45aa6f5477
970 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Ard Biesheuvel
|
8229027985 |
bpf: add __weak hook for allocating executable memory
By default, BPF uses module_alloc() to allocate executable memory, but this is not necessary on all arches and potentially undesirable on some of them. So break out the module_alloc() and module_memfree() calls into __weak functions to allow them to be overridden in arch code. Signed-off-by: Ard Biesheuvel <ard.biesheuvel@linaro.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Adam W. Willis <return.of.octobot@gmail.com> |
||
Sultan Alsawaf
|
f18743c5ae |
bpf: Avoid allocating small buffers for map keys and values
Most, if not all, map keys and values are rather small and can fit on the stack, eliminating the need to allocate them dynamically. Reserve some small stack buffers for them to avoid dynamic memory allocation. Signed-off-by: Sultan Alsawaf <sultan@kerneltoast.com> |
||
Greg Kroah-Hartman
|
27e286f3db |
This is the 4.19.262 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmNZGCIACgkQONu9yGCS aT5dEQ//Q2YBvqn1WGhMJRRtIYeczfwvLh3b5duyt1nbf7KOA7yrjpmaQvszunLj FanBKsf9QrekTxMUJ9++RlFQy/pxkexy39P3ddlE+QQnKeY+lBr5fc/XSBOmmvm+ f1CInT4C6nRRn/r/vCumGfuhZ6o+BLwPPgkTCOs9ima6iaq7nLqgFquznVQ2XFJG SCtS+OPjnoH7HMOw9vXefd53KJJj5kpE+2fMnEBjdW7x4mPM6nwY3ZxB8sIUdLXe dtfDku6W1I8qnGSnI0B+I8/4psNYr/7j4UVTgEKSGmlKKzc78qypdX8YiOGExa84 MWQrEcIGBOzOaMt5F5RWbGbQmwDtlZC2yuTc5YeJ1eSZ6WfZ42rRu+SkMgloRpjO bCzKI8bZ6jmRFNeAPSuR9sF/fRrXlgPsszWYALwy9TTPMvG33jrJaiGwYCOuRxP/ Fn9C1AshGI+Yy7pX5PR+yOWeII4fgwFBo3Oxritm0RG31KZoXKsrVdyb5CwAD0Sf VMb4SNapWwjWKOqi39jAzxgmvkFAwv99HC77dLZhTzwsW+c0+8CH0ccpX/V9997v i2IfCLEoOODlpjjoEgeoZ1lwOSX4/cSrlO4L7qcw+vkmXplEkOnD5Lj5Sdw+m9Hp 1uwQGVZyngK/eMxInDLlrOFY9SOASCIs+XjJpzqimXp1cTLLEHM= =2I2l -----END PGP SIGNATURE----- Merge 4.19.262 into android-4.19-stable Changes in 4.19.262 Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 docs: update mediator information in CoC docs ARM: fix function graph tracer and unwinder dependencies fs: fix UAF/GPF bug in nilfs_mdt_destroy firmware: arm_scmi: Add SCMI PM driver remove routine dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer scsi: qedf: Fix a UAF bug in __qedf_probe() net/ieee802154: fix uninit value bug in dgram_sendmsg um: Cleanup syscall_handler_t cast in syscalls_32.h um: Cleanup compiler warning in arch/x86/um/tls_32.c usb: mon: make mmapped memory read only USB: serial: ftdi_sio: fix 300 bps rate for SIO mmc: core: Replace with already defined values for readability mmc: core: Terminate infinite loop in SD-UHS voltage switch rpmsg: qcom: glink: replace strncpy() with strscpy_pad() nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level() nilfs2: fix leak of nilfs_root in case of writer thread creation failure nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure ceph: don't truncate file in atomic_open random: clamp credited irq bits to maximum mixed ALSA: hda: Fix position reporting on Poulsbo scsi: stex: Properly zero out the passthrough command structure USB: serial: qcserial: add new usb-id for Dell branded EM7455 random: restore O_NONBLOCK support random: avoid reading two cache lines on irq randomness random: use expired timer rather than wq for mixing fast pool wifi: mac80211_hwsim: avoid mac80211 warning on bad rate Input: xpad - add supported devices as contributed on github Input: xpad - fix wireless 360 controller breaking after suspend ALSA: oss: Fix potential deadlock at unregistration ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() ALSA: usb-audio: Fix potential memory leaks ALSA: usb-audio: Fix NULL dererence at error path ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530 mtd: rawnand: atmel: Unmap streaming DMA mappings iio: dac: ad5593r: Fix i2c read protocol requirements usb: add quirks for Lenovo OneLink+ Dock can: kvaser_usb: Fix use of uninitialized completion can: kvaser_usb_leaf: Fix overread with an invalid command can: kvaser_usb_leaf: Fix TX queue out of sync after restart can: kvaser_usb_leaf: Fix CAN state after restart fs: dlm: fix race between test_bit() and queue_work() fs: dlm: handle -EBUSY first in lock arg validation HID: multitouch: Add memory barriers quota: Check next/prev free block number after reading from quota file regulator: qcom_rpm: Fix circular deferral regression Revert "fs: check FMODE_LSEEK to control internal pipe splicing" parisc: fbdev/stifb: Align graphics memory size to 4MB riscv: Allow PROT_WRITE-only mmap() UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge fbdev: smscufx: Fix use-after-free in ufx_ops_open() btrfs: fix race between quota enable and quota rescan ioctl riscv: fix build with binutils 2.38 nilfs2: fix use-after-free bug of struct nilfs_root ext4: avoid crash when inline data creation follows DIO write ext4: fix null-ptr-deref in ext4_write_info ext4: make ext4_lazyinit_thread freezable ext4: place buffer head allocation before handle start livepatch: fix race between fork and KLP transition ftrace: Properly unset FTRACE_HASH_FL_MOD ring-buffer: Allow splice to read previous partially read pages ring-buffer: Check pending waiters when doing wake ups as well ring-buffer: Fix race between reset page and reading page KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility KVM: nVMX: Unconditionally purge queued/injected events on nested "exit" selinux: use "grep -E" instead of "egrep" sh: machvec: Use char[] for section boundaries wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() wifi: mac80211: allow bw change during channel switch in mesh bpftool: Fix a wrong type cast in btf_dumper_int spi: mt7621: Fix an error message in mt7621_spi_probe() wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume() spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime() wifi: rtl8xxxu: Fix skb misuse in TX queue selection bpf: btf: fix truncated last_member_type_id in btf_struct_resolve wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration net: fs_enet: Fix wrong check in do_pd_setup bpf: Ensure correct locking around vulnerable function find_vpid() spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe netfilter: nft_fib: Fix for rpath check with VRF devices spi: s3c64xx: Fix large transfers with DMA vhost/vsock: Use kvmalloc/kvfree for larger packets. mISDN: fix use-after-free bugs in l1oip timer handlers sctp: handle the error returned from sctp_auth_asoc_init_active_key tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() bnx2x: fix potential memory leak in bnx2x_tpa_stop() once: add DO_ONCE_SLOW() for sleepable contexts net: mvpp2: fix mvpp2 debugfs leak drm: bridge: adv7511: fix CEC power down control register offset drm/mipi-dsi: Detach devices when removing the host platform/chrome: fix double-free in chromeos_laptop_prepare() platform/x86: msi-laptop: Fix old-ec check for backlight registering platform/x86: msi-laptop: Fix resource cleanup drm/bridge: megachips: Fix a null pointer dereference bug mmc: au1xmmc: Fix an error handling path in au1xmmc_probe() ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx ALSA: dmaengine: increment buffer pointer atomically mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe() ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe memory: of: Fix refcount leak bug in of_get_ddr_timings() soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() soc: qcom: smem_state: Add refcounting for the 'state->of_node' ARM: dts: turris-omnia: Fix mpp26 pin name and comment ARM: dts: kirkwood: lsxl: fix serial line ARM: dts: kirkwood: lsxl: remove first ethernet port ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family ARM: Drop CMDLINE_* dependency on ATAGS ARM: dts: exynos: fix polarity of VBUS GPIO of Origen iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX iio: adc: at91-sama5d2_adc: check return status for pressure and touch iio: inkern: only release the device node when done with it iio: ABI: Fix wrong format of differential capacitance channel ABI. clk: oxnas: Hold reference returned by of_get_parent() clk: berlin: Add of_node_put() for of_get_parent() clk: tegra: Fix refcount leak in tegra210_clock_init clk: tegra: Fix refcount leak in tegra114_clock_init clk: tegra20: Fix refcount leak in tegra20_clock_init HSI: omap_ssi: Fix refcount leak in ssi_probe HSI: omap_ssi_port: Fix dma_map_sg error check media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop tty: xilinx_uartps: Fix the ignore_status media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init RDMA/rxe: Fix "kernel NULL pointer dereference" error RDMA/rxe: Fix the error caused by qp->sk dyndbg: fix module.dyndbg handling dyndbg: let query-modname override actual module name mtd: devices: docg3: check the return value of devm_ioremap() in the probe ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting() ata: fix ata_id_has_devslp() ata: fix ata_id_has_ncq_autosense() ata: fix ata_id_has_dipm() md/raid5: Ensure stripe_fill happens on non-read IO with journal xhci: Don't show warning for reinit on known broken suspend usb: gadget: function: fix dangling pnp_string in f_printer.c drivers: serial: jsm: fix some leaks in probe phy: qualcomm: call clk_disable_unprepare in the error handling staging: vt6655: fix some erroneous memory clean-up loops firmware: google: Test spinlock on panic path to avoid lockups serial: 8250: Fix restoring termios speed after suspend fsi: core: Check error number after calling ida_simple_get mfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe() mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq() mfd: lp8788: Fix an error handling path in lp8788_probe() mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init() mfd: sm501: Add check for platform_driver_register() dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup() spmi: pmic-arb: correct duplicate APID to PPID mapping logic clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg powerpc/math_emu/efp: Include module.h powerpc/sysdev/fsl_msi: Add missing of_node_put() powerpc/pci_dn: Add missing of_node_put() powerpc/powernv: add missing of_node_put() in opal_export_attrs() x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5 powerpc: Fix SPE Power ISA properties for e500v1 platforms iommu/omap: Fix buffer overflow in debugfs iommu/iova: Fix module config properly crypto: cavium - prevent integer overflow loading firmware f2fs: fix race condition on setting FI_NO_EXTENT flag ACPI: video: Add Toshiba Satellite/Portege Z830 quirk MIPS: BCM47XX: Cast memcmp() of function to (void *) powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data wifi: brcmfmac: fix invalid address access when enabling SCAN log level openvswitch: Fix double reporting of drops in dropwatch openvswitch: Fix overreporting of drops in dropwatch tcp: annotate data-race around tcp_md5sig_pool_populated wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() xfrm: Update ipcomp_scratches with NULL when freed wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times can: bcm: check the result of can_send() in bcm_can_tx() wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 wifi: rt2x00: set SoC wmac clock register wifi: rt2x00: correctly set BBP register 86 for MT7620 net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Bluetooth: L2CAP: Fix user-after-free r8152: Rate limit overflow messages drm: Use size_t type for len variable in drm_copy_field() drm: Prevent drm_copy_field() to attempt copying a NULL pointer drm/amd/display: fix overflow on MIN_I64 definition drm/vc4: vec: Fix timings for VEC modes drm: panel-orientation-quirks: Add quirk for Anbernic Win600 platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading drm/amdgpu: fix initial connector audio value ARM: dts: imx7d-sdb: config the max pressure for tsc2046 ARM: dts: imx6q: add missing properties for sram ARM: dts: imx6dl: add missing properties for sram ARM: dts: imx6qp: add missing properties for sram ARM: dts: imx6sl: add missing properties for sram ARM: dts: imx6sll: add missing properties for sram ARM: dts: imx6sx: add missing properties for sram media: cx88: Fix a null-ptr-deref bug in buffer_prepare() scsi: 3w-9xxx: Avoid disabling device if failing to enable it nbd: Fix hung when signal interrupts nbd_start_device_ioctl() power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() staging: vt6655: fix potential memory leak ata: libahci_platform: Sanity check the DT child nodes number HID: roccat: Fix use-after-free in roccat_read() md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info() usb: musb: Fix musb_gadget.c rxstate overflow bug Revert "usb: storage: Add quirk for Samsung Fit flash" nvme: copy firmware_rev on each init usb: idmouse: fix an uninit-value in idmouse_open clk: bcm2835: Make peripheral PLLC critical perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc net: ieee802154: return -EINVAL for unknown addr type net/ieee802154: don't warn zero-sized raw_sendmsg() ext4: continue to expand file system when the target size doesn't reach md: Replace snprintf with scnprintf efi: libstub: drop pointless get_memory_map() call inet: fully convert sk->sk_rx_dst to RCU rules thermal: intel_powerclamp: Use first online CPU as control_cpu gcov: support GCC 12.1 and newer compilers Linux 4.19.262 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If70223b939e3710c4fbc4f7cc522f07d4b4ffd45 |
||
Lee Jones
|
e4b17b461c |
bpf: Ensure correct locking around vulnerable function find_vpid()
[ Upstream commit 83c10cc362d91c0d8d25e60779ee52fdbbf3894d ]
The documentation for find_vpid() clearly states:
"Must be called with the tasklist_lock or rcu_read_lock() held."
Presently we do neither for find_vpid() instance in bpf_task_fd_query().
Add proper rcu_read_lock/unlock() to fix the issue.
Fixes:
|
||
Lorenz Bauer
|
c14ff13272 |
bpf: btf: fix truncated last_member_type_id in btf_struct_resolve
[ Upstream commit a37a32583e282d8d815e22add29bc1e91e19951a ]
When trying to finish resolving a struct member, btf_struct_resolve
saves the member type id in a u16 temporary variable. This truncates
the 32 bit type id value if it exceeds UINT16_MAX.
As a result, structs that have members with type ids > UINT16_MAX and
which need resolution will fail with a message like this:
[67414] STRUCT ff_device size=120 vlen=12
effect_owners type_id=67434 bits_offset=960 Member exceeds struct_size
Fix this by changing the type of last_member_type_id to u32.
