Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

broken perf tool on 4.5-rc1 #253

Closed
wants to merge 1 commit into from
Closed

broken perf tool on 4.5-rc1 #253

wants to merge 1 commit into from

Conversation

lzto
Copy link
Contributor

@lzto lzto commented Jan 30, 2016

reproduce:
lzto@objd ~ $ ~/linux/tools/perf/perf record -I -e intel_pt/tsc=1,noretcomp=1/u /bin/ls
lzto@objd ~ $ ~/linux/tools/perf/perf script -F event,comm,pid,tid,time,addr,ip,sym,dso,iregs
Segmentation fault
lzto@objd ~ $

Upon further investigation, it seems that
commit 747a9b0 ("Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
breaks perf tool.

__list_del(): tools/include/linux/list.h does not check null pointer dereference

reproduce:
  lzto@objd ~ $ ~/linux/tools/perf/perf record -I -e intel_pt/tsc=1,noretcomp=1/u /bin/ls
  lzto@objd ~ $ ~/linux/tools/perf/perf script  -F event,comm,pid,tid,time,addr,ip,sym,dso,iregs
  Segmentation fault
  lzto@objd ~ $

Upon further investigation, it seems that
commit 747a9b0 ("Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip")
breaks perf tool.

__list_del(): tools/include/linux/list.h does not check null pointer dereference
@lzto lzto changed the title broken perf tool on 4.4-rc1 broken perf tool on 4.5-rc1 Jan 30, 2016
@jnavila
Copy link

jnavila commented Jan 31, 2016

Issues reported here are not processed. You had better send your issue to the kernel mailing list: linux-kernel@vger.kernel.org

@lzto
Copy link
Contributor Author

lzto commented Feb 1, 2016

Thanks for the tip.

Already posted to the mail list, https://lkml.org/lkml/2016/1/30/257 .

not sure how does the LKML work. and when will the thread be picked up by someone...

quinte17 pushed a commit to quinte17/linux-stable that referenced this pull request Feb 1, 2016
[ Upstream commit 0470eb9 ]

Kirill A. Shutemov says:

This simple test-case trigers few locking asserts in kernel:

int main(int argc, char **argv)
{
        unsigned int block_size = 16 * 4096;
        struct nl_mmap_req req = {
                .nm_block_size          = block_size,
                .nm_block_nr            = 64,
                .nm_frame_size          = 16384,
                .nm_frame_nr            = 64 * block_size / 16384,
        };
        unsigned int ring_size;
	int fd;

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
                exit(1);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
                exit(1);

	ring_size = req.nm_block_nr * req.nm_block_size;
	mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	return 0;
}

+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
 #0:  (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
 #1:  ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
 #2:  (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20

CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 torvalds#253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
 ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
 0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
 ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
 <IRQ>  [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
 [<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
 [<ffffffff81085bed>] __might_sleep+0x4d/0x90
 [<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
 [<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
 [<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
 [<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
 [<ffffffff817e484d>] __sk_free+0x1d/0x160
 [<ffffffff817e49a9>] sk_free+0x19/0x20
[..]

Cong Wang says:

We can't hold mutex lock in a rcu callback, [..]

Thomas Graf says:

The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.

Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
voipac-support referenced this pull request in voipac/linux-fslc Feb 7, 2016
[ Upstream commit 0470eb9 ]

Kirill A. Shutemov says:

This simple test-case trigers few locking asserts in kernel:

int main(int argc, char **argv)
{
        unsigned int block_size = 16 * 4096;
        struct nl_mmap_req req = {
                .nm_block_size          = block_size,
                .nm_block_nr            = 64,
                .nm_frame_size          = 16384,
                .nm_frame_nr            = 64 * block_size / 16384,
        };
        unsigned int ring_size;
	int fd;

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
                exit(1);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
                exit(1);

	ring_size = req.nm_block_nr * req.nm_block_size;
	mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	return 0;
}

+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
 #0:  (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
 #1:  ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
 #2:  (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20

CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 Freescale#253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
 ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
 0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
 ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
 <IRQ>  [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
 [<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
 [<ffffffff81085bed>] __might_sleep+0x4d/0x90
 [<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
 [<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
 [<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
 [<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
 [<ffffffff817e484d>] __sk_free+0x1d/0x160
 [<ffffffff817e49a9>] sk_free+0x19/0x20
[..]

Cong Wang says:

We can't hold mutex lock in a rcu callback, [..]

Thomas Graf says:

The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.

Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
@lzto lzto closed this Feb 8, 2016
mdrjr referenced this pull request in hardkernel/linux Mar 18, 2016
[ Upstream commit 0470eb9 ]

Kirill A. Shutemov says:

This simple test-case trigers few locking asserts in kernel:

int main(int argc, char **argv)
{
        unsigned int block_size = 16 * 4096;
        struct nl_mmap_req req = {
                .nm_block_size          = block_size,
                .nm_block_nr            = 64,
                .nm_frame_size          = 16384,
                .nm_frame_nr            = 64 * block_size / 16384,
        };
        unsigned int ring_size;
	int fd;

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
                exit(1);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
                exit(1);

	ring_size = req.nm_block_nr * req.nm_block_size;
	mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	return 0;
}

+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
 #0:  (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
 #1:  ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
 #2:  (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20

CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 #253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
 ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
 0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
 ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
 <IRQ>  [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
 [<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
 [<ffffffff81085bed>] __might_sleep+0x4d/0x90
 [<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
 [<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
 [<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
 [<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
 [<ffffffff817e484d>] __sk_free+0x1d/0x160
 [<ffffffff817e49a9>] sk_free+0x19/0x20
[..]

Cong Wang says:

We can't hold mutex lock in a rcu callback, [..]

Thomas Graf says:

The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.

Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sashalevin pushed a commit to sashalevin/linux-stable-security that referenced this pull request Apr 29, 2016
[ Upstream commit 0470eb9 ]

Kirill A. Shutemov says:

This simple test-case trigers few locking asserts in kernel:

int main(int argc, char **argv)
{
        unsigned int block_size = 16 * 4096;
        struct nl_mmap_req req = {
                .nm_block_size          = block_size,
                .nm_block_nr            = 64,
                .nm_frame_size          = 16384,
                .nm_frame_nr            = 64 * block_size / 16384,
        };
        unsigned int ring_size;
	int fd;

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
                exit(1);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
                exit(1);

	ring_size = req.nm_block_nr * req.nm_block_size;
	mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	return 0;
}

+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
 #0:  (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
 #1:  ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
 #2:  (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20

CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 torvalds#253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
 ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
 0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
 ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
 <IRQ>  [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
 [<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
 [<ffffffff81085bed>] __might_sleep+0x4d/0x90
 [<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
 [<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
 [<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
 [<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
 [<ffffffff817e484d>] __sk_free+0x1d/0x160
 [<ffffffff817e49a9>] sk_free+0x19/0x20
[..]

Cong Wang says:

We can't hold mutex lock in a rcu callback, [..]

Thomas Graf says:

The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.

Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
sashalevin pushed a commit to sashalevin/linux-stable-security that referenced this pull request Apr 29, 2016
[ Upstream commit 0470eb9 ]

Kirill A. Shutemov says:

This simple test-case trigers few locking asserts in kernel:

int main(int argc, char **argv)
{
        unsigned int block_size = 16 * 4096;
        struct nl_mmap_req req = {
                .nm_block_size          = block_size,
                .nm_block_nr            = 64,
                .nm_frame_size          = 16384,
                .nm_frame_nr            = 64 * block_size / 16384,
        };
        unsigned int ring_size;
	int fd;

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
                exit(1);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
                exit(1);

	ring_size = req.nm_block_nr * req.nm_block_size;
	mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	return 0;
}

+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
 #0:  (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
 #1:  ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
 #2:  (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20

CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 torvalds#253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
 ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
 0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
 ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
 <IRQ>  [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
 [<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
 [<ffffffff81085bed>] __might_sleep+0x4d/0x90
 [<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
 [<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
 [<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
 [<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
 [<ffffffff817e484d>] __sk_free+0x1d/0x160
 [<ffffffff817e49a9>] sk_free+0x19/0x20
[..]

Cong Wang says:

We can't hold mutex lock in a rcu callback, [..]

Thomas Graf says:

The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.

Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
sashalevin pushed a commit to sashalevin/linux-stable-security that referenced this pull request Apr 29, 2016
[ Upstream commit 0470eb9 ]

Kirill A. Shutemov says:

This simple test-case trigers few locking asserts in kernel:

int main(int argc, char **argv)
{
        unsigned int block_size = 16 * 4096;
        struct nl_mmap_req req = {
                .nm_block_size          = block_size,
                .nm_block_nr            = 64,
                .nm_frame_size          = 16384,
                .nm_frame_nr            = 64 * block_size / 16384,
        };
        unsigned int ring_size;
	int fd;

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
                exit(1);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
                exit(1);

	ring_size = req.nm_block_nr * req.nm_block_size;
	mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	return 0;
}

+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
 #0:  (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
 #1:  ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
 #2:  (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20

CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 torvalds#253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
 ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
 0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
 ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
 <IRQ>  [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
 [<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
 [<ffffffff81085bed>] __might_sleep+0x4d/0x90
 [<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
 [<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
 [<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
 [<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
 [<ffffffff817e484d>] __sk_free+0x1d/0x160
 [<ffffffff817e49a9>] sk_free+0x19/0x20
[..]

Cong Wang says:

We can't hold mutex lock in a rcu callback, [..]

Thomas Graf says:

The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.

Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
sashalevin pushed a commit to sashalevin/linux-stable-security that referenced this pull request Apr 29, 2016
[ Upstream commit 0470eb9 ]

Kirill A. Shutemov says:

This simple test-case trigers few locking asserts in kernel:

int main(int argc, char **argv)
{
        unsigned int block_size = 16 * 4096;
        struct nl_mmap_req req = {
                .nm_block_size          = block_size,
                .nm_block_nr            = 64,
                .nm_frame_size          = 16384,
                .nm_frame_nr            = 64 * block_size / 16384,
        };
        unsigned int ring_size;
	int fd;

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
                exit(1);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
                exit(1);

	ring_size = req.nm_block_nr * req.nm_block_size;
	mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	return 0;
}

+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
 #0:  (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
 #1:  ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
 #2:  (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20

CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 torvalds#253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
 ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
 0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
 ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
 <IRQ>  [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
 [<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
 [<ffffffff81085bed>] __might_sleep+0x4d/0x90
 [<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
 [<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
 [<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
 [<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
 [<ffffffff817e484d>] __sk_free+0x1d/0x160
 [<ffffffff817e49a9>] sk_free+0x19/0x20
[..]

Cong Wang says:

We can't hold mutex lock in a rcu callback, [..]

Thomas Graf says:

The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.

Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
sashalevin pushed a commit to sashalevin/linux-stable-security that referenced this pull request Apr 29, 2016
[ Upstream commit 0470eb9 ]

Kirill A. Shutemov says:

This simple test-case trigers few locking asserts in kernel:

int main(int argc, char **argv)
{
        unsigned int block_size = 16 * 4096;
        struct nl_mmap_req req = {
                .nm_block_size          = block_size,
                .nm_block_nr            = 64,
                .nm_frame_size          = 16384,
                .nm_frame_nr            = 64 * block_size / 16384,
        };
        unsigned int ring_size;
	int fd;

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
                exit(1);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
                exit(1);

	ring_size = req.nm_block_nr * req.nm_block_size;
	mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	return 0;
}

+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
 #0:  (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
 #1:  ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
 #2:  (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20

CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 torvalds#253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
 ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
 0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
 ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
 <IRQ>  [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
 [<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
 [<ffffffff81085bed>] __might_sleep+0x4d/0x90
 [<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
 [<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
 [<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
 [<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
 [<ffffffff817e484d>] __sk_free+0x1d/0x160
 [<ffffffff817e49a9>] sk_free+0x19/0x20
[..]

Cong Wang says:

We can't hold mutex lock in a rcu callback, [..]

Thomas Graf says:

The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.

Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
hauke pushed a commit to hauke/linux that referenced this pull request Jun 12, 2016
Kirill A. Shutemov says:

This simple test-case trigers few locking asserts in kernel:

int main(int argc, char **argv)
{
        unsigned int block_size = 16 * 4096;
        struct nl_mmap_req req = {
                .nm_block_size          = block_size,
                .nm_block_nr            = 64,
                .nm_frame_size          = 16384,
                .nm_frame_nr            = 64 * block_size / 16384,
        };
        unsigned int ring_size;
	int fd;

	fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_GENERIC);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_RX_RING, &req, sizeof(req)) < 0)
                exit(1);
        if (setsockopt(fd, SOL_NETLINK, NETLINK_TX_RING, &req, sizeof(req)) < 0)
                exit(1);

	ring_size = req.nm_block_nr * req.nm_block_size;
	mmap(NULL, 2 * ring_size, PROT_READ|PROT_WRITE, MAP_SHARED, fd, 0);
	return 0;
}

+++ exited with 0 +++
BUG: sleeping function called from invalid context at /home/kas/git/public/linux-mm/kernel/locking/mutex.c:616
in_atomic(): 1, irqs_disabled(): 0, pid: 1, name: init
3 locks held by init/1:
 #0:  (reboot_mutex){+.+...}, at: [<ffffffff81080959>] SyS_reboot+0xa9/0x220
 #1:  ((reboot_notifier_list).rwsem){.+.+..}, at: [<ffffffff8107f379>] __blocking_notifier_call_chain+0x39/0x70
 #2:  (rcu_callback){......}, at: [<ffffffff810d32e0>] rcu_do_batch.isra.49+0x160/0x10c0
Preemption disabled at:[<ffffffff8145365f>] __delay+0xf/0x20

CPU: 1 PID: 1 Comm: init Not tainted 4.1.0-00009-gbddf4c4818e0 torvalds#253
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS Debian-1.8.2-1 04/01/2014
 ffff88017b3d8000 ffff88027bc03c38 ffffffff81929ceb 0000000000000102
 0000000000000000 ffff88027bc03c68 ffffffff81085a9d 0000000000000002
 ffffffff81ca2a20 0000000000000268 0000000000000000 ffff88027bc03c98
Call Trace:
 <IRQ>  [<ffffffff81929ceb>] dump_stack+0x4f/0x7b
 [<ffffffff81085a9d>] ___might_sleep+0x16d/0x270
 [<ffffffff81085bed>] __might_sleep+0x4d/0x90
 [<ffffffff8192e96f>] mutex_lock_nested+0x2f/0x430
 [<ffffffff81932fed>] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [<ffffffff81464143>] ? __this_cpu_preempt_check+0x13/0x20
 [<ffffffff8182fc3d>] netlink_set_ring+0x1ed/0x350
 [<ffffffff8182e000>] ? netlink_undo_bind+0x70/0x70
 [<ffffffff8182fe20>] netlink_sock_destruct+0x80/0x150
 [<ffffffff817e484d>] __sk_free+0x1d/0x160
 [<ffffffff817e49a9>] sk_free+0x19/0x20
[..]

Cong Wang says:

We can't hold mutex lock in a rcu callback, [..]

Thomas Graf says:

The socket should be dead at this point. It might be simpler to
add a netlink_release_ring() function which doesn't require
locking at all.

Reported-by: "Kirill A. Shutemov" <kirill@shutemov.name>
Diagnosed-by: Cong Wang <cwang@twopensource.com>
Suggested-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Mar 5, 2017
Since d2852a2 ("arch: add ARCH_HAS_SET_MEMORY config") and
9d876e7 ("bpf: fix unlocking of jited image when module ronx
not set") that uses the former, Fengguang reported random corruptions
on his i386 test machine [1]. On i386 there is no JIT available,
and since his kernel config doesn't have kernel modules enabled,
there was also no DEBUG_SET_MODULE_RONX enabled before which would
set interpreted bpf_prog image as read-only like we do in various
other cases for quite some time now, e.g. x86_64, arm64, etc. Thus,
the difference with above commits was that we now used set_memory_ro()
and set_memory_rw() on i386, which resulted in these issues. When
reproducing this with Fengguang's config and qemu image, I changed
lib/test_bpf.c to be run during boot instead of relying on trinity
to fiddle with cBPF.

The issues I saw with the BPF test suite when set_memory_ro() and
set_memory_rw() is used to write protect image on i386 is that after
a number of tests I noticed a corruption happening in bpf_prog_realloc().
Specifically, fp_old's content gets corrupted right *after* the
(unrelated) __vmalloc() call and contains only zeroes right after
the call instead of the original prog data. fp_old should have been
freed later on via __bpf_prog_free() *after* we copied all the data
over to the newly allocated fp. Result looks like:

  [...]
  [   13.107240] test_bpf: torvalds#249 JMP_JSET_X: if (0x3 & 0x2) return 1 jited:0 17 PASS
  [   13.108182] test_bpf: torvalds#250 JMP_JSET_X: if (0x3 & 0xffffffff) return 1 jited:0 17 PASS
  [   13.109206] test_bpf: torvalds#251 JMP_JA: Jump, gap, jump, ... jited:0 16 PASS
  [   13.110493] test_bpf: torvalds#252 BPF_MAXINSNS: Maximum possible literals jited:0 12 PASS
  [   13.111885] test_bpf: torvalds#253 BPF_MAXINSNS: Single literal jited:0 8 PASS
  [   13.112804] test_bpf: torvalds#254 BPF_MAXINSNS: Run/add until end jited:0 6341 PASS
  [   13.177195] test_bpf: torvalds#255 BPF_MAXINSNS: Too many instructions PASS
  [   13.177689] test_bpf: torvalds#256 BPF_MAXINSNS: Very long jump jited:0 9 PASS
  [   13.178611] test_bpf: torvalds#257 BPF_MAXINSNS: Ctx heavy transformations
  [   13.178713] BUG: unable to handle kernel NULL pointer dereference at 00000034
  [   13.179740] IP: bpf_prog_realloc+0x5b/0x90
  [   13.180017] *pde = 00000000
  [   13.180017]
  [   13.180017] Oops: 0002 [#1] DEBUG_PAGEALLOC
  [   13.180017] CPU: 0 PID: 1 Comm: swapper Not tainted 4.10.0-57268-gd627975-dirty torvalds#50
  [   13.180017] task: 401ec000 task.stack: 401f2000
  [   13.180017] EIP: bpf_prog_realloc+0x5b/0x90
  [   13.180017] EFLAGS: 00210246 CPU: 0
  [   13.180017] EAX: 00000000 EBX: 57ae1000 ECX: 00000000 EDX: 57ae1000
  [   13.180017] ESI: 00000019 EDI: 57b07000 EBP: 401f3e74 ESP: 401f3e68
  [   13.180017]  DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
  [   13.180017] CR0: 80050033 CR2: 00000034 CR3: 12cb1000 CR4: 00000610
  [   13.180017] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
  [   13.180017] DR6: fffe0ff0 DR7: 00000400
  [   13.180017] Call Trace:
  [   13.180017]  bpf_prepare_filter+0x317/0x3a0
  [   13.180017]  bpf_prog_create+0x65/0xa0
  [   13.180017]  test_bpf_init+0x1ca/0x628
  [   13.180017]  ? test_hexdump_init+0xb5/0xb5
  [   13.180017]  do_one_initcall+0x7c/0x11c
  [...]

When using trinity from Fengguang's reproducer, the corruptions were
at inconsistent places, presumably from code dealing with allocations
and seeing similar effects as mentioned above.

Not using set_memory_ro() and set_memory_rw() lets the test suite
run just fine as expected, thus it looks like using set_memory_*()
on i386 seems broken and mentioned commits just uncovered it. Also,
for checking, I enabled DEBUG_RODATA_TEST for that kernel.

