mirror of
https://github.com/rd-stuffs/msm-4.14.git
synced 2025-02-20 11:45:48 +08:00
48662 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Kirill Tkhai
|
946b9671ac |
net: Fix hlist corruptions in inet_evict_bucket()
[ Upstream commit a560002437d3646dafccecb1bf32d1685112ddda ] inet_evict_bucket() iterates global list, and several tasks may call it in parallel. All of them hash the same fq->list_evictor to different lists, which leads to list corruption. This patch makes fq be hashed to expired list only if this has not been made yet by another task. Since inet_frag_alloc() allocates fq using kmem_cache_zalloc(), we may rely on list_evictor is initially unhashed. The problem seems to exist before async pernet_operations, as there was possible to have exit method to be executed in parallel with inet_frags::frags_work, so I add two Fixes tags. This also may go to stable. Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor" Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()" Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Eric Dumazet
|
4ff5078b03 |
net: use skb_to_full_sk() in skb_update_prio()
[ Upstream commit 4dcb31d4649df36297296b819437709f5407059c ]
Andrei Vagin reported a KASAN: slab-out-of-bounds error in
skb_update_prio()
Since SYNACK might be attached to a request socket, we need to
get back to the listener socket.
Since this listener is manipulated without locks, add const
qualifiers to sock_cgroup_prioidx() so that the const can also
be used in skb_update_prio()
Also add the const qualifier to sock_cgroup_classid() for consistency.
Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrei Vagin <avagin@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Eric Dumazet
|
f6cdb675ca |
ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
[ Upstream commit ca0edb131bdf1e6beaeb2b8289fd6b374b74147d ]
A tun device type can trivially be set to arbitrary value using
TUNSETLINK ioctl().
Therefore, lowpan_device_event() must really check that ieee802154_ptr
is not NULL.
Fixes: 2c88b5283f60d ("ieee802154: 6lowpan: remove check on null")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Alexander Aring <alex.aring@gmail.com>
Cc: Stefan Schmidt <stefan@osg.samsung.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Stefan Schmidt <stefan@osg.samsung.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Alexey Kodanev
|
f77ff13a06 |
sch_netem: fix skb leak in netem_enqueue()
[ Upstream commit 35d889d10b649fda66121891ec05eca88150059d ]
When we exceed current packets limit and we have more than one
segment in the list returned by skb_gso_segment(), netem drops
only the first one, skipping the rest, hence kmemleak reports:
unreferenced object 0xffff880b5d23b600 (size 1024):
comm "softirq", pid 0, jiffies 4384527763 (age 2770.629s)
hex dump (first 32 bytes):
00 80 23 5d 0b 88 ff ff 00 00 00 00 00 00 00 00 ..#]............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d8a19b9d>] __alloc_skb+0xc9/0x520
[<000000001709b32f>] skb_segment+0x8c8/0x3710
[<00000000c7b9bb88>] tcp_gso_segment+0x331/0x1830
[<00000000c921cba1>] inet_gso_segment+0x476/0x1370
[<000000008b762dd4>] skb_mac_gso_segment+0x1f9/0x510
[<000000002182660a>] __skb_gso_segment+0x1dd/0x620
[<00000000412651b9>] netem_enqueue+0x1536/0x2590 [sch_netem]
[<0000000005d3b2a9>] __dev_queue_xmit+0x1167/0x2120
[<00000000fc5f7327>] ip_finish_output2+0x998/0xf00
[<00000000d309e9d3>] ip_output+0x1aa/0x2c0
[<000000007ecbd3a4>] tcp_transmit_skb+0x18db/0x3670
[<0000000042d2a45f>] tcp_write_xmit+0x4d4/0x58c0
[<0000000056a44199>] tcp_tasklet_func+0x3d9/0x540
[<0000000013d06d02>] tasklet_action+0x1ca/0x250
[<00000000fcde0b8b>] __do_softirq+0x1b4/0x5a3
[<00000000e7ed027c>] irq_exit+0x1e2/0x210
Fix it by adding the rest of the segments, if any, to skb 'to_free'
list. Add new __qdisc_drop_all() and qdisc_drop_all() functions
because they can be useful in the future if we need to drop segmented
GSO packets in other places.
Fixes: 6071bd1aa13e ("netem: Segment GSO packets on enqueue")
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Tom Herbert
|
515bc34124 |
kcm: lock lower socket in kcm_attach
[ Upstream commit 2cc683e88c0c993ac3721d9b702cb0630abe2879 ]
Need to lock lower socket in order to provide mutual exclusion
with kcm_unattach.
v2: Add Reported-by for syzbot
Fixes: ab7ac4eb9832e32a09f4e804 ("kcm: Kernel Connection Multiplexor module")
Reported-by: syzbot+ea75c0ffcd353d32515f064aaebefc5279e6161e@syzkaller.appspotmail.com
Signed-off-by: Tom Herbert <tom@quantonium.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Roman Mashak
|
28b488f7cb |
net sched actions: return explicit error when tunnel_key mode is not specified
[ Upstream commit 51d4740f88affd85d49c04e3c9cd129c0e33bcb9 ] If set/unset mode of the tunnel_key action is not provided, ->init() still returns 0, and the caller proceeds with bogus 'struct tc_action *' object, this results in crash: % tc actions add action tunnel_key src_ip 1.1.1.1 dst_ip 2.2.2.1 id 7 index 1 [ 35.805515] general protection fault: 0000 [#1] SMP PTI [ 35.806161] Modules linked in: act_tunnel_key kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64 crypto_simd glue_helper cryptd serio_raw [ 35.808233] CPU: 1 PID: 428 Comm: tc Not tainted 4.16.0-rc4+ #286 [ 35.808929] RIP: 0010:tcf_action_init+0x90/0x190 [ 35.809457] RSP: 0018:ffffb8edc068b9a0 EFLAGS: 00010206 [ 35.810053] RAX: 1320c000000a0003 RBX: 0000000000000001 RCX: 0000000000000000 [ 35.810866] RDX: 0000000000000070 RSI: 0000000000007965 RDI: ffffb8edc068b910 [ 35.811660] RBP: ffffb8edc068b9d0 R08: 0000000000000000 R09: ffffb8edc068b808 [ 35.812463] R10: ffffffffc02bf040 R11: 0000000000000040 R12: ffffb8edc068bb38 [ 35.813235] R13: 0000000000000000 R14: 0000000000000000 R15: ffffb8edc068b910 [ 35.814006] FS: 00007f3d0d8556c0(0000) GS:ffff91d1dbc40000(0000) knlGS:0000000000000000 [ 35.814881] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 35.815540] CR2: 000000000043f720 CR3: 0000000019248001 CR4: 00000000001606a0 [ 35.816457] Call Trace: [ 35.817158] tc_ctl_action+0x11a/0x220 [ 35.817795] rtnetlink_rcv_msg+0x23d/0x2e0 [ 35.818457] ? __slab_alloc+0x1c/0x30 [ 35.819079] ? __kmalloc_node_track_caller+0xb1/0x2b0 [ 35.819544] ? rtnl_calcit.isra.30+0xe0/0xe0 [ 35.820231] netlink_rcv_skb+0xce/0x100 [ 35.820744] netlink_unicast+0x164/0x220 [ 35.821500] netlink_sendmsg+0x293/0x370 [ 35.822040] sock_sendmsg+0x30/0x40 [ 35.822508] ___sys_sendmsg+0x2c5/0x2e0 [ 35.823149] ? pagecache_get_page+0x27/0x220 [ 35.823714] ? filemap_fault+0xa2/0x640 [ 35.824423] ? page_add_file_rmap+0x108/0x200 [ 35.825065] ? alloc_set_pte+0x2aa/0x530 [ 35.825585] ? finish_fault+0x4e/0x70 [ 35.826140] ? __handle_mm_fault+0xbc1/0x10d0 [ 35.826723] ? __sys_sendmsg+0x41/0x70 [ 35.827230] __sys_sendmsg+0x41/0x70 [ 35.827710] do_syscall_64+0x68/0x120 [ 35.828195] entry_SYSCALL_64_after_hwframe+0x3d/0xa2 [ 35.828859] RIP: 0033:0x7f3d0ca4da67 [ 35.829331] RSP: 002b:00007ffc9f284338 EFLAGS: 00000246 ORIG_RAX: 000000000000002e [ 35.830304] RAX: ffffffffffffffda RBX: 00007ffc9f284460 RCX: 00007f3d0ca4da67 [ 35.831247] RDX: 0000000000000000 RSI: 00007ffc9f2843b0 RDI: 0000000000000003 [ 35.832167] RBP: 000000005aa6a7a9 R08: 0000000000000001 R09: 0000000000000000 [ 35.833075] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000 [ 35.833997] R13: 00007ffc9f2884c0 R14: 0000000000000001 R15: 0000000000674640 [ 35.834923] Code: 24 30 bb 01 00 00 00 45 31 f6 eb 5e 8b 50 08 83 c2 07 83 e2 fc 83 c2 70 49 8b 07 48 8b 40 70 48 85 c0 74 10 48 89 14 24 4c 89 ff <ff> d0 48 8b 14 24 48 01 c2 49 01 d6 45 85 ed 74 05 41 83 47 2c [ 35.837442] RIP: tcf_action_init+0x90/0x190 RSP: ffffb8edc068b9a0 [ 35.838291] ---[ end trace a095c06ee4b97a26 ]--- Fixes: d0f6dd8a914f ("net/sched: Introduce act_tunnel_key") Signed-off-by: Roman Mashak <mrv@mojatatu.com> Acked-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
David Lebrun
|
dbad5abd2b |
ipv6: sr: fix scheduling in RCU when creating seg6 lwtunnel state
[ Upstream commit 191f86ca8ef27f7a492fd1c03620498c6e94f0ac ] The seg6_build_state() function is called with RCU read lock held, so we cannot use GFP_KERNEL. This patch uses GFP_ATOMIC instead. [ 92.770271] ============================= [ 92.770628] WARNING: suspicious RCU usage [ 92.770921] 4.16.0-rc4+ #12 Not tainted [ 92.771277] ----------------------------- [ 92.771585] ./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section! [ 92.772279] [ 92.772279] other info that might help us debug this: [ 92.772279] [ 92.773067] [ 92.773067] rcu_scheduler_active = 2, debug_locks = 1 [ 92.773514] 2 locks held by ip/2413: [ 92.773765] #0: (rtnl_mutex){+.+.}, at: [<00000000e5461720>] rtnetlink_rcv_msg+0x441/0x4d0 [ 92.774377] #1: (rcu_read_lock){....}, at: [<00000000df4f161e>] lwtunnel_build_state+0x59/0x210 [ 92.775065] [ 92.775065] stack backtrace: [ 92.775371] CPU: 0 PID: 2413 Comm: ip Not tainted 4.16.0-rc4+ #12 [ 92.775791] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1.fc27 04/01/2014 [ 92.776608] Call Trace: [ 92.776852] dump_stack+0x7d/0xbc [ 92.777130] __schedule+0x133/0xf00 [ 92.777393] ? unwind_get_return_address_ptr+0x50/0x50 [ 92.777783] ? __sched_text_start+0x8/0x8 [ 92.778073] ? rcu_is_watching+0x19/0x30 [ 92.778383] ? kernel_text_address+0x49/0x60 [ 92.778800] ? __kernel_text_address+0x9/0x30 [ 92.779241] ? unwind_get_return_address+0x29/0x40 [ 92.779727] ? pcpu_alloc+0x102/0x8f0 [ 92.780101] _cond_resched+0x23/0x50 [ 92.780459] __mutex_lock+0xbd/0xad0 [ 92.780818] ? pcpu_alloc+0x102/0x8f0 [ 92.781194] ? seg6_build_state+0x11d/0x240 [ 92.781611] ? save_stack+0x9b/0xb0 [ 92.781965] ? __ww_mutex_wakeup_for_backoff+0xf0/0xf0 [ 92.782480] ? seg6_build_state+0x11d/0x240 [ 92.782925] ? lwtunnel_build_state+0x1bd/0x210 [ 92.783393] ? ip6_route_info_create+0x687/0x1640 [ 92.783846] ? ip6_route_add+0x74/0x110 [ 92.784236] ? inet6_rtm_newroute+0x8a/0xd0 Fixes: 6c8702c60b886 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") Signed-off-by: David Lebrun <dlebrun@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
