1. 13 Jul, 2024 32 commits
  2. 12 Jul, 2024 8 commits
    • Tengda Wu's avatar
      selftests/bpf: Test for null-pointer-deref bugfix in resolve_prog_type() · e435b043
      Tengda Wu authored
      This test verifies that resolve_prog_type() works as expected when
      `attach_prog_fd` is not passed in.
      
      `prog->aux->dst_prog` in resolve_prog_type() is assigned by
      `attach_prog_fd`, and would be NULL if `attach_prog_fd` is not provided.
      
      Loading EXT prog with bpf_dynptr_from_skb() kfunc call in this way will
      lead to null-pointer-deref.
      
      Verify that the null-pointer-deref bug in resolve_prog_type() is fixed.
      Signed-off-by: default avatarTengda Wu <wutengda@huaweicloud.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Link: https://lore.kernel.org/bpf/20240711145819.254178-3-wutengda@huaweicloud.com
      e435b043
    • Tengda Wu's avatar
      bpf: Fix null pointer dereference in resolve_prog_type() for BPF_PROG_TYPE_EXT · f7866c35
      Tengda Wu authored
      When loading a EXT program without specifying `attr->attach_prog_fd`,
      the `prog->aux->dst_prog` will be null. At this time, calling
      resolve_prog_type() anywhere will result in a null pointer dereference.
      
      Example stack trace:
      
      [    8.107863] Unable to handle kernel NULL pointer dereference at virtual address 0000000000000004
      [    8.108262] Mem abort info:
      [    8.108384]   ESR = 0x0000000096000004
      [    8.108547]   EC = 0x25: DABT (current EL), IL = 32 bits
      [    8.108722]   SET = 0, FnV = 0
      [    8.108827]   EA = 0, S1PTW = 0
      [    8.108939]   FSC = 0x04: level 0 translation fault
      [    8.109102] Data abort info:
      [    8.109203]   ISV = 0, ISS = 0x00000004, ISS2 = 0x00000000
      [    8.109399]   CM = 0, WnR = 0, TnD = 0, TagAccess = 0
      [    8.109614]   GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
      [    8.109836] user pgtable: 4k pages, 48-bit VAs, pgdp=0000000101354000
      [    8.110011] [0000000000000004] pgd=0000000000000000, p4d=0000000000000000
      [    8.112624] Internal error: Oops: 0000000096000004 [#1] PREEMPT SMP
      [    8.112783] Modules linked in:
      [    8.113120] CPU: 0 PID: 99 Comm: may_access_dire Not tainted 6.10.0-rc3-next-20240613-dirty #1
      [    8.113230] Hardware name: linux,dummy-virt (DT)
      [    8.113390] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
      [    8.113429] pc : may_access_direct_pkt_data+0x24/0xa0
      [    8.113746] lr : add_subprog_and_kfunc+0x634/0x8e8
      [    8.113798] sp : ffff80008283b9f0
      [    8.113813] x29: ffff80008283b9f0 x28: ffff800082795048 x27: 0000000000000001
      [    8.113881] x26: ffff0000c0bb2600 x25: 0000000000000000 x24: 0000000000000000
      [    8.113897] x23: ffff0000c1134000 x22: 000000000001864f x21: ffff0000c1138000
      [    8.113912] x20: 0000000000000001 x19: ffff0000c12b8000 x18: ffffffffffffffff
      [    8.113929] x17: 0000000000000000 x16: 0000000000000000 x15: 0720072007200720
      [    8.113944] x14: 0720072007200720 x13: 0720072007200720 x12: 0720072007200720
      [    8.113958] x11: 0720072007200720 x10: 0000000000f9fca4 x9 : ffff80008021f4e4
      [    8.113991] x8 : 0101010101010101 x7 : 746f72705f6d656d x6 : 000000001e0e0f5f
      [    8.114006] x5 : 000000000001864f x4 : ffff0000c12b8000 x3 : 000000000000001c
      [    8.114020] x2 : 0000000000000002 x1 : 0000000000000000 x0 : 0000000000000000
      [    8.114126] Call trace:
      [    8.114159]  may_access_direct_pkt_data+0x24/0xa0
      [    8.114202]  bpf_check+0x3bc/0x28c0
      [    8.114214]  bpf_prog_load+0x658/0xa58
      [    8.114227]  __sys_bpf+0xc50/0x2250
      [    8.114240]  __arm64_sys_bpf+0x28/0x40
      [    8.114254]  invoke_syscall.constprop.0+0x54/0xf0
      [    8.114273]  do_el0_svc+0x4c/0xd8
      [    8.114289]  el0_svc+0x3c/0x140
      [    8.114305]  el0t_64_sync_handler+0x134/0x150
      [    8.114331]  el0t_64_sync+0x168/0x170
      [    8.114477] Code: 7100707f 54000081 f9401c00 f9403800 (b9400403)
      [    8.118672] ---[ end trace 0000000000000000 ]---
      
