443 Commits

Author	SHA1	Message	Date
Srinivasarao P	90bb7a2b24	Merge android-4.14-stable.180 (816f245) into msm-4.14 ... * refs/heads/tmp-816f245: Revert "clk: qcom: rcg2: Don't crash if our parent can't be found; return an error" Reverting crypto patches Reverting incremental fs changes Linux 4.14.180 cgroup, netclassid: remove double cond_resched mac80211: add ieee80211_is_any_nullfunc() ALSA: hda: Match both PCI ID and SSID for driver blacklist tracing: Reverse the order of trace_types_lock and event_mutex sctp: Fix SHUTDOWN CTSN Ack in the peer restart case net: systemport: suppress warnings on failed Rx SKB allocations net: bcmgenet: suppress warnings on failed Rx SKB allocations lib/mpi: Fix building for powerpc with clang net: dsa: b53: Rework ARL bin logic scripts/config: allow colons in option strings for sed s390/ftrace: fix potential crashes when switching tracers cifs: protect updating server->dstaddr with a spinlock net: stmmac: Fix sub-second increment net: stmmac: fix enabling socfpga's ptp_ref_clock wimax/i2400m: Fix potential urb refcnt leak ASoC: codecs: hdac_hdmi: Fix incorrect use of list_for_each_entry ASoC: rsnd: Fix HDMI channel mapping for multi-SSI mode ASoC: sgtl5000: Fix VAG power-on handling selftests/ipc: Fix test failure seen after initial test run ASoC: topology: Check return value of pcm_new_ver powerpc/pci/of: Parse unassigned resources vhost: vsock: kick send_pkt worker once device is started ANDROID: arm64: fix a mismerge in proc.S Linux 4.14.179 selinux: properly handle multiple messages in selinux_netlink_send() dmaengine: dmatest: Fix iteration non-stop logic nfs: Fix potential posix_acl refcnt leak in nfs3_set_acl ALSA: opti9xx: shut up gcc-10 range warning iommu/amd: Fix legacy interrupt remapping for x2APIC-enabled system scsi: target/iblock: fix WRITE SAME zeroing iommu/qcom: Fix local_base status check vfio/type1: Fix VA->PA translation for PFNMAP VMAs in vaddr_get_pfn() vfio: avoid possible overflow in vfio_iommu_type1_pin_pages RDMA/mlx4: Initialize ib_spec on the stack RDMA/mlx5: Set GRH fields in query QP on RoCE dm verity fec: fix hash block number in verity_fec_decode PM: hibernate: Freeze kernel threads in software_resume() PM: ACPI: Output correct message on target power state ALSA: pcm: oss: Place the plugin buffer overflow checks correctly ALSA: hda/hdmi: fix without unlocked before return ALSA: hda/realtek - Two front mics on a Lenovo ThinkCenter mmc: sdhci-pci: Fix eMMC driver strength for BYT-based controllers mmc: sdhci-xenon: fix annoying 1.8V regulator warning btrfs: fix partial loss of prealloc extent past i_size after fsync btrfs: fix block group leak when removing fails drm/qxl: qxl_release use after free drm/qxl: qxl_release leak in qxl_hw_surface_alloc() drm/qxl: qxl_release leak in qxl_draw_dirty_fb() drm/edid: Fix off-by-one in DispID DTD pixel clock ext4: fix special inode number checks in __ext4_iget() ANDROID: Incremental fs: Fix issues with very large files Linux 4.14.178 propagate_one(): mnt_set_mountpoint() needs mount_lock ext4: check for non-zero journal inum in ext4_calculate_overhead qed: Fix use after free in qed_chain_free ext4: unsigned int compared against zero ext4: fix block validity checks for journal inodes using indirect blocks ext4: don't perform block validity checks on the journal inode ext4: protect journal inode's blocks using block_validity ext4: avoid declaring fs inconsistent due to invalid file handles hwmon: (jc42) Fix name to have no illegal characters ext4: convert BUG_ON's to WARN_ON's in mballoc.c ext4: increase wait time needed before reuse of deleted inode numbers ext4: use matching invalidatepage in ext4_writepage arm64: Delete the space separator in __emit_inst xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status objtool: Support Clang non-section symbols in ORC dump objtool: Fix CONFIG_UBSAN_TRAP unreachable warnings scsi: target: fix PR IN / READ FULL STATUS for FC xfs: fix partially uninitialized structure in xfs_reflink_remap_extent x86: hyperv: report value of misc_features bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B mm: shmem: disable interrupt when acquiring info->lock in userfaultfd_copy path perf/core: fix parent pid/tid in task exit events ARM: dts: bcm283x: Disable dsi0 node net/cxgb4: Check the return from t4_query_params properly i2c: altera: use proper variable to hold errno nfsd: memory corruption in nfsd4_lock() iio:ad7797: Use correct attribute_group usb: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete usb: dwc3: gadget: Do link recovery for SS and SSP binder: take read mode of mmap_sem in binder_alloc_free_page() include/uapi/linux/swab.h: fix userspace breakage, use __BITS_PER_LONG for swap mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer remoteproc: Fix wrong rvring index computation xfs: Fix deadlock between AGI and AGF with RENAME_WHITEOUT xfs: validate sb_logsunit is a multiple of the fs blocksize serial: sh-sci: Make sure status register SCxSR is read in correct sequence usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() UAS: fix deadlock in error handling and PM flushing work UAS: no use logging any details in case of ENODEV cdc-acm: introduce a cool down cdc-acm: close race betrween suspend() and acm_softint staging: vt6656: Power save stop wake_up_count wrap around. staging: vt6656: Fix pairwise key entry save. staging: vt6656: Fix drivers TBTT timing counter. staging: vt6656: Fix calling conditions of vnt_set_bss_mode staging: vt6656: Don't set RCR_MULTICAST or RCR_BROADCAST by default. vt: don't hardcode the mem allocation upper bound staging: comedi: Fix comedi_device refcnt leak in comedi_open staging: comedi: dt2815: fix writing hi byte of analog output powerpc/setup_64: Set cache-line-size based on cache-block-size ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y iwlwifi: pcie: actually release queue memory in TVQM ASoC: dapm: fixup dapm kcontrol widget audit: check the length of userspace generated audit records usb-storage: Add unusual_devs entry for JMicron JMS566 tty: rocket, avoid OOB access tty: hvc: fix buffer overflow during hvc_alloc(). KVM: VMX: Enable machine check support for 32bit targets KVM: Check validity of resolved slot when searching memslots tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() tpm/tpm_tis: Free IRQ if probing fails ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif ALSA: hda/realtek - Add new codec supported for ALC245 ALSA: usx2y: Fix potential NULL dereference tools/vm: fix cross-compile build mm/ksm: fix NULL pointer dereference when KSM zero page is enabled mm/hugetlb: fix a addressing exception caused by huge_pte_offset vmalloc: fix remap_vmalloc_range() bounds checks overflow.h: Add arithmetic shift helper USB: hub: Fix handling of connect changes during sleep USB: core: Fix free-while-in-use bug in the USB S-Glibrary USB: early: Handle AMD's spec-compliant identifiers, too USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE USB: sisusbvga: Change port variable from signed to unsigned fs/namespace.c: fix mountpoint reference counter race iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode iio: xilinx-xadc: Fix clearing interrupt when enabling trigger iio: xilinx-xadc: Fix ADC-B powerdown iio: adc: stm32-adc: fix sleep in atomic context ALSA: hda: Remove ASUS ROG Zenith from the blacklist KEYS: Avoid false positive ENOMEM error on key read vrf: Check skb for XFRM_TRANSFORMED flag xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish net: dsa: b53: Fix ARL register definitions team: fix hang in team_mode_get() tcp: cache line align MAX_TCP_HEADER net/x25: Fix x25_neigh refcnt leak when receiving frame net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node net: bcmgenet: correct per TX/RX ring statistics macvlan: fix null dereference in macvlan_device_event() macsec: avoid to set wrong mtu ipv6: fix restrict IPV6_ADDRFORM operation cxgb4: fix large delays in PTP synchronization mm, slub: restore the original intention of prefetch_freepointer() PCI/ASPM: Allow re-enabling Clock PM perf/core: Disable page faults when getting phys address pwm: bcm2835: Dynamically allocate base pwm: renesas-tpu: Fix late Runtime PM enablement s390/cio: avoid duplicated 'ADD' uevents ipc/util.c: sysvipc_find_ipc() should increase position index selftests: kmod: fix handling test numbers above 9 kernel/gcov/fs.c: gcov_seq_next() should increase position index ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() scsi: iscsi: Report unbind session event when the target has been removed pwm: rcar: Fix late Runtime PM enablement ceph: don't skip updating wanted caps when cap is stale ceph: return ceph_mdsc_do_request() errors from __get_parent() scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login watchdog: reset last_hw_keepalive time at start vti4: removed duplicate log message. crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static drm/msm: Use the correct dma_sync calls harder keys: Fix the use of the C++ keyword "private" in uapi/linux/keyctl.h net: ipv4: avoid unused variable warning for sysctl net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg() ext4: fix extent_status fragmentation for plain files FROMGIT: f2fs: fix missing check for f2fs_unlock_op ANDROID: Fix kernel build regressions from virtio-gpu-next patches ANDROID: Incremental fs: Add setattr call ANDROID: cuttlefish_defconfig: enable LTO and CFI ANDROID: x86: map CFI jump tables in pti_clone_entry_text ANDROID: crypto: aesni: fix function types for aesni_(enc|dec) ANDROID: x86: disable CFI for do_syscall_* ANDROID: BACKPORT: x86, module: Ignore __typeid__ relocations ANDROID: BACKPORT: x86, relocs: Ignore __typeid__ relocations ANDROID: BACKPORT: x86/extable: Do not mark exception callback as CFI FROMLIST: crypto, x86/sha: Eliminate casts on asm implementations UPSTREAM: crypto: x86 - Rename functions to avoid conflict with crypto/sha256.h BACKPORT: x86/vmlinux: Actually use _etext for the end of the text segment ANDROID: x86: disable STACK_VALIDATION with LTO_CLANG ANDROID: x86: add support for CONFIG_LTO_CLANG ANDROID: x86/vdso: disable LTO only for VDSO ANDROID: x86/cpu/vmware: use the full form of inl in VMWARE_PORT UPSTREAM: x86/build/lto: Fix truncated .bss with -fdata-sections ANDROID: kbuild: don't select LD_DEAD_CODE_DATA_ELIMINATION with LTO ANDROID: kbuild: export LTO and CFI flags ANDROID: cfi: remove unnecessary <asm/memory.h> include ANDROID: drm/virtio: rebase to latest virgl/drm-misc-next (take 2) UPSTREAM: sysrq: Use panic() to force a crash ANDROID: Incremental fs: Use simple compression in log buffer ANDROID: dm-bow: Fix not to skip trim at framented range ANDROID: Remove VLA from uid_sys_stats.c ANDROID: cuttlefish_defconfig: enable CONFIG_DEBUG_LIST Linux 4.14.177 KEYS: Don't write out to userspace while holding key semaphore KEYS: Use individual pages in big_key for crypto buffers mtd: phram: fix a double free issue in error path mtd: lpddr: Fix a double free in probe() locktorture: Print ratio of acquisitions, not failures tty: evh_bytechan: Fix out of bounds accesses fbdev: potential information leak in do_fb_ioctl() net: dsa: bcm_sf2: Fix overflow checks iommu/amd: Fix the configuration of GCR3 table root pointer libnvdimm: Out of bounds read in __nd_ioctl() ext2: fix debug reference to ext2_xattr_cache ext2: fix empty body warnings when -Wextra is used iommu/vt-d: Fix mm reference leak NFS: Fix memory leaks in nfs_pageio_stop_mirroring() drm/amdkfd: kfree the wrong pointer x86: ACPI: fix CPU hotplug deadlock KVM: s390: vsie: Fix possible race when shadowing region 3 tables compiler.h: fix error in BUILD_BUG_ON() reporting percpu_counter: fix a data race at vm_committed_as include/linux/swapops.h: correct guards for non_swap_entry() ext4: do not commit super on read-only bdev powerpc/maple: Fix declaration made after definition s390/cpuinfo: fix wrong output when CPU0 is offline NFS: direct.c: Fix memory leak of dreq when nfs_get_lock_context fails NFSv4/pnfs: Return valid stateids in nfs_layout_find_inode_by_stateid() rtc: 88pm860x: fix possible race condition soc: imx: gpc: fix power up sequencing clk: tegra: Fix Tegra PMC clock out parents power: supply: bq27xxx_battery: Silence deferred-probe error clk: at91: usb: continue if clk_hw_round_rate() return zero of: unittest: kmemleak in of_unittest_platform_populate() rbd: call rbd_dev_unprobe() after unwatching and flushing notifies rbd: avoid a deadlock on header_rwsem when flushing notifies of: fix missing kobject init for !SYSFS && OF_DYNAMIC config soc: qcom: smem: Use le32_to_cpu for comparison wil6210: abort properly in cfg suspend wil6210: fix length check in __wmi_send wil6210: add block size checks during FW load wil6210: fix PCIe bus mastering in case of interface down rpmsg: glink: smem: Ensure ordering during tx rpmsg: glink: Fix missing mutex_init() in qcom_glink_alloc_channel() rtc: pm8xxx: Fix issue in RTC write path rpmsg: glink: use put_device() if device_register fail wil6210: rate limit wil_rx_refill error scsi: ufs: ufs-qcom: remove broken hci version quirk scsi: ufs: make sure all interrupts are processed wil6210: fix temperature debugfs wil6210: increase firmware ready timeout arch_topology: Fix section miss match warning due to free_raw_capacity() arm64: traps: Don't print stack or raw PC/LR values in backtraces arm64: perf: remove unsupported events for Cortex-A73 Revert "gpio: set up initial state from .get_direction()" clk: Fix debugfs_create_*() usage drm: NULL pointer dereference [null-pointer-deref] (CWE 476) problem video: fbdev: sis: Remove unnecessary parentheses and commented code lib/raid6: use vdupq_n_u8 to avoid endianness warnings ALSA: hda: Don't release card at firmware loading error irqchip/mbigen: Free msi_desc on device teardown netfilter: nf_tables: report EOPNOTSUPP on unsupported flags/object type arm, bpf: Fix bugs with ALU64 {RSH, ARSH} BPF_K shift by 0 ext4: use non-movable memory for superblock readahead scsi: sg: add sg_remove_request in sg_common_write objtool: Fix switch table detection in .text.unlikely mm/vmalloc.c: move 'area->pages' after if statement x86/resctrl: Fix invalid attempt at removing the default resource group x86/resctrl: Preserve CDP enable over CPU hotplug x86/intel_rdt: Enable L2 CDP in MSR IA32_L2_QOS_CFG x86/intel_rdt: Add two new resources for L2 Code and Data Prioritization (CDP) x86/intel_rdt: Enumerate L2 Code and Data Prioritization (CDP) feature x86/microcode/AMD: Increase microcode PATCH_MAX_SIZE scsi: target: fix hang when multiple threads try to destroy the same iscsi session scsi: target: remove boilerplate code kvm: x86: Host feature SSBD doesn't imply guest feature SPEC_CTRL_SSBD dm flakey: check for null arg_name in parse_features() ext4: do not zeroout extents beyond i_disksize mac80211_hwsim: Use kstrndup() in place of kasprintf() btrfs: check commit root generation in should_ignore_root tracing: Fix the race between registering 'snapshot' event trigger and triggering 'snapshot' operation ALSA: usb-audio: Don't override ignore_ctl_error value from the map ASoC: Intel: mrfld: return error codes when an error occurs ASoC: Intel: mrfld: fix incorrect check on p->sink ext4: fix incorrect inodes per group in error message ext4: fix incorrect group count in ext4_fill_super error message pwm: pca9685: Fix PWM/GPIO inter-operation jbd2: improve comments about freeing data buffers whose page mapping is NULL scsi: ufs: Fix ufshcd_hold() caused scheduling while atomic net: stmmac: dwmac-sunxi: Provide TX and RX fifo sizes net: revert default NAPI poll timeout to 2 jiffies net: qrtr: send msgs from local of same id as broadcast net: ipv6: do not consider routes via gateways for anycast address check net: ipv4: devinet: Fix crash when add/del multicast IP with autojoin hsr: check protocol version in hsr_newlink() amd-xgbe: Use __napi_schedule() in BH context mfd: dln2: Fix sanity checking for endpoints misc: echo: Remove unnecessary parentheses and simplify check for zero powerpc/fsl_booke: Avoid creating duplicate tlb1 entry ipmi: fix hung processes in __get_guid() ftrace/kprobe: Show the maxactive number on kprobe_events drm: Remove PageReserved manipulation from drm_pci_alloc drm/dp_mst: Fix clearing payload state on topology disable crypto: caam - update xts sector size for large input length dm zoned: remove duplicate nr_rnd_zones increase in dmz_init_zone() btrfs: use nofs allocations for running delayed items Btrfs: fix crash during unmount due to race with delayed inode workers powerpc: Make setjmp/longjmp signature standard powerpc: Add attributes for setjmp/longjmp scsi: mpt3sas: Fix kernel panic observed on soft HBA unplug powerpc/kprobes: Ignore traps that happened in real mode powerpc/xive: Use XIVE_BAD_IRQ instead of zero to catch non configured IPIs powerpc/hash64/devmap: Use H_PAGE_THP_HUGE when setting up huge devmap PTE entries powerpc/64/tm: Don't let userspace set regs->trap via sigreturn powerpc/powernv/idle: Restore AMR/UAMOR/AMOR after idle libata: Return correct status in sata_pmp_eh_recover_pm() when ATA_DFLAG_DETACH is set hfsplus: fix crash and filesystem corruption when deleting files cpufreq: powernv: Fix use-after-free kmod: make request_module() return an error when autoloading is disabled Input: i8042 - add Acer Aspire 5738z to nomux list s390/diag: fix display of diagnose call statistics perf tools: Support Python 3.8+ in Makefile ocfs2: no need try to truncate file beyond i_size fs/filesystems.c: downgrade user-reachable WARN_ONCE() to pr_warn_once() ext4: fix a data race at inode->i_blocks NFS: Fix a page leak in nfs_destroy_unlinked_subrequests() rtc: omap: Use define directive for PIN_CONFIG_ACTIVE_HIGH arm64: armv8_deprecated: Fix undef_hook mask for thumb setend scsi: zfcp: fix missing erp_lock in port recovery trigger for point-to-point dm verity fec: fix memory leak in verity_fec_dtr mm: Use fixed constant in page_frag_alloc instead of size + 1 tools: gpio: Fix out-of-tree build regression x86/speculation: Remove redundant arch_smt_update() invocation powerpc/pseries: Drop pointless static qualifier in vpa_debugfs_init() net: rtnl_configure_link: fix dev flags changes arg to __dev_notify_flags ALSA: hda: Initialize power_state field properly crypto: mxs-dcp - fix scatterlist linearization for hash btrfs: drop block from cache on error in relocation CIFS: Fix bug which the return value by asynchronous read is error KVM: VMX: fix crash cleanup when KVM wasn't used KVM: VMX: Always VMCLEAR in-use VMCSes during crash with kexec support KVM: x86: Allocate new rmap and large page tracking when moving memslot KVM: s390: vsie: Fix delivery of addressing exceptions KVM: s390: vsie: Fix region 1 ASCE sanity shadow address checks KVM: nVMX: Properly handle userspace interrupt window request x86/entry/32: Add missing ASM_CLAC to general_protection entry signal: Extend exec_id to 64bits ath9k: Handle txpower changes even when TPC is disabled MIPS: OCTEON: irq: Fix potential NULL pointer dereference irqchip/versatile-fpga: Apply clear-mask earlier KEYS: reaching the keys quotas correctly PCI: endpoint: Fix for concurrent memory allocation in OB address region PCI/ASPM: Clear the correct bits when enabling L1 substates nvme-fc: Revert "add module to ops template to allow module references" thermal: devfreq_cooling: inline all stubs for CONFIG_DEVFREQ_THERMAL=n acpi/x86: ignore unspecified bit positions in the ACPI global lock field media: ti-vpe: cal: fix disable_irqs to only the intended target ALSA: hda/realtek - Set principled PC Beep configuration for ALC256 ALSA: doc: Document PC Beep Hidden Register on Realtek ALC256 ALSA: pcm: oss: Fix regression by buffer overflow fix ALSA: ice1724: Fix invalid access for enumerated ctl items ALSA: hda: Fix potential access overflow in beep helper ALSA: hda: Add driver blacklist ALSA: usb-audio: Add mixer workaround for TRX40 and co usb: gadget: composite: Inform controller driver of self-powered usb: gadget: f_fs: Fix use after free issue as part of queue failure ASoC: topology: use name_prefix for new kcontrol ASoC: dpcm: allow start or stop during pause for backend ASoC: dapm: connect virtual mux with default value ASoC: fix regwmask slub: improve bit diffusion for freelist ptr obfuscation misc: rtsx: set correct pcr_ops for rts522A uapi: rename ext2_swab() to swab() and share globally in swab.h btrfs: track reloc roots based on their commit root bytenr btrfs: remove a BUG_ON() from merge_reloc_roots() block, bfq: fix use-after-free in bfq_idle_slice_timer_body locking/lockdep: Avoid recursion in lockdep_count_{for,back}ward_deps() irqchip/gic-v4: Provide irq_retrigger to avoid circular locking dependency usb: dwc3: core: add support for disabling SS instances in park mode block: Fix use-after-free issue accessing struct io_cq genirq/irqdomain: Check pointer in irq_domain_alloc_irqs_hierarchy() efi/x86: Ignore the memory attributes table on i386 x86/boot: Use unsigned comparison for addresses gfs2: Don't demote a glock until its revokes are written libata: Remove extra scsi_host_put() in ata_scsi_add_hosts() PCI/switchtec: Fix init_completion race condition with poll_wait() selftests/x86/ptrace_syscall_32: Fix no-vDSO segfault sched: Avoid scale real weight down to zero irqchip/versatile-fpga: Handle chained IRQs properly block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices x86: Don't let pgprot_modify() change the page encryption bit null_blk: fix spurious IO errors after failed past-wp access null_blk: Handle null_add_dev() failures properly null_blk: Fix the null_add_dev() error path i2c: st: fix missing struct parameter description qlcnic: Fix bad kzalloc null test cxgb4/ptp: pass the sign of offset delta in FW CMD hinic: fix wrong para of wait_for_completion_timeout hinic: fix a bug of waitting for IO stopped net: vxge: fix wrong __VA_ARGS__ usage bus: sunxi-rsb: Return correct data when mixing 16-bit and 8-bit reads ANDROID: fix wakeup reason findings UPSTREAM: gpu/trace: add a gpu total memory usage tracepoint CHROMIUM: drm/virtio: rebase zero-copy patches to virgl/drm-misc-next CHROMIUM: virtio-gpu: add VIRTIO_GPU_F_RESOURCE_UUID feature CHROMIUM: drm/virtgpu: add legacy VIRTIO_GPU_* values for non-upstream variants CHROMIUM: drm/virtgpu: fix various warnings CHROMIUM: drm/virtgpu: implement metadata allocation ioctl CHROMIUM: drm/virtgpu: introduce request IDRs CHROMIUM: drm/virtgpu: implement DRM_VIRTGPU_RESOURCE_CREATE_V2 CHROMIUM: drm/virtgpu: add stub ioctl implementation CHROMIUM: drm/virtgpu: check for revelant capabilites CHROMIUM: drm/virtgpu: add memory type to virtio_gpu_object_params CHROMIUM: drm/virtgpu: make memory and resource creation opaque CHROMIUM: virtio-gpu api: VIRTIO_GPU_F_MEMORY CHROMIUM: virtwl: store plane info per virtio_gpu_object CHROMIUM: drm/virtgpu: expose new ioctls to userspace BACKPORT: drm/virtio: move virtio_gpu_object_{attach, detach} calls. ANDROID: drm: ttm: Add ttm_tt_create2 driver hook UPSTREAM: virtio-gpu api: comment feature flags UPSTREAM: drm/virtio: module_param_named() requires linux/moduleparam.h BACKPORT: drm/virtio: fix resource id creation race BACKPORT: drm/virtio: make resource id workaround runtime switchable. BACKPORT: drm/virtio: do NOT reuse resource ids BACKPORT: drm/virtio: Drop deprecated load/unload initialization f2fs: fix quota_sync failure due to f2fs_lock_op f2fs: support read iostat f2fs: Fix the accounting of dcc->undiscard_blks f2fs: fix to handle error path of f2fs_ra_meta_pages() f2fs: report the discard cmd errors properly f2fs: fix long latency due to discard during umount f2fs: add tracepoint for f2fs iostat f2fs: introduce sysfs/data_io_flag to attach REQ_META/FUA UPSTREAM: kheaders: include only headers into kheaders_data.tar.xz UPSTREAM: kheaders: remove meaningless -R option of 'ls' ANDROID: Incremental fs: Fix create_file performance ANDROID: Incremental fs: Fix compound page usercopy crash ANDROID: Incremental fs: Clean up incfs_test build process ANDROID: Incremental fs: make remount log buffer change atomic ANDROID: Incremental fs: Optimize get_filled_block ANDROID: Incremental fs: Fix mislabeled __user ptrs ANDROID: Incremental fs: Use 64-bit int for file_size when writing hash blocks Revert "ANDROID: Incremental fs: Fix initialization, use of bitfields" Linux 4.14.176 drm/msm: Use the correct dma_sync calls in msm_gem rpmsg: glink: smem: Support rx peak for size less than 4 bytes drm_dp_mst_topology: fix broken drm_dp_sideband_parse_remote_dpcd_read() usb: dwc3: don't set gadget->is_otg flag rpmsg: glink: Remove chunk size word align warning arm64: Fix size of __early_cpu_boot_status drm/msm: stop abusing dma_map/unmap for cache clk: qcom: rcg: Return failure for RCG update acpi/nfit: Fix bus command validation fbcon: fix null-ptr-deref in fbcon_switch RDMA/cm: Update num_paths in cma_resolve_iboe_route error flow Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl ceph: canonicalize server path in place ceph: remove the extra slashes in the server path IB/hfi1: Fix memory leaks in sysfs registration and unregistration IB/hfi1: Call kobject_put() when kobject_init_and_add() fails ASoC: jz4740-i2s: Fix divider written at incorrect offset in register hwrng: imx-rngc - fix an error path tools/accounting/getdelays.c: fix netlink attribute length random: always use batched entropy for get_random_u{32,64} mlxsw: spectrum_flower: Do not stop at FLOW_ACTION_VLAN_MANGLE slcan: Don't transmit uninitialized stack data in padding net: stmmac: dwmac1000: fix out-of-bounds mac address reg setting net: phy: micrel: kszphy_resume(): add delay after genphy_resume() before accessing PHY registers net: dsa: bcm_sf2: Ensure correct sub-node is parsed ipv6: don't auto-add link-local address to lag ports mm: mempolicy: require at least one nodeid for MPOL_PREFERRED padata: always acquire cpu_hotplug_lock before pinst->lock coresight: do not use the BIT() macro in the UAPI header misc: pci_endpoint_test: Fix to support > 10 pci-endpoint-test devices blk-mq: Allow blocking queue tag iter callbacks blk-mq: sync the update nr_hw_queues with blk_mq_queue_tag_busy_iter drm/etnaviv: replace MMU flush marker with flush sequence tools/power turbostat: Fix gcc build warnings initramfs: restore default compression behavior drm/bochs: downgrade pci_request_region failure from error to warning sctp: fix possibly using a bad saddr with a given dst sctp: fix refcount bug in sctp_wfree net, ip_tunnel: fix interface lookup with no key ipv4: fix a RCU-list lock in fib_triestat_seq_show ANDROID: power: wakeup_reason: wake reason enhancements ubifs: wire up FS_IOC_GET_ENCRYPTION_NONCE f2fs: wire up FS_IOC_GET_ENCRYPTION_NONCE ext4: wire up FS_IOC_GET_ENCRYPTION_NONCE fscrypt: add FS_IOC_GET_ENCRYPTION_NONCE ioctl FROMLIST: power_supply: Add additional health properties to the header UPSTREAM: power: supply: core: Update sysfs-class-power ABI document BACKPORT: FROMGIT: kbuild: mkcompile_h: Include $LD version in /proc/version ANDROID: fscrypt: fall back to filesystem-layer crypto when needed ANDROID: block: require drivers to declare supported crypto key type(s) ANDROID: block: make blk_crypto_start_using_mode() properly check for support f2fs: keep inline_data when compression conversion f2fs: fix to disable compression on directory f2fs: add missing CONFIG_F2FS_FS_COMPRESSION f2fs: switch discard_policy.timeout to bool type f2fs: fix to verify tpage before releasing in f2fs_free_dic() f2fs: show compression in statx f2fs: clean up dic->tpages assignment f2fs: compress: support zstd compress algorithm f2fs: compress: add .{init,destroy}_decompress_ctx callback f2fs: compress: fix to call missing destroy_compress_ctx() f2fs: change default compression algorithm f2fs: clean up {cic,dic}.ref handling f2fs: fix to use f2fs_readpage_limit() in f2fs_read_multi_pages() f2fs: xattr.h: Make stub helpers inline f2fs: fix to avoid double unlock f2fs: fix potential .flags overflow on 32bit architecture f2fs: fix NULL pointer dereference in f2fs_verity_work() f2fs: fix to clear PG_error if fsverity failed f2fs: don't call fscrypt_get_encryption_info() explicitly in f2fs_tmpfile() f2fs: don't trigger data flush in foreground operation f2fs: fix NULL pointer dereference in f2fs_write_begin() f2fs: clean up f2fs_may_encrypt() f2fs: fix to avoid potential deadlock f2fs: don't change inode status under page lock f2fs: fix potential deadlock on compressed quota file f2fs: delete DIO read lock f2fs: don't mark compressed inode dirty during f2fs_iget() f2fs: fix to account compressed blocks in f2fs_compressed_blocks() f2fs: xattr.h: Replace zero-length array with flexible-array member f2fs: fix to update f2fs_super_block fields under sb_lock f2fs: Add a new CP flag to help fsck fix resize SPO issues f2fs: Fix mount failure due to SPO after a successful online resize FS f2fs: use kmem_cache pool during inline xattr lookups f2fs: skip migration only when BG_GC is called f2fs: fix to show tracepoint correctly f2fs: avoid __GFP_NOFAIL in f2fs_bio_alloc f2fs: introduce F2FS_IOC_GET_COMPRESS_BLOCKS f2fs: fix to avoid triggering IO in write path f2fs: add prefix for f2fs slab cache name f2fs: introduce DEFAULT_IO_TIMEOUT f2fs: skip GC when section is full f2fs: add migration count iff migration happens f2fs: clean up bggc mount option f2fs: clean up lfs/adaptive mount option f2fs: fix to show norecovery mount option f2fs: clean up parameter of macro XATTR_SIZE() f2fs: clean up codes with {f2fs_,}data_blkaddr() f2fs: show mounted time f2fs: Use scnprintf() for avoiding potential buffer overflow f2fs: allow to clear F2FS_COMPR_FL flag f2fs: fix to check dirty pages during compressed inode conversion f2fs: fix to account compressed inode correctly f2fs: fix wrong check on F2FS_IOC_FSSETXATTR f2fs: fix to avoid use-after-free in f2fs_write_multi_pages() f2fs: fix to avoid using uninitialized variable f2fs: fix inconsistent comments f2fs: remove i_sem lock coverage in f2fs_setxattr() f2fs: cover last_disk_size update with spinlock f2fs: fix to check i_compr_blocks correctly FROMLIST: kmod: make request_module() return an error when autoloading is disabled UPSTREAM: loop: Only freeze block queue when needed. UPSTREAM: loop: Only change blocksize when needed. ANDROID: Incremental fs: Fix remount ANDROID: Incremental fs: Protect get_fill_block, and add a field ANDROID: Incremental fs: Fix crash polling 0 size read_log ANDROID: Incremental fs: get_filled_blocks: better index_out ANDROID: Fix wq fp check for CFI builds ANDROID: Incremental fs: Fix four resource bugs ANDROID: kbuild: ensure __cfi_check is correctly aligned ANDROID: kbuild: fix module linker script flags for LTO Linux 4.14.175 arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id ARM: bcm2835-rpi-zero-w: Add missing pinctrl name ARM: dts: oxnas: Fix clear-mask property perf map: Fix off by one in strncpy() size argument arm64: alternative: fix build with clang integrated assembler net: ks8851-ml: Fix IO operations, again gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model bpf: Explicitly memset some bpf info structures declared on the stack bpf: Explicitly memset the bpf_attr structure platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table vt: vt_ioctl: fix use-after-free in vt_in_use() vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console vt: vt_ioctl: remove unnecessary console allocation checks vt: switch vt_dont_switch to bool vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines vt: selection, introduce vc_is_sel mac80211: fix authentication with iwlwifi/mvm mac80211: Check port authorization in the ieee80211_tx_dequeue() case media: xirlink_cit: add missing descriptor sanity checks media: stv06xx: add missing descriptor sanity checks media: dib0700: fix rc endpoint lookup media: ov519: add missing endpoint sanity checks libfs: fix infoleak in simple_attr_read() staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table media: usbtv: fix control-message timeouts media: flexcop-usb: fix endpoint sanity check usb: musb: fix crash with highmen PIO and usbmon USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback USB: cdc-acm: restore capability check order USB: serial: option: add Wistron Neweb D19Q1 USB: serial: option: add BroadMobi BM806U USB: serial: option: add support for ASKEY WWHC050 afs: Fix some tracing details Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger() Input: raydium_i2c_ts - use true and false for boolean values vti6: Fix memory leak of skb if input policy check fails netfilter: nft_fwd_netdev: validate family and chain type xfrm: policy: Fix doulbe free in xfrm_policy_timer xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire xfrm: fix uctx len check in verify_sec_ctx_len RDMA/mlx5: Block delay drop to unprivileged users vti[6]: fix packet tx through bpf_redirect() in XinY cases xfrm: handle NETDEV_UNREGISTER for xfrm device genirq: Fix reference leaks on irq affinity notifiers RDMA/core: Ensure security pkey modify is not lost gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk mac80211: mark station unauthorized before key removal scsi: sd: Fix optimal I/O size for devices that change reported values scripts/dtc: Remove redundant YYLOC global declaration tools: Let O= makes handle a relative path with -C option perf probe: Do not depend on dwfl_module_addrsym() ARM: dts: omap5: Add bus_dma_limit for L3 bus ARM: dts: dra7: Add bus_dma_limit for L3 bus Input: avoid BIT() macro usage in the serio.h UAPI header Input: synaptics - enable RMI on HP Envy 13-ad105ng i2c: hix5hd2: add missed clk_disable_unprepare in remove ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare() arm64: compat: map SPSR_ELx<->PSR for signals arm64: ptrace: map SPSR_ELx<->PSR for compat tasks sxgbe: Fix off by one in samsung driver strncpy size arg dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom mac80211: Do not send mesh HWMP PREQ if HWMP is disabled scsi: ipr: Fix softlockup when rescanning devices in petitboot fsl/fman: detect FMan erratum A050385 arm64: dts: ls1043a: FMan erratum A050385 dt-bindings: net: FMan erratum A050385 cgroup1: don't call release_agent when it is "" drivers/of/of_mdio.c:fix of_mdiobus_register() cpupower: avoid multiple definition with gcc -fno-common cgroup-v1: cgroup_pidlist_next should update position index net: ipv4: don't let PMTU updates increase route MTU hsr: set .netnsok flag hsr: add restart routine into hsr_get_node_list() hsr: use rcu_read_lock() in hsr_get_node_{list/status}() vxlan: check return value of gro_cells_init() net: dsa: mt7530: Change the LINK bit to reflect the link status bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets() slcan: not call free_netdev before rtnl_unlock in slcan_open NFC: fdp: Fix a signedness bug in fdp_nci_send_patch() net: stmmac: dwmac-rk: fix error path in rk_gmac_probe net_sched: keep alloc_hash updated after hash allocation net_sched: cls_route: remove the right filter from hashtable net: qmi_wwan: add support for ASKEY WWHC050 net/packet: tpacket_rcv: avoid a producer race condition net: mvneta: Fix the case where the last poll did not process all rx net: dsa: Fix duplicate frames flooded by learning macsec: restrict to ethernet devices hsr: fix general protection fault in hsr_addr_is_self() Revert "drm/dp_mst: Skip validating ports during destruction, just ref" staging: greybus: loopback_test: fix potential path truncations staging: greybus: loopback_test: fix potential path truncation drm/bridge: dw-hdmi: fix AVI frame colorimetry arm64: smp: fix crash_smp_send_stop() behaviour arm64: smp: fix smp_send_stop() behaviour ALSA: hda/realtek: Fix pop noise on ALC225 Revert "ipv6: Fix handling of LLA with VRF and sockets bound to VRF" Revert "vrf: mark skb for multicast or link-local as enslaved to VRF" futex: Unbreak futex hashing futex: Fix inode life-time issue kbuild: Disable -Wpointer-to-enum-cast iio: adc: at91-sama5d2_adc: fix differential channels in triggered mode iio: adc: at91-sama5d2_adc: fix channel configuration for differential channels USB: cdc-acm: fix rounding error in TIOCSSERIAL USB: cdc-acm: fix close_delay and closing_wait units in TIOCSSERIAL x86/mm: split vmalloc_sync_all() page-flags: fix a crash at SetPageError(THP_SWAP) mm, slub: prevent kmalloc_node crashes and memory leaks mm: slub: be more careful about the double cmpxchg of freelist memcg: fix NULL pointer dereference in __mem_cgroup_usage_unregister_event xhci: Do not open code __print_symbolic() in xhci trace events rtc: max8907: add missing select REGMAP_IRQ intel_th: pci: Add Elkhart Lake CPU support intel_th: Fix user-visible error codes staging/speakup: fix get_word non-space look-ahead staging: rtl8188eu: Add device id for MERCUSYS MW150US v2 mmc: sdhci-of-at91: fix cd-gpios for SAMA5D2 iio: magnetometer: ak8974: Fix negative raw values in sysfs iio: trigger: stm32-timer: disable master mode when stopping ALSA: pcm: oss: Remove WARNING from snd_pcm_plug_alloc() checks ALSA: pcm: oss: Avoid plugin buffer overflow ALSA: seq: oss: Fix running status after receiving sysex ALSA: seq: virmidi: Fix running status after receiving sysex ALSA: line6: Fix endless MIDI read loop usb: xhci: apply XHCI_SUSPEND_DELAY to AMD XHCI controller 1022:145c USB: serial: pl2303: add device-id for HP LD381 usb: host: xhci-plat: add a shutdown USB: serial: option: add ME910G1 ECM composition 0x110b usb: quirks: add NO_LPM quirk for RTL8153 based ethernet adapters USB: Disable LPM on WD19's Realtek Hub parse-maintainers: Mark as executable block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() xenbus: req->err should be updated before req->state xenbus: req->body should be updated before req->state dm bio record: save/restore bi_end_io and bi_integrity altera-stapl: altera_get_note: prevent write beyond end of 'key' drivers/perf: arm_pmu_acpi: Fix incorrect checking of gicc pointer drm/exynos: dsi: fix workaround for the legacy clock name drm/exynos: dsi: propagate error value and silence meaningless warning spi/zynqmp: remove entry that causes a cs glitch spi: pxa2xx: Add CS control clock quirk ARM: dts: dra7: Add "dma-ranges" property to PCIe RC DT nodes powerpc: Include .BTF section spi: qup: call spi_qup_pm_resume_runtime before suspending UPSTREAM: ubifs: wire up FS_IOC_GET_ENCRYPTION_NONCE UPSTREAM: f2fs: wire up FS_IOC_GET_ENCRYPTION_NONCE UPSTREAM: ext4: wire up FS_IOC_GET_ENCRYPTION_NONCE UPSTREAM: fscrypt: add FS_IOC_GET_ENCRYPTION_NONCE ioctl UPSTREAM: usb: raw_gadget: fix compilation warnings in uapi headers BACKPORT: usb: gadget: add raw-gadget interface UPSTREAM: usb: gadget: move choice ... endchoice to legacy/Kconfig ANDROID: clang: update to 10.0.5 FROMLIST: arm64: define __alloc_zeroed_user_highpage ANDROID: Incremental fs: Add INCFS_IOC_GET_FILLED_BLOCKS ANDROID: Incremental fs: Fix two typos f2fs: fix to avoid potential deadlock f2fs: add missing function name in kernel message f2fs: recycle unused compress_data.chksum feild f2fs: fix to avoid NULL pointer dereference f2fs: fix leaking uninitialized memory in compressed clusters f2fs: fix the panic in do_checkpoint() f2fs: fix to wait all node page writeback mm/swapfile.c: move inode_lock out of claim_swapfile UPSTREAM: ipv6: ndisc: add support for 'PREF64' dns64 prefix identifier UPSTREAM: ipv6: ndisc: add support for 'PREF64' dns64 prefix identifier ANDROID: dm-bow: Fix free_show value is incorrect UPSTREAM: coresight: Potential uninitialized variable in probe() ANDROID: kbuild: do not merge .section..* into .section in modules ANDROID: scsi: ufs: add ->map_sg_crypto() variant op UPSTREAM: bpf: Explicitly memset some bpf info structures declared on the stack UPSTREAM: bpf: Explicitly memset the bpf_attr structure Linux 4.14.174 ipv4: ensure rcu_read_lock() in cipso_v4_error() mm: slub: add missing TID bump in kmem_cache_alloc_bulk() ARM: 8958/1: rename missed uaccess .fixup section ARM: 8957/1: VDSO: Match ARMv8 timer in cntvct_functional() jbd2: fix data races at struct journal_head net: rmnet: fix NULL pointer dereference in rmnet_newlink() hinic: fix a bug of setting hw_ioctxt slip: not call free_netdev before rtnl_unlock in slip_open signal: avoid double atomic counter increments for user accounting mac80211: rx: avoid RCU list traversal under mutex net: ks8851-ml: Fix IRQ handling and locking net: usb: qmi_wwan: restore mtu min/max values after raw_ip switch scsi: libfc: free response frame from GPN_ID cfg80211: check reg_rule for NULL in handle_channel_custom() HID: i2c-hid: add Trekstor Surfbook E11B to descriptor override HID: apple: Add support for recent firmware on Magic Keyboards ACPI: watchdog: Allow disabling WDAT at boot perf/amd/uncore: Replace manual sampling check with CAP_NO_INTERRUPT flag batman-adv: Don't schedule OGM for disabled interface batman-adv: Avoid free/alloc race when handling OGM buffer batman-adv: Avoid free/alloc race when handling OGM2 buffer batman-adv: Fix duplicated OGMs on NETDEV_UP batman-adv: Fix debugfs path for renamed softif batman-adv: Fix debugfs path for renamed hardif batman-adv: prevent TT request storms by not sending inconsistent TT TLVLs batman-adv: Fix TT sync flags for intermediate TT responses batman-adv: Avoid race in TT TVLV allocator helper batman-adv: update data pointers after skb_cow() batman-adv: Fix internal interface indices types batman-adv: Fix lock for ogm cnt access in batadv_iv_ogm_calc_tq batman-adv: Fix check of retrieved orig_gw in batadv_v_gw_is_eligible batman-adv: Always initialize fragment header priority batman-adv: Avoid spurious warnings from bat_v neigh_cmp implementation efi: Add a sanity check to efivar_store_raw() net/smc: check for valid ib_client_data ipv6: restrict IPV6_ADDRFORM operation i2c: acpi: put device when verifying client fails iommu/vt-d: Ignore devices with out-of-spec domain number iommu/vt-d: Fix the wrong printing in RHSA parsing netfilter: nft_payload: add missing attribute validation for payload csum flags netfilter: cthelper: add missing attribute validation for cthelper nl80211: add missing attribute validation for channel switch nl80211: add missing attribute validation for beacon report scanning nl80211: add missing attribute validation for critical protocol indication pinctrl: core: Remove extra kref_get which blocks hogs being freed pinctrl: meson-gxl: fix GPIOX sdio pins iommu/vt-d: Fix a bug in intel_iommu_iova_to_phys() for huge page iommu/vt-d: dmar: replace WARN_TAINT with pr_warn + add_taint iommu/dma: Fix MSI reservation allocation x86/mce: Fix logic and comments around MSR_PPIN_CTL efi: Fix a race and a buffer overflow while reading efivars via sysfs ARC: define __ALIGN_STR and __ALIGN symbols for ARC KVM: x86: clear stale x86_emulate_ctxt->intercept value gfs2_atomic_open(): fix O_EXCL|O_CREAT handling on cold dcache cifs_atomic_open(): fix double-put on late allocation failure ktest: Add timeout for ssh sync testing drm/amd/display: remove duplicated assignment to grph_obj_type workqueue: don't use wq_select_unbound_cpu() for bound works iommu/vt-d: quirk_ioat_snb_local_iommu: replace WARN_TAINT with pr_warn + add_taint virtio-blk: fix hw_queue stopped on arbitrary error iwlwifi: mvm: Do not require PHY_SKU NVM section for 3168 devices cgroup: Iterate tasks that did not finish do_exit() cgroup: cgroup_procs_next should increase position index ipvlan: don't deref eth hdr before checking it's set ipvlan: egress mcast packets are not exceptional ipvlan: do not add hardware address of master to its unicast filter list inet_diag: return classid for all socket types macvlan: add cond_resched() during multicast processing net: fec: validate the new settings in fec_enet_set_coalesce() slip: make slhc_compress() more robust against malicious packets bonding/alb: make sure arp header is pulled before accessing it net: phy: fix MDIO bus PM PHY resuming nfc: add missing attribute validation for vendor subcommand nfc: add missing attribute validation for SE API team: add missing attribute validation for array index team: add missing attribute validation for port ifindex net: fq: add missing attribute validation for orphan mask macsec: add missing attribute validation for port can: add missing attribute validation for termination nl802154: add missing attribute validation for dev_type nl802154: add missing attribute validation fib: add missing attribute validation for tun_id net: memcg: fix lockdep splat in inet_csk_accept() net: memcg: late association of sock to memcg cgroup: memcg: net: do not associate sock with unrelated cgroup bnxt_en: reinitialize IRQs when MTU is modified sfc: detach from cb_page in efx_copy_channel() r8152: check disconnect status after long sleep net/packet: tpacket_rcv: do not increment ring index on drop net: nfc: fix bounds checking bugs on "pipe" net: macsec: update SCI upon MAC address change. netlink: Use netlink header as base to calculate bad attribute offset ipvlan: do not use cond_resched_rcu() in ipvlan_process_multicast() ipvlan: add cond_resched_rcu() while processing muticast backlog ipv6/addrconf: call ipv6_mc_up() for non-Ethernet interface gre: fix uninit-value in __iptunnel_pull_header cgroup, netclassid: periodically release file_lock on classid updating net: phy: Avoid multiple suspends phy: Revert toggling reset changes. ANDROID: Incremental fs: Add INCFS_IOC_PERMIT_FILL ANDROID: Incremental fs: Remove signature checks from kernel ANDROID: Incremental fs: Pad hash blocks ANDROID: Incremental fs: Make fill block an ioctl ANDROID: Incremental fs: Remove all access_ok checks UPSTREAM: cgroup: Iterate tasks that did not finish do_exit() UPSTREAM: arm64: memory: Add missing brackets to untagged_addr() macro UPSTREAM: mm: Avoid creating virtual address aliases in brk()/mmap()/mremap() ANDROID: Add TPM support and the vTPM proxy to Cuttlefish. ANDROID: serdev: restrict claim of platform devices UPSTREAM: fscrypt: don't evict dirty inodes after removing key fscrypt: don't evict dirty inodes after removing key Linux 4.14.173 ASoC: topology: Fix memleak in soc_tplg_manifest_load() xhci: handle port status events for removed USB3 hcd dm integrity: fix a deadlock due to offloading to an incorrect workqueue powerpc: fix hardware PMU exception bug on PowerVM compatibility mode systems dmaengine: coh901318: Fix a double lock bug in dma_tc_handle() hwmon: (adt7462) Fix an error return in ADT7462_REG_VOLT() ARM: imx: build v7_cpu_resume() unconditionally IB/hfi1, qib: Ensure RCU is locked when accessing list RMDA/cm: Fix missing ib_cm_destroy_id() in ib_cm_insert_listen() RDMA/iwcm: Fix iwcm work deallocation ASoC: dapm: Correct DAPM handling of active widgets during shutdown ASoC: pcm512x: Fix unbalanced regulator enable call in probe error path ASoC: pcm: Fix possible buffer overflow in dpcm state sysfs output ASoC: intel: skl: Fix possible buffer overflow in debug outputs ASoC: intel: skl: Fix pin debug prints ASoC: topology: Fix memleak in soc_tplg_link_elems_load() ARM: dts: ls1021a: Restore MDIO compatible to gianfar dm cache: fix a crash due to incorrect work item cancelling dmaengine: tegra-apb: Prevent race conditions of tasklet vs free list dmaengine: tegra-apb: Fix use-after-free x86/pkeys: Manually set X86_FEATURE_OSPKE to preserve existing changes vt: selection, push sel_lock up vt: selection, push console lock down vt: selection, close sel_buffer race serial: 8250_exar: add support for ACCES cards tty:serial:mvebu-uart:fix a wrong return arm: dts: dra76x: Fix mmc3 max-frequency fat: fix uninit-memory access for partial initialized inode mm, numa: fix bad pmd by atomically check for pmd_trans_huge when marking page tables prot_numa vgacon: Fix a UAF in vgacon_invert_region usb: core: port: do error out if usb_autopm_get_interface() fails usb: core: hub: do error out if usb_autopm_get_interface() fails usb: core: hub: fix unhandled return by employing a void function usb: quirks: add NO_LPM quirk for Logitech Screen Share usb: storage: Add quirk for Samsung Fit flash cifs: don't leak -EAGAIN for stat() during reconnect net: thunderx: workaround BGX TX Underflow issue x86/xen: Distribute switch variables for initialization nvme: Fix uninitialized-variable warning x86/boot/compressed: Don't declare __force_order in kaslr_64.c s390/cio: cio_ignore_proc_seq_next should increase position index watchdog: da9062: do not ping the hw during stop() net: ks8851-ml: Fix 16-bit IO operation net: ks8851-ml: Fix 16-bit data access net: ks8851-ml: Remove 8-bit bus accessors drm/msm/dsi: save pll state before dsi host is powered off drm: msm: Fix return type of dsi_mgr_connector_mode_valid for kCFI drm/msm/mdp5: rate limit pp done timeout warnings usb: gadget: serial: fix Tx stall after buffer overflow usb: gadget: ffs: ffs_aio_cancel(): Save/restore IRQ flags usb: gadget: composite: Support more than 500mA MaxPower selftests: fix too long argument serial: ar933x_uart: set UART_CS_{RX,TX}_READY_ORIDE kprobes: Fix optimize_kprobe()/unoptimize_kprobe() cancellation logic RDMA/core: Fix use of logical OR in get_new_pps RDMA/core: Fix pkey and port assignment in get_new_pps net: dsa: bcm_sf2: Forcibly configure IMP port for 1Gb/sec EDAC/amd64: Set grain per DIMM x86/mce: Handle varying MCA bank counts vhost: Check docket sk_family instead of call getname audit: always check the netlink payload length in audit_receive_msg() Revert "char/random: silence a lockdep splat with printk()" mm, thp: fix defrag setting if newline is not used mm/huge_memory.c: use head to check huge zero page perf hists browser: Restore ESC as "Zoom out" of DSO/thread/etc kprobes: Set unoptimized flag after unoptimizing code drivers: net: xgene: Fix the order of the arguments of 'alloc_etherdev_mqs()' tuntap: correctly set SOCKWQ_ASYNC_NOSPACE KVM: Check for a bad hva before dropping into the ghc slow path KVM: SVM: Override default MMIO mask if memory encryption is enabled mwifiex: drop most magic numbers from mwifiex_process_tdls_action_frame() namei: only return -ECHILD from follow_dotdot_rcu() net: ena: make ena rxfh support ETH_RSS_HASH_NO_CHANGE net: atlantic: fix potential error handling net: netlink: cap max groups which will be considered in netlink_bind() include/linux/bitops.h: introduce BITS_PER_TYPE ecryptfs: Fix up bad backport of fe2e082f5da5b4a0a92ae32978f81507ef37ec66 usb: charger: assign specific number for enum value drm/i915/gvt: Separate display reset from ALL_ENGINES reset i2c: jz4780: silence log flood on txabrt i2c: altera: Fix potential integer overflow MIPS: VPE: Fix a double free and a memory leak in 'release_vpe()' HID: hiddev: Fix race in in hiddev_disconnect() Revert "PM / devfreq: Modify the device name as devfreq(X) for sysfs" tracing: Disable trace_printk() on post poned tests HID: core: increase HID report buffer size to 8KiB HID: core: fix off-by-one memset in hid_report_raw_event() HID: ite: Only bind to keyboard USB interface on Acer SW5-012 keyboard dock KVM: VMX: check descriptor table exits on instruction emulation ACPI: watchdog: Fix gas->access_width usage ACPICA: Introduce ACPI_ACCESS_BYTE_WIDTH() macro audit: fix error handling in audit_data_to_entry() ext4: potential crash on allocation error in ext4_alloc_flex_bg_array() net: sched: correct flower port blocking qede: Fix race between rdma destroy workqueue and link change event ipv6: Fix route replacement with dev-only route ipv6: Fix nlmsg_flags when splitting a multipath route sctp: move the format error check out of __sctp_sf_do_9_1_abort nfc: pn544: Fix occasional HW initialization failure net: phy: restore mdio regs in the iproc mdio driver net: fib_rules: Correctly set table field when table number exceeds 8 bits sysrq: Remove duplicated sysrq message sysrq: Restore original console_loglevel when sysrq disabled cfg80211: add missing policy for NL80211_ATTR_STATUS_CODE cifs: Fix mode output in debugging statements net: ena: ena-com.c: prevent NULL pointer dereference net: ena: ethtool: use correct value for crc32 hash net: ena: fix incorrectly saving queue numbers when setting RSS indirection table net: ena: rss: store hash function as values and not bits net: ena: rss: fix failure to get indirection table net: ena: fix incorrect default RSS key net: ena: add missing ethtool TX timestamping indication net: ena: fix uses of round_jiffies() net: ena: fix potential crash when rxfh key is NULL qmi_wwan: unconditionally reject 2 ep interfaces qmi_wwan: re-add DW5821e pre-production variant cfg80211: check wiphy driver existence for drvinfo report mac80211: consider more elements in parsing CRC dax: pass NOWAIT flag to iomap_apply drm/msm: Set dma maximum segment size for mdss ipmi:ssif: Handle a possible NULL pointer reference ext4: fix potential race between s_group_info online resizing and access ext4: fix potential race between s_flex_groups online resizing and access ext4: fix potential race between online resizing and write operations netfilter: nf_conntrack: resolve clash for matching conntracks iwlwifi: pcie: fix rb_allocator workqueue allocation FROMLIST: f2fs: fix wrong check on F2FS_IOC_FSSETXATTR UPSTREAM: binder: prevent UAF for binderfs devices II UPSTREAM: binder: prevent UAF for binderfs devices FROMLIST: lib: test_stackinit.c: XFAIL switch variable init tests ANDROID: cuttlefish: disable KPROBES ANDROID: scsi: ufs: allow ufs variants to override sg entry size FROMLIST: ufs: fix a bug on printing PRDT BACKPORT: loop: Add LOOP_SET_BLOCK_SIZE in compat ioctl ANDROID: fix build issue in security/selinux/avc.c ANDROID: cuttlefish_defconfig: Disable CONFIG_RT_GROUP_SCHED ANDROID: Enable HID_NINTENDO as y FROMLIST: HID: nintendo: add nintendo switch controller driver Linux 4.14.172 s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range xen: Enable interrupts when calling _cond_resched() ata: ahci: Add shutdown to freeze hardware resources of ahci netfilter: xt_hashlimit: limit the max size of hashtable ALSA: seq: Fix concurrent access to queue current tick/time ALSA: seq: Avoid concurrent access to queue flags ALSA: rawmidi: Avoid bit fields for state flags genirq/proc: Reject invalid affinity masks (again) iommu/vt-d: Fix compile warning from intel-svm.h ecryptfs: replace BUG_ON with error handling code staging: greybus: use after free in gb_audio_manager_remove_all() staging: rtl8723bs: fix copy of overlapping memory usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout" Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents btrfs: do not check delayed items are empty for single transaction cleanup btrfs: fix bytes_may_use underflow in prealloc error condtition KVM: apic: avoid calculating pending eoi from an uninitialized val KVM: nVMX: handle nested posted interrupts when apicv is disabled for L1 KVM: nVMX: Check IO instruction VM-exit conditions KVM: nVMX: Refactor IO bitmap checks into helper function ext4: fix race between writepages and enabling EXT4_EXTENTS_FL ext4: rename s_journal_flag_rwsem to s_writepages_rwsem ext4: fix mount failure with quota configured as module ext4: add cond_resched() to __ext4_find_entry() ext4: fix a data race in EXT4_I(inode)->i_disksize KVM: nVMX: Don't emulate instructions in guest mode lib/stackdepot.c: fix global out-of-bounds in stack_slabs serial: 8250: Check UPF_IRQ_SHARED in advance vt: vt_ioctl: fix race in VT_RESIZEX VT_RESIZEX: get rid of field-by-field copyin xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms KVM: x86: don't notify userspace IOAPIC on edge-triggered interrupt EOI drm/amdgpu/soc15: fix xclk for raven mm/vmscan.c: don't round up scan size for online memory cgroup Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" MAINTAINERS: Update drm/i915 bug filing URL serdev: ttyport: restore client ops on deregistration tty: serial: imx: setup the correct sg entry for tx dma tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode x86/mce/amd: Fix kobject lifetime x86/mce/amd: Publish the bank pointer only after setup has succeeded staging: rtl8723bs: Fix potential overuse of kernel memory staging: rtl8723bs: Fix potential security hole staging: rtl8188eu: Fix potential overuse of kernel memory staging: rtl8188eu: Fix potential security hole USB: hub: Fix the broken detection of USB3 device in SMSC hub USB: hub: Don't record a connect-change event during reset-resume USB: Fix novation SourceControl XL after suspend usb: uas: fix a plug & unplug racing usb: host: xhci: update event ring dequeue pointer on purpose xhci: fix runtime pm enabling for quirky Intel hosts xhci: Force Maximum Packet size for Full-speed bulk devices to valid range. staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi. staging: android: ashmem: Disallow ashmem memory from being remapped vt: selection, handle pending signals in paste_selection floppy: check FDC index for errors before assigning it USB: misc: iowarrior: add support for the 100 device USB: misc: iowarrior: add support for the 28 and 28L devices USB: misc: iowarrior: add support for 2 OEMed devices thunderbolt: Prevent crash if non-active NVMem file is read net/smc: fix leak of kernel memory to user space net/sched: flower: add missing validation of TCA_FLOWER_FLAGS net/sched: matchall: add missing validation of TCA_MATCHALL_FLAGS net: dsa: tag_qca: Make sure there is headroom for tag enic: prevent waking up stopped tx queues over watchdog reset selinux: ensure we cleanup the internal AVC counters on error in avc_update() mlxsw: spectrum_dpipe: Add missing error path virtio_balloon: prevent pfn array overflow help_next should increase position index brd: check and limit max_part par microblaze: Prevent the overflow of the start iwlwifi: mvm: Fix thermal zone registration irqchip/gic-v3-its: Reference to its_invall_cmd descriptor when building INVALL bcache: explicity type cast in bset_bkey_last() reiserfs: prevent NULL pointer dereference in reiserfs_insert_item() lib/scatterlist.c: adjust indentation in __sg_alloc_table ocfs2: fix a NULL pointer dereference when call ocfs2_update_inode_fsync_trans() radeon: insert 10ms sleep in dce5_crtc_load_lut trigger_next should increase position index ftrace: fpid_next() should increase position index drm/nouveau/disp/nv50-: prevent oops when no channel method map provided irqchip/gic-v3: Only provision redistributors that are enabled in ACPI ceph: check availability of mds cluster on mount after wait timeout cifs: fix NULL dereference in match_prepath iwlegacy: ensure loop counter addr does not wrap and cause an infinite loop hostap: Adjust indentation in prism2_hostapd_add_sta ARM: 8951/1: Fix Kexec compilation issue. jbd2: make sure ESHUTDOWN to be recorded in the journal superblock jbd2: switch to use jbd2_journal_abort() when failed to submit the commit record powerpc/sriov: Remove VF eeh_dev state when disabling SR-IOV ALSA: hda - Add docking station support for Lenovo Thinkpad T420s driver core: platform: fix u32 greater or equal to zero comparison s390/ftrace: generate traced function stack frame x86/decoder: Add TEST opcode to Group3-2 ALSA: hda/hdmi - add retry logic to parse_intel_hdmi() irqchip/mbigen: Set driver .suppress_bind_attrs to avoid remove problems remoteproc: Initialize rproc_class before use btrfs: device stats, log when stats are zeroed btrfs: safely advance counter when looking up bio csums btrfs: fix possible NULL-pointer dereference in integrity checks pwm: Remove set but not set variable 'pwm' ide: serverworks: potential overflow in svwks_set_pio_mode() cmd64x: potential buffer overflow in cmd64x_program_timings() pwm: omap-dmtimer: Remove PWM chip in .remove before making it unfunctional x86/mm: Fix NX bit clearing issue in kernel_map_pages_in_pgd f2fs: fix memleak of kobject watchdog/softlockup: Enforce that timestamp is valid on boot arm64: fix alternatives with LLVM's integrated assembler scsi: iscsi: Don't destroy session if there are outstanding connections f2fs: free sysfs kobject iommu/arm-smmu-v3: Use WRITE_ONCE() when changing validity of an STE usb: musb: omap2430: Get rid of musb .set_vbus for omap2430 glue drm/vmwgfx: prevent memory leak in vmw_cmdbuf_res_add drm/nouveau: Fix copy-paste error in nouveau_fence_wait_uevent_handler drm/nouveau/gr/gk20a,gm200-: add terminators to method lists read from fw drm/nouveau/secboot/gm20b: initialize pointer in gm20b_secboot_new() vme: bridges: reduce stack usage driver core: Print device when resources present in really_probe() driver core: platform: Prevent resouce overflow from causing infinite loops tty: synclink_gt: Adjust indentation in several functions tty: synclinkmp: Adjust indentation in several functions ASoC: atmel: fix build error with CONFIG_SND_ATMEL_SOC_DMA=m wan: ixp4xx_hss: fix compile-testing on 64-bit Input: edt-ft5x06 - work around first register access error rcu: Use WRITE_ONCE() for assignments to ->pprev for hlist_nulls efi/x86: Don't panic or BUG() on non-critical error conditions soc/tegra: fuse: Correct straps' address for older Tegra124 device trees IB/hfi1: Add software counter for ctxt0 seq drop udf: Fix free space reporting for metadata and virtual partitions usbip: Fix unsafe unaligned pointer usage drm: remove the newline for CRC source name. tools lib api fs: Fix gcc9 stringop-truncation compilation error ALSA: sh: Fix compile warning wrt const ALSA: sh: Fix unused variable warnings clk: sunxi-ng: add mux and pll notifiers for A64 CPU clock RDMA/rxe: Fix error type of mmap_offset pinctrl: sh-pfc: sh7269: Fix CAN function GPIOs PM / devfreq: rk3399_dmc: Add COMPILE_TEST and HAVE_ARM_SMCCC dependency x86/vdso: Provide missing include file dmaengine: Store module owner in dma_device struct ARM: dts: r8a7779: Add device node for ARM global timer drm/mediatek: handle events when enabling/disabling crtc scsi: aic7xxx: Adjust indentation in ahc_find_syncrate scsi: ufs: Complete pending requests in host reset and restore path ACPICA: Disassembler: create buffer fields in ACPI_PARSE_LOAD_PASS1 orinoco: avoid assertion in case of NULL pointer rtlwifi: rtl_pci: Fix -Wcast-function-type iwlegacy: Fix -Wcast-function-type ipw2x00: Fix -Wcast-function-type b43legacy: Fix -Wcast-function-type ALSA: usx2y: Adjust indentation in snd_usX2Y_hwdep_dsp_status fore200e: Fix incorrect checks of NULL pointer dereference reiserfs: Fix spurious unlock in reiserfs_fill_super() error handling media: v4l2-device.h: Explicitly compare grp{id,mask} to zero in v4l2_device macros ARM: dts: imx6: rdu2: Disable WP for USDHC2 and USDHC3 arm64: dts: qcom: msm8996: Disable USB2 PHY suspend by core NFC: port100: Convert cpu_to_le16(le16_to_cpu(E1) + E2) to use le16_add_cpu(). PCI/IOV: Fix memory leak in pci_iov_add_virtfn() net/wan/fsl_ucc_hdlc: reject muram offsets above 64K regulator: rk808: Lower log level on optional GPIOs being not available drm/amdgpu: remove 4 set but not used variable in amdgpu_atombios_get_connector_info_from_object_table clk: qcom: rcg2: Don't crash if our parent can't be found; return an error kconfig: fix broken dependency in randconfig-generated .config KVM: s390: ENOTSUPP -> EOPNOTSUPP fixups nbd: add a flush_workqueue in nbd_start_device ext4, jbd2: ensure panic when aborting with zero errno tracing: Fix very unlikely race of registering two stat tracers tracing: Fix tracing_stat return values in error handling paths x86/sysfb: Fix check for bad VRAM size jbd2: clear JBD2_ABORT flag before journal_reset to update log tail info when load journal kselftest: Minimise dependency of get_size on C library interfaces clocksource/drivers/bcm2835_timer: Fix memory leak of timer usb: dwc2: Fix IN FIFO allocation usb: gadget: udc: fix possible sleep-in-atomic-context bugs in gr_probe() uio: fix a sleep-in-atomic-context bug in uio_dmem_genirq_irqcontrol() sparc: Add .exit.data section. MIPS: Loongson: Fix potential NULL dereference in loongson3_platform_init() efi/x86: Map the entire EFI vendor string before copying it pinctrl: baytrail: Do not clear IRQ flags on direct-irq enabled pins media: sti: bdisp: fix a possible sleep-in-atomic-context bug in bdisp_device_run() char/random: silence a lockdep splat with printk() gpio: gpio-grgpio: fix possible sleep-in-atomic-context bugs in grgpio_irq_map/unmap() powerpc/powernv/iov: Ensure the pdn for VFs always contains a valid PE number media: i2c: mt9v032: fix enum mbus codes and frame sizes pxa168fb: Fix the function used to release some memory in an error handling path pinctrl: sh-pfc: sh7264: Fix CAN function GPIOs gianfar: Fix TX timestamping with a stacked DSA driver ALSA: ctl: allow TLV read operation for callback type of element in locked case ext4: fix ext4_dax_read/write inode locking sequence for IOCB_NOWAIT leds: pca963x: Fix open-drain initialization brcmfmac: Fix use after free in brcmf_sdio_readframes() cpu/hotplug, stop_machine: Fix stop_machine vs hotplug order drm/gma500: Fixup fbdev stolen size usage evaluation KVM: nVMX: Use correct root level for nested EPT shadow page tables Revert "KVM: VMX: Add non-canonical check on writes to RTIT address MSRs" Revert "KVM: nVMX: Use correct root level for nested EPT shadow page tables" scsi: qla2xxx: fix a potential NULL pointer dereference jbd2: do not clear the BH_Mapped flag when forgetting a metadata buffer jbd2: move the clearing of b_modified flag to the journal_unmap_buffer() hwmon: (pmbus/ltc2978) Fix PMBus polling of MFR_COMMON definitions. perf/x86/intel: Fix inaccurate period in context switch for auto-reload s390/time: Fix clk type in get_tod_clock RDMA/core: Fix protection fault in get_pkey_idx_qp_list IB/hfi1: Close window for pq and request coliding serial: imx: Only handle irqs that are actually enabled serial: imx: ensure that RX irqs are off if RX is off padata: Remove broken queue flushing perf/x86/amd: Add missing L2 misses event spec to AMD Family 17h's event map KVM: nVMX: Use correct root level for nested EPT shadow page tables arm64: ssbs: Fix context-switch when SSBS is present on all CPUs btrfs: log message when rw remount is attempted with unclean tree-log btrfs: print message when tree-log replay starts Btrfs: fix race between using extent maps and merging them ext4: improve explanation of a mount failure caused by a misconfigured kernel ext4: fix checksum errors with indexed dirs ext4: fix support for inode sizes > 1024 bytes ext4: don't assume that mmp_nodename/bdevname have NUL ARM: 8723/2: always assume the "unified" syntax for assembly code arm64: nofpsimd: Handle TIF_FOREIGN_FPSTATE flag cleanly arm64: ptrace: nofpsimd: Fail FP/SIMD regset operations arm64: cpufeature: Set the FP/SIMD compat HWCAP bits properly ALSA: usb-audio: Apply sample rate quirk for Audioengine D1 Input: synaptics - remove the LEN0049 dmi id from topbuttonpad list Input: synaptics - enable SMBus on ThinkPad L470 Input: synaptics - switch T470s to RMI4 by default ecryptfs: fix a memory leak bug in ecryptfs_init_messaging() ecryptfs: fix a memory leak bug in parse_tag_1_packet() ASoC: sun8i-codec: Fix setting DAI data format ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs iommu/qcom: Fix bogus detach logic KVM: x86: emulate RDPID UPSTREAM: sched/psi: Fix OOB write when writing 0 bytes to PSI files UPSTREAM: psi: Fix a division error in psi poll() UPSTREAM: sched/psi: Fix sampling error and rare div0 crashes with cgroups and high uptime UPSTREAM: sched/psi: Correct overly pessimistic size calculation FROMLIST: f2fs: Handle casefolding with Encryption FROMLIST: fscrypt: Have filesystems handle their d_ops FROMLIST: ext4: Use generic casefolding support FROMLIST: f2fs: Use generic casefolding support FROMLIST: Add standard casefolding support FROMLIST: unicode: Add utf8_casefold_hash ANDROID: cuttlefish_defconfig: Add CONFIG_UNICODE ANDROID: sdcardfs: fix -ENOENT lookup race issue ANDROID: gki_defconfig: Enable CONFIG_RD_LZ4 ANDROID: dm: Add wrapped key support in dm-default-key ANDROID: dm: add support for passing through derive_raw_secret ANDROID: block: Prevent crypto fallback for wrapped keys ANDROID: Disable wq fp check in CFI builds ANDROID: increase limit on sched-tune boost groups ANDROID: ufs, block: fix crypto power management and move into block layer ANDROID: Incremental fs: Support xattrs ANDROID: test_stackinit: work around LLVM PR44916 ANDROID: clang: update to 10.0.4 fs-verity: use u64_to_user_ptr() fs-verity: use mempool for hash requests fs-verity: implement readahead of Merkle tree pages ext4: readpages() should submit IO as read-ahead fs-verity: implement readahead for FS_IOC_ENABLE_VERITY fscrypt: improve format of no-key names ubifs: allow both hash and disk name to be provided in no-key names ubifs: don't trigger assertion on invalid no-key filename fscrypt: clarify what is meant by a per-file key fscrypt: derive dirhash key for casefolded directories fscrypt: don't allow v1 policies with casefolding fscrypt: add "fscrypt_" prefix to fname_encrypt() fscrypt: don't print name of busy file when removing key fscrypt: document gfp_flags for bounce page allocation fscrypt: optimize fscrypt_zeroout_range() fscrypt: remove redundant bi_status check fscrypt: Allow modular crypto algorithms fscrypt: include <linux/ioctl.h> in UAPI header fscrypt: don't check for ENOKEY from fscrypt_get_encryption_info() fscrypt: remove fscrypt_is_direct_key_policy() fscrypt: move fscrypt_valid_enc_modes() to policy.c fscrypt: check for appropriate use of DIRECT_KEY flag earlier fscrypt: split up fscrypt_supported_policy() by policy version fscrypt: introduce fscrypt_needs_contents_encryption() fscrypt: move fscrypt_d_revalidate() to fname.c fscrypt: constify inode parameter to filename encryption functions fscrypt: constify struct fscrypt_hkdf parameter to fscrypt_hkdf_expand() fscrypt: verify that the crypto_skcipher has the correct ivsize fscrypt: use crypto_skcipher_driver_name() fscrypt: support passing a keyring key to FS_IOC_ADD_ENCRYPTION_KEY keys: Export lookup_user_key to external users f2fs: fix build error on PAGE_KERNEL_RO Conflicts: arch/arm64/kernel/smp.c arch/arm64/kernel/traps.c block/blk-crypto-fallback.c block/keyslot-manager.c drivers/base/power/wakeup.c drivers/clk/clk.c drivers/clk/qcom/clk-rcg2.c drivers/gpu/Makefile drivers/gpu/drm/msm/msm_drv.c drivers/gpu/drm/msm/msm_gem.c drivers/hwtracing/coresight/coresight-funnel.c drivers/irqchip/irq-gic-v3.c drivers/md/dm.c drivers/net/ethernet/qualcomm/rmnet/rmnet_config.c drivers/net/ethernet/stmicro/stmmac/stmmac_hwtstamp.c drivers/net/macsec.c drivers/net/phy/micrel.c drivers/net/wireless/ath/wil6210/cfg80211.c drivers/net/wireless/ath/wil6210/fw_inc.c drivers/net/wireless/ath/wil6210/pcie_bus.c drivers/net/wireless/ath/wil6210/pm.c drivers/net/wireless/ath/wil6210/wil6210.h drivers/of/base.c drivers/power/supply/power_supply_sysfs.c drivers/rpmsg/qcom_glink_smem.c drivers/scsi/sd.c drivers/scsi/ufs/ufshcd-crypto.c drivers/scsi/ufs/ufshcd.c drivers/scsi/ufs/ufshcd.h drivers/scsi/ufs/ufshci.h drivers/usb/dwc3/core.c drivers/usb/dwc3/gadget.c drivers/usb/gadget/Kconfig drivers/usb/gadget/composite.c drivers/usb/gadget/function/f_fs.c drivers/usb/gadget/legacy/Makefile drivers/usb/host/xhci-mem.c fs/ext4/readpage.c fs/sdcardfs/lookup.c include/linux/key.h include/linux/keyslot-manager.h include/linux/power_supply.h include/uapi/linux/coresight-stm.h net/qrtr/qrtr.c Change-Id: Iaa9fcbe987e721f02596e167249a519781ed3888 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>	2020-08-05 11:41:56 +05:30
