-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5TfLwACgkQONu9yGCS
aT5wlRAAhZELK39c78NMCTZKHtKGLsGb2os2IiI7zIRbqNNwnvJi+jAc3kgbS9jP
+W+wnhYFtFisDvqdCQ009I6A0NA1p3Nqy166JplW0iIg1e7rgUKKUfabCN9sJmjh
HGK913cJlHwGmkSxq//sBucBwWhYYGaHec28pZ7uCFATjWrTaH3G4VrvLStuicYR
YgS9MH261tWJKJm5+V2MxnOOI0103+Uey+xVqwSnLlV+qmasxwDCMU5ae+SK7e7f
cXIkNZwvDph1zunekHg+jd64GN3GYswXVcRighWP0n7Lr+0tGPN7SY5pvZIjZLv/
sdroyrqAxytTYP32hypIUgsToVvJr7zXD09LGdsgOCKVwFVn8yl1e4zgGKH3L9Xu
OK2krI90v1MVevibyaNndZ4UDKilF75oE2YYDOFW/BU1lorFAIzk4hh15CfKc8s1
KHRjePfcgQREs/SGK8k2BAmf/JwxFN1/Ro5dl7MvKn07ZYqx6QOwUoMhgxspIntN
9TlFw6elu1RSwu2BFts9wvoHO1tr7GZBa1cVkNF8qV1rzaGVY68aLDvvHGdffD6W
JgX+BCfr6vcN7R4izak1RxzAoqDrRxS0vWoC1vVsPqeIIZydSxpYDquaFnbZm+Wc
MRuh5gpQ2PzTXuMLeBB+ig6UnzsAO3x+3yIG/l5ZmmYxJbMFBKU=
=zE/i
-----END PGP SIGNATURE-----
Merge 4.19.106 into android-4.19
Changes in 4.19.106
core: Don't skip generic XDP program execution for cloned SKBs
enic: prevent waking up stopped tx queues over watchdog reset
net/smc: fix leak of kernel memory to user space
net: dsa: tag_qca: Make sure there is headroom for tag
net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS
net/sched: flower: add missing validation of TCA_FLOWER_FLAGS
Revert "KVM: nVMX: Use correct root level for nested EPT shadow page tables"
Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs"
KVM: nVMX: Use correct root level for nested EPT shadow page tables
drm/gma500: Fixup fbdev stolen size usage evaluation
cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order
brcmfmac: Fix use after free in brcmf_sdio_readframes()
leds: pca963x: Fix open-drain initialization
ext4: fix ext4_dax_read/write inode locking sequence for IOCB_NOWAIT
ALSA: ctl: allow TLV read operation for callback type of element in locked case
gianfar: Fix TX timestamping with a stacked DSA driver
pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
pxa168fb: Fix the function used to release some memory in an error handling path
media: i2c: mt9v032: fix enum mbus codes and frame sizes
powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number
gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in grgpio_irq_map/unmap()
iommu/vt-d: Fix off-by-one in PASID allocation
char/random: silence a lockdep splat with printk()
media: sti: bdisp: fix a possible sleep-in-atomic-context bug in bdisp_device_run()
pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins
efi/x86: Map the entire EFI vendor string before copying it
MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init()
sparc: Add .exit.data section.
uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()
usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe()
usb: dwc2: Fix IN FIFO allocation
clocksource/drivers/bcm2835_timer: Fix memory leak of timer
kselftest: Minimise dependency of get_size on C library interfaces
jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal
x86/sysfb: Fix check for bad VRAM size
pwm: omap-dmtimer: Simplify error handling
s390/pci: Fix possible deadlock in recover_store()
powerpc/iov: Move VF pdev fixup into pcibios_fixup_iov()
tracing: Fix tracing_stat return values in error handling paths
tracing: Fix very unlikely race of registering two stat tracers
ARM: 8952/1: Disable kmemleak on XIP kernels
ext4, jbd2: ensure panic when aborting with zero errno
ath10k: Correct the DMA direction for management tx buffers
drm/amd/display: Retrain dongles when SINK_COUNT becomes non-zero
nbd: add a flush_workqueue in nbd_start_device
KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups
kconfig: fix broken dependency in randconfig-generated .config
clk: qcom: rcg2: Don't crash if our parent can't be found; return an error
drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table
drm/amdgpu: Ensure ret is always initialized when using SOC15_WAIT_ON_RREG
regulator: rk808: Lower log level on optional GPIOs being not available
net/wan/fsl_ucc_hdlc: reject muram offsets above 64K
NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu().
selinux: fall back to ref-walk if audit is required
arm64: dts: allwinner: H6: Add PMU mode
arm: dts: allwinner: H3: Add PMU node
selinux: ensure we cleanup the internal AVC counters on error in avc_insert()
arm64: dts: qcom: msm8996: Disable USB2 PHY suspend by core
ARM: dts: imx6: rdu2: Disable WP for USDHC2 and USDHC3
ARM: dts: imx6: rdu2: Limit USBH1 to Full Speed
PCI: iproc: Apply quirk_paxc_bridge() for module as well as built-in
media: cx23885: Add support for AVerMedia CE310B
PCI: Add generic quirk for increasing D3hot delay
PCI: Increase D3 delay for AMD Ryzen5/7 XHCI controllers
media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros
reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
r8169: check that Realtek PHY driver module is loaded
fore200e: Fix incorrect checks of NULL pointer dereference
netfilter: nft_tunnel: add the missing ERSPAN_VERSION nla_policy
ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
b43legacy: Fix -Wcast-function-type
ipw2x00: Fix -Wcast-function-type
iwlegacy: Fix -Wcast-function-type
rtlwifi: rtl_pci: Fix -Wcast-function-type
orinoco: avoid assertion in case of NULL pointer
ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
scsi: ufs: Complete pending requests in host reset and restore path
scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
drm/mediatek: handle events when enabling/disabling crtc
ARM: dts: r8a7779: Add device node for ARM global timer
selinux: ensure we cleanup the internal AVC counters on error in avc_update()
dmaengine: Store module owner in dma_device struct
dmaengine: imx-sdma: Fix memory leak
crypto: chtls - Fixed memory leak
x86/vdso: Provide missing include file
PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC dependency
pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
reset: uniphier: Add SCSSI reset control for each channel
RDMA/rxe: Fix error type of mmap_offset
clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock
ALSA: sh: Fix unused variable warnings
clk: uniphier: Add SCSSI clock gate for each channel
ALSA: sh: Fix compile warning wrt const
tools lib api fs: Fix gcc9 stringop-truncation compilation error
ACPI: button: Add DMI quirk for Razer Blade Stealth 13 late 2019 lid switch
mlx5: work around high stack usage with gcc
drm: remove the newline for CRC source name.
ARM: dts: stm32: Add power-supply for DSI panel on stm32f469-disco
usbip: Fix unsafe unaligned pointer usage
udf: Fix free space reporting for metadata and virtual partitions
staging: rtl8188: avoid excessive stack usage
IB/hfi1: Add software counter for ctxt0 seq drop
soc/tegra: fuse: Correct straps' address for older Tegra124 device trees
efi/x86: Don't panic or BUG() on non-critical error conditions
rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
Input: edt-ft5x06 - work around first register access error
x86/nmi: Remove irq_work from the long duration NMI handler
wan: ixp4xx_hss: fix compile-testing on 64-bit
ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
tty: synclinkmp: Adjust indentation in several functions
tty: synclink_gt: Adjust indentation in several functions
visorbus: fix uninitialized variable access
driver core: platform: Prevent resouce overflow from causing infinite loops
driver core: Print device when resources present in really_probe()
bpf: Return -EBADRQC for invalid map type in __bpf_tx_xdp_map
vme: bridges: reduce stack usage
drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new()
drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw
drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler
drm/nouveau/drm/ttm: Remove set but not used variable 'mem'
drm/nouveau/fault/gv100-: fix memory leak on module unload
drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue
iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
f2fs: set I_LINKABLE early to avoid wrong access by vfs
f2fs: free sysfs kobject
scsi: iscsi: Don't destroy session if there are outstanding connections
arm64: fix alternatives with LLVM's integrated assembler
drm/amd/display: fixup DML dependencies
watchdog/softlockup: Enforce that timestamp is valid on boot
f2fs: fix memleak of kobject
x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd
pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional
cmd64x: potential buffer overflow in cmd64x_program_timings()
ide: serverworks: potential overflow in svwks_set_pio_mode()
pwm: Remove set but not set variable 'pwm'
btrfs: fix possible NULL-pointer dereference in integrity checks
btrfs: safely advance counter when looking up bio csums
btrfs: device stats, log when stats are zeroed
module: avoid setting info->name early in case we can fall back to info->mod->name
remoteproc: Initialize rproc_class before use
irqchip/mbigen: Set driver .suppress_bind_attrs to avoid remove problems
ALSA: hda/hdmi - add retry logic to parse_intel_hdmi()
kbuild: use -S instead of -E for precise cc-option test in Kconfig
x86/decoder: Add TEST opcode to Group3-2
s390: adjust -mpacked-stack support check for clang 10
s390/ftrace: generate traced function stack frame
driver core: platform: fix u32 greater or equal to zero comparison
ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
drm/nouveau/mmu: fix comptag memory leak
powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV
bcache: cached_dev_free needs to put the sb page
iommu/vt-d: Remove unnecessary WARN_ON_ONCE()
selftests: bpf: Reset global state between reuseport test runs
jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record
jbd2: make sure ESHUTDOWN to be recorded in the journal superblock
ARM: 8951/1: Fix Kexec compilation issue.
hostap: Adjust indentation in prism2_hostapd_add_sta
iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
cifs: fix NULL dereference in match_prepath
bpf: map_seq_next should always increase position index
ceph: check availability of mds cluster on mount after wait timeout
rbd: work around -Wuninitialized warning
irqchip/gic-v3: Only provision redistributors that are enabled in ACPI
drm/nouveau/disp/nv50-: prevent oops when no channel method map provided
ftrace: fpid_next() should increase position index
trigger_next should increase position index
radeon: insert 10ms sleep in dce5_crtc_load_lut
ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans()
lib/scatterlist.c: adjust indentation in __sg_alloc_table
reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
bcache: explicity type cast in bset_bkey_last()
irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building INVALL
iwlwifi: mvm: Fix thermal zone registration
microblaze: Prevent the overflow of the start
brd: check and limit max_part par
drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_latency
drm/amdgpu/smu10: fix smu10_get_clock_by_type_with_voltage
NFS: Fix memory leaks
help_next should increase position index
cifs: log warning message (once) if out of disk space
virtio_balloon: prevent pfn array overflow
mlxsw: spectrum_dpipe: Add missing error path
drm/amdgpu/display: handle multiple numbers of fclks in dcn_calcs.c (v2)
Linux 4.19.106
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ia1032b50dd82b42e13973120dcbf94ae7b864648
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4u6tsACgkQONu9yGCS
aT693A//TExeDRnNnf+2v4TJorylyRr17BMxk/Ie2L5E6d2n/RWodsrOThAPU9tx
5alNUkXCT8Jd31BUVnUoPoAQ4zSymSVi++XEf05wDeO0tQ982IESGaLmu9EC1uMF
nnM5y4IdRYmFI1Zji4h5vRJckoYUlB6Mdg4BgMr4Q1KX7RkZYfe6bjs7DwM/uyMx
jVXdFaQBD1H6F5W6A+GmgUZ36g9uNqzcBxxWwv5URj+q816NdI4bsxIJMF0v0WC+
S54fmpS07QWIYKKsQBUepeSgEF4ECESOE2VoF1ICcnfakdPnDBmNgyPJPSrLmVf+
itRUxoH1MewaOvoJrv+xsGBPmM29LcKH2oBmj5DR2Xstp7ACPs+OtXJEU9dUTDN4
NhaSts5fIp0f4Y5mMn508pDUwYDAWDt99ZJWdx6aK/TRyUsHBgpxBQDt37BE3U5W
PCBnObNe2b2KDAsVXLjX5iDYoA0+usFreveMo8uEP+ohfh0ANvJlRkzedYw7NquI
ZCcT+I1P9q8aa0528tR332VLrQeYg+kG6LVi2kAabmRA/VtEsT0w90MY/eo2vuTU
WlPmbs2yerv2HTm050e6MOgBZfPh7wP/FpbjsSXufj7EDywlfxF+1hXdwfrpPJeN
fN3g0kepeUp7+kLzO40FLam/z5ndjAUhyN2SBaPzGsXjMkZdETk=
=zvlh
-----END PGP SIGNATURE-----
Merge 4.19.99 into android-4.19
Changes in 4.19.99
Revert "efi: Fix debugobjects warning on 'efi_rts_work'"
xfs: Sanity check flags of Q_XQUOTARM call
i2c: stm32f7: rework slave_id allocation
i2c: i2c-stm32f7: fix 10-bits check in slave free id search loop
mfd: intel-lpss: Add default I2C device properties for Gemini Lake
SUNRPC: Fix svcauth_gss_proxy_init()
powerpc/pseries: Enable support for ibm,drc-info property
powerpc/archrandom: fix arch_get_random_seed_int()
tipc: update mon's self addr when node addr generated
tipc: fix wrong timeout input for tipc_wait_for_cond()
mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
crypto: sun4i-ss - fix big endian issues
perf map: No need to adjust the long name of modules
soc: aspeed: Fix snoop_file_poll()'s return type
watchdog: sprd: Fix the incorrect pointer getting from driver data
ipmi: Fix memory leak in __ipmi_bmc_register
drm/sti: do not remove the drm_bridge that was never added
ARM: dts: at91: nattis: set the PRLUD and HIPOW signals low
ARM: dts: at91: nattis: make the SD-card slot work
ixgbe: don't clear IPsec sa counters on HW clearing
drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
iio: fix position relative kernel version
apparmor: Fix network performance issue in aa_label_sk_perm
ALSA: hda: fix unused variable warning
apparmor: don't try to replace stale label in ptrace access check
ARM: qcom_defconfig: Enable MAILBOX
firmware: coreboot: Let OF core populate platform device
PCI: iproc: Remove PAXC slot check to allow VF support
bridge: br_arp_nd_proxy: set icmp6_router if neigh has NTF_ROUTER
drm/hisilicon: hibmc: Don't overwrite fb helper surface depth
signal/ia64: Use the generic force_sigsegv in setup_frame
signal/ia64: Use the force_sig(SIGSEGV,...) in ia64_rt_sigreturn
ASoC: wm9712: fix unused variable warning
mailbox: mediatek: Add check for possible failure of kzalloc
IB/rxe: replace kvfree with vfree
IB/hfi1: Add mtu check for operational data VLs
genirq/debugfs: Reinstate full OF path for domain name
usb: dwc3: add EXTCON dependency for qcom
usb: gadget: fsl_udc_core: check allocation return value and cleanup on failure
cfg80211: regulatory: make initialization more robust
mei: replace POLL* with EPOLL* for write queues.
drm/msm: fix unsigned comparison with less than zero
of: Fix property name in of_node_get_device_type
ALSA: usb-audio: update quirk for B&W PX to remove microphone
iwlwifi: nvm: get num of hw addresses from firmware
staging: comedi: ni_mio_common: protect register write overflow
netfilter: nft_osf: usage from output path is not valid
pwm: lpss: Release runtime-pm reference from the driver's remove callback
powerpc/pseries/memory-hotplug: Fix return value type of find_aa_index
rtlwifi: rtl8821ae: replace _rtl8821ae_mrate_idx_to_arfr_id with generic version
RDMA/bnxt_re: Add missing spin lock initialization
netfilter: nf_flow_table: do not remove offload when other netns's interface is down
powerpc/kgdb: add kgdb_arch_set/remove_breakpoint()
tipc: eliminate message disordering during binding table update
net: socionext: Add dummy PHY register read in phy_write()
drm/sun4i: hdmi: Fix double flag assignation
net: hns3: add error handler for hns3_nic_init_vector_data()
mlxsw: reg: QEEC: Add minimum shaper fields
mlxsw: spectrum: Set minimum shaper on MC TCs
NTB: ntb_hw_idt: replace IS_ERR_OR_NULL with regular NULL checks
ASoC: wm97xx: fix uninitialized regmap pointer problem
ARM: dts: bcm283x: Correct mailbox register sizes
pcrypt: use format specifier in kobject_add
ASoC: sun8i-codec: add missing route for ADC
pinctrl: meson-gxl: remove invalid GPIOX tsin_a pins
bus: ti-sysc: Add mcasp optional clocks flag
exportfs: fix 'passing zero to ERR_PTR()' warning
drm: rcar-du: Fix the return value in case of error in 'rcar_du_crtc_set_crc_source()'
drm: rcar-du: Fix vblank initialization
net: always initialize pagedlen
drm/dp_mst: Skip validating ports during destruction, just ref
arm64: dts: meson-gx: Add hdmi_5v regulator as hdmi tx supply
arm64: dts: renesas: r8a7795-es1: Add missing power domains to IPMMU nodes
net: phy: Fix not to call phy_resume() if PHY is not attached
IB/hfi1: Correctly process FECN and BECN in packets
OPP: Fix missing debugfs supply directory for OPPs
IB/rxe: Fix incorrect cache cleanup in error flow
mailbox: ti-msgmgr: Off by one in ti_msgmgr_of_xlate()
staging: bcm2835-camera: Abort probe if there is no camera
staging: bcm2835-camera: fix module autoloading
switchtec: Remove immediate status check after submitting MRPC command
ipv6: add missing tx timestamping on IPPROTO_RAW
pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group
pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group
pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group
pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group
pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group
pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field
pinctrl: sh-pfc: r8a77970: Add missing MOD_SEL0 field
pinctrl: sh-pfc: r8a77980: Add missing MOD_SEL0 field
pinctrl: sh-pfc: sh7734: Add missing IPSR11 field
pinctrl: sh-pfc: r8a77995: Remove bogus SEL_PWM[0-3]_3 configurations
pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field
pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value
net: hns3: fix error handling int the hns3_get_vector_ring_chain
vxlan: changelink: Fix handling of default remotes
Input: nomadik-ske-keypad - fix a loop timeout test
fork,memcg: fix crash in free_thread_stack on memcg charge fail
clk: highbank: fix refcount leak in hb_clk_init()
clk: qoriq: fix refcount leak in clockgen_init()
clk: ti: fix refcount leak in ti_dt_clocks_register()
clk: socfpga: fix refcount leak
clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
clk: imx6q: fix refcount leak in imx6q_clocks_init()
clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
clk: imx7d: fix refcount leak in imx7d_clocks_init()
clk: vf610: fix refcount leak in vf610_clocks_init()
clk: armada-370: fix refcount leak in a370_clk_init()
clk: kirkwood: fix refcount leak in kirkwood_clk_init()
clk: armada-xp: fix refcount leak in axp_clk_init()
clk: mv98dx3236: fix refcount leak in mv98dx3236_clk_init()
clk: dove: fix refcount leak in dove_clk_init()
MIPS: BCM63XX: drop unused and broken DSP platform device
arm64: defconfig: Re-enable bcm2835-thermal driver
remoteproc: qcom: q6v5-mss: Add missing clocks for MSM8996
remoteproc: qcom: q6v5-mss: Add missing regulator for MSM8996
drm: Fix error handling in drm_legacy_addctx
ARM: dts: r8a7743: Remove generic compatible string from iic3
drm/etnaviv: fix some off by one bugs
drm/fb-helper: generic: Fix setup error path
fork, memcg: fix cached_stacks case
IB/usnic: Fix out of bounds index check in query pkey
RDMA/ocrdma: Fix out of bounds index check in query pkey
RDMA/qedr: Fix out of bounds index check in query pkey
drm/shmob: Fix return value check in shmob_drm_probe
arm64: dts: apq8016-sbc: Increase load on l11 for SDCARD
spi: cadence: Correct initialisation of runtime PM
RDMA/iw_cxgb4: Fix the unchecked ep dereference
net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031
memory: tegra: Don't invoke Tegra30+ specific memory timing setup on Tegra20
drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump()
media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
kbuild: mark prepare0 as PHONY to fix external module build
crypto: brcm - Fix some set-but-not-used warning
crypto: tgr192 - fix unaligned memory access
ASoC: imx-sgtl5000: put of nodes if finding codec fails
IB/iser: Pass the correct number of entries for dma mapped SGL
net: hns3: fix wrong combined count returned by ethtool -l
media: tw9910: Unregister subdevice with v4l2-async
IB/mlx5: Don't override existing ip_protocol
rtc: cmos: ignore bogus century byte
spi/topcliff_pch: Fix potential NULL dereference on allocation error
net: hns3: fix bug of ethtool_ops.get_channels for VF
ARM: dts: sun8i-a23-a33: Move NAND controller device node to sort by address
clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it
iwlwifi: mvm: avoid possible access out of array.
