1. 19 Dec, 2021 2 commits
  2. 18 Dec, 2021 10 commits
    • Linus Torvalds's avatar
      Merge tag 'tty-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty · 3f667b5d
      Linus Torvalds authored
      Pull tty/serial fixes from Greg KH:
       "Here are two small tty/serial fixes for 5.16-rc6.  They include:
      
         - n_hdlc fix for syzbot reported problem that you were previously
           copied on.
      
         - 8250_fintek driver fix that resolved a console problem by removing
           a previous change.
      
        Both have been in linux-next with no reported issues"
      
      * tag 'tty-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/tty:
        serial: 8250_fintek: Fix garbled text for console
        tty: n_hdlc: make n_hdlc_tty_wakeup() asynchronous
      3f667b5d
    • Linus Torvalds's avatar
      Merge tag 'usb-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb · fb7d0829
      Linus Torvalds authored
      Pull USB fixes from Greg KH:
       "Here are a number of small USB driver fixes for reported problems.
        They include:
      
         - dwc2 driver fixes
      
         - xhci driver fixes
      
         - cdnsp driver fixes
      
         - typec driver fix
      
         - gadget u_ether driver fix
      
         - new quirk additions
      
         - usb gadget endpoint calculation fix
      
         - usb serial new device ids
      
         - revert of a xhci-dbg change that broke early debug booting
      
        All changes, except for the revert, have been in linux-next with no
        reported problems. The revert was from yesterday, and it was reported
        by the developers affected that it resolved their problem"
      
      * tag 'usb-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/usb:
        Revert "usb: early: convert to readl_poll_timeout_atomic()"
        usb: typec: tcpm: fix tcpm unregister port but leave a pending timer
        usb: cdnsp: Fix lack of spin_lock_irqsave/spin_lock_restore
        USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04)
        usb: xhci: Extend support for runtime power management for AMD's Yellow carp.
        usb: dwc2: fix STM ID/VBUS detection startup delay in dwc2_driver_probe
        USB: gadget: bRequestType is a bitfield, not a enum
        USB: serial: option: add Telit FN990 compositions
        USB: serial: cp210x: fix CP2105 GPIO registration
        usb: cdnsp: Fix incorrect status for control request
        usb: cdnsp: Fix issue in cdnsp_log_ep trace event
        usb: cdnsp: Fix incorrect calling of cdnsp_died function
        usb: xhci-mtk: fix list_del warning when enable list debug
        usb: gadget: u_ether: fix race in setting MAC address in setup phase
      fb7d0829
    • Linus Torvalds's avatar
      Merge tag 'perf-tools-fixes-for-v5.16-2021-12-18' of... · 0f03adcc
      Linus Torvalds authored
      Merge tag 'perf-tools-fixes-for-v5.16-2021-12-18' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux
      
      Pull perf tools fixes from Arnaldo Carvalho de Melo:
      
       - Fix segfaults in 'perf inject' related to usage of unopened files
      
       - The return value of hashmap__new() should be checked using IS_ERR()
      
      * tag 'perf-tools-fixes-for-v5.16-2021-12-18' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux:
        perf inject: Fix segfault due to perf_data__fd() without open
        perf inject: Fix segfault due to close without open
        perf expr: Fix missing check for return value of hashmap__new()
      0f03adcc
    • Adrian Hunter's avatar
      perf inject: Fix segfault due to perf_data__fd() without open · c271a55b
      Adrian Hunter authored
      The fixed commit attempts to get the output file descriptor even if the
      file was never opened e.g.
      
