PD#153240: add disp pts in vf for some unstable pts
Change-Id: I1d4cfd04c94feafac109bd69be3bd422aca3d8bf
Signed-off-by: shihong.zheng <shihong.zheng@amlogic.com>
PD#151104: mm: add pagetrace function
1. implement pagetrace as a driver; you can get information
of how many pages allocated by each function by read:
cat /proc/pagetrace
2. fix wrong statistics of free memory of each migrate type.
Change-Id: Ib2dff4bb5b3dd288ee188007352fc7b353eda100
Signed-off-by: tao zeng <tao.zeng@amlogic.com>
PD#152453: add ioctl for OMX to get current video layer1 on/off state
for DRM TVP resource release.
Change-Id: I8a45869f63259500cbe8be7bc146793e6d7eb266
Signed-off-by: Rongrong Zhou <rongrong.zhou@amlogic.com>
PD#152591: USB: get RESET_REGISTER address from dts.
Before we get this address by offset of cbus.
From txlx,this address is not the same because memory map modifty.
Now usb module get this address from dts.
Change-Id: I2ed7d3a19f52c80edab33dec2569ed3ccd375438
Signed-off-by: Qi Duan <qi.duan@amlogic.com>
PD#150482: unifykey: check secure storage valid before SMC call ATF.
same as PD#150483.
ATF use CONFIG to enable/disable secure storage.
If ATF disable secure storage, secure storage code will be
compiled out. Kernel should check if secure stroage exists before
SMC call ATF.
Change-Id: Ifd5e3c42a181bb814dcedad13bebb4596ae95e27
Signed-off-by: Yan Wang <yan.wang@amlogic.com>
Changes in 4.9.54
drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define
drm: bridge: add DT bindings for TI ths8135
GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next
drm/i915: Fix the overlay frontbuffer tracking
ARM: dts: exynos: Add CPU OPPs for Exynos4412 Prime
clk: sunxi-ng: fix PLL_CPUX adjusting on H3
RDS: RDMA: Fix the composite message user notification
ARM: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes
MIPS: Ensure bss section ends on a long-aligned address
MIPS: ralink: Fix a typo in the pinmux setup.
MIPS: ralink: Fix incorrect assignment on ralink_soc
power: supply: axp288_fuel_gauge: Fix fuel_gauge_reg_readb return on error
scsi: be2iscsi: Add checks to validate CID alloc/free
ARM: dts: am335x-chilisom: Wakeup from RTC-only state by power on event
igb: re-assign hw address pointer on reset after PCI error
extcon: axp288: Use vbus-valid instead of -present to determine cable presence
reset: ti_syscon: fix a ti_syscon_reset_status issue
sh_eth: use correct name for ECMR_MPDE bit
clk/axs10x: Clear init field in driver probe
usb: make the MTK XHCI driver compile for older MIPS SoCs
hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes
iio: adc: imx25-gcq: Fix module autoload
iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications
iio: adc: hx711: Add DT binding for avia,hx711
IB/rxe: Add a runtime check in alloc_index()
IB/rxe: Fix a MR reference leak in check_rkey()
ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM
drm/i915/psr: disable psr2 for resolution greater than 32X20
serial: 8250: moxa: Store num_ports in brd
tty: goldfish: Fix a parameter of a call to free_irq
serial: 8250_port: Remove dangerous pr_debug()
IB/ipoib: Fix deadlock over vlan_mutex
IB/ipoib: rtnl_unlock can not come after free_netdev
IB/ipoib: Replace list_del of the neigh->list with list_del_init
arm: dts: mt2701: Add subsystem clock controller device nodes
drm/amdkfd: fix improper return value on error
USB: serial: mos7720: fix control-message error handling
USB: serial: mos7840: fix control-message error handling
sfc: get PIO buffer size from the NIC
partitions/efi: Fix integer overflow in GPT size calculation
ASoC: dapm: handle probe deferrals
audit: log 32-bit socketcalls
ath10k: prevent sta pointer rcu violation
spi: pxa2xx: Add support for Intel Gemini Lake
iommu/arm-smmu: Set privileged attribute to 'default' instead of 'unprivileged'
usb: chipidea: vbus event may exist before starting gadget
rtl8xxxu: Add additional USB IDs for rtl8192eu devices
ASoC: dapm: fix some pointer error handling
drm: mali-dp: Fix destination size handling when rotating
drm: mali-dp: Fix transposed horizontal/vertical flip
HID: wacom: release the resources before leaving despite devm
MIPS: Lantiq: Fix another request_mem_region() return code check
mips: ath79: clock:- Unmap region obtained by of_iomap
lkdtm: Fix Oops when unloading the module
net: core: Prevent from dereferencing null pointer when releasing SKB
net/packet: check length in getsockopt() called with PACKET_HDRLEN
team: fix memory leaks
usb: plusb: Add support for PL-27A1
udp: disable inner UDP checksum offloads in IPsec case
net: dsa: b53: Include IMP/CPU port in dumb forwarding mode
qed: Fix possible system hang in the dcbnl-getdcbx() path.
mmc: sdio: fix alignment issue in struct sdio_func
bridge: netlink: register netdevice before executing changelink
Btrfs: fix segmentation fault when doing dio read
Btrfs: fix potential use-after-free for cloned bio
sata_via: Enable hotplug only on VT6421
hugetlbfs: initialize shared policy as part of inode allocation
kasan: do not sanitize kexec purgatory
drivers/rapidio/devices/tsi721.c: make module parameter variable name unique
netfilter: invoke synchronize_rcu after set the _hook_ to NULL
MIPS: IRQ Stack: Unwind IRQ stack onto task stack
iommu/exynos: Block SYSMMU while invalidating FLPD cache
exynos-gsc: Do not swap cb/cr for semi planar formats
MIPS: smp-cps: Fix retrieval of VPE mask on big endian CPUs
nvme-rdma: handle cpu unplug when re-establishing the controller
netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
parisc: perf: Fix potential NULL pointer dereference
nfs: make nfs4_cb_sv_ops static
ibmvnic: Free tx/rx scrq pointer array when releasing sub-crqs
cpufreq: intel_pstate: Update pid_params.sample_rate_ns in pid_param_set()
x86/acpi: Restore the order of CPU IDs
iommu/io-pgtable-arm: Check for leaf entry before dereferencing it
mm/cgroup: avoid panic when init with low memory
rds: ib: add error handle
md/raid10: submit bio directly to replacement disk
netfilter: nf_tables: set pktinfo->thoff at AH header if found
i2c: meson: fix wrong variable usage in meson_i2c_put_data
xfs: remove kmem_zalloc_greedy
ASoC: wm_adsp: Return an error on write to a disabled volatile control
libata: transport: Remove circular dependency at free time
ARM: dts: BCM5301X: Fix memory start address
tools/power turbostat: bugfix: GFXMHz column not changing
IB/qib: fix false-postive maybe-uninitialized warning
ARM: remove duplicate 'const' annotations'
ASoC: rt5514: fix gcc-7 warning
ASoC: rt5659: drop double const
ASoC: rt5660: remove double const
ALSA: au88x0: avoid theoretical uninitialized access
ttpci: address stringop overflow warning
s390/mm: make pmdp_invalidate() do invalidation only
Linux 4.9.54
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 5ef1ecf060 ]
Certain 64-bit systems (e.g. Amlogic Meson GX) require buffers to be
used for DMA to be 8-byte-aligned. struct sdio_func has an embedded
small DMA buffer not meeting this requirement.
