566 Commits

Author	SHA1	Message	Date
Greg Kroah-Hartman	409d37b568	Merge 4.14.267 into android-4.14-stable ... Changes in 4.14.267 integrity: check the return value of audit_log_start() ima: Remove ima_policy file before directory ima: Allow template selection with ima_template[_fmt]= after ima_hash= mmc: sdhci-of-esdhc: Check for error num after setting mask net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs NFS: Fix initialisation of nfs_client cl_flags field NFSD: Clamp WRITE offsets NFSv4 only print the label when its queried nfs: nfs4clinet: check the return value of kstrdup() NFSv4.1: Fix uninitialised variable in devicenotify NFSv4 remove zero number of fs_locations entries error check NFSv4 expose nfs_parse_server_name function scsi: target: iscsi: Make sure the np under each tpg is unique usb: dwc2: gadget: don't try to disable ep0 in dwc2_hsotg_suspend net: stmmac: dwmac-sun8i: use return val of readl_poll_timeout() Revert "net: axienet: Wait for PhyRstCmplt after core reset" bpf: Add kconfig knob for disabling unpriv bpf by default ARM: dts: imx23-evk: Remove MX23_PAD_SSP1_DETECT from hog group ARM: dts: meson: Fix the UART compatible strings staging: fbtft: Fix error path in fbtft_driver_module_init() ARM: dts: imx6qdl-udoo: Properly describe the SD card detect usb: f_fs: Fix use-after-free for epfile bonding: pair enable_port with slave_arr_updates ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path net: do not keep the dst cache when uncloning an skb dst and its metadata net: fix a memleak when uncloning an skb dst and its metadata tipc: rate limit warning for received illegal binding update net: amd-xgbe: disable interrupts during pci removal vt_ioctl: fix array_index_nospec in vt_setactivate vt_ioctl: add array_index_nospec to VT_ACTIVATE n_tty: wake up poll(POLLRDNORM) on receiving data usb: ulpi: Move of_node_put to ulpi_dev_release usb: ulpi: Call of_node_put correctly usb: dwc3: gadget: Prevent core from processing stale TRBs USB: gadget: validate interface OS descriptor requests usb: gadget: rndis: check size of RNDIS_MSG_SET command USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 USB: serial: option: add ZTE MF286D modem USB: serial: ch341: add support for GW Instek USB2.0-Serial devices USB: serial: cp210x: add NCR Retail IO box id USB: serial: cp210x: add CPI Bulk Coin Recycler id seccomp: Invalidate seccomp mode to catch death failures hwmon: (dell-smm) Speed up setting of fan speed perf: Fix list corruption in perf_cgroup_switch() Linux 4.14.267 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ie562265e833202e361fd0734d18731990c0b1cbc	2022-02-16 13:10:03 +01:00
Daniel Borkmann	e69f08ba23	bpf: Add kconfig knob for disabling unpriv bpf by default ... commit 08389d888287c3823f80b0216766b71e17f0aba5 upstream. Add a kconfig knob which allows for unprivileged bpf to be disabled by default. If set, the knob sets /proc/sys/kernel/unprivileged_bpf_disabled to value of 2. This still allows a transition of 2 -> {0,1} through an admin. Similarly, this also still keeps 1 -> {1} behavior intact, so that once set to permanently disabled, it cannot be undone aside from a reboot. We've also added extra2 with max of 2 for the procfs handler, so that an admin still has a chance to toggle between 0 <-> 2. Either way, as an additional alternative, applications can make use of CAP_BPF that we added a while ago. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/74ec548079189e4e4dffaeb42b8987bb3c852eee.1620765074.git.daniel@iogearbox.net [fllinden@amazon.com: backported to 4.14] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-02-16 12:44:50 +01:00
Greg Kroah-Hartman	f434c8896d	This is the 4.14.265 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmICpXgACgkQONu9yGCS aT6+NxAAvBpCtxny/31ubyXztF8C182Q9PumND32nMATWi/bvaKDfJTtpWXAurQP BysgPyCrgYYUqf8ug7lJt3xHCo3zFcVhAacwEZsRE9rePaFJ/AcMSHC8dVG5uaRz q66j+flzCeumtLiOldAuJQLIWffk/y2iZ3UuQVkdP9HT6cj6ko7ZTvCYTQmBge44 8Ek+va4eDBzznIbeQvU2rwy+Hypjl6dYZq/0Jw4lKDFbZrRmGkqSybAhRofZj5DE 0hTIal1zfC1mH7FJqt/0ji5Gcql7DbABpRm2ewB9is7B4Y2bxKXVkgQhIbxavjiZ dTlpGWL+EmxrJv1f3t+QD8oWVaw3CHHb17i/JciXu/3tAr9yJ+ZQgzPXJIFOvsmj 4KYkjw0Lq0HfUpjJ6Auj7hqpQvgGuoeK9ef9Xb4jagNR+McS/pkiU7G0mztSRj8W rmGt5aa0cY10bsbtymeRr6D3uG/xiSHLmq7wj4LFCle5Gz34Z7vqU/sJkrDRegRR /5y6SeCjkarlKtNP2gnEv4usK4ZiUTl27BgIbXmKxX3irIbQBl9ORfx/YiNSjtRs 8YrcXkAG6gOzmK/ssHFJuiiXMQ0FXeAGO2R4VBaXgM6UB6vFoqJc3Qb1KzA4zwfc CA0quzCNTdcv4i+pk48ujMYgfnY1C4evMcCkN7saUCq9vDTSvPE= =CHbz -----END PGP SIGNATURE----- Merge 4.14.265 into android-4.14-stable Changes in 4.14.265 Bluetooth: refactor malicious adv data check s390/hypfs: include z/VM guests with access control group set scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices udf: Restore i_lenAlloc when inode expansion fails udf: Fix NULL ptr deref when converting from inline format PM: wakeup: simplify the output logic of pm_show_wakelocks() netfilter: nft_payload: do not update layer 4 checksum when mangling fragments serial: stm32: fix software flow control transfer tty: n_gsm: fix SW flow control encoding/handling tty: Add support for Brainboxes UC cards. usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge usb: common: ulpi: Fix crash in ulpi_match() usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS USB: core: Fix hang in usb_kill_urb by adding memory barriers usb: typec: tcpm: Do not disconnect while receiving VBUS off net: sfp: ignore disabled SFP node powerpc/32: Fix boot failure with GCC latent entropy plugin lkdtm: Fix content of section containing lkdtm_rodata_do_nothing() i40e: Increase delay to 1 s after global EMP reset i40e: fix unsigned stat widths rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() ipv6_tunnel: Rate limit warning messages net: fix information leakage in /proc/net/ptype ping: fix the sk_bound_dev_if match in ping_lookup ipv4: avoid using shared IP generator for connected sockets hwmon: (lm90) Reduce maximum conversion rate for G781 NFSv4: Handle case where the lookup of a directory fails NFSv4: nfs_atomic_open() can race when looking up a non-regular file net-procfs: show net devices bound packet types drm/msm: Fix wrong size calculation drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable ibmvnic: don't spin in tasklet yam: fix a memory leak in yam_siocdevprivate() ipv4: raw: lock the socket in raw_bind() ipv4: tcp: send zero IPID in SYNACK messages bpf: fix truncated jump targets on heavy expansions netfilter: nat: remove l4 protocol port rovers netfilter: nat: limit port clash resolution attempts ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback net: amd-xgbe: ensure to reset the tx_timer_active flag net: amd-xgbe: Fix skb data length underflow rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() af_packet: fix data-race in packet_setsockopt / packet_setsockopt audit: improve audit queue handling when "audit=1" on cmdline ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() drm/nouveau: fix off by one in BIOS boundary checking block: bio-integrity: Advance seed correctly for larger interval sizes RDMA/mlx4: Don't continue event handler after memory allocation failure iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() spi: bcm-qspi: check for valid cs before applying chip select spi: mediatek: Avoid NULL pointer crash in interrupt spi: meson-spicc: add IRQ check in meson_spicc_probe net: ieee802154: ca8210: Stop leaking skb's net: ieee802154: Return meaningful error codes from the netlink helpers net: macsec: Verify that send_sci is on when setting Tx sci explicitly drm/i915/overlay: Prevent divide by zero bugs in scaling ASoC: fsl: Add missing error handling in pcm030_fabric_probe scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client. selftests: futex: Use variable MAKE instead of make rtc: cmos: Evaluate century appropriate EDAC/altera: Fix deferred probing EDAC/xgene: Fix deferred probing ext4: fix error handling in ext4_restore_inline_data() Linux 4.14.265 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia51a926162e82c5fa5bdef1de1056cb74114ef88	2022-02-09 08:14:50 +01:00
Daniel Borkmann	6824208b59	bpf: fix truncated jump targets on heavy expansions ... commit 050fad7c4534c13c8eb1d9c2ba66012e014773cb upstream. Recently during testing, I ran into the following panic: [ 207.892422] Internal error: Accessing user space memory outside uaccess.h routines: 96000004 [#1] SMP [ 207.901637] Modules linked in: binfmt_misc [...] [ 207.966530] CPU: 45 PID: 2256 Comm: test_verifier Tainted: G W 4.17.0-rc3+ #7 [ 207.974956] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB18A 03/31/2017 [ 207.982428] pstate: 60400005 (nZCv daif +PAN -UAO) [ 207.987214] pc : bpf_skb_load_helper_8_no_cache+0x34/0xc0 [ 207.992603] lr : 0xffff000000bdb754 [ 207.996080] sp : ffff000013703ca0 [ 207.999384] x29: ffff000013703ca0 x28: 0000000000000001 [ 208.004688] x27: 0000000000000001 x26: 0000000000000000 [ 208.009992] x25: ffff000013703ce0 x24: ffff800fb4afcb00 [ 208.015295] x23: ffff00007d2f5038 x22: ffff00007d2f5000 [ 208.020599] x21: fffffffffeff2a6f x20: 000000000000000a [ 208.025903] x19: ffff000009578000 x18: 0000000000000a03 [ 208.031206] x17: 0000000000000000 x16: 0000000000000000 [ 208.036510] x15: 0000ffff9de83000 x14: 0000000000000000 [ 208.041813] x13: 0000000000000000 x12: 0000000000000000 [ 208.047116] x11: 0000000000000001 x10: ffff0000089e7f18 [ 208.052419] x9 : fffffffffeff2a6f x8 : 0000000000000000 [ 208.057723] x7 : 000000000000000a x6 : 00280c6160000000 [ 208.063026] x5 : 0000000000000018 x4 : 0000000000007db6 [ 208.068329] x3 : 000000000008647a x2 : 19868179b1484500 [ 208.073632] x1 : 0000000000000000 x0 : ffff000009578c08 [ 208.078938] Process test_verifier (pid: 2256, stack limit = 0x0000000049ca7974) [ 208.086235] Call trace: [ 208.088672] bpf_skb_load_helper_8_no_cache+0x34/0xc0 [ 208.093713] 0xffff000000bdb754 [ 208.096845] bpf_test_run+0x78/0xf8 [ 208.100324] bpf_prog_test_run_skb+0x148/0x230 [ 208.104758] sys_bpf+0x314/0x1198 [ 208.108064] el0_svc_naked+0x30/0x34 [ 208.111632] Code: 91302260 f9400001 f9001fa1 d2800001 (29500680) [ 208.117717] ---[ end trace 263cb8a59b5bf29f ]--- The program itself which caused this had a long jump over the whole instruction sequence where all of the inner instructions required heavy expansions into multiple BPF instructions. Additionally, I also had BPF hardening enabled which requires once more rewrites of all constant values in order to blind them. Each time we rewrite insns, bpf_adj_branches() would need to potentially adjust branch targets which cross the patchlet boundary to accommodate for the additional delta. Eventually that lead to the case where the target offset could not fit into insn->off's upper 0x7fff limit anymore where then offset wraps around becoming negative (in s16 universe), or vice versa depending on the jump direction. Therefore it becomes necessary to detect and reject any such occasions in a generic way for native eBPF and cBPF to eBPF migrations. For the latter we can simply check bounds in the bpf_convert_filter()'s BPF_EMIT_JMP helper macro and bail out once we surpass limits. The bpf_patch_insn_single() for native eBPF (and cBPF to eBPF in case of subsequent hardening) is a bit more complex in that we need to detect such truncations before hitting the bpf_prog_realloc(). Thus the latter is split into an extra pass to probe problematic offsets on the original program in order to fail early. With that in place and carefully tested I no longer hit the panic and the rewrites are rejected properly. The above example panic I've seen on bpf-next, though the issue itself is generic in that a guard against this issue in bpf seems more appropriate in this case. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> [ab: Dropped BPF_PSEUDO_CALL hardening, introoduced in 4.16] Signed-off-by: Alessio Balsini <balsini@android.com> Acked-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2022-02-08 18:16:27 +01:00
Greg Kroah-Hartman	2a09bcb0c2	This is the 4.14.258 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmG4YRIACgkQONu9yGCS aT7EbxAAh/UVCsvt2q3qw1kvGm2qMy4Y+zJGVXjiycNHtiUWWeOwyO8el3Fwrhrz rCfPJr9XA3DSDtMBaxVcDU4wwwIu9Z74g1GFEWm/cYkMojAYutNRXAOkRaawp0ur JBMZTOYpSFVhW0xJ2DRobyNAb8lNxe6BuuF3G+NOc4NLldc/ncmjc385L/YXoO8x 2l/RdCKaGLzmBCTZmR51F9QPownuHXPkZi4zTgaSSEdfqvIuhuSF9zHwg+AMRRjP 2fid57DDg4TLySz+u1bCS61gcj/iRXb4OpNJSGzlXHNq/jzOB2LNj7oBUItGWI7i y+JDrcgY4EqbghYSW2GD4zdW+mqjFTrel7zqhT3VHpnzIc2cUsScpkIx2Yf7qsvW DeJFpHah9bscpyzZc0FeQznTEHCWcfdpZsoZZ+4d0Vw31ZM+X52LQ2CwHIeP79Or 2/o9xfu+nURsqzj74Fq0Ai1/ka0h2ZSTmqi7rOMLx16tNOGe0y6C3ZL1Z6++0KII 1F81lQ/O319FYVjwkbuiZc90KtjqjGbpVd+jR6eeFJ5bllfbWnmb4ior7eV9fTNf QVTx5jnGB1iLfnAtteNlWo4Yo9Upfq29CG3UTxPvDIodtvUbfoh7bAcVo26TM5lf 2F6ArKhfc/SWu6zQ40P6FSSSZAg4nlH/v96oWjVGjmZDw7DudO8= =fLbW -----END PGP SIGNATURE----- Merge 4.14.258 into android-4.14-stable Changes in 4.14.258 HID: add hid_is_usb() function to make it simpler for USB detection HID: add USB_HID dependancy to hid-prodikeys HID: add USB_HID dependancy to hid-chicony HID: add USB_HID dependancy on some USB HID drivers HID: wacom: fix problems when device is not a valid USB device HID: check for valid USB device for many HID drivers can: sja1000: fix use after free in ems_pcmcia_add_card() nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done bpf: Fix the off-by-two error in range markings nfp: Fix memory leak in nfp_cpp_area_cache_add() seg6: fix the iif in the IPv6 socket control block IB/hfi1: Correct guard on eager buffer deallocation mm: bdi: initialize bdi_min_ratio when bdi is unregistered ALSA: ctl: Fix copy of updated id with element read/write ALSA: pcm: oss: Fix negative period/buffer sizes ALSA: pcm: oss: Limit the period size to 16MB ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() tracefs: Have new files inherit the ownership of their parent can: pch_can: pch_can_rx_normal: fix use after free can: m_can: Disable and ignore ELO interrupt libata: add horkage for ASMedia 1092 wait: add wake_up_pollfree() binder: use wake_up_pollfree() signalfd: use wake_up_pollfree() tracefs: Set all files to the same group ownership as the mount option block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) qede: validate non LSO skb length net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero net: altera: set a couple error code in probe() net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() net, neigh: clear whole pneigh_entry at alloc time net/qla3xxx: fix an error code in ql_adapter_up() USB: gadget: detect too-big endpoint 0 requests USB: gadget: zero allocate endpoint 0 buffers usb: core: config: fix validation of wMaxPacketValue entries xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending usb: core: config: using bit mask instead of individual bits iio: trigger: Fix reference counting iio: trigger: stm32-timer: fix MODULE_ALIAS iio: stk3310: Don't return error code in interrupt handler iio: mma8452: Fix trigger reference couting iio: ltr501: Don't return error code in trigger handler iio: kxsd9: Don't return error code in trigger handler iio: itg3200: Call iio_trigger_notify_done() on error iio: dln2-adc: Fix lockdep complaint iio: dln2: Check return value of devm_iio_trigger_register() iio: adc: axp20x_adc: fix charging current reporting on AXP22x iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() irqchip/armada-370-xp: Fix support for Multi-MSI interrupts irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL irqchip: nvic: Fix offset for Interrupt Priority Offsets Linux 4.14.258 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iecbe5bcba94e422ef4f43e57c673b15fbc8706f8	2021-12-14 10:39:21 +01:00
