From: Greg Kroah-Hartman
Date: Fri, 29 Apr 2022 09:03:02 +0000 (+0200)
Subject: 4.19-stable patches
X-Git-Tag: v4.19.241~13
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e1c8f03e68626f13fe212bb0b0236686053d6400;p=thirdparty%2Fkernel%2Fstable-queue.git

4.19-stable patches

added patches:
ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch
revert-ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch
revert-ia64-kprobes-use-generic-kretprobe-trampoline-handler.patch
---
diff --git a/queue-4.19/ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch b/queue-4.19/ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch
new file mode 100644
index 00000000000..7a9b8881a35
--- /dev/null
+++ b/queue-4.19/ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch
@@ -0,0 +1,82 @@
+From foo@baz Fri Apr 29 10:57:56 AM CEST 2022
+From: Masami Hiramatsu
+Date: Tue, 26 Apr 2022 23:26:24 +0900
+Subject: ia64: kprobes: Fix to pass correct trampoline address to the handler
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: mhiramat@kernel.org, linux-kernel@vger.kernel.org, Ingo Molnar , Sasha Levin
+Message-ID: <165098318419.1366179.670272113133163758.stgit@devnote2>
+
+From: Masami Hiramatsu
+
+commit a7fe2378454cf46cd5e2776d05e72bbe8f0a468c upstream.
+
+The following commit:
+
+ Commit e792ff804f49 ("ia64: kprobes: Use generic kretprobe trampoline handler")
+
+Passed the wrong trampoline address to __kretprobe_trampoline_handler(): it
+passes the descriptor address instead of function entry address.
+
+Pass the right parameter.
+
+Also use correct symbol dereference function to get the function address
+from 'kretprobe_trampoline' - an IA64 special.
+
+Link: https://lkml.kernel.org/r/163163042696.489837.12551102356265354730.stgit@devnote2
+
+Fixes: e792ff804f49 ("ia64: kprobes: Use generic kretprobe trampoline handler")
+Cc: Josh Poimboeuf
+Cc: Ingo Molnar
+Cc: X86 ML
+Cc: Daniel Xu
+Cc: Thomas Gleixner
+Cc: Borislav Petkov
+Cc: Peter Zijlstra
+Cc: Abhishek Sagar
+Cc: Andrii Nakryiko
+Cc: Paul McKenney
+Cc: stable@vger.kernel.org
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Steven Rostedt (VMware)
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/ia64/kernel/kprobes.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/ia64/kernel/kprobes.c
++++ b/arch/ia64/kernel/kprobes.c
+@@ -424,7 +424,7 @@ int __kprobes trampoline_probe_handler(s
+ struct hlist_node *tmp;
+ unsigned long flags, orig_ret_address = 0;
+ unsigned long trampoline_address =
+- ((struct fnptr *)kretprobe_trampoline)->ip;
++ (unsigned long)dereference_function_descriptor(kretprobe_trampoline);
+ 
+ INIT_HLIST_HEAD(&empty_rp);
+ kretprobe_hash_lock(current, &head, &flags);
+@@ -500,7 +500,7 @@ void __kprobes arch_prepare_kretprobe(st
+ ri->ret_addr = (kprobe_opcode_t *)regs->b0;
+ 
+ /* Replace the return addr with trampoline addr */
+- regs->b0 = ((struct fnptr *)kretprobe_trampoline)->ip;
++ regs->b0 = (unsigned long)dereference_function_descriptor(kretprobe_trampoline);
+ }
+ 
+ /* Check the instruction in the slot is break */
+@@ -1030,14 +1030,14 @@ static struct kprobe trampoline_p = {
+ int __init arch_init_kprobes(void)
+ {
+ trampoline_p.addr =
+- (kprobe_opcode_t *)((struct fnptr *)kretprobe_trampoline)->ip;
++ dereference_function_descriptor(kretprobe_trampoline);
+ return register_kprobe(&trampoline_p);
+ }
+ 
+ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+ {
+ if (p->addr ==
+- (kprobe_opcode_t *)((struct fnptr *)kretprobe_trampoline)->ip)
++ dereference_function_descriptor(kretprobe_trampoline))
+ return 1;
+ 
+ return 0;
diff --git a/queue-4.19/revert-ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch b/queue-4.19/revert-ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch
new file mode 100644
index 00000000000..ef479d1c7ad
--- /dev/null
+++ b/queue-4.19/revert-ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch
@@ -0,0 +1,61 @@
+From foo@baz Fri Apr 29 10:57:56 AM CEST 2022
+From: Masami Hiramatsu
+Date: Tue, 26 Apr 2022 23:26:04 +0900
+Subject: Revert "ia64: kprobes: Fix to pass correct trampoline address to the handler"
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: mhiramat@kernel.org, linux-kernel@vger.kernel.org, Ingo Molnar , Sasha Levin
+Message-ID: <165098316441.1366179.4768446584587876237.stgit@devnote2>
+
+From: Masami Hiramatsu
+
+This reverts commit f5f96e3643dc33d6117cf7047e73512046e4858b.
