From f01ed80303b2cdcfe8ecd6ef9290bc4766d61e77 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 4 Mar 2024 11:41:46 +0100
Subject: [PATCH] 5.4-stable patches

added patches:
cachefiles-fix-memory-leak-in-cachefiles_add_cache.patch
objtool-add-support-for-intra-function-calls.patch
objtool-is_fentry_call-crashes-if-call-has-no-destination.patch
x86-speculation-support-intra-function-call-validation.patch
---
 ...-memory-leak-in-cachefiles_add_cache.patch | 66 +++++++
 ...add-support-for-intra-function-calls.patch | 178 ++++++++++++++++++
 ...l-crashes-if-call-has-no-destination.patch | 38 ++++
 queue-5.4/series | 4 +
 ...pport-intra-function-call-validation.patch | 61 ++++++
 5 files changed, 347 insertions(+)
 create mode 100644 queue-5.4/cachefiles-fix-memory-leak-in-cachefiles_add_cache.patch
 create mode 100644 queue-5.4/objtool-add-support-for-intra-function-calls.patch
 create mode 100644 queue-5.4/objtool-is_fentry_call-crashes-if-call-has-no-destination.patch
 create mode 100644 queue-5.4/x86-speculation-support-intra-function-call-validation.patch

diff --git a/queue-5.4/cachefiles-fix-memory-leak-in-cachefiles_add_cache.patch b/queue-5.4/cachefiles-fix-memory-leak-in-cachefiles_add_cache.patch
new file mode 100644
index 00000000000..be8839af3bf
--- /dev/null
+++ b/queue-5.4/cachefiles-fix-memory-leak-in-cachefiles_add_cache.patch
@@ -0,0 +1,66 @@
+From e21a2f17566cbd64926fb8f16323972f7a064444 Mon Sep 17 00:00:00 2001
+From: Baokun Li
+Date: Sat, 17 Feb 2024 16:14:31 +0800
+Subject: cachefiles: fix memory leak in cachefiles_add_cache()
+
+From: Baokun Li
+
+commit e21a2f17566cbd64926fb8f16323972f7a064444 upstream.
+
+The following memory leak was reported after unbinding /dev/cachefiles:
+
+==================================================================
+unreferenced object 0xffff9b674176e3c0 (size 192):
+ comm "cachefilesd2", pid 680, jiffies 4294881224
+ hex dump (first 32 bytes):
+ 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+ backtrace (crc ea38a44b):
+ [] kmem_cache_alloc+0x2d5/0x370
+ [] prepare_creds+0x26/0x2e0
+ [] cachefiles_determine_cache_security+0x1f/0x120
+ [] cachefiles_add_cache+0x13c/0x3a0
+ [] cachefiles_daemon_write+0x146/0x1c0
+ [] vfs_write+0xcb/0x520
+ [] ksys_write+0x69/0xf0
+ [] do_syscall_64+0x72/0x140
+ [] entry_SYSCALL_64_after_hwframe+0x6e/0x76
+==================================================================
+
+Put the reference count of cache_cred in cachefiles_daemon_unbind() to
+fix the problem. And also put cache_cred in cachefiles_add_cache() error
+branch to avoid memory leaks.
+
+Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem")
+CC: stable@vger.kernel.org
+Signed-off-by: Baokun Li
+Link: https://lore.kernel.org/r/20240217081431.796809-1-libaokun1@huawei.com
+Acked-by: David Howells
+Reviewed-by: Jingbo Xu
+Reviewed-by: Jeff Layton
+Signed-off-by: Christian Brauner
+Signed-off-by: Baokun Li
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/cachefiles/bind.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/cachefiles/bind.c
++++ b/fs/cachefiles/bind.c
+@@ -245,6 +245,8 @@ error_open_root:
+ kmem_cache_free(cachefiles_object_jar, fsdef);
+ error_root_object:
+ cachefiles_end_secure(cache, saved_cred);
++ put_cred(cache->cache_cred);
++ cache->cache_cred = NULL;
+ pr_err("Failed to register: %d\n", ret);
+ return ret;
+ }
+@@ -265,6 +267,7 @@ void cachefiles_daemon_unbind(struct cac
+ 
+ dput(cache->graveyard);
+ mntput(cache->mnt);
++ put_cred(cache->cache_cred);
+ 
+ kfree(cache->rootdirname);
+ kfree(cache->secctx);
diff --git a/queue-5.4/objtool-add-support-for-intra-function-calls.patch b/queue-5.4/objtool-add-support-for-intra-function-calls.patch
new file mode 100644
index 00000000000..e10ba65365a
--- /dev/null
+++ b/queue-5.4/objtool-add-support-for-intra-function-calls.patch
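Review bot: The new `put_cred(cache->cache_cred);` in cachefiles_daemon_unbind() drops the reference but, unlike the error-path hunk just above it, leaves `cache->cache_cred` pointing at the released cred. If anything can run between unbind and the cache structure being freed, that stale pointer is a use-after-free in waiting; adding `cache->cache_cred = NULL;` after the put, exactly as the first hunk does, makes the two paths consistent and easy to audit. The first hunk's put sits at `error_root_object:` and so runs on every error exit, which means it relies on the cred already having been assigned before the earliest `goto` to that label; the start of the function is outside the hunk, so that ordering should be confirmed against the 5.4 tree rather than assumed from the upstream version.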
@@ -0,0 +1,178 @@
+From stable+bounces-25322-greg=kroah.com@vger.kernel.org Wed Feb 28 03:47:32 2024
+From: Rui Qi
+Date: Wed, 28 Feb 2024 10:45:34 +0800
+Subject: objtool: Add support for intra-function calls
+To: bp@alien8.de, mingo@redhat.com, tglx@linutronix.de, hpa@zytor.com, jpoimboe@redhat.com, peterz@infradead.org, mbenes@suse.cz, gregkh@linuxfoundation.org, stable@vger.kernel.org, alexandre.chartre@oracle.com
+Cc: x86@kernel.org, linux-kernel@vger.kernel.org, yuanzhu@bytedance.com, Rui Qi
+Message-ID: <20240228024535.79980-3-qirui.001@bytedance.com>
+
+From: Alexandre Chartre
+
+commit 8aa8eb2a8f5b3305a95f39957dd2b715fa668e21 upstream.
+
+Change objtool to support intra-function calls. On x86, an intra-function
+call is represented in objtool as a push onto the stack (of the return
+address), and a jump to the destination address. That way the stack
+information is correctly updated and the call flow is still accurate.
+
+Signed-off-by: Alexandre Chartre
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Miroslav Benes
+Acked-by: Josh Poimboeuf
+Link: https://lkml.kernel.org/r/20200414103618.12657-4-alexandre.chartre@oracle.com
+Signed-off-by: Rui Qi
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/frame.h | 11 ++++
+ tools/objtool/Documentation/stack-validation.txt | 8 ++
+ tools/objtool/arch/x86/decode.c | 6 ++
+ tools/objtool/check.c | 62 +++++++++++++++++++++--
+ 4 files changed, 83 insertions(+), 4 deletions(-)
+
+--- a/include/linux/frame.h
++++ b/include/linux/frame.h
+@@ -15,9 +15,20 @@
+ static void __used __section(.discard.func_stack_frame_non_standard) \
+ *__func_stack_frame_non_standard_##func = func
+ 
++/*
++ * This macro indicates that the following intra-function call is valid.
++ * Any non-annotated intra-function call will cause objtool to issue a warning.
++ */
++#define ANNOTATE_INTRA_FUNCTION_CALL \
++ 999: \
++ .pushsection .discard.intra_function_calls; \
++ .long 999b; \
++ .popsection;
++
+ #else /* !CONFIG_STACK_VALIDATION */
+ 
+ #define STACK_FRAME_NON_STANDARD(func)
++#define ANNOTATE_INTRA_FUNCTION_CALL
+ 
+ #endif /* CONFIG_STACK_VALIDATION */
+ 
+--- a/tools/objtool/Documentation/stack-validation.txt
++++ b/tools/objtool/Documentation/stack-validation.txt
+@@ -290,6 +290,14 @@ they mean, and suggestions for how to fi
+ https://gcc.gnu.org/bugzilla/show_bug.cgi?id=70646
+ 
+ 
++11. file.o: warning: unannotated intra-function call
++
++ This warning means that a direct call is done to a destination which
++ is not at the beginning of a function. If this is a legit call, you
++ can remove this warning by putting the ANNOTATE_INTRA_FUNCTION_CALL
++ directive right before the call.
++
++
+ If the error doesn't seem to make sense, it could be a bug in objtool.
+ Feel free to ask the objtool maintainer for help.
+ 
+--- a/tools/objtool/arch/x86/decode.c
++++ b/tools/objtool/arch/x86/decode.c
+@@ -437,6 +437,12 @@ int arch_decode_instruction(struct elf *
+ 
+ case 0xe8:
+ *type = INSN_CALL;
++ /*
++ * For the impact on the stack, a CALL behaves like
++ * a PUSH of an immediate value (the return address).
++ */
++ op->src.type = OP_SRC_CONST;
++ op->dest.type = OP_DEST_PUSH;
+ break;
+ 
+ case 0xfc:
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -645,6 +645,7 @@ static int add_jump_destinations(struct
+ return 0;
+ }
+ 
++
+ /*
+ * Find the destination instructions for all calls.
+ */
+@@ -666,10 +667,7 @@ static int add_call_destinations(struct
+ dest_off);
+ 
+ if (!insn->call_dest && !insn->ignore) {
+- WARN_FUNC("unsupported intra-function call",
+- insn->sec, insn->offset);
+- if (retpoline)
+- WARN("If this is a retpoline, please patch it in with alternatives and annotate it with ANNOTATE_NOSPEC_ALTERNATIVE.");
++ WARN_FUNC("unannotated intra-function call", insn->sec, insn->offset);
+ return -1;
+ }
+ 
+@@ -1291,6 +1289,58 @@ static int read_retpoline_hints(struct o
+ return 0;
+ }
+ 
++
++static int read_intra_function_calls(struct objtool_file *file)
++{
++ struct instruction *insn;
++ struct section *sec;
++ struct rela *rela;
++
++ sec = find_section_by_name(file->elf, ".rela.discard.intra_function_calls");
++ if (!sec)
++ return 0;
++
++ list_for_each_entry(rela, &sec->rela_list, list) {
++ unsigned long dest_off;
++
++ if (rela->sym->type != STT_SECTION) {
++ WARN("unexpected relocation symbol type in %s",
++ sec->name);
++ return -1;
++ }
++
++ insn = find_insn(file, rela->sym->sec, rela->addend);
++ if (!insn) {
++ WARN("bad .discard.intra_function_call entry");
++ return -1;
++ }
++
++ if (insn->type != INSN_CALL) {
++ WARN_FUNC("intra_function_call not a direct call",
++ insn->sec, insn->offset);
++ return -1;
++ }
++
++ /*
++ * Treat intra-function CALLs as JMPs, but with a stack_op.
++ * See add_call_destinations(), which strips stack_ops from
++ * normal CALLs.
++ */
++ insn->type = INSN_JUMP_UNCONDITIONAL;
++
++ dest_off = insn->offset + insn->len + insn->immediate;
++ insn->jump_dest = find_insn(file, insn->sec, dest_off);
++ if (!insn->jump_dest) {
++ WARN_FUNC("can't find call dest at %s+0x%lx",
++ insn->sec, insn->offset,
++ insn->sec->name, dest_off);
++ return -1;
++ }
++ }
++
++ return 0;
++}
++
+ static void mark_rodata(struct objtool_file *file)
+ {
+ struct section *sec;
+@@ -1346,6 +1396,10 @@ static int decode_sections(struct objtoo
+ if (ret)
+ return ret;
+ 
++ ret = read_intra_function_calls(file);
++ if (ret)
++ return ret;
++
+ ret = add_call_destinations(file);
+ if (ret)
+ return ret;
diff --git a/queue-5.4/objtool-is_fentry_call-crashes-if-call-has-no-destination.patch b/queue-5.4/objtool-is_fentry_call-crashes-if-call-has-no-destination.patch
new file mode 100644
index 00000000000..a8e021ecb93
--- /dev/null
+++ b/queue-5.4/objtool-is_fentry_call-crashes-if-call-has-no-destination.patch
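Review bot: The comment added in read_intra_function_calls() states that add_call_destinations() "strips stack_ops from normal CALLs", but the add_call_destinations() hunk in this same patch only rewords a warning and no such stripping is added anywhere, while the decode.c hunk now attaches an `OP_DEST_PUSH` op to every `0xe8` CALL. Either the 5.4 tree already discards that push for ordinary calls somewhere outside these hunks, or the backport is missing the counterpart of the upstream change, in which case objtool's stack tracking could be off by one slot after every direct call; that should be confirmed against the tree before this is merged, and the comment corrected if the stripping does not exist here. Separately, `WARN("bad .discard.intra_function_call entry");` names the section without its trailing `s` although the lookup above it is for `.rela.discard.intra_function_calls`; the message should read `bad .discard.intra_function_calls entry` so a user can grep for the real section. read_intra_function_calls() is complete within the hunk; add_call_destinations() and decode_sections() continue outside it.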
@@ -0,0 +1,38 @@
+From stable+bounces-25321-greg=kroah.com@vger.kernel.org Wed Feb 28 03:47:16 2024
+From: Rui Qi
+Date: Wed, 28 Feb 2024 10:45:33 +0800
+Subject: objtool: is_fentry_call() crashes if call has no destination
+To: bp@alien8.de, mingo@redhat.com, tglx@linutronix.de, hpa@zytor.com, jpoimboe@redhat.com, peterz@infradead.org, mbenes@suse.cz, gregkh@linuxfoundation.org, stable@vger.kernel.org, alexandre.chartre@oracle.com
+Cc: x86@kernel.org, linux-kernel@vger.kernel.org, yuanzhu@bytedance.com, Rui Qi
+Message-ID: <20240228024535.79980-2-qirui.001@bytedance.com>
+
+From: Alexandre Chartre
+
+commit 87cf61fe848ca8ddf091548671e168f52e8a718e upstream.
+
+Fix is_fentry_call() so that it works if a call has no destination
+set (call_dest). This needs to be done in order to support intra-
+function calls.
+
+Signed-off-by: Alexandre Chartre
+Signed-off-by: Peter Zijlstra (Intel)
+Reviewed-by: Miroslav Benes
+Acked-by: Josh Poimboeuf
+Link: https://lkml.kernel.org/r/20200414103618.12657-2-alexandre.chartre@oracle.com
+Signed-off-by: Rui Qi
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/objtool/check.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/objtool/check.c
++++ b/tools/objtool/check.c
+@@ -1367,7 +1367,7 @@ static int decode_sections(struct objtoo
+ 
+ static bool is_fentry_call(struct instruction *insn)
+ {
+- if (insn->type == INSN_CALL &&
++ if (insn->type == INSN_CALL && insn->call_dest &&
+ insn->call_dest->type == STT_NOTYPE &&
+ !strcmp(insn->call_dest->name, "__fentry__"))
+ return true;
diff --git a/queue-5.4/series b/queue-5.4/series
index ce40813a810..a4429654565 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -21,3 +21,7 @@ dmaengine-fsl-qdma-init-irq-after-reg-initialization.patch
 mmc-core-fix-emmc-initialization-with-1-bit-bus-connection.patch
 fs-aio-make-io_cancel-generate-completions-again.patch
 x86-cpu-intel-detect-tme-keyid-bits-before-setting-mtrr-mask-registers.patch
+cachefiles-fix-memory-leak-in-cachefiles_add_cache.patch
+objtool-is_fentry_call-crashes-if-call-has-no-destination.patch
+objtool-add-support-for-intra-function-calls.patch
+x86-speculation-support-intra-function-call-validation.patch
diff --git a/queue-5.4/x86-speculation-support-intra-function-call-validation.patch b/queue-5.4/x86-speculation-support-intra-function-call-validation.patch
new file mode 100644
index 00000000000..447d9770221
--- /dev/null
+++ b/queue-5.4/x86-speculation-support-intra-function-call-validation.patch
@@ -0,0 +1,61 @@
+From stable+bounces-25323-greg=kroah.com@vger.kernel.org Wed Feb 28 03:47:45 2024
+From: Rui Qi
+Date: Wed, 28 Feb 2024 10:45:35 +0800
+Subject: x86/speculation: Support intra-function call validation
+To: bp@alien8.de, mingo@redhat.com, tglx@linutronix.de, hpa@zytor.com, jpoimboe@redhat.com, peterz@infradead.org, mbenes@suse.cz, gregkh@linuxfoundation.org, stable@vger.kernel.org, alexandre.chartre@oracle.com
+Cc: x86@kernel.org, linux-kernel@vger.kernel.org, yuanzhu@bytedance.com, Rui Qi
+Message-ID: <20240228024535.79980-4-qirui.001@bytedance.com>
+
+From: Rui Qi
+
+commit 8afd1c7da2b0 ("x86/speculation: Change FILL_RETURN_BUFFER to work with
+objtool") does not support intra-function call stack validation, which causes
+kernel live patching to fail. This commit adds support for this, and after
+testing, the kernel live patching feature is restored to normal.
+
+Fixes: 8afd1c7da2b0 ("x86/speculation: Change FILL_RETURN_BUFFER to work with objtool")
+Cc: # v5.4.250+
+Signed-off-by: Rui Qi
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/include/asm/nospec-branch.h | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/arch/x86/include/asm/nospec-branch.h
++++ b/arch/x86/include/asm/nospec-branch.h
+@@ -13,6 +13,8 @@
+ #include
+ #include
+ 
++#include
++#include
+ /*
+ * This should be used immediately before a retpoline alternative. It tells
+ * objtool where the retpolines are so that it can make sense of the control
+@@ -51,14 +53,18 @@
+ #define __FILL_RETURN_BUFFER(reg, nr, sp) \
+ mov $(nr/2), reg; \
+ 771: \
++ ANNOTATE_INTRA_FUNCTION_CALL; \
+ call 772f; \
+ 773: /* speculation trap */ \
++ UNWIND_HINT_EMPTY; \
+ pause; \
+ lfence; \
+ jmp 773b; \
+ 772: \
++ ANNOTATE_INTRA_FUNCTION_CALL; \
+ call 774f; \
+ 775: /* speculation trap */ \
++ UNWIND_HINT_EMPTY; \
+ pause; \
+ lfence; \
+ jmp 775b; \
+@@ -152,6 +158,7 @@
+ .endm
+ 
+ .macro ISSUE_UNBALANCED_RET_GUARD
++ ANNOTATE_INTRA_FUNCTION_CALL;
+ call .Lunbalanced_ret_guard_\@
+ int3
+ .Lunbalanced_ret_guard_\@:
-- 
2.47.3
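Review bot: The two `#include` lines added at the top of nospec-branch.h are placed immediately before the existing `/*` comment block with nothing separating them (the second `++#include` is directly followed by `+ /*`), which breaks the file's spacing between the include list and the comment; one added blank line after the second include would restore it. The header names on those two lines are not legible on this page, so I cannot check that the header defining ANNOTATE_INTRA_FUNCTION_CALL in this tree (include/linux/frame.h, per the companion objtool patch in this series) is the one being pulled in. The annotation and unwind-hint macros are expected to expand to `.discard` section entries only and to emit no instructions, so the RSB stuffing sequence in `__FILL_RETURN_BUFFER` should be unchanged at the machine-code level; comparing the disassembly of one user of the macro before and after the patch is the cheap way to confirm that for the 5.4 definitions. The `__FILL_RETURN_BUFFER` macro body continues past the end of the second hunk.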