Maxim Mikityanskiy	e0d837ac05	bpf: Fix the off-by-two error in range markings ... commit 2fa7d94afc1afbb4d702760c058dc2d7ed30f226 upstream. The first commit cited below attempts to fix the off-by-one error that appeared in some comparisons with an open range. Due to this error, arithmetically equivalent pieces of code could get different verdicts from the verifier, for example (pseudocode): // 1. Passes the verifier: if (data + 8 > data_end) return early read *(u64 *)data, i.e. [data; data+7] // 2. Rejected by the verifier (should still pass): if (data + 7 >= data_end) return early read *(u64 *)data, i.e. [data; data+7] The attempted fix, however, shifts the range by one in a wrong direction, so the bug not only remains, but also such piece of code starts failing in the verifier: // 3. Rejected by the verifier, but the check is stricter than in #1. if (data + 8 >= data_end) return early read *(u64 *)data, i.e. [data; data+7] The change performed by that fix converted an off-by-one bug into off-by-two. The second commit cited below added the BPF selftests written to ensure than code chunks like #3 are rejected, however, they should be accepted. This commit fixes the off-by-two error by adjusting new_range in the right direction and fixes the tests by changing the range into the one that should actually fail. Fixes: fb2a311a31d3 ("bpf: fix off by one for range markings with L{T, E} patterns") Fixes: b37242c773b2 ("bpf: add test cases to bpf selftests to cover all access tests") Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20211130181607.593149-1-maximmi@nvidia.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-12-14 10:16:53 +01:00
Greg Kroah-Hartman	cc48e333d0	This is the 4.14.256 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGgua4ACgkQONu9yGCS aT79sg/8CddMTshP8xI/IBzrautjKnFz/jHqrbSSa9u4HTDho8RRegPvPtmn9qQx ytAA3NA+VCiyGLdTR5uFjSti1JSokngHeZzZFgekzdhUG9GjGU7lzRJ1yxT92KIi T1DA8d7g4wHWOo1neUWyy0p0DDQJL09yxAKI0lw+CfSMZ3JTwQGFXSX+ux7iFLjC j+GSaPNbxWY9vBqrUfmI/GhJ3le/nFNGQYodOYkWb5fHQIcYvHaY8sqrpY6a7g6D jsCIwL276uDHqh6Ye0peUN0WlPSorwfj7YOeF0AAztH3AiGSFEzpRsts5q0bLGhV tYl63xorssKYsaJrXa536YhYOVoLp31Lk38NT+7SeuI4/R6qhCQoVEsoWGH1lZME YEXB9/nM9i9SBFG6wuxbdYqKfJojPp1OzDQ3mMlBwhdUoT3Qv3Krz1V1jn6q84It phpTgxbMTE4+nmmrjKlzJHnf0v6r4ti4qYcgZ+//BXKSo5I584R8E2KMAigoB2Sy QCokNmTqIX5139fBl9h/tZXQaMBhsCykgclrCz4sorqOR69zxuk8eSbsZSqHgzYT sMiy67n7nroAbwYHK1+SHZdAsIRTc9mwf3qfZVg0uOdjBP9p6M2LITFEDjSLB3Kj nsRyIs8qmRrg+Zj2Z9MVtE3mc/ttwhD8yc6GFxu3mJk6ZfekVC4= =axXx -----END PGP SIGNATURE----- Merge 4.14.256 into android-4.14-stable Changes in 4.14.256 xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay binder: use euid from cred instead of using task binder: use cred instead of task for selinux checks Input: elantench - fix misreporting trackpoint coordinates Input: i8042 - Add quirk for Fujitsu Lifebook T725 libata: fix read log timeout value ocfs2: fix data corruption on truncate mmc: dw_mmc: Dont wait for DRTO on Write RSP error parisc: Fix ptrace check on syscall return tpm: Check for integer overflow in tpm2_map_response_body() media: ite-cir: IR receiver stop working after receive overflow ALSA: ua101: fix division by zero at probe ALSA: 6fire: fix control and bulk message timeouts ALSA: line6: fix control and interrupt message timeouts ALSA: synth: missing check for possible NULL after the call to kstrdup ALSA: timer: Fix use-after-free problem ALSA: timer: Unconditionally unlink slave instances, too x86/irq: Ensure PI wakeup handler is unregistered before module unload cavium: Return negative value when pci_alloc_irq_vectors() fails scsi: qla2xxx: Fix unmap of already freed sgl cavium: Fix return values of the probe function sfc: Don't use netif_info before net_device setup hyperv/vmbus: include linux/bitops.h mmc: winbond: don't build on M68K bpf: Prevent increasing bpf_jit_limit above max xen/netfront: stop tx queues during live migration spi: spl022: fix Microwire full duplex mode watchdog: Fix OMAP watchdog early handling vmxnet3: do not stop tx queues after netif_device_detach() btrfs: fix lost error handling when replaying directory deletes hwmon: (pmbus/lm25066) Add offset coefficients regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell mwifiex: fix division by zero in fw download path ath6kl: fix division by zero in send path ath6kl: fix control-message timeout ath10k: fix control-message timeout ath10k: fix division by zero in send path PCI: Mark Atheros QCA6174 to avoid bus reset rtl8187: fix control-message timeouts evm: mark evm_fixmode as __ro_after_init wcn36xx: Fix HT40 capability for 2Ghz band mwifiex: Read a PCI register after writing the TX ring write pointer libata: fix checking of DMA state wcn36xx: handle connection loss indication RDMA/qedr: Fix NULL deref for query_qp on the GSI QP signal: Remove the bogus sigkill_pending in ptrace_stop signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT power: supply: max17042_battery: Prevent int underflow in set_soc_threshold power: supply: max17042_battery: use VFSOC for capacity when no rsns powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found serial: core: Fix initializing and restoring termios speed ALSA: mixer: oss: Fix racy access to slots ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume xen/balloon: add late_initcall_sync() for initial ballooning done PCI: aardvark: Do not clear status bits of masked interrupts PCI: aardvark: Do not unmask unused interrupts PCI: aardvark: Fix return value of MSI domain .alloc() method PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG quota: check block number when reading the block in quota file quota: correct error number in free_dqentry() pinctrl: core: fix possible memory leak in pinctrl_enable() iio: dac: ad5446: Fix ad5622_write() return value USB: serial: keyspan: fix memleak on probe errors USB: iowarrior: fix control-message timeouts Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() Bluetooth: fix use-after-free error in lock_sock_nested() platform/x86: wmi: do not fail if disabling fails MIPS: lantiq: dma: add small delay after reset MIPS: lantiq: dma: reset correct number of channel locking/lockdep: Avoid RCU-induced noinstr fail smackfs: Fix use-after-free in netlbl_catmap_walk() x86: Increase exception stack sizes mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type mwifiex: Properly initialize private structure on interface type changes media: mt9p031: Fix corrupted frame after restarting stream media: netup_unidvb: handle interrupt properly according to the firmware media: uvcvideo: Set capability in s_param media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe() media: s5p-mfc: Add checking to s5p_mfc_probe(). media: mceusb: return without resubmitting URB in case of -EPROTO error. ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK ACPICA: Avoid evaluating methods too early during system resume media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte() tracefs: Have tracefs directories not set OTH permission bits by default ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create() ACPI: battery: Accept charges over the design capacity as full leaking_addresses: Always print a trailing newline memstick: r592: Fix a UAF bug when removing the driver lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression lib/xz: Validate the value before assigning it to an enum variable tracing/cfi: Fix cmp_entries_* functions signature mismatch mwl8k: Fix use-after-free in mwl8k_fw_state_machine() PM: hibernate: Get block device exclusively in swsusp_check() iwlwifi: mvm: disable RX-diversity in powersave smackfs: use __GFP_NOFAIL for smk_cipso_doi() ARM: clang: Do not rely on lr register for stacktrace gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE ARM: 9136/1: ARMv7-M uses BE-8, not BE-32 spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe() parisc: fix warning in flush_tlb_all task_stack: Fix end_of_stack() for architectures with upwards-growing stack parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling cgroup: Make rebind_subsystems() disable v2 controllers all at once media: dvb-usb: fix ununit-value in az6027_rc_query media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()' media: si470x: Avoid card name truncation media: cx23885: Fix snd_card_free call on null card pointer cpuidle: Fix kobject memory leaks in error paths ath9k: Fix potential interrupt storm on queue reset crypto: qat - detect PFVF collision after ACK crypto: qat - disregard spurious PFVF interrupts hwrng: mtk - Force runtime pm ops for sleep ops b43legacy: fix a lower bounds test b43: fix a lower bounds test memstick: avoid out-of-range warning memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() hwmon: Fix possible memleak in __hwmon_device_register() ath10k: fix max antenna gain unit drm/msm: uninitialized variable in msm_gem_import() net: stream: don't purge sk_error_queue in sk_stream_kill_queues() mmc: mxs-mmc: disable regulator on error and in the remove function platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning mwifiex: Send DELBA requests according to spec phy: micrel: ksz8041nl: do not use power down mode PM: hibernate: fix sparse warnings smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap() irq: mips: avoid nested irq_enter() samples/kretprobes: Fix return value if register_kretprobe() failed libertas_tf: Fix possible memory leak in probe and disconnect libertas: Fix possible memory leak in probe and disconnect net: amd-xgbe: Toggle PLL settings during rate change net: phylink: avoid mvneta warning when setting pause parameters crypto: pcrypt - Delay write to padata->info ibmvnic: Process crqs after enabling interrupts RDMA/rxe: Fix wrong port_cap_flags ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc() ARM: dts: at91: tse850: the emac<->phy interface is rmii scsi: dc395: Fix error case unwinding MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT JFS: fix memleak in jfs_mount ALSA: hda: Reduce udelay() at SKL+ position reporting arm: dts: omap3-gta04a4: accelerometer irq fix soc/tegra: Fix an error handling path in tegra_powergate_power_up() memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe video: fbdev: chipsfb: use memset_io() instead of memset() serial: 8250_dw: Drop wrong use of ACPI_PTR() usb: gadget: hid: fix error code in do_config() power: supply: rt5033_battery: Change voltage values to µV scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() RDMA/mlx4: Return missed an error if device doesn't support steering ASoC: cs42l42: Correct some register default values ASoC: cs42l42: Defer probe if request_threaded_irq() returns EPROBE_DEFER serial: xilinx_uartps: Fix race condition causing stuck TX mips: cm: Convert to bitfield API to fix out-of-bounds access power: supply: bq27xxx: Fix kernel crash on IRQ handler register error apparmor: fix error check rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds drm/plane-helper: fix uninitialized variable reference PCI: aardvark: Don't spam about PIO Response Status NFS: Fix deadlocks in nfs_scan_commit_list() fs: orangefs: fix error return code of orangefs_revalidate_lookup() mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare() dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string auxdisplay: ht16k33: Connect backlight to fbdev auxdisplay: ht16k33: Fix frame buffer device blanking netfilter: nfnetlink_queue: fix OOB when mac header was cleared dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result` m68k: set a default value for MEMORY_RESERVE watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT ar7: fix kernel builds for compiler test scsi: qla2xxx: Turn off target reset during issue_lip i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()' xen-pciback: Fix return in pm_ctrl_init() net: davinci_emac: Fix interrupt pacing disable ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration() llc: fix out-of-bound array index in llc_sk_dev_hash() nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails vsock: prevent unnecessary refcnt inc for nonblocking connect USB: chipidea: fix interrupt deadlock ARM: 9155/1: fix early early_iounmap() ARM: 9156/1: drop cc-option fallbacks for architecture selection powerpc/lib: Add helper to check if offset is within conditional branch range powerpc/bpf: Validate branch ranges powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks mm, oom: do not trigger out_of_memory from the #PF s390/cio: check the subchannel validity for dev_busid PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros ext4: fix lazy initialization next schedule time computation in more granular unit tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT parisc/entry: fix trace test in syscall exit path PCI/MSI: Destroy sysfs before freeing entries arm64: zynqmp: Fix serial compatible string scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() usb: musb: tusb6010: check return value after calling platform_get_resource() scsi: advansys: Fix kernel pointer leak ARM: dts: omap: fix gpmc,mux-add-data type usb: host: ohci-tmio: check return value after calling platform_get_resource() tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc MIPS: sni: Fix the build scsi: target: Fix ordered tag handling scsi: target: Fix alua_tg_pt_gps_count tracking powerpc/5200: dts: fix memory node unit name ALSA: gus: fix null pointer dereference on pointer block powerpc/dcr: Use cmplwi instead of 3-argument cmpli sh: check return code of request_irq maple: fix wrong return value of maple_bus_init(). sh: fix kconfig unmet dependency warning for FRAME_POINTER sh: define __BIG_ENDIAN for math-emu mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain() net: bnx2x: fix variable dereferenced before check iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset MIPS: generic/yamon-dt: fix uninitialized variable error mips: bcm63xx: add support for clk_get_parent() mips: lantiq: add support for clk_get_parent() platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()' net: virtio_net_hdr_to_skb: count transport header in UFO i40e: Fix NULL ptr dereference on VSI filter sync NFC: reorganize the functions in nci_request NFC: reorder the logic in nfc_{un,}register_device perf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server tun: fix bonding active backup with arp monitoring hexagon: export raw I/O routines for modules mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag btrfs: fix memory ordering between normal and ordered work functions parisc/sticon: fix reverse colors cfg80211: call cfg80211_stop_ap when switch from P2P_GO type drm/udl: fix control-message timeout drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors perf/core: Avoid put_page() when GUP fails batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh batman-adv: Consider fragmentation for needed_headroom batman-adv: Reserve needed_*room for fragments batman-adv: Don't always reallocate the fragmentation skb head RDMA/netlink: Add __maybe_unused to static inline in C file ASoC: DAPM: Cover regression by kctl change notification fix usb: max-3421: Use driver data instead of maintaining a list of bound devices soc/tegra: pmc: Fix imbalanced clock disabling in error code path Linux 4.14.256 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I32f0b43f5aa192eda1aa3a220a2f348ade0536d2	2021-11-26 15:15:32 +01:00
