1. 19 Dec, 2021 10 commits
  2. 18 Dec, 2021 11 commits
  3. 17 Dec, 2021 6 commits
  4. 16 Dec, 2021 13 commits
    • Linus Torvalds's avatar
      Merge tag 'audit-pr-20211216' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit · 6441998e
      Linus Torvalds authored
      Pull audit fix from Paul Moore:
       "A single patch to fix a problem where the audit queue could grow
        unbounded when the audit daemon is forcibly stopped"
      
      * tag 'audit-pr-20211216' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
        audit: improve robustness of the audit queue handling
      6441998e
    • Linus Torvalds's avatar
      Merge tag 'net-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 180f3bcf
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes, including fixes from mac80211, wifi, bpf.
      
        Relatively large batches of fixes from BPF and the WiFi stack, calm in
        general networking.
      
        Current release - regressions:
      
         - dpaa2-eth: fix buffer overrun when reporting ethtool statistics
      
        Current release - new code bugs:
      
         - bpf: fix incorrect state pruning for <8B spill/fill
      
         - iavf:
             - add missing unlocks in iavf_watchdog_task()
             - do not override the adapter state in the watchdog task (again)
      
         - mlxsw: spectrum_router: consolidate MAC profiles when possible
      
        Previous releases - regressions:
      
         - mac80211 fixes:
             - rate control, avoid driver crash for retransmitted frames
             - regression in SSN handling of addba tx
             - a memory leak where sta_info is not freed
             - marking TX-during-stop for TX in in_reconfig, prevent stall
      
         - cfg80211: acquire wiphy mutex on regulatory work
      
         - wifi drivers: fix build regressions and LED config dependency
      
         - virtio_net: fix rx_drops stat for small pkts
      
         - dsa: mv88e6xxx: unforce speed & duplex in mac_link_down()
      
        Previous releases - always broken:
      
         - bpf fixes:
             - kernel address leakage in atomic fetch
             - kernel address leakage in atomic cmpxchg's r0 aux reg
             - signed bounds propagation after mov32
             - extable fixup offset
             - extable address check
      
         - mac80211:
             - fix the size used for building probe request
             - send ADDBA requests using the tid/queue of the aggregation
               session
             - agg-tx: don't schedule_and_wake_txq() under sta->lock, avoid
               deadlocks
             - validate extended element ID is present
      
         - mptcp:
             - never allow the PM to close a listener subflow (null-defer)
             - clear 'kern' flag from fallback sockets, prevent crash
             - fix deadlock in __mptcp_push_pending()
      
         - inet_diag: fix kernel-infoleak for UDP sockets
      
         - xsk: do not sleep in poll() when need_wakeup set
      
         - smc: avoid very long waits in smc_release()
      
         - sch_ets: don't remove idle classes from the round-robin list
      
         - netdevsim:
             - zero-initialize memory for bpf map's value, prevent info leak
             - don't let user space overwrite read only (max) ethtool parms
      
         - ixgbe: set X550 MDIO speed before talking to PHY
      
         - stmmac:
             - fix null-deref in flower deletion w/ VLAN prio Rx steering
             - dwmac-rk: fix oob read in rk_gmac_setup
      
         - ice: time stamping fixes
      
         - systemport: add global locking for descriptor life cycle"
      
      * tag 'net-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (89 commits)
        bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
        selftest/bpf: Add a test that reads various addresses.
        bpf: Fix extable address check.
        bpf: Fix extable fixup offset.
        bpf, selftests: Add test case trying to taint map value pointer
        bpf: Make 32->64 bounds propagation slightly more robust
        bpf: Fix signed bounds propagation after mov32
        sit: do not call ipip6_dev_free() from sit_init_net()
        net: systemport: Add global locking for descriptor lifecycle
        net/smc: Prevent smc_release() from long blocking
        net: Fix double 0x prefix print in SKB dump
        virtio_net: fix rx_drops stat for small pkts
        dsa: mv88e6xxx: fix debug print for SPEED_UNFORCED
        sfc_ef100: potential dereference of null pointer
        net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup
        net: usb: lan78xx: add Allied Telesis AT29M2-AF
        net/packet: rx_owner_map depends on pg_vec
        netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc
        dpaa2-eth: fix ethtool statistics
        ixgbe: set X550 MDIO speed before talking to PHY
        ...
      180f3bcf
    • Linus Torvalds's avatar
      Merge tag 'soc-fixes-5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 93db8300
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "There are a number of DT fixes, mostly for mistakes found through
        static checking of the dts files again, as well as a couple of minor
        changes to address incorrect DT settings.
      
        For i.MX, there is yet another series of devitree changes to update
        RGMII delay settings for ethernet, which is an ongoing problem after
        some driver changes.
      
        For SoC specific device drivers, a number of smaller fixes came up:
      
         - i.MX SoC identification was incorrectly registered non-i.MX
           machines when the driver is built-in
      
         - One fix on imx8m-blk-ctrl driver to get i.MX8MM MIPI reset work
           properly
      
         - a few compile fixes for warnings that get in the way of -Werror
      
         - a string overflow in the scpi firmware driver
      
         - a boot failure with FORTIFY_SOURCE on Rockchips machines
      
         - broken error handling in the AMD TEE driver
      
         - a revert for a tegra reset driver commit that broke HDA"
      
      * tag 'soc-fixes-5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (25 commits)
        soc/tegra: fuse: Fix bitwise vs. logical OR warning
        firmware: arm_scpi: Fix string overflow in SCPI genpd driver
        soc: imx: Register SoC device only on i.MX boards
        soc: imx: imx8m-blk-ctrl: Fix imx8mm mipi reset
        ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
        arm64: dts: imx8mq: remove interconnect property from lcdif
        ARM: socfpga: dts: fix qspi node compatible
        arm64: dts: apple: add #interrupt-cells property to pinctrl nodes
        dt-bindings: i2c: apple,i2c: allow multiple compatibles
        arm64: meson: remove COMMON_CLK
        arm64: meson: fix dts for JetHub D1
        tee: amdtee: fix an IS_ERR() vs NULL bug
        arm64: dts: apple: change ethernet0 device type to ethernet
        arm64: dts: ten64: remove redundant interrupt declaration for gpio-keys
        arm64: dts: rockchip: fix poweroff on helios64
        arm64: dts: rockchip: fix audio-supply for Rock Pi 4
        arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply
        arm64: dts: rockchip: fix rk3308-roc-cc vcc-sd supply
        arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge
        ARM: rockchip: Use memcpy_toio instead of memcpy on smp bring-up
        ...
      93db8300
    • Jakub Kicinski's avatar
      Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 0c3e2474
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-12-16
      
      We've added 15 non-merge commits during the last 7 day(s) which contain
      a total of 12 files changed, 434 insertions(+), 30 deletions(-).
      
      The main changes are:
      
      1) Fix incorrect verifier state pruning behavior for <8B register spill/fill,
         from Paul Chaignon.
      
      2) Fix x86-64 JIT's extable handling for fentry/fexit when return pointer
         is an ERR_PTR(), from Alexei Starovoitov.
      
      3) Fix 3 different possibilities that BPF verifier missed where unprivileged
         could leak kernel addresses, from Daniel Borkmann.
      
      4) Fix xsk's poll behavior under need_wakeup flag, from Magnus Karlsson.
      
      5) Fix an oob-write in test_verifier due to a missed MAX_NR_MAPS bump,
         from Kumar Kartikeya Dwivedi.
      
      6) Fix a race in test_btf_skc_cls_ingress selftest, from Martin KaFai Lau.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
        selftest/bpf: Add a test that reads various addresses.
        bpf: Fix extable address check.
        bpf: Fix extable fixup offset.
        bpf, selftests: Add test case trying to taint map value pointer
        bpf: Make 32->64 bounds propagation slightly more robust
        bpf: Fix signed bounds propagation after mov32
        bpf, selftests: Update test case for atomic cmpxchg on r0 with pointer
        bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg
        bpf, selftests: Add test case for atomic fetch on spilled pointer
        bpf: Fix kernel address leakage in atomic fetch
        selftests/bpf: Fix OOB write in test_verifier
        xsk: Do not sleep in poll() when need_wakeup set
        selftests/bpf: Tests for state pruning with u32 spill/fill
        bpf: Fix incorrect state pruning for <8B spill/fill
      ====================
      
      Link: https://lore.kernel.org/r/20211216210005.13815-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0c3e2474
    • Martin KaFai Lau's avatar
      bpf, selftests: Fix racing issue in btf_skc_cls_ingress test · c2fcbf81
      Martin KaFai Lau authored
      The libbpf CI reported occasional failure in btf_skc_cls_ingress:
      
        test_syncookie:FAIL:Unexpected syncookie states gen_cookie:80326634 recv_cookie:0
        bpf prog error at line 97
      
      "error at line 97" means the bpf prog cannot find the listening socket
      when the final ack is received.  It then skipped processing
      the syncookie in the final ack which then led to "recv_cookie:0".
      
      The problem is the userspace program did not do accept() and went
      ahead to close(listen_fd) before the kernel (and the bpf prog) had
      a chance to process the final ack.
      
      The fix is to add accept() call so that the userspace will wait for
      the kernel to finish processing the final ack first before close()-ing
      everything.
      
      Fixes: 9a856cae ("bpf: selftest: Add test_btf_skc_cls_ingress")
      Reported-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20211216191630.466151-1-kafai@fb.com
      c2fcbf81
    • Alexei Starovoitov's avatar
      selftest/bpf: Add a test that reads various addresses. · 7edc3fcb
      Alexei Starovoitov authored
      Add a function to bpf_testmod that returns invalid kernel and user addresses.
      Then attach an fexit program to that function that tries to read
      memory through these addresses.
      
      This logic checks that bpf_probe_read_kernel and BPF_PROBE_MEM logic is sane.
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      7edc3fcb
    • Alexei Starovoitov's avatar
      bpf: Fix extable address check. · 588a25e9
      Alexei Starovoitov authored
      The verifier checks that PTR_TO_BTF_ID pointer is either valid or NULL,
      but it cannot distinguish IS_ERR pointer from valid one.
      
      When offset is added to IS_ERR pointer it may become small positive
      value which is a user address that is not handled by extable logic
      and has to be checked for at the runtime.
      
      Tighten BPF_PROBE_MEM pointer check code to prevent this case.
      
      Fixes: 4c5de127 ("bpf: Emit explicit NULL pointer checks for PROBE_LDX instructions.")
      Reported-by: default avatarLorenzo Fontana <lorenzo.fontana@elastic.co>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      588a25e9
    • Alexei Starovoitov's avatar
      bpf: Fix extable fixup offset. · 433956e9
      Alexei Starovoitov authored
      The prog - start_of_ldx is the offset before the faulting ldx to the location
      after it, so this will be used to adjust pt_regs->ip for jumping over it and
      continuing, and with old temp it would have been fixed up to the wrong offset,
      causing crash.
      
      Fixes: 4c5de127 ("bpf: Emit explicit NULL pointer checks for PROBE_LDX instructions.")
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Reviewed-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      433956e9
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · a52a8e9e
      Linus Torvalds authored
      Pull clk fix from Stephen Boyd:
       "A single fix for the clk framework that needed some more bake time in
        linux-next.
      
        The problem is that two clks being registered at the same time can
        lead to a busted clk tree if the parent isn't fully registered by the
        time the child finds the parent. We rejigger the place where we mark
        the parent as fully registered so that the child can't find the parent
        until things are proper"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: Don't parent clks until the parent is fully registered
      a52a8e9e
    • Daniel Borkmann's avatar
      bpf, selftests: Add test case trying to taint map value pointer · b1a7288d
      Daniel Borkmann authored
      Add a test case which tries to taint map value pointer arithmetic into a
      unknown scalar with subsequent export through the map.
      
      Before fix:
      
        # ./test_verifier 1186
        #1186/u map access: trying to leak tained dst reg FAIL
        Unexpected success to load!
        verification time 24 usec
        stack depth 8
        processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
        #1186/p map access: trying to leak tained dst reg FAIL
        Unexpected success to load!
        verification time 8 usec
        stack depth 8
        processed 15 insns (limit 1000000) max_states_per_insn 0 total_states 1 peak_states 1 mark_read 1
        Summary: 0 PASSED, 0 SKIPPED, 2 FAILED
      
      After fix:
      
        # ./test_verifier 1186
        #1186/u map access: trying to leak tained dst reg OK
        #1186/p map access: trying to leak tained dst reg OK
        Summary: 2 PASSED, 0 SKIPPED, 0 FAILED
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      b1a7288d
    • Daniel Borkmann's avatar
      bpf: Make 32->64 bounds propagation slightly more robust · e572ff80
      Daniel Borkmann authored
      Make the bounds propagation in __reg_assign_32_into_64() slightly more
      robust and readable by aligning it similarly as we did back in the
      __reg_combine_64_into_32() counterpart. Meaning, only propagate or
      pessimize them as a smin/smax pair.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      e572ff80
    • Daniel Borkmann's avatar
      bpf: Fix signed bounds propagation after mov32 · 3cf2b61e
      Daniel Borkmann authored
      For the case where both s32_{min,max}_value bounds are positive, the
      __reg_assign_32_into_64() directly propagates them to their 64 bit
      counterparts, otherwise it pessimises them into [0,u32_max] universe and
      tries to refine them later on by learning through the tnum as per comment
      in mentioned function. However, that does not always happen, for example,
      in mov32 operation we call zext_32_to_64(dst_reg) which invokes the
      __reg_assign_32_into_64() as is without subsequent bounds update as
      elsewhere thus no refinement based on tnum takes place.
      
      Thus, not calling into the __update_reg_bounds() / __reg_deduce_bounds() /
      __reg_bound_offset() triplet as we do, for example, in case of ALU ops via
      adjust_scalar_min_max_vals(), will lead to more pessimistic bounds when
      dumping the full register state:
      
      Before fix:
      
        0: (b4) w0 = -1
        1: R0_w=invP4294967295
           (id=0,imm=ffffffff,
            smin_value=4294967295,smax_value=4294967295,
            umin_value=4294967295,umax_value=4294967295,
            var_off=(0xffffffff; 0x0),
            s32_min_value=-1,s32_max_value=-1,
            u32_min_value=-1,u32_max_value=-1)
      
        1: (bc) w0 = w0
        2: R0_w=invP4294967295
           (id=0,imm=ffffffff,
            smin_value=0,smax_value=4294967295,
            umin_value=4294967295,umax_value=4294967295,
            var_off=(0xffffffff; 0x0),
            s32_min_value=-1,s32_max_value=-1,
            u32_min_value=-1,u32_max_value=-1)
      
      Technically, the smin_value=0 and smax_value=4294967295 bounds are not
      incorrect, but given the register is still a constant, they break assumptions
      about const scalars that smin_value == smax_value and umin_value == umax_value.
      
      After fix:
      
        0: (b4) w0 = -1
        1: R0_w=invP4294967295
           (id=0,imm=ffffffff,
            smin_value=4294967295,smax_value=4294967295,
            umin_value=4294967295,umax_value=4294967295,
            var_off=(0xffffffff; 0x0),
            s32_min_value=-1,s32_max_value=-1,
            u32_min_value=-1,u32_max_value=-1)
      
        1: (bc) w0 = w0
        2: R0_w=invP4294967295
           (id=0,imm=ffffffff,
            smin_value=4294967295,smax_value=4294967295,
            umin_value=4294967295,umax_value=4294967295,
            var_off=(0xffffffff; 0x0),
            s32_min_value=-1,s32_max_value=-1,
            u32_min_value=-1,u32_max_value=-1)
      
      Without the smin_value == smax_value and umin_value == umax_value invariant
      being intact for const scalars, it is possible to leak out kernel pointers
      from unprivileged user space if the latter is enabled. For example, when such
      registers are involved in pointer arithmtics, then adjust_ptr_min_max_vals()
      will taint the destination register into an unknown scalar, and the latter
      can be exported and stored e.g. into a BPF map value.
      
      Fixes: 3f50f132 ("bpf: Verifier, do explicit ALU32 bounds tracking")
      Reported-by: default avatarKuee K1r0a <liulin063@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Reviewed-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      3cf2b61e
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · fa36bbe6
      Linus Torvalds authored
      Pull arm64 fix from Catalin Marinas:
       "Fix missing error code on kexec failure path"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        arm64: kexec: Fix missing error code 'ret' warning in load_other_segments()
      fa36bbe6