Fixes: a0791f0df7d2 ("bpf: fix BTF limits")
Reviewed-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Lorenz Bauer <oss@lmb.io>
Link: https://lore.kernel.org/r/20220910110120.339242-1-oss@lmb.io
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
88a4eb86e0 |
Merge 4cb392956a ("MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK") into android-mainline
Steps on the way to 4.19.256 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I8f23ebdd881ffbdcbdec5e6b76df7fe834479f4b |
||
Ovidiu Panait
|
6c6b84ef5e |
bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds()
From: John Fastabend <john.fastabend@gmail.com> commit 294f2fc6da27620a506e6c050241655459ccd6bd upstream. Currently, for all op verification we call __red_deduce_bounds() and __red_bound_offset() but we only call __update_reg_bounds() in bitwise ops. However, we could benefit from calling __update_reg_bounds() in BPF_ADD, BPF_SUB, and BPF_MUL cases as well. For example, a register with state 'R1_w=invP0' when we subtract from it, w1 -= 2 Before coerce we will now have an smin_value=S64_MIN, smax_value=U64_MAX and unsigned bounds umin_value=0, umax_value=U64_MAX. These will then be clamped to S32_MIN, U32_MAX values by coerce in the case of alu32 op as done in above example. However tnum will be a constant because the ALU op is done on a constant. Without update_reg_bounds() we have a scenario where tnum is a const but our unsigned bounds do not reflect this. By calling update_reg_bounds after coerce to 32bit we further refine the umin_value to U64_MAX in the alu64 case or U32_MAX in the alu32 case above. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/158507151689.15666.566796274289413203.stgit@john-Precision-5820-Tower Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
88e34926b0 |
This is the 4.19.254 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmLj+IgACgkQONu9yGCS aT5HkhAAkWMQdkoOQojH5Cr99e5qPacc+0403TAswoukBtFcYxAbnwqWNUb631oJ lMa8vNJl6la56tDjHztHOp+QJZ2GoseSTuUM8FxaJa39Yj0yk6FkqwnuAMn5IRSX 7EhcJeOdz0uq3AwMFbzGW3LAtSHZUiqD6XkaYFlqMzAUKBj45Oq3Ogc7U7+dTYKl CkocQBLWOOCuYfUX1Pg2g7F23maAyEmmlU6h3QgpkVTVuD4n4t4yH9iM8kBERlVc la/+o7jEzzqll+pde57VQezlH47IXlaqYnymNMRj8gddgGR9O90mFqNL4j8dzGGX OaYrw2gfcdXcFqbFdouBzx6kH2TLfEkB+Ewu6nxpzDOmQyCXUWXeUTsqM4zuRold x5Iija7/nWh7GajIemuaC9LhMZ3Z4VmEjIiAT9O93MJ5w6uo4MSV/lbPuLmrAoDk dmc5Z9CerJFJBNKo0hH5jSlK03uok0t7074N4o8KXxTrb8kP9Uhll3Q+seZjqIcd JwVCNdNSy5lNYAGhU2gpb9qREP+6oBklzqhKjkIbEB7O8LMl57UuvvVeR1y5/po/ 6wFAjwKexsfcDYQQkLkgV61XAFPteEJgJkWdBhRcU/6zA6yiRxRo3j8zu/Kc+u/P +O5VAV6kqRuiNm4W9mMJD+uAo7hfa75W+nj8jAtA5w9iuooWpMY= =a198 -----END PGP SIGNATURE----- Merge 4.19.254 into android-4.19-stable Changes in 4.19.254 riscv: add as-options for modules with assembly compontents xen/gntdev: Ignore failure to unmap INVALID_GRANT_HANDLE xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe pinctrl: ralink: Check for null return of devm_kcalloc perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() ip: Fix data-races around sysctl_ip_fwd_use_pmtu. ip: Fix data-races around sysctl_ip_nonlocal_bind. ip: Fix a data-race around sysctl_fwmark_reflect. tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. tcp: Fix data-races around sysctl_tcp_mtu_probing. tcp: Fix a data-race around sysctl_tcp_probe_threshold. tcp: Fix a data-race around sysctl_tcp_probe_interval. i2c: cadence: Change large transfer count reset logic to be unconditional net: stmmac: fix dma queue left shift overflow issue net/tls: Fix race in TLS device down flow igmp: Fix data-races around sysctl_igmp_llm_reports. igmp: Fix a data-race around sysctl_igmp_max_memberships. tcp: Fix data-races around sysctl_tcp_reordering. tcp: Fix data-races around some timeout sysctl knobs. tcp: Fix a data-race around sysctl_tcp_notsent_lowat. tcp: Fix a data-race around sysctl_tcp_tw_reuse. tcp: Fix data-races around sysctl_tcp_fastopen. be2net: Fix buffer overflow in be_get_module_eeprom tcp: Fix a data-race around sysctl_tcp_early_retrans. tcp: Fix data-races around sysctl_tcp_recovery. tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. tcp: Fix a data-race around sysctl_tcp_retrans_collapse. tcp: Fix a data-race around sysctl_tcp_stdurg. tcp: Fix a data-race around sysctl_tcp_rfc1337. tcp: Fix data-races around sysctl_tcp_max_reordering. Revert "Revert "char/random: silence a lockdep splat with printk()"" mm/mempolicy: fix uninit-value in mpol_rebind_policy() bpf: Make sure mac_header was set before using it drm/tilcdc: Remove obsolete crtc_mode_valid() hack tilcdc: tilcdc_external: fix an incorrect NULL check on list iterator HID: multitouch: simplify the application retrieval HID: multitouch: Lenovo X1 Tablet Gen3 trackpoint and buttons HID: multitouch: add support for the Smart Tech panel HID: add ALWAYS_POLL quirk to lenovo pixart mouse dlm: fix pending remove if msg allocation fails ima: remove the IMA_TEMPLATE Kconfig option ALSA: memalloc: Align buffer allocations in page size Bluetooth: Add bt_skb_sendmsg helper Bluetooth: Add bt_skb_sendmmsg helper Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Bluetooth: Fix passing NULL to PTR_ERR Bluetooth: SCO: Fix sco_send_frame returning skb->len Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks serial: mvebu-uart: correctly report configured baudrate value tty: drivers/tty/, stop using tty_schedule_flip() tty: the rest, stop using tty_schedule_flip() tty: drop tty_schedule_flip() tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() net: usb: ax88179_178a needs FLAG_SEND_ZLP PCI: hv: Fix multi-MSI to allow more than one MSI vector PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() PCI: hv: Fix interrupt mapping for multi-MSI Linux 4.19.254 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I8164bc3c6ca4775c4fffb7983f7d5b3b11f5bb09 |
||
Eric Dumazet
|
03fe739e27 |
bpf: Make sure mac_header was set before using it
commit 0326195f523a549e0a9d7fd44c70b26fd7265090 upstream. Classic BPF has a way to load bytes starting from the mac header. Some skbs do not have a mac header, and skb_mac_header() in this case is returning a pointer that 65535 bytes after skb->head. Existing range check in bpf_internal_load_pointer_neg_helper() was properly kicking and no illegal access was happening. New sanity check in skb_mac_header() is firing, so we need to avoid it. WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 skb_mac_header include/linux/skbuff.h:2785 [inline] WARNING: CPU: 1 PID: 28990 at include/linux/skbuff.h:2785 bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74 Modules linked in: CPU: 1 PID: 28990 Comm: syz-executor.0 Not tainted 5.19.0-rc4-syzkaller-00865-g4874fb9484be #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/29/2022 RIP: 0010:skb_mac_header include/linux/skbuff.h:2785 [inline] RIP: 0010:bpf_internal_load_pointer_neg_helper+0x1b1/0x1c0 kernel/bpf/core.c:74 Code: ff ff 45 31 f6 e9 5a ff ff ff e8 aa 27 40 00 e9 3b ff ff ff e8 90 27 40 00 e9 df fe ff ff e8 86 27 40 00 eb 9e e8 2f 2c f3 ff <0f> 0b eb b1 e8 96 27 40 00 e9 79 fe ff ff 90 41 57 41 56 41 55 41 RSP: 0018:ffffc9000309f668 EFLAGS: 00010216 RAX: 0000000000000118 RBX: ffffffffffeff00c RCX: ffffc9000e417000 RDX: 0000000000040000 RSI: ffffffff81873f21 RDI: 0000000000000003 RBP: ffff8880842878c0 R08: 0000000000000003 R09: 000000000000ffff R10: 000000000000ffff R11: 0000000000000001 R12: 0000000000000004 R13: ffff88803ac56c00 R14: 000000000000ffff R15: dffffc0000000000 FS: 00007f5c88a16700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fdaa9f6c058 CR3: 000000003a82c000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> ____bpf_skb_load_helper_32 net/core/filter.c:276 [inline] bpf_skb_load_helper_32+0x191/0x220 net/core/filter.c:264 Fixes: f9aefd6b2aa3 ("net: warn if mac header was not set") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20220707123900.945305-1-edumazet@google.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
68418bd545 |
This is the 4.19.230 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmIM5VcACgkQONu9yGCS aT6sAA//RICSFA96/h5dDGn1LJrTl+yi7XbY8cn5Y7Wg2Y4Lc2reRyExe43cXqyh 629xhSuyFnIK5BRHn0UHkuEXb9JTWohbrJ/3L9Vr8UmHPL3Vqb+aeKf8pLT9Lo12 6J5BXJjuL4sdbW48t45+EDy8h04zFU73x2hI8naejkTIsWuBlX3bzpg6R9sMidD9 8Iy5jTAsNyrudMRnPfQfxxUXTu1Gj1whmazZRzspK7GW5K7E3qmGN4tvB0CQZl1W zOeY/BKoPNngitfAu4SsAVtD4cdoWcIWaTDwPLbKwraiXkf0WHmp34i4MqK8rtXv ut1WRlW5dYff/M1cZTtb3EaJ35xwPP+eX4dZOhQriYXuw3OANztQjVaroF8MnXK5 QWipbqfvtyVdCVSGfGz/vcFZpIsF+I1MgIMVCYhzHsdCNogQjlSfAl8GZWimCEI4 2V3d2bn+/JYY2nv7e+66QvFYIo+53OktYxOR3fSw8fK1YYJeQx6EhxChaMvd3l7y Ri6PaEuU/rv3eKq1ZPIun2jtpeGnEtGuC6xNP9YMPzOxpGFLv21o5v+74hAs8WkB FaKNT3SG2CqMPlf2m1sHk63bQ7L6F+Pc/qD7gIClbFSE6ly7miOj5Vel2XfSjOVS 0f7cCWF7fxaAFicV96jot2U7SL+/oRQntwJfeyN6b2tPxWq5AI4= =qEhF -----END PGP SIGNATURE----- Merge 4.19.230 into android-4.19-stable Changes in 4.19.230 integrity: check the return value of audit_log_start() ima: Remove ima_policy file before directory ima: Allow template selection with ima_template[_fmt]= after ima_hash= mmc: sdhci-of-esdhc: Check for error num after setting mask net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs NFS: Fix initialisation of nfs_client cl_flags field NFSD: Clamp WRITE offsets NFSD: Fix offset type in I/O trace points NFSv4 only print the label when its queried nfs: nfs4clinet: check the return value of kstrdup() NFSv4.1: Fix uninitialised variable in devicenotify NFSv4 remove zero number of fs_locations entries error check NFSv4 expose nfs_parse_server_name function net: sched: Clarify error message when qdisc kind is unknown scsi: target: iscsi: Make sure the np under each tpg is unique usb: dwc2: gadget: don't try to disable ep0 in dwc2_hsotg_suspend net: stmmac: dwmac-sun8i: use return val of readl_poll_timeout() bpf: Add kconfig knob for disabling unpriv bpf by default ARM: dts: imx23-evk: Remove MX23_PAD_SSP1_DETECT from hog group net: bridge: fix stale eth hdr pointer in br_dev_xmit perf probe: Fix ppc64 'perf probe add events failed' case ARM: dts: meson: Fix the UART compatible strings staging: fbtft: Fix error path in fbtft_driver_module_init() ARM: dts: imx6qdl-udoo: Properly describe the SD card detect usb: f_fs: Fix use-after-free for epfile ixgbevf: Require large buffers for build_skb on 82599VF bonding: pair enable_port with slave_arr_updates ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path net: do not keep the dst cache when uncloning an skb dst and its metadata net: fix a memleak when uncloning an skb dst and its metadata veth: fix races around rq->rx_notify_masked tipc: rate limit warning for received illegal binding update net: amd-xgbe: disable interrupts during pci removal vt_ioctl: fix array_index_nospec in vt_setactivate vt_ioctl: add array_index_nospec to VT_ACTIVATE n_tty: wake up poll(POLLRDNORM) on receiving data usb: ulpi: Move of_node_put to ulpi_dev_release usb: ulpi: Call of_node_put correctly usb: dwc3: gadget: Prevent core from processing stale TRBs USB: gadget: validate interface OS descriptor requests usb: gadget: rndis: check size of RNDIS_MSG_SET command USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 USB: serial: option: add ZTE MF286D modem USB: serial: ch341: add support for GW Instek USB2.0-Serial devices USB: serial: cp210x: add NCR Retail IO box id USB: serial: cp210x: add CPI Bulk Coin Recycler id seccomp: Invalidate seccomp mode to catch death failures hwmon: (dell-smm) Speed up setting of fan speed perf: Fix list corruption in perf_cgroup_switch() Linux 4.19.230 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I01d106ece6e54a9d688f57409c9b37aeb35c6707 |
||
Daniel Borkmann
|
07e7f7cc61 |
bpf: Add kconfig knob for disabling unpriv bpf by default
commit 08389d888287c3823f80b0216766b71e17f0aba5 upstream.
Add a kconfig knob which allows for unprivileged bpf to be disabled by default.
If set, the knob sets /proc/sys/kernel/unprivileged_bpf_disabled to value of 2.
This still allows a transition of 2 -> {0,1} through an admin. Similarly,
this also still keeps 1 -> {1} behavior intact, so that once set to permanently
disabled, it cannot be undone aside from a reboot.
We've also added extra2 with max of 2 for the procfs handler, so that an admin
still has a chance to toggle between 0 <-> 2.
Either way, as an additional alternative, applications can make use of CAP_BPF
that we added a while ago.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/74ec548079189e4e4dffaeb42b8987bb3c852eee.1620765074.git.daniel@iogearbox.net
[fllinden@amazon.com: backported to 4.19]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
965798c6c9 |
This is the 4.19.221 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmG4YVYACgkQONu9yGCS aT5XZBAAsAbvO7xnyOVCN9+hwMOVJXMDUAsTm94JKdeP1wcnySgkxaELRvX3w2jD wVHoyysfEZskaHfvET0gnvEKIOZ/eQCR7ugI7Ry+8tOW0CBtg7vk/4Lcpyk2eHBa iadAzTyeCSG3y0Usn26m7CyoBJNd/GGy1tOR0D8Rwx05DMOHO3z6frjQ5yFHkFha /WBgWnjqh2SZ3gZ00vE/rlqsgQWiO88NGAPWstktHm4ImC4NQP5Teo9gdmUM41v1 M4IRMBkTlBW9vyAlHMHChYOobeKUlhP9j7WCTzB0RlE9to01Eb23bL3Sq+7s+an8 5N5j7tOyxrOUU3wOmR6M9WpkA6vIite0Ux9FLray89f5yM4sotxtFj7gY51Udc/2 spAsp6NigEjyIJ1kVSnPRsu2iIeY4fc9xJLfhW3s110d3HvEq/9B+lcttX3KqBUm qr1M8lUvyy8dmYfTzfvc9bIl63db9c8Tz1d/9VmT1+zEReolafpr5LM2aII5vrLo VnKSvU+v9vy7AKaPnxHB9HG3EA+V56+ehoFDxyps5tGQ9VCtxIUZHPM6/b3V6c7W tjj/eUxKl3nzb7aHMt3rcL/VNzXuSjCjElUgQUH8Jfn9NcfnvVPPVplsxsQzTqag 82vx+p4DoWbjrgzxHLj7MX7WFZnZTHn0qQeRG+ZqmQONEefRmgU= =VKlL -----END PGP SIGNATURE----- Merge 4.19.221 into android-4.19-stable Changes in 4.19.221 HID: google: add eel USB id HID: add hid_is_usb() function to make it simpler for USB detection HID: add USB_HID dependancy to hid-prodikeys HID: add USB_HID dependancy to hid-chicony HID: add USB_HID dependancy on some USB HID drivers HID: wacom: fix problems when device is not a valid USB device HID: check for valid USB device for many HID drivers can: kvaser_usb: get CAN clock frequency from device can: sja1000: fix use after free in ems_pcmcia_add_card() net: core: netlink: add helper refcount dec and lock function net: sched: rename qdisc_destroy() to qdisc_put() net: sched: extend Qdisc with rcu net: sched: add helper function to take reference to Qdisc net: sched: use Qdisc rcu API instead of relying on rtnl lock nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done bpf: Fix the off-by-two error in range markings ice: ignore dropped packets during init bonding: make tx_rebalance_counter an atomic nfp: Fix memory leak in nfp_cpp_area_cache_add() seg6: fix the iif in the IPv6 socket control block udp: using datalen to cap max gso segments IB/hfi1: Correct guard on eager buffer deallocation mm: bdi: initialize bdi_min_ratio when bdi is unregistered ALSA: ctl: Fix copy of updated id with element read/write ALSA: pcm: oss: Fix negative period/buffer sizes ALSA: pcm: oss: Limit the period size to 16MB ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() tracefs: Have new files inherit the ownership of their parent clk: qcom: regmap-mux: fix parent clock lookup can: pch_can: pch_can_rx_normal: fix use after free can: m_can: Disable and ignore ELO interrupt libata: add horkage for ASMedia 1092 wait: add wake_up_pollfree() binder: use wake_up_pollfree() signalfd: use wake_up_pollfree() aio: keep poll requests on waitqueue until completed aio: fix use-after-free due to missing POLLFREE handling tracefs: Set all files to the same group ownership as the mount option block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) qede: validate non LSO skb length ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer i40e: Fix pre-set max number of queues for VF mtd: rawnand: fsmc: Take instruction delay into account tools build: Remove needless libpython-version feature check that breaks test-all fast path net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero net: altera: set a couple error code in probe() net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() net, neigh: clear whole pneigh_entry at alloc time net/qla3xxx: fix an error code in ql_adapter_up() USB: gadget: detect too-big endpoint 0 requests USB: gadget: zero allocate endpoint 0 buffers usb: core: config: fix validation of wMaxPacketValue entries xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending usb: core: config: using bit mask instead of individual bits xhci: avoid race between disable slot command and host runtime suspend iio: trigger: Fix reference counting iio: trigger: stm32-timer: fix MODULE_ALIAS iio: stk3310: Don't return error code in interrupt handler iio: mma8452: Fix trigger reference couting iio: ltr501: Don't return error code in trigger handler iio: kxsd9: Don't return error code in trigger handler iio: itg3200: Call iio_trigger_notify_done() on error iio: dln2-adc: Fix lockdep complaint iio: dln2: Check return value of devm_iio_trigger_register() iio: at91-sama5d2: Fix incorrect sign extension iio: adc: axp20x_adc: fix charging current reporting on AXP22x iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() irqchip/armada-370-xp: Fix support for Multi-MSI interrupts irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL irqchip: nvic: Fix offset for Interrupt Priority Offsets net_sched: fix a crash in tc_new_tfilter() net: sched: make function qdisc_free_cb() static Linux 4.19.221 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ie58fef73a6ccfbd581bac4a655548f92816f1cbd |
||
Maxim Mikityanskiy
|
c315bd9625 |
bpf: Fix the off-by-two error in range markings
commit 2fa7d94afc1afbb4d702760c058dc2d7ed30f226 upstream.
