctx to ld/abs/ind instruction
-
-From: Daniel Borkmann
-
-commit 6d4f151acf9a4f6fab09b615f246c717ddedcf0c upstream.
-
-Anatoly has been fuzzing with kBdysch harness and reported a KASAN
-slab oob in one of the outcomes:
-
- [...]
- [ 77.359642] BUG: KASAN: slab-out-of-bounds in bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.360463] Read of size 4 at addr ffff8880679bac68 by task bpf/406
- [ 77.361119]
- [ 77.361289] CPU: 2 PID: 406 Comm: bpf Not tainted 5.5.0-rc2-xfstests-00157-g2187f215eba #1
- [ 77.362134] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
- [ 77.362984] Call Trace:
- [ 77.363249] dump_stack+0x97/0xe0
- [ 77.363603] print_address_description.constprop.0+0x1d/0x220
- [ 77.364251] ? bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.365030] ? bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.365860] __kasan_report.cold+0x37/0x7b
- [ 77.366365] ? bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.366940] kasan_report+0xe/0x20
- [ 77.367295] bpf_skb_load_helper_8_no_cache+0x71/0x130
- [ 77.367821] ? bpf_skb_load_helper_8+0xf0/0xf0
- [ 77.368278] ? mark_lock+0xa3/0x9b0
- [ 77.368641] ? kvm_sched_clock_read+0x14/0x30
- [ 77.369096] ? sched_clock+0x5/0x10
- [ 77.369460] ? sched_clock_cpu+0x18/0x110
- [ 77.369876] ? bpf_skb_load_helper_8+0xf0/0xf0
- [ 77.370330] ___bpf_prog_run+0x16c0/0x28f0
- [ 77.370755] __bpf_prog_run32+0x83/0xc0
- [ 77.371153] ? __bpf_prog_run64+0xc0/0xc0
- [ 77.371568] ? match_held_lock+0x1b/0x230
- [ 77.371984] ? rcu_read_lock_held+0xa1/0xb0
- [ 77.372416] ? rcu_is_watching+0x34/0x50
- [ 77.372826] sk_filter_trim_cap+0x17c/0x4d0
- [ 77.373259] ? sock_kzfree_s+0x40/0x40
- [ 77.373648] ? __get_filter+0x150/0x150
- [ 77.374059] ? skb_copy_datagram_from_iter+0x80/0x280
- [ 77.374581] ? do_raw_spin_unlock+0xa5/0x140
- [ 77.375025] unix_dgram_sendmsg+0x33a/0xa70
- [ 77.375459] ? do_raw_spin_lock+0x1d0/0x1d0
- [ 77.375893] ? unix_peer_get+0xa0/0xa0
- [ 77.376287] ? __fget_light+0xa4/0xf0
- [ 77.376670] __sys_sendto+0x265/0x280
- [ 77.377056] ? __ia32_sys_getpeername+0x50/0x50
- [ 77.377523] ? lock_downgrade+0x350/0x350
- [ 77.377940] ? __sys_setsockopt+0x2a6/0x2c0
- [ 77.378374] ? sock_read_iter+0x240/0x240
- [ 77.378789] ? __sys_socketpair+0x22a/0x300
- [ 77.379221] ? __ia32_sys_socket+0x50/0x50
- [ 77.379649] ? mark_held_locks+0x1d/0x90
- [ 77.380059] ? trace_hardirqs_on_thunk+0x1a/0x1c
- [ 77.380536] __x64_sys_sendto+0x74/0x90
- [ 77.380938] do_syscall_64+0x68/0x2a0
- [ 77.381324] entry_SYSCALL_64_after_hwframe+0x49/0xbe
- [ 77.381878] RIP: 0033:0x44c070
- [...]
-
-After further debugging, turns out while in case of other helper functions
-we disallow passing modified ctx, the special case of ld/abs/ind instruction
-which has similar semantics (except r6 being the ctx argument) is missing
-such check. Modified ctx is impossible here as bpf_skb_load_helper_8_no_cache()
-and others are expecting skb fields in original position, hence, add
-check_ctx_reg() to reject any modified ctx. Issue was first introduced back
-in f1174f77b50c ("bpf/verifier: rework value tracking").
-
-Fixes: f1174f77b50c ("bpf/verifier: rework value tracking")
-Reported-by: Anatoly Trosinenko
-Signed-off-by: Daniel Borkmann
-Signed-off-by: Alexei Starovoitov
-Link: https://lore.kernel.org/bpf/20200106215157.3553-1-daniel@iogearbox.net
-Signed-off-by: Greg Kroah-Hartman
-
----
- kernel/bpf/verifier.c | 9 +++++++--
- 1 file changed, 7 insertions(+), 2 deletions(-)
-
---- a/kernel/bpf/verifier.c
-+++ b/kernel/bpf/verifier.c
-@@ -2422,6 +2422,7 @@ static bool may_access_skb(enum bpf_prog
- static int check_ld_abs(struct bpf_verifier_env *env, struct bpf_insn *insn)
- {
- struct bpf_reg_state *regs = env->cur_state.regs;
-+ static const int ctx_reg = BPF_REG_6;
- u8 mode = BPF_MODE(insn->code);
- struct bpf_reg_state *reg;
- int i, err;
-@@ -2439,11 +2440,11 @@ static int check_ld_abs(struct bpf_verif
- }
-
- /* check whether implicit source operand (register R6) is readable */
-- err = check_reg_arg(regs, BPF_REG_6, SRC_OP);
-+ err = check_reg_arg(regs, ctx_reg, SRC_OP);
- if (err)
- return err;
-
-- if (regs[BPF_REG_6].type != PTR_TO_CTX) {
-+ if (regs[ctx_reg].type != PTR_TO_CTX) {
- verbose("at the time of BPF_LD_ABS|IND R6 != pointer to skb\n");
- return -EINVAL;
- }
-@@ -2455,6 +2456,10 @@ static int check_ld_abs(struct bpf_verif
- return err;
- }
-
-+ err = check_ctx_reg(env, ®s[ctx_reg], ctx_reg);
-+ if (err < 0)
-+ return err;
-+
- /* reset caller saved regs to unreadable */
- for (i = 0; i < CALLER_SAVED_REGS; i++) {
- reg = regs + caller_saved[i];
diff --git a/queue-4.9/series b/queue-4.9/series
index ecdca3f3ea2..d8bc8e6320a 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -54,4 +54,3 @@ s390-smp-fix-physical-to-logical-cpu-map-for-smt.patch
 xen-blkback-avoid-unmapping-unmapped-grant-pages.patch
 locking-x86-remove-the-unused-atomic_inc_short-methd.patch
 pstore-ram-write-new-dumps-to-start-of-recycled-zone.patch
-bpf-fix-passing-modified-ctx-to-ld-abs-ind-instruction.patch