Contents of /trunk/kernel-alx/patches-5.4/0286-5.4.187-all-fixes.patch
Revision 3635 -
Mon Oct 24 12:34:12 2022 UTC (23 months ago) by niro
File size: 15914 byte(s)
-sync kernel patches
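diff --git a/Makefile b/Makefile
index f9054b4e8a123..d07421bc5c2fb 100644
--- a/Makefile
+++ b/Makefile
@@ -1,7 +1,7 @@
 # SPDX-License-Identifier: GPL-2.0
 VERSION = 5
 PATCHLEVEL = 4
-SUBLEVEL = 186
+SUBLEVEL = 187
 EXTRAVERSION =
 NAME = Kleptomaniac Octopus
 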
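diff --git a/arch/arm64/include/asm/vectors.h b/arch/arm64/include/asm/vectors.h
index f64613a96d530..bc9a2145f4194 100644
--- a/arch/arm64/include/asm/vectors.h
+++ b/arch/arm64/include/asm/vectors.h
@@ -56,14 +56,14 @@ enum arm64_bp_harden_el1_vectors {
 DECLARE_PER_CPU_READ_MOSTLY(const char *, this_cpu_vector);
 
 #ifndef CONFIG_UNMAP_KERNEL_AT_EL0
-#define TRAMP_VALIAS 0
+#define TRAMP_VALIAS 0ul
 #endif
 
 static inline const char *
 arm64_get_bp_hardening_vector(enum arm64_bp_harden_el1_vectors slot)
 {
 if (arm64_kernel_unmapped_at_el0())
- return (char *)TRAMP_VALIAS + SZ_2K * slot;
+ return (char *)(TRAMP_VALIAS + SZ_2K * slot);
 
 WARN_ON_ONCE(slot == EL1_VECTOR_KPTI);
 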
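diff --git a/drivers/atm/eni.c b/drivers/atm/eni.c
index de52428b8833d..4816db0553ef8 100644
--- a/drivers/atm/eni.c
+++ b/drivers/atm/eni.c
@@ -1116,6 +1116,8 @@ DPRINTK("iovcnt = %d\n",skb_shinfo(skb)->nr_frags);
 }
 paddr = dma_map_single(&eni_dev->pci_dev->dev,skb->data,skb->len,
 DMA_TO_DEVICE);
+ if (dma_mapping_error(&eni_dev->pci_dev->dev, paddr))
+ return enq_next;
 ENI_PRV_PADDR(skb) = paddr;
 /* prepare DMA queue entries */
 j = 0;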
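Review bot: The new `dma_mapping_error()` branch returns `enq_next` with no diagnostic, so a mapping failure cannot be told apart from the other cases that return that value. What the caller does with `skb` on `enq_next` is outside this hunk; if it requeues the packet, a persistent mapping failure would be retried repeatedly without leaving a trace. A `DPRINTK("dma_map_single failed\n");` before the return, in the style the file already uses, would make the condition visible. The enclosing function starts and ends outside the hunk.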
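diff --git a/drivers/crypto/qcom-rng.c b/drivers/crypto/qcom-rng.c
index 4730f84b646de..3a633a0c40fdf 100644
--- a/drivers/crypto/qcom-rng.c
+++ b/drivers/crypto/qcom-rng.c
@@ -7,6 +7,7 @@
 #include <linux/acpi.h>
 #include <linux/clk.h>
 #include <linux/crypto.h>
+#include <linux/iopoll.h>
 #include <linux/module.h>
 #include <linux/of.h>
 #include <linux/platform_device.h>
@@ -42,16 +43,19 @@ static int qcom_rng_read(struct qcom_rng *rng, u8 *data, unsigned int max)
 {
 unsigned int currsize = 0;
 u32 val;
+ int ret;
 
 /* read random data from hardware */
 do {
- val = readl_relaxed(rng->base + PRNG_STATUS);
- if (!(val & PRNG_STATUS_DATA_AVAIL))
- break;
+ ret = readl_poll_timeout(rng->base + PRNG_STATUS, val,
+ val & PRNG_STATUS_DATA_AVAIL,
+ 200, 10000);
+ if (ret)
+ return ret;
 
 val = readl_relaxed(rng->base + PRNG_DATA_OUT);
 if (!val)
- break;
+ return -EINVAL;
 
 if ((max - currsize) >= WORD_SZ) {
 memcpy(data, &val, WORD_SZ);
@@ -60,11 +64,10 @@ static int qcom_rng_read(struct qcom_rng *rng, u8 *data, unsigned int max)
 } else {
 /* copy only remaining bytes */
 memcpy(data, &val, max - currsize);
- break;
 }
 } while (currsize < max);
 
- return currsize;
+ return 0;
 }
 
 static int qcom_rng_generate(struct crypto_rng *tfm,
@@ -86,7 +89,7 @@ static int qcom_rng_generate(struct crypto_rng *tfm,
 mutex_unlock(&rng->lock);
 clk_disable_unprepare(rng->clk);
 
- return 0;
+ return ret;
 }
 
 static int qcom_rng_seed(struct crypto_rng *tfm, const u8 *seed,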
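Review bot: With `break;` removed from the `else` arm of qcom_rng_read, nothing visible in that arm advances `currsize`, so `while (currsize < max)` stays true whenever `max` is not a multiple of WORD_SZ and the loop keeps re-reading the hardware and overwriting the same tail bytes. Keeping `break;` after the tail `memcpy(data, &val, max - currsize);` (or setting `currsize = max;` there) bounds the loop while preserving the new fill-completely-or-fail behaviour. Separately, `if (!val) return -EINVAL;` rejects an all-zero word; if zero is a legal output of the generator this fails a request roughly once per 2^32 words, so a comment stating why zero indicates a fault would help. The two lines between the second and third hunks are not shown, so the full-word arm is assumed to advance `currsize`.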
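diff --git a/drivers/firmware/efi/apple-properties.c b/drivers/firmware/efi/apple-properties.c
index 0e206c9e0d7ae..7ad2d85d7270b 100644
--- a/drivers/firmware/efi/apple-properties.c
+++ b/drivers/firmware/efi/apple-properties.c
@@ -23,7 +23,7 @@ static bool dump_properties __initdata;
 static int __init dump_properties_enable(char *arg)
 {
 dump_properties = true;
- return 0;
+ return 1;
 }
 
 __setup("dump_apple_properties", dump_properties_enable);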
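diff --git a/drivers/firmware/efi/efi.c b/drivers/firmware/efi/efi.c
index 415d7b3a59f82..8fd74a7501d40 100644
--- a/drivers/firmware/efi/efi.c
+++ b/drivers/firmware/efi/efi.c
@@ -231,7 +231,7 @@ static int __init efivar_ssdt_setup(char *str)
 memcpy(efivar_ssdt, str, strlen(str));
 else
 pr_warn("efivar_ssdt: name too long: %s\n", str);
- return 0;
+ return 1;
 }
 __setup("efivar_ssdt=", efivar_ssdt_setup);
 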
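diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
index f0ea782df836d..312a3c4e23318 100644
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -1619,7 +1619,7 @@ static const struct display_timing innolux_g070y2_l01_timing = {
 static const struct panel_desc innolux_g070y2_l01 = {
 .timings = &innolux_g070y2_l01_timing,
 .num_timings = 1,
- .bpc = 6,
+ .bpc = 8,
 .size = {
 .width = 152,
 .height = 91,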
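diff --git a/drivers/input/tablet/aiptek.c b/drivers/input/tablet/aiptek.c
index 06d0ffef4a171..acaf8c045f19a 100644
--- a/drivers/input/tablet/aiptek.c
+++ b/drivers/input/tablet/aiptek.c
@@ -1801,15 +1801,13 @@ aiptek_probe(struct usb_interface *intf, const struct usb_device_id *id)
 input_set_abs_params(inputdev, ABS_TILT_Y, AIPTEK_TILT_MIN, AIPTEK_TILT_MAX, 0, 0);
 input_set_abs_params(inputdev, ABS_WHEEL, AIPTEK_WHEEL_MIN, AIPTEK_WHEEL_MAX - 1, 0, 0);
 
- /* Verify that a device really has an endpoint */
- if (intf->cur_altsetting->desc.bNumEndpoints < 1) {
+ err = usb_find_common_endpoints(intf->cur_altsetting,
+ NULL, NULL, &endpoint, NULL);
+ if (err) {
 dev_err(&intf->dev,
- "interface has %d endpoints, but must have minimum 1\n",
- intf->cur_altsetting->desc.bNumEndpoints);
- err = -EINVAL;
+ "interface has no int in endpoints, but must have minimum 1\n");
 goto fail3;
 }
- endpoint = &intf->cur_altsetting->endpoint[0].desc;
 
 /* Go set up our URB, which is called when the tablet receives
 * input.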
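Review bot: The comment removed with the old `bNumEndpoints` test is not replaced, so the reason for the new `usb_find_common_endpoints()` call in aiptek_probe is left to the reader. The descriptors are supplied by the attached device, and the call now requires an interrupt-IN endpoint instead of accepting whatever sits at index 0; a comment such as `/* descriptors are device-supplied: require an interrupt-IN endpoint */` would keep that visible. The message "interface has no int in endpoints, but must have minimum 1" also reads awkwardly, and `"interface has no interrupt-in endpoint\n"` would be clearer. Note that probe now fails with the helper's return value rather than the previous `-EINVAL`. aiptek_probe starts and ends outside the hunk.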
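diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c
index 362b7ca6f3b2a..57e92c5bfcc92 100644
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -1445,6 +1445,9 @@ static void netvsc_get_ethtool_stats(struct net_device *dev,
 pcpu_sum = kvmalloc_array(num_possible_cpus(),
 sizeof(struct netvsc_ethtool_pcpu_stats),
 GFP_KERNEL);
+ if (!pcpu_sum)
+ return;
+
 netvsc_get_pcpu_stats(dev, pcpu_sum);
 for_each_present_cpu(cpu) {
 struct netvsc_ethtool_pcpu_stats *this_sum = &pcpu_sum[cpu];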
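Review bot: The added `if (!pcpu_sum) return;` in netvsc_get_ethtool_stats fails silently: the function is void, so on allocation failure the per-CPU part of the output is left exactly as the caller handed it in and user space cannot tell that the counters are missing. That is only safe if the caller zero-fills the stats buffer before the call, which is not visible in this hunk and should be confirmed. Once confirmed, a comment on the early return such as `/* OOM: leave the per-CPU slots as the caller initialised them */` would record the assumption. The function body starts and ends outside the hunk.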
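diff --git a/drivers/net/phy/marvell.c b/drivers/net/phy/marvell.c
index 53420c5312667..49801c2eb6271 100644
--- a/drivers/net/phy/marvell.c
+++ b/drivers/net/phy/marvell.c
@@ -1408,8 +1408,8 @@ static int marvell_suspend(struct phy_device *phydev)
 int err;
 
 /* Suspend the fiber mode first */
- if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
- phydev->supported)) {
+ if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
+ phydev->supported)) {
 err = marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE);
 if (err < 0)
 goto error;
@@ -1443,8 +1443,8 @@ static int marvell_resume(struct phy_device *phydev)
 int err;
 
 /* Resume the fiber mode first */
- if (!linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
- phydev->supported)) {
+ if (linkmode_test_bit(ETHTOOL_LINK_MODE_FIBRE_BIT,
+ phydev->supported)) {
 err = marvell_set_page(phydev, MII_MARVELL_FIBER_PAGE);
 if (err < 0)
 goto error;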
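diff --git a/drivers/usb/class/usbtmc.c b/drivers/usb/class/usbtmc.c
index 3922a6f8c50a6..77b1802f829b3 100644
--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -1889,6 +1889,7 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
 struct usbtmc_ctrlrequest request;
 u8 *buffer = NULL;
 int rv;
+ unsigned int is_in, pipe;
 unsigned long res;
 
 res = copy_from_user(&request, arg, sizeof(struct usbtmc_ctrlrequest));
@@ -1898,12 +1899,14 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
 if (request.req.wLength > USBTMC_BUFSIZE)
 return -EMSGSIZE;
 
+ is_in = request.req.bRequestType & USB_DIR_IN;
+
 if (request.req.wLength) {
 buffer = kmalloc(request.req.wLength, GFP_KERNEL);
 if (!buffer)
 return -ENOMEM;
 
- if ((request.req.bRequestType & USB_DIR_IN) == 0) {
+ if (!is_in) {
 /* Send control data to device */
 res = copy_from_user(buffer, request.data,
 request.req.wLength);
@@ -1914,8 +1917,12 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
 }
 }
 
+ if (is_in)
+ pipe = usb_rcvctrlpipe(data->usb_dev, 0);
+ else
+ pipe = usb_sndctrlpipe(data->usb_dev, 0);
 rv = usb_control_msg(data->usb_dev,
- usb_rcvctrlpipe(data->usb_dev, 0),
+ pipe,
 request.req.bRequest,
 request.req.bRequestType,
 request.req.wValue,
@@ -1927,7 +1934,7 @@ static int usbtmc_ioctl_request(struct usbtmc_device_data *data,
 goto exit;
 }
 
- if (rv && (request.req.bRequestType & USB_DIR_IN)) {
+ if (rv && is_in) {
 /* Read control data from device */
 res = copy_to_user(request.data, buffer, rv);
 if (res)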
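Review bot: `is_in` in usbtmc_ioctl_request is declared `unsigned int` but holds the raw masked bit from `request.req.bRequestType & USB_DIR_IN` and is then used only as a truth value in three places; declaring it `bool is_in;` next to `unsigned int pipe;` states the intent directly. Because `request` is copied in from user space, the pipe selection is driven by caller-controlled data, and a comment above it such as `/* pipe direction must follow the user-supplied bRequestType */` would explain why the receive pipe is no longer hard-coded. The function starts and ends outside the hunks shown.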
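diff --git a/drivers/usb/gadget/function/rndis.c b/drivers/usb/gadget/function/rndis.c
index 970ed1514f0bc..fa0c173a0d26f 100644
--- a/drivers/usb/gadget/function/rndis.c
+++ b/drivers/usb/gadget/function/rndis.c
@@ -640,6 +640,7 @@ static int rndis_set_response(struct rndis_params *params,
 BufLength = le32_to_cpu(buf->InformationBufferLength);
 BufOffset = le32_to_cpu(buf->InformationBufferOffset);
 if ((BufLength > RNDIS_MAX_TOTAL_SIZE) ||
+ (BufOffset > RNDIS_MAX_TOTAL_SIZE) ||
 (BufOffset + 8 >= RNDIS_MAX_TOTAL_SIZE))
 return -EINVAL;
 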
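Review bot: The condition in rndis_set_response still bounds `BufLength` and `BufOffset` separately, each against the constant `RNDIS_MAX_TOTAL_SIZE` rather than against the size of the message actually received. The added `BufOffset > RNDIS_MAX_TOTAL_SIZE` test stops `BufOffset + 8` from wrapping, but nothing in the hunk checks that `BufOffset + 8 + BufLength` stays inside the buffer the peer sent, so confirm that the code after this hunk or the caller enforces that before the offset is used. A comment on the new line, e.g. `/* reject offsets large enough to wrap BufOffset + 8 */`, would also keep the check from looking redundant with the one below it. The function continues outside the hunk.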
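diff --git a/drivers/usb/gadget/udc/core.c b/drivers/usb/gadget/udc/core.c
index e41f67cd3d469..f9d2737aabe82 100644
--- a/drivers/usb/gadget/udc/core.c
+++ b/drivers/usb/gadget/udc/core.c
@@ -1303,7 +1303,6 @@ static void usb_gadget_remove_driver(struct usb_udc *udc)
 usb_gadget_udc_stop(udc);
 
 udc->driver = NULL;
- udc->dev.driver = NULL;
 udc->gadget->dev.driver = NULL;
 }
 
@@ -1352,7 +1351,6 @@ static int udc_bind_to_driver(struct usb_udc *udc, struct usb_gadget_driver *dri
 driver->function);
 
 udc->driver = driver;
- udc->dev.driver = &driver->driver;
 udc->gadget->dev.driver = &driver->driver;
 
 usb_gadget_udc_set_speed(udc, driver->max_speed);
@@ -1374,7 +1372,6 @@ err1:
 dev_err(&udc->dev, "failed to start %s: %d\n",
 udc->driver->function, ret);
 udc->driver = NULL;
- udc->dev.driver = NULL;
 udc->gadget->dev.driver = NULL;
 return ret;
 }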
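diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index eaec97892dce8..c1cf67b24c19b 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -1100,17 +1100,6 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
 goto read_super_error;
 }
 
- root = d_make_root(inode);
- if (!root) {
- status = -ENOMEM;
- mlog_errno(status);
- goto read_super_error;
- }
-
- sb->s_root = root;
-
- ocfs2_complete_mount_recovery(osb);
-
 osb->osb_dev_kset = kset_create_and_add(sb->s_id, NULL,
 &ocfs2_kset->kobj);
 if (!osb->osb_dev_kset) {
@@ -1128,6 +1117,17 @@ static int ocfs2_fill_super(struct super_block *sb, void *data, int silent)
 goto read_super_error;
 }
 
+ root = d_make_root(inode);
+ if (!root) {
+ status = -ENOMEM;
+ mlog_errno(status);
+ goto read_super_error;
+ }
+
+ sb->s_root = root;
+
+ ocfs2_complete_mount_recovery(osb);
+
 if (ocfs2_mount_local(osb))
 snprintf(nodestr, sizeof(nodestr), "local");
 else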
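diff --git a/include/linux/if_arp.h b/include/linux/if_arp.h
index bf5c5f32c65e4..e147ea6794670 100644
--- a/include/linux/if_arp.h
+++ b/include/linux/if_arp.h
@@ -51,6 +51,7 @@ static inline bool dev_is_mac_header_xmit(const struct net_device *dev)
 case ARPHRD_VOID:
 case ARPHRD_NONE:
 case ARPHRD_RAWIP:
+ case ARPHRD_PIMREG:
 return false;
 default:
 return true;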
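diff --git a/net/dsa/dsa2.c b/net/dsa/dsa2.c
index 70e6fc2edd304..1f27641f9cc07 100644
--- a/net/dsa/dsa2.c
+++ b/net/dsa/dsa2.c
@@ -669,6 +669,7 @@ static int dsa_port_parse_of(struct dsa_port *dp, struct device_node *dn)
 struct net_device *master;
 
 master = of_find_net_device_by_node(ethernet);
+ of_node_put(ethernet);
 if (!master)
 return -EPROBE_DEFER;
 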
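diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index ed11013d4b953..70c102359bfef 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -2257,8 +2257,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 copy_skb = skb_get(skb);
 skb_head = skb->data;
 }
- if (copy_skb)
+ if (copy_skb) {
+ memset(&PACKET_SKB_CB(copy_skb)->sa.ll, 0,
+ sizeof(PACKET_SKB_CB(copy_skb)->sa.ll));
 skb_set_owner_r(copy_skb, sk);
+ }
 }
 snaplen = po->rx_ring.frame_size - macoff;
 if ((int)snaplen < 0) {
@@ -3405,6 +3408,8 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 sock_recv_ts_and_drops(msg, sk, skb);
 
 if (msg->msg_name) {
+ const size_t max_len = min(sizeof(skb->cb),
+ sizeof(struct sockaddr_storage));
 int copy_len;
 
 /* If the address length field is there to be filled
@@ -3427,6 +3432,10 @@ static int packet_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 msg->msg_namelen = sizeof(struct sockaddr_ll);
 }
 }
+ if (WARN_ON_ONCE(copy_len > max_len)) {
+ copy_len = max_len;
+ msg->msg_namelen = copy_len;
+ }
 memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, copy_len);
 }
 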
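Review bot: In packet_recvmsg the new clamp compares `copy_len`, declared `int`, with `max_len`, declared `const size_t`, so `copy_len > max_len` is evaluated as an unsigned comparison. That happens to send a negative `copy_len` into the clamp as well, which is the safe outcome for the `memcpy` that follows, but the code does not say it is intended. Either record it with a comment such as `/* unsigned compare: a negative copy_len is clamped too */` or make the two types agree. A short comment that the clamp bounds the read from `skb->cb` into the caller's `msg_name` would also help the next reader. Both functions extend beyond the hunks shown.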
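diff --git a/tools/perf/util/symbol.c b/tools/perf/util/symbol.c
index 901ad7f6f4dcc..ea2c7beff4868 100644
--- a/tools/perf/util/symbol.c
+++ b/tools/perf/util/symbol.c
@@ -231,7 +231,7 @@ void symbols__fixup_end(struct rb_root_cached *symbols)
 prev = curr;
 curr = rb_entry(nd, struct symbol, rb_node);
 
- if (prev->end == prev->start && prev->end != curr->start)
+ if (prev->end == prev->start || prev->end != curr->start)
 arch__symbols__fixup_end(prev, curr);
 }
 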
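diff --git a/tools/testing/selftests/bpf/prog_tests/timer_crash.c b/tools/testing/selftests/bpf/prog_tests/timer_crash.c
deleted file mode 100644
index f74b82305da8c..0000000000000
--- a/tools/testing/selftests/bpf/prog_tests/timer_crash.c
+++ /dev/null
@@ -1,32 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-#include <test_progs.h>
-#include "timer_crash.skel.h"
-
-enum {
- MODE_ARRAY,
- MODE_HASH,
-};
-
-static void test_timer_crash_mode(int mode)
-{
- struct timer_crash *skel;
-
- skel = timer_crash__open_and_load();
- if (!ASSERT_OK_PTR(skel, "timer_crash__open_and_load"))
- return;
- skel->bss->pid = getpid();
- skel->bss->crash_map = mode;
- if (!ASSERT_OK(timer_crash__attach(skel), "timer_crash__attach"))
- goto end;
- usleep(1);
-end:
- timer_crash__destroy(skel);
-}
-
-void test_timer_crash(void)
-{
- if (test__start_subtest("array"))
- test_timer_crash_mode(MODE_ARRAY);
- if (test__start_subtest("hash"))
- test_timer_crash_mode(MODE_HASH);
-}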
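diff --git a/tools/testing/selftests/bpf/progs/timer_crash.c b/tools/testing/selftests/bpf/progs/timer_crash.c
deleted file mode 100644
index f8f7944e70dae..0000000000000
--- a/tools/testing/selftests/bpf/progs/timer_crash.c
+++ /dev/null
@@ -1,54 +0,0 @@
-// SPDX-License-Identifier: GPL-2.0
-
-#include <vmlinux.h>
-#include <bpf/bpf_tracing.h>
-#include <bpf/bpf_helpers.h>
-
-struct map_elem {
- struct bpf_timer timer;
- struct bpf_spin_lock lock;
-};
-
-struct {
- __uint(type, BPF_MAP_TYPE_ARRAY);
- __uint(max_entries, 1);
- __type(key, int);
- __type(value, struct map_elem);
-} amap SEC(".maps");
-
-struct {
- __uint(type, BPF_MAP_TYPE_HASH);
- __uint(max_entries, 1);
- __type(key, int);
- __type(value, struct map_elem);
-} hmap SEC(".maps");
-
-int pid = 0;
-int crash_map = 0; /* 0 for amap, 1 for hmap */
-
-SEC("fentry/do_nanosleep")
-int sys_enter(void *ctx)
-{
- struct map_elem *e, value = {};
- void *map = crash_map ? (void *)&hmap : (void *)&amap;
-
- if (bpf_get_current_task_btf()->tgid != pid)
- return 0;
-
- *(void **)&value = (void *)0xdeadcaf3;
-
- bpf_map_update_elem(map, &(int){0}, &value, 0);
- /* For array map, doing bpf_map_update_elem will do a
- * check_and_free_timer_in_array, which will trigger the crash if timer
- * pointer was overwritten, for hmap we need to use bpf_timer_cancel.
- */
- if (crash_map == 1) {
- e = bpf_map_lookup_elem(map, &(int){0});
- if (!e)
- return 0;
- bpf_timer_cancel(&e->timer);
- }
- return 0;
-}
-
-char _license[] SEC("license") = "GPL";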