mirror of
https://github.com/rd-stuffs/msm-4.14.git
synced 2025-02-20 11:45:48 +08:00
481 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
6d1f178f21 |
This is the 4.14.257 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGwYv4ACgkQONu9yGCS aT4HeQ/8Dn/KYB6zzi6YenfG8JyTdkcIZ4Y1ElurgF5RX9/JUQbw0l5EDWsmG/IN 0JUn7KsT+eStnaI2AUj175K4oZE1l3cZxvPGEOB3ynv9/is+iSyVHARrtR1ITTO3 +YTO6ZXKLUI+oMVo3SHr6dxr6kkT0b0BDgaroaYLgVqknpPQMDQvx35ZG7E2NL4O R6ou66nG/TKTbtn7vBCCoERMcPH6TEYUhi7p+L/+cdQs2/li3JDo/d3/3WGAb0ej 0kXX16VCEghicoE8m2TOA9TAgGs6nF3i6H2ZiCMl4m0gqAcr4IdAxDzD3a5IfUV9 pt1fmz+7DNrWTxv9e5ST5R5poAIoSuuVQfNQDV4MjeDLmh5ujyl/5WUk5rYQQ9vw vRtu5DrSrSNM15jOZnlCQxlcu/1xqRKuixWQbupawhKNN00w6yJKxuQ3oM87AvX+ OX0tp6FdXVoDO2sP1xXp9o7G5DDrQq9Lh5gNen6BaVF00VawM77UjJ+ijwmCUWXf jhfAyDXZEPNRijlwcOq8rtXVb68ZhQ2sT0HVJ22ppx70bglD1FgfvGPYxFf4BIxz g+MsaMUU3rgXxIo7xatAC6NnCPMC8feYINGbf+L/MDgvySf3GU84JOIeM/MDMawe coZQpDreHcYZQtbECpeFVuEA8hTaLCvmxowbG7uVRj1sNvpxxik= =dp5S -----END PGP SIGNATURE----- Merge 4.14.257 into android-4.14-stable Changes in 4.14.257 USB: serial: option: add Telit LE910S1 0x9200 composition USB: serial: option: add Fibocom FM101-GL variants usb: hub: Fix usb enumeration issue due to address0 race usb: hub: Fix locking issues with address0_mutex binder: fix test regression due to sender_euid change ALSA: ctxfi: Fix out-of-range access media: cec: copy sequence field for the reply HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() fuse: fix page stealing xen: don't continue xenstore initialization in case of errors xen: detect uninitialized xenbus in xenbus_init tracing: Fix pid filtering when triggers are attached netfilter: ipvs: Fix reuse connection if RS weight is 0 ARM: dts: BCM5301X: Fix I2C controller interrupt ARM: dts: BCM5301X: Add interrupt properties to GPIO node ASoC: topology: Add missing rwsem around snd_ctl_remove() calls net: ieee802154: handle iftypes as u32 NFSv42: Don't fail clone() unless the OP_CLONE operation failed ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE scsi: mpt3sas: Fix kernel panic during drive powercycle test drm/vc4: fix error code in vc4_create_object() ipv6: fix typos in __ip6_finish_output() net/smc: Ensure the active closing peer first closes clcsock PM: hibernate: use correct mode for swsusp_close() tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48 net/smc: Don't call clcsock shutdown twice when smc shutdown vhost/vsock: fix incorrect used length reported to the guest tracing: Check pid filtering when creating events s390/mm: validate VMA in PGSTE manipulation functions PCI: aardvark: Fix I/O space page leak PCI: aardvark: Fix a leaked reference by adding missing of_node_put() PCI: aardvark: Wait for endpoint to be ready before training link PCI: aardvark: Train link immediately after enabling training PCI: aardvark: Improve link training PCI: aardvark: Issue PERST via GPIO PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros PCI: aardvark: Indicate error in 'val' when config read fails PCI: aardvark: Introduce an advk_pcie_valid_device() helper PCI: aardvark: Don't touch PCIe registers if no card connected PCI: aardvark: Fix compilation on s390 PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link() PCI: aardvark: Update comment about disabling link training PCI: aardvark: Remove PCIe outbound window configuration PCI: aardvark: Configure PCIe resources from 'ranges' DT property PCI: aardvark: Fix PCIe Max Payload Size setting PCI: Add PCI_EXP_LNKCTL2_TLS* macros PCI: aardvark: Fix link training PCI: aardvark: Fix checking for link up via LTSSM state pinctrl: armada-37xx: Correct mpp definitions pinctrl: armada-37xx: add missing pin: PCIe1 Wakeup pinctrl: armada-37xx: Correct PWM pins definitions arm64: dts: marvell: armada-37xx: declare PCIe reset pin arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function hugetlbfs: flush TLBs correctly after huge_pmd_unshare proc/vmcore: fix clearing user buffer by properly using clear_user() NFC: add NCI_UNREG flag to eliminate the race fuse: release pipe buf after last use xen: sync include/xen/interface/io/ring.h with Xen's newest version xen/blkfront: read response from backend only once xen/blkfront: don't take local copy of a request from the ring page xen/blkfront: don't trust the backend response data blindly xen/netfront: read response from backend only once xen/netfront: don't read data from request on the ring page xen/netfront: disentangle tx_skb_freelist xen/netfront: don't trust the backend response data blindly tty: hvc: replace BUG_ON() with negative return value shm: extend forced shm destroy to support objects from several IPC nses ipc: WARN if trying to remove ipc object which is absent NFSv42: Fix pagecache invalidation after COPY/CLONE hugetlb: take PMD sharing into account when flushing tlb/caches net: return correct error code platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep s390/setup: avoid using memblock_enforce_memory_limit btrfs: check-integrity: fix a warning on write caching disabled disk thermal: core: Reset previous low and high trip during thermal zone init scsi: iscsi: Unblock session then wake up error handler ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() perf hist: Fix memory leak of a perf_hpp_fmt vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit kprobes: Limit max data_size of the kretprobe instances sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl fs: add fget_many() and fput_many() fget: check that the fd still exists after getting a ref to it natsemi: xtensa: fix section mismatch warnings net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() net: mpls: Fix notifications when deleting a device siphash: use _unaligned version by default net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available net/rds: correct socket tunable error in rds_tcp_tune() net/smc: Keep smc_close_final rc during active close parisc: Fix KBUILD_IMAGE for self-extracting kernel parisc: Fix "make install" on newer debian releases vgacon: Propagate console boot parameters before calling `vc_resize' xhci: Fix commad ring abort, write all 64 bits to CRCR register. usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect x86/64/mm: Map all kernel memory into trampoline_pgd tty: serial: msm_serial: Deactivate RX DMA for polling support serial: pl011: Add ACPI SBSA UART match id serial: core: fix transmit-buffer reset and memleak parisc: Mark cr16 CPU clocksource unstable on all SMP machines Linux 4.14.257 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3148611f406a61ce3d7ff7dcb56977a114a4f499 |
||
Stefano Garzarella
|
c98267b4fa |
vhost/vsock: fix incorrect used length reported to the guest
commit 49d8c5ffad07ca014cfae72a1b9b8c52b6ad9cb8 upstream.
The "used length" reported by calling vhost_add_used() must be the
number of bytes written by the device (using "in" buffers).
In vhost_vsock_handle_tx_kick() the device only reads the guest
buffers (they are all "out" buffers), without writing anything,
so we must pass 0 as "used length" to comply virtio spec.
Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")
Cc: stable@vger.kernel.org
Reported-by: Halil Pasic <pasic@linux.ibm.com>
Suggested-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://lore.kernel.org/r/20211122163525.294024-2-sgarzare@redhat.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
4b5389d362 |
This is the 4.14.246 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmEx1VQACgkQONu9yGCS aT6OORAAprkznfRjVhDNhLAeVfi1UjhYbo5AhKwb9E/OoO7Q09gz2Qs3OeLVxZyP 66iOeZ27nOBYmLmKMDWoqCrM7GNDLB8xwgmdPZbpoVAEoTRNNMNesma070UXDmMp xqb6hbnc3vpom9BSGxq4A089wDWq66o6zyxxDShgeUH9hvtXjip62RqfkxVskxUg m1fPs7wp4VuXsMxg0GNvAcQFAK6/Se2s2cIb82jBcEd73RZwSoBLdZMI2PsnC0s5 jc9bSB4mUC5eKFBrL9QOy4Rs5/lv2xWNHMZsIo1rb6OdPttoZtZKWuhYLyoGYvyh iLMJDPtXQWkQTfQElK37OIj60MrvvxHBGIab+b1hSuJxXLpjbBPEtKIz/XcQCKNh jpLthL8sXhHkHK5/98Fqnv3mSc0why/9ZntYsGQFevJtg6ltvxTlGnLXe2NiVtAo Zz8eAuMEeeBsddUESKse0yI6oSqMks9sY196Y9r/1u5rQMwZXLwN/GDCBqnMhow3 mQxSHSDt18k0UisutqZv/Lu4o83qcQIFNz0jPSCJmU2kzMJdvxJDHgBg7EmYh9Wk 3VI4YnHpDvXhCJliwenrUPRgRoHy+q/h4U0NXSr2lsX3YGmogGMyNrWePViB/Tk8 W+b0+TH04Vct9N/HuCJPPs/CrlwrBiVbp5t9loDAsYRH86yuHPg= =vwDf -----END PGP SIGNATURE----- Merge 4.14.246 into android-4.14-stable Changes in 4.14.246 ARC: Fix CONFIG_STACKDEPOT can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters Revert "USB: serial: ch341: fix character loss at high transfer rates" USB: serial: option: add new VID/PID to support Fibocom FG150 usb: dwc3: gadget: Fix dwc3_calc_trbs_left() usb: dwc3: gadget: Stop EP0 transfers during pullup disable IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs() e1000e: Fix the max snoop/no-snoop latency for 10M ip_gre: add validation for csum_start xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' net: marvell: fix MVNETA_TX_IN_PRGRS bit number usb: gadget: u_audio: fix race condition on endpoint stop opp: remove WARN when no valid OPPs remain virtio: Improve vq->broken access to avoid any compiler optimization vringh: Use wiov->used to check for read/write desc order drm: Copy drm_wait_vblank to user before returning drm/nouveau/disp: power down unused DP links during init net/rds: dma_map_sg is entitled to merge entries vt_kdsetmode: extend console locking fbmem: add margin check to fb_check_caps() KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs KVM: X86: MMU: Use the correct inherited permissions to get shadow page Revert "floppy: reintroduce O_NDELAY fix" Linux 4.14.246 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I02cf03ba61e0b37e372a63b589af3f0d537485c5 |
||
Neeraj Upadhyay
|
c6cd645292 |
vringh: Use wiov->used to check for read/write desc order
