- 19 Nov, 2020 4 commits
-
-
Alexei Starovoitov authored
Daniel Xu says: ==================== 6ae08ae3 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers") introduced a subtle bug where bpf_probe_read_user_str() would potentially copy a few extra bytes after the NUL terminator. This issue is particularly nefarious when strings are used as map keys, as seemingly identical strings can occupy multiple entries in a map. This patchset fixes the issue and introduces a selftest to prevent future regressions. v6 -> v7: * Add comments v5 -> v6: * zero-pad up to sizeof(unsigned long) after NUL v4 -> v5: * don't read potentially uninitialized memory v3 -> v4: * directly pass userspace pointer to prog * test more strings of different length v2 -> v3: * set pid filter before attaching prog in selftest * use long instead of int as bpf_probe_read_user_str() retval * style changes v1 -> v2: * add Fixes: tag * add selftest ==================== Signed-off-by: Alexei Starovoitov <ast@kernel.org>
-
Daniel Xu authored
Previously, bpf_probe_read_user_str() could potentially overcopy the trailing bytes after the NUL due to how do_strncpy_from_user() does the copy in long-sized strides. The issue has been fixed in the previous commit. This commit adds a selftest that ensures we don't regress bpf_probe_read_user_str() again. Signed-off-by: Daniel Xu <dxu@dxuuu.xyz> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Song Liu <songliubraving@fb.com> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/4d977508fab4ec5b7b574b85bdf8b398868b6ee9.1605642949.git.dxu@dxuuu.xyz
-
Daniel Xu authored
do_strncpy_from_user() may copy some extra bytes after the NUL terminator into the destination buffer. This usually does not matter for normal string operations. However, when BPF programs key BPF maps with strings, this matters a lot. A BPF program may read strings from user memory by calling the bpf_probe_read_user_str() helper which eventually calls do_strncpy_from_user(). The program can then key a map with the destination buffer. BPF map keys are fixed-width and string-agnostic, meaning that map keys are treated as a set of bytes. The issue is when do_strncpy_from_user() overcopies bytes after the NUL terminator, it can result in seemingly identical strings occupying multiple slots in a BPF map. This behavior is subtle and totally unexpected by the user. This commit masks out the bytes following the NUL while preserving long-sized stride in the fast path. Fixes: 6ae08ae3 ("bpf: Add probe_read_{user, kernel} and probe_read_{user, kernel}_str helpers") Signed-off-by: Daniel Xu <dxu@dxuuu.xyz> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/21efc982b3e9f2f7b0379eed642294caaa0c27a7.1605642949.git.dxu@dxuuu.xyz
-
Jiri Olsa authored
We remove "other info" from "readelf -s --wide" output when parsing GLOBAL_SYM_COUNT variable, which was added in [1]. But we don't do that for VERSIONED_SYM_COUNT and it's failing the check_abi target on powerpc Fedora 33. The extra "other info" wasn't problem for VERSIONED_SYM_COUNT parsing until commit [2] added awk in the pipe, which assumes that the last column is symbol, but it can be "other info". Adding "other info" removal for VERSIONED_SYM_COUNT the same way as we did for GLOBAL_SYM_COUNT parsing. [1] aa915931 ("libbpf: Fix readelf output parsing for Fedora") [2] 746f534a ("tools/libbpf: Avoid counting local symbols in ABI check") Fixes: 746f534a ("tools/libbpf: Avoid counting local symbols in ABI check") Signed-off-by: Jiri Olsa <jolsa@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20201118211350.1493421-1-jolsa@kernel.org
-
- 17 Nov, 2020 6 commits
-
-
John Fastabend authored
When skb has a frag_list its possible for skb_to_sgvec() to fail. This happens when the scatterlist has fewer elements to store pages than would be needed for the initial skb plus any of its frags. This case appears rare, but is possible when running an RX parser/verdict programs exposed to the internet. Currently, when this happens we throw an error, break the pipe, and kfree the msg. This effectively breaks the application or forces it to do a retry. Lets catch this case and handle it by doing an skb_linearize() on any skb we receive with frags. At this point skb_to_sgvec should not fail because the failing conditions would require frags to be in place. Fixes: 604326b4 ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://lore.kernel.org/bpf/160556576837.73229.14800682790808797635.stgit@john-XPS-13-9370
-
John Fastabend authored