Lorenz Bauer	212cb35aea	bpf: Prevent increasing bpf_jit_limit above max ... [ Upstream commit fadb7ff1a6c2c565af56b4aacdd086b067eed440 ] Restrict bpf_jit_limit to the maximum supported by the arch's JIT. Signed-off-by: Lorenz Bauer <lmb@cloudflare.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20211014142554.53120-4-lmb@cloudflare.com Signed-off-by: Sasha Levin <sashal@kernel.org>	2021-11-26 11:40:22 +01:00
Greg Kroah-Hartman	156a9ad2e0	This is the 4.14.251 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmFr2ggACgkQONu9yGCS aT5t1xAAnH3MC0v48ikVkYlq8TY8Bb+f5xzuxUdgIzLQ/r2p+76HmASUG59aTG6r eZHxjlmUXzLQ7xGmS36uQhoBRDRFy7SgeRfIXT57YwXz4h0p0R9EqJbJw6oQX+T/ nbLG+NUQ6mGpX0eL+dyEZlTy1/u/e4xrWifUhaMYy+KI7Mbm3PPNFxwwU40w+8CJ IRaeJp13iIqIGzoAcyoLMIqWEzMHVG3h1jY3bsGmLELaP/h1DgekXkD5tcyzrXho NfxSfjAl4QNG9+W5/VYj11uDlcdkg9vXwjsfk4YXgkpqeC/ReMXpYlFU0FFfTP6l nzHY4zCFwjdbhLa22/SUDgv2rSYmHLYuBVkVWJlw/WT1ERccTPj7i4Ud0wgJgIM/ LcTSSPbJ70MwewpueizQbA9+gCc8lQx8ZTU++jMvtB2rwHtd6IqvdVbv5bMFtgkV XEtKmH967HQKOHL0k9Rb+wRoIiaD0GqEEjaMQhxT3oz60JVg2kL0CBbs44BuWY70 aKQba7LHxeCdln6DTjGLkS1obEV3LNbgQ5KCdTyntw8l9XMx7Woif15aWfh/M4op qUspHcvJve0/YoQV7D8yuJ1y0/fLOUmaAST0ZLz2ydpfCHdPsUHU60R4X7H18Pw2 tCJjaZ0rFr/YsNW9Q6nX/JFz2fGaaYYpF133KfpO9TBbkJ0gD0g= =NerT -----END PGP SIGNATURE----- Merge 4.14.251 into android-4.14-stable Changes in 4.14.251 Partially revert "usb: Kconfig: using select for USB_COMMON dependency" USB: cdc-acm: fix racy tty buffer accesses USB: cdc-acm: fix break reporting ovl: fix missing negative dentry check in ovl_rename() nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero xen/balloon: fix cancelled balloon action ARM: dts: omap3430-sdp: Fix NAND device node ARM: dts: qcom: apq8064: use compatible which contains chipid bpf: add also cbpf long jump test cases with heavy expansion bpf, mips: Validate conditional branch offsets xtensa: call irqchip_init only when CONFIG_USE_OF is selected bpf: Fix integer overflow in prealloc_elems_and_freelist() phy: mdio: fix memory leak net_sched: fix NULL deref in fifo_set_limit() powerpc/fsl/dts: Fix phy-connection-type for fm1mac3 ptp_pch: Load module automatically if ID matches ARM: imx6: disable the GIC CPU interface before calling stby-poweroff sequence net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size() netlink: annotate data races around nlk->bound drm/nouveau/debugfs: fix file release memory leak rtnetlink: fix if_nlmsg_stats_size() under estimation i40e: fix endless loop under rtnl i2c: acpi: fix resource leak in reconfiguration device addition net: phy: bcm7xxx: Fixed indirect MMD operations HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS netfilter: ip6_tables: zero-initialize fragment offset mac80211: Drop frames from invalid MAC address in ad-hoc mode m68k: Handle arrivals of multiple signals correctly net: sun: SUNVNET_COMMON should depend on INET scsi: ses: Fix unsigned comparison with less than zero scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported" perf/x86: Reset destroy callback on event init failure sched: Always inline is_percpu_thread() Linux 4.14.251 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I10045fe572035e26d8d1399c70ace241589ac2a2	2021-10-17 10:38:56 +02:00
Tatsuhiko Yasumatsu	f34bcd10c4	bpf: Fix integer overflow in prealloc_elems_and_freelist() ... [ Upstream commit 30e29a9a2bc6a4888335a6ede968b75cd329657a ] In prealloc_elems_and_freelist(), the multiplication to calculate the size passed to bpf_map_area_alloc() could lead to an integer overflow. As a result, out-of-bounds write could occur in pcpu_freelist_populate() as reported by KASAN: [...] [ 16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100 [ 16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78 [ 16.970038] [ 16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1 [ 16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 [ 16.972026] Call Trace: [ 16.972306] dump_stack_lvl+0x34/0x44 [ 16.972687] print_address_description.constprop.0+0x21/0x140 [ 16.973297] ? pcpu_freelist_populate+0xd9/0x100 [ 16.973777] ? pcpu_freelist_populate+0xd9/0x100 [ 16.974257] kasan_report.cold+0x7f/0x11b [ 16.974681] ? pcpu_freelist_populate+0xd9/0x100 [ 16.975190] pcpu_freelist_populate+0xd9/0x100 [ 16.975669] stack_map_alloc+0x209/0x2a0 [ 16.976106] __sys_bpf+0xd83/0x2ce0 [...] The possibility of this overflow was originally discussed in [0], but was overlooked. Fix the integer overflow by changing elem_size to u64 from u32. [0] https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/ Fixes: 557c0c6e7df8 ("bpf: convert stackmap to pre-allocation") Signed-off-by: Tatsuhiko Yasumatsu <th.yasumatsu@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20210930135545.173698-1-th.yasumatsu@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org>	2021-10-17 10:08:32 +02:00
Greg Kroah-Hartman	f001a7d3ec	This is the 4.14.236 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmDB7PYACgkQONu9yGCS aT4sABAAo15TKI4d1BKsnGEIjv7LYtIAnkfRm4UqoJnFWe60zgdaKKPtJnEICSkF ez0DNkDMEx4Y9uDeKzTuIYvOV+2anmZyH8xngW1UiAsKhTkofph5RExxCeze68T5 y84sAHtTpHSkuEN55R5kexZ8JkNohYuphe+7g//5zyqsgbIDzyYd2c7TUQJMOWdw wVQtuitq2vN7EuLmEeI5jTDP3qg2gjVi/DUp/OGfeYQAaoeDl0ZMaE/vGvzZngPA mm9EgX3eIc4k0HNAYbw693LP5FBPaAro5qiJ9yEGjbxwSFvmkLkpGFepk475c8CP H5GILJ8RE95VGC0baK+TbMF+CGwgJorFMMniFHC0T1GApCv3vgVtxJUXZkasmcVJ Mw/xhWI4x6zVvu9Ofq1G9eJ5MRpU+c6jpu4dUQpk3XJBihUHTaHZ6wGG48osB5/7 ajwODcnKwNAQVY/bSC5IStQsx8f7lIDTA98Pg7i3POjor40MwU8UXUub2LTvlp3y Q4b/UP0kxC6uBtcSCyCwswBj0rLK/AS0Lesf6LKXKmtTbb3cHGP+/pbq4TqTwjSa tAmTVrUAnVTbmTfzMZ2hYnu+qmRflEp92AvjHw8YqFcg27Shv4XIK0vSMXJu4gtK r7yLMLltDcNU1jA1KYZ2IRDqNMWFsLuO01A3rZYtB1jhHaIs9dA= =Nrhr -----END PGP SIGNATURE----- Merge 4.14.236 into android-4.14-stable Changes in 4.14.236 net: usb: cdc_ncm: don't spew notifications efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared efi: cper: fix snprintf() use in cper_dimm_err_location() vfio/pci: Fix error return code in vfio_ecap_init() vfio/pci: zap_vma_ptes() needs MMU vfio/platform: fix module_put call in error flow ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service HID: pidff: fix error return code in hid_pidff_init() HID: i2c-hid: fix format string mismatch netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches ieee802154: fix error return code in ieee802154_add_iface() ieee802154: fix error return code in ieee802154_llsec_getparams() Bluetooth: fix the erroneous flush_work() order Bluetooth: use correct lock to prevent UAF of hdev object net: caif: added cfserl_release function net: caif: add proper error handling net: caif: fix memory leak in caif_device_notify net: caif: fix memory leak in cfusbl_device_notify ALSA: timer: Fix master timer notification ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed pid: take a reference when initializing `cad_pid` ocfs2: fix data corruption by fallocate nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect btrfs: fix error handling in btrfs_del_csums btrfs: fixup error handling in fixup_inode_link_counts mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY bpf, selftests: Fix up some test_verifier cases for unprivileged bpf: Move off_reg into sanitize_ptr_alu bpf: Ensure off_reg has no mixed signed bounds for all types bpf: Rework ptr_limit into alu_limit and add common error path bpf: Improve verifier error messages for users bpf: Refactor and streamline bounds check into helper bpf: Move sanitize_val_alu out of op switch bpf: Tighten speculative pointer arithmetic mask bpf: Update selftests to reflect new error states bpf: do not allow root to mangle valid pointers bpf/verifier: disallow pointer subtraction selftests/bpf: fix test_align selftests/bpf: make 'dubious pointer arithmetic' test useful bpf: Fix leakage of uninitialized bpf stack under speculation bpf: Wrap aux data inside bpf_sanitize_info container bpf: Fix mask direction swap upon off reg sign change bpf: No need to simulate speculative domain for immediates bnxt_en: Remove the setting of dev_port. KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode sched/fair: Optimize select_idle_cpu xen-pciback: redo VF placement in the virtual topology Linux 4.14.236 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I9a3453b78d1964e12e296c7fea22a5f32a4aa9e8	2021-06-10 13:44:32 +02:00
Daniel Borkmann	6a87d309fe	bpf: No need to simulate speculative domain for immediates ... commit a7036191277f9fa68d92f2071ddc38c09b1e5ee5 upstream. In 801c6058d14a ("bpf: Fix leakage of uninitialized bpf stack under speculation") we replaced masking logic with direct loads of immediates if the register is a known constant. Given in this case we do not apply any masking, there is also no reason for the operation to be truncated under the speculative domain. Therefore, there is also zero reason for the verifier to branch-off and simulate this case, it only needs to do it for unknown but bounded scalars. As a side-effect, this also enables few test cases that were previously rejected due to simulation under zero truncation. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:53 +02:00
Daniel Borkmann	1dcebba3e4	bpf: Fix mask direction swap upon off reg sign change ... commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream. Masking direction as indicated via mask_to_left is considered to be calculated once and then used to derive pointer limits. Thus, this needs to be placed into bpf_sanitize_info instead so we can pass it to sanitize_ptr_alu() call after the pointer move. Piotr noticed a corner case where the off reg causes masking direction change which then results in an incorrect final aux->alu_limit. Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask") Reported-by: Piotr Krysiuk <piotras@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:53 +02:00
Daniel Borkmann	73549ddbe5	bpf: Wrap aux data inside bpf_sanitize_info container ... commit 3d0220f6861d713213b015b582e9f21e5b28d2e0 upstream. Add a container structure struct bpf_sanitize_info which holds the current aux info, and update call-sites to sanitize_ptr_alu() to pass it in. This is needed for passing in additional state later on. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:53 +02:00
Daniel Borkmann	19e4f40ce7	bpf: Fix leakage of uninitialized bpf stack under speculation ... commit 801c6058d14a82179a7ee17a4b532cac6fad067f upstream. The current implemented mechanisms to mitigate data disclosure under speculation mainly address stack and map value oob access from the speculative domain. However, Piotr discovered that uninitialized BPF stack is not protected yet, and thus old data from the kernel stack, potentially including addresses of kernel structures, could still be extracted from that 512 bytes large window. The BPF stack is special compared to map values since it's not zero initialized for every program invocation, whereas map values /are/ zero initialized upon their initial allocation and thus cannot leak any prior data in either domain. In the non-speculative domain, the verifier ensures that every stack slot read must have a prior stack slot write by the BPF program to avoid such data leaking issue. However, this is not enough: for example, when the pointer arithmetic operation moves the stack pointer from the last valid stack offset to the first valid offset, the sanitation logic allows for any intermediate offsets during speculative execution, which could then be used to extract any restricted stack content via side-channel. Given for unprivileged stack pointer arithmetic the use of unknown but bounded scalars is generally forbidden, we can simply turn the register-based arithmetic operation into an immediate-based arithmetic operation without the need for masking. This also gives the benefit of reducing the needed instructions for the operation. Given after the work in 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask"), the aux->alu_limit already holds the final immediate value for the offset register with the known scalar. Thus, a simple mov of the immediate to AX register with using AX as the source for the original instruction is sufficient and possible now in this case. Reported-by: Piotr Krysiuk <piotras@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Tested-by: Piotr Krysiuk <piotras@gmail.com> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: fixed minor 4.14 conflict because of renamed function] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:53 +02:00
Alexei Starovoitov	ba1be7e6b2	bpf/verifier: disallow pointer subtraction ... commit dd066823db2ac4e22f721ec85190817b58059a54 upstream. Subtraction of pointers was accidentally allowed for unpriv programs by commit 82abbf8d2fc4. Revert that part of commit. Fixes: 82abbf8d2fc4 ("bpf: do not allow root to mangle valid pointers") Reported-by: Jann Horn <jannh@google.com> Acked-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> [fllinden@amazon.com: backport to 4.14] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:52 +02:00
Alexei Starovoitov	9652b04830	bpf: do not allow root to mangle valid pointers ... commit 82abbf8d2fc46d79611ab58daa7c608df14bb3ee upstream. Do not allow root to convert valid pointers into unknown scalars. In particular disallow: ptr &= reg ptr <<= reg ptr += ptr and explicitly allow: ptr -= ptr since pkt_end - pkt == length 1. This minimizes amount of address leaks root can do. In the future may need to further tighten the leaks with kptr_restrict. 2. If program has such pointer math it's likely a user mistake and when verifier complains about it right away instead of many instructions later on invalid memory access it's easier for users to fix their progs. 3. when register holding a pointer cannot change to scalar it allows JITs to optimize better. Like 32-bit archs could use single register for pointers instead of a pair required to hold 64-bit scalars. 4. reduces architecture dependent behavior. Since code: r1 = r10; r1 &= 0xff; if (r1 ...) will behave differently arm64 vs x64 and offloaded vs native. A significant chunk of ptr mangling was allowed by commit f1174f77b50c ("bpf/verifier: rework value tracking") yet some of it was allowed even earlier. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> [fllinden@amazon.com: backport to 4.14] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:52 +02:00
Daniel Borkmann	e2fa89d1a2	bpf: Tighten speculative pointer arithmetic mask ... commit 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 upstream. This work tightens the offset mask we use for unprivileged pointer arithmetic in order to mitigate a corner case reported by Piotr and Benedict where in the speculative domain it is possible to advance, for example, the map value pointer by up to value_size-1 out-of-bounds in order to leak kernel memory via side-channel to user space. Before this change, the computed ptr_limit for retrieve_ptr_limit() helper represents largest valid distance when moving pointer to the right or left which is then fed as aux->alu_limit to generate masking instructions against the offset register. After the change, the derived aux->alu_limit represents the largest potential value of the offset register which we mask against which is just a narrower subset of the former limit. For minimal complexity, we call sanitize_ptr_alu() from 2 observation points in adjust_ptr_min_max_vals(), that is, before and after the simulated alu operation. In the first step, we retieve the alu_state and alu_limit before the operation as well as we branch-off a verifier path and push it to the verification stack as we did before which checks the dst_reg under truncation, in other words, when the speculative domain would attempt to move the pointer out-of-bounds. In the second step, we retrieve the new alu_limit and calculate the absolute distance between both. Moreover, we commit the alu_state and final alu_limit via update_alu_sanitation_state() to the env's instruction aux data, and bail out from there if there is a mismatch due to coming from different verification paths with different states. Reported-by: Piotr Krysiuk <piotras@gmail.com> Reported-by: Benedict Schlueter <benedict.schlueter@rub.de> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Tested-by: Benedict Schlueter <benedict.schlueter@rub.de> [fllinden@amazon.com: backported to 4.14] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:52 +02:00
