1 |
commit: 3a058e50f9b202f057a9193e77b4f3f96f6ebbfd |
2 |
Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
3 |
AuthorDate: Thu Jun 10 11:16:15 2021 +0000 |
4 |
Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> |
5 |
CommitDate: Thu Jun 10 11:16:15 2021 +0000 |
6 |
URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=3a058e50 |
7 |
|
8 |
Linux patch 4.14.236 |
9 |
|
10 |
Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> |
11 |
|
12 |
0000_README | 4 + |
13 |
1235_linux-4.14.236.patch | 2016 +++++++++++++++++++++++++++++++++++++++++++++ |
14 |
2 files changed, 2020 insertions(+) |
15 |
|
16 |
diff --git a/0000_README b/0000_README |
17 |
index 661dd8d..1cbc4b5 100644 |
18 |
--- a/0000_README |
19 |
+++ b/0000_README |
20 |
@@ -983,6 +983,10 @@ Patch: 1234_linux-4.14.235.patch |
21 |
From: https://www.kernel.org |
22 |
Desc: Linux 4.14.235 |
23 |
|
24 |
+Patch: 1235_linux-4.14.236.patch |
25 |
+From: https://www.kernel.org |
26 |
+Desc: Linux 4.14.236 |
27 |
+ |
28 |
Patch: 1500_XATTR_USER_PREFIX.patch |
29 |
From: https://bugs.gentoo.org/show_bug.cgi?id=470644 |
30 |
Desc: Support for namespace user.pax.* on tmpfs. |
31 |
|
32 |
diff --git a/1235_linux-4.14.236.patch b/1235_linux-4.14.236.patch |
33 |
new file mode 100644 |
34 |
index 0000000..80038e5 |
35 |
--- /dev/null |
36 |
+++ b/1235_linux-4.14.236.patch |
37 |
@@ -0,0 +1,2016 @@ |
38 |
+diff --git a/Makefile b/Makefile |
39 |
+index 8849d79161a37..3d162ef034d41 100644 |
40 |
+--- a/Makefile |
41 |
++++ b/Makefile |
42 |
+@@ -1,7 +1,7 @@ |
43 |
+ # SPDX-License-Identifier: GPL-2.0 |
44 |
+ VERSION = 4 |
45 |
+ PATCHLEVEL = 14 |
46 |
+-SUBLEVEL = 235 |
47 |
++SUBLEVEL = 236 |
48 |
+ EXTRAVERSION = |
49 |
+ NAME = Petit Gorille |
50 |
+ |
51 |
+diff --git a/arch/x86/kvm/svm.c b/arch/x86/kvm/svm.c |
52 |
+index cfd6e58e824b3..3571253b86907 100644 |
53 |
+--- a/arch/x86/kvm/svm.c |
54 |
++++ b/arch/x86/kvm/svm.c |
55 |
+@@ -3532,7 +3532,7 @@ static int cr_interception(struct vcpu_svm *svm) |
56 |
+ err = 0; |
57 |
+ if (cr >= 16) { /* mov to cr */ |
58 |
+ cr -= 16; |
59 |
+- val = kvm_register_read(&svm->vcpu, reg); |
60 |
++ val = kvm_register_readl(&svm->vcpu, reg); |
61 |
+ switch (cr) { |
62 |
+ case 0: |
63 |
+ if (!check_selective_cr0_intercepted(svm, val)) |
64 |
+@@ -3577,7 +3577,7 @@ static int cr_interception(struct vcpu_svm *svm) |
65 |
+ kvm_queue_exception(&svm->vcpu, UD_VECTOR); |
66 |
+ return 1; |
67 |
+ } |
68 |
+- kvm_register_write(&svm->vcpu, reg, val); |
69 |
++ kvm_register_writel(&svm->vcpu, reg, val); |
70 |
+ } |
71 |
+ return kvm_complete_insn_gp(&svm->vcpu, err); |
72 |
+ } |
73 |
+@@ -3607,13 +3607,13 @@ static int dr_interception(struct vcpu_svm *svm) |
74 |
+ if (dr >= 16) { /* mov to DRn */ |
75 |
+ if (!kvm_require_dr(&svm->vcpu, dr - 16)) |
76 |
+ return 1; |
77 |
+- val = kvm_register_read(&svm->vcpu, reg); |
78 |
++ val = kvm_register_readl(&svm->vcpu, reg); |
79 |
+ kvm_set_dr(&svm->vcpu, dr - 16, val); |
80 |
+ } else { |
81 |
+ if (!kvm_require_dr(&svm->vcpu, dr)) |
82 |
+ return 1; |
83 |
+ kvm_get_dr(&svm->vcpu, dr, &val); |
84 |
+- kvm_register_write(&svm->vcpu, reg, val); |
85 |
++ kvm_register_writel(&svm->vcpu, reg, val); |
86 |
+ } |
87 |
+ |
88 |
+ return kvm_skip_emulated_instruction(&svm->vcpu); |
89 |
+diff --git a/drivers/firmware/efi/cper.c b/drivers/firmware/efi/cper.c |
90 |
+index 209dc5aefc310..efbb13c6581ec 100644 |
91 |
+--- a/drivers/firmware/efi/cper.c |
92 |
++++ b/drivers/firmware/efi/cper.c |
93 |
+@@ -380,8 +380,7 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg) |
94 |
+ if (!msg || !(mem->validation_bits & CPER_MEM_VALID_MODULE_HANDLE)) |
95 |
+ return 0; |
96 |
+ |
97 |
+- n = 0; |
98 |
+- len = CPER_REC_LEN - 1; |
99 |
++ len = CPER_REC_LEN; |
100 |
+ dmi_memdev_name(mem->mem_dev_handle, &bank, &device); |
101 |
+ if (bank && device) |
102 |
+ n = snprintf(msg, len, "DIMM location: %s %s ", bank, device); |
103 |
+@@ -390,7 +389,6 @@ static int cper_dimm_err_location(struct cper_mem_err_compact *mem, char *msg) |
104 |
+ "DIMM location: not present. DMI handle: 0x%.4x ", |
105 |
+ mem->mem_dev_handle); |
106 |
+ |
107 |
+- msg[n] = '\0'; |
108 |
+ return n; |
109 |
+ } |
110 |
+ |
111 |
+diff --git a/drivers/firmware/efi/memattr.c b/drivers/firmware/efi/memattr.c |
112 |
+index aac972b056d91..e0889922cc6d7 100644 |
113 |
+--- a/drivers/firmware/efi/memattr.c |
114 |
++++ b/drivers/firmware/efi/memattr.c |
115 |
+@@ -69,11 +69,6 @@ static bool entry_is_valid(const efi_memory_desc_t *in, efi_memory_desc_t *out) |
116 |
+ return false; |
117 |
+ } |
118 |
+ |
119 |
+- if (!(in->attribute & (EFI_MEMORY_RO | EFI_MEMORY_XP))) { |
120 |
+- pr_warn("Entry attributes invalid: RO and XP bits both cleared\n"); |
121 |
+- return false; |
122 |
+- } |
123 |
+- |
124 |
+ if (PAGE_SIZE > EFI_PAGE_SIZE && |
125 |
+ (!PAGE_ALIGNED(in->phys_addr) || |
126 |
+ !PAGE_ALIGNED(in->num_pages << EFI_PAGE_SHIFT))) { |
127 |
+diff --git a/drivers/hid/i2c-hid/i2c-hid-core.c b/drivers/hid/i2c-hid/i2c-hid-core.c |
128 |
+index 0294cac4c856d..b16bf43584852 100644 |
129 |
+--- a/drivers/hid/i2c-hid/i2c-hid-core.c |
130 |
++++ b/drivers/hid/i2c-hid/i2c-hid-core.c |
131 |
+@@ -1092,8 +1092,8 @@ static int i2c_hid_probe(struct i2c_client *client, |
132 |
+ hid->vendor = le16_to_cpu(ihid->hdesc.wVendorID); |
133 |
+ hid->product = le16_to_cpu(ihid->hdesc.wProductID); |
134 |
+ |
135 |
+- snprintf(hid->name, sizeof(hid->name), "%s %04hX:%04hX", |
136 |
+- client->name, hid->vendor, hid->product); |
137 |
++ snprintf(hid->name, sizeof(hid->name), "%s %04X:%04X", |
138 |
++ client->name, (u16)hid->vendor, (u16)hid->product); |
139 |
+ strlcpy(hid->phys, dev_name(&client->dev), sizeof(hid->phys)); |
140 |
+ |
141 |
+ ihid->quirks = i2c_hid_lookup_quirk(hid->vendor, hid->product); |
142 |
+diff --git a/drivers/hid/usbhid/hid-pidff.c b/drivers/hid/usbhid/hid-pidff.c |
143 |
+index 08174d341f4a1..bc75f1efa0f4c 100644 |
144 |
+--- a/drivers/hid/usbhid/hid-pidff.c |
145 |
++++ b/drivers/hid/usbhid/hid-pidff.c |
146 |
+@@ -1304,6 +1304,7 @@ int hid_pidff_init(struct hid_device *hid) |
147 |
+ |
148 |
+ if (pidff->pool[PID_DEVICE_MANAGED_POOL].value && |
149 |
+ pidff->pool[PID_DEVICE_MANAGED_POOL].value[0] == 0) { |
150 |
++ error = -EPERM; |
151 |
+ hid_notice(hid, |
152 |
+ "device does not support device managed pool\n"); |
153 |
+ goto fail; |
154 |
+diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt.c b/drivers/net/ethernet/broadcom/bnxt/bnxt.c |
155 |
+index 42af96f2b5f6b..9135c3eccb588 100644 |
156 |
+--- a/drivers/net/ethernet/broadcom/bnxt/bnxt.c |
157 |
++++ b/drivers/net/ethernet/broadcom/bnxt/bnxt.c |
158 |
+@@ -4791,7 +4791,6 @@ static int bnxt_hwrm_func_qcaps(struct bnxt *bp) |
159 |
+ |
160 |
+ pf->fw_fid = le16_to_cpu(resp->fid); |
161 |
+ pf->port_id = le16_to_cpu(resp->port_id); |
162 |
+- bp->dev->dev_port = pf->port_id; |
163 |
+ memcpy(pf->mac_addr, resp->mac_address, ETH_ALEN); |
164 |
+ pf->max_rsscos_ctxs = le16_to_cpu(resp->max_rsscos_ctx); |
165 |
+ pf->max_cp_rings = le16_to_cpu(resp->max_cmpl_rings); |
166 |
+diff --git a/drivers/net/usb/cdc_ncm.c b/drivers/net/usb/cdc_ncm.c |
167 |
+index eef1412c058d3..468db50eb5e7e 100644 |
168 |
+--- a/drivers/net/usb/cdc_ncm.c |
169 |
++++ b/drivers/net/usb/cdc_ncm.c |
170 |
+@@ -1591,6 +1591,15 @@ cdc_ncm_speed_change(struct usbnet *dev, |
171 |
+ uint32_t rx_speed = le32_to_cpu(data->DLBitRRate); |
172 |
+ uint32_t tx_speed = le32_to_cpu(data->ULBitRate); |
173 |
+ |
174 |
++ /* if the speed hasn't changed, don't report it. |
175 |
++ * RTL8156 shipped before 2021 sends notification about every 32ms. |
176 |
++ */ |
177 |
++ if (dev->rx_speed == rx_speed && dev->tx_speed == tx_speed) |
178 |
++ return; |
179 |
++ |
180 |
++ dev->rx_speed = rx_speed; |
181 |
++ dev->tx_speed = tx_speed; |
182 |
++ |
183 |
+ /* |
184 |
+ * Currently the USB-NET API does not support reporting the actual |
185 |
+ * device speed. Do print it instead. |
186 |
+@@ -1634,7 +1643,8 @@ static void cdc_ncm_status(struct usbnet *dev, struct urb *urb) |
187 |
+ * USB_CDC_NOTIFY_NETWORK_CONNECTION notification shall be |
188 |
+ * sent by device after USB_CDC_NOTIFY_SPEED_CHANGE. |
189 |
+ */ |
190 |
+- usbnet_link_change(dev, !!event->wValue, 0); |
191 |
++ if (netif_carrier_ok(dev->net) != !!event->wValue) |
192 |
++ usbnet_link_change(dev, !!event->wValue, 0); |
193 |
+ break; |
194 |
+ |
195 |
+ case USB_CDC_NOTIFY_SPEED_CHANGE: |
196 |
+diff --git a/drivers/vfio/pci/Kconfig b/drivers/vfio/pci/Kconfig |
197 |
+index 24ee2605b9f04..0da884bfc7a80 100644 |
198 |
+--- a/drivers/vfio/pci/Kconfig |
199 |
++++ b/drivers/vfio/pci/Kconfig |
200 |
+@@ -1,6 +1,7 @@ |
201 |
+ config VFIO_PCI |
202 |
+ tristate "VFIO support for PCI devices" |
203 |
+ depends on VFIO && PCI && EVENTFD |
204 |
++ depends on MMU |
205 |
+ select VFIO_VIRQFD |
206 |
+ select IRQ_BYPASS_MANAGER |
207 |
+ help |
208 |
+diff --git a/drivers/vfio/pci/vfio_pci_config.c b/drivers/vfio/pci/vfio_pci_config.c |
209 |
+index a1a26465d224c..86e917f1cc211 100644 |
210 |
+--- a/drivers/vfio/pci/vfio_pci_config.c |
211 |
++++ b/drivers/vfio/pci/vfio_pci_config.c |
212 |
+@@ -1579,7 +1579,7 @@ static int vfio_ecap_init(struct vfio_pci_device *vdev) |
213 |
+ if (len == 0xFF) { |
214 |
+ len = vfio_ext_cap_len(vdev, ecap, epos); |
215 |
+ if (len < 0) |
216 |
+- return ret; |
217 |
++ return len; |
218 |
+ } |
219 |
+ } |
220 |
+ |
221 |
+diff --git a/drivers/vfio/platform/vfio_platform_common.c b/drivers/vfio/platform/vfio_platform_common.c |
222 |
+index aa9e792110e38..f42acc830c245 100644 |
223 |
+--- a/drivers/vfio/platform/vfio_platform_common.c |
224 |
++++ b/drivers/vfio/platform/vfio_platform_common.c |
225 |
+@@ -288,7 +288,7 @@ err_irq: |
226 |
+ vfio_platform_regions_cleanup(vdev); |
227 |
+ err_reg: |
228 |
+ mutex_unlock(&driver_lock); |
229 |
+- module_put(THIS_MODULE); |
230 |
++ module_put(vdev->parent_module); |
231 |
+ return ret; |
232 |
+ } |
233 |
+ |
234 |
+diff --git a/drivers/xen/xen-pciback/vpci.c b/drivers/xen/xen-pciback/vpci.c |
235 |
+index f6ba18191c0f9..30313084f06c1 100644 |
236 |
+--- a/drivers/xen/xen-pciback/vpci.c |
237 |
++++ b/drivers/xen/xen-pciback/vpci.c |
238 |
+@@ -69,7 +69,7 @@ static int __xen_pcibk_add_pci_dev(struct xen_pcibk_device *pdev, |
239 |
+ struct pci_dev *dev, int devid, |
240 |
+ publish_pci_dev_cb publish_cb) |
241 |
+ { |
242 |
+- int err = 0, slot, func = -1; |
243 |
++ int err = 0, slot, func = PCI_FUNC(dev->devfn); |
244 |
+ struct pci_dev_entry *t, *dev_entry; |
245 |
+ struct vpci_dev_data *vpci_dev = pdev->pci_dev_data; |
246 |
+ |
247 |
+@@ -94,23 +94,26 @@ static int __xen_pcibk_add_pci_dev(struct xen_pcibk_device *pdev, |
248 |
+ |
249 |
+ /* |
250 |
+ * Keep multi-function devices together on the virtual PCI bus, except |
251 |
+- * virtual functions. |
252 |
++ * that we want to keep virtual functions at func 0 on their own. They |
253 |
++ * aren't multi-function devices and hence their presence at func 0 |
254 |
++ * may cause guests to not scan the other functions. |
255 |
+ */ |
256 |
+- if (!dev->is_virtfn) { |
257 |
++ if (!dev->is_virtfn || func) { |
258 |
+ for (slot = 0; slot < PCI_SLOT_MAX; slot++) { |
259 |
+ if (list_empty(&vpci_dev->dev_list[slot])) |
260 |
+ continue; |
261 |
+ |
262 |
+ t = list_entry(list_first(&vpci_dev->dev_list[slot]), |
263 |
+ struct pci_dev_entry, list); |
264 |
++ if (t->dev->is_virtfn && !PCI_FUNC(t->dev->devfn)) |
265 |
++ continue; |
266 |
+ |
267 |
+ if (match_slot(dev, t->dev)) { |
268 |
+ pr_info("vpci: %s: assign to virtual slot %d func %d\n", |
269 |
+ pci_name(dev), slot, |
270 |
+- PCI_FUNC(dev->devfn)); |
271 |
++ func); |
272 |
+ list_add_tail(&dev_entry->list, |
273 |
+ &vpci_dev->dev_list[slot]); |
274 |
+- func = PCI_FUNC(dev->devfn); |
275 |
+ goto unlock; |
276 |
+ } |
277 |
+ } |
278 |
+@@ -123,7 +126,6 @@ static int __xen_pcibk_add_pci_dev(struct xen_pcibk_device *pdev, |
279 |
+ pci_name(dev), slot); |
280 |
+ list_add_tail(&dev_entry->list, |
281 |
+ &vpci_dev->dev_list[slot]); |
282 |
+- func = dev->is_virtfn ? 0 : PCI_FUNC(dev->devfn); |
283 |
+ goto unlock; |
284 |
+ } |
285 |
+ } |
286 |
+diff --git a/fs/btrfs/file-item.c b/fs/btrfs/file-item.c |
287 |
+index edd5f152e4487..684517086138c 100644 |
288 |
+--- a/fs/btrfs/file-item.c |
289 |
++++ b/fs/btrfs/file-item.c |
290 |
+@@ -599,7 +599,7 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans, |
291 |
+ u64 end_byte = bytenr + len; |
292 |
+ u64 csum_end; |
293 |
+ struct extent_buffer *leaf; |
294 |
+- int ret; |
295 |
++ int ret = 0; |
296 |
+ u16 csum_size = btrfs_super_csum_size(fs_info->super_copy); |
297 |
+ int blocksize_bits = fs_info->sb->s_blocksize_bits; |
298 |
+ |
299 |
+@@ -615,6 +615,7 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans, |
300 |
+ path->leave_spinning = 1; |
301 |
+ ret = btrfs_search_slot(trans, root, &key, path, -1, 1); |
302 |
+ if (ret > 0) { |
303 |
++ ret = 0; |
304 |
+ if (path->slots[0] == 0) |
305 |
+ break; |
306 |
+ path->slots[0]--; |
307 |
+@@ -671,7 +672,7 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans, |
308 |
+ ret = btrfs_del_items(trans, root, path, |
309 |
+ path->slots[0], del_nr); |
310 |
+ if (ret) |
311 |
+- goto out; |
312 |
++ break; |
313 |
+ if (key.offset == bytenr) |
314 |
+ break; |
315 |
+ } else if (key.offset < bytenr && csum_end > end_byte) { |
316 |
+@@ -715,8 +716,9 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans, |
317 |
+ ret = btrfs_split_item(trans, root, path, &key, offset); |
318 |
+ if (ret && ret != -EAGAIN) { |
319 |
+ btrfs_abort_transaction(trans, ret); |
320 |
+- goto out; |
321 |
++ break; |
322 |
+ } |
323 |
++ ret = 0; |
324 |
+ |
325 |
+ key.offset = end_byte - 1; |
326 |
+ } else { |
327 |
+@@ -726,8 +728,6 @@ int btrfs_del_csums(struct btrfs_trans_handle *trans, |
328 |
+ } |
329 |
+ btrfs_release_path(path); |
330 |
+ } |
331 |
+- ret = 0; |
332 |
+-out: |
333 |
+ btrfs_free_path(path); |
334 |
+ return ret; |
335 |
+ } |
336 |
+diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c |
337 |
+index 035a2e2be156d..f890fdb59915b 100644 |
338 |
+--- a/fs/btrfs/tree-log.c |
339 |
++++ b/fs/btrfs/tree-log.c |
340 |
+@@ -1558,6 +1558,7 @@ static noinline int fixup_inode_link_counts(struct btrfs_trans_handle *trans, |
341 |
+ break; |
342 |
+ |
343 |
+ if (ret == 1) { |
344 |
++ ret = 0; |
345 |
+ if (path->slots[0] == 0) |
346 |
+ break; |
347 |
+ path->slots[0]--; |
348 |
+@@ -1570,17 +1571,19 @@ static noinline int fixup_inode_link_counts(struct btrfs_trans_handle *trans, |
349 |
+ |
350 |
+ ret = btrfs_del_item(trans, root, path); |
351 |
+ if (ret) |
352 |
+- goto out; |
353 |
++ break; |
354 |
+ |
355 |
+ btrfs_release_path(path); |
356 |
+ inode = read_one_inode(root, key.offset); |
357 |
+- if (!inode) |
358 |
+- return -EIO; |
359 |
++ if (!inode) { |
360 |
++ ret = -EIO; |
361 |
++ break; |
362 |
++ } |
363 |
+ |
364 |
+ ret = fixup_inode_link_count(trans, root, inode); |
365 |
+ iput(inode); |
366 |
+ if (ret) |
367 |
+- goto out; |
368 |
++ break; |
369 |
+ |
370 |
+ /* |
371 |
+ * fixup on a directory may create new entries, |
372 |
+@@ -1589,8 +1592,6 @@ static noinline int fixup_inode_link_counts(struct btrfs_trans_handle *trans, |
373 |
+ */ |
374 |
+ key.offset = (u64)-1; |
375 |
+ } |
376 |
+- ret = 0; |
377 |
+-out: |
378 |
+ btrfs_release_path(path); |
379 |
+ return ret; |
380 |
+ } |
381 |
+diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c |
382 |
+index 264332fb0e776..17f6d995576f9 100644 |
383 |
+--- a/fs/ext4/extents.c |
384 |
++++ b/fs/ext4/extents.c |
385 |
+@@ -3275,7 +3275,10 @@ static int ext4_split_extent_at(handle_t *handle, |
386 |
+ ext4_ext_mark_unwritten(ex2); |
387 |
+ |
388 |
+ err = ext4_ext_insert_extent(handle, inode, ppath, &newex, flags); |
389 |
+- if (err == -ENOSPC && (EXT4_EXT_MAY_ZEROOUT & split_flag)) { |
390 |
++ if (err != -ENOSPC && err != -EDQUOT) |
391 |
++ goto out; |
392 |
++ |
393 |
++ if (EXT4_EXT_MAY_ZEROOUT & split_flag) { |
394 |
+ if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) { |
395 |
+ if (split_flag & EXT4_EXT_DATA_VALID1) { |
396 |
+ err = ext4_ext_zeroout(inode, ex2); |
397 |
+@@ -3301,30 +3304,30 @@ static int ext4_split_extent_at(handle_t *handle, |
398 |
+ ext4_ext_pblock(&orig_ex)); |
399 |
+ } |
400 |
+ |
401 |
+- if (err) |
402 |
+- goto fix_extent_len; |
403 |
+- /* update the extent length and mark as initialized */ |
404 |
+- ex->ee_len = cpu_to_le16(ee_len); |
405 |
+- ext4_ext_try_to_merge(handle, inode, path, ex); |
406 |
+- err = ext4_ext_dirty(handle, inode, path + path->p_depth); |
407 |
+- if (err) |
408 |
+- goto fix_extent_len; |
409 |
+- |
410 |
+- /* update extent status tree */ |
411 |
+- err = ext4_zeroout_es(inode, &zero_ex); |
412 |
+- |
413 |
+- goto out; |
414 |
+- } else if (err) |
415 |
+- goto fix_extent_len; |
416 |
+- |
417 |
+-out: |
418 |
+- ext4_ext_show_leaf(inode, path); |
419 |
+- return err; |
420 |
++ if (!err) { |
421 |
++ /* update the extent length and mark as initialized */ |
422 |
++ ex->ee_len = cpu_to_le16(ee_len); |
423 |
++ ext4_ext_try_to_merge(handle, inode, path, ex); |
424 |
++ err = ext4_ext_dirty(handle, inode, path + path->p_depth); |
425 |
++ if (!err) |
426 |
++ /* update extent status tree */ |
427 |
++ err = ext4_zeroout_es(inode, &zero_ex); |
428 |
++ /* If we failed at this point, we don't know in which |
429 |
++ * state the extent tree exactly is so don't try to fix |
430 |
++ * length of the original extent as it may do even more |
431 |
++ * damage. |
432 |
++ */ |
433 |
++ goto out; |
434 |
++ } |
435 |
++ } |
436 |
+ |
437 |
+ fix_extent_len: |
438 |
+ ex->ee_len = orig_ex.ee_len; |
439 |
+ ext4_ext_dirty(handle, inode, path + path->p_depth); |
440 |
+ return err; |
441 |
++out: |
442 |
++ ext4_ext_show_leaf(inode, path); |
443 |
++ return err; |
444 |
+ } |
445 |
+ |
446 |
+ /* |
447 |
+diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c |
448 |
+index baf5c4028fd62..90e658caa8deb 100644 |
449 |
+--- a/fs/ocfs2/file.c |
450 |
++++ b/fs/ocfs2/file.c |
451 |
+@@ -1861,6 +1861,45 @@ out: |
452 |
+ return ret; |
453 |
+ } |
454 |
+ |
455 |
++/* |
456 |
++ * zero out partial blocks of one cluster. |
457 |
++ * |
458 |
++ * start: file offset where zero starts, will be made upper block aligned. |
459 |
++ * len: it will be trimmed to the end of current cluster if "start + len" |
460 |
++ * is bigger than it. |
461 |
++ */ |
462 |
++static int ocfs2_zeroout_partial_cluster(struct inode *inode, |
463 |
++ u64 start, u64 len) |
464 |
++{ |
465 |
++ int ret; |
466 |
++ u64 start_block, end_block, nr_blocks; |
467 |
++ u64 p_block, offset; |
468 |
++ u32 cluster, p_cluster, nr_clusters; |
469 |
++ struct super_block *sb = inode->i_sb; |
470 |
++ u64 end = ocfs2_align_bytes_to_clusters(sb, start); |
471 |
++ |
472 |
++ if (start + len < end) |
473 |
++ end = start + len; |
474 |
++ |
475 |
++ start_block = ocfs2_blocks_for_bytes(sb, start); |
476 |
++ end_block = ocfs2_blocks_for_bytes(sb, end); |
477 |
++ nr_blocks = end_block - start_block; |
478 |
++ if (!nr_blocks) |
479 |
++ return 0; |
480 |
++ |
481 |
++ cluster = ocfs2_bytes_to_clusters(sb, start); |
482 |
++ ret = ocfs2_get_clusters(inode, cluster, &p_cluster, |
483 |
++ &nr_clusters, NULL); |
484 |
++ if (ret) |
485 |
++ return ret; |
486 |
++ if (!p_cluster) |
487 |
++ return 0; |
488 |
++ |
489 |
++ offset = start_block - ocfs2_clusters_to_blocks(sb, cluster); |
490 |
++ p_block = ocfs2_clusters_to_blocks(sb, p_cluster) + offset; |
491 |
++ return sb_issue_zeroout(sb, p_block, nr_blocks, GFP_NOFS); |
492 |
++} |
493 |
++ |
494 |
+ /* |
495 |
+ * Parts of this function taken from xfs_change_file_space() |
496 |
+ */ |
497 |
+@@ -1871,7 +1910,7 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode, |
498 |
+ { |
499 |
+ int ret; |
500 |
+ s64 llen; |
501 |
+- loff_t size; |
502 |
++ loff_t size, orig_isize; |
503 |
+ struct ocfs2_super *osb = OCFS2_SB(inode->i_sb); |
504 |
+ struct buffer_head *di_bh = NULL; |
505 |
+ handle_t *handle; |
506 |
+@@ -1902,6 +1941,7 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode, |
507 |
+ goto out_inode_unlock; |
508 |
+ } |
509 |
+ |
510 |
++ orig_isize = i_size_read(inode); |
511 |
+ switch (sr->l_whence) { |
512 |
+ case 0: /*SEEK_SET*/ |
513 |
+ break; |
514 |
+@@ -1909,7 +1949,7 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode, |
515 |
+ sr->l_start += f_pos; |
516 |
+ break; |
517 |
+ case 2: /*SEEK_END*/ |
518 |
+- sr->l_start += i_size_read(inode); |
519 |
++ sr->l_start += orig_isize; |
520 |
+ break; |
521 |
+ default: |
522 |
+ ret = -EINVAL; |
523 |
+@@ -1963,6 +2003,14 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode, |
524 |
+ default: |
525 |
+ ret = -EINVAL; |
526 |
+ } |
527 |
++ |
528 |
++ /* zeroout eof blocks in the cluster. */ |
529 |
++ if (!ret && change_size && orig_isize < size) { |
530 |
++ ret = ocfs2_zeroout_partial_cluster(inode, orig_isize, |
531 |
++ size - orig_isize); |
532 |
++ if (!ret) |
533 |
++ i_size_write(inode, size); |
534 |
++ } |
535 |
+ up_write(&OCFS2_I(inode)->ip_alloc_sem); |
536 |
+ if (ret) { |
537 |
+ mlog_errno(ret); |
538 |
+@@ -1979,9 +2027,6 @@ static int __ocfs2_change_file_space(struct file *file, struct inode *inode, |
539 |
+ goto out_inode_unlock; |
540 |
+ } |
541 |
+ |
542 |
+- if (change_size && i_size_read(inode) < size) |
543 |
+- i_size_write(inode, size); |
544 |
+- |
545 |
+ inode->i_ctime = inode->i_mtime = current_time(inode); |
546 |
+ ret = ocfs2_mark_inode_dirty(handle, inode, di_bh); |
547 |
+ if (ret < 0) |
548 |
+diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h |
549 |
+index d8b3240cfe6ee..8509484cada4a 100644 |
550 |
+--- a/include/linux/bpf_verifier.h |
551 |
++++ b/include/linux/bpf_verifier.h |
552 |
+@@ -114,10 +114,11 @@ struct bpf_verifier_state_list { |
553 |
+ }; |
554 |
+ |
555 |
+ /* Possible states for alu_state member. */ |
556 |
+-#define BPF_ALU_SANITIZE_SRC 1U |
557 |
+-#define BPF_ALU_SANITIZE_DST 2U |
558 |
++#define BPF_ALU_SANITIZE_SRC (1U << 0) |
559 |
++#define BPF_ALU_SANITIZE_DST (1U << 1) |
560 |
+ #define BPF_ALU_NEG_VALUE (1U << 2) |
561 |
+ #define BPF_ALU_NON_POINTER (1U << 3) |
562 |
++#define BPF_ALU_IMMEDIATE (1U << 4) |
563 |
+ #define BPF_ALU_SANITIZE (BPF_ALU_SANITIZE_SRC | \ |
564 |
+ BPF_ALU_SANITIZE_DST) |
565 |
+ |
566 |
+diff --git a/include/linux/usb/usbnet.h b/include/linux/usb/usbnet.h |
567 |
+index e87a805cbfeff..5df465dc7af8a 100644 |
568 |
+--- a/include/linux/usb/usbnet.h |
569 |
++++ b/include/linux/usb/usbnet.h |
570 |
+@@ -82,6 +82,8 @@ struct usbnet { |
571 |
+ # define EVENT_LINK_CHANGE 11 |
572 |
+ # define EVENT_SET_RX_MODE 12 |
573 |
+ # define EVENT_NO_IP_ALIGN 13 |
574 |
++ u32 rx_speed; /* in bps - NOT Mbps */ |
575 |
++ u32 tx_speed; /* in bps - NOT Mbps */ |
576 |
+ }; |
577 |
+ |
578 |
+ static inline struct usb_driver *driver_of(struct usb_interface *intf) |
579 |
+diff --git a/include/net/caif/caif_dev.h b/include/net/caif/caif_dev.h |
580 |
+index 028b754ae9b17..0baf2e21a533f 100644 |
581 |
+--- a/include/net/caif/caif_dev.h |
582 |
++++ b/include/net/caif/caif_dev.h |
583 |
+@@ -119,7 +119,7 @@ void caif_free_client(struct cflayer *adap_layer); |
584 |
+ * The link_support layer is used to add any Link Layer specific |
585 |
+ * framing. |
586 |
+ */ |
587 |
+-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, |
588 |
++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, |
589 |
+ struct cflayer *link_support, int head_room, |
590 |
+ struct cflayer **layer, int (**rcv_func)( |
591 |
+ struct sk_buff *, struct net_device *, |
592 |
+diff --git a/include/net/caif/cfcnfg.h b/include/net/caif/cfcnfg.h |
593 |
+index 70bfd017581fb..219094ace893c 100644 |
594 |
+--- a/include/net/caif/cfcnfg.h |
595 |
++++ b/include/net/caif/cfcnfg.h |
596 |
+@@ -62,7 +62,7 @@ void cfcnfg_remove(struct cfcnfg *cfg); |
597 |
+ * @fcs: Specify if checksum is used in CAIF Framing Layer. |
598 |
+ * @head_room: Head space needed by link specific protocol. |
599 |
+ */ |
600 |
+-void |
601 |
++int |
602 |
+ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, |
603 |
+ struct net_device *dev, struct cflayer *phy_layer, |
604 |
+ enum cfcnfg_phy_preference pref, |
605 |
+diff --git a/include/net/caif/cfserl.h b/include/net/caif/cfserl.h |
606 |
+index b5b020f3c72eb..bc3fae07a25f9 100644 |
607 |
+--- a/include/net/caif/cfserl.h |
608 |
++++ b/include/net/caif/cfserl.h |
609 |
+@@ -9,4 +9,5 @@ |
610 |
+ #include <net/caif/caif_layer.h> |
611 |
+ |
612 |
+ struct cflayer *cfserl_create(int instance, bool use_stx); |
613 |
++void cfserl_release(struct cflayer *layer); |
614 |
+ #endif |
615 |
+diff --git a/init/main.c b/init/main.c |
616 |
+index 603b1ad88cb68..f0b2411a5fbf9 100644 |
617 |
+--- a/init/main.c |
618 |
++++ b/init/main.c |
619 |
+@@ -1054,7 +1054,7 @@ static noinline void __init kernel_init_freeable(void) |
620 |
+ */ |
621 |
+ set_mems_allowed(node_states[N_MEMORY]); |
622 |
+ |
623 |
+- cad_pid = task_pid(current); |
624 |
++ cad_pid = get_pid(task_pid(current)); |
625 |
+ |
626 |
+ smp_prepare_cpus(setup_max_cpus); |
627 |
+ |
628 |
+diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c |
629 |
+index f28ba90a43a7f..4a3333039bf2a 100644 |
630 |
+--- a/kernel/bpf/verifier.c |
631 |
++++ b/kernel/bpf/verifier.c |
632 |
+@@ -2024,37 +2024,43 @@ static struct bpf_insn_aux_data *cur_aux(struct bpf_verifier_env *env) |
633 |
+ return &env->insn_aux_data[env->insn_idx]; |
634 |
+ } |
635 |
+ |
636 |
++enum { |
637 |
++ REASON_BOUNDS = -1, |
638 |
++ REASON_TYPE = -2, |
639 |
++ REASON_PATHS = -3, |
640 |
++ REASON_LIMIT = -4, |
641 |
++ REASON_STACK = -5, |
642 |
++}; |
643 |
++ |
644 |
+ static int retrieve_ptr_limit(const struct bpf_reg_state *ptr_reg, |
645 |
+- u32 *ptr_limit, u8 opcode, bool off_is_neg) |
646 |
++ u32 *alu_limit, bool mask_to_left) |
647 |
+ { |
648 |
+- bool mask_to_left = (opcode == BPF_ADD && off_is_neg) || |
649 |
+- (opcode == BPF_SUB && !off_is_neg); |
650 |
+- u32 off, max; |
651 |
++ u32 max = 0, ptr_limit = 0; |
652 |
+ |
653 |
+ switch (ptr_reg->type) { |
654 |
+ case PTR_TO_STACK: |
655 |
+ /* Offset 0 is out-of-bounds, but acceptable start for the |
656 |
+- * left direction, see BPF_REG_FP. |
657 |
++ * left direction, see BPF_REG_FP. Also, unknown scalar |
658 |
++ * offset where we would need to deal with min/max bounds is |
659 |
++ * currently prohibited for unprivileged. |
660 |
+ */ |
661 |
+ max = MAX_BPF_STACK + mask_to_left; |
662 |
+- off = ptr_reg->off + ptr_reg->var_off.value; |
663 |
+- if (mask_to_left) |
664 |
+- *ptr_limit = MAX_BPF_STACK + off; |
665 |
+- else |
666 |
+- *ptr_limit = -off - 1; |
667 |
+- return *ptr_limit >= max ? -ERANGE : 0; |
668 |
++ ptr_limit = -(ptr_reg->var_off.value + ptr_reg->off); |
669 |
++ break; |
670 |
+ case PTR_TO_MAP_VALUE: |
671 |
+ max = ptr_reg->map_ptr->value_size; |
672 |
+- if (mask_to_left) { |
673 |
+- *ptr_limit = ptr_reg->umax_value + ptr_reg->off; |
674 |
+- } else { |
675 |
+- off = ptr_reg->smin_value + ptr_reg->off; |
676 |
+- *ptr_limit = ptr_reg->map_ptr->value_size - off - 1; |
677 |
+- } |
678 |
+- return *ptr_limit >= max ? -ERANGE : 0; |
679 |
++ ptr_limit = (mask_to_left ? |
680 |
++ ptr_reg->smin_value : |
681 |
++ ptr_reg->umax_value) + ptr_reg->off; |
682 |
++ break; |
683 |
+ default: |
684 |
+- return -EINVAL; |
685 |
++ return REASON_TYPE; |
686 |
+ } |
687 |
++ |
688 |
++ if (ptr_limit >= max) |
689 |
++ return REASON_LIMIT; |
690 |
++ *alu_limit = ptr_limit; |
691 |
++ return 0; |
692 |
+ } |
693 |
+ |
694 |
+ static bool can_skip_alu_sanitation(const struct bpf_verifier_env *env, |
695 |
+@@ -2072,7 +2078,7 @@ static int update_alu_sanitation_state(struct bpf_insn_aux_data *aux, |
696 |
+ if (aux->alu_state && |
697 |
+ (aux->alu_state != alu_state || |
698 |
+ aux->alu_limit != alu_limit)) |
699 |
+- return -EACCES; |
700 |
++ return REASON_PATHS; |
701 |
+ |
702 |
+ /* Corresponding fixup done in fixup_bpf_calls(). */ |
703 |
+ aux->alu_state = alu_state; |
704 |
+@@ -2091,14 +2097,28 @@ static int sanitize_val_alu(struct bpf_verifier_env *env, |
705 |
+ return update_alu_sanitation_state(aux, BPF_ALU_NON_POINTER, 0); |
706 |
+ } |
707 |
+ |
708 |
++static bool sanitize_needed(u8 opcode) |
709 |
++{ |
710 |
++ return opcode == BPF_ADD || opcode == BPF_SUB; |
711 |
++} |
712 |
++ |
713 |
++struct bpf_sanitize_info { |
714 |
++ struct bpf_insn_aux_data aux; |
715 |
++ bool mask_to_left; |
716 |
++}; |
717 |
++ |
718 |
+ static int sanitize_ptr_alu(struct bpf_verifier_env *env, |
719 |
+ struct bpf_insn *insn, |
720 |
+ const struct bpf_reg_state *ptr_reg, |
721 |
++ const struct bpf_reg_state *off_reg, |
722 |
+ struct bpf_reg_state *dst_reg, |
723 |
+- bool off_is_neg) |
724 |
++ struct bpf_sanitize_info *info, |
725 |
++ const bool commit_window) |
726 |
+ { |
727 |
++ struct bpf_insn_aux_data *aux = commit_window ? cur_aux(env) : &info->aux; |
728 |
+ struct bpf_verifier_state *vstate = env->cur_state; |
729 |
+- struct bpf_insn_aux_data *aux = cur_aux(env); |
730 |
++ bool off_is_imm = tnum_is_const(off_reg->var_off); |
731 |
++ bool off_is_neg = off_reg->smin_value < 0; |
732 |
+ bool ptr_is_dst_reg = ptr_reg == dst_reg; |
733 |
+ u8 opcode = BPF_OP(insn->code); |
734 |
+ u32 alu_state, alu_limit; |
735 |
+@@ -2116,18 +2136,47 @@ static int sanitize_ptr_alu(struct bpf_verifier_env *env, |
736 |
+ if (vstate->speculative) |
737 |
+ goto do_sim; |
738 |
+ |
739 |
+- alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; |
740 |
+- alu_state |= ptr_is_dst_reg ? |
741 |
+- BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; |
742 |
++ if (!commit_window) { |
743 |
++ if (!tnum_is_const(off_reg->var_off) && |
744 |
++ (off_reg->smin_value < 0) != (off_reg->smax_value < 0)) |
745 |
++ return REASON_BOUNDS; |
746 |
+ |
747 |
+- err = retrieve_ptr_limit(ptr_reg, &alu_limit, opcode, off_is_neg); |
748 |
++ info->mask_to_left = (opcode == BPF_ADD && off_is_neg) || |
749 |
++ (opcode == BPF_SUB && !off_is_neg); |
750 |
++ } |
751 |
++ |
752 |
++ err = retrieve_ptr_limit(ptr_reg, &alu_limit, info->mask_to_left); |
753 |
+ if (err < 0) |
754 |
+ return err; |
755 |
+ |
756 |
++ if (commit_window) { |
757 |
++ /* In commit phase we narrow the masking window based on |
758 |
++ * the observed pointer move after the simulated operation. |
759 |
++ */ |
760 |
++ alu_state = info->aux.alu_state; |
761 |
++ alu_limit = abs(info->aux.alu_limit - alu_limit); |
762 |
++ } else { |
763 |
++ alu_state = off_is_neg ? BPF_ALU_NEG_VALUE : 0; |
764 |
++ alu_state |= off_is_imm ? BPF_ALU_IMMEDIATE : 0; |
765 |
++ alu_state |= ptr_is_dst_reg ? |
766 |
++ BPF_ALU_SANITIZE_SRC : BPF_ALU_SANITIZE_DST; |
767 |
++ } |
768 |
++ |
769 |
+ err = update_alu_sanitation_state(aux, alu_state, alu_limit); |
770 |
+ if (err < 0) |
771 |
+ return err; |
772 |
+ do_sim: |
773 |
++ /* If we're in commit phase, we're done here given we already |
774 |
++ * pushed the truncated dst_reg into the speculative verification |
775 |
++ * stack. |
776 |
++ * |
777 |
++ * Also, when register is a known constant, we rewrite register-based |
778 |
++ * operation to immediate-based, and thus do not need masking (and as |
779 |
++ * a consequence, do not need to simulate the zero-truncation either). |
780 |
++ */ |
781 |
++ if (commit_window || off_is_imm) |
782 |
++ return 0; |
783 |
++ |
784 |
+ /* Simulate and find potential out-of-bounds access under |
785 |
+ * speculative execution from truncation as a result of |
786 |
+ * masking when off was not within expected range. If off |
787 |
+@@ -2144,7 +2193,81 @@ do_sim: |
788 |
+ ret = push_stack(env, env->insn_idx + 1, env->insn_idx, true); |
789 |
+ if (!ptr_is_dst_reg && ret) |
790 |
+ *dst_reg = tmp; |
791 |
+- return !ret ? -EFAULT : 0; |
792 |
++ return !ret ? REASON_STACK : 0; |
793 |
++} |
794 |
++ |
795 |
++static int sanitize_err(struct bpf_verifier_env *env, |
796 |
++ const struct bpf_insn *insn, int reason, |
797 |
++ const struct bpf_reg_state *off_reg, |
798 |
++ const struct bpf_reg_state *dst_reg) |
799 |
++{ |
800 |
++ static const char *err = "pointer arithmetic with it prohibited for !root"; |
801 |
++ const char *op = BPF_OP(insn->code) == BPF_ADD ? "add" : "sub"; |
802 |
++ u32 dst = insn->dst_reg, src = insn->src_reg; |
803 |
++ |
804 |
++ switch (reason) { |
805 |
++ case REASON_BOUNDS: |
806 |
++ verbose("R%d has unknown scalar with mixed signed bounds, %s\n", |
807 |
++ off_reg == dst_reg ? dst : src, err); |
808 |
++ break; |
809 |
++ case REASON_TYPE: |
810 |
++ verbose("R%d has pointer with unsupported alu operation, %s\n", |
811 |
++ off_reg == dst_reg ? src : dst, err); |
812 |
++ break; |
813 |
++ case REASON_PATHS: |
814 |
++ verbose("R%d tried to %s from different maps, paths or scalars, %s\n", |
815 |
++ dst, op, err); |
816 |
++ break; |
817 |
++ case REASON_LIMIT: |
818 |
++ verbose("R%d tried to %s beyond pointer bounds, %s\n", |
819 |
++ dst, op, err); |
820 |
++ break; |
821 |
++ case REASON_STACK: |
822 |
++ verbose("R%d could not be pushed for speculative verification, %s\n", |
823 |
++ dst, err); |
824 |
++ break; |
825 |
++ default: |
826 |
++ verbose("verifier internal error: unknown reason (%d)\n", |
827 |
++ reason); |
828 |
++ break; |
829 |
++ } |
830 |
++ |
831 |
++ return -EACCES; |
832 |
++} |
833 |
++ |
834 |
++static int sanitize_check_bounds(struct bpf_verifier_env *env, |
835 |
++ const struct bpf_insn *insn, |
836 |
++ const struct bpf_reg_state *dst_reg) |
837 |
++{ |
838 |
++ u32 dst = insn->dst_reg; |
839 |
++ |
840 |
++ /* For unprivileged we require that resulting offset must be in bounds |
841 |
++ * in order to be able to sanitize access later on. |
842 |
++ */ |
843 |
++ if (env->allow_ptr_leaks) |
844 |
++ return 0; |
845 |
++ |
846 |
++ switch (dst_reg->type) { |
847 |
++ case PTR_TO_STACK: |
848 |
++ if (check_stack_access(env, dst_reg, dst_reg->off + |
849 |
++ dst_reg->var_off.value, 1)) { |
850 |
++ verbose("R%d stack pointer arithmetic goes out of range, " |
851 |
++ "prohibited for !root\n", dst); |
852 |
++ return -EACCES; |
853 |
++ } |
854 |
++ break; |
855 |
++ case PTR_TO_MAP_VALUE: |
856 |
++ if (check_map_access(env, dst, dst_reg->off, 1)) { |
857 |
++ verbose("R%d pointer arithmetic of map value goes out of range, " |
858 |
++ "prohibited for !root\n", dst); |
859 |
++ return -EACCES; |
860 |
++ } |
861 |
++ break; |
862 |
++ default: |
863 |
++ break; |
864 |
++ } |
865 |
++ |
866 |
++ return 0; |
867 |
+ } |
868 |
+ |
869 |
+ /* Handles arithmetic on a pointer and a scalar: computes new min/max and var_off. |
870 |
+@@ -2163,8 +2286,9 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
871 |
+ smin_ptr = ptr_reg->smin_value, smax_ptr = ptr_reg->smax_value; |
872 |
+ u64 umin_val = off_reg->umin_value, umax_val = off_reg->umax_value, |
873 |
+ umin_ptr = ptr_reg->umin_value, umax_ptr = ptr_reg->umax_value; |
874 |
+- u32 dst = insn->dst_reg, src = insn->src_reg; |
875 |
++ struct bpf_sanitize_info info = {}; |
876 |
+ u8 opcode = BPF_OP(insn->code); |
877 |
++ u32 dst = insn->dst_reg; |
878 |
+ int ret; |
879 |
+ |
880 |
+ dst_reg = ®s[dst]; |
881 |
+@@ -2180,37 +2304,26 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
882 |
+ |
883 |
+ if (BPF_CLASS(insn->code) != BPF_ALU64) { |
884 |
+ /* 32-bit ALU ops on pointers produce (meaningless) scalars */ |
885 |
+- if (!env->allow_ptr_leaks) |
886 |
+- verbose("R%d 32-bit pointer arithmetic prohibited\n", |
887 |
+- dst); |
888 |
++ verbose("R%d 32-bit pointer arithmetic prohibited\n", |
889 |
++ dst); |
890 |
+ return -EACCES; |
891 |
+ } |
892 |
+ |
893 |
+ if (ptr_reg->type == PTR_TO_MAP_VALUE_OR_NULL) { |
894 |
+- if (!env->allow_ptr_leaks) |
895 |
+- verbose("R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n", |
896 |
+- dst); |
897 |
++ verbose("R%d pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL prohibited, null-check it first\n", |
898 |
++ dst); |
899 |
+ return -EACCES; |
900 |
+ } |
901 |
+ if (ptr_reg->type == CONST_PTR_TO_MAP) { |
902 |
+- if (!env->allow_ptr_leaks) |
903 |
+- verbose("R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n", |
904 |
+- dst); |
905 |
++ verbose("R%d pointer arithmetic on CONST_PTR_TO_MAP prohibited\n", |
906 |
++ dst); |
907 |
+ return -EACCES; |
908 |
+ } |
909 |
+ if (ptr_reg->type == PTR_TO_PACKET_END) { |
910 |
+- if (!env->allow_ptr_leaks) |
911 |
+- verbose("R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n", |
912 |
+- dst); |
913 |
++ verbose("R%d pointer arithmetic on PTR_TO_PACKET_END prohibited\n", |
914 |
++ dst); |
915 |
+ return -EACCES; |
916 |
+ } |
917 |
+- if (ptr_reg->type == PTR_TO_MAP_VALUE) { |
918 |
+- if (!env->allow_ptr_leaks && !known && (smin_val < 0) != (smax_val < 0)) { |
919 |
+- verbose("R%d has unknown scalar with mixed signed bounds, pointer arithmetic with it prohibited for !root\n", |
920 |
+- off_reg == dst_reg ? dst : src); |
921 |
+- return -EACCES; |
922 |
+- } |
923 |
+- } |
924 |
+ |
925 |
+ /* In case of 'scalar += pointer', dst_reg inherits pointer type and id. |
926 |
+ * The id may be overwritten later if we create a new variable offset. |
927 |
+@@ -2222,13 +2335,15 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
928 |
+ !check_reg_sane_offset(env, ptr_reg, ptr_reg->type)) |
929 |
+ return -EINVAL; |
930 |
+ |
931 |
++ if (sanitize_needed(opcode)) { |
932 |
++ ret = sanitize_ptr_alu(env, insn, ptr_reg, off_reg, dst_reg, |
933 |
++ &info, false); |
934 |
++ if (ret < 0) |
935 |
++ return sanitize_err(env, insn, ret, off_reg, dst_reg); |
936 |
++ } |
937 |
++ |
938 |
+ switch (opcode) { |
939 |
+ case BPF_ADD: |
940 |
+- ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); |
941 |
+- if (ret < 0) { |
942 |
+- verbose("R%d tried to add from different maps, paths, or prohibited types\n", dst); |
943 |
+- return ret; |
944 |
+- } |
945 |
+ /* We can take a fixed offset as long as it doesn't overflow |
946 |
+ * the s32 'off' field |
947 |
+ */ |
948 |
+@@ -2279,16 +2394,10 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
949 |
+ } |
950 |
+ break; |
951 |
+ case BPF_SUB: |
952 |
+- ret = sanitize_ptr_alu(env, insn, ptr_reg, dst_reg, smin_val < 0); |
953 |
+- if (ret < 0) { |
954 |
+- verbose("R%d tried to sub from different maps, paths, or prohibited types\n", dst); |
955 |
+- return ret; |
956 |
+- } |
957 |
+ if (dst_reg == off_reg) { |
958 |
+ /* scalar -= pointer. Creates an unknown scalar */ |
959 |
+- if (!env->allow_ptr_leaks) |
960 |
+- verbose("R%d tried to subtract pointer from scalar\n", |
961 |
+- dst); |
962 |
++ verbose("R%d tried to subtract pointer from scalar\n", |
963 |
++ dst); |
964 |
+ return -EACCES; |
965 |
+ } |
966 |
+ /* We don't allow subtraction from FP, because (according to |
967 |
+@@ -2296,9 +2405,8 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
968 |
+ * be able to deal with it. |
969 |
+ */ |
970 |
+ if (ptr_reg->type == PTR_TO_STACK) { |
971 |
+- if (!env->allow_ptr_leaks) |
972 |
+- verbose("R%d subtraction from stack pointer prohibited\n", |
973 |
+- dst); |
974 |
++ verbose("R%d subtraction from stack pointer prohibited\n", |
975 |
++ dst); |
976 |
+ return -EACCES; |
977 |
+ } |
978 |
+ if (known && (ptr_reg->off - smin_val == |
979 |
+@@ -2348,19 +2456,14 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
980 |
+ case BPF_AND: |
981 |
+ case BPF_OR: |
982 |
+ case BPF_XOR: |
983 |
+- /* bitwise ops on pointers are troublesome, prohibit for now. |
984 |
+- * (However, in principle we could allow some cases, e.g. |
985 |
+- * ptr &= ~3 which would reduce min_value by 3.) |
986 |
+- */ |
987 |
+- if (!env->allow_ptr_leaks) |
988 |
+- verbose("R%d bitwise operator %s on pointer prohibited\n", |
989 |
+- dst, bpf_alu_string[opcode >> 4]); |
990 |
++ /* bitwise ops on pointers are troublesome. */ |
991 |
++ verbose("R%d bitwise operator %s on pointer prohibited\n", |
992 |
++ dst, bpf_alu_string[opcode >> 4]); |
993 |
+ return -EACCES; |
994 |
+ default: |
995 |
+ /* other operators (e.g. MUL,LSH) produce non-pointer results */ |
996 |
+- if (!env->allow_ptr_leaks) |
997 |
+- verbose("R%d pointer arithmetic with %s operator prohibited\n", |
998 |
+- dst, bpf_alu_string[opcode >> 4]); |
999 |
++ verbose("R%d pointer arithmetic with %s operator prohibited\n", |
1000 |
++ dst, bpf_alu_string[opcode >> 4]); |
1001 |
+ return -EACCES; |
1002 |
+ } |
1003 |
+ |
1004 |
+@@ -2371,22 +2474,13 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, |
1005 |
+ __reg_deduce_bounds(dst_reg); |
1006 |
+ __reg_bound_offset(dst_reg); |
1007 |
+ |
1008 |
+- /* For unprivileged we require that resulting offset must be in bounds |
1009 |
+- * in order to be able to sanitize access later on. |
1010 |
+- */ |
1011 |
+- if (!env->allow_ptr_leaks) { |
1012 |
+- if (dst_reg->type == PTR_TO_MAP_VALUE && |
1013 |
+- check_map_access(env, dst, dst_reg->off, 1)) { |
1014 |
+- verbose("R%d pointer arithmetic of map value goes out of range, " |
1015 |
+- "prohibited for !root\n", dst); |
1016 |
+- return -EACCES; |
1017 |
+- } else if (dst_reg->type == PTR_TO_STACK && |
1018 |
+- check_stack_access(env, dst_reg, dst_reg->off + |
1019 |
+- dst_reg->var_off.value, 1)) { |
1020 |
+- verbose("R%d stack pointer arithmetic goes out of range, " |
1021 |
+- "prohibited for !root\n", dst); |
1022 |
+- return -EACCES; |
1023 |
+- } |
1024 |
++ if (sanitize_check_bounds(env, insn, dst_reg) < 0) |
1025 |
++ return -EACCES; |
1026 |
++ if (sanitize_needed(opcode)) { |
1027 |
++ ret = sanitize_ptr_alu(env, insn, dst_reg, off_reg, dst_reg, |
1028 |
++ &info, true); |
1029 |
++ if (ret < 0) |
1030 |
++ return sanitize_err(env, insn, ret, off_reg, dst_reg); |
1031 |
+ } |
1032 |
+ |
1033 |
+ return 0; |
1034 |
+@@ -2407,7 +2501,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, |
1035 |
+ s64 smin_val, smax_val; |
1036 |
+ u64 umin_val, umax_val; |
1037 |
+ u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; |
1038 |
+- u32 dst = insn->dst_reg; |
1039 |
+ int ret; |
1040 |
+ |
1041 |
+ if (insn_bitness == 32) { |
1042 |
+@@ -2441,13 +2534,14 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, |
1043 |
+ return 0; |
1044 |
+ } |
1045 |
+ |
1046 |
++ if (sanitize_needed(opcode)) { |
1047 |
++ ret = sanitize_val_alu(env, insn); |
1048 |
++ if (ret < 0) |
1049 |
++ return sanitize_err(env, insn, ret, NULL, NULL); |
1050 |
++ } |
1051 |
++ |
1052 |
+ switch (opcode) { |
1053 |
+ case BPF_ADD: |
1054 |
+- ret = sanitize_val_alu(env, insn); |
1055 |
+- if (ret < 0) { |
1056 |
+- verbose("R%d tried to add from different pointers or scalars\n", dst); |
1057 |
+- return ret; |
1058 |
+- } |
1059 |
+ if (signed_add_overflows(dst_reg->smin_value, smin_val) || |
1060 |
+ signed_add_overflows(dst_reg->smax_value, smax_val)) { |
1061 |
+ dst_reg->smin_value = S64_MIN; |
1062 |
+@@ -2467,11 +2561,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, |
1063 |
+ dst_reg->var_off = tnum_add(dst_reg->var_off, src_reg.var_off); |
1064 |
+ break; |
1065 |
+ case BPF_SUB: |
1066 |
+- ret = sanitize_val_alu(env, insn); |
1067 |
+- if (ret < 0) { |
1068 |
+- verbose("R%d tried to sub from different pointers or scalars\n", dst); |
1069 |
+- return ret; |
1070 |
+- } |
1071 |
+ if (signed_sub_overflows(dst_reg->smin_value, smax_val) || |
1072 |
+ signed_sub_overflows(dst_reg->smax_value, smin_val)) { |
1073 |
+ /* Overflow possible, we know nothing */ |
1074 |
+@@ -2664,7 +2753,6 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, |
1075 |
+ struct bpf_reg_state *regs = cur_regs(env), *dst_reg, *src_reg; |
1076 |
+ struct bpf_reg_state *ptr_reg = NULL, off_reg = {0}; |
1077 |
+ u8 opcode = BPF_OP(insn->code); |
1078 |
+- int rc; |
1079 |
+ |
1080 |
+ dst_reg = ®s[insn->dst_reg]; |
1081 |
+ src_reg = NULL; |
1082 |
+@@ -2675,43 +2763,29 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, |
1083 |
+ if (src_reg->type != SCALAR_VALUE) { |
1084 |
+ if (dst_reg->type != SCALAR_VALUE) { |
1085 |
+ /* Combining two pointers by any ALU op yields |
1086 |
+- * an arbitrary scalar. |
1087 |
++ * an arbitrary scalar. Disallow all math except |
1088 |
++ * pointer subtraction |
1089 |
+ */ |
1090 |
+- if (!env->allow_ptr_leaks) { |
1091 |
+- verbose("R%d pointer %s pointer prohibited\n", |
1092 |
+- insn->dst_reg, |
1093 |
+- bpf_alu_string[opcode >> 4]); |
1094 |
+- return -EACCES; |
1095 |
++ if (opcode == BPF_SUB && env->allow_ptr_leaks) { |
1096 |
++ mark_reg_unknown(regs, insn->dst_reg); |
1097 |
++ return 0; |
1098 |
+ } |
1099 |
+- mark_reg_unknown(regs, insn->dst_reg); |
1100 |
+- return 0; |
1101 |
++ verbose("R%d pointer %s pointer prohibited\n", |
1102 |
++ insn->dst_reg, |
1103 |
++ bpf_alu_string[opcode >> 4]); |
1104 |
++ return -EACCES; |
1105 |
+ } else { |
1106 |
+ /* scalar += pointer |
1107 |
+ * This is legal, but we have to reverse our |
1108 |
+ * src/dest handling in computing the range |
1109 |
+ */ |
1110 |
+- rc = adjust_ptr_min_max_vals(env, insn, |
1111 |
+- src_reg, dst_reg); |
1112 |
+- if (rc == -EACCES && env->allow_ptr_leaks) { |
1113 |
+- /* scalar += unknown scalar */ |
1114 |
+- __mark_reg_unknown(&off_reg); |
1115 |
+- return adjust_scalar_min_max_vals( |
1116 |
+- env, insn, |
1117 |
+- dst_reg, off_reg); |
1118 |
+- } |
1119 |
+- return rc; |
1120 |
++ return adjust_ptr_min_max_vals(env, insn, |
1121 |
++ src_reg, dst_reg); |
1122 |
+ } |
1123 |
+ } else if (ptr_reg) { |
1124 |
+ /* pointer += scalar */ |
1125 |
+- rc = adjust_ptr_min_max_vals(env, insn, |
1126 |
+- dst_reg, src_reg); |
1127 |
+- if (rc == -EACCES && env->allow_ptr_leaks) { |
1128 |
+- /* unknown scalar += scalar */ |
1129 |
+- __mark_reg_unknown(dst_reg); |
1130 |
+- return adjust_scalar_min_max_vals( |
1131 |
+- env, insn, dst_reg, *src_reg); |
1132 |
+- } |
1133 |
+- return rc; |
1134 |
++ return adjust_ptr_min_max_vals(env, insn, |
1135 |
++ dst_reg, src_reg); |
1136 |
+ } |
1137 |
+ } else { |
1138 |
+ /* Pretend the src is a reg with a known value, since we only |
1139 |
+@@ -2720,17 +2794,9 @@ static int adjust_reg_min_max_vals(struct bpf_verifier_env *env, |
1140 |
+ off_reg.type = SCALAR_VALUE; |
1141 |
+ __mark_reg_known(&off_reg, insn->imm); |
1142 |
+ src_reg = &off_reg; |
1143 |
+- if (ptr_reg) { /* pointer += K */ |
1144 |
+- rc = adjust_ptr_min_max_vals(env, insn, |
1145 |
+- ptr_reg, src_reg); |
1146 |
+- if (rc == -EACCES && env->allow_ptr_leaks) { |
1147 |
+- /* unknown scalar += K */ |
1148 |
+- __mark_reg_unknown(dst_reg); |
1149 |
+- return adjust_scalar_min_max_vals( |
1150 |
+- env, insn, dst_reg, off_reg); |
1151 |
+- } |
1152 |
+- return rc; |
1153 |
+- } |
1154 |
++ if (ptr_reg) /* pointer += K */ |
1155 |
++ return adjust_ptr_min_max_vals(env, insn, |
1156 |
++ ptr_reg, src_reg); |
1157 |
+ } |
1158 |
+ |
1159 |
+ /* Got here implies adding two SCALAR_VALUEs */ |
1160 |
+@@ -4796,7 +4862,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) |
1161 |
+ const u8 code_sub = BPF_ALU64 | BPF_SUB | BPF_X; |
1162 |
+ struct bpf_insn insn_buf[16]; |
1163 |
+ struct bpf_insn *patch = &insn_buf[0]; |
1164 |
+- bool issrc, isneg; |
1165 |
++ bool issrc, isneg, isimm; |
1166 |
+ u32 off_reg; |
1167 |
+ |
1168 |
+ aux = &env->insn_aux_data[i + delta]; |
1169 |
+@@ -4807,16 +4873,21 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) |
1170 |
+ isneg = aux->alu_state & BPF_ALU_NEG_VALUE; |
1171 |
+ issrc = (aux->alu_state & BPF_ALU_SANITIZE) == |
1172 |
+ BPF_ALU_SANITIZE_SRC; |
1173 |
++ isimm = aux->alu_state & BPF_ALU_IMMEDIATE; |
1174 |
+ |
1175 |
+ off_reg = issrc ? insn->src_reg : insn->dst_reg; |
1176 |
+- if (isneg) |
1177 |
+- *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); |
1178 |
+- *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); |
1179 |
+- *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); |
1180 |
+- *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); |
1181 |
+- *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); |
1182 |
+- *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63); |
1183 |
+- *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg); |
1184 |
++ if (isimm) { |
1185 |
++ *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); |
1186 |
++ } else { |
1187 |
++ if (isneg) |
1188 |
++ *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); |
1189 |
++ *patch++ = BPF_MOV32_IMM(BPF_REG_AX, aux->alu_limit); |
1190 |
++ *patch++ = BPF_ALU64_REG(BPF_SUB, BPF_REG_AX, off_reg); |
1191 |
++ *patch++ = BPF_ALU64_REG(BPF_OR, BPF_REG_AX, off_reg); |
1192 |
++ *patch++ = BPF_ALU64_IMM(BPF_NEG, BPF_REG_AX, 0); |
1193 |
++ *patch++ = BPF_ALU64_IMM(BPF_ARSH, BPF_REG_AX, 63); |
1194 |
++ *patch++ = BPF_ALU64_REG(BPF_AND, BPF_REG_AX, off_reg); |
1195 |
++ } |
1196 |
+ if (!issrc) |
1197 |
+ *patch++ = BPF_MOV64_REG(insn->dst_reg, insn->src_reg); |
1198 |
+ insn->src_reg = BPF_REG_AX; |
1199 |
+@@ -4824,7 +4895,7 @@ static int fixup_bpf_calls(struct bpf_verifier_env *env) |
1200 |
+ insn->code = insn->code == code_add ? |
1201 |
+ code_sub : code_add; |
1202 |
+ *patch++ = *insn; |
1203 |
+- if (issrc && isneg) |
1204 |
++ if (issrc && isneg && !isimm) |
1205 |
+ *patch++ = BPF_ALU64_IMM(BPF_MUL, off_reg, -1); |
1206 |
+ cnt = patch - insn_buf; |
1207 |
+ |
1208 |
+diff --git a/kernel/sched/fair.c b/kernel/sched/fair.c |
1209 |
+index 81096dd0ca0c5..37ac76dce9089 100644 |
1210 |
+--- a/kernel/sched/fair.c |
1211 |
++++ b/kernel/sched/fair.c |
1212 |
+@@ -5779,6 +5779,7 @@ static inline int select_idle_smt(struct task_struct *p, struct sched_domain *sd |
1213 |
+ */ |
1214 |
+ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, int target) |
1215 |
+ { |
1216 |
++ struct cpumask *cpus = this_cpu_cpumask_var_ptr(select_idle_mask); |
1217 |
+ struct sched_domain *this_sd; |
1218 |
+ u64 avg_cost, avg_idle; |
1219 |
+ u64 time, cost; |
1220 |
+@@ -5809,11 +5810,11 @@ static int select_idle_cpu(struct task_struct *p, struct sched_domain *sd, int t |
1221 |
+ |
1222 |
+ time = local_clock(); |
1223 |
+ |
1224 |
+- for_each_cpu_wrap(cpu, sched_domain_span(sd), target) { |
1225 |
++ cpumask_and(cpus, sched_domain_span(sd), &p->cpus_allowed); |
1226 |
++ |
1227 |
++ for_each_cpu_wrap(cpu, cpus, target) { |
1228 |
+ if (!--nr) |
1229 |
+ return -1; |
1230 |
+- if (!cpumask_test_cpu(cpu, &p->cpus_allowed)) |
1231 |
+- continue; |
1232 |
+ if (idle_cpu(cpu)) |
1233 |
+ break; |
1234 |
+ } |
1235 |
+diff --git a/mm/hugetlb.c b/mm/hugetlb.c |
1236 |
+index e59e0f7ed5620..0dc181290d1fb 100644 |
1237 |
+--- a/mm/hugetlb.c |
1238 |
++++ b/mm/hugetlb.c |
1239 |
+@@ -4099,10 +4099,20 @@ int hugetlb_mcopy_atomic_pte(struct mm_struct *dst_mm, |
1240 |
+ struct page *page; |
1241 |
+ |
1242 |
+ if (!*pagep) { |
1243 |
+- ret = -ENOMEM; |
1244 |
++ /* If a page already exists, then it's UFFDIO_COPY for |
1245 |
++ * a non-missing case. Return -EEXIST. |
1246 |
++ */ |
1247 |
++ if (vm_shared && |
1248 |
++ hugetlbfs_pagecache_present(h, dst_vma, dst_addr)) { |
1249 |
++ ret = -EEXIST; |
1250 |
++ goto out; |
1251 |
++ } |
1252 |
++ |
1253 |
+ page = alloc_huge_page(dst_vma, dst_addr, 0); |
1254 |
+- if (IS_ERR(page)) |
1255 |
++ if (IS_ERR(page)) { |
1256 |
++ ret = -ENOMEM; |
1257 |
+ goto out; |
1258 |
++ } |
1259 |
+ |
1260 |
+ ret = copy_huge_page_from_user(page, |
1261 |
+ (const void __user *) src_addr, |
1262 |
+diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c |
1263 |
+index bf1263c1bc766..ba5c899d1edfa 100644 |
1264 |
+--- a/net/bluetooth/hci_core.c |
1265 |
++++ b/net/bluetooth/hci_core.c |
1266 |
+@@ -1458,8 +1458,13 @@ static int hci_dev_do_open(struct hci_dev *hdev) |
1267 |
+ } else { |
1268 |
+ /* Init failed, cleanup */ |
1269 |
+ flush_work(&hdev->tx_work); |
1270 |
+- flush_work(&hdev->cmd_work); |
1271 |
++ |
1272 |
++ /* Since hci_rx_work() is possible to awake new cmd_work |
1273 |
++ * it should be flushed first to avoid unexpected call of |
1274 |
++ * hci_cmd_work() |
1275 |
++ */ |
1276 |
+ flush_work(&hdev->rx_work); |
1277 |
++ flush_work(&hdev->cmd_work); |
1278 |
+ |
1279 |
+ skb_queue_purge(&hdev->cmd_q); |
1280 |
+ skb_queue_purge(&hdev->rx_q); |
1281 |
+diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c |
1282 |
+index 93093d7c38240..120064e9cb2be 100644 |
1283 |
+--- a/net/bluetooth/hci_sock.c |
1284 |
++++ b/net/bluetooth/hci_sock.c |
1285 |
+@@ -750,7 +750,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) |
1286 |
+ /* Detach sockets from device */ |
1287 |
+ read_lock(&hci_sk_list.lock); |
1288 |
+ sk_for_each(sk, &hci_sk_list.head) { |
1289 |
+- bh_lock_sock_nested(sk); |
1290 |
++ lock_sock(sk); |
1291 |
+ if (hci_pi(sk)->hdev == hdev) { |
1292 |
+ hci_pi(sk)->hdev = NULL; |
1293 |
+ sk->sk_err = EPIPE; |
1294 |
+@@ -759,7 +759,7 @@ void hci_sock_dev_event(struct hci_dev *hdev, int event) |
1295 |
+ |
1296 |
+ hci_dev_put(hdev); |
1297 |
+ } |
1298 |
+- bh_unlock_sock(sk); |
1299 |
++ release_sock(sk); |
1300 |
+ } |
1301 |
+ read_unlock(&hci_sk_list.lock); |
1302 |
+ } |
1303 |
+diff --git a/net/caif/caif_dev.c b/net/caif/caif_dev.c |
1304 |
+index 98b62a7990aa2..e1f9c9537e0f5 100644 |
1305 |
+--- a/net/caif/caif_dev.c |
1306 |
++++ b/net/caif/caif_dev.c |
1307 |
+@@ -303,7 +303,7 @@ static void dev_flowctrl(struct net_device *dev, int on) |
1308 |
+ caifd_put(caifd); |
1309 |
+ } |
1310 |
+ |
1311 |
+-void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, |
1312 |
++int caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, |
1313 |
+ struct cflayer *link_support, int head_room, |
1314 |
+ struct cflayer **layer, |
1315 |
+ int (**rcv_func)(struct sk_buff *, struct net_device *, |
1316 |
+@@ -314,11 +314,12 @@ void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, |
1317 |
+ enum cfcnfg_phy_preference pref; |
1318 |
+ struct cfcnfg *cfg = get_cfcnfg(dev_net(dev)); |
1319 |
+ struct caif_device_entry_list *caifdevs; |
1320 |
++ int res; |
1321 |
+ |
1322 |
+ caifdevs = caif_device_list(dev_net(dev)); |
1323 |
+ caifd = caif_device_alloc(dev); |
1324 |
+ if (!caifd) |
1325 |
+- return; |
1326 |
++ return -ENOMEM; |
1327 |
+ *layer = &caifd->layer; |
1328 |
+ spin_lock_init(&caifd->flow_lock); |
1329 |
+ |
1330 |
+@@ -340,7 +341,7 @@ void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, |
1331 |
+ sizeof(caifd->layer.name) - 1); |
1332 |
+ caifd->layer.name[sizeof(caifd->layer.name) - 1] = 0; |
1333 |
+ caifd->layer.transmit = transmit; |
1334 |
+- cfcnfg_add_phy_layer(cfg, |
1335 |
++ res = cfcnfg_add_phy_layer(cfg, |
1336 |
+ dev, |
1337 |
+ &caifd->layer, |
1338 |
+ pref, |
1339 |
+@@ -350,6 +351,7 @@ void caif_enroll_dev(struct net_device *dev, struct caif_dev_common *caifdev, |
1340 |
+ mutex_unlock(&caifdevs->lock); |
1341 |
+ if (rcv_func) |
1342 |
+ *rcv_func = receive; |
1343 |
++ return res; |
1344 |
+ } |
1345 |
+ EXPORT_SYMBOL(caif_enroll_dev); |
1346 |
+ |
1347 |
+@@ -364,6 +366,7 @@ static int caif_device_notify(struct notifier_block *me, unsigned long what, |
1348 |
+ struct cflayer *layer, *link_support; |
1349 |
+ int head_room = 0; |
1350 |
+ struct caif_device_entry_list *caifdevs; |
1351 |
++ int res; |
1352 |
+ |
1353 |
+ cfg = get_cfcnfg(dev_net(dev)); |
1354 |
+ caifdevs = caif_device_list(dev_net(dev)); |
1355 |
+@@ -389,8 +392,10 @@ static int caif_device_notify(struct notifier_block *me, unsigned long what, |
1356 |
+ break; |
1357 |
+ } |
1358 |
+ } |
1359 |
+- caif_enroll_dev(dev, caifdev, link_support, head_room, |
1360 |
++ res = caif_enroll_dev(dev, caifdev, link_support, head_room, |
1361 |
+ &layer, NULL); |
1362 |
++ if (res) |
1363 |
++ cfserl_release(link_support); |
1364 |
+ caifdev->flowctrl = dev_flowctrl; |
1365 |
+ break; |
1366 |
+ |
1367 |
+diff --git a/net/caif/caif_usb.c b/net/caif/caif_usb.c |
1368 |
+index 5cd44f001f647..485dde566c1a9 100644 |
1369 |
+--- a/net/caif/caif_usb.c |
1370 |
++++ b/net/caif/caif_usb.c |
1371 |
+@@ -116,6 +116,11 @@ static struct cflayer *cfusbl_create(int phyid, u8 ethaddr[ETH_ALEN], |
1372 |
+ return (struct cflayer *) this; |
1373 |
+ } |
1374 |
+ |
1375 |
++static void cfusbl_release(struct cflayer *layer) |
1376 |
++{ |
1377 |
++ kfree(layer); |
1378 |
++} |
1379 |
++ |
1380 |
+ static struct packet_type caif_usb_type __read_mostly = { |
1381 |
+ .type = cpu_to_be16(ETH_P_802_EX1), |
1382 |
+ }; |
1383 |
+@@ -128,6 +133,7 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what, |
1384 |
+ struct cflayer *layer, *link_support; |
1385 |
+ struct usbnet *usbnet; |
1386 |
+ struct usb_device *usbdev; |
1387 |
++ int res; |
1388 |
+ |
1389 |
+ /* Check whether we have a NCM device, and find its VID/PID. */ |
1390 |
+ if (!(dev->dev.parent && dev->dev.parent->driver && |
1391 |
+@@ -170,8 +176,11 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what, |
1392 |
+ if (dev->num_tx_queues > 1) |
1393 |
+ pr_warn("USB device uses more than one tx queue\n"); |
1394 |
+ |
1395 |
+- caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN, |
1396 |
++ res = caif_enroll_dev(dev, &common, link_support, CFUSB_MAX_HEADLEN, |
1397 |
+ &layer, &caif_usb_type.func); |
1398 |
++ if (res) |
1399 |
++ goto err; |
1400 |
++ |
1401 |
+ if (!pack_added) |
1402 |
+ dev_add_pack(&caif_usb_type); |
1403 |
+ pack_added = true; |
1404 |
+@@ -181,6 +190,9 @@ static int cfusbl_device_notify(struct notifier_block *me, unsigned long what, |
1405 |
+ layer->name[sizeof(layer->name) - 1] = 0; |
1406 |
+ |
1407 |
+ return 0; |
1408 |
++err: |
1409 |
++ cfusbl_release(link_support); |
1410 |
++ return res; |
1411 |
+ } |
1412 |
+ |
1413 |
+ static struct notifier_block caif_device_notifier = { |
1414 |
+diff --git a/net/caif/cfcnfg.c b/net/caif/cfcnfg.c |
1415 |
+index 273cb07f57d87..2e4aea9f00ef9 100644 |
1416 |
+--- a/net/caif/cfcnfg.c |
1417 |
++++ b/net/caif/cfcnfg.c |
1418 |
+@@ -452,7 +452,7 @@ unlock: |
1419 |
+ rcu_read_unlock(); |
1420 |
+ } |
1421 |
+ |
1422 |
+-void |
1423 |
++int |
1424 |
+ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, |
1425 |
+ struct net_device *dev, struct cflayer *phy_layer, |
1426 |
+ enum cfcnfg_phy_preference pref, |
1427 |
+@@ -461,7 +461,7 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, |
1428 |
+ { |
1429 |
+ struct cflayer *frml; |
1430 |
+ struct cfcnfg_phyinfo *phyinfo = NULL; |
1431 |
+- int i; |
1432 |
++ int i, res = 0; |
1433 |
+ u8 phyid; |
1434 |
+ |
1435 |
+ mutex_lock(&cnfg->lock); |
1436 |
+@@ -475,12 +475,15 @@ cfcnfg_add_phy_layer(struct cfcnfg *cnfg, |
1437 |
+ goto got_phyid; |
1438 |
+ } |
1439 |
+ pr_warn("Too many CAIF Link Layers (max 6)\n"); |
1440 |
++ res = -EEXIST; |
1441 |
+ goto out; |
1442 |
+ |
1443 |
+ got_phyid: |
1444 |
+ phyinfo = kzalloc(sizeof(struct cfcnfg_phyinfo), GFP_ATOMIC); |
1445 |
+- if (!phyinfo) |
1446 |
++ if (!phyinfo) { |
1447 |
++ res = -ENOMEM; |
1448 |
+ goto out_err; |
1449 |
++ } |
1450 |
+ |
1451 |
+ phy_layer->id = phyid; |
1452 |
+ phyinfo->pref = pref; |
1453 |
+@@ -494,8 +497,10 @@ got_phyid: |
1454 |
+ |
1455 |
+ frml = cffrml_create(phyid, fcs); |
1456 |
+ |
1457 |
+- if (!frml) |
1458 |
++ if (!frml) { |
1459 |
++ res = -ENOMEM; |
1460 |
+ goto out_err; |
1461 |
++ } |
1462 |
+ phyinfo->frm_layer = frml; |
1463 |
+ layer_set_up(frml, cnfg->mux); |
1464 |
+ |
1465 |
+@@ -513,11 +518,12 @@ got_phyid: |
1466 |
+ list_add_rcu(&phyinfo->node, &cnfg->phys); |
1467 |
+ out: |
1468 |
+ mutex_unlock(&cnfg->lock); |
1469 |
+- return; |
1470 |
++ return res; |
1471 |
+ |
1472 |
+ out_err: |
1473 |
+ kfree(phyinfo); |
1474 |
+ mutex_unlock(&cnfg->lock); |
1475 |
++ return res; |
1476 |
+ } |
1477 |
+ EXPORT_SYMBOL(cfcnfg_add_phy_layer); |
1478 |
+ |
1479 |
+diff --git a/net/caif/cfserl.c b/net/caif/cfserl.c |
1480 |
+index ce60f06d76de3..af1e1e36dc90a 100644 |
1481 |
+--- a/net/caif/cfserl.c |
1482 |
++++ b/net/caif/cfserl.c |
1483 |
+@@ -31,6 +31,11 @@ static int cfserl_transmit(struct cflayer *layr, struct cfpkt *pkt); |
1484 |
+ static void cfserl_ctrlcmd(struct cflayer *layr, enum caif_ctrlcmd ctrl, |
1485 |
+ int phyid); |
1486 |
+ |
1487 |
++void cfserl_release(struct cflayer *layer) |
1488 |
++{ |
1489 |
++ kfree(layer); |
1490 |
++} |
1491 |
++ |
1492 |
+ struct cflayer *cfserl_create(int instance, bool use_stx) |
1493 |
+ { |
1494 |
+ struct cfserl *this = kzalloc(sizeof(struct cfserl), GFP_ATOMIC); |
1495 |
+diff --git a/net/ieee802154/nl-mac.c b/net/ieee802154/nl-mac.c |
1496 |
+index c0930b9fe848b..7531cb1665d2b 100644 |
1497 |
+--- a/net/ieee802154/nl-mac.c |
1498 |
++++ b/net/ieee802154/nl-mac.c |
1499 |
+@@ -688,8 +688,10 @@ int ieee802154_llsec_getparams(struct sk_buff *skb, struct genl_info *info) |
1500 |
+ nla_put_u8(msg, IEEE802154_ATTR_LLSEC_SECLEVEL, params.out_level) || |
1501 |
+ nla_put_u32(msg, IEEE802154_ATTR_LLSEC_FRAME_COUNTER, |
1502 |
+ be32_to_cpu(params.frame_counter)) || |
1503 |
+- ieee802154_llsec_fill_key_id(msg, ¶ms.out_key)) |
1504 |
++ ieee802154_llsec_fill_key_id(msg, ¶ms.out_key)) { |
1505 |
++ rc = -ENOBUFS; |
1506 |
+ goto out_free; |
1507 |
++ } |
1508 |
+ |
1509 |
+ dev_put(dev); |
1510 |
+ |
1511 |
+diff --git a/net/ieee802154/nl-phy.c b/net/ieee802154/nl-phy.c |
1512 |
+index dc2960be51e0a..6a7fe415d5f44 100644 |
1513 |
+--- a/net/ieee802154/nl-phy.c |
1514 |
++++ b/net/ieee802154/nl-phy.c |
1515 |
+@@ -249,8 +249,10 @@ int ieee802154_add_iface(struct sk_buff *skb, struct genl_info *info) |
1516 |
+ } |
1517 |
+ |
1518 |
+ if (nla_put_string(msg, IEEE802154_ATTR_PHY_NAME, wpan_phy_name(phy)) || |
1519 |
+- nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) |
1520 |
++ nla_put_string(msg, IEEE802154_ATTR_DEV_NAME, dev->name)) { |
1521 |
++ rc = -EMSGSIZE; |
1522 |
+ goto nla_put_failure; |
1523 |
++ } |
1524 |
+ dev_put(dev); |
1525 |
+ |
1526 |
+ wpan_phy_put(phy); |
1527 |
+diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c |
1528 |
+index c1672ff009637..eea0144aada7a 100644 |
1529 |
+--- a/net/netfilter/ipvs/ip_vs_ctl.c |
1530 |
++++ b/net/netfilter/ipvs/ip_vs_ctl.c |
1531 |
+@@ -1262,7 +1262,7 @@ ip_vs_add_service(struct netns_ipvs *ipvs, struct ip_vs_service_user_kern *u, |
1532 |
+ ip_vs_addr_copy(svc->af, &svc->addr, &u->addr); |
1533 |
+ svc->port = u->port; |
1534 |
+ svc->fwmark = u->fwmark; |
1535 |
+- svc->flags = u->flags; |
1536 |
++ svc->flags = u->flags & ~IP_VS_SVC_F_HASHED; |
1537 |
+ svc->timeout = u->timeout * HZ; |
1538 |
+ svc->netmask = u->netmask; |
1539 |
+ svc->ipvs = ipvs; |
1540 |
+diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c |
1541 |
+index dfe4e6787219c..2ebeb615db157 100644 |
1542 |
+--- a/net/netfilter/nfnetlink_cthelper.c |
1543 |
++++ b/net/netfilter/nfnetlink_cthelper.c |
1544 |
+@@ -370,10 +370,14 @@ static int |
1545 |
+ nfnl_cthelper_update(const struct nlattr * const tb[], |
1546 |
+ struct nf_conntrack_helper *helper) |
1547 |
+ { |
1548 |
++ u32 size; |
1549 |
+ int ret; |
1550 |
+ |
1551 |
+- if (tb[NFCTH_PRIV_DATA_LEN]) |
1552 |
+- return -EBUSY; |
1553 |
++ if (tb[NFCTH_PRIV_DATA_LEN]) { |
1554 |
++ size = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN])); |
1555 |
++ if (size != helper->data_len) |
1556 |
++ return -EBUSY; |
1557 |
++ } |
1558 |
+ |
1559 |
+ if (tb[NFCTH_POLICY]) { |
1560 |
+ ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]); |
1561 |
+diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c |
1562 |
+index 76f47b9112214..02aebc3187632 100644 |
1563 |
+--- a/net/nfc/llcp_sock.c |
1564 |
++++ b/net/nfc/llcp_sock.c |
1565 |
+@@ -122,6 +122,7 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) |
1566 |
+ if (!llcp_sock->service_name) { |
1567 |
+ nfc_llcp_local_put(llcp_sock->local); |
1568 |
+ llcp_sock->local = NULL; |
1569 |
++ llcp_sock->dev = NULL; |
1570 |
+ ret = -ENOMEM; |
1571 |
+ goto put_dev; |
1572 |
+ } |
1573 |
+@@ -131,6 +132,7 @@ static int llcp_sock_bind(struct socket *sock, struct sockaddr *addr, int alen) |
1574 |
+ llcp_sock->local = NULL; |
1575 |
+ kfree(llcp_sock->service_name); |
1576 |
+ llcp_sock->service_name = NULL; |
1577 |
++ llcp_sock->dev = NULL; |
1578 |
+ ret = -EADDRINUSE; |
1579 |
+ goto put_dev; |
1580 |
+ } |
1581 |
+diff --git a/sound/core/timer.c b/sound/core/timer.c |
1582 |
+index 22589a073423b..eb31c13c8ed0d 100644 |
1583 |
+--- a/sound/core/timer.c |
1584 |
++++ b/sound/core/timer.c |
1585 |
+@@ -490,9 +490,10 @@ static void snd_timer_notify1(struct snd_timer_instance *ti, int event) |
1586 |
+ return; |
1587 |
+ if (timer->hw.flags & SNDRV_TIMER_HW_SLAVE) |
1588 |
+ return; |
1589 |
++ event += 10; /* convert to SNDRV_TIMER_EVENT_MXXX */ |
1590 |
+ list_for_each_entry(ts, &ti->slave_active_head, active_list) |
1591 |
+ if (ts->ccallback) |
1592 |
+- ts->ccallback(ts, event + 100, &tstamp, resolution); |
1593 |
++ ts->ccallback(ts, event, &tstamp, resolution); |
1594 |
+ } |
1595 |
+ |
1596 |
+ /* start/continue a master timer */ |
1597 |
+diff --git a/tools/testing/selftests/bpf/test_align.c b/tools/testing/selftests/bpf/test_align.c |
1598 |
+index 8591c89c0828a..5d530c90779e5 100644 |
1599 |
+--- a/tools/testing/selftests/bpf/test_align.c |
1600 |
++++ b/tools/testing/selftests/bpf/test_align.c |
1601 |
+@@ -446,11 +446,9 @@ static struct bpf_align_test tests[] = { |
1602 |
+ .insns = { |
1603 |
+ PREP_PKT_POINTERS, |
1604 |
+ BPF_MOV64_IMM(BPF_REG_0, 0), |
1605 |
+- /* ptr & const => unknown & const */ |
1606 |
+- BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), |
1607 |
+- BPF_ALU64_IMM(BPF_AND, BPF_REG_5, 0x40), |
1608 |
+- /* ptr << const => unknown << const */ |
1609 |
+- BPF_MOV64_REG(BPF_REG_5, BPF_REG_2), |
1610 |
++ /* (ptr - ptr) << 2 */ |
1611 |
++ BPF_MOV64_REG(BPF_REG_5, BPF_REG_3), |
1612 |
++ BPF_ALU64_REG(BPF_SUB, BPF_REG_5, BPF_REG_2), |
1613 |
+ BPF_ALU64_IMM(BPF_LSH, BPF_REG_5, 2), |
1614 |
+ /* We have a (4n) value. Let's make a packet offset |
1615 |
+ * out of it. First add 14, to make it a (4n+2) |
1616 |
+@@ -473,20 +471,18 @@ static struct bpf_align_test tests[] = { |
1617 |
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS, |
1618 |
+ .result = REJECT, |
1619 |
+ .matches = { |
1620 |
+- {4, "R5=pkt(id=0,off=0,r=0,imm=0)"}, |
1621 |
+- /* ptr & 0x40 == either 0 or 0x40 */ |
1622 |
+- {5, "R5=inv(id=0,umax_value=64,var_off=(0x0; 0x40))"}, |
1623 |
+- /* ptr << 2 == unknown, (4n) */ |
1624 |
+- {7, "R5=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"}, |
1625 |
++ {4, "R5=pkt_end(id=0,off=0,imm=0)"}, |
1626 |
++ /* (ptr - ptr) << 2 == unknown, (4n) */ |
1627 |
++ {6, "R5=inv(id=0,smax_value=9223372036854775804,umax_value=18446744073709551612,var_off=(0x0; 0xfffffffffffffffc))"}, |
1628 |
+ /* (4n) + 14 == (4n+2). We blow our bounds, because |
1629 |
+ * the add could overflow. |
1630 |
+ */ |
1631 |
+- {8, "R5=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"}, |
1632 |
++ {7, "R5=inv(id=0,var_off=(0x2; 0xfffffffffffffffc))"}, |
1633 |
+ /* Checked s>=0 */ |
1634 |
+- {10, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, |
1635 |
++ {9, "R5=inv(id=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, |
1636 |
+ /* packet pointer + nonnegative (4n+2) */ |
1637 |
+- {12, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, |
1638 |
+- {14, "R4=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, |
1639 |
++ {11, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, |
1640 |
++ {13, "R4=pkt(id=1,off=4,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, |
1641 |
+ /* NET_IP_ALIGN + (4n+2) == (4n), alignment is fine. |
1642 |
+ * We checked the bounds, but it might have been able |
1643 |
+ * to overflow if the packet pointer started in the |
1644 |
+@@ -494,7 +490,7 @@ static struct bpf_align_test tests[] = { |
1645 |
+ * So we did not get a 'range' on R6, and the access |
1646 |
+ * attempt will fail. |
1647 |
+ */ |
1648 |
+- {16, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, |
1649 |
++ {15, "R6=pkt(id=1,off=0,r=0,umin_value=2,umax_value=9223372036854775806,var_off=(0x2; 0x7ffffffffffffffc))"}, |
1650 |
+ } |
1651 |
+ }, |
1652 |
+ { |
1653 |
+diff --git a/tools/testing/selftests/bpf/test_verifier.c b/tools/testing/selftests/bpf/test_verifier.c |
1654 |
+index 9f7fc30d247d1..d4f611546fc0b 100644 |
1655 |
+--- a/tools/testing/selftests/bpf/test_verifier.c |
1656 |
++++ b/tools/testing/selftests/bpf/test_verifier.c |
1657 |
+@@ -462,9 +462,7 @@ static struct bpf_test tests[] = { |
1658 |
+ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, 0), |
1659 |
+ BPF_EXIT_INSN(), |
1660 |
+ }, |
1661 |
+- .errstr_unpriv = "R1 subtraction from stack pointer", |
1662 |
+- .result_unpriv = REJECT, |
1663 |
+- .errstr = "R1 invalid mem access", |
1664 |
++ .errstr = "R1 subtraction from stack pointer", |
1665 |
+ .result = REJECT, |
1666 |
+ }, |
1667 |
+ { |
1668 |
+@@ -1900,9 +1898,8 @@ static struct bpf_test tests[] = { |
1669 |
+ BPF_MOV64_IMM(BPF_REG_0, 0), |
1670 |
+ BPF_EXIT_INSN(), |
1671 |
+ }, |
1672 |
+- .result = ACCEPT, |
1673 |
+- .result_unpriv = REJECT, |
1674 |
+- .errstr_unpriv = "R1 pointer += pointer", |
1675 |
++ .result = REJECT, |
1676 |
++ .errstr = "R1 pointer += pointer", |
1677 |
+ }, |
1678 |
+ { |
1679 |
+ "unpriv: neg pointer", |
1680 |
+@@ -2235,7 +2232,7 @@ static struct bpf_test tests[] = { |
1681 |
+ .result = ACCEPT, |
1682 |
+ }, |
1683 |
+ { |
1684 |
+- "unpriv: adding of fp", |
1685 |
++ "unpriv: adding of fp, reg", |
1686 |
+ .insns = { |
1687 |
+ BPF_MOV64_IMM(BPF_REG_0, 0), |
1688 |
+ BPF_MOV64_IMM(BPF_REG_1, 0), |
1689 |
+@@ -2243,9 +2240,22 @@ static struct bpf_test tests[] = { |
1690 |
+ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), |
1691 |
+ BPF_EXIT_INSN(), |
1692 |
+ }, |
1693 |
+- .result = ACCEPT, |
1694 |
++ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", |
1695 |
+ .result_unpriv = REJECT, |
1696 |
++ .result = ACCEPT, |
1697 |
++ }, |
1698 |
++ { |
1699 |
++ "unpriv: adding of fp, imm", |
1700 |
++ .insns = { |
1701 |
++ BPF_MOV64_IMM(BPF_REG_0, 0), |
1702 |
++ BPF_MOV64_REG(BPF_REG_1, BPF_REG_10), |
1703 |
++ BPF_ALU64_IMM(BPF_ADD, BPF_REG_1, 0), |
1704 |
++ BPF_STX_MEM(BPF_DW, BPF_REG_1, BPF_REG_0, -8), |
1705 |
++ BPF_EXIT_INSN(), |
1706 |
++ }, |
1707 |
+ .errstr_unpriv = "R1 stack pointer arithmetic goes out of range", |
1708 |
++ .result_unpriv = REJECT, |
1709 |
++ .result = ACCEPT, |
1710 |
+ }, |
1711 |
+ { |
1712 |
+ "unpriv: cmp of stack pointer", |
1713 |
+@@ -2681,7 +2691,8 @@ static struct bpf_test tests[] = { |
1714 |
+ BPF_LDX_MEM(BPF_W, BPF_REG_3, BPF_REG_1, |
1715 |
+ offsetof(struct __sk_buff, data)), |
1716 |
+ BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_4), |
1717 |
+- BPF_MOV64_REG(BPF_REG_2, BPF_REG_1), |
1718 |
++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, |
1719 |
++ offsetof(struct __sk_buff, len)), |
1720 |
+ BPF_ALU64_IMM(BPF_LSH, BPF_REG_2, 49), |
1721 |
+ BPF_ALU64_IMM(BPF_RSH, BPF_REG_2, 49), |
1722 |
+ BPF_ALU64_REG(BPF_ADD, BPF_REG_3, BPF_REG_2), |
1723 |
+@@ -2988,7 +2999,7 @@ static struct bpf_test tests[] = { |
1724 |
+ BPF_MOV64_IMM(BPF_REG_0, 0), |
1725 |
+ BPF_EXIT_INSN(), |
1726 |
+ }, |
1727 |
+- .errstr = "invalid access to packet", |
1728 |
++ .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", |
1729 |
+ .result = REJECT, |
1730 |
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS, |
1731 |
+ }, |
1732 |
+@@ -3975,9 +3986,7 @@ static struct bpf_test tests[] = { |
1733 |
+ BPF_EXIT_INSN(), |
1734 |
+ }, |
1735 |
+ .fixup_map2 = { 3, 11 }, |
1736 |
+- .errstr_unpriv = "R0 pointer += pointer", |
1737 |
+- .errstr = "R0 invalid mem access 'inv'", |
1738 |
+- .result_unpriv = REJECT, |
1739 |
++ .errstr = "R0 pointer += pointer", |
1740 |
+ .result = REJECT, |
1741 |
+ .flags = F_NEEDS_EFFICIENT_UNALIGNED_ACCESS, |
1742 |
+ }, |
1743 |
+@@ -4018,7 +4027,7 @@ static struct bpf_test tests[] = { |
1744 |
+ BPF_EXIT_INSN(), |
1745 |
+ }, |
1746 |
+ .fixup_map1 = { 4 }, |
1747 |
+- .errstr = "R4 invalid mem access", |
1748 |
++ .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", |
1749 |
+ .result = REJECT, |
1750 |
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS |
1751 |
+ }, |
1752 |
+@@ -4039,7 +4048,7 @@ static struct bpf_test tests[] = { |
1753 |
+ BPF_EXIT_INSN(), |
1754 |
+ }, |
1755 |
+ .fixup_map1 = { 4 }, |
1756 |
+- .errstr = "R4 invalid mem access", |
1757 |
++ .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", |
1758 |
+ .result = REJECT, |
1759 |
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS |
1760 |
+ }, |
1761 |
+@@ -4060,7 +4069,7 @@ static struct bpf_test tests[] = { |
1762 |
+ BPF_EXIT_INSN(), |
1763 |
+ }, |
1764 |
+ .fixup_map1 = { 4 }, |
1765 |
+- .errstr = "R4 invalid mem access", |
1766 |
++ .errstr = "R4 pointer arithmetic on PTR_TO_MAP_VALUE_OR_NULL", |
1767 |
+ .result = REJECT, |
1768 |
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS |
1769 |
+ }, |
1770 |
+@@ -5291,10 +5300,8 @@ static struct bpf_test tests[] = { |
1771 |
+ BPF_EXIT_INSN(), |
1772 |
+ }, |
1773 |
+ .fixup_map2 = { 3 }, |
1774 |
+- .errstr_unpriv = "R0 bitwise operator &= on pointer", |
1775 |
+- .errstr = "invalid mem access 'inv'", |
1776 |
++ .errstr = "R0 bitwise operator &= on pointer", |
1777 |
+ .result = REJECT, |
1778 |
+- .result_unpriv = REJECT, |
1779 |
+ }, |
1780 |
+ { |
1781 |
+ "map element value illegal alu op, 2", |
1782 |
+@@ -5310,10 +5317,8 @@ static struct bpf_test tests[] = { |
1783 |
+ BPF_EXIT_INSN(), |
1784 |
+ }, |
1785 |
+ .fixup_map2 = { 3 }, |
1786 |
+- .errstr_unpriv = "R0 32-bit pointer arithmetic prohibited", |
1787 |
+- .errstr = "invalid mem access 'inv'", |
1788 |
++ .errstr = "R0 32-bit pointer arithmetic prohibited", |
1789 |
+ .result = REJECT, |
1790 |
+- .result_unpriv = REJECT, |
1791 |
+ }, |
1792 |
+ { |
1793 |
+ "map element value illegal alu op, 3", |
1794 |
+@@ -5329,10 +5334,8 @@ static struct bpf_test tests[] = { |
1795 |
+ BPF_EXIT_INSN(), |
1796 |
+ }, |
1797 |
+ .fixup_map2 = { 3 }, |
1798 |
+- .errstr_unpriv = "R0 pointer arithmetic with /= operator", |
1799 |
+- .errstr = "invalid mem access 'inv'", |
1800 |
++ .errstr = "R0 pointer arithmetic with /= operator", |
1801 |
+ .result = REJECT, |
1802 |
+- .result_unpriv = REJECT, |
1803 |
+ }, |
1804 |
+ { |
1805 |
+ "map element value illegal alu op, 4", |
1806 |
+@@ -5925,8 +5928,7 @@ static struct bpf_test tests[] = { |
1807 |
+ BPF_EXIT_INSN(), |
1808 |
+ }, |
1809 |
+ .fixup_map_in_map = { 3 }, |
1810 |
+- .errstr = "R1 type=inv expected=map_ptr", |
1811 |
+- .errstr_unpriv = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited", |
1812 |
++ .errstr = "R1 pointer arithmetic on CONST_PTR_TO_MAP prohibited", |
1813 |
+ .result = REJECT, |
1814 |
+ }, |
1815 |
+ { |
1816 |
+@@ -6207,7 +6209,6 @@ static struct bpf_test tests[] = { |
1817 |
+ }, |
1818 |
+ .fixup_map1 = { 3 }, |
1819 |
+ .errstr = "unbounded min value", |
1820 |
+- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
1821 |
+ .result = REJECT, |
1822 |
+ }, |
1823 |
+ { |
1824 |
+@@ -6232,7 +6233,6 @@ static struct bpf_test tests[] = { |
1825 |
+ }, |
1826 |
+ .fixup_map1 = { 3 }, |
1827 |
+ .errstr = "unbounded min value", |
1828 |
+- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
1829 |
+ .result = REJECT, |
1830 |
+ }, |
1831 |
+ { |
1832 |
+@@ -6259,7 +6259,6 @@ static struct bpf_test tests[] = { |
1833 |
+ }, |
1834 |
+ .fixup_map1 = { 3 }, |
1835 |
+ .errstr = "unbounded min value", |
1836 |
+- .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", |
1837 |
+ .result = REJECT, |
1838 |
+ }, |
1839 |
+ { |
1840 |
+@@ -6285,7 +6284,6 @@ static struct bpf_test tests[] = { |
1841 |
+ }, |
1842 |
+ .fixup_map1 = { 3 }, |
1843 |
+ .errstr = "unbounded min value", |
1844 |
+- .errstr_unpriv = "R8 has unknown scalar with mixed signed bounds", |
1845 |
+ .result = REJECT, |
1846 |
+ }, |
1847 |
+ { |
1848 |
+@@ -6334,7 +6332,6 @@ static struct bpf_test tests[] = { |
1849 |
+ }, |
1850 |
+ .fixup_map1 = { 3 }, |
1851 |
+ .errstr = "unbounded min value", |
1852 |
+- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
1853 |
+ .result = REJECT, |
1854 |
+ }, |
1855 |
+ { |
1856 |
+@@ -6406,7 +6403,6 @@ static struct bpf_test tests[] = { |
1857 |
+ }, |
1858 |
+ .fixup_map1 = { 3 }, |
1859 |
+ .errstr = "unbounded min value", |
1860 |
+- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
1861 |
+ .result = REJECT, |
1862 |
+ }, |
1863 |
+ { |
1864 |
+@@ -6458,7 +6454,6 @@ static struct bpf_test tests[] = { |
1865 |
+ }, |
1866 |
+ .fixup_map1 = { 3 }, |
1867 |
+ .errstr = "unbounded min value", |
1868 |
+- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
1869 |
+ .result = REJECT, |
1870 |
+ }, |
1871 |
+ { |
1872 |
+@@ -6486,7 +6481,6 @@ static struct bpf_test tests[] = { |
1873 |
+ }, |
1874 |
+ .fixup_map1 = { 3 }, |
1875 |
+ .errstr = "unbounded min value", |
1876 |
+- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
1877 |
+ .result = REJECT, |
1878 |
+ }, |
1879 |
+ { |
1880 |
+@@ -6513,7 +6507,6 @@ static struct bpf_test tests[] = { |
1881 |
+ }, |
1882 |
+ .fixup_map1 = { 3 }, |
1883 |
+ .errstr = "unbounded min value", |
1884 |
+- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
1885 |
+ .result = REJECT, |
1886 |
+ }, |
1887 |
+ { |
1888 |
+@@ -6543,7 +6536,6 @@ static struct bpf_test tests[] = { |
1889 |
+ }, |
1890 |
+ .fixup_map1 = { 3 }, |
1891 |
+ .errstr = "unbounded min value", |
1892 |
+- .errstr_unpriv = "R7 has unknown scalar with mixed signed bounds", |
1893 |
+ .result = REJECT, |
1894 |
+ }, |
1895 |
+ { |
1896 |
+@@ -6602,7 +6594,6 @@ static struct bpf_test tests[] = { |
1897 |
+ }, |
1898 |
+ .fixup_map1 = { 3 }, |
1899 |
+ .errstr = "unbounded min value", |
1900 |
+- .errstr_unpriv = "R1 has unknown scalar with mixed signed bounds", |
1901 |
+ .result = REJECT, |
1902 |
+ .result_unpriv = REJECT, |
1903 |
+ }, |
1904 |
+@@ -7297,6 +7288,19 @@ static struct bpf_test tests[] = { |
1905 |
+ .result = REJECT, |
1906 |
+ .prog_type = BPF_PROG_TYPE_SCHED_CLS, |
1907 |
+ }, |
1908 |
++ { |
1909 |
++ "pkt_end - pkt_start is allowed", |
1910 |
++ .insns = { |
1911 |
++ BPF_LDX_MEM(BPF_W, BPF_REG_0, BPF_REG_1, |
1912 |
++ offsetof(struct __sk_buff, data_end)), |
1913 |
++ BPF_LDX_MEM(BPF_W, BPF_REG_2, BPF_REG_1, |
1914 |
++ offsetof(struct __sk_buff, data)), |
1915 |
++ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_2), |
1916 |
++ BPF_EXIT_INSN(), |
1917 |
++ }, |
1918 |
++ .result = ACCEPT, |
1919 |
++ .prog_type = BPF_PROG_TYPE_SCHED_CLS, |
1920 |
++ }, |
1921 |
+ { |
1922 |
+ "XDP pkt read, pkt_end mangling, bad access 1", |
1923 |
+ .insns = { |
1924 |
+@@ -7312,7 +7316,7 @@ static struct bpf_test tests[] = { |
1925 |
+ BPF_MOV64_IMM(BPF_REG_0, 0), |
1926 |
+ BPF_EXIT_INSN(), |
1927 |
+ }, |
1928 |
+- .errstr = "R1 offset is outside of the packet", |
1929 |
++ .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", |
1930 |
+ .result = REJECT, |
1931 |
+ .prog_type = BPF_PROG_TYPE_XDP, |
1932 |
+ }, |
1933 |
+@@ -7331,7 +7335,7 @@ static struct bpf_test tests[] = { |
1934 |
+ BPF_MOV64_IMM(BPF_REG_0, 0), |
1935 |
+ BPF_EXIT_INSN(), |
1936 |
+ }, |
1937 |
+- .errstr = "R1 offset is outside of the packet", |
1938 |
++ .errstr = "R3 pointer arithmetic on PTR_TO_PACKET_END", |
1939 |
+ .result = REJECT, |
1940 |
+ .prog_type = BPF_PROG_TYPE_XDP, |
1941 |
+ }, |
1942 |
+@@ -7766,8 +7770,9 @@ static struct bpf_test tests[] = { |
1943 |
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
1944 |
+ BPF_EXIT_INSN(), |
1945 |
+ }, |
1946 |
+- .result = REJECT, |
1947 |
++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
1948 |
+ .errstr = "R0 tried to subtract pointer from scalar", |
1949 |
++ .result = REJECT, |
1950 |
+ }, |
1951 |
+ { |
1952 |
+ "check deducing bounds from const, 2", |
1953 |
+@@ -7780,6 +7785,8 @@ static struct bpf_test tests[] = { |
1954 |
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), |
1955 |
+ BPF_EXIT_INSN(), |
1956 |
+ }, |
1957 |
++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
1958 |
++ .result_unpriv = REJECT, |
1959 |
+ .result = ACCEPT, |
1960 |
+ }, |
1961 |
+ { |
1962 |
+@@ -7790,20 +7797,24 @@ static struct bpf_test tests[] = { |
1963 |
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
1964 |
+ BPF_EXIT_INSN(), |
1965 |
+ }, |
1966 |
+- .result = REJECT, |
1967 |
++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
1968 |
+ .errstr = "R0 tried to subtract pointer from scalar", |
1969 |
++ .result = REJECT, |
1970 |
+ }, |
1971 |
+ { |
1972 |
+ "check deducing bounds from const, 4", |
1973 |
+ .insns = { |
1974 |
++ BPF_MOV64_REG(BPF_REG_6, BPF_REG_1), |
1975 |
+ BPF_MOV64_IMM(BPF_REG_0, 0), |
1976 |
+ BPF_JMP_IMM(BPF_JSLE, BPF_REG_0, 0, 1), |
1977 |
+ BPF_EXIT_INSN(), |
1978 |
+ BPF_JMP_IMM(BPF_JSGE, BPF_REG_0, 0, 1), |
1979 |
+ BPF_EXIT_INSN(), |
1980 |
+- BPF_ALU64_REG(BPF_SUB, BPF_REG_1, BPF_REG_0), |
1981 |
++ BPF_ALU64_REG(BPF_SUB, BPF_REG_6, BPF_REG_0), |
1982 |
+ BPF_EXIT_INSN(), |
1983 |
+ }, |
1984 |
++ .errstr_unpriv = "R6 has pointer with unsupported alu operation", |
1985 |
++ .result_unpriv = REJECT, |
1986 |
+ .result = ACCEPT, |
1987 |
+ }, |
1988 |
+ { |
1989 |
+@@ -7814,8 +7825,9 @@ static struct bpf_test tests[] = { |
1990 |
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
1991 |
+ BPF_EXIT_INSN(), |
1992 |
+ }, |
1993 |
+- .result = REJECT, |
1994 |
++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
1995 |
+ .errstr = "R0 tried to subtract pointer from scalar", |
1996 |
++ .result = REJECT, |
1997 |
+ }, |
1998 |
+ { |
1999 |
+ "check deducing bounds from const, 6", |
2000 |
+@@ -7826,8 +7838,9 @@ static struct bpf_test tests[] = { |
2001 |
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
2002 |
+ BPF_EXIT_INSN(), |
2003 |
+ }, |
2004 |
+- .result = REJECT, |
2005 |
++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
2006 |
+ .errstr = "R0 tried to subtract pointer from scalar", |
2007 |
++ .result = REJECT, |
2008 |
+ }, |
2009 |
+ { |
2010 |
+ "check deducing bounds from const, 7", |
2011 |
+@@ -7839,8 +7852,9 @@ static struct bpf_test tests[] = { |
2012 |
+ offsetof(struct __sk_buff, mark)), |
2013 |
+ BPF_EXIT_INSN(), |
2014 |
+ }, |
2015 |
+- .result = REJECT, |
2016 |
++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
2017 |
+ .errstr = "dereference of modified ctx ptr", |
2018 |
++ .result = REJECT, |
2019 |
+ }, |
2020 |
+ { |
2021 |
+ "check deducing bounds from const, 8", |
2022 |
+@@ -7852,8 +7866,9 @@ static struct bpf_test tests[] = { |
2023 |
+ offsetof(struct __sk_buff, mark)), |
2024 |
+ BPF_EXIT_INSN(), |
2025 |
+ }, |
2026 |
+- .result = REJECT, |
2027 |
++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
2028 |
+ .errstr = "dereference of modified ctx ptr", |
2029 |
++ .result = REJECT, |
2030 |
+ }, |
2031 |
+ { |
2032 |
+ "check deducing bounds from const, 9", |
2033 |
+@@ -7863,8 +7878,9 @@ static struct bpf_test tests[] = { |
2034 |
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
2035 |
+ BPF_EXIT_INSN(), |
2036 |
+ }, |
2037 |
+- .result = REJECT, |
2038 |
++ .errstr_unpriv = "R1 has pointer with unsupported alu operation", |
2039 |
+ .errstr = "R0 tried to subtract pointer from scalar", |
2040 |
++ .result = REJECT, |
2041 |
+ }, |
2042 |
+ { |
2043 |
+ "check deducing bounds from const, 10", |
2044 |
+@@ -7876,8 +7892,8 @@ static struct bpf_test tests[] = { |
2045 |
+ BPF_ALU64_REG(BPF_SUB, BPF_REG_0, BPF_REG_1), |
2046 |
+ BPF_EXIT_INSN(), |
2047 |
+ }, |
2048 |
+- .result = REJECT, |
2049 |
+ .errstr = "math between ctx pointer and register with unbounded min value is not allowed", |
2050 |
++ .result = REJECT, |
2051 |
+ }, |
2052 |
+ { |
2053 |
+ "XDP pkt read, pkt_end <= pkt_data', bad access 2", |