David Lebrun
|
cb4963b494 |
ipv6: sr: fix NULL pointer dereference when setting encap source address
[ Upstream commit 8936ef7604c11b5d701580d779e0f5684abc7b68 ] When using seg6 in encap mode, we call ipv6_dev_get_saddr() to set the source address of the outer IPv6 header, in case none was specified. Using skb->dev can lead to BUG() when it is in an inconsistent state. This patch uses the net_device attached to the skb's dst instead. [940807.667429] BUG: unable to handle kernel NULL pointer dereference at 000000000000047c [940807.762427] IP: ipv6_dev_get_saddr+0x8b/0x1d0 [940807.815725] PGD 0 P4D 0 [940807.847173] Oops: 0000 [#1] SMP PTI [940807.890073] Modules linked in: [940807.927765] CPU: 6 PID: 0 Comm: swapper/6 Tainted: G W 4.16.0-rc1-seg6bpf+ #2 [940808.028988] Hardware name: HP ProLiant DL120 G6/ProLiant DL120 G6, BIOS O26 09/06/2010 [940808.128128] RIP: 0010:ipv6_dev_get_saddr+0x8b/0x1d0 [940808.187667] RSP: 0018:ffff88043fd836b0 EFLAGS: 00010206 [940808.251366] RAX: 0000000000000005 RBX: ffff88042cb1c860 RCX: 00000000000000fe [940808.338025] RDX: 00000000000002c0 RSI: ffff88042cb1c860 RDI: 0000000000004500 [940808.424683] RBP: ffff88043fd83740 R08: 0000000000000000 R09: ffffffffffffffff [940808.511342] R10: 0000000000000040 R11: 0000000000000000 R12: ffff88042cb1c850 [940808.598012] R13: ffffffff8208e380 R14: ffff88042ac8da00 R15: 0000000000000002 [940808.684675] FS: 0000000000000000(0000) GS:ffff88043fd80000(0000) knlGS:0000000000000000 [940808.783036] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [940808.852975] CR2: 000000000000047c CR3: 00000004255fe000 CR4: 00000000000006e0 [940808.939634] Call Trace: [940808.970041] <IRQ> [940808.995250] ? ip6t_do_table+0x265/0x640 [940809.043341] seg6_do_srh_encap+0x28f/0x300 [940809.093516] ? seg6_do_srh+0x1a0/0x210 [940809.139528] seg6_do_srh+0x1a0/0x210 [940809.183462] seg6_output+0x28/0x1e0 [940809.226358] lwtunnel_output+0x3f/0x70 [940809.272370] ip6_xmit+0x2b8/0x530 [940809.313185] ? ac6_proc_exit+0x20/0x20 [940809.359197] inet6_csk_xmit+0x7d/0xc0 [940809.404173] tcp_transmit_skb+0x548/0x9a0 [940809.453304] __tcp_retransmit_skb+0x1a8/0x7a0 [940809.506603] ? ip6_default_advmss+0x40/0x40 [940809.557824] ? tcp_current_mss+0x24/0x90 [940809.605925] tcp_retransmit_skb+0xd/0x80 [940809.654016] tcp_xmit_retransmit_queue.part.17+0xf9/0x210 [940809.719797] tcp_ack+0xa47/0x1110 [940809.760612] tcp_rcv_established+0x13c/0x570 [940809.812865] tcp_v6_do_rcv+0x151/0x3d0 [940809.858879] tcp_v6_rcv+0xa5c/0xb10 [940809.901770] ? seg6_output+0xdd/0x1e0 [940809.946745] ip6_input_finish+0xbb/0x460 [940809.994837] ip6_input+0x74/0x80 [940810.034612] ? ip6_rcv_finish+0xb0/0xb0 [940810.081663] ipv6_rcv+0x31c/0x4c0 ... Fixes: 6c8702c60b886 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels") Reported-by: Tom Herbert <tom@quantonium.net> Signed-off-by: David Lebrun <dlebrun@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Stefano Brivio
|
5defa8c926 |
ipv6: old_dport should be a __be16 in __ip6_datagram_connect()
[ Upstream commit 5f2fb802eee1df0810b47ea251942fe3fd36589a ]
Fixes: 2f987a76a977 ("net: ipv6: keep sk status consistent after datagram connect failure")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Acked-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Paolo Abeni
|
a8f02befc8 |
net: ipv6: keep sk status consistent after datagram connect failure
[ Upstream commit 2f987a76a97773beafbc615b9c4d8fe79129a7f4 ]
On unsuccesful ip6_datagram_connect(), if the failure is caused by
ip6_datagram_dst_update(), the sk peer information are cleared, but
the sk->sk_state is preserved.
If the socket was already in an established status, the overall sk
status is inconsistent and fouls later checks in datagram code.
Fix this saving the old peer information and restoring them in
case of failure. This also aligns ipv6 datagram connect() behavior
with ipv4.
v1 -> v2:
- added missing Fixes tag
Fixes: 85cb73ff9b74 ("net: ipv6: reset daddr and dport in sk if connect() fails")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Arkadi Sharshevsky
|
b51eb57dac |
devlink: Remove redundant free on error path
[ Upstream commit 7fe4d6dcbcb43fe0282d4213fc52be178bb30e91 ]
The current code performs unneeded free. Remove the redundant skb freeing
during the error path.
Fixes: 1555d204e743 ("devlink: Support for pipeline debug (dpipe)")
Signed-off-by: Arkadi Sharshevsky <arkadis@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Soheil Hassas Yeganeh
|
e44c173305 |
tcp: purge write queue upon aborting the connection
[ Upstream commit e05836ac07c77dd90377f8c8140bce2a44af5fe7 ]
When the connection is aborted, there is no point in
keeping the packets on the write queue until the connection
is closed.
Similar to a27fd7a8ed38 ('tcp: purge write queue upon RST'),
this is essential for a correct MSG_ZEROCOPY implementation,
because userspace cannot call close(fd) before receiving
zerocopy signals even when the connection is aborted.
Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY")
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Linux Build Service Account
|
0dff9d69de | Merge "Merge remote-tracking branch 'remotes/origin/tmp-a45ab56' into msm-4.14" into msm-4.14 | ||
|
Linux Build Service Account
|
e3d0f054d6 |
Merge changes I5aac588c,If1dbdcdb,If9ba9c65,I66d73fe4,I795bfe2d,I7bb7e03d,I27398995 into msm-4.14
* changes: ARM: dts: msm: Add intent list for IPCRTR on sdm855 ARM: dts: msm: Fix RPMSG intents field for sdm855 rpmsg: glink: Remove chunk size word align warning rpmsg: glink: Change ioread functions to iomemcpy_from qrtr: Fix NET_BIND_SERVICE logic qrtr: Fix broadcast packet format soc: qcom: glink_pkt: Fix priv data for rpmsg cb |
||
|
Linux Build Service Account
|
b44db7f749 | Merge "xfrm: Use __skb_queue_tail in xfrm_trans_queue" into msm-4.14 | ||
Isaac J. Manjarres
|
805d13413a |
Merge remote-tracking branch 'remotes/origin/tmp-a45ab56' into msm-4.14
* remotes/origin/tmp-a45ab56: Linux 4.14.30 RDMA/vmw_pvrdma: Fix usage of user response structures in ABI file kbuild: fix linker feature test macros when cross compiling with Clang RDMA/ucma: Don't allow join attempts for unsupported AF family RDMA/ucma: Fix access to non-initialized CM_ID object clk: migrate the count of orphaned clocks at init RDMA/core: Do not use invalid destination in determining port reuse serial: 8250_pci: Don't fail on multiport card class IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq IB/mlx5: Fix integer overflows in mlx5_ib_create_srq scsi: mpt3sas: wait for and flush running commands on shutdown/unload scsi: mpt3sas: fix oops in error handlers after shutdown/unload dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 crypto: artpec6 - set correct iv size for gcm(aes) clk: si5351: Rename internal plls to avoid name collisions clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() clk: Don't touch hardware when reparenting during registration clk: at91: pmc: Wait for clocks when resuming nfsd4: permit layoutget of executable-only files ARM: dts: aspeed-evb: Add unit name to memory node RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS scsi: lpfc: Fix issues connecting with nvme initiator scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled soc: qcom: smsm: fix child-node lookup ip_gre: fix potential memory leak in erspan_rcv ip_gre: fix error path when erspan_rcv failed ip6_vti: adjust vti mtu according to mtu of lower device iommu/vt-d: clean up pr_irq if request_threaded_irq fails pinctrl: rockchip: enable clock when reading pin direction register pinctrl: Really force states during suspend/resume media: davinci: fix a debug printk PCI: rcar: Handle rcar_pcie_parse_request_of_pci_ranges() failures PCI: endpoint: Fix find_first_zero_bit() usage PCI: designware-ep: Fix ->get_msi() to check MSI_EN bit coresight: Fix disabling of CoreSight TPIU pty: cancel pty slave port buf's work in tty_release drm/omap: DMM: Check for DMM readiness after successful transaction commit mmc: sdhci-xenon: wait 5ms after set 1.8V signal enable omapdrm: panel: fix compatible vendor string for td028ttec1 vgacon: Set VGA struct resource types iser-target: avoid reinitializing rdma contexts for isert commands IB/umem: Fix use of npages/nmap fields RDMA/cma: Use correct size when writing netlink stats IB/ipoib: Avoid memory leak if the SA returns a different DGID rtc: ac100: Fix multiple race conditions media: s5p-mfc: Fix lock contention - request_firmware() once sfp: fix non-detection of PHY sfp: fix EEPROM reading in the case of non-SFF8472 SFPs net: phy: meson-gxl: check phy_write return value /dev/mem: Add bounce buffer for copy-out mmc: block: fix logical error to avoid memory leak mmc: avoid removing non-removable hosts during suspend drm/tilcdc: ensure nonatomic iowrite64 is not used dmaengine: zynqmp_dma: Fix race condition in the probe platform/chrome: Use proper protocol transfer function watchdog: Fix kref imbalance seen if handle_boot_enabled=0 watchdog: Fix potential kref imbalance when opening watchdog cros_ec: fix nul-termination for firmware build info serial: 8250_dw: Disable clock on error tty: goldfish: Enable 'earlycon' only if built-in qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart ath10k: handling qos at STA side based on AP WMM enable/disable media: bt8xx: Fix err 'bt878_probe()' rtlwifi: always initialize variables given to RT_TRACE() rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled. spi: sh-msiof: Avoid writing to registers from spi_master.setup() hv_netvsc: Fix the TX/RX buffer default sizes hv_netvsc: Fix the receive buffer size limit RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() drm/msm: fix leak in failed get_pages media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt cpufreq: longhaul: Revert transition_delay_us to 200 ms Bluetooth: btqcomsmd: Fix skb double free corruption Bluetooth: hci_qca: Avoid setup failure on missing rampatch staging: android: ashmem: Fix possible deadlock in ashmem_ioctl scsi: megaraid_sas: Do not use 32-bit atomic request descriptor for Ventura controllers FROMLIST: crypto: arm64/speck - add NEON-accelerated implementation of Speck-XTS BACKPORT: kbuild: fix linker feature test macros when cross compiling with Clang Conflicts: drivers/clk/clk.c drivers/gpu/drm/msm/msm_gem.c Change-Id: Ia2b16feb38555f4f7ba11aef07d6e601b2e41fdc Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org> |