net/mlx5: Take lock with IRQs disabled to avoid deadlock
ip_tunnel: Fix route fl4 init in ip_md_tunnel_xmit
arm64: dts: allwinner: h6: Move GIC device node fix base address ordering
iwlwifi: mvm: fix A-MPDU reference assignment
bus: ti-sysc: Fix timer handling with drop pm_runtime_irq_safe()
tty: ipwireless: Fix potential NULL pointer dereference
driver: uio: fix possible memory leak in __uio_register_device
driver: uio: fix possible use-after-free in __uio_register_device
crypto: crypto4xx - Fix wrong ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments
driver core: Fix DL_FLAG_AUTOREMOVE_SUPPLIER device link flag handling
driver core: Avoid careless re-use of existing device links
driver core: Do not resume suppliers under device_links_write_lock()
driver core: Fix handling of runtime PM flags in device_link_add()
driver core: Do not call rpm_put_suppliers() in pm_runtime_drop_link()
ARM: dts: lpc32xx: add required clocks property to keypad device node
ARM: dts: lpc32xx: reparent keypad controller to SIC1
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller clocks property
ARM: dts: lpc32xx: phy3250: fix SD card regulator voltage
drm/xen-front: Fix mmap attributes for display buffers
iwlwifi: mvm: fix RSS config command
staging: most: cdev: add missing check for cdev_add failure
clk: ingenic: jz4740: Fix gating of UDC clock
rtc: ds1672: fix unintended sign extension
thermal: mediatek: fix register index error
arm64: dts: msm8916: remove bogus argument to the cpu clock
ath10k: fix dma unmap direction for management frames
net: phy: fixed_phy: Fix fixed_phy not checking GPIO
rtc: ds1307: rx8130: Fix alarm handling
net/smc: original socket family in inet_sock_diag
rtc: 88pm860x: fix unintended sign extension
rtc: 88pm80x: fix unintended sign extension
rtc: pm8xxx: fix unintended sign extension
fbdev: chipsfb: remove set but not used variable 'size'
iw_cxgb4: use tos when importing the endpoint
iw_cxgb4: use tos when finding ipv6 routes
ipmi: kcs_bmc: handle devm_kasprintf() failure case
xsk: add missing smp_rmb() in xsk_mmap
drm/etnaviv: potential NULL dereference
ntb_hw_switchtec: debug print 64bit aligned crosslink BAR Numbers
ntb_hw_switchtec: NT req id mapping table register entry number should be 512
pinctrl: sh-pfc: emev2: Add missing pinmux functions
pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
pinctrl: sh-pfc: r8a7792: Fix vin1_data18_b pin group
pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
RDMA/mlx5: Fix memory leak in case we fail to add an IB device
driver core: Fix possible supplier PM-usage counter imbalance
PCI: endpoint: functions: Use memcpy_fromio()/memcpy_toio()
usb: phy: twl6030-usb: fix possible use-after-free on remove
block: don't use bio->bi_vcnt to figure out segment number
keys: Timestamp new keys
net: dsa: b53: Fix default VLAN ID
net: dsa: b53: Properly account for VLAN filtering
net: dsa: b53: Do not program CPU port's PVID
mt76: usb: fix possible memory leak in mt76u_buf_free
media: sh: migor: Include missing dma-mapping header
vfio_pci: Enable memory accesses before calling pci_map_rom
hwmon: (pmbus/tps53679) Fix driver info initialization in probe routine
mdio_bus: Fix PTR_ERR() usage after initialization to constant
KVM: PPC: Release all hardware TCE tables attached to a group
staging: r8822be: check kzalloc return or bail
dmaengine: mv_xor: Use correct device for DMA API
cdc-wdm: pass return value of recover_from_urb_loss
brcmfmac: create debugfs files for bus-specific layer
regulator: pv88060: Fix array out-of-bounds access
regulator: pv88080: Fix array out-of-bounds access
regulator: pv88090: Fix array out-of-bounds access
net: dsa: qca8k: Enable delay for RGMII_ID mode
net/mlx5: Delete unused FPGA QPN variable
drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON
drm/nouveau/pmu: don't print reply values if exec is false
drm/nouveau: fix missing break in switch statement
driver core: Fix PM-runtime for links added during consumer probe
ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of()
net: dsa: fix unintended change of bridge interface STP state
fs/nfs: Fix nfs_parse_devname to not modify it's argument
staging: rtlwifi: Use proper enum for return in halmac_parse_psd_data_88xx
powerpc/64s: Fix logic when handling unknown CPU features
NFS: Fix a soft lockup in the delegation recovery code
perf: Copy parent's address filter offsets on clone
perf, pt, coresight: Fix address filters for vmas with non-zero offset
clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable
clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
platform/x86: wmi: fix potential null pointer dereference
NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount
mmc: sdhci-brcmstb: handle mmc_of_parse() errors during probe
iommu: Fix IOMMU debugfs fallout
ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used
ARM: 8848/1: virt: Align GIC version check with arm64 counterpart
ARM: 8849/1: NOMMU: Fix encodings for PMSAv8's PRBAR4/PRLAR4
regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
ath10k: Fix length of wmi tlv command for protected mgmt frames
netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
netfilter: nft_set_hash: bogus element self comparison from deactivation path
net: sched: act_csum: Fix csum calc for tagged packets
hwrng: bcm2835 - fix probe as platform device
iommu/vt-d: Fix NULL pointer reference in intel_svm_bind_mm()
NFS: Add missing encode / decode sequence_maxsz to v4.2 operations
NFSv4/flexfiles: Fix invalid deref in FF_LAYOUT_DEVID_NODE()
net: aquantia: fixed instack structure overflow
powerpc/mm: Check secondary hash page table
media: dvb/earth-pt1: fix wrong initialization for demod blocks
rbd: clear ->xferred on error from rbd_obj_issue_copyup()
PCI: Fix "try" semantics of bus and slot reset
nios2: ksyms: Add missing symbol exports
x86/mm: Remove unused variable 'cpu'
scsi: megaraid_sas: reduce module load time
nfp: fix simple vNIC mailbox length
drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
xen, cpu_hotplug: Prevent an out of bounds access
net/mlx5: Fix multiple updates of steering rules in parallel
net/mlx5e: IPoIB, Fix RX checksum statistics update
net: sh_eth: fix a missing check of of_get_phy_mode
regulator: lp87565: Fix missing register for LP87565_BUCK_0
soc: amlogic: gx-socinfo: Add mask for each SoC packages
media: ivtv: update *pos correctly in ivtv_read_pos()
media: cx18: update *pos correctly in cx18_read_pos()
media: wl128x: Fix an error code in fm_download_firmware()
media: cx23885: check allocation return
regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB
crypto: ccree - reduce kernel stack usage with clang
jfs: fix bogus variable self-initialization
tipc: tipc clang warning
m68k: mac: Fix VIA timer counter accesses
ARM: dts: sun8i: a33: Reintroduce default pinctrl muxing
arm64: dts: allwinner: a64: Add missing PIO clocks
ARM: dts: sun9i: optimus: Fix fixed-regulators
net: phy: don't clear BMCR in genphy_soft_reset
ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset()
net: dsa: Avoid null pointer when failing to connect to PHY
soc: qcom: cmd-db: Fix an error code in cmd_db_dev_probe()
media: davinci-isif: avoid uninitialized variable use
media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
spi: tegra114: clear packed bit for unpacked mode
spi: tegra114: fix for unpacked mode transfers
spi: tegra114: terminate dma and reset on transfer timeout
spi: tegra114: flush fifos
spi: tegra114: configure dma burst size to fifo trig level
bus: ti-sysc: Fix sysc_unprepare() when no clocks have been allocated
soc/fsl/qe: Fix an error code in qe_pin_request()
spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios
drm/fb-helper: generic: Call drm_client_add() after setup is done
arm64/vdso: don't leak kernel addresses
rtc: Fix timestamp value for RTC_TIMESTAMP_BEGIN_1900
rtc: mt6397: Don't call irq_dispose_mapping.
ehea: Fix a copy-paste err in ehea_init_port_res
bpf: Add missed newline in verifier verbose log
drm/vmwgfx: Remove set but not used variable 'restart'
scsi: qla2xxx: Unregister chrdev if module initialization fails
of: use correct function prototype for of_overlay_fdt_apply()
net/sched: cbs: fix port_rate miscalculation
clk: qcom: Skip halt checks on gcc_pcie_0_pipe_clk for 8998
ACPI: button: reinitialize button state upon resume
firmware: arm_scmi: fix of_node leak in scmi_mailbox_check
rxrpc: Fix detection of out of order acks
scsi: target/core: Fix a race condition in the LUN lookup code
brcmfmac: fix leak of mypkt on error return path
ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data"
PCI: rockchip: Fix rockchip_pcie_ep_assert_intx() bitwise operations
net: hns3: fix for vport->bw_limit overflow problem
hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses
perf/core: Fix the address filtering fix
staging: android: vsoc: fix copy_from_user overrun
PCI: dwc: Fix dw_pcie_ep_find_capability() to return correct capability offset
soc: amlogic: meson-gx-pwrc-vpu: Fix power on/off register bitmask
platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer
tipc: set sysctl_tipc_rmem and named_timeout right range
usb: typec: tcpm: Notify the tcpc to start connection-detection for SRPs
selftests/ipc: Fix msgque compiler warnings
net: hns3: fix loop condition of hns3_get_tx_timeo_queue_info()
powerpc: vdso: Make vdso32 installation conditional in vdso_install
ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect
media: ov2659: fix unbalanced mutex_lock/unlock
6lowpan: Off by one handling ->nexthdr
dmaengine: axi-dmac: Don't check the number of frames for alignment
ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk()
afs: Fix AFS file locking to allow fine grained locks
afs: Further fix file locking
NFS: Don't interrupt file writeout due to fatal errors
coresight: catu: fix clang build warning
s390/kexec_file: Fix potential segment overlap in ELF loader
irqchip/gic-v3-its: fix some definitions of inner cacheability attributes
scsi: qla2xxx: Fix a format specifier
scsi: qla2xxx: Fix error handling in qlt_alloc_qfull_cmd()
scsi: qla2xxx: Avoid that qlt_send_resp_ctio() corrupts memory
KVM: PPC: Book3S HV: Fix lockdep warning when entering the guest
netfilter: nft_flow_offload: add entry to flowtable after confirmation
PCI: iproc: Enable iProc config read for PAXBv2
ARM: dts: logicpd-som-lv: Fix MMC1 card detect
packet: in recvmsg msg_name return at least sizeof sockaddr_ll
ASoC: fix valid stream condition
usb: gadget: fsl: fix link error against usb-gadget module
dwc2: gadget: Fix completed transfer size calculation in DDMA
IB/mlx5: Add missing XRC options to QP optional params mask
RDMA/rxe: Consider skb reserve space based on netdev of GID
iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU
net: ena: fix swapped parameters when calling ena_com_indirect_table_fill_entry
net: ena: fix: Free napi resources when ena_up() fails
net: ena: fix incorrect test of supported hash function
net: ena: fix ena_com_fill_hash_function() implementation
dmaengine: tegra210-adma: restore channel status
watchdog: rtd119x_wdt: Fix remove function
mmc: core: fix possible use after free of host
lightnvm: pblk: fix lock order in pblk_rb_tear_down_check
ath10k: Fix encoding for protected management frames
afs: Fix the afs.cell and afs.volume xattr handlers
vfio/mdev: Avoid release parent reference during error path
vfio/mdev: Follow correct remove sequence
vfio/mdev: Fix aborting mdev child device removal if one fails
l2tp: Fix possible NULL pointer dereference
ALSA: aica: Fix a long-time build breakage
media: omap_vout: potential buffer overflow in vidioc_dqbuf()
media: davinci/vpbe: array underflow in vpbe_enum_outputs()
platform/x86: alienware-wmi: printing the wrong error code
crypto: caam - fix caam_dump_sg that iterates through scatterlist
netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
pwm: meson: Consider 128 a valid pre-divider
pwm: meson: Don't disable PWM when setting duty repeatedly
ARM: riscpc: fix lack of keyboard interrupts after irq conversion
nfp: bpf: fix static check error through tightening shift amount adjustment
kdb: do a sanity check on the cpu in kdb_per_cpu()
netfilter: nf_tables: correct NFT_LOGLEVEL_MAX value
backlight: lm3630a: Return 0 on success in update_status functions
thermal: rcar_gen3_thermal: fix interrupt type
thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
EDAC/mc: Fix edac_mc_find() in case no device is found
afs: Fix key leak in afs_release() and afs_evict_inode()
afs: Don't invalidate callback if AFS_VNODE_DIR_VALID not set
afs: Fix lock-wait/callback-break double locking
afs: Fix double inc of vnode->cb_break
ARM: dts: sun8i-h3: Fix wifi in Beelink X2 DT
clk: meson: gxbb: no spread spectrum on mpll0
clk: meson: axg: spread spectrum is on mpll2
dmaengine: tegra210-adma: Fix crash during probe
arm64: dts: meson: libretech-cc: set eMMC as removable
RDMA/qedr: Fix incorrect device rate.
spi: spi-fsl-spi: call spi_finalize_current_message() at the end
crypto: ccp - fix AES CFB error exposed by new test vectors
crypto: ccp - Fix 3DES complaint from ccp-crypto module
serial: stm32: fix word length configuration
serial: stm32: fix rx error handling
serial: stm32: fix rx data length when parity enabled
serial: stm32: fix transmit_chars when tx is stopped
serial: stm32: Add support of TC bit status check
serial: stm32: fix wakeup source initialization
misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa
iommu: Add missing new line for dma type
iommu: Use right function to get group for device
signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig
signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig
inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
net: hns3: fix a memory leak issue for hclge_map_unmap_ring_to_vf_vector
crypto: talitos - fix AEAD processing.
netvsc: unshare skb in VF rx handler
net: core: support XDP generic on stacked devices.
RDMA/uverbs: check for allocation failure in uapi_add_elm()
net: don't clear sock->sk early to avoid trouble in strparser
phy: qcom-qusb2: fix missing assignment of ret when calling clk_prepare_enable
cpufreq: brcmstb-avs-cpufreq: Fix initial command check
cpufreq: brcmstb-avs-cpufreq: Fix types for voltage/frequency
clk: sunxi-ng: sun50i-h6-r: Fix incorrect W1 clock gate register
media: vivid: fix incorrect assignment operation when setting video mode
crypto: inside-secure - fix zeroing of the request in ahash_exit_inv
crypto: inside-secure - fix queued len computation
arm64: dts: renesas: ebisu: Remove renesas, no-ether-link property
mpls: fix warning with multi-label encap
serial: stm32: fix a recursive locking in stm32_config_rs485
arm64: dts: meson-gxm-khadas-vim2: fix gpio-keys-polled node
arm64: dts: meson-gxm-khadas-vim2: fix Bluetooth support
iommu/vt-d: Duplicate iommu_resv_region objects per device list
phy: usb: phy-brcm-usb: Remove sysfs attributes upon driver removal
firmware: arm_scmi: fix bitfield definitions for SENSOR_DESC attributes
firmware: arm_scmi: update rate_discrete in clock_describe_rates_get
ntb_hw_switchtec: potential shift wrapping bug in switchtec_ntb_init_sndev()
ASoC: meson: axg-tdmin: right_j is not supported
ASoC: meson: axg-tdmout: right_j is not supported
qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state
qed: iWARP - fix uninitialized callback
powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild
powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration
bpf: fix the check that forwarding is enabled in bpf_ipv6_fib_lookup
IB/hfi1: Handle port down properly in pio
drm/msm/mdp5: Fix mdp5_cfg_init error return
net: netem: fix backlog accounting for corrupted GSO frames
net/udp_gso: Allow TX timestamp with UDP GSO
net/af_iucv: build proper skbs for HiperTransport
net/af_iucv: always register net_device notifier
ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs
rtc: pcf8563: Fix interrupt trigger method
rtc: pcf8563: Clear event flags and disable interrupts before requesting irq
ARM: dts: iwg20d-q7-common: Fix SDHI1 VccQ regularor
net/sched: cbs: Fix error path of cbs_module_init
arm64: dts: allwinner: h6: Pine H64: Add interrupt line for RTC
drm/msm/a3xx: remove TPL1 regs from snapshot
ip6_fib: Don't discard nodes with valid routing information in fib6_locate_1()
perf/ioctl: Add check for the sample_period value
dmaengine: hsu: Revert "set HSU_CH_MTSR to memory width"
clk: qcom: Fix -Wunused-const-variable
nvmem: imx-ocotp: Ensure WAIT bits are preserved when setting timing
nvmem: imx-ocotp: Change TIMING calculation to u-boot algorithm
tools: bpftool: use correct argument in cgroup errors
backlight: pwm_bl: Fix heuristic to determine number of brightness levels
fork,memcg: alloc_thread_stack_node needs to set tsk->stack
bnxt_en: Fix ethtool selftest crash under error conditions.
bnxt_en: Suppress error messages when querying DSCP DCB capabilities.
iommu/amd: Make iommu_disable safer
mfd: intel-lpss: Release IDA resources
rxrpc: Fix uninitialized error code in rxrpc_send_data_packet()
xprtrdma: Fix use-after-free in rpcrdma_post_recvs
um: Fix IRQ controller regression on console read
PM: ACPI/PCI: Resume all devices during hibernation
ACPI: PM: Simplify and fix PM domain hibernation callbacks
ACPI: PM: Introduce "poweroff" callbacks for ACPI PM domain and LPSS
fsi/core: Fix error paths on CFAM init
devres: allow const resource arguments
fsi: sbefifo: Don't fail operations when in SBE IPL state
RDMA/hns: Fixs hw access invalid dma memory error
PCI: mobiveil: Remove the flag MSI_FLAG_MULTI_PCI_MSI
PCI: mobiveil: Fix devfn check in mobiveil_pcie_valid_device()
PCI: mobiveil: Fix the valid check for inbound and outbound windows
ceph: fix "ceph.dir.rctime" vxattr value
net: pasemi: fix an use-after-free in pasemi_mac_phy_init()
net/tls: fix socket wmem accounting on fallback with netem
x86/pgtable/32: Fix LOWMEM_PAGES constant
xdp: fix possible cq entry leak
ARM: stm32: use "depends on" instead of "if" after prompt
scsi: libfc: fix null pointer dereference on a null lport
xfrm interface: ifname may be wrong in logs
drm/panel: make drm_panel.h self-contained
clk: sunxi-ng: v3s: add the missing PLL_DDR1
PM: sleep: Fix possible overflow in pm_system_cancel_wakeup()
libertas_tf: Use correct channel range in lbtf_geo_init
qed: reduce maximum stack frame size
usb: host: xhci-hub: fix extra endianness conversion
media: rcar-vin: Clean up correct notifier in error path
mic: avoid statically declaring a 'struct device'.
x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI
crypto: ccp - Reduce maximum stack usage
ALSA: aoa: onyx: always initialize register read value
arm64: dts: renesas: r8a77995: Fix register range of display node
tipc: reduce risk of wakeup queue starvation
ARM: dts: stm32: add missing vdda-supply to adc on stm32h743i-eval
net/mlx5: Fix mlx5_ifc_query_lag_out_bits
cifs: fix rmmod regression in cifs.ko caused by force_sig changes
iio: tsl2772: Use devm_add_action_or_reset for tsl2772_chip_off
net: fix bpf_xdp_adjust_head regression for generic-XDP
spi: bcm-qspi: Fix BSPI QUAD and DUAL mode support when using flex mode
cxgb4: smt: Add lock for atomic_dec_and_test
crypto: caam - free resources in case caam_rng registration failed
ext4: set error return correctly when ext4_htree_store_dirent fails
RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver
RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver
ASoC: es8328: Fix copy-paste error in es8328_right_line_controls
ASoC: cs4349: Use PM ops 'cs4349_runtime_pm'
ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls
net/rds: Add a few missing rds_stat_names entries
tools: bpftool: fix arguments for p_err() in do_event_pipe()
tools: bpftool: fix format strings and arguments for jsonw_printf()
drm: rcar-du: lvds: Fix bridge_to_rcar_lvds
bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails
signal: Allow cifs and drbd to receive their terminating signals
powerpc/64s/radix: Fix memory hot-unplug page table split
ASoC: sun4i-i2s: RX and TX counter registers are swapped
dmaengine: dw: platform: Switch to acpi_dma_controller_register()
rtc: rv3029: revert error handling patch to rv3029_eeprom_write()
mac80211: minstrel_ht: fix per-group max throughput rate initialization
i40e: reduce stack usage in i40e_set_fc
media: atmel: atmel-isi: fix timeout value for stop streaming
ARM: 8896/1: VDSO: Don't leak kernel addresses
rtc: pcf2127: bugfix: read rtc disables watchdog
mips: avoid explicit UB in assignment of mips_io_port_base
media: em28xx: Fix exception handling in em28xx_alloc_urbs()
iommu/mediatek: Fix iova_to_phys PA start for 4GB mode
ahci: Do not export local variable ahci_em_messages
rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2]
Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()"
hwmon: (lm75) Fix write operations for negative temperatures
net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate
power: supply: Init device wakeup after device_add()
x86, perf: Fix the dependency of the x86 insn decoder selftest
staging: greybus: light: fix a couple double frees
irqdomain: Add the missing assignment of domain->fwnode for named fwnode
bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
usb: typec: tps6598x: Fix build error without CONFIG_REGMAP_I2C
bcache: Fix an error code in bch_dump_read()
iio: dac: ad5380: fix incorrect assignment to val
netfilter: ctnetlink: honor IPS_OFFLOAD flag
ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init
wcn36xx: use dynamic allocation for large variables
tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs
ARM: dts: aspeed-g5: Fixe gpio-ranges upper limit
xsk: avoid store-tearing when assigning queues
xsk: avoid store-tearing when assigning umem
led: triggers: Fix dereferencing of null pointer
net: sonic: return NETDEV_TX_OK if failed to map buffer
net: hns3: fix error VF index when setting VLAN offload
rtlwifi: Fix file release memory leak
ARM: dts: logicpd-som-lv: Fix i2c2 and i2c3 Pin mux
f2fs: fix wrong error injection path in inc_valid_block_count()
f2fs: fix error path of f2fs_convert_inline_page()
scsi: fnic: fix msix interrupt allocation
Btrfs: fix hang when loading existing inode cache off disk
Btrfs: fix inode cache waiters hanging on failure to start caching thread
Btrfs: fix inode cache waiters hanging on path allocation failure
btrfs: use correct count in btrfs_file_write_iter()
ixgbe: sync the first fragment unconditionally
hwmon: (shtc1) fix shtc1 and shtw1 id mask
net: sonic: replace dev_kfree_skb in sonic_send_packet
pinctrl: iproc-gpio: Fix incorrect pinconf configurations
gpio/aspeed: Fix incorrect number of banks
ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet
RDMA/cma: Fix false error message
net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names'
um: Fix off by one error in IRQ enumeration
bnxt_en: Increase timeout for HWRM_DBG_COREDUMP_XX commands
f2fs: fix to avoid accessing uninitialized field of inode page in is_alive()
mailbox: qcom-apcs: fix max_register value
clk: actions: Fix factor clk struct member access
powerpc/mm/mce: Keep irqs disabled during lockless page table walk
bpf: fix BTF limits
crypto: hisilicon - Matching the dma address for dma_pool_free()
iommu/amd: Wait for completion of IOTLB flush in attach_device
net: aquantia: Fix aq_vec_isr_legacy() return value
cxgb4: Signedness bug in init_one()
net: hisilicon: Fix signedness bug in hix5hd2_dev_probe()
net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe()
net: netsec: Fix signedness bug in netsec_probe()
net: socionext: Fix a signedness bug in ave_probe()
net: stmmac: dwmac-meson8b: Fix signedness bug in probe
net: axienet: fix a signedness bug in probe
of: mdio: Fix a signedness bug in of_phy_get_and_connect()
net: nixge: Fix a signedness bug in nixge_probe()
net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse()
net: sched: cbs: Avoid division by zero when calculating the port rate
nvme: retain split access workaround for capability reads
net: stmmac: gmac4+: Not all Unicast addresses may be available
rxrpc: Fix trace-after-put looking at the put connection record
mac80211: accept deauth frames in IBSS mode
llc: fix another potential sk_buff leak in llc_ui_sendmsg()
llc: fix sk_buff refcounting in llc_conn_state_process()
ip6erspan: remove the incorrect mtu limit for ip6erspan
net: stmmac: fix length of PTP clock's name string
net: stmmac: fix disabling flexible PPS output
sctp: add chunks to sk_backlog when the newsk sk_socket is not set
s390/qeth: Fix error handling during VNICC initialization
s390/qeth: Fix initialization of vnicc cmd masks during set online
act_mirred: Fix mirred_init_module error handling
net: avoid possible false sharing in sk_leave_memory_pressure()
net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head
tcp: annotate lockless access to tcp_memory_pressure
net/smc: receive returns without data
net/smc: receive pending data after RCV_SHUTDOWN
drm/msm/dsi: Implement reset correctly
vhost/test: stop device before reset
dmaengine: imx-sdma: fix size check for sdma script_number
firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices
arm64: hibernate: check pgd table allocation
net: netem: fix error path for corrupted GSO frames
net: netem: correct the parent's backlog when corrupted packet was dropped
xsk: Fix registration of Rx-only sockets
bpf, offload: Unlock on error in bpf_offload_dev_create()
afs: Fix missing timeout reset
net: qca_spi: Move reset_count to struct qcaspi
hv_netvsc: Fix offset usage in netvsc_send_table()
hv_netvsc: Fix send_table offset in case of a host bug
afs: Fix large file support
drm: panel-lvds: Potential Oops in probe error handling
hwrng: omap3-rom - Fix missing clock by probing with device tree
dpaa_eth: perform DMA unmapping before read
dpaa_eth: avoid timestamp read on error paths
MIPS: Loongson: Fix return value of loongson_hwmon_init
hv_netvsc: flag software created hash value
net: neigh: use long type to store jiffies delta
packet: fix data-race in fanout_flow_is_huge()
i2c: stm32f7: report dma error during probe
mmc: sdio: fix wl1251 vendor id
mmc: core: fix wl1251 sdio quirks
affs: fix a memory leak in affs_remount
afs: Remove set but not used variables 'before', 'after'
dmaengine: ti: edma: fix missed failure handling
drm/radeon: fix bad DMA from INTERRUPT_CNTL2
arm64: dts: juno: Fix UART frequency
samples/bpf: Fix broken xdp_rxq_info due to map order assumptions
usb: dwc3: Allow building USB_DWC3_QCOM without EXTCON
IB/iser: Fix dma_nents type definition
serial: stm32: fix clearing interrupt error flags
arm64: dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node
m68k: Call timer_interrupt() with interrupts disabled
Linux 4.19.99
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ieabeab79ea5c8cb4b6b1552702fa5d6100cea5db
[ Upstream commit d0fbb51dfa ]
We need to drop the bpf_devs_lock on error before returning.