        $ perf record uname
        Linux
        [ perf record: Woken up 1 times to write data ]
        [ perf record: Captured and wrote 0.002 MB perf.data (7 samples) ]
        $ perf inject -i perf.data --vm-time-correlation=dry-run
        Segmentation fault (core dumped)
        $ gdb --quiet perf
        Reading symbols from perf...
        (gdb) r inject -i perf.data --vm-time-correlation=dry-run
        Starting program: /home/ahunter/bin/perf inject -i perf.data --vm-time-correlation=dry-run
        [Thread debugging using libthread_db enabled]
        Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
      
        Program received signal SIGSEGV, Segmentation fault.
        __GI___fileno (fp=0x0) at fileno.c:35
        35      fileno.c: No such file or directory.
        (gdb) bt
        #0  __GI___fileno (fp=0x0) at fileno.c:35
        #1  0x00005621e48dd987 in perf_data__fd (data=0x7fff4c68bd08) at util/data.h:72
        #2  perf_data__fd (data=0x7fff4c68bd08) at util/data.h:69
        #3  cmd_inject (argc=<optimized out>, argv=0x7fff4c69c1f0) at builtin-inject.c:1017
        #4  0x00005621e4936783 in run_builtin (p=0x5621e4ee6878 <commands+600>, argc=4, argv=0x7fff4c69c1f0) at perf.c:313
        #5  0x00005621e4897d5c in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:365
        #6  run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:409
        #7  main (argc=4, argv=0x7fff4c69c1f0) at perf.c:539
        (gdb)
      
      Fixes: 0ae03893 ("perf tools: Pass a fd to perf_file_header__read_pipe()")
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Tested-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Riccardo Mancini <rickyman7@gmail.com>
      Cc: stable@vger.kernel.org
      Link: http://lore.kernel.org/lkml/20211213084829.114772-3-adrian.hunter@intel.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      c271a55b
    • Adrian Hunter's avatar
      perf inject: Fix segfault due to close without open · 0c8e32fe
      Adrian Hunter authored
      The fixed commit attempts to close inject.output even if it was never
      opened e.g.
      
        $ perf record uname
        Linux
        [ perf record: Woken up 1 times to write data ]
        [ perf record: Captured and wrote 0.002 MB perf.data (7 samples) ]
        $ perf inject -i perf.data --vm-time-correlation=dry-run
        Segmentation fault (core dumped)
        $ gdb --quiet perf
        Reading symbols from perf...
        (gdb) r inject -i perf.data --vm-time-correlation=dry-run
        Starting program: /home/ahunter/bin/perf inject -i perf.data --vm-time-correlation=dry-run
        [Thread debugging using libthread_db enabled]
        Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
      
        Program received signal SIGSEGV, Segmentation fault.
        0x00007eff8afeef5b in _IO_new_fclose (fp=0x0) at iofclose.c:48
        48      iofclose.c: No such file or directory.
        (gdb) bt
        #0  0x00007eff8afeef5b in _IO_new_fclose (fp=0x0) at iofclose.c:48
        #1  0x0000557fc7b74f92 in perf_data__close (data=data@entry=0x7ffcdafa6578) at util/data.c:376
        #2  0x0000557fc7a6b807 in cmd_inject (argc=<optimized out>, argv=<optimized out>) at builtin-inject.c:1085
        #3  0x0000557fc7ac4783 in run_builtin (p=0x557fc8074878 <commands+600>, argc=4, argv=0x7ffcdafb6a60) at perf.c:313
        #4  0x0000557fc7a25d5c in handle_internal_command (argv=<optimized out>, argc=<optimized out>) at perf.c:365
        #5  run_argv (argcp=<optimized out>, argv=<optimized out>) at perf.c:409
        #6  main (argc=4, argv=0x7ffcdafb6a60) at perf.c:539
        (gdb)
      
