1. 25 Aug, 2022 2 commits
    • Kumar Kartikeya Dwivedi's avatar
      selftests/bpf: Add regression test for pruning fix · 1800b2ac
      Kumar Kartikeya Dwivedi authored
      Add a test to ensure we do mark_chain_precision for the argument type
      ARG_CONST_ALLOC_SIZE_OR_ZERO. For other argument types, this was already
      done, but propagation for missing for this case. Without the fix, this
      test case loads successfully.
      Signed-off-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
      Link: https://lore.kernel.org/r/20220823185500.467-1-memxor@gmail.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      1800b2ac
    • Kumar Kartikeya Dwivedi's avatar
      bpf: Do mark_chain_precision for ARG_CONST_ALLOC_SIZE_OR_ZERO · 2fc31465
      Kumar Kartikeya Dwivedi authored
      Precision markers need to be propagated whenever we have an ARG_CONST_*
      style argument, as the verifier cannot consider imprecise scalars to be
      equivalent for the purposes of states_equal check when such arguments
      refine the return value (in this case, set mem_size for PTR_TO_MEM). The
      resultant mem_size for the R0 is derived from the constant value, and if
      the verifier incorrectly prunes states considering them equivalent where
      such arguments exist (by seeing that both registers have reg->precise as
      false in regsafe), we can end up with invalid programs passing the
      verifier which can do access beyond what should have been the correct
      mem_size in that explored state.
      
      To show a concrete example of the problem:
      
      0000000000000000 <prog>:
             0:       r2 = *(u32 *)(r1 + 80)
             1:       r1 = *(u32 *)(r1 + 76)
             2:       r3 = r1
             3:       r3 += 4
             4:       if r3 > r2 goto +18 <LBB5_5>
             5:       w2 = 0
             6:       *(u32 *)(r1 + 0) = r2
             7:       r1 = *(u32 *)(r1 + 0)
             8:       r2 = 1
             9:       if w1 == 0 goto +1 <LBB5_3>
            10:       r2 = -1
      
      0000000000000058 <LBB5_3>:
            11:       r1 = 0 ll
            13:       r3 = 0
            14:       call bpf_ringbuf_reserve
            15:       if r0 == 0 goto +7 <LBB5_5>
            16:       r1 = r0
            17:       r1 += 16777215
            18:       w2 = 0
            19:       *(u8 *)(r1 + 0) = r2
            20:       r1 = r0
            21:       r2 = 0
            22:       call bpf_ringbuf_submit
      
      00000000000000b8 <LBB5_5>:
            23:       w0 = 0
            24:       exit
      
      For the first case, the single line execution's exploration will prune
      the search at insn 14 for the branch insn 9's second leg as it will be
      verified first using r2 = -1 (UINT_MAX), while as w1 at insn 9 will
      always be 0 so at runtime we don't get error for being greater than
      UINT_MAX/4 from bpf_ringbuf_reserve. The verifier during regsafe just
      sees reg->precise as false for both r2 registers in both states, hence
      considers them equal for purposes of states_equal.
      
      If we propagated precise markers using the backtracking support, we
      would use the precise marking to then ensure that old r2 (UINT_MAX) was
      within the new r2 (1) and this would never be true, so the verification
      would rightfully fail.
      
      The end result is that the out of bounds access at instruction 19 would
      be permitted without this fix.
      
      Note that reg->precise is always set to true when user does not have
      CAP_BPF (or when subprog count is greater than 1 (i.e. use of any static
      or global functions)), hence this is only a problem when precision marks
      need to be explicitly propagated (i.e. privileged users with CAP_BPF).
      
      A simplified test case has been included in the next patch to prevent
      future regressions.
      
      Fixes: 457f4436 ("bpf: Implement BPF ring buffer and verifier support for it")
      Signed-off-by: default avatarKumar Kartikeya Dwivedi <memxor@gmail.com>
      Link: https://lore.kernel.org/r/20220823185300.406-2-memxor@gmail.comSigned-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      2fc31465
  2. 23 Aug, 2022 1 commit
  3. 18 Aug, 2022 2 commits
    • Pu Lehui's avatar
      bpf, cgroup: Fix kernel BUG in purge_effective_progs · 7d6620f1
      Pu Lehui authored
      Syzkaller reported a triggered kernel BUG as follows:
      
