Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.10.138 2022-08-25T09:38:24+00:00 2022-08-25T09:38:24+00:00 Greg Kroah-Hartman gregkh@linuxfoundation.org 2022-08-25T09:38:24+00:00 urn:sha1:fa3303d70b423dd3e855f57febaba77e15069650 Link: https://lore.kernel.org/r/20220823080059.091088642@linuxfoundation.org Tested-by: Shuah Khan <skhan@linuxfoundation.org> Link: https://lore.kernel.org/r/20220824065913.068916566@linuxfoundation.org Tested-by: Ron Economos <re@w6rz.net> Tested-by: Guenter Roeck <linux@roeck-us.net> Tested-by: Linux Kernel Functional Testing <lkft@linaro.org> Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-08-25T09:38:24+00:00 Jens Wiklander jens.wiklander@linaro.org 2022-08-23T08:23:26+00:00 urn:sha1:606fe84a41851ab8307bb6096189dc8f4c8ba16b Moves the access_ok() check for valid memory range from user space from the function tee_shm_register() to tee_ioctl_shm_register(). With this we error out early before anything is done that must be undone on error. Fixes: 578c349570d2 ("tee: add overflow check in register_shm_helper()") Cc: stable@vger.kernel.org # 5.10 Reported-by: Pavel Machek <pavel@denx.de> Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-08-25T09:38:24+00:00 Tadeusz Struk tadeusz.struk@linaro.org 2022-05-17T18:04:20+00:00 urn:sha1:3527e3cbb84d8868c4d4e91ba55915f96d39ec3d commit 4c46091ee985ae84c60c5e95055d779fcd291d87 upstream. Syzbot found a Use After Free bug in compute_effective_progs(). The reproducer creates a number of BPF links, and causes a fault injected alloc to fail, while calling bpf_link_detach on them. Link detach triggers the link to be freed by bpf_link_free(), which calls __cgroup_bpf_detach() and update_effective_progs(). If the memory allocation in this function fails, the function restores the pointer to the bpf_cgroup_link on the cgroup list, but the memory gets freed just after it returns. After this, every subsequent call to update_effective_progs() causes this already deallocated pointer to be dereferenced in prog_list_length(), and triggers KASAN UAF error. To fix this issue don't preserve the pointer to the prog or link in the list, but remove it and replace it with a dummy prog without shrinking the table. The subsequent call to __cgroup_bpf_detach() or __cgroup_bpf_detach() will correct it. Fixes: af6eea57437a ("bpf: Implement bpf_link-based cgroup BPF program attachment") Reported-by: <syzbot+f264bffdfbd5614f3bb2@syzkaller.appspotmail.com> Signed-off-by: Tadeusz Struk <tadeusz.struk@linaro.org> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Cc: <stable@vger.kernel.org> Link: https://syzkaller.appspot.com/bug?id=8ebf179a95c2a2670f7cf1ba62429ec044369db4 Link: https://lore.kernel.org/bpf/20220517180420.87954-1-tadeusz.struk@linaro.org Signed-off-by: Pu Lehui <pulehui@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-08-25T09:38:23+00:00 Matthew Wilcox (Oracle) willy@infradead.org 2021-03-31T04:36:42+00:00 urn:sha1:4f7286422a7836459f79445fbbdacff53da3b58b commit 3cbf7530a163d048a6376cd22fecb9cdcb23b192 upstream. The XArray interface is easier for this driver to use. Also fixes a bug reported by the improper use of GFP_ATOMIC. Signed-off-by: Matthew Wilcox (Oracle) <willy@infradead.org> Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Stanislav Goriainov <goriainov@ispras.ru> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-08-25T09:38:23+00:00 Keith Busch kbusch@kernel.org 2021-01-04T23:02:58+00:00 urn:sha1:1daa7629d2a2a8bfcac5a70592275098afddd6cc commit 387c72cdd7fb6bef650fb078d0f6ae9682abf631 upstream. Overwriting the frozen detected status with the result of the link reset loses the NEED_RESET result that drivers are depending on for error handling to report the .slot_reset() callback. Retain this status so that subsequent error handling has the correct flow. Link: https://lore.kernel.org/r/20210104230300.1277180-4-kbusch@kernel.org Reported-by: Hinko Kocevar <hinko.kocevar@ess.eu> Tested-by: Hedi Berriche <hedi.berriche@hpe.com> Signed-off-by: Keith Busch <kbusch@kernel.org> Signed-off-by: Bjorn Helgaas <bhelgaas@google.com> Acked-by: Sean V Kelley <sean.v.kelley@intel.com> Acked-by: Hedi Berriche <hedi.berriche@hpe.com> Cc: Dominique Martinet <dominique.martinet@atmark-techno.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-08-25T09:38:23+00:00 Fedor Pchelkin pchelkin@ispras.ru 2022-08-05T15:02:16+00:00 urn:sha1:a220ff343396bae8d3b6abee72ab51f1f34b3027 commit 8c21c54a53ab21842f5050fa090f26b03c0313d6 upstream. We need to drop skb references taken in j1939_session_skb_queue() when destroying a session in j1939_session_destroy(). Otherwise those skbs would be lost. Link to Syzkaller info and repro: https://forge.ispras.ru/issues/11743. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. V1: https://lore.kernel.org/all/20220708175949.539064-1-pchelkin@ispras.ru Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Suggested-by: Oleksij Rempel <o.rempel@pengutronix.de> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Acked-by: Oleksij Rempel <o.rempel@pengutronix.de> Link: https://lore.kernel.org/all/20220805150216.66313-1-pchelkin@ispras.ru Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-08-25T09:38:23+00:00 Fedor Pchelkin pchelkin@ispras.ru 2022-07-29T14:36:55+00:00 urn:sha1:05b9b0a7a7cdc297b63534474bf5ec5976949abf commit 8ef49f7f8244424adcf4a546dba4cbbeb0b09c09 upstream. We should warn user-space that it is doing something wrong when trying to activate sessions with identical parameters but WARN_ON_ONCE macro can not be used here as it serves a different purpose. So it would be good to replace it with netdev_warn_once() message. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol") Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: Alexey Khoroshilov <khoroshilov@ispras.ru> Acked-by: Oleksij Rempel <o.rempel@pengutronix.de> Link: https://lore.kernel.org/all/20220729143655.1108297-1-pchelkin@ispras.ru [mkl: fix indention] Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-08-25T09:38:23+00:00 Steven Rostedt (Google) rostedt@goodmis.org 2022-08-20T13:43:21+00:00 urn:sha1:184e73f12cbad9ccad80a390c7731e8c09598225 commit ab8384442ee512fc0fc72deeb036110843d0e7ff upstream. Both $comm and $COMM can be used to get current->comm in eprobes and the filtering and histogram logic. Make kprobes and uprobes consistent in this regard and allow both $comm and $COMM as well. Currently kprobes and uprobes only handle $comm, which is inconsistent with the other utilities, and can be confusing to users. Link: https://lkml.kernel.org/r/20220820134401.317014913@goodmis.org Link: https://lore.kernel.org/all/20220820220442.776e1ddaf8836e82edb34d01@kernel.org/ Cc: stable@vger.kernel.org Cc: Ingo Molnar <mingo@kernel.org> Cc: Andrew Morton <akpm@linux-foundation.org> Cc: Tzvetomir Stoyanov <tz.stoyanov@gmail.com> Cc: Tom Zanussi <zanussi@kernel.org> Fixes: 533059281ee5 ("tracing: probeevent: Introduce new argument fetching code") Suggested-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-08-25T09:38:22+00:00 Dongliang Mu mudongliangabcd@gmail.com 2021-07-14T03:27:03+00:00 urn:sha1:3debec96cae1ca86e713415a5fb8458f44814192 commit cfbe3650dd3ef2ea9a4420ca89d9a4df98af3fb6 upstream. In nf_tables_commit, if nf_tables_commit_audit_alloc fails, it does not free the adp variable. Fix this by adding nf_tables_commit_audit_free which frees the linked list with the head node adl. backtrace: kmalloc include/linux/slab.h:591 [inline] kzalloc include/linux/slab.h:721 [inline] nf_tables_commit_audit_alloc net/netfilter/nf_tables_api.c:8439 [inline] nf_tables_commit+0x16e/0x1760 net/netfilter/nf_tables_api.c:8508 nfnetlink_rcv_batch+0x512/0xa80 net/netfilter/nfnetlink.c:562 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv+0x1fa/0x220 net/netfilter/nfnetlink.c:652 netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline] netlink_unicast+0x2c7/0x3e0 net/netlink/af_netlink.c:1340 netlink_sendmsg+0x36b/0x6b0 net/netlink/af_netlink.c:1929 sock_sendmsg_nosec net/socket.c:702 [inline] sock_sendmsg+0x56/0x80 net/socket.c:722 Reported-by: syzbot <syzkaller@googlegroups.com> Reported-by: kernel test robot <lkp@intel.com> Fixes: c520292f29b8 ("audit: log nftables configuration change events once per table") Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-08-25T09:38:22+00:00 Dan Carpenter dan.carpenter@oracle.com 2021-04-02T11:45:44+00:00 urn:sha1:f3d0db3b435a7216d3082c4ddea95f5de4726854 commit dadf33c9f6b5f694e842d224a4d071f59ac665ee upstream. The first argument of a WARN_ONCE() is a condition. This WARN_ONCE() will only print the table name, and is potentially problematic if the table name has a %s in it. Fixes: c520292f29b8 ("audit: log nftables configuration change events once per table") Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Paul Moore <paul@paul-moore.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>