Srinivasarao P	8e1e29842d	Merge android-4.14.168 (509b380) into msm-4.14 ... * refs/heads/tmp-509b380: Revert "Revert "ANDROID: security,perf: Allow further restriction of perf_event_open"" Linux 4.14.168 m68k: Call timer_interrupt() with interrupts disabled serial: stm32: fix clearing interrupt error flags IB/iser: Fix dma_nents type definition arm64: dts: juno: Fix UART frequency drm/radeon: fix bad DMA from INTERRUPT_CNTL2 dmaengine: ti: edma: fix missed failure handling affs: fix a memory leak in affs_remount mmc: core: fix wl1251 sdio quirks mmc: sdio: fix wl1251 vendor id packet: fix data-race in fanout_flow_is_huge() net: neigh: use long type to store jiffies delta hv_netvsc: flag software created hash value MIPS: Loongson: Fix return value of loongson_hwmon_init afs: Fix large file support net: qca_spi: Move reset_count to struct qcaspi net: netem: correct the parent's backlog when corrupted packet was dropped net: netem: fix error path for corrupted GSO frames dmaengine: imx-sdma: fix size check for sdma script_number drm/msm/dsi: Implement reset correctly tcp: annotate lockless access to tcp_memory_pressure net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head net: avoid possible false sharing in sk_leave_memory_pressure() act_mirred: Fix mirred_init_module error handling net: stmmac: fix length of PTP clock's name string llc: fix sk_buff refcounting in llc_conn_state_process() llc: fix another potential sk_buff leak in llc_ui_sendmsg() mac80211: accept deauth frames in IBSS mode net: stmmac: gmac4+: Not all Unicast addresses may be available nvme: retain split access workaround for capability reads net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse() of: mdio: Fix a signedness bug in of_phy_get_and_connect() net: axienet: fix a signedness bug in probe net: stmmac: dwmac-meson8b: Fix signedness bug in probe net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe() net: hisilicon: Fix signedness bug in hix5hd2_dev_probe() net: aquantia: Fix aq_vec_isr_legacy() return value iommu/amd: Wait for completion of IOTLB flush in attach_device net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names' RDMA/cma: Fix false error message ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet pinctrl: iproc-gpio: Fix incorrect pinconf configurations net: sonic: replace dev_kfree_skb in sonic_send_packet hwmon: (shtc1) fix shtc1 and shtw1 id mask ixgbe: sync the first fragment unconditionally btrfs: use correct count in btrfs_file_write_iter() Btrfs: fix inode cache waiters hanging on path allocation failure Btrfs: fix inode cache waiters hanging on failure to start caching thread Btrfs: fix hang when loading existing inode cache off disk scsi: fnic: fix msix interrupt allocation net: sonic: return NETDEV_TX_OK if failed to map buffer tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init iio: dac: ad5380: fix incorrect assignment to val bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA irqdomain: Add the missing assignment of domain->fwnode for named fwnode staging: greybus: light: fix a couple double frees x86, perf: Fix the dependency of the x86 insn decoder selftest power: supply: Init device wakeup after device_add() hwmon: (lm75) Fix write operations for negative temperatures Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()" ahci: Do not export local variable ahci_em_messages iommu/mediatek: Fix iova_to_phys PA start for 4GB mode mips: avoid explicit UB in assignment of mips_io_port_base rtc: pcf2127: bugfix: read rtc disables watchdog media: atmel: atmel-isi: fix timeout value for stop streaming mac80211: minstrel_ht: fix per-group max throughput rate initialization dmaengine: dw: platform: Switch to acpi_dma_controller_register() ASoC: sun4i-i2s: RX and TX counter registers are swapped signal: Allow cifs and drbd to receive their terminating signals bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails net/rds: Add a few missing rds_stat_names entries ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls ASoC: cs4349: Use PM ops 'cs4349_runtime_pm' ASoC: es8328: Fix copy-paste error in es8328_right_line_controls ext4: set error return correctly when ext4_htree_store_dirent fails crypto: caam - free resources in case caam_rng registration failed cifs: fix rmmod regression in cifs.ko caused by force_sig changes net/mlx5: Fix mlx5_ifc_query_lag_out_bits ARM: dts: stm32: add missing vdda-supply to adc on stm32h743i-eval tipc: reduce risk of wakeup queue starvation ALSA: aoa: onyx: always initialize register read value crypto: ccp - Reduce maximum stack usage x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI mic: avoid statically declaring a 'struct device'. usb: host: xhci-hub: fix extra endianness conversion qed: reduce maximum stack frame size libertas_tf: Use correct channel range in lbtf_geo_init PM: sleep: Fix possible overflow in pm_system_cancel_wakeup() clk: sunxi-ng: v3s: add the missing PLL_DDR1 scsi: libfc: fix null pointer dereference on a null lport net: pasemi: fix an use-after-free in pasemi_mac_phy_init() RDMA/hns: Fixs hw access invalid dma memory error devres: allow const resource arguments rxrpc: Fix uninitialized error code in rxrpc_send_data_packet() mfd: intel-lpss: Release IDA resources iommu/amd: Make iommu_disable safer bnxt_en: Fix ethtool selftest crash under error conditions. nvmem: imx-ocotp: Ensure WAIT bits are preserved when setting timing clk: qcom: Fix -Wunused-const-variable dmaengine: hsu: Revert "set HSU_CH_MTSR to memory width" perf/ioctl: Add check for the sample_period value drm/msm/a3xx: remove TPL1 regs from snapshot rtc: pcf8563: Clear event flags and disable interrupts before requesting irq rtc: pcf8563: Fix interrupt trigger method ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs net/af_iucv: always register net_device notifier net: netem: fix backlog accounting for corrupted GSO frames drm/msm/mdp5: Fix mdp5_cfg_init error return powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state iommu/vt-d: Duplicate iommu_resv_region objects per device list mpls: fix warning with multi-label encap media: vivid: fix incorrect assignment operation when setting video mode cpufreq: brcmstb-avs-cpufreq: Fix types for voltage/frequency cpufreq: brcmstb-avs-cpufreq: Fix initial command check netvsc: unshare skb in VF rx handler inet: frags: call inet_frags_fini() after unregister_pernet_subsys() signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig iommu: Use right function to get group for device misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa serial: stm32: fix wakeup source initialization serial: stm32: Add support of TC bit status check serial: stm32: fix transmit_chars when tx is stopped serial: stm32: fix rx error handling crypto: ccp - Fix 3DES complaint from ccp-crypto module crypto: ccp - fix AES CFB error exposed by new test vectors spi: spi-fsl-spi: call spi_finalize_current_message() at the end RDMA/qedr: Fix incorrect device rate. arm64: dts: meson: libretech-cc: set eMMC as removable dmaengine: tegra210-adma: Fix crash during probe ARM: dts: sun8i-h3: Fix wifi in Beelink X2 DT EDAC/mc: Fix edac_mc_find() in case no device is found thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power backlight: lm3630a: Return 0 on success in update_status functions kdb: do a sanity check on the cpu in kdb_per_cpu() ARM: riscpc: fix lack of keyboard interrupts after irq conversion pwm: meson: Don't disable PWM when setting duty repeatedly pwm: meson: Consider 128 a valid pre-divider netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule crypto: caam - fix caam_dump_sg that iterates through scatterlist platform/x86: alienware-wmi: printing the wrong error code media: davinci/vpbe: array underflow in vpbe_enum_outputs() media: omap_vout: potential buffer overflow in vidioc_dqbuf() l2tp: Fix possible NULL pointer dereference vfio/mdev: Fix aborting mdev child device removal if one fails vfio/mdev: Avoid release parent reference during error path afs: Fix the afs.cell and afs.volume xattr handlers lightnvm: pblk: fix lock order in pblk_rb_tear_down_check mmc: core: fix possible use after free of host dmaengine: tegra210-adma: restore channel status net: ena: fix ena_com_fill_hash_function() implementation net: ena: fix incorrect test of supported hash function net: ena: fix: Free napi resources when ena_up() fails net: ena: fix swapped parameters when calling ena_com_indirect_table_fill_entry iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU IB/mlx5: Add missing XRC options to QP optional params mask dwc2: gadget: Fix completed transfer size calculation in DDMA usb: gadget: fsl: fix link error against usb-gadget module ASoC: fix valid stream condition packet: in recvmsg msg_name return at least sizeof sockaddr_ll scsi: qla2xxx: Avoid that qlt_send_resp_ctio() corrupts memory scsi: qla2xxx: Fix a format specifier irqchip/gic-v3-its: fix some definitions of inner cacheability attributes NFS: Don't interrupt file writeout due to fatal errors ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk() dmaengine: axi-dmac: Don't check the number of frames for alignment 6lowpan: Off by one handling ->nexthdr media: ov2659: fix unbalanced mutex_lock/unlock ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect powerpc: vdso: Make vdso32 installation conditional in vdso_install selftests/ipc: Fix msgque compiler warnings tipc: set sysctl_tipc_rmem and named_timeout right range platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses net: hns3: fix for vport->bw_limit overflow problem ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data" scsi: target/core: Fix a race condition in the LUN lookup code scsi: qla2xxx: Unregister chrdev if module initialization fails ehea: Fix a copy-paste err in ehea_init_port_res spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios soc/fsl/qe: Fix an error code in qe_pin_request() spi: tegra114: configure dma burst size to fifo trig level spi: tegra114: flush fifos spi: tegra114: terminate dma and reset on transfer timeout spi: tegra114: fix for unpacked mode transfers spi: tegra114: clear packed bit for unpacked mode media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame media: davinci-isif: avoid uninitialized variable use ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset() arm64: dts: allwinner: a64: Add missing PIO clocks m68k: mac: Fix VIA timer counter accesses tipc: tipc clang warning jfs: fix bogus variable self-initialization regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB media: cx23885: check allocation return media: wl128x: Fix an error code in fm_download_firmware() media: cx18: update *pos correctly in cx18_read_pos() media: ivtv: update *pos correctly in ivtv_read_pos() regulator: lp87565: Fix missing register for LP87565_BUCK_0 net: sh_eth: fix a missing check of of_get_phy_mode xen, cpu_hotplug: Prevent an out of bounds access drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen() scsi: megaraid_sas: reduce module load time x86/mm: Remove unused variable 'cpu' nios2: ksyms: Add missing symbol exports powerpc/mm: Check secondary hash page table net: aquantia: fixed instack structure overflow NFSv4/flexfiles: Fix invalid deref in FF_LAYOUT_DEVID_NODE() netfilter: nft_set_hash: fix lookups with fixed size hash on big endian regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA ARM: 8848/1: virt: Align GIC version check with arm64 counterpart ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used mmc: sdhci-brcmstb: handle mmc_of_parse() errors during probe NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount platform/x86: wmi: fix potential null pointer dereference clocksource/drivers/exynos_mct: Fix error path in timer resources initialization clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable NFS: Fix a soft lockup in the delegation recovery code powerpc/64s: Fix logic when handling unknown CPU features staging: rtlwifi: Use proper enum for return in halmac_parse_psd_data_88xx fs/nfs: Fix nfs_parse_devname to not modify it's argument ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of() drm/nouveau/pmu: don't print reply values if exec is false drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON net: dsa: qca8k: Enable delay for RGMII_ID mode regulator: pv88090: Fix array out-of-bounds access regulator: pv88080: Fix array out-of-bounds access regulator: pv88060: Fix array out-of-bounds access cdc-wdm: pass return value of recover_from_urb_loss dmaengine: mv_xor: Use correct device for DMA API staging: r8822be: check kzalloc return or bail KVM: PPC: Release all hardware TCE tables attached to a group hwmon: (pmbus/tps53679) Fix driver info initialization in probe routine vfio_pci: Enable memory accesses before calling pci_map_rom keys: Timestamp new keys block: don't use bio->bi_vcnt to figure out segment number usb: phy: twl6030-usb: fix possible use-after-free on remove PCI: endpoint: functions: Use memcpy_fromio()/memcpy_toio() pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups pinctrl: sh-pfc: r8a7792: Fix vin1_data18_b pin group pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group pinctrl: sh-pfc: emev2: Add missing pinmux functions drm/etnaviv: potential NULL dereference iw_cxgb4: use tos when finding ipv6 routes iw_cxgb4: use tos when importing the endpoint fbdev: chipsfb: remove set but not used variable 'size' rtc: pm8xxx: fix unintended sign extension rtc: 88pm80x: fix unintended sign extension rtc: 88pm860x: fix unintended sign extension rtc: ds1307: rx8130: Fix alarm handling net: phy: fixed_phy: Fix fixed_phy not checking GPIO thermal: mediatek: fix register index error rtc: ds1672: fix unintended sign extension staging: most: cdev: add missing check for cdev_add failure iwlwifi: mvm: fix RSS config command ARM: dts: lpc32xx: phy3250: fix SD card regulator voltage ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller clocks property ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant ARM: dts: lpc32xx: reparent keypad controller to SIC1 ARM: dts: lpc32xx: add required clocks property to keypad device node driver core: Do not resume suppliers under device_links_write_lock() crypto: crypto4xx - Fix wrong ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments driver: uio: fix possible use-after-free in __uio_register_device driver: uio: fix possible memory leak in __uio_register_device tty: ipwireless: Fix potential NULL pointer dereference iwlwifi: mvm: fix A-MPDU reference assignment net/mlx5: Take lock with IRQs disabled to avoid deadlock iwlwifi: mvm: avoid possible access out of array. clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it spi/topcliff_pch: Fix potential NULL dereference on allocation error rtc: cmos: ignore bogus century byte IB/iser: Pass the correct number of entries for dma mapped SGL ASoC: imx-sgtl5000: put of nodes if finding codec fails crypto: tgr192 - fix unaligned memory access crypto: brcm - Fix some set-but-not-used warning kbuild: mark prepare0 as PHONY to fix external module build media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump() RDMA/iw_cxgb4: Fix the unchecked ep dereference spi: cadence: Correct initialisation of runtime PM arm64: dts: apq8016-sbc: Increase load on l11 for SDCARD drm/shmob: Fix return value check in shmob_drm_probe RDMA/qedr: Fix out of bounds index check in query pkey RDMA/ocrdma: Fix out of bounds index check in query pkey IB/usnic: Fix out of bounds index check in query pkey MIPS: BCM63XX: drop unused and broken DSP platform device clk: dove: fix refcount leak in dove_clk_init() clk: mv98dx3236: fix refcount leak in mv98dx3236_clk_init() clk: armada-xp: fix refcount leak in axp_clk_init() clk: kirkwood: fix refcount leak in kirkwood_clk_init() clk: armada-370: fix refcount leak in a370_clk_init() clk: vf610: fix refcount leak in vf610_clocks_init() clk: imx7d: fix refcount leak in imx7d_clocks_init() clk: imx6sx: fix refcount leak in imx6sx_clocks_init() clk: imx6q: fix refcount leak in imx6q_clocks_init() clk: samsung: exynos4: fix refcount leak in exynos4_get_xom() clk: socfpga: fix refcount leak clk: qoriq: fix refcount leak in clockgen_init() clk: highbank: fix refcount leak in hb_clk_init() Input: nomadik-ske-keypad - fix a loop timeout test vxlan: changelink: Fix handling of default remotes pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field pinctrl: sh-pfc: r8a77995: Remove bogus SEL_PWM[0-3]_3 configurations pinctrl: sh-pfc: sh7734: Add missing IPSR11 field pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group switchtec: Remove immediate status check after submitting MRPC command staging: bcm2835-camera: Abort probe if there is no camera IB/rxe: Fix incorrect cache cleanup in error flow net: phy: Fix not to call phy_resume() if PHY is not attached drm/dp_mst: Skip validating ports during destruction, just ref exportfs: fix 'passing zero to ERR_PTR()' warning pcrypt: use format specifier in kobject_add NTB: ntb_hw_idt: replace IS_ERR_OR_NULL with regular NULL checks mlxsw: reg: QEEC: Add minimum shaper fields drm/sun4i: hdmi: Fix double flag assignation pwm: lpss: Release runtime-pm reference from the driver's remove callback staging: comedi: ni_mio_common: protect register write overflow ALSA: usb-audio: update quirk for B&W PX to remove microphone IB/hfi1: Add mtu check for operational data VLs IB/rxe: replace kvfree with vfree drm/hisilicon: hibmc: Don't overwrite fb helper surface depth PCI: iproc: Remove PAXC slot check to allow VF support apparmor: don't try to replace stale label in ptrace access check ALSA: hda: fix unused variable warning drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset() drm/sti: do not remove the drm_bridge that was never added crypto: sun4i-ss - fix big endian issues mt7601u: fix bbp version check in mt7601u_wait_bbp_ready tipc: fix wrong timeout input for tipc_wait_for_cond() powerpc/archrandom: fix arch_get_random_seed_int() mfd: intel-lpss: Add default I2C device properties for Gemini Lake xfs: Sanity check flags of Q_XQUOTARM call FROMGIT: ext4: Add EXT4_IOC_FSGETXATTR/EXT4_IOC_FSSETXATTR to compat_ioctl. ANDROID: cuttlefish_defconfig: enable CONFIG_IKHEADERS as m ANDROID: cuttlefish_defconfig: enable NVDIMM/PMEM options UPSTREAM: virtio-pmem: Add virtio pmem driver BACKPORT: libnvdimm: nd_region flush callback support UPSTREAM: libnvdimm/of_pmem: Provide a unique name for bus provider UPSTREAM: libnvdimm/of_pmem: Fix platform_no_drv_owner.cocci warnings UPSTREAM: libnvdimm, of_pmem: use dev_to_node() instead of of_node_to_nid() UPSTREAM: libnvdimm: Add device-tree based driver UPSTREAM: libnvdimm: Add of_node to region and bus descriptors FROMLIST: security: selinux: allow per-file labelling for binderfs UPSTREAM: mm/page_io.c: annotate refault stalls from swap_readpage Revert "ANDROID: security,perf: Allow further restriction of perf_event_open" ANDROID: selinux: modify RTM_GETLINK permission UPSTREAM: lib/test_meminit.c: add bulk alloc/free tests UPSTREAM: lib/test_meminit: add a kmem_cache_alloc_bulk() test UPSTREAM: mm: slub: really fix slab walking for init_on_free UPSTREAM: mm/slub.c: init_on_free=1 should wipe freelist ptr for bulk allocations Conflicts: drivers/mmc/core/quirks.h include/uapi/linux/virtio_ids.h New header file entries are added to .bp files. Change-Id: I515cb78684f524e239850625b163ba023b517e10 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>	2020-06-30 21:32:05 +05:30