If the skb_verdict_prog redirects an skb knowingly to itself, fix your BPF program this is not optimal and an abuse of the API please use SK_PASS. That said there may be cases, such as socket load balancing, where picking the socket is hashed based or otherwise picks the same socket it was received on in some rare cases. If this happens we don't want to confuse userspace giving them an EAGAIN error if we can avoid it. To avoid double accounting in these cases. At the moment even if the skb has already been charged against the sockets rcvbuf and forward alloc we check it again and do set_owner_r() causing it to be orphaned and recharged. For one this is useless work, but more importantly we can have a case where the skb could be put on the ingress queue, but because we are under memory pressure we return EAGAIN. The trouble here is the skb has already been accounted for so any rcvbuf checks include the memory associated with the packet already. This rolls up and can result in unnecessary EAGAIN errors in userspace read() calls. Fix by doing an unlikely check and skipping checks if skb->sk == sk. Fixes: 51199405 ("bpf: skb_verdict, support SK_PASS on RX BPF path") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://lore.kernel.org/bpf/160556574804.73229.11328201020039674147.stgit@john-XPS-13-9370
-
John Fastabend authored
If a socket redirects to itself and it is under memory pressure it is possible to get a socket stuck so that recv() returns EAGAIN and the socket can not advance for some time. This happens because when redirecting a skb to the same socket we received the skb on we first check if it is OK to enqueue the skb on the receiving socket by checking memory limits. But, if the skb is itself the object holding the memory needed to enqueue the skb we will keep retrying from kernel side and always fail with EAGAIN. Then userspace will get a recv() EAGAIN error if there are no skbs in the psock ingress queue. This will continue until either some skbs get kfree'd causing the memory pressure to reduce far enough that we can enqueue the pending packet or the socket is destroyed. In some cases its possible to get a socket stuck for a noticeable amount of time if the socket is only receiving skbs from sk_skb verdict programs. To reproduce I make the socket memory limits ridiculously low so sockets are always under memory pressure. More often though if under memory pressure it looks like a spurious EAGAIN error on user space side causing userspace to retry and typically enough has moved on the memory side that it works. To fix skip memory checks and skb_orphan if receiving on the same sock as already assigned. For SK_PASS cases this is easy, its always the same socket so we can just omit the orphan/set_owner pair. For backlog cases we need to check skb->sk and decide if the orphan and set_owner pair are needed. Fixes: 51199405 ("bpf: skb_verdict, support SK_PASS on RX BPF path") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://lore.kernel.org/bpf/160556572660.73229.12566203819812939627.stgit@john-XPS-13-9370
-
John Fastabend authored
We use skb->size with sk_rmem_scheduled() which is not correct. Instead use truesize to align with socket and tcp stack usage of sk_rmem_schedule. Suggested-by: Daniel Borkman <daniel@iogearbox.net> Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://lore.kernel.org/bpf/160556570616.73229.17003722112077507863.stgit@john-XPS-13-9370
-
John Fastabend authored
Fix sockmap sk_skb programs so that they observe sk_rcvbuf limits. This allows users to tune SO_RCVBUF and sockmap will honor them. We can refactor the if(charge) case out in later patches. But, keep this fix to the point. Fixes: 51199405 ("bpf: skb_verdict, support SK_PASS on RX BPF path") Suggested-by: Jakub Sitnicki <jakub@cloudflare.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://lore.kernel.org/bpf/160556568657.73229.8404601585878439060.stgit@john-XPS-13-9370
-
John Fastabend authored
If copy_page_to_iter() fails or even partially completes, but with fewer bytes copied than expected we currently reset sg.start and return EFAULT. This proves problematic if we already copied data into the user buffer before we return an error. Because we leave the copied data in the user buffer and fail to unwind the scatterlist so kernel side believes data has been copied and user side believes data has _not_ been received. Expected behavior should be to return number of bytes copied and then on the next read we need to return the error assuming its still there. This can happen if we have a copy length spanning multiple scatterlist elements and one or more complete before the error is hit. The error is rare enough though that my normal testing with server side programs, such as nginx, httpd, envoy, etc., I have never seen this. The only reliable way to reproduce that I've found is to stream movies over my browser for a day or so and wait for it to hang. Not very scientific, but with a few extra WARN_ON()s in the code the bug was obvious. When we review the errors from copy_page_to_iter() it seems we are hitting a page fault from copy_page_to_iter_iovec() where the code checks fault_in_pages_writeable(buf, copy) where buf is the user buffer. It also seems typical server applications don't hit this case. The other way to try and reproduce this is run the sockmap selftest tool test_sockmap with data verification enabled, but it doesn't reproduce the fault. Perhaps we can trigger this case artificially somehow from the test tools. I haven't sorted out a way to do that yet though. Fixes: 604326b4 ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com> Link: https://lore.kernel.org/bpf/160556566659.73229.15694973114605301063.stgit@john-XPS-13-9370
