mirror of
https://github.com/rd-stuffs/msm-4.14.git
synced 2025-02-20 11:45:48 +08:00
48785 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
|
be0b070513 | Merge "Merge android-4.14.41 (04f740d) into msm-4.14" | ||
|
d56a14fbaa | Merge "cfg80211: Call reg_notifier for self managed hints conditionally" | ||
|
2b0cf4c999 | Merge "qrtr: Return success if control port is not bound" | ||
|
d95a1dc6a8 |
cfg80211: Call reg_notifier for self managed hints conditionally
Currently the regulatory core does not call the regulatory callback reg_notifier for self managed wiphys, but regulatory_hint_user() call is independent of wiphy and is meant for all wiphys in the system. Even a self managed wiphy may be interested in regulatory_hint_user() to know the country code from a trusted regulatory domain change like a cellular base station. Therefore, for the regulatory source NL80211_REGDOM_SET_BY_USER and the user hint type NL80211_USER_REG_HINT_CELL_BASE, call the regulatory notifier.

No current wlan driver uses the REGULATORY_WIPHY_SELF_MANAGED flag while also registering the reg_notifier regulatory callback, therefore there will be no impact on existing drivers without them being explicitly modified to take advantage of this new possibility.

Change-Id: Ibd700eae551840c94daa8b721add74a8e744c748
CRs-Fixed: 2201959
Git-commit: aced43ce780dc5e683b3de00ce9fb3db7d28e1d3
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-testing.git
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Amar Singhal <asinghal@codeaurora.org> |
||
|
f4d73128a3 |
Merge android-4.14.41 (04f740d) into msm-4.14
* refs/heads/tmp-04f740d Linux 4.14.41 KVM: x86: remove APIC Timer periodic/oneshot spikes KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault handler perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* tracing/uprobe_event: Fix strncpy corner case sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] smb3: directory sync should not return an error nvme: add quirk to force medium priority for SQ creation thermal: exynos: Propagate error value from tmu_read() thermal: exynos: Reading temperature makes sense only when TMU is turned on Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" cpufreq: schedutil: Avoid using invalid next_freq PCI / PM: Check device_may_wakeup() in pci_enable_wake() PCI / PM: Always check PME wakeup capability for runtime wakeup support atm: zatm: Fix potential Spectre v1 net: atm: Fix potential Spectre v1 drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear() drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() drm/nouveau: Fix deadlock in nv50_mstm_register_connector() drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log drm/vc4: Fix scaling of uni-planar formats can: hi311x: Work around TX complete interrupt erratum can: hi311x: Acquire SPI lock on ->do_get_berr_counter can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() ceph: fix rsize/wsize capping in ceph_direct_read_write() mm, oom: fix concurrent munlock and oom reaper unmap, v3 mm: sections are not offlined during memory hotremove 
z3fold: fix reclaim lock-ups tracing: Fix regex_match_front() to not over compare the test string dm integrity: use kvfree for kvmalloc'd memory libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs rfkill: gpio: fix memory leak in probe error path gpio: fix error path in lineevent_create gpio: fix aspeed_gpio unmask irq gpioib: do not free unrequested descriptors compat: fix 4-byte infoleak via uninitialized struct field arm64: Add work around for Arm Cortex-A55 Erratum 1024718 KVM: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing KVM: PPC: Book3S HV: Fix guest time accounting with VIRT_CPU_ACCOUNTING_GEN KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry bdi: Fix oops in wb_workfn() bdi: wake up concurrent wb_shutdown() callers. tcp: fix TCP_REPAIR_QUEUE bound checking perf: Remove superfluous allocation error check memcg: fix per_node_info cleanup inetpeer: fix uninit-value in inet_getpeer soreuseport: initialise timewait reuseport field ipv4: fix uninit-value in ip_route_output_key_hash_rcu() dccp: initialize ireq->ir_mark net: fix uninit-value in __hw_addr_add_ex() net: initialize skb->peeked when cloning net: fix rtnh_ok() netlink: fix uninit-value in netlink_sendmsg crypto: af_alg - fix possible uninit-value in alg_bind() kcm: Call strp_stop before strp_done in kcm_attach netfilter: ebtables: don't attempt to allocate 0-sized compat array ipvs: fix rtnl_lock lockups caused by start_sync_thread ANDROID: goldfish: drop CONFIG_INPUT_KEYCHORD Linux 4.14.40 tracing: Fix bad use of igrab in trace_uprobe.c irqchip/qcom: Fix check for spurious interrupts platform/x86: asus-wireless: Fix NULL pointer dereference usb: musb: trace: fix NULL pointer dereference in musb_g_tx() usb: musb: host: fix potential NULL pointer dereference USB: serial: option: adding support for ublox R410M USB: serial: option: reimplement interface masking USB: Accept bulk endpoints with 1024-byte maxpacket usb: dwc3: gadget: Fix list_del corruption 
in dwc3_ep_dequeue USB: serial: visor: handle potential invalid device configuration errseq: Always report a writeback error once test_firmware: fix setting old custom fw path back on exit, second try drm/bridge: vga-dac: Fix edid memory leak drm/vmwgfx: Fix a buffer object leak iw_cxgb4: Atomically flush per QP HW CQEs IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used IB/hfi1: Fix loss of BECN with AHG IB/hfi1: Fix handling of FECN marked multicast packet IB/mlx5: Use unlimited rate when static rate is not supported NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 RDMA/mlx5: Protect from shift operand overflow RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow RDMA/ucma: Allow resolving address w/o specifying source address RDMA/cxgb4: release hw resources on device removal xfs: prevent creating negative-sized file via INSERT_RANGE rtlwifi: cleanup 8723be ant_sel definition rtlwifi: btcoex: Add power_on_setting routine Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro Input: leds - fix out of bound access scsi: target: Fix fortify_panic kernel exception tracepoint: Do not warn on ENOMEM ALSA: aloop: Add missing cable lock to ctl API callbacks ALSA: aloop: Mark paused device as inactive ALSA: dice: fix kernel NULL pointer dereference due to invalid calculation for array index ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() ALSA: pcm: Check PCM state at xfern compat ioctl ALSA: hda - Fix incorrect usage of IS_REACHABLE() USB: serial: option: Add support for Quectel EP06 ACPI / button: make module loadable when booted in non-ACPI mode crypto: talitos - fix IPsec cipher in length percpu: include linux/sched.h for cond_resched() net: don't call update_pmtu unconditionally geneve: update skb dst pmtu on tx path UPSTREAM: f2fs: avoid fsync() failure caused by EAGAIN in writepage() UPSTREAM: f2fs: clear PageError on writepage - part 2 ANDROID: build.config: enforce trace_printk check 
FROMLIST: staging: Fix sparse warnings in vsoc driver. FROMLIST: staging: vsoc: Fix a i386-randconfig warning. FROMLIST: staging: vsoc: Create wc kernel mapping for region shm. Change-Id: I697004775203b8bb5cace4fdf7e6489cfd32b54b Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org> Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org> |
||
|
af2f77c079 | Merge "cfg80211/nl80211: add DFS offload flag" | ||
|
04f740d4da |
This is the 4.14.41 stable release
Merge 4.14.41 into android-4.14 Changes in 4.14.41 ipvs: fix rtnl_lock lockups caused by start_sync_thread netfilter: ebtables: don't attempt to allocate 0-sized compat array kcm: Call strp_stop before strp_done in kcm_attach crypto: af_alg - fix possible uninit-value in alg_bind() netlink: fix uninit-value in netlink_sendmsg net: fix rtnh_ok() net: initialize skb->peeked when cloning net: fix uninit-value in __hw_addr_add_ex() dccp: initialize ireq->ir_mark ipv4: fix uninit-value in ip_route_output_key_hash_rcu() soreuseport: initialise timewait reuseport field inetpeer: fix uninit-value in inet_getpeer memcg: fix per_node_info cleanup perf: Remove superfluous allocation error check tcp: fix TCP_REPAIR_QUEUE bound checking bdi: wake up concurrent wb_shutdown() callers. 
bdi: Fix oops in wb_workfn() KVM: PPC: Book3S HV: Fix trap number return from __kvmppc_vcore_entry KVM: PPC: Book3S HV: Fix guest time accounting with VIRT_CPU_ACCOUNTING_GEN KVM: PPC: Book3S HV: Fix VRMA initialization with 2MB or 1GB memory backing arm64: Add work around for Arm Cortex-A55 Erratum 1024718 compat: fix 4-byte infoleak via uninitialized struct field gpioib: do not free unrequested descriptors gpio: fix aspeed_gpio unmask irq gpio: fix error path in lineevent_create rfkill: gpio: fix memory leak in probe error path libata: Apply NOLPM quirk for SanDisk SD7UB3Q*G1001 SSDs dm integrity: use kvfree for kvmalloc'd memory tracing: Fix regex_match_front() to not over compare the test string z3fold: fix reclaim lock-ups mm: sections are not offlined during memory hotremove mm, oom: fix concurrent munlock and oom reaper unmap, v3 ceph: fix rsize/wsize capping in ceph_direct_read_write() can: kvaser_usb: Increase correct stats counter in kvaser_usb_rx_can_msg() can: hi311x: Acquire SPI lock on ->do_get_berr_counter can: hi311x: Work around TX complete interrupt erratum drm/vc4: Fix scaling of uni-planar formats drm/i915: Fix drm:intel_enable_lvds ERROR message in kernel log drm/nouveau: Fix deadlock in nv50_mstm_register_connector() drm/atomic: Clean old_state/new_state in drm_atomic_state_default_clear() drm/atomic: Clean private obj old_state/new_state in drm_atomic_state_default_clear() net: atm: Fix potential Spectre v1 atm: zatm: Fix potential Spectre v1 PCI / PM: Always check PME wakeup capability for runtime wakeup support PCI / PM: Check device_may_wakeup() in pci_enable_wake() cpufreq: schedutil: Avoid using invalid next_freq Revert "Bluetooth: btusb: Fix quirk for Atheros 1525/QCA6174" Bluetooth: btusb: Add Dell XPS 13 9360 to btusb_needs_reset_resume_table Bluetooth: btusb: Only check needs_reset_resume DMI table for QCA rome chipsets thermal: exynos: Reading temperature makes sense only when TMU is turned on thermal: exynos: Propagate error value 
from tmu_read() nvme: add quirk to force medium priority for SQ creation smb3: directory sync should not return an error sched/autogroup: Fix possible Spectre-v1 indexing for sched_prio_to_weight[] tracing/uprobe_event: Fix strncpy corner case perf/x86: Fix possible Spectre-v1 indexing for hw_perf_event cache_* perf/x86/cstate: Fix possible Spectre-v1 indexing for pkg_msr perf/x86/msr: Fix possible Spectre-v1 indexing in the MSR driver perf/core: Fix possible Spectre-v1 indexing for ->aux_pages[] perf/x86: Fix possible Spectre-v1 indexing for x86_pmu::event_map() KVM: PPC: Book3S HV: Fix handling of large pages in radix page fault handler KVM: x86: remove APIC Timer periodic/oneshot spikes Linux 4.14.41 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
cc21a60327 |
net: atm: Fix potential Spectre v1
commit acf784bd0ce257fe43da7ca266f7a10b837479d2 upstream.

ioc_data.dev_num can be controlled by user-space, hence leading to a potential exploitation of the Spectre variant 1 vulnerability.