[ Upstream commit e74cfa91f42c50f7f649b0eca46aa049754ccdbd ] As __vringh_iov() traverses a descriptor chain, it populates each descriptor entry into either read or write vring iov and increments that iov's ->used member. So, as we iterate over a descriptor chain, at any point, (riov/wriov)->used value gives the number of descriptor enteries available, which are to be read or written by the device. As all read iovs must precede the write iovs, wiov->used should be zero when we are traversing a read descriptor. Current code checks for wiov->i, to figure out whether any previous entry in the current descriptor chain was a write descriptor. However, iov->i is only incremented, when these vring iovs are consumed, at a later point, and remain 0 in __vringh_iov(). So, correct the check for read and write descriptor order, to use wiov->used. Acked-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Neeraj Upadhyay <neeraju@codeaurora.org> Link: https://lore.kernel.org/r/1624591502-4827-1-git-send-email-neeraju@codeaurora.org Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
34db58ab71 |
Linux 4.14.245
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAmEnj9kACgkQ3qZv95d3
LNwXhA/9F1aMb4K87uxNq1bsKrhv03CA7DjjCprh+7VgH0CF2oygda7i36AHubLh
9C9PoWR1UkJxrngWukb9B+1JGDjHOjUtsaLFzOGZ+LXDubMpRA3hXN1NfgMnIab7
9tsYH7zyKUkOqhW6u0KzVjlDOmVtioWTD/woaFT0SKLKglogmBdA7sXU6XAJ+lJ7
nxUGMqMWsoqV0TfD8OXpBUztQzT/rtIHbfBZhlEEAc3rTZDF4OtX+5btl9dGIzlW
QGcAb2NgoWXttyVQl9qaX2Sw+tzWj6jITnYEEckt6v7cJgK2sud9ZaIPcK8pMN0t
7jbdPfOogggccqunpI398ijjOHfsY7x7lFedPbcEL0rFkpesWmSoKtWr/1MSlTQ0
Jfz1CRXVFFt4jn4+uzjUg1k7lhUH0Wiz//VWdxF9hSwWWGOtbF63fye9ZWmaCTha
YnFdOnKua8BIFJnW8qDNH8iDM41pzhT+t/YnkPH3dEIYoxTvu4GBg9z2p3KXj3SA
vPw53E95WbpkEKHZMX/y8nIo/XHggdK1SkIQNxLsyvu97yfu6QWMc2A+fWcj9r+w
rsOw2fZTA8SfKLqzOszuPFsljH1mWOWFe2S+VB7/F01VwmlqLIPXENNDi+6H5Azr
5lp0zdpJyLxR6auuNTnIdVIGlmIHTQcx+x872L5BusZl6nSHalw=
=Slrl
-----END PGP SIGNATURE-----
Merge 4.14.245 into android-4.14-stable
Changes in 4.14.245
iio: humidity: hdc100x: Add margin to the conversion time
iio: adc: Fix incorrect exit of for-loop
ASoC: intel: atom: Fix reference to PCM buffer address
i2c: dev: zero out array used for i2c reads from userspace
ACPI: NFIT: Fix support for virtual SPA ranges
ASoC: cs42l42: Correct definition of ADC Volume control
ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
ASoC: cs42l42: Fix inversion of ADC Notch Switch control
ASoC: cs42l42: Remove duplicate control for WNF filter frequency
net: dsa: mt7530: add the missing RxUnicast MIB counter
ppp: Fix generating ifname when empty IFLA_IFNAME is specified
psample: Add a fwd declaration for skbuff
net: Fix memory leak in ieee802154_raw_deliver
net: bridge: fix memleak in br_add_if()
tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets
xen/events: Fix race in set_evtchn_to_irq
vsock/virtio: avoid potential deadlock when vsock device remove
powerpc/kprobes: Fix kprobe Oops happens in booke
x86/tools: Fix objdump version check again
x86/resctrl: Fix default monitoring groups reporting
PCI/MSI: Enable and mask MSI-X early
PCI/MSI: Do not set invalid bits in MSI mask
PCI/MSI: Correct misleading comments
PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown()
PCI/MSI: Protect msi_desc::masked for multi-MSI
PCI/MSI: Mask all unused MSI-X entries
PCI/MSI: Enforce that MSI-X table entry is masked for update
PCI/MSI: Enforce MSI[X] entry updates to be visible
vmlinux.lds.h: Handle clang's module.{c,d}tor sections
mac80211: drop data frames without key on encrypted links
KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)
KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
x86/fpu: Make init_fpstate correct with optimized XSAVE
ath: Use safer key clearing with key cache entries
ath9k: Clear key cache explicitly on disabling hardware
ath: Export ath_hw_keysetmac()
ath: Modify ath_key_delete() to not need full key entry
ath9k: Postpone key cache entry deletion for TXQ frames reference it
dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe()
ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218
dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available
scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry()
scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach()
scsi: core: Avoid printing an error if target_alloc() returns -ENXIO
ARM: dts: nomadik: Fix up interrupt controller node names
net: usb: lan78xx: don't modify phy_device state concurrently
Bluetooth: hidp: use correct wait queue when removing ctrl_wait
dccp: add do-while-0 stubs for dccp_pr_debug macros
vhost: Fix the calculation in vhost_overflow()
bnxt: don't lock the tx queue from napi poll
net: 6pack: fix slab-out-of-bounds in decode_data
ptp_pch: Restore dependency on PCI
net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32
net: mdio-mux: Don't ignore memory allocation errors
net: mdio-mux: Handle -EPROBE_DEFER correctly
mmc: dw_mmc: Fix hang on data CRC error
ALSA: hda - fix the 'Capture Switch' value change notifications
ipack: tpci200: fix many double free issues in tpci200_pci_probe
btrfs: prevent rename2 from exchanging a subvol with a directory from different parents
ASoC: intel: atom: Fix breakage for PCM buffer address setup
locks: print a warning when mount fails due to lack of "mand" support
fs: warn about impending deprecation of mandatory locks
netfilter: nft_exthdr: fix endianness of tcp option cast
Linux 4.14.245
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I92a7f927b514f4164425c9ce9b30011ca7b3710f
|
||
Xie Yongji
|
152962a7dc |
vhost: Fix the calculation in vhost_overflow()
[ Upstream commit f7ad318ea0ad58ebe0e595e59aed270bb643b29b ]
This fixes the incorrect calculation for integer overflow
when the last address of iova range is 0xffffffff.
Fixes: ec33d031a14b ("vhost: detect 32 bit integer wrap around")
Reported-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Xie Yongji <xieyongji@bytedance.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20210728130756.97-2-xieyongji@bytedance.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
843d2d2be3 |
This is the 4.14.229 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBtjckACgkQONu9yGCS aT7M8BAAo00BlCe5d1PiDucCEjSchANvXXgDTCgtbXXo43ce3lTAtDqkOb9G6Xsz 0+xwQI+eoGYZgN4wgS8qh7OsuZ5qNwvgvYLW1PEoch7x7XQnYjcQs28k9mVPEtK4 R4MhfLmdZrUB6Qmh+wnTRKu+l9SuWhNrSWVkSW6+O50Q4T7fqMT1oMtoudBwidM6 p2V3mE9Ab7oVhxY2VNQnq3Dx5ofDi41F1aKm9qsqRMpno+JVxACSEmboLjARuole eJ3iadiF8m3Kcb0XhnVTaexizvZMONTkC8KmU0n4245GyiCDmoND3XRJElJICwTJ bw9Y6RM7WKHUmnCJABZE+AK/3315Z8ZjSuKuT4SD6bZpDYc08FKlWGBvOFWxvEOr qcDIOU94MP1s96iOroGKjW4xXbLZyL77ze/RFaXERjjbNjYJxPJlHd+2P3flAYVT YMDv5tnNXW4Nl8nUgTTh3vHsu9KpFlPFvkVNaRdeY3bKRyQ3rbpt/D5pbozeGsXI e3nVz03PydhqxhKhw6x0egDblyyCpjU1z//sksHGsouD8SmsenvnvC0a2iaUMS/N FbNVBp/d958aLCgfc44QQTDblEu4Gv3BMhEt/cud6AELqI5AUmRbK25KF8pDqdLn UqpEl994rFyWVcfMqFCIeXxPqHzHFwG7PFP7ZrAqzoBx8OgkyMA= =NnsJ -----END PGP SIGNATURE----- Merge 4.14.229 into android-4.14-stable Changes in 4.14.229 selinux: vsock: Set SID for socket returned by accept() ipv6: weaken the v4mapped source check ext4: fix bh ref count on error paths rpc: fix NULL dereference on kmalloc failure ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe ASoC: es8316: Simplify adc_pga_gain_tlv table ASoC: cs42l42: Fix mixer volume control ASoC: cs42l42: Always wait at least 3ms after reset powerpc: Force inlining of cpu_has_feature() to avoid build failure vhost: Fix vhost_vq_reset() scsi: st: Fix a use after free in st_open() scsi: qla2xxx: Fix broken #endif placement staging: comedi: cb_pcidas: fix request_irq() warn staging: comedi: cb_pcidas64: fix request_irq() warn ASoC: rt5659: Update MCLK rate in set_sysclk() ext4: do not iput inode under running transaction in ext4_rename() brcmfmac: clear EAP/association status bits on linkdown events net: ethernet: aquantia: Handle error cleanup of start on open appletalk: Fix skb allocation size in loopback case net: wan/lmc: unregister device when no matching device is found bpf: Remove MTU check in __bpf_skb_max_len ALSA: usb-audio: Apply sample rate quirk to Logitech Connect ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook tracing: Fix stack trace event size mm: fix race by making init_zero_pfn() early_initcall drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() drm/amdgpu: check alignment on CPU page for bo map reiserfs: update reiserfs_xattrs_initialized() condition mm: memcontrol: fix NR_WRITEBACK leak in memcg and system stats mm: memcg: make sure memory.events is uptodate when waking pollers mem_cgroup: make sure moving_account, move_lock_task and stat_cpu in the same cacheline mm: fix oom_kill event handling mm: writeback: use exact memcg dirty counts pinctrl: rockchip: fix restore error in resume extcon: Add stubs for extcon_register_notifier_all() functions extcon: Fix error handling in extcon_dev_register firewire: nosy: Fix a use-after-free bug in nosy_ioctl() usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem usb: musb: Fix suspend with devices connected for a64 usb: xhci-mtk: fix broken streams issue on 0.96 xHCI cdc-acm: fix BREAK rx code path adding necessary calls USB: cdc-acm: untangle a circular dependency between callback and softint USB: cdc-acm: downgrade message to debug USB: cdc-acm: fix use-after-free after probe failure usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference staging: rtl8192e: Fix incorrect source in memcpy() staging: rtl8192e: Change state information from u16 to u8 drivers: video: fbcon: fix NULL dereference in fbcon_cursor() Linux 4.14.229 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I618bf325d9ef28d168e8799abf2a3d049c224697 |
||
Laurent Vivier
|
9fc708819a |
vhost: Fix vhost_vq_reset()
[ Upstream commit beb691e69f4dec7bfe8b81b509848acfd1f0dbf9 ]
vhost_reset_is_le() is vhost_init_is_le(), and in the case of
cross-endian legacy, vhost_init_is_le() depends on vq->user_be.
vq->user_be is set by vhost_disable_cross_endian().
But in vhost_vq_reset(), we have:
vhost_reset_is_le(vq);
vhost_disable_cross_endian(vq);
And so user_be is used before being set.
To fix that, reverse the lines order as there is no other dependency
between them.
