86f9bee9c0b90b2f7661607bfbb30ca52777e3b3
1822 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
8b444656fa |
Merge 5.10.56 into android12-5.10-lts
Changes in 5.10.56 selftest: fix build error in tools/testing/selftests/vm/userfaultfd.c io_uring: fix null-ptr-deref in io_sq_offload_start() x86/asm: Ensure asm/proto.h can be included stand-alone pipe: make pipe writes always wake up readers btrfs: fix rw device counting in __btrfs_free_extra_devids btrfs: mark compressed range uptodate only if all bio succeed Revert "ACPI: resources: Add checks for ACPI IRQ override" ACPI: DPTF: Fix reading of attributes x86/kvm: fix vcpu-id indexed array sizes KVM: add missing compat KVM_CLEAR_DIRTY_LOG ocfs2: fix zero out valid data ocfs2: issue zeroout to EOF blocks can: j1939: j1939_xtp_rx_dat_one(): fix rxtimer value between consecutive TP.DT to 750ms can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF can: peak_usb: pcan_usb_handle_bus_evt(): fix reading rxerr/txerr values can: mcba_usb_start(): add missing urb->transfer_dma initialization can: usb_8dev: fix memory leak can: ems_usb: fix memory leak can: esd_usb2: fix memory leak alpha: register early reserved memory in memblock HID: wacom: Re-enable touch by default for Cintiq 24HDT / 27QHDT NIU: fix incorrect error return, missed in previous revert drm/amd/display: ensure dentist display clock update finished in DCN20 drm/amdgpu: Avoid printing of stack contents on firmware load error drm/amdgpu: Fix resource leak on probe error path blk-iocost: fix operation ordering in iocg_wake_fn() nfc: nfcsim: fix use after free during module unload cfg80211: Fix possible memory leak in function cfg80211_bss_update RDMA/bnxt_re: Fix stats counters bpf: Fix OOB read when printing XDP link fdinfo mac80211: fix enabling 4-address mode on a sta vif after assoc netfilter: conntrack: adjust stop timestamp to real expiry value netfilter: nft_nat: allow to specify layer 4 protocol NAT only i40e: Fix logic of disabling queues i40e: Fix firmware LLDP agent related warning i40e: Fix queue-to-TC mapping on Tx i40e: Fix log TC creation failure when max num of queues is exceeded tipc: fix implicit-connect for SYN+ tipc: fix sleeping in tipc accept routine net: Set true network header for ECN decapsulation net: qrtr: fix memory leaks ionic: remove intr coalesce update from napi ionic: fix up dim accounting for tx and rx ionic: count csum_none when offload enabled tipc: do not write skb_shinfo frags when doing decrytion octeontx2-pf: Fix interface down flag on error mlx4: Fix missing error code in mlx4_load_one() KVM: x86: Check the right feature bit for MSR_KVM_ASYNC_PF_ACK access net: llc: fix skb_over_panic drm/msm/dpu: Fix sm8250_mdp register length drm/msm/dp: Initialize the INTF_CONFIG register skmsg: Make sk_psock_destroy() static net/mlx5: Fix flow table chaining net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev() sctp: fix return value check in __sctp_rcv_asconf_lookup tulip: windbond-840: Fix missing pci_disable_device() in probe and remove sis900: Fix missing pci_disable_device() in probe and remove can: hi311x: fix a signedness bug in hi3110_cmd() bpf: Introduce BPF nospec instruction for mitigating Spectre v4 bpf: Fix leakage due to insufficient speculative store bypass mitigation bpf: Remove superfluous aux sanitation on subprog rejection bpf: verifier: Allocate idmap scratch in verifier env bpf: Fix pointer arithmetic mask tightening under state pruning SMB3: fix readpage for large swap cache powerpc/pseries: Fix regression while building external modules Revert "perf map: Fix dso->nsinfo refcounting" i40e: Add additional info to PHY type error can: j1939: j1939_session_deactivate(): clarify lifetime of session object Linux 5.10.56 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ib3c9244afb7ee5d6ee8d3235efe8956898f486c4 |
||
|
Daniel Borkmann
|
be561c0154 |
bpf: Fix pointer arithmetic mask tightening under state pruning
commit e042aa532c84d18ff13291d00620502ce7a38dda upstream.
In 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask") we
narrowed the offset mask for unprivileged pointer arithmetic in order to
mitigate a corner case where in the speculative domain it is possible to
advance, for example, the map value pointer by up to value_size-1 out-of-
bounds in order to leak kernel memory via side-channel to user space.
The verifier's state pruning for scalars leaves one corner case open
where in the first verification path R_x holds an unknown scalar with an
aux->alu_limit of e.g. 7, and in a second verification path that same
register R_x, here denoted as R_x', holds an unknown scalar which has
tighter bounds and would thus satisfy range_within(R_x, R_x') as well as
tnum_in(R_x, R_x') for state pruning, yielding an aux->alu_limit of 3:
Given the second path fits the register constraints for pruning, the final
generated mask from aux->alu_limit will remain at 7. While technically
not wrong for the non-speculative domain, it would however be possible
to craft similar cases where the mask would be too wide as in 7fedb63a8307.
One way to fix it is to detect the presence of unknown scalar map pointer
arithmetic and force a deeper search on unknown scalars to ensure that
we do not run into a masking mismatch.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Lorenz Bauer
|
ffb9d5c48b |
bpf: verifier: Allocate idmap scratch in verifier env
commit c9e73e3d2b1eb1ea7ff068e05007eec3bd8ef1c9 upstream. func_states_equal makes a very short lived allocation for idmap, probably because it's too large to fit on the stack. However the function is called quite often, leading to a lot of alloc / free churn. Replace the temporary allocation with dedicated scratch space in struct bpf_verifier_env. Signed-off-by: Lorenz Bauer <lmb@cloudflare.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Edward Cree <ecree.xilinx@gmail.com> Link: https://lore.kernel.org/bpf/20210429134656.122225-4-lmb@cloudflare.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
a11ca29c65 |
bpf: Remove superfluous aux sanitation on subprog rejection
commit 59089a189e3adde4cf85f2ce479738d1ae4c514d upstream.
Follow-up to fe9a5ca7e370 ("bpf: Do not mark insn as seen under speculative
path verification"). The sanitize_insn_aux_data() helper does not serve a
particular purpose in today's code. The original intention for the helper
was that if function-by-function verification fails, a given program would
be cleared from temporary insn_aux_data[], and then its verification would
be re-attempted in the context of the main program a second time.
However, a failure in do_check_subprogs() will skip do_check_main() and
propagate the error to the user instead, thus such situation can never occur.
Given its interaction is not compatible to the Spectre v1 mitigation (due to
comparing aux->seen with env->pass_cnt), just remove sanitize_insn_aux_data()
to avoid future bugs in this area.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Daniel Borkmann
|
0e9280654a |
bpf: Fix leakage due to insufficient speculative store bypass mitigation
[ Upstream commit 2039f26f3aca5b0e419b98f65dd36481337b86ee ] Spectre v4 gadgets make use of memory disambiguation, which is a set of techniques that execute memory access instructions, that is, loads and stores, out of program order; Intel's optimization manual, section 2.4.4.5: A load instruction micro-op may depend on a preceding store. Many microarchitectures block loads until all preceding store addresses are known. The memory disambiguator predicts which loads will not depend on any previous stores. When the disambiguator predicts that a load does not have such a dependency, the load takes its data from the L1 data cache. Eventually, the prediction is verified. If an actual conflict is detected, the load and all succeeding instructions are re-executed. |
||
|
Daniel Borkmann
|
bea9e2fd18 |
bpf: Introduce BPF nospec instruction for mitigating Spectre v4
[ Upstream commit f5e81d1117501546b7be050c5fbafa6efd2c722c ] In case of JITs, each of the JIT backends compiles the BPF nospec instruction /either/ to a machine instruction which emits a speculation barrier /or/ to /no/ machine instruction in case the underlying architecture is not affected by Speculative Store Bypass or has different mitigations in place already. This covers both x86 and (implicitly) arm64: In case of x86, we use 'lfence' instruction for mitigation. In case of arm64, we rely on the firmware mitigation as controlled via the ssbd kernel parameter. Whenever the mitigation is enabled, it works for all of the kernel code with no need to provide any additional instructions here (hence only comment in arm64 JIT). Other archs can follow as needed. The BPF nospec instruction is specifically targeting Spectre v4 since i) we don't use a serialization barrier for the Spectre v1 case, and ii) mitigation instructions for v1 and v4 might be different on some archs. The BPF nospec is required for a future commit, where the BPF verifier does annotate intermediate BPF programs with speculation barriers. Co-developed-by: Piotr Krysiuk <piotras@gmail.com> Co-developed-by: Benedict Schlueter <benedict.schlueter@rub.de> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Piotr Krysiuk <piotras@gmail.com> Signed-off-by: Benedict Schlueter <benedict.schlueter@rub.de> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
e4cac2c332 |
Merge 5.10.54 into android12-5.10-lts
Changes in 5.10.54
igc: Fix use-after-free error during reset
igb: Fix use-after-free error during reset
igc: change default return of igc_read_phy_reg()
ixgbe: Fix an error handling path in 'ixgbe_probe()'
igc: Fix an error handling path in 'igc_probe()'
igb: Fix an error handling path in 'igb_probe()'
fm10k: Fix an error handling path in 'fm10k_probe()'
e1000e: Fix an error handling path in 'e1000_probe()'
iavf: Fix an error handling path in 'iavf_probe()'
igb: Check if num of q_vectors is smaller than max before array access
igb: Fix position of assignment to *ring
gve: Fix an error handling path in 'gve_probe()'
net: add kcov handle to skb extensions
bonding: fix suspicious RCU usage in bond_ipsec_add_sa()
bonding: fix null dereference in bond_ipsec_add_sa()
ixgbevf: use xso.real_dev instead of xso.dev in callback functions of struct xfrmdev_ops
bonding: fix suspicious RCU usage in bond_ipsec_del_sa()
bonding: disallow setting nested bonding + ipsec offload
bonding: Add struct bond_ipesc to manage SA
bonding: fix suspicious RCU usage in bond_ipsec_offload_ok()
bonding: fix incorrect return value of bond_ipsec_offload_ok()
ipv6: fix 'disable_policy' for fwd packets
stmmac: platform: Fix signedness bug in stmmac_probe_config_dt()
selftests: icmp_redirect: remove from checking for IPv6 route get
selftests: icmp_redirect: IPv6 PMTU info should be cleared after redirect
pwm: sprd: Ensure configuring period and duty_cycle isn't wrongly skipped
cxgb4: fix IRQ free race during driver unload
mptcp: fix warning in __skb_flow_dissect() when do syn cookie for subflow join
nvme-pci: do not call nvme_dev_remove_admin from nvme_remove
KVM: x86/pmu: Clear anythread deprecated bit when 0xa leaf is unsupported on the SVM
perf inject: Fix dso->nsinfo refcounting
perf map: Fix dso->nsinfo refcounting
perf probe: Fix dso->nsinfo refcounting
perf env: Fix sibling_dies memory leak
perf test session_topology: Delete session->evlist
perf test event_update: Fix memory leak of evlist
perf dso: Fix memory leak in dso__new_map()
perf test maps__merge_in: Fix memory leak of maps
perf env: Fix memory leak of cpu_pmu_caps
perf report: Free generated help strings for sort option
perf script: Fix memory 'threads' and 'cpus' leaks on exit
perf lzma: Close lzma stream on exit
perf probe-file: Delete namelist in del_events() on the error path
perf data: Close all files in close_dir()
perf sched: Fix record failure when CONFIG_SCHEDSTATS is not set
ASoC: wm_adsp: Correct wm_coeff_tlv_get handling
spi: imx: add a check for speed_hz before calculating the clock
spi: stm32: fixes pm_runtime calls in probe/remove
regulator: hi6421: Use correct variable type for regmap api val argument
regulator: hi6421: Fix getting wrong drvdata
spi: mediatek: fix fifo rx mode
ASoC: rt5631: Fix regcache sync errors on resume
bpf, test: fix NULL pointer dereference on invalid expected_attach_type
bpf: Fix tail_call_reachable rejection for interpreter when jit failed
xdp, net: Fix use-after-free in bpf_xdp_link_release
timers: Fix get_next_timer_interrupt() with no timers pending
liquidio: Fix unintentional sign extension issue on left shift of u16
s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1]
bpf, sockmap: Fix potential memory leak on unlikely error case
bpf, sockmap, tcp: sk_prot needs inuse_idx set for proc stats
bpf, sockmap, udp: sk_prot needs inuse_idx set for proc stats
bpftool: Check malloc return value in mount_bpffs_for_pin
net: fix uninit-value in caif_seqpkt_sendmsg
usb: hso: fix error handling code of hso_create_net_device
dma-mapping: handle vmalloc addresses in dma_common_{mmap,get_sgtable}
efi/tpm: Differentiate missing and invalid final event log table.
net: decnet: Fix sleeping inside in af_decnet
KVM: PPC: Book3S: Fix CONFIG_TRANSACTIONAL_MEM=n crash
KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak
net: sched: fix memory leak in tcindex_partial_destroy_work
sctp: trim optlen when it's a huge value in sctp_setsockopt
netrom: Decrease sock refcount when sock timers expire
scsi: iscsi: Fix iface sysfs attr detection
scsi: target: Fix protect handling in WRITE SAME(32)
spi: cadence: Correct initialisation of runtime PM again
ACPI: Kconfig: Fix table override from built-in initrd
bnxt_en: don't disable an already disabled PCI device
bnxt_en: Refresh RoCE capabilities in bnxt_ulp_probe()
bnxt_en: Add missing check for BNXT_STATE_ABORT_ERR in bnxt_fw_rset_task()
bnxt_en: Validate vlan protocol ID on RX packets
bnxt_en: Check abort error state in bnxt_half_open_nic()
net: hisilicon: rename CACHE_LINE_MASK to avoid redefinition
net/tcp_fastopen: fix data races around tfo_active_disable_stamp
ALSA: hda: intel-dsp-cfg: add missing ElkhartLake PCI ID
net: hns3: fix possible mismatches resp of mailbox
net: hns3: fix rx VLAN offload state inconsistent issue
spi: spi-bcm2835: Fix deadlock
net/sched: act_skbmod: Skip non-Ethernet packets
ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions
ceph: don't WARN if we're still opening a session to an MDS
nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not RESETTING
Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem"
afs: Fix tracepoint string placement with built-in AFS
r8169: Avoid duplicate sysfs entry creation error
nvme: set the PRACT bit when using Write Zeroes with T10 PI
sctp: update active_key for asoc when old key is being replaced
tcp: disable TFO blackhole logic by default
net: dsa: sja1105: make VID 4095 a bridge VLAN too
net: sched: cls_api: Fix the the wrong parameter
drm/panel: raspberrypi-touchscreen: Prevent double-free
cifs: only write 64kb at a time when fallocating a small region of a file
cifs: fix fallocate when trying to allocate a hole.
proc: Avoid mixing integer types in mem_rw()
mmc: core: Don't allocate IDA for OF aliases
s390/ftrace: fix ftrace_update_ftrace_func implementation
s390/boot: fix use of expolines in the DMA code
ALSA: usb-audio: Add missing proc text entry for BESPOKEN type
ALSA: usb-audio: Add registration quirk for JBL Quantum headsets
ALSA: sb: Fix potential ABBA deadlock in CSP driver
ALSA: hda/realtek: Fix pop noise and 2 Front Mic issues on a machine
ALSA: hdmi: Expose all pins on MSI MS-7C94 board
ALSA: pcm: Call substream ack() method upon compat mmap commit
ALSA: pcm: Fix mmap capability check
Revert "usb: renesas-xhci: Fix handling of unknown ROM state"
usb: xhci: avoid renesas_usb_fw.mem when it's unusable
xhci: Fix lost USB 2 remote wake
KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
KVM: PPC: Book3S HV Nested: Sanitise H_ENTER_NESTED TM state
usb: hub: Disable USB 3 device initiated lpm if exit latency is too high
usb: hub: Fix link power management max exit latency (MEL) calculations
USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS
usb: max-3421: Prevent corruption of freed memory
usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop()
USB: serial: option: add support for u-blox LARA-R6 family
USB: serial: cp210x: fix comments for GE CS1000
USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
usb: gadget: Fix Unbalanced pm_runtime_enable in tegra_xudc_probe
usb: dwc2: gadget: Fix GOUTNAK flow for Slave mode.
usb: dwc2: gadget: Fix sending zero length packet in DDMA mode.
usb: typec: stusb160x: register role switch before interrupt registration
firmware/efi: Tell memblock about EFI iomem reservations
tracepoints: Update static_call before tp_funcs when adding a tracepoint
tracing/histogram: Rename "cpu" to "common_cpu"
tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.
tracing: Synthetic event field_pos is an index not a boolean
btrfs: check for missing device in btrfs_trim_fs
media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
ixgbe: Fix packet corruption due to missing DMA sync
bus: mhi: core: Validate channel ID when processing command completions
posix-cpu-timers: Fix rearm racing against process tick
selftest: use mmap instead of posix_memalign to allocate memory
io_uring: explicitly count entries for poll reqs
io_uring: remove double poll entry on arm failure
userfaultfd: do not untag user pointers
memblock: make for_each_mem_range() traverse MEMBLOCK_HOTPLUG regions
hugetlbfs: fix mount mode command line processing
rbd: don't hold lock_rwsem while running_list is being drained
rbd: always kick acquire on "acquired" and "released" notifications
misc: eeprom: at24: Always append device id even if label property is set.
nds32: fix up stack guard gap
driver core: Prevent warning when removing a device link from unregistered consumer
drm: Return -ENOTTY for non-drm ioctls
drm/amdgpu: update golden setting for sienna_cichlid
net: dsa: mv88e6xxx: enable SerDes RX stats for Topaz
net: dsa: mv88e6xxx: enable SerDes PCS register dump via ethtool -d on Topaz
PCI: Mark AMD Navi14 GPU ATS as broken
bonding: fix build issue
skbuff: Release nfct refcount on napi stolen or re-used skbs
Documentation: Fix intiramfs script name
perf inject: Close inject.output on exit
usb: ehci: Prevent missed ehci interrupts with edge-triggered MSI
drm/i915/gvt: Clear d3_entered on elsp cmd submission.
sfc: ensure correct number of XDP queues
xhci: add xhci_get_virt_ep() helper
skbuff: Fix build with SKB extensions disabled
Linux 5.10.54
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ifd2823b47ab1544cd1f168b138624ffe060a471e
|
||
|
Daniel Borkmann
|
39f1735c81 |
bpf: Fix tail_call_reachable rejection for interpreter when jit failed
[ Upstream commit 5dd0a6b8582ffbfa88351949d50eccd5b6694ade ]
During testing of f263a81451c1 ("bpf: Track subprog poke descriptors correctly
and fix use-after-free") under various failure conditions, for example, when
jit_subprogs() fails and tries to clean up the program to be run under the
interpreter, we ran into the following freeze:
[...]
#127/8 tailcall_bpf2bpf_3:FAIL
[...]
[ 92.041251] BUG: KASAN: slab-out-of-bounds in ___bpf_prog_run+0x1b9d/0x2e20
[ 92.042408] Read of size 8 at addr ffff88800da67f68 by task test_progs/682
[ 92.043707]
[ 92.044030] CPU: 1 PID: 682 Comm: test_progs Tainted: G O 5.13.0-53301-ge6c08cb33a30-dirty #87
[ 92.045542] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1 04/01/2014
[ 92.046785] Call Trace:
[ 92.047171] ? __bpf_prog_run_args64+0xc0/0xc0
[ 92.047773] ? __bpf_prog_run_args32+0x8b/0xb0
[ 92.048389] ? __bpf_prog_run_args64+0xc0/0xc0
[ 92.049019] ? ktime_get+0x117/0x130
[...] // few hundred [similar] lines more
[ 92.659025] ? ktime_get+0x117/0x130
[ 92.659845] ? __bpf_prog_run_args64+0xc0/0xc0
[ 92.660738] ? __bpf_prog_run_args32+0x8b/0xb0
[ 92.661528] ? __bpf_prog_run_args64+0xc0/0xc0
[ 92.662378] ? print_usage_bug+0x50/0x50
[ 92.663221] ? print_usage_bug+0x50/0x50
[ 92.664077] ? bpf_ksym_find+0x9c/0xe0
[ 92.664887] ? ktime_get+0x117/0x130
[ 92.665624] ? kernel_text_address+0xf5/0x100
[ 92.666529] ? __kernel_text_address+0xe/0x30
[ 92.667725] ? unwind_get_return_address+0x2f/0x50
[ 92.668854] ? ___bpf_prog_run+0x15d4/0x2e20
[ 92.670185] ? ktime_get+0x117/0x130
[ 92.671130] ? __bpf_prog_run_args64+0xc0/0xc0
[ 92.672020] ? __bpf_prog_run_args32+0x8b/0xb0
[ 92.672860] ? __bpf_prog_run_args64+0xc0/0xc0
[ 92.675159] ? ktime_get+0x117/0x130
[ 92.677074] ? lock_is_held_type+0xd5/0x130
[ 92.678662] ? ___bpf_prog_run+0x15d4/0x2e20
[ 92.680046] ? ktime_get+0x117/0x130
[ 92.681285] ? __bpf_prog_run32+0x6b/0x90
[ 92.682601] ? __bpf_prog_run64+0x90/0x90
[ 92.683636] ? lock_downgrade+0x370/0x370
[ 92.684647] ? mark_held_locks+0x44/0x90
[ 92.685652] ? ktime_get+0x117/0x130
[ 92.686752] ? lockdep_hardirqs_on+0x79/0x100
[ 92.688004] ? ktime_get+0x117/0x130
[ 92.688573] ? __cant_migrate+0x2b/0x80
[ 92.689192] ? bpf_test_run+0x2f4/0x510
[ 92.689869] ? bpf_test_timer_continue+0x1c0/0x1c0
[ 92.690856] ? rcu_read_lock_bh_held+0x90/0x90
[ 92.691506] ? __kasan_slab_alloc+0x61/0x80
[ 92.692128] ? eth_type_trans+0x128/0x240
[ 92.692737] ? __build_skb+0x46/0x50
[ 92.693252] ? bpf_prog_test_run_skb+0x65e/0xc50
[ 92.693954] ? bpf_prog_test_run_raw_tp+0x2d0/0x2d0
[ 92.694639] ? __fget_light+0xa1/0x100
[ 92.695162] ? bpf_prog_inc+0x23/0x30
[ 92.695685] ? __sys_bpf+0xb40/0x2c80
[ 92.696324] ? bpf_link_get_from_fd+0x90/0x90
[ 92.697150] ? mark_held_locks+0x24/0x90
[ 92.698007] ? lockdep_hardirqs_on_prepare+0x124/0x220
[ 92.699045] ? finish_task_switch+0xe6/0x370
[ 92.700072] ? lockdep_hardirqs_on+0x79/0x100
[ 92.701233] ? finish_task_switch+0x11d/0x370
[ 92.702264] ? __switch_to+0x2c0/0x740
[ 92.703148] ? mark_held_locks+0x24/0x90
[ 92.704155] ? __x64_sys_bpf+0x45/0x50
[ 92.705146] ? do_syscall_64+0x35/0x80
[ 92.706953] ? entry_SYSCALL_64_after_hwframe+0x44/0xae
[...]