Latter shows that memory protecting the kernel seems not working either
on i386 (!). Test suite output:

  [...]
  [   12.692836] Write protecting the kernel text: 13416k
  [   12.693309] Write protecting the kernel read-only data: 5292k
  [   12.693802] rodata_test: test data was not read only
  [...]

Work-around to not enable ARCH_HAS_SET_MEMORY for i386 is not optimal
as it doesn't fix the issue in presumably broken set_memory_*(), but
it at least avoids people avoid having to deal with random corruptions
that are hard to track down for the time being until a real fix can
be found.

  [1] https://lkml.org/lkml/2017/3/2/648

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Laura Abbott <labbott@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexei Starovoitov <ast@kernel.org>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jan 2, 2018
If userspace attempted to set a "security.capability" xattr shorter than
4 bytes (e.g. 'setfattr -n security.capability -v x file'), then
cap_convert_nscap() read past the end of the buffer containing the xattr
value because it accessed the ->magic_etc field without verifying that
the xattr value is long enough to contain that field.

Fix it by validating the xattr value size first.

This bug was found using syzkaller with KASAN.  The KASAN report was as
follows (cleaned up slightly):

    BUG: KASAN: slab-out-of-bounds in cap_convert_nscap+0x514/0x630 security/commoncap.c:498
    Read of size 4 at addr ffff88002d8741c0 by task syz-executor1/2852

    CPU: 0 PID: 2852 Comm: syz-executor1 Not tainted 4.15.0-rc6-00200-gcc0aac99d977 torvalds#253
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0xe3/0x195 lib/dump_stack.c:53
     print_address_description+0x73/0x260 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x235/0x350 mm/kasan/report.c:409
     cap_convert_nscap+0x514/0x630 security/commoncap.c:498
     setxattr+0x2bd/0x350 fs/xattr.c:446
     path_setxattr+0x168/0x1b0 fs/xattr.c:472
     SYSC_setxattr fs/xattr.c:487 [inline]
     SyS_setxattr+0x36/0x50 fs/xattr.c:483
     entry_SYSCALL_64_fastpath+0x18/0x85

Fixes: 8db6c34 ("Introduce v3 namespaced file capabilities")
Cc: <stable@vger.kernel.org> # v4.14+
Signed-off-by: Eric Biggers <ebiggers@google.com>
CallMeFoxie pushed a commit to CallMeFoxie/linux that referenced this pull request Jan 5, 2018
commit dc32b5c upstream.

If userspace attempted to set a "security.capability" xattr shorter than
4 bytes (e.g. 'setfattr -n security.capability -v x file'), then
cap_convert_nscap() read past the end of the buffer containing the xattr
value because it accessed the ->magic_etc field without verifying that
the xattr value is long enough to contain that field.

Fix it by validating the xattr value size first.

This bug was found using syzkaller with KASAN.  The KASAN report was as
follows (cleaned up slightly):

    BUG: KASAN: slab-out-of-bounds in cap_convert_nscap+0x514/0x630 security/commoncap.c:498
    Read of size 4 at addr ffff88002d8741c0 by task syz-executor1/2852

    CPU: 0 PID: 2852 Comm: syz-executor1 Not tainted 4.15.0-rc6-00200-gcc0aac99d977 torvalds#253
    Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
    Call Trace:
     __dump_stack lib/dump_stack.c:17 [inline]
     dump_stack+0xe3/0x195 lib/dump_stack.c:53
     print_address_description+0x73/0x260 mm/kasan/report.c:252
     kasan_report_error mm/kasan/report.c:351 [inline]
     kasan_report+0x235/0x350 mm/kasan/report.c:409
     cap_convert_nscap+0x514/0x630 security/commoncap.c:498
     setxattr+0x2bd/0x350 fs/xattr.c:446
     path_setxattr+0x168/0x1b0 fs/xattr.c:472
     SYSC_setxattr fs/xattr.c:487 [inline]
     SyS_setxattr+0x36/0x50 fs/xattr.c:483
     entry_SYSCALL_64_fastpath+0x18/0x85

Fixes: 8db6c34 ("Introduce v3 namespaced file capabilities")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Reviewed-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: James Morris <james.l.morris@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jan 9, 2018
GIT e1915c8

commit abb62c4
Author: Masahiro Yamada <yamada.masahiro@socionext.com>
Date:   Fri Dec 29 21:15:54 2017 +0900

    arm64: dts: uniphier: fix gpio-ranges property of PXs3 SoC
    
    This is probably a copy-paste mistake.  The gpio-ranges of PXs3 is
    different from that of LD20.
    
    Fixes: 277b51e ("arm64: dts: uniphier: add GPIO controller nodes")
    Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>

commit 2fd9c41
Author: Nick Desaulniers <ndesaulniers@google.com>
Date:   Wed Jan 3 12:39:52 2018 -0800

    x86/process: Define cpu_tss_rw in same section as declaration
    
    cpu_tss_rw is declared with DECLARE_PER_CPU_PAGE_ALIGNED
    but then defined with DEFINE_PER_CPU_SHARED_ALIGNED
    leading to section mismatch warnings.
    
    Use DEFINE_PER_CPU_PAGE_ALIGNED consistently. This is necessary because
    it's mapped to the cpu entry area and must be page aligned.
    
    [ tglx: Massaged changelog a bit ]
    
    Fixes: 1a935bc ("x86/entry: Move SYSENTER_stack to the beginning of struct tss_struct")
    Suggested-by: Thomas Gleixner <tglx@linutronix.de>
    Signed-off-by: Nick Desaulniers <ndesaulniers@google.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: thomas.lendacky@amd.com
    Cc: Borislav Petkov <bpetkov@suse.de>
    Cc: tklauser@distanz.ch
    Cc: minipli@googlemail.com
    Cc: me@kylehuey.com
    Cc: namit@vmware.com
    Cc: luto@kernel.org
    Cc: jpoimboe@redhat.com
    Cc: tj@kernel.org
    Cc: cl@linux.com
    Cc: bp@suse.de
    Cc: thgarnie@google.com
    Cc: kirill.shutemov@linux.intel.com
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20180103203954.183360-1-ndesaulniers@google.com

commit d7732ba
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Wed Jan 3 19:52:04 2018 +0100

    x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()
    
    The preparation for PTI which added CR3 switching to the entry code
    misplaced the CR3 switch in entry_SYSCALL_compat().
    
    With PTI enabled the entry code tries to access a per cpu variable after
    switching to kernel GS. This fails because that variable is not mapped to
    user space. This results in a double fault and in the worst case a kernel
    crash.
    
    Move the switch ahead of the access and clobber RSP which has been saved
    already.
    
    Fixes: 8a09317 ("x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 switching")
    Reported-by: Lars Wendler <wendler.lars@web.de>
    Reported-by: Laura Abbott <labbott@redhat.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: Borislav Betkov <bp@alien8.de>
    Cc: Andy Lutomirski <luto@kernel.org>,
    Cc: Dave Hansen <dave.hansen@linux.intel.com>,
    Cc: Peter Zijlstra <peterz@infradead.org>,
    Cc: Greg KH <gregkh@linuxfoundation.org>, ,
    Cc: Boris Ostrovsky <boris.ostrovsky@oracle.com>,
    Cc: Juergen Gross <jgross@suse.com>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801031949200.1957@nanos

commit e816c20
Author: Kees Cook <keescook@chromium.org>
Date:   Tue Jan 2 15:21:33 2018 -0800

    exec: Weaken dumpability for secureexec
    
    This is a logical revert of commit e37fdb7 ("exec: Use secureexec
    for setting dumpability")
    
    This weakens dumpability back to checking only for uid/gid changes in
    current (which is useless), but userspace depends on dumpability not
    being tied to secureexec.
    
      https://bugzilla.redhat.com/show_bug.cgi?id=1528633
    
    Reported-by: Tom Horsley <horsley1953@gmail.com>
    Fixes: e37fdb7 ("exec: Use secureexec for setting dumpability")
    Cc: stable@vger.kernel.org
    Signed-off-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

commit 3ffdeb1
Author: Josh Poimboeuf <jpoimboe@redhat.com>
Date:   Sun Dec 31 10:18:07 2017 -0600

    x86/dumpstack: Print registers for first stack frame
    
    In the stack dump code, if the frame after the starting pt_regs is also
    a regs frame, the registers don't get printed.  Fix that.
    
    Reported-by: Andy Lutomirski <luto@amacapital.net>
    Tested-by: Alexander Tsoy <alexander@tsoy.me>
    Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Toralf Förster <toralf.foerster@gmx.de>
    Cc: stable@vger.kernel.org
    Fixes: 3b3fa11 ("x86/dumpstack: Print any pt_regs found on the stack")
    Link: http://lkml.kernel.org/r/396f84491d2f0ef64eda4217a2165f5712f6a115.1514736742.git.jpoimboe@redhat.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

commit a9cdbe7
Author: Josh Poimboeuf <jpoimboe@redhat.com>
Date:   Sun Dec 31 10:18:06 2017 -0600

    x86/dumpstack: Fix partial register dumps
    
    The show_regs_safe() logic is wrong.  When there's an iret stack frame,
    it prints the entire pt_regs -- most of which is random stack data --
    instead of just the five registers at the end.
    
    show_regs_safe() is also poorly named: the on_stack() checks aren't for
    safety.  Rename the function to show_regs_if_on_stack() and add a
    comment to explain why the checks are needed.
    
    These issues were introduced with the "partial register dump" feature of
    the following commit:
    
      b02fcf9 ("x86/unwinder: Handle stack overflows more gracefully")
    
    That patch had gone through a few iterations of development, and the
    above issues were artifacts from a previous iteration of the patch where
    'regs' pointed directly to the iret frame rather than to the (partially
    empty) pt_regs.
    