||
Chris Lew
|
56faadfd27 |
qrtr: Fix NET_BIND_SERVICE logic
Fix the capability logic to allow node id configuration be done from clients that have NET_ADMIN or NET_BIND_SERVICE Change-Id: I795bfe2d4a969348b1ff3ef6000feecc27b5bc53 Signed-off-by: Chris Lew <clew@codeaurora.org> |
||
|
Chris Lew
|
75639baf85 |
qrtr: Fix broadcast packet format
The remote processor IPCRTR drivers expect the format for broadcast control messages to have the node id set to the actual processor id and the port id to be set to the broadcast identifier. Change the broadcast enqueue function to this format for remote processors. Keep the local broadcast format the same. Change-Id: I7bb7e03d81ec86ba88c68f944c0f197485a6673c Signed-off-by: Chris Lew <clew@codeaurora.org> |
||
Greg Kroah-Hartman
|
a45ab563a4 |
This is the 4.14.30 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlq2IfoACgkQONu9yGCS aT5mvw//Vqj0kVcbbIVWlafFnsRS7+u4VggHOLBmunW/GATBqXFeqFa/naJ3GB2H Ji91CkHUaR/8hohgMndd4GIJFxOYEf9zMzWxyza5pjcgBzwFHywd3n2cgnNzwPgE xHv3HbLXT4MjHbtk6Zf3vVb+khcLikWtXbdBoO+K+sJWcITA31GuQSFuICXAeiTu K5yvGA/Y3dUMm1dN2fzV3ZuEZ8vuHVMVmzUHg+RlHVfLEVVkCOL2JupO+8S060Px 0heMcRaWTceyyAQ66xJ1hYo1Ia9qK0jTlohvYmRP1lguR6KTw0O8rBhJlUsmrPo0 17xohxgYbpwjs+g3cVas4Jf2bzlPa+PjYk6ZIkci/7tvZilF5HscZIJRwstgFjSY CM7TGk6bpadVT6rSzC2pUGdyPOElPAUYJZTinhRoSQWQL0A4HH4YFM0Wf6qVD1w+ KtESJR9VG8AKnp+w4HLwCpua/2zRCHANgpdItRKSO/hEnShP1CAsi60l9pHJI/e7 myOpE4OoJZSJMO26MoFsO3LWAlleGwUKGp/Lh/Gz/ANpks8HUnSGCVH1I+sWKfY1 nHL6tGFga8T5f3nAgJT2e8RNMkNI7AzYM8s0ygVy/JZ6qgtPtzHsSW5DRFYt+fy/ tqP0m+26e5TjYSKO4oaPmFfWEWjCzWYfXg4sk4d9dZZA+41r0B0= =pK0E -----END PGP SIGNATURE----- Merge 4.14.30 into android-4.14 Changes in 4.14.30 scsi: megaraid_sas: Do not use 32-bit atomic request descriptor for Ventura controllers staging: android: ashmem: Fix possible deadlock in ashmem_ioctl Bluetooth: hci_qca: Avoid setup failure on missing rampatch Bluetooth: btqcomsmd: Fix skb double free corruption cpufreq: longhaul: Revert transition_delay_us to 200 ms media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt drm/msm: fix leak in failed get_pages RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() hv_netvsc: Fix the receive buffer size limit hv_netvsc: Fix the TX/RX buffer default sizes spi: sh-msiof: Avoid writing to registers from spi_master.setup() rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled. rtlwifi: always initialize variables given to RT_TRACE() media: bt8xx: Fix err 'bt878_probe()' ath10k: handling qos at STA side based on AP WMM enable/disable media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect tty: goldfish: Enable 'earlycon' only if built-in serial: 8250_dw: Disable clock on error cros_ec: fix nul-termination for firmware build info watchdog: Fix potential kref imbalance when opening watchdog watchdog: Fix kref imbalance seen if handle_boot_enabled=0 platform/chrome: Use proper protocol transfer function dmaengine: zynqmp_dma: Fix race condition in the probe drm/tilcdc: ensure nonatomic iowrite64 is not used mmc: avoid removing non-removable hosts during suspend mmc: block: fix logical error to avoid memory leak /dev/mem: Add bounce buffer for copy-out net: phy: meson-gxl: check phy_write return value sfp: fix EEPROM reading in the case of non-SFF8472 SFPs sfp: fix non-detection of PHY media: s5p-mfc: Fix lock contention - request_firmware() once rtc: ac100: Fix multiple race conditions IB/ipoib: Avoid memory leak if the SA returns a different DGID RDMA/cma: Use correct size when writing netlink stats IB/umem: Fix use of npages/nmap fields iser-target: avoid reinitializing rdma contexts for isert commands vgacon: Set VGA struct resource types omapdrm: panel: fix compatible vendor string for td028ttec1 mmc: sdhci-xenon: wait 5ms after set 1.8V signal enable drm/omap: DMM: Check for DMM readiness after successful transaction commit pty: cancel pty slave port buf's work in tty_release coresight: Fix disabling of CoreSight TPIU PCI: designware-ep: Fix ->get_msi() to check MSI_EN bit PCI: endpoint: Fix find_first_zero_bit() usage PCI: rcar: Handle rcar_pcie_parse_request_of_pci_ranges() failures media: davinci: fix a debug printk pinctrl: Really force states during suspend/resume pinctrl: rockchip: enable clock when reading pin direction register iommu/vt-d: clean up pr_irq if request_threaded_irq fails ip6_vti: adjust vti mtu according to mtu of lower device ip_gre: fix error path when erspan_rcv failed ip_gre: fix potential memory leak in erspan_rcv soc: qcom: smsm: fix child-node lookup scsi: lpfc: Fix SCSI LUN discovery when SCSI and NVME enabled scsi: lpfc: Fix issues connecting with nvme initiator RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS ARM: dts: aspeed-evb: Add unit name to memory node nfsd4: permit layoutget of executable-only files clk: at91: pmc: Wait for clocks when resuming clk: Don't touch hardware when reparenting during registration clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() clk: si5351: Rename internal plls to avoid name collisions crypto: artpec6 - set correct iv size for gcm(aes) dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 scsi: mpt3sas: fix oops in error handlers after shutdown/unload scsi: mpt3sas: wait for and flush running commands on shutdown/unload IB/mlx5: Fix integer overflows in mlx5_ib_create_srq IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq serial: 8250_pci: Don't fail on multiport card class RDMA/core: Do not use invalid destination in determining port reuse clk: migrate the count of orphaned clocks at init RDMA/ucma: Fix access to non-initialized CM_ID object RDMA/ucma: Don't allow join attempts for unsupported AF family kbuild: fix linker feature test macros when cross compiling with Clang RDMA/vmw_pvrdma: Fix usage of user response structures in ABI file Linux 4.14.30 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Haishuang Yan
|
f1f225794a |
ip_gre: fix potential memory leak in erspan_rcv
[ Upstream commit 50670b6ee9bc4ae8f9ce3112b437987adf273245 ]
If md is NULL, tun_dst must be freed, otherwise it will cause memory
leak.
Fixes: 1a66a836da6 ("gre: add collect_md mode to ERSPAN tunnel")
Cc: William Tu <u9012063@gmail.com>
Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Haishuang Yan
|
9cd6c84e93 |
ip_gre: fix error path when erspan_rcv failed
[ Upstream commit dd8d5b8c5b22e31079b259b8bfb686f1fac1080a ]
When erspan_rcv call return PACKET_REJECT, we shoudn't call ipgre_rcv to
process packets again, instead send icmp unreachable message in error
path.
Fixes: 84e54fe0a5ea ("gre: introduce native tunnel support for ERSPAN")
Acked-by: William Tu <u9012063@gmail.com>
Cc: William Tu <u9012063@gmail.com>
Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Alexey Kodanev
|
e6cfc52516 |
ip6_vti: adjust vti mtu according to mtu of lower device
[ Upstream commit 53c81e95df1793933f87748d36070a721f6cb287 ]
LTP/udp6_ipsec_vti tests fail when sending large UDP datagrams over
ip6_vti that require fragmentation and the underlying device has an
MTU smaller than 1500 plus some extra space for headers. This happens
because ip6_vti, by default, sets MTU to ETH_DATA_LEN and not updating
it depending on a destination address or link parameter. Further
attempts to send UDP packets may succeed because pmtu gets updated on
ICMPV6_PKT_TOOBIG in vti6_err().
In case the lower device has larger MTU size, e.g. 9000, ip6_vti works
but not using the possible maximum size, output packets have 1500 limit.
The above cases require manual MTU setup after ip6_vti creation. However
ip_vti already updates MTU based on lower device with ip_tunnel_bind_dev().
Here is the example when the lower device MTU is set to 9000:
# ip a sh ltp_ns_veth2
ltp_ns_veth2@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 ...
inet 10.0.0.2/24 scope global ltp_ns_veth2
inet6 fd00::2/64 scope global
# ip li add vti6 type vti6 local fd00::2 remote fd00::1
# ip li show vti6
vti6@NONE: <POINTOPOINT,NOARP> mtu 1500 ...
link/tunnel6 fd00::2 peer fd00::1
After the patch:
# ip li add vti6 type vti6 local fd00::2 remote fd00::1
# ip li show vti6
vti6@NONE: <POINTOPOINT,NOARP> mtu 8832 ...
link/tunnel6 fd00::2 peer fd00::1
Reported-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Sean Tranchetti
|
f00d8fd660 |
xfrm: Use __skb_queue_tail in xfrm_trans_queue
We do not need locking in xfrm_trans_queue because it is designed
to use per-CPU buffers. However, the original code incorrectly
used skb_queue_tail which takes the lock. This patch switches
it to __skb_queue_tail instead.
