From: Puranjay Mohan <puranjay(a)kernel.org>
mainline inclusion
from mainline-v6.11-rc1
commit 19d3c179a37730caf600a97fed3794feac2b197b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ62
CVE: CVE-2024-43840
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls
__bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them
the struct bpf_tramp_image *im pointer as an argument in R0.
The trampoline generation code uses emit_addr_mov_i64() to emit
instructions for moving the bpf_tramp_image address into R0, but
emit_addr_mov_i64() assumes the address to be in the vmalloc() space
and uses only 48 bits. Because bpf_tramp_image is allocated using
kzalloc(), its address can use more than 48 bits; in that case the
trampoline passes an invalid address to __bpf_tramp_enter/exit(),
causing a kernel crash.
Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64()
as it can work with addresses that are greater than 48-bits.
Fixes: efc9909fdce0 ("bpf, arm64: Add bpf trampoline for arm64")
Signed-off-by: Puranjay Mohan <puranjay(a)kernel.org>
Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net>
Closes: https://lore.kernel.org/all/SJ0PR15MB461564D3F7E7A763498CA6A8CBDB2@SJ0PR15M…
Link: https://lore.kernel.org/bpf/20240711151838.43469-1-puranjay@kernel.org
Conflicts:
arch/arm64/net/bpf_jit_comp.c
[The conflict is due to commit 96b0f5addc7a ("arm64, bpf: Use
bpf_prog_pack for arm64 bpf trampoline"), a perf commit, which
changes ctx->image to ctx->ro_image]
Signed-off-by: Tengda Wu <wutengda2(a)huawei.com>
---
arch/arm64/net/bpf_jit_comp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 166619348b98..0618c95af103 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -1942,7 +1942,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
emit(A64_STR64I(A64_R(20), A64_SP, regs_off + 8), ctx);
if (flags & BPF_TRAMP_F_CALL_ORIG) {
- emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
emit_call((const u64)__bpf_tramp_enter, ctx);
}
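Review bot: The call site gives no hint that the replacement helper is length-sensitive: if I read the arm64 JIT right, `emit_a64_mov_i64()` emits a value-dependent number of movz/movk instructions (zero 16-bit chunks are skipped), whereas the replaced `emit_addr_mov_i64()` always emitted a fixed sequence, so the trampoline's size-computing dry run and its real emission pass must be given the same `im` pointer for `ctx->idx` — and `im->ip_epilogue` in the second hunk — to agree. A one-line comment would record that dependency, e.g. `/* im comes from kzalloc() and may exceed 48 bits; both prepare_trampoline() passes must see the same im so the instruction count matches */`. The same applies to the `__bpf_tramp_exit` hunk below and to the second copy of this patch further down the page. `prepare_trampoline()` begins and ends outside both hunks.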
@@ -1986,7 +1986,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
if (flags & BPF_TRAMP_F_CALL_ORIG) {
im->ip_epilogue = ctx->image + ctx->idx;
- emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
emit_call((const u64)__bpf_tramp_exit, ctx);
}
--
2.34.1
From: Puranjay Mohan <puranjay(a)kernel.org>
mainline inclusion
from mainline-v6.11-rc1
commit 19d3c179a37730caf600a97fed3794feac2b197b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAKQ62
CVE: CVE-2024-43840
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?…
--------------------------------
When BPF_TRAMP_F_CALL_ORIG is set, the trampoline calls
__bpf_tramp_enter() and __bpf_tramp_exit() functions, passing them
the struct bpf_tramp_image *im pointer as an argument in R0.
The trampoline generation code uses emit_addr_mov_i64() to emit
instructions for moving the bpf_tramp_image address into R0, but
emit_addr_mov_i64() assumes the address to be in the vmalloc() space
and uses only 48 bits. Because bpf_tramp_image is allocated using
kzalloc(), its address can use more than 48 bits; in that case the
trampoline passes an invalid address to __bpf_tramp_enter/exit(),
causing a kernel crash.
Fix this by using emit_a64_mov_i64() in place of emit_addr_mov_i64()
as it can work with addresses that are greater than 48-bits.
Fixes: efc9909fdce0 ("bpf, arm64: Add bpf trampoline for arm64")
Signed-off-by: Puranjay Mohan <puranjay(a)kernel.org>
Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net>
Closes: https://lore.kernel.org/all/SJ0PR15MB461564D3F7E7A763498CA6A8CBDB2@SJ0PR15M…
Link: https://lore.kernel.org/bpf/20240711151838.43469-1-puranjay@kernel.org
Conflicts:
arch/arm64/net/bpf_jit_comp.c
[The conflict is due to commit 96b0f5addc7a ("arm64, bpf: Use
bpf_prog_pack for arm64 bpf trampoline"), a perf commit, which
changes ctx->image to ctx->ro_image]
Signed-off-by: Tengda Wu <wutengda2(a)huawei.com>
---
arch/arm64/net/bpf_jit_comp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/arch/arm64/net/bpf_jit_comp.c b/arch/arm64/net/bpf_jit_comp.c
index 5560d20f68f4..f6e790058b0a 100644
--- a/arch/arm64/net/bpf_jit_comp.c
+++ b/arch/arm64/net/bpf_jit_comp.c
@@ -1640,7 +1640,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
emit(A64_STR64I(A64_R(19), A64_SP, regs_off), ctx);
if (flags & BPF_TRAMP_F_CALL_ORIG) {
- emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
emit_call((const u64)__bpf_tramp_enter, ctx);
}
@@ -1681,7 +1681,7 @@ static int prepare_trampoline(struct jit_ctx *ctx, struct bpf_tramp_image *im,
if (flags & BPF_TRAMP_F_CALL_ORIG) {
im->ip_epilogue = ctx->image + ctx->idx;
- emit_addr_mov_i64(A64_R(0), (const u64)im, ctx);
+ emit_a64_mov_i64(A64_R(0), (const u64)im, ctx);
emit_call((const u64)__bpf_tramp_exit, ctx);
}
--
2.34.1
openEuler inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAD5GG?from=project-issue
CVE: NA
--------------------
When your development environment does not have the libelf library and you
compile an external module with the "M=xxx" compilation option, the
external module will not have ORC information and there will be no warning
or errors.
If a machine insmods this module and one of its processes is calling a
function in this module, running kpatch will result in an error indicating
that the stack of this process is not trustworthy. The worst thing is that
if this module is necessary and will be used for a long time, kpatch will
be difficult to apply.
---------------------
Revert "kbuild: fix false positive warning/error about missing libelf"
This reverts commit ef7cfd00b2caf6edeb7f169682b64be2d0a798cf.
Fixes: ef7cfd00b2ca ("kbuild: fix false positive warning/error about missing libelf")
Signed-off-by: Zhao Xuedong <zhaoxuedong(a)meituan.com>
---
Makefile | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index fbaeeb80a69e..82dcf846d07b 100644
--- a/Makefile
+++ b/Makefile
@@ -1100,6 +1100,11 @@ ifdef CONFIG_STACK_VALIDATION
ifeq ($(has_libelf),1)
objtool_target := tools/objtool FORCE
else
+ ifdef CONFIG_UNWINDER_ORC
+ $(error "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel")
+ else
+ $(warning "Cannot use CONFIG_STACK_VALIDATION=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel")
+ endif
SKIP_STACK_VALIDATION := 1
export SKIP_STACK_VALIDATION
endif
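Review bot: Reinstating `$(error ...)` under `ifeq ($(has_libelf),1) ... else` makes the libelf check fire whenever this part of the top-level Makefile is parsed, not only when objtool would actually run; the description justifies that for `M=` external-module builds but says nothing about the non-build invocations that the reverted commit ef7cfd00b2ca called false positives (presumably targets that never need objtool). The body should state which of those invocations were re-tested without libelf installed. As a style point, the quotes inside `$(error "...")` and `$(warning "...")` are printed literally; `$(error Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, ...)` prints cleanly. The same applies to the second copy of this patch further down the page.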
@@ -1249,14 +1254,6 @@ uapi-asm-generic:
PHONY += prepare-objtool prepare-resolve_btfids
prepare-objtool: $(objtool_target)
-ifeq ($(SKIP_STACK_VALIDATION),1)
-ifdef CONFIG_UNWINDER_ORC
- @echo "error: Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel" >&2
- @false
-else
- @echo "warning: Cannot use CONFIG_STACK_VALIDATION=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel" >&2
-endif
-endif
prepare-resolve_btfids: $(resolve_btfids_target)
ifeq ($(ERROR_RESOLVE_BTFIDS),1)
--
2.43.0
From: Peter Zijlstra <peterz(a)infradead.org>
mainline inclusion
from mainline-v6.3-rc6
commit b168098912926236bbeebaf7795eb7aab76d2b45
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAL27E
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
---------------------------
Thomas reported that offlining CPUs spends a lot of time in
synchronize_rcu() as called from perf_pmu_migrate_context() even though
he's not actually using uncore events.
Turns out, the thing is unconditionally waiting for RCU, even if there
are no actual events to migrate.
Fixes: 0cda4c023132 ("perf: Introduce perf_pmu_migrate_context()")
Reported-by: Thomas Gleixner <tglx(a)linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org>
Tested-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Paul E. McKenney <paulmck(a)kernel.org>
Link: https://lkml.kernel.org/r/20230403090858.GT4253@hirez.programming.kicks-ass…
Conflicts:
kernel/events/core.c
[Due to not merge previous commit
bd27568117664b8b3e259721393df420ed51f57b]
Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com>
---
kernel/events/core.c | 68 +++++++++++++++++++++++---------------------
1 file changed, 35 insertions(+), 33 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index be528436a03b..b9667223b050 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -11247,42 +11247,44 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
list_add(&event->migrate_entry, &events);
}
- /*
- * Wait for the events to quiesce before re-instating them.
- */
- synchronize_rcu();
+ if (!list_empty(&events)) {
+ /*
+ * Wait for the events to quiesce before re-instating them.
+ */
+ synchronize_rcu();
- /*
- * Re-instate events in 2 passes.
- *
- * Skip over group leaders and only install siblings on this first
- * pass, siblings will not get enabled without a leader, however a
- * leader will enable its siblings, even if those are still on the old
- * context.
- */
- list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
- if (event->group_leader == event)
- continue;
+ /*
+ * Re-instate events in 2 passes.
+ *
+ * Skip over group leaders and only install siblings on this first
+ * pass, siblings will not get enabled without a leader, however a
+ * leader will enable its siblings, even if those are still on the old
+ * context.
+ */
+ list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
+ if (event->group_leader == event)
+ continue;
- list_del(&event->migrate_entry);
- if (event->state >= PERF_EVENT_STATE_OFF)
- event->state = PERF_EVENT_STATE_INACTIVE;
- account_event_cpu(event, dst_cpu);
- perf_install_in_context(dst_ctx, event, dst_cpu);
- get_ctx(dst_ctx);
- }
+ list_del(&event->migrate_entry);
+ if (event->state >= PERF_EVENT_STATE_OFF)
+ event->state = PERF_EVENT_STATE_INACTIVE;
+ account_event_cpu(event, dst_cpu);
+ perf_install_in_context(dst_ctx, event, dst_cpu);
+ get_ctx(dst_ctx);
+ }
- /*
- * Once all the siblings are setup properly, install the group leaders
- * to make it go.
- */
- list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
- list_del(&event->migrate_entry);
- if (event->state >= PERF_EVENT_STATE_OFF)
- event->state = PERF_EVENT_STATE_INACTIVE;
- account_event_cpu(event, dst_cpu);
- perf_install_in_context(dst_ctx, event, dst_cpu);
- get_ctx(dst_ctx);
+ /*
+ * Once all the siblings are setup properly, install the group leaders
+ * to make it go.
+ */
+ list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
+ list_del(&event->migrate_entry);
+ if (event->state >= PERF_EVENT_STATE_OFF)
+ event->state = PERF_EVENT_STATE_INACTIVE;
+ account_event_cpu(event, dst_cpu);
+ perf_install_in_context(dst_ctx, event, dst_cpu);
+ get_ctx(dst_ctx);
+ }
}
mutex_unlock(&dst_ctx->mutex);
mutex_unlock(&src_ctx->mutex);
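Review bot: The new `if (!list_empty(&events))` guard at the top of the hunk carries no comment saying why the grace period is now skipped, and the retained comment inside it still reads as if the wait were unconditional; a one-line comment on the guard would capture the report's point, e.g. `/* Skip the expensive grace period when nothing was collected above. */`. The two re-instatement passes inside the guard now carry an identical six-line body (list_del, state fix-up, account_event_cpu, perf_install_in_context, get_ctx); a small static helper taking the event, dst_ctx and dst_cpu would halve the re-indented block and keep the two passes from drifting apart. The same applies to the second copy of this patch further down the page. perf_pmu_migrate_context()'s opening and the loop that fills `events` lie before the hunk.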
--
2.34.1
From: Peter Zijlstra <peterz(a)infradead.org>
mainline inclusion
from mainline-v6.3-rc6
commit b168098912926236bbeebaf7795eb7aab76d2b45
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAL27E
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id…
---------------------------
Thomas reported that offlining CPUs spends a lot of time in
synchronize_rcu() as called from perf_pmu_migrate_context() even though
he's not actually using uncore events.
Turns out, the thing is unconditionally waiting for RCU, even if there
are no actual events to migrate.
Fixes: 0cda4c023132 ("perf: Introduce perf_pmu_migrate_context()")
Reported-by: Thomas Gleixner <tglx(a)linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz(a)infradead.org>
Tested-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Thomas Gleixner <tglx(a)linutronix.de>
Reviewed-by: Paul E. McKenney <paulmck(a)kernel.org>
Link: https://lkml.kernel.org/r/20230403090858.GT4253@hirez.programming.kicks-ass…
Conflicts:
kernel/events/core.c
[Due to not merge previous commit
bd27568117664b8b3e259721393df420ed51f57b]
Signed-off-by: Liu Chuang <liuchuang40(a)huawei.com>
---
kernel/events/core.c | 68 +++++++++++++++++++++++---------------------
1 file changed, 35 insertions(+), 33 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index b1fabcaeeffd..46b0c7fc2270 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -12424,42 +12424,44 @@ void perf_pmu_migrate_context(struct pmu *pmu, int src_cpu, int dst_cpu)
list_add(&event->migrate_entry, &events);
}
- /*
- * Wait for the events to quiesce before re-instating them.
- */
- synchronize_rcu();
+ if (!list_empty(&events)) {
+ /*
+ * Wait for the events to quiesce before re-instating them.
+ */
+ synchronize_rcu();
- /*
- * Re-instate events in 2 passes.
- *
- * Skip over group leaders and only install siblings on this first
- * pass, siblings will not get enabled without a leader, however a
- * leader will enable its siblings, even if those are still on the old
- * context.
- */
- list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
- if (event->group_leader == event)
- continue;
+ /*
+ * Re-instate events in 2 passes.
+ *
+ * Skip over group leaders and only install siblings on this first
+ * pass, siblings will not get enabled without a leader, however a
+ * leader will enable its siblings, even if those are still on the old
+ * context.
+ */
+ list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
+ if (event->group_leader == event)
+ continue;
- list_del(&event->migrate_entry);
- if (event->state >= PERF_EVENT_STATE_OFF)
- event->state = PERF_EVENT_STATE_INACTIVE;
- account_event_cpu(event, dst_cpu);
- perf_install_in_context(dst_ctx, event, dst_cpu);
- get_ctx(dst_ctx);
- }
+ list_del(&event->migrate_entry);
+ if (event->state >= PERF_EVENT_STATE_OFF)
+ event->state = PERF_EVENT_STATE_INACTIVE;
+ account_event_cpu(event, dst_cpu);
+ perf_install_in_context(dst_ctx, event, dst_cpu);
+ get_ctx(dst_ctx);
+ }
- /*
- * Once all the siblings are setup properly, install the group leaders
- * to make it go.
- */
- list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
- list_del(&event->migrate_entry);
- if (event->state >= PERF_EVENT_STATE_OFF)
- event->state = PERF_EVENT_STATE_INACTIVE;
- account_event_cpu(event, dst_cpu);
- perf_install_in_context(dst_ctx, event, dst_cpu);
- get_ctx(dst_ctx);
+ /*
+ * Once all the siblings are setup properly, install the group leaders
+ * to make it go.
+ */
+ list_for_each_entry_safe(event, tmp, &events, migrate_entry) {
+ list_del(&event->migrate_entry);
+ if (event->state >= PERF_EVENT_STATE_OFF)
+ event->state = PERF_EVENT_STATE_INACTIVE;
+ account_event_cpu(event, dst_cpu);
+ perf_install_in_context(dst_ctx, event, dst_cpu);
+ get_ctx(dst_ctx);
+ }
}
mutex_unlock(&dst_ctx->mutex);
mutex_unlock(&src_ctx->mutex);
--
2.34.1
openEuler inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/IAD5GG?from=project-issue
CVE: NA
--------------------
When your development environment does not have the libelf library and you
compile an external module with the "M=xxx" compilation option, the
external module will not have ORC information and there will be no warning
or errors.
If a machine insmods this module and one of its processes is calling a
function in this module, running kpatch will result in an error indicating
that the stack of this process is not trustworthy. The worst thing is that
if this module is necessary and will be used for a long time, kpatch will
be difficult to apply.
---------------------
Revert "kbuild: fix false positive warning/error about missing libelf"
This reverts commit ef7cfd00b2caf6edeb7f169682b64be2d0a798cf.
Fixes: ef7cfd00b2ca
Signed-off-by: Zhao Xuedong <zhaoxuedong(a)meituan.com>
---
Makefile | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/Makefile b/Makefile
index fbaeeb80a69e..82dcf846d07b 100644
--- a/Makefile
+++ b/Makefile
@@ -1100,6 +1100,11 @@ ifdef CONFIG_STACK_VALIDATION
ifeq ($(has_libelf),1)
objtool_target := tools/objtool FORCE
else
+ ifdef CONFIG_UNWINDER_ORC
+ $(error "Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel")
+ else
+ $(warning "Cannot use CONFIG_STACK_VALIDATION=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel")
+ endif
SKIP_STACK_VALIDATION := 1
export SKIP_STACK_VALIDATION
endif
@@ -1249,14 +1254,6 @@ uapi-asm-generic:
PHONY += prepare-objtool prepare-resolve_btfids
prepare-objtool: $(objtool_target)
-ifeq ($(SKIP_STACK_VALIDATION),1)
-ifdef CONFIG_UNWINDER_ORC
- @echo "error: Cannot generate ORC metadata for CONFIG_UNWINDER_ORC=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel" >&2
- @false
-else
- @echo "warning: Cannot use CONFIG_STACK_VALIDATION=y, please install libelf-dev, libelf-devel or elfutils-libelf-devel" >&2
-endif
-endif
prepare-resolve_btfids: $(resolve_btfids_target)
ifeq ($(ERROR_RESOLVE_BTFIDS),1)
--
2.43.0