When testing switching to descriptor chain mode in meson-gx driver
SDIO is broken therefore. Fix this by allocating the small DMA buffer
separately as kmalloc ensures that the returned memory area is
properly aligned for every basic data type.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Tested-by: Helmut Klein <hgkr.klein@gmail.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Preempt and irq trace events can be used for tracing the start and
end of an atomic section which can be used by a trace viewer like
systrace to graphically view the start and end of an atomic section and
correlate them with latencies and scheduling issues.
This also serves as a prelude to using synthetic events or probes to
rewrite the preempt and irqsoff tracers, along with numerous benefits of
using trace events features for these events.
Change-Id: I4f992714c0161a415b17a03aa14cce823d8ca3bb
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Peter Zilstra <peterz@infradead.org>
Cc: kernel-team@android.com
Link: https://patchwork.kernel.org/patch/9988157/
Signed-off-by: Joel Fernandes <joelaf@google.com>
Changes in 4.9.53
cifs: release cifs root_cred after exit_cifs
cifs: release auth_key.response for reconnect.
fs/proc: Report eip/esp in /prod/PID/stat for coredumping
mac80211: fix VLAN handling with TXQs
mac80211_hwsim: Use proper TX power
mac80211: flush hw_roc_start work before cancelling the ROC
genirq: Make sparse_irq_lock protect what it should protect
KVM: PPC: Book3S: Fix race and leak in kvm_vm_ioctl_create_spapr_tce()
KVM: PPC: Book3S HV: Protect updates to spapr_tce_tables list
tracing: Fix trace_pipe behavior for instance traces
tracing: Erase irqsoff trace with empty write
md/raid5: fix a race condition in stripe batch
md/raid5: preserve STRIPE_ON_UNPLUG_LIST in break_stripe_batch_list
scsi: scsi_transport_iscsi: fix the issue that iscsi_if_rx doesn't parse nlmsg properly
drm/radeon: disable hard reset in hibernate for APUs
crypto: drbg - fix freeing of resources
crypto: talitos - Don't provide setkey for non hmac hashing algs.
crypto: talitos - fix sha224
crypto: talitos - fix hashing
security/keys: properly zero out sensitive key material in big_key
security/keys: rewrite all of big_key crypto
KEYS: fix writing past end of user-supplied buffer in keyring_read()
KEYS: prevent creating a different user's keyrings
KEYS: prevent KEYCTL_READ on negative key
powerpc/pseries: Fix parent_dn reference leak in add_dt_node()
powerpc/tm: Flush TM only if CPU has TM feature
powerpc/ftrace: Pass the correct stack pointer for DYNAMIC_FTRACE_WITH_REGS
s390/mm: fix write access check in gup_huge_pmd()
PM: core: Fix device_pm_check_callbacks()
Fix SMB3.1.1 guest authentication to Samba
SMB3: Warn user if trying to sign connection that authenticated as guest
SMB: Validate negotiate (to protect against downgrade) even if signing off
SMB3: Don't ignore O_SYNC/O_DSYNC and O_DIRECT flags
vfs: Return -ENXIO for negative SEEK_HOLE / SEEK_DATA offsets
nl80211: check for the required netlink attributes presence
bsg-lib: don't free job in bsg_prepare_job
iw_cxgb4: remove the stid on listen create failure
iw_cxgb4: put ep reference in pass_accept_req()
selftests/seccomp: Support glibc 2.26 siginfo_t.h
seccomp: fix the usage of get/put_seccomp_filter() in seccomp_get_filter()
arm64: Make sure SPsel is always set
arm64: fault: Route pte translation faults via do_translation_fault
KVM: VMX: extract __pi_post_block
KVM: VMX: avoid double list add with VT-d posted interrupts
KVM: VMX: simplify and fix vmx_vcpu_pi_load
kvm/x86: Handle async PF in RCU read-side critical sections
KVM: VMX: Do not BUG() on out-of-bounds guest IRQ
kvm: nVMX: Don't allow L2 to access the hardware CR8
xfs: validate bdev support for DAX inode flag
etnaviv: fix gem object list corruption
PCI: Fix race condition with driver_override
btrfs: fix NULL pointer dereference from free_reloc_roots()
btrfs: propagate error to btrfs_cmp_data_prepare caller
btrfs: prevent to set invalid default subvolid
x86/mm: Fix fault error path using unsafe vma pointer
x86/fpu: Don't let userspace set bogus xcomp_bv
gfs2: Fix debugfs glocks dump
timer/sysclt: Restrict timer migration sysctl values to 0 and 1
KVM: VMX: do not change SN bit in vmx_update_pi_irte()
KVM: VMX: remove WARN_ON_ONCE in kvm_vcpu_trigger_posted_interrupt
cxl: Fix driver use count
KVM: VMX: use cmpxchg64
video: fbdev: aty: do not leak uninitialized padding in clk to userspace
swiotlb-xen: implement xen_swiotlb_dma_mmap callback
Linux 4.9.53
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 237bbd29f7 upstream.
It was possible for an unprivileged user to create the user and user
session keyrings for another user. For example:
sudo -u '#3000' sh -c 'keyctl add keyring _uid.4000 "" @u
keyctl add keyring _uid_ses.4000 "" @u
sleep 15' &
sleep 1
sudo -u '#4000' keyctl describe @u
sudo -u '#4000' keyctl describe @us
This is problematic because these "fake" keyrings won't have the right
permissions. In particular, the user who created them first will own
them and will have full access to them via the possessor permissions,
which can be used to compromise the security of a user's keys:
-4: alswrv-----v------------ 3000 0 keyring: _uid.4000
-5: alswrv-----v------------ 3000 0 keyring: _uid_ses.4000
Fix it by marking user and user session keyrings with a flag
KEY_FLAG_UID_KEYRING. Then, when searching for a user or user session
keyring by name, skip all keyrings that don't have the flag set.