    Tested-by: Alexander Tsoy <alexander@tsoy.me>
    Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: Linus Torvalds <torvalds@linux-foundation.org>
    Cc: Peter Zijlstra <peterz@infradead.org>
    Cc: Thomas Gleixner <tglx@linutronix.de>
    Cc: Toralf Förster <toralf.foerster@gmx.de>
    Cc: stable@vger.kernel.org
    Fixes: b02fcf9 ("x86/unwinder: Handle stack overflows more gracefully")
    Link: http://lkml.kernel.org/r/5b05b8b344f59db2d3d50dbdeba92d60f2304c54.1514736742.git.jpoimboe@redhat.com
    Signed-off-by: Ingo Molnar <mingo@kernel.org>

commit 52994c2
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Wed Jan 3 15:57:59 2018 +0100

    x86/pti: Make sure the user/kernel PTEs match
    
    Meelis reported that his K8 Athlon64 emits MCE warnings when PTI is
    enabled:
    
    [Hardware Error]: Error Addr: 0x0000ffff81e000e0
    [Hardware Error]: MC1 Error: L1 TLB multimatch.
    [Hardware Error]: cache level: L1, tx: INSN
    
    The address is in the entry area, which is mapped into kernel _AND_ user
    space. That's special because we switch CR3 while we are executing
    there.
    
    User mapping:
    0xffffffff81e00000-0xffffffff82000000           2M     ro         PSE     GLB x  pmd
    
    Kernel mapping:
    0xffffffff81000000-0xffffffff82000000          16M     ro         PSE         x  pmd
    
    So the K8 is complaining that the TLB entries differ. They differ in the
    GLB bit.
    
    Drop the GLB bit when installing the user shared mapping.
    
    Fixes: 6dc72c3 ("x86/mm/pti: Share entry text PMD")
    Reported-by: Meelis Roos <mroos@linux.ee>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Tested-by: Meelis Roos <mroos@linux.ee>
    Cc: Borislav Petkov <bp@alien8.de>
    Cc: Tom Lendacky <thomas.lendacky@amd.com>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/alpine.DEB.2.20.1801031407180.1957@nanos

commit 694d99d
Author: Tom Lendacky <thomas.lendacky@amd.com>
Date:   Tue Dec 26 23:43:54 2017 -0600

    x86/cpu, x86/pti: Do not enable PTI on AMD processors
    
    AMD processors are not subject to the types of attacks that the kernel
    page table isolation feature protects against.  The AMD microarchitecture
    does not allow memory references, including speculative references, that
    access higher privileged data when running in a lesser privileged mode
    when that access would result in a page fault.
    
    Disable page table isolation by default on AMD processors by not setting
    the X86_BUG_CPU_INSECURE feature, which controls whether X86_FEATURE_PTI
    is set.
    
    Signed-off-by: Tom Lendacky <thomas.lendacky@amd.com>
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Reviewed-by: Borislav Petkov <bp@suse.de>
    Cc: Dave Hansen <dave.hansen@linux.intel.com>
    Cc: Andy Lutomirski <luto@kernel.org>
    Cc: stable@vger.kernel.org
    Link: https://lkml.kernel.org/r/20171227054354.20369.94587.stgit@tlendack-t1.amdoffice.net

commit 87faa0d
Author: Thomas Gleixner <tglx@linutronix.de>
Date:   Wed Jan 3 15:18:44 2018 +0100

    x86/pti: Enable PTI by default
    
    This really want's to be enabled by default. Users who know what they are
    doing can disable it either in the config or on the kernel command line.
    
    Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
    Cc: stable@vger.kernel.org

commit afae457
Author: David Howells <dhowells@redhat.com>
Date:   Tue Jan 2 10:02:19 2018 +0000

    afs: Fix missing error handling in afs_write_end()
    
    afs_write_end() is missing page unlock and put if afs_fill_page() fails.
    
    Reported-by: Al Viro <viro@zeniv.linux.org.uk>
    Signed-off-by: David Howells <dhowells@redhat.com>

commit 440fbc3
Author: David Howells <dhowells@redhat.com>
Date:   Tue Jan 2 10:02:19 2018 +0000

    afs: Fix unlink
    
    Repeating creation and deletion of a file on an afs mount will run the box
    out of memory, e.g.:
    
            dd if=/dev/zero of=/afs/scratch/m0 bs=$((1024*1024)) count=512
            rm /afs/scratch/m0
    
    The problem seems to be that it's not properly decrementing the nlink count
    so that the inode can be scrapped.
    
    Note that this doesn't fix local creation followed by remote deletion.
    That's harder to handle and will require a separate patch as we're not told
    that the file has been deleted - only that the directory has changed.
    
    Reported-by: Marc Dionne <marc.dionne@auristor.com>
    Signed-off-by: David Howells <dhowells@redhat.com>

commit 7888da9
Author: Dan Carpenter <dan.carpenter@oracle.com>
Date:   Tue Jan 2 10:02:19 2018 +0000

    afs: Potential uninitialized variable in afs_extract_data()
    
    Smatch warns that:
    
        fs/afs/rxrpc.c:922 afs_extract_data()
        error: uninitialized symbol 'remote_abort'.
    
    Smatch is right that "remote_abort" might be uninitialized when we pass
    it to afs_set_call_complete().  I don't know if that function uses the
    uninitialized variable.  Anyway, the comment for rxrpc_kernel_recv_data(),
    says that "*_abort should also be initialised to 0." and this patch does
    that.
    
    Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
    Signed-off-by: David Howells <dhowells@redhat.com>

commit 9880150
Author: David Howells <dhowells@redhat.com>
Date:   Tue Jan 2 10:02:19 2018 +0000

    fscache: Fix the default for fscache_maybe_release_page()
    
    Fix the default for fscache_maybe_release_page() for when the cookie isn't
    valid or the page isn't cached.  It mustn't return false as that indicates
    the page cannot yet be freed.
    
    The problem with the default is that if, say, there's no cache, but a
    network filesystem's pages are using up almost all the available memory, a
    system can OOM because the filesystem ->releasepage() op will not allow
    them to be released as fscache_maybe_release_page() incorrectly prevents
    it.
    
    This can be tested by writing a sequence of 512MiB files to an AFS mount.
    It does not affect NFS or CIFS because both of those wrap the call in a
    check of PG_fscache and it shouldn't bother Ceph as that only has
    PG_private set whilst writeback is in progress.  This might be an issue for
    9P, however.
    
    Note that the pages aren't entirely stuck.  Removing a file or unmounting
    will clear things because that uses ->invalidatepage() instead.
    
    Fixes: 201a154 ("FS-Cache: Handle pages pending storage that get evicted under OOM conditions")
    Reported-by: Marc Dionne <marc.dionne@auristor.com>
    Signed-off-by: David Howells <dhowells@redhat.com>
    Reviewed-by: Jeff Layton <jlayton@redhat.com>
    Acked-by: Al Viro <viro@zeniv.linux.org.uk>
    Tested-by: Marc Dionne <marc.dionne@auristor.com>
    cc: stable@vger.kernel.org # 2.6.32+

commit dc32b5c
Author: Eric Biggers <ebiggers@google.com>
Date:   Mon Jan 1 09:28:31 2018 -0600

    capabilities: fix buffer overread on very short xattr
    
    If userspace attempted to set a "security.capability" xattr shorter than
    4 bytes (e.g. 'setfattr -n security.capability -v x file'), then
    cap_convert_nscap() read past the end of the buffer containing the xattr
    value because it accessed the ->magic_etc field without verifying that
    the xattr value is long enough to contain that field.
    
    Fix it by validating the xattr value size first.
    
    This bug was found using syzkaller with KASAN.  The KASAN report was as
    follows (cleaned up slightly):
    
        BUG: KASAN: slab-out-of-bounds in cap_convert_nscap+0x514/0x630 security/commoncap.c:498
        Read of size 4 at addr ffff88002d8741c0 by task syz-executor1/2852
    
        CPU: 0 PID: 2852 Comm: syz-executor1 Not tainted 4.15.0-rc6-00200-gcc0aac99d977 torvalds#253
        Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-20171110_100015-anatol 04/01/2014
        Call Trace:
         __dump_stack lib/dump_stack.c:17 [inline]
         dump_stack+0xe3/0x195 lib/dump_stack.c:53
         print_address_description+0x73/0x260 mm/kasan/report.c:252
         kasan_report_error mm/kasan/report.c:351 [inline]
         kasan_report+0x235/0x350 mm/kasan/report.c:409
         cap_convert_nscap+0x514/0x630 security/commoncap.c:498
         setxattr+0x2bd/0x350 fs/xattr.c:446
         path_setxattr+0x168/0x1b0 fs/xattr.c:472
         SYSC_setxattr fs/xattr.c:487 [inline]
         SyS_setxattr+0x36/0x50 fs/xattr.c:483
         entry_SYSCALL_64_fastpath+0x18/0x85
    
    Fixes: 8db6c34 ("Introduce v3 namespaced file capabilities")
    Cc: <stable@vger.kernel.org> # v4.14+
    Signed-off-by: Eric Biggers <ebiggers@google.com>
    Reviewed-by: Serge Hallyn <serge@hallyn.com>
    Signed-off-by: James Morris <james.l.morris@oracle.com>

commit c0ee554
Author: Eric W. Biederman <ebiederm@xmission.com>
Date:   Fri Dec 22 12:37:43 2017 -0600

    pid: Handle failure to allocate the first pid in a pid namespace
    
    With the replacement of the pid bitmap and hashtable with an idr in
    alloc_pid started occassionally failing when allocating the first pid
    in a pid namespace.  Things were not completely reset resulting in
    the first allocated pid getting the number 2 (not 1).  Which
    further resulted in ns->proc_mnt not getting set and eventually
    causing an oops in proc_flush_task.
    