This issue was detected with the help of Smatch:
net/atm/lec.c:702 lec_vcc_attach() warn: potential spectre issue 'dev_lec'

Fix this by sanitizing ioc_data.dev_num before using it to index dev_lec. Also, notice that there is another instance in which array dev_lec is being indexed using ioc_data.dev_num at line 705:
lec_vcc_added(netdev_priv(dev_lec[ioc_data.dev_num]),

Notice that given that speculation windows are large, the policy is to kill the speculation on the first load and not worry if it can be completed with a dependent load/store [1].

[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2

Cc: stable@vger.kernel.org
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
d1d5c31fc3 |
rfkill: gpio: fix memory leak in probe error path
commit 4bf01ca21e2e0e4561d1a03c48c3d740418702db upstream.

Make sure to free the rfkill device in case registration fails during probe.

Fixes: 5e7ca3937fbe ("net: rfkill: gpio: convert to resource managed allocation")
Cc: stable <stable@vger.kernel.org> # 3.13
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
8c12bd91b5 |
tcp: fix TCP_REPAIR_QUEUE bound checking
commit bf2acc943a45d2b2e8a9f1a5ddff6b6e43cc69d9 upstream.

syzbot is able to produce a nasty WARN_ON() in tcp_verify_left_out() with following C-repro :

socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0
bind(3, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
sendto(3, "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 1242, MSG_FASTOPEN, {sa_family=AF_INET, sin_port=htons(20002), sin_addr=inet_addr("127.0.0.1")}, 16) = 1242
setsockopt(3, SOL_TCP, TCP_REPAIR_WINDOW, "\4\0\0@+\205\0\0\377\377\0\0\377\377\377\177\0\0\0\0", 20) = 0
writev(3, [{"\270", 1}], 1) = 1
setsockopt(3, SOL_TCP, TCP_REPAIR_OPTIONS, "\10\0\0\0\0\0\0\0\0\0\0\0|\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 386) = 0
writev(3, [{"\210v\r[\226\320t\231qwQ\204\264l\254\t\1\20\245\214p\350H\223\254;\\\37\345\307p$"..., 3144}], 1) = 3144

The 3rd system call looks odd :
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [-1], 4) = 0

This patch makes sure bound checking is using an unsigned compare.