Signed-off-by: Laurent Vivier <lvivier@redhat.com>
Link: https://lore.kernel.org/r/20210312140913.788592-1-lvivier@redhat.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
4316c8a738 |
This is the 4.14.215 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl/98+cACgkQONu9yGCS aT7n5g//a40CH6m++8mX+9rzBaG5ZejYOc6corDvi8Ojj06YbR8Qx7vC6pFSQUfJ oKAaxjczaMrKYPXB5Eu7iyyVV/OgZQnhrkJtJVx4dRojEbHMEoBL/FcxJTzxHu88 K2EqDU9drVp/B+r1tBp/8HdLIfeBKD79zS75TTJKt29n/iIu4MG86Rr3Qie7rmX7 DuvfDRuKUP5GdjgDJhPcOhaqL/BoF2uRbJCunVAoo96cEX8n3OiSdCSjfYNYf0QD UfvlnbNf/kdxO/qrVsohUxDMfcrhCKwcD/WbpCpgKZtzwrhTnO4nhl/p9v2owLB9 lsyNN6BTjO0O/sgGQDwd4W38eyeHTjJFNxPXONKSdz6G2wl6qPLkrJwlza6HU3kF FlRaWxQiZpq4Xint7aa1UVnnZzToNkoAnpBfHQ1wo701n7lRZ5A01H4JgYA+cF9N r/UXkOhfrSH0QdA/Oh9HM++oaj1acDfy7A2ut1HEuE/Gzcw0vrOXzaCZEUWS7GJ0 YC2dij4vzEYDjT2Ko4ydrWAaUD5Jr0htoJAeJga4YZtzyyaVKgRJeVPpnAT7lFkj Td/2McCENz7NKyV2tWIWBiZ78MZSseWGTCVVlSIbWzLvptmqStym8dtaya7J9a9s BNTf9Y0Zgp65La8j3Vm27k76iysdzisJRJilmmdEQscDWrsPXWk= =Q9jA -----END PGP SIGNATURE----- Merge 4.14.215 into android-4.14-stable Changes in 4.14.215 kbuild: don't hardcode depmod path workqueue: Kick a worker based on the actual activation of delayed works scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk ->poweroff() scsi: ide: Do not set the RQF_PREEMPT flag for sense requests lib/genalloc: fix the overflow when size is too big depmod: handle the case of /sbin/depmod without /sbin in PATH ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() ethernet: ucc_geth: set dev->max_mtu to 1518 atm: idt77252: call pci_disable_device() on error path qede: fix offload for IPIP tunnel packets virtio_net: Fix recursive call to cpus_read_lock() net/ncsi: Use real net-device for response handler net: ethernet: Fix memleak in ethoc_probe net-sysfs: take the rtnl lock when storing xps_cpus net: ethernet: ti: cpts: fix ethtool output when no ptp_clock registered ipv4: Ignore ECN bits for fib lookups in fib_compute_spec_dst() net: hns: fix return value check in __lb_other_process() net: hdlc_ppp: Fix issues when mod_timer is called while timer is running CDC-NCM: remove "connected" log message net: usb: qmi_wwan: add Quectel EM160R-GL vhost_net: fix ubuf refcount incorrectly when sendmsg fails net: sched: prevent invalid Scell_log shift count net-sysfs: take the rtnl lock when accessing xps_cpus_map and num_tc net: mvpp2: Fix GoP port 3 Networking Complex Control configurations net: systemport: set dev->max_mtu to UMAC_MAX_MTU_SIZE video: hyperv_fb: Fix the mmap() regression for v5.4.y and older crypto: ecdh - avoid buffer overflow in ecdh_set_secret() usb: gadget: enable super speed plus USB: cdc-acm: blacklist another IR Droid device usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set usb: usbip: vhci_hcd: protect shift size usb: uas: Add PNY USB Portable SSD to unusual_uas USB: serial: iuu_phoenix: fix DMA from stack USB: serial: option: add LongSung M5710 module support USB: serial: option: add Quectel EM160R-GL USB: yurex: fix control-URB timeout handling USB: usblp: fix DMA to stack ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks usb: gadget: select CONFIG_CRC32 usb: gadget: f_uac2: reset wMaxPacketSize usb: gadget: function: printer: Fix a memory leak for interface descriptor USB: gadget: legacy: fix return error code in acm_ms_bind() usb: gadget: Fix spinlock lockup on usb_function_deactivate usb: gadget: configfs: Preserve function ordering after bind failure usb: gadget: configfs: Fix use-after-free issue with udc_name USB: serial: keyspan_pda: remove unused variable x86/mm: Fix leak of pmd ptlock ALSA: hda/conexant: add a new hda codec CX11970 ALSA: hda/realtek - Fix speaker volume control on Lenovo C940 Revert "device property: Keep secondary firmware node secondary by type" netfilter: ipset: fix shift-out-of-bounds in htable_bits() netfilter: xt_RATEEST: reject non-null terminated string from userspace x86/mtrr: Correct the range check before performing MTRR type lookups KVM: x86: fix shift out of bounds reported by UBSAN scsi: target: Fix XCOPY NAA identifier lookup Linux 4.14.215 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4a2050b044f2cecda91e6354513044c6352b97a9 |
||
Yunjian Wang
|
da35ba33e1 |
vhost_net: fix ubuf refcount incorrectly when sendmsg fails
[ Upstream commit 01e31bea7e622f1890c274f4aaaaf8bccd296aa5 ]
Currently the vhost_zerocopy_callback() maybe be called to decrease
the refcount when sendmsg fails in tun. The error handling in vhost
handle_tx_zerocopy() will try to decrease the same refcount again.
This is wrong. To fix this issue, we only call vhost_net_ubuf_put()
when vq->heads[nvq->desc].len == VHOST_DMA_IN_PROGRESS.
Fixes: bab632d69ee4 ("vhost: vhost TX zero-copy support")
Signed-off-by: Yunjian Wang <wangyunjian@huawei.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/1609207308-20544-1-git-send-email-wangyunjian@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
890226def6 |
This is the 4.14.204 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+jzuAACgkQONu9yGCS
aT7HQhAAgdVyTKGg2cRfirxFQ8L4kHNU7Zf0NYSeFwL9lTEaC/f6jHhqzzHln/W8
fN7u7c5KM9P7w6YjemqCeRt4b7jXuUtyx0dvGblXAGaabbUaa34yLshwv4zAW37h
FMPBjORfmI9JIh2EgcWpmECDE6HjeP5b828LL/5FTfcOamhA6XiOFO+0vNRlMRXX
IJY+GwfmcBRb7j7ks9q5At6bigow1UvAc7NXZPCTZRrM/RVK36nOq6aDyhegHtKg
h4UN2NzJcR0ItyBGKiKbeyPOQfWAVzEhvD8gjNLBRt3kb5Uc0z8XWfXhFtQiBEGm
EK4Wb8JOOcQDpUmobG9klT49sgC84qsGzwNgbSIUwyLRYxS66ouDsXf7p4T6vlKY
Msz5sEKLXGJncDPPy3E5wtIzm7Htp8cNBUkrcjjD2mZx8CuDRy7NTKrX2mjdJa5n
zLoW4QeMZAcMYqmfz+Z5edWY3PXflWv69kQhDXEs70rpnNg51OmeqSiJWfUnx+FT
o0UOVsqmUqOQfDsOIY7L2rem7K7HBX14QyYAi6ZaoXzglz1ev5VBI+PgfJtc9uLf
SMoY8K5l215zc3BWTLkLj8sq/QiZ03Jj3QKIpCZyxDiZP2/3Tn7hnprfy0x1JbqE
bX3A8DZfkH7MvW8U42vlxQNHoFYBKUx27BP8yirwkhspLt0oHxo=
=2cR2
-----END PGP SIGNATURE-----
Merge 4.14.204 into android-4.14-stable
Changes in 4.14.204
scripts/setlocalversion: make git describe output more reliable
arm64: link with -z norelro regardless of CONFIG_RELOCATABLE
efivarfs: Replace invalid slashes with exclamation marks in dentries.
gtp: fix an use-before-init in gtp_newlink()
ravb: Fix bit fields checking in ravb_hwtstamp_get()
tipc: fix memory leak caused by tipc_buf_append()
arch/x86/amd/ibs: Fix re-arming IBS Fetch
x86/xen: disable Firmware First mode for correctable memory errors
fuse: fix page dereference after free
p54: avoid accessing the data mapped to streaming DMA
mtd: lpddr: Fix bad logic in print_drs_error
ata: sata_rcar: Fix DMA boundary mask
fscrypt: return -EXDEV for incompatible rename or link into encrypted dir
x86/unwind/orc: Fix inactive tasks with stack pointer in %sp on GCC 10 compiled kernels
mlxsw: core: Fix use-after-free in mlxsw_emad_trans_finish()
futex: Fix incorrect should_fail_futex() handling
powerpc/powernv/smp: Fix spurious DBG() warning
powerpc: select ARCH_WANT_IRQS_OFF_ACTIVATE_MM
sparc64: remove mm_cpumask clearing to fix kthread_use_mm race
f2fs: add trace exit in exception path
f2fs: fix to check segment boundary during SIT page readahead
um: change sigio_spinlock to a mutex
ARM: 8997/2: hw_breakpoint: Handle inexact watchpoint addresses
xfs: fix realtime bitmap/summary file truncation when growing rt volume
video: fbdev: pvr2fb: initialize variables
ath10k: start recovery process when payload length exceeds max htc length for sdio
ath10k: fix VHT NSS calculation when STBC is enabled
drm/brige/megachips: Add checking if ge_b850v3_lvds_init() is working correctly
media: videodev2.h: RGB BT2020 and HSV are always full range
media: platform: Improve queue set up flow for bug fixing
usb: typec: tcpm: During PR_SWAP, source caps should be sent only after tSwapSourceStart
media: tw5864: check status of tw5864_frameinterval_get
mmc: via-sdmmc: Fix data race bug
drm/bridge/synopsys: dsi: add support for non-continuous HS clock
printk: reduce LOG_BUF_SHIFT range for H8300
kgdb: Make "kgdbcon" work properly with "kgdb_earlycon"
cpufreq: sti-cpufreq: add stih418 support
USB: adutux: fix debugging
uio: free uio id after uio file node is freed
arm64/mm: return cpu_all_mask when node is NUMA_NO_NODE
ACPI: Add out of bounds and numa_off protections to pxm_to_node()
drivers/net/wan/hdlc_fr: Correctly handle special skb->protocol values
bus/fsl_mc: Do not rely on caller to provide non NULL mc_io
power: supply: test_power: add missing newlines when printing parameters by sysfs
md/bitmap: md_bitmap_get_counter returns wrong blocks
bnxt_en: Log unknown link speed appropriately.
clk: ti: clockdomain: fix static checker warning
net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid
drivers: watchdog: rdc321x_wdt: Fix race condition bugs
ext4: Detect already used quota file early
gfs2: add validation checks for size of superblock
arm64: dts: renesas: ulcb: add full-pwr-cycle-in-suspend into eMMC nodes
memory: emif: Remove bogus debugfs error handling
ARM: dts: s5pv210: remove DMA controller bus node name to fix dtschema warnings
ARM: dts: s5pv210: move PMU node out of clock controller
ARM: dts: s5pv210: remove dedicated 'audio-subsystem' node
nbd: make the config put is called before the notifying the waiter
sgl_alloc_order: fix memory leak
nvme-rdma: fix crash when connect rejected
md/raid5: fix oops during stripe resizing
perf/x86/amd/ibs: Don't include randomized bits in get_ibs_op_count()
perf/x86/amd/ibs: Fix raw sample data accumulation
leds: bcm6328, bcm6358: use devres LED registering function
fs: Don't invalidate page buffers in block_write_full_page()
NFS: fix nfs_path in case of a rename retry
ACPI / extlog: Check for RDMSR failure
ACPI: video: use ACPI backlight for HP 635 Notebook
ACPI: debug: don't allow debugging when ACPI is disabled
acpi-cpufreq: Honor _PSD table setting on new AMD CPUs
w1: mxc_w1: Fix timeout resolution problem leading to bus error
scsi: mptfusion: Fix null pointer dereferences in mptscsih_remove()
btrfs: reschedule if necessary when logging directory items
btrfs: send, recompute reference path after orphanization of a directory
btrfs: use kvzalloc() to allocate clone_roots in btrfs_ioctl_send()
btrfs: cleanup cow block on error
btrfs: fix use-after-free on readahead extent after failure to create it
usb: dwc3: ep0: Fix ZLP for OUT ep0 requests
usb: dwc3: core: add phy cleanup for probe error handling
usb: dwc3: core: don't trigger runtime pm when remove driver
usb: cdc-acm: fix cooldown mechanism
usb: host: fsl-mph-dr-of: check return of dma_set_mask()
drm/i915: Force VT'd workarounds when running as a guest OS
vt: keyboard, simplify vt_kdgkbsent
vt: keyboard, extend func_buf_lock to readers
dmaengine: dma-jz4780: Fix race in jz4780_dma_tx_status
iio:light:si1145: Fix timestamp alignment and prevent data leak.
iio:adc:ti-adc0832 Fix alignment issue with timestamp
iio:adc:ti-adc12138 Fix alignment issue with timestamp
iio:gyro:itg3200: Fix timestamp alignment and prevent data leak.
s390/stp: add locking to sysfs functions
powerpc/rtas: Restrict RTAS requests from userspace
powerpc: Warn about use of smt_snooze_delay
powerpc/powernv/elog: Fix race while processing OPAL error log event.