    Oops: 0000 [#1] SMP
    CPU: 2 PID: 6743 Comm: trinity-c117 Not tainted 4.15.0-rc4-think+ #2
    RIP: 0010:proc_flush_task+0x8e/0x1b0
    RSP: 0018:ffffc9000bbffc40 EFLAGS: 00010286
    RAX: 0000000000000001 RBX: 0000000000000001 RCX: 00000000fffffffb
    RDX: 0000000000000000 RSI: ffffc9000bbffc50 RDI: 0000000000000000
    RBP: ffffc9000bbffc63 R08: 0000000000000000 R09: 0000000000000002
    R10: ffffc9000bbffb70 R11: ffffc9000bbffc64 R12: 0000000000000003
    R13: 0000000000000000 R14: 0000000000000003 R15: ffff8804c10d7840
    FS:  00007f7cb8965700(0000) GS:ffff88050a200000(0000) knlGS:0000000000000000
    CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
    CR2: 0000000000000000 CR3: 00000003e21ae003 CR4: 00000000001606e0
    DR0: 00007fb1d6c22000 DR1: 0000000000000000 DR2: 0000000000000000
    DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
    Call Trace:
     ? release_task+0xaf/0x680
     release_task+0xd2/0x680
     ? wait_consider_task+0xb82/0xce0
     wait_consider_task+0xbe9/0xce0
     ? do_wait+0xe1/0x330
     do_wait+0x151/0x330
     kernel_wait4+0x8d/0x150
     ? task_stopped_code+0x50/0x50
     SYSC_wait4+0x95/0xa0
     ? rcu_read_lock_sched_held+0x6c/0x80
     ? syscall_trace_enter+0x2d7/0x340
     ? do_syscall_64+0x60/0x210
     do_syscall_64+0x60/0x210
     entry_SYSCALL64_slow_path+0x25/0x25
    RIP: 0033:0x7f7cb82603aa
    RSP: 002b:00007ffd60770bc8 EFLAGS: 00000246
     ORIG_RAX: 000000000000003d
    RAX: ffffffffffffffda RBX: 00007f7cb6cd4000 RCX: 00007f7cb82603aa
    RDX: 000000000000000b RSI: 00007ffd60770bd0 RDI: 0000000000007cca
    RBP: 0000000000007cca R08: 00007f7cb8965700 R09: 00007ffd607c7080
    R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
    R13: 00007ffd60770bd0 R14: 00007f7cb6cd4058 R15: 00000000cccccccd
    Code: c1 e2 04 44 8b 60 30 48 8b 40 38 44 8b 34 11 48 c7 c2 60 3a f5 81 44 89 e1 4c 8b 68 58 e8 4b b4 77 00 89 44 24 14 48 8d 74 24 10 <49> 8b 7d 00 e8 b9 6a f9 ff 48 85 c0 74 1a 48 89 c7 48 89 44 24
    RIP: proc_flush_task+0x8e/0x1b0 RSP: ffffc9000bbffc40
    CR2: 0000000000000000
    ---[ end trace 53d67a6481059862 ]---
    
    Improve the quality of the implementation by resetting the place to
    start allocating pids on failure to allocate the first pid.
    
    As improving the quality of the implementation is the goal remove the now
    unnecesarry disable_pid_allocations call when we fail to mount proc.
    
    Fixes: 95846ec ("pid: replace pid bitmap implementation with IDR API")
    Fixes: 8ef047a ("pid namespaces: make alloc_pid(), free_pid() and put_pid() work with struct upid")
    Reported-by: Dave Jones <davej@codemonkey.org.uk>
    Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>

commit 7d2901f
Author: Bogdan Mirea <Bogdan-Stefan_Mirea@mentor.com>
Date:   Thu Dec 21 17:18:59 2017 +0200

    arm64: dts: renesas: ulcb: Remove renesas, no-ether-link property
    
    The present change is a bug fix for AVB link iteratively up/down.
    
    Steps to reproduce:
    - start AVB TX stream (Using aplay via MSE),
    - disconnect+reconnect the eth cable,
    - after a reconnection the eth connection goes iteratively up/down
      without user interaction,
    - this may heal after some seconds or even stay for minutes.
    
    As the documentation specifies, the "renesas,no-ether-link" option
    should be used when a board does not provide a proper AVB_LINK signal.
    There is no need for this option enabled on RCAR H3/M3 Salvator-X/XS
    and ULCB starter kits since the AVB_LINK is correctly handled by HW.
    
    Choosing to keep or remove the "renesas,no-ether-link" option will
    have impact on the code flow in the following ways:
    - keeping this option enabled may lead to unexpected behavior since
      the RX & TX are enabled/disabled directly from adjust_link function
      without any HW interrogation,
    - removing this option, the RX & TX will only be enabled/disabled after
      HW interrogation. The HW check is made through the LMON pin in PSR
      register which specifies AVB_LINK signal value (0 - at low level;
      1 - at high level).
    
    In conclusion, the present change is also a safety improvement because
    it removes the "renesas,no-ether-link" option leading to a proper way
    of detecting the link state based on HW interrogation and not on
    software heuristic.
    
    Fixes: dc36965 ("arm64: dts: r8a7796: salvator-x: Enable EthernetAVB")
    Fixes: 6fa501c ("arm64: dts: r8a7795: enable EthernetAVB on Salvator-X")
    Signed-off-by: Bogdan Mirea <Bogdan-Stefan_Mirea@mentor.com>
    Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
    Signed-off-by: Simon Horman <horms+renesas@verge.net.au>

commit 87c059e
Author: Bogdan Mirea <Bogdan-Stefan_Mirea@mentor.com>
Date:   Thu Dec 21 17:18:58 2017 +0200

    arm64: dts: renesas: salvator-x: Remove renesas, no-ether-link property
    
    The present change is a bug fix for AVB link iteratively up/down.
    
    Steps to reproduce:
    - start AVB TX stream (Using aplay via MSE),
    - disconnect+reconnect the eth cable,
    - after a reconnection the eth connection goes iteratively up/down
      without user interaction,
    - this may heal after some seconds or even stay for minutes.
    
    As the documentation specifies, the "renesas,no-ether-link" option
    should be used when a board does not provide a proper AVB_LINK signal.
    There is no need for this option enabled on RCAR H3/M3 Salvator-X/XS
    and ULCB starter kits since the AVB_LINK is correctly handled by HW.
    
    Choosing to keep or remove the "renesas,no-ether-link" option will
    have impact on the code flow in the following ways:
    - keeping this option enabled may lead to unexpected behavior since
      the RX & TX are enabled/disabled directly from adjust_link function
      without any HW interrogation,
    - removing this option, the RX & TX will only be enabled/disabled after
      HW interrogation. The HW check is made through the LMON pin in PSR
      register which specifies AVB_LINK signal value (0 - at low level;
      1 - at high level).
    
    In conclusion, the present change is also a safety improvement because
    it removes the "renesas,no-ether-link" option leading to a proper way
    of detecting the link state based on HW interrogation and not on
    software heuristic.
    
    Fixes: dc36965 ("arm64: dts: r8a7796: salvator-x: Enable EthernetAVB")
    Fixes: 6fa501c ("arm64: dts: r8a7795: enable EthernetAVB on Salvator-X")
    Signed-off-by: Bogdan Mirea <Bogdan-Stefan_Mirea@mentor.com>
    Signed-off-by: Vladimir Zapolskiy <vladimir_zapolskiy@mentor.com>
    Signed-off-by: Simon Horman <horms+renesas@verge.net.au>

commit fbd90b4
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Thu Dec 21 22:45:24 2017 +0100

    ARM: dts: tango4: remove bogus interrupt-controller property
    
    dtc points out that the parent node of the interrupt controllers is not
    actually an interrupt controller itself, and lacks an #interrupt-cells
    property:
    
    arch/arm/boot/dts/tango4-vantage-1172.dtb: Warning (interrupts_property): Missing #interrupt-cells in interrupt-parent /soc/interrupt-controller@6e000
    
    This removes the annotation.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>

commit 506e8a9
Author: Arnd Bergmann <arnd@arndb.de>
Date:   Thu Dec 21 22:35:19 2017 +0100

    ARM: dts: ls1021a: fix incorrect clock references
    
    dtc warns about two 'clocks' properties that have an extraneous '1'
    at the end:
    
    arch/arm/boot/dts/ls1021a-qds.dtb: Warning (clocks_property): arch/arm/boot/dts/ls1021a-twr.dtb: Warning (clocks_property): Property 'clocks', cell 1 is not a phandle reference in /soc/i2c@2180000/mux@77/i2c@4/sgtl5000@2a
    arch/arm/boot/dts/ls1021a-qds.dtb: Warning (clocks_property): Missing property '#clock-cells' in node /soc/interrupt-controller@1400000 or bad phandle (referred from /soc/i2c@2180000/mux@77/i2c@4/sgtl5000@2a:clocks[1])
    Property 'clocks', cell 1 is not a phandle reference in /soc/i2c@2190000/sgtl5000@a
    arch/arm/boot/dts/ls1021a-twr.dtb: Warning (clocks_property): Missing property '#clock-cells' in node /soc/interrupt-controller@1400000 or bad phandle (referred from /soc/i2c@2190000/sgtl5000@a:clocks[1])
    
    The clocks that get referenced here are fixed-rate, so they do not
    take any argument, and dtc interprets the next cell as a phandle, which
    is invalid.
    
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>

commit d227182
Author: Joel Stanley <joel@jms.id.au>
Date:   Fri Dec 15 16:03:32 2017 +1030

    ARM: dts: aspeed-g4: Correct VUART IRQ number
    
    This should have always been 8.
    
    Fixes: db4d6d9 ("ARM: dts: aspeed: Correctly order UART nodes")
    Cc: stable@vger.kernel.org
    Signed-off-by: Joel Stanley <joel@jms.id.au>
    Reviewed-by: Cédric Le Goater <clg@kaod.org>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>

commit 976a9b3
Author: Javier Martinez Canillas <javierm@redhat.com>
Date:   Wed Dec 20 18:17:29 2017 +0100

    ARM: dts: exynos: Enable Mixer node for Exynos5800 Peach Pi machine
    
    Commit 1cb686c ("ARM: dts: exynos: Add status property to Exynos 542x
    Mixer nodes") disabled the Mixer node by default in the DTSI and enabled
    for each Exynos 542x DTS. But unfortunately it missed to enable it for the
    Exynos5800 Peach Pi machine, since the 5800 is also an 542x SoC variant.
    