Fixes: ee9952831cfd ("tcp: Initial repair mode")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Pavel Emelyanov <xemul@parallels.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
ac91ff2a5f |
inetpeer: fix uninit-value in inet_getpeer
commit b6a37e5e25414df4b8e9140a5c6f5ee0ec6f3b90 upstream. syzbot/KMSAN reported that p->dtime was read while it was not yet initialized in : delta = (__u32)jiffies - p->dtime; if (delta < ttl || !refcount_dec_if_one(&p->refcnt)) gc_stack[i] = NULL; This is a false positive, because the inetpeer wont be erased from rb-tree if the refcount_dec_if_one(&p->refcnt) does not succeed. And this wont happen before first inet_putpeer() call for this inetpeer has been done, and ->dtime field is written exactly before the refcount_dec_and_test(&p->refcnt). The KMSAN report was : BUG: KMSAN: uninit-value in inet_peer_gc net/ipv4/inetpeer.c:163 [inline] BUG: KMSAN: uninit-value in inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228 CPU: 0 PID: 9494 Comm: syz-executor5 Not tainted 4.16.0+ #82 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 inet_peer_gc net/ipv4/inetpeer.c:163 [inline] inet_getpeer+0x1567/0x1e70 net/ipv4/inetpeer.c:228 inet_getpeer_v4 include/net/inetpeer.h:110 [inline] icmpv4_xrlim_allow net/ipv4/icmp.c:330 [inline] icmp_send+0x2b44/0x3050 net/ipv4/icmp.c:725 ip_options_compile+0x237c/0x29f0 net/ipv4/ip_options.c:472 ip_rcv_options net/ipv4/ip_input.c:284 [inline] ip_rcv_finish+0xda8/0x16d0 net/ipv4/ip_input.c:365 NF_HOOK include/linux/netfilter.h:288 [inline] ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562 __netif_receive_skb net/core/dev.c:4627 [inline] netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701 netif_receive_skb+0x230/0x240 net/core/dev.c:4725 tun_rx_batched drivers/net/tun.c:1555 [inline] tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962 tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990 do_iter_readv_writev+0x7bb/0x970 include/linux/fs.h:1776 
do_iter_write+0x30d/0xd40 fs/read_write.c:932 vfs_writev fs/read_write.c:977 [inline] do_writev+0x3c9/0x830 fs/read_write.c:1012 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085 SyS_writev+0x56/0x80 fs/read_write.c:1082 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x455111 RSP: 002b:00007fae0365cba0 EFLAGS: 00000293 ORIG_RAX: 0000000000000014 RAX: ffffffffffffffda RBX: 000000000000002e RCX: 0000000000455111 RDX: 0000000000000001 RSI: 00007fae0365cbf0 RDI: 00000000000000fc RBP: 0000000020000040 R08: 00000000000000fc R09: 0000000000000000 R10: 000000000000002e R11: 0000000000000293 R12: 00000000ffffffff R13: 0000000000000658 R14: 00000000006fc8e0 R15: 0000000000000000 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756 inet_getpeer+0xed8/0x1e70 net/ipv4/inetpeer.c:210 inet_getpeer_v4 include/net/inetpeer.h:110 [inline] ip4_frag_init+0x4d1/0x740 net/ipv4/ip_fragment.c:153 inet_frag_alloc net/ipv4/inet_fragment.c:369 [inline] inet_frag_create net/ipv4/inet_fragment.c:385 [inline] inet_frag_find+0x7da/0x1610 net/ipv4/inet_fragment.c:418 ip_find net/ipv4/ip_fragment.c:275 [inline] ip_defrag+0x448/0x67a0 net/ipv4/ip_fragment.c:676 ip_check_defrag+0x775/0xda0 net/ipv4/ip_fragment.c:724 packet_rcv_fanout+0x2a8/0x8d0 net/packet/af_packet.c:1447 deliver_skb net/core/dev.c:1897 [inline] deliver_ptype_list_skb net/core/dev.c:1912 [inline] __netif_receive_skb_core+0x314a/0x4a80 net/core/dev.c:4545 __netif_receive_skb net/core/dev.c:4627 [inline] netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701 netif_receive_skb+0x230/0x240 net/core/dev.c:4725 tun_rx_batched drivers/net/tun.c:1555 [inline] tun_get_user+0x6d88/0x7580 drivers/net/tun.c:1962 tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990 do_iter_readv_writev+0x7bb/0x970 
include/linux/fs.h:1776 do_iter_write+0x30d/0xd40 fs/read_write.c:932 vfs_writev fs/read_write.c:977 [inline] do_writev+0x3c9/0x830 fs/read_write.c:1012 SYSC_writev+0x9b/0xb0 fs/read_write.c:1085 SyS_writev+0x56/0x80 fs/read_write.c:1082 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
566804864c |
soreuseport: initialise timewait reuseport field
commit 3099a52918937ab86ec47038ad80d377ba16c531 upstream. syzbot reported an uninit-value in inet_csk_bind_conflict() [1] It turns out we never propagated sk->sk_reuseport into timewait socket. [1] BUG: KMSAN: uninit-value in inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151 CPU: 1 PID: 3589 Comm: syzkaller008242 Not tainted 4.16.0+ #82 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 inet_csk_bind_conflict+0x5f9/0x990 net/ipv4/inet_connection_sock.c:151 inet_csk_get_port+0x1d28/0x1e40 net/ipv4/inet_connection_sock.c:320 inet6_bind+0x121c/0x1820 net/ipv6/af_inet6.c:399 SYSC_bind+0x3f2/0x4b0 net/socket.c:1474 SyS_bind+0x54/0x80 net/socket.c:1460 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x4416e9 RSP: 002b:00007ffce6d15c88 EFLAGS: 00000217 ORIG_RAX: 0000000000000031 RAX: ffffffffffffffda RBX: 0100000000000000 RCX: 00000000004416e9 RDX: 000000000000001c RSI: 0000000020402000 RDI: 0000000000000004 RBP: 0000000000000000 R08: 00000000e6d15e08 R09: 00000000e6d15e08 R10: 0000000000000004 R11: 0000000000000217 R12: 0000000000009478 R13: 00000000006cd448 R14: 0000000000000000 R15: 0000000000000000 Uninit was stored to memory at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 tcp_time_wait+0xf17/0xf50 net/ipv4/tcp_minisocks.c:283 tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003 tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331 sk_backlog_rcv include/net/sock.h:908 [inline] __release_sock+0x2d6/0x680 net/core/sock.c:2271 release_sock+0x97/0x2a0 net/core/sock.c:2786 
tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269 inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427 inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435 sock_release net/socket.c:595 [inline] sock_close+0xe0/0x300 net/socket.c:1149 __fput+0x49e/0xa10 fs/file_table.c:209 ____fput+0x37/0x40 fs/file_table.c:243 task_work_run+0x243/0x2c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x10e1/0x38d0 kernel/exit.c:867 do_group_exit+0x1a0/0x360 kernel/exit.c:970 SYSC_exit_group+0x21/0x30 kernel/exit.c:981 SyS_exit_group+0x25/0x30 kernel/exit.c:979 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Uninit was stored to memory at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 inet_twsk_alloc+0xaef/0xc00 net/ipv4/inet_timewait_sock.c:182 tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258 tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003 tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331 sk_backlog_rcv include/net/sock.h:908 [inline] __release_sock+0x2d6/0x680 net/core/sock.c:2271 release_sock+0x97/0x2a0 net/core/sock.c:2786 tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269 inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427 inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435 sock_release net/socket.c:595 [inline] sock_close+0xe0/0x300 net/socket.c:1149 __fput+0x49e/0xa10 fs/file_table.c:209 ____fput+0x37/0x40 fs/file_table.c:243 task_work_run+0x243/0x2c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x10e1/0x38d0 kernel/exit.c:867 do_group_exit+0x1a0/0x360 kernel/exit.c:970 SYSC_exit_group+0x21/0x30 kernel/exit.c:981 SyS_exit_group+0x25/0x30 kernel/exit.c:979 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Uninit was created at: 
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756 inet_twsk_alloc+0x13b/0xc00 net/ipv4/inet_timewait_sock.c:163 tcp_time_wait+0xd9/0xf50 net/ipv4/tcp_minisocks.c:258 tcp_rcv_state_process+0xebe/0x6490 net/ipv4/tcp_input.c:6003 tcp_v6_do_rcv+0x11dd/0x1d90 net/ipv6/tcp_ipv6.c:1331 sk_backlog_rcv include/net/sock.h:908 [inline] __release_sock+0x2d6/0x680 net/core/sock.c:2271 release_sock+0x97/0x2a0 net/core/sock.c:2786 tcp_close+0x277/0x18f0 net/ipv4/tcp.c:2269 inet_release+0x240/0x2a0 net/ipv4/af_inet.c:427 inet6_release+0xaf/0x100 net/ipv6/af_inet6.c:435 sock_release net/socket.c:595 [inline] sock_close+0xe0/0x300 net/socket.c:1149 __fput+0x49e/0xa10 fs/file_table.c:209 ____fput+0x37/0x40 fs/file_table.c:243 task_work_run+0x243/0x2c0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x10e1/0x38d0 kernel/exit.c:867 do_group_exit+0x1a0/0x360 kernel/exit.c:970 SYSC_exit_group+0x21/0x30 kernel/exit.c:981 SyS_exit_group+0x25/0x30 kernel/exit.c:979 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Fixes: da5e36308d9f ("soreuseport: TCP/IPv4 implementation") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
154ff3e040 |
ipv4: fix uninit-value in ip_route_output_key_hash_rcu()
commit d0ea2b12500543535be3f54e17920fffc9bb45f6 upstream. syzbot complained that res.type could be used while not initialized. Using RTN_UNSPEC as initial value seems better than using garbage. BUG: KMSAN: uninit-value in __mkroute_output net/ipv4/route.c:2200 [inline] BUG: KMSAN: uninit-value in ip_route_output_key_hash_rcu+0x31f0/0x3940 net/ipv4/route.c:2493 CPU: 1 PID: 12207 Comm: syz-executor0 Not tainted 4.16.0+ #81 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 __mkroute_output net/ipv4/route.c:2200 [inline] ip_route_output_key_hash_rcu+0x31f0/0x3940 net/ipv4/route.c:2493 ip_route_output_key_hash net/ipv4/route.c:2322 [inline] __ip_route_output_key include/net/route.h:126 [inline] ip_route_output_flow+0x1eb/0x3c0 net/ipv4/route.c:2577 raw_sendmsg+0x1861/0x3ed0 net/ipv4/raw.c:653 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] SYSC_sendto+0x6c3/0x7e0 net/socket.c:1747 SyS_sendto+0x8a/0xb0 net/socket.c:1715 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x455259 RSP: 002b:00007fdc0625dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002c RAX: ffffffffffffffda RBX: 00007fdc0625e6d4 RCX: 0000000000455259 RDX: 0000000000000000 RSI: 0000000020000040 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000020000080 R09: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004f7 R14: 00000000006fa7c8 R15: 0000000000000000 Local variable description: ----res.i.i@ip_route_output_flow Variable was created at: ip_route_output_flow+0x75/0x3c0 net/ipv4/route.c:2576 raw_sendmsg+0x1861/0x3ed0 net/ipv4/raw.c:653 Signed-off-by: Eric Dumazet 
<edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
09e45996b3 |
dccp: initialize ireq->ir_mark