Daniel Borkmann	b6da354729	bpf: Move sanitize_val_alu out of op switch ... commit f528819334881fd622fdadeddb3f7edaed8b7c9b upstream. Add a small sanitize_needed() helper function and move sanitize_val_alu() out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu() as well out of its opcode switch so this helps to streamline both. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: backported to 4.14] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:52 +02:00
Daniel Borkmann	b1974c77cb	bpf: Refactor and streamline bounds check into helper ... commit 073815b756c51ba9d8384d924c5d1c03ca3d1ae4 upstream. Move the bounds check in adjust_ptr_min_max_vals() into a small helper named sanitize_check_bounds() in order to simplify the former a bit. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: backport to 4.14] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:52 +02:00
Daniel Borkmann	53ba03da96	bpf: Improve verifier error messages for users ... commit a6aaece00a57fa6f22575364b3903dfbccf5345d upstream. Consolidate all error handling and provide more user-friendly error messages from sanitize_ptr_alu() and sanitize_val_alu(). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: backport to 4.14] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:52 +02:00
Daniel Borkmann	670494f9fb	bpf: Rework ptr_limit into alu_limit and add common error path ... commit b658bbb844e28f1862867f37e8ca11a8e2aa94a3 upstream. Small refactor with no semantic changes in order to consolidate the max ptr_limit boundary check. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:52 +02:00
Daniel Borkmann	60eb41ad98	bpf: Ensure off_reg has no mixed signed bounds for all types ... commit 24c109bb1537c12c02aeed2d51a347b4d6a9b76e upstream. The mixed signed bounds check really belongs into retrieve_ptr_limit() instead of outside of it in adjust_ptr_min_max_vals(). The reason is that this check is not tied to PTR_TO_MAP_VALUE only, but to all pointer types that we handle in retrieve_ptr_limit() and given errors from the latter propagate back to adjust_ptr_min_max_vals() and lead to rejection of the program, it's a better place to reside to avoid anything slipping through for future types. The reason why we must reject such off_reg is that we otherwise would not be able to derive a mask, see details in 9d7eceede769 ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged"). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: backport to 4.14] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:52 +02:00
Daniel Borkmann	b464715c67	bpf: Move off_reg into sanitize_ptr_alu ... commit 6f55b2f2a1178856c19bbce2f71449926e731914 upstream. Small refactor to drag off_reg into sanitize_ptr_alu(), so we later on can use off_reg for generalizing some of the checks for all pointer types. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: fix minor contextual conflict for 4.14] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-06-10 12:43:52 +02:00
Greg Kroah-Hartman	22dc72c914	This is the 4.14.233 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmCozV0ACgkQONu9yGCS aT7I5A//RQsNjicdh1s3L88qVPRbvaD7B4QzAW0Vd8qzAdkoBHeOT0Oqo23BII5d cTHnujk4gMSoQ1/9xIh0/5znYWrPy/8CfJnzb2ZdfefW0of8v5pMXIW5l1v6BsBK KkhBFWzSxzUTwmNK99nYvLSZ09kfQchdJgNd2+lYMGXXOHSqTgieyI550qRcimB6 a7rBfsT7jisOUh4OvVui7gn1pI1p+gpQIo66/9b+6bY0Vq6aXK9/kgHKyVpPv9ND xVj9pJNx43OZ3hJp+Ek2JtX6mAn3b2SyqelQdYaWG+WX4T3S60+OyIYPfGKPgOjX VjovWh3XDeJDzOgN8UQ+eeLCWJMZROn8zUevsFR2JYFuHJW14rsV9z188Ick//BQ oPEUc48aGfiijPK2VJ31NuhwhVqi6eLuP1wBlz6v4xaUKTs0PHCnJbe9NJV1zqqZ Khmp2Tvr2X1mmRGIgalTfV+Jy8sZfW4GD26LoUoSDNLDYH7de+E1+VDnmQisbbaN 7mEbRko36PTBfls+4vfEh6oyhT1tJYdjfH86hPwiWMd005Pvg0RI0o0Ipxg+3lNz 38+ixmP0dCtWvCY9JsBdrKoTIoGZmJTIIPTrSktqnozvKC+GP8KjZMFj1vX0Udk8 LsHFczYs3el13XllhuHNIR+bym2Dwygzk/WUQpbyJ02ArD9RUtI= =Qv2g -----END PGP SIGNATURE----- Merge 4.14.233 into android-4.14-stable Changes in 4.14.233 usbip: vudc synchronize sysfs code paths ACPI: tables: x86: Reserve memory occupied by ACPI tables ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade() bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" bpf: fix up selftests after backports were fixed net: usb: ax88179_178a: initialize local variables before use iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd() MIPS: Introduce isa-rev.h to define MIPS_ISA_REV MIPS: cpu-features.h: Replace __mips_isa_rev with MIPS_ISA_REV mips: Do not include hi and lo in clobber list for R6 bpf: Fix masking negation logic upon negative dst register iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_gen2_enqueue_hcmd() ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet USB: Add reset-resume quirk for WD19's Realtek Hub platform/x86: thinkpad_acpi: Correct thermal sensor allocation s390/disassembler: increase ebpf disasm buffer size ACPI: custom_method: fix potential use-after-free issue ACPI: custom_method: fix a possible memory leak arm64: dts: mt8173: fix property typo of 'phys' in dsi node ecryptfs: fix kernel panic with null dev_name spi: spi-ti-qspi: Free DMA resources mmc: block: Update ext_csd.cache_ctrl if it was written mmc: core: Do a power cycle when the CMD11 fails mmc: core: Set read only for SD cards with permanent write protect bit cifs: Return correct error code from smb2_get_enc_key btrfs: fix metadata extent leak after failure to create subvolume intel_th: pci: Add Rocket Lake CPU support fbdev: zero-fill colormap in fbcmap.c staging: wimax/i2400m: fix byte-order issue crypto: api - check for ERR pointers in crypto_destroy_tfm() usb: gadget: uvc: add bInterval checking for HS mode usb: gadget: f_uac1: validate input parameters usb: dwc3: gadget: Ignore EP queue requests during bus reset usb: xhci: Fix port minor revision PCI: PM: Do not read power state in pci_enable_device_flags() x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS) tee: optee: do not check memref size on return from Secure World perf/arm_pmu_platform: Fix error handling spi: dln2: Fix reference leak to master spi: omap-100k: Fix reference leak to master intel_th: Consistency and off-by-one fix phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe scsi: lpfc: Fix pt2pt connection does not recover after LOGO scsi: target: pscsi: Fix warning in pscsi_complete_cmd() media: ite-cir: check for receive overflow power: supply: bq27xxx: fix power_avg for newer ICs extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged media: media/saa7164: fix saa7164_encoder_register() memory leak bugs media: gspca/sq905.c: fix uninitialized variable power: supply: Use IRQF_ONESHOT drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() scsi: qla2xxx: Fix use after free in bsg scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg() media: em28xx: fix memory leak media: vivid: update EDID clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() media: adv7604: fix possible use-after-free in adv76xx_remove() media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() media: i2c: adv7842: fix possible use-after-free in adv7842_remove() media: dvb-usb: fix memory leak in dvb_usb_adapter_init media: gscpa/stv06xx: fix memory leak drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal drm/amdgpu: fix NULL pointer dereference scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic scsi: libfc: Fix a format specifier ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer ALSA: hda/conexant: Re-order CX5066 quirk table entries ALSA: sb: Fix two use after free in snd_sb_qsound_build btrfs: fix race when picking most recent mod log operation for an old root arm64/vdso: Discard .note.gnu.property sections in vDSO openvswitch: fix stack OOB read while fragmenting IPv4 packets ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure NFSv4: Don't discard segments marked for return in _pnfs_return_layout() jffs2: Fix kasan slab-out-of-bounds problem powerpc/eeh: Fix EEH handling for hugepages in ioremap space. powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h intel_th: pci: Add Alder Lake-M support md/raid1: properly indicate failure when ending a failed write request security: commoncap: fix -Wstringop-overread warning Fix misc new gcc warnings jffs2: check the validity of dstlen in jffs2_zlib_compress() Revert 337f13046ff0 ("futex: Allow FUTEX_CLOCK_REALTIME with FUTEX_WAIT op") posix-timers: Preserve return value in clock_adjtime32() ftrace: Handle commands when closing set_ftrace_filter file ext4: fix check to prevent false positive report of incorrect used inodes ext4: fix error code in ext4_commit_super media: dvbdev: Fix memory leak in dvb_media_device_free() usb: gadget: dummy_hcd: fix gpf in gadget_setup usb: gadget: Fix double free of device descriptor pointers usb: gadget/function/f_fs string table fix for multiple languages usb: dwc3: gadget: Fix START_TRANSFER link state check tracing: Map all PIDs to command lines dm persistent data: packed struct should have an aligned() attribute too dm space map common: fix division bug in sm_ll_find_free_block() dm rq: fix double free of blk_mq_tag_set in dev remove after table load fails modules: mark ref_module static modules: mark find_symbol static modules: mark each_symbol_section static modules: unexport __module_text_address modules: unexport __module_address modules: rename the licence field in struct symsearch to license modules: return licensing information from find_symbol modules: inherit TAINT_PROPRIETARY_MODULE Bluetooth: verify AMP hci_chan before amp_destroy hsr: use netdev_err() instead of WARN_ONCE() bluetooth: eliminate the potential race condition when removing the HCI controller net/nfc: fix use-after-free llcp_sock_bind/connect MIPS: pci-rt2880: fix slot 0 configuration FDDI: defxx: Bail out gracefully with unassigned PCI resource for CSR misc: lis3lv02d: Fix false-positive WARN on various HP models misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct misc: vmw_vmci: explicitly initialize vmci_datagram payload tracing: Restructure trace_clock_global() to never block md-cluster: fix use-after-free issue when removing rdev md: split mddev_find md: factor out a mddev_find_locked helper from mddev_find md: md_open returns -EBUSY when entering racing area ipw2x00: potential buffer overflow in libipw_wx_set_encodeext() cfg80211: scan: drop entry from hidden_list on overflow drm/radeon: fix copy of uninitialized variable back to userspace ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices x86/cpu: Initialize MSR_TSC_AUX if RDTSCP *or* RDPID is supported KVM: s390: split kvm_s390_logical_to_effective KVM: s390: fix guarded storage control register handling KVM: s390: split kvm_s390_real_to_abs usb: gadget: pch_udc: Revert d3cb25a12138 completely memory: gpmc: fix out of bounds read and dereference on gpmc_cs[] ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid X/U3 family ARM: dts: exynos: correct PMIC interrupt trigger level on SMDK5250 ARM: dts: exynos: correct PMIC interrupt trigger level on Snow serial: stm32: fix incorrect characters on console serial: stm32: fix tx_empty condition usb: typec: tcpci: Check ROLE_CONTROL while interpreting CC_STATUS x86/microcode: Check for offline CPUs before requesting new microcode usb: gadget: pch_udc: Replace cpu_to_le32() by lower_32_bits() usb: gadget: pch_udc: Check if driver is present before calling ->setup() usb: gadget: pch_udc: Check for DMA mapping error crypto: qat - don't release uninitialized resources crypto: qat - ADF_STATUS_PF_RUNNING should be set after adf_dev_init fotg210-udc: Fix DMA on EP0 for length > max packet size fotg210-udc: Fix EP0 IN requests bigger than two packets fotg210-udc: Remove a dubious condition leading to fotg210_done fotg210-udc: Mask GRP2 interrupts we don't handle fotg210-udc: Don't DMA more than the buffer can take fotg210-udc: Complete OUT requests on short packets mtd: require write permissions for locking and badblock ioctls bus: qcom: Put child node before return phy: marvell: ARMADA375_USBCLUSTER_PHY should not default to y, unconditionally crypto: qat - fix error path in adf_isr_resource_alloc() USB: gadget: udc: fix wrong pointer passed to IS_ERR() and PTR_ERR() mtd: rawnand: gpmi: Fix a double free in gpmi_nand_init staging: rtl8192u: Fix potential infinite loop staging: greybus: uart: fix unprivileged TIOCCSERIAL spi: Fix use-after-free with devm_spi_alloc_* soc: qcom: mdt_loader: Validate that p_filesz < p_memsz soc: qcom: mdt_loader: Detect truncated read of segments ACPI: CPPC: Replace cppc_attr with kobj_attribute crypto: qat - Fix a double free in adf_create_ring usb: gadget: r8a66597: Add missing null check on return from platform_get_resource USB: cdc-acm: fix unprivileged TIOCCSERIAL tty: actually undefine superseded ASYNC flags tty: fix return value for unsupported ioctls firmware: qcom-scm: Fix QCOM_SCM configuration platform/x86: pmc_atom: Match all Beckhoff Automation baytrail boards with critclk_systems DMI table x86/platform/uv: Fix !KEXEC build failure Drivers: hv: vmbus: Increase wait time for VMbus unload ttyprintk: Add TTY hangup callback. media: vivid: fix assignment of dev->fbuf_out_flags media: omap4iss: return error code when omap4iss_get() failed media: m88rs6000t: avoid potential out-of-bounds reads on arrays x86/kprobes: Fix to check non boostable prefixes correctly pata_arasan_cf: fix IRQ check pata_ipx4xx_cf: fix IRQ check sata_mv: add IRQ checks ata: libahci_platform: fix IRQ check vfio/mdev: Do not allow a mdev_type to have a NULL parent pointer clk: uniphier: Fix potential infinite loop scsi: jazz_esp: Add IRQ check scsi: sun3x_esp: Add IRQ check scsi: sni_53c710: Add IRQ check mfd: stm32-timers: Avoid clearing auto reload register HSI: core: fix resource leaks in hsi_add_client_from_dt() x86/events/amd/iommu: Fix sysfs type mismatch HID: plantronics: Workaround for double volume key presses perf symbols: Fix dso__fprintf_symbols_by_name() to return the number of printed chars net: lapbether: Prevent racing when checking whether the netif is running powerpc/prom: Mark identical_pvr_fixup as __init powerpc: Fix HAVE_HARDLOCKUP_DETECTOR_ARCH build configuration ALSA: core: remove redundant spin_lock pair in snd_card_disconnect bug: Remove redundant condition check in report_bug nfc: pn533: prevent potential memory corruption ALSA: usb-audio: Add error checks for usb_driver_claim_interface() calls liquidio: Fix unintented sign extension of a left shift of a u16 powerpc/perf: Fix PMU constraint check for EBB events powerpc: iommu: fix build when neither PCI or IBMVIO is set mac80211: bail out if cipher schemes are invalid mt7601u: fix always true expression IB/hfi1: Fix error return code in parse_platform_config() net: thunderx: Fix unintentional sign extension issue i2c: cadence: add IRQ check i2c: emev2: add IRQ check i2c: jz4780: add IRQ check i2c: sh7760: add IRQ check MIPS: pci-legacy: stop using of_pci_range_to_resource powerpc/pseries: extract host bridge from pci_bus prior to bus removal