        ------------[ cut here ]------------
        kernel BUG at kernel/bpf/cgroup.c:925!
        invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
        CPU: 1 PID: 194 Comm: detach Not tainted 5.19.0-14184-g69dac8e4 #8
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
        rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
        RIP: 0010:__cgroup_bpf_detach+0x1f2/0x2a0
        Code: 00 e8 92 60 30 00 84 c0 75 d8 4c 89 e0 31 f6 85 f6 74 19 42 f6 84
        28 48 05 00 00 02 75 0e 48 8b 80 c0 00 00 00 48 85 c0 75 e5 <0f> 0b 48
        8b 0c5
        RSP: 0018:ffffc9000055bdb0 EFLAGS: 00000246
        RAX: 0000000000000000 RBX: ffff888100ec0800 RCX: ffffc900000f1000
        RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff888100ec4578
        RBP: 0000000000000000 R08: ffff888100ec0800 R09: 0000000000000040
        R10: 0000000000000000 R11: 0000000000000000 R12: ffff888100ec4000
        R13: 000000000000000d R14: ffffc90000199000 R15: ffff888100effb00
        FS:  00007f68213d2b80(0000) GS:ffff88813bc80000(0000)
        knlGS:0000000000000000
        CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
        CR2: 000055f74a0e5850 CR3: 0000000102836000 CR4: 00000000000006e0
        Call Trace:
         <TASK>
         cgroup_bpf_prog_detach+0xcc/0x100
         __sys_bpf+0x2273/0x2a00
         __x64_sys_bpf+0x17/0x20
         do_syscall_64+0x3b/0x90
         entry_SYSCALL_64_after_hwframe+0x63/0xcd
        RIP: 0033:0x7f68214dbcb9
        Code: 08 44 89 e0 5b 41 5c c3 66 0f 1f 84 00 00 00 00 00 48 89 f8 48 89
        f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01
        f0 ff8
        RSP: 002b:00007ffeb487db68 EFLAGS: 00000246 ORIG_RAX: 0000000000000141
        RAX: ffffffffffffffda RBX: 000000000000000b RCX: 00007f68214dbcb9
        RDX: 0000000000000090 RSI: 00007ffeb487db70 RDI: 0000000000000009
        RBP: 0000000000000003 R08: 0000000000000012 R09: 0000000b00000003
        R10: 00007ffeb487db70 R11: 0000000000000246 R12: 00007ffeb487dc20
        R13: 0000000000000004 R14: 0000000000000001 R15: 000055f74a1011b0
         </TASK>
        Modules linked in:
        ---[ end trace 0000000000000000 ]---
      
      Repetition steps:
      
      For the following cgroup tree,
      
        root
         |
        cg1
         |
        cg2
      
        1. attach prog2 to cg2, and then attach prog1 to cg1, both bpf progs
           attach type is NONE or OVERRIDE.
        2. write 1 to /proc/thread-self/fail-nth for failslab.
        3. detach prog1 for cg1, and then kernel BUG occur.
      
      Failslab injection will cause kmalloc fail and fall back to
      purge_effective_progs. The problem is that cg2 have attached another prog,
      so when go through cg2 layer, iteration will add pos to 1, and subsequent
      operations will be skipped by the following condition, and cg will meet
      NULL in the end.
      
        `if (pos && !(cg->bpf.flags[atype] & BPF_F_ALLOW_MULTI))`
      
      The NULL cg means no link or prog match, this is as expected, and it's not
      a bug. So here just skip the no match situation.
      
      Fixes: 4c46091e ("bpf: Fix KASAN use-after-free Read in compute_effective_progs")
      Signed-off-by: default avatarPu Lehui <pulehui@huawei.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/bpf/20220813134030.1972696-1-pulehui@huawei.com
      7d6620f1
    • Eyal Birger's avatar
      ip_tunnel: Respect tunnel key's "flow_flags" in IP tunnels · 7ec9fce4
      Eyal Birger authored
      Commit 451ef36b ("ip_tunnels: Add new flow flags field to ip_tunnel_key")
      added a "flow_flags" member to struct ip_tunnel_key which was later used by
      the commit in the fixes tag to avoid dropping packets with sources that
      aren't locally configured when set in bpf_set_tunnel_key().
      
      VXLAN and GENEVE were made to respect this flag, ip tunnels like IPIP and GRE
      were not.
      
      This commit fixes this omission by making ip_tunnel_init_flow() receive
      the flow flags from the tunnel key in the relevant collect_md paths.
      
      Fixes: b8fff748 ("bpf: Set flow flag to allow any source IP in bpf_tunnel_key")
      Signed-off-by: default avatarEyal Birger <eyal.birger@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarPaul Chaignon <paul@isovalent.com>
      Link: https://lore.kernel.org/bpf/20220818074118.726639-1-eyal.birger@gmail.com
      7ec9fce4
  4. 17 Aug, 2022 3 commits
    • YiFei Zhu's avatar
      bpf: Restrict bpf_sys_bpf to CAP_PERFMON · 14b20b78
      YiFei Zhu authored
      The verifier cannot perform sufficient validation of any pointers passed
      into bpf_attr and treats them as integers rather than pointers. The helper
      will then read from arbitrary pointers passed into it. Restrict the helper
      to CAP_PERFMON since the security model in BPF of arbitrary kernel read is
      CAP_BPF + CAP_PERFMON.
      
      Fixes: af2ac3e1 ("bpf: Prepare bpf syscall to be used from kernel and user space.")
      Signed-off-by: default avatarYiFei Zhu <zhuyifei@google.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Link: https://lore.kernel.org/bpf/20220816205517.682470-1-zhuyifei@google.com
      14b20b78
    • Daniel Borkmann's avatar
      bpf: Partially revert flexible-array member replacement · 3024d95a
      Daniel Borkmann authored
      Partially revert 94dfc73e ("treewide: uapi: Replace zero-length arrays
      with flexible-array members") given it breaks BPF UAPI.
      
