mirror of
https://github.com/rd-stuffs/msm-4.14.git
synced 2025-02-20 11:45:48 +08:00
4272 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
4f546b14ce |
This is the 4.14.172 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5ZM8sACgkQONu9yGCS
aT61sQ//VYIHq9fdzKuD9px1gOoXdbHliFq+Xl5TtS6LMj+NaGParvLC7WKh1ANL
2PypjozzW82XMW6xGr2QB9fiy9fiEUB6v0TM+kV58Yh3S6OMTftqMng2QjvTpvnI
GvQ4QrgnsVXr1S9no1+UI9gM+44S/0V5Fg0RYK0dwpQOYZJ3alIvKAgk+7Kc8upq
N6CUPojTd0XQm/Y6Xuer40KUL4FW48tVbWGXoptFR+R76VKCfcJz+iF0cKDdtjsQ
GhpV9OkQxQFNdBgcr+GfybqEsSNWGgWKboI/ax/Rfm88H1+E6gBrJbST6JHQ3Sm8
7k8rFpQiwr49WhKubpJCkydCIsEa1qUX0hrBsFZnr4i/r5i+QrcixIfairtBrzcp
lNe0jYYCTP1K9uXtQy45+46/rKx4sij/9VU7UmizSD+HqzfiJ1Zo75PqJsI7i5pl
6E0ftDXfZ/pFIlHS9Jfdj+IazsqKEGd0GQkoXE5O49Op+AhlU8znVYhpNnnW18y/
c0rdRr2nydFdANEhnT1vpvixMdjNVl/Nbj09f8x2ngWchc1HPggMMdpg5F16SdG9
NFBmIYmWBm5eP82p7nxwyFL3xoG8jtQ0B8e4wWFWbSobBYIMYZCB6640Gzp4MC1c
41zLKwCVFVn60TVqqGqF8fFumMElE9FBjLMAKp4v8mpfl/o23NY=
=BFpw
-----END PGP SIGNATURE-----
Merge 4.14.172 into android-4.14
Changes in 4.14.172
KVM: x86: emulate RDPID
iommu/qcom: Fix bogus detach logic
ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs
ASoC: sun8i-codec: Fix setting DAI data format
ecryptfs: fix a memory leak bug in parse_tag_1_packet()
ecryptfs: fix a memory leak bug in ecryptfs_init_messaging()
Input: synaptics - switch T470s to RMI4 by default
Input: synaptics - enable SMBus on ThinkPad L470
Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list
ALSA: usb-audio: Apply sample rate quirk for Audioengine D1
arm64: cpufeature: Set the FP/SIMD compat HWCAP bits properly
arm64: ptrace: nofpsimd: Fail FP/SIMD regset operations
arm64: nofpsimd: Handle TIF_FOREIGN_FPSTATE flag cleanly
ARM: 8723/2: always assume the "unified" syntax for assembly code
ext4: don't assume that mmp_nodename/bdevname have NUL
ext4: fix support for inode sizes > 1024 bytes
ext4: fix checksum errors with indexed dirs
ext4: improve explanation of a mount failure caused by a misconfigured kernel
Btrfs: fix race between using extent maps and merging them
btrfs: print message when tree-log replay starts
btrfs: log message when rw remount is attempted with unclean tree-log
arm64: ssbs: Fix context-switch when SSBS is present on all CPUs
KVM: nVMX: Use correct root level for nested EPT shadow page tables
perf/x86/amd: Add missing L2 misses event spec to AMD Family 17h's event map
padata: Remove broken queue flushing
serial: imx: ensure that RX irqs are off if RX is off
serial: imx: Only handle irqs that are actually enabled
IB/hfi1: Close window for pq and request coliding
RDMA/core: Fix protection fault in get_pkey_idx_qp_list
s390/time: Fix clk type in get_tod_clock
perf/x86/intel: Fix inaccurate period in context switch for auto-reload
hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions.
jbd2: move the clearing of b_modified flag to the journal_unmap_buffer()
jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer
scsi: qla2xxx: fix a potential NULL pointer dereference
Revert "KVM: nVMX: Use correct root level for nested EPT shadow page tables"
Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs"
KVM: nVMX: Use correct root level for nested EPT shadow page tables
drm/gma500: Fixup fbdev stolen size usage evaluation
cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order
brcmfmac: Fix use after free in brcmf_sdio_readframes()
leds: pca963x: Fix open-drain initialization
ext4: fix ext4_dax_read/write inode locking sequence for IOCB_NOWAIT
ALSA: ctl: allow TLV read operation for callback type of element in locked case
gianfar: Fix TX timestamping with a stacked DSA driver
pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs
pxa168fb: Fix the function used to release some memory in an error handling path
media: i2c: mt9v032: fix enum mbus codes and frame sizes
powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number
gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in grgpio_irq_map/unmap()
char/random: silence a lockdep splat with printk()
media: sti: bdisp: fix a possible sleep-in-atomic-context bug in bdisp_device_run()
pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins
efi/x86: Map the entire EFI vendor string before copying it
MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init()
sparc: Add .exit.data section.
uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol()
usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe()
usb: dwc2: Fix IN FIFO allocation
clocksource/drivers/bcm2835_timer: Fix memory leak of timer
kselftest: Minimise dependency of get_size on C library interfaces
jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal
x86/sysfb: Fix check for bad VRAM size
tracing: Fix tracing_stat return values in error handling paths
tracing: Fix very unlikely race of registering two stat tracers
ext4, jbd2: ensure panic when aborting with zero errno
nbd: add a flush_workqueue in nbd_start_device
KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups
kconfig: fix broken dependency in randconfig-generated .config
clk: qcom: rcg2: Don't crash if our parent can't be found; return an error
drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table
regulator: rk808: Lower log level on optional GPIOs being not available
net/wan/fsl_ucc_hdlc: reject muram offsets above 64K
PCI/IOV: Fix memory leak in pci_iov_add_virtfn()
NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu().
arm64: dts: qcom: msm8996: Disable USB2 PHY suspend by core
ARM: dts: imx6: rdu2: Disable WP for USDHC2 and USDHC3
media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros
reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling
fore200e: Fix incorrect checks of NULL pointer dereference
ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status
b43legacy: Fix -Wcast-function-type
ipw2x00: Fix -Wcast-function-type
iwlegacy: Fix -Wcast-function-type
rtlwifi: rtl_pci: Fix -Wcast-function-type
orinoco: avoid assertion in case of NULL pointer
ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1
scsi: ufs: Complete pending requests in host reset and restore path
scsi: aic7xxx: Adjust indentation in ahc_find_syncrate
drm/mediatek: handle events when enabling/disabling crtc
ARM: dts: r8a7779: Add device node for ARM global timer
dmaengine: Store module owner in dma_device struct
x86/vdso: Provide missing include file
PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC dependency
pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs
RDMA/rxe: Fix error type of mmap_offset
clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock
ALSA: sh: Fix unused variable warnings
ALSA: sh: Fix compile warning wrt const
tools lib api fs: Fix gcc9 stringop-truncation compilation error
drm: remove the newline for CRC source name.
usbip: Fix unsafe unaligned pointer usage
udf: Fix free space reporting for metadata and virtual partitions
IB/hfi1: Add software counter for ctxt0 seq drop
soc/tegra: fuse: Correct straps' address for older Tegra124 device trees
efi/x86: Don't panic or BUG() on non-critical error conditions
rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls
Input: edt-ft5x06 - work around first register access error
wan: ixp4xx_hss: fix compile-testing on 64-bit
ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m
tty: synclinkmp: Adjust indentation in several functions
tty: synclink_gt: Adjust indentation in several functions
driver core: platform: Prevent resouce overflow from causing infinite loops
driver core: Print device when resources present in really_probe()
vme: bridges: reduce stack usage
drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new()
drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw
drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler
drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add
usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue
iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE
f2fs: free sysfs kobject
scsi: iscsi: Don't destroy session if there are outstanding connections
arm64: fix alternatives with LLVM's integrated assembler
watchdog/softlockup: Enforce that timestamp is valid on boot
f2fs: fix memleak of kobject
x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd
pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional
cmd64x: potential buffer overflow in cmd64x_program_timings()
ide: serverworks: potential overflow in svwks_set_pio_mode()
pwm: Remove set but not set variable 'pwm'
btrfs: fix possible NULL-pointer dereference in integrity checks
btrfs: safely advance counter when looking up bio csums
btrfs: device stats, log when stats are zeroed
remoteproc: Initialize rproc_class before use
irqchip/mbigen: Set driver .suppress_bind_attrs to avoid remove problems
ALSA: hda/hdmi - add retry logic to parse_intel_hdmi()
x86/decoder: Add TEST opcode to Group3-2
s390/ftrace: generate traced function stack frame
driver core: platform: fix u32 greater or equal to zero comparison
ALSA: hda - Add docking station support for Lenovo Thinkpad T420s
powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV
jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record
jbd2: make sure ESHUTDOWN to be recorded in the journal superblock
ARM: 8951/1: Fix Kexec compilation issue.
hostap: Adjust indentation in prism2_hostapd_add_sta
iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop
cifs: fix NULL dereference in match_prepath
ceph: check availability of mds cluster on mount after wait timeout
irqchip/gic-v3: Only provision redistributors that are enabled in ACPI
drm/nouveau/disp/nv50-: prevent oops when no channel method map provided
ftrace: fpid_next() should increase position index
trigger_next should increase position index
radeon: insert 10ms sleep in dce5_crtc_load_lut
ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans()
lib/scatterlist.c: adjust indentation in __sg_alloc_table
reiserfs: prevent NULL pointer dereference in reiserfs_insert_item()
bcache: explicity type cast in bset_bkey_last()
irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building INVALL
iwlwifi: mvm: Fix thermal zone registration
microblaze: Prevent the overflow of the start
brd: check and limit max_part par
help_next should increase position index
virtio_balloon: prevent pfn array overflow
mlxsw: spectrum_dpipe: Add missing error path
selinux: ensure we cleanup the internal AVC counters on error in avc_update()
enic: prevent waking up stopped tx queues over watchdog reset
net: dsa: tag_qca: Make sure there is headroom for tag
net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS
net/sched: flower: add missing validation of TCA_FLOWER_FLAGS
net/smc: fix leak of kernel memory to user space
thunderbolt: Prevent crash if non-active NVMem file is read
USB: misc: iowarrior: add support for 2 OEMed devices
USB: misc: iowarrior: add support for the 28 and 28L devices
USB: misc: iowarrior: add support for the 100 device
floppy: check FDC index for errors before assigning it
vt: selection, handle pending signals in paste_selection
staging: android: ashmem: Disallow ashmem memory from being remapped
staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi.
xhci: Force Maximum Packet size for Full-speed bulk devices to valid range.
xhci: fix runtime pm enabling for quirky Intel hosts
usb: host: xhci: update event ring dequeue pointer on purpose
usb: uas: fix a plug & unplug racing
USB: Fix novation SourceControl XL after suspend
USB: hub: Don't record a connect-change event during reset-resume
USB: hub: Fix the broken detection of USB3 device in SMSC hub
staging: rtl8188eu: Fix potential security hole
staging: rtl8188eu: Fix potential overuse of kernel memory
staging: rtl8723bs: Fix potential security hole
staging: rtl8723bs: Fix potential overuse of kernel memory
x86/mce/amd: Publish the bank pointer only after setup has succeeded
x86/mce/amd: Fix kobject lifetime
tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode
tty: serial: imx: setup the correct sg entry for tx dma
serdev: ttyport: restore client ops on deregistration
MAINTAINERS: Update drm/i915 bug filing URL
Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
mm/vmscan.c: don't round up scan size for online memory cgroup
drm/amdgpu/soc15: fix xclk for raven
KVM: x86: don't notify userspace IOAPIC on edge-triggered interrupt EOI
xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms
VT_RESIZEX: get rid of field-by-field copyin
vt: vt_ioctl: fix race in VT_RESIZEX
serial: 8250: Check UPF_IRQ_SHARED in advance
lib/stackdepot.c: fix global out-of-bounds in stack_slabs
KVM: nVMX: Don't emulate instructions in guest mode
ext4: fix a data race in EXT4_I(inode)->i_disksize
ext4: add cond_resched() to __ext4_find_entry()
ext4: fix mount failure with quota configured as module
ext4: rename s_journal_flag_rwsem to s_writepages_rwsem
ext4: fix race between writepages and enabling EXT4_EXTENTS_FL
KVM: nVMX: Refactor IO bitmap checks into helper function
KVM: nVMX: Check IO instruction VM-exit conditions
KVM: nVMX: handle nested posted interrupts when apicv is disabled for L1
KVM: apic: avoid calculating pending eoi from an uninitialized val
btrfs: fix bytes_may_use underflow in prealloc error condtition
btrfs: do not check delayed items are empty for single transaction cleanup
Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents
scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout"
scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session"
usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus
staging: rtl8723bs: fix copy of overlapping memory
staging: greybus: use after free in gb_audio_manager_remove_all()
ecryptfs: replace BUG_ON with error handling code
iommu/vt-d: Fix compile warning from intel-svm.h
genirq/proc: Reject invalid affinity masks (again)
ALSA: rawmidi: Avoid bit fields for state flags
ALSA: seq: Avoid concurrent access to queue flags
ALSA: seq: Fix concurrent access to queue current tick/time
netfilter: xt_hashlimit: limit the max size of hashtable
ata: ahci: Add shutdown to freeze hardware resources of ahci
xen: Enable interrupts when calling _cond_resched()
s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range
Linux 4.14.172
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ia229dbad24bf3cb8a718d73fc9eb86a053985985
|
||
Cong Wang
|
a86265edeb |
netfilter: xt_hashlimit: limit the max size of hashtable
commit 8d0015a7ab76b8b1e89a3e5f5710a6e5103f2dd5 upstream. The user-specified hashtable size is unbound, this could easily lead to an OOM or a hung task as we hold the global mutex while allocating and initializing the new hashtable. Add a max value to cap both cfg->size and cfg->max, as suggested by Florian. Reported-and-tested-by: syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
239034f0e0 |
This is the 4.14.169 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4xkIAACgkQONu9yGCS aT4b4g//TLn7i1F3ZYXM3cVn1FoPwvM0JiPwVD/SbPxKTr10xAlwhs18l7QGsg+0 z3uK2kw7kzsg9JWV0ervGc87Laf18wqCzhi9HyiNHgYMsYNq0GTEgvSUlTKkWg8R wot+KToHAJfYhXR/8fTIBAJ1sw3o9iNwg2PhlbOVHqmPsZ/7Nf+BS+3TkhaVvXyo d8MxHrn8SlkXj0b5m4/Y+lnijVU3+J/GjAvbc/Xrp46CPyicMr4y5c7FDCyDMjlg f2lQfLzDkn+NO1YwfQy8152lLWfOhH04W3l/iIWCOu1P3GvFxt5okIlDXCQQzomF iLfb85DHT/9zuEIDLfiXYrvl6EsBZSUqiVLpB/gj8ZHoueJ5VqmeD/+zMxN8Vc+E 2D1ohbKvT43XuK44YfqrfjSRbQQPTUVLJdr5rpRlGZEdNDx2QGKVBUTjbzUBg+Ic onk4gpcrx4G2DbXKVG0lyElNrxDdIuBHvl2cii4ivy4zOnFqh3VtnGKqwHa3IEtv pXWtXSPJS6Pfg9wV6FN2aD17RQQ58RPJqm/2AuCq4E2fLhInylCevh3AbCrHj7E6 uwOw+EWSuuCcw+VtfXTyDHrGTO5ptE/iYJQTqX86rfIQmLUaQJUwVtcsHyjRCSMa +CjQ3o33dzQtBa0Kd7Cydp/U6fORQAgulwgbhiNmxhego6OnyiA= =uodM -----END PGP SIGNATURE----- Merge 4.14.169 into android-4.14 Changes in 4.14.169 can, slip: Protect tty->disc_data in write_wakeup and close with RCU firestream: fix memory leaks gtp: make sure only SOCK_DGRAM UDP sockets are accepted ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM net, ip6_tunnel: fix namespaces move net, ip_tunnel: fix namespaces move net_sched: fix datalen for ematch net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject net-sysfs: fix netdev_queue_add_kobject() breakage net-sysfs: Call dev_hold always in netdev_queue_add_kobject net-sysfs: Call dev_hold always in rx_queue_add_kobject net-sysfs: Fix reference count leak net: usb: lan78xx: Add .ndo_features_check tcp_bbr: improve arithmetic division in bbr_update_bw() net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() hwmon: (adt7475) Make volt2reg return same reg as reg2volt input hwmon: Deal with errors from the thermal subsystem hwmon: (core) Fix double-free in __hwmon_device_register() hwmon: (core) Do not use device managed functions for memory allocations Input: keyspan-remote - fix control-message timeouts Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers" ARM: 8950/1: ftrace/recordmcount: filter relocation types mmc: tegra: fix SDR50 tuning override mmc: sdhci: fix minimum clock rate for v3 controller Documentation: Document arm64 kpti control Input: pm8xxx-vib - fix handling of separate enable register Input: sur40 - fix interface sanity checks Input: gtco - fix endpoint sanity check Input: aiptek - fix endpoint sanity check Input: pegasus_notetaker - fix endpoint sanity check Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register hwmon: (nct7802) Fix voltage limits to wrong registers scsi: RDMA/isert: Fix a recently introduced regression related to logout tracing: xen: Ordered comparison of function pointers do_last(): fetch directory ->i_mode and ->i_uid before it's too late sd: Fix REQ_OP_ZONE_REPORT completion handling coresight: etb10: Do not call smp_processor_id from preemptible coresight: tmc-etf: Do not call smp_processor_id from preemptible libertas: Fix two buffer overflows at parsing bss descriptor media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func md: Avoid namespace collision with bitmap API bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() netfilter: ipset: use bitmap infrastructure completely net/x25: fix nonblocking connect Linux 4.14.169 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Idfe88b4d68180df412c1dbadd8402cb0353f0ecf |
||
Kadlecsik József
|
f3439dd7ee |
netfilter: ipset: use bitmap infrastructure completely
commit 32c72165dbd0e246e69d16a3ad348a4851afd415 upstream. The bitmap allocation did not use full unsigned long sizes when calculating the required size and that was triggered by KASAN as slab-out-of-bounds read in several places. The patch fixes all of them. Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
509b38045c |
This is the 4.14.168 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4u6kwACgkQONu9yGCS
aT7ZVhAA0fWQvb1m4oDyWlRLY4yPYVqpvjre7S/MF5VoDV85SsSqQkCVP4dybmRd
SgNK9OkFuhY8QkPf8YSb6aU2tPQpIlMN3FYkpieN43OIrzU/OMOPiH50TygioPBT
oT9ihbXXmxv1oce1PDBF+tmJCjLq4Ppcxd5H5iHruwcRdP3ZGi+VXnyIcMcwK1ap
4zgDCGuI4fhkVWQPfP5Eh+57j65qvH6TjOAB94GvSMSOerW9gw9k7Vfw/tzGiktf
7Zw9GXMM1ky0MvpIhsAJScWXDgftOn599hWfKO+bdD0hnszl5fY0Ha21Y80f5HSg
S2Sl3EArr2psAxmKg9XqKJ9MugZG5odyRXS9ukIGmgNws7adDZY73Z6PLDUHsXZH
KsDwmgrGqSOkaGZyYuBTVeK5K/n7jVrZ4uPSZx/UnO1f68EOfVCJvoMzVzPZU2SS
+H7FfH0RSaSt2Mdc9LzzZO2QJ5DMA4fA0GZtNq5YU1rGyHo3Nq3aPQf9E5OJpYk6
mpXnoe8dndgmduwxdJ8wJaVJ2/nIwEZy0Hw4n5igkOKo+pTV//CQFwD87oBK16mE
+953pg7z71IEPfJYs0wlKsBj3R4JXy5zBcaNpJkWe+vWMrw0ixi6qGmf2NbmaRPP
7qlEh6r/SDnszuDn9QH90C4EqJOaaDrgI+E2dSFA2mJKhO5qcII=
=KNGQ
-----END PGP SIGNATURE-----
Merge 4.14.168 into android-4.14
Changes in 4.14.168
xfs: Sanity check flags of Q_XQUOTARM call
mfd: intel-lpss: Add default I2C device properties for Gemini Lake
powerpc/archrandom: fix arch_get_random_seed_int()
tipc: fix wrong timeout input for tipc_wait_for_cond()
mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
crypto: sun4i-ss - fix big endian issues
drm/sti: do not remove the drm_bridge that was never added
drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
ALSA: hda: fix unused variable warning
apparmor: don't try to replace stale label in ptrace access check
PCI: iproc: Remove PAXC slot check to allow VF support
drm/hisilicon: hibmc: Don't overwrite fb helper surface depth
IB/rxe: replace kvfree with vfree
IB/hfi1: Add mtu check for operational data VLs
ALSA: usb-audio: update quirk for B&W PX to remove microphone
staging: comedi: ni_mio_common: protect register write overflow
pwm: lpss: Release runtime-pm reference from the driver's remove callback
drm/sun4i: hdmi: Fix double flag assignation
mlxsw: reg: QEEC: Add minimum shaper fields
NTB: ntb_hw_idt: replace IS_ERR_OR_NULL with regular NULL checks
pcrypt: use format specifier in kobject_add
exportfs: fix 'passing zero to ERR_PTR()' warning
drm/dp_mst: Skip validating ports during destruction, just ref
net: phy: Fix not to call phy_resume() if PHY is not attached
IB/rxe: Fix incorrect cache cleanup in error flow
staging: bcm2835-camera: Abort probe if there is no camera
switchtec: Remove immediate status check after submitting MRPC command
pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group
pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group
pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group
pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group
pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group
pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field
pinctrl: sh-pfc: sh7734: Add missing IPSR11 field
pinctrl: sh-pfc: r8a77995: Remove bogus SEL_PWM[0-3]_3 configurations
pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field
pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value
vxlan: changelink: Fix handling of default remotes
Input: nomadik-ske-keypad - fix a loop timeout test
clk: highbank: fix refcount leak in hb_clk_init()
clk: qoriq: fix refcount leak in clockgen_init()
clk: socfpga: fix refcount leak
clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
clk: imx6q: fix refcount leak in imx6q_clocks_init()
clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
clk: imx7d: fix refcount leak in imx7d_clocks_init()
clk: vf610: fix refcount leak in vf610_clocks_init()
clk: armada-370: fix refcount leak in a370_clk_init()
clk: kirkwood: fix refcount leak in kirkwood_clk_init()
clk: armada-xp: fix refcount leak in axp_clk_init()
clk: mv98dx3236: fix refcount leak in mv98dx3236_clk_init()
clk: dove: fix refcount leak in dove_clk_init()
MIPS: BCM63XX: drop unused and broken DSP platform device
IB/usnic: Fix out of bounds index check in query pkey
RDMA/ocrdma: Fix out of bounds index check in query pkey
RDMA/qedr: Fix out of bounds index check in query pkey
drm/shmob: Fix return value check in shmob_drm_probe
arm64: dts: apq8016-sbc: Increase load on l11 for SDCARD
spi: cadence: Correct initialisation of runtime PM
RDMA/iw_cxgb4: Fix the unchecked ep dereference
drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump()
media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
kbuild: mark prepare0 as PHONY to fix external module build
crypto: brcm - Fix some set-but-not-used warning
crypto: tgr192 - fix unaligned memory access
ASoC: imx-sgtl5000: put of nodes if finding codec fails
IB/iser: Pass the correct number of entries for dma mapped SGL
rtc: cmos: ignore bogus century byte
spi/topcliff_pch: Fix potential NULL dereference on allocation error
clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it
iwlwifi: mvm: avoid possible access out of array.
