From 72e19c1d4cae71a4f588b3d1d7b2c2d3a7155c33 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 2 May 2021 13:10:55 +0200
Subject: [PATCH] 4.14-stable patches
added patches:
acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
bpf-fix-backport-of-bpf-restrict-unknown-scalars-of-mixed-signed-bounds-for-unprivileged.patch
bpf-fix-up-selftests-after-backports-were-fixed.patch
---
 ...serve-memory-occupied-by-acpi-tables.patch | 225 ++++++++++++++++++
 ..._table_init-after-acpi_table_upgrade.patch | 49 ++++
 ...mixed-signed-bounds-for-unprivileged.patch | 58 +++++
 ...selftests-after-backports-were-fixed.patch | 126 ++++++++++
 queue-4.14/series | 4 +
 queue-4.19/series | 2 +
 queue-5.10/series | 2 +
 queue-5.11/series | 2 +
 queue-5.12/series | 2 +
 queue-5.4/series | 3 +
 10 files changed, 473 insertions(+)
 create mode 100644 queue-4.14/acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
 create mode 100644 queue-4.14/acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
 create mode 100644 queue-4.14/bpf-fix-backport-of-bpf-restrict-unknown-scalars-of-mixed-signed-bounds-for-unprivileged.patch
 create mode 100644 queue-4.14/bpf-fix-up-selftests-after-backports-were-fixed.patch
 create mode 100644 queue-5.10/series
 create mode 100644 queue-5.11/series
 create mode 100644 queue-5.12/series
 create mode 100644 queue-5.4/series
diff --git a/queue-4.14/acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch b/queue-4.14/acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
new file mode 100644
index 00000000000..2661e14bf91
--- /dev/null
+++ b/queue-4.14/acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
@@ -0,0 +1,225 @@
+From 1a1c130ab7575498eed5bcf7220037ae09cd1f8a Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Tue, 23 Mar 2021 20:26:52 +0100
+Subject: ACPI: tables: x86: Reserve memory occupied by ACPI tables
+
+From: Rafael J. Wysocki
+
+commit 1a1c130ab7575498eed5bcf7220037ae09cd1f8a upstream.
+
+The following problem has been reported by George Kennedy:
+
+ Since commit 7fef431be9c9 ("mm/page_alloc: place pages to tail
+ in __free_pages_core()") the following use after free occurs
+ intermittently when ACPI tables are accessed.
+
+ BUG: KASAN: use-after-free in ibft_init+0x134/0xc49
+ Read of size 4 at addr ffff8880be453004 by task swapper/0/1
+ CPU: 3 PID: 1 Comm: swapper/0 Not tainted 5.12.0-rc1-7a7fd0d #1
+ Call Trace:
+ dump_stack+0xf6/0x158
+ print_address_description.constprop.9+0x41/0x60
+ kasan_report.cold.14+0x7b/0xd4
+ __asan_report_load_n_noabort+0xf/0x20
+ ibft_init+0x134/0xc49
+ do_one_initcall+0xc4/0x3e0
+ kernel_init_freeable+0x5af/0x66b
+ kernel_init+0x16/0x1d0
+ ret_from_fork+0x22/0x30
+
+ ACPI tables mapped via kmap() do not have their mapped pages
+ reserved and the pages can be "stolen" by the buddy allocator.
+
+Apparently, on the affected system, the ACPI table in question is
+not located in "reserved" memory, like ACPI NVS or ACPI Data, that
+will not be used by the buddy allocator, so the memory occupied by
+that table has to be explicitly reserved to prevent the buddy
+allocator from using it.
+
+In order to address this problem, rearrange the initialization of the
+ACPI tables on x86 to locate the initial tables earlier and reserve
+the memory occupied by them.
+
+The other architectures using ACPI should not be affected by this
+change.
+
+Link: https://lore.kernel.org/linux-acpi/1614802160-29362-1-git-send-email-george.kennedy@oracle.com/
+Reported-by: George Kennedy
+Tested-by: George Kennedy
+Signed-off-by: Rafael J.
Wysocki
+Reviewed-by: Mike Rapoport
+Cc: 5.10+ # 5.10+
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/acpi/boot.c | 25 ++++++++++++-------------
+ arch/x86/kernel/setup.c | 8 +++-----
+ drivers/acpi/tables.c | 42 +++++++++++++++++++++++++++++++++++++++---
+ include/linux/acpi.h | 9 ++++++++-
+ 4 files changed, 62 insertions(+), 22 deletions(-)
+
+--- a/arch/x86/kernel/acpi/boot.c
++++ b/arch/x86/kernel/acpi/boot.c
+@@ -1553,10 +1553,18 @@ void __init acpi_boot_table_init(void)
+ /*
+ * Initialize the ACPI boot-time table parser.
+ */
+- if (acpi_table_init()) {
++ if (acpi_locate_initial_tables())
+ disable_acpi();
+- return;
+- }
++ else
++ acpi_reserve_initial_tables();
++}
++
++int __init early_acpi_boot_init(void)
++{
++ if (acpi_disabled)
++ return 1;
++
++ acpi_table_init_complete();
+
+ acpi_table_parse(ACPI_SIG_BOOT, acpi_parse_sbf);
+
+@@ -1569,18 +1577,9 @@ void __init acpi_boot_table_init(void)
+ } else {
+ printk(KERN_WARNING PREFIX "Disabling ACPI support\n");
+ disable_acpi();
+- return;
++ return 1;
+ }
+ }
+-}
+-
+-int __init early_acpi_boot_init(void)
+-{
+- /*
+- * If acpi_disabled, bail out
+- */
+- if (acpi_disabled)
+- return 1;
+
+ /*
+ * Process the Multiple APIC Description Table (MADT), if present
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1129,6 +1129,9 @@ void __init setup_arch(char **cmdline_p)
+
+ cleanup_highmap();
+
++ /* Look for ACPI tables and reserve memory occupied by them. */
++ acpi_boot_table_init();
++
+ memblock_set_current_limit(ISA_END_ADDRESS);
+ e820__memblock_setup();
+
+@@ -1218,11 +1221,6 @@ void __init setup_arch(char **cmdline_p)
+
+ early_platform_quirks();
+
+- /*
+- * Parse the ACPI tables for possible boot-time SMP configuration.
+- */
+- acpi_boot_table_init();
+-
+ early_acpi_boot_init();
+
+ initmem_init();
+--- a/drivers/acpi/tables.c
++++ b/drivers/acpi/tables.c
+@@ -726,7 +726,7 @@ acpi_os_table_override(struct acpi_table
+ }
+
+ /*
+- * acpi_table_init()
++ * acpi_locate_initial_tables()
+ *
+ * find RSDP, find and checksum SDT/XSDT.
+ * checksum all tables, print SDT/XSDT
+@@ -734,7 +734,7 @@ acpi_os_table_override(struct acpi_table
+ * result: sdt_entry[] is initialized
+ */
+
+-int __init acpi_table_init(void)
++int __init acpi_locate_initial_tables(void)
+ {
+ acpi_status status;
+
+@@ -749,9 +749,45 @@ int __init acpi_table_init(void)
+ status = acpi_initialize_tables(initial_tables, ACPI_MAX_TABLES, 0);
+ if (ACPI_FAILURE(status))
+ return -EINVAL;
+- acpi_table_initrd_scan();
+
++ return 0;
++}
++
++void __init acpi_reserve_initial_tables(void)
++{
++ int i;
++
++ for (i = 0; i < ACPI_MAX_TABLES; i++) {
++ struct acpi_table_desc *table_desc = &initial_tables[i];
++ u64 start = table_desc->address;
++ u64 size = table_desc->length;
++
++ if (!start || !size)
++ break;
++
++ pr_info("Reserving %4s table memory at [mem 0x%llx-0x%llx]\n",
++ table_desc->signature.ascii, start, start + size - 1);
++
++ memblock_reserve(start, size);
++ }
++}
++
++void __init acpi_table_init_complete(void)
++{
++ acpi_table_initrd_scan();
+ check_multiple_madt();
++}
++
++int __init acpi_table_init(void)
++{
++ int ret;
++
++ ret = acpi_locate_initial_tables();
++ if (ret)
++ return ret;
++
++ acpi_table_init_complete();
++
+ return 0;
+ }
+
+--- a/include/linux/acpi.h
++++ b/include/linux/acpi.h
+@@ -228,10 +228,14 @@ void __iomem *__acpi_map_table(unsigned
+ void __acpi_unmap_table(void __iomem *map, unsigned long size);
+ int early_acpi_boot_init(void);
+ int acpi_boot_init (void);
++void acpi_boot_table_prepare (void);
+ void acpi_boot_table_init (void);
+ int acpi_mps_check (void);
+ int acpi_numa_init (void);
+
++int acpi_locate_initial_tables (void);
++void acpi_reserve_initial_tables (void);
++void acpi_table_init_complete (void);
+ int acpi_table_init (void);
+ int acpi_table_parse(char *id, acpi_tbl_table_handler handler);
+ int __init acpi_table_parse_entries(char *id, unsigned long table_size,
+@@ -714,9 +718,12 @@ static inline int acpi_boot_init(void)
+ return 0;
+ }
+
++static inline void acpi_boot_table_prepare(void)
++{
++}
++
+ static inline void acpi_boot_table_init(void)
+ {
+- return;
+ }
+
+ static inline int acpi_mps_check(void)
diff --git a/queue-4.14/acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch b/queue-4.14/acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
new file mode 100644
index 00000000000..8f2a5db3083
--- /dev/null
+++ b/queue-4.14/acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
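Review bot: In `acpi_reserve_initial_tables()` the `pr_info()` prints the table signature with `%4s`, which sets a minimum field width but no maximum, so the read stops only at the first NUL byte. ACPI signatures are four characters, and if `signature.ascii` is a fixed four-byte array with no terminator (its definition is not part of this patch), the print can run past it into the neighbouring descriptor fields; a precision bounds the read: `pr_info("Reserving %4.4s table memory at [mem 0x%llx-0x%llx]\n",`. The `include/linux/acpi.h` hunks also declare `acpi_boot_table_prepare()` and add an empty stub for it, but no definition or caller appears anywhere in the patch, so that pair looks like dead interface and should either be dropped or explained.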
@@ -0,0 +1,49 @@
+From 6998a8800d73116187aad542391ce3b2dd0f9e30 Mon Sep 17 00:00:00 2001
+From: "Rafael J. Wysocki"
+Date: Tue, 13 Apr 2021 16:01:00 +0200
+Subject: ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()
+
+From: Rafael J. Wysocki
+
+commit 6998a8800d73116187aad542391ce3b2dd0f9e30 upstream.
+
+Commit 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by
+ACPI tables") attempted to address an issue with reserving the memory
+occupied by ACPI tables, but it broke the initrd-based table override
+mechanism relied on by multiple users.
+
+To restore the initrd-based ACPI table override functionality, move
+the acpi_boot_table_init() invocation in setup_arch() on x86 after
+the acpi_table_upgrade() one.
+
+Fixes: 1a1c130ab757 ("ACPI: tables: x86: Reserve memory occupied by ACPI tables")
+Reported-by: Hans de Goede
+Tested-by: Hans de Goede
+Signed-off-by: Rafael J. Wysocki
+Cc: George Kennedy
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/x86/kernel/setup.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -1129,9 +1129,6 @@ void __init setup_arch(char **cmdline_p)
+
+ cleanup_highmap();
+
+- /* Look for ACPI tables and reserve memory occupied by them. */
+- acpi_boot_table_init();
+-
+ memblock_set_current_limit(ISA_END_ADDRESS);
+ e820__memblock_setup();
+
+@@ -1214,6 +1211,8 @@ void __init setup_arch(char **cmdline_p)
+ reserve_initrd();
+
+ acpi_table_upgrade();
++ /* Look for ACPI tables and reserve memory occupied by them. */
++ acpi_boot_table_init();
+
+ vsmp_init();
+
diff --git a/queue-4.14/bpf-fix-backport-of-bpf-restrict-unknown-scalars-of-mixed-signed-bounds-for-unprivileged.patch b/queue-4.14/bpf-fix-backport-of-bpf-restrict-unknown-scalars-of-mixed-signed-bounds-for-unprivileged.patch
new file mode 100644
index 00000000000..dea5e09b94e
--- /dev/null
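Review bot: The comment above the moved `acpi_boot_table_init()` call in `setup_arch()` says what the call does but not why it sits at this position, and the position is the entire content of the patch. Per the commit message it must follow `acpi_table_upgrade()` so that initrd table overrides still work, while the reservation only protects the tables if it happens before their memory can be handed out; whether any allocation between `e820__memblock_setup()` and this point can land on table memory is not visible in the hunk and is worth confirming for the 4.14 tree. I would state the constraint in the comment, e.g. `/* Must follow acpi_table_upgrade() (initrd table overrides) and precede any allocation that could claim ACPI table memory. */`, and keep a blank line between `acpi_table_upgrade();` and the comment. `setup_arch()` starts and ends outside both hunks.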
+++ b/queue-4.14/bpf-fix-backport-of-bpf-restrict-unknown-scalars-of-mixed-signed-bounds-for-unprivileged.patch 
@@ -0,0 +1,58 @@
+From fllinden@amazon.com Sun May 2 13:07:04 2021
+From: Frank van der Linden
+Date: Sat, 1 May 2021 18:05:05 +0000
+Subject: bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged"
+To:
+Cc: ,
+Message-ID: <20210501180506.19154-2-fllinden@amazon.com>
+
+From: Samuel Mendoza-Jonas
+
+The 4.14 backport of 9d7eceede ("bpf: restrict unknown scalars of mixed
+signed bounds for unprivileged") adds the PTR_TO_MAP_VALUE check to the
+wrong location in adjust_ptr_min_max_vals(), most likely because 4.14
+doesn't include the commit that updates the if-statement to a
+switch-statement (aad2eeaf4 "bpf: Simplify ptr_min_max_vals adjustment").
+
+Move the check to the proper location in adjust_ptr_min_max_vals().
+
+Fixes: 17efa65350c5a ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged")
+Signed-off-by: Samuel Mendoza-Jonas
+Reviewed-by: Frank van der Linden
+Reviewed-by: Ethan Chen
+Acked-by: Yonghong Song
+Signed-off-by: Greg Kroah-Hartman
+---
+ kernel/bpf/verifier.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+--- a/kernel/bpf/verifier.c
++++ b/kernel/bpf/verifier.c
+@@ -2204,6 +2204,13 @@ static int adjust_ptr_min_max_vals(struc
+ dst);
+ return -EACCES;
+ }
++ if (ptr_reg->type == PTR_TO_MAP_VALUE) {
++ if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
++ verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
++ off_reg == dst_reg ? dst : src);
++ return -EACCES;
++ }
++ }
+
+ /* In case of 'scalar += pointer', dst_reg inherits pointer type and id.
+ * The id may be overwritten later if we create a new variable offset.
+@@ -2349,13 +2356,6 @@ static int adjust_ptr_min_max_vals(struc
+ verbose("R%d bitwise operator %s on pointer prohibited\n",
+ dst, bpf_alu_string[opcode >> 4]);
+ return -EACCES;
+- case PTR_TO_MAP_VALUE:
+- if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {
+- verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n",
+- off_reg == dst_reg ? dst : src);
+- return -EACCES;
+- }
+- /* fall-through */
+ default:
+ /* other operators (e.g. MUL,LSH) produce non-pointer results */
+ if (!env->allow_ptr_leaks)
diff --git a/queue-4.14/bpf-fix-up-selftests-after-backports-were-fixed.patch b/queue-4.14/bpf-fix-up-selftests-after-backports-were-fixed.patch
new file mode 100644
index 00000000000..313b11e867a
--- /dev/null
+++ b/queue-4.14/bpf-fix-up-selftests-after-backports-were-fixed.patch
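Review bot: The relocated `PTR_TO_MAP_VALUE` test in `adjust_ptr_min_max_vals()` carries no comment, although its placement is exactly what the earlier backport got wrong: it has to be evaluated on the pointer type for every operation, not as a label inside what appears to be the opcode switch, where it is removed at -2349. A short comment would keep a later backport from moving it again, for example `/* Unprivileged only: refuse map-value pointer arithmetic with an unknown scalar whose signed bounds straddle zero; checked per pointer type, ahead of the opcode switch. */`. The two nested `if`s could also be a single condition, `if (ptr_reg->type == PTR_TO_MAP_VALUE && !env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) {`, unless the nesting is kept on purpose to mirror the upstream switch on the pointer type. `known`, `smin_val` and `smax_val` are set outside the hunk, so this assumes they are already computed at the new location.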
@@ -0,0 +1,126 @@
+From fllinden@amazon.com Sun May 2 13:07:20 2021
+From: Frank van der Linden
+Date: Sat, 1 May 2021 18:05:06 +0000
+Subject: bpf: fix up selftests after backports were fixed
+To:
+Cc: ,
+Message-ID: <20210501180506.19154-3-fllinden@amazon.com>
+
+From: Frank van der Linden
+
+After the backport of the changes to fix CVE 2019-7308, the
+selftests also need to be fixed up, as was done originally
+in mainline 80c9b2fae87b ("bpf: add various test cases to selftests").
+
+4.14 commit 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308")
+did that, but since there was an error in the backport, some
+selftests did not change output. So, add them now that this error
+has been fixed, and their output has actually changed as expected.
+
+This adds the rest of the changed test outputs from 80c9b2fae87b.
+
+Fixes: 03f11a51a19 ("bpf: Fix selftests are changes for CVE 2019-7308")
+Signed-off-by: Frank van der Linden
+Signed-off-by: Greg Kroah-Hartman
+---
+ tools/testing/selftests/bpf/test_verifier.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/tools/testing/selftests/bpf/test_verifier.c
++++ b/tools/testing/selftests/bpf/test_verifier.c
+@@ -6207,6 +6207,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6231,6 +6232,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6257,6 +6259,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6282,6 +6285,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R8 has
unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6330,6 +6334,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6401,6 +6406,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6452,6 +6458,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6479,6 +6486,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6505,6 +6513,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6534,6 +6543,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
+@@ -6592,6 +6602,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "unbounded min value",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ .result_unpriv = REJECT,
+ },
+@@ -6644,6 +6655,7 @@ static struct bpf_test tests[] = {
+ },
+ .fixup_map1 = { 3 },
+ .errstr = "R0 min value is negative, either use unsigned index or do a if (index >=0) check.",
++ .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds",
+ .result = REJECT,
+ },
+ {
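Review bot: Eleven of the twelve touched entries gain `.errstr_unpriv` without a matching `.result_unpriv`; only the entry at -6592 shows `.result_unpriv = REJECT` in its context. For the others the expected unprivileged verdict depends on how the harness treats an unset `result_unpriv`, which is outside this patch; presumably it falls back to `.result`. Adding `.result_unpriv = REJECT,` next to each new `.errstr_unpriv` line would make it explicit that the unprivileged load must be refused with the mixed-signed-bounds message, which is the behaviour the verifier fix in this series is meant to restore.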
diff --git a/queue-4.14/series b/queue-4.14/series
index 59936a100bc..2375d92c506 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -1 +1,5 @@
 usbip-vudc-synchronize-sysfs-code-paths.patch
+acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
+acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
+bpf-fix-backport-of-bpf-restrict-unknown-scalars-of-mixed-signed-bounds-for-unprivileged.patch
+bpf-fix-up-selftests-after-backports-were-fixed.patch
diff --git a/queue-4.19/series b/queue-4.19/series
index 155c39b8d28..df0b6e127bb 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -1 +1,3 @@
 erofs-fix-extended-inode-could-cross-boundary.patch
+acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
+acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
diff --git a/queue-5.10/series b/queue-5.10/series
new file mode 100644
index 00000000000..8112b37f82c
--- /dev/null
+++ b/queue-5.10/series
@@ -0,0 +1,2 @@
+mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
+netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
diff --git a/queue-5.11/series b/queue-5.11/series
new file mode 100644
index 00000000000..8112b37f82c
--- /dev/null
+++ b/queue-5.11/series
@@ -0,0 +1,2 @@
+mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
+netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
diff --git a/queue-5.12/series b/queue-5.12/series
new file mode 100644
index 00000000000..8112b37f82c
--- /dev/null
+++ b/queue-5.12/series
@@ -0,0 +1,2 @@
+mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
+netfilter-conntrack-make-global-sysctls-readonly-in-non-init-netns.patch
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..81b46afdc44
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,3 @@
+mips-do-not-include-hi-and-lo-in-clobber-list-for-r6.patch
+acpi-tables-x86-reserve-memory-occupied-by-acpi-tables.patch
+acpi-x86-call-acpi_boot_table_init-after-acpi_table_upgrade.patch
--
2.47.3