commit b855ff827476adbdc2259e9895681d82b7b26065 upstream. syzbot reported an uninit-value read of skb->mark in iptable_mangle_hook() Thanks to the nice report, I tracked the problem to dccp not caring of ireq->ir_mark for passive sessions. BUG: KMSAN: uninit-value in ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline] BUG: KMSAN: uninit-value in iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84 CPU: 0 PID: 5300 Comm: syz-executor3 Not tainted 4.16.0+ #81 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 ipt_mangle_out net/ipv4/netfilter/iptable_mangle.c:66 [inline] iptable_mangle_hook+0x5e5/0x720 net/ipv4/netfilter/iptable_mangle.c:84 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] nf_hook_slow+0x158/0x3d0 net/netfilter/core.c:483 nf_hook include/linux/netfilter.h:243 [inline] __ip_local_out net/ipv4/ip_output.c:113 [inline] ip_local_out net/ipv4/ip_output.c:122 [inline] ip_queue_xmit+0x1d21/0x21c0 net/ipv4/ip_output.c:504 dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142 dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281 dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363 dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 __sys_sendmsg net/socket.c:2080 [inline] SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 SyS_sendmsg+0x54/0x80 net/socket.c:2087 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x455259 RSP: 002b:00007f1a4473dc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00007f1a4473e6d4 RCX: 0000000000455259 RDX: 0000000000000000 
RSI: 0000000020b76fc8 RDI: 0000000000000015 RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 00000000000004f0 R14: 00000000006fa720 R15: 0000000000000000 Uninit was stored to memory at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 ip_queue_xmit+0x1e35/0x21c0 net/ipv4/ip_output.c:502 dccp_transmit_skb+0x15eb/0x1900 net/dccp/output.c:142 dccp_xmit_packet+0x814/0x9e0 net/dccp/output.c:281 dccp_write_xmit+0x20f/0x480 net/dccp/output.c:363 dccp_sendmsg+0x12ca/0x12d0 net/dccp/proto.c:818 inet_sendmsg+0x48d/0x740 net/ipv4/af_inet.c:764 sock_sendmsg_nosec net/socket.c:630 [inline] sock_sendmsg net/socket.c:640 [inline] ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046 __sys_sendmsg net/socket.c:2080 [inline] SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091 SyS_sendmsg+0x54/0x80 net/socket.c:2087 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 Uninit was stored to memory at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_save_stack mm/kmsan/kmsan.c:293 [inline] kmsan_internal_chain_origin+0x12b/0x210 mm/kmsan/kmsan.c:684 __msan_chain_origin+0x69/0xc0 mm/kmsan/kmsan_instr.c:521 inet_csk_clone_lock+0x503/0x580 net/ipv4/inet_connection_sock.c:797 dccp_create_openreq_child+0x7f/0x890 net/dccp/minisocks.c:92 dccp_v4_request_recv_sock+0x22c/0xe90 net/dccp/ipv4.c:408 dccp_v6_request_recv_sock+0x290/0x2000 net/dccp/ipv6.c:414 dccp_check_req+0x7b9/0x8f0 net/dccp/minisocks.c:197 dccp_v4_rcv+0x12e4/0x2630 net/dccp/ipv4.c:840 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216 NF_HOOK include/linux/netfilter.h:288 [inline] ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257 dst_input include/net/dst.h:449 [inline] ip_rcv_finish+0x1253/0x16d0 
net/ipv4/ip_input.c:397 NF_HOOK include/linux/netfilter.h:288 [inline] ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562 __netif_receive_skb net/core/dev.c:4627 [inline] process_backlog+0x62d/0xe20 net/core/dev.c:5307 napi_poll net/core/dev.c:5705 [inline] net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771 __do_softirq+0x56d/0x93d kernel/softirq.c:285 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline] kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188 kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314 kmem_cache_alloc+0xaab/0xb90 mm/slub.c:2756 reqsk_alloc include/net/request_sock.h:88 [inline] inet_reqsk_alloc+0xc4/0x7f0 net/ipv4/tcp_input.c:6145 dccp_v4_conn_request+0x5cc/0x1770 net/dccp/ipv4.c:600 dccp_v6_conn_request+0x299/0x1880 net/dccp/ipv6.c:317 dccp_rcv_state_process+0x2ea/0x2410 net/dccp/input.c:612 dccp_v4_do_rcv+0x229/0x340 net/dccp/ipv4.c:682 dccp_v6_do_rcv+0x16d/0x1220 net/dccp/ipv6.c:578 sk_backlog_rcv include/net/sock.h:908 [inline] __sk_receive_skb+0x60e/0xf20 net/core/sock.c:513 dccp_v4_rcv+0x24d4/0x2630 net/dccp/ipv4.c:874 ip_local_deliver_finish+0x6ed/0xd40 net/ipv4/ip_input.c:216 NF_HOOK include/linux/netfilter.h:288 [inline] ip_local_deliver+0x43c/0x4e0 net/ipv4/ip_input.c:257 dst_input include/net/dst.h:449 [inline] ip_rcv_finish+0x1253/0x16d0 net/ipv4/ip_input.c:397 NF_HOOK include/linux/netfilter.h:288 [inline] ip_rcv+0x119d/0x16f0 net/ipv4/ip_input.c:493 __netif_receive_skb_core+0x47cf/0x4a80 net/core/dev.c:4562 __netif_receive_skb net/core/dev.c:4627 [inline] process_backlog+0x62d/0xe20 net/core/dev.c:5307 napi_poll net/core/dev.c:5705 [inline] net_rx_action+0x7c1/0x1a70 net/core/dev.c:5771 __do_softirq+0x56d/0x93d kernel/softirq.c:285 Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
f932780319 |
net: fix uninit-value in __hw_addr_add_ex()
commit 77d36398d99f2565c0a8d43a86fd520a82e64bb8 upstream. syzbot complained : BUG: KMSAN: uninit-value in memcmp+0x119/0x180 lib/string.c:861 CPU: 0 PID: 3 Comm: kworker/0:0 Not tainted 4.16.0+ #82 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 memcmp+0x119/0x180 lib/string.c:861 __hw_addr_add_ex net/core/dev_addr_lists.c:60 [inline] __dev_mc_add+0x1c2/0x8e0 net/core/dev_addr_lists.c:670 dev_mc_add+0x6d/0x80 net/core/dev_addr_lists.c:687 igmp6_group_added+0x2db/0xa00 net/ipv6/mcast.c:662 ipv6_dev_mc_inc+0xe9e/0x1130 net/ipv6/mcast.c:914 addrconf_join_solict net/ipv6/addrconf.c:2078 [inline] addrconf_dad_begin net/ipv6/addrconf.c:3828 [inline] addrconf_dad_work+0x427/0x2150 net/ipv6/addrconf.c:3954 process_one_work+0x12c6/0x1f60 kernel/workqueue.c:2113 worker_thread+0x113c/0x24f0 kernel/workqueue.c:2247 kthread+0x539/0x720 kernel/kthread.c:239 Fixes: f001fde5eadd ("net: introduce a list of device addresses dev_addr_list (v6)") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
5652aed1de |
net: initialize skb->peeked when cloning
commit b13dda9f9aa7caceeee61c080c2e544d5f5d85e5 upstream. syzbot reported __skb_try_recv_from_queue() was using skb->peeked while it was potentially uninitialized. We need to clear it in __skb_clone() Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
bf2ecb9346 |
netlink: fix uninit-value in netlink_sendmsg
commit 6091f09c2f79730d895149bcfe3d66140288cd0e upstream. syzbot reported : BUG: KMSAN: uninit-value in ffs arch/x86/include/asm/bitops.h:432 [inline] BUG: KMSAN: uninit-value in netlink_sendmsg+0xb26/0x1310 net/netlink/af_netlink.c:1851 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
19042316b9 |
kcm: Call strp_stop before strp_done in kcm_attach
commit dff8baa261174de689a44572d0ea182d7aa70598 upstream. In kcm_attach strp_done is called when sk_user_data is already set to fail the attach. strp_done needs the strp to be stopped and warns if it isn't. Call strp_stop in this case to eliminate the warning message. Reported-by: syzbot+88dfb55e4c8b770d86e3@syzkaller.appspotmail.com Fixes: e5571240236c5652f ("kcm: Check if sk_user_data already set in kcm_attach" Signed-off-by: Tom Herbert <tom@quantonium.net> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
725f5ae1a6 |
netfilter: ebtables: don't attempt to allocate 0-sized compat array
commit 3f1e53abff84cf40b1adb3455d480dd295bf42e8 upstream. Dmitry reports 32bit ebtables on 64bit kernel got broken by a recent change that returns -EINVAL when ruleset has no entries. ebtables however only counts user-defined chains, so for the initial table nentries will be 0. Don't try to allocate the compat array in this case, as no user defined rules exist no rule will need 64bit translation. Reported-by: Dmitry Vyukov <dvyukov@google.com> Fixes: 7d7d7e02111e9 ("netfilter: compat: reject huge allocation requests") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
88c43b469d |
ipvs: fix rtnl_lock lockups caused by start_sync_thread
commit 5c64576a77894a50be80be0024bed27171b55989 upstream. syzkaller reports for wrong rtnl_lock usage in sync code [1] and [2] We have 2 problems in start_sync_thread if error path is taken, eg. on memory allocation error or failure to configure sockets for mcast group or addr/port binding: 1. recursive locking: holding rtnl_lock while calling sock_release which in turn calls again rtnl_lock in ip_mc_drop_socket to leave the mcast group, as noticed by Florian Westphal. Additionally, sock_release can not be called while holding sync_mutex (ABBA deadlock). 2. task hung: holding rtnl_lock while calling kthread_stop to stop the running kthreads. As the kthreads do the same to leave the mcast group (sock_release -> ip_mc_drop_socket -> rtnl_lock) they hang. Fix the problems by calling rtnl_unlock early in the error path, now sock_release is called after unlocking both mutexes. Problem 3 (task hung reported by syzkaller [2]) is variant of problem 2: use _trylock to prevent one user to call rtnl_lock and then while waiting for sync_mutex to block kthreads that execute sock_release when they are stopped by stop_sync_thread. [1] IPVS: stopping backup sync thread 4500 ... WARNING: possible recursive locking detected 4.16.0-rc7+ #3 Not tainted -------------------------------------------- syzkaller688027/4497 is trying to acquire lock: (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 but task is already holding lock: IPVS: stopping backup sync thread 4495 ... 
(rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(rtnl_mutex); lock(rtnl_mutex); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by syzkaller688027/4497: #0: (rtnl_mutex){+.+.}, at: [<00000000bb14d7fb>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 #1: (ipvs->sync_mutex){+.+.}, at: [<00000000703f78e3>] do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388 stack backtrace: CPU: 1 PID: 4497 Comm: syzkaller688027 Not tainted 4.16.0-rc7+ #3 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x24d lib/dump_stack.c:53 print_deadlock_bug kernel/locking/lockdep.c:1761 [inline] check_deadlock kernel/locking/lockdep.c:1805 [inline] validate_chain kernel/locking/lockdep.c:2401 [inline] __lock_acquire+0xe8f/0x3e00 kernel/locking/lockdep.c:3431 lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3920 __mutex_lock_common kernel/locking/mutex.c:756 [inline] __mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893 mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908 rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 ip_mc_drop_socket+0x88/0x230 net/ipv4/igmp.c:2643 inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:413 sock_release+0x8d/0x1e0 net/socket.c:595 start_sync_thread+0x2213/0x2b70 net/netfilter/ipvs/ip_vs_sync.c:1924 do_ip_vs_set_ctl+0x1139/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2389 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1261 udp_setsockopt+0x45/0x80 net/ipv4/udp.c:2406 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2975 SYSC_setsockopt net/socket.c:1849 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1828 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 
