Commit Graph

889387 Commits

Author SHA1 Message Date
Satya Tangirala
c7da3f4f29 ANDROID: block: Introduce passthrough keyslot manager
The regular keyslot manager is designed for devices that have a small
number of keyslots that need to be programmed with keys ahead of time,
and bios that are sent to the device need to be tagged with a keyslot
index.

Some inline encryption hardware may not have any limitations on the
number of keyslots, and may instead allow each bio to be tagged with
a raw key, data unit number, etc. rather than a pre-programmed keyslot's
index. These devices don't need any sort of keyslot management, and it's
better for these devices not to have to allocate a regular keyslot
manager with some fixed number of keyslots. These devices can instead
set up a passthrough keyslot manager in their request queue, which
requires fewer resources than regular keyslot managers, as they simply
do no-ops when trying to program keys into slots.

Separately, the device mapper may map over devices that have inline
encryption hardware, and it wants to pass the key along to the
underlying hardware. While the DM layer can expose inline encryption
capabilities by setting up a regular keyslot manager with some fixed
number of keyslots in the dm device's request queue, this only wastes
memory since the keys programmed into the dm device's request queue
will never be used. Instead, it's better to set up a passthrough
keyslot manager for dm devices.

Bug: 137270441
Bug: 147814592
Change-Id: I6d91e83e86a73b0d6066873c8a9117cf2c089234
Signed-off-by: Satya Tangirala <satyat@google.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-01-24 10:53:45 -08:00
Eric Biggers
141f59b911 ANDROID: ext4, f2fs: enable direct I/O with inline encryption
ext4 and f2fs have traditionally not supported direct I/O on encrypted
files, since it's difficult to implement with the traditional
filesystem-layer encryption.  But when inline encryption is used
instead, it's straightforward to support direct I/O, as long as the I/O
is fully filesystem-block-aligned.  Add support for it by:

- Making the two generic direct I/O implementations in the kernel,
  __blockdev_direct_IO() and iomap_dio_rw(), set the encryption context
  on bios for inline-encrypted files.  __blockdev_direct_IO() is used by
  f2fs, and was used by ext4 in kernel v5.4 and earlier.  iomap_dio_rw()
  is used by ext4 in kernel v5.5 and later.

- Making ext4 and f2fs allow direct I/O to encrypted files (rather than the
  current behavior of falling back to buffered I/O) when the file is
  using inline encryption and the I/O is fully filesystem-block-aligned.

Bug: 137270441
Change-Id: I4c8f7497eb8f829d03611d24281113d68c21d4d1
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-01-24 10:53:45 -08:00
Eric Biggers
884e364601 FROMLIST: scsi: ufs: add program_key() variant op
On Snapdragon SoCs, the Linux kernel isn't permitted to directly access
the standard UFS crypto configuration registers.  Instead, programming
and evicting keys must be done through vendor-specific SMC calls.

To support this hardware, add a ->program_key() method to
'struct ufs_hba_variant_ops'.  This allows overriding the UFS standard
key programming procedure.

Link: https://lore.kernel.org/r/20200110061634.46742-5-ebiggers@kernel.org
Bug: 137270441
Bug: 147259927
Change-Id: Ia561d5a51421baaf78de52a1eaec496093a0d0ad
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-01-24 10:53:45 -08:00
Eric Biggers
3f52b6637b ANDROID: block: export symbols needed for modules to use inline crypto
Export the blk-crypto symbols needed for modules to use inline crypto.

These would have already been exported, except that so far they've only
been used by fs/crypto/, which is no longer modular.

Bug: 137270441
Bug: 147814592
Change-Id: I64bf98aecabe891c188b30dd50124aacb1e008ca
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-01-24 10:53:45 -08:00
Eric Biggers
ed5d76925a ANDROID: block: fix some inline crypto bugs
While we're waiting for v7 of the inline crypto patchset, fix some bugs
that made it into the v6 patchset, including one that caused bios with
an encryption context to never be merged, and one that could cause
non-contiguous pages to be incorrectly added to a bio.

Bug: 137270441
Change-Id: I3911fcd6c76b5c9063b86d6af6267ad990a46718
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-01-24 10:53:44 -08:00
Hridya Valsaraju
c3a6a67f86 FROMLIST: security: selinux: allow per-file labelling for binderfs
This patch allows genfscon per-file labeling for binderfs.
This is required to have separate permissions to allow
access to binder, hwbinder and vndbinder devices which are
relocating to binderfs.

Acked-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Hridya Valsaraju <hridya@google.com>

Bug: 136497735
(cherry picked from commit 7a4b519474
git://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/selinux.git
master)
Link: https://lore.kernel.org/patchwork/patch/1175776/
Change-Id: I105cc54b30ddd4120dc23a363bddc2f9d00e4dc4
2020-01-23 14:53:14 -08:00
Jeff Vander Stoep
e92b6ef8fc Revert "ANDROID: security,perf: Allow further restriction of perf_event_open"
Unfork Android.

This reverts commit 5dbd8df7b3.

Perf_event_paranoid=3 is no longer needed on Android. Access control
of perf events is now done by selinux. See:
https://patchwork.kernel.org/patch/11185793/

IGNORE_MERGE_CONFLICT_CHECK==kernel.rst documentation uses "====".

Bug: 120445712
Bug: 137092007
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Change-Id: Iba493424174b30baff460caaa25a54a472c87bd4
2020-01-23 22:03:08 +00:00
Jeff Vander Stoep
6ea234c74a ANDROID: selinux: modify RTM_GETLINK permission
Map the permission gating RTM_GETLINK messages to a new permission so
that it can be distinguished from the other netlink route permissions
in selinux policy.

This is a temporary Android-only patch that will be deprecated in
newer kernels once the long-term solution lands as discussed on the
mailing list [1]. The maintainer's recommended solution is more
general, much more complex, and likely not suitable for backporting.
This patch provides the minimal change needed for Android including
the userspace settable trigger which ensures that the permission
change is only applied to the newest version of Android which
contains the changes needed for userspace compatibility.

