Wind River Support Network

Description

In the Linux kernel, the following vulnerability has been resolved:[EOL][EOL]riscv, bpf: Sign extend struct ops return values properly[EOL][EOL]The ns_bpf_qdisc selftest triggers a kernel panic:[EOL][EOL]    Unable to handle kernel paging request at virtual address ffffffffa38dbf58[EOL]    Current test_progs pgtable: 4K pagesize, 57-bit VAs, pgdp=0x00000001109cc000[EOL]    [ffffffffa38dbf58] pgd=000000011fffd801, p4d=000000011fffd401, pud=000000011fffd001, pmd=0000000000000000[EOL]    Oops [#1][EOL]    Modules linked in: bpf_testmod(OE) xt_conntrack nls_iso8859_1 [...] [last unloaded: bpf_testmod(OE)][EOL]    CPU: 1 UID: 0 PID: 23584 Comm: test_progs Tainted: G        W  OE       6.17.0-rc1-g2465bb83e0b4 #1 NONE[EOL]    Tainted: [W]=WARN, [O]=OOT_MODULE, [E]=UNSIGNED_MODULE[EOL]    Hardware name: Unknown Unknown Product/Unknown Product, BIOS 2024.01+dfsg-1ubuntu5.1 01/01/2024[EOL]    epc : __qdisc_run+0x82/0x6f0[EOL]     ra : __qdisc_run+0x6e/0x6f0[EOL]    epc : ffffffff80bd5c7a ra : ffffffff80bd5c66 sp : ff2000000eecb550[EOL]     gp : ffffffff82472098 tp : ff60000096895940 t0 : ffffffff8001f180[EOL]     t1 : ffffffff801e1664 t2 : 0000000000000000 s0 : ff2000000eecb5d0[EOL]     s1 : ff60000093a6a600 a0 : ffffffffa38dbee8 a1 : 0000000000000001[EOL]     a2 : ff2000000eecb510 a3 : 0000000000000001 a4 : 0000000000000000[EOL]     a5 : 0000000000000010 a6 : 0000000000000000 a7 : 0000000000735049[EOL]     s2 : ffffffffa38dbee8 s3 : 0000000000000040 s4 : ff6000008bcda000[EOL]     s5 : 0000000000000008 s6 : ff60000093a6a680 s7 : ff60000093a6a6f0[EOL]     s8 : ff60000093a6a6ac s9 : ff60000093140000 s10: 0000000000000000[EOL]     s11: ff2000000eecb9d0 t3 : 0000000000000000 t4 : 0000000000ff0000[EOL]     t5 : 0000000000000000 t6 : ff60000093a6a8b6[EOL]    status: 0000000200000120 badaddr: ffffffffa38dbf58 cause: 000000000000000d[EOL]    [<ffffffff80bd5c7a>] __qdisc_run+0x82/0x6f0[EOL]    [<ffffffff80b6fe58>] __dev_queue_xmit+0x4c0/0x1128[EOL]    [<ffffffff80b80ae0>] neigh_resolve_output+0xd0/0x170[EOL]    [<ffffffff80d2daf6>] ip6_finish_output2+0x226/0x6c8[EOL]    [<ffffffff80d31254>] ip6_finish_output+0x10c/0x2a0[EOL]    [<ffffffff80d31446>] ip6_output+0x5e/0x178[EOL]    [<ffffffff80d2e232>] ip6_xmit+0x29a/0x608[EOL]    [<ffffffff80d6f4c6>] inet6_csk_xmit+0xe6/0x140[EOL]    [<ffffffff80c985e4>] __tcp_transmit_skb+0x45c/0xaa8[EOL]    [<ffffffff80c995fe>] tcp_connect+0x9ce/0xd10[EOL]    [<ffffffff80d66524>] tcp_v6_connect+0x4ac/0x5e8[EOL]    [<ffffffff80cc19b8>] __inet_stream_connect+0xd8/0x318[EOL]    [<ffffffff80cc1c36>] inet_stream_connect+0x3e/0x68[EOL]    [<ffffffff80b42b20>] __sys_connect_file+0x50/0x88[EOL]    [<ffffffff80b42bee>] __sys_connect+0x96/0xc8[EOL]    [<ffffffff80b42c40>] __riscv_sys_connect+0x20/0x30[EOL]    [<ffffffff80e5bcae>] do_trap_ecall_u+0x256/0x378[EOL]    [<ffffffff80e69af2>] handle_exception+0x14a/0x156[EOL]    Code: 892a 0363 1205 489c 8bc1 c7e5 2d03 084a 2703 080a (2783) 0709[EOL]    ---[ end trace 0000000000000000 ]---[EOL][EOL]The bpf_fifo_dequeue prog returns a skb which is a pointer. The pointer[EOL]is treated as a 32bit value and sign extend to 64bit in epilogue. This[EOL]behavior is right for most bpf prog types but wrong for struct ops which[EOL]requires RISC-V ABI.[EOL][EOL]So let's sign extend struct ops return values according to the function[EOL]model and RISC-V ABI([0]).[EOL][EOL]  [0]: https://riscv.org/wp-content/uploads/2024/12/riscv-calling.pdf