      Fixes: 02e6246f ("perf inject: Close inject.output on exit")
      Signed-off-by: default avatarAdrian Hunter <adrian.hunter@intel.com>
      Tested-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Riccardo Mancini <rickyman7@gmail.com>
      Cc: stable@vger.kernel.org
      Link: http://lore.kernel.org/lkml/20211213084829.114772-2-adrian.hunter@intel.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      0c8e32fe
    • Miaoqian Lin's avatar
      perf expr: Fix missing check for return value of hashmap__new() · 0a515a06
      Miaoqian Lin authored
      The hashmap__new() function may return ERR_PTR(-ENOMEM) when malloc()
      fails, add IS_ERR() checking for ctx->ids.
      Signed-off-by: default avatarMiaoqian Lin <linmq006@gmail.com>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Andi Kleen <ak@linux.intel.com>
      Cc: Ian Rogers <irogers@google.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Link: http://lore.kernel.org/lkml/20211212062504.25841-1-linmq006@gmail.com
      [ s/kfree()/free()/ and add missing linux/err.h include ]
      Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      0a515a06
    • Linus Torvalds's avatar
      Merge tag 'libata-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata · 9eaa88c7
      Linus Torvalds authored
      Pull libata fix from Damien Le Moal:
       "A single fix for this cycle:
      
         - Check that ATA16 passthrough commands that do not transfer any data
           have a DMA direction set to DMA_NONE (From George)"
      
      * tag 'libata-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/libata:
        libata: if T_LENGTH is zero, dma direction should be DMA_NONE
      9eaa88c7
    • Linus Torvalds's avatar
      Merge tag 'zonefs-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs · 1887bf5c
      Linus Torvalds authored
      Pull zonefs fixes from Damien Le Moal:
       "One fix and one trivial update for rc6:
      
         - Add MODULE_ALIAS_FS to get automatic module loading on mount
           (Naohiro)
      
         - Update Damien's email address in the MAINTAINERS file (me)"
      
      * tag 'zonefs-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/dlemoal/zonefs:
        MAITAINERS: Change zonefs maintainer email address
        zonefs: add MODULE_ALIAS_FS
      1887bf5c
    • Thiago Rafael Becker's avatar
      cifs: sanitize multiple delimiters in prepath · a3108089
      Thiago Rafael Becker authored
      mount.cifs can pass a device with multiple delimiters in it. This will
      cause rename(2) to fail with ENOENT.
      
      V2:
        - Make sanitize_path more readable.
        - Fix multiple delimiters between UNC and prepath.
        - Avoid a memory leak if a bad user starts putting a lot of delimiters
          in the path on purpose.
      
      BugLink: https://bugzilla.redhat.com/show_bug.cgi?id=2031200
      Fixes: 24e0a1ef ("cifs: switch to new mount api")
      Cc: stable@vger.kernel.org # 5.11+
      Acked-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: default avatarThiago Rafael Becker <trbecker@gmail.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      a3108089
    • Shyam Prasad N's avatar
      cifs: ignore resource_id while getting fscache super cookie · b774302e
      Shyam Prasad N authored
      We have a cyclic dependency between fscache super cookie
      and root inode cookie. The super cookie relies on
      tcon->resource_id, which gets populated from the root inode
      number. However, fetching the root inode initializes inode
      cookie as a child of super cookie, which is yet to be populated.
      
      resource_id is only used as auxdata to check the validity of
      super cookie. We can completely avoid setting resource_id to
      remove the circular dependency. Since vol creation time and
      vol serial numbers are used for auxdata, we should be fine.
      Additionally, there will be auxiliary data check for each
      inode cookie as well.
      
      Fixes: 5bf91ef0 ("cifs: wait for tcon resource_id before getting fscache super")
      CC: David Howells <dhowells@redhat.com>
      Signed-off-by: default avatarShyam Prasad N <sprasad@microsoft.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      b774302e
  3. 17 Dec, 2021 20 commits
  4. 16 Dec, 2021 8 commits
    • Linus Torvalds's avatar
      Merge tag 'audit-pr-20211216' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit · 6441998e
      Linus Torvalds authored
      Pull audit fix from Paul Moore:
       "A single patch to fix a problem where the audit queue could grow
        unbounded when the audit daemon is forcibly stopped"
      
      * tag 'audit-pr-20211216' of git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit:
        audit: improve robustness of the audit queue handling
      6441998e
    • Linus Torvalds's avatar
      Merge tag 'net-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 180f3bcf
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Networking fixes, including fixes from mac80211, wifi, bpf.
      