[1]: https://lore.kernel.org/selinux/20200116142653.61738-1-jeffv@google.com/

Bug: 141455849
Bug: 148218425

Test: CtsSelinuxTargetSdkCurrentTestCases
Test: atest bionic-unit-tests-static
Test: atest NetworkInterfaceTest
Test: Connect to Wi-Fi network
Test: Set up hotspot
Test: Cast from device
Test: Pair Bluetooth device
Test: Call getifaddrs() directly from within an app.
Test: Call NetworkInterface#getNetworkInterfaces() from within an app.

Change-Id: I7b44ce60ad98f858c412722d41b9842f8577151f
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
2020-01-23 20:21:15 +00:00
Ram Muthiah
7d207b0162 ANDROID: gki: Make GKI specific modules builtins
Bug: 139431025
Test: Treehugger
Change-Id: I56e59e1a6232dada090d720f43e0d1036f43d064
Signed-off-by: Ram Muthiah <rammuthiah@google.com>
2020-01-22 18:17:13 -08:00
Alistair Delva
21c37861e3 ANDROID: virtio-net: Skip set_features on non-cvq devices
On devices without control virtqueue support, such as the virtio_net
implementation in crosvm[1], attempting to configure LRO will panic the
kernel:

kernel BUG at drivers/net/virtio_net.c:1591!
invalid opcode: 0000 [#1] PREEMPT SMP PTI
CPU: 1 PID: 483 Comm: Binder:330_1 Not tainted 5.4.5-01326-g19463e9acaac #1
Hardware name: ChromiumOS crosvm, BIOS 0
RIP: 0010:virtnet_send_command+0x15d/0x170 [virtio_net]
Call Trace:
 ? preempt_count_add+0x58/0xb0
 ? _raw_spin_lock_irqsave+0x36/0x70
 ? _raw_spin_unlock_irqrestore+0x1a/0x40
 ? __wake_up+0x70/0x190
 virtnet_set_features+0x90/0xf0 [virtio_net]
 __netdev_update_features+0x271/0x980
 ? nlmsg_notify+0x5b/0xa0
 dev_disable_lro+0x2b/0x190
 ? inet_netconf_notify_devconf+0xe2/0x120
 devinet_sysctl_forward+0x176/0x1e0
 proc_sys_call_handler+0x1f0/0x250
 proc_sys_write+0xf/0x20
 __vfs_write+0x3e/0x190
 ? __sb_start_write+0x6d/0xd0
 vfs_write+0xd3/0x190
 ksys_write+0x68/0xd0
 __ia32_sys_write+0x14/0x20
 do_fast_syscall_32+0x86/0xe0
 entry_SYSENTER_compat+0x7c/0x8e

This happens because virtio_set_features() does not check the presence
of the control virtqueue feature, which is sanity checked by a BUG_ON
in virtnet_send_command().

Fix this by skipping any feature processing if the control virtqueue is
missing. This should be OK for any future feature that is added, as
presumably all of them would require control virtqueue support to notify
the endpoint that offload etc. should begin.

[1] https://chromium.googlesource.com/chromiumos/platform/crosvm/

Fixes: a02e8964ea ("virtio-net: ethtool configurable LRO")
Signed-off-by: Alistair Delva <adelva@google.com>
Bug: 146571786
Test: netd_integration_test32
Change-Id: Ie5f1d372479ffce63c8bfc62cb4d8ef88e7540b4
Link: https://lore.kernel.org/lkml/20191220212207.76726-1-adelva@google.com/
Signed-off-by: Alistair Delva <adelva@google.com>
2020-01-22 20:24:02 +00:00
Ram Muthiah
6a8c710690 ANDROID: build config for cuttlefish ramdisk
Both x86 and arm64 are covered in this change.
The ramdisk and ko's are put in the DIST_DIR by the
BUILD_INITRAMFS option.

Bug: 139431025
Test: Local build and boot of cf
Signed-off-by: Ram Muthiah <rammuthiah@google.com>
Change-Id: I82a410ea3cf9b9177a1c8f2186d88344b9a63488
2020-01-22 00:10:34 +00:00
Sami Tolvanen
56d519e9e2 ANDROID: x86: gki_defconfig: enable LTO and CFI
Bug: 145297900
Change-Id: I136ac5c309b58a7f9da5fd0a9cf0d9445e07aae5
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 13:47:07 -08:00
Sami Tolvanen
52fb2d451e ANDROID: x86: map CFI jump tables in pti_clone_entry_text
Allow CFI enabled entry code to make indirect calls by also mapping
CFI jump tables, and add a check to ensure the jump table section is
not empty.

Bug: 145297900
Change-Id: I1204c50a139ba62234f3bb4699c50921a831162b
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:53:01 -08:00
Sami Tolvanen
25776752e7 ANDROID: x86, module: Ignore __typeid__ relocations
Also ignore these relocations when loading modules.

Bug: 145297900
Change-Id: I3d00f93deb3cf370ce25f8672f90e410e87ab79e
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:52:03 -08:00
Kees Cook
0f53669f19 ANDROID: x86, relocs: Ignore __typeid__ relocations
The __typeid__* symbols aren't actually relocations, so they can be
ignored during relocation generation.

Bug: 145297900
Change-Id: I41d0e093b3cdc3665be1722551011da5ec3eb940
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:51:54 -08:00
Kees Cook
775b28a2e0 ANDROID: x86/alternatives: Use C int3 selftest but disable KASAN
Instead of using inline asm for the int3 selftest (which confuses
Clang's ThinLTO pass), this restores the C function but disables KASAN
(and tracing for good measure) to keep things simple and avoid
unexpected side-effects. This attempts to keep the fix from commit
ecc6061038 ("x86/alternatives: Fix int3_emulate_call() selftest stack
corruption") without using inline asm.