Reported-and-tested-by: Artem Savkov <asavkov@redhat.com>
Fixes: acf568ee859f ("xfrm: Reinject transport-mode packets...")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Git-commit: d16b46e4fd8bc6063624605f25b8c0835bb1fbe3
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Change-Id: Ia2917d9d4f43f20ae09ede0fe92f5245db9baf2b
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
|
||
Blagovest Kolenichev
|
24b2e60f51 |
Merge android-4.14.29 (45c8dbe) into msm-4.14
* refs/heads/tmp-45c8dbe
Linux 4.14.29
usb: dwc3: Fix GDBGFIFOSPACE_TYPE values
USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe()
scsi: qla2xxx: Fix crashes in qla2x00_probe_one on probe failure
scsi: qla2xxx: Fix logo flag for qlt_free_session_done()
scsi: qla2xxx: Fix NULL pointer access for fcport structure
scsi: qla2xxx: Fix smatch warning in qla25xx_delete_{rsp|req}_que
btrfs: Fix memory barriers usage with device stats counters
btrfs: remove spurious WARN_ON(ref->count < 0) in find_parent_nodes
btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device
btrfs: alloc_chunk: fix DUP stripe size handling
btrfs: add missing initialization in btrfs_check_shared
btrfs: Fix NULL pointer exception in find_bio_stripe
irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis
RDMAVT: Fix synchronization around percpu_ref
fs/aio: Use RCU accessors for kioctx_table->table[]
fs/aio: Add explicit RCU grace period when freeing kioctx
lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
KVM: arm/arm64: vgic: Don't populate multiple LRs with the same vintid
kvm: arm/arm64: vgic-v3: Tighten synchronization for guests using v2 on v3
KVM: arm/arm64: Reduce verbosity of KVM init log
fs: Teach path_connected to handle nfs filesystems with multiple roots.
drm/amdgpu/dce: Don't turn off DP sink when disconnected
drm/radeon: fix prime teardown order
drm/amdgpu: fix prime teardown order
drm/nouveau/bl: Fix oops on driver unbind
ALSA: seq: Clear client entry before deleting else at closing
ALSA: seq: Fix possible UAF in snd_seq_check_queue()
ALSA: hda - Revert power_save option default value
ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
parisc: Handle case where flush_cache_range is called with no context
x86/mm: Fix vmalloc_fault to use pXd_large
KVM: x86: Fix device passthrough when SME is active
x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist
x86/speculation, objtool: Annotate indirect calls/jumps for objtool on 32-bit kernels
x86/vm86/32: Fix POPF emulation
selftests/x86/entry_from_vm86: Add test cases for POPF
selftests/x86: Add tests for the STR and SLDT instructions
selftests/x86: Add tests for User-Mode Instruction Prevention
selftests/x86/entry_from_vm86: Exit with 1 if we fail
x86/cpufeatures: Add Intel PCONFIG cpufeature
x86/cpufeatures: Add Intel Total Memory Encryption cpufeature
ANDROID: arm-smccc: fix clang build
staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
Linux 4.14.28
drm/i915/glk: Disable Guc and HuC on GLK
dmaengine: qcom_hidma: check pending interrupts
IB/mlx5: revisit -Wmaybe-uninitialized warning
ima: relax requiring a file signature for new files with zero length
locking/locktorture: Fix num reader/writer corner cases
rcutorture/configinit: Fix build directory error message
ipvlan: add L2 check for packets arriving via virtual devices
Fix misannotated out-of-line _copy_to_user()
mmc: mmc_test: Ensure command queue is disabled for testing
ASoC: nuc900: Fix a loop timeout test
crypto: caam/qi - use correct print specifier for size_t
mac80211: remove BUG() when interface type is invalid
mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED
agp/intel: Flush all chipset writes after updating the GGTT
arm64: dts: renesas: salvator-common: Add EthernetAVB PHY reset
powerpc/64: Don't trace irqs-off at interrupt return to soft-disabled context
powerpc/modules: Don't try to restore r2 after a sibling call
drm/amdkfd: Fix memory leaks in kfd topology
veth: set peer GSO values
net: sched: drop qdisc_reset from dev_graft_qdisc
virtio_net: Disable interrupts if napi_complete_done rescheduled napi
media: davinci: vpif_capture: add NULL check on devm_kzalloc return value
media: cpia2: Fix a couple off by one bugs
dm raid: fix raid set size revalidation
media: vsp1: Prevent suspending and resuming DRM pipelines
scsi: dh: add new rdac devices
scsi: devinfo: apply to HP XP the same flags as Hitachi VSP
scsi: core: scsi_get_device_flags_keyed(): Always return device flags
bnxt_en: Don't print "Link speed -1 no longer supported" messages.
spi: sun6i: disable/unprepare clocks on remove
tools/usbip: fixes build with musl libc toolchain
ath10k: fix invalid STS_CAP_OFFSET_MASK
mwifiex: cfg80211: do not change virtual interface during scan processing
clk: qcom: msm8916: fix mnd_width for codec_digcodec
drm/amdgpu:fix virtual dce bug
iwlwifi: mvm: avoid dumping assert log when device is stopped
perf annotate: Fix objdump comment parsing for Intel mov dissassembly
perf annotate: Fix unnecessary memory allocation for s390x
pinctrl: sh-pfc: r8a7795-es1: Fix MOD_SEL1 bit[25:24] to 0x3 when using STP_ISEN_1_D
pinctrl: sh-pfc: r8a7791: Add can_clk function
drm/sun4i: Fix format mask in DE2 driver
pwm: stmpe: Fix wrong register offset for hwpwm=2 case
scsi: ses: don't ask for diagnostic pages repeatedly during probe
drm/amdgpu:fix random missing of FLR NOTIFY
cpufreq: Fix governor module removal race
ath10k: update tdls teardown state to target
iio: health: max30102: Add power enable parameter to get_temp function
iio: adc: ina2xx: Shift bus voltage register to mask flag bits
drm/etnaviv: make THERMAL selectable
power: supply: ab8500_charger: Bail out in case of error in 'ab8500_charger_init_hw_registers()'
power: supply: ab8500_charger: Fix an error handling path
leds: pm8058: Silence pointer to integer size warning
xfrm: Fix xfrm_replay_overflow_offload_esn
userns: Don't fail follow_automount based on s_user_ns
mtd: nand: ifc: update bufnum mask for ver >= 2.0.0
ARM: dts: omap3-n900: Fix the audio CODEC's reset pin
ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin
net: thunderx: Set max queue count taking XDP_TX into account
mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]()
net: xfrm: allow clearing socket xfrm policies.
rtc: brcmstb-waketimer: fix error handling in brcmstb_waketmr_probe()
net: ieee802154: adf7242: Fix bug if defined DEBUG
test_firmware: fix setting old custom fw path back on exit
crypto: cavium - fix memory leak on info
crypto: ecc - Fix NULL pointer deref. on no default_rng
sched: Stop resched_cpu() from sending IPIs to offline CPUs
sched: Stop switched_to_rt() from sending IPIs to offline CPUs
USB: ledtrig-usbport: fix of-node leak
typec: tcpm: fusb302: Resolve out of order messaging events
staging: rtl8822be: fix missing null check on dev_alloc_skb return
drm/amdgpu: fix get_max_engine_clock_in_mhz
ARM: dts: exynos: Correct Trats2 panel reset line
clk: meson: gxbb: fix wrong clock for SARADC/SANA
ARM: dts: koelsch: Move cec_clock to root node
iwlwifi: mvm: rs: don't override the rate history in the search cycle
HID: elo: clear BTN_LEFT mapping
HID: multitouch: Only look at non touch fields in first packet of a frame
video/hdmi: Allow "empty" HDMI infoframes
dma-buf/fence: Fix lock inversion within dma-fence-array
drm/edid: set ELD connector type in drm_edid_to_eld()
Revert "btrfs: use proper endianness accessors for super_copy"
dm mpath: fix passing integrity data
earlycon: add reg-offset to physical address before mapping
serial: core: mark port as initialized in autoconfig
serial: 8250_pci: Add Brainboxes UC-260 4 port serial device
usb: dwc3: Fix lock-up on ID change during system suspend/resume
usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb()
usb: usbmon: Read text within supplied buffer size
usb: quirks: add control message delay for 1b1c:1b20
usbip: vudc: fix null pointer dereference on udc->lock
USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h
staging: android: ashmem: Fix lockdep issue during llseek
staging: comedi: fix comedi_nsamples_left.
uas: fix comparison for error code
tty/serial: atmel: add new version check for usart
serial: sh-sci: prevent lockup on full TTY buffers
xhci: fix endpoint context tracer output
xhci: Fix front USB ports on ASUS PRIME B350M-A
usb: host: xhci-rcar: add support for r8a77965
ASoC: rt5651: Fix regcache sync errors on resume
ASoC: wm_adsp: For TLV controls only register TLV get/set
ASoC: sgtl5000: Fix suspend/resume
ASoC: sun4i-i2s: Fix RX slot number of SUN8I
x86: Treat R_X86_64_PLT32 as R_X86_64_PC32
net: phy: Restore phy_resume() locking assumption
net: phy: fix resume handling
ANDROID: sdcardfs: fix lock issue on 32 bit/SMP architectures
Change-Id: Ida88909c333e059adf42a8794c3b92b1d15252f7
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
|
||
|
Greg Kroah-Hartman
|
267c6efd76 |
This is the 4.14.28 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlqvagEACgkQONu9yGCS aT6OIxAAmZR4SyE7pWG9IwDzRcWhkPqknnKyM9SsfZ4m9TjiTRDZudUuJHy9LYko L1uCqQqd2cb88DkkY7aoThlZUNQmRKxbqlm1KGFnxYTIWpqmwC0Cod47P1gPdfu8 eCHFTskA3LzhWKtKISIYAstfgiiSMPDcaK+AoMFSgNHJPIRzK1ixMbPqd+NskBBn jkSAWgc3z7GazyPgX9mnR8jh6hrPBARgDgCUUlc5kG4xBQMJD5u00Z2u6hgPgGeH AjmB/LGWepZC/e+XbJGZlu2J/gOREkqpGmIgBlhLMZKFaa1uGb6do6vDpUwQsfHY NutaJ5sKuDRRk72jWNvYLxXetV+X8yMR/NcbUwN7NLe9tKQRQKQicscYSnSma5p+ /9kusRfbDuDgx6dSDf8qtfL4N01suUpZadfHRYJWTnmsR718ybc05LYegcve6m3n c1VL8oAVB9SHLWEEirqDfBIsDPwwUt2D+3Qa2BK7aLFdWJD8DAwBB+vuYOscvPMQ 4R4YG3Tt2jxlbdYSNnnF2/Y8RvJvYSH9TCz2ZxjTYjO1di+ildnF2KP2ncXnfU6s 2i5c/5efb5FRQUN3x2EiGK9adRhHc6D2vheOMOMGIFJX/hI4fDNuQyX9676hliMc +BRom5CU7712BVeR70+XuO9K9M1UDeqUGK0tgWFc8xI9LdrnfVc= =85d3 -----END PGP SIGNATURE----- Merge 4.14.28 into android-4.14 Changes in 4.14.28 net: phy: fix resume handling net: phy: Restore phy_resume() locking assumption x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 ASoC: sun4i-i2s: Fix RX slot number of SUN8I ASoC: sgtl5000: Fix suspend/resume ASoC: wm_adsp: For TLV controls only register TLV get/set ASoC: rt5651: Fix regcache sync errors on resume usb: host: xhci-rcar: add support for r8a77965 xhci: Fix front USB ports on ASUS PRIME B350M-A xhci: fix endpoint context tracer output serial: sh-sci: prevent lockup on full TTY buffers tty/serial: atmel: add new version check for usart uas: fix comparison for error code staging: comedi: fix comedi_nsamples_left. staging: android: ashmem: Fix lockdep issue during llseek USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h usbip: vudc: fix null pointer dereference on udc->lock usb: quirks: add control message delay for 1b1c:1b20 usb: usbmon: Read text within supplied buffer size usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb() usb: dwc3: Fix lock-up on ID change during system suspend/resume serial: 8250_pci: Add Brainboxes UC-260 4 port serial device serial: core: mark port as initialized in autoconfig earlycon: add reg-offset to physical address before mapping dm mpath: fix passing