Description
In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Fix jump offset calculation in tailcall The extra pass of bpf_int_jit_compile() skips JIT context initialization which essentially skips offset calculation leaving out_offset = -1, so the jmp_offset in emit_bpf_tail_call is calculated by "#define jmp_offset (out_offset - (cur_offset))" is a negative number, which is wrong. The final generated assembly are as follow. 54: bgeu $a2, $t1, -8 # 0x0000004c 58: addi.d $a6, $s5, -1 5c: bltz $a6, -16 # 0x0000004c 60: alsl.d $t2, $a2, $a1, 0x3 64: ld.d $t2, $t2, 264 68: beq $t2, $zero, -28 # 0x0000004c Before apply this patch, the follow test case will reveal soft lock issues. cd tools/testing/selftests/bpf/ ./test_progs --allow=tailcalls/tailcall_bpf2bpf_1 dmesg: watchdog: BUG: soft lockup - CPU#2 stuck for 26s! [test_progs:25056]
Product status
5dc615520c4dfb358245680f1904bad61116648e (git) before 1a782fa32e644aa9fbae6c8488f3e61221ac96e1
5dc615520c4dfb358245680f1904bad61116648e (git) before 17c010fe45def335fe03a0718935416b04c7f349
5dc615520c4dfb358245680f1904bad61116648e (git) before f83d469e16bb1f75991ca67c56786fb2aaa42bea
5dc615520c4dfb358245680f1904bad61116648e (git) before f2b5e50cc04d7a049b385bc1c93b9cbf5f10c94f
5dc615520c4dfb358245680f1904bad61116648e (git) before 9262e3e04621558e875eb5afb5e726b648cd5949
5dc615520c4dfb358245680f1904bad61116648e (git) before cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3
6.1
Any version before 6.1
6.1.149 (semver)
6.6.103 (semver)
6.12.43 (semver)
6.15.11 (semver)
6.16.2 (semver)
6.17 (original_commit_for_fix)
References
git.kernel.org/...c/1a782fa32e644aa9fbae6c8488f3e61221ac96e1
git.kernel.org/...c/17c010fe45def335fe03a0718935416b04c7f349
git.kernel.org/...c/f83d469e16bb1f75991ca67c56786fb2aaa42bea
git.kernel.org/...c/f2b5e50cc04d7a049b385bc1c93b9cbf5f10c94f
git.kernel.org/...c/9262e3e04621558e875eb5afb5e726b648cd5949
git.kernel.org/...c/cd39d9e6b7e4c58fa77783e7aedf7ada51d02ea3