rtlwifi: 8821ae: upgrade PHY and RF parameters i2c: sh7760: fix IRQ error path mwl8k: Fix a double Free in mwl8k_probe_hw vsock/vmci: log once the failed queue pair allocation RDMA/i40iw: Fix error unwinding when i40iw_hmc_sd_one fails net: davinci_emac: Fix incorrect masking of tx and rx error channel ath9k: Fix error check in ath9k_hw_read_revisions() for PCI devices powerpc/52xx: Fix an invalid ASM expression ('addi' used instead of 'add') net:emac/emac-mac: Fix a use after free in emac_mac_tx_buf_send net:nfc:digital: Fix a double free in digital_tg_recv_dep_req kfifo: fix ternary sign extension bugs smp: Fix smp_call_function_single_async prototype Revert "net/sctp: fix race condition in sctp_destroy_sock" sctp: delay auto_asconf init until binding the first addr Revert "of/fdt: Make sure no-map does not remove already reserved regions" Revert "fdt: Properly handle "no-map" field in the memory region" tpm: fix error return code in tpm2_get_cc_attrs_tbl() fs: dlm: fix debugfs dump tipc: convert dest node's address to network order net: stmmac: Set FIFO sizes for ipq806x ALSA: hdsp: don't disable if not enabled ALSA: hdspm: don't disable if not enabled ALSA: rme9652: don't disable if not enabled Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default Bluetooth: initialize skb_queue_head at l2cap_chan_create() Bluetooth: check for zapped sk before connecting ip6_vti: proper dev_{hold|put} in ndo_[un]init methods mac80211: clear the beacon's CRC after channel switch pinctrl: samsung: use 'int' for register masks in Exynos cuse: prevent clone selftests: Set CC to clang in lib.mk if LLVM is set kconfig: nconf: stop endless search loops sctp: Fix out-of-bounds warning in sctp_process_asconf_param() powerpc/smp: Set numa node before updating mask ASoC: rt286: Generalize support for ALC3263 codec samples/bpf: Fix broken tracex1 due to kprobe argument change powerpc/pseries: Stop calling printk in rtas_stop_self() wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join powerpc/iommu: Annotate nested lock for lockdep net: ethernet: mtk_eth_soc: fix RX VLAN offload ASoC: rt286: Make RT286_SET_GPIO_* readable and writable f2fs: fix a redundant call to f2fs_balance_fs if an error occurs PCI: Release OF node in pci_scan_device()'s error path ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data() NFSv4.2: Always flush out writes in nfs42_proc_fallocate() NFS: Deal correctly with attribute generation counter overflow pNFS/flexfiles: fix incorrect size check in decode_nfs_fh() NFSv4.2 fix handling of sr_eof in SEEK's reply rtc: ds1307: Fix wday settings for rx8130 sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b drm/radeon: Fix off-by-one power_state index heap overwrite khugepaged: fix wrong result value for trace_mm_collapse_huge_page_isolate() mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts() ksm: fix potential missing rmap_item for stable_node net: fix nla_strcmp to handle more then one trailing null character kernel: kexec_file: fix error return code of kexec_calculate_store_digests() netfilter: nftables: avoid overflows in nft_hash_buckets() ARC: entry: fix off-by-one error in syscall number validation powerpc/64s: Fix crashes when toggling stf barrier powerpc/64s: Fix crashes when toggling entry flush barrier squashfs: fix divide error in calculate_skip() userfaultfd: release page in error path to avoid BUG_ON drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected iio: proximity: pulsedlight: Fix rumtime PM imbalance on error usb: fotg210-hcd: Fix an error message ACPI: scan: Fix a memory leak in an error handling path blk-mq: Swap two calls in blk_mq_exit_queue() usb: dwc3: omap: improve extcon initialization usb: xhci: Increase timeout for HC halt usb: dwc2: Fix gadget DMA unmap direction usb: core: hub: fix race condition about TRSMRCY of resume iio: gyro: mpu3050: Fix reported temperature value iio: tsl2583: Fix division by a zero lux_val KVM: x86: Cancel pvclock_gtod_work on module removal FDDI: defxx: Make MMIO the configuration default except for EISA MIPS: Reinstate platform `__div64_32' handler MIPS: Avoid DIVU in `__div64_32' is result would be zero MIPS: Avoid handcoded DIVU in `__div64_32' altogether thermal/core/fair share: Lock the thermal zone while looping over instances RDMA/i40iw: Avoid panic when reading back the IRQ affinity hint kobject_uevent: remove warning in init_uevent_argv() netfilter: conntrack: Make global sysctls readonly in non-init netns clk: exynos7: Mark aclk_fsys1_200 as critical x86/msr: Fix wr/rdmsr_safe_regs_on_cpu() prototypes kgdb: fix gcc-11 warning on indentation usb: sl811-hcd: improve misleading indentation cxgb4: Fix the -Wmisleading-indentation warning isdn: capi: fix mismatched prototypes PCI: thunder: Fix compile testing ARM: 9066/1: ftrace: pause/unpause function graph tracer in cpu_suspend() ACPI / hotplug / PCI: Fix reference count leak in enable_slot() Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state um: Mark all kernel symbols as local ceph: fix fscache invalidation gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP block: reexpand iov_iter after read/write lib: stackdepot: turn depot_lock spinlock to raw_spinlock serial: 8250: fix potential deadlock in rs485-mode sit: proper dev_{hold|put} in ndo_[un]init methods ip6_tunnel: sit: proper dev_{hold|put} in ndo_[un]init methods xhci: Do not use GFP_KERNEL in (potentially) atomic context ipv6: remove extra dev_hold() for fallback tunnels Linux 4.14.233 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I09e88e1e302d475f2a39bf88438dea30fa97c848	2021-05-22 11:25:16 +02:00
Daniel Borkmann	4d542ddb88	bpf: Fix masking negation logic upon negative dst register ... commit b9b34ddbe2076ade359cd5ce7537d5ed019e9807 upstream. The negation logic for the case where the off_reg is sitting in the dst register is not correct given then we cannot just invert the add to a sub or vice versa. As a fix, perform the final bitwise and-op unconditionally into AX from the off_reg, then move the pointer from the src to dst and finally use AX as the source for the original pointer arithmetic operation such that the inversion yields a correct result. The single non-AX mov in between is possible given constant blinding is retaining it as it's not an immediate based operation. Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic") Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Tested-by: Piotr Krysiuk <piotras@gmail.com> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-05-22 10:57:13 +02:00
Samuel Mendoza-Jonas	33f987529f	bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" ... The 4.14 backport of 9d7eceede ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged") adds the PTR_TO_MAP_VALUE check to the wrong location in adjust_ptr_min_max_vals(), most likely because 4.14 doesn't include the commit that updates the if-statement to a switch-statement (aad2eeaf4 "bpf: Simplify ptr_min_max_vals adjustment"). Move the check to the proper location in adjust_ptr_min_max_vals(). Fixes: 17efa65350c5a ("bpf: restrict unknown scalars of mixed signed bounds for unprivileged") Signed-off-by: Samuel Mendoza-Jonas <samjonas@amazon.com> Reviewed-by: Frank van der Linden <fllinden@amazon.com> Reviewed-by: Ethan Chen <yishache@amazon.com> Acked-by: Yonghong Song <yhs@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-05-22 10:57:12 +02:00
Greg Kroah-Hartman	c6c06d09a5	This is the 4.14.227 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBbDwEACgkQONu9yGCS aT7jMBAAijKoov5O3OwDkbwiNo/hzyHWr0D0miTdETg4CUEngzO9PP88jHOTT9SF uPRYRefOg1XAhPgI5PUMnKNnJwR2GzeTSKEyXDkAEXW8vni6Oz0vGluE1QODYiso baruiAfm7m3WGKqkTSwGKaaAWtXMySsLh8lvklFUPsJz/KPo1tO0NBylZ69olYl+ J4ZBlhOkgKJ3qHUz9rO+sbj2dnHpzISZu+fFHAO4Eoln/tCMNSrUURJHZp+2Y0s5 t3qABPe6M3iIFaefQYW7JEsFvqvMKT8g33g8Upff5mttQe02i0ufvriSToMjgobl i8x+cMX9jmFdcRBH1AIRiYHBuNhRgA7Evn8mwkTrN3Xi6vmmHthzmlEu8J3iubgE 2/x/+Q4D6Eumr5M8DMO2DFde4tZ2m3NREaDZUJVJohB+/EiMo+vYmbFMmDLX9aLO 0jkDusv5hfUAc60ad8RwZOZIqq8o88+8rBJH/bAYi3QyfoWzap0ENZRyP5yO7Ehb PiI9CqMleMMHn9Qz8e3N1oRW8/r0lzRroHyU6ylgCL5xuPUTv8A2du1rtlP8du9o uVxDFPolsr65cfc9J4PLHfUJuAZl6rtqCjkv8TofHK+BO6kwBJEyTYDTzT2EAeBg t9jmFIbXEga08IDdJT3sDLKiMvGioX2OD4iOhZTMASVww0uNMfw= =cZHD -----END PGP SIGNATURE----- Merge 4.14.227 into android-4.14-stable Changes in 4.14.227 ext4: handle error of ext4_setup_system_zone() on remount ext4: don't allow overlapping system zones ext4: check journal inode extents more carefully bpf: Fix off-by-one for area size in creating mask to left bpf: Simplify alu_limit masking for pointer arithmetic bpf: Add sanity check for upper ptr_limit net: dsa: b53: Support setting learning on port bpf: Prohibit alu ops for pointer types not defining ptr_limit Revert "PM: runtime: Update device status before letting suppliers suspend" perf tools: Use %define api.pure full instead of %pure-parser tools build feature: Check if get_current_dir_name() is available tools build feature: Check if eventfd() is available tools build: Check if gettid() is available before providing helper perf: Make perf able to build with latest libbfd tools build feature: Check if pthread_barrier_t is available btrfs: fix race when cloning extent buffer during rewind of an old root nvmet: don't check iosqes,iocqes for discovery controllers NFSD: Repair misuse of sv_lock in 5.10.16-rt30. svcrdma: disable timeouts on rdma backchannel sunrpc: fix refcount leak for rpc auth modules net/qrtr: fix __netdev_alloc_skb call scsi: lpfc: Fix some error codes in debugfs nvme-rdma: fix possible hang when failing to set io queues usb-storage: Add quirk to defeat Kindle's automatic unload USB: replace hardcode maximum usb string length by definition usb: gadget: configfs: Fix KASAN use-after-free iio:adc:stm32-adc: Add HAS_IOMEM dependency iio:adc:qcom-spmi-vadc: add default scale to LR_MUX2_BAT_ID channel iio: adis16400: Fix an error code in adis16400_initial_setup() iio: gyro: mpu3050: Fix error handling in mpu3050_trigger_handler iio: hid-sensor-humidity: Fix alignment issue of timestamp channel iio: hid-sensor-prox: Fix scale not correct issue iio: hid-sensor-temperature: Fix issues of timestamp channel PCI: rpadlpar: Fix potential drc_name corruption in store functions perf/x86/intel: Fix a crash caused by zero PEBS status x86/ioapic: Ignore IRQ2 again kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data() x86: Move TS_COMPAT back to asm/thread_info.h x86: Introduce TS_COMPAT_RESTART to fix get_nr_restart_syscall() ext4: find old entry again if failed to rename whiteout ext4: do not try to set xattr into ea_inode if value is empty ext4: fix potential error in ext4_do_update_inode genirq: Disable interrupts for force threaded handlers Linux 4.14.227 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iadc3cdbdb9012457893c4448e32caee7706adb1c	2021-03-24 11:39:32 +01:00
Piotr Krysiuk	c49e70a5e7	bpf: Prohibit alu ops for pointer types not defining ptr_limit ... commit f232326f6966cf2a1d1db7bc917a4ce5f9f55f76 upstream. The purpose of this patch is to streamline error propagation and in particular to propagate retrieve_ptr_limit() errors for pointer types that are not defining a ptr_limit such that register-based alu ops against these types can be rejected. The main rationale is that a gap has been identified by Piotr in the existing protection against speculatively out-of-bounds loads, for example, in case of ctx pointers, unprivileged programs can still perform pointer arithmetic. This can be abused to execute speculatively out-of-bounds loads without restrictions and thus extract contents of kernel memory. Fix this by rejecting unprivileged programs that attempt any pointer arithmetic on unprotected pointer types. The two affected ones are pointer to ctx as well as pointer to map. Field access to a modified ctx' pointer is rejected at a later point in time in the verifier, and 7c6967326267 ("bpf: Permit map_ptr arithmetic with opcode add and offset 0") only relevant for root-only use cases. Risk of unprivileged program breakage is considered very low. Fixes: 7c6967326267 ("bpf: Permit map_ptr arithmetic with opcode add and offset 0") Fixes: b2157399cc98 ("bpf: prevent out-of-bounds speculation") Signed-off-by: Piotr Krysiuk <piotras@gmail.com> Co-developed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-03-24 11:04:55 +01:00
Piotr Krysiuk	b4aa37d963	bpf: Add sanity check for upper ptr_limit ... commit 1b1597e64e1a610c7a96710fc4717158e98a08b3 upstream. Given we know the max possible value of ptr_limit at the time of retrieving the latter, add basic assertions, so that the verifier can bail out if anything looks odd and reject the program. Nothing triggered this so far, but it also does not hurt to have these. Signed-off-by: Piotr Krysiuk <piotras@gmail.com> Co-developed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-03-24 11:04:55 +01:00
Piotr Krysiuk	59ce8e5ecf	bpf: Simplify alu_limit masking for pointer arithmetic ... commit b5871dca250cd391885218b99cc015aca1a51aea upstream. Instead of having the mov32 with aux->alu_limit - 1 immediate, move this operation to retrieve_ptr_limit() instead to simplify the logic and to allow for subsequent sanity boundary checks inside retrieve_ptr_limit(). This avoids in future that at the time of the verifier masking rewrite we'd run into an underflow which would not sign extend due to the nature of mov32 instruction. Signed-off-by: Piotr Krysiuk <piotras@gmail.com> Co-developed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-03-24 11:04:55 +01:00
Piotr Krysiuk	92df5a174c	bpf: Fix off-by-one for area size in creating mask to left ... commit 10d2bb2e6b1d8c4576c56a748f697dbeb8388899 upstream. retrieve_ptr_limit() computes the ptr_limit for registers with stack and map_value type. ptr_limit is the size of the memory area that is still valid / in-bounds from the point of the current position and direction of the operation (add / sub). This size will later be used for masking the operation such that attempting out-of-bounds access in the speculative domain is redirected to remain within the bounds of the current map value. When masking to the right the size is correct, however, when masking to the left, the size is off-by-one which would lead to an incorrect mask and thus incorrect arithmetic operation in the non-speculative domain. Piotr found that if the resulting alu_limit value is zero, then the BPF_MOV32_IMM() from the fixup_bpf_calls() rewrite will end up loading 0xffffffff into AX instead of sign-extending to the full 64 bit range, and as a result, this allows abuse for executing speculatively out-of- bounds loads against 4GB window of address space and thus extracting the contents of kernel memory via side-channel. Fixes: 979d63d50c0c ("bpf: prevent out of bounds speculation on pointer arithmetic") Signed-off-by: Piotr Krysiuk <piotras@gmail.com> Co-developed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2021-03-24 11:04:54 +01:00