Fixes: 69664cf16a ("keys: don't generate user and user session keyrings unless they're accessed")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Changes in 4.9.52
SUNRPC: Refactor svc_set_num_threads()
NFSv4: Fix callback server shutdown
mm: prevent double decrease of nr_reserved_highatomic
orangefs: Don't clear SGID when inheriting ACLs
IB/{qib, hfi1}: Avoid flow control testing for RDMA write operation
drm/sun4i: Implement drm_driver lastclose to restore fbdev console
IB/addr: Fix setting source address in addr6_resolve()
tty: improve tty_insert_flip_char() fast path
tty: improve tty_insert_flip_char() slow path
tty: fix __tty_insert_flip_char regression
pinctrl/amd: save pin registers over suspend/resume
Input: i8042 - add Gigabyte P57 to the keyboard reset table
MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix quiet NaN propagation
MIPS: math-emu: <MAX|MAXA|MIN|MINA>.<D|S>: Fix cases of both inputs zero
MIPS: math-emu: <MAX|MIN>.<D|S>: Fix cases of both inputs negative
MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of input values with opposite signs
MIPS: math-emu: <MAXA|MINA>.<D|S>: Fix cases of both infinite inputs
MIPS: math-emu: MINA.<D|S>: Fix some cases of infinity and zero inputs
MIPS: math-emu: Handle zero accumulator case in MADDF and MSUBF separately
MIPS: math-emu: <MADDF|MSUBF>.<D|S>: Fix NaN propagation
MIPS: math-emu: <MADDF|MSUBF>.<D|S>: Fix some cases of infinite inputs
MIPS: math-emu: <MADDF|MSUBF>.<D|S>: Fix some cases of zero inputs
MIPS: math-emu: <MADDF|MSUBF>.<D|S>: Clean up "maddf_flags" enumeration
MIPS: math-emu: <MADDF|MSUBF>.S: Fix accuracy (32-bit case)
MIPS: math-emu: <MADDF|MSUBF>.D: Fix accuracy (64-bit case)
crypto: ccp - Fix XTS-AES-128 support on v5 CCPs
crypto: AF_ALG - remove SGL terminator indicator when chaining
ext4: fix incorrect quotaoff if the quota feature is enabled
ext4: fix quota inconsistency during orphan cleanup for read-only mounts
powerpc: Fix DAR reporting when alignment handler faults
block: Relax a check in blk_start_queue()
md/bitmap: disable bitmap_resize for file-backed bitmaps.
skd: Avoid that module unloading triggers a use-after-free
skd: Submit requests to firmware before triggering the doorbell
scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path
scsi: zfcp: fix capping of unsuccessful GPN_FT SAN response trace records
scsi: zfcp: fix passing fsf_req to SCSI trace on TMF to correlate with HBA
scsi: zfcp: fix missing trace records for early returns in TMF eh handlers
scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response
scsi: zfcp: trace high part of "new" 64 bit SCSI LUN
scsi: megaraid_sas: set minimum value of resetwaittime to be 1 secs
scsi: megaraid_sas: Check valid aen class range to avoid kernel panic
scsi: megaraid_sas: Return pended IOCTLs with cmd_status MFI_STAT_WRONG_STATE in case adapter is dead
scsi: storvsc: fix memory leak on ring buffer busy
scsi: sg: remove 'save_scat_len'
scsi: sg: use standard lists for sg_requests
scsi: sg: off by one in sg_ioctl()
scsi: sg: factor out sg_fill_request_table()
scsi: sg: fixup infoleak when using SG_GET_REQUEST_TABLE
scsi: qla2xxx: Correction to vha->vref_count timeout
scsi: qla2xxx: Fix an integer overflow in sysfs code
ftrace: Fix selftest goto location on error
ftrace: Fix memleak when unregistering dynamic ops when tracing disabled
tracing: Add barrier to trace_printk() buffer nesting modification
tracing: Apply trace_clock changes to instance max buffer
ARC: Re-enable MMU upon Machine Check exception
PCI: shpchp: Enable bridge bus mastering if MSI is enabled
PCI: pciehp: Report power fault only once until we clear it
net/netfilter/nf_conntrack_core: Fix net_conntrack_lock()
s390/mm: fix local TLB flushing vs. detach of an mm address space
s390/mm: fix race on mm->context.flush_mm
media: v4l2-compat-ioctl32: Fix timespec conversion
media: uvcvideo: Prevent heap overflow when accessing mapped controls
PM / devfreq: Fix memory leak when fail to register device
bcache: initialize dirty stripes in flash_dev_run()
bcache: Fix leak of bdev reference
bcache: do not subtract sectors_to_gc for bypassed IO
bcache: correct cache_dirty_target in __update_writeback_rate()
bcache: Correct return value for sysfs attach errors
bcache: fix for gc and write-back race
bcache: fix bch_hprint crash and improve output
Linux 4.9.52
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit e652399edb upstream.
Version 5 CCPs have some new requirements for XTS-AES: the type field
must be specified, and the key requires 512 bits, with each part
occupying 256 bits and padded with zeroes.
Signed-off-by: Gary R Hook <ghook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 979990c628 upstream.
kernelci.org reports a crazy stack usage for the VT code when CONFIG_KASAN
is enabled:
drivers/tty/vt/keyboard.c: In function 'kbd_keycode':
drivers/tty/vt/keyboard.c:1452:1: error: the frame size of 2240 bytes is larger than 2048 bytes [-Werror=frame-larger-than=]
The problem is that tty_insert_flip_char() gets inlined many times into
kbd_keycode(), and also into other functions, and each copy requires 128
bytes for stack redzone to check for a possible out-of-bounds access on
the 'ch' and 'flags' arguments that are passed into
tty_insert_flip_string_flags as a variable-length string.
This introduces a new __tty_insert_flip_char() function for the slow
path, which receives the two arguments by value. This completely avoids
the problem and the stack usage goes back down to around 100 bytes.
Without KASAN, this is also slightly better, as we don't have to
spill the arguments to the stack but can simply pass 'ch' and 'flag'
in registers, saving a few bytes in .text for each call site.
This should be backported to linux-4.0 or later, which first introduced
the stack sanitizer in the kernel.
Fixes: c420f167db ("kasan: enable stack instrumentation")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#148982: add freeze op to distinguish freeze mode vs mem mode
Signed-off-by: Qiufang Dai <qiufang.dai@amlogic.com>
Change-Id: I3bec4d687a933603a29aeb7a44422aa81e47cea7
Changes in 4.9.51
ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
ipv6: add rcu grace period before freeing fib6_node
ipv6: fix sparse warning on rt6i_node
macsec: add genl family module alias
udp: on peeking bad csum, drop packets even if not at head
fsl/man: Inherit parent device and of_node
sctp: Avoid out-of-bounds reads from address storage
qlge: avoid memcpy buffer overflow
netvsc: fix deadlock betwen link status and removal
cxgb4: Fix stack out-of-bounds read due to wrong size to t4_record_mbox()
packet: Don't write vnet header beyond end of buffer
kcm: do not attach PF_KCM sockets to avoid deadlock
Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()"
tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
mlxsw: spectrum: Forbid linking to devices that have uppers
bridge: switchdev: Clear forward mark when transmitting packet
Revert "net: use lib/percpu_counter API for fragmentation mem accounting"
Revert "net: fix percpu memory leaks"
gianfar: Fix Tx flow control deactivation
vhost_net: correctly check tx avail during rx busy polling
ip6_gre: update mtu properly in ip6gre_err
ipv6: fix memory leak with multiple tables during netns destruction
ipv6: fix typo in fib6_net_exit()
sctp: fix missing wake ups in some situations
ip_tunnel: fix setting ttl and tos value in collect_md mode
f2fs: let fill_super handle roll-forward errors
f2fs: check hot_data for roll-forward recovery
x86/fsgsbase/64: Fully initialize FS and GS state in start_thread_common
x86/fsgsbase/64: Report FSBASE and GSBASE correctly in core dumps
x86/switch_to/64: Rewrite FS/GS switching yet again to fix AMD CPUs
xfs: Move handling of missing page into one place in xfs_find_get_desired_pgoff()
xfs: fix spurious spin_is_locked() assert failures on non-smp kernels
xfs: push buffer of flush locked dquot to avoid quotacheck deadlock
xfs: try to avoid blowing out the transaction reservation when bunmaping a shared extent
xfs: release bli from transaction properly on fs shutdown
xfs: remove bli from AIL before release on transaction abort
xfs: don't allow bmap on rt files
xfs: free uncommitted transactions during log recovery
xfs: free cowblocks and retry on buffered write ENOSPC
xfs: don't crash on unexpected holes in dir/attr btrees
xfs: check _btree_check_block value
xfs: set firstfsb to NULLFSBLOCK before feeding it to _bmapi_write
xfs: check _alloc_read_agf buffer pointer before using
xfs: fix quotacheck dquot id overflow infinite loop
xfs: fix multi-AG deadlock in xfs_bunmapi
xfs: Fix per-inode DAX flag inheritance
xfs: fix inobt inode allocation search optimization
xfs: clear MS_ACTIVE after finishing log recovery
xfs: don't leak quotacheck dquots when cow recovery
iomap: fix integer truncation issues in the zeroing and dirtying helpers
xfs: write unmount record for ro mounts
xfs: toggle readonly state around xfs_log_mount_finish
xfs: remove xfs_trans_ail_delete_bulk
xfs: Add infrastructure needed for error propagation during buffer IO failure
xfs: Properly retry failed inode items in case of error during buffer writeback
xfs: fix recovery failure when log record header wraps log end
xfs: always verify the log tail during recovery
xfs: fix log recovery corruption error due to tail overwrite
xfs: handle -EFSCORRUPTED during head/tail verification
xfs: add log recovery tracepoint for head/tail
xfs: stop searching for free slots in an inode chunk when there are none
xfs: evict all inodes involved with log redo item
xfs: check for race with xfs_reclaim_inode() in xfs_ifree_cluster()
xfs: open-code xfs_buf_item_dirty()
xfs: remove unnecessary dirty bli format check for ordered bufs
xfs: ordered buffer log items are never formatted
xfs: refactor buffer logging into buffer dirtying helper
xfs: don't log dirty ranges for ordered buffers
xfs: skip bmbt block ino validation during owner change
xfs: move bmbt owner change to last step of extent swap
xfs: disallow marking previously dirty buffers as ordered
xfs: relog dirty buffers during swapext bmbt owner change
xfs: disable per-inode DAX flag
xfs: fix incorrect log_flushed on fsync
xfs: don't set v3 xflags for v2 inodes
xfs: open code end_buffer_async_write in xfs_finish_page_writeback
xfs: use kmem_free to free return value of kmem_zalloc
md/raid5: release/flush io in raid5_do_work()
xfs: fix compiler warnings
ipv6: Fix may be used uninitialized warning in rt6_check
Linux 4.9.51
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 799ea9e9c5 upstream.
When we introduced the bmap redo log items, we set MS_ACTIVE on the
mountpoint and XFS_IRECOVERY on the inode to prevent unlinked inodes
from being truncated prematurely during log recovery. This also had the
effect of putting linked inodes on the lru instead of evicting them.
Unfortunately, we neglected to find all those unreferenced lru inodes
and evict them after finishing log recovery, which means that we leak
them if anything goes wrong in the rest of xfs_mountfs, because the lru
is only cleaned out on unmount.
Therefore, evict unreferenced inodes in the lru list immediately
after clearing MS_ACTIVE.
Fixes: 17c12bcd30 ("xfs: when replaying bmap operations, don't let unlinked inodes get reaped")
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Cc: viro@ZenIV.linux.org.uk
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 25cc72a338 ]
The mlxsw driver relies on NETDEV_CHANGEUPPER events to configure the
device in case a port is enslaved to a master netdev such as bridge or
bond.
Since the driver ignores events unrelated to its ports and their
uppers, it's possible to engineer situations in which the device's data
path differs from the kernel's.
One example to such a situation is when a port is enslaved to a bond
that is already enslaved to a bridge. When the bond was enslaved the
driver ignored the event - as the bond wasn't one of its uppers - and
therefore a bridge port instance isn't created in the device.
Until such configurations are supported forbid them by checking that the
upper device doesn't have uppers of its own.
Fixes: 0d65fc1304 ("mlxsw: spectrum: Implement LAG port join/leave")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Nogah Frankel <nogahf@mellanox.com>
Tested-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#150981: synchronous lcd driver linux3.14 to linux4.9
1.add bl_level bootargs parameter
2.repair unifykey bl_level error
3.update the mechanism of 50/60hz switch
4.add pwm & enable sequence reverse support
5.add vbyone special control adjust support
Change-Id: I63136af6b96d793691eed23c064e7515e1d50aff
Signed-off-by: Weiming Liu <weiming.liu@amlogic.com>
PD#150739: merged code from c502feca7 on the amlogic-3.14-dev
1.codec_mm: fixed tvp first wait long time bug
2.pcrmaster: fix some avsync issue in pcrmaster mode
3.vfm: fix vf provider crash issue
Change-Id: I64202a38a3ed0c50ba665fb477caea26c67ddcb0
Signed-off-by: Nanxin Qin <nanxin.qin@amlogic.com>
Changes in 4.9.49
usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard
USB: serial: option: add support for D-Link DWM-157 C1
usb: Add device quirk for Logitech HD Pro Webcam C920-C
usb:xhci:Fix regression when ATI chipsets detected
USB: musb: fix external abort on suspend
USB: core: Avoid race of async_completed() w/ usbdev_release()
staging/rts5208: fix incorrect shift to extract upper nybble
iio: adc: ti-ads1015: fix incorrect data rate setting update
iio: adc: ti-ads1015: fix scale information for ADS1115
iio: adc: ti-ads1015: enable conversion when CONFIG_PM is not set
iio: adc: ti-ads1015: avoid getting stale result after runtime resume
iio: adc: ti-ads1015: don't return invalid value from buffer setup callbacks
iio: adc: ti-ads1015: add adequate wait time to get correct conversion
driver core: bus: Fix a potential double free
intel_th: pci: Add Cannon Lake PCH-H support
intel_th: pci: Add Cannon Lake PCH-LP support
ath10k: fix memory leak in rx ring buffer allocation
Input: trackpoint - assume 3 buttons when buttons detection fails
rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter
Bluetooth: Add support of 13d3:3494 RTL8723BE device
iwlwifi: pci: add new PCI ID for 7265D
dlm: avoid double-free on error path in dlm_device_{register,unregister}
mwifiex: correct channel stat buffer overflows
MCB: add support for SC31 to mcb-lpc
s390/mm: avoid empty zero pages for KVM guests to avoid postcopy hangs
drm/nouveau/pci/msi: disable MSI on big-endian platforms by default
workqueue: Fix flag collision
cs5536: add support for IDE controller variant
scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE
scsi: sg: recheck MMAP_IO request length with lock held
drm/bridge: adv7511: Use work_struct to defer hotplug handing to out of irq context
drm/bridge: adv7511: Switch to using drm_kms_helper_hotplug_event()
Linux 4.9.49
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 591b6bb605 upstream.
Several legacy devices such as Geode-based Cisco ASA appliances
and DB800 development board do possess CS5536 IDE controller
with different PCI id than existing one. Using pata_generic is
not always feasible as at least DB800 requires MSR quirk from
pata_cs5536 to be used with vendor firmware.
Signed-off-by: Andrey Korolyov <andrey@xdel.ru>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit fbf1c41fc0 upstream.
Commit 0a94efb5ac ("workqueue: implicit ordered attribute should be
overridable") introduced a __WQ_ORDERED_EXPLICIT flag but gave it the
same value as __WQ_LEGACY. I don't believe these were intended to
mean the same thing, so renumber __WQ_ORDERED_EXPLICIT.
Fixes: 0a94efb5ac ("workqueue: implicit ordered attribute should be ...")
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
PD#150194: modify suspend & resume fail.
1. fixed alloc blk_test memory on probe,
pre-allocated memory allows suspend/resume
without dynamic allocation.
2. do not flush cache while resume.
Change-Id: If4a310da82f053359f89599fd187ad51a24f16ba
Signed-off-by: Nan Li <nan.li@amlogic.com>
PD#150194: mm: update cma policy and debug sysfs
1. For movable memory, using CMA first, this can help to avoid
low memory issue and driver can't allocate pages issue;
2. change /proc/slabinfo sysfs with total size print of each slab;
3. change /proc/pagetypeinfo with toatal pages of each migrate type;
4. add statistics for free pages of each migrate type, and show in
echo m > /proc/sysrq-trigger.
Change-Id: I2fdab73c2d1278cd025185362a1159e4f683166b
Signed-off-by: Tao Zeng <tao.zeng@amlogic.com>
PD#145456: Support RPMB shared secret provisioning [2/2]
[Problem]
RPMB requires a shared secret between host (AP) and device (eMMC flash)
in order to perform HMAC authentication.
[Solution]
This commit provides a special reboot mode, reboot rpmbp, to securely
provision the shared secret into eMMC flash device.
[Test]
Tested on GXL reference board P212. Passed.
Change-Id: I81dd482215d0f0232fe10efbc60b6af4ba2d9641
Signed-off-by: Peifu Jiang <peifu.jiang@amlogic.com>
Changes in 4.9.46
sparc64: remove unnecessary log message
af_key: do not use GFP_KERNEL in atomic contexts
dccp: purge write queue in dccp_destroy_sock()
dccp: defer ccid_hc_tx_delete() at dismantle time
ipv4: fix NULL dereference in free_fib_info_rcu()
net_sched/sfq: update hierarchical backlog when drop packet
net_sched: remove warning from qdisc_hash_add
bpf: fix bpf_trace_printk on 32 bit archs
openvswitch: fix skb_panic due to the incorrect actions attrlen
ptr_ring: use kmalloc_array()
ipv4: better IP_MAX_MTU enforcement
nfp: fix infinite loop on umapping cleanup
sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
tipc: fix use-after-free
ipv6: reset fn->rr_ptr when replacing route
ipv6: repair fib6 tree in failure case
tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
net/mlx4_core: Enable 4K UAR if SRIOV module parameter is not enabled
irda: do not leak initialized list.dev to userspace
net: sched: fix NULL pointer dereference when action calls some targets
net_sched: fix order of queue length updates in qdisc_replace()
bpf, verifier: add additional patterns to evaluate_reg_imm_alu
bpf: adjust verifier heuristics
bpf, verifier: fix alu ops against map_value{, _adj} register types
bpf: fix mixed signed/unsigned derived min/max value bounds
bpf/verifier: fix min/max handling in BPF_SUB
Input: trackpoint - add new trackpoint firmware ID
Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
Input: ALPS - fix two-finger scroll breakage in right side on ALPS touchpad
KVM: s390: sthyi: fix sthyi inline assembly
KVM: s390: sthyi: fix specification exception detection
KVM: x86: block guest protection keys unless the host has them enabled
ALSA: usb-audio: Add delay quirk for H650e/Jabra 550a USB headsets
ALSA: core: Fix unexpected error at replacing user TLV
ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
ALSA: firewire: fix NULL pointer dereference when releasing uninitialized data of iso-resource
ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses
mm, shmem: fix handling /sys/kernel/mm/transparent_hugepage/shmem_enabled
i2c: designware: Fix system suspend
mm/madvise.c: fix freeing of locked page with MADV_FREE
fork: fix incorrect fput of ->exe_file causing use-after-free
mm/memblock.c: reversed logic in memblock_discard()
drm: Release driver tracking before making the object available again
drm/atomic: If the atomic check fails, return its value first
drm: rcar-du: Fix crash in encoder failure error path
drm: rcar-du: Fix display timing controller parameter
drm: rcar-du: Fix H/V sync signal polarity configuration
tracing: Call clear_boot_tracer() at lateinit_sync
tracing: Fix kmemleak in tracing_map_array_free()
tracing: Fix freeing of filter in create_filter() when set_str is false
kbuild: linker script do not match C names unless LD_DEAD_CODE_DATA_ELIMINATION is configured
cifs: Fix df output for users with quota limits
cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
nfsd: Limit end of page list when decoding NFSv4 WRITE
ftrace: Check for null ret_stack on profile function graph entry function
perf/core: Fix group {cpu,task} validation
perf probe: Fix --funcs to show correct symbols for offline module
perf/x86/intel/rapl: Make package handling more robust
timers: Fix excessive granularity of new timers after a nohz idle
x86/mm: Fix use-after-free of ldt_struct
net: sunrpc: svcsock: fix NULL-pointer exception
Revert "leds: handle suspend/resume in heartbeat trigger"
netfilter: nat: fix src map lookup
Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
Bluetooth: cmtp: fix possible might sleep error in cmtp_session
Bluetooth: bnep: fix possible might sleep error in bnep_session
Revert "android: binder: Sanity check at binder ioctl"
binder: use group leader instead of open thread
binder: Use wake up hint for synchronous transactions.
ANDROID: binder: fix proc->tsk check.
iio: imu: adis16480: Fix acceleration scale factor for adis16480
iio: hid-sensor-trigger: Fix the race with user space powering up sensors
staging: rtl8188eu: add RNX-N150NUB support
Clarify (and fix) MAX_LFS_FILESIZE macros
ntb_transport: fix qp count bug
ntb_transport: fix bug calculating num_qps_mw
NTB: ntb_test: fix bug printing ntb_perf results
ntb: no sleep in ntb_async_tx_submit
ntb: ntb_test: ensure the link is up before trying to configure the mws
ntb: transport shouldn't disable link due to bogus values in SPADs
ACPI: ioapic: Clear on-stack resource before using it
ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
ACPI: EC: Fix regression related to wrong ECDT initialization order
powerpc/mm: Ensure cpumask update is ordered
Linux 4.9.46
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 0cc3b0ec23 upstream.
We have a MAX_LFS_FILESIZE macro that is meant to be filled in by
filesystems (and other IO targets) that know they are 64-bit clean and
don't have any 32-bit limits in their IO path.
It turns out that our 32-bit value for that limit was bogus. On 32-bit,
the VM layer is limited by the page cache to only 32-bit index values,
but our logic for that was confusing and actually wrong. We used to
define that value to
(((loff_t)PAGE_SIZE << (BITS_PER_LONG-1))-1)
which is actually odd in several ways: it limits the index to 31 bits,
and then it limits files so that they can't have data in that last byte
of a page that has the highest 31-bit index (ie page index 0x7fffffff).
Neither of those limitations make sense. The index is actually the full
32 bit unsigned value, and we can use that whole full page. So the
maximum size of the file would logically be "PAGE_SIZE << BITS_PER_LONG".
However, we do wan tto avoid the maximum index, because we have code
that iterates over the page indexes, and we don't want that code to
overflow. So the maximum size of a file on a 32-bit host should
actually be one page less than the full 32-bit index.
So the actual limit is ULONG_MAX << PAGE_SHIFT. That means that we will
not actually be using the page of that last index (ULONG_MAX), but we
can grow a file up to that limit.
The wrong value of MAX_LFS_FILESIZE actually caused problems for Doug
Nazar, who was still using a 32-bit host, but with a 9.7TB 2 x RAID5
volume. It turns out that our old MAX_LFS_FILESIZE was 8TiB (well, one
byte less), but the actual true VM limit is one page less than 16TiB.
This was invisible until commit c2a9737f45 ("vfs,mm: fix a dead loop
in truncate_inode_pages_range()"), which started applying that
MAX_LFS_FILESIZE limit to block devices too.
NOTE! On 64-bit, the page index isn't a limiter at all, and the limit is
actually just the offset type itself (loff_t), which is signed. But for
clarity, on 64-bit, just use the maximum signed value, and don't make
people have to count the number of 'f' characters in the hex constant.
So just use LLONG_MAX for the 64-bit case. That was what the value had
been before too, just written out as a hex constant.
Fixes: c2a9737f45 ("vfs,mm: fix a dead loop in truncate_inode_pages_range()")
Reported-and-tested-by: Doug Nazar <nazard@nazar.ca>
Cc: Andreas Dilger <adilger@dilger.ca>
Cc: Mark Fasheh <mfasheh@versity.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Dave Kleikamp <shaggy@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dd86e373e0 upstream.
The package management code in RAPL relies on package mapping being
available before a CPU is started. This changed with:
9d85eb9119 ("x86/smpboot: Make logical package management more robust")
because the ACPI/BIOS information turned out to be unreliable, but that
left RAPL in broken state. This was not noticed because on a regular boot
all CPUs are online before RAPL is initialized.
A possible fix would be to reintroduce the mess which allocates a package
data structure in CPU prepare and when it turns out to already exist in
starting throw it away later in the CPU online callback. But that's a
horrible hack and not required at all because RAPL becomes functional for
perf only in the CPU online callback. That's correct because user space is
not yet informed about the CPU being onlined, so nothing caan rely on RAPL
being available on that particular CPU.
Move the allocation to the CPU online callback and simplify the hotplug
handling. At this point the package mapping is established and correct.
This also adds a missing check for available package data in the
event_init() function.
Reported-by: Yasuaki Ishimatsu <yasu.isimatu@gmail.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Jiri Olsa <jolsa@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Sebastian Siewior <bigeasy@linutronix.de>
Cc: Stephane Eranian <eranian@google.com>
Cc: Vince Weaver <vincent.weaver@maine.edu>
Fixes: 9d85eb9119 ("x86/smpboot: Make logical package management more robust")
Link: http://lkml.kernel.org/r/20170131230141.212593966@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
[ jwang: backport to 4.9 fix Null pointer deref during hotplug cpu.]
Signed-off-by: Jack Wang <jinpu.wang@profitbricks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 4cabc5b186 ]
Edward reported that there's an issue in min/max value bounds
tracking when signed and unsigned compares both provide hints
on limits when having unknown variables. E.g. a program such
as the following should have been rejected:
0: (7a) *(u64 *)(r10 -8) = 0
1: (bf) r2 = r10
2: (07) r2 += -8
3: (18) r1 = 0xffff8a94cda93400
5: (85) call bpf_map_lookup_elem#1
6: (15) if r0 == 0x0 goto pc+7
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R10=fp
7: (7a) *(u64 *)(r10 -16) = -8
8: (79) r1 = *(u64 *)(r10 -16)
9: (b7) r2 = -1
10: (2d) if r1 > r2 goto pc+3
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=0
R2=imm-1,max_value=18446744073709551615,min_align=1 R10=fp
11: (65) if r1 s> 0x1 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=0,max_value=1
R2=imm-1,max_value=18446744073709551615,min_align=1 R10=fp
12: (0f) r0 += r1
13: (72) *(u8 *)(r0 +0) = 0
R0=map_value_adj(ks=8,vs=8,id=0),min_value=0,max_value=1 R1=inv,min_value=0,max_value=1
R2=imm-1,max_value=18446744073709551615,min_align=1 R10=fp
14: (b7) r0 = 0
15: (95) exit
What happens is that in the first part ...
8: (79) r1 = *(u64 *)(r10 -16)
9: (b7) r2 = -1
10: (2d) if r1 > r2 goto pc+3
... r1 carries an unsigned value, and is compared as unsigned
against a register carrying an immediate. Verifier deduces in
reg_set_min_max() that since the compare is unsigned and operation
is greater than (>), that in the fall-through/false case, r1's
minimum bound must be 0 and maximum bound must be r2. Latter is
larger than the bound and thus max value is reset back to being
'invalid' aka BPF_REGISTER_MAX_RANGE. Thus, r1 state is now
'R1=inv,min_value=0'. The subsequent test ...
11: (65) if r1 s> 0x1 goto pc+2
... is a signed compare of r1 with immediate value 1. Here,
verifier deduces in reg_set_min_max() that since the compare
is signed this time and operation is greater than (>), that
in the fall-through/false case, we can deduce that r1's maximum
bound must be 1, meaning with prior test, we result in r1 having
the following state: R1=inv,min_value=0,max_value=1. Given that
the actual value this holds is -8, the bounds are wrongly deduced.
When this is being added to r0 which holds the map_value(_adj)
type, then subsequent store access in above case will go through
check_mem_access() which invokes check_map_access_adj(), that
will then probe whether the map memory is in bounds based
on the min_value and max_value as well as access size since
the actual unknown value is min_value <= x <= max_value; commit
fce366a9dd ("bpf, verifier: fix alu ops against map_value{,
_adj} register types") provides some more explanation on the
semantics.
It's worth to note in this context that in the current code,
min_value and max_value tracking are used for two things, i)
dynamic map value access via check_map_access_adj() and since
commit 06c1c04972 ("bpf: allow helpers access to variable memory")
ii) also enforced at check_helper_mem_access() when passing a
memory address (pointer to packet, map value, stack) and length
pair to a helper and the length in this case is an unknown value
defining an access range through min_value/max_value in that
case. The min_value/max_value tracking is /not/ used in the
direct packet access case to track ranges. However, the issue
also affects case ii), for example, the following crafted program
based on the same principle must be rejected as well:
0: (b7) r2 = 0
1: (bf) r3 = r10
2: (07) r3 += -512
3: (7a) *(u64 *)(r10 -16) = -8
4: (79) r4 = *(u64 *)(r10 -16)
5: (b7) r6 = -1
6: (2d) if r4 > r6 goto pc+5
R1=ctx R2=imm0,min_value=0,max_value=0,min_align=2147483648 R3=fp-512
R4=inv,min_value=0 R6=imm-1,max_value=18446744073709551615,min_align=1 R10=fp
7: (65) if r4 s> 0x1 goto pc+4
R1=ctx R2=imm0,min_value=0,max_value=0,min_align=2147483648 R3=fp-512
R4=inv,min_value=0,max_value=1 R6=imm-1,max_value=18446744073709551615,min_align=1
R10=fp
8: (07) r4 += 1
9: (b7) r5 = 0
10: (6a) *(u16 *)(r10 -512) = 0
11: (85) call bpf_skb_load_bytes#26
12: (b7) r0 = 0
13: (95) exit
Meaning, while we initialize the max_value stack slot that the
verifier thinks we access in the [1,2] range, in reality we
pass -7 as length which is interpreted as u32 in the helper.
Thus, this issue is relevant also for the case of helper ranges.
Resetting both bounds in check_reg_overflow() in case only one
of them exceeds limits is also not enough as similar test can be
created that uses values which are within range, thus also here
learned min value in r1 is incorrect when mixed with later signed
test to create a range:
0: (7a) *(u64 *)(r10 -8) = 0
1: (bf) r2 = r10
2: (07) r2 += -8
3: (18) r1 = 0xffff880ad081fa00
5: (85) call bpf_map_lookup_elem#1
6: (15) if r0 == 0x0 goto pc+7
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R10=fp
7: (7a) *(u64 *)(r10 -16) = -8
8: (79) r1 = *(u64 *)(r10 -16)
9: (b7) r2 = 2
10: (3d) if r2 >= r1 goto pc+3
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R10=fp
11: (65) if r1 s> 0x4 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0
R1=inv,min_value=3,max_value=4 R2=imm2,min_value=2,max_value=2,min_align=2 R10=fp
12: (0f) r0 += r1
13: (72) *(u8 *)(r0 +0) = 0
R0=map_value_adj(ks=8,vs=8,id=0),min_value=3,max_value=4
R1=inv,min_value=3,max_value=4 R2=imm2,min_value=2,max_value=2,min_align=2 R10=fp
14: (b7) r0 = 0
15: (95) exit
This leaves us with two options for fixing this: i) to invalidate
all prior learned information once we switch signed context, ii)
to track min/max signed and unsigned boundaries separately as
done in [0]. (Given latter introduces major changes throughout
the whole verifier, it's rather net-next material, thus this
patch follows option i), meaning we can derive bounds either
from only signed tests or only unsigned tests.) There is still the
case of adjust_reg_min_max_vals(), where we adjust bounds on ALU
operations, meaning programs like the following where boundaries
on the reg get mixed in context later on when bounds are merged
on the dst reg must get rejected, too:
0: (7a) *(u64 *)(r10 -8) = 0
1: (bf) r2 = r10
2: (07) r2 += -8
3: (18) r1 = 0xffff89b2bf87ce00
5: (85) call bpf_map_lookup_elem#1
6: (15) if r0 == 0x0 goto pc+6
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R10=fp
7: (7a) *(u64 *)(r10 -16) = -8
8: (79) r1 = *(u64 *)(r10 -16)
9: (b7) r2 = 2
10: (3d) if r2 >= r1 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R10=fp
11: (b7) r7 = 1
12: (65) if r7 s> 0x0 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R7=imm1,max_value=0 R10=fp
13: (b7) r0 = 0
14: (95) exit
from 12 to 15: R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0
R1=inv,min_value=3 R2=imm2,min_value=2,max_value=2,min_align=2 R7=imm1,min_value=1 R10=fp
15: (0f) r7 += r1
16: (65) if r7 s> 0x4 goto pc+2
R0=map_value(ks=8,vs=8,id=0),min_value=0,max_value=0 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R7=inv,min_value=4,max_value=4 R10=fp
17: (0f) r0 += r7
18: (72) *(u8 *)(r0 +0) = 0
R0=map_value_adj(ks=8,vs=8,id=0),min_value=4,max_value=4 R1=inv,min_value=3
R2=imm2,min_value=2,max_value=2,min_align=2 R7=inv,min_value=4,max_value=4 R10=fp
19: (b7) r0 = 0
20: (95) exit
Meaning, in adjust_reg_min_max_vals() we must also reset range
values on the dst when src/dst registers have mixed signed/
unsigned derived min/max value bounds with one unbounded value
as otherwise they can be added together deducing false boundaries.
Once both boundaries are established from either ALU ops or
compare operations w/o mixing signed/unsigned insns, then they
can safely be added to other regs also having both boundaries
established. Adding regs with one unbounded side to a map value
where the bounded side has been learned w/o mixing ops is
possible, but the resulting map value won't recover from that,
meaning such op is considered invalid on the time of actual
access. Invalid bounds are set on the dst reg in case i) src reg,
or ii) in case dst reg already had them. The only way to recover
would be to perform i) ALU ops but only 'add' is allowed on map
value types or ii) comparisons, but these are disallowed on
pointers in case they span a range. This is fine as only BPF_JEQ
and BPF_JNE may be performed on PTR_TO_MAP_VALUE_OR_NULL registers
which potentially turn them into PTR_TO_MAP_VALUE type depending
on the branch, so only here min/max value cannot be invalidated
for them.
In terms of state pruning, value_from_signed is considered
as well in states_equal() when dealing with adjusted map values.
With regards to breaking existing programs, there is a small
risk, but use-cases are rather quite narrow where this could
occur and mixing compares probably unlikely.
Joint work with Josef and Edward.
[0] https://lists.iovisor.org/pipermail/iovisor-dev/2017-June/000822.html
Fixes: 484611357c ("bpf: allow access into map value arrays")
Reported-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 81fbfe8ada ]
As found by syzkaller, malicious users can set whatever tx_queue_len
on a tun device and eventually crash the kernel.
Lets remove the ALIGN(XXX, SMP_CACHE_BYTES) thing since a small
ring buffer is not fast anyway.
Fixes: 2e0ab8ca83 ("ptr_ring: array based FIFO for pointers")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Michael S. Tsirkin <mst@redhat.com>
Cc: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Changes in 4.9.45
netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister
audit: Fix use after free in audit_remove_watch_rule()
parisc: pci memory bar assignment fails with 64bit kernels on dino/cujo
crypto: ixp4xx - Fix error handling path in 'aead_perform()'
crypto: x86/sha1 - Fix reads beyond the number of blocks passed
Input: elan_i2c - add ELAN0608 to the ACPI table
Input: elan_i2c - Add antoher Lenovo ACPI ID for upcoming Lenovo NB
ALSA: seq: 2nd attempt at fixing race creating a queue
ALSA: usb-audio: Apply sample rate quirk to Sennheiser headset
ALSA: usb-audio: Add mute TLV for playback volumes on C-Media devices
mm: discard memblock data later
mm: fix double mmap_sem unlock on MMF_UNSTABLE enforced SIGBUS
mm/mempolicy: fix use after free when calling get_mempolicy
mm: revert x86_64 and arm64 ELF_ET_DYN_BASE base changes
xen: fix bio vec merging
blk-mq-pci: add a fallback when pci_irq_get_affinity returns NULL
powerpc: Fix VSX enabling/flushing to also test MSR_FP and MSR_VEC
xen-blkfront: use a right index when checking requests
x86/asm/64: Clear AC on NMI entries
irqchip/atmel-aic: Fix unbalanced of_node_put() in aic_common_irq_fixup()
irqchip/atmel-aic: Fix unbalanced refcount in aic_common_rtc_irq_fixup()
genirq: Restore trigger settings in irq_modify_status()
genirq/ipi: Fixup checks against nr_cpu_ids
Sanitize 'move_pages()' permission checks
pids: make task_tgid_nr_ns() safe
usb: optimize acpi companion search for usb port devices
usb: qmi_wwan: add D-Link DWM-222 device ID
Linux 4.9.45
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit dd1c1f2f20 upstream.
This was reported many times, and this was even mentioned in commit
52ee2dfdd4 ("pids: refactor vnr/nr_ns helpers to make them safe") but
somehow nobody bothered to fix the obvious problem: task_tgid_nr_ns() is
not safe because task->group_leader points to nowhere after the exiting
task passes exit_notify(), rcu_read_lock() can not help.
We really need to change __unhash_process() to nullify group_leader,
parent, and real_parent, but this needs some cleanups. Until then we
can turn task_tgid_nr_ns() into another user of __task_pid_nr_ns() and
fix the problem.
Reported-by: Troy Kensinger <tkensinger@google.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3010f87650 upstream.
There is existing use after free bug when deferred struct pages are
enabled:
The memblock_add() allocates memory for the memory array if more than
128 entries are needed. See comment in e820__memblock_setup():
* The bootstrap memblock region count maximum is 128 entries
* (INIT_MEMBLOCK_REGIONS), but EFI might pass us more E820 entries
* than that - so allow memblock resizing.
This memblock memory is freed here:
free_low_memory_core_early()
We access the freed memblock.memory later in boot when deferred pages
are initialized in this path:
deferred_init_memmap()
for_each_mem_pfn_range()
__next_mem_pfn_range()
type = &memblock.memory;
One possible explanation for why this use-after-free hasn't been hit
before is that the limit of INIT_MEMBLOCK_REGIONS has never been
exceeded at least on systems where deferred struct pages were enabled.
Tested by reducing INIT_MEMBLOCK_REGIONS down to 4 from the current 128,
and verifying in qemu that this code is getting excuted and that the
freed pages are sane.
Link: http://lkml.kernel.org/r/1502485554-318703-2-git-send-email-pasha.tatashin@oracle.com
Fixes: 7e18adb4f8 ("mm: meminit: initialise remaining struct pages in parallel with kswapd")
Signed-off-by: Pavel Tatashin <pasha.tatashin@oracle.com>
Reviewed-by: Steven Sistare <steven.sistare@oracle.com>
Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Reviewed-by: Bob Picco <bob.picco@oracle.com>
Acked-by: Michal Hocko <mhocko@suse.com>
Cc: Mel Gorman <mgorman@techsingularity.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