    Fixes: 1cb686c ("ARM: dts: exynos: Add status property to Exynos 542x Mixer nodes")
    Signed-off-by: Javier Martinez Canillas <javierm@redhat.com>
    Acked-by: Marek Szyprowski <m.szyprowski@samsung.com>
    Tested-by: Guillaume Tucker <guillaume.tucker@collabora.com>
    Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
    Signed-off-by: Arnd Bergmann <arnd@arndb.de>

commit eac6a36
Author: Maxime Ripard <maxime.ripard@free-electrons.com>
Date:   Thu Dec 7 16:58:59 2017 +0100

    ARM: dts: sun8i: a711: Reinstate the PMIC compatible
    
    When we added the regulator support in commit 90c5d7c ("ARM: dts:
    sun8i: a711: Add regulator support"), we also dropped the PMIC's
    compatible. Since it's not in the PMIC DTSI, unlike most other PMIC
    DTSI, it obviously wasn't probing anymore.
    
    Re-add it so that everything works again.
    
    Fixes: 90c5d7c ("ARM: dts: sun8i: a711: Add regulator support")
    Reviewed-by: Chen-Yu Tsai <wens@csie.org>
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>

commit 451df7d
Author: Alejandro Mery <amery@hanoverdisplays.com>
Date:   Fri Dec 8 10:35:58 2017 +0000

    ARM: davinci: fix mmc entries in dm365's dma_slave_map
    
    fix mmc entries in dm365's dma_slave_map to match the actual device names
    
    Fixes: 0c750e1 ("ARM: davinci: dm365: Add dma_slave_map to edma")
    Signed-off-by: Alejandro Mery <amery@hanoverdisplays.com>
    Signed-off-by: Sekhar Nori <nsekhar@ti.com>

commit c5a88cd
Author: David Lechner <david@lechnology.com>
Date:   Sun Dec 3 16:04:53 2017 -0600

    ARM: dts: da850-lego-ev3: Fix battery voltage gpio
    
    This fixes the battery voltage monitoring gpio-hog settings.
    
    When the gpio is low, it turns off the battery voltage to the ADC chip.
    However, this needs to be on all of the time so that we can monitor
    battery voltage.
    
    Also, there was a typo that prevented pinmuxing from working correctly.
    
    Signed-off-by: David Lechner <david@lechnology.com>
    Signed-off-by: Sekhar Nori <nsekhar@ti.com>

commit 621f96b
Author: Alejandro Mery <amery@hanoverdisplays.com>
Date:   Tue Dec 5 12:34:57 2017 +0000

    ARM: davinci: Add dma_mask to dm365's eDMA device
    
    Add dma_mask to dm365's EDMA device.
    
    Without a valid dma_mask, EDMA on DM365 refuses to
    probe.
    
    Fixes: cef5b0d ("ARM: davinci: Add dma_mask to eDMA devices")
    Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
    Signed-off-by: Alejandro Mery <amery@hanoverdisplays.com>
    Signed-off-by: Sekhar Nori <nsekhar@ti.com>

commit b638823
Author: Alejandro Mery <amery@hanoverdisplays.com>
Date:   Tue Dec 5 12:34:56 2017 +0000

    ARM: davinci: Use platform_device_register_full() to create pdev for dm365's eDMA
    
    Convert the DM365 EDMA platform device creation to use
    struct platform_device_info XXXXXX __initconst and
    platform_device_register_full()
    
    This will allow us to specify the dma_mask for the device
    in an upcoming patch. Without this, EDMA on DM365 refuses
    to probe.
    
    Fixes: 7ab388e ("ARM: davinci: Use platform_device_register_full() to create pdev for eDMA")
    Reviewed-by: Peter Ujfalusi <peter.ujfalusi@ti.com>
    Signed-off-by: Alejandro Mery <amery@hanoverdisplays.com>
    Signed-off-by: Sekhar Nori <nsekhar@ti.com>

commit bc63194
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Wed Dec 6 01:10:05 2017 +0100

    arm64: dts: rockchip: limit rk3328-rock64 gmac speed to 100MBit for now
    
    It looks like either the current kernel or the hardware has reliability
    issues when the gmac is actually running at 1GBit. In my test-case
    it is not able to boot on a nfsroot at this speed, as the system
    will always lose the connection to the nfs-server during boot, before
    reaching any login prompt and not recover from this.
    
    So until this is solved, limit the speed to 100MBit as with this the
    nfsroot survives stress tests like an apt-get upgrade without problems.
    
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>

commit 87eba07
Author: Klaus Goger <klaus.goger@theobroma-systems.com>
Date:   Tue Dec 5 08:11:58 2017 +0100

    arm64: dts: rockchip: remove vdd_log from rk3399-puma
    
    vdd_log has no consumer and therefore will not be set to a specific
    voltage. Still the PWM output pin gets configured and thence the vdd_log
    output voltage will changed from it's default. Depending on the idle
    state of the PWM this will slightly over or undervoltage the logic supply
    of the RK3399 and cause instability with GbE (undervoltage) and PCIe
    (overvoltage). Since the default value set by a voltage divider is the
    correct supply voltage and we don't need to change it during runtime we
    remove the rail from the devicetree completely so the PWM pin will not
    be configured.
    
    Signed-off-by: Klaus Goger <klaus.goger@theobroma-systems.com>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>

commit f88e930
Author: Sergey Matyukevich <geomatsi@gmail.com>
Date:   Fri Nov 3 22:58:54 2017 +0300

    arm64: dts: orange-pi-zero-plus2: fix sdcard detect
    
    The sdcard detect pin on orange-pi-zero-plus2 is pulled up.
    Fix cd-gpio description to enable sdcard detect.
    
    Signed-off-by: Sergey Matyukevich <geomatsi@gmail.com>
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>

commit 7d556bf
Author: Jagan Teki <jagannadh.teki@gmail.com>
Date:   Mon Dec 4 10:23:07 2017 +0530

    arm64: allwinner: a64-sopine: Fix to use dcdc1 regulator instead of vcc3v3
    
    Since current tree support AXP803 regulators,
    replace fixed regulator vcc3v3 with AXP803 dcdc1 regulator where ever
    it need to replace.
    
    Tested mmc0 on sopine baseboard.
    
    Signed-off-by: Jagan Teki <jagan@amarulasolutions.com>
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>

commit e17e237
Author: Chen-Yu Tsai <wens@csie.org>
Date:   Mon Dec 4 16:44:01 2017 +0800

    ARM: dts: sunxi: Convert to CCU index macros for HDMI controller
    
    When the HDMI controller device node was added, the needed PLL clock
    macros were not exported. A separate patch addresses that, but it is
    merged through a different tree.
    
    Now that both patches are in mainline proper, we can convert the raw
    numbers to proper macros.
    
    Signed-off-by: Chen-Yu Tsai <wens@csie.org>
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>

commit e2bf801
Author: Stefan Brüns <stefan.bruens@rwth-aachen.de>
Date:   Mon Nov 27 20:05:34 2017 +0100

    sunxi-rsb: Include OF based modalias in device uevent
    
    Include the OF-based modalias in the uevent sent when registering devices
    on the sunxi RSB bus, so that user space has a chance to autoload the
    kernel module for the device.
    
    Fixes a regression caused by commit 3f241bf ("arm64: allwinner: a64:
    pine64: Use dcdc1 regulator for mmc0"). When the axp20x-rsb module for
    the AXP803 PMIC is built as a module, it is not loaded and the system
    ends up with an disfunctional MMC controller.
    
    Fixes: d787dcd ("bus: sunxi-rsb: Add driver for Allwinner Reduced Serial Bus")
    Cc: stable <stable@vger.kernel.org> # 4.4.x 7a3b7cd of: device: Export of_device_{get_modalias, uvent_modalias} to modules
    Acked-by: Chen-Yu Tsai <wens@csie.org>
    Signed-off-by: Stefan Brüns <stefan.bruens@rwth-aachen.de>
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>

commit bc53e3a
Author: Peter Rosin <peda@axentia.se>
Date:   Mon Nov 27 17:31:01 2017 +0100

    ARM: dts: at91: disable the nxp,se97b SMBUS timeout on the TSE-850
    
    The I2C adapter driver is sometimes slow, causing the SCL line to
    be stuck low for more than the stipulated SMBUS timeout of 25-35 ms.
    This causes the client device to give up which in turn causes silent
    corruption of data. So, disable the SMBUS timeout in the client device.
    
    Signed-off-by: Peter Rosin <peda@axentia.se>
    Acked-by: Guenter Roeck <linux@roeck-us.net>
    Signed-off-by: Alexandre Belloni <alexandre.belloni@free-electrons.com>

commit 3fa8c49
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Mon Dec 4 18:36:10 2017 +0100

    arm64: dts: rockchip: fix trailing 0 in rk3328 tsadc interrupts
    
    Probably due to some copy-paste mistake, the tsadc of rk3328 ended up
    with a 0 as 4th element that shouldn't be there, as interrupts on the
    rk3328 only have multiples of 3, making dtc complain. So remove it.
    
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>

commit 912d798
Author: Rob Herring <robh@kernel.org>
Date:   Thu Nov 9 16:35:35 2017 -0600

    ARM: dts: rockchip: fix rk3288 iep-IOMMU interrupts property cells
    
    The interrupts property in the iep-IOMMU node for the rk3288 dts file has a
    spurious extra cell causing a dtc warning:
    
    Warning (interrupts_property): interrupts size is (16), expected multiple of 12 in /iommu@ff900800
    
    Remove the extra cell.
    