net/mlx5: Take lock with IRQs disabled to avoid deadlock
iwlwifi: mvm: fix A-MPDU reference assignment
tty: ipwireless: Fix potential NULL pointer dereference
driver: uio: fix possible memory leak in __uio_register_device
driver: uio: fix possible use-after-free in __uio_register_device
crypto: crypto4xx - Fix wrong ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments
driver core: Do not resume suppliers under device_links_write_lock()
ARM: dts: lpc32xx: add required clocks property to keypad device node
ARM: dts: lpc32xx: reparent keypad controller to SIC1
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller clocks property
ARM: dts: lpc32xx: phy3250: fix SD card regulator voltage
iwlwifi: mvm: fix RSS config command
staging: most: cdev: add missing check for cdev_add failure
rtc: ds1672: fix unintended sign extension
thermal: mediatek: fix register index error
net: phy: fixed_phy: Fix fixed_phy not checking GPIO
rtc: ds1307: rx8130: Fix alarm handling
rtc: 88pm860x: fix unintended sign extension
rtc: 88pm80x: fix unintended sign extension
rtc: pm8xxx: fix unintended sign extension
fbdev: chipsfb: remove set but not used variable 'size'
iw_cxgb4: use tos when importing the endpoint
iw_cxgb4: use tos when finding ipv6 routes
drm/etnaviv: potential NULL dereference
pinctrl: sh-pfc: emev2: Add missing pinmux functions
pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
pinctrl: sh-pfc: r8a7792: Fix vin1_data18_b pin group
pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
PCI: endpoint: functions: Use memcpy_fromio()/memcpy_toio()
usb: phy: twl6030-usb: fix possible use-after-free on remove
block: don't use bio->bi_vcnt to figure out segment number
keys: Timestamp new keys
vfio_pci: Enable memory accesses before calling pci_map_rom
hwmon: (pmbus/tps53679) Fix driver info initialization in probe routine
KVM: PPC: Release all hardware TCE tables attached to a group
staging: r8822be: check kzalloc return or bail
dmaengine: mv_xor: Use correct device for DMA API
cdc-wdm: pass return value of recover_from_urb_loss
regulator: pv88060: Fix array out-of-bounds access
regulator: pv88080: Fix array out-of-bounds access
regulator: pv88090: Fix array out-of-bounds access
net: dsa: qca8k: Enable delay for RGMII_ID mode
drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON
drm/nouveau/pmu: don't print reply values if exec is false
ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of()
fs/nfs: Fix nfs_parse_devname to not modify it's argument
staging: rtlwifi: Use proper enum for return in halmac_parse_psd_data_88xx
powerpc/64s: Fix logic when handling unknown CPU features
NFS: Fix a soft lockup in the delegation recovery code
clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable
clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
platform/x86: wmi: fix potential null pointer dereference
NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount
mmc: sdhci-brcmstb: handle mmc_of_parse() errors during probe
ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used
ARM: 8848/1: virt: Align GIC version check with arm64 counterpart
regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
NFSv4/flexfiles: Fix invalid deref in FF_LAYOUT_DEVID_NODE()
net: aquantia: fixed instack structure overflow
powerpc/mm: Check secondary hash page table
nios2: ksyms: Add missing symbol exports
x86/mm: Remove unused variable 'cpu'
scsi: megaraid_sas: reduce module load time
drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
xen, cpu_hotplug: Prevent an out of bounds access
net: sh_eth: fix a missing check of of_get_phy_mode
regulator: lp87565: Fix missing register for LP87565_BUCK_0
media: ivtv: update *pos correctly in ivtv_read_pos()
media: cx18: update *pos correctly in cx18_read_pos()
media: wl128x: Fix an error code in fm_download_firmware()
media: cx23885: check allocation return
regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB
jfs: fix bogus variable self-initialization
tipc: tipc clang warning
m68k: mac: Fix VIA timer counter accesses
arm64: dts: allwinner: a64: Add missing PIO clocks
ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset()
media: davinci-isif: avoid uninitialized variable use
media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
spi: tegra114: clear packed bit for unpacked mode
spi: tegra114: fix for unpacked mode transfers
spi: tegra114: terminate dma and reset on transfer timeout
spi: tegra114: flush fifos
spi: tegra114: configure dma burst size to fifo trig level
soc/fsl/qe: Fix an error code in qe_pin_request()
spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios
ehea: Fix a copy-paste err in ehea_init_port_res
scsi: qla2xxx: Unregister chrdev if module initialization fails
scsi: target/core: Fix a race condition in the LUN lookup code
ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data"
net: hns3: fix for vport->bw_limit overflow problem
hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses
platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer
tipc: set sysctl_tipc_rmem and named_timeout right range
selftests/ipc: Fix msgque compiler warnings
powerpc: vdso: Make vdso32 installation conditional in vdso_install
ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect
media: ov2659: fix unbalanced mutex_lock/unlock
6lowpan: Off by one handling ->nexthdr
dmaengine: axi-dmac: Don't check the number of frames for alignment
ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk()
NFS: Don't interrupt file writeout due to fatal errors
irqchip/gic-v3-its: fix some definitions of inner cacheability attributes
scsi: qla2xxx: Fix a format specifier
scsi: qla2xxx: Avoid that qlt_send_resp_ctio() corrupts memory
packet: in recvmsg msg_name return at least sizeof sockaddr_ll
ASoC: fix valid stream condition
usb: gadget: fsl: fix link error against usb-gadget module
dwc2: gadget: Fix completed transfer size calculation in DDMA
IB/mlx5: Add missing XRC options to QP optional params mask
iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU
net: ena: fix swapped parameters when calling ena_com_indirect_table_fill_entry
net: ena: fix: Free napi resources when ena_up() fails
net: ena: fix incorrect test of supported hash function
net: ena: fix ena_com_fill_hash_function() implementation
dmaengine: tegra210-adma: restore channel status
mmc: core: fix possible use after free of host
lightnvm: pblk: fix lock order in pblk_rb_tear_down_check
afs: Fix the afs.cell and afs.volume xattr handlers
vfio/mdev: Avoid release parent reference during error path
vfio/mdev: Fix aborting mdev child device removal if one fails
l2tp: Fix possible NULL pointer dereference
media: omap_vout: potential buffer overflow in vidioc_dqbuf()
media: davinci/vpbe: array underflow in vpbe_enum_outputs()
platform/x86: alienware-wmi: printing the wrong error code
crypto: caam - fix caam_dump_sg that iterates through scatterlist
netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
pwm: meson: Consider 128 a valid pre-divider
pwm: meson: Don't disable PWM when setting duty repeatedly
ARM: riscpc: fix lack of keyboard interrupts after irq conversion
kdb: do a sanity check on the cpu in kdb_per_cpu()
backlight: lm3630a: Return 0 on success in update_status functions
thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
EDAC/mc: Fix edac_mc_find() in case no device is found
ARM: dts: sun8i-h3: Fix wifi in Beelink X2 DT
dmaengine: tegra210-adma: Fix crash during probe
arm64: dts: meson: libretech-cc: set eMMC as removable
RDMA/qedr: Fix incorrect device rate.
spi: spi-fsl-spi: call spi_finalize_current_message() at the end
crypto: ccp - fix AES CFB error exposed by new test vectors
crypto: ccp - Fix 3DES complaint from ccp-crypto module
serial: stm32: fix rx error handling
serial: stm32: fix transmit_chars when tx is stopped
serial: stm32: Add support of TC bit status check
serial: stm32: fix wakeup source initialization
misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa
iommu: Use right function to get group for device
signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig
inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
netvsc: unshare skb in VF rx handler
cpufreq: brcmstb-avs-cpufreq: Fix initial command check
cpufreq: brcmstb-avs-cpufreq: Fix types for voltage/frequency
media: vivid: fix incorrect assignment operation when setting video mode
mpls: fix warning with multi-label encap
iommu/vt-d: Duplicate iommu_resv_region objects per device list
qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state
powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild
powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration
drm/msm/mdp5: Fix mdp5_cfg_init error return
net: netem: fix backlog accounting for corrupted GSO frames
net/af_iucv: always register net_device notifier
ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs
rtc: pcf8563: Fix interrupt trigger method
rtc: pcf8563: Clear event flags and disable interrupts before requesting irq
drm/msm/a3xx: remove TPL1 regs from snapshot
perf/ioctl: Add check for the sample_period value
dmaengine: hsu: Revert "set HSU_CH_MTSR to memory width"
clk: qcom: Fix -Wunused-const-variable
nvmem: imx-ocotp: Ensure WAIT bits are preserved when setting timing
bnxt_en: Fix ethtool selftest crash under error conditions.
iommu/amd: Make iommu_disable safer
mfd: intel-lpss: Release IDA resources
rxrpc: Fix uninitialized error code in rxrpc_send_data_packet()
devres: allow const resource arguments
RDMA/hns: Fixs hw access invalid dma memory error
net: pasemi: fix an use-after-free in pasemi_mac_phy_init()
scsi: libfc: fix null pointer dereference on a null lport
clk: sunxi-ng: v3s: add the missing PLL_DDR1
PM: sleep: Fix possible overflow in pm_system_cancel_wakeup()
libertas_tf: Use correct channel range in lbtf_geo_init
qed: reduce maximum stack frame size
usb: host: xhci-hub: fix extra endianness conversion
mic: avoid statically declaring a 'struct device'.
x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI
crypto: ccp - Reduce maximum stack usage
ALSA: aoa: onyx: always initialize register read value
tipc: reduce risk of wakeup queue starvation
ARM: dts: stm32: add missing vdda-supply to adc on stm32h743i-eval
net/mlx5: Fix mlx5_ifc_query_lag_out_bits
cifs: fix rmmod regression in cifs.ko caused by force_sig changes
crypto: caam - free resources in case caam_rng registration failed
ext4: set error return correctly when ext4_htree_store_dirent fails
ASoC: es8328: Fix copy-paste error in es8328_right_line_controls
ASoC: cs4349: Use PM ops 'cs4349_runtime_pm'
ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls
net/rds: Add a few missing rds_stat_names entries
bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails
signal: Allow cifs and drbd to receive their terminating signals
ASoC: sun4i-i2s: RX and TX counter registers are swapped
dmaengine: dw: platform: Switch to acpi_dma_controller_register()
mac80211: minstrel_ht: fix per-group max throughput rate initialization
media: atmel: atmel-isi: fix timeout value for stop streaming
rtc: pcf2127: bugfix: read rtc disables watchdog
mips: avoid explicit UB in assignment of mips_io_port_base
iommu/mediatek: Fix iova_to_phys PA start for 4GB mode
ahci: Do not export local variable ahci_em_messages
Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()"
hwmon: (lm75) Fix write operations for negative temperatures
power: supply: Init device wakeup after device_add()
x86, perf: Fix the dependency of the x86 insn decoder selftest
staging: greybus: light: fix a couple double frees
irqdomain: Add the missing assignment of domain->fwnode for named fwnode
bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
iio: dac: ad5380: fix incorrect assignment to val
ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init
tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs
net: sonic: return NETDEV_TX_OK if failed to map buffer
scsi: fnic: fix msix interrupt allocation
Btrfs: fix hang when loading existing inode cache off disk
Btrfs: fix inode cache waiters hanging on failure to start caching thread
Btrfs: fix inode cache waiters hanging on path allocation failure
btrfs: use correct count in btrfs_file_write_iter()
ixgbe: sync the first fragment unconditionally
hwmon: (shtc1) fix shtc1 and shtw1 id mask
net: sonic: replace dev_kfree_skb in sonic_send_packet
pinctrl: iproc-gpio: Fix incorrect pinconf configurations
ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet
RDMA/cma: Fix false error message
net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names'
iommu/amd: Wait for completion of IOTLB flush in attach_device
net: aquantia: Fix aq_vec_isr_legacy() return value
net: hisilicon: Fix signedness bug in hix5hd2_dev_probe()
net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe()
net: stmmac: dwmac-meson8b: Fix signedness bug in probe
net: axienet: fix a signedness bug in probe
of: mdio: Fix a signedness bug in of_phy_get_and_connect()
net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse()
nvme: retain split access workaround for capability reads
net: stmmac: gmac4+: Not all Unicast addresses may be available
mac80211: accept deauth frames in IBSS mode
llc: fix another potential sk_buff leak in llc_ui_sendmsg()
llc: fix sk_buff refcounting in llc_conn_state_process()
net: stmmac: fix length of PTP clock's name string
act_mirred: Fix mirred_init_module error handling
net: avoid possible false sharing in sk_leave_memory_pressure()
net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head
tcp: annotate lockless access to tcp_memory_pressure
drm/msm/dsi: Implement reset correctly
dmaengine: imx-sdma: fix size check for sdma script_number
net: netem: fix error path for corrupted GSO frames
net: netem: correct the parent's backlog when corrupted packet was dropped
net: qca_spi: Move reset_count to struct qcaspi
afs: Fix large file support
MIPS: Loongson: Fix return value of loongson_hwmon_init
hv_netvsc: flag software created hash value
net: neigh: use long type to store jiffies delta
packet: fix data-race in fanout_flow_is_huge()
mmc: sdio: fix wl1251 vendor id
mmc: core: fix wl1251 sdio quirks
affs: fix a memory leak in affs_remount
dmaengine: ti: edma: fix missed failure handling
drm/radeon: fix bad DMA from INTERRUPT_CNTL2
arm64: dts: juno: Fix UART frequency
IB/iser: Fix dma_nents type definition
serial: stm32: fix clearing interrupt error flags
m68k: Call timer_interrupt() with interrupts disabled
Linux 4.14.168
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3eeaa348e8e99998356d27c99d06dcb38e48e7d5
|
||
Pablo Neira Ayuso
|
223b167f01 |
netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
[ Upstream commit 3b02b0adc242a72b5e46019b6a9e4f84823592f6 ]
Call jhash_1word() for the 4-bytes key case from the insertion and
deactivation path, otherwise big endian arch set lookups fail.