+
+The commit f5f96e3643dc ("ia64: kprobes: Fix to pass correct trampoline
+address to the handler") was wrongly backported. It involves another
+commit which is a part of another bigger series, so it should not be
+backported to the stable tree.
+
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/ia64/kernel/kprobes.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/arch/ia64/kernel/kprobes.c
++++ b/arch/ia64/kernel/kprobes.c
+@@ -411,8 +411,7 @@ static void kretprobe_trampoline(void)
+ 
+ int __kprobes trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
+ {
+- regs->cr_iip = __kretprobe_trampoline_handler(regs,
+- dereference_function_descriptor(kretprobe_trampoline), NULL);
++ regs->cr_iip = __kretprobe_trampoline_handler(regs, kretprobe_trampoline, NULL);
+ /*
+ * By returning a non-zero value, we are telling
+ * kprobe_handler() that we don't want the post_handler
+@@ -428,7 +427,7 @@ void __kprobes arch_prepare_kretprobe(st
+ ri->fp = NULL;
+ 
+ /* Replace the return addr with trampoline addr */
+- regs->b0 = (unsigned long)dereference_function_descriptor(kretprobe_trampoline);
++ regs->b0 = ((struct fnptr *)kretprobe_trampoline)->ip;
+ }
+ 
+ /* Check the instruction in the slot is break */
+@@ -958,14 +957,14 @@ static struct kprobe trampoline_p = {
+ int __init arch_init_kprobes(void)
+ {
+ trampoline_p.addr =
+- dereference_function_descriptor(kretprobe_trampoline);
++ (kprobe_opcode_t *)((struct fnptr *)kretprobe_trampoline)->ip;
+ return register_kprobe(&trampoline_p);
+ }
+ 
+ int __kprobes arch_trampoline_kprobe(struct kprobe *p)
+ {
+ if (p->addr ==
+- dereference_function_descriptor(kretprobe_trampoline))
++ (kprobe_opcode_t *)((struct fnptr *)kretprobe_trampoline)->ip)
+ return 1;
+ 
+ return 0;
diff --git a/queue-4.19/revert-ia64-kprobes-use-generic-kretprobe-trampoline-handler.patch b/queue-4.19/revert-ia64-kprobes-use-generic-kretprobe-trampoline-handler.patch
new file mode 100644
index 00000000000..6ec1e26e3bd
--- /dev/null
+++ b/queue-4.19/revert-ia64-kprobes-use-generic-kretprobe-trampoline-handler.patch
@@ -0,0 +1,118 @@
+From foo@baz Fri Apr 29 10:57:56 AM CEST 2022
+From: Masami Hiramatsu
+Date: Tue, 26 Apr 2022 23:26:14 +0900
+Subject: Revert "ia64: kprobes: Use generic kretprobe trampoline handler"
+To: stable@vger.kernel.org, Greg Kroah-Hartman
+Cc: mhiramat@kernel.org, linux-kernel@vger.kernel.org, Ingo Molnar , Sasha Levin
+Message-ID: <165098317414.1366179.8363938856817159557.stgit@devnote2>
+
+From: Masami Hiramatsu
+
+This reverts commit d3380de483d55d904fb94a241406b34ed2fada7d.
+
+Since this commit is a part of generic kretprobe trampoline
+handler series, without the other patches in that series, this
+causes a build error on ia64.