Fixes: 9fd7c55591 ("bpf: offload: aggregate offloads per-device")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Link: https://lore.kernel.org/bpf/20191104091536.GB31509@mwanda
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1fbd20f8b7 ]
check_stack_access() that prints verbose log is used in
adjust_ptr_min_max_vals() that prints its own verbose log and now they
stick together, e.g.:
variable stack access var_off=(0xfffffffffffffff0; 0x4) off=-16
size=1R2 stack pointer arithmetic goes out of range, prohibited for
!root
Add missing newline so that log is more readable:
variable stack access var_off=(0xfffffffffffffff0; 0x4) off=-16 size=1
R2 stack pointer arithmetic goes out of range, prohibited for !root
Fixes: f1174f77b5 ("bpf/verifier: rework value tracking")
Signed-off-by: Andrey Ignatov <rdna@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 0af2ffc93a upstream.
Anatoly has been fuzzing with kBdysch harness and reported a hang in one
of the outcomes:
0: R1=ctx(id=0,off=0,imm=0) R10=fp0
0: (85) call bpf_get_socket_cookie#46
1: R0_w=invP(id=0) R10=fp0
1: (57) r0 &= 808464432
2: R0_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x30303030)) R10=fp0
2: (14) w0 -= 810299440
3: R0_w=invP(id=0,umax_value=4294967295,var_off=(0xcf800000; 0x3077fff0)) R10=fp0
3: (c4) w0 s>>= 1
4: R0_w=invP(id=0,umin_value=1740636160,umax_value=2147221496,var_off=(0x67c00000; 0x183bfff8)) R10=fp0
4: (76) if w0 s>= 0x30303030 goto pc+216
221: R0_w=invP(id=0,umin_value=1740636160,umax_value=2147221496,var_off=(0x67c00000; 0x183bfff8)) R10=fp0
221: (95) exit
processed 6 insns (limit 1000000) [...]
Taking a closer look, the program was xlated as follows:
# ./bpftool p d x i 12
0: (85) call bpf_get_socket_cookie#7800896
1: (bf) r6 = r0
2: (57) r6 &= 808464432
3: (14) w6 -= 810299440
4: (c4) w6 s>>= 1
5: (76) if w6 s>= 0x30303030 goto pc+216
6: (05) goto pc-1
7: (05) goto pc-1
8: (05) goto pc-1
[...]
220: (05) goto pc-1
221: (05) goto pc-1
222: (95) exit
Meaning, the visible effect is very similar to f54c7898ed ("bpf: Fix
precision tracking for unbounded scalars"), that is, the fall-through
branch in the instruction 5 is considered to be never taken given the
conclusion from the min/max bounds tracking in w6, and therefore the
dead-code sanitation rewrites it as goto pc-1. However, real-life input
disagrees with verification analysis since a soft-lockup was observed.
The bug sits in the analysis of the ARSH. The definition is that we shift
the target register value right by K bits through shifting in copies of
its sign bit. In adjust_scalar_min_max_vals(), we do first coerce the
register into 32 bit mode, same happens after simulating the operation.
However, for the case of simulating the actual ARSH, we don't take the
mode into account and act as if it's always 64 bit, but location of sign
bit is different:
dst_reg->smin_value >>= umin_val;
dst_reg->smax_value >>= umin_val;
dst_reg->var_off = tnum_arshift(dst_reg->var_off, umin_val);
Consider an unknown R0 where bpf_get_socket_cookie() (or others) would
for example return 0xffff. With the above ARSH simulation, we'd see the
following results:
[...]
1: R1=ctx(id=0,off=0,imm=0) R2_w=invP65535 R10=fp0
1: (85) call bpf_get_socket_cookie#46
2: R0_w=invP(id=0) R10=fp0
2: (57) r0 &= 808464432
-> R0_runtime = 0x3030
3: R0_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x30303030)) R10=fp0
3: (14) w0 -= 810299440
-> R0_runtime = 0xcfb40000
4: R0_w=invP(id=0,umax_value=4294967295,var_off=(0xcf800000; 0x3077fff0)) R10=fp0
(0xffffffff)
4: (c4) w0 s>>= 1
-> R0_runtime = 0xe7da0000
5: R0_w=invP(id=0,umin_value=1740636160,umax_value=2147221496,var_off=(0x67c00000; 0x183bfff8)) R10=fp0
(0x67c00000) (0x7ffbfff8)
[...]
In insn 3, we have a runtime value of 0xcfb40000, which is '1100 1111 1011
0100 0000 0000 0000 0000', the result after the shift has 0xe7da0000 that
is '1110 0111 1101 1010 0000 0000 0000 0000', where the sign bit is correctly
retained in 32 bit mode. In insn4, the umax was 0xffffffff, and changed into
0x7ffbfff8 after the shift, that is, '0111 1111 1111 1011 1111 1111 1111 1000'
and means here that the simulation didn't retain the sign bit. With above
logic, the updates happen on the 64 bit min/max bounds and given we coerced
the register, the sign bits of the bounds are cleared as well, meaning, we
need to force the simulation into s32 space for 32 bit alu mode.
Verification after the fix below. We're first analyzing the fall-through branch
on 32 bit signed >= test eventually leading to rejection of the program in this
specific case:
0: R1=ctx(id=0,off=0,imm=0) R10=fp0
0: (b7) r2 = 808464432
1: R1=ctx(id=0,off=0,imm=0) R2_w=invP808464432 R10=fp0
1: (85) call bpf_get_socket_cookie#46
2: R0_w=invP(id=0) R10=fp0
2: (bf) r6 = r0
3: R0_w=invP(id=0) R6_w=invP(id=0) R10=fp0
3: (57) r6 &= 808464432
4: R0_w=invP(id=0) R6_w=invP(id=0,umax_value=808464432,var_off=(0x0; 0x30303030)) R10=fp0
4: (14) w6 -= 810299440
5: R0_w=invP(id=0) R6_w=invP(id=0,umax_value=4294967295,var_off=(0xcf800000; 0x3077fff0)) R10=fp0
5: (c4) w6 s>>= 1
6: R0_w=invP(id=0) R6_w=invP(id=0,umin_value=3888119808,umax_value=4294705144,var_off=(0xe7c00000; 0x183bfff8)) R10=fp0
(0x67c00000) (0xfffbfff8)
6: (76) if w6 s>= 0x30303030 goto pc+216
7: R0_w=invP(id=0) R6_w=invP(id=0,umin_value=3888119808,umax_value=4294705144,var_off=(0xe7c00000; 0x183bfff8)) R10=fp0
7: (30) r0 = *(u8 *)skb[808464432]
BPF_LD_[ABS|IND] uses reserved fields
processed 8 insns (limit 1000000) [...]
Fixes: 9cbe1f5a32 ("bpf/verifier: improve register value range tracking with ARSH")
Reported-by: Anatoly Trosinenko <anatoly.trosinenko@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Link: https://lore.kernel.org/bpf/20200115204733.16648-1-daniel@iogearbox.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4bAEoACgkQONu9yGCS
aT70DQ//YgSd3JJ9/d7TLy+Mm8GrlZIZWgRrz8YZdKcJBG+l/c+m6FR0uLDw95nf
zIFq1GY8DwS3djuNkxPoz8yvIgqoHuSjEUo+YF8v71ZdnGCXIt6SCoKbugAH+azp
zTEJ4lU3/Wrc1Gh4w5zeSgdQVPIJBQ+d7pKccZHOJ0DFwbU3hQ69vqXcaxrFuhop
vqKvNNEeCT2l1AxgAhKwNhceFL3Rb/2HxAjUED68ueY/EZ0/OsoinboBu2riSKNu
NWZTPq7B2Kht19aV48FThwksEvkelz72gkSzKvrsT03tDtNewQ7C/mreUqpU6VZE
lrcIWOHjXMQyk3g3XZfG3j8ppzHvZPaG/WEqmnJV8txjtaRU8hvj3Q95kHPheTv6
O/Ds4OpHBaS5g6+dmsUmtfSrbrhm3KKXMn0IJvyYkC/VY0RVdLKTZu0TM5ZS5id/
zW4AZWWzephUID9LAwRrTWvfGKMBK6gEiv2AtnY4XRiEMYEFw45uP97yWcUCg89L
a3BCbhhiO4tMqL/lf7KD4vPbXZsRgDM3q1wLitvM2KCVVSA32XGRMT9x8A6uwTJl
OLL39NSi8h8rqn5S22AowKcR/3VakRNw9pf5Y6AH5xOnP3R/OBHzYJNho2DUc8OI
6p+zeUZkDEIsFI1wdJSaaSWsNdpJj3Sw6SdB2QJI3c782F4pFUA=
=RCVS
-----END PGP SIGNATURE-----
Merge 4.19.95 into android-4.19
Changes in 4.19.95
USB: dummy-hcd: use usb_urb_dir_in instead of usb_pipein
USB: dummy-hcd: increase max number of devices to 32
bpf: Fix passing modified ctx to ld/abs/ind instruction
regulator: fix use after free issue
ASoC: max98090: fix possible race conditions
locking/spinlock/debug: Fix various data races
netfilter: ctnetlink: netns exit must wait for callbacks
mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame()
libtraceevent: Fix lib installation with O=
x86/efi: Update e820 with reserved EFI boot services data to fix kexec breakage
ASoC: Intel: bytcr_rt5640: Update quirk for Teclast X89
efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs
efi/gop: Return EFI_SUCCESS if a usable GOP was found
efi/gop: Fix memory leak in __gop_query32/64()
ARM: dts: imx6ul: imx6ul-14x14-evk.dtsi: Fix SPI NOR probing
ARM: vexpress: Set-up shared OPP table instead of individual for each CPU
netfilter: uapi: Avoid undefined left-shift in xt_sctp.h
netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements in named sets
netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END
netfilter: nf_tables: validate NFT_DATA_VALUE after nft_data_init()
ARM: dts: BCM5301X: Fix MDIO node address/size cells
selftests/ftrace: Fix multiple kprobe testcase
ARM: dts: Cygnus: Fix MDIO node address/size cells
spi: spi-cavium-thunderx: Add missing pci_release_regions()
ASoC: topology: Check return value for soc_tplg_pcm_create()
ARM: dts: bcm283x: Fix critical trip point
bnxt_en: Return error if FW returns more data than dump length
bpf, mips: Limit to 33 tail calls
spi: spi-ti-qspi: Fix a bug when accessing non default CS
ARM: dts: am437x-gp/epos-evm: fix panel compatible
samples: bpf: Replace symbol compare of trace_event
samples: bpf: fix syscall_tp due to unused syscall
powerpc: Ensure that swiotlb buffer is allocated from low memory
btrfs: Fix error messages in qgroup_rescan_init
bpf: Clear skb->tstamp in bpf_redirect when necessary
bnx2x: Do not handle requests from VFs after parity
bnx2x: Fix logic to get total no. of PFs per engine
cxgb4: Fix kernel panic while accessing sge_info
net: usb: lan78xx: Fix error message format specifier
parisc: add missing __init annotation
rfkill: Fix incorrect check to avoid NULL pointer dereference
ASoC: wm8962: fix lambda value
regulator: rn5t618: fix module aliases
iommu/iova: Init the struct iova to fix the possible memleak
kconfig: don't crash on NULL expressions in expr_eq()
perf/x86/intel: Fix PT PMI handling
fs: avoid softlockups in s_inodes iterators
net: stmmac: Do not accept invalid MTU values
net: stmmac: xgmac: Clear previous RX buffer size
net: stmmac: RX buffer size must be 16 byte aligned
net: stmmac: Always arm TX Timer at end of transmission start
s390/purgatory: do not build purgatory with kcov, kasan and friends
drm/exynos: gsc: add missed component_del
s390/dasd/cio: Interpret ccw_device_get_mdc return value correctly
s390/dasd: fix memleak in path handling error case
block: fix memleak when __blk_rq_map_user_iov() is failed
parisc: Fix compiler warnings in debug_core.c
llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c)
hv_netvsc: Fix unwanted rx_table reset
powerpc/vcpu: Assume dedicated processors as non-preempt
powerpc/spinlocks: Include correct header for static key
cpufreq: imx6q: read OCOTP through nvmem for imx6ul/imx6ull
ARM: dts: imx6ul: use nvmem-cells for cpu speed grading
PCI/switchtec: Read all 64 bits of part_event_bitmap
gtp: fix bad unlock balance in gtp_encap_enable_socket
macvlan: do not assume mac_header is set in macvlan_broadcast()
net: dsa: mv88e6xxx: Preserve priority when setting CPU port.
net: stmmac: dwmac-sun8i: Allow all RGMII modes
net: stmmac: dwmac-sunxi: Allow all RGMII modes
net: usb: lan78xx: fix possible skb leak
pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM
sch_cake: avoid possible divide by zero in cake_enqueue()
sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY
tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK
vxlan: fix tos value before xmit
vlan: fix memory leak in vlan_dev_set_egress_priority
vlan: vlan_changelink() should propagate errors
mlxsw: spectrum_qdisc: Ignore grafting of invisible FIFO
net: sch_prio: When ungrafting, replace with FIFO
usb: dwc3: gadget: Fix request complete check
USB: core: fix check for duplicate endpoints
USB: serial: option: add Telit ME910G1 0x110a composition
usb: missing parentheses in USE_NEW_SCHEME
Linux 4.19.95
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I611f034c58f975a5d2b70eed0a0884f1ff5b09cc
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4La9gACgkQONu9yGCS
aT6hlA//TDpj9rdEwkaKyg/Ge4TCOJSOiwlp2/5lg2Sroiuizz527hVybGOOYAHl
gMA2Syt73PWStyfgl5B3AimcBvPADX8h/b1KiSoIdHFkq5rPFyneB6aEj+5jSK1V
63UnnTV0T49wt0Jvs6nN0FxI4ZCXbfjzaSVz4BGIflz6h9UUkPAu91CJTKtPmrAp
pliH20cMOykxyS/KfKa6zDcpIfU0k+DxL5U0Y5F1YRDKc1iPg8e6I3cNLgwKSja6
21BgdoTyZdvbC85HxSY7V6Dswp4YQPBY3y8crp8npZ9apbYV7eNU3L1+WVQvxpFg
kahhyjalqwqkKq+cTEsIFj7cjPksSlH/qytTS+lnN3BScXbFPp8GdzIazhQNSCv3
S/7T51CcvNoVcs9Qeu+nwyvx+H1LH4MYO4C7RYWZhPnMcA+/MxvT5WXNKfjf2ekM
N5h8xNATllzDuDkX+zVwW8i80SCyhVqQIKbXLn8ugGYW3G5TNdy8Ysh0kdrq26Y+
LAELsbQhK/Kt8WF+XNBpb9LLbeUGn1GTwhnbEuD7IKI+bVxnmsGk8QUu3h+a9xFh
lI7bsj8Ku9T+59/9xqAnoStEto+0tdTPB9Cx1jNdWlLiVdkewiDKiUbloFpDFS1n
L3SvqB68DC/IznQcK970g3aIx9zbkb2KZRdj2Fu7apaY5D9q85I=
=W+5k
-----END PGP SIGNATURE-----
Merge 4.19.92 into android-4.19
Changes in 4.19.92
af_packet: set defaule value for tmo
fjes: fix missed check in fjes_acpi_add
mod_devicetable: fix PHY module format
net: dst: Force 4-byte alignment of dst_metrics
net: gemini: Fix memory leak in gmac_setup_txqs
net: hisilicon: Fix a BUG trigered by wrong bytes_compl
net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive()
net: qlogic: Fix error paths in ql_alloc_large_buffers()
net: usb: lan78xx: Fix suspend/resume PHY register access error
qede: Disable hardware gro when xdp prog is installed
qede: Fix multicast mac configuration
sctp: fully initialize v4 addr in some functions
selftests: forwarding: Delete IPv6 address at the end
btrfs: don't double lock the subvol_sem for rename exchange
btrfs: do not call synchronize_srcu() in inode_tree_del
Btrfs: fix missing data checksums after replaying a log tree
btrfs: send: remove WARN_ON for readonly mount
btrfs: abort transaction after failed inode updates in create_subvol
btrfs: skip log replay on orphaned roots
btrfs: do not leak reloc root if we fail to read the fs root
btrfs: handle ENOENT in btrfs_uuid_tree_iterate
Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues
ALSA: pcm: Avoid possible info leaks from PCM stream buffers
ALSA: hda/ca0132 - Keep power on during processing DSP response
ALSA: hda/ca0132 - Avoid endless loop
ALSA: hda/ca0132 - Fix work handling in delayed HP detection
drm: mst: Fix query_payload ack reply struct
drm/panel: Add missing drm_panel_init() in panel drivers
drm/bridge: analogix-anx78xx: silence -EPROBE_DEFER warnings
iio: light: bh1750: Resolve compiler warning and make code more readable
drm/amdgpu: grab the id mgr lock while accessing passid_mapping
spi: Add call to spi_slave_abort() function when spidev driver is released
staging: rtl8192u: fix multiple memory leaks on error path
staging: rtl8188eu: fix possible null dereference
rtlwifi: prevent memory leak in rtl_usb_probe
libertas: fix a potential NULL pointer dereference
ath10k: fix backtrace on coredump
IB/iser: bound protection_sg size by data_sg size
media: am437x-vpfe: Setting STD to current value is not an error
media: i2c: ov2659: fix s_stream return value
media: ov6650: Fix crop rectangle alignment not passed back
media: i2c: ov2659: Fix missing 720p register config
media: ov6650: Fix stored frame format not in sync with hardware
media: ov6650: Fix stored crop rectangle not in sync with hardware
tools/power/cpupower: Fix initializer override in hsw_ext_cstates
media: venus: core: Fix msm8996 frequency table
ath10k: fix offchannel tx failure when no ath10k_mac_tx_frm_has_freq
pinctrl: devicetree: Avoid taking direct reference to device name string
drm/amdkfd: fix a potential NULL pointer dereference (v2)
selftests/bpf: Correct path to include msg + path
media: venus: Fix occasionally failures to suspend
usb: renesas_usbhs: add suspend event support in gadget mode
hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled
regulator: max8907: Fix the usage of uninitialized variable in max8907_regulator_probe()
media: flexcop-usb: fix NULL-ptr deref in flexcop_usb_transfer_init()
media: cec-funcs.h: add status_req checks
drm/bridge: dw-hdmi: Refuse DDC/CI transfers on the internal I2C controller
samples: pktgen: fix proc_cmd command result check logic
block: Fix writeback throttling W=1 compiler warnings
mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring
drm/drm_vblank: Change EINVAL by the correct errno
media: cx88: Fix some error handling path in 'cx8800_initdev()'
media: ti-vpe: vpe: Fix Motion Vector vpdma stride
media: ti-vpe: vpe: fix a v4l2-compliance warning about invalid pixel format
media: ti-vpe: vpe: fix a v4l2-compliance failure about frame sequence number
media: ti-vpe: vpe: Make sure YUYV is set as default format
media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel panic
media: ti-vpe: vpe: ensure buffers are cleaned up properly in abort cases
media: ti-vpe: vpe: fix a v4l2-compliance failure about invalid sizeimage
syscalls/x86: Use the correct function type in SYSCALL_DEFINE0
drm/amd/display: Fix dongle_caps containing stale information.
extcon: sm5502: Reset registers during initialization
x86/mm: Use the correct function type for native_set_fixmap()
ath10k: Correct error handling of dma_map_single()
drm/bridge: dw-hdmi: Restore audio when setting a mode
perf test: Report failure for mmap events
perf report: Add warning when libunwind not compiled in
usb: usbfs: Suppress problematic bind and unbind uevents.
iio: adc: max1027: Reset the device at probe time
Bluetooth: missed cpu_to_le16 conversion in hci_init4_req
Bluetooth: Workaround directed advertising bug in Broadcom controllers
Bluetooth: hci_core: fix init for HCI_USER_CHANNEL
bpf/stackmap: Fix deadlock with rq_lock in bpf_get_stack()
x86/mce: Lower throttling MCE messages' priority to warning
perf tests: Disable bp_signal testing for arm64
drm/gma500: fix memory disclosures due to uninitialized bytes
rtl8xxxu: fix RTL8723BU connection failure issue after warm reboot
ipmi: Don't allow device module unload when in use
x86/ioapic: Prevent inconsistent state when moving an interrupt
media: smiapp: Register sensor after enabling runtime PM on the device
md/bitmap: avoid race window between md_bitmap_resize and bitmap_file_clear_bit
arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill()
i40e: initialize ITRN registers with correct values
net: phy: dp83867: enable robust auto-mdix
drm/tegra: sor: Use correct SOR index on Tegra210
spi: sprd: adi: Add missing lock protection when rebooting
ACPI: button: Add DMI quirk for Medion Akoya E2215T
RDMA/qedr: Fix memory leak in user qp and mr
gpu: host1x: Allocate gather copy for host1x
net: dsa: LAN9303: select REGMAP when LAN9303 enable
phy: qcom-usb-hs: Fix extcon double register after power cycle
s390/time: ensure get_clock_monotonic() returns monotonic values
s390/mm: add mm_pxd_folded() checks to pxd_free()
net: hns3: add struct netdev_queue debug info for TX timeout
libata: Ensure ata_port probe has completed before detach
loop: fix no-unmap write-zeroes request behavior
pinctrl: sh-pfc: sh7734: Fix duplicate TCLK1_B
iio: dln2-adc: fix iio_triggered_buffer_postenable() position
libbpf: Fix error handling in bpf_map__reuse_fd()
Bluetooth: Fix advertising duplicated flags
pinctrl: amd: fix __iomem annotation in amd_gpio_irq_handler()
ixgbe: protect TX timestamping from API misuse
media: rcar_drif: fix a memory disclosure
media: v4l2-core: fix touch support in v4l_g_fmt
nvmem: imx-ocotp: reset error status on probe
rfkill: allocate static minor
bnx2x: Fix PF-VF communication over multi-cos queues.
spi: img-spfi: fix potential double release
ALSA: timer: Limit max amount of slave instances
rtlwifi: fix memory leak in rtl92c_set_fw_rsvdpagepkt()
perf probe: Fix to find range-only function instance
perf probe: Fix to list probe event with correct line number
perf jevents: Fix resource leak in process_mapfile() and main()
perf probe: Walk function lines in lexical blocks
perf probe: Fix to probe an inline function which has no entry pc
perf probe: Fix to show ranges of variables in functions without entry_pc
perf probe: Fix to show inlined function callsite without entry_pc
libsubcmd: Use -O0 with DEBUG=1
perf probe: Fix to probe a function which has no entry pc
perf tools: Splice events onto evlist even on error
drm/amdgpu: disallow direct upload save restore list from gfx driver
drm/amdgpu: fix potential double drop fence reference
xen/gntdev: Use select for DMA_SHARED_BUFFER
perf parse: If pmu configuration fails free terms
perf probe: Skip overlapped location on searching variables
perf probe: Return a better scope DIE if there is no best scope
perf probe: Fix to show calling lines of inlined functions
perf probe: Skip end-of-sequence and non statement lines
perf probe: Filter out instances except for inlined subroutine and subprogram
ath10k: fix get invalid tx rate for Mesh metric
fsi: core: Fix small accesses and unaligned offsets via sysfs
media: pvrusb2: Fix oops on tear-down when radio support is not present
soundwire: intel: fix PDI/stream mapping for Bulk
crypto: atmel - Fix authenc support when it is set to m
ice: delay less
media: si470x-i2c: add missed operations in remove
EDAC/ghes: Fix grain calculation
spi: pxa2xx: Add missed security checks
ASoC: rt5677: Mark reg RT5677_PWR_ANLG2 as volatile
iio: dac: ad5446: Add support for new AD5600 DAC
ASoC: Intel: kbl_rt5663_rt5514_max98927: Add dmic format constraint
s390/disassembler: don't hide instruction addresses
nvme: Discard workaround for non-conformant devices
parport: load lowlevel driver if ports not found
bcache: fix static checker warning in bcache_device_free()
cpufreq: Register drivers only after CPU devices have been registered
x86/crash: Add a forward declaration of struct kimage
tracing: use kvcalloc for tgid_map array allocation
tracing/kprobe: Check whether the non-suffixed symbol is notrace
bcache: fix deadlock in bcache_allocator
iwlwifi: mvm: fix unaligned read of rx_pkt_status
ASoC: wm8904: fix regcache handling
spi: tegra20-slink: add missed clk_unprepare
tun: fix data-race in gro_normal_list()
crypto: virtio - deal with unsupported input sizes
mmc: tmio: Add MMC_CAP_ERASE to allow erase/discard/trim requests
btrfs: don't prematurely free work in end_workqueue_fn()
btrfs: don't prematurely free work in run_ordered_work()
ASoC: wm2200: add missed operations in remove and probe failure
spi: st-ssc4: add missed pm_runtime_disable
ASoC: wm5100: add missed pm_runtime_disable
ASoC: Intel: bytcr_rt5640: Update quirk for Acer Switch 10 SW5-012 2-in-1
x86/insn: Add some Intel instructions to the opcode map
brcmfmac: remove monitor interface when detaching
iwlwifi: check kasprintf() return value
fbtft: Make sure string is NULL terminated
net: ethernet: ti: ale: clean ale tbl on init and intf restart
crypto: sun4i-ss - Fix 64-bit size_t warnings
crypto: sun4i-ss - Fix 64-bit size_t warnings on sun4i-ss-hash.c
mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED
crypto: vmx - Avoid weird build failures
libtraceevent: Fix memory leakage in copy_filter_type
mips: fix build when "48 bits virtual memory" is enabled
drm/amdgpu: fix bad DMA from INTERRUPT_CNTL2
net: phy: initialise phydev speed and duplex sanely
btrfs: don't prematurely free work in reada_start_machine_worker()
btrfs: don't prematurely free work in scrub_missing_raid56_worker()
Revert "mmc: sdhci: Fix incorrect switch to HS mode"
mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode
can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices
usb: xhci: Fix build warning seen with CONFIG_PM=n
drm/amdgpu: fix uninitialized variable pasid_mapping_needed
s390/ftrace: fix endless recursion in function_graph tracer
btrfs: return error pointer from alloc_test_extent_buffer
usbip: Fix receive error in vhci-hcd when using scatter-gather
usbip: Fix error path of vhci_recv_ret_submit()
cpufreq: Avoid leaving stale IRQ work items during CPU offline
USB: EHCI: Do not return -EPIPE when hub is disconnected
intel_th: pci: Add Comet Lake PCH-V support
intel_th: pci: Add Elkhart Lake SOC support
platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes
staging: comedi: gsc_hpdi: check dma_alloc_coherent() return value
ext4: fix ext4_empty_dir() for directories with holes
ext4: check for directory entries too close to block end
ext4: unlock on error in ext4_expand_extra_isize()
KVM: arm64: Ensure 'params' is initialised when looking up sys register
x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure()
x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks[]
powerpc/vcpu: Assume dedicated processors as non-preempt
powerpc/irq: fix stack overflow verification
mmc: sdhci-msm: Correct the offset and value for DDR_CONFIG register
mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support"
mmc: sdhci: Update the tuning failed messages to pr_debug level
mmc: sdhci-of-esdhc: fix P2020 errata handling
mmc: sdhci: Workaround broken command queuing on Intel GLK
mmc: sdhci: Add a quirk for broken command queuing
nbd: fix shutdown and recv work deadlock v2
perf probe: Fix to show function entry line as probe-able
Linux 4.19.92
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic4c7f9c713549ebb3319cd0275e88678bfa0e53d
[ Upstream commit eac9153f2b ]
bpf stackmap with build-id lookup (BPF_F_STACK_BUILD_ID) can trigger A-A
deadlock on rq_lock():
rcu: INFO: rcu_sched detected stalls on CPUs/tasks:
[...]