The first commit cited below attempts to fix the off-by-one error that
appeared in some comparisons with an open range. Due to this error,
arithmetically equivalent pieces of code could get different verdicts
from the verifier, for example (pseudocode):
// 1. Passes the verifier:
if (data + 8 > data_end)
return early
read *(u64 *)data, i.e. [data; data+7]
// 2. Rejected by the verifier (should still pass):
if (data + 7 >= data_end)
return early
read *(u64 *)data, i.e. [data; data+7]
The attempted fix, however, shifts the range by one in a wrong
direction, so the bug not only remains, but also such piece of code
starts failing in the verifier:
// 3. Rejected by the verifier, but the check is stricter than in #1.
if (data + 8 >= data_end)
return early
read *(u64 *)data, i.e. [data; data+7]
The change performed by that fix converted an off-by-one bug into
off-by-two. The second commit cited below added the BPF selftests
written to ensure than code chunks like #3 are rejected, however,
they should be accepted.
This commit fixes the off-by-two error by adjusting new_range in the
right direction and fixes the tests by changing the range into the
one that should actually fail.
Fixes:
|
||
|
Greg Kroah-Hartman
|
47e51a7a22 |
This is the 4.19.218 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGguLAACgkQONu9yGCS
aT4wZQ/+OSbZuEs53pK9aEgBhXBlJtI0uIXsywUgsFZzeTfXuutrSeYs33EGTI3T
q7JB2mixxZnUoHFajVNtmKKDhN/KySRvmqEoDX+adHd2Pyx3m42kAC7odVBdSk/1
5mgcaAQmMKa/+DgMGAJmMDDoa7zzPOykPhzbgT8rIVvaLyqtBMcqVV+Wo3HsUFBe
nR4vMmb1noZhRT8Bphf/m+BnjSkh8FMVCY47W++D1fNFgZXD6jm/4qdJar0nE+si
4ymdyehKdMQ3xeuhdxzurFalM8TDMY2Yz720ST9EV2VhrJZ3STLz1pOuOonxVk1D
Y9xB4yG357Dx+zjmkPt/aNeQ7Mt3sAEUBI37y27wRi6wBa2xlie0/nGjTp2r7tEs
h34ZiKrpom7goH+FZRQndkJUqqMo4COASD9AXzJEgpZtqVH6SRA0Cw6nV1KydLSQ
zMz0IsdvUR4i6xhw6tr17FXtgnX3MjLqRh2lBLedw4e4ydi+CJU/c4sFIeMIJnjl
CMHp2mt7VyTf5jufJ0o4BY4UCDBBKt3uqEB0g58AXSMEEGUoQcpFBFd8ZJ0inYFH
JtuL8IbtBPWEt20HR411tQkhIdgPFDzAHm2q9X8YGc4DnAO+/p9xGpXy+xPrRm7p
VRKwQRFb9MOVA4bswQ4uCU+wpIsq5NaXhkjSC27U49kzDdKZbAg=
=xzh+
-----END PGP SIGNATURE-----
Merge 4.19.218 into android-4.19-stable
Changes in 4.19.218
xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay
binder: use euid from cred instead of using task
binder: use cred instead of task for selinux checks
Input: elantench - fix misreporting trackpoint coordinates
Input: i8042 - Add quirk for Fujitsu Lifebook T725
libata: fix read log timeout value
ocfs2: fix data corruption on truncate
mmc: dw_mmc: Dont wait for DRTO on Write RSP error
parisc: Fix ptrace check on syscall return
tpm: Check for integer overflow in tpm2_map_response_body()
firmware/psci: fix application of sizeof to pointer
crypto: s5p-sss - Add error handling in s5p_aes_probe()
media: ite-cir: IR receiver stop working after receive overflow
media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers
ALSA: hda/realtek: Add quirk for Clevo PC70HS
ALSA: ua101: fix division by zero at probe
ALSA: 6fire: fix control and bulk message timeouts
ALSA: line6: fix control and interrupt message timeouts
ALSA: usb-audio: Add registration quirk for JBL Quantum 400
ALSA: synth: missing check for possible NULL after the call to kstrdup
ALSA: timer: Fix use-after-free problem
ALSA: timer: Unconditionally unlink slave instances, too
x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c
x86/irq: Ensure PI wakeup handler is unregistered before module unload
cavium: Return negative value when pci_alloc_irq_vectors() fails
scsi: qla2xxx: Fix unmap of already freed sgl
cavium: Fix return values of the probe function
sfc: Don't use netif_info before net_device setup
hyperv/vmbus: include linux/bitops.h
mmc: winbond: don't build on M68K
drm: panel-orientation-quirks: Add quirk for Aya Neo 2021
bpf: Prevent increasing bpf_jit_limit above max
xen/netfront: stop tx queues during live migration
spi: spl022: fix Microwire full duplex mode
watchdog: Fix OMAP watchdog early handling
vmxnet3: do not stop tx queues after netif_device_detach()
btrfs: clear MISSING device status bit in btrfs_close_one_device
btrfs: fix lost error handling when replaying directory deletes
btrfs: call btrfs_check_rw_degradable only if there is a missing device
ia64: kprobes: Fix to pass correct trampoline address to the handler
hwmon: (pmbus/lm25066) Add offset coefficients
regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled
regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property
EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell
mwifiex: fix division by zero in fw download path
ath6kl: fix division by zero in send path
ath6kl: fix control-message timeout
ath10k: fix control-message timeout
ath10k: fix division by zero in send path
PCI: Mark Atheros QCA6174 to avoid bus reset
rtl8187: fix control-message timeouts
evm: mark evm_fixmode as __ro_after_init
wcn36xx: Fix HT40 capability for 2Ghz band
mwifiex: Read a PCI register after writing the TX ring write pointer
libata: fix checking of DMA state
wcn36xx: handle connection loss indication
rsi: fix occasional initialisation failure with BT coex
rsi: fix key enabled check causing unwanted encryption for vap_id > 0
rsi: fix rate mask set leading to P2P failure
rsi: Fix module dev_oper_mode parameter description
RDMA/qedr: Fix NULL deref for query_qp on the GSI QP
signal: Remove the bogus sigkill_pending in ptrace_stop
signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT
power: supply: max17042_battery: Prevent int underflow in set_soc_threshold
power: supply: max17042_battery: use VFSOC for capacity when no rsns
powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found
serial: core: Fix initializing and restoring termios speed
ALSA: mixer: oss: Fix racy access to slots
ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume
xen/balloon: add late_initcall_sync() for initial ballooning done
PCI: aardvark: Do not clear status bits of masked interrupts
PCI: aardvark: Do not unmask unused interrupts
PCI: aardvark: Fix return value of MSI domain .alloc() method
PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG
quota: check block number when reading the block in quota file
quota: correct error number in free_dqentry()
pinctrl: core: fix possible memory leak in pinctrl_enable()
iio: dac: ad5446: Fix ad5622_write() return value
USB: serial: keyspan: fix memleak on probe errors
USB: iowarrior: fix control-message timeouts
drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1
Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
Bluetooth: fix use-after-free error in lock_sock_nested()
platform/x86: wmi: do not fail if disabling fails
MIPS: lantiq: dma: add small delay after reset
MIPS: lantiq: dma: reset correct number of channel
locking/lockdep: Avoid RCU-induced noinstr fail
net: sched: update default qdisc visibility after Tx queue cnt changes
smackfs: Fix use-after-free in netlbl_catmap_walk()
x86: Increase exception stack sizes
mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type
mwifiex: Properly initialize private structure on interface type changes
media: mt9p031: Fix corrupted frame after restarting stream
media: netup_unidvb: handle interrupt properly according to the firmware
media: uvcvideo: Set capability in s_param
media: uvcvideo: Return -EIO for control errors
media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe()
media: s5p-mfc: Add checking to s5p_mfc_probe().
media: mceusb: return without resubmitting URB in case of -EPROTO error.
ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK
media: rcar-csi2: Add checking to rcsi2_start_receiver()
ACPICA: Avoid evaluating methods too early during system resume
media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte()
tracefs: Have tracefs directories not set OTH permission bits by default
ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create()
ACPI: battery: Accept charges over the design capacity as full
leaking_addresses: Always print a trailing newline
memstick: r592: Fix a UAF bug when removing the driver
lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression
lib/xz: Validate the value before assigning it to an enum variable
workqueue: make sysfs of unbound kworker cpumask more clever
tracing/cfi: Fix cmp_entries_* functions signature mismatch
mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
PM: hibernate: Get block device exclusively in swsusp_check()
iwlwifi: mvm: disable RX-diversity in powersave
smackfs: use __GFP_NOFAIL for smk_cipso_doi()
ARM: clang: Do not rely on lr register for stacktrace
gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE
ARM: 9136/1: ARMv7-M uses BE-8, not BE-32
spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe()
x86/hyperv: Protect set_hv_tscchange_cb() against getting preempted
parisc: fix warning in flush_tlb_all
task_stack: Fix end_of_stack() for architectures with upwards-growing stack
parisc/unwind: fix unwinder when CONFIG_64BIT is enabled
parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling
Bluetooth: fix init and cleanup of sco_conn.timeout_work
cgroup: Make rebind_subsystems() disable v2 controllers all at once
net: dsa: rtl8366rb: Fix off-by-one bug
drm/amdgpu: fix warning for overflow check
media: em28xx: add missing em28xx_close_extension
media: dvb-usb: fix ununit-value in az6027_rc_query
media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()'
media: si470x: Avoid card name truncation
media: cx23885: Fix snd_card_free call on null card pointer
cpuidle: Fix kobject memory leaks in error paths
media: em28xx: Don't use ops->suspend if it is NULL
ath9k: Fix potential interrupt storm on queue reset
media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable()
crypto: qat - detect PFVF collision after ACK
crypto: qat - disregard spurious PFVF interrupts
hwrng: mtk - Force runtime pm ops for sleep ops
b43legacy: fix a lower bounds test
b43: fix a lower bounds test
mmc: sdhci-omap: Fix NULL pointer exception if regulator is not configured
memstick: avoid out-of-range warning
memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host()
hwmon: Fix possible memleak in __hwmon_device_register()
hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff
ath10k: fix max antenna gain unit
drm/msm: uninitialized variable in msm_gem_import()
net: stream: don't purge sk_error_queue in sk_stream_kill_queues()
mmc: mxs-mmc: disable regulator on error and in the remove function
platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning
rsi: stop thread firstly in rsi_91x_init() error handling
mwifiex: Send DELBA requests according to spec
phy: micrel: ksz8041nl: do not use power down mode
nvme-rdma: fix error code in nvme_rdma_setup_ctrl
PM: hibernate: fix sparse warnings
clocksource/drivers/timer-ti-dm: Select TIMER_OF
drm/msm: Fix potential NULL dereference in DPU SSPP
smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap()
irq: mips: avoid nested irq_enter()
tcp: don't free a FIN sk_buff in tcp_remove_empty_skb()
samples/kretprobes: Fix return value if register_kretprobe() failed
KVM: s390: Fix handle_sske page fault handling
libertas_tf: Fix possible memory leak in probe and disconnect
libertas: Fix possible memory leak in probe and disconnect
wcn36xx: add proper DMA memory barriers in rx path
net: amd-xgbe: Toggle PLL settings during rate change
net: phylink: avoid mvneta warning when setting pause parameters
crypto: pcrypt - Delay write to padata->info
selftests/bpf: Fix fclose/pclose mismatch in test_progs
ibmvnic: Process crqs after enabling interrupts
RDMA/rxe: Fix wrong port_cap_flags
ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc()
arm64: dts: rockchip: Fix GPU register width for RK3328
RDMA/bnxt_re: Fix query SRQ failure
ARM: dts: at91: tse850: the emac<->phy interface is rmii
scsi: dc395: Fix error case unwinding
MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT
JFS: fix memleak in jfs_mount
ALSA: hda: Reduce udelay() at SKL+ position reporting
arm: dts: omap3-gta04a4: accelerometer irq fix
soc/tegra: Fix an error handling path in tegra_powergate_power_up()
memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe
video: fbdev: chipsfb: use memset_io() instead of memset()
serial: 8250_dw: Drop wrong use of ACPI_PTR()
usb: gadget: hid: fix error code in do_config()
power: supply: rt5033_battery: Change voltage values to µV
scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn()
RDMA/mlx4: Return missed an error if device doesn't support steering
ASoC: cs42l42: Correct some register default values
ASoC: cs42l42: Defer probe if request_threaded_irq() returns EPROBE_DEFER
phy: qcom-qusb2: Fix a memory leak on probe
serial: xilinx_uartps: Fix race condition causing stuck TX
mips: cm: Convert to bitfield API to fix out-of-bounds access
power: supply: bq27xxx: Fix kernel crash on IRQ handler register error
apparmor: fix error check
rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined
pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds
drm/plane-helper: fix uninitialized variable reference
PCI: aardvark: Don't spam about PIO Response Status
NFS: Fix deadlocks in nfs_scan_commit_list()
fs: orangefs: fix error return code of orangefs_revalidate_lookup()
mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare()
dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro
auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string
auxdisplay: ht16k33: Connect backlight to fbdev
auxdisplay: ht16k33: Fix frame buffer device blanking
netfilter: nfnetlink_queue: fix OOB when mac header was cleared
dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result`
m68k: set a default value for MEMORY_RESERVE
watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT
ar7: fix kernel builds for compiler test
scsi: qla2xxx: Fix gnl list corruption
scsi: qla2xxx: Turn off target reset during issue_lip
i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()'
xen-pciback: Fix return in pm_ctrl_init()
net: davinci_emac: Fix interrupt pacing disable
ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses
bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration()
zram: off by one in read_block_state()
llc: fix out-of-bound array index in llc_sk_dev_hash()
nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions
vsock: prevent unnecessary refcnt inc for nonblocking connect
cxgb4: fix eeprom len when diagnostics not implemented
USB: chipidea: fix interrupt deadlock
ARM: 9155/1: fix early early_iounmap()
ARM: 9156/1: drop cc-option fallbacks for architecture selection
f2fs: should use GFP_NOFS for directory inodes
9p/net: fix missing error check in p9_check_errors
powerpc/lib: Add helper to check if offset is within conditional branch range
powerpc/bpf: Validate branch ranges
powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
powerpc/security: Add a helper to query stf_barrier type
powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC
mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks
mm, oom: do not trigger out_of_memory from the #PF
backlight: gpio-backlight: Correct initial power state handling
video: backlight: Drop maximum brightness override for brightness zero
s390/cio: check the subchannel validity for dev_busid
s390/tape: fix timer initialization in tape_std_assign()
PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros
fuse: truncate pagecache on atomic_o_trunc
x86/cpu: Fix migration safety with X86_BUG_NULL_SEL
ext4: fix lazy initialization next schedule time computation in more granular unit
fortify: Explicitly disable Clang support
parisc/entry: fix trace test in syscall exit path
PCI/MSI: Destroy sysfs before freeing entries
PCI/MSI: Deal with devices lying about their MSI mask capability
PCI: Add MSI masking quirk for Nvidia ION AHCI
erofs: remove the occupied parameter from z_erofs_pagevec_enqueue()
erofs: fix unsafe pagevec reuse of hooked pclusters
arm64: zynqmp: Do not duplicate flash partition label property
arm64: zynqmp: Fix serial compatible string
scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()
arm64: dts: hisilicon: fix arm,sp805 compatible string
usb: musb: tusb6010: check return value after calling platform_get_resource()
usb: typec: tipd: Remove WARN_ON in tps6598x_block_read
arm64: dts: freescale: fix arm,sp805 compatible string
ASoC: nau8824: Add DMI quirk mechanism for active-high jack-detect
scsi: advansys: Fix kernel pointer leak
firmware_loader: fix pre-allocated buf built-in firmware use
ARM: dts: omap: fix gpmc,mux-add-data type
usb: host: ohci-tmio: check return value after calling platform_get_resource()
ALSA: ISA: not for M68K
tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc
MIPS: sni: Fix the build
scsi: target: Fix ordered tag handling
scsi: target: Fix alua_tg_pt_gps_count tracking
powerpc/5200: dts: fix memory node unit name
ALSA: gus: fix null pointer dereference on pointer block
powerpc/dcr: Use cmplwi instead of 3-argument cmpli
sh: check return code of request_irq
maple: fix wrong return value of maple_bus_init().