+
+Reported-by: kernel test robot
+Signed-off-by: Masami Hiramatsu
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/ia64/kernel/kprobes.c | 77 +++++++++++++++++++++++++++++++++++++++++++--
+ 1 file changed, 75 insertions(+), 2 deletions(-)
+
+--- a/arch/ia64/kernel/kprobes.c
++++ b/arch/ia64/kernel/kprobes.c
+@@ -409,9 +409,83 @@ static void kretprobe_trampoline(void)
+ {
+ }
+ 
++/*
++ * At this point the target function has been tricked into
++ * returning into our trampoline. Lookup the associated instance
++ * and then:
++ * - call the handler function
++ * - cleanup by marking the instance as unused
++ * - long jump back to the original return address
++ */
+ int __kprobes trampoline_probe_handler(struct kprobe *p, struct pt_regs *regs)
+ {
+- regs->cr_iip = __kretprobe_trampoline_handler(regs, kretprobe_trampoline, NULL);
++ struct kretprobe_instance *ri = NULL;
++ struct hlist_head *head, empty_rp;
++ struct hlist_node *tmp;
++ unsigned long flags, orig_ret_address = 0;
++ unsigned long trampoline_address =
++ ((struct fnptr *)kretprobe_trampoline)->ip;
++
++ INIT_HLIST_HEAD(&empty_rp);
++ kretprobe_hash_lock(current, &head, &flags);
++
++ /*
++ * It is possible to have multiple instances associated with a given
++ * task either because an multiple functions in the call path
++ * have a return probe installed on them, and/or more than one return
++ * return probe was registered for a target function.
++ *
++ * We can handle this because:
++ * - instances are always inserted at the head of the list
++ * - when multiple return probes are registered for the same
++ * function, the first instance's ret_addr will point to the
++ * real return address, and all the rest will point to
++ * kretprobe_trampoline
++ */
++ hlist_for_each_entry_safe(ri, tmp, head, hlist) {
++ if (ri->task != current)
++ /* another task is sharing our hash bucket */
++ continue;
++
++ orig_ret_address = (unsigned long)ri->ret_addr;
++ if (orig_ret_address != trampoline_address)
++ /*
++ * This is the real return address. Any other
++ * instances associated with this task are for
++ * other calls deeper on the call stack
++ */
++ break;
++ }
++
++ regs->cr_iip = orig_ret_address;
++
++ hlist_for_each_entry_safe(ri, tmp, head, hlist) {
++ if (ri->task != current)
++ /* another task is sharing our hash bucket */
++ continue;
++
++ if (ri->rp && ri->rp->handler)
++ ri->rp->handler(ri, regs);
++
++ orig_ret_address = (unsigned long)ri->ret_addr;
++ recycle_rp_inst(ri, &empty_rp);
++
++ if (orig_ret_address != trampoline_address)
++ /*
++ * This is the real return address. Any other
++ * instances associated with this task are for
++ * other calls deeper on the call stack
++ */
++ break;
++ }
++ kretprobe_assert(ri, orig_ret_address, trampoline_address);
++
++ kretprobe_hash_unlock(current, &flags);
++
++ hlist_for_each_entry_safe(ri, tmp, &empty_rp, hlist) {
++ hlist_del(&ri->hlist);
++ kfree(ri);
++ }
+ /*
+ * By returning a non-zero value, we are telling
+ * kprobe_handler() that we don't want the post_handler
+@@ -424,7 +498,6 @@ void __kprobes arch_prepare_kretprobe(st
+ struct pt_regs *regs)
+ {
+ ri->ret_addr = (kprobe_opcode_t *)regs->b0;
+- ri->fp = NULL;
+ 
+ /* Replace the return addr with trampoline addr */
+ regs->b0 = ((struct fnptr *)kretprobe_trampoline)->ip;
diff --git a/queue-4.19/series b/queue-4.19/series
index 9c106c94d41..27a74d0b177 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -5,3 +5,6 @@ hamradio-remove-needs_free_netdev-to-avoid-uaf.patch
 net-sched-cls_u32-fix-netns-refcount-changes-in-u32_change.patch
 powerpc-64-interrupt-temporarily-save-ppr-on-stack-to-fix-register-corruption-due-to-slb-miss.patch
 powerpc-64s-unmerge-ex_lr-and-ex_dar.patch
+revert-ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch
+revert-ia64-kprobes-use-generic-kretprobe-trampoline-handler.patch
+ia64-kprobes-fix-to-pass-correct-trampoline-address-to-the-handler.patch