Srinivasarao P	3300821568	Merge android-4.14.161 (d8cb916) into msm-4.14 ... * refs/heads/tmp-d8cb916: Linux 4.14.161 perf probe: Fix to show function entry line as probe-able nbd: fix shutdown and recv work deadlock v2 mmc: sdhci-of-esdhc: fix P2020 errata handling mmc: sdhci: Update the tuning failed messages to pr_debug level mmc: sdhci-of-esdhc: Revert "mmc: sdhci-of-esdhc: add erratum A-009204 support" powerpc/irq: fix stack overflow verification x86/MCE/AMD: Allow Reserved types to be overwritten in smca_banks[] x86/MCE/AMD: Do not use rdmsr_safe_on_cpu() in smca_configure() KVM: arm64: Ensure 'params' is initialised when looking up sys register ext4: unlock on error in ext4_expand_extra_isize() ext4: check for directory entries too close to block end ext4: fix ext4_empty_dir() for directories with holes staging: comedi: gsc_hpdi: check dma_alloc_coherent() return value platform/x86: hp-wmi: Make buffer for HPWMI_FEATURE2_QUERY 128 bytes intel_th: pci: Add Elkhart Lake SOC support intel_th: pci: Add Comet Lake PCH-V support USB: EHCI: Do not return -EPIPE when hub is disconnected usbip: Fix error path of vhci_recv_ret_submit() usbip: Fix receive error in vhci-hcd when using scatter-gather btrfs: abort transaction after failed inode updates in create_subvol btrfs: return error pointer from alloc_test_extent_buffer s390/ftrace: fix endless recursion in function_graph tracer usb: xhci: Fix build warning seen with CONFIG_PM=n mmc: mediatek: fix CMD_TA to 2 for MT8173 HS200/HS400 mode Revert "mmc: sdhci: Fix incorrect switch to HS mode" btrfs: don't prematurely free work in scrub_missing_raid56_worker() btrfs: don't prematurely free work in reada_start_machine_worker() net: phy: initialise phydev speed and duplex sanely mips: fix build when "48 bits virtual memory" is enabled libtraceevent: Fix memory leakage in copy_filter_type crypto: vmx - Avoid weird build failures mac80211: consider QoS Null frames for STA_NULLFUNC_ACKED crypto: sun4i-ss - Fix 64-bit size_t warnings on sun4i-ss-hash.c crypto: sun4i-ss - Fix 64-bit size_t warnings fbtft: Make sure string is NULL terminated iwlwifi: check kasprintf() return value x86/insn: Add some Intel instructions to the opcode map spi: st-ssc4: add missed pm_runtime_disable btrfs: don't prematurely free work in run_ordered_work() btrfs: don't prematurely free work in end_workqueue_fn() mmc: tmio: Add MMC_CAP_ERASE to allow erase/discard/trim requests crypto: virtio - deal with unsupported input sizes spi: tegra20-slink: add missed clk_unprepare iwlwifi: mvm: fix unaligned read of rx_pkt_status x86/crash: Add a forward declaration of struct kimage cpufreq: Register drivers only after CPU devices have been registered parport: load lowlevel driver if ports not found s390/disassembler: don't hide instruction addresses ASoC: Intel: kbl_rt5663_rt5514_max98927: Add dmic format constraint ASoC: rt5677: Mark reg RT5677_PWR_ANLG2 as volatile spi: pxa2xx: Add missed security checks EDAC/ghes: Fix grain calculation media: si470x-i2c: add missed operations in remove media: pvrusb2: Fix oops on tear-down when radio support is not present fsi: core: Fix small accesses and unaligned offsets via sysfs ath10k: fix get invalid tx rate for Mesh metric perf probe: Filter out instances except for inlined subroutine and subprogram perf probe: Skip end-of-sequence and non statement lines perf probe: Fix to show calling lines of inlined functions perf probe: Return a better scope DIE if there is no best scope perf probe: Skip overlapped location on searching variables perf parse: If pmu configuration fails free terms drm/amdgpu: fix potential double drop fence reference perf probe: Fix to probe a function which has no entry pc libsubcmd: Use -O0 with DEBUG=1 perf probe: Fix to show inlined function callsite without entry_pc perf probe: Fix to show ranges of variables in functions without entry_pc perf probe: Fix to probe an inline function which has no entry pc perf probe: Walk function lines in lexical blocks perf probe: Fix to list probe event with correct line number perf probe: Fix to find range-only function instance rtlwifi: fix memory leak in rtl92c_set_fw_rsvdpagepkt() ALSA: timer: Limit max amount of slave instances spi: img-spfi: fix potential double release bnx2x: Fix PF-VF communication over multi-cos queues. rfkill: allocate static minor media: v4l2-core: fix touch support in v4l_g_fmt media: rcar_drif: fix a memory disclosure ixgbe: protect TX timestamping from API misuse pinctrl: amd: fix __iomem annotation in amd_gpio_irq_handler() Bluetooth: Fix advertising duplicated flags iio: dln2-adc: fix iio_triggered_buffer_postenable() position pinctrl: sh-pfc: sh7734: Fix duplicate TCLK1_B loop: fix no-unmap write-zeroes request behavior libata: Ensure ata_port probe has completed before detach s390/mm: add mm_pxd_folded() checks to pxd_free() s390/time: ensure get_clock_monotonic() returns monotonic values phy: qcom-usb-hs: Fix extcon double register after power cycle net: dsa: LAN9303: select REGMAP when LAN9303 enable gpu: host1x: Allocate gather copy for host1x RDMA/qedr: Fix memory leak in user qp and mr net: phy: dp83867: enable robust auto-mdix arm64: psci: Reduce the waiting time for cpu_psci_cpu_kill() x86/ioapic: Prevent inconsistent state when moving an interrupt rtl8xxxu: fix RTL8723BU connection failure issue after warm reboot drm/gma500: fix memory disclosures due to uninitialized bytes x86/mce: Lower throttling MCE messages' priority to warning Bluetooth: hci_core: fix init for HCI_USER_CHANNEL Bluetooth: missed cpu_to_le16 conversion in hci_init4_req iio: adc: max1027: Reset the device at probe time usb: usbfs: Suppress problematic bind and unbind uevents. perf report: Add warning when libunwind not compiled in perf test: Report failure for mmap events drm/bridge: dw-hdmi: Restore audio when setting a mode x86/mm: Use the correct function type for native_set_fixmap() extcon: sm5502: Reset registers during initialization media: ti-vpe: vpe: fix a v4l2-compliance failure about invalid sizeimage media: ti-vpe: vpe: ensure buffers are cleaned up properly in abort cases media: ti-vpe: vpe: fix a v4l2-compliance failure causing a kernel panic media: ti-vpe: vpe: Make sure YUYV is set as default format media: ti-vpe: vpe: fix a v4l2-compliance failure about frame sequence number media: ti-vpe: vpe: fix a v4l2-compliance warning about invalid pixel format media: ti-vpe: vpe: Fix Motion Vector vpdma stride media: cx88: Fix some error handling path in 'cx8800_initdev()' mwifiex: pcie: Fix memory leak in mwifiex_pcie_init_evt_ring block: Fix writeback throttling W=1 compiler warnings samples: pktgen: fix proc_cmd command result check logic drm/bridge: dw-hdmi: Refuse DDC/CI transfers on the internal I2C controller media: cec-funcs.h: add status_req checks media: flexcop-usb: fix NULL-ptr deref in flexcop_usb_transfer_init() regulator: max8907: Fix the usage of uninitialized variable in max8907_regulator_probe() hwrng: omap3-rom - Call clk_disable_unprepare() on exit only if not idled usb: renesas_usbhs: add suspend event support in gadget mode selftests/bpf: Correct path to include msg + path pinctrl: devicetree: Avoid taking direct reference to device name string ath10k: fix offchannel tx failure when no ath10k_mac_tx_frm_has_freq media: venus: core: Fix msm8996 frequency table tools/power/cpupower: Fix initializer override in hsw_ext_cstates media: ov6650: Fix stored crop rectangle not in sync with hardware media: ov6650: Fix stored frame format not in sync with hardware media: i2c: ov2659: Fix missing 720p register config media: ov6650: Fix crop rectangle alignment not passed back media: i2c: ov2659: fix s_stream return value media: am437x-vpfe: Setting STD to current value is not an error IB/iser: bound protection_sg size by data_sg size libertas: fix a potential NULL pointer dereference rtlwifi: prevent memory leak in rtl_usb_probe staging: rtl8188eu: fix possible null dereference staging: rtl8192u: fix multiple memory leaks on error path spi: Add call to spi_slave_abort() function when spidev driver is released iio: light: bh1750: Resolve compiler warning and make code more readable drm/bridge: analogix-anx78xx: silence -EPROBE_DEFER warnings drm: mst: Fix query_payload ack reply struct ALSA: hda/ca0132 - Avoid endless loop ALSA: hda/ca0132 - Keep power on during processing DSP response ALSA: pcm: Avoid possible info leaks from PCM stream buffers Btrfs: fix removal logic of the tree mod log that leads to use-after-free issues btrfs: handle ENOENT in btrfs_uuid_tree_iterate btrfs: do not leak reloc root if we fail to read the fs root btrfs: skip log replay on orphaned roots btrfs: do not call synchronize_srcu() in inode_tree_del btrfs: don't double lock the subvol_sem for rename exchange sctp: fully initialize v4 addr in some functions qede: Fix multicast mac configuration net: usb: lan78xx: Fix suspend/resume PHY register access error net: qlogic: Fix error paths in ql_alloc_large_buffers() net: nfc: nci: fix a possible sleep-in-atomic-context bug in nci_uart_tty_receive() net: hisilicon: Fix a BUG trigered by wrong bytes_compl net: dst: Force 4-byte alignment of dst_metrics mod_devicetable: fix PHY module format fjes: fix missed check in fjes_acpi_add af_packet: set defaule value for tmo ANDROID: cuttlefish_defconfig: Disable TRANSPARENT_HUGEPAGE Conflicts: arch/arm64/kernel/psci.c Change-Id: I989024129dbc7ce44af19108621958bfdd2fe6ef Signed-off-by: Srinivasarao P <spathi@codeaurora.org> Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>	2020-04-17 18:04:31 +05:30
Willem de Bruijn	2975472e04	net/packet: tpacket_rcv: avoid a producer race condition ... [ Upstream commit 61fad6816fc10fb8793a925d5c1256d1c3db0cd2 ] PACKET_RX_RING can cause multiple writers to access the same slot if a fast writer wraps the ring while a slow writer is still copying. This is particularly likely with few, large, slots (e.g., GSO packets). Synchronize kernel thread ownership of rx ring slots with a bitmap. Writers acquire a slot race-free by testing tp_status TP_STATUS_KERNEL while holding the sk receive queue lock. They release this lock before copying and set tp_status to TP_STATUS_USER to release to userspace when done. During copying, another writer may take the lock, also see TP_STATUS_KERNEL, and start writing to the same slot. Introduce a new rx_owner_map bitmap with a bit per slot. To acquire a slot, test and set with the lock held. To release race-free, update tp_status and owner bit as a transaction, so take the lock again. This is the one of a variety of discussed options (see Link below): * instead of a shadow ring, embed the data in the slot itself, such as in tp_padding. But any test for this field may match a value left by userspace, causing deadlock. * avoid the lock on release. This leaves a small race if releasing the shadow slot before setting TP_STATUS_USER. The below reproducer showed that this race is not academic. If releasing the slot after tp_status, the race is more subtle. See the first link for details. * add a new tp_status TP_KERNEL_OWNED to avoid the transactional store of two fields. But, legacy applications may interpret all non-zero tp_status as owned by the user. As libpcap does. So this is possible only opt-in by newer processes. It can be added as an optional mode. * embed the struct at the tail of pg_vec to avoid extra allocation. The implementation proved no less complex than a separate field. The additional locking cost on release adds contention, no different than scaling on multicore or multiqueue h/w. In practice, below reproducer nor small packet tcpdump showed a noticeable change in perf report in cycles spent in spinlock. Where contention is problematic, packet sockets support mitigation through PACKET_FANOUT. And we can consider adding opt-in state TP_KERNEL_OWNED. Easy to reproduce by running multiple netperf or similar TCP_STREAM flows concurrently with `tcpdump -B 129 -n greater 60000`. Based on an earlier patchset by Jon Rosen. See links below. I believe this issue goes back to the introduction of tpacket_rcv, which predates git history. Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg237222.html Suggested-by: Jon Rosen <jrosen@cisco.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Jon Rosen <jrosen@cisco.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-04-02 16:34:24 +02:00
Willem de Bruijn	db159fd8e2	net/packet: tpacket_rcv: do not increment ring index on drop ... [ Upstream commit 46e4c421a053c36bf7a33dda2272481bcaf3eed3 ] In one error case, tpacket_rcv drops packets after incrementing the ring producer index. If this happens, it does not update tp_status to TP_STATUS_USER and thus the reader is stalled for an iteration of the ring, causing out of order arrival. The only such error path is when virtio_net_hdr_from_skb fails due to encountering an unknown GSO type. Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2020-03-20 10:54:08 +01:00
Eric Dumazet	68b7234958	packet: fix data-race in fanout_flow_is_huge() ... [ Upstream commit b756ad928d98e5ef0b74af7546a6a31a8dadde00 ] KCSAN reported the following data-race [1] Adding a couple of READ_ONCE()/WRITE_ONCE() should silence it. Since the report hinted about multiple cpus using the history concurrently, I added a test avoiding writing on it if the victim slot already contains the desired value. [1] BUG: KCSAN: data-race in fanout_demux_rollover / fanout_demux_rollover read to 0xffff8880b01786cc of 4 bytes by task 18921 on cpu 1: fanout_flow_is_huge net/packet/af_packet.c:1303 [inline] fanout_demux_rollover+0x33e/0x3f0 net/packet/af_packet.c:1353 packet_rcv_fanout+0x34e/0x490 net/packet/af_packet.c:1453 deliver_skb net/core/dev.c:1888 [inline] dev_queue_xmit_nit+0x15b/0x540 net/core/dev.c:1958 xmit_one net/core/dev.c:3195 [inline] dev_hard_start_xmit+0x3f5/0x430 net/core/dev.c:3215 __dev_queue_xmit+0x14ab/0x1b40 net/core/dev.c:3792 dev_queue_xmit+0x21/0x30 net/core/dev.c:3825 neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530 neigh_output include/net/neighbour.h:511 [inline] ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 dst_output include/net/dst.h:436 [inline] ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179 ip6_send_skb+0x53/0x110 net/ipv6/ip6_output.c:1795 udp_v6_send_skb.isra.0+0x3ec/0xa70 net/ipv6/udp.c:1173 udpv6_sendmsg+0x1906/0x1c20 net/ipv6/udp.c:1471 inet6_sendmsg+0x6d/0x90 net/ipv6/af_inet6.c:576 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0x9f/0xc0 net/socket.c:657 ___sys_sendmsg+0x2b7/0x5d0 net/socket.c:2311 __sys_sendmmsg+0x123/0x350 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0x64/0x80 net/socket.c:2439 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 write to 0xffff8880b01786cc of 4 bytes by task 18922 on cpu 0: fanout_flow_is_huge net/packet/af_packet.c:1306 [inline] fanout_demux_rollover+0x3a4/0x3f0 net/packet/af_packet.c:1353 packet_rcv_fanout+0x34e/0x490 net/packet/af_packet.c:1453 deliver_skb net/core/dev.c:1888 [inline] dev_queue_xmit_nit+0x15b/0x540 net/core/dev.c:1958 xmit_one net/core/dev.c:3195 [inline] dev_hard_start_xmit+0x3f5/0x430 net/core/dev.c:3215 __dev_queue_xmit+0x14ab/0x1b40 net/core/dev.c:3792 dev_queue_xmit+0x21/0x30 net/core/dev.c:3825 neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530 neigh_output include/net/neighbour.h:511 [inline] ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116 __ip6_finish_output net/ipv6/ip6_output.c:142 [inline] __ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127 ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175 dst_output include/net/dst.h:436 [inline] ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179 ip6_send_skb+0x53/0x110 net/ipv6/ip6_output.c:1795 udp_v6_send_skb.isra.0+0x3ec/0xa70 net/ipv6/udp.c:1173 udpv6_sendmsg+0x1906/0x1c20 net/ipv6/udp.c:1471 inet6_sendmsg+0x6d/0x90 net/ipv6/af_inet6.c:576 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0x9f/0xc0 net/socket.c:657 ___sys_sendmsg+0x2b7/0x5d0 net/socket.c:2311 __sys_sendmmsg+0x123/0x350 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0x64/0x80 net/socket.c:2439 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 18922 Comm: syz-executor.3 Not tainted 5.4.0-rc6+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 3b3a5b0aab5b ("packet: rollover huge flows before small flows") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>	2020-01-27 14:46:51 +01:00
Willem de Bruijn	dd1ce3f27b	packet: in recvmsg msg_name return at least sizeof sockaddr_ll ... [ Upstream commit b2cf86e1563e33a14a1c69b3e508d15dc12f804c ] Packet send checks that msg_name is at least sizeof sockaddr_ll. Packet recv must return at least this length, so that its output can be passed unmodified to packet send. This ceased to be true since adding support for lladdr longer than sll_addr. Since, the return value uses true address length. Always return at least sizeof sockaddr_ll, even if address length is shorter. Zero the padding bytes. Change v1->v2: do not overwrite zeroed padding again. use copy_len. Fixes: 0fb375fb9b93 ("[AF_PACKET]: Allow for > 8 byte hardware addresses.") Suggested-by: David Laight <David.Laight@aculab.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>	2020-01-27 14:46:31 +01:00
Mao Wenan	665c9af898	af_packet: set defaule value for tmo ... [ Upstream commit b43d1f9f7067c6759b1051e8ecb84e82cef569fe ] There is softlockup when using TPACKET_V3: ... NMI watchdog: BUG: soft lockup - CPU#2 stuck for 60010ms! (__irq_svc) from [<c0558a0c>] (_raw_spin_unlock_irqrestore+0x44/0x54) (_raw_spin_unlock_irqrestore) from [<c027b7e8>] (mod_timer+0x210/0x25c) (mod_timer) from [<c0549c30>] (prb_retire_rx_blk_timer_expired+0x68/0x11c) (prb_retire_rx_blk_timer_expired) from [<c027a7ac>] (call_timer_fn+0x90/0x17c) (call_timer_fn) from [<c027ab6c>] (run_timer_softirq+0x2d4/0x2fc) (run_timer_softirq) from [<c021eaf4>] (__do_softirq+0x218/0x318) (__do_softirq) from [<c021eea0>] (irq_exit+0x88/0xac) (irq_exit) from [<c0240130>] (msa_irq_exit+0x11c/0x1d4) (msa_irq_exit) from [<c0209cf0>] (handle_IPI+0x650/0x7f4) (handle_IPI) from [<c02015bc>] (gic_handle_irq+0x108/0x118) (gic_handle_irq) from [<c0558ee4>] (__irq_usr+0x44/0x5c) ... If __ethtool_get_link_ksettings() is failed in prb_calc_retire_blk_tmo(), msec and tmo will be zero, so tov_in_jiffies is zero and the timer expire for retire_blk_timer is turn to mod_timer(&pkc->retire_blk_timer, jiffies + 0), which will trigger cpu usage of softirq is 100%. Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") Tested-by: Xiao Jiangfeng <xiaojiangfeng@huawei.com> Signed-off-by: Mao Wenan <maowenan@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-12-31 12:36:38 +01:00
Blagovest Kolenichev	8b902c6d60	Merge android-4.14-q.140 (2f8eadd) into msm-4.14 ... * refs/heads/tmp-2f8eadd: Linux 4.14.140 xfrm: policy: remove pcpu policy cache mmc: sdhci-of-arasan: Do now show error message in case of deffered probe bonding: Add vlan tx offload to hw_enc_features team: Add vlan tx offload to hw_enc_features net/mlx5e: Use flow keys dissector to parse packets for ARFS net/mlx5e: Only support tx/rx pause setting for port owner xen/netback: Reset nr_frags before freeing skb sctp: fix the transport error_count check net/packet: fix race in tpacket_snd() net/mlx4_en: fix a memory leak bug bnx2x: Fix VF's VLAN reconfiguration in reload. iommu/amd: Move iommu_init_pci() to .init section Input: psmouse - fix build error of multiple definition netfilter: conntrack: Use consistent ct id hash calculation arm64: ftrace: Ensure module ftrace trampoline is coherent with I-side arm64: compat: Allow single-byte watchpoints on all addresses Revert "tcp: Clear sk_send_head after purging the write queue" bpf: fix bpf_jit_limit knob for PAGE_SIZE >= 64K USB: serial: option: Add Motorola modem UARTs USB: serial: option: add the BroadMobi BM818 card USB: serial: option: Add support for ZTE MF871A USB: serial: option: add D-Link DWM-222 device ID USB: CDC: fix sanity checks in CDC union parser usb: cdc-acm: make sure a refcount is taken early enough usb: gadget: udc: renesas_usb3: Fix sysfs interface of "role" USB: core: Fix races in character device registration and deregistraion iio: adc: max9611: Fix temperature reading in probe staging: comedi: dt3000: Fix rounding up of timer divisor staging: comedi: dt3000: Fix signed integer overflow 'divider * base' KVM: arm/arm64: Sync ICH_VMCR_EL2 back when about to block asm-generic: fix -Wtype-limits compiler warnings ocfs2: remove set but not used variable 'last_hash' drm: msm: Fix add_gpu_components IB/mad: Fix use-after-free in ib mad completion handling IB/core: Add mitigation for Spectre V1 arm64/mm: fix variable 'pud' set but not used arm64: unwind: Prohibit probing on return_address() arm64/efi: fix variable 'si' set but not used kbuild: modpost: handle KBUILD_EXTRA_SYMBOLS only for external modules ata: libahci: do not complain in case of deferred probe scsi: qla2xxx: Fix possible fcport null-pointer dereferences scsi: hpsa: correct scsi command status issue after reset drm/bridge: lvds-encoder: Fix build error while CONFIG_DRM_KMS_HELPER=m libata: zpodd: Fix small read overflow in zpodd_get_mech_type() perf header: Fix use of unitialized value warning perf header: Fix divide by zero error if f_header.attr_size==0 irqchip/irq-imx-gpcv2: Forward irq type to parent irqchip/gic-v3-its: Free unused vpt_page when alloc vpe table fail xen/pciback: remove set but not used variable 'old_state' clk: renesas: cpg-mssr: Fix reset control race condition clk: at91: generated: Truncate divisor to GENERATED_MAX_DIV + 1 netfilter: ebtables: also count base chain policies net: usb: pegasus: fix improper read if get_registers() fail Input: iforce - add sanity checks Input: kbtab - sanity check for endpoint type HID: hiddev: do cleanup in failure of opening a device HID: hiddev: avoid opening a disconnected device HID: holtek: test for sanity of intfdata ALSA: hda - Let all conexant codec enter D3 when rebooting ALSA: hda - Add a generic reboot_notify ALSA: hda - Fix a memory leak bug ALSA: hda - Apply workaround for another AMD chip 1022:1487 xtensa: add missing isync to the cpu_reset TLB code x86/mm: Use WRITE_ONCE() when setting PTEs bpf: add bpf_jit_limit knob to restrict unpriv allocations bpf: restrict access to core bpf sysctls bpf: get rid of pure_initcall dependency to enable jits mm/memcontrol.c: fix use after free in mem_cgroup_iter() mm/usercopy: use memory range to be accessed for wraparound check sh: kernel: hw_breakpoint: Fix missing break in switch statement scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA Change-Id: I6365fb1dd47655e268bbd361acf0ad5e7ff9d433 Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>	2019-08-29 08:22:52 -07:00
Eric Dumazet	5ac73816dd	net/packet: fix race in tpacket_snd() ... [ Upstream commit 32d3182cd2cd29b2e7e04df7b0db350fbe11289f ] packet_sendmsg() checks tx_ring.pg_vec to decide if it must call tpacket_snd(). Problem is that the check is lockless, meaning another thread can issue a concurrent setsockopt(PACKET_TX_RING ) to flip tx_ring.pg_vec back to NULL. Given that tpacket_snd() grabs pg_vec_lock mutex, we can perform the check again to solve the race. syzbot reported : kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 11429 Comm: syz-executor394 Not tainted 5.3.0-rc4+ #101 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:packet_lookup_frame+0x8d/0x270 net/packet/af_packet.c:474 Code: c1 ee 03 f7 73 0c 80 3c 0e 00 0f 85 cb 01 00 00 48 8b 0b 89 c0 4c 8d 24 c1 48 b8 00 00 00 00 00 fc ff df 4c 89 e1 48 c1 e9 03 <80> 3c 01 00 0f 85 94 01 00 00 48 8d 7b 10 4d 8b 3c 24 48 b8 00 00 RSP: 0018:ffff88809f82f7b8 EFLAGS: 00010246 RAX: dffffc0000000000 RBX: ffff8880a45c7030 RCX: 0000000000000000 RDX: 0000000000000000 RSI: 1ffff110148b8e06 RDI: ffff8880a45c703c RBP: ffff88809f82f7e8 R08: ffff888087aea200 R09: fffffbfff134ae50 R10: fffffbfff134ae4f R11: ffffffff89a5727f R12: 0000000000000000 R13: 0000000000000001 R14: ffff8880a45c6ac0 R15: 0000000000000000 FS: 00007fa04716f700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fa04716edb8 CR3: 0000000091eb4000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: packet_current_frame net/packet/af_packet.c:487 [inline] tpacket_snd net/packet/af_packet.c:2667 [inline] packet_sendmsg+0x590/0x6250 net/packet/af_packet.c:2975 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:657 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-08-25 10:50:26 +02:00