Call Trace:
try_to_wake_up+0x1ad/0x590
wake_up_q+0x54/0x80
rwsem_wake+0x8a/0xb0
bpf_get_stack+0x13c/0x150
bpf_prog_fbdaf42eded9fe46_on_event+0x5e3/0x1000
bpf_overflow_handler+0x60/0x100
__perf_event_overflow+0x4f/0xf0
perf_swevent_overflow+0x99/0xc0
___perf_sw_event+0xe7/0x120
__schedule+0x47d/0x620
schedule+0x29/0x90
futex_wait_queue_me+0xb9/0x110
futex_wait+0x139/0x230
do_futex+0x2ac/0xa50
__x64_sys_futex+0x13c/0x180
do_syscall_64+0x42/0x100
entry_SYSCALL_64_after_hwframe+0x44/0xa9
This can be reproduced by:
1. Start a multi-thread program that does parallel mmap() and malloc();
2. taskset the program to 2 CPUs;
3. Attach bpf program to trace_sched_switch and gather stackmap with
build-id, e.g. with trace.py from bcc tools:
trace.py -U -p <pid> -s <some-bin,some-lib> t:sched:sched_switch
A sample reproducer is attached at the end.
This could also trigger deadlock with other locks that are nested with
rq_lock.
Fix this by checking whether irqs are disabled. Since rq_lock and all
other nested locks are irq safe, it is safe to do up_read() when irqs are
not disable. If the irqs are disabled, postpone up_read() in irq_work.
Fixes: 615755a77b ("bpf: extend stackmap to save binary_build_id+offset instead of address")
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20191014171223.357174-1-songliubraving@fb.com
Reproducer:
============================ 8< ============================
char *filename;
void *worker(void *p)
{
void *ptr;
int fd;
char *pptr;
fd = open(filename, O_RDONLY);
if (fd < 0)
return NULL;
while (1) {
struct timespec ts = {0, 1000 + rand() % 2000};
ptr = mmap(NULL, 4096 * 64, PROT_READ, MAP_PRIVATE, fd, 0);
usleep(1);
if (ptr == MAP_FAILED) {
printf("failed to mmap\n");
break;
}
munmap(ptr, 4096 * 64);
usleep(1);
pptr = malloc(1);
usleep(1);
pptr[0] = 1;
usleep(1);
free(pptr);
usleep(1);
nanosleep(&ts, NULL);
}
close(fd);
return NULL;
}
int main(int argc, char *argv[])
{
void *ptr;
int i;
pthread_t threads[THREAD_COUNT];
if (argc < 2)
return 0;
filename = argv[1];
for (i = 0; i < THREAD_COUNT; i++) {
if (pthread_create(threads + i, NULL, worker, NULL)) {
fprintf(stderr, "Error creating thread\n");
return 0;
}
}
for (i = 0; i < THREAD_COUNT; i++)
pthread_join(threads[i], NULL);
return 0;
}
============================ 8< ============================
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3zQ1wACgkQONu9yGCS
aT6ZDA/+JQyM+mgrU2t5mkq9lXCwL87Jiooy0kKT9b/2EWmW5Gdxp/On9PXfqtfs
uZ+v0A1g1H+582uwuqG1wB2jr3I2AhNnRNbvSypGtk1Kitx9HqVJD/wWRRVCULww
cr3uA/ZOX+deRjOVYP3dhFp7ycn6u5+GxgmFQTLmKAYN8uUqq4/dpWy01iB0nr2A
GcoLm9P96o8P/wIWaykqOvshDrocbFcBL4VuxLeZCbFsAMTiX+jJnyIL8W7gfBJl
M2626S/hESk5DvGcMN3zwOw/nTJlvySUtfqXSvPk0sT90UMx/YZ9QdpS9GkvRb9t
OA1G+iHguEU+Fq/DawUyxwk/kt3nA6cg0q7RSxHo7QP6SGo7OaHHS1myzGDhL8oc
LDKXO2iSSzvXJDlqrU45N+1YhpeiIHCxmDctbUIM9dP4u6wWmQIyYXLrcpupTsm9
StiDBguXFHWSBFhG0+MlTUU5cypVNoN+56wBAUTR6+qoDASTzGvjNbrBsQihODV0
RMFJF17Zvn+UoEohe860EMswUBsJ+F+VSZO5yGuZgsaC/2Ih6M1dxsiNU7RF02gX
fRis6huj1+642ZsEbd2tueYGUaDN1HpMsVkN3AAkD3pJF5lX7AJRwhvRyC8N1jhc
G90KMSk2pR/ItjmUpkKaAhAKhN+oKSzuCPpHj2iGotfWdd4slXQ=
=Ekyt
-----END PGP SIGNATURE-----
Merge 4.19.89 into android-4.19
Changes in 4.19.89
rsi: release skb if rsi_prepare_beacon fails
arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator
sparc64: implement ioremap_uc
lp: fix sparc64 LPSETTIMEOUT ioctl
usb: gadget: u_serial: add missing port entry locking
tty: serial: fsl_lpuart: use the sg count from dma_map_sg
tty: serial: msm_serial: Fix flow control
serial: pl011: Fix DMA ->flush_buffer()
serial: serial_core: Perform NULL checks for break_ctl ops
serial: ifx6x60: add missed pm_runtime_disable
autofs: fix a leak in autofs_expire_indirect()
RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
iwlwifi: pcie: don't consider IV len in A-MSDU
exportfs_decode_fh(): negative pinned may become positive without the parent locked
audit_get_nd(): don't unlock parent too early
NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
xfrm: release device reference for invalid state
Input: cyttsp4_core - fix use after free bug
sched/core: Avoid spurious lock dependencies
perf/core: Consistently fail fork on allocation failures
ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.
selftests: kvm: fix build with glibc >= 2.30
rsxx: add missed destroy_workqueue calls in remove
net: ep93xx_eth: fix mismatch of request_mem_region in remove
i2c: core: fix use after free in of_i2c_notify
serial: core: Allow processing sysrq at port unlock time
cxgb4vf: fix memleak in mac_hlist initialization
iwlwifi: mvm: synchronize TID queue removal
iwlwifi: trans: Clear persistence bit when starting the FW
iwlwifi: mvm: Send non offchannel traffic via AP sta
ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+
audit: Embed key into chunk
netfilter: nf_tables: don't use position attribute on rule replacement
ARC: IOC: panic if kernel was started with previously enabled IOC
net/mlx5: Release resource on error flow
clk: sunxi-ng: a64: Fix gate bit of DSI DPHY
ice: Fix NVM mask defines
dlm: fix possible call to kfree() for non-initialized pointer
ARM: dts: exynos: Fix LDO13 min values on Odroid XU3/XU4/HC1
extcon: max8997: Fix lack of path setting in USB device mode
net: ethernet: ti: cpts: correct debug for expired txq skb
rtc: s3c-rtc: Avoid using broken ALMYEAR register
rtc: max77686: Fix the returned value in case of error in 'max77686_rtc_read_time()'
i40e: don't restart nway if autoneg not supported
virtchnl: Fix off by one error
clk: rockchip: fix rk3188 sclk_smc gate data
clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering
ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name
dlm: fix missing idr_destroy for recover_idr
MIPS: SiByte: Enable ZONE_DMA32 for LittleSur
net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2
scsi: zfcp: update kernel message for invalid FCP_CMND length, it's not the CDB
scsi: zfcp: drop default switch case which might paper over missing case
drivers: soc: Allow building the amlogic drivers without ARCH_MESON
bus: ti-sysc: Fix getting optional clocks in clock_roles
ARM: dts: imx6: RDU2: fix eGalax touchscreen node
crypto: ecc - check for invalid values in the key verification test
crypto: bcm - fix normal/non key hash algorithm failure
arm64: dts: zynqmp: Fix node names which contain "_"
pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues
Staging: iio: adt7316: Fix i2c data reading, set the data field
firmware: raspberrypi: Fix firmware calls with large buffers
mm/vmstat.c: fix NUMA statistics updates
clk: rockchip: fix I2S1 clock gate register for rk3328
clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328
sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit
regulator: Fix return value of _set_load() stub
USB: serial: f81534: fix reading old/new IC config
xfs: extent shifting doesn't fully invalidate page cache
net-next/hinic:fix a bug in set mac address
net-next/hinic: fix a bug in rx data flow
ice: Fix return value from NAPI poll
ice: Fix possible NULL pointer de-reference
iomap: FUA is wrong for DIO O_DSYNC writes into unwritten extents
iomap: sub-block dio needs to zeroout beyond EOF
iomap: dio data corruption and spurious errors when pipes fill
iomap: readpages doesn't zero page tail beyond EOF
iw_cxgb4: only reconnect with MPAv1 if the peer aborts
MIPS: OCTEON: octeon-platform: fix typing
net/smc: use after free fix in smc_wr_tx_put_slot()
math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning
nds32: Fix the items of hwcap_str ordering issue.
rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()'
rtc: dt-binding: abx80x: fix resistance scale
ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module
media: coda: fix memory corruption in case more than 32 instances are opened
media: pulse8-cec: return 0 when invalidating the logical address
media: cec: report Vendor ID after initialization
iwlwifi: fix cfg structs for 22000 with different RF modules
ravb: Clean up duplex handling
net/ipv6: re-do dad when interface has IFF_NOARP flag change
dmaengine: coh901318: Fix a double-lock bug
dmaengine: coh901318: Remove unused variable
dmaengine: dw-dmac: implement dma protection control setting
net: qualcomm: rmnet: move null check on dev before dereferecing it
selftests/powerpc: Allocate base registers
selftests/powerpc: Skip test instead of failing
usb: dwc3: debugfs: Properly print/set link state for HS
usb: dwc3: don't log probe deferrals; but do log other error codes
ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion()
f2fs: fix to account preflush command for noflush_merge mode
f2fs: fix count of seg_freed to make sec_freed correct
f2fs: change segment to section in f2fs_ioc_gc_range
ARM: dts: rockchip: Fix the PMU interrupt number for rv1108
ARM: dts: rockchip: Assign the proper GPIO clocks for rv1108
f2fs: fix to allow node segment for GC by ioctl path
sparc: Fix JIT fused branch convergance.
sparc: Correct ctx->saw_frame_pointer logic.
nvme: Free ctrl device name on init failure
dma-mapping: fix return type of dma_set_max_seg_size()
slimbus: ngd: Fix build error on x86
altera-stapl: check for a null key before strcasecmp'ing it
serial: imx: fix error handling in console_setup
i2c: imx: don't print error message on probe defer
clk: meson: Fix GXL HDMI PLL fractional bits width
gpu: host1x: Fix syncpoint ID field size on Tegra186
lockd: fix decoding of TEST results
sctp: increase sk_wmem_alloc when head->truesize is increased
iommu/amd: Fix line-break in error log reporting
ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()
ARM: dts: sun4i: Fix gpio-keys warning
ARM: dts: sun4i: Fix HDMI output DTC warning
ARM: dts: sun5i: a10s: Fix HDMI output DTC warning
ARM: dts: r8a779[01]: Disable unconnected LVDS encoders
ARM: dts: sun7i: Fix HDMI output DTC warning
ARM: dts: sun8i: a23/a33: Fix OPP DTC warnings
ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning
dlm: NULL check before kmem_cache_destroy is not needed
ARM: debug: enable UART1 for socfpga Cyclone5
can: xilinx: fix return type of ndo_start_xmit function
nfsd: fix a warning in __cld_pipe_upcall()
bpf: btf: implement btf_name_valid_identifier()
bpf: btf: check name validity for various types
tools: bpftool: fix a bitfield pretty print issue
ASoC: au8540: use 64-bit arithmetic instead of 32-bit
ARM: OMAP1/2: fix SoC name printing
arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names
arm64: dts: meson-gxbb-nanopi-k2: fix GPIO lines names
arm64: dts: meson-gxbb-odroidc2: fix GPIO lines names
arm64: dts: meson-gxl-khadas-vim: fix GPIO lines names
net/x25: fix called/calling length calculation in x25_parse_address_block
net/x25: fix null_x25_address handling
tools/bpf: make libbpf _GNU_SOURCE friendly
clk: mediatek: Drop __init from mtk_clk_register_cpumuxes()
clk: mediatek: Drop more __init markings for driver probe
soc: renesas: r8a77970-sysc: Correct names of A2DP/A2CN power domains
soc: renesas: r8a77980-sysc: Correct names of A2DP[01] power domains
soc: renesas: r8a77980-sysc: Correct A3VIP[012] power domain hierarchy
kbuild: disable dtc simple_bus_reg warnings by default
tcp: make tcp_space() aware of socket backlog
ARM: dts: mmp2: fix the gpio interrupt cell number
ARM: dts: realview-pbx: Fix duplicate regulator nodes
tcp: fix off-by-one bug on aborting window-probing socket
tcp: fix SNMP under-estimation on failed retransmission
tcp: fix SNMP TCP timeout under-estimation
modpost: skip ELF local symbols during section mismatch check
kbuild: fix single target build for external module
mtd: fix mtd_oobavail() incoherent returned value
ARM: dts: pxa: clean up USB controller nodes
clk: meson: meson8b: fix the offset of vid_pll_dco's N value
clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent
clk: qcom: Fix MSM8998 resets
media: cxd2880-spi: fix probe when dvb_attach fails
ARM: dts: realview: Fix some more duplicate regulator nodes
dlm: fix invalid cluster name warning
net/mlx4_core: Fix return codes of unsupported operations
pstore/ram: Avoid NULL deref in ftrace merging failure path
powerpc/math-emu: Update macros from GCC
clk: renesas: r8a77990: Correct parent clock of DU
clk: renesas: r8a77995: Correct parent clock of DU
MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition
nfsd: Return EPERM, not EACCES, in some SETATTR cases
media: uvcvideo: Abstract streaming object lifetime
tty: serial: qcom_geni_serial: Fix softlock
ARM: dts: sun8i: h3: Fix the system-control register range
tty: Don't block on IO when ldisc change is pending
media: stkwebcam: Bugfix for wrong return values
firmware: qcom: scm: fix compilation error when disabled
clk: qcom: gcc-msm8998: Disable halt check of UFS clocks
sctp: frag_point sanity check
soc: renesas: r8a77990-sysc: Fix initialization order of 3DG-{A,B}
mlxsw: spectrum_router: Relax GRE decap matching check
IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state
IB/hfi1: Close VNIC sdma_progress sleep window
mlx4: Use snprintf instead of complicated strcpy
usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler
clk: renesas: rcar-gen3: Set state when registering SD clocks
ASoC: max9867: Fix power management
ARM: dts: sunxi: Fix PMU compatible strings
ARM: dts: am335x-pdu001: Fix polarity of card detection input
media: vimc: fix start stream when link is disabled
net: aquantia: fix RSS table and key sizes
sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
fuse: verify nlink
fuse: verify attributes
ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC
ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
ALSA: pcm: oss: Avoid potential buffer overflows
ALSA: hda - Add mute led support for HP ProBook 645 G4
Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers
Input: goodix - add upside-down quirk for Teclast X89 tablet
coresight: etm4x: Fix input validation for sysfs.
Input: Fix memory leak in psxpad_spi_probe
x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all()
x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
xfrm interface: fix memory leak on creation
xfrm interface: avoid corruption on changelink
xfrm interface: fix list corruption for x-netns
xfrm interface: fix management of phydev
CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
CIFS: Fix SMB2 oplock break processing
tty: vt: keyboard: reject invalid keycodes
can: slcan: Fix use-after-free Read in slcan_open
kernfs: fix ino wrap-around detection
jbd2: Fix possible overflow in jbd2_log_space_left()
drm/msm: fix memleak on release
drm/i810: Prevent underflow in ioctl
arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node"
KVM: arm/arm64: vgic: Don't rely on the wrong pending table
KVM: x86: do not modify masked bits of shared MSRs
KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
KVM: x86: Grab KVM's srcu lock when setting nested state
crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize
crypto: af_alg - cast ki_complete ternary op to int
crypto: ccp - fix uninitialized list head
crypto: ecdh - fix big endian bug in ECC library
crypto: user - fix memory leak in crypto_report
spi: atmel: Fix CS high support
mwifiex: update set_mac_address logic
can: ucan: fix non-atomic allocation in completion handler
RDMA/qib: Validate ->show()/store() callbacks before calling them
iomap: Fix pipe page leakage during splicing
thermal: Fix deadlock in thermal thermal_zone_device_check
vcs: prevent write access to vcsu devices
binder: Fix race between mmap() and binder_alloc_print_pages()
binder: Handle start==NULL in binder_update_page_range()
ALSA: hda - Fix pending unsol events at shutdown
md/raid0: Fix an error message in raid0_make_request()
watchdog: aspeed: Fix clock behaviour for ast2600
perf script: Fix invalid LBR/binary mismatch error
splice: don't read more than available pipe space
iomap: partially revert 4721a60109 (simulated directio short read on EFAULT)
xfs: add missing error check in xfs_prepare_shift()
ASoC: rsnd: fixup MIX kctrl registration
KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
net: qrtr: fix memort leak in qrtr_tun_write_iter
appletalk: Fix potential NULL pointer dereference in unregister_snap_client
appletalk: Set error code if register_snap_client failed
Linux 4.19.89
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie3fa59adde9a7e9a6d4684de0e95de14a8b83d0b
[ Upstream commit eb04bbb608 ]
This patch added name checking for the following types:
. BTF_KIND_PTR, BTF_KIND_ARRAY, BTF_KIND_VOLATILE,
BTF_KIND_CONST, BTF_KIND_RESTRICT:
the name must be null
. BTF_KIND_STRUCT, BTF_KIND_UNION: the struct/member name
is either null or a valid identifier
. BTF_KIND_ENUM: the enum type name is either null or a valid
identifier; the enumerator name must be a valid identifier.
. BTF_KIND_FWD: the name must be a valid identifier
. BTF_KIND_TYPEDEF: the name must be a valid identifier
For those places a valid name is required, the name must be
a valid C identifier. This can be relaxed later if we found
use cases for a different (non-C) frontend.
Fixes: 69b693f0ae ("bpf: btf: Introduce BPF Type Format (BTF)")
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit cdbb096add ]
Function btf_name_valid_identifier() have been implemented in
bpf-next commit 2667a2626f ("bpf: btf: Add BTF_KIND_FUNC and
BTF_KIND_FUNC_PROTO"). Backport this function so later patch
can use it.