-
- 16 Nov, 2020 1 commit
-
-
Wang Hai authored
Fix to return a negative error code from the error handling case instead of 0, as done elsewhere in this function. Fixes: 65b4414a ("selftests/bpf: add sockopt test that exercises BPF_F_ALLOW_MULTI") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Wang Hai <wanghai38@huawei.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20201116101633.64627-1-wanghai38@huawei.com
-
- 14 Nov, 2020 1 commit
-
-
Dmitrii Banshchikov authored
Currently verifier enforces return code checks for subprograms in the same manner as it does for program entry points. This prevents returning arbitrary scalar values from subprograms. Scalar type of returned values is checked by btf_prepare_func_args() and hence it should be safe to allow only scalars for now. Relax return code checks for subprograms and allow any correct scalar values. Fixes: 51c39bb1 (bpf: Introduce function-by-function verification) Signed-off-by: Dmitrii Banshchikov <me@ubique.spb.ru> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20201113171756.90594-1-me@ubique.spb.ru
-
- 13 Nov, 2020 1 commit
-
-
Wang Hai authored
progfd is created by prog_parse_fd() in do_attach() and before the latter returns in case of success, the file descriptor should be closed. Fixes: 04949ccc ("tools: bpftool: add net attach command to attach XDP on interface") Signed-off-by: Wang Hai <wanghai38@huawei.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Link: https://lore.kernel.org/bpf/20201113115152.53178-1-wanghai38@huawei.com
-
- 12 Nov, 2020 2 commits
-
-
Alexei Starovoitov authored
Andrii has been a de-facto maintainer for libbpf and other components. Update maintainers entry to acknowledge his work de-jure. The folks with git write permissions will continue to follow the rule of not applying their own patches unless absolutely trivial. Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20201112180340.45265-1-alexei.starovoitov@gmail.com
-
Andrii Nakryiko authored
Correct attribute name is "unused". maybe_unused is a C++17 addition. This patch fixes compilation warning during selftests compilation. Fixes: 197afc63 ("libbpf: Don't attempt to load unused subprog as an entry-point BPF program") Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20201111231215.1779147-1-andrii@kernel.org
-
- 11 Nov, 2020 1 commit
-
-
Kaixu Xia authored
The unsigned variable datasec_id is assigned a return value from the call to check_pseudo_btf_id(), which may return negative error code. This fixes the following coccicheck warning: ./kernel/bpf/verifier.c:9616:5-15: WARNING: Unsigned expression compared with zero: datasec_id > 0 Fixes: eaa6bcb7 ("bpf: Introduce bpf_per_cpu_ptr()") Reported-by: Tosk Robot <tencent_os_robot@tencent.com> Signed-off-by: Kaixu Xia <kaixuxia@tencent.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Andrii Nakryiko <andrii@kernel.org> Acked-by: John Fastabend <john.fastabend@gmail.com> Cc: Hao Luo <haoluo@google.com> Link: https://lore.kernel.org/bpf/1605071026-25906-1-git-send-email-kaixuxia@tencent.com
-
- 09 Nov, 2020 2 commits
-
-
Wang Qing authored
There is a bug when passing zero to PTR_ERR() and return. Fix the smatch error. Fixes: c4d0bfb4 ("bpf: Add bpf_snprintf_btf helper") Signed-off-by: Wang Qing <wangqing@vivo.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yhs@fb.com> Acked-by: John Fastabend <john.fastabend@gmail.com> Link: https://lore.kernel.org/bpf/1604735144-686-1-git-send-email-wangqing@vivo.com
-
Andrii Nakryiko authored
If BPF code contains unused BPF subprogram and there are no other subprogram calls (which can realistically happen in real-world applications given sufficiently smart Clang code optimizations), libbpf will erroneously assume that subprograms are entry-point programs and will attempt to load them with UNSPEC program type. Fix by not relying on subcall instructions and rather detect it based on the structure of BPF object's sections. Fixes: 9a94f277 ("tools: libbpf: restore the ability to load programs from .text section") Reported-by: Dmitrii Banshchikov <dbanschikov@fb.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20201107000251.256821-1-andrii@kernel.org
-
- 07 Nov, 2020 5 commits
-
-
Vadym Kochan authored
With CONFIG_BRIDGE=m the compilation fails: ld: drivers/net/ethernet/marvell/prestera/prestera_switchdev.o: in function `prestera_bridge_port_event': prestera_switchdev.c:(.text+0x2ebd): undefined reference to `br_vlan_enabled' in case the driver is statically enabled. Fix it by adding 'BRIDGE || BRIDGE=n' dependency. Fixes: e1189d9a ("net: marvell: prestera: Add Switchdev driver implementation") Reported-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Vadym Kochan <vadym.kochan@plvision.eu> Acked-by: Randy Dunlap <rdunlap@infradead.org> # build-tested Link: https://lore.kernel.org/r/20201106161128.24069-1-vadym.kochan@plvision.euSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linuxJakub Kicinski authored
Saeed Mahameed says: ==================== mlx5 fixes 2020-11-03 v1->v2: - Fix fixes line tag in patch #1 - Toss ktls refcount leak fix, Maxim will look further into the root cause. - Toss eswitch chain 0 prio patch, until we determine if it is needed for -rc and net. * tag 'mlx5-fixes-2020-11-03' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux: net/mlx5e: Fix incorrect access of RCU-protected xdp_prog net/mlx5e: Fix VXLAN synchronization after function reload net/mlx5: E-switch, Avoid extack error log for disabled vport net/mlx5: Fix deletion of duplicate rules net/mlx5e: Use spin_lock_bh for async_icosq_lock net/mlx5e: Protect encap route dev from concurrent release net/mlx5e: Fix modify header actions memory leak ==================== Link: https://lore.kernel.org/r/20201105202129.23644-1-saeedm@nvidia.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Heiner Kallweit authored
RTL8125B has same or similar short packet hw padding bug as RTL8168evl. The main workaround has been extended accordingly, however we have to disable also hw checksumming for short packets on affected new chip versions. Instead of checking for an affected chip version let's simply disable hw checksumming for short packets in general. v2: - remove the version checks and disable short packet hw csum in general - reflect this in commit title and message Fixes: 0439297b ("r8169: add support for RTL8125B") Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Link: https://lore.kernel.org/r/7fbb35f0-e244-ef65-aa55-3872d7d38698@gmail.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
Heiner Kallweit authored
The caller of rtl8169_tso_csum_v2() frees the skb if false is returned. eth_skb_pad() internally frees the skb on error what would result in a double free. Therefore use __skb_put_padto() directly and instruct it to not free the skb on error. Fixes: b423e9ae ("r8169: fix offloaded tx checksum for small packets.") Reported-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com> Link: https://lore.kernel.org/r/f7e68191-acff-9ded-4263-c016428a8762@gmail.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpfJakub Kicinski authored
Alexei Starovoitov says: ==================== pull-request: bpf 2020-11-06 1) Pre-allocated per-cpu hashmap needs to zero-fill reused element, from David. 2) Tighten bpf_lsm function check, from KP. 3) Fix bpftool attaching to flow dissector, from Lorenz. 4) Use -fno-gcse for the whole kernel/bpf/core.c instead of function attribute, from Ard. * git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf: bpf: Update verification logic for LSM programs bpf: Zero-fill re-used per-cpu map element bpf: BPF_PRELOAD depends on BPF_SYSCALL tools/bpftool: Fix attaching flow dissector libbpf: Fix possible use after free in xsk_socket__delete libbpf: Fix null dereference in xsk_socket__delete libbpf, hashmap: Fix undefined behavior in hash_bits bpf: Don't rely on GCC __attribute__((optimize)) to disable GCSE tools, bpftool: Remove two unused variables. tools, bpftool: Avoid array index warnings. xsk: Fix possible memory leak at socket close bpf: Add struct bpf_redir_neigh forward declaration to BPF helper defs samples/bpf: Set rlimit for memlock to infinity in all samples bpf: Fix -Wshadow warnings selftest/bpf: Fix profiler test using CO-RE relocation for enums ==================== Link: https://lore.kernel.org/r/20201106221759.24143-1-alexei.starovoitov@gmail.comSigned-off-by: Jakub Kicinski <kuba@kernel.org>
-
- 06 Nov, 2020 17 commits
-
-
KP Singh authored
The current logic checks if the name of the BTF type passed in attach_btf_id starts with "bpf_lsm_", this is not sufficient as it also allows attachment to non-LSM hooks like the very function that performs this check, i.e. bpf_lsm_verify_prog. In order to ensure that this verification logic allows attachment to only LSM hooks, the LSM_HOOK definitions in lsm_hook_defs.h are used to generate a BTF_ID set. Upon verification, the attach_btf_id of the program being attached is checked for presence in this set. Fixes: 9e4e01df ("bpf: lsm: Implement attach, detach and execution") Signed-off-by: KP Singh <kpsingh@google.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/20201105230651.2621917-1-kpsingh@chromium.org
-
git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linuxLinus Torvalds authored
Pull mtd fixes from Miquel Raynal. * 'mtd/fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux: mtd: rawnand: stm32_fmc2: fix broken ECC mtd: spi-nor: Fix address width on flash chips > 16MB mtd: spi-nor: Don't copy self-pointing struct around mtd: rawnand: ifc: Move the ECC engine initialization to the right place mtd: rawnand: mxc: Move the ECC engine initialization to the right place
-
git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spiLinus Torvalds authored
Pull spi fix from Mark Brown: "This is an additional fix on top of 5e31ba0c ('spi: bcm2835: fix gpio cs level inversion') - when sending my prior pull request I had misremembred the status of that patch, apologies for the noise here" * tag 'spi-fix-v5.10-rc2-2' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi: spi: bcm2835: remove use of uninitialized gpio flags variable
-
git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/soundLinus Torvalds authored
Pull sound fixes from Takashi Iwai: "Quite a bunch of small fixes that have been gathered since the last pull, including changes like below: - HD-audio runtime PM fixes and refactoring - HD-audio and USB-audio quirks - SOF warning fix - Various ASoC device-specific fixes for Intel, Qualcomm, etc" * tag 'sound-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (26 commits) ALSA: usb-audio: Add implicit feedback quirk for Qu-16 ASoC: mchp-spdiftx: Do not set Validity bit(s) ALSA: usb-audio: Add implicit feedback quirk for MODX ALSA: usb-audio: add usb vendor id as DSD-capable for Khadas devices ALSA: hda/realtek - Enable headphone for ASUS TM420 ALSA: hda: prevent undefined shift in snd_hdac_ext_bus_get_link() ASoC: qcom: lpass-cpu: Fix clock disable failure ASoC: qcom: lpass-sc7180: Fix MI2S bitwidth field bit positions ASoC: codecs: wcd9335: Set digital gain range correctly ASoC: codecs: wcd934x: Set digital gain range correctly ALSA: hda: Reinstate runtime_allow() for all hda controllers ALSA: hda: Separate runtime and system suspend ALSA: hda: Refactor codec PM to use direct-complete optimization ALSA: hda/realtek - Fixed HP headset Mic can't be detected ALSA: usb-audio: Add implicit feedback quirk for Zoom UAC-2 ALSA: make snd_kcontrol_new name a normal string ALSA: fix kernel-doc markups ASoC: SOF: loader: handle all SOF_IPC_EXT types ASoC: cs42l51: manage mclk shutdown delay ASoC: qcom: sdm845: set driver name correctly ...
-
git://anongit.freedesktop.org/drm/drmLinus Torvalds authored
Pull drm fixes from Dave Airlie: "It's Friday here so that means another installment of drm fixes to distract you from the counting process. Changes all over the place, the amdgpu changes contain support for a new GPU that is close to current one already in the tree (Green Sardine) so it shouldn't have much side effects. Otherwise imx has a few cleanup patches and fixes, amdgpu and i915 have around the usual smattering of fixes, fonts got constified, and vc4/panfrost has some minor fixes. All in all a fairly regular rc3. We have an outstanding nouveau regression, but the author is looking into the fix, so should be here next week. I now return you to counting. fonts: - constify font structures. MAINTAINERS: - Fix path for amdgpu power management amdgpu: - Add support for more navi1x SKUs - Fix for suspend on CI dGPUs - VCN DPG fix for Picasso - Sienna Cichlid fixes - Polaris DPM fix - Add support for Green Sardine amdkfd: - Fix an allocation failure check i915: - Fix set domain's cache coherency - Fixes around breadcrumbs - Fix encoder lookup during PSR atomic - Hold onto an explicit ref to i915_vma_work.pinned - gvt: HWSP reset handling fix - gvt: flush workaround - gvt: vGPU context pin/unpin - gvt: mmio cmd access fix for bxt/apl imx: - drop unused functions and callbacks - reuse imx_drm_encoder_parse_of - spinlock rework - memory leak fix - minor cleanups vc4: - resource cleanup fix panfrost: - madvise/shrinker fix" * tag 'drm-fixes-2020-11-06-1' of git://anongit.freedesktop.org/drm/drm: (55 commits) drm/amdgpu/display: remove DRM_AMD_DC_GREEN_SARDINE drm/amd/display: Add green_sardine support to DM drm/amd/display: Add green_sardine support to DC drm/amdgpu: enable vcn support for green_sardine (v2) drm/amdgpu: enable green_sardine_asd.bin loading (v2) drm/amdgpu/sdma: add sdma engine support for green_sardine (v2) drm/amdgpu: add gfx support for green_sardine (v2) drm/amdgpu: add soc15 common ip block support for green_sardine (v3) drm/amdgpu: add green_sardine support for gpu_info and ip block setting (v2) drm/amdgpu: add Green_Sardine APU flag drm/amdgpu: resolved ASD loading issue on sienna amdkfd: Check kvmalloc return before memcpy drm/amdgpu: update golden setting for sienna_cichlid amd/amdgpu: Disable VCN DPG mode for Picasso drm/amdgpu/swsmu: remove duplicate call to smu_set_default_dpm_table drm/i915: Hold onto an explicit ref to i915_vma_work.pinned drm/i915/gt: Flush xcs before tgl breadcrumbs drm/i915/gt: Expose more parameters for emitting writes into the ring drm/i915: Fix encoder lookup during PSR atomic check drm/i915/gt: Use the local HWSP offset during submission ...
-
Linus Torvalds authored
Merge tag 'tpmdd-next-v5.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd Pull tpm fixes from Jarkko Sakkinen: "Two critical tpm driver bug fixes" * tag 'tpmdd-next-v5.10-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/jarkko/linux-tpmdd: tpm: efi: Don't create binary_bios_measurements file for an empty log tpm_tis: Disable interrupts on ThinkPad T490s
-
git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommuLinus Torvalds authored
Pull iommu fixes from Joerg Roedel: - Fix a NULL-ptr dereference in the Intel VT-d driver - Two fixes for Intel SVM support - Increase IRQ remapping table size in the AMD IOMMU driver. The old number of 128 turned out to be too low for some recent devices. - Fix a mask check in generic IOMMU code * tag 'iommu-fixes-v5.10-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: iommu: Fix a check in iommu_check_bind_data() iommu/vt-d: Fix a bug for PDP check in prq_event_thread iommu/vt-d: Fix sid not set issue in intel_svm_bind_gpasid() iommu/vt-d: Fix kernel NULL pointer dereference in find_domain() iommu/amd: Increase interrupt remapping table limit to 512 entries
-
git://github.com/awilliam/linux-vfioLinus Torvalds authored
Pull VFIO fixes from Alex Williamson: - Remove code by using existing helper (Zenghui Yu) - fsl-mc copy-user return and underflow fixes (Dan Carpenter) - fsl-mc static function declaration (Diana Craciun) - Fix ioeventfd sleeping under spinlock (Alex Williamson) - Fix pm reference count leak in vfio-platform (Zhang Qilong) - Allow opening IGD device w/o OpRegion support (Fred Gao) * tag 'vfio-v5.10-rc3' of git://github.com/awilliam/linux-vfio: vfio/pci: Bypass IGD init in case of -ENODEV vfio: platform: fix reference leak in vfio_platform_open vfio/pci: Implement ioeventfd thread handler for contended memory lock vfio/fsl-mc: Make vfio_fsl_mc_irqs_allocate static vfio/fsl-mc: prevent underflow in vfio_fsl_mc_mmap() vfio/fsl-mc: return -EFAULT if copy_to_user() fails vfio/type1: Use the new helper to find vfio_group
-
git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linuxLinus Torvalds authored
Pull arm64 fixes from Will Deacon: "Here's the weekly batch of fixes for arm64. Not an awful lot here, but there are still a few unresolved issues relating to CPU hotplug, RCU and IRQ tracing that I hope to queue fixes for next week. Summary: - Fix early use of kprobes - Fix kernel placement in kexec_file_load() - Bump maximum number of NUMA nodes" * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux: arm64: kexec_file: try more regions if loading segments fails arm64: kprobes: Use BRK instead of single-step when executing instructions out-of-line arm64: NUMA: Kconfig: Increase NODES_SHIFT to 4
-
git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arcLinus Torvalds authored
Pull ARC fixes from Vineet Gupta: - Unbork HSDKv1 platform (won't boot) due to memory map issue - Prevent stack unwinder from infinite looping * tag 'arc-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc: ARC: [plat-hsdk] Remap CCMs super early in asm boot trampoline ARC: stack unwinding: avoid indefinite looping
-
git://git.kernel.org/pub/scm/linux/kernel/git/s390/linuxLinus Torvalds authored
Pull s390 fixes from Heiko Carstens: - fix reference counting for ap devices - fix paes selftest - fix pmd_deref()/pud_deref() so they can also handle large pages - remove unused vdso file and defines - update defconfigs - call rcu_cpu_starting() early in smp init code to avoid lockdep warnings - fix hotplug of PCI function missing bus * tag 's390-5.10-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux: s390/pci: fix hot-plug of PCI function missing bus s390/smp: move rcu_cpu_starting() earlier s390/pkey: fix paes selftest failure with paes and pkey static build s390: update defconfigs s390/vdso: remove unused constants s390/vdso: remove empty unused file s390/mm: make pmd/pud_deref() large page aware s390/ap: fix ap devices reference counting
-
git://git.kernel.org/pub/scm/linux/kernel/git/netdev/netLinus Torvalds authored
Pull networking fixes from Jakub Kicinski: "Networking fixes for 5.10-rc3, including fixes from wireless, can, and netfilter subtrees. Current merge window - bugs in new features: - can: isotp: isotp_rcv_cf(): enable RX timeout handling in listen-only mode Previous releases - regressions: - mac80211: - don't require VHT elements for HE on 2.4 GHz - fix regression where EAPOL frames were sent in plaintext - netfilter: - ipset: Update byte and packet counters regardless of whether they match - ip_tunnel: fix over-mtu packet send by allowing fragmenting even if inner packet has IP_DF (don't fragment) set in its header (when TUNNEL_DONT_FRAGMENT flag is not set on the tunnel dev) - net: fec: fix MDIO probing for some FEC hardware blocks - ip6_tunnel: set inner ipproto before ip6_tnl_encap to un-break gso support - sctp: Fix COMM_LOST/CANT_STR_ASSOC err reporting on big-endian platforms, sparse-related fix used the wrong integer size Previous releases - always broken: - netfilter: use actual socket sk rather than skb sk when routing harder - r8169: work around short packet hw bug on RTL8125 by padding frames - net: ethernet: ti: cpsw: disable PTPv1 hw timestamping advertisement, the hardware does not support it - chelsio/chtls: fix always leaking ctrl_skb and another leak caused by a race condition - fix drivers incorrectly writing into skbs on TX: - cadence: force nonlinear buffers to be cloned - gianfar: Account for Tx PTP timestamp in the skb headroom - gianfar: Replace skb_realloc_headroom with skb_cow_head for PTP - can: flexcan: - remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A - add ECC initialization for VF610 and LX2160A - flexcan_remove(): disable wakeup completely - can: fix packet echo functionality: - peak_canfd: fix echo management when loopback is on - make sure skbs are not freed in IRQ context in case they need to be dropped - always clone the skbs to make sure they have a reference on the socket, and prevent it from disappearing - fix real payload length return value for RTR frames - can: j1939: return failure on bind if netdev is down, rather than waiting indefinitely Misc: - IPv6: reply ICMP error if the first fragment don't include all headers to improve compliance with RFC 8200" * tag 'net-5.10-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (66 commits) ionic: check port ptr before use r8169: work around short packet hw bug on RTL8125 net: openvswitch: silence suspicious RCU usage warning chelsio/chtls: fix always leaking ctrl_skb chelsio/chtls: fix memory leaks caused by a race can: flexcan: flexcan_remove(): disable wakeup completely can: flexcan: add ECC initialization for VF610 can: flexcan: add ECC initialization for LX2160A can: flexcan: remove FLEXCAN_QUIRK_DISABLE_MECR quirk for LS1021A can: mcp251xfd: remove unneeded break can: mcp251xfd: mcp251xfd_regmap_nocrc_read(): fix semicolon.cocci warnings can: mcp251xfd: mcp251xfd_regmap_crc_read(): increase severity of CRC read error messages can: peak_canfd: pucan_handle_can_rx(): fix echo management when loopback is on can: peak_usb: peak_usb_get_ts_time(): fix timestamp wrapping can: peak_usb: add range checking in decode operations can: xilinx_can: handle failure cases of pm_runtime_get_sync can: ti_hecc: ti_hecc_probe(): add missed clk_disable_unprepare() in error path can: isotp: padlen(): make const array static, makes object smaller can: isotp: isotp_rcv_cf(): enable RX timeout handling in listen-only mode can: isotp: Explain PDU in CAN_ISOTP help text ...
-
Tyler Hicks authored
Mimic the pre-existing ACPI and Device Tree event log behavior by not creating the binary_bios_measurements file when the EFI TPM event log is empty. This fixes the following NULL pointer dereference that can occur when reading /sys/kernel/security/tpm0/binary_bios_measurements after the kernel received an empty event log from the firmware: BUG: kernel NULL pointer dereference, address: 000000000000002c #PF: supervisor read access in kernel mode #PF: error_code(0x0000) - not-present page PGD 0 P4D 0 Oops: 0000 [#1] SMP PTI CPU: 2 PID: 3932 Comm: fwupdtpmevlog Not tainted 5.9.0-00003-g629990edad62 #17 Hardware name: LENOVO 20LCS03L00/20LCS03L00, BIOS N27ET38W (1.24 ) 11/28/2019 RIP: 0010:tpm2_bios_measurements_start+0x3a/0x550 Code: 54 53 48 83 ec 68 48 8b 57 70 48 8b 1e 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 48 8b 82 c0 06 00 00 48 8b 8a c8 06 00 00 <44> 8b 60 1c 48 89 4d a0 4c 89 e2 49 83 c4 20 48 83 fb 00 75 2a 49 RSP: 0018:ffffa9c901203db0 EFLAGS: 00010246 RAX: 0000000000000010 RBX: 0000000000000000 RCX: 0000000000000010 RDX: ffff8ba1eb99c000 RSI: ffff8ba1e4ce8280 RDI: ffff8ba1e4ce8258 RBP: ffffa9c901203e40 R08: ffffa9c901203dd8 R09: ffff8ba1ec443300 R10: ffffa9c901203e50 R11: 0000000000000000 R12: ffff8ba1e4ce8280 R13: ffffa9c901203ef0 R14: ffffa9c901203ef0 R15: ffff8ba1e4ce8258 FS: 00007f6595460880(0000) GS:ffff8ba1ef880000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000000000002c CR3: 00000007d8d18003 CR4: 00000000003706e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ? __kmalloc_node+0x113/0x320 ? kvmalloc_node+0x31/0x80 seq_read+0x94/0x420 vfs_read+0xa7/0x190 ksys_read+0xa7/0xe0 __x64_sys_read+0x1a/0x20 do_syscall_64+0x37/0x80 entry_SYSCALL_64_after_hwframe+0x44/0xa9 In this situation, the bios_event_log pointer in the tpm_bios_log struct was not NULL but was equal to the ZERO_SIZE_PTR (0x10) value. This was due to the following kmemdup() in tpm_read_log_efi(): int tpm_read_log_efi(struct tpm_chip *chip) { ... /* malloc EventLog space */ log->bios_event_log = kmemdup(log_tbl->log, log_size, GFP_KERNEL); if (!log->bios_event_log) { ret = -ENOMEM; goto out; } ... } When log_size is zero, due to an empty event log from firmware, ZERO_SIZE_PTR is returned from kmemdup(). Upon a read of the binary_bios_measurements file, the tpm2_bios_measurements_start() function does not perform a ZERO_OR_NULL_PTR() check on the bios_event_log pointer before dereferencing it. Rather than add a ZERO_OR_NULL_PTR() check in functions that make use of the bios_event_log pointer, simply avoid creating the binary_bios_measurements_file as is done in other event log retrieval backends. Explicitly ignore all of the events in the final event log when the main event log is empty. The list of events in the final event log cannot be accurately parsed without referring to the first event in the main event log (the event log header) so the final event log is useless in such a situation. Fixes: 58cc1e4f ("tpm: parse TPM event logs based on EFI table") Link: https://lore.kernel.org/linux-integrity/E1FDCCCB-CA51-4AEE-AC83-9CDE995EAE52@canonical.com/Reported-by: Kai-Heng Feng <kai.heng.feng@canonical.com> Reported-by: Kenneth R. Crudup <kenny@panix.com> Reported-by: Mimi Zohar <zohar@linux.ibm.com> Cc: Thiébaud Weksteen <tweek@google.com> Cc: Ard Biesheuvel <ardb@kernel.org> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
-
Jerry Snitselaar authored
There is a misconfiguration in the bios of the gpio pin used for the interrupt in the T490s. When interrupts are enabled in the tpm_tis driver code this results in an interrupt storm. This was initially reported when we attempted to enable the interrupt code in the tpm_tis driver, which previously wasn't setting a flag to enable it. Due to the reports of the interrupt storm that code was reverted and we went back to polling instead of using interrupts. Now that we know the T490s problem is a firmware issue, add code to check if the system is a T490s and disable interrupts if that is the case. This will allow us to enable interrupts for everyone else. If the user has a fixed bios they can force the enabling of interrupts with tpm_tis.interrupts=1 on the kernel command line. Cc: Peter Huewe <peterhuewe@gmx.de> Cc: Jason Gunthorpe <jgg@ziepe.ca> Cc: Hans de Goede <hdegoede@redhat.com> Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com> Reviewed-by: James Bottomley <James.Bottomley@HansenPartnership.com> Reviewed-by: Hans de Goede <hdegoede@redhat.com> Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org> Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
-
Martin Hundebøll authored
Removing the duplicate gpio chip select level handling in bcm2835_spi_setup() left the lflags variable uninitialized. Avoid trhe use of such variable by passing default flags to gpiochip_request_own_desc(). Fixes: 5e31ba0c ("spi: bcm2835: fix gpio cs level inversion") Signed-off-by: Martin Hundebøll <martin@geanix.com> Link: https://lore.kernel.org/r/20201105090615.620315-1-martin@geanix.comSigned-off-by: Mark Brown <broonie@kernel.org>
-
David Verbeiren authored
Zero-fill element values for all other cpus than current, just as when not using prealloc. This is the only way the bpf program can ensure known initial values for all cpus ('onallcpus' cannot be set when coming from the bpf program). The scenario is: bpf program inserts some elements in a per-cpu map, then deletes some (or userspace does). When later adding new elements using bpf_map_update_elem(), the bpf program can only set the value of the new elements for the current cpu. When prealloc is enabled, previously deleted elements are re-used. Without the fix, values for other cpus remain whatever they were when the re-used entry was previously freed. A selftest is added to validate correct operation in above scenario as well as in case of LRU per-cpu map element re-use. Fixes: 6c905981 ("bpf: pre-allocate hash map elements") Signed-off-by: David Verbeiren <david.verbeiren@tessares.net> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Matthieu Baerts <matthieu.baerts@tessares.net> Acked-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20201104112332.15191-1-david.verbeiren@tessares.net
-
git://anongit.freedesktop.org/drm/drm-miscDave Airlie authored
Some patches for vc4 to fix some resources cleanup issues, two fixes for panfrost for madvise and the shrinker and a constification of fonts structure Signed-off-by: Dave Airlie <airlied@redhat.com> From: Maxime Ripard <maxime@cerno.tech> Link: https://patchwork.freedesktop.org/patch/msgid/20201105101354.socyu26jwyns7lfj@gilmour.lan
-