--- /dev/null
+From 1a1c130ab7575498eed5bcf7220037ae09cd1f8a Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 23 Mar 2021 20:26:52 +0100
+Subject: ACPI: tables: x86: Reserve memory occupied by ACPI tables
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 1a1c130ab7575498eed5bcf7220037ae09cd1f8a upstream.
+
+The following problem has been reported by George Kennedy:
+
+ Since commit 7fef431be9c9 ("mm/page_alloc: place pages to tail
+ in __free_pages_core()") the following use after free occurs
+ intermittently when ACPI tables are accessed.
+
+ BUG: KASAN: use-after-free in ibft_init+0x134/0xc49
+ Read of size 4 at addr ffff8880be453004 by task swapper/0/1
+ CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1-7a7fd0d #1
+ Call Trace:
+ dump_stack+0xf6/0x158
+ print_address_description.constprop.9+0x41/0x60
+ kasan_report.cold.14+0x7b/0xd4
+ __asan_report_load_n_noabort+0xf/0x20
+ ibft_init+0x134/0xc49
+ do_one_initcall+0xc4/0x3e0
+ kernel_init_freeable+0x5af/0x66b
+ kernel_init+0x16/0x1d0
+ ret_from_fork+0x22/0x30
+
+ ACPI tables mapped via kmap() do not have their mapped pages
+ reserved and the pages can be "stolen" by the buddy allocator.
+
+Apparently, on the affected system, the ACPI table in question is
+not located in "reserved" memory, like ACPI NVS or ACPI Data, that
+will not be used by the buddy allocator, so the memory occupied by
+that table has to be explicitly reserved to prevent the buddy
+allocator from using it.
+
+In order to address this problem, rearrange the initialization of the
+ACPI tables on x86 to locate the initial tables earlier and reserve
+the memory occupied by them.
+
+The other architectures using ACPI should not be affected by this
+change.
+
+Link: https://lore.kernel.org/linux-acpi/1614802160-29362-1-git-send-email-george.kennedy@oracle.com/
+Reported-by: George Kennedy <george.kennedy@oracle.com>
+Tested-by: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Reviewed-by: Mike Rapoport <rppt@linux.ibm.com>
+Cc: 5.10+ <stable@vger.kernel.org> # 5.10+
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/acpi/boot.c | 25 ++++++++++++-------------
+ arch/x86/kernel/setup.c | 8 +++-----
+ drivers/acpi/tables.c | 42 +++++++++++++++++++++++++++++++++++++++---
+ include/linux/acpi.h | 9 ++++++++-
+ 4 files changed, 62 insertions(+), 22 deletions(-)
+
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -1553,10 +1553,18 @@ void __init acpi_boot_table_init(void)
+ /*
+ * Initialize the ACPI boot-time table parser.
+ */
+- if (acpi_table_init()) {
++ if (acpi_locate_initial_tables())
+ disable_acpi();
+- return;
+- }
++ else
++ acpi_reserve_initial_tables();
++}
++
++int __init early_acpi_boot_init(void)
++{
++ if (acpi_disabled)
++ return 1;
++
++ acpi_table_init_complete();
+
+ acpi_table_parse(ACPI_SIG_BOOT, acpi_parse_sbf);
+
+@@ -1569,18 +1577,9 @@ void __init acpi_boot_table_init(void)
+ } else {
+ printk(KERN_WARNING PREFIX "Disabling ACPI support\n");
+ disable_acpi();
+- return;
++ return 1;
+ }
+ }
+-}
+-
+-int __init early_acpi_boot_init(void)
+-{
+- /*
+- * If acpi_disabled, bail out
+- */
+- if (acpi_disabled)
+- return 1;
+
+ /*
+ * Process the Multiple APIC Description Table (MADT), if present
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1129,6 +1129,9 @@ void __init setup_arch(char **cmdline_p)
+
+ cleanup_highmap();
+
++ /* Look for ACPI tables and reserve memory occupied by them. */
++ acpi_boot_table_init();
++
+ memblock_set_current_limit(ISA_END_ADDRESS);
+ e820__memblock_setup();
+
+@@ -1218,11 +1221,6 @@ void __init setup_arch(char **cmdline_p)
+
+ early_platform_quirks();
+
+- /*
+- * Parse the ACPI tables for possible boot-time SMP configuration.
+- */
+- acpi_boot_table_init();
+-
+ early_acpi_boot_init();
+
+ initmem_init();
+--- a/drivers/acpi/tables.c
++++ b/drivers/acpi/tables.c
+@@ -726,7 +726,7 @@ acpi_os_table_override(struct acpi_table
+ }
+
+ /*
+- * acpi_table_init()
++ * acpi_locate_initial_tables()
+ *
+ * find RSDP, find and checksum SDT/XSDT.