NFSv4.2: support EXCHGID4_FLAG_SUPP_FENCE_OPS 4.2 EXCHANGE_ID flag
NFSD: Add missing NFSv2 .pc_func methods
ubifs: dent: Fix some potential memory leaks while iterating entries
perf python scripting: Fix printable strings in python3 scripts
ubi: check kthread_should_stop() after the setting of task state
ia64: fix build error with !COREDUMP
drm/amdgpu: don't map BO in reserved region
ceph: promote to unsigned long long before shifting
libceph: clear con->out_msg on Policy::stateful_server faults
9P: Cast to loff_t before multiplying
ring-buffer: Return 0 on success from ring_buffer_resize()
vringh: fix __vringh_iov() when riov and wiov are different
ext4: fix leaking sysfs kobject after failed mount
ext4: fix error handling code in add_new_gdb
ext4: fix invalid inode checksum
drm/ttm: fix eviction valuable range check.
rtc: rx8010: don't modify the global rtc ops
tty: make FONTX ioctl use the tty pointer they were actually passed
arm64: berlin: Select DW_APB_TIMER_OF
cachefiles: Handle readpage error correctly
hil/parisc: Disable HIL driver when it gets stuck
arm: dts: mt7623: add missing pause for switchport
ARM: samsung: fix PM debug build with DEBUG_LL but !MMU
ARM: s3c24xx: fix missing system reset
device property: Keep secondary firmware node secondary by type
device property: Don't clear secondary pointer for shared primary firmware node
KVM: arm64: Fix AArch32 handling of DBGD{CCINT,SCRext} and DBGVCR
staging: comedi: cb_pcidas: Allow 2-channel commands for AO subdevice
staging: octeon: repair "fixed-link" support
staging: octeon: Drop on uncorrectable alignment or FCS error
Linux 4.14.204
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ibed153216ddb983a9ef0640ae9c82781f51880fe
|
||
|
Stefano Garzarella
|
f3fe75ab1a |
vringh: fix __vringh_iov() when riov and wiov are different
commit 5745bcfbbf89b158416075374254d3c013488f21 upstream.
If riov and wiov are both defined and they point to different
objects, only riov is initialized. If the wiov is not initialized
by the caller, the function fails returning -EINVAL and printing
"Readable desc 0x... after writable" error message.
This issue happens when descriptors have both readable and writable
buffers (eg. virtio-blk devices has virtio_blk_outhdr in the readable
buffer and status as last byte of writable buffer) and we call
__vringh_iov() to get both type of buffers in two different iovecs.
Let's replace the 'else if' clause with 'if' to initialize both
riov and wiov if they are not NULL.
As checkpatch pointed out, we also avoid crashing the kernel
when riov and wiov are both NULL, replacing BUG() with WARN_ON()
and returning -EINVAL.
Fixes: f87d0fbb5798 ("vringh: host-side implementation of virtio rings.")
Cc: stable@vger.kernel.org
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://lore.kernel.org/r/20201008204256.162292-1-sgarzare@redhat.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
93599f65c3 |
This is the 4.14.201 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl+GrkEACgkQONu9yGCS aT58SQ/+PLxjpiE1Mn0CRjYBclZXvuhrJOP0KOqLNIM7/eXn3pbxS9wKjn9ykTM+ KTa5s1y0IXDaWYs4lsEnfIKKXDmLHfwnj959StIR6gW+16/cSqppKpiq14MPhkOE WMLvvXOUKfAGMCEzsCoof6Qu/in302DoBK6Nvec53PFeAl+yWaJV4dnIGJpZQtZF O2A/gVL2Fqvk2O1v6wRqWfaBPFBNePOCdMcGrTWwH8JnoSuk8VGad6AWvOTakbny xeRyzKhoPGXiKCiwbNU71IhXO6X5fG7Q/bnS+uZ91186FsHUEMRQeDWPWqz3OqEw Xa/1SSSK0bkFzLn8U0XF0Xe8Txadr/ZDc2EeRlFe0pUVO/kBrGbnT9u7erv3/Ry3 DPPI/JeHg2onsVlnHZLAqFegA6JpGr8FiWQxgMIQ0CtklxVM123dYw8XNXS8Zr/c qeWKGtcpacXR+6fogtPF7HEHma59+XP2hawICgH25JOKa6MeqsaQdM5YAS2DymVV fhzfEj1a851KjesPM/axbQifJVjgDud2vbbv19hVMaWWDLXH/vhB+QNGeI3wAjJn 0QuUe5kUASFy1HrleCmFQUEjOIxTKE87l2vEHzkkOnjgmWpNF/T+SR5MutCrhV8h 9sl3QIT7zqIYci+x8oK8E2X9d2bGmGN30NfqgHo+iL47DZXKSCc= =tX82 -----END PGP SIGNATURE----- Merge 4.14.201 into android-4.14-stable Changes in 4.14.201 vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock vsock/virtio: stop workers during the .remove() vsock/virtio: add transport parameter to the virtio_transport_reset_no_sock() net: virtio_vsock: Enhance connection semantics USB: gadget: f_ncm: Fix NDP16 datagram validation gpio: tc35894: fix up tc35894 interrupt configuration Input: i8042 - add nopnp quirk for Acer Aspire 5 A515 drm/amdgpu: restore proper ref count in amdgpu_display_crtc_set_config drivers/net/wan/hdlc_fr: Add needed_headroom for PVC devices drm/sun4i: mixer: Extend regmap max_register net: dec: de2104x: Increase receive ring size for Tulip rndis_host: increase sleep time in the query-response loop drivers/net/wan/lapbether: Make skb->protocol consistent with the header drivers/net/wan/hdlc: Set skb->protocol before transmitting mac80211: do not allow bigger VHT MPDUs than the hardware supports spi: fsl-espi: Only process interrupts for expected events nvme-fc: fail new connections to a deleted host or remote port pinctrl: mvebu: Fix i2c sda definition for 98DX3236 nfs: Fix security label length not being reset clk: samsung: exynos4: mark 'chipid' clock as CLK_IGNORE_UNUSED iommu/exynos: add missing put_device() call in exynos_iommu_of_xlate() i2c: cpm: Fix i2c_ram structure Input: trackpoint - enable Synaptics trackpoints random32: Restore __latent_entropy attribute on net_rand_state net/packet: fix overflow in tpacket_rcv epoll: do not insert into poll queues until all sanity checks are done epoll: replace ->visited/visited_list with generation count epoll: EPOLL_CTL_ADD: close the race in decision to take fast path ep_create_wakeup_source(): dentry name can change under you... netfilter: ctnetlink: add a range check for l3/l4 protonum drm/syncobj: Fix drm_syncobj_handle_to_fd refcount leak fbdev, newport_con: Move FONT_EXTRA_WORDS macros into linux/font.h Fonts: Support FONT_EXTRA_WORDS macros for built-in fonts Revert "ravb: Fixed to be able to unload modules" fbcon: Fix global-out-of-bounds read in fbcon_get_font() net: wireless: nl80211: fix out-of-bounds access in nl80211_del_key() usermodehelper: reset umask to default before executing user process platform/x86: thinkpad_acpi: initialize tp_nvram_state variable platform/x86: thinkpad_acpi: re-initialize ACPI buffer size when reuse driver core: Fix probe_count imbalance in really_probe() perf top: Fix stdio interface input handling with glibc 2.28+ mtd: rawnand: sunxi: Fix the probe error path Btrfs: fix unexpected failure of nocow buffered writes after snapshotting when low on space ftrace: Move RCU is watching check after recursion check macsec: avoid use-after-free in macsec_handle_frame() mm/khugepaged: fix filemap page_to_pgoff(page) != offset cifs: Fix incomplete memory allocation on setxattr path i2c: meson: fix clock setting overwrite sctp: fix sctp_auth_init_hmacs() error path team: set dev->needed_headroom in team_setup_by_port() net: team: fix memory leak in __team_options_register openvswitch: handle DNAT tuple collision drm/amdgpu: prevent double kfree ttm->sg xfrm: clone XFRMA_REPLAY_ESN_VAL in xfrm_do_migrate xfrm: clone XFRMA_SEC_CTX in xfrm_do_migrate xfrm: clone whole liftime_cur structure in xfrm_do_migrate net: stmmac: removed enabling eee in EEE set callback platform/x86: fix kconfig dependency warning for FUJITSU_LAPTOP xfrm: Use correct address family in xfrm_state_find bonding: set dev->needed_headroom in bond_setup_by_slave() mdio: fix mdio-thunder.c dependency & build error net: usb: ax88179_178a: fix missing stop entry in driver_info rxrpc: Fix rxkad token xdr encoding rxrpc: Downgrade the BUG() for unsupported token type in rxrpc_read() rxrpc: Fix some missing _bh annotations on locking conn->state_lock rxrpc: Fix server keyring leak perf: Fix task_function_call() error handling mmc: core: don't set limits.discard_granularity as 0 mm: khugepaged: recalculate min_free_kbytes after memory hotplug as expected by khugepaged net: usb: rtl8150: set random MAC address when set_ethernet_addr() fails Linux 4.14.201 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iffb5ee67b94a852de1bd865817587bc27320f28b |
||
|
Stefano Garzarella
|
8a39664066 |
vsock/virtio: add transport parameter to the virtio_transport_reset_no_sock()
[ Upstream commit 4c7246dc45e2706770d5233f7ce1597a07e069ba ] We are going to add 'struct vsock_sock *' parameter to virtio_transport_get_ops(). In some cases, like in the virtio_transport_reset_no_sock(), we don't have any socket assigned to the packet received, so we can't use the virtio_transport_get_ops(). In order to allow virtio_transport_reset_no_sock() to use the '.send_pkt' callback from the 'vhost_transport' or 'virtio_transport', we add the 'struct virtio_transport *' to it and to its caller: virtio_transport_recv_pkt(). We moved the 'vhost_transport' and 'virtio_transport' definition, to pass their address to the virtio_transport_recv_pkt(). Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