    Signed-off-by: Rob Herring <robh@kernel.org>
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>

commit 741f5af
Author: Heiko Stuebner <heiko@sntech.de>
Date:   Sat Dec 2 17:36:45 2017 +0100

    ARM: dts: rockchip: add cpu0-regulator on rk3066a-marsboard
    
    The rk3066 also has operating points now, but without adjusting
    the cpu-regulator will break once higher voltages are needed for
    a specific frequency, so add the needed cpu0-regulator.
    
    Signed-off-by: Heiko Stuebner <heiko@sntech.de>

commit bdfe4ce
Author: Icenowy Zheng <icenowy@aosc.io>
Date:   Fri Nov 10 17:26:54 2017 +0800

    arm64: allwinner: a64: add Ethernet PHY regulator for several boards
    
    On several A64 boards the Ethernet PHY is powered by the DC1SW regulator
    on the AXP803 PMIC.
    
    Add phy-handle property to these boards' emac node.
    
    Signed-off-by: Icenowy Zheng <icenowy@aosc.io>
    Acked-by: Corentin LABBE <clabbe.montjoie@gmail.com>
    Tested-by: Corentin LABBE <clabbe.montjoie@gmail.com>
    Signed-off-by: Maxime Ripard <maxime.ripard@free-electrons.com>
damentz referenced this pull request in zen-kernel/zen-kernel Mar 29, 2018
[ Upstream commit 17cfe79 ]

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Noltari pushed a commit to Noltari/linux that referenced this pull request Mar 31, 2018
[ Upstream commit 17cfe79 ]

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ torvalds#253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Noltari pushed a commit to Noltari/linux that referenced this pull request Mar 31, 2018
[ Upstream commit 17cfe79 ]

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ torvalds#253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
smaeul pushed a commit to smaeul/linux that referenced this pull request Mar 31, 2018
[ Upstream commit 17cfe79 ]

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ torvalds#253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
frank-w referenced this pull request in frank-w/BPI-Router-Linux Apr 1, 2018
[ Upstream commit 17cfe79 ]

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Noltari pushed a commit to Noltari/linux that referenced this pull request May 29, 2018
[ Upstream commit 17cfe79 ]

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ torvalds#253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Noltari pushed a commit to Noltari/linux that referenced this pull request Jun 1, 2018
commit 17cfe79 upstream.

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ torvalds#253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
nemunaire pushed a commit to nemunaire/CI20_linux that referenced this pull request Jun 6, 2018
[ Upstream commit 17cfe79 ]

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ torvalds#253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Noltari pushed a commit to Noltari/linux that referenced this pull request Jun 17, 2018
commit 17cfe79 upstream.

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ torvalds#253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d1 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Jul 16, 2018
WARNING: please, no spaces at the start of a line
torvalds#250: FILE: kernel/cgroup/cgroup.c:4554:
+       {$

ERROR: code indent should use tabs where possible
torvalds#251: FILE: kernel/cgroup/cgroup.c:4555:
+               .name = "cpu.pressure",$

WARNING: please, no spaces at the start of a line
torvalds#251: FILE: kernel/cgroup/cgroup.c:4555:
+               .name = "cpu.pressure",$

ERROR: code indent should use tabs where possible
torvalds#252: FILE: kernel/cgroup/cgroup.c:4556:
+               .flags = CFTYPE_NOT_ON_ROOT,$

WARNING: please, no spaces at the start of a line
torvalds#252: FILE: kernel/cgroup/cgroup.c:4556:
+               .flags = CFTYPE_NOT_ON_ROOT,$

ERROR: code indent should use tabs where possible
torvalds#253: FILE: kernel/cgroup/cgroup.c:4557:
+               .seq_show = cgroup_cpu_pressure_show,$

WARNING: please, no spaces at the start of a line
torvalds#253: FILE: kernel/cgroup/cgroup.c:4557:
+               .seq_show = cgroup_cpu_pressure_show,$

WARNING: please, no spaces at the start of a line
torvalds#254: FILE: kernel/cgroup/cgroup.c:4558:
+       },$

WARNING: please, no spaces at the start of a line
torvalds#255: FILE: kernel/cgroup/cgroup.c:4559:
+       {$

ERROR: code indent should use tabs where possible
torvalds#256: FILE: kernel/cgroup/cgroup.c:4560:
+               .name = "memory.pressure",$

WARNING: please, no spaces at the start of a line
torvalds#256: FILE: kernel/cgroup/cgroup.c:4560:
+               .name = "memory.pressure",$

ERROR: code indent should use tabs where possible
torvalds#257: FILE: kernel/cgroup/cgroup.c:4561:
+               .flags = CFTYPE_NOT_ON_ROOT,$

WARNING: please, no spaces at the start of a line
torvalds#257: FILE: kernel/cgroup/cgroup.c:4561:
+               .flags = CFTYPE_NOT_ON_ROOT,$

ERROR: code indent should use tabs where possible
torvalds#258: FILE: kernel/cgroup/cgroup.c:4562:
+               .seq_show = cgroup_memory_pressure_show,$

WARNING: please, no spaces at the start of a line
torvalds#258: FILE: kernel/cgroup/cgroup.c:4562:
+               .seq_show = cgroup_memory_pressure_show,$

WARNING: please, no spaces at the start of a line
torvalds#259: FILE: kernel/cgroup/cgroup.c:4563:
+       },$

WARNING: please, no spaces at the start of a line
torvalds#260: FILE: kernel/cgroup/cgroup.c:4564:
+       {$

ERROR: code indent should use tabs where possible
torvalds#261: FILE: kernel/cgroup/cgroup.c:4565:
+               .name = "io.pressure",$

WARNING: please, no spaces at the start of a line
torvalds#261: FILE: kernel/cgroup/cgroup.c:4565:
+               .name = "io.pressure",$

ERROR: code indent should use tabs where possible
torvalds#262: FILE: kernel/cgroup/cgroup.c:4566:
+               .flags = CFTYPE_NOT_ON_ROOT,$

WARNING: please, no spaces at the start of a line
torvalds#262: FILE: kernel/cgroup/cgroup.c:4566:
+               .flags = CFTYPE_NOT_ON_ROOT,$

ERROR: code indent should use tabs where possible
torvalds#263: FILE: kernel/cgroup/cgroup.c:4567:
+               .seq_show = cgroup_io_pressure_show,$

WARNING: please, no spaces at the start of a line
torvalds#263: FILE: kernel/cgroup/cgroup.c:4567:
+               .seq_show = cgroup_io_pressure_show,$

WARNING: please, no spaces at the start of a line
torvalds#264: FILE: kernel/cgroup/cgroup.c:4568:
+       },$

WARNING: please, no spaces at the start of a line
torvalds#322: FILE: kernel/sched/psi.c:424:
+       cgroup = task->cgroups->dfl_cgrp;$

WARNING: please, no spaces at the start of a line
torvalds#323: FILE: kernel/sched/psi.c:425:
+       while (cgroup && (parent = cgroup_parent(cgroup))) {$

WARNING: suspect code indent for conditional statements (7, 15)
torvalds#323: FILE: kernel/sched/psi.c:425:
+       while (cgroup && (parent = cgroup_parent(cgroup))) {
+               struct psi_group *group;

ERROR: code indent should use tabs where possible
torvalds#324: FILE: kernel/sched/psi.c:426:
+               struct psi_group *group;$

WARNING: please, no spaces at the start of a line
torvalds#324: FILE: kernel/sched/psi.c:426:
+               struct psi_group *group;$

ERROR: code indent should use tabs where possible
torvalds#326: FILE: kernel/sched/psi.c:428:
+               group = cgroup_psi(cgroup);$

WARNING: please, no spaces at the start of a line
torvalds#326: FILE: kernel/sched/psi.c:428:
+               group = cgroup_psi(cgroup);$

ERROR: code indent should use tabs where possible
torvalds#327: FILE: kernel/sched/psi.c:429:
+               psi_group_change(group, cpu, now, clear, set);$

WARNING: please, no spaces at the start of a line
torvalds#327: FILE: kernel/sched/psi.c:429:
+               psi_group_change(group, cpu, now, clear, set);$

ERROR: code indent should use tabs where possible
torvalds#329: FILE: kernel/sched/psi.c:431:
+               cgroup = parent;$

WARNING: please, no spaces at the start of a line
torvalds#329: FILE: kernel/sched/psi.c:431:
+               cgroup = parent;$

WARNING: please, no spaces at the start of a line
torvalds#330: FILE: kernel/sched/psi.c:432:
+       }$

WARNING: braces {} are not necessary for any arm of this statement
torvalds#378: FILE: kernel/sched/psi.c:537:
+	if (task_on_rq_queued(task)) {
[...]
+	} else if (task->in_iowait) {
[...]

total: 13 errors, 24 warnings, 334 lines checked

NOTE: For some of the reported defects, checkpatch may be able to
      mechanically convert to the typical style using --fix or --fix-inplace.

NOTE: Whitespace errors detected.
      You may wish to use scripts/cleanpatch or scripts/cleanfile

./patches/psi-cgroup-support.patch has style problems, please review.

NOTE: If any of the errors are false positives, please report
      them to the maintainer, see CHECKPATCH in MAINTAINERS.

Please run checkpatch prior to sending patches

Cc: Johannes Weiner <jweiner@fb.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
fengguang pushed a commit to 0day-ci/linux that referenced this pull request Oct 11, 2018
syzbot managed to crash in skb_checksum_help() [1] :

        BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb));

Root cause is the following check in skb_partial_csum_set()

	if (unlikely(start > skb_headlen(skb)) ||
	    unlikely((int)start + off > skb_headlen(skb) - 2))
		return false;

If skb_headlen(skb) is 1, then (skb_headlen(skb) - 2) becomes 0xffffffff
and the check fails to detect that ((int)start + off) is off the limit,
since the compare is unsigned.

When we fix that, then the first condition (start > skb_headlen(skb))
becomes obsolete.