      For example, BPF CI run reveals build breakage under LLVM:
      
        [...]
          CLNG-BPF [test_maps] map_ptr_kern.o
          CLNG-BPF [test_maps] btf__core_reloc_arrays___diff_arr_val_sz.o
          CLNG-BPF [test_maps] test_bpf_cookie.o
        progs/map_ptr_kern.c:314:26: error: field 'trie_key' with variable sized type 'struct bpf_lpm_trie_key' not at the end of a struct or class is a GNU extension [-Werror,-Wgnu-variable-sized-type-not-at-end]
                 struct bpf_lpm_trie_key trie_key;
                                         ^
          CLNG-BPF [test_maps] btf__core_reloc_type_based___diff.o
        1 error generated.
        make: *** [Makefile:521: /tmp/runner/work/bpf/bpf/tools/testing/selftests/bpf/map_ptr_kern.o] Error 1
        make: *** Waiting for unfinished jobs....
        [...]
      
      Typical usage of the bpf_lpm_trie_key is that the struct gets embedded into
      a user defined key for the LPM BPF map, from the selftest example:
      
        struct bpf_lpm_trie_key {                 <-- UAPI exported struct
               __u32   prefixlen;
               __u8    data[];
        };
      
        struct lpm_key {                          <-- BPF program defined struct
               struct bpf_lpm_trie_key trie_key;
               __u32 data;
        };
      
      Undo this for BPF until a different solution can be found. It's the only flexible-
      array member case in the UAPI header.
      
      This was discovered in BPF CI after Dave reported that the include/uapi/linux/bpf.h
      header was out of sync with tools/include/uapi/linux/bpf.h after 94dfc73e. And
      the subsequent sync attempt failed CI.
      
      Fixes: 94dfc73e ("treewide: uapi: Replace zero-length arrays with flexible-array members")
      Reported-by: default avatarDave Marchevsky <davemarchevsky@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Cc: Gustavo A. R. Silva <gustavoars@kernel.org>
      Link: https://lore.kernel.org/bpf/22aebc88-da67-f086-e620-dd4a16e2bc69@iogearbox.net
      3024d95a
    • Liu Jian's avatar
      skmsg: Fix wrong last sg check in sk_msg_recvmsg() · 583585e4
      Liu Jian authored
      Fix one kernel NULL pointer dereference as below:
      
      [  224.462334] Call Trace:
      [  224.462394]  __tcp_bpf_recvmsg+0xd3/0x380
      [  224.462441]  ? sock_has_perm+0x78/0xa0
      [  224.462463]  tcp_bpf_recvmsg+0x12e/0x220
      [  224.462494]  inet_recvmsg+0x5b/0xd0
      [  224.462534]  __sys_recvfrom+0xc8/0x130
      [  224.462574]  ? syscall_trace_enter+0x1df/0x2e0
      [  224.462606]  ? __do_page_fault+0x2de/0x500
      [  224.462635]  __x64_sys_recvfrom+0x24/0x30
      [  224.462660]  do_syscall_64+0x5d/0x1d0
      [  224.462709]  entry_SYSCALL_64_after_hwframe+0x65/0xca
      
      In commit 9974d37e ("skmsg: Fix invalid last sg check in
      sk_msg_recvmsg()"), we change last sg check to sg_is_last(),
      but in sockmap redirection case (without stream_parser/stream_verdict/
      skb_verdict), we did not mark the end of the scatterlist. Check the
      sk_msg_alloc, sk_msg_page_add, and bpf_msg_push_data functions, they all
      do not mark the end of sg. They are expected to use sg.end for end
      judgment. So the judgment of '(i != msg_rx->sg.end)' is added back here.
      
      Fixes: 9974d37e ("skmsg: Fix invalid last sg check in sk_msg_recvmsg()")
      Signed-off-by: default avatarLiu Jian <liujian56@huawei.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarJakub Sitnicki <jakub@cloudflare.com>
      Link: https://lore.kernel.org/bpf/20220809094915.150391-1-liujian56@huawei.com
      583585e4
  5. 15 Aug, 2022 1 commit
  6. 12 Aug, 2022 9 commits
  7. 11 Aug, 2022 22 commits
    • Linus Torvalds's avatar
      Merge tag 'net-6.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 7ebfc85e
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from bluetooth, bpf, can and netfilter.
      
        A little larger than usual but it's all fixes, no late features. It's
        large partially because of timing, and partially because of follow ups
        to stuff that got merged a week or so before the merge window and
        wasn't as widely tested. Maybe the Bluetooth fixes are a little
        alarming so we'll address that, but the rest seems okay and not scary.
      
        Notably we're including a fix for the netfilter Kconfig [1], your WiFi
        warning [2] and a bluetooth fix which should unblock syzbot [3].
      
        Current release - regressions:
      
         - Bluetooth:
            - don't try to cancel uninitialized works [3]
            - L2CAP: fix use-after-free caused by l2cap_chan_put
      
         - tls: rx: fix device offload after recent rework
      
         - devlink: fix UAF on failed reload and leftover locks in mlxsw
      
        Current release - new code bugs:
      
         - netfilter:
            - flowtable: fix incorrect Kconfig dependencies [1]
            - nf_tables: fix crash when nf_trace is enabled
      
         - bpf:
            - use proper target btf when exporting attach_btf_obj_id
            - arm64: fixes for bpf trampoline support
      
         - Bluetooth:
            - ISO: unlock on error path in iso_sock_setsockopt()
            - ISO: fix info leak in iso_sock_getsockopt()
            - ISO: fix iso_sock_getsockopt for BT_DEFER_SETUP
            - ISO: fix memory corruption on iso_pinfo.base
            - ISO: fix not using the correct QoS
            - hci_conn: fix updating ISO QoS PHY
      
         - phy: dp83867: fix get nvmem cell fail
      
        Previous releases - regressions:
      