Turns out that the program rejection from
|
||
|
Greg Kroah-Hartman
|
67e686fc73 |
Revert "bpf: Track subprog poke descriptors correctly and fix use-after-free"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
afe9ed0e13 |
Merge 5.10.53 into android12-5.10-lts
Changes in 5.10.53 ARM: dts: gemini: rename mdio to the right name ARM: dts: gemini: add device_type on pci ARM: dts: rockchip: Fix thermal sensor cells o rk322x ARM: dts: rockchip: fix pinctrl sleep nodename for rk3036-kylin and rk3288 arm64: dts: rockchip: fix pinctrl sleep nodename for rk3399.dtsi ARM: dts: rockchip: Fix the timer clocks order ARM: dts: rockchip: Fix IOMMU nodes properties on rk322x ARM: dts: rockchip: Fix power-controller node names for rk3066a ARM: dts: rockchip: Fix power-controller node names for rk3188 ARM: dts: rockchip: Fix power-controller node names for rk3288 arm64: dts: rockchip: Fix power-controller node names for px30 arm64: dts: rockchip: Fix power-controller node names for rk3328 arm64: dts: rockchip: Fix power-controller node names for rk3399 reset: ti-syscon: fix to_ti_syscon_reset_data macro ARM: brcmstb: dts: fix NAND nodes names ARM: Cygnus: dts: fix NAND nodes names ARM: NSP: dts: fix NAND nodes names ARM: dts: BCM63xx: Fix NAND nodes names ARM: dts: Hurricane 2: Fix NAND nodes names ARM: dts: imx6: phyFLEX: Fix UART hardware flow control ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info arm64: dts: rockchip: fix regulator-gpio states array ARM: dts: ux500: Fix interrupt cells ARM: dts: ux500: Rename gpio-controller node ARM: dts: ux500: Fix orientation of accelerometer ARM: dts: imx6dl-riotboard: configure PHY clock and set proper EEE value rtc: mxc_v2: add missing MODULE_DEVICE_TABLE kbuild: sink stdout from cmd for silent build ARM: dts: am57xx-cl-som-am57x: fix ti,no-reset-on-init flag for gpios ARM: dts: am437x-gp-evm: fix ti,no-reset-on-init flag for gpios ARM: dts: am335x: fix ti,no-reset-on-init flag for gpios ARM: dts: OMAP2+: Replace underscores in sub-mailbox node names arm64: dts: ti: k3-am654x/j721e/j7200-common-proc-board: Fix MCU_RGMII1_TXC direction ARM: tegra: wm8903: Fix polarity of headphones-detection GPIO in device-trees ARM: tegra: nexus7: Correct 3v3 regulator GPIO of PM269 variant arm64: dts: qcom: sc7180: Move rmtfs memory region ARM: dts: stm32: Remove extra size-cells on dhcom-pdk2 ARM: dts: stm32: Fix touchscreen node on dhcom-pdk2 ARM: dts: stm32: fix stm32mp157c-odyssey card detect pin ARM: dts: stm32: fix gpio-keys node on STM32 MCU boards ARM: dts: stm32: fix RCC node name on stm32f429 MCU ARM: dts: stm32: fix timer nodes on STM32 MCU to prevent warnings memory: tegra: Fix compilation warnings on 64bit platforms firmware: arm_scmi: Add SMCCC discovery dependency in Kconfig firmware: arm_scmi: Fix the build when CONFIG_MAILBOX is not selected ARM: dts: bcm283x: Fix up MMC node names ARM: dts: bcm283x: Fix up GPIO LED node names arm64: dts: juno: Update SCPI nodes as per the YAML schema ARM: dts: rockchip: fix supply properties in io-domains nodes ARM: dts: stm32: fix i2c node name on stm32f746 to prevent warnings ARM: dts: stm32: move stmmac axi config in ethernet node on stm32mp15 ARM: dts: stm32: fix the Odyssey SoM eMMC VQMMC supply ARM: dts: stm32: Drop unused linux,wakeup from touchscreen node on DHCOM SoM ARM: dts: stm32: Rename spi-flash/mx66l51235l@N to flash@N on DHCOM SoM ARM: dts: stm32: fix stpmic node for stm32mp1 boards ARM: OMAP2+: Block suspend for am3 and am4 if PM is not configured soc/tegra: fuse: Fix Tegra234-only builds firmware: tegra: bpmp: Fix Tegra234-only builds arm64: dts: ls208xa: remove bus-num from dspi node arm64: dts: imx8mq: assign PCIe clocks thermal/core: Correct function name thermal_zone_device_unregister() thermal/drivers/rcar_gen3_thermal: Do not shadow rcar_gen3_ths_tj_1 thermal/drivers/imx_sc: Add missing of_node_put for loop iteration thermal/drivers/sprd: Add missing of_node_put for loop iteration kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set arch/arm64/boot/dts/marvell: fix NAND partitioning scheme rtc: max77686: Do not enforce (incorrect) interrupt trigger type scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 scsi: libsas: Add LUN number check in .slave_alloc callback scsi: libfc: Fix array index out of bound exception scsi: qedf: Add check to synchronize abort and flush sched/fair: Fix CFS bandwidth hrtimer expiry type perf/x86/intel/uncore: Clean up error handling path of iio mapping thermal/core/thermal_of: Stop zone device before unregistering it s390/traps: do not test MONITOR CALL without CONFIG_BUG s390: introduce proper type handling call_on_stack() macro cifs: prevent NULL deref in cifs_compose_mount_options() firmware: turris-mox-rwtm: add marvell,armada-3700-rwtm-firmware compatible string arm64: dts: marvell: armada-37xx: move firmware node to generic dtsi file Revert "swap: fix do_swap_page() race with swapoff" f2fs: Show casefolding support only when supported mm/thp: simplify copying of huge zero page pmd when fork mm/userfaultfd: fix uffd-wp special cases for fork() mm/page_alloc: fix memory map initialization for descending nodes usb: cdns3: Enable TDL_CHK only for OUT ep net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear net: dsa: mv88e6xxx: enable .port_set_policy() on Topaz net: dsa: mv88e6xxx: use correct .stats_set_histogram() on Topaz net: dsa: mv88e6xxx: enable .rmu_disable() on Topaz net: dsa: mv88e6xxx: enable devlink ATU hash param for Topaz net: ipv6: fix return value of ip6_skb_dst_mtu netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo net/sched: act_ct: fix err check for nf_conntrack_confirm vmxnet3: fix cksum offload issues for tunnels with non-default udp ports net/sched: act_ct: remove and free nf_table callbacks net: bridge: sync fdb to new unicast-filtering ports net: netdevsim: use xso.real_dev instead of xso.dev in callback functions of struct xfrmdev_ops net: bcmgenet: Ensure all TX/RX queues DMAs are disabled net: ip_tunnel: fix mtu calculation for ETHER tunnel devices net: moxa: fix UAF in moxart_mac_probe net: qcom/emac: fix UAF in emac_remove net: ti: fix UAF in tlan_remove_one net: send SYNACK packet with accepted fwmark net: validate lwtstate->data before returning from skb_tunnel_info() Revert "mm/shmem: fix shmem_swapin() race with swapoff" net: dsa: properly check for the bridge_leave methods in dsa_switch_bridge_leave() net: fddi: fix UAF in fza_probe dma-buf/sync_file: Don't leak fences on merge failure kbuild: do not suppress Kconfig prompts for silent build ARM: dts: aspeed: Fix AST2600 machines line names ARM: dts: tacoma: Add phase corrections for eMMC tcp: consistently disable header prediction for mptcp tcp: annotate data races around tp->mtu_info tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized ipv6: tcp: drop silly ICMPv6 packet too big messages tcp: call sk_wmem_schedule before sk_mem_charge in zerocopy path tools: bpf: Fix error in 'make -C tools/ bpf_install' bpftool: Properly close va_list 'ap' by va_end() on error bpf: Track subprog poke descriptors correctly and fix use-after-free perf test bpf: Free obj_buf drm/panel: nt35510: Do not fail if DSI read fails udp: annotate data races around unix_sk(sk)->gso_size Linux 5.10.53 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iac8fe9cd2abb2d8dd993967205a97c89f01f3647 |
||
|
John Fastabend
|
a9f36bf361 |
bpf: Track subprog poke descriptors correctly and fix use-after-free
commit f263a81451c12da5a342d90572e317e611846f2c upstream. Subprograms are calling map_poke_track(), but on program release there is no hook to call map_poke_untrack(). However, on program release, the aux memory (and poke descriptor table) is freed even though we still have a reference to it in the element list of the map aux data. When we run map_poke_run(), we then end up accessing free'd memory, triggering KASAN in prog_array_map_poke_run(): [...] [ 402.824689] BUG: KASAN: use-after-free in prog_array_map_poke_run+0xc2/0x34e [ 402.824698] Read of size 4 at addr ffff8881905a7940 by task hubble-fgs/4337 [ 402.824705] CPU: 1 PID: 4337 Comm: hubble-fgs Tainted: G I 5.12.0+ #399 [ 402.824715] Call Trace: [ 402.824719] dump_stack+0x93/0xc2 [ 402.824727] print_address_description.constprop.0+0x1a/0x140 [ 402.824736] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824740] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824744] kasan_report.cold+0x7c/0xd8 [ 402.824752] ? prog_array_map_poke_run+0xc2/0x34e [ 402.824757] prog_array_map_poke_run+0xc2/0x34e [ 402.824765] bpf_fd_array_map_update_elem+0x124/0x1a0 [...] The elements concerned are walked as follows: for (i = 0; i < elem->aux->size_poke_tab; i++) { poke = &elem->aux->poke_tab[i]; [...] The access to size_poke_tab is a 4 byte read, verified by checking offsets in the KASAN dump: [ 402.825004] The buggy address belongs to the object at ffff8881905a7800 which belongs to the cache kmalloc-1k of size 1024 [ 402.825008] The buggy address is located 320 bytes inside of 1024-byte region [ffff8881905a7800, ffff8881905a7c00) The pahole output of bpf_prog_aux: struct bpf_prog_aux { [...] /* --- cacheline 5 boundary (320 bytes) --- */ u32 size_poke_tab; /* 320 4 */ [...] In general, subprograms do not necessarily manage their own data structures. For example, BTF func_info and linfo are just pointers to the main program structure. This allows reference counting and cleanup to be done on the latter which simplifies their management a bit. The aux->poke_tab struct, however, did not follow this logic. The initial proposed fix for this use-after-free bug further embedded poke data tracking into the subprogram with proper reference counting. However, Daniel and Alexei questioned why we were treating these objects special; I agree, its unnecessary. The fix here removes the per subprogram poke table allocation and map tracking and instead simply points the aux->poke_tab pointer at the main programs poke table. This way, map tracking is simplified to the main program and we do not need to manage them per subprogram. This also means, bpf_prog_free_deferred(), which unwinds the program reference counting and kfrees objects, needs to ensure that we don't try to double free the poke_tab when free'ing the subprog structures. This is easily solved by NULL'ing the poke_tab pointer. The second detail is to ensure that per subprogram JIT logic only does fixups on poke_tab[] entries it owns. To do this, we add a pointer in the poke structure to point at the subprogram value so JITs can easily check while walking the poke_tab structure if the current entry belongs to the current program. The aux pointer is stable and therefore suitable for such comparison. On the jit_subprogs() error path, we omit cleaning up the poke->aux field because these are only ever referenced from the JIT side, but on error we will never make it to the JIT, so its fine to leave them dangling. Removing these pointers would complicate the error path for no reason. However, we do need to untrack all poke descriptors from the main program as otherwise they could race with the freeing of JIT memory from the subprograms. Lastly, |
||
|
Greg Kroah-Hartman
|
8db62be3c3 |
Merge 5.10.51 into android12-5.10-lts
Changes in 5.10.51
drm/mxsfb: Don't select DRM_KMS_FB_HELPER
drm/zte: Don't select DRM_KMS_FB_HELPER
drm/ast: Fixed CVE for DP501
drm/amd/display: fix HDCP reset sequence on reinitialize
drm/amd/amdgpu/sriov disable all ip hw status by default
drm/vc4: fix argument ordering in vc4_crtc_get_margins()
drm/bridge: nwl-dsi: Force a full modeset when crtc_state->active is changed to be true
net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
drm/amd/display: fix use_max_lb flag for 420 pixel formats
clk: renesas: rcar-usb2-clock-sel: Fix error handling in .probe()
hugetlb: clear huge pte during flush function on mips platform
atm: iphase: fix possible use-after-free in ia_module_exit()
mISDN: fix possible use-after-free in HFC_cleanup()
atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
drm/mediatek: Fix PM reference leak in mtk_crtc_ddp_hw_init()
net: mdio: ipq8064: add regmap config to disable REGCACHE
drm/bridge: lt9611: Add missing MODULE_DEVICE_TABLE
reiserfs: add check for invalid 1st journal block
drm/virtio: Fix double free on probe failure
net: mdio: provide shim implementation of devm_of_mdiobus_register
net/sched: cls_api: increase max_reclassify_loop
pinctrl: equilibrium: Add missing MODULE_DEVICE_TABLE
drm/scheduler: Fix hang when sched_entity released
drm/sched: Avoid data corruptions
udf: Fix NULL pointer dereference in udf_symlink function
drm/vc4: Fix clock source for VEC PixelValve on BCM2711
drm/vc4: hdmi: Fix PM reference leak in vc4_hdmi_encoder_pre_crtc_co()
e100: handle eeprom as little endian
igb: handle vlan types with checker enabled
igb: fix assignment on big endian machines
drm/bridge: cdns: Fix PM reference leak in cdns_dsi_transfer()
clk: renesas: r8a77995: Add ZA2 clock
net/mlx5e: IPsec/rep_tc: Fix rep_tc_update_skb drops IPsec packet
net/mlx5: Fix lag port remapping logic
drm: rockchip: add missing registers for RK3188
drm: rockchip: add missing registers for RK3066
net: stmmac: the XPCS obscures a potential "PHY not found" error
RDMA/rtrs: Change MAX_SESS_QUEUE_DEPTH
clk: tegra: Fix refcounting of gate clocks
clk: tegra: Ensure that PLLU configuration is applied properly
drm: bridge: cdns-mhdp8546: Fix PM reference leak in
virtio-net: Add validation for used length
ipv6: use prandom_u32() for ID generation
MIPS: cpu-probe: Fix FPU detection on Ingenic JZ4760(B)
MIPS: ingenic: Select CPU_SUPPORTS_CPUFREQ && MIPS_EXTERNAL_TIMER
drm/amd/display: Avoid HDCP over-read and corruption
drm/amdgpu: remove unsafe optimization to drop preamble ib
net: tcp better handling of reordering then loss cases
RDMA/cxgb4: Fix missing error code in create_qp()
dm space maps: don't reset space map allocation cursor when committing
dm writecache: don't split bios when overwriting contiguous cache content
dm: Fix dm_accept_partial_bio() relative to zone management commands
net: bridge: mrp: Update ring transitions.
pinctrl: mcp23s08: fix race condition in irq handler
ice: set the value of global config lock timeout longer
ice: fix clang warning regarding deadcode.DeadStores
virtio_net: Remove BUG() to avoid machine dead
net: mscc: ocelot: check return value after calling platform_get_resource()
net: bcmgenet: check return value after calling platform_get_resource()
net: mvpp2: check return value after calling platform_get_resource()
net: micrel: check return value after calling platform_get_resource()
net: moxa: Use devm_platform_get_and_ioremap_resource()
drm/amd/display: Fix DCN 3.01 DSCCLK validation
drm/amd/display: Update scaling settings on modeset
drm/amd/display: Release MST resources on switch from MST to SST
drm/amd/display: Set DISPCLK_MAX_ERRDET_CYCLES to 7
drm/amd/display: Fix off-by-one error in DML
net: phy: realtek: add delay to fix RXC generation issue
selftests: Clean forgotten resources as part of cleanup()
net: sgi: ioc3-eth: check return value after calling platform_get_resource()
drm/amdkfd: use allowed domain for vmbo validation
fjes: check return value after calling platform_get_resource()
selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM
drm/amd/display: Verify Gamma & Degamma LUT sizes in amdgpu_dm_atomic_check
xfrm: Fix error reporting in xfrm_state_construct.
dm writecache: commit just one block, not a full page
wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
wl1251: Fix possible buffer overflow in wl1251_cmd_scan
cw1200: add missing MODULE_DEVICE_TABLE
drm/amdkfd: fix circular locking on get_wave_state
drm/amdkfd: Fix circular lock in nocpsch path
bpf: Fix up register-based shifts in interpreter to silence KUBSAN
ice: fix incorrect payload indicator on PTYPE
ice: mark PTYPE 2 as reserved
mt76: mt7615: fix fixed-rate tx status reporting
net: fix mistake path for netdev_features_strings
net: ipa: Add missing of_node_put() in ipa_firmware_load()
net: sched: fix error return code in tcf_del_walker()
io_uring: fix false WARN_ONCE
drm/amdgpu: fix bad address translation for sienna_cichlid
drm/amdkfd: Walk through list with dqm lock hold
mt76: mt7915: fix IEEE80211_HE_PHY_CAP7_MAX_NC for station mode
rtl8xxxu: Fix device info for RTL8192EU devices
MIPS: add PMD table accounting into MIPS'pmd_alloc_one
net: fec: add ndo_select_queue to fix TX bandwidth fluctuations
atm: nicstar: use 'dma_free_coherent' instead of 'kfree'
atm: nicstar: register the interrupt handler in the right place
vsock: notify server to shutdown when client has pending signal
RDMA/rxe: Don't overwrite errno from ib_umem_get()
iwlwifi: mvm: don't change band on bound PHY contexts
iwlwifi: mvm: fix error print when session protection ends
iwlwifi: pcie: free IML DMA memory allocation
iwlwifi: pcie: fix context info freeing
sfc: avoid double pci_remove of VFs
sfc: error code if SRIOV cannot be disabled
wireless: wext-spy: Fix out-of-bounds warning
cfg80211: fix default HE tx bitrate mask in 2G band
mac80211: consider per-CPU statistics if present
mac80211_hwsim: add concurrent channels scanning support over virtio
IB/isert: Align target max I/O size to initiator size
media, bpf: Do not copy more entries than user space requested
net: ip: avoid OOM kills with large UDP sends over loopback
RDMA/cma: Fix rdma_resolve_route() memory leak
Bluetooth: btusb: Fixed too many in-token issue for Mediatek Chip.