+ * checksum all tables, print SDT/XSDT
+@@ -734,7 +734,7 @@ acpi_os_table_override(struct acpi_table
+ * result: sdt_entry[] is initialized
+ */
+
+-int __init acpi_table_init(void)
++int __init acpi_locate_initial_tables(void)
+ {
+ acpi_status status;
+
+@@ -749,9 +749,45 @@ int __init acpi_table_init(void)
+ status = acpi_initialize_tables(initial_tables, ACPI_MAX_TABLES, 0);
+ if (ACPI_FAILURE(status))
+ return -EINVAL;
+- acpi_table_initrd_scan();
+
++ return 0;
++}
++
++void __init acpi_reserve_initial_tables(void)
++{
++ int i;
++
++ for (i = 0; i < ACPI_MAX_TABLES; i++) {
++ struct acpi_table_desc *table_desc = &initial_tables[i];
++ u64 start = table_desc->address;
++ u64 size = table_desc->length;
++
++ if (!start || !size)
++ break;
++
++ pr_info("Reserving %4s table memory at [mem 0x%llx-0x%llx]\n",
++ table_desc->signature.ascii, start, start + size - 1);
++
++ memblock_reserve(start, size);
++ }
++}
++
++void __init acpi_table_init_complete(void)
++{
++ acpi_table_initrd_scan();
+ check_multiple_madt();
++}
++
++int __init acpi_table_init(void)
++{
++ int ret;
++
++ ret = acpi_locate_initial_tables();
++ if (ret)
++ return ret;
++
++ acpi_table_init_complete();
++
+ return 0;
+ }
+
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -228,10 +228,14 @@ void __iomem *__acpi_map_table(unsigned
+ void __acpi_unmap_table(void __iomem *map, unsigned long size);
+ int early_acpi_boot_init(void);
+ int acpi_boot_init (void);
++void acpi_boot_table_prepare (void);
+ void acpi_boot_table_init (void);
+ int acpi_mps_check (void);
+ int acpi_numa_init (void);
+
++int acpi_locate_initial_tables (void);
++void acpi_reserve_initial_tables (void);
++void acpi_table_init_complete (void);
+ int acpi_table_init (void);
+ int acpi_table_parse(char *id, acpi_tbl_table_handler handler);
+ int __init acpi_table_parse_entries(char *id, unsigned long table_size,
+@@ -714,9 +718,12 @@ static inline int acpi_boot_init(void)
+ return 0;
+ }
+
++static inline void acpi_boot_table_prepare(void)
++{
++}
++
+ static inline void acpi_boot_table_init(void)
+ {
+- return;
+ }
+
+ static inline int acpi_mps_check(void)
--- /dev/null
+From 6998a8800d73116187aad542391ce3b2dd0f9e30 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki" <rafael.j.wysocki@intel.com>
+Date: Tue, 13 Apr 2021 16:01:00 +0200
+Subject: ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()
+
+From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+
+commit 6998a8800d73116187aad542391ce3b2dd0f9e30 upstream.
+
+Commit 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by
+ACPI tables") attempted to address an issue with reserving the memory
+occupied by ACPI tables, but it broke the initrd-based table override
+mechanism relied on by multiple users.
+
+To restore the initrd-based ACPI table override functionality, move
+the acpi_boot_table_init() invocation in setup_arch() on x86 after
+the acpi_table_upgrade() one.
+
+Fixes: 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by ACPI tables")
+Reported-by: Hans de Goede <hdegoede@redhat.com>
+Tested-by: Hans de Goede <hdegoede@redhat.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Cc: George Kennedy <george.kennedy@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ arch/x86/kernel/setup.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1129,9 +1129,6 @@ void __init setup_arch(char **cmdline_p)
+
+ cleanup_highmap();
+
+- /* Look for ACPI tables and reserve memory occupied by them. */
+- acpi_boot_table_init();
+-
+ memblock_set_current_limit(ISA_END_ADDRESS);
+ e820__memblock_setup();
+
+@@ -1214,6 +1211,8 @@ void __init setup_arch(char **cmdline_p)
+ reserve_initrd();
+
+ acpi_table_upgrade();
++ /* Look for ACPI tables and reserve memory occupied by them. */
++ acpi_boot_table_init();
+
+ vsmp_init();
+
--- /dev/null
+From fllinden@amazon.com Sun May 2 13:07:04 2021
+From: Frank van der Linden <fllinden@amazon.com>
+Date: Sat, 1 May 2021 18:05:05 +0000
+Subject: bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged"
+To: <stable@vger.kernel.org>
+Cc: <bpf@vger.kernel.org>, <samjonas@amazon.com>
+Message-ID: <20210501180506.19154-2-fllinden@amazon.com>
+
+From: Samuel Mendoza-Jonas <samjonas@amazon.com>
+
+The 4.14 backport of 9d7eceede ("bpf: restrict unknown scalars of mixed
+signed bounds for unprivileged") adds the PTR_TO_MAP_VALUE check to the
+wrong location in adjust_ptr_min_max_vals(), most likely because 4.14
+doesn't include the commit that updates the if-statement to a
+switch-statement (aad2eeaf4 "bpf: Simplify ptr_min_max_vals adjustment").