         - wifi: cfg80211: fix validating BSS pointers in
           __cfg80211_connect_result [2]
      
         - atm: bring back zatm uAPI after ATM had been removed
      
         - properly fix old bug making bonding ARP monitor mode not being able
           to work with software devices with lockless Tx
      
         - tap: fix null-deref on skb->dev in dev_parse_header_protocol
      
         - revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP" it helps some
           devices and breaks others
      
         - netfilter:
            - nf_tables: many fixes rejecting cross-object linking which may
              lead to UAFs
            - nf_tables: fix null deref due to zeroed list head
            - nf_tables: validate variable length element extension
      
         - bgmac: fix a BUG triggered by wrong bytes_compl
      
         - bcmgenet: indicate MAC is in charge of PHY PM
      
        Previous releases - always broken:
      
         - bpf:
            - fix bad pointer deref in bpf_sys_bpf() injected via test infra
            - disallow non-builtin bpf programs calling the prog_run command
            - don't reinit map value in prealloc_lru_pop
            - fix UAFs during the read of map iterator fd
            - fix invalidity check for values in sk local storage map
            - reject sleepable program for non-resched map iterator
      
         - mptcp:
            - move subflow cleanup in mptcp_destroy_common()
            - do not queue data on closed subflows
      
         - virtio_net: fix memory leak inside XDP_TX with mergeable
      
         - vsock: fix memory leak when multiple threads try to connect()
      
         - rework sk_user_data sharing to prevent psock leaks
      
         - geneve: fix TOS inheriting for ipv4
      
         - tunnels & drivers: do not use RT_TOS for IPv6 flowlabel
      
         - phy: c45 baset1: do not skip aneg configuration if clock role is
           not specified
      
         - rose: avoid overflow when /proc displays timer information
      
         - x25: fix call timeouts in blocking connects
      
         - can: mcp251x: fix race condition on receive interrupt
      
         - can: j1939:
            - replace user-reachable WARN_ON_ONCE() with netdev_warn_once()
            - fix memory leak of skbs in j1939_session_destroy()
      
        Misc:
      
         - docs: bpf: clarify that many things are not uAPI
      
         - seg6: initialize induction variable to first valid array index (to
           silence clang vs objtool warning)
      
         - can: ems_usb: fix clang 14's -Wunaligned-access warning"
      
      * tag 'net-6.0-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (117 commits)
        net: atm: bring back zatm uAPI
        dpaa2-eth: trace the allocated address instead of page struct
        net: add missing kdoc for struct genl_multicast_group::flags
        nfp: fix use-after-free in area_cache_get()
        MAINTAINERS: use my korg address for mt7601u
        mlxsw: minimal: Fix deadlock in ports creation
        bonding: fix reference count leak in balance-alb mode
        net: usb: qmi_wwan: Add support for Cinterion MV32
        bpf: Shut up kern_sys_bpf warning.
        net/tls: Use RCU API to access tls_ctx->netdev
        tls: rx: device: don't try to copy too much on detach
        tls: rx: device: bound the frag walk
        net_sched: cls_route: remove from list when handle is 0
        selftests: forwarding: Fix failing tests with old libnet
        net: refactor bpf_sk_reuseport_detach()
        net: fix refcount bug in sk_psock_get (2)
        selftests/bpf: Ensure sleepable program is rejected by hash map iter
        selftests/bpf: Add write tests for sk local storage map iterator
        selftests/bpf: Add tests for reading a dangling map iter fd
        bpf: Only allow sleepable program for resched-able iterator
        ...
      7ebfc85e
    • Linus Torvalds's avatar
      Merge tag 'acpi-5.20-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · e091ba5c
      Linus Torvalds authored
      Pull more ACPI updates from Rafael Wysocki:
       "These fix up direct references to the fwnode field in struct device
        and extend ACPI device properties support.
      
        Specifics:
      
         - Replace direct references to the fwnode field in struct device with
           dev_fwnode() and device_match_fwnode() (Andy Shevchenko)
      
         - Make the ACPI code handling device properties support properties
           with buffer values (Sakari Ailus)"
      
      * tag 'acpi-5.20-rc1-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI: property: Fix error handling in acpi_init_properties()
        ACPI: VIOT: Do not dereference fwnode in struct device
        ACPI: property: Read buffer properties as integers
        ACPI: property: Add support for parsing buffer property UUID
        ACPI: property: Unify integer value reading functions
        ACPI: property: Switch node property referencing from ifs to a switch
        ACPI: property: Move property ref argument parsing into a new function
        ACPI: property: Use acpi_object_type consistently in property ref parsing
        ACPI: property: Tie data nodes to acpi handles
        ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool
      e091ba5c
    • Linus Torvalds's avatar
      Merge tag 'iomap-6.0-merge-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · 8745889a
      Linus Torvalds authored
      Pull more iomap updates from Darrick Wong:
       "In the past 10 days or so I've not heard any ZOMG STOP style
        complaints about removing ->writepage support from gfs2 or zonefs, so
        here's the pull request removing them (and the underlying fs iomap
        support) from the kernel:
      
         - Remove iomap_writepage and all callers, since the mm apparently
           never called the zonefs or gfs2 writepage functions"
      
      * tag 'iomap-6.0-merge-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        iomap: remove iomap_writepage
        zonefs: remove ->writepage
        gfs2: remove ->writepage
        gfs2: stop using generic_writepages in gfs2_ail1_start_one
      8745889a
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-5.20-rc1' of https://github.com/ceph/ceph-client · 786da5da
      Linus Torvalds authored
      Pull ceph updates from Ilya Dryomov:
       "We have a good pile of various fixes and cleanups from Xiubo, Jeff,
        Luis and others, almost exclusively in the filesystem.
      
        Several patches touch files outside of our normal purview to set the
        stage for bringing in Jeff's long awaited ceph+fscrypt series in the
        near future. All of them have appropriate acks and sat in linux-next
        for a while"
      
      * tag 'ceph-for-5.20-rc1' of https://github.com/ceph/ceph-client: (27 commits)
        libceph: clean up ceph_osdc_start_request prototype
        libceph: fix ceph_pagelist_reserve() comment typo
        ceph: remove useless check for the folio
        ceph: don't truncate file in atomic_open
        ceph: make f_bsize always equal to f_frsize
        ceph: flush the dirty caps immediatelly when quota is approaching
        libceph: print fsid and epoch with osd id
        libceph: check pointer before assigned to "c->rules[]"
        ceph: don't get the inline data for new creating files
        ceph: update the auth cap when the async create req is forwarded
        ceph: make change_auth_cap_ses a global symbol
        ceph: fix incorrect old_size length in ceph_mds_request_args
        ceph: switch back to testing for NULL folio->private in ceph_dirty_folio
        ceph: call netfs_subreq_terminated with was_async == false
        ceph: convert to generic_file_llseek
        ceph: fix the incorrect comment for the ceph_mds_caps struct
        ceph: don't leak snap_rwsem in handle_cap_grant
        ceph: prevent a client from exceeding the MDS maximum xattr size
        ceph: choose auth MDS for getxattr with the Xs caps
        ceph: add session already open notify support
        ...
      786da5da
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · e18a9042
      Linus Torvalds authored
      Pull more kvm updates from Paolo Bonzini:
      
       - Xen timer fixes
      
       - Documentation formatting fixes
      
       - Make rseq selftest compatible with glibc-2.35
      
       - Fix handling of illegal LEA reg, reg
      
       - Cleanup creation of debugfs entries
      
       - Fix steal time cache handling bug
      
       - Fixes for MMIO caching
      
       - Optimize computation of number of LBRs
      
       - Fix uninitialized field in guest_maxphyaddr < host_maxphyaddr path
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (26 commits)
        KVM: x86/MMU: properly format KVM_CAP_VM_DISABLE_NX_HUGE_PAGES capability table
        Documentation: KVM: extend KVM_CAP_VM_DISABLE_NX_HUGE_PAGES heading underline
        KVM: VMX: Adjust number of LBR records for PERF_CAPABILITIES at refresh
        KVM: VMX: Use proper type-safe functions for vCPU => LBRs helpers
        KVM: x86: Refresh PMU after writes to MSR_IA32_PERF_CAPABILITIES
        KVM: selftests: Test all possible "invalid" PERF_CAPABILITIES.LBR_FMT vals
        KVM: selftests: Use getcpu() instead of sched_getcpu() in rseq_test
        KVM: selftests: Make rseq compatible with glibc-2.35
        KVM: Actually create debugfs in kvm_create_vm()
        KVM: Pass the name of the VM fd to kvm_create_vm_debugfs()
        KVM: Get an fd before creating the VM
        KVM: Shove vcpu stats_id init into kvm_vcpu_init()
        KVM: Shove vm stats_id init into kvm_create_vm()
        KVM: x86/mmu: Add sanity check that MMIO SPTE mask doesn't overlap gen
        KVM: x86/mmu: rename trace function name for asynchronous page fault
        KVM: x86/xen: Stop Xen timer before changing IRQ
        KVM: x86/xen: Initialize Xen timer only once
        KVM: SVM: Disable SEV-ES support if MMIO caching is disable
        KVM: x86/mmu: Fully re-evaluate MMIO caching when SPTE masks change
        KVM: x86: Tag kvm_mmu_x86_module_init() with __init
        ...
      e18a9042
    • Jakub Kicinski's avatar
      net: atm: bring back zatm uAPI · c2e75634
      Jakub Kicinski authored
      Jiri reports that linux-atm does not build without this header.
      Bring it back. It's completely dead code but we can't break
      the build for user space :(
      Reported-by: default avatarJiri Slaby <jirislaby@kernel.org>
      Fixes: 052e1f01 ("net: atm: remove support for ZeitNet ZN122x ATM devices")
      Link: https://lore.kernel.org/all/8576aef3-37e4-8bae-bab5-08f82a78efd3@kernel.org/
      Link: https://lore.kernel.org/r/20220810164547.484378-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      c2e75634
    • Chen Lin's avatar
      dpaa2-eth: trace the allocated address instead of page struct · e34f4934
      Chen Lin authored
      We should trace the allocated address instead of page struct.
      
      Fixes: 27c87486 ("dpaa2-eth: Use a single page per Rx buffer")
      Signed-off-by: default avatarChen Lin <chen.lin5@zte.com.cn>
      Reviewed-by: default avatarIoana Ciornei <ioana.ciornei@nxp.com>
      Link: https://lore.kernel.org/r/20220811151651.3327-1-chen45464546@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      e34f4934
    • Rafael J. Wysocki's avatar
      Merge branch 'acpi-properties' · da2679f2
      Rafael J. Wysocki authored
      Merge changes adding support for device properties with buffer values
      to the ACPI device properties handling code.
      
      * acpi-properties:
        ACPI: property: Fix error handling in acpi_init_properties()
        ACPI: property: Read buffer properties as integers
        ACPI: property: Add support for parsing buffer property UUID
        ACPI: property: Unify integer value reading functions
        ACPI: property: Switch node property referencing from ifs to a switch
        ACPI: property: Move property ref argument parsing into a new function
        ACPI: property: Use acpi_object_type consistently in property ref parsing
        ACPI: property: Tie data nodes to acpi handles
        ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool
      da2679f2
    • Jakub Kicinski's avatar
      net: add missing kdoc for struct genl_multicast_group::flags · 5c221f0a
      Jakub Kicinski authored
      Multicast group flags were added in commit 4d54cc32 ("mptcp: avoid
      lock_fast usage in accept path"), but it missed adding the kdoc.
      
      Mention which flags go into that field, and do the same for
      op structs.
      
      Link: https://lore.kernel.org/r/20220809232012.403730-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      5c221f0a
    • Linus Torvalds's avatar
      Merge tag 'input-for-v5.20-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 2ae08b36
      Linus Torvalds authored
      Pull input updates from Dmitry Torokhov:
      
       - changes to input core to properly queue synthetic events (such as
         autorepeat) and to release multitouch contacts when an input device
         is inhibited or suspended
      
       - reworked quirk handling in i8042 driver that consolidates multiple
         DMI tables into one and adds several quirks for TUXEDO line of
         laptops
      
       - update to mt6779 keypad to better reflect organization of the
         hardware
      
       - changes to mtk-pmic-keys driver preparing it to handle more variants
      
       - facelift of adp5588-keys driver
      
       - improvements to iqs7222 driver
      
       - adjustments to various DT binding documents for input devices
      
       - other assorted driver fixes.
      
      * tag 'input-for-v5.20-rc0' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input: (54 commits)
        Input: adc-joystick - fix ordering in adc_joystick_probe()
        dt-bindings: input: ariel-pwrbutton: use spi-peripheral-props.yaml
        Input: deactivate MT slots when inhibiting or suspending devices
        Input: properly queue synthetic events
        dt-bindings: input: iqs7222: Use central 'linux,code' definition
        Input: i8042 - add dritek quirk for Acer Aspire One AO532
        dt-bindings: input: gpio-keys: accept also interrupt-extended
        dt-bindings: input: gpio-keys: reference input.yaml and document properties
        dt-bindings: input: gpio-keys: enforce node names to match all properties
        dt-bindings: input: Convert adc-keys to DT schema
        dt-bindings: input: Centralize 'linux,input-type' definition
        dt-bindings: input: Use common 'linux,keycodes' definition
        dt-bindings: input: Centralize 'linux,code' definition
        dt-bindings: input: Increase maximum keycode value to 0x2ff
        Input: mt6779-keypad - implement row/column selection
        Input: mt6779-keypad - match hardware matrix organization
        Input: i8042 - add additional TUXEDO devices to i8042 quirk tables
        Input: goodix - switch use of acpi_gpio_get_*_resource() APIs
        Input: i8042 - add TUXEDO devices to i8042 quirk tables
        Input: i8042 - add debug output for quirks
        ...
      2ae08b36
    • Jialiang Wang's avatar
      nfp: fix use-after-free in area_cache_get() · 02e1a114
      Jialiang Wang authored
      area_cache_get() is used to distribute cache->area and set cache->id,
       and if cache->id is not 0 and cache->area->kref refcount is 0, it will
       release the cache->area by nfp_cpp_area_release(). area_cache_get()
       set cache->id before cpp->op->area_init() and nfp_cpp_area_acquire().
      
      But if area_init() or nfp_cpp_area_acquire() fails, the cache->id is
       is already set but the refcount is not increased as expected. At this
       time, calling the nfp_cpp_area_release() will cause use-after-free.
      
      To avoid the use-after-free, set cache->id after area_init() and
       nfp_cpp_area_acquire() complete successfully.
      
      Note: This vulnerability is triggerable by providing emulated device
       equipped with specified configuration.
      
       BUG: KASAN: use-after-free in nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)
        Write of size 4 at addr ffff888005b7f4a0 by task swapper/0/1
      
       Call Trace:
        <TASK>
       nfp6000_area_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:760)
       area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:884)
      
       Allocated by task 1:
       nfp_cpp_area_alloc_with_name (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:303)
       nfp_cpp_area_cache_add (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:802)
       nfp6000_init (drivers/net/ethernet/netronome/nfp/nfpcore/nfp6000_pcie.c:1230)
       nfp_cpp_from_operations (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:1215)
       nfp_pci_probe (drivers/net/ethernet/netronome/nfp/nfp_main.c:744)
      
       Freed by task 1:
       kfree (mm/slub.c:4562)
       area_cache_get.constprop.8 (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:873)
       nfp_cpp_read (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:924 drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cppcore.c:973)
       nfp_cpp_readl (drivers/net/ethernet/netronome/nfp/nfpcore/nfp_cpplib.c:48)
      Signed-off-by: default avatarJialiang Wang <wangjialiang0806@163.com>
      Reviewed-by: default avatarYinjun Zhang <yinjun.zhang@corigine.com>
      Acked-by: default avatarSimon Horman <simon.horman@corigine.com>
      Link: https://lore.kernel.org/r/20220810073057.4032-1-wangjialiang0806@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      02e1a114
    • Jakub Kicinski's avatar
      MAINTAINERS: use my korg address for mt7601u · cef8e326
      Jakub Kicinski authored
      Change my address for mt7601u to the main one.
      
      Link: https://lore.kernel.org/r/20220809233843.408004-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      cef8e326
    • Vadim Pasternak's avatar
      mlxsw: minimal: Fix deadlock in ports creation · 4f98cb04
      Vadim Pasternak authored
      Drop devl_lock() / devl_unlock() from ports creation and removal flows
      since the devlink instance lock is now taken by mlxsw_core.
      
      Fixes: 72a4c8c9 ("mlxsw: convert driver to use unlocked devlink API during init/fini")
      Signed-off-by: default avatarVadim Pasternak <vadimp@nvidia.com>
      Signed-off-by: default avatarIdo Schimmel <idosch@nvidia.com>
      Signed-off-by: default avatarPetr Machata <petrm@nvidia.com>
      Reviewed-by: default avatarJiri Pirko <jiri@nvidia.com>
      Link: https://lore.kernel.org/r/f4afce5ab0318617f3866b85274be52542d59b32.1660211614.git.petrm@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4f98cb04
    • Jay Vosburgh's avatar
      bonding: fix reference count leak in balance-alb mode · 4f5d33f4
      Jay Vosburgh authored
      Commit d5410ac7 ("net:bonding:support balance-alb interface
      with vlan to bridge") introduced a reference count leak by not releasing
      the reference acquired by ip_dev_find().  Remedy this by insuring the
      reference is released.
      
      Fixes: d5410ac7 ("net:bonding:support balance-alb interface with vlan to bridge")
      Signed-off-by: default avatarJay Vosburgh <jay.vosburgh@canonical.com>
      Reviewed-by: default avatarNikolay Aleksandrov <razor@blackwall.org>
      Link: https://lore.kernel.org/r/26758.1660194413@famineSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      4f5d33f4
    • Linus Torvalds's avatar
      Revert "Makefile.extrawarn: re-enable -Wformat for clang" · 21f9c8a1
      Linus Torvalds authored
      This reverts commit 258fafcd.
      
      The clang -Wformat warning is terminally broken, and the clang people
      can't seem to get their act together.
      
      This test program causes a warning with clang:
      
      	#include <stdio.h>
      
      	int main(int argc, char **argv)
      	{
      		printf("%hhu\n", 'a');
      	}
      
      resulting in
      
        t.c:5:19: warning: format specifies type 'unsigned char' but the argument has type 'int' [-Wformat]
                printf("%hhu\n", 'a');
                        ~~~~     ^~~
                        %d
      
      and apparently clang people consider that a feature, because they don't
      want to face the reality of how either C character constants, C
      arithmetic, and C varargs functions work.
      
      The rest of the world just shakes their head at that kind of
      incompetence, and turns off -Wformat for clang again.
      
      And no, the "you should use a pointless cast to shut this up" is not a
      valid answer.  That warning should not exist in the first place, or at
      least be optinal with some "-Wformat-me-harder" kind of option.
      
      [ Admittedly, there's also very little reason to *ever* use '%hh[ud]' in
        C, but what little reason there is is entirely about 'I want to see
        only the low 8 bits of the argument'. So I would suggest nobody ever
        use that format in the first place, but if they do, the clang
        behavious is simply always wrong. Because '%hhu' takes an 'int'. It's
        that simple. ]
      Reported-by: default avatarSudip Mukherjee (Codethink) <sudipm.mukherjee@gmail.com>
      Cc: Nick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      21f9c8a1
    • Slark Xiao's avatar
      net: usb: qmi_wwan: Add support for Cinterion MV32 · ae7107ba
      Slark Xiao authored
      There are 2 models for MV32 serials. MV32-W-A is designed
      based on Qualcomm SDX62 chip, and MV32-W-B is designed based
      on Qualcomm SDX65 chip. So we use 2 different PID to separate it.
      
      Test evidence as below:
      T:  Bus=03 Lev=01 Prnt=01 Port=02 Cnt=03 Dev#=  3 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=1e2d ProdID=00f3 Rev=05.04
      S:  Manufacturer=Cinterion
      S:  Product=Cinterion PID 0x00F3 USB Mobile Broadband
      S:  SerialNumber=d7b4be8d
      C:  #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      I:  If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      
      T:  Bus=03 Lev=01 Prnt=01 Port=02 Cnt=03 Dev#= 10 Spd=480 MxCh= 0
      D:  Ver= 2.10 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs=  1
      P:  Vendor=1e2d ProdID=00f4 Rev=05.04
      S:  Manufacturer=Cinterion
      S:  Product=Cinterion PID 0x00F4 USB Mobile Broadband
      S:  SerialNumber=d095087d
      C:  #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#=0x0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
      I:  If#=0x1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      I:  If#=0x2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
      I:  If#=0x3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
      Signed-off-by: default avatarSlark Xiao <slark_xiao@163.com>
      Acked-by: default avatarBjørn Mork <bjorn@mork.no>
      Link: https://lore.kernel.org/r/20220810014521.9383-1-slark_xiao@163.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      ae7107ba
    • Jakub Kicinski's avatar
    • Alexei Starovoitov's avatar
      bpf: Shut up kern_sys_bpf warning. · 4e4588f1
      Alexei Starovoitov authored
      Shut up this warning:
      kernel/bpf/syscall.c:5089:5: warning: no previous prototype for function 'kern_sys_bpf' [-Wmissing-prototypes]
      int kern_sys_bpf(int cmd, union bpf_attr *attr, unsigned int size)
      Reported-by: default avatarJakub Kicinski <kuba@kernel.org>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      4e4588f1
    • Bagas Sanjaya's avatar
      KVM: x86/MMU: properly format KVM_CAP_VM_DISABLE_NX_HUGE_PAGES capability table · 19a7cc81
      Bagas Sanjaya authored
      There is unexpected warning on KVM_CAP_VM_DISABLE_NX_HUGE_PAGES capability
      table, which cause the table to be rendered as paragraph text instead.
      
      The warning is due to missing colon at capability name and returns keyword,
      as well as improper alignment on multi-line returns field.
      
      Fix the warning by adding missing colons and aligning the field.
      
      Link: https://lore.kernel.org/lkml/20220627181937.3be67263@canb.auug.org.au/
      Fixes: 084cc29f ("KVM: x86/MMU: Allow NX huge pages to be disabled on a per-vm basis")
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: David Matlack <dmatlack@google.com>
      Cc: Ben Gardon <bgardon@google.com>
      Cc: Peter Xu <peterx@redhat.com>
      Cc: kvm@vger.kernel.org
      Cc: linux-next@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarBagas Sanjaya <bagasdotme@gmail.com>
      Message-Id: <20220627095151.19339-3-bagasdotme@gmail.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      19a7cc81
    • Bagas Sanjaya's avatar
      Documentation: KVM: extend KVM_CAP_VM_DISABLE_NX_HUGE_PAGES heading underline · b4aed4d8
      Bagas Sanjaya authored
      Extend heading underline for KVM_CAP_VM_DISABLE_NX_HUGE_PAGE to match
      the heading text length.
      
      Link: https://lore.kernel.org/lkml/20220627181937.3be67263@canb.auug.org.au/
      Fixes: 084cc29f ("KVM: x86/MMU: Allow NX huge pages to be disabled on a per-vm basis")
      Reported-by: default avatarStephen Rothwell <sfr@canb.auug.org.au>
      Cc: Paolo Bonzini <pbonzini@redhat.com>
      Cc: Jonathan Corbet <corbet@lwn.net>
      Cc: David Matlack <dmatlack@google.com>
      Cc: Ben Gardon <bgardon@google.com>
      Cc: Peter Xu <peterx@redhat.com>
      Cc: kvm@vger.kernel.org
      Cc: linux-next@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Signed-off-by: default avatarBagas Sanjaya <bagasdotme@gmail.com>
      Message-Id: <20220627095151.19339-2-bagasdotme@gmail.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      b4aed4d8
    • Maxim Mikityanskiy's avatar
      net/tls: Use RCU API to access tls_ctx->netdev · 94ce3b64
      Maxim Mikityanskiy authored
      Currently, tls_device_down synchronizes with tls_device_resync_rx using
      RCU, however, the pointer to netdev is stored using WRITE_ONCE and
      loaded using READ_ONCE.
      
      Although such approach is technically correct (rcu_dereference is
      essentially a READ_ONCE, and rcu_assign_pointer uses WRITE_ONCE to store
      NULL), using special RCU helpers for pointers is more valid, as it
      includes additional checks and might change the implementation
      transparently to the callers.
      
      Mark the netdev pointer as __rcu and use the correct RCU helpers to
      access it. For non-concurrent access pass the right conditions that
      guarantee safe access (locks taken, refcount value). Also use the
      correct helper in mlx5e, where even READ_ONCE was missing.
      
      The transition to RCU exposes existing issues, fixed by this commit:
      
      1. bond_tls_device_xmit could read netdev twice, and it could become
      NULL the second time, after the NULL check passed.
      
      2. Drivers shouldn't stop processing the last packet if tls_device_down
      just set netdev to NULL, before tls_dev_del was called. This prevents a
      possible packet drop when transitioning to the fallback software mode.
      
      Fixes: 89df6a81 ("net/bonding: Implement TLS TX device offload")
      Fixes: c55dcdd4 ("net/tls: Fix use-after-free after the TLS device goes down and up")
      Signed-off-by: default avatarMaxim Mikityanskiy <maximmi@nvidia.com>
      Link: https://lore.kernel.org/r/20220810081602.1435800-1-maximmi@nvidia.comSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      94ce3b64
    • Jakub Kicinski's avatar
      tls: rx: device: don't try to copy too much on detach · d800a7b3
      Jakub Kicinski authored
      Another device offload bug, we use the length of the output
      skb as an indication of how much data to copy. But that skb
      is sized to offset + record length, and we start from offset.
      So we end up double-counting the offset which leads to
      skb_copy_bits() returning -EFAULT.
      Reported-by: default avatarTariq Toukan <tariqt@nvidia.com>
      Fixes: 84c61fe1 ("tls: rx: do not use the standard strparser")
      Tested-by: default avatarRan Rozenstein <ranro@nvidia.com>
      Link: https://lore.kernel.org/r/20220809175544.354343-2-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      d800a7b3