Bluetooth: Fix the HCI to MGMT status conversion table
Bluetooth: Fix alt settings for incoming SCO with transparent coding format
Bluetooth: Shutdown controller after workqueues are flushed or cancelled
Bluetooth: btusb: Add a new QCA_ROME device (0cf3:e500)
Bluetooth: L2CAP: Fix invalid access if ECRED Reconfigure fails
Bluetooth: L2CAP: Fix invalid access on ECRED Connection response
Bluetooth: btusb: Add support USB ALT 3 for WBS
Bluetooth: mgmt: Fix the command returns garbage parameter value
Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc.
sched/fair: Ensure _sum and _avg values stay consistent
bpf: Fix false positive kmemleak report in bpf_ringbuf_area_alloc()
flow_offload: action should not be NULL when it is referenced
sctp: validate from_addr_param return
sctp: add size validation when walking chunks
MIPS: loongsoon64: Reserve memory below starting pfn to prevent Oops
MIPS: set mips32r5 for virt extensions
selftests/resctrl: Fix incorrect parsing of option "-t"
MIPS: MT extensions are not available on MIPS32r1
ath11k: unlock on error path in ath11k_mac_op_add_interface()
arm64: dts: rockchip: add rk3328 dwc3 usb controller node
arm64: dts: rockchip: Enable USB3 for rk3328 Rock64
loop: fix I/O error on fsync() in detached loop devices
mm,hwpoison: return -EBUSY when migration fails
io_uring: simplify io_remove_personalities()
io_uring: Convert personality_idr to XArray
io_uring: convert io_buffer_idr to XArray
scsi: iscsi: Fix race condition between login and sync thread
scsi: iscsi: Fix iSCSI cls conn state
powerpc/mm: Fix lockup on kernel exec fault
powerpc/barrier: Avoid collision with clang's __lwsync macro
powerpc/powernv/vas: Release reference to tgid during window close
drm/amdgpu: Update NV SIMD-per-CU to 2
drm/amdgpu: enable sdma0 tmz for Raven/Renoir(V2)
drm/radeon: Add the missed drm_gem_object_put() in radeon_user_framebuffer_create()
drm/radeon: Call radeon_suspend_kms() in radeon_pci_shutdown() for Loongson64
drm/vc4: txp: Properly set the possible_crtcs mask
drm/vc4: crtc: Skip the TXP
drm/vc4: hdmi: Prevent clock unbalance
drm/dp: Handle zeroed port counts in drm_dp_read_downstream_info()
drm/rockchip: dsi: remove extra component_del() call
drm/amd/display: fix incorrrect valid irq check
pinctrl/amd: Add device HID for new AMD GPIO controller
drm/amd/display: Reject non-zero src_y and src_x for video planes
drm/tegra: Don't set allow_fb_modifiers explicitly
drm/msm/mdp4: Fix modifier support enabling
drm/arm/malidp: Always list modifiers
drm/nouveau: Don't set allow_fb_modifiers explicitly
drm/i915/display: Do not zero past infoframes.vsc
mmc: sdhci-acpi: Disable write protect detection on Toshiba Encore 2 WT8-B
mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode
mmc: core: clear flags before allowing to retune
mmc: core: Allow UHS-I voltage switch for SDSC cards if supported
ata: ahci_sunxi: Disable DIPM
arm64: tlb: fix the TTL value of tlb_get_level
cpu/hotplug: Cure the cpusets trainwreck
clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround
fpga: stratix10-soc: Add missing fpga_mgr_free() call
ASoC: tegra: Set driver_name=tegra for all machine drivers
i40e: fix PTP on 5Gb links
qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute
ipmi/watchdog: Stop watchdog timer when the current action is 'none'
thermal/drivers/int340x/processor_thermal: Fix tcc setting
ubifs: Fix races between xattr_{set|get} and listxattr operations
power: supply: ab8500: Fix an old bug
mfd: syscon: Free the allocated name field of struct regmap_config
nvmem: core: add a missing of_node_put
lkdtm/bugs: XFAIL UNALIGNED_LOAD_STORE_WRITE
selftests/lkdtm: Fix expected text for CR4 pinning
extcon: intel-mrfld: Sync hardware and software state on init
seq_buf: Fix overflow in seq_buf_putmem_hex()
rq-qos: fix missed wake-ups in rq_qos_throttle try two
tracing: Simplify & fix saved_tgids logic
tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT
ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
coresight: Propagate symlink failure
coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()
dm zoned: check zone capacity
dm writecache: flush origin device when writing and cache is full
dm btree remove: assign new_root only when removal succeeds
PCI: Leave Apple Thunderbolt controllers on for s2idle or standby
PCI: aardvark: Fix checking for PIO Non-posted Request
PCI: aardvark: Implement workaround for the readback value of VEND_ID
media: subdev: disallow ioctl for saa6588/davinci
media: dtv5100: fix control-request directions
media: zr364xx: fix memory leak in zr364xx_start_readpipe
media: gspca/sq905: fix control-request direction
media: gspca/sunplus: fix zero-length control requests
media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K
io_uring: fix clear IORING_SETUP_R_DISABLED in wrong function
dm writecache: write at least 4k when committing
pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq()
drm/ast: Remove reference to struct drm_device.pdev
jfs: fix GPF in diFree
smackfs: restrict bytes count in smk_set_cipso()
ext4: fix memory leak in ext4_fill_super
f2fs: fix to avoid racing on fsync_entry_slab by multi filesystem instances
Linux 5.10.51
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Icb10fed733a0050848ecc23db13ae3d134895acd
|
||
|
Rustam Kovhaev
|
a61af01141 |
bpf: Fix false positive kmemleak report in bpf_ringbuf_area_alloc()
[ Upstream commit ccff81e1d028bbbf8573d3364a87542386c707bf ]
kmemleak scans struct page, but it does not scan the page content. If we
allocate some memory with kmalloc(), then allocate page with alloc_page(),
and if we put kmalloc pointer somewhere inside that page, kmemleak will
report kmalloc pointer as a false positive.
We can instruct kmemleak to scan the memory area by calling kmemleak_alloc()
and kmemleak_free(), but part of struct bpf_ringbuf is mmaped to user space,
and if struct bpf_ringbuf changes we would have to revisit and review size
argument in kmemleak_alloc(), because we do not want kmemleak to scan the
user space memory. Let's simplify things and use kmemleak_not_leak() here.
For posterity, also adding additional prior analysis from Andrii:
I think either kmemleak or syzbot are misreporting this. I've added a
bunch of printks around all allocations performed by BPF ringbuf. [...]
On repro side I get these two warnings:
[vmuser@archvm bpf]$ sudo ./repro
BUG: memory leak
unreferenced object 0xffff88810d538c00 (size 64):
comm "repro", pid 2140, jiffies 4294692933 (age 14.540s)
hex dump (first 32 bytes):
00 af 19 04 00 ea ff ff c0 ae 19 04 00 ea ff ff ................
80 ae 19 04 00 ea ff ff c0 29 2e 04 00 ea ff ff .........)......
backtrace:
[<0000000077bfbfbd>] __bpf_map_area_alloc+0x31/0xc0
[<00000000587fa522>] ringbuf_map_alloc.cold.4+0x48/0x218
[<0000000044d49e96>] __do_sys_bpf+0x359/0x1d90
[<00000000f601d565>] do_syscall_64+0x2d/0x40
[<0000000043d3112a>] entry_SYSCALL_64_after_hwframe+0x44/0xae
BUG: memory leak
unreferenced object 0xffff88810d538c80 (size 64):
comm "repro", pid 2143, jiffies 4294699025 (age 8.448s)
hex dump (first 32 bytes):
80 aa 19 04 00 ea ff ff 00 ab 19 04 00 ea ff ff ................
c0 ab 19 04 00 ea ff ff 80 44 28 04 00 ea ff ff .........D(.....
backtrace:
[<0000000077bfbfbd>] __bpf_map_area_alloc+0x31/0xc0
[<00000000587fa522>] ringbuf_map_alloc.cold.4+0x48/0x218
[<0000000044d49e96>] __do_sys_bpf+0x359/0x1d90
[<00000000f601d565>] do_syscall_64+0x2d/0x40
[<0000000043d3112a>] entry_SYSCALL_64_after_hwframe+0x44/0xae
Note that both reported leaks (ffff88810d538c80 and ffff88810d538c00)
correspond to pages array bpf_ringbuf is allocating and tracking properly
internally. Note also that syzbot repro doesn't close FD of created BPF
ringbufs, and even when ./repro itself exits with error, there are still
two forked processes hanging around in my system. So clearly ringbuf maps
are alive at that point. So reporting any memory leak looks weird at that
point, because that memory is being used by active referenced BPF ringbuf.
It's also a question why repro doesn't clean up its forks. But if I do a
`pkill repro`, I do see that all the allocated memory is /properly/ cleaned
up [and the] "leaks" are deallocated properly.
BTW, if I add close() right after bpf() syscall in syzbot repro, I see that
everything is immediately deallocated, like designed. And no memory leak
is reported. So I don't think the problem is anywhere in bpf_ringbuf code,
rather in the leak detection and/or repro itself.
Reported-by: syzbot+5d895828587f49e7fe9b@syzkaller.appspotmail.com
Signed-off-by: Rustam Kovhaev <rkovhaev@gmail.com>
[ Daniel: also included analysis from Andrii to the commit log ]
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: syzbot+5d895828587f49e7fe9b@syzkaller.appspotmail.com
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/bpf/CAEf4BzYk+dqs+jwu6VKXP-RttcTEGFe+ySTGWT9CRNkagDiJVA@mail.gmail.com
Link: https://lore.kernel.org/lkml/YNTAqiE7CWJhOK2M@nuc10
Link: https://lore.kernel.org/lkml/20210615101515.GC26027@arm.com
Link: https://syzkaller.appspot.com/bug?extid=5d895828587f49e7fe9b
Link: https://lore.kernel.org/bpf/20210626181156.1873604-1-rkovhaev@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Daniel Borkmann
|
2e66c36f13 |
bpf: Fix up register-based shifts in interpreter to silence KUBSAN
[ Upstream commit 28131e9d933339a92f78e7ab6429f4aaaa07061c ] syzbot reported a shift-out-of-bounds that KUBSAN observed in the interpreter: [...] UBSAN: shift-out-of-bounds in kernel/bpf/core.c:1420:2 shift exponent 255 is too large for 64-bit type 'long long unsigned int' CPU: 1 PID: 11097 Comm: syz-executor.4 Not tainted 5.12.0-rc2-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x141/0x1d7 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:327 ___bpf_prog_run.cold+0x19/0x56c kernel/bpf/core.c:1420 __bpf_prog_run32+0x8f/0xd0 kernel/bpf/core.c:1735 bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline] bpf_prog_run_pin_on_cpu include/linux/filter.h:624 [inline] bpf_prog_run_clear_cb include/linux/filter.h:755 [inline] run_filter+0x1a1/0x470 net/packet/af_packet.c:2031 packet_rcv+0x313/0x13e0 net/packet/af_packet.c:2104 dev_queue_xmit_nit+0x7c2/0xa90 net/core/dev.c:2387 xmit_one net/core/dev.c:3588 [inline] dev_hard_start_xmit+0xad/0x920 net/core/dev.c:3609 __dev_queue_xmit+0x2121/0x2e00 net/core/dev.c:4182 __bpf_tx_skb net/core/filter.c:2116 [inline] __bpf_redirect_no_mac net/core/filter.c:2141 [inline] __bpf_redirect+0x548/0xc80 net/core/filter.c:2164 ____bpf_clone_redirect net/core/filter.c:2448 [inline] bpf_clone_redirect+0x2ae/0x420 net/core/filter.c:2420 ___bpf_prog_run+0x34e1/0x77d0 kernel/bpf/core.c:1523 __bpf_prog_run512+0x99/0xe0 kernel/bpf/core.c:1737 bpf_dispatcher_nop_func include/linux/bpf.h:644 [inline] bpf_test_run+0x3ed/0xc50 net/bpf/test_run.c:50 bpf_prog_test_run_skb+0xabc/0x1c50 net/bpf/test_run.c:582 bpf_prog_test_run kernel/bpf/syscall.c:3127 [inline] __do_sys_bpf+0x1ea9/0x4f00 kernel/bpf/syscall.c:4406 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xae [...] Generally speaking, KUBSAN reports from the kernel should be fixed. However, in case of BPF, this particular report caused concerns since the large shift is not wrong from BPF point of view, just undefined. In the verifier, K-based shifts that are >= {64,32} (depending on the bitwidth of the instruction) are already rejected. The register-based cases were not given their content might not be known at verification time. Ideas such as verifier instruction rewrite with an additional AND instruction for the source register were brought up, but regularly rejected due to the additional runtime overhead they incur. As Edward Cree rightly put it: Shifts by more than insn bitness are legal in the BPF ISA; they are implementation-defined behaviour [of the underlying architecture], rather than UB, and have been made legal for performance reasons. Each of the JIT backends compiles the BPF shift operations to machine instructions which produce implementation-defined results in such a case; the resulting contents of the register may be arbitrary but program behaviour as a whole remains defined. Guard checks in the fast path (i.e. affecting JITted code) will thus not be accepted. The case of division by zero is not truly analogous here, as division instructions on many of the JIT-targeted architectures will raise a machine exception / fault on division by zero, whereas (to the best of my knowledge) none will do so on an out-of-bounds shift. Given the KUBSAN report only affects the BPF interpreter, but not JITs, one solution is to add the ANDs with 63 or 31 into ___bpf_prog_run(). That would make the shifts defined, and thus shuts up KUBSAN, and the compiler would optimize out the AND on any CPU that interprets the shift amounts modulo the width anyway (e.g., confirmed from disassembly that on x86-64 and arm64 the generated interpreter code is the same before and after this fix). The BPF interpreter is slow path, and most likely compiled out anyway as distros select BPF_JIT_ALWAYS_ON to avoid speculative execution of BPF instructions by the interpreter. Given the main argument was to avoid sacrificing performance, the fact that the AND is optimized away from compiler for mainstream archs helps as well as a solution moving forward. Also add a comment on LSH/RSH/ARSH translation for JIT authors to provide guidance when they see the ___bpf_prog_run() interpreter code and use it as a model for a new JIT backend. Reported-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com Reported-by: Kurt Manucredo <fuzzybritches0@gmail.com> Signed-off-by: Eric Biggers <ebiggers@kernel.org> Co-developed-by: Eric Biggers <ebiggers@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Tested-by: syzbot+bed360704c521841c85d@syzkaller.appspotmail.com Cc: Edward Cree <ecree.xilinx@gmail.com> Link: https://lore.kernel.org/bpf/0000000000008f912605bd30d5d7@google.com Link: https://lore.kernel.org/bpf/bac16d8d-c174-bdc4-91bd-bfa62b410190@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
2df0fb4a4b |
Merge 5.10.50 into android12-5.10-lts
Changes in 5.10.50
Bluetooth: hci_qca: fix potential GPF
Bluetooth: btqca: Don't modify firmware contents in-place
Bluetooth: Remove spurious error message
ALSA: usb-audio: fix rate on Ozone Z90 USB headset
ALSA: usb-audio: Fix OOB access at proc output
ALSA: firewire-motu: fix stream format for MOTU 8pre FireWire
ALSA: usb-audio: scarlett2: Fix wrong resume call
ALSA: intel8x0: Fix breakage at ac97 clock measurement
ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 450 G8
ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 445 G8
ALSA: hda/realtek: fix mute/micmute LEDs for HP ProBook 630 G8
ALSA: hda/realtek: Add another ALC236 variant support
ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook x360 830 G8
ALSA: hda/realtek: Improve fixup for HP Spectre x360 15-df0xxx
ALSA: hda/realtek: Fix bass speaker DAC mapping for Asus UM431D
ALSA: hda/realtek: Apply LED fixup for HP Dragonfly G1, too
ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 830 G8 Notebook PC
media: dvb-usb: fix wrong definition
Input: usbtouchscreen - fix control-request directions
net: can: ems_usb: fix use-after-free in ems_usb_disconnect()
usb: gadget: eem: fix echo command packet response issue
usb: renesas-xhci: Fix handling of unknown ROM state
USB: cdc-acm: blacklist Heimann USB Appset device
usb: dwc3: Fix debugfs creation flow
usb: typec: Add the missed altmode_id_remove() in typec_register_altmode()
xhci: solve a double free problem while doing s4
gfs2: Fix underflow in gfs2_page_mkwrite
gfs2: Fix error handling in init_statfs
ntfs: fix validity check for file name attribute
selftests/lkdtm: Avoid needing explicit sub-shell
copy_page_to_iter(): fix ITER_DISCARD case
iov_iter_fault_in_readable() should do nothing in xarray case
Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl
crypto: nx - Fix memcpy() over-reading in nonce
crypto: ccp - Annotate SEV Firmware file names
arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode
ARM: dts: ux500: Fix LED probing
ARM: dts: at91: sama5d4: fix pinctrl muxing
btrfs: send: fix invalid path for unlink operations after parent orphanization
btrfs: compression: don't try to compress if we don't have enough pages
btrfs: clear defrag status of a root if starting transaction fails
ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle
ext4: fix kernel infoleak via ext4_extent_header
ext4: fix overflow in ext4_iomap_alloc()
ext4: return error code when ext4_fill_flex_info() fails
ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit
ext4: remove check for zero nr_to_scan in ext4_es_scan()
ext4: fix avefreec in find_group_orlov
ext4: use ext4_grp_locked_error in mb_find_extent
can: bcm: delay release of struct bcm_op after synchronize_rcu()
can: gw: synchronize rcu operations before removing gw job entry
can: isotp: isotp_release(): omit unintended hrtimer restart on socket release
can: j1939: j1939_sk_init(): set SOCK_RCU_FREE to call sk_destruct() after RCU is done
can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path
mac80211: remove iwlwifi specific workaround that broke sta NDP tx
SUNRPC: Fix the batch tasks count wraparound.
SUNRPC: Should wake up the privileged task firstly.
bus: mhi: Wait for M2 state during system resume
mm/gup: fix try_grab_compound_head() race with split_huge_page()
perf/smmuv3: Don't trample existing events with global filter
KVM: nVMX: Handle split-lock #AC exceptions that happen in L2
KVM: PPC: Book3S HV: Workaround high stack usage with clang
KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs
KVM: x86/mmu: Use MMU's role to detect CR4.SMEP value in nested NPT walk
s390/cio: dont call css_wait_for_slow_path() inside a lock
s390: mm: Fix secure storage access exception handling
f2fs: Prevent swap file in LFS mode
clk: agilex/stratix10/n5x: fix how the bypass_reg is handled
clk: agilex/stratix10: remove noc_clk
clk: agilex/stratix10: fix bypass representation
rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path
iio: frequency: adf4350: disable reg and clk on error in adf4350_probe()
iio: light: tcs3472: do not free unallocated IRQ
iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too
iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR
iio: ltr501: ltr501_read_ps(): add missing endianness conversion
iio: accel: bma180: Fix BMA25x bandwidth register values
serial: mvebu-uart: fix calculation of clock divisor
serial: sh-sci: Stop dmaengine transfer in sci_stop_tx()
serial_cs: Add Option International GSM-Ready 56K/ISDN modem
serial_cs: remove wrong GLOBETROTTER.cis entry
ath9k: Fix kernel NULL pointer dereference during ath_reset_internal()
ssb: sdio: Don't overwrite const buffer if block_write fails
rsi: Assign beacon rate settings to the correct rate_info descriptor field
rsi: fix AP mode with WPA failure due to encrypted EAPOL
tracing/histograms: Fix parsing of "sym-offset" modifier
tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing
seq_buf: Make trace_seq_putmem_hex() support data longer than 8
powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi()
loop: Fix missing discard support when using LOOP_CONFIGURE
evm: Execute evm_inode_init_security() only when an HMAC key is loaded
evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded
fuse: Fix crash in fuse_dentry_automount() error path
fuse: Fix crash if superblock of submount gets killed early
fuse: Fix infinite loop in sget_fc()
fuse: ignore PG_workingset after stealing
fuse: check connected before queueing on fpq->io
fuse: reject internal errno
thermal/cpufreq_cooling: Update offline CPUs per-cpu thermal_pressure
spi: Make of_register_spi_device also set the fwnode
Add a reference to ucounts for each cred
staging: media: rkvdec: fix pm_runtime_get_sync() usage count
media: marvel-ccic: fix some issues when getting pm_runtime
media: mdk-mdp: fix pm_runtime_get_sync() usage count
media: s5p: fix pm_runtime_get_sync() usage count
media: am437x: fix pm_runtime_get_sync() usage count
media: sh_vou: fix pm_runtime_get_sync() usage count
media: mtk-vcodec: fix PM runtime get logic
media: s5p-jpeg: fix pm_runtime_get_sync() usage count
media: sunxi: fix pm_runtime_get_sync() usage count
media: sti/bdisp: fix pm_runtime_get_sync() usage count
media: exynos4-is: fix pm_runtime_get_sync() usage count
media: exynos-gsc: fix pm_runtime_get_sync() usage count
spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf'
spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages()
spi: omap-100k: Fix the length judgment problem
regulator: uniphier: Add missing MODULE_DEVICE_TABLE
sched/core: Initialize the idle task with preemption disabled
hwrng: exynos - Fix runtime PM imbalance on error
crypto: nx - add missing MODULE_DEVICE_TABLE
media: sti: fix obj-$(config) targets
media: cpia2: fix memory leak in cpia2_usb_probe
media: cobalt: fix race condition in setting HPD
media: hevc: Fix dependent slice segment flags
media: pvrusb2: fix warning in pvr2_i2c_core_done
media: imx: imx7_mipi_csis: Fix logging of only error event counters
crypto: qat - check return code of qat_hal_rd_rel_reg()
crypto: qat - remove unused macro in FW loader
crypto: qce: skcipher: Fix incorrect sg count for dma transfers
arm64: perf: Convert snprintf to sysfs_emit
sched/fair: Fix ascii art by relpacing tabs
media: i2c: ov2659: Use clk_{prepare_enable,disable_unprepare}() to set xvclk on/off
media: bt878: do not schedule tasklet when it is not setup
media: em28xx: Fix possible memory leak of em28xx struct
media: hantro: Fix .buf_prepare
media: cedrus: Fix .buf_prepare
media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release
media: bt8xx: Fix a missing check bug in bt878_probe
media: st-hva: Fix potential NULL pointer dereferences
crypto: hisilicon/sec - fixup 3des minimum key size declaration
Makefile: fix GDB warning with CONFIG_RELR
media: dvd_usb: memory leak in cinergyt2_fe_attach
memstick: rtsx_usb_ms: fix UAF
mmc: sdhci-sprd: use sdhci_sprd_writew
mmc: via-sdmmc: add a check against NULL pointer dereference
spi: meson-spicc: fix a wrong goto jump for avoiding memory leak.