Greg Kroah-Hartman	a2e73af4e5	This is the 4.14.223 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmA/xiMACgkQONu9yGCS aT6xPRAAubIMjvou8+ByMLEOK5HfhXN3VSi7iUQvBMsWPtW609hYMucIi6BdgUS5 vIXy/kwMRhQ0YW8H+rsf94Doliw6kgu4ebHLZqe7aP4EMeIoJ/HXtVfxpcrc4TzK SdUxEEilHKlxSzhmi3Qi53KBLsJusoBg/jzNJ3PQQrX3V8Zc5XCzt1ZZIpxrnQK0 Bv/CVqAFauMX27pqJq/Y4cSJZtZ6EbUjRekIC5tjqBDMi4Pf7wHGYj/tUSdm76Es 9eTDmfO9Rvk0XeKKxm0dv5ffkhyi9xBmBK82GqBnHBSDpG03JOKcK5RAWRLT84Zv joby0dsEPYTLG3nZ7cmRW0R5952BfvkabuRj07W2zu9DanMVnQtiquFZw2YdS/7a Ed5lUWxdPysObd53keXtlv3hhjB+5lPIU5d3SLbsp6W08MIk9+YA1JBHeIJX9ulX xy7kR0kUmiqCOspCKYZKmiU8DTqzko5yQfJWHYxuNosqnUYH+K9vTz1JBStdzrGM ZAIDhhxPxNuC/gRlbavmbuyaHoPrBO2+l+dF/8be1YFyqMm3iIabROBWOqjnri4+ ZAGyGpr8ktJNv8rAlFvvDbg2fYO8j8FdA1Olf+UgCWZvzKPKESGrSwHg458c37XN x0oWmytn5eXaY0LJgCo0D3Pf5uqrXKsazNSc/QZ9gwqf7hZJU8Y= =nNVc -----END PGP SIGNATURE----- Merge 4.14.223 into android-4.14-stable Changes in 4.14.223 HID: make arrays usage and value to be the same usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable ntfs: check for valid standard information attribute arm64: tegra: Add power-domain for Tegra210 HDA NET: usb: qmi_wwan: Adding support for Cinterion MV31 cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath. scripts/recordmcount.pl: support big endian for ARCH sh vmlinux.lds.h: add DWARF v5 sections kdb: Make memory allocations more robust MIPS: vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section random: fix the RNDRESEEDCRNG ioctl Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function Bluetooth: Fix initializing response id after clearing struct ARM: dts: exynos: correct PMIC interrupt trigger level on Monk ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato ARM: dts: exynos: correct PMIC interrupt trigger level on Spring ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale Octa arm64: dts: exynos: correct PMIC interrupt trigger level on TM2 arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() usb: gadget: u_audio: Free requests only after callback Bluetooth: drop HCI device reference before return Bluetooth: Put HCI device if inquiry procedure interrupts ARM: dts: Configure missing thermal interrupt for 4430 usb: dwc2: Do not update data length if it is 0 on inbound transfers usb: dwc2: Abort transaction after errors with unknown reason usb: dwc2: Make "trimming xfer length" a debug message staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules arm64: dts: msm8916: Fix reserved and rfsa nodes unit address ARM: s3c: fix fiq for clang IAS bpf_lru_list: Read double-checked variable once without lock ath9k: fix data bus crash when setting nf_override via debugfs bnxt_en: reverse order of TX disable and carrier off xen/netback: fix spurious event detection for common event case mac80211: fix potential overflow when multiplying to u32 integers b43: N-PHY: Fix the update of coef for the PHY revision >= 3case ibmvnic: skip send_request_unmap for timeout reset net: amd-xgbe: Reset the PHY rx data path when mailbox command timeout net: amd-xgbe: Reset link when the link never comes back net: mvneta: Remove per-cpu queue mapping for Armada 3700 fbdev: aty: SPARC64 requires FB_ATY_CT drm/gma500: Fix error return code in psb_driver_load() gma500: clean up error handling in init crypto: sun4i-ss - fix kmap usage MIPS: c-r4k: Fix section mismatch for loongson2_sc_init MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 media: i2c: ov5670: Fix PIXEL_RATE minimum value media: vsp1: Fix an error handling path in the probe function media: media/pci: Fix memleak in empress_init media: tm6000: Fix memleak in tm6000_start_stream ASoC: cs42l56: fix up error handling in probe crypto: bcm - Rename struct device_private to bcm_device_private media: lmedm04: Fix misuse of comma media: qm1d1c0042: fix error return code in qm1d1c0042_init() media: cx25821: Fix a bug when reallocating some dma memory media: pxa_camera: declare variable when DEBUG is defined media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values ata: ahci_brcm: Add back regulators management Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() btrfs: clarify error returns values in __load_free_space_cache hwrng: timeriomem - Fix cooldown period calculation crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() ima: Free IMA measurement buffer on error ima: Free IMA measurement buffer after kexec syscall fs/jfs: fix potential integer overflow on shift of a int jffs2: fix use after free in jffs2_sum_write_data() capabilities: Don't allow writing ambiguous v3 file capabilities clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL quota: Fix memory leak when handling corrupted quota file spi: cadence-quadspi: Abort read if dummy cycles required are too many HID: core: detect and skip invalid inputs to snto32() dmaengine: fsldma: Fix a resource leak in the remove function dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function dmaengine: hsu: disable spurious interrupt mfd: bd9571mwv: Use devm_mfd_add_devices() fdt: Properly handle "no-map" field in the memory region of/fdt: Make sure no-map does not remove already reserved regions power: reset: at91-sama5d2_shdwc: fix wkupdbc mask rtc: s5m: select REGMAP_I2C clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined regulator: axp20x: Fix reference cout leak certs: Fix blacklist flag type confusion spi: atmel: Put allocated master before return isofs: release buffer head before return auxdisplay: ht16k33: Fix refresh rate handling IB/umad: Return EIO in case of when device disassociated powerpc/47x: Disable 256k page size mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores amba: Fix resource leak for drivers without .remove tracepoint: Do not fail unregistering a probe due to memory failure perf tools: Fix DSO filtering when not finding a map for a sampled address RDMA/rxe: Fix coding error in rxe_recv.c spi: stm32: properly handle 0 byte transfer mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() powerpc/pseries/dlpar: handle ibm, configure-connector delay status powerpc/8xx: Fix software emulation interrupt spi: pxa2xx: Fix the controller numbering for Wildcat Point perf intel-pt: Fix missing CYC processing in PSB perf test: Fix unaligned access in sample parsing test Input: elo - fix an error code in elo_connect() sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set misc: eeprom_93xx46: Fix module alias to enable module autoprobe misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() VMCI: Use set_page_dirty_lock() when unregistering guest memory PCI: Align checking of syscall user config accessors drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) ext4: fix potential htree index checksum corruption i40e: Fix flow for IPv6 next header (extension header) i40e: Fix overwriting flow control settings during driver loading net/mlx4_core: Add missed mlx4_free_cmd_mailbox() ocfs2: fix a use after free on error mm/memory.c: fix potential pte_unmap_unlock pte error mm/hugetlb: fix potential double free in hugetlb_register_node() error path arm64: Add missing ISB after invalidating TLB in __primary_switch i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition mm/rmap: fix potential pte_unmap on an not mapped pte scsi: bnx2fc: Fix Kconfig warning & CNIC build errors blk-settings: align max_sectors on "logical_block_size" boundary ACPI: property: Fix fwnode string properties matching ACPI: configfs: add missing check after configfs_register_default_group() HID: wacom: Ignore attempts to overwrite the touch_max value from HID Input: raydium_ts_i2c - do not send zero length Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S Input: joydev - prevent potential read overflow in ioctl Input: i8042 - add ASUS Zenbook Flip to noselftest list USB: serial: option: update interface mapping for ZTE P685M usb: musb: Fix runtime PM race in musb_queue_resume_work USB: serial: mos7840: fix error code in mos7840_write() USB: serial: mos7720: fix error code in mos7720_write() usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt ALSA: hda/realtek: modify EAPD in the ALC886 tpm_tis: Fix check_locality for correct locality acquisition KEYS: trusted: Fix migratable=1 failing btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root btrfs: fix reloc root leak with 0 ref reloc roots on recovery btrfs: fix extent buffer leak on failure to copy root crypto: sun4i-ss - checking sg length is not sufficient crypto: sun4i-ss - handle BigEndian for cipher seccomp: Add missing return in non-void function drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table x86/reboot: Force all cpus to exit VMX root if VMX is supported floppy: reintroduce O_NDELAY fix arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing watchdog: mei_wdt: request stop on unregister mtd: spi-nor: hisi-sfc: Put child node np on error path fs/affs: release old buffer head on error path hugetlb: fix copy_huge_page_from_user contig page struct assumption mm: hugetlb: fix a race between freeing and dissolving the page usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop() libnvdimm/dimm: Avoid race between probe and available_slots_show() module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols mmc: sdhci-esdhc-imx: fix kernel panic when remove module gpio: pcf857x: Fix missing first interrupt printk: fix deadlock when kernel panic f2fs: fix out-of-repair __setattr_copy() sparc32: fix a user-triggerable oops in clear_user() gfs2: Don't skip dlm unlock if glock has an lvb dm era: Recover committed writeset after crash dm era: Verify the data block size hasn't changed dm era: Fix bitset memory leaks dm era: Use correct value size in equality function of writeset tree dm era: Reinitialize bitset cache before digesting a new writeset dm era: only resize metadata in preresume icmp: introduce helper for nat'd source address in network device context icmp: allow icmpv6_ndo_send to work with CONFIG_IPV6=n gtp: use icmp_ndo_send helper sunvnet: use icmp_ndo_send helper ipv6: icmp6: avoid indirect call for icmpv6_send() ipv6: silence compilation warning for non-IPV6 builds net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending dm era: Update in-core bitset after committing the metadata Linux 4.14.223 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ib3da7b72393e257416645cd59c380fce3c801177	2021-03-03 18:58:56 +01:00
Marco Elver	1ee2b1fa5a	bpf_lru_list: Read double-checked variable once without lock ... [ Upstream commit 6df8fb83301d68ea0a0c0e1cbcc790fcc333ed12 ] For double-checked locking in bpf_common_lru_push_free(), node->type is read outside the critical section and then re-checked under the lock. However, concurrent writes to node->type result in data races. For example, the following concurrent access was observed by KCSAN: write to 0xffff88801521bc22 of 1 bytes by task 10038 on cpu 1: __bpf_lru_node_move_in kernel/bpf/bpf_lru_list.c:91 __local_list_flush kernel/bpf/bpf_lru_list.c:298 ... read to 0xffff88801521bc22 of 1 bytes by task 10043 on cpu 0: bpf_common_lru_push_free kernel/bpf/bpf_lru_list.c:507 bpf_lru_push_free kernel/bpf/bpf_lru_list.c:555 ... Fix the data races where node->type is read outside the critical section (for double-checked locking) by marking the access with READ_ONCE() as well as ensuring the variable is only accessed once. Fixes: 3a08c2fd7634 ("bpf: LRU List") Reported-by: syzbot+3536db46dfa58c573458@syzkaller.appspotmail.com Reported-by: syzbot+516acdb03d3e27d91bcd@syzkaller.appspotmail.com Signed-off-by: Marco Elver <elver@google.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: Martin KaFai Lau <kafai@fb.com> Link: https://lore.kernel.org/bpf/20210209112701.3341724-1-elver@google.com Signed-off-by: Sasha Levin <sashal@kernel.org>	2021-03-03 18:22:39 +01:00
Greg Kroah-Hartman	c0303b0388	This is the 4.14.222 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmA0/JEACgkQONu9yGCS aT5IQA//XG0oLCFo1l6DDRPINDK104bYork5yGmqjGfdSplnH/OYkwmebAJEUmNn ha+Qv9xw1JlR/oGBwC4Zp0jBV4+Gjuh6SuqdyCH/NI+tTSnKd1MzfqMmo6rb5iaz RspBVgc+I5sV7Fa3GVwR54a5Yo3JgUEMIxT+q1Ftu9QT3kr1Zo0m3odm8/j8EI5o mYaYbNPnXfcn7NCotyIq2g3q7rQTcbshlUoul9WxdjUcRMdAFY1Fnj6UxrWO1b0s oFj/u/KV0WB2IeXgZgStNS5qjKhmfZKj1rAVnYOpY0zwn0wKnGa2oh4G+Pfae2yk MXQaW2KL/Y8gsCzhj1N/L5yfRMatOfT3tAqD2gGqoJVWpmLU4p15piWD5uwWkxLw HtazDI4IBNAah7mog+xnD0V2Q8auZ7f4tbtkiHTfoyFs5BavK2VETOOTeAoUsX5O e/Dif0gv6SEhkFCkL4PBz4WylD1gOY8nD1FsgbfMZ0hDSpTIjrWUtMAYZejB8YUj lS28fKO7Nu0AoGElt2nt7xobJRmp/Y7GFoz1Thy750qtl8kXUJ5sqw99gAiPAZM/ cv4UgKPzU7qfw5/qry0717YHa7k/CTjSd7tw9erNxsjdQ7ptLOGJMhS3EFc5kzQT 77NC1rqnSTQHLJfsBaRiTn5IZB5PiJssrAwBhRTcBjdwTQe+fyI= =7i2A -----END PGP SIGNATURE----- Merge 4.14.222 into android-4.14-stable Changes in 4.14.222 fgraph: Initialize tracing_graph_pause at task creation remoteproc: qcom_q6v5_mss: Validate modem blob firmware size before load remoteproc: qcom_q6v5_mss: Validate MBA firmware size before load af_key: relax availability checks for skb size calculation pNFS/NFSv4: Try to return invalid layout in pnfs_layout_process() iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time() iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap iwlwifi: mvm: guard against device removal in reprobe SUNRPC: Move simple_get_bytes and simple_get_netobj into private header SUNRPC: Handle 0 length opaque XDR object data properly lib/string: Add strscpy_pad() function include/trace/events/writeback.h: fix -Wstringop-truncation warnings memcg: fix a crash in wb_workfn when a device disappears squashfs: add more sanity checks in id lookup squashfs: add more sanity checks in inode lookup squashfs: add more sanity checks in xattr id lookup tracing: Do not count ftrace events in top level enable output tracing: Check length before giving out the filter buffer arm/xen: Don't probe xenbus as part of an early initcall MIPS: BMIPS: Fix section mismatch warning arm64: dts: rockchip: Fix PCIe DT properties on rk3399 platform/x86: hp-wmi: Disable tablet-mode reporting by default ovl: perform vfs_getxattr() with mounter creds cap: fix conversions on getxattr ovl: skip getxattr of security labels ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL ARM: ensure the signal page contains defined contents memblock: do not start bottom-up allocations with kernel_end bpf: Check for integer overflow when using roundup_pow_of_two() netfilter: xt_recent: Fix attempt to update deleted entry xen/netback: avoid race in xenvif_rx_ring_slots_available() netfilter: conntrack: skip identical origin tuple in same zone only usb: dwc3: ulpi: fix checkpatch warning usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one net/vmw_vsock: improve locking in vsock_connect_timeout() net: watchdog: hold device global xmit lock during tx disable vsock/virtio: update credit only if socket is not closed vsock: fix locking in vsock_shutdown() i2c: stm32f7: fix configuration of the digital filter h8300: fix PREEMPTION build, TI_PRE_COUNT undefined x86/build: Disable CET instrumentation in the kernel for 32-bit too trace: Use -mcount-record for dynamic ftrace tracing: Fix SKIP_STACK_VALIDATION=1 build due to bad merge with -mrecord-mcount tracing: Avoid calling cc-option -mrecord-mcount for every Makefile Xen/x86: don't bail early from clear_foreign_p2m_mapping() Xen/x86: also check kernel mapping in set_foreign_p2m_mapping() Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages() Xen/gntdev: correct error checking in gntdev_map_grant_pages() xen/arm: don't ignore return errors from set_phys_to_machine xen-blkback: don't "handle" error by BUG() xen-netback: don't "handle" error by BUG() xen-scsiback: don't "handle" error by BUG() xen-blkback: fix error handling in xen_blkbk_map() scsi: qla2xxx: Fix crash during driver load on big endian machines USB: Gadget Ethernet: Re-enable Jumbo frames. usb: gadget: u_ether: Fix MTU size mismatch with RX packet size kvm: check tlbs_dirty directly Linux 4.14.222 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I22657377bcf9340798a60064ba3d5ebdf1165097	2021-02-23 14:55:38 +01:00
