1981 Commits

Author SHA1 Message Date
Isaac J. Manjarres
d46b5c945c Merge android-4.14.52 (08850d5) into msm-4.14
* remotes/origin/tmp-08850d5:
  Linux 4.14.52
  mm, page_alloc: do not break __GFP_THISNODE by zonelist reset
  fs/binfmt_misc.c: do not allow offset overflow
  vhost: fix info leak due to uninitialized memory
  HID: wacom: Correct logical maximum Y for 2nd-gen Intuos Pro large
  HID: intel_ish-hid: ipc: register more pm callbacks to support hibernation
  orangefs: report attributes_mask and attributes for statx
  orangefs: set i_size on new symlink
  iwlwifi: fw: harden page loading code
  x86/intel_rdt: Enable CMT and MBM on new Skylake stepping
  w1: mxc_w1: Enable clock before calling clk_get_rate() on it
  libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
  libata: zpodd: small read overflow in eject_tray()
  cpufreq: governors: Fix long idle detection logic in load calculation
  cpufreq: Fix new policy initialization during limits updates via sysfs
  bdi: Move cgroup bdi_writeback to a dedicated low concurrency workqueue
  blk-mq: reinit q->tag_set_list entry only after grace period
  nbd: use bd_set_size when updating disk size
  nbd: update size when connected
  nbd: fix nbd device deletion
  cifs: For SMB2 security informaion query, check for minimum sized security descriptor instead of sizeof FileAllInformation class
  CIFS: 511c54a2f69195b28afb9dd119f03787b1625bb4 adds a check for session expiry
  smb3: on reconnect set PreviousSessionId field
  smb3: fix various xid leaks
  x86/MCE: Fix stack out-of-bounds write in mce-inject.c: Flags_read()
  ALSA: hda: add dock and led support for HP ProBook 640 G4
  ALSA: hda: add dock and led support for HP EliteBook 830 G5
  ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
  ALSA: hda/conexant - Add fixup for HP Z2 G4 workstation
  ALSA: hda/realtek - Enable mic-mute hotkey for several Lenovo AIOs
  btrfs: scrub: Don't use inode pages for device replace
  btrfs: return error value if create_io_em failed in cow_file_range
  Btrfs: fix memory and mount leak in btrfs_ioctl_rm_dev_v2()
  Btrfs: fix clone vs chattr NODATASUM race
  driver core: Don't ignore class_dir_create_and_add() failure.
  ext4: fix fencepost error in check for inode count overflow during resize
  ext4: correctly handle a zero-length xattr with a non-zero e_value_offs
  ext4: bubble errors from ext4_find_inline_data_nolock() up to ext4_iget()
  ext4: do not allow external inodes for inline data
  ext4: update mtime in ext4_punch_hole even if no blocks are released
  ext4: fix hole length detection in ext4_ind_map_blocks()
  NFSv4.1: Fix up replays of interrupted requests
  tls: fix use-after-free in tls_push_record
  hv_netvsc: Fix a network regression after ifdown/ifup
  net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds vlan
  udp: fix rx queue len reported by diag and proc interface
  socket: close race condition between sock_close() and sockfs_setattr()
  tcp: verify the checksum of the first data segment in a new connection
  net/sched: act_simple: fix parsing of TCA_DEF_DATA
  net: dsa: add error handling for pskb_trim_rcsum
  ipv6: allow PMTU exceptions to local routes
  cdc_ncm: avoid padding beyond end of skb
  bonding: re-evaluate force_primary when the primary slave name changes
  ANDROID: sdcardfs: fix potential crash when reserved_mb is not zero
  ANDROID: xt_qtaguid: Remove unnecessary null checks to device's name
  ANDROID: Add kconfig to make dm-verity check_at_most_once default enabled

Conflicts:
	net/netfilter/xt_qtaguid.c

Change-Id: I5c94ff8a691b9d84899d7863fbd309aa41c5c338
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-06-28 09:55:21 -07:00
Isaac J. Manjarres
bbea3fef30 Merge android-4.14.51 (a51b40c) into msm-4.14
* remotes/origin/tmp-a51b40c:
  Linux 4.14.51
  tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
  Btrfs: make raid6 rebuild retry more
  Btrfs: fix scrub to repair raid6 corruption
  Revert "Btrfs: fix scrub to repair raid6 corruption"
  ARM: kexec: fix kdump register saving on panic()
  ARM: 8758/1: decompressor: restore r1 and r2 just before jumping to the kernel
  ARM: 8753/1: decompressor: add a missing parameter to the addruart macro
  efi/libstub/arm64: Handle randomized TEXT_OFFSET
  parisc: Move setup_profiling_timer() out of init section
  sched/deadline: Make the grub_reclaim() function static
  sched/debug: Move the print_rt_rq() and print_dl_rq() declarations to kernel/sched/sched.h
  drm/dumb-buffers: Integer overflow in drm_mode_create_ioctl()
  locking/percpu-rwsem: Annotate rwsem ownership transfer by setting RWSEM_OWNER_UNKNOWN
  locking/rwsem: Add a new RWSEM_ANONYMOUSLY_OWNED flag
  clk: imx6ull: use OSC clock during AXI rate change
  ARM: davinci: board-dm646x-evm: set VPIF capture card name
  ARM: davinci: board-dm646x-evm: pass correct I2C adapter id for VPIF
  ARM: davinci: dm646x: fix timer interrupt generation
  i2c: viperboard: return message count on master_xfer success
  i2c: pmcmsp: fix error return from master_xfer
  i2c: pmcmsp: return message count on master_xfer success
  ARM: keystone: fix platform_domain_notifier array overrun
  usb: musb: fix remote wakeup racing with suspend
  afs: Fix the non-encryption of calls
  mtd: Fix comparison in map_word_andequal()
  x86/pkeys/selftests: Add a test for pkey 0
  x86/pkeys/selftests: Save off 'prot' for allocations
  x86/pkeys/selftests: Fix pointer math
  x86/pkeys/selftests: Fix pkey exhaustion test off-by-one
  x86/pkeys/selftests: Add PROT_EXEC test
  x86/pkeys/selftests: Factor out "instruction page"
  x86/pkeys/selftests: Allow faults on unknown keys
  x86/pkeys/selftests: Remove dead debugging code, fix dprint_in_signal
  x86/pkeys/selftests: Stop using assert()
  x86/pkeys/selftests: Give better unexpected fault error messages
  x86/selftests: Add mov_to_ss test
  x86/mpx/selftests: Adjust the self-test to fresh distros that export the MPX ABI
  x86/pkeys/selftests: Adjust the self-test to fresh distros that export the pkeys ABI
  objtool, kprobes/x86: Sync the latest <asm/insn.h> header with tools/objtool/arch/x86/include/asm/insn.h
  uprobes/x86: Prohibit probing on MOV SS instruction
  kprobes/x86: Prohibit probing on exception masking instructions
  ocfs2: take inode cluster lock before moving reflinked inode from orphan dir
  proc/kcore: don't bounds check against address 0
  init: fix false positives in W+X checking
  net sched actions: fix invalid pointer dereferencing if skbedit flags missing
  ixgbe: return error on unsupported SFP module when resetting
  x86: Delay skip of emulated hypercall instruction
  KVM: Extend MAX_IRQ_ROUTES to 4096 for all archs
  rxrpc: Fix the min security level for kernel calls
  rxrpc: Fix error reception on AF_INET6 sockets
  qede: Fix gfp flags sent to rdma event node allocation
  qed: Fix l2 initializations over iWARP personality
  tipc: eliminate KMSAN uninit-value in strcmp complaint
  agp: uninorth: make two functions static
  cifs: smb2ops: Fix listxattr() when there are no EAs
  arm64: Add MIDR encoding for NVIDIA CPUs
  can: dev: increase bus-off message severity
  net: aquantia: driver should correctly declare vlan_features bits
  x86/xen: Reset VCPU0 info pointer after shared_info remap
  mac80211: use timeout from the AddBA response instead of the request
  ARM: dts: cygnus: fix irq type for arm global timer
  driver core: add __printf verification to __ata_ehi_pushv_desc
  drm/omap: handle alloc failures in omap_connector
  drm/omap: check return value from soc_device_match
  drm/omap: fix possible NULL ref issue in tiler_reserve_2d
  drm/omap: fix uninitialized ret variable
  drm/omap: silence unititialized variable warning
  mac80211: Adjust SAE authentication timeout
  tee: check shm references are consistent in offset/size
  sh: fix build failure for J2 cpu with SMP disabled
  sched/core: Introduce set_special_state()
  spi: bcm2835aux: ensure interrupts are enabled for shared handler
  RDMA/cma: Do not query GID during QP state transition to RTR
  IB/hfi1: Fix memory leak in exception path in get_irq_affinity()
  IB/hfi1 Use correct type for num_user_context
  smc: fix sendpage() call
  ARM: OMAP1: ams-delta: fix deferred_fiq handler
  nvme: Set integrity flag for user passthrough commands
  nvme: fix potential memory leak in option parsing
  iommu/vt-d: fix shift-out-of-bounds in bug checking
  arm64: tegra: Make BCM89610 PHY interrupt as active low
  kthread, sched/wait: Fix kthread_parkme() wait-loop
  stop_machine, sched: Fix migrate_swap() vs. active_balance() deadlock
  parisc: drivers.c: Fix section mismatches
  bpf, x64: fix memleak when not converging after image
  scsi: vmw-pvscsi: return DID_BUS_BUSY for adapter-initated aborts
  hexagon: export csum_partial_copy_nocheck
  hexagon: add memset_io() helper
  Input: atmel_mxt_ts - fix the firmware update
  ARM: dts: logicpd-som-lv: Fix Audio Mute
  ARM: dts: logicpd-som-lv: Fix WL127x Startup Issues
  ARM: OMAP2+: powerdomain: use raw_smp_processor_id() for trace
  dt-bindings: panel: lvds: Fix path to display timing bindings
  ARM: davinci: board-dm355-evm: fix broken networking
  ARM: davinci: board-omapl138-hawk: fix GPIO numbers for MMC/SD lookup
  ARM: davinci: board-da850-evm: fix GPIO lookup for MMC/SD
  ARM: davinci: board-da830-evm: fix GPIO lookup for MMC/SD
  IB/core: Make ib_mad_client_id atomic
  <linux/stringhash.h>: fix end_name_hash() for 64bit long
  IB/rxe: avoid double kfree_skb
  IB/rxe: add RXE_START_MASK for rxe_opcode IB_OPCODE_RC_SEND_ONLY_INV
  RDMA/iwpm: fix memory leak on map_info
  RDMA/cma: Fix use after destroy access to net namespace for IPoIB
  IB/uverbs: Fix validating mandatory attributes
  IB: make INFINIBAND_ADDR_TRANS configurable
  ib_srp: depend on INFINIBAND_ADDR_TRANS
  ib_srpt: depend on INFINIBAND_ADDR_TRANS
  nvmet-rdma: depend on INFINIBAND_ADDR_TRANS
  nvme: depend on INFINIBAND_ADDR_TRANS
  tipc: fix bug in function tipc_nl_node_dump_monitor
  i2c: sprd: Fix the i2c count issue
  i2c: sprd: Prevent i2c accesses after suspend is called
  bpf: fix uninitialized variable in bpf tools
  x86/cpu/intel: Add missing TLB cpuid values
  ata: ahci: mvebu: override ahci_stop_engine for mvebu AHCI
  libahci: Allow drivers to override stop_engine
  KVM: arm/arm64: vgic: fix possible spectre-v1 in vgic_mmio_read_apr()
  arm64: fix possible spectre-v1 in ptrace_hbp_get_event()
  blk-mq: fix sysfs inflight counter
  HID: intel-ish-hid: use put_device() instead of kfree()
  rpmsg: added MODULE_ALIAS for rpmsg_char
  remoteproc: qcom: Fix potential device node leaks
  perf/x86/intel: Don't enable freeze-on-smi for PerfMon V1
  rds: ib: Fix missing call to rds_ib_dev_put in rds_ib_setup_qp
  selftests: ftrace: Add a testcase for multiple actions on trigger
  HID: wacom: Release device resource data obtained by devres_alloc()
  HID: lenovo: Add support for IBM/Lenovo Scrollpoint mice
  arm64: ptrace: remove addr_limit manipulation
  net: ethtool: Add missing kernel doc for FEC parameters
  thermal: int3403_thermal: Fix NULL pointer deref on module load / probe
  drm/amdkfd: fix clock counter retrieval for node without GPU
  ACPI / watchdog: Prefer iTCO_wdt on Lenovo Z50-70
  ARM: dts: da850: fix W=1 warnings with pinmux node
  net: phy: marvell: clear wol event before setting it
  powerpc/powernv/memtrace: Let the arch hotunplug code flush cache
  dt-bindings: meson-uart: DT fix s/clocks-names/clock-names/
  ACPI / PM: Blacklist Low Power S0 Idle _DSM for ThinkPad X1 Tablet(2016)
  usb: typec: ucsi: fix tracepoint related build error
  mm: memcg: add __GFP_NOWARN in __memcg_schedule_kmem_cache_create()
  kexec_file: do not add extra alignment to efi memmap
  proc: revalidate kernel thread inodes to root:root
  mm, pagemap: fix swap offset value for PMD migration entry
  scsi: isci: Fix infinite loop in while loop
  scsi: storvsc: Set up correct queue depth values for IDE devices
  parisc: time: Convert read_persistent_clock() to read_persistent_clock64()
  vfs: Undo an overly zealous MS_RDONLY -> SB_RDONLY conversion
  net: hns: Avoid action name truncation
  blkcg: init root blkcg_gq under lock
  drm/msm: don't deref error pointer in the msm_fbdev_create error path
  drm/msm/dsi: use correct enum in dsi_get_cmd_fmt
  drm/msm: Fix possible null dereference on failure of get_pages()
  ASoC: msm8916-wcd-analog: use threaded context for mbhc events
  netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update
  netfilter: nf_tables: NAT chain and extensions require NF_TABLES
  scsi: target: fix crash with iscsi target and dvd
  scsi: megaraid_sas: Do not log an error if FW successfully initializes.
  scsi: iscsi: respond to netlink with unicast when appropriate
  tipc: fix infinite loop when dumping link monitor summary
  blkcg: don't hold blkcg lock when deactivating policy
  spi: cadence: Add usleep_range() for cdns_spi_fill_tx_fifo()
  ASoC: topology: Check widget kcontrols before deref.
  xen: xenbus_dev_frontend: Really return response string
  ASoC: topology: Fix bugs of freeing soc topology
  PCI: kirin: Fix reset gpio name
  soc: bcm2835: Make !RASPBERRYPI_FIRMWARE dummies return failure
  soc: bcm: raspberrypi-power: Fix use of __packed
  eCryptfs: don't pass up plaintext names when using filename encryption
  ASoC: rt5514: Add the missing register in the readable table
  clk: honor CLK_MUX_ROUND_CLOSEST in generic clk mux
  dt-bindings: dmaengine: rcar-dmac: document R8A77965 support
  dt-bindings: serial: sh-sci: Add support for r8a77965 (H)SCIF
  dt-bindings: pinctrl: sunxi: Fix reference to driver
  doc: Add vendor prefix for Kieback & Peter GmbH
  spi: sh-msiof: Fix bit field overflow writes to TSCR/RSCR
  MIPS: dts: Boston: Fix PCI bus dtc warnings:
  isofs: fix potential memory leak in mount option parsing
  s390/smsgiucv: disable SMSG on module unload
  MIPS: io: Add barrier after register read in readX()
  fsnotify: fix ignore mask logic in send_to_group()
  perf report: Fix switching to another perf.data file
  nfp: ignore signals when communicating with management FW
  MIPS: io: Prevent compiler reordering writeX()
  x86: Add check for APIC access address for vmentry of L2 guests
  KVM: X86: fix incorrect reference of trace_kvm_pi_irte_update
  Input: synaptics-rmi4 - fix an unchecked out of memory error path
  clocksource/drivers/imx-tpm: Correct some registers operation flow

  stop_machine: Disable preemption when waking two stopper threads

  When cpu_stop_queue_two_works() begins to wake the stopper
  threads, it does so without preemption disabled, which leads
  to the following race condition:

  The source CPU calls cpu_stop_queue_two_works(), with cpu1
  as the source CPU, and cpu2 as the destination CPU. When
  adding the stopper threads to the wake queue used in this
  function, the source CPU stopper thread is added first,
  and the destination CPU stopper thread is added last.

  When wake_up_q() is invoked to wake the stopper threads, the
  threads are woken up in the order that they are queued in,
  so the source CPU's stopper thread is woken up first, and
  it preempts the thread running on the source CPU.

  The stopper thread will then execute on the source CPU,
  disable preemption, and begin executing multi_cpu_stop()
  and wait for an ack from the destination CPU's stopper thread,
  with preemption still disabled. Since the worker thread that
  woke up the stopper thread on the source CPU is affine to the
  source CPU, and preemption is disabled on the source CPU, that
  thread will never run to dequeue the destination CPU's stopper
  thread from the wake queue, and thus, the destination CPU's
  stopper thread will never run, causing the source CPU's stopper
  thread to wait forever, and stall.

  Disable preemption when waking the stopper threads in
  cpu_stop_queue_two_works() to ensure that the worker thread
  that is waking up the stopper threads isn't preempted
  by the source CPU's stopper thread, and permanently
  scheduled out, leaving the remaining stopper thread asleep
  in the wake queue.

Conflicts:
	drivers/gpu/drm/msm/msm_gem.c
	include/linux/sched.h
	kernel/kthread.c

Change-Id: I177cb8516cdfe50d61cb948ed342d330e61376a1
Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-06-28 09:30:40 -07:00
Davide Caratti
81d159444d net/sched: act_simple: fix parsing of TCA_DEF_DATA
[ Upstream commit 8d499533e0bc02d44283dbdab03142b599b8ba16 ]

Use nla_strlcpy() to avoid copying data beyond the length of the
TCA_DEF_DATA netlink attribute, in case it is less than SIMP_MAX_DATA
and it does not end with a '\0' character.

v2: fix errors in the commit message, thanks Hangbin Liu

Fixes: fa1b1cff3d06 ("net_cls_act: Make act_simple use of netlink policy.")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-06-26 08:06:28 +08:00
Roman Mashak
8690075430 net sched actions: fix invalid pointer dereferencing if skbedit flags missing
[ Upstream commit af5d01842fe1fbfb9f5e1c1d957ba02ab6f4569a ]

When an application fails to pass flags in the netlink TLV for a new skbedit
action, the kernel produces the following oops:

[    8.307732] BUG: unable to handle kernel paging request at 0000000000021130
[    8.309167] PGD 80000000193d1067 P4D 80000000193d1067 PUD 180e0067 PMD 0
[    8.310595] Oops: 0000 [#1] SMP PTI
[    8.311334] Modules linked in: kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd cryptd glue_helper serio_raw
[    8.314190] CPU: 1 PID: 397 Comm: tc Not tainted 4.17.0-rc3+ #357
[    8.315252] RIP: 0010:__tcf_idr_release+0x33/0x140
[    8.316203] RSP: 0018:ffffa0718038f840 EFLAGS: 00010246
[    8.317123] RAX: 0000000000000001 RBX: 0000000000021100 RCX: 0000000000000000
[    8.319831] RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000021100
[    8.321181] RBP: 0000000000000000 R08: 000000000004adf8 R09: 0000000000000122
[    8.322645] R10: 0000000000000000 R11: ffffffff9e5b01ed R12: 0000000000000000
[    8.324157] R13: ffffffff9e0d3cc0 R14: 0000000000000000 R15: 0000000000000000
[    8.325590] FS:  00007f591292e700(0000) GS:ffff8fcf5bc40000(0000) knlGS:0000000000000000
[    8.327001] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[    8.327987] CR2: 0000000000021130 CR3: 00000000180e6004 CR4: 00000000001606a0
[    8.329289] Call Trace:
[    8.329735]  tcf_skbedit_init+0xa7/0xb0
[    8.330423]  tcf_action_init_1+0x362/0x410
[    8.331139]  ? try_to_wake_up+0x44/0x430
[    8.331817]  tcf_action_init+0x103/0x190
[    8.332511]  tc_ctl_action+0x11a/0x220
[    8.333174]  rtnetlink_rcv_msg+0x23d/0x2e0
[    8.333902]  ? _cond_resched+0x16/0x40
[    8.334569]  ? __kmalloc_node_track_caller+0x5b/0x2c0
[    8.335440]  ? rtnl_calcit.isra.31+0xf0/0xf0
[    8.336178]  netlink_rcv_skb+0xdb/0x110
[    8.336855]  netlink_unicast+0x167/0x220
[    8.337550]  netlink_sendmsg+0x2a7/0x390
[    8.338258]  sock_sendmsg+0x30/0x40
[    8.338865]  ___sys_sendmsg+0x2c5/0x2e0
[    8.339531]  ? pagecache_get_page+0x27/0x210
[    8.340271]  ? filemap_fault+0xa2/0x630
[    8.340943]  ? page_add_file_rmap+0x108/0x200
[    8.341732]  ? alloc_set_pte+0x2aa/0x530
[    8.342573]  ? finish_fault+0x4e/0x70
[    8.343332]  ? __handle_mm_fault+0xbc1/0x10d0
[    8.344337]  ? __sys_sendmsg+0x53/0x80
[    8.345040]  __sys_sendmsg+0x53/0x80
[    8.345678]  do_syscall_64+0x4f/0x100
[    8.346339]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[    8.347206] RIP: 0033:0x7f591191da67
[    8.347831] RSP: 002b:00007fff745abd48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[    8.349179] RAX: ffffffffffffffda RBX: 00007fff745abe70 RCX: 00007f591191da67
[    8.350431] RDX: 0000000000000000 RSI: 00007fff745abdc0 RDI: 0000000000000003
[    8.351659] RBP: 000000005af35251 R08: 0000000000000001 R09: 0000000000000000
[    8.352922] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
[    8.354183] R13: 00007fff745afed0 R14: 0000000000000001 R15: 00000000006767c0
[    8.355400] Code: 41 89 d4 53 89 f5 48 89 fb e8 aa 20 fd ff 85 c0 0f 84 ed 00
00 00 48 85 db 0f 84 cf 00 00 00 40 84 ed 0f 85 cd 00 00 00 45 84 e4 <8b> 53 30
74 0d 85 d2 b8 ff ff ff ff 0f 8f b3 00 00 00 8b 43 2c
[    8.358699] RIP: __tcf_idr_release+0x33/0x140 RSP: ffffa0718038f840
[    8.359770] CR2: 0000000000021130
[    8.360438] ---[ end trace 60c66be45dfc14f0 ]---

The caller calls the action's ->init() and passes a pointer to
"struct tc_action *a", which may later be initialized to point at the existing
action; otherwise "struct tc_action *a" is still invalid, and dereferencing it
is an error, as happens in tcf_idr_release, where refcnt is decremented.

So in case of missing flags, tcf_idr_release must be called only for
existing actions.

v2:
    - prepare patch for net tree

Fixes: 5e1567aeb7fe ("net sched: skbedit action fix late binding")
Signed-off-by: Roman Mashak <mrv@mojatatu.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-06-21 04:02:57 +09:00
Blagovest Kolenichev
a5920a6efd Merge android-4.14.49 into msm-4.14
* refs/heads/tmp-37f5b3d
  Linux 4.14.49
  drm: set FMODE_UNSIGNED_OFFSET for drm files
  PCI: hv: Do not wait forever on a device that has disappeared
  cls_flower: Fix incorrect idr release when failing to modify rule
  rtnetlink: validate attributes in do_setlink()
  virtio-net: fix leaking page for gso packet during mergeable XDP
  net/mlx5e: When RXFCS is set, add FCS data into checksum calculation
  virtio-net: correctly check num_buf during err path
  tun: Fix NULL pointer dereference in XDP redirect
  net/mlx4: Fix irq-unsafe spinlock usage
  virtio-net: correctly transmit XDP buff after linearizing
  net-sysfs: Fix memory leak in XPS configuration
  net: phy: broadcom: Fix auxiliary control register reads
  ipv6: sr: fix memory OOB access in seg6_do_srh_encap/inline
  vrf: check the original netdevice for generating redirect
  vhost: synchronize IOTLB message with dev cleanup
  team: use netdev_features_t instead of u32
  sctp: not allow transport timeout value less than HZ/5 for hb_timer
  qed: Fix mask for physical address in ILT entry
  packet: fix reserve calculation
  net: usb: cdc_mbim: add flag FLAG_SEND_ZLP
  net: phy: broadcom: Fix bcm_write_exp()
  net/packet: refine check for priv area size
  net: metrics: add proper netlink validation
  net: ipv4: add missing RTA_TABLE to rtm_ipv4_policy
  netdev-FAQ: clarify DaveM's position for stable backports
  kcm: Fix use-after-free caused by clonned sockets
  isdn: eicon: fix a missing-check bug
  ipv6: omit traffic class when calculating flow hash
  ipv4: remove warning in ip_recv_error
  ipmr: properly check rhltable_init() return value
  ip6_tunnel: remove magic mtu value 0xFFF8
  ip6mr: only set ip6mr_table from setsockopt when ip6mr_new_table succeeds
  enic: set DMA mask to 47 bit
  dccp: don't free ccid2_hc_tx_sock struct in dccp_disconnect()
  bnx2x: use the right constant
  be2net: Fix error detection logic for BE3
  kconfig: Avoid format overflow warning from GCC 8.1
  btrfs: define SUPER_FLAG_METADUMP_V2
  mmap: relax file size limit for regular files
  mmap: introduce sane default mmap limits
  scsi: sd_zbc: Avoid that resetting a zone fails sporadically
  scsi: sd_zbc: Fix potential memory leak
  FROMLIST: f2fs: run fstrim asynchronously if runtime discard is on

Change-Id: I3b2bc1938bd99c73417b340af4ac523103e15775
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-06-14 08:14:48 -07:00
Paul Blakey
dd4be396b8 cls_flower: Fix incorrect idr release when failing to modify rule
[ Upstream commit 8258d2da9f9f521dce7019e018360c28d116354e ]

When we fail to modify a rule, we incorrectly release the idr handle
of the unmodified old rule.

Fix that by checking if we need to release it.

Fixes: fe2502e49b58 ("net_sched: remove cls_flower idr on failure")
Reported-by: Vlad Buslov <vladbu@mellanox.com>
Reviewed-by: Roi Dayan <roid@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Paul Blakey <paulb@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-06-11 22:49:22 +02:00
Isaac J. Manjarres
47984a2cfd Merge remote-tracking branch 'remotes/origin/tmp-cb1f148' into msm-4.14
* remotes/origin/tmp-cb1f148:
  Linux 4.14.47
  Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU"
  Revert "vti4: Don't override MTU passed on link creation via IFLA_MTU"
  Linux 4.14.46
  Revert "perf record: Fix crash in pipe mode"
  tools: sync up .h files with the repective arch and uapi .h files
  perf tools: Add trace/beauty/generated/ into .gitignore
  Linux 4.14.45
  drm/vmwgfx: Set dmabuf_size when vmw_dmabuf_init is successful
  kdb: make "mdr" command repeat
  pinctrl: mcp23s08: spi: Fix regmap debugfs entries
  pinctrl: msm: Use dynamic GPIO numbering
  regulator: of: Add a missing 'of_node_put()' in an error handling path of 'of_regulator_match()'
  ARM: dts: porter: Fix HDMI output routing
  ARM: dts: imx7d: cl-som-imx7: fix pinctrl_enet
  i40e: Add delay after EMP reset for firmware to recover
  regmap: Correct comparison in regmap_cached
  ARM: dts: at91: tse850: use the correct compatible for the eeprom
  drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen2
  drm: rcar-du: lvds: Fix LVDS startup on R-Car Gen3
  netlabel: If PF_INET6, check sk_buff ip header version
  selftests/net: fixes psock_fanout eBPF test case
  perf tests: Fix dwarf unwind for stripped binaries
  perf report: Fix memory corruption in --branch-history mode --branch-history
  perf tests: Use arch__compare_symbol_names to compare symbols
  perf report: Fix wrong jump arrow
  perf test: Fix test case inet_pton to accept inlines.
  x86/apic: Set up through-local-APIC mode on the boot CPU if 'noapic' specified
  drm/rockchip: Respect page offset for PRIME mmap calls
  MIPS: Octeon: Fix logging messages with spurious periods after newlines
  dpaa_eth: fix pause capability advertisement logic
  pinctrl: sh-pfc: r8a7796: Fix MOD_SEL register pin assignment for SSI pins group
  rcu: Call touch_nmi_watchdog() while printing stall warnings
  net: stmmac: call correct function in stmmac_mac_config_rx_queues_routing()
  audit: return on memory error to avoid null pointer dereference
  PCMCIA / PM: Avoid noirq suspend aborts during suspend-to-idle
  ARM: dts: bcm283x: Fix pin function of JTAG pins
  ARM: dts: bcm283x: Fix probing of bcm2835-i2s
  power: supply: ltc2941-battery-gauge: Fix temperature units
  sh_eth: fix TSU init on SH7734/R8A7740
  ixgbe: prevent ptp_rx_hang from running when in FILTER_ALL mode
  udf: Provide saner default for invalid uid / gid
  PCI: Add function 1 DMA alias quirk for Marvell 88SE9220
  dpaa_eth: fix SG mapping
  cpufreq: Reorder cpufreq_online() error code path
  net: stmmac: ensure that the MSS desc is the last desc to set the own bit
  net: stmmac: ensure that the device has released ownership before reading data
  drm/amdgpu: adjust timeout for ib_ring_tests(v2)
  drm/amdgpu: disable GFX ring and disable PQ wptr in hw_fini
  ARM: dts: dra71-evm: Correct evm_sd regulator max voltage
  drm: omapdrm: dss: Move initialization code from component bind to probe
  dmaengine: qcom: bam_dma: get num-channels and num-ees from dt
  vfio-ccw: fence off transport mode
  pinctrl: artpec6: dt: add missing pin group uart5nocts
  pinctrl: devicetree: Fix dt_to_map_one_config handling of hogs
  hwrng: stm32 - add reset during probe
  watchdog: asm9260_wdt: fix error handling in asm9260_wdt_probe()
  enic: enable rq before updating rq descriptors
  dmaengine: rcar-dmac: Check the done lists in rcar_dmac_chan_get_residue()
  dmaengine: pl330: fix a race condition in case of threaded irqs
  block: null_blk: fix 'Invalid parameters' when loading module
  tools: hv: fix compiler warnings about major/target_fname
  drm/bridge: sii902x: Retry status read after DDI I2C
  phy: qcom-qmp: Fix phy pipe clock gating
  ALSA: vmaster: Propagate slave error
  phy: rockchip-emmc: retry calpad busy trimming
  x86/devicetree: Fix device IRQ settings in DT
  x86/devicetree: Initialize device tree before using it
  gfs2: Fix fallocate chunk size
  soc: qcom: wcnss_ctrl: Fix increment in NV upload
  arm64: dts: qcom: Fix SPI5 config on MSM8996
  perf/x86/intel: Fix event update for auto-reload
  perf/x86/intel: Fix large period handling on Broadwell CPUs
  efi/arm*: Only register page tables when they exist
  cdrom: do not call check_disk_change() inside cdrom_open()
  perf/x86/intel: Properly save/restore the PMU state in the NMI handler
  hwmon: (pmbus/adm1275) Accept negative page register values
  hwmon: (pmbus/max8688) Accept negative page register values
  drm/panel: simple: Fix the bus format for the Ontat panel
  perf/core: Fix perf_output_read_group()
  max17042: propagate of_node to power supply device
  perf/core: Fix installing cgroup events on CPU
  f2fs: fix to check extent cache in f2fs_drop_extent_tree
  f2fs: fix to clear CP_TRIMMED_FLAG
  f2fs: fix to set KEEP_SIZE bit in f2fs_zero_range
  cxl: Check if PSL data-cache is available before issue flush request
  powerpc/powernv/npu: Fix deadlock in mmio_invalidate()
  powerpc: Add missing prototype for arch_irq_work_raise()
  drm/meson: Fix an un-handled error path in 'meson_drv_bind_master()'
  drm/meson: Fix some error handling paths in 'meson_drv_bind_master()'
  ipmi_ssif: Fix kernel panic at msg_done_handler
  watchdog: aspeed: Fix translation of reset mode to ctrl register
  watchdog: dw: RMW the control register
  PCI: Restore config space on runtime resume despite being unbound
  MIPS: ath79: Fix AR724X_PLL_REG_PCIE_CONFIG offset
  net/smc: pay attention to MAX_ORDER for CQ entries
  spi: bcm-qspi: fIX some error handling paths
  regulator: gpio: Fix some error handling paths in 'gpio_regulator_probe()'
  coresight: Use %px to print pcsr instead of %p
  drm/amdkfd: add missing include of mm.h
  IB/core: Honor port_num while resolving GID for IB link layer
  perf stat: Fix core dump when flag T is used
  perf top: Fix top.call-graph config option reading
  KVM: lapic: stop advertising DIRECTED_EOI when in-kernel IOAPIC is in use
  i2c: mv64xxx: Apply errata delay only in standard mode
  cxgb4: Fix queue free path of ULD drivers
  ACPICA: acpi: acpica: fix acpi operand cache leak in nseval.c
  ACPICA: Fix memory leak on unusual memory leak
  ACPICA: Events: add a return on failure from acpi_hw_register_read
  dt-bindings: add device tree binding for Allwinner H6 main CCU
  remoteproc: imx_rproc: Fix an error handling path in 'imx_rproc_probe()'
  bcache: quit dc->writeback_thread when BCACHE_DEV_DETACHING is set
  zorro: Set up z->dev.dma_mask for the DMA API
  IB/mlx5: Set the default active rate and width to QDR and 4X
  cpufreq: cppc_cpufreq: Fix cppc_cpufreq_init() failure path
  iommu/mediatek: Fix protect memory setting
  drm/vmwgfx: Unpin the screen object backup buffer when not used
  ext4: don't complain about incorrect features when probing
  arm: dts: socfpga: fix GIC PPI warning
  virtio-net: Fix operstate for virtio when no VIRTIO_NET_F_STATUS
  watchdog: aspeed: Allow configuring for alternate boot
  ima: Fallback to the builtin hash algorithm
  ima: Fix Kconfig to select TPM 2.0 CRB interface
  cxgb4: Setup FW queues before registering netdev
  ath9k: fix crash in spectral scan
  nvme-pci: disable APST for Samsung NVMe SSD 960 EVO + ASUS PRIME Z370-A
  ath10k: Fix kernel panic while using worker (ath10k_sta_rc_update_wk)
  watchdog: davinci_wdt: fix error handling in davinci_wdt_probe()
  net/mlx5: Protect from command bit overflow
  selftests: Print the test we're running to /dev/kmsg
  tools/thermal: tmon: fix for segfault
  rsi: fix kernel panic observed on 64bit machine
  powerpc/perf: Fix kernel address leak via sampling registers
  powerpc/perf: Prevent kernel address leak to userspace via BHRB buffer
  hwmon: (nct6775) Fix writing pwmX_mode
  parisc/pci: Switch LBA PCI bus from Hard Fail to Soft Fail mode
  iwlwifi: mvm: check if mac80211_queue is valid in iwl_mvm_disable_txq
  m68k: set dma and coherent masks for platform FEC ethernets
  intel_th: Use correct method of finding hub
  iommu/amd: Take into account that alloc_dev_data() may return NULL
  ath10k: advertize beacon_int_min_gcd
  ieee802154: ca8210: fix uninitialised data read
  powerpc/mpic: Check if cpu_possible() in mpic_physmask()
  ACPI: acpi_pad: Fix memory leak in power saving threads
  drivers: macintosh: rack-meter: really fix bogus memsets
  xen/acpi: off by one in read_acpi_id()
  rxrpc: Don't treat call aborts as conn aborts
  rxrpc: Fix Tx ring annotation after initial Tx failure
  btrfs: qgroup: Fix root item corruption when multiple same source snapshots are created with quota enabled
  btrfs: fix lockdep splat in btrfs_alloc_subvolume_writers
  Btrfs: fix copy_items() return value when logging an inode
  btrfs: tests/qgroup: Fix wrong tree backref level
  powerpc/64s: sreset panic if there is no debugger or crash dump handlers
  net: bgmac: Correctly annotate register space
  net: bgmac: Fix endian access in bgmac_dma_tx_ring_free()
  sparc64: Make atomic_xchg() an inline function rather than a macro.
  fscache: Fix hanging wait on page discarded by writeback
  lan78xx: Connect phy early
  KVM: VMX: raise internal error for exception during invalid protected mode state
  x86/mm: Fix bogus warning during EFI bootup, use boot_cpu_has() instead of this_cpu_has() in build_cr3_noflush()
  sched/rt: Fix rq->clock_update_flags < RQCF_ACT_SKIP warning
  powerpc/64s/idle: Fix restore of AMOR on POWER9 after deep sleep
  ocfs2/dlm: don't handle migrate lockres if already in shutdown
  IB/rxe: Fix for oops in rxe_register_device on ppc64le arch
  btrfs: Fix possible softlock on single core machines
  Btrfs: fix NULL pointer dereference in log_dir_items
  Btrfs: bail out on error during replay_dir_deletes
  mm: thp: fix potential clearing to referenced flag in page_idle_clear_pte_refs_one()
  mm: fix races between address_space dereference and free in page_evicatable
  mm/ksm: fix interaction with THP
  ibmvnic: Zero used TX descriptor counter on reset
  dp83640: Ensure against premature access to PHY registers after reset
  perf clang: Add support for recent clang versions
  perf tools: Fix perf builds with clang support
  powerpc/fscr: Enable interrupts earlier before calling get_user()
  cpufreq: CPPC: Initialize shared perf capabilities of CPUs
  Force log to disk before reading the AGF during a fstrim
  sr: get/drop reference to device in revalidate and check_events
  z3fold: fix memory leak
  swap: divide-by-zero when zero length swap file on ssd
  fs/proc/proc_sysctl.c: fix potential page fault while unregistering sysctl table
  x86/mm: Do not forbid _PAGE_RW before init for __ro_after_init
  x86/pgtable: Don't set huge PUD/PMD on non-leaf entries
  Btrfs: fix loss of prealloc extents past i_size after fsync log replay
  Btrfs: clean up resources during umount after trans is aborted
  nvme: don't send keep-alives to the discovery controller
  firmware: dmi_scan: Fix UUID length safety check
  sh: fix debug trap failure to process signals before return to user
  net: mvneta: fix enable of all initialized RXQs
  vlan: Fix vlan insertion for packets without ethernet header
  net: Fix untag for vlan packets without ethernet header
  qede: Do not drop rx-checksum invalidated packets.
  hv_netvsc: enable multicast if necessary
  mm/kmemleak.c: wait for scan completion before disabling free
  mm/vmstat.c: fix vmstat_update() preemption BUG
  mm/page_owner: fix recursion bug after changing skip entries
  mm, slab: memcg_link the SLAB's kmem_cache
  qede: Fix barrier usage after tx doorbell write.
  builddeb: Fix header package regarding dtc source links
  llc: properly handle dev_queue_xmit() return value
  x86/alternatives: Fixup alternative_call_2
  perf/x86/intel: Fix linear IP of PEBS real_ip on Haswell and later CPUs
  net/mlx5: Make eswitch support to depend on switchdev
  net: dsa: mt7530: fix module autoloading for OF platform drivers
  bonding: fix the err path for dev hwaddr sync in bond_enslave
  net: qmi_wwan: add BroadMobi BM806U 2020:2033
  lan78xx: Set ASD in MAC_CR when EEE is enabled.
  ARM: 8748/1: mm: Define vdso_start, vdso_end as array
  batman-adv: fix packet loss for broadcasted DHCP packets to a server
  batman-adv: fix multicast-via-unicast transmission with AP isolation
  drm/amdkfd: Fix scratch memory with HWS enabled
  selftests: ftrace: Add a testcase for probepoint
  selftests: ftrace: Add a testcase for string type with kprobe_event
  selftests: ftrace: Add probe event argument syntax testcase
  xfrm: Fix transport mode skb control buffer usage.
  mm, thp: do not cause memcg oom for thp
  mm/mempolicy.c: avoid use uninitialized preferred_node
  drm/ast: Fixed 1280x800 Display Issue
  net: dsa: Fix functional dsa-loop dependency on FIXED_PHY
  net/sched: fix idr leak in the error path of tcf_skbmod_init()
  net/sched: fix idr leak in the error path of __tcf_ipt_init()
  net/sched: fix idr leak in the error path of tcp_pedit_init()
  net/sched: fix idr leak in the error path of tcf_act_police_init()
  net/sched: fix idr leak in the error path of tcf_simp_init()
  net/sched: fix idr leak on the error path of tcf_bpf_init()
  RDMA/qedr: Fix QP state initialization race
  RDMA/qedr: Fix rc initialization on CNQ allocation failure
  RDMA/qedr: fix QP's ack timeout configuration
  RDMA/ucma: Correct option size check using optlen
  kbuild: make scripts/adjust_autoksyms.sh robust against timestamp races
  brcmfmac: Fix check for ISO3166 code
  perf/cgroup: Fix child event counting bug
  drm/tegra: Shutdown on driver unbind
  iwlwifi: mvm: fix array out of bounds reference
  iwlwifi: mvm: make sure internal station has a valid id
  iwlwifi: mvm: clear tx queue id when unreserving aggregation queue
  iwlwifi: mvm: Increase session protection time after CS
  vti6: Fix dev->max_mtu setting
  vti4: Don't override MTU passed on link creation via IFLA_MTU
  ip_tunnel: Clamp MTU to bounds on new link
  vti4: Don't count header length twice on tunnel setup
  batman-adv: Fix skbuff rcsum on packet reroute
  net/sched: fix NULL dereference in the error path of tcf_sample_init()
  batman-adv: fix header size check in batadv_dbg_arp()
  vlan: Fix out of order vlan headers with reorder header off
  net: Fix vlan untag for bridge and vlan_dev with reorder_hdr off
  iwlwifi: mvm: fix error checking for multi/broadcast sta
  iwlwifi: mvm: Correctly set IGTK for AP
  iwlwifi: mvm: set the correct tid when we flush the MCAST sta
  xfrm: fix rcu_read_unlock usage in xfrm_local_error
  drm/nouveau/bl: fix backlight regression
  drm/imx: move arming of the vblank event to atomic_flush
  gpu: ipu-v3: prg: avoid possible array underflow
  KVM: arm/arm64: vgic: Add missing irq_lock to vgic_mmio_read_pending
  sunvnet: does not support GSO for sctp
  ipv4: lock mtu in fnhe when received PMTU < net.ipv4.route.min_pmtu
  workqueue: use put_device() instead of kfree()
  bnxt_en: Check valid VNIC ID in bnxt_hwrm_vnic_set_tpa().
  can: m_can: select pinctrl state in each suspend/resume function
  can: m_can: change comparison to bitshift when dealing with a mask
  netfilter: ebtables: fix erroneous reject of last rule
  dmaengine: mv_xor_v2: Fix clock resource by adding a register clock
  lib/test_kmod.c: fix limit check on number of test devices created
  selftests/vm/run_vmtests: adjust hugetlb size according to nr_cpus
  arm64: Relax ARM_SMCCC_ARCH_WORKAROUND_1 discovery
  ARM: davinci: fix the GPIO lookup for omapl138-hawk
  hv_netvsc: fix locking during VF setup
  hv_netvsc: fix locking for rx_mode
  hv_netvsc: fix filter flags
  xen: xenbus: use put_device() instead of kfree()
  xen-blkfront: move negotiate_mq to cover all cases of new VBDs
  cxgb4: do not set needs_free_netdev for mgmt dev's
  IB/core: Fix possible crash to access NULL netdev
  net: smsc911x: Fix unload crash when link is up
  net: qcom/emac: Use proper free methods during TX
  qed: Free RoCE ILT Memory on rmmod qedr
  fsl/fman: avoid sleeping in atomic context while adding an address
  fbdev: Fixing arbitrary kernel leak in case FBIOGETCMAP_SPARC in sbusfb_ioctl_helper().
  IB/mlx5: Fix an error code in __mlx5_ib_modify_qp()
  IB/mlx4: Include GID type when deleting GIDs from HW table under RoCE
  IB/mlx4: Fix corruption of RoCEv2 IPv4 GIDs
  RDMA/qedr: Fix iWARP write and send with immediate
  RDMA/qedr: Fix kernel panic when running fio over NFSoRDMA
  ia64/err-inject: Use get_user_pages_fast()
  e1000e: allocate ring descriptors with dma_zalloc_coherent
  e1000e: Fix check_for_link return value with autoneg off
  perf record: Fix crash in pipe mode
  ARM: dts: rockchip: Add missing #sound-dai-cells on rk3288
  hv_netvsc: propagate rx filters to VF
  hv_netvsc: filter multicast/broadcast
  hv_netvsc: use napi_schedule_irqoff
  batman-adv: Fix multicast packet loss with a single WANT_ALL_IPV4/6 flag
  watchdog: sbsa: use 32-bit read for WCV
  watchdog: f71808e_wdt: Fix magic close handling
  rds: Incorrect reference counting in TCP socket creation
  iwlwifi: mvm: Correctly set the tid for mcast queue
  iwlwifi: mvm: Direct multicast frames to the correct station
  iwlwifi: mvm: fix "failed to remove key" message
  iwlwifi: avoid collecting firmware dump if not loaded
  iwlwifi: mvm: fix assert 0x2B00 on older FWs
  iwlwifi: mvm: Fix channel switch for count 0 and 1
  iwlwifi: mvm: fix TX of CCMP 256
  net: ethtool: don't ignore return from driver get_fecparam method
  selftests/powerpc: Skip the subpage_prot tests if the syscall is unavailable
  nvme: pci: pass max vectors as num_possible_cpus() to pci_alloc_irq_vectors
  nvme-pci: Fix EEH failure on ppc
  block: display the correct diskname for bio
  ceph: fix potential memory leak in init_caches()
  Btrfs: fix log replay failure after linking special file and fsync
  Btrfs: send, fix issuing write op when processing hole in no data mode
  btrfs: use kvzalloc to allocate btrfs_fs_info
  drm/sun4i: Fix dclk_set_phase
  arm64: dts: rockchip: Fix rk3399-gru-* s2r (pinctrl hogs, wifi reset)
  xfrm: Fix ESN sequence number handling for IPsec GSO packets.
  drm/amd/amdgpu: Correct VRAM width for APUs with GMC9
  xen/pirq: fix error path cleanup when binding MSIs
  RDMA/bnxt_re: Fix the ib_reg failure cleanup
  RDMA/bnxt_re: Fix incorrect DB offset calculation
  RDMA/bnxt_re: Unconditionly fence non wire memory operations
  IB/mlx: Set slid to zero in Ethernet completion struct
  ipvs: remove IPS_NAT_MASK check to fix passive FTP
  ARC: setup cpu possible mask according to possible-cpus dts property
  ARC: mcip: update MCIP debug mask when the new cpu came online
  ARC: mcip: halt GFRC counter when ARC cores halt
  spectrum: Reference count VLAN entries
  mlxsw: spectrum: Treat IPv6 unregistered multicast as broadcast
  mlxsw: core: Fix flex keys scratchpad offset conflict
  net/smc: use link_id of server in confirm link reply
  nvmet: fix PSDT field check in command format
  net/tcp/illinois: replace broken algorithm reference link
  gianfar: Fix Rx byte accounting for ndev stats
  clocksource/drivers/mips-gic-timer: Use correct shift count to extract data
  powerpc/boot: Fix random libfdt related build errors
  ARM: dts: bcm283x: Fix unit address of local_intc
  ARM: dts: NSP: Fix amount of RAM on BCM958625HR
  nbd: fix return value in error handling path
  sit: fix IFLA_MTU ignored on NEWLINK
  ip6_tunnel: fix IFLA_MTU ignored on NEWLINK
  ip_gre: fix IFLA_MTU ignored on NEWLINK
  bcache: fix kcrashes with fio in RAID5 backend dev
  dmaengine: rcar-dmac: fix max_chunk_size for R-Car Gen3
  virtio-gpu: fix ioctl and expose the fixed status to userspace.
  r8152: fix tx packets accounting
  selftests/futex: Fix line continuation in Makefile
  qrtr: add MODULE_ALIAS macro to smd
  ARM: orion5x: Revert commit 4904dbda41c8.
  xen/pvcalls: fix null pointer dereference on map->sock
  ceph: fix dentry leak when failing to init debugfs
  libceph, ceph: avoid memory leak when specifying same option several times
  clocksource/drivers/fsl_ftm_timer: Fix error return checking
  nvme-pci: Fix nvme queue cleanup if IRQ setup fails
  batman-adv: Fix netlink dumping of BLA backbones
  batman-adv: Fix netlink dumping of BLA claims
  batman-adv: Ignore invalid batadv_v_gw during netlink send
  batman-adv: Ignore invalid batadv_iv_gw during netlink send
  netfilter: ebtables: convert BUG_ONs to WARN_ONs
  netfilter: ipt_CLUSTERIP: put config instead of freeing it
  netfilter: ipt_CLUSTERIP: put config struct if we can't increment ct refcount
  batman-adv: invalidate checksum on fragment reassembly
  batman-adv: fix packet checksum in receive path
  md/raid1: fix NULL pointer dereference
  md: fix a potential deadlock of raid5/raid10 reshape
  fs: dcache: Use READ_ONCE when accessing i_dir_seq
  fs: dcache: Avoid livelock between d_alloc_parallel and __d_add
  ARM: dts: imx6dl: Include correct dtsi file for Engicam i.CoreM6 DualLite/Solo RQS
  kvm: fix warning for CONFIG_HAVE_KVM_EVENTFD builds
  KVM: nVMX: Don't halt vcpu when L1 is injecting events to L2
  macvlan: fix use-after-free in macvlan_common_newlink()
  arm64: fix unwind_frame() for filtered out fn for function graph tracing
  mac80211: drop frames with unexpected DS bits from fast-rx to slow path
  x86/topology: Update the 'cpu cores' field in /proc/cpuinfo correctly across CPU hotplug operations
  locking/xchg/alpha: Fix xchg() and cmpxchg() memory ordering bugs
  x86/intel_rdt: Fix incorrect returned value when creating rdgroup sub-directory in resctrl file system
  integrity/security: fix digsig.c build error with header file
  regulatory: add NUL to request alpha2
  smsc75xx: fix smsc75xx_set_features()
  ARM: OMAP: Fix dmtimer init for omap1
  nfs: system crashes after NFS4ERR_MOVED recovery
  arm64: dts: cavium: fix PCI bus dtc warnings
  PKCS#7: fix direct verification of SignerInfo signature
  selftests/bpf/test_maps: exit child process without error in ENOMEM case
  s390/cio: clear timer when terminating driver I/O
  s390/cio: fix return code after missing interrupt
  s390/cio: fix ccw_device_start_timeout API
  powerpc/bpf/jit: Fix 32-bit JIT for seccomp_data access
  soc: imx: gpc: de-register power domains only if initialized
  seccomp: add a selftest for get_metadata
  selftests/memfd: add run_fuse_test.sh to TEST_FILES
  bug.h: work around GCC PR82365 in BUG()
  kernel/relay.c: limit kmalloc size to KMALLOC_MAX_SIZE
  virtio_net: fix XDP code path in receive_small()
  md: raid5: avoid string overflow warning
  locking/xchg/alpha: Add unconditional memory barrier to cmpxchg()
  net/mlx5e: Return error if prio is specified when offloading eswitch vlan push
  ibmvnic: Check for NULL skb's in NAPI poll routine
  RDMA/bnxt_re: Fix system crash during load/unload
  RDMA/bnxt_re: Unpin SQ and RQ memory if QP create fails
  arm64: perf: correct PMUVer probing
  drm/meson: fix vsync buffer update
  drm/exynos: fix comparison to bitshift when dealing with a mask
  drm/exynos: g2d: use monotonic timestamps
  md raid10: fix NULL deference in handle_write_completed()
  gpu: ipu-v3: prg: fix device node leak in ipu_prg_lookup_by_phandle
  gpu: ipu-v3: pre: fix device node leak in ipu_pre_lookup_by_phandle
  mac80211: Fix sending ADDBA response for an ongoing session
  mac80211: Do not disconnect on invalid operating class
  cfg80211: clear wep keys after disconnection
  mac80211: fix calling sleeping function in atomic context
  mac80211: fix a possible leak of station stats
  mac80211: round IEEE80211_TX_STATUS_HEADROOM up to multiple of 4
  xfrm: do not call rcu_read_unlock when afinfo is NULL in xfrm_get_tos
  s390/dasd: fix handling of internal requests
  md: fix md_write_start() deadlock w/o metadata devices
  MD: Free bioset when md_run fails
  rxrpc: Work around usercopy check
  NFC: llcp: Limit size of SDP URI
  iwlwifi: mvm: always init rs with 20mhz bandwidth rates
  iwlwifi: mvm: fix IBSS for devices that support station type API
  iwlwifi: mvm: fix security bug in PN checking
  ARM: dts: rockchip: Fix DWMMC clocks
  arm64: dts: rockchip: Fix DWMMC clocks
  IB/uverbs: Fix unbalanced unlock on error path for rdma_explicit_destroy
  IB/uverbs: Fix possible oops with duplicate ioctl attributes
  IB/uverbs: Fix method merging in uverbs_ioctl_merge
  xhci: workaround for AMD Promontory disabled ports wakeup
  tls: retrun the correct IV in getsockopt
  ibmvnic: Clean RX pool buffers during device close
  ibmvnic: Free RX socket buffer in case of adapter error
  ibmvnic: Wait until reset is complete to set carrier on
  ARM: OMAP1: clock: Fix debugfs_create_*() usage
  ARM: OMAP2+: Fix sar_base inititalization for HS omaps
  ARM: OMAP3: Fix prm wake interrupt for resume
  ARM: OMAP2+: timer: fix a kmemleak caused in omap_get_timer_dt
  selftests: memfd: add config fragment for fuse
  selftests: pstore: Adding config fragment CONFIG_PSTORE_RAM=m
  selftest/vDSO: fix O=
  selftests: sync: missing CFLAGS while compiling
  libata: Fix compile warning with ATA_DEBUG enabled
  arm64: dts: rockchip: correct ep-gpios for rk3399-sapphire
  arm64: dts: rockchip: fix rock64 gmac2io stability issues
  ptr_ring: prevent integer overflow when calculating size
  ARC: Fix malformed ARC_EMUL_UNALIGNED default
  mac80211: mesh: fix wrong mesh TTL offset calculation
  MIPS: generic: Fix machine compatible matching
  powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit
  powerpc/64s: Fix section mismatch warnings from setup_rfi_flush()
  powerpc/pseries: Restore default security feature flags on setup
  powerpc: Move default security feature flags
  powerpc/pseries: Fix clearing of security feature flags
  powerpc/64s: Wire up cpu_show_spectre_v2()
  powerpc/64s: Wire up cpu_show_spectre_v1()
  powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
  powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
  powerpc/64s: Enhance the information in cpu_show_meltdown()
  powerpc/64s: Move cpu_show_meltdown()
  powerpc/powernv: Set or clear security feature flags
  powerpc/pseries: Set or clear security feature flags
  powerpc: Add security feature flags for Spectre/Meltdown
  powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
  powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration
  powerpc/rfi-flush: Differentiate enabled and patched flush types
  powerpc/rfi-flush: Always enable fallback flush on pseries
  powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again
  powerpc/rfi-flush: Move the logic to avoid a redo into the debugfs code
  powerpc/powernv: Support firmware disable of RFI flush
  powerpc/pseries: Support firmware disable of RFI flush
  powerpc/64s: Improve RFI L1-D cache flush fallback
  x86/kvm: fix LAPIC timer drift when guest uses periodic mode
  kvm: x86: IA32_ARCH_CAPABILITIES is always supported
  KVM: x86: Update cpuid properly when CR4.OSXAVE or CR4.PKE is changed
  KVM: s390: vsie: fix < 8k check for the itdba
  KVM/VMX: Expose SSBD properly to guests
  kernel/sys.c: fix potential Spectre v1 issue
  kasan: fix memory hotplug during boot
  kasan: free allocated shadow memory on MEM_CANCEL_ONLINE
  mm/kasan: don't vfree() nonexistent vm_area
  ipc/shm: fix shmat() nil address after round-down when remapping
  Revert "ipc/shm: Fix shmat mmap nil-page protection"
  idr: fix invalid ptr dereference on item delete
  sr: pass down correctly sized SCSI sense buffer
  IB/umem: Use the correct mm during ib_umem_release
  IB/hfi1: Use after free race condition in send context error path
  powerpc/64s: Clear PCR on boot
  arm64: lse: Add early clobbers to some input/output asm operands
  drm/vmwgfx: Fix 32-bit VMW_PORT_HB_[IN|OUT] macros
  xen-swiotlb: fix the check condition for xen_swiotlb_free_coherent
  libata: blacklist Micron 500IT SSD with MU01 firmware
  libata: Blacklist some Sandisk SSDs for NCQ
  mmc: sdhci-iproc: add SDHCI_QUIRK2_HOST_OFF_CARD_ON for cygnus
  mmc: sdhci-iproc: fix 32bit writes for TRANSFER_MODE register
  mmc: sdhci-iproc: remove hard coded mmc cap 1.8v
  do d_instantiate/unlock_new_inode combinations safely
  ALSA: timer: Fix pause event notification
  aio: fix io_destroy(2) vs. lookup_ioctx() race
  fs: don't scan the inode cache before SB_BORN is set
  affs_lookup(): close a race with affs_remove_link()
  KVM: Fix spelling mistake: "cop_unsuable" -> "cop_unusable"
  MIPS: Fix ptrace(2) PTRACE_PEEKUSR and PTRACE_POKEUSR accesses to o32 FGRs
  MIPS: ptrace: Expose FIR register through FP regset
  MIPS: c-r4k: Fix data corruption related to cache coherence
  UPSTREAM: sched/fair: Consider RT/IRQ pressure in capacity_spare_wake
  BACKPORT, FROMLIST: fscrypt: add Speck128/256 support

Change-Id: I64e5327b80b23c1ef79abed4b67bdb6a5684ec43
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-05-30 17:10:28 -07:00
Isaac J. Manjarres
f38622d678 Merge remote-tracking branch 'remotes/origin/tmp-6e962a3' into msm-4.14
* remotes/origin/tmp-6e962a3:
  Linux 4.14.44
  rtc: goldfish: Add missing MODULE_LICENSE
  rtc: rp5c01: fix possible race condition
  rtc: tx4939: avoid unintended sign extension on a 24 bit shift
  rtc: m41t80: fix race conditions
  rtc: rk808: fix possible race condition
  rtc: hctosys: Ensure system time doesn't overflow time_t
  rtc: snvs: Fix usage of snvs_rtc_enable
  serial: altera: ensure port->regshift is honored consistently
  serial: 8250: Don't service RX FIFO if interrupts are disabled
  serial: arc_uart: Fix out-of-bounds access through DT alias
  serial: fsl_lpuart: Fix out-of-bounds access through DT alias
  serial: imx: Fix out-of-bounds access through serial port index
  serial: mxs-auart: Fix out-of-bounds access through serial port index
  serial: samsung: Fix out-of-bounds access through serial port index
  serial: sh-sci: Fix out-of-bounds access through DT alias
  serial: xuartps: Fix out-of-bounds access through DT alias
  media: cx25821: prevent out-of-bounds read on array card
  media: vivid: fix incorrect capabilities for radio
  media: vb2: Fix videobuf2 to map correct area
  media: i2c: adv748x: fix HDMI field heights
  media: v4l: vsp1: Fix display stalls when requesting too many inputs
  media: em28xx: Add Hauppauge SoloHD/DualHD bulk models
  media: lgdt3306a: Fix a double kfree on i2c device remove
  media: s3c-camif: fix out-of-bounds array access
  media: cx23885: Set subdev host data to clk_freq pointer
  media: cx23885: Override 888 ImpactVCBe crystal frequency
  media: ov5645: add missing of_node_put() in error path
  media: Don't let tvp5150_get_vbi() go out of vbi_ram_default array
  media: dmxdev: fix error code for invalid ioctls
  clk: samsung: exynos3250: Fix PLL rates
  clk: samsung: exynos5250: Fix PLL rates
  clk: samsung: exynos5433: Fix PLL rates
  clk: samsung: exynos5260: Fix PLL rates
  clk: samsung: exynos7: Fix PLL rates
  clk: samsung: s3c2410: Fix PLL rates
  clk: rockchip: Prevent calculating mmc phase if clock rate is zero
  clk: tegra: Fix pll_u rate configuration
  clk: hisilicon: mark wdt_mux_p[] as const
  clk: Don't show the incorrect clock phase
  clk: rockchip: Fix wrong parent for SDMMC phase clock for rk3228
  ASoC: samsung: i2s: Ensure the RCLK rate is properly determined
  ASoC: topology: create TLV data for dapm widgets
  ASoC: samsung: odroid: Fix 32000 sample rate handling
  ASoC: rockchip: rk3288-hdmi-analog: Select needed codecs
  ASoC: hdmi-codec: Fix module unloading caused kernel crash
  scsi: lpfc: Fix frequency of Release WQE CQEs
  scsi: lpfc: Fix soft lockup in lpfc worker thread during LIP testing
  scsi: lpfc: Fix issue_lip if link is disabled
  scsi: mvsas: fix wrong endianness of sgpio api
  scsi: core: Make SCSI Status CONDITION MET equivalent to GOOD
  scsi: aacraid: Insure command thread is not recursively stopped
  scsi: iscsi_tcp: set BDI_CAP_STABLE_WRITES when data digest enabled
  scsi: sd: Keep disk read-only when re-reading partition
  scsi: mpt3sas: Do not mark fw_event workqueue as WQ_MEM_RECLAIM
  scsi: qedi: Fix kernel crash during port toggle
  scsi: qla4xxx: skip error recovery in case of register disconnect.
  scsi: aacraid: fix shutdown crash when init fails
  scsi: qedi: Fix truncation of CHAP name and secret
  scsi: storvsc: Increase cmd_per_lun for higher speed devices
  scsi: qla2xxx: Avoid triggering undefined behavior in qla2x00_mbx_completion()
  scsi: mptfusion: Add bounds check in mptctl_hp_targetinfo()
  scsi: sym53c8xx_2: iterator underflow in sym_getsync()
  scsi: bnx2fc: Fix check in SCSI completion handler for timed out request
  scsi: ufs: Enable quirk to ignore sending WRITE_SAME command
  scsi: qla2xxx: Fix memory corruption during hba reset test
  scsi: mpt3sas: fix an out of bound write
  crypto: inside-secure - fix the invalidation step during cra_exit
  crypto: sunxi-ss - Add MODULE_ALIAS to sun4i-ss
  crypto: inside-secure - fix the extra cache computation
  crypto: inside-secure - fix the cache_len computation
  crypto: inside-secure - do not process request if no command was issued
  crypto: ccp - don't disable interrupts while setting up debugfs
  crypto: atmel-aes - fix the keys zeroing on errors
  crypto: inside-secure - wait for the request to complete if in the backlog
  staging: lustre: lmv: correctly iput lmo_root
  staging: ks7010: Use constants from ieee80211_eid instead of literal ints.
  staging: rtl8192u: return -ENOMEM on failed allocation of priv->oldaddr
  staging: fsl-dpaa2/eth: Fix incorrect casts
  staging: lustre: fix bug in osc_enter_cache_try
  staging: bcm2835-audio: Release resources on module_exit()
  xhci: Show what USB release number the xHC supports from protocol capablity
  Bluetooth: btusb: Add device ID for RTL8822BE
  media: em28xx: USB bulk packet size fix
  media: lgdt3306a: Fix module count mismatch on usb unplug
  usb: gadget: composite: fix incorrect handling of OS desc requests
  usb: gadget: udc: change comparison to bitshift when dealing with a mask
  usbip: Correct maximum value of CONFIG_USBIP_VHCI_HC_PORTS
  usb: gadget: ffs: Execute copy_to_user() with USER_DS set
  usb: gadget: ffs: Let setup() return USB_GADGET_DELAYED_STATUS
  usb: dwc2: host: Fix transaction errors in host mode
  usb: dwc2: hcd: Fix host channel halt flow
  usb: dwc2: Fix interval type issue
  xhci: zero usb device slot_id member when disabling and freeing a xhci slot
  usb: dwc3: Makefile: fix link error on randconfig
  usb: dwc3: Update DWC_usb31 GTXFIFOSIZ reg fields
  usb: dwc3: Add SoftReset PHY synchonization delay
  ALSA: usb-audio: Add native DSD support for Luxman DA-06
  Bluetooth: btusb: Add USB ID 7392:a611 for Edimax EW-7611ULB
  net-usb: add qmi_wwan if on lte modem wistron neweb d18q1
  net/usb/qmi_wwan.c: Add USB id for lt4120 modem
  USB: OHCI: Fix NULL dereference in HCDs using HCD_LOCAL_MEM
  usb: host: xhci-plat: revert "usb: host: xhci-plat: enable clk in resume timing"
  ARM: dts: imx7d-sdb: Fix regulator-usb-otg2-vbus node name
  net: usbnet: fix potential deadlock on 32bit hosts
  usb: cdc_acm: prevent race at write to acm while system resumes
  usb: dwc2: Fix dwc2_hsotg_core_init_disconnected()
  usb: gadget: fsl_udc_core: fix ep valid checks
  usb: gadget: core: Fix use-after-free of usb_request
  usb: dwc3: omap: don't miss events during suspend/resume
  usb: dwc3: Undo PHY init if soft reset fails
  usb: gadget: f_uac2: fix bFirstInterface in composite gadget
  x86/kexec: Avoid double free_page() upon do_kexec_load() failure
  hfsplus: stop workqueue when fill_super() failed
  cfg80211: limit wiphy names to 128 bytes
  loop: fix LOOP_GET_STATUS lock imbalance
  loop: don't call into filesystem while holding lo_ctl_mutex
  scsi: zfcp: fix infinite iteration on ERP ready list
  scsi: sg: allocate with __GFP_ZERO in sg_build_indirect()
  scsi: libsas: defer ata device eh commands to libata
  s390: use expoline thunks in the BPF JIT
  s390: extend expoline to BC instructions
  s390: move spectre sysfs attribute code
  s390/kernel: use expoline for indirect branches
  s390/ftrace: use expoline for indirect branches
  s390/lib: use expoline for indirect branches
  s390/crc32-vx: use expoline for indirect branches
  s390: move expoline assembler macros to a header
  s390: add assembler macros for CPU alternatives
  ext2: fix a block leak
  sparc: vio: use put_device() instead of kfree()
  hv_netvsc: Fix net device attach on older Windows hosts
  hv_netvsc: Ensure correct teardown message sequence order
  hv_netvsc: Split netvsc_revoke_buf() and netvsc_teardown_gpadl()
  hv_netvsc: Use Windows version instead of NVSP version on GPAD teardown
  hv_netvsc: common detach logic
  hv_netvsc: change GPAD teardown order on older versions
  hv_netvsc: use RCU to fix concurrent rx and queue changes
  hv_netvsc: disable NAPI before channel close
  hv_netvsc: defer queue selection to VF
  hv_netvsc: fix race in napi poll when rescheduling
  hv_netvsc: cancel subchannel setup before halting device
  hv_netvsc: fix error unwind handling if vmbus_open fails
  hv_netvsc: only wake transmit queue if link is up
  hv_netvsc: avoid retry on send during shutdown
  hv_netvsc: Use the num_online_cpus() for channel limit
  hv_netvsc: empty current transmit aggregation if flow blocked
  hv_netvsc: preserve hw_features on mtu/channels/ringparam changes
  hv_netvsc: netvsc_teardown_gpadl() split
  hv_netvsc: Set tx_table to equal weight after subchannels open
  hv_netvsc: Add initialization of tx_table in netvsc_device_add()
  hv_netvsc: Rename tx_send_table to tx_table
  hv_netvsc: Rename ind_table to rx_table
  hv_netvsc: Fix the real number of queues of non-vRSS cases
  vmxnet3: use DMA memory barriers where required
  vmxnet3: set the DMA mask before the first DMA map operation
  tcp: purge write queue in tcp_connect_init()
  sock_diag: fix use-after-free read in __sk_free
  packet: in packet_snd start writing at link layer allocation
  net: test tailroom before appending to linear skb
  net/smc: check for missing nlattrs in SMC_PNETID messages
  net: sched: red: avoid hashing NULL child
  net/sched: fix refcnt leak in the error path of tcf_vlan_init()
  net/mlx4_core: Fix error handling in mlx4_init_port_info.
  net: Fix a bug in removing queues from XPS map
  ANDROID: proc: fix undefined behavior in proc_uid_base_readdir
  x86: vdso: Fix leaky vdso linker with CC=clang.
  ANDROID: x86_64_cuttlefish_defconfig: Disable ORC unwinder.
  ANDROID: build: cuttlefish: Upgrade clang to newer version.
  ANDROID: build: cuttlefish: Upgrade clang to newer version.
  ANDROID: build: cuttlefish: Fix path to clang.

Conflicts:
	drivers/scsi/sd.c
	drivers/scsi/ufs/ufshcd.c
	drivers/usb/gadget/function/f_fs.c

Change-Id: Iba64240c1ddf00c0ba4531740be132a385bc4f5e
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-05-30 17:07:58 -07:00
Davide Caratti
bf92255468 net/sched: fix idr leak in the error path of tcf_skbmod_init()
[ Upstream commit f29cdfbe33d6915ba8056179b0041279a67e3647 ]

tcf_skbmod_init() can fail after the idr has been successfully reserved.
When this happens, every subsequent attempt to configure skbmod rules
using the same idr value will systematically fail with -ENOSPC, unless
the first attempt was done using the 'replace' keyword:

 # tc action add action skbmod swap mac index 100
 RTNETLINK answers: Cannot allocate memory
 We have an error talking to the kernel
 # tc action add action skbmod swap mac index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel
 # tc action add action skbmod swap mac index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel
 ...

Fix this in tcf_skbmod_init(), ensuring that tcf_idr_release() is called
on the error path when the idr has been reserved, but not yet inserted.
Also, don't test 'ovr' in the error path, to avoid a 'replace' failure
implicitly becoming a 'delete' that leaks refcount in act_skbmod module:

 # rmmod act_skbmod; modprobe act_skbmod
 # tc action add action skbmod swap mac index 100
 # tc action add action skbmod swap mac continue index 100
 RTNETLINK answers: File exists
 We have an error talking to the kernel
 # tc action replace action skbmod swap mac continue index 100
 RTNETLINK answers: Cannot allocate memory
 We have an error talking to the kernel
 # tc action list action skbmod
 #
 # rmmod  act_skbmod
 rmmod: ERROR: Module act_skbmod is in use

Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:52:18 +02:00
Davide Caratti
91314c2731 net/sched: fix idr leak in the error path of __tcf_ipt_init()
[ Upstream commit 1e46ef1762bb2e52f0f996131a4d16ed4e9fd065 ]

__tcf_ipt_init() can fail after the idr has been successfully reserved.
When this happens, subsequent attempts to configure xt/ipt rules using
the same idr value systematically fail with -ENOSPC:

 # tc action add action xt -j LOG --log-prefix test1 index 100
 tablename: mangle hook: NF_IP_POST_ROUTING
         target:  LOG level warning prefix "test1" index 100
 RTNETLINK answers: Cannot allocate memory
 We have an error talking to the kernel
 Command "(null)" is unknown, try "tc actions help".
 # tc action add action xt -j LOG --log-prefix test1 index 100
 tablename: mangle hook: NF_IP_POST_ROUTING
         target:  LOG level warning prefix "test1" index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel
 Command "(null)" is unknown, try "tc actions help".
 # tc action add action xt -j LOG --log-prefix test1 index 100
 tablename: mangle hook: NF_IP_POST_ROUTING
         target:  LOG level warning prefix "test1" index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel
 ...

Fix this in the error path of __tcf_ipt_init(), calling tcf_idr_release()
in place of tcf_idr_cleanup(). Since tcf_ipt_release() can now be called
when tcfi_t is NULL, we also need to protect calls to ipt_destroy_target()
to avoid NULL pointer dereference.

Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:52:18 +02:00
Davide Caratti
01a8083963 net/sched: fix idr leak in the error path of tcp_pedit_init()
[ Upstream commit 94fa3f929ec0c048b1f3658cc335b940df4f6d22 ]

tcf_pedit_init() can fail to allocate 'keys' after the idr has been
successfully reserved. When this happens, subsequent attempts to configure
a pedit rule using the same idr value systematically fail with -ENOSPC:

 # tc action add action pedit munge ip ttl set 63 index 100
 RTNETLINK answers: Cannot allocate memory
 We have an error talking to the kernel
 # tc action add action pedit munge ip ttl set 63 index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel
 # tc action add action pedit munge ip ttl set 63 index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel
 ...

Fix this in the error path of tcf_act_pedit_init(), calling
tcf_idr_release() in place of tcf_idr_cleanup().

Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:52:18 +02:00
Davide Caratti
97689fea3c net/sched: fix idr leak in the error path of tcf_act_police_init()
[ Upstream commit 5bf7f8185f7c7112decdfe3d3e5c5d5e67f099a1 ]

tcf_act_police_init() can fail after the idr has been successfully
reserved (e.g., qdisc_get_rtab() may return NULL). When this happens,
subsequent attempts to configure a police rule using the same idr value
systematically fail with -ENOSPC:

 # tc action add action police rate 1000 burst 1000 drop index 100
 RTNETLINK answers: Cannot allocate memory
 We have an error talking to the kernel
 # tc action add action police rate 1000 burst 1000 drop index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel
 # tc action add action police rate 1000 burst 1000 drop index 100
 RTNETLINK answers: No space left on device
 ...

Fix this in the error path of tcf_act_police_init(), calling
tcf_idr_release() in place of tcf_idr_cleanup().

Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:52:18 +02:00
Davide Caratti
154040a5a8 net/sched: fix idr leak in the error path of tcf_simp_init()
[ Upstream commit 60e10b3adc3bac0f6a894c28e0eb1f2d13607362 ]

If the kernel fails to duplicate 'sdata', creation of a new action fails
with -ENOMEM. However, subsequent attempts to install the same action
using the same value of 'index' systematically fail with -ENOSPC, and
that value of 'index' will no longer be usable by act_simple, until rmmod /
insmod of act_simple.ko is done:

 # tc actions add action simple sdata hello index 100
 # tc actions list action simple

        action order 0: Simple <hello>
         index 100 ref 1 bind 0
 # tc actions flush action simple
 # tc actions add action simple sdata hello index 100
 RTNETLINK answers: Cannot allocate memory
 We have an error talking to the kernel
 # tc actions flush action simple
 # tc actions add action simple sdata hello index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel
 # tc actions add action simple sdata hello index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel
 ...

Fix this in the error path of tcf_simp_init(), calling tcf_idr_release()
in place of tcf_idr_cleanup().

Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:52:18 +02:00
Davide Caratti
29e36c3099 net/sched: fix idr leak on the error path of tcf_bpf_init()
[ Upstream commit bbc09e7842a5023ba5bc0f8d559b9dd464e44006 ]

when the following command sequence is entered

 # tc action add action bpf bytecode '4,40 0 0 12,31 0 1 2048,6 0 0 262144,6 0 0 0' index 100
 RTNETLINK answers: Invalid argument
 We have an error talking to the kernel
 # tc action add action bpf bytecode '4,40 0 0 12,21 0 1 2048,6 0 0 262144,6 0 0 0' index 100
 RTNETLINK answers: No space left on device
 We have an error talking to the kernel

act_bpf correctly refuses to install the first TC rule, because 31 is not
a valid instruction. However, it refuses to install the second TC rule,
even if the BPF code is correct. Furthermore, it's no longer possible to
install any other rule having the same value of 'index' until act_bpf
module is unloaded/inserted again. After the idr has been reserved, call
tcf_idr_release() instead of tcf_idr_cleanup(), to fix this issue.

Fixes: 65a206c01e8e ("net/sched: Change act_api and act_xxx modules to use IDR")
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:52:18 +02:00
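The six idr-leak commits above (skbmod, ipt, pedit, police, simple, bpf) describe one shared error-path bug. The following user-space C model is an added example, not kernel code and not part of any commit: the slot table, act_add(), act_cleanup() and act_release() are hypothetical stand-ins for the per-module idr, the init functions, tcf_idr_cleanup() and tcf_idr_release(), and the allocation failure is injected.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_INDEX 256

/* Hypothetical three-state slot standing in for one idr entry of an act_* module. */
enum slot_state { SLOT_FREE, SLOT_RESERVED, SLOT_INSERTED };

struct slot {
    enum slot_state state;
    int refcnt;
    char *params;               /* private data allocated after the reservation */
};

static struct slot table[MAX_INDEX];

/* Models rmmod + modprobe: before the fix, the only way out of a leaked index. */
static void table_reset(void)
{
    for (int i = 0; i < MAX_INDEX; i++) {
        free(table[i].params);
        memset(&table[i], 0, sizeof(table[i]));
    }
}

static char *dup_params(const char *p)
{
    size_t n = strlen(p) + 1;
    char *d = malloc(n);

    if (d)
        memcpy(d, p, n);
    return d;
}

/* Pre-fix error path: drops the half-built action, never gives the index back. */
static void act_cleanup(struct slot *s)
{
    free(s->params);
    s->params = NULL;
    s->refcnt = 0;
    /* s->state stays SLOT_RESERVED: this is the leak. */
}

/* Post-fix error path: drop the reference; at zero the index is removed too. */
static void act_release(struct slot *s)
{
    if (--s->refcnt > 0)
        return;
    free(s->params);
    s->params = NULL;
    s->state = SLOT_FREE;
}

/* Models "tc action add ... index N"; inject_enomem fails the allocation
 * that happens after the index has been reserved. */
static int act_add(unsigned int index, const char *params,
                   bool inject_enomem, bool fixed)
{
    struct slot *s;

    if (index >= MAX_INDEX)
        return -EINVAL;
    s = &table[index];
    if (s->state == SLOT_INSERTED)
        return -EEXIST;         /* lookup finds a live action */
    if (s->state != SLOT_FREE)
        return -ENOSPC;         /* lookup finds nothing, reservation fails */

    s->state = SLOT_RESERVED;
    s->refcnt = 1;
    s->params = inject_enomem ? NULL : dup_params(params);
    if (!s->params) {
        if (fixed)
            act_release(s);
        else
            act_cleanup(s);
        return -ENOMEM;
    }
    s->state = SLOT_INSERTED;
    return 0;
}

/* True when an index is held but no action is visible: what a leak leaves behind. */
static bool index_is_leaked(unsigned int index)
{
    return index < MAX_INDEX && table[index].state == SLOT_RESERVED;
}

/* One failed add, then two retries on the same index, as in the commit logs. */
static void run_sequence(bool fixed, int results[3])
{
    table_reset();
    results[0] = act_add(100, "swap mac", true, fixed);
    results[1] = act_add(100, "swap mac", false, fixed);
    results[2] = act_add(100, "swap mac", false, fixed);
}

int main(void)
{
    int r[3];

    run_sequence(false, r);
    printf("cleanup: %d %d %d leaked=%d\n", r[0], r[1], r[2], index_is_leaked(100));
    run_sequence(true, r);
    printf("release: %d %d %d leaked=%d\n", r[0], r[1], r[2], index_is_leaked(100));
    table_reset();
    return 0;
}
```

With the cleanup-style error path the index stays reserved with no action behind it, so every retry gets -ENOSPC; with the release-style path the first retry succeeds and the second reports the existing action.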
Davide Caratti
f31f64b2d2 net/sched: fix NULL dereference in the error path of tcf_sample_init()
[ Upstream commit 1f110e7cae09e6c6a144616480d1a9dd99c5208a ]

when the following command

 # tc action add action sample rate 100 group 100 index 100

is run for the first time, and psample_group_get(100) fails to create a
new group, tcf_sample_cleanup() calls psample_group_put(NULL), thus
causing the following error:

 BUG: unable to handle kernel NULL pointer dereference at 000000000000001c
 IP: psample_group_put+0x15/0x71 [psample]
 PGD 8000000075775067 P4D 8000000075775067 PUD 7453c067 PMD 0
 Oops: 0002 [#1] SMP PTI
 Modules linked in: act_sample(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec snd_hda_core mbcache jbd2 crct10dif_pclmul snd_hwdep crc32_pclmul snd_seq ghash_clmulni_intel pcbc snd_seq_device snd_pcm aesni_intel crypto_simd snd_timer glue_helper snd cryptd joydev pcspkr i2c_piix4 soundcore virtio_balloon nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_net ata_piix virtio_console virtio_blk libata serio_raw crc32c_intel virtio_pci i2c_core virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_tunnel_key]
 CPU: 2 PID: 5740 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:psample_group_put+0x15/0x71 [psample]
 RSP: 0018:ffffb8a80032f7d0 EFLAGS: 00010246
 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000024
 RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffffffffc06d93c0
 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
 R10: 00000000bd003000 R11: ffff979fba04aa59 R12: 0000000000000000
 R13: 0000000000000000 R14: 0000000000000000 R15: ffff979fbba3f22c
 FS:  00007f7638112740(0000) GS:ffff979fbfd00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 000000000000001c CR3: 00000000734ea001 CR4: 00000000001606e0
 Call Trace:
  __tcf_idr_release+0x79/0xf0
  tcf_sample_init+0x125/0x1d0 [act_sample]
  tcf_action_init_1+0x2cc/0x430
  tcf_action_init+0xd3/0x1b0
  tc_ctl_action+0x18b/0x240
  rtnetlink_rcv_msg+0x29c/0x310
  ? _cond_resched+0x15/0x30
  ? __kmalloc_node_track_caller+0x1b9/0x270
  ? rtnl_calcit.isra.28+0x100/0x100
  netlink_rcv_skb+0xd2/0x110
  netlink_unicast+0x17c/0x230
  netlink_sendmsg+0x2cd/0x3c0
  sock_sendmsg+0x30/0x40
  ___sys_sendmsg+0x27a/0x290
  ? filemap_map_pages+0x34a/0x3a0
  ? __handle_mm_fault+0xbfd/0xe20
  __sys_sendmsg+0x51/0x90
  do_syscall_64+0x6e/0x1a0
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7f7637523ba0
 RSP: 002b:00007fff0473ef58 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007fff0473f080 RCX: 00007f7637523ba0
 RDX: 0000000000000000 RSI: 00007fff0473efd0 RDI: 0000000000000003
 RBP: 000000005aaaac80 R08: 0000000000000002 R09: 0000000000000000
 R10: 00007fff0473e9e0 R11: 0000000000000246 R12: 0000000000000000
 R13: 00007fff0473f094 R14: 0000000000000001 R15: 0000000000669f60
 Code: be 02 00 00 00 48 89 df e8 a9 fe ff ff e9 7c ff ff ff 0f 1f 40 00 0f 1f 44 00 00 53 48 89 fb 48 c7 c7 c0 93 6d c0 e8 db 20 8c ef <83> 6b 1c 01 74 10 48 c7 c7 c0 93 6d c0 ff 14 25 e8 83 83 b0 5b
 RIP: psample_group_put+0x15/0x71 [psample] RSP: ffffb8a80032f7d0
 CR2: 000000000000001c

Fix it in tcf_sample_cleanup(), ensuring that calls to psample_group_put(p)
are done only when p is not NULL.

Fixes: cadb9c9fdbc6 ("net/sched: act_sample: Fix error path in init")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-30 07:52:16 +02:00
Paolo Abeni
8ffa5f9783 net: sched: red: avoid hashing NULL child
[ Upstream commit 44a63b137f7b6e4c7bd6c9cc21615941cb36509d ]

Hangbin reported an Oops triggered by the syzkaller qdisc rules:

 kasan: GPF could be caused by NULL-ptr deref or user memory access
 general protection fault: 0000 [#1] SMP KASAN PTI
 Modules linked in: sch_red
 CPU: 0 PID: 28699 Comm: syz-executor5 Not tainted 4.17.0-rc4.kcov #1
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:qdisc_hash_add+0x26/0xa0
 RSP: 0018:ffff8800589cf470 EFLAGS: 00010203
 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff824ad971
 RDX: 0000000000000007 RSI: ffffc9000ce9f000 RDI: 000000000000003c
 RBP: 0000000000000001 R08: ffffed000b139ea2 R09: ffff8800589cf4f0
 R10: ffff8800589cf50f R11: ffffed000b139ea2 R12: ffff880054019fc0
 R13: ffff880054019fb4 R14: ffff88005c0af600 R15: ffff880054019fb0
 FS:  00007fa6edcb1700(0000) GS:ffff88005ce00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000020000740 CR3: 000000000fc16000 CR4: 00000000000006f0
 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
 Call Trace:
  red_change+0x2d2/0xed0 [sch_red]
  qdisc_create+0x57e/0xef0
  tc_modify_qdisc+0x47f/0x14e0
  rtnetlink_rcv_msg+0x6a8/0x920
  netlink_rcv_skb+0x2a2/0x3c0
  netlink_unicast+0x511/0x740
  netlink_sendmsg+0x825/0xc30
  sock_sendmsg+0xc5/0x100
  ___sys_sendmsg+0x778/0x8e0
  __sys_sendmsg+0xf5/0x1b0
  do_syscall_64+0xbd/0x3b0
  entry_SYSCALL_64_after_hwframe+0x44/0xa9
 RIP: 0033:0x450869
 RSP: 002b:00007fa6edcb0c48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007fa6edcb16b4 RCX: 0000000000450869
 RDX: 0000000000000000 RSI: 00000000200000c0 RDI: 0000000000000013
 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
 R13: 0000000000008778 R14: 0000000000702838 R15: 00007fa6edcb1700
 Code: e9 0b fe ff ff 0f 1f 44 00 00 55 53 48 89 fb 89 f5 e8 3f 07 f3 fe 48 8d 7b 3c 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 03 38 d0 7c 04 84 d2 75 51
 RIP: qdisc_hash_add+0x26/0xa0 RSP: ffff8800589cf470

When a red qdisc is updated with a 0 limit, the child qdisc is left
unmodified, no additional scheduler is created in red_change(),
the 'child' local variable is rightfully NULL and must not add it
to the hash table.

This change addresses the above issue moving qdisc_hash_add() right
after the child qdisc creation. It additionally removes unneeded checks
for noop_qdisc.

Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Fixes: 49b499718fa1 ("net: sched: make default fifo qdiscs appear in the dump")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-25 16:17:23 +02:00
Davide Caratti
53b2dbbee1 net/sched: fix refcnt leak in the error path of tcf_vlan_init()
[ Upstream commit 5a4931ae0193f8a4a97e8260fd0df1d705d83299 ]

Similarly to what was done with commit a52956dfc503 ("net sched actions:
fix refcnt leak in skbmod"), fix the error path of tcf_vlan_init() to avoid
refcnt leaks when wrong value of TCA_VLAN_PUSH_VLAN_PROTOCOL is given.

Fixes: 5026c9b1bafc ("net sched: vlan action fix late binding")
CC: Roman Mashak <mrv@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-25 16:17:23 +02:00
Blagovest Kolenichev
0e1a219e24 Merge android-4.14.43 (4c9e0a9) into msm-4.14
* refs/heads/tmp-4c9e0a9
  Linux 4.14.43
  x86/bugs: Rename SSBD_NO to SSB_NO
  KVM: SVM: Implement VIRT_SPEC_CTRL support for SSBD
  x86/speculation, KVM: Implement support for VIRT_SPEC_CTRL/LS_CFG
  x86/bugs: Rework spec_ctrl base and mask logic
  x86/bugs: Remove x86_spec_ctrl_set()
  x86/bugs: Expose x86_spec_ctrl_base directly
  x86/bugs: Unify x86_spec_ctrl_{set_guest,restore_host}
  x86/speculation: Rework speculative_store_bypass_update()
  x86/speculation: Add virtualized speculative store bypass disable support
  x86/bugs, KVM: Extend speculation control for VIRT_SPEC_CTRL
  x86/speculation: Handle HT correctly on AMD
  x86/cpufeatures: Add FEATURE_ZEN
  x86/cpufeatures: Disentangle SSBD enumeration
  x86/cpufeatures: Disentangle MSR_SPEC_CTRL enumeration from IBRS
  x86/speculation: Use synthetic bits for IBRS/IBPB/STIBP
  KVM: SVM: Move spec control call after restore of GS
  x86/cpu: Make alternative_msr_write work for 32-bit code
  x86/bugs: Fix the parameters alignment and missing void
  x86/bugs: Make cpu_show_common() static
  x86/bugs: Fix __ssb_select_mitigation() return type
  Documentation/spec_ctrl: Do some minor cleanups
  proc: Use underscores for SSBD in 'status'
  x86/bugs: Rename _RDS to _SSBD
  x86/speculation: Make "seccomp" the default mode for Speculative Store Bypass
  seccomp: Move speculation migitation control to arch code
  seccomp: Add filter flag to opt-out of SSB mitigation
  seccomp: Use PR_SPEC_FORCE_DISABLE
  prctl: Add force disable speculation
  x86/bugs: Make boot modes __ro_after_init
  seccomp: Enable speculation flaw mitigations
  proc: Provide details on speculation flaw mitigations
  nospec: Allow getting/setting on non-current task
  x86/speculation: Add prctl for Speculative Store Bypass mitigation
  x86/process: Allow runtime control of Speculative Store Bypass
  prctl: Add speculation control prctls
  x86/speculation: Create spec-ctrl.h to avoid include hell
  x86/KVM/VMX: Expose SPEC_CTRL Bit(2) to the guest
  x86/bugs/AMD: Add support to disable RDS on Fam[15,16,17]h if requested
  x86/bugs: Whitelist allowed SPEC_CTRL MSR values
  x86/bugs/intel: Set proper CPU features and setup RDS
  x86/bugs: Provide boot parameters for the spec_store_bypass_disable mitigation
  x86/cpufeatures: Add X86_FEATURE_RDS
  x86/bugs: Expose /sys/../spec_store_bypass
  x86/bugs, KVM: Support the combination of guest and host IBRS
  x86/bugs: Read SPEC_CTRL MSR during boot and re-use reserved bits
  x86/bugs: Concentrate bug reporting into a separate function
  x86/bugs: Concentrate bug detection into a separate function
  x86/nospec: Simplify alternative_msr_write()
  btrfs: fix reading stale metadata blocks after degraded raid1 mounts
  btrfs: Fix delalloc inodes invalidation during transaction abort
  btrfs: Split btrfs_del_delalloc_inode into 2 functions
  btrfs: fix crash when trying to resume balance without the resume flag
  btrfs: property: Set incompat flag if lzo/zstd compression is set
  Btrfs: send, fix invalid access to commit roots due to concurrent snapshotting
  Btrfs: fix xattr loss after power failure
  ARM: 8772/1: kprobes: Prohibit kprobes on get_user functions
  ARM: 8770/1: kprobes: Prohibit probing on optimized_callback
  ARM: 8769/1: kprobes: Fix to use get_kprobe_ctlblk after irq-disabed
  tick/broadcast: Use for_each_cpu() specially on UP kernels
  x86/mm: Drop TS_COMPAT on 64-bit exec() syscall
  ARM: 8771/1: kprobes: Prohibit kprobes on do_undefinstr
  efi: Avoid potential crashes, fix the 'struct efi_pci_io_protocol_32' definition for mixed mode
  x86/pkeys: Do not special case protection key 0
  x86/pkeys: Override pkey when moving away from PROT_EXEC
  s390: remove indirect branch from do_softirq_own_stack
  s390/qdio: don't release memory in qdio_setup_irq()
  s390/cpum_sf: ensure sample frequency of perf event attributes is non-zero
  s390/qdio: fix access to uninitialized qdio_q fields
  drm/i915/gen9: Add WaClearHIZ_WM_CHICKEN3 for bxt and glk
  mm: don't allow deferred pages with NEED_PER_CPU_KM
  radix tree: fix multi-order iteration race
  lib/test_bitmap.c: fix bitmap optimisation tests to report errors correctly
  drm: Match sysfs name in link removal to link creation
  powerpc/powernv: Fix NVRAM sleep in invalid context when crashing
  i2c: designware: fix poll-after-enable regression
  netfilter: nf_socket: Fix out of bounds access in nf_sk_lookup_slow_v{4,6}
  netfilter: nf_tables: can't fail after linking rule into active rule list
  netfilter: nf_tables: free set name in error path
  tee: shm: fix use-after-free via temporarily dropped reference
  tracing/x86/xen: Remove zero data size trace events trace_xen_mmu_flush_tlb{_all}
  vfio: ccw: fix cleanup if cp_prefetch fails
  powerpc: Don't preempt_disable() in show_cpuinfo()
  KVM: arm/arm64: VGIC/ITS: protect kvm_read_guest() calls with SRCU lock
  KVM: arm/arm64: VGIC/ITS save/restore: protect kvm_read_guest() calls
  spi: bcm-qspi: Always read and set BSPI_MAST_N_BOOT_CTRL
  spi: bcm-qspi: Avoid setting MSPI_CDRAM_PCS for spi-nor master
  spi: pxa2xx: Allow 64-bit DMA
  ALSA: control: fix a redundant-copy issue
  ALSA: hda: Add Lenovo C50 All in one to the power_save blacklist
  ALSA: usb: mixer: volume quirk for CM102-A+/102S+
  usbip: usbip_host: fix bad unlock balance during stub_probe()
  usbip: usbip_host: fix NULL-ptr deref and use-after-free errors
  usbip: usbip_host: run rebind from exit when module is removed
  usbip: usbip_host: delete device from busid_table after rebind
  usbip: usbip_host: refine probe and disconnect debug msgs to be useful
  Linux 4.14.42
  proc: do not access cmdline nor environ from file-backed areas
  l2tp: revert "l2tp: fix missing print session offset info"
  xfrm: fix xfrm_do_migrate() with AEAD e.g(AES-GCM)
  btrfs: Take trans lock before access running trans in check_delayed_ref
  xfrm: Use __skb_queue_tail in xfrm_trans_queue
  scsi: aacraid: Correct hba_send to include iu_type
  udp: fix SO_BINDTODEVICE
  nsh: fix infinite loop
  net/mlx5e: Allow offloading ipv4 header re-write for icmp
  ipv6: fix uninit-value in ip6_multipath_l3_keys()
  hv_netvsc: set master device
  net/mlx5: Avoid cleaning flow steering table twice during error flow
  net/mlx5e: TX, Use correct counter in dma_map error flow
  net: sched: fix error path in tcf_proto_create() when modules are not configured
  bonding: send learning packets for vlans on slave
  bonding: do not allow rlb updates to invalid mac
  tg3: Fix vunmap() BUG_ON() triggered from tg3_free_consistent().
  tcp: ignore Fast Open on repair mode
  tcp_bbr: fix to zero idle_restart only upon S/ACKed data
  sctp: use the old asoc when making the cookie-ack chunk in dupcook_d
  sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg
  sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr
  sctp: fix the issue that the cookie-ack with auth can't get processed
  sctp: delay the authentication for the duplicated cookie-echo chunk
  rds: do not leak kernel memory to user land
  r8169: fix powering up RTL8168h
  qmi_wwan: do not steal interfaces from class drivers
  openvswitch: Don't swap table in nlattr_set() after OVS_ATTR_NESTED is found
  net/tls: Fix connection stall on partial tls record
  net/tls: Don't recursively call push_record during tls_write_space callbacks
  net: support compat 64-bit time in {s,g}etsockopt
  net_sched: fq: take care of throttled flows before reuse
  net sched actions: fix refcnt leak in skbmod
  net/mlx5: E-Switch, Include VF RDMA stats in vport statistics
  net/mlx5e: Err if asked to offload TC match on frag being first
  net/mlx4_en: Verify coalescing parameters are in range
  net/mlx4_en: Fix an error handling path in 'mlx4_en_init_netdev()'
  net: ethernet: ti: cpsw: fix packet leaking in dual_mac mode
  net: ethernet: sun: niu set correct packet size in skb
  llc: better deal with too small mtu
  ipv4: fix memory leaks in udp_sendmsg, ping_v4_sendmsg
  ipv4: fix fnhe usage by non-cached routes
  dccp: fix tasklet usage
  bridge: check iface upper dev when setting master via ioctl
  8139too: Use disable_irq_nosync() in rtl8139_poll_controller()
  ANDROID: sdcardfs: Don't d_drop in d_revalidate
  FROMLIST: brcmfmac: fix initialization of struct cfg80211_inform_bss variable
  FROMLIST: brcmfmac: reports boottime_ns while informing bss

Change-Id: I43c27b71b153a2a87070de3ea393002769856960
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-05-22 13:21:39 -07:00
Jiri Pirko
b047794cc3 net: sched: fix error path in tcf_proto_create() when modules are not configured
[ Upstream commit d68d75fdc34b0253c2bded7ed18cd60eb5a9599b ]

In case modules are not configured, error out when tp->ops is null
and prevent later null pointer dereference.

Fixes: 33a48927c193 ("sched: push TC filter protocol creation into a separate function")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-19 10:20:26 +02:00
Eric Dumazet
b2a4d52fae net_sched: fq: take care of throttled flows before reuse
[ Upstream commit 7df40c2673a1307c3260aab6f9d4b9bf97ca8fd7 ]

Normally, a socket can not be freed/reused unless all its TX packets
left qdisc and were TX-completed. However connect(AF_UNSPEC) allows
this to happen.

With commit fc59d5bdf1e3 ("pkt_sched: fq: clear time_next_packet for
reused flows") we cleared f->time_next_packet but took no special
action if the flow was still in the throttled rb-tree.

Since f->time_next_packet is the key used in the rb-tree searches,
blindly clearing it might break rb-tree integrity. We need to make
sure the flow is no longer in the rb-tree to avoid this problem.

Fixes: fc59d5bdf1e3 ("pkt_sched: fq: clear time_next_packet for reused flows")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-19 10:20:24 +02:00
Roman Mashak
6a5b0444e7 net sched actions: fix refcnt leak in skbmod
[ Upstream commit a52956dfc503f8cc5cfe6454959b7049fddb4413 ]

When application fails to pass flags in netlink TLV when replacing
existing skbmod action, the kernel will leak refcnt:

$ tc actions get action skbmod index 1
total acts 0

        action order 0: skbmod pipe set smac 00:11:22:33:44:55
         index 1 ref 1 bind 0

For example, at this point a buggy application replaces the action with
index 1 with new smac 00:aa:22:33:44:55, it fails because of zero flags,
however refcnt gets bumped:

$ tc actions get actions skbmod index 1
total acts 0

        action order 0: skbmod pipe set smac 00:11:22:33:44:55
         index 1 ref 2 bind 0
$

The patch fixes this by calling tcf_idr_release() on existing actions.

Fixes: 86da71b57383d ("net_sched: Introduce skbmod action")
Signed-off-by: Roman Mashak <mrv@mojatatu.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-05-19 10:20:24 +02:00
Isaac J. Manjarres
2f44069aee Merge remote-tracking branch 'remotes/origin/tmp-3f8d191' into msm-4.14
* remotes/origin/tmp-3f8d191:
  Linux 4.14.38
  ACPI / video: Only default only_lcd to true on Win8-ready _desktops_
  s390/uprobes: implement arch_uretprobe_is_alive()
  s390/dasd: fix IO error for newly defined devices
  s390/cio: update chpid descriptor after resource accessibility event
  tracing: Fix missing tab for hwlat_detector print format
  block/swim: Fix IO error at end of medium
  block/swim: Fix array bounds check
  block/swim: Select appropriate drive on device open
  block/swim: Rename macros to avoid inconsistent inverted logic
  block/swim: Remove extra put_disk() call from error path
  block/swim: Don't log an error message for an invalid ioctl
  block/swim: Check drive type
  m68k/mac: Don't remap SWIM MMIO region
  fsnotify: Fix fsnotify_mark_connector race
  cdrom: information leak in cdrom_ioctl_media_changed()
  scsi: mptsas: Disable WRITE SAME
  commoncap: Handle memory allocation failure.
  Revert "mm/hmm: fix header file if/else/endif maze"
  arm64: dts: rockchip: remove vdd_log from rk3399-puma
  microblaze: Setup dependencies for ASM optimized lib functions
  s390: correct module section names for expoline code revert
  s390: correct nospec auto detection init order
  s390: add sysfs attributes for spectre
  s390: report spectre mitigation via syslog
  s390: add automatic detection of the spectre defense
  s390: move nobp parameter functions to nospec-branch.c
  s390/entry.S: fix spurious zeroing of r0
  s390: do not bypass BPENTER for interrupt system calls
  s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*)
  KVM: s390: force bp isolation for VSIE
  s390: introduce execute-trampolines for branches
  s390: run user space and KVM guests with modified branch prediction
  s390: add options to change branch prediction behaviour for the kernel
  s390/alternative: use a copy of the facility bit mask
  s390: add optimized array_index_mask_nospec
  s390: scrub registers on kernel entry and KVM exit
  KVM: s390: wire up bpb feature
  s390: enable CPU alternatives unconditionally
  s390: introduce CPU alternatives
  virtio_net: fix adding vids on big-endian
  virtio_net: split out ctrl buffer
  net: ethernet: ti: cpsw: fix tx vlan priority mapping
  llc: fix NULL pointer deref for SOCK_ZAPPED
  llc: hold llc_sap before release_sock()
  net: sched: ife: check on metadata length
  net: sched: ife: handle malformed tlv length
  tcp: clear tp->packets_out when purging write queue
  net: sched: ife: signal not finding metaid
  strparser: Fix incorrect strp->need_bytes value.
  amd-xgbe: Only use the SFP supported transceiver signals
  strparser: Do not call mod_delayed_work with a timeout of LONG_MAX
  amd-xgbe: Improve KR auto-negotiation and training
  sctp: do not check port in sctp_inet6_cmp_addr
  amd-xgbe: Add pre/post auto-negotiation phy hooks
  vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi
  pppoe: check sockaddr length in pppoe_connect()
  tipc: add policy for TIPC_NLA_NET_ADDR
  packet: fix bitfield update race
  team: fix netconsole setup over team
  net/smc: fix shutdown in state SMC_LISTEN
  team: avoid adding twice the same option to the event list
  net: fix deadlock while clearing neighbor proxy table
  tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets
  net: af_packet: fix race in PACKET_{R|T}X_RING
  tcp: don't read out-of-bounds opsize
  llc: delete timers synchronously in llc_sk_free()
  net: validate attribute sizes in neigh_dump_table()
  l2tp: check sockaddr length in pppol2tp_connect()
  KEYS: DNS: limit the length of option strings
  ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts
  ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy
  bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave
  Revert "ath10k: send (re)assoc peer command when NSS changed"
  tpm: add retry logic
  tpm: tpm-interface: fix tpm_transmit/_cmd kdoc
  tpm: cmd_ready command can be issued only after granting locality
  i40e: Fix attach VF to VM issue
  drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson GX SoCs
  Revert "pinctrl: intel: Initialize GPIO properly when used through irqchip"
  ANDROID: staging: lustre: fix filler function type
  ANDROID: fs: gfs2: fix filler function type
  ANDROID: fs: exofs: fix filler function type
  ANDROID: fs: afs: fix filler function type
  ANDROID: fs: nfs: fix filler function type
  ANDROID: fs: fuse: fix filler function type mismatch
  ANDROID: mm: fix filler function type mismatch
  ANDROID: media-device: fix ioctl function types
  ANDROID: v4l2-ioctl: fix function types for IOCTL_INFO_STD
  ANDROID: arch/arm64/crypto: fix CFI in SHA CE
  ANDROID: arm64: kvm: disable CFI
  ANDROID: arm64: mark kpti_install_ng_mappings as __nocfi
  ANDROID: arm64: disable CFI for cpu_replace_ttbr1
  ANDROID: kallsyms: strip the .cfi postfix from symbols with CONFIG_CFI_CLANG
  ANDROID: add support for clang Control Flow Integrity (CFI)
  ANDROID: HACK: init: ensure initcall ordering with LTO
  ANDROID: drivers/misc: disable LTO for lkdtm_rodata.o
  ANDROID: arm64: vdso: disable LTO
  FROMLIST: arm64: select ARCH_SUPPORTS_LTO_CLANG
  FROMLIST: arm64: disable RANDOMIZE_MODULE_REGION_FULL with LTO_CLANG
  ANDROID: arm64: disable ARM64_ERRATUM_843419 for clang LTO
  ANDROID: arm64: pass code model to LLVMgold
  FROMLIST: arm64: make mrs_s and msr_s macros work with LTO
  FROMLIST: efi/libstub: disable LTO
  FROMLIST: scripts/mod: disable LTO for empty.c
  FROMLIST: kbuild: fix dynamic ftrace with clang LTO
  FROMLIST: kbuild: add support for clang LTO
  FROMLIST: arm64: fix -m for GNU gold
  FROMLIST: arm64: add a workaround for GNU gold with ARM64_MODULE_PLTS
  FROMLIST: arm64: explicitly pass --no-fix-cortex-a53-843419 to GNU gold
  FROMLIST: kbuild: add __ld-ifversion and linker-specific macros
  FROMLIST: kbuild: add ld-name macro
  FROMLIST: arm64: keep .altinstructions and .altinstr_replacement
  ANDROID: arm64: fix LD_DEAD_CODE_DATA_ELIMINATION
  FROMLIST: kbuild: fix LD_DEAD_CODE_DATA_ELIMINATION
  FROMLIST: kbuild: add __cc-ifversion and compiler-specific variants
  UPSTREAM: console: Drop added "static" for newport_con
  UPSTREAM: tracing: always define trace_{irq,preempt}_{enable_disable}

Conflicts:
	Makefile

Change-Id: Ied1a215e68f428eff9c1911491a4e364ffd1f679
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-04-30 09:46:42 -07:00
Alexander Aring
388f3d9708 net: sched: ife: handle malformed tlv length
[ Upstream commit cc74eddd0ff325d57373cea99f642b787d7f76f5 ]

There is currently no handling to check on an invalid tlv length. This
patch adds such handling to avoid killing the kernel with a malformed
ife packet.

Signed-off-by: Alexander Aring <aring@mojatatu.com>
Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-29 11:33:13 +02:00
Alexander Aring
da499024f6 net: sched: ife: signal not finding metaid
[ Upstream commit f6cd14537ff9919081be19b9c53b9b19c0d3ea97 ]

We need to record stats for received metadata that we don't know how
to process. Have find_decode_metaid() return -ENOENT to capture this.

Signed-off-by: Alexander Aring <aring@mojatatu.com>
Reviewed-by: Yotam Gigi <yotam.gi@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-29 11:33:13 +02:00
Isaac J. Manjarres
92816ebe29 Merge remote-tracking branch 'remotes/origin/tmp-7e76ead' into msm-4.14
* remotes/origin/tmp-7e76ead:
  Linux 4.14.34
  net/mlx4_core: Fix memory leak while delete slave's resources
  vhost_net: add missing lock nesting notation
  team: move dev_mc_sync after master_upper_dev_link in team_port_add
  route: check sysctl_fib_multipath_use_neigh earlier than hash
  vhost: validate log when IOTLB is enabled
  net/mlx5e: Fix traffic being dropped on VF representor
  net/mlx4_en: Fix mixed PFC and Global pause user control requests
  strparser: Fix sign of err codes
  net/sched: fix NULL dereference on the error path of tcf_skbmod_init()
  net/sched: fix NULL dereference in the error path of tunnel_key_init()
  net/mlx5e: Sync netdev vxlan ports at open
  net/mlx5e: Don't override vport admin link state in switchdev mode
  ipv6: sr: fix seg6 encap performances with TSO enabled
  nfp: use full 40 bits of the NSP buffer address
  net/mlx5e: Fix memory usage issues in offloading TC flows
  net/mlx5e: Avoid using the ipv6 stub in the TC offload neigh update path
  vti6: better validate user provided tunnel names
  ip6_tunnel: better validate user provided tunnel names
  ip6_gre: better validate user provided tunnel names
  ipv6: sit: better validate user provided tunnel names
  ip_tunnel: better validate user provided tunnel names
  net: fool proof dev_valid_name()
  bonding: process the err returned by dev_set_allmulti properly in bond_enslave
  bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
  bonding: fix the err path for dev hwaddr sync in bond_enslave
  vrf: Fix use after free and double free in vrf_finish_output
  vlan: also check phy_driver ts_info for vlan's real device
  vhost: correctly remove wait queue during poll failure
  sky2: Increase D3 delay to sky2 stops working after suspend
  sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
  sctp: do not leak kernel memory to user space
  r8169: fix setting driver_data after register_netdev
  pptp: remove a buggy dst release in pptp_connect()
  net/sched: fix NULL dereference in the error path of tcf_bpf_init()
  net sched actions: fix dumping which requires several messages to user space
  netlink: make sure nladdr has correct size in netlink_connect()
  net/ipv6: Increment OUTxxx counters after netfilter hook
  net/ipv6: Fix route leaking between VRFs
  net: fix possible out-of-bound read in skb_network_protocol()
  lan78xx: Crash in lan78xx_writ_reg (Workqueue: events lan78xx_deferred_multicast_write)
  ipv6: the entire IPv6 header chain must fit the first fragment
  arp: fix arp_filter on l3slave devices
  x86/microcode: Fix CPU synchronization routine
  x86/microcode: Attempt late loading only when new microcode is present
  x86/microcode: Synchronize late microcode loading
  x86/microcode: Request microcode on the BSP
  x86/microcode/intel: Look into the patch cache first
  x86/microcode: Do not upload microcode if CPUs are offline
  x86/microcode/intel: Writeback and invalidate caches before updating microcode
  x86/microcode/intel: Check microcode revision before updating sibling threads
  x86/microcode: Get rid of struct apply_microcode_ctx
  x86/CPU: Check CPU feature bits after microcode upgrade
  x86/CPU: Add a microcode loader callback
  x86/microcode: Propagate return value from updating functions
  crypto: arm64/aes-ce-cipher - move assembler code to .S file
  objtool: Add Clang support
  thermal: int3400_thermal: fix error handling in int3400_thermal_probe()
  tcmu: release blocks for partially setup cmds
  perf tools: Fix copyfile_offset update of output offset
  crypto: aes-generic - build with -Os on gcc-7+
  mtd: mtd_oobtest: Handle bitflips during reads
  Input: goodix - disable IRQs while suspended
  ibmvnic: Don't handle RX interrupts when not up.
  sdhci: Advertise 2.0v supply on SDIO host controller
  x86/gart: Exclude GART aperture from vmcore
  gpio: thunderx: fix error return code in thunderx_gpio_probe()
  RDMA/cma: Fix rdma_cm path querying for RoCE
  scsi: megaraid_sas: unload flag should be set after scsi_remove_host is called
  scsi: megaraid_sas: Error handling for invalid ldcount provided by firmware in RAID map
  cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages
  i40evf: don't rely on netif_running() outside rtnl_lock()
  uio_hv_generic: check that host supports monitor page
  EDAC, mv64x60: Fix an error handling path
  block, bfq: put async queues for root bfq groups too
  tty: n_gsm: Allow ADM response in addition to UA for control dlci
  blk-mq: fix kernel oops in blk_mq_tag_idle()
  scsi: libsas: initialize sas_phy status according to response of DISCOVER
  scsi: libsas: fix error when getting phy events
  scsi: libsas: fix memory leak in sas_smp_get_phy_events()
  bcache: segregate flash only volume write streams
  bcache: stop writeback thread after detaching
  bcache: ret IOERR when read meets metadata error
  net: hns3: fix for changing MTU
  net: hns3: Fix an error macro definition of HNS3_TQP_STAT
  net: hns3: Fix a loop index error of tqp statistics query
  net: hns3: Fix an error of total drop packet statistics
  net/mlx5: Fix race for multiple RoCE enable
  wl1251: check return from call to wl1251_acx_arp_ip_filter
  rt2x00: do not pause queue unconditionally on error path
  power: supply: axp288_charger: Properly stop work on probe-error / remove
  ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()'
  staging: lustre: disable preempt while sampling processor id.
  perf report: Fix a no annotate browser displayed issue
  tpm: return a TPM_RC_COMMAND_CODE response if command is not implemented
  nvme_fcloop: fix abort race condition
  nvme_fcloop: disassocate local port structs
  pinctrl: baytrail: Enable glitch filter for GPIOs used as interrupts
  backlight: tdo24m: Fix the SPI CS between transfers
  blk-mq: fix race between updating nr_hw_queues and switching io sched
  blk-mq: avoid to map CPU into stale hw queue
  IB/rdmavt: Allocate CQ memory on the correct node
  powernv-cpufreq: Add helper to extract pstate from PMSR
  gpio: label descriptors using the device name
  vfb: fix video mode and line_length being set when loaded
  mac80211: Fix setting TX power on monitor interfaces
  ACPI: EC: Fix debugfs_create_*() usage
  irqchip/gic-v3: Fix the driver probe() fail due to disabled GICC entry
  scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag.
  scsi: libiscsi: Allow sd_shutdown on bad transport
  spi: sh-msiof: Fix timeout failures for TX-only DMA transfers
  ASoC: Intel: cht_bsw_rt5645: Analog Mic support
  ASoC: Intel: Skylake: Disable clock gating during firmware and library download
  media: videobuf2-core: don't go out of the buffer range
  clk: sunxi-ng: a83t: Add M divider to TCON1 clock
  hwmon: (ina2xx) Make calibration register value fixed
  RDMA/cma: Mark end of CMA ID messages
  selftests/net: fix bugs in address and port initialization
  PM / devfreq: Fix potential NULL pointer dereference in governor_store
  clk: divider: fix incorrect usage of container_of
  watchdog: dw_wdt: add stop watchdog operation
  VFS: close race between getcwd() and d_move()
  net/mlx4_en: Change default QoS settings
  ACPI / video: Default lcd_only to true on Win8-ready and newer machines
  rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
  l2tp: fix missing print session offset info
  net: hns3: fix for getting auto-negotiation state in hclge_get_autoneg
  net: hns3: free the ring_data structrue when change tqps
  perf evsel: Enable ignore_missing_thread for pid option
  perf probe: Add warning message if there is unexpected event name
  perf probe: Find versioned symbols from map
  thermal: power_allocator: fix one race condition issue for thermal_instances list
  ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT
  Bluetooth: Add a new 04ca:3015 QCA_ROME device
  ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node
  clk: meson: mpll: use 64-bit maths in params_from_rate
  i40iw: Validate correct IRD/ORD connection parameters
  i40iw: Correct Q1/XF object count equation
  i40iw: Fix sequence number for the first partial FPDU
  Revert "ANDROID: sched/tune: Initialize raw_spin_lock in boosted_groups"

Conflicts:
	arch/arm64/crypto/Makefile
	drivers/clk/qcom/clk-regmap-divider.c

Change-Id: I7d83113e6d6d943804051a983d73067184b9fb39
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-04-12 12:24:33 -07:00
Davide Caratti
1c71bfe84d net/sched: fix NULL dereference on the error path of tcf_skbmod_init()
[ Upstream commit 2d433610176d6569e8b3a28f67bc72235bf69efc ]

When the following command

 # tc action replace action skbmod swap mac index 100

is run for the first time, and tcf_skbmod_init() fails to allocate struct
tcf_skbmod_params, tcf_skbmod_cleanup() calls kfree_rcu(NULL), thus
causing the following error:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
 IP: __call_rcu+0x23/0x2b0
 PGD 8000000034057067 P4D 8000000034057067 PUD 74937067 PMD 0
 Oops: 0002 [#1] SMP PTI
 Modules linked in: act_skbmod(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec crct10dif_pclmul mbcache jbd2 crc32_pclmul snd_hda_core ghash_clmulni_intel snd_hwdep pcbc snd_seq snd_seq_device snd_pcm aesni_intel snd_timer crypto_simd glue_helper snd cryptd virtio_balloon joydev soundcore pcspkr i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_console virtio_net virtio_blk ata_piix libata crc32c_intel virtio_pci serio_raw virtio_ring virtio i2c_core floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_skbmod]
 CPU: 3 PID: 3144 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:__call_rcu+0x23/0x2b0
 RSP: 0018:ffffbd2e403e7798 EFLAGS: 00010246
 RAX: ffffffffc0872080 RBX: ffff981d34bff780 RCX: 00000000ffffffff
 RDX: ffffffff922a5f00 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000021f
 R10: 000000003d003000 R11: 0000000000aaaaaa R12: 0000000000000000
 R13: ffffffff922a5f00 R14: 0000000000000001 R15: ffff981d3b698c2c
 FS:  00007f3678292740(0000) GS:ffff981d3fd80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000008 CR3: 000000007c57a006 CR4: 00000000001606e0
 Call Trace:
  __tcf_idr_release+0x79/0xf0
  tcf_skbmod_init+0x1d1/0x210 [act_skbmod]
  tcf_action_init_1+0x2cc/0x430
  tcf_action_init+0xd3/0x1b0
  tc_ctl_action+0x18b/0x240
  rtnetlink_rcv_msg+0x29c/0x310
  ? _cond_resched+0x15/0x30
  ? __kmalloc_node_track_caller+0x1b9/0x270
  ? rtnl_calcit.isra.28+0x100/0x100
  netlink_rcv_skb+0xd2/0x110
  netlink_unicast+0x17c/0x230
  netlink_sendmsg+0x2cd/0x3c0
  sock_sendmsg+0x30/0x40
  ___sys_sendmsg+0x27a/0x290
  ? filemap_map_pages+0x34a/0x3a0
  ? __handle_mm_fault+0xbfd/0xe20
  __sys_sendmsg+0x51/0x90
  do_syscall_64+0x6e/0x1a0
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7f36776a3ba0
 RSP: 002b:00007fff4703b618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007fff4703b740 RCX: 00007f36776a3ba0
 RDX: 0000000000000000 RSI: 00007fff4703b690 RDI: 0000000000000003
 RBP: 000000005aaaba36 R08: 0000000000000002 R09: 0000000000000000
 R10: 00007fff4703b0a0 R11: 0000000000000246 R12: 0000000000000000
 R13: 00007fff4703b754 R14: 0000000000000001 R15: 0000000000669f60
 Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
 RIP: __call_rcu+0x23/0x2b0 RSP: ffffbd2e403e7798
 CR2: 0000000000000008

Fix it in tcf_skbmod_cleanup(), ensuring that kfree_rcu(p, ...) is called
only when p is not NULL.

Fixes: 86da71b57383 ("net_sched: Introduce skbmod action")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-12 12:32:26 +02:00
Davide Caratti
a19024a3f3 net/sched: fix NULL dereference in the error path of tunnel_key_init()
[ Upstream commit abdadd3cfd3e7ea3da61ac774f84777d1f702058 ]

When the following command

 # tc action add action tunnel_key unset index 100

is run for the first time, and tunnel_key_init() fails to allocate struct
tcf_tunnel_key_params, tunnel_key_release() dereferences NULL pointers.
This causes the following error:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
 IP: tunnel_key_release+0xd/0x40 [act_tunnel_key]
 PGD 8000000033787067 P4D 8000000033787067 PUD 74646067 PMD 0
 Oops: 0000 [#1] SMP PTI
 Modules linked in: act_tunnel_key(E) act_csum ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul snd_hda_codec_generic ghash_clmulni_intel snd_hda_intel pcbc snd_hda_codec snd_hda_core snd_hwdep snd_seq aesni_intel snd_seq_device crypto_simd glue_helper snd_pcm cryptd joydev snd_timer pcspkr virtio_balloon snd i2c_piix4 soundcore nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_net virtio_blk drm virtio_console crc32c_intel ata_piix serio_raw i2c_core virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod
 CPU: 2 PID: 3101 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:tunnel_key_release+0xd/0x40 [act_tunnel_key]
 RSP: 0018:ffffba46803b7768 EFLAGS: 00010286
 RAX: ffffffffc09010a0 RBX: 0000000000000000 RCX: 0000000000000024
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99ee336d7480
 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
 R10: 0000000000000220 R11: ffff99ee79d73131 R12: 0000000000000000
 R13: ffff99ee32d67610 R14: ffff99ee7671dc38 R15: 00000000fffffff4
 FS:  00007febcb2cd740(0000) GS:ffff99ee7fd00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000010 CR3: 000000007c8e4005 CR4: 00000000001606e0
 Call Trace:
  __tcf_idr_release+0x79/0xf0
  tunnel_key_init+0xd9/0x460 [act_tunnel_key]
  tcf_action_init_1+0x2cc/0x430
  tcf_action_init+0xd3/0x1b0
  tc_ctl_action+0x18b/0x240
  rtnetlink_rcv_msg+0x29c/0x310
  ? _cond_resched+0x15/0x30
  ? __kmalloc_node_track_caller+0x1b9/0x270
  ? rtnl_calcit.isra.28+0x100/0x100
  netlink_rcv_skb+0xd2/0x110
  netlink_unicast+0x17c/0x230
  netlink_sendmsg+0x2cd/0x3c0
  sock_sendmsg+0x30/0x40
  ___sys_sendmsg+0x27a/0x290
  __sys_sendmsg+0x51/0x90
  do_syscall_64+0x6e/0x1a0
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7febca6deba0
 RSP: 002b:00007ffe7b0dd128 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007ffe7b0dd250 RCX: 00007febca6deba0
 RDX: 0000000000000000 RSI: 00007ffe7b0dd1a0 RDI: 0000000000000003
 RBP: 000000005aaa90cb R08: 0000000000000002 R09: 0000000000000000
 R10: 00007ffe7b0dcba0 R11: 0000000000000246 R12: 0000000000000000
 R13: 00007ffe7b0dd264 R14: 0000000000000001 R15: 0000000000669f60
 Code: 44 00 00 8b 0d b5 23 00 00 48 8b 87 48 10 00 00 48 8b 3c c8 e9 a5 e5 d8 c3 0f 1f 44 00 00 0f 1f 44 00 00 53 48 8b 9f b0 00 00 00 <83> 7b 10 01 74 0b 48 89 df 31 f6 5b e9 f2 fa 7f c3 48 8b 7b 18
 RIP: tunnel_key_release+0xd/0x40 [act_tunnel_key] RSP: ffffba46803b7768
 CR2: 0000000000000010

Fix this in tunnel_key_release(), ensuring 'param' is not NULL before
dereferencing it.

Fixes: d0f6dd8a914f ("net/sched: Introduce act_tunnel_key")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-12 12:32:26 +02:00
Davide Caratti
21563c4df3 net/sched: fix NULL dereference in the error path of tcf_bpf_init()
[ Upstream commit 3239534a79ee6f20cffd974173a1e62e0730e8ac ]

When tcf_bpf_init_from_ops() fails (e.g. because of program having invalid
number of instructions), tcf_bpf_cfg_cleanup() calls bpf_prog_put(NULL) or
bpf_prog_destroy(NULL). Unless CONFIG_BPF_SYSCALL is unset, this causes
the following error:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
 PGD 800000007345a067 P4D 800000007345a067 PUD 340e1067 PMD 0
 Oops: 0000 [#1] SMP PTI
 Modules linked in: act_bpf(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd glue_helper cryptd joydev snd_timer snd virtio_balloon pcspkr soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console i2c_core crc32c_intel serio_raw virtio_pci ata_piix libata virtio_ring floppy virtio dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_bpf]
 CPU: 3 PID: 5654 Comm: tc Tainted: G            E    4.16.0.bpf_test+ #408
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:__bpf_prog_put+0xc/0xc0
 RSP: 0018:ffff9594003ef728 EFLAGS: 00010202
 RAX: 0000000000000000 RBX: ffff9594003ef758 RCX: 0000000000000024
 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
 R10: 0000000000000220 R11: ffff8a7ab9f17131 R12: 0000000000000000
 R13: ffff8a7ab7c3c8e0 R14: 0000000000000001 R15: ffff8a7ab88f1054
 FS:  00007fcb2f17c740(0000) GS:ffff8a7abfd80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000020 CR3: 000000007c888006 CR4: 00000000001606e0
 Call Trace:
  tcf_bpf_cfg_cleanup+0x2f/0x40 [act_bpf]
  tcf_bpf_cleanup+0x4c/0x70 [act_bpf]
  __tcf_idr_release+0x79/0x140
  tcf_bpf_init+0x125/0x330 [act_bpf]
  tcf_action_init_1+0x2cc/0x430
  ? get_page_from_freelist+0x3f0/0x11b0
  tcf_action_init+0xd3/0x1b0
  tc_ctl_action+0x18b/0x240
  rtnetlink_rcv_msg+0x29c/0x310
  ? _cond_resched+0x15/0x30
  ? __kmalloc_node_track_caller+0x1b9/0x270
  ? rtnl_calcit.isra.29+0x100/0x100
  netlink_rcv_skb+0xd2/0x110
  netlink_unicast+0x17c/0x230
  netlink_sendmsg+0x2cd/0x3c0
  sock_sendmsg+0x30/0x40
  ___sys_sendmsg+0x27a/0x290
  ? mem_cgroup_commit_charge+0x80/0x130
  ? page_add_new_anon_rmap+0x73/0xc0
  ? do_anonymous_page+0x2a2/0x560
  ? __handle_mm_fault+0xc75/0xe20
  __sys_sendmsg+0x58/0xa0
  do_syscall_64+0x6e/0x1a0
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7fcb2e58eba0
 RSP: 002b:00007ffc93c496c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007ffc93c497f0 RCX: 00007fcb2e58eba0
 RDX: 0000000000000000 RSI: 00007ffc93c49740 RDI: 0000000000000003
 RBP: 000000005ac6a646 R08: 0000000000000002 R09: 0000000000000000
 R10: 00007ffc93c49120 R11: 0000000000000246 R12: 0000000000000000
 R13: 00007ffc93c49804 R14: 0000000000000001 R15: 000000000066afa0
 Code: 5f 00 48 8b 43 20 48 c7 c7 70 2f 7c b8 c7 40 10 00 00 00 00 5b e9 a5 8b 61 00 0f 1f 44 00 00 0f 1f 44 00 00 41 54 55 48 89 fd 53 <48> 8b 47 20 f0 ff 08 74 05 5b 5d 41 5c c3 41 89 f4 0f 1f 44 00
 RIP: __bpf_prog_put+0xc/0xc0 RSP: ffff9594003ef728
 CR2: 0000000000000020

Fix it in tcf_bpf_cfg_cleanup(), ensuring that bpf_prog_{put,destroy}(f)
is called only when f is not NULL.

Fixes: bbc09e7842a5 ("net/sched: fix idr leak on the error path of tcf_bpf_init()")
Reported-by: Lucas Bates <lucasb@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-12 12:32:23 +02:00
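The three net/sched fixes above (tcf_skbmod_init(), tunnel_key_init(), tcf_bpf_init()) share one shape: init fails before the parameter object exists, the release path still runs the action's cleanup, and cleanup touches a NULL pointer. The following userspace C model is an added example, not kernel code and not part of any of these commits; every type and function name in it is hypothetical, and the deferred free is a stand-in for kfree_rcu() that stores a callback inside the object before releasing it.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical model of a callback head embedded in the freed object. */
struct rcu_head_model {
    struct rcu_head_model *next;
    void (*func)(struct rcu_head_model *);
};

/* Hypothetical per-action parameters; the head is the first member. */
struct act_params {
    struct rcu_head_model rcu;
    unsigned int flags;
};

struct action {
    struct act_params *params; /* stays NULL when init fails to allocate */
};

typedef void (*cleanup_fn)(struct action *);

static void params_reclaim(struct rcu_head_model *head)
{
    free(head); /* head is the first member, so it is the allocation itself */
}

/* Stand-in for a deferred free: writes into the object, then reclaims it. */
static void deferred_free(struct act_params *p)
{
    volatile struct act_params *vp = p;

    vp->rcu.func = params_reclaim; /* faults here when p == NULL */
    params_reclaim(&p->rcu);
}

/* "Before" shape: cleanup assumes init always got as far as allocating. */
static void cleanup_unchecked(struct action *a)
{
    deferred_free(a->params);
    a->params = NULL;
}

/* "After" shape: cleanup tolerates a half-initialised action. */
static void cleanup_checked(struct action *a)
{
    if (a->params) {
        deferred_free(a->params);
        a->params = NULL;
    }
}

/* Init whose error path releases the action, which in turn runs cleanup. */
static int action_init(struct action *a, cleanup_fn cleanup, int fail_alloc)
{
    a->params = fail_alloc ? NULL : calloc(1, sizeof(*a->params));
    if (!a->params) {
        cleanup(a); /* release of an action that never got its params */
        return -ENOMEM;
    }
    a->params->flags = 1;
    return 0;
}

/*
 * Run a failing init in a child process so a fault cannot take the caller
 * down. Returns 0 if the error path completed and reported -ENOMEM,
 * 1 if the child died or misbehaved, -1 if fork() itself failed.
 */
static int failed_init_outcome(cleanup_fn cleanup)
{
    int status = 0;
    pid_t pid = fork();

    if (pid < 0)
        return -1;
    if (pid == 0) {
        struct rlimit no_core = { 0, 0 };
        struct action a;

        setrlimit(RLIMIT_CORE, &no_core); /* no core file from the demo */
        _exit(action_init(&a, cleanup, 1) == -ENOMEM ? 0 : 2);
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : 1;
}

int main(void)
{
    printf("unchecked cleanup on failed init: %s\n",
           failed_init_outcome(cleanup_unchecked) ? "crashed" : "ok");
    printf("checked cleanup on failed init:   %s\n",
           failed_init_outcome(cleanup_checked) ? "crashed" : "ok");
    return 0;
}
```

When reviewing a cleanup or release callback, check every pointer it frees or dereferences against each early-exit point in the matching init function, since the release path can run before any of them is set.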
Craig Dillabaugh
cd19a9b12a net sched actions: fix dumping which requires several messages to user space
[ Upstream commit 734549eb550c0c720bc89e50501f1b1e98cdd841 ]

Fixes a bug in the tcf_dump_walker function that can cause some actions
to not be reported when dumping a large number of actions. This issue
became more aggravated when cookies feature was added. In particular
this issue is manifest when large cookie values are assigned to the
actions and when enough actions are created that the resulting table
must be dumped in multiple batches.

The number of actions returned in each batch is limited by the total
number of actions and the memory buffer size.  With small cookies
the numeric limit is reached before the buffer size limit, which avoids
the code path triggering this bug. When large cookies are used buffer
fills before the numeric limit, and the erroneous code path is hit.

For example after creating 32 csum actions with the cookie
aaaabbbbccccdddd

$ tc actions ls action csum
total acts 26

    action order 0: csum (tcp) action continue
    index 1 ref 1 bind 0
    cookie aaaabbbbccccdddd

    .....

    action order 25: csum (tcp) action continue
    index 26 ref 1 bind 0
    cookie aaaabbbbccccdddd
total acts 6

    action order 0: csum (tcp) action continue
    index 28 ref 1 bind 0
    cookie aaaabbbbccccdddd

    ......

    action order 5: csum (tcp) action continue
    index 32 ref 1 bind 0
    cookie aaaabbbbccccdddd

Note that the action with index 27 is omitted from the report.

Fixes: 4b3550ef530c ("[NET_SCHED]: Use nla_nest_start/nla_nest_end")"
Signed-off-by: Craig Dillabaugh <cdillaba@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-04-12 12:32:23 +02:00
Isaac J. Manjarres
7ed7e2acf0 Merge remote-tracking branch 'remotes/origin/tmp-51e322a' into msm-4.14
* remotes/origin/tmp-51e322a:
  Linux 4.14.32
  s390/qeth: on channel error, reject further cmd requests
  s390/qeth: lock read device while queueing next buffer
  s390/qeth: when thread completes, wake up all waiters
  s390/qeth: free netdevice when removing a card
  dpaa_eth: remove duplicate increment of the tx_errors counter
  dpaa_eth: increment the RX dropped counter when needed
  dpaa_eth: remove duplicate initialization
  dpaa_eth: fix error in dpaa_remove()
  soc/fsl/qbman: fix issue in qman_delete_cgr_safe()
  team: Fix double free in error path
  skbuff: Fix not waking applications when errors are enqueued
  qede: Fix qedr link update
  net: systemport: Rewrite __bcm_sysport_tx_reclaim()
  net: Only honor ifindex in IP_PKTINFO if non-0
  netlink: avoid a double skb free in genlmsg_mcast()
  net/iucv: Free memory obtained by kzalloc
  net: fec: Fix unbalanced PM runtime calls
  net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
  net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
  l2tp: do not accept arbitrary sockets
  ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
  dccp: check sk for closed state in dccp_sendmsg()
  net: Fix hlist corruptions in inet_evict_bucket()
  net: use skb_to_full_sk() in skb_update_prio()
  ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
  sch_netem: fix skb leak in netem_enqueue()
  kcm: lock lower socket in kcm_attach
  rhashtable: Fix rhlist duplicates insertion
  ppp: avoid loop in xmit recursion detection code
  net sched actions: return explicit error when tunnel_key mode is not specified
  net: phy: Tell caller result of phy_change()
  mlxsw: spectrum_buffers: Set a minimum quota for CPU port traffic
  ipv6: sr: fix scheduling in RCU when creating seg6 lwtunnel state
  ipv6: sr: fix NULL pointer dereference when setting encap source address
  ipv6: old_dport should be a __be16 in __ip6_datagram_connect()
  net: ipv6: keep sk status consistent after datagram connect failure
  macvlan: filter out unsupported feature flags
  devlink: Remove redundant free on error path
  net: phy: relax error checking when creating sysfs link netdev->phydev
  sysfs: symlink: export sysfs_create_link_nowarn()
  qed: Fix non TCP packets should be dropped on iWARP ll2 connection
  tcp: purge write queue upon aborting the connection
  tcp: reset sk_send_head in tcp_write_queue_purge

Change-Id: Ief39b9585daef847f0456cfe8fa70ba0178ea127
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-04-02 13:49:25 -07:00
Alexey Kodanev
f77ff13a06 sch_netem: fix skb leak in netem_enqueue()
[ Upstream commit 35d889d10b649fda66121891ec05eca88150059d ]

When we exceed current packets limit and we have more than one
segment in the list returned by skb_gso_segment(), netem drops
only the first one, skipping the rest, hence kmemleak reports:

unreferenced object 0xffff880b5d23b600 (size 1024):
  comm "softirq", pid 0, jiffies 4384527763 (age 2770.629s)
  hex dump (first 32 bytes):
    00 80 23 5d 0b 88 ff ff 00 00 00 00 00 00 00 00  ..#]............
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000d8a19b9d>] __alloc_skb+0xc9/0x520
    [<000000001709b32f>] skb_segment+0x8c8/0x3710
    [<00000000c7b9bb88>] tcp_gso_segment+0x331/0x1830
    [<00000000c921cba1>] inet_gso_segment+0x476/0x1370
    [<000000008b762dd4>] skb_mac_gso_segment+0x1f9/0x510
    [<000000002182660a>] __skb_gso_segment+0x1dd/0x620
    [<00000000412651b9>] netem_enqueue+0x1536/0x2590 [sch_netem]
    [<0000000005d3b2a9>] __dev_queue_xmit+0x1167/0x2120
    [<00000000fc5f7327>] ip_finish_output2+0x998/0xf00
    [<00000000d309e9d3>] ip_output+0x1aa/0x2c0
    [<000000007ecbd3a4>] tcp_transmit_skb+0x18db/0x3670
    [<0000000042d2a45f>] tcp_write_xmit+0x4d4/0x58c0
    [<0000000056a44199>] tcp_tasklet_func+0x3d9/0x540
    [<0000000013d06d02>] tasklet_action+0x1ca/0x250
    [<00000000fcde0b8b>] __do_softirq+0x1b4/0x5a3
    [<00000000e7ed027c>] irq_exit+0x1e2/0x210

Fix it by adding the rest of the segments, if any, to skb 'to_free'
list. Add new __qdisc_drop_all() and qdisc_drop_all() functions
because they can be useful in the future if we need to drop segmented
GSO packets in other places.

Fixes: 6071bd1aa13e ("netem: Segment GSO packets on enqueue")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-31 18:10:40 +02:00
Roman Mashak
28b488f7cb net sched actions: return explicit error when tunnel_key mode is not specified
[ Upstream commit 51d4740f88affd85d49c04e3c9cd129c0e33bcb9 ]

If set/unset mode of the tunnel_key action is not provided, ->init() still
returns 0, and the caller proceeds with bogus 'struct tc_action *' object,
this results in crash:

% tc actions add action tunnel_key src_ip 1.1.1.1 dst_ip 2.2.2.1 id 7 index 1

[   35.805515] general protection fault: 0000 [#1] SMP PTI
[   35.806161] Modules linked in: act_tunnel_key kvm_intel kvm irqbypass
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64
crypto_simd glue_helper cryptd serio_raw
[   35.808233] CPU: 1 PID: 428 Comm: tc Not tainted 4.16.0-rc4+ #286
[   35.808929] RIP: 0010:tcf_action_init+0x90/0x190
[   35.809457] RSP: 0018:ffffb8edc068b9a0 EFLAGS: 00010206
[   35.810053] RAX: 1320c000000a0003 RBX: 0000000000000001 RCX: 0000000000000000
[   35.810866] RDX: 0000000000000070 RSI: 0000000000007965 RDI: ffffb8edc068b910
[   35.811660] RBP: ffffb8edc068b9d0 R08: 0000000000000000 R09: ffffb8edc068b808
[   35.812463] R10: ffffffffc02bf040 R11: 0000000000000040 R12: ffffb8edc068bb38
[   35.813235] R13: 0000000000000000 R14: 0000000000000000 R15: ffffb8edc068b910
[   35.814006] FS:  00007f3d0d8556c0(0000) GS:ffff91d1dbc40000(0000)
knlGS:0000000000000000
[   35.814881] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   35.815540] CR2: 000000000043f720 CR3: 0000000019248001 CR4: 00000000001606a0
[   35.816457] Call Trace:
[   35.817158]  tc_ctl_action+0x11a/0x220
[   35.817795]  rtnetlink_rcv_msg+0x23d/0x2e0
[   35.818457]  ? __slab_alloc+0x1c/0x30
[   35.819079]  ? __kmalloc_node_track_caller+0xb1/0x2b0
[   35.819544]  ? rtnl_calcit.isra.30+0xe0/0xe0
[   35.820231]  netlink_rcv_skb+0xce/0x100
[   35.820744]  netlink_unicast+0x164/0x220
[   35.821500]  netlink_sendmsg+0x293/0x370
[   35.822040]  sock_sendmsg+0x30/0x40
[   35.822508]  ___sys_sendmsg+0x2c5/0x2e0
[   35.823149]  ? pagecache_get_page+0x27/0x220
[   35.823714]  ? filemap_fault+0xa2/0x640
[   35.824423]  ? page_add_file_rmap+0x108/0x200
[   35.825065]  ? alloc_set_pte+0x2aa/0x530
[   35.825585]  ? finish_fault+0x4e/0x70
[   35.826140]  ? __handle_mm_fault+0xbc1/0x10d0
[   35.826723]  ? __sys_sendmsg+0x41/0x70
[   35.827230]  __sys_sendmsg+0x41/0x70
[   35.827710]  do_syscall_64+0x68/0x120
[   35.828195]  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[   35.828859] RIP: 0033:0x7f3d0ca4da67
[   35.829331] RSP: 002b:00007ffc9f284338 EFLAGS: 00000246 ORIG_RAX:
000000000000002e
[   35.830304] RAX: ffffffffffffffda RBX: 00007ffc9f284460 RCX: 00007f3d0ca4da67
[   35.831247] RDX: 0000000000000000 RSI: 00007ffc9f2843b0 RDI: 0000000000000003
[   35.832167] RBP: 000000005aa6a7a9 R08: 0000000000000001 R09: 0000000000000000
[   35.833075] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
[   35.833997] R13: 00007ffc9f2884c0 R14: 0000000000000001 R15: 0000000000674640
[   35.834923] Code: 24 30 bb 01 00 00 00 45 31 f6 eb 5e 8b 50 08 83 c2 07 83 e2
fc 83 c2 70 49 8b 07 48 8b 40 70 48 85 c0 74 10 48 89 14 24 4c 89 ff <ff> d0 48
8b 14 24 48 01 c2 49 01 d6 45 85 ed 74 05 41 83 47 2c
[   35.837442] RIP: tcf_action_init+0x90/0x190 RSP: ffffb8edc068b9a0
[   35.838291] ---[ end trace a095c06ee4b97a26 ]---

Fixes: d0f6dd8a914f ("net/sched: Introduce act_tunnel_key")
Signed-off-by: Roman Mashak <mrv@mojatatu.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-31 18:10:39 +02:00
Blagovest Kolenichev
24b2e60f51 Merge android-4.14.29 (45c8dbe) into msm-4.14
* refs/heads/tmp-45c8dbe
  Linux 4.14.29
  usb: dwc3: Fix GDBGFIFOSPACE_TYPE values
  USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe()
  scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure
  scsi: qla2xxx: Fix logo flag for qlt_free_session_done()
  scsi: qla2xxx: Fix NULL pointer access for fcport structure
  scsi: qla2xxx: Fix smatch warning in qla25xx_delete_{rsp|req}_que
  btrfs: Fix memory barriers usage with device stats counters
  btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes
  btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device
  btrfs: alloc_chunk: fix DUP stripe size handling
  btrfs: add missing initialization in btrfs_check_shared
  btrfs: Fix NULL pointer exception in find_bio_stripe
  irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis
  RDMAVT: Fix synchronization around percpu_ref
  fs/aio: Use RCU accessors for kioctx_table->table[]
  fs/aio: Add explicit RCU grace period when freeing kioctx
  lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
  KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid
  kvm: arm/arm64: vgic-v3: Tighten synchronization for guests using v2 on v3
  KVM: arm/arm64: Reduce verbosity of KVM init log
  fs: Teach path_connected to handle nfs filesystems with multiple roots.
  drm/amdgpu/dce: Don't turn off DP sink when disconnected
  drm/radeon: fix prime teardown order
  drm/amdgpu: fix prime teardown order
  drm/nouveau/bl: Fix oops on driver unbind
  ALSA: seq: Clear client entry before deleting else at closing
  ALSA: seq: Fix possible UAF in snd_seq_check_queue()
  ALSA: hda - Revert power_save option default value
  ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
  parisc: Handle case where flush_cache_range is called with no context
  x86/mm: Fix vmalloc_fault to use pXd_large
  KVM: x86: Fix device passthrough when SME is active
  x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist
  x86/speculation, objtool: Annotate indirect calls/jumps for objtool on 32-bit kernels
  x86/vm86/32: Fix POPF emulation
  selftests/x86/entry_from_vm86: Add test cases for POPF
  selftests/x86: Add tests for the STR and SLDT instructions
  selftests/x86: Add tests for User-Mode Instruction Prevention
  selftests/x86/entry_from_vm86: Exit with 1 if we fail
  x86/cpufeatures: Add Intel PCONFIG cpufeature
  x86/cpufeatures: Add Intel Total Memory Encryption cpufeature
  ANDROID: arm-smccc: fix clang build
  staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
  Linux 4.14.28
  drm/i915/glk: Disable Guc and HuC on GLK
  dmaengine: qcom_hidma: check pending interrupts
  IB/mlx5: revisit -Wmaybe-uninitialized warning
  ima: relax requiring a file signature for new files with zero length
  locking/locktorture: Fix num reader/writer corner cases
  rcutorture/configinit: Fix build directory error message
  ipvlan: add L2 check for packets arriving via virtual devices
  Fix misannotated out-of-line _copy_to_user()
  mmc: mmc_test: Ensure command queue is disabled for testing
  ASoC: nuc900: Fix a loop timeout test
  crypto: caam/qi - use correct print specifier for size_t
  mac80211: remove BUG() when interface type is invalid
  mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED
  agp/intel: Flush all chipset writes after updating the GGTT
  arm64: dts: renesas: salvator-common: Add EthernetAVB PHY reset
  powerpc/64: Don't trace irqs-off at interrupt return to soft-disabled context
  powerpc/modules: Don't try to restore r2 after a sibling call
  drm/amdkfd: Fix memory leaks in kfd topology
  veth: set peer GSO values
  net: sched: drop qdisc_reset from dev_graft_qdisc
  virtio_net: Disable interrupts if napi_complete_done rescheduled napi
  media: davinci: vpif_capture: add NULL check on devm_kzalloc return value
  media: cpia2: Fix a couple off by one bugs
  dm raid: fix raid set size revalidation
  media: vsp1: Prevent suspending and resuming DRM pipelines
  scsi: dh: add new rdac devices
  scsi: devinfo: apply to HP XP the same flags as Hitachi VSP
  scsi: core: scsi_get_device_flags_keyed(): Always return device flags
  bnxt_en: Don't print "Link speed -1 no longer supported" messages.
  spi: sun6i: disable/unprepare clocks on remove
  tools/usbip: fixes build with musl libc toolchain
  ath10k: fix invalid STS_CAP_OFFSET_MASK
  mwifiex: cfg80211: do not change virtual interface during scan processing
  clk: qcom: msm8916: fix mnd_width for codec_digcodec
  drm/amdgpu:fix virtual dce bug
  iwlwifi: mvm: avoid dumping assert log when device is stopped
  perf annotate: Fix objdump comment parsing for Intel mov dissassembly
  perf annotate: Fix unnecessary memory allocation for s390x
  pinctrl: sh-pfc: r8a7795-es1: Fix MOD_SEL1 bit[25:24] to 0x3 when using STP_ISEN_1_D
  pinctrl: sh-pfc: r8a7791: Add can_clk function
  drm/sun4i: Fix format mask in DE2 driver
  pwm: stmpe: Fix wrong register offset for hwpwm=2 case
  scsi: ses: don't ask for diagnostic pages repeatedly during probe
  drm/amdgpu:fix random missing of FLR NOTIFY
  cpufreq: Fix governor module removal race
  ath10k: update tdls teardown state to target
  iio: health: max30102: Add power enable parameter to get_temp function
  iio: adc: ina2xx: Shift bus voltage register to mask flag bits
  drm/etnaviv: make THERMAL selectable
  power: supply: ab8500_charger: Bail out in case of error in 'ab8500_charger_init_hw_registers()'
  power: supply: ab8500_charger: Fix an error handling path
  leds: pm8058: Silence pointer to integer size warning
  xfrm: Fix xfrm_replay_overflow_offload_esn
  userns: Don't fail follow_automount based on s_user_ns
  mtd: nand: ifc: update bufnum mask for ver >= 2.0.0
  ARM: dts: omap3-n900: Fix the audio CODEC's reset pin
  ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin
  net: thunderx: Set max queue count taking XDP_TX into account
  mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]()
  net: xfrm: allow clearing socket xfrm policies.
  rtc: brcmstb-waketimer: fix error handling in brcmstb_waketmr_probe()
  net: ieee802154: adf7242: Fix bug if defined DEBUG
  test_firmware: fix setting old custom fw path back on exit
  crypto: cavium - fix memory leak on info
  crypto: ecc - Fix NULL pointer deref. on no default_rng
  sched: Stop resched_cpu() from sending IPIs to offline CPUs
  sched: Stop switched_to_rt() from sending IPIs to offline CPUs
  USB: ledtrig-usbport: fix of-node leak
  typec: tcpm: fusb302: Resolve out of order messaging events
  staging: rtl8822be: fix missing null check on dev_alloc_skb return
  drm/amdgpu: fix get_max_engine_clock_in_mhz
  ARM: dts: exynos: Correct Trats2 panel reset line
  clk: meson: gxbb: fix wrong clock for SARADC/SANA
  ARM: dts: koelsch: Move cec_clock to root node
  iwlwifi: mvm: rs: don't override the rate history in the search cycle
  HID: elo: clear BTN_LEFT mapping
  HID: multitouch: Only look at non touch fields in first packet of a frame
  video/hdmi: Allow "empty" HDMI infoframes
  dma-buf/fence: Fix lock inversion within dma-fence-array
  drm/edid: set ELD connector type in drm_edid_to_eld()
  Revert "btrfs: use proper endianness accessors for super_copy"
  dm mpath: fix passing integrity data
  earlycon: add reg-offset to physical address before mapping
  serial: core: mark port as initialized in autoconfig
  serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
  usb: dwc3: Fix lock-up on ID change during system suspend/resume
  usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
  usb: usbmon: Read text within supplied buffer size
  usb: quirks: add control message delay for 1b1c:1b20
  usbip: vudc: fix null pointer dereference on udc->lock
  USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
  staging: android: ashmem: Fix lockdep issue during llseek
  staging: comedi: fix comedi_nsamples_left.
  uas: fix comparison for error code
  tty/serial: atmel: add new version check for usart
  serial: sh-sci: prevent lockup on full TTY buffers
  xhci: fix endpoint context tracer output
  xhci: Fix front USB ports on ASUS PRIME B350M-A
  usb: host: xhci-rcar: add support for r8a77965
  ASoC: rt5651: Fix regcache sync errors on resume
  ASoC: wm_adsp: For TLV controls only register TLV get/set
  ASoC: sgtl5000: Fix suspend/resume
  ASoC: sun4i-i2s: Fix RX slot number of SUN8I
  x86: Treat R_X86_64_PLT32 as R_X86_64_PC32
  net: phy: Restore phy_resume() locking assumption
  net: phy: fix resume handling
  ANDROID: sdcardfs: fix lock issue on 32 bit/SMP architectures

Change-Id: Ida88909c333e059adf42a8794c3b92b1d15252f7
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-03-21 10:16:53 -07:00
John Fastabend
a80de288d6 net: sched: drop qdisc_reset from dev_graft_qdisc
[ Upstream commit 7bbde83b1860c28a1cc35516352c4e7e5172c29a ]

In qdisc_graft_qdisc a "new" qdisc is attached and the 'qdisc_destroy'
operation is called on the old qdisc. The destroy operation will wait
a rcu grace period and call qdisc_rcu_free(). At which point
gso_cpu_skb is free'd along with all stats so no need to zero stats
and gso_cpu_skb from the graft operation itself.

Further, after dropping the qdisc locks we cannot continue to call
qdisc_reset before waiting an rcu grace period so that the qdisc is
detached from all cpus. By removing the qdisc_reset() here we get
the correct property of waiting an rcu grace period and letting the
qdisc_destroy operation clean up the qdisc correctly.

Note, a refcnt greater than 1 would cause the destroy operation to
be aborted; however, if this ever happened the reference to the qdisc
would be lost and we would have a memory leak.

Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-19 08:42:54 +01:00
Isaac J. Manjarres
40324f8696 Merge remote-tracking branch 'remotes/origin/tmp-4576e0e' into msm-4.14
* remotes/origin/tmp-4576e0e:
  Linux 4.14.26
  KVM: x86: fix backward migration with async_PF
  bpf, ppc64: fix out of bounds access in tail call
  bpf: allow xadd only on aligned memory
  bpf: add schedule points in percpu arrays management
  bpf, arm64: fix out of bounds access in tail call
  bpf, x64: implement retpoline for tail call
  bpf: fix rcu lockdep warning for lpm_trie map_free callback
  bpf: fix memory leak in lpm_trie map_free callback function
  bpf: fix mlock precharge on arraymaps
  Linux 4.14.25
  nvme-rdma: don't suppress send completions
  md: only allow remove_and_add_spares when no sync_thread running.
  ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
  ARM: dts: LogicPD SOM-LV: Fix I2C1 pinmux
  ACPI / bus: Parse tables as term_list for Dell XPS 9570 and Precision M5530
  KVM/x86: remove WARN_ON() for when vm_munmap() fails
  KVM/x86: Fix wrong macro references of X86_CR0_PG_BIT and X86_CR4_PAE_BIT in kvm_valid_sregs()
  PCI/ASPM: Deal with missing root ports in link state handling
  KVM: x86: fix vcpu initialization with userspace lapic
  KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
  KVM: x86: move LAPIC initialization after VMCS creation
  KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
  KVM: mmu: Fix overlap between public and private memslots
  KVM: X86: Fix SMRAM accessing even if VM is shutdown
  KVM: x86: extend usage of RET_MMIO_PF_* constants
  ARM: kvm: fix building with gcc-8
  ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
  ARM: dts: rockchip: Remove 1.8 GHz operation point from phycore som
  ARM: orion: fix orion_ge00_switch_board_info initialization
  x86/mm: Fix {pmd,pud}_{set,clear}_flags()
  nospec: Allow index argument to have const-qualified type
  KVM: s390: consider epoch index on TOD clock syncs
  KVM: s390: consider epoch index on hotplugged CPUs
  KVM: s390: provide only a single function for setting the tod (fix SCK)
  KVM: s390: take care of clock-comparator sign control
  EDAC, sb_edac: Fix out of bound writes during DIMM configuration on KNL
  media: m88ds3103: don't call a non-initalized function
  blk-mq: don't call io sched's .requeue_request when requeueing rq to ->dispatch
  s390/qeth: fix IPA command submission race
  s390/qeth: fix IP address lookup for L3 devices
  Revert "s390/qeth: fix using of ref counter for rxip addresses"
  s390/qeth: fix double-free on IP add/remove race
  s390/qeth: fix IP removal on offline cards
  s390/qeth: fix overestimated count of buffer elements
  s390/qeth: fix SETIP command handling
  s390/qeth: fix underestimated count of buffer elements
  virtio-net: disable NAPI only when enabled during XDP set
  tuntap: disable preemption during XDP processing
  tuntap: correctly add the missing XDP flush
  tcp: purge write queue upon RST
  netlink: put module reference if dump start fails
  mlxsw: spectrum_router: Do not unconditionally clear route offload indication
  cls_u32: fix use after free in u32_destroy_key()
  amd-xgbe: Restore PCI interrupt enablement setting on resume
  net/mlx5e: Verify inline header size do not exceed SKB linear size
  bridge: Fix VLAN reference count problem
  sctp: fix dst refcnt leak in sctp_v6_get_dst()
  net: ipv4: Set addr_type in hash_keys for forwarded case
  mlxsw: spectrum_router: Fix error path in mlxsw_sp_vr_create
  tcp: revert F-RTO extension to detect more spurious timeouts
  tcp: revert F-RTO middle-box workaround
  sctp: do not pr_err for the duplicated node in transport rhlist
  net/sched: cls_u32: fix cls_u32 on filter replace
  net_sched: gen_estimator: fix broken estimators based on percpu stats
  net/mlx5e: Fix loopback self test when GRO is off
  doc: Change the min default value of tcp_wmem/tcp_rmem.
  tcp_bbr: better deal with suboptimal GSO
  rxrpc: Fix send in rxrpc_send_data_packet()
  tcp: Honor the eor bit in tcp_mtu_probe
  net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
  net/mlx5e: Specify numa node when allocating drop rq
  mlxsw: spectrum_switchdev: Check success of FDB add operation
  sctp: fix dst refcnt leak in sctp_v4_get_dst
  net/mlx5e: Fix TCP checksum in LRO buffers
  udplite: fix partial checksum initialization
  sctp: verify size of a new chunk in _sctp_make_chunk()
  ppp: prevent unregistered channels from connecting to PPP units
  net: sched: report if filter is too large to dump
  netlink: ensure to loop over all netns in genlmsg_multicast_allns()
  net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
  net: fix race on decreasing number of TX queues
  net: ethernet: ti: cpsw: fix net watchdog timeout
  net: amd-xgbe: fix comparison to bitshift when dealing with a mask
  ipv6 sit: work around bogus gcc-8 -Wrestrict warning
  hdlc_ppp: carrier detect ok, don't turn off negotiation
  fib_semantics: Don't match route with mismatching tclassid
  bridge: check brport attr show in brport_show
  x86/cpu_entry_area: Sync cpu_entry_area to initial_page_table
  x86/platform/intel-mid: Handle Intel Edison reboot correctly
  x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
  direct-io: Fix sleep in atomic due to sync AIO
  dax: fix vma_is_fsdax() helper
  cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
  vfio: disable filesystem-dax page pinning
  block: kyber: fix domain token leak during requeue
  block: fix the count of PGPGOUT for WRITE_SAME
  btrfs: use proper endianness accessors for super_copy
  parisc: Fix ordering of cache and TLB flushes
  parisc: Reduce irq overhead when run in qemu
  parisc: Use cr16 interval timers unconditionally on qemu
  timers: Forward timer base before migrating timers
  mmc: dw_mmc: Fix out-of-bounds access for slot's caps
  mmc: dw_mmc: Factor out dw_mci_init_slot_caps
  mmc: dw_mmc: Avoid accessing registers in runtime suspended state
  mmc: dw_mmc-k3: Fix out-of-bounds access through DT alias
  mmc: sdhci-pci: Fix S0i3 for Intel BYT-based controllers
  ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
  ALSA: hda: Add a power_save blacklist
  ALSA: x86: Fix missing spinlock and mutex initializations
  ALSA: control: Fix memory corruption risk in snd_ctl_elem_read
  ALSA: usb-audio: Add a quirck for B&W PX headphones
  tpm_tis_spi: Use DMA-safe memory for SPI transfers
  tpm: constify transmit data pointers
  tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
  tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
  tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
  tpm: fix potential buffer overruns caused by bit glitches on the bus
  tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus
  ixgbe: fix crash in build_skb Rx code path
  Bluetooth: btusb: Use DMI matching for QCA reset_resume quirking
  ANDROID: uid_sys_stats: Copy task_struct comm field to bigger buffer
  FROMLIST: ARM: amba: Don't read past the end of sysfs "driver_override" buffer

Conflicts:
	kernel/time/timer.c

Change-Id: Iab19f552a822c233175e6553faf5c62447844201
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-03-12 11:24:34 -07:00
Paolo Abeni
ebadf88828 cls_u32: fix use after free in u32_destroy_key()
[ Upstream commit d7cdee5ea8d28ae1b6922deb0c1badaa3aa0ef8c ]

Li Shuang reported an Oops with cls_u32 due to a use-after-free
in u32_destroy_key(). The use-after-free can be triggered with:

dev=lo
tc qdisc add dev $dev root handle 1: htb default 10
tc filter add dev $dev parent 1: prio 5 handle 1: protocol ip u32 divisor 256
tc filter add dev $dev protocol ip parent 1: prio 5 u32 ht 800:: match ip dst\
 10.0.0.0/8 hashkey mask 0x0000ff00 at 16 link 1:
tc qdisc del dev $dev root

Which causes the following kasan splat:

 ==================================================================
 BUG: KASAN: use-after-free in u32_destroy_key.constprop.21+0x117/0x140 [cls_u32]
 Read of size 4 at addr ffff881b83dae618 by task kworker/u48:5/571

 CPU: 17 PID: 571 Comm: kworker/u48:5 Not tainted 4.15.0+ #87
 Hardware name: Dell Inc. PowerEdge R730/072T6D, BIOS 2.1.7 06/16/2016
 Workqueue: tc_filter_workqueue u32_delete_key_freepf_work [cls_u32]
 Call Trace:
  dump_stack+0xd6/0x182
  ? dma_virt_map_sg+0x22e/0x22e
  print_address_description+0x73/0x290
  kasan_report+0x277/0x360
  ? u32_destroy_key.constprop.21+0x117/0x140 [cls_u32]
  u32_destroy_key.constprop.21+0x117/0x140 [cls_u32]
  u32_delete_key_freepf_work+0x1c/0x30 [cls_u32]
  process_one_work+0xae0/0x1c80
  ? sched_clock+0x5/0x10
  ? pwq_dec_nr_in_flight+0x3c0/0x3c0
  ? _raw_spin_unlock_irq+0x29/0x40
  ? trace_hardirqs_on_caller+0x381/0x570
  ? _raw_spin_unlock_irq+0x29/0x40
  ? finish_task_switch+0x1e5/0x760
  ? finish_task_switch+0x208/0x760
  ? preempt_notifier_dec+0x20/0x20
  ? __schedule+0x839/0x1ee0
  ? check_noncircular+0x20/0x20
  ? firmware_map_remove+0x73/0x73
  ? find_held_lock+0x39/0x1c0
  ? worker_thread+0x434/0x1820
  ? lock_contended+0xee0/0xee0
  ? lock_release+0x1100/0x1100
  ? init_rescuer.part.16+0x150/0x150
  ? retint_kernel+0x10/0x10
  worker_thread+0x216/0x1820
  ? process_one_work+0x1c80/0x1c80
  ? lock_acquire+0x1a5/0x540
  ? lock_downgrade+0x6b0/0x6b0
  ? sched_clock+0x5/0x10
  ? lock_release+0x1100/0x1100
  ? compat_start_thread+0x80/0x80
  ? do_raw_spin_trylock+0x190/0x190
  ? _raw_spin_unlock_irq+0x29/0x40
  ? trace_hardirqs_on_caller+0x381/0x570
  ? _raw_spin_unlock_irq+0x29/0x40
  ? finish_task_switch+0x1e5/0x760
  ? finish_task_switch+0x208/0x760
  ? preempt_notifier_dec+0x20/0x20
  ? __schedule+0x839/0x1ee0
  ? kmem_cache_alloc_trace+0x143/0x320
  ? firmware_map_remove+0x73/0x73
  ? sched_clock+0x5/0x10
  ? sched_clock_cpu+0x18/0x170
  ? find_held_lock+0x39/0x1c0
  ? schedule+0xf3/0x3b0
  ? lock_downgrade+0x6b0/0x6b0
  ? __schedule+0x1ee0/0x1ee0
  ? do_wait_intr_irq+0x340/0x340
  ? do_raw_spin_trylock+0x190/0x190
  ? _raw_spin_unlock_irqrestore+0x32/0x60
  ? process_one_work+0x1c80/0x1c80
  ? process_one_work+0x1c80/0x1c80
  kthread+0x312/0x3d0
  ? kthread_create_worker_on_cpu+0xc0/0xc0
  ret_from_fork+0x3a/0x50

 Allocated by task 1688:
  kasan_kmalloc+0xa0/0xd0
  __kmalloc+0x162/0x380
  u32_change+0x1220/0x3c9e [cls_u32]
  tc_ctl_tfilter+0x1ba6/0x2f80
  rtnetlink_rcv_msg+0x4f0/0x9d0
  netlink_rcv_skb+0x124/0x320
  netlink_unicast+0x430/0x600
  netlink_sendmsg+0x8fa/0xd60
  sock_sendmsg+0xb1/0xe0
  ___sys_sendmsg+0x678/0x980
  __sys_sendmsg+0xc4/0x210
  do_syscall_64+0x232/0x7f0
  return_from_SYSCALL_64+0x0/0x75

 Freed by task 112:
  kasan_slab_free+0x71/0xc0
  kfree+0x114/0x320
  rcu_process_callbacks+0xc3f/0x1600
  __do_softirq+0x2bf/0xc06

 The buggy address belongs to the object at ffff881b83dae600
  which belongs to the cache kmalloc-4096 of size 4096
 The buggy address is located 24 bytes inside of
  4096-byte region [ffff881b83dae600, ffff881b83daf600)
 The buggy address belongs to the page:
 page:ffffea006e0f6a00 count:1 mapcount:0 mapping:          (null) index:0x0 compound_mapcount: 0
 flags: 0x17ffffc0008100(slab|head)
 raw: 0017ffffc0008100 0000000000000000 0000000000000000 0000000100070007
 raw: dead000000000100 dead000000000200 ffff880187c0e600 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff881b83dae500: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
  ffff881b83dae580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 >ffff881b83dae600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                             ^
  ffff881b83dae680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
  ffff881b83dae700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ==================================================================

The problem is that the htnode is freed before the linked knodes and the
latter will try to access the first at u32_destroy_key() time.
This change addresses the issue using the htnode refcnt to guarantee
the correct free order. While at it also add a RCU annotation,
to keep sparse happy.

v1 -> v2: use rtnl_dereference() instead of RCU read locks
v2 -> v3:
  - don't check refcnt in u32_destroy_hnode()
  - cleaned-up u32_destroy() implementation
  - cleaned-up code comment
v3 -> v4:
  - dropped unneeded comment

Reported-by: Li Shuang <shuali@redhat.com>
Fixes: c0d378ef1266 ("net_sched: use tcf_queue_work() in u32 filter")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-08 22:41:16 -08:00
Ivan Vecera
54d6bc97b4 net/sched: cls_u32: fix cls_u32 on filter replace
[ Upstream commit eb53f7af6f15285e2f6ada97285395343ce9f433 ]

The following sequence is currently broken:

 # tc qdisc add dev foo ingress
 # tc filter replace dev foo protocol all ingress \
   u32 match u8 0 0 action mirred egress mirror dev bar1
 # tc filter replace dev foo protocol all ingress \
   handle 800::800 pref 49152 \
   u32 match u8 0 0 action mirred egress mirror dev bar2
 Error: cls_u32: Key node flags do not match passed flags.
 We have an error talking to the kernel, -1

The error comes from u32_change() when comparing new and
existing flags. The existing ones always contain one of the
TCA_CLS_FLAGS_{,NOT}_IN_HW flags depending on offloading state.
These flags cannot be passed from userspace so the condition
(n->flags != flags) in u32_change() always fails.

Fix the condition so the flags TCA_CLS_FLAGS_NOT_IN_HW and
TCA_CLS_FLAGS_IN_HW are not taken into account.

Fixes: 24d3dc6d27ea ("net/sched: cls_u32: Reflect HW offload status")
Signed-off-by: Ivan Vecera <ivecera@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-08 22:41:14 -08:00
Roman Kapl
795f3deff1 net: sched: report if filter is too large to dump
[ Upstream commit 5ae437ad5a2ed573b1ebb04e0afa70b8869f88dd ]

So far, if the filter was too large to fit in the allocated skb, the
kernel did not return any error and stopped dumping. Modify the dumper
so that it returns -EMSGSIZE when a filter fails to dump and it is the
first filter in the skb. If we are not first, we will get a next chance
with more room.

I understand this is pretty near to being an API change, but the
original design (silent truncation) can be considered a bug.

Note: The error case can happen pretty easily if you create a filter
with 32 actions and have 4kb pages. Also recent versions of iproute try
to be clever with their buffer allocation size, which in turn leads to

Signed-off-by: Roman Kapl <code@rkapl.cz>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-08 22:41:10 -08:00
Isaac J. Manjarres
07f0d9dd34 Merge remote-tracking branch 'remotes/origin/tmp-85ab9a0' into msm-4.14
* remotes/origin/tmp-85ab9a0:
  Linux 4.14.24
  net: sched: fix use-after-free in tcf_block_put_ext
  net_sched: get rid of rcu_barrier() in tcf_block_put_ext()
  net: sched: crash on blocks with goto chain action
  net: sched: fix crash when deleting secondary chains
  arm64: dts: marvell: mcbin: add comphy references to Ethernet ports
  arm64: dts: marvell: add comphy nodes on cp110 master and slave
  powerpc/pseries: Enable RAS hotplug events later
  MIPS: Implement __multi3 for GCC7 MIPS64r6 builds
  mlxsw: pci: Wait after reset before accessing HW
  nfp: always unmask aux interrupts at init
  of_mdio: avoid MDIO bus removal when a PHY is missing
  net: gianfar_ptp: move set_fipers() to spinlock protecting area
  sctp: make use of pre-calculated len
  sctp: add a ceiling to optlen in some sockopts
  xen/gntdev: Fix partial gntdev_mmap() cleanup
  xen/gntdev: Fix off-by-one error when unmapping with holes
  SolutionEngine771x: fix Ether platform data
  mdio-sun4i: Fix a memory leak
  xen-netfront: enable device after manual module load
  bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine.
  bnxt_en: Fix population of flow_type in bnxt_hwrm_cfa_flow_alloc()
  x86/platform/intel-mid: Revert "Make 'bt_sfi_data' const"
  nvme-fabrics: initialize default host->id in nvmf_host_default()
  powerpc/pseries: Make RAS IRQ explicitly dependent on DLPAR WQ
  leds: core: Fix regression caused by commit 2b83ff96f51d
  bpf: sockmap missing NULL psock check
  ia64, sched/cputime: Fix build error if CONFIG_VIRT_CPU_ACCOUNTING_NATIVE=y
  block: drain queue before waiting for q_usage_counter becoming zero
  wcn36xx: Fix dynamic power saving
  can: flex_can: Correct the checking for frame length in flexcan_start_xmit()
  mac80211: mesh: drop frames appearing to be from us
  nl80211: Check for the required netlink attribute presence
  net: ena: unmask MSI-X only after device initialization is completed
  i40e: don't remove netdev->dev_addr when syncing uc list
  i40e/i40evf: Account for frags split over multiple descriptors in check linearize
  uapi libc compat: add fallback for unsupported libcs
  x86/efi: Fix kernel param add_efi_memmap regression
  RDMA/netlink: Fix locking around __ib_get_device_by_index
  drm/ttm: check the return value of kzalloc
  NET: usb: qmi_wwan: add support for YUGA CLM920-NC5 PID 0x9625
  e1000: fix disabling already-disabled warning
  macvlan: Fix one possible double free
  xfs: quota: check result of register_shrinker()
  xfs: quota: fix missed destroy of qi_tree_lock
  IB/ipoib: Fix race condition in neigh creation
  IB/mlx4: Fix mlx4_ib_alloc_mr error flow
  Input: xen-kbdfront - do not advertise multi-touch pressure support
  ip6_tunnel: allow ip6gre dev mtu to be set below 1280
  btrfs: Fix flush bio leak
  s390/dasd: fix wrongly assigned configuration data
  afs: Fix missing error handling in afs_write_end()
  genirq: Guard handle_bad_irq log messages
  IB/mlx5: Fix mlx5_ib_alloc_mr error flow
  led: core: Fix brightness setting when setting delay_off=0
  perf/x86/intel: Plug memory leak in intel_pmu_init()
  bnx2x: Improve reliability in case of nested PCI errors
  tg3: Enable PHY reset in MTU change path for 5720
  tg3: Add workaround to restrict 5762 MRRS to 2048
  tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
  tipc: error path leak fixes in tipc_enable_bearer()
  netfilter: nf_tables: fix potential NULL-ptr deref in nf_tables_dump_obj_done()
  crypto: inside-secure - fix request allocations in invalidation path
  crypto: inside-secure - free requests even if their handling failed
  crypto: inside-secure - per request invalidation
  arm64: dts: renesas: ulcb: Remove renesas, no-ether-link property
  lib/mpi: Fix umul_ppmm() for MIPS64r6
  crypto: af_alg - Fix race around ctx->rcvused by making it atomic_t
  ARM: dts: ls1021a: fix incorrect clock references
  RDMA/vmw_pvrdma: Call ib_umem_release on destroy QP path
  i915: Reject CCS modifiers for pipe C on Geminilake
  netfilter: uapi: correct UNTRACKED conntrack state bit number
  scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error
  netfilter: nf_tables: fix chain filter in nf_tables_dump_rules()
  xen/balloon: Mark unallocated host memory as UNUSABLE
  ASoC: rsnd: fixup ADG register mask
  net/mlx5: Stay in polling mode when command EQ destroy fails
  net/mlx5: Cleanup IRQs in case of unload failure
  net/mlx5e: Fix ETS BW check
  net: stmmac: Fix bad RX timestamp extraction
  net: stmmac: Fix TX timestamp calculation
  ip6_tunnel: get the min mtu properly in ip6_tnl_xmit
  ip6_gre: remove the incorrect mtu limit for ipgre tap
  ip_gre: remove the incorrect mtu limit for ipgre tap
  vxlan: update skb dst pmtu on tx path
  net: arc_emac: fix arc_emac_rx() error paths
  net: mediatek: setup proper state for disabled GMAC on the default
  x86-64/Xen: eliminate W+X mappings
  staging: ion: Fix ion_cma_heap allocations
  cgroup: Fix deadlock in cpu hotplug path
  ASoC: nau8825: fix issue that pop noise when start capture
  spi: atmel: fixed spin_lock usage inside atmel_spi_remove
  mac80211_hwsim: Fix a possible sleep-in-atomic bug in hwsim_get_radio_nl
  x86/stacktrace: Make zombie stack traces reliable
  xfrm: Reinject transport-mode packets through tasklet
  drm/nouveau/pci: do a msi rearm on init
  net: phy: xgene: disable clk on error paths
  sget(): handle failures of register_shrinker()
  sctp: fix the issue that a __u16 variable may overflow in sctp_ulpq_renege
  x86/asm: Allow again using asm.h when building for the 'bpf' clang target
  ARM: 8731/1: Fix csum_partial_copy_from_user() stack mismatch
  parisc: Reduce thread stack to 16 kb
  ipv6: icmp6: Allow icmp messages to be looped back
  mtd: nand: brcmnand: Zero bitflip is not an error
  mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM
  net: usb: qmi_wwan: add Telit ME910 PID 0x1101 support
  net: aquantia: Fix hardware DMA stream overload on large MRRS
  net: aquantia: Fix actual speed capabilities reporting
  nvme: check hw sectors before setting chunk sectors
  nvme-fc: remove double put reference if admin connect fails
  phy: cpcap-usb: Fix platform_get_irq_byname's error checking.
  dmaengine: fsl-edma: disable clks on all error paths
  scsi: aacraid: Fix I/O drop during reset
  mm/frame_vector.c: release a semaphore in 'get_vaddr_frames()'
  exec: avoid gcc-8 warning for get_task_comm
  hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)

Conflicts:
	drivers/staging/android/ion/Kconfig
	drivers/staging/android/ion/ion_cma_heap.c

Change-Id: I58485dd9ac8092a184c42a8e125e44523221e3ea
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-03-05 09:44:16 -08:00
Jiri Pirko
ab5d9d1751 net: sched: fix use-after-free in tcf_block_put_ext
commit df45bf84e4f5a48f23d4b1a07d21d566e8b587b2 upstream.

Since the block is freed with last chain being put, once we reach the
end of iteration of list_for_each_entry_safe, the block may be
already freed. I'm hitting this only by creating and deleting clsact:

[  202.171952] ==================================================================
[  202.180182] BUG: KASAN: use-after-free in tcf_block_put_ext+0x240/0x390
[  202.187590] Read of size 8 at addr ffff880225539a80 by task tc/796
[  202.194508]
[  202.196185] CPU: 0 PID: 796 Comm: tc Not tainted 4.15.0-rc2jiri+ #5
[  202.203200] Hardware name: Mellanox Technologies Ltd. "MSN2100-CB2F"/"SA001017", BIOS 5.6.5 06/07/2016
[  202.213613] Call Trace:
[  202.216369]  dump_stack+0xda/0x169
[  202.220192]  ? dma_virt_map_sg+0x147/0x147
[  202.224790]  ? show_regs_print_info+0x54/0x54
[  202.229691]  ? tcf_chain_destroy+0x1dc/0x250
[  202.234494]  print_address_description+0x83/0x3d0
[  202.239781]  ? tcf_block_put_ext+0x240/0x390
[  202.244575]  kasan_report+0x1ba/0x460
[  202.248707]  ? tcf_block_put_ext+0x240/0x390
[  202.253518]  tcf_block_put_ext+0x240/0x390
[  202.258117]  ? tcf_chain_flush+0x290/0x290
[  202.262708]  ? qdisc_hash_del+0x82/0x1a0
[  202.267111]  ? qdisc_hash_add+0x50/0x50
[  202.271411]  ? __lock_is_held+0x5f/0x1a0
[  202.275843]  clsact_destroy+0x3d/0x80 [sch_ingress]
[  202.281323]  qdisc_destroy+0xcb/0x240
[  202.285445]  qdisc_graft+0x216/0x7b0
[  202.289497]  tc_get_qdisc+0x260/0x560

Fix this by holding the block also by chain 0 and put chain 0
explicitly, out of the list_for_each_entry_safe loop at the very
end of tcf_block_put_ext.

Fixes: efbf78973978 ("net_sched: get rid of rcu_barrier() in tcf_block_put_ext()")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-03 10:24:39 +01:00
Cong Wang
ac2be03ba6 net_sched: get rid of rcu_barrier() in tcf_block_put_ext()
commit efbf78973978b0d25af59bc26c8013a942af6e64 upstream.

Both Eric and Paolo noticed the rcu_barrier() we use in
tcf_block_put_ext() could be a performance bottleneck when
we have a lot of tc classes.

Paolo provided the following to demonstrate the issue:

tc qdisc add dev lo root htb
for I in `seq 1 1000`; do
        tc class add dev lo parent 1: classid 1:$I htb rate 100kbit
        tc qdisc add dev lo parent 1:$I handle $((I + 1)): htb
        for J in `seq 1 10`; do
                tc filter add dev lo parent $((I + 1)): u32 match ip src 1.1.1.$J
        done
done
time tc qdisc del dev lo root

real    0m54.764s
user    0m0.023s
sys     0m0.000s

The rcu_barrier() there is to ensure we free the block after all chains
are gone, that is, to queue tcf_block_put_final() at the tail of workqueue.
We can achieve this ordering requirement by refcnt'ing tcf block instead,
that is, the tcf block is freed only when the last chain in this block is
gone. This also simplifies the code.

Paolo reported after this patch we get:

real    0m0.017s
user    0m0.000s
sys     0m0.017s

Tested-by: Paolo Abeni <pabeni@redhat.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jiri Pirko <jiri@mellanox.com>
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-03 10:24:39 +01:00
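The ordering problem described in the two tcf_block_put_ext commits above (the block is freed with its last chain, so a put-everything loop walks off a freed list head), as an added user-space C model. It is not kernel code and not part of either patch. All struct and function names are hypothetical, each chain is assumed to hold exactly one reference, and kfree(block) is modelled by a flag so the stale read can be counted instead of invoking undefined behaviour.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal circular list, shaped like the kernel's struct list_head. */
struct node { struct node *next, *prev; };

struct block {
    struct node head;          /* the chain list head lives inside the block */
    bool freed;                /* stands in for kfree(block) */
    unsigned int stale_reads;  /* reads of the list head after the "free" */
};

struct chain {
    struct node list;          /* first member, so a node pointer casts to its chain */
    struct block *block;
    unsigned int refcnt;
};

struct result { bool block_freed; unsigned int stale_reads; };

/* Every ->next read in the walk goes through here so stale reads are counted. */
static struct node *list_next(struct block *b, struct node *n)
{
    if (n == &b->head && b->freed)
        b->stale_reads++;      /* the kind of access KASAN reports */
    return n->next;
}

/* Drop one reference; the last put unlinks the chain, and the block goes with its last chain. */
static void chain_put(struct chain *c)
{
    struct block *b = c->block;
    if (--c->refcnt > 0)
        return;
    c->list.prev->next = c->list.next;
    c->list.next->prev = c->list.prev;
    free(c);
    if (b->head.next == &b->head)
        b->freed = true;
}

static struct block *block_new(unsigned int nchains)
{
    struct block *b = calloc(1, sizeof(*b));
    if (!b) abort();
    b->head.next = b->head.prev = &b->head;
    for (unsigned int i = 0; i < nchains; i++) {
        struct chain *c = calloc(1, sizeof(*c));
        if (!c) abort();
        c->block = b;
        c->refcnt = 1;
        c->list.prev = b->head.prev;   /* append at the tail; first added is chain 0 */
        c->list.next = &b->head;
        b->head.prev->next = &c->list;
        b->head.prev = &c->list;
    }
    return b;
}

/* Walk like list_for_each_entry_safe(). defer_chain0 == false puts every chain inside
 * the loop; true keeps chain 0 (and so the block) alive until the walk has finished. */
static void block_put_ext(struct block *b, bool defer_chain0)
{
    struct chain *chain0 = (struct chain *)b->head.next;
    struct node *pos = list_next(b, &b->head);
    struct node *n = list_next(b, pos);
    while (pos != &b->head) {
        struct chain *c = (struct chain *)pos;
        if (!(defer_chain0 && c == chain0))
            chain_put(c);
        pos = n;
        n = list_next(b, n);   /* on the final step this reads the block's list head */
    }
    if (defer_chain0)
        chain_put(chain0);     /* last reference: the block may go away now */
}

/* A block always has chain 0, so nchains == 0 is treated as 1. */
static struct result run_model(unsigned int nchains, bool defer_chain0)
{
    struct block *b = block_new(nchains ? nchains : 1);
    block_put_ext(b, defer_chain0);
    struct result r = { b->freed, b->stale_reads };
    free(b);                   /* real release, only after the counters are copied */
    return r;
}

int main(void)
{
    struct result bad = run_model(3, false), good = run_model(3, true);
    printf("put in loop:  freed=%d stale_reads=%u\n", bad.block_freed, bad.stale_reads);
    printf("chain 0 last: freed=%d stale_reads=%u\n", good.block_freed, good.stale_reads);
    return 0;
}
```

In both modes the block ends up freed; only the put-in-loop mode touches the list head afterwards, which is why the saved next pointer of a "safe" iterator does not help when the list head itself is what disappears.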
Roman Kapl
1c8e7e61cb net: sched: crash on blocks with goto chain action
commit a60b3f515d30d0fe8537c64671926879a3548103 upstream.

tcf_block_put_ext has assumed that all filters (and thus their goto
actions) are destroyed in RCU callback and thus can not race with our
list iteration. However, that is not true during netns cleanup (see
tcf_exts_get_net comment).

Prevent the use after free by holding all chains (except 0, that one is
already held). foreach_safe is not enough in this case.

To reproduce, run the following in a netns and then delete the ns:
    ip link add dtest type dummy
    tc qdisc add dev dtest ingress
    tc filter add dev dtest chain 1 parent ffff: handle 1 prio 1 flower action goto chain 2

Fixes: 822e86d997 ("net_sched: remove tcf_block_put_deferred()")
Signed-off-by: Roman Kapl <code@rkapl.cz>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-03 10:24:38 +01:00
Roman Kapl
b6b42b3d2d net: sched: fix crash when deleting secondary chains
commit d7aa04a5e82b4f254d306926c81eae8df69e5200 upstream.

If you flush (delete) a filter chain other than chain 0 (such as when
deleting the device), the kernel may run into a use-after-free. The
chain refcount must not be decremented unless we are sure we are done
with the chain.

To reproduce the bug, run:
    ip link add dtest type dummy
    tc qdisc add dev dtest ingress
    tc filter add dev dtest chain 1  parent ffff: flower
    ip link del dtest

Introduced in: commit f93e1cdcf42c ("net/sched: fix filter flushing"),
but unless you have KASAN or luck, you won't notice it until
commit 0dadc117ac8b ("cls_flower: use tcf_exts_get_net() before call_rcu()")

Fixes: f93e1cdcf42c ("net/sched: fix filter flushing")
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Roman Kapl <code@rkapl.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-03 10:24:38 +01:00
Isaac J. Manjarres
9636a4ea18 Merge remote-tracking branch 'remotes/origin/tmp-af3b8e6' into msm-4.14
* remotes/origin/tmp-af3b8e6:
  Linux 4.14.22
  vmalloc: fix __GFP_HIGHMEM usage for vmalloc_32 on 32b systems
  mei: me: add cannon point device ids for 4th device
  mei: me: add cannon point device ids
  crypto: s5p-sss - Fix kernel Oops in AES-ECB mode
  drm/i915: fix intel_backlight_device_register declaration
  crypto: talitos - fix Kernel Oops on hashing an empty file
  hippi: Fix a Fix a possible sleep-in-atomic bug in rr_close
  powerpc/perf/imc: Fix nest-imc cpuhotplug callback failure
  PCI: rcar: Fix use-after-free in probe error path
  xen: XEN_ACPI_PROCESSOR is Dom0-only
  platform/x86: dell-laptop: Fix keyboard max lighting for Dell Latitude E6410
  x86/mm/kmmio: Fix mmiotrace for page unaligned addresses
  mm/early_ioremap: Fix boot hang with earlyprintk=efi,keep
  usb: dwc3: of-simple: fix missing clk_disable_unprepare
  usb: dwc3: gadget: Wait longer for controller to end command processing
  dmaengine: jz4740: disable/unprepare clk if probe fails
  drm/vc4: Release fence after signalling
  ASoC: rsnd: ssi: fix race condition in rsnd_ssi_pointer_update
  drm/armada: fix leak of crtc structure
  xfrm: Fix stack-out-of-bounds with misconfigured transport mode policies.
  IB/mlx4: Fix RSS hash fields restrictions
  spi: sun4i: disable clocks in the remove function
  ASoC: rockchip: disable clock on error
  staging: ccree: Uninitialized return in ssi_ahash_import()
  clk: fix a panic error caused by accessing NULL pointer
  netfilter: xt_bpf: add overflow checks
  xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)
  dmaengine: at_hdmac: fix potential NULL pointer dereference in atc_prep_dma_interleaved
  dmaengine: ioat: Fix error handling path
  scsi: bfa: fix type conversion warning
  scsi: bfa: fix access to bfad_im_port_s
  scsi: lpfc: Use after free in lpfc_rq_buf_free()
  gianfar: Disable EEE autoneg by default
  509: fix printing uninitialized stack memory when OID is empty
  net: dsa: mv88e6xxx: Unregister MDIO bus on error path
  net: dsa: mv88e6xxx: Fix interrupt masking on removal
  net: ethernet: arc: fix error handling in emac_rockchip_probe
  virtio_net: fix return value check in receive_mergeable()
  brcmfmac: Avoid build error with make W=1
  btrfs: Fix possible off-by-one in btrfs_search_path_in_tree
  Btrfs: disable FUA if mounted with nobarrier
  btrfs: Fix quota reservation leak on preallocated files
  locking/lockdep: Fix possible NULL deref
  net: qualcomm: rmnet: Fix leak on transmit failure
  KVM: VMX: fix page leak in hardware_setup()
  VSOCK: fix outdated sk_state value in hvs_release()
  net_sched: red: Avoid illegal values
  net_sched: red: Avoid devision by zero
  gianfar: fix a flooded alignment reports because of padding issue.
  nfp: fix port stats for mac representors
  ARM: dts: Fix elm interrupt compiler warning
  s390/dasd: prevent prefix I/O error
  s390/virtio: add BSD license to virtio-ccw
  PM / runtime: Fix handling of suppliers with disabled runtime PM
  powerpc/perf: Fix oops when grouping different pmu events
  m68k: add missing SOFTIRQENTRY_TEXT linker section
  ipvlan: Add the skb->mark as flow4's member to lookup route
  bnxt_en: Need to unconditionally shut down RoCE in bnxt_shutdown
  scripts/kernel-doc: Don't fail with status != 0 if error encountered with -none
  iio: fix kernel-doc build errors
  iio: proximity: sx9500: Assign interrupt from GpioIo()
  md/raid1/10: add missed blk plug
  phylink: ensure we take the link down when phylink_stop() is called
  sfp: fix RX_LOS signal handling
  sctp: only update outstanding_bytes for transmitted queue when doing prsctp_prune
  md/raid5: correct degraded calculation in raid5_error
  IB/core: Init subsys if compiled to vmlinuz-core
  RDMA/cma: Make sure that PSN is not over max allowed
  i40iw: Correct ARP index mask
  i40iw: Do not free sqbuf when event is I40IW_TIMER_TYPE_CLOSE
  i40iw: Allocate a sdbuf per CQP WQE
  KVM: arm/arm64: Fix spinlock acquisition in vgic_set_owner
  meson-gx-socinfo: Fix package id parsing
  IB/hfi1: Initialize bth1 in 16B rc ack builder
  pinctrl: sunxi: Fix A64 UART mux value
  pinctrl: sunxi: Fix A80 interrupt pin bank
  gpio: davinci: Assign first bank regs for unbanked case
  gpio: 74x164: Fix crash during .remove()
  net: mvpp2: allocate zeroed tx descriptors
  media: ov13858: Select V4L2_FWNODE
  media: s5k6aa: describe some function parameters
  trace/xdp: fix compile warning: 'struct bpf_map' declared inside parameter list
  kvm: arm: don't treat unavailable HYP mode as an error
  pinctrl: denverton: Fix UART2 RTS pin mode
  perf test: Fix test 21 for s390x
  perf bench numa: Fixup discontiguous/sparse numa nodes
  perf top: Fix window dimensions change handling
  perf: Fix header.size for namespace events
  perf test shell: Fix check open filename arg using 'perf trace' on s390x
  perf annotate: Do not truncate instruction names at 6 chars
  perf help: Fix a bug during strstart() conversion
  perf record: Fix -c/-F options for cpu event aliases
  ARM: dts: am437x-cm-t43: Correct the dmas property of spi0
  ARM: dts: am4372: Correct the interrupts_properties of McASP
  ARM: dts: logicpd-somlv: Fix wl127x pinmux
  ARM: dts: logicpd-som-lv: Fix gpmc addresses for NAND and enet
  ARM: dts: Fix omap4 hang with GPS connected to USB by using wakeupgen
  ARM: AM33xx: PRM: Remove am33xx_pwrdm_read_prev_pwrst function
  ARM: OMAP2+: Fix SRAM virt to phys translation for save_secure_ram_context
  serdev: fix receive_buf return value when no callback
  usb: build drivers/usb/common/ when USB_SUPPORT is set
  usbip: keep usbip_device sockfd state in sync with tcp_socket
  staging: iio: ad5933: switch buffer mode to software
  staging: iio: adc: ad7192: fix external frequency setting
  staging: fsl-mc: fix build testing on x86
  binder: replace "%p" with "%pK"
  binder: check for binder_thread allocation failure in binder_poll()
  staging: android: ashmem: Fix a race condition in pin ioctls
  ANDROID: binder: synchronize_rcu() when using POLLFREE.
  ANDROID: binder: remove WARN() for redundant txn error
  dn_getsockoptdecnet: move nf_{get/set}sockopt outside sock lock
  arm64: dts: add #cooling-cells to CPU nodes
  ARM: 8743/1: bL_switcher: add MODULE_LICENSE tag
  video: fbdev/mmp: add MODULE_LICENSE
  ASoC: ux500: add MODULE_LICENSE tag
  net_sched: gen_estimator: fix lockdep splat
  net: avoid skb_warn_bad_offload on IS_ERR
  rds: tcp: atomically purge entries from rds_tcp_conn_list during netns delete
  rds: tcp: correctly sequence cleanup on netns deletion.
  netfilter: xt_RATEEST: acquire xt_rateest_mutex for hash insert
  netfilter: xt_cgroup: initialize info->priv in cgroup_mt_check_v1()
  netfilter: on sockopt() acquire sock lock only in the required scope
  netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
  netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}
  netfilter: x_tables: fix int overflow in xt_alloc_table_info()
  kcov: detect double association with a single task
  KVM: x86: fix escape of guest dr6 to the host
  blk_rq_map_user_iov: fix error override
  staging: android: ion: Switch from WARN to pr_warn
  staging: android: ion: Add __GFP_NOWARN for system contig heap
  crypto: x86/twofish-3way - Fix %rbp usage
  media: pvrusb2: properly check endpoint types
  selinux: skip bounded transition processing if the policy isn't loaded
  selinux: ensure the context is NUL terminated in security_context_to_sid_core()
  ptr_ring: try vmalloc() when kmalloc() fails
  ptr_ring: fail early if queue occupies more than KMALLOC_MAX_SIZE
  ALSA: bcd2000: Add a sanity check for invalid EPs
  ALSA: caiaq: Add a sanity check for invalid EPs
  ALSA: line6: Add a sanity check for invalid EPs
  drm: Require __GFP_NOFAIL for the legacy drm_modeset_lock_all
  dnotify: Handle errors from fsnotify_add_mark_locked() in fcntl_dirnotify()
  blktrace: fix unlocked registration of tracepoints
  sctp: set frag_point in sctp_setsockopt_maxseg correctly
  xfrm: check id proto in validate_tmpl()
  xfrm: Fix stack-out-of-bounds read on socket policy lookup.
  RDMA/netlink: Fix general protection fault
  KVM/x86: Check input paging mode when cs.l is set
  mm,vmscan: Make unregister_shrinker() no-op if register_shrinker() failed.
  xfrm: skip policies marked as dead while rehashing
  xfrm: fix rcu usage in xfrm_get_type_offload
  xfrm: don't call xfrm_policy_cache_flush while holding spinlock
  esp: Fix GRO when the headers not fully in the linear part of the skb.
  mac80211_hwsim: validate number of different channels
  cfg80211: check dev_set_name() return value
  bpf: mark dst unknown on inconsistent {s, u}bounds adjustments
  kcm: Only allow TCP sockets to be attached to a KCM mux
  kcm: Check if sk_user_data already set in kcm_attach
  vhost: use mutex_lock_nested() in vhost_dev_lock_vqs()
  usb: core: Add a helper function to check the validity of EP type in URB
  ANDROID: sdcardfs: Hold i_mutex for i_size_write
  FROMGIT: crypto: speck - add test vectors for Speck64-XTS
  FROMGIT: crypto: speck - add test vectors for Speck128-XTS
  FROMGIT: crypto: arm/speck - add NEON-accelerated implementation of Speck-XTS
  FROMGIT: crypto: speck - export common helpers
  FROMGIT: crypto: speck - add support for the Speck block cipher
  f2fs: updates on v4.16-rc1

Conflicts:
	drivers/net/ethernet/qualcomm/rmnet/rmnet_handlers.c

Change-Id: I420172cd4438ce010645ceb00a71c4e3f03596d8
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
2018-02-26 10:10:30 -08:00
Nogah Frankel
8001a37b83 net_sched: red: Avoid illegal values
[ Upstream commit 8afa10cbe281b10371fee5a87ab266e48d71a7f9 ]

Check that the qmin & qmax values don't overflow for the given Wlog value.
Check that qmin <= qmax.

Fixes: a783474591f2 ("[PKT_SCHED]: Generic RED layer")
Signed-off-by: Nogah Frankel <nogahf@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-02-25 11:07:59 +01:00
Blagovest Kolenichev
ce969c4e6a Merge android-4.14.14 (9b68347) into msm-4.14
* refs/heads/tmp-9b68347
  Linux 4.14.14
  x86/retpoline: Remove compile time warning
  x86,perf: Disable intel_bts when PTI
  security/Kconfig: Correct the Documentation reference for PTI
  x86/pti: Fix !PCID and sanitize defines
  selftests/x86: Add test_vsyscall
  x86/retpoline: Fill return stack buffer on vmexit
  x86/retpoline/irq32: Convert assembler indirect jumps
  x86/retpoline/checksum32: Convert assembler indirect jumps
  x86/retpoline/xen: Convert Xen hypercall indirect jumps
  x86/retpoline/hyperv: Convert assembler indirect jumps
  x86/retpoline/ftrace: Convert ftrace assembler indirect jumps
  x86/retpoline/entry: Convert entry assembler indirect jumps
  x86/retpoline/crypto: Convert crypto assembler indirect jumps
  x86/spectre: Add boot time option to select Spectre v2 mitigation
  x86/retpoline: Add initial retpoline support
  objtool: Allow alternatives to be ignored
  objtool: Detect jumps to retpoline thunks
  x86/pti: Make unpoison of pgd for trusted boot work for real
  x86/alternatives: Fix optimize_nops() checking
  sysfs/cpu: Fix typos in vulnerability documentation
  x86/cpu/AMD: Use LFENCE_RDTSC in preference to MFENCE_RDTSC
  x86/cpu/AMD: Make LFENCE a serializing instruction
  x86/mm/pti: Remove dead logic in pti_user_pagetable_walk*()
  x86/tboot: Unbreak tboot with PTI enabled
  x86/cpu: Implement CPU vulnerabilites sysfs functions
  sysfs/cpu: Add vulnerability folder
  x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
  x86/Documentation: Add PTI description
  x86/pti: Unbreak EFI old_memmap
  e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
  apparmor: fix ptrace label match when matching stacked labels
  kdump: write correct address of mem_section into vmcoreinfo
  mux: core: fix double get_device()
  uas: ignore UAS for Norelsys NS1068(X) chips
  Bluetooth: Prevent stack info leak from the EFS element.
  staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
  usbip: vudc_tx: fix v_send_ret_submit() vulnerability to null xfer buffer
  usbip: fix vudc_rx: harden CMD_SUBMIT path to handle malicious input
  usbip: remove kernel addresses from usb device and urb debug msgs
  USB: UDC core: fix double-free in usb_add_gadget_udc_release
  USB: fix usbmon BUG trigger
  usb: misc: usb3503: make sure reset is low for at least 100us
  USB: serial: cp210x: add new device ID ELV ALC 8xxx
  USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
  bpf: arsh is not supported in 32 bit alu thus reject it
  bpf, array: fix overflow in max_entries and undefined behavior in index_mask
  bpf: prevent out-of-bounds speculation
  drm/i915: Fix init_clock_gating for resume
  drm/i915: Move init_clock_gating() back to where it was
  drm/i915: Whitelist SLICE_COMMON_ECO_CHICKEN1 on Geminilake.
  drm/i915/gvt: Clear the shadow page table entry after post-sync
  drm/vmwgfx: Potential off by one in vmw_view_add()
  drm/vmwgfx: Don't cache framebuffer maps
  KVM: PPC: Book3S HV: Always flush TLB in kvmppc_alloc_reset_hpt()
  KVM: PPC: Book3S HV: Fix use after free in case of multiple resize requests
  KVM: PPC: Book3S HV: Drop prepare_done from struct kvm_resize_hpt
  KVM: PPC: Book3S PR: Fix WIMG handling under pHyp
  KVM: x86: Add memory barrier on vmcs field lookup
  x86/microcode/intel: Extend BDW late-loading with a revision check
  iwlwifi: pcie: fix DMA memory mapping / unmapping
  rbd: set max_segments to USHRT_MAX
  rbd: reacquire lock should update lock owner client id
  mmc: renesas_sdhi: Add MODULE_LICENSE
  crypto: algapi - fix NULL dereference in crypto_remove_spawns()
  membarrier: Disable preemption when calling smp_call_function_many()
  sfp: fix sfp-bus oops when removing socket/upstream
  mlxsw: spectrum: Relax sanity checks during enslavement
  ipv6: sr: fix TLVs not being copied using setsockopt
  net/sched: Fix update of lastuse in act modules implementing stats_update
  mlxsw: spectrum_router: Fix NULL pointer deref
  ethtool: do not print warning for applications using legacy API
  ipv6: fix possible mem leaks in ipv6_make_skb()
  sh_eth: fix SH7757 GEther initialization
  net: stmmac: enable EEE in MII, GMII or RGMII only
  sh_eth: fix TSU resource handling
  sctp: fix the handling of ICMP Frag Needed for too small MTUs
  sctp: do not retransmit upon FragNeeded if PMTU discovery is disabled
  net: fec: free/restore resource in related probe error pathes
  net: fec: defer probe if regulator is not ready
  net: fec: restore dev_id in the cases of probe error
  RDS: null pointer dereference in rds_atomic_free_op
  RDS: Heap OOB write in rds_message_alloc_sgs()
  phylink: ensure we report link down when LOS asserted
  net: core: fix module type in sock_diag_bind
  ip6_tunnel: disable dst caching if tunnel is dual-stack
  8021q: fix a memory leak for VLAN 0 device
  x86/acpi: Reduce code duplication in mp_override_legacy_irq()
  ALSA: aloop: Fix racy hw constraints adjustment
  ALSA: aloop: Fix inconsistent format due to incomplete rule
  ALSA: aloop: Release cable upon open error path
  ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
  ALSA: pcm: Abort properly at pending signal in OSS read/write loops
  ALSA: pcm: Add missing error checks in OSS emulation plugin builder
  ALSA: pcm: Workaround for weird PulseAudio behavior on rewind error
  ALSA: pcm: Remove incorrect snd_BUG_ON() usages
  x86/acpi: Handle SCI interrupts above legacy space gracefully
  iw_cxgb4: when flushing, complete all wrs in a chain
  iw_cxgb4: reflect the original WR opcode in drain cqes
  iw_cxgb4: only clear the ARMED bit if a notification is needed
  iw_cxgb4: atomically flush the qp
  iw_cxgb4: only call the cq comp_handler when the cq is armed
  platform/x86: wmi: Call acpi_wmi_init() later
  kvm: vmx: Scrub hardware GPRs at VM-exit
  cgroup: fix css_task_iter crash on CSS_TASK_ITER_PROC
  MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
  MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET
  MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
  MIPS: Consistently handle buffer counter with PTRACE_SETREGSET
  MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
  MIPS: Factor out NT_PRFPREG regset access helpers
  MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task
  IB/srpt: Fix ACL lookup during login
  IB/srpt: Disable RDMA access by the initiator
  can: gs_usb: fix return value of the "set_bittiming" callback
  can: vxcan: improve handling of missing peer name attribute
  KVM: Fix stack-out-of-bounds read in write_mmio
  dm bufio: fix shrinker scans when (nr_to_scan < retain_target)
  Revert "ANDROID: fs: ext4: Add support for FIDTRIM, a best-effort ioctl for deep discard trim"
  fscrypt: updates on 4.15-rc4
  ANDROID: uid_sys_stats: fix the comment
  ANDROID: Squashfs: lz4_wrapper: Remove unused variable
  ANDROID: Squashfs: optimize reading uncompressed data
  ANDROID: Squashfs: implement .readpages()
  ANDROID: Squashfs: replace buffer_head with BIO
  ANDROID: Squashfs: refactor page_actor
  ANDROID: Squashfs: remove the FILE_CACHE option
  Revert "ANDROID: Squashfs: refactor page_actor"
  Revert "ANDROID: Squashfs: replace buffer_head with BIO"
  Revert "ANDROID: Squashfs: implement .readpages()"
  Revert "ANDROID: Squashfs: optimize reading uncompressed data"

Change-Id: Ie71e308f60efe7338e483b2851fd4459a99ce6f6
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
Signed-off-by: Runmin Wang <runminw@codeaurora.org>
2018-01-19 14:39:15 -08:00
Roi Dayan
71e7f85e10 net/sched: Fix update of lastuse in act modules implementing stats_update
[ Upstream commit 3bb23421a504f01551b7cb9dff0e41dbf16656b0 ]

We need to update lastuse to the most updated value between what
is already set and the new value.
If HW matching fails, i.e. because of an issue, the stats are not updated
but it could be that software did match and updated lastuse.

Fixes: 5712bf9c5c30 ("net/sched: act_mirred: Use passed lastuse argument")
Fixes: 9fea47d93bcc ("net/sched: act_gact: Update statistics when offloaded to hardware")
Signed-off-by: Roi Dayan <roid@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-17 09:45:22 +01:00
Runmin Wang
5682ea9f33 Merge remote-tracking branch 'remotes/origin/tmp-9189141' into msm-4.14
* remotes/origin/tmp-9189141:
  Linux 4.14.13
  KVM: s390: prevent buffer overrun on memory hotplug during migration
  KVM: s390: fix cmma migration for multiple memory slots
  mtd: nand: pxa3xx: Fix READOOB implementation
  parisc: qemu idle sleep support
  parisc: Fix alignment of pa_tlb_lock in assembly on 32-bit SMP kernel
  apparmor: fix regression in mount mediation when feature set is pinned
  x86/microcode/AMD: Add support for fam17h microcode loading
  Input: elantech - add new icbody type 15
  powerpc/mm: Fix SEGV on mapped region to return SEGV_ACCERR
  ARC: uaccess: dont use "l" gcc inline asm constraint modifier
  iommu/arm-smmu-v3: Cope with duplicated Stream IDs
  iommu/arm-smmu-v3: Don't free page table ops twice
  kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal()
  kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals
  kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL
  x86 / CPU: Always show current CPU frequency in /proc/cpuinfo
  x86 / CPU: Avoid unnecessary IPIs in arch_freq_get_on_cpu()
  fscache: Fix the default for fscache_maybe_release_page()
  sunxi-rsb: Include OF based modalias in device uevent
  drm/i915: Apply Display WA #1183 on skl, kbl, and cfl
  drm/i915: Disable DC states around GMBUS on GLK
  crypto: chelsio - select CRYPTO_GF128MUL
  crypto: pcrypt - fix freeing pcrypt instances
  crypto: chacha20poly1305 - validate the digest size
  crypto: n2 - cure use after free
  efi/capsule-loader: Reinstate virtual capsule mapping
  btrfs: fix refcount_t usage when deleting btrfs_delayed_nodes
  userfaultfd: clear the vma->vm_userfaultfd_ctx if UFFD_EVENT_FORK fails
  mm/sparse.c: wrong allocation for mem_section
  mm/mprotect: add a cond_resched() inside change_pmd_range()
  kernel/acct.c: fix the acct->needcheck check in check_free_space()
  x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
  x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
  x86/tlb: Drop the _GPL from the cpu_tlbstate export
  x86/events/intel/ds: Use the proper cache flush method for mapping ds buffers
  x86/kaslr: Fix the vaddr_end mess
  x86/mm: Map cpu_entry_area at the same place on 4/5 level
  x86/mm: Set MODULES_END to 0xffffffffff000000
  ANDROID: netfilter: xt_qtaguid: Fix 4.14 compilation
  ANDROID: Squashfs: optimize reading uncompressed data
  ANDROID: Squashfs: implement .readpages()
  ANDROID: Squashfs: replace buffer_head with BIO
  ANDROID: Squashfs: refactor page_actor
  ANDROID: usb: f_fs: Prevent gadget unbind if it is already unbound
  Linux 4.14.12
  rtc: m41t80: remove unneeded checks from m41t80_sqw_set_rate
  rtc: m41t80: avoid i2c read in m41t80_sqw_is_prepared
  rtc: m41t80: avoid i2c read in m41t80_sqw_recalc_rate
  rtc: m41t80: fix m41t80_sqw_round_rate return value
  rtc: m41t80: m41t80_sqw_set_rate should return 0 on success
  Revert "xfrm: Fix stack-out-of-bounds read in xfrm_state_find."
  x86/process: Define cpu_tss_rw in same section as declaration
  x86/pti: Switch to kernel CR3 at early in entry_SYSCALL_compat()
  x86/dumpstack: Print registers for first stack frame
  x86/dumpstack: Fix partial register dumps
  x86/pti: Make sure the user/kernel PTEs match
  x86/cpu, x86/pti: Do not enable PTI on AMD processors
  capabilities: fix buffer overread on very short xattr
  exec: Weaken dumpability for secureexec
  Linux 4.14.11
  tty: fix tty_ldisc_receive_buf() documentation
  n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
  x86/ldt: Make LDT pgtable free conditional
  x86/ldt: Plug memory leak in error path
  x86/espfix/64: Fix espfix double-fault handling on 5-level systems
  x86-32: Fix kexec with stack canary (CONFIG_CC_STACKPROTECTOR)
  x86/mm: Remove preempt_disable/enable() from __native_flush_tlb()
  x86/smpboot: Remove stale TLB flush invocations
  nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
  staging: android: ion: Fix dma direction for dma_sync_sg_for_cpu/device
  drivers: base: cacheinfo: fix cache type for non-architected system cache
  phy: tegra: fix device-tree node lookups
  binder: fix proc->files use-after-free
  timers: Reinitialize per cpu bases on hotplug
  timers: Invoke timer_start_debug() where it makes sense
  timers: Use deferrable base independent of base::nohz_active
  usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201
  USB: Fix off by one in type-specific length check of BOS SSP capability
  usb: add RESET_RESUME for ELSA MicroLink 56K
  usb: Add device quirk for Logitech HD Pro Webcam C925e
  USB: serial: option: adding support for YUGA CLM920-NC5
  USB: serial: option: add support for Telit ME910 PID 0x1101
  USB: serial: qcserial: add Sierra Wireless EM7565
  USB: serial: ftdi_sio: add id for Airbus DS P8GR
  USB: chipidea: msm: fix ulpi-node lookup
  usbip: vhci: stop printing kernel pointer addresses in messages
  usbip: stub: stop printing kernel pointer addresses in messages
  usbip: prevent leaking socket pointer address in messages
  usbip: fix usbip bind writing random string after command in match_busid
  sparc64: repair calling incorrect hweight function from stubs
  skbuff: in skb_copy_ubufs unclone before releasing zerocopy
  skbuff: skb_copy_ubufs must release uarg even without user frags
  skbuff: orphan frags before zerocopy clone
  Revert "mlx5: move affinity hints assignments to generic code"
  ipv6: set all.accept_dad to 0 by default
  ipv4: fib: Fix metrics match when deleting a route
  phylink: ensure AN is enabled
  phylink: ensure the PHY interface mode is appropriately set
  bnxt_en: Fix sources of spurious netpoll warnings
  net: sched: fix static key imbalance in case of ingress/clsact_init error
  vxlan: restore dev->mtu setting based on lower device
  net/mlx5: FPGA, return -EINVAL if size is zero
  tcp: refresh tcp_mstamp from timers callbacks
  ipv6: Honor specified parameters in fibmatch lookup
  net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well.
  tcp: fix potential underestimation on rcv_rtt
  mlxsw: spectrum: Disable MAC learning for ovs port
  tipc: fix hanging poll() for stream sockets
  sctp: make sure stream nums can match optlen in sctp_setsockopt_reset_streams
  s390/qeth: fix error handling in checksum cmd callback
  net: dsa: bcm_sf2: Clear IDDQ_GLOBAL_PWR bit for PHY
  sfc: pass valid pointers from efx_enqueue_unwind
  openvswitch: Fix pop_vlan action for double tagged frames
  net/mlx5: Fix error flow in CREATE_QP command
  net/mlx5e: Prevent possible races in VXLAN control flow
  net/mlx5e: Add refcount to VXLAN structure
  net/mlx5e: Fix features check of IPv6 traffic
  net/mlx5e: Fix possible deadlock of VXLAN lock
  net/mlx5: Fix rate limit packet pacing naming and struct
  tcp: invalidate rate samples during SACK reneging
  sock: free skb in skb_complete_tx_timestamp on error
  net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround
  net: Fix double free and memory corruption in get_net_ns_by_id()
  net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
  ipv4: Fix use-after-free when flushing FIB tables
  ip6_gre: fix device features for ioctl setup
  adding missing rcu_read_unlock in ipxip6_rcv
  sctp: Replace use of sockets_allocated with specified macro.
  net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case
  net: ipv4: fix for a race condition in raw_sendmsg
  s390/qeth: update takeover IPs after configuration change
  s390/qeth: lock IP table while applying takeover changes
  s390/qeth: don't apply takeover changes to RXIP
  s390/qeth: apply takeover changes when mode is toggled
  tcp_bbr: reset long-term bandwidth sampling on loss recovery undo
  tcp_bbr: reset full pipe detection on loss recovery undo
  tg3: Fix rx hang on MTU change with 5717/5719
  tcp md5sig: Use skb's saddr when replying to an incoming segment
  tcp_bbr: record "full bw reached" decision in new full_bw_reached bit
  RDS: Check cmsg_len before dereferencing CMSG_DATA
  ptr_ring: add barriers
  net: reevaluate autoflowlabel setting after sysctl setting
  net: qmi_wwan: add Sierra EM7565 1199:9091
  netlink: Add netns check on taps
  net: igmp: Use correct source address on IGMPv3 reports
  net: fec: unmap the xmit buffer that are not transferred by DMA
  ipv6: mcast: better catch silly mtu values
  ipv4: igmp: guard against silly MTU values
  kbuild: add '-fno-stack-check' to kernel build options
  block: don't let passthrough IO go into .make_request_fn()
  block: fix blk_rq_append_bio
  cpufreq: schedutil: Use idle_calls counter of the remote CPU
  ALSA: hda - Fix missing COEF init for ALC225/295/299
  ALSA: hda - fix headset mic detection issue on a Dell machine
  ALSA: hda - change the location for one mic on a Lenovo machine
  ALSA: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines
  ALSA: hda: Drop useless WARN_ON()
  IB/core: Verify that QP is security enabled in create and destroy
  IB/uverbs: Fix command checking as part of ib_uverbs_ex_modify_qp()
  IB/mlx5: Serialize access to the VMA list
  IB/hfi: Only read capability registers if the capability exists
  gpio: fix "gpio-line-names" property retrieval
  ASoC: tlv320aic31xx: Fix GPIO1 register definition
  ASoC: twl4030: fix child-node lookup
  ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure
  ASoC: da7218: fix child-node lookup
  ASoC: wm_adsp: Fix validation of firmware and coeff lengths
  ASoC: codecs: msm8916-wcd: Fix supported formats
  iw_cxgb4: Only validate the MSN for successful completions
  ring-buffer: Do not reuse reader page if still in use
  ring-buffer: Mask out the info bits when returning buffer page length
  x86/ldt: Make the LDT mapping RO
  x86/mm/dump_pagetables: Allow dumping current pagetables
  x86/mm/dump_pagetables: Check user space page table for WX pages
  x86/mm/dump_pagetables: Add page table directory to the debugfs VFS hierarchy
  x86/mm/pti: Add Kconfig
  x86/dumpstack: Indicate in Oops whether PTI is configured and enabled
  x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming
  x86/mm: Use INVPCID for __native_flush_tlb_single()
  x86/mm: Optimize RESTORE_CR3
  x86/mm: Use/Fix PCID to optimize user/kernel switches
  x86/mm: Abstract switching CR3
  x86/mm: Allow flushing for future ASID switches
  x86/pti: Map the vsyscall page if needed
  x86/pti: Put the LDT in its own PGD if PTI is on
  x86/mm/64: Make a full PGD-entry size hole in the memory map
  x86/events/intel/ds: Map debug buffers in cpu_entry_area
  x86/cpu_entry_area: Add debugstore entries to cpu_entry_area
  x86/mm/pti: Map ESPFIX into user space
  x86/mm/pti: Share entry text PMD
  x86/entry: Align entry text section to PMD boundary
  x86/mm/pti: Share cpu_entry_area with user space page tables
  x86/mm/pti: Force entry through trampoline when PTI active
  x86/mm/pti: Add functions to clone kernel PMDs
  x86/mm/pti: Populate user PGD
  x86/mm/pti: Allocate a separate user PGD
  x86/mm/pti: Allow NX poison to be set in p4d/pgd
  x86/mm/pti: Add mapping helper functions
  x86/pti: Add the pti= cmdline option and documentation
  x86/mm/pti: Add infrastructure for page table isolation
  x86/mm/pti: Prepare the x86/entry assembly code for entry/exit CR3 switching
  x86/mm/pti: Disable global pages if PAGE_TABLE_ISOLATION=y
  x86/cpufeatures: Add X86_BUG_CPU_INSECURE
  tracing: Fix crash when it fails to alloc ring buffer
  tracing: Fix possible double free on failure of allocating trace buffer
  tracing: Remove extra zeroing out of the ring buffer page

  Conflicts:
	drivers/staging/android/ion/ion.c
	kernel/time/timer.c

Change-Id: Ia5b16c96ab44e640e2f10ab535c4c672b670cbdc
Signed-off-by: Runmin Wang <runminw@codeaurora.org>
2018-01-11 17:52:14 -08:00
Jiri Pirko
1129573044 net: sched: fix static key imbalance in case of ingress/clsact_init error
[ Upstream commit b59e6979a86384e68b0ab6ffeab11f0034fba82d ]

Move static key increments to the beginning of the init function
so they pair 1:1 with decrements in ingress/clsact_destroy,
which is called in case ingress/clsact_init fails.

Fixes: 6529eaba33f0 ("net: sched: introduce tcf block infractructure")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-02 20:31:12 +01:00
Runmin Wang
b716d1c640 Merge remote-tracking branch 'remotes/origin/tmp-3afae84' into msm-4.14
* remotes/origin/tmp-3afae84:
  Linux 4.14.7
  dvb_frontend: don't use-after-free the frontend struct
  media: dvb-core: always call invoke_release() in fe_free()
  x86/intel_rdt: Fix potential deadlock during resctrl unmount
  RDMA/cxgb4: Annotate r2 and stag as __be32
  md: free unused memory after bitmap resize
  dm raid: fix panic when attempting to force a raid to sync
  audit: ensure that 'audit=1' actually enables audit for PID 1
  audit: Allow auditd to set pid to 0 to end auditing
  nvmet-rdma: update queue list during ib_device removal
  blk-mq: Avoid that request queue removal can trigger list corruption
  ide: ide-atapi: fix compile error with defining macro DEBUG
  ipvlan: fix ipv6 outbound device
  powerpc/powernv/idle: Round up latency and residency values
  kbuild: do not call cc-option before KBUILD_CFLAGS initialization
  KVM: arm/arm64: vgic-its: Preserve the previous read from the pending table
  fix kcm_clone()
  fcntl: don't cap l_start and l_end values for F_GETLK64 in compat syscall
  usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping
  ipmi: Stop timers before cleaning up the module
  sctp: use right member as the param of list_for_each_entry
  cls_bpf: don't decrement net's refcount when offload fails
  net: openvswitch: datapath: fix data type in queue_gso_packets
  net: accept UFO datagrams from tuntap and packet
  tun: fix rcu_read_lock imbalance in tun_build_skb
  net: ipv6: Fixup device for anycast routes during copy
  tun: free skb in early errors
  tcp: when scheduling TLP, time of RTO should account for current ACK
  tap: free skb if flags error
  net: sched: cbq: create block for q->link.block
  tcp: use current time in tcp_rcv_space_adjust()
  tipc: call tipc_rcv() only if bearer is up in tipc_udp_recv()
  tcp: use IPCB instead of TCP_SKB_CB in inet_exact_dif_match()
  s390/qeth: fix GSO throughput regression
  s390/qeth: fix thinko in IPv4 multicast address tracking
  s390/qeth: build max size GSO skbs on L2 devices
  tcp/dccp: block bh before arming time_wait timer
  stmmac: reset last TSO segment size after device open
  net: remove hlist_nulls_add_tail_rcu()
  usbnet: fix alignment for frames with no ethernet header
  tcp: remove buggy call to tcp_v6_restore_cb()
  net/packet: fix a race in packet_bind() and packet_notifier()
  packet: fix crash in fanout_demux_rollover()
  tcp: add tcp_v4_fill_cb()/tcp_v4_restore_cb()
  sit: update frag_off info
  rds: Fix NULL pointer dereference in __rds_rdma_map
  vhost: fix skb leak in handle_rx()
  tipc: fix memory leak in tipc_accept_from_sock()
  s390/qeth: fix early exit from error path
  net: realtek: r8169: implement set_link_ksettings()
  net: thunderx: Fix TCP/UDP checksum offload for IPv4 pkts
  net: thunderx: Fix TCP/UDP checksum offload for IPv6 pkts
  net: qmi_wwan: add Quectel BG96 2c7c:0296
  Linux 4.14.6
  afs: Connect up the CB.ProbeUuid
  afs: Fix total-length calculation for multiple-page send
  IB/mlx5: Assign send CQ and recv CQ of UMR QP
  IB/mlx4: Increase maximal message size under UD QP
  bnxt_re: changing the ip address shouldn't affect new connections
  f2fs: fix to clear FI_NO_PREALLOC
  xfrm: Copy policy family in clone_policy
  tls: Use kzalloc for aead_request allocation
  jump_label: Invoke jump_label_test() via early_initcall()
  atm: horizon: Fix irq release error
  kbuild: rpm-pkg: fix jobserver unavailable warning
  mailbox: mailbox-test: don't rely on rx_buffer content to signal data ready
  clk: hi3660: fix incorrect uart3 clock frequency
  clk: uniphier: fix DAPLL2 clock rate of Pro5
  clk: qcom: common: fix legacy board-clock registration
  clk: sunxi-ng: a83t: Fix i2c buses bits
  clk: stm32h7: fix test of clock config
  bpf: fix lockdep splat
  geneve: fix fill_info when link down
  fcntl: don't leak fd reference when fixup_compat_flock fails
  sctp: use the right sk after waking up from wait_buf sleep
  sctp: do not free asoc when it is already dead in sctp_sendmsg
  slub: fix sysfs duplicate filename creation when slub_debug=O
  zsmalloc: calling zs_map_object() from irq is a bug
  sparc64/mm: set fields in deferred pages
  block: wake up all tasks blocked in get_request()
  dt-bindings: usb: fix reg-property port-number range
  xfs: fix forgotten rcu read unlock when skipping inode reclaim
  nfp: fix flower offload metadata flag usage
  nfp: inherit the max_mtu from the PF netdev
  sunrpc: Fix rpc_task_begin trace point
  NFS: Fix a typo in nfs_rename()
  dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
  lib/genalloc.c: make the avail variable an atomic_long_t
  pipe: match pipe_max_size data type with procfs
  drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'
  rsi: fix memory leak on buf and usb_reg_buf
  route: update fnhe_expires for redirect when the fnhe exists
  route: also update fnhe_genid when updating a route cache
  gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
  mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
  x86/mpx/selftests: Fix up weird arrays
  apparmor: fix leak of null profile name if profile allocation fails
  powerpc/perf: Fix pmu_count to count only nest imc pmus
  coccinelle: fix parallel build with CHECK=scripts/coccicheck
  kbuild: pkg: use --transform option to prefix paths in tar
  net/smc: use sk_rcvbuf as start for rmb creation
  irqchip/qcom: Fix u32 comparison with value less than zero
  ARM: avoid faulting on qemu
  ARM: BUG if jumping to usermode address in kernel mode
  crypto: talitos - fix ctr-aes-talitos
  crypto: talitos - fix use of sg_link_tbl_len
  crypto: talitos - fix AEAD for sha224 on non sha224 capable chips
  crypto: talitos - fix setkey to check key weakness
  crypto: talitos - fix memory corruption on SEC2
  crypto: talitos - fix AEAD test failures
  IB/core: Only enforce security for InfiniBand
  IB/core: Avoid unnecessary return value check
  bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
  bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
  bus: arm-ccn: Check memory allocation failure
  bus: arm-cci: Fix use of smp_processor_id() in preemptible context
  Revert "ARM: dts: imx53: add srtc node"
  arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb
  arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm
  arm64: fpsimd: Prevent registers leaking from dead tasks
  KVM: arm/arm64: vgic-its: Check result of allocation before use
  KVM: arm/arm64: vgic: Preserve the previous read from the pending table
  KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation
  KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
  KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
  arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
  arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
  media: rc: partial revert of "media: rc: per-protocol repeat period"
  media: rc: sir_ir: detect presence of port
  media: dvb: i2c transfers over usb cannot be done from stack
  drm/i915: Fix vblank timestamp/frame counter jumps on gen2
  drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
  drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
  md/r5cache: move mddev_lock() out of r5c_journal_mode_set()
  kdb: Fix handling of kallsyms_symbol_next() return value
  brcmfmac: change driver unbind order of the sdio function devices
  iwlwifi: mvm: enable RX offloading with TKIP and WEP
  iwlwifi: mvm: fix packet injection
  iwlwifi: add new cards for 9260 and 22000 series
  iwlwifi: mvm: flush queue before deleting ROC
  iwlwifi: mvm: don't use transmit queue hang detection when it is not possible
  iwlwifi: mvm: mark MIC stripped MPDUs
  powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
  Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier"
  KVM: s390: Fix skey emulation permission check
  s390: fix compat system call table
  s390/mm: fix off-by-one bug in 5-level page table handling
  s390: always save and restore all registers on context switch
  smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
  iommu/vt-d: Fix scatterlist offset handling
  ALSA: usb-audio: Add check return value for usb_string()
  ALSA: usb-audio: Fix out-of-bound error
  ALSA: seq: Remove spurious WARN_ON() at timer check
  ALSA: pcm: prevent UAF in snd_pcm_info
  ALSA: hda/realtek - New codec support for ALC257
  btrfs: handle errors while updating refcounts in update_ref_for_cow
  btrfs: fix missing error return in btrfs_drop_snapshot
  KVM: x86: fix APIC page invalidation
  x86/PCI: Make broadcom_postcore_init() check acpi_disabled
  x86/idt: Load idt early in start_secondary
  X.509: fix comparisons of ->pkey_algo
  X.509: reject invalid BIT STRING for subjectPublicKey
  KEYS: reject NULL restriction string when type is specified
  KEYS: add missing permission check for request_key() destination
  ASN.1: check for error from ASN1_OP_END__ACT actions
  ASN.1: fix out-of-bounds read when parsing indefinite length item
  efi/esrt: Use memunmap() instead of kfree() to free the remapping
  efi: Move some sysfs files to be read-only by root
  scsi: libsas: align sata_device's rps_resp on a cacheline
  scsi: use dma_get_cache_alignment() as minimum DMA alignment
  scsi: dma-mapping: always provide dma_get_cache_alignment
  isa: Prevent NULL dereference in isa_bus driver callbacks
  firmware: vpd: Fix platform driver and device registration/unregistration
  firmware: vpd: Tie firmware kobject to device lifetime
  firmware: vpd: Destroy vpd sections in remove function
  firmware: cleanup FIRMWARE_IN_KERNEL message
  hv: kvp: Avoid reading past allocated blocks from KVP file
  Drivers: hv: vmbus: Fix a rescind issue
  pinctrl: armada-37xx: Fix direction_output() callback behavior
  iio: adc: meson-saradc: Meson8 and Meson8b do not have REG11 and REG13
  iio: adc: meson-saradc: initialize the bandgap correctly on older SoCs
  iio: adc: meson-saradc: fix the bit_idx of the adc_en clock
  iio: adc: cpcap: fix incorrect validation
  iio: health: max30102: Temperature should be in milli Celsius
  iio: stm32: fix adc/trigger link error
  virtio: release virtio index when fail to device_register
  can: peak/pcie_fd: fix potential bug in restarting tx queue
  can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  can: ems_usb: cancel urb on -EPIPE and -EPROTO
  can: mcba_usb: cancel urb on -EPROTO
  can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  can: kvaser_usb: ratelimit errors if incomplete messages are received
  can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
  can: kvaser_usb: free buf in error paths
  can: ti_hecc: Fix napi poll return value for repoll
  can: flexcan: fix VF610 state transition issue
  can: peak/pci: fix potential bug when probe() fails
  can: mcba_usb: fix device disconnect bug
  usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
  serdev: ttyport: fix tty locking in close
  serdev: ttyport: fix NULL-deref on hangup
  serdev: ttyport: add missing receive_buf sanity checks
  usb: gadget: core: Fix ->udc_set_speed() speed handling
  usb: gadget: udc: renesas_usb3: fix number of the pipes

Change-Id: I47977dc6948f8e5edbcd21770a63242e86adcb3b
Signed-off-by: Runmin Wang <runminw@codeaurora.org>
2017-12-19 11:13:17 -08:00