spi: meson-spicc: fix memory leak in meson_spicc_probe
crypto: shash - avoid comparing pointers to exported functions under CFI
media: dvb_net: avoid speculation from net slot
media: siano: fix device register error path
media: imx-csi: Skip first few frames from a BT.656 source
hwmon: (max31790) Report correct current pwm duty cycles
hwmon: (max31790) Fix pwmX_enable attributes
drivers/perf: fix the missed ida_simple_remove() in ddr_perf_probe()
KVM: PPC: Book3S HV: Fix TLB management on SMT8 POWER9 and POWER10 processors
btrfs: fix error handling in __btrfs_update_delayed_inode
btrfs: abort transaction if we fail to update the delayed inode
btrfs: sysfs: fix format string for some discard stats
btrfs: don't clear page extent mapped if we're not invalidating the full page
btrfs: disable build on platforms having page size 256K
locking/lockdep: Fix the dep path printing for backwards BFS
lockding/lockdep: Avoid to find wrong lock dep path in check_irq_usage()
KVM: s390: get rid of register asm usage
regulator: mt6358: Fix vdram2 .vsel_mask
regulator: da9052: Ensure enough delay time for .set_voltage_time_sel
media: Fix Media Controller API config checks
ACPI: video: use native backlight for GA401/GA502/GA503
HID: do not use down_interruptible() when unbinding devices
EDAC/ti: Add missing MODULE_DEVICE_TABLE
ACPI: processor idle: Fix up C-state latency if not ordered
hv_utils: Fix passing zero to 'PTR_ERR' warning
lib: vsprintf: Fix handling of number field widths in vsscanf
Input: goodix - platform/x86: touchscreen_dmi - Move upside down quirks to touchscreen_dmi.c
platform/x86: touchscreen_dmi: Add an extra entry for the upside down Goodix touchscreen on Teclast X89 tablets
platform/x86: touchscreen_dmi: Add info for the Goodix GT912 panel of TM800A550L tablets
ACPI: EC: Make more Asus laptops use ECDT _GPE
block_dump: remove block_dump feature in mark_inode_dirty()
blk-mq: grab rq->refcount before calling ->fn in blk_mq_tagset_busy_iter
blk-mq: clear stale request in tags->rq[] before freeing one request pool
fs: dlm: cancel work sync othercon
random32: Fix implicit truncation warning in prandom_seed_state()
open: don't silently ignore unknown O-flags in openat2()
drivers: hv: Fix missing error code in vmbus_connect()
fs: dlm: fix memory leak when fenced
ACPICA: Fix memory leak caused by _CID repair function
ACPI: bus: Call kobject_put() in acpi_init() error path
ACPI: resources: Add checks for ACPI IRQ override
block: fix race between adding/removing rq qos and normal IO
platform/x86: asus-nb-wmi: Revert "Drop duplicate DMI quirk structures"
platform/x86: asus-nb-wmi: Revert "add support for ASUS ROG Zephyrus G14 and G15"
platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard()
nvme-pci: fix var. type for increasing cq_head
nvmet-fc: do not check for invalid target port in nvmet_fc_handle_fcp_rqst()
EDAC/Intel: Do not load EDAC driver when running as a guest
PCI: hv: Add check for hyperv_initialized in init_hv_pci_drv()
cifs: improve fallocate emulation
ACPI: EC: trust DSDT GPE for certain HP laptop
clocksource: Retry clock read if long delays detected
clocksource: Check per-CPU clock synchronization when marked unstable
tpm_tis_spi: add missing SPI device ID entries
ACPI: tables: Add custom DSDT file as makefile prerequisite
HID: wacom: Correct base usage for capacitive ExpressKey status bits
cifs: fix missing spinlock around update to ses->status
mailbox: qcom: Use PLATFORM_DEVID_AUTO to register platform device
block: fix discard request merge
kthread_worker: fix return value when kthread_mod_delayed_work() races with kthread_cancel_delayed_work_sync()
ia64: mca_drv: fix incorrect array size calculation
writeback, cgroup: increment isw_nr_in_flight before grabbing an inode
spi: Allow to have all native CSs in use along with GPIOs
spi: Avoid undefined behaviour when counting unused native CSs
media: venus: Rework error fail recover logic
media: s5p_cec: decrement usage count if disabled
media: hantro: do a PM resume earlier
crypto: ixp4xx - dma_unmap the correct address
crypto: ixp4xx - update IV after requests
crypto: ux500 - Fix error return code in hash_hw_final()
sata_highbank: fix deferred probing
pata_rb532_cf: fix deferred probing
media: I2C: change 'RST' to "RSET" to fix multiple build errors
sched/uclamp: Fix wrong implementation of cpu.uclamp.min
sched/uclamp: Fix locking around cpu_util_update_eff()
kbuild: Fix objtool dependency for 'OBJECT_FILES_NON_STANDARD_<obj> := n'
pata_octeon_cf: avoid WARN_ON() in ata_host_activate()
evm: fix writing <securityfs>/evm overflow
x86/elf: Use _BITUL() macro in UAPI headers
crypto: sa2ul - Fix leaks on failure paths with sa_dma_init()
crypto: sa2ul - Fix pm_runtime enable in sa_ul_probe()
crypto: ccp - Fix a resource leak in an error handling path
media: rc: i2c: Fix an error message
pata_ep93xx: fix deferred probing
locking/lockdep: Reduce LOCKDEP dependency list
media: rkvdec: Fix .buf_prepare
media: exynos4-is: Fix a use after free in isp_video_release
media: au0828: fix a NULL vs IS_ERR() check
media: tc358743: Fix error return code in tc358743_probe_of()
media: gspca/gl860: fix zero-length control requests
m68k: atari: Fix ATARI_KBD_CORE kconfig unmet dependency warning
media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2()
regulator: fan53880: Fix vsel_mask setting for FAN53880_BUCK
crypto: nitrox - fix unchecked variable in nitrox_register_interrupts
crypto: omap-sham - Fix PM reference leak in omap sham ops
crypto: x86/curve25519 - fix cpu feature checking logic in mod_exit
crypto: sm2 - remove unnecessary reset operations
crypto: sm2 - fix a memory leak in sm2
mmc: usdhi6rol0: fix error return code in usdhi6_probe()
arm64: consistently use reserved_pg_dir
arm64/mm: Fix ttbr0 values stored in struct thread_info for software-pan
media: subdev: remove VIDIOC_DQEVENT_TIME32 handling
media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx
hwmon: (lm70) Use device_get_match_data()
hwmon: (lm70) Revert "hwmon: (lm70) Add support for ACPI"
hwmon: (max31722) Remove non-standard ACPI device IDs
hwmon: (max31790) Fix fan speed reporting for fan7..12
KVM: nVMX: Sync all PGDs on nested transition with shadow paging
KVM: nVMX: Ensure 64-bit shift when checking VMFUNC bitmap
KVM: nVMX: Don't clobber nested MMU's A/D status on EPTP switch
KVM: x86/mmu: Fix return value in tdp_mmu_map_handle_target_level()
perf/arm-cmn: Fix invalid pointer when access dtc object sharing the same IRQ number
KVM: arm64: Don't zero the cycle count register when PMCR_EL0.P is set
regulator: hi655x: Fix pass wrong pointer to config.driver_data
btrfs: clear log tree recovering status if starting transaction fails
x86/sev: Make sure IRQs are disabled while GHCB is active
x86/sev: Split up runtime #VC handler for correct state tracking
sched/rt: Fix RT utilization tracking during policy change
sched/rt: Fix Deadline utilization tracking during policy change
sched/uclamp: Fix uclamp_tg_restrict()
lockdep: Fix wait-type for empty stack
lockdep/selftests: Fix selftests vs PROVE_RAW_LOCK_NESTING
spi: spi-sun6i: Fix chipselect/clock bug
crypto: nx - Fix RCU warning in nx842_OF_upd_status
psi: Fix race between psi_trigger_create/destroy
media: v4l2-async: Clean v4l2_async_notifier_add_fwnode_remote_subdev
media: video-mux: Skip dangling endpoints
PM / devfreq: Add missing error code in devfreq_add_device()
ACPI: PM / fan: Put fan device IDs into separate header file
block: avoid double io accounting for flush request
nvme-pci: look for StorageD3Enable on companion ACPI device instead
ACPI: sysfs: Fix a buffer overrun problem with description_show()
mark pstore-blk as broken
clocksource/drivers/timer-ti-dm: Save and restore timer TIOCP_CFG
extcon: extcon-max8997: Fix IRQ freeing at error path
ACPI: APEI: fix synchronous external aborts in user-mode
blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled()
blk-wbt: make sure throttle is enabled properly
ACPI: Use DEVICE_ATTR_<RW|RO|WO> macros
ACPI: bgrt: Fix CFI violation
cpufreq: Make cpufreq_online() call driver->offline() on errors
blk-mq: update hctx->dispatch_busy in case of real scheduler
ocfs2: fix snprintf() checking
dax: fix ENOMEM handling in grab_mapping_entry()
mm/debug_vm_pgtable/basic: add validation for dirtiness after write protect
mm/debug_vm_pgtable/basic: iterate over entire protection_map[]
mm/debug_vm_pgtable: ensure THP availability via has_transparent_hugepage()
swap: fix do_swap_page() race with swapoff
mm/shmem: fix shmem_swapin() race with swapoff
mm: memcg/slab: properly set up gfp flags for objcg pointer array
mm: page_alloc: refactor setup_per_zone_lowmem_reserve()
mm/page_alloc: fix counting of managed_pages
xfrm: xfrm_state_mtu should return at least 1280 for ipv6
drm/bridge/sii8620: fix dependency on extcon
drm/bridge: Fix the stop condition of drm_bridge_chain_pre_enable()
drm/amd/dc: Fix a missing check bug in dm_dp_mst_detect()
drm/ast: Fix missing conversions to managed API
video: fbdev: imxfb: Fix an error message
net: mvpp2: Put fwnode in error case during ->probe()
net: pch_gbe: Propagate error from devm_gpio_request_one()
pinctrl: renesas: r8a7796: Add missing bias for PRESET# pin
pinctrl: renesas: r8a77990: JTAG pins do not have pull-down capabilities
drm/vmwgfx: Mark a surface gpu-dirty after the SVGA3dCmdDXGenMips command
drm/vmwgfx: Fix cpu updates of coherent multisample surfaces
net: qrtr: ns: Fix error return code in qrtr_ns_init()
clk: meson: g12a: fix gp0 and hifi ranges
net: ftgmac100: add missing error return code in ftgmac100_probe()
drm: rockchip: set alpha_en to 0 if it is not used
drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on error in cdn_dp_grf_write()
drm/rockchip: dsi: move all lane config except LCDC mux to bind()
drm/rockchip: lvds: Fix an error handling path
drm/rockchip: cdn-dp: fix sign extension on an int multiply for a u64 result
mptcp: fix pr_debug in mptcp_token_new_connect
mptcp: generate subflow hmac after mptcp_finish_join()
RDMA/srp: Fix a recently introduced memory leak
RDMA/rtrs-clt: Check state of the rtrs_clt_sess before reading its stats
RDMA/rtrs: Do not reset hb_missed_max after re-connection
RDMA/rtrs-srv: Fix memory leak of unfreed rtrs_srv_stats object
RDMA/rtrs-srv: Fix memory leak when having multiple sessions
RDMA/rtrs-clt: Check if the queue_depth has changed during a reconnection
RDMA/rtrs-clt: Fix memory leak of not-freed sess->stats and stats->pcpu_stats
ehea: fix error return code in ehea_restart_qps()
clk: tegra30: Use 300MHz for video decoder by default
xfrm: remove the fragment check for ipv6 beet mode
net/sched: act_vlan: Fix modify to allow 0
RDMA/core: Sanitize WQ state received from the userspace
drm/pl111: depend on CONFIG_VEXPRESS_CONFIG
RDMA/rxe: Fix failure during driver load
drm/pl111: Actually fix CONFIG_VEXPRESS_CONFIG depends
drm/vc4: hdmi: Fix error path of hpd-gpios
clk: vc5: fix output disabling when enabling a FOD
drm: qxl: ensure surf.data is ininitialized
tools/bpftool: Fix error return code in do_batch()
ath10k: go to path err_unsupported when chip id is not supported
ath10k: add missing error return code in ath10k_pci_probe()
wireless: carl9170: fix LEDS build errors & warnings
ieee802154: hwsim: Fix possible memory leak in hwsim_subscribe_all_others
clk: imx8mq: remove SYS PLL 1/2 clock gates
wcn36xx: Move hal_buf allocation to devm_kmalloc in probe
ssb: Fix error return code in ssb_bus_scan()
brcmfmac: fix setting of station info chains bitmask
brcmfmac: correctly report average RSSI in station info
brcmfmac: Fix a double-free in brcmf_sdio_bus_reset
brcmsmac: mac80211_if: Fix a resource leak in an error handling path
cw1200: Revert unnecessary patches that fix unreal use-after-free bugs
ath11k: Fix an error handling path in ath11k_core_fetch_board_data_api_n()
ath10k: Fix an error code in ath10k_add_interface()
ath11k: send beacon template after vdev_start/restart during csa
netlabel: Fix memory leak in netlbl_mgmt_add_common
RDMA/mlx5: Don't add slave port to unaffiliated list
netfilter: nft_exthdr: check for IPv6 packet before further processing
netfilter: nft_osf: check for TCP packet before further processing
netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols
RDMA/rxe: Fix qp reference counting for atomic ops
selftests/bpf: Whitelist test_progs.h from .gitignore
xsk: Fix missing validation for skb and unaligned mode
xsk: Fix broken Tx ring validation
bpf: Fix libelf endian handling in resolv_btfids
RDMA/rtrs-srv: Set minimal max_send_wr and max_recv_wr
samples/bpf: Fix Segmentation fault for xdp_redirect command
samples/bpf: Fix the error return code of xdp_redirect's main()
mt76: fix possible NULL pointer dereference in mt76_tx
mt76: mt7615: fix NULL pointer dereference in tx_prepare_skb()
net: ethernet: aeroflex: fix UAF in greth_of_remove
net: ethernet: ezchip: fix UAF in nps_enet_remove
net: ethernet: ezchip: fix error handling
vrf: do not push non-ND strict packets with a source LLA through packet taps again
net: sched: add barrier to ensure correct ordering for lockless qdisc
tls: prevent oversized sendfile() hangs by ignoring MSG_MORE
netfilter: nf_tables_offload: check FLOW_DISSECTOR_KEY_BASIC in VLAN transfer logic
pkt_sched: sch_qfq: fix qfq_change_class() error path
xfrm: Fix xfrm offload fallback fail case
iwlwifi: increase PNVM load timeout
rtw88: 8822c: fix lc calibration timing
vxlan: add missing rcu_read_lock() in neigh_reduce()
ip6_tunnel: fix GRE6 segmentation
net/ipv4: swap flow ports when validating source
net: ti: am65-cpsw-nuss: Fix crash when changing number of TX queues
tc-testing: fix list handling
ieee802154: hwsim: Fix memory leak in hwsim_add_one
ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl()
bpf: Fix null ptr deref with mixed tail calls and subprogs
drm/msm: Fix error return code in msm_drm_init()
drm/msm/dpu: Fix error return code in dpu_mdss_init()
mac80211: remove iwlwifi specific workaround NDPs of null_response
net: bcmgenet: Fix attaching to PYH failed on RPi 4B
ipv6: exthdrs: do not blindly use init_net
can: j1939: j1939_sk_setsockopt(): prevent allocation of j1939 filter for optlen == 0
bpf: Do not change gso_size during bpf_skb_change_proto()
i40e: Fix error handling in i40e_vsi_open
i40e: Fix autoneg disabling for non-10GBaseT links
i40e: Fix missing rtnl locking when setting up pf switch
Revert "ibmvnic: remove duplicate napi_schedule call in open function"
ibmvnic: set ltb->buff to NULL after freeing
ibmvnic: free tx_pool if tso_pool alloc fails
RDMA/cma: Protect RMW with qp_mutex
net: macsec: fix the length used to copy the key for offloading
net: phy: mscc: fix macsec key length
net: atlantic: fix the macsec key length
ipv6: fix out-of-bound access in ip6_parse_tlv()
e1000e: Check the PCIm state
net: dsa: sja1105: fix NULL pointer dereference in sja1105_reload_cbs()
bpfilter: Specify the log level for the kmsg message
RDMA/cma: Fix incorrect Packet Lifetime calculation
gve: Fix swapped vars when fetching max queues
Revert "be2net: disable bh with spin_lock in be_process_mcc"
Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid
Bluetooth: Fix not sending Set Extended Scan Response
Bluetooth: Fix Set Extended (Scan Response) Data
Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event
clk: actions: Fix UART clock dividers on Owl S500 SoC
clk: actions: Fix SD clocks factor table on Owl S500 SoC
clk: actions: Fix bisp_factor_table based clocks on Owl S500 SoC
clk: actions: Fix AHPPREDIV-H-AHB clock chain on Owl S500 SoC
clk: qcom: clk-alpha-pll: fix CAL_L write in alpha_pll_fabia_prepare
clk: si5341: Wait for DEVICE_READY on startup
clk: si5341: Avoid divide errors due to bogus register contents
clk: si5341: Check for input clock presence and PLL lock on startup
clk: si5341: Update initialization magic
writeback: fix obtain a reference to a freeing memcg css
net: lwtunnel: handle MTU calculation in forwading
net: sched: fix warning in tcindex_alloc_perfect_hash
net: tipc: fix FB_MTU eat two pages
RDMA/mlx5: Don't access NULL-cleared mpi pointer
RDMA/core: Always release restrack object
MIPS: Fix PKMAP with 32-bit MIPS huge page support
staging: fbtft: Rectify GPIO handling
staging: fbtft: Don't spam logs when probe is deferred
ASoC: rt5682: Disable irq on shutdown
rcu: Invoke rcu_spawn_core_kthreads() from rcu_spawn_gp_kthread()
serial: fsl_lpuart: don't modify arbitrary data on lpuart32
serial: fsl_lpuart: remove RTSCTS handling from get_mctrl()
serial: 8250_omap: fix a timeout loop condition
tty: nozomi: Fix a resource leak in an error handling function
mwifiex: re-fix for unaligned accesses
iio: adis_buffer: do not return ints in irq handlers
iio: adis16400: do not return ints in irq handlers
iio: adis16475: do not return ints in irq handlers
iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: accel: bma220: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: accel: hid: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: accel: kxcjk-1013: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: accel: mxc4005: Fix overread of data and alignment issue.
iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: adc: ti-ads1015: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: adc: vf610: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: gyro: bmg160: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: humidity: am2315: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: prox: srf08: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: prox: pulsed-light: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: prox: as3935: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: magn: hmc5843: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: magn: bmc150: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: light: isl29125: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: light: tcs3414: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: light: tcs3472: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: chemical: atlas: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: cros_ec_sensors: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()
iio: potentiostat: lmp91000: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()
ASoC: rk3328: fix missing clk_disable_unprepare() on error in rk3328_platform_probe()
ASoC: hisilicon: fix missing clk_disable_unprepare() on error in hi6210_i2s_startup()
backlight: lm3630a_bl: Put fwnode in error case during ->probe()
ASoC: rsnd: tidyup loop on rsnd_adg_clk_query()
Input: hil_kbd - fix error return code in hil_dev_connect()
perf scripting python: Fix tuple_set_u64()
mtd: partitions: redboot: seek fis-index-block in the right node
mtd: rawnand: arasan: Ensure proper configuration for the asserted target
staging: mmal-vchiq: Fix incorrect static vchiq_instance.