Bui Quang Minh	7661073517	bpf: Check for integer overflow when using roundup_pow_of_two() ... [ Upstream commit 6183f4d3a0a2ad230511987c6c362ca43ec0055f ] On 32-bit architecture, roundup_pow_of_two() can return 0 when the argument has upper most bit set due to resulting 1UL << 32. Add a check for this case. Fixes: d5a3b1f69186 ("bpf: introduce BPF_MAP_TYPE_STACK_TRACE") Signed-off-by: Bui Quang Minh <minhquangbui99@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20210127063653.3576-1-minhquangbui99@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org>	2021-02-23 14:00:32 +01:00
Maciej Żenczykowski	34073d7a8e	BACKPORT: bpf: add bpf_ktime_get_boot_ns() ... On a device like a cellphone which is constantly suspending and resuming CLOCK_MONOTONIC is not particularly useful for keeping track of or reacting to external network events. Instead you want to use CLOCK_BOOTTIME. Hence add bpf_ktime_get_boot_ns() as a mirror of bpf_ktime_get_ns() based around CLOCK_BOOTTIME instead of CLOCK_MONOTONIC. Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> (cherry picked from commit 71d19214776e61b33da48f7c1b46e522c7f78221) Change-Id: Ifd62c410dcc5112fd1a473a7e1f70231ca514bc0	2021-02-11 19:46:44 -08:00
Maciej Żenczykowski	cbb4c73f9e	UPSTREAM: net: bpf: Make bpf_ktime_get_ns() available to non GPL programs ... The entire implementation is in kernel/bpf/helpers.c: BPF_CALL_0(bpf_ktime_get_ns) { /* NMI safe access to clock monotonic */ return ktime_get_mono_fast_ns(); } const struct bpf_func_proto bpf_ktime_get_ns_proto = { .func = bpf_ktime_get_ns, .gpl_only = false, .ret_type = RET_INTEGER, }; and this was presumably marked GPL due to kernel/time/timekeeping.c: EXPORT_SYMBOL_GPL(ktime_get_mono_fast_ns); and while that may make sense for kernel modules (although even that is doubtful), there is currently AFAICT no other source of time available to ebpf. Furthermore this is really just equivalent to clock_gettime(CLOCK_MONOTONIC) which is exposed to userspace (via vdso even to make it performant)... As such, I see no reason to keep the GPL restriction. (In the future I'd like to have access to time from Apache licensed ebpf code) Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> (cherry picked from commit 082b57e3eb09810d357083cca5ee2df02c16aec9) Change-Id: I76f763c64fcd56e7149f94625146486ba00db6c1	2021-02-11 14:45:29 -08:00
Greg Kroah-Hartman	c1013a481e	This is the 4.14.200 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl91udkACgkQONu9yGCS aT5wdw//Wn7Nd1kcd1h2umXWcn2rjLbrflmFMtAY32YSDhT85EQaTQMckeLzVKSi KPIPdNbjKhOirlizM6+mBv3EKn3bNbdDFeq0qGy0WI7DAT2Amyn8JRi18GKgM1z/ BBzmOldG2oeFUlFes5ADdVm0b3p+iiQ5WqzIJvLkBeV1HrLAQ2/zAl6ixpUwP2wr sZymWkCXUUG2ZYn7ZxX6SXKvfvSv+GKUD0ImX82Q1DvAcQHSyiZ9/o9/pZbS4m1t innS1EXJEEZHd1x61EBu2WrQkNwXvlpTDZNa7at9Lc5Uys6NsgfUkx4+fTyqDT8h FfnxGaP9qHJRImVpxdBHsZGvUheDTVPPUk3eNNyeR1wmEz/OPCQmPIPIz0sw1TJt LL0d4XN1rLjRSUGv+q1+Y6nbc85eU7nyJG/qB35Fag4z27x3P7D/4queR1hAij37 xp6MesrmEHPA7I4xV9jTzCRvY+O5MAughhOJMzZrn2f95EpC3Mg48OHdYRtktc1b 4L9Vb/HeQ6s0hgVZhkdNfoBPsi797YNCd5WNccKpAdq17mG5s6+6qJxBgCqgHS/i 4gjeR2IgSOL0KW2eE7STn8fgyY86ZepNsONkX6I+7n1h0lC7gVH6VtW5fzyvg9Bw RLA5ulOqUc+f8Ll7MwzbRL3+wiNN4jkX5NHYpaQB2nWVEO9A+cs= =76oN -----END PGP SIGNATURE----- Merge 4.14.200 into android-4.14-stable Changes in 4.14.200 af_key: pfkey_dump needs parameter validation phy: qcom-qmp: Use correct values for ipq8074 PCIe Gen2 PHY init KVM: fix memory leak in kvm_io_bus_unregister_dev() kprobes: fix kill kprobe which has been marked as gone mm/thp: fix __split_huge_pmd_locked() for migration PMD RDMA/ucma: ucma_context reference leak in error path hdlc_ppp: add range checks in ppp_cp_parse_cr() ip: fix tos reflection in ack and reset packets net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC tipc: fix shutdown() of connection oriented socket tipc: use skb_unshare() instead in tipc_buf_append() bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex. net: phy: Avoid NPD upon phy_detach() when driver is unbound net: add __must_check to skb_put_padto() ipv4: Update exception handling for multipath routes via same device geneve: add transport ports in route lookup for geneve serial: 8250: Avoid error message on reprobe mm: fix double page fault on arm64 if PTE_AF is cleared scsi: aacraid: fix illegal IO beyond last LBA m68k: q40: Fix info-leak in rtc_ioctl gma/gma500: fix a memory disclosure bug due to uninitialized bytes ASoC: kirkwood: fix IRQ error handling media: smiapp: Fix error handling at NVM reading arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback x86/ioapic: Unbreak check_timer() ALSA: usb-audio: Add delay quirk for H570e USB headsets ALSA: hda/realtek - Couldn't detect Mic if booting with headset plugged PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out scsi: fnic: fix use after free clk/ti/adpll: allocate room for terminating null mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup() mfd: mfd-core: Protect against NULL call-back function pointer tracing: Adding NULL checks for trace_array descriptor pointer bcache: fix a lost wake-up problem caused by mca_cannibalize_lock RDMA/i40iw: Fix potential use after free xfs: fix attr leaf header freemap.size underflow RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()' mmc: core: Fix size overflow for mmc partitions gfs2: clean up iopen glock mess in gfs2_create_inode debugfs: Fix !DEBUG_FS debugfs_create_automount CIFS: Properly process SMB3 lease breaks kernel/sys.c: avoid copying possible padding bytes in copy_to_user neigh_stat_seq_next() should increase position index rt_cpu_seq_next should increase position index seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier media: ti-vpe: cal: Restrict DMA to avoid memory corruption ACPI: EC: Reference count query handlers under lock dmaengine: zynqmp_dma: fix burst length configuration powerpc/eeh: Only dump stack once if an MMIO loop is detected tracing: Set kernel_stack's caller size properly ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter selftests/ftrace: fix glob selftest tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility Bluetooth: Fix refcount use-after-free issue mm: pagewalk: fix termination condition in walk_pte_range() Bluetooth: prefetch channel before killing sock KVM: fix overflow of zero page refcount with ksm running ALSA: hda: Clear RIRB status before reading WP skbuff: fix a data race in skb_queue_len() audit: CONFIG_CHANGE don't log internal bookkeeping as an event selinux: sel_avc_get_stat_idx should increase position index scsi: lpfc: Fix RQ buffer leakage when no IOCBs available scsi: lpfc: Fix coverity errors in fmdi attribute handling drm/omap: fix possible object reference leak perf test: Fix test trace+probe_vfs_getname.sh on s390 RDMA/rxe: Fix configuration of atomic queue pair attributes KVM: x86: fix incorrect comparison in trace event media: staging/imx: Missing assignment in imx_media_capture_device_register() x86/pkeys: Add check for pkey "overflow" bpf: Remove recursion prevention from rcu free callback dmaengine: tegra-apb: Prevent race conditions on channel's freeing media: go7007: Fix URB type for interrupt handling Bluetooth: guard against controllers sending zero'd events timekeeping: Prevent 32bit truncation in scale64_check_overflow() ext4: fix a data race at inode->i_disksize mm: avoid data corruption on CoW fault into PFN-mapped VMA drm/amdgpu: increase atombios cmd timeout ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read scsi: aacraid: Disabling TM path and only processing IOP reset Bluetooth: L2CAP: handle l2cap config request during open state media: tda10071: fix unsigned sign extension overflow xfs: don't ever return a stale pointer from __xfs_dir3_free_read tpm: ibmvtpm: Wait for buffer to be set before proceeding rtc: ds1374: fix possible race condition tracing: Use address-of operator on section symbols serial: 8250_port: Don't service RX FIFO if throttled serial: 8250_omap: Fix sleeping function called from invalid context during probe serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout perf cpumap: Fix snprintf overflow check cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn tools: gpio-hammer: Avoid potential overflow in main RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()' svcrdma: Fix leak of transport addresses ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests() mm/kmemleak.c: use address-of operator on section symbols mm/filemap.c: clear page error before actual read mm/vmscan.c: fix data races using kswapd_classzone_idx mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area scsi: qedi: Fix termination timeouts in session logout serial: uartps: Wait for tx_empty in console setup KVM: Remove CREATE_IRQCHIP/SET_PIT2 race bdev: Reduce time holding bd_mutex in sync in blkdev_close() drivers: char: tlclk.c: Avoid data race between init and interrupt handler staging:r8188eu: avoid skb_clone for amsdu to msdu conversion sparc64: vcc: Fix error return code in vcc_probe() arm64: cpufeature: Relax checks for AArch32 support at EL[0-2] dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion atm: fix a memory leak of vcc->user_back power: supply: max17040: Correct voltage reading phy: samsung: s5pv210-usb2: Add delay after reset Bluetooth: Handle Inquiry Cancel error after Inquiry Complete USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe() tty: serial: samsung: Correct clock selection logic ALSA: hda: Fix potential race in unsol event handler powerpc/traps: Make unrecoverable NMIs die instead of panic fuse: don't check refcount after stealing page USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register e1000: Do not perform reset in reset_task if we are already down drm/nouveau/debugfs: fix runtime pm imbalance on error printk: handle blank console arguments passed in. usb: dwc3: Increase timeout for CmdAct cleared by device controller btrfs: don't force read-only after error in drop snapshot vfio/pci: fix memory leaks of eventfd ctx perf util: Fix memory leak of prefix_if_not_in perf kcore_copy: Fix module map when there are no modules loaded mtd: rawnand: omap_elm: Fix runtime PM imbalance on error ceph: fix potential race in ceph_check_caps mm/swap_state: fix a data race in swapin_nr_pages rapidio: avoid data race between file operation callbacks and mport_cdev_add(). mtd: parser: cmdline: Support MTD names containing one or more colons x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline vfio/pci: Clear error and request eventfd ctx after releasing cifs: Fix double add page to memcg when cifs_readpages scsi: libfc: Handling of extra kref scsi: libfc: Skip additional kref updating work event selftests/x86/syscall_nt: Clear weird flags after each test vfio/pci: fix racy on error and request eventfd ctx btrfs: qgroup: fix data leak caused by race between writeback and truncate s390/init: add missing __init annotations i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices() objtool: Fix noreturn detection for ignored functions ieee802154: fix one possible memleak in ca8210_dev_com_init ieee802154/adf7242: check status of adf7242_read_reg clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init() mwifiex: Increase AES key storage size to 256 bits batman-adv: bla: fix type misuse for backbone_gw hash indexing atm: eni: fix the missed pci_disable_device() for eni_init_one() batman-adv: mcast/TT: fix wrongly dropped or rerouted packets mac802154: tx: fix use-after-free drm/vc4/vc4_hdmi: fill ASoC card owner net: qed: RDMA personality shouldn't fail VF load batman-adv: Add missing include for in_interrupt() batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh ALSA: asihpi: fix iounmap in error handler MIPS: Add the missing 'CPU_1074K' into __get_cpu_type() s390/dasd: Fix zero write for FBA devices kprobes: Fix to check probe enabled before disarm_kprobe_ftrace() mm, THP, swap: fix allocating cluster for swapfile by mistake lib/string.c: implement stpcpy ata: define AC_ERR_OK ata: make qc_prep return ata_completion_errors ata: sata_mv, avoid trigerrable BUG_ON Linux 4.14.200 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3d3049dca196c46cb6b2a66d60a5a6a3a099efbb	2020-10-01 17:59:29 +02:00
Thomas Gleixner	25b3f09cef	bpf: Remove recursion prevention from rcu free callback ... [ Upstream commit 8a37963c7ac9ecb7f86f8ebda020e3f8d6d7b8a0 ] If an element is freed via RCU then recursion into BPF instrumentation functions is not a concern. The element is already detached from the map and the RCU callback does not hold any locks on which a kprobe, perf event or tracepoint attached BPF program could deadlock. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20200224145643.259118710@linutronix.de Signed-off-by: Sasha Levin <sashal@kernel.org>	2020-10-01 13:12:35 +02:00
Greg Kroah-Hartman	f3c68e8b48	This is the 4.14.192 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl8qaMAACgkQONu9yGCS aT7yuhAAssZsunLWmwmmwfGvMFkCU7CQlD5zoxPEDoO4lpP183iVL22qh1HPLhy7 Q9+hFAptHQghlA0LnQVtIUTEmRszkE/TzbJo7LOe2aa7k1B9XLvb0q+NFmRjQxHQ p4f3GIUgBTVOs5jaRZ3JbfCECgSntXexphLLknvxGBUW6xxCQvbNKVCKFlcBN7Pz gbXXhaTuhi7wTuQ6ROoFfaNA6BvUuo4MINTOICkPI9up9kY1FI17/Wa6z93Rc9UJ 6JGf+57ugOBy3gj8Nc4MCGQPeveM2tM+Jw3Akp2SEkT7KJe6PkpURRmCIgPVMHC4 e2hw7RrJFzE97WKPAcj+oxwJFITNP5LzqApop3Sy3gMrVQQ5hDBz5R/PxiZaJTcs mFOkEzwhtMQfdh67iDylTTnS/nJjdBZTW4gdn+U31FXLDiooFgU7V576oJ/LlnqM /aqFGWBZrn+3R8o7No29r67x9lJBjXRuTJ5tarPRNR9Cc60hNhbCLnufaFTRXtX1 CvT3zGJQD8L+nkhG/FfIOGBwSH8aEusIAruG7t5rFI2JyU5C0ytzCBt4VGz/sV98 AydEFzDd00NhWmjIY4VLIEZsSCFwhPxgj/vHSZ/XZjbAfHmKcZiBeaR6k54KkoFz vVpW5IOMyrG/OwfkQg34fNKOtWPSiAq9x2acKc4PNCE5p6XTnfU= =6ytR -----END PGP SIGNATURE----- Merge 4.14.192 into android-4.14-stable Changes in 4.14.192 scsi: libsas: direct call probe and destruct net: phy: mdio-bcm-unimac: fix potential NULL dereference in unimac_mdio_probe() crypto: ccp - Release all allocated memory if sha type is invalid media: rc: prevent memory leak in cx23888_ir_probe iio: imu: adis16400: fix memory leak ath9k_htc: release allocated buffer if timed out ath9k: release allocated buffer if timed out x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge wireless: Use offsetof instead of custom macro. ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() drm: hold gem reference until object is no longer accessed f2fs: check memory boundary by insane namelen f2fs: check if file namelen exceeds max value 9p/trans_fd: abort p9_read_work if req status changed 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work x86/build/lto: Fix truncated .bss with -fdata-sections x86, vmlinux.lds: Page-align end of ..page_aligned sections rds: Prevent kernel-infoleak in rds_notify_queue_get() xfs: fix missed wakeup on l_flush_wait net/x25: Fix x25_neigh refcnt leak when x25 disconnect net/x25: Fix null-ptr-deref in x25_disconnect selftests/net: rxtimestamp: fix clang issues for target arch PowerPC sh: Fix validation of system call number net: lan78xx: add missing endpoint sanity check net: lan78xx: fix transfer-buffer memory leak mlx4: disable device on shutdown mlxsw: core: Increase scope of RCU read-side critical section mlxsw: core: Free EMAD transactions using kfree_rcu() ibmvnic: Fix IRQ mapping disposal in error path bpf: Fix map leak in HASH_OF_MAPS map mac80211: mesh: Free ie data when leaving mesh mac80211: mesh: Free pending skb when destroying a mpath arm64/alternatives: move length validation inside the subsection arm64: csum: Fix handling of bad packets usb: hso: Fix debug compile warning on sparc32 qed: Disable "MFW indication via attention" SPAM every 5 minutes nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame parisc: add support for cmpxchg on u8 pointers net: ethernet: ravb: exit if re-initialization fails in tx timeout Revert "i2c: cadence: Fix the hold bit setting" x86/unwind/orc: Fix ORC for newly forked tasks cxgb4: add missing release on skb in uld_send() xen-netfront: fix potential deadlock in xennet_remove() KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled x86/i8259: Use printk_deferred() to prevent deadlock Linux 4.14.192 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iedf0bb8d6f4bea8e3d701d6b24dd365c2a920fc5	2020-08-05 14:38:44 +02:00