Blagovest Kolenichev	dbc4aced9e	Merge android-4.14.132 (0dcd8eb) into msm-4.14 ... * refs/heads/tmp-0dcd8eb: Linux 4.14.132 arm64: insn: Fix ldadd instruction encoding tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb futex: Update comments and docs about return values of arch futex code bpf, arm64: use more scalable stadd over ldxr / stxr loop in xadd arm64: futex: Avoid copying out uninitialised stack in failed cmpxchg() bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro bonding: Always enable vlan tx offload team: Always enable vlan tx offload tun: wake up waitqueues after IFF_UP is set tipc: check msg->req data len in tipc_nl_compat_bearer_disable tipc: change to use register_pernet_device sctp: change to hold sk after auth shkey is created successfully net: stmmac: fixed new system time seconds value calculation net: remove duplicate fetch in sock_getsockopt net/packet: fix memory leak in packet_set_ring() ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET eeprom: at24: fix unexpected timeout under high load cpu/speculation: Warn on unsupported mitigations= parameter NFS/flexfiles: Use the correct TCP timeout for flexfiles I/O x86/microcode: Fix the microcode load on CPU hotplug for real x86/speculation: Allow guests to use SSBD even if host does not scsi: vmw_pscsi: Fix use-after-free in pvscsi_queue_lck() dm log writes: make sure super sector log updates are written in order mm/page_idle.c: fix oops because end_pfn is larger than max_pfn fs/binfmt_flat.c: make load_flat_shared_library() work mm/mempolicy.c: fix an incorrect rebind node in mpol_rebind_nodemask fs/proc/array.c: allow reporting eip/esp for all coredumping threads Revert "compiler.h: update definition of unreachable()" qmi_wwan: Fix out-of-bounds read net/9p: include trans_common.h to fix missing prototype warning. 9p: p9dirent_read: check network-provided name length 9p/rdma: remove useless check in cm_event_handler 9p: acl: fix uninitialized iattr access 9p/rdma: do not disconnect on down_interruptible EAGAIN 9p/xen: fix check for xenbus_read error in front_probe block: bio_iov_iter_get_pages: pin more pages for multi-segment IOs block: add a lower-level bio_add_page interface IB/hfi1: Close PSM sdma_progress sleep window Revert "x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP" perf header: Fix unchecked usage of strncpy() perf help: Remove needless use of strncpy() perf ui helpline: Use strlcpy() as a shorter form of strncpy() + explicit set nul Change-Id: I253fc7ffebfad129b8c2165dd2d5aa5af221fd4b Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>	2019-07-23 11:01:07 -07:00
Blagovest Kolenichev	05efa6b764	Merge android-4.14.120 (eeb46d8) into msm-4.14 ... * refs/heads/tmp-eeb46d8: Linux 4.14.120 s390/speculation: Fix build error caused by bad backport powerpc/booke64: set RI in default MSR powerpc/powernv/idle: Restore IAMR after idle drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl tipc: fix hanging clients using poll with EPOLLOUT flag vrf: sit mtu should not be updated when vrf netdev is the link vlan: disable SIOCSHWTSTAMP in container packet: Fix error path in packet_init net: ucc_geth - fix Oops when changing number of buffers in the ring net: seeq: fix crash caused by not set dev.parent net: ethernet: stmmac: dwmac-sun8i: enable support of unicast filtering net: dsa: Fix error cleanup path in dsa_init_module ipv4: Fix raw socket lookup for local traffic fib_rules: return 0 directly if an exactly same rule exists when NLM_F_EXCL not supplied dpaa_eth: fix SG frame cleanup bridge: Fix error path for kobject_init_and_add() bonding: fix arp_validate toggling in active-backup mode powerpc/64s: Include cpu header Don't jump to compute_result state from check_result state rtlwifi: rtl8723ae: Fix missing break in switch statement mwl8k: Fix rate_idx underflow cw1200: fix missing unlock on error in cw1200_hw_scan() x86/kprobes: Avoid kretprobe recursion bug nfc: nci: Potential off by one in ->pipes[] array NFC: nci: Add some bounds checking in nci_hci_cmd_received() mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw workqueue mlxsw: core: Do not use WQ_MEM_RECLAIM for mlxsw ordered workqueue mlxsw: core: Do not use WQ_MEM_RECLAIM for EMAD workqueue mlxsw: spectrum_switchdev: Add MDB entries in prepare phase net: fec: manage ahb clock in runtime pm mm/memory.c: fix modifying of page protection by insert_pfn() net: hns: Fix WARNING when hns modules installed x86/fpu: Don't export __kernel_fpu_{begin,end}() cifs: fix memory leak in SMB2_read drm/rockchip: fix for mailbox read validation. netfilter: nf_tables: warn when expr implements only one of activate/deactivate Input: elan_i2c - add hardware ID for multiple Lenovo laptops ACPICA: Namespace: remove address node from global list after method termination gtp: change NET_UDP_TUNNEL dependency to select net_sched: fix two more memory leaks in cls_tcindex xtensa: xtfpga.dtsi: fix dtc warnings about SPI devres: Align data[] to ARCH_KMALLOC_MINALIGN vt: always call notifier with the console lock held arm64: dts: marvell: armada-ap806: reserve PSCI area RDMA/vmw_pvrdma: Return the correct opcode when creating WR drm/rockchip: psr: do not dereference encoder before it is null checked. leds: pwm: silently error out on EPROBE_DEFER powerpc: remove old GCC version checks arm64: KVM: Make VHE Stage-2 TLB invalidation operations non-interruptible mm: introduce mm_[p4d|pud|pmd]_folded x86/vdso: Pass --eh-frame-hdr to the linker Btrfs: fix missing delayed iputs on unmount net: stmmac: Move debugfs init/exit to ->probe()/->remove() staging: olpc_dcon: add a missing dependency scsi: raid_attrs: fix unused variable warning drm/i915: Downgrade Gen9 Plane WM latency error tracing/fgraph: Fix set_graph_function from showing interrupts net: don't keep lonely packets forever in the gro hash media: ov5640: fix auto controls values when switching to manual mode media: ov5640: fix wrong binning value in exposure calculation drm/i915: Disable LP3 watermarks on all SNB machines fuse: fix possibly missed wake-up after abort media: adv7842: when the EDID is cleared, unconfigure CEC as well media: adv7604: when the EDID is cleared, unconfigure CEC as well media: cec: integrate cec_validate_phys_addr() in cec-api.c media: cec: make cec_get_edid_spa_location() an inline function KVM: arm/arm64: Ensure only THP is candidate for adjustment ima: open a new file instance if no read permissions IB/rxe: Revise the ib_wr_opcode enum ACPICA: AML interpreter: add region addresses in global list during initialization bcache: correct dirty data statistics MIPS: VDSO: Reduce VDSO_RANDOMIZE_SIZE to 64MB for 64bit sparc64: Make corrupted user stacks more debuggable. sparc64: Export __node_distance. Input: synaptics-rmi4 - fix possible double free spi: ST ST95HF NFC: declare missing of table spi: Micrel eth switch: declare missing of table drm/imx: don't skip DP channel disable for background plane gpu: ipu-v3: dp: fix CSC handling selftests/net: correct the return value for run_netsocktests drm/sun4i: Set device driver data at bind time for use in unbind s390: ctcm: fix ctcm_new_device error return code MIPS: perf: ath79: Fix perfcount IRQ assignment netfilter: ctnetlink: don't use conntrack/expect object addresses as id ipvs: do not schedule icmp errors from tunnels selftests: netfilter: check icmp pkttoobig errors are set as related init: initialize jump labels before command line option parsing mm: fix inactive list balancing between NUMA nodes and cgroups tools lib traceevent: Fix missing equality check for strcmp KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing KVM: fix spectrev1 gadgets x86/reboot, efi: Use EFI reboot for Acer TravelMate X514-51T s390/pkey: add one more argument space for debug feature entry mISDN: Check address length before reading address family clocksource/drivers/oxnas: Fix OX820 compatible s390/3270: fix lockdep false positive on view->lock nl80211: Add NL80211_FLAG_CLEAR_SKB flag for other NL commands mac80211: fix memory accounting with A-MSDU aggregation mac80211: Increase MAX_MSG_LEN mac80211: fix unaligned access in mesh table hash function s390/dasd: Fix capacity calculation for large volumes libnvdimm/btt: Fix a kmemdup failure check HID: input: add mapping for "Toggle Display" key HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys HID: input: add mapping for Expose/Overview key libnvdimm/namespace: Fix a potential NULL pointer dereference iio: adc: xilinx: fix potential use-after-free on remove USB: serial: fix unthrottle races kernfs: fix barrier usage in __kernfs_new_node() hwmon: (pwm-fan) Disable PWM if fetching cooling data fails platform/x86: thinkpad_acpi: Disable Bluetooth for some machines platform/x86: sony-laptop: Fix unintentional fall-through netfilter: compat: initialize all fields in xt_init ANDROID: cuttlefish_defconfig: Disable DEVTMPFS ANDROID: Move from clang r349610 to r353983c. f2fs: fix to avoid accessing xattr across the boundary f2fs: fix to avoid potential race on sbi->unusable_block_count access/update f2fs: add tracepoint for f2fs_filemap_fault() f2fs: introduce DATA_GENERIC_ENHANCE f2fs: fix to handle error in f2fs_disable_checkpoint() f2fs: remove redundant check in f2fs_file_write_iter() f2fs: fix to be aware of readonly device in write_checkpoint() f2fs: fix to skip recovery on readonly device f2fs: fix to consider multiple device for readonly check f2fs: relocate chksum_offset for large_nat_bitmap feature f2fs: allow unfixed f2fs_checkpoint.checksum_offset f2fs: Replace spaces with tab f2fs: insert space before the open parenthesis '(' f2fs: allow address pointer number of dnode aligning to specified size f2fs: introduce f2fs_read_single_page() for cleanup f2fs: mark is_extension_exist() inline f2fs: fix to set FI_UPDATE_WRITE correctly f2fs: fix to avoid panic in f2fs_inplace_write_data() f2fs: fix to do sanity check on valid block count of segment f2fs: fix to do sanity check on valid node/block count f2fs: fix to avoid panic in do_recover_data() f2fs: fix to do sanity check on free nid f2fs: fix to do checksum even if inode page is uptodate f2fs: fix to avoid panic in f2fs_remove_inode_page() f2fs: fix to clear dirty inode in error path of f2fs_iget() f2fs: remove new blank line of f2fs kernel message f2fs: fix wrong __is_meta_io() macro f2fs: fix to avoid panic in dec_valid_node_count() f2fs: fix to avoid panic in dec_valid_block_count() f2fs: fix to use inline space only if inline_xattr is enable f2fs: fix to retrieve inline xattr space f2fs: fix error path of recovery f2fs: fix to avoid deadloop in foreground GC f2fs: data: fix warning Using plain integer as NULL pointer f2fs: add tracepoint for f2fs_file_write_iter() f2fs: add comment for conditional compilation statement f2fs: fix potential recursive call when enabling data_flush f2fs: improve discard handling with multi-device volumes f2fs: Reduce zoned block device memory usage f2fs: Fix use of number of devices Conflicts: fs/f2fs/data.c mm/vmscan.c Change-Id: If6ce28cd56119ea6094c556ff4bc1aedfb24378c Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>	2019-07-23 10:59:55 -07:00
Eric Dumazet	dc948de356	net/packet: fix memory leak in packet_set_ring() ... [ Upstream commit 55655e3d1197fff16a7a05088fb0e5eba50eac55 ] syzbot found we can leak memory in packet_set_ring(), if user application provides buggy parameters. Fixes: 7f953ab2ba46 ("af_packet: TX_RING support for TPACKET_V3") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-07-03 13:16:01 +02:00
Neil Horman	fe1ca8b85d	af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET ... [ Upstream commit 89ed5b519004a7706f50b70f611edbd3aaacff2c ] When an application is run that: a) Sets its scheduler to be SCHED_FIFO and b) Opens a memory mapped AF_PACKET socket, and sends frames with the MSG_DONTWAIT flag cleared, its possible for the application to hang forever in the kernel. This occurs because when waiting, the code in tpacket_snd calls schedule, which under normal circumstances allows other tasks to run, including ksoftirqd, which in some cases is responsible for freeing the transmitted skb (which in AF_PACKET calls a destructor that flips the status bit of the transmitted frame back to available, allowing the transmitting task to complete). However, when the calling application is SCHED_FIFO, its priority is such that the schedule call immediately places the task back on the cpu, preventing ksoftirqd from freeing the skb, which in turn prevents the transmitting task from detecting that the transmission is complete. We can fix this by converting the schedule call to a completion mechanism. By using a completion queue, we force the calling task, when it detects there are no more frames to send, to schedule itself off the cpu until such time as the last transmitted skb is freed, allowing forward progress to be made. Tested by myself and the reporter, with good results Change Notes: V1->V2: Enhance the sleep logic to support being interruptible and allowing for honoring to SK_SNDTIMEO (Willem de Bruijn) V2->V3: Rearrage the point at which we wait for the completion queue, to avoid needing to check for ph/skb being null at the end of the loop. Also move the complete call to the skb destructor to avoid needing to modify __packet_set_status. Also gate calling complete on packet_read_pending returning zero to avoid multiple calls to complete. (Willem de Bruijn) Move timeo computation within loop, to re-fetch the socket timeout since we also use the timeo variable to record the return code from the wait_for_complete call (Neil Horman) V3->V4: Willem has requested that the control flow be restored to the previous state. Doing so lets us eliminate the need for the po->wait_on_complete flag variable, and lets us get rid of the packet_next_frame function, but introduces another complexity. Specifically, but using the packet pending count, we can, if an applications calls sendmsg multiple times with MSG_DONTWAIT set, each set of transmitted frames, when complete, will cause tpacket_destruct_skb to issue a complete call, for which there will never be a wait_on_completion call. This imbalance will lead to any future call to wait_for_completion here to return early, when the frames they sent may not have completed. To correct this, we need to re-init the completion queue on every call to tpacket_snd before we enter the loop so as to ensure we wait properly for the frames we send in this iteration. Change the timeout and interrupted gotos to out_put rather than out_status so that we don't try to free a non-existant skb Clean up some extra newlines (Willem de Bruijn) Reviewed-by: Willem de Bruijn <willemb@google.com> Signed-off-by: Neil Horman <nhorman@tuxdriver.com> Reported-by: Matteo Croce <mcroce@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-07-03 13:16:01 +02:00
Blagovest Kolenichev	c80c23744e	Merge android-4.14.117 (74196c0) into msm-4.14 ... * refs/heads/tmp-74196c0: Linux 4.14.117 mm/kmemleak.c: fix unused-function warning media: v4l2: i2c: ov7670: Fix PLL bypass register values i2c: i2c-stm32f7: Fix SDADEL minimum formula clk: x86: Add system specific quirk to mark clocks as critical x86/mce: Improve error message when kernel cannot recover, p2 powerpc/mm/hash: Handle mmap_min_addr correctly in get_unmapped_area topdown search selinux: never allow relabeling on context mounts Input: stmfts - acknowledge that setting brightness is a blocking call Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ IB/core: Destroy QP if XRC QP fails IB/core: Fix potential memory leak while creating MAD agents IB/core: Unregister notifier before freeing MAD security ASoC: stm32: fix sai driver name initialisation scsi: RDMA/srpt: Fix a credit leak for aborted commands staging: iio: adt7316: fix the dac write calculation staging: iio: adt7316: fix the dac read calculation staging: iio: adt7316: allow adt751x to use internal vref for all dacs Bluetooth: btusb: request wake pin with NOAUTOEN perf/x86/amd: Update generic hardware cache events for Family 17h ARM: iop: don't use using 64-bit DMA masks ARM: orion: don't use using 64-bit DMA masks xsysace: Fix error handling in ace_setup sh: fix multiple function definition build errors hugetlbfs: fix memory leak for resv_map kmemleak: powerpc: skip scanning holes in the .bss section net: hns: Fix WARNING when remove HNS driver with SMMU enabled net: hns: fix ICMP6 neighbor solicitation messages discard problem net: hns: Fix probabilistic memory overwrite when HNS driver initialized net: hns: Use NAPI_POLL_WEIGHT for hns driver net: hns: fix KASAN: use-after-free in hns_nic_net_xmit_hw() scsi: storvsc: Fix calculation of sub-channel count scsi: core: add new RDAC LENOVO/DE_Series device vfio/pci: use correct format characters HID: input: add mapping for Assistant key rtc: da9063: set uie_unsupported when relevant debugfs: fix use-after-free on symlink traversal jffs2: fix use-after-free on symlink traversal net: stmmac: don't log oversized frames net: stmmac: fix dropping of multi-descriptor RX frames net: stmmac: don't overwrite discard_frame status net: stmmac: ratelimit RX error logs bonding: show full hw address in sysfs for slave entries net/mlx5: E-Switch, Fix esw manager vport indication for more vport commands igb: Fix WARN_ONCE on runtime suspend ARM: dts: rockchip: Fix gpu opp node names for rk3288 batman-adv: Reduce tt_global hash refcnt only for removed entry batman-adv: Reduce tt_local hash refcnt only for removed entry batman-adv: Reduce claim hash refcnt only for removed entry rtc: sh: Fix invalid alarm warning for non-enabled alarm HID: debug: fix race condition with between rdesc_show() and device removal HID: logitech: check the return value of create_singlethread_workqueue nvme-loop: init nvmet_ctrl fatal_err_work when allocate mm: do not stall register_shrinker() USB: core: Fix bug caused by duplicate interface PM usage counter USB: core: Fix unterminated string returned by usb_string() usb: usbip: fix isoc packet num validation in get_pipe USB: w1 ds2490: Fix bug caused by improper use of altsetting array USB: yurex: Fix protection fault after device removal ALSA: hda/realtek - Fixed Dell AIO speaker noise ALSA: hda/realtek - Add new Dell platform for headset mode caif: reduce stack size with KASAN arm64: only advance singlestep for user instruction traps arm64: Fix single stepping in kernel traps kasan: prevent compiler from optimizing away memset in tests kasan: remove redundant initialization of variable 'real_size' net: dsa: bcm_sf2: fix buffer overflow doing set_rxnfc net: phy: marvell: Fix buffer overrun with stats counters rxrpc: Fix net namespace cleanup bnxt_en: Free short FW command HWRM memory in error path in bnxt_init_one() bnxt_en: Improve multicast address setup logic. packet: validate msg_namelen in send directly sctp: avoid running the sctp state machine recursively ipv6: invert flowlabel sharing check in process and user mode ipv6/flowlabel: wait rcu grace period before put_pid() ipv4: ip_do_fragment: Preserve skb_iif during fragmentation ALSA: line6: use dynamic buffers ANDROID: cuttlefish 4.14: enable CONFIG_CRYPTO_AES_NI_INTEL=y Conflicts: mm/vmscan.c Change-Id: I4b418c58280c5fd14cc329aef602b09f235ad99a Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>	2019-06-25 03:08:14 -07:00
YueHaibing	078b5592a3	packet: Fix error path in packet_init ... [ Upstream commit 36096f2f4fa05f7678bc87397665491700bae757 ] kernel BUG at lib/list_debug.c:47! invalid opcode: 0000 [#1 CPU: 0 PID: 12914 Comm: rmmod Tainted: G W 5.1.0+ #47 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 RIP: 0010:__list_del_entry_valid+0x53/0x90 Code: 48 8b 32 48 39 fe 75 35 48 8b 50 08 48 39 f2 75 40 b8 01 00 00 00 5d c3 48 89 fe 48 89 c2 48 c7 c7 18 75 fe 82 e8 cb 34 78 ff <0f> 0b 48 89 fe 48 c7 c7 50 75 fe 82 e8 ba 34 78 ff 0f 0b 48 89 f2 RSP: 0018:ffffc90001c2fe40 EFLAGS: 00010286 RAX: 000000000000004e RBX: ffffffffa0184000 RCX: 0000000000000000 RDX: 0000000000000000 RSI: ffff888237a17788 RDI: 00000000ffffffff RBP: ffffc90001c2fe40 R08: 0000000000000000 R09: 0000000000000000 R10: ffffc90001c2fe10 R11: 0000000000000000 R12: 0000000000000000 R13: ffffc90001c2fe50 R14: ffffffffa0184000 R15: 0000000000000000 FS: 00007f3d83634540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000555c350ea818 CR3: 0000000231677000 CR4: 00000000000006f0 Call Trace: unregister_pernet_operations+0x34/0x120 unregister_pernet_subsys+0x1c/0x30 packet_exit+0x1c/0x369 [af_packet __x64_sys_delete_module+0x156/0x260 ? lockdep_hardirqs_on+0x133/0x1b0 ? do_syscall_64+0x12/0x1f0 do_syscall_64+0x6e/0x1f0 entry_SYSCALL_64_after_hwframe+0x49/0xbe When modprobe af_packet, register_pernet_subsys fails and does a cleanup, ops->list is set to LIST_POISON1, but the module init is considered to success, then while rmmod it, BUG() is triggered in __list_del_entry_valid which is called from unregister_pernet_subsys. This patch fix error handing path in packet_init to avoid possilbe issue if some error occur. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: YueHaibing <yuehaibing@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-05-16 19:42:34 +02:00
Blagovest Kolenichev	b97245abcb	Merge android-4.14.110 (588c629) into msm-4.14 ... * refs/heads/tmp-588c629: Linux 4.14.110 vfio: ccw: only free cp on final interrupt Revert "USB: core: only clean up what we allocated" KVM: x86: Emulate MSR_IA32_ARCH_CAPABILITIES on AMD hosts KVM: Reject device ioctls from processes other than the VM's creator x86/smp: Enforce CONFIG_HOTPLUG_CPU when SMP=y cpu/hotplug: Prevent crash when CPU bringup fails on CONFIG_HOTPLUG_CPU=n perf intel-pt: Fix TSC slip mm/migrate.c: add missing flush_dcache_page for non-mapped page migrate usb: cdc-acm: fix race during wakeup blocking TX traffic xhci: Fix port resume done detection for SS ports with LPM enabled usb: host: xhci-rcar: Add XHCI_TRUST_TX_LENGTH quirk usb: common: Consider only available nodes for dr_mode USB: gadget: f_hid: fix deadlock in f_hidg_write() usb: mtu3: fix EXTCON dependency phy: sun4i-usb: Support set_mode to USB_HOST for non-OTG PHYs gpio: adnp: Fix testing wrong value in adnp_gpio_direction_input gpio: exar: add a check for the return value of ida_simple_get fails drm/vgem: fix use-after-free when drm_gem_handle_create() fails fs/proc/proc_sysctl.c: fix NULL pointer dereference in put_links Disable kgdboc failed by echo space to /sys/module/kgdboc/parameters/kgdboc USB: serial: option: add Olicard 600 USB: serial: option: add support for Quectel EM12 USB: serial: option: set driver_info for SIM5218 and compatibles USB: serial: mos7720: fix mos_parport refcount imbalance on error path USB: serial: ftdi_sio: add additional NovaTech products USB: serial: cp210x: add new device id serial: sh-sci: Fix setting SCSCR_TIE while transferring data serial: max310x: Fix to avoid potential NULL pointer dereference staging: vt6655: Fix interrupt race condition on device start up. staging: vt6655: Remove vif check from vnt_interrupt staging: comedi: ni_mio_common: Fix divide-by-zero for DIO cmdtest tty: atmel_serial: fix a potential NULL pointer dereference scsi: zfcp: fix scsi_eh host reset with port_forced ERP for non-NPIV FCP devices scsi: zfcp: fix rport unblock if deleted SCSI devices on Scsi_Host scsi: sd: Quiesce warning if device does not report optimal I/O size scsi: sd: Fix a race between closing an sd device and sd I/O ocfs2: fix inode bh swapping mixup in ocfs2_reflink_inodes_lock fs/open.c: allow opening only regular files during execve() kbuild: modversions: Fix relative CRC byte order interpretation ALSA: hda/realtek - Add support headset mode for New DELL WYSE NB ALSA: hda/realtek - Add support headset mode for DELL WYSE AIO ALSA: pcm: Don't suspend stream in unrecoverable PCM state ALSA: pcm: Fix possible OOB access in PCM oss plugins ALSA: seq: oss: Fix Spectre v1 vulnerability ALSA: rawmidi: Fix potential Spectre v1 vulnerability net: dsa: qca8k: remove leftover phy accessors NFSv4.1 don't free interrupted slot on open powerpc: bpf: Fix generation of load/store DW instructions ARM: imx6q: cpuidle: fix bug that CPU might not wake up at expected time btrfs: raid56: properly unmap parity page in finish_parity_scrub() btrfs: remove WARN_ON in log_dir_items Btrfs: fix incorrect file size after shrinking truncate and fsync powerpc/security: Fix spectre_v2 reporting powerpc/fsl: Fix the flush of branch predictor. powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup' powerpc/fsl: Update Spectre v2 reporting powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used powerpc/fsl: Flush branch predictor when entering KVM powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit) powerpc/fsl: Flush the branch predictor at each kernel entry (64bit) powerpc/fsl: Add nospectre_v2 command line argument powerpc/fsl: Emulate SPRN_BUCSR register powerpc/fsl: Fix spectre_v2 mitigations reporting powerpc/fsl: Add macro to flush the branch predictor powerpc/fsl: Add infrastructure to fixup branch predictor flush powerpc/powernv: Query firmware for count cache flush settings powerpc/pseries: Query hypervisor for count cache flush settings powerpc/64s: Add support for software count cache flush powerpc/64s: Add new security feature flags for count cache flush powerpc/asm: Add a patch_site macro & helpers for patching instructions powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms powerpc/fsl: Add barrier_nospec implementation for NXP PowerPC Book3E powerpc/64: Make meltdown reporting Book3S 64 specific powerpc/64: Call setup_barrier_nospec() from setup_arch() powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC powerpc/64: Make stf barrier PPC_BOOK3S_64 specific. powerpc/64: Disable the speculation barrier from the command line powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2 powerpc/64s: Enhance the information in cpu_show_spectre_v1() powerpc/64: Use barrier_nospec in syscall entry powerpc: Use barrier_nospec in copy_from_user() powerpc/64s: Enable barrier_nospec based on firmware settings powerpc/64s: Patch barrier_nospec in modules powerpc/64s: Add support for ori barrier_nospec patching tun: add a missing rcu_read_unlock() in error path tun: properly test for IFF_UP mac8390: Fix mmio access size probe net: aquantia: fix rx checksum offload for UDP/TCP over IPv6 sctp: get sctphdr by offset in sctp_compute_cksum vxlan: Don't call gro_cells_destroy() before device is unregistered thunderx: eliminate extra calls to put_page() for pages held for recycling thunderx: enable page recycling for non-XDP case tcp: do not use ipv6 header for ipv4 flow rhashtable: Still do rehash when we get EEXIST packets: Always register packet sk in the same order net-sysfs: call dev_hold if kobject_init_and_add success net: stmmac: fix memory corruption with large MTUs net: rose: fix a possible stack overflow net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec net: datagram: fix unbounded loop in __skb_try_recv_datagram() mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S genetlink: Fix a memory leak on error path dccp: do not use ipv6 header for ipv4 flow stmmac: copy unicast mac address to MAC registers video: fbdev: Set pixclock = 0 in goldfishfb Bluetooth: Verify that l2cap_get_conf_opt provides large enough buffer Bluetooth: Check L2CAP option sizes returned from l2cap_get_conf_opt ANDROID: revert the rest of ANDROID_PARANOID_NETWORK UPSTREAM: virt_wifi: Remove REGULATORY_WIPHY_SELF_MANAGED Change-Id: I70fd703c71d37e8d6055c39abcf5cf03c4c448ee Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>	2019-05-15 07:46:12 -07:00
Willem de Bruijn	538d6cdb9f	packet: validate msg_namelen in send directly ... [ Upstream commit 486efdc8f6ce802b27e15921d2353cc740c55451 ] Packet sockets in datagram mode take a destination address. Verify its length before passing to dev_hard_header. Prior to 2.6.14-rc3, the send code ignored sll_halen. This is established behavior. Directly compare msg_namelen to dev->addr_len. Change v1->v2: initialize addr in all paths Fixes: 6b8d95f1795c4 ("packet: validate address length if non-zero") Suggested-by: David Laight <David.Laight@aculab.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-05-08 07:20:44 +02:00
Maxime Chevallier	68979f5ecc	packets: Always register packet sk in the same order ... [ Upstream commit a4dc6a49156b1f8d6e17251ffda17c9e6a5db78a ] When using fanouts with AF_PACKET, the demux functions such as fanout_demux_cpu will return an index in the fanout socket array, which corresponds to the selected socket. The ordering of this array depends on the order the sockets were added to a given fanout group, so for FANOUT_CPU this means sockets are bound to cpus in the order they are configured, which is OK. However, when stopping then restarting the interface these sockets are bound to, the sockets are reassigned to the fanout group in the reverse order, due to the fact that they were inserted at the head of the interface's AF_PACKET socket list. This means that traffic that was directed to the first socket in the fanout group is now directed to the last one after an interface restart. In the case of FANOUT_CPU, traffic from CPU0 will be directed to the socket that used to receive traffic from the last CPU after an interface restart. This commit introduces a helper to add a socket at the tail of a list, then uses it to register AF_PACKET sockets. Note that this changes the order in which sockets are listed in /proc and with sock_diag. Fixes: dc99f600698d ("packet: Add fanout support") Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com> Acked-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-04-03 06:25:09 +02:00
Christoph Paasch	1a3acbd6ad	net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec ... [ Upstream commit 398f0132c14754fcd03c1c4f8e7176d001ce8ea1 ] Since commit fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check") one can now allocate packet ring buffers >= UINT_MAX. However, syzkaller found that that triggers a warning: [ 21.100000] WARNING: CPU: 2 PID: 2075 at mm/page_alloc.c:4584 __alloc_pages_nod0 [ 21.101490] Modules linked in: [ 21.101921] CPU: 2 PID: 2075 Comm: syz-executor.0 Not tainted 5.0.0 #146 [ 21.102784] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011 [ 21.103887] RIP: 0010:__alloc_pages_nodemask+0x2a0/0x630 [ 21.104640] Code: fe ff ff 65 48 8b 04 25 c0 de 01 00 48 05 90 0f 00 00 41 bd 01 00 00 00 48 89 44 24 48 e9 9c fe 3 [ 21.107121] RSP: 0018:ffff88805e1cf920 EFLAGS: 00010246 [ 21.107819] RAX: 0000000000000000 RBX: ffffffff85a488a0 RCX: 0000000000000000 [ 21.108753] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000 [ 21.109699] RBP: 1ffff1100bc39f28 R08: ffffed100bcefb67 R09: ffffed100bcefb67 [ 21.110646] R10: 0000000000000001 R11: ffffed100bcefb66 R12: 000000000000000d [ 21.111623] R13: 0000000000000000 R14: ffff88805e77d888 R15: 000000000000000d [ 21.112552] FS: 00007f7c7de05700(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000 [ 21.113612] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 21.114405] CR2: 000000000065c000 CR3: 000000005e58e006 CR4: 00000000001606e0 [ 21.115367] Call Trace: [ 21.115705] ? __alloc_pages_slowpath+0x21c0/0x21c0 [ 21.116362] alloc_pages_current+0xac/0x1e0 [ 21.116923] kmalloc_order+0x18/0x70 [ 21.117393] kmalloc_order_trace+0x18/0x110 [ 21.117949] packet_set_ring+0x9d5/0x1770 [ 21.118524] ? packet_rcv_spkt+0x440/0x440 [ 21.119094] ? lock_downgrade+0x620/0x620 [ 21.119646] ? __might_fault+0x177/0x1b0 [ 21.120177] packet_setsockopt+0x981/0x2940 [ 21.120753] ? __fget+0x2fb/0x4b0 [ 21.121209] ? packet_release+0xab0/0xab0 [ 21.121740] ? sock_has_perm+0x1cd/0x260 [ 21.122297] ? selinux_secmark_relabel_packet+0xd0/0xd0 [ 21.123013] ? __fget+0x324/0x4b0 [ 21.123451] ? selinux_netlbl_socket_setsockopt+0x101/0x320 [ 21.124186] ? selinux_netlbl_sock_rcv_skb+0x3a0/0x3a0 [ 21.124908] ? __lock_acquire+0x529/0x3200 [ 21.125453] ? selinux_socket_setsockopt+0x5d/0x70 [ 21.126075] ? __sys_setsockopt+0x131/0x210 [ 21.126533] ? packet_release+0xab0/0xab0 [ 21.127004] __sys_setsockopt+0x131/0x210 [ 21.127449] ? kernel_accept+0x2f0/0x2f0 [ 21.127911] ? ret_from_fork+0x8/0x50 [ 21.128313] ? do_raw_spin_lock+0x11b/0x280 [ 21.128800] __x64_sys_setsockopt+0xba/0x150 [ 21.129271] ? lockdep_hardirqs_on+0x37f/0x560 [ 21.129769] do_syscall_64+0x9f/0x450 [ 21.130182] entry_SYSCALL_64_after_hwframe+0x49/0xbe We should allocate with __GFP_NOWARN to handle this. Cc: Kal Conley <kal.conley@dectris.com> Cc: Andrey Konovalov <andreyknvl@google.com> Fixes: fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check") Signed-off-by: Christoph Paasch <cpaasch@apple.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-04-03 06:25:08 +02:00
qctecmdr Service	87b811fc25	Merge "Merge android-4.14-p.104 (1912b02) into msm-4.14"	2019-03-08 04:23:20 -08:00
Kal Conley	2226f95924	net/packet: fix 4gb buffer limit due to overflow check ... [ Upstream commit fc62814d690cf62189854464f4bd07457d5e9e50 ] When calculating rb->frames_per_block * req->tp_block_nr the result can overflow. Check it for overflow without limiting the total buffer size to UINT_MAX. This change fixes support for packet ring buffers >= UINT_MAX. Fixes: 8f8d28e4d6d8 ("net/packet: fix overflow in check for tp_frame_nr") Signed-off-by: Kal Conley <kal.conley@dectris.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-02-27 10:08:06 +01:00
qctecmdr Service	3633dccc34	Merge "Merge android-4.14-p.98 (848d71f) into msm-4.14"	2019-02-19 22:51:43 -08:00
Subash Abhinov Kasiviswanathan	7053938973	packet: Fix false positive compilation error ... This fixes the compilation error - net/packet/af_packet.o: In function `check_copy_size': include/linux/thread_info.h:136: undefined reference to `__bad_copy_to' CRs-Fixed: 2395803 Change-Id: I33a7ec2413da0e4febc3f119c1f70ffa6c950158 Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>	2019-02-08 13:21:09 -08:00
Jason Gunthorpe	6740236de3	packet: Do not leak dev refcounts on error exit ... [ Upstream commit d972f3dce8d161e2142da0ab1ef25df00e2f21a9 ] 'dev' is non NULL when the addr_len check triggers so it must goto a label that does the dev_put otherwise dev will have a leaked refcount. This bug causes the ib_ipoib module to become unloadable when using systemd-network as it triggers this check on InfiniBand links. Fixes: 99137b7888f4 ("packet: validate address length") Reported-by: Leon Romanovsky <leonro@mellanox.com> Signed-off-by: Jason Gunthorpe <jgg@mellanox.com> Acked-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-01-23 08:09:47 +01:00
Willem de Bruijn	41783853bd	packet: validate address length if non-zero ... [ Upstream commit 6b8d95f1795c42161dc0984b6863e95d6acf24ed ] Validate packet socket address length if a length is given. Zero length is equivalent to not setting an address. Fixes: 99137b7888f4 ("packet: validate address length") Reported-by: Ido Schimmel <idosch@idosch.org> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-01-09 17:14:44 +01:00
Willem de Bruijn	9eee85ed84	packet: validate address length ... [ Upstream commit 99137b7888f4058087895d035d81c6b2d31015c5 ] Packet sockets with SOCK_DGRAM may pass an address for use in dev_hard_header. Ensure that it is of sufficient length. Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2019-01-09 17:14:44 +01:00
Willem de Bruijn	67f6fba765	packet: copy user buffers before orphan or clone ... [ Upstream commit 5cd8d46ea1562be80063f53c7c6a5f40224de623 ] tpacket_snd sends packets with user pages linked into skb frags. It notifies that pages can be reused when the skb is released by setting skb->destructor to tpacket_destruct_skb. This can cause data corruption if the skb is orphaned (e.g., on transmit through veth) or cloned (e.g., on mirror to another psock). Create a kernel-private copy of data in these cases, same as tun/tap zerocopy transmission. Reuse that infrastructure: mark the skb as SKBTX_ZEROCOPY_FRAG, which will trigger copy in skb_orphan_frags(_rx). Unlike other zerocopy packets, do not set shinfo destructor_arg to struct ubuf_info. tpacket_destruct_skb already uses that ptr to notify when the original skb is released and a timestamp is recorded. Do not change this timestamp behavior. The ubuf_info->callback is not needed anyway, as no zerocopy notification is expected. Mark destructor_arg as not-a-uarg by setting the lower bit to 1. The resulting value is not a valid ubuf_info pointer, nor a valid tpacket_snd frame address. Add skb_zcopy_.._nouarg helpers for this. The fix relies on features introduced in commit 52267790ef52 ("sock: add MSG_ZEROCOPY"), so can be backported as is only to 4.14. Tested with from `./in_netns.sh ./txring_overwrite` from http://github.com/wdebruij/kerneltools/tests Fixes: 69e3c75f4d54 ("net: TX_RING and packet mmap") Reported-by: Anand H. Krishnan <anandhkrishnan@gmail.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-12-05 19:41:17 +01:00
Jianfeng Tan	5150140b4e	net/packet: fix packet drop as of virtio gso ... [ Upstream commit 9d2f67e43b73e8af7438be219b66a5de0cfa8bd9 ] When we use raw socket as the vhost backend, a packet from virito with gso offloading information, cannot be sent out in later validaton at xmit path, as we did not set correct skb->protocol which is further used for looking up the gso function. To fix this, we set this field according to virito hdr information. Fixes: e858fae2b0b8f4 ("virtio_net: use common code for virtio_net_hdr and skb GSO conversion") Signed-off-by: Jianfeng Tan <jianfeng.tan@linux.alibaba.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-10-18 09:16:19 +02:00
Willem de Bruijn	9e9f27e0d7	packet: refine ring v3 block size test to hold one frame ... commit 4576cd469d980317c4edd9173f8b694aa71ea3a3 upstream. TPACKET_V3 stores variable length frames in fixed length blocks. Blocks must be able to store a block header, optional private space and at least one minimum sized frame. Frames, even for a zero snaplen packet, store metadata headers and optional reserved space. In the block size bounds check, ensure that the frame of the chosen configuration fits. This includes sockaddr_ll and optional tp_reserve. Syzbot was able to construct a ring with insuffient room for the sockaddr_ll in the header of a zero-length frame, triggering an out-of-bounds write in dev_parse_header. Convert the comparison to less than, as zero is a valid snap len. This matches the test for minimum tp_frame_size immediately below. Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") Fixes: eb73190f4fbe ("net/packet: refine check for priv area size") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-08-24 13:09:22 +02:00
Willem de Bruijn	75425326b8	packet: reset network header if packet shorter than ll reserved space ... [ Upstream commit 993675a3100b16a4c80dfd70cbcde8ea7127b31d ] If variable length link layer headers result in a packet shorter than dev->hard_header_len, reset the network header offset. Else skb->mac_len may exceed skb->len after skb_mac_reset_len. packet_sendmsg_spkt already has similar logic. Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation") Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-08-24 13:09:17 +02:00
Eric Dumazet	5e6b4b9b28	net/packet: fix use-after-free ... [ Upstream commit 945d015ee0c3095d2290e845565a23dedfd8027c ] We should put copy_skb in receive_queue only after a successful call to virtio_net_hdr_from_skb(). syzbot report : BUG: KASAN: use-after-free in __skb_unlink include/linux/skbuff.h:1843 [inline] BUG: KASAN: use-after-free in __skb_dequeue include/linux/skbuff.h:1863 [inline] BUG: KASAN: use-after-free in skb_dequeue+0x16a/0x180 net/core/skbuff.c:2815 Read of size 8 at addr ffff8801b044ecc0 by task syz-executor217/4553 CPU: 0 PID: 4553 Comm: syz-executor217 Not tainted 4.18.0-rc1+ #111 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __skb_unlink include/linux/skbuff.h:1843 [inline] __skb_dequeue include/linux/skbuff.h:1863 [inline] skb_dequeue+0x16a/0x180 net/core/skbuff.c:2815 skb_queue_purge+0x26/0x40 net/core/skbuff.c:2852 packet_set_ring+0x675/0x1da0 net/packet/af_packet.c:4331 packet_release+0x630/0xd90 net/packet/af_packet.c:2991 __sock_release+0xd7/0x260 net/socket.c:603 sock_close+0x19/0x20 net/socket.c:1186 __fput+0x35b/0x8b0 fs/file_table.c:209 ____fput+0x15/0x20 fs/file_table.c:243 task_work_run+0x1ec/0x2a0 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x1b08/0x2750 kernel/exit.c:865 do_group_exit+0x177/0x440 kernel/exit.c:968 __do_sys_exit_group kernel/exit.c:979 [inline] __se_sys_exit_group kernel/exit.c:977 [inline] __x64_sys_exit_group+0x3e/0x50 kernel/exit.c:977 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x4448e9 Code: Bad RIP value. RSP: 002b:00007ffd5f777ca8 EFLAGS: 00000202 ORIG_RAX: 00000000000000e7 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004448e9 RDX: 00000000004448e9 RSI: 000000000000fcfb RDI: 0000000000000001 RBP: 00000000006cf018 R08: 00007ffd0000a45b R09: 0000000000000000 R10: 00007ffd5f777e48 R11: 0000000000000202 R12: 00000000004021f0 R13: 0000000000402280 R14: 0000000000000000 R15: 0000000000000000 Allocated by task 4553: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] kasan_kmalloc+0xc4/0xe0 mm/kasan/kasan.c:553 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:490 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3554 skb_clone+0x1f5/0x500 net/core/skbuff.c:1282 tpacket_rcv+0x28f7/0x3200 net/packet/af_packet.c:2221 deliver_skb net/core/dev.c:1925 [inline] deliver_ptype_list_skb net/core/dev.c:1940 [inline] __netif_receive_skb_core+0x1bfb/0x3680 net/core/dev.c:4611 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693 netif_receive_skb_internal+0x12e/0x7d0 net/core/dev.c:4767 netif_receive_skb+0xbf/0x420 net/core/dev.c:4791 tun_rx_batched.isra.55+0x4ba/0x8c0 drivers/net/tun.c:1571 tun_get_user+0x2af1/0x42f0 drivers/net/tun.c:1981 tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:2009 call_write_iter include/linux/fs.h:1795 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x6c6/0x9f0 fs/read_write.c:487 vfs_write+0x1f8/0x560 fs/read_write.c:549 ksys_write+0x101/0x260 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:607 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe Freed by task 4553: save_stack+0x43/0xd0 mm/kasan/kasan.c:448 set_track mm/kasan/kasan.c:460 [inline] __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:521 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:528 __cache_free mm/slab.c:3498 [inline] kmem_cache_free+0x86/0x2d0 mm/slab.c:3756 kfree_skbmem+0x154/0x230 net/core/skbuff.c:582 __kfree_skb net/core/skbuff.c:642 [inline] kfree_skb+0x1a5/0x580 net/core/skbuff.c:659 tpacket_rcv+0x189e/0x3200 net/packet/af_packet.c:2385 deliver_skb net/core/dev.c:1925 [inline] deliver_ptype_list_skb net/core/dev.c:1940 [inline] __netif_receive_skb_core+0x1bfb/0x3680 net/core/dev.c:4611 __netif_receive_skb+0x2c/0x1e0 net/core/dev.c:4693 netif_receive_skb_internal+0x12e/0x7d0 net/core/dev.c:4767 netif_receive_skb+0xbf/0x420 net/core/dev.c:4791 tun_rx_batched.isra.55+0x4ba/0x8c0 drivers/net/tun.c:1571 tun_get_user+0x2af1/0x42f0 drivers/net/tun.c:1981 tun_chr_write_iter+0xb9/0x154 drivers/net/tun.c:2009 call_write_iter include/linux/fs.h:1795 [inline] new_sync_write fs/read_write.c:474 [inline] __vfs_write+0x6c6/0x9f0 fs/read_write.c:487 vfs_write+0x1f8/0x560 fs/read_write.c:549 ksys_write+0x101/0x260 fs/read_write.c:598 __do_sys_write fs/read_write.c:610 [inline] __se_sys_write fs/read_write.c:607 [inline] __x64_sys_write+0x73/0xb0 fs/read_write.c:607 do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe The buggy address belongs to the object at ffff8801b044ecc0 which belongs to the cache skbuff_head_cache of size 232 The buggy address is located 0 bytes inside of 232-byte region [ffff8801b044ecc0, ffff8801b044eda8) The buggy address belongs to the page: page:ffffea0006c11380 count:1 mapcount:0 mapping:ffff8801d9be96c0 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffffea0006c17988 ffff8801d9bec248 ffff8801d9be96c0 raw: 0000000000000000 ffff8801b044e040 000000010000000c 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801b044eb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801b044ec00: 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc fc >ffff8801b044ec80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb ^ ffff8801b044ed00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8801b044ed80: fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc fc Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Cc: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-07-22 14:28:46 +02:00
Willem de Bruijn	5320e035d7	net: in virtio_net_hdr only add VLAN_HLEN to csum_start if payload holds vlan ... [ Upstream commit fd3a88625844907151737fc3b4201676effa6d27 ] Tun, tap, virtio, packet and uml vector all use struct virtio_net_hdr to communicate packet metadata to userspace. For skbuffs with vlan, the first two return the packet as it may have existed on the wire, inserting the VLAN tag in the user buffer. Then virtio_net_hdr.csum_start needs to be adjusted by VLAN_HLEN bytes. Commit f09e2249c4f5 ("macvtap: restore vlan header on user read") added this feature to macvtap. Commit 3ce9b20f1971 ("macvtap: Fix csum_start when VLAN tags are present") then fixed up csum_start. Virtio, packet and uml do not insert the vlan header in the user buffer. When introducing virtio_net_hdr_from_skb to deduplicate filling in the virtio_net_hdr, the variant from macvtap which adds VLAN_HLEN was applied uniformly, breaking csum offset for packets with vlan on virtio and packet. Make insertion of VLAN_HLEN optional. Convert the callers to pass it when needed. Fixes: e858fae2b0b8f4 ("virtio_net: use common code for virtio_net_hdr and skb GSO conversion") Fixes: 1276f24eeef2 ("packet: use common code for virtio_net_hdr and skb GSO conversion") Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-06-26 08:06:28 +08:00
Willem de Bruijn	0d751192af	packet: fix reserve calculation ... [ Upstream commit 9aad13b087ab0a588cd68259de618f100053360e ] Commit b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation") ensures that packet_snd always starts writing the link layer header in reserved headroom allocated for this purpose. This is needed because packets may be shorter than hard_header_len, in which case the space up to hard_header_len may be zeroed. But that necessary padding is not accounted for in skb->len. The fix, however, is buggy. It calls skb_push, which grows skb->len when moving skb->data back. But in this case packet length should not change. Instead, call skb_reserve, which moves both skb->data and skb->tail back, without changing length. Fixes: b84bbaf7a6c8 ("packet: in packet_snd start writing at link layer allocation") Reported-by: Tariq Toukan <tariqt@mellanox.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Acked-by: Soheil Hassas Yeganeh <soheil@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-06-11 22:49:20 +02:00
Eric Dumazet	c85df6eb6e	net/packet: refine check for priv area size ... [ Upstream commit eb73190f4fbeedf762394e92d6a4ec9ace684c88 ] syzbot was able to trick af_packet again [1] Various commits tried to address the problem in the past, but failed to take into account V3 header size. [1] tpacket_rcv: packet too big, clamped from 72 to 4294967224. macoff=96 BUG: KASAN: use-after-free in prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline] BUG: KASAN: use-after-free in prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039 Write of size 2 at addr ffff8801cb62000e by task kworker/1:2/2106 CPU: 1 PID: 2106 Comm: kworker/1:2 Not tainted 4.17.0-rc7+ #77 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: ipv6_addrconf addrconf_dad_work Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x1b9/0x294 lib/dump_stack.c:113 print_address_description+0x6c/0x20b mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.7+0x242/0x2fe mm/kasan/report.c:412 __asan_report_store2_noabort+0x17/0x20 mm/kasan/report.c:436 prb_run_all_ft_ops net/packet/af_packet.c:1016 [inline] prb_fill_curr_block.isra.59+0x4e5/0x5c0 net/packet/af_packet.c:1039 __packet_lookup_frame_in_block net/packet/af_packet.c:1094 [inline] packet_current_rx_frame net/packet/af_packet.c:1117 [inline] tpacket_rcv+0x1866/0x3340 net/packet/af_packet.c:2282 dev_queue_xmit_nit+0x891/0xb90 net/core/dev.c:2018 xmit_one net/core/dev.c:3049 [inline] dev_hard_start_xmit+0x16b/0xc10 net/core/dev.c:3069 __dev_queue_xmit+0x2724/0x34c0 net/core/dev.c:3584 dev_queue_xmit+0x17/0x20 net/core/dev.c:3617 neigh_resolve_output+0x679/0xad0 net/core/neighbour.c:1358 neigh_output include/net/neighbour.h:482 [inline] ip6_finish_output2+0xc9c/0x2810 net/ipv6/ip6_output.c:120 ip6_finish_output+0x5fe/0xbc0 net/ipv6/ip6_output.c:154 NF_HOOK_COND include/linux/netfilter.h:277 [inline] ip6_output+0x227/0x9b0 net/ipv6/ip6_output.c:171 dst_output include/net/dst.h:444 [inline] NF_HOOK include/linux/netfilter.h:288 [inline] ndisc_send_skb+0x100d/0x1570 net/ipv6/ndisc.c:491 ndisc_send_ns+0x3c1/0x8d0 net/ipv6/ndisc.c:633 addrconf_dad_work+0xbef/0x1340 net/ipv6/addrconf.c:4033 process_one_work+0xc1e/0x1b50 kernel/workqueue.c:2145 worker_thread+0x1cc/0x1440 kernel/workqueue.c:2279 kthread+0x345/0x410 kernel/kthread.c:240 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:412 The buggy address belongs to the page: page:ffffea00072d8800 count:0 mapcount:-127 mapping:0000000000000000 index:0xffff8801cb620e80 flags: 0x2fffc0000000000() raw: 02fffc0000000000 0000000000000000 ffff8801cb620e80 00000000ffffff80 raw: ffffea00072e3820 ffffea0007132d20 0000000000000002 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8801cb61ff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff8801cb61ff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff8801cb620000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff8801cb620080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff8801cb620100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff Fixes: 2b6867c2ce76 ("net/packet: fix overflow in check for priv area size") Fixes: dc808110bb62 ("packet: handle too big packets for PACKET_V3") Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-06-11 22:49:20 +02:00
Willem de Bruijn	01a658c1b9	packet: in packet_snd start writing at link layer allocation ... [ Upstream commit b84bbaf7a6c8cca24f8acf25a2c8e46913a947ba ] Packet sockets allow construction of packets shorter than dev->hard_header_len to accommodate protocols with variable length link layer headers. These packets are padded to dev->hard_header_len, because some device drivers interpret that as a minimum packet size. packet_snd reserves dev->hard_header_len bytes on allocation. SOCK_DGRAM sockets call skb_push in dev_hard_header() to ensure that link layer headers are stored in the reserved range. SOCK_RAW sockets do the same in tpacket_snd, but not in packet_snd. Syzbot was able to send a zero byte packet to a device with massive 116B link layer header, causing padding to cross over into skb_shinfo. Fix this by writing from the start of the llheader reserved range also in the case of packet_snd/SOCK_RAW. Update skb_set_network_header to the new offset. This also corrects it for SOCK_DGRAM, where it incorrectly double counted reserve due to the skb_push in dev_hard_header. Fixes: 9ed988cd5915 ("packet: validate variable length ll headers") Reported-by: syzbot+71d74a5406d02057d559@syzkaller.appspotmail.com Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-05-25 16:17:24 +02:00
Willem de Bruijn	6da813d79c	packet: fix bitfield update race ... [ Upstream commit a6361f0ca4b25460f2cdf3235ebe8115f622901e ] Updates to the bitfields in struct packet_sock are not atomic. Serialize these read-modify-write cycles. Move po->running into a separate variable. Its writes are protected by po->bind_lock (except for one startup case at packet_create). Also replace a textual precondition warning with lockdep annotation. All others are set only in packet_setsockopt. Serialize these updates by holding the socket lock. Analogous to other field updates, also hold the lock when testing whether a ring is active (pg_vec). Fixes: 8dc419447415 ("[PACKET]: Add optional checksum computation for recvmsg") Reported-by: DaeRyong Jeong <threeearcat@gmail.com> Reported-by: Byoungyoung Lee <byoungyoung@purdue.edu> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-04-29 11:33:12 +02:00
Eric Dumazet	7c2352520e	net: af_packet: fix race in PACKET_{R|T}X_RING ... [ Upstream commit 5171b37d959641bbc619781caf62e61f7b940871 ] In order to remove the race caught by syzbot [1], we need to lock the socket before using po->tp_version as this could change under us otherwise. This means lock_sock() and release_sock() must be done by packet_set_ring() callers. [1] : BUG: KMSAN: uninit-value in packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249 CPU: 0 PID: 20195 Comm: syzkaller707632 Not tainted 4.16.0+ #83 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x185/0x1d0 lib/dump_stack.c:53 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676 packet_set_ring+0x1254/0x3870 net/packet/af_packet.c:4249 packet_setsockopt+0x12c6/0x5a90 net/packet/af_packet.c:3662 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849 SyS_setsockopt+0x76/0xa0 net/socket.c:1828 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x3d/0xa2 RIP: 0033:0x449099 RSP: 002b:00007f42b5307ce8 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 000000000070003c RCX: 0000000000449099 RDX: 0000000000000005 RSI: 0000000000000107 RDI: 0000000000000003 RBP: 0000000000700038 R08: 000000000000001c R09: 0000000000000000 R10: 00000000200000c0 R11: 0000000000000246 R12: 0000000000000000 R13: 000000000080eecf R14: 00007f42b53089c0 R15: 0000000000000001 Local variable description: ----req_u@packet_setsockopt Variable was created at: packet_setsockopt+0x13f/0x5a90 net/packet/af_packet.c:3612 SYSC_setsockopt+0x4b8/0x570 net/socket.c:1849 Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2018-04-29 11:33:11 +02:00
Eric Dumazet	589983eb99	net/packet: fix a race in packet_bind() and packet_notifier() ... [ Upstream commit 15fe076edea787807a7cdc168df832544b58eba6 ] syzbot reported crashes [1] and provided a C repro easing bug hunting. When/if packet_do_bind() calls __unregister_prot_hook() and releases po->bind_lock, another thread can run packet_notifier() and process an NETDEV_UP event. This calls register_prot_hook() and hooks again the socket right before first thread is able to grab again po->bind_lock. Fixes this issue by temporarily setting po->num to 0, as suggested by David Miller. [1] dev_remove_pack: ffff8801bf16fa80 not found ------------[ cut here ]------------ kernel BUG at net/core/dev.c:7945! ( BUG_ON(!list_empty(&dev->ptype_all)); ) invalid opcode: 0000 [#1] SMP KASAN Dumping ftrace buffer: (ftrace buffer empty) Modules linked in: device syz0 entered promiscuous mode CPU: 0 PID: 3161 Comm: syzkaller404108 Not tainted 4.14.0+ #190 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 task: ffff8801cc57a500 task.stack: ffff8801cc588000 RIP: 0010:netdev_run_todo+0x772/0xae0 net/core/dev.c:7945 RSP: 0018:ffff8801cc58f598 EFLAGS: 00010293 RAX: ffff8801cc57a500 RBX: dffffc0000000000 RCX: ffffffff841f75b2 RDX: 0000000000000000 RSI: 1ffff100398b1ede RDI: ffff8801bf1f8810 device syz0 entered promiscuous mode RBP: ffff8801cc58f898 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801bf1f8cd8 R13: ffff8801cc58f870 R14: ffff8801bf1f8780 R15: ffff8801cc58f7f0 FS: 0000000001716880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020b13000 CR3: 0000000005e25000 CR4: 00000000001406f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:106 tun_detach drivers/net/tun.c:670 [inline] tun_chr_close+0x49/0x60 drivers/net/tun.c:2845 __fput+0x333/0x7f0 fs/file_table.c:210 ____fput+0x15/0x20 fs/file_table.c:244 task_work_run+0x199/0x270 kernel/task_work.c:113 exit_task_work include/linux/task_work.h:22 [inline] do_exit+0x9bb/0x1ae0 kernel/exit.c:865 do_group_exit+0x149/0x400 kernel/exit.c:968 SYSC_exit_group kernel/exit.c:979 [inline] SyS_exit_group+0x1d/0x20 kernel/exit.c:977 entry_SYSCALL_64_fastpath+0x1f/0x96 RIP: 0033:0x44ad19 Fixes: 30f7ea1c2b5f ("packet: race condition in packet_bind") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Cc: Francesco Ruggeri <fruggeri@aristanetworks.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-12-17 15:07:56 +01:00
Mike Maloney	7263f11b56	packet: fix crash in fanout_demux_rollover() ... syzkaller found a race condition fanout_demux_rollover() while removing a packet socket from a fanout group. po->rollover is read and operated on during packet_rcv_fanout(), via fanout_demux_rollover(), but the pointer is currently cleared before the synchronization in packet_release(). It is safer to delay the cleanup until after synchronize_net() has been called, ensuring all calls to packet_rcv_fanout() for this socket have finished. To further simplify synchronization around the rollover structure, set po->rollover in fanout_add() only if there are no errors. This removes the need for rcu in the struct and in the call to packet_getsockopt(..., PACKET_ROLLOVER_STATS, ...). Crashing stack trace: fanout_demux_rollover+0xb6/0x4d0 net/packet/af_packet.c:1392 packet_rcv_fanout+0x649/0x7c8 net/packet/af_packet.c:1487 dev_queue_xmit_nit+0x835/0xc10 net/core/dev.c:1953 xmit_one net/core/dev.c:2975 [inline] dev_hard_start_xmit+0x16b/0xac0 net/core/dev.c:2995 __dev_queue_xmit+0x17a4/0x2050 net/core/dev.c:3476 dev_queue_xmit+0x17/0x20 net/core/dev.c:3509 neigh_connected_output+0x489/0x720 net/core/neighbour.c:1379 neigh_output include/net/neighbour.h:482 [inline] ip6_finish_output2+0xad1/0x22a0 net/ipv6/ip6_output.c:120 ip6_finish_output+0x2f9/0x920 net/ipv6/ip6_output.c:146 NF_HOOK_COND include/linux/netfilter.h:239 [inline] ip6_output+0x1f4/0x850 net/ipv6/ip6_output.c:163 dst_output include/net/dst.h:459 [inline] NF_HOOK.constprop.35+0xff/0x630 include/linux/netfilter.h:250 mld_sendpack+0x6a8/0xcc0 net/ipv6/mcast.c:1660 mld_send_initial_cr.part.24+0x103/0x150 net/ipv6/mcast.c:2072 mld_send_initial_cr net/ipv6/mcast.c:2056 [inline] ipv6_mc_dad_complete+0x99/0x130 net/ipv6/mcast.c:2079 addrconf_dad_completed+0x595/0x970 net/ipv6/addrconf.c:4039 addrconf_dad_work+0xac9/0x1160 net/ipv6/addrconf.c:3971 process_one_work+0xbf0/0x1bc0 kernel/workqueue.c:2113 worker_thread+0x223/0x1990 kernel/workqueue.c:2247 kthread+0x35e/0x430 kernel/kthread.c:231 ret_from_fork+0x2a/0x40 arch/x86/entry/entry_64.S:432 Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state") Fixes: 509c7a1ecc860 ("packet: avoid panic in packet_getsockopt()") Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Mike Maloney <maloney@google.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-12-17 15:07:56 +01:00
Greg Kroah-Hartman	b24413180f	License cleanup: add SPDX GPL-2.0 license identifier to files with no license ... Many source files in the tree are missing licensing information, which makes it harder for compliance tools to determine the correct license. By default all files without license information are under the default license of the kernel, which is GPL version 2. Update the files which contain no license information with the 'GPL-2.0' SPDX license identifier. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text. This patch is based on work done by Thomas Gleixner and Kate Stewart and Philippe Ombredanne. How this work was done: Patches were generated and checked against linux-4.14-rc6 for a subset of the use cases: - file had no licensing information it it. - file was a */uapi/* one with no licensing information in it, - file was a */uapi/* one with existing licensing information, Further patches will be generated in subsequent months to fix up cases where non-standard license headers were used, and references to license had to be inferred by heuristics based on keywords. The analysis to determine which SPDX License Identifier to be applied to a file was done in a spreadsheet of side by side results from of the output of two independent scanners (ScanCode & Windriver) producing SPDX tag:value files created by Philippe Ombredanne. Philippe prepared the base worksheet, and did an initial spot review of a few 1000 files. The 4.13 kernel was the starting point of the analysis with 60,537 files assessed. Kate Stewart did a file by file comparison of the scanner results in the spreadsheet to determine which SPDX license identifier(s) to be applied to the file. She confirmed any determination that was not immediately clear with lawyers working with the Linux Foundation. Criteria used to select files for SPDX license identifier tagging was: - Files considered eligible had to be source code files. - Make and config files were included as candidates if they contained >5 lines of source - File already had some variant of a license header in it (even if <5 lines). All documentation files were explicitly excluded. The following heuristics were used to determine which SPDX license identifiers to apply. - when both scanners couldn't find any license traces, file was considered to have no license information in it, and the top level COPYING file license applied. For non */uapi/* files that summary was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 11139 and resulted in the first patch in this series. If that file was a */uapi/* path one, it was "GPL-2.0 WITH Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 WITH Linux-syscall-note 930 and resulted in the second patch in this series. - if a file had some form of licensing information in it, and was one of the */uapi/* ones, it was denoted with the Linux-syscall-note if any GPL family license was found in the file or had no licensing in it (per prior point). Results summary: SPDX license identifier # files ---------------------------------------------------|------ GPL-2.0 WITH Linux-syscall-note 270 GPL-2.0+ WITH Linux-syscall-note 169 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17 LGPL-2.1+ WITH Linux-syscall-note 15 GPL-1.0+ WITH Linux-syscall-note 14 ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5 LGPL-2.0+ WITH Linux-syscall-note 4 LGPL-2.1 WITH Linux-syscall-note 3 ((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3 ((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1 and that resulted in the third patch in this series. - when the two scanners agreed on the detected license(s), that became the concluded license(s). - when there was disagreement between the two scanners (one detected a license but the other didn't, or they both detected different licenses) a manual inspection of the file occurred. - In most cases a manual inspection of the information in the file resulted in a clear resolution of the license that should apply (and which scanner probably needed to revisit its heuristics). - When it was not immediately clear, the license identifier was confirmed with lawyers working with the Linux Foundation. - If there was any question as to the appropriate license identifier, the file was flagged for further research and to be revisited later in time. In total, over 70 hours of logged manual review was done on the spreadsheet to determine the SPDX license identifiers to apply to the source files by Kate, Philippe, Thomas and, in some cases, confirmation by lawyers working with the Linux Foundation. Kate also obtained a third independent scan of the 4.13 code base from FOSSology, and compared selected files where the other two scanners disagreed against that SPDX file, to see if there was new insights. The Windriver scanner is based on an older version of FOSSology in part, so they are related. Thomas did random spot checks in about 500 files from the spreadsheets for the uapi headers and agreed with SPDX license identifier in the files he inspected. For the non-uapi files Thomas did random spot checks in about 15000 files. In initial set of patches against 4.14-rc6, 3 files were found to have copy/paste license identifier errors, and have been fixed to reflect the correct identifier. Additionally Philippe spent 10 hours this week doing a detailed manual inspection and review of the 12,461 patched files from the initial patch version early this week with: - a full scancode scan run, collecting the matched texts, detected license ids and scores - reviewing anything where there was a license detected (about 500+ files) to ensure that the applied SPDX license was correct - reviewing anything where there was no detection but the patch license was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied SPDX license was correct This produced a worksheet with 20 files needing minor correction. This worksheet was then exported into 3 different .csv files for the different types of files to be modified. These .csv files were then reviewed by Greg. Thomas wrote a script to parse the csv files and add the proper SPDX tag to the file, in the format that the file expected. This script was further refined by Greg based on the output to detect more types of files automatically and to distinguish between header and source .c files (which need different comment types.) Finally Greg ran the script using the .csv files to generate the patches. Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>	2017-11-02 11:10:55 +01:00
Eric Dumazet	509c7a1ecc	packet: avoid panic in packet_getsockopt() ... syzkaller got crashes in packet_getsockopt() processing PACKET_ROLLOVER_STATS command while another thread was managing to change po->rollover Using RCU will fix this bug. We might later add proper RCU annotations for sparse sake. In v2: I replaced kfree(rollover) in fanout_add() to kfree_rcu() variant, as spotted by John. Fixes: a9b6391814d5 ("packet: rollover statistics") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Willem de Bruijn <willemb@google.com> Cc: John Sperbeck <jsperbeck@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>	2017-10-21 01:51:34 +01:00
Willem de Bruijn	da7c956101	packet: only test po->has_vnet_hdr once in packet_snd ... Packet socket option po->has_vnet_hdr can be updated concurrently with other operations if no ring is attached. Do not test the option twice in packet_snd, as the value may change in between calls. A race on setsockopt disable may cause a packet > mtu to be sent without having GSO options set. Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.") Signed-off-by: Willem de Bruijn <willemb@google.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>	2017-09-28 10:24:31 -07:00
Willem de Bruijn	4971613c16	packet: in packet_do_bind, test fanout with bind_lock held ... Once a socket has po->fanout set, it remains a member of the group until it is destroyed. The prot_hook must be constant and identical across sockets in the group. If fanout_add races with packet_do_bind between the test of po->fanout and taking the lock, the bind call may make type or dev inconsistent with that of the fanout group. Hold po->bind_lock when testing po->fanout to avoid this race. I had to introduce artificial delay (local_bh_enable) to actually observe the race. Fixes: dc99f600698d ("packet: Add fanout support.") Signed-off-by: Willem de Bruijn <willemb@google.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>	2017-09-28 10:24:31 -07:00
Willem de Bruijn	008ba2a13f	packet: hold bind lock when rebinding to fanout hook ... Packet socket bind operations must hold the po->bind_lock. This keeps po->running consistent with whether the socket is actually on a ptype list to receive packets. fanout_add unbinds a socket and its packet_rcv/tpacket_rcv call, then binds the fanout object to receive through packet_rcv_fanout. Make it hold the po->bind_lock when testing po->running and rebinding. Else, it can race with other rebind operations, such as that in packet_set_ring from packet_rcv to tpacket_rcv. Concurrent updates can result in a socket being added to a fanout group twice, causing use-after-free KASAN bug reports, among others. Reported independently by both trinity and syzkaller. Verified that the syzkaller reproducer passes after this patch. Fixes: dc99f600698d ("packet: Add fanout support.") Reported-by: nixioaming <nixiaoming@huawei.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>	2017-09-20 13:57:19 -07:00
David S. Miller	6026e043d0	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net ... Three cases of simple overlapping changes. Signed-off-by: David S. Miller <davem@davemloft.net>	2017-09-01 17:42:05 -07:00
Benjamin Poirier	edbd58be15	packet: Don't write vnet header beyond end of buffer ... ... which may happen with certain values of tp_reserve and maclen. Fixes: 58d19b19cd99 ("packet: vnet_hdr support for tpacket_rcv") Signed-off-by: Benjamin Poirier <bpoirier@suse.com> Cc: Willem de Bruijn <willemb@google.com> Acked-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>	2017-08-29 15:09:13 -07:00
David S. Miller	3b2b69efec	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net ... Mainline had UFO fixes, but UFO is removed in net-next so we take the HEAD hunks. Minor context conflict in bcmsysport statistics bug fix. Signed-off-by: David S. Miller <davem@davemloft.net>	2017-08-10 12:11:16 -07:00
Willem de Bruijn	c27927e372	packet: fix tp_reserve race in packet_set_ring ... Updates to tp_reserve can race with reads of the field in packet_set_ring. Avoid this by holding the socket lock during updates in setsockopt PACKET_RESERVE. This bug was discovered by syzkaller. Fixes: 8913336a7e8d ("packet: add PACKET_RESERVE sockopt") Reported-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Willem de Bruijn <willemb@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>	2017-08-10 09:52:12 -07:00
David S. Miller	29fda25a2d	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net ... Two minor conflicts in virtio_net driver (bug fix overlapping addition of a helper) and MAINTAINERS (new driver edit overlapping revamp of PHY entry). Signed-off-by: David S. Miller <davem@davemloft.net>	2017-08-01 10:07:50 -07:00