char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol()
firmware: stratix10-svc: Fix a resource leak in an error handling path
tty: nozomi: Fix the error handling path of 'nozomi_card_init()'
leds: class: The -ENOTSUPP should never be seen by user space
leds: lm3532: select regmap I2C API
leds: lm36274: Put fwnode in error case during ->probe()
leds: lm3692x: Put fwnode in any case during ->probe()
leds: lm3697: Don't spam logs when probe is deferred
leds: lp50xx: Put fwnode in error case during ->probe()
scsi: FlashPoint: Rename si_flags field
scsi: iscsi: Flush block work before unblock
mfd: mp2629: Select MFD_CORE to fix build error
mfd: rn5t618: Fix IRQ trigger by changing it to level mode
fsi: core: Fix return of error values on failures
fsi: scom: Reset the FSI2PIB engine for any error
fsi: occ: Don't accept response from un-initialized OCC
fsi/sbefifo: Clean up correct FIFO when receiving reset request from SBE
fsi/sbefifo: Fix reset timeout
visorbus: fix error return code in visorchipset_init()
iommu/amd: Fix extended features logging
s390/irq: select HAVE_IRQ_EXIT_ON_IRQ_STACK
s390: enable HAVE_IOREMAP_PROT
s390: appldata depends on PROC_SYSCTL
selftests: splice: Adjust for handler fallback removal
iommu/dma: Fix IOVA reserve dma ranges
ASoC: max98373-sdw: use first_hw_init flag on resume
ASoC: rt1308-sdw: use first_hw_init flag on resume
ASoC: rt5682-sdw: use first_hw_init flag on resume
ASoC: rt700-sdw: use first_hw_init flag on resume
ASoC: rt711-sdw: use first_hw_init flag on resume
ASoC: rt715-sdw: use first_hw_init flag on resume
ASoC: rt5682: fix getting the wrong device id when the suspend_stress_test
ASoC: rt5682-sdw: set regcache_cache_only false before reading RT5682_DEVICE_ID
ASoC: mediatek: mtk-btcvsd: Fix an error handling path in 'mtk_btcvsd_snd_probe()'
usb: gadget: f_fs: Fix setting of device and driver data cross-references
usb: dwc2: Don't reset the core after setting turnaround time
eeprom: idt_89hpesx: Put fwnode in matching case during ->probe()
eeprom: idt_89hpesx: Restore printing the unsupported fwnode name
thunderbolt: Bond lanes only when dual_link_port != NULL in alloc_dev_default()
iio: adc: at91-sama5d2: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: adc: hx711: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: adc: mxs-lradc: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()
iio: magn: rm3100: Fix alignment of buffer in iio_push_to_buffers_with_timestamp()
iio: light: vcnl4000: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
ASoC: fsl_spdif: Fix error handler with pm_runtime_enable
staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt()
staging: gdm724x: check for overflow in gdm_lte_netif_rx()
staging: rtl8712: fix error handling in r871xu_drv_init
staging: rtl8712: fix memory leak in rtl871x_load_fw_cb
coresight: core: Fix use of uninitialized pointer
staging: mt7621-dts: fix pci address for PCI memory range
serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates
iio: light: vcnl4035: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
iio: prox: isl29501: Fix buffer alignment in iio_push_to_buffers_with_timestamp()
ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK
of: Fix truncation of memory sizes on 32-bit platforms
mtd: rawnand: marvell: add missing clk_disable_unprepare() on error in marvell_nfc_resume()
habanalabs: Fix an error handling path in 'hl_pci_probe()'
scsi: mpt3sas: Fix error return value in _scsih_expander_add()
soundwire: stream: Fix test for DP prepare complete
phy: uniphier-pcie: Fix updating phy parameters
phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe()
extcon: sm5502: Drop invalid register write in sm5502_reg_data
extcon: max8997: Add missing modalias string
powerpc/powernv: Fix machine check reporting of async store errors
ASoC: atmel-i2s: Fix usage of capture and playback at the same time
configfs: fix memleak in configfs_release_bin_file
ASoC: Intel: sof_sdw: add SOF_RT715_DAI_ID_FIX for AlderLake
ASoC: fsl_spdif: Fix unexpected interrupt after suspend
leds: as3645a: Fix error return code in as3645a_parse_node()
leds: ktd2692: Fix an error handling path
selftests/ftrace: fix event-no-pid on 1-core machine
serial: 8250: 8250_omap: Disable RX interrupt after DMA enable
serial: 8250: 8250_omap: Fix possible interrupt storm on K3 SoCs
powerpc: Offline CPU in stop_this_cpu()
powerpc/papr_scm: Properly handle UUID types and API
powerpc/64s: Fix copy-paste data exposure into newly created tasks
powerpc/papr_scm: Make 'perf_stats' invisible if perf-stats unavailable
ALSA: firewire-lib: Fix 'amdtp_domain_start()' when no AMDTP_OUT_STREAM stream is found
serial: mvebu-uart: do not allow changing baudrate when uartclk is not available
serial: mvebu-uart: correctly calculate minimal possible baudrate
arm64: dts: marvell: armada-37xx: Fix reg for standard variant of UART
vfio/pci: Handle concurrent vma faults
mm/pmem: avoid inserting hugepage PTE entry with fsdax if hugepage support is disabled
mm/huge_memory.c: remove dedicated macro HPAGE_CACHE_INDEX_MASK
mm/huge_memory.c: add missing read-only THP checking in transparent_hugepage_enabled()
mm/huge_memory.c: don't discard hugepage if other processes are mapping it
mm/hugetlb: use helper huge_page_order and pages_per_huge_page
mm/hugetlb: remove redundant check in preparing and destroying gigantic page
hugetlb: remove prep_compound_huge_page cleanup
include/linux/huge_mm.h: remove extern keyword
mm/z3fold: fix potential memory leak in z3fold_destroy_pool()
mm/z3fold: use release_z3fold_page_locked() to release locked z3fold page
lib/math/rational.c: fix divide by zero
selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really random
selftests/vm/pkeys: handle negative sys_pkey_alloc() return code
selftests/vm/pkeys: refill shadow register after implicit kernel write
perf llvm: Return -ENOMEM when asprintf() fails
csky: fix syscache.c fallthrough warning
csky: syscache: Fixup duplicate cache flush
exfat: handle wrong stream entry size in exfat_readdir()
scsi: fc: Correct RHBA attributes length
scsi: target: cxgbit: Unmap DMA buffer before calling target_execute_cmd()
mailbox: qcom-ipcc: Fix IPCC mbox channel exhaustion
fscrypt: don't ignore minor_hash when hash is 0
fscrypt: fix derivation of SipHash keys on big endian CPUs
tpm: Replace WARN_ONCE() with dev_err_once() in tpm_tis_status()
erofs: fix error return code in erofs_read_superblock()
block: return the correct bvec when checking for gaps
io_uring: fix blocking inline submission
mmc: block: Disable CMDQ on the ioctl path
mmc: vub3000: fix control-request direction
media: exynos4-is: remove a now unused integer
scsi: core: Retry I/O for Notify (Enable Spinup) Required error
crypto: qce - fix error return code in qce_skcipher_async_req_handle()
s390: preempt: Fix preempt_count initialization
cred: add missing return error code when set_cred_ucounts() failed
iommu/dma: Fix compile warning in 32-bit builds
powerpc/preempt: Don't touch the idle task's preempt_count during hotplug
Linux 5.10.50
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iec4eab24ea8eb5a6d79739a1aec8432d93a8f82c
|
||
|
John Fastabend
|
f97b9c4c07 |
bpf: Fix null ptr deref with mixed tail calls and subprogs
[ Upstream commit 7506d211b932870155bcb39e3dd9e39fab45a7c7 ]
The sub-programs prog->aux->poke_tab[] is populated in jit_subprogs() and
then used when emitting 'BPF_JMP|BPF_TAIL_CALL' insn->code from the
individual JITs. The poke_tab[] to use is stored in the insn->imm by
the code adding it to that array slot. The JIT then uses imm to find the
right entry for an individual instruction. In the x86 bpf_jit_comp.c
this is done by calling emit_bpf_tail_call_direct with the poke_tab[]
of the imm value.
However, we observed the below null-ptr-deref when mixing tail call
programs with subprog programs. For this to happen we just need to
mix bpf-2-bpf calls and tailcalls with some extra calls or instructions
that would be patched later by one of the fixup routines. So whats
happening?
Before the fixup_call_args() -- where the jit op is done -- various
code patching is done by do_misc_fixups(). This may increase the
insn count, for example when we patch map_lookup_up using map_gen_lookup
hook. This does two things. First, it means the instruction index,
insn_idx field, of a tail call instruction will move by a 'delta'.
In verifier code,
struct bpf_jit_poke_descriptor desc = {
.reason = BPF_POKE_REASON_TAIL_CALL,
.tail_call.map = BPF_MAP_PTR(aux->map_ptr_state),
.tail_call.key = bpf_map_key_immediate(aux),
.insn_idx = i + delta,
};
Then subprog start values subprog_info[i].start will be updated
with the delta and any poke descriptor index will also be updated
with the delta in adjust_poke_desc(). If we look at the adjust
subprog starts though we see its only adjusted when the delta
occurs before the new instructions,
/* NOTE: fake 'exit' subprog should be updated as well. */
for (i = 0; i <= env->subprog_cnt; i++) {
if (env->subprog_info[i].start <= off)
continue;
Earlier subprograms are not changed because their start values
are not moved. But, adjust_poke_desc() does the offset + delta
indiscriminately. The result is poke descriptors are potentially
corrupted.
Then in jit_subprogs() we only populate the poke_tab[]
when the above insn_idx is less than the next subprogram start. From
above we corrupted our insn_idx so we might incorrectly assume a
poke descriptor is not used in a subprogram omitting it from the
subprogram. And finally when the jit runs it does the deref of poke_tab
when emitting the instruction and crashes with below. Because earlier
step omitted the poke descriptor.
The fix is straight forward with above context. Simply move same logic
from adjust_subprog_starts() into adjust_poke_descs() and only adjust
insn_idx when needed.
[ 82.396354] bpf_testmod: version magic '5.12.0-rc2alu+ SMP preempt mod_unload ' should be '5.12.0+ SMP preempt mod_unload '
[ 82.623001] loop10: detected capacity change from 0 to 8
[ 88.487424] ==================================================================
[ 88.487438] BUG: KASAN: null-ptr-deref in do_jit+0x184a/0x3290
[ 88.487455] Write of size 8 at addr 0000000000000008 by task test_progs/5295
[ 88.487471] CPU: 7 PID: 5295 Comm: test_progs Tainted: G I 5.12.0+ #386
[ 88.487483] Hardware name: Dell Inc. Precision 5820 Tower/002KVM, BIOS 1.9.2 01/24/2019
[ 88.487490] Call Trace:
[ 88.487498] dump_stack+0x93/0xc2
[ 88.487515] kasan_report.cold+0x5f/0xd8
[ 88.487530] ? do_jit+0x184a/0x3290
[ 88.487542] do_jit+0x184a/0x3290
...
[ 88.487709] bpf_int_jit_compile+0x248/0x810
...
[ 88.487765] bpf_check+0x3718/0x5140
...
[ 88.487920] bpf_prog_load+0xa22/0xf10
Fixes:
|
||
|
Greg Kroah-Hartman
|
b1a6760ddf |
Merge branch 'android12-5.10' into android12-5.10-lts
Sync up with android12-5.10 for the following commits: |
||
|
Kuan-Ying Lee
|
38abaebab7 |
ANDROID: syscall_check: add vendor hook for bpf syscall
Through this vendor hook, we can get the timing to check current running task for the validation of its credential and bpf operations. Bug: 191291287 Signed-off-by: Kuan-Ying Lee <Kuan-Ying.Lee@mediatek.com> Change-Id: Ie4ed8df7ad66df2486fc7e52a26d9191fc0c176e |
||
|
Greg Kroah-Hartman
|
948d38f94d |
Merge 5.10.46 into android12-5.10-lts
Changes in 5.10.46 dmaengine: idxd: add missing dsa driver unregister dmaengine: fsl-dpaa2-qdma: Fix error return code in two functions dmaengine: xilinx: dpdma: initialize registers before request_irq dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM dmaengine: SF_PDMA depends on HAS_IOMEM dmaengine: stedma40: add missing iounmap() on error in d40_probe() afs: Fix an IS_ERR() vs NULL check mm/memory-failure: make sure wait for page writeback in memory_failure kvm: LAPIC: Restore guard to prevent illegal APIC register access fanotify: fix copy_event_to_user() fid error clean up batman-adv: Avoid WARN_ON timing related checks mac80211: fix skb length check in ieee80211_scan_rx() mlxsw: reg: Spectrum-3: Enforce lowest max-shaper burst size of 11 mlxsw: core: Set thermal zone polling delay argument to real value at init libbpf: Fixes incorrect rx_ring_setup_done net: ipv4: fix memory leak in netlbl_cipsov4_add_std vrf: fix maximum MTU net: rds: fix memory leak in rds_recvmsg net: dsa: felix: re-enable TX flow control in ocelot_port_flush() net: lantiq: disable interrupt before sheduling NAPI netfilter: nft_fib_ipv6: skip ipv6 packets from any to link-local ice: add ndo_bpf callback for safe mode netdev ops ice: parameterize functions responsible for Tx ring management udp: fix race between close() and udp_abort() rtnetlink: Fix regression in bridge VLAN configuration net/sched: act_ct: handle DNAT tuple collision net/mlx5e: Remove dependency in IPsec initialization flows net/mlx5e: Fix page reclaim for dead peer hairpin net/mlx5: Consider RoCE cap before init RDMA resources net/mlx5: DR, Allow SW steering for sw_owner_v2 devices net/mlx5: DR, Don't use SW steering when RoCE is not supported net/mlx5e: Block offload of outer header csum for UDP tunnels netfilter: synproxy: Fix out of bounds when parsing TCP options mptcp: Fix out of bounds when parsing TCP options sch_cake: Fix out of bounds when parsing TCP options and header mptcp: try harder to borrow memory from subflow under pressure mptcp: do not warn on bad input from the network selftests: mptcp: enable syncookie only in absence of reorders alx: Fix an error handling path in 'alx_probe()' cxgb4: fix endianness when flashing boot image cxgb4: fix sleep in atomic when flashing PHY firmware cxgb4: halt chip before flashing PHY firmware image net: stmmac: dwmac1000: Fix extended MAC address registers definition net: make get_net_ns return error if NET_NS is disabled net: qualcomm: rmnet: Update rmnet device MTU based on real device net: qualcomm: rmnet: don't over-count statistics ethtool: strset: fix message length calculation qlcnic: Fix an error handling path in 'qlcnic_probe()' netxen_nic: Fix an error handling path in 'netxen_nic_probe()' cxgb4: fix wrong ethtool n-tuple rule lookup ipv4: Fix device used for dst_alloc with local routes net: qrtr: fix OOB Read in qrtr_endpoint_post bpf: Fix leakage under speculation on mispredicted branches ptp: improve max_adj check against unreasonable values net: cdc_ncm: switch to eth%d interface naming lantiq: net: fix duplicated skb in rx descriptor ring net: usb: fix possible use-after-free in smsc75xx_bind net: fec_ptp: fix issue caused by refactor the fec_devtype net: ipv4: fix memory leak in ip_mc_add1_src net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock net/mlx5: E-Switch, Read PF mac address net/mlx5: E-Switch, Allow setting GUID for host PF vport net/mlx5: Reset mkey index on creation be2net: Fix an error handling path in 'be_probe()' net: hamradio: fix memory leak in mkiss_close net: cdc_eem: fix tx fixup skb leak cxgb4: fix wrong shift. bnxt_en: Rediscover PHY capabilities after firmware reset bnxt_en: Fix TQM fastpath ring backing store computation bnxt_en: Call bnxt_ethtool_free() in bnxt_init_one() error path icmp: don't send out ICMP messages with a source address of 0.0.0.0 net: ethernet: fix potential use-after-free in ec_bhf_remove regulator: cros-ec: Fix error code in dev_err message regulator: bd70528: Fix off-by-one for buck123 .n_voltages setting platform/x86: thinkpad_acpi: Add X1 Carbon Gen 9 second fan support ASoC: rt5659: Fix the lost powers for the HDA header phy: phy-mtk-tphy: Fix some resource leaks in mtk_phy_init() ASoC: fsl-asoc-card: Set .owner attribute when registering card. regulator: rtmv20: Fix to make regcache value first reading back from HW spi: spi-zynq-qspi: Fix some wrong goto jumps & missing error code sched/pelt: Ensure that *_sum is always synced with *_avg ASoC: tas2562: Fix TDM_CFG0_SAMPRATE values spi: stm32-qspi: Always wait BUSY bit to be cleared in stm32_qspi_wait_cmd() regulator: rt4801: Fix NULL pointer dereference if priv->enable_gpios is NULL ASoC: rt5682: Fix the fast discharge for headset unplugging in soundwire mode pinctrl: ralink: rt2880: avoid to error in calls is pin is already enabled drm/sun4i: dw-hdmi: Make HDMI PHY into a platform device ASoC: qcom: lpass-cpu: Fix pop noise during audio capture begin radeon: use memcpy_to/fromio for UVD fw upload hwmon: (scpi-hwmon) shows the negative temperature properly mm: relocate 'write_protect_seq' in struct mm_struct irqchip/gic-v3: Workaround inconsistent PMR setting on NMI entry bpf: Inherit expanded/patched seen count from old aux data bpf: Do not mark insn as seen under speculative path verification can: bcm: fix infoleak in struct bcm_msg_head can: bcm/raw/isotp: use per module netdevice notifier can: j1939: fix Use-after-Free, hold skb ref while in use can: mcba_usb: fix memory leak in mcba_usb usb: core: hub: Disable autosuspend for Cypress CY7C65632 usb: chipidea: imx: Fix Battery Charger 1.2 CDP detection tracing: Do not stop recording cmdlines when tracing is off tracing: Do not stop recording comms if the trace file is being read tracing: Do no increment trace_clock_global() by one PCI: Mark TI C667X to avoid bus reset PCI: Mark some NVIDIA GPUs to avoid bus reset PCI: aardvark: Fix kernel panic during PIO transfer PCI: Add ACS quirk for Broadcom BCM57414 NIC PCI: Work around Huawei Intelligent NIC VF FLR erratum KVM: x86: Immediately reset the MMU context when the SMM flag is cleared KVM: x86/mmu: Calculate and check "full" mmu_role for nested MMU KVM: X86: Fix x86_emulator slab cache leak s390/mcck: fix calculation of SIE critical section size s390/ap: Fix hanging ioctl caused by wrong msg counter ARCv2: save ABI registers across signal handling x86/mm: Avoid truncating memblocks for SGX memory x86/process: Check PF_KTHREAD and not current->mm for kernel threads x86/ioremap: Map EFI-reserved memory as encrypted for SEV x86/pkru: Write hardware init value to PKRU when xstate is init x86/fpu: Prevent state corruption in __fpu__restore_sig() x86/fpu: Invalidate FPU state after a failed XRSTOR from a user buffer x86/fpu: Reset state for all signal restore failures crash_core, vmcoreinfo: append 'SECTION_SIZE_BITS' to vmcoreinfo dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc mac80211: Fix NULL ptr deref for injected rate info cfg80211: make certificate generation more robust cfg80211: avoid double free of PMSR request drm/amdgpu/gfx10: enlarge CP_MEC_DOORBELL_RANGE_UPPER to cover full doorbell. drm/amdgpu/gfx9: fix the doorbell missing when in CGPG issue. net: ll_temac: Make sure to free skb when it is completely used net: ll_temac: Fix TX BD buffer overwrite net: bridge: fix vlan tunnel dst null pointer dereference net: bridge: fix vlan tunnel dst refcnt when egressing mm/swap: fix pte_same_as_swp() not removing uffd-wp bit when compare mm/slub: clarify verification reporting mm/slub: fix redzoning for small allocations mm/slub: actually fix freelist pointer vs redzoning mm/slub.c: include swab.h net: stmmac: disable clocks in stmmac_remove_config_dt() net: fec_ptp: add clock rate zero check tools headers UAPI: Sync linux/in.h copy with the kernel sources perf beauty: Update copy of linux/socket.h with the kernel sources usb: dwc3: debugfs: Add and remove endpoint dirs dynamically usb: dwc3: core: fix kernel panic when do reboot Linux 5.10.46 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I99f37c9f257f90ccdb091306f3d4cfb7c32e3880 |
||
|
Daniel Borkmann
|
8c82c52d1d |
bpf: Do not mark insn as seen under speculative path verification
[ Upstream commit fe9a5ca7e370e613a9a75a13008a3845ea759d6e ] ... in such circumstances, we do not want to mark the instruction as seen given the goal is still to jmp-1 rewrite/sanitize dead code, if it is not reachable from the non-speculative path verification. We do however want to verify it for safety regardless. With the patch as-is all the insns that have been marked as seen before the patch will also be marked as seen after the patch (just with a potentially different non-zero count). An upcoming patch will also verify paths that are unreachable in the non-speculative domain, hence this extension is needed. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Reviewed-by: Benedict Schlueter <benedict.schlueter@rub.de> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Daniel Borkmann
|
e9d271731d |
bpf: Inherit expanded/patched seen count from old aux data
[ Upstream commit d203b0fd863a2261e5d00b97f3d060c4c2a6db71 ] Instead of relying on current env->pass_cnt, use the seen count from the old aux data in adjust_insn_aux_data(), and expand it to the new range of patched instructions. This change is valid given we always expand 1:n with n>=1, so what applies to the old/original instruction needs to apply for the replacement as well. Not relying on env->pass_cnt is a prerequisite for a later change where we want to avoid marking an instruction seen when verified under speculative execution path. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Reviewed-by: Benedict Schlueter <benedict.schlueter@rub.de> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Daniel Borkmann
|
5fc6ed1831 |
bpf: Fix leakage under speculation on mispredicted branches
[ Upstream commit 9183671af6dbf60a1219371d4ed73e23f43b49db ]
The verifier only enumerates valid control-flow paths and skips paths that
are unreachable in the non-speculative domain. And so it can miss issues
under speculative execution on mispredicted branches.
For example, a type confusion has been demonstrated with the following
crafted program:
// r0 = pointer to a map array entry
// r6 = pointer to readable stack slot
// r9 = scalar controlled by attacker
1: r0 = *(u64 *)(r0) // cache miss
2: if r0 != 0x0 goto line 4
3: r6 = r9
4: if r0 != 0x1 goto line 6
5: r9 = *(u8 *)(r6)
6: // leak r9
Since line 3 runs iff r0 == 0 and line 5 runs iff r0 == 1, the verifier
concludes that the pointer dereference on line 5 is safe. But: if the
attacker trains both the branches to fall-through, such that the following
is speculatively executed ...
r6 = r9
r9 = *(u8 *)(r6)
// leak r9
... then the program will dereference an attacker-controlled value and could
leak its content under speculative execution via side-channel. This requires
to mistrain the branch predictor, which can be rather tricky, because the
branches are mutually exclusive. However such training can be done at
congruent addresses in user space using different branches that are not
mutually exclusive. That is, by training branches in user space ...
A: if r0 != 0x0 goto line C
B: ...
C: if r0 != 0x0 goto line D
D: ...
... such that addresses A and C collide to the same CPU branch prediction
entries in the PHT (pattern history table) as those of the BPF program's
lines 2 and 4, respectively. A non-privileged attacker could simply brute
force such collisions in the PHT until observing the attack succeeding.
Alternative methods to mistrain the branch predictor are also possible that
avoid brute forcing the collisions in the PHT. A reliable attack has been
demonstrated, for example, using the following crafted program:
// r0 = pointer to a [control] map array entry
// r7 = *(u64 *)(r0 + 0), training/attack phase
// r8 = *(u64 *)(r0 + 8), oob address
// [...]
// r0 = pointer to a [data] map array entry
1: if r7 == 0x3 goto line 3
2: r8 = r0
// crafted sequence of conditional jumps to separate the conditional
// branch in line 193 from the current execution flow
3: if r0 != 0x0 goto line 5
4: if r0 == 0x0 goto exit
5: if r0 != 0x0 goto line 7
6: if r0 == 0x0 goto exit
[...]
187: if r0 != 0x0 goto line 189
188: if r0 == 0x0 goto exit
// load any slowly-loaded value (due to cache miss in phase 3) ...
189: r3 = *(u64 *)(r0 + 0x1200)
// ... and turn it into known zero for verifier, while preserving slowly-
// loaded dependency when executing:
190: r3 &= 1
191: r3 &= 2
// speculatively bypassed phase dependency
192: r7 += r3
193: if r7 == 0x3 goto exit
194: r4 = *(u8 *)(r8 + 0)
// leak r4
As can be seen, in training phase (phase != 0x3), the condition in line 1
turns into false and therefore r8 with the oob address is overridden with
the valid map value address, which in line 194 we can read out without
issues. However, in attack phase, line 2 is skipped, and due to the cache
miss in line 189 where the map value is (zeroed and later) added to the
phase register, the condition in line 193 takes the fall-through path due
to prior branch predictor training, where under speculation, it'll load the
byte at oob address r8 (unknown scalar type at that point) which could then
be leaked via side-channel.
