Commit 38ca93060163 ("bpf, arm32: save 4 bytes of unneeded stack
space") messed up STACK_VAR() by 4 bytes presuming it was related
to skb scratch buffer space, but it clearly isn't as this refers
to the top word in stack, therefore restore it. This fixes a NULL
pointer dereference seen during bootup when JIT is enabled and BPF
program run in sk_filter_trim_cap() triggered by systemd-udevd.
JIT rework in 1c35ba122d4a ("ARM: net: bpf: use negative numbers
for stacked registers") and 96cced4e774a ("ARM: net: bpf: access
eBPF scratch space using ARM FP register") removed the affected
parts, so only needed in 4.18 stable.
Fixes: 38ca93060163 ("bpf, arm32: save 4 bytes of unneeded stack space")
Reported-by: Peter Robinson <pbrobinson(a)gmail.com>
Reported-by: Marc Haber <mh+netdev(a)zugschlus.de>
Tested-by: Stefan Wahren <stefan.wahren(a)i2se.com>
Tested-by: Peter Robinson <pbrobinson(a)gmail.com>
Cc: Russell King <rmk+kernel(a)armlinux.org.uk>
Cc: Alexei Starovoitov <ast(a)kernel.org>
Signed-off-by: Daniel Borkmann <daniel(a)iogearbox.net>
---
arch/arm/net/bpf_jit_32.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/net/bpf_jit_32.c b/arch/arm/net/bpf_jit_32.c
index f6a62ae..c864f6b 100644
--- a/arch/arm/net/bpf_jit_32.c
+++ b/arch/arm/net/bpf_jit_32.c
@@ -238,7 +238,7 @@ static void jit_fill_hole(void *area, unsigned int size)
#define STACK_SIZE ALIGN(_STACK_SIZE, STACK_ALIGNMENT)
/* Get the offset of eBPF REGISTERs stored on scratch space. */
-#define STACK_VAR(off) (STACK_SIZE - off)
+#define STACK_VAR(off) (STACK_SIZE - off - 4)
#if __LINUX_ARM_ARCH__ < 7
--
2.9.5
This is the start of the stable review cycle for the 3.18.119 release.
There are 15 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Sat Aug 18 17:16:20 UTC 2018.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v3.x/stable-review/patch-3.18.119-r…
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-3.18.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
Linux 3.18.119-rc1
Mark Salyzyn <salyzyn(a)android.com>
Bluetooth: hidp: buffer overflow in hidp_process_report
Eric Biggers <ebiggers(a)google.com>
crypto: ablkcipher - fix crash flushing dcache in error path
Eric Biggers <ebiggers(a)google.com>
crypto: blkcipher - fix crash flushing dcache in error path
Eric Biggers <ebiggers(a)google.com>
crypto: vmac - separate tfm and request context
Eric Biggers <ebiggers(a)google.com>
crypto: vmac - require a block cipher with 128-bit block size
Randy Dunlap <rdunlap(a)infradead.org>
kbuild: verify that $DEPMOD is installed
Liwei Song <liwei.song(a)windriver.com>
i2c: ismt: fix wrong device address when unmap the data buffer
Andrey Ryabinin <a.ryabinin(a)samsung.com>
mm: slub: fix format mismatches in slab_err() callers
Erick Reyes <erickreyes(a)google.com>
ALSA: info: Check for integer overflow in snd_info_entry_write()
Masami Hiramatsu <mhiramat(a)kernel.org>
kprobes/x86: Fix %p uses in error messages
Oleksij Rempel <o.rempel(a)pengutronix.de>
ARM: dts: imx6sx: fix irq for pcie bridge
Al Viro <viro(a)zeniv.linux.org.uk>
fix __legitimize_mnt()/mntput() race
Al Viro <viro(a)zeniv.linux.org.uk>
fix mntput/mntput race
Al Viro <viro(a)zeniv.linux.org.uk>
root dentries need RCU-delayed freeing
Juergen Gross <jgross(a)suse.com>
xen/netfront: don't cache skb_shinfo()
-------------
Diffstat:
Documentation/Changes | 17 +-
Makefile | 4 +-
arch/arm/boot/dts/imx6sx.dtsi | 2 +-
arch/x86/kernel/kprobes/core.c | 4 +-
crypto/ablkcipher.c | 57 +++---
crypto/blkcipher.c | 54 +++---
crypto/vmac.c | 412 ++++++++++++++++++-----------------------
drivers/i2c/busses/i2c-ismt.c | 2 +-
drivers/net/xen-netfront.c | 8 +-
fs/dcache.c | 6 +-
fs/namespace.c | 28 ++-
include/crypto/vmac.h | 63 -------
mm/slub.c | 6 +-
net/bluetooth/hidp/core.c | 4 +-
scripts/depmod.sh | 8 +-
sound/core/info.c | 4 +-
16 files changed, 297 insertions(+), 382 deletions(-)