Fixes: 69b693f0ae ("bpf: btf: Introduce BPF Type Format (BTF)")
Signed-off-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3owgEACgkQONu9yGCS
aT43zw//SS1As83XXuHr4mdWIVDjXo6RMJ6Ib7YbRi/uhBmQuUuGVFcqGxUIA9Kl
eSXu5Kt8TNmInzHq9AMYgegrELAEwPD2XfptALGDwiUHonQuiFaqOQn/bltJOm1L
PsG15A7+/gFhuhPJDp2ZfNBmZGdpXdIwD27oUDqF1XD64dMa/HPbFUVgxWn3HHkd
sm0J6Ez0eNA+BmLnHXYDiSaEYIiwvy1nN6XpyIfOyb2Tz6kPoe0vVWU00Cmy8KAU
EIWB+TBRunspgMsShL5Cl1MSFOxf9QOmgnZxcrODAQfb1TbLMACB1FGMjK4nLm+3
wPlSnC7L49ARl/pvmN5NOUrjHi8S8qq/Od9QW+UIckRI6KzOU832h99v4gFuHjSC
KFiLi5K9+uTIMgNOETmINBiKKUcUzYXYVajvm4tuAUq3HO8wy6jeALtt34OiJZQZ
DV8wyBdL9NDUFqBymFaMFA4Us/fGIREzvPgI0E0jth2ANuLFLtScrnStuWv8buwJ
JT3V9xCxHZtZ3Ctevx/Jp6OaQtnbSnWjMjrO0UDzZ6N7+g5UKmh9/R3xL6sBpFVU
Vu49J+qWU3VmbY3EIulel+yARNe7xS4ExK185JmNzpYFyOpXum14FHhhtQ6xNSeu
dRqyITI0KYP7jWtBDKCgVAWF5jC9gHP1ksrHSZMhyGrv1dC1XZM=
=KnJW
-----END PGP SIGNATURE-----
Merge 4.19.88 into android-4.19
Changes in 4.19.88
clk: meson: gxbb: let sar_adc_clk_div set the parent clock rate
clocksource/drivers/mediatek: Fix error handling
ASoC: msm8916-wcd-analog: Fix RX1 selection in RDAC2 MUX
ASoC: compress: fix unsigned integer overflow check
reset: Fix memory leak in reset_control_array_put()
clk: samsung: exynos5433: Fix error paths
ASoC: kirkwood: fix external clock probe defer
ASoC: kirkwood: fix device remove ordering
clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume
pinctrl: cherryview: Allocate IRQ chip dynamic
ARM: dts: imx6qdl-sabreauto: Fix storm of accelerometer interrupts
reset: fix reset_control_ops kerneldoc comment
clk: at91: avoid sleeping early
clk: sunxi: Fix operator precedence in sunxi_divs_clk_setup
clk: sunxi-ng: a80: fix the zero'ing of bits 16 and 18
ARM: dts: sun8i-a83t-tbs-a711: Fix WiFi resume from suspend
samples/bpf: fix build by setting HAVE_ATTR_TEST to zero
powerpc/bpf: Fix tail call implementation
idr: Fix integer overflow in idr_for_each_entry
idr: Fix idr_alloc_u32 on 32-bit systems
x86/resctrl: Prevent NULL pointer dereference when reading mondata
clk: ti: dra7-atl-clock: Remove ti_clk_add_alias call
clk: ti: clkctrl: Fix failed to enable error with double udelay timeout
net: fec: add missed clk_disable_unprepare in remove
bridge: ebtables: don't crash when using dnat target in output chains
can: peak_usb: report bus recovery as well
can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open
can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak
can: rx-offload: can_rx_offload_offload_one(): do not increase the skb_queue beyond skb_queue_len_max
can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM
can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors
can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error
can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error
can: flexcan: increase error counters if skb enqueueing via can_rx_offload_queue_sorted() fails
can: mcp251x: mcp251x_restart_work_handler(): Fix potential force_quit race condition
watchdog: meson: Fix the wrong value of left time
ASoC: stm32: sai: add restriction on mmap support
scripts/gdb: fix debugging modules compiled with hot/cold partitioning
net: bcmgenet: use RGMII loopback for MAC reset
net: bcmgenet: reapply manual settings to the PHY
net: mscc: ocelot: fix __ocelot_rmw_ix prototype
ceph: return -EINVAL if given fsc mount option on kernel w/o support
net/fq_impl: Switch to kvmalloc() for memory allocation
mac80211: fix station inactive_time shortly after boot
block: drbd: remove a stray unlock in __drbd_send_protocol()
pwm: bcm-iproc: Prevent unloading the driver module while in use
scsi: target/tcmu: Fix queue_cmd_ring() declaration
scsi: lpfc: Fix kernel Oops due to null pring pointers
scsi: lpfc: Fix dif and first burst use in write commands
ARM: dts: Fix up SQ201 flash access
tracing: Lock event_mutex before synth_event_mutex
ARM: debug-imx: only define DEBUG_IMX_UART_PORT if needed
ARM: dts: imx51: Fix memory node duplication
ARM: dts: imx53: Fix memory node duplication
ARM: dts: imx31: Fix memory node duplication
ARM: dts: imx35: Fix memory node duplication
ARM: dts: imx7: Fix memory node duplication
ARM: dts: imx6ul: Fix memory node duplication
ARM: dts: imx6sx: Fix memory node duplication
ARM: dts: imx6sl: Fix memory node duplication
ARM: dts: imx50: Fix memory node duplication
ARM: dts: imx23: Fix memory node duplication
ARM: dts: imx1: Fix memory node duplication
ARM: dts: imx27: Fix memory node duplication
ARM: dts: imx25: Fix memory node duplication
ARM: dts: imx53-voipac-dmm-668: Fix memory node duplication
parisc: Fix serio address output
parisc: Fix HP SDC hpa address output
ARM: dts: Fix hsi gdd range for omap4
arm64: mm: Prevent mismatched 52-bit VA support
arm64: smp: Handle errors reported by the firmware
bus: ti-sysc: Check for no-reset and no-idle flags at the child level
platform/x86: mlx-platform: Fix LED configuration
ARM: OMAP1: fix USB configuration for device-only setups
RDMA/hns: Fix the bug while use multi-hop of pbl
arm64: preempt: Fix big-endian when checking preempt count in assembly
RDMA/vmw_pvrdma: Use atomic memory allocation in create AH
PM / AVS: SmartReflex: NULL check before some freeing functions is not needed
xfs: zero length symlinks are not valid
ARM: ks8695: fix section mismatch warning
ACPI / LPSS: Ignore acpi_device_fix_up_power() return value
scsi: lpfc: Enable Management features for IF_TYPE=6
scsi: qla2xxx: Fix NPIV handling for FC-NVMe
scsi: qla2xxx: Fix for FC-NVMe discovery for NPIV port
nvme: provide fallback for discard alloc failure
s390/zcrypt: make sysfs reset attribute trigger queue reset
crypto: user - support incremental algorithm dumps
arm64: dts: renesas: draak: Fix CVBS input
mwifiex: fix potential NULL dereference and use after free
mwifiex: debugfs: correct histogram spacing, formatting
brcmfmac: set F2 watermark to 256 for 4373
brcmfmac: set SDIO F1 MesBusyCtrl for CYW4373
rtl818x: fix potential use after free
bcache: do not check if debug dentry is ERR or NULL explicitly on remove
bcache: do not mark writeback_running too early
xfs: require both realtime inodes to mount
nvme: fix kernel paging oops
ubifs: Fix default compression selection in ubifs
ubi: Put MTD device after it is not used
ubi: Do not drop UBI device reference before using
microblaze: adjust the help to the real behavior
microblaze: move "... is ready" messages to arch/microblaze/Makefile
microblaze: fix multiple bugs in arch/microblaze/boot/Makefile
iwlwifi: move iwl_nvm_check_version() into dvm
iwlwifi: mvm: force TCM re-evaluation on TCM resume
iwlwifi: pcie: fix erroneous print
iwlwifi: pcie: set cmd_len in the correct place
gpio: pca953x: Fix AI overflow on PCAL6524
gpiolib: Fix return value of gpio_to_desc() stub if !GPIOLIB
kvm: vmx: Set IA32_TSC_AUX for legacy mode guests
Revert "KVM: nVMX: reset cache/shadows when switching loaded VMCS"
Revert "KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()"
crypto/chelsio/chtls: listen fails with multiadapt
VSOCK: bind to random port for VMADDR_PORT_ANY
mmc: meson-gx: make sure the descriptor is stopped on errors
mtd: rawnand: sunxi: Write pageprog related opcodes to WCMD_SET
usb: ehci-omap: Fix deferred probe for phy handling
btrfs: Check for missing device before bio submission in btrfs_map_bio
btrfs: fix ncopies raid_attr for RAID56
btrfs: dev-replace: set result code of cancel by status of scrub
Btrfs: allow clear_extent_dirty() to receive a cached extent state record
btrfs: only track ref_heads in delayed_ref_updates
serial: sh-sci: Fix crash in rx_timer_fn() on PIO fallback
HID: intel-ish-hid: fixes incorrect error handling
gpio: raspberrypi-exp: decrease refcount on firmware dt node
serial: 8250: Rate limit serial port rx interrupts during input overruns
kprobes/x86/xen: blacklist non-attachable xen interrupt functions
xen/pciback: Check dev_data before using it
kprobes: Blacklist symbols in arch-defined prohibited area
kprobes/x86: Show x86-64 specific blacklisted symbols correctly
vfio-mdev/samples: Use u8 instead of char for handle functions
memory: omap-gpmc: Get the header of the enum
pinctrl: xway: fix gpio-hog related boot issues
net/mlx5: Continue driver initialization despite debugfs failure
netfilter: nf_nat_sip: fix RTP/RTCP source port translations
exofs_mount(): fix leaks on failure exits
bnxt_en: Return linux standard errors in bnxt_ethtool.c
bnxt_en: Save ring statistics before reset.
bnxt_en: query force speeds before disabling autoneg mode.
KVM: s390: unregister debug feature on failing arch init
pinctrl: sh-pfc: r8a77990: Fix MOD_SEL0 SEL_I2C1 field width
pinctrl: sh-pfc: sh7264: Fix PFCR3 and PFCR0 register configuration
pinctrl: sh-pfc: sh7734: Fix shifted values in IPSR10
HID: doc: fix wrong data structure reference for UHID_OUTPUT
dm flakey: Properly corrupt multi-page bios.
gfs2: take jdata unstuff into account in do_grow
dm raid: fix false -EBUSY when handling check/repair message
xfs: Align compat attrlist_by_handle with native implementation.
xfs: Fix bulkstat compat ioctls on x32 userspace.
IB/qib: Fix an error code in qib_sdma_verbs_send()
clocksource/drivers/fttmr010: Fix invalid interrupt register access
vxlan: Fix error path in __vxlan_dev_create()
powerpc/book3s/32: fix number of bats in p/v_block_mapped()
powerpc/xmon: fix dump_segments()
drivers/regulator: fix a missing check of return value
Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading
serial: max310x: Fix tx_empty() callback
openrisc: Fix broken paths to arch/or32
RDMA/srp: Propagate ib_post_send() failures to the SCSI mid-layer
scsi: qla2xxx: deadlock by configfs_depend_item
scsi: csiostor: fix incorrect dma device in case of vport
brcmfmac: Fix access point mode
ath6kl: Only use match sets when firmware supports it
ath6kl: Fix off by one error in scan completion
powerpc/perf: Fix unit_sel/cache_sel checks
powerpc/32: Avoid unsupported flags with clang
powerpc/prom: fix early DEBUG messages
powerpc/mm: Make NULL pointer deferences explicit on bad page faults.
powerpc/44x/bamboo: Fix PCI range
vfio/spapr_tce: Get rid of possible infinite loop
powerpc/powernv/eeh/npu: Fix uninitialized variables in opal_pci_eeh_freeze_status
drbd: ignore "all zero" peer volume sizes in handshake
drbd: reject attach of unsuitable uuids even if connected
drbd: do not block when adjusting "disk-options" while IO is frozen
drbd: fix print_st_err()'s prototype to match the definition
IB/rxe: Make counters thread safe
bpf/cpumap: make sure frame_size for build_skb is aligned if headroom isn't
regulator: tps65910: fix a missing check of return value
powerpc/83xx: handle machine check caused by watchdog timer
powerpc/pseries: Fix node leak in update_lmb_associativity_index()
powerpc: Fix HMIs on big-endian with CONFIG_RELOCATABLE=y
crypto: mxc-scc - fix build warnings on ARM64
pwm: clps711x: Fix period calculation
net/netlink_compat: Fix a missing check of nla_parse_nested
net/net_namespace: Check the return value of register_pernet_subsys()
f2fs: fix block address for __check_sit_bitmap
f2fs: fix to dirty inode synchronously
um: Include sys/uio.h to have writev()
um: Make GCOV depend on !KCOV
net: (cpts) fix a missing check of clk_prepare
net: stmicro: fix a missing check of clk_prepare
net: dsa: bcm_sf2: Propagate error value from mdio_write
atl1e: checking the status of atl1e_write_phy_reg
tipc: fix a missing check of genlmsg_put
net: marvell: fix a missing check of acpi_match_device
net/wan/fsl_ucc_hdlc: Avoid double free in ucc_hdlc_probe()
ocfs2: clear journal dirty flag after shutdown journal
vmscan: return NODE_RECLAIM_NOSCAN in node_reclaim() when CONFIG_NUMA is n
mm/page_alloc.c: free order-0 pages through PCP in page_frag_free()
mm/page_alloc.c: use a single function to free page
mm/page_alloc.c: deduplicate __memblock_free_early() and memblock_free()
tools/vm/page-types.c: fix "kpagecount returned fewer pages than expected" failures
netfilter: nf_tables: fix a missing check of nla_put_failure
xprtrdma: Prevent leak of rpcrdma_rep objects
infiniband: bnxt_re: qplib: Check the return value of send_message
infiniband/qedr: Potential null ptr dereference of qp
firmware: arm_sdei: fix wrong of_node_put() in init function
firmware: arm_sdei: Fix DT platform device creation
lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk
lib/genalloc.c: use vzalloc_node() to allocate the bitmap
fork: fix some -Wmissing-prototypes warnings
drivers/base/platform.c: kmemleak ignore a known leak
lib/genalloc.c: include vmalloc.h
mtd: Check add_mtd_device() ret code
tipc: fix memory leak in tipc_nl_compat_publ_dump
net/core/neighbour: tell kmemleak about hash tables
ata: ahci: mvebu: do Armada 38x configuration only on relevant SoCs
PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity()
net/core/neighbour: fix kmemleak minimal reference count for hash tables
serial: 8250: Fix serial8250 initialization crash
gpu: ipu-v3: pre: don't trigger update if buffer address doesn't change
sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe
ip_tunnel: Make none-tunnel-dst tunnel port work with lwtunnel
decnet: fix DN_IFREQ_SIZE
net/smc: prevent races between smc_lgr_terminate() and smc_conn_free()
net/smc: don't wait for send buffer space when data was already sent
mm/hotplug: invalid PFNs from pfn_to_online_page()
xfs: end sync buffer I/O properly on shutdown error
net/smc: fix sender_free computation
blktrace: Show requests without sector
net/smc: fix byte_order for rx_curs_confirmed
tipc: fix skb may be leaky in tipc_link_input
ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI
sfc: initialise found bitmap in efx_ef10_mtd_probe
geneve: change NET_UDP_TUNNEL dependency to select
net: fix possible overflow in __sk_mem_raise_allocated()
net: ip_gre: do not report erspan_ver for gre or gretap
net: ip6_gre: do not report erspan_ver for ip6gre or ip6gretap
sctp: don't compare hb_timer expire date before starting it
bpf: decrease usercnt if bpf_map_new_fd() fails in bpf_map_get_fd_by_id()
mmc: core: align max segment size with logical block size
net: dev: Use unsigned integer as an argument to left-shift
kvm: properly check debugfs dentry before using it
bpf: drop refcount if bpf_map_new_fd() fails in map_create()
net: hns3: Change fw error code NOT_EXEC to NOT_SUPPORTED
net: hns3: fix PFC not setting problem for DCB module
net: hns3: fix an issue for hclgevf_ae_get_hdev
net: hns3: fix an issue for hns3_update_new_int_gl
iommu/amd: Fix NULL dereference bug in match_hid_uid
apparmor: delete the dentry in aafs_remove() to avoid a leak
scsi: libsas: Support SATA PHY connection rate unmatch fixing during discovery
ACPI / APEI: Don't wait to serialise with oops messages when panic()ing
ACPI / APEI: Switch estatus pool to use vmalloc memory
scsi: hisi_sas: shutdown axi bus to avoid exception CQ returned
scsi: libsas: Check SMP PHY control function result
RDMA/hns: Fix the bug with updating rq head pointer when flush cqe
RDMA/hns: Bugfix for the scene without receiver queue
RDMA/hns: Fix the state of rereg mr
RDMA/hns: Use GFP_ATOMIC in hns_roce_v2_modify_qp
ASoC: rt5645: Headphone Jack sense inverts on the LattePanda board
powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()
xdp: fix cpumap redirect SKB creation bug
mtd: Remove a debug trace in mtdpart.c
mm, gup: add missing refcount overflow checks on s390
clk: at91: fix update bit maps on CFG_MOR write
clk: at91: generated: set audio_pll_allowed in at91_clk_register_generated()
usb: dwc2: use a longer core rest timeout in dwc2_core_reset()
staging: rtl8192e: fix potential use after free
staging: rtl8723bs: Drop ACPI device ids
staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids
USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
mei: bus: prefix device names on bus with the bus name
mei: me: add comet point V device id
thunderbolt: Power cycle the router if NVM authentication fails
xfrm: Fix memleak on xfrm state destroy
media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE
net: macb: fix error format in dev_err()
pwm: Clear chip_data in pwm_put()
media: atmel: atmel-isc: fix asd memory allocation
media: atmel: atmel-isc: fix INIT_WORK misplacement
macvlan: schedule bc_work even if error
net: psample: fix skb_over_panic
openvswitch: fix flow command message size
sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook
slip: Fix use-after-free Read in slip_open
openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
openvswitch: remove another BUG_ON()
selftests: bpf: test_sockmap: handle file creation failures gracefully
tipc: fix link name length check
sctp: cache netns in sctp_ep_common
net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
net: macb: add missed tasklet_kill
ext4: add more paranoia checking in ext4_expand_extra_isize handling
watchdog: sama5d4: fix WDD value to be always set to max
net: macb: Fix SUBNS increment and increase resolution
net: macb driver, check for SKBTX_HW_TSTAMP
mtd: rawnand: atmel: Fix spelling mistake in error message
mtd: rawnand: atmel: fix possible object reference leak
mtd: spi-nor: cast to u64 to avoid uint overflows
drm/atmel-hlcdc: revert shift by 8
mailbox: stm32_ipcc: add spinlock to fix channels concurrent access
tcp: exit if nothing to retransmit on RTO timeout
HID: core: check whether Usage Page item is after Usage ID items
crypto: stm32/hash - Fix hmac issue more than 256 bytes
media: stm32-dcmi: fix DMA corruption when stopping streaming
media: stm32-dcmi: fix check of pm_runtime_get_sync return value
hwrng: stm32 - fix unbalanced pm_runtime_enable
clk: stm32mp1: fix HSI divider flag
clk: stm32mp1: fix mcu divider table
clk: stm32mp1: add CLK_SET_RATE_NO_REPARENT to Kernel clocks
clk: stm32mp1: parent clocks update
mailbox: mailbox-test: fix null pointer if no mmio
pinctrl: stm32: fix memory leak issue
ASoC: stm32: i2s: fix dma configuration
ASoC: stm32: i2s: fix 16 bit format support
ASoC: stm32: i2s: fix IRQ clearing
ASoC: stm32: sai: add missing put_device()
dmaengine: stm32-dma: check whether length is aligned on FIFO threshold
platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
net: fec: fix clock count mis-match
Linux 4.19.88
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ifd3801a77cb551be72788031e7fcfc8a1d4fd197
[ Upstream commit 676e4a6fe7 ]
We want to avoid leaking pointer info from xdp_frame (that is placed in
top of frame) like commit 6dfb970d3d ("xdp: avoid leaking info stored in
frame data on page reuse"), and followup commit 97e19cce05 ("bpf:
reserve xdp_frame size in xdp headroom") that reserve this headroom.
These changes also affected how cpumap constructed SKBs, as xdpf->headroom
size changed, the skb data starting point were in-effect shifted with 32
bytes (sizeof xdp_frame). This was still okay, as the cpumap frame_size
calculation also included xdpf->headroom which were reduced by same amount.
A bug was introduced in commit 77ea5f4cbe ("bpf/cpumap: make sure
frame_size for build_skb is aligned if headroom isn't"), where the
xdpf->headroom became part of the SKB_DATA_ALIGN rounding up. This
round-up to find the frame_size is in principle still correct as it does
not exceed the 2048 bytes frame_size (which is max for ixgbe and i40e),
but the 32 bytes offset of pkt_data_start puts this over the 2048 bytes
limit. This cause skb_shared_info to spill into next frame. It is a little
hard to trigger, as the SKB need to use above 15 skb_shinfo->frags[] as
far as I calculate. This does happen in practise for TCP streams when
skb_try_coalesce() kicks in.
KASAN can be used to detect these wrong memory accesses, I've seen:
BUG: KASAN: use-after-free in skb_try_coalesce+0x3cb/0x760
BUG: KASAN: wild-memory-access in skb_release_data+0xe2/0x250
Driver veth also construct a SKB from xdp_frame in this way, but is not
affected, as it doesn't reserve/deduct the room (used by xdp_frame) from
the SKB headroom. Instead is clears the pointers via xdp_scrub_frame(),
and allows SKB to use this area.
The fix in this patch is to do like veth and instead allow SKB to (re)use
the area occupied by xdp_frame, by clearing via xdp_scrub_frame(). (This
does kill the idea of the SKB being able to access (mem) info from this
area, but I guess it was a bad idea anyhow, and it was already killed by
the veth changes.)
Fixes: 77ea5f4cbe ("bpf/cpumap: make sure frame_size for build_skb is aligned if headroom isn't")
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 352d20d611 ]
In bpf/syscall.c, map_create() first set map->usercnt to 1, a file
descriptor is supposed to return to userspace. When bpf_map_new_fd()
fails, drop the refcount.
Fixes: bd5f5f4ecb ("bpf: Add BPF_MAP_GET_FD_BY_ID")
Signed-off-by: Peng Sun <sironhide0null@gmail.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 781e62823c ]
In bpf/syscall.c, bpf_map_get_fd_by_id() use bpf_map_inc_not_zero()
to increase the refcount, both map->refcnt and map->usercnt. Then, if
bpf_map_new_fd() fails, should handle map->usercnt too.
Fixes: bd5f5f4ecb ("bpf: Add BPF_MAP_GET_FD_BY_ID")
Signed-off-by: Peng Sun <sironhide0null@gmail.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 77ea5f4cbe ]
The frame_size passed to build_skb must be aligned, else it is
possible that the embedded struct skb_shared_info gets unaligned.
For correctness make sure that xdpf->headroom in included in the
alignment. No upstream drivers can hit this, as all XDP drivers provide
an aligned headroom. This was discovered when playing with implementing
XDP support for mvneta, which have a 2 bytes DSA header, and this
Marvell ARM64 platform didn't like doing atomic operations on an
unaligned skb_shinfo(skb)->dataref addresses.
