Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.4.107 2021-03-17T16:03:33+00:00 2021-03-17T16:03:33+00:00 Maciej Fijalkowski maciej.fijalkowski@intel.com 2021-03-03T18:56:35+00:00 urn:sha1:3e8ab75f3301aa32d9a61c0971a4a8120b5d950a commit 6bc6699881012b5bd5d49fa861a69a37fc01b49c upstream. We mmap the umem region, but we never munmap it. Add the missing call at the end of the cleanup. Fixes: 3945b37a975d ("samples/bpf: use hugepages in xdpsock app") Signed-off-by: Maciej Fijalkowski <maciej.fijalkowski@intel.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Björn Töpel <bjorn.topel@intel.com> Link: https://lore.kernel.org/bpf/20210303185636.18070-3-maciej.fijalkowski@intel.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-12-30T10:51:12+00:00 Daniel T. Lee danieltimlee@gmail.com 2020-11-24T09:03:09+00:00 urn:sha1:ceff135b9d9368a9034b550bc3ce4ac292f69dc9 [ Upstream commit 0afe0a998c40085a6342e1aeb4c510cccba46caf ] Currently, lwt_len_hist's map lwt_len_hist_map is uses pinning, and the map isn't cleared on test end. This leds to reuse of that map for each test, which prevents the results of the test from being accurate. This commit fixes the problem by removing of pinned map from bpffs. Also, this commit add the executable permission to shell script files. Fixes: f74599f7c5309 ("bpf: Add tests and samples for LWT-BPF") Signed-off-by: Daniel T. Lee <danieltimlee@gmail.com> Signed-off-by: Andrii Nakryiko <andrii@kernel.org> Link: https://lore.kernel.org/bpf/20201124090310.24374-7-danieltimlee@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-11-05T10:43:17+00:00 Magnus Karlsson magnus.karlsson@intel.com 2020-09-10T08:31:05+00:00 urn:sha1:7762afa04fd4810e88f380cf066c1d5945fb7b7b [ Upstream commit 5a2a0dd88f0f267ac5953acd81050ae43a82201f ] Fix a possible deadlock in the l2fwd application in xdpsock that can occur when there is no space in the Tx ring. There are two ways to get the kernel to consume entries in the Tx ring: calling sendto() to make it send packets and freeing entries from the completion ring, as the kernel will not send a packet if there is no space for it to add a completion entry in the completion ring. The Tx loop in l2fwd only used to call sendto(). This patches adds cleaning the completion ring in that loop. Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Link: https://lore.kernel.org/bpf/1599726666-8431-3-git-send-email-magnus.karlsson@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-10-29T08:58:04+00:00 Sherry Sun sherry.sun@nxp.com 2020-09-29T09:11:05+00:00 urn:sha1:821dcabafded19e6a9c1b005395c2c4ccea33d2e [ Upstream commit cc1a2679865a94b83804822996eed010a50a7c1d ] Since struct _mic_vring_info and vring are allocated together and follow vring, if the vring_size() is not four bytes aligned, which will cause the start address of struct _mic_vring_info is not four byte aligned. For example, when vring entries is 128, the vring_size() will be 5126 bytes. The _mic_vring_info struct layout in ddr looks like: 0x90002400: 00000000 00390000 EE010000 0000C0FF Here 0x39 is the avail_idx member, and 0xC0FFEE01 is the magic member. When EP use ioread32(magic) to reads the magic in RC's share memory, it will cause kernel panic on ARM64 platform due to the cross-byte io read. Here read magic in user space use le32toh(vr0->info->magic) will meet the same issue. So add round_up(x,4) for vring_size, then the struct _mic_vring_info will store in this way: 0x90002400: 00000000 00000000 00000039 C0FFEE01 Which will avoid kernel panic when read magic in struct _mic_vring_info. Signed-off-by: Sherry Sun <sherry.sun@nxp.com> Signed-off-by: Joakim Zhang <qiangqing.zhang@nxp.com> Link: https://lore.kernel.org/r/20200929091106.24624-4-sherry.sun@nxp.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-08-19T06:16:03+00:00 Wenbo Zhang ethercflow@gmail.com 2020-07-10T09:20:35+00:00 urn:sha1:5908a17b247ddafe19470f7413c86f277ebe7195 [ Upstream commit eef8a42d6ce087d1c81c960ae0d14f955b742feb ] The `BPF_LOG_BUF_SIZE`'s value is `UINT32_MAX >> 8`, so define an array with it on stack caused an overflow. Signed-off-by: Wenbo Zhang <ethercflow@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Andrii Nakryiko <andriin@fb.com> Link: https://lore.kernel.org/bpf/20200710092035.28919-1-ethercflow@gmail.com Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-07-09T07:37:54+00:00 Kees Cook keescook@chromium.org 2020-07-03T22:15:21+00:00 urn:sha1:a632f91f7a9c96593f50605f550654ccc575d330 [ Upstream commit c3eeaae9fd736b7f2afbda8d3cbb1cbae06decf3 ] Something changed recently to uncover this warning: samples/vfs/test-statx.c:24:15: warning: `struct foo' declared inside parameter list will not be visible outside of this definition or declaration 24 | #define statx foo | ^~~ Which is due the use of "struct statx" (here, "struct foo") in a function prototype argument list before it has been defined: int # 56 "/usr/include/x86_64-linux-gnu/bits/statx-generic.h" foo # 56 "/usr/include/x86_64-linux-gnu/bits/statx-generic.h" 3 4 (int __dirfd, const char *__restrict __path, int __flags, unsigned int __mask, struct # 57 "/usr/include/x86_64-linux-gnu/bits/statx-generic.h" foo # 57 "/usr/include/x86_64-linux-gnu/bits/statx-generic.h" 3 4 *__restrict __buf) __attribute__ ((__nothrow__ , __leaf__)) __attribute__ ((__nonnull__ (2, 5))); Add explicit struct before #include to avoid warning. Fixes: f1b5618e013a ("vfs: Add a sample program for the new mount API") Signed-off-by: Kees Cook <keescook@chromium.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: Miklos Szeredi <mszeredi@redhat.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: David Howells <dhowells@redhat.com> Link: http://lkml.kernel.org/r/202006282213.C516EA6@keescook Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-30T19:36:55+00:00 Gaurav Singh gaurav1086@gmail.com 2020-06-12T18:53:27+00:00 urn:sha1:d909f9db0caa2e7a582cc47f8366743e0873efcc [ Upstream commit 6903cdae9f9f08d61e49c16cbef11c293e33a615 ] Memset on the pointer right after malloc can cause a NULL pointer deference if it failed to allocate memory. A simple fix is to replace malloc()/memset() pair with a simple call to calloc(). Fixes: 0fca931a6f21 ("samples/bpf: program demonstrating access to xdp_rxq_info") Signed-off-by: Gaurav Singh <gaurav1086@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: Jesper Dangaard Brouer <brouer@redhat.com> Acked-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-30T19:36:55+00:00 Lorenzo Bianconi lorenzo@kernel.org 2020-05-12T16:30:40+00:00 urn:sha1:0608288c6caab98e7819dd017b4a8818819ddfed [ Upstream commit 6a09815428547657f3ffd2f5c31ac2a191e7fdf3 ] xdp_redirect_cpu is currently failing in bpf_prog_load_xattr() allocating cpu_map map if CONFIG_NR_CPUS is less than 64 since cpu_map_alloc() requires max_entries to be less than NR_CPUS. Set cpu_map max_entries according to NR_CPUS in xdp_redirect_cpu_kern.c and get currently running cpus in xdp_redirect_cpu_user.c Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/374472755001c260158c4e4b22f193bdd3c56fb7.1589300442.git.lorenzo@kernel.org Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-06-03T06:21:15+00:00 Matteo Croce mcroce@redhat.com 2020-05-11T11:32:34+00:00 urn:sha1:dfe417b45634ff370adb92718241d56fda7e6814 [ Upstream commit 23ad04669f81f958e9a4121b0266228d2eb3c357 ] GCC 10 is very strict about symbol clash, and lwt_len_hist_user contains a symbol which clashes with libbpf: /usr/bin/ld: samples/bpf/lwt_len_hist_user.o:(.bss+0x0): multiple definition of `bpf_log_buf'; samples/bpf/bpf_load.o:(.bss+0x8c0): first defined here collect2: error: ld returned 1 exit status bpf_log_buf here seems to be a leftover, so removing it. Signed-off-by: Matteo Croce <mcroce@redhat.com> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Acked-by: Yonghong Song <yhs@fb.com> Link: https://lore.kernel.org/bpf/20200511113234.80722-1-mcroce@redhat.com Signed-off-by: Sasha Levin <sashal@kernel.org> 2020-04-29T14:33:14+00:00 Jann Horn jannh@google.com 2020-04-21T01:14:11+00:00 urn:sha1:f4f235309b5cc8e6217774279ae2b263345f5f6a commit bdebd6a2831b6fab69eb85cee74a8ba77f1a1cc2 upstream. remap_vmalloc_range() has had various issues with the bounds checks it promises to perform ("This function checks that addr is a valid vmalloc'ed area, and that it is big enough to cover the vma") over time, e.g.: - not detecting pgoff<<PAGE_SHIFT overflow - not detecting (pgoff<<PAGE_SHIFT)+usize overflow - not checking whether addr and addr+(pgoff<<PAGE_SHIFT) are the same vmalloc allocation - comparing a potentially wildly out-of-bounds pointer with the end of the vmalloc region In particular, since commit fc9702273e2e ("bpf: Add mmap() support for BPF_MAP_TYPE_ARRAY"), unprivileged users can cause kernel null pointer dereferences by calling mmap() on a BPF map with a size that is bigger than the distance from the start of the BPF map to the end of the address space. This could theoretically be used as a kernel ASLR bypass, by using whether mmap() with a given offset oopses or returns an error code to perform a binary search over the possible address range. To allow remap_vmalloc_range_partial() to verify that addr and addr+(pgoff<<PAGE_SHIFT) are in the same vmalloc region, pass the offset to remap_vmalloc_range_partial() instead of adding it to the pointer in remap_vmalloc_range(). In remap_vmalloc_range_partial(), fix the check against get_vm_area_size() by using size comparisons instead of pointer comparisons, and add checks for pgoff. Fixes: 833423143c3a ("[PATCH] mm: introduce remap_vmalloc_range()") Signed-off-by: Jann Horn <jannh@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Cc: stable@vger.kernel.org Cc: Alexei Starovoitov <ast@kernel.org> Cc: Daniel Borkmann <daniel@iogearbox.net> Cc: Martin KaFai Lau <kafai@fb.com> Cc: Song Liu <songliubraving@fb.com> Cc: Yonghong Song <yhs@fb.com> Cc: Andrii Nakryiko <andriin@fb.com> Cc: John Fastabend <john.fastabend@gmail.com> Cc: KP Singh <kpsingh@chromium.org> Link: http://lkml.kernel.org/r/20200415222312.236431-1-jannh@google.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>