Fixes: 446a8268b7f5 ("netfilter: nft_set_hash: add lookup variant for fixed size hashtable")
Reported-by: Florian Westphal <fw@strlen.de>
Tested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
571f96858f |
This is the 4.14.167 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4pSUUACgkQONu9yGCS aT7tQA/9FkHOGpw/hHXap1LCqpOvcgagEexE2y2APxuZAaH0vBDoIHeXBJa8tsOa hIEag//gR7+CZ58eFiuNAEitOMDoeiIroh8H+GEw6ne3Ns4RGngfLySjhsaghLNS VMYENwwtyQrnbRgHZxdR9EeoMHeBOqUglmwGmGX34iNICNQ4P6ux4go3Lvxl+NWx yigKKHxZHYJgNXFw4neMoUgLX7ivQ3ccLQfAlxCkAGvJSUMN2J2qjr0PlsO2XOJy WV+ZxBiG6wOi4jO+QcCbDzfftB4vQHb3GItOQIeKGedDYcP7I/XnVQS43gW0EMYz bNoC2Zlj44Qg8v6cIeKKXHt2chy5wFvZid1JPbZSeXGAhyAmLxTLOwBJgHRPvlpT pgbMTthDXmQjx8k/lMYNEUIFEYRiTcEbyGOT4BYU6PemWh83EVdANu2xAGIFYxby L+d3gsS0LzU8ml9UYNZ0+f0ebXzvPL3qxlAu9vhTrXWPADrqR++cJmDg5z9fzvap BK3qyWhhGMuErTnlzlvkOqaAyY1EYSzVu3nWO4symyOXIebw2ofSceqTzxMAJfUk qo6ngca2RHDeISranlfRzPhG2EgegYhxsoC+51nqBGG/O2/Oln0JeA2hsDGYPbKG q4JdZEXPn50PVx19IgEHjC37lJv5aTko6z9ArxwXEcVkriyBiIE= =XBah -----END PGP SIGNATURE----- Merge 4.14.167 into android-4.14 Changes in 4.14.167 dt-bindings: reset: meson8b: fix duplicate reset IDs clk: Don't try to enable critical clocks if prepare failed ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 ALSA: seq: Fix racy access for queue timer in proc read Fix built-in early-load Intel microcode alignment block: fix an integer overflow in logical block size ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number iio: buffer: align the size of scan bytes to size of the largest element USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx USB: serial: option: Add support for Quectel RM500Q USB: serial: opticon: fix control-message timeouts USB: serial: option: add support for Quectel RM500Q in QDL mode USB: serial: suppress driver bind attributes USB: serial: ch341: handle unbound port at reset_resume USB: serial: io_edgeport: add missing active-port sanity check USB: serial: keyspan: handle unbound ports USB: serial: quatech2: handle unbound ports scsi: fnic: fix invalid stack access scsi: mptfusion: Fix double fetch bug in ioctl ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() usb: core: hub: Improved device recognition on remote wakeup x86/resctrl: Fix an imbalance in domain_remove_cpu() x86/efistub: Disable paging at mixed mode entry perf hists: Fix variable name's inconsistency in hists__for_each() macro perf report: Fix incorrectly added dimensions as switch perf data file mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment btrfs: fix memory leak in qgroup accounting mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() net: stmmac: 16KB buffer must be 16 byte aligned net: stmmac: Enable 16KB buffer size USB: serial: io_edgeport: use irqsave() in USB's complete callback USB: serial: io_edgeport: handle unbound ports on URB completion mm/huge_memory.c: make __thp_get_unmapped_area static mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD alignment arm64: dts: agilex/stratix10: fix pmu interrupt numbers cfg80211: fix page refcount issue in A-MSDU decap netfilter: fix a use-after-free in mtype_destroy() netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct NFC: pn533: fix bulk-message timeout batman-adv: Fix DAT candidate selection on little endian systems macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() hv_netvsc: Fix memory leak when removing rndis device net: dsa: tag_qca: fix doubled Tx statistics net: hns: fix soft lockup when there is not enough memory net: usb: lan78xx: limit size of local TSO packets net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info ptp: free ptp device pin descriptors properly r8152: add missing endpoint sanity check tcp: fix marked lost packets not being retransmitted xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk cw1200: Fix a signedness bug in cw1200_load_firmware() arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node cfg80211: check for set_wiphy_params tick/sched: Annotate lockless access to last_jiffies_update Revert "arm64: dts: juno: add dma-ranges property" reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr scsi: esas2r: unlock on error in esas2r_nvram_read_direct() scsi: qla4xxx: fix double free bug scsi: bnx2i: fix potential use after free scsi: target: core: Fix a pr_debug() argument scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan scsi: core: scsi_trace: Use get_unaligned_be*() perf probe: Fix wrong address verification regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id Linux 4.14.167 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ie2aaf9891326fea7fc9c3e8480dd69871e9d0d7d |
||
|
Cong Wang
|
071b66b380 |
netfilter: fix a use-after-free in mtype_destroy()
commit c120959387efa51479056fd01dc90adfba7a590c upstream. map->members is freed by ip_set_free() right before using it in mtype_ext_cleanup() again. So we just have to move it down. Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function") Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
748d727135 |
This is the 4.14.165 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4eEQ0ACgkQONu9yGCS aT5i7hAAhtuy6LEtpDbafLHmKEQwUmHu4dMWSVg0kzgraVVCGl9YqY8d+WgKn6dN mNxYvThWmD+ZSnwOJQnW4EdW/72S3S3FJ9ayTGUHkHj34/FkicxV803ETRGIeeTd 3aothT4kxKK2Mx99qKxg4+bJEMSdYME/ldGOQvqDMrIdf72b4U9N57902u0W7t1g XgzzxKb65qy29Icyr6XJUhEjA7dQuit2zNYIt4LUtAHkCmVXlUUVWBQ6FZNYVxIy 4Q3mPRpHvcbrHV3qWxAyA4k3XRiNCd5oYp6U2pXOoTCv1Ez6lGEXlrRb7P6W/qqq sAGTAgk5vCWtwH8Dqul3bdNWvN47+4jLko+kgFsiAbJDTUOejuNizUg6Jg8UnZnB IBj2INpvvBuurgvOzqp5kcX1Dt+EjaVTkXe0u4qiQE7iSemiRxUGsDDdrR/27JsV 83PHqRnBEHzIHKXIQdS2UhW5zprOf47CMuKP0nVb+oEEzEnbvh5nLKUoLNabD2sL KNPVqPDVNO57DPMiY4uRAQ5QUy6GcThwkFBD7ydqtpTPMQIPp0VG3h59DDE4noBX sekd6PKPHAJzVR9agx0ASrb8USDS3LBNQNGi5MiyAHn0SpoRQpyBzhJcHCXhVvFE LWBv6CfIu+igDRrGFdZCizhRQGNON0AfNEjMkN8RGG5rgCi7ofo= =Soo8 -----END PGP SIGNATURE----- Merge 4.14.165 into android-4.14 Changes in 4.14.165 chardev: Avoid potential use-after-free in 'chrdev_open()' usb: chipidea: host: Disable port power only if previously enabled ALSA: usb-audio: Apply the sample rate quirk for Bose Companion 5 ALSA: hda/realtek - Add new codec supported for ALCS1200A ALSA: hda/realtek - Set EAPD control to default for ALC222 kernel/trace: Fix do not unregister tracepoints when register sched_migrate_task fail tracing: Have stack tracer compile when MCOUNT_INSN_SIZE is not defined HID: Fix slab-out-of-bounds read in hid_field_extract HID: uhid: Fix returning EPOLLOUT from uhid_char_poll can: gs_usb: gs_usb_probe(): use descriptors of current altsetting can: mscan: mscan_rx_poll(): fix rx path lockup when returning from polling to irq mode can: can_dropped_invalid_skb(): ensure an initialized headroom in outgoing CAN sk_buffs gpiolib: acpi: Turn dmi_system_id table into a generic quirk table gpiolib: acpi: Add honor_wakeup module-option + quirk mechanism staging: vt6656: set usb_set_intfdata on driver fail. USB: serial: option: add ZLP support for 0x1bc7/0x9010 usb: musb: fix idling for suspend after disconnect interrupt usb: musb: Disable pullup at init usb: musb: dma: Correct parameter passed to IRQ handler staging: comedi: adv_pci1710: fix AI channels 16-31 for PCI-1713 HID: hid-input: clear unmapped usages Input: add safety guards to input_set_keycode() drm/fb-helper: Round up bits_per_pixel if possible drm/dp_mst: correct the shifting in DP_REMOTE_I2C_READ staging: rtl8188eu: Add device code for TP-Link TL-WN727N v5.21 tty: link tty and port before configuring it as console tty: always relink the port mwifiex: fix possible heap overflow in mwifiex_process_country_ie() mwifiex: pcie: Fix memory leak in mwifiex_pcie_alloc_cmdrsp_buf scsi: bfa: release allocated memory in case of error rtl8xxxu: prevent leaking urb ath10k: fix memory leak arm64: cpufeature: Avoid warnings due to unused symbols HID: hiddev: fix mess in hiddev_open() USB: Fix: Don't skip endpoint descriptors with maxpacket=0 phy: cpcap-usb: Fix error path when no host driver is loaded phy: cpcap-usb: Fix flakey host idling and enumerating of devices netfilter: arp_tables: init netns pointer in xt_tgchk_param struct netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present drm/i915/gen9: Clear residual context state on context switch Linux 4.14.165 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia2165e5228d420a483a05f2145f15255047446bc |
||
Florian Westphal
|
bd6d13a15a |
netfilter: ipset: avoid null deref when IPSET_ATTR_LINENO is present
commit 22dad713b8a5ff488e07b821195270672f486eb2 upstream. The set uadt functions assume lineno is never NULL, but it is in case of ip_set_utest(). syzkaller managed to generate a netlink message that calls this with LINENO attr present: general protection fault: 0000 [#1] PREEMPT SMP KASAN RIP: 0010:hash_mac4_uadt+0x1bc/0x470 net/netfilter/ipset/ip_set_hash_mac.c:104 Call Trace: ip_set_utest+0x55b/0x890 net/netfilter/ipset/ip_set_core.c:1867 nfnetlink_rcv_msg+0xcf2/0xfb0 net/netfilter/nfnetlink.c:229 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 nfnetlink_rcv+0x1ba/0x460 net/netfilter/nfnetlink.c:563 pass a dummy lineno storage, its easier than patching all set implementations. This seems to be a day-0 bug. Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Reported-by: syzbot+34bd2369d38707f3f4a7@syzkaller.appspotmail.com Fixes: a7b4f989a6294 ("netfilter: ipset: IP set core support") Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
d2905c6a0e |
This is the 4.14.164 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4a/2MACgkQONu9yGCS aT4BwA//diCficMfLINrc/9bMq3VS2Y+/lnuURMXEM9MJibjQCUS1spc6YhhNFrE 8m3aavAYywjjD3zGHj8KEaKQFDrPQxYQDzPOPK9rxjpxlUFpnYWUGlI2krpwBV6c 8xAekM62sMEIq09EHqqhKVls+WmYi47/pdfGAAt3PUR8c2eTOlxiFsiwq4nuZDdv rcMkQm87V8Wn1Nq+Dfp6R3U+X9f4DcU5n5cKiGq6ujoalT7h5/jj36JIFxBwMapF WjpqXMUUeylXxXnNFMUbEMg+lEqJlWfvj1sxdxyMdgS+L9rc9bXk/NTub4TZPaXu odwMl9RKWjJvFsvn26Pc4s31K2raEhCDYdkVoFTXWsc7vbE4A/h/yAw4Wq+cuBI4 H4fBXYYZ3D0Il9kxYYbfSaki5z1YbI54tkWcrs8f8jli5C0M3Wkkux1TA4HPj2Ja 8zJFH0++cyfpuKRiYXro+H2Tq4KxBwsWEtync8230MEywlTxkz4IIue+SCgVV+WD jmg/enRjbnkpYBSH1pKOdAAga0kHSxtwWlfLFrjhcgGse8y6sCJhUOPPcQMnf/k0 Jrmc3InHg+mtLiSsJXAp4iGABJlW+W/ouaxaxYoA9wucwQlcgxXpkigl5rOgFTma 153RYc1TSZJAe+cjx42qZxRxcD8/Vg5d6D2tL1otbMSIsD3e7Gk= =sq63 -----END PGP SIGNATURE----- Merge 4.14.164 into android-4.14 Changes in 4.14.164 USB: dummy-hcd: use usb_urb_dir_in instead of usb_pipein USB: dummy-hcd: increase max number of devices to 32 locking/spinlock/debug: Fix various data races netfilter: ctnetlink: netns exit must wait for callbacks mwifiex: Fix heap overflow in mmwifiex_process_tdls_action_frame() libtraceevent: Fix lib installation with O= x86/efi: Update e820 with reserved EFI boot services data to fix kexec breakage efi/gop: Return EFI_NOT_FOUND if there are no usable GOPs efi/gop: Return EFI_SUCCESS if a usable GOP was found efi/gop: Fix memory leak in __gop_query32/64() ARM: vexpress: Set-up shared OPP table instead of individual for each CPU netfilter: uapi: Avoid undefined left-shift in xt_sctp.h netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END ARM: dts: Cygnus: Fix MDIO node address/size cells spi: spi-cavium-thunderx: Add missing pci_release_regions() ASoC: topology: Check return value for soc_tplg_pcm_create() ARM: dts: bcm283x: Fix critical trip point bpf, mips: Limit to 33 tail calls ARM: dts: am437x-gp/epos-evm: fix panel compatible samples: bpf: Replace symbol compare of trace_event samples: bpf: fix syscall_tp due to unused syscall powerpc: Ensure that swiotlb buffer is allocated from low memory bnx2x: Do not handle requests from VFs after parity bnx2x: Fix logic to get total no. of PFs per engine net: usb: lan78xx: Fix error message format specifier rfkill: Fix incorrect check to avoid NULL pointer dereference ASoC: wm8962: fix lambda value regulator: rn5t618: fix module aliases kconfig: don't crash on NULL expressions in expr_eq() perf/x86/intel: Fix PT PMI handling fs: avoid softlockups in s_inodes iterators net: stmmac: Do not accept invalid MTU values net: stmmac: RX buffer size must be 16 byte aligned s390/dasd/cio: Interpret ccw_device_get_mdc return value correctly s390/dasd: fix memleak in path handling error case block: fix memleak when __blk_rq_map_user_iov() is failed parisc: Fix compiler warnings in debug_core.c llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) hv_netvsc: Fix unwanted rx_table reset bpf: reject passing modified ctx to helper functions bpf: Fix passing modified ctx to ld/abs/ind instruction PCI/switchtec: Read all 64 bits of part_event_bitmap mmc: block: Convert RPMB to a character device mmc: block: Delete mmc_access_rpmb() mmc: block: Fix bug when removing RPMB chardev mmc: core: Prevent bus reference leak in mmc_blk_init() mmc: block: propagate correct returned value in mmc_rpmb_ioctl gtp: fix bad unlock balance in gtp_encap_enable_socket macvlan: do not assume mac_header is set in macvlan_broadcast() net: dsa: mv88e6xxx: Preserve priority when setting CPU port. net: stmmac: dwmac-sun8i: Allow all RGMII modes net: stmmac: dwmac-sunxi: Allow all RGMII modes net: usb: lan78xx: fix possible skb leak pkt_sched: fq: do not accept silly TCA_FQ_QUANTUM USB: core: fix check for duplicate endpoints USB: serial: option: add Telit ME910G1 0x110a composition sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY tcp: fix "old stuff" D-SACK causing SACK to be treated as D-SACK vxlan: fix tos value before xmit vlan: vlan_changelink() should propagate errors net: sch_prio: When ungrafting, replace with FIFO vlan: fix memory leak in vlan_dev_set_egress_priority Linux 4.14.164 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ifbce6635b5a3df896c29e23dd15098e80ecddeba |
||
|
Pablo Neira Ayuso
|
4798a83039 |
netfilter: nf_tables: validate NFT_SET_ELEM_INTERVAL_END
[ Upstream commit bffc124b6fe37d0ae9b428d104efb426403bb5c9 ]
Only NFTA_SET_ELEM_KEY and NFTA_SET_ELEM_FLAGS make sense for elements
whose NFT_SET_ELEM_INTERVAL_END flag is set on.
Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Florian Westphal
|
d74adafded |
netfilter: ctnetlink: netns exit must wait for callbacks
[ Upstream commit 18a110b022a5c02e7dc9f6109d0bd93e58ac6ebb ]
Curtis Taylor and Jon Maxwell reported and debugged a crash on 3.10
based kernel.
Crash occurs in ctnetlink_conntrack_events because net->nfnl socket is
NULL. The nfnl socket was set to NULL by netns destruction running on
another cpu.
The exiting network namespace calls the relevant destructors in the
following order:
1. ctnetlink_net_exit_batch
This nulls out the event callback pointer in struct netns.
2. nfnetlink_net_exit_batch
This nulls net->nfnl socket and frees it.
3. nf_conntrack_cleanup_net_list
This removes all remaining conntrack entries.
This is order is correct. The only explanation for the crash so ar is:
cpu1: conntrack is dying, eviction occurs:
-> nf_ct_delete()
-> nf_conntrack_event_report \
-> nf_conntrack_eventmask_report
-> notify->fcn() (== ctnetlink_conntrack_events).
cpu1: a. fetches rcu protected pointer to obtain ctnetlink event callback.
b. gets interrupted.
cpu2: runs netns exit handlers:
a runs ctnetlink destructor, event cb pointer set to NULL.
b runs nfnetlink destructor, nfnl socket is closed and set to NULL.
cpu1: c. resumes and trips over NULL net->nfnl.
Problem appears to be that ctnetlink_net_exit_batch only prevents future
callers of nf_conntrack_eventmask_report() from obtaining the callback.
It doesn't wait of other cpus that might have already obtained the
callbacks address.
I don't see anything in upstream kernels that would prevent similar
crash: We need to wait for all cpus to have exited the event callback.
Fixes: 9592a5c01e79dbc59eb56fa ("netfilter: ctnetlink: netns support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
c2bd4f8f0c |
This is the 4.14.162 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4QjoEACgkQONu9yGCS aT61Ig/9GTbv5+njbemhs01loMsA6H4u+BwFHjxJiTzfj+7TwKDZVDcllmiKkPSQ cS3+n6oV1G5VzzmTRU5WKBNQkgu2t6TmcxI4xiDTIZ+GlzdC7b7bp0uEv7bRGIMg lm6oHBoy753oMiB/Z4itA58tuLVsEw9sjZJ3O7wvlaFl4NzD8clGCc9iLQaLofDP 7uXWPgtZ3yRDquOtjPV7c52qwbr/QUZs13iH6xwSHIK6kmTbuhKbQB2TqdrHlKrc FxlitA8NAjn8s7PrJd0NWQxxEW0by3W+pYZ6yvzF1zlY1UWkZB7WfKK8kW5A/5Jt alPtbHAZGbxuobVewObRosM/DZ6vYHNE78M6FUkyo7113lsvVNhz71h8YbO/beCc PPGzvQbbeaWGdVtTFVih75HwtGVktwRpgdA1H0NPZb4eWX9eZl8BrgMvo4EsAvl4 BMYiWbYvR7ijWvbahwTHlpnpmce2acWD5H+oGE338lXvXfXjgrH5d2DlZ9bWTdKv h1YmINQ/cZuUoAe9vlUr/uXIflwza65TJWDRRjzXMZ7FOLwXTTCjqFO+36PZ5zRf 4jdfZa4Uz0HmfH95bVJRbRuAt1Fny/mK3sx7vjTcu0qT9FpG8P3tSJR9rz8yEbVb X0dmyUHl2qNFj0Y/cV3AJJjTEuDbhmXfwPmXPgF4owR6R0rhfM4= =57Qt -----END PGP SIGNATURE----- Merge 4.14.162 into android-4.14 Changes in 4.14.162 scsi: lpfc: Fix discovery failures when target device connectivity bounces scsi: mpt3sas: Fix clear pending bit in ioctl status scsi: lpfc: Fix locking on mailbox command completion Input: atmel_mxt_ts - disable IRQ across suspend iommu/tegra-smmu: Fix page tables in > 4 GiB memory scsi: target: compare full CHAP_A Algorithm strings scsi: lpfc: Fix SLI3 hba in loop mode not discovering devices scsi: csiostor: Don't enable IRQs too early powerpc/pseries: Mark accumulate_stolen_time() as notrace powerpc/pseries: Don't fail hash page table insert for bolted mapping powerpc/tools: Don't quote $objdump in scripts dma-debug: add a schedule point in debug_dma_dump_mappings() clocksource/drivers/asm9260: Add a check for of_clk_get powerpc/security/book3s64: Report L1TF status in sysfs powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning ext4: update direct I/O read lock pattern for IOCB_NOWAIT jbd2: Fix statistics for the number of logged blocks scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow f2fs: fix to update dir's i_pino during cross_rename clk: qcom: Allow constant ratio freq tables for rcg irqchip/irq-bcm7038-l1: Enable parent IRQ if necessary irqchip: ingenic: Error out if IRQ domain creation failed fs/quota: handle overflows of sysctl fs.quota.* and report as unsigned long scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences scsi: ufs: fix potential bug which ends in system hang powerpc/pseries/cmm: Implement release() function for sysfs device powerpc/security: Fix wrong message when RFI Flush is disable scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of SG_NONE clk: pxa: fix one of the pxa RTC clocks bcache: at least try to shrink 1 node in bch_mca_scan() HID: logitech-hidpp: Silence intermittent get_battery_capacity errors libnvdimm/btt: fix variable 'rc' set but not used HID: Improve Windows Precision Touchpad detection. scsi: pm80xx: Fix for SATA device discovery scsi: ufs: Fix error handing during hibern8 enter scsi: scsi_debug: num_tgts must be >= 0 scsi: NCR5380: Add disconnect_mask module parameter scsi: iscsi: Don't send data to unbound connection scsi: target: iscsi: Wait for all commands to finish before freeing a session gpio: mpc8xxx: Don't overwrite default irq_set_type callback apparmor: fix unsigned len comparison with less than zero scripts/kallsyms: fix definitely-lost memory leak cdrom: respect device capabilities during opening action perf script: Fix brstackinsn for AUXTRACE perf regs: Make perf_reg_name() return "unknown" instead of NULL s390/zcrypt: handle new reply code FILTERED_BY_HYPERVISOR libfdt: define INT32_MAX and UINT32_MAX in libfdt_env.h s390/cpum_sf: Check for SDBT and SDB consistency ocfs2: fix passing zero to 'PTR_ERR' warning kernel: sysctl: make drop_caches write-only userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK x86/mce: Fix possibly incorrect severity calculation on AMD net, sysctl: Fix compiler warning when only cBPF is present netfilter: nf_queue: enqueue skbs with NULL dst ALSA: hda - Downgrade error message for single-cmd fallback bonding: fix active-backup transition after link failure perf strbuf: Remove redundant va_end() in strbuf_addv() Make filldir[64]() verify the directory entry filename is valid filldir[64]: remove WARN_ON_ONCE() for bad directory entries netfilter: ebtables: compat: reject all padding in matches/watchers 6pack,mkiss: fix possible deadlock netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() inetpeer: fix data-race in inet_putpeer / inet_putpeer net: add a READ_ONCE() in skb_peek_tail() net: icmp: fix data-race in cmp_global_allow() hrtimer: Annotate lockless access to timer->state spi: fsl: don't map irq during probe tty/serial: atmel: fix out of range clock divider handling pinctrl: baytrail: Really serialize all register accesses net: ena: fix napi handler misbehavior when the napi budget is zero net/mlxfw: Fix out-of-memory error in mfa2 flash burning ptp: fix the race between the release of ptp_clock and cdev udp: fix integer overflow while computing available space in sk_rcvbuf vhost/vsock: accept only packets with the right dst_cid net: add bool confirm_neigh parameter for dst_ops.update_pmtu ip6_gre: do not confirm neighbor when do pmtu update gtp: do not confirm neighbor when do pmtu update net/dst: add new function skb_dst_update_pmtu_no_confirm tunnel: do not confirm neighbor when do pmtu update vti: do not confirm neighbor when do pmtu update sit: do not confirm neighbor when do pmtu update gtp: do not allow adding duplicate tid and ms_addr pdp context tcp/dccp: fix possible race __inet_lookup_established() tcp: do not send empty skb from tcp_write_xmit() gtp: fix wrong condition in gtp_genl_dump_pdp() gtp: fix an use-after-free in ipv4_pdp_find() gtp: avoid zero size hashtable spi: fsl: use platform_get_irq() instead of of_irq_to_resource() Linux 4.14.162 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Hangbin Liu
|
7ae78f9bbb |
net: add bool confirm_neigh parameter for dst_ops.update_pmtu
[ Upstream commit bd085ef678b2cc8c38c105673dfe8ff8f5ec0c57 ]
The MTU update code is supposed to be invoked in response to real
networking events that update the PMTU. In IPv6 PMTU update function
__ip6_rt_update_pmtu() we called dst_confirm_neigh() to update neighbor
confirmed time.
But for tunnel code, it will call pmtu before xmit, like:
- tnl_update_pmtu()
- skb_dst_update_pmtu()
- ip6_rt_update_pmtu()
- __ip6_rt_update_pmtu()
- dst_confirm_neigh()
If the tunnel remote dst mac address changed and we still do the neigh
confirm, we will not be able to update neigh cache and ping6 remote
will failed.
So for this ip_tunnel_xmit() case, _EVEN_ if the MTU is changed, we
should not be invoking dst_confirm_neigh() as we have no evidence
of successful two-way communication at this point.
On the other hand it is also important to keep the neigh reachability fresh
for TCP flows, so we cannot remove this dst_confirm_neigh() call.
To fix the issue, we have to add a new bool parameter for dst_ops.update_pmtu
to choose whether we should do neigh update or not. I will add the parameter
in this patch and set all the callers to true to comply with the previous
way, and fix the tunnel code one by one on later patches.
v5: No change.
v4: No change.
v3: Do not remove dst_confirm_neigh, but add a new bool parameter in
dst_ops.update_pmtu to control whether we should do neighbor confirm.
Also split the big patch to small ones for each area.
v2: Remove dst_confirm_neigh in __ip6_rt_update_pmtu.
Suggested-by: David Miller <davem@davemloft.net>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Marco Oliverio
|
b2823ed5cb |
netfilter: nf_queue: enqueue skbs with NULL dst
[ Upstream commit 0b9173f4688dfa7c5d723426be1d979c24ce3d51 ]
Bridge packets that are forwarded have skb->dst == NULL and get
dropped by the check introduced by
b60a77386b1d4868f72f6353d35dabe5fbe981f2 (net: make skb_dst_force
return true when dst is refcounted).
To fix this we check skb_dst() before skb_dst_force(), so we don't
drop skb packet with dst == NULL. This holds also for skb at the
PRE_ROUTING hook so we remove the second check.
Fixes: b60a77386b1d ("net: make skb_dst_force return true when dst is refcounted")
Signed-off-by: Marco Oliverio <marco.oliverio@tanaza.com>
Signed-off-by: Rocco Folino <rocco.folino@tanaza.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
f9b4ab5c8e |
This is the 4.14.156 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3aL/cACgkQONu9yGCS aT7ItBAAuh9Td+0gRweh5Wtxsj8MZYNeXb7TrM6rLU/z3QcP0GXSHB62ZUne+j9v bUS40aXAzd5O6quKt2XUW3EymyZH6InELtAV19b4wkzKjMbMOFJEEPxVs8KUUUyQ rCD0Mvazjwc8Z9c0EVVZRieLYhRo6vzgnMqaHp2BaIEd55VAF03vKWKIxJ7sEiNb uHEWYcTPFsowuvs3/+Nc/9cLYO/Cbxi9cr4FJGR/M0qNkQYK6HngWJwbWXERhfSI /CZB2FHNfzUuqZSdjbDDqznZqN/2mqePg2HpHrK+sPq3q5UJLNXW1qITls0r5P8K f4csvkt1BMjbJYS006x14s5nHpgpsmXDzzaoPVij5LZO1k2/W8ospCW7zAZK6w9c dn59S73SzCBCBPunxdK7l4FpMZZkbbW9GsrqF+EYaoR2ftUCDfXuzay79eMoCGW2 uG9Oy5lW4ci/QhNB072QMOSosnda9kWniw30Q02iFZpp9hZqpbYvSt3IH8Qgbz2S hEM2aqNEfjumBT1SdHgPsjn1Tmqeyo3wVCah6K5vy+qTjOxmVBslB5zT7upAA4be h77EN3aD7iqrwuZkeUvPpLxermqFZa7CmSXorOoOSMkzHtOiVyxS6koQechgIgpl DePv2tWYhRPmAeNo0+gGOiRAQ518PfVBSdJ9NTvcwvv+Ad+E0hM= =jEkm -----END PGP SIGNATURE----- Merge 4.14.156 into android-4.14 Changes in 4.14.156 spi: mediatek: use correct mata->xfer_len when in fifo transfer tee: optee: add missing of_node_put after of_device_is_available Revert "OPP: Protect dev_list with opp_table lock" net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size() idr: Fix idr_get_next race with idr_remove mm/memory_hotplug: don't access uninitialized memmaps in shrink_pgdat_span() mm/memory_hotplug: fix updating the node span arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault fbdev: Ditch fb_edid_add_monspecs net: ovs: fix return type of ndo_start_xmit function net: xen-netback: fix return type of ndo_start_xmit function ARM: dts: dra7: Enable workaround for errata i870 in PCIe host mode ARM: dts: omap5: enable OTG role for DWC3 controller net: hns3: Fix for netdev not up problem when setting mtu f2fs: return correct errno in f2fs_gc ARM: dts: sun8i: h3-h5: ir register size should be the whole memory block SUNRPC: Fix priority queue fairness IB/hfi1: Ensure ucast_dlid access doesnt exceed bounds iommu/io-pgtable-arm: Fix race handling in split_blk_unmap() kvm: arm/arm64: Fix stage2_flush_memslot for 4 level page table arm64/numa: Report correct memblock range for the dummy node ath10k: fix vdev-start timeout on error ata: ahci_brcm: Allow using driver or DSL SoCs ath9k: fix reporting calculated new FFT upper max usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status() usb: dwc3: gadget: Check ENBLSLPM before sending ep command nl80211: Fix a GET_KEY reply attribute irqchip/irq-mvebu-icu: Fix wrong private data retrieval watchdog: w83627hf_wdt: Support NCT6796D, NCT6797D, NCT6798D KVM: PPC: Inform the userspace about TCE update failures dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction dmaengine: timb_dma: Use proper enum in td_prep_slave_sg ext4: fix build error when DX_DEBUG is defined clk: keystone: Enable TISCI clocks if K3_ARCH sunrpc: Fix connect metrics mei: samples: fix a signedness bug in amt_host_if_call() cxgb4: Use proper enum in cxgb4_dcb_handle_fw_update cxgb4: Use proper enum in IEEE_FAUX_SYNC powerpc/pseries: Fix DTL buffer registration powerpc/pseries: Fix how we iterate over the DTL entries powerpc/xive: Move a dereference below a NULL test ARM: dts: at91: sama5d4_xplained: fix addressable nand flash size ARM: dts: at91: at91sam9x5cm: fix addressable nand flash size mtd: rawnand: sh_flctl: Use proper enum for flctl_dma_fifo0_transfer PM / hibernate: Check the success of generating md5 digest before hibernation tools: PCI: Fix compilation warnings clocksource/drivers/sh_cmt: Fixup for 64-bit machines clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines md: allow metadata updates while suspending an array - fix ixgbe: Fix ixgbe TX hangs with XDP_TX beyond queue limit i40e: Use proper enum in i40e_ndo_set_vf_link_state ixgbe: Fix crash with VFs and flow director on interface flap IB/mthca: Fix error return code in __mthca_init_one() IB/mlx4: Avoid implicit enumerated type conversion ACPICA: Never run _REG on system_memory and system_IO powerpc/time: Use clockevents_register_device(), fixing an issue with large decrementer ata: ep93xx: Use proper enums for directions media: rc: ir-rc6-decoder: enable toggle bit for Kathrein RCU-676 remote media: pxa_camera: Fix check for pdev->dev.of_node media: i2c: adv748x: Support probing a single output ALSA: hda/sigmatel - Disable automute for Elo VuPoint KVM: PPC: Book3S PR: Exiting split hack mode needs to fixup both PC and LR USB: serial: cypress_m8: fix interrupt-out transfer length mtd: physmap_of: Release resources on error cpu/SMT: State SMT is disabled even with nosmt and without "=force" brcmfmac: reduce timeout for action frame scan brcmfmac: fix full timeout waiting for action frame on-channel tx qtnfmac: pass sgi rate info flag to wireless core qtnfmac: drop error reports for out-of-bounds key indexes clk: samsung: exynos5420: Define CLK_SECKEY gate clock only or Exynos5420 clk: samsung: Use clk_hw API for calling clk framework from clk notifiers i2c: brcmstb: Allow enabling the driver on DSL SoCs NFSv4.x: fix lock recovery during delegation recall dmaengine: ioat: fix prototype of ioat_enumerate_channels media: cec-gpio: select correct Signal Free Time Input: st1232 - set INPUT_PROP_DIRECT property Input: silead - try firmware reload after unsuccessful resume remoteproc: Check for NULL firmwares in sysfs interface kexec: Allocate decrypted control pages for kdump if SME is enabled x86/olpc: Fix build error with CONFIG_MFD_CS5535=m dmaengine: rcar-dmac: set scatter/gather max segment size crypto: mxs-dcp - Fix SHA null hashes and output length crypto: mxs-dcp - Fix AES issues xfrm: use correct size to initialise sp->ovec ACPI / SBS: Fix rare oops when removing modules iwlwifi: mvm: don't send keys when entering D3 x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately mmc: tmio: Fix SCC error detection fbdev: sbuslib: use checked version of put_user() fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper() reset: Fix potential use-after-free in __of_reset_control_get() bcache: recal cached_dev_sectors on detach media: dw9714: Fix error handling in probe function s390/kasan: avoid vdso instrumentation proc/vmcore: Fix i386 build error of missing copy_oldmem_page_encrypted() backlight: lm3639: Unconditionally call led_classdev_unregister mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable printk: Give error on attempt to set log buffer length to over 2G media: isif: fix a NULL pointer dereference bug GFS2: Flush the GFS2 delete workqueue before stopping the kernel threads media: cx231xx: fix potential sign-extension overflow on large shift x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error gpio: syscon: Fix possible NULL ptr usage spi: fsl-lpspi: Prevent FIFO under/overrun by default pinctrl: gemini: Mask and set properly spi: spidev: Fix OF tree warning logic ARM: 8802/1: Call syscall_trace_exit even when system call skipped orangefs: rate limit the client not running info message pinctrl: gemini: Fix up TVC clock group hwmon: (pwm-fan) Silence error on probe deferral hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros netfilter: nft_compat: do not dump private area misc: cxl: Fix possible null pointer dereference mac80211: minstrel: fix using short preamble CCK rates on HT clients mac80211: minstrel: fix CCK rate group streams value mac80211: minstrel: fix sampling/reporting of CCK rates in HT mode spi: rockchip: initialize dma_slave_config properly mlxsw: spectrum_switchdev: Check notification relevance based on upper device ARM: dts: omap5: Fix dual-role mode on Super-Speed port tools: PCI: Fix broken pcitest compilation powerpc/time: Fix clockevent_decrementer initalisation for PR KVM mmc: tmio: fix SCC error handling to avoid false positive CRC error Linux 4.14.156 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Pablo Neira Ayuso
|
b72443ac86 |
netfilter: nft_compat: do not dump private area
[ Upstream commit d701d8117200399d85e63a737d2e4e897932f3b6 ]
Zero pad private area, otherwise we expose private kernel pointer to
userspace. This patch also zeroes the tail area after the ->matchsize
and ->targetsize that results from XT_ALIGN().
Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
babe48d2e9 |
This is the 4.14.154 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3K950ACgkQONu9yGCS aT7RzBAAujUlFkoT646z8Zi6najTF9/Bcpkt48h0QbGAlp44OvwzqTv0Vk9cp6hy WdCLIvH5SE2MzokMzIoanr4p2JKTBNk1FxCUYdXgGfETNbraplNRQ9yxyWo2G7Ic koWhEwQO2u7bbalD+kxbfG6w3yQN1mpTzUFzTS5lsK2IMD4WrNk0V2CNEZAPNBf/ QBig/z8ixbEHRvp7uFI/v8W/QyimQ1uVxs9nsVsAlgsQA+hUnywRXaYgeYRjEw+s x7g3FCxuvjzNEpboijSTXiUqbY33HCnSoRB+GC4IzdDQ6MBJ8blC96+jBpQM2Vhf 1nHqMB6G4BRVuC4dI/XQ3KxGxsVGEwgzuQags4mMHgXeudVoYQgntjpJlJyu5h5Y yQ4NZSRiKDY27AO1tnst2jjQwNDGF8dS4FPB/KpCNGjOlzFb351q34Lqj8fEoCt6 O3822FFjA5OhnrlqgRwIuf2qN8po+iJWR2Dg3jZXizs/eO2PBZ1h5tUNDB03MQEr Y43DeRogWCFoaYTET198qBw6pJGNYbmKR2H0LAlGpyJsGkfsSHQVks+KT5EaiCCL 96hRGZ5V1vs/hdqAB1rDMG7AVXQC51zOK5aMjvJ0jzEjRCO2fulOHH0nfaQAGhaD JhZc8eYouLj1p1+3K7yHzYZSWdzDH11182a7aHA5wd8ZTBonr0A= =qwqY -----END PGP SIGNATURE----- Merge 4.14.154 into android-4.14 Changes in 4.14.154 bonding: fix state transition issue in link monitoring CDC-NCM: handle incomplete transfer of MTU ipv4: Fix table id reference in fib_sync_down_addr net: ethernet: octeon_mgmt: Account for second possible VLAN header net: fix data-race in neigh_event_send() net: qualcomm: rmnet: Fix potential UAF when unregistering net: usb: qmi_wwan: add support for DW5821e with eSIM support NFC: fdp: fix incorrect free object nfc: netlink: fix double device reference drop NFC: st21nfca: fix double free qede: fix NULL pointer deref in __qede_remove() ALSA: timer: Fix incorrectly assigned timer instance ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series ALSA: hda/ca0132 - Fix possible workqueue stall mm: thp: handle page cache THP correctly in PageTransCompoundMap mm, vmstat: hide /proc/pagetypeinfo from normal users dump_stack: avoid the livelock of the dump_lock tools: gpio: Use !building_out_of_srctree to determine srctree perf tools: Fix time sorting drm/radeon: fix si_enable_smc_cac() failed issue HID: wacom: generic: Treat serial number and related fields as unsigned arm64: Do not mask out PTE_RDONLY in pte_same() ceph: fix use-after-free in __ceph_remove_cap() ceph: add missing check in d_revalidate snapdir handling iio: adc: stm32-adc: fix stopping dma iio: imu: adis16480: make sure provided frequency is positive iio: srf04: fix wrong limitation in distance measuring netfilter: nf_tables: Align nft_expr private data to 64-bit netfilter: ipset: Fix an error code in ip_set_sockfn_get() intel_th: pci: Add Comet Lake PCH support intel_th: pci: Add Jasper Lake PCH support can: usb_8dev: fix use-after-free on disconnect can: c_can: c_can_poll(): only read status register after status IRQ can: peak_usb: fix a potential out-of-sync while decoding packets can: rx-offload: can_rx_offload_queue_sorted(): fix error handling, avoid skb mem leak can: gs_usb: gs_can_open(): prevent memory leak can: mcba_usb: fix use-after-free on disconnect can: peak_usb: fix slab info leak configfs: Fix bool initialization/comparison configfs: stash the data we need into configfs_buffer at open time configfs_register_group() shouldn't be (and isn't) called in rmdirable parts configfs: new object reprsenting tree fragments configfs: provide exclusion between IO and removals configfs: fix a deadlock in configfs_symlink() usb: dwc3: Allow disabling of metastability workaround mfd: palmas: Assign the right powerhold mask for tps65917 ASoC: tlv320aic31xx: Handle inverted BCLK in non-DSP modes mtd: spi-nor: enable 4B opcodes for mx66l51235l mtd: spi-nor: cadence-quadspi: add a delay in write sequence misc: pci_endpoint_test: Prevent some integer overflows PCI: dra7xx: Add shutdown handler to cleanly turn off clocks misc: pci_endpoint_test: Fix BUG_ON error during pci_disable_msi() mailbox: reset txdone_method TXDONE_BY_POLL if client knows_txdone ASoC: tlv320dac31xx: mark expected switch fall-through ASoC: davinci-mcasp: Handle return value of devm_kasprintf ASoC: davinci: Kill BUG_ON() usage ASoC: davinci-mcasp: Fix an error handling path in 'davinci_mcasp_probe()' i2c: omap: Trigger bus recovery in lockup case cpufreq: ti-cpufreq: add missing of_node_put() ARM: dts: dra7: Disable USB metastability workaround for USB2 sched/fair: Fix low cpu usage with high throttling by removing expiration of cpu-local slices sched/fair: Fix -Wunused-but-set-variable warnings lib/scatterlist: Introduce sgl_alloc() and sgl_free() usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path usbip: stub_rx: fix static checker warning on unnecessary checks usbip: Implement SG support to vhci-hcd and stub driver PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 dmaengine: xilinx_dma: Fix control reg update in vdma_channel_set_config HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring() RDMA/qedr: Fix reported firmware version net/mlx5: prevent memory leak in mlx5_fpga_conn_create_cq scsi: qla2xxx: fixup incorrect usage of host_byte RDMA/uverbs: Prevent potential underflow net: openvswitch: free vport unless register_netdevice() succeeds scsi: lpfc: Honor module parameter lpfc_use_adisc scsi: qla2xxx: Initialized mailbox to prevent driver load failure ipvs: don't ignore errors in case refcounting ip_vs module fails ipvs: move old_secure_tcp into struct netns_ipvs bonding: fix unexpected IFF_BONDING bit unset macsec: fix refcnt leak in module exit routine usb: fsl: Check memory resource before releasing it usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode. usb: gadget: composite: Fix possible double free memory bug usb: gadget: configfs: fix concurrent issue between composite APIs usb: dwc3: remove the call trace of USBx_GFLADJ perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h) USB: Skip endpoints with 0 maxpacket length USB: ldusb: use unsigned size format specifiers RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case scsi: qla2xxx: stop timer in shutdown path fjes: Handle workqueue allocation failure net: hisilicon: Fix "Trying to free already-free IRQ" hv_netvsc: Fix error handling in netvsc_attach() NFSv4: Don't allow a cached open with a revoked delegation net: ethernet: arc: add the missed clk_disable_unprepare igb: Fix constant media auto sense switching when no cable is connected e1000: fix memory leaks x86/apic: Move pending interrupt check code into it's own function x86/apic: Drop logical_smp_processor_id() inline x86/apic/32: Avoid bogus LDR warnings can: flexcan: disable completely the ECC mechanism mm/filemap.c: don't initiate writeback if mapping has no dirty pages cgroup,writeback: don't switch wbs immediately on dead wbs if the memcg is dead usbip: Fix free of unallocated memory in vhci tx net: prevent load/store tearing on sk->sk_stamp drm/i915/gtt: Add read only pages to gen8_pte_encode drm/i915/gtt: Read-only pages for insert_entries on bdw+ drm/i915/gtt: Disable read-only support under GVT drm/i915: Prevent writing into a read-only object via a GGTT mmap drm/i915/cmdparser: Check reg_table_count before derefencing. drm/i915/cmdparser: Do not check past the cmd length. drm/i915: Silence smatch for cmdparser drm/i915: Don't use GPU relocations prior to cmdparser stalls drm/i915: Move engine->needs_cmd_parser to engine->flags drm/i915: Rename gen7 cmdparser tables drm/i915: Disable Secure Batches for gen6+ drm/i915: Remove Master tables from cmdparser drm/i915: Add support for mandatory cmdparsing drm/i915: Support ro ppgtt mapped cmdparser shadow buffers drm/i915: Allow parsing of unsized batches drm/i915: Add gen9 BCS cmdparsing drm/i915/cmdparser: Use explicit goto for error paths drm/i915/cmdparser: Add support for backward jumps drm/i915/cmdparser: Ignore Length operands during command matching drm/i915: Lower RM timeout to avoid DSI hard hangs drm/i915/gen8+: Add RC6 CTX corruption WA drm/i915/cmdparser: Fix jump whitelist clearing KVM: x86: use Intel speculation bugs and features as derived in generic x86 code x86/msr: Add the IA32_TSX_CTRL MSR x86/cpu: Add a helper function x86_read_arch_cap_msr() x86/cpu: Add a "tsx=" cmdline option with TSX disabled by default x86/speculation/taa: Add mitigation for TSX Async Abort x86/speculation/taa: Add sysfs reporting for TSX Async Abort kvm/x86: Export MDS_NO=0 to guests when TSX is enabled x86/tsx: Add "auto" option to the tsx= cmdline parameter x86/speculation/taa: Add documentation for TSX Async Abort x86/tsx: Add config options to set tsx=on|off|auto x86/speculation/taa: Fix printing of TAA_MSG_SMT on IBRS_ALL CPUs x86/bugs: Add ITLB_MULTIHIT bug infrastructure x86/cpu: Add Tremont to the cpu vulnerability whitelist cpu/speculation: Uninline and export CPU mitigations helpers Documentation: Add ITLB_MULTIHIT documentation kvm: x86, powerpc: do not allow clearing largepages debugfs entry kvm: Convert kvm_lock to a mutex kvm: mmu: Do not release the page inside mmu_set_spte() KVM: x86: make FNAME(fetch) and __direct_map more similar KVM: x86: remove now unneeded hugepage gfn adjustment KVM: x86: change kvm_mmu_page_get_gfn BUG_ON to WARN_ON KVM: x86: add tracepoints around __direct_map and FNAME(fetch) KVM: vmx, svm: always run with EFER.NXE=1 when shadow paging is active kvm: mmu: ITLB_MULTIHIT mitigation kvm: Add helper function for creating VM worker threads kvm: x86: mmu: Recovery of shattered NX large pages Linux 4.14.154 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Eric Dumazet
|
3a0018ef96 |
ipvs: move old_secure_tcp into struct netns_ipvs
[ Upstream commit c24b75e0f9239e78105f81c5f03a751641eb07ef ] syzbot reported the following issue : BUG: KCSAN: data-race in update_defense_level / update_defense_level read to 0xffffffff861a6260 of 4 bytes by task 3006 on cpu 1: update_defense_level+0x621/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:177 defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225 process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 worker_thread+0xa0/0x800 kernel/workqueue.c:2415 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 write to 0xffffffff861a6260 of 4 bytes by task 7333 on cpu 0: update_defense_level+0xa62/0xb30 net/netfilter/ipvs/ip_vs_ctl.c:205 defense_work_handler+0x3d/0xd0 net/netfilter/ipvs/ip_vs_ctl.c:225 process_one_work+0x3d4/0x890 kernel/workqueue.c:2269 worker_thread+0xa0/0x800 kernel/workqueue.c:2415 kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 7333 Comm: kworker/0:5 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: events defense_work_handler Indeed, old_secure_tcp is currently a static variable, while it needs to be a per netns variable. Fixes: a0840e2e165a ("IPVS: netns, ip_vs_ctl local vars moved to ipvs struct.") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Davide Caratti
|
78ec9c409e |
ipvs: don't ignore errors in case refcounting ip_vs module fails
[ Upstream commit 62931f59ce9cbabb934a431f48f2f1f441c605ac ] if the IPVS module is removed while the sync daemon is starting, there is a small gap where try_module_get() might fail getting the refcount inside ip_vs_use_count_inc(). Then, the refcounts of IPVS module are unbalanced, and the subsequent call to stop_sync_thread() causes the following splat: WARNING: CPU: 0 PID: 4013 at kernel/module.c:1146 module_put.part.44+0x15b/0x290 Modules linked in: ip_vs(-) nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 veth ip6table_filter ip6_tables iptable_filter binfmt_misc intel_rapl_msr intel_rapl_common crct10dif_pclmul crc32_pclmul ext4 mbcache jbd2 ghash_clmulni_intel snd_hda_codec_generic ledtrig_audio snd_hda_intel snd_intel_nhlt snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd cryptd glue_helper joydev pcspkr snd_timer virtio_balloon snd soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi virtio_net net_failover virtio_blk failover virtio_console qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ata_piix ttm crc32c_intel serio_raw drm virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: nf_defrag_ipv6] CPU: 0 PID: 4013 Comm: modprobe Tainted: G W 5.4.0-rc1.upstream+ #741 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 RIP: 0010:module_put.part.44+0x15b/0x290 Code: 04 25 28 00 00 00 0f 85 18 01 00 00 48 83 c4 68 5b 5d 41 5c 41 5d 41 5e 41 5f c3 89 44 24 28 83 e8 01 89 c5 0f 89 57 ff ff ff <0f> 0b e9 78 ff ff ff 65 8b 1d 67 83 26 4a 89 db be 08 00 00 00 48 RSP: 0018:ffff888050607c78 EFLAGS: 00010297 RAX: 0000000000000003 RBX: ffffffffc1420590 RCX: ffffffffb5db0ef9 RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffffffffc1420590 RBP: 00000000ffffffff R08: fffffbfff82840b3 R09: fffffbfff82840b3 R10: 0000000000000001 R11: fffffbfff82840b2 R12: 1ffff1100a0c0f90 R13: ffffffffc1420200 R14: ffff88804f533300 R15: ffff88804f533ca0 FS: 00007f8ea9720740(0000) GS:ffff888053800000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007f3245abe000 CR3: 000000004c28a006 CR4: 00000000001606f0 Call Trace: stop_sync_thread+0x3a3/0x7c0 [ip_vs] ip_vs_sync_net_cleanup+0x13/0x50 [ip_vs] ops_exit_list.isra.5+0x94/0x140 unregister_pernet_operations+0x29d/0x460 unregister_pernet_device+0x26/0x60 ip_vs_cleanup+0x11/0x38 [ip_vs] __x64_sys_delete_module+0x2d5/0x400 do_syscall_64+0xa5/0x4e0 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f8ea8bf0db7 Code: 73 01 c3 48 8b 0d b9 80 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 b8 b0 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 89 80 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007ffcd38d2fe8 EFLAGS: 00000206 ORIG_RAX: 00000000000000b0 RAX: ffffffffffffffda RBX: 0000000002436240 RCX: 00007f8ea8bf0db7 RDX: 0000000000000000 RSI: 0000000000000800 RDI: 00000000024362a8 RBP: 0000000000000000 R08: 00007f8ea8eba060 R09: 00007f8ea8c658a0 R10: 00007ffcd38d2a60 R11: 0000000000000206 R12: 0000000000000000 R13: 0000000000000001 R14: 00000000024362a8 R15: 0000000000000000 irq event stamp: 4538 hardirqs last enabled at (4537): [<ffffffffb6193dde>] quarantine_put+0x9e/0x170 hardirqs last disabled at (4538): [<ffffffffb5a0556a>] trace_hardirqs_off_thunk+0x1a/0x20 softirqs last enabled at (4522): [<ffffffffb6f8ebe9>] sk_common_release+0x169/0x2d0 softirqs last disabled at (4520): [<ffffffffb6f8eb3e>] sk_common_release+0xbe/0x2d0 Check the return value of ip_vs_use_count_inc() and let its caller return proper error. Inside do_ip_vs_set_ctl() the module is already refcounted, we don't need refcount/derefcount there. Finally, in register_ip_vs_app() and start_sync_thread(), take the module refcount earlier and ensure it's released in the error path. Change since v1: - better return values in case of failure of ip_vs_use_count_inc(), thanks to Julian Anastasov - no need to increase/decrease the module refcount in ip_vs_set_ctl(), thanks to Julian Anastasov Signed-off-by: Davide Caratti <dcaratti@redhat.com> Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Dan Carpenter
|
ef1bf40688 |
netfilter: ipset: Fix an error code in ip_set_sockfn_get()
commit 30b7244d79651460ff114ba8f7987ed94c86b99a upstream.