integrity data Revert "btrfs: use proper endianness accessors for super_copy" drm/edid: set ELD connector type in drm_edid_to_eld() dma-buf/fence: Fix lock inversion within dma-fence-array video/hdmi: Allow "empty" HDMI infoframes HID: multitouch: Only look at non touch fields in first packet of a frame HID: elo: clear BTN_LEFT mapping iwlwifi: mvm: rs: don't override the rate history in the search cycle ARM: dts: koelsch: Move cec_clock to root node clk: meson: gxbb: fix wrong clock for SARADC/SANA ARM: dts: exynos: Correct Trats2 panel reset line drm/amdgpu: fix get_max_engine_clock_in_mhz staging: rtl8822be: fix missing null check on dev_alloc_skb return typec: tcpm: fusb302: Resolve out of order messaging events USB: ledtrig-usbport: fix of-node leak sched: Stop switched_to_rt() from sending IPIs to offline CPUs sched: Stop resched_cpu() from sending IPIs to offline CPUs crypto: ecc - Fix NULL pointer deref. on no default_rng crypto: cavium - fix memory leak on info test_firmware: fix setting old custom fw path back on exit net: ieee802154: adf7242: Fix bug if defined DEBUG rtc: brcmstb-waketimer: fix error handling in brcmstb_waketmr_probe() net: xfrm: allow clearing socket xfrm policies. mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]() net: thunderx: Set max queue count taking XDP_TX into account ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin ARM: dts: omap3-n900: Fix the audio CODEC's reset pin mtd: nand: ifc: update bufnum mask for ver >= 2.0.0 userns: Don't fail follow_automount based on s_user_ns xfrm: Fix xfrm_replay_overflow_offload_esn leds: pm8058: Silence pointer to integer size warning power: supply: ab8500_charger: Fix an error handling path power: supply: ab8500_charger: Bail out in case of error in 'ab8500_charger_init_hw_registers()' drm/etnaviv: make THERMAL selectable iio: adc: ina2xx: Shift bus voltage register to mask flag bits iio: health: max30102: Add power enable parameter to get_temp function ath10k: update tdls teardown state to target cpufreq: Fix governor module removal race drm/amdgpu:fix random missing of FLR NOTIFY scsi: ses: don't ask for diagnostic pages repeatedly during probe pwm: stmpe: Fix wrong register offset for hwpwm=2 case drm/sun4i: Fix format mask in DE2 driver pinctrl: sh-pfc: r8a7791: Add can_clk function pinctrl: sh-pfc: r8a7795-es1: Fix MOD_SEL1 bit[25:24] to 0x3 when using STP_ISEN_1_D perf annotate: Fix unnecessary memory allocation for s390x perf annotate: Fix objdump comment parsing for Intel mov dissassembly iwlwifi: mvm: avoid dumping assert log when device is stopped drm/amdgpu:fix virtual dce bug clk: qcom: msm8916: fix mnd_width for codec_digcodec mwifiex: cfg80211: do not change virtual interface during scan processing ath10k: fix invalid STS_CAP_OFFSET_MASK tools/usbip: fixes build with musl libc toolchain spi: sun6i: disable/unprepare clocks on remove bnxt_en: Don't print "Link speed -1 no longer supported" messages. scsi: core: scsi_get_device_flags_keyed(): Always return device flags scsi: devinfo: apply to HP XP the same flags as Hitachi VSP scsi: dh: add new rdac devices media: vsp1: Prevent suspending and resuming DRM pipelines dm raid: fix raid set size revalidation media: cpia2: Fix a couple off by one bugs media: davinci: vpif_capture: add NULL check on devm_kzalloc return value virtio_net: Disable interrupts if napi_complete_done rescheduled napi net: sched: drop qdisc_reset from dev_graft_qdisc veth: set peer GSO values drm/amdkfd: Fix memory leaks in kfd topology powerpc/modules: Don't try to restore r2 after a sibling call powerpc/64: Don't trace irqs-off at interrupt return to soft-disabled context arm64: dts: renesas: salvator-common: Add EthernetAVB PHY reset agp/intel: Flush all chipset writes after updating the GGTT mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED mac80211: remove BUG() when interface type is invalid crypto: caam/qi - use correct print specifier for size_t ASoC: nuc900: Fix a loop timeout test mmc: mmc_test: Ensure command queue is disabled for testing Fix misannotated out-of-line _copy_to_user() ipvlan: add L2 check for packets arriving via virtual devices rcutorture/configinit: Fix build directory error message locking/locktorture: Fix num reader/writer corner cases ima: relax requiring a file signature for new files with zero length IB/mlx5: revisit -Wmaybe-uninitialized warning dmaengine: qcom_hidma: check pending interrupts drm/i915/glk: Disable Guc and HuC on GLK Linux 4.14.28 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Luca Coelho
|
8077cba5b1 |
mac80211: remove BUG() when interface type is invalid
[ Upstream commit c7976f5272486e4ff406014c4b43e2fa3b70b052 ] In the ieee80211_setup_sdata() we check if the interface type is valid and, if not, call BUG(). This should never happen, but if there is something wrong with the code, it will not be caught until the bug happens when an interface is being set up. Calling BUG() is too extreme for this and a WARN_ON() would be better used instead. Change that. Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
John Fastabend
|
a80de288d6 |
net: sched: drop qdisc_reset from dev_graft_qdisc
[ Upstream commit 7bbde83b1860c28a1cc35516352c4e7e5172c29a ] In qdisc_graft_qdisc a "new" qdisc is attached and the 'qdisc_destroy' operation is called on the old qdisc. The destroy operation will wait a rcu grace period and call qdisc_rcu_free(). At which point gso_cpu_skb is free'd along with all stats so no need to zero stats and gso_cpu_skb from the graft operation itself. Further after dropping the qdisc locks we can not continue to call qdisc_reset before waiting an rcu grace period so that the qdisc is detached from all cpus. By removing the qdisc_reset() here we get the correct property of waiting an rcu grace period and letting the qdisc_destroy operation clean up the qdisc correctly. Note, a refcnt greater than 1 would cause the destroy operation to be aborted however if this ever happened the reference to the qdisc would be lost and we would have a memory leak. Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Yossef Efraim
|
ab3db1af42 |
xfrm: Fix xfrm_replay_overflow_offload_esn
[ Upstream commit 0ba23a211360af7b6658e4fcfc571970bbbacc55 ]
In case of wrap around, replay_esn->oseq_hi is not updated
before it is tested for it's actual value, leading function
to fail with overflow indication and packets being dropped.
This patch updates replay_esn->oseq_hi in the right place.
Fixes: d7dbefc45cf5 ("xfrm: Add xfrm_replay_overflow functions for offloading")
Signed-off-by: Yossef Efraim <yossefe@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Lorenzo Colitti
|
bd174cd107 |
net: xfrm: allow clearing socket xfrm policies.
[ Upstream commit be8f8284cd897af2482d4e54fbc2bdfc15557259 ]
Currently it is possible to add or update socket policies, but
not clear them. Therefore, once a socket policy has been applied,
the socket cannot be used for unencrypted traffic.
This patch allows (privileged) users to clear socket policies by
passing in a NULL pointer and zero length argument to the
{IP,IPV6}_{IPSEC,XFRM}_POLICY setsockopts. This results in both
the incoming and outgoing policies being cleared.
The simple approach taken in this patch cannot clear socket
policies in only one direction. If desired this could be added
in the future, for example by continuing to pass in a length of
zero (which currently is guaranteed to return EMSGSIZE) and
making the policy be a pointer to an integer that contains one
of the XFRM_POLICY_{IN,OUT} enum values.
An alternative would have been to interpret the length as a
signed integer and use XFRM_POLICY_IN (i.e., 0) to clear the
input policy and -XFRM_POLICY_OUT (i.e., -1) to clear the output
policy.
Tested: https://android-review.googlesource.com/539816
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Linux Build Service Account
|
be49c61378 | Merge "Merge remote-tracking branch 'remotes/origin/tmp-df0daba' into msm-4.14" into msm-4.14 | ||
|
Linux Build Service Account
|
780ad12511 | Merge "Merge remote-tracking branch 'remotes/origin/tmp-4576e0e' into msm-4.14" into msm-4.14 | ||
|
Isaac J. Manjarres
|
3ba3c6ce0a |
Merge remote-tracking branch 'remotes/origin/tmp-df0daba' into msm-4.14
* remotes/origin/tmp-df0daba: Linux 4.14.27 x86/kprobes: Fix kernel crash when probing .entry_trampoline code objtool: Fix 32-bit build objtool: Fix another switch table detection issue objtool, retpolines: Integrate objtool with retpoline support more closely objtool: Add module specific retpoline rules kbuild: move cc-option and cc-disable-warning after incl. arch Makefile kbuild: Set KBUILD_CFLAGS before incl. arch Makefile kbuild: re-order the code to not parse unnecessary variables objtool: Add retpoline validation objtool: Use existing global variables for options x86/mm/sme, objtool: Annotate indirect call in sme_encrypt_execute() x86/boot, objtool: Annotate indirect jump in secondary_startup_64() x86/paravirt, objtool: Annotate indirect calls x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP x86/speculation, objtool: Annotate indirect calls/jumps for objtool x86/retpoline: Support retpoline builds with Clang x86/speculation: Use IBRS if available before calling into firmware Revert "x86/retpoline: Simplify vmexit_fill_RSB()" x86-64/realmode: Add instruction suffix x86/LDT: Avoid warning in 32-bit builds with older gcc x86/asm: Improve how GEN_*_SUFFIXED_RMWcc() specify clobbers x86/mm: Remove stale comment about KMEMCHECK x86/entry/64: Use 'xorl' for faster register clearing x86/entry: Reduce the code footprint of the 'idtentry' macro nospec: Include <asm/barrier.h> dependency nospec: Kill array_index_nospec_mask_check() MIPS: CPC: Map registers using DT in mips_cpc_default_phys_base() dt-bindings: Document mti,mips-cpc binding scsi: qla2xxx: Fix recursion while sending terminate exchange scsi: qla2xxx: Fix NULL pointer crash due to probe failure ALSA: hda: add dock and led support for HP ProBook 640 G2 ALSA: hda: add dock and led support for HP EliteBook 820 G3 ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines ALSA: seq: More protection for concurrent write and ioctl races ALSA: seq: Don't allow resizing pool in use ALSA: hda/realtek - Make dock sound work on ThinkPad L570 ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520 ALSA: hda/realtek: Limit mic boost on T480 ALSA: hda/realtek - Add headset mode support for Dell laptop ALSA: hda/realtek - Add support headset mode for DELL WYSE x86/spectre_v2: Don't check microcode versions when running under hypervisors perf tools: Fix trigger class trigger_on() x86/MCE: Serialize sysfs changes x86/MCE: Save microcode revision in machine check records bcache: don't attach backing with duplicate UUID bcache: fix crashes in duplicate cache device register IB/mlx5: Fix incorrect size of klms in the memory region dm bufio: avoid false-positive Wmaybe-uninitialized warning kbuild: Handle builtin