RIP: 0033:0x446a69 RSP: 002b:00007fa1c3a64da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000446a69 RDX: 000000000000048b RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00000000006e29fc R08: 0000000000000018 R09: 0000000000000000 R10: 00000000200000c0 R11: 0000000000000246 R12: 00000000006e29f8 R13: 00676e697279656b R14: 00007fa1c3a659c0 R15: 00000000006e2b60 [2] IPVS: sync thread started: state = BACKUP, mcast_ifn = syz_tun, syncid = 4, id = 0 IPVS: stopping backup sync thread 25415 ... INFO: task syz-executor7:25421 blocked for more than 120 seconds. Not tainted 4.16.0-rc6+ #284 "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. syz-executor7 D23688 25421 4408 0x00000004 Call Trace: context_switch kernel/sched/core.c:2862 [inline] __schedule+0x8fb/0x1ec0 kernel/sched/core.c:3440 schedule+0xf5/0x430 kernel/sched/core.c:3499 schedule_timeout+0x1a3/0x230 kernel/time/timer.c:1777 do_wait_for_common kernel/sched/completion.c:86 [inline] __wait_for_common kernel/sched/completion.c:107 [inline] wait_for_common kernel/sched/completion.c:118 [inline] wait_for_completion+0x415/0x770 kernel/sched/completion.c:139 kthread_stop+0x14a/0x7a0 kernel/kthread.c:530 stop_sync_thread+0x3d9/0x740 net/netfilter/ipvs/ip_vs_sync.c:1996 do_ip_vs_set_ctl+0x2b1/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2394 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ip_setsockopt+0x97/0xa0 net/ipv4/ip_sockglue.c:1253 sctp_setsockopt+0x2ca/0x63e0 net/sctp/socket.c:4154 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:3039 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1829 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x454889 RSP: 002b:00007fc927626c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007fc9276276d4 RCX: 0000000000454889 RDX: 
000000000000048c RSI: 0000000000000000 RDI: 0000000000000017 RBP: 000000000072bf58 R08: 0000000000000018 R09: 0000000000000000 R10: 0000000020000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000051c R14: 00000000006f9b40 R15: 0000000000000001 Showing all locks held in the system: 2 locks held by khungtaskd/868: #0: (rcu_read_lock){....}, at: [<00000000a1a8f002>] check_hung_uninterruptible_tasks kernel/hung_task.c:175 [inline] #0: (rcu_read_lock){....}, at: [<00000000a1a8f002>] watchdog+0x1c5/0xd60 kernel/hung_task.c:249 #1: (tasklist_lock){.+.+}, at: [<0000000037c2f8f9>] debug_show_all_locks+0xd3/0x3d0 kernel/locking/lockdep.c:4470 1 lock held by rsyslogd/4247: #0: (&f->f_pos_lock){+.+.}, at: [<000000000d8d6983>] __fdget_pos+0x12b/0x190 fs/file.c:765 2 locks held by getty/4338: #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>] ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>] n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131 2 locks held by getty/4339: #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>] ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>] n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131 2 locks held by getty/4340: #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>] ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>] n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131 2 locks held by getty/4341: #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>] ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>] n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131 2 locks held by getty/4342: #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>] ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>] n_tty_read+0x2ef/0x1a40 
drivers/tty/n_tty.c:2131 2 locks held by getty/4343: #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>] ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>] n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131 2 locks held by getty/4344: #0: (&tty->ldisc_sem){++++}, at: [<00000000bee98654>] ldsem_down_read+0x37/0x40 drivers/tty/tty_ldsem.c:365 #1: (&ldata->atomic_read_lock){+.+.}, at: [<00000000c1d180aa>] n_tty_read+0x2ef/0x1a40 drivers/tty/n_tty.c:2131 3 locks held by kworker/0:5/6494: #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: [<00000000a062b18e>] work_static include/linux/workqueue.h:198 [inline] #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: [<00000000a062b18e>] set_work_data kernel/workqueue.c:619 [inline] #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: [<00000000a062b18e>] set_work_pool_and_clear_pending kernel/workqueue.c:646 [inline] #0: ((wq_completion)"%s"("ipv6_addrconf")){+.+.}, at: [<00000000a062b18e>] process_one_work+0xb12/0x1bb0 kernel/workqueue.c:2084 #1: ((addr_chk_work).work){+.+.}, at: [<00000000278427d5>] process_one_work+0xb89/0x1bb0 kernel/workqueue.c:2088 #2: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 1 lock held by syz-executor7/25421: #0: (ipvs->sync_mutex){+.+.}, at: [<00000000d414a689>] do_ip_vs_set_ctl+0x277/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2393 2 locks held by syz-executor7/25427: #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 #1: (ipvs->sync_mutex){+.+.}, at: [<00000000e6d48489>] do_ip_vs_set_ctl+0x10f8/0x1cc0 net/netfilter/ipvs/ip_vs_ctl.c:2388 1 lock held by syz-executor7/25435: #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 1 lock held by ipvs-b:2:0/25415: #0: (rtnl_mutex){+.+.}, at: [<00000000066e35ac>] rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74 Reported-and-tested-by: 
syzbot+a46d6abf9d56b1365a72@syzkaller.appspotmail.com Reported-and-tested-by: syzbot+5fe074c01b2032ce9618@syzkaller.appspotmail.com Fixes: e0b26cc997d5 ("ipvs: call rtnl_lock early") Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Cc: Zubin Mithra <zsm@chromium.org> Cc: Guenter Roeck <groeck@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
80a19ad27e |
qrtr: Return success if control port is not bound
If a port tries to send a message before the name service binds to the control port, then that message should succeed. This will allow clients to operate normally until the name service comes online and causes a net reset to restart all the ports. Change-Id: Ica0a5e45df0e51f282e5bf426d11ff8e41b339c4 Signed-off-by: Chris Lew <clew@codeaurora.org> |
||
|
ba158199b5 | Merge "qrtr: mhi: Configure IPC mhi channel to autostart" | ||
|
0991515009 |
qrtr: mhi: Configure IPC mhi channel to autostart
MHI will autostart the channel after the probe returns. This removes the race where packets can be received while the probe is running. Change-Id: I057621f283e71b1901d4b2d6a299964f0345a384 Signed-off-by: Chris Lew <clew@codeaurora.org> |
||
|
1cc0e6eea6 |
udp: Complement partial checksum for GSO packet
Using the udp_v4_check() function to calculate the pseudo header for the newly segmented UDP packets results in assigning the complement of the value to the UDP header checksum field. Always undo the complement the partial checksum value in order to match the case where GSO is not used on the UDP transmit path. Change-Id: Iba9e8f1e7a2a134bcac02b8f366755e6b2e03fb5 Fixes: ee80d1ebe5ba ("udp: add udp gso") Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> Acked-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Git-commit: 6c035ba7e73aba4536a1112f9a0901ab40aab460 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
||
|
d60dea9270 |
udp: add gso support to virtual devices
Virtual devices such as tunnels and bonding can handle large packets. Only segment packets when reaching a physical or loopback device. Change-Id: I70a98ff455780a45ce3baea7b97e823716509802 Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Git-commit: 83aa025f535f76733e334e3d2a4d8577c8441a7e Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
||
|
fcfec3354b |
udp: add gso segment cmsg
Allow specifying segment size in the send call. The new control message performs the same function as socket option UDP_SEGMENT while avoiding the extra system call. Change-Id: I335dfba959d264ee181f6bc8da29cebb7685e7e1 Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Git-commit: 2e8de8576343ab540856082916bfb84d17288b08 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
||
|
8ca26b213a |
udp: paged allocation with gso
When sending large datagrams that are later segmented, store data in page frags to avoid copying from linear in skb_segment. Change-Id: Iac57a69872655bc4f375260ddb2c9f0f06153cf4 Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Git-commit: 15e36f5b8e982debe43e425d2e12d34e022d51e9 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
||
|
fa5b13be92 |
udp: better wmem accounting on gso
skb_segment by default transfers allocated wmem from the gso skb to the tail of the segment list. This underreports real truesize of the list, especially if the tail might be dropped. Similar to tcp_gso_segment, update wmem_alloc with the aggregate list truesize and make each segment responsible for its own share by setting skb->destructor. Clear gso_skb->destructor prior to calling skb_segment to skip the default assignment to tail. Change-Id: I8f36b6d134f35fa9e4cbb012fcc9a3efcc91ba55 Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Git-commit: ad405857b174ed31a97982bb129c320d03321cf5 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
||
|
b667d4d62c |
udp: generate gso with UDP_SEGMENT
Support generic segmentation offload for udp datagrams. Callers can concatenate and send at once the payload of multiple datagrams with the same destination. To set segment size, the caller sets socket option UDP_SEGMENT to the length of each discrete payload. This value must be smaller than or equal to the relevant MTU. A follow-up patch adds cmsg UDP_SEGMENT to specify segment size on a per send call basis. Total byte length may then exceed MTU. If not an exact multiple of segment size, the last segment will be shorter. The implementation adds a gso_size field to the udp socket, ip(v6) cmsg cookie and inet_cork structure to be able to set the value at setsockopt or cmsg time and to work with both lockless and corked paths. Initial benchmark numbers show UDP GSO about as expensive as TCP GSO. tcp tso 3197 MB/s 54232 msg/s 54232 calls/s 6,457,754,262 cycles tcp gso 1765 MB/s 29939 msg/s 29939 calls/s 11,203,021,806 cycles tcp without tso/gso * 739 MB/s 12548 msg/s 12548 calls/s 11,205,483,630 cycles udp 876 MB/s 14873 msg/s 624666 calls/s 11,205,777,429 cycles udp gso 2139 MB/s 36282 msg/s 36282 calls/s 11,204,374,561 cycles [*] after reverting commit 0a6b2a1dc2a2 ("tcp: switch to GSO being always on") Measured total system cycles ('-a') for one core while pinning both the network receive path and benchmark process to that core: perf stat -a -C 12 -e cycles \ ./udpgso_bench_tx -C 12 -4 -D "$DST" -l 4 Note the reduction in calls/s with GSO. Bytes per syscall drops increases from 1470 to 61818. Change-Id: I0a51351c8ccb5d77eb5cdedbb9ee9e49d34832cb Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Git-commit: bec1f6f697362c5bc635dacd7ac8499d0a10a4e7 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
