From: Sasha Levin Date: Tue, 6 Nov 2018 06:33:05 +0000 (-0500) Subject: 4.19-stable patches X-Git-Tag: v3.18.125~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ed774de23163ca0103e22e2978ae072d4a136c87;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches Signed-off-by: Sasha Levin --- diff --git a/queue-4.19/bpf-fix-partial-copy-of-map_ptr-when-dst-is-scalar.patch b/queue-4.19/bpf-fix-partial-copy-of-map_ptr-when-dst-is-scalar.patch new file mode 100644 index 00000000000..8938d811258 --- /dev/null +++ b/queue-4.19/bpf-fix-partial-copy-of-map_ptr-when-dst-is-scalar.patch @@ -0,0 +1,93 @@ +From cbe5ca067f0c8cb7885643ef18b2c9b1cd265f52 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Thu, 1 Nov 2018 22:29:53 +0100 +Subject: bpf: fix partial copy of map_ptr when dst is scalar + +commit 0962590e553331db2cc0aef2dc35c57f6300dbbe upstream. + +ALU operations on pointers such as scalar_reg += map_value_ptr are +handled in adjust_ptr_min_max_vals(). Problem is however that map_ptr +and range in the register state share a union, so transferring state +through dst_reg->range = ptr_reg->range is just buggy as any new +map_ptr in the dst_reg is then truncated (or null) for subsequent +checks. Fix this by adding a raw member and use it for copying state +over to dst_reg. + +Fixes: f1174f77b50c ("bpf/verifier: rework value tracking") +Signed-off-by: Daniel Borkmann +Cc: Edward Cree +Acked-by: Alexei Starovoitov +Signed-off-by: Alexei Starovoitov +Acked-by: Edward Cree +Signed-off-by: Sasha Levin +--- + include/linux/bpf_verifier.h | 3 +++ + kernel/bpf/verifier.c | 10 ++++++---- + 2 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/include/linux/bpf_verifier.h b/include/linux/bpf_verifier.h +index 38b04f559ad3..1fd6fa822d2c 100644 +--- a/include/linux/bpf_verifier.h ++++ b/include/linux/bpf_verifier.h +@@ -50,6 +50,9 @@ struct bpf_reg_state { + * PTR_TO_MAP_VALUE_OR_NULL + */ + struct bpf_map *map_ptr; ++ ++ /* Max size from any of the above. */ ++ unsigned long raw; + }; + /* Fixed part of pointer offset, pointer types only */ + s32 off; +diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c +index 465952a8e465..b046564cc18d 100644 +--- a/kernel/bpf/verifier.c ++++ b/kernel/bpf/verifier.c +@@ -2762,7 +2762,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + dst_reg->umax_value = umax_ptr; + dst_reg->var_off = ptr_reg->var_off; + dst_reg->off = ptr_reg->off + smin_val; +- dst_reg->range = ptr_reg->range; ++ dst_reg->raw = ptr_reg->raw; + break; + } + /* A new variable offset is created. Note that off_reg->off +@@ -2792,10 +2792,11 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + } + dst_reg->var_off = tnum_add(ptr_reg->var_off, off_reg->var_off); + dst_reg->off = ptr_reg->off; ++ dst_reg->raw = ptr_reg->raw; + if (reg_is_pkt_pointer(ptr_reg)) { + dst_reg->id = ++env->id_gen; + /* something was added to pkt_ptr, set range to zero */ +- dst_reg->range = 0; ++ dst_reg->raw = 0; + } + break; + case BPF_SUB: +@@ -2824,7 +2825,7 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + dst_reg->var_off = ptr_reg->var_off; + dst_reg->id = ptr_reg->id; + dst_reg->off = ptr_reg->off - smin_val; +- dst_reg->range = ptr_reg->range; ++ dst_reg->raw = ptr_reg->raw; + break; + } + /* A new variable offset is created. If the subtrahend is known +@@ -2850,11 +2851,12 @@ static int adjust_ptr_min_max_vals(struct bpf_verifier_env *env, + } + dst_reg->var_off = tnum_sub(ptr_reg->var_off, off_reg->var_off); + dst_reg->off = ptr_reg->off; ++ dst_reg->raw = ptr_reg->raw; + if (reg_is_pkt_pointer(ptr_reg)) { + dst_reg->id = ++env->id_gen; + /* something was added to pkt_ptr, set range to zero */ + if (smin_val < 0) +- dst_reg->range = 0; ++ dst_reg->raw = 0; + } + break; + case BPF_AND: +-- +2.17.1 + diff --git a/queue-4.19/series b/queue-4.19/series new file mode 100644 index 00000000000..d0c3675a053 --- /dev/null +++ b/queue-4.19/series @@ -0,0 +1 @@ +bpf-fix-partial-copy-of-map_ptr-when-dst-is-scalar.patch diff --git a/queue-4.9/arm-tegra-fix-ulpi-regression-on-tegra20.patch b/queue-4.9/arm-tegra-fix-ulpi-regression-on-tegra20.patch deleted file mode 100644 index e960dc33b3c..00000000000 --- a/queue-4.9/arm-tegra-fix-ulpi-regression-on-tegra20.patch +++ /dev/null @@ -1,48 +0,0 @@ -From 0bc3a6d4f0e519111965325703f4889555413d28 Mon Sep 17 00:00:00 2001 -From: Marcel Ziswiler -Date: Thu, 22 Feb 2018 15:38:25 +0100 -Subject: ARM: tegra: Fix ULPI regression on Tegra20 - -[ Upstream commit 4c9a27a6c66d4427f3cba4019d4ba738fe99fa87 ] - -Since commit f8f8f1d04494 ("clk: Don't touch hardware when reparenting -during registration") ULPI has been broken on Tegra20 leading to the -following error message during boot: - -[ 1.974698] ulpi_phy_power_on: ulpi write failed -[ 1.979384] tegra-ehci c5004000.usb: Failed to power on the phy -[ 1.985434] tegra-ehci: probe of c5004000.usb failed with error -110 - -Debugging through the changes and finally also consulting the TRM -revealed that rather than the CDEV2 clock off OSC requiring such pin -muxing actually the PLL_P_OUT4 clock is in use. It looks like so far it -just worked by chance of that one having been enabled which Stephen's -commit now changed when reparenting sclk away from pll_p_out4 leaving -that one disabled. Fix this by properly assigning the PLL_P_OUT4 clock -as the ULPI PHY clock. - -Signed-off-by: Marcel Ziswiler -Reviewed-by: Dmitry Osipenko -Reviewed-by: Rob Herring -Signed-off-by: Thierry Reding -Signed-off-by: Sasha Levin ---- - arch/arm/boot/dts/tegra20.dtsi | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/arm/boot/dts/tegra20.dtsi b/arch/arm/boot/dts/tegra20.dtsi -index 2207c08e3fa3..d771f24f6a26 100644 ---- a/arch/arm/boot/dts/tegra20.dtsi -+++ b/arch/arm/boot/dts/tegra20.dtsi -@@ -690,7 +690,7 @@ - phy_type = "ulpi"; - clocks = <&tegra_car TEGRA20_CLK_USB2>, - <&tegra_car TEGRA20_CLK_PLL_U>, -- <&tegra_car TEGRA20_CLK_CDEV2>; -+ <&tegra_car TEGRA20_CLK_PLL_P_OUT4>; - clock-names = "reg", "pll_u", "ulpi-link"; - resets = <&tegra_car 58>, <&tegra_car 22>; - reset-names = "usb", "utmi-pads"; --- -2.17.1 -