One way to mitigate these is to 'branch off' an unreachable path, meaning,
the current verification path keeps following the is_branch_taken() path
and we push the other branch to the verification stack. Given this is
unreachable from the non-speculative domain, this branch's vstate is
explicitly marked as speculative. This is needed for two reasons: i) if
this path is solely seen from speculative execution, then we later on still
want the dead code elimination to kick in in order to sanitize these
instructions with jmp-1s, and ii) to ensure that paths walked in the
non-speculative domain are not pruned from earlier walks of paths walked in
the speculative domain. Additionally, for robustness, we mark the registers
which have been part of the conditional as unknown in the speculative path
given there should be no assumptions made on their content.
The fix in here mitigates type confusion attacks described earlier due to
i) all code paths in the BPF program being explored and ii) existing
verifier logic already ensuring that given memory access instruction
references one specific data structure.
An alternative to this fix that has also been looked at in this scope was to
mark aux->alu_state at the jump instruction with a BPF_JMP_TAKEN state as
well as direction encoding (always-goto, always-fallthrough, unknown), such
that mixing of different always-* directions themselves as well as mixing of
always-* with unknown directions would cause a program rejection by the
verifier, e.g. programs with constructs like 'if ([...]) { x = 0; } else
{ x = 1; }' with subsequent 'if (x == 1) { [...] }'. For unprivileged, this
would result in only single direction always-* taken paths, and unknown taken
paths being allowed, such that the former could be patched from a conditional
jump to an unconditional jump (ja). Compared to this approach here, it would
have two downsides: i) valid programs that otherwise are not performing any
pointer arithmetic, etc, would potentially be rejected/broken, and ii) we are
required to turn off path pruning for unprivileged, where both can be avoided
in this work through pushing the invalid branch to the verification stack.
The issue was originally discovered by Adam and Ofek, and later independently
discovered and reported as a result of Benedict and Piotr's research work.
Fixes:
|
||
|
Greg Kroah-Hartman
|
82658bfd88 |
Merge 5.10.44 into android12-5.10-lts
Changes in 5.10.44 proc: Track /proc/$pid/attr/ opener mm_struct ASoC: max98088: fix ni clock divider calculation ASoC: amd: fix for pcm_read() error spi: Fix spi device unregister flow spi: spi-zynq-qspi: Fix stack violation bug bpf: Forbid trampoline attach for functions with variable arguments net/nfc/rawsock.c: fix a permission check bug usb: cdns3: Fix runtime PM imbalance on error ASoC: Intel: bytcr_rt5640: Add quirk for the Glavey TM800A550L tablet ASoC: Intel: bytcr_rt5640: Add quirk for the Lenovo Miix 3-830 tablet vfio-ccw: Reset FSM state to IDLE inside FSM vfio-ccw: Serialize FSM IDLE state with I/O completion ASoC: sti-sas: add missing MODULE_DEVICE_TABLE spi: sprd: Add missing MODULE_DEVICE_TABLE usb: chipidea: udc: assign interrupt number to USB gadget structure isdn: mISDN: netjet: Fix crash in nj_probe: bonding: init notify_work earlier to avoid uninitialized use netlink: disable IRQs for netlink_lock_table() net: mdiobus: get rid of a BUG_ON() cgroup: disable controllers at parse time wq: handle VM suspension in stall detection net/qla3xxx: fix schedule while atomic in ql_sem_spinlock RDS tcp loopback connection can hang net:sfc: fix non-freed irq in legacy irq mode scsi: bnx2fc: Return failure if io_req is already in ABTS processing scsi: vmw_pvscsi: Set correct residual data length scsi: hisi_sas: Drop free_irq() of devm_request_irq() allocated irq scsi: target: qla2xxx: Wait for stop_phase1 at WWN removal net: macb: ensure the device is available before accessing GEMGXL control registers net: appletalk: cops: Fix data race in cops_probe1 net: dsa: microchip: enable phy errata workaround on 9567 nvme-fabrics: decode host pathing error for connect MIPS: Fix kernel hang under FUNCTION_GRAPH_TRACER and PREEMPT_TRACER dm verity: fix require_signatures module_param permissions bnx2x: Fix missing error code in bnx2x_iov_init_one() nvme-tcp: remove incorrect Kconfig dep in BLK_DEV_NVME nvmet: fix false keep-alive timeout when a controller is torn down powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P2041 i2c controllers powerpc/fsl: set fsl,i2c-erratum-a004447 flag for P1010 i2c controllers spi: Don't have controller clean up spi device before driver unbind spi: Cleanup on failure of initial setup i2c: mpc: Make use of i2c_recover_bus() i2c: mpc: implement erratum A-004447 workaround ALSA: seq: Fix race of snd_seq_timer_open() ALSA: firewire-lib: fix the context to call snd_pcm_stop_xrun() ALSA: hda/realtek: headphone and mic don't work on an Acer laptop ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Elite Dragonfly G2 ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP EliteBook x360 1040 G8 ALSA: hda/realtek: fix mute/micmute LEDs for HP EliteBook 840 Aero G8 ALSA: hda/realtek: fix mute/micmute LEDs for HP ZBook Power G8 spi: bcm2835: Fix out-of-bounds access with more than 4 slaves Revert "ACPI: sleep: Put the FACS table after using it" drm: Fix use-after-free read in drm_getunique() drm: Lock pointer access in drm_master_release() perf/x86/intel/uncore: Fix M2M event umask for Ice Lake server KVM: X86: MMU: Use the correct inherited permissions to get shadow page kvm: avoid speculation-based attacks from out-of-range memslot accesses staging: rtl8723bs: Fix uninitialized variables async_xor: check src_offs is not NULL before updating it btrfs: return value from btrfs_mark_extent_written() in case of error btrfs: promote debugging asserts to full-fledged checks in validate_super cgroup1: don't allow '\n' in renaming ftrace: Do not blindly read the ip address in ftrace_bug() mmc: renesas_sdhi: abort tuning when timeout detected mmc: renesas_sdhi: Fix HS400 on R-Car M3-W+ USB: f_ncm: ncm_bitrate (speed) is unsigned usb: f_ncm: only first packet of aggregate needs to start timer usb: pd: Set PD_T_SINK_WAIT_CAP to 310ms usb: dwc3-meson-g12a: fix usb2 PHY glue init when phy0 is disabled usb: dwc3: meson-g12a: Disable the regulator in the error handling path of the probe usb: dwc3: gadget: Bail from dwc3_gadget_exit() if dwc->gadget is NULL usb: dwc3: ep0: fix NULL pointer exception usb: musb: fix MUSB_QUIRK_B_DISCONNECT_99 handling usb: typec: wcove: Use LE to CPU conversion when accessing msg->header usb: typec: ucsi: Clear PPM capability data in ucsi_init() error path usb: typec: intel_pmc_mux: Put fwnode in error case during ->probe() usb: typec: intel_pmc_mux: Add missed error check for devm_ioremap_resource() usb: gadget: f_fs: Ensure io_completion_wq is idle during unbind USB: serial: ftdi_sio: add NovaTech OrionMX product ID USB: serial: omninet: add device id for Zyxel Omni 56K Plus USB: serial: quatech2: fix control-request directions USB: serial: cp210x: fix alternate function for CP2102N QFN20 usb: gadget: eem: fix wrong eem header operation usb: fix various gadgets null ptr deref on 10gbps cabling. usb: fix various gadget panics on 10gbps cabling usb: typec: tcpm: cancel vdm and state machine hrtimer when unregister tcpm port usb: typec: tcpm: cancel frs hrtimer when unregister tcpm port regulator: core: resolve supply for boot-on/always-on regulators regulator: max77620: Use device_set_of_node_from_dev() regulator: bd718x7: Fix the BUCK7 voltage setting on BD71837 regulator: fan53880: Fix missing n_voltages setting regulator: bd71828: Fix .n_voltages settings regulator: rtmv20: Fix .set_current_limit/.get_current_limit callbacks phy: usb: Fix misuse of IS_ENABLED usb: dwc3: gadget: Disable gadget IRQ during pullup disable usb: typec: mux: Fix copy-paste mistake in typec_mux_match drm/mcde: Fix off by 10^3 in calculation drm/msm/a6xx: fix incorrectly set uavflagprd_inv field for A650 drm/msm/a6xx: update/fix CP_PROTECT initialization drm/msm/a6xx: avoid shadow NULL reference in failure path RDMA/ipoib: Fix warning caused by destroying non-initial netns RDMA/mlx4: Do not map the core_clock page to user space unless enabled ARM: cpuidle: Avoid orphan section warning vmlinux.lds.h: Avoid orphan section with !SMP tools/bootconfig: Fix error return code in apply_xbc() phy: cadence: Sierra: Fix error return code in cdns_sierra_phy_probe() ASoC: core: Fix Null-point-dereference in fmt_single_name() ASoC: meson: gx-card: fix sound-dai dt schema phy: ti: Fix an error code in wiz_probe() gpio: wcd934x: Fix shift-out-of-bounds error perf: Fix data race between pin_count increment/decrement sched/fair: Keep load_avg and load_sum synced sched/fair: Make sure to update tg contrib for blocked load sched/fair: Fix util_est UTIL_AVG_UNCHANGED handling x86/nmi_watchdog: Fix old-style NMI watchdog regression on old Intel CPUs KVM: x86: Ensure liveliness of nested VM-Enter fail tracepoint message IB/mlx5: Fix initializing CQ fragments buffer NFS: Fix a potential NULL dereference in nfs_get_client() NFSv4: Fix deadlock between nfs4_evict_inode() and nfs4_opendata_get_inode() perf session: Correct buffer copying when peeking events kvm: fix previous commit for 32-bit builds NFS: Fix use-after-free in nfs4_init_client() NFSv4: Fix second deadlock in nfs4_evict_inode() NFSv4: nfs4_proc_set_acl needs to restore NFS_CAP_UIDGID_NOMAP on error. scsi: core: Fix error handling of scsi_host_alloc() scsi: core: Fix failure handling of scsi_add_host_with_dma() scsi: core: Put .shost_dev in failure path if host state changes to RUNNING scsi: core: Only put parent device if host state differs from SHOST_CREATED tracing: Correct the length check which causes memory corruption proc: only require mm_struct for writing Linux 5.10.44 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ic64172b4e72ccb54d96000b3065dd8b33aa9fef5 |
||
|
Jiri Olsa
|
584b2c7ce2 |
bpf: Forbid trampoline attach for functions with variable arguments
[ Upstream commit 31379397dcc364a59ce764fabb131b645c43e340 ] We can't currently allow to attach functions with variable arguments. The problem is that we should save all the registers for arguments, which is probably doable, but if caller uses more than 6 arguments, we need stack data, which will be wrong, because of the extra stack frame we do in bpf trampoline, so we could crash. Also currently there's malformed trampoline code generated for such functions at the moment as described in: https://lore.kernel.org/bpf/20210429212834.82621-1-jolsa@kernel.org/ Signed-off-by: Jiri Olsa <jolsa@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20210505132529.401047-1-jolsa@kernel.org Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
9e08e97ec6 |
Merge 5.10.43 into android12-5.10
Changes in 5.10.43 btrfs: tree-checker: do not error out if extent ref hash doesn't match net: usb: cdc_ncm: don't spew notifications hwmon: (dell-smm-hwmon) Fix index values hwmon: (pmbus/isl68137) remove READ_TEMPERATURE_3 for RAA228228 netfilter: conntrack: unregister ipv4 sockopts on error unwind efi/fdt: fix panic when no valid fdt found efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared efi/libstub: prevent read overflow in find_file_option() efi: cper: fix snprintf() use in cper_dimm_err_location() vfio/pci: Fix error return code in vfio_ecap_init() vfio/pci: zap_vma_ptes() needs MMU samples: vfio-mdev: fix error handing in mdpy_fb_probe() vfio/platform: fix module_put call in error flow ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service HID: logitech-hidpp: initialize level variable HID: pidff: fix error return code in hid_pidff_init() HID: i2c-hid: fix format string mismatch devlink: Correct VIRTUAL port to not have phys_port attributes net/sched: act_ct: Offload connections with commit action net/sched: act_ct: Fix ct template allocation for zone 0 mptcp: always parse mptcp options for MPC reqsk nvme-rdma: fix in-casule data send for chained sgls ACPICA: Clean up context mutex during object deletion perf probe: Fix NULL pointer dereference in convert_variable_location() net: dsa: tag_8021q: fix the VLAN IDs used for encoding sub-VLANs net: sock: fix in-kernel mark setting net/tls: Replace TLS_RX_SYNC_RUNNING with RCU net/tls: Fix use-after-free after the TLS device goes down and up net/mlx5e: Fix incompatible casting net/mlx5: Check firmware sync reset requested is set before trying to abort it net/mlx5e: Check for needed capability for cvlan matching net/mlx5: DR, Create multi-destination flow table with level less than 64 nvmet: fix freeing unallocated p2pmem netfilter: nft_ct: skip expectations for confirmed conntrack netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches drm/i915/selftests: Fix return value check in live_breadcrumbs_smoketest() bpf: Simplify cases in bpf_base_func_proto bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks ieee802154: fix error return code in ieee802154_add_iface() ieee802154: fix error return code in ieee802154_llsec_getparams() igb: add correct exception tracing for XDP ixgbevf: add correct exception tracing for XDP cxgb4: fix regression with HASH tc prio value update ipv6: Fix KASAN: slab-out-of-bounds Read in fib6_nh_flush_exceptions ice: Fix allowing VF to request more/less queues via virtchnl ice: Fix VFR issues for AVF drivers that expect ATQLEN cleared ice: handle the VF VSI rebuild failure ice: report supported and advertised autoneg using PHY capabilities ice: Allow all LLDP packets from PF to Tx i2c: qcom-geni: Add shutdown callback for i2c cxgb4: avoid link re-train during TC-MQPRIO configuration i40e: optimize for XDP_REDIRECT in xsk path i40e: add correct exception tracing for XDP ice: simplify ice_run_xdp ice: optimize for XDP_REDIRECT in xsk path ice: add correct exception tracing for XDP ixgbe: optimize for XDP_REDIRECT in xsk path ixgbe: add correct exception tracing for XDP arm64: dts: ti: j7200-main: Mark Main NAVSS as dma-coherent optee: use export_uuid() to copy client UUID bus: ti-sysc: Fix am335x resume hang for usb otg module arm64: dts: ls1028a: fix memory node arm64: dts: zii-ultra: fix 12V_MAIN voltage arm64: dts: freescale: sl28: var4: fix RGMII clock and voltage ARM: dts: imx7d-meerkat96: Fix the 'tuning-step' property ARM: dts: imx7d-pico: Fix the 'tuning-step' property ARM: dts: imx: emcon-avari: Fix nxp,pca8574 #gpio-cells bus: ti-sysc: Fix flakey idling of uarts and stop using swsup_sidle_act tipc: add extack messages for bearer/media failure tipc: fix unique bearer names sanity check serial: stm32: fix threaded interrupt handling riscv: vdso: fix and clean-up Makefile io_uring: fix link timeout refs io_uring: use better types for cflags drm/amdgpu/vcn3: add cancel_delayed_work_sync before power gate drm/amdgpu/jpeg2.5: add cancel_delayed_work_sync before power gate drm/amdgpu/jpeg3: add cancel_delayed_work_sync before power gate Bluetooth: fix the erroneous flush_work() order Bluetooth: use correct lock to prevent UAF of hdev object wireguard: do not use -O3 wireguard: peer: allocate in kmem_cache wireguard: use synchronize_net rather than synchronize_rcu wireguard: selftests: remove old conntrack kconfig value wireguard: selftests: make sure rp_filter is disabled on vethc wireguard: allowedips: initialize list head in selftest wireguard: allowedips: remove nodes in O(1) wireguard: allowedips: allocate nodes in kmem_cache wireguard: allowedips: free empty intermediate nodes when removing single node net: caif: added cfserl_release function net: caif: add proper error handling net: caif: fix memory leak in caif_device_notify net: caif: fix memory leak in cfusbl_device_notify HID: i2c-hid: Skip ELAN power-on command after reset HID: magicmouse: fix NULL-deref on disconnect HID: multitouch: require Finger field to mark Win8 reports as MT gfs2: fix scheduling while atomic bug in glocks ALSA: timer: Fix master timer notification ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx ALSA: hda: update the power_state during the direct-complete ARM: dts: imx6dl-yapp4: Fix RGMII connection to QCA8334 switch ARM: dts: imx6q-dhcom: Add PU,VDD1P1,VDD2P5 regulators ext4: fix memory leak in ext4_fill_super ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed ext4: fix fast commit alignment issues ext4: fix memory leak in ext4_mb_init_backend on error path. ext4: fix accessing uninit percpu counter variable with fast_commit usb: dwc2: Fix build in periphal-only mode pid: take a reference when initializing `cad_pid` ocfs2: fix data corruption by fallocate mm/debug_vm_pgtable: fix alignment for pmd/pud_advanced_tests() mm/page_alloc: fix counting of free pages after take off from buddy x86/cpufeatures: Force disable X86_FEATURE_ENQCMD and remove update_pasid() x86/sev: Check SME/SEV support in CPUID first nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect drm/amdgpu: Don't query CE and UE errors drm/amdgpu: make sure we unpin the UVD BO x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing powerpc/kprobes: Fix validation of prefixed instructions across page boundary btrfs: mark ordered extent and inode with error if we fail to finish btrfs: fix error handling in btrfs_del_csums btrfs: return errors from btrfs_del_csums in cleanup_ref_head btrfs: fixup error handling in fixup_inode_link_counts btrfs: abort in rename_exchange if we fail to insert the second ref btrfs: fix deadlock when cloning inline extents and low on available space mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY drm/msm/dpu: always use mdp device to scale bandwidth btrfs: fix unmountable seed device after fstrim KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode KVM: arm64: Fix debug register indexing x86/kvm: Teardown PV features on boot CPU as well x86/kvm: Disable kvmclock on all CPUs on shutdown x86/kvm: Disable all PV features on crash lib/lz4: explicitly support in-place decompression i2c: qcom-geni: Suspend and resume the bus during SYSTEM_SLEEP_PM ops netfilter: nf_tables: missing error reporting for not selected expressions xen-netback: take a reference to the RX task thread neighbour: allow NUD_NOARP entries to be forced GCed Linux 5.10.43 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I8d7ec0878193e4e454076809b7fb71fcc4e3d810 |
||
|
Daniel Borkmann
|
ff5039ec75 |
bpf, lockdown, audit: Fix buggy SELinux lockdown permission checks
[ Upstream commit ff40e51043af63715ab413995ff46996ecf9583f ] Commit |
||
|
Tobias Klauser
|
cdf3f6db1a |
bpf: Simplify cases in bpf_base_func_proto
[ Upstream commit 61ca36c8c4eb3bae35a285b1ae18c514cde65439 ] !perfmon_capable() is checked before the last switch(func_id) in bpf_base_func_proto. Thus, the cases BPF_FUNC_trace_printk and BPF_FUNC_snprintf_btf can be moved to that last switch(func_id) to omit the inline !perfmon_capable() checks. Signed-off-by: Tobias Klauser <tklauser@distanz.ch> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20210127174615.3038-1-tklauser@distanz.ch Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
c5d480cd47 |
Merge 5.10.42 into android12-5.10
Changes in 5.10.42
ALSA: hda/realtek: the bass speaker can't output sound on Yoga 9i
ALSA: hda/realtek: Headphone volume is controlled by Front mixer
ALSA: hda/realtek: Chain in pop reduction fixup for ThinkStation P340
ALSA: hda/realtek: fix mute/micmute LEDs for HP 855 G8
ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook G8
ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook Fury 15 G8
ALSA: hda/realtek: fix mute/micmute LEDs and speaker for HP Zbook Fury 17 G8
ALSA: usb-audio: scarlett2: Fix device hang with ehci-pci
ALSA: usb-audio: scarlett2: Improve driver startup messages
cifs: set server->cipher_type to AES-128-CCM for SMB3.0
NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return()
iommu/vt-d: Fix sysfs leak in alloc_iommu()
perf intel-pt: Fix sample instruction bytes
perf intel-pt: Fix transaction abort handling
perf scripts python: exported-sql-viewer.py: Fix copy to clipboard from Top Calls by elapsed Time report
perf scripts python: exported-sql-viewer.py: Fix Array TypeError
perf scripts python: exported-sql-viewer.py: Fix warning display
proc: Check /proc/$pid/attr/ writes against file opener
net: hso: fix control-request directions
net/sched: fq_pie: re-factor fix for fq_pie endless loop
net/sched: fq_pie: fix OOB access in the traffic path
netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version
mac80211: assure all fragments are encrypted
mac80211: prevent mixed key and fragment cache attacks
mac80211: properly handle A-MSDUs that start with an RFC 1042 header
cfg80211: mitigate A-MSDU aggregation attacks
mac80211: drop A-MSDUs on old ciphers
mac80211: add fragment cache to sta_info
mac80211: check defrag PN against current frame
mac80211: prevent attacks on TKIP/WEP as well
mac80211: do not accept/forward invalid EAPOL frames
mac80211: extend protection against mixed key and fragment cache attacks
ath10k: add CCMP PN replay protection for fragmented frames for PCIe
ath10k: drop fragments with multicast DA for PCIe
ath10k: drop fragments with multicast DA for SDIO
ath10k: drop MPDU which has discard flag set by firmware for SDIO
ath10k: Fix TKIP Michael MIC verification for PCIe
ath10k: Validate first subframe of A-MSDU before processing the list
ath11k: Clear the fragment cache during key install
dm snapshot: properly fix a crash when an origin has no snapshots
drm/amd/pm: correct MGpuFanBoost setting
drm/amdgpu/vcn1: add cancel_delayed_work_sync before power gate
drm/amdkfd: correct sienna_cichlid SDMA RLC register offset error
drm/amdgpu/vcn2.0: add cancel_delayed_work_sync before power gate
drm/amdgpu/vcn2.5: add cancel_delayed_work_sync before power gate
drm/amdgpu/jpeg2.0: add cancel_delayed_work_sync before power gate
selftests/gpio: Use TEST_GEN_PROGS_EXTENDED
selftests/gpio: Move include of lib.mk up
selftests/gpio: Fix build when source tree is read only
kgdb: fix gcc-11 warnings harder
Documentation: seccomp: Fix user notification documentation
seccomp: Refactor notification handler to prepare for new semantics
serial: core: fix suspicious security_locked_down() call
misc/uss720: fix memory leak in uss720_probe
thunderbolt: usb4: Fix NVM read buffer bounds and offset issue
thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue
KVM: X86: Fix vCPU preempted state from guest's point of view
KVM: arm64: Prevent mixed-width VM creation
mei: request autosuspend after sending rx flow control
staging: iio: cdc: ad7746: avoid overwrite of num_channels
iio: gyro: fxas21002c: balance runtime power in error path
iio: dac: ad5770r: Put fwnode in error case during ->probe()
iio: adc: ad7768-1: Fix too small buffer passed to iio_push_to_buffers_with_timestamp()
iio: adc: ad7124: Fix missbalanced regulator enable / disable on error.