f2fs: fix up f2fs_lookup tracepoints
sh: fix kconfig unmet dependency warning for FRAME_POINTER
sh: define __BIG_ENDIAN for math-emu
mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set
sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain()
drm/nouveau: hdmigv100.c: fix corrupted HDMI Vendor InfoFrame
net: bnx2x: fix variable dereferenced before check
iavf: check for null in iavf_fix_features
iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset
MIPS: generic/yamon-dt: fix uninitialized variable error
mips: bcm63xx: add support for clk_get_parent()
mips: lantiq: add support for clk_get_parent()
platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()'
net: virtio_net_hdr_to_skb: count transport header in UFO
i40e: Fix correct max_pkt_size on VF RX queue
i40e: Fix NULL ptr dereference on VSI filter sync
i40e: Fix changing previously set num_queue_pairs for PFs
i40e: Fix display error code in dmesg
NFC: reorganize the functions in nci_request
NFC: reorder the logic in nfc_{un,}register_device
perf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server
perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server
tun: fix bonding active backup with arp monitoring
hexagon: export raw I/O routines for modules
ipc: WARN if trying to remove ipc object which is absent
mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag
x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails
udf: Fix crash after seekdir
btrfs: fix memory ordering between normal and ordered work functions
parisc/sticon: fix reverse colors
cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
drm/udl: fix control-message timeout
drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors
perf/core: Avoid put_page() when GUP fails
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN
batman-adv: Consider fragmentation for needed_headroom
batman-adv: Reserve needed_*room for fragments
batman-adv: Don't always reallocate the fragmentation skb head
RDMA/netlink: Add __maybe_unused to static inline in C file
ASoC: DAPM: Cover regression by kctl change notification fix
usb: max-3421: Use driver data instead of maintaining a list of bound devices
soc/tegra: pmc: Fix imbalanced clock disabling in error code path
Linux 4.19.218
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3f87fc92fe2a7a19ddddb522916f74dba7929583
|
||
Lorenz Bauer
|
5c6fb0e0c7 |
bpf: Prevent increasing bpf_jit_limit above max
[ Upstream commit fadb7ff1a6c2c565af56b4aacdd086b067eed440 ] Restrict bpf_jit_limit to the maximum supported by the arch's JIT. Signed-off-by: Lorenz Bauer <lmb@cloudflare.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20211014142554.53120-4-lmb@cloudflare.com Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
c979dfc05b |
This is the 4.19.211 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmFmlLAACgkQONu9yGCS aT65YhAA0jOQC4ibrTvvTlYo6XZxMuy7yD/jON4dvhB/qpFXwfBjNMYicVU/5OnB 3pSLCgKXztVgV0psE6Osj4r1o8OVuFWQ53m4Ig/9N4lEJmHWCbvlMwmI/+qbKHQM NlHFfWoXjm7TLclCKljqHY1QSEgWaVMcftPRpf7/jvh/5DmCqN4+Ox1FEhU7MXT6 T171calcHY2S98i+3at632Z7c3DJ9vfu9xCsqf/L07m/7tv7m2/EISr6OL9Q36EZ v8rcOUms2qDWwb5hlzcFmSCdW9tizq7QQ0k+Gpuaag8mHNOvOjPxhOzTHXWakoH8 X3q6JGP60Pw8D8cXLIY6kU9c1+tJA+SxIinWVniaOw9SZESmg3xKPb03zLZ9U55J ZIlp3pqpRvo2nHt63506AjEONjgxodVZ5U2hSd3EvTmzIVQHgDZCSM5+5vJwBiXn JCMSRt/1u9SeTl9L8bDnC8lk5IrzIrRjbRWvkM/n0JB7ThlKIINww45anPe0zvVo lOsnqt83UCY4j8eIfphm+IBlkVZqXUZsUlSGBVJ+GdjFt15ObaU4TRFGNESSPXMZ CpW7dSq6py9DDYb/JNiL4I4uAXXouJlFp8odzrVkJDel/BJ8k0OTT63PlsiKzg27 RI8u6dPlJ+dTjKIgf+8PUPyKZdt7x+G41evC/+znrcUM3ul7iIo= =FL++ -----END PGP SIGNATURE----- Merge 4.19.211 into android-4.19-stable Changes in 4.19.211 Partially revert "usb: Kconfig: using select for USB_COMMON dependency" USB: cdc-acm: fix racy tty buffer accesses USB: cdc-acm: fix break reporting xen/privcmd: fix error handling in mmap-resource processing ovl: fix missing negative dentry check in ovl_rename() nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero xen/balloon: fix cancelled balloon action ARM: dts: omap3430-sdp: Fix NAND device node ARM: dts: qcom: apq8064: use compatible which contains chipid bpf, mips: Validate conditional branch offsets xtensa: call irqchip_init only when CONFIG_USE_OF is selected bpf, arm: Fix register clobbering in div/mod implementation bpf: Fix integer overflow in prealloc_elems_and_freelist() phy: mdio: fix memory leak net_sched: fix NULL deref in fifo_set_limit() powerpc/fsl/dts: Fix phy-connection-type for fm1mac3 ptp_pch: Load module automatically if ID matches ARM: imx6: disable the GIC CPU interface before calling stby-poweroff sequence net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size() net: sfp: Fix typo in state machine debug string netlink: annotate data races around nlk->bound drm/nouveau/debugfs: fix file release memory leak rtnetlink: fix if_nlmsg_stats_size() under estimation i40e: fix endless loop under rtnl i40e: Fix freeing of uninitialized misc IRQ vector i2c: acpi: fix resource leak in reconfiguration device addition x86/Kconfig: Correct reference to MWINCHIP3D Linux 4.19.211 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I83fabc26b9b5528ffcad45ccc55afa07a4656d53 |
||
Tatsuhiko Yasumatsu
|
078cdd5724 |
bpf: Fix integer overflow in prealloc_elems_and_freelist()
[ Upstream commit 30e29a9a2bc6a4888335a6ede968b75cd329657a ]
In prealloc_elems_and_freelist(), the multiplication to calculate the
size passed to bpf_map_area_alloc() could lead to an integer overflow.
As a result, out-of-bounds write could occur in pcpu_freelist_populate()
as reported by KASAN:
[...]
[ 16.968613] BUG: KASAN: slab-out-of-bounds in pcpu_freelist_populate+0xd9/0x100
[ 16.969408] Write of size 8 at addr ffff888104fc6ea0 by task crash/78
[ 16.970038]
[ 16.970195] CPU: 0 PID: 78 Comm: crash Not tainted 5.15.0-rc2+ #1
[ 16.970878] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
[ 16.972026] Call Trace:
[ 16.972306] dump_stack_lvl+0x34/0x44
[ 16.972687] print_address_description.constprop.0+0x21/0x140
[ 16.973297] ? pcpu_freelist_populate+0xd9/0x100
[ 16.973777] ? pcpu_freelist_populate+0xd9/0x100
[ 16.974257] kasan_report.cold+0x7f/0x11b
[ 16.974681] ? pcpu_freelist_populate+0xd9/0x100
[ 16.975190] pcpu_freelist_populate+0xd9/0x100
[ 16.975669] stack_map_alloc+0x209/0x2a0
[ 16.976106] __sys_bpf+0xd83/0x2ce0
[...]
The possibility of this overflow was originally discussed in [0], but
was overlooked.
Fix the integer overflow by changing elem_size to u64 from u32.
[0] https://lore.kernel.org/bpf/728b238e-a481-eb50-98e9-b0f430ab01e7@gmail.com/
Fixes:
|
||
|
Greg Kroah-Hartman
|
11156bde8d |
This is the 4.19.207 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmFK++oACgkQONu9yGCS aT7Rjw/9GSgR6XM8TwZiL7JVTQQPHxKOILQA2LCrPVGDFadxfUfdHENAhp8cWzTS u0TTMJdMa1/gRyj6BaIHH7bUj9IJhQ8Y/iE0ySQCCD3yQKvY9pnCX/vzsbVC5NzX 6oiooirU0Fzj4/F6G2aq7pNUdi+nUpTIZj8SznJJYfdfFNEH5cPM1E1OL9QgbyaQ 6ziQMUZfnt6s5me2sldboqbhmaQK8Dew+P+0BWnE1bDNCWQkPCG/0u62gRDnzHn2 5+pQPRnkS0ruVWlFswEcIsSb59GywJiINodLKcBvPZdjNJO+zmuXMGs0C6OuwoUd RgLFB76BfmdIroyp+6EuXCcmAo0N4hd8yoETY11LdgygoeNGJPBFHBYGGt2v5YFf Ge2iR8PuR7AGtbwEcpnJnjBa6Kpftrqolz2fw8LIdVwr5CORQ0p9KYGbwY4tT3p1 hGTEdJAIGpEqrjl2m2mpIeRlWRYNzIJRjdH2PLrdulwoJw0rlVfE24O4BK0sCcz5 Z+lUkLMIYPdmQETgKRyYGubzZ0wP8Iyd9JrHcIu5AH+IBKpawyzKpj3jk81vAIpq Wzay+7eK6TcDkd/0cnE/5OsY20OMrecjRaw/XK79FnSFFRGtv6tlhFU4EYSbvjYp z6d6OCtTH3220dDUrnaqVLooInocVp2Hn8+x1pjM3C0sTUjfBYo= =Gz7W -----END PGP SIGNATURE----- Merge 4.19.207 into android-4.19-stable Changes in 4.19.207 ext4: fix race writing to an inline_data file while its xattrs are changing xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar U/V formats qed: Fix the VF msix vectors flow net: macb: Add a NULL check on desc_ptp qede: Fix memset corruption perf/x86/intel/pt: Fix mask of num_address_ranges perf/x86/amd/ibs: Work around erratum #1197 cryptoloop: add a deprecation warning ARM: 8918/2: only build return_address() if needed ALSA: pcm: fix divide error in snd_pcm_lib_ioctl clk: fix build warning for orphan_list media: stkwebcam: fix memory leak in stk_camera_probe ARM: imx: add missing clk_disable_unprepare() ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init igmp: Add ip_mc_list lock in ip_check_mc_rcu USB: serial: mos7720: improve OOM-handling in read_mos_reg() ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2) SUNRPC/nfs: Fix return value for nfs4_callback_compound() crypto: talitos - reduce max key size for SEC1 powerpc/module64: Fix comment in R_PPC64_ENTRY handling powerpc/boot: Delete unneeded .globl _zimage_start net: ll_temac: Remove left-over debug message mm/page_alloc: speed up the iteration of max_order Revert "btrfs: compression: don't try to compress if we don't have enough pages" ALSA: usb-audio: Add registration quirk for JBL Quantum 800 usb: host: xhci-rcar: Don't reload firmware after the completion usb: mtu3: use @mult for HS isoc or intr usb: mtu3: fix the wrong HS mult value x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions PCI: Call Max Payload Size-related fixup quirks early locking/mutex: Fix HANDOFF condition regmap: fix the offset of register error log crypto: mxs-dcp - Check for DMA mapping errors sched/deadline: Fix reset_on_fork reporting of DL tasks power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() sched/deadline: Fix missing clock update in migrate_task_rq_dl() hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns() udf: Check LVID earlier isofs: joliet: Fix iocharset=utf8 mount option bcache: add proper error unwinding in bcache_device_init nvme-rdma: don't update queue count when failing to set io queues power: supply: max17042_battery: fix typo in MAx17042_TOFF s390/cio: add dev_busid sysfs entry for each subchannel libata: fix ata_host_start() crypto: qat - do not ignore errors from enable_vf2pf_comms() crypto: qat - handle both source of interrupt in VF ISR crypto: qat - fix reuse of completion variable crypto: qat - fix naming for init/shutdown VF to PF notifications crypto: qat - do not export adf_iov_putmsg() fcntl: fix potential deadlock for &fasync_struct.fa_lock udf_get_extendedattr() had no boundary checks. m68k: emu: Fix invalid free in nfeth_cleanup() spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config spi: spi-pic32: Fix issue with uninitialized dma_slave_config lib/mpi: use kcalloc in mpi_resize clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel crypto: qat - use proper type for vf_mask certs: Trigger creation of RSA module signing key if it's not an RSA key spi: sprd: Fix the wrong WDG_LOAD_VAL media: TDA1997x: enable EDID support soc: rockchip: ROCKCHIP_GRF should not default to y, unconditionally media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init media: dvb-usb: fix uninit-value in vp702x_read_mac_addr media: go7007: remove redundant initialization Bluetooth: sco: prevent information leak in sco_conn_defer_accept() tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos net: cipso: fix warnings in netlbl_cipsov4_add_std i2c: highlander: add IRQ check media: em28xx-input: fix refcount bug in em28xx_usb_disconnect media: venus: venc: Fix potential null pointer dereference on pointer fmt PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently PCI: PM: Enable PME if it can be signaled from D3cold soc: qcom: smsm: Fix missed interrupts if state changes while masked Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs arm64: dts: exynos: correct GIC CPU interfaces address range on Exynos7 Bluetooth: fix repeated calls to sco_sock_kill drm/msm/dsi: Fix some reference counted resource leaks usb: gadget: udc: at91: add IRQ check usb: phy: fsl-usb: add IRQ check usb: phy: twl6030: add IRQ checks Bluetooth: Move shutdown callback before flushing tx and rx queue usb: host: ohci-tmio: add IRQ check usb: phy: tahvo: add IRQ check mac80211: Fix insufficient headroom issue for AMSDU usb: gadget: mv_u3d: request_irq() after initializing UDC Bluetooth: add timeout sanity check to hci_inquiry i2c: iop3xx: fix deferred probing i2c: s3c2410: fix IRQ check mmc: dw_mmc: Fix issue with uninitialized dma_slave_config mmc: moxart: Fix issue with uninitialized dma_slave_config CIFS: Fix a potencially linear read overflow i2c: mt65xx: fix IRQ check usb: ehci-orion: Handle errors of clk_prepare_enable() in probe usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available tty: serial: fsl_lpuart: fix the wrong mapbase value ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() bcma: Fix memory leak for internally-handled cores ipv4: make exception cache less predictible net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed net: qualcomm: fix QCA7000 checksum handling ipv4: fix endianness issue in inet_rtm_getroute_build_skb() netns: protect netns ID lookups with RCU fscrypt: add fscrypt_symlink_getattr() for computing st_size ext4: report correct st_size for encrypted symlinks f2fs: report correct st_size for encrypted symlinks ubifs: report correct st_size for encrypted symlinks tty: Fix data race between tiocsti() and flush_to_ldisc() x86/resctrl: Fix a maybe-uninitialized build warning treated as error KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is adjusted IMA: remove -Wmissing-prototypes warning IMA: remove the dependency on CRYPTO_MD5 fbmem: don't allow too huge resolutions backlight: pwm_bl: Improve bootloader/kernel device handover clk: kirkwood: Fix a clocking boot regression rtc: tps65910: Correct driver module alias btrfs: reset replace target device to allocation state on close blk-zoned: allow zone management send operations without CAP_SYS_ADMIN blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN PCI/MSI: Skip masking MSI-X on Xen PV powerpc/perf/hv-gpci: Fix counter value parsing xen: fix setting of max_pfn in shared_info include/linux/list.h: add a macro to test if entry is pointing to the head 9p/xen: Fix end of loop tests for list_for_each_entry bpf/verifier: per-register parent pointers bpf: correct slot_type marking logic to allow more stack slot sharing bpf: Support variable offset stack access from helpers bpf: Reject indirect var_off stack access in raw mode bpf: Reject indirect var_off stack access in unpriv mode bpf: Sanity check max value for var_off stack access selftests/bpf: Test variable offset stack access bpf: track spill/fill of constants selftests/bpf: fix tests due to const spill/fill bpf: Introduce BPF nospec instruction for mitigating Spectre v4 bpf: Fix leakage due to insufficient speculative store bypass mitigation bpf: verifier: Allocate idmap scratch in verifier env bpf: Fix pointer arithmetic mask tightening under state pruning tools/thermal/tmon: Add cross compiling support soc: aspeed: lpc-ctrl: Fix boundary check for mmap arm64: head: avoid over-mapping in map_memory crypto: public_key: fix overflow during implicit conversion block: bfq: fix bfq_set_next_ioprio_data() power: supply: max17042: handle fails of reading status register dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc() VMCI: fix NULL pointer dereference when unmapping queue pair media: uvc: don't do DMA on stack media: rc-loopback: return number of emitters rather than error libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs ARM: 9105/1: atags_to_fdt: don't warn about stack size PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure PCI: xilinx-nwl: Enable the clock through CCF PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response PCI: aardvark: Fix masking and unmasking legacy INTx interrupts HID: input: do not report stylus battery state as "full" RDMA/iwcm: Release resources if iw_cm module initialization fails docs: Fix infiniband uverbs minor number pinctrl: samsung: Fix pinctrl bank pin count vfio: Use config not menuconfig for VFIO_NOIOMMU powerpc/stacktrace: Include linux/delay.h openrisc: don't printk() unconditionally pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() scsi: qedi: Fix error codes in qedi_alloc_global_queues() platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from run_smbios_call fscache: Fix cookie key hashing f2fs: fix to account missing .skipped_gc_rwsem f2fs: fix to unmap pages from userspace process in punch_hole() MIPS: Malta: fix alignment of the devicetree buffer userfaultfd: prevent concurrent API initialization media: dib8000: rewrite the init prbs logic crypto: mxs-dcp - Use sg_mapping_iter to copy data PCI: Use pci_update_current_state() in pci_enable_device_flags() tipc: keep the skb in rcv queue until the whole data is read iio: dac: ad5624r: Fix incorrect handling of an optional regulator. ARM: dts: qcom: apq8064: correct clock names video: fbdev: kyro: fix a DoS bug by restricting user input netlink: Deal with ESRCH error in nlmsg_notify() Smack: Fix wrong semantics in smk_access_entry() usb: host: fotg210: fix the endpoint's transactional opportunities calculation usb: host: fotg210: fix the actual_length of an iso packet usb: gadget: u_ether: fix a potential null pointer dereference usb: gadget: composite: Allow bMaxPower=0 if self-powered staging: board: Fix uninitialized spinlock when attaching genpd tty: serial: jsm: hold port lock when reporting modem line changes drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex bpf/tests: Fix copy-and-paste error in double word test bpf/tests: Do not PASS tests without actually testing the result video: fbdev: asiliantfb: Error out if 'pixclock' equals zero video: fbdev: kyro: Error out if 'pixclock' equals zero video: fbdev: riva: Error out if 'pixclock' equals zero ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs() flow_dissector: Fix out-of-bounds warnings s390/jump_label: print real address in a case of a jump label bug serial: 8250: Define RX trigger levels for OxSemi 950 devices xtensa: ISS: don't panic in rs_init hvsi: don't panic on tty_register_driver failure serial: 8250_pci: make setup_port() parameters explicitly unsigned staging: ks7010: Fix the initialization of the 'sleep_status' structure samples: bpf: Fix tracex7 error raised on the missing argument ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init() Bluetooth: skip invalid hci_sync_conn_complete_evt bonding: 3ad: fix the concurrency between __bond_release_one() and bond_3ad_state_machine_handler() ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps for the matching in-/output media: imx258: Rectify mismatch of VTS value media: imx258: Limit the max analogue gain to 480 media: v4l2-dv-timings.c: fix wrong condition in two for-loops media: TDA1997x: fix tda1997x_query_dv_timings() return value media: tegra-cec: Handle errors of clk_prepare_enable() ARM: dts: imx53-ppd: Fix ACHC entry arm64: dts: qcom: sdm660: use reg value for memory node net: ethernet: stmmac: Do not use unreachable() in ipq806x_gmac_probe() Bluetooth: schedule SCO timeouts with delayed_work Bluetooth: avoid circular locks in sco_sock_connect gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() ARM: tegra: tamonten: Fix UART pad setting Bluetooth: Fix handling of LE Enhanced Connection Complete serial: sh-sci: fix break handling for sysrq tcp: enable data-less, empty-cookie SYN with TFO_SERVER_COOKIE_NOT_REQD rpc: fix gss_svc_init cleanup on failure staging: rts5208: Fix get_ms_information() heap buffer size gfs2: Don't call dlm after protocol is unmounted of: Don't allow __of_attached_node_sysfs() without CONFIG_SYSFS mmc: sdhci-of-arasan: Check return value of non-void funtions mmc: rtsx_pci: Fix long reads when clock is prescaled selftests/bpf: Enlarge select() timeout for test_maps mmc: core: Return correct emmc response in case of ioctl error cifs: fix wrong release in sess_alloc_buffer() failed path Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set" usb: musb: musb_dsps: request_irq() after initializing musb usbip: give back URBs for unsent unlink requests during cleanup usbip:vhci_hcd USB port can get stuck in the disabled state ASoC: rockchip: i2s: Fix regmap_ops hang ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B parport: remove non-zero check on count ath9k: fix OOB read ar9300_eeprom_restore_internal ath9k: fix sleeping in atomic context net: fix NULL pointer reference in cipso_v4_doi_free net: w5100: check return value after calling platform_get_resource() parisc: fix crash with signals and alloca ovl: fix BUG_ON() in may_delete() when called from ovl_cleanup() scsi: BusLogic: Fix missing pr_cont() use scsi: qla2xxx: Sync queue idx with queue_pair_map idx cpufreq: powernv: Fix init_chip_info initialization in numa=off mm/hugetlb: initialize hugetlb_usage in mm_init memcg: enable accounting for pids in nested pid namespaces platform/chrome: cros_ec_proto: Send command again when timeout occurs drm/amdgpu: Fix BUG_ON assert dm thin metadata: Fix use-after-free in dm_bm_set_read_only xen: reset legacy rtc flag for PV domU bnx2x: Fix enabling network interfaces without VFs arm64/sve: Use correct size when reinitialising SVE state PM: base: power: don't try to use non-existing RTC for storing data PCI: Add AMD GPU multi-function power dependencies x86/mm: Fix kern_addr_valid() to cope with existing but not present entries tipc: fix an use-after-free issue in tipc_recvmsg net-caif: avoid user-triggerable WARN_ON(1) ptp: dp83640: don't define PAGE0 dccp: don't duplicate ccid when cloning dccp sock net/l2tp: Fix reference count leak in l2tp_udp_recv_core r6040: Restore MDIO clock frequency after MAC reset tipc: increase timeout in tipc_sk_enqueue() perf machine: Initialize srcline string member in add_location struct net/mlx5: Fix potential sleeping in atomic context events: Reuse value read using READ_ONCE instead of re-reading it net/af_unix: fix a data-race in unix_dgram_poll net: dsa: destroy the phylink instance on any error in dsa_slave_phy_setup tcp: fix tp->undo_retrans accounting in tcp_sacktag_one() qed: Handle management FW error ibmvnic: check failover_pending in login response net: hns3: pad the short tunnel frame before sending to hardware mm/memory_hotplug: use "unsigned long" for PFN in zone_for_pfn_range() KVM: s390: index kvm->arch.idle_mask by vcpu_idx dt-bindings: mtd: gpmc: Fix the ECC bytes vs. OOB bytes equation mfd: Don't use irq_create_mapping() to resolve a mapping PCI: Add ACS quirks for Cavium multi-function devices net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920 block, bfq: honor already-setup queue merges ethtool: Fix an error code in cxgb2.c NTB: perf: Fix an error code in perf_setup_inbuf() mfd: axp20x: Update AXP288 volatile ranges PCI: Fix pci_dev_str_match_path() alloc while atomic bug KVM: arm64: Handle PSCI resets before userspace touches vCPU state PCI: Sync __pci_register_driver() stub for CONFIG_PCI=n mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' ARC: export clear_user_page() for modules net: dsa: b53: Fix calculating number of switch ports netfilter: socket: icmp6: fix use-after-scope fq_codel: reject silly quantum parameters qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom ip_gre: validate csum_start only on pull net: renesas: sh_eth: Fix freeing wrong tx descriptor s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant Linux 4.19.207 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I18108cb47ba9e95838ebe55aaabe34de345ee846 |
||
|
Daniel Borkmann
|
a386fceed7 |
bpf: Fix pointer arithmetic mask tightening under state pruning
commit e042aa532c84d18ff13291d00620502ce7a38dda upstream.
In 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask") we
narrowed the offset mask for unprivileged pointer arithmetic in order to
mitigate a corner case where in the speculative domain it is possible to
advance, for example, the map value pointer by up to value_size-1 out-of-
bounds in order to leak kernel memory via side-channel to user space.
The verifier's state pruning for scalars leaves one corner case open
where in the first verification path R_x holds an unknown scalar with an
aux->alu_limit of e.g. 7, and in a second verification path that same
register R_x, here denoted as R_x', holds an unknown scalar which has
tighter bounds and would thus satisfy range_within(R_x, R_x') as well as
tnum_in(R_x, R_x') for state pruning, yielding an aux->alu_limit of 3:
Given the second path fits the register constraints for pruning, the final
generated mask from aux->alu_limit will remain at 7. While technically
not wrong for the non-speculative domain, it would however be possible
to craft similar cases where the mask would be too wide as in 7fedb63a8307.
One way to fix it is to detect the presence of unknown scalar map pointer
arithmetic and force a deeper search on unknown scalars to ensure that
we do not run into a masking mismatch.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
[OP: adjusted context for 4.19]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Lorenz Bauer
|
a4fe956b03 |
bpf: verifier: Allocate idmap scratch in verifier env
commit c9e73e3d2b1eb1ea7ff068e05007eec3bd8ef1c9 upstream. func_states_equal makes a very short lived allocation for idmap, probably because it's too large to fit on the stack. However the function is called quite often, leading to a lot of alloc / free churn. Replace the temporary allocation with dedicated scratch space in struct bpf_verifier_env. Signed-off-by: Lorenz Bauer <lmb@cloudflare.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Edward Cree <ecree.xilinx@gmail.com> Link: https://lore.kernel.org/bpf/20210429134656.122225-4-lmb@cloudflare.com [OP: adjusted context for 4.19] Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
8729685021 |
bpf: Fix leakage due to insufficient speculative store bypass mitigation
commit 2039f26f3aca5b0e419b98f65dd36481337b86ee upstream. Spectre v4 gadgets make use of memory disambiguation, which is a set of techniques that execute memory access instructions, that is, loads and stores, out of program order; Intel's optimization manual, section 2.4.4.5: A load instruction micro-op may depend on a preceding store. Many microarchitectures block loads until all preceding store addresses are known. The memory disambiguator predicts which loads will not depend on any previous stores. When the disambiguator predicts that a load does not have such a dependency, the load takes its data from the L1 data cache. Eventually, the prediction is verified. If an actual conflict is detected, the load and all succeeding instructions are re-executed. |
||
|
Daniel Borkmann
|
91cdb5b362 |
bpf: Introduce BPF nospec instruction for mitigating Spectre v4
commit f5e81d1117501546b7be050c5fbafa6efd2c722c upstream. In case of JITs, each of the JIT backends compiles the BPF nospec instruction /either/ to a machine instruction which emits a speculation barrier /or/ to /no/ machine instruction in case the underlying architecture is not affected by Speculative Store Bypass or has different mitigations in place already. This covers both x86 and (implicitly) arm64: In case of x86, we use 'lfence' instruction for mitigation. In case of arm64, we rely on the firmware mitigation as controlled via the ssbd kernel parameter. Whenever the mitigation is enabled, it works for all of the kernel code with no need to provide any additional instructions here (hence only comment in arm64 JIT). Other archs can follow as needed. The BPF nospec instruction is specifically targeting Spectre v4 since i) we don't use a serialization barrier for the Spectre v1 case, and ii) mitigation instructions for v1 and v4 might be different on some archs. The BPF nospec is required for a future commit, where the BPF verifier does annotate intermediate BPF programs with speculation barriers. Co-developed-by: Piotr Krysiuk <piotras@gmail.com> Co-developed-by: Benedict Schlueter <benedict.schlueter@rub.de> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Piotr Krysiuk <piotras@gmail.com> Signed-off-by: Benedict Schlueter <benedict.schlueter@rub.de> Acked-by: Alexei Starovoitov <ast@kernel.org> [OP: adjusted context for 4.19, drop riscv and ppc32 changes] Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Alexei Starovoitov
|
1195c579b2 |
bpf: track spill/fill of constants
commit f7cf25b2026dc8441e0fa3a202c2aa8a56211e30 upstream.
Compilers often spill induction variables into the stack,
hence it is necessary for the verifier to track scalar values
of the registers through stack slots.
Also few bpf programs were incorrectly rejected in the past,
since the verifier was not able to track such constants while
they were used to compute offsets into packet headers.
Tracking constants through the stack significantly decreases
the chances of state pruning, since two different constants
are considered to be different by state equivalency.
End result that cilium tests suffer serious degradation in the number
of states processed and corresponding verification time increase.
before after
bpf_lb-DLB_L3.o 1838 6441
bpf_lb-DLB_L4.o 3218 5908
bpf_lb-DUNKNOWN.o 1064 1064
bpf_lxc-DDROP_ALL.o 26935 93790
bpf_lxc-DUNKNOWN.o 34439 123886
bpf_netdev.o 9721 31413
bpf_overlay.o 6184 18561
bpf_lxc_jit.o 39389 359445
After further debugging turned out that cillium progs are
getting hurt by clang due to the same constant tracking issue.
Newer clang generates better code by spilling less to the stack.
Instead it keeps more constants in the registers which
hurts state pruning since the verifier already tracks constants
in the registers:
old clang new clang
(no spill/fill tracking introduced by this patch)
bpf_lb-DLB_L3.o 1838 1923
bpf_lb-DLB_L4.o 3218 3077
bpf_lb-DUNKNOWN.o 1064 1062
bpf_lxc-DDROP_ALL.o 26935 166729
bpf_lxc-DUNKNOWN.o 34439 174607
bpf_netdev.o 9721 8407
bpf_overlay.o 6184 5420
bpf_lcx_jit.o 39389 39389
The final table is depressing:
old clang old clang new clang new clang
const spill/fill const spill/fill
bpf_lb-DLB_L3.o 1838 6441 1923 8128
bpf_lb-DLB_L4.o 3218 5908 3077 6707
bpf_lb-DUNKNOWN.o 1064 1064 1062 1062
bpf_lxc-DDROP_ALL.o 26935 93790 166729 380712
bpf_lxc-DUNKNOWN.o 34439 123886 174607 440652
bpf_netdev.o 9721 31413 8407 31904
bpf_overlay.o 6184 18561 5420 23569
bpf_lxc_jit.o 39389 359445 39389 359445
Tracking constants in the registers hurts state pruning already.
Adding tracking of constants through stack hurts pruning even more.
The later patch address this general constant tracking issue
with coarse/precise logic.
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Andrii Nakryiko <andriin@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[OP: - drop verbose_linfo() calls, as the function is not implemented in 4.19
- adjust mark_reg_read() calls to match the prototype in 4.19]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Andrey Ignatov
|
7667818ef1 |
bpf: Sanity check max value for var_off stack access
commit 107c26a70ca81bfc33657366ad69d02fdc9efc9d upstream. As discussed in [1] max value of variable offset has to be checked for overflow on stack access otherwise verifier would accept code like this: 0: (b7) r2 = 6 1: (b7) r3 = 28 2: (7a) *(u64 *)(r10 -16) = 0 3: (7a) *(u64 *)(r10 -8) = 0 4: (79) r4 = *(u64 *)(r1 +168) 5: (c5) if r4 s< 0x0 goto pc+4 R1=ctx(id=0,off=0,imm=0) R2=inv6 R3=inv28 R4=inv(id=0,umax_value=9223372036854775807,var_off=(0x0; 0x7fffffffffffffff)) R10=fp0,call_-1 fp-8=mmmmmmmm fp-16=mmmmmmmm 6: (17) r4 -= 16 7: (0f) r4 += r10 8: (b7) r5 = 8 9: (85) call bpf_getsockopt#57 10: (b7) r0 = 0 11: (95) exit , where R4 obviosly has unbounded max value. Fix it by checking that reg->smax_value is inside (-BPF_MAX_VAR_OFF; BPF_MAX_VAR_OFF) range. reg->smax_value is used instead of reg->umax_value because stack pointers are calculated using negative offset from fp. This is opposite to e.g. map access where offset must be non-negative and where umax_value is used. Also dedicated verbose logs are added for both min and max bound check failures to have diagnostics consistent with variable offset handling in check_map_access(). [1] https://marc.info/?l=linux-netdev&m=155433357510597&w=2 Fixes: 2011fccfb61b ("bpf: Support variable offset stack access from helpers") Reported-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Andrey Ignatov <rdna@fb.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Andrey Ignatov
|
14cf676ba6 |
bpf: Reject indirect var_off stack access in unpriv mode
commit 088ec26d9c2da9d879ab73e3f4117f9df6c566ee upstream.
Proper support of indirect stack access with variable offset in
unprivileged mode (!root) requires corresponding support in Spectre
masking for stack ALU in retrieve_ptr_limit().
There are no use-case for variable offset in unprivileged mode though so
make verifier reject such accesses for simplicity.
Pointer arithmetics is one (and only?) way to cause variable offset and
it's already rejected in unpriv mode so that verifier won't even get to
helper function whose argument contains variable offset, e.g.:
0: (7a) *(u64 *)(r10 -16) = 0
1: (7a) *(u64 *)(r10 -8) = 0
2: (61) r2 = *(u32 *)(r1 +0)
3: (57) r2 &= 4
4: (17) r2 -= 16
5: (0f) r2 += r10
variable stack access var_off=(0xfffffffffffffff0; 0x4) off=-16 size=1R2
stack pointer arithmetic goes out of range, prohibited for !root
Still it looks like a good idea to reject variable offset indirect stack
access for unprivileged mode in check_stack_boundary() explicitly.
Fixes: 2011fccfb61b ("bpf: Support variable offset stack access from helpers")
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrey Ignatov <rdna@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
[OP: drop comment in retrieve_ptr_limit()]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Andrey Ignatov
|
148339cb18 |
bpf: Reject indirect var_off stack access in raw mode
commit f2bcd05ec7b839ff826d2008506ad2d2dff46a59 upstream.
It's hard to guarantee that whole memory is marked as initialized on
helper return if uninitialized stack is accessed with variable offset
since specific bounds are unknown to verifier. This may cause
uninitialized stack leaking.
Reject such an access in check_stack_boundary to prevent possible
leaking.
There are no known use-cases for indirect uninitialized stack access
with variable offset so it shouldn't break anything.
Fixes: 2011fccfb61b ("bpf: Support variable offset stack access from helpers")
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrey Ignatov <rdna@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Andrey Ignatov
|
caee4103f0 |
bpf: Support variable offset stack access from helpers
commit 2011fccfb61bbd1d7c8864b2b3ed7012342e9ba3 upstream. Currently there is a difference in how verifier checks memory access for helper arguments for PTR_TO_MAP_VALUE and PTR_TO_STACK with regard to variable part of offset. check_map_access, that is used for PTR_TO_MAP_VALUE, can handle variable offsets just fine, so that BPF program can call a helper like this: some_helper(map_value_ptr + off, size); , where offset is unknown at load time, but is checked by program to be in a safe rage (off >= 0 && off + size < map_value_size). But it's not the case for check_stack_boundary, that is used for PTR_TO_STACK, and same code with pointer to stack is rejected by verifier: some_helper(stack_value_ptr + off, size); For example: 0: (7a) *(u64 *)(r10 -16) = 0 1: (7a) *(u64 *)(r10 -8) = 0 2: (61) r2 = *(u32 *)(r1 +0) 3: (57) r2 &= 4 4: (17) r2 -= 16 5: (0f) r2 += r10 6: (18) r1 = 0xffff888111343a80 8: (85) call bpf_map_lookup_elem#1 invalid variable stack read R2 var_off=(0xfffffffffffffff0; 0x4) Add support for variable offset access to check_stack_boundary so that if offset is checked by program to be in a safe range it's accepted by verifier. Signed-off-by: Andrey Ignatov <rdna@fb.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> [OP: replace reg_state(env, regno) helper with "cur_regs(env) + regno"] Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Jiong Wang
|
79aba0ac3d |
bpf: correct slot_type marking logic to allow more stack slot sharing
commit 0bae2d4d62d523f06ff1a8e88ce38b45400acd28 upstream. Verifier is supposed to support sharing stack slot allocated to ptr with SCALAR_VALUE for privileged program. However this doesn't happen for some cases. The reason is verifier is not clearing slot_type STACK_SPILL for all bytes, it only clears part of them, while verifier is using: slot_type[0] == STACK_SPILL as a convention to check one slot is ptr type. So, the consequence of partial clearing slot_type is verifier could treat a partially overridden ptr slot, which should now be a SCALAR_VALUE slot, still as ptr slot, and rejects some valid programs. Before this patch, test_xdp_noinline.o under bpf selftests, bpf_lxc.o and bpf_netdev.o under Cilium bpf repo, when built with -mattr=+alu32 are rejected due to this issue. After this patch, they all accepted. There is no processed insn number change before and after this patch on Cilium bpf programs. Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: Jiong Wang <jiong.wang@netronome.com> Reviewed-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> [OP: adjusted context for 4.19] Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Edward Cree
|
228e64bdbb |
bpf/verifier: per-register parent pointers
commit 679c782de14bd48c19dd74cd1af20a2bc05dd936 upstream. By giving each register its own liveness chain, we elide the skip_callee() logic. Instead, each register's parent is the state it inherits from; both check_func_call() and prepare_func_exit() automatically connect reg states to the correct chain since when they copy the reg state across (r1-r5 into the callee as args, and r0 out as the return value) they also copy the parent pointer. Signed-off-by: Edward Cree <ecree@solarflare.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> [OP: adjusted context for 4.19] Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
a6850bb536 |
This is the 4.19.206 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmEx1cwACgkQONu9yGCS aT6wuBAAnCcrRJlXQOv5MLUaFn+cOcTusd2l1PRjsx31D1lj3rmAXRZHZmDOEje2 gKljD7HavdheP7FhRsOBC14rrBLfC3n55ZjKZxqUx0p32vEj/DAyGFZCqq7gbmk0 v6mc93Fw+ZpHW9Nmks2hYqOKsf1RsU1NGB9t0z4zBOkAVpxVwFJGgrg13txsyLfG OUpLM0f+DdoxEk6p8OWAWgZCdASV4vCFaw5iBDsHp1PoKuezKos5OLZR5FWAauEj trKl6Zp72KBLFW5g88H6LZS7i8YM45AF2QpXW7W0hiP9yUVFjMxr3aa8/mdDTbIq 1EmxCsfoamR6euQ0MBBd1bKNwBNmLD/geKXUPdxX4kM9M8MhKBY0KwXzizl17bgo ZUkoZln5I9KXK7Fl2wl5dyN6wdgRSQMbDUhJeNAzrNOTXEp8aEy8rIZaUgyzWRQA 6P5J9YfNb4hvWwv98Z3whj67h5jtzdf03XsXVXQ/ybPq3ioms7FCOcSmdfGmGeWO 1LmyAJL5E9TbRwjaOWnINxToFb248q6tl6Mj1ZKiCnAmzICZBN40PCyEGTirspHH Dza09U9x2RNs4cpDOkKqLSkIgG5ZZBrl7tnmkOj0IqvJB/Zluyb1E5tEEIEo9kK5 Jje6DKZ6QIwwF78C/qIjBqArZXu2m0hG9tCqknXwcecxxKodmO0= =UYze -----END PGP SIGNATURE----- Merge 4.19.206 into android-4.19-stable Changes in 4.19.206 net: qrtr: fix another OOB Read in qrtr_endpoint_post bpf: Do not use ax register in interpreter on div/mod bpf: Fix 32 bit src register truncation on div/mod bpf: Fix truncation handling for mod32 dst reg wrt zero ARC: Fix CONFIG_STACKDEPOT netfilter: conntrack: collect all entries in one cycle once: Fix panic when module unload can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters Revert "USB: serial: ch341: fix character loss at high transfer rates" USB: serial: option: add new VID/PID to support Fibocom FG150 usb: dwc3: gadget: Fix dwc3_calc_trbs_left() usb: dwc3: gadget: Stop EP0 transfers during pullup disable IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs() e1000e: Fix the max snoop/no-snoop latency for 10M ip_gre: add validation for csum_start xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' net: marvell: fix MVNETA_TX_IN_PRGRS bit number net: hns3: fix get wrong pfc_en when query PFC configuration usb: gadget: u_audio: fix race condition on endpoint stop opp: remove WARN when no valid OPPs remain virtio: Improve vq->broken access to avoid any compiler optimization virtio_pci: Support surprise removal of virtio pci device vringh: Use wiov->used to check for read/write desc order qed: qed ll2 race condition fixes qed: Fix null-pointer dereference in qed_rdma_create_qp() drm: Copy drm_wait_vblank to user before returning drm/nouveau/disp: power down unused DP links during init net/rds: dma_map_sg is entitled to merge entries vt_kdsetmode: extend console locking fbmem: add margin check to fb_check_caps() KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs Revert "floppy: reintroduce O_NDELAY fix" net: don't unconditionally copy_from_user a struct ifreq for socket ioctls Linux 4.19.206 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I04e05680c5e311bc4cd79daae49d654b66f774a0 |
||
|
Daniel Borkmann
|
39f74b7c81 |
bpf: Fix truncation handling for mod32 dst reg wrt zero
Commit 9b00f1b78809309163dda2d044d9e94a3c0248a3 upstream. Recently noticed that when mod32 with a known src reg of 0 is performed, then the dst register is 32-bit truncated in verifier: 0: R1=ctx(id=0,off=0,imm=0) R10=fp0 0: (b7) r0 = 0 1: R0_w=inv0 R1=ctx(id=0,off=0,imm=0) R10=fp0 1: (b7) r1 = -1 2: R0_w=inv0 R1_w=inv-1 R10=fp0 2: (b4) w2 = -1 3: R0_w=inv0 R1_w=inv-1 R2_w=inv4294967295 R10=fp0 3: (9c) w1 %= w0 4: R0_w=inv0 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 4: (b7) r0 = 1 5: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 5: (1d) if r1 == r2 goto pc+1 R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 6: R0_w=inv1 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 6: (b7) r0 = 2 7: R0_w=inv2 R1_w=inv(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2_w=inv4294967295 R10=fp0 7: (95) exit 7: R0=inv1 R1=inv(id=0,umin_value=4294967295,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R2=inv4294967295 R10=fp0 7: (95) exit However, as a runtime result, we get 2 instead of 1, meaning the dst register does not contain (u32)-1 in this case. The reason is fairly straight forward given the 0 test leaves the dst register as-is: # ./bpftool p d x i 23 0: (b7) r0 = 0 1: (b7) r1 = -1 2: (b4) w2 = -1 3: (16) if w0 == 0x0 goto pc+1 4: (9c) w1 %= w0 5: (b7) r0 = 1 6: (1d) if r1 == r2 goto pc+1 7: (b7) r0 = 2 8: (95) exit This was originally not an issue given the dst register was marked as completely unknown (aka 64 bit unknown). However, after |
||
|
Daniel Borkmann
|
8313432df2 |
bpf: Fix 32 bit src register truncation on div/mod
Commit e88b2c6e5a4d9ce30d75391e4d950da74bb2bd90 upstream.
While reviewing a different fix, John and I noticed an oddity in one of the
BPF program dumps that stood out, for example:
# bpftool p d x i 13
0: (b7) r0 = 808464450
1: (b4) w4 = 808464432
2: (bc) w0 = w0
3: (15) if r0 == 0x0 goto pc+1
4: (9c) w4 %= w0
[...]
In line 2 we noticed that the mov32 would 32 bit truncate the original src
register for the div/mod operation. While for the two operations the dst
register is typically marked unknown e.g. from adjust_scalar_min_max_vals()
the src register is not, and thus verifier keeps tracking original bounds,
simplified:
0: R1=ctx(id=0,off=0,imm=0) R10=fp0
0: (b7) r0 = -1
1: R0_w=invP-1 R1=ctx(id=0,off=0,imm=0) R10=fp0
1: (b7) r1 = -1
2: R0_w=invP-1 R1_w=invP-1 R10=fp0
2: (3c) w0 /= w1
3: R0_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R1_w=invP-1 R10=fp0
3: (77) r1 >>= 32
4: R0_w=invP(id=0,umax_value=4294967295,var_off=(0x0; 0xffffffff)) R1_w=invP4294967295 R10=fp0
4: (bf) r0 = r1
5: R0_w=invP4294967295 R1_w=invP4294967295 R10=fp0
5: (95) exit
processed 6 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
Runtime result of r0 at exit is 0 instead of expected -1. Remove the
verifier mov32 src rewrite in div/mod and replace it with a jmp32 test
instead. After the fix, we result in the following code generation when
having dividend r1 and divisor r6:
div, 64 bit: div, 32 bit:
0: (b7) r6 = 8 0: (b7) r6 = 8
1: (b7) r1 = 8 1: (b7) r1 = 8
2: (55) if r6 != 0x0 goto pc+2 2: (56) if w6 != 0x0 goto pc+2
3: (ac) w1 ^= w1 3: (ac) w1 ^= w1
4: (05) goto pc+1 4: (05) goto pc+1
5: (3f) r1 /= r6 5: (3c) w1 /= w6
6: (b7) r0 = 0 6: (b7) r0 = 0
7: (95) exit 7: (95) exit
mod, 64 bit: mod, 32 bit:
0: (b7) r6 = 8 0: (b7) r6 = 8
1: (b7) r1 = 8 1: (b7) r1 = 8
2: (15) if r6 == 0x0 goto pc+1 2: (16) if w6 == 0x0 goto pc+1
3: (9f) r1 %= r6 3: (9c) w1 %= w6
4: (b7) r0 = 0 4: (b7) r0 = 0
5: (95) exit 5: (95) exit
x86 in particular can throw a 'divide error' exception for div
instruction not only for divisor being zero, but also for the case
when the quotient is too large for the designated register. For the
edx:eax and rdx:rax dividend pair it is not an issue in x86 BPF JIT
since we always zero edx (rdx). Hence really the only protection
needed is against divisor being zero.
Fixes:
|
||
|
Daniel Borkmann
|
c348d806ed |
bpf: Do not use ax register in interpreter on div/mod
Partially undo old commit 144cd91c4c2b ("bpf: move tmp variable into ax
register in interpreter"). The reason we need this here is because ax
register will be used for holding temporary state for div/mod instruction
which otherwise interpreter would corrupt. This will cause a small +8 byte
stack increase for interpreter, but with the gain that we can use it from
verifier rewrites as scratch register.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
[cascardo: This partial revert is needed in order to support using AX for
the following two commits, as there is no JMP32 on 4.19.y]
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
e5b7307b0f |
This is the 4.19.204 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmEY9OkACgkQONu9yGCS aT5cmBAAqlSLVr23yowtbTJVIQepB91sDjRAJEPtsvNdFxOKUkK6O6ud6yunwUCm ZpEyy2RZBact99gDEbdqhY7jk0aaWqGHU0/OdlrHUcaSBoFeVi5GjjgWgXDW0lpd 9yz1piE3EAfbxnjg0enw/wATxm25QvuiXaCJJRBFYQ6PIld06prvGJlMem09r83o ukH3kvDDrE0ILirMcxT5yt5ZISpC/dxsnSkDEgYVhZlxWbGvhRpRzQ0CCVwnejXV ipucYMEYK/WFk9ADZUGygORzaMV6VsXHrWhvmJNUZ31KifKrkEGs+Ta4rUEE1m9I hfIaq5hXGkaMx9ssoulO/XWtioo8qXb8vpBmNRASry6IUlI3McZ4gMfeEl2GPxQc wR4lrn0v+W7Ti5E5SpUqrk/cINn/GoC1IMhvah+SZEDn6uVnLZnQqKrYaYLd972f V9r1J/tBSz8w1PuHNiQYN/vGKXoS28zSDE7ZUc+qUG0O1PyLkDd3hsg0fRfc3EEJ BSSI+M+N+l4dO8pgzxmLHUfNeGFjgEOcfdjEcxZM+d2+qOY835EwcnPNl5JwXkKP cGp0RqMO9VTi6BJShY3cRwWVLzJ8k8vgBezrTybvJuv24vJWS3uGJSvRtLbnTKwP UZp19iXn5j6rbigr6AI6y7FjJsvp4v7RdHoVnhGDYOCWZ+5UbwE= =j4/w -----END PGP SIGNATURE----- Merge 4.19.204 into android-4.19-stable Changes in 4.19.204 KVM: SVM: Fix off-by-one indexing when nullifying last used SEV VMCB tracing: Reject string operand in the histogram expression bpf: Inherit expanded/patched seen count from old aux data bpf: Do not mark insn as seen under speculative path verification bpf: Fix leakage under speculation on mispredicted branches bpf, selftests: Adjust few selftest outcomes wrt unreachable code KVM: X86: MMU: Use the correct inherited permissions to get shadow page USB:ehci:fix Kunpeng920 ehci hardware problem ppp: Fix generating ppp unit id when ifname is not specified ovl: prevent private clone if bind mount is not allowed net: xilinx_emaclite: Do not print real IOMEM pointer Linux 4.19.204 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I976cb68d2906fa68add207bca749a1964378c916 |
||
|
Daniel Borkmann
|
9df311b2e7 |
bpf: Fix leakage under speculation on mispredicted branches
commit 9183671af6dbf60a1219371d4ed73e23f43b49db upstream.
The verifier only enumerates valid control-flow paths and skips paths that
are unreachable in the non-speculative domain. And so it can miss issues
under speculative execution on mispredicted branches.
For example, a type confusion has been demonstrated with the following
crafted program:
// r0 = pointer to a map array entry
// r6 = pointer to readable stack slot
// r9 = scalar controlled by attacker
1: r0 = *(u64 *)(r0) // cache miss
2: if r0 != 0x0 goto line 4
3: r6 = r9
4: if r0 != 0x1 goto line 6
5: r9 = *(u8 *)(r6)
6: // leak r9
Since line 3 runs iff r0 == 0 and line 5 runs iff r0 == 1, the verifier
concludes that the pointer dereference on line 5 is safe. But: if the
attacker trains both the branches to fall-through, such that the following
is speculatively executed ...
r6 = r9
r9 = *(u8 *)(r6)
// leak r9
... then the program will dereference an attacker-controlled value and could
leak its content under speculative execution via side-channel. This requires
to mistrain the branch predictor, which can be rather tricky, because the
branches are mutually exclusive. However such training can be done at
congruent addresses in user space using different branches that are not
mutually exclusive. That is, by training branches in user space ...
A: if r0 != 0x0 goto line C
B: ...
C: if r0 != 0x0 goto line D
D: ...
... such that addresses A and C collide to the same CPU branch prediction
entries in the PHT (pattern history table) as those of the BPF program's
lines 2 and 4, respectively. A non-privileged attacker could simply brute
force such collisions in the PHT until observing the attack succeeding.
Alternative methods to mistrain the branch predictor are also possible that
avoid brute forcing the collisions in the PHT. A reliable attack has been
demonstrated, for example, using the following crafted program:
// r0 = pointer to a [control] map array entry
// r7 = *(u64 *)(r0 + 0), training/attack phase
// r8 = *(u64 *)(r0 + 8), oob address
// [...]
// r0 = pointer to a [data] map array entry
1: if r7 == 0x3 goto line 3
2: r8 = r0
// crafted sequence of conditional jumps to separate the conditional
// branch in line 193 from the current execution flow
3: if r0 != 0x0 goto line 5
4: if r0 == 0x0 goto exit
5: if r0 != 0x0 goto line 7
6: if r0 == 0x0 goto exit
[...]
187: if r0 != 0x0 goto line 189
188: if r0 == 0x0 goto exit
// load any slowly-loaded value (due to cache miss in phase 3) ...
189: r3 = *(u64 *)(r0 + 0x1200)
// ... and turn it into known zero for verifier, while preserving slowly-
// loaded dependency when executing:
190: r3 &= 1
191: r3 &= 2
// speculatively bypassed phase dependency
192: r7 += r3
193: if r7 == 0x3 goto exit
194: r4 = *(u8 *)(r8 + 0)
// leak r4
As can be seen, in training phase (phase != 0x3), the condition in line 1
turns into false and therefore r8 with the oob address is overridden with
the valid map value address, which in line 194 we can read out without
issues. However, in attack phase, line 2 is skipped, and due to the cache
miss in line 189 where the map value is (zeroed and later) added to the
phase register, the condition in line 193 takes the fall-through path due
to prior branch predictor training, where under speculation, it'll load the
byte at oob address r8 (unknown scalar type at that point) which could then
be leaked via side-channel.
One way to mitigate these is to 'branch off' an unreachable path, meaning,
the current verification path keeps following the is_branch_taken() path
and we push the other branch to the verification stack. Given this is
unreachable from the non-speculative domain, this branch's vstate is
explicitly marked as speculative. This is needed for two reasons: i) if
this path is solely seen from speculative execution, then we later on still
want the dead code elimination to kick in in order to sanitize these
instructions with jmp-1s, and ii) to ensure that paths walked in the
non-speculative domain are not pruned from earlier walks of paths walked in
the speculative domain. Additionally, for robustness, we mark the registers
which have been part of the conditional as unknown in the speculative path
given there should be no assumptions made on their content.
The fix in here mitigates type confusion attacks described earlier due to
i) all code paths in the BPF program being explored and ii) existing
verifier logic already ensuring that given memory access instruction
references one specific data structure.
An alternative to this fix that has also been looked at in this scope was to
mark aux->alu_state at the jump instruction with a BPF_JMP_TAKEN state as
well as direction encoding (always-goto, always-fallthrough, unknown), such
that mixing of different always-* directions themselves as well as mixing of
always-* with unknown directions would cause a program rejection by the
verifier, e.g. programs with constructs like 'if ([...]) { x = 0; } else
{ x = 1; }' with subsequent 'if (x == 1) { [...] }'. For unprivileged, this
would result in only single direction always-* taken paths, and unknown taken
paths being allowed, such that the former could be patched from a conditional
jump to an unconditional jump (ja). Compared to this approach here, it would
have two downsides: i) valid programs that otherwise are not performing any
pointer arithmetic, etc, would potentially be rejected/broken, and ii) we are
required to turn off path pruning for unprivileged, where both can be avoided
in this work through pushing the invalid branch to the verification stack.
The issue was originally discovered by Adam and Ofek, and later independently
discovered and reported as a result of Benedict and Piotr's research work.
Fixes:
|
||
|
Daniel Borkmann
|
c510c1845f |
bpf: Do not mark insn as seen under speculative path verification
commit fe9a5ca7e370e613a9a75a13008a3845ea759d6e upstream.
... in such circumstances, we do not want to mark the instruction as seen given
the goal is still to jmp-1 rewrite/sanitize dead code, if it is not reachable
from the non-speculative path verification. We do however want to verify it for
safety regardless.
With the patch as-is all the insns that have been marked as seen before the
patch will also be marked as seen after the patch (just with a potentially
different non-zero count). An upcoming patch will also verify paths that are
unreachable in the non-speculative domain, hence this extension is needed.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Reviewed-by: Benedict Schlueter <benedict.schlueter@rub.de>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
[OP: - env->pass_cnt is not used in 4.19, so adjust sanitize_mark_insn_seen()
to assign "true" instead
- drop sanitize_insn_aux_data() comment changes, as the function is not
present in 4.19]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Daniel Borkmann
|
0abc8c9754 |
bpf: Inherit expanded/patched seen count from old aux data
commit d203b0fd863a2261e5d00b97f3d060c4c2a6db71 upstream.
Instead of relying on current env->pass_cnt, use the seen count from the
old aux data in adjust_insn_aux_data(), and expand it to the new range of
patched instructions. This change is valid given we always expand 1:n
with n>=1, so what applies to the old/original instruction needs to apply
for the replacement as well.
Not relying on env->pass_cnt is a prerequisite for a later change where we
want to avoid marking an instruction seen when verified under speculative
execution path.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Reviewed-by: Benedict Schlueter <benedict.schlueter@rub.de>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
[OP: - declare old_data as bool instead of u32 (struct bpf_insn_aux_data.seen
is bool in 5.4)
- adjusted context for 4.19]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
7fb3f18d8f |
This is the 4.19.194 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmDB9m8ACgkQONu9yGCS aT741w/9HBuvBhPgnYTb9kFnLf6mKzhPrDm7NueYNdSdpaeqJcsgJ0/No3M0/URq XfxrWX/4Towc50FLMH9a0Cf19xy8/5PubP4vsneD06y0lOFuIsxKsNtcFEvfdZyD NY+tuv4T+XqWP2pHBrz/+XQ2ug80SKp0M6ByJ6oUqeWngAi8fp2brD8tqsgR03KE mfmS+FQB90TY+Btuzr3wVMt6fWPeu+wNERlroW3fH28hoKQpxB2wXuIDpI893WnO Vw7APf/S5BI2zoe9hAK0LcDeQ3AGXS5YtVjQwdzv9jeXGsXZVsyoZif+8ICjmyhn BAyeO6zwVisV2Bs886d8VD4EpcoAlmZvd29yFZmqFIg7UjTFkRzW1GEpyKLfDg75 AIJZUxRSqk7h0Xr6wt9OB2B9qt1VcuQkk0lIdqCpxo1NbHNNAec5zQTwv9hVZoqx IvAXEIqT2uCEChIQKKHRwoqqenrW3xiPafQBmGuePW0/+8pFY8DV/Xy8FRA3Vyik k0gz5TWMU6dgZTkBHOL69vh7QU5Cl6dvKN0YP0NFrBSZMbm5eb0+TYXyQXEoQojk gk6oDNce88AWU466f8vVG9RE+dRSamB6pOxERMzzAvc+waGTSjBr4Mc+U1kpgkWB UAe588f6MQHiuclohGsTnw0TTymP/gl/Z6+G9xPwoWqwNykYKZI= =rs8B -----END PGP SIGNATURE----- Merge 4.19.194 into android-4.19-stable Changes in 4.19.194 net: usb: cdc_ncm: don't spew notifications ALSA: usb: update old-style static const declaration nl80211: validate key indexes for cfg80211_registered_device efi: Allow EFI_MEMORY_XP and EFI_MEMORY_RO both to be cleared efi: cper: fix snprintf() use in cper_dimm_err_location() vfio/pci: Fix error return code in vfio_ecap_init() vfio/pci: zap_vma_ptes() needs MMU samples: vfio-mdev: fix error handing in mdpy_fb_probe() vfio/platform: fix module_put call in error flow ipvs: ignore IP_VS_SVC_F_HASHED flag when adding service HID: pidff: fix error return code in hid_pidff_init() HID: i2c-hid: fix format string mismatch netfilter: nfnetlink_cthelper: hit EBUSY on updates if size mismatches ieee802154: fix error return code in ieee802154_add_iface() ieee802154: fix error return code in ieee802154_llsec_getparams() ixgbevf: add correct exception tracing for XDP tipc: add extack messages for bearer/media failure tipc: fix unique bearer names sanity check Bluetooth: fix the erroneous flush_work() order Bluetooth: use correct lock to prevent UAF of hdev object net: caif: added cfserl_release function net: caif: add proper error handling net: caif: fix memory leak in caif_device_notify net: caif: fix memory leak in cfusbl_device_notify HID: multitouch: require Finger field to mark Win8 reports as MT ALSA: timer: Fix master timer notification ALSA: hda: Fix for mute key LED for HP Pavilion 15-CK0xx ext4: fix bug on in ext4_es_cache_extent as ext4_split_extent_at failed usb: dwc2: Fix build in periphal-only mode pid: take a reference when initializing `cad_pid` ocfs2: fix data corruption by fallocate nfc: fix NULL ptr dereference in llcp_sock_getname() after failed connect x86/apic: Mark _all_ legacy interrupts when IO/APIC is missing btrfs: mark ordered extent and inode with error if we fail to finish btrfs: fix error handling in btrfs_del_csums btrfs: return errors from btrfs_del_csums in cleanup_ref_head btrfs: fixup error handling in fixup_inode_link_counts mm, hugetlb: fix simple resv_huge_pages underflow on UFFDIO_COPY bpf: fix test suite to enable all unpriv program types bpf: test make sure to run unpriv test cases in test_verifier selftests/bpf: Generalize dummy program types bpf: Add BPF_F_ANY_ALIGNMENT. bpf: Adjust F_NEEDS_EFFICIENT_UNALIGNED_ACCESS handling in test_verifier.c bpf: Make more use of 'any' alignment in test_verifier.c bpf: Apply F_NEEDS_EFFICIENT_UNALIGNED_ACCESS to more ACCEPT test cases. selftests/bpf: add "any alignment" annotation for some tests selftests/bpf: Avoid running unprivileged tests with alignment requirements bnxt_en: Remove the setting of dev_port. perf/cgroups: Don't rotate events for cgroups unnecessarily perf/core: Fix corner case in perf_rotate_context() btrfs: fix unmountable seed device after fstrim KVM: SVM: Truncate GPR value for DR and CR accesses in !64-bit mode KVM: arm64: Fix debug register indexing ACPI: probe ECDT before loading AML tables regardless of module-level code flag ACPI: EC: Look for ECDT EC after calling acpi_load_tables() sched/fair: Optimize select_idle_cpu xen-pciback: redo VF placement in the virtual topology Linux 4.19.194 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I87188f5f931bdb7987f2946859f899a42e29f4b1 |
||
David S. Miller
|
878470e7f5 |
bpf: Add BPF_F_ANY_ALIGNMENT.
commit e9ee9efc0d176512cdce9d27ff8549d7ffa2bfcd upstream Often we want to write tests cases that check things like bad context offset accesses. And one way to do this is to use an odd offset on, for example, a 32-bit load. This unfortunately triggers the alignment checks first on platforms that do not set CONFIG_EFFICIENT_UNALIGNED_ACCESS. So the test case see the alignment failure rather than what it was testing for. It is often not completely possible to respect the original intention of the test, or even test the same exact thing, while solving the alignment issue. Another option could have been to check the alignment after the context and other validations are performed by the verifier, but that is a non-trivial change to the verifier. Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Tiezhu Yang <yangtiezhu@loongson.cn> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
ea6ea821c5 |
This is the 4.19.193 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmC4eNoACgkQONu9yGCS aT6liA/7BGTnGt5E20VY+gPS9ydo1LukuZ7ZT8rXoedz8ZJZE5g4vVYyUJT2yxL0 PabDMEbMjWLs26DTGnTL9orgrzENvTJyVUNQ504CQxh8jTfb1Ogti1Zc4JTKyB+m 3IdSLEdrBKasR5jsEpxtgGz5xZWzB/QX/MXX2myGAVZglFpPIxnmwdsZWNkLGyPx ofoBEeGypeJqpijvn79mX4LFZW8vzLzOGE+Z24Hg9XxALhd+o4pnw4d/oE6JwYIY gOOIUUxoX9O3dy7b26xezqfmiDPlPzxbYTEL2lPnW+HYXhFl9PmqRS6vlpz6mhAO c8EIWvxcemx7Kc1JOe3b9jZc04iihY0IBtGylAtuT7sAE4RZnlRcPkl+2W+L77Tx BuAxTtMhxKWsr22rw+0hYxIdFgsQApit+qOjmVMecu20IYHyWZwuZGBbdA83SSZk 0HSqgTkTsmZ6dgA+BocdmZ0r8zYfgUSAxZn2xmGCeEIcDeynbzJrvltpimDOvfjk 7vdmGzOIXsCWlpJ9VPMar2T19PtDezE6gdw7x6B0Z04c5WT9pFkjFB9UAtC2A7mm hGjeFQJ1WNUoLxz9b53t4Ii8uHDvseu9jHzD2JL1DR+oBNRBUoPV2SklScmwDk3y 5sAlJtRFNet3NMfyIdWb167FN+hv4Kl5bA0uolRsMTBtfHZ6Sjw= =rpdS -----END PGP SIGNATURE----- Merge 4.19.193 into android-4.19-stable Changes in 4.19.193 mm, vmstat: drop zone->lock in /proc/pagetypeinfo usb: dwc3: gadget: Enable suspend events NFC: nci: fix memory leak in nci_allocate_device cifs: set server->cipher_type to AES-128-CCM for SMB3.0 NFSv4: Fix a NULL pointer dereference in pnfs_mark_matching_lsegs_return() iommu/vt-d: Fix sysfs leak in alloc_iommu() perf intel-pt: Fix sample instruction bytes perf intel-pt: Fix transaction abort handling proc: Check /proc/$pid/attr/ writes against file opener net: hso: fix control-request directions mac80211: assure all fragments are encrypted mac80211: prevent mixed key and fragment cache attacks mac80211: properly handle A-MSDUs that start with an RFC 1042 header cfg80211: mitigate A-MSDU aggregation attacks mac80211: drop A-MSDUs on old ciphers mac80211: add fragment cache to sta_info mac80211: check defrag PN against current frame mac80211: prevent attacks on TKIP/WEP as well mac80211: do not accept/forward invalid EAPOL frames mac80211: extend protection against mixed key and fragment cache attacks ath10k: Validate first subframe of A-MSDU before processing the list dm snapshot: properly fix a crash when an origin has no snapshots kgdb: fix gcc-11 warnings harder misc/uss720: fix memory leak in uss720_probe thunderbolt: dma_port: Fix NVM read buffer bounds and offset issue mei: request autosuspend after sending rx flow control staging: iio: cdc: ad7746: avoid overwrite of num_channels iio: adc: ad7793: Add missing error code in ad7793_setup() USB: trancevibrator: fix control-request direction USB: usbfs: Don't WARN about excessively large memory allocations serial: sh-sci: Fix off-by-one error in FIFO threshold register setting serial: rp2: use 'request_firmware' instead of 'request_firmware_nowait' USB: serial: ti_usb_3410_5052: add startech.com device id USB: serial: option: add Telit LE910-S1 compositions 0x7010, 0x7011 USB: serial: ftdi_sio: add IDs for IDS GmbH Products USB: serial: pl2303: add device id for ADLINK ND-6530 GC usb: dwc3: gadget: Properly track pending and queued SG usb: gadget: udc: renesas_usb3: Fix a race in usb3_start_pipen() net: usb: fix memory leak in smsc75xx_bind bpf: fix up selftests after backports were fixed bpf, selftests: Fix up some test_verifier cases for unprivileged selftests/bpf: Test narrow loads with off > 0 in test_verifier selftests/bpf: add selftest part of "bpf: improve verifier branch analysis" bpf: extend is_branch_taken to registers bpf: Test_verifier, bpf_get_stack return value add <0 bpf, test_verifier: switch bpf_get_stack's 0 s> r8 test bpf: Move off_reg into sanitize_ptr_alu bpf: Ensure off_reg has no mixed signed bounds for all types bpf: Rework ptr_limit into alu_limit and add common error path bpf: Improve verifier error messages for users bpf: Refactor and streamline bounds check into helper bpf: Move sanitize_val_alu out of op switch bpf: Tighten speculative pointer arithmetic mask bpf: Update selftests to reflect new error states bpf: Fix leakage of uninitialized bpf stack under speculation bpf: Wrap aux data inside bpf_sanitize_info container bpf: Fix mask direction swap upon off reg sign change bpf: No need to simulate speculative domain for immediates spi: gpio: Don't leak SPI master in probe error path spi: mt7621: Disable clock in probe error path spi: mt7621: Don't leak SPI master in probe error path Bluetooth: cmtp: fix file refcount when cmtp_attach_device fails NFS: fix an incorrect limit in filelayout_decode_layout() NFS: Don't corrupt the value of pg_bytes_written in nfs_do_recoalesce() NFSv4: Fix v4.0/v4.1 SEEK_DATA return -ENOTSUPP when set NFS_V4_2 config drm/meson: fix shutdown crash when component not probed net/mlx4: Fix EEPROM dump support Revert "net:tipc: Fix a double free in tipc_sk_mcast_rcv" tipc: skb_linearize the head skb when reassembling msgs net: dsa: mt7530: fix VLAN traffic leaks net: dsa: fix a crash if ->get_sset_count() fails i2c: s3c2410: fix possible NULL pointer deref on read message after write i2c: i801: Don't generate an interrupt on bus reset perf jevents: Fix getting maximum number of fds platform/x86: hp_accel: Avoid invoking _INI to speed up resume serial: max310x: unregister uart driver in case of failure and abort net: fujitsu: fix potential null-ptr-deref net: caif: remove BUG_ON(dev == NULL) in caif_xmit char: hpet: add checks after calling ioremap isdn: mISDNinfineon: check/cleanup ioremap failure correctly in setup_io dmaengine: qcom_hidma: comment platform_driver_register call libertas: register sysfs groups properly ASoC: cs43130: handle errors in cs43130_probe() properly media: dvb: Add check on sp8870_readreg return media: gspca: properly check for errors in po1030_probe() scsi: BusLogic: Fix 64-bit system enumeration error for Buslogic openrisc: Define memory barrier mb btrfs: do not BUG_ON in link_to_fixup_dir platform/x86: hp-wireless: add AMD's hardware id to the supported list platform/x86: intel_punit_ipc: Append MODULE_DEVICE_TABLE for ACPI SMB3: incorrect file id in requests compounded with open drm/amd/display: Disconnect non-DP with no EDID drm/amd/amdgpu: fix refcount leak drm/amdgpu: Fix a use-after-free net: netcp: Fix an error message net: dsa: fix error code getting shifted with 4 in dsa_slave_get_sset_count net: fec: fix the potential memory leak in fec_enet_init() net: mdio: thunder: Fix a double free issue in the .remove function net: mdio: octeon: Fix some double free issues openvswitch: meter: fix race when getting now_ms. net: bnx2: Fix error return code in bnx2_init_board() mld: fix panic in mld_newpack() staging: emxx_udc: fix loop in _nbu2ss_nuke() ASoC: cs35l33: fix an error code in probe() bpf: Set mac_len in bpf_skb_change_head ixgbe: fix large MTU request from VF scsi: libsas: Use _safe() loop in sas_resume_port() ipv6: record frag_max_size in atomic fragments in input path sch_dsmark: fix a NULL deref in qdisc_reset() MIPS: alchemy: xxs1500: add gpio-au1000.h header file MIPS: ralink: export rt_sysc_membase for rt2880_wdt.c hugetlbfs: hugetlb_fault_mutex_hash() cleanup drivers/net/ethernet: clean up unused assignments net: hns3: check the return of skb_checksum_help() usb: core: reduce power-on-good delay time of root hub Linux 4.19.193 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0cac54fabadef0bc664d6958b1c8fcda4078ba4b |
||
|
Daniel Borkmann
|
a9d5ac78e7 |
bpf: No need to simulate speculative domain for immediates
commit a7036191277f9fa68d92f2071ddc38c09b1e5ee5 upstream
In 801c6058d14a ("bpf: Fix leakage of uninitialized bpf stack under
speculation") we replaced masking logic with direct loads of immediates
if the register is a known constant. Given in this case we do not apply
any masking, there is also no reason for the operation to be truncated
under the speculative domain.
Therefore, there is also zero reason for the verifier to branch-off and
simulate this case, it only needs to do it for unknown but bounded scalars.
As a side-effect, this also enables few test cases that were previously
rejected due to simulation under zero truncation.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Daniel Borkmann
|
9324bd041d |
bpf: Fix mask direction swap upon off reg sign change
commit bb01a1bba579b4b1c5566af24d95f1767859771e upstream
Masking direction as indicated via mask_to_left is considered to be
calculated once and then used to derive pointer limits. Thus, this
needs to be placed into bpf_sanitize_info instead so we can pass it
to sanitize_ptr_alu() call after the pointer move. Piotr noticed a
corner case where the off reg causes masking direction change which
then results in an incorrect final aux->alu_limit.
Fixes: 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic mask")
Reported-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Daniel Borkmann
|
963e62364c |
bpf: Wrap aux data inside bpf_sanitize_info container
commit 3d0220f6861d713213b015b582e9f21e5b28d2e0 upstream Add a container structure struct bpf_sanitize_info which holds the current aux info, and update call-sites to sanitize_ptr_alu() to pass it in. This is needed for passing in additional state later on. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Piotr Krysiuk <piotras@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
bd9df99da9 |
bpf: Fix leakage of uninitialized bpf stack under speculation
commit 801c6058d14a82179a7ee17a4b532cac6fad067f upstream.
The current implemented mechanisms to mitigate data disclosure under
speculation mainly address stack and map value oob access from the
speculative domain. However, Piotr discovered that uninitialized BPF
stack is not protected yet, and thus old data from the kernel stack,
potentially including addresses of kernel structures, could still be
extracted from that 512 bytes large window. The BPF stack is special
compared to map values since it's not zero initialized for every
program invocation, whereas map values /are/ zero initialized upon
their initial allocation and thus cannot leak any prior data in either
domain. In the non-speculative domain, the verifier ensures that every
stack slot read must have a prior stack slot write by the BPF program
to avoid such data leaking issue.
However, this is not enough: for example, when the pointer arithmetic
operation moves the stack pointer from the last valid stack offset to
the first valid offset, the sanitation logic allows for any intermediate
offsets during speculative execution, which could then be used to
extract any restricted stack content via side-channel.
Given for unprivileged stack pointer arithmetic the use of unknown
but bounded scalars is generally forbidden, we can simply turn the
register-based arithmetic operation into an immediate-based arithmetic
operation without the need for masking. This also gives the benefit
of reducing the needed instructions for the operation. Given after
the work in 7fedb63a8307 ("bpf: Tighten speculative pointer arithmetic
mask"), the aux->alu_limit already holds the final immediate value for
the offset register with the known scalar. Thus, a simple mov of the
immediate to AX register with using AX as the source for the original
instruction is sufficient and possible now in this case.
Reported-by: Piotr Krysiuk <piotras@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Piotr Krysiuk <piotras@gmail.com>
Reviewed-by: Piotr Krysiuk <piotras@gmail.com>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Daniel Borkmann
|
45bfdd767e |
bpf: Tighten speculative pointer arithmetic mask
commit 7fedb63a8307dda0ec3b8969a3b233a1dd7ea8e0 upstream. This work tightens the offset mask we use for unprivileged pointer arithmetic in order to mitigate a corner case reported by Piotr and Benedict where in the speculative domain it is possible to advance, for example, the map value pointer by up to value_size-1 out-of-bounds in order to leak kernel memory via side-channel to user space. Before this change, the computed ptr_limit for retrieve_ptr_limit() helper represents largest valid distance when moving pointer to the right or left which is then fed as aux->alu_limit to generate masking instructions against the offset register. After the change, the derived aux->alu_limit represents the largest potential value of the offset register which we mask against which is just a narrower subset of the former limit. For minimal complexity, we call sanitize_ptr_alu() from 2 observation points in adjust_ptr_min_max_vals(), that is, before and after the simulated alu operation. In the first step, we retieve the alu_state and alu_limit before the operation as well as we branch-off a verifier path and push it to the verification stack as we did before which checks the dst_reg under truncation, in other words, when the speculative domain would attempt to move the pointer out-of-bounds. In the second step, we retrieve the new alu_limit and calculate the absolute distance between both. Moreover, we commit the alu_state and final alu_limit via update_alu_sanitation_state() to the env's instruction aux data, and bail out from there if there is a mismatch due to coming from different verification paths with different states. Reported-by: Piotr Krysiuk <piotras@gmail.com> Reported-by: Benedict Schlueter <benedict.schlueter@rub.de> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Tested-by: Benedict Schlueter <benedict.schlueter@rub.de> [fllinden@amazon.com: backported to 5.4] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [OP: backport to 4.19] Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
7d26173518 |
bpf: Move sanitize_val_alu out of op switch
commit f528819334881fd622fdadeddb3f7edaed8b7c9b upstream. Add a small sanitize_needed() helper function and move sanitize_val_alu() out of the main opcode switch. In upcoming work, we'll move sanitize_ptr_alu() as well out of its opcode switch so this helps to streamline both. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: backported to 5.4] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
8827288cb6 |
bpf: Refactor and streamline bounds check into helper
commit 073815b756c51ba9d8384d924c5d1c03ca3d1ae4 upstream. Move the bounds check in adjust_ptr_min_max_vals() into a small helper named sanitize_check_bounds() in order to simplify the former a bit. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: backport to 5.4] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
656b3f9ef4 |
bpf: Improve verifier error messages for users
commit a6aaece00a57fa6f22575364b3903dfbccf5345d upstream Consolidate all error handling and provide more user-friendly error messages from sanitize_ptr_alu() and sanitize_val_alu(). Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> [fllinden@amazon.com: backport to 5.4] Signed-off-by: Frank van der Linden <fllinden@amazon.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
8ab6572e20 |
bpf: Rework ptr_limit into alu_limit and add common error path
commit b658bbb844e28f1862867f37e8ca11a8e2aa94a3 upstream. Small refactor with no semantic changes in order to consolidate the max ptr_limit boundary check. Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: John Fastabend <john.fastabend@gmail.com> Acked-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> [OP: backport to 4.19] Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Daniel Borkmann
|
167743a5ea |
bpf: Ensure off_reg has no mixed signed bounds for all types
commit 24c109bb1537c12c02aeed2d51a347b4d6a9b76e upstream.
The mixed signed bounds check really belongs into retrieve_ptr_limit()
instead of outside of it in adjust_ptr_min_max_vals(). The reason is
that this check is not tied to PTR_TO_MAP_VALUE only, but to all pointer
types that we handle in retrieve_ptr_limit() and given errors from the latter
propagate back to adjust_ptr_min_max_vals() and lead to rejection of the
program, it's a better place to reside to avoid anything slipping through
for future types. The reason why we must reject such off_reg is that we
otherwise would not be able to derive a mask, see details in 9d7eceede769
("bpf: restrict unknown scalars of mixed signed bounds for unprivileged").
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
[fllinden@amazon.com: backport to 5.4]
Signed-off-by: Frank van der Linden <fllinden@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[OP: backport to 4.19]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|