Andrii Nakryiko	e1aa01195b	bpf: Fix map leak in HASH_OF_MAPS map ... [ Upstream commit 1d4e1eab456e1ee92a94987499b211db05f900ea ] Fix HASH_OF_MAPS bug of not putting inner map pointer on bpf_map_elem_update() operation. This is due to per-cpu extra_elems optimization, which bypassed free_htab_elem() logic doing proper clean ups. Make sure that inner map is put properly in optimized case as well. Fixes: 8c290e60fa2a ("bpf: fix hashmap extra_elems logic") Signed-off-by: Andrii Nakryiko <andriin@fb.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Song Liu <songliubraving@fb.com> Link: https://lore.kernel.org/bpf/20200729040913.2815687-1-andriin@fb.com Signed-off-by: Sasha Levin <sashal@kernel.org>	2020-08-05 10:06:51 +02:00
Greg Kroah-Hartman	7855a721d9	bpf: Explicitly memset some bpf info structures declared on the stack ... commit 5c6f25887963f15492b604dd25cb149c501bbabf upstream. Trying to initialize a structure with "= {};" will not always clean out all padding locations in a structure. So be explicit and call memset to initialize everything for a number of bpf information structures that are then copied from userspace, sometimes from smaller memory locations than the size of the structure. Reported-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20200320162258.GA794295@kroah.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-04-02 16:34:37 +02:00
Greg Kroah-Hartman	ba1ebf3aef	bpf: Explicitly memset the bpf_attr structure ... commit 8096f229421f7b22433775e928d506f0342e5907 upstream. For the bpf syscall, we are relying on the compiler to properly zero out the bpf_attr union that we copy userspace data into. Unfortunately that doesn't always work properly, padding and other oddities might not be correctly zeroed, and in some tests odd things have been found when the stack is pre-initialized to other values. Fix this by explicitly memsetting the structure to 0 before using it. Reported-by: Maciej Żenczykowski <maze@google.com> Reported-by: John Stultz <john.stultz@linaro.org> Reported-by: Alexander Potapenko <glider@google.com> Reported-by: Alistair Delva <adelva@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yhs@fb.com> Link: https://android-review.googlesource.com/c/kernel/common/+/1235490 Link: https://lore.kernel.org/bpf/20200320094813.GA421650@kroah.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-04-02 16:34:37 +02:00
Greg Kroah-Hartman	bb8c715f7f	UPSTREAM: bpf: Explicitly memset some bpf info structures declared on the stack ... Trying to initialize a structure with "= {};" will not always clean out all padding locations in a structure. So be explicit and call memset to initialize everything for a number of bpf information structures that are then copied from userspace, sometimes from smaller memory locations than the size of the structure. Reported-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20200320162258.GA794295@kroah.com (cherry picked from commit 269efb7fc478563a7e7b22590d8076823f4ac82a) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I52a2cab20aa310085ec104bd811ac4f2b83657b6	2020-03-23 16:56:52 +01:00
Greg Kroah-Hartman	9affadc76e	UPSTREAM: bpf: Explicitly memset the bpf_attr structure ... For the bpf syscall, we are relying on the compiler to properly zero out the bpf_attr union that we copy userspace data into. Unfortunately that doesn't always work properly, padding and other oddities might not be correctly zeroed, and in some tests odd things have been found when the stack is pre-initialized to other values. Fix this by explicitly memsetting the structure to 0 before using it. Reported-by: Maciej Żenczykowski <maze@google.com> Reported-by: John Stultz <john.stultz@linaro.org> Reported-by: Alexander Potapenko <glider@google.com> Reported-by: Alistair Delva <adelva@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yhs@fb.com> Link: https://android-review.googlesource.com/c/kernel/common/+/1235490 Link: https://lore.kernel.org/bpf/20200320094813.GA421650@kroah.com (cherry picked from commit 8096f229421f7b22433775e928d506f0342e5907) Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I2dc28cd45024da5cc6861ff4a9b25fae389cc6d8	2020-03-23 16:46:27 +01:00
Greg Kroah-Hartman	d2905c6a0e	This is the 4.14.164 stable release ... -----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4a/2MACgkQONu9yGCS aT4BwA//diCficMfLINrc/9bMq3VS2Y+/lnuURMXEM9MJibjQCUS1spc6YhhNFrE 8m3aavAYywjjD3zGHj8KEaKQFDrPQxYQDzPOPK9rxjpxlUFpnYWUGlI2krpwBV6c 8xAekM62sMEIq09EHqqhKVls+WmYi47/pdfGAAt3PUR8c2eTOlxiFsiwq4nuZDdv rcMkQm87V8Wn1Nq+Dfp6R3U+X9f4DcU5n5cKiGq6ujoalT7h5/jj36JIFxBwMapF WjpqXMUUeylXxXnNFMUbEMg+lEqJlWfvj1sxdxyMdgS+L9rc9bXk/NTub4TZPaXu odwMl9RKWjJvFsvn26Pc4s31K2raEhCDYdkVoFTXWsc7vbE4A/h/yAw4Wq+cuBI4 H4fBXYYZ3D0Il9kxYYbfSaki5z1YbI54tkWcrs8f8jli5C0M3Wkkux1TA4HPj2Ja 8zJFH0++cyfpuKRiYXro+H2Tq4KxBwsWEtync8230MEywlTxkz4IIue+SCgVV+WD jmg/enRjbnkpYBSH1pKOdAAga0kHSxtwWlfLFrjhcgGse8y6sCJhUOPPcQMnf/k0 Jrmc3InHg+mtLiSsJXAp4iGABJlW+W/ouaxaxYoA9wucwQlcgxXpkigl5rOgFTma 153RYc1TSZJAe+cjx42qZxRxcD8/Vg5d6D2tL1otbMSIsD3e7Gk= =sq63 -----END PGP SIGNATURE----- Merge 4.14.164 into android-4.14 Changes in 4.14.164 USB: dummy-hcd: use usb_urb_dir_in instead of usb_pipein USB: dummy-hcd: increase max number of devices to 32 locking/spinlock/debug: Fix various data races netfilter: ctnetlink: netns exit must wait for callbacks mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() libtraceevent: Fix lib installation with O= x86/efi: Update e820 with reserved EFI boot services data to fix kexec breakage efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs efi/gop: Return EFI_SUCCESS if a usable GOP was found efi/gop: Fix memory leak in __gop_query32/64() ARM: vexpress: Set-up shared OPP table instead of individual for each CPU netfilter: uapi: Avoid undefined left-shift in xt_sctp.h netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END ARM: dts: Cygnus: Fix MDIO node address/size cells spi: spi-cavium-thunderx: Add missing pci_release_regions() ASoC: topology: Check return value for soc_tplg_pcm_create() ARM: dts: bcm283x: Fix critical trip point bpf, mips: Limit to 33 tail calls ARM: dts: am437x-gp/epos-evm: fix panel compatible samples: bpf: Replace symbol compare of trace_event samples: bpf: fix syscall_tp due to unused syscall powerpc: Ensure that swiotlb buffer is allocated from low memory bnx2x: Do not handle requests from VFs after parity bnx2x: Fix logic to get total no. of PFs per engine net: usb: lan78xx: Fix error message format specifier rfkill: Fix incorrect check to avoid NULL pointer dereference ASoC: wm8962: fix lambda value regulator: rn5t618: fix module aliases kconfig: don't crash on NULL expressions in expr_eq() perf/x86/intel: Fix PT PMI handling fs: avoid softlockups in s_inodes iterators net: stmmac: Do not accept invalid MTU values net: stmmac: RX buffer size must be 16 byte aligned s390/dasd/cio: Interpret ccw_device_get_mdc return value correctly s390/dasd: fix memleak in path handling error case block: fix memleak when __blk_rq_map_user_iov() is failed parisc: Fix compiler warnings in debug_core.c llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) hv_netvsc: Fix unwanted rx_table reset bpf: reject passing modified ctx to helper functions bpf: Fix passing modified ctx to ld/abs/ind instruction PCI/switchtec: Read all 64 bits of part_event_bitmap mmc: block: Convert RPMB to a character device mmc: block: Delete mmc_access_rpmb() mmc: block: Fix bug when removing RPMB chardev mmc: core: Prevent bus reference leak in mmc_blk_init() mmc: block: propagate correct returned value in mmc_rpmb_ioctl gtp: fix bad unlock balance in gtp_encap_enable_socket macvlan: do not assume mac_header is set in macvlan_broadcast() net: dsa: mv88e6xxx: Preserve priority when setting CPU port. net: stmmac: dwmac-sun8i: Allow all RGMII modes net: stmmac: dwmac-sunxi: Allow all RGMII modes net: usb: lan78xx: fix possible skb leak pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM USB: core: fix check for duplicate endpoints USB: serial: option: add Telit ME910G1 0x110a composition sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK vxlan: fix tos value before xmit vlan: vlan_changelink() should propagate errors net: sch_prio: When ungrafting, replace with FIFO vlan: fix memory leak in vlan_dev_set_egress_priority Linux 4.14.164 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ifbce6635b5a3df896c29e23dd15098e80ecddeba	2020-01-12 12:24:05 +01:00
Daniel Borkmann	b454ac1b22	bpf: Fix passing modified ctx to ld/abs/ind instruction ... commit 6d4f151acf9a4f6fab09b615f246c717ddedcf0c upstream. Anatoly has been fuzzing with kBdysch harness and reported a KASAN slab oob in one of the outcomes: [...] [ 77.359642] BUG: KASAN: slab-out-of-bounds in bpf_skb_load_helper_8_no_cache+0x71/0x130 [ 77.360463] Read of size 4 at addr ffff8880679bac68 by task bpf/406 [ 77.361119] [ 77.361289] CPU: 2 PID: 406 Comm: bpf Not tainted 5.5.0-rc2-xfstests-00157-g2187f215eba #1 [ 77.362134] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014 [ 77.362984] Call Trace: [ 77.363249] dump_stack+0x97/0xe0 [ 77.363603] print_address_description.constprop.0+0x1d/0x220 [ 77.364251] ? bpf_skb_load_helper_8_no_cache+0x71/0x130 [ 77.365030] ? bpf_skb_load_helper_8_no_cache+0x71/0x130 [ 77.365860] __kasan_report.cold+0x37/0x7b [ 77.366365] ? bpf_skb_load_helper_8_no_cache+0x71/0x130 [ 77.366940] kasan_report+0xe/0x20 [ 77.367295] bpf_skb_load_helper_8_no_cache+0x71/0x130 [ 77.367821] ? bpf_skb_load_helper_8+0xf0/0xf0 [ 77.368278] ? mark_lock+0xa3/0x9b0 [ 77.368641] ? kvm_sched_clock_read+0x14/0x30 [ 77.369096] ? sched_clock+0x5/0x10 [ 77.369460] ? sched_clock_cpu+0x18/0x110 [ 77.369876] ? bpf_skb_load_helper_8+0xf0/0xf0 [ 77.370330] ___bpf_prog_run+0x16c0/0x28f0 [ 77.370755] __bpf_prog_run32+0x83/0xc0 [ 77.371153] ? __bpf_prog_run64+0xc0/0xc0 [ 77.371568] ? match_held_lock+0x1b/0x230 [ 77.371984] ? rcu_read_lock_held+0xa1/0xb0 [ 77.372416] ? rcu_is_watching+0x34/0x50 [ 77.372826] sk_filter_trim_cap+0x17c/0x4d0 [ 77.373259] ? sock_kzfree_s+0x40/0x40 [ 77.373648] ? __get_filter+0x150/0x150 [ 77.374059] ? skb_copy_datagram_from_iter+0x80/0x280 [ 77.374581] ? do_raw_spin_unlock+0xa5/0x140 [ 77.375025] unix_dgram_sendmsg+0x33a/0xa70 [ 77.375459] ? do_raw_spin_lock+0x1d0/0x1d0 [ 77.375893] ? unix_peer_get+0xa0/0xa0 [ 77.376287] ? __fget_light+0xa4/0xf0 [ 77.376670] __sys_sendto+0x265/0x280 [ 77.377056] ? __ia32_sys_getpeername+0x50/0x50 [ 77.377523] ? lock_downgrade+0x350/0x350 [ 77.377940] ? __sys_setsockopt+0x2a6/0x2c0 [ 77.378374] ? sock_read_iter+0x240/0x240 [ 77.378789] ? __sys_socketpair+0x22a/0x300 [ 77.379221] ? __ia32_sys_socket+0x50/0x50 [ 77.379649] ? mark_held_locks+0x1d/0x90 [ 77.380059] ? trace_hardirqs_on_thunk+0x1a/0x1c [ 77.380536] __x64_sys_sendto+0x74/0x90 [ 77.380938] do_syscall_64+0x68/0x2a0 [ 77.381324] entry_SYSCALL_64_after_hwframe+0x49/0xbe [ 77.381878] RIP: 0033:0x44c070 [...] After further debugging, turns out while in case of other helper functions we disallow passing modified ctx, the special case of ld/abs/ind instruction which has similar semantics (except r6 being the ctx argument) is missing such check. Modified ctx is impossible here as bpf_skb_load_helper_8_no_cache() and others are expecting skb fields in original position, hence, add check_ctx_reg() to reject any modified ctx. Issue was first introduced back in f1174f77b50c ("bpf/verifier: rework value tracking"). Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20200106215157.3553-1-daniel@iogearbox.net Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-01-12 12:12:02 +01:00
Daniel Borkmann	7fed98f4a1	bpf: reject passing modified ctx to helper functions ... commit 58990d1ff3f7896ee341030e9a7c2e4002570683 upstream. As commit 28e33f9d78ee ("bpf: disallow arithmetic operations on context pointer") already describes, f1174f77b50c ("bpf/verifier: rework value tracking") removed the specific white-listed cases we had previously where we would allow for pointer arithmetic in order to further generalize it, and allow e.g. context access via modified registers. While the dereferencing of modified context pointers had been forbidden through 28e33f9d78ee, syzkaller did recently manage to trigger several KASAN splats for slab out of bounds access and use after frees by simply passing a modified context pointer to a helper function which would then do the bad access since verifier allowed it in adjust_ptr_min_max_vals(). Rejecting arithmetic on ctx pointer in adjust_ptr_min_max_vals() generally could break existing programs as there's a valid use case in tracing in combination with passing the ctx to helpers as bpf_probe_read(), where the register then becomes unknown at verification time due to adding a non-constant offset to it. An access sequence may look like the following: offset = args->filename; /* field __data_loc filename */ bpf_probe_read(&dst, len, (char *)args + offset); // args is ctx There are two options: i) we could special case the ctx and as soon as we add a constant or bounded offset to it (hence ctx type wouldn't change) we could turn the ctx into an unknown scalar, or ii) we generalize the sanity test for ctx member access into a small helper and assert it on the ctx register that was passed as a function argument. Fwiw, latter is more obvious and less complex at the same time, and one case that may potentially be legitimate in future for ctx member access at least would be for ctx to carry a const offset. Therefore, fix follows approach from ii) and adds test cases to BPF kselftests. Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") Reported-by: syzbot+3d0b2441dbb71751615e@syzkaller.appspotmail.com Reported-by: syzbot+c8504affd4fdd0c1b626@syzkaller.appspotmail.com Reported-by: syzbot+e5190cb881d8660fb1a3@syzkaller.appspotmail.com Reported-by: syzbot+efae31b384d5badbd620@syzkaller.appspotmail.com Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Yonghong Song <yhs@fb.com> Acked-by: Edward Cree <ecree@solarflare.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-01-12 12:12:02 +01:00
Yonghong Song	5179a6a673	UPSTREAM: bpf: permit multiple bpf attachments for a single perf event ... This patch enables multiple bpf attachments for a kprobe/uprobe/tracepoint single trace event. Each trace_event keeps a list of attached perf events. When an event happens, all attached bpf programs will be executed based on the order of attachment. A global bpf_event_mutex lock is introduced to protect prog_array attaching and detaching. An alternative will be introduce a mutex lock in every trace_event_call structure, but it takes a lot of extra memory. So a global bpf_event_mutex lock is a good compromise. The bpf prog detachment involves allocation of memory. If the allocation fails, a dummy do-nothing program will replace to-be-detached program in-place. Signed-off-by: Yonghong Song <yhs@fb.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit e87c6bc3852b981e71c757be20771546ce9f76f3) Signed-off-by: Connor O'Brien <connoro@google.com> Bug: 121213201 Bug: 138317270 Test: build & boot cuttlefish; attach 2 progs to 1 tracepoint Change-Id: I25ce1ed6c9512d0a6f2db7547e109958fe1619b6	2019-12-11 20:04:37 -08:00