From af85d57c4a7aaf8f4590b0bab09d4385d5797226 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 18 Dec 2023 12:06:57 +0100
Subject: [PATCH] 5.15-stable patches
added patches:
powerpc-ftrace-create-a-dummy-stackframe-to-fix-stack-unwind.patch
powerpc-ftrace-fix-stack-teardown-in-ftrace_no_trace.patch
rdma-irdma-prevent-zero-length-stag-registration.patch
---
...dummy-stackframe-to-fix-stack-unwind.patch | 136 ++++++++++++++
...ix-stack-teardown-in-ftrace_no_trace.patch | 50 +++++++
...revent-zero-length-stag-registration.patch | 117 +++++++++++++++
queue-5.15/series | 3 +
4 files changed, 306 insertions(+)
create mode 100644 queue-5.15/powerpc-ftrace-create-a-dummy-stackframe-to-fix-stack-unwind.patch
create mode 100644 queue-5.15/powerpc-ftrace-fix-stack-teardown-in-ftrace_no_trace.patch
create mode 100644 queue-5.15/rdma-irdma-prevent-zero-length-stag-registration.patch
diff --git a/queue-5.15/powerpc-ftrace-create-a-dummy-stackframe-to-fix-stack-unwind.patch b/queue-5.15/powerpc-ftrace-create-a-dummy-stackframe-to-fix-stack-unwind.patch
new file mode 100644
index 00000000000..c5753fe1cc2
--- /dev/null
+++ b/queue-5.15/powerpc-ftrace-create-a-dummy-stackframe-to-fix-stack-unwind.patch
@@ -0,0 +1,136 @@
+From stable+bounces-6807-greg=kroah.com@vger.kernel.org Fri Dec 15 12:17:59 2023
+From: Naveen N Rao
+Date: Fri, 15 Dec 2023 16:44:32 +0530
+Subject: powerpc/ftrace: Create a dummy stackframe to fix stack unwind
+To:
+Cc: Greg KH , Michael Ellerman
+Message-ID: <20231215111433.2362641-1-naveen@kernel.org>
+
+From: Naveen N Rao
+
+commit 41a506ef71eb38d94fe133f565c87c3e06ccc072 upstream.
+
+With ppc64 -mprofile-kernel and ppc32 -pg, profiling instructions to
+call into ftrace are emitted right at function entry. The instruction
+sequence used is minimal to reduce overhead. Crucially, a stackframe is
+not created for the function being traced. This breaks stack unwinding
+since the function being traced does not have a stackframe for itself.
+As such, it never shows up in the backtrace:
+
+/sys/kernel/debug/tracing # echo 1 > /proc/sys/kernel/stack_tracer_enabled
+/sys/kernel/debug/tracing # cat stack_trace
+ Depth Size Location (17 entries)
+ ----- ---- --------
+ 0) 4144 32 ftrace_call+0x4/0x44
+ 1) 4112 432 get_page_from_freelist+0x26c/0x1ad0
+ 2) 3680 496 __alloc_pages+0x290/0x1280
+ 3) 3184 336 __folio_alloc+0x34/0x90
+ 4) 2848 176 vma_alloc_folio+0xd8/0x540
+ 5) 2672 272 __handle_mm_fault+0x700/0x1cc0
+ 6) 2400 208 handle_mm_fault+0xf0/0x3f0
+ 7) 2192 80 ___do_page_fault+0x3e4/0xbe0
+ 8) 2112 160 do_page_fault+0x30/0xc0
+ 9) 1952 256 data_access_common_virt+0x210/0x220
+ 10) 1696 400 0xc00000000f16b100
+ 11) 1296 384 load_elf_binary+0x804/0x1b80
+ 12) 912 208 bprm_execve+0x2d8/0x7e0
+ 13) 704 64 do_execveat_common+0x1d0/0x2f0
+ 14) 640 160 sys_execve+0x54/0x70
+ 15) 480 64 system_call_exception+0x138/0x350
+ 16) 416 416 system_call_common+0x160/0x2c4
+
+Fix this by having ftrace create a dummy stackframe for the function
+being traced. 
With this, backtraces now capture the function being
+traced:
+
+/sys/kernel/debug/tracing # cat stack_trace
+ Depth Size Location (17 entries)
+ ----- ---- --------
+ 0) 3888 32 _raw_spin_trylock+0x8/0x70
+ 1) 3856 576 get_page_from_freelist+0x26c/0x1ad0
+ 2) 3280 64 __alloc_pages+0x290/0x1280
+ 3) 3216 336 __folio_alloc+0x34/0x90
+ 4) 2880 176 vma_alloc_folio+0xd8/0x540
+ 5) 2704 416 __handle_mm_fault+0x700/0x1cc0
+ 6) 2288 96 handle_mm_fault+0xf0/0x3f0
+ 7) 2192 48 ___do_page_fault+0x3e4/0xbe0
+ 8) 2144 192 do_page_fault+0x30/0xc0
+ 9) 1952 608 data_access_common_virt+0x210/0x220
+ 10) 1344 16 0xc0000000334bbb50
+ 11) 1328 416 load_elf_binary+0x804/0x1b80
+ 12) 912 64 bprm_execve+0x2d8/0x7e0
+ 13) 848 176 do_execveat_common+0x1d0/0x2f0
+ 14) 672 192 sys_execve+0x54/0x70
+ 15) 480 64 system_call_exception+0x138/0x350
+ 16) 416 416 system_call_common+0x160/0x2c4
+
+This results in two additional stores in the ftrace entry code, but
+produces reliable backtraces.
+
+Fixes: 153086644fd1 ("powerpc/ftrace: Add support for -mprofile-kernel ftrace ABI")
+Cc: stable@vger.kernel.org
+Signed-off-by: Naveen N Rao
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20230621051349.759567-1-naveen@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/trace/ftrace_64_mprofile.S | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/trace/ftrace_64_mprofile.S
++++ b/arch/powerpc/kernel/trace/ftrace_64_mprofile.S
+@@ -36,6 +36,9 @@ _GLOBAL(ftrace_regs_caller)
+ /* Save the original return address in A's stack frame */
+ std r0,LRSAVE(r1)
+
++ /* Create a minimal stack frame for representing B */
++ stdu r1, -STACK_FRAME_MIN_SIZE(r1)
++
+ /* Create our stack frame + pt_regs */
+ stdu r1,-SWITCH_FRAME_SIZE(r1)
+
+@@ -64,6 +67,8 @@ _GLOBAL(ftrace_regs_caller)
+ mflr r7
+ /* Save it as pt_regs->nip */
+ std r7, _NIP(r1)
++ /* Also save it in B's stackframe header for proper unwind */
++ std r7, 
LRSAVE+SWITCH_FRAME_SIZE(r1)
+ /* Save the read LR in pt_regs->link */
+ std r0, _LINK(r1)
+
+@@ -118,7 +123,7 @@ ftrace_regs_call:
+ ld r2, 24(r1)
+
+ /* Pop our stack frame */
+- addi r1, r1, SWITCH_FRAME_SIZE
++ addi r1, r1, SWITCH_FRAME_SIZE+STACK_FRAME_MIN_SIZE
+
+ #ifdef CONFIG_LIVEPATCH
+ /* Based on the cmpd above, if the NIP was altered handle livepatch */
+@@ -150,6 +155,9 @@ _GLOBAL(ftrace_caller)
+ /* Save the original return address in A's stack frame */
+ std r0, LRSAVE(r1)
+
++ /* Create a minimal stack frame for representing B */
++ stdu r1, -STACK_FRAME_MIN_SIZE(r1)
++
+ /* Create our stack frame + pt_regs */
+ stdu r1, -SWITCH_FRAME_SIZE(r1)
+
+@@ -163,6 +171,7 @@ _GLOBAL(ftrace_caller)
+ /* Get the _mcount() call site out of LR */
+ mflr r7
+ std r7, _NIP(r1)
++ std r7, LRSAVE+SWITCH_FRAME_SIZE(r1)
+
+ /* Save callee's TOC in the ABI compliant location */
+ std r2, 24(r1)
+@@ -197,7 +206,7 @@ ftrace_call:
+ ld r2, 24(r1)
+
+ /* Pop our stack frame */
+- addi r1, r1, SWITCH_FRAME_SIZE
++ addi r1, r1, SWITCH_FRAME_SIZE+STACK_FRAME_MIN_SIZE
+
+ /* Reload original LR */
+ ld r0, LRSAVE(r1)
diff --git a/queue-5.15/powerpc-ftrace-fix-stack-teardown-in-ftrace_no_trace.patch b/queue-5.15/powerpc-ftrace-fix-stack-teardown-in-ftrace_no_trace.patch
new file mode 100644
index 00000000000..e7af6c526c6
--- /dev/null
+++ b/queue-5.15/powerpc-ftrace-fix-stack-teardown-in-ftrace_no_trace.patch
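Review bot: The backport touches only arch/powerpc/kernel/trace/ftrace_64_mprofile.S (the diffstat reads `1 file changed`) while the description claims the fix for both ppc64 -mprofile-kernel and ppc32 -pg; in a 5.15 tree the 32-bit -pg entry code appears to live in a separate file, so ppc32 backtraces would still omit the traced function after this patch. Either carry the same `stdu r1, -STACK_FRAME_MIN_SIZE(r1)` plus the `LRSAVE+SWITCH_FRAME_SIZE(r1)` store over to the 32-bit entry, or add a backport note above the diffstat saying only the 64-bit path is fixed. It is also worth stating in that note that this patch alone leaves the pt_regs GPR1 save and the ftrace_no_trace teardown off by STACK_FRAME_MIN_SIZE, which the next patch in this series repairs, so the two must not be picked separately. Both ftrace_regs_caller and ftrace_caller extend beyond the shown hunks.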
@@ -0,0 +1,50 @@
+From stable+bounces-6808-greg=kroah.com@vger.kernel.org Fri Dec 15 12:18:31 2023
+From: Naveen N Rao
+Date: Fri, 15 Dec 2023 16:44:33 +0530
+Subject: powerpc/ftrace: Fix stack teardown in ftrace_no_trace
+To:
+Cc: Greg KH , Michael Ellerman
+Message-ID: <20231215111433.2362641-2-naveen@kernel.org>
+
+From: Naveen N Rao
+
+commit 4b3338aaa74d7d4ec5b6734dc298f0db94ec83d2 upstream.
+
+Commit 41a506ef71eb ("powerpc/ftrace: Create a dummy stackframe to fix
+stack unwind") added use of a new stack frame on ftrace entry to fix
+stack unwind. However, the commit missed updating the offset used while
+tearing down the ftrace stack when ftrace is disabled. Fix the same.
+
+In addition, the commit missed saving the correct stack pointer in
+pt_regs. Update the same.
+
+Fixes: 41a506ef71eb ("powerpc/ftrace: Create a dummy stackframe to fix stack unwind")
+Cc: stable@vger.kernel.org # v6.5+
+Signed-off-by: Naveen N Rao
+Signed-off-by: Michael Ellerman
+Link: https://msgid.link/20231130065947.2188860-1-naveen@kernel.org
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/trace/ftrace_64_mprofile.S | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/trace/ftrace_64_mprofile.S
++++ b/arch/powerpc/kernel/trace/ftrace_64_mprofile.S
+@@ -54,7 +54,7 @@ _GLOBAL(ftrace_regs_caller)
+ SAVE_GPRS(12, 31, r1)
+
+ /* Save previous stack pointer (r1) */
+- addi r8, r1, SWITCH_FRAME_SIZE
++ addi r8, r1, SWITCH_FRAME_SIZE+STACK_FRAME_MIN_SIZE
+ std r8, GPR1(r1)
+
+ /* Load special regs for save below */
+@@ -147,7 +147,7 @@ ftrace_no_trace:
+ mflr r3
+ mtctr r3
+ REST_GPR(3, r1)
+- addi r1, r1, SWITCH_FRAME_SIZE
++ addi r1, r1, SWITCH_FRAME_SIZE+STACK_FRAME_MIN_SIZE
+ mtlr r0
+ bctr
+
diff --git a/queue-5.15/rdma-irdma-prevent-zero-length-stag-registration.patch b/queue-5.15/rdma-irdma-prevent-zero-length-stag-registration.patch
new file mode 100644
index 00000000000..98907892147
--- /dev/null
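Review bot: With this patch queued as a separate entry after the dummy-stackframe patch in queue-5.15/series, there is a bisect point where ftrace_no_trace still pops only `SWITCH_FRAME_SIZE` and returns with r1 sitting STACK_FRAME_MIN_SIZE below A's frame, so any traced function entered while tracing is disabled runs on a corrupted stack at that commit. For a stable queue the safer option is to fold these two hunks into the preceding patch, or at least add a backport note above the diffstat saying the pair must be applied together. The `Cc: stable@vger.kernel.org # v6.5+` trailer is misleading in a 5.15 context, since 5.15 only needs this because the dependency was backported; the note should say so. The ftrace_regs_caller body that holds both hunks extends outside the shown context.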
+++ b/queue-5.15/rdma-irdma-prevent-zero-length-stag-registration.patch 
@@ -0,0 +1,117 @@
+From bb6d73d9add68ad270888db327514384dfa44958 Mon Sep 17 00:00:00 2001
+From: Christopher Bednarz
+Date: Fri, 18 Aug 2023 09:48:38 -0500
+Subject: RDMA/irdma: Prevent zero-length STAG registration
+
+From: Christopher Bednarz
+
+commit bb6d73d9add68ad270888db327514384dfa44958 upstream.
+
+Currently irdma allows zero-length STAGs to be programmed in HW during
+the kernel mode fast register flow. Zero-length MR or STAG registration
+disable HW memory length checks.
+
+Improve gaps in bounds checking in irdma by preventing zero-length STAG or
+MR registrations except if the IB_PD_UNSAFE_GLOBAL_RKEY is set.
+
+This addresses the disclosure CVE-2023-25775.
+
+Fixes: b48c24c2d710 ("RDMA/irdma: Implement device supported verb APIs")
+Signed-off-by: Christopher Bednarz
+Signed-off-by: Shiraz Saleem
+Link: https://lore.kernel.org/r/20230818144838.1758-1-shiraz.saleem@intel.com
+Signed-off-by: Leon Romanovsky
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/infiniband/hw/irdma/ctrl.c | 6 ++++++
+ drivers/infiniband/hw/irdma/type.h | 2 ++
+ drivers/infiniband/hw/irdma/verbs.c | 10 ++++++++--
+ 3 files changed, 16 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/irdma/ctrl.c
++++ b/drivers/infiniband/hw/irdma/ctrl.c
+@@ -1043,6 +1043,9 @@ irdma_sc_alloc_stag(struct irdma_sc_dev
+ u64 hdr;
+ enum irdma_page_size page_size;
+
++ if (!info->total_len && !info->all_memory)
++ return -EINVAL;
++
+ if (info->page_size == 0x40000000)
+ page_size = IRDMA_PAGE_SIZE_1G;
+ else if (info->page_size == 0x200000)
+@@ -1109,6 +1112,9 @@ irdma_sc_mr_reg_non_shared(struct irdma_
+ u8 addr_type;
+ enum irdma_page_size page_size;
+
++ if (!info->total_len && !info->all_memory)
++ return -EINVAL;
++
+ if (info->page_size == 0x40000000)
+ page_size = IRDMA_PAGE_SIZE_1G;
+ else if (info->page_size == 0x200000)
+--- a/drivers/infiniband/hw/irdma/type.h
++++ b/drivers/infiniband/hw/irdma/type.h
+@@ -1013,6 +1013,7 @@ struct irdma_allocate_stag_info {
+ bool 
remote_access:1;
+ bool use_hmc_fcn_index:1;
+ bool use_pf_rid:1;
++ bool all_memory:1;
+ u8 hmc_fcn_index;
+ };
+
+@@ -1040,6 +1041,7 @@ struct irdma_reg_ns_stag_info {
+ bool use_hmc_fcn_index:1;
+ u8 hmc_fcn_index;
+ bool use_pf_rid:1;
++ bool all_memory:1;
+ };
+
+ struct irdma_fast_reg_stag_info {
+--- a/drivers/infiniband/hw/irdma/verbs.c
++++ b/drivers/infiniband/hw/irdma/verbs.c
+@@ -2528,7 +2528,8 @@ static int irdma_hw_alloc_stag(struct ir
+ struct irdma_mr *iwmr)
+ {
+ struct irdma_allocate_stag_info *info;
+- struct irdma_pd *iwpd = to_iwpd(iwmr->ibmr.pd);
++ struct ib_pd *pd = iwmr->ibmr.pd;
++ struct irdma_pd *iwpd = to_iwpd(pd);
+ enum irdma_status_code status;
+ int err = 0;
+ struct irdma_cqp_request *cqp_request;
+@@ -2545,6 +2546,7 @@ static int irdma_hw_alloc_stag(struct ir
+ info->stag_idx = iwmr->stag >> IRDMA_CQPSQ_STAG_IDX_S;
+ info->pd_id = iwpd->sc_pd.pd_id;
+ info->total_len = iwmr->len;
++ info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY;
+ info->remote_access = true;
+ cqp_info->cqp_cmd = IRDMA_OP_ALLOC_STAG;
+ cqp_info->post_sq = 1;
+@@ -2595,6 +2597,8 @@ static struct ib_mr *irdma_alloc_mr(stru
+ iwmr->type = IRDMA_MEMREG_TYPE_MEM;
+ palloc = &iwpbl->pble_alloc;
+ iwmr->page_cnt = max_num_sg;
++ /* Use system PAGE_SIZE as the sg page sizes are unknown at this point */
++ iwmr->len = max_num_sg * PAGE_SIZE;
+ status = irdma_get_pble(iwdev->rf->pble_rsrc, palloc, iwmr->page_cnt,
+ true);
+ if (status)
+@@ -2666,7 +2670,8 @@ static int irdma_hwreg_mr(struct irdma_d
+ {
+ struct irdma_pbl *iwpbl = &iwmr->iwpbl;
+ struct irdma_reg_ns_stag_info *stag_info;
+- struct irdma_pd *iwpd = to_iwpd(iwmr->ibmr.pd);
++ struct ib_pd *pd = iwmr->ibmr.pd;
++ struct irdma_pd *iwpd = to_iwpd(pd);
+ struct irdma_pble_alloc *palloc = &iwpbl->pble_alloc;
+ enum irdma_status_code status;
+ int err = 0;
+@@ -2686,6 +2691,7 @@ static int irdma_hwreg_mr(struct irdma_d
+ stag_info->total_len = iwmr->len;
+ stag_info->access_rights = 
irdma_get_mr_access(access);
+ stag_info->pd_id = iwpd->sc_pd.pd_id;
++ stag_info->all_memory = pd->flags & IB_PD_UNSAFE_GLOBAL_RKEY;
+ if (stag_info->access_rights & IRDMA_ACCESS_FLAGS_ZERO_BASED)
+ stag_info->addr_type = IRDMA_ADDR_TYPE_ZERO_BASED;
+ else
diff --git a/queue-5.15/series b/queue-5.15/series
index 3a1ffdaa565..0def30a6537 100644
--- a/queue-5.15/series
+++ b/queue-5.15/series
@@ -84,3 +84,6 @@ ring-buffer-fix-a-race-in-rb_time_cmpxchg-for-32-bit-archs.patch
ring-buffer-do-not-try-to-put-back-write_stamp.patch
ksmbd-check-the-validation-of-pdu_size-in-ksmbd_conn_handler_loop.patch
usb-gadget-core-adjust-uevent-timing-on-gadget-unbind.patch
+rdma-irdma-prevent-zero-length-stag-registration.patch
+powerpc-ftrace-create-a-dummy-stackframe-to-fix-stack-unwind.patch
+powerpc-ftrace-fix-stack-teardown-in-ftrace_no_trace.patch
--
2.47.3
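Review bot: The new `return -EINVAL;` in irdma_sc_alloc_stag and irdma_sc_mr_reg_non_shared hands a negative errno back from functions whose return type is cut off by the hunk header, and the verbs.c hunks in the same patch store the result of this CQP path in `enum irdma_status_code status`, which suggests the 5.15 control-path functions still return the irdma status enum rather than the `int` upstream uses. If that is the case, -EINVAL is silently converted into the enum and any caller that collapses a non-zero status into a fixed errno will report something other than EINVAL to the ULP; returning the tree's own parameter-error status value (IRDMA_ERR_PARAM or its equivalent, to be verified) would keep the error path consistent with the rest of ctrl.c. Separately, `struct irdma_fast_reg_stag_info` gains no `all_memory` bit and the fast-register work-request path receives no zero-length guard in this patch, so whether the alloc-time placeholder `iwmr->len = max_num_sg * PAGE_SIZE;` alone keeps a zero-length fast-reg from reaching HW depends on code outside these hunks and is worth confirming before treating the CVE as closed on this branch. The enclosing functions irdma_hw_alloc_stag, irdma_alloc_mr and irdma_hwreg_mr all extend beyond the shown hunks.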