        Relatively large batches of fixes from BPF and the WiFi stack, calm in
        general networking.
      
        Current release - regressions:
      
         - dpaa2-eth: fix buffer overrun when reporting ethtool statistics
      
        Current release - new code bugs:
      
         - bpf: fix incorrect state pruning for <8B spill/fill
      
         - iavf:
             - add missing unlocks in iavf_watchdog_task()
             - do not override the adapter state in the watchdog task (again)
      
         - mlxsw: spectrum_router: consolidate MAC profiles when possible
      
        Previous releases - regressions:
      
         - mac80211 fixes:
             - rate control, avoid driver crash for retransmitted frames
             - regression in SSN handling of addba tx
             - a memory leak where sta_info is not freed
             - marking TX-during-stop for TX in in_reconfig, prevent stall
      
         - cfg80211: acquire wiphy mutex on regulatory work
      
         - wifi drivers: fix build regressions and LED config dependency
      
         - virtio_net: fix rx_drops stat for small pkts
      
         - dsa: mv88e6xxx: unforce speed & duplex in mac_link_down()
      
        Previous releases - always broken:
      
         - bpf fixes:
             - kernel address leakage in atomic fetch
             - kernel address leakage in atomic cmpxchg's r0 aux reg
             - signed bounds propagation after mov32
             - extable fixup offset
             - extable address check
      
         - mac80211:
             - fix the size used for building probe request
             - send ADDBA requests using the tid/queue of the aggregation
               session
             - agg-tx: don't schedule_and_wake_txq() under sta->lock, avoid
               deadlocks
             - validate extended element ID is present
      
         - mptcp:
             - never allow the PM to close a listener subflow (null-defer)
             - clear 'kern' flag from fallback sockets, prevent crash
             - fix deadlock in __mptcp_push_pending()
      
         - inet_diag: fix kernel-infoleak for UDP sockets
      
         - xsk: do not sleep in poll() when need_wakeup set
      
         - smc: avoid very long waits in smc_release()
      
         - sch_ets: don't remove idle classes from the round-robin list
      
         - netdevsim:
             - zero-initialize memory for bpf map's value, prevent info leak
             - don't let user space overwrite read only (max) ethtool parms
      
         - ixgbe: set X550 MDIO speed before talking to PHY
      
         - stmmac:
             - fix null-deref in flower deletion w/ VLAN prio Rx steering
             - dwmac-rk: fix oob read in rk_gmac_setup
      
         - ice: time stamping fixes
      
         - systemport: add global locking for descriptor life cycle"
      
      * tag 'net-5.16-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (89 commits)
        bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
        selftest/bpf: Add a test that reads various addresses.
        bpf: Fix extable address check.
        bpf: Fix extable fixup offset.
        bpf, selftests: Add test case trying to taint map value pointer
        bpf: Make 32->64 bounds propagation slightly more robust
        bpf: Fix signed bounds propagation after mov32
        sit: do not call ipip6_dev_free() from sit_init_net()
        net: systemport: Add global locking for descriptor lifecycle
        net/smc: Prevent smc_release() from long blocking
        net: Fix double 0x prefix print in SKB dump
        virtio_net: fix rx_drops stat for small pkts
        dsa: mv88e6xxx: fix debug print for SPEED_UNFORCED
        sfc_ef100: potential dereference of null pointer
        net: stmmac: dwmac-rk: fix oob read in rk_gmac_setup
        net: usb: lan78xx: add Allied Telesis AT29M2-AF
        net/packet: rx_owner_map depends on pg_vec
        netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc
        dpaa2-eth: fix ethtool statistics
        ixgbe: set X550 MDIO speed before talking to PHY
        ...
      180f3bcf
    • Linus Torvalds's avatar
      Merge tag 'soc-fixes-5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · 93db8300
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "There are a number of DT fixes, mostly for mistakes found through
        static checking of the dts files again, as well as a couple of minor
        changes to address incorrect DT settings.
      