433305b0af |
This is the 4.14.182 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl7OfIMACgkQONu9yGCS aT5dxRAAooSpyWoPEdRPKVVF1FybPCn+0U0LZfTGEBbhNdFqb8RoLUxjUXhmYRId Wu6BWbRuxMIPFMweR8LNwgs7mmY83ogRk91vnWDAfJ3kvNlxNfdWBNYtrnm6+YhQ Nne8k/W7yj+oyYAPBm+SSblFGMgz8krCyRvRRf16TubZmwwFipQhJ0BdlPun5rzz Fz99tzmt99+8nkphBMI2UIQfJN6bYUD03SRJTO7o3hD3viT5/FgfG1BQtf5eFttS PXU2wGqBfiIaupILpOJ5ulT7Mkael9DERLx6SjDMD8eA6nOkn8oJeJHBFisjrt4k h0TT8nlE11dyF8QrKjyFzF82pv0Gaatc7tfGdiZTHRhUHY/wcnSNCdOcGP3rLMJf f9+cjIxSQJQr45Y+hEp5Z87GaPjg5rJiSJYvPGDrVAE4HZ9uJH1CSza3DQGPq8CB ihssDrn9cnvqVGaCWRYMyUy8nro2VRiXSUwxAavWuIu9fRB5/66g1a8B5Fr3Npmz Eyqlmafck+aLA5XtV+eX2tEzouIMaBKCFTvB970MeCIg1cma+P7QxMO89mvxTAwY C//kE4bvR8o0WJHnVUreqiEPwnu2IlpmtEVEphxWXUG+VOACOfgQQnuvGSwk8F5q thZJLwS5LOtC/s0uwXmLm8PL52nUBvT1bEyWzVgXaH/cmGKi/hs= =Ljah -----END PGP SIGNATURE----- Merge 4.14.182 into android-4.14-stable Changes in 4.14.182 ext4: add cond_resched() to ext4_protect_reserved_inode watchdog: Fix the race between the release of watchdog_core_data and cdev i2c: dev: Fix the race between the release of i2c_dev and cdev padata: ensure the reorder timer callback runs on the correct CPU padata: ensure padata_do_serial() runs on the correct CPU ima: Set file->f_mode instead of file->f_flags in ima_calc_file_hash() evm: Check also if *tfm is an error pointer in init_desc() ima: Fix return value of ima_write_policy() fix multiplication overflow in copy_fdtable() iommu/amd: Fix over-read of ACPI UID from IVRS table i2c: mux: demux-pinctrl: Fix an error handling path in 'i2c_demux_pinctrl_probe()' ubi: Fix seq_file usage in detailed_erase_block_info debugfs file gcc-common.h: Update for GCC 10 HID: multitouch: add eGalaxTouch P80H84 support scsi: qla2xxx: Fix hang when issuing nvme disconnect-all in NPIV configfs: fix config_item refcnt leak in configfs_rmdir() vhost/vsock: fix packet delivery order to monitoring devices component: Silence bind error on -EPROBE_DEFER scsi: ibmvscsi: Fix WARN_ON during event pool release x86/apic: Move TSC deadline timer debug printk gtp: set NLM_F_MULTI flag in gtp_genl_dump_pdp() ceph: fix double unlock in handle_cap_export() USB: core: Fix misleading driver bug report platform/x86: asus-nb-wmi: Do not load on Asus T100TA and T200TA ARM: futex: Address build warning padata: set cpu_index of unused CPUs to -1 padata: Replace delayed timer with immediate workqueue in padata_reorder padata: initialize pd->cpu with effective cpumask padata: purge get_cpu and reorder_via_wq from padata_do_serial arm64: fix the flush_icache_range arguments in machine_kexec l2tp: don't register sessions in l2tp_session_create() l2tp: initialise l2tp_eth sessions before registering them l2tp: protect sock pointer of struct pppol2tp_session with RCU l2tp: initialise PPP sessions before registering them ALSA: iec1712: Initialize STDSP24 properly when using the model=staudio option ALSA: pcm: fix incorrect hw_base increase apparmor: Fix aa_label refcnt leak in policy_update dmaengine: tegra210-adma: Fix an error handling path in 'tegra_adma_probe()' powerpc: restore alphabetic order in Kconfig powerpc: Remove STRICT_KERNEL_RWX incompatibility with RELOCATABLE powerpc/64s: Disable STRICT_KERNEL_RWX x86/uaccess, ubsan: Fix UBSAN vs. SMAP ubsan: build ubsan.c more conservatively libnvdimm/btt: Remove unnecessary code in btt_freelist_init libnvdimm/btt: Fix LBA masking during 'free list' population media: fdp1: Fix R-Car M3-N naming in debug message cxgb4: free mac_hlist properly cxgb4/cxgb4vf: Fix mac_hlist initialization and free Revert "gfs2: Don't demote a glock until its revokes are written" staging: iio: ad2s1210: Fix SPI reading staging: greybus: Fix uninitialized scalar variable iio: sca3000: Remove an erroneous 'get_device()' iio: dac: vf610: Fix an error handling path in 'vf610_dac_probe()' mei: release me_cl object reference rapidio: fix an error in get_user_pages_fast() error handling rxrpc: Fix a memory leak in rxkad_verify_response() x86/unwind/orc: Fix unwind_get_return_address_ptr() for inactive tasks iio: adc: stm32-adc: Use dma_request_chan() instead dma_request_slave_channel() iio: adc: stm32-adc: fix device used to request dma Linux 4.14.182 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I5c1fd52b8c5565f2b3be89efeefc5a66fe806247 |
||
|
Stefano Garzarella
|
486a24502c |
vhost/vsock: fix packet delivery order to monitoring devices
[ Upstream commit 107bc0766b9feb5113074c753735a3f115c2141f ] We want to deliver packets to monitoring devices before it is put in the virtqueue, to avoid that replies can appear in the packet capture before the transmitted packet. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
816f245a4e |
This is the 4.14.180 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl63u08ACgkQONu9yGCS aT7zkA//Z1zZBfRCicvSsJHs04qw/XtR253AMqBRIG1fV5FVhwuFIlDWNkY35vOf 22bRXRQFhvycZK3XVxqCPfkIpjvuGeuRXaNaC3HKphUk4FKzweOO8O2MTNyLB/U7 3ftlCi8Rp/h4P1qcoTMjtCevFm5mhM2PhDzpWZg4iP7CHlueY5SxHNzwhPSVwdTv 2gCgwt2WbAAKoYDfrWCYui5DeUx/G8E7fOtkOLQFFAfQ6lVHp87M7ZtI+Tm2wtLS QbnjdRLHs7EyRO2aQBxQjHsDxfRuNgB/q3qaSszSwKKpWJBi/Kc84Lzvw5eeeq3y YEpGqf5tskyRg26iR5GENzDHo5AEBXKNCzuK6iiMzJIZ1SshuMY3fqQiKjbGEu64 Ehx2Pw38b2Km/cJIWO4h6K9kO1R3Fkb7RC9hYw2Mne5q4/uumJnMUrllMQI6REEB TX558hwr1Ww3H4gpxLzUTgXu9sAah/Ejq5L5KKOq3nSjPFE2OLhQYgj8b2KiVuAX CB99geHAZhsXzLu/blSLYu9CVhuSS/6RG9bUUs4xO0XUcMdYYje3N8gV5XD0cqdO 8Ct4MgPzwq9VJbJqMPalViCZEotjKPNib5WTz7RFjT8ZL/UhJOYk1bEU1HsBeWf9 SHiBpQGjn6PtUD8F/nEiwK8Oq5P87khchKtatFRD6RC3ckS+7nw= =M3T7 -----END PGP SIGNATURE----- Merge 4.14.180 into android-4.14-stable Changes in 4.14.180 vhost: vsock: kick send_pkt worker once device is started powerpc/pci/of: Parse unassigned resources ASoC: topology: Check return value of pcm_new_ver selftests/ipc: Fix test failure seen after initial test run ASoC: sgtl5000: Fix VAG power-on handling ASoC: rsnd: Fix HDMI channel mapping for multi-SSI mode ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry wimax/i2400m: Fix potential urb refcnt leak net: stmmac: fix enabling socfpga's ptp_ref_clock net: stmmac: Fix sub-second increment cifs: protect updating server->dstaddr with a spinlock s390/ftrace: fix potential crashes when switching tracers scripts/config: allow colons in option strings for sed net: dsa: b53: Rework ARL bin logic lib/mpi: Fix building for powerpc with clang net: bcmgenet: suppress warnings on failed Rx SKB allocations net: systemport: suppress warnings on failed Rx SKB allocations sctp: Fix SHUTDOWN CTSN Ack in the peer restart case tracing: Reverse the order of trace_types_lock and event_mutex ALSA: hda: Match both PCI ID and SSID for driver blacklist mac80211: add ieee80211_is_any_nullfunc() cgroup, netclassid: remove double cond_resched Linux 4.14.180 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I97fba604c23f3f7324a1d8f883606ed563459b47 |
||
Jia He
|
ad70bc0e01 |
vhost: vsock: kick send_pkt worker once device is started
commit 0b841030625cde5f784dd62aec72d6a766faae70 upstream.
Ning Bo reported an abnormal 2-second gap when booting Kata container [1].
The unconditional timeout was caused by VSOCK_DEFAULT_CONNECT_TIMEOUT of
connecting from the client side. The vhost vsock client tries to connect
an initializing virtio vsock server.
The abnormal flow looks like:
host-userspace vhost vsock guest vsock
============== =========== ============
connect() --------> vhost_transport_send_pkt_work() initializing
| vq->private_data==NULL
| will not be queued
V
schedule_timeout(2s)
vhost_vsock_start() <--------- device ready
set vq->private_data
wait for 2s and failed
connect() again vq->private_data!=NULL recv connecting pkt
Details:
1. Host userspace sends a connect pkt, at that time, guest vsock is under
initializing, hence the vhost_vsock_start has not been called. So
vq->private_data==NULL, and the pkt is not been queued to send to guest
2. Then it sleeps for 2s
3. After guest vsock finishes initializing, vq->private_data is set
4. When host userspace wakes up after 2s, send connecting pkt again,
everything is fine.
As suggested by Stefano Garzarella, this fixes it by additional kicking the
send_pkt worker in vhost_vsock_start once the virtio device is started. This
makes the pending pkt sent again.
After this patch, kata-runtime (with vsock enabled) boot time is reduced
from 3s to 1s on a ThunderX2 arm64 server.
