5.15-stable patches

added patches:
	selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch

diff --git a/queue-5.15/selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch b/queue-5.15/selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch
new file mode 100644 (file)
index 0000000..a5c8688
--- /dev/null
+++ b/queue-5.15/selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch
@@ -0,0 +1,52 @@
+From 13c6a37d409db9abc9c0bfc6d0a2f07bf0fff60e Mon Sep 17 00:00:00 2001
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Date: Sun, 20 Feb 2022 08:01:38 +0530
+Subject: selftests/bpf: Add test for reg2btf_ids out of bounds access
+
+From: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+
+commit 13c6a37d409db9abc9c0bfc6d0a2f07bf0fff60e upstream.
+
+This test tries to pass a PTR_TO_BTF_ID_OR_NULL to the release function,
+which would trigger a out of bounds access without the fix in commit
+45ce4b4f9009 ("bpf: Fix crash due to out of bounds access into reg2btf_ids.")
+but after the fix, it should only index using base_type(reg->type),
+which should be less than __BPF_REG_TYPE_MAX, and also not permit any
+type flags to be set for the reg->type.
+
+Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Link: https://lore.kernel.org/bpf/20220220023138.2224652-1-memxor@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ tools/testing/selftests/bpf/verifier/calls.c |   19 +++++++++++++++++++
+ 1 file changed, 19 insertions(+)
+
+--- a/tools/testing/selftests/bpf/verifier/calls.c
++++ b/tools/testing/selftests/bpf/verifier/calls.c
+@@ -108,6 +108,25 @@
+       .errstr = "R0 min value is outside of the allowed memory range",
+ },
+ {
++      "calls: trigger reg2btf_ids[reg->type] for reg->type > __BPF_REG_TYPE_MAX",
++      .insns = {
++      BPF_MOV64_REG(BPF_REG_1, BPF_REG_10),
++      BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, -8),
++      BPF_ST_MEM(BPF_DW, BPF_REG_1, 0, 0),
++      BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
++      BPF_MOV64_REG(BPF_REG_1, BPF_REG_0),
++      BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, BPF_PSEUDO_KFUNC_CALL, 0, 0),
++      BPF_EXIT_INSN(),
++      },
++      .prog_type = BPF_PROG_TYPE_SCHED_CLS,
++      .result = REJECT,
++      .errstr = "arg#0 pointer type STRUCT prog_test_ref_kfunc must point",
++      .fixup_kfunc_btf_id = {
++              { "bpf_kfunc_call_test_acquire", 3 },
++              { "bpf_kfunc_call_test_release", 5 },
++      },
++},
++{
+       "calls: overlapping caller/callee",
+       .insns = {
+       BPF_RAW_INSN(BPF_JMP | BPF_CALL, 0, 1, 0, 0),

diff --git a/queue-5.15/series b/queue-5.15/series
index 79a632b3ff52b11e6f780061beca46791ed464ad..82b6d7faf06f69eff250a48d95add88b76c87a18 100644 (file)
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -30,3 +30,4 @@ gfs2-fix-mmap-page-fault-deadlocks-for-direct-i-o.patch
 btrfs-fix-deadlock-due-to-page-faults-during-direct-io-reads-and-writes.patch
 btrfs-fallback-to-blocking-mode-when-doing-async-dio-over-multiple-extents.patch
 mm-gup-make-fault_in_safe_writeable-use-fixup_user_fault.patch
+selftests-bpf-add-test-for-reg2btf_ids-out-of-bounds-access.patch