Patch "bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()" has been added to the 6.6-stable tree

[Sasha Levin <sashal@xxxxxxxxxx>]

This is a note to let you know that I've just added the patch titled

    bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     bpf-take-return-from-set_memory_ro-into-account-with.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 819292501c3d0dd6032d3cc52490ea8090a6e5c0
Author: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
Date:   Fri Mar 8 06:38:07 2024 +0100

    bpf: Take return from set_memory_ro() into account with bpf_prog_lock_ro()
    
    [ Upstream commit 7d2cc63eca0c993c99d18893214abf8f85d566d8 ]
    
    set_memory_ro() can fail, leaving memory unprotected.
    
    Check its return and take it into account as an error.
    
    Link: https://github.com/KSPP/linux/issues/7
    Signed-off-by: Christophe Leroy <christophe.leroy@xxxxxxxxxx>
    Cc: linux-hardening@xxxxxxxxxxxxxxx <linux-hardening@xxxxxxxxxxxxxxx>
    Reviewed-by: Kees Cook <keescook@xxxxxxxxxxxx>
    Message-ID: <286def78955e04382b227cb3e4b6ba272a7442e3.1709850515.git.christophe.leroy@xxxxxxxxxx>
    Signed-off-by: Alexei Starovoitov <ast@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/include/linux/filter.h b/include/linux/filter.h
index 5090e940ba3e4..5a2800ec94ea6 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -842,14 +842,15 @@ bpf_ctx_narrow_access_offset(u32 off, u32 size, u32 size_default)
 
 #define bpf_classic_proglen(fprog) (fprog->len * sizeof(fprog->filter[0]))
 
-static inline void bpf_prog_lock_ro(struct bpf_prog *fp)
+static inline int __must_check bpf_prog_lock_ro(struct bpf_prog *fp)
 {
 #ifndef CONFIG_BPF_JIT_ALWAYS_ON
 	if (!fp->jited) {
 		set_vm_flush_reset_perms(fp);
-		set_memory_ro((unsigned long)fp, fp->pages);
+		return set_memory_ro((unsigned long)fp, fp->pages);
 	}
 #endif
+	return 0;
 }
 
 static inline void bpf_jit_binary_lock_ro(struct bpf_binary_header *hdr)
diff --git a/kernel/bpf/core.c b/kernel/bpf/core.c
index 05445a4d55181..bdbce41d1bb4a 100644
--- a/kernel/bpf/core.c
+++ b/kernel/bpf/core.c
@@ -2373,7 +2373,9 @@ struct bpf_prog *bpf_prog_select_runtime(struct bpf_prog *fp, int *err)
 	}
 
 finalize:
-	bpf_prog_lock_ro(fp);
+	*err = bpf_prog_lock_ro(fp);
+	if (*err)
+		return fp;
 
 	/* The tail call compatibility check can only be done at
 	 * this late stage as we need to determine, if we deal
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 171045b6956d9..aa546355918cb 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -18625,10 +18625,14 @@ static int jit_subprogs(struct bpf_verifier_env *env)
 	 * bpf_prog_load will add the kallsyms for the main program.
 	 */
 	for (i = 1; i < env->subprog_cnt; i++) {
-		bpf_prog_lock_ro(func[i]);
-		bpf_prog_kallsyms_add(func[i]);
+		err = bpf_prog_lock_ro(func[i]);
+		if (err)
+			goto out_free;
 	}
 
+	for (i = 1; i < env->subprog_cnt; i++)
+		bpf_prog_kallsyms_add(func[i]);
+
 	/* Last step: make now unused interpreter insns from main
 	 * prog consistent for later dump requests, so they can
 	 * later look the same as if they were interpreted only.