1107 Commits

Author SHA1 Message Date
Greg Kroah-Hartman
40fc2b4825 This is the 4.14.183 stable release

Merge 4.14.183 into android-4.14-stable

Changes in 4.14.183
	ax25: fix setsockopt(SO_BINDTODEVICE)
	net: ipip: fix wrong address family in init error path
	net/mlx5: Add command entry handling completion
	net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()"
	net sched: fix reporting the first-time use timestamp
	r8152: support additional Microsoft Surface Ethernet Adapter variant
	sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
	net/mlx5e: Update netdev txq on completions during closure
	net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
	net: sun: fix missing release regions in cas_init_one().
	net/mlx4_core: fix a memory leak bug.
	ARM: dts: rockchip: fix phy nodename for rk3228-evb
	arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
	ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
	gpio: tegra: mask GPIO IRQs during IRQ shutdown
	net: microchip: encx24j600: add missed kthread_stop
	gfs2: move privileged user check to gfs2_quota_lock_check
	cachefiles: Fix race between read_waiter and read_copier involving op->to_do
	usb: gadget: legacy: fix redundant initialization warnings
	net: freescale: select CONFIG_FIXED_PHY where needed
	cifs: Fix null pointer check in cifs_read
	samples: bpf: Fix build error
	Input: usbtouchscreen - add support for BonXeon TP
	Input: evdev - call input_flush_device() on release(), not flush()
	Input: xpad - add custom init packet for Xbox One S controllers
	Input: dlink-dir685-touchkeys - fix a typo in driver name
	Input: i8042 - add ThinkPad S230u to i8042 reset list
	Input: synaptics-rmi4 - really fix attn_data use-after-free
	Input: synaptics-rmi4 - fix error return code in rmi_driver_probe()
	ARM: 8843/1: use unified assembler in headers
	ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h
	ARM: uaccess: integrate uaccess_save and uaccess_restore
	ARM: uaccess: fix DACR mismatch with nested exceptions
	gpio: exar: Fix bad handling for ida_simple_get error path
	IB/qib: Call kobject_put() when kobject_init_and_add() fails
	ARM: dts: imx6q-bx50v3: Add internal switch
	ARM: dts/imx6q-bx50v3: Set display interface clock parents
	ARM: dts: bcm2835-rpi-zero-w: Fix led polarity
	mmc: block: Fix use-after-free issue for rpmb
	RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
	ALSA: hwdep: fix a left shifting 1 by 31 UB bug
	ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC
	exec: Always set cap_ambient in cap_bprm_set_creds
	ALSA: hda/realtek - Add new codec supported for ALC287
	libceph: ignore pool overlay and cache logic on redirects
	mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
	fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
	include/asm-generic/topology.h: guard cpumask_of_node() macro argument
	iommu: Fix reference count leak in iommu_group_alloc.
	parisc: Fix kernel panic in mem_init()
	mac80211: mesh: fix discovery timer re-arming issue / crash
	x86/dma: Fix max PFN arithmetic overflow on 32 bit systems
	copy_xstate_to_kernel(): don't leave parts of destination uninitialized
	xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
	xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
	xfrm: fix a warning in xfrm_policy_insert_list
	xfrm: fix a NULL-ptr deref in xfrm_local_error
	xfrm: fix error in comment
	vti4: eliminated some duplicate code.
	ip_vti: receive ipip packet by calling ip_tunnel_rcv
	netfilter: nft_reject_bridge: enable reject with bridge vlan
	netfilter: ipset: Fix subcounter update skip
	netfilter: nfnetlink_cthelper: unbreak userspace helper support
	netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
	esp6: get the right proto for transport mode in esp6_gso_encap
	qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
	bonding: Fix reference count leak in bond_sysfs_slave_add.
	netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
	mm/vmalloc.c: don't dereference possible NULL pointer in __vunmap()
	sc16is7xx: move label 'err_spi' to correct section
	rxrpc: Fix transport sockopts to get IPv4 errors on an IPv6 socket
	KVM: VMX: check for existence of secondary exec controls before accessing
	net: hns: fix unsigned comparison to less than zero
	net: hns: Fixes the missing put_device in positive leg for roce reset
	genirq/generic_pending: Do not lose pending affinity update
	scsi: zfcp: fix request object use-after-free in send path causing wrong traces
	Linux 4.14.183

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ib69018849fcc55dacce4a6aaaad70921bdee4cd0
2020-06-03 13:37:46 +02:00
Xin Long
4d31cb94bb xfrm: fix a NULL-ptr deref in xfrm_local_error
commit f6a23d85d078c2ffde79c66ca81d0a1dde451649 upstream.

This patch is to fix a crash:

  [ ] kasan: GPF could be caused by NULL-ptr deref or user memory access
  [ ] general protection fault: 0000 [#1] SMP KASAN PTI
  [ ] RIP: 0010:ipv6_local_error+0xac/0x7a0
  [ ] Call Trace:
  [ ]  xfrm6_local_error+0x1eb/0x300
  [ ]  xfrm_local_error+0x95/0x130
  [ ]  __xfrm6_output+0x65f/0xb50
  [ ]  xfrm6_output+0x106/0x46f
  [ ]  udp_tunnel6_xmit_skb+0x618/0xbf0 [ip6_udp_tunnel]
  [ ]  vxlan_xmit_one+0xbc6/0x2c60 [vxlan]
  [ ]  vxlan_xmit+0x6a0/0x4276 [vxlan]
  [ ]  dev_hard_start_xmit+0x165/0x820
  [ ]  __dev_queue_xmit+0x1ff0/0x2b90
  [ ]  ip_finish_output2+0xd3e/0x1480
  [ ]  ip_do_fragment+0x182d/0x2210
  [ ]  ip_output+0x1d0/0x510
  [ ]  ip_send_skb+0x37/0xa0
  [ ]  raw_sendmsg+0x1b4c/0x2b80
  [ ]  sock_sendmsg+0xc0/0x110

This occurred when sending a v4 skb over vxlan6 over ipsec, in which case
skb->protocol == htons(ETH_P_IPV6) while skb->sk->sk_family == AF_INET in
xfrm_local_error(). Then it will go to xfrm6_local_error() where it tries
to get ipv6 info from an ipv4 sk.

This issue was actually fixed by Commit 628e341f319f ("xfrm: make local
error reporting more robust"), but brought back by Commit 844d48746e4b
("xfrm: choose protocol family by skb protocol").

So to fix it, we should call xfrm6_local_error() only when skb->protocol
is htons(ETH_P_IPV6) and skb->sk->sk_family is AF_INET6.

Fixes: 844d48746e4b ("xfrm: choose protocol family by skb protocol")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-03 08:18:06 +02:00
Xin Long
1cd914b02b xfrm: fix a warning in xfrm_policy_insert_list
commit ed17b8d377eaf6b4a01d46942b4c647378a79bdd upstream.

This warning can be triggered simply by:

  # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
    priority 1 mark 0 mask 0x10  #[1]
  # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
    priority 2 mark 0 mask 0x1   #[2]
  # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
    priority 2 mark 0 mask 0x10  #[3]

Then dmesg shows:

  [ ] WARNING: CPU: 1 PID: 7265 at net/xfrm/xfrm_policy.c:1548
  [ ] RIP: 0010:xfrm_policy_insert_list+0x2f2/0x1030
  [ ] Call Trace:
  [ ]  xfrm_policy_inexact_insert+0x85/0xe50
  [ ]  xfrm_policy_insert+0x4ba/0x680
  [ ]  xfrm_add_policy+0x246/0x4d0
  [ ]  xfrm_user_rcv_msg+0x331/0x5c0
  [ ]  netlink_rcv_skb+0x121/0x350
  [ ]  xfrm_netlink_rcv+0x66/0x80
  [ ]  netlink_unicast+0x439/0x630
  [ ]  netlink_sendmsg+0x714/0xbf0
  [ ]  sock_sendmsg+0xe2/0x110

The issue was introduced by Commit 7cb8a93968e3 ("xfrm: Allow inserting
policies with matching mark and different priorities"). After that, the
policies [1] and [2] would be able to be added with different priorities.

However, policy [3] will actually match both [1] and [2]. Policy [1]
was matched due to the 1st 'return true' in xfrm_policy_mark_match(),
and policy [2] was matched due to the 2nd 'return true' in there. It
caused WARN_ON() in xfrm_policy_insert_list().

This patch is to fix it by only (the same value and priority) as the
same policy in xfrm_policy_mark_match().

Thanks to Yuehaibing, we could make this fix better.

v1->v2:
  - check policy->mark.v == pol->mark.v only without mask.

Fixes: 7cb8a93968e3 ("xfrm: Allow inserting policies with matching mark and different priorities")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-03 08:18:06 +02:00
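
The policy-matching problem described in the commit message above, as a user-space model. This is an added example, not code from the kernel tree or from the commit: the struct layout, the function names and the exact form of the pre-fix predicate are assumptions reconstructed from the message's description of two 'return true' branches, and the three policies are the ones from its `ip xfrm policy update` commands.

```c
/* User-space model of the "same policy" test; not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct policy {
    uint32_t mark_v;    /* mark value */
    uint32_t mark_m;    /* mark mask  */
    uint32_t priority;
};

typedef bool (*match_fn)(const struct policy *, const struct policy *);

/* Assumed pre-fix rule: two independent ways to count as the same policy. */
static bool mark_match_old(const struct policy *policy, const struct policy *pol)
{
    uint32_t mark = policy->mark_v & policy->mark_m;

    if (policy->mark_v == pol->mark_v && policy->mark_m == pol->mark_m)
        return true;    /* 1st 'return true': identical value and mask */
    if ((mark & pol->mark_m) == pol->mark_v &&
        policy->priority == pol->priority)
        return true;    /* 2nd 'return true': masked match, equal priority */
    return false;
}

/* Post-fix rule per the v1->v2 note: same mark value (mask ignored) and
 * same priority. */
static bool mark_match_fixed(const struct policy *policy, const struct policy *pol)
{
    return policy->mark_v == pol->mark_v && policy->priority == pol->priority;
}

/* Policies [1] and [2] from the commit message, already installed. */
static const struct policy installed[] = {
    { 0, 0x10, 1 },     /* [1] priority 1 mark 0 mask 0x10 */
    { 0, 0x1,  2 },     /* [2] priority 2 mark 0 mask 0x1  */
};
/* Policy [3], the update being inserted. */
static const struct policy update3 = { 0, 0x10, 2 };

/* Bit i is set when update3 is treated as the same policy as installed[i]. */
static unsigned match_mask(match_fn match)
{
    unsigned mask = 0;
    for (size_t i = 0; i < sizeof(installed) / sizeof(installed[0]); i++)
        if (match(&update3, &installed[i]))
            mask |= 1u << i;
    return mask;
}

unsigned match_mask_old(void)   { return match_mask(mark_match_old); }
unsigned match_mask_fixed(void) { return match_mask(mark_match_fixed); }

int main(void)
{
    /* Two bits set means one update claims two existing entries, the
     * inconsistent state that the WARN_ON() reports. */
    printf("old rule:   [3] matches mask 0x%x\n", match_mask_old());
    printf("fixed rule: [3] matches mask 0x%x\n", match_mask_fixed());
    return 0;
}
```
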
Xin Long
af0fabbf82 xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
commit a204aef9fd77dce1efd9066ca4e44eede99cd858 upstream.

A use-after-free crash can be triggered when sending big packets over
vxlan over esp with esp offload enabled:

  [] BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
  [] Call Trace:
  []  dump_stack+0x75/0xa0
  []  kasan_report+0x37/0x50
  []  ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
  []  ipv6_gso_segment+0x2c8/0x13c0
  []  skb_mac_gso_segment+0x1cb/0x420
  []  skb_udp_tunnel_segment+0x6b5/0x1c90
  []  inet_gso_segment+0x440/0x1380
  []  skb_mac_gso_segment+0x1cb/0x420
  []  esp4_gso_segment+0xae8/0x1709 [esp4_offload]
  []  inet_gso_segment+0x440/0x1380
  []  skb_mac_gso_segment+0x1cb/0x420
  []  __skb_gso_segment+0x2d7/0x5f0
  []  validate_xmit_skb+0x527/0xb10
  []  __dev_queue_xmit+0x10f8/0x2320 <---
  []  ip_finish_output2+0xa2e/0x1b50
  []  ip_output+0x1a8/0x2f0
  []  xfrm_output_resume+0x110e/0x15f0
  []  __xfrm4_output+0xe1/0x1b0
  []  xfrm4_output+0xa0/0x200
  []  iptunnel_xmit+0x5a7/0x920
  []  vxlan_xmit_one+0x1658/0x37a0 [vxlan]
  []  vxlan_xmit+0x5e4/0x3ec8 [vxlan]
  []  dev_hard_start_xmit+0x125/0x540
  []  __dev_queue_xmit+0x17bd/0x2320  <---
  []  ip6_finish_output2+0xb20/0x1b80
  []  ip6_output+0x1b3/0x390
  []  ip6_xmit+0xb82/0x17e0
  []  inet6_csk_xmit+0x225/0x3d0
  []  __tcp_transmit_skb+0x1763/0x3520
  []  tcp_write_xmit+0xd64/0x5fe0
  []  __tcp_push_pending_frames+0x8c/0x320
  []  tcp_sendmsg_locked+0x2245/0x3500
  []  tcp_sendmsg+0x27/0x40

As on the tx path of vxlan over esp, skb->inner_network_header would be
set on vxlan_xmit() and xfrm4_tunnel_encap_add(), and the latter one can
overwrite the former one. It causes skb_udp_tunnel_segment() to use a
wrong skb->inner_network_header, then the issue occurs.

This patch is to fix it by calling xfrm_output_gso() instead when the
inner_protocol is set, in which gso_segment of inner_protocol will be
done first.

While at it, also improve some code around.

Fixes: 7862b4058b9f ("esp: Add gso handlers for esp4 and esp6")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-03 08:18:06 +02:00
Xin Long
06d984ae97 xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
commit afcaf61be9d1dbdee5ec186d1dcc67b6b692180f upstream.

For beet mode, when it's ipv6 inner address with nexthdrs set,
the packet format might be:

    ----------------------------------------------------
    | outer  |     | dest |     |      |  ESP    | ESP |
    | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |
    ----------------------------------------------------

The nexthdr from ESP could be NEXTHDR_HOP(0), so it should
continue processing the packet when nexthdr returns 0 in
xfrm_input(). Otherwise, when ipv6 nexthdr is set, the
packet will be dropped.

I don't see any error cases that nexthdr may return 0. So
fix it by removing the check for nexthdr == 0.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-06-03 08:18:05 +02:00
Greg Kroah-Hartman
fae4e1d295 This is the 4.14.175 stable release

Merge 4.14.175 into android-4.14

Changes in 4.14.175
	spi: qup: call spi_qup_pm_resume_runtime before suspending
	powerpc: Include .BTF section
	ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes
	spi: pxa2xx: Add CS control clock quirk
	spi/zynqmp: remove entry that causes a cs glitch
	drm/exynos: dsi: propagate error value and silence meaningless warning
	drm/exynos: dsi: fix workaround for the legacy clock name
	drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer
	altera-stapl: altera_get_note: prevent write beyond end of 'key'
	dm bio record: save/restore bi_end_io and bi_integrity
	xenbus: req->body should be updated before req->state
	xenbus: req->err should be updated before req->state
	block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group()
	parse-maintainers: Mark as executable
	USB: Disable LPM on WD19's Realtek Hub
	usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters
	USB: serial: option: add ME910G1 ECM composition 0x110b
	usb: host: xhci-plat: add a shutdown
	USB: serial: pl2303: add device-id for HP LD381
	usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c
	ALSA: line6: Fix endless MIDI read loop
	ALSA: seq: virmidi: Fix running status after receiving sysex
	ALSA: seq: oss: Fix running status after receiving sysex
	ALSA: pcm: oss: Avoid plugin buffer overflow
	ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks
	iio: trigger: stm32-timer: disable master mode when stopping
	iio: magnetometer: ak8974: Fix negative raw values in sysfs
	mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2
	staging: rtl8188eu: Add device id for MERCUSYS MW150US v2
	staging/speakup: fix get_word non-space look-ahead
	intel_th: Fix user-visible error codes
	intel_th: pci: Add Elkhart Lake CPU support
	rtc: max8907: add missing select REGMAP_IRQ
	xhci: Do not open code __print_symbolic() in xhci trace events
	memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event
	mm: slub: be more careful about the double cmpxchg of freelist
	mm, slub: prevent kmalloc_node crashes and memory leaks
	page-flags: fix a crash at SetPageError(THP_SWAP)
	x86/mm: split vmalloc_sync_all()
	USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL
	USB: cdc-acm: fix rounding error in TIOCSSERIAL
	iio: adc: at91-sama5d2_adc: fix channel configuration for differential channels
	iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode
	kbuild: Disable -Wpointer-to-enum-cast
	futex: Fix inode life-time issue
	futex: Unbreak futex hashing
	Revert "vrf: mark skb for multicast or link-local as enslaved to VRF"
	Revert "ipv6: Fix handling of LLA with VRF and sockets bound to VRF"
	ALSA: hda/realtek: Fix pop noise on ALC225
	arm64: smp: fix smp_send_stop() behaviour
	arm64: smp: fix crash_smp_send_stop() behaviour
	drm/bridge: dw-hdmi: fix AVI frame colorimetry
	staging: greybus: loopback_test: fix potential path truncation
	staging: greybus: loopback_test: fix potential path truncations
	Revert "drm/dp_mst: Skip validating ports during destruction, just ref"
	hsr: fix general protection fault in hsr_addr_is_self()
	macsec: restrict to ethernet devices
	net: dsa: Fix duplicate frames flooded by learning
	net: mvneta: Fix the case where the last poll did not process all rx
	net/packet: tpacket_rcv: avoid a producer race condition
	net: qmi_wwan: add support for ASKEY WWHC050
	net_sched: cls_route: remove the right filter from hashtable
	net_sched: keep alloc_hash updated after hash allocation
	net: stmmac: dwmac-rk: fix error path in rk_gmac_probe
	NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()
	slcan: not call free_netdev before rtnl_unlock in slcan_open
	bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets()
	net: dsa: mt7530: Change the LINK bit to reflect the link status
	vxlan: check return value of gro_cells_init()
	hsr: use rcu_read_lock() in hsr_get_node_{list/status}()
	hsr: add restart routine into hsr_get_node_list()
	hsr: set .netnsok flag
	net: ipv4: don't let PMTU updates increase route MTU
	cgroup-v1: cgroup_pidlist_next should update position index
	cpupower: avoid multiple definition with gcc -fno-common
	drivers/of/of_mdio.c:fix of_mdiobus_register()
	cgroup1: don't call release_agent when it is ""
	dt-bindings: net: FMan erratum A050385
	arm64: dts: ls1043a: FMan erratum A050385
	fsl/fman: detect FMan erratum A050385
	scsi: ipr: Fix softlockup when rescanning devices in petitboot
	mac80211: Do not send mesh HWMP PREQ if HWMP is disabled
	dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom
	sxgbe: Fix off by one in samsung driver strncpy size arg
	arm64: ptrace: map SPSR_ELx<->PSR for compat tasks
	arm64: compat: map SPSR_ELx<->PSR for signals
	ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare()
	i2c: hix5hd2: add missed clk_disable_unprepare in remove
	Input: synaptics - enable RMI on HP Envy 13-ad105ng
	Input: avoid BIT() macro usage in the serio.h UAPI header
	ARM: dts: dra7: Add bus_dma_limit for L3 bus
	ARM: dts: omap5: Add bus_dma_limit for L3 bus
	perf probe: Do not depend on dwfl_module_addrsym()
	tools: Let O= makes handle a relative path with -C option
	scripts/dtc: Remove redundant YYLOC global declaration
	scsi: sd: Fix optimal I/O size for devices that change reported values
	mac80211: mark station unauthorized before key removal
	gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk
	gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option
	gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model
	RDMA/core: Ensure security pkey modify is not lost
	genirq: Fix reference leaks on irq affinity notifiers
	xfrm: handle NETDEV_UNREGISTER for xfrm device
	vti[6]: fix packet tx through bpf_redirect() in XinY cases
	RDMA/mlx5: Block delay drop to unprivileged users
	xfrm: fix uctx len check in verify_sec_ctx_len
	xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
	xfrm: policy: Fix doulbe free in xfrm_policy_timer
	netfilter: nft_fwd_netdev: validate family and chain type
	vti6: Fix memory leak of skb if input policy check fails
	Input: raydium_i2c_ts - use true and false for boolean values
	Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger()
	afs: Fix some tracing details
	USB: serial: option: add support for ASKEY WWHC050
	USB: serial: option: add BroadMobi BM806U
	USB: serial: option: add Wistron Neweb D19Q1
	USB: cdc-acm: restore capability check order
	USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback
	usb: musb: fix crash with highmen PIO and usbmon
	media: flexcop-usb: fix endpoint sanity check
	media: usbtv: fix control-message timeouts
	staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table
	staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb
	staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback
	libfs: fix infoleak in simple_attr_read()
	media: ov519: add missing endpoint sanity checks
	media: dib0700: fix rc endpoint lookup
	media: stv06xx: add missing descriptor sanity checks
	media: xirlink_cit: add missing descriptor sanity checks
	mac80211: Check port authorization in the ieee80211_tx_dequeue() case
	mac80211: fix authentication with iwlwifi/mvm
	vt: selection, introduce vc_is_sel
	vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines
	vt: switch vt_dont_switch to bool
	vt: vt_ioctl: remove unnecessary console allocation checks
	vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
	vt: vt_ioctl: fix use-after-free in vt_in_use()
	platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table
	bpf: Explicitly memset the bpf_attr structure
	bpf: Explicitly memset some bpf info structures declared on the stack
	gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model
	net: ks8851-ml: Fix IO operations, again
	arm64: alternative: fix build with clang integrated assembler
	perf map: Fix off by one in strncpy() size argument
	ARM: dts: oxnas: Fix clear-mask property
	ARM: bcm2835-rpi-zero-w: Add missing pinctrl name
	arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id
	arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode
	Linux 4.14.175

Change-Id: If2c2cb5b3745ed6fbc5cb77737cfb1758fea4cb9
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2020-04-03 08:18:27 +02:00
YueHaibing
dc0ea9b710 xfrm: policy: Fix doulbe free in xfrm_policy_timer
commit 4c59406ed00379c8663f8663d82b2537467ce9d7 upstream.

After xfrm_add_policy add a policy, its ref is 2, then

                             xfrm_policy_timer
                               read_lock
                               xp->walk.dead is 0
                               ....
                               mod_timer()
xfrm_policy_kill
  policy->walk.dead = 1
  ....
  del_timer(&policy->timer)
    xfrm_pol_put //ref is 1
  xfrm_pol_put  //ref is 0
    xfrm_policy_destroy
      call_rcu
                                 xfrm_pol_hold //ref is 1
                               read_unlock
                               xfrm_pol_put //ref is 0
                                 xfrm_policy_destroy
                                  call_rcu

xfrm_policy_destroy is called twice, which may lead to
double free.

Call Trace:
RIP: 0010:refcount_warn_saturate+0x161/0x210
...
 xfrm_policy_timer+0x522/0x600
 call_timer_fn+0x1b3/0x5e0
 ? __xfrm_decode_session+0x2990/0x2990
 ? msleep+0xb0/0xb0
 ? _raw_spin_unlock_irq+0x24/0x40
 ? __xfrm_decode_session+0x2990/0x2990
 ? __xfrm_decode_session+0x2990/0x2990
 run_timer_softirq+0x5c5/0x10e0

Fix this by using write_lock_bh in xfrm_policy_kill.

Fixes: ea2dea9dacc2 ("xfrm: remove policy lock when accessing policy->walk.dead")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Timo Teräs <timo.teras@iki.fi>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-02 16:34:32 +02:00
Xin Long
25106012e9 xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
commit a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 upstream.

Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by
syz:

  BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
  Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650

  Call Trace:
   dump_stack+0xe8/0x16e
   print_address_description.cold.3+0x9/0x23b
   kasan_report.cold.4+0x64/0x95
   memcpy+0x1f/0x50
   selinux_xfrm_alloc_user+0x237/0x430
   security_xfrm_policy_alloc+0x5c/0xb0
   xfrm_policy_construct+0x2b1/0x650
   xfrm_add_acquire+0x21d/0xa10
   xfrm_user_rcv_msg+0x431/0x6f0
   netlink_rcv_skb+0x15a/0x410
   xfrm_netlink_rcv+0x6d/0x90
   netlink_unicast+0x50e/0x6a0
   netlink_sendmsg+0x8ae/0xd40
   sock_sendmsg+0x133/0x170
   ___sys_sendmsg+0x834/0x9a0
   __sys_sendmsg+0x100/0x1e0
   do_syscall_64+0xe5/0x660
   entry_SYSCALL_64_after_hwframe+0x6a/0xdf

So fix it by adding the missing verify_sec_ctx_len check there.

Fixes: 980ebd25794f ("[IPSEC]: Sync series - acquire insert")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-02 16:34:32 +02:00
Xin Long
c91b46394b xfrm: fix uctx len check in verify_sec_ctx_len
commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream.

It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
later.

This patch is to fix it by returning -EINVAL when uctx->len > nla_len(rt).

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-02 16:34:32 +02:00
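
The length validation discussed in the two commit messages above (the missing check in xfrm_add_acquire and the uctx len check in verify_sec_ctx_len), as a user-space model. This is an added example, not the kernel's code: the function names and the sample payloads are constructed, `payload_len` stands in for nla_len(rt), and the header layout is modelled on struct xfrm_user_sec_ctx.

```c
/* User-space model of the security-context length check; not kernel code. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header that precedes ctx_str inside the attribute payload. */
struct sec_ctx_hdr {
    uint16_t len;       /* claimed total size: header + ctx_len */
    uint16_t exttype;
    uint8_t  ctx_alg;
    uint8_t  ctx_doi;
    uint16_t ctx_len;   /* claimed size of the string after the header */
};

/* The model requires at least a full header so reading it stays in bounds. */
static int read_hdr(const uint8_t *payload, size_t payload_len,
                    struct sec_ctx_hdr *h)
{
    if (payload_len < sizeof(*h))
        return -EINVAL;
    memcpy(h, payload, sizeof(*h));
    return 0;
}

/* Pre-fix check: the header only has to agree with itself. */
static int verify_old(const uint8_t *payload, size_t payload_len)
{
    struct sec_ctx_hdr h;
    if (read_hdr(payload, payload_len, &h))
        return -EINVAL;
    if ((size_t)h.len != sizeof(h) + h.ctx_len)
        return -EINVAL;
    return 0;
}

/* Post-fix check: the claimed size must also fit in the attribute. */
static int verify_fixed(const uint8_t *payload, size_t payload_len)
{
    struct sec_ctx_hdr h;
    if (read_hdr(payload, payload_len, &h))
        return -EINVAL;
    if ((size_t)h.len > payload_len ||
        (size_t)h.len != sizeof(h) + h.ctx_len)
        return -EINVAL;
    return 0;
}

/* Bytes beyond the attribute that a consumer copying ctx_len bytes of
 * ctx_str would read. Computed from the header only; nothing is read. */
static size_t overrun_bytes(const uint8_t *payload, size_t payload_len)
{
    struct sec_ctx_hdr h;
    if (read_hdr(payload, payload_len, &h))
        return 0;
    size_t end = sizeof(h) + h.ctx_len;
    return end > payload_len ? end - payload_len : 0;
}

enum sample { SAMPLE_VALID, SAMPLE_OVERSIZED, SAMPLE_INCONSISTENT };

/* Constructed payloads: every sample really carries header + 4 bytes. */
static size_t build_sample(enum sample s, uint8_t buf[16])
{
    struct sec_ctx_hdr h = {0};
    memset(buf, 0, 16);
    switch (s) {
    case SAMPLE_VALID:          /* claims exactly what was sent */
        h.ctx_len = 4;   h.len = (uint16_t)(sizeof(h) + 4);   break;
    case SAMPLE_OVERSIZED:      /* self-consistent, larger than payload */
        h.ctx_len = 768; h.len = (uint16_t)(sizeof(h) + 768); break;
    case SAMPLE_INCONSISTENT:   /* len and ctx_len disagree */
        h.ctx_len = 100; h.len = (uint16_t)(sizeof(h) + 4);   break;
    }
    memcpy(buf, &h, sizeof(h));
    memcpy(buf + sizeof(h), "ctx", 4);
    return sizeof(h) + 4;
}

int run_old(enum sample s)
{ uint8_t b[16]; size_t n = build_sample(s, b); return verify_old(b, n); }
int run_fixed(enum sample s)
{ uint8_t b[16]; size_t n = build_sample(s, b); return verify_fixed(b, n); }
size_t run_overrun(enum sample s)
{ uint8_t b[16]; size_t n = build_sample(s, b); return overrun_bytes(b, n); }

int main(void)
{
    static const char *names[] = { "valid", "oversized", "inconsistent" };
    for (int s = SAMPLE_VALID; s <= SAMPLE_INCONSISTENT; s++)
        printf("%-12s old=%d fixed=%d overrun=%zu\n", names[s],
               run_old((enum sample)s), run_fixed((enum sample)s),
               run_overrun((enum sample)s));
    return 0;
}
```
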
Raed Salem
a6001a0709 xfrm: handle NETDEV_UNREGISTER for xfrm device
commit 03891f820c2117b19e80b370281eb924a09cf79f upstream.

This patch is to handle the asynchronous unregister
device event so the device IPsec offload resources
could be cleanly released.

Fixes: e4db5b61c572 ("xfrm: policy: remove pcpu policy cache")
Signed-off-by: Raed Salem <raeds@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-02 16:34:31 +02:00
Greg Kroah-Hartman
f960b38ecc This is the 4.14.159 stable release

Merge 4.14.159 into android-4.14

Changes in 4.14.159
	rsi: release skb if rsi_prepare_beacon fails
	arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator
	usb: gadget: u_serial: add missing port entry locking
	tty: serial: fsl_lpuart: use the sg count from dma_map_sg
	tty: serial: msm_serial: Fix flow control
	serial: pl011: Fix DMA ->flush_buffer()
	serial: serial_core: Perform NULL checks for break_ctl ops
	serial: ifx6x60: add missed pm_runtime_disable
	autofs: fix a leak in autofs_expire_indirect()
	RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
	iwlwifi: pcie: don't consider IV len in A-MSDU
	exportfs_decode_fh(): negative pinned may become positive without the parent locked
	audit_get_nd(): don't unlock parent too early
	NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
	xfrm: release device reference for invalid state
	Input: cyttsp4_core - fix use after free bug
	sched/core: Avoid spurious lock dependencies
	ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
	rsxx: add missed destroy_workqueue calls in remove
	net: ep93xx_eth: fix mismatch of request_mem_region in remove
	i2c: core: fix use after free in of_i2c_notify
	serial: core: Allow processing sysrq at port unlock time
	cxgb4vf: fix memleak in mac_hlist initialization
	iwlwifi: mvm: synchronize TID queue removal
	iwlwifi: mvm: Send non offchannel traffic via AP sta
	ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+
	net/mlx5: Release resource on error flow
	clk: sunxi-ng: a64: Fix gate bit of DSI DPHY
	dlm: fix possible call to kfree() for non-initialized pointer
	extcon: max8997: Fix lack of path setting in USB device mode
	net: ethernet: ti: cpts: correct debug for expired txq skb
	rtc: s3c-rtc: Avoid using broken ALMYEAR register
	i40e: don't restart nway if autoneg not supported
	clk: rockchip: fix rk3188 sclk_smc gate data
	clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering
	ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name
	dlm: fix missing idr_destroy for recover_idr
	MIPS: SiByte: Enable ZONE_DMA32 for LittleSur
	net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2
	scsi: zfcp: drop default switch case which might paper over missing case
	crypto: ecc - check for invalid values in the key verification test
	crypto: bcm - fix normal/non key hash algorithm failure
	pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues
	Staging: iio: adt7316: Fix i2c data reading, set the data field
	mm/vmstat.c: fix NUMA statistics updates
	clk: rockchip: fix I2S1 clock gate register for rk3328
	clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328
	regulator: Fix return value of _set_load() stub
	net-next/hinic:fix a bug in set mac address
	iomap: sub-block dio needs to zeroout beyond EOF
	MIPS: OCTEON: octeon-platform: fix typing
	net/smc: use after free fix in smc_wr_tx_put_slot()
	math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning
	rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()'
	rtc: dt-binding: abx80x: fix resistance scale
	ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module
	media: pulse8-cec: return 0 when invalidating the logical address
	media: cec: report Vendor ID after initialization
	dmaengine: coh901318: Fix a double-lock bug
	dmaengine: coh901318: Remove unused variable
	dmaengine: dw-dmac: implement dma protection control setting
	usb: dwc3: debugfs: Properly print/set link state for HS
	usb: dwc3: don't log probe deferrals; but do log other error codes
	ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion()
	f2fs: fix count of seg_freed to make sec_freed correct
	f2fs: change segment to section in f2fs_ioc_gc_range
	ARM: dts: rockchip: Fix the PMU interrupt number for rv1108
	ARM: dts: rockchip: Assign the proper GPIO clocks for rv1108
	f2fs: fix to allow node segment for GC by ioctl path
	sparc: Correct ctx->saw_frame_pointer logic.
	dma-mapping: fix return type of dma_set_max_seg_size()
	altera-stapl: check for a null key before strcasecmp'ing it
	serial: imx: fix error handling in console_setup
	i2c: imx: don't print error message on probe defer
	lockd: fix decoding of TEST results
	ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()
	ARM: dts: sun5i: a10s: Fix HDMI output DTC warning
	ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning
	dlm: NULL check before kmem_cache_destroy is not needed
	ARM: debug: enable UART1 for socfpga Cyclone5
	nfsd: fix a warning in __cld_pipe_upcall()
	ASoC: au8540: use 64-bit arithmetic instead of 32-bit
	ARM: OMAP1/2: fix SoC name printing
	arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names
	arm64: dts: meson-gxbb-nanopi-k2: fix GPIO lines names
	arm64: dts: meson-gxbb-odroidc2: fix GPIO lines names
	arm64: dts: meson-gxl-khadas-vim: fix GPIO lines names
	net/x25: fix called/calling length calculation in x25_parse_address_block
	net/x25: fix null_x25_address handling
	ARM: dts: mmp2: fix the gpio interrupt cell number
	ARM: dts: realview-pbx: Fix duplicate regulator nodes
	tcp: fix off-by-one bug on aborting window-probing socket
	tcp: fix SNMP under-estimation on failed retransmission
	tcp: fix SNMP TCP timeout under-estimation
	modpost: skip ELF local symbols during section mismatch check
	kbuild: fix single target build for external module
	mtd: fix mtd_oobavail() incoherent returned value
	ARM: dts: pxa: clean up USB controller nodes
	clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent
	ARM: dts: realview: Fix some more duplicate regulator nodes
	dlm: fix invalid cluster name warning
	net/mlx4_core: Fix return codes of unsupported operations
	pstore/ram: Avoid NULL deref in ftrace merging failure path
	powerpc/math-emu: Update macros from GCC
	clk: renesas: r8a77995: Correct parent clock of DU
	MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition
	nfsd: Return EPERM, not EACCES, in some SETATTR cases
	tty: Don't block on IO when ldisc change is pending
	media: stkwebcam: Bugfix for wrong return values
	firmware: qcom: scm: fix compilation error when disabled
	mlxsw: spectrum_router: Relax GRE decap matching check
	IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state
	IB/hfi1: Close VNIC sdma_progress sleep window
	mlx4: Use snprintf instead of complicated strcpy
	usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler
	ARM: dts: sunxi: Fix PMU compatible strings
	media: vimc: fix start stream when link is disabled
	net: aquantia: fix RSS table and key sizes
	tcp: exit if nothing to retransmit on RTO timeout
	sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
	fuse: verify nlink
	fuse: verify attributes
	ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
	ALSA: pcm: oss: Avoid potential buffer overflows
	ALSA: hda - Add mute led support for HP ProBook 645 G4
	Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
	Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
	Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers
	Input: goodix - add upside-down quirk for Teclast X89 tablet
	coresight: etm4x: Fix input validation for sysfs.
	Input: Fix memory leak in psxpad_spi_probe
	x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
	CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
	CIFS: Fix SMB2 oplock break processing
	tty: vt: keyboard: reject invalid keycodes
	can: slcan: Fix use-after-free Read in slcan_open
	kernfs: fix ino wrap-around detection
	jbd2: Fix possible overflow in jbd2_log_space_left()
	drm/i810: Prevent underflow in ioctl
	KVM: arm/arm64: vgic: Don't rely on the wrong pending table
	KVM: x86: do not modify masked bits of shared MSRs
	KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
	crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
	crypto: af_alg - cast ki_complete ternary op to int
	crypto: ccp - fix uninitialized list head
	crypto: ecdh - fix big endian bug in ECC library
	crypto: user - fix memory leak in crypto_report
	spi: atmel: Fix CS high support
	RDMA/qib: Validate ->show()/store() callbacks before calling them
	iomap: Fix pipe page leakage during splicing
	thermal: Fix deadlock in thermal thermal_zone_device_check
	binder: Handle start==NULL in binder_update_page_range()
	ASoC: rsnd: fixup MIX kctrl registration
	KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
	appletalk: Fix potential NULL pointer dereference in unregister_snap_client
	appletalk: Set error code if register_snap_client failed
	usb: gadget: configfs: Fix missing spin_lock_init()
	usb: gadget: pch_udc: fix use after free
	scsi: qla2xxx: Fix driver unload hang
	media: venus: remove invalid compat_ioctl32 handler
	USB: uas: honor flag to avoid CAPACITY16
	USB: uas: heed CAPACITY_HEURISTICS
	USB: documentation: flags on usb-storage versus UAS
	usb: Allow USB device to be warm reset in suspended state
	staging: rtl8188eu: fix interface sanity check
	staging: rtl8712: fix interface sanity check
	staging: gigaset: fix general protection fault on probe
	staging: gigaset: fix illegal free on probe errors
	staging: gigaset: add endpoint-type sanity check
	usb: xhci: only set D3hot for pci device
	xhci: Increase STS_HALT timeout in xhci_suspend()
	xhci: handle some XHCI_TRUST_TX_LENGTH quirks cases as default behaviour.
	ARM: dts: pandora-common: define wl1251 as child node of mmc3
	iio: humidity: hdc100x: fix IIO_HUMIDITYRELATIVE channel reporting
	USB: atm: ueagle-atm: add missing endpoint check
	USB: idmouse: fix interface sanity checks
	USB: serial: io_edgeport: fix epic endpoint lookup
	USB: adutux: fix interface sanity check
	usb: core: urb: fix URB structure initialization function
	usb: mon: Fix a deadlock in usbmon between mmap and read
	tpm: add check after commands attribs tab allocation
	mtd: spear_smi: Fix Write Burst mode
	virtio-balloon: fix managed page counts when migrating pages between zones
	usb: dwc3: ep0: Clear started flag on completion
	btrfs: check page->mapping when loading free space cache
	btrfs: use refcount_inc_not_zero in kill_all_nodes
	Btrfs: fix negative subv_writers counter and data space leak after buffered write
	btrfs: Remove btrfs_bio::flags member
	Btrfs: send, skip backreference walking for extents with many references
	btrfs: record all roots for rename exchange on a subvol
	rtlwifi: rtl8192de: Fix missing code to retrieve RX buffer address
	rtlwifi: rtl8192de: Fix missing callback that tests for hw release of buffer
	rtlwifi: rtl8192de: Fix missing enable interrupt flag
	lib: raid6: fix awk build warnings
	ovl: relax WARN_ON() on rename to self
	ALSA: hda - Fix pending unsol events at shutdown
	md/raid0: Fix an error message in raid0_make_request()
	watchdog: aspeed: Fix clock behaviour for ast2600
	hwrng: omap - Fix RNG wait loop timeout
	dm zoned: reduce overhead of backing device checks
	workqueue: Fix spurious sanity check failures in destroy_workqueue()
	workqueue: Fix pwq ref leak in rescuer_thread()
	ASoC: Jack: Fix NULL pointer dereference in snd_soc_jack_report
	blk-mq: avoid sysfs buffer overflow with too many CPU cores
	cgroup: pids: use atomic64_t for pids->limit
	ar5523: check NULL before memcpy() in ar5523_cmd()
	s390/mm: properly clear _PAGE_NOEXEC bit when it is not supported
	media: bdisp: fix memleak on release
	media: radio: wl1273: fix interrupt masking on release
	media: cec.h: CEC_OP_REC_FLAG_ values were swapped
	cpuidle: Do not unset the driver if it is there already
	intel_th: Fix a double put_device() in error path
	intel_th: pci: Add Ice Lake CPU support
	intel_th: pci: Add Tiger Lake CPU support
	PM / devfreq: Lock devfreq in trans_stat_show
	cpufreq: powernv: fix stack bloat and hard limit on number of CPUs
	ACPI: OSL: only free map once in osl.c
	ACPI: bus: Fix NULL pointer check in acpi_bus_get_private_data()
	ACPI: PM: Avoid attaching ACPI PM domain to certain devices
	pinctrl: samsung: Add of_node_put() before return in error path
	pinctrl: samsung: Fix device node refcount leaks in S3C24xx wakeup controller init
	pinctrl: samsung: Fix device node refcount leaks in init code
	pinctrl: samsung: Fix device node refcount leaks in S3C64xx wakeup controller init
	mmc: host: omap_hsmmc: add code for special init of wl1251 to get rid of pandora_wl1251_init_card
	ARM: dts: omap3-tao3530: Fix incorrect MMC card detection GPIO polarity
	ppdev: fix PPGETTIME/PPSETTIME ioctls
	powerpc: Allow 64bit VDSO __kernel_sync_dicache to work across ranges >4GB
	powerpc/xive: Prevent page fault issues in the machine crash handler
	powerpc: Allow flush_icache_range to work across ranges >4GB
	powerpc/xive: Skip ioremap() of ESB pages for LSI interrupts
	video/hdmi: Fix AVI bar unpack
	quota: Check that quota is not dirty before release
	ext2: check err when partial != NULL
	quota: fix livelock in dquot_writeback_dquots
	ext4: Fix credit estimate for final inode freeing
	reiserfs: fix extended attributes on the root directory
	block: fix single range discard merge
	scsi: zfcp: trace channel log even for FCP command responses
	scsi: qla2xxx: Fix DMA unmap leak
	scsi: qla2xxx: Fix session lookup in qlt_abort_work()
	scsi: qla2xxx: Fix qla24xx_process_bidir_cmd()
	scsi: qla2xxx: Always check the qla2x00_wait_for_hba_online() return value
	scsi: qla2xxx: Fix message indicating vectors used by driver
	xhci: Fix memory leak in xhci_add_in_port()
	xhci: make sure interrupts are restored to correct state
	iio: adis16480: Add debugfs_reg_access entry
	phy: renesas: rcar-gen3-usb2: Fix sysfs interface of "role"
	omap: pdata-quirks: remove openpandora quirks for mmc3 and wl1251
	scsi: lpfc: Cap NPIV vports to 256
	scsi: lpfc: Correct code setting non existent bits in sli4 ABORT WQE
	drbd: Change drbd_request_detach_interruptible's return type to int
	e100: Fix passing zero to 'PTR_ERR' warning in e100_load_ucode_wait
	x86/MCE/AMD: Turn off MC4_MISC thresholding on all family 0x15 models
	x86/MCE/AMD: Carve out the MC4_MISC thresholding quirk
	power: supply: cpcap-battery: Fix signed counter sample register
	mlxsw: spectrum_router: Refresh nexthop neighbour when it becomes dead
	media: vimc: fix component match compare
	ath10k: fix fw crash by moving chip reset after napi disabled
	powerpc: Avoid clang warnings around setjmp and longjmp
	powerpc: Fix vDSO clock_getres()
	ext4: work around deleting a file with i_nlink == 0 safely
	firmware: qcom: scm: Ensure 'a0' status code is treated as signed
	mm/shmem.c: cast the type of unmap_start to u64
	ext4: fix a bug in ext4_wait_for_tail_page_commit
	mfd: rk808: Fix RK818 ID template
	blk-mq: make sure that line break can be printed
	workqueue: Fix missing kfree(rescuer) in destroy_workqueue()
	sunrpc: fix crash when cache_head become valid before update
	net/mlx5e: Fix SFF 8472 eeprom length
	gfs2: fix glock reference problem in gfs2_trans_remove_revoke
	kernel/module.c: wakeup processes in module_wq on module unload
	gpiolib: acpi: Add Terra Pad 1061 to the run_edge_events_on_boot_blacklist
	raid5: need to set STRIPE_HANDLE for batch head
	of: unittest: fix memory leak in attach_node_and_children
	Linux 4.14.159

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-12-17 21:13:36 +01:00
Xiaodong Xu
3bbb8eec91 xfrm: release device reference for invalid state
[ Upstream commit 4944a4b1077f74d89073624bd286219d2fcbfce3 ]

An ESP packet could be decrypted in async mode if the input handler for
this packet returns -EINPROGRESS in xfrm_input(). At this moment the device
reference in skb is held. Later xfrm_input() will be invoked again to
resume the processing.
If the transform state is still valid it would continue to release the
device reference and there won't be a problem; however if the transform
state is not valid when async resumption happens, the packet will be
dropped while the device reference is still being held.
When the device is deleted for some reason and the reference to this
device is not properly released, the kernel will keep logging like:

unregister_netdevice: waiting for ppp2 to become free. Usage count = 1

The issue is observed when running IPsec traffic over a PPPoE device based
on a bridge interface. By terminating the PPPoE connection on the server
end multiple times, the PPPoE device on the client side will eventually
get stuck on the above warning message.

This patch will check the async mode first and continue to release device
reference in async resumption, before it is dropped due to invalid state.

v2: Do not assign address family from outer_mode in the transform if the
state is invalid

v3: Release device reference in the error path instead of jumping to resume

Fixes: 4ce3dbe397d7b ("xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)")
Signed-off-by: Xiaodong Xu <stid.smth@gmail.com>
Reported-by: Bo Chen <chenborfc@163.com>
Tested-by: Bo Chen <chenborfc@163.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-12-17 20:37:28 +01:00
Greg Kroah-Hartman
84afceb668 This is the 4.14.158 stable release

Merge 4.14.158 into android-4.14

Changes in 4.14.158
	Revert "KVM: nVMX: reset cache/shadows when switching loaded VMCS"
	clk: meson: gxbb: let sar_adc_clk_div set the parent clock rate
	ASoC: msm8916-wcd-analog: Fix RX1 selection in RDAC2 MUX
	ASoC: compress: fix unsigned integer overflow check
	reset: Fix memory leak in reset_control_array_put()
	ASoC: kirkwood: fix external clock probe defer
	clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume
	reset: fix reset_control_ops kerneldoc comment
	clk: at91: avoid sleeping early
	clk: sunxi-ng: a80: fix the zero'ing of bits 16 and 18
	idr: Fix idr_alloc_u32 on 32-bit systems
	x86/resctrl: Prevent NULL pointer dereference when reading mondata
	clk: ti: dra7-atl-clock: Remove ti_clk_add_alias call
	net: fec: add missed clk_disable_unprepare in remove
	bridge: ebtables: don't crash when using dnat target in output chains
	can: peak_usb: report bus recovery as well
	can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open
	can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak
	can: rx-offload: can_rx_offload_offload_one(): do not increase the skb_queue beyond skb_queue_len_max
	can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM
	can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors
	can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error
	can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error
	watchdog: meson: Fix the wrong value of left time
	scripts/gdb: fix debugging modules compiled with hot/cold partitioning
	net: bcmgenet: reapply manual settings to the PHY
	ceph: return -EINVAL if given fsc mount option on kernel w/o support
	mac80211: fix station inactive_time shortly after boot
	block: drbd: remove a stray unlock in __drbd_send_protocol()
	pwm: bcm-iproc: Prevent unloading the driver module while in use
	scsi: lpfc: Fix kernel Oops due to null pring pointers
	scsi: lpfc: Fix dif and first burst use in write commands
	ARM: dts: Fix up SQ201 flash access
	ARM: debug-imx: only define DEBUG_IMX_UART_PORT if needed
	ARM: dts: imx53-voipac-dmm-668: Fix memory node duplication
	parisc: Fix serio address output
	parisc: Fix HP SDC hpa address output
	arm64: mm: Prevent mismatched 52-bit VA support
	arm64: smp: Handle errors reported by the firmware
	ARM: OMAP1: fix USB configuration for device-only setups
	RDMA/vmw_pvrdma: Use atomic memory allocation in create AH
	PM / AVS: SmartReflex: NULL check before some freeing functions is not needed
	ARM: ks8695: fix section mismatch warning
	ACPI / LPSS: Ignore acpi_device_fix_up_power() return value
	scsi: lpfc: Enable Management features for IF_TYPE=6
	crypto: user - support incremental algorithm dumps
	mwifiex: fix potential NULL dereference and use after free
	mwifiex: debugfs: correct histogram spacing, formatting
	rtl818x: fix potential use after free
	xfs: require both realtime inodes to mount
	ubi: Put MTD device after it is not used
	ubi: Do not drop UBI device reference before using
	microblaze: adjust the help to the real behavior
	microblaze: move "... is ready" messages to arch/microblaze/Makefile
	iwlwifi: move iwl_nvm_check_version() into dvm
	gpiolib: Fix return value of gpio_to_desc() stub if !GPIOLIB
	kvm: vmx: Set IA32_TSC_AUX for legacy mode guests
	VSOCK: bind to random port for VMADDR_PORT_ANY
	mmc: meson-gx: make sure the descriptor is stopped on errors
	mtd: rawnand: sunxi: Write pageprog related opcodes to WCMD_SET
	btrfs: only track ref_heads in delayed_ref_updates
	HID: intel-ish-hid: fixes incorrect error handling
	serial: 8250: Rate limit serial port rx interrupts during input overruns
	kprobes/x86/xen: blacklist non-attachable xen interrupt functions
	xen/pciback: Check dev_data before using it
	vfio-mdev/samples: Use u8 instead of char for handle functions
	pinctrl: xway: fix gpio-hog related boot issues
	net/mlx5: Continue driver initialization despite debugfs failure
	exofs_mount(): fix leaks on failure exits
	bnxt_en: Return linux standard errors in bnxt_ethtool.c
	bnxt_en: query force speeds before disabling autoneg mode.
	KVM: s390: unregister debug feature on failing arch init
	pinctrl: sh-pfc: sh7264: Fix PFCR3 and PFCR0 register configuration
	pinctrl: sh-pfc: sh7734: Fix shifted values in IPSR10
	HID: doc: fix wrong data structure reference for UHID_OUTPUT
	dm flakey: Properly corrupt multi-page bios.
	gfs2: take jdata unstuff into account in do_grow
	xfs: Align compat attrlist_by_handle with native implementation.
	xfs: Fix bulkstat compat ioctls on x32 userspace.
	IB/qib: Fix an error code in qib_sdma_verbs_send()
	clocksource/drivers/fttmr010: Fix invalid interrupt register access
	vxlan: Fix error path in __vxlan_dev_create()
	powerpc/book3s/32: fix number of bats in p/v_block_mapped()
	powerpc/xmon: fix dump_segments()
	drivers/regulator: fix a missing check of return value
	Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading
	serial: max310x: Fix tx_empty() callback
	openrisc: Fix broken paths to arch/or32
	RDMA/srp: Propagate ib_post_send() failures to the SCSI mid-layer
	scsi: qla2xxx: deadlock by configfs_depend_item
	scsi: csiostor: fix incorrect dma device in case of vport
	ath6kl: Only use match sets when firmware supports it
	ath6kl: Fix off by one error in scan completion
	powerpc/perf: Fix unit_sel/cache_sel checks
	powerpc/prom: fix early DEBUG messages
	powerpc/mm: Make NULL pointer deferences explicit on bad page faults.
	powerpc/44x/bamboo: Fix PCI range
	vfio/spapr_tce: Get rid of possible infinite loop
	powerpc/powernv/eeh/npu: Fix uninitialized variables in opal_pci_eeh_freeze_status
	drbd: ignore "all zero" peer volume sizes in handshake
	drbd: reject attach of unsuitable uuids even if connected
	drbd: do not block when adjusting "disk-options" while IO is frozen
	drbd: fix print_st_err()'s prototype to match the definition
	IB/rxe: Make counters thread safe
	regulator: tps65910: fix a missing check of return value
	powerpc/83xx: handle machine check caused by watchdog timer
	powerpc/pseries: Fix node leak in update_lmb_associativity_index()
	crypto: mxc-scc - fix build warnings on ARM64
	pwm: clps711x: Fix period calculation
	net/netlink_compat: Fix a missing check of nla_parse_nested
	net/net_namespace: Check the return value of register_pernet_subsys()
	f2fs: fix to dirty inode synchronously
	um: Make GCOV depend on !KCOV
	net: (cpts) fix a missing check of clk_prepare
	net: stmicro: fix a missing check of clk_prepare
	net: dsa: bcm_sf2: Propagate error value from mdio_write
	atl1e: checking the status of atl1e_write_phy_reg
	tipc: fix a missing check of genlmsg_put
	net/wan/fsl_ucc_hdlc: Avoid double free in ucc_hdlc_probe()
	ocfs2: clear journal dirty flag after shutdown journal
	vmscan: return NODE_RECLAIM_NOSCAN in node_reclaim() when CONFIG_NUMA is n
	lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk
	lib/genalloc.c: use vzalloc_node() to allocate the bitmap
	fork: fix some -Wmissing-prototypes warnings
	drivers/base/platform.c: kmemleak ignore a known leak
	lib/genalloc.c: include vmalloc.h
	mtd: Check add_mtd_device() ret code
	tipc: fix memory leak in tipc_nl_compat_publ_dump
	net/core/neighbour: tell kmemleak about hash tables
	PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity()
	net/core/neighbour: fix kmemleak minimal reference count for hash tables
	serial: 8250: Fix serial8250 initialization crash
	gpu: ipu-v3: pre: don't trigger update if buffer address doesn't change
	sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe
	ip_tunnel: Make none-tunnel-dst tunnel port work with lwtunnel
	decnet: fix DN_IFREQ_SIZE
	net/smc: prevent races between smc_lgr_terminate() and smc_conn_free()
	blktrace: Show requests without sector
	tipc: fix skb may be leaky in tipc_link_input
	sfc: initialise found bitmap in efx_ef10_mtd_probe
	net: fix possible overflow in __sk_mem_raise_allocated()
	sctp: don't compare hb_timer expire date before starting it
	bpf: decrease usercnt if bpf_map_new_fd() fails in bpf_map_get_fd_by_id()
	net: dev: Use unsigned integer as an argument to left-shift
	kvm: properly check debugfs dentry before using it
	bpf: drop refcount if bpf_map_new_fd() fails in map_create()
	net: hns3: Change fw error code NOT_EXEC to NOT_SUPPORTED
	iommu/amd: Fix NULL dereference bug in match_hid_uid
	apparmor: delete the dentry in aafs_remove() to avoid a leak
	scsi: libsas: Support SATA PHY connection rate unmatch fixing during discovery
	ACPI / APEI: Don't wait to serialise with oops messages when panic()ing
	ACPI / APEI: Switch estatus pool to use vmalloc memory
	scsi: libsas: Check SMP PHY control function result
	powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()
	mtd: Remove a debug trace in mtdpart.c
	mm, gup: add missing refcount overflow checks on s390
	clk: at91: fix update bit maps on CFG_MOR write
	clk: at91: generated: set audio_pll_allowed in at91_clk_register_generated()
	staging: rtl8192e: fix potential use after free
	staging: rtl8723bs: Drop ACPI device ids
	staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids
	USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
	mei: bus: prefix device names on bus with the bus name
	xfrm: Fix memleak on xfrm state destroy
	media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE
	net: macb: fix error format in dev_err()
	pwm: Clear chip_data in pwm_put()
	media: atmel: atmel-isc: fix asd memory allocation
	media: atmel: atmel-isc: fix INIT_WORK misplacement
	macvlan: schedule bc_work even if error
	net: psample: fix skb_over_panic
	openvswitch: fix flow command message size
	slip: Fix use-after-free Read in slip_open
	openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
	openvswitch: remove another BUG_ON()
	tipc: fix link name length check
	sctp: cache netns in sctp_ep_common
	net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
	ext4: add more paranoia checking in ext4_expand_extra_isize handling
	watchdog: sama5d4: fix WDD value to be always set to max
	net: macb: Fix SUBNS increment and increase resolution
	net: macb driver, check for SKBTX_HW_TSTAMP
	mtd: rawnand: atmel: Fix spelling mistake in error message
	mtd: rawnand: atmel: fix possible object reference leak
	mtd: spi-nor: cast to u64 to avoid uint overflows
	y2038: futex: Move compat implementation into futex.c
	futex: Prevent robust futex exit race
	futex: Move futex exit handling into futex code
	futex: Replace PF_EXITPIDONE with a state
	exit/exec: Seperate mm_release()
	futex: Split futex_mm_release() for exit/exec
	futex: Set task::futex_state to DEAD right after handling futex exit
	futex: Mark the begin of futex exit explicitly
	futex: Sanitize exit state handling
	futex: Provide state handling for exec() as well
	futex: Add mutex around futex exit
	futex: Provide distinct return value when owner is exiting
	futex: Prevent exit livelock
	HID: core: check whether Usage Page item is after Usage ID items
	crypto: stm32/hash - Fix hmac issue more than 256 bytes
	media: stm32-dcmi: fix DMA corruption when stopping streaming
	hwrng: stm32 - fix unbalanced pm_runtime_enable
	mailbox: mailbox-test: fix null pointer if no mmio
	pinctrl: stm32: fix memory leak issue
	ASoC: stm32: i2s: fix dma configuration
	ASoC: stm32: i2s: fix 16 bit format support
	ASoC: stm32: i2s: fix IRQ clearing
	platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
	platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
	net: fec: fix clock count mis-match
	Linux 4.14.158

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-12-05 15:48:19 +01:00
Steffen Klassert
171148ea3a xfrm: Fix memleak on xfrm state destroy
commit 86c6739eda7d2a03f2db30cbee67a5fb81afa8ba upstream.

We leak the page that we use to create skb page fragments
when destroying the xfrm_state. Fix this by dropping a
page reference if a page was assigned to the xfrm_state.

Fixes: cac2661c53f3 ("esp4: Avoid skb_cow_data whenever possible")
Reported-by: JD <jdtxs00@gmail.com>
Reported-by: Paul Wouters <paul@nohats.ca>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-12-05 15:38:10 +01:00
Greg Kroah-Hartman
f9b4ab5c8e This is the 4.14.156 stable release

Merge 4.14.156 into android-4.14

Changes in 4.14.156
	spi: mediatek: use correct mata->xfer_len when in fifo transfer
	tee: optee: add missing of_node_put after of_device_is_available
	Revert "OPP: Protect dev_list with opp_table lock"
	net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
	idr: Fix idr_get_next race with idr_remove
	mm/memory_hotplug: don't access uninitialized memmaps in shrink_pgdat_span()
	mm/memory_hotplug: fix updating the node span
	arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault
	fbdev: Ditch fb_edid_add_monspecs
	net: ovs: fix return type of ndo_start_xmit function
	net: xen-netback: fix return type of ndo_start_xmit function
	ARM: dts: dra7: Enable workaround for errata i870 in PCIe host mode
	ARM: dts: omap5: enable OTG role for DWC3 controller
	net: hns3: Fix for netdev not up problem when setting mtu
	f2fs: return correct errno in f2fs_gc
	ARM: dts: sun8i: h3-h5: ir register size should be the whole memory block
	SUNRPC: Fix priority queue fairness
	IB/hfi1: Ensure ucast_dlid access doesnt exceed bounds
	iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
	kvm: arm/arm64: Fix stage2_flush_memslot for 4 level page table
	arm64/numa: Report correct memblock range for the dummy node
	ath10k: fix vdev-start timeout on error
	ata: ahci_brcm: Allow using driver or DSL SoCs
	ath9k: fix reporting calculated new FFT upper max
	usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status()
	usb: dwc3: gadget: Check ENBLSLPM before sending ep command
	nl80211: Fix a GET_KEY reply attribute
	irqchip/irq-mvebu-icu: Fix wrong private data retrieval
	watchdog: w83627hf_wdt: Support NCT6796D, NCT6797D, NCT6798D
	KVM: PPC: Inform the userspace about TCE update failures
	dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction
	dmaengine: timb_dma: Use proper enum in td_prep_slave_sg
	ext4: fix build error when DX_DEBUG is defined
	clk: keystone: Enable TISCI clocks if K3_ARCH
	sunrpc: Fix connect metrics
	mei: samples: fix a signedness bug in amt_host_if_call()
	cxgb4: Use proper enum in cxgb4_dcb_handle_fw_update
	cxgb4: Use proper enum in IEEE_FAUX_SYNC
	powerpc/pseries: Fix DTL buffer registration
	powerpc/pseries: Fix how we iterate over the DTL entries
	powerpc/xive: Move a dereference below a NULL test
	ARM: dts: at91: sama5d4_xplained: fix addressable nand flash size
	ARM: dts: at91: at91sam9x5cm: fix addressable nand flash size
	mtd: rawnand: sh_flctl: Use proper enum for flctl_dma_fifo0_transfer
	PM / hibernate: Check the success of generating md5 digest before hibernation
	tools: PCI: Fix compilation warnings
	clocksource/drivers/sh_cmt: Fixup for 64-bit machines
	clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines
	md: allow metadata updates while suspending an array - fix
	ixgbe: Fix ixgbe TX hangs with XDP_TX beyond queue limit
	i40e: Use proper enum in i40e_ndo_set_vf_link_state
	ixgbe: Fix crash with VFs and flow director on interface flap
	IB/mthca: Fix error return code in __mthca_init_one()
	IB/mlx4: Avoid implicit enumerated type conversion
	ACPICA: Never run _REG on system_memory and system_IO
	powerpc/time: Use clockevents_register_device(), fixing an issue with large decrementer
	ata: ep93xx: Use proper enums for directions
	media: rc: ir-rc6-decoder: enable toggle bit for Kathrein RCU-676 remote
	media: pxa_camera: Fix check for pdev->dev.of_node
	media: i2c: adv748x: Support probing a single output
	ALSA: hda/sigmatel - Disable automute for Elo VuPoint
	KVM: PPC: Book3S PR: Exiting split hack mode needs to fixup both PC and LR
	USB: serial: cypress_m8: fix interrupt-out transfer length
	mtd: physmap_of: Release resources on error
	cpu/SMT: State SMT is disabled even with nosmt and without "=force"
	brcmfmac: reduce timeout for action frame scan
	brcmfmac: fix full timeout waiting for action frame on-channel tx
	qtnfmac: pass sgi rate info flag to wireless core
	qtnfmac: drop error reports for out-of-bounds key indexes
	clk: samsung: exynos5420: Define CLK_SECKEY gate clock only or Exynos5420
	clk: samsung: Use clk_hw API for calling clk framework from clk notifiers
	i2c: brcmstb: Allow enabling the driver on DSL SoCs
	NFSv4.x: fix lock recovery during delegation recall
	dmaengine: ioat: fix prototype of ioat_enumerate_channels
	media: cec-gpio: select correct Signal Free Time
	Input: st1232 - set INPUT_PROP_DIRECT property
	Input: silead - try firmware reload after unsuccessful resume
	remoteproc: Check for NULL firmwares in sysfs interface
	kexec: Allocate decrypted control pages for kdump if SME is enabled
	x86/olpc: Fix build error with CONFIG_MFD_CS5535=m
	dmaengine: rcar-dmac: set scatter/gather max segment size
	crypto: mxs-dcp - Fix SHA null hashes and output length
	crypto: mxs-dcp - Fix AES issues
	xfrm: use correct size to initialise sp->ovec
	ACPI / SBS: Fix rare oops when removing modules
	iwlwifi: mvm: don't send keys when entering D3
	x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately
	mmc: tmio: Fix SCC error detection
	fbdev: sbuslib: use checked version of put_user()
	fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
	reset: Fix potential use-after-free in __of_reset_control_get()
	bcache: recal cached_dev_sectors on detach
	media: dw9714: Fix error handling in probe function
	s390/kasan: avoid vdso instrumentation
	proc/vmcore: Fix i386 build error of missing copy_oldmem_page_encrypted()
	backlight: lm3639: Unconditionally call led_classdev_unregister
	mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable
	printk: Give error on attempt to set log buffer length to over 2G
	media: isif: fix a NULL pointer dereference bug
	GFS2: Flush the GFS2 delete workqueue before stopping the kernel threads
	media: cx231xx: fix potential sign-extension overflow on large shift
	x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error
	gpio: syscon: Fix possible NULL ptr usage
	spi: fsl-lpspi: Prevent FIFO under/overrun by default
	pinctrl: gemini: Mask and set properly
	spi: spidev: Fix OF tree warning logic
	ARM: 8802/1: Call syscall_trace_exit even when system call skipped
	orangefs: rate limit the client not running info message
	pinctrl: gemini: Fix up TVC clock group
	hwmon: (pwm-fan) Silence error on probe deferral
	hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros
	netfilter: nft_compat: do not dump private area
	misc: cxl: Fix possible null pointer dereference
	mac80211: minstrel: fix using short preamble CCK rates on HT clients
	mac80211: minstrel: fix CCK rate group streams value
	mac80211: minstrel: fix sampling/reporting of CCK rates in HT mode
	spi: rockchip: initialize dma_slave_config properly
	mlxsw: spectrum_switchdev: Check notification relevance based on upper device
	ARM: dts: omap5: Fix dual-role mode on Super-Speed port
	tools: PCI: Fix broken pcitest compilation
	powerpc/time: Fix clockevent_decrementer initalisation for PR KVM
	mmc: tmio: fix SCC error handling to avoid false positive CRC error
	Linux 4.14.156

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-11-25 10:05:57 +01:00
Li RongQing
3dc9256449 xfrm: use correct size to initialise sp->ovec
[ Upstream commit f1193e915748291fb205a908db33bd3debece6e2 ]

This place should want to initialize array, not an element,
so it should be sizeof(array) instead of sizeof(element)

but now this array only has one element, so no error in
this condition that XFRM_MAX_OFFLOAD_DEPTH is 1

Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-11-24 08:23:18 +01:00
Greg Kroah-Hartman
911452d916 This is the 4.14.144 stable release

Merge 4.14.144 into android-4.14

Changes in 4.14.144
	ALSA: hda - Fix potential endless loop at applying quirks
	ALSA: hda/realtek - Fix overridden device-specific initialization
	ALSA: hda/realtek - Fix the problem of two front mics on a ThinkCentre
	sched/fair: Don't assign runtime for throttled cfs_rq
	drm/vmwgfx: Fix double free in vmw_recv_msg()
	powerpc/tm: Fix FP/VMX unavailable exceptions inside a transaction
	xfrm: clean up xfrm protocol checks
	ip6: fix skb leak in ip6frag_expire_frag_queue()
	PCI: designware-ep: Fix find_first_zero_bit() usage
	PCI: dra7xx: Fix legacy INTD IRQ handling
	vhost/test: fix build for vhost test
	batman-adv: fix uninit-value in batadv_netlink_get_ifindex()
	batman-adv: Only read OGM tvlv_len after buffer len check
	hv_sock: Fix hang when a connection is closed
	powerpc/64: mark start_here_multiplatform as __ref
	arm64: dts: rockchip: enable usb-host regulators at boot on rk3328-rock64
	scripts/decode_stacktrace: match basepath using shell prefix operator, not regex
	clk: s2mps11: Add used attribute to s2mps11_dt_match
	kernel/module: Fix mem leak in module_add_modinfo_attrs
	vhost: make sure log_num < in_num
	Linux 4.14.144

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-09-16 09:41:08 +02:00
Cong Wang
cd393b3851 xfrm: clean up xfrm protocol checks
commit dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399 upstream.

In commit 6a53b7593233 ("xfrm: check id proto in validate_tmpl()")
I introduced a check for xfrm protocol, but according to Herbert
IPSEC_PROTO_ANY should only be used as a wildcard for lookup, so
it should be removed from validate_tmpl().

And, IPSEC_PROTO_ANY is expected to only match 3 IPSec-specific
protocols, this is why xfrm_state_flush() could still miss
IPPROTO_ROUTING, which leads to those entries being left in
net->xfrm.state_all before exit net. Fix this by replacing
IPSEC_PROTO_ANY with zero.

This patch also extracts the check from validate_tmpl() to
xfrm_id_proto_valid() and uses it in parse_ipsecrequest().
With this, no other protocols should be added into xfrm.

Fixes: 6a53b7593233 ("xfrm: check id proto in validate_tmpl()")
Reported-by: syzbot+0bf0519d6e0de15914fe@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-09-16 08:20:44 +02:00
Greg Kroah-Hartman
f5189d4af2 This is the 4.14.140 stable release

Merge 4.14.140 into android-4.14

Changes in 4.14.140
	scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA
	sh: kernel: hw_breakpoint: Fix missing break in switch statement
	mm/usercopy: use memory range to be accessed for wraparound check
	mm/memcontrol.c: fix use after free in mem_cgroup_iter()
	bpf: get rid of pure_initcall dependency to enable jits
	bpf: restrict access to core bpf sysctls
	bpf: add bpf_jit_limit knob to restrict unpriv allocations
	x86/mm: Use WRITE_ONCE() when setting PTEs
	xtensa: add missing isync to the cpu_reset TLB code
	ALSA: hda - Apply workaround for another AMD chip 1022:1487
	ALSA: hda - Fix a memory leak bug
	ALSA: hda - Add a generic reboot_notify
	ALSA: hda - Let all conexant codec enter D3 when rebooting
	HID: holtek: test for sanity of intfdata
	HID: hiddev: avoid opening a disconnected device
	HID: hiddev: do cleanup in failure of opening a device
	Input: kbtab - sanity check for endpoint type
	Input: iforce - add sanity checks
	net: usb: pegasus: fix improper read if get_registers() fail
	netfilter: ebtables: also count base chain policies
	clk: at91: generated: Truncate divisor to GENERATED_MAX_DIV + 1
	clk: renesas: cpg-mssr: Fix reset control race condition
	xen/pciback: remove set but not used variable 'old_state'
	irqchip/gic-v3-its: Free unused vpt_page when alloc vpe table fail
	irqchip/irq-imx-gpcv2: Forward irq type to parent
	perf header: Fix divide by zero error if f_header.attr_size==0
	perf header: Fix use of unitialized value warning
	libata: zpodd: Fix small read overflow in zpodd_get_mech_type()
	drm/bridge: lvds-encoder: Fix build error while CONFIG_DRM_KMS_HELPER=m
	scsi: hpsa: correct scsi command status issue after reset
	scsi: qla2xxx: Fix possible fcport null-pointer dereferences
	ata: libahci: do not complain in case of deferred probe
	kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external modules
	arm64/efi: fix variable 'si' set but not used
	arm64: unwind: Prohibit probing on return_address()
	arm64/mm: fix variable 'pud' set but not used
	IB/core: Add mitigation for Spectre V1
	IB/mad: Fix use-after-free in ib mad completion handling
	drm: msm: Fix add_gpu_components
	ocfs2: remove set but not used variable 'last_hash'
	asm-generic: fix -Wtype-limits compiler warnings
	KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block
	staging: comedi: dt3000: Fix signed integer overflow 'divider * base'
	staging: comedi: dt3000: Fix rounding up of timer divisor
	iio: adc: max9611: Fix temperature reading in probe
	USB: core: Fix races in character device registration and deregistraion
	usb: gadget: udc: renesas_usb3: Fix sysfs interface of "role"
	usb: cdc-acm: make sure a refcount is taken early enough
	USB: CDC: fix sanity checks in CDC union parser
	USB: serial: option: add D-Link DWM-222 device ID
	USB: serial: option: Add support for ZTE MF871A
	USB: serial: option: add the BroadMobi BM818 card
	USB: serial: option: Add Motorola modem UARTs
	bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K
	Revert "tcp: Clear sk_send_head after purging the write queue"
	arm64: compat: Allow single-byte watchpoints on all addresses
	arm64: ftrace: Ensure module ftrace trampoline is coherent with I-side
	netfilter: conntrack: Use consistent ct id hash calculation
	Input: psmouse - fix build error of multiple definition
	iommu/amd: Move iommu_init_pci() to .init section
	bnx2x: Fix VF's VLAN reconfiguration in reload.
	net/mlx4_en: fix a memory leak bug
	net/packet: fix race in tpacket_snd()
	sctp: fix the transport error_count check
	xen/netback: Reset nr_frags before freeing skb
	net/mlx5e: Only support tx/rx pause setting for port owner
	net/mlx5e: Use flow keys dissector to parse packets for ARFS
	team: Add vlan tx offload to hw_enc_features
	bonding: Add vlan tx offload to hw_enc_features
	mmc: sdhci-of-arasan: Do now show error message in case of deffered probe
	xfrm: policy: remove pcpu policy cache
	Linux 4.14.140

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-08-25 15:02:51 +02:00
Florian Westphal
64d1cec408 xfrm: policy: remove pcpu policy cache
commit e4db5b61c572475bbbcf63e3c8a2606bfccf2c9d upstream.

Kristian Evensen says:
  In a project I am involved in, we are running ipsec (Strongswan) on
  different mt7621-based routers. Each router is configured as an
  initiator and has around ~30 tunnels to different responders (running
  on misc. devices). Before the flow cache was removed (kernel 4.9), we
  got a combined throughput of around 70Mbit/s for all tunnels on one
  router. However, we recently switched to kernel 4.14 (4.14.48), and
  the total throughput is somewhere around 57Mbit/s (best-case). I.e., a
  drop of around 20%. Reverting the flow cache removal restores, as
  expected, performance levels to that of kernel 4.9.

When pcpu xdst exists, it has to be validated first before it can be
used.

A negative hit thus increases cost vs. no-cache.

As number of tunnels increases, hit rate decreases so this pcpu caching
isn't a viable strategy.

Furthermore, the xdst cache also needs to run with BH off, so when
removing this the bh disable/enable pairs can be removed too.

Kristian tested a 4.14.y backport of this change and reported
increased performance:

  In our tests, the throughput reduction has been reduced from around -20%
  to -5%. We also see that the overall throughput is independent of the
  number of tunnels, while before the throughput was reduced as the number
  of tunnels increased.

Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-08-25 10:50:29 +02:00
Greg Kroah-Hartman
a5847ae74b This is the 4.14.135 stable release

Merge 4.14.135 into android-4.14

Changes in 4.14.135
	MIPS: ath79: fix ar933x uart parity mode
	MIPS: fix build on non-linux hosts
	arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly
	scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported
	dmaengine: imx-sdma: fix use-after-free on probe error path
	wil6210: fix potential out-of-bounds read
	ath10k: Do not send probe response template for mesh
	ath9k: Check for errors when reading SREV register
	ath6kl: add some bounds checking
	ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
	batman-adv: fix for leaked TVLV handler.
	media: dvb: usb: fix use after free in dvb_usb_device_exit
	media: spi: IR LED: add missing of table registration
	crypto: talitos - fix skcipher failure due to wrong output IV
	media: marvell-ccic: fix DMA s/g desc number calculation
	media: vpss: fix a potential NULL pointer dereference
	media: media_device_enum_links32: clean a reserved field
	net: stmmac: dwmac1000: Clear unused address entries
	net: stmmac: dwmac4/5: Clear unused address entries
	qed: Set the doorbell address correctly
	signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
	af_key: fix leaks in key_pol_get_resp and dump_sp.
	xfrm: Fix xfrm sel prefix length validation
	fscrypt: clean up some BUG_ON()s in block encryption/decryption
	media: mc-device.c: don't memset __user pointer contents
	media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
	net: phy: Check against net_device being NULL
	crypto: talitos - properly handle split ICV.
	crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
	tua6100: Avoid build warnings.
	locking/lockdep: Fix merging of hlocks with non-zero references
	media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
	cpupower : frequency-set -r option misses the last cpu in related cpu list
	net: stmmac: dwmac4: fix flow control issue
	net: fec: Do not use netdev messages too early
	net: axienet: Fix race condition causing TX hang
	s390/qdio: handle PENDING state for QEBSM devices
	RAS/CEC: Fix pfn insertion
	net: sfp: add mutex to prevent concurrent state checks
	ipset: Fix memory accounting for hash types on resize
	perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode
	perf test 6: Fix missing kvm module load for s390
	media: fdp1: Support M3N and E3 platforms
	iommu: Fix a leak in iommu_insert_resv_region
	gpio: omap: fix lack of irqstatus_raw0 for OMAP4
	gpio: omap: ensure irq is enabled before wakeup
	regmap: fix bulk writes on paged registers
	bpf: silence warning messages in core
	rcu: Force inlining of rcu_read_lock()
	x86/cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS
	blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration
	xfrm: fix sa selector validation
	sched/core: Add __sched tag for io_schedule()
	x86/atomic: Fix smp_mb__{before,after}_atomic()
	perf evsel: Make perf_evsel__name() accept a NULL argument
	vhost_net: disable zerocopy by default
	ipoib: correcly show a VF hardware address
	EDAC/sysfs: Fix memory leak when creating a csrow object
	ipsec: select crypto ciphers for xfrm_algo
	ipvs: defer hook registration to avoid leaks
	media: s5p-mfc: Make additional clocks optional
	media: i2c: fix warning same module names
	ntp: Limit TAI-UTC offset
	timer_list: Guard procfs specific code
	acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
	media: coda: fix mpeg2 sequence number handling
	media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP
	media: coda: increment sequence offset for the last returned frame
	media: vimc: cap: check v4l2_fill_pixfmt return value
	media: hdpvr: fix locking and a missing msleep
	rtlwifi: rtl8192cu: fix error handle when usb probe failed
	mt7601u: do not schedule rx_tasklet when the device has been disconnected
	x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
	mt7601u: fix possible memory leak when the device is disconnected
	ipvs: fix tinfo memory leak in start_sync_thread
	ath10k: add missing error handling
	ath10k: fix PCIE device wake up failed
	perf tools: Increase MAX_NR_CPUS and MAX_CACHES
	libata: don't request sense data on !ZAC ATA devices
	clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
	rslib: Fix decoding of shortened codes
	rslib: Fix handling of of caller provided syndrome
	ixgbe: Check DDM existence in transceiver before access
	crypto: serpent - mark __serpent_setkey_sbox noinline
	crypto: asymmetric_keys - select CRYPTO_HASH where needed
	EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
	bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
	net: hns3: fix a -Wformat-nonliteral compile warning
	net: hns3: add some error checking in hclge_tm module
	ath10k: destroy sdio workqueue while remove sdio module
	iwlwifi: mvm: Drop large non sta frames
	perf stat: Make metric event lookup more robust
	net: usb: asix: init MAC address buffers
	gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
	Bluetooth: hci_bcsp: Fix memory leak in rx_skb
	Bluetooth: 6lowpan: search for destination address in all peers
	Bluetooth: Check state in l2cap_disconnect_rsp
	gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()
	Bluetooth: validate BLE connection interval updates
	gtp: fix suspicious RCU usage
	gtp: fix Illegal context switch in RCU read-side critical section.
	gtp: fix use-after-free in gtp_encap_destroy()
	gtp: fix use-after-free in gtp_newlink()
	net: mvmdio: defer probe of orion-mdio if a clock is not ready
	iavf: fix dereference of null rx_buffer pointer
	floppy: fix div-by-zero in setup_format_params
	floppy: fix out-of-bounds read in next_valid_format
	floppy: fix invalid pointer dereference in drive_name
	floppy: fix out-of-bounds read in copy_buffer
	xen: let alloc_xenballooned_pages() fail if not enough memory free
	scsi: NCR5380: Reduce goto statements in NCR5380_select()
	scsi: NCR5380: Always re-enable reselection interrupt
	Revert "scsi: ncr5380: Increase register polling limit"
	scsi: core: Fix race on creating sense cache
	scsi: megaraid_sas: Fix calculation of target ID
	scsi: mac_scsi: Increase PIO/PDMA transfer length threshold
	scsi: mac_scsi: Fix pseudo DMA implementation, take 2
	crypto: ghash - fix unaligned memory access in ghash_setkey()
	crypto: ccp - Validate the the error value used to index error messages
	crypto: arm64/sha1-ce - correct digest for empty data in finup
	crypto: arm64/sha2-ce - correct digest for empty data in finup
	crypto: chacha20poly1305 - fix atomic sleep when using async algorithm
	crypto: ccp - memset structure fields to zero before reuse
	crypto: ccp/gcm - use const time tag comparison.
	crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe
	Input: gtco - bounds check collection indent level
	Input: alps - don't handle ALPS cs19 trackpoint-only device
	Input: synaptics - whitelist Lenovo T580 SMBus intertouch
	Input: alps - fix a mismatch between a condition check and its comment
	regulator: s2mps11: Fix buck7 and buck8 wrong voltages
	arm64: tegra: Update Jetson TX1 GPU regulator timings
	iwlwifi: pcie: don't service an interrupt that was masked
	iwlwifi: pcie: fix ALIVE interrupt handling for gen2 devices w/o MSI-X
	NFSv4: Handle the special Linux file open access mode
	pnfs/flexfiles: Fix PTR_ERR() dereferences in ff_layout_track_ds_error
	lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
	ASoC: dapm: Adapt for debugfs API change
	ALSA: seq: Break too long mutex context in the write loop
	ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine
	media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
	media: coda: Remove unbalanced and unneeded mutex unlock
	KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
	arm64: tegra: Fix AGIC register range
	fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.
	drm/nouveau/i2c: Enable i2c pads & busses during preinit
	padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
	dm zoned: fix zone state management race
	xen/events: fix binding user event channels to cpus
	9p/xen: Add cleanup path in p9_trans_xen_init
	9p/virtio: Add cleanup path in p9_virtio_init
	x86/boot: Fix memory leak in default_get_smp_config()
	perf/x86/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' for non-L3 PMCs
	perf/x86/amd/uncore: Set the thread mask for F17h L3 PMCs
	intel_th: pci: Add Ice Lake NNPI support
	PCI: Do not poll for PME if the device is in D3cold
	Btrfs: fix data loss after inode eviction, renaming it, and fsync it
	Btrfs: fix fsync not persisting dentry deletions due to inode evictions
	Btrfs: add missing inode version, ctime and mtime updates when punching hole
	HID: wacom: generic: only switch the mode on devices with LEDs
	HID: wacom: correct touch resolution x/y typo
	libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
	coda: pass the host file in vma->vm_file on mmap
	gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
	PCI: hv: Fix a use-after-free bug in hv_eject_device_work()
	crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
	parisc: Ensure userspace privilege for ptraced processes in regset functions
	parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
	powerpc/32s: fix suspend/resume when IBATs 4-7 are used
	powerpc/watchpoint: Restore NV GPRs while returning from exception
	eCryptfs: fix a couple type promotion bugs
	intel_th: msu: Fix single mode with disabled IOMMU
	Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
	usb: Handle USB3 remote wakeup for LPM enabled devices correctly
	net: mvmdio: allow up to four clocks to be specified for orion-mdio
	dt-bindings: allow up to four clocks for orion-mdio
	dm bufio: fix deadlock with loop device
	compiler.h, kasan: Avoid duplicating __read_once_size_nocheck()
	compiler.h: Add read_word_at_a_time() function.
	lib/strscpy: Shut up KASAN false-positives in strscpy()
	bnx2x: Prevent load reordering in tx completion processing
	bnx2x: Prevent ptp_task to be rescheduled indefinitely
	caif-hsi: fix possible deadlock in cfhsi_exit_module()
	igmp: fix memory leak in igmpv3_del_delrec()
	ipv4: don't set IPv6 only flags to IPv4 addresses
	net: bcmgenet: use promisc for unsupported filters
	net: dsa: mv88e6xxx: wait after reset deactivation
	net: neigh: fix multiple neigh timer scheduling
	net: openvswitch: fix csum updates for MPLS actions
	nfc: fix potential illegal memory access
	rxrpc: Fix send on a connected, but unbound socket
	sky2: Disable MSI on ASUS P6T
	vrf: make sure skb->data contains ip header to make routing
	macsec: fix use-after-free of skb during RX
	macsec: fix checksumming after decryption
	netrom: fix a memory leak in nr_rx_frame()
	netrom: hold sock when setting skb->destructor
	bonding: validate ip header before check IPPROTO_IGMP
	net: make skb_dst_force return true when dst is refcounted
	tcp: fix tcp_set_congestion_control() use from bpf hook
	tcp: Reset bytes_acked and bytes_received when disconnecting
	net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
	net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
	net: bridge: stp: don't cache eth dest pointer before skb pull
	dma-buf: balance refcount inbalance
	dma-buf: Discard old fence_excl on retrying get_fences_rcu for realloc
	MIPS: lb60: Fix pin mappings
	ext4: don't allow any modifications to an immutable file
	ext4: enforce the immutable flag on open files
	mm: add filemap_fdatawait_range_keep_errors()
	jbd2: introduce jbd2_inode dirty range scoping
	ext4: use jbd2_inode dirty range scoping
	ext4: allow directory holes
	mm: vmscan: scan anonymous pages on file refaults
	perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id
	NFSv4: Fix open create exclusive when the server reboots
	nfsd: increase DRC cache limit
	nfsd: give out fewer session slots as limit approaches
	nfsd: fix performance-limiting session calculation
	nfsd: Fix overflow causing non-working mounts on 1 TB machines
	hvsock: fix epollout hang from race condition
	drm/panel: simple: Fix panel_simple_dsi_probe
	usb: core: hub: Disable hub-initiated U1/U2
	tty: max310x: Fix invalid baudrate divisors calculator
	pinctrl: rockchip: fix leaked of_node references
	tty: serial: cpm_uart - fix init when SMC is relocated
	drm/edid: Fix a missing-check bug in drm_load_edid_firmware()
	PCI: Return error if cannot probe VF
	drm/bridge: tc358767: read display_props in get_modes()
	drm/bridge: sii902x: pixel clock unit is 10kHz instead of 1kHz
	drm/crc-debugfs: User irqsafe spinlock in drm_crtc_add_crc_entry
	memstick: Fix error cleanup path of memstick_init
	tty/serial: digicolor: Fix digicolor-usart already registered warning
	tty: serial: msm_serial: avoid system lockup condition
	serial: 8250: Fix TX interrupt handling condition
	drm/virtio: Add memory barriers for capset cache.
	phy: renesas: rcar-gen2: Fix memory leak at error paths
	powerpc/pseries/mobility: prevent cpu hotplug during DT update
	drm/rockchip: Properly adjust to a true clock in adjusted_mode
	tty: serial_core: Set port active bit in uart_port_activate
	usb: gadget: Zero ffs_io_data
	powerpc/pci/of: Fix OF flags parsing for 64bit BARs
	drm/msm: Depopulate platform on probe failure
	serial: mctrl_gpio: Check if GPIO property exisits before requesting it
	PCI: sysfs: Ignore lockdep for remove attribute
	kbuild: Add -Werror=unknown-warning-option to CLANG_FLAGS
	PCI: xilinx-nwl: Fix Multi MSI data programming
	iio: iio-utils: Fix possible incorrect mask calculation
	powerpc/xmon: Fix disabling tracing while in xmon
	recordmcount: Fix spurious mcount entries on powerpc
	mfd: core: Set fwnode for created devices
	mfd: arizona: Fix undefined behavior
	mfd: hi655x-pmic: Fix missing return value check for devm_regmap_init_mmio_clk
	um: Silence lockdep complaint about mmap_sem
	powerpc/4xx/uic: clear pending interrupt after irq type/pol change
	RDMA/i40iw: Set queue pair state when being queried
	serial: sh-sci: Terminate TX DMA during buffer flushing
	serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
	kallsyms: exclude kasan local symbols on s390
	perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
	perf session: Fix potential NULL pointer dereference found by the smatch tool
	perf annotate: Fix dereferencing freed memory found by the smatch tool
	RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM
	PCI: dwc: pci-dra7xx: Fix compilation when !CONFIG_GPIOLIB
	powerpc/boot: add {get, put}_unaligned_be32 to xz_config.h
	f2fs: avoid out-of-range memory access
	mailbox: handle failed named mailbox channel request
	powerpc/eeh: Handle hugepages in ioremap space
	block/bio-integrity: fix a memory leak bug
	sh: prevent warnings when using iounmap
	mm/kmemleak.c: fix check for softirq context
	9p: pass the correct prototype to read_cache_page
	mm/gup.c: mark undo_dev_pagemap as __maybe_unused
	mm/gup.c: remove some BUG_ONs from get_gate_page()
	mm/mmu_notifier: use hlist_add_head_rcu()
	locking/lockdep: Fix lock used or unused stats error
	locking/lockdep: Hide unused 'class' variable
	drm/crc: Only report a single overflow when a CRC fd is opened
	drm/crc-debugfs: Also sprinkle irqrestore over early exits
	usb: wusbcore: fix unbalanced get/put cluster_id
	usb: pci-quirks: Correct AMD PLL quirk detection
	KVM: nVMX: do not use dangling shadow VMCS after guest reset
	btrfs: inode: Don't compress if NODATASUM or NODATACOW set
	x86/sysfb_efi: Add quirks for some devices with swapped width and height
	x86/speculation/mds: Apply more accurate check on hypervisor platform
	binder: prevent transactions to context manager from its own process.
	fpga-manager: altera-ps-spi: Fix build error
	hpet: Fix division by zero in hpet_time_div()
	ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
	ALSA: hda - Add a conexant codec entry to let mute led work
	powerpc/xive: Fix loop exit-condition in xive_find_target_in_mask()
	powerpc/tm: Fix oops on sigreturn on systems without TM
	access: avoid the RCU grace period for the temporary subjective credentials
	Linux 4.14.135

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-07-31 08:08:59 +02:00
Arnd Bergmann
d73991322a ipsec: select crypto ciphers for xfrm_algo
[ Upstream commit 597179b0ba550bd83fab1a9d57c42a9343c58514 ]

kernelci.org reports failed builds on arc because of what looks
like an old missed 'select' statement:

net/xfrm/xfrm_algo.o: In function `xfrm_probe_algs':
xfrm_algo.c:(.text+0x1e8): undefined reference to `crypto_has_ahash'

I don't see this in randconfig builds on other architectures, but
it's fairly clear we want to select the hash code for it, like we
do for all its other users. As Herbert points out, CRYPTO_BLKCIPHER
is also required even though it has not popped up in build tests.

Fixes: 17bc19702221 ("ipsec: Use skcipher and ahash when probing algorithms")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-07-31 07:28:27 +02:00
Nicolas Dichtel
708e50121d xfrm: fix sa selector validation
[ Upstream commit b8d6d0079757cbd1b69724cfd1c08e2171c68cee ]

After commit b38ff4075a80, the following command does not work anymore:
$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
  mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
  'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4

In fact, the selector is not mandatory, allow the user to provide an empty
selector.

Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
CC: Anirudh Gupta <anirudh.gupta@sophos.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-07-31 07:28:26 +02:00
Anirudh Gupta
2b4bd28ba3 xfrm: Fix xfrm sel prefix length validation
[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ]

Family of src/dst can be different from family of selector src/dst.
Use xfrm selector family to validate address prefix length,
while verifying new sa from userspace.

Validated patch with this command:
ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
0x1111016400000000000000000000000044440001 128 \
sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5

Fixes: 07bf7908950a ("xfrm: Validate address prefix lengths in the xfrm selector.")
Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-07-31 07:28:21 +02:00
Tri Vo
54fa720a6f ANDROID: xfrm: remove in_compat_syscall() checks
This hack is needed to run 32-bit userspace on 64-bit kernel.

Bug: 138147164
Test: kernel_net_tests
Signed-off-by: Tri Vo <trong@google.com>
Change-Id: I083d32b45ca985cfadfe3ce57d253b63202befde
2019-07-26 15:18:07 +00:00
Greg Kroah-Hartman
fd9e32a025 This is the 4.14.122 stable release

Merge 4.14.122 into android-4.14

Changes in 4.14.122
	net: avoid weird emergency message
	net/mlx4_core: Change the error print to info print
	net: test nouarg before dereferencing zerocopy pointers
	net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions
	ppp: deflate: Fix possible crash in deflate_init
	tipc: switch order of device registration to fix a crash
	vsock/virtio: free packets during the socket release
	tipc: fix modprobe tipc failed after switch order of device registration
	vsock/virtio: Initialize core virtio vsock before registering the driver
	net: Always descend into dsa/
	parisc: Export running_on_qemu symbol for modules
	parisc: Skip registering LED when running in QEMU
	parisc: Use PA_ASM_LEVEL in boot code
	parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code
	stm class: Fix channel free in stm output free path
	md: add mddev->pers to avoid potential NULL pointer dereference
	intel_th: msu: Fix single mode with IOMMU
	p54: drop device reference count if fails to enable device
	of: fix clang -Wunsequenced for be32_to_cpu()
	cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
	media: ov6650: Fix sensor possibly not detected on probe
	Revert "cifs: fix memory leak in SMB2_read"
	NFS4: Fix v4.0 client state corruption when mount
	PNFS fallback to MDS if no deviceid found
	clk: hi3660: Mark clk_gate_ufs_subsys as critical
	clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
	clk: rockchip: fix wrong clock definitions for rk3328
	fuse: fix writepages on 32bit
	fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
	iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
	ceph: flush dirty inodes before proceeding with remount
	x86_64: Add gap to int3 to allow for call emulation
	x86_64: Allow breakpoints to emulate call instructions
	ftrace/x86_64: Emulate call function while updating in breakpoint handler
	tracing: Fix partial reading of trace event's id file
	memory: tegra: Fix integer overflow on tick value calculation
	perf intel-pt: Fix instructions sampling rate
	perf intel-pt: Fix improved sample timestamp
	perf intel-pt: Fix sample timestamp wrt non-taken branches
	objtool: Allow AR to be overridden with HOSTAR
	fbdev: sm712fb: fix brightness control on reboot, don't set SR30
	fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75
	fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F
	fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
	fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
	fbdev: sm712fb: fix support for 1024x768-16 mode
	fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
	fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
	PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken
	PCI: Mark Atheros AR9462 to avoid bus reset
	PCI: Factor out pcie_retrain_link() function
	PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum
	dm cache metadata: Fix loading discard bitset
	dm zoned: Fix zone report handling
	dm delay: fix a crash when invalid device is specified
	xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
	xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
	vti4: ipip tunnel deregistration fixes.
	esp4: add length check for UDP encapsulation
	xfrm4: Fix uninitialized memory read in _decode_session4
	power: supply: cpcap-battery: Fix division by zero
	securityfs: fix use-after-free on symlink traversal
	apparmorfs: fix use-after-free on symlink traversal
	mac80211: Fix kernel panic due to use of txq after free
	KVM: arm/arm64: Ensure vcpu target is unset on reset failure
	power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
	iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb()
	sched/cpufreq: Fix kobject memleak
	x86/mm/mem_encrypt: Disable all instrumentation for early SME setup
	ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
	perf bench numa: Add define for RUSAGE_THREAD if not present
	Revert "Don't jump to compute_result state from check_result state"
	md/raid: raid5 preserve the writeback action after the parity check
	driver core: Postpone DMA tear-down until after devres release for probe failure
	bpf: add map_lookup_elem_sys_only for lookups from syscall side
	bpf, lru: avoid messing with eviction heuristics upon syscall lookup
	btrfs: Honour FITRIM range constraints during free space trim
	fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough
	Linux 4.14.122

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-05-27 09:36:03 +02:00
YueHaibing
1a2bb5125a xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
[ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ]

UBSAN reports this:

UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24
index 6 is out of range for type 'unsigned int [6]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
 0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4
 0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80
 ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8
Call Trace:
 <IRQ>  [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline]
 <IRQ>  [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51
 [<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
 [<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382
 [<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289
 [<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309
 [<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243
 [<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144
 [<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline]
 [<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401
 [<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273
 [<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline]
 [<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391
 [<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
 [<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926
 [<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735
 <EOI>  [<ffffffff81188096>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52
 [<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline]
 [<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446
 [<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437
 [<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92
 [<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline]
 [<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline]
 [<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299
 [<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245

The issue is triggered as this:

xfrm_add_policy
    -->verify_newpolicy_info  //check the index provided by user with XFRM_POLICY_MAX
			      //In my case, the index is 0x6E6BB6, so it passes the check.
    -->xfrm_policy_construct  //copy the user's policy and set xfrm_policy_timer
    -->xfrm_policy_insert
	--> __xfrm_policy_link //use the origin dir, in my case is 2
	--> xfrm_gen_index   //generate policy index, there is 0x6E6BB6

then xfrm_policy_timer is fired

xfrm_policy_timer
   --> xfrm_policy_id2dir  //get dir from (policy index & 7), in my case is 6
   --> xfrm_policy_delete
      --> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access

Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is
valid, to fix the issue.

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-05-25 18:25:33 +02:00
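
The index check described in the commit message above, as an added user-space model (not the kernel's code and not part of the original commit). It assumes XFRM_POLICY_MAX is 3 and that the pre-fix check masked the index with XFRM_POLICY_MAX; the *_model names, classify() and count_unsafe() are hypothetical helpers.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed values: three valid directions, and a per-direction counter
 * array with six slots (the 'unsigned int [6]' in the UBSAN report). */
#define XFRM_POLICY_MAX     3
#define POLICY_COUNT_SLOTS  (XFRM_POLICY_MAX * 2)

enum outcome { REJECTED, CONSISTENT, WRONG_SLOT, OUT_OF_BOUNDS };

typedef int (*verify_fn)(uint32_t index, int dir);

/* Direction recovered later from the index: (index & 7), per the commit message. */
static int id2dir_model(uint32_t index)
{
    return (int)(index & 7);
}

/* Pre-fix check (assumed form): only the low two bits are compared with dir. */
static int verify_before_model(uint32_t index, int dir)
{
    if (dir < 0 || dir >= XFRM_POLICY_MAX)
        return -1;
    if (index && (int)(index & XFRM_POLICY_MAX) != dir)
        return -1;
    return 0;
}

/* Post-fix check: validate with the same function the timer path uses. */
static int verify_after_model(uint32_t index, int dir)
{
    if (dir < 0 || dir >= XFRM_POLICY_MAX)
        return -1;
    if (index && id2dir_model(index) != dir)
        return -1;
    return 0;
}

/* What happens to an accepted (index, dir) pair when the timer path later
 * derives the counter slot from the index alone. */
static enum outcome classify(verify_fn verify, uint32_t index, int dir)
{
    int timer_dir;

    if (verify(index, dir) != 0)
        return REJECTED;
    if (index == 0)                 /* no user-supplied index to validate */
        return CONSISTENT;
    timer_dir = id2dir_model(index);
    if (timer_dir >= POLICY_COUNT_SLOTS)
        return OUT_OF_BOUNDS;       /* policy_count[6] on a 6-element array */
    return timer_dir == dir ? CONSISTENT : WRONG_SLOT;
}

/* Walk every low-3-bit pattern of the index against every valid dir and
 * count accepted pairs whose timer-path slot differs from the linked dir. */
static int count_unsafe(verify_fn verify)
{
    int dir, n = 0;
    uint32_t low;

    for (dir = 0; dir < XFRM_POLICY_MAX; dir++) {
        for (low = 0; low < 8; low++) {
            /* 0x6E6BB0 is the commit's sample index with its low bits cleared */
            enum outcome o = classify(verify, 0x6E6BB0u | low, dir);
            if (o == WRONG_SLOT || o == OUT_OF_BOUNDS)
                n++;
        }
    }
    return n;
}

int main(void)
{
    const uint32_t index = 0x6E6BB6u;   /* value from the commit message */

    printf("index & 3 = %u, index & 7 = %d\n",
           (unsigned)(index & XFRM_POLICY_MAX), id2dir_model(index));
    printf("before fix: outcome %d, unsafe pairs %d\n",
           classify(verify_before_model, index, 2),
           count_unsafe(verify_before_model));
    printf("after fix:  outcome %d, unsafe pairs %d\n",
           classify(verify_after_model, index, 2),
           count_unsafe(verify_after_model));
    return 0;
}
```

Besides the out-of-range case from the report (low bits 110 with dir 2), the model shows that the weaker mask also accepts low bits 100 and 101, which stay inside the array but account the policy to a different slot than the one it was linked under.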
Greg Kroah-Hartman
4dd44f441d This is the 4.14.100 stable release

Merge 4.14.100 into android-4.14

Changes in 4.14.100
	mtd: rawnand: gpmi: fix MX28 bus master lockup problem
	iio: adc: axp288: Fix TS-pin handling
	iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius
	signal: Always notice exiting tasks
	signal: Better detection of synchronous signals
	misc: vexpress: Off by one in vexpress_syscfg_exec()
	samples: mei: use /dev/mei0 instead of /dev/mei
	debugfs: fix debugfs_rename parameter checking
	tracing: uprobes: Fix typo in pr_fmt string
	mips: cm: reprime error cause
	MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
	MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds
	ARM: iop32x/n2100: fix PCI IRQ mapping
	ARM: tango: Improve ARCH_MULTIPLATFORM compatibility
	mac80211: ensure that mgmt tx skbs have tailroom for encryption
	drm/modes: Prevent division by zero htotal
	drm/vmwgfx: Fix setting of dma masks
	drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user
	HID: debug: fix the ring buffer implementation
	Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"
	libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
	xfrm: refine validation of template and selector families
	batman-adv: Avoid WARN on net_device without parent in netns
	batman-adv: Force mac header to start of data on xmit
	perf tests attr: Fix task term values
	perf tests attr: Fix group stat tests
	perf tests attr: Make hw events optional
	uio: Reduce return paths from uio_write()
	uio: Prevent device destruction while fds are open
	uio: use request_threaded_irq instead
	uio: change to use the mutex lock instead of the spin lock
	uio: fix crash after the device is unregistered
	uio: fix wrong return value from uio_mmap()
	uio: fix possible circular locking dependency
	Revert "uio: use request_threaded_irq instead"
	Linux 4.14.100

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-02-15 09:03:06 +01:00
Florian Westphal
bc09fc5d8a xfrm: refine validation of template and selector families
commit 35e6103861a3a970de6c84688c6e7a1f65b164ca upstream.

The check assumes that in transport mode, the first template's family
must match the address family of the policy selector.

Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION,
with ipv4-in-ipv6 chain, leading to the following splat:

BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854
Read of size 4 at addr ffff888063e57aa0 by task a.out/2050
 xfrm_state_find+0x1db/0x1854
 xfrm_tmpl_resolve+0x100/0x1d0
 xfrm_resolve_and_create_bundle+0x108/0x1000 [..]

Problem is that addresses point into flowi4 struct, but xfrm_state_find
treats them as being ipv6 because templ->encap_family is used
(AF_INET6 in case of reproducer) rather than family (AF_INET).

This patch inverts the logic: Enforce 'template family must match
selector' EXCEPT for tunnel and BEET mode.

In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local
address pointers changed to point at the addresses found in the template,
rather than the flowi ones, so no oob read will occur.

Reported-by: 3ntr0py1337@gmail.com
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2019-02-15 08:09:13 +01:00
Benedict Wong
71c835d2a5 UPSTREAM: xfrm: Make set-mark default behavior backward compatible
Fixes 9b42c1f, which changed the default route lookup behavior for
tunnel mode SAs in the outbound direction to use the skb mark, whereas
previously mark=0 was used if the output mark was unspecified. In
mark-based routing schemes such as Android’s, this change in default
behavior causes routing loops or lookup failures.

This patch restores the default behavior of using a 0 mark while still
incorporating the skb mark if the SET_MARK (and SET_MARK_MASK) is
specified.

Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/860150

Fixes: 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking")
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit e2612cd496e7b465711d219ea6118893d7253f52)
Bug: 122236988
Test: Passes kernel tests
Change-Id: I1289b5b7b1eb93c6d99a0ba7d28e24c3eb25883d
Signed-off-by: Benedict Wong <benedictwong@google.com>
2019-02-05 02:47:11 +00:00
Greg Kroah-Hartman
da2880fa47 This is the 4.14.93 stable release

Merge 4.14.93 into android-4.14

Changes in 4.14.93
	pinctrl: meson: fix pull enable register calculation
	powerpc: Fix COFF zImage booting on old powermacs
	powerpc/mm: Fix linux page tables build with some configs
	HID: ite: Add USB id match for another ITE based keyboard rfkill key quirk
	ARM: imx: update the cpu power up timing setting on i.mx6sx
	ARM: dts: imx7d-nitrogen7: Fix the description of the Wifi clock
	Input: restore EV_ABS ABS_RESERVED
	checkstack.pl: fix for aarch64
	xfrm: Fix error return code in xfrm_output_one()
	xfrm: Fix bucket count reported to userspace
	xfrm: Fix NULL pointer dereference in xfrm_input when skb_dst_force clears the dst_entry.
	netfilter: seqadj: re-load tcp header pointer after possible head reallocation
	scsi: bnx2fc: Fix NULL dereference in error handling
	Input: omap-keypad - fix idle configuration to not block SoC idle states
	Input: synaptics - enable RMI on ThinkPad T560
	ibmvnic: Fix non-atomic memory allocation in IRQ context
	ieee802154: ca8210: fix possible u8 overflow in ca8210_rx_done
	x86/mm: Fix guard hole handling
	x86/dump_pagetables: Fix LDT remap address marker
	i40e: fix mac filter delete when setting mac address
	netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel
	netfilter: nat: can't use dst_hold on noref dst
	bnx2x: Clear fip MAC when fcoe offload support is disabled
	bnx2x: Remove configured vlans as part of unload sequence.
	bnx2x: Send update-svid ramrod with retry/poll flags enabled
	scsi: target: iscsi: cxgbit: fix csk leak
	scsi: target: iscsi: cxgbit: add missing spin_lock_init()
	x86, hyperv: remove PCI dependency
	drivers: net: xgene: Remove unnecessary forward declarations
	w90p910_ether: remove incorrect __init annotation
	net: hns: Incorrect offset address used for some registers.
	net: hns: All ports can not work when insmod hns ko after rmmod.
	net: hns: Some registers use wrong address according to the datasheet.
	net: hns: Fixed bug that netdev was opened twice
	net: hns: Clean rx fbd when ae stopped.
	net: hns: Free irq when exit from abnormal branch
	net: hns: Avoid net reset caused by pause frames storm
	net: hns: Fix ntuple-filters status error.
	net: hns: Add mac pcs config when enable|disable mac
	net: hns: Fix ping failed when use net bridge and send multicast
	SUNRPC: Fix a race with XPRT_CONNECTING
	qed: Fix an error code qed_ll2_start_xmit()
	net: macb: fix random memory corruption on RX with 64-bit DMA
	net: macb: fix dropped RX frames due to a race
	lan78xx: Resolve issue with changing MAC address
	vxge: ensure data0 is initialized in when fetching firmware version information
	mac80211: free skb fraglist before freeing the skb
	kbuild: fix false positive warning/error about missing libelf
	virtio: fix test build after uio.h change
	gpio: mvebu: only fail on missing clk if pwm is actually to be used
	Input: synaptics - enable SMBus for HP EliteBook 840 G4
	net: netxen: fix a missing check and an uninitialized use
	qmi_wwan: Fix qmap header retrieval in qmimux_rx_fixup
	serial/sunsu: fix refcount leak
	scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown
	scsi: lpfc: do not set queue->page_count to 0 if pc_sli4_params.wqpcnt is invalid
	genirq/affinity: Don't return with empty affinity masks on error
	tools: fix cross-compile var clobbering
	fork: record start_time late
	zram: fix double free backing device
	hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined
	mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL
	mm, devm_memremap_pages: kill mapping "System RAM" support
	mm, hmm: use devm semantics for hmm_devmem_{add, remove}
	mm, hmm: mark hmm_devmem_{add, add_resource} EXPORT_SYMBOL_GPL
	mm, swap: fix swapoff with KSM pages
	sunrpc: fix cache_head leak due to queued request
	sunrpc: use SVC_NET() in svcauth_gss_* functions
	powerpc: avoid -mno-sched-epilog on GCC 4.9 and newer
	powerpc: Disable -Wbuiltin-requires-header when setjmp is used
	ftrace: Build with CPPFLAGS to get -Qunused-arguments
	md: raid10: remove VLAIS
	kbuild: add -no-integrated-as Clang option unconditionally
	kbuild: consolidate Clang compiler flags
	Makefile: Export clang toolchain variables
	powerpc/boot: Set target when cross-compiling for clang
	raid6/ppc: Fix build for clang
	vhost/vsock: fix uninitialized vhost_vsock->guest_cid
	dm verity: fix crash on bufio buffer that was allocated with vmalloc
	dm zoned: Fix target BIO completion handling
	ALSA: cs46xx: Potential NULL dereference in probe
	ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
	ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
	dlm: fixed memory leaks after failed ls_remove_names allocation
	dlm: possible memory leak on error path in create_lkb()
	dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
	dlm: memory leaks on error path in dlm_user_request()
	gfs2: Get rid of potential double-freeing in gfs2_create_inode
	gfs2: Fix loop in gfs2_rbm_find
	b43: Fix error in cordic routine
	selinux: policydb - fix byte order and alignment issues
	lockd: Show pid of lockd for remote locks
	scripts/kallsyms: filter arm64's __efistub_ symbols
	arm64: drop linker script hack to hide __efistub_ symbols
	arm64: relocatable: fix inconsistencies in linker script and options
	powerpc/tm: Set MSR[TS] just prior to recheckpoint
	9p/net: put a lower bound on msize
	rxe: fix error completion wr_id and qp_num
	iommu/vt-d: Handle domain agaw being less than iommu agaw
	sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f6544b9c
	ceph: don't update importing cap's mseq when handing cap export
	genwqe: Fix size check
	intel_th: msu: Fix an off-by-one in attribute store
	power: supply: olpc_battery: correct the temperature units
	lib: fix build failure in CONFIG_DEBUG_VIRTUAL test
	drm/vc4: Set ->is_yuv to false when num_planes == 1
	bnx2x: Fix NULL pointer dereference in bnx2x_del_all_vlans() on some hw
	tools: power/acpi, revert to LD = gcc
	Linux 4.14.93

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2019-01-13 10:30:02 +01:00
Steffen Klassert
4ddb80f419 xfrm: Fix NULL pointer dereference in xfrm_input when skb_dst_force clears the dst_entry.
[ Upstream commit 0152eee6fc3b84298bb6a79961961734e8afa5b8 ]

Since commit 222d7dbd258d ("net: prevent dst uses after free")
skb_dst_force() might clear the dst_entry attached to the skb.
The xfrm code doesn't expect this to happen, so we crash with
a NULL pointer dereference in this case.

Fix it by checking skb_dst(skb) for NULL after skb_dst_force()
and drop the packet in case the dst_entry was cleared. We also
move the skb_dst_force() to a codepath that is not used when
the transformation was offloaded, because in this case we
don't have a dst_entry attached to the skb.

The output and forwarding path was already fixed by
commit 9e1437937807 ("xfrm: Fix NULL pointer dereference when
skb_dst_force clears the dst_entry.")

Fixes: 222d7dbd258d ("net: prevent dst uses after free")
Reported-by: Jean-Philippe Menil <jpmenil@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-01-13 10:00:57 +01:00
Benjamin Poirier
ed04bb260d xfrm: Fix bucket count reported to userspace
[ Upstream commit ca92e173ab34a4f7fc4128bd372bd96f1af6f507 ]

sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the
hash mask.

Fixes: 28d8909bc790 ("[XFRM]: Export SAD info.")
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-01-13 10:00:57 +01:00
Wei Yongjun
bf2b044bc8 xfrm: Fix error return code in xfrm_output_one()
[ Upstream commit 533555e5cbb6aa2d77598917871ae5b579fe724b ]

xfrm_output_one() does not return an error code when there is
no dst_entry attached to the skb; it is still possible to crash
with a NULL pointer dereference in xfrm_output_resume(). Fix
it by returning error code -EHOSTUNREACH.

Fixes: 9e1437937807 ("xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2019-01-13 10:00:57 +01:00
Greg Kroah-Hartman
4e76528bd4 This is the 4.14.81 stable release

Merge 4.14.81 into android-4.14

Changes in 4.14.81
	mtd: spi-nor: fsl-quadspi: fix read error for flash size larger than 16MB
	spi: bcm-qspi: switch back to reading flash using smaller chunks
	bcache: trace missed reading by cache_missed
	bcache: fix miss key refill->end in writeback
	hwmon: (pmbus) Fix page count auto-detection.
	jffs2: free jffs2_sb_info through jffs2_kill_sb()
	cpufreq: conservative: Take limits changes into account properly
	pcmcia: Implement CLKRUN protocol disabling for Ricoh bridges
	ipmi: Fix timer race with module unload
	parisc: Fix address in HPMC IVA
	parisc: Fix map_pages() to not overwrite existing pte entries
	parisc: Fix exported address of os_hpmc handler
	ALSA: hda - Add quirk for ASUS G751 laptop
	ALSA: hda - Fix headphone pin config for ASUS G751
	ALSA: hda/realtek - Fix the problem of the front MIC on the Lenovo M715
	ALSA: hda - Add mic quirk for the Lenovo G50-30 (17aa:3905)
	ALSA: ca0106: Disable IZD on SB0570 DAC to fix audio pops
	x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
	x86/xen: Fix boot loader version reported for PVH guests
	x86/corruption-check: Fix panic in memory_corruption_check() when boot option without value is provided
	x86/mm/pat: Disable preemption around __flush_tlb_all()
	x86/speculation: Support Enhanced IBRS on future CPUs
	ARM: dts: exynos: Disable pull control for MAX8997 interrupts on Origen
	bpf: do not blindly change rlimit in reuseport net selftest
	Revert "perf tools: Fix PMU term format max value calculation"
	xfrm: policy: use hlist rcu variants on insert
	perf vendor events intel: Fix wrong filter_band* values for uncore events
	sparc: Fix single-pcr perf event counter management.
	sparc: Throttle perf events properly.
	sparc64: Make proc_id signed.
	sched/fair: Fix the min_vruntime update logic in dequeue_entity()
	perf tools: Fix use of alternatives to find JDIR
	perf cpu_map: Align cpu map synthesized events properly.
	x86/fpu: Remove second definition of fpu in __fpu__restore_sig()
	net: qla3xxx: Remove overflowing shift statement
	selftests: ftrace: Add synthetic event syntax testcase
	i2c: rcar: cleanup DMA for all kinds of failure
	locking/lockdep: Fix debug_locks off performance problem
	ataflop: fix error handling during setup
	swim: fix cleanup on setup error
	nfp: devlink port split support for 1x100G CXP NIC
	tun: Consistently configure generic netdev params via rtnetlink
	s390/sthyi: Fix machine name validity indication
	hwmon: (pwm-fan) Set fan speed to 0 on suspend
	lightnvm: pblk: fix two sleep-in-atomic-context bugs
	spi: spi-ep93xx: Use dma_data_direction for ep93xx_spi_dma_{finish,prepare}
	perf tools: Free temporary 'sys' string in read_event_files()
	perf tools: Cleanup trace-event-info 'tdata' leak
	perf strbuf: Match va_{add,copy} with va_end
	cpupower: Fix coredump on VMWare
	mmc: sdhci-pci-o2micro: Add quirk for O2 Micro dev 0x8620 rev 0x01
	iwlwifi: pcie: avoid empty free RB queue
	iwlwifi: mvm: clear HW_RESTART_REQUESTED when stopping the interface
	x86/olpc: Indicate that legacy PC XO-1 platform should not register RTC
	ACPI / processor: Fix the return value of acpi_processor_ids_walk()
	cpufreq: dt: Try freeing static OPPs only if we have added them
	mtd: rawnand: atmel: Fix potential NULL pointer dereference
	signal: Introduce COMPAT_SIGMINSTKSZ for use in compat_sys_sigaltstack
	Bluetooth: btbcm: Add entry for BCM4335C0 UART bluetooth
	x86: boot: Fix EFI stub alignment
	pinctrl: qcom: spmi-mpp: Fix err handling of pmic_mpp_set_mux
	brcmfmac: fix for proper support of 160MHz bandwidth
	net: phy: phylink: ensure the carrier is off when starting phylink
	block, bfq: correctly charge and reset entity service in all cases
	kprobes: Return error if we fail to reuse kprobe instead of BUG_ON()
	ACPI / LPSS: Add alternative ACPI HIDs for Cherry Trail DMA controllers
	pinctrl: qcom: spmi-mpp: Fix drive strength setting
	pinctrl: spmi-mpp: Fix pmic_mpp_config_get() to be compliant
	pinctrl: ssbi-gpio: Fix pm8xxx_pin_config_get() to be compliant
	net: dsa: mv88e6xxx: Fix writing to a PHY page.
	iwlwifi: mvm: fix BAR seq ctrl reporting
	ixgbevf: VF2VF TCP RSS
	ath10k: schedule hardware restart if WMI command times out
	thermal: da9062/61: Prevent hardware access during system suspend
	cgroup, netclassid: add a preemption point to write_classid
	scsi: esp_scsi: Track residual for PIO transfers
	UAPI: ndctl: Fix g++-unsupported initialisation in headers
	KVM: nVMX: Clear reserved bits of #DB exit qualification
	scsi: megaraid_sas: fix a missing-check bug
	RDMA/core: Do not expose unsupported counters
	IB/ipoib: Clear IPCB before icmp_send
	RDMA/bnxt_re: Fix recursive lock warning in debug kernel
	usb: host: ohci-at91: fix request of irq for optional gpio
	PCI: mediatek: Fix mtk_pcie_find_port() endpoint/port matching logic
	tpm: suppress transmit cmd error logs when TPM 1.2 is disabled/deactivated
	Drivers: hv: vmbus: Use cpumask_var_t for on-stack cpu mask
	VMCI: Resource wildcard match fixed
	PCI / ACPI: Enable wake automatically for power managed bridges
	usb: gadget: udc: atmel: handle at91sam9rl PMC
	ext4: fix argument checking in EXT4_IOC_MOVE_EXT
	MD: fix invalid stored role for a disk
	f2fs: fix to recover inode's i_flags during POR
	PCI/MSI: Warn and return error if driver enables MSI/MSI-X twice
	coresight: etb10: Fix handling of perf mode
	PCI: dwc: pci-dra7xx: Enable errata i870 for both EP and RC mode
	crypto: caam - fix implicit casts in endianness helpers
	usb: chipidea: Prevent unbalanced IRQ disable
	driver/dma/ioat: Call del_timer_sync() without holding prep_lock
	uio: ensure class is registered before devices
	scsi: lpfc: Correct soft lockup when running mds diagnostics
	scsi: lpfc: Correct race with abort on completion path
	f2fs: report error if quota off error during umount
	signal: Always deliver the kernel's SIGKILL and SIGSTOP to a pid namespace init
	mfd: menelaus: Fix possible race condition and leak
	dmaengine: dma-jz4780: Return error if not probed from DT
	IB/rxe: fix for duplicate request processing and ack psns
	ALSA: hda: Check the non-cached stream buffers more explicitly
	cpupower: Fix AMD Family 0x17 msr_pstate size
	Revert "f2fs: fix to clear PG_checked flag in set_page_dirty()"
	f2fs: fix to account IO correctly
	ARM: dts: exynos: Remove "cooling-{min|max}-level" for CPU nodes
	arm: dts: exynos: Add missing cooling device properties for CPUs
	ARM: dts: exynos: Convert exynos5250.dtsi to opp-v2 bindings
	ARM: dts: exynos: Mark 1 GHz CPU OPP as suspend OPP on Exynos5250
	xen-swiotlb: use actually allocated size on check physical continuous
	tpm: Restore functionality to xen vtpm driver.
	xen/blkfront: avoid NULL blkfront_info dereference on device removal
	xen/balloon: Support xend-based toolstack
	xen: fix race in xen_qlock_wait()
	xen: make xen_qlock_wait() nestable
	xen/pvh: increase early stack size
	xen/pvh: don't try to unplug emulated devices
	libertas: don't set URB_ZERO_PACKET on IN USB transfer
	usbip:vudc: BUG kmalloc-2048 (Not tainted): Poison overwritten
	usb: gadget: udc: renesas_usb3: Fix b-device mode for "workaround"
	iwlwifi: mvm: check return value of rs_rate_from_ucode_rate()
	net/ipv4: defensive cipso option parsing
	dmaengine: ppc4xx: fix off-by-one build failure
	dmaengine: stm32-dma: fix incomplete configuration in cyclic mode
	libnvdimm: Hold reference on parent while scheduling async init
	libnvdimm, region: Fail badblocks listing for inactive regions
	ASoC: intel: skylake: Add missing break in skl_tplg_get_token()
	IB/mlx5: Fix MR cache initialization
	jbd2: fix use after free in jbd2_log_do_checkpoint()
	gfs2_meta: ->mount() can get NULL dev_name
	ext4: initialize retries variable in ext4_da_write_inline_data_begin()
	ext4: fix setattr project check in fssetxattr ioctl
	ext4: propagate error from dquot_initialize() in EXT4_IOC_FSSETXATTR
	ext4: fix use-after-free race in ext4_remount()'s error path
	HID: hiddev: fix potential Spectre v1
	EDAC, amd64: Add Family 17h, models 10h-2fh support
	EDAC, {i7core,sb,skx}_edac: Fix uncorrected error counting
	EDAC, skx_edac: Fix logical channel intermediate decoding
	ARM: dts: dra7: Fix up unaligned access setting for PCIe EP
	PCI/ASPM: Fix link_state teardown on device removal
	PCI: Add Device IDs for Intel GPU "spurious interrupt" quirk
	PCI: vmd: White list for fast interrupt handlers
	signal/GenWQE: Fix sending of SIGKILL
	signal: Guard against negative signal numbers in copy_siginfo_from_user32
	crypto: lrw - Fix out-of bounds access on counter overflow
	crypto: tcrypt - fix ghash-generic speed test
	mm: /proc/pid/smaps_rollup: fix NULL pointer deref in smaps_pte_range()
	ima: fix showing large 'violations' or 'runtime_measurements_count'
	hugetlbfs: dirty pages as they are added to pagecache
	mm/rmap: map_pte() was not handling private ZONE_DEVICE page properly
	KVM: arm64: Fix caching of host MDCR_EL2 value
	kbuild: fix kernel/bounds.c 'W=1' warning
	iio: ad5064: Fix regulator handling
	iio: adc: imx25-gcq: Fix leak of device_node in mx25_gcq_setup_cfgs()
	iio: adc: at91: fix acking DRDY irq on simple conversions
	iio: adc: at91: fix wrong channel number in triggered buffer mode
	w1: omap-hdq: fix missing bus unregister at removal
	smb3: allow stats which track session and share reconnects to be reset
	smb3: do not attempt cifs operation in smb3 query info error path
	smb3: on kerberos mount if server doesn't specify auth type use krb5
	printk: Fix panic caused by passing log_buf_len to command line
	genirq: Fix race on spurious interrupt detection
	NFSv4.1: Fix the r/wsize checking
	nfs: Fix a missed page unlock after pg_doio()
	nfsd: Fix an Oops in free_session()
	lockd: fix access beyond unterminated strings in prints
	dm ioctl: harden copy_params()'s copy_from_user() from malicious users
	dm zoned: fix metadata block ref counting
	dm zoned: fix various dmz_get_mblock() issues
	powerpc/msi: Fix compile error on mpc83xx
	MIPS: OCTEON: fix out of bounds array access on CN68XX
	iommu/arm-smmu: Ensure that page-table updates are visible before TLBI
	TC: Set DMA masks for devices
	media: v4l2-tpg: fix kernel oops when enabling HFLIP and OSD
	kgdboc: Passing ekgdboc to command line causes panic
	xen: fix xen_qlock_wait()
	xen-blkfront: fix kernel panic with negotiate_mq error path
	media: em28xx: use a default format if TRY_FMT fails
	media: tvp5150: avoid going past array on v4l2_querymenu()
	media: em28xx: fix input name for Terratec AV 350
	media: em28xx: make v4l2-compliance happier by starting sequence on zero
	media: media colorspaces*.rst: rename AdobeRGB to opRGB
	arm64: lse: remove -fcall-used-x0 flag
	rpmsg: smd: fix memory leak on channel create
	Cramfs: fix abad comparison when wrap-arounds occur
	ARM: dts: socfpga: Fix SDRAM node address for Arria10
	arm64: dts: stratix10: Correct System Manager register size
	soc/tegra: pmc: Fix child-node lookup
	selftests/powerpc: Fix ptrace tm failure
	btrfs: qgroup: Avoid calling qgroup functions if qgroup is not enabled
	btrfs: Handle owner mismatch gracefully when walking up tree
	btrfs: locking: Add extra check in btrfs_init_new_buffer() to avoid deadlock
	btrfs: fix error handling in free_log_tree
	btrfs: Enhance btrfs_trim_fs function to handle error better
	btrfs: Ensure btrfs_trim_fs can trim the whole filesystem
	btrfs: iterate all devices during trim, instead of fs_devices::alloc_list
	btrfs: don't attempt to trim devices that don't support it
	btrfs: wait on caching when putting the bg cache
	btrfs: protect space cache inode alloc with GFP_NOFS
	btrfs: reset max_extent_size on clear in a bitmap
	btrfs: make sure we create all new block groups
	Btrfs: fix warning when replaying log after fsync of a tmpfile
	Btrfs: fix wrong dentries after fsync of file that got its parent replaced
	btrfs: qgroup: Dirty all qgroups before rescan
	Btrfs: fix null pointer dereference on compressed write path error
	Btrfs: fix assertion on fsync of regular file when using no-holes feature
	btrfs: set max_extent_size properly
	btrfs: don't use ctl->free_space for max_extent_size
	btrfs: only free reserved extent if we didn't insert it
	btrfs: don't run delayed_iputs in commit
	btrfs: move the dio_sem higher up the callchain
	Btrfs: fix use-after-free during inode eviction
	Btrfs: fix use-after-free when dumping free space
	Btrfs: fix fsync after hole punching when using no-holes feature
	net: sched: Remove TCA_OPTIONS from policy
	bpf: wait for running BPF programs when updating map-in-map
	MD: fix invalid stored role for a disk - try2
	Linux 4.14.81

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-11-14 09:48:19 -08:00
Florian Westphal
11896963b7 xfrm: policy: use hlist rcu variants on insert
[ Upstream commit 9dffff200fd178f11dd50eb1fd8ccd0650c9284e ]

bydst table/list lookups use rcu, so insertions must use rcu versions.

Fixes: a7c44247f704e ("xfrm: policy: make xfrm_policy_lookup_bytype lockless")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-11-13 11:14:50 -08:00
Greg Kroah-Hartman
6c95b90db5 This is the 4.14.79 stable release

Merge 4.14.79 into android-4.14

Changes in 4.14.79
	xfrm: Validate address prefix lengths in the xfrm selector.
	xfrm6: call kfree_skb when skb is toobig
	xfrm: reset transport header back to network header after all input transforms ahave been applied
	xfrm: reset crypto_done when iterating over multiple input xfrms
	mac80211: Always report TX status
	cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
	mac80211: fix pending queue hang due to TX_DROP
	cfg80211: Address some corner cases in scan result channel updating
	mac80211: TDLS: fix skb queue/priority assignment
	mac80211: fix TX status reporting for ieee80211s
	xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.
	ARM: 8799/1: mm: fix pci_ioremap_io() offset check
	xfrm: validate template mode
	netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev
	arm64: hugetlb: Fix handling of young ptes
	ARM: dts: BCM63xx: Fix incorrect interrupt specifiers
	net: macb: Clean 64b dma addresses if they are not detected
	soc: fsl: qbman: qman: avoid allocating from non existing gen_pool
	soc: fsl: qe: Fix copy/paste bug in ucc_get_tdm_sync_shift()
	nl80211: Fix possible Spectre-v1 for NL80211_TXRATE_HT
	mac80211_hwsim: do not omit multicast announce of first added radio
	Bluetooth: SMP: fix crash in unpairing
	pxa168fb: prepare the clock
	qed: Avoid implicit enum conversion in qed_set_tunn_cls_info
	qed: Fix mask parameter in qed_vf_prep_tunn_req_tlv
	qed: Avoid implicit enum conversion in qed_roce_mode_to_flavor
	qed: Avoid constant logical operation warning in qed_vf_pf_acquire
	qed: Avoid implicit enum conversion in qed_iwarp_parse_rx_pkt
	nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds
	asix: Check for supported Wake-on-LAN modes
	ax88179_178a: Check for supported Wake-on-LAN modes
	lan78xx: Check for supported Wake-on-LAN modes
	sr9800: Check for supported Wake-on-LAN modes
	r8152: Check for supported Wake-on-LAN Modes
	smsc75xx: Check for Wake-on-LAN modes
	smsc95xx: Check for Wake-on-LAN modes
	cfg80211: fix use-after-free in reg_process_hint()
	perf/core: Fix perf_pmu_unregister() locking
	perf/ring_buffer: Prevent concurent ring buffer access
	perf/x86/intel/uncore: Fix PCI BDF address of M3UPI on SKX
	perf/x86/amd/uncore: Set ThreadMask and SliceMask for L3 Cache perf events
	net: fec: fix rare tx timeout
	declance: Fix continuation with the adapter identification message
	net: qualcomm: rmnet: Skip processing loopback packets
	locking/ww_mutex: Fix runtime warning in the WW mutex selftest
	be2net: don't flip hw_features when VXLANs are added/deleted
	net: cxgb3_main: fix a missing-check bug
	yam: fix a missing-check bug
	ocfs2: fix crash in ocfs2_duplicate_clusters_by_page()
	iwlwifi: mvm: check for short GI only for OFDM
	iwlwifi: dbg: allow wrt collection before ALIVE
	iwlwifi: fix the ALIVE notification layout
	tools/testing/nvdimm: unit test clear-error commands
	usbip: vhci_hcd: update 'status' file header and format
	scsi: aacraid: address UBSAN warning regression
	IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush
	IB/rxe: put the pool on allocation failure
	s390/qeth: fix error handling in adapter command callbacks
	net/mlx5: Fix mlx5_get_vector_affinity function
	powerpc/pseries: Add empty update_numa_cpu_lookup_table() for NUMA=n
	dm integrity: fail early if required HMAC key is not available
	net: phy: realtek: Use the dummy stubs for MMD register access for rtl8211b
	net: phy: Add general dummy stubs for MMD register access
	net/mlx5e: Refine ets validation function
	scsi: qla2xxx: Avoid double completion of abort command
	kbuild: set no-integrated-as before incl. arch Makefile
	IB/mlx5: Avoid passing an invalid QP type to firmware
	ARM: tegra: Fix ULPI regression on Tegra20
	l2tp: remove configurable payload offset
	cifs: Use ULL suffix for 64-bit constant
	test_bpf: Fix testing with CONFIG_BPF_JIT_ALWAYS_ON=y on other arches
	KVM: x86: Update the exit_qualification access bits while walking an address
	sparc64: Fix regression in pmdp_invalidate().
	tpm: move the delay_msec increment after sleep in tpm_transmit()
	bpf: sockmap, map_release does not hold refcnt for pinned maps
	tpm: tpm_crb: relinquish locality on error path.
	xen-netfront: Update features after registering netdev
	xen-netfront: Fix mismatched rtnl_unlock
	IB/usnic: Update with bug fixes from core code
	mmc: dw_mmc-rockchip: correct property names in debug
	MIPS: Workaround GCC __builtin_unreachable reordering bug
	lan78xx: Don't reset the interface on open
	enic: do not overwrite error code
	iio: buffer: fix the function signature to match implementation
	selftests/powerpc: Add ptrace hw breakpoint test
	scsi: ibmvfc: Avoid unnecessary port relogin
	scsi: sd: Remember that READ CAPACITY(16) succeeded
	btrfs: quota: Set rescan progress to (u64)-1 if we hit last leaf
	net: phy: phylink: Don't release NULL GPIO
	x86/paravirt: Fix some warning messages
	net: stmmac: mark PM functions as __maybe_unused
	kconfig: fix the rule of mainmenu_stmt symbol
	libertas: call into generic suspend code before turning off power
	perf tests: Fix indexing when invoking subtests
	compiler.h: Allow arch-specific asm/compiler.h
	ARM: dts: imx53-qsb: disable 1.2GHz OPP
	perf python: Use -Wno-redundant-decls to build with PYTHON=python3
	rxrpc: Don't check RXRPC_CALL_TX_LAST after calling rxrpc_rotate_tx_window()
	rxrpc: Only take the rwind and mtu values from latest ACK
	rxrpc: Fix connection-level abort handling
	net: ena: fix warning in rmmod caused by double iounmap
	net: ena: fix NULL dereference due to untimely napi initialization
	selftests: rtnetlink.sh explicitly requires bash.
	fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
	sch_netem: restore skb->dev after dequeuing from the rbtree
	mtd: spi-nor: Add support for is25wp series chips
	kvm: x86: fix WARN due to uninitialized guest FPU state
	ARM: dts: r8a7790: Correct critical CPU temperature
	media: uvcvideo: Fix driver reference counting
	ALSA: usx2y: Fix invalid stream URBs
	Revert "netfilter: ipv6: nf_defrag: drop skb dst before queueing"
	perf tools: Disable parallelism for 'make clean'
	drm/i915/gvt: fix memory leak of a cmd_entry struct on error exit path
	bridge: do not add port to router list when receives query with source 0.0.0.0
	net: bridge: remove ipv6 zero address check in mcast queries
	ipv6: mcast: fix a use-after-free in inet6_mc_check
	ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called
	llc: set SOCK_RCU_FREE in llc_sap_add_socket()
	net: fec: don't dump RX FIFO register when not available
	net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
	net: sched: gred: pass the right attribute to gred_change_table_def()
	net: socket: fix a missing-check bug
	net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules
	net: udp: fix handling of CHECKSUM_COMPLETE packets
	r8169: fix NAPI handling under high load
	sctp: fix race on sctp_id2asoc
	udp6: fix encap return code for resubmitting
	vhost: Fix Spectre V1 vulnerability
	virtio_net: avoid using netif_tx_disable() for serializing tx routine
	ethtool: fix a privilege escalation bug
	bonding: fix length of actor system
	ip6_tunnel: Fix encapsulation layout
	openvswitch: Fix push/pop ethernet validation
	net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type
	net: sched: Fix for duplicate class dump
	net: drop skb on failure in ip_check_defrag()
	net: fix pskb_trim_rcsum_slow() with odd trim offset
	net/mlx5e: fix csum adjustments caused by RXFCS
	rtnetlink: Disallow FDB configuration for non-Ethernet device
	net: ipmr: fix unresolved entry dumps
	net: bcmgenet: Poll internal PHY for GENETv5
	net/sched: cls_api: add missing validation of netlink attributes
	net/mlx5: Fix build break when CONFIG_SMP=n
	Linux 4.14.79

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-11-08 07:43:01 -08:00
Sean Tranchetti
26c6b9da7a xfrm: validate template mode
[ Upstream commit 32bf94fb5c2ec4ec842152d0e5937cd4bb6738fa ]

XFRM mode parameters passed as part of the user templates
in the IP_XFRM_POLICY are never properly validated. Passing
values other than valid XFRM modes can cause stack-out-of-bounds
reads to occur later in the XFRM processing:

[  140.535608] ================================================================
[  140.543058] BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x17e4/0x1cc4
[  140.550306] Read of size 4 at addr ffffffc0238a7a58 by task repro/5148
[  140.557369]
[  140.558927] Call trace:
[  140.558936] dump_backtrace+0x0/0x388
[  140.558940] show_stack+0x24/0x30
[  140.558946] __dump_stack+0x24/0x2c
[  140.558949] dump_stack+0x8c/0xd0
[  140.558956] print_address_description+0x74/0x234
[  140.558960] kasan_report+0x240/0x264
[  140.558963] __asan_report_load4_noabort+0x2c/0x38
[  140.558967] xfrm_state_find+0x17e4/0x1cc4
[  140.558971] xfrm_resolve_and_create_bundle+0x40c/0x1fb8
[  140.558975] xfrm_lookup+0x238/0x1444
[  140.558977] xfrm_lookup_route+0x48/0x11c
[  140.558984] ip_route_output_flow+0x88/0xc4
[  140.558991] raw_sendmsg+0xa74/0x266c
[  140.558996] inet_sendmsg+0x258/0x3b0
[  140.559002] sock_sendmsg+0xbc/0xec
[  140.559005] SyS_sendto+0x3a8/0x5a8
[  140.559008] el0_svc_naked+0x34/0x38
[  140.559009]
[  140.592245] page dumped because: kasan: bad access detected
[  140.597981] page_owner info is not active (free page?)
[  140.603267]
[  140.653503] ================================================================

Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-11-04 14:52:38 +01:00
Steffen Klassert
73c6f86060 xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.
[ Upstream commit 9e1437937807b0122e8da1ca8765be2adca9aee6 ]

Since commit 222d7dbd258d ("net: prevent dst uses after free")
skb_dst_force() might clear the dst_entry attached to the skb.
The xfrm code doesn't expect this to happen, so we crash with
a NULL pointer dereference in this case. Fix it by checking
skb_dst(skb) for NULL after skb_dst_force() and drop the packet
in case the dst_entry was cleared.

Fixes: 222d7dbd258d ("net: prevent dst uses after free")
Reported-by: Tobias Hommel <netdev-list@genoetigt.de>
Reported-by: Kristian Evensen <kristian.evensen@gmail.com>
Reported-by: Wolfgang Walter <linux@stwm.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-11-04 14:52:37 +01:00
Sowmini Varadhan
64f38286c7 xfrm: reset crypto_done when iterating over multiple input xfrms
[ Upstream commit 782710e333a526780d65918d669cb96646983ba2 ]

We only support one offloaded xfrm (we do not have devices that
can handle more than one offload), so reset crypto_done in
xfrm_input() when iterating over multiple transforms in xfrm_input,
so that we can invoke the appropriate x->type->input for the
non-offloaded transforms.

Fixes: d77e38e612a0 ("xfrm: Add an IPsec hardware offloading API")
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-11-04 14:52:37 +01:00
Steffen Klassert
3b5d512831 xfrm: Validate address prefix lengths in the xfrm selector.
[ Upstream commit 07bf7908950a8b14e81aa1807e3c667eab39287a ]

We don't validate the address prefix lengths in the xfrm
selector we got from userspace. This can lead to undefined
behaviour in the address matching functions if the prefix
is too big for the given address family. Fix this by checking
the prefixes and refusing SA/policy insertion when a prefix
is invalid.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Air Icy <icytxw@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-11-04 14:52:37 +01:00
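
The two validation fixes logged above ("xfrm: validate template mode" and "xfrm: Validate address prefix lengths in the xfrm selector.") follow one pattern: every field copied from userspace is range-checked once, at insertion, before any later code uses it as a bound. The block below is an added user-space C model of that pattern, not the upstream patches or kernel code; the type and function names, the rejection of families other than IPv4/IPv6, and the sample addresses are assumptions made for the example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>  /* AF_INET, AF_INET6 */

/* User-space model only: these names are hypothetical, chosen for this
 * example; they are not the kernel's definitions. */
enum model_mode {
    MODE_TRANSPORT, MODE_TUNNEL, MODE_ROUTEOPTIMIZATION,
    MODE_IN_TRIGGER, MODE_BEET,
    MODE_MAX                /* first invalid value */
};

struct model_policy {
    uint16_t family;        /* address family of the selector */
    uint8_t  prefixlen_d;   /* destination prefix length, from userspace */
    uint8_t  prefixlen_s;   /* source prefix length, from userspace */
    uint8_t  mode;          /* template mode, from userspace */
};

/* Largest prefix that fits an address of this family, or -1 if the model
 * does not handle the family. */
static int max_prefixlen(uint16_t family)
{
    switch (family) {
    case AF_INET:  return 32;
    case AF_INET6: return 128;
    default:       return -1;
    }
}

/* Gate run once at insertion time: 0 if every untrusted field is in range,
 * a negative errno otherwise. The matching code below relies on it. */
int validate_policy(const struct model_policy *p)
{
    int max = max_prefixlen(p->family);

    if (max < 0)
        return -EAFNOSUPPORT;   /* model's choice: only IPv4/IPv6 accepted */
    if (p->prefixlen_d > max || p->prefixlen_s > max)
        return -EINVAL;
    if (p->mode >= MODE_MAX)
        return -EINVAL;
    return 0;
}

/* Compare the first prefixlen bits of two network-order addresses.
 * Precondition: prefixlen <= 8 * (address size in bytes). Without the gate
 * above, prefixlen = 200 would make memcmp() read 25 bytes from a 16-byte
 * IPv6 address, and any prefix above 32 would overrun an IPv4 address. */
bool prefix_match(const uint8_t *a, const uint8_t *b, uint8_t prefixlen)
{
    size_t full = prefixlen / 8;    /* whole bytes covered by the prefix */
    unsigned rem = prefixlen % 8;   /* leftover bits in the next byte */
    uint8_t mask;

    if (memcmp(a, b, full) != 0)
        return false;
    if (rem == 0)
        return true;
    mask = (uint8_t)(0xFFu << (8 - rem));
    return ((a[full] ^ b[full]) & mask) == 0;
}

/* Constructed sample data (documentation range 192.0.2.0/24). */
static const uint8_t NET_A[4]  = {192, 0, 2, 0};
static const uint8_t HOST_A[4] = {192, 0, 2, 77};
static const uint8_t HOST_B[4] = {192, 0, 3, 1};

static const struct model_policy SAMPLE_GOOD       = {AF_INET, 24, 32, MODE_TUNNEL};
static const struct model_policy SAMPLE_BAD_PREFIX = {AF_INET, 33, 0, MODE_TUNNEL};
static const struct model_policy SAMPLE_BAD_V6     = {AF_INET6, 64, 129, MODE_BEET};
static const struct model_policy SAMPLE_BAD_MODE   = {AF_INET6, 64, 128, 200};

int main(void)
{
    const struct model_policy *samples[] = {
        &SAMPLE_GOOD, &SAMPLE_BAD_PREFIX, &SAMPLE_BAD_V6, &SAMPLE_BAD_MODE
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        const struct model_policy *p = samples[i];
        int rc = validate_policy(p);

        printf("family=%u d=%u s=%u mode=%u -> %s\n",
               (unsigned)p->family, (unsigned)p->prefixlen_d,
               (unsigned)p->prefixlen_s, (unsigned)p->mode,
               rc == 0 ? "accepted" : strerror(-rc));
    }

    /* Matching is only reached for policies that passed the gate. */
    if (validate_policy(&SAMPLE_GOOD) == 0) {
        printf("HOST_A in NET_A/24: %d\n",
               prefix_match(NET_A, HOST_A, SAMPLE_GOOD.prefixlen_d));
        printf("HOST_B in NET_A/24: %d\n",
               prefix_match(NET_A, HOST_B, SAMPLE_GOOD.prefixlen_d));
    }
    return 0;
}
```
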
Greg Kroah-Hartman
5efa57938b This is the 4.14.72 stable release

Merge 4.14.72 into android-4.14

Changes in 4.14.72
	be2net: Fix memory leak in be_cmd_get_profile_config()
	net/mlx5: Fix use-after-free in self-healing flow
	net: qca_spi: Fix race condition in spi transfers
	rds: fix two RCU related problems
	net/mlx5: Check for error in mlx5_attach_interface
	net/mlx5: Fix debugfs cleanup in the device init/remove flow
	net/mlx5: E-Switch, Fix memory leak when creating switchdev mode FDB tables
	net/tls: Set count of SG entries if sk_alloc_sg returns -ENOSPC
	erspan: fix error handling for erspan tunnel
	erspan: return PACKET_REJECT when the appropriate tunnel is not found
	tcp: really ignore MSG_ZEROCOPY if no SO_ZEROCOPY
	hv/netvsc: Fix NULL dereference at single queue mode fallback
	usb: dwc3: change stream event enable bit back to 13
	iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
	iommu/io-pgtable-arm-v7s: Abort allocation when table address overflows the PTE
	ALSA: msnd: Fix the default sample sizes
	ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
	xfrm: fix 'passing zero to ERR_PTR()' warning
	amd-xgbe: use dma_mapping_error to check map errors
	gfs2: Special-case rindex for gfs2_grow
	clk: imx6ul: fix missing of_node_put()
	clk: core: Potentially free connection id
	clk: clk-fixed-factor: Clear OF_POPULATED flag in case of failure
	kbuild: add .DELETE_ON_ERROR special target
	media: tw686x: Fix oops on buffer alloc failure
	dmaengine: pl330: fix irq race with terminate_all
	MIPS: ath79: fix system restart
	media: videobuf2-core: check for q->error in vb2_core_qbuf()
	IB/rxe: Drop QP0 silently
	block: allow max_discard_segments to be stacked
	IB/ipoib: Fix error return code in ipoib_dev_init()
	mtd/maps: fix solutionengine.c printk format warnings
	media: ov5645: Supported external clock is 24MHz
	perf test: Fix subtest number when showing results
	gfs2: Don't reject a supposedly full bitmap if we have blocks reserved
	perf tools: Synthesize GROUP_DESC feature in pipe mode
	fbdev: omapfb: off by one in omapfb_register_client()
	perf tools: Fix struct comm_str removal crash
	video: goldfishfb: fix memory leak on driver remove
	fbdev/via: fix defined but not used warning
	perf powerpc: Fix callchain ip filtering when return address is in a register
	video: fbdev: pxafb: clear allocated memory for video modes
	fbdev: Distinguish between interlaced and progressive modes
	ARM: exynos: Clear global variable on init error path
	perf powerpc: Fix callchain ip filtering
	nvme-rdma: unquiesce queues when deleting the controller
	KVM: arm/arm64: vgic: Fix possible spectre-v1 write in vgic_mmio_write_apr()
	powerpc/powernv: opal_put_chars partial write fix
	staging: bcm2835-camera: fix timeout handling in wait_for_completion_timeout
	staging: bcm2835-camera: handle wait_for_completion_timeout return properly
	ASoC: rt5514: Fix the issue of the delay volume applied
	MIPS: jz4740: Bump zload address
	mac80211: restrict delayed tailroom needed decrement
	Smack: Fix handling of IPv4 traffic received by PF_INET6 sockets
	wan/fsl_ucc_hdlc: use IS_ERR_VALUE() to check return value of qe_muram_alloc
	arm64: fix possible spectre-v1 write in ptrace_hbp_set_event()
	reset: imx7: Fix always writing bits as 0
	efi/arm: preserve early mapping of UEFI memory map longer for BGRT
	nfp: avoid buffer leak when FW communication fails
	xen-netfront: fix queue name setting
	arm64: dts: qcom: db410c: Fix Bluetooth LED trigger
	ARM: dts: qcom: msm8974-hammerhead: increase load on l20 for sdhci
	s390/qeth: fix race in used-buffer accounting
	s390/qeth: reset layer2 attribute on layer switch
	platform/x86: toshiba_acpi: Fix defined but not used build warnings
	KVM: arm/arm64: Fix vgic init race
	drivers/base: stop new probing during shutdown
	i2c: aspeed: Fix initial values of master and slave state
	dmaengine: mv_xor_v2: kill the tasklets upon exit
	crypto: sharah - Unregister correct algorithms for SAHARA 3
	x86/pti: Check the return value of pti_user_pagetable_walk_p4d()
	x86/pti: Check the return value of pti_user_pagetable_walk_pmd()
	x86/mm/pti: Add an overflow check to pti_clone_pmds()
	xen-netfront: fix warn message as irq device name has '/'
	RDMA/cma: Protect cma dev list with lock
	pstore: Fix incorrect persistent ram buffer mapping
	xen/netfront: fix waiting for xenbus state change
	IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
	s390/crypto: Fix return code checking in cbc_paes_crypt()
	mmc: omap_hsmmc: fix wakeirq handling on removal
	ipmi: Fix I2C client removal in the SSIF driver
	Tools: hv: Fix a bug in the key delete code
	misc: hmc6352: fix potential Spectre v1
	xhci: Fix use after free for URB cancellation on a reallocated endpoint
	usb: Don't die twice if PCI xhci host is not responding in resume
	mei: ignore not found client in the enumeration
	mei: bus: need to unlink client before freeing
	USB: Add quirk to support DJI CineSSD
	usb: uas: add support for more quirk flags
	usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
	usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()
	USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller
	usb: gadget: udc: renesas_usb3: fix maxpacket size of ep0
	USB: net2280: Fix erroneous synchronization change
	USB: serial: io_ti: fix array underflow in completion handler
	usb: misc: uss720: Fix two sleep-in-atomic-context bugs
	USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
	USB: yurex: Fix buffer over-read in yurex_write()
	usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()
	Revert "cdc-acm: implement put_char() and flush_chars()"
	cifs: prevent integer overflow in nxt_dir_entry()
	CIFS: fix wrapping bugs in num_entries()
	xtensa: ISS: don't allocate memory in platform_setup
	perf/core: Force USER_DS when recording user stack data
	x86/EISA: Don't probe EISA bus for Xen PV guests
	NFSv4.1 fix infinite loop on I/O.
	binfmt_elf: Respect error return from `regset->active'
	net/mlx5: Add missing SET_DRIVER_VERSION command translation
	arm64: dts: uniphier: Add missing cooling device properties for CPUs
	audit: fix use-after-free in audit_add_watch
	mtdchar: fix overflows in adjustment of `count`
	vfs: fix freeze protection in mnt_want_write_file() for overlayfs
	Bluetooth: Use lock_sock_nested in bt_accept_enqueue
	evm: Don't deadlock if a crypto algorithm is unavailable
	KVM: PPC: Book3S HV: Add of_node_put() in success path
	security: check for kstrdup() failure in lsm_append()
	MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
	configfs: fix registered group removal
	pinctrl: rza1: Fix selector use for groups and functions
	sched/core: Use smp_mb() in wake_woken_function()
	efi/esrt: Only call efi_mem_reserve() for boot services memory
	ARM: hisi: handle of_iomap and fix missing of_node_put
	ARM: hisi: fix error handling and missing of_node_put
	ARM: hisi: check of_iomap and fix missing of_node_put
	liquidio: fix hang when re-binding VF host drv after running DPDK VF driver
	gpu: ipu-v3: csi: pass back mbus_code_to_bus_cfg error codes
	tty: fix termios input-speed encoding when using BOTHER
	tty: fix termios input-speed encoding
	mmc: sdhci-of-esdhc: set proper dma mask for ls104x chips
	mmc: tegra: prevent HS200 on Tegra 3
	mmc: sdhci: do not try to use 3.3V signaling if not supported
	drm/nouveau: Fix runtime PM leak in drm_open()
	drm/nouveau/debugfs: Wake up GPU before doing any reclocking
	drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping
	parport: sunbpp: fix error return code
	sched/fair: Fix util_avg of new tasks for asymmetric systems
	coresight: Handle errors in finding input/output ports
	coresight: tpiu: Fix disabling timeouts
	coresight: ETM: Add support for Arm Cortex-A73 and Cortex-A35
	staging: bcm2835-audio: Don't leak workqueue if open fails
	gpio: pxa: Fix potential NULL dereference
	gpiolib: Mark gpio_suffixes array with __maybe_unused
	mfd: 88pm860x-i2c: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
	input: rohm_bu21023: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
	drm/amdkfd: Fix error codes in kfd_get_process
	rtc: bq4802: add error handling for devm_ioremap
	ALSA: pcm: Fix snd_interval_refine first/last with open min/max
	scsi: libfc: fixup 'sleeping function called from invalid context'
	selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress
	drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
	blk-mq: only attempt to merge bio if there is rq in sw queue
	blk-mq: avoid to synchronize rcu inside blk_cleanup_queue()
	pinctrl: msm: Fix msm_config_group_get() to be compliant
	pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant
	clk: tegra: bpmp: Don't crash when a clock fails to register
	mei: bus: type promotion bug in mei_nfc_if_version()
	earlycon: Initialize port->uartclk based on clock-frequency property
	earlycon: Remove hardcoded port->uartclk initialization in of_setup_earlycon
	ASoC: samsung: i2s: Fix error handling path in i2s_set_sysclk()
	ASoC: samsung: Fix invalid argument when devm_gpiod_get is called
	drm/i915: Apply the GTT write flush for all !llc machines
	net/ipv6: prevent use after free in ip6_route_mpath_notify
	e1000e: Remove Other from EIAC
	Partial revert "e1000e: Avoid receiver overrun interrupt bursts"
	e1000e: Fix queue interrupt re-raising in Other interrupt
	e1000e: Avoid missed interrupts following ICR read
	Revert "e1000e: Separate signaling for link check/link up"
	e1000e: Fix link check race condition
	e1000e: Fix check_for_link return value with autoneg off
	Linux 4.14.72

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-09-26 08:42:37 +02:00
YueHaibing
318f224d12 xfrm: fix 'passing zero to ERR_PTR()' warning
[ Upstream commit 934ffce1343f22ed5e2d0bd6da4440f4848074de ]

Fix a static code checker warning:

  net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR'

xfrm_tmpl_resolve returning 0 just means no xdst was found, so return NULL
instead of passing zero to ERR_PTR.

Fixes: d809ec895505 ("xfrm: do not assume that template resolving always returns xfrms")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-26 08:37:59 +02:00
Greg Kroah-Hartman
6fff4be48e This is the 4.14.68 stable release

Merge 4.14.68 into android-4.14

Changes in 4.14.68
	crypto: vmx - Use skcipher for ctr fallback
	vti6: fix PMTU caching and reporting on xmit
	xfrm: fix missing dst_release() after policy blocking lbcast and multicast
	xfrm: free skb if nlsk pointer is NULL
	esp6: fix memleak on error path in esp6_input
	mac80211: add stations tied to AP_VLANs during hw reconfig
	ext4: clear mmp sequence number when remounting read-only
	nl80211: Add a missing break in parse_station_flags
	drm/bridge: adv7511: Reset registers on hotplug
	scsi: target: iscsi: cxgbit: fix max iso npdu calculation
	scsi: libiscsi: fix possible NULL pointer dereference in case of TMF
	drm/imx: imx-ldb: disable LDB on driver bind
	drm/imx: imx-ldb: check if channel is enabled before printing warning
	nbd: don't requeue the same request twice.
	nbd: handle unexpected replies better
	usb: gadget: r8a66597: Fix two possible sleep-in-atomic-context bugs in init_controller()
	usb: gadget: r8a66597: Fix a possible sleep-in-atomic-context bugs in r8a66597_queue()
	usb: gadget: f_uac2: fix error handling in afunc_bind (again)
	usb: gadget: u_audio: fix pcm/card naming in g_audio_setup()
	usb: gadget: u_audio: update hw_ptr in iso_complete after data copied
	usb: gadget: u_audio: remove caching of stream buffer parameters
	usb: gadget: u_audio: remove cached period bytes value
	usb: gadget: u_audio: protect stream runtime fields with stream spinlock
	usb/phy: fix PPC64 build errors in phy-fsl-usb.c
	tools: usb: ffs-test: Fix build on big endian systems
	usb: gadget: f_uac2: fix endianness of 'struct cntrl_*_lay3'
	netfilter: nft_set_hash: add rcu_barrier() in the nft_rhash_destroy()
	bpf, ppc64: fix unexpected r0=0 exit path inside bpf_xadd
	netfilter: nf_tables: fix memory leaks on chain rename
	netfilter: nf_tables: don't allow to rename to already-pending name
	KVM: vmx: use local variable for current_vmptr when emulating VMPTRST
	tools/power turbostat: fix -S on UP systems
	net: caif: Add a missing rcu_read_unlock() in caif_flow_cb
	qed: Fix link flap issue due to mismatching EEE capabilities.
	qed: Fix possible race for the link state value.
	qed: Correct Multicast API to reflect existence of 256 approximate buckets.
	atl1c: reserve min skb headroom
	net: prevent ISA drivers from building on PPC32
	can: mpc5xxx_can: check of_iomap return before use
	can: m_can: Move accessing of message ram to after clocks are enabled
	i2c: davinci: Avoid zero value of CLKH
	perf/x86/amd/ibs: Don't access non-started event
	media: staging: omap4iss: Include asm/cacheflush.h after generic includes
	bnx2x: Fix invalid memory access in rss hash config path.
	qmi_wwan: fix interface number for DW5821e production firmware
	net: axienet: Fix double deregister of mdio
	locking/rtmutex: Allow specifying a subclass for nested locking
	i2c/mux, locking/core: Annotate the nested rt_mutex usage
	sched/rt: Restore rt_runtime after disabling RT_RUNTIME_SHARE
	x86/boot: Fix if_changed build flip/flop bug
	fscache: Allow cancelled operations to be enqueued
	cachefiles: Fix refcounting bug in backing-file read monitoring
	cachefiles: Wait rather than BUG'ing on "Unexpected object collision"
	selftests/ftrace: Add snapshot and tracing_on test case
	hinic: Link the logical network device to the pci device in sysfs
	ipc/sem.c: prevent queue.status tearing in semop
	zswap: re-check zswap_is_full() after do zswap_shrink()
	tools/power turbostat: Read extended processor family from CPUID
	Revert "MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum"
	ARC: dma [non-IOC] setup SMP_CACHE_BYTES and cache_line_size
	bpf: use GFP_ATOMIC instead of GFP_KERNEL in bpf_parse_prog()
	nfp: flower: fix port metadata conversion bug
	enic: handle mtu change for vf properly
	ARC: [plat-eznps] Add missing struct nps_host_reg_aux_dpc
	arc: [plat-eznps] fix data type errors in platform headers
	arc: [plat-eznps] fix printk warning in arc/plat-eznps/mtm.c
	arc: fix build errors in arc/include/asm/delay.h
	arc: fix type warnings in arc/mm/cache.c
	sparc/time: Add missing __init to init_tick_ops()
	sparc: use asm-generic version of msi.h
	enic: do not call enic_change_mtu in enic_probe
	squashfs metadata 2: electric boogaloo
	mm: delete historical BUG from zap_pmd_range()
	Squashfs: Compute expected length from inode size rather than block length
	drivers: net: lmc: fix case value for target abort error
	memcg: remove memcg_cgroup::id from IDR on mem_cgroup_css_alloc() failure
	gpiolib-acpi: make sure we trigger edge events at least once on boot
	scsi: fcoe: fix use-after-free in fcoe_ctlr_els_send
	scsi: fcoe: drop frames in ELS LOGO error path
	scsi: fcoe: clear FC_RP_STARTED flags when receiving a LOGO
	scsi: vmw_pvscsi: Return DID_RESET for status SAM_STAT_COMMAND_TERMINATED
	mm/memory.c: check return value of ioremap_prot
	mei: don't update offset in write
	cifs: add missing debug entries for kconfig options
	cifs: check kmalloc before use
	smb3: enumerating snapshots was leaving part of the data off end
	smb3: Do not send SMB3 SET_INFO if nothing changed
	smb3: don't request leases in symlink creation and query
	smb3: fill in statfs fsid and correct namelen
	btrfs: use correct compare function of dirty_metadata_bytes
	btrfs: don't leak ret from do_chunk_alloc
	Btrfs: fix btrfs_write_inode vs delayed iput deadlock
	iommu/arm-smmu: Error out only if not enough context interrupts
	printk: Split the code for storing a message into the log buffer
	printk: Create helper function to queue deferred console handling
	printk/nmi: Prevent deadlock when accessing the main log buffer in NMI
	kprobes/arm64: Fix %p uses in error messages
	arm64: mm: check for upper PAGE_SHIFT bits in pfn_valid()
	arm64: dts: rockchip: corrected uart1 clock-names for rk3328
	KVM: arm/arm64: Skip updating PMD entry if no change
	KVM: arm/arm64: Skip updating PTE entry if no change
	s390/kvm: fix deadlock when killed by oom
	stop_machine: Reflow cpu_stop_queue_two_works()
	stop_machine: Atomically queue and wake stopper threads
	ext4: check for NUL characters in extended attribute's name
	ext4: sysfs: print ext4_super_block fields as little-endian
	ext4: reset error code in ext4_find_entry in fallback
	nvme-pci: add a memory barrier to nvme_dbbuf_update_and_check_event
	platform/x86: ideapad-laptop: Apply no_hw_rfkill to Y20-15IKBM, too
	mm: move tlb_table_flush to tlb_flush_mmu_free
	mm/tlb, x86/mm: Support invalidating TLB caches for RCU_TABLE_FREE
	x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
	x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM
	x86/speculation/l1tf: Suggest what to do on systems with too much RAM
	x86/vdso: Fix vDSO build if a retpoline is emitted
	x86/process: Re-export start_thread()
	KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled
	x86/kvm/vmx: Remove duplicate l1d flush definitions
	fuse: Don't access pipe->buffers without pipe_lock()
	fuse: fix initial parallel dirops
	fuse: fix double request_end()
	fuse: fix unlocked access to processing queue
	fuse: umount should wait for all requests
	fuse: Fix oops at process_init_reply()
	fuse: Add missed unlock_page() to fuse_readpages_fill()
	udl-kms: change down_interruptible to down
	udl-kms: handle allocation failure
	udl-kms: fix crash due to uninitialized memory
	udl-kms: avoid division
	b43legacy/leds: Ensure NUL-termination of LED name string
	b43/leds: Ensure NUL-termination of LED name string
	ASoC: dpcm: don't merge format from invalid codec dai
	ASoC: zte: Fix incorrect PCM format bit usages
	ASoC: sirf: Fix potential NULL pointer dereference
	pinctrl: freescale: off by one in imx1_pinconf_group_dbg_show()
	x86/vdso: Fix lsl operand order
	x86/nmi: Fix NMI uaccess race against CR3 switching
	x86/irqflags: Mark native_restore_fl extern inline
	x86/spectre: Add missing family 6 check to microcode check
	x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
	hwmon: (nct6775) Fix potential Spectre v1
	x86/entry/64: Wipe KASAN stack shadow before rewind_stack_do_exit()
	s390/mm: fix addressing exception after suspend/resume
	s390: fix br_r1_trampoline for machines without exrl
	s390/qdio: reset old sbal_state flags
	s390/numa: move initial setup of node_to_cpumask_map
	s390/pci: fix out of bounds access during irq setup
	kprobes/arm: Fix %p uses in error messages
	kprobes: Make list and blacklist root user read only
	MIPS: Correct the 64-bit DSP accumulator register size
	MIPS: Always use -march=<arch>, not -<arch> shortcuts
	MIPS: Change definition of cpu_relax() for Loongson-3
	MIPS: lib: Provide MIPS64r6 __multi3() for GCC < 7
	tpm: Return the actual size when receiving an unsupported command
	scsi: mpt3sas: Fix _transport_smp_handler() error path
	scsi: sysfs: Introduce sysfs_{un,}break_active_protection()
	scsi: core: Avoid that SCSI device removal through sysfs triggers a deadlock
	iscsi target: fix session creation failure handling
	clk: rockchip: fix clk_i2sout parent selection bits on rk3399
	PM / clk: signedness bug in of_pm_clk_add_clks()
	power: generic-adc-battery: fix out-of-bounds write when copying channel properties
	power: generic-adc-battery: check for duplicate properties copied from iio channels
	watchdog: Mark watchdog touch functions as notrace
	cdrom: Fix info leak/OOB read in cdrom_ioctl_drive_status
	gcc-plugins: Add include required by GCC release 8
	gcc-plugins: Use dynamic initializers
	Linux 4.14.68

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-09-05 11:47:26 +02:00
Florian Westphal
0118f86d21 xfrm: free skb if nlsk pointer is NULL
[ Upstream commit 86126b77dcd551ce223e7293bb55854e3df05646 ]

nlmsg_multicast() always frees the skb, so in case we cannot call
it we must do that ourselves.

Fixes: 21ee543edc0dea ("xfrm: fix race between netns cleanup and state expire notification")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-05 09:26:23 +02:00
Tommi Rantala
d35cc7ed2c xfrm: fix missing dst_release() after policy blocking lbcast and multicast
[ Upstream commit 8cc88773855f988d6a3bbf102bbd9dd9c828eb81 ]

Fix missing dst_release() when local broadcast or multicast traffic is
xfrm policy blocked.

For IPv4 this results in a dst leak: ip_route_output_flow() allocates
dst_entry via __ip_route_output_key() and passes it to
xfrm_lookup_route(). xfrm_lookup returns ERR_PTR(-EPERM) that is
propagated. The dst that was allocated is never released.

IPv4 local broadcast testcase:
 ping -b 192.168.1.255 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 192.168.1.255/32 dir out action block

IPv4 multicast testcase:
 ping 224.0.0.1 &
 sleep 1
 ip xfrm policy add src 0.0.0.0/0 dst 224.0.0.1/32 dir out action block

For IPv6 the missing dst_release() causes trouble e.g. when used in netns:
 ip netns add TEST
 ip netns exec TEST ip link set lo up
 ip link add dummy0 type dummy
 ip link set dev dummy0 netns TEST
 ip netns exec TEST ip addr add fd00::1111 dev dummy0
 ip netns exec TEST ip link set dummy0 up
 ip netns exec TEST ping -6 -c 5 ff02::1%dummy0 &
 sleep 1
 ip netns exec TEST ip xfrm policy add src ::/0 dst ff02::1 dir out action block
 wait
 ip netns del TEST

After netns deletion we see:
[  258.239097] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  268.279061] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  278.367018] unregister_netdevice: waiting for lo to become free. Usage count = 2
[  288.375259] unregister_netdevice: waiting for lo to become free. Usage count = 2

Fixes: ac37e2515c1a ("xfrm: release dst_orig in case of error in xfrm_lookup()")
Signed-off-by: Tommi Rantala <tommi.t.rantala@nokia.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-05 09:26:23 +02:00
kbuild test robot
36b4801b9a UPSTREAM: xfrm: fix ptr_ret.cocci warnings
net/xfrm/xfrm_interface.c:692:1-3: WARNING: PTR_ERR_OR_ZERO can be used

 Use PTR_ERR_OR_ZERO rather than if(IS_ERR(...)) + PTR_ERR

Generated by: scripts/coccinelle/api/ptr_ret.cocci

Fixes: 44e2b838c24d ("xfrm: Return detailed errors from xfrmi_newlink")
CC: Benedict Wong <benedictwong@google.com>
Signed-off-by: kbuild test robot <fengguang.wu@intel.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

(cherry picked from commit c6f5e017df9dfa9f6cbe70da008e7d716d726f1b)
Signed-off-by: Benedict Wong <benedictwong@google.com>
Bug: 113046120
Test: All kernel net-tests run, passing (20x repeated)
Change-Id: I4ec93c0427fded57ff5126dc7b3d97d9b5fd615b
2018-09-04 17:54:27 -07:00
Benedict Wong
4a33ca9e01 UPSTREAM: xfrm: Return detailed errors from xfrmi_newlink
Currently all failure modes of xfrm interface creation return EEXIST.
This change improves the granularity of errnos provided by also
returning ENODEV or EINVAL if failures happen in looking up the
underlying interface, or a required parameter is not provided.

This change has been tested against the Android Kernel Networking Tests,
with additional xfrmi_newlink tests here:

https://android-review.googlesource.com/c/kernel/tests/+/715755

Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit 44e2b838c24d883dae8496dc7b6ddac7956ba53c)
Bug: 113046120
Change-Id: Ic680bf1e4a828aaae01b289223d9396a551eefd2
2018-09-04 17:54:27 -07:00
Nathan Harold
ac346daa94 UPSTREAM: xfrm: Allow xfrmi if_id to be updated by UPDSA
Allow attaching an SA to an xfrm interface id after
the creation of the SA, so that tasks such as keying
which must be done as the SA is created, can remain
separate from the decision on how to route traffic
from an SA. This permits SA creation to be decomposed
into three separate steps:
1) allocation of a SPI
2) algorithm and key negotiation
3) insertion into the data path

Signed-off-by: Nathan Harold <nharold@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>

(cherry picked from commit 5baf4f9c0035f3e33bb693a1a1e87599f6e804e6)
Signed-off-by: Benedict Wong <benedictwong@google.com>
Bug: 113046120
Change-Id: I45a4bf725f3b8eaa8dae3266f9c411febb4c8720
2018-09-04 17:54:27 -07:00
Benedict Wong
0e1ddf08e1 UPSTREAM: xfrm: Remove xfrmi interface ID from flowi
In order to remove performance impact of having the extra u32 in every
single flowi, this change removes the flowi_xfrm struct, preferring to
take the if_id as a method parameter where needed.

In the inbound direction, if_id is only needed during the
__xfrm_check_policy() function, and the if_id can be determined at that
point based on the skb. As such, xfrmi_decode_session() is only called
with the skb in __xfrm_check_policy().

In the outbound direction, the only place where if_id is needed is the
xfrm_lookup() call in xfrmi_xmit2(). With this change, the if_id is
directly passed into the xfrm_lookup_with_ifid() call. All existing
callers can still call xfrm_lookup(), which uses a default if_id of 0.

This change does not change any behavior of XFRMIs except for improving
overall system performance via flowi size reduction.

This change has been tested against the Android Kernel Networking Tests:

https://android.googlesource.com/kernel/tests/+/master/net/test

Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit bc56b33404599edc412b91933d74b36873e8ea25)
Bug: 113046120
Change-Id: Icd3a1ea08427b91c54a64318d9dbb9acfb5d429a
2018-09-04 17:54:26 -07:00