Bug: 145297900
Change-Id: I2b6e237d89968b677c34e162b71a520ed8375e2d
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:51:44 -08:00
Kees Cook
f436f8ad8f ANDROID: x86/extable: Do not mark exception callback as CFI
The exception table entries are constructed out of a relative offset
and point to the actual function, not the CFI table entry. For now,
just mark the caller as not checking CFI. The failure is most visible
at boot with CONFIG_DEBUG_RODATA_TEST=y.

Bug: 145297900
Change-Id: Ia5e9da358c41b8e8a08e253926ed31775817a4e6
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:51:37 -08:00
Sami Tolvanen
9145ef459e ANDROID: x86, build: allow LTO_CLANG and THINLTO to be selected
Allow CONFIG_LTO_CLANG and CONFIG_THINLTO to be enabled.

Bug: 145297900
Change-Id: I70ec9d9e897622e8f4810d06186da981fae2d59e
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:51:28 -08:00
Sami Tolvanen
8e1a228356 ANDROID: x86: disable UNWINDER_ORC with LTO_CLANG
Bug: 145297900
Change-Id: I392f46e26e203a4a37bcddcaf1e44343d1f82a17
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:51:18 -08:00
Sami Tolvanen
d5a3eb9d1e ANDROID: x86: disable STACK_VALIDATION with LTO_CLANG
Disable CONFIG_STACK_VALIDATION with LTO, because objtool doesn't
understand LLVM IR.

Bug: 145297900
Change-Id: I939155e7662e68ec4a49df3ce14ddf1e84c327f5
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:51:10 -08:00
Sami Tolvanen
c8ad0a80c3 ANDROID: x86: disable HAVE_ARCH_PREL32_RELOCATIONS with LTO_CLANG
Disable HAVE_ARCH_PREL32_RELOCATIONS to stop LLVM from reordering
initcalls.

Bug: 145297900
Change-Id: Ieb0ce2e8ba4bb31f25585e197b6767b9c0fe7a8d
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:51:02 -08:00
Sami Tolvanen
92381c512b ANDROID: x86/vdso: disable LTO only for VDSO
Instead of disabling LTO for all the code in the directory, only
disable it for the VDSO itself.

Bug: 145297900
Change-Id: I95a9c68ee76fdc8f4cee5c5bd1356fc90de1680c
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:50:53 -08:00
Kees Cook
f66f665a39 FROMLIST: crypto, x86/sha: Eliminate casts on asm implementations
In order to avoid CFI function prototype mismatches, this removes the
casts on assembly implementations of sha1/256/512 accelerators. The
safety checks from BUILD_BUG_ON() remain.

Additionally, this renames various arguments for clarity, as suggested
by Eric Biggers.

Signed-off-by: Kees Cook <keescook@chromium.org>
(am from https://lore.kernel.org/patchwork/patch/1179963/)
Link: https://lore.kernel.org/lkml/202001141955.C4136E9C5@keescook
Bug: 145297900
Change-Id: I331d710f11775b66229acedc59861876a2d6708b
Signed-off-by: Sami Tolvanen <samitolvanen@google.com>
2020-01-21 10:50:41 -08:00
Barani Muthukumaran
155acee851 ANDROID: fscrypt: add support for hardware-wrapped keys
To prevent keys from being compromised if an attacker acquires read
access to kernel memory, some inline encryption hardware supports
protecting the keys in hardware without software having access to or the
ability to set the plaintext keys.  Instead, software only sees "wrapped
keys", which may differ on every boot.  The keys can be initially
generated either by software (in which case they need to be imported to
hardware to be wrapped), or directly by the hardware.

Add support for this type of hardware by allowing keys to be flagged as
hardware-wrapped and encryption policies to be flagged as needing a
hardware-wrapped key.  When used, fscrypt will pass the wrapped key
directly to the inline encryption hardware to encrypt file contents.
The hardware is responsible for internally unwrapping the key and
deriving the actual file contents encryption key.

fscrypt also asks the inline encryption hardware to derive a
cryptographically isolated software "secret", which fscrypt then uses as
the master key for all other purposes besides file contents encryption,
e.g. to derive filenames encryption keys and the key identifier.

Bug: 147209885

Change-Id: I58d1a37f5ba8cf178b80036b813e0bc99512ef3b
Co-developed-by: Gaurav Kashyap <gaurkash@codeaurora.org>
Signed-off-by: Gaurav Kashyap <gaurkash@codeaurora.org>
Signed-off-by: Barani Muthukumaran <bmuthuku@codeaurora.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-01-20 22:50:36 +00:00
Barani Muthukumaran
1daa058cc1 ANDROID: block: add KSM op to derive software secret from wrapped key
Some inline encryption hardware supports protecting the keys in hardware
and only exposing wrapped keys to software.  To use this capability,
userspace must provide a hardware-wrapped key rather than a raw key.

However, users of inline encryption in the kernel won't necessarily use
the user-specified key directly for inline encryption.  E.g. with
fscrypt with IV_INO_LBLK_64 policies, each user-provided key is used to
derive a file contents encryption key, filenames encryption key, and key
identifier.  Since inline encryption can only be used with file
contents, if the user were to provide a wrapped key there would
(naively) be no way to encrypt filenames or derive the key identifier.

This problem is solved by designing the hardware to internally use the
unwrapped key as input to a KDF from which multiple cryptographically
isolated keys can be derived, including both the inline crypto key (not
exposed to software) and a secret that *is* exposed to software.

Add a function to the keyslot manager to allow upper layers to request
this software secret from a hardware-wrapped key.

