Changes in 5.10.62
net: qrtr: fix another OOB Read in qrtr_endpoint_post
bpf: Fix ringbuf helper function compatibility
bpf: Fix NULL pointer dereference in bpf_get_local_storage() helper
ASoC: rt5682: Adjust headset volume button threshold
ASoC: component: Remove misplaced prefix handling in pin control functions
ARC: Fix CONFIG_STACKDEPOT
netfilter: conntrack: collect all entries in one cycle
once: Fix panic when module unload
blk-iocost: fix lockdep warning on blkcg->lock
ovl: fix uninitialized pointer read in ovl_lookup_real_one()
net: mscc: Fix non-GPL export of regmap APIs
can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters
ceph: correctly handle releasing an embedded cap flush
riscv: Ensure the value of FP registers in the core dump file is up to date
Revert "btrfs: compression: don't try to compress if we don't have enough pages"
drm/amdgpu: Cancel delayed work when GFXOFF is disabled
Revert "USB: serial: ch341: fix character loss at high transfer rates"
USB: serial: option: add new VID/PID to support Fibocom FG150
usb: renesas-xhci: Prefer firmware loading on unknown ROM state
usb: dwc3: gadget: Fix dwc3_calc_trbs_left()
usb: dwc3: gadget: Stop EP0 transfers during pullup disable
scsi: core: Fix hang of freezing queue between blocking and running device
RDMA/bnxt_re: Add missing spin lock initialization
IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs()
RDMA/bnxt_re: Remove unpaired rtnl unlock in bnxt_re_dev_init()
ice: do not abort devlink info if board identifier can't be found
net: usb: pegasus: fixes of set_register(s) return value evaluation;
igc: fix page fault when thunderbolt is unplugged
igc: Use num_tx_queues when iterating over tx_ring queue
e1000e: Fix the max snoop/no-snoop latency for 10M
e1000e: Do not take care about recovery NVM checksum
RDMA/efa: Free IRQ vectors on error flow
ip_gre: add validation for csum_start
xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()'
net: marvell: fix MVNETA_TX_IN_PRGRS bit number
ucounts: Increase ucounts reference counter before the security hook
net/sched: ets: fix crash when flipping from 'strict' to 'quantum'
ipv6: use siphash in rt6_exception_hash()
ipv4: use siphash instead of Jenkins in fnhe_hashfun()
cxgb4: dont touch blocked freelist bitmap after free
rtnetlink: Return correct error on changing device netns
net: hns3: clear hardware resource when loading driver
net: hns3: add waiting time before cmdq memory is released
net: hns3: fix duplicate node in VLAN list
net: hns3: fix get wrong pfc_en when query PFC configuration
Revert "mmc: sdhci-iproc: Set SDHCI_QUIRK_CAP_CLOCK_BASE_BROKEN on BCM2711"
net: stmmac: add mutex lock to protect est parameters
net: stmmac: fix kernel panic due to NULL pointer dereference of plat->est
drm/i915: Fix syncmap memory leak
usb: gadget: u_audio: fix race condition on endpoint stop
dt-bindings: sifive-l2-cache: Fix 'select' matching
perf/x86/intel/uncore: Fix integer overflow on 23 bit left shift of a u32
clk: renesas: rcar-usb2-clock-sel: Fix kernel NULL pointer dereference
iwlwifi: pnvm: accept multiple HW-type TLVs
opp: remove WARN when no valid OPPs remain
cpufreq: blocklist Qualcomm sm8150 in cpufreq-dt-platdev
virtio: Improve vq->broken access to avoid any compiler optimization
virtio_pci: Support surprise removal of virtio pci device
virtio_vdpa: reject invalid vq indices
vringh: Use wiov->used to check for read/write desc order
tools/virtio: fix build
qed: qed ll2 race condition fixes
qed: Fix null-pointer dereference in qed_rdma_create_qp()
Revert "drm/amd/pm: fix workload mismatch on vega10"
drm/amd/pm: change the workload type for some cards
blk-mq: don't grab rq's refcount in blk_mq_check_expired()
drm: Copy drm_wait_vblank to user before returning
drm/nouveau/disp: power down unused DP links during init
drm/nouveau/kms/nv50: workaround EFI GOP window channel format differences
net/rds: dma_map_sg is entitled to merge entries
btrfs: fix race between marking inode needs to be logged and log syncing
pipe: avoid unnecessary EPOLLET wakeups under normal loads
pipe: do FASYNC notifications for every pipe IO, not just state changes
mtd: spinand: Fix incorrect parameters for on-die ECC
tipc: call tipc_wait_for_connect only when dlen is not 0
vt_kdsetmode: extend console locking
Bluetooth: btusb: check conditions before enabling USB ALT 3 for WBS
riscv: Fixup wrong ftrace remove cflag
riscv: Fixup patch_text panic in ftrace
perf env: Fix memory leak of bpf_prog_info_linear member
perf symbol-elf: Fix memory leak by freeing sdt_note.args
perf record: Fix memory leak in vDSO found using ASAN
perf tools: Fix arm64 build error with gcc-11
perf annotate: Fix jump parsing for C++ code.
powerpc/perf: Invoke per-CPU variable access with disabled interrupts
srcu: Provide internal interface to start a Tree SRCU grace period
srcu: Provide polling interfaces for Tree SRCU grace periods
srcu: Provide internal interface to start a Tiny SRCU grace period
srcu: Make Tiny SRCU use multi-bit grace-period counter
srcu: Provide polling interfaces for Tiny SRCU grace periods
tracepoint: Use rcu get state and cond sync for static call updates
usb: typec: ucsi: acpi: Always decode connector change information
usb: typec: ucsi: Work around PPM losing change information
usb: typec: ucsi: Clear pending after acking connector change
net: dsa: mt7530: fix VLAN traffic leaks again
lkdtm: Enable DOUBLE_FAULT on all architectures
arm64: dts: qcom: msm8994-angler: Fix gpio-reserved-ranges 85-88
btrfs: fix NULL pointer dereference when deleting device by invalid id
kthread: Fix PF_KTHREAD vs to_kthread() race
Revert "floppy: reintroduce O_NDELAY fix"
Revert "parisc: Add assembly implementations for memset, strlen, strcpy, strncpy and strcat"
net: don't unconditionally copy_from_user a struct ifreq for socket ioctls
audit: move put_tree() to avoid trim_trees refcount underflow and UAF
bpf: Fix potentially incorrect results with bpf_get_local_storage()
Linux 5.10.62
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I5a9bf4b2c254ae21a10f838494cae1c3fa016be3
commit d0efb16294d145d157432feda83877ae9d7cdf37 upstream.
A common implementation of isatty(3) involves calling an ioctl passing
a dummy struct argument and checking whether the syscall failed --
bionic and glibc use TCGETS (passing a struct termios), and musl uses
TIOCGWINSZ (passing a struct winsize). If the FD is a socket, we will
copy sizeof(struct ifreq) bytes of data from the argument and return
-EFAULT if that fails. The result is that the isatty implementations
may return a non-POSIX-compliant value in errno in the case where part
of the dummy struct argument is inaccessible, as both struct termios
and struct winsize are smaller than struct ifreq (at least on arm64).
Although there is usually enough stack space following the argument
on the stack that this did not present a practical problem up to now,
with MTE stack instrumentation it's more likely for the copy to fail,
as the memory following the struct may have a different tag.
Fix the problem by adding an early check for whether the ioctl is a
valid socket ioctl, and return -ENOTTY if it isn't.
Fixes: 44c02a2c3d ("dev_ioctl(): move copyin/copyout to callers")
Link: https://linux-review.googlesource.com/id/I869da6cf6daabc3e4b7b82ac979683ba05e27d4d
Signed-off-by: Peter Collingbourne <pcc@google.com>
Cc: <stable@vger.kernel.org> # 4.19
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
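
A regression probe for the isatty(3) errno behaviour described in the commit message above, added here as an example; it is not part of the commit or the kernel tree. It places a struct winsize directly in front of an inaccessible page and issues TIOCGWINSZ on a socket, as musl's isatty does: ENOTTY means the early check is present, EFAULT means the kernel still copies sizeof(struct ifreq) bytes. The function names are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <net/if.h>
#include <sys/ioctl.h>
#include <sys/mman.h>
#include <sys/socket.h>
#include <unistd.h>

/* The failure needs a dummy argument smaller than struct ifreq.
 * struct winsize is used because the C library's struct termios can be
 * larger than the kernel's. Returns 1 when the precondition holds. */
static int dummy_arg_smaller_than_ifreq(void)
{
    return sizeof(struct winsize) < sizeof(struct ifreq);
}

/* Issue TIOCGWINSZ on a socket with the argument ending exactly at a
 * page boundary followed by a PROT_NONE page.
 * Returns the errno of the ioctl, 0 if it unexpectedly succeeded,
 * or -1 if the test setup itself failed. */
static int probe_socket_tiocgwinsz(void)
{
    int result = -1;
    int sv[2] = { -1, -1 };
    struct winsize *ws;
    long page = sysconf(_SC_PAGESIZE);
    size_t len;
    char *map;

    if (page <= 0)
        return -1;
    len = (size_t)page * 2;
    map = mmap(NULL, len, PROT_READ | PROT_WRITE,
               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (map == MAP_FAILED)
        return -1;

    /* Second page becomes the inaccessible region after the struct. */
    if (mprotect(map + page, (size_t)page, PROT_NONE) != 0)
        goto out;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        goto out;

    /* Last sizeof(struct winsize) bytes of the readable page. */
    ws = (struct winsize *)(map + page - sizeof(*ws));
    errno = 0;
    result = (ioctl(sv[0], TIOCGWINSZ, ws) == 0) ? 0 : errno;

out:
    if (sv[0] >= 0)
        close(sv[0]);
    if (sv[1] >= 0)
        close(sv[1]);
    munmap(map, len);
    return result;
}

/* Map the probe result to a human-readable verdict. */
static const char *verdict(int err)
{
    if (err == ENOTTY)
        return "ENOTTY: non-socket ioctl rejected before any copy";
    if (err == EFAULT)
        return "EFAULT: kernel copied an ifreq-sized argument";
    if (err < 0)
        return "probe setup failed";
    return "unexpected result";
}

int main(void)
{
    int err = probe_socket_tiocgwinsz();

    printf("winsize=%zu bytes, ifreq=%zu bytes\n",
           sizeof(struct winsize), sizeof(struct ifreq));
    printf("%s\n", verdict(err));
    return err == ENOTTY ? 0 : 1;
}
```
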
Changes in 5.10.46
dmaengine: idxd: add missing dsa driver unregister
dmaengine: fsl-dpaa2-qdma: Fix error return code in two functions
dmaengine: xilinx: dpdma: initialize registers before request_irq
dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM
dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM
dmaengine: SF_PDMA depends on HAS_IOMEM
dmaengine: stedma40: add missing iounmap() on error in d40_probe()
afs: Fix an IS_ERR() vs NULL check
mm/memory-failure: make sure wait for page writeback in memory_failure
kvm: LAPIC: Restore guard to prevent illegal APIC register access
fanotify: fix copy_event_to_user() fid error clean up
batman-adv: Avoid WARN_ON timing related checks
mac80211: fix skb length check in ieee80211_scan_rx()
mlxsw: reg: Spectrum-3: Enforce lowest max-shaper burst size of 11
mlxsw: core: Set thermal zone polling delay argument to real value at init
libbpf: Fixes incorrect rx_ring_setup_done
net: ipv4: fix memory leak in netlbl_cipsov4_add_std
vrf: fix maximum MTU
net: rds: fix memory leak in rds_recvmsg
net: dsa: felix: re-enable TX flow control in ocelot_port_flush()
net: lantiq: disable interrupt before sheduling NAPI
netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local
ice: add ndo_bpf callback for safe mode netdev ops
ice: parameterize functions responsible for Tx ring management
udp: fix race between close() and udp_abort()
rtnetlink: Fix regression in bridge VLAN configuration
net/sched: act_ct: handle DNAT tuple collision
net/mlx5e: Remove dependency in IPsec initialization flows
net/mlx5e: Fix page reclaim for dead peer hairpin
net/mlx5: Consider RoCE cap before init RDMA resources
net/mlx5: DR, Allow SW steering for sw_owner_v2 devices
net/mlx5: DR, Don't use SW steering when RoCE is not supported
net/mlx5e: Block offload of outer header csum for UDP tunnels
netfilter: synproxy: Fix out of bounds when parsing TCP options
mptcp: Fix out of bounds when parsing TCP options
sch_cake: Fix out of bounds when parsing TCP options and header
mptcp: try harder to borrow memory from subflow under pressure
mptcp: do not warn on bad input from the network
selftests: mptcp: enable syncookie only in absence of reorders
alx: Fix an error handling path in 'alx_probe()'
cxgb4: fix endianness when flashing boot image
cxgb4: fix sleep in atomic when flashing PHY firmware
cxgb4: halt chip before flashing PHY firmware image
net: stmmac: dwmac1000: Fix extended MAC address registers definition
net: make get_net_ns return error if NET_NS is disabled
net: qualcomm: rmnet: Update rmnet device MTU based on real device
net: qualcomm: rmnet: don't over-count statistics
ethtool: strset: fix message length calculation
qlcnic: Fix an error handling path in 'qlcnic_probe()'
netxen_nic: Fix an error handling path in 'netxen_nic_probe()'
cxgb4: fix wrong ethtool n-tuple rule lookup
ipv4: Fix device used for dst_alloc with local routes
net: qrtr: fix OOB Read in qrtr_endpoint_post
bpf: Fix leakage under speculation on mispredicted branches
ptp: improve max_adj check against unreasonable values
net: cdc_ncm: switch to eth%d interface naming
lantiq: net: fix duplicated skb in rx descriptor ring
net: usb: fix possible use-after-free in smsc75xx_bind
net: fec_ptp: fix issue caused by refactor the fec_devtype
net: ipv4: fix memory leak in ip_mc_add1_src
net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock
net/mlx5: E-Switch, Read PF mac address
net/mlx5: E-Switch, Allow setting GUID for host PF vport
net/mlx5: Reset mkey index on creation
be2net: Fix an error handling path in 'be_probe()'
net: hamradio: fix memory leak in mkiss_close
net: cdc_eem: fix tx fixup skb leak
cxgb4: fix wrong shift.
bnxt_en: Rediscover PHY capabilities after firmware reset
bnxt_en: Fix TQM fastpath ring backing store computation
bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path
icmp: don't send out ICMP messages with a source address of 0.0.0.0
net: ethernet: fix potential use-after-free in ec_bhf_remove
regulator: cros-ec: Fix error code in dev_err message
regulator: bd70528: Fix off-by-one for buck123 .n_voltages setting
platform/x86: thinkpad_acpi: Add X1 Carbon Gen 9 second fan support
ASoC: rt5659: Fix the lost powers for the HDA header
phy: phy-mtk-tphy: Fix some resource leaks in mtk_phy_init()
ASoC: fsl-asoc-card: Set .owner attribute when registering card.
regulator: rtmv20: Fix to make regcache value first reading back from HW
spi: spi-zynq-qspi: Fix some wrong goto jumps & missing error code
sched/pelt: Ensure that *_sum is always synced with *_avg
ASoC: tas2562: Fix TDM_CFG0_SAMPRATE values
spi: stm32-qspi: Always wait BUSY bit to be cleared in stm32_qspi_wait_cmd()
regulator: rt4801: Fix NULL pointer dereference if priv->enable_gpios is NULL
ASoC: rt5682: Fix the fast discharge for headset unplugging in soundwire mode
pinctrl: ralink: rt2880: avoid to error in calls is pin is already enabled
drm/sun4i: dw-hdmi: Make HDMI PHY into a platform device
ASoC: qcom: lpass-cpu: Fix pop noise during audio capture begin
radeon: use memcpy_to/fromio for UVD fw upload
hwmon: (scpi-hwmon) shows the negative temperature properly
mm: relocate 'write_protect_seq' in struct mm_struct
irqchip/gic-v3: Workaround inconsistent PMR setting on NMI entry
bpf: Inherit expanded/patched seen count from old aux data
bpf: Do not mark insn as seen under speculative path verification
can: bcm: fix infoleak in struct bcm_msg_head
can: bcm/raw/isotp: use per module netdevice notifier
can: j1939: fix Use-after-Free, hold skb ref while in use
can: mcba_usb: fix memory leak in mcba_usb
usb: core: hub: Disable autosuspend for Cypress CY7C65632
usb: chipidea: imx: Fix Battery Charger 1.2 CDP detection
tracing: Do not stop recording cmdlines when tracing is off
tracing: Do not stop recording comms if the trace file is being read
tracing: Do no increment trace_clock_global() by one
PCI: Mark TI C667X to avoid bus reset
PCI: Mark some NVIDIA GPUs to avoid bus reset
PCI: aardvark: Fix kernel panic during PIO transfer
PCI: Add ACS quirk for Broadcom BCM57414 NIC
PCI: Work around Huawei Intelligent NIC VF FLR erratum
KVM: x86: Immediately reset the MMU context when the SMM flag is cleared
KVM: x86/mmu: Calculate and check "full" mmu_role for nested MMU
KVM: X86: Fix x86_emulator slab cache leak
s390/mcck: fix calculation of SIE critical section size
s390/ap: Fix hanging ioctl caused by wrong msg counter
ARCv2: save ABI registers across signal handling
x86/mm: Avoid truncating memblocks for SGX memory
x86/process: Check PF_KTHREAD and not current->mm for kernel threads
x86/ioremap: Map EFI-reserved memory as encrypted for SEV
x86/pkru: Write hardware init value to PKRU when xstate is init
x86/fpu: Prevent state corruption in __fpu__restore_sig()
x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer
x86/fpu: Reset state for all signal restore failures
crash_core, vmcoreinfo: append 'SECTION_SIZE_BITS' to vmcoreinfo
dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc
mac80211: Fix NULL ptr deref for injected rate info
cfg80211: make certificate generation more robust
cfg80211: avoid double free of PMSR request
drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to cover full doorbell.
drm/amdgpu/gfx9: fix the doorbell missing when in CGPG issue.
net: ll_temac: Make sure to free skb when it is completely used
net: ll_temac: Fix TX BD buffer overwrite
net: bridge: fix vlan tunnel dst null pointer dereference
net: bridge: fix vlan tunnel dst refcnt when egressing
mm/swap: fix pte_same_as_swp() not removing uffd-wp bit when compare
mm/slub: clarify verification reporting
mm/slub: fix redzoning for small allocations
mm/slub: actually fix freelist pointer vs redzoning
mm/slub.c: include swab.h
net: stmmac: disable clocks in stmmac_remove_config_dt()
net: fec_ptp: add clock rate zero check
tools headers UAPI: Sync linux/in.h copy with the kernel sources
perf beauty: Update copy of linux/socket.h with the kernel sources
usb: dwc3: debugfs: Add and remove endpoint dirs dynamically
usb: dwc3: core: fix kernel panic when do reboot
Linux 5.10.46
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I99f37c9f257f90ccdb091306f3d4cfb7c32e3880
[ Upstream commit ea6932d70e223e02fea3ae20a4feff05d7c1ea9a ]
There is a panic in socket ioctl cmd SIOCGSKNS when NET_NS is not enabled.
The reason is that nsfs tries to access ns->ops but the proc_ns_operations
is not implemented in this case.
[7.670023] Unable to handle kernel NULL pointer dereference at virtual address 00000010
[7.670268] pgd = 32b54000
[7.670544] [00000010] *pgd=00000000
[7.671861] Internal error: Oops: 5 [#1] SMP ARM
[7.672315] Modules linked in:
[7.672918] CPU: 0 PID: 1 Comm: systemd Not tainted 5.13.0-rc3-00375-g6799d4f2da49 #16
[7.673309] Hardware name: Generic DT based system
[7.673642] PC is at nsfs_evict+0x24/0x30
[7.674486] LR is at clear_inode+0x20/0x9c
The same applies to the tun SIOCGSKNS command.
To fix this problem, we make get_net_ns() return -EINVAL when NET_NS is
disabled. Meanwhile move it to the right place, net/core/net_namespace.c.
Signed-off-by: Changbin Du <changbin.du@gmail.com>
Fixes: c62cce2cae ("net: add an ioctl to get a socket network namespace")
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: David Laight <David.Laight@ACULAB.COM>
Cc: Christian Brauner <christian.brauner@ubuntu.com>
Suggested-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Christian Brauner <christian.brauner@ubuntu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Steps on the way to 5.10-rc1
Resolves merge issues in:
drivers/net/virtio_net.c
net/xfrm/xfrm_state.c
net/xfrm/xfrm_user.c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3132e7802f25cb775eb02d0b3a03068da39a6fe2
Rejecting non-native endian BTF overlapped with the addition
of support for it.
The rest were more simple overlapping changes, except the
renesas ravb binding update, which had to follow a file
move as well as a YAML conversion.
Signed-off-by: David S. Miller <davem@davemloft.net>
If a page sent into kernel_sendpage() is a slab page or it doesn't have
ref_count, this page is improper to send by the zero copy sendpage()
method. Otherwise such a page might be unexpectedly released in the network
code path and cause an unpredictable panic due to kernel memory management
data structure corruption.
This patch adds a WARN_ON() on the sending page before sending it into the
concrete zero-copy sendpage() method. If the page is improper for the
zero-copy sendpage() method, a warning message can be observed before
the consequential unpredictable kernel panic.
This patch does not change existing kernel_sendpage() behavior for the
improper page zero-copy send, it just provides a hint warning message for
the following potential panic due to the kernel memory heap corruption.
Signed-off-by: Coly Li <colyli@suse.de>
Cc: Cong Wang <amwang@redhat.com>
Cc: Christoph Hellwig <hch@lst.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: Sridhar Samudrala <sri@us.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We got slightly different patches removing a double word
in a comment in net/ipv4/raw.c - picked the version from net.
Simple conflict in drivers/net/ethernet/ibm/ibmvnic.c. Use cached
values instead of VNIC login response buffer (following what
commit 507ebe6444 ("ibmvnic: Fix use-after-free of VNIC login
response buffer") did).
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Fix some comments, including wrong function name, duplicated word and so
on.
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
For TCP tx zero-copy, the kernel notifies the process of completions by
queuing completion notifications on the socket error queue. This patch
allows reading these notifications via recvmsg to support TCP tx
zero-copy.
Ancillary data was originally disallowed due to privilege escalation
via io_uring's offloading of sendmsg() onto a kernel thread with kernel
credentials (https://crbug.com/project-zero/1975). So, we must ensure
that the socket type is one where the ancillary data types that are
delivered on recvmsg are plain data (no file descriptors or values that
are translated based on the identity of the calling process).
This was tested by using io_uring to call recvmsg on the MSG_ERRQUEUE
with tx zero-copy enabled. Before this patch, we received -EINVALID from
this specific code path. After this patch, we could read tcp tx
zero-copy completion notifications from the MSG_ERRQUEUE.
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Arjun Roy <arjunroy@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Jann Horn <jannh@google.com>
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Luke Hsiao <lukehsiao@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This reverts commits 6d04fe15f7 and
a31edb2059.
It turns out the idea to share a single pointer for both kernel and user
space address causes various kinds of problems. So use the slightly less
optimal version that uses an extra bit, but which is guaranteed to be safe
everywhere.
Fixes: 6d04fe15f7 ("net: optimize the sockptr_t for unified kernel/user address spaces")
Reported-by: Eric Dumazet <edumazet@google.com>
Reported-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 519a8a6cf9 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git master)
Signed-off-by: John Stultz <john.stultz@linaro.org>
Change-Id: I645a8226be732b72cf8a404957754e3408dfc4bc
This reverts commits 6d04fe15f7 and
a31edb2059.
It turns out the idea to share a single pointer for both kernel and user
space address causes various kinds of problems. So use the slightly less
optimal version that uses an extra bit, but which is guaranteed to be safe
everywhere.
Fixes: 6d04fe15f7 ("net: optimize the sockptr_t for unified kernel/user address spaces")
Reported-by: Eric Dumazet <edumazet@google.com>
Reported-by: John Stultz <john.stultz@linaro.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Convert the uses of fallthrough comments to fallthrough macro.
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We should fput() file iff FDPUT_FPUT is set. So we should set fput_needed
accordingly.
Fixes: 00e188ef6a ("sockfd_lookup_light(): switch to fdget^W^Waway from fget_light")
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Use helper function fdput() to fput() the file iff FDPUT_FPUT is set.
Signed-off-by: Miaohe Lin <linmiaohe@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Steps on the way to 5.9-rc1
Resolves conflicts in:
drivers/irqchip/qcom-pdc.c
include/linux/device.h
net/xfrm/xfrm_state.c
security/lsm_audit.c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I4aeb3d04f4717714a421721eb3ce690c099bb30a
Make sure not just the pointer itself but the whole range lies in
the user address space. For that pass the length and then use
the access_ok helper to do the check.
Fixes: 6d04fe15f7 ("net: optimize the sockptr_t for unified kernel/user address spaces")
Reported-by: David Laight <David.Laight@ACULAB.COM>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
For architectures like x86 and arm64 we don't need the separate bit to
indicate that a pointer is a kernel pointer as the address spaces are
unified. That way the sockptr_t can be reduced to a union of two
pointers, which leads to nicer calling conventions.
The only caveat is that we need to check that users don't pass in kernel
address and thus gain access to kernel memory. Thus the USER_SOCKPTR
helper is replaced with a init_user_sockptr function that does this check
and returns an error if it fails.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
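
A user-space model of the two sockptr_t designs discussed in the commit messages above (the tagged version with an extra bit, and the unified version that needs a range check), added here as an example; it is not kernel code. Addresses are plain integers that are never dereferenced, MODEL_TASK_SIZE is a constructed boundary, and all type and function names are hypothetical.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed boundary: addresses below it count as user space. */
#define MODEL_TASK_SIZE 0x0000800000000000ULL

enum copy_path { COPY_FROM_USER, KERNEL_MEMCPY };

/* Variant A: the explicit tag travels with the pointer. */
struct tagged_sockptr { uint64_t addr; bool is_kernel; };

static struct tagged_sockptr tagged_user(uint64_t addr)
{
    return (struct tagged_sockptr){ addr, false };
}

static enum copy_path tagged_path(struct tagged_sockptr sp)
{
    /* Decided by who built the sockptr, never by the address value. */
    return sp.is_kernel ? KERNEL_MEMCPY : COPY_FROM_USER;
}

/* Variant B: unified address space, the address alone decides. */
struct unified_sockptr { uint64_t addr; };

static enum copy_path unified_path(struct unified_sockptr sp)
{
    return sp.addr >= MODEL_TASK_SIZE ? KERNEL_MEMCPY : COPY_FROM_USER;
}

/* First form of the check: only the start of the buffer is tested. */
static int init_user_start_only(struct unified_sockptr *sp, uint64_t p)
{
    if (p >= MODEL_TASK_SIZE)
        return -EFAULT;
    sp->addr = p;
    return 0;
}

/* Whole-range test written so that p + size cannot wrap around. */
static bool range_is_user(uint64_t p, uint64_t size)
{
    return size <= MODEL_TASK_SIZE && p <= MODEL_TASK_SIZE - size;
}

/* Follow-up form: the length is passed and the full range is tested. */
static int init_user_whole_range(struct unified_sockptr *sp,
                                 uint64_t p, uint64_t size)
{
    if (!range_is_user(p, size))
        return -EFAULT;
    sp->addr = p;
    return 0;
}

/* Number of bytes of [p, p + size) at or above the boundary. */
static uint64_t bytes_past_boundary(uint64_t p, uint64_t size)
{
    if (range_is_user(p, size))
        return 0;
    if (p >= MODEL_TASK_SIZE)
        return size;
    return size - (MODEL_TASK_SIZE - p);
}

int main(void)
{
    struct unified_sockptr sp = { 0 };
    uint64_t straddle = MODEL_TASK_SIZE - 8;   /* constructed input */
    uint64_t high = MODEL_TASK_SIZE + 0x1000;  /* constructed input */

    printf("start-only check, 16 bytes at limit-8: %d\n",
           init_user_start_only(&sp, straddle));
    printf("whole-range check, same buffer:        %d (%llu bytes past)\n",
           init_user_whole_range(&sp, straddle, 16),
           (unsigned long long)bytes_past_boundary(straddle, 16));
    printf("unchecked high address, unified: %s\n",
           unified_path((struct unified_sockptr){ high }) == KERNEL_MEMCPY
               ? "treated as kernel pointer" : "treated as user pointer");
    printf("same address, tagged as user:    %s\n",
           tagged_path(tagged_user(high)) == KERNEL_MEMCPY
               ? "treated as kernel pointer" : "treated as user pointer");
    return 0;
}
```
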
Rework the remaining setsockopt code to pass a sockptr_t instead of a
plain user pointer. This removes the last remaining set_fs(KERNEL_DS)
outside of architecture specific code.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Stefan Schmidt <stefan@datenfreihafen.org> [ieee802154]
Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pass a sockptr_t to prepare for set_fs-less handling of the kernel
pointer from bpf-cgroup.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Just check for a NULL method instead of wiring up
sock_no_{get,set}sockopt.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Now that the ->compat_{get,set}sockopt proto_ops methods are gone
there is no good reason left to keep the compat syscalls separate.
This fixes the odd use of unsigned int for the compat_setsockopt
optlen and the missing sock_use_custom_sol_socket.
It would also easily allow running the eBPF hooks for the compat
syscalls, but such a large change in behavior does not belong into
a consolidation patch like this one.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Return early when sockfd_lookup_light fails to reduce a level of
indentation for most of the function body.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Return early when sockfd_lookup_light fails to reduce a level of
indentation for most of the function body.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fix the warning "Function parameter or member 'inode' not described in
'__sock_release'" due to the kerneldoc being placed before
__sock_release() not sock_release(), which does not take an inode
parameter.
Signed-off-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
setsockopt(mptcp_fd, SOL_SOCKET, ...)... appears to work (returns 0),
but it has no effect -- this is because the MPTCP layer never has a
chance to copy the settings to the subflow socket.
Skip the generic handling for the mptcp case and instead call the
mptcp specific handler for SOL_SOCKET too.
Next patch adds more specific handling for SOL_SOCKET to mptcp.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
To prepare removing the global routing_ioctl hack start lifting the code
into the ipv4 and appletalk ->compat_ioctl handlers. Unlike the existing
handler we don't bother copying in the name - there are no compat issues for
char arrays.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
To prepare removing the global routing_ioctl hack start lifting the code
into a newly added ipv6 ->compat_ioctl handler.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
The msg_control field in struct msghdr can either contain a user
pointer when used with the recvmsg system call, or a kernel pointer
when used with sendmsg. To complicate things further kernel_recvmsg
can stuff a kernel pointer in and then use set_fs to make the uaccess
helpers accept it.
Replace it with a union of a kernel pointer msg_control field, and
a user pointer msg_control_user one, and allow kernel_recvmsg to operate
on a proper kernel pointer using a bitfield to override the normal
choice of a user pointer for recvmsg.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
In a quest to make the huge -rc1 merge easier to handle and bisect,
merge the first chunk of 5.7-rc1 patches into android-mainline.
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ib54436e9515660a4c0c25c49c21bfb399eb57921
Pull io_uring updates from Jens Axboe:
"Here are the io_uring changes for this merge window. Light on new
features this time around (just splice + buffer selection), lots of
cleanups, fixes, and improvements to existing support. In particular,
this contains:
- Cleanup fixed file update handling for stack fallback (Hillf)
- Re-work of how pollable async IO is handled, we no longer require
thread offload to handle that. Instead we rely on using poll to drive
this, with task_work execution.
- In conjunction with the above, allow expendable buffer selection,
so that poll+recv (for example) no longer has to be a split
operation.
- Make sure we honor RLIMIT_FSIZE for buffered writes
- Add support for splice (Pavel)
- Linked work inheritance fixes and optimizations (Pavel)
- Async work fixes and cleanups (Pavel)
- Improve io-wq locking (Pavel)
- Hashed link write improvements (Pavel)
- SETUP_IOPOLL|SETUP_SQPOLL improvements (Xiaoguang)"
* tag 'for-5.7/io_uring-2020-03-29' of git://git.kernel.dk/linux-block: (54 commits)
io_uring: cleanup io_alloc_async_ctx()
io_uring: fix missing 'return' in comment
io-wq: handle hashed writes in chains
io-uring: drop 'free_pfile' in struct io_file_put
io-uring: drop completion when removing file
io_uring: Fix ->data corruption on re-enqueue
io-wq: close cancel gap for hashed linked work
io_uring: make spdxcheck.py happy
io_uring: honor original task RLIMIT_FSIZE
io-wq: hash dependent work
io-wq: split hashing and enqueueing
io-wq: don't resched if there is no work
io-wq: remove duplicated cancel code
io_uring: fix truncated async read/readv and write/writev retry
io_uring: dual license io_uring.h uapi header
io_uring: io_uring_enter(2) don't poll while SETUP_IOPOLL|SETUP_SQPOLL enabled
io_uring: Fix unused function warnings
io_uring: add end-of-bits marker and build time verify it
io_uring: provide means of removing buffers
io_uring: add IOSQE_BUFFER_SELECT support for IORING_OP_RECVMSG
...
Just like commit 4022e7af86, this fixes the fact that
IORING_OP_ACCEPT ends up using get_unused_fd_flags(), which checks
current->signal->rlim[] for limits.
Add an extra argument to __sys_accept4_file() that allows us to pass
in the proper nofile limit, and grab it at request prep time.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This splits it into two parts, one that imports the message, and one
that imports the iovec. This allows a caller to only do the first part,
and import the iovec manually afterwards.
No functional changes in this patch.
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Baby steps in the 5.6-rc1 merge cycle to make things easier to review
and debug.
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I4c44b3c32065ea0ed8175b31665f2a4195a27300
When procfs is disabled, the fdinfo code causes a harmless
warning:
net/socket.c:1000:13: error: 'sock_show_fdinfo' defined but not used [-Werror=unused-function]
static void sock_show_fdinfo(struct seq_file *m, struct file *f)
Move the function definition up so we can use a single #ifdef
around it.
Fixes: b4653342b1 ("net: Allow to show socket-specific information in /proc/[pid]/fdinfo/[fd]")
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull io_uring fixes from Jens Axboe:
- A tweak to IOSQE_IO_LINK (also marked for stable) to allow links that
don't sever if the result is < 0.
This is mostly for linked timeouts, where if we ask for a pure
timeout we always get -ETIME. This makes links useless for that case,
hence allow a case where it works.
- Five minor optimizations to fix and improve cases that regressed
since v5.4.
- An SQTHREAD locking fix.
- A sendmsg/recvmsg iov assignment fix.
- Net fix where read_iter/write_iter don't honor IOCB_NOWAIT, and
subsequently ensuring that works for io_uring.
- Fix a case where for an invalid opcode we might return -EBADF instead
of -EINVAL, if the ->fd of that sqe was set to an invalid fd value.
* tag 'io_uring-5.5-20191212' of git://git.kernel.dk/linux-block:
io_uring: ensure we return -EINVAL on unknown opcode
io_uring: add sockets to list of files that support non-blocking issue
net: make socket read/write_iter() honor IOCB_NOWAIT
io_uring: only hash regular files for async work execution
io_uring: run next sqe inline if possible
io_uring: don't dynamically allocate poll data
io_uring: deferred send/recvmsg should assign iov
io_uring: sqthread should grab ctx->uring_lock for submissions
io-wq: briefly spin for new work after finishing work
io-wq: remove worker->wait waitqueue
io_uring: allow unbreakable links
This adds .show_fdinfo to socket_file_ops, so protocols will be able
to print their specific data in fdinfo.
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The socket read/write helpers only look at the file O_NONBLOCK, not
the iocb IOCB_NOWAIT flag. This breaks users like preadv2/pwritev2
and io_uring that rely on not having the file itself marked nonblocking,
but rather the iocb itself.
Cc: netdev@vger.kernel.org
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Pull networking fixes from David Miller:
1) More jumbo frame fixes in r8169, from Heiner Kallweit.
2) Fix bpf build in minimal configuration, from Alexei Starovoitov.
3) Use after free in slcan driver, from Jouni Hogander.
4) Flower classifier port ranges don't work properly in the HW offload
case, from Yoshiki Komachi.
5) Use after free in hns3_nic_maybe_stop_tx(), from Yunsheng Lin.
6) Out of bounds access in mqprio_dump(), from Vladyslav Tarasiuk.
7) Fix flow dissection in dsa TX path, from Alexander Lobakin.
8) Stale syncookie timestamp fixes from Guillaume Nault.
[ Did an evil merge to silence a warning introduced by this pull - Linus ]
* git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (84 commits)
r8169: fix rtl_hw_jumbo_disable for RTL8168evl
net_sched: validate TCA_KIND attribute in tc_chain_tmplt_add()
r8169: add missing RX enabling for WoL on RTL8125
vhost/vsock: accept only packets with the right dst_cid
net: phy: dp83867: fix hfs boot in rgmii mode
net: ethernet: ti: cpsw: fix extra rx interrupt
inet: protect against too small mtu values.
gre: refetch erspan header from skb->data after pskb_may_pull()
pppoe: remove redundant BUG_ON() check in pppoe_pernet
tcp: Protect accesses to .ts_recent_stamp with {READ,WRITE}_ONCE()
tcp: tighten acceptance of ACKs not matching a child socket
tcp: fix rejected syncookies due to stale timestamps
lpc_eth: kernel BUG on remove
tcp: md5: fix potential overestimation of TCP option space
net: sched: allow indirect blocks to bind to clsact in TC
net: core: rename indirect block ingress cb function
net-sysfs: Call dev_hold always in netdev_queue_add_kobject
net: dsa: fix flow dissection on Tx path
net/tls: Fix return values to avoid ENOTSUPP
net: avoid an indirect call in ____sys_recvmsg()
...