diff options
| author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-10-06 05:11:30 -0400 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2018-10-06 05:11:30 -0400 |
| commit | c1d84a1b42ef70d8ae601df9cadedc7ed4f1beb1 (patch) | |
| tree | b3a68e7b9b3ed10ccde115a5d19387c7a62260ab /kernel | |
| parent | 091a1eaa0e309b0e8dcbf3f2da12c7f3d03ed182 (diff) | |
| parent | 35f3625c21852ad839f20c91c7d81c4c1101e207 (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Dave writes:
"Networking fixes:
1) Fix truncation of 32-bit right shift in bpf, from Jann Horn.
2) Fix memory leak in wireless wext compat, from Stefan Seyfried.
3) Use after free in cfg80211's reg_process_hint(), from Yu Zhao.
4) Need to cancel pending work when unbinding in smsc75xx otherwise
we oops, also from Yu Zhao.
5) Don't allow enslaving a team device to itself, from Ido Schimmel.
6) Fix backwards compat with older userspace for rtnetlink FDB dumps.
From Mauricio Faria.
7) Add validation of tc policy netlink attributes, from David Ahern.
8) Fix RCU locking in rawv6_send_hdrinc(), from Wei Wang."
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (26 commits)
net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
ipv6: take rcu lock in rawv6_send_hdrinc()
net: sched: Add policy validation for tc attributes
rtnetlink: fix rtnl_fdb_dump() for ndmsg header
yam: fix a missing-check bug
net: bpfilter: Fix type cast and pointer warnings
net: cxgb3_main: fix a missing-check bug
bpf: 32-bit RSH verification must truncate input before the ALU op
net: phy: phylink: fix SFP interface autodetection
be2net: don't flip hw_features when VXLANs are added/deleted
net/packet: fix packet drop as of virtio gso
net: dsa: b53: Keep CPU port as tagged in all VLANs
openvswitch: load NAT helper
bnxt_en: get the reduced max_irqs by the ones used by RDMA
bnxt_en: free hwrm resources, if driver probe fails.
bnxt_en: Fix enables field in HWRM_QUEUE_COS2BW_CFG request
bnxt_en: Fix VNIC reservations on the PF.
team: Forbid enslaving team device to itself
net/usb: cancel pending work when unbinding smsc75xx
mlxsw: spectrum: Delete RIF when VLAN device is removed
...
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/bpf/local_storage.c | 5 | ||||
| -rw-r--r-- | kernel/bpf/verifier.c | 10 |
2 files changed, 13 insertions, 2 deletions
diff --git a/kernel/bpf/local_storage.c b/kernel/bpf/local_storage.c index 22ad967d1e5f..830d7f095748 100644 --- a/kernel/bpf/local_storage.c +++ b/kernel/bpf/local_storage.c | |||
| @@ -129,7 +129,7 @@ static int cgroup_storage_update_elem(struct bpf_map *map, void *_key, | |||
| 129 | struct bpf_cgroup_storage *storage; | 129 | struct bpf_cgroup_storage *storage; |
| 130 | struct bpf_storage_buffer *new; | 130 | struct bpf_storage_buffer *new; |
| 131 | 131 | ||
| 132 | if (flags & BPF_NOEXIST) | 132 | if (flags != BPF_ANY && flags != BPF_EXIST) |
| 133 | return -EINVAL; | 133 | return -EINVAL; |
| 134 | 134 | ||
| 135 | storage = cgroup_storage_lookup((struct bpf_cgroup_storage_map *)map, | 135 | storage = cgroup_storage_lookup((struct bpf_cgroup_storage_map *)map, |
| @@ -195,6 +195,9 @@ static struct bpf_map *cgroup_storage_map_alloc(union bpf_attr *attr) | |||
| 195 | if (attr->key_size != sizeof(struct bpf_cgroup_storage_key)) | 195 | if (attr->key_size != sizeof(struct bpf_cgroup_storage_key)) |
| 196 | return ERR_PTR(-EINVAL); | 196 | return ERR_PTR(-EINVAL); |
| 197 | 197 | ||
| 198 | if (attr->value_size == 0) | ||
| 199 | return ERR_PTR(-EINVAL); | ||
| 200 | |||
| 198 | if (attr->value_size > PAGE_SIZE) | 201 | if (attr->value_size > PAGE_SIZE) |
| 199 | return ERR_PTR(-E2BIG); | 202 | return ERR_PTR(-E2BIG); |
| 200 | 203 | ||
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c index bb07e74b34a2..465952a8e465 100644 --- a/kernel/bpf/verifier.c +++ b/kernel/bpf/verifier.c | |||
| @@ -2896,6 +2896,15 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, | |||
| 2896 | u64 umin_val, umax_val; | 2896 | u64 umin_val, umax_val; |
| 2897 | u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; | 2897 | u64 insn_bitness = (BPF_CLASS(insn->code) == BPF_ALU64) ? 64 : 32; |
| 2898 | 2898 | ||
| 2899 | if (insn_bitness == 32) { | ||
| 2900 | /* Relevant for 32-bit RSH: Information can propagate towards | ||
| 2901 | * LSB, so it isn't sufficient to only truncate the output to | ||
| 2902 | * 32 bits. | ||
| 2903 | */ | ||
| 2904 | coerce_reg_to_size(dst_reg, 4); | ||
| 2905 | coerce_reg_to_size(&src_reg, 4); | ||
| 2906 | } | ||
| 2907 | |||
| 2899 | smin_val = src_reg.smin_value; | 2908 | smin_val = src_reg.smin_value; |
| 2900 | smax_val = src_reg.smax_value; | 2909 | smax_val = src_reg.smax_value; |
| 2901 | umin_val = src_reg.umin_value; | 2910 | umin_val = src_reg.umin_value; |
| @@ -3131,7 +3140,6 @@ static int adjust_scalar_min_max_vals(struct bpf_verifier_env *env, | |||
| 3131 | if (BPF_CLASS(insn->code) != BPF_ALU64) { | 3140 | if (BPF_CLASS(insn->code) != BPF_ALU64) { |
| 3132 | /* 32-bit ALU ops are (32,32)->32 */ | 3141 | /* 32-bit ALU ops are (32,32)->32 */ |
| 3133 | coerce_reg_to_size(dst_reg, 4); | 3142 | coerce_reg_to_size(dst_reg, 4); |
| 3134 | coerce_reg_to_size(&src_reg, 4); | ||
| 3135 | } | 3143 | } |
| 3136 | 3144 | ||
| 3137 | __reg_deduce_bounds(dst_reg); | 3145 | __reg_deduce_bounds(dst_reg); |