The copy_to_user() function returns the number of bytes remaining to be
copied. In this code, that positive return is checked at the end of the
function and we return zero/success. What we should do instead is
return -EFAULT.
Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Subash Abhinov Kasiviswanathan
|
0ac69147fd |
ANDROID: nf: IDLETIMER: Fix possible use before initialization in idletimer_resume
idletimer_resume() assumes that the PM_SUSPEND_PREPARE notifier is sent
before PM_POST_SUSPEND so that timer->last_suspend_time is initialized.
However, it is possible for PM_POST_SUSPEND to be sent first if there is an
error returned from another driver's PM_SUSPEND_PREPARE notifier. As a
result, structures are accessed without initialization.
The arguments to set_normalized_timespec are very large and unexpected.
timer->last_suspend_time has the value of
{.tv_sec = 0x6b6b6b6b6b6b6b6b, .tv_nsec=0x6b6b6b6b6b6b6b6b}. Since really
large iterations are required, this operation takes more than a minute
and causes the CPU to trigger a spinbug since the timestamp lock is held.
Call stack -
- set_normalized_timespec
- timespec_sub
- idletimer_resume
- notifier_call_chain
- __blocking_notifier_call_chain
- pm_notifier_call_chain
Add a flag indicating whether the current value of timer->last_suspend is
valid.
Detected with CONFIG_SLUB_DEBUG & CONFIG_DEBUG_SPINLOCK in arm64.
Bug: 140404598
Fixes: f0c2df2b1228a ("ANDROID: netfilter: xt_IDLETIMER: Add new
netlink msg type")
Change-Id: I95328b0ac85dba819ff9cef751c3d07300c232f1
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Todd Kjos <tkjos@google.com>
(cherry picked from commit 7ded4359680d3fb593cbc5c90d84bb5e5083eda9)
|
||
DongJoo Kim
|
8cc417bd38 |
ANDROID: move up spin_unlock_bh() ahead of remove_proc_entry()
It causes BUG because remove_proc_entry may sleep while holding spinlock. BUG: scheduling while atomic: ip6tables-resto/887/0x00000202 [<c0f03f00>] (wait_for_completion) from [<c031b8c8>] (proc_entry_rundown+0x74/0xd0) [<c031b854>] (proc_entry_rundown) from [<c03225c4>] (remove_proc_entry+0xc0/0x18c) [<c0322504>] (remove_proc_entry) from [<c0d656e0>] (quota_mt2_destroy+0x88/0xa8) [<c0d65658>] (quota_mt2_destroy) from [<c0e405f0>] (cleanup_entry+0x6c/0xf0) [<c0e40584>] (cleanup_entry) from [<c0e41400>] (do_replace.constprop.2+0x314/0x438) [<c0e410ec>] (do_replace.constprop.2) from [<c0e41640>] (do_ip6t_set_ctl+0x11c/0x238) [<c0e41524>] (do_ip6t_set_ctl) from [<c0d2e7ec>] (nf_setsockopt+0xd4/0xf0) [<c0d2e718>] (nf_setsockopt) from [<c0e16bb8>] (ipv6_setsockopt+0x90/0xb8) [<c0e16b28>] (ipv6_setsockopt) from [<c0e1e908>] (rawv6_setsockopt+0x54/0x22c) [<c0e1e8b4>] (rawv6_setsockopt) from [<c0cb48dc>] (sock_common_setsockopt+0x28/0x30) [<c0cb48b4>] (sock_common_setsockopt) from [<c0cb3ac8>] (SyS_setsockopt+0xb8/0x110) [<c0cb3a10>] (SyS_setsockopt) from [<c01094e0>] (ret_fast_syscall+0x0/0x48) This is a fix for an Android specific feature which was imported from unofficial upstream (xtables-addons), which also has the same issue: https://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/extensions/xt_quota2.c#l235 After this change the proc entry may now be removed later, when we're already adding another one, potentially with the same name, this will simply fail during creation, see error path for this at: https://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/extensions/xt_quota2.c#l179 Bug: 143092160 Signed-off-by: Maciej Żenczykowski <maze@google.com> Signed-off-by: DongJoo Kim <micomx@gmail.com> Change-Id: I3ff3883738353785f5792c5f06bf6b72985c4c68 |
||
|
Greg Kroah-Hartman
|
1d75f58e4e |
This is the 4.14.149 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl2gq2oACgkQONu9yGCS aT73vhAAqtCzbCmmWPIUTjyUQ+ntD1EeBrCvlNf0uMqqAAtY4r5QetfcqEDUAKlW S+nGYC7ZRz7YWZKN7EplwBXldnQe0AQdavFeycoCT0Xfem+M/UbVOi0rZvrTXv7w fVM7XDbXIxIi0uluYx67Sa/qdAVEJqg2d+VCh/4Hz8KBADf95KYpTvA1XgWs2xni ztFpRS/1MW+zmILAS32TlTczdq+J+WEf+dEwboKBkgAgdYbNHD38GWEthXDQE0V/ rmmURpPV5Mj4mJ3fBY3D0/zg0mvJLvhd0EMa3AgfaEXAgxbKP8K7mVJrMD49p45Q iMSvKFKEIdE+wKdtJvG7yorrnHTzwdIZdLAHoi+OS4HCMnv34xtH39MDCLTV43mF vdjaB3a8WMij1QyQD0kDh0fFmFEzgaN3kr4HYE7RBVvmN/TtFOZySlcapp/lLp+r mqNOA/GtBHzE1BggZ6rO/FKg/t/MMLV2vpcnZzWvWFt5ecdchXPqJSowDI+HbVma 0dpMD60tcUTU3yyW6fL8AbX5/gObs6GZ1P6TsDO49hnj0VhUBwaDOTFIOguFv5nT fkV0gq3DgjmMkfOgAnetnRUI6WHcDs+oPoaz7/cmNGCP9wxEpVElhxw7QFmWE92K BN1mhi8hhNpuJqY3XCAZ9fL/FgBOwAe8o89CUYIVZy/mOCqtu4w= =M5Rv -----END PGP SIGNATURE----- Merge 4.14.149 into android-4.14 Changes in 4.14.149 s390/process: avoid potential reading of freed stack KVM: s390: Test for bad access register and size at the start of S390_MEM_OP s390/topology: avoid firing events before kobjs are created s390/cio: avoid calling strlen on null pointer s390/cio: exclude subchannels with no parent from pseudo check KVM: PPC: Book3S HV: Don't lose pending doorbell request on migration on P9 KVM: nVMX: handle page fault in vmread fix PM / devfreq: tegra: Fix kHz to Hz conversion ASoC: Define a set of DAPM pre/post-up events powerpc/powernv: Restrict OPAL symbol map to only be readable by root can: mcp251x: mcp251x_hw_reset(): allow more time after a reset tools lib traceevent: Fix "robust" test of do_generate_dynamic_list_file crypto: qat - Silence smp_processor_id() warning crypto: skcipher - Unmap pages after an external error crypto: cavium/zip - Add missing single_release() crypto: caam - fix concurrency issue in givencrypt descriptor usercopy: Avoid HIGHMEM pfn warning timer: Read jiffies once when forwarding base clk watchdog: imx2_wdt: fix min() calculation in imx2_wdt_set_timeout drm/omap: fix max fclk divider for omap36xx mmc: sdhci: improve ADMA error reporting mmc: sdhci-of-esdhc: set DMA snooping based on DMA coherence Revert "locking/pvqspinlock: Don't wait if vCPU is preempted" xen/xenbus: fix self-deadlock after killing user process ieee802154: atusb: fix use-after-free at disconnect cfg80211: initialize on-stack chandefs ima: always return negative code for error fs: nfs: Fix possible null-pointer dereferences in encode_attrs() 9p: avoid attaching writeback_fid on mmap with type PRIVATE xen/pci: reserve MCFG areas earlier ceph: fix directories inode i_blkbits initialization ceph: reconnect connection if session hang in opening state watchdog: aspeed: Add support for AST2600 netfilter: nf_tables: allow lookups in dynamic sets drm/amdgpu: Check for valid number of registers to read pNFS: Ensure we do clear the return-on-close layout stateid on fatal errors pwm: stm32-lp: Add check in case requested period cannot be achieved thermal: Fix use-after-free when unregistering thermal zone device fuse: fix memleak in cuse_channel_open sched/core: Fix migration to invalid CPU in __set_cpus_allowed_ptr() perf build: Add detection of java-11-openjdk-devel package kernel/elfcore.c: include proper prototypes perf unwind: Fix libunwind build failure on i386 systems KVM: PPC: Book3S HV: XIVE: Free escalation interrupts before disabling the VP nbd: fix crash when the blksize is zero block/ndb: add WQ_UNBOUND to the knbd-recv workqueue nbd: fix max number of supported devs powerpc/pseries: Fix cpu_hotplug_lock acquisition in resize_hpt() tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure tick: broadcast-hrtimer: Fix a race in bc_set_next perf tools: Fix segfault in cpu_cache_level__read() perf stat: Fix a segmentation fault when using repeat forever perf stat: Reset previous counts on repeat with interval vfs: Fix EOVERFLOW testing in put_compat_statfs64 coresight: etm4x: Use explicit barriers on enable/disable cfg80211: add and use strongly typed element iteration macros cfg80211: Use const more consistently in for_each_element macros nl80211: validate beacon head ASoC: sgtl5000: Improve VAG power and mute control Linux 4.14.149 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Florian Westphal
|
7059ce3126 |
netfilter: nf_tables: allow lookups in dynamic sets
[ Upstream commit acab713177377d9e0889c46bac7ff0cfb9a90c4d ]
This un-breaks lookups in sets that have the 'dynamic' flag set.
Given this active example configuration:
table filter {
set set1 {
type ipv4_addr
size 64
flags dynamic,timeout
timeout 1m
}
chain input {
type filter hook input priority 0; policy accept;
}
}
... this works:
nft add rule ip filter input add @set1 { ip saddr }
-> whenever rule is triggered, the source ip address is inserted
into the set (if it did not exist).
This won't work:
nft add rule ip filter input ip saddr @set1 counter
Error: Could not process rule: Operation not supported
In other words, we can add entries to the set, but then can't make
matching decision based on that set.
That is just wrong -- all set backends support lookups (else they would
not be very useful).
The failure comes from an explicit rejection in nft_lookup.c.
Looking at the history, it seems like NFT_SET_EVAL used to mean
'set contains expressions' (aka. "is a meter"), for instance something like
nft add rule ip filter input meter example { ip saddr limit rate 10/second }
or
nft add rule ip filter input meter example { ip saddr counter }
The actual meaning of NFT_SET_EVAL however, is
'set can be updated from the packet path'.
'meters' and packet-path insertions into sets, such as
'add @set { ip saddr }' use exactly the same kernel code (nft_dynset.c)
and thus require a set backend that provides the ->update() function.
The only set that provides this also is the only one that has the
NFT_SET_EVAL feature flag.
Removing the wrong check makes the above example work.
While at it, also fix the flag check during set instantiation to
allow supported combinations only.
Fixes: 8aeff920dcc9b3f ("netfilter: nf_tables: add stateful object reference to set elements")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Sami Tolvanen
|
82b2a4a52e |
UPSTREAM: netfilter: xt_IDLETIMER: fix sysfs callback function type
Use struct device_attribute instead of struct idletimer_tg_attr, and the correct callback function type to avoid indirect call mismatches with Control Flow Integrity checking. Bug: 117299373 Change-Id: I5cc50171e01a5162ef504a726fe3ed4b51941b34 (cherry-picked from commit 20fdaf6e1e313b4efa48243d5250526eb43ea70d) Signed-off-by: Sami Tolvanen <samitolvanen@google.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
|
Greg Kroah-Hartman
|
8ae37de3fa |
This is the 4.14.146 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl2FsgQACgkQONu9yGCS aT5cqBAAt79gKhHGSTQc3bIo64G1y2lzab0hY63M+8sReTqUmNX78I2UqoDBkPvS TM5S9445v7GbpnUYJcxO9TXFkoAILI33GG+Qwod3rG9wEOhd6gp1t4dom1Q8acKW x1kGze7gt63VGGWLXnXNf8ua8QqBqmMHxkALuDBh3AWgERm4CRSmUR5oTMmA582o WD5E/mPqMl5GFtI3Tl7f9K8B1760brtlqcYDYpItxjXjRIaKYMgrOIeB0rer0FwE QX7P2Q8QWEuFAhkvZhRSKazjYpBMsdEwp8aUMD4FGvwauoE9qjY01WbZoSqtqT6f 1NmV7pDdt1+43T9udwbUZVNgAOTXdDFdeWdMsn7W7J2A9yhqGFr2NCeChcuHu9c7 Qlg8tvbhSCODv8a/+9RAg8hd4iDSbkGCP8DUIYTIsUc7/D2BGjKkWdMEfq7cXUZN kp8RmhQSwuvwDxGshVQ9oEXO+7UE2qdyw6rV4UlNJ2SQU5eprBdW5QGAYcfv9XcC m9QVyGP3lWgy5HFev90cl+vQcCyxZqZln0F7/35IQvPlwy6uxmYIjSacH8VZQHAo qP0Fr3P/5GtEpHnDdUMgELQEa0xE8tlsa/8XptZu9AK/7cPbCprQMOLDzagnloNW urtlav2YwFwJiSd5h2lqANBLPKdLh98WhGpukJQR+Onb7Ji0aPc= =5DVD -----END PGP SIGNATURE----- Merge 4.14.146 into android-4.14 Changes in 4.14.146 HID: wacom: generic: read HID_DG_CONTACTMAX from any feature report Input: elan_i2c - remove Lenovo Legion Y7000 PnpID powerpc/mm/radix: Use the right page size for vmemmap mapping USB: usbcore: Fix slab-out-of-bounds bug during device reset phy: renesas: rcar-gen3-usb2: Disable clearing VBUS in over-current media: tm6000: double free if usb disconnect while streaming xen-netfront: do not assume sk_buff_head list is empty in error handling net_sched: let qdisc_put() accept NULL pointer KVM: coalesced_mmio: add bounds checking firmware: google: check if size is valid when decoding VPD data serial: sprd: correct the wrong sequence of arguments tty/serial: atmel: reschedule TX after RX was started mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings nl80211: Fix possible Spectre-v1 for CQM RSSI thresholds ARM: OMAP2+: Fix missing SYSC_HAS_RESET_STATUS for dra7 epwmss s390/bpf: fix lcgr instruction encoding ARM: OMAP2+: Fix omap4 errata warning on other SoCs ARM: dts: dra74x: Fix iodelay configuration for mmc3 s390/bpf: use 32-bit index for tail calls fpga: altera-ps-spi: Fix getting of optional confd gpio netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info NFSv4: Fix return values for nfs4_file_open() NFSv4: Fix return value in nfs_finish_open() NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105 qed: Add cleanup in qed_slowpath_start() ARM: 8874/1: mm: only adjust sections of valid mm structures batman-adv: Only read OGM2 tvlv_len after buffer len check r8152: Set memory to all 0xFFs on failed reg reads x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines netfilter: nf_conntrack_ftp: Fix debug output NFSv2: Fix eof handling NFSv2: Fix write regression kallsyms: Don't let kallsyms_lookup_size_offset() fail on retrieving the first symbol cifs: set domainName when a domain-key is used in multiuser cifs: Use kzfree() to zero out the password ARM: 8901/1: add a criteria for pfn_valid of arm sky2: Disable MSI on yet another ASUS boards (P6Xxxx) i2c: designware: Synchronize IRQs when unregistering slave client perf/x86/intel: Restrict period on Nehalem perf/x86/amd/ibs: Fix sample bias for dispatched micro-ops amd-xgbe: Fix error path in xgbe_mod_init() tools/power x86_energy_perf_policy: Fix "uninitialized variable" warnings at -O2 tools/power x86_energy_perf_policy: Fix argument parsing tools/power turbostat: fix buffer overrun net: seeq: Fix the function used to release some memory in an error handling path dmaengine: ti: dma-crossbar: Fix a memory leak bug dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe() x86/uaccess: Don't leak the AC flags into __get_user() argument evaluation x86/hyper-v: Fix overflow bug in fill_gva_list() keys: Fix missing null pointer check in request_key_auth_describe() iommu/amd: Flush old domains in kdump kernel iommu/amd: Fix race in increase_address_space() PCI: kirin: Fix section mismatch warning floppy: fix usercopy direction binfmt_elf: move brk out of mmap when doing direct loader exec tcp: Reset send_head when removing skb from write-queue tcp: Don't dequeue SYN/FIN-segments from write-queue media: technisat-usb2: break out of loop at end of buffer Linux 4.14.146 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Thomas Jarosch
|
01b7134efc |
netfilter: nf_conntrack_ftp: Fix debug output
[ Upstream commit 3a069024d371125227de3ac8fa74223fcf473520 ] The find_pattern() debug output was printing the 'skip' character. This can be a NULL-byte and messes up further pr_debug() output. Output without the fix: kernel: nf_conntrack_ftp: Pattern matches! kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8 kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8 Output with the fix: kernel: nf_conntrack_ftp: Pattern matches! kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter! kernel: nf_conntrack_ftp: Match succeeded! kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645) kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8 Signed-off-by: Thomas Jarosch <thomas.jarosch@intra2net.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Juliana Rodrigueiro
|
a46102f47d |
netfilter: xt_nfacct: Fix alignment mismatch in xt_nfacct_match_info
[ Upstream commit 89a26cd4b501e9511d3cd3d22327fc76a75a38b3 ]
When running a 64-bit kernel with a 32-bit iptables binary, the size of
the xt_nfacct_match_info struct diverges.
kernel: sizeof(struct xt_nfacct_match_info) : 40
iptables: sizeof(struct xt_nfacct_match_info)) : 36
Trying to append nfacct related rules results in an unhelpful message.
Although it is suggested to look for more information in dmesg, nothing
can be found there.
# iptables -A <chain> -m nfacct --nfacct-name <acct-object>
iptables: Invalid argument. Run `dmesg' for more information.
This patch fixes the memory misalignment by enforcing 8-byte alignment
within the struct's first revision. This solution is often used in many
other uapi netfilter headers.