dtb file names containing hyphens IB/core: Fix missing RDMA cgroups release in case of failure to register device arm64: mm: fix thinko in non-global page table attribute check KVM: s390: fix memory overwrites when not using SCA entries virtio_ring: fix num_free handling in error case loop: Fix lost writes caused by missing flag Documentation/sphinx: Fix Directive import error mm/memblock.c: hardcode the end_pfn being -1 lib/bug.c: exclude non-BUG/WARN exceptions from report_bug() Input: matrix_keypad - fix race when disabling interrupts PCI: dwc: Fix enumeration end when reaching root subordinate MIPS: OCTEON: irq: Check for null return on kzalloc allocation MIPS: ath25: Check for kzalloc allocation failure MIPS: BMIPS: Do not mask IPIs during suspend drm/amdgpu:Always save uvd vcpu_bo in VM Mode drm/amdgpu:Correct max uvd handles drm/amdgpu: fix KV harvesting drm/radeon: fix KV harvesting drm/amdgpu: Notify sbios device ready before send request drm/amdgpu: used cached pcie gen info for SI (v2) drm/amd/powerplay: fix power over limit on Fiji drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE Revert "drm/radeon/pm: autoswitch power state when in balanced mode" drm/amd/powerplay/vega10: allow mclk switching with no displays drm/amd/powerplay/smu7: allow mclk switching with no displays drm/nouveau: prefer XBGR2101010 for addfb ioctl drm/amdgpu: Fix deadlock on runtime suspend drm/radeon: Fix deadlock on runtime suspend drm/nouveau: Fix deadlock on runtime suspend drm: Allow determining if current task is output poll worker workqueue: Allow retrieval of current task's work struct drm/i915: Always call to intel_display_set_init_power() in resume_early. scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS scsi: core: Avoid that ATA error handling can trigger a kernel hang or oops drm/i915/perf: fix perf stream opening lock drm/i915: Try EDID bitbanging on HDMI after failed read drm/i915: Update watermark state correctly in sanitize_watermarks drm/i915: Disable DC states around GMBUS on GLK drm/i915: Clear the in-use marker on execbuf failure drm/i915: Fix rsvd2 mask when out-fence is returned regulator: stm32-vrefbuf: fix check on ready flag net/smc: fix NULL pointer dereference on sock_create_kern() error path IB/uverbs: Improve lockdep_check RDMA/mlx5: Fix integer overflow while resizing CQ RDMA/ucma: Check that user doesn't overflow QP state RDMA/ucma: Limit possible option size NFS: Fix unstable write completion pNFS: Prevent the layout header refcount going to zero in pnfs_roc() NFS: Fix an incorrect type in struct nfs_direct_req scsi: qla2xxx: Fix memory leak in dual/target mode scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout. scsi: qla2xxx: Defer processing of GS IOCB calls scsi: qla2xxx: Clear loop id after delete scsi: qla2xxx: Fix scan state field for fcport scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport scsi: qla2xxx: Fix abort command deadlock due to spinlock scsi: qla2xxx: Fix PRLI state check scsi: qla2xxx: Fix Relogin being triggered too fast scsi: qla2xxx: Fix NPIV host cleanup in target mode scsi: qla2xxx: Fix login state machine stuck at GPDB scsi: qla2xxx: Serialize GPNID for multiple RSCN scsi: qla2xxx: Retry switch command on time out scsi: qla2xxx: Fix re-login for Nport Handle in use scsi: qla2xxx: Skip IRQ affinity for Target QPairs scsi: qla2xxx: Move session delete to driver work queue scsi: qla2xxx: Fix gpnid error processing scsi: qla2xxx: Fix system crash for Notify ack timeout handling tpm: only attempt to disable the LPC CLKRUN if is already enabled tpm: remove unused variables tpm: delete the TPM_TIS_CLK_ENABLE flag tpm: Keep CLKRUN enabled throughout the duration of transmit_cmd() tpm_tis: Move ilb_base_addr to tpm_tis_data netfilter: use skb_to_full_sk in ip6_route_me_harder netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt netfilter: bridge: ebt_among: add missing match size checks netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets netfilter: IDLETIMER: be syzkaller friendly netfilter: nat: cope with negative port range netfilter: x_tables: fix missing timer initialization in xt_LED netfilter: xt_hashlimit: fix lock imbalance netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation netfilter: add back stackpointer size checks ASoC: Intel: kbl: fix jack name ASoC: Intel: Skylake: Fix jack name format substitution ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds watchdog: hpwdt: Remove legacy NMI sourcing. watchdog: hpwdt: fix unused variable warning watchdog: hpwdt: Check source of NMI watchdog: hpwdt: SMBIOS check kbuild: move "_all" target out of $(KBUILD_SRC) conditional FROMLIST: f2fs: don't put dentry page in pagecache into highmem Conflicts: Makefile Change-Id: I9c0acaa8aea9f4986bf01898de8d4be4658c64ce Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org> |
||
|
Greg Kroah-Hartman
|
df0daba830 |
This is the 4.14.27 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlqqQuAACgkQONu9yGCS aT5HWQ/+JN9PWuHl/QWq7WbwoXu6Y8tqXFmuw2v/jViWJyKyBPD9lh3KcZ+wEYYk Vd8IIImgDsMjvaQ1/dzFSfUrFe3JsSDlVvdFSpmjAoFTpYCsQM2FUz/b4o/D/l9S AO3OifGW//yqt6a5YdI+5Q7vHMsUiLstfQl/vPy1RC8uvq5JSGwnTRIF0oI+PvG9 X79pUxCirkPoLrvK2ruBdsRY+zTzGlSm+OPv7u93M6ZEugDPoQaWxYfHZbyKihtV 30lV1tkl+zwAeW8m51IrftQPxq58CHWFlb2g+UdainrCu3XkSQODgonPudyBcgIt oU4pTK6EEh9ntGmF8gI3lPLFb41lD9j3UsYP5BWf9BLV8t5ryUox4yEoJXXWv4cP +/UsK7cNaBSdT6TtQHOwKhkx7vUQ0+J8nqRJvkfkfQYwv+1jfQqz1Kl9fplu1Pgt t/LuuL4C4n8eMKwWunspd0SXdIqhZpkwZ/ECWulLQ4yeQMWeitObtN/dA71bBkLu U9u7djLgztLIeKPAHyrxGEZMhwP1kNiRrMJKNZhugPtx0IhoIDvNvdXvxIE2izbP Xm+MMxoQ05kIrL+DqnJH9FJSx2TTej5B1p4NIexxZ0YSaW+UPk1u2AVz2PAU+G2K CLLuD7lfsya4Zu64ZJKXTf5KFwkeHQqXKI6w8lYxz188+p70ghk= =2ZQa -----END PGP SIGNATURE----- Merge 4.14.27 into android-4.14 Changes in 4.14.27 kbuild: move "_all" target out of $(KBUILD_SRC) conditional watchdog: hpwdt: SMBIOS check watchdog: hpwdt: Check source of NMI watchdog: hpwdt: fix unused variable warning watchdog: hpwdt: Remove legacy NMI sourcing. ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds ASoC: Intel: Skylake: Fix jack name format substitution ASoC: Intel: kbl: fix jack name netfilter: add back stackpointer size checks netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation netfilter: xt_hashlimit: fix lock imbalance netfilter: x_tables: fix missing timer initialization in xt_LED netfilter: nat: cope with negative port range netfilter: IDLETIMER: be syzkaller friendly netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets netfilter: bridge: ebt_among: add missing match size checks netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt netfilter: use skb_to_full_sk in ip6_route_me_harder tpm_tis: Move ilb_base_addr to tpm_tis_data tpm: Keep CLKRUN enabled throughout the duration of transmit_cmd() tpm: delete the TPM_TIS_CLK_ENABLE flag tpm: remove unused variables tpm: only attempt to disable the LPC CLKRUN if is already enabled scsi: qla2xxx: Fix system crash for Notify ack timeout handling scsi: qla2xxx: Fix gpnid error processing scsi: qla2xxx: Move session delete to driver work queue scsi: qla2xxx: Skip IRQ affinity for Target QPairs scsi: qla2xxx: Fix re-login for Nport Handle in use scsi: qla2xxx: Retry switch command on time out scsi: qla2xxx: Serialize GPNID for multiple RSCN scsi: qla2xxx: Fix login state machine stuck at GPDB scsi: qla2xxx: Fix NPIV host cleanup in target mode scsi: qla2xxx: Fix Relogin being triggered too fast scsi: qla2xxx: Fix PRLI state check scsi: qla2xxx: Fix abort command deadlock due to spinlock scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport scsi: qla2xxx: Fix scan state field for fcport scsi: qla2xxx: Clear loop id after delete scsi: qla2xxx: Defer processing of GS IOCB calls scsi: qla2xxx: Remove aborting ELS IOCB call issued as part of timeout. scsi: qla2xxx: Fix system crash in qlt_plogi_ack_unref scsi: qla2xxx: Fix memory leak in dual/target mode NFS: Fix an incorrect type in struct nfs_direct_req pNFS: Prevent the layout header refcount going to zero in pnfs_roc() NFS: Fix unstable write completion RDMA/ucma: Limit possible option size RDMA/ucma: Check that user doesn't overflow QP state RDMA/mlx5: Fix integer overflow while resizing CQ IB/uverbs: Improve lockdep_check net/smc: fix NULL pointer dereference on sock_create_kern() error path regulator: stm32-vrefbuf: fix check on ready flag drm/i915: Fix rsvd2 mask when out-fence is returned drm/i915: Clear the in-use marker on execbuf failure drm/i915: Disable DC states around GMBUS on GLK drm/i915: Update watermark state correctly in sanitize_watermarks drm/i915: Try EDID bitbanging on HDMI after failed read drm/i915/perf: fix perf stream opening lock scsi: core: Avoid that ATA error handling can trigger a kernel hang or oops scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS drm/i915: Always call to intel_display_set_init_power() in resume_early. workqueue: Allow retrieval of current task's work struct drm: Allow determining if current task is output poll worker drm/nouveau: Fix deadlock on runtime suspend drm/radeon: Fix deadlock on runtime suspend drm/amdgpu: Fix deadlock on runtime suspend drm/nouveau: prefer XBGR2101010 for addfb ioctl drm/amd/powerplay/smu7: allow mclk switching with no displays drm/amd/powerplay/vega10: allow mclk switching with no displays Revert "drm/radeon/pm: autoswitch power state when in balanced mode" drm/radeon: insist on 32-bit DMA for Cedar on PPC64/PPC64LE drm/amd/powerplay: fix power over limit on Fiji drm/amdgpu: used cached pcie gen info for SI (v2) drm/amdgpu: Notify sbios device ready before send request drm/radeon: fix KV harvesting drm/amdgpu: fix KV harvesting drm/amdgpu:Correct max uvd handles drm/amdgpu:Always save uvd vcpu_bo in VM Mode MIPS: BMIPS: Do not mask IPIs during suspend MIPS: ath25: Check for kzalloc allocation failure MIPS: OCTEON: irq: Check for null return on kzalloc allocation PCI: dwc: Fix enumeration end when reaching root subordinate Input: matrix_keypad - fix race when disabling interrupts lib/bug.c: exclude non-BUG/WARN exceptions from report_bug() mm/memblock.c: hardcode the end_pfn being -1 Documentation/sphinx: Fix Directive import error loop: Fix lost writes caused by missing flag virtio_ring: fix num_free handling in error case KVM: s390: fix memory overwrites when not using SCA entries arm64: mm: fix thinko in non-global page table attribute check IB/core: Fix missing RDMA cgroups release in case of failure to register device kbuild: Handle builtin dtb file names containing hyphens dm bufio: avoid false-positive Wmaybe-uninitialized warning IB/mlx5: Fix incorrect size of klms in the memory region bcache: fix crashes in duplicate cache device register bcache: don't attach backing with duplicate UUID x86/MCE: Save microcode revision in machine check records x86/MCE: Serialize sysfs changes perf tools: Fix trigger class trigger_on() x86/spectre_v2: Don't check microcode versions when running under hypervisors ALSA: hda/realtek - Add support headset mode for DELL WYSE ALSA: hda/realtek - Add headset mode support for Dell laptop ALSA: hda/realtek: Limit mic boost on T480 ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520 ALSA: hda/realtek - Make dock sound work on ThinkPad L570 ALSA: seq: Don't allow resizing pool in use ALSA: seq: More protection for concurrent write and ioctl races ALSA: hda - Fix a wrong FIXUP for alc289 on Dell machines ALSA: hda: add dock and led support for HP EliteBook 820 G3 ALSA: hda: add dock and led support for HP ProBook 640 G2 scsi: qla2xxx: Fix NULL pointer crash due to probe failure scsi: qla2xxx: Fix recursion while sending terminate exchange dt-bindings: Document mti,mips-cpc binding MIPS: CPC: Map registers using DT in mips_cpc_default_phys_base() nospec: Kill array_index_nospec_mask_check() nospec: Include <asm/barrier.h> dependency x86/entry: Reduce the code footprint of the 'idtentry' macro x86/entry/64: Use 'xorl' for faster register clearing x86/mm: Remove stale comment about KMEMCHECK x86/asm: Improve how GEN_*_SUFFIXED_RMWcc() specify clobbers x86/LDT: Avoid warning in 32-bit builds with older gcc x86-64/realmode: Add instruction suffix Revert "x86/retpoline: Simplify vmexit_fill_RSB()" x86/speculation: Use IBRS if available before calling into firmware x86/retpoline: Support retpoline builds with Clang x86/speculation, objtool: Annotate indirect calls/jumps for objtool x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP x86/paravirt, objtool: Annotate indirect calls x86/boot, objtool: Annotate indirect jump in secondary_startup_64() x86/mm/sme, objtool: Annotate indirect call in sme_encrypt_execute() objtool: Use existing global variables for options objtool: Add retpoline validation kbuild: re-order the code to not parse unnecessary variables kbuild: Set KBUILD_CFLAGS before incl. arch Makefile kbuild: move cc-option and cc-disable-warning after incl. arch Makefile objtool: Add module specific retpoline rules objtool, retpolines: Integrate objtool with retpoline support more closely objtool: Fix another switch table detection issue objtool: Fix 32-bit build x86/kprobes: Fix kernel crash when probing .entry_trampoline code Linux 4.14.27 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Davide Caratti
|
bba05fb6a1 |
net/smc: fix NULL pointer dereference on sock_create_kern() error path
commit a5dcb73b96a9d21431048bdaac02d9e96f386da3 upstream. when sock_create_kern(..., a) returns an error, 'a' might not be a valid pointer, so it shouldn't be dereferenced to read a->sk->sk_sndbuf and and a->sk->sk_rcvbuf; not doing that caused the following crash: general protection fault: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 0 PID: 4254 Comm: syzkaller919713 Not tainted 4.16.0-rc1+ #18 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:smc_create+0x14e/0x300 net/smc/af_smc.c:1410 RSP: 0018:ffff8801b06afbc8 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffff8801b63457c0 RCX: ffffffff85a3e746 RDX: 0000000000000004 RSI: 00000000ffffffff RDI: 0000000000000020 RBP: ffff8801b06afbf0 R08: 00000000000007c0 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000 R13: ffff8801b6345c08 R14: 00000000ffffffe9 R15: ffffffff8695ced0 FS: 0000000001afb880(0000) GS:ffff8801db200000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000040 CR3: 00000001b0721004 CR4: 00000000001606f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: __sock_create+0x4d4/0x850 net/socket.c:1285 sock_create net/socket.c:1325 [inline] SYSC_socketpair net/socket.c:1409 [inline] SyS_socketpair+0x1c0/0x6f0 net/socket.c:1366 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x4404b9 RSP: 002b:00007fff44ab6908 EFLAGS: 00000246 ORIG_RAX: 0000000000000035 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004404b9 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 000000000000002b RBP: 00007fff44ab6910 R08: 0000000000000002 R09: 00007fff44003031 R10: 0000000020000040 R11: 0000000000000246 R12: ffffffffffffffff R13: 0000000000000006 R14: 0000000000000000 R15: 0000000000000000 Code: 48 c1 ea 03 80 3c 02 00 0f 85 b3 01 00 00 4c 8b a3 48 04 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7c 24 20 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 82 01 00 00 4d 8b 7c 24 20 48 b8 00 00 00 00 RIP: smc_create+0x14e/0x300 net/smc/af_smc.c:1410 RSP: ffff8801b06afbc8 Fixes: cd6851f30386 smc: remote memory buffers (RMBs) Reported-and-tested-by: syzbot+aa0227369be2dcc26ebe@syzkaller.appspotmail.com Signed-off-by: Davide Caratti <dcaratti@redhat.com> Signed-off-by: Ursula Braun <ubraun@linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Eric Dumazet
|
9131a1b3d9 |
netfilter: use skb_to_full_sk in ip6_route_me_harder
commit 7d98386d55a5afaa65de77e1e9197edeb8a42079 upstream.
For some reason, Florian forgot to apply to ip6_route_me_harder
the fix that went in commit 29e09229d9f2 ("netfilter: use
skb_to_full_sk in ip_route_me_harder")
Fixes: ca6fb0651883 ("tcp: attach SYNACK messages to request sockets instead of listener")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Florian Westphal
|
39f154faec |
netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt
commit b078556aecd791b0e5cb3a59f4c3a14273b52121 upstream.
l4proto->manip_pkt() can cause reallocation of skb head so pointer
to the ipv6 header must be reloaded.
Reported-and-tested-by: <syzbot+10005f4292fc9cc89de7@syzkaller.appspotmail.com>
Fixes: 58a317f1061c89 ("netfilter: ipv6: add IPv6 NAT support")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Florian Westphal
|
2d7e070039 |
netfilter: bridge: ebt_among: add missing match size checks
commit c4585a2823edf4d1326da44d1524ecbfda26bb37 upstream. ebt_among is special, it has a dynamic match size and is exempt from the central size checks. Therefore it must check that the size of the match structure provided from userspace is sane by making sure em->match_size is at least the minimum size of the expected structure. The module has such a check, but its only done after accessing a structure that might be out of bounds. tested with: ebtables -A INPUT ... \ --among-dst fe:fe:fe:fe:fe:fe --among-dst fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fb,fe:fe:fe:fe:fc:fd,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe --among-src fe:fe:fe:fe:ff:f,fe:fe:fe:fe:fe:fa,fe:fe:fe:fe:fe:fd,fe:fe:fe:fe:fe:fe,fe:fe:fe:fe:fe:fe Reported-by: <syzbot+fe0b19af568972814355@syzkaller.appspotmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Florian Westphal
|
eaa06bfba8 |
netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets
commit b71812168571fa55e44cdd0254471331b9c4c4c6 upstream. We need to make sure the offsets are not out of range of the total size. Also check that they are in ascending order. The WARN_ON triggered by syzkaller (it sets panic_on_warn) is changed to also bail out, no point in continuing parsing. Briefly tested with simple ruleset of -A INPUT --limit 1/s' --log plus jump to custom chains using 32bit ebtables binary. Reported-by: <syzbot+845a53d13171abf8bf29@syzkaller.appspotmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Eric Dumazet
|
c89e04e5c0 |
netfilter: IDLETIMER: be syzkaller friendly
commit cfc2c740533368b96e2be5e0a4e8c3cace7d9814 upstream. We had one report from syzkaller [1] First issue is that INIT_WORK() should be done before mod_timer() or we risk timer being fired too soon, even with a 1 second timer. Second issue is that we need to reject too big info->timeout to avoid overflows in msecs_to_jiffies(info->timeout * 1000), or risk looping, if result after overflow is 0. [1] WARNING: CPU: 1 PID: 5129 at kernel/workqueue.c:1444 __queue_work+0xdf4/0x1230 kernel/workqueue.c:1444 Kernel panic - not syncing: panic_on_warn set ... CPU: 1 PID: 5129 Comm: syzkaller159866 Not tainted 4.16.0-rc1+ #230 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <IRQ> __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x194/0x257 lib/dump_stack.c:53 panic+0x1e4/0x41c kernel/panic.c:183 __warn+0x1dc/0x200 kernel/panic.c:547 report_bug+0x211/0x2d0 lib/bug.c:184 fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178 fixup_bug arch/x86/kernel/traps.c:247 [inline] do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296 do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315 invalid_op+0x22/0x40 arch/x86/entry/entry_64.S:988 RIP: 0010:__queue_work+0xdf4/0x1230 kernel/workqueue.c:1444 RSP: 0018:ffff8801db507538 EFLAGS: 00010006 RAX: ffff8801aeb46080 RBX: ffff8801db530200 RCX: ffffffff81481404 RDX: 0000000000000100 RSI: ffffffff86b42640 RDI: 0000000000000082 RBP: ffff8801db507758 R08: 1ffff1003b6a0de5 R09: 000000000000000c R10: ffff8801db5073f0 R11: 0000000000000020 R12: 1ffff1003b6a0eb6 R13: ffff8801b1067ae0 R14: 00000000000001f8 R15: dffffc0000000000 queue_work_on+0x16a/0x1c0 kernel/workqueue.c:1488 queue_work include/linux/workqueue.h:488 [inline] schedule_work include/linux/workqueue.h:546 [inline] idletimer_tg_expired+0x44/0x60 net/netfilter/xt_IDLETIMER.c:116 call_timer_fn+0x228/0x820 kernel/time/timer.c:1326 expire_timers kernel/time/timer.c:1363 [inline] __run_timers+0x7ee/0xb70 kernel/time/timer.c:1666 run_timer_softirq+0x4c/0x70 kernel/time/timer.c:1692 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 invoke_softirq kernel/softirq.c:365 [inline] irq_exit+0x1cc/0x200 kernel/softirq.c:405 exiting_irq arch/x86/include/asm/apic.h:541 [inline] smp_apic_timer_interrupt+0x16b/0x700 arch/x86/kernel/apic/apic.c:1052 apic_timer_interrupt+0xa9/0xb0 arch/x86/entry/entry_64.S:829 </IRQ> RIP: 0010:arch_local_irq_restore arch/x86/include/asm/paravirt.h:777 [inline] RIP: 0010:__raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:160 [inline] RIP: 0010:_raw_spin_unlock_irqrestore+0x5e/0xba kernel/locking/spinlock.c:184 RSP: 0018:ffff8801c20173c8 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff12 RAX: dffffc0000000000 RBX: 0000000000000282 RCX: 0000000000000006 RDX: 1ffffffff0d592cd RSI: 1ffff10035d68d23 RDI: 0000000000000282 RBP: ffff8801c20173d8 R08: 1ffff10038402e47 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffffff8820e5c8 R13: ffff8801b1067ad8 R14: ffff8801aea7c268 R15: ffff8801aea7c278 __debug_object_init+0x235/0x1040 lib/debugobjects.c:378 debug_object_init+0x17/0x20 lib/debugobjects.c:391 __init_work+0x2b/0x60 kernel/workqueue.c:506 idletimer_tg_create net/netfilter/xt_IDLETIMER.c:152 [inline] idletimer_tg_checkentry+0x691/0xb00 net/netfilter/xt_IDLETIMER.c:213 xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:850 check_target net/ipv6/netfilter/ip6_tables.c:533 [inline] find_check_entry.isra.7+0x935/0xcf0 net/ipv6/netfilter/ip6_tables.c:575 translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:744 do_replace net/ipv6/netfilter/ip6_tables.c:1160 [inline] do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1686 nf_sockopt net/netfilter/nf_sockopt.c:106 [inline] nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115 ipv6_setsockopt+0x10b/0x130 net/ipv6/ipv6_sockglue.c:927 udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422 sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2976 SYSC_setsockopt net/socket.c:1850 [inline] SyS_setsockopt+0x189/0x360 net/socket.c:1829 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 Fixes: 0902b469bd25 ("netfilter: xtables: idletimer target implementation") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzkaller <syzkaller@googlegroups.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Paolo Abeni