||
|
42d65f0675 |
udp: add udp gso
Implement generic segmentation offload support for udp datagrams. A follow-up patch adds support to the protocol stack to generate such packets. UDP GSO is not UFO. UFO fragments a single large datagram. GSO splits a large payload into a number of discrete UDP datagrams. The implementation adds a GSO type SKB_UDP_GSO_L4 to differentiate it from UFO (SKB_UDP_GSO). IPPROTO_UDPLITE is excluded, as that protocol has no gso handler registered. Change-Id: Iff5e2f40ba816b4ee6675fa5a8f47d78c2ba91cb Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Git-commit: ee80d1ebe5ba7f4bd74959c873119175a4fc08d3 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
||
|
f9cf7b56e3 |
udp: expose inet cork to udp
UDP segmentation offload needs access to inet_cork in the udp layer. Pass the struct to ip(6)_make_skb instead of allocating it on the stack in that function itself. This patch is a noop otherwise. Change-Id: I75917a4f2f27aa26133d466663913fec4ae48470 Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Git-commit: 1cd7884dfd78df6284d27b008823b0b4a808f196 Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
||
|
c89418ee18 |
This is the 4.14.40 stable release
Merge 4.14.40 into android-4.14 Changes in 4.14.40 geneve: update skb dst pmtu on tx path net: don't call update_pmtu unconditionally percpu: include linux/sched.h for cond_resched() crypto: talitos - fix IPsec cipher in length ACPI / button: make module loadable when booted in non-ACPI mode USB: serial: option: Add support for Quectel EP06 ALSA: hda - Fix incorrect usage of IS_REACHABLE() ALSA: pcm: Check PCM state at xfern compat ioctl ALSA: seq: Fix races at MIDI encoding in snd_virmidi_output_trigger() ALSA: dice: fix kernel NULL pointer dereference due to invalid calculation for array index ALSA: aloop: Mark paused device as inactive ALSA: aloop: Add missing cable lock to ctl API callbacks tracepoint: Do not warn on ENOMEM scsi: target: Fix fortify_panic kernel exception Input: leds - fix out of bound access Input: atmel_mxt_ts - add touchpad button mapping for Samsung Chromebook Pro rtlwifi: btcoex: Add power_on_setting routine rtlwifi: cleanup 8723be ant_sel definition xfs: prevent creating negative-sized file via INSERT_RANGE RDMA/cxgb4: release hw resources on device removal RDMA/ucma: Allow resolving address w/o specifying source address
RDMA/mlx5: Fix multiple NULL-ptr deref errors in rereg_mr flow RDMA/mlx5: Protect from shift operand overflow NET: usb: qmi_wwan: add support for ublox R410M PID 0x90b2 IB/mlx5: Use unlimited rate when static rate is not supported IB/hfi1: Fix handling of FECN marked multicast packet IB/hfi1: Fix loss of BECN with AHG IB/hfi1: Fix NULL pointer dereference when invalid num_vls is used iw_cxgb4: Atomically flush per QP HW CQEs drm/vmwgfx: Fix a buffer object leak drm/bridge: vga-dac: Fix edid memory leak test_firmware: fix setting old custom fw path back on exit, second try errseq: Always report a writeback error once USB: serial: visor: handle potential invalid device configuration usb: dwc3: gadget: Fix list_del corruption in dwc3_ep_dequeue USB: Accept bulk endpoints with 1024-byte maxpacket USB: serial: option: reimplement interface masking USB: serial: option: adding support for ublox R410M usb: musb: host: fix potential NULL pointer dereference usb: musb: trace: fix NULL pointer dereference in musb_g_tx() platform/x86: asus-wireless: Fix NULL pointer dereference irqchip/qcom: Fix check for spurious interrupts tracing: Fix bad use of igrab in trace_uprobe.c Linux 4.14.40 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
6a3c946b20 |
net: don't call update_pmtu unconditionally
commit f15ca723c1ebe6c1a06bc95fda6b62cd87b44559 upstream. Some dst_ops (e.g. md_dst_ops) don't set this handler. It may result in: "BUG: unable to handle kernel NULL pointer dereference at (null)" Let's add a helper to check if update_pmtu is available before calling it. Fixes: 52a589d51f10 ("geneve: update skb dst pmtu on tx path") Fixes: a93bf0ff4490 ("vxlan: update skb dst pmtu on tx path") CC: Roman Kapl <code@rkapl.cz> CC: Xin Long <lucien.xin@gmail.com> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com> Signed-off-by: David S. Miller <davem@davemloft.net> Cc: Thomas Deutschmann <whissi@gentoo.org> Cc: Eddie Chapman <eddie@ehuk.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
4198ae27ad | Merge "qrtr: Initialize the local nid to 1" | ||
|
26603b7a42 | Merge "qrtr: Only broadcast to initialized nodes" | ||
|
2e8ba493a3 | Merge "qrtr: Rename qrtr_all_nodes to qrtr_all_epts" | ||
|
abd3961d05 |
qrtr: Only broadcast to initialized nodes
Messages should only be broadcasted on nodes that have finished the HELLO packet handshake. Ensure that the HELLO packet has been received before broadcasting a control message to that node. Change-Id: Id2f26c088a1a41a391c936cde9fb251c0b0c2144 Signed-off-by: Chris Lew <clew@codeaurora.org> |
||
|
e0aacc3443 |
qrtr: Align header and payload
Remote IPC Router drivers expect the received packet to be aligned. This case is only exposed using the MHI transport because it does not ensure the packet will be received as one chunk like RPMSG GLINK. Change-Id: I0e5c27e3c5896e6721c8bbbfcda29551f0968626 Signed-off-by: Chris Lew <clew@codeaurora.org> |
||
|
04a9ef2957 |
qrtr: Initialize the local nid to 1
Android restrictions prevent the usage of NET_ADMIN so QRTR can not be correctly configured to node id 1 on Android targets. Init the local nid to 1 so it does not need to be configured by the ns. Change-Id: I679626c7b96aa7a074c69cc4fdc806a5dbde4639 Signed-off-by: Chris Lew <clew@codeaurora.org> |
||
|
8cfb73341f |
Merge remote-tracking branch 'remotes/origin/tmp-c50e5cb' into msm-4.14
* remotes/origin/tmp-c50e5cb: Linux 4.14.39 powerpc/eeh: Fix race with driver un/bind arm/arm64: KVM: Add PSCI version selection API tick/sched: Do not mess with an enqueued hrtimer x86/microcode: Do not exit early from __reload_late() x86/microcode/intel: Save microcode patch unconditionally x86/smpboot: Don't use mwait_play_dead() on AMD systems x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds tools/lib/subcmd/pager.c: do not alias select() params objtool, perf: Fix GCC 8 -Wrestrict error drm/i915: Enable display WA#1183 from its correct spot drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops cpufreq: powernv: Fix hardlockup due to synchronous smp_call in timer interrupt earlycon: Use a pointer table to fix __earlycon_table stride fpga-manager: altera-ps-spi: preserve nCONFIG state libceph: validate con->state at the top of try_write() libceph: reschedule a tick in finish_hunting() libceph: un-backoff on tick when we have a authenticated session ASoC: fsl_esai: Fix divisor calculation failure at lower ratio crypto: drbg - set freed buffers to NULL powerpc/powernv/npu: Do a PID GPU TLB flush when invalidating a large address range powerpc/mm: Flush cache on memory hot(un)plug KVM: arm/arm64: Close VMID generation race ARM: socfpga_defconfig: Remove QSPI Sector 4K size force ARM: amba: Don't read past the end of sysfs "driver_override" buffer ARM: amba: Fix race condition with driver_override ARM: amba: Make driver_override output consistent with other buses PCI: aardvark: Fix PCIe Max Read Request Size setting PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq mode PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf() PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf() ANDROID: binder: prevent transactions into own process. 
vfio: ccw: process ssch with interrupts disabled bfq-iosched: ensure to clear bic/bfqq pointers when preparing request scsi: sd: Defer spinning up drive while SANITIZE is in progress kobject: don't use WARN for registration failures mtd: rawnand: tango: Fix struct clk memory leak mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block. mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug. mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block. mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic ALSA: hda/realtek - change the location for one of two front mics ALSA: hda/realtek - Update ALC255 depop optimize ALSA: hda/realtek - Add some fixes for ALC233 ALSA: hda: Hardening for potential Spectre v1 ALSA: seq: oss: Hardening for potential Spectre v1 ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY. ALSA: control: Hardening for potential Spectre v1 ALSA: rme9652: Hardening for potential Spectre v1 ALSA: hdspm: Hardening for potential Spectre v1 ALSA: asihpi: Hardening for potential Spectre v1 ALSA: opl3: Hardening for potential Spectre v1 ALSA: hda - Skip jack and others for non-existing PCM streams ALSA: dice: fix error path to destroy initialized stream data ALSA: dice: fix OUI for TC group tty: Use __GFP_NOFAIL for tty_ldisc_get() tty: Avoid possible error pointer dereference at tty_ldisc_restore(). 
tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set tty: n_gsm: Fix long delays with control frame timeouts in ADM mode tty: Don't call panic() at tty_ldisc_init() drm/virtio: fix vq wait_event condition virtio_console: reset on out of memory virtio_console: move removal code virtio_console: drop custom control queue cleanup virtio_console: free buffers after reset virtio_console: don't tie bufs to a vq virtio: add ability to iterate over vqs ALSA: usb-audio: Skip broken EU on Dell dock USB-audio USB: Increment wakeup count on remote wakeup. usb: core: Add quirk for HP v222w 16GB Mini usb: typec: ucsi: Increase command completion timeout value USB: serial: cp210x: add ID for NI USB serial console USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster USB: serial: simple: add libtransistor console xhci: Fix USB ports for Dell Inspiron 5775 Revert "xhci: plat: Register shutdown for xhci_plat" usbip: vhci_hcd: check rhport before using in vhci_hub_control() usbip: vhci_hcd: Fix usb device and sockfd leaks usbip: usbip_host: fix to hold parent lock for device_attach() calls usbip: usbip_event: fix to not print kernel pointer address random: rate limit unseeded randomness warnings random: fix possible sleeping allocation from irq context random: set up the NUMA crng instances after the CRNG is fully initialized ext4: fix bitmap position validation ext4: add validity checks for bitmap block numbers ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs ext4: set h_journal if there is a failure starting a reserved handle ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS cfi: print target address on failure Change-Id: I9a3d0c10b1a2d2c28872401cb656d490604352a7 Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org> |