Then we should also check that (skb_headroom(skb) + start) wont
overflow 16bit field.

[1]
kernel BUG at net/core/dev.c:2880!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7330 Comm: syz-executor4 Not tainted 4.19.0-rc6+ torvalds#253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
RSP: 0018:ffff8801d83a6f60 EFLAGS: 00010293
RAX: ffff8801b9834380 RBX: ffff8801b9f8d8c0 RCX: ffffffff8608c6d7
RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
RBP: ffff8801d83a7068 R08: ffff8801b9834380 R09: 0000000000000000
R10: ffff8801d83a76d8 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
FS:  00007f1a66db5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7d77f091b0 CR3: 00000001ba252000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 skb_csum_hwoffload_help+0x8f/0xe0 net/core/dev.c:3269
 validate_xmit_skb+0xa2a/0xf30 net/core/dev.c:3312
 __dev_queue_xmit+0xc2f/0x3950 net/core/dev.c:3797
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
 packet_snd net/packet/af_packet.c:2928 [inline]
 packet_sendmsg+0x422d/0x64c0 net/packet/af_packet.c:2953

Fixes: 5ff8dda ("net: Ensure partial checksum offset is inside the skb head")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Noltari pushed a commit to Noltari/linux that referenced this pull request Dec 17, 2018
commit 52b5d6f upstream.

syzbot managed to crash in skb_checksum_help() [1] :

        BUG_ON(offset + sizeof(__sum16) > skb_headlen(skb));

Root cause is the following check in skb_partial_csum_set()

	if (unlikely(start > skb_headlen(skb)) ||
	    unlikely((int)start + off > skb_headlen(skb) - 2))
		return false;

If skb_headlen(skb) is 1, then (skb_headlen(skb) - 2) becomes 0xffffffff
and the check fails to detect that ((int)start + off) is off the limit,
since the compare is unsigned.

When we fix that, then the first condition (start > skb_headlen(skb))
becomes obsolete.

Then we should also check that (skb_headroom(skb) + start) wont
overflow 16bit field.

[1]
kernel BUG at net/core/dev.c:2880!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 1 PID: 7330 Comm: syz-executor4 Not tainted 4.19.0-rc6+ torvalds#253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:skb_checksum_help+0x9e3/0xbb0 net/core/dev.c:2880
Code: 85 00 ff ff ff 48 c1 e8 03 42 80 3c 28 00 0f 84 09 fb ff ff 48 8b bd 00 ff ff ff e8 97 a8 b9 fb e9 f8 fa ff ff e8 2d 09 76 fb <0f> 0b 48 8b bd 28 ff ff ff e8 1f a8 b9 fb e9 b1 f6 ff ff 48 89 cf
RSP: 0018:ffff8801d83a6f60 EFLAGS: 00010293
RAX: ffff8801b9834380 RBX: ffff8801b9f8d8c0 RCX: ffffffff8608c6d7
RDX: 0000000000000000 RSI: ffffffff8608cc63 RDI: 0000000000000006
RBP: ffff8801d83a7068 R08: ffff8801b9834380 R09: 0000000000000000
R10: ffff8801d83a76d8 R11: 0000000000000000 R12: 0000000000000001
R13: 0000000000010001 R14: 000000000000ffff R15: 00000000000000a8
FS:  00007f1a66db5700(0000) GS:ffff8801daf00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f7d77f091b0 CR3: 00000001ba252000 CR4: 00000000001406e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 skb_csum_hwoffload_help+0x8f/0xe0 net/core/dev.c:3269
 validate_xmit_skb+0xa2a/0xf30 net/core/dev.c:3312
 __dev_queue_xmit+0xc2f/0x3950 net/core/dev.c:3797
 dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
 packet_snd net/packet/af_packet.c:2928 [inline]
 packet_sendmsg+0x422d/0x64c0 net/packet/af_packet.c:2953

Fixes: 5ff8dda ("net: Ensure partial checksum offset is inside the skb head")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into exprected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into exprected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 5, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
borkmann added a commit to cilium/linux that referenced this pull request Oct 6, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 6, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 6, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 7, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20231006220655.1653-4-daniel@iogearbox.net
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 7, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20231006220655.1653-6-daniel@iogearbox.net
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
borkmann added a commit to cilium/linux that referenced this pull request Oct 9, 2023
Add several new test cases which assert corner cases on the mprog query
mechanism, for example, around passing in a too small or a larger array
than the current count.

  ./test_progs -t tc_opts
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
honjow pushed a commit to 3003n/linux that referenced this pull request Oct 16, 2023
Add a new test case which performs double query of the bpf_mprog through
libbpf API, but also via raw bpf(2) syscall. This is testing to gather
first the count and then in a subsequent probe the full information with
the program array without clearing passed structs in between.

  # ./vmtest.sh -- ./test_progs -t tc_opts
  [...]
  ./test_progs -t tc_opts
  [    1.398818] tsc: Refined TSC clocksource calibration: 3407.999 MHz
  [    1.400263] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fd336761, max_idle_ns: 440795243819 ns
  [    1.402734] clocksource: Switched to clocksource tsc
  [    1.426639] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.428112] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK            <--- (new test)
  torvalds#269     tc_opts_replace:OK
  torvalds#270     tc_opts_revision:OK
  Summary: 19/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20231006220655.1653-4-daniel@iogearbox.net
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
honjow pushed a commit to 3003n/linux that referenced this pull request Oct 16, 2023
Add a new test case to query on an empty bpf_mprog and pass the revision
directly into expected_revision for attachment to assert that this does
succeed.

  ./test_progs -t tc_opts
  [    1.406778] tsc: Refined TSC clocksource calibration: 3407.990 MHz
  [    1.408863] clocksource: tsc: mask: 0xffffffffffffffff max_cycles: 0x311fcaf6eb0, max_idle_ns: 440795321766 ns
  [    1.412419] clocksource: Switched to clocksource tsc
  [    1.428671] bpf_testmod: loading out-of-tree module taints kernel.
  [    1.430260] bpf_testmod: module verification failed: signature and/or required key missing - tainting kernel
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK     <--- (new test)
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/r/20231006220655.1653-6-daniel@iogearbox.net
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
borkmann added a commit to cilium/linux that referenced this pull request Oct 17, 2023
Add several new test cases which assert corner cases on the mprog query
mechanism, for example, around passing in a too small or a larger array
than the current count.

  ./test_progs -t tc_opts
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
intel-lab-lkp pushed a commit to intel-lab-lkp/linux that referenced this pull request Oct 17, 2023
Add several new test cases which assert corner cases on the mprog query
mechanism, for example, around passing in a too small or a larger array
than the current count.

  ./test_progs -t tc_opts
  torvalds#252     tc_opts_after:OK
  torvalds#253     tc_opts_append:OK
  torvalds#254     tc_opts_basic:OK
  torvalds#255     tc_opts_before:OK
  torvalds#256     tc_opts_chain_classic:OK
  torvalds#257     tc_opts_chain_mixed:OK
  torvalds#258     tc_opts_delete_empty:OK
  torvalds#259     tc_opts_demixed:OK
  torvalds#260     tc_opts_detach:OK
  torvalds#261     tc_opts_detach_after:OK
  torvalds#262     tc_opts_detach_before:OK
  torvalds#263     tc_opts_dev_cleanup:OK
  torvalds#264     tc_opts_invalid:OK
  torvalds#265     tc_opts_max:OK
  torvalds#266     tc_opts_mixed:OK
  torvalds#267     tc_opts_prepend:OK
  torvalds#268     tc_opts_query:OK
  torvalds#269     tc_opts_query_attach:OK
  torvalds#270     tc_opts_replace:OK
  torvalds#271     tc_opts_revision:OK
  Summary: 20/0 PASSED, 0 SKIPPED, 0 FAILED

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Alan Maguire <alan.maguire@oracle.com>
Link: https://lore.kernel.org/bpf/20231017081728.24769-1-daniel@iogearbox.net
paralin pushed a commit to skiffos/linux that referenced this pull request Jan 11, 2024
Toggle deleted anonymous sets as inactive in the next generation, so
users cannot perform any update on it. Clear the generation bitmask
in case the transaction is aborted.

The following KASAN splat shows a set element deletion for a bound
anonymous set that has been already removed in the same transaction.

[   64.921510] ==================================================================
[   64.923123] BUG: KASAN: wild-memory-access in nf_tables_commit+0xa24/0x1490 [nf_tables]
[   64.924745] Write of size 8 at addr dead000000000122 by task test/890
[   64.927903] CPU: 3 PID: 890 Comm: test Not tainted 6.3.0+ torvalds#253
[   64.931120] Call Trace:
[   64.932699]  <TASK>
[   64.934292]  dump_stack_lvl+0x33/0x50
[   64.935908]  ? nf_tables_commit+0xa24/0x1490 [nf_tables]
[   64.937551]  kasan_report+0xda/0x120
[   64.939186]  ? nf_tables_commit+0xa24/0x1490 [nf_tables]
[   64.940814]  nf_tables_commit+0xa24/0x1490 [nf_tables]
[   64.942452]  ? __kasan_slab_alloc+0x2d/0x60
[   64.944070]  ? nf_tables_setelem_notify+0x190/0x190 [nf_tables]
[   64.945710]  ? kasan_set_track+0x21/0x30
[   64.947323]  nfnetlink_rcv_batch+0x709/0xd90 [nfnetlink]
[   64.948898]  ? nfnetlink_rcv_msg+0x480/0x480 [nfnetlink]

Bug 4118555

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Change-Id: Ied13e8d4c146575830e790f92b54013f49a53127
Reviewed-on: https://git-master.nvidia.com/r/c/linux-5.10/+/2911373
Reviewed-by: Bibek Basu <bbasu@nvidia.com>
Tested-by: Amulya Yarlagadda <ayarlagadda@nvidia.com>
GVS: Gerrit_Virtual_Submit <buildbot_gerritrpt@nvidia.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants