Merge tag 'v6.6.44' into for/openbmc/dev-6.6

This is the 6.6.44 stable release

af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash

[ Upstream commit 638f32604385fd23059985da8de918e9c18f0b98 ]

AF_UNIX socket tracks the most recent OOB packet (in its receive queue

af_unix: Disable MSG_OOB handling for sockets in sockmap/sockhash

[ Upstream commit 638f32604385fd23059985da8de918e9c18f0b98 ]

AF_UNIX socket tracks the most recent OOB packet (in its receive queue)
with an `oob_skb` pointer. BPF redirecting does not account for that: when
an OOB packet is moved between sockets, `oob_skb` is left outdated. This
results in a single skb that may be accessed from two different sockets.

Take the easy way out: silently drop MSG_OOB data targeting any socket that
is in a sockmap or a sockhash. Note that such silent drop is akin to the
fate of redirected skb's scm_fp_list (SCM_RIGHTS, SCM_CREDENTIALS).

For symmetry, forbid MSG_OOB in unix_bpf_recvmsg().

Fixes: 314001f0bf92 ("af_unix: Add OOB support")
Suggested-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Jakub Sitnicki <jakub@cloudflare.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20240713200218.2140950-2-mhal@rbox.co
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

Merge tag 'v6.6.14' into dev-6.6

This is the 6.6.14 stable release

bpf: sockmap, fix proto update hook to avoid dup calls

[ Upstream commit 16b2f264983dc264c1560cc0170e760dec1bf54f ]

When sockets are added to a sockmap or sockhash we allocate and init a
psock. The

bpf: sockmap, fix proto update hook to avoid dup calls

[ Upstream commit 16b2f264983dc264c1560cc0170e760dec1bf54f ]

When sockets are added to a sockmap or sockhash we allocate and init a
psock. Then update the proto ops with sock_map_init_proto the flow is

sock_hash_update_common
sock_map_link
psock = sock_map_psock_get_checked() <-returns existing psock
sock_map_init_proto(sk, psock) <- updates sk_proto

If the socket is already in a map this results in the sock_map_init_proto
being called multiple times on the same socket. We do this because when
a socket is added to multiple maps this might result in a new set of BPF
programs being attached to the socket requiring an updated ops struct.

This creates a rule where it must be safe to call psock_update_sk_prot
multiple times. When we added a fix for UAF through unix sockets in patch
4dd9a38a753fc we broke this rule by adding a sock_hold in that path
to ensure the sock is not released. The result is if a af_unix stream sock
is placed in multiple maps it results in a memory leak because we call
sock_hold multiple times with only a single sock_put on it.

Fixes: 8866730aed51 ("bpf, sockmap: af_unix stream sockets need to hold ref for pair sock")
Reported-by: Xingwei Lee <xrivendell7@gmail.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/r/20231221232327.43678-2-john.fastabend@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

Merge tag 'v6.6.6' into dev-6.6

This is the 6.6.6 stable release

Signed-off-by: Joel Stanley <joel@jms.id.au>

bpf, sockmap: af_unix stream sockets need to hold ref for pair sock

[ Upstream commit 8866730aed5100f06d3d965c22f1c61f74942541 ]

AF_UNIX stream sockets are a paired socket. So sending on one of the

bpf, sockmap: af_unix stream sockets need to hold ref for pair sock

[ Upstream commit 8866730aed5100f06d3d965c22f1c61f74942541 ]

AF_UNIX stream sockets are a paired socket. So sending on one of the pairs
will lookup the paired socket as part of the send operation. It is possible
however to put just one of the pairs in a BPF map. This currently increments
the refcnt on the sock in the sockmap to ensure it is not free'd by the
stack before sockmap cleans up its state and stops any skbs being sent/recv'd
to that socket.

But we missed a case. If the peer socket is closed it will be free'd by the
stack. However, the paired socket can still be referenced from BPF sockmap
side because we hold a reference there. Then if we are sending traffic through
BPF sockmap to that socket it will try to dereference the free'd pair in its
send logic creating a use after free. And following splat:

[59.900375] BUG: KASAN: slab-use-after-free in sk_wake_async+0x31/0x1b0
[59.901211] Read of size 8 at addr ffff88811acbf060 by task kworker/1:2/954
[...]
[59.905468] Call Trace:
[59.905787] <TASK>
[59.906066] dump_stack_lvl+0x130/0x1d0
[59.908877] print_report+0x16f/0x740
[59.910629] kasan_report+0x118/0x160
[59.912576] sk_wake_async+0x31/0x1b0
[59.913554] sock_def_readable+0x156/0x2a0
[59.914060] unix_stream_sendmsg+0x3f9/0x12a0
[59.916398] sock_sendmsg+0x20e/0x250
[59.916854] skb_send_sock+0x236/0xac0
[59.920527] sk_psock_backlog+0x287/0xaa0

To fix let BPF sockmap hold a refcnt on both the socket in the sockmap and its
paired socket. It wasn't obvious how to contain the fix to bpf_unix logic. The
primarily problem with keeping this logic in bpf_unix was: In the sock close()
we could handle the deref by having a close handler. But, when we are destroying
the psock through a map delete operation we wouldn't have gotten any signal
thorugh the proto struct other than it being replaced. If we do the deref from
the proto replace its too early because we need to deref the sk_pair after the
backlog worker has been stopped.

Given all this it seems best to just cache it at the end of the psock and eat 8B
for the af_unix and vsock users. Notice dgram sockets are OK because they handle
locking already.

Fixes: 94531cfcbe79 ("af_unix: Add unix_stream_proto for sockmap")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Jakub Sitnicki <jakub@cloudflare.com>
Link: https://lore.kernel.org/bpf/20231129012557.95371-2-john.fastabend@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>

show more ...

Merge branch 'next' into for-linus

Prepare input updates for 6.4 merge window.

Merge branch 'for-6.4/amd-sfh' into for-linus

- assorted functional fixes for amd-sfh driver (Basavaraj Natikar)

Merge tag 'asoc-v6.4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next

ASoC: Updates for v6.4

The bulk of the commits here are for the conversion of drivers to use
voi

Merge tag 'asoc-v6.4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-next

ASoC: Updates for v6.4

The bulk of the commits here are for the conversion of drivers to use
void remove callbacks but there's a reasonable amount of other stuff
going on, the pace of development with the SOF code continues to be high
and there's a bunch of new drivers too:

- More core cleanups from Morimto-san.
- Update drivers to have remove() callbacks returning void, mostly
mechanical with some substantial changes.
- Continued feature and simplification work on SOF, including addition
of a no-DSP mode for bringup, HDA MLink and extensions to the IPC4
protocol.
- Hibernation support for CS35L45.
- More DT binding conversions.
- Support for Cirrus Logic CS35L56, Freescale QMC, Maxim MAX98363,
nVidia systems with MAX9809x and RT5631, Realtek RT712, Renesas R-Car
Gen4, Rockchip RK3588 and TI TAS5733.

show more ...

Merge tag 'spi-nor/for-6.4' into mtd/next

SPI NOR core changes:
* introduce Read While Write support for flashes featuring several banks
* set the 4-Byte Address Mode method based on SFDP data
* all

Merge tag 'spi-nor/for-6.4' into mtd/next

SPI NOR core changes:
* introduce Read While Write support for flashes featuring several banks
* set the 4-Byte Address Mode method based on SFDP data
* allow post_sfdp hook to return errors
* parse SCCR MC table and introduce support for multi-chip devices

SPI NOR manufacturer drivers changes:
* macronix: add support for mx25uw51245g with RWW
* spansion:
- determine current address mode at runtime as it can be changed in a
non-volatile way and differ from factory defaults or from what SFDP
advertises.
- enable JFFS2 write buffer mode for few ECC'd NOR flashes: S25FS256T,
s25hx and s28hx
- add support for s25hl02gt and s25hs02gt

Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>

show more ...

Merge branches 'misc' and 'fixes' into for-next

Merge drm/drm-next into drm-intel-gt-next

Need to pull in commit from drm-next (earlier in drm-intel-next):

1eca0778f4b3 ("drm/i915: add struct i915_dsm to wrap dsm members together")

In order to

Merge drm/drm-next into drm-intel-gt-next

Need to pull in commit from drm-next (earlier in drm-intel-next):

1eca0778f4b3 ("drm/i915: add struct i915_dsm to wrap dsm members together")

In order to merge following patch to drm-intel-gt-next:

https://patchwork.freedesktop.org/patch/530942/?series=114925&rev=6

Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>

show more ...

Merge branch 'riscv-jh7110_initial_dts' into riscv-dt-for-next

Merge Hal's series adding support for the new StarFive JH7110 SoC.
There's a few bindings here for core components that were not picked

Merge branch 'riscv-jh7110_initial_dts' into riscv-dt-for-next

Merge Hal's series adding support for the new StarFive JH7110 SoC.
There's a few bindings here for core components that were not picked up
by the various maintainers for the subsystems (previously Palmer would
pick these up via the RISC-V tree) & the first two commits in the branch
are shared with the clk tree, since the dts depends on defines in the
dt-binding headers.

This is based on -rc2, as the board does not actually boot on -rc1
due to the bug Linus introduced.

Signed-off-by: Conor Dooley <conor.dooley@microchip.com>

show more ...

Merge branch 'iommufd/for-rc' into for-next

The following selftest patch requires both the bug fixes and the
improvements of the selftest framework.

* iommufd/for-rc:
iommufd: Do not corrupt the

Merge branch 'iommufd/for-rc' into for-next

The following selftest patch requires both the bug fixes and the
improvements of the selftest framework.

* iommufd/for-rc:
iommufd: Do not corrupt the pfn list when doing batch carry
iommufd: Fix unpinning of pages when an access is present
iommufd: Check for uptr overflow
Linux 6.3-rc5

Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>

show more ...

Merge 6.3-rc5 into driver-core-next

We need the fixes in here for testing, as well as the driver core
changes for documentation updates to build on.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxf

Merge 6.3-rc5 into driver-core-next

We need the fixes in here for testing, as well as the driver core
changes for documentation updates to build on.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

Merge tag 'v6.3-rc3'

Merge v6.3-rc3, so that 'acpi_quirk_skip_gpio_event_handlers'
is available, which is needed for adding x86 android tablet
support in axp288_charger.

Signed-off-by: Sebastian Re

Merge tag 'v6.3-rc3'

Merge v6.3-rc3, so that 'acpi_quirk_skip_gpio_event_handlers'
is available, which is needed for adding x86 android tablet
support in axp288_charger.

Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>

show more ...

Merge tag 'asoc-fix-v6.3-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v6.3

More fixes for v6.3, plus a few new trivial device ID additions.
A

Merge tag 'asoc-fix-v6.3-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v6.3

More fixes for v6.3, plus a few new trivial device ID additions.
Almost all of this is for the Intel drivers, though there is one
core fix from Shengjiu which ensures that format constraints are
correctly applied in some cases where they were missed.

show more ...

Merge remote-tracking branch 'drm/drm-next' into drm-misc-next

Backmerge to get rc4.

Signed-off-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>

Merge drm/drm-next into drm-intel-next

Catch up with 6.3-rc cycle...

Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>

Merge 6.3-rc4 into usb-next

We need the USB fixes here, and the USB gadget update for future
development patches to be based on.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Merge remote-tracking branch 'drm/drm-next' into msm-next

Merge drm-next into msm-next to pick up external clk and PM dependencies
for improved a6xx GPU reset sequence.

Signed-off-by: Rob Clark <ro

Merge remote-tracking branch 'drm/drm-next' into msm-next

Merge drm-next into msm-next to pick up external clk and PM dependencies
for improved a6xx GPU reset sequence.

Signed-off-by: Rob Clark <robdclark@chromium.org>

show more ...

Merge 6.3-rc3 into tty-next

We need the tty/serial fixes in here and it resolves a merge conflict
with:
drivers/tty/serial/8250/8250_em.c

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.

Merge 6.3-rc3 into tty-next

We need the tty/serial fixes in here and it resolves a merge conflict
with:
drivers/tty/serial/8250/8250_em.c

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

Merge 6.3-rc3 into char-misc-next

We need the mainline fixes in this branch for testing and other
subsystem changes to be based properly on.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundatio

Merge 6.3-rc3 into char-misc-next

We need the mainline fixes in this branch for testing and other
subsystem changes to be based properly on.

Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

show more ...

Merge tag 'v6.3-rc2' into next

Merge with mainline to get of_property_present() and other newer APIs.

Merge tag 'v6.3-rc2' into spi-6.4 to fix clock related boot issues

Linux 6.3-rc2