Bug: 147209885

Change-Id: I32f3aa4f25bcf6b9d6f7d8890260533fad00dd1d
Co-developed-by: Gaurav Kashyap <gaurkash@codeaurora.org>
Signed-off-by: Gaurav Kashyap <gaurkash@codeaurora.org>
Signed-off-by: Barani Muthukumaran <bmuthuku@codeaurora.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-01-20 22:50:25 +00:00
Barani Muthukumaran
d739474ec2 ANDROID: block: provide key size as input to inline crypto APIs
Currently, blk-crypto uses the algorithm to determine the size of keys.
However, some inline encryption hardware supports protecting keys from
software by wrapping the storage keys with an ephemeral key.  Since
these wrapped keys are not of a fixed size, add the capability to
provide the key size when initializing a blk_crypto_key, and update the
keyslot manager to take size into account when comparing keys.

Bug: 147209885

Change-Id: I9bf26d06d18a2d671c51111b4896abe4df303988
Co-developed-by: Gaurav Kashyap <gaurkash@codeaurora.org>
Signed-off-by: Gaurav Kashyap <gaurkash@codeaurora.org>
Signed-off-by: Barani Muthukumaran <bmuthuku@codeaurora.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-01-20 22:50:14 +00:00
Barani Muthukumaran
5f6555f1b7 ANDROID: ufshcd-crypto: export cap find API
Export symbol ufshcd_crypto_cap_find to find
the crypto capabilities from the crypto engine
in the storage controller. This is used to
validate that the crypto_mode and data_unit_size
provided are supported by the inline encryption
hardware. This can be used by all vops.

Bug: 147209885

Change-Id: I1020f88a35664dd1a3829750ba805ea76c93dc89
Signed-off-by: Barani Muthukumaran <bmuthuku@codeaurora.org>
Signed-off-by: Eric Biggers <ebiggers@google.com>
2020-01-20 22:49:47 +00:00
Matthias Maennich
2e8d45814f ANDROID: Update ABI representation and whitelist
Leaf changes summary: 67 artifacts changed
Changed leaf types summary: 3 leaf types changed
Removed/Changed/Added functions summary: 0 Removed, 1 Changed, 63 Added functions
Removed/Changed/Added variables summary: 0 Removed, 0 Changed, 0 Added variable

1 function with some sub-type change:

  [C]'function void blk_queue_logical_block_size(request_queue*, unsigned short int)' at blk-settings.c:331:1 has some sub-type changes:
    parameter 2 of type 'unsigned short int' changed:
    type name changed from 'unsigned short int' to 'unsigned int'
    type size changed from 16 to 32 (in bits)

63 Added functions:

  [A] 'function int __close_fd(files_struct*, unsigned int)'
  [A] 'function unsigned long int __get_free_pages(gfp_t, unsigned int)'
  [A] 'function void __register_binfmt(linux_binfmt*, int)'
  [A] 'function void _raw_read_lock(rwlock_t*)'
  [A] 'function void _raw_read_unlock(rwlock_t*)'
  [A] 'function void _raw_write_lock(rwlock_t*)'
  [A] 'function void _raw_write_unlock(rwlock_t*)'
  [A] 'function char* bin2hex(char*, void*, size_t)'
  [A] 'function int bprm_change_interp(const char*, linux_binprm*)'
  [A] 'function device* bus_find_device(bus_type*, device*, void*, void ()*)'
  [A] 'function void clear_inode(inode*)'
  [A] 'function int copy_strings_kernel(int, const char* const*, linux_binprm*)'
  [A] 'function timespec64 current_time(inode*)'
  [A] 'function void d_drop(dentry*)'
  [A] 'function void d_instantiate(dentry*, inode*)'
  [A] 'function loff_t default_llseek(file*, loff_t, int)'
  [A] 'function file* dentry_open(const path*, int, const cred*)'
  [A] 'function device* device_find_child(device*, void*, void ()*)'
  [A] 'function int device_match_name(device*, void*)'
  [A] 'function void down_write(rw_semaphore*)'
  [A] 'function void dput(dentry*)'
  [A] 'function void drop_nlink(inode*)'
  [A] 'function int filp_close(file*, fl_owner_t)'
  [A] 'function void fput(file*)'
  [A] 'function void free_pages(unsigned long int, unsigned int)'
  [A] 'function unsigned int get_next_ino()'
  [A] 'function int get_tree_single(fs_context*, void ()*)'
  [A] 'function gnss_device* gnss_allocate_device(device*)'
  [A] 'function void gnss_deregister_device(gnss_device*)'
  [A] 'function int gnss_insert_raw(gnss_device*, const unsigned char*, size_t)'
  [A] 'function void gnss_put_device(gnss_device*)'
  [A] 'function int gnss_register_device(gnss_device*)'
  [A] 'function void iput(inode*)'
  [A] 'function ssize_t kernel_read(file*, void*, size_t, loff_t*)'
  [A] 'function void kill_litter_super(super_block*)'
  [A] 'function char* kstrdup(const char*, gfp_t)'
  [A] 'function int kstrtoint(const char*, unsigned int, int*)'
  [A] 'function void lockref_get(lockref*)'
  [A] 'function dentry* lookup_one_len(const char*, dentry*, int)'
  [A] 'function inode* new_inode(super_block*)'
  [A] 'function file* open_exec(const char*)'
  [A] 'function int prepare_binprm(linux_binprm*)'
  [A] 'function int register_filesystem(file_system_type*)'
  [A] 'function int remove_arg_zero(linux_binprm*)'
  [A] 'function int search_binary_handler(linux_binprm*)'
  [A] 'function void serdev_device_close(serdev_device*)'
  [A] 'function int serdev_device_open(serdev_device*)'
  [A] 'function unsigned int serdev_device_set_baudrate(serdev_device*, unsigned int)'
  [A] 'function void serdev_device_set_flow_control(serdev_device*, bool)'
  [A] 'function void serdev_device_wait_until_sent(serdev_device*, long int)'
  [A] 'function int serdev_device_write(serdev_device*, const unsigned char*, size_t, long int)'
  [A] 'function void serdev_device_write_wakeup(serdev_device*)'
  [A] 'function int simple_fill_super(super_block*, unsigned long int, const tree_descr*)'
  [A] 'function int simple_pin_fs(file_system_type*, vfsmount**, int*)'
  [A] 'function ssize_t simple_read_from_buffer(void*, size_t, loff_t*, void*, size_t)'
  [A] 'function void simple_release_fs(vfsmount**, int*)'
  [A] 'function int simple_statfs(dentry*, kstatfs*)'
  [A] 'function int string_unescape(char*, char*, size_t, unsigned int)'
  [A] 'function char* strsep(char**, const char*)'
  [A] 'function void unregister_binfmt(linux_binfmt*)'
  [A] 'function int unregister_filesystem(file_system_type*)'
  [A] 'function void up_write(rw_semaphore*)'
  [A] 'function void would_dump(linux_binprm*, file*)'