|
53f94e6110 |
netfilter: nat: cope with negative port range
commit db57ccf0f2f4624b4c4758379f8165277504fbd7 upstream. syzbot reported a division by 0 bug in the netfilter nat code: divide error: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 4168 Comm: syzkaller034710 Not tainted 4.16.0-rc1+ #309 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:nf_nat_l4proto_unique_tuple+0x291/0x530 net/netfilter/nf_nat_proto_common.c:88 RSP: 0018:ffff8801b2466778 EFLAGS: 00010246 RAX: 000000000000f153 RBX: ffff8801b2466dd8 RCX: ffff8801b2466c7c RDX: 0000000000000000 RSI: ffff8801b2466c58 RDI: ffff8801db5293ac RBP: ffff8801b24667d8 R08: ffff8801b8ba6dc0 R09: ffffffff88af5900 R10: ffff8801b24666f0 R11: 0000000000000000 R12: 000000002990f153 R13: 0000000000000001 R14: 0000000000000000 R15: ffff8801b2466c7c FS: 00000000017e3880(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000208fdfe4 CR3: 00000001b5340002 CR4: 00000000001606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: dccp_unique_tuple+0x40/0x50 net/netfilter/nf_nat_proto_dccp.c:30 get_unique_tuple+0xc28/0x1c10 net/netfilter/nf_nat_core.c:362 nf_nat_setup_info+0x1c2/0xe00 net/netfilter/nf_nat_core.c:406 nf_nat_redirect_ipv6+0x306/0x730 net/netfilter/nf_nat_redirect.c:124 redirect_tg6+0x7f/0xb0 net/netfilter/xt_REDIRECT.c:34 ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365 ip6table_nat_do_chain+0x65/0x80 net/ipv6/netfilter/ip6table_nat.c:41 nf_nat_ipv6_fn+0x594/0xa80 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:302 nf_nat_ipv6_local_fn+0x33/0x5d0 net/ipv6/netfilter/nf_nat_l3proto_ipv6.c:407 ip6table_nat_local_fn+0x2c/0x40 net/ipv6/netfilter/ip6table_nat.c:69 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483 nf_hook include/linux/netfilter.h:243 [inline] NF_HOOK include/linux/netfilter.h:286 [inline] ip6_xmit+0x10ec/0x2260 net/ipv6/ip6_output.c:277 inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139 dccp_transmit_skb+0x9ac/0x10f0 net/dccp/output.c:142 dccp_connect+0x369/0x670 net/dccp/output.c:564 dccp_v6_connect+0xe17/0x1bf0 net/dccp/ipv6.c:946 __inet_stream_connect+0x2d4/0xf00 net/ipv4/af_inet.c:620 inet_stream_connect+0x58/0xa0 net/ipv4/af_inet.c:684 SYSC_connect+0x213/0x4a0 net/socket.c:1639 SyS_connect+0x24/0x30 net/socket.c:1620 do_syscall_64+0x282/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x26/0x9b RIP: 0033:0x441c69 RSP: 002b:00007ffe50cc0be8 EFLAGS: 00000217 ORIG_RAX: 000000000000002a RAX: ffffffffffffffda RBX: ffffffffffffffff RCX: 0000000000441c69 RDX: 000000000000001c RSI: 00000000208fdfe4 RDI: 0000000000000003 RBP: 00000000006cc018 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000538 R11: 0000000000000217 R12: 0000000000403590 R13: 0000000000403620 R14: 0000000000000000 R15: 0000000000000000 Code: 48 89 f0 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 46 02 00 00 48 8b 45 c8 44 0f b7 20 e8 88 97 04 fd 31 d2 41 0f b7 c4 4c 89 f9 <41> f7 f6 48 c1 e9 03 48 b8 00 00 00 00 00 fc ff df 0f b6 0c 01 RIP: nf_nat_l4proto_unique_tuple+0x291/0x530 net/netfilter/nf_nat_proto_common.c:88 RSP: ffff8801b2466778 The problem is that currently we don't have any check on the configured port range. A port range == -1 triggers the bug, while other negative values may require a very long time to complete the following loop. This commit addresses the issue swapping the two ends on negative ranges. The check is performed in nf_nat_l4proto_unique_tuple() since the nft nat loads the port values from nft registers at runtime. v1 -> v2: use the correct 'Fixes' tag v2 -> v3: update commit message, drop unneeded READ_ONCE() Fixes: 5b1158e909ec ("[NETFILTER]: Add NAT support for nf_conntrack") Reported-by: syzbot+8012e198bd037f4871e5@syzkaller.appspotmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Paolo Abeni
|
ab737b02b2 |
netfilter: x_tables: fix missing timer initialization in xt_LED
commit 10414014bc085aac9f787a5890b33b5605fbcfc4 upstream. syzbot reported that xt_LED may try to use the ledinternal->timer without previously initializing it: ------------[ cut here ]------------ kernel BUG at kernel/time/timer.c:958! invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: CPU: 1 PID: 1826 Comm: kworker/1:2 Not tainted 4.15.0+ #306 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work RIP: 0010:__mod_timer kernel/time/timer.c:958 [inline] RIP: 0010:mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102 RSP: 0018:ffff8801d24fe9f8 EFLAGS: 00010293 RAX: ffff8801d25246c0 RBX: ffff8801aec6cb50 RCX: ffffffff816052c6 RDX: 0000000000000000 RSI: 00000000fffbd14b RDI: ffff8801aec6cb68 RBP: ffff8801d24fec98 R08: 0000000000000000 R09: 1ffff1003a49fd6c R10: ffff8801d24feb28 R11: 0000000000000005 R12: dffffc0000000000 R13: ffff8801d24fec70 R14: 00000000fffbd14b R15: ffff8801af608f90 FS: 0000000000000000(0000) GS:ffff8801db500000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000206d6fd0 CR3: 0000000006a22001 CR4: 00000000001606e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: led_tg+0x1db/0x2e0 net/netfilter/xt_LED.c:75 ip6t_do_table+0xc2a/0x1a30 net/ipv6/netfilter/ip6_tables.c:365 ip6table_raw_hook+0x65/0x80 net/ipv6/netfilter/ip6table_raw.c:42 nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline] nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483 nf_hook.constprop.27+0x3f6/0x830 include/linux/netfilter.h:243 NF_HOOK include/linux/netfilter.h:286 [inline] ndisc_send_skb+0xa51/0x1370 net/ipv6/ndisc.c:491 ndisc_send_ns+0x38a/0x870 net/ipv6/ndisc.c:633 addrconf_dad_work+0xb9e/0x1320 net/ipv6/addrconf.c:4008 process_one_work+0xbbf/0x1af0 kernel/workqueue.c:2113 worker_thread+0x223/0x1990 kernel/workqueue.c:2247 kthread+0x33c/0x400 kernel/kthread.c:238 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:429 Code: 85 2a 0b 00 00 4d 8b 3c 24 4d 85 ff 75 9f 4c 8b bd 60 fd ff ff e8 bb 57 10 00 65 ff 0d 94 9a a1 7e e9 d9 fc ff ff e8 aa 57 10 00 <0f> 0b e8 a3 57 10 00 e9 14 fb ff ff e8 99 57 10 00 4c 89 bd 70 RIP: __mod_timer kernel/time/timer.c:958 [inline] RSP: ffff8801d24fe9f8 RIP: mod_timer+0x7d6/0x13c0 kernel/time/timer.c:1102 RSP: ffff8801d24fe9f8 ---[ end trace f661ab06f5dd8b3d ]--- The ledinternal struct can be shared between several different xt_LED targets, but the related timer is currently initialized only if the first target requires it. Fix it by unconditionally initializing the timer struct. v1 -> v2: call del_timer_sync() unconditionally, too. Fixes: 268cb38e1802 ("netfilter: x_tables: add LED trigger target") Reported-by: syzbot+10c98dc5725c6c8fc7fb@syzkaller.appspotmail.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Eric Dumazet
|
2a7ebc07a1 |
netfilter: xt_hashlimit: fix lock imbalance
commit de526f401284e1638d4c97cb5a4c292ac3f37655 upstream.
syszkaller found that rcu was not held in hashlimit_mt_common()
We only need to enable BH at this point.
Fixes: bea74641e378 ("netfilter: xt_hashlimit: add rate match mode")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Cong Wang
|
4514a597aa |
netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation
commit b3e456fce9f51d6276e576d00271e2813c1b8b67 upstream.
There is a race condition between clusterip_config_entry_put()
and clusterip_config_init(), after we release the spinlock in
clusterip_config_entry_put(), a new proc file with a same IP could
be created immediately since it is already removed from the configs
list, therefore it triggers this warning:
------------[ cut here ]------------
proc_dir_entry 'ipt_CLUSTERIP/172.20.0.170' already registered
WARNING: CPU: 1 PID: 4152 at fs/proc/generic.c:330 proc_register+0x2a4/0x370 fs/proc/generic.c:329
Kernel panic - not syncing: panic_on_warn set ...
As a quick fix, just move the proc_remove() inside the spinlock.
Reported-by: <syzbot+03218bcdba6aa76441a3@syzkaller.appspotmail.com>
Fixes: 6c5d5cfbe3c5 ("netfilter: ipt_CLUSTERIP: check duplicate config when initializing")
Tested-by: Paolo Abeni <pabeni@redhat.com>
Cc: Xin Long <lucien.xin@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Florian Westphal
|
638c2e4eff |
netfilter: add back stackpointer size checks
commit 57ebd808a97d7c5b1e1afb937c2db22beba3c1f8 upstream.
The rationale for removing the check is only correct for rulesets
generated by ip(6)tables.
In iptables, a jump can only occur to a user-defined chain, i.e.
because we size the stack based on number of user-defined chains we
cannot exceed stack size.
However, the underlying binary format has no such restriction,
and the validation step only ensures that the jump target is a
valid rule start point.
IOW, its possible to build a rule blob that has no user-defined
chains but does contain a jump.
If this happens, no jump stack gets allocated and crash occurs
because no jumpstack was allocated.
Fixes: 7814b6ec6d0d6 ("netfilter: xtables: don't save/restore jumpstack offset")
Reported-by: syzbot+e783f671527912cd9403@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Linux Build Service Account
|
e0969d21f1 | Merge "Merge remote-tracking branch 'remotes/origin/tmp-85ab9a0' into msm-4.14" into msm-4.14 | ||
|
Linux Build Service Account
|
daf88c7463 | Merge "netfilter:Notify user space on creating sysfs file" into msm-4.14 | ||
Devi Sandeep Endluri V V
|
4c159b2a80 |
net: socket: Added notifier chains for socket administrative functions
Allows other areas in the kernel to register notifier callbacks which get invoked whenever something performs an administrative action on a socket. This patch adds hooks in socket(), bind(), listen(), accept(), shutdown(). CRs-Fixed: 626021 Change-Id: I4ae99cb2206d7c4eddba69757335c18d10143045 Acked-by: Manoj Basapathi <manojbm@qti.qualcomm.com> Signed-off-by: Devi Sandeep Endluri V V <dendluri@codeaurora.org> Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org> |
||
|
Devi Sandeep Endluri V V
|
a826e61c91 |
netfilter:Notify user space on creating sysfs file
uevent indication is required to notify the user space on creation of sysfs file entry. This helps in creating specific sysfs labeled entries for newly created file which are module specific. Change-Id: I576fa77158445ced6d5efb93b5d724d75f30b03f CRs-Fixed: 2056628 Acked-by: Manoj Basapathi <manojbm@qti.qualcomm.com> Signed-off-by: Tejaswi Tanikella <tejaswit@codeaurora.org> |
||
|
Linux Build Service Account
|
9010c0ecb7 | Merge "net: Add snapshot of sockev module" into msm-4.14 | ||
|
Linux Build Service Account
|
4e64f3490b | Merge "netfilter: xtables: Add snapshot of hardidletimer target" into msm-4.14 |