Fixes: 1c601d829a ("bpf: cpumap xdp_buff to skb conversion and allocation")
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3jdysACgkQONu9yGCS
aT49mhAAxl50oRh0bSk/SikbVCn7kRaoRNlCBsPtvtvbDDIpyREIzMRmIbH2OZjS
ji1umUu8iMj+HXW72dWNqPo2K337UzcNRsUXWAdJH8Et+ao+xOUV1jps/Zr3D9ca
2Cw6iTn2QFhKQythMlCxb30sf+kN4cAU1XY3M8xEWXB+4nAqc/aFW7mRAP1jusRb
1DAW+xqPiwCbaag1v5OzumAOGBhpmTcX8sfEYM+3DKcPgGL1jPyYeWlXA26nih8/
LQR6r2tAb454pipV0uApJ2u7V5nNxprcrfUNDmAfap2q/eF1w5pBbZoS5sqpf1eZ
2ycZ36w0ThE7lJKvNrfjq13Su+bGtpENxHlwesNPbsvz0F4xoEkelYSCE1gJBaHX
CZvq1Dhrk5DBvkCCElV8+CJxxuhMUZwzOwrz2iBLdPnpCpSgj8uNPLXMJno6D9fH
PZMCcBFf4WnCUBc06fB7qG+Z7y0TeAuLsNQmK3zYQoEc1gz4Yk5aFo7NgTyajqbD
YKINVP2Wj11TDBssolIA58EYcc2J38As54wuOvYtwy+k/mVkvZVhCPOtI+h3UYm4
lX2ROCHTzt+Av5qFlM8aSBcIlm1qihzSHEdnyqX2EZvUGC4C5Mc5/Eml3QJxAnVh
SzUfLZGzzfntpnWn2cJZ/EA/p6hXujG5k95LEwtAnxxYBFpLTKc=
=d8kA
-----END PGP SIGNATURE-----
Merge 4.19.87 into android-4.19
Changes in 4.19.87
mlxsw: spectrum_router: Fix determining underlay for a GRE tunnel
net/mlx4_en: fix mlx4 ethtool -N insertion
net/mlx4_en: Fix wrong limitation for number of TX rings
net: rtnetlink: prevent underflows in do_setvfinfo()
net/sched: act_pedit: fix WARN() in the traffic path
net: sched: ensure opts_len <= IP_TUNNEL_OPTS_MAX in act_tunnel_key
sfc: Only cancel the PPS workqueue if it exists
net/mlx5e: Fix set vf link state error flow
net/mlxfw: Verify FSM error code translation doesn't exceed array size
net/mlx5: Fix auto group size calculation
vhost/vsock: split packets to send using multiple buffers
gpio: max77620: Fixup debounce delays
tools: gpio: Correctly add make dependencies for gpio_utils
nbd:fix memory leak in nbd_get_socket()
virtio_console: allocate inbufs in add_port() only if it is needed
Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()"
mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()
drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported ASICs
drm/i915/pmu: "Frequency" is reported as accumulated cycles
drm/i915/userptr: Try to acquire the page lock around set_page_dirty()
mwifiex: Fix NL80211_TX_POWER_LIMITED
ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback
crypto: testmgr - fix sizeof() on COMP_BUF_SIZE
printk: lock/unlock console only for new logbuf entries
printk: fix integer overflow in setup_log_buf()
pinctrl: madera: Fix uninitialized variable bug in madera_mux_set_mux
PCI: cadence: Write MSI data with 32bits
gfs2: Fix marking bitmaps non-full
pty: fix compat ioctls
synclink_gt(): fix compat_ioctl()
powerpc: Fix signedness bug in update_flash_db()
powerpc/boot: Fix opal console in boot wrapper
powerpc/boot: Disable vector instructions
powerpc/eeh: Fix null deref for devices removed during EEH
powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field
EDAC, thunderx: Fix memory leak in thunderx_l2c_threaded_isr()
mt76: do not store aggregation sequence number for null-data frames
mt76x0: phy: fix restore phase in mt76x0_phy_recalibrate_after_assoc
brcmsmac: AP mode: update beacon when TIM changes
ath10k: set probe request oui during driver start
ath10k: allocate small size dma memory in ath10k_pci_diag_write_mem
skd: fixup usage of legacy IO API
cdrom: don't attempt to fiddle with cdo->capability
spi: sh-msiof: fix deferred probing
mmc: mediatek: fill the actual clock for mmc debugfs
mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail
PCI: mediatek: Fix class type for MT7622 to PCI_CLASS_BRIDGE_PCI
btrfs: defrag: use btrfs_mod_outstanding_extents in cluster_pages_for_defrag
btrfs: handle error of get_old_root
gsmi: Fix bug in append_to_eventlog sysfs handler
misc: mic: fix a DMA pool free failure
w1: IAD Register is yet readable trough iad sys file. Fix snprintf (%u for unsigned, count for max size).
m68k: fix command-line parsing when passed from u-boot
scsi: hisi_sas: Feed back linkrate(max/min) when re-attached
scsi: hisi_sas: Fix the race between IO completion and timeout for SMP/internal IO
scsi: hisi_sas: Free slot later in slot_complete_vx_hw()
RDMA/bnxt_re: Avoid NULL check after accessing the pointer
RDMA/bnxt_re: Fix qp async event reporting
RDMA/bnxt_re: Avoid resource leak in case the NQ registration fails
pinctrl: sunxi: Fix a memory leak in 'sunxi_pinctrl_build_state()'
pwm: lpss: Only set update bit if we are actually changing the settings
amiflop: clean up on errors during setup
qed: Align local and global PTT to propagate through the APIs.
scsi: ips: fix missing break in switch
nfp: bpf: protect against mis-initializing atomic counters
KVM: nVMX: reset cache/shadows when switching loaded VMCS
KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()
KVM/x86: Fix invvpid and invept register operand size in 64-bit mode
clk: tegra: Fixes for MBIST work around
scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler
scsi: isci: Change sci_controller_start_task's return type to sci_status
scsi: bfa: Avoid implicit enum conversion in bfad_im_post_vendor_event
scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param
crypto: ccree - avoid implicit enum conversion
nvmet: avoid integer overflow in the discard code
nvmet-fcloop: suppress a compiler warning
nvme-pci: fix hot removal during error handling
PCI: mediatek: Fixup MSI enablement logic by enabling MSI before clocks
clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk
clk: at91: audio-pll: fix audio pmc type
ASoC: tegra_sgtl5000: fix device_node refcounting
scsi: dc395x: fix dma API usage in srb_done
scsi: dc395x: fix DMA API usage in sg_update_list
scsi: zorro_esp: Limit DMA transfers to 65535 bytes
net: dsa: mv88e6xxx: Fix 88E6141/6341 2500mbps SERDES speed
net: fix warning in af_unix
net: ena: Fix Kconfig dependency on X86
xfs: fix use-after-free race in xfs_buf_rele
xfs: clear ail delwri queued bufs on unmount of shutdown fs
kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack
ACPI / scan: Create platform device for INT33FE ACPI nodes
PM / Domains: Deal with multiple states but no governor in genpd
ALSA: i2c/cs8427: Fix int to char conversion
macintosh/windfarm_smu_sat: Fix debug output
PCI: vmd: Detach resources after stopping root bus
USB: misc: appledisplay: fix backlight update_status return code
usbip: tools: fix atoi() on non-null terminated string
sctp: use sk_wmem_queued to check for writable space
dm raid: avoid bitmap with raid4/5/6 journal device
selftests/bpf: fix file resource leak in load_kallsyms
SUNRPC: Fix a compile warning for cmpxchg64()
sunrpc: safely reallow resvport min/max inversion
atm: zatm: Fix empty body Clang warnings
s390/perf: Return error when debug_register fails
swiotlb: do not panic on mapping failures
spi: omap2-mcspi: Set FIFO DMA trigger level to word length
x86/intel_rdt: Prevent pseudo-locking from using stale pointers
sparc: Fix parport build warnings.
scsi: hisi_sas: Fix NULL pointer dereference
powerpc/pseries: Export raw per-CPU VPA data via debugfs
powerpc/mm/radix: Fix off-by-one in split mapping logic
powerpc/mm/radix: Fix overuse of small pages in splitting logic
powerpc/mm/radix: Fix small page at boundary when splitting
powerpc/64s/radix: Fix radix__flush_tlb_collapsed_pmd double flushing pmd
selftests/bpf: fix return value comparison for tests in test_libbpf.sh
tools: bpftool: fix completion for "bpftool map update"
ceph: fix dentry leak in ceph_readdir_prepopulate
ceph: only allow punch hole mode in fallocate
rtc: s35390a: Change buf's type to u8 in s35390a_init
RISC-V: Avoid corrupting the upper 32-bit of phys_addr_t in ioremap
thermal: armada: fix a test in probe()
f2fs: fix to spread clear_cold_data()
f2fs: spread f2fs_set_inode_flags()
mISDN: Fix type of switch control variable in ctrl_teimanager
qlcnic: fix a return in qlcnic_dcb_get_capability()
net: ethernet: ti: cpsw: unsync mcast entries while switch promisc mode
mfd: arizona: Correct calling of runtime_put_sync
mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values
mfd: intel_soc_pmic_bxtwc: Chain power button IRQs as well
mfd: max8997: Enale irq-wakeup unconditionally
net: socionext: Stop PHY before resetting netsec
fs/cifs: fix uninitialised variable warnings
spi: uniphier: fix incorrect property items
selftests/ftrace: Fix to test kprobe $comm arg only if available
selftests: watchdog: fix message when /dev/watchdog open fails
selftests: watchdog: Fix error message.
selftests: kvm: Fix -Wformat warnings
selftests: fix warning: "_GNU_SOURCE" redefined
thermal: rcar_thermal: fix duplicate IRQ request
thermal: rcar_thermal: Prevent hardware access during system suspend
net: ethernet: cadence: fix socket buffer corruption problem
bpf: devmap: fix wrong interface selection in notifier_call
bpf, btf: fix a missing check bug in btf_parse
powerpc/process: Fix flush_all_to_thread for SPE
sparc64: Rework xchg() definition to avoid warnings.
arm64: lib: use C string functions with KASAN enabled
fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle()
mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock
tools/testing/selftests/vm/gup_benchmark.c: fix 'write' flag usage
mm: thp: fix MADV_DONTNEED vs migrate_misplaced_transhuge_page race condition
macsec: update operstate when lower device changes
macsec: let the administrator set UP state even if lowerdev is down
block: fix the DISCARD request merge
i2c: uniphier-f: make driver robust against concurrency
i2c: uniphier-f: fix occasional timeout error
i2c: uniphier-f: fix race condition when IRQ is cleared
um: Make line/tty semantics use true write IRQ
vfs: avoid problematic remapping requests into partial EOF block
ipv4/igmp: fix v1/v2 switchback timeout based on rfc3376, 8.12
powerpc/xmon: Relax frame size for clang
selftests/powerpc/ptrace: Fix out-of-tree build
selftests/powerpc/signal: Fix out-of-tree build
selftests/powerpc/switch_endian: Fix out-of-tree build
selftests/powerpc/cache_shape: Fix out-of-tree build
block: call rq_qos_exit() after queue is frozen
mm/gup_benchmark.c: prevent integer overflow in ioctl
linux/bitmap.h: handle constant zero-size bitmaps correctly
linux/bitmap.h: fix type of nbits in bitmap_shift_right()
lib/bitmap.c: fix remaining space computation in bitmap_print_to_pagebuf
hfsplus: fix BUG on bnode parent update
hfs: fix BUG on bnode parent update
hfsplus: prevent btree data loss on ENOSPC
hfs: prevent btree data loss on ENOSPC
hfsplus: fix return value of hfsplus_get_block()
hfs: fix return value of hfs_get_block()
hfsplus: update timestamps on truncate()
hfs: update timestamp on truncate()
fs/hfs/extent.c: fix array out of bounds read of array extent
kernel/panic.c: do not append newline to the stack protector panic string
mm/memory_hotplug: make add_memory() take the device_hotplug_lock
mm/memory_hotplug: fix online/offline_pages called w.o. mem_hotplug_lock
powerpc/powernv: hold device_hotplug_lock when calling device_online()
igb: shorten maximum PHC timecounter update interval
fm10k: ensure completer aborts are marked as non-fatal after a resume
net: hns3: bugfix for buffer not free problem during resetting
net: hns3: bugfix for reporting unknown vector0 interrupt repeatly problem
net: hns3: bugfix for is_valid_csq_clean_head()
net: hns3: bugfix for hclge_mdio_write and hclge_mdio_read
ntb_netdev: fix sleep time mismatch
ntb: intel: fix return value for ndev_vec_mask()
irq/matrix: Fix memory overallocation
nvme-pci: fix conflicting p2p resource adds
arm64: makefile fix build of .i file in external module case
tools/power turbosat: fix AMD APIC-id output
mm: handle no memcg case in memcg_kmem_charge() properly
ocfs2: without quota support, avoid calling quota recovery
ocfs2: don't use iocb when EIOCBQUEUED returns
ocfs2: don't put and assigning null to bh allocated outside
ocfs2: fix clusters leak in ocfs2_defrag_extent()
net: do not abort bulk send on BQL status
sched/topology: Fix off by one bug
sched/fair: Don't increase sd->balance_interval on newidle balance
openvswitch: fix linking without CONFIG_NF_CONNTRACK_LABELS
ARM: dts: imx6sx-sdb: Fix enet phy regulator
clk: sunxi-ng: enable so-said LDOs for A64 SoC's pll-mipi clock
soc: bcm: brcmstb: Fix re-entry point with a THUMB2_KERNEL
audit: print empty EXECVE args
sock_diag: fix autoloading of the raw_diag module
net: bpfilter: fix iptables failure if bpfilter_umh is disabled
nds32: Fix bug in bitfield.h
media: ov13858: Check for possible null pointer
btrfs: avoid link error with CONFIG_NO_AUTO_INLINE
wil6210: fix debugfs memory access alignment
wil6210: fix L2 RX status handling
wil6210: fix RGF_CAF_ICR address for Talyn-MB
wil6210: fix locking in wmi_call
ath10k: snoc: fix unbalanced clock error handling
wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()'
rtl8xxxu: Fix missing break in switch
brcmsmac: never log "tid x is not agg'able" by default
wireless: airo: potential buffer overflow in sprintf()
rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information
net: dsa: bcm_sf2: Turn on PHY to allow successful registration
scsi: mpt3sas: Fix Sync cache command failure during driver unload
scsi: mpt3sas: Don't modify EEDPTagMode field setting on SAS3.5 HBA devices
scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11
scsi: megaraid_sas: Fix msleep granularity
scsi: megaraid_sas: Fix goto labels in error handling
scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces
scsi: lpfc: Fix odd recovery in duplicate FLOGIs in point-to-point
scsi: lpfc: Correct loss of fc4 type on remote port address change
usb: typec: tcpm: charge current handling for sink during hard reset
dlm: fix invalid free
dlm: don't leak kernel pointer to userspace
vrf: mark skb for multicast or link-local as enslaved to VRF
clk: tegra20: Turn EMC clock gate into divider
ACPICA: Use %d for signed int print formatting instead of %u
net: bcmgenet: return correct value 'ret' from bcmgenet_power_down
of: unittest: allow base devicetree to have symbol metadata
of: unittest: initialize args before calling of_*parse_*()
tools: bpftool: pass an argument to silence open_obj_pinned()
cfg80211: Prevent regulatory restore during STA disconnect in concurrent interfaces
pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues
pinctrl: bcm2835: Use define directive for BCM2835_PINCONF_PARAM_PULL
pinctrl: lpc18xx: Use define directive for PIN_CONFIG_GPIO_PIN_INT
pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD
PCI: keystone: Use quirk to limit MRRS for K2G
nvme-pci: fix surprise removal
spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch
i2c: uniphier-f: fix timeout error after reading 8 bytes
mm/memory_hotplug: Do not unlock when fails to take the device_hotplug_lock
ipv6: Fix handling of LLA with VRF and sockets bound to VRF
cfg80211: call disconnect_wk when AP stops
mm/page_io.c: do not free shared swap slots
Bluetooth: Fix invalid-free in bcsp_close()
KVM: MMU: Do not treat ZONE_DEVICE pages as being reserved
ath10k: Fix a NULL-ptr-deref bug in ath10k_usb_alloc_urb_from_pipe
ath9k_hw: fix uninitialized variable data
md/raid10: prevent access of uninitialized resync_pages offset
mm/memory_hotplug: don't access uninitialized memmaps in shrink_zone_span()
net: phy: dp83867: fix speed 10 in sgmii mode
net: phy: dp83867: increase SGMII autoneg timer duration
ocfs2: remove ocfs2_is_o2cb_active()
ARM: 8904/1: skip nomap memblocks while finding the lowmem/highmem boundary
ARC: perf: Accommodate big-endian CPU
x86/insn: Fix awk regexp warnings
x86/speculation: Fix incorrect MDS/TAA mitigation status
x86/speculation: Fix redundant MDS mitigation message
nbd: prevent memory leak
y2038: futex: Move compat implementation into futex.c
futex: Prevent robust futex exit race
ALSA: usb-audio: Fix NULL dereference at parsing BADD
nfc: port100: handle command failure cleanly
media: vivid: Set vid_cap_streaming and vid_out_streaming to true
media: vivid: Fix wrong locking that causes race conditions on streaming stop
media: usbvision: Fix races among open, close, and disconnect
cpufreq: Add NULL checks to show() and store() methods of cpufreq
media: uvcvideo: Fix error path in control parsing failure
media: b2c2-flexcop-usb: add sanity checking
media: cxusb: detect cxusb_ctrl_msg error in query
media: imon: invalid dereference in imon_touch_event
virtio_ring: fix return code on DMA mapping fails
USBIP: add config dependency for SGL_ALLOC
usbip: tools: fix fd leakage in the function of read_attr_usbip_status
usbip: Fix uninitialized symbol 'nents' in stub_recv_cmd_submit()
usb-serial: cp201x: support Mark-10 digital force gauge
USB: chaoskey: fix error case of a timeout
appledisplay: fix error handling in the scheduled work
USB: serial: mos7840: add USB ID to support Moxa UPort 2210
USB: serial: mos7720: fix remote wakeup
USB: serial: mos7840: fix remote wakeup
USB: serial: option: add support for DW5821e with eSIM support
USB: serial: option: add support for Foxconn T77W968 LTE modules
staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error
powerpc/64s: support nospectre_v2 cmdline option
powerpc/book3s64: Fix link stack flush on context switch
KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel
PM / devfreq: Fix kernel oops on governor module load
Linux 4.19.87
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id8c8d4cd92227f8f46c48c05440e09da957fa687
[ Upstream commit 4a6998aff8 ]
Wenwen Wang reported:
In btf_parse(), the header of the user-space btf data 'btf_data'
is firstly parsed and verified through btf_parse_hdr().
In btf_parse_hdr(), the header is copied from user-space 'btf_data'
to kernel-space 'btf->hdr' and then verified. If no error happens
during the verification process, the whole data of 'btf_data',
including the header, is then copied to 'data' in btf_parse(). It
is obvious that the header is copied twice here. More importantly,
no check is enforced after the second copy to make sure the headers
obtained in these two copies are same. Given that 'btf_data' resides
in the user space, a malicious user can race to modify the header
between these two copies. By doing so, the user can inject
inconsistent data, which can cause undefined behavior of the
kernel and introduce potential security risk.
This issue is similar to the one fixed in commit 8af03d1ae2 ("bpf:
btf: Fix a missing check bug"). To fix it, this patch copies the user
'btf_data' *before* parsing / verifying the BTF header.
Fixes: 69b693f0ae ("bpf: btf: Introduce BPF Type Format (BTF)")
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Co-developed-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f592f80483 ]
The dev_map_notification() removes interface in devmap if
unregistering interface's ifindex is same.
But only checking ifindex is not enough because other netns can have
same ifindex. so that wrong interface selection could occurred.
Hence netdev pointer comparison code is added.
v2: compare netdev pointer instead of using net_eq() (Daniel Borkmann)
v1: Initial patch
Fixes: 2ddf71e23c ("net: add notifier hooks for devmap bpf map")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3aL2UACgkQONu9yGCS
aT73GA//VSRJjGzdohy0+NVK3Dk7tCb2GfXFyLfRasyCbpCVGudaN9IltPU20pmj
U67BRp3jJg6AFRFDxJn4uyAxqcYF6VFp77BiBLiF6lZEv3+0xxOqdyFL2IY9Cyew
5XGNWcjXAR/bZ0r/rRXw8GUBMmW/8oewW7Iay4YhriUWv/afucbMVK7cNgyj/qvP
jSbHh4mp15BGg1aIanM7YSlJgXX2MimXwEceyHPQJgKpSx1CApI2uRMSNZw/RXeP
hFox3Ord5o/K+dowtKW+eTXUMkbm+7Htsi0p+WvE69y6KjyBzh3CEXrQqJsLtd0Y
1myphKOX42z0/hbysUZQV8AvY5jrZu/SPoH8quXD/MNxPvNe0OjO3UiMruAdohQh
I3SjKZB+HprtsCGn4X6/PiHUxq8PCLwtMaa9IIRmtFOXeuxPPeQLdEoM8m2eCEiL
DnwkDXVVtQhKymmYgWUxcAsFpXl+s3k5ZRFmWEDDTuwlyZRWMPuRaWEOH8YuIHzz
QETCyodrOis90TFgG1XJDijzPpZtxZKuJ8HdGmO7J8BMDXi6r0aoTzBk8cPAAe3A
TUqRnHoMKLLYC+9vxA90aThXsibL6DuD06beJy3H1XCSj2vKvkM/iLaL8R95JjAW
XZaEv/SH9zoEynypd+b8tOHHdPSaZcTe3pd3SDmOPLpejOuSTJU=
=VtIx
-----END PGP SIGNATURE-----
Merge 4.19.86 into android-4.19
Changes in 4.19.86
spi: mediatek: use correct mata->xfer_len when in fifo transfer
i2c: mediatek: modify threshold passed to i2c_get_dma_safe_msg_buf()
tee: optee: add missing of_node_put after of_device_is_available
Revert "OPP: Protect dev_list with opp_table lock"
net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
idr: Fix idr_get_next race with idr_remove
mm/memory_hotplug: don't access uninitialized memmaps in shrink_pgdat_span()
mm/memory_hotplug: fix updating the node span
arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault
fbdev: Ditch fb_edid_add_monspecs
bpf, x32: Fix bug for BPF_ALU64 | BPF_NEG
bpf, x32: Fix bug with ALU64 {LSH, RSH, ARSH} BPF_X shift by 0
bpf, x32: Fix bug with ALU64 {LSH, RSH, ARSH} BPF_K shift by 0
bpf, x32: Fix bug for BPF_JMP | {BPF_JSGT, BPF_JSLE, BPF_JSLT, BPF_JSGE}
net: ovs: fix return type of ndo_start_xmit function
net: xen-netback: fix return type of ndo_start_xmit function
ARM: dts: dra7: Enable workaround for errata i870 in PCIe host mode
ARM: dts: omap5: enable OTG role for DWC3 controller
net: hns3: Fix for netdev not up problem when setting mtu
net: hns3: Fix loss of coal configuration while doing reset
f2fs: return correct errno in f2fs_gc
ARM: dts: sun8i: h3-h5: ir register size should be the whole memory block
ARM: dts: sun8i: h3: bpi-m2-plus: Fix address for external RGMII Ethernet PHY
tcp: up initial rmem to 128KB and SYN rwin to around 64KB
SUNRPC: Fix priority queue fairness
ACPI / LPSS: Make acpi_lpss_find_device() also find PCI devices
ACPI / LPSS: Resume BYT/CHT I2C controllers from resume_noirq
f2fs: keep lazytime on remount
IB/hfi1: Error path MAD response size is incorrect
IB/hfi1: Ensure ucast_dlid access doesnt exceed bounds
mt76x2: fix tx power configuration for VHT mcs 9
mt76x2: disable WLAN core before probe
mt76: fix handling ps-poll frames
iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
iommu/arm-smmu-v3: Fix unexpected CMD_SYNC timeout
kvm: arm/arm64: Fix stage2_flush_memslot for 4 level page table
arm64/numa: Report correct memblock range for the dummy node
ath10k: fix vdev-start timeout on error
rtlwifi: btcoex: Use proper enumerated types for Wi-Fi only interface
ata: ahci_brcm: Allow using driver or DSL SoCs
PM / devfreq: Fix devfreq_add_device() when drivers are built as modules.
PM / devfreq: Fix handling of min/max_freq == 0
PM / devfreq: stopping the governor before device_unregister()
ath9k: fix reporting calculated new FFT upper max
selftests/tls: Fix recv(MSG_PEEK) & splice() test cases
usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status()
usb: dwc3: gadget: Check ENBLSLPM before sending ep command
nl80211: Fix a GET_KEY reply attribute
irqchip/irq-mvebu-icu: Fix wrong private data retrieval
watchdog: core: fix null pointer dereference when releasing cdev
watchdog: renesas_wdt: stop when unregistering
watchdog: sama5d4: fix timeout-sec usage
watchdog: w83627hf_wdt: Support NCT6796D, NCT6797D, NCT6798D
KVM: PPC: Inform the userspace about TCE update failures
printk: Do not miss new messages when replaying the log
printk: CON_PRINTBUFFER console registration is a bit racy
dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction
dmaengine: timb_dma: Use proper enum in td_prep_slave_sg
ALSA: hda: Fix mismatch for register mask and value in ext controller.
ext4: fix build error when DX_DEBUG is defined
clk: keystone: Enable TISCI clocks if K3_ARCH
sunrpc: Fix connect metrics
x86/PCI: Apply VMD's AERSID fixup generically
mei: samples: fix a signedness bug in amt_host_if_call()
cxgb4: Use proper enum in cxgb4_dcb_handle_fw_update
cxgb4: Use proper enum in IEEE_FAUX_SYNC
powerpc/pseries: Fix DTL buffer registration
powerpc/pseries: Fix how we iterate over the DTL entries
powerpc/xive: Move a dereference below a NULL test
ARM: dts: at91: sama5d4_xplained: fix addressable nand flash size
ARM: dts: at91: at91sam9x5cm: fix addressable nand flash size
ARM: dts: at91: sama5d2_ptc_ek: fix bootloader env offsets
mtd: rawnand: sh_flctl: Use proper enum for flctl_dma_fifo0_transfer
PM / hibernate: Check the success of generating md5 digest before hibernation
tools: PCI: Fix compilation warnings
clocksource/drivers/sh_cmt: Fixup for 64-bit machines
clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines
ice: Fix forward to queue group logic
md: allow metadata updates while suspending an array - fix
ixgbe: Fix ixgbe TX hangs with XDP_TX beyond queue limit
i40e: Use proper enum in i40e_ndo_set_vf_link_state
ixgbe: Fix crash with VFs and flow director on interface flap
IB/mthca: Fix error return code in __mthca_init_one()
IB/rxe: avoid srq memory leak
RDMA/hns: Bugfix for reserved qp number
RDMA/hns: Submit bad wr when post send wr exception
RDMA/hns: Bugfix for CM test
RDMA/hns: Limit the size of extend sge of sq
IB/mlx4: Avoid implicit enumerated type conversion
rpmsg: glink: smem: Support rx peak for size less than 4 bytes
msm/gpu/a6xx: Force of_dma_configure to setup DMA for GMU
OPP: Return error on error from dev_pm_opp_get_opp_count()
ACPICA: Never run _REG on system_memory and system_IO
cpuidle: menu: Fix wakeup statistics updates for polling state
ASoC: qdsp6: q6asm-dai: checking NULL vs IS_ERR()
powerpc/time: Use clockevents_register_device(), fixing an issue with large decrementer
powerpc/64s/radix: Explicitly flush ERAT with local LPID invalidation
ata: ep93xx: Use proper enums for directions
qed: Avoid implicit enum conversion in qed_ooo_submit_tx_buffers
media: rc: ir-rc6-decoder: enable toggle bit for Kathrein RCU-676 remote
media: pxa_camera: Fix check for pdev->dev.of_node
media: rcar-vin: fix redeclaration of symbol
media: i2c: adv748x: Support probing a single output
ALSA: hda/sigmatel - Disable automute for Elo VuPoint
bnxt_en: return proper error when FW returns HWRM_ERR_CODE_RESOURCE_ACCESS_DENIED
KVM: PPC: Book3S PR: Exiting split hack mode needs to fixup both PC and LR
USB: serial: cypress_m8: fix interrupt-out transfer length
usb: dwc2: disable power_down on rockchip devices
mtd: physmap_of: Release resources on error
cpu/SMT: State SMT is disabled even with nosmt and without "=force"
brcmfmac: reduce timeout for action frame scan
brcmfmac: fix full timeout waiting for action frame on-channel tx
qtnfmac: request userspace to do OBSS scanning if FW can not
qtnfmac: pass sgi rate info flag to wireless core
qtnfmac: inform wireless core about supported extended capabilities
qtnfmac: drop error reports for out-of-bounds key indexes
clk: samsung: Use NOIRQ stage for Exynos5433 clocks suspend/resume
clk: samsung: exynos5420: Define CLK_SECKEY gate clock only or Exynos5420
clk: samsung: Use clk_hw API for calling clk framework from clk notifiers
i2c: brcmstb: Allow enabling the driver on DSL SoCs
printk: Correct wrong casting
NFSv4.x: fix lock recovery during delegation recall
dmaengine: ioat: fix prototype of ioat_enumerate_channels
media: ov5640: fix framerate update
media: cec-gpio: select correct Signal Free Time
gfs2: slow the deluge of io error messages
i2c: omap: use core to detect 'no zero length' quirk
i2c: qup: use core to detect 'no zero length' quirk
i2c: tegra: use core to detect 'no zero length' quirk
i2c: zx2967: use core to detect 'no zero length' quirk
Input: st1232 - set INPUT_PROP_DIRECT property
Input: silead - try firmware reload after unsuccessful resume
soc: fsl: bman_portals: defer probe after bman's probe
net: hns3: Fix for rx vlan id handle to support Rev 0x21 hardware
tc-testing: fix build of eBPF programs
remoteproc: Check for NULL firmwares in sysfs interface
remoteproc: qcom: q6v5: Fix a race condition on fatal crash
kexec: Allocate decrypted control pages for kdump if SME is enabled
x86/olpc: Fix build error with CONFIG_MFD_CS5535=m
dmaengine: rcar-dmac: set scatter/gather max segment size
crypto: mxs-dcp - Fix SHA null hashes and output length
crypto: mxs-dcp - Fix AES issues
xfrm: use correct size to initialise sp->ovec
ACPI / SBS: Fix rare oops when removing modules
iwlwifi: mvm: don't send keys when entering D3
xsk: proper AF_XDP socket teardown ordering
x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately
mmc: renesas_sdhi_internal_dmac: Whitelist r8a774a1
mmc: tmio: Fix SCC error detection
mmc: renesas_sdhi_internal_dmac: set scatter/gather max segment size
atmel_lcdfb: support native-mode display-timings
fbdev: sbuslib: use checked version of put_user()
fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
fbdev: fix broken menu dependencies
reset: Fix potential use-after-free in __of_reset_control_get()
bcache: account size of buckets used in uuid write to ca->meta_sectors_written
bcache: recal cached_dev_sectors on detach
platform/x86: mlx-platform: Properly use mlxplat_mlxcpld_msn201x_items
media: dw9714: Fix error handling in probe function
media: dw9807-vcm: Fix probe error handling
media: cx18: Don't check for address of video_dev
mtd: spi-nor: cadence-quadspi: Use proper enum for dma_[un]map_single
mtd: devices: m25p80: Make sure WRITE_EN is issued before each write
x86/intel_rdt: Introduce utility to obtain CDP peer
x86/intel_rdt: CBM overlap should also check for overlap with CDP peer
mmc: mmci: expand startbiterr to irqmask and error check
s390/kasan: avoid vdso instrumentation
s390/kasan: avoid instrumentation of early C code
s390/kasan: avoid user access code instrumentation
proc/vmcore: Fix i386 build error of missing copy_oldmem_page_encrypted()
backlight: lm3639: Unconditionally call led_classdev_unregister
mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable
printk: Give error on attempt to set log buffer length to over 2G
media: isif: fix a NULL pointer dereference bug
GFS2: Flush the GFS2 delete workqueue before stopping the kernel threads
media: cx231xx: fix potential sign-extension overflow on large shift
media: venus: vdec: fix decoded data size
ALSA: hda/ca0132 - Fix input effect controls for desktop cards
lightnvm: pblk: fix rqd.error return value in pblk_blk_erase_sync
lightnvm: pblk: fix incorrect min_write_pgs
lightnvm: pblk: guarantee emeta on line close
lightnvm: pblk: fix write amplificiation calculation
lightnvm: pblk: guarantee mw_cunits on read buffer
lightnvm: do no update csecs and sos on 1.2
lightnvm: pblk: fix error handling of pblk_lines_init()
lightnvm: pblk: consider max hw sectors supported for max_write_pgs
x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error
bpf: btf: Fix a missing check bug
net: fix generic XDP to handle if eth header was mangled
gpio: syscon: Fix possible NULL ptr usage
spi: fsl-lpspi: Prevent FIFO under/overrun by default
pinctrl: gemini: Mask and set properly
spi: spidev: Fix OF tree warning logic
ARM: 8802/1: Call syscall_trace_exit even when system call skipped
x86/mm: Do not warn about PCI BIOS W+X mappings
orangefs: rate limit the client not running info message
pinctrl: gemini: Fix up TVC clock group
scsi: arcmsr: clean up clang warning on extraneous parentheses
hwmon: (k10temp) Support all Family 15h Model 6xh and Model 7xh processors
hwmon: (nct6775) Fix names of DIMM temperature sources
hwmon: (pwm-fan) Silence error on probe deferral
hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros
hwmon: (npcm-750-pwm-fan) Change initial pwm target to 255
selftests: forwarding: Have lldpad_app_wait_set() wait for unknown, too
net: sched: avoid writing on noop_qdisc
netfilter: nft_compat: do not dump private area
misc: cxl: Fix possible null pointer dereference
mac80211: minstrel: fix using short preamble CCK rates on HT clients
mac80211: minstrel: fix CCK rate group streams value
mac80211: minstrel: fix sampling/reporting of CCK rates in HT mode
spi: rockchip: initialize dma_slave_config properly
mlxsw: spectrum_switchdev: Check notification relevance based on upper device
ARM: dts: omap5: Fix dual-role mode on Super-Speed port
tcp: start receiver buffer autotuning sooner
ACPI / LPSS: Use acpi_lpss_* instead of acpi_subsys_* functions for hibernate
PM / devfreq: Fix static checker warning in try_then_request_governor
tools: PCI: Fix broken pcitest compilation
powerpc/time: Fix clockevent_decrementer initalisation for PR KVM
mmc: tmio: fix SCC error handling to avoid false positive CRC error
x86/resctrl: Fix rdt_find_domain() return value and checks
Linux 4.19.86
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ib9de820e5026cadf4fab89e69d1324302cdae9c3
[ Upstream commit 8af03d1ae2 ]
In btf_parse_hdr(), the length of the btf data header is firstly copied
from the user space to 'hdr_len' and checked to see whether it is larger
than 'btf_data_size'. If yes, an error code EINVAL is returned. Otherwise,
the whole header is copied again from the user space to 'btf->hdr'.
However, after the second copy, there is no check between
'btf->hdr->hdr_len' and 'hdr_len' to confirm that the two copies get the
same value. Given that the btf data is in the user space, a malicious user
can race to change the data between the two copies. By doing so, the user
can provide malicious data to the kernel and cause undefined behavior.
This patch adds a necessary check after the second copy, to make sure
'btf->hdr->hdr_len' has the same value as 'hdr_len'. Otherwise, an error
code EINVAL will be returned.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl2bbnkACgkQONu9yGCS
aT6bng/+Jvj4gXLq2w+KmeN1SRbNu2ee+GjQsgQR6JZ3/dY5+rzPhuL37Op0fQd6
UwnLhY4TL3PUiRCE8pNaVYI8nDfpxRkohYP+SMtGyoQKmoiy3W/SWe3CgEwniLwg
k9TsuqxUsIUeEdSr6Bjbry0IU4VoZ3MP0cmMc1SrFUqJzFoGoUMHsHmQJvDPiy1f
l7oZUgYrXArcnPhCda6peD9AJUfuIRKAM4BW47WN6Z9moqAAAa60eXN/u/hHp+Qc
w55AZTSxel7CMbLDMnZ6/xWDgY/FHTLjkmhdIl9H6Qi8SbrJwq23zXnBO5xVameQ
4MaLIgrp7M5sohAVFdqAVZYyZrkX91ssVujYwc+I6O1TYdja1Usj2TzdyL/MPqzY
FLM9s3P0C3xKLdlg5gq9BxxnohIIhNmBy069NGsmfFd9jP2o6vFUEjiVxSY7Hp3r
GpZP1ETAfMNHCG3jN3o5EkwyLoQHegFWfLpCIEF++k9gjo2CP00+Lf16RVrSsG47
ILobFW5Wy4RXFyd7M8PrjSyuAtuzkUTzxg6P+6zuEtPwwvZPtadd97dGbA90pKvv
eB1UPHu8/emMhW/8fwDBbpeQbIh0pHtX2yQq/LTItEHGr+YjRTIyH3Z/fST5itre
ZDofsls4A+70TQ5/XOgjlDjco93iUs8KULDzQqvTFIuUIlvk3hQ=
=7fm2
-----END PGP SIGNATURE-----
Merge 4.19.78 into android-4.19
Changes in 4.19.78
tpm: use tpm_try_get_ops() in tpm-sysfs.c.
tpm: Fix TPM 1.2 Shutdown sequence to prevent future TPM operations
drm/bridge: tc358767: Increase AUX transfer length limit
drm/panel: simple: fix AUO g185han01 horizontal blanking
video: ssd1307fb: Start page range at page_offset
drm/stm: attach gem fence to atomic state
drm/panel: check failure cases in the probe func
drm/rockchip: Check for fast link training before enabling psr
drm/radeon: Fix EEH during kexec
gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property()
PCI: rpaphp: Avoid a sometimes-uninitialized warning
ipmi_si: Only schedule continuously in the thread in maintenance mode
clk: qoriq: Fix -Wunused-const-variable
clk: sunxi-ng: v3s: add missing clock slices for MMC2 module clocks
drm/amd/display: fix issue where 252-255 values are clipped
drm/amd/display: reprogram VM config when system resume
powerpc/powernv/ioda2: Allocate TCE table levels on demand for default DMA window
clk: actions: Don't reference clk_init_data after registration
clk: sirf: Don't reference clk_init_data after registration
clk: sprd: Don't reference clk_init_data after registration
clk: zx296718: Don't reference clk_init_data after registration
powerpc/xmon: Check for HV mode when dumping XIVE info from OPAL
powerpc/rtas: use device model APIs and serialization during LPM
powerpc/futex: Fix warning: 'oldval' may be used uninitialized in this function
powerpc/pseries/mobility: use cond_resched when updating device tree
pinctrl: tegra: Fix write barrier placement in pmx_writel
powerpc/eeh: Clear stale EEH_DEV_NO_HANDLER flag
vfio_pci: Restore original state on release
drm/nouveau/volt: Fix for some cards having 0 maximum voltage
pinctrl: amd: disable spurious-firing GPIO IRQs
clk: renesas: mstp: Set GENPD_FLAG_ALWAYS_ON for clock domain
clk: renesas: cpg-mssr: Set GENPD_FLAG_ALWAYS_ON for clock domain
drm/amd/display: support spdif
drm/amdgpu/si: fix ASIC tests
powerpc/64s/exception: machine check use correct cfar for late handler
pstore: fs superblock limits
clk: qcom: gcc-sdm845: Use floor ops for sdcc clks
powerpc/pseries: correctly track irq state in default idle
pinctrl: meson-gxbb: Fix wrong pinning definition for uart_c
arm64: fix unreachable code issue with cmpxchg
clk: at91: select parent if main oscillator or bypass is enabled
powerpc: dump kernel log before carrying out fadump or kdump
mbox: qcom: add APCS child device for QCS404
clk: sprd: add missing kfree
scsi: core: Reduce memory required for SCSI logging
dma-buf/sw_sync: Synchronize signal vs syncpt free
ext4: fix potential use after free after remounting with noblock_validity
MIPS: Ingenic: Disable broken BTB lookup optimization.
MIPS: tlbex: Explicitly cast _PAGE_NO_EXEC to a boolean
i2c-cht-wc: Fix lockdep warning
mfd: intel-lpss: Remove D3cold delay
PCI: tegra: Fix OF node reference leak
HID: wacom: Fix several minor compiler warnings
livepatch: Nullify obj->mod in klp_module_coming()'s error path
ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as writes
soundwire: intel: fix channel number reported by hardware
ARM: 8875/1: Kconfig: default to AEABI w/ Clang
rtc: snvs: fix possible race condition
rtc: pcf85363/pcf85263: fix regmap error in set_time
HID: apple: Fix stuck function keys when using FN
PCI: rockchip: Propagate errors for optional regulators
PCI: histb: Propagate errors for optional regulators
PCI: imx6: Propagate errors for optional regulators
PCI: exynos: Propagate errors for optional PHYs
security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb()
ARM: 8903/1: ensure that usable memory in bank 0 starts from a PMD-aligned address
fat: work around race with userspace's read via blockdev while mounting
pktcdvd: remove warning on attempting to register non-passthrough dev
hypfs: Fix error number left in struct pointer member
crypto: hisilicon - Fix double free in sec_free_hw_sgl()
kbuild: clean compressed initramfs image
ocfs2: wait for recovering done after direct unlock request
kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K
arm64: consider stack randomization for mmap base only when necessary
mips: properly account for stack randomization and stack guard gap
arm: properly account for stack randomization and stack guard gap
arm: use STACK_TOP when computing mmap base address
block: mq-deadline: Fix queue restart handling
bpf: fix use after free in prog symbol exposure
cxgb4:Fix out-of-bounds MSI-X info array access
erspan: remove the incorrect mtu limit for erspan
hso: fix NULL-deref on tty open
ipv6: drop incoming packets having a v4mapped source address
ipv6: Handle missing host route in __ipv6_ifa_notify
net: ipv4: avoid mixed n_redirects and rate_tokens usage
net: qlogic: Fix memory leak in ql_alloc_large_buffers
net: Unpublish sk from sk_reuseport_cb before call_rcu
nfc: fix memory leak in llcp_sock_bind()
qmi_wwan: add support for Cinterion CLS8 devices
rxrpc: Fix rxrpc_recvmsg tracepoint
sch_dsmark: fix potential NULL deref in dsmark_init()
udp: fix gso_segs calculations
vsock: Fix a lockdep warning in __vsock_release()
net: dsa: rtl8366: Check VLAN ID and not ports
udp: only do GSO if # of segs > 1
net/rds: Fix error handling in rds_ib_add_one()
xen-netfront: do not use ~0U as error return value for xennet_fill_frags()
tipc: fix unlimited bundling of small messages
sch_cbq: validate TCA_CBQ_WRROPT to avoid crash
soundwire: Kconfig: fix help format
soundwire: fix regmap dependencies and align with other serial links
Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set
smack: use GFP_NOFS while holding inode_smack::smk_lock
NFC: fix attrs checks in netlink interface
kexec: bail out upon SIGKILL when allocating memory.
9p/cache.c: Fix memory leak in v9fs_cache_session_get_cookie
Linux 4.19.78
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I02db9c4a0cc1f784e6ac1523599fcbed747a6375
commit c751798aa2 upstream.
syzkaller managed to trigger the warning in bpf_jit_free() which checks via
bpf_prog_kallsyms_verify_off() for potentially unlinked JITed BPF progs
in kallsyms, and subsequently trips over GPF when walking kallsyms entries:
[...]
8021q: adding VLAN 0 to HW filter on device batadv0
8021q: adding VLAN 0 to HW filter on device batadv0
WARNING: CPU: 0 PID: 9869 at kernel/bpf/core.c:810 bpf_jit_free+0x1e8/0x2a0
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 9869 Comm: kworker/0:7 Not tainted 5.0.0-rc8+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events bpf_prog_free_deferred
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x113/0x167 lib/dump_stack.c:113
panic+0x212/0x40b kernel/panic.c:214
__warn.cold.8+0x1b/0x38 kernel/panic.c:571
report_bug+0x1a4/0x200 lib/bug.c:186
fixup_bug arch/x86/kernel/traps.c:178 [inline]
do_error_trap+0x11b/0x200 arch/x86/kernel/traps.c:271
do_invalid_op+0x36/0x40 arch/x86/kernel/traps.c:290
invalid_op+0x14/0x20 arch/x86/entry/entry_64.S:973
RIP: 0010:bpf_jit_free+0x1e8/0x2a0
Code: 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 86 00 00 00 48 ba 00 02 00 00 00 00 ad de 0f b6 43 02 49 39 d6 0f 84 5f fe ff ff <0f> 0b e9 58 fe ff ff 48 b8 00 00 00 00 00 fc ff df 4c 89 e2 48 c1
RSP: 0018:ffff888092f67cd8 EFLAGS: 00010202
RAX: 0000000000000007 RBX: ffffc90001947000 RCX: ffffffff816e9d88
RDX: dead000000000200 RSI: 0000000000000008 RDI: ffff88808769f7f0
RBP: ffff888092f67d00 R08: fffffbfff1394059 R09: fffffbfff1394058
R10: fffffbfff1394058 R11: ffffffff89ca02c7 R12: ffffc90001947002
R13: ffffc90001947020 R14: ffffffff881eca80 R15: ffff88808769f7e8
BUG: unable to handle kernel paging request at fffffbfff400d000
#PF error: [normal kernel read fault]
PGD 21ffee067 P4D 21ffee067 PUD 21ffed067 PMD 9f942067 PTE 0
Oops: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 9869 Comm: kworker/0:7 Not tainted 5.0.0-rc8+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: events bpf_prog_free_deferred
RIP: 0010:bpf_get_prog_addr_region kernel/bpf/core.c:495 [inline]
RIP: 0010:bpf_tree_comp kernel/bpf/core.c:558 [inline]
RIP: 0010:__lt_find include/linux/rbtree_latch.h:115 [inline]
RIP: 0010:latch_tree_find include/linux/rbtree_latch.h:208 [inline]
RIP: 0010:bpf_prog_kallsyms_find+0x107/0x2e0 kernel/bpf/core.c:632
Code: 00 f0 ff ff 44 38 c8 7f 08 84 c0 0f 85 fa 00 00 00 41 f6 45 02 01 75 02 0f 0b 48 39 da 0f 82 92 00 00 00 48 89 d8 48 c1 e8 03 <42> 0f b6 04 30 84 c0 74 08 3c 03 0f 8e 45 01 00 00 8b 03 48 c1 e0
[...]
Upon further debugging, it turns out that whenever we trigger this
issue, the kallsyms removal in bpf_prog_ksym_node_del() was /skipped/
but yet bpf_jit_free() reported that the entry is /in use/.
Problem is that symbol exposure via bpf_prog_kallsyms_add() but also
perf_event_bpf_event() were done /after/ bpf_prog_new_fd(). Once the
fd is exposed to the public, a parallel close request came in right
before we attempted to do the bpf_prog_kallsyms_add().
Given at this time the prog reference count is one, we start to rip
everything underneath us via bpf_prog_release() -> bpf_prog_put().
The memory is eventually released via deferred free, so we're seeing
that bpf_jit_free() has a kallsym entry because we added it from
bpf_prog_load() but /after/ bpf_prog_put() from the remote CPU.
Therefore, move both notifications /before/ we install the fd. The
issue was never seen between bpf_prog_alloc_id() and bpf_prog_new_fd()
because upon bpf_prog_get_fd_by_id() we'll take another reference to
the BPF prog, so we're still holding the original reference from the
bpf_prog_load().
Fixes: 6ee52e2a3f ("perf, bpf: Introduce PERF_RECORD_BPF_EVENT")
Fixes: 74451e66d5 ("bpf: make jited programs visible in traces")
Reported-by: syzbot+bd3bba6ff3fcea7a6ec6@syzkaller.appspotmail.com
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Song Liu <songliubraving@fb.com>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
With CONFIG_BPF_JIT, the kernel makes indirect calls to dynamically
generated code, which the compile-time Control-Flow Integrity (CFI)
checking cannot validate. This change adds basic sanity checking to
ensure we are jumping to a valid location, which narrows down the
attack surface on the stored pointer.
In addition, this change adds a weak arch_bpf_jit_check_func function,
which architectures that implement BPF JIT can override to perform
additional validation, such as verifying that the pointer points to
the correct memory region.
Bug: 140377409
Change-Id: I8ebac6637ab6bd9db44716b1c742add267298669
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
[ Upstream commit 86723c8640 ]
.ndo_xdp_xmit() assumes it is called under RCU. For example virtio_net
uses RCU to detect it has setup the resources for tx. The assumption
accidentally broke when introducing bulk queue in devmap.
Fixes: 5d053f9da4 ("bpf: devmap prepare xdp frames for bulking")
Reported-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit d4dd153d55 ]
dev_map_free() waits for flush_needed bitmap to be empty in order to
ensure all flush operations have completed before freeing its entries.
However the corresponding clear_bit() was called before using the
entries, so the entries could be used after free.
All access to the entries needs to be done before clearing the bit.
It seems commit a5e2da6e97 ("bpf: netdev is never null in
__dev_map_flush") accidentally changed the clear_bit() and memory access
order.
Note that the problem happens only in __dev_map_flush(), not in
dev_map_flush_old(). dev_map_flush_old() is called only after nulling
out the corresponding netdev_map entry, so dev_map_free() never frees
the entry thus no such race happens there.
Fixes: a5e2da6e97 ("bpf: netdev is never null in __dev_map_flush")
Signed-off-by: Toshiaki Makita <toshiaki.makita1@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit fdadd04931 ]
Michael and Sandipan report:
Commit ede95a63b5 introduced a bpf_jit_limit tuneable to limit BPF
JIT allocations. At compile time it defaults to PAGE_SIZE * 40000,
and is adjusted again at init time if MODULES_VADDR is defined.
For ppc64 kernels, MODULES_VADDR isn't defined, so we're stuck with
the compile-time default at boot-time, which is 0x9c400000 when
using 64K page size. This overflows the signed 32-bit bpf_jit_limit
value:
root@ubuntu:/tmp# cat /proc/sys/net/core/bpf_jit_limit
-1673527296
and can cause various unexpected failures throughout the network
stack. In one case `strace dhclient eth0` reported:
setsockopt(5, SOL_SOCKET, SO_ATTACH_FILTER, {len=11, filter=0x105dd27f8},
16) = -1 ENOTSUPP (Unknown error 524)
and similar failures can be seen with tools like tcpdump. This doesn't
always reproduce however, and I'm not sure why. The more consistent
failure I've seen is an Ubuntu 18.04 KVM guest booted on a POWER9
host would time out on systemd/netplan configuring a virtio-net NIC
with no noticeable errors in the logs.