'struct cfg80211_ops at cfg80211.h:3640:1' changed:
  type size changed from 6912 to 6976 (in bits)
  1 data member insertion:
    'void ()* cfg80211_ops::end_cac', at offset 5184 (in bits) at cfg80211.h:3880:1
  there are data member changes:
   'void ()* cfg80211_ops::update_ft_ies' offset changed from 5184 to 5248 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::crit_proto_start' offset changed from 5248 to 5312 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::crit_proto_stop' offset changed from 5312 to 5376 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::set_coalesce' offset changed from 5376 to 5440 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::channel_switch' offset changed from 5440 to 5504 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::set_qos_map' offset changed from 5504 to 5568 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::set_ap_chanwidth' offset changed from 5568 to 5632 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::add_tx_ts' offset changed from 5632 to 5696 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::del_tx_ts' offset changed from 5696 to 5760 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::tdls_channel_switch' offset changed from 5760 to 5824 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::tdls_cancel_channel_switch' offset changed from 5824 to 5888 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::start_nan' offset changed from 5888 to 5952 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::stop_nan' offset changed from 5952 to 6016 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::add_nan_func' offset changed from 6016 to 6080 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::del_nan_func' offset changed from 6080 to 6144 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::nan_change_conf' offset changed from 6144 to 6208 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::set_multicast_to_unicast' offset changed from 6208 to 6272 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::get_txq_stats' offset changed from 6272 to 6336 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::set_pmk' offset changed from 6336 to 6400 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::del_pmk' offset changed from 6400 to 6464 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::external_auth' offset changed from 6464 to 6528 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::tx_control_port' offset changed from 6528 to 6592 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::get_ftm_responder_stats' offset changed from 6592 to 6656 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::start_pmsr' offset changed from 6656 to 6720 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::abort_pmsr' offset changed from 6720 to 6784 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::update_owe_info' offset changed from 6784 to 6848 (in bits) (by +64 bits)
   'void ()* cfg80211_ops::probe_mesh_link' offset changed from 6848 to 6912 (in bits) (by +64 bits)

  one impacted interface:
    function wiphy* wiphy_new_nm(const cfg80211_ops*, int, const char*)

'struct queue_limits at blkdev.h:321:1' changed:
  type size hasn't changed
  there are data member changes:
   'unsigned int queue_limits::alignment_offset' offset changed from 384 to 416 (in bits) (by +32 bits)
   'unsigned int queue_limits::io_min' offset changed from 416 to 448 (in bits) (by +32 bits)
   'unsigned int queue_limits::io_opt' offset changed from 448 to 480 (in bits) (by +32 bits)
   'unsigned int queue_limits::max_discard_sectors' offset changed from 480 to 512 (in bits) (by +32 bits)
   'unsigned int queue_limits::max_hw_discard_sectors' offset changed from 512 to 544 (in bits) (by +32 bits)
   'unsigned int queue_limits::max_write_same_sectors' offset changed from 544 to 576 (in bits) (by +32 bits)
   'unsigned int queue_limits::max_write_zeroes_sectors' offset changed from 576 to 608 (in bits) (by +32 bits)
   'unsigned int queue_limits::discard_granularity' offset changed from 608 to 640 (in bits) (by +32 bits)
   'unsigned int queue_limits::discard_alignment' offset changed from 640 to 672 (in bits) (by +32 bits)
   type 'unsigned short int' of 'queue_limits::logical_block_size' changed:
     type name changed from 'unsigned short int' to 'unsigned int'
     type size changed from 16 to 32 (in bits)
, offset changed from 672 to 384 (in bits) (by -288 bits), size changed from 16 to 32 (in bits) (by +16 bits)
   'unsigned short int queue_limits::max_segments' offset changed from 688 to 704 (in bits) (by +16 bits)
   'unsigned short int queue_limits::max_integrity_segments' offset changed from 704 to 720 (in bits) (by +16 bits)
   'unsigned short int queue_limits::max_discard_segments' offset changed from 720 to 736 (in bits) (by +16 bits)
   'unsigned char queue_limits::misaligned' offset changed from 736 to 752 (in bits) (by +16 bits)
   'unsigned char queue_limits::discard_misaligned' offset changed from 744 to 760 (in bits) (by +16 bits)
   'unsigned char queue_limits::raid_partial_stripes_expensive' offset changed from 752 to 768 (in bits) (by +16 bits)
   'blk_zoned_model queue_limits::zoned' offset changed from 768 to 800 (in bits) (by +32 bits)

  36 impacted interfaces

'struct request_queue at blkdev.h:395:1' changed:
  type size hasn't changed
  there are data member changes:
   type 'struct queue_limits' of 'request_queue::limits' changed as reported earlier

  36 impacted interfaces

Bug: 148000665
Change-Id: If323715c059f25b2f0bae2b392fb7cc32c176c13
Signed-off-by: Matthias Maennich <maennich@google.com>
2020-01-20 12:47:28 +00:00
Greg Kroah-Hartman
59db867cf0 Merge 5.5-rc7 into android-mainline
Linux 5.5-rc7

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ibda9b40265c1a8e76cb8eb58107312438ecf687b
2020-01-20 11:57:16 +01:00
Linus Torvalds
def9d27807 Linux 5.5-rc7
2020-01-19 16:02:49 -08:00
Linus Torvalds
7008ee1210 Merge tag 'riscv/for-v5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux
Pull RISC-V fixes from Paul Walmsley:
 "Three fixes for RISC-V:

   - Don't free and reuse memory containing the code that CPUs parked at
     boot reside in.

   - Fix rv64 build problems for ubsan and some modules by adding
     logical and arithmetic shift helpers for 128-bit values. These are
     from libgcc and are similar to what's present for ARM64.

   - Fix vDSO builds to clean up their own temporary files"

* tag 'riscv/for-v5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/riscv/linux:
  riscv: Less inefficient gcc tishift helpers (and export their symbols)
  riscv: delete temporary files
  riscv: make sure the cores stay looping in .Lsecondary_park
2020-01-19 12:10:28 -08:00
Linus Torvalds
11a8272947 Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net
Pull networking fixes from David Miller:

 1) Fix non-blocking connect() in x25, from Martin Schiller.

 2) Fix spurious decryption errors in kTLS, from Jakub Kicinski.

 3) Netfilter use-after-free in mtype_destroy(), from Cong Wang.

 4) Limit size of TSO packets properly in lan78xx driver, from Eric
    Dumazet.

 5) r8152 probe needs an endpoint sanity check, from Johan Hovold.

 6) Prevent looping in tcp_bpf_unhash() during sockmap/tls free, from
    John Fastabend.

 7) hns3 needs short frames padded on transmit, from Yunsheng Lin.

 8) Fix netfilter ICMP header corruption, from Eyal Birger.

 9) Fix soft lockup when low on memory in hns3, from Yonglong Liu.

10) Fix NTUPLE firmware command failures in bnxt_en, from Michael Chan.

11) Fix memory leak in act_ctinfo, from Eric Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (91 commits)
  cxgb4: reject overlapped queues in TC-MQPRIO offload
  cxgb4: fix Tx multi channel port rate limit
  net: sched: act_ctinfo: fix memory leak
  bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal.
  bnxt_en: Fix ipv6 RFS filter matching logic.
  bnxt_en: Fix NTUPLE firmware command failures.
  net: systemport: Fixed queue mapping in internal ring map
  net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec
  net: dsa: sja1105: Don't error out on disabled ports with no phy-mode
  net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset
  net: hns: fix soft lockup when there is not enough memory
  net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key()
  net/sched: act_ife: initalize ife->metalist earlier
  netfilter: nat: fix ICMP header corruption on ICMP errors
  net: wan: lapbether.c: Use built-in RCU list checking
  netfilter: nf_tables: fix flowtable list del corruption
  netfilter: nf_tables: fix memory leak in nf_tables_parse_netdev_hooks()
  netfilter: nf_tables: remove WARN and add NLA_STRING upper limits
  netfilter: nft_tunnel: ERSPAN_VERSION must not be null
  netfilter: nft_tunnel: fix null-attribute check
  ...
2020-01-19 12:03:53 -08:00
Linus Torvalds
5f43644394 Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux
Pull i2c fixes from Wolfram Sang:
 "Two runtime PM fixes and one leak fix"

* 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
  i2c: iop3xx: Fix memory leak in probe error path
  i2c: tegra: Properly disable runtime PM on driver's probe error
  i2c: tegra: Fix suspending in active runtime PM state
2020-01-19 12:02:06 -08:00
Rahul Lakkireddy
b2383ad987 cxgb4: reject overlapped queues in TC-MQPRIO offload
A queue can't belong to multiple traffic classes. So, reject
any such configuration that results in overlapped queues for a
traffic class.

Fixes: b1396c2bd6 ("cxgb4: parse and configure TC-MQPRIO offload")
Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-19 16:12:53 +01:00
Rahul Lakkireddy
c856e2b6fc cxgb4: fix Tx multi channel port rate limit
T6 can support 2 egress traffic management channels per port to
double the total number of traffic classes that can be configured.
In this configuration, if the class belongs to the other channel,
then all the queues must be bound again explicitly to the new class,
for the rate limit parameters on the other channel to take effect.

So, always explicitly bind all queues to the port rate limit traffic
class, regardless of the traffic management channel that it belongs
to. Also, only bind queues to port rate limit traffic class, if all
the queues don't already belong to an existing different traffic
class.

Fixes: 4ec4762d8e ("cxgb4: add TC-MATCHALL classifier egress offload")
Signed-off-by: Rahul Lakkireddy <rahul.lakkireddy@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-19 16:12:02 +01:00
Eric Dumazet
09d4f10a5e net: sched: act_ctinfo: fix memory leak
Implement a cleanup method to properly free ci->params

BUG: memory leak
unreferenced object 0xffff88811746e2c0 (size 64):
  comm "syz-executor617", pid 7106, jiffies 4294943055 (age 14.250s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    c0 34 60 84 ff ff ff ff 00 00 00 00 00 00 00 00  .4`.............
  backtrace:
    [<0000000015aa236f>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<0000000015aa236f>] slab_post_alloc_hook mm/slab.h:586 [inline]
    [<0000000015aa236f>] slab_alloc mm/slab.c:3320 [inline]
    [<0000000015aa236f>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
    [<000000002c946bd1>] kmalloc include/linux/slab.h:556 [inline]
    [<000000002c946bd1>] kzalloc include/linux/slab.h:670 [inline]
    [<000000002c946bd1>] tcf_ctinfo_init+0x21a/0x530 net/sched/act_ctinfo.c:236
    [<0000000086952cca>] tcf_action_init_1+0x400/0x5b0 net/sched/act_api.c:944
    [<000000005ab29bf8>] tcf_action_init+0x135/0x1c0 net/sched/act_api.c:1000
    [<00000000392f56f9>] tcf_action_add+0x9a/0x200 net/sched/act_api.c:1410
    [<0000000088f3c5dd>] tc_ctl_action+0x14d/0x1bb net/sched/act_api.c:1465
    [<000000006b39d986>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
    [<00000000fd6ecace>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
    [<0000000047493d02>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
    [<00000000bdcf8286>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
    [<00000000bdcf8286>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
    [<00000000fc5b92d9>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
    [<00000000da84d076>] sock_sendmsg_nosec net/socket.c:639 [inline]
    [<00000000da84d076>] sock_sendmsg+0x54/0x70 net/socket.c:659
    [<0000000042fb2eee>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
    [<000000008f23f67e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
    [<00000000d838e4f6>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
    [<00000000289a9cb1>] __do_sys_sendmsg net/socket.c:2426 [inline]
    [<00000000289a9cb1>] __se_sys_sendmsg net/socket.c:2424 [inline]
    [<00000000289a9cb1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424

Fixes: 24ec483cec ("net: sched: Introduce act_ctinfo action")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Toke Høiland-Jørgensen <toke@redhat.com>
Acked-by: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-01-19 16:02:15 +01:00
Olof Johansson
fc585d4a5c riscv: Less inefficient gcc tishift helpers (and export their symbols)
The existing __lshrti3 was really inefficient, and the other two helpers
are also needed to compile some modules.

Add the missing versions, and export all of the symbols like arm64
already does.

This code is based on the assembly generated by libgcc builds.

This fixes a build break triggered by ubsan:

riscv64-unknown-linux-gnu-ld: lib/ubsan.o: in function `.L2':
ubsan.c:(.text.unlikely+0x38): undefined reference to `__ashlti3'
riscv64-unknown-linux-gnu-ld: ubsan.c:(.text.unlikely+0x42): undefined reference to `__ashrti3'

Signed-off-by: Olof Johansson <olof@lixom.net>
[paul.walmsley@sifive.com: use SYM_FUNC_{START,END} instead of
 ENTRY/ENDPROC; note libgcc origin]
Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
2020-01-18 19:13:41 -08:00
Linus Torvalds
8f8972a312 Merge tag 'mtd/fixes-for-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux
Pull MTD fixes from Miquel Raynal:
 "Raw NAND:
   - GPMI: Fix the suspend/resume

  SPI-NOR:
   - Fix quad enable on Spansion like flashes
   - Fix selection of 4-byte addressing opcodes on Spansion"

* tag 'mtd/fixes-for-5.5-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/mtd/linux:
  mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume
  mtd: rawnand: gpmi: Fix suspend/resume problem
  mtd: spi-nor: Fix quad enable for Spansion like flashes
  mtd: spi-nor: Fix selection of 4-byte addressing opcodes on Spansion
2020-01-18 16:34:17 -08:00
Linus Torvalds
244dc26890 Merge tag 'drm-fixes-2020-01-19' of git://anongit.freedesktop.org/drm/drm
Pull drm fixes from Dave Airlie:
 "Back from LCA2020, fixes weren't too busy last week, seems to have
  quietened down appropriately, some amdgpu, i915, then a core mst fix and
  one fix for virtio-gpu and one for rockchip:

  core mst:
   - serialize down messages and clear timeslots are on unplug

  amdgpu:
   - Update golden settings for renoir
   - eDP fix

  i915:
   - uAPI fix: Remove dash and colon from PMU names to comply with
     tools/perf
   - Fix for include file that was indirectly included
   - Two fixes to make sure VMA are marked active for error capture

  virtio:
   - maintain obj reservation lock when submitting cmds

  rockchip:
   - increase link rate var size to accommodate rates"

* tag 'drm-fixes-2020-01-19' of git://anongit.freedesktop.org/drm/drm:
  drm/amd/display: Reorder detect_edp_sink_caps before link settings read.
  drm/amdgpu: update goldensetting for renoir
  drm/dp_mst: Have DP_Tx send one msg at a time
  drm/dp_mst: clear time slots for ports invalid
  drm/i915/pmu: Do not use colons or dashes in PMU names
  drm/rockchip: fix integer type used for storing dp data rate
  drm/i915/gt: Mark ring->vma as active while pinned
  drm/i915/gt: Mark context->state vma as active while pinned
  drm/i915/gt: Skip trying to unbind in restore_ggtt_mappings
  drm/i915: Add missing include file <linux/math64.h>
  drm/virtio: add missing virtio_gpu_array_lock_resv call
2020-01-18 13:57:31 -08:00
Ilie Halip
95f4d9cced riscv: delete temporary files
Temporary files used in the VDSO build process linger on even after make
mrproper: vdso-dummy.o.tmp, vdso.so.dbg.tmp.

Delete them once they're no longer needed.

Signed-off-by: Ilie Halip <ilie.halip@gmail.com>
Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
2020-01-18 13:22:13 -08:00
Linus Torvalds
0cc2682d8b Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 fixes from Ingo Molnar:
 "Misc fixes:

   - a resctrl fix for uninitialized objects found by debugobjects

   - a resctrl memory leak fix

   - fix the unintended re-enabling of the SME and SEV CPU flags if
     memory encryption was disabled at bootup via the MSR space"

* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained
  x86/resctrl: Fix potential memory leak
  x86/resctrl: Fix an imbalance in domain_remove_cpu()
2020-01-18 13:02:12 -08:00
Linus Torvalds
7ff15cd045 Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull timer fixes from Ingo Molnar:
 "Three fixes: fix link failure on Alpha, fix a Sparse warning and
  annotate/robustify a lockless access in the NOHZ code"

* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  tick/sched: Annotate lockless access to last_jiffies_update
  lib/vdso: Make __cvdso_clock_getres() static
  time/posix-stubs: Provide compat itimer supoprt for alpha
2020-01-18 13:00:59 -08:00
Linus Torvalds
9e79c52332 Merge branch 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull cpu/SMT fix from Ingo Molnar:
 "Fix a build bug on CONFIG_HOTPLUG_SMT=y && !CONFIG_SYSFS kernels"

* 'smp-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  cpu/SMT: Fix x86 link error without CONFIG_SYSFS
2020-01-18 12:57:41 -08:00
Linus Torvalds
a186c112c7 Merge branch 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull x86 RAS fix from Ingo Molnar:
 "Fix a thermal throttling race that can result in easy to trigger boot
  crashes on certain Ice Lake platforms"

* 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/mce/therm_throt: Do not access uninitialized therm_work
2020-01-18 12:56:36 -08:00
Linus Torvalds
b07b9e8d63 Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull perf fixes from Ingo Molnar:
 "Tooling fixes, three Intel uncore driver fixes, plus an AUX events fix
  uncovered by the perf fuzzer"

* 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  perf/x86/intel/uncore: Remove PCIe3 unit for SNR
  perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events
  perf/x86/intel/uncore: Add PCI ID of IMC for Xeon E3 V5 Family
  perf: Correctly handle failed perf_get_aux_event()
  perf hists: Fix variable name's inconsistency in hists__for_each() macro
  perf map: Set kmap->kmaps backpointer for main kernel map chunks
  perf report: Fix incorrectly added dimensions as switch perf data file
  tools lib traceevent: Fix memory leakage in filter_event
2020-01-18 12:55:19 -08:00
Linus Torvalds
124b5547ec Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull locking fixes from Ingo Molnar:
 "Three fixes:

    - Fix an rwsem spin-on-owner crash, introduced in v5.4

    - Fix a lockdep bug when running out of stack_trace entries,
      introduced in v5.4

    - Docbook fix"

* 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN
  futex: Fix kernel-doc notation warning
  locking/lockdep: Fix buffer overrun problem in stack_trace[]
2020-01-18 12:53:28 -08:00
Linus Torvalds
a1c6f87efc Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull irq fix from Ingo Molnar:
 "Fix a recent regression in the Ingenic SoCs irqchip driver that floods
  the syslog"

* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  irqchip/ingenic: Get rid of the legacy IRQ domain
2020-01-18 12:52:18 -08:00
Linus Torvalds
e2f73d1e52 Merge branch 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull EFI fixes from Ingo Molnar:
 "Three EFI fixes:

   - Fix a slow-boot-scrolling regression by making sure we use WC for
     EFI earlycon framebuffer mappings on x86

   - Fix a mixed EFI mode boot crash

   - Disable paging explicitly before entering startup_32() in mixed
     mode bootup"

* 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  x86/efistub: Disable paging at mixed mode entry
  efi/libstub/random: Initialize pointer variables to zero for mixed mode
  efi/earlycon: Fix write-combine mapping on x86
2020-01-18 12:50:14 -08:00
Linus Torvalds
ba0f472203 Merge branch 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull rseq fixes from Ingo Molnar:
 "Two rseq bugfixes:

   - CLONE_VM !CLONE_THREAD didn't work properly, the kernel would end
     up corrupting the TLS of the parent. Technically a change in the
     ABI but the previous behavior couldn't reasonably have been relied
     on by applications so this looks like a valid exception to the ABI
     rule.

   - Make the RSEQ_FLAG_UNREGISTER ABI behavior consistent with the
     handling of other flags. This is not thought to impact any
     applications either"

* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
  rseq: Unregister rseq for clone CLONE_VM
  rseq: Reject unknown flags on rseq unregister
2020-01-18 12:29:13 -08:00
Linus Torvalds
8cac89909a Merge tag 'for-linus-2020-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux
Pull thread fixes from Christian Brauner:
 "Here is an urgent fix for ptrace_may_access() permission checking.

  Commit 69f594a389 ("ptrace: do not audit capability check when
  outputing /proc/pid/stat") introduced the ability to opt out of audit
  messages for accesses to various proc files since they are not
  violations of policy.

  While doing so it switched the check from ns_capable() to
  has_ns_capability{_noaudit}(). That means it switched from checking
  the subjective credentials (ktask->cred) of the task to using the
  objective credentials (ktask->real_cred). This appears to be wrong.
  ptrace_has_cap() is currently only used in ptrace_may_access() and is
  used to check whether the calling task (subject) has the
  CAP_SYS_PTRACE capability in the provided user namespace to operate on
  the target task (object). According to the cred.h comments this means
  the subjective credentials of the calling task need to be used.

  With this fix we switch ptrace_has_cap() to use security_capable() and
  thus back to using the subjective credentials.

  As one example where this might be particularly problematic, Jann
  pointed out that in combination with the upcoming IORING_OP_OPENAT{2}
  feature, this bug might allow unprivileged users to bypass the
  capability checks while asynchronously opening files like /proc/*/mem,
  because the capability checks for this would be performed against
  kernel credentials.

  To illustrate on the former point about this being exploitable: When
  io_uring creates a new context it records the subjective credentials
  of the caller. Later on, when it starts to do work it creates a kernel
  thread and registers a callback. The callback runs with kernel creds
  for ktask->real_cred and ktask->cred.

  To prevent this from becoming a full-blown 0-day io_uring will call
  override_cred() and override ktask->cred with the subjective
  credentials of the creator of the io_uring instance. With
  ptrace_has_cap() currently looking at ktask->real_cred this override
  will be ineffective and the caller will be able to open arbitrary proc
  files as mentioned above.

  Luckily, this is currently not exploitable but would be so once
  IORING_OP_OPENAT{2} land in v5.6. Let's fix it now.

  To minimize potential regressions I successfully ran the criu
  testsuite. criu makes heavy use of ptrace() and extensively hits
  ptrace_may_access() codepaths and has a good chance of detecting any
  regressions.

  Additionally, I successfully ran the ptrace and seccomp kernel tests"

* tag 'for-linus-2020-01-18' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
  ptrace: reintroduce usage of subjective credentials in ptrace_has_cap()
2020-01-18 12:23:31 -08:00