iio: adc: ad7124: Fix potential overflow due to non sequential channel numbers
iio: adc: ad7923: Fix undersized rx buffer.
iio: adc: ad7793: Add missing error code in ad7793_setup()
iio: adc: ad7192: Avoid disabling a clock that was never enabled.
iio: adc: ad7192: handle regulator voltage error first
serial: 8250: Add UART_BUG_TXRACE workaround for Aspeed VUART
serial: 8250_dw: Add device HID for new AMD UART controller
serial: 8250_pci: Add support for new HPE serial device
serial: 8250_pci: handle FL_NOIRQ board flag
USB: trancevibrator: fix control-request direction
Revert "irqbypass: do not start cons/prod when failed connect"
USB: usbfs: Don't WARN about excessively large memory allocations
drivers: base: Fix device link removal
serial: tegra: Fix a mask operation that is always true
serial: sh-sci: Fix off-by-one error in FIFO threshold register setting
serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait'
USB: serial: ti_usb_3410_5052: add startech.com device id
USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011
USB: serial: ftdi_sio: add IDs for IDS GmbH Products
USB: serial: pl2303: add device id for ADLINK ND-6530 GC
thermal/drivers/intel: Initialize RW trip to THERMAL_TEMP_INVALID
usb: dwc3: gadget: Properly track pending and queued SG
usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen()
usb: typec: mux: Fix matching with typec_altmode_desc
net: usb: fix memory leak in smsc75xx_bind
Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails
fs/nfs: Use fatal_signal_pending instead of signal_pending
NFS: fix an incorrect limit in filelayout_decode_layout()
NFS: Fix an Oopsable condition in __nfs_pageio_add_request()
NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce()
NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config
drm/meson: fix shutdown crash when component not probed
net/mlx5e: reset XPS on error flow if netdev isn't registered yet
net/mlx5e: Fix multipath lag activation
net/mlx5e: Fix error path of updating netdev queues
{net,vdpa}/mlx5: Configure interface MAC into mpfs L2 table
net/mlx5e: Fix nullptr in add_vlan_push_action()
net/mlx5: Set reformat action when needed for termination rules
net/mlx5e: Fix null deref accessing lag dev
net/mlx4: Fix EEPROM dump support
net/mlx5: Set term table as an unmanaged flow table
SUNRPC in case of backlog, hand free slots directly to waiting task
Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv"
tipc: wait and exit until all work queues are done
tipc: skb_linearize the head skb when reassembling msgs
spi: spi-fsl-dspi: Fix a resource leak in an error handling path
netfilter: flowtable: Remove redundant hw refresh bit
net: dsa: mt7530: fix VLAN traffic leaks
net: dsa: fix a crash if ->get_sset_count() fails
net: dsa: sja1105: update existing VLANs from the bridge VLAN list
net: dsa: sja1105: use 4095 as the private VLAN for untagged traffic
net: dsa: sja1105: error out on unsupported PHY mode
net: dsa: sja1105: add error handling in sja1105_setup()
net: dsa: sja1105: call dsa_unregister_switch when allocating memory fails
net: dsa: sja1105: fix VL lookup command packing for P/Q/R/S
i2c: s3c2410: fix possible NULL pointer deref on read message after write
i2c: mediatek: Disable i2c start_en and clear intr_stat brfore reset
i2c: i801: Don't generate an interrupt on bus reset
i2c: sh_mobile: Use new clock calculation formulas for RZ/G2E
afs: Fix the nlink handling of dir-over-dir rename
perf jevents: Fix getting maximum number of fds
nvmet-tcp: fix inline data size comparison in nvmet_tcp_queue_response
mptcp: avoid error message on infinite mapping
mptcp: drop unconditional pr_warn on bad opt
mptcp: fix data stream corruption
platform/x86: hp_accel: Avoid invoking _INI to speed up resume
gpio: cadence: Add missing MODULE_DEVICE_TABLE
Revert "crypto: cavium/nitrox - add an error message to explain the failure of pci_request_mem_regions"
Revert "media: usb: gspca: add a missed check for goto_low_power"
Revert "ALSA: sb: fix a missing check of snd_ctl_add"
Revert "serial: max310x: pass return value of spi_register_driver"
serial: max310x: unregister uart driver in case of failure and abort
Revert "net: fujitsu: fix a potential NULL pointer dereference"
net: fujitsu: fix potential null-ptr-deref
Revert "net/smc: fix a NULL pointer dereference"
net/smc: properly handle workqueue allocation failure
Revert "net: caif: replace BUG_ON with recovery code"
net: caif: remove BUG_ON(dev == NULL) in caif_xmit
Revert "char: hpet: fix a missing check of ioremap"
char: hpet: add checks after calling ioremap
Revert "ALSA: gus: add a check of the status of snd_ctl_add"
Revert "ALSA: usx2y: Fix potential NULL pointer dereference"
Revert "isdn: mISDNinfineon: fix potential NULL pointer dereference"
isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io
Revert "ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd()"
ath6kl: return error code in ath6kl_wmi_set_roam_lrssi_cmd()
Revert "isdn: mISDN: Fix potential NULL pointer dereference of kzalloc"
isdn: mISDN: correctly handle ph_info allocation failure in hfcsusb_ph_info
Revert "dmaengine: qcom_hidma: Check for driver register failure"
dmaengine: qcom_hidma: comment platform_driver_register call
Revert "libertas: add checks for the return value of sysfs_create_group"
libertas: register sysfs groups properly
Revert "ASoC: cs43130: fix a NULL pointer dereference"
ASoC: cs43130: handle errors in cs43130_probe() properly
Revert "media: dvb: Add check on sp8870_readreg"
media: dvb: Add check on sp8870_readreg return
Revert "media: gspca: mt9m111: Check write_bridge for timeout"
media: gspca: mt9m111: Check write_bridge for timeout
Revert "media: gspca: Check the return value of write_bridge for timeout"
media: gspca: properly check for errors in po1030_probe()
Revert "net: liquidio: fix a NULL pointer dereference"
net: liquidio: Add missing null pointer checks
Revert "brcmfmac: add a check for the status of usb_register"
brcmfmac: properly check for bus register errors
btrfs: return whole extents in fiemap
scsi: ufs: ufs-mediatek: Fix power down spec violation
scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic
openrisc: Define memory barrier mb
scsi: pm80xx: Fix drives missing during rmmod/insmod loop
btrfs: release path before starting transaction when cloning inline extent
btrfs: do not BUG_ON in link_to_fixup_dir
platform/x86: hp-wireless: add AMD's hardware id to the supported list
platform/x86: intel_punit_ipc: Append MODULE_DEVICE_TABLE for ACPI
platform/x86: touchscreen_dmi: Add info for the Mediacom Winpad 7.0 W700 tablet
SMB3: incorrect file id in requests compounded with open
drm/amd/display: Disconnect non-DP with no EDID
drm/amd/amdgpu: fix refcount leak
drm/amdgpu: Fix a use-after-free
drm/amd/amdgpu: fix a potential deadlock in gpu reset
drm/amdgpu: stop touching sched.ready in the backend
platform/x86: touchscreen_dmi: Add info for the Chuwi Hi10 Pro (CWI529) tablet
block: fix a race between del_gendisk and BLKRRPART
linux/bits.h: fix compilation error with GENMASK
net: netcp: Fix an error message
net: dsa: fix error code getting shifted with 4 in dsa_slave_get_sset_count
interconnect: qcom: bcm-voter: add a missing of_node_put()
interconnect: qcom: Add missing MODULE_DEVICE_TABLE
ASoC: cs42l42: Regmap must use_single_read/write
net: stmmac: Fix MAC WoL not working if PHY does not support WoL
net: ipa: memory region array is variable size
vfio-ccw: Check initialized flag in cp_init()
spi: Assume GPIO CS active high in ACPI case
net: really orphan skbs tied to closing sk
net: packetmmap: fix only tx timestamp on request
net: fec: fix the potential memory leak in fec_enet_init()
chelsio/chtls: unlock on error in chtls_pt_recvmsg()
net: mdio: thunder: Fix a double free issue in the .remove function
net: mdio: octeon: Fix some double free issues
cxgb4/ch_ktls: Clear resources when pf4 device is removed
openvswitch: meter: fix race when getting now_ms.
tls splice: check SPLICE_F_NONBLOCK instead of MSG_DONTWAIT
net: sched: fix packet stuck problem for lockless qdisc
net: sched: fix tx action rescheduling issue during deactivation
net: sched: fix tx action reschedule issue with stopped queue
net: hso: check for allocation failure in hso_create_bulk_serial_device()
net: bnx2: Fix error return code in bnx2_init_board()
bnxt_en: Include new P5 HV definition in VF check.
bnxt_en: Fix context memory setup for 64K page size.
mld: fix panic in mld_newpack()
net/smc: remove device from smcd_dev_list after failed device_add()
gve: Check TX QPL was actually assigned
gve: Update mgmt_msix_idx if num_ntfy changes
gve: Add NULL pointer checks when freeing irqs.
gve: Upgrade memory barrier in poll routine
gve: Correct SKB queue index validation.
iommu/virtio: Add missing MODULE_DEVICE_TABLE
net: hns3: fix incorrect resp_msg issue
net: hns3: put off calling register_netdev() until client initialize complete
iommu/vt-d: Use user privilege for RID2PASID translation
cxgb4: avoid accessing registers when clearing filters
staging: emxx_udc: fix loop in _nbu2ss_nuke()
ASoC: cs35l33: fix an error code in probe()
bpf, offload: Reorder offload callback 'prepare' in verifier
bpf: Set mac_len in bpf_skb_change_head
ixgbe: fix large MTU request from VF
ASoC: qcom: lpass-cpu: Use optional clk APIs
scsi: libsas: Use _safe() loop in sas_resume_port()
net: lantiq: fix memory corruption in RX ring
ipv6: record frag_max_size in atomic fragments in input path
ALSA: usb-audio: scarlett2: snd_scarlett_gen2_controls_create() can be static
net: ethernet: mtk_eth_soc: Fix packet statistics support for MT7628/88
sch_dsmark: fix a NULL deref in qdisc_reset()
net: hsr: fix mac_len checks
MIPS: alchemy: xxs1500: add gpio-au1000.h header file
MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c
net: zero-initialize tc skb extension on allocation
net: mvpp2: add buffer header handling in RX
i915: fix build warning in intel_dp_get_link_status()
samples/bpf: Consider frame size in tx_only of xdpsock sample
net: hns3: check the return of skb_checksum_help()
bpftool: Add sock_release help info for cgroup attach/prog load command
SUNRPC: More fixes for backlog congestion
Revert "Revert "ALSA: usx2y: Fix potential NULL pointer dereference""
net: hso: bail out on interrupt URB allocation failure
scripts/clang-tools: switch explicitly to Python 3
neighbour: Prevent Race condition in neighbour subsytem
usb: core: reduce power-on-good delay time of root hub
Linux 5.10.42
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I05d98d1355a080e0951b4b2ae77f0a9ccb6dfc5d
|
||
|
Yinjun Zhang
|
24cb8bb7f6 |
bpf, offload: Reorder offload callback 'prepare' in verifier
[ Upstream commit ceb11679d9fcf3fdb358a310a38760fcbe9b63ed ] Commit |
||
|
Greg Kroah-Hartman
|
12b1e5746c |
Merge 5.10.41 into android12-5.10
Changes in 5.10.41 bpf: Wrap aux data inside bpf_sanitize_info container bpf: Fix mask direction swap upon off reg sign change bpf: No need to simulate speculative domain for immediates context_tracking: Move guest exit context tracking to separate helpers context_tracking: Move guest exit vtime accounting to separate helpers KVM: x86: Defer vtime accounting 'til after IRQ handling perf unwind: Fix separate debug info files when using elfutils' libdw's unwinder perf unwind: Set userdata for all __report_module() paths NFC: nci: fix memory leak in nci_allocate_device Linux 5.10.41 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ie9f14d4b9960fb923eb01303517012fe6274d5ef |
||
|
Daniel Borkmann
|
27acfd11ba |
bpf: No need to simulate speculative domain for immediates
commit a7036191277f9fa68d92f2071ddc38c09b1e5ee5 upstream.
In 801c6058d14a ("bpf: Fix leakage of uninitialized bpf stack under
speculation") we replaced masking logic with direct loads of immediates
if the register is a known constant. Given in this case we do not apply
any masking, there is also no reason for the operation to be truncated
under the speculative domain.
Therefore, there is also zero reason for the verifier to branch-off and
simulate this case, it only needs to do it for unknown but bounded scalars.
As a side-effect, this also enables few test cases that were previously
rejected due to simulation under zero truncation.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Daniel Borkmann
|
c87ef240a8 |
bpf: Fix mask direction swap upon off reg sign change
commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream.
Masking direction as indicated via mask_to_left is considered to be
calculated once and then used to derive pointer limits. Thus, this
needs to be placed into bpf_sanitize_info instead so we can pass it
to sanitize_ptr_alu() call after the pointer move. Piotr noticed a
corner case where the off reg causes masking direction change which
then results in an incorrect final aux->alu_limit.
Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
Reported-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Daniel Borkmann
|
4e2c7b2974 |
bpf: Wrap aux data inside bpf_sanitize_info container
commit 3d0220f6861d713213b015b582e9f21e5b28d2e0 upstream. Add a container structure struct bpf_sanitize_info which holds the current aux info, and update call-sites to sanitize_ptr_alu() to pass it in. This is needed for passing in additional state later on. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
e054456ced |
Merge 5.10.37 into android12-5.10
Changes in 5.10.37
Bluetooth: verify AMP hci_chan before amp_destroy
bluetooth: eliminate the potential race condition when removing the HCI controller
net/nfc: fix use-after-free llcp_sock_bind/connect
io_uring: truncate lengths larger than MAX_RW_COUNT on provide buffers
Revert "USB: cdc-acm: fix rounding error in TIOCSSERIAL"
usb: roles: Call try_module_get() from usb_role_switch_find_by_fwnode()
tty: moxa: fix TIOCSSERIAL jiffies conversions
tty: amiserial: fix TIOCSSERIAL permission check
USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions
staging: greybus: uart: fix TIOCSSERIAL jiffies conversions
USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check
staging: fwserial: fix TIOCSSERIAL jiffies conversions
tty: moxa: fix TIOCSSERIAL permission check
staging: fwserial: fix TIOCSSERIAL permission check
drm: bridge: fix LONTIUM use of mipi_dsi_() functions
usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply
usb: typec: tcpm: Address incorrect values of tcpm psy for pps supply
usb: typec: tcpm: update power supply once partner accepts
usb: xhci-mtk: remove or operator for setting schedule parameters
usb: xhci-mtk: improve bandwidth scheduling with TT
ASoC: samsung: tm2_wm5110: check of of_parse return value
ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function
ASoC: tlv320aic32x4: Register clocks before registering component
ASoC: tlv320aic32x4: Increase maximum register in regmap
MIPS: pci-mt7620: fix PLL lock check
MIPS: pci-rt2880: fix slot 0 configuration
FDDI: defxx: Bail out gracefully with unassigned PCI resource for CSR
PCI: Allow VPD access for QLogic ISP2722
KVM: x86: Defer the MMU unload to the normal path on an global INVPCID
PCI: xgene: Fix cfg resource mapping
PCI: keystone: Let AM65 use the pci_ops defined in pcie-designware-host.c
PM / devfreq: Unlock mutex and free devfreq struct in error path
soc/tegra: regulators: Fix locking up when voltage-spread is out of range
iio: inv_mpu6050: Fully validate gyro and accel scale writes
iio:accel:adis16201: Fix wrong axis assignment that prevents loading
iio:adc:ad7476: Fix remove handling
sc16is7xx: Defer probe if device read fails
phy: cadence: Sierra: Fix PHY power_on sequence
misc: lis3lv02d: Fix false-positive WARN on various HP models
phy: ti: j721e-wiz: Invoke wiz_init() before of_platform_device_create()
misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct
misc: vmw_vmci: explicitly initialize vmci_datagram payload
selinux: add proper NULL termination to the secclass_map permissions
x86, sched: Treat Intel SNC topology as default, COD as exception
async_xor: increase src_offs when dropping destination page
md/bitmap: wait for external bitmap writes to complete during tear down
md-cluster: fix use-after-free issue when removing rdev
md: split mddev_find
md: factor out a mddev_find_locked helper from mddev_find
md: md_open returns -EBUSY when entering racing area
md: Fix missing unused status line of /proc/mdstat
mt76: mt7615: use ieee80211_free_txskb() in mt7615_tx_token_put()
ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
cfg80211: scan: drop entry from hidden_list on overflow
rtw88: Fix array overrun in rtw_get_tx_power_params()
mt76: fix potential DMA mapping leak
FDDI: defxx: Make MMIO the configuration default except for EISA
drm/i915/gvt: Fix virtual display setup for BXT/APL
drm/i915/gvt: Fix vfio_edid issue for BXT/APL
drm/qxl: use ttm bo priorities
drm/panfrost: Clear MMU irqs before handling the fault
drm/panfrost: Don't try to map pages that are already mapped
drm/radeon: fix copy of uninitialized variable back to userspace
drm/dp_mst: Revise broadcast msg lct & lcr
drm/dp_mst: Set CLEAR_PAYLOAD_ID_TABLE as broadcast
drm: bridge/panel: Cleanup connector on bridge detach
drm/amd/display: Reject non-zero src_y and src_x for video planes
drm/amdgpu: fix concurrent VM flushes on Vega/Navi v2
ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries
ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries
ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries
ALSA: hda/realtek: Re-order ALC269 HP quirk table entries
ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries
ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries
ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries
ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries
ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries
ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries
ALSA: hda/realtek: Re-order ALC662 quirk table entries
ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices
ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable
ALSA: hda/realtek: Fix speaker amp on HP Envy AiO 32
KVM: s390: VSIE: correctly handle MVPG when in VSIE
KVM: s390: split kvm_s390_logical_to_effective
KVM: s390: fix guarded storage control register handling
s390: fix detection of vector enhancements facility 1 vs. vector packed decimal facility
KVM: s390: VSIE: fix MVPG handling for prefixing and MSO
KVM: s390: split kvm_s390_real_to_abs
KVM: s390: extend kvm_s390_shadow_fault to return entry pointer
KVM: x86/mmu: Alloc page for PDPTEs when shadowing 32-bit NPT with 64-bit
KVM: x86: Remove emulator's broken checks on CR0/CR3/CR4 loads
KVM: nSVM: Set the shadow root level to the TDP level for nested NPT
KVM: SVM: Don't strip the C-bit from CR2 on #PF interception
KVM: SVM: Do not allow SEV/SEV-ES initialization after vCPUs are created
KVM: SVM: Inject #GP on guest MSR_TSC_AUX accesses if RDTSCP unsupported
KVM: nVMX: Defer the MMU reload to the normal path on an EPTP switch
KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit
KVM: nVMX: Truncate base/index GPR value on address calc in !64-bit
KVM: arm/arm64: Fix KVM_VGIC_V3_ADDR_TYPE_REDIST read
KVM: Destroy I/O bus devices on unregister failure _after_ sync'ing SRCU
KVM: Stop looking for coalesced MMIO zones if the bus is destroyed
KVM: arm64: Fully zero the vcpu state on reset
KVM: arm64: Fix KVM_VGIC_V3_ADDR_TYPE_REDIST_REGION read
Revert "drivers/net/wan/hdlc_fr: Fix a double free in pvc_xmit"
Revert "i3c master: fix missing destroy_workqueue() on error in i3c_master_register"
ovl: fix missing revert_creds() on error path
Revert "drm/qxl: do not run release if qxl failed to init"
usb: gadget: pch_udc: Revert
|
||
|
Andrii Nakryiko
|
00d9f429af |
bpf: Prevent writable memory-mapping of read-only ringbuf pages
commit 04ea3086c4d73da7009de1e84962a904139af219 upstream.
Only the very first page of BPF ringbuf that contains consumer position
counter is supposed to be mapped as writeable by user-space. Producer
position is read-only and can be modified only by the kernel code. BPF ringbuf
data pages are read-only as well and are not meant to be modified by
user-code to maintain integrity of per-record headers.
This patch allows to map only consumer position page as writeable and
everything else is restricted to be read-only. remap_vmalloc_range()
internally adds VM_DONTEXPAND, so all the established memory mappings can't be
extended, which prevents any future violations through mremap()'ing.
Fixes:
|
||
|
Thadeu Lima de Souza Cascardo
|
1ca284f086 |
bpf, ringbuf: Deny reserve of buffers larger than ringbuf
commit 4b81ccebaeee885ab1aa1438133f2991e3a2b6ea upstream.
A BPF program might try to reserve a buffer larger than the ringbuf size.
If the consumer pointer is way ahead of the producer, that would be
successfully reserved, allowing the BPF program to read or write out of
the ringbuf allocated area.