Given this and also given that in near future some architectures like
arm64 will have a custom area for BPF JIT image allocations we should
get rid of the BPF_JIT_LIMIT_DEFAULT fallback / default entirely. For
4.21, we have an overridable bpf_jit_alloc_exec(), bpf_jit_free_exec()
so therefore add another overridable bpf_jit_alloc_exec_limit() helper
function which returns the possible size of the memory area for deriving
the default heuristic in bpf_jit_charge_init().
Like bpf_jit_alloc_exec() and bpf_jit_free_exec(), the new
bpf_jit_alloc_exec_limit() assumes that module_alloc() is the default
JIT memory provider, and therefore in case archs implement their custom
module_alloc() we use MODULES_{END,_VADDR} for limits and otherwise for
vmalloc_exec() cases like on ppc64 we use VMALLOC_{END,_START}.
Additionally, for archs supporting large page sizes, we should change
the sysctl to be handled as long to not run into sysctl restrictions
in future.
Fixes: ede95a63b5 ("bpf: add bpf_jit_limit knob to restrict unpriv allocations")
Reported-by: Sandipan Das <sandipan@linux.ibm.com>
Reported-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Michael Roth <mdroth@linux.vnet.ibm.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 983695fa67 upstream.
Intention of cgroup bind/connect/sendmsg BPF hooks is to act transparently
to applications as also stated in original motivation in 7828f20e37 ("Merge
branch 'bpf-cgroup-bind-connect'"). When recently integrating the latter
two hooks into Cilium to enable host based load-balancing with Kubernetes,
I ran into the issue that pods couldn't start up as DNS got broken. Kubernetes
typically sets up DNS as a service and is thus subject to load-balancing.
Upon further debugging, it turns out that the cgroupv2 sendmsg BPF hooks API
is currently insufficient and thus not usable as-is for standard applications
shipped with most distros. To break down the issue we ran into with a simple
example:
# cat /etc/resolv.conf
nameserver 147.75.207.207
nameserver 147.75.207.208
For the purpose of a simple test, we set up above IPs as service IPs and
transparently redirect traffic to a different DNS backend server for that
node:
# cilium service list
ID Frontend Backend
1 147.75.207.207:53 1 => 8.8.8.8:53
2 147.75.207.208:53 1 => 8.8.8.8:53
The attached BPF program is basically selecting one of the backends if the
service IP/port matches on the cgroup hook. DNS breaks here, because the
hooks are not transparent enough to applications which have built-in msg_name
address checks:
# nslookup 1.1.1.1
;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.207#53
;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.208#53
;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.207#53
[...]
;; connection timed out; no servers could be reached
# dig 1.1.1.1
;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.207#53
;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.208#53
;; reply from unexpected source: 8.8.8.8#53, expected 147.75.207.207#53
[...]
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> 1.1.1.1
;; global options: +cmd
;; connection timed out; no servers could be reached
For comparison, if none of the service IPs is used, and we tell nslookup
to use 8.8.8.8 directly it works just fine, of course:
# nslookup 1.1.1.1 8.8.8.8
1.1.1.1.in-addr.arpa name = one.one.one.one.
In order to fix this and thus act more transparent to the application,
this needs reverse translation on recvmsg() side. A minimal fix for this
API is to add similar recvmsg() hooks behind the BPF cgroups static key
such that the program can track state and replace the current sockaddr_in{,6}
with the original service IP. From BPF side, this basically tracks the
service tuple plus socket cookie in an LRU map where the reverse NAT can
then be retrieved via map value as one example. Side-note: the BPF cgroups
static key should be converted to a per-hook static key in future.
Same example after this fix:
# cilium service list
ID Frontend Backend
1 147.75.207.207:53 1 => 8.8.8.8:53
2 147.75.207.208:53 1 => 8.8.8.8:53
Lookups work fine now:
# nslookup 1.1.1.1
1.1.1.1.in-addr.arpa name = one.one.one.one.
Authoritative answers can be found from:
# dig 1.1.1.1
; <<>> DiG 9.11.3-1ubuntu1.7-Ubuntu <<>> 1.1.1.1
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 51550
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;1.1.1.1. IN A
;; AUTHORITY SECTION:
. 23426 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2019052001 1800 900 604800 86400
;; Query time: 17 msec
;; SERVER: 147.75.207.207#53(147.75.207.207)
;; WHEN: Tue May 21 12:59:38 UTC 2019
;; MSG SIZE rcvd: 111
And from an actual packet level it shows that we're using the back end
server when talking via 147.75.207.20{7,8} front end:
# tcpdump -i any udp
[...]
12:59:52.698732 IP foo.42011 > google-public-dns-a.google.com.domain: 18803+ PTR? 1.1.1.1.in-addr.arpa. (38)
12:59:52.698735 IP foo.42011 > google-public-dns-a.google.com.domain: 18803+ PTR? 1.1.1.1.in-addr.arpa. (38)
12:59:52.701208 IP google-public-dns-a.google.com.domain > foo.42011: 18803 1/0/0 PTR one.one.one.one. (67)
12:59:52.701208 IP google-public-dns-a.google.com.domain > foo.42011: 18803 1/0/0 PTR one.one.one.one. (67)
[...]
In order to be flexible and to have same semantics as in sendmsg BPF
programs, we only allow return codes in [1,1] range. In the sendmsg case
the program is called if msg->msg_name is present which can be the case
in both, connected and unconnected UDP.
The former only relies on the sockaddr_in{,6} passed via connect(2) if
passed msg->msg_name was NULL. Therefore, on recvmsg side, we act in similar
way to call into the BPF program whenever a non-NULL msg->msg_name was
passed independent of sk->sk_state being TCP_ESTABLISHED or not. Note
that for TCP case, the msg->msg_name is ignored in the regular recvmsg
path and therefore not relevant.
For the case of ip{,v6}_recv_error() paths, picked up via MSG_ERRQUEUE,
the hook is not called. This is intentional as it aligns with the same
semantics as in case of TCP cgroup BPF hooks right now. This might be
better addressed in future through a different bpf_attach_type such
that this case can be distinguished from the regular recvmsg paths,
for example.
Fixes: 1cedee13d2 ("bpf: Hooks for sys_sendmsg")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Andrey Ignatov <rdna@fb.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Martynas Pumputis <m@lambda.lt>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit da2577fdd0 upstream.
If the leftmost parent node of the tree has does not have a child
on the left side, then trie_get_next_key (and bpftool map dump) will
not look at the child on the right. This leads to the traversal
missing elements.
Lookup is not affected.
Update selftest to handle this case.
Reproducer:
bpftool map create /sys/fs/bpf/lpm type lpm_trie key 6 \
value 1 entries 256 name test_lpm flags 1
bpftool map update pinned /sys/fs/bpf/lpm key 8 0 0 0 0 0 value 1
bpftool map update pinned /sys/fs/bpf/lpm key 16 0 0 0 0 128 value 2
bpftool map dump pinned /sys/fs/bpf/lpm
Returns only 1 element. (2 expected)
Fixes: b471f2f1de ("bpf: implement MAP_GET_NEXT_KEY command for LPM_TRIE")
Signed-off-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit e2f7fc0ac6 ]
Commit 31fd85816d ("bpf: permits narrower load from bpf program
context fields") made the verifier add AND instructions to clear the
unwanted bits with a mask when doing a narrow load. The mask is
computed with
(1 << size * 8) - 1
where "size" is the size of the narrow load. When doing a 4 byte load
of a an 8 byte field the verifier shifts the literal 1 by 32 places to
the left. This results in an overflow of a signed integer, which is an
undefined behavior. Typically, the computed mask was zero, so the
result of the narrow load ended up being zero too.
Cast the literal to long long to avoid overflows. Note that narrow
load of the 4 byte fields does not have the undefined behavior,
because the load size can only be either 1 or 2 bytes, so shifting 1
by 8 or 16 places will not overflow it. And reading 4 bytes would not
be a narrow load of a 4 bytes field.
Fixes: 31fd85816d ("bpf: permits narrower load from bpf program context fields")
Reviewed-by: Alban Crequy <alban@kinvolk.io>
Reviewed-by: Iago López Galeiras <iago@kinvolk.io>
Signed-off-by: Krzesimir Nowak <krzesimir@kinvolk.io>
Cc: Yonghong Song <yhs@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit ede95a63b5 upstream.
Rick reported that the BPF JIT could potentially fill the entire module
space with BPF programs from unprivileged users which would prevent later
attempts to load normal kernel modules or privileged BPF programs, for
example. If JIT was enabled but unsuccessful to generate the image, then
before commit 290af86629 ("bpf: introduce BPF_JIT_ALWAYS_ON config")
we would always fall back to the BPF interpreter. Nowadays in the case
where the CONFIG_BPF_JIT_ALWAYS_ON could be set, then the load will abort
with a failure since the BPF interpreter was compiled out.
Add a global limit and enforce it for unprivileged users such that in case
of BPF interpreter compiled out we fail once the limit has been reached
or we fall back to BPF interpreter earlier w/o using module mem if latter
was compiled in. In a next step, fair share among unprivileged users can
be resolved in particular for the case where we would fail hard once limit
is reached.
Fixes: 290af86629 ("bpf: introduce BPF_JIT_ALWAYS_ON config")
Fixes: 0a14842f5a ("net: filter: Just In Time compiler for x86-64")
Co-Developed-by: Rick Edgecombe <rick.p.edgecombe@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Jann Horn <jannh@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: LKML <linux-kernel@vger.kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Cc: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 50b045a8c0 upstream.
One of the biggest issues we face right now with picking LRU map over
regular hash table is that a map walk out of user space, for example,
to just dump the existing entries or to remove certain ones, will
completely mess up LRU eviction heuristics and wrong entries such
as just created ones will get evicted instead. The reason for this
is that we mark an entry as "in use" via bpf_lru_node_set_ref() from
system call lookup side as well. Thus upon walk, all entries are
being marked, so information of actual least recently used ones
are "lost".
In case of Cilium where it can be used (besides others) as a BPF
based connection tracker, this current behavior causes disruption
upon control plane changes that need to walk the map from user space
to evict certain entries. Discussion result from bpfconf [0] was that
we should simply just remove marking from system call side as no
good use case could be found where it's actually needed there.
Therefore this patch removes marking for regular LRU and per-CPU
flavor. If there ever should be a need in future, the behavior could
be selected via map creation flag, but due to mentioned reason we
avoid this here.
[0] http://vger.kernel.org/bpfconf.html
Fixes: 29ba732acb ("bpf: Add BPF_MAP_TYPE_LRU_HASH")
Fixes: 8f8449384e ("bpf: Add BPF_MAP_TYPE_LRU_PERCPU_HASH")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c6110222c6 upstream.
Add a callback map_lookup_elem_sys_only() that map implementations
could use over map_lookup_elem() from system call side in case the
map implementation needs to handle the latter differently than from
the BPF data path. If map_lookup_elem_sys_only() is set, this will
be preferred pick for map lookups out of user space. This hook is
used in a follow-up fix for LRU map, but once development window
opens, we can convert other map types from map_lookup_elem() (here,
the one called upon BPF_MAP_LOOKUP_ELEM cmd is meant) over to use
the callback to simplify and clean up the latter.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e547ff3f80 upstream.
For iptable module to load a bpf program from a pinned location, it
only retrieve a loaded program and cannot change the program content so
requiring a write permission for it might not be necessary.
Also when adding or removing an unrelated iptable rule, it might need to
flush and reload the xt_bpf related rules as well and triggers the inode
permission check. It might be better to remove the write premission
check for the inode so we won't need to grant write access to all the
processes that flush and restore iptables rules.
Signed-off-by: Chenbo Feng <fengc@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1da6c4d914 ]
syzkaller was able to generate the following UAF in bpf:
BUG: KASAN: use-after-free in lookup_last fs/namei.c:2269 [inline]
BUG: KASAN: use-after-free in path_lookupat.isra.43+0x9f8/0xc00 fs/namei.c:2318
Read of size 1 at addr ffff8801c4865c47 by task syz-executor2/9423
CPU: 0 PID: 9423 Comm: syz-executor2 Not tainted 4.20.0-rc1-next-20181109+
#110
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x244/0x39d lib/dump_stack.c:113
print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
__asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
lookup_last fs/namei.c:2269 [inline]
path_lookupat.isra.43+0x9f8/0xc00 fs/namei.c:2318
filename_lookup+0x26a/0x520 fs/namei.c:2348
user_path_at_empty+0x40/0x50 fs/namei.c:2608
user_path include/linux/namei.h:62 [inline]
do_mount+0x180/0x1ff0 fs/namespace.c:2980
ksys_mount+0x12d/0x140 fs/namespace.c:3258
__do_sys_mount fs/namespace.c:3272 [inline]
__se_sys_mount fs/namespace.c:3269 [inline]
__x64_sys_mount+0xbe/0x150 fs/namespace.c:3269
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x457569
Code: fd b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 cb b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007fde6ed96c78 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
RAX: ffffffffffffffda RBX: 0000000000000005 RCX: 0000000000457569
RDX: 0000000020000040 RSI: 0000000020000000 RDI: 0000000000000000
RBP: 000000000072bf00 R08: 0000000020000340 R09: 0000000000000000
R10: 0000000000200000 R11: 0000000000000246 R12: 00007fde6ed976d4
R13: 00000000004c2c24 R14: 00000000004d4990 R15: 00000000ffffffff
Allocated by task 9424:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
kasan_kmalloc+0xc7/0xe0 mm/kasan/kasan.c:553
__do_kmalloc mm/slab.c:3722 [inline]
__kmalloc_track_caller+0x157/0x760 mm/slab.c:3737
kstrdup+0x39/0x70 mm/util.c:49
bpf_symlink+0x26/0x140 kernel/bpf/inode.c:356
vfs_symlink+0x37a/0x5d0 fs/namei.c:4127
do_symlinkat+0x242/0x2d0 fs/namei.c:4154
__do_sys_symlink fs/namei.c:4173 [inline]
__se_sys_symlink fs/namei.c:4171 [inline]
__x64_sys_symlink+0x59/0x80 fs/namei.c:4171
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 9425:
save_stack+0x43/0xd0 mm/kasan/kasan.c:448
set_track mm/kasan/kasan.c:460 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/kasan.c:521
kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528
__cache_free mm/slab.c:3498 [inline]
kfree+0xcf/0x230 mm/slab.c:3817
bpf_evict_inode+0x11f/0x150 kernel/bpf/inode.c:565
evict+0x4b9/0x980 fs/inode.c:558
iput_final fs/inode.c:1550 [inline]
iput+0x674/0xa90 fs/inode.c:1576
do_unlinkat+0x733/0xa30 fs/namei.c:4069
__do_sys_unlink fs/namei.c:4110 [inline]
__se_sys_unlink fs/namei.c:4108 [inline]
__x64_sys_unlink+0x42/0x50 fs/namei.c:4108
do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x49/0xbe
In this scenario path lookup under RCU is racing with the final
unlink in case of symlinks. As Linus puts it in his analysis:
[...] We actually RCU-delay the inode freeing itself, but
when we do the final iput(), the "evict()" function is called
synchronously. Now, the simple fix would seem to just RCU-delay
the kfree() of the symlink data in bpf_evict_inode(). Maybe
that's the right thing to do. [...]
Al suggested to piggy-back on the ->destroy_inode() callback in
order to implement RCU deferral there which can then kfree() the
inode->i_link eventually right before putting inode back into
inode cache. By reusing free_inode_nonrcu() from there we can
avoid the need for our own inode cache and just reuse generic
one as we currently do.
And in-fact on top of all this we should just get rid of the
bpf_evict_inode() entirely. This means truncate_inode_pages_final()
and clear_inode() will then simply be called by the fs core via
evict(). Dropping the reference should really only be done when
inode is unhashed and nothing reachable anymore, so it's better
also moved into the final ->destroy_inode() callback.
Fixes: 0f98621bef ("bpf, inode: add support for symlinks and fix mtime/ctime")
Reported-by: syzbot+fb731ca573367b7f6564@syzkaller.appspotmail.com
Reported-by: syzbot+a13e5ead792d6df37818@syzkaller.appspotmail.com
Reported-by: syzbot+7a8ba368b47fdefca61e@syzkaller.appspotmail.com
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Analyzed-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Link: https://lore.kernel.org/lkml/0000000000006946d2057bbd0eef@google.com/T/
Signed-off-by: Sasha Levin (Microsoft) <sashal@kernel.org>
commit 0803278b0b upstream.
Syzkaller hit 'KASAN: use-after-free Write in sanitize_ptr_alu' bug.
Call trace:
dump_stack+0xbf/0x12e
print_address_description+0x6a/0x280
kasan_report+0x237/0x360
sanitize_ptr_alu+0x85a/0x8d0
adjust_ptr_min_max_vals+0x8f2/0x1ca0
adjust_reg_min_max_vals+0x8ed/0x22e0
do_check+0x1ca6/0x5d00
bpf_check+0x9ca/0x2570
bpf_prog_load+0xc91/0x1030
__se_sys_bpf+0x61e/0x1f00
do_syscall_64+0xc8/0x550
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fault injection trace:
kfree+0xea/0x290
free_func_state+0x4a/0x60
free_verifier_state+0x61/0xe0
push_stack+0x216/0x2f0 <- inject failslab
sanitize_ptr_alu+0x2b1/0x8d0
adjust_ptr_min_max_vals+0x8f2/0x1ca0
adjust_reg_min_max_vals+0x8ed/0x22e0
do_check+0x1ca6/0x5d00
bpf_check+0x9ca/0x2570
bpf_prog_load+0xc91/0x1030
__se_sys_bpf+0x61e/0x1f00
do_syscall_64+0xc8/0x550
entry_SYSCALL_64_after_hwframe+0x49/0xbe
When kzalloc() fails in push_stack(), free_verifier_state() will free
current verifier state. As push_stack() returns, dst_reg was restored
if ptr_is_dst_reg is false. However, as member of the cur_state,
dst_reg is also freed, and error occurs when dereferencing dst_reg.
Simply fix it by testing ret of push_stack() before restoring dst_reg.
Fixes: 979d63d50c ("bpf: prevent out of bounds speculation on pointer arithmetic")
Signed-off-by: Xu Yu <xuyu@linux.alibaba.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 7c0cdf0b39 ]
trie_delete_elem() was deleting an entry even though it was not matching
if the prefixlen was correct. This patch adds a check on matchlen.
Reproducer:
$ sudo bpftool map create /sys/fs/bpf/mylpm type lpm_trie key 8 value 1 entries 128 name mylpm flags 1
$ sudo bpftool map update pinned /sys/fs/bpf/mylpm key hex 10 00 00 00 aa bb cc dd value hex 01
$ sudo bpftool map dump pinned /sys/fs/bpf/mylpm
key: 10 00 00 00 aa bb cc dd value: 01
Found 1 element
$ sudo bpftool map delete pinned /sys/fs/bpf/mylpm key hex 10 00 00 00 ff ff ff ff
$ echo $?
0
$ sudo bpftool map dump pinned /sys/fs/bpf/mylpm
Found 0 elements
A similar reproducer is added in the selftests.
Without the patch:
$ sudo ./tools/testing/selftests/bpf/test_lpm_map
test_lpm_map: test_lpm_map.c:485: test_lpm_delete: Assertion `bpf_map_delete_elem(map_fd, key) == -1 && errno == ENOENT' failed.
Aborted
With the patch: test_lpm_map runs without errors.
Fixes: e454cf5958 ("bpf: Implement map_delete_elem for BPF_MAP_TYPE_LPM_TRIE")
Cc: Craig Gallek <kraig@google.com>
Signed-off-by: Alban Crequy <alban@kinvolk.io>
Acked-by: Craig Gallek <kraig@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 7c4cd051ad ]
The map_lookup_elem used to not acquiring spinlock
in order to optimize the reader.
It was true until commit 557c0c6e7d ("bpf: convert stackmap to pre-allocation")
The syscall's map_lookup_elem(stackmap) calls bpf_stackmap_copy().
bpf_stackmap_copy() may find the elem no longer needed after the copy is done.
If that is the case, pcpu_freelist_push() saves this elem for reuse later.
This push requires a spinlock.
If a tracing bpf_prog got run in the middle of the syscall's
map_lookup_elem(stackmap) and this tracing bpf_prog is calling
bpf_get_stackid(stackmap) which also requires the same pcpu_freelist's
spinlock, it may end up with a dead lock situation as reported by
Eric Dumazet in https://patchwork.ozlabs.org/patch/1030266/
The situation is the same as the syscall's map_update_elem() which
needs to acquire the pcpu_freelist's spinlock and could race
with tracing bpf_prog. Hence, this patch fixes it by protecting
bpf_stackmap_copy() with this_cpu_inc(bpf_prog_active)
to prevent tracing bpf_prog from running.
A later syscall's map_lookup_elem commit f1a2e44a3a ("bpf: add queue and stack maps")
also acquires a spinlock and races with tracing bpf_prog similarly.
Hence, this patch is forward looking and protects the majority
of the map lookups. bpf_map_offload_lookup_elem() is the exception
since it is for network bpf_prog only (i.e. never called by tracing
bpf_prog).
Fixes: 557c0c6e7d ("bpf: convert stackmap to pre-allocation")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 3612af783c upstream.
Marek reported that he saw an issue with the below snippet in that
timing measurements where off when loaded as unpriv while results
were reasonable when loaded as privileged:
[...]
uint64_t a = bpf_ktime_get_ns();
uint64_t b = bpf_ktime_get_ns();
uint64_t delta = b - a;
if ((int64_t)delta > 0) {
[...]
Turns out there is a bug where a corner case is missing in the fix
d3bd7413e0 ("bpf: fix sanitation of alu op with pointer / scalar
type from different paths"), namely fixup_bpf_calls() only checks
whether aux has a non-zero alu_state, but it also needs to test for
the case of BPF_ALU_NON_POINTER since in both occasions we need to
skip the masking rewrite (as there is nothing to mask).
Fixes: d3bd7413e0 ("bpf: fix sanitation of alu op with pointer / scalar type from different paths")
Reported-by: Marek Majkowski <marek@cloudflare.com>
Reported-by: Arthur Fabre <afabre@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/netdev/CAJPywTJqP34cK20iLM5YmUMz9KXQOdu1-+BZrGMAGgLuBWz7fg@mail.gmail.com/T/
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 4af396ae48 ]
When returning BPF_STACK_BUILD_ID_IP from stack_map_get_build_id_offset,
make sure that build_id field is empty. Since we are using percpu
free list, there is a possibility that we might reuse some previous
bpf_stack_build_id with non-zero build_id.
Fixes: 615755a77b ("bpf: extend stackmap to save binary_build_id+offset instead of address")
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0b698005a9 ]
Build-id length is not fixed to 20, it can be (`man ld` /--build-id):
* 128-bit (uuid)
* 160-bit (sha1)
* any length specified in ld --build-id=0xhexstring
To fix the issue of missing BPF_STACK_BUILD_ID_VALID for shorter build-ids,
assume that build-id is somewhere in the range of 1 .. 20.
Set the remaining bytes to zero.
v2:
* don't introduce new "len = min(BPF_BUILD_ID_SIZE, nhdr->n_descsz)",
we already know that nhdr->n_descsz <= BPF_BUILD_ID_SIZE if we enter
this 'if' condition
Fixes: 615755a77b ("bpf: extend stackmap to save binary_build_id+offset instead of address")
Acked-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit beaf3d1901 ]
As Naresh reported, test_stacktrace_build_id() causes panic on i386 and
arm32 systems. This is caused by page_address() returns NULL in certain
cases.
This patch fixes this error by using kmap_atomic/kunmap_atomic instead
of page_address.
Fixes: 615755a77b (" bpf: extend stackmap to save binary_build_id+offset instead of address")
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: Song Liu <songliubraving@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Greg Kroah-Hartman