      One way to fix it is by forcing `attach_prog_fd` non-empty when
      bpf_prog_load(). But this will lead to `libbpf_probe_bpf_prog_type`
      API broken which use verifier log to probe prog type and will log
      nothing if we reject invalid EXT prog before bpf_check().
      
      Another way is by adding null check in resolve_prog_type().
      
      The issue was introduced by commit 4a9c7bbe ("bpf: Resolve to
      prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT") which wanted
      to correct type resolution for BPF_PROG_TYPE_TRACING programs. Before
      that, the type resolution of BPF_PROG_TYPE_EXT prog actually follows
      the logic below:
      
        prog->aux->dst_prog ? prog->aux->dst_prog->type : prog->type;
      
      It implies that when EXT program is not yet attached to `dst_prog`,
      the prog type should be EXT itself. This code worked fine in the past.
      So just keep using it.
      
      Fix this by returning `prog->type` for BPF_PROG_TYPE_EXT if `dst_prog`
      is not present in resolve_prog_type().
      
      Fixes: 4a9c7bbe ("bpf: Resolve to prog->aux->dst_prog->type only for BPF_PROG_TYPE_EXT")
      Signed-off-by: default avatarTengda Wu <wutengda@huaweicloud.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Cc: Martin KaFai Lau <kafai@fb.com>
      Link: https://lore.kernel.org/bpf/20240711145819.254178-2-wutengda@huaweicloud.com
      f7866c35
    • Linus Torvalds's avatar
      Merge tag 'for-6.10-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 975f3b6d
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "Fix a regression in extent map shrinker behaviour.
      
        In the past weeks we got reports from users that there are huge
        latency spikes or freezes. This was bisected to newly added shrinker
        of extent maps (it was added to fix a build up of the structures in
        memory).
      
        I'm assuming that the freezes would happen to many users after release
        so I'd like to get it merged now so it's in 6.10. Although the diff
        size is not small the changes are relatively straightforward, the
        reporters verified the fixes and we did testing on our side.
      
        The fixes:
      
         - adjust behaviour under memory pressure and check lock or scheduling
           conditions, bail out if needed
      
         - synchronize tracking of the scanning progress so inode ranges are
           not skipped or work duplicated
      
         - do a delayed iput when scanning a root so evicting an inode does
           not slow things down in case of lots of dirty data, also fix
           lockdep warning, a deadlock could happen when writing the dirty
           data would need to start a transaction"
      
      * tag 'for-6.10-rc7-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: avoid races when tracking progress for extent map shrinking
        btrfs: stop extent map shrinker if reschedule is needed
        btrfs: use delayed iput during extent map shrinking
      975f3b6d
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-6.10-rc8' of https://github.com/ceph/ceph-client · a52ff901
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "A fix for a possible use-after-free following "rbd unmap" or "umount"
        marked for stable and two kernel-doc fixups"
      
      * tag 'ceph-for-6.10-rc8' of https://github.com/ceph/ceph-client:
        libceph: fix crush_choose_firstn() kernel-doc warnings
        libceph: suppress crush_choose_indep() kernel-doc warnings
        libceph: fix race between delayed_work() and ceph_monc_stop()
      a52ff901
    • Linus Torvalds's avatar
      Merge tag 'pmdomain-v6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm · ac6a9e07
      Linus Torvalds authored
      Pull pmdomain fix from Ulf Hansson:
      
       - qcom: Skip retention level for rpmhpd's
      
      * tag 'pmdomain-v6.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/linux-pm:
        pmdomain: qcom: rpmhpd: Skip retention level for Power Domains
      ac6a9e07
    • Linus Torvalds's avatar
      Merge tag 'mmc-v6.10-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 01ec3bb6
      Linus Torvalds authored
      Pull MMC host fixes from Ulf Hansson:
      
       - davinci_mmc: Prevent transmitted data size from exceeding sgm's
         length
      
       - sdhci: Fix max_seg_size for 64KiB PAGE_SIZE
      
      * tag 'mmc-v6.10-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: davinci_mmc: Prevent transmitted data size from exceeding sgm's length
        mmc: sdhci: Fix max_seg_size for 64KiB PAGE_SIZE
      01ec3bb6
    • Daniel Borkmann's avatar
      selftests/bpf: DENYLIST.aarch64: Skip fexit_sleep again · 517125f6
      Daniel Borkmann authored
      Revert commit 90dc9460 ("selftests/bpf: DENYLIST.aarch64: Remove
      fexit_sleep") again. The fix in 19d3c179 ("bpf, arm64: Fix trampoline
      for BPF_TRAMP_F_CALL_ORIG") does not address all of the issues and BPF
      CI is still hanging and timing out:
      
         https://github.com/kernel-patches/bpf/actions/runs/9905842936/job/27366435436
      
         [...]
         #89/11   fexit_bpf2bpf/func_replace_global_func:OK
         #89/12   fexit_bpf2bpf/fentry_to_cgroup_bpf:OK
         #89/13   fexit_bpf2bpf/func_replace_progmap:OK
         #89      fexit_bpf2bpf:OK
         Error: The operation was canceled.
      
      Thus more investigation work & fixing is needed before the test can be put
      in place again.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Cc: Puranjay Mohan <puranjay@kernel.org>
      Link: https://lore.kernel.org/bpf/20240705145009.32340-1-puranjay@kernel.org
      517125f6
    • Linus Torvalds's avatar
      Merge tag 'arm-fixes-6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc · e091caf9
      Linus Torvalds authored
      Pull ARM SoC fixes from Arnd Bergmann:
       "Most of these changes are Qualcomm SoC specific and came in just after
        I sent out the last set of fixes. This includes two regression fixes
        for SoC drivers, a defconfig change to ensure the Lenovo X13s is
        usable and 11 changes to DT files to fix regressions and minor
        platform specific issues.
      
        Tony and Chunyan step back from their respective maintainership roles
        on the omap and unisoc platforms, and Christophe in turn takes over
        maintaining some of the Freescale SoC drivers that he has been taking
        care of in practice already.
      
        Lastly, there are two trivial fixes for the davinci and sunxi
        platforms"
      
      * tag 'arm-fixes-6.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
        MAINTAINERS: Update FREESCALE SOC DRIVERS and QUICC ENGINE LIBRARY
        MAINTAINERS: Add more maintainers for omaps
        ARM: davinci: Convert comma to semicolon
        MAINTAINERS: Move myself from SPRD Maintainer to Reviewer
        Revert "dt-bindings: cache: qcom,llcc: correct QDU1000 reg entries"
        arm64: dts: qcom: qdu1000: Fix LLCC reg property
        arm64: dts: qcom: sm6115: add iommu for sdhc_1
        arm64: dts: qcom: x1e80100-crd: fix DAI used for headset recording
        arm64: dts: qcom: x1e80100-crd: fix WCD audio codec TX port mapping
        soc: qcom: pmic_glink: disable UCSI on sc8280xp
        arm64: defconfig: enable Elan i2c-hid driver
        arm64: dts: qcom: sc8280xp-crd: use external pull up for touch reset
        arm64: dts: qcom: sc8280xp-x13s: fix touchscreen power on
        arm64: dts: qcom: x1e80100: Fix PCIe 6a reg offsets and add MHI
        arm64: dts: qcom: sa8775p: Correct IRQ number of EL2 non-secure physical timer
        arm64: dts: allwinner: Fix PMIC interrupt number
        arm64: dts: qcom: sc8280xp: Set status = "reserved" on PSHOLD
        arm64: dts: qcom: x1e80100-*: Allocate some CMA buffers
        arm64: dts: qcom: sc8180x: Fix LLCC reg property again
      e091caf9