Reported-by: Ryota Shiga (Flatt Security)
Fixes:
|
||
|
Daniel Borkmann
|
282bfc8848 |
bpf: Fix alu32 const subreg bound tracking on bitwise operations
commit 049c4e13714ecbca567b4d5f6d563f05d431c80e upstream.
Fix a bug in the verifier's scalar32_min_max_*() functions which leads to
incorrect tracking of 32 bit bounds for the simulation of and/or/xor bitops.
When both the src & dst subreg is a known constant, then the assumption is
that scalar_min_max_*() will take care to update bounds correctly. However,
this is not the case, for example, consider a register R2 which has a tnum
of 0xffffffff00000000, meaning, lower 32 bits are known constant and in this
case of value 0x00000001. R2 is then and'ed with a register R3 which is a
64 bit known constant, here, 0x100000002.
What can be seen in line '10:' is that 32 bit bounds reach an invalid state
where {u,s}32_min_value > {u,s}32_max_value. The reason is scalar32_min_max_*()
delegates 32 bit bounds updates to scalar_min_max_*(), however, that really
only takes place when both the 64 bit src & dst register is a known constant.
Given scalar32_min_max_*() is intended to be designed as closely as possible
to scalar_min_max_*(), update the 32 bit bounds in this situation through
__mark_reg32_known() which will set all {u,s}32_{min,max}_value to the correct
constant, which is 0x00000000 after the fix (given 0x00000001 & 0x00000002 in
32 bit space). This is possible given var32_off already holds the final value
as dst_reg->var_off is updated before calling scalar32_min_max_*().
Before fix, invalid tracking of R2:
[...]
9: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=-9223372036854775807 (0x8000000000000001),smax_value=9223372032559808513 (0x7fffffff00000001),umin_value=1,umax_value=0xffffffff00000001,var_off=(0x1; 0xffffffff00000000),s32_min_value=1,s32_max_value=1,u32_min_value=1,u32_max_value=1) R3_w=inv4294967298 R10=fp0
9: (5f) r2 &= r3
10: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=0,smax_value=4294967296 (0x100000000),umin_value=0,umax_value=0x100000000,var_off=(0x0; 0x100000000),s32_min_value=1,s32_max_value=0,u32_min_value=1,u32_max_value=0) R3_w=inv4294967298 R10=fp0
[...]
After fix, correct tracking of R2:
[...]
9: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=-9223372036854775807 (0x8000000000000001),smax_value=9223372032559808513 (0x7fffffff00000001),umin_value=1,umax_value=0xffffffff00000001,var_off=(0x1; 0xffffffff00000000),s32_min_value=1,s32_max_value=1,u32_min_value=1,u32_max_value=1) R3_w=inv4294967298 R10=fp0
9: (5f) r2 &= r3
10: R0_w=inv1337 R1=ctx(id=0,off=0,imm=0) R2_w=inv(id=0,smin_value=0,smax_value=4294967296 (0x100000000),umin_value=0,umax_value=0x100000000,var_off=(0x0; 0x100000000),s32_min_value=0,s32_max_value=0,u32_min_value=0,u32_max_value=0) R3_w=inv4294967298 R10=fp0
[...]
Fixes:
|
||
|
Daniel Borkmann
|
4394be0a18 |
bpf: Fix propagation of 32 bit unsigned bounds from 64 bit bounds
[ Upstream commit 10bf4e83167cc68595b85fd73bb91e8f2c086e36 ] Similarly as |
||
|
Greg Kroah-Hartman
|
bfac7b85a0 |
Merge 5.10.35 into android12-5.10
Changes in 5.10.35 mips: Do not include hi and lo in clobber list for R6 netfilter: conntrack: Make global sysctls readonly in non-init netns net: usb: ax88179_178a: initialize local variables before use igb: Enable RSS for Intel I211 Ethernet Controller bpf: Fix masking negation logic upon negative dst register bpf: Fix leakage of uninitialized bpf stack under speculation net: qrtr: Avoid potential use after free in MHI send perf data: Fix error return code in perf_data__create_dir() capabilities: require CAP_SETFCAP to map uid 0 perf ftrace: Fix access to pid in array when setting a pid filter tools/cgroup/slabinfo.py: updated to work on current kernel driver core: add a min_align_mask field to struct device_dma_parameters swiotlb: add a IO_TLB_SIZE define swiotlb: factor out an io_tlb_offset helper swiotlb: factor out a nr_slots helper swiotlb: clean up swiotlb_tbl_unmap_single swiotlb: refactor swiotlb_tbl_map_single swiotlb: don't modify orig_addr in swiotlb_tbl_sync_single swiotlb: respect min_align_mask nvme-pci: set min_align_mask ovl: fix leaked dentry ovl: allow upperdir inside lowerdir ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet USB: Add reset-resume quirk for WD19's Realtek Hub platform/x86: thinkpad_acpi: Correct thermal sensor allocation perf/core: Fix unconditional security_locked_down() call vfio: Depend on MMU Linux 5.10.35 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iff7d5abe7b821f453bbe4d9dad94dfd35fe0a082 |
||
|
Daniel Borkmann
|
2fa15d61e4 |
bpf: Fix leakage of uninitialized bpf stack under speculation
commit 801c6058d14a82179a7ee17a4b532cac6fad067f upstream.
The current implemented mechanisms to mitigate data disclosure under
speculation mainly address stack and map value oob access from the
speculative domain. However, Piotr discovered that uninitialized BPF
stack is not protected yet, and thus old data from the kernel stack,
potentially including addresses of kernel structures, could still be
extracted from that 512 bytes large window. The BPF stack is special
compared to map values since it's not zero initialized for every
program invocation, whereas map values /are/ zero initialized upon
their initial allocation and thus cannot leak any prior data in either
domain. In the non-speculative domain, the verifier ensures that every
stack slot read must have a prior stack slot write by the BPF program
to avoid such data leaking issue.
However, this is not enough: for example, when the pointer arithmetic
operation moves the stack pointer from the last valid stack offset to
the first valid offset, the sanitation logic allows for any intermediate
offsets during speculative execution, which could then be used to
extract any restricted stack content via side-channel.
Given for unprivileged stack pointer arithmetic the use of unknown
but bounded scalars is generally forbidden, we can simply turn the
register-based arithmetic operation into an immediate-based arithmetic
operation without the need for masking. This also gives the benefit
of reducing the needed instructions for the operation. Given after
the work in 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic
mask"), the aux->alu_limit already holds the final immediate value for
the offset register with the known scalar. Thus, a simple mov of the
immediate to AX register with using AX as the source for the original
instruction is sufficient and possible now in this case.
Reported-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Piotr Krysiuk <piotras@gmail.com>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Daniel Borkmann
|
2cfa537674 |
bpf: Fix masking negation logic upon negative dst register
commit b9b34ddbe2076ade359cd5ce7537d5ed019e9807 upstream.
The negation logic for the case where the off_reg is sitting in the
dst register is not correct given then we cannot just invert the add
to a sub or vice versa. As a fix, perform the final bitwise and-op
unconditionally into AX from the off_reg, then move the pointer from
the src to dst and finally use AX as the source for the original
pointer arithmetic operation such that the inversion yields a correct
result. The single non-AX mov in between is possible given constant
blinding is retaining it as it's not an immediate based operation.
Fixes:
|
||
|
Greg Kroah-Hartman
|
0907114be2 |
Merge 5.10.33 into android12-5.10
Changes in 5.10.33 vhost-vdpa: protect concurrent access to vhost device iotlb gpio: omap: Save and restore sysconfig KEYS: trusted: Fix TPM reservation for seal/unseal vdpa/mlx5: Set err = -ENOMEM in case dma_map_sg_attrs fails pinctrl: lewisburg: Update number of pins in community block: return -EBUSY when there are open partitions in blkdev_reread_part pinctrl: core: Show pin numbers for the controllers with base = 0 arm64: dts: allwinner: Revert SD card CD GPIO for Pine64-LTS bpf: Permits pointers on stack for helper calls bpf: Allow variable-offset stack access bpf: Refactor and streamline bounds check into helper bpf: Tighten speculative pointer arithmetic mask locking/qrwlock: Fix ordering in queued_write_lock_slowpath() perf/x86/intel/uncore: Remove uncore extra PCI dev HSWEP_PCI_PCU_3 perf/x86/kvm: Fix Broadwell Xeon stepping in isolation_ucodes[] perf auxtrace: Fix potential NULL pointer dereference perf map: Fix error return code in maps__clone() HID: google: add don USB id HID: alps: fix error return code in alps_input_configured() HID cp2112: fix support for multiple gpiochips HID: wacom: Assign boolean values to a bool variable soc: qcom: geni: shield geni_icc_get() for ACPI boot dmaengine: xilinx: dpdma: Fix descriptor issuing on video group dmaengine: xilinx: dpdma: Fix race condition in done IRQ ARM: dts: Fix swapped mmc order for omap3 net: geneve: check skb is large enough for IPv4/IPv6 header dmaengine: tegra20: Fix runtime PM imbalance on error s390/entry: save the caller of psw_idle arm64: kprobes: Restore local irqflag if kprobes is cancelled xen-netback: Check for hotplug-status existence before watching cavium/liquidio: Fix duplicate argument kasan: fix hwasan build for gcc csky: change a Kconfig symbol name to fix e1000 build error ia64: fix discontig.c section mismatches ia64: tools: remove duplicate definition of ia64_mf() on ia64 x86/crash: Fix crash_setup_memmap_entries() out-of-bounds access net: hso: fix NULL-deref on disconnect regression USB: CDC-ACM: fix poison/unpoison imbalance Linux 5.10.33 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I638db3c919ad938eaaaac3d687175252edcd7990 |
||
|
Daniel Borkmann
|
b642e493a9 |
bpf: Tighten speculative pointer arithmetic mask
[ Upstream commit 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 ] This work tightens the offset mask we use for unprivileged pointer arithmetic in order to mitigate a corner case reported by Piotr and Benedict where in the speculative domain it is possible to advance, for example, the map value pointer by up to value_size-1 out-of-bounds in order to leak kernel memory via side-channel to user space. Before this change, the computed ptr_limit for retrieve_ptr_limit() helper represents largest valid distance when moving pointer to the right or left which is then fed as aux->alu_limit to generate masking instructions against the offset register. After the change, the derived aux->alu_limit represents the largest potential value of the offset register which we mask against which is just a narrower subset of the former limit. For minimal complexity, we call sanitize_ptr_alu() from 2 observation points in adjust_ptr_min_max_vals(), that is, before and after the simulated alu operation. In the first step, we retieve the alu_state and alu_limit before the operation as well as we branch-off a verifier path and push it to the verification stack as we did before which checks the dst_reg under truncation, in other words, when the speculative domain would attempt to move the pointer out-of-bounds. In the second step, we retrieve the new alu_limit and calculate the absolute distance between both. Moreover, we commit the alu_state and final alu_limit via update_alu_sanitation_state() to the env's instruction aux data, and bail out from there if there is a mismatch due to coming from different verification paths with different states. Reported-by: Piotr Krysiuk <piotras@gmail.com> Reported-by: Benedict Schlueter <benedict.schlueter@rub.de> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Tested-by: Benedict Schlueter <benedict.schlueter@rub.de> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Daniel Borkmann
|
2982ea926b |
bpf: Refactor and streamline bounds check into helper
[ Upstream commit 073815b756c51ba9d8384d924c5d1c03ca3d1ae4 ] Move the bounds check in adjust_ptr_min_max_vals() into a small helper named sanitize_check_bounds() in order to simplify the former a bit. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Andrei Matei
|
f3c4b01689 |
bpf: Allow variable-offset stack access
[ Upstream commit 01f810ace9ed37255f27608a0864abebccf0aab3 ] Before this patch, variable offset access to the stack was dissalowed for regular instructions, but was allowed for "indirect" accesses (i.e. helpers). This patch removes the restriction, allowing reading and writing to the stack through stack pointers with variable offsets. This makes stack-allocated buffers more usable in programs, and brings stack pointers closer to other types of pointers. The motivation is being able to use stack-allocated buffers for data manipulation. When the stack size limit is sufficient, allocating buffers on the stack is simpler than per-cpu arrays, or other alternatives. In unpriviledged programs, variable-offset reads and writes are disallowed (they were already disallowed for the indirect access case) because the speculative execution checking code doesn't support them. Additionally, when writing through a variable-offset stack pointer, if any pointers are in the accessible range, there's possilibities of later leaking pointers because the write cannot be tracked precisely. Writes with variable offset mark the whole range as initialized, even though we don't know which stack slots are actually written. This is in order to not reject future reads to these slots. Note that this doesn't affect writes done through helpers; like before, helpers need the whole stack range to be initialized to begin with. All the stack slots are in range are considered scalars after the write; variable-offset register spills are not tracked. For reads, all the stack slots in the variable range needs to be initialized (but see above about what writes do), otherwise the read is rejected. All register spilled in stack slots that might be read are marked as having been read, however reads through such pointers don't do register filling; the target register will always be either a scalar or a constant zero. Signed-off-by: Andrei Matei <andreimatei1@gmail.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20210207011027.676572-2-andreimatei1@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Yonghong Song
|
f79efcb007 |
bpf: Permits pointers on stack for helper calls
[ Upstream commit cd17d38f8b28f808c368121041c0a4fa91757e0d ]
Currently, when checking stack memory accessed by helper calls,
for spills, only PTR_TO_BTF_ID and SCALAR_VALUE are
allowed.
Song discovered an issue where the below bpf program
int dump_task(struct bpf_iter__task *ctx)
{
struct seq_file *seq = ctx->meta->seq;
static char[] info = "abc";
BPF_SEQ_PRINTF(seq, "%s\n", info);
return 0;
}
may cause a verifier failure.
The verifier output looks like:
; struct seq_file *seq = ctx->meta->seq;
1: (79) r1 = *(u64 *)(r1 +0)
; BPF_SEQ_PRINTF(seq, "%s\n", info);
2: (18) r2 = 0xffff9054400f6000
4: (7b) *(u64 *)(r10 -8) = r2
5: (bf) r4 = r10
;
6: (07) r4 += -8
; BPF_SEQ_PRINTF(seq, "%s\n", info);
7: (18) r2 = 0xffff9054400fe000
9: (b4) w3 = 4
10: (b4) w5 = 8
11: (85) call bpf_seq_printf#126
R1_w=ptr_seq_file(id=0,off=0,imm=0) R2_w=map_value(id=0,off=0,ks=4,vs=4,imm=0)
R3_w=inv4 R4_w=fp-8 R5_w=inv8 R10=fp0 fp-8_w=map_value
last_idx 11 first_idx 0
regs=8 stack=0 before 10: (b4) w5 = 8
regs=8 stack=0 before 9: (b4) w3 = 4
invalid indirect read from stack off -8+0 size 8
Basically, the verifier complains the map_value pointer at "fp-8" location.
To fix the issue, if env->allow_ptr_leaks is true, let us also permit
pointers on the stack to be accessible by the helper.
Reported-by: Song Liu <songliubraving@fb.com>
Suggested-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Song Liu <songliubraving@fb.com>
Link: https://lore.kernel.org/bpf/20201210013349.943719-1-yhs@fb.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
32b16a3a3f |
Merge 5.10.32 into android12-5.10
Changes in 5.10.32
net/sctp: fix race condition in sctp_destroy_sock
mtd: rawnand: mtk: Fix WAITRDY break condition and timeout
Input: nspire-keypad - enable interrupts only when opened
gpio: sysfs: Obey valid_mask
dmaengine: idxd: Fix clobbering of SWERR overflow bit on writeback
dmaengine: idxd: fix delta_rec and crc size field for completion record
dmaengine: idxd: fix opcap sysfs attribute output
dmaengine: idxd: fix wq size store permission state
dmaengine: dw: Make it dependent to HAS_IOMEM
dmaengine: Fix a double free in dma_async_device_register
dmaengine: plx_dma: add a missing put_device() on error path
dmaengine: idxd: fix wq cleanup of WQCFG registers
ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade()
ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race
ARM: dts: Fix moving mmc devices with aliases for omap4 & 5
lockdep: Add a missing initialization hint to the "INFO: Trying to register non-static key" message
arc: kernel: Return -EFAULT if copy_to_user() fails
iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd()
xfrm: BEET mode doesn't support fragments for inner packets
ASoC: max98373: Changed amp shutdown register as volatile
ASoC: max98373: Added 30ms turn on/off time delay
gpu/xen: Fix a use after free in xen_drm_drv_init
neighbour: Disregard DEAD dst in neigh_update
ARM: keystone: fix integer overflow warning
ARM: omap1: fix building with clang IAS
drm/msm: Fix a5xx/a6xx timestamps
ASoC: fsl_esai: Fix TDM slot setup for I2S mode
scsi: scsi_transport_srp: Don't block target in SRP_PORT_LOST state
iwlwifi: add support for Qu with AX201 device
net: ieee802154: stop dump llsec keys for monitors
net: ieee802154: forbid monitor for add llsec key
net: ieee802154: forbid monitor for del llsec key
net: ieee802154: stop dump llsec devs for monitors
net: ieee802154: forbid monitor for add llsec dev
net: ieee802154: forbid monitor for del llsec dev
net: ieee802154: stop dump llsec devkeys for monitors
net: ieee802154: forbid monitor for add llsec devkey
net: ieee802154: forbid monitor for del llsec devkey
net: ieee802154: stop dump llsec seclevels for monitors
net: ieee802154: forbid monitor for add llsec seclevel
pcnet32: Use pci_resource_len to validate PCI resource
mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN
virt_wifi: Return micros for BSS TSF values
lib: fix kconfig dependency on ARCH_WANT_FRAME_POINTERS
Input: s6sy761 - fix coordinate read bit shift
Input: i8042 - fix Pegatron C15B ID entry
HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices
dm verity fec: fix misaligned RS roots IO
readdir: make sure to verify directory entry for legacy interfaces too
arm64: fix inline asm in load_unaligned_zeropad()
arm64: alternatives: Move length validation in alternative_{insn, endif}
vfio/pci: Add missing range check in vfio_pci_mmap
riscv: Fix spelling mistake "SPARSEMEM" to "SPARSMEM"
scsi: libsas: Reset num_scatter if libata marks qc as NODATA
ixgbe: fix unbalanced device enable/disable in suspend/resume
netfilter: flowtable: fix NAT IPv6 offload mangling
netfilter: conntrack: do not print icmpv6 as unknown via /proc
ice: Fix potential infinite loop when using u8 loop counter
libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC
netfilter: bridge: add pre_exit hooks for ebtable unregistration
netfilter: arp_tables: add pre_exit hook for table unregister
libbpf: Fix potential NULL pointer dereference
net: macb: fix the restore of cmp registers
net/mlx5e: fix ingress_ifindex check in mlx5e_flower_parse_meta
netfilter: nft_limit: avoid possible divide error in nft_limit_init
net/mlx5e: Fix setting of RS FEC mode
net: davicom: Fix regulator not turned off on failed probe
net: sit: Unregister catch-all devices
net: ip6_tunnel: Unregister catch-all devices
mm: ptdump: fix build failure
net: Make tcp_allowed_congestion_control readonly in non-init netns
i40e: fix the panic when running bpf in xdpdrv mode
ethtool: pause: make sure we init driver stats
ia64: remove duplicate entries in generic_defconfig
ia64: tools: remove inclusion of ia64-specific version of errno.h header
ibmvnic: avoid calling napi_disable() twice
ibmvnic: remove duplicate napi_schedule call in do_reset function
ibmvnic: remove duplicate napi_schedule call in open function
ch_ktls: Fix kernel panic
ch_ktls: fix device connection close
ch_ktls: tcb close causes tls connection failure
ch_ktls: do not send snd_una update to TCB in middle
gro: ensure frag0 meets IP header alignment
ARM: OMAP2+: Fix warning for omap_init_time_of()
ARM: 9069/1: NOMMU: Fix conversion for_each_membock() to for_each_mem_range()
ARM: footbridge: fix PCI interrupt mapping
ARM: OMAP2+: Fix uninitialized sr_inst
arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems
arm64: dts: allwinner: h6: beelink-gs1: Remove ext. 32 kHz osc reference
bpf: Use correct permission flag for mixed signed bounds arithmetic
KVM: VMX: Convert vcpu_vmx.exit_reason to a union
KVM: VMX: Don't use vcpu->run->internal.ndata as an array index
r8169: tweak max read request size for newer chips also in jumbo mtu mode
r8169: don't advertise pause in jumbo mode
bpf: Ensure off_reg has no mixed signed bounds for all types
bpf: Move off_reg into sanitize_ptr_alu
ARM: 9071/1: uprobes: Don't hook on thumb instructions
arm64: mte: Ensure TIF_MTE_ASYNC_FAULT is set atomically
bpf: Rework ptr_limit into alu_limit and add common error path
bpf: Improve verifier error messages for users
bpf: Move sanitize_val_alu out of op switch
net: phy: marvell: fix detection of PHY on Topaz switches
Linux 5.10.32
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If247bf8401509195e4f55f03dcc514f80d467966
|
||
|
Daniel Borkmann
|
fbe6603e7c |
bpf: Move sanitize_val_alu out of op switch
commit f528819334881fd622fdadeddb3f7edaed8b7c9b upstream. Add a small sanitize_needed() helper function and move sanitize_val_alu() out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu() as well out of its opcode switch so this helps to streamline both. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
7723d32438 |
bpf: Improve verifier error messages for users
commit a6aaece00a57fa6f22575364b3903dfbccf5345d upstream. Consolidate all error handling and provide more user-friendly error messages from sanitize_ptr_alu() and sanitize_val_alu(). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
55565c3079 |
bpf: Rework ptr_limit into alu_limit and add common error path
commit b658bbb844e28f1862867f37e8ca11a8e2aa94a3 upstream. Small refactor with no semantic changes in order to consolidate the max ptr_limit boundary check. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |