49eea524bebea0d2b7dfa1c709a6694de808eb8a
257 Commits
bb94f9d8f5 Merge 4.9.91 into android-4.9
Changes in 4.9.91
MIPS: ralink: Remove ralink_halt()
iio: st_pressure: st_accel: pass correct platform data to init
ALSA: usb-audio: Fix parsing descriptor of UAC2 processing unit
ALSA: aloop: Sync stale timer before release
ALSA: aloop: Fix access to not-yet-ready substream via cable
ALSA: hda/realtek - Always immediately update mute LED with pin VREF
mmc: dw_mmc: fix falling from idmac to PIO mode when dw_mci_reset occurs
PCI: Add function 1 DMA alias quirk for Highpoint RocketRAID 644L
ahci: Add PCI-id for the Highpoint Rocketraid 644L card
clk: bcm2835: Fix ana->maskX definitions
clk: bcm2835: Protect sections updating shared registers
clk: sunxi-ng: a31: Fix CLK_OUT_* clock ops
Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174
libata: fix length validation of ATAPI-relayed SCSI commands
libata: remove WARN() for DMA or PIO command without data
libata: don't try to pass through NCQ commands to non-NCQ devices
libata: Apply NOLPM quirk to Crucial MX100 512GB SSDs
libata: disable LPM for Crucial BX100 SSD 500GB drive
libata: Enable queued TRIM for Samsung SSD 860
libata: Apply NOLPM quirk to Crucial M500 480 and 960GB SSDs
libata: Make Crucial BX100 500GB LPM quirk apply to all firmware versions
libata: Modify quirks for MX100 to limit NCQ_TRIM quirk to MU01 version
nfsd: remove blocked locks on client teardown
mm/vmalloc: add interfaces to free unmapped page table
x86/mm: implement free pmd/pte page interfaces
mm/khugepaged.c: convert VM_BUG_ON() to collapse fail
mm/thp: do not wait for lock_page() in deferred_split_scan()
mm/shmem: do not wait for lock_page() in shmem_unused_huge_shrink()
drm/vmwgfx: Fix a destoy-while-held mutex problem.
drm/radeon: Don't turn off DP sink when disconnected
drm: udl: Properly check framebuffer mmap offsets
acpi, numa: fix pxm to online numa node associations
ACPI / watchdog: Fix off-by-one error at resource assignment
libnvdimm, {btt, blk}: do integrity setup before add_disk()
brcmfmac: fix P2P_DEVICE ethernet address generation
rtlwifi: rtl8723be: Fix loss of signal
tracing: probeevent: Fix to support minus offset from symbol
mtdchar: fix usage of mtd_ooblayout_ecc()
mtd: nand: fsl_ifc: Fix nand waitfunc return value
mtd: nand: fsl_ifc: Fix eccstat array overflow for IFC ver >= 2.0.0
mtd: nand: fsl_ifc: Read ECCSTAT0 and ECCSTAT1 registers for IFC 2.0
staging: ncpfs: memory corruption in ncp_read_kernel()
can: ifi: Repair the error handling
can: ifi: Check core revision upon probe
can: cc770: Fix stalls on rt-linux, remove redundant IRQ ack
can: cc770: Fix queue stall & dropped RTR reply
can: cc770: Fix use after free in cc770_tx_interrupt()
tty: vt: fix up tabstops properly
selftests/x86/ptrace_syscall: Fix for yet more glibc interference
kvm/x86: fix icebp instruction handling
x86/build/64: Force the linker to use 2MB page size
x86/boot/64: Verify alignment of the LOAD segment
x86/entry/64: Don't use IST entry for #BP stack
perf/x86/intel/uncore: Fix Skylake UPI event format
perf stat: Fix CVS output format for non-supported counters
perf/x86/intel: Don't accidentally clear high bits in bdw_limit_period()
perf/x86/intel/uncore: Fix multi-domain PCI CHA enumeration bug on Skylake servers
iio: ABI: Fix name of timestamp sysfs file
staging: lustre: ptlrpc: kfree used instead of kvfree
selftests, x86, protection_keys: fix wrong offset in siginfo
selftests/x86/protection_keys: Fix syscall NR redefinition warnings
signal/testing: Don't look for __SI_FAULT in userspace
x86/pkeys/selftests: Rename 'si_pkey' to 'siginfo_pkey'
selftests: x86: sysret_ss_attrs doesn't build on a PIE build
kbuild: disable clang's default use of -fmerge-all-constants
bpf: skip unnecessary capability check
bpf, x64: increase number of passes
Linux 4.9.91
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

3eb88807b2 bpf: skip unnecessary capability check
commit 0fa4fe85f4724fff89b09741c437cbee9cf8b008 upstream.

The current check statement in the BPF syscall will do a capability check for CAP_SYS_ADMIN before checking sysctl_unprivileged_bpf_disabled. This code path will trigger unnecessary security hooks on capability checking and cause false alarms on unprivileged processes trying to get CAP_SYS_ADMIN access. This can be resolved by simply switching the order of the statements; CAP_SYS_ADMIN is not required anyway if the unprivileged bpf syscall is allowed.

Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

7dc12f7d2f BACKPORT: fix "netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'"
Descriptor table is a shared object; it's not a place where you can stick temporary references to files, especially when we don't need an opened file at all.

Cc: stable@vger.kernel.org # v4.14
Fixes: 98589a0998b8 ("netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Chenbo Feng <fengc@google.com>

Removed the code related to function bpf_prog_get_ok() since it does not exist in the current android tree.

(cherry picked from commit 040ee69226f8a96b7943645d68f41d5d44b5ff7d)
Change-Id: If7a602128cdea4b4b50c8effb215c9bca7449515

7e3c72f4c7 UPSTREAM: netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'
Commit 2c16d6033264 ("netfilter: xt_bpf: support ebpf") introduced
support for attaching an eBPF object by an fd, with the
'bpf_mt_check_v1' ABI expecting the '.fd' to be specified upon each
IPT_SO_SET_REPLACE call.
However this breaks subsequent iptables calls:
# iptables -A INPUT -m bpf --object-pinned /sys/fs/bpf/xxx -j ACCEPT
# iptables -A INPUT -s 5.6.7.8 -j ACCEPT
iptables: Invalid argument. Run `dmesg' for more information.
That's because iptables works by loading existing rules using
IPT_SO_GET_ENTRIES to userspace, then issuing IPT_SO_SET_REPLACE with
the replacement set.
However, the loaded 'xt_bpf_info_v1' has an arbitrary '.fd' number
(from the initial "iptables -m bpf" invocation) - so when the 2nd invocation
occurs, userspace passes a bogus fd number, which causes
'bpf_mt_check_v1' to fail.
One suggested solution [1] was to hack iptables userspace, to perform an
"entries fixup" immediately after IPT_SO_GET_ENTRIES, by opening a new,
process-local fd per every 'xt_bpf_info_v1' entry seen.
However, in [2] both Pablo Neira Ayuso and Willem de Bruijn suggested to
deprecate the xt_bpf_info_v1 ABI dealing with pinned ebpf objects.
This fix changes the XT_BPF_MODE_FD_PINNED behavior to ignore the given
'.fd' and instead perform an in-kernel lookup for the bpf object given
the provided '.path'.
It also defines an alias for the XT_BPF_MODE_FD_PINNED mode, named
XT_BPF_MODE_PATH_PINNED, to better reflect the fact that the user is
expected to provide the path of the pinned object.
Existing XT_BPF_MODE_FD_ELF behavior (non-pinned fd mode) is preserved.
References: [1] https://marc.info/?l=netfilter-devel&m=150564724607440&w=2
[2] https://marc.info/?l=netfilter-devel&m=150575727129880&w=2
Reported-by: Rafael Buchbinder <rafi@rbk.ms>
Signed-off-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Chenbo Feng <fengc@google.com>
(cherry picked from commit 98589a0998b8b13c4a8fa1ccb0e62751a019faa5)
Change-Id: Ia0d15a76823cca3afb38786a3d2c25c13ccf941d

a2904940bd Merge 4.9.87 into android-4.9
Changes in 4.9.87
tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus
tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
tpm: constify transmit data pointers
tpm_tis_spi: Use DMA-safe memory for SPI transfers
tpm-dev-common: Reject too short writes
ALSA: usb-audio: Add a quirck for B&W PX headphones
ALSA: hda: Add a power_save blacklist
ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
timers: Forward timer base before migrating timers
parisc: Fix ordering of cache and TLB flushes
cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
dax: fix vma_is_fsdax() helper
x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
x86/platform/intel-mid: Handle Intel Edison reboot correctly
media: m88ds3103: don't call a non-initalized function
nospec: Allow index argument to have const-qualified type
ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
ARM: kvm: fix building with gcc-8
KVM: mmu: Fix overlap between public and private memslots
KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
PCI/ASPM: Deal with missing root ports in link state handling
dm io: fix duplicate bio completion due to missing ref count
ARM: dts: LogicPD SOM-LV: Fix I2C1 pinmux
ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
x86/mm: Give each mm TLB flush generation a unique ID
x86/speculation: Use Indirect Branch Prediction Barrier in context switch
md: only allow remove_and_add_spares when no sync_thread running.
netlink: put module reference if dump start fails
x86/apic/vector: Handle legacy irq data correctly
bridge: check brport attr show in brport_show
fib_semantics: Don't match route with mismatching tclassid
hdlc_ppp: carrier detect ok, don't turn off negotiation
ipv6 sit: work around bogus gcc-8 -Wrestrict warning
net: fix race on decreasing number of TX queues
net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
netlink: ensure to loop over all netns in genlmsg_multicast_allns()
ppp: prevent unregistered channels from connecting to PPP units
udplite: fix partial checksum initialization
sctp: fix dst refcnt leak in sctp_v4_get_dst
mlxsw: spectrum_switchdev: Check success of FDB add operation
net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
tcp: Honor the eor bit in tcp_mtu_probe
rxrpc: Fix send in rxrpc_send_data_packet()
tcp_bbr: better deal with suboptimal GSO
sctp: fix dst refcnt leak in sctp_v6_get_dst()
s390/qeth: fix underestimated count of buffer elements
s390/qeth: fix SETIP command handling
s390/qeth: fix overestimated count of buffer elements
s390/qeth: fix IP removal on offline cards
s390/qeth: fix double-free on IP add/remove race
s390/qeth: fix IP address lookup for L3 devices
s390/qeth: fix IPA command submission race
sctp: verify size of a new chunk in _sctp_make_chunk()
net: mpls: Pull common label check into helper
mpls, nospec: Sanitize array index in mpls_label_ok()
bpf: fix wrong exposure of map_flags into fdinfo for lpm
bpf: fix mlock precharge on arraymaps
bpf, x64: implement retpoline for tail call
bpf, arm64: fix out of bounds access in tail call
bpf: add schedule points in percpu arrays management
bpf, ppc64: fix out of bounds access in tail call
btrfs: preserve i_mode if __btrfs_set_acl() fails
Linux 4.9.87
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

2a8bc5316a bpf: add schedule points in percpu arrays management
[ upstream commit 32fff239de37ef226d5b66329dd133f64d63b22d ]
syzbot managed to trigger RCU detected stalls in
bpf_array_free_percpu()
It takes time to allocate a huge percpu map, but even more time to free
it.
Since we run in process context, use cond_resched() to yield cpu if
needed.
Fixes:

422baf61d4 bpf: fix mlock precharge on arraymaps
[ upstream commit 9c2d63b843a5c8a8d0559cc067b5398aa5ec3ffc ]

syzkaller recently triggered OOM during percpu map allocation; while there is work in progress by Dennis Zhou to add __GFP_NORETRY semantics for the percpu allocator under pressure, there also seems to be a missing bpf_map_precharge_memlock() check in array map allocation. Given that today the actual bpf_map_charge_memlock() happens after find_and_alloc_map() in the syscall path, bpf_map_precharge_memlock() is there to bail out early, before we go and do the map setup work, when we find that we hit the limits anyway. Therefore add this for array map as well.

Fixes:

816cfeb77c bpf: fix wrong exposure of map_flags into fdinfo for lpm
[ upstream commit a316338cb71a3260201490e615f2f6d5c0d8fb2c ]
trie_alloc() always needs to have BPF_F_NO_PREALLOC passed in via
attr->map_flags, since it does not support preallocation yet. We
check the flag, but we never copy the flag into trie->map.map_flags,
which is later on exposed into fdinfo and used by loaders such as
iproute2. The latter uses this in bpf_map_selfcheck_pinned() to test
whether a pinned map has the same spec as the one from the BPF obj
file and if not, bails out, which is currently the case for lpm
since it always exposes 0 as flags.
Also copy over flags in array_map_alloc() and stack_map_alloc().
They always have to be 0 right now, but we should make sure to not
miss to copy them over at a later point in time when we add actual
flags for them to use.
Fixes: b95a5c4db09b ("bpf: add a longest prefix match trie map implementation")
Reported-by: Jarno Rajahalme <jarno@covalent.io>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

417637a2d9 bpf: fix function type for __bpf_prog_run
Bug: 67506682
Change-Id: I096a470c65a2a1867c51da9a33843ae23bf5e547
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>

71f1469722 Merge 4.9.79 into android-4.9
Changes in 4.9.79
x86/asm/32: Make sync_core() handle missing CPUID on all 32-bit kernels
orangefs: use list_for_each_entry_safe in purge_waiting_ops
orangefs: initialize op on loop restart in orangefs_devreq_read
usbip: prevent vhci_hcd driver from leaking a socket pointer address
usbip: Fix implicit fallthrough warning
usbip: Fix potential format overflow in userspace tools
can: af_can: can_rcv(): replace WARN_ONCE by pr_warn_once
can: af_can: canfd_rcv(): replace WARN_ONCE by pr_warn_once
KVM: arm/arm64: Check pagesize when allocating a hugepage at Stage 2
Prevent timer value 0 for MWAITX
drivers: base: cacheinfo: fix x86 with CONFIG_OF enabled
drivers: base: cacheinfo: fix boot error message when acpi is enabled
mm/mmap.c: do not blow on PROT_NONE MAP_FIXED holes in the stack
hwpoison, memcg: forcibly uncharge LRU pages
cma: fix calculation of aligned offset
mm, page_alloc: fix potential false positive in __zone_watermark_ok
ipc: msg, make msgrcv work with LONG_MIN
ACPI / scan: Prefer devices without _HID/_CID for _ADR matching
ACPICA: Namespace: fix operand cache leak
netfilter: nfnetlink_cthelper: Add missing permission checks
netfilter: xt_osf: Add missing permission checks
reiserfs: fix race in prealloc discard
reiserfs: don't preallocate blocks for extended attributes
fs/fcntl: f_setown, avoid undefined behaviour
scsi: libiscsi: fix shifting of DID_REQUEUE host byte
Revert "module: Add retpoline tag to VERMAGIC"
mm: fix 100% CPU kswapd busyloop on unreclaimable nodes
Input: trackpoint - force 3 buttons if 0 button is reported
orangefs: fix deadlock; do not write i_size in read_iter
um: link vmlinux with -no-pie
vsyscall: Fix permissions for emulate mode with KAISER/PTI
eventpoll.h: add missing epoll event masks
dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state
ipv6: Fix getsockopt() for sockets with default IPV6_AUTOFLOWLABEL
ipv6: fix udpv6 sendmsg crash caused by too small MTU
ipv6: ip6_make_skb() needs to clear cork.base.dst
lan78xx: Fix failure in USB Full Speed
net: igmp: fix source address check for IGMPv3 reports
net: qdisc_pkt_len_init() should be more robust
net: tcp: close sock if net namespace is exiting
pppoe: take ->needed_headroom of lower device into account on xmit
r8169: fix memory corruption on retrieval of hardware statistics.
sctp: do not allow the v4 socket to bind a v4mapped v6 address
sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
tipc: fix a memory leak in tipc_nl_node_get_link()
vmxnet3: repair memory leak
net: Allow neigh contructor functions ability to modify the primary_key
ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY
ppp: unlock all_ppp_mutex before registering device
be2net: restore properly promisc mode after queues reconfiguration
ip6_gre: init dev->mtu and dev->hard_header_len correctly
gso: validate gso_type in GSO handlers
mlxsw: spectrum_router: Don't log an error on missing neighbor
tun: fix a memory leak for tfile->tx_array
flow_dissector: properly cap thoff field
perf/x86/amd/power: Do not load AMD power module on !AMD platforms
x86/microcode/intel: Extend BDW late-loading further with LLC size check
hrtimer: Reset hrtimer cpu base proper on CPU hotplug
x86: bpf_jit: small optimization in emit_bpf_tail_call()
bpf: fix bpf_tail_call() x64 JIT
bpf: introduce BPF_JIT_ALWAYS_ON config
bpf: arsh is not supported in 32 bit alu thus reject it
bpf: avoid false sharing of map refcount with max_entries
bpf: fix divides by zero
bpf: fix 32-bit divide by zero
bpf: reject stores into ctx via st and xadd
nfsd: auth: Fix gid sorting when rootsquash enabled
Linux 4.9.79
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

f531fbb06a bpf: reject stores into ctx via st and xadd
[ upstream commit f37a8cb84cce18762e8f86a70bd6a49a66ab964c ]
Alexei found that verifier does not reject stores into context
via BPF_ST instead of BPF_STX. And while looking at it, we
also should not allow XADD variant of BPF_STX.
The context rewriter is only assuming either BPF_LDX_MEM- or
BPF_STX_MEM-type operations, thus reject anything other than
that so that assumptions in the rewriter properly hold. Add
test cases as well for BPF selftests.
Fixes:

265d7657c9 bpf: fix 32-bit divide by zero
[ upstream commit 68fda450a7df51cff9e5a4d4a4d9d0d5f2589153 ]
Due to some JITs doing an if (src_reg == 0) check in 64-bit mode
for div/mod operations, mask the upper 32 bits of the src register
before doing the check.
Fixes:

4606077802 bpf: fix divides by zero
[ upstream commit c366287ebd698ef5e3de300d90cd62ee9ee7373e ]
Divides by zero are not nice, let's avoid them if possible.
Also do_div() seems not needed when dealing with 32-bit operands,
but this seems a minor detail.
Fixes:

fcabc6d008 bpf: arsh is not supported in 32 bit alu thus reject it
[ upstream commit 7891a87efc7116590eaba57acc3c422487802c6f ]
The following snippet was throwing an 'unknown opcode cc' warning
in BPF interpreter:
0: (18) r0 = 0x0
2: (7b) *(u64 *)(r10 -16) = r0
3: (cc) (u32) r0 s>>= (u32) r0
4: (95) exit
Although a number of JITs do support BPF_ALU | BPF_ARSH | BPF_{K,X}
generation, not all of them do and interpreter does neither. We can
leave existing ones and implement it later in bpf-next for the
remaining ones, but reject this properly in verifier for the time
being.
Fixes:

a3d6dd6a66 bpf: introduce BPF_JIT_ALWAYS_ON config
[ upstream commit 290af86629b25ffd1ed6232c4e9107da031705cb ]

The BPF interpreter has been used as part of the spectre 2 attack CVE-2017-5715.

A quote from the Google Project Zero blog:
"At this point, it would normally be necessary to locate gadgets in the host kernel code that can be used to actually leak data by reading from an attacker-controlled location, shifting and masking the result appropriately and then using the result of that as offset to an attacker-controlled address for a load. But piecing gadgets together and figuring out which ones work in a speculation context seems annoying. So instead, we decided to use the eBPF interpreter, which is built into the host kernel - while there is no legitimate way to invoke it from inside a VM, the presence of the code in the host kernel's text section is sufficient to make it usable for the attack, just like with ordinary ROP gadgets."

To make the attacker's job harder, introduce the BPF_JIT_ALWAYS_ON config option that removes the interpreter from the kernel in favor of JIT-only mode.
So far eBPF JIT is supported by: x64, arm64, arm32, sparc64, s390, powerpc64, mips64

The start of the JITed program is randomized and the code page is marked as read-only. In addition "constant blinding" can be turned on with net.core.bpf_jit_harden

v2->v3:
- move __bpf_prog_ret0 under ifdef (Daniel)

v1->v2:
- fix init order, test_bpf and cBPF (Daniel's feedback)
- fix offloaded bpf (Jakub's feedback)
- add 'return 0' dummy in case something can invoke prog->bpf_func
- retarget bpf tree. For bpf-next the patch would need one extra hunk. It will be sent when the trees are merged back to net-next

Considered doing:
int bpf_jit_enable __read_mostly = BPF_EBPF_JIT_DEFAULT;
but it seems better to land the patch as-is and in bpf-next remove the bpf_jit_enable global variable from all JITs, consolidate in one place and remove this jit_init() function.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

5226bb3b95 bpf: fix bpf_tail_call() x64 JIT
[ upstream commit 90caccdd8cc0215705f18b92771b449b01e2474a ]
- bpf prog_array just like all other types of bpf array accepts 32-bit index.
Clarify that in the comment.
- fix x64 JIT of bpf_tail_call which was incorrectly loading 8 instead of 4 bytes
- tighten corresponding check in the interpreter to stay consistent
The JIT bug can be triggered after introduction of BPF_F_NUMA_NODE flag
in commit 96eabe7a40aa in 4.14. Before that the map_flags would stay zero and
though JIT code is wrong it will check bounds correctly.
Hence two fixes tags. All other JITs don't have this problem.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Fixes: 96eabe7a40aa ("bpf: Allow selecting numa node during map creation")
Fixes:

033d019ce2 Merge 4.9.77 into android-4.9
Changes in 4.9.77
dm bufio: fix shrinker scans when (nr_to_scan < retain_target)
mac80211: Add RX flag to indicate ICV stripped
ath10k: rebuild crypto header in rx data frames
KVM: Fix stack-out-of-bounds read in write_mmio
can: gs_usb: fix return value of the "set_bittiming" callback
IB/srpt: Disable RDMA access by the initiator
MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task
MIPS: Factor out NT_PRFPREG regset access helpers
MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
MIPS: Consistently handle buffer counter with PTRACE_SETREGSET
MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET
MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
kvm: vmx: Scrub hardware GPRs at VM-exit
platform/x86: wmi: Call acpi_wmi_init() later
x86/acpi: Handle SCI interrupts above legacy space gracefully
ALSA: pcm: Remove incorrect snd_BUG_ON() usages
ALSA: pcm: Add missing error checks in OSS emulation plugin builder
ALSA: pcm: Abort properly at pending signal in OSS read/write loops
ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
ALSA: aloop: Release cable upon open error path
ALSA: aloop: Fix inconsistent format due to incomplete rule
ALSA: aloop: Fix racy hw constraints adjustment
x86/acpi: Reduce code duplication in mp_override_legacy_irq()
zswap: don't param_set_charp while holding spinlock
lan78xx: use skb_cow_head() to deal with cloned skbs
sr9700: use skb_cow_head() to deal with cloned skbs
smsc75xx: use skb_cow_head() to deal with cloned skbs
cx82310_eth: use skb_cow_head() to deal with cloned skbs
xhci: Fix ring leak in failure path of xhci_alloc_virt_device()
8021q: fix a memory leak for VLAN 0 device
ip6_tunnel: disable dst caching if tunnel is dual-stack
net: core: fix module type in sock_diag_bind
RDS: Heap OOB write in rds_message_alloc_sgs()
RDS: null pointer dereference in rds_atomic_free_op
sh_eth: fix TSU resource handling
sh_eth: fix SH7757 GEther initialization
net: stmmac: enable EEE in MII, GMII or RGMII only
ipv6: fix possible mem leaks in ipv6_make_skb()
ethtool: do not print warning for applications using legacy API
mlxsw: spectrum_router: Fix NULL pointer deref
net/sched: Fix update of lastuse in act modules implementing stats_update
crypto: algapi - fix NULL dereference in crypto_remove_spawns()
rbd: set max_segments to USHRT_MAX
x86/microcode/intel: Extend BDW late-loading with a revision check
KVM: x86: Add memory barrier on vmcs field lookup
drm/vmwgfx: Potential off by one in vmw_view_add()
kaiser: Set _PAGE_NX only if supported
iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
bpf: move fixup_bpf_calls() function
bpf: refactor fixup_bpf_calls()
bpf: prevent out-of-bounds speculation
bpf, array: fix overflow in max_entries and undefined behavior in index_mask
USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
USB: serial: cp210x: add new device ID ELV ALC 8xxx
usb: misc: usb3503: make sure reset is low for at least 100us
USB: fix usbmon BUG trigger
usbip: remove kernel addresses from usb device and urb debug msgs
usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer
staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
Bluetooth: Prevent stack info leak from the EFS element.
uas: ignore UAS for Norelsys NS1068(X) chips
e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
x86/Documentation: Add PTI description
x86/cpu: Factor out application of forced CPU caps
x86/cpufeatures: Make CPU bugs sticky
x86/cpufeatures: Add X86_BUG_CPU_INSECURE
x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
x86/cpu: Merge bugs.c and bugs_64.c
sysfs/cpu: Add vulnerability folder
x86/cpu: Implement CPU vulnerabilites sysfs functions
x86/cpu/AMD: Make LFENCE a serializing instruction
x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC
sysfs/cpu: Fix typos in vulnerability documentation
x86/alternatives: Fix optimize_nops() checking
x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
x86/mm/32: Move setup_clear_cpu_cap(X86_FEATURE_PCID) earlier
objtool, modules: Discard objtool annotation sections for modules
objtool: Detect jumps to retpoline thunks
objtool: Allow alternatives to be ignored
x86/asm: Use register variable to get stack pointer value
x86/retpoline: Add initial retpoline support
x86/spectre: Add boot time option to select Spectre v2 mitigation
x86/retpoline/crypto: Convert crypto assembler indirect jumps
x86/retpoline/entry: Convert entry assembler indirect jumps
x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
x86/retpoline/hyperv: Convert assembler indirect jumps
x86/retpoline/xen: Convert Xen hypercall indirect jumps
x86/retpoline/checksum32: Convert assembler indirect jumps
x86/retpoline/irq32: Convert assembler indirect jumps
x86/retpoline: Fill return stack buffer on vmexit
selftests/x86: Add test_vsyscall
x86/retpoline: Remove compile time warning
objtool: Fix retpoline support for pre-ORC objtool
x86/pti/efi: broken conversion from efi to kernel page table
Linux 4.9.77
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>

820ef2a0e5 bpf, array: fix overflow in max_entries and undefined behavior in index_mask
commit bbeb6e4323dad9b5e0ee9f60c223dd532e2403b1 upstream.
syzkaller tried to alloc a map with 0xfffffffd entries out of a userns,
and thus unprivileged. With the recently added logic in b2157399cc98
("bpf: prevent out-of-bounds speculation") we round this up to the next
power of two value for max_entries for unprivileged such that we can
apply proper masking into potentially zeroed out map slots.
However, this will generate an index_mask of 0xffffffff, and therefore
a + 1 will let this overflow into new max_entries of 0. This will pass
allocation, etc, and later on map access we still enforce on the original
attr->max_entries value which was 0xfffffffd, therefore triggering GPF
all over the place. Thus bail out on overflow in such case.
Moreover, on 32 bit archs roundup_pow_of_two() can also not be used,
since fls_long(max_entries - 1) can result in 32 and 1UL << 32 in 32 bit
space is undefined. Therefore, do this by hand in a 64 bit variable.
This fixes all the issues triggered by syzkaller's reproducers.
Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation")
Reported-by: syzbot+b0efb8e572d01bce1ae0@syzkaller.appspotmail.com
Reported-by: syzbot+6c15e9744f75f2364773@syzkaller.appspotmail.com
Reported-by: syzbot+d2f5524fb46fd3b312ee@syzkaller.appspotmail.com
Reported-by: syzbot+61d23c95395cc90dbc2b@syzkaller.appspotmail.com
Reported-by: syzbot+0d363c942452cca68c01@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

a9bfac14cd bpf: prevent out-of-bounds speculation
commit b2157399cc9898260d6031c5bfe45fe137c1fbe7 upstream.
Under speculation, CPUs may mis-predict branches in bounds checks. Thus,
memory accesses under a bounds check may be speculated even if the
bounds check fails, providing a primitive for building a side channel.
To avoid leaking kernel data round up array-based maps and mask the index
after bounds check, so speculated load with out of bounds index will load
either valid value from the array or zero from the padded area.
Unconditionally mask index for all array types even when max_entries
are not rounded to power of 2 for root user.
When map is created by unpriv user generate a sequence of bpf insns
that includes AND operation to make sure that JITed code includes
the same 'index & index_mask' operation.
If prog_array map is created by unpriv user replace
bpf_tail_call(ctx, map, index);
with
if (index >= max_entries) {
index &= map->index_mask;
bpf_tail_call(ctx, map, index);
}
(along with roundup to power 2) to prevent out-of-bounds speculation.
There is secondary redundant 'if (index >= max_entries)' in the interpreter
and in all JITs, but they can be optimized later if necessary.
Other array-like maps (cpumap, devmap, sockmap, perf_event_array, cgroup_array)
cannot be used by unpriv, so no changes there.
That fixes bpf side of "Variant 1: bounds check bypass (CVE-2017-5753)" on
all architectures with and without JIT.
v2->v3:
Daniel noticed that attack potentially can be crafted via syscall commands
without loading the program, so add masking to those paths as well.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Jiri Slaby <jslaby@suse.cz>
[ Backported to 4.9 - gregkh ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

f55093dccd bpf: refactor fixup_bpf_calls()
commit 79741b3bdec01a8628368fbcfccc7d189ed606cb upstream.

Reduce indent and make it iterate over instructions similar to convert_ctx_accesses(). Also convert hard BUG_ON into soft verifier error.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Jiri Slaby <jslaby@suse.cz>
[Backported to 4.9.y - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

28035366af bpf: move fixup_bpf_calls() function
commit e245c5c6a5656e4d61aa7bb08e9694fd6e5b2b9d upstream.

No functional change. Move fixup_bpf_calls() to verifier.c; it's being refactored in the next patch.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Jiri Slaby <jslaby@suse.cz>
[backported to 4.9 - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
f3f3457d45
Merge 4.9.73 into android-4.9
Changes in 4.9.73
ACPI: APEI / ERST: Fix missing error handling in erst_reader()
acpi, nfit: fix health event notification
crypto: mcryptd - protect the per-CPU queue with a lock
mfd: cros ec: spi: Don't send first message too soon
mfd: twl4030-audio: Fix sibling-node lookup
mfd: twl6040: Fix child-node lookup
ALSA: rawmidi: Avoid racy info ioctl via ctl device
ALSA: usb-audio: Add native DSD support for Esoteric D-05X
ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU
PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
parisc: Hide Diva-built-in serial aux and graphics card
spi: xilinx: Detect stall with Unknown commands
pinctrl: cherryview: Mask all interrupts on Intel_Strago based systems
KVM: X86: Fix load RFLAGS w/o the fixed bit
kvm: x86: fix RSM when PCID is non-zero
clk: sunxi: sun9i-mmc: Implement reset callback for reset controls
powerpc/perf: Dereference BHRB entries safely
libnvdimm, pfn: fix start_pad handling for aligned namespaces
net: mvneta: clear interface link status on port disable
net: mvneta: use proper rxq_number in loop on rx queues
net: mvneta: eliminate wrong call to handle rx descriptor error
bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN
Linux 4.9.73
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
37435f7e80
bpf/verifier: Fix states_equal() comparison of pointer and UNKNOWN
An UNKNOWN_VALUE is not supposed to be derived from a pointer, unless pointer leaks are allowed. Therefore, states_equal() must not treat a state with a pointer in a register as "equal" to a state with an UNKNOWN_VALUE in that register.
This was fixed differently upstream, but the code around here was largely rewritten in 4.14 by commit f1174f77b50c "bpf/verifier: rework value tracking".
The bug can be detected by the bpf/verifier sub-test "pointer/scalar confusion in state equality check (way 1)".
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Cc: Edward Cree <ecree@solarflare.com>
Cc: Jann Horn <jannh@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
cb7518e616
Merge 4.9.72 into android-4.9
Changes in 4.9.72
cxl: Check if vphb exists before iterating over AFU devices
arm64: Initialise high_memory global variable earlier
ALSA: hda - add support for docking station for HP 820 G2
ALSA: hda - add support for docking station for HP 840 G3
kvm: fix usage of uninit spinlock in avic_vm_destroy()
HID: corsair: support for K65-K70 Rapidfire and Scimitar Pro RGB
HID: corsair: Add driver Scimitar Pro RGB gaming mouse 1b1c:1b3e support to hid-corsair
arm: kprobes: Fix the return address of multiple kretprobes
arm: kprobes: Align stack to 8-bytes in test code
nvme-loop: handle cpu unplug when re-establishing the controller
cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
r8152: fix the list rx_done may be used without initialization
crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
vsock: track pkt owner vsock
vhost-vsock: add pkt cancel capability
vsock: cancel packets when failing to connect
sch_dsmark: fix invalid skb_cow() usage
bna: integer overflow bug in debugfs
sctp: out_qlen should be updated when pruning unsent queue
net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4
hwmon: (max31790) Set correct PWM value
usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed
usb: gadget: udc: remove pointer dereference after free
netfilter: nfnl_cthelper: fix runtime expectation policy updates
netfilter: nfnl_cthelper: Fix memory leak
iommu/exynos: Workaround FLPD cache flush issues for SYSMMU v5
r8152: fix the rx early size of RTL8153
tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe
inet: frag: release spinlock before calling icmp_send()
pinctrl: st: add irq_request/release_resources callbacks
scsi: lpfc: Fix PT2PT PRLI reject
kvm: vmx: Flush TLB when the APIC-access address changes
KVM: x86: correct async page present tracepoint
KVM: VMX: Fix enable VPID conditions
ARM: dts: ti: fix PCI bus dtc warnings
hwmon: (asus_atk0110) fix uninitialized data access
HID: xinmo: fix for out of range for THT 2P arcade controller.
ASoC: STI: Fix reader substream pointer set
r8152: prevent the driver from transmitting packets with carrier off
s390/qeth: size calculation outbound buffers
s390/qeth: no ETH header for outbound AF_IUCV
bna: avoid writing uninitialized data into hw registers
i40iw: Receive netdev events post INET_NOTIFIER state
IB/core: Protect against self-requeue of a cq work item
infiniband: Fix alignment of mmap cookies to support VIPT caching
nbd: set queue timeout properly
net: Do not allow negative values for busy_read and busy_poll sysctl interfaces
IB/rxe: double free on error
IB/rxe: increment msn only when completing a request
i40e: Do not enable NAPI on q_vectors that have no rings
RDMA/iser: Fix possible mr leak on device removal event
irda: vlsi_ir: fix check for DMA mapping errors
netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table
netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
ARM: dts: am335x-evmsk: adjust mmc2 param to allow suspend
cpufreq: Fix creation of symbolic links to policy directories
net: ipconfig: fix ic_close_devs() use-after-free
KVM: pci-assign: do not map smm memory slot pages in vt-d page tables
virtio-balloon: use actual number of stats for stats queue buffers
virtio_balloon: prevent uninitialized variable use
isdn: kcapi: avoid uninitialized data
net: moxa: fix TX overrun memory leak
xhci: plat: Register shutdown for xhci_plat
netfilter: nfnetlink_queue: fix secctx memory leak
Btrfs: fix an integer overflow check
ARM: dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory
cpuidle: powernv: Pass correct drv->cpumask for registration
bnxt_en: Fix NULL pointer dereference in reopen failure path
backlight: pwm_bl: Fix overflow condition
crypto: crypto4xx - increase context and scatter ring buffer elements
rtc: pl031: make interrupt optional
kvm, mm: account kvm related kmem slabs to kmemcg
net: phy: at803x: Change error to EINVAL for invalid MAC
PCI: Avoid bus reset if bridge itself is broken
scsi: cxgb4i: fix Tx skb leak
scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1 volume created on two SATA drive
PCI: Create SR-IOV virtfn/physfn links before attaching driver
PM / OPP: Move error message to debug level
igb: check memory allocation failure
ixgbe: fix use of uninitialized padding
IB/rxe: check for allocation failure on elem
PCI/AER: Report non-fatal errors only to the affected endpoint
tracing: Exclude 'generic fields' from histograms
ASoC: img-parallel-out: Add pm_runtime_get/put to set_fmt callback
fm10k: fix mis-ordered parameters in declaration for .ndo_set_vf_bw
scsi: lpfc: Fix secure firmware updates
scsi: lpfc: PLOGI failures during NPIV testing
vfio/pci: Virtualize Maximum Payload Size
fm10k: ensure we process SM mbx when processing VF mbx
net: ipv6: send NS for DAD when link operationally up
staging: greybus: light: Release memory obtained by kasprintf
clk: sunxi-ng: sun6i: Rename HDMI DDC clock to avoid name collision
tcp: fix under-evaluated ssthresh in TCP Vegas
rtc: set the alarm to the next expiring timer
cpuidle: fix broadcast control when broadcast can not be entered
thermal: hisilicon: Handle return value of clk_prepare_enable
thermal/drivers/hisi: Fix missing interrupt enablement
thermal/drivers/hisi: Fix kernel panic on alarm interrupt
thermal/drivers/hisi: Simplify the temperature/step computation
thermal/drivers/hisi: Fix multiple alarm interrupts firing
MIPS: math-emu: Fix final emulation phase for certain instructions
platform/x86: asus-wireless: send an EV_SYN/SYN_REPORT between state changes
Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature"
bpf: adjust insn_aux_data when patching insns
bpf: fix branch pruning logic
bpf: reject out-of-bounds stack pointer calculation
bpf: fix incorrect sign extension in check_alu_op()
sparc32: Export vac_cache_size to fix build error
Linux 4.9.72
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
3695b3b185
bpf: fix incorrect sign extension in check_alu_op()
From: Jann Horn <jannh@google.com>
[ Upstream commit 95a762e2c8c942780948091f8f2a4f32fce1ac6f ]
Distinguish between
BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
only perform sign extension in the first case.
Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.
Debian assigned CVE-2017-16995 for this issue.
v3:
- add CVE number (Ben Hutchings)
Fixes:
d75d3ee237
bpf: reject out-of-bounds stack pointer calculation
From: Jann Horn <jannh@google.com>
Reject programs that compute wildly out-of-bounds stack pointers.
Otherwise, pointers can be computed with an offset that doesn't fit into an
`int`, causing security issues in the stack memory access check (as well as
signed integer overflow during offset addition).
This is a fix specifically for the v4.9 stable tree because the mainline
code looks very different at this point.
Fixes:
7b5b73ea87
bpf: fix branch pruning logic
From: Alexei Starovoitov <ast@fb.com>
[ Upstream commit c131187db2d3fa2f8bf32fdf4e9a4ef805168467 ]
When the verifier detects that a register contains a runtime constant
and it's compared with another constant, it will prune exploration
of the branch that is guaranteed not to be taken at runtime.
This is all correct, but a malicious program may be constructed
in such a way that it always has a constant comparison and
the other branch is never taken under any conditions.
In this case such a path through the program will not be explored
by the verifier. It won't be taken at run-time either, but since
all instructions are JITed the malicious program may cause JITs
to complain about using reserved fields, etc.
To fix the issue we have to track the instructions explored by
the verifier and sanitize instructions that are dead at run time
with NOPs. We cannot reject such dead code, since llvm generates
it for valid C code, since it doesn't do as much data flow
analysis as the verifier does.
Fixes:
565f012f5a
bpf: adjust insn_aux_data when patching insns
From: Alexei Starovoitov <ast@fb.com>
[ Upstream commit 8041902dae5299c1f194ba42d14383f734631009 ]
convert_ctx_accesses() replaces single bpf instruction with a set of instructions. Adjust corresponding insn_aux_data while patching. It's needed to make sure subsequent 'for(all insn)' loops have matching insn and insn_aux_data.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
3f1d77ca5f
Merge 4.9.69 into android-4.9
Changes in 4.9.69
usb: gadget: udc: renesas_usb3: fix number of the pipes
can: ti_hecc: Fix napi poll return value for repoll
can: kvaser_usb: free buf in error paths
can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
can: kvaser_usb: ratelimit errors if incomplete messages are received
can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
can: ems_usb: cancel urb on -EPIPE and -EPROTO
can: esd_usb2: cancel urb on -EPIPE and -EPROTO
can: usb_8dev: cancel urb on -EPIPE and -EPROTO
virtio: release virtio index when fail to device_register
hv: kvp: Avoid reading past allocated blocks from KVP file
isa: Prevent NULL dereference in isa_bus driver callbacks
scsi: dma-mapping: always provide dma_get_cache_alignment
scsi: use dma_get_cache_alignment() as minimum DMA alignment
scsi: libsas: align sata_device's rps_resp on a cacheline
efi: Move some sysfs files to be read-only by root
efi/esrt: Use memunmap() instead of kfree() to free the remapping
ASN.1: fix out-of-bounds read when parsing indefinite length item
ASN.1: check for error from ASN1_OP_END__ACT actions
KEYS: add missing permission check for request_key() destination
X.509: reject invalid BIT STRING for subjectPublicKey
X.509: fix comparisons of ->pkey_algo
x86/PCI: Make broadcom_postcore_init() check acpi_disabled
KVM: x86: fix APIC page invalidation
btrfs: fix missing error return in btrfs_drop_snapshot
ALSA: pcm: prevent UAF in snd_pcm_info
ALSA: seq: Remove spurious WARN_ON() at timer check
ALSA: usb-audio: Fix out-of-bound error
ALSA: usb-audio: Add check return value for usb_string()
iommu/vt-d: Fix scatterlist offset handling
smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
s390: fix compat system call table
KVM: s390: Fix skey emulation permission check
powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
brcmfmac: change driver unbind order of the sdio function devices
kdb: Fix handling of kallsyms_symbol_next() return value
drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
media: dvb: i2c transfers over usb cannot be done from stack
arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation
KVM: arm/arm64: vgic-its: Check result of allocation before use
arm64: fpsimd: Prevent registers leaking from dead tasks
bus: arm-cci: Fix use of smp_processor_id() in preemptible context
bus: arm-ccn: Check memory allocation failure
bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
crypto: talitos - fix AEAD test failures
crypto: talitos - fix memory corruption on SEC2
crypto: talitos - fix setkey to check key weakness
crypto: talitos - fix AEAD for sha224 on non sha224 capable chips
crypto: talitos - fix use of sg_link_tbl_len
crypto: talitos - fix ctr-aes-talitos
usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
ARM: BUG if jumping to usermode address in kernel mode
ARM: avoid faulting on qemu
thp: reduce indentation level in change_huge_pmd()
thp: fix MADV_DONTNEED vs. numa balancing race
mm: drop unused pmdp_huge_get_and_clear_notify()
Revert "drm/armada: Fix compile fail"
Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
ARM: 8657/1: uaccess: consistently check object sizes
vti6: Don't report path MTU below IPV6_MIN_MTU.
ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
x86/selftests: Add clobbers for int80 on x86_64
x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register
sched/fair: Make select_idle_cpu() more aggressive
x86/hpet: Prevent might sleep splat on resume
powerpc/64: Invalidate process table caching after setting process table
selftest/powerpc: Fix false failures for skipped tests
powerpc: Fix compiling a BE kernel with a powerpc64le toolchain
lirc: fix dead lock between open and wakeup_filter
module: set __jump_table alignment to 8
powerpc/64: Fix checksum folding in csum_add()
ARM: OMAP2+: Fix device node reference counts
ARM: OMAP2+: Release device node after it is no longer needed.
ASoC: rcar: avoid SSI_MODEx settings for SSI8
gpio: altera: Use handle_level_irq when configured as a level_high
HID: chicony: Add support for another ASUS Zen AiO keyboard
usb: gadget: configs: plug memory leak
USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
usb: dwc3: gadget: Fix system suspend/resume on TI platforms
usb: gadget: pxa27x: Test for a valid argument pointer
usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
libata: drop WARN from protocol error in ata_sff_qc_issue()
workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
scsi: qla2xxx: Fix ql_dump_buffer
scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
irqchip/crossbar: Fix incorrect type of register size
KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
arm: KVM: Survive unknown traps from guests
arm64: KVM: Survive unknown traps from guests
KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled
spi_ks8995: fix "BUG: key accdaa28 not in .data!"
spi_ks8995: regs_size incorrect for some devices
bnx2x: prevent crash when accessing PTP with interface down
bnx2x: fix possible overrun of VFPF multicast addresses array
bnx2x: fix detection of VLAN filtering feature for VF
bnx2x: do not rollback VF MAC/VLAN filters we did not configure
rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races
ibmvnic: Fix overflowing firmware/hardware TX queue
ibmvnic: Allocate number of rx/tx buffers agreed on by firmware
ipv6: reorder icmpv6_init() and ip6_mr_init()
crypto: s5p-sss - Fix completing crypto request in IRQ handler
i2c: riic: fix restart condition
blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue()
zram: set physical queue limits to avoid array out of bounds accesses
netfilter: don't track fragmented packets
axonram: Fix gendisk handling
drm/amd/amdgpu: fix console deadlock if late init failed
powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
EDAC, i5000, i5400: Fix definition of NRECMEMB register
kbuild: pkg: use --transform option to prefix paths in tar
coccinelle: fix parallel build with CHECK=scripts/coccicheck
x86/mpx/selftests: Fix up weird arrays
mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
route: also update fnhe_genid when updating a route cache
route: update fnhe_expires for redirect when the fnhe exists
drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'
lib/genalloc.c: make the avail variable an atomic_long_t
dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
NFS: Fix a typo in nfs_rename()
sunrpc: Fix rpc_task_begin trace point
xfs: fix forgotten rcu read unlock when skipping inode reclaim
dt-bindings: usb: fix reg-property port-number range
block: wake up all tasks blocked in get_request()
sparc64/mm: set fields in deferred pages
zsmalloc: calling zs_map_object() from irq is a bug
sctp: do not free asoc when it is already dead in sctp_sendmsg
sctp: use the right sk after waking up from wait_buf sleep
bpf: fix lockdep splat
clk: uniphier: fix DAPLL2 clock rate of Pro5
atm: horizon: Fix irq release error
jump_label: Invoke jump_label_test() via early_initcall()
xfrm: Copy policy family in clone_policy
IB/mlx4: Increase maximal message size under UD QP
IB/mlx5: Assign send CQ and recv CQ of UMR QP
afs: Connect up the CB.ProbeUuid
Linux 4.9.69
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
f45f4f8a7c
bpf: fix lockdep splat
[ Upstream commit 89ad2fa3f043a1e8daae193bcb5fe34d5f8caf28 ]
pcpu_freelist_pop() needs the same lockdep awareness as
pcpu_freelist_populate() to avoid a false positive.
[ INFO: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected ]
switchto-defaul/12508 [HC0[0]:SC0[6]:HE0:SE0] is trying to acquire:
(&htab->buckets[i].lock){......}, at: [<ffffffff9dc099cb>] __htab_percpu_map_update_elem+0x1cb/0x300
and this task is already holding:
(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}, at: [<ffffffff9e135848>] __dev_queue_xmit+0x868/0x1240
which would create a new lock dependency:
(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...} -> (&htab->buckets[i].lock){......}
but this new dependency connects a SOFTIRQ-irq-safe lock:
(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2){+.-...}
... which became SOFTIRQ-irq-safe at:
[<ffffffff9db5931b>] __lock_acquire+0x42b/0x1f10
[<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
[<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
[<ffffffff9e135848>] __dev_queue_xmit+0x868/0x1240
[<ffffffff9e136240>] dev_queue_xmit+0x10/0x20
[<ffffffff9e1965d9>] ip_finish_output2+0x439/0x590
[<ffffffff9e197410>] ip_finish_output+0x150/0x2f0
[<ffffffff9e19886d>] ip_output+0x7d/0x260
[<ffffffff9e19789e>] ip_local_out+0x5e/0xe0
[<ffffffff9e197b25>] ip_queue_xmit+0x205/0x620
[<ffffffff9e1b8398>] tcp_transmit_skb+0x5a8/0xcb0
[<ffffffff9e1ba152>] tcp_write_xmit+0x242/0x1070
[<ffffffff9e1baffc>] __tcp_push_pending_frames+0x3c/0xf0
[<ffffffff9e1b3472>] tcp_rcv_established+0x312/0x700
[<ffffffff9e1c1acc>] tcp_v4_do_rcv+0x11c/0x200
[<ffffffff9e1c3dc2>] tcp_v4_rcv+0xaa2/0xc30
[<ffffffff9e191107>] ip_local_deliver_finish+0xa7/0x240
[<ffffffff9e191a36>] ip_local_deliver+0x66/0x200
[<ffffffff9e19137d>] ip_rcv_finish+0xdd/0x560
[<ffffffff9e191e65>] ip_rcv+0x295/0x510
[<ffffffff9e12ff88>] __netif_receive_skb_core+0x988/0x1020
[<ffffffff9e130641>] __netif_receive_skb+0x21/0x70
[<ffffffff9e1306ff>] process_backlog+0x6f/0x230
[<ffffffff9e132129>] net_rx_action+0x229/0x420
[<ffffffff9da07ee8>] __do_softirq+0xd8/0x43d
[<ffffffff9e282bcc>] do_softirq_own_stack+0x1c/0x30
[<ffffffff9dafc2f5>] do_softirq+0x55/0x60
[<ffffffff9dafc3a8>] __local_bh_enable_ip+0xa8/0xb0
[<ffffffff9db4c727>] cpu_startup_entry+0x1c7/0x500
[<ffffffff9daab333>] start_secondary+0x113/0x140
to a SOFTIRQ-irq-unsafe lock:
(&head->lock){+.+...}
... which became SOFTIRQ-irq-unsafe at:
... [<ffffffff9db5971f>] __lock_acquire+0x82f/0x1f10
[<ffffffff9db5b32c>] lock_acquire+0xbc/0x1b0
[<ffffffff9da05e38>] _raw_spin_lock+0x38/0x50
[<ffffffff9dc0b7fa>] pcpu_freelist_pop+0x7a/0xb0
[<ffffffff9dc08b2c>] htab_map_alloc+0x50c/0x5f0
[<ffffffff9dc00dc5>] SyS_bpf+0x265/0x1200
[<ffffffff9e28195f>] entry_SYSCALL_64_fastpath+0x12/0x17
other info that might help us debug this:
Chain exists of:
dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2 --> &htab->buckets[i].lock --> &head->lock
Possible interrupt unsafe locking scenario:
CPU0 CPU1
---- ----
lock(&head->lock);
local_irq_disable();
lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);
lock(&htab->buckets[i].lock);
<Interrupt>
lock(dev_queue->dev->qdisc_class ?: &qdisc_tx_lock#2);
*** DEADLOCK ***
Fixes:
0521e0b3fc
UPSTREAM: selinux: bpf: Add additional check for bpf object file receive
Introduce a bpf object related check when sending and receiving files through unix domain socket as well as binder. It checks if the receiving process has privilege to read/write the bpf map or use the bpf program. This check is necessary because the bpf maps and programs are using an anonymous inode as their shared inode, so the normal way of checking the files and sockets when passing between processes cannot work properly on eBPF object. This check only works when the BPF_SYSCALL is configured.
Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry-pick from net-next: f66e448cfda021b0bcd884f26709796fe19c7cc1)
Bug: 30950746
Change-Id: I5b2cf4ccb4eab7eda91ddd7091d6aa3e7ed9f2cd
f3ad3766a9
BACKPORT: security: bpf: Add LSM hooks for bpf object related syscall
Introduce several LSM hooks for the syscalls that will allow the userspace to access eBPF objects such as eBPF programs and eBPF maps. The security check is aimed to enforce a per object security protection for eBPF object so only processes with the right privileges can read/write to a specific map or use a specific eBPF program. Besides that, a general security hook is added before the multiplexer of bpf syscall to check the cmd and the attribute used for the command. The actual security module can decide which commands need to be checked and how the cmd should be checked.
Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Added the LIST_HEAD_INIT call for security hooks; it no longer exists in upstream code.
(cherry-pick from net-next: afdb09c720b62b8090584c11151d856df330e57d)
Bug: 30950746
Change-Id: Ieb3ac74392f531735fc7c949b83346a5f587a77b
4672ded3ec
BACKPORT: bpf: Add file mode configuration into bpf maps
Introduce the map read/write flags to the eBPF syscalls that return the map fd. The flags are used to set up the file mode when constructing a new file descriptor for bpf maps. To not break the backward capability, the f_flags is set to O_RDWR if the flag passed by syscall is 0. Otherwise it should be O_RDONLY or O_WRONLY. When the userspace wants to modify or read the map content, it will check the file mode to see if it is allowed to make the change.
Signed-off-by: Chenbo Feng <fengc@google.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Deleted the file mode configuration code in unsupported map type and removed the file mode check in non-existing helper functions.
(cherry-pick from net-next: 6e71b04a82248ccf13a94b85cbc674a9fefe53f5)
Bug: 30950746
Change-Id: Icfad20f1abb77f91068d244fb0d87fa40824dd1b
cdbe07ad26
Merge 4.9.55 into android-4.9
Changes in 4.9.55
USB: gadgetfs: Fix crash caused by inadequate synchronization
USB: gadgetfs: fix copy_to_user while holding spinlock
usb: gadget: udc: atmel: set vbus irqflags explicitly
usb: gadget: udc: renesas_usb3: fix for no-data control transfer
usb: gadget: udc: renesas_usb3: fix Pn_RAMMAP.Pn_MPKT value
usb: gadget: udc: renesas_usb3: Fix return value of usb3_write_pipe()
usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
usb-storage: fix bogus hardware error messages for ATA pass-thru devices
usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
usb: pci-quirks.c: Corrected timeout values used in handshake
USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
USB: dummy-hcd: fix connection failures (wrong speed)
USB: dummy-hcd: fix infinite-loop resubmission bug
USB: dummy-hcd: Fix erroneous synchronization change
USB: devio: Don't corrupt user memory
usb: gadget: mass_storage: set msg_registered after msg registered
USB: g_mass_storage: Fix deadlock when driver is unbound
USB: uas: fix bug in handling of alternate settings
USB: core: harden cdc_parse_cdc_header
usb: Increase quirk delay for USB devices
USB: fix out-of-bounds in usb_set_configuration
xhci: fix finding correct bus_state structure for USB 3.1 hosts
xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()'
iio: ad_sigma_delta: Implement a dedicated reset function
staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
iio: core: Return error for failed read_reg
IIO: BME280: Updates to Humidity readings need ctrl_reg write!
iio: ad7793: Fix the serial interface reset
iio: adc: mcp320x: Fix readout of negative voltages
iio: adc: mcp320x: Fix oops on module unload
uwb: properly check kthread_run return value
uwb: ensure that endpoint is interrupt
staging: vchiq_2835_arm: Fix NULL ptr dereference in free_pagelist
mm, oom_reaper: skip mm structs with mmu notifiers
lib/ratelimit.c: use deferred printk() version
lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
ALSA: compress: Remove unused variable
Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members"
ALSA: usx2y: Suppress kernel warning at page allocation failures
mlxsw: spectrum: Prevent mirred-related crash on removal
net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
tcp: update skb->skb_mstamp more carefully
bpf/verifier: reject BPF_ALU64|BPF_END
tcp: fix data delivery rate
udpv6: Fix the checksum computation when HW checksum does not apply
ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
net: phy: Fix mask value write on gmii2rgmii converter speed register
ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
net/sched: cls_matchall: fix crash when used with classful qdisc
tcp: fastopen: fix on syn-data transmit failure
net: emac: Fix napi poll list corruption
packet: hold bind lock when rebinding to fanout hook
bpf: one perf event close won't free bpf program attached by another perf event
isdn/i4l: fetch the ppp_write buffer in one shot
net_sched: always reset qdisc backlog in qdisc_reset()
net: qcom/emac: specify the correct size when mapping a DMA buffer
vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
l2tp: Avoid schedule while atomic in exit_net
l2tp: fix race condition in l2tp_tunnel_delete
tun: bail out from tun_get_user() if the skb is empty
net: dsa: Fix network device registration order
packet: in packet_do_bind, test fanout with bind_lock held
packet: only test po->has_vnet_hdr once in packet_snd
net: Set sk_prot_creator when cloning sockets to the right proto
netlink: do not proceed if dump's start() errs
ip6_gre: ip6gre_tap device should keep dst
ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
tipc: use only positive error codes in messages
net: rtnetlink: fix info leak in RTM_GETSTATS call
socket, bpf: fix possible use after free
powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks
powerpc/tm: Fix illegal TM state in signal handler
percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
driver core: platform: Don't read past the end of "driver_override" buffer
Drivers: hv: fcopy: restore correct transfer length
stm class: Fix a use-after-free
ftrace: Fix kmemleak in unregister_ftrace_graph
HID: i2c-hid: allocate hid buffers for real worst case
HID: wacom: leds: Don't try to control the EKR's read-only LEDs
HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
HID: wacom: bits shifted too much for 9th and 10th buttons
rocker: fix rocker_tlv_put_* functions for KASAN
netlink: fix nla_put_{u8,u16,u32} for KASAN
iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
iwlwifi: add workaround to disable wide channels in 5GHz
scsi: sd: Do not override max_sectors_kb sysfs setting
brcmfmac: add length check in brcmf_cfg80211_escan_handler()
brcmfmac: setup passive scan if requested by user-space
drm/i915/bios: ignore HDMI on port A
nvme-pci: Use PCI bus address for data/queues in CMB
mmc: core: add driver strength selection when selecting hs400es
sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
vfs: deny copy_file_range() for non regular files
ext4: fix data corruption for mmap writes
ext4: Don't clear SGID when inheriting ACLs
ext4: don't allow encrypted operations without keys
f2fs: don't allow encrypted operations without keys
KVM: x86: fix singlestepping over syscall
Linux 4.9.55
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
e159492b3c
bpf/verifier: reject BPF_ALU64|BPF_END
[ Upstream commit e67b8a685c7c984e834e3181ef4619cd7025a136 ]
Neither ___bpf_prog_run nor the JITs accept it.
Also adds a new test case.
Fixes:
a3840b1234
Merge 4.9.46 into android-4.9
Changes in 4.9.46
sparc64: remove unnecessary log message
af_key: do not use GFP_KERNEL in atomic contexts
dccp: purge write queue in dccp_destroy_sock()
dccp: defer ccid_hc_tx_delete() at dismantle time
ipv4: fix NULL dereference in free_fib_info_rcu()
net_sched/sfq: update hierarchical backlog when drop packet
net_sched: remove warning from qdisc_hash_add
bpf: fix bpf_trace_printk on 32 bit archs
openvswitch: fix skb_panic due to the incorrect actions attrlen
ptr_ring: use kmalloc_array()
ipv4: better IP_MAX_MTU enforcement
nfp: fix infinite loop on umapping cleanup
sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
tipc: fix use-after-free
ipv6: reset fn->rr_ptr when replacing route
ipv6: repair fib6 tree in failure case
tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
irda: do not leak initialized list.dev to userspace
net: sched: fix NULL pointer dereference when action calls some targets
net_sched: fix order of queue length updates in qdisc_replace()
bpf, verifier: add additional patterns to evaluate_reg_imm_alu
bpf: adjust verifier heuristics
bpf, verifier: fix alu ops against map_value{, _adj} register types
bpf: fix mixed signed/unsigned derived min/max value bounds
bpf/verifier: fix min/max handling in BPF_SUB
Input: trackpoint - add new trackpoint firmware ID
Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
Input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad
KVM: s390: sthyi: fix sthyi inline assembly
KVM: s390: sthyi: fix specification exception detection
KVM: x86: block guest protection keys unless the host has them enabled
ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets
ALSA: core: Fix unexpected error at replacing user TLV
ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
ALSA: firewire: fix NULL pointer dereference when releasing uninitialized data of iso-resource
ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses
mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled
i2c: designware: Fix system suspend
mm/madvise.c: fix freeing of locked page with MADV_FREE
fork: fix incorrect fput of ->exe_file causing use-after-free
mm/memblock.c: reversed logic in memblock_discard()
drm: Release driver tracking before making the object available again
drm/atomic: If the atomic check fails, return its value first
drm: rcar-du: Fix crash in encoder failure error path
drm: rcar-du: Fix display timing controller parameter
drm: rcar-du: Fix H/V sync signal polarity configuration
tracing: Call clear_boot_tracer() at lateinit_sync
tracing: Fix kmemleak in tracing_map_array_free()
tracing: Fix freeing of filter in create_filter() when set_str is false
kbuild: linker script do not match C names unless LD_DEAD_CODE_DATA_ELIMINATION is configured
cifs: Fix df output for users with quota limits
cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
nfsd: Limit end of page list when decoding NFSv4 WRITE
ftrace: Check for null ret_stack on profile function graph entry function
perf/core: Fix group {cpu,task} validation
perf probe: Fix --funcs to show correct symbols for offline module
perf/x86/intel/rapl: Make package handling more robust
timers: Fix excessive granularity of new timers after a nohz idle
x86/mm: Fix use-after-free of ldt_struct
net: sunrpc: svcsock: fix NULL-pointer exception
Revert "leds: handle suspend/resume in heartbeat trigger"
netfilter: nat: fix src map lookup
Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
Bluetooth: cmtp: fix possible might sleep error in cmtp_session
Bluetooth: bnep: fix possible might sleep error in bnep_session
Revert "android: binder: Sanity check at binder ioctl"
binder: use group leader instead of open thread
binder: Use wake up hint for synchronous transactions.
ANDROID: binder: fix proc->tsk check.
iio: imu: adis16480: Fix acceleration scale factor for adis16480
iio: hid-sensor-trigger: Fix the race with user space powering up sensors
staging: rtl8188eu: add RNX-N150NUB support
Clarify (and fix) MAX_LFS_FILESIZE macros
ntb_transport: fix qp count bug
ntb_transport: fix bug calculating num_qps_mw
NTB: ntb_test: fix bug printing ntb_perf results
ntb: no sleep in ntb_async_tx_submit
ntb: ntb_test: ensure the link is up before trying to configure the mws
ntb: transport shouldn't disable link due to bogus values in SPADs
ACPI: ioapic: Clear on-stack resource before using it
ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
ACPI: EC: Fix regression related to wrong ECDT initialization order
powerpc/mm: Ensure cpumask update is ordered
Linux 4.9.46
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
655da3da9b
bpf/verifier: fix min/max handling in BPF_SUB
[ Upstream commit 9305706c2e808ae59f1eb201867f82f1ddf6d7a6 ]
We have to subtract the src max from the dst min, and vice-versa, since
(e.g.) the smallest result comes from the largest subtrahend.
Fixes:
bf5b91b782
bpf: fix mixed signed/unsigned derived min/max value bounds
[ Upstream commit 4cabc5b186b5427b9ee5a7495172542af105f02b ]
Edward reported that there's an issue in min/max value bounds
tracking when signed and unsigned compares both provide hints
on limits when having unknown variables. E.g. a program such
as the following should have been rejected:
0: (7a) *(u64 *)(r10 -8) = 0
1: (bf) r2 = r10
2: (07) r2 += -8
3: (18) r1 = 0xffff8a94cda93400
5: (85) call bpf_map_lookup_elem#1
6: (15) if r0 == 0x0 goto pc+7
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R10=fp
7: (7a) *(u64 *)(r10 -16) = -8
8: (79) r1 = *(u64 *)(r10 -16)
9: (b7) r2 = -1
10: (2d) if r1 > r2 goto pc+3
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=0
R2=imm-1,max_value=18446744073709551615,min_align=1 R10=fp
11: (65) if r1 s> 0x1 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=0,max_value=1
R2=imm-1,max_value=18446744073709551615,min_align=1 R10=fp
12: (0f) r0 += r1
13: (72) *(u8 *)(r0 +0) = 0
R0=map_value_adj(ks=8,vs=8,id=0),min_value=0,max_value=1 R1=inv,min_value=0,max_value=1
R2=imm-1,max_value=18446744073709551615,min_align=1 R10=fp
14: (b7) r0 = 0
15: (95) exit
What happens is that in the first part ...
8: (79) r1 = *(u64 *)(r10 -16)
9: (b7) r2 = -1
10: (2d) if r1 > r2 goto pc+3
... r1 carries an unsigned value, and is compared as unsigned
against a register carrying an immediate. Verifier deduces in
reg_set_min_max() that since the compare is unsigned and operation
is greater than (>), that in the fall-through/false case, r1's
minimum bound must be 0 and maximum bound must be r2. Latter is
larger than the bound and thus max value is reset back to being
'invalid' aka BPF_REGISTER_MAX_RANGE. Thus, r1 state is now
'R1=inv,min_value=0'. The subsequent test ...
11: (65) if r1 s> 0x1 goto pc+2
... is a signed compare of r1 with immediate value 1. Here,
verifier deduces in reg_set_min_max() that since the compare
is signed this time and operation is greater than (>), that
in the fall-through/false case, we can deduce that r1's maximum
bound must be 1, meaning with prior test, we result in r1 having
the following state: R1=inv,min_value=0,max_value=1. Given that
the actual value this holds is -8, the bounds are wrongly deduced.
When this is being added to r0 which holds the map_value(_adj)
type, then subsequent store access in above case will go through
check_mem_access() which invokes check_map_access_adj(), that
will then probe whether the map memory is in bounds based
on the min_value and max_value as well as access size since
the actual unknown value is min_value <= x <= max_value; commit
fce366a9dd0d ("bpf, verifier: fix alu ops against map_value{,
_adj} register types") provides some more explanation on the
semantics.
It's worth noting in this context that in the current code,
min_value and max_value tracking are used for two things, i)
dynamic map value access via check_map_access_adj() and since
commit 06c1c049721a ("bpf: allow helpers access to variable memory")
ii) also enforced at check_helper_mem_access() when passing a
memory address (pointer to packet, map value, stack) and length
pair to a helper and the length in this case is an unknown value
defining an access range through min_value/max_value in that
case. The min_value/max_value tracking is /not/ used in the
direct packet access case to track ranges. However, the issue
also affects case ii), for example, the following crafted program
based on the same principle must be rejected as well:
0: (b7) r2 = 0
1: (bf) r3 = r10
2: (07) r3 += -512
3: (7a) *(u64 *)(r10 -16) = -8
4: (79) r4 = *(u64 *)(r10 -16)
5: (b7) r6 = -1
6: (2d) if r4 > r6 goto pc+5
R1=ctx R2=imm0,min_value=0,max_value=0,min_align=2147483648 R3=fp-512
R4=inv,min_value=0 R6=imm-1,max_value=18446744073709551615,min_align=1 R10=fp
7: (65) if r4 s> 0x1 goto pc+4
R1=ctx R2=imm0,min_value=0,max_value=0,min_align=2147483648 R3=fp-512
R4=inv,min_value=0,max_value=1 R6=imm-1,max_value=18446744073709551615,min_align=1
R10=fp
8: (07) r4 += 1
9: (b7) r5 = 0
10: (6a) *(u16 *)(r10 -512) = 0
11: (85) call bpf_skb_load_bytes#26
12: (b7) r0 = 0
13: (95) exit
Meaning, while we initialize the max_value stack slot that the
verifier thinks we access in the [1,2] range, in reality we
pass -7 as length which is interpreted as u32 in the helper.
Thus, this issue is relevant also for the case of helper ranges.
Resetting both bounds in check_reg_overflow() in case only one
of them exceeds limits is also not enough as similar test can be
created that uses values which are within range, thus also here
learned min value in r1 is incorrect when mixed with later signed
test to create a range:
0: (7a) *(u64 *)(r10 -8) = 0
1: (bf) r2 = r10
2: (07) r2 += -8
3: (18) r1 = 0xffff880ad081fa00
5: (85) call bpf_map_lookup_elem#1
6: (15) if r0 == 0x0 goto pc+7
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R10=fp
7: (7a) *(u64 *)(r10 -16) = -8
8: (79) r1 = *(u64 *)(r10 -16)
9: (b7) r2 = 2
10: (3d) if r2 >= r1 goto pc+3
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R10=fp
11: (65) if r1 s> 0x4 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0
R1=inv,min_value=3,max_value=4 R2=imm2,min_value=2,max_value=2,min_align=2 R10=fp
12: (0f) r0 += r1
13: (72) *(u8 *)(r0 +0) = 0
R0=map_value_adj(ks=8,vs=8,id=0),min_value=3,max_value=4
R1=inv,min_value=3,max_value=4 R2=imm2,min_value=2,max_value=2,min_align=2 R10=fp
14: (b7) r0 = 0
15: (95) exit
This leaves us with two options for fixing this: i) to invalidate
all prior learned information once we switch signed context, ii)
to track min/max signed and unsigned boundaries separately as
done in [0]. (Given latter introduces major changes throughout
the whole verifier, it's rather net-next material, thus this
patch follows option i), meaning we can derive bounds either
from only signed tests or only unsigned tests.) There is still the
case of adjust_reg_min_max_vals(), where we adjust bounds on ALU
operations, meaning programs like the following where boundaries
on the reg get mixed in context later on when bounds are merged
on the dst reg must get rejected, too:
0: (7a) *(u64 *)(r10 -8) = 0
1: (bf) r2 = r10
2: (07) r2 += -8
3: (18) r1 = 0xffff89b2bf87ce00
5: (85) call bpf_map_lookup_elem#1
6: (15) if r0 == 0x0 goto pc+6
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R10=fp
7: (7a) *(u64 *)(r10 -16) = -8
8: (79) r1 = *(u64 *)(r10 -16)
9: (b7) r2 = 2
10: (3d) if r2 >= r1 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R10=fp
11: (b7) r7 = 1
12: (65) if r7 s> 0x0 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R7=imm1,max_value=0 R10=fp
13: (b7) r0 = 0
14: (95) exit
from 12 to 15: R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0
R1=inv,min_value=3 R2=imm2,min_value=2,max_value=2,min_align=2 R7=imm1,min_value=1 R10=fp
15: (0f) r7 += r1
16: (65) if r7 s> 0x4 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R7=inv,min_value=4,max_value=4 R10=fp
17: (0f) r0 += r7
18: (72) *(u8 *)(r0 +0) = 0
R0=map_value_adj(ks=8,vs=8,id=0),min_value=4,max_value=4 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R7=inv,min_value=4,max_value=4 R10=fp
19: (b7) r0 = 0
20: (95) exit
Meaning, in adjust_reg_min_max_vals() we must also reset range
values on the dst when src/dst registers have mixed signed/
unsigned derived min/max value bounds with one unbounded value
as otherwise they can be added together deducing false boundaries.
Once both boundaries are established from either ALU ops or
compare operations w/o mixing signed/unsigned insns, then they
can safely be added to other regs also having both boundaries
established. Adding regs with one unbounded side to a map value
where the bounded side has been learned w/o mixing ops is
possible, but the resulting map value won't recover from that,
meaning such op is considered invalid on the time of actual
access. Invalid bounds are set on the dst reg in case i) src reg,
or ii) in case dst reg already had them. The only way to recover
would be to perform i) ALU ops but only 'add' is allowed on map
value types or ii) comparisons, but these are disallowed on
pointers in case they span a range. This is fine as only BPF_JEQ
and BPF_JNE may be performed on PTR_TO_MAP_VALUE_OR_NULL registers
which potentially turn them into PTR_TO_MAP_VALUE type depending
on the branch, so only here min/max value cannot be invalidated
for them.
In terms of state pruning, value_from_signed is considered
as well in states_equal() when dealing with adjusted map values.
With regards to breaking existing programs, there is a small
risk, but use-cases are rather quite narrow where this could
occur and mixing compares probably unlikely.
Joint work with Josef and Edward.
[0] https://lists.iovisor.org/pipermail/iovisor-dev/2017-June/000822.html
Fixes:
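As an added example (not code from the kernel or from any of the commits on this page), the following C program is a small model of the bounds reasoning behind the two verifier fixes above, "bpf/verifier: fix min/max handling in BPF_SUB" and "bpf: fix mixed signed/unsigned derived min/max value bounds". It replays the first program quoted in the mixed-bounds commit, shows that the pre-fix deduction of [0,1] for r1 does not contain the run-time value -8 that takes the same path, shows that option i) of the fix (dropping bounds learned in the other signedness context) leaves the map access unverifiable, and does interval subtraction the way the BPF_SUB fix describes. Everything in it is this example's own simplification: the function names (fallthrough_ugt, fallthrough_sgt, map_access_ok, bounds_sub), the use of INT64_MIN / INT64_MAX as "unknown" sentinels in place of the kernel's BPF_REGISTER_MIN_RANGE / BPF_REGISTER_MAX_RANGE, and the `fixed` flag that switches between the pre-fix and post-fix behaviour.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of the 4.9 verifier's min/max tracking for an unknown scalar,
 * constructed for this note; not kernel code. INT64_MIN / INT64_MAX stand in
 * for "no bound known" (the kernel's BPF_REGISTER_MIN_RANGE / _MAX_RANGE). */
struct bounds {
	int64_t min, max;
	bool value_from_signed;	/* last bound was learned by a signed compare */
};

static struct bounds bounds_unknown(void) { return (struct bounds){ INT64_MIN, INT64_MAX, false }; }
static bool knows_something(struct bounds b) { return b.min != INT64_MIN || b.max != INT64_MAX; }
static bool fully_known(struct bounds b) { return b.min != INT64_MIN && b.max != INT64_MAX; }

/* Fall-through of "if reg > imm" (unsigned): 0 <= reg <= imm; an imm that
 * does not fit int64 (-1 seen as u64) leaves the max unknown. With `fixed`,
 * option i) of the mixed-bounds commit applies: bounds learned in the other
 * signedness context are dropped rather than combined. */
static struct bounds fallthrough_ugt(struct bounds b, uint64_t imm, bool fixed)
{
	if (fixed && b.value_from_signed && knows_something(b))
		b = bounds_unknown();
	if (b.min < 0)
		b.min = 0;
	if (imm <= (uint64_t)INT64_MAX && (int64_t)imm < b.max)
		b.max = (int64_t)imm;
	b.value_from_signed = false;
	return b;
}

/* Fall-through of "if reg s> imm" (signed): reg <= imm. */
static struct bounds fallthrough_sgt(struct bounds b, int64_t imm, bool fixed)
{
	if (fixed && !b.value_from_signed && knows_something(b))
		b = bounds_unknown();
	if (imm < b.max)
		b.max = imm;
	b.value_from_signed = true;
	return b;
}

/* As in check_map_access_adj(): a variable-offset access passes only when
 * both bounds are known and the whole range fits inside the map value. */
static bool map_access_ok(struct bounds off, int64_t size, int64_t value_size)
{
	return fully_known(off) && off.min >= 0 && off.max <= value_size - size;
}

/* Replays the first program of the commit: r1 is an unknown u64 (really -8),
 * "if r1 > -1" and "if r1 s> 1" both fall through, then r0 (8-byte map
 * value) += r1 and a 1-byte store goes through r0. */
static bool verifier_accepts_mixed_program(bool fixed)
{
	struct bounds r1 = bounds_unknown();

	r1 = fallthrough_ugt(r1, (uint64_t)-1, fixed);	/* R1=inv,min_value=0 */
	r1 = fallthrough_sgt(r1, 1, fixed);		/* pre-fix: max_value=1 */
	return map_access_ok(r1, 1, 8);
}

/* Pre-fix, [0,1] is deduced for r1 although the run-time value -8 satisfies
 * both fall-through conditions (-8 <= -1 as u64, -8 <= 1 as s64). */
static bool prefix_range_is_sound(void)
{
	struct bounds r1 = bounds_unknown();
	const int64_t x = -8;
	const uint64_t uimm = (uint64_t)-1;
	const bool path_taken = (uint64_t)x <= uimm && x <= 1;

	r1 = fallthrough_ugt(r1, uimm, false);
	r1 = fallthrough_sgt(r1, 1, false);
	return !path_taken || (r1.min <= x && x <= r1.max);
}

/* Interval subtraction dst -= src as the BPF_SUB fix states it: the smallest
 * result is dst.min - src.max, the largest dst.max - src.min. A side that is
 * unknown or overflows stays unknown; operands whose bounds came from
 * different signedness contexts with an open side are not combined at all. */
static struct bounds bounds_sub(struct bounds dst, struct bounds src)
{
	struct bounds r = bounds_unknown();
	int64_t v;

	if (dst.value_from_signed != src.value_from_signed &&
	    (!fully_known(dst) || !fully_known(src)))
		return r;
	if (dst.min != INT64_MIN && src.max != INT64_MAX &&
	    !__builtin_sub_overflow(dst.min, src.max, &v))
		r.min = v;
	if (dst.max != INT64_MAX && src.min != INT64_MIN &&
	    !__builtin_sub_overflow(dst.max, src.min, &v))
		r.max = v;
	r.value_from_signed = dst.value_from_signed;
	return r;
}

int main(void)
{
	printf("pre-fix accepts=%d fixed accepts=%d pre-fix range sound=%d\n",
	       verifier_accepts_mixed_program(false),
	       verifier_accepts_mixed_program(true), prefix_range_is_sound());
	return 0;
}
```

Run as-is it prints `pre-fix accepts=1 fixed accepts=0 pre-fix range sound=0`: the pre-fix tracker lets the 1-byte store through with r1 at -8, i.e. 8 bytes before the map value, while the fixed tracker, having thrown away the unsigned-derived min when the signed compare arrives, is left with an open lower bound and rejects the access. For the subtraction half, `bounds_sub([3,4], [1,2])` gives [1,3]; subtracting min from min and max from max would give [2,2] and exclude the real result 3 - 2 = 1.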
8d674bee8f
bpf, verifier: fix alu ops against map_value{, _adj} register types
[ Upstream commit fce366a9dd0ddc47e7ce05611c266e8574a45116 ]
While looking into map_value_adj, I noticed that alu operations
directly on the map_value() resp. map_value_adj() register (any
alu operation on a map_value() register will turn it into a
map_value_adj() typed register) are not sufficiently protected
against some of the operations. Two non-exhaustive examples are
provided that the verifier needs to reject:
i) BPF_AND on r0 (map_value_adj):
0: (bf) r2 = r10
1: (07) r2 += -8
2: (7a) *(u64 *)(r2 +0) = 0
3: (18) r1 = 0xbf842a00
5: (85) call bpf_map_lookup_elem#1
6: (15) if r0 == 0x0 goto pc+2
R0=map_value(ks=8,vs=48,id=0),min_value=0,max_value=0 R10=fp
7: (57) r0 &= 8
8: (7a) *(u64 *)(r0 +0) = 22
R0=map_value_adj(ks=8,vs=48,id=0),min_value=0,max_value=8 R10=fp
9: (95) exit
from 6 to 9: R0=inv,min_value=0,max_value=0 R10=fp
9: (95) exit
processed 10 insns
ii) BPF_ADD in 32 bit mode on r0 (map_value_adj):
0: (bf) r2 = r10
1: (07) r2 += -8
2: (7a) *(u64 *)(r2 +0) = 0
3: (18) r1 = 0xc24eee00
5: (85) call bpf_map_lookup_elem#1
6: (15) if r0 == 0x0 goto pc+2
R0=map_value(ks=8,vs=48,id=0),min_value=0,max_value=0 R10=fp
7: (04) (u32) r0 += (u32) 0
8: (7a) *(u64 *)(r0 +0) = 22
R0=map_value_adj(ks=8,vs=48,id=0),min_value=0,max_value=0 R10=fp
9: (95) exit
from 6 to 9: R0=inv,min_value=0,max_value=0 R10=fp
9: (95) exit
processed 10 insns
Issue is, while min_value / max_value boundaries for the access
are adjusted appropriately, we change the pointer value in a way
that cannot be sufficiently tracked anymore from its origin.
Operations like BPF_{AND,OR,DIV,MUL,etc} on a destination register
that is PTR_TO_MAP_VALUE{,_ADJ} was probably unintended, in fact,
all the test cases coming with
577aa83b28
bpf: adjust verifier heuristics
[ Upstream commit 3c2ce60bdd3d57051bf85615deec04a694473840 ]
Current limits with regards to processing program paths do not really reflect today's needs anymore due to programs becoming more complex and verifier smarter, keeping track of more data such as const ALU operations, alignment tracking, spilling of PTR_TO_MAP_VALUE_ADJ registers, and other features allowing for smarter matching of what LLVM generates. This also comes with the side-effect that we result in fewer opportunities to prune search states and thus often need to do more work to prove safety than in the past due to different register states and stack layout where we mismatch. Generally, it's quite hard to determine what caused a sudden increase in complexity, it could be caused by something as trivial as a single branch somewhere at the beginning of the program where LLVM assigned a stack slot that is marked differently throughout other branches and thus causing a mismatch, where verifier then needs to prove safety for the whole rest of the program. Subsequently, programs with even less than half the insn size limit can get rejected.
We noticed that while some programs load fine under pre 4.11, they get rejected due to hitting limits on more recent kernels. We saw that in the vast majority of cases (90+%) pruning failed due to register mismatches. In case of stack mismatches, majority of cases failed due to different stack slot types (invalid, spill, misc) rather than differences in spilled registers.
This patch makes pruning more aggressive by also adding markers that sit at conditional jumps as well. Currently, we only mark jump targets for pruning. For example in direct packet access, these are usually error paths where we bail out. We found that adding these markers, it can reduce number of processed insns by up to 30%.
Another option is to ignore reg->id in probing PTR_TO_MAP_VALUE_OR_NULL registers, which can help pruning slightly as well by up to 7% observed complexity reduction as stand-alone. Meaning, if a previous path with register type PTR_TO_MAP_VALUE_OR_NULL for map X was found to be safe, then in the current state a PTR_TO_MAP_VALUE_OR_NULL register for the same map X must be safe as well.
Last but not least the patch also adds a scheduling point and bumps the current limit for instructions to be processed to a more adequate value.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
e37bdeee95
bpf, verifier: add additional patterns to evaluate_reg_imm_alu
[ Upstream commit 43188702b3d98d2792969a3377a30957f05695e6 ]
Currently the verifier does not track imm across alu operations when the source register is of unknown type. This adds additional pattern matching to catch this and track imm. We've seen LLVM generating this pattern while working on cilium.
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
14accea70e
Merge 4.9.39 into android-4.9
Changes in 4.9.39
xen-netfront: Rework the fix for Rx stall during OOM and network stress
net_sched: fix error recovery at qdisc creation
net: sched: Fix one possible panic when no destroy callback
net/phy: micrel: configure interrupts after autoneg workaround
ipv6: avoid unregistering inet6_dev for loopback
net: dp83640: Avoid NULL pointer dereference.
tcp: reset sk_rx_dst in tcp_disconnect()
net: prevent sign extension in dev_get_stats()
bridge: mdb: fix leak on complete_info ptr on fail path
rocker: move dereference before free
bpf: prevent leaking pointer via xadd on unprivileged
net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
net/mlx5: Cancel delayed recovery work when unloading the driver
liquidio: fix bug in soft reset failure detection
net/mlx5e: Fix TX carrier errors report in get stats ndo
ipv6: dad: don't remove dynamic addresses if link is down
vxlan: fix hlist corruption
net: core: Fix slab-out-of-bounds in netdev_stats_to_stats64
net: ipv6: Compare lwstate in detecting duplicate nexthops
vrf: fix bug_on triggered by rx when destroying a vrf
rds: tcp: use sock_create_lite() to create the accept socket
brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
brcmfmac: Fix a memory leak in error handling path in 'brcmf_cfg80211_attach'
brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
sfc: don't read beyond unicast address list
cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE
cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
cfg80211: Check if PMKID attribute is of expected size
cfg80211: Check if NAN service ID is of expected size
irqchip/gic-v3: Fix out-of-bound access in gic_set_affinity
parisc: Report SIGSEGV instead of SIGBUS when running out of stack
parisc: use compat_sys_keyctl()
parisc: DMA API: return error instead of BUG_ON for dma ops on non dma devs
parisc/mm: Ensure IRQs are off in switch_mm()
tools/lib/lockdep: Reduce MAX_LOCK_DEPTH to avoid overflowing lock_chain/: Depth
thp, mm: fix crash due race in MADV_FREE handling
kernel/extable.c: mark core_kernel_text notrace
mm/list_lru.c: fix list_lru_count_node() to be race free
fs/dcache.c: fix spin lockup issue on nlru->lock
checkpatch: silence perl 5.26.0 unescaped left brace warnings
binfmt_elf: use ELF_ET_DYN_BASE only for PIE
arm: move ELF_ET_DYN_BASE to 4MB
arm64: move ELF_ET_DYN_BASE to 4GB / 4MB
powerpc: move ELF_ET_DYN_BASE to 4GB / 4MB
s390: reduce ELF_ET_DYN_BASE
exec: Limit arg stack to at most 75% of _STK_LIM
ARM64: dts: marvell: armada37xx: Fix timer interrupt specifiers
vt: fix unchecked __put_user() in tioclinux ioctls
rcu: Add memory barriers for NOCB leader wakeup
nvmem: core: fix leaks on registration errors
mnt: In umount propagation reparent in a separate pass
mnt: In propgate_umount handle visiting mounts in any order
mnt: Make propagate_umount less slow for overlapping mount propagation trees
selftests/capabilities: Fix the test_execve test
mm: fix overflow check in expand_upwards()
crypto: talitos - Extend max key length for SHA384/512-HMAC and AEAD
crypto: atmel - only treat EBUSY as transient if backlog
crypto: sha1-ssse3 - Disable avx2
crypto: caam - properly set IV after {en,de}crypt
crypto: caam - fix signals handling
Revert "sched/core: Optimize SCHED_SMT"
sched/fair, cpumask: Export for_each_cpu_wrap()
sched/topology: Fix building of overlapping sched-groups
sched/topology: Optimize build_group_mask()
sched/topology: Fix overlapping sched_group_mask
PM / wakeirq: Convert to SRCU
PM / QoS: return -EINVAL for bogus strings
tracing: Use SOFTIRQ_OFFSET for softirq detection for more accurate results
kvm: vmx: Do not disable intercepts for BNDCFGS
kvm: x86: Guest BNDCFGS requires guest MPX support
kvm: vmx: Check value written to IA32_BNDCFGS
kvm: vmx: allow host to access guest MSR_IA32_BNDCFGS
4.9.39
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
cd5de9cb85
bpf: prevent leaking pointer via xadd on unprivileged
commit 6bdf6abc56b53103324dfd270a86580306e1a232 upstream.
Leaking kernel addresses on unprivileged is generally disallowed, for example, verifier rejects the following:
0: (b7) r0 = 0
1: (18) r2 = 0xffff897e82304400
3: (7b) *(u64 *)(r1 +48) = r2
R2 leaks addr into ctx
Doing pointer arithmetic on them is also forbidden, so that they don't turn into unknown value and then get leaked out. However, there's xadd as a special case, where we don't check the src reg for being a pointer register, e.g. the following will pass:
0: (b7) r0 = 0
1: (7b) *(u64 *)(r1 +48) = r0
2: (18) r2 = 0xffff897e82304400 ; map
4: (db) lock *(u64 *)(r1 +48) += r2
5: (95) exit
We could store the pointer into skb->cb, lose the type context, and then read it out from there again to leak it eventually out of a map value. Or more easily in a different variant, too:
0: (bf) r6 = r1
1: (7a) *(u64 *)(r10 -8) = 0
2: (bf) r2 = r10
3: (07) r2 += -8
4: (18) r1 = 0x0
6: (85) call bpf_map_lookup_elem#1
7: (15) if r0 == 0x0 goto pc+3
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R6=ctx R10=fp
8: (b7) r3 = 0
9: (7b) *(u64 *)(r0 +0) = r3
10: (db) lock *(u64 *)(r0 +0) += r6
11: (b7) r0 = 0
12: (95) exit
from 7 to 11: R0=inv,min_value=0,max_value=0 R6=ctx R10=fp
11: (b7) r0 = 0
12: (95) exit
Prevent this by checking xadd src reg for pointer types. Also add a couple of test cases related to this.
Fixes:
184ce810ce
Merge 4.9.36 into android-4.9
Changes in 4.9.36
ipv6: release dst on error in ip6_dst_lookup_tail
net: don't call strlen on non-terminated string in dev_set_alias()
decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
net: Zero ifla_vf_info in rtnl_fill_vfinfo()
net: vrf: Make add_fib_rules per network namespace flag
af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers
Fix an intermittent pr_emerg warning about lo becoming free.
sctp: disable BH in sctp_for_each_endpoint
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
net: tipc: Fix a sleep-in-atomic bug in tipc_msg_reverse
net/mlx5e: Added BW check for DIM decision mechanism
net/mlx5e: Fix wrong indications in DIM due to counter wraparound
proc: snmp6: Use correct type in memset
igmp: acquire pmc lock for ip_mc_clear_src()
igmp: add a missing spin_lock_init()
ipv6: fix calling in6_ifa_hold incorrectly for dad work
sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
net/mlx5e: Avoid doing a cleanup call if the profile doesn't have it
net/mlx5: Wait for FW readiness before initializing command interface
net/mlx5e: Fix timestamping capabilities reporting
decnet: always not take dst->__refcnt when inserting dst into hash table
net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
sfc: provide dummy definitions of vswitch functions
ipv6: Do not leak throw route references
rtnetlink: add IFLA_GROUP to ifla_policy
netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
netfilter: synproxy: fix conntrackd interaction
NFSv4: fix a reference leak caused WARNING messages
NFSv4.x/callback: Create the callback service through svc_create_pooled
xen/blkback: don't use xen_blkif_get() in xen-blkback kthread
drm/ast: Handle configuration without P2A bridge
mm, swap_cgroup: reschedule when needed in swap_cgroup_swapoff()
MIPS: head: Reorder instructions missing a delay slot
MIPS: Avoid accidental raw backtrace
MIPS: pm-cps: Drop manual cache-line alignment of ready_count
MIPS: Fix IRQ tracing & lockdep when rescheduling
ALSA: hda - Fix endless loop of codec configure
ALSA: hda - set input_path bitmap to zero after moving it to new place
NFSv4.1: Fix a race in nfs4_proc_layoutget
gpiolib: fix filtering out unwanted events
drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr
dm thin: do not queue freed thin mapping for next stage processing
x86/mm: Fix boot crash caused by incorrect loop count calculation in sync_global_pgds()
usb: gadget: f_fs: Fix possible deadlock
l2tp: fix race in l2tp_recv_common()
l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
l2tp: fix duplicate session creation
l2tp: hold session while sending creation notifications
l2tp: take a reference on sessions used in genetlink handlers
mm: numa: avoid waiting on freed migrated pages
sparc64: Handle PIO & MEM non-resumable errors.
sparc64: Zero pages on allocation for mondo and error queues.
net: ethtool: add support for 2500BaseT and 5000BaseT link modes
net: phy: add an option to disable EEE advertisement
dt-bindings: net: add EEE capability constants
net: phy: fix sign type error in genphy_config_eee_advert
net: phy: use boolean dt properties for eee broken modes
dt: bindings: net: use boolean dt properties for eee broken modes
ARM64: dts: meson-gxbb-odroidc2: fix GbE tx link breakage
xen/blkback: don't free be structure too early
KVM: x86: fix fixing of hypercalls
scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
stmmac: add missing of_node_put
scsi: lpfc: Set elsiocb contexts to NULL after freeing it
qla2xxx: Terminate exchange if corrupted
qla2xxx: Fix erroneous invalid handle message
drm/amdgpu: fix program vce instance logic error.
drm/amdgpu: add support for new hainan variants
net: phy: dp83848: add DP83620 PHY support
perf/x86/intel: Handle exclusive threadid correctly on CPU hotplug
net: korina: Fix NAPI versus resources freeing
powerpc/eeh: Enable IO path on permanent error
net: ethtool: Initialize buffer when querying device channel settings
xen-netback: fix memory leaks on XenBus disconnect
xen-netback: protect resource cleaning on XenBus disconnect
bnxt_en: Fix "uninitialized variable" bug in TPA code path.
bpf: don't trigger OOM killer under pressure with map alloc
objtool: Fix IRET's opcode
gianfar: Do not reuse pages from emergency reserve
Btrfs: Fix deadlock between direct IO and fast fsync
Btrfs: fix truncate down when no_holes feature is enabled
virtio_console: fix a crash in config_work_handler
swiotlb-xen: update dev_addr after swapping pages
xen-netfront: Fix Rx stall during network stress and OOM
scsi: virtio_scsi: Reject commands when virtqueue is broken
iwlwifi: fix kernel crash when unregistering thermal zone
platform/x86: ideapad-laptop: handle ACPI event 1
amd-xgbe: Check xgbe_init() return code
net: dsa: Check return value of phy_connect_direct()
drm/amdgpu: check ring being ready before using
vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null
mlxsw: spectrum_router: Correctly reallocate adjacency entries
virtio_net: fix PAGE_SIZE > 64k
ip6_tunnel: must reload ipv6h in ip6ip6_tnl_xmit()
vxlan: do not age static remote mac entries
ibmveth: Add a proper check for the availability of the checksum features
kernel/panic.c: add missing \n
Documentation: devicetree: change the mediatek ethernet compatible string
drm/etnaviv: trick drm_mm into giving out a low IOVA
perf/x86/intel/uncore: Fix hardcoded socket 0 assumption in the Haswell init code
pinctrl: intel: Set pin direction properly
net: phy: marvell: fix Marvell 88E1512 used in SGMII mode
mac80211: recalculate min channel width on VHT opmode changes
perf/x86/intel: Use ULL constant to prevent undefined shift behaviour
HID: i2c-hid: Add sleep between POWER ON and RESET
scsi: lpfc: avoid double free of resource identifiers
spi: davinci: use dma_mapping_error()
arm64: assembler: make adr_l work in modules under KASLR
net: thunderx: acpi: fix LMAC initialization
drm/radeon/si: load special ucode for certain MC configs
drm/amd/powerplay: fix vce cg logic error on CZ/St.
drm/amd/powerplay: refine vce dpm update code on Cz.
pmem: return EIO on read_pmem() failure
mac80211: initialize SMPS field in HT capabilities
x86/tsc: Add the Intel Denverton Processor to native_calibrate_tsc()
x86/mpx: Use compatible types in comparison to fix sparse error
perf/core: Fix sys_perf_event_open() vs. hotplug
perf/x86: Reject non sampling events with precise_ip
aio: fix lock dep warning
coredump: Ensure proper size of sparse core files
swiotlb: ensure that page-sized mappings are page-aligned
s390/ctl_reg: make __ctl_load a full memory barrier
usb: dwc2: gadget: Fix GUSBCFG.USBTRDTIM value
be2net: fix status check in be_cmd_pmac_add()
be2net: don't delete MAC on close on unprivileged BE3 VFs
be2net: fix MAC addr setting on privileged BE3 VFs
perf probe: Fix to show correct locations for events on modules
net: phy: dp83867: allow RGMII_TXID/RGMII_RXID interface types
tipc: allocate user memory with GFP_KERNEL flag
perf probe: Fix to probe on gcc generated functions in modules
net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
sctp: check af before verify address in sctp_addr_id2transport
ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets
ravb: Fix use-after-free on `ifconfig eth0 down`
mm/vmalloc.c: huge-vmap: fail gracefully on unexpected huge vmap mappings
xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
xfrm: NULL dereference on allocation failure
xfrm: Oops on error in pfkey_msg2xfrm_state()
netfilter: use skb_to_full_sk in ip_route_me_harder
watchdog: bcm281xx: Fix use of uninitialized spinlock.
sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
spi: When no dma_chan map buffers with spi_master's parent
spi: fix device-node leaks
regulator: tps65086: Fix expected switch DT node names
regulator: tps65086: Fix DT node referencing in of_parse_cb
ARM: OMAP2+: omap_device: Sync omap_device and pm_runtime after probe defer
ARM: dts: OMAP3: Fix MFG ID EEPROM
ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation
ARM: 8685/1: ensure memblock-limit is pmd-aligned
tools arch: Sync arch/x86/lib/memcpy_64.S with the kernel
x86/boot/KASLR: Fix kexec crash due to 'virt_addr' calculation bug
x86/mpx: Correctly report do_mpx_bt_fault() failures to user-space
x86/mm: Fix flush_tlb_page() on Xen
ocfs2: o2hb: revert hb threshold to keep compatible
iommu/vt-d: Don't over-free page table directories
iommu: Handle default domain attach failure
iommu/dma: Don't reserve PCI I/O windows
iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
iommu/amd: Fix interrupt remapping when disable guest_mode
cpufreq: s3c2416: double free on driver init error path
clk: scpi: don't add cpufreq device if the scpi dvfs node is disabled
objtool: Fix another GCC jump table detection issue
infiniband: hns: avoid gcc-7.0.1 warning for uninitialized data
brcmfmac: avoid writing channel out of allocated array
i2c: brcmstb: Fix START and STOP conditions
mtd: nand: brcmnand: Check flash #WP pin status before nand erase/program
arm64: fix NULL dereference in have_cpu_die()
KVM: x86: fix emulation of RSM and IRET instructions
KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()
KVM: x86: zero base3 of unusable segments
KVM: nVMX: Fix exception injection
Linux 4.9.36
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
251d00bf13 |
bpf: don't trigger OOM killer under pressure with map alloc
[ Upstream commit d407bd25a204bd66b7346dde24bd3d37ef0e0b05 ]
This patch adds two helpers, bpf_map_area_alloc() and bpf_map_area_free(), that are to be used for map allocations. Using kmalloc() for very large allocations can cause excessive work within the page allocator, so i) fall back earlier to vmalloc() when the attempt is considered costly anyway, and even more importantly ii) don't trigger OOM killer with any of the allocators. Since this is based on a user space request, for example, when creating maps with element pre-allocation, we really want such requests to fail instead of killing other user space processes. Also, don't spam the kernel log with warnings should any of the allocations fail under pressure. Given that, we can make backend selection in bpf_map_area_alloc() generic, and convert all maps over to use this API for spots with potentially large allocation requests. Note, replacing the one kmalloc_array() is fine as overflow checks happen earlier in htab_map_alloc(), since it must also protect the multiplication for vmalloc() should kmalloc_array() fail.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
edb6da11b9 |
FROMLIST: bpf: cgroup skb progs cannot access ld_abs/ind
Commit fb9a307d11d6 ("bpf: Allow CGROUP_SKB eBPF program to
access sk_buff") enabled programs of BPF_PROG_TYPE_CGROUP_SKB
type to use ld_abs/ind instructions. However, at this point,
we cannot use them, since offsets relative to SKF_LL_OFF will
end up pointing skb_mac_header(skb) out of bounds since in the
egress path it is not yet set at that point in time, but only
after __dev_queue_xmit() did a general reset on the mac header.
bpf_internal_load_pointer_neg_helper() will then end up reading
data from a wrong offset.
BPF_PROG_TYPE_CGROUP_SKB programs can use bpf_skb_load_bytes()
already to access packet data, which is also more flexible than
the insns carried over from cBPF.
Fixes: fb9a307d11d6 ("bpf: Allow CGROUP_SKB eBPF program to access sk_buff")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Cc: Chenbo Feng <fengc@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(url: http://patchwork.ozlabs.org/patch/771946/)
Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 30950746
Change-Id: Ia32ac79d8c0d18f811ec101897284a8b60cb042a
b9aad97657 |
FROMLIST: [net-next,v2,2/2] bpf: Remove the capability check for cgroup skb eBPF program
Currently loading a cgroup skb eBPF program requires the CAP_SYS_ADMIN capability, while attaching the program to a cgroup only requires the user to have CAP_NET_ADMIN privilege. We can skip the capability check when loading the program, just like the socket filter program, to make the capability requirement consistent.
Change since v1: Change the code style in order to be compliant with checkpatch.pl preference
(url: http://patchwork.ozlabs.org/patch/769460/)
Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 30950746
Change-Id: Ibe51235127d6f9349b8f563ad31effc061b278ed |
9e3c655559 |
FROMLIST: [net-next,v2,1/2] bpf: Allow CGROUP_SKB eBPF program to access sk_buff
This allows a cgroup eBPF program to classify packets based on their protocol or other detailed information. Currently a program needs CAP_NET_ADMIN privilege to attach a cgroup eBPF program, and a process with CAP_NET_ADMIN can already see all packets on the system, for example, by creating an iptables rule that causes the packet to be passed to userspace via NFLOG.
(url: http://patchwork.ozlabs.org/patch/769459/)
Signed-off-by: Chenbo Feng <fengc@google.com>
Bug: 30950746
Change-Id: I11bef84ce26cf8b8f1b89483c32a7fcdd61ae926 |
a5d371cda6 |
UPSTREAM: bpf: cgroup: fix documentation of __cgroup_bpf_update()
There's a 'not' missing in one paragraph. Add it.
Fixes: 3007098494be ("cgroup: add support for eBPF programs")
Signed-off-by: Daniel Mack <daniel@zonque.org>
Reported-by: Rami Rosen <roszenrami@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixes: 3007098494be ("cgroup: add support for eBPF programs")
Change-Id: I3df35d8d3b1261503f9b5bcd90b18c9358f1ac28
(cherry picked from commit 01ae87eab53675cbdabd5c4d727c4a35e397cce0)
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
1ee2b4b803 |
BACKPORT: bpf: introduce BPF_F_ALLOW_OVERRIDE flag
If the BPF_F_ALLOW_OVERRIDE flag is used in the BPF_PROG_ATTACH command
to the given cgroup, the descendant cgroup will be able to override the
effective bpf program that was inherited from this cgroup.
By default it's not passed, therefore override is disallowed.
Examples:
1.
prog X attached to /A with default
prog Y fails to attach to /A/B and /A/B/C
Everything under /A runs prog X
2.
prog X attached to /A with allow_override.
prog Y fails to attach to /A/B with default (non-override)
prog M attached to /A/B with allow_override.
Everything under /A/B runs prog M only.
3.
prog X attached to /A with allow_override.
prog Y fails to attach to /A with default.
The user has to detach first to switch the mode.
In the future this behavior may be extended with a chain of
non-overridable programs.
Also fix the bug where detaching from a cgroup where nothing is attached
was not throwing an error. Return ENOENT in such case.
Add several testcases and adjust libbpf.
Fixes: 3007098494be ("cgroup: add support for eBPF programs")
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Tejun Heo <tj@kernel.org>
Acked-by: Daniel Mack <daniel@zonque.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixes: 3007098494be ("cgroup: add support for eBPF programs")
Change-Id: I3df35d8d3b1261503f9b5bcd90b18c9358f1ac28
[AmitP: Refactored original patch for android-4.9 where libbpf sources
are in samples/bpf/ and test_cgrp2_attach2, test_cgrp2_sock,
and test_cgrp2_sock2 sample tests do not exist.]
(cherry picked from commit 7f677633379b4abb3281cdbe7e7006f049305c03)
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
|