[1] https://github.com/kata-containers/runtime/issues/1917
Reported-by: Ning Bo <n.b@live.com>
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Jia He <justin.he@arm.com>
Link: https://lore.kernel.org/r/20200501043840.186557-1-justin.he@arm.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
5a81c7e39a |
This is the 4.14.173 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5pGdsACgkQONu9yGCS
aT4e8g//e9KvLX52jYtFVkQ1VpRmp5jvh4s3acky/akvbSYgFvk2X+MFwZCUDk7s
6/ULYnjDu38ZpvxcxCdEcMrsu506GPzKInotUvO/epGy2tjZlWHBgkblef+ZEC4y
KWWDVBrgugQGb+qFn4pRLKazyEvXzr5CZUMQ0rjtrA1k3ttviUZGxj5wxPUvNCJu
RM0K9D54rNxjx9IHtMSMqXRMtfp8m3gUeDIQ5J39kC6aIV/QcZWJFy77WELG+Q+0
mJHjEI+HXO2w68a5XxP3ry7mVqsPB8asj+n4d7evWr3YlnYSeeBQah7B5v0nfpoW
jZSYJ2cYJ6p/2B3AlYoYUwr/pGLwqz17taWozcyVssy+NxgORfy6PmpVCJhe2u8s
liW0fA86ZC3PcgUI+xkrhVeNRw+OSvsPhsqzl6XSMACJf05niUqjVxD9CySmAKwb
PrXHDbnwfZK8MB5wJ3/0j0PtTkwt0qiRS9daD14qxr+8OLTQ9C7zOxmZI9jkrqVd
GmbYgx5fZYeP11vb6h1cOmJae/xIkm9Yl8RbbuWpiGtbFAVHWD/B8w9YL0U138pW
f+aCpn66eyli27/MmEFJdAUQYvhkOwZ5TGwKuJrqYi5EDjRFTWUfaFfwYsIn1AaM
69nnNHUrGgozQGDfQZEEFMSCZFJZfma3zbkJyHqpV+KMqma8/dI=
=XWup
-----END PGP SIGNATURE-----
Merge 4.14.173 into android-4.14
Changes in 4.14.173
iwlwifi: pcie: fix rb_allocator workqueue allocation
netfilter: nf_conntrack: resolve clash for matching conntracks
ext4: fix potential race between online resizing and write operations
ext4: fix potential race between s_flex_groups online resizing and access
ext4: fix potential race between s_group_info online resizing and access
ipmi:ssif: Handle a possible NULL pointer reference
drm/msm: Set dma maximum segment size for mdss
dax: pass NOWAIT flag to iomap_apply
mac80211: consider more elements in parsing CRC
cfg80211: check wiphy driver existence for drvinfo report
qmi_wwan: re-add DW5821e pre-production variant
qmi_wwan: unconditionally reject 2 ep interfaces
net: ena: fix potential crash when rxfh key is NULL
net: ena: fix uses of round_jiffies()
net: ena: add missing ethtool TX timestamping indication
net: ena: fix incorrect default RSS key
net: ena: rss: fix failure to get indirection table
net: ena: rss: store hash function as values and not bits
net: ena: fix incorrectly saving queue numbers when setting RSS indirection table
net: ena: ethtool: use correct value for crc32 hash
net: ena: ena-com.c: prevent NULL pointer dereference
cifs: Fix mode output in debugging statements
cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE
sysrq: Restore original console_loglevel when sysrq disabled
sysrq: Remove duplicated sysrq message
net: fib_rules: Correctly set table field when table number exceeds 8 bits
net: phy: restore mdio regs in the iproc mdio driver
nfc: pn544: Fix occasional HW initialization failure
sctp: move the format error check out of __sctp_sf_do_9_1_abort
ipv6: Fix nlmsg_flags when splitting a multipath route
ipv6: Fix route replacement with dev-only route
qede: Fix race between rdma destroy workqueue and link change event
net: sched: correct flower port blocking
ext4: potential crash on allocation error in ext4_alloc_flex_bg_array()
audit: fix error handling in audit_data_to_entry()
ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro
ACPI: watchdog: Fix gas->access_width usage
KVM: VMX: check descriptor table exits on instruction emulation
HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock
HID: core: fix off-by-one memset in hid_report_raw_event()
HID: core: increase HID report buffer size to 8KiB
tracing: Disable trace_printk() on post poned tests
Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs"
HID: hiddev: Fix race in in hiddev_disconnect()
MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()'
i2c: altera: Fix potential integer overflow
i2c: jz4780: silence log flood on txabrt
drm/i915/gvt: Separate display reset from ALL_ENGINES reset
usb: charger: assign specific number for enum value
ecryptfs: Fix up bad backport of fe2e082f5da5b4a0a92ae32978f81507ef37ec66
include/linux/bitops.h: introduce BITS_PER_TYPE
net: netlink: cap max groups which will be considered in netlink_bind()
net: atlantic: fix potential error handling
net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE
namei: only return -ECHILD from follow_dotdot_rcu()
mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame()
KVM: SVM: Override default MMIO mask if memory encryption is enabled
KVM: Check for a bad hva before dropping into the ghc slow path
tuntap: correctly set SOCKWQ_ASYNC_NOSPACE
drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()'
kprobes: Set unoptimized flag after unoptimizing code
perf hists browser: Restore ESC as "Zoom out" of DSO/thread/etc
mm/huge_memory.c: use head to check huge zero page
mm, thp: fix defrag setting if newline is not used
Revert "char/random: silence a lockdep splat with printk()"
audit: always check the netlink payload length in audit_receive_msg()
vhost: Check docket sk_family instead of call getname
x86/mce: Handle varying MCA bank counts
EDAC/amd64: Set grain per DIMM
net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec
RDMA/core: Fix pkey and port assignment in get_new_pps
RDMA/core: Fix use of logical OR in get_new_pps
kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic
serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE
selftests: fix too long argument
usb: gadget: composite: Support more than 500mA MaxPower
usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags
usb: gadget: serial: fix Tx stall after buffer overflow
drm/msm/mdp5: rate limit pp done timeout warnings
drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI
drm/msm/dsi: save pll state before dsi host is powered off
net: ks8851-ml: Remove 8-bit bus accessors
net: ks8851-ml: Fix 16-bit data access
net: ks8851-ml: Fix 16-bit IO operation
watchdog: da9062: do not ping the hw during stop()
s390/cio: cio_ignore_proc_seq_next should increase position index
x86/boot/compressed: Don't declare __force_order in kaslr_64.c
nvme: Fix uninitialized-variable warning
x86/xen: Distribute switch variables for initialization
net: thunderx: workaround BGX TX Underflow issue
cifs: don't leak -EAGAIN for stat() during reconnect
usb: storage: Add quirk for Samsung Fit flash
usb: quirks: add NO_LPM quirk for Logitech Screen Share
usb: core: hub: fix unhandled return by employing a void function
usb: core: hub: do error out if usb_autopm_get_interface() fails
usb: core: port: do error out if usb_autopm_get_interface() fails
vgacon: Fix a UAF in vgacon_invert_region
mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa
fat: fix uninit-memory access for partial initialized inode
arm: dts: dra76x: Fix mmc3 max-frequency
tty:serial:mvebu-uart:fix a wrong return
serial: 8250_exar: add support for ACCES cards
vt: selection, close sel_buffer race
vt: selection, push console lock down
vt: selection, push sel_lock up
x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes
dmaengine: tegra-apb: Fix use-after-free
dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list
dm cache: fix a crash due to incorrect work item cancelling
ARM: dts: ls1021a: Restore MDIO compatible to gianfar
ASoC: topology: Fix memleak in soc_tplg_link_elems_load()
ASoC: intel: skl: Fix pin debug prints
ASoC: intel: skl: Fix possible buffer overflow in debug outputs
ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output
ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path
ASoC: dapm: Correct DAPM handling of active widgets during shutdown
RDMA/iwcm: Fix iwcm work deallocation
RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen()
IB/hfi1, qib: Ensure RCU is locked when accessing list
ARM: imx: build v7_cpu_resume() unconditionally
hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT()
dmaengine: coh901318: Fix a double lock bug in dma_tc_handle()
powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems
dm integrity: fix a deadlock due to offloading to an incorrect workqueue
xhci: handle port status events for removed USB3 hcd
ASoC: topology: Fix memleak in soc_tplg_manifest_load()
Linux 4.14.173
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic06bd3eb90ee58f3fd96bff8969ebf6d9db4cb8d
|
||
Eugenio Pérez
|
ff8e12b0cf |
vhost: Check docket sk_family instead of call getname
commit 42d84c8490f9f0931786f1623191fcab397c3d64 upstream.
Doing so, we save one call to get data we already have in the struct.
Also, since there is no guarantee that getname use sockaddr_ll
parameter beyond its size, we add a little bit of security here.
It should do not do beyond MAX_ADDR_LEN, but syzbot found that
ax25_getname writes more (72 bytes, the size of full_sockaddr_ax25,
versus 20 + 32 bytes of sockaddr_ll + MAX_ADDR_LEN in syzbot repro).
Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
Reported-by: syzbot+f2a62d07a5198c819c7b@syzkaller.appspotmail.com
Signed-off-by: Eugenio Pérez <eperezma@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[jwang: backport to 4.14]
Signed-off-by: Jack Wang <jinpu.wang@cloud.ionos.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Andrey Konovalov
|
47ba92a255 |
UPSTREAM: vhost, kcov: collect coverage from vhost_worker
(Upstream commit 8f6a7f96dc29cefe16ab60f06f9c3a43510b96fd.) Add kcov_remote_start()/kcov_remote_stop() annotations to the vhost_worker() function, which is responsible for processing vhost works. Since vhost_worker() threads are spawned per vhost device instance the common kcov handle is used for kcov_remote_start()/stop() annotations (see Documentation/dev-tools/kcov.rst for details). As the result kcov can now be used to collect coverage from vhost worker threads. Link: http://lkml.kernel.org/r/e49d5d154e5da6c9ada521d2b7ce10a49ce9f98b.1572366574.git.andreyknvl@google.com Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Cc: Alan Stern <stern@rowland.harvard.edu> Cc: Alexander Potapenko <glider@google.com> Cc: Anders Roxell <anders.roxell@linaro.org> Cc: Arnd Bergmann <arnd@arndb.de> Cc: David Windsor <dwindsor@gmail.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Elena Reshetova <elena.reshetova@intel.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: Jason Wang <jasowang@redhat.com> Cc: Marco Elver <elver@google.com> Cc: "Michael S. Tsirkin" <mst@redhat.com> Cc: Steven Rostedt <rostedt@goodmis.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Bug: 147413187 Change-Id: Ie99a67ede00a839a28472877e5c3263db69d1c58 |
||
|
Stefano Garzarella
|
1f8b45f101 |
vhost/vsock: accept only packets with the right dst_cid
[ Upstream commit 8a3cc29c316c17de590e3ff8b59f3d6cbfd37b0a ] When we receive a new packet from the guest, we check if the src_cid is correct, but we forgot to check the dst_cid. The host should accept only packets where dst_cid is equal to the host CID. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Stefano Garzarella
|
4e846d399c |
vhost/vsock: split packets to send using multiple buffers
commit 6dbd3e66e7785a2f055bf84d98de9b8fd31ff3f5 upstream. If the packets to sent to the guest are bigger than the buffer available, we can split them, using multiple buffers and fixing the length in the packet header. This is safe since virtio-vsock supports only stream sockets. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
yongduan
|
7e9480b480 |
vhost: make sure log_num < in_num
commit 060423bfdee3f8bc6e2c1bac97de24d5415e2bc4 upstream.
The code assumes log_num < in_num everywhere, and that is true as long as
in_num is incremented by descriptor iov count, and log_num by 1. However
this breaks if there's a zero sized descriptor.
As a result, if a malicious guest creates a vring desc with desc.len = 0,
it may cause the host kernel to crash by overflowing the log array. This
bug can be triggered during the VM migration.
There's no need to log when desc.len = 0, so just don't increment log_num
in this case.
Fixes: 3a4d5c94e959 ("vhost_net: a kernel-level virtio server")
Cc: stable@vger.kernel.org
Reviewed-by: Lidong Chen <lidongchen@tencent.com>
Signed-off-by: ruippan <ruippan@tencent.com>
Signed-off-by: yongduan <yongduan@tencent.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Tiwei Bie
|
e93482df92 |
vhost/test: fix build for vhost test
commit 264b563b8675771834419057cbe076c1a41fb666 upstream.
Since vhost_exceeds_weight() was introduced, callers need to specify
the packet weight and byte weight in vhost_dev_init(). Note that, the
packet weight isn't counted in this patch to keep the original behavior
unchanged.
Fixes: e82b9b0727ff ("vhost: introduce vhost_exceeds_weight()")
Cc: stable@vger.kernel.org
Signed-off-by: Tiwei Bie <tiwei.bie@intel.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Jason Wang
|
ddd38aa7b4 |
vhost_net: disable zerocopy by default
[ Upstream commit 098eadce3c622c07b328d0a43dda379b38cf7c5e ] Vhost_net was known to suffer from HOL[1] issues which is not easy to fix. Several downstream disable the feature by default. What's more, the datapath was split and datacopy path got the support of batching and XDP support recently which makes it faster than zerocopy part for small packets transmission. It looks to me that disable zerocopy by default is more appropriate. It cold be enabled by default again in the future if we fix the above issues. [1] https://patchwork.kernel.org/patch/3787671/ Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Jason Wang
|
011942d12c |
vhost: scsi: add weight support
commit c1ea02f15ab5efb3e93fc3144d895410bf79fcf2 upstream.
This patch will check the weight and exit the loop if we exceeds the
weight. This is useful for preventing scsi kthread from hogging cpu
which is guest triggerable.
This addresses CVE-2019-3900.
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Fixes: 057cbf49a1f0 ("tcm_vhost: Initial merge for vhost level target fabric driver")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Balbir Singh <sblbir@amzn.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jason Wang
|
46c7fce709 |
vhost: vsock: add weight support
commit e79b431fb901ba1106670bcc80b9b617b25def7d upstream.
This patch will check the weight and exit the loop if we exceeds the
weight. This is useful for preventing vsock kthread from hogging cpu
which is guest triggerable. The weight can help to avoid starving the
request from on direction while another direction is being processed.
The value of weight is picked from vhost-net.
This addresses CVE-2019-3900.
Cc: Stefan Hajnoczi <stefanha@redhat.com>
Fixes: 433fc58e6bf2 ("VSOCK: Introduce vhost_vsock.ko")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Balbir Singh <sblbir@amzn.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jason Wang
|
ae44674949 |
vhost_net: fix possible infinite loop
commit e2412c07f8f3040593dfb88207865a3cd58680c0 upstream.
When the rx buffer is too small for a packet, we will discard the vq
descriptor and retry it for the next packet:
while ((sock_len = vhost_net_rx_peek_head_len(net, sock->sk,
&busyloop_intr))) {
...
/* On overrun, truncate and discard */
if (unlikely(headcount > UIO_MAXIOV)) {
iov_iter_init(&msg.msg_iter, READ, vq->iov, 1, 1);
err = sock->ops->recvmsg(sock, &msg,
1, MSG_DONTWAIT | MSG_TRUNC);
pr_debug("Discarded rx packet: len %zd\n", sock_len);
continue;
}
...
}
This makes it possible to trigger a infinite while..continue loop
through the co-opreation of two VMs like:
1) Malicious VM1 allocate 1 byte rx buffer and try to slow down the
vhost process as much as possible e.g using indirect descriptors or
other.
2) Malicious VM2 generate packets to VM1 as fast as possible
Fixing this by checking against weight at the end of RX and TX
loop. This also eliminate other similar cases when:
- userspace is consuming the packets in the meanwhile
- theoretical TOCTOU attack if guest moving avail index back and forth
to hit the continue after vhost find guest just add new buffers
This addresses CVE-2019-3900.
Fixes: d8316f3991d20 ("vhost: fix total length when packets are too short")
Fixes: 3a4d5c94e9593 ("vhost_net: a kernel-level virtio server")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Balbir Singh <sblbir@amzn.com>
|
||
|
Jason Wang
|
c051fb9788 |
vhost: introduce vhost_exceeds_weight()
commit e82b9b0727ff6d665fff2d326162b460dded554d upstream. We used to have vhost_exceeds_weight() for vhost-net to: - prevent vhost kthread from hogging the cpu - balance the time spent between TX and RX This function could be useful for vsock and scsi as well. So move it to vhost.c. Device must specify a weight which counts the number of requests, or it can also specific a byte_weight which counts the number of bytes that has been processed. Signed-off-by: Jason Wang <jasowang@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Balbir Singh <sblbir@amzn.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Jason Wang
|
2c4e518f1e |
vhost_net: introduce vhost_exceeds_weight()
commit 272f35cba53d088085e5952fd81d7a133ab90789 upstream. Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Balbir Singh <sblbir@amzn.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Paolo Abeni
|
e9dac4ca99 |
vhost_net: use packet weight for rx handler, too
commit db688c24eada63b1efe6d0d7d835e5c3bdd71fd3 upstream.
Similar to commit a2ac99905f1e ("vhost-net: set packet weight of
tx polling to 2 * vq size"), we need a packet-based limit for
handler_rx, too - elsewhere, under rx flood with small packets,
tx can be delayed for a very long time, even without busypolling.
The pkt limit applied to handle_rx must be the same applied by
handle_tx, or we will get unfair scheduling between rx and tx.
Tying such limit to the queue length makes it less effective for
large queue length values and can introduce large process
scheduler latencies, so a constant valued is used - likewise
the existing bytes limit.
The selected limit has been validated with PVP[1] performance
test with different queue sizes:
queue size 256 512 1024
baseline 366 354 362
weight 128 715 723 670
weight 256 740 745 733
weight 512 600 460 583
weight 1024 423 427 418
A packet weight of 256 gives peek performances in under all the
tested scenarios.
No measurable regression in unidirectional performance tests has
been detected.
[1] https://developers.redhat.com/blog/2017/06/05/measuring-and-comparing-open-vswitch-performance/
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Balbir Singh <sblbir@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
haibinzhang(张海斌)
|
6416172c94 |
vhost-net: set packet weight of tx polling to 2 * vq size
commit a2ac99905f1ea8b15997a6ec39af69aa28a3653b upstream.
handle_tx will delay rx for tens or even hundreds of milliseconds when tx busy
polling udp packets with small length(e.g. 1byte udp payload), because setting
VHOST_NET_WEIGHT takes into account only sent-bytes but no single packet length.
Ping-Latencies shown below were tested between two Virtual Machines using
netperf (UDP_STREAM, len=1), and then another machine pinged the client:
vq size=256
Packet-Weight Ping-Latencies(millisecond)
min avg max
Origin 3.319 18.489 57.303
64 1.643 2.021 2.552
128 1.825 2.600 3.224
256 1.997 2.710 4.295
512 1.860 3.171 4.631
1024 2.002 4.173 9.056
2048 2.257 5.650 9.688
4096 2.093 8.508 15.943
vq size=512
Packet-Weight Ping-Latencies(millisecond)
min avg max
Origin 6.537 29.177 66.245
64 2.798 3.614 4.403
128 2.861 3.820 4.775
256 3.008 4.018 4.807
512 3.254 4.523 5.824
1024 3.079 5.335 7.747
2048 3.944 8.201 12.762
4096 4.158 11.057 19.985
Seems pretty consistent, a small dip at 2 VQ sizes.
Ring size is a hint from device about a burst size it can tolerate. Based on
benchmarks, set the weight to 2 * vq size.
To evaluate this change, another tests were done using netperf(RR, TX) between
two machines with Intel(R) Xeon(R) Gold 6133 CPU @ 2.50GHz, and vq size was
tweaked through qemu. Results shown below does not show obvious changes.
vq size=256 TCP_RR vq size=512 TCP_RR
size/sessions/+thu%/+normalize% size/sessions/+thu%/+normalize%
1/ 1/ -7%/ -2% 1/ 1/ 0%/ -2%
1/ 4/ +1%/ 0% 1/ 4/ +1%/ 0%
1/ 8/ +1%/ -2% 1/ 8/ 0%/ +1%
64/ 1/ -6%/ 0% 64/ 1/ +7%/ +3%
64/ 4/ 0%/ +2% 64/ 4/ -1%/ +1%
64/ 8/ 0%/ 0% 64/ 8/ -1%/ -2%
256/ 1/ -3%/ -4% 256/ 1/ -4%/ -2%
256/ 4/ +3%/ +4% 256/ 4/ +1%/ +2%
256/ 8/ +2%/ 0% 256/ 8/ +1%/ -1%
vq size=256 UDP_RR vq size=512 UDP_RR
size/sessions/+thu%/+normalize% size/sessions/+thu%/+normalize%
1/ 1/ -5%/ +1% 1/ 1/ -3%/ -2%
1/ 4/ +4%/ +1% 1/ 4/ -2%/ +2%
1/ 8/ -1%/ -1% 1/ 8/ -1%/ 0%
64/ 1/ -2%/ -3% 64/ 1/ +1%/ +1%
64/ 4/ -5%/ -1% 64/ 4/ +2%/ 0%
64/ 8/ 0%/ -1% 64/ 8/ -2%/ +1%
256/ 1/ +7%/ +1% 256/ 1/ -7%/ 0%
256/ 4/ +1%/ +1% 256/ 4/ -3%/ -4%
256/ 8/ +2%/ +2% 256/ 8/ +1%/ +1%
vq size=256 TCP_STREAM vq size=512 TCP_STREAM
size/sessions/+thu%/+normalize% size/sessions/+thu%/+normalize%
64/ 1/ 0%/ -3% 64/ 1/ 0%/ 0%
64/ 4/ +3%/ -1% 64/ 4/ -2%/ +4%
64/ 8/ +9%/ -4% 64/ 8/ -1%/ +2%
256/ 1/ +1%/ -4% 256/ 1/ +1%/ +1%
256/ 4/ -1%/ -1% 256/ 4/ -3%/ 0%
256/ 8/ +7%/ +5% 256/ 8/ -3%/ 0%
512/ 1/ +1%/ 0% 512/ 1/ -1%/ -1%
512/ 4/ +1%/ -1% 512/ 4/ 0%/ 0%
512/ 8/ +7%/ -5% 512/ 8/ +6%/ -1%
1024/ 1/ 0%/ -1% 1024/ 1/ 0%/ +1%
1024/ 4/ +3%/ 0% 1024/ 4/ +1%/ 0%
1024/ 8/ +8%/ +5% 1024/ 8/ -1%/ 0%
2048/ 1/ +2%/ +2% 2048/ 1/ -1%/ 0%
2048/ 4/ +1%/ 0% 2048/ 4/ 0%/ -1%
2048/ 8/ -2%/ 0% 2048/ 8/ 5%/ -1%
4096/ 1/ -2%/ 0% 4096/ 1/ -2%/ 0%
4096/ 4/ +2%/ 0% 4096/ 4/ 0%/ 0%
4096/ 8/ +9%/ -2% 4096/ 8/ -5%/ -1%
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Haibin Zhang <haibinzhang@tencent.com>
Signed-off-by: Yunfang Tai <yunfangtai@tencent.com>
Signed-off-by: Lidong Chen <lidongchen@tencent.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Balbir Singh <sblbir@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jason Wang
|
f052bafe54 |
vhost: reject zero size iova range
[ Upstream commit 813dbeb656d6c90266f251d8bd2b02d445afa63f ] We used to accept zero size iova range which will lead a infinite loop in translate_desc(). Fixing this by failing the request in this case. Reported-by: syzbot+d21e6e297322a900c128@syzkaller.appspotmail.com Fixes: 6b1e6cc7 ("vhost: new device IOTLB API") Signed-off-by: Jason Wang <jasowang@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Zha Bin
|
b384efc1fb |
vhost/vsock: fix vhost vsock cid hashing inconsistent
commit 7fbe078c37aba3088359c9256c1a1d0c3e39ee81 upstream.
The vsock core only supports 32bit CID, but the Virtio-vsock spec define
CID (dst_cid and src_cid) as u64 and the upper 32bits is reserved as
zero. This inconsistency causes one bug in vhost vsock driver. The
scenarios is:
0. A hash table (vhost_vsock_hash) is used to map an CID to a vsock
object. And hash_min() is used to compute the hash key. hash_min() is
defined as:
(sizeof(val) <= 4 ? hash_32(val, bits) : hash_long(val, bits)).
That means the hash algorithm has dependency on the size of macro
argument 'val'.
0. In function vhost_vsock_set_cid(), a 64bit CID is passed to
hash_min() to compute the hash key when inserting a vsock object into
the hash table.
0. In function vhost_vsock_get(), a 32bit CID is passed to hash_min()
to compute the hash key when looking up a vsock for an CID.
Because the different size of the CID, hash_min() returns different hash
key, thus fails to look up the vsock object for an CID.
To fix this bug, we keep CID as u64 in the IOCTLs and virtio message
headers, but explicitly convert u64 to u32 when deal with the hash table
and vsock core.
Fixes: 834e772c8db0 ("vhost/vsock: fix use-after-free in network stack callers")
Link: https://github.com/stefanha/virtio/blob/vsock/trunk/content.tex
Signed-off-by: Zha Bin <zhabin@linux.alibaba.com>
Reviewed-by: Liu Jiang <gerry@linux.alibaba.com>
Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Shengjing Zhu <i@zhsj.me>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jason Wang
|
d5a74d2b46 |
vhost: correctly check the return value of translate_desc() in log_used()
[ Upstream commit 816db7663565cd23f74ed3d5c9240522e3fb0dda ]
When fail, translate_desc() returns negative value, otherwise the
number of iovs. So we should fail when the return value is negative
instead of a blindly check against zero.
Detected by CoverityScan, CID# 1442593: Control flow issues (DEADCODE)
Fixes: cc5e71075947 ("vhost: log dirty page correctly")
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Reported-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jason Wang
|
1981e4c9a9 |
vhost: log dirty page correctly
[ Upstream commit cc5e710759470bc7f3c61d11fd54586f15fdbdf4 ]
Vhost dirty page logging API is designed to sync through GPA. But we
try to log GIOVA when device IOTLB is enabled. This is wrong and may
lead to missing data after migration.
To solve this issue, when logging with device IOTLB enabled, we will:
1) reuse the device IOTLB translation result of GIOVA->HVA mapping to
get HVA, for writable descriptor, get HVA through iovec. For used
ring update, translate its GIOVA to HVA
2) traverse the GPA->HVA mapping to get the possible GPA and log
through GPA. Pay attention this reverse mapping is not guaranteed
to be unique, so we should log each possible GPA in this case.
This fix the failure of scp to guest during migration. In -next, we
will probably support passing GIOVA->GPA instead of GIOVA->HVA.
Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API")
Reported-by: Jintack Lim <jintack@cs.columbia.edu>
Cc: Jintack Lim <jintack@cs.columbia.edu>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Stefan Hajnoczi
|
14c2cd93e2 |
vhost/vsock: fix uninitialized vhost_vsock->guest_cid
commit a72b69dc083a931422cc8a5e33841aff7d5312f2 upstream. The vhost_vsock->guest_cid field is uninitialized when /dev/vhost-vsock is opened until the VHOST_VSOCK_SET_GUEST_CID ioctl is called. kvmalloc(..., GFP_KERNEL | __GFP_RETRY_MAYFAIL) does not zero memory. All other vhost_vsock fields are initialized explicitly so just initialize this field too. Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Cc: Daniel Verkamp <dverkamp@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Jason Wang
|
2510d91bda |
vhost: make sure used idx is seen before log in vhost_add_used_n()
[ Upstream commit 841df922417eb82c835e93d4b93eb6a68c99d599 ]
We miss a write barrier that guarantees used idx is updated and seen
before log. This will let userspace sync and copy used ring before
used idx is update. Fix this by adding a barrier before log_write().
Fixes: 8dd014adfea6f ("vhost-net: mergeable buffers support")
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Stefan Hajnoczi
|
7e43eec4b4 |
vhost/vsock: fix reset orphans race with close timeout
[ Upstream commit c38f57da428b033f2721b611d84b1f40bde674a8 ] If a local process has closed a connected socket and hasn't received a RST packet yet, then the socket remains in the table until a timeout expires. When a vhost_vsock instance is released with the timeout still pending, the socket is never freed because vhost_vsock has already set the SOCK_DONE flag. Check if the close timer is pending and let it close the socket. This prevents the race which can leak sockets. Reported-by: Maximilian Riemensberger <riemensberger@cadami.net> Cc: Graham Whaley <graham.whaley@gmail.com> Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Stefan Hajnoczi
|
f15c072d65 |
vhost/vsock: fix use-after-free in network stack callers
commit 834e772c8db0c6a275d75315d90aba4ebbb1e249 upstream. If the network stack calls .send_pkt()/.cancel_pkt() during .release(), a struct vhost_vsock use-after-free is possible. This occurs because .release() does not wait for other CPUs to stop using struct vhost_vsock. Switch to an RCU-enabled hashtable (indexed by guest CID) so that .release() can wait for other CPUs by calling synchronize_rcu(). This also eliminates vhost_vsock_lock acquisition in the data path so it could have a positive effect on performance. This is CVE-2018-14625 "kernel: use-after-free Read in vhost_transport_send_pkt". Cc: stable@vger.kernel.org Reported-and-tested-by: syzbot+bd391451452fb0b93039@syzkaller.appspotmail.com Reported-by: syzbot+e3e074963495f92a89ed@syzkaller.appspotmail.com Reported-by: syzbot+d5a0a170c5069658b141@syzkaller.appspotmail.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Acked-by: Jason Wang <jasowang@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Edwards
|
56bce0e5d5 |
vhost/scsi: truncate T10 PI iov_iter to prot_bytes
commit 4542d623c7134bc1738f8a68ccb6dd546f1c264f upstream.
Commands with protection information included were not truncating the
protection iov_iter to the number of protection bytes in the command.
This resulted in vhost_scsi mis-calculating the size of the protection
SGL in vhost_scsi_calc_sgls(), and including both the protection and
data SG entries in the protection SGL.
Fixes: 09b13fa8c1a1 ("vhost/scsi: Add ANY_LAYOUT support in vhost_scsi_handle_vq")
Signed-off-by: Greg Edwards <gedwards@ddn.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Fixes: 09b13fa8c1a1093e9458549ac8bb203a7c65c62a
Cc: stable@vger.kernel.org
Reviewed-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jason Wang
|
b522f279f9 |
vhost: Fix Spectre V1 vulnerability
[ Upstream commit ff002269a4ee9c769dbf9365acef633ebcbd6cbe ] The idx in vhost_vring_ioctl() was controlled by userspace, hence a potential exploitation of the Spectre variant 1 vulnerability. Fixing this by sanitizing idx before using it to index d->vqs. Cc: Michael S. Tsirkin <mst@redhat.com> Cc: Josh Poimboeuf <jpoimboe@redhat.com> Cc: Andrea Arcangeli <aarcange@redhat.com> Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Jason Wang
|
bf82c2cb14 |
vhost: correctly check the iova range when waking virtqueue
[ Upstream commit 2d66f997f0545c8f7fc5cf0b49af1decb35170e7 ]
We don't wakeup the virtqueue if the first byte of pending iova range
is the last byte of the range we just got updated. This will lead a
virtqueue to wait for IOTLB updating forever. Fixing by correct the
check and wake up the virtqueue in this case.
Fixes: 6b1e6cc7855b ("vhost: new device IOTLB API")
Reported-by: Peter Xu <peterx@redhat.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Reviewed-by: Peter Xu <peterx@redhat.com>
Tested-by: Peter Xu <peterx@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Jason Wang
|
59f9f2c76f |
vhost: reset metadata cache when initializing new IOTLB
[ Upstream commit b13f9c6364373a1b9f71e9846dc4fb199296f926 ] We need to reset metadata cache during new IOTLB initialization, otherwise the stale pointers to previous IOTLB may be still accessed which will lead a use after free. Reported-by: syzbot+c51e6736a1bf614b3272@syzkaller.appspotmail.com Fixes: f88949138058 ("vhost: introduce O(1) vq metadata cache") Signed-off-by: Jason Wang <jasowang@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Jason Wang
|
7eba6537c3 |
vhost_net: validate sock before trying to put its fd
[ Upstream commit b8f1f65882f07913157c44673af7ec0b308d03eb ]
Sock will be NULL if we pass -1 to vhost_net_set_backend(), but when
we meet errors during ubuf allocation, the code does not check for
NULL before calling sockfd_put(), this will lead NULL
dereferencing. Fixing by checking sock pointer before.
Fixes: bab632d69ee4 ("vhost: vhost TX zero-copy support")
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Michael S. Tsirkin
|
7446344baa |
vhost: fix info leak due to uninitialized memory
commit 670ae9caaca467ea1bfd325cb2a5c98ba87f94ad upstream. struct vhost_msg within struct vhost_msg_node is copied to userspace. Unfortunately it turns out on 64 bit systems vhost_msg has padding after type which gcc doesn't initialize, leaking 4 uninitialized bytes to userspace. This padding also unfortunately means 32 bit users of this interface are broken on a 64 bit kernel which will need to be fixed separately. Fixes: CVE-2018-1118 Cc: stable@vger.kernel.org Reported-by: Kevin Easton <kevin@guarana.org> Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Reported-by: syzbot+87cfa083e727a224754b@syzkaller.appspotmail.com Signed-off-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Jason Wang
|
6d431f6e68 |
vhost: synchronize IOTLB message with dev cleanup
[ Upstream commit 1b15ad683ab42a203f98b67045b40720e99d0e9a ]
DaeRyong Jeong reports a race between vhost_dev_cleanup() and
vhost_process_iotlb_msg():
Thread interleaving:
CPU0 (vhost_process_iotlb_msg) CPU1 (vhost_dev_cleanup)
(In the case of both VHOST_IOTLB_UPDATE and
VHOST_IOTLB_INVALIDATE)
===== =====
vhost_umem_clean(dev->iotlb);
if (!dev->iotlb) {
ret = -EFAULT;
break;
}
dev->iotlb = NULL;
The reason is we don't synchronize between them, fixing by protecting
vhost_process_iotlb_msg() with dev mutex.
Reported-by: DaeRyong Jeong <threeearcat@gmail.com>
Fixes: 6b1e6cc7855b0 ("vhost: new device IOTLB API")
Signed-off-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Eric Auger
|
2ea541eb40 |
vhost: Fix vhost_copy_to_user()
[ Upstream commit 7ced6c98c7ab7a1f6743931e28671b833af79b1e ]
vhost_copy_to_user is used to copy vring used elements to userspace.
We should use VHOST_ADDR_USED instead of VHOST_ADDR_DESC.
Fixes: f88949138058 ("vhost: introduce O(1) vq metadata cache")
Signed-off-by: Eric Auger <eric.auger@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Stefan Hajnoczi
|
e240ffd5a3 |
vhost: fix vhost_vq_access_ok() log check
[ Upstream commit d14d2b78090c7de0557362b26a4ca591aa6a9faa ]
Commit d65026c6c62e7d9616c8ceb5a53b68bcdc050525 ("vhost: validate log
when IOTLB is enabled") introduced a regression. The logic was
originally:
if (vq->iotlb)
return 1;
return A && B;
After the patch the short-circuit logic for A was inverted:
if (A || vq->iotlb)
return A;
return B;
This patch fixes the regression by rewriting the checks in the obvious
way, no longer returning A when vq->iotlb is non-NULL (which is hard to
understand).
Reported-by: syzbot+65a84dde0214b0387ccd@syzkaller.appspotmail.com
Cc: Jason Wang <jasowang@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|