        For i.MX, there is yet another series of devitree changes to update
        RGMII delay settings for ethernet, which is an ongoing problem after
        some driver changes.
      
        For SoC specific device drivers, a number of smaller fixes came up:
      
         - i.MX SoC identification was incorrectly registered non-i.MX
           machines when the driver is built-in
      
         - One fix on imx8m-blk-ctrl driver to get i.MX8MM MIPI reset work
           properly
      
         - a few compile fixes for warnings that get in the way of -Werror
      
         - a string overflow in the scpi firmware driver
      
         - a boot failure with FORTIFY_SOURCE on Rockchips machines
      
         - broken error handling in the AMD TEE driver
      
         - a revert for a tegra reset driver commit that broke HDA"
      
      * tag 'soc-fixes-5.16-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc: (25 commits)
        soc/tegra: fuse: Fix bitwise vs. logical OR warning
        firmware: arm_scpi: Fix string overflow in SCPI genpd driver
        soc: imx: Register SoC device only on i.MX boards
        soc: imx: imx8m-blk-ctrl: Fix imx8mm mipi reset
        ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name
        arm64: dts: imx8mq: remove interconnect property from lcdif
        ARM: socfpga: dts: fix qspi node compatible
        arm64: dts: apple: add #interrupt-cells property to pinctrl nodes
        dt-bindings: i2c: apple,i2c: allow multiple compatibles
        arm64: meson: remove COMMON_CLK
        arm64: meson: fix dts for JetHub D1
        tee: amdtee: fix an IS_ERR() vs NULL bug
        arm64: dts: apple: change ethernet0 device type to ethernet
        arm64: dts: ten64: remove redundant interrupt declaration for gpio-keys
        arm64: dts: rockchip: fix poweroff on helios64
        arm64: dts: rockchip: fix audio-supply for Rock Pi 4
        arm64: dts: rockchip: fix rk3399-leez-p710 vcc3v3-lan supply
        arm64: dts: rockchip: fix rk3308-roc-cc vcc-sd supply
        arm64: dts: rockchip: remove mmc-hs400-enhanced-strobe from rk3399-khadas-edge
        ARM: rockchip: Use memcpy_toio instead of memcpy on smp bring-up
        ...
      93db8300
    • Scott Mayhew's avatar
      selinux: fix sleeping function called from invalid context · cc274ae7
      Scott Mayhew authored
      selinux_sb_mnt_opts_compat() is called via sget_fc() under the sb_lock
      spinlock, so it can't use GFP_KERNEL allocations:
      
      [  868.565200] BUG: sleeping function called from invalid context at
                     include/linux/sched/mm.h:230
      [  868.568246] in_atomic(): 1, irqs_disabled(): 0,
                     non_block: 0, pid: 4914, name: mount.nfs
      [  868.569626] preempt_count: 1, expected: 0
      [  868.570215] RCU nest depth: 0, expected: 0
      [  868.570809] Preemption disabled at:
      [  868.570810] [<0000000000000000>] 0x0
      [  868.571848] CPU: 1 PID: 4914 Comm: mount.nfs Kdump: loaded
                     Tainted: G        W         5.16.0-rc5.2585cf9d #1
      [  868.573273] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009),
                     BIOS 1.14.0-4.fc34 04/01/2014
      [  868.574478] Call Trace:
      [  868.574844]  <TASK>
      [  868.575156]  dump_stack_lvl+0x34/0x44
      [  868.575692]  __might_resched.cold+0xd6/0x10f
      [  868.576308]  slab_pre_alloc_hook.constprop.0+0x89/0xf0
      [  868.577046]  __kmalloc_track_caller+0x72/0x420
      [  868.577684]  ? security_context_to_sid_core+0x48/0x2b0
      [  868.578569]  kmemdup_nul+0x22/0x50
      [  868.579108]  security_context_to_sid_core+0x48/0x2b0
      [  868.579854]  ? _nfs4_proc_pathconf+0xff/0x110 [nfsv4]
      [  868.580742]  ? nfs_reconfigure+0x80/0x80 [nfs]
      [  868.581355]  security_context_str_to_sid+0x36/0x40
      [  868.581960]  selinux_sb_mnt_opts_compat+0xb5/0x1e0
      [  868.582550]  ? nfs_reconfigure+0x80/0x80 [nfs]
      [  868.583098]  security_sb_mnt_opts_compat+0x2a/0x40
      [  868.583676]  nfs_compare_super+0x113/0x220 [nfs]
      [  868.584249]  ? nfs_try_mount_request+0x210/0x210 [nfs]
      [  868.584879]  sget_fc+0xb5/0x2f0
      [  868.585267]  nfs_get_tree_common+0x91/0x4a0 [nfs]
      [  868.585834]  vfs_get_tree+0x25/0xb0
      [  868.586241]  fc_mount+0xe/0x30
      [  868.586605]  do_nfs4_mount+0x130/0x380 [nfsv4]
      [  868.587160]  nfs4_try_get_tree+0x47/0xb0 [nfsv4]
      [  868.587724]  vfs_get_tree+0x25/0xb0
      [  868.588193]  do_new_mount+0x176/0x310
      [  868.588782]  __x64_sys_mount+0x103/0x140
      [  868.589388]  do_syscall_64+0x3b/0x90
      [  868.589935]  entry_SYSCALL_64_after_hwframe+0x44/0xae
      [  868.590699] RIP: 0033:0x7f2b371c6c4e
      [  868.591239] Code: 48 8b 0d dd 71 0e 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e
                           0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00
                           00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d aa 71
                           0e 00 f7 d8 64 89 01 48
      [  868.593810] RSP: 002b:00007ffc83775d88 EFLAGS: 00000246
                     ORIG_RAX: 00000000000000a5
      [  868.594691] RAX: ffffffffffffffda RBX: 00007ffc83775f10 RCX: 00007f2b371c6c4e
      [  868.595504] RDX: 0000555d517247a0 RSI: 0000555d51724700 RDI: 0000555d51724540
      [  868.596317] RBP: 00007ffc83775f10 R08: 0000555d51726890 R09: 0000555d51726890
      [  868.597162] R10: 0000000000000000 R11: 0000000000000246 R12: 0000555d51726890
      [  868.598005] R13: 0000000000000003 R14: 0000555d517246e0 R15: 0000555d511ac925
      [  868.598826]  </TASK>
      
      Cc: stable@vger.kernel.org
      Fixes: 69c4a42d ("lsm,selinux: add new hook to compare new mount to an existing mount")
      Signed-off-by: default avatarScott Mayhew <smayhew@redhat.com>
      [PM: cleanup/line-wrap the backtrace]
      Signed-off-by: default avatarPaul Moore <paul@paul-moore.com>
      cc274ae7
    • Jakub Kicinski's avatar
      Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 0c3e2474
      Jakub Kicinski authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2021-12-16
      
      We've added 15 non-merge commits during the last 7 day(s) which contain
      a total of 12 files changed, 434 insertions(+), 30 deletions(-).
      
      The main changes are:
      
      1) Fix incorrect verifier state pruning behavior for <8B register spill/fill,
         from Paul Chaignon.
      
      2) Fix x86-64 JIT's extable handling for fentry/fexit when return pointer
         is an ERR_PTR(), from Alexei Starovoitov.
      
      3) Fix 3 different possibilities that BPF verifier missed where unprivileged
         could leak kernel addresses, from Daniel Borkmann.
      
      4) Fix xsk's poll behavior under need_wakeup flag, from Magnus Karlsson.
      
      5) Fix an oob-write in test_verifier due to a missed MAX_NR_MAPS bump,
         from Kumar Kartikeya Dwivedi.
      
      6) Fix a race in test_btf_skc_cls_ingress selftest, from Martin KaFai Lau.
      
      * https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        bpf, selftests: Fix racing issue in btf_skc_cls_ingress test
        selftest/bpf: Add a test that reads various addresses.
        bpf: Fix extable address check.
        bpf: Fix extable fixup offset.
        bpf, selftests: Add test case trying to taint map value pointer
        bpf: Make 32->64 bounds propagation slightly more robust
        bpf: Fix signed bounds propagation after mov32
        bpf, selftests: Update test case for atomic cmpxchg on r0 with pointer
        bpf: Fix kernel address leakage in atomic cmpxchg's r0 aux reg
        bpf, selftests: Add test case for atomic fetch on spilled pointer
        bpf: Fix kernel address leakage in atomic fetch
        selftests/bpf: Fix OOB write in test_verifier
        xsk: Do not sleep in poll() when need_wakeup set
        selftests/bpf: Tests for state pruning with u32 spill/fill
        bpf: Fix incorrect state pruning for <8B spill/fill
      ====================
      
      Link: https://lore.kernel.org/r/20211216210005.13815-1-daniel@iogearbox.netSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      0c3e2474
    • Martin KaFai Lau's avatar
      bpf, selftests: Fix racing issue in btf_skc_cls_ingress test · c2fcbf81
      Martin KaFai Lau authored
      The libbpf CI reported occasional failure in btf_skc_cls_ingress:
      
        test_syncookie:FAIL:Unexpected syncookie states gen_cookie:80326634 recv_cookie:0
        bpf prog error at line 97
      
      "error at line 97" means the bpf prog cannot find the listening socket
      when the final ack is received.  It then skipped processing
      the syncookie in the final ack which then led to "recv_cookie:0".
      
      The problem is the userspace program did not do accept() and went
      ahead to close(listen_fd) before the kernel (and the bpf prog) had
      a chance to process the final ack.
      
      The fix is to add accept() call so that the userspace will wait for
      the kernel to finish processing the final ack first before close()-ing
      everything.
      
      Fixes: 9a856cae ("bpf: selftest: Add test_btf_skc_cls_ingress")
      Reported-by: default avatarAndrii Nakryiko <andrii@kernel.org>
      Signed-off-by: default avatarMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20211216191630.466151-1-kafai@fb.com
      c2fcbf81
    • Alexei Starovoitov's avatar
      selftest/bpf: Add a test that reads various addresses. · 7edc3fcb
      Alexei Starovoitov authored
      Add a function to bpf_testmod that returns invalid kernel and user addresses.
      Then attach an fexit program to that function that tries to read
      memory through these addresses.
      
      This logic checks that bpf_probe_read_kernel and BPF_PROBE_MEM logic is sane.
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      7edc3fcb
    • Alexei Starovoitov's avatar
      bpf: Fix extable address check. · 588a25e9
      Alexei Starovoitov authored
      The verifier checks that PTR_TO_BTF_ID pointer is either valid or NULL,
      but it cannot distinguish IS_ERR pointer from valid one.
      
      When offset is added to IS_ERR pointer it may become small positive
      value which is a user address that is not handled by extable logic
      and has to be checked for at the runtime.
      
      Tighten BPF_PROBE_MEM pointer check code to prevent this case.
      
      Fixes: 4c5de127 ("bpf: Emit explicit NULL pointer checks for PROBE_LDX instructions.")
      Reported-by: default avatarLorenzo Fontana <lorenzo.fontana@elastic.co>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      588a25e9