5.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Jan 2021 13:33:56 +0000 (14:33 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 21 Jan 2021 13:33:56 +0000 (14:33 +0100)
added patches:
bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch
bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch
bpf-fix-signed_-sub-add32-_overflows-type-handling.patch
bpf-support-ptr_to_mem-_or_null-register-spilling.patch
nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch
x.509-fix-crash-caused-by-null-pointer.patch

queue-5.10/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch [new file with mode: 0644]
queue-5.10/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch [new file with mode: 0644]
queue-5.10/bpf-fix-signed_-sub-add32-_overflows-type-handling.patch [new file with mode: 0644]
queue-5.10/bpf-support-ptr_to_mem-_or_null-register-spilling.patch [new file with mode: 0644]
queue-5.10/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch [new file with mode: 0644]
queue-5.10/series
queue-5.10/x.509-fix-crash-caused-by-null-pointer.patch [new file with mode: 0644]

diff --git a/queue-5.10/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch b/queue-5.10/bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch
new file mode 100644 (file)
index 0000000..bb442fc
--- /dev/null
@@ -0,0 +1,43 @@
+From 4be34f3d0731b38a1b24566b37fbb39500aaf3a2 Mon Sep 17 00:00:00 2001
+From: Stanislav Fomichev <sdf@google.com>
+Date: Tue, 12 Jan 2021 08:28:29 -0800
+Subject: bpf: Don't leak memory in bpf getsockopt when optlen == 0
+
+From: Stanislav Fomichev <sdf@google.com>
+
+commit 4be34f3d0731b38a1b24566b37fbb39500aaf3a2 upstream.
+
+optlen == 0 indicates that the kernel should ignore BPF buffer
+and use the original one from the user. We, however, forget
+to free the temporary buffer that we've allocated for BPF.
+
+Fixes: d8fe449a9c51 ("bpf: Don't return EINVAL from {get,set}sockopt when optlen > PAGE_SIZE")
+Reported-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Stanislav Fomichev <sdf@google.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/20210112162829.775079-1-sdf@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/cgroup.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/kernel/bpf/cgroup.c
++++ b/kernel/bpf/cgroup.c
+@@ -1391,12 +1391,13 @@ int __cgroup_bpf_run_filter_setsockopt(s
+               if (ctx.optlen != 0) {
+                       *optlen = ctx.optlen;
+                       *kernel_optval = ctx.optval;
++                      /* export and don't free sockopt buf */
++                      return 0;
+               }
+       }
+ out:
+-      if (ret)
+-              sockopt_free_buf(&ctx);
++      sockopt_free_buf(&ctx);
+       return ret;
+ }
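Review bot: The new early return at L60 transfers ownership of ctx.optval to the caller through *kernel_optval, but the comment `/* export and don't free sockopt buf */` does not say who frees it afterwards; I would spell that out as `/* ctx.optval now belongs to the caller via *kernel_optval; it must not be freed here */` so the next reader of sockopt_free_buf() at the out: label understands why this path skips it. The `return 0` also hard-codes success instead of returning ret; that is presumably correct because this branch is only reached when ret is already 0, but `return ret` would keep the function's single-value convention and survive future changes to the surrounding condition. __cgroup_bpf_run_filter_setsockopt() starts outside the hunk, so the value of ret at this point cannot be confirmed here.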
diff --git a/queue-5.10/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch b/queue-5.10/bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch
new file mode 100644 (file)
index 0000000..899c9f6
--- /dev/null
@@ -0,0 +1,36 @@
+From 301a33d51880619d0c5a581b5a48d3a5248fa84b Mon Sep 17 00:00:00 2001
+From: Mircea Cirjaliu <mcirjaliu@bitdefender.com>
+Date: Tue, 19 Jan 2021 21:53:18 +0100
+Subject: bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback
+
+From: Mircea Cirjaliu <mcirjaliu@bitdefender.com>
+
+commit 301a33d51880619d0c5a581b5a48d3a5248fa84b upstream.
+
+I assume this was obtained by copy/paste. Point it to bpf_map_peek_elem()
+instead of bpf_map_pop_elem(). In practice it may have been less likely
+hit when under JIT given shielded via 84430d4232c3 ("bpf, verifier: avoid
+retpoline for map push/pop/peek operation").
+
+Fixes: f1a2e44a3aec ("bpf: add queue and stack maps")
+Signed-off-by: Mircea Cirjaliu <mcirjaliu@bitdefender.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Cc: Mauricio Vasquez <mauriciovasquezbernal@gmail.com>
+Link: https://lore.kernel.org/bpf/AM7PR02MB6082663DFDCCE8DA7A6DD6B1BBA30@AM7PR02MB6082.eurprd02.prod.outlook.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/helpers.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/bpf/helpers.c
++++ b/kernel/bpf/helpers.c
+@@ -108,7 +108,7 @@ BPF_CALL_2(bpf_map_peek_elem, struct bpf
+ }
+ const struct bpf_func_proto bpf_map_peek_elem_proto = {
+-      .func           = bpf_map_pop_elem,
++      .func           = bpf_map_peek_elem,
+       .gpl_only       = false,
+       .ret_type       = RET_INTEGER,
+       .arg1_type      = ARG_CONST_MAP_PTR,
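Review bot: Changing `.func` to bpf_map_peek_elem makes the rest of this prototype the contract the verifier enforces for the peek helper, and only `.ret_type` and `.arg1_type` are visible in the hunk; the remaining `.arg2_type` lies outside the hunk and, given that the description attributes the bug to copy/paste from the pop proto, it should be checked against the second parameter of the BPF_CALL_2(bpf_map_peek_elem, ...) definition named in the hunk header. A short comment tying the two together, such as `/* must match BPF_CALL_2(bpf_map_peek_elem, ...) above */`, would make a repeat of this mix-up easier to spot in review.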
diff --git a/queue-5.10/bpf-fix-signed_-sub-add32-_overflows-type-handling.patch b/queue-5.10/bpf-fix-signed_-sub-add32-_overflows-type-handling.patch
new file mode 100644 (file)
index 0000000..f9392d3
--- /dev/null
@@ -0,0 +1,57 @@
+From bc895e8b2a64e502fbba72748d59618272052a8b Mon Sep 17 00:00:00 2001
+From: Daniel Borkmann <daniel@iogearbox.net>
+Date: Wed, 20 Jan 2021 00:24:24 +0100
+Subject: bpf: Fix signed_{sub,add32}_overflows type handling
+
+From: Daniel Borkmann <daniel@iogearbox.net>
+
+commit bc895e8b2a64e502fbba72748d59618272052a8b upstream.
+
+Fix incorrect signed_{sub,add32}_overflows() input types (and a related buggy
+comment). It looks like this might have slipped in via copy/paste issue, also
+given prior to 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking")
+the signature of signed_sub_overflows() had s64 a and s64 b as its input args
+whereas now they are truncated to s32. Thus restore proper types. Also, the case
+of signed_add32_overflows() is not consistent to signed_sub32_overflows(). Both
+have s32 as inputs, therefore align the former.
+
+Fixes: 3f50f132d840 ("bpf: Verifier, do explicit ALU32 bounds tracking")
+Reported-by: De4dCr0w <sa516203@mail.ustc.edu.cn>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Reviewed-by: John Fastabend <john.fastabend@gmail.com>
+Acked-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/verifier.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -5255,7 +5255,7 @@ static bool signed_add_overflows(s64 a,
+       return res < a;
+ }
+-static bool signed_add32_overflows(s64 a, s64 b)
++static bool signed_add32_overflows(s32 a, s32 b)
+ {
+       /* Do the add in u32, where overflow is well-defined */
+       s32 res = (s32)((u32)a + (u32)b);
+@@ -5265,7 +5265,7 @@ static bool signed_add32_overflows(s64 a
+       return res < a;
+ }
+-static bool signed_sub_overflows(s32 a, s32 b)
++static bool signed_sub_overflows(s64 a, s64 b)
+ {
+       /* Do the sub in u64, where overflow is well-defined */
+       s64 res = (s64)((u64)a - (u64)b);
+@@ -5277,7 +5277,7 @@ static bool signed_sub_overflows(s32 a,
+ static bool signed_sub32_overflows(s32 a, s32 b)
+ {
+-      /* Do the sub in u64, where overflow is well-defined */
++      /* Do the sub in u32, where overflow is well-defined */
+       s32 res = (s32)((u32)a - (u32)b);
+       if (b < 0)
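Review bot: The three helpers now have width-specific signatures, but nothing in the code states the contract that the inputs must already be bounds of the matching width; the check `return res < a;` (L145, L153) is only meaningful when res and a are the same width, which is exactly what the old `s64 a, s64 b` signature on signed_add32_overflows broke. I would add a one-line comment to each 32-bit helper, e.g. `/* a, b are 32-bit (sub-register) bounds; s64 callers would be silently truncated */`, and the mirror note on the s64 variants. Note that an s64 argument passed to the s32 helpers is still accepted by the compiler without a warning unless -Wconversion is in effect, so the comment is the only guard readers get. Each function body continues outside its hunk.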
diff --git a/queue-5.10/bpf-support-ptr_to_mem-_or_null-register-spilling.patch b/queue-5.10/bpf-support-ptr_to_mem-_or_null-register-spilling.patch
new file mode 100644 (file)
index 0000000..0bbe0d6
--- /dev/null
@@ -0,0 +1,38 @@
+From 744ea4e3885eccb6d332a06fae9eb7420a622c0f Mon Sep 17 00:00:00 2001
+From: Gilad Reti <gilad.reti@gmail.com>
+Date: Wed, 13 Jan 2021 07:38:07 +0200
+Subject: bpf: Support PTR_TO_MEM{,_OR_NULL} register spilling
+
+From: Gilad Reti <gilad.reti@gmail.com>
+
+commit 744ea4e3885eccb6d332a06fae9eb7420a622c0f upstream.
+
+Add support for pointer to mem register spilling, to allow the verifier
+to track pointers to valid memory addresses. Such pointers are returned
+for example by a successful call of the bpf_ringbuf_reserve helper.
+
+The patch was partially contributed by CyberArk Software, Inc.
+
+Fixes: 457f44363a88 ("bpf: Implement BPF ring buffer and verifier support for it")
+Suggested-by: Yonghong Song <yhs@fb.com>
+Signed-off-by: Gilad Reti <gilad.reti@gmail.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: KP Singh <kpsingh@kernel.org>
+Link: https://lore.kernel.org/bpf/20210113053810.13518-1-gilad.reti@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/bpf/verifier.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2214,6 +2214,8 @@ static bool is_spillable_regtype(enum bp
+       case PTR_TO_RDWR_BUF:
+       case PTR_TO_RDWR_BUF_OR_NULL:
+       case PTR_TO_PERCPU_BTF_ID:
++      case PTR_TO_MEM:
++      case PTR_TO_MEM_OR_NULL:
+               return true;
+       default:
+               return false;
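Review bot: Marking PTR_TO_MEM and PTR_TO_MEM_OR_NULL as spillable is only safe if the fill path restores everything the verifier attaches to such a register — its size and, for the bpf_ringbuf_reserve case named in the description, the reference id that later has to be released; the hunk cannot show whether the spill copies the full register state, so that should be confirmed in the spill/fill code rather than assumed. A verifier selftest that reserves a ringbuf record, spills and fills the pointer across a stack slot, and then submits it would pin both the size tracking and the reference accounting for these two new cases. is_spillable_regtype() starts before the hunk; the `default: return false;` fallback is the conservative choice and is unchanged.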
diff --git a/queue-5.10/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch b/queue-5.10/nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch
new file mode 100644 (file)
index 0000000..bd31685
--- /dev/null
@@ -0,0 +1,52 @@
+From 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6 Mon Sep 17 00:00:00 2001
+From: "J. Bruce Fields" <bfields@redhat.com>
+Date: Mon, 11 Jan 2021 16:01:29 -0500
+Subject: nfsd4: readdirplus shouldn't return parent of export
+
+From: J. Bruce Fields <bfields@redhat.com>
+
+commit 51b2ee7d006a736a9126e8111d1f24e4fd0afaa6 upstream.
+
+If you export a subdirectory of a filesystem, a READDIRPLUS on the root
+of that export will return the filehandle of the parent with the ".."
+entry.
+
+The filehandle is optional, so let's just not return the filehandle for
+".." if we're at the root of an export.
+
+Note that once the client learns one filehandle outside of the export,
+they can trivially access the rest of the export using further lookups.
+
+However, it is also not very difficult to guess filehandles outside of
+the export.  So exporting a subdirectory of a filesystem should
+considered equivalent to providing access to the entire filesystem.  To
+avoid confusion, we recommend only exporting entire filesystems.
+
+Reported-by: Youjipeng <wangzhibei1999@gmail.com>
+Signed-off-by: J. Bruce Fields <bfields@redhat.com>
+Cc: stable@vger.kernel.org
+Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/nfsd/nfs3xdr.c |    7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/fs/nfsd/nfs3xdr.c
++++ b/fs/nfsd/nfs3xdr.c
+@@ -863,9 +863,14 @@ compose_entry_fh(struct nfsd3_readdirres
+       if (isdotent(name, namlen)) {
+               if (namlen == 2) {
+                       dchild = dget_parent(dparent);
+-                      /* filesystem root - cannot return filehandle for ".." */
++                      /*
++                       * Don't return filehandle for ".." if we're at
++                       * the filesystem or export root:
++                       */
+                       if (dchild == dparent)
+                               goto out;
++                      if (dparent == exp->ex_path.dentry)
++                              goto out;
+               } else
+                       dchild = dget(dparent);
+       } else
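Review bot: The new comment on L256-L259 describes what is skipped but not why it is safe to treat this as a convenience rather than a boundary; the commit message is explicit that filehandles outside the export are guessable, and that caveat belongs next to the code so nobody later "hardens" other paths on the assumption that this check hides the parent. I would extend it to `* Not a security boundary: filehandles outside the export remain guessable.`. As a style point, the two consecutive `goto out` tests on the same dchild/dparent pair read more clearly as one condition, `if (dchild == dparent || dparent == exp->ex_path.dentry) goto out;`. Both jumps leave with the reference taken by dget_parent() on L254 still held, so the out: label (outside the hunk) presumably drops dchild; compose_entry_fh() starts and ends outside the hunk.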
index 5eeab8fe3dd437c94c0c4c10a3843724927a0f34..1aa99126a5aa9e97eb4c060d3d76a580477a18bd 100644 (file)
@@ -2,3 +2,9 @@ revert-kconfig-remove-kvmconfig-and-xenconfig-shorthands.patch
 bpf-fix-selftest-compilation-on-clang-11.patch
 x86-hyperv-initialize-clockevents-after-lapic-is-ini.patch
 drm-amdgpu-display-drop-dcn-support-for-aarch64.patch
+bpf-fix-signed_-sub-add32-_overflows-type-handling.patch
+x.509-fix-crash-caused-by-null-pointer.patch
+nfsd4-readdirplus-shouldn-t-return-parent-of-export.patch
+bpf-don-t-leak-memory-in-bpf-getsockopt-when-optlen-0.patch
+bpf-support-ptr_to_mem-_or_null-register-spilling.patch
+bpf-fix-helper-bpf_map_peek_elem_proto-pointing-to-wrong-callback.patch
diff --git a/queue-5.10/x.509-fix-crash-caused-by-null-pointer.patch b/queue-5.10/x.509-fix-crash-caused-by-null-pointer.patch
new file mode 100644 (file)
index 0000000..aad6a42
--- /dev/null
@@ -0,0 +1,51 @@
+From 7178a107f5ea7bdb1cc23073234f0ded0ef90ec7 Mon Sep 17 00:00:00 2001
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Date: Tue, 19 Jan 2021 00:13:19 +0000
+Subject: X.509: Fix crash caused by NULL pointer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+
+commit 7178a107f5ea7bdb1cc23073234f0ded0ef90ec7 upstream.
+
+On the following call path, `sig->pkey_algo` is not assigned
+in asymmetric_key_verify_signature(), which causes runtime
+crash in public_key_verify_signature().
+
+  keyctl_pkey_verify
+    asymmetric_key_verify_signature
+      verify_signature
+        public_key_verify_signature
+
+This patch simply check this situation and fixes the crash
+caused by NULL pointer.
+
+Fixes: 215525639631 ("X.509: support OSCCA SM2-with-SM3 certificate verification")
+Reported-by: Tobias Markus <tobias@markus-regensburg.de>
+Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Reviewed-and-tested-by: Toke Høiland-Jørgensen <toke@redhat.com>
+Tested-by: João Fonseca <jpedrofonseca@ua.pt>
+Acked-by: Jarkko Sakkinen <jarkko@kernel.org>
+Cc: stable@vger.kernel.org # v5.10+
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ crypto/asymmetric_keys/public_key.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/crypto/asymmetric_keys/public_key.c
++++ b/crypto/asymmetric_keys/public_key.c
+@@ -356,7 +356,8 @@ int public_key_verify_signature(const st
+       if (ret)
+               goto error_free_key;
+-      if (strcmp(sig->pkey_algo, "sm2") == 0 && sig->data_size) {
++      if (sig->pkey_algo && strcmp(sig->pkey_algo, "sm2") == 0 &&
++          sig->data_size) {
+               ret = cert_sig_digest_update(sig, tfm);
+               if (ret)
+                       goto error_free_key;
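Review bot: The added NULL test protects only this strcmp(); the description says sig->pkey_algo is left unassigned on the keyctl_pkey_verify() path, so any other dereference of sig->pkey_algo in public_key_verify_signature() (the function starts and ends outside the hunk) needs the same guard, and that should be checked rather than assumed fixed by this one line. The condition also deserves a comment explaining the surprising NULL, e.g. `/* pkey_algo is unset when called via keyctl_pkey_verify(); NULL means "not sm2" */`, otherwise a later cleanup may drop the check as redundant. Since the call path in the description is driven from the keyctl syscall, a regression test exercising keyctl pkey_verify against a non-SM2 key would pin the fix.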