Signed-off-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
54236917c6 |
This is the 4.14.141 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1ncE8ACgkQONu9yGCS aT4ByhAAw7Hla9CzERWJZsKWrWB9sMV4869VX2SrKghFKNXUHeFQmqY8NoXQHEFs P7zAeJnDnUbWreTd3ZFdpPOEYbJvJ9J9+9/CNgsodOynDI4uURfwfTnqDvNxfo8P PwxtXiqSe6p3L5rlCN1YF6VruV86RfjEeluQXExb4CVFoA4WLnOhVOLYiDEKLCvz HHUFmYO46O8Vw8kyPhPWlhVLndIM6fXLm3VQNDvacfalkMQPy1Sde65z3AZUqZVn oq4OnqkIWAcn6NEaUyyIohM0WLlNkyzGVVHsK2DJCsGTzb19AN0sGwMGJrIdeJaa DZLPCY6BNMNAN6W6yWfykQ3Q2yESYVGgz0uGdHANl4LNQgoKk5IX/uKpM2udyFA/ c+mYhaH8ieYE+a7O9PY+ZRbVNl2Q3fgdpU+WzofHpnmpTEApfPcC9rrf+rkd4ye3 JuaMgpjedNUkYXW86Dpnc1CAOO/BDDHXSXSN7Kr9zdX574k9tscf79EoySKNEuZ+ AFkw8kaWZPi7K4huPtRTCzEhDEazdEoMx3fWOeeciTwO3LkgV9hrssBeCkIZIB4d JEmAVH2DVD0SZLNLmMH1DIpUNaSPSDwA7IIByyMV3qU/7iepEWj6RTHyT1w6N6Yk bOC2bzD7oA853+ACdHJxHK+gHWCIfC/0KuVocTCoOE7Du0OChZ0= =TgrQ -----END PGP SIGNATURE----- Merge 4.14.141 into android-4.14 Changes in 4.14.141 HID: Add 044f:b320 ThrustMaster, Inc. 2 in 1 DT MIPS: kernel: only use i8253 clocksource with periodic clockevent mips: fix cacheinfo netfilter: ebtables: fix a memory leak bug in compat ASoC: dapm: Fix handling of custom_stop_condition on DAPM graph walks bonding: Force slave speed check after link state recovery for 802.3ad can: dev: call netif_carrier_off() in register_candev() ASoC: Fail card instantiation if DAI format setup fails st21nfca_connectivity_event_received: null check the allocation st_nci_hci_connectivity_event_received: null check the allocation ASoC: ti: davinci-mcasp: Correct slot_width posed constraint net: usb: qmi_wwan: Add the BroadMobi BM818 card qed: RDMA - Fix the hw_ver returned in device attributes isdn: mISDN: hfcsusb: Fix possible null-pointer dereferences in start_isoc_chain() netfilter: ipset: Fix rename concurrency with listing isdn: hfcsusb: Fix mISDN driver crash caused by transfer buffer on the stack perf bench numa: Fix cpu0 binding can: sja1000: force the string buffer NULL-terminated can: peak_usb: force the string buffer NULL-terminated net/ethernet/qlogic/qed: force the string buffer NULL-terminated NFSv4: Fix a potential sleep while atomic in nfs4_do_reclaim() HID: input: fix a4tech horizontal wheel custom usage SMB3: Kernel oops mounting a encryptData share with CONFIG_DEBUG_VIRTUAL net: cxgb3_main: Fix a resource leak in a error path in 'init_one()' net: hisilicon: make hip04_tx_reclaim non-reentrant net: hisilicon: fix hip04-xmit never return TX_BUSY net: hisilicon: Fix dma_map_single failed on arm64 libata: have ata_scsi_rw_xlat() fail invalid passthrough requests libata: add SG safety checks in SFF pio transfers x86/lib/cpu: Address missing prototypes warning drm/vmwgfx: fix memory leak when too many retries have occurred perf ftrace: Fix failure to set cpumask when only one cpu is present perf cpumap: Fix writing to illegal memory in handling cpumap mask perf pmu-events: Fix missing "cpu_clk_unhalted.core" event selftests: kvm: Adding config fragments HID: wacom: correct misreported EKR ring values HID: wacom: Correct distance scale for 2nd-gen Intuos devices Revert "dm bufio: fix deadlock with loop device" ceph: don't try fill file_lock on unsuccessful GETFILELOCK reply libceph: fix PG split vs OSD (re)connect race drm/nouveau: Don't retry infinitely when receiving no data on i2c over AUX gpiolib: never report open-drain/source lines as 'input' to user-space userfaultfd_release: always remove uffd flags and clear vm_userfaultfd_ctx x86/retpoline: Don't clobber RFLAGS during CALL_NOSPEC on i386 x86/apic: Handle missing global clockevent gracefully x86/CPU/AMD: Clear RDRAND CPUID bit on AMD family 15h/16h x86/boot: Save fields explicitly, zero out everything else x86/boot: Fix boot regression caused by bootparam sanitizing dm kcopyd: always complete failed jobs dm btree: fix order of block initialization in btree_split_beneath dm space map metadata: fix missing store of apply_bops() return value dm table: fix invalid memory accesses with too high sector number dm zoned: improve error handling in reclaim dm zoned: improve error handling in i/o map code dm zoned: properly handle backing device failure genirq: Properly pair kobject_del() with kobject_add() mm, page_owner: handle THP splits correctly mm/zsmalloc.c: migration can leave pages in ZS_EMPTY indefinitely mm/zsmalloc.c: fix race condition in zs_destroy_pool xfs: fix missing ILOCK unlock when xfs_setattr_nonsize fails due to EDQUOT dm zoned: fix potential NULL dereference in dmz_do_reclaim() powerpc: Allow flush_(inval_)dcache_range to work across ranges >4GB Revert "perf test 6: Fix missing kvm module load for s390" Linux 4.14.141 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Jozsef Kadlecsik
|
aa79a247cb |
netfilter: ipset: Fix rename concurrency with listing
[ Upstream commit 6c1f7e2c1b96ab9b09ac97c4df2bd9dc327206f6 ] Shijie Luo reported that when stress-testing ipset with multiple concurrent create, rename, flush, list, destroy commands, it can result ipset <version>: Broken LIST kernel message: missing DATA part! error messages and broken list results. The problem was the rename operation was not properly handled with respect of listing. The patch fixes the issue. Reported-by: Shijie Luo <luoshijie1@huawei.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
f5189d4af2 |
This is the 4.14.140 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1iS9UACgkQONu9yGCS aT69qBAAxcqiiC4Mww7maN3wrJztZQiShKr2d/6B+koVBhG289fUQRcqrU4aDtaB Odf8NZPi19WaZM3dAdP2ReTCbUM7sVPHFTiwBhnba1dKyIeZmjOMxaCtxdGRVHs3 DLDcUT874nx4EHrQoRQErJeZeyQQ3KytXmfqJKFyhplX0fDt6w2E/g1ZZpcngpNH S8KAmfy2WWcauguPJ8RGugSvn+3YC6TMerz96vNNiiPr3np0oVIsbVmo81/sKApK dPKZ2qn4l7fYNIKfDxFnnbxBNoPvd35i0CsHxhB3dX/EYGp3ARHDWclMC8e1G+bp M8dicq/Ew7AfQoVQcLZD13eBTEk8iyAAeAmMoP9OlxkrOx2V2dNyMZG6bjAgosXx /39MP68tQMchSmCjK95KbPX1EN5jHeG97weP3Fqtf8NIG8K0gLUgHJidG+8J2H94 grPZD/w78HgYOqVVsF5v4qX9B8QcSuH4PzQ7mhoksJiW+X/TlIAI6GwbUsoXw6cu mYLgTr9hd/ZAGF6VQGNHAZ2UZfg377bN8hCXRWZay/t9JOZiqMJAOSjNAs+hL2LT fbHqmKnHF92mB0v+jEn7mJXuAhHQ3wCU314ZO/zk9sxLFp/caUbV+b+1oXlTGwq7 JMeRjrxrAKVfHgPgkhcWc9bTq9MhjZ4j7GypsBMxLbIqnlU8gzE= =9QYX -----END PGP SIGNATURE----- Merge 4.14.140 into android-4.14 Changes in 4.14.140 scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA sh: kernel: hw_breakpoint: Fix missing break in switch statement mm/usercopy: use memory range to be accessed for wraparound check mm/memcontrol.c: fix use after free in mem_cgroup_iter() bpf: get rid of pure_initcall dependency to enable jits bpf: restrict access to core bpf sysctls bpf: add bpf_jit_limit knob to restrict unpriv allocations x86/mm: Use WRITE_ONCE() when setting PTEs xtensa: add missing isync to the cpu_reset TLB code ALSA: hda - Apply workaround for another AMD chip 1022:1487 ALSA: hda - Fix a memory leak bug ALSA: hda - Add a generic reboot_notify ALSA: hda - Let all conexant codec enter D3 when rebooting HID: holtek: test for sanity of intfdata HID: hiddev: avoid opening a disconnected device HID: hiddev: do cleanup in failure of opening a device Input: kbtab - sanity check for endpoint type Input: iforce - add sanity checks net: usb: pegasus: fix improper read if get_registers() fail netfilter: ebtables: also count base chain policies clk: at91: generated: Truncate divisor to GENERATED_MAX_DIV + 1 clk: renesas: cpg-mssr: Fix reset control race condition xen/pciback: remove set but not used variable 'old_state' irqchip/gic-v3-its: Free unused vpt_page when alloc vpe table fail irqchip/irq-imx-gpcv2: Forward irq type to parent perf header: Fix divide by zero error if f_header.attr_size==0 perf header: Fix use of unitialized value warning libata: zpodd: Fix small read overflow in zpodd_get_mech_type() drm/bridge: lvds-encoder: Fix build error while CONFIG_DRM_KMS_HELPER=m scsi: hpsa: correct scsi command status issue after reset scsi: qla2xxx: Fix possible fcport null-pointer dereferences ata: libahci: do not complain in case of deferred probe kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external modules arm64/efi: fix variable 'si' set but not used arm64: unwind: Prohibit probing on return_address() arm64/mm: fix variable 'pud' set but not used IB/core: Add mitigation for Spectre V1 IB/mad: Fix use-after-free in ib mad completion handling drm: msm: Fix add_gpu_components ocfs2: remove set but not used variable 'last_hash' asm-generic: fix -Wtype-limits compiler warnings KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block staging: comedi: dt3000: Fix signed integer overflow 'divider * base' staging: comedi: dt3000: Fix rounding up of timer divisor iio: adc: max9611: Fix temperature reading in probe USB: core: Fix races in character device registration and deregistraion usb: gadget: udc: renesas_usb3: Fix sysfs interface of "role" usb: cdc-acm: make sure a refcount is taken early enough USB: CDC: fix sanity checks in CDC union parser USB: serial: option: add D-Link DWM-222 device ID USB: serial: option: Add support for ZTE MF871A USB: serial: option: add the BroadMobi BM818 card USB: serial: option: Add Motorola modem UARTs bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K Revert "tcp: Clear sk_send_head after purging the write queue" arm64: compat: Allow single-byte watchpoints on all addresses arm64: ftrace: Ensure module ftrace trampoline is coherent with I-side netfilter: conntrack: Use consistent ct id hash calculation Input: psmouse - fix build error of multiple definition iommu/amd: Move iommu_init_pci() to .init section bnx2x: Fix VF's VLAN reconfiguration in reload. net/mlx4_en: fix a memory leak bug net/packet: fix race in tpacket_snd() sctp: fix the transport error_count check xen/netback: Reset nr_frags before freeing skb net/mlx5e: Only support tx/rx pause setting for port owner net/mlx5e: Use flow keys dissector to parse packets for ARFS team: Add vlan tx offload to hw_enc_features bonding: Add vlan tx offload to hw_enc_features mmc: sdhci-of-arasan: Do now show error message in case of deffered probe xfrm: policy: remove pcpu policy cache Linux 4.14.140 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Dirk Morris
|
b6a1dc4dbe |
netfilter: conntrack: Use consistent ct id hash calculation
commit 656c8e9cc1badbc18eefe6ba01d33ebbcae61b9a upstream.
Change ct id hash calculation to only use invariants.
Currently the ct id hash calculation is based on some fields that can
change in the lifetime on a conntrack entry in some corner cases. The
current hash uses the whole tuple which contains an hlist pointer which
will change when the conntrack is placed on the dying list resulting in
a ct id change.
This patch also removes the reply-side tuple and extension pointer from
the hash calculation so that the ct id will will not change from
initialization until confirmation.
Fixes: 3c79107631db1f7 ("netfilter: ctnetlink: don't use conntrack/expect object addresses as id")
Signed-off-by: Dirk Morris <dmorris@metaloft.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
6115e5154b |
This is the 4.14.139 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1WZccACgkQONu9yGCS aT7qIhAAhpP3n0wSBKDqVgnEFcF78/s9PW7fiNmS7rbXaPeM18jryluB0yJWDQpU hwirKYVVNUMNu7UclmWon3UrKQLmVtqkFfK337bDS3F+qX/B44z9+6KTkik2SkX4 qX6UymmJtf1vnxYJ1Tn1c0Zs8F2KMsOG+xk8VyfulOc4bDyLdf5Yp/yhmkwTSABv OvEQIGHOYIsJHJJZDlME6NCKLQ697nL2+GKTPOoikI69mW5wervDiK88KfOKrQoY S7HoHPkYk2DrWVEp/uvWUSqnFHTK6855J8kjRINcsMpujeHtAokDrztCmh7S5iIm +4Z0s3ikcGW2PF8cRt4lAsA8ILWmQ9a14pSxu/iB73E92MaiCYAlo1Yp+55ZDHfw 0q8M/T2ZDsV9+hfL+rwPs/BeToEm5Al/8CatfbFbK5R9I0UTcqHc5cj6nWPrCp5h 2fSxe3kwJo84vamEa/q9OBSEnl6JRcXa2hr06JQvDPJ2dDWrJk2Va/vDLbQTPGnP 5eJSwxgQXDTq6nB0Re+2YuRIrLWe3HUiVd7GsjQ/gFRwjOL0/6IxjTmuG8avXXsx /uBE50LxjdV4rxS4iA52qhBtCepPJazZe1/NPaI9TId51uunBpMvrC5FIkRldmun VFm1w58HzTf9DgMVOUwkkTIBIFWeJ7Mi8Kdgq2TwvtnnxdpL4U0= =BsL1 -----END PGP SIGNATURE----- Merge 4.14.139 into android-4.14 Changes in 4.14.139 iio: adc: max9611: Fix misuse of GENMASK macro crypto: ccp - Fix oops by properly managing allocated structures crypto: ccp - Ignore tag length when decrypting GCM ciphertext usb: usbfs: fix double-free of usb memory upon submiturb error usb: iowarrior: fix deadlock on disconnect sound: fix a memory leak bug mmc: cavium: Set the correct dma max segment size for mmc_host mmc: cavium: Add the missing dma unmap when the dma has finished. loop: set PF_MEMALLOC_NOIO for the worker thread Input: synaptics - enable RMI mode for HP Spectre X360 lkdtm: support llvm-objcopy crypto: ccp - Validate buffer lengths for copy operations crypto: ccp - Add support for valid authsize values less than 16 tcp: Clear sk_send_head after purging the write queue x86/mm: Check for pfn instead of page in vmalloc_sync_one() x86/mm: Sync also unmappings in vmalloc_sync_all() mm/vmalloc: Sync unmappings in __purge_vmap_area_lazy() perf annotate: Fix s390 gap between kernel end and module start perf db-export: Fix thread__exec_comm() perf record: Fix module size on s390 usb: host: xhci-rcar: Fix timeout in xhci_suspend() usb: yurex: Fix use-after-free in yurex_delete can: rcar_canfd: fix possible IRQ storm on high load can: peak_usb: fix potential double kfree_skb() netfilter: nfnetlink: avoid deadlock due to synchronous request_module vfio-ccw: Set pa_nr to 0 if memory allocation fails for pa_iova_pfn netfilter: Fix rpfilter dropping vrf packets by mistake netfilter: nft_hash: fix symhash with modulus one scripts/sphinx-pre-install: fix script for RHEL/CentOS iscsi_ibft: make ISCSI_IBFT dependson ACPI instead of ISCSI_IBFT_FIND mac80211: don't warn about CW params when not using them hwmon: (nct6775) Fix register address and added missed tolerance for nct6106 drm: silence variable 'conn' set but not used cpufreq/pasemi: fix use-after-free in pas_cpufreq_cpu_init() s390/qdio: add sanity checks to the fast-requeue path ALSA: compress: Fix regression on compressed capture streams ALSA: compress: Prevent bypasses of set_params ALSA: compress: Don't allow paritial drain operations on capture streams ALSA: compress: Be more restrictive about when a drain is allowed perf tools: Fix proper buffer size for feature processing perf probe: Avoid calling freeing routine multiple times for same pointer drbd: dynamically allocate shash descriptor ACPI/IORT: Fix off-by-one check in iort_dev_find_its_id() ARM: davinci: fix sleep.S build error on ARMv4 scsi: megaraid_sas: fix panic on loading firmware crashdump scsi: ibmvfc: fix WARN_ON during event pool release scsi: scsi_dh_alua: always use a 2 second delay before retrying RTPG test_firmware: fix a memory leak bug tty/ldsem, locking/rwsem: Add missing ACQUIRE to read_failed sleep loop perf/core: Fix creating kernel counters for PMUs that override event->cpu HID: sony: Fix race condition between rumble and device remove. can: peak_usb: pcan_usb_pro: Fix info-leaks to USB devices can: peak_usb: pcan_usb_fd: Fix info-leaks to USB devices hwmon: (nct7802) Fix wrong detection of in4 presence drm/i915: Fix wrong escape clock divisor init for GLK ALSA: firewire: fix a memory leak bug ALSA: hda - Don't override global PCM hw info flag ALSA: hda - Workaround for crackled sound on AMD controller (1022:1457) mac80211: don't WARN on short WMM parameters from AP SMB3: Fix deadlock in validate negotiate hits reconnect smb3: send CAP_DFS capability during session setup NFSv4: Only pass the delegation to setattr if we're sending a truncate NFSv4: Fix an Oops in nfs4_do_setattr KVM: Fix leak vCPU's VMCS value into other pCPU mwifiex: fix 802.11n/WPA detection iwlwifi: don't unmap as page memory that was mapped as single iwlwifi: mvm: fix an out-of-bound access iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT on version < 41 iwlwifi: mvm: fix version check for GEO_TX_POWER_LIMIT support Linux 4.14.139 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Laura Garcia Liebana
|
628272f3f3 |
netfilter: nft_hash: fix symhash with modulus one
[ Upstream commit 28b1d6ef53e3303b90ca8924bb78f31fa527cafb ]
The rule below doesn't work as the kernel raises -ERANGE.
nft add rule netdev nftlb lb01 ip daddr set \
symhash mod 1 map { 0 : 192.168.0.10 } fwd to "eth0"
This patch allows to use the symhash modulus with one
element, in the same way that the other types of hashes and
algorithms that uses the modulus parameter.
Signed-off-by: Laura Garcia Liebana <nevola@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Florian Westphal
|
7a26884462 |
netfilter: nfnetlink: avoid deadlock due to synchronous request_module
[ Upstream commit 1b0890cd60829bd51455dc5ad689ed58c4408227 ]
Thomas and Juliana report a deadlock when running:
(rmmod nf_conntrack_netlink/xfrm_user)
conntrack -e NEW -E &
modprobe -v xfrm_user
They provided following analysis:
conntrack -e NEW -E
netlink_bind()
netlink_lock_table() -> increases "nl_table_users"
nfnetlink_bind()
# does not unlock the table as it's locked by netlink_bind()
__request_module()
call_usermodehelper_exec()
This triggers "modprobe nf_conntrack_netlink" from kernel, netlink_bind()
won't return until modprobe process is done.
"modprobe xfrm_user":
xfrm_user_init()
register_pernet_subsys()
-> grab pernet_ops_rwsem
..
netlink_table_grab()
calls schedule() as "nl_table_users" is non-zero
so modprobe is blocked because netlink_bind() increased
nl_table_users while also holding pernet_ops_rwsem.
"modprobe nf_conntrack_netlink" runs and inits nf_conntrack_netlink:
ctnetlink_init()
register_pernet_subsys()
-> blocks on "pernet_ops_rwsem" thanks to xfrm_user module
both modprobe processes wait on one another -- neither can make
progress.
Switch netlink_bind() to "nowait" modprobe -- this releases the netlink
table lock, which then allows both modprobe instances to complete.
Reported-by: Thomas Jarosch <thomas.jarosch@intra2net.com>
Reported-by: Juliana Rodrigueiro <juliana.rodrigueiro@intra2net.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
a5847ae74b |
This is the 4.14.135 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1BJxsACgkQONu9yGCS
aT4wBxAAymuWVXtmeWFQSFNji/RAJcHBAOvydIRMr7vwCXpojuRerNolo7WibM/B
Mgx2OISn0d8rg98Cc3wiM6WUN9AeHr3lSWXORg3iBr0zP+ZO5Vs0Y2w9gueEJS+i
egMvi2KZyS3Esrfmxv62pJ9DIVqyPVlvzN/Y79BARcwIeZOt+puycR5XV3WROzX9
Wy2JBz5f56m9qzPGKXGRLlvq7LghZ5EbyFoIb/fj9K6pFdVBrpSEOeocCQos9IEz
0+1TiWAkqOGLGZWJ3CFW/6Nbn1JO3hZpIgqxVczZXR+4UVhR+yniHUzZ20g89DzE
mmprjKGv/8/7pXyXtGhjXuaZN5r1ldUje5SZf1X7SzxLuABSKIHykYJjKUQY2O3b
8tpPULGA77V7Ww4TtyRLeOVPqaVslWFgLP6snyileSdoxfISebo2KptQn0pmuFX2
Y0ePPot/aHHXmhrn5mAY9UZO9etqko8LjvVHDOsQQ99GJJ1BAz73w+wkKDtHXGuo
iqUlSSW2YpThnAkufUlyhk10y6itGmy0P7GSrw8PCd9As2/LAz6c9+8+NPp/2P2Z
Ffl2q7eUCqb0HixAnq5KqcPDSVdyqVtQ7XeN3lAEWVGmwpiu2xyuZgpQyT5FRqOZ
mLYHZJF7FEZOZo+hkbH4O6j3umJ0QFJakVwrEiQ/ha0yLZpS3OM=
=u0hP
-----END PGP SIGNATURE-----
Merge 4.14.135 into android-4.14
Changes in 4.14.135
MIPS: ath79: fix ar933x uart parity mode
MIPS: fix build on non-linux hosts
arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly
scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported
dmaengine: imx-sdma: fix use-after-free on probe error path
wil6210: fix potential out-of-bounds read
ath10k: Do not send probe response template for mesh
ath9k: Check for errors when reading SREV register
ath6kl: add some bounds checking
ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
batman-adv: fix for leaked TVLV handler.
media: dvb: usb: fix use after free in dvb_usb_device_exit
media: spi: IR LED: add missing of table registration
crypto: talitos - fix skcipher failure due to wrong output IV
media: marvell-ccic: fix DMA s/g desc number calculation
media: vpss: fix a potential NULL pointer dereference
media: media_device_enum_links32: clean a reserved field
net: stmmac: dwmac1000: Clear unused address entries
net: stmmac: dwmac4/5: Clear unused address entries
qed: Set the doorbell address correctly
signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
af_key: fix leaks in key_pol_get_resp and dump_sp.
xfrm: Fix xfrm sel prefix length validation
fscrypt: clean up some BUG_ON()s in block encryption/decryption
media: mc-device.c: don't memset __user pointer contents
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
net: phy: Check against net_device being NULL
crypto: talitos - properly handle split ICV.
crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
tua6100: Avoid build warnings.
locking/lockdep: Fix merging of hlocks with non-zero references
media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
cpupower : frequency-set -r option misses the last cpu in related cpu list
net: stmmac: dwmac4: fix flow control issue
net: fec: Do not use netdev messages too early
net: axienet: Fix race condition causing TX hang
s390/qdio: handle PENDING state for QEBSM devices
RAS/CEC: Fix pfn insertion
net: sfp: add mutex to prevent concurrent state checks
ipset: Fix memory accounting for hash types on resize
perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode
perf test 6: Fix missing kvm module load for s390
media: fdp1: Support M3N and E3 platforms
iommu: Fix a leak in iommu_insert_resv_region
gpio: omap: fix lack of irqstatus_raw0 for OMAP4
gpio: omap: ensure irq is enabled before wakeup
regmap: fix bulk writes on paged registers
bpf: silence warning messages in core
rcu: Force inlining of rcu_read_lock()
x86/cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS
blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration
xfrm: fix sa selector validation
sched/core: Add __sched tag for io_schedule()
x86/atomic: Fix smp_mb__{before,after}_atomic()
perf evsel: Make perf_evsel__name() accept a NULL argument
vhost_net: disable zerocopy by default
ipoib: correcly show a VF hardware address
EDAC/sysfs: Fix memory leak when creating a csrow object
ipsec: select crypto ciphers for xfrm_algo
ipvs: defer hook registration to avoid leaks
media: s5p-mfc: Make additional clocks optional
media: i2c: fix warning same module names
ntp: Limit TAI-UTC offset
timer_list: Guard procfs specific code
acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
media: coda: fix mpeg2 sequence number handling
media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP
media: coda: increment sequence offset for the last returned frame
media: vimc: cap: check v4l2_fill_pixfmt return value
media: hdpvr: fix locking and a missing msleep
rtlwifi: rtl8192cu: fix error handle when usb probe failed
mt7601u: do not schedule rx_tasklet when the device has been disconnected
x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
mt7601u: fix possible memory leak when the device is disconnected
ipvs: fix tinfo memory leak in start_sync_thread
ath10k: add missing error handling
ath10k: fix PCIE device wake up failed
perf tools: Increase MAX_NR_CPUS and MAX_CACHES
libata: don't request sense data on !ZAC ATA devices
clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
rslib: Fix decoding of shortened codes
rslib: Fix handling of of caller provided syndrome
ixgbe: Check DDM existence in transceiver before access
crypto: serpent - mark __serpent_setkey_sbox noinline
crypto: asymmetric_keys - select CRYPTO_HASH where needed
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
net: hns3: fix a -Wformat-nonliteral compile warning
net: hns3: add some error checking in hclge_tm module
ath10k: destroy sdio workqueue while remove sdio module
iwlwifi: mvm: Drop large non sta frames
perf stat: Make metric event lookup more robust
net: usb: asix: init MAC address buffers
gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
Bluetooth: 6lowpan: search for destination address in all peers
Bluetooth: Check state in l2cap_disconnect_rsp
gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()
Bluetooth: validate BLE connection interval updates
gtp: fix suspicious RCU usage
gtp: fix Illegal context switch in RCU read-side critical section.
gtp: fix use-after-free in gtp_encap_destroy()
gtp: fix use-after-free in gtp_newlink()
net: mvmdio: defer probe of orion-mdio if a clock is not ready
iavf: fix dereference of null rx_buffer pointer
floppy: fix div-by-zero in setup_format_params
floppy: fix out-of-bounds read in next_valid_format
floppy: fix invalid pointer dereference in drive_name
floppy: fix out-of-bounds read in copy_buffer
xen: let alloc_xenballooned_pages() fail if not enough memory free
scsi: NCR5380: Reduce goto statements in NCR5380_select()
scsi: NCR5380: Always re-enable reselection interrupt
Revert "scsi: ncr5380: Increase register polling limit"
scsi: core: Fix race on creating sense cache
scsi: megaraid_sas: Fix calculation of target ID
scsi: mac_scsi: Increase PIO/PDMA transfer length threshold
scsi: mac_scsi: Fix pseudo DMA implementation, take 2
crypto: ghash - fix unaligned memory access in ghash_setkey()
crypto: ccp - Validate the the error value used to index error messages
crypto: arm64/sha1-ce - correct digest for empty data in finup
crypto: arm64/sha2-ce - correct digest for empty data in finup
crypto: chacha20poly1305 - fix atomic sleep when using async algorithm
crypto: ccp - memset structure fields to zero before reuse
crypto: ccp/gcm - use const time tag comparison.
crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe
Input: gtco - bounds check collection indent level
Input: alps - don't handle ALPS cs19 trackpoint-only device
Input: synaptics - whitelist Lenovo T580 SMBus intertouch
Input: alps - fix a mismatch between a condition check and its comment
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
arm64: tegra: Update Jetson TX1 GPU regulator timings
iwlwifi: pcie: don't service an interrupt that was masked
iwlwifi: pcie: fix ALIVE interrupt handling for gen2 devices w/o MSI-X
NFSv4: Handle the special Linux file open access mode
pnfs/flexfiles: Fix PTR_ERR() dereferences in ff_layout_track_ds_error
lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
ASoC: dapm: Adapt for debugfs API change
ALSA: seq: Break too long mutex context in the write loop
ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine
media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
media: coda: Remove unbalanced and unneeded mutex unlock
KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
arm64: tegra: Fix AGIC register range
fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.
drm/nouveau/i2c: Enable i2c pads & busses during preinit
padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
dm zoned: fix zone state management race
xen/events: fix binding user event channels to cpus
9p/xen: Add cleanup path in p9_trans_xen_init
9p/virtio: Add cleanup path in p9_virtio_init
x86/boot: Fix memory leak in default_get_smp_config()
perf/x86/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' for non-L3 PMCs
perf/x86/amd/uncore: Set the thread mask for F17h L3 PMCs
intel_th: pci: Add Ice Lake NNPI support
PCI: Do not poll for PME if the device is in D3cold
Btrfs: fix data loss after inode eviction, renaming it, and fsync it
Btrfs: fix fsync not persisting dentry deletions due to inode evictions
Btrfs: add missing inode version, ctime and mtime updates when punching hole
HID: wacom: generic: only switch the mode on devices with LEDs
HID: wacom: correct touch resolution x/y typo
libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
coda: pass the host file in vma->vm_file on mmap
gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
PCI: hv: Fix a use-after-free bug in hv_eject_device_work()
crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
parisc: Ensure userspace privilege for ptraced processes in regset functions
parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
powerpc/32s: fix suspend/resume when IBATs 4-7 are used
powerpc/watchpoint: Restore NV GPRs while returning from exception
eCryptfs: fix a couple type promotion bugs
intel_th: msu: Fix single mode with disabled IOMMU
Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
usb: Handle USB3 remote wakeup for LPM enabled devices correctly
net: mvmdio: allow up to four clocks to be specified for orion-mdio
dt-bindings: allow up to four clocks for orion-mdio
dm bufio: fix deadlock with loop device
compiler.h, kasan: Avoid duplicating __read_once_size_nocheck()
compiler.h: Add read_word_at_a_time() function.
lib/strscpy: Shut up KASAN false-positives in strscpy()
bnx2x: Prevent load reordering in tx completion processing
bnx2x: Prevent ptp_task to be rescheduled indefinitely
caif-hsi: fix possible deadlock in cfhsi_exit_module()
igmp: fix memory leak in igmpv3_del_delrec()
ipv4: don't set IPv6 only flags to IPv4 addresses
net: bcmgenet: use promisc for unsupported filters
net: dsa: mv88e6xxx: wait after reset deactivation
net: neigh: fix multiple neigh timer scheduling
net: openvswitch: fix csum updates for MPLS actions
nfc: fix potential illegal memory access
rxrpc: Fix send on a connected, but unbound socket
sky2: Disable MSI on ASUS P6T
vrf: make sure skb->data contains ip header to make routing
macsec: fix use-after-free of skb during RX
macsec: fix checksumming after decryption
netrom: fix a memory leak in nr_rx_frame()
netrom: hold sock when setting skb->destructor
bonding: validate ip header before check IPPROTO_IGMP
net: make skb_dst_force return true when dst is refcounted
tcp: fix tcp_set_congestion_control() use from bpf hook
tcp: Reset bytes_acked and bytes_received when disconnecting
net: bridge: mcast: fix stale nsrcs pointer in igmp3/mld2 report handling
net: bridge: mcast: fix stale ipv6 hdr pointer when handling v6 query
net: bridge: stp: don't cache eth dest pointer before skb pull
dma-buf: balance refcount inbalance
dma-buf: Discard old fence_excl on retrying get_fences_rcu for realloc
MIPS: lb60: Fix pin mappings
ext4: don't allow any modifications to an immutable file
ext4: enforce the immutable flag on open files
mm: add filemap_fdatawait_range_keep_errors()
jbd2: introduce jbd2_inode dirty range scoping
ext4: use jbd2_inode dirty range scoping
ext4: allow directory holes
mm: vmscan: scan anonymous pages on file refaults
perf/events/amd/uncore: Fix amd_uncore_llc ID to use pre-defined cpu_llc_id
NFSv4: Fix open create exclusive when the server reboots
nfsd: increase DRC cache limit
nfsd: give out fewer session slots as limit approaches
nfsd: fix performance-limiting session calculation
nfsd: Fix overflow causing non-working mounts on 1 TB machines
hvsock: fix epollout hang from race condition
drm/panel: simple: Fix panel_simple_dsi_probe
usb: core: hub: Disable hub-initiated U1/U2
tty: max310x: Fix invalid baudrate divisors calculator
pinctrl: rockchip: fix leaked of_node references
tty: serial: cpm_uart - fix init when SMC is relocated
drm/edid: Fix a missing-check bug in drm_load_edid_firmware()
PCI: Return error if cannot probe VF
drm/bridge: tc358767: read display_props in get_modes()
drm/bridge: sii902x: pixel clock unit is 10kHz instead of 1kHz
drm/crc-debugfs: User irqsafe spinlock in drm_crtc_add_crc_entry
memstick: Fix error cleanup path of memstick_init
tty/serial: digicolor: Fix digicolor-usart already registered warning
tty: serial: msm_serial: avoid system lockup condition
serial: 8250: Fix TX interrupt handling condition
drm/virtio: Add memory barriers for capset cache.
phy: renesas: rcar-gen2: Fix memory leak at error paths
powerpc/pseries/mobility: prevent cpu hotplug during DT update
drm/rockchip: Properly adjust to a true clock in adjusted_mode
tty: serial_core: Set port active bit in uart_port_activate
usb: gadget: Zero ffs_io_data
powerpc/pci/of: Fix OF flags parsing for 64bit BARs
drm/msm: Depopulate platform on probe failure
serial: mctrl_gpio: Check if GPIO property exisits before requesting it
PCI: sysfs: Ignore lockdep for remove attribute
kbuild: Add -Werror=unknown-warning-option to CLANG_FLAGS
PCI: xilinx-nwl: Fix Multi MSI data programming
iio: iio-utils: Fix possible incorrect mask calculation
powerpc/xmon: Fix disabling tracing while in xmon
recordmcount: Fix spurious mcount entries on powerpc
mfd: core: Set fwnode for created devices
mfd: arizona: Fix undefined behavior
mfd: hi655x-pmic: Fix missing return value check for devm_regmap_init_mmio_clk
um: Silence lockdep complaint about mmap_sem
powerpc/4xx/uic: clear pending interrupt after irq type/pol change
RDMA/i40iw: Set queue pair state when being queried
serial: sh-sci: Terminate TX DMA during buffer flushing
serial: sh-sci: Fix TX DMA buffer flushing and workqueue races
kallsyms: exclude kasan local symbols on s390
perf test mmap-thread-lookup: Initialize variable to suppress memory sanitizer warning
perf session: Fix potential NULL pointer dereference found by the smatch tool
perf annotate: Fix dereferencing freed memory found by the smatch tool
RDMA/rxe: Fill in wc byte_len with IB_WC_RECV_RDMA_WITH_IMM
PCI: dwc: pci-dra7xx: Fix compilation when !CONFIG_GPIOLIB
powerpc/boot: add {get, put}_unaligned_be32 to xz_config.h
f2fs: avoid out-of-range memory access
mailbox: handle failed named mailbox channel request
powerpc/eeh: Handle hugepages in ioremap space
block/bio-integrity: fix a memory leak bug
sh: prevent warnings when using iounmap
mm/kmemleak.c: fix check for softirq context
9p: pass the correct prototype to read_cache_page
mm/gup.c: mark undo_dev_pagemap as __maybe_unused
mm/gup.c: remove some BUG_ONs from get_gate_page()
mm/mmu_notifier: use hlist_add_head_rcu()
locking/lockdep: Fix lock used or unused stats error
locking/lockdep: Hide unused 'class' variable
drm/crc: Only report a single overflow when a CRC fd is opened
drm/crc-debugfs: Also sprinkle irqrestore over early exits
usb: wusbcore: fix unbalanced get/put cluster_id
usb: pci-quirks: Correct AMD PLL quirk detection
KVM: nVMX: do not use dangling shadow VMCS after guest reset
btrfs: inode: Don't compress if NODATASUM or NODATACOW set
x86/sysfb_efi: Add quirks for some devices with swapped width and height
x86/speculation/mds: Apply more accurate check on hypervisor platform
binder: prevent transactions to context manager from its own process.
fpga-manager: altera-ps-spi: Fix build error
hpet: Fix division by zero in hpet_time_div()
ALSA: line6: Fix wrong altsetting for LINE6_PODHD500_1
ALSA: hda - Add a conexant codec entry to let mute led work
powerpc/xive: Fix loop exit-condition in xive_find_target_in_mask()
powerpc/tm: Fix oops on sigreturn on systems without TM
access: avoid the RCU grace period for the temporary subjective credentials
Linux 4.14.135
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Florian Westphal
|
8cf295c38d |
net: make skb_dst_force return true when dst is refcounted
[ Upstream commit b60a77386b1d4868f72f6353d35dabe5fbe981f2 ]
netfilter did not expect that skb_dst_force() can cause skb to lose its
dst entry.
I got a bug report with a skb->dst NULL dereference in netfilter
output path. The backtrace contains nf_reinject(), so the dst might have
been cleared when skb got queued to userspace.
Other users were fixed via
if (skb_dst(skb)) {
skb_dst_force(skb);
if (!skb_dst(skb))
goto handle_err;
}
But I think its preferable to make the 'dst might be cleared' part
of the function explicit.
In netfilter case, skb with a null dst is expected when queueing in
prerouting hook, so drop skb for the other hooks.
v2:
v1 of this patch returned true in case skb had no dst entry.
Eric said:
Say if we have two skb_dst_force() calls for some reason
on the same skb, only the first one will return false.
This now returns false even when skb had no dst, as per Erics
suggestion, so callers might need to check skb_dst() first before
skb_dst_force().
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Julian Anastasov
|
0f7f0b0574 |
ipvs: fix tinfo memory leak in start_sync_thread
[ Upstream commit 5db7c8b9f9fc2aeec671ae3ca6375752c162e0e7 ] syzkaller reports for memory leak in start_sync_thread [1] As Eric points out, kthread may start and stop before the threadfn function is called, so there is no chance the data (tinfo in our case) to be released in thread. Fix this by releasing tinfo in the controlling code instead. [1] BUG: memory leak unreferenced object 0xffff8881206bf700 (size 32): comm "syz-executor761", pid 7268, jiffies 4294943441 (age 20.470s) hex dump (first 32 bytes): 00 40 7c 09 81 88 ff ff 80 45 b8 21 81 88 ff ff .@|......E.!.... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<0000000057619e23>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<0000000057619e23>] slab_post_alloc_hook mm/slab.h:439 [inline] [<0000000057619e23>] slab_alloc mm/slab.c:3326 [inline] [<0000000057619e23>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553 [<0000000086ce5479>] kmalloc include/linux/slab.h:547 [inline] [<0000000086ce5479>] start_sync_thread+0x5d2/0xe10 net/netfilter/ipvs/ip_vs_sync.c:1862 [<000000001a9229cc>] do_ip_vs_set_ctl+0x4c5/0x780 net/netfilter/ipvs/ip_vs_ctl.c:2402 [<00000000ece457c8>] nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] [<00000000ece457c8>] nf_setsockopt+0x4c/0x80 net/netfilter/nf_sockopt.c:115 [<00000000942f62d4>] ip_setsockopt net/ipv4/ip_sockglue.c:1258 [inline] [<00000000942f62d4>] ip_setsockopt+0x9b/0xb0 net/ipv4/ip_sockglue.c:1238 [<00000000a56a8ffd>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616 [<00000000fa895401>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130 [<0000000095eef4cf>] __sys_setsockopt+0x98/0x120 net/socket.c:2078 [<000000009747cf88>] __do_sys_setsockopt net/socket.c:2089 [inline] [<000000009747cf88>] __se_sys_setsockopt net/socket.c:2086 [inline] [<000000009747cf88>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086 [<00000000ded8ba80>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301 [<00000000893b4ac8>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported-by: syzbot+7e2e50c8adfccd2e5041@syzkaller.appspotmail.com Suggested-by: Eric Biggers <ebiggers@kernel.org> Fixes: 998e7a76804b ("ipvs: Use kthread_run() instead of doing a double-fork via kernel_thread()") Signed-off-by: Julian Anastasov <ja@ssi.bg> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Julian Anastasov
|
0d450977ae |
ipvs: defer hook registration to avoid leaks
[ Upstream commit cf47a0b882a4e5f6b34c7949d7b293e9287f1972 ] syzkaller reports for memory leak when registering hooks [1] As we moved the nf_unregister_net_hooks() call into __ip_vs_dev_cleanup(), defer the nf_register_net_hooks() call, so that hooks are allocated and freed from same pernet_operations (ipvs_core_dev_ops). [1] BUG: memory leak unreferenced object 0xffff88810acd8a80 (size 96): comm "syz-executor073", pid 7254, jiffies 4294950560 (age 22.250s) hex dump (first 32 bytes): 02 00 00 00 00 00 00 00 50 8b bb 82 ff ff ff ff ........P....... 00 00 00 00 00 00 00 00 00 77 bb 82 ff ff ff ff .........w...... backtrace: [<0000000013db61f1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<0000000013db61f1>] slab_post_alloc_hook mm/slab.h:439 [inline] [<0000000013db61f1>] slab_alloc_node mm/slab.c:3269 [inline] [<0000000013db61f1>] kmem_cache_alloc_node_trace+0x15b/0x2a0 mm/slab.c:3597 [<000000001a27307d>] __do_kmalloc_node mm/slab.c:3619 [inline] [<000000001a27307d>] __kmalloc_node+0x38/0x50 mm/slab.c:3627 [<0000000025054add>] kmalloc_node include/linux/slab.h:590 [inline] [<0000000025054add>] kvmalloc_node+0x4a/0xd0 mm/util.c:431 [<0000000050d1bc00>] kvmalloc include/linux/mm.h:637 [inline] [<0000000050d1bc00>] kvzalloc include/linux/mm.h:645 [inline] [<0000000050d1bc00>] allocate_hook_entries_size+0x3b/0x60 net/netfilter/core.c:61 [<00000000e8abe142>] nf_hook_entries_grow+0xae/0x270 net/netfilter/core.c:128 [<000000004b94797c>] __nf_register_net_hook+0x9a/0x170 net/netfilter/core.c:337 [<00000000d1545cbc>] nf_register_net_hook+0x34/0xc0 net/netfilter/core.c:464 [<00000000876c9b55>] nf_register_net_hooks+0x53/0xc0 net/netfilter/core.c:480 [<000000002ea868e0>] __ip_vs_init+0xe8/0x170 net/netfilter/ipvs/ip_vs_core.c:2280 [<000000002eb2d451>] ops_init+0x4c/0x140 net/core/net_namespace.c:130 [<000000000284ec48>] setup_net+0xde/0x230 net/core/net_namespace.c:316 [<00000000a70600fa>] copy_net_ns+0xf0/0x1e0 net/core/net_namespace.c:439 [<00000000ff26c15e>] create_new_namespaces+0x141/0x2a0 kernel/nsproxy.c:107 [<00000000b103dc79>] copy_namespaces+0xa1/0xe0 kernel/nsproxy.c:165 [<000000007cc008a2>] copy_process.part.0+0x11fd/0x2150 kernel/fork.c:2035 [<00000000c344af7c>] copy_process kernel/fork.c:1800 [inline] [<00000000c344af7c>] _do_fork+0x121/0x4f0 kernel/fork.c:2369 Reported-by: syzbot+722da59ccb264bc19910@syzkaller.appspotmail.com Fixes: 719c7d563c17 ("ipvs: Fix use-after-free in ip_vs_in") Signed-off-by: Julian Anastasov <ja@ssi.bg> Acked-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stefano Brivio
|
6276007fd2 |
ipset: Fix memory accounting for hash types on resize
[ Upstream commit 11921796f4799ca9c61c4b22cc54d84aa69f8a35 ]
If a fresh array block is allocated during resize, the current in-memory
set size should be increased by the size of the block, not replaced by it.
Before the fix, adding entries to a hash set type, leading to a table
resize, caused an inconsistent memory size to be reported. This becomes
more obvious when swapping sets with similar sizes:
# cat hash_ip_size.sh
#!/bin/sh
FAIL_RETRIES=10
tries=0
while [ ${tries} -lt ${FAIL_RETRIES} ]; do
ipset create t1 hash:ip
for i in `seq 1 4345`; do
ipset add t1 1.2.$((i / 255)).$((i % 255))
done
t1_init="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
ipset create t2 hash:ip
for i in `seq 1 4360`; do
ipset add t2 1.2.$((i / 255)).$((i % 255))
done
t2_init="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
ipset swap t1 t2
t1_swap="$(ipset list t1|sed -n 's/Size in memory: \(.*\)/\1/p')"
t2_swap="$(ipset list t2|sed -n 's/Size in memory: \(.*\)/\1/p')"
ipset destroy t1
ipset destroy t2
tries=$((tries + 1))
if [ ${t1_init} -lt 10000 ] || [ ${t2_init} -lt 10000 ]; then
echo "FAIL after ${tries} tries:"
echo "T1 size ${t1_init}, after swap ${t1_swap}"
echo "T2 size ${t2_init}, after swap ${t2_swap}"
exit 1
fi
done
echo "PASS"
# echo -n 'func hash_ip4_resize +p' > /sys/kernel/debug/dynamic_debug/control
# ./hash_ip_size.sh
[ 2035.018673] attempt to resize set t1 from 10 to 11, t 00000000fe6551fa
[ 2035.078583] set t1 resized from 10 (00000000fe6551fa) to 11 (00000000172a0163)
[ 2035.080353] Table destroy by resize 00000000fe6551fa
FAIL after 4 tries:
T1 size 9064, after swap 71128
T2 size 71128, after swap 9064
Reported-by: NOYB <JunkYardMail1@Frontier.com>
Fixes: 9e41f26a505c ("netfilter: ipset: Count non-static extension memory for userspace")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
93c338c2e7 |
This is the 4.14.129 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl0Nx7MACgkQONu9yGCS
aT6rcxAA0os++XT8OzzsnJamD3O+oqDxCm3Pd3mNj8uck2XCHtzSEvq0z8a3/Xo2
RXWBNDbYRHDGCNwK+2OxSbmyBO6ZqH7lp+KkipGTwWmc6spmm0gnDMSQ1312g6v5
uVL8Tyirc9xEvkkHHNbxxuQ5e8RoxU0P+dBktDg5ipUCNLdO397/ldrg2cpxSsT4
SeUL6kQmXyH9X/btZVq+xUdIqgn5JDuzrDbGSmFa7SV/D+IVIvxiR5tt7ZLuWVVl
n9AqjTERAg0bLcOq7j5/eyephR0ooumd1J8z6PgMnmj66UTYtgkdDBVBYEFRUlEB
9tmmX5KWlpdbVfhvTRrbKo0kfRrVCy1h3CDf0hiJpYJesf6f+CBOorUORdvXKHEp
rQ2o6nshVWGsGv0fD3j4FzURZxbWFDOvveGApRj2p5626gLnRwz9kBvsy3FK/Gb9
d9b2fZRDf1Iz6QYKTybexhPfDxA2Gy3MvZ1Yj7EXIrf4rUrRSf+WSjSE69g8i9Q0
/1lWVQ9aW1UQ9Ya/r6xS5q2VNzWUDCpYDRDqyiiND0E1MrgsvL56YsmWbzQOI/hV
tm7j5NEqCPHVY0UQqjkAUspQbkLKbkVoj4TiQKgppkp1a2uZjo48AGbIqq0tJ/h8
aHkb/PgRyxLpD/+NFhLbwJGN7kATuMlegduhwJkxfv0kCmyEwrw=
=flvv
-----END PGP SIGNATURE-----
Merge 4.14.129 into android-4.14
Changes in 4.14.129
perf machine: Guard against NULL in machine__exit()
ax25: fix inconsistent lock state in ax25_destroy_timer
be2net: Fix number of Rx queues used for flow hashing
ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
lapb: fixed leak of control-blocks.
neigh: fix use-after-free read in pneigh_get_next
net: openvswitch: do not free vport if register_netdevice() is failed.
sctp: Free cookie before we memdup a new one
sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
Staging: vc04_services: Fix a couple error codes
perf/x86/intel/ds: Fix EVENT vs. UEVENT PEBS constraints
netfilter: nf_queue: fix reinject verdict handling
ipvs: Fix use-after-free in ip_vs_in
selftests: netfilter: missing error check when setting up veth interface
clk: ti: clkctrl: Fix clkdm_clk handling
powerpc/powernv: Return for invalid IMC domain
mISDN: make sure device name is NUL terminated
x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor
perf/ring_buffer: Fix exposing a temporarily decreased data_head
perf/ring_buffer: Add ordering to rb->nest increment
perf/ring-buffer: Always use {READ,WRITE}_ONCE() for rb->user_page data
gpio: fix gpio-adp5588 build errors
net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE()
net: aquantia: fix LRO with FCS error
i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
ALSA: hda - Force polling mode on CNL for fixing codec communication
configfs: Fix use-after-free when accessing sd->s_dentry
perf data: Fix 'strncat may truncate' build failure with recent gcc
perf record: Fix s390 missing module symbol and warning for non-root users
ia64: fix build errors by exporting paddr_to_nid()
KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list
KVM: PPC: Book3S HV: Don't take kvm->lock around kvm_for_each_vcpu
net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs
net: phy: dp83867: Set up RGMII TX delay
scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
scsi: smartpqi: properly set both the DMA mask and the coherent DMA mask
scsi: scsi_dh_alua: Fix possible null-ptr-deref
scsi: libsas: delete sas port if expander discover failed
mlxsw: spectrum: Prevent force of 56G
HID: wacom: Don't set tool type until we're in range
HID: wacom: Don't report anything prior to the tool entering range
HID: wacom: Send BTN_TOUCH in response to INTUOSP2_BT eraser contact
coredump: fix race condition between collapse_huge_page() and core dumping
infiniband: fix race condition between infiniband mlx4, mlx5 driver and core dumping
Abort file_remove_privs() for non-reg. files
Linux 4.14.129
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
YueHaibing
|
72634d7fd9 |
ipvs: Fix use-after-free in ip_vs_in
[ Upstream commit 719c7d563c17b150877cee03a4b812a424989dfa ] BUG: KASAN: use-after-free in ip_vs_in.part.29+0xe8/0xd20 [ip_vs] Read of size 4 at addr ffff8881e9b26e2c by task sshd/5603 CPU: 0 PID: 5603 Comm: sshd Not tainted 4.19.39+ #30 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011 Call Trace: dump_stack+0x71/0xab print_address_description+0x6a/0x270 kasan_report+0x179/0x2c0 ip_vs_in.part.29+0xe8/0xd20 [ip_vs] ip_vs_in+0xd8/0x170 [ip_vs] nf_hook_slow+0x5f/0xe0 __ip_local_out+0x1d5/0x250 ip_local_out+0x19/0x60 __tcp_transmit_skb+0xba1/0x14f0 tcp_write_xmit+0x41f/0x1ed0 ? _copy_from_iter_full+0xca/0x340 __tcp_push_pending_frames+0x52/0x140 tcp_sendmsg_locked+0x787/0x1600 ? tcp_sendpage+0x60/0x60 ? inet_sk_set_state+0xb0/0xb0 tcp_sendmsg+0x27/0x40 sock_sendmsg+0x6d/0x80 sock_write_iter+0x121/0x1c0 ? sock_sendmsg+0x80/0x80 __vfs_write+0x23e/0x370 vfs_write+0xe7/0x230 ksys_write+0xa1/0x120 ? __ia32_sys_read+0x50/0x50 ? __audit_syscall_exit+0x3ce/0x450 do_syscall_64+0x73/0x200 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x7ff6f6147c60 Code: 73 01 c3 48 8b 0d 28 12 2d 00 f7 d8 64 89 01 48 83 c8 ff c3 66 0f 1f 44 00 00 83 3d 5d 73 2d 00 00 75 10 b8 01 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 31 c3 48 83 RSP: 002b:00007ffd772ead18 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 RAX: ffffffffffffffda RBX: 0000000000000034 RCX: 00007ff6f6147c60 RDX: 0000000000000034 RSI: 000055df30a31270 RDI: 0000000000000003 RBP: 000055df30a31270 R08: 0000000000000000 R09: 0000000000000000 R10: 00007ffd772ead70 R11: 0000000000000246 R12: 00007ffd772ead74 R13: 00007ffd772eae20 R14: 00007ffd772eae24 R15: 000055df2f12ddc0 Allocated by task 6052: kasan_kmalloc+0xa0/0xd0 __kmalloc+0x10a/0x220 ops_init+0x97/0x190 register_pernet_operations+0x1ac/0x360 register_pernet_subsys+0x24/0x40 0xffffffffc0ea016d do_one_initcall+0x8b/0x253 do_init_module+0xe3/0x335 load_module+0x2fc0/0x3890 __do_sys_finit_module+0x192/0x1c0 do_syscall_64+0x73/0x200 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 6067: __kasan_slab_free+0x130/0x180 kfree+0x90/0x1a0 ops_free_list.part.7+0xa6/0xc0 unregister_pernet_operations+0x18b/0x1f0 unregister_pernet_subsys+0x1d/0x30 ip_vs_cleanup+0x1d/0xd2f [ip_vs] __x64_sys_delete_module+0x20c/0x300 do_syscall_64+0x73/0x200 entry_SYSCALL_64_after_hwframe+0x44/0xa9 The buggy address belongs to the object at ffff8881e9b26600 which belongs to the cache kmalloc-4096 of size 4096 The buggy address is located 2092 bytes inside of 4096-byte region [ffff8881e9b26600, ffff8881e9b27600) The buggy address belongs to the page: page:ffffea0007a6c800 count:1 mapcount:0 mapping:ffff888107c0e600 index:0x0 compound_mapcount: 0 flags: 0x17ffffc0008100(slab|head) raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff888107c0e600 raw: 0000000000000000 0000000080070007 00000001ffffffff 0000000000000000 page dumped because: kasan: bad access detected while unregistering ipvs module, ops_free_list calls __ip_vs_cleanup, then nf_unregister_net_hooks be called to do remove nf hook entries. It need a RCU period to finish, however net->ipvs is set to NULL immediately, which will trigger NULL pointer dereference when a packet is hooked and handled by ip_vs_in where net->ipvs is dereferenced. Another scene is ops_free_list call ops_free to free the net_generic directly while __ip_vs_cleanup finished, then calling ip_vs_in will triggers use-after-free. This patch moves nf_unregister_net_hooks from __ip_vs_cleanup() to __ip_vs_dev_cleanup(), where rcu_barrier() is called by unregister_pernet_device -> unregister_pernet_operations, that will do the needed grace period. Reported-by: Hulk Robot <hulkci@huawei.com> Fixes: efe41606184e ("ipvs: convert to use pernet nf_hook api") Suggested-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: YueHaibing <yuehaibing@huawei.com> Acked-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Jagdish Motwani
|
20e4ded10e |
netfilter: nf_queue: fix reinject verdict handling
[ Upstream commit 946c0d8e6ed43dae6527e878d0077c1e11015db0 ]
This patch fixes netfilter hook traversal when there are more than 1 hooks
returning NF_QUEUE verdict. When the first queue reinjects the packet,
'nf_reinject' starts traversing hooks with a proper hook_index. However,
if it again receives a NF_QUEUE verdict (by some other netfilter hook), it
queues the packet with a wrong hook_index. So, when the second queue
reinjects the packet, it re-executes hooks in between.
Fixes: 960632ece694 ("netfilter: convert hook list to an array")
Signed-off-by: Jagdish Motwani <jagdish.motwani@sophos.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Al Viro
|
1c0ac5e9bf |
BACKPORT: fix "netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'"
Descriptor table is a shared object; it's not a place where you can stick temporary references to files, especially when we don't need an opened file at all. Cc: stable@vger.kernel.org # v4.14 Fixes: 98589a0998b8 ("netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'") Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Chenbo Feng <fengc@google.com> Removed the code related to function bpf_prog_get_ok() since it is not exsit in current android tree. (cherry picked from commit 040ee69226f8a96b7943645d68f41d5d44b5ff7d) Change-Id: If7a602128cdea4b4b50c8effb215c9bca7449515 |
||
|
Greg Kroah-Hartman
|
eeb46d84ec |
This is the 4.14.120 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlzdoQwACgkQONu9yGCS
aT5uuQ/9EzGk9z2eFEE8pdp9KIUqC3uTDTymR6qIHBQ26PBY+1wXa60yhd0qCLVi
lycHCEE2PUn6b/5cMLmBoFr8JhM5fHHOSNY9Vi5WDm2vKGNKJ6TRE1HHjxAkXqFk
IZUk839X5b2JUYBUJfmH3gcvUGrtaIJv0Nnd/dgCAn9r2Nb0yRljKPy1PY7Gd1hS
ASE1WOvEIAZD+FESKpbnrT0W4st/AEe0hpBYCxUmPGF2q/v0ErzOKASVMtvA5zM2
xRPGAWOI9eRIbWEU1KLaI9ALEkqUnzKRsCTEmVwZSoCIaf3TmeCUd117vl3dn0IA
l/OqdNYpn2Ogx/nEYZ+duTq39QKDNkn3/y4ZHK22z2BwSrh6EFiRyOUEzgzvq8Jx
SVthwsLAjVE0Dlc/CEqnTxEvTq0yvVDxlbC9coSgcMDyEKy2FCXGvi61QpIQnla4
F89cqXZ/Rmt99OZh/rmXzqr/WuxUYdGF10gHe7gIKWoYu2TwBGW9z6pqGNfyT/h3
wKAbUYXKjDtTt0WHMAzuT6PZzg982CLIvtnE8OcpHs2DOI4LNGsyGEPmNmv/W4iR
0cf1N0Fx07JHUATNQoMcKVEUKJpMqm95jozsmDDYEpavIHPpe2J5QyMW3OuLXd+U
AeQhG4xwPH4/mNXbMWDqeCyFFidWSK/Ezct7iSUFE7vxFYcFrco=
=n2qf
-----END PGP SIGNATURE-----
Merge 4.14.120 into android-4.14
Changes in 4.14.120
netfilter: compat: initialize all fields in xt_init
platform/x86: sony-laptop: Fix unintentional fall-through
platform/x86: thinkpad_acpi: Disable Bluetooth for some machines
hwmon: (pwm-fan) Disable PWM if fetching cooling data fails
kernfs: fix barrier usage in __kernfs_new_node()
USB: serial: fix unthrottle races
iio: adc: xilinx: fix potential use-after-free on remove
libnvdimm/namespace: Fix a potential NULL pointer dereference
HID: input: add mapping for Expose/Overview key
HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
HID: input: add mapping for "Toggle Display" key
libnvdimm/btt: Fix a kmemdup failure check
s390/dasd: Fix capacity calculation for large volumes
mac80211: fix unaligned access in mesh table hash function
mac80211: Increase MAX_MSG_LEN
mac80211: fix memory accounting with A-MSDU aggregation
nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands
s390/3270: fix lockdep false positive on view->lock
clocksource/drivers/oxnas: Fix OX820 compatible
mISDN: Check address length before reading address family
s390/pkey: add one more argument space for debug feature entry
x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T
KVM: fix spectrev1 gadgets
KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing
tools lib traceevent: Fix missing equality check for strcmp
mm: fix inactive list balancing between NUMA nodes and cgroups
init: initialize jump labels before command line option parsing
selftests: netfilter: check icmp pkttoobig errors are set as related
ipvs: do not schedule icmp errors from tunnels
netfilter: ctnetlink: don't use conntrack/expect object addresses as id
MIPS: perf: ath79: Fix perfcount IRQ assignment
s390: ctcm: fix ctcm_new_device error return code
drm/sun4i: Set device driver data at bind time for use in unbind
selftests/net: correct the return value for run_netsocktests
gpu: ipu-v3: dp: fix CSC handling
drm/imx: don't skip DP channel disable for background plane
spi: Micrel eth switch: declare missing of table
spi: ST ST95HF NFC: declare missing of table
Input: synaptics-rmi4 - fix possible double free
sparc64: Export __node_distance.
sparc64: Make corrupted user stacks more debuggable.
MIPS: VDSO: Reduce VDSO_RANDOMIZE_SIZE to 64MB for 64bit
bcache: correct dirty data statistics
ACPICA: AML interpreter: add region addresses in global list during initialization
IB/rxe: Revise the ib_wr_opcode enum
ima: open a new file instance if no read permissions
KVM: arm/arm64: Ensure only THP is candidate for adjustment
media: cec: make cec_get_edid_spa_location() an inline function
media: cec: integrate cec_validate_phys_addr() in cec-api.c
media: adv7604: when the EDID is cleared, unconfigure CEC as well
media: adv7842: when the EDID is cleared, unconfigure CEC as well
fuse: fix possibly missed wake-up after abort
drm/i915: Disable LP3 watermarks on all SNB machines
media: ov5640: fix wrong binning value in exposure calculation
media: ov5640: fix auto controls values when switching to manual mode
net: don't keep lonely packets forever in the gro hash
tracing/fgraph: Fix set_graph_function from showing interrupts
drm/i915: Downgrade Gen9 Plane WM latency error
scsi: raid_attrs: fix unused variable warning
staging: olpc_dcon: add a missing dependency
net: stmmac: Move debugfs init/exit to ->probe()/->remove()
Btrfs: fix missing delayed iputs on unmount
x86/vdso: Pass --eh-frame-hdr to the linker
mm: introduce mm_[p4d|pud|pmd]_folded
arm64: KVM: Make VHE Stage-2 TLB invalidation operations non-interruptible
powerpc: remove old GCC version checks
leds: pwm: silently error out on EPROBE_DEFER
drm/rockchip: psr: do not dereference encoder before it is null checked.
RDMA/vmw_pvrdma: Return the correct opcode when creating WR
arm64: dts: marvell: armada-ap806: reserve PSCI area
vt: always call notifier with the console lock held
devres: Align data[] to ARCH_KMALLOC_MINALIGN
xtensa: xtfpga.dtsi: fix dtc warnings about SPI
net_sched: fix two more memory leaks in cls_tcindex
gtp: change NET_UDP_TUNNEL dependency to select
ACPICA: Namespace: remove address node from global list after method termination
Input: elan_i2c - add hardware ID for multiple Lenovo laptops
netfilter: nf_tables: warn when expr implements only one of activate/deactivate
drm/rockchip: fix for mailbox read validation.
cifs: fix memory leak in SMB2_read
x86/fpu: Don't export __kernel_fpu_{begin,end}()
net: hns: Fix WARNING when hns modules installed
mm/memory.c: fix modifying of page protection by insert_pfn()
net: fec: manage ahb clock in runtime pm
mlxsw: spectrum_switchdev: Add MDB entries in prepare phase
mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue
mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue
mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue
NFC: nci: Add some bounds checking in nci_hci_cmd_received()
nfc: nci: Potential off by one in ->pipes[] array
x86/kprobes: Avoid kretprobe recursion bug
cw1200: fix missing unlock on error in cw1200_hw_scan()
mwl8k: Fix rate_idx underflow
rtlwifi: rtl8723ae: Fix missing break in switch statement
Don't jump to compute_result state from check_result state
powerpc/64s: Include cpu header
bonding: fix arp_validate toggling in active-backup mode
bridge: Fix error path for kobject_init_and_add()
dpaa_eth: fix SG frame cleanup
fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied
ipv4: Fix raw socket lookup for local traffic
net: dsa: Fix error cleanup path in dsa_init_module
net: ethernet: stmmac: dwmac-sun8i: enable support of unicast filtering
net: seeq: fix crash caused by not set dev.parent
net: ucc_geth - fix Oops when changing number of buffers in the ring
packet: Fix error path in packet_init
vlan: disable SIOCSHWTSTAMP in container
vrf: sit mtu should not be updated when vrf netdev is the link
tipc: fix hanging clients using poll with EPOLLOUT flag
drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
powerpc/powernv/idle: Restore IAMR after idle
powerpc/booke64: set RI in default MSR
s390/speculation: Fix build error caused by bad backport
Linux 4.14.120
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Florian Westphal
|
f11935ef23 |
netfilter: nf_tables: warn when expr implements only one of activate/deactivate
[ Upstream commit 0ef235c71755c5f36c50282fcf2d7d08709be344 ] ->destroy is only allowed to free data, or do other cleanups that do not have side effects on other state, such as visibility to other netlink requests. Such things need to be done in ->deactivate. As a transaction can fail, we need to make sure we can undo such operations, therefore ->activate() has to be provided too. So print a warning and refuse registration if expr->ops provides only one of the two operations. v2: fix nft_expr_check_ops to not repeat same check twice (Jones Desougi) Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> |
||
|
Florian Westphal
|
f862c13c3c |
netfilter: ctnetlink: don't use conntrack/expect object addresses as id
[ Upstream commit 3c79107631db1f7fd32cf3f7368e4672004a3010 ]
else, we leak the addresses to userspace via ctnetlink events
and dumps.
Compute an ID on demand based on the immutable parts of nf_conn struct.
Another advantage compared to using an address is that there is no
immediate re-use of the same ID in case the conntrack entry is freed and
reallocated again immediately.
Fixes: 3583240249ef ("[NETFILTER]: nf_conntrack_expect: kill unique ID")
Fixes: 7f85f914721f ("[NETFILTER]: nf_conntrack: kill unique ID")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Julian Anastasov
|
f3cab444f2 |
ipvs: do not schedule icmp errors from tunnels
[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]
We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
existing connection is found.
Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|