+
+Move the check to the proper location in adjust_ptr_min_max_vals().
+
+Fixes: 17efa65350c5a ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged")
+Signed-off-by: Samuel Mendoza-Jonas <samjonas@amazon.com>
+Reviewed-by: Frank van der Linden <fllinden@amazon.com>
+Reviewed-by: Ethan Chen <yishache@amazon.com>
+Acked-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ kernel/bpf/verifier.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2204,6 +2204,13 @@ static int adjust_ptr_min_max_vals(struc
+ dst);
+ return -EACCES;
+ }
++ if (ptr_reg->type == PTR_TO_MAP_VALUE) {
++ if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
++ verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
++ off_reg == dst_reg ? dst : src);
++ return -EACCES;
++ }
++ }
+
+ /* In case of 'scalar += pointer', dst_reg inherits pointer type and id.
+ * The id may be overwritten later if we create a new variable offset.
+@@ -2349,13 +2356,6 @@ static int adjust_ptr_min_max_vals(struc
+ verbose("R%d bitwise operator %s on pointer prohibited\n",
+ dst, bpf_alu_string[opcode >> 4]);
+ return -EACCES;
+- case PTR_TO_MAP_VALUE:
+- if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
+- verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
+- off_reg == dst_reg ? dst : src);
+- return -EACCES;
+- }
+- /* fall-through */
+ default:
+ /* other operators (e.g. MUL,LSH) produce non-pointer results */
+ if (!env->allow_ptr_leaks)
--- /dev/null
+From fllinden@amazon.com Sun May 2 13:07:20 2021
+From: Frank van der Linden <fllinden@amazon.com>
+Date: Sat, 1 May 2021 18:05:06 +0000
+Subject: bpf: fix up selftests after backports were fixed
+To: <stable@vger.kernel.org>
+Cc: <bpf@vger.kernel.org>, <samjonas@amazon.com>
+Message-ID: <20210501180506.19154-3-fllinden@amazon.com>
+
+From: Frank van der Linden <fllinden@amazon.com>
+
+After the backport of the changes to fix CVE 2019-7308, the
+selftests also need to be fixed up, as was done originally
+in mainline 80c9b2fae87b ("bpf: add various test cases to selftests").
+
+4.14 commit 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308")
+did that, but since there was an error in the backport, some
+selftests did not change output. So, add them now that this error
+has been fixed, and their output has actually changed as expected.
+
+This adds the rest of the changed test outputs from 80c9b2fae87b.
+
+Fixes: 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308")
+Signed-off-by: Frank van der Linden <fllinden@amazon.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/test_verifier.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/tools/testing/selftests/bpf/test_verifier.c
++++ b/tools/testing/selftests/bpf/test_verifier.c
+@@ -6207,6 +6207,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6231,6 +6232,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6257,6 +6259,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6282,6 +6285,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6330,6 +6334,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6401,6 +6406,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6452,6 +6458,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6479,6 +6486,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6505,6 +6513,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6534,6 +6543,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6592,6 +6602,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ .result_unpriv = REJECT,
+ },
+@@ -6644,6 +6655,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
usbip-vudc-synchronize-sysfs-code-paths.patch
+acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
+acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
+bpf-fix-backport-of-bpf-restrict-unknown-scalars-of-mixed-signed-bounds-for-unprivileged.patch
+bpf-fix-up-selftests-after-backports-were-fixed.patch
erofs-fix-extended-inode-could-cross-boundary.patch
+acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
+acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
--- /dev/null
+mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
+netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
--- /dev/null
+mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
+netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
--- /dev/null
+mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
+netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
--- /dev/null
+mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
+acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
+acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
