linux_dsm_epyc7002/arch
Heiko Carstens e84d2f8d2a net: filter: s390: fix JIT address randomization
This is the s390 variant of Alexei's JIT bug fix.
(patch description below stolen from Alexei's patch)

bpf_alloc_binary() adds 128 bytes of room to JITed program image
and rounds it up to the nearest page size. If image size is close
to page size (like 4000), it is rounded to two pages:
round_up(4000 + 4 + 128) == 8192
then 'hole' is computed as 8192 - (4000 + 4) = 4188
If prandom_u32() % hole selects a number >= PAGE_SIZE - sizeof(*header)
then kernel will crash during bpf_jit_free():

kernel BUG at arch/x86/mm/pageattr.c:887!
Call Trace:
 [<ffffffff81037285>] change_page_attr_set_clr+0x135/0x460
 [<ffffffff81694cc0>] ? _raw_spin_unlock_irq+0x30/0x50
 [<ffffffff810378ff>] set_memory_rw+0x2f/0x40
 [<ffffffffa01a0d8d>] bpf_jit_free_deferred+0x2d/0x60
 [<ffffffff8106bf98>] process_one_work+0x1d8/0x6a0
 [<ffffffff8106bf38>] ? process_one_work+0x178/0x6a0
 [<ffffffff8106c90c>] worker_thread+0x11c/0x370

since bpf_jit_free() does:
  unsigned long addr = (unsigned long)fp->bpf_func & PAGE_MASK;
  struct bpf_binary_header *header = (void *)addr;
to compute start address of 'bpf_binary_header'
and header->pages will pass junk to:
  set_memory_rw(addr, header->pages);

Fix it by making sure that &header->image[prandom_u32() % hole] and &header
are in the same page.

Fixes: aa2d2c73c2 ("s390/bpf,jit: address randomize and write protect jit code")

Reported-by: Alexei Starovoitov <ast@plumgrid.com>
Cc: <stable@vger.kernel.org> # v3.11+
Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2014-05-14 16:10:16 -04:00
..
alpha
arc ARC: !PREEMPT: Ensure Return to kernel mode is IRQ safe 2014-04-30 08:21:43 -07:00
arm - Fix for a Haswell regression in nested virtualization, introduced during 2014-05-02 09:26:09 -07:00
arm64 arm64: Mark the Applied Micro X-Gene SATA controller as DMA coherent 2014-05-03 22:20:35 +01:00
avr32
blackfin
c6x
cris
frv
hexagon Hexagon: Delete stale barrier.h 2014-05-01 10:09:47 -07:00
ia64 mm: split 'tlb_flush_mmu()' into tlb flushing and memory freeing parts 2014-04-25 16:05:40 -07:00
m32r
m68k
metag
microblaze
mips Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip 2014-04-27 11:21:03 -07:00
mn10300
openrisc
parisc Merge branch 'parisc-3.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/deller/parisc-linux 2014-05-01 15:54:44 -07:00
powerpc powerpc/4xx: Fix section mismatch in ppc4xx_pci.c 2014-04-28 16:32:53 +10:00
s390 net: filter: s390: fix JIT address randomization 2014-05-14 16:10:16 -04:00
score
sh mm: split 'tlb_flush_mmu()' into tlb flushing and memory freeing parts 2014-04-25 16:05:40 -07:00
sparc
tile
um mm: split 'tlb_flush_mmu()' into tlb flushing and memory freeing parts 2014-04-25 16:05:40 -07:00
unicore32
x86 net: filter: x86: fix JIT address randomization 2014-05-13 18:31:13 -04:00
xtensa Xtensa patchset for v3.15. 2014-05-05 15:36:59 -07:00
.gitignore
Kconfig