xiaomi-sm8450/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
b153cbc507946f52d5aa687fd64f45d82cb36a3b
android_kernel_xiaomi_sm8450/kernel
History
Craig Gallek 8c01c4f896 bpf: fix verifier NULL pointer dereference 
do_check() can fail early without allocating env->cur_state under
memory pressure.  Syzkaller found the stack below on the linux-next
tree because of this.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  task: ffff8801c2c74700 task.stack: ffff8801c3e28000
  RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
  RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
  RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
  RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
  RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
  R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
  R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
  FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
   SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
   SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
   entry_SYSCALL_64_fastpath+0x1f/0xbe
  RIP: 0033:0x452869
  RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
  RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
  RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
  RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
  R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
  Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
  RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8
  RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8
  ---[ end trace c8d37f339dc64004 ]---

Fixes: 638f5b90d4 ("bpf: reduce verifier memory consumption")
Fixes: 1969db47f8 ("bpf: fix verifier memory leaks")
Signed-off-by: Craig Gallek <kraig@google.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-11-03 15:49:15 +09:00
..
bpf
bpf: fix verifier NULL pointer dereference
2017-11-03 15:49:15 +09:00
cgroup
Revert "net: defer call to cgroup_sk_alloc()"
2017-10-10 20:24:29 -07:00
configs
ANDROID: binder: add hwbinder,vndbinder to BINDER_DEVICES.
2017-08-22 18:43:23 -07:00
debug
sched/headers: Prepare for new header dependencies before moving code to <linux/sched/debug.h>
2017-03-02 08:42:34 +01:00
events
bpf: permit multiple bpf attachments for a single perf event
2017-10-25 10:47:47 +09:00
gcov
gcov: support GCC 7.1
2017-05-12 15:57:15 -07:00
irq
Merge tag 'irqchip-4.14-3' of git://git.kernel.org/pub/scm/linux/kernel/git/maz/arm-platforms into irq/urgent
2017-10-16 10:26:46 +02:00
livepatch
livepatch: unpatch all klp_objects if klp_module_coming fails
2017-10-11 15:38:46 +02:00
locking
locking/lockdep: Fix stacktrace mess
2017-10-10 10:04:28 +02:00
power
PM / s2idle: Invoke the ->wake() platform callback earlier
2017-09-29 01:26:13 +02:00
printk
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk
2017-09-07 21:00:52 -07:00
rcu
doc: Fix various RCU docbook comment-header problems
2017-10-19 22:26:11 -04:00
sched
membarrier: Provide register expedited private command
2017-10-19 22:13:40 -04:00
time
drivers/pps: aesthetic tweaks to PPS-related content
2017-09-08 18:26:51 -07:00
trace
bpf: avoid rcu_dereference inside bpf_event_mutex lock region
2017-11-01 12:35:48 +09:00
.gitignore
acct.c
fs: make the buf argument to __kernel_write a void pointer
2017-09-04 19:05:15 -04:00
async.c
async: Adjust system_state checks
2017-05-23 10:01:37 +02:00
audit_fsnotify.c
Merge branch 'fsnotify' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2017-05-03 11:05:15 -07:00
audit_tree.c
Merge branch 'fsnotify' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs
2017-05-03 11:05:15 -07:00
audit_watch.c
Merge tag 'audit-pr-20170816' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit
2017-08-16 16:48:34 -07:00
audit.c
audit: update the function comments
2017-09-05 09:46:59 -04:00
audit.h
ipc: mqueue: Replace timespec with timespec64
2017-09-03 20:21:24 -04:00
auditfilter.c
audit: kernel generated netlink traffic should have a portid of 0
2017-05-02 10:16:05 -04:00
auditsc.c
Merge branch 'work.ipc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-09-14 17:37:26 -07:00
backtracetest.c
bounds.c
capability.c
capability: export has_capability
2017-01-12 07:01:56 -07:00
compat.c
semtimedop(): move compat to native
2017-07-15 20:46:47 -04:00
configs.c
Replace <asm/uaccess.h> with <linux/uaccess.h> globally
2016-12-24 11:46:01 -08:00
context_tracking.c
cpu_pm.c
PM / CPU: replace raw_notifier with atomic_notifier
2017-07-31 13:09:49 +02:00
cpu.c
cpu/hotplug: Reset node state after operation
2017-10-21 16:11:30 +02:00
crash_core.c
kdump: protect vmcoreinfo data under the crash memory
2017-07-12 16:26:00 -07:00
crash_dump.c
cred.c
doc: ReSTify credentials.txt
2017-05-18 10:30:19 -06:00
delayacct.c
sched/headers: Prepare to move cputime functionality from <linux/sched.h> into <linux/sched/cputime.h>
2017-03-02 08:42:39 +01:00
dma.c
elfcore.c
exec_domain.c
exit.c
waitid(): Avoid unbalanced user_access_end() on access_ok() error
2017-10-20 15:32:54 -04:00
extable.c
extable: Enable RCU if it is not watching in kernel_text_address()
2017-09-23 16:50:20 -04:00
fork.c
kmemleak: clear stale pointers from task stacks
2017-10-13 16:18:33 -07:00
freezer.c
freezer, oom: check TIF_MEMDIE on the correct task
2016-07-28 16:07:41 -07:00
futex_compat.c
Replace <asm/uaccess.h> with <linux/uaccess.h> globally
2016-12-24 11:46:01 -08:00
futex.c
futex: Fix pi_state->owner serialization
2017-09-25 16:37:11 +02:00
groups.c
kernel/groups.c: use sort library function
2017-07-10 16:32:34 -07:00
hung_task.c
kernel/hung_task.c: defer showing held locks
2017-05-08 17:15:10 -07:00
irq_work.c
jump_label.c
jump_label: Provide hotplug context variants
2017-08-10 12:28:59 +02:00
kallsyms.c
kernel/kallsyms.c: replace all_var with IS_ENABLED(CONFIG_KALLSYMS_ALL)
2017-07-10 16:32:34 -07:00
kcmp.c
kernel/kcmp.c: drop branch leftover typo
2017-10-03 17:54:25 -07:00
Kconfig.freezer
Kconfig.hz
Kconfig.locks
locking/mutex: Allow MUTEX_SPIN_ON_OWNER when DEBUG_MUTEXES
2016-10-25 11:31:51 +02:00
Kconfig.preempt
kcov.c
kcov: support compat processes
2017-09-08 18:26:51 -07:00
kexec_core.c
x86/mm, kexec: Allow kexec to be used with SME
2017-07-18 11:38:04 +02:00
kexec_file.c
kexec_file: adjust declaration of kexec_purgatory
2017-07-12 16:26:02 -07:00
kexec_internal.h
kexec_file: adjust declaration of kexec_purgatory
2017-07-12 16:26:02 -07:00
kexec.c
kdump: protect vmcoreinfo data under the crash memory
2017-07-12 16:26:00 -07:00
kmod.c
kmod: move #ifdef CONFIG_MODULES wrapper to Makefile
2017-09-08 18:26:51 -07:00
kprobes.c
kprobes: Ensure that jprobe probepoints are at function entry
2017-07-08 11:05:35 +02:00
ksysfs.c
kexec: move vmcoreinfo out of the kernel's .bss section
2017-07-12 16:25:59 -07:00
kthread.c
kernel/kthread.c: kthread_worker: don't hog the cpu
2017-08-31 16:33:15 -07:00
latencytop.c
sched/headers: Prepare to move sched_info_on() and force_schedstat_enabled() from <linux/sched.h> to <linux/sched/stat.h>
2017-03-02 08:42:39 +01:00
Makefile
kmod: move #ifdef CONFIG_MODULES wrapper to Makefile
2017-09-08 18:26:51 -07:00
memremap.c
memremap: add scheduling point to devm_memremap_pages
2017-10-03 17:54:25 -07:00
module_signing.c
module-internal.h
module.c
module: fix ddebug_remove_module()
2017-07-25 15:08:32 +02:00
notifier.c
kernel/notifier.c: simplify expression
2017-02-24 17:46:56 -08:00
nsproxy.c
perf: Add PERF_RECORD_NAMESPACES to include namespaces related info
2017-03-13 15:57:41 -03:00
padata.c
padata: Avoid nested calls to cpus_read_lock() in pcrypt_init_padata()
2017-05-26 10:10:37 +02:00
panic.c
locking/refcounts, x86/asm: Implement fast refcount overflow protection
2017-08-17 10:40:26 +02:00
params.c
kernel/params.c: improve STANDARD_PARAM_DEF readability
2017-10-03 17:54:26 -07:00
pid_namespace.c
userns,pidns: Verify the userns for new pid namespaces
2017-07-20 07:43:58 -05:00
pid.c
pids: make task_tgid_nr_ns() safe
2017-08-21 12:47:31 -07:00
profile.c
sched/headers: Prepare to move sched_info_on() and force_schedstat_enabled() from <linux/sched.h> to <linux/sched/stat.h>
2017-03-02 08:42:39 +01:00
ptrace.c
signal: Remove kernel interal si_code magic
2017-07-24 14:30:28 -05:00
range.c
reboot.c
relay.c
Merge branch 'work.splice' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
2017-05-02 11:38:06 -07:00
resource.c
seccomp.c
seccomp: make function __get_seccomp_filter static
2017-10-10 11:45:29 -07:00
signal.c
signal: Fix name of SIGEMT in #if defined() check
2017-11-01 17:04:57 -05:00
smp.c
treewide: make "nr_cpu_ids" unsigned
2017-09-08 18:26:48 -07:00
smpboot.c
watchdog/core, powerpc: Lock cpus across reconfiguration
2017-10-04 10:53:54 +02:00
smpboot.h
softirq.c
sched/core: Remove 'task' parameter and rename tsk_restore_flags() to current_restore_flags()
2017-04-11 09:06:32 +02:00
stacktrace.c
stacktrace/x86: add function for detecting reliable stack traces
2017-03-08 09:18:02 +01:00
stop_machine.c
stop_machine: Provide stop_machine_cpuslocked()
2017-05-26 10:10:36 +02:00
sys_ni.c
move aio compat to fs/aio.c
2016-12-22 22:58:37 -05:00
sys.c
prctl: Allow local CAP_SYS_ADMIN changing exe_file
2017-07-20 07:46:07 -05:00
sysctl_binary.c
fs: fix kernel_write prototype
2017-09-04 19:05:15 -04:00
sysctl.c
Merge branch 'core-watchdog-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
2017-10-06 08:36:41 -07:00
task_work.c
task_work: Replace spin_unlock_wait() with lock/unlock pair
2017-07-25 10:08:58 -07:00
taskstats.c
taskstats: add e/u/stime for TGID command
2017-05-08 17:15:12 -07:00
test_kprobes.c
torture.c
torture: Fix typo suppressing CPU-hotplug statistics
2017-07-25 13:04:45 -07:00
tracepoint.c
sched/headers: Prepare for new header dependencies before moving code to <linux/sched/task.h>
2017-03-02 08:42:35 +01:00
tsacct.c
sched/headers: Prepare to move cputime functionality from <linux/sched.h> into <linux/sched/cputime.h>
2017-03-02 08:42:39 +01:00
ucount.c
ucount: Remove the atomicity from ucount->count
2017-03-06 15:26:37 -06:00
uid16.c
sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h>
2017-03-02 08:42:31 +01:00
umh.c
kmod: split out umh code into its own file
2017-09-08 18:26:50 -07:00
up.c
smp: Avoid using two cache lines for struct call_single_data
2017-08-29 15:14:38 +02:00
user_namespace.c
userns,pidns: Verify the userns for new pid namespaces
2017-07-20 07:43:58 -05:00
user-return-notifier.c
user.c
sched/headers: Prepare for new header dependencies before moving code to <linux/sched/user.h>
2017-03-02 08:42:29 +01:00
utsname_sysctl.c
sched/headers: Remove <linux/rwsem.h> from <linux/sched.h>
2017-03-03 01:45:36 +01:00
utsname.c
sched/headers: Prepare to move the task_lock()/unlock() APIs to <linux/sched/task.h>
2017-03-02 08:42:38 +01:00
watchdog_hld.c
watchdog/hardlockup/perf: Fix spelling mistake: "permanetely" -> "permanently"
2017-09-28 12:24:54 +02:00
watchdog.c
watchdog/core: Put softlockup_threads_initialized under ifdef guard
2017-10-04 11:30:50 +02:00
workqueue_internal.h
workqueue.c
workqueue: replace pool->manager_arb mutex with a flag
2017-10-10 07:13:57 -07:00