||
|
72f2215d87 |
qrtr: Rename qrtr_all_nodes to qrtr_all_epts
The node list only represents the adjacent nodes in the system. Rename the list to qrtr_all_epts to better describe the list contents. Change-Id: I168ca597d5b9b30d6c064c2a56b6e8b2dffa387b Signed-off-by: Chris Lew <clew@codeaurora.org> |
||
|
a98b7115c2 |
qrtr: Add support for multiple nodes on a single ept
An ept can be associated with multiple node ids in network. The node tree should keep track of how to send to a specific node id whereas the node list should keep track of all the adjacent nodes in the network. Use the node list to broadcast control messages to adjacent nodes. Change-Id: If0f4828da149b6e590525518a8410f497f5e3894 Signed-off-by: Chris Lew <clew@codeaurora.org> |
||
|
c50e5cb3fa |
This is the 4.14.39 stable release
Merge 4.14.39 into android-4.14 Changes in 4.14.39 ext4: prevent right-shifting extents beyond EXT_MAX_BLOCKS ext4: set h_journal if there is a failure starting a reserved handle ext4: add MODULE_SOFTDEP to ensure crc32c is included in the initramfs ext4: add validity checks for bitmap block numbers ext4: fix bitmap position validation random: set up the NUMA crng instances after the CRNG is fully initialized random: fix possible sleeping allocation from irq context random: rate limit unseeded randomness warnings usbip: usbip_event: fix to not print kernel pointer address usbip: usbip_host: fix to hold parent lock for device_attach() calls usbip: vhci_hcd: Fix usb device and sockfd leaks usbip: vhci_hcd: check rhport before using in vhci_hub_control() Revert "xhci: plat: Register shutdown for xhci_plat" xhci: Fix USB ports for Dell Inspiron 5775 USB: serial: simple: add libtransistor console USB: serial: ftdi_sio: use jtag quirk for Arrow USB Blaster USB: serial: cp210x: add ID for NI USB serial console usb: typec: ucsi: Increase command completion timeout value usb: core: Add quirk for HP v222w 16GB Mini USB: Increment wakeup count on remote
wakeup. ALSA: usb-audio: Skip broken EU on Dell dock USB-audio virtio: add ability to iterate over vqs virtio_console: don't tie bufs to a vq virtio_console: free buffers after reset virtio_console: drop custom control queue cleanup virtio_console: move removal code virtio_console: reset on out of memory drm/virtio: fix vq wait_event condition tty: Don't call panic() at tty_ldisc_init() tty: n_gsm: Fix long delays with control frame timeouts in ADM mode tty: n_gsm: Fix DLCI handling for ADM mode if debug & 2 is not set tty: Avoid possible error pointer dereference at tty_ldisc_restore(). tty: Use __GFP_NOFAIL for tty_ldisc_get() ALSA: dice: fix OUI for TC group ALSA: dice: fix error path to destroy initialized stream data ALSA: hda - Skip jack and others for non-existing PCM streams ALSA: opl3: Hardening for potential Spectre v1 ALSA: asihpi: Hardening for potential Spectre v1 ALSA: hdspm: Hardening for potential Spectre v1 ALSA: rme9652: Hardening for potential Spectre v1 ALSA: control: Hardening for potential Spectre v1 ALSA: pcm: Return negative delays from SNDRV_PCM_IOCTL_DELAY. ALSA: core: Report audio_tstamp in snd_pcm_sync_ptr ALSA: seq: oss: Fix unbalanced use lock for synth MIDI device ALSA: seq: oss: Hardening for potential Spectre v1 ALSA: hda: Hardening for potential Spectre v1 ALSA: hda/realtek - Add some fixes for ALC233 ALSA: hda/realtek - Update ALC255 depop optimize ALSA: hda/realtek - change the location for one of two front mics mtd: spi-nor: cadence-quadspi: Fix page fault kernel panic mtd: cfi: cmdset_0001: Do not allow read/write to suspend erase block. mtd: cfi: cmdset_0001: Workaround Micron Erase suspend bug. mtd: cfi: cmdset_0002: Do not allow read/write to suspend erase block. 
mtd: rawnand: tango: Fix struct clk memory leak kobject: don't use WARN for registration failures scsi: sd: Defer spinning up drive while SANITIZE is in progress bfq-iosched: ensure to clear bic/bfqq pointers when preparing request vfio: ccw: process ssch with interrupts disabled ANDROID: binder: prevent transactions into own process. PCI: aardvark: Fix logic in advk_pcie_{rd,wr}_conf() PCI: aardvark: Set PIO_ADDR_LS correctly in advk_pcie_rd_conf() PCI: aardvark: Use ISR1 instead of ISR0 interrupt in legacy irq mode PCI: aardvark: Fix PCIe Max Read Request Size setting ARM: amba: Make driver_override output consistent with other buses ARM: amba: Fix race condition with driver_override ARM: amba: Don't read past the end of sysfs "driver_override" buffer ARM: socfpga_defconfig: Remove QSPI Sector 4K size force KVM: arm/arm64: Close VMID generation race powerpc/mm: Flush cache on memory hot(un)plug powerpc/powernv/npu: Do a PID GPU TLB flush when invalidating a large address range crypto: drbg - set freed buffers to NULL ASoC: fsl_esai: Fix divisor calculation failure at lower ratio libceph: un-backoff on tick when we have a authenticated session libceph: reschedule a tick in finish_hunting() libceph: validate con->state at the top of try_write() fpga-manager: altera-ps-spi: preserve nCONFIG state earlycon: Use a pointer table to fix __earlycon_table stride cpufreq: powernv: Fix hardlockup due to synchronous smp_call in timer interrupt rtc: opal: Fix OPAL RTC driver OPAL_BUSY loops drm/amdgpu: set COMPUTE_PGM_RSRC1 for SGPR/VGPR clearing shaders drm/i915: Enable display WA#1183 from its correct spot objtool, perf: Fix GCC 8 -Wrestrict error tools/lib/subcmd/pager.c: do not alias select() params x86/ipc: Fix x32 version of shmid64_ds and msqid64_ds x86/smpboot: Don't use mwait_play_dead() on AMD systems x86/microcode/intel: Save microcode patch unconditionally x86/microcode: Do not exit early from __reload_late() tick/sched: Do not mess with an enqueued hrtimer 
arm/arm64: KVM: Add PSCI version selection API powerpc/eeh: Fix race with driver un/bind Linux 4.14.39 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
7563d6f2be |
libceph: validate con->state at the top of try_write()
commit 9c55ad1c214d9f8c4594ac2c3fa392c1c32431a7 upstream.
ceph_con_workfn() validates con->state before calling try_read() and then try_write(). However, try_read() temporarily releases con->mutex, notably in process_message() and ceph_con_in_msg_alloc(), opening the window for ceph_con_close() to sneak in, close the connection and release con->sock. When try_write() is called on the assumption that con->state is still valid (i.e. not STANDBY or CLOSED), a NULL sock gets passed to the networking stack:
  BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
  IP: selinux_socket_sendmsg+0x5/0x20
Make sure con->state is valid at the top of try_write() and add an explicit BUG_ON for this, similar to try_read().
Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/23706
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
c2bc3eb559 |
libceph: reschedule a tick in finish_hunting()
commit 7b4c443d139f1d2b5570da475f7a9cbcef86740c upstream.
If we go without an established session for a while, backoff delay will climb to 30 seconds. The keepalive timeout is also 30 seconds, so it's pretty easily hit after a prolonged hunting for a monitor: we don't get a chance to send out a keepalive in time, which means we never get back a keepalive ack in time, cutting an established session and attempting to connect to a different monitor every 30 seconds:
  [Sun Apr 1 23:37:05 2018] libceph: mon0 10.80.20.99:6789 session established
  [Sun Apr 1 23:37:36 2018] libceph: mon0 10.80.20.99:6789 session lost, hunting for new mon
  [Sun Apr 1 23:37:36 2018] libceph: mon2 10.80.20.103:6789 session established
  [Sun Apr 1 23:38:07 2018] libceph: mon2 10.80.20.103:6789 session lost, hunting for new mon
  [Sun Apr 1 23:38:07 2018] libceph: mon1 10.80.20.100:6789 session established
  [Sun Apr 1 23:38:37 2018] libceph: mon1 10.80.20.100:6789 session lost, hunting for new mon
  [Sun Apr 1 23:38:37 2018] libceph: mon2 10.80.20.103:6789 session established
  [Sun Apr 1 23:39:08 2018] libceph: mon2 10.80.20.103:6789 session lost, hunting for new mon
The regular keepalive interval is 10 seconds. After ->hunting is cleared in finish_hunting(), call __schedule_delayed() to ensure we send out a keepalive after 10 seconds.
Cc: stable@vger.kernel.org # 4.7+
Link: http://tracker.ceph.com/issues/23537
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Reviewed-by: Jason Dillaman <dillaman@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
76f7b52b5b |
libceph: un-backoff on tick when we have a authenticated session
commit facb9f6eba3df4e8027301cc0e514dc582a1b366 upstream. This means that if we do some backoff, then authenticate, and are healthy for an extended period of time, a subsequent failure won't leave us starting our hunting sequence with a large backoff. Mirrors ceph.git commit d466bc6e66abba9b464b0b69687cf45c9dccf383. Cc: stable@vger.kernel.org # 4.7+ Signed-off-by: Ilya Dryomov <idryomov@gmail.com> Reviewed-by: Jason Dillaman <dillaman@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
2f44069aee |
Merge remote-tracking branch 'remotes/origin/tmp-3f8d191' into msm-4.14
* remotes/origin/tmp-3f8d191: Linux 4.14.38 ACPI / video: Only default only_lcd to true on Win8-ready _desktops_ s390/uprobes: implement arch_uretprobe_is_alive() s390/dasd: fix IO error for newly defined devices s390/cio: update chpid descriptor after resource accessibility event tracing: Fix missing tab for hwlat_detector print format block/swim: Fix IO error at end of medium block/swim: Fix array bounds check block/swim: Select appropriate drive on device open block/swim: Rename macros to avoid inconsistent inverted logic block/swim: Remove extra put_disk() call from error path block/swim: Don't log an error message for an invalid ioctl block/swim: Check drive type m68k/mac: Don't remap SWIM MMIO region fsnotify: Fix fsnotify_mark_connector race cdrom: information leak in cdrom_ioctl_media_changed() scsi: mptsas: Disable WRITE SAME commoncap: Handle memory allocation failure. Revert "mm/hmm: fix header file if/else/endif maze" arm64: dts: rockchip: remove vdd_log from rk3399-puma microblaze: Setup dependencies for ASM optimized lib functions s390: correct module section names for expoline code revert s390: correct nospec auto detection init order s390: add sysfs attributes for spectre s390: report spectre mitigation via syslog s390: add automatic detection of the spectre defense s390: move nobp parameter functions to nospec-branch.c s390/entry.S: fix spurious zeroing of r0 s390: do not bypass BPENTER for interrupt system calls s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*) KVM: s390: force bp isolation for VSIE s390: introduce execute-trampolines for branches s390: run user space and KVM guests with modified branch prediction s390: add options to change branch prediction behaviour for the kernel s390/alternative: use a copy of the facility bit mask s390: add optimized array_index_mask_nospec s390: scrub registers on kernel entry and KVM exit KVM: s390: wire up bpb feature s390: enable CPU alternatives unconditionally s390: introduce CPU 
alternatives virtio_net: fix adding vids on big-endian virtio_net: split out ctrl buffer net: ethernet: ti: cpsw: fix tx vlan priority mapping llc: fix NULL pointer deref for SOCK_ZAPPED llc: hold llc_sap before release_sock() net: sched: ife: check on metadata length net: sched: ife: handle malformed tlv length tcp: clear tp->packets_out when purging write queue net: sched: ife: signal not finding metaid strparser: Fix incorrect strp->need_bytes value. amd-xgbe: Only use the SFP supported transceiver signals strparser: Do not call mod_delayed_work with a timeout of LONG_MAX amd-xgbe: Improve KR auto-negotiation and training sctp: do not check port in sctp_inet6_cmp_addr amd-xgbe: Add pre/post auto-negotiation phy hooks vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi pppoe: check sockaddr length in pppoe_connect() tipc: add policy for TIPC_NLA_NET_ADDR packet: fix bitfield update race team: fix netconsole setup over team net/smc: fix shutdown in state SMC_LISTEN team: avoid adding twice the same option to the event list net: fix deadlock while clearing neighbor proxy table tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets net: af_packet: fix race in PACKET_{R|T}X_RING tcp: don't read out-of-bounds opsize llc: delete timers synchronously in llc_sk_free() net: validate attribute sizes in neigh_dump_table() l2tp: check sockaddr length in pppol2tp_connect() KEYS: DNS: limit the length of option strings ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave Revert "ath10k: send (re)assoc peer command when NSS changed" tpm: add retry logic tpm: tpm-interface: fix tpm_transmit/_cmd kdoc tpm: cmd_ready command can be issued only after granting locality i40e: Fix attach VF to VM issue drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson GX SoCs Revert "pinctrl: intel: 
Initialize GPIO properly when used through irqchip" ANDROID: staging: lustre: fix filler function type ANDROID: fs: gfs2: fix filler function type ANDROID: fs: exofs: fix filler function type ANDROID: fs: afs: fix filler function type ANDROID: fs: nfs: fix filler function type ANDROID: fs: fuse: fix filler function type mismatch ANDROID: mm: fix filler function type mismatch ANDROID: media-device: fix ioctl function types ANDROID: v4l2-ioctl: fix function types for IOCTL_INFO_STD ANDROID: arch/arm64/crypto: fix CFI in SHA CE ANDROID: arm64: kvm: disable CFI ANDROID: arm64: mark kpti_install_ng_mappings as __nocfi ANDROID: arm64: disable CFI for cpu_replace_ttbr1 ANDROID: kallsyms: strip the .cfi postfix from symbols with CONFIG_CFI_CLANG ANDROID: add support for clang Control Flow Integrity (CFI) ANDROID: HACK: init: ensure initcall ordering with LTO ANDROID: drivers/misc: disable LTO for lkdtm_rodata.o ANDROID: arm64: vdso: disable LTO FROMLIST: arm64: select ARCH_SUPPORTS_LTO_CLANG FROMLIST: arm64: disable RANDOMIZE_MODULE_REGION_FULL with LTO_CLANG ANDROID: arm64: disable ARM64_ERRATUM_843419 for clang LTO ANDROID: arm64: pass code model to LLVMgold FROMLIST: arm64: make mrs_s and msr_s macros work with LTO FROMLIST: efi/libstub: disable LTO FROMLIST: scripts/mod: disable LTO for empty.c FROMLIST: kbuild: fix dynamic ftrace with clang LTO FROMLIST: kbuild: add support for clang LTO FROMLIST: arm64: fix -m for GNU gold FROMLIST: arm64: add a workaround for GNU gold with ARM64_MODULE_PLTS FROMLIST: arm64: explicitly pass --no-fix-cortex-a53-843419 to GNU gold FROMLIST: kbuild: add __ld-ifversion and linker-specific macros FROMLIST: kbuild: add ld-name macro FROMLIST: arm64: keep .altinstructions and .altinstr_replacement ANDROID: arm64: fix LD_DEAD_CODE_DATA_ELIMINATION FROMLIST: kbuild: fix LD_DEAD_CODE_DATA_ELIMINATION FROMLIST: kbuild: add __cc-ifversion and compiler-specific variants UPSTREAM: console: Drop added "static" for newport_con UPSTREAM: tracing: 
always define trace_{irq,preempt}_{enable_disable} Conflicts: Makefile Change-Id: Ied1a215e68f428eff9c1911491a4e364ffd1f679 Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org> |
||
|
3f8d1912e9 |
This is the 4.14.38 stable release
Merge 4.14.38 into android-4.14 Changes in 4.14.38 Revert "pinctrl: intel: Initialize GPIO properly when used through irqchip" drm: bridge: dw-hdmi: Fix overflow workaround for Amlogic Meson GX SoCs i40e: Fix attach VF to VM issue tpm: cmd_ready command can be issued only after granting locality tpm: tpm-interface: fix tpm_transmit/_cmd kdoc tpm: add retry logic Revert "ath10k: send (re)assoc peer command when NSS changed" bonding: do not set slave_dev npinfo before slave_enable_netpoll in bond_enslave ipv6: add RTA_TABLE and RTA_PREFSRC to rtm_ipv6_policy ipv6: sr: fix NULL pointer dereference in seg6_do_srh_encap()- v4 pkts KEYS: DNS: limit the length of option strings l2tp: check sockaddr length in pppol2tp_connect() net: validate attribute sizes in neigh_dump_table() llc: delete timers synchronously in llc_sk_free() tcp: don't read out-of-bounds opsize net: af_packet: fix race in PACKET_{R|T}X_RING tcp: md5: reject TCP_MD5SIG or TCP_MD5SIG_EXT on established sockets net: fix deadlock while clearing neighbor proxy table team: avoid adding twice the same option to the event list net/smc: fix shutdown in state SMC_LISTEN team: fix netconsole setup
over team packet: fix bitfield update race tipc: add policy for TIPC_NLA_NET_ADDR pppoe: check sockaddr length in pppoe_connect() vlan: Fix reading memory beyond skb->tail in skb_vlan_tagged_multi amd-xgbe: Add pre/post auto-negotiation phy hooks sctp: do not check port in sctp_inet6_cmp_addr amd-xgbe: Improve KR auto-negotiation and training strparser: Do not call mod_delayed_work with a timeout of LONG_MAX amd-xgbe: Only use the SFP supported transceiver signals strparser: Fix incorrect strp->need_bytes value. net: sched: ife: signal not finding metaid tcp: clear tp->packets_out when purging write queue net: sched: ife: handle malformed tlv length net: sched: ife: check on metadata length llc: hold llc_sap before release_sock() llc: fix NULL pointer deref for SOCK_ZAPPED net: ethernet: ti: cpsw: fix tx vlan priority mapping virtio_net: split out ctrl buffer virtio_net: fix adding vids on big-endian s390: introduce CPU alternatives s390: enable CPU alternatives unconditionally KVM: s390: wire up bpb feature s390: scrub registers on kernel entry and KVM exit s390: add optimized array_index_mask_nospec s390/alternative: use a copy of the facility bit mask s390: add options to change branch prediction behaviour for the kernel s390: run user space and KVM guests with modified branch prediction s390: introduce execute-trampolines for branches KVM: s390: force bp isolation for VSIE s390: Replace IS_ENABLED(EXPOLINE_*) with IS_ENABLED(CONFIG_EXPOLINE_*) s390: do not bypass BPENTER for interrupt system calls s390/entry.S: fix spurious zeroing of r0 s390: move nobp parameter functions to nospec-branch.c s390: add automatic detection of the spectre defense s390: report spectre mitigation via syslog s390: add sysfs attributes for spectre s390: correct nospec auto detection init order s390: correct module section names for expoline code revert microblaze: Setup dependencies for ASM optimized lib functions arm64: dts: rockchip: remove vdd_log from rk3399-puma Revert "mm/hmm: 
fix header file if/else/endif maze" commoncap: Handle memory allocation failure. scsi: mptsas: Disable WRITE SAME cdrom: information leak in cdrom_ioctl_media_changed() fsnotify: Fix fsnotify_mark_connector race m68k/mac: Don't remap SWIM MMIO region block/swim: Check drive type block/swim: Don't log an error message for an invalid ioctl block/swim: Remove extra put_disk() call from error path block/swim: Rename macros to avoid inconsistent inverted logic block/swim: Select appropriate drive on device open block/swim: Fix array bounds check block/swim: Fix IO error at end of medium tracing: Fix missing tab for hwlat_detector print format s390/cio: update chpid descriptor after resource accessibility event s390/dasd: fix IO error for newly defined devices s390/uprobes: implement arch_uretprobe_is_alive() ACPI / video: Only default only_lcd to true on Win8-ready _desktops_ Linux 4.14.38 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
7814c479de |
llc: fix NULL pointer deref for SOCK_ZAPPED
[ Upstream commit 3a04ce7130a7e5dad4e78d45d50313747f8c830f ] For SOCK_ZAPPED socket, we don't need to care about llc->sap, so we should just skip these refcount functions in this case. Fixes: f7e43672683b ("llc: hold llc_sap before release_sock()") Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
543a60112f |
llc: hold llc_sap before release_sock()
[ Upstream commit f7e43672683b097bb074a8fe7af9bc600a23f231 ]
syzbot reported we still access llc->sap in llc_backlog_rcv() after it is freed in llc_sap_remove_socket():
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x1b9/0x294 lib/dump_stack.c:113
  print_address_description+0x6c/0x20b mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412
  __asan_report_load1_noabort+0x14/0x20 mm/kasan/report.c:430
  llc_conn_ac_send_sabme_cmd_p_set_x+0x3a8/0x460 net/llc/llc_c_ac.c:785
  llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline]
  llc_conn_service net/llc/llc_conn.c:400 [inline]
  llc_conn_state_process+0x4e1/0x13a0 net/llc/llc_conn.c:75
  llc_backlog_rcv+0x195/0x1e0 net/llc/llc_conn.c:891
  sk_backlog_rcv include/net/sock.h:909 [inline]
  __release_sock+0x12f/0x3a0 net/core/sock.c:2335
  release_sock+0xa4/0x2b0 net/core/sock.c:2850
  llc_ui_release+0xc8/0x220 net/llc/af_llc.c:204
llc->sap is refcount'ed and llc_sap_remove_socket() is paired with llc_sap_add_socket(). This can be amended by holding its refcount before llc_sap_remove_socket() and releasing it after release_sock().
Reported-by: <syzbot+6e181fc95081c2cf9051@syzkaller.appspotmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |