1. 19 Oct, 2022 5 commits
  2. 18 Oct, 2022 7 commits
  3. 13 Oct, 2022 28 commits
    • selftests/bpf: Use sys_pidfd_open() helper when possible · 62c69e89
      Hou Tao authored
      SYS_pidfd_open may be undefined for old glibc, so using sys_pidfd_open()
      helper defined in task_local_storage_helpers.h instead to fix potential
      build failure.
      
      And according to commit 7615d9e1 ("arch: wire-up pidfd_open()"), the
      syscall number of pidfd_open is always 434 except for the alpha architecture,
      so update the definition of __NR_pidfd_open accordingly.
      Signed-off-by: Hou Tao <houtao1@huawei.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/bpf/20221011071249.3471760-1-houtao@huaweicloud.com
    • Merge branch 'libbpf: fix fuzzer-reported issues' · e94e0a2d
      Andrii Nakryiko authored
      Shung-Hsi Yu says:
      
      ====================
      
      Hi, this patch set fixes several fuzzer-reported issues of libbpf when
      dealing with (malformed) BPF object file:
      
      - patch #1 fix out-of-bound heap write reported by oss-fuzz (currently
        incorrectly marked as fixed)
      
      - patch #2 and #3 fix null-pointer dereference found by locally-run
        fuzzer.
      
      v2:
      - Rebase to bpf-next
      - Move elf_getshdrnum() closer to where its result is used in patch #1, as
        suggested by Andrii
        - Touch up the comment in bpf_object__elf_collect(), replacing mention of
          e_shnum with elf_getshdrnum()
      - Minor wording change in commit message of patch #1 for better readability
      - Remove extra note that comes after commit message in patch #1
      
      v1: https://lore.kernel.org/bpf/20221007174816.17536-1-shung-hsi.yu@suse.com/
      ====================
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    • Merge branch 'Fix bugs found by ASAN when running selftests' · 6e73e683
      Andrii Nakryiko authored
      Xu Kuohai says:
      
      ====================
      
      From: Xu Kuohai <xukuohai@huawei.com>
      
      This series fixes bugs found by ASAN when running bpf selftests on arm64.
      
      v4:
      - Address Andrii's suggestions
      
      v3: https://lore.kernel.org/bpf/5311e154-c2d4-91a5-ccb8-f5adede579ed@huawei.com
      - Fix error failure of case test_xdp_adjust_tail_grow exposed by this series
      
      v2: https://lore.kernel.org/bpf/20221010070454.577433-1-xukuohai@huaweicloud.com
      - Rebase and fix conflict
      
      v1: https://lore.kernel.org/bpf/20221009131830.395569-1-xukuohai@huaweicloud.com
      ====================
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
    • libbpf: Fix null-pointer dereference in find_prog_by_sec_insn() · d0d382f9
      Shung-Hsi Yu authored
      When there are no program sections, obj->programs is left unallocated,
      and find_prog_by_sec_insn()'s search lands on &obj->programs[0] == NULL,
      and will cause null-pointer dereference in the following access to
      prog->sec_idx.
      
      Guard the search with obj->nr_programs similar to what's being done in
      __bpf_program__iter() to prevent null-pointer access from happening.
      
      Fixes: db2b8b06 ("libbpf: Support CO-RE relocations for multi-prog sections")
      Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/bpf/20221012022353.7350-4-shung-hsi.yu@suse.com
    • libbpf: Deal with section with no data gracefully · 35a85550
      Shung-Hsi Yu authored
      ELF section data pointer returned by libelf may be NULL (if section has
      SHT_NOBITS), so null check section data pointer before attempting to
      copy license and kversion section.
      
      Fixes: cb1e5e96 ("bpf tools: Collect version and license from ELF sections")
      Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Link: https://lore.kernel.org/bpf/20221012022353.7350-3-shung-hsi.yu@suse.com
    • libbpf: Use elf_getshdrnum() instead of e_shnum · 51deedc9
      Shung-Hsi Yu authored
      This commit replaces e_shnum with the elf_getshdrnum() helper to fix two
      oss-fuzz-reported heap-buffer overflows in __bpf_object__open. Both
      reports are incorrectly marked as fixed while still being
      reproducible in the latest libbpf.
      
        # clusterfuzz-testcase-minimized-bpf-object-fuzzer-5747922482888704
        libbpf: loading object 'fuzz-object' from buffer
        libbpf: sec_cnt is 0
        libbpf: elf: section(1) .data, size 0, link 538976288, flags 2020202020202020, type=2
        libbpf: elf: section(2) .data, size 32, link 538976288, flags 202020202020ff20, type=1
        =================================================================
        ==13==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000000c0 at pc 0x0000005a7b46 bp 0x7ffd12214af0 sp 0x7ffd12214ae8
        WRITE of size 4 at 0x6020000000c0 thread T0
        SCARINESS: 46 (4-byte-write-heap-buffer-overflow-far-from-bounds)
            #0 0x5a7b45 in bpf_object__elf_collect /src/libbpf/src/libbpf.c:3414:24
            #1 0x5733c0 in bpf_object_open /src/libbpf/src/libbpf.c:7223:16
            #2 0x5739fd in bpf_object__open_mem /src/libbpf/src/libbpf.c:7263:20
            ...
      
      The issue lies in libbpf's direct use of the e_shnum field in the ELF header as
      the section header count, whereas libelf implements extra logic
      that, when e_shnum == 0 && e_shoff != 0, uses the sh_size member of the
      initial section header as the real section header count (part of the ELF
      spec to accommodate the situation where the section header count is larger
      than SHN_LORESERVE).

      The above inconsistency leads to libbpf writing into a zero-entry calloc
      area. So instead of using e_shnum directly, use the elf_getshdrnum()
      helper provided by libelf to retrieve the section header count into
      sec_cnt.
      
      Fixes: 0d6988e1 ("libbpf: Fix section counting logic")
      Fixes: 25bbbd7a ("libbpf: Remove assumptions about uniqueness of .rodata/.data/.bss maps")
      Signed-off-by: Shung-Hsi Yu <shung-hsi.yu@suse.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40868
      Link: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40957
      Link: https://lore.kernel.org/bpf/20221012022353.7350-2-shung-hsi.yu@suse.com
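      The section-count rule described in the two libbpf commits above (51deedc9 and 35a85550), as an added stand-alone example that is not libbpf's or libelf's code: a minimal ELF64 reader that applies the elf_getshdrnum() escape (e_shnum == 0 with a section header table present means the real count is sh_size of header 0), bounds-checks every header and section it touches against the image length, and returns NULL for SHT_NOBITS sections the way libelf's data pointer is NULL for them. The struct layouts mirror <elf.h> so the block builds without it; the sample image, its three sections and their sizes are constructed here for illustration, and a little-endian host is assumed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHT_PROGBITS 1u
#define SHT_NOBITS   8u

/* Minimal ELF64 header layouts, byte-for-byte those of Elf64_Ehdr and
 * Elf64_Shdr in <elf.h> (64 bytes each); host assumed little-endian. */
typedef struct {
	unsigned char e_ident[16];
	uint16_t e_type, e_machine; uint32_t e_version;
	uint64_t e_entry, e_phoff, e_shoff; uint32_t e_flags;
	uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64;

typedef struct {
	uint32_t sh_name, sh_type;
	uint64_t sh_flags, sh_addr, sh_offset, sh_size;
	uint32_t sh_link, sh_info; uint64_t sh_addralign, sh_entsize;
} shdr64;

/* Pre-fix libbpf: take e_shnum at face value. */
static size_t naive_shnum(const unsigned char *img, size_t len)
{
	ehdr64 eh;
	if (len < sizeof eh)
		return 0;
	memcpy(&eh, img, sizeof eh);
	return eh.e_shnum;
}

/* The elf_getshdrnum() rule: e_shnum == 0 with e_shoff != 0 means the real
 * count is sh_size of section header 0 (the ELF escape for counts that do
 * not fit below SHN_LORESERVE). Returns -1 if the image is truncated. */
static int real_shnum(const unsigned char *img, size_t len, size_t *count)
{
	ehdr64 eh;
	shdr64 sh0;
	if (len < sizeof eh)
		return -1;
	memcpy(&eh, img, sizeof eh);
	if (eh.e_shnum != 0 || eh.e_shoff == 0) {
		*count = eh.e_shnum;
		return 0;
	}
	if (eh.e_shentsize != sizeof sh0 || eh.e_shoff > len ||
	    len - eh.e_shoff < sizeof sh0)
		return -1;
	memcpy(&sh0, img + eh.e_shoff, sizeof sh0);
	*count = sh0.sh_size;
	return 0;
}

/* Section bytes, or NULL when there is nothing to copy: index past the count,
 * header table or contents running off the image, or SHT_NOBITS (libelf
 * returns a NULL data pointer for it, the case 35a85550 guards). */
static const unsigned char *section_data(const unsigned char *img, size_t len,
					 size_t idx, size_t *size)
{
	ehdr64 eh;
	shdr64 sh;
	size_t count;
	if (real_shnum(img, len, &count) || idx >= count)
		return NULL;
	memcpy(&eh, img, sizeof eh);
	if (eh.e_shentsize != sizeof sh || eh.e_shoff > len ||
	    idx >= (len - eh.e_shoff) / sizeof sh)
		return NULL;	/* the header table itself runs off the image */
	memcpy(&sh, img + eh.e_shoff + idx * sizeof sh, sizeof sh);
	if (sh.sh_type == SHT_NOBITS || sh.sh_offset > len ||
	    len - sh.sh_offset < sh.sh_size)
		return NULL;
	*size = sh.sh_size;
	return img + sh.sh_offset;
}

/* Constructed sample: header, 8 bytes of .data, then three section headers
 * (NULL, .data PROGBITS, .bss NOBITS). With extended != 0 e_shnum is 0 and
 * the count 3 sits in shdr[0].sh_size. Returns the image length, 0 if no fit. */
#define SAMPLE_NSEC 3
static size_t build_sample(unsigned char *buf, size_t cap, int extended)
{
	static const unsigned char data[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
	size_t data_off = sizeof(ehdr64), sh_off = data_off + sizeof data;
	size_t total = sh_off + SAMPLE_NSEC * sizeof(shdr64);
	ehdr64 eh = { { 0 } };
	shdr64 sh[SAMPLE_NSEC] = { { 0 } };

	if (cap < total)
		return 0;
	memcpy(eh.e_ident, "\177ELF\2\1", 6);	/* magic, ELFCLASS64, ELFDATA2LSB */
	eh.e_shentsize = sizeof(shdr64); eh.e_shoff = sh_off;
	eh.e_shnum = extended ? 0 : SAMPLE_NSEC;
	sh[0].sh_size = extended ? SAMPLE_NSEC : 0;	/* sh_type stays SHT_NULL */
	sh[1].sh_type = SHT_PROGBITS; sh[1].sh_offset = data_off; sh[1].sh_size = sizeof data;
	sh[2].sh_type = SHT_NOBITS; sh[2].sh_size = 4096;	/* no file bytes behind it */
	memcpy(buf, &eh, sizeof eh);
	memcpy(buf + data_off, data, sizeof data);
	memcpy(buf + sh_off, sh, sizeof sh);
	return total;
}
```

      With the extended image, naive_shnum() reports 0 while real_shnum() reports 3, which is exactly the mismatch that made libbpf size its arrays for zero sections and then write three; a count pulled from the file is still only a claim, so section_data() re-checks every index and offset against the image length rather than trusting it.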
    • selftest/bpf: Fix error usage of ASSERT_OK in xdp_adjust_tail.c · cbc1c998
      Xu Kuohai authored
      xdp_adjust_tail.c calls ASSERT_OK() to check the return value of
      bpf_prog_test_load(), but the condition is not correct. Fix it.
      
      Fixes: 791cad02 ("bpf: selftests: Get rid of CHECK macro in xdp_adjust_tail.c")
      Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
      Link: https://lore.kernel.org/bpf/20221011120108.782373-7-xukuohai@huaweicloud.com
    • selftests/bpf: Fix error failure of case test_xdp_adjust_tail_grow · 4abdb1d5
      Xu Kuohai authored
      test_xdp_adjust_tail_grow failed with ipv6:
        test_xdp_adjust_tail_grow:FAIL:ipv6 unexpected error: -28 (errno 28)
      
      The reason is that this test case tests ipv4 before ipv6, and when ipv4
      test finished, topts.data_size_out was set to 54, which is smaller than the
      ipv6 output data size 114, so ipv6 test fails with NOSPC error.
      
      Fix it by resetting topts.data_size_out to sizeof(buf) before testing ipv6.
      
      Fixes: 04fcb5f9 ("selftests/bpf: Migrate from bpf_prog_test_run")
      Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
      Link: https://lore.kernel.org/bpf/20221011120108.782373-6-xukuohai@huaweicloud.com
    • selftest/bpf: Fix memory leak in kprobe_multi_test · 6d2e21dc
      Xu Kuohai authored
      The get_syms() function in kprobe_multi_test.c does not free the string
      memory allocated by sscanf correctly. Fix it.
      
      Fixes: 5b6c7e5c ("selftests/bpf: Add attach bench test")
      Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Acked-by: Jiri Olsa <jolsa@kernel.org>
      Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
      Link: https://lore.kernel.org/bpf/20221011120108.782373-5-xukuohai@huaweicloud.com
    • selftests/bpf: Fix memory leak caused by not destroying skeleton · 6e8280b9
      Xu Kuohai authored
      Some test cases do not destroy the skeleton object correctly, causing ASAN
      to report a memory leak warning. Fix it.
      
      Fixes: 0ef6740e ("selftests/bpf: Add tests for kptr_ref refcounting")
      Fixes: 1642a394 ("selftests/bpf: Add struct argument tests with fentry/fexit programs.")
      Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
      Link: https://lore.kernel.org/bpf/20221011120108.782373-4-xukuohai@huaweicloud.com
    • libbpf: Fix memory leak in parse_usdt_arg() · 0dc9254e
      Xu Kuohai authored
      In the arm64 version of parse_usdt_arg(), when sscanf returns 2, reg_name
      is allocated but not freed. Fix it.
      
      Fixes: 0f861992 ("libbpf: Usdt aarch64 arg parsing support")
      Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
      Link: https://lore.kernel.org/bpf/20221011120108.782373-3-xukuohai@huaweicloud.com
    • libbpf: Fix use-after-free in btf_dump_name_dups · 93c660ca
      Xu Kuohai authored
      ASAN reports a use-after-free in btf_dump_name_dups:
      
      ERROR: AddressSanitizer: heap-use-after-free on address 0xffff927006db at pc 0xaaaab5dfb618 bp 0xffffdd89b890 sp 0xffffdd89b928
      READ of size 2 at 0xffff927006db thread T0
          #0 0xaaaab5dfb614 in __interceptor_strcmp.part.0 (test_progs+0x21b614)
          #1 0xaaaab635f144 in str_equal_fn tools/lib/bpf/btf_dump.c:127
          #2 0xaaaab635e3e0 in hashmap_find_entry tools/lib/bpf/hashmap.c:143
          #3 0xaaaab635e72c in hashmap__find tools/lib/bpf/hashmap.c:212
          #4 0xaaaab6362258 in btf_dump_name_dups tools/lib/bpf/btf_dump.c:1525
          #5 0xaaaab636240c in btf_dump_resolve_name tools/lib/bpf/btf_dump.c:1552
          #6 0xaaaab6362598 in btf_dump_type_name tools/lib/bpf/btf_dump.c:1567
          #7 0xaaaab6360b48 in btf_dump_emit_struct_def tools/lib/bpf/btf_dump.c:912
          #8 0xaaaab6360630 in btf_dump_emit_type tools/lib/bpf/btf_dump.c:798
          #9 0xaaaab635f720 in btf_dump__dump_type tools/lib/bpf/btf_dump.c:282
          #10 0xaaaab608523c in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:236
          #11 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
          #12 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
          #13 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
          #14 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
          #15 0xaaaab5d65990  (test_progs+0x185990)
      
      0xffff927006db is located 11 bytes inside of 16-byte region [0xffff927006d0,0xffff927006e0)
      freed by thread T0 here:
          #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4)
          #1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191
          #2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163
          #3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106
          #4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157
          #5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519
          #6 0xaaaab6353e10 in btf__add_field tools/lib/bpf/btf.c:2032
          #7 0xaaaab6084fcc in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:232
          #8 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
          #9 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
          #10 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
          #11 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
          #12 0xaaaab5d65990  (test_progs+0x185990)
      
      previously allocated by thread T0 here:
          #0 0xaaaab5e2c7c4 in realloc (test_progs+0x24c7c4)
          #1 0xaaaab634f4a0 in libbpf_reallocarray tools/lib/bpf/libbpf_internal.h:191
          #2 0xaaaab634f840 in libbpf_add_mem tools/lib/bpf/btf.c:163
          #3 0xaaaab636643c in strset_add_str_mem tools/lib/bpf/strset.c:106
          #4 0xaaaab6366560 in strset__add_str tools/lib/bpf/strset.c:157
          #5 0xaaaab6352d70 in btf__add_str tools/lib/bpf/btf.c:1519
          #6 0xaaaab6353ff0 in btf_add_enum_common tools/lib/bpf/btf.c:2070
          #7 0xaaaab6354080 in btf__add_enum tools/lib/bpf/btf.c:2102
          #8 0xaaaab6082f50 in test_btf_dump_incremental tools/testing/selftests/bpf/prog_tests/btf_dump.c:162
          #9 0xaaaab6097530 in test_btf_dump tools/testing/selftests/bpf/prog_tests/btf_dump.c:875
          #10 0xaaaab6314ed0 in run_one_test tools/testing/selftests/bpf/test_progs.c:1062
          #11 0xaaaab631a0a8 in main tools/testing/selftests/bpf/test_progs.c:1697
          #12 0xffff9676d214 in __libc_start_main ../csu/libc-start.c:308
          #13 0xaaaab5d65990  (test_progs+0x185990)
      
      The reason is that the key stored in the hash table name_map is a string
      address, and the string memory is allocated by realloc(); when
      the memory is resized by realloc() later, the old memory may be freed,
      so the address stored in name_map references freed memory, causing a
      use-after-free.
      
      Fix it by storing duplicated string address in name_map.
      
      Fixes: 919d2b1d ("libbpf: Allow modification of BTF and add btf__add_str API")
      Signed-off-by: Xu Kuohai <xukuohai@huawei.com>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Acked-by: Martin KaFai Lau <martin.lau@kernel.org>
      Link: https://lore.kernel.org/bpf/20221011120108.782373-2-xukuohai@huaweicloud.com
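      The failure mode in 93c660ca above, as an added example that is not libbpf's code: a growable string store in the spirit of strset (one buffer, strings addressed by offset) whose growth always relocates the buffer, which is one thing realloc() is permitted to do. stale_keys() records each name the way a name_map would, either as the raw pointer into the store (the bug) or as a private copy (the fix), then counts how many recorded keys no longer match the string's current location. The strset and name_map shapes, the growth policy and the "field_N" sample names are constructed here for illustration; raw pointers are snapshotted as integers so nothing freed is ever dereferenced.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Growable string storage in the spirit of libbpf's strset: all strings live
 * in one buffer and are addressed by offset. Growth here always relocates
 * (malloc new, copy, free old), which is what realloc() may do at any grow. */
struct strset {
	char *buf;
	size_t len, cap;
};

/* Append str and return its offset, or -1 on allocation failure. */
static long strset_add(struct strset *s, const char *str)
{
	size_t n = strlen(str) + 1;

	if (s->len + n > s->cap) {
		size_t ncap = s->cap ? s->cap : 16;
		char *nbuf;

		while (ncap < s->len + n)
			ncap *= 2;
		nbuf = malloc(ncap);
		if (!nbuf)
			return -1;
		if (s->buf)
			memcpy(nbuf, s->buf, s->len);
		free(s->buf);	/* every pointer into the old buffer is dead now */
		s->buf = nbuf;
		s->cap = ncap;
	}
	memcpy(s->buf + s->len, str, n);
	s->len += n;
	return (long)(s->len - n);
}

static const char *strset_get(const struct strset *s, size_t off)
{
	return s->buf + off;
}

/* Private copy of a string (what the fix stores as the name_map key). */
static char *dup_str(const char *str)
{
	size_t n = strlen(str) + 1;
	char *copy = malloc(n);

	return copy ? memcpy(copy, str, n) : NULL;
}

#define MAX_NAMES 64

/* Add n names and remember each key the way a name_map would: the raw
 * strset pointer (copy_keys == 0, the bug) or a private copy (copy_keys != 0,
 * the fix). Returns how many remembered keys no longer match the string's
 * current location, or -1 if an allocation failed. Raw pointers are kept
 * as uintptr_t so nothing freed is ever dereferenced or compared as a pointer. */
static int stale_keys(int copy_keys, int n)
{
	struct strset s = { 0 };
	uintptr_t raw[MAX_NAMES];
	char *copy[MAX_NAMES] = { 0 };
	long off[MAX_NAMES];
	char name[32];
	int i, stale = 0;

	if (n > MAX_NAMES)
		n = MAX_NAMES;
	for (i = 0; i < n; i++) {
		snprintf(name, sizeof name, "field_%d", i);
		off[i] = strset_add(&s, name);
		if (off[i] < 0) {
			stale = -1;
			n = i;
			break;
		}
		if (copy_keys)
			copy[i] = dup_str(strset_get(&s, (size_t)off[i]));
		else
			raw[i] = (uintptr_t)strset_get(&s, (size_t)off[i]);
	}
	for (i = 0; i < n; i++) {
		const char *cur = strset_get(&s, (size_t)off[i]);

		if (stale < 0)
			;	/* already failed, only release memory */
		else if (copy_keys)
			stale += !copy[i] || strcmp(copy[i], cur) != 0;
		else
			stale += raw[i] != (uintptr_t)cur;
		free(copy[i]);
	}
	free(s.buf);
	return stale;
}
```

      Two names fit in the initial 16-byte buffer, so stale_keys(0, 2) is 0: raw pointers only go bad once a later insertion grows the store, and by then every key recorded against the previous buffer points at freed memory, which is what ASAN caught in btf_dump_name_dups. Storing a copy (or, equally, the offset and resolving it at lookup time) survives any number of grows.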
    • Merge tag 'net-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 66ae0436
      Linus Torvalds authored
      Pull networking fixes from Jakub Kicinski:
       "Including fixes from netfilter, and wifi.
      
      Current release - regressions:
      
         - Revert "net/sched: taprio: make qdisc_leaf() see the
           per-netdev-queue pfifo child qdiscs", it may cause crashes when the
           qdisc is reconfigured
      
         - inet: ping: fix splat due to packet allocation refactoring in inet
      
         - tcp: clean up kernel listener's reqsk in inet_twsk_purge(), fix UAF
           due to races when per-netns hash table is used
      
        Current release - new code bugs:
      
         - eth: adin1110: check in netdev_event that netdev belongs to driver
      
         - fixes for PTR_ERR() vs NULL bugs in driver code, from Dan and co.
      
        Previous releases - regressions:
      
         - ipv4: handle attempt to delete multipath route when fib_info
           contains an nh reference, avoid oob access
      
         - wifi: fix handful of bugs in the new Multi-BSSID code
      
         - wifi: mt76: fix rate reporting / throughput regression on mt7915
           and newer, fix checksum offload
      
         - wifi: iwlwifi: mvm: fix double list_add at
           iwl_mvm_mac_wake_tx_queue (other cases)
      
         - wifi: mac80211: do not drop packets smaller than the LLC-SNAP
           header on fast-rx
      
        Previous releases - always broken:
      
         - ieee802154: don't warn zero-sized raw_sendmsg()
      
         - ipv6: ping: fix wrong checksum for large frames
      
         - mctp: prevent double key removal and unref
      
         - tcp/udp: fix memory leaks and races around IPV6_ADDRFORM
      
         - hv_netvsc: fix race between VF offering and VF association message
      
        Misc:
      
         - remove -Warray-bounds silencing in the drivers, compilers fixed"
      
      * tag 'net-6.1-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (73 commits)
        sunhme: fix an IS_ERR() vs NULL check in probe
        net: marvell: prestera: fix a couple NULL vs IS_ERR() checks
        kcm: avoid potential race in kcm_tx_work
        tcp: Clean up kernel listener's reqsk in inet_twsk_purge()
        net: phy: micrel: Fixes FIELD_GET assertion
        openvswitch: add nf_ct_is_confirmed check before assigning the helper
        tcp: Fix data races around icsk->icsk_af_ops.
        ipv6: Fix data races around sk->sk_prot.
        tcp/udp: Call inet6_destroy_sock() in IPv6 sk->sk_destruct().
        udp: Call inet6_destroy_sock() in setsockopt(IPV6_ADDRFORM).
        tcp/udp: Fix memory leak in ipv6_renew_options().
        mctp: prevent double key removal and unref
        selftests: netfilter: Fix nft_fib.sh for all.rp_filter=1
        netfilter: rpfilter/fib: Populate flowic_l3mdev field
        selftests: netfilter: Test reverse path filtering
        net/mlx5: Make ASO poll CQ usable in atomic context
        tcp: cdg: allow tcp_cdg_release() to be called multiple times
        inet: ping: fix recent breakage
        ipv6: ping: fix wrong checksum for large frames
        net: ethernet: ti: am65-cpsw: set correct devlink flavour for unused ports
        ...
    • Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · d6f04f26
      Linus Torvalds authored
      Pull virtio fixes from Michael Tsirkin:
      
       - Fix a regression in virtio pci on power
      
       - Add a reviewer for ifcvf
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vdpa/ifcvf: add reviewer
        virtio_pci: use irq to detect interrupt support
    • Merge tag 'trace-v6.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace · aa41478a
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Found that the synthetic events were using strlen/strscpy() on values
         that could have come from userspace, and that is bad.
      
         Consolidate the string logic of kprobe and eprobe and extend it to
         the synthetic events to safely process string addresses.
      
       - Clean up content of text dump in ftrace_bug() where the output does
         not make char reads into signed and sign extending the byte output.
      
       - Fix some kernel docs in the ring buffer code.
      
      * tag 'trace-v6.1-1' of git://git.kernel.org/pub/scm/linux/kernel/git/trace/linux-trace:
        tracing: Fix reading strings from synthetic events
        tracing: Add "(fault)" name injection to kernel probes
        tracing: Move duplicate code of trace_kprobe/eprobe.c into header
        ring-buffer: Fix kernel-doc
        ftrace: Fix char print issue in print_ip_ins()
    • Merge tag 'linux-watchdog-6.1-rc1' of git://www.linux-watchdog.org/linux-watchdog · 3d33e6dd
      Linus Torvalds authored
      Pull watchdog updates from Wim Van Sebroeck:
      
       - new driver for Exar/MaxLinear XR28V38x
      
       - support for exynosautov9 SoC
      
       - support for Renesas R-Car V5H (R8A779G0) and RZ/V2M (r9a09g011) SoC
      
       - support for imx93
      
       - several other fixes and improvements
      
      * tag 'linux-watchdog-6.1-rc1' of git://www.linux-watchdog.org/linux-watchdog: (36 commits)
        watchdog: twl4030_wdt: add missing mod_devicetable.h include
        dt-bindings: watchdog: migrate mt7621 text bindings to YAML
        watchdog: sp5100_tco: Add "action" module parameter
        watchdog: imx93: add watchdog timer on imx93
        watchdog: imx7ulp_wdt: init wdog when it was active
        watchdog: imx7ulp_wdt: Handle wdog reconfigure failure
        watchdog: imx7ulp_wdt: Fix RCS timeout issue
        watchdog: imx7ulp_wdt: Check CMD32EN in wdog init
        watchdog: imx7ulp: Add explict memory barrier for unlock sequence
        watchdog: imx7ulp: Move suspend/resume to noirq phase
        watchdog: rti-wdt:using the pm_runtime_resume_and_get to simplify the code
        dt-bindings: watchdog: rockchip: add rockchip,rk3128-wdt
        watchdog: s3c2410_wdt: support exynosautov9 watchdog
        dt-bindings: watchdog: add exynosautov9 compatible
        watchdog: npcm: Enable clock if provided
        watchdog: meson: keep running if already active
        watchdog: dt-bindings: atmel,at91sam9-wdt: convert to json-schema
        watchdog: armada_37xx_wdt: Fix .set_timeout callback
        watchdog: sa1100: make variable sa1100dog_driver static
        watchdog: w83977f_wdt: Fix comment typo
        ...
    • Merge tag 'ceph-for-6.1-rc1' of https://github.com/ceph/ceph-client · 524d0c68
      Linus Torvalds authored
      Pull ceph updates from Ilya Dryomov:
       "A quiet round this time: several assorted filesystem fixes, the most
        noteworthy one being some additional wakeups in cap handling code, and
        a messenger cleanup"
      
      * tag 'ceph-for-6.1-rc1' of https://github.com/ceph/ceph-client:
        ceph: remove Sage's git tree from documentation
        ceph: fix incorrectly showing the .snap size for stat
        ceph: fail the open_by_handle_at() if the dentry is being unlinked
        ceph: increment i_version when doing a setattr with caps
        ceph: Use kcalloc for allocating multiple elements
        ceph: no need to wait for transition RDCACHE|RD -> RD
        ceph: fail the request if the peer MDS doesn't support getvxattr op
        ceph: wake up the waiters if any new caps comes
        libceph: drop last_piece flag from ceph_msg_data_cursor
    • Merge tag 'nfs-for-6.1-1' of git://git.linux-nfs.org/projects/anna/linux-nfs · 66b83455
      Linus Torvalds authored
      Pull NFS client updates from Anna Schumaker:
       "New Features:
         - Add NFSv4.2 xattr tracepoints
         - Replace xprtiod WQ in rpcrdma
         - Flexfiles cancels I/O on layout recall or revoke
      
        Bugfixes and Cleanups:
         - Directly use ida_alloc() / ida_free()
         - Don't open-code max_t()
         - Prefer using strscpy over strlcpy
         - Remove unused forward declarations
         - Always return layout states on flexfiles layout return
         - Have LISTXATTR treat NFS4ERR_NOXATTR as an empty reply instead of
           error
         - Allow more xprtrdma memory allocations to fail without triggering a
           reclaim
         - Various other xprtrdma clean ups
         - Fix rpc_killall_tasks() races"
      
      * tag 'nfs-for-6.1-1' of git://git.linux-nfs.org/projects/anna/linux-nfs: (27 commits)
        NFSv4/flexfiles: Cancel I/O if the layout is recalled or revoked
        SUNRPC: Add API to force the client to disconnect
        SUNRPC: Add a helper to allow pNFS drivers to selectively cancel RPC calls
        SUNRPC: Fix races with rpc_killall_tasks()
        xprtrdma: Fix uninitialized variable
        xprtrdma: Prevent memory allocations from driving a reclaim
        xprtrdma: Memory allocation should be allowed to fail during connect
        xprtrdma: MR-related memory allocation should be allowed to fail
        xprtrdma: Clean up synopsis of rpcrdma_regbuf_alloc()
        xprtrdma: Clean up synopsis of rpcrdma_req_create()
        svcrdma: Clean up RPCRDMA_DEF_GFP
        SUNRPC: Replace the use of the xprtiod WQ in rpcrdma
        NFSv4.2: Add a tracepoint for listxattr
        NFSv4.2: Add tracepoints for getxattr, setxattr, and removexattr
        NFSv4.2: Move TRACE_DEFINE_ENUM(NFS4_CONTENT_*) under CONFIG_NFS_V4_2
        NFSv4.2: Add special handling for LISTXATTR receiving NFS4ERR_NOXATTR
        nfs: remove nfs_wait_atomic_killable() and nfs_write_prepare() declaration
        NFSv4: remove nfs4_renewd_prepare_shutdown() declaration
        fs/nfs/pnfs_nfs.c: fix spelling typo and syntax error in comment
        NFSv4/pNFS: Always return layout stats on layout return for flexfiles
        ...
    • Merge tag 'for-linus-6.1-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux · 531d3b5f
      Linus Torvalds authored
      Pull orangefs update from Mike Marshall:
       "Change iterate to iterate_shared"
      
      * tag 'for-linus-6.1-ofs1' of git://git.kernel.org/pub/scm/linux/kernel/git/hubcap/linux:
        Orangefs: change iterate to iterate_shared
    • sunhme: fix an IS_ERR() vs NULL check in probe · 99df45c9
      Dan Carpenter authored
      The devm_request_region() function does not return error pointers, it
      returns NULL on error.
      
      Fixes: 914d9b27 ("sunhme: switch to devres")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Reviewed-by: Sean Anderson <seanga2@gmail.com>
      Reviewed-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
      Link: https://lore.kernel.org/r/Y0bWzJL8JknX8MUf@kili
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • net: marvell: prestera: fix a couple NULL vs IS_ERR() checks · 30e9672a
      Dan Carpenter authored
      The __prestera_nexthop_group_create() function returns NULL on error
      and the prestera_nexthop_group_get() returns error pointers.  Fix these
      two checks.
      
      Fixes: 0a23ae23 ("net: marvell: prestera: Add router nexthops ABI")
      Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
      Link: https://lore.kernel.org/r/Y0bWq+7DoKK465z8@kili
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • kcm: avoid potential race in kcm_tx_work · ec7eede3
      Eric Dumazet authored
      syzbot found that kcm_tx_work() could crash [1] in:
      
      	/* Primarily for SOCK_SEQPACKET sockets */
      	if (likely(sk->sk_socket) &&
      	    test_bit(SOCK_NOSPACE, &sk->sk_socket->flags)) {
      <<*>>	clear_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
      		sk->sk_write_space(sk);
      	}
      
      I think the reason is that another thread might concurrently
      run in kcm_release() and call sock_orphan(sk) while sk is not
      locked. kcm_tx_work() finds sk->sk_socket being NULL.
      
      [1]
      BUG: KASAN: null-ptr-deref in instrument_atomic_write include/linux/instrumented.h:86 [inline]
      BUG: KASAN: null-ptr-deref in clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
      BUG: KASAN: null-ptr-deref in kcm_tx_work+0xff/0x160 net/kcm/kcmsock.c:742
      Write of size 8 at addr 0000000000000008 by task kworker/u4:3/53
      
      CPU: 0 PID: 53 Comm: kworker/u4:3 Not tainted 5.19.0-rc3-next-20220621-syzkaller #0
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: kkcmd kcm_tx_work
      Call Trace:
      <TASK>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
      kasan_report+0xbe/0x1f0 mm/kasan/report.c:495
      check_region_inline mm/kasan/generic.c:183 [inline]
      kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
      instrument_atomic_write include/linux/instrumented.h:86 [inline]
      clear_bit include/asm-generic/bitops/instrumented-atomic.h:41 [inline]
      kcm_tx_work+0xff/0x160 net/kcm/kcmsock.c:742
      process_one_work+0x996/0x1610 kernel/workqueue.c:2289
      worker_thread+0x665/0x1080 kernel/workqueue.c:2436
      kthread+0x2e9/0x3a0 kernel/kthread.c:376
      ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302
      </TASK>
      
      Fixes: ab7ac4eb ("kcm: Kernel Connection Multiplexor module")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      Cc: Tom Herbert <tom@herbertland.com>
      Link: https://lore.kernel.org/r/20221012133412.519394-1-edumazet@google.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    • tcp: Clean up kernel listener's reqsk in inet_twsk_purge() · 740ea3c4
      Kuniyuki Iwashima authored
      Eric Dumazet reported a use-after-free related to the per-netns ehash
      series. [0]
      
      When we create a TCP socket from userspace, the socket always holds a
      refcnt of the netns.  This guarantees that a reqsk timer is always fired
      before netns dismantle.  Each reqsk has a refcnt of its listener, so the
      listener is not freed before the reqsk, and the net is not freed before
      the listener as well.
      
      OTOH, when in-kernel users create a TCP socket, it might not hold a refcnt
      of its netns.  Thus, a reqsk timer can be fired after the netns dismantle
      and access freed per-netns ehash.
      
      To avoid the use-after-free, we need to clean up TCP_NEW_SYN_RECV sockets
      in inet_twsk_purge() if the netns uses a per-netns ehash.
      
      [0]: https://lore.kernel.org/netdev/CANn89iLXMup0dRD_Ov79Xt8N9FM0XdhCHEN05sf3eLwxKweM6w@mail.gmail.com/
      
      BUG: KASAN: use-after-free in tcp_or_dccp_get_hashinfo
      include/net/inet_hashtables.h:181 [inline]
      BUG: KASAN: use-after-free in reqsk_queue_unlink+0x320/0x350
      net/ipv4/inet_connection_sock.c:913
      Read of size 8 at addr ffff88807545bd80 by task syz-executor.2/8301
      
      CPU: 1 PID: 8301 Comm: syz-executor.2 Not tainted
      6.0.0-syzkaller-02757-gaf7d23f9 #0
      Hardware name: Google Google Compute Engine/Google Compute Engine,
      BIOS Google 09/22/2022
      Call Trace:
      <IRQ>
      __dump_stack lib/dump_stack.c:88 [inline]
      dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
      print_address_description mm/kasan/report.c:317 [inline]
      print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
      kasan_report+0xb1/0x1e0 mm/kasan/report.c:495
      tcp_or_dccp_get_hashinfo include/net/inet_hashtables.h:181 [inline]
      reqsk_queue_unlink+0x320/0x350 net/ipv4/inet_connection_sock.c:913
      inet_csk_reqsk_queue_drop net/ipv4/inet_connection_sock.c:927 [inline]
      inet_csk_reqsk_queue_drop_and_put net/ipv4/inet_connection_sock.c:939 [inline]
      reqsk_timer_handler+0x724/0x1160 net/ipv4/inet_connection_sock.c:1053
      call_timer_fn+0x1a0/0x6b0 kernel/time/timer.c:1474
      expire_timers kernel/time/timer.c:1519 [inline]
      __run_timers.part.0+0x674/0xa80 kernel/time/timer.c:1790
      __run_timers kernel/time/timer.c:1768 [inline]
      run_timer_softirq+0xb3/0x1d0 kernel/time/timer.c:1803
      __do_softirq+0x1d0/0x9c8 kernel/softirq.c:571
      invoke_softirq kernel/softirq.c:445 [inline]
      __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650
      irq_exit_rcu+0x5/0x20 kernel/softirq.c:662
      sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1107
      </IRQ>
      
      Fixes: d1e5e640 ("tcp: Introduce optional per-netns ehash.")
      Reported-by: syzbot <syzkaller@googlegroups.com>
      Reported-by: Eric Dumazet <edumazet@google.com>
      Suggested-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: Eric Dumazet <edumazet@google.com>
      Link: https://lore.kernel.org/r/20221012145036.74960-1-kuniyu@amazon.com
      Signed-off-by: Jakub Kicinski <kuba@kernel.org>
      740ea3c4
    • selftests/bpf: S/iptables/iptables-legacy/ in the bpf_nf and xdp_synproxy test · de9c8d84
      Martin KaFai Lau authored
      The recent vm image in CI has reported an error in selftests that use
      the iptables command.  Manu Bretelle has pointed out the difference
      in the recent vm image: iptables is symlinked to iptables-nft.
      With this knowledge, I can also reproduce the CI error by manually running
      with 'iptables-nft'.
      
      This patch is to replace the iptables command with iptables-legacy
      to unblock the CI tests.
      Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
      Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
      Acked-by: David Vernet <void@manifault.com>
      Link: https://lore.kernel.org/bpf/20221012221235.3529719-1-martin.lau@linux.dev
      de9c8d84
    • vdpa/ifcvf: add reviewer · be8ddea9
      Michael S. Tsirkin authored
      Zhu Lingshan has been writing and reviewing ifcvf patches for
      a while now, add as reviewer.
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Acked-by: Zhu Lingshan <lingshan.zhu@intel.com>
      Acked-by: Jason Wang <jasowang@redhat.com>
      be8ddea9
    • virtio_pci: use irq to detect interrupt support · 2145ab51
      Michael S. Tsirkin authored
      commit 71491c54 ("virtio_pci: don't try to use intxif pin is zero")
      breaks virtio_pci on powerpc, when running as a qemu guest.
      
      vp_find_vqs() bails out because pci_dev->pin == 0.
      
      But pci_dev->irq is populated correctly, so vp_find_vqs_intx() would
      succeed if we called it - which is what the code used to do.
      
      This seems to happen because pci_dev->pin is not populated in
      pci_assign_irq(). A PCI core bug? Maybe.
      
      However, Linus said:
      	I really think that that is basically the only time you should use
      	that 'pci_dev->pin' thing: it basically exists not for "does this
      	device have an IRQ", but for "what is the routing of this irq on this
      	device".
      
      and
      	The correct way to check for "no irq" doesn't use NO_IRQ at all, it just does
      		if (dev->irq) ...
      
      so let's just check irq and be done with it.
      Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
      Reported-by: Michael Ellerman <mpe@ellerman.id.au>
      Fixes: 71491c54 ("virtio_pci: don't try to use intxif pin is zero")
      Cc: "Angus Chen" <angus.chen@jaguarmicro.com>
      Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
      Tested-by: Michael Ellerman <mpe@ellerman.id.au>
      Acked-by: Jason Wang <jasowang@redhat.com>
      Message-Id: <20221012220312.308522-1-mst@redhat.com>
      2145ab51
    • Merge tag 'wireless-2022-10-13' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless · ac85bc71
      Paolo Abeni authored
      Johannes Berg says:
      
      ====================
      More wireless fixes for 6.1
      
      This has only the fixes for the scan parsing issues.
      
      * tag 'wireless-2022-10-13' of git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless:
        wifi: cfg80211: update hidden BSSes to avoid WARN_ON
        wifi: mac80211: fix crash in beacon protection for P2P-device
        wifi: mac80211_hwsim: avoid mac80211 warning on bad rate
        wifi: cfg80211: avoid nontransmitted BSS list corruption
        wifi: cfg80211: fix BSS refcounting bugs
        wifi: cfg80211: ensure length byte is present before access
        wifi: mac80211: fix MBSSID parsing use-after-free
        wifi: cfg80211/mac80211: reject bad MBSSID elements
        wifi: cfg80211: fix u8 overflow in cfg80211_update_notlisted_nontrans()
      ====================
      
      Link: https://lore.kernel.org/r/20221013100522.46346-1-johannes@sipsolutions.net
      Signed-off-by: Paolo Abeni <pabeni@redhat.com>
      ac85bc71
    • Merge branch 'cve-fixes-2022-10-13' · e7ad651c
      Johannes Berg authored
      Pull in the fixes for various scan parsing bugs found by
      Sönke Huster by fuzzing.
      e7ad651c