mirror of
https://github.com/rd-stuffs/msm-4.14.git
synced 2025-02-20 11:45:48 +08:00
9156 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Arian
|
3a330c6445 |
Merge branch 'android-4.14-stable' of https://android.googlesource.com/kernel/common into HEAD
Change-Id: I714223aa1f97959bd97b6bf758511466c9394bd8 |
||
Demon000
|
bdc4b65344 | net: ipv4: disable modules which are enabled by default | ||
Greg Kroah-Hartman
|
0eec6f6001 |
This is the 4.14.269 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmIfSB4ACgkQONu9yGCS
aT6eMQ//X/iNMO6+/ZRkVor0HrGYSfrGURpPzjSUEW11bf2Uzx1rV97SoMMKKXbK
4QCDkK2UKCu41AyCFeDtzI96iAp7U36Z5ty1zJ/HVLp+9miYiNVF82E8IkNf1Imk
OusVFTd/lZbNo57jlDQCJwf7z3ohv1sPnUddz2eFMVf6fOHA+kvN5+yvPECC5pG7
ahPAMI8CuNfYqfEYHSI0ykfZ+dXuHVW7ag6fqxz8x6xucq5kw+yNCEPRr2QCkupH
CdOrq55OVA1n/YY3sY5aAuvfHVthYwV303Vz+gurq4C+ZJ1+8HIUNVk0xI2xGj8U
ORpIHx2OY7A3pzRacAxsxVg5cO1pgCv5X9Qoj4TCi9IURVQSxAI+wafahuFMDROI
X24bI8xDf/gzMQoOtO7Pt5zKZxqfPE+CZpVVL9nchBCWuVKFqIPbyDdnVhLg4PIN
2QscmSIU6gY6AIaKoCRAd8vJLkn3eOWsHak1CtVt8f+YtWXS6Vjf1LZgyPv2yk2T
GeRnwRMhU/rMT+arU7T5R7TQzOhlqRaVAvrFDsemGFpxG/91eId4tVQHs3xhPlWs
UNYSKZ41PuzZ235s6QJ67QsBD4DoHSoLsKu4gpn8vJG7OHFgYgmDniwCCYUIzmqv
fk3vxOhsCy42wCBDoXP+BxRmLOqA3v5PldbKMAjBTjaE3/lvSyA=
=e7C8
-----END PGP SIGNATURE-----
Merge 4.14.269 into android-4.14-stable
Changes in 4.14.269
cgroup/cpuset: Fix a race between cpuset_attach() and cpu hotplug
vhost/vsock: don't check owner in vhost_vsock_stop() while releasing
parisc/unaligned: Fix fldd and fstd unaligned handlers on 32-bit kernel
parisc/unaligned: Fix ldw() and stw() unalignment handlers
sr9700: sanity check for packet length
USB: zaurus: support another broken Zaurus
serial: 8250: of: Fix mapped region size when using reg-offset property
ping: remove pr_err from ping_lookup
net: __pskb_pull_tail() & pskb_carve_frag_list() drop_monitor friends
gso: do not skip outer ip header in case of ipip and net_failover
openvswitch: Fix setting ipv6 fields causing hw csum failure
drm/edid: Always set RGB444
net/mlx5e: Fix wrong return value on ioctl EEPROM query failure
configfs: fix a race in configfs_{,un}register_subsystem()
RDMA/ib_srp: Fix a deadlock
iio: adc: men_z188_adc: Fix a resource leak in an error handling path
ata: pata_hpt37x: disable primary channel on HPT371
Revert "USB: serial: ch341: add new Product ID for CH341A"
usb: gadget: rndis: add spinlock for rndis response list
USB: gadget: validate endpoint index for xilinx udc
tracefs: Set the group ownership in apply_options() not parse_options()
USB: serial: option: add support for DW5829e
USB: serial: option: add Telit LE910R1 compositions
usb: dwc3: gadget: Let the interrupt handler disable bottom halves.
xhci: re-initialize the HC during resume if HCE was set
xhci: Prevent futile URB re-submissions due to incorrect return value.
tty: n_gsm: fix encoding of control signal octet bit DV
tty: n_gsm: fix proper link termination after failed open
Revert "drm/nouveau/pmu/gm200-: avoid touching PMU outside of DEVINIT/PREOS/ACR"
memblock: use kfree() to release kmalloced memblock regions
fget: clarify and improve __fget_files() implementation
Linux 4.14.269
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I0c7a1a638cac0693161ad06dd369075a6dd42402
|
||
Tao Liu
|
7840e55979 |
gso: do not skip outer ip header in case of ipip and net_failover
commit cc20cced0598d9a5ff91ae4ab147b3b5e99ee819 upstream.
We encounter a tcp drop issue in our cloud environment. Packet GROed in
host forwards to a VM virtio_net nic with net_failover enabled. VM acts
as a IPVS LB with ipip encapsulation. The full path like:
host gro -> vm virtio_net rx -> net_failover rx -> ipvs fullnat
-> ipip encap -> net_failover tx -> virtio_net tx
When net_failover transmits a ipip pkt (gso_type = 0x0103, which means
SKB_GSO_TCPV4, SKB_GSO_DODGY and SKB_GSO_IPXIP4), there is no gso
did because it supports TSO and GSO_IPXIP4. But network_header points to
inner ip header.
Call Trace:
tcp4_gso_segment ------> return NULL
inet_gso_segment ------> inner iph, network_header points to
ipip_gso_segment
inet_gso_segment ------> outer iph
skb_mac_gso_segment
Afterwards virtio_net transmits the pkt, only inner ip header is modified.
And the outer one just keeps unchanged. The pkt will be dropped in remote
host.
Call Trace:
inet_gso_segment ------> inner iph, outer iph is skipped
skb_mac_gso_segment
__skb_gso_segment
validate_xmit_skb
validate_xmit_skb_list
sch_direct_xmit
__qdisc_run
__dev_queue_xmit ------> virtio_net
dev_hard_start_xmit
__dev_queue_xmit ------> net_failover
ip_finish_output2
ip_output
iptunnel_xmit
ip_tunnel_xmit
ipip_tunnel_xmit ------> ipip
dev_hard_start_xmit
__dev_queue_xmit
ip_finish_output2
ip_output
ip_forward
ip_rcv
__netif_receive_skb_one_core
netif_receive_skb_internal
napi_gro_receive
receive_buf
virtnet_poll
net_rx_action
The root cause of this issue is specific with the rare combination of
SKB_GSO_DODGY and a tunnel device that adds an SKB_GSO_ tunnel option.
SKB_GSO_DODGY is set from external virtio_net. We need to reset network
header when callbacks.gso_segment() returns NULL.
This patch also includes ipv6_gso_segment(), considering SIT, etc.
Fixes: cb32f511a70b ("ipip: add GSO/TSO support")
Signed-off-by: Tao Liu <thomas.liu@ucloud.cn>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Xin Long
|
f5fde9970f |
ping: remove pr_err from ping_lookup
commit cd33bdcbead882c2e58fdb4a54a7bd75b610a452 upstream.
As Jakub noticed, prints should be avoided on the datapath.
Also, as packets would never come to the else branch in
ping_lookup(), remove pr_err() from ping_lookup().
Fixes: 35a79e64de29 ("ping: fix the dif and sdif check in ping_lookup")
Reported-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/1ef3f2fcd31bd681a193b1fcf235eee1603819bd.1645674068.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
6f67f3af36 |
This is the 4.14.268 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmIWEyUACgkQONu9yGCS aT779Q//dXx+poIk/ameTdi+EGNWVDjmSGKKAGHDEZyzUejX8BNv1PoC8z+wbRSC ra8WINeEDAd/mA+8/mvH6fJEKFAc2Ppapo4gSNh0BkkdXDDMJkVQKZKnq/+pfOJH f0ltZPtiownRg+rw02DdLY+A5tYp9t6Gwl0EIHieqlakj3JAE6SqJxRqUEFu2WvH UbjmgYp+vV3uOAdSnRzfyfcCKhMsJegFfiwy15wpO2AmODN0vOT4DbaHkkqNKs3T j1HseuHWyYg7/1RQsHrabPJk6H76SzwI6tbAHnHZ/mkvlqg70MWH1hTax3VF/dgz AfeWjQKK1fa4z8K6WKu1RAq6LAOjDbxfhTAE2wImjL0TXz86YoDL34E3TT4uB0no HeT9JbKO245jSWh+BXttgbQp+YFypiDlyOfHeBB1jpiHCdjt8Fb4FmSHUhL80DC5 FdxNkBmZDoZXCfrNw/VBeLs8yU7lzWqps2tJTvyfJO8ZkCtZPO2EP5k2gib71KiP N/3I2QnRBlFJO/HRfSJ/jOhaM981S9RxduTNirbzvvu1CuL4ltpdd1JG5HOrkr2Q 2ce1INFJvO38ftcqHj0rjc0y2UW2QvvspG8K0RLCfn3XKmlmiBh6KbRFa+3iHYQB T4aBatw8Z3pnxvHYKVO5/jIacotoMQsK+GIekOqrj4Iw0fGGoqE= =ViBY -----END PGP SIGNATURE----- Merge 4.14.268 into android-4.14-stable Changes in 4.14.268 Makefile.extrawarn: Move -Wunaligned-access to W=1 net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup serial: parisc: GSC: fix build when IOSAPIC is not set parisc: Fix data TLB miss in sba_unmap_sg parisc: Fix sglist access in ccio-dma.c btrfs: send: in case of IO error log it net: ieee802154: at86rf230: Stop leaking skb's selftests/zram: Skip max_comp_streams interface on newer kernel selftests/zram01.sh: Fix compression ratio calculation selftests/zram: Adapt the situation that /dev/zram0 is being used ax25: improve the incomplete fix to avoid UAF and NPD bugs vfs: make freeze_super abort when sync_filesystem returns error quota: make dquot_quota_sync return errors from ->sync_fs Revert "module, async: async_synchronize_full() on module init iff async is used" iwlwifi: fix use-after-free drm/radeon: Fix backlight control on iMac 12,1 xfrm: Don't accidentally set RTO_ONLINK in decode_session4() taskstats: Cleanup the use of task->exit_code vsock: remove vsock from connected table when connect is interrupted by a signal iwlwifi: pcie: fix locking when "HW not ready" iwlwifi: pcie: gen2: fix locking when "HW not ready" net: ieee802154: ca8210: Fix lifs/sifs periods ping: fix the dif and sdif check in ping_lookup drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit bonding: fix data-races around agg_select_timer libsubcmd: Fix use-after-free for realloc(..., 0) ALSA: hda: Fix regression on forced probe mask option ALSA: hda: Fix missing codec probe on Shenker Dock 15 ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw() ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_range() powerpc/lib/sstep: fix 'ptesync' build error NFS: LOOKUP_DIRECTORY is also ok with symlinks EDAC: Fix calculation of returned address and next offset in edac_align_ptr() net: sched: limit TC_ACT_REPEAT loops dmaengine: sh: rcar-dmac: Check for error num after setting mask i2c: brcmstb: fix support for DSL and CM variants lib/iov_iter: initialize "flags" in new pipe_buffer mtd: rawnand: brcmnand: Refactored code to introduce helper functions mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status KVM: x86/pmu: Use AMD64_RAW_EVENT_MASK for PERF_TYPE_RAW NFS: Do not report writeback errors in nfs_getattr() ARM: OMAP2+: hwmod: Add of_node_put() before break ata: libata-core: Disable TRIM on M88V29 tracing: Fix tp_printk option related with tp_printk_stop_on_boot net: usb: qmi_wwan: Add support for Dell DW5829e net: macb: Align the dma and coherent dma masks Linux 4.14.268 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I03f64df8d8bf977ed3fddd0277b1b0749c703480 |
||
|
Xin Long
|
5a5c871b9c |
ping: fix the dif and sdif check in ping_lookup
commit 35a79e64de29e8d57a5989aac57611c0cd29e13e upstream. When 'ping' changes to use PING socket instead of RAW socket by: # sysctl -w net.ipv4.ping_group_range="0 100" There is another regression caused when matching sk_bound_dev_if and dif, RAW socket is using inet_iif() while PING socket lookup is using skb->dev->ifindex, the cmd below fails due to this: # ip link add dummy0 type dummy # ip link set dummy0 up # ip addr add 192.168.111.1/24 dev dummy0 # ping -I dummy0 192.168.111.1 -c1 The issue was also reported on: https://github.com/iputils/iputils/issues/104 But fixed in iputils in a wrong way by not binding to device when destination IP is on device, and it will cause some of kselftests to fail, as Jianlin noticed. This patch is to use inet(6)_iif and inet(6)_sdif to get dif and sdif for PING socket, and keep consistent with RAW socket. Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind") Reported-by: Jianlin Shi <jishi@redhat.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Guillaume Nault
|
45f9a195c1 |
xfrm: Don't accidentally set RTO_ONLINK in decode_session4()
commit 23e7b1bfed61e301853b5e35472820d919498278 upstream.
Similar to commit 94e2238969e8 ("xfrm4: strip ECN bits from tos field"),
clear the ECN bits from iph->tos when setting ->flowi4_tos.
This ensures that the last bit of ->flowi4_tos is cleared, so
ip_route_output_key_hash() isn't going to restrict the scope of the
route lookup.
Use ~INET_ECN_MASK instead of IPTOS_RT_MASK, because we have no reason
to clear the high order bits.
Found by code inspection, compile tested only.
Fixes: 4da3089f2b58 ("[IPSEC]: Use TOS when doing tunnel lookups")
Signed-off-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[sudip: manually backport to previous location]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
409d37b568 |
Merge 4.14.267 into android-4.14-stable
Changes in 4.14.267 integrity: check the return value of audit_log_start() ima: Remove ima_policy file before directory ima: Allow template selection with ima_template[_fmt]= after ima_hash= mmc: sdhci-of-esdhc: Check for error num after setting mask net: phy: marvell: Fix MDI-x polarity setting in 88e1118-compatible PHYs NFS: Fix initialisation of nfs_client cl_flags field NFSD: Clamp WRITE offsets NFSv4 only print the label when its queried nfs: nfs4clinet: check the return value of kstrdup() NFSv4.1: Fix uninitialised variable in devicenotify NFSv4 remove zero number of fs_locations entries error check NFSv4 expose nfs_parse_server_name function scsi: target: iscsi: Make sure the np under each tpg is unique usb: dwc2: gadget: don't try to disable ep0 in dwc2_hsotg_suspend net: stmmac: dwmac-sun8i: use return val of readl_poll_timeout() Revert "net: axienet: Wait for PhyRstCmplt after core reset" bpf: Add kconfig knob for disabling unpriv bpf by default ARM: dts: imx23-evk: Remove MX23_PAD_SSP1_DETECT from hog group ARM: dts: meson: Fix the UART compatible strings staging: fbtft: Fix error path in fbtft_driver_module_init() ARM: dts: imx6qdl-udoo: Properly describe the SD card detect usb: f_fs: Fix use-after-free for epfile bonding: pair enable_port with slave_arr_updates ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path net: do not keep the dst cache when uncloning an skb dst and its metadata net: fix a memleak when uncloning an skb dst and its metadata tipc: rate limit warning for received illegal binding update net: amd-xgbe: disable interrupts during pci removal vt_ioctl: fix array_index_nospec in vt_setactivate vt_ioctl: add array_index_nospec to VT_ACTIVATE n_tty: wake up poll(POLLRDNORM) on receiving data usb: ulpi: Move of_node_put to ulpi_dev_release usb: ulpi: Call of_node_put correctly usb: dwc3: gadget: Prevent core from processing stale TRBs USB: gadget: validate interface OS descriptor requests usb: gadget: rndis: check size of RNDIS_MSG_SET command USB: serial: ftdi_sio: add support for Brainboxes US-159/235/320 USB: serial: option: add ZTE MF286D modem USB: serial: ch341: add support for GW Instek USB2.0-Serial devices USB: serial: cp210x: add NCR Retail IO box id USB: serial: cp210x: add CPI Bulk Coin Recycler id seccomp: Invalidate seccomp mode to catch death failures hwmon: (dell-smm) Speed up setting of fan speed perf: Fix list corruption in perf_cgroup_switch() Linux 4.14.267 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ie562265e833202e361fd0734d18731990c0b1cbc |
||
Eric Dumazet
|
b541845dfc |
ipmr,ip6mr: acquire RTNL before calling ip[6]mr_free_table() on failure path
[ Upstream commit 5611a00697c8ecc5aad04392bea629e9d6a20463 ] ip[6]mr_free_table() can only be called under RTNL lock. RTNL: assertion failed at net/core/dev.c (10367) WARNING: CPU: 1 PID: 5890 at net/core/dev.c:10367 unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 Modules linked in: CPU: 1 PID: 5890 Comm: syz-executor.2 Not tainted 5.16.0-syzkaller-11627-g422ee58dc0ef #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:unregister_netdevice_many+0x1246/0x1850 net/core/dev.c:10367 Code: 0f 85 9b ee ff ff e8 69 07 4b fa ba 7f 28 00 00 48 c7 c6 00 90 ae 8a 48 c7 c7 40 90 ae 8a c6 05 6d b1 51 06 01 e8 8c 90 d8 01 <0f> 0b e9 70 ee ff ff e8 3e 07 4b fa 4c 89 e7 e8 86 2a 59 fa e9 ee RSP: 0018:ffffc900046ff6e0 EFLAGS: 00010286 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000 RDX: ffff888050f51d00 RSI: ffffffff815fa008 RDI: fffff520008dfece RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff815f3d6e R11: 0000000000000000 R12: 00000000fffffff4 R13: dffffc0000000000 R14: ffffc900046ff750 R15: ffff88807b7dc000 FS: 00007f4ab736e700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007fee0b4f8990 CR3: 000000001e7d2000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <TASK> mroute_clean_tables+0x244/0xb40 net/ipv6/ip6mr.c:1509 ip6mr_free_table net/ipv6/ip6mr.c:389 [inline] ip6mr_rules_init net/ipv6/ip6mr.c:246 [inline] ip6mr_net_init net/ipv6/ip6mr.c:1306 [inline] ip6mr_net_init+0x3f0/0x4e0 net/ipv6/ip6mr.c:1298 ops_init+0xaf/0x470 net/core/net_namespace.c:140 setup_net+0x54f/0xbb0 net/core/net_namespace.c:331 copy_net_ns+0x318/0x760 net/core/net_namespace.c:475 create_new_namespaces+0x3f6/0xb20 kernel/nsproxy.c:110 copy_namespaces+0x391/0x450 kernel/nsproxy.c:178 copy_process+0x2e0c/0x7300 kernel/fork.c:2167 kernel_clone+0xe7/0xab0 kernel/fork.c:2555 __do_sys_clone+0xc8/0x110 kernel/fork.c:2672 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x7f4ab89f9059 Code: Unable to access opcode bytes at RIP 0x7f4ab89f902f. RSP: 002b:00007f4ab736e118 EFLAGS: 00000206 ORIG_RAX: 0000000000000038 RAX: ffffffffffffffda RBX: 00007f4ab8b0bf60 RCX: 00007f4ab89f9059 RDX: 0000000020000280 RSI: 0000000020000270 RDI: 0000000040200000 RBP: 00007f4ab8a5308d R08: 0000000020000300 R09: 0000000020000300 R10: 00000000200002c0 R11: 0000000000000206 R12: 0000000000000000 R13: 00007ffc3977cc1f R14: 00007f4ab736e300 R15: 0000000000022000 </TASK> Fixes: f243e5a7859a ("ipmr,ip6mr: call ip6mr_free_table() on failure path") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Cong Wang <cong.wang@bytedance.com> Reported-by: syzbot <syzkaller@googlegroups.com> Link: https://lore.kernel.org/r/20220208053451.2885398-1-eric.dumazet@gmail.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
f434c8896d |
This is the 4.14.265 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmICpXgACgkQONu9yGCS aT6+NxAAvBpCtxny/31ubyXztF8C182Q9PumND32nMATWi/bvaKDfJTtpWXAurQP BysgPyCrgYYUqf8ug7lJt3xHCo3zFcVhAacwEZsRE9rePaFJ/AcMSHC8dVG5uaRz q66j+flzCeumtLiOldAuJQLIWffk/y2iZ3UuQVkdP9HT6cj6ko7ZTvCYTQmBge44 8Ek+va4eDBzznIbeQvU2rwy+Hypjl6dYZq/0Jw4lKDFbZrRmGkqSybAhRofZj5DE 0hTIal1zfC1mH7FJqt/0ji5Gcql7DbABpRm2ewB9is7B4Y2bxKXVkgQhIbxavjiZ dTlpGWL+EmxrJv1f3t+QD8oWVaw3CHHb17i/JciXu/3tAr9yJ+ZQgzPXJIFOvsmj 4KYkjw0Lq0HfUpjJ6Auj7hqpQvgGuoeK9ef9Xb4jagNR+McS/pkiU7G0mztSRj8W rmGt5aa0cY10bsbtymeRr6D3uG/xiSHLmq7wj4LFCle5Gz34Z7vqU/sJkrDRegRR /5y6SeCjkarlKtNP2gnEv4usK4ZiUTl27BgIbXmKxX3irIbQBl9ORfx/YiNSjtRs 8YrcXkAG6gOzmK/ssHFJuiiXMQ0FXeAGO2R4VBaXgM6UB6vFoqJc3Qb1KzA4zwfc CA0quzCNTdcv4i+pk48ujMYgfnY1C4evMcCkN7saUCq9vDTSvPE= =CHbz -----END PGP SIGNATURE----- Merge 4.14.265 into android-4.14-stable Changes in 4.14.265 Bluetooth: refactor malicious adv data check s390/hypfs: include z/VM guests with access control group set scsi: zfcp: Fix failed recovery on gone remote port with non-NPIV FCP devices udf: Restore i_lenAlloc when inode expansion fails udf: Fix NULL ptr deref when converting from inline format PM: wakeup: simplify the output logic of pm_show_wakelocks() netfilter: nft_payload: do not update layer 4 checksum when mangling fragments serial: stm32: fix software flow control transfer tty: n_gsm: fix SW flow control encoding/handling tty: Add support for Brainboxes UC cards. usb-storage: Add unusual-devs entry for VL817 USB-SATA bridge usb: common: ulpi: Fix crash in ulpi_match() usb: gadget: f_sourcesink: Fix isoc transfer for USB_SPEED_SUPER_PLUS USB: core: Fix hang in usb_kill_urb by adding memory barriers usb: typec: tcpm: Do not disconnect while receiving VBUS off net: sfp: ignore disabled SFP node powerpc/32: Fix boot failure with GCC latent entropy plugin lkdtm: Fix content of section containing lkdtm_rodata_do_nothing() i40e: Increase delay to 1 s after global EMP reset i40e: fix unsigned stat widths rpmsg: char: Fix race between the release of rpmsg_ctrldev and cdev rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev scsi: bnx2fc: Flush destroy_work queue before calling bnx2fc_interface_put() ipv6_tunnel: Rate limit warning messages net: fix information leakage in /proc/net/ptype ping: fix the sk_bound_dev_if match in ping_lookup ipv4: avoid using shared IP generator for connected sockets hwmon: (lm90) Reduce maximum conversion rate for G781 NFSv4: Handle case where the lookup of a directory fails NFSv4: nfs_atomic_open() can race when looking up a non-regular file net-procfs: show net devices bound packet types drm/msm: Fix wrong size calculation drm/msm/dsi: invalid parameter check in msm_dsi_phy_enable ibmvnic: don't spin in tasklet yam: fix a memory leak in yam_siocdevprivate() ipv4: raw: lock the socket in raw_bind() ipv4: tcp: send zero IPID in SYNACK messages bpf: fix truncated jump targets on heavy expansions netfilter: nat: remove l4 protocol port rovers netfilter: nat: limit port clash resolution attempts ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback net: amd-xgbe: ensure to reset the tx_timer_active flag net: amd-xgbe: Fix skb data length underflow rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() af_packet: fix data-race in packet_setsockopt / packet_setsockopt audit: improve audit queue handling when "audit=1" on cmdline ASoC: ops: Reject out of bounds values in snd_soc_put_volsw() ASoC: ops: Reject out of bounds values in snd_soc_put_volsw_sx() ASoC: ops: Reject out of bounds values in snd_soc_put_xr_sx() drm/nouveau: fix off by one in BIOS boundary checking block: bio-integrity: Advance seed correctly for larger interval sizes RDMA/mlx4: Don't continue event handler after memory allocation failure iommu/vt-d: Fix potential memory leak in intel_setup_irq_remapping() iommu/amd: Fix loop timeout issue in iommu_ga_log_enable() spi: bcm-qspi: check for valid cs before applying chip select spi: mediatek: Avoid NULL pointer crash in interrupt spi: meson-spicc: add IRQ check in meson_spicc_probe net: ieee802154: ca8210: Stop leaking skb's net: ieee802154: Return meaningful error codes from the netlink helpers net: macsec: Verify that send_sci is on when setting Tx sci explicitly drm/i915/overlay: Prevent divide by zero bugs in scaling ASoC: fsl: Add missing error handling in pcm030_fabric_probe scsi: bnx2fc: Make bnx2fc_recv_frame() mp safe nfsd: nfsd4_setclientid_confirm mistakenly expires confirmed client. selftests: futex: Use variable MAKE instead of make rtc: cmos: Evaluate century appropriate EDAC/altera: Fix deferred probing EDAC/xgene: Fix deferred probing ext4: fix error handling in ext4_restore_inline_data() Linux 4.14.265 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia51a926162e82c5fa5bdef1de1056cb74114ef88 |
||
|
Eric Dumazet
|
6e742ffe68 |
ipv4: tcp: send zero IPID in SYNACK messages
[ Upstream commit 970a5a3ea86da637471d3cd04d513a0755aba4bf ]
In commit 431280eebed9 ("ipv4: tcp: send zero IPID for RST and
ACK sent in SYN-RECV and TIME-WAIT state") we took care of some
ctl packets sent by TCP.
It turns out we need to use a similar strategy for SYNACK packets.
By default, they carry IP_DF and IPID==0, but there are ways
to ask them to use the hashed IP ident generator and thus
be used to build off-path attacks.
(Ref: Off-Path TCP Exploits of the Mixed IPID Assignment)
One of this way is to force (before listener is started)
echo 1 >/proc/sys/net/ipv4/ip_no_pmtu_disc
Another way is using forged ICMP ICMP_FRAG_NEEDED
with a very small MTU (like 68) to force a false return from
ip_dont_fragment()
In this patch, ip_build_and_send_pkt() uses the following
heuristics.
1) Most SYNACK packets are smaller than IPV4_MIN_MTU and therefore
can use IP_DF regardless of the listener or route pmtu setting.
2) In case the SYNACK packet is bigger than IPV4_MIN_MTU,
we use prandom_u32() generator instead of the IPv4 hashed ident one.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Ray Che <xijiache@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Cc: Geoff Alexander <alexandg@cs.unm.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Eric Dumazet
|
225d15ac02 |
ipv4: raw: lock the socket in raw_bind()
[ Upstream commit 153a0d187e767c68733b8e9f46218eb1f41ab902 ] For some reason, raw_bind() forgot to lock the socket. BUG: KCSAN: data-race in __ip4_datagram_connect / raw_bind write to 0xffff8881170d4308 of 4 bytes by task 5466 on cpu 0: raw_bind+0x1b0/0x250 net/ipv4/raw.c:739 inet_bind+0x56/0xa0 net/ipv4/af_inet.c:443 __sys_bind+0x14b/0x1b0 net/socket.c:1697 __do_sys_bind net/socket.c:1708 [inline] __se_sys_bind net/socket.c:1706 [inline] __x64_sys_bind+0x3d/0x50 net/socket.c:1706 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff8881170d4308 of 4 bytes by task 5468 on cpu 1: __ip4_datagram_connect+0xb7/0x7b0 net/ipv4/datagram.c:39 ip4_datagram_connect+0x2a/0x40 net/ipv4/datagram.c:89 inet_dgram_connect+0x107/0x190 net/ipv4/af_inet.c:576 __sys_connect_file net/socket.c:1900 [inline] __sys_connect+0x197/0x1b0 net/socket.c:1917 __do_sys_connect net/socket.c:1927 [inline] __se_sys_connect net/socket.c:1924 [inline] __x64_sys_connect+0x3d/0x50 net/socket.c:1924 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x44/0xd0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0x00000000 -> 0x0003007f Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 5468 Comm: syz-executor.5 Not tainted 5.17.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Xin Long
|
86885cdf62 |
ping: fix the sk_bound_dev_if match in ping_lookup
commit 2afc3b5a31f9edf3ef0f374f5d70610c79c93a42 upstream.
When 'ping' changes to use PING socket instead of RAW socket by:
# sysctl -w net.ipv4.ping_group_range="0 100"
the selftests 'router_broadcast.sh' will fail, as such command
# ip vrf exec vrf-h1 ping -I veth0 198.51.100.255 -b
can't receive the response skb by the PING socket. It's caused by mismatch
of sk_bound_dev_if and dif in ping_rcv() when looking up the PING socket,
as dif is vrf-h1 if dif's master was set to vrf-h1.
This patch is to fix this regression by also checking the sk_bound_dev_if
against sdif so that the packets can stil be received even if the socket
is not bound to the vrf device but to the real iif.
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
bcb831d367 |
This is the 4.14.262 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmHdfsgACgkQONu9yGCS
aT7zvQ/+JRXgZnEUE7Eo0vq502fdZKJGezphKAnChYWons2kCusLPGXSVIxJ29uK
j88XFgdebt8aTs34SogJB90GyEEjDrQsHrauKPmk89ynd86cSb+meqmKEg3G+RnF
ka7y07cMnRZEGeT+IGG9Y9VxqvLc1h/5xQaGbpHscCielT0nIqV9UCfC7qbRQOlm
rMcXtiyoVMe4SNPgt8OEBP/RXEZo22eElmrRpE8S5vx8Sl9/uiRqBhOdIBGWGE1g
uSl0G9gL7Stc3pCnen9yDKuDH89cxdJeo1O2TMPjYTVo0uqljnZJfIrOWnhrZTDa
h4K5YLuZS4B17Wk9PRittn+9agdRMeQUgZZoGgh558kTWbzMIONmRv0aZx44WutP
ynvTkQlmaY4X720TsDttrQmZG6RvWGF8WmJQ7+wrk7yKVD6EQeBoEJ5uPqk0Ejhf
7dBOoZGmCgwTChyscMi2yUE3vlzL2cviWRpoUY4uh2plzk+9codfNJTTFr+RpiUx
7xbGR8RL+crkR7//7WATtxAuWMapFuKr8AtWywhTPJhH6k8gGLUsoQTrKtUoI1lQ
p0o4jPpN2Ka+aHgk2Oj8OwAu2/cGD/P2p8bHmZ+8WHIlfuCFqwzg/ywDmf7WBAnQ
ZskNN8utGLIrVG/2NKTyl8xvXH6Mp888kF2Qd8TV21Q5txynRck=
=o9fI
-----END PGP SIGNATURE-----
Merge 4.14.262 into android-4.14-stable
Changes in 4.14.262
Bluetooth: btusb: Apply QCA Rome patches for some ATH3012 models
tracing: Fix check for trace_percpu_buffer validity in get_trace_buf()
tracing: Tag trace_percpu_buffer as a percpu pointer
virtio_pci: Support surprise removal of virtio pci device
ieee802154: atusb: fix uninit value in atusb_set_extended_addr
RDMA/core: Don't infoleak GRH fields
mac80211: initialize variable have_higher_than_11mbit
i40e: fix use-after-free in i40e_sync_filters_subtask()
i40e: Fix incorrect netdev's real number of RX/TX queues
ipv6: Check attribute length for RTA_GATEWAY in multipath route
ipv6: Check attribute length for RTA_GATEWAY when deleting multipath route
sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc
xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate
power: reset: ltc2952: Fix use of floating point literals
rndis_host: support Hytera digital radios
phonet: refcount leak in pep_sock_accep
ipv6: Continue processing multipath route even if gateway attribute is invalid
ipv6: Do cleanup if attribute validation fails in multipath route
scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown()
ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate
net: udp: fix alignment problem in udp4_seq_show()
mISDN: change function names to avoid conflicts
Linux 4.14.262
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If12d6fc5097cc7b53f5dc04d93ce37f977d44e6f
|
||
yangxingwu
|
fa320a57a6 |
net: udp: fix alignment problem in udp4_seq_show()
[ Upstream commit 6c25449e1a32c594d743df8e8258e8ef870b6a77 ] $ cat /pro/net/udp before: sl local_address rem_address st tx_queue rx_queue tr tm->when 26050: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 26320: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 27135: 00000000:8472 00000000:0000 07 00000000:00000000 00:00000000 after: sl local_address rem_address st tx_queue rx_queue tr tm->when 26050: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 26320: 0100007F:0143 00000000:0000 07 00000000:00000000 00:00000000 27135: 00000000:8472 00000000:0000 07 00000000:00000000 00:00000000 Signed-off-by: yangxingwu <xingwu.yang@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
f3a2f786eb |
This is the 4.14.261 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmHVgigACgkQONu9yGCS aT4LLhAA2LPgWT+YRh7rggiqYUHf/ZKENGgjsnqAQPS+FjKklvI5cCcs2nyVMGwz y2paHiyEAqnffJR6dHNi+f4GALdRQbzVDZN5OUDPh07LD6m7kfePGF3XvT0peGuN hmlTeDW2nABzdzQm5M47kDWwB0d4NHrqOu22VQ+BmEdRiHrCnLcZqvkO01fh9gYt DSFopfINvYLMUu97cFseP1ayKGteJN7uQtxYke8ElxL8DLjSC5c5iixAgaOiLqDq ieOHDpaR7j7exCic423sk6pFcgbu1iDYYLJADwaXcuMnzEM4uKIdctABn5Oe43D4 P0ySQ2UJfRSHypyuvkTLt0YpYn6OhBrX/Tve09ot6Kk7ouLE4oqIvZImpEWZmiub 8NGATLPQPTUrmC48QKu0BgIsVNQl1yp9KWyJzG1CFAM2jMjYuHY6Vn5DErkIlsyv CpdEpW7JQPiAyfR1VFB4WRMzQlTcjNoX6DssYFYU+N4vh0nB+noPfzOw5JLA002+ 85YWWYirSxBRdncWQy0Xpw+iMGqEh4Kx+8mF+8DeVf156UnhZuRmhxuBJTBDXibn uBo3nwsSzuc79VqbnOwzrJuJmLqlbHxyUwHzyubCbOuECWoAvfzb+Rg/p5u0Zt2J zdCGJGlJByzPG/Ver6pK3GGuiAwo6rHPvCZrWDHcyL1Ph/Ds4NQ= =BUz9 -----END PGP SIGNATURE----- Merge 4.14.261 into android-4.14-stable Changes in 4.14.261 HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option tee: handle lookup of shm with reference count 0 platform/x86: apple-gmux: use resource_size() with res recordmcount.pl: fix typo in s390 mcount regex selinux: initialize proto variable in selinux_ip_postroute_compat() scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() net: usb: pegasus: Do not drop long Ethernet frames NFC: st21nfca: Fix memory leak in device probe and remove fsl/fman: Fix missing put_device() call in fman_port_probe nfc: uapi: use kernel size_t to fix user-space builds uapi: fix linux/nfc.h userspace compilation errors xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set. usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. binder: fix async_free_space accounting for empty parcels scsi: vmw_pvscsi: Set residual data length conditionally Input: appletouch - initialize work before device registration Input: spaceball - fix parsing of movement data packets net: fix use-after-free in tw_timer_handler sctp: use call_rcu to free endpoint Linux 4.14.261 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I778bc28ac0835029328e2b503cb8fa241981c610 |
||
Muchun Song
|
5c2fe20ad3 |
net: fix use-after-free in tw_timer_handler
commit e22e45fc9e41bf9fcc1e92cfb78eb92786728ef0 upstream.
A real world panic issue was found as follow in Linux 5.4.
BUG: unable to handle page fault for address: ffffde49a863de28
PGD 7e6fe62067 P4D 7e6fe62067 PUD 7e6fe63067 PMD f51e064067 PTE 0
RIP: 0010:tw_timer_handler+0x20/0x40
Call Trace:
<IRQ>
call_timer_fn+0x2b/0x120
run_timer_softirq+0x1ef/0x450
__do_softirq+0x10d/0x2b8
irq_exit+0xc7/0xd0
smp_apic_timer_interrupt+0x68/0x120
apic_timer_interrupt+0xf/0x20
This issue was also reported since 2017 in the thread [1],
unfortunately, the issue was still can be reproduced after fixing
DCCP.
The ipv4_mib_exit_net is called before tcp_sk_exit_batch when a net
namespace is destroyed since tcp_sk_ops is registered befrore
ipv4_mib_ops, which means tcp_sk_ops is in the front of ipv4_mib_ops
in the list of pernet_list. There will be a use-after-free on
net->mib.net_statistics in tw_timer_handler after ipv4_mib_exit_net
if there are some inflight time-wait timers.
This bug is not introduced by commit f2bf415cfed7 ("mib: add net to
NET_ADD_STATS_BH") since the net_statistics is a global variable
instead of dynamic allocation and freeing. Actually, commit
61a7e26028b9 ("mib: put net statistics on struct net") introduces
the bug since it put net statistics on struct net and free it when
net namespace is destroyed.
Moving init_ipv4_mibs() to the front of tcp_init() to fix this bug
and replace pr_crit() with panic() since continuing is meaningless
when init_ipv4_mibs() fails.
[1] https://groups.google.com/g/syzkaller/c/p1tn-_Kc6l4/m/smuL_FMAAgAJ?pli=1
Fixes: 61a7e26028b9 ("mib: put net statistics on struct net")
Signed-off-by: Muchun Song <songmuchun@bytedance.com>
Cc: Cong Wang <cong.wang@bytedance.com>
Cc: Fam Zheng <fam.zheng@bytedance.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20211228104145.9426-1-songmuchun@bytedance.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
6d1f178f21 |
This is the 4.14.257 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGwYv4ACgkQONu9yGCS aT4HeQ/8Dn/KYB6zzi6YenfG8JyTdkcIZ4Y1ElurgF5RX9/JUQbw0l5EDWsmG/IN 0JUn7KsT+eStnaI2AUj175K4oZE1l3cZxvPGEOB3ynv9/is+iSyVHARrtR1ITTO3 +YTO6ZXKLUI+oMVo3SHr6dxr6kkT0b0BDgaroaYLgVqknpPQMDQvx35ZG7E2NL4O R6ou66nG/TKTbtn7vBCCoERMcPH6TEYUhi7p+L/+cdQs2/li3JDo/d3/3WGAb0ej 0kXX16VCEghicoE8m2TOA9TAgGs6nF3i6H2ZiCMl4m0gqAcr4IdAxDzD3a5IfUV9 pt1fmz+7DNrWTxv9e5ST5R5poAIoSuuVQfNQDV4MjeDLmh5ujyl/5WUk5rYQQ9vw vRtu5DrSrSNM15jOZnlCQxlcu/1xqRKuixWQbupawhKNN00w6yJKxuQ3oM87AvX+ OX0tp6FdXVoDO2sP1xXp9o7G5DDrQq9Lh5gNen6BaVF00VawM77UjJ+ijwmCUWXf jhfAyDXZEPNRijlwcOq8rtXVb68ZhQ2sT0HVJ22ppx70bglD1FgfvGPYxFf4BIxz g+MsaMUU3rgXxIo7xatAC6NnCPMC8feYINGbf+L/MDgvySf3GU84JOIeM/MDMawe coZQpDreHcYZQtbECpeFVuEA8hTaLCvmxowbG7uVRj1sNvpxxik= =dp5S -----END PGP SIGNATURE----- Merge 4.14.257 into android-4.14-stable Changes in 4.14.257 USB: serial: option: add Telit LE910S1 0x9200 composition USB: serial: option: add Fibocom FM101-GL variants usb: hub: Fix usb enumeration issue due to address0 race usb: hub: Fix locking issues with address0_mutex binder: fix test regression due to sender_euid change ALSA: ctxfi: Fix out-of-range access media: cec: copy sequence field for the reply HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() fuse: fix page stealing xen: don't continue xenstore initialization in case of errors xen: detect uninitialized xenbus in xenbus_init tracing: Fix pid filtering when triggers are attached netfilter: ipvs: Fix reuse connection if RS weight is 0 ARM: dts: BCM5301X: Fix I2C controller interrupt ARM: dts: BCM5301X: Add interrupt properties to GPIO node ASoC: topology: Add missing rwsem around snd_ctl_remove() calls net: ieee802154: handle iftypes as u32 NFSv42: Don't fail clone() unless the OP_CLONE operation failed ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE scsi: mpt3sas: Fix kernel panic during drive powercycle test drm/vc4: fix error code in vc4_create_object() ipv6: fix typos in __ip6_finish_output() net/smc: Ensure the active closing peer first closes clcsock PM: hibernate: use correct mode for swsusp_close() tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48 net/smc: Don't call clcsock shutdown twice when smc shutdown vhost/vsock: fix incorrect used length reported to the guest tracing: Check pid filtering when creating events s390/mm: validate VMA in PGSTE manipulation functions PCI: aardvark: Fix I/O space page leak PCI: aardvark: Fix a leaked reference by adding missing of_node_put() PCI: aardvark: Wait for endpoint to be ready before training link PCI: aardvark: Train link immediately after enabling training PCI: aardvark: Improve link training PCI: aardvark: Issue PERST via GPIO PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros PCI: aardvark: Indicate error in 'val' when config read fails PCI: aardvark: Introduce an advk_pcie_valid_device() helper PCI: aardvark: Don't touch PCIe registers if no card connected PCI: aardvark: Fix compilation on s390 PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link() PCI: aardvark: Update comment about disabling link training PCI: aardvark: Remove PCIe outbound window configuration PCI: aardvark: Configure PCIe resources from 'ranges' DT property PCI: aardvark: Fix PCIe Max Payload Size setting PCI: Add PCI_EXP_LNKCTL2_TLS* macros PCI: aardvark: Fix link training PCI: aardvark: Fix checking for link up via LTSSM state pinctrl: armada-37xx: Correct mpp definitions pinctrl: armada-37xx: add missing pin: PCIe1 Wakeup pinctrl: armada-37xx: Correct PWM pins definitions arm64: dts: marvell: armada-37xx: declare PCIe reset pin arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function hugetlbfs: flush TLBs correctly after huge_pmd_unshare proc/vmcore: fix clearing user buffer by properly using clear_user() NFC: add NCI_UNREG flag to eliminate the race fuse: release pipe buf after last use xen: sync include/xen/interface/io/ring.h with Xen's newest version xen/blkfront: read response from backend only once xen/blkfront: don't take local copy of a request from the ring page xen/blkfront: don't trust the backend response data blindly xen/netfront: read response from backend only once xen/netfront: don't read data from request on the ring page xen/netfront: disentangle tx_skb_freelist xen/netfront: don't trust the backend response data blindly tty: hvc: replace BUG_ON() with negative return value shm: extend forced shm destroy to support objects from several IPC nses ipc: WARN if trying to remove ipc object which is absent NFSv42: Fix pagecache invalidation after COPY/CLONE hugetlb: take PMD sharing into account when flushing tlb/caches net: return correct error code platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep s390/setup: avoid using memblock_enforce_memory_limit btrfs: check-integrity: fix a warning on write caching disabled disk thermal: core: Reset previous low and high trip during thermal zone init scsi: iscsi: Unblock session then wake up error handler ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() perf hist: Fix memory leak of a perf_hpp_fmt vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit kprobes: Limit max data_size of the kretprobe instances sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl fs: add fget_many() and fput_many() fget: check that the fd still exists after getting a ref to it natsemi: xtensa: fix section mismatch warnings net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() net: mpls: Fix notifications when deleting a device siphash: use _unaligned version by default net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available net/rds: correct socket tunable error in rds_tcp_tune() net/smc: Keep smc_close_final rc during active close parisc: Fix KBUILD_IMAGE for self-extracting kernel parisc: Fix "make install" on newer debian releases vgacon: Propagate console boot parameters before calling `vc_resize' xhci: Fix commad ring abort, write all 64 bits to CRCR register. usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect x86/64/mm: Map all kernel memory into trampoline_pgd tty: serial: msm_serial: Deactivate RX DMA for polling support serial: pl011: Add ACPI SBSA UART match id serial: core: fix transmit-buffer reset and memleak parisc: Mark cr16 CPU clocksource unstable on all SMP machines Linux 4.14.257 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3148611f406a61ce3d7ff7dcb56977a114a4f499 |
||
liuguoqiang
|
1ce4633f9b |
net: return correct error code
[ Upstream commit 6def480181f15f6d9ec812bca8cbc62451ba314c ] When kmemdup called failed and register_net_sysctl return NULL, should return ENOMEM instead of ENOBUFS Signed-off-by: liuguoqiang <liuguoqiang@uniontech.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
63e8aabe1f |
tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows
[ Upstream commit 4e1fddc98d2585ddd4792b5e44433dcee7ece001 ]
While testing BIG TCP patch series, I was expecting that TCP_RR workloads
with 80KB requests/answers would send one 80KB TSO packet,
then being received as a single GRO packet.
It turns out this was not happening, and the root cause was that
cubic Hystart ACK train was triggering after a few (2 or 3) rounds of RPC.
Hystart was wrongly setting CWND/SSTHRESH to 30, while my RPC
needed a budget of ~20 segments.
Ideally these TCP_RR flows should not exit slow start.
Cubic Hystart should reset itself at each round, instead of assuming
every TCP flow is a bulk one.
Note that even after this patch, Hystart can still trigger, depending
on scheduling artifacts, but at a higher CWND/SSTHRESH threshold,
keeping optimal TSO packet sizes.
Tested:
ip link set dev eth0 gro_ipv6_max_size 131072 gso_ipv6_max_size 131072
nstat -n; netperf -H ... -t TCP_RR -l 5 -- -r 80000,80000 -K cubic; nstat|egrep "Ip6InReceives|Hystart|Ip6OutRequests"
Before:
8605
Ip6InReceives 87541 0.0
Ip6OutRequests 129496 0.0
TcpExtTCPHystartTrainDetect 1 0.0
TcpExtTCPHystartTrainCwnd 30 0.0
After:
8760
Ip6InReceives 88514 0.0
Ip6OutRequests 87975 0.0
Fixes: ae27e98a5152 ("[TCP] CUBIC v2.3")
Co-developed-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Link: https://lore.kernel.org/r/20211123202535.1843771-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
5b2d33ae99 |
This is the 4.14.254 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGBdJsACgkQONu9yGCS aT4zDw//YE8I0I0rJ1b3kDjbrTmjGj/NBQ5GxAD3GAlBxWqRTMBRQgbW3BhI0Yfg x/gHyRvUNJit9JWXK5l+WQl+XvHALBUT3FuZXhAy+KjIUXt56/1mAwDyz+gYkhg8 GE0DDzNwWBtH2+TdKb0AQDaeYqyQKlURBfTZ906ZTC7Vs4++Cewx6WbZnB37d6Dr 6z0g105856fXMPB+HaTLVBgPyXWXSRWPtkaFHfw++z4LHs5eUs/bdAAJZ6gof7no 2AMlF/tpLwG9K9envEdooLtZc0gxHW93OfEh2HWLEr4aqjHYjJb/O1qiJgTfJl2A SgTf30UlRCqCBZKFXFBC6tuyyNDLzvUlyoSSQMXF7ByHh3I+uyS+1MiQRgvquS7n KrhBupYkW7YXI8mawT2NZRpe7DLvOeb6hPKrTxOan/f6/0psS5D4NfWDP0RmYzVF uAL6P4s22Q030lHJL13WhK31STX+GwjNHCtFIbN3ADqJ9bnVKsaqLcCs3eMbOrmC eVJS8X80IDM1clyLZUL1ifIq98zzeFQe9kUFX2jRE0cCUrwjQrJUzKEJoBLf2iU0 FL79xVd2hYy6r+8gbd5fwfMNnCQZhtmp6qfzoxIonW59mgrETvFVahJ09VpFXPKp 5yN3XQ/XVqSxSw9eKoNkk/fSdjoM9UvX7lv+HMi9yR3cbPWAT08= =maIs -----END PGP SIGNATURE----- Merge 4.14.254 into android-4.14-stable Changes in 4.14.254 ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned ARM: 9134/1: remove duplicate memcpy() definition ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype powerpc/bpf: Fix BPF_MOD when imm == 1 ARM: 8819/1: Remove '-p' from LDFLAGS usbnet: sanity check for maxpacket usbnet: fix error return code in usbnet_probe() ata: sata_mv: Fix the error handling of mv_chip_id() nfc: port100: fix using -ERRNO as command type mask Revert "net: mdiobus: Fix memory leak in __mdiobus_register" ipv4: use siphash instead of Jenkins in fnhe_hashfun() mmc: vub300: fix control-message timeouts mmc: dw_mmc: exynos: fix the finding clock sample value mmc: sdhci: Map more voltage level to SDHCI_POWER_330 mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit net: lan78xx: fix division by zero in send path regmap: Fix possible double-free in regcache_rbtree_exit() net: batman-adv: fix error handling nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST net: nxp: lpc_eth.c: avoid hang when bringing interface down sctp: use init_tag from inithdr for ABORT chunk sctp: fix the processing for COOKIE_ECHO chunk sctp: add vtag check in sctp_sf_violation sctp: add vtag check in sctp_sf_do_8_5_1_E_sa sctp: add vtag check in sctp_sf_ootb Linux 4.14.254 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If7f3b585ec959656b73cd002a6f87d7b6c281679 |
||
|
Eric Dumazet
|
b31aa41bf1 |
ipv4: use siphash instead of Jenkins in fnhe_hashfun()
commit 6457378fe796815c973f631a1904e147d6ee33b1 upstream.
A group of security researchers brought to our attention
the weakness of hash function used in fnhe_hashfun().
Lets use siphash instead of Jenkins Hash, to considerably
reduce security risks.
Also remove the inline keyword, this really is distracting.
Fixes: d546c621542d ("ipv4: harden fnhe_hashfun()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Keyu Man <kman001@ucr.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
[OP: adjusted context for 4.14 stable]
Signed-off-by: Ovidiu Panait <ovidiu.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
cfc22a96e4 |
This is the 4.14.249 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmFdn9cACgkQONu9yGCS aT4c8RAAmsot4sCk8/MOhAhN/8a8anvjZvqjJbOnYvb5uLI2NtRRbeKgWNBmyZsr uYcv/2LzfrizVIsX6IfvTsGrLkXTVzJ6kClK9x5NMJWBYPlSkWWPPeuJ+BNqExLx o7XlbSHwQO1TTB2I2/ViNQSVjhnk5K33/c6mq6cv2v2DWwufm/X3zOy8bdz3eChS un3qGfjvhDUskNrAOpWNLbo2QlVJq1uIRyWFK6mcge8nLC4Ux/k4zSBEmDXq+0H4 Ywi6kyft739NdQHY0IJxxeoYFk4csYogy0HK7aZehFfXnWG/XAcWwtovFiR9YGBk mSHsnmQYAofTOvicHLGenJz6Bnpe/N2qeifVB2XBO0i7Pr6YzVt2xFZRz27FExuX jSIFMI7TzqxReUoydwQMGNGMICFJWtDgnDzjQzi8j+Fti6uKxlFiDucd1zxqDMiA 6/FUurIuh4C3XmdzNpnzC9Ju8BF/tfF2yj+pT+pHj+9VPySVl6ufuYNGSwHoeFq+ 5Nh1sXiqS+k5KUiJJppY2cNP4/1DJ08OsT6KHQVZtGc4I/UmtJAjxloEhaRkRusO OFnN2kYroZnDORG/zQiFr77dWVnYG+2zaMPsKL0yLCYwoUMVyBJtx9tiMuyJ59zr oAnGsWxbx+DlKuU/8iuhV3ZBKIEpok2XNxOVEf8EAw33UDDG+RU= =u93P -----END PGP SIGNATURE----- Merge 4.14.249 into android-4.14-stable Changes in 4.14.249 ocfs2: drop acl cache for directories too usb: gadget: r8a66597: fix a loop in set_feature() usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() cifs: fix incorrect check for null pointer in header_assemble xen/x86: fix PV trap handling on secondary processors usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter staging: greybus: uart: fix tty use after free Re-enable UAS for LaCie Rugged USB3-FW with fk quirk USB: serial: mos7840: remove duplicated 0xac24 device ID USB: serial: option: add Telit LN920 compositions USB: serial: option: remove duplicate USB device ID USB: serial: option: add device id for Foxconn T99W265 mcb: fix error handling in mcb_alloc_bus() serial: mvebu-uart: fix driver's tx_empty callback net: hso: fix muxed tty registration bnxt_en: Fix TX timeout when TX ring size is set to the smallest net/mlx4_en: Don't allow aRFS for encapsulated packets scsi: iscsi: Adjust iface sysfs attr detection thermal/core: Potential buffer overflow in thermal_build_list_of_policies() irqchip/gic-v3-its: Fix potential VPE leak on error md: fix a lock order reversal in md_alloc blktrace: Fix uaf in blk_trace access after removing by sysfs net: macb: fix use after free on rmmod net: stmmac: allow CSR clock of 300MHz m68k: Double cast io functions to unsigned long xen/balloon: use a kernel thread instead a workqueue compiler.h: Introduce absolute_pointer macro net: i825xx: Use absolute_pointer for memcpy from fixed memory location sparc: avoid stringop-overread errors qnx4: avoid stringop-overread errors parisc: Use absolute_pointer() to define PAGE0 arm64: Mark __stack_chk_guard as __ro_after_init alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile net: 6pack: Fix tx timeout and slot time spi: Fix tegra20 build with CONFIG_PM=n arm64: dts: marvell: armada-37xx: Extend PCIe MEM space PCI: aardvark: Fix checking for PIO Non-posted Request PCI: aardvark: Fix checking for PIO status xen/balloon: fix balloon kthread freezing qnx4: work around gcc false positive warning bug tty: Fix out-of-bound vmalloc access in imageblit cpufreq: schedutil: Use kobject release() method to free sugov_tunables cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory mac80211: fix use-after-free in CCMP/GCMP RX ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb hwmon: (tmp421) fix rounding for negative values e100: fix length calculation in e100_get_regs_len e100: fix buffer overrun in e100_get_regs scsi: csiostor: Add module softdep on cxgb4 af_unix: fix races in sk_peer_pid and sk_peer_cred accesses ipack: ipoctal: fix stack information leak ipack: ipoctal: fix tty registration race ipack: ipoctal: fix tty-registration error handling ipack: ipoctal: fix missing allocation-failure check ipack: ipoctal: fix module reference leak ext4: fix potential infinite loop in ext4_dx_readdir() net: udp: annotate data race around udp_sk(sk)->corkflag EDAC/synopsys: Fix wrong value type assignment for edac_mode ARM: 9077/1: PLT: Move struct plt_entries definition to header ARM: 9078/1: Add warn suppress parameter to arm_gen_branch_link() ARM: 9079/1: ftrace: Add MODULE_PLTS support ARM: 9098/1: ftrace: MODULE_PLT: Fix build problem without DYNAMIC_FTRACE arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 hso: fix bailout in error case of probe usb: hso: fix error handling code of hso_create_net_device usb: hso: remove the bailout parameter crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() HID: betop: fix slab-out-of-bounds Write in betop_probe netfilter: ipset: Fix oversized kvmalloc() calls HID: usbhid: free raw_report buffers in usbhid_stop cred: allow get_cred() and put_cred() to be given NULL. Linux 4.14.249 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I931112fb81b334e62b163a45bb780da0fe94c225 |
||
|
Eric Dumazet
|
dfe1064adf |
net: udp: annotate data race around udp_sk(sk)->corkflag
commit a9f5970767d11eadc805d5283f202612c7ba1f59 upstream.
up->corkflag field can be read or written without any lock.
Annotate accesses to avoid possible syzbot/KCSAN reports.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
1dff798c56 |
This is the 4.14.247 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmFK+1EACgkQONu9yGCS aT7r6hAArGmJXgI+6YUtwD5lyBuN5L4epJeT3IZklAFcWlQKllkT1t9p4D9TSkgJ KxelHIKWkh3Mi67rERzT35vR69s43UgFluSn/oUGqJApG6MUHGsb4T9QC6lvqDRs TAGt5RY8WQPwkEcnR5qSRKxejdqQGpz8N0g8xSiLpakAavJO2/1jERYUDNDlS05b oZlQdZB2CHFDL7xjDLB7Zl12mRPWWnEGTjcVGaurRuUivJxVFVqCFN2tiozwC0f1 5ZdVsAynPMl06Q8Kr+S5LfHeZ8XzqwPD4VUJfZAfak6AOsvsBa27vqJ7G6qgMfoj 7uXBXwhw7AJwnQ8j2yLkvrh1Q0TdeL6dHAekuc8+ekPvyD026FwiqNUZFlL9JANu 63EY3arvXg1vfugNE13GYcRcMuo7wdYViGYvQbhG4B/lhsvYfpHcTgaORqQwnsOh gSm4SdNmGcKG7ih/oe1mrPRtI86t7eN2oAnKFpCe57I50xfKv+IGBDELy3SeVx1O jXRgR6+TeLZ3lrgMxSrrRThn4q+OOwWYzZ3Z9AVEsFZ2HZSsRC3/I71YcU2N8pvl VEGbXhhuDvGzI94ouyep7p9zXliy7k+c3RYzXAoStkxdGIpACbca9a6qxpCkkRRA l8ZIqYYGs/jGasTsoOYHaMz9GVG9EsP3g6XyQL4LCQ6xBKuPzRY= =Fuci -----END PGP SIGNATURE----- Merge 4.14.247 into android-4.14-stable Changes in 4.14.247 ext4: fix race writing to an inline_data file while its xattrs are changing xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG qed: Fix the VF msix vectors flow net: macb: Add a NULL check on desc_ptp qede: Fix memset corruption perf/x86/intel/pt: Fix mask of num_address_ranges perf/x86/amd/ibs: Work around erratum #1197 cryptoloop: add a deprecation warning ARM: 8918/2: only build return_address() if needed ALSA: pcm: fix divide error in snd_pcm_lib_ioctl clk: fix build warning for orphan_list media: stkwebcam: fix memory leak in stk_camera_probe igmp: Add ip_mc_list lock in ip_check_mc_rcu USB: serial: mos7720: improve OOM-handling in read_mos_reg() f2fs: fix potential overflow ath10k: fix recent bandwidth conversion bug ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2) s390/disassembler: correct disassembly lines alignment mm/kmemleak.c: make cond_resched() rate-limiting more efficient crypto: talitos - reduce max key size for SEC1 powerpc/module64: Fix comment in R_PPC64_ENTRY handling powerpc/boot: Delete unneeded .globl _zimage_start net: ll_temac: Remove left-over debug message mm/page_alloc: speed up the iteration of max_order Revert "btrfs: compression: don't try to compress if we don't have enough pages" usb: host: xhci-rcar: Don't reload firmware after the completion x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions PCI: Call Max Payload Size-related fixup quirks early regmap: fix the offset of register error log crypto: mxs-dcp - Check for DMA mapping errors power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() udf: Check LVID earlier isofs: joliet: Fix iocharset=utf8 mount option nvme-rdma: don't update queue count when failing to set io queues power: supply: max17042_battery: fix typo in MAx17042_TOFF s390/cio: add dev_busid sysfs entry for each subchannel libata: fix ata_host_start() crypto: qat - do not ignore errors from enable_vf2pf_comms() crypto: qat - handle both source of interrupt in VF ISR crypto: qat - fix reuse of completion variable crypto: qat - fix naming for init/shutdown VF to PF notifications crypto: qat - do not export adf_iov_putmsg() udf_get_extendedattr() had no boundary checks. m68k: emu: Fix invalid free in nfeth_cleanup() spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config spi: spi-pic32: Fix issue with uninitialized dma_slave_config clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel crypto: qat - use proper type for vf_mask certs: Trigger creation of RSA module signing key if it's not an RSA key soc: rockchip: ROCKCHIP_GRF should not default to y, unconditionally media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init media: dvb-usb: fix uninit-value in vp702x_read_mac_addr media: go7007: remove redundant initialization Bluetooth: sco: prevent information leak in sco_conn_defer_accept() tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos net: cipso: fix warnings in netlbl_cipsov4_add_std i2c: highlander: add IRQ check media: em28xx-input: fix refcount bug in em28xx_usb_disconnect PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently PCI: PM: Enable PME if it can be signaled from D3cold soc: qcom: smsm: Fix missed interrupts if state changes while masked Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow arm64: dts: exynos: correct GIC CPU interfaces address range on Exynos7 Bluetooth: fix repeated calls to sco_sock_kill drm/msm/dsi: Fix some reference counted resource leaks usb: gadget: udc: at91: add IRQ check usb: phy: fsl-usb: add IRQ check usb: phy: twl6030: add IRQ checks Bluetooth: Move shutdown callback before flushing tx and rx queue usb: host: ohci-tmio: add IRQ check usb: phy: tahvo: add IRQ check mac80211: Fix insufficient headroom issue for AMSDU usb: gadget: mv_u3d: request_irq() after initializing UDC Bluetooth: add timeout sanity check to hci_inquiry i2c: iop3xx: fix deferred probing i2c: s3c2410: fix IRQ check mmc: dw_mmc: Fix issue with uninitialized dma_slave_config mmc: moxart: Fix issue with uninitialized dma_slave_config CIFS: Fix a potencially linear read overflow i2c: mt65xx: fix IRQ check usb: ehci-orion: Handle errors of clk_prepare_enable() in probe usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available tty: serial: fsl_lpuart: fix the wrong mapbase value ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() bcma: Fix memory leak for internally-handled cores ipv4: make exception cache less predictible net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed net: qualcomm: fix QCA7000 checksum handling netns: protect netns ID lookups with RCU tty: Fix data race between tiocsti() and flush_to_ldisc() x86/resctrl: Fix a maybe-uninitialized build warning treated as error KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is adjusted IMA: remove -Wmissing-prototypes warning backlight: pwm_bl: Improve bootloader/kernel device handover clk: kirkwood: Fix a clocking boot regression fbmem: don't allow too huge resolutions rtc: tps65910: Correct driver module alias blk-zoned: allow zone management send operations without CAP_SYS_ADMIN blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN PCI/MSI: Skip masking MSI-X on Xen PV powerpc/perf/hv-gpci: Fix counter value parsing xen: fix setting of max_pfn in shared_info include/linux/list.h: add a macro to test if entry is pointing to the head 9p/xen: Fix end of loop tests for list_for_each_entry soc: aspeed: lpc-ctrl: Fix boundary check for mmap crypto: public_key: fix overflow during implicit conversion block: bfq: fix bfq_set_next_ioprio_data() power: supply: max17042: handle fails of reading status register dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc() VMCI: fix NULL pointer dereference when unmapping queue pair media: uvc: don't do DMA on stack media: rc-loopback: return number of emitters rather than error libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs ARM: 9105/1: atags_to_fdt: don't warn about stack size PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure PCI: xilinx-nwl: Enable the clock through CCF PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response PCI: aardvark: Fix masking and unmasking legacy INTx interrupts HID: input: do not report stylus battery state as "full" RDMA/iwcm: Release resources if iw_cm module initialization fails docs: Fix infiniband uverbs minor number pinctrl: samsung: Fix pinctrl bank pin count vfio: Use config not menuconfig for VFIO_NOIOMMU openrisc: don't printk() unconditionally pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() scsi: qedi: Fix error codes in qedi_alloc_global_queues() MIPS: Malta: fix alignment of the devicetree buffer media: dib8000: rewrite the init prbs logic crypto: mxs-dcp - Use sg_mapping_iter to copy data PCI: Use pci_update_current_state() in pci_enable_device_flags() iio: dac: ad5624r: Fix incorrect handling of an optional regulator. ARM: dts: qcom: apq8064: correct clock names video: fbdev: kyro: fix a DoS bug by restricting user input netlink: Deal with ESRCH error in nlmsg_notify() Smack: Fix wrong semantics in smk_access_entry() usb: host: fotg210: fix the endpoint's transactional opportunities calculation usb: host: fotg210: fix the actual_length of an iso packet usb: gadget: u_ether: fix a potential null pointer dereference usb: gadget: composite: Allow bMaxPower=0 if self-powered staging: board: Fix uninitialized spinlock when attaching genpd tty: serial: jsm: hold port lock when reporting modem line changes bpf/tests: Fix copy-and-paste error in double word test bpf/tests: Do not PASS tests without actually testing the result video: fbdev: asiliantfb: Error out if 'pixclock' equals zero video: fbdev: kyro: Error out if 'pixclock' equals zero video: fbdev: riva: Error out if 'pixclock' equals zero ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs() flow_dissector: Fix out-of-bounds warnings s390/jump_label: print real address in a case of a jump label bug serial: 8250: Define RX trigger levels for OxSemi 950 devices xtensa: ISS: don't panic in rs_init hvsi: don't panic on tty_register_driver failure serial: 8250_pci: make setup_port() parameters explicitly unsigned staging: ks7010: Fix the initialization of the 'sleep_status' structure ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init() Bluetooth: skip invalid hci_sync_conn_complete_evt ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps for the matching in-/output media: v4l2-dv-timings.c: fix wrong condition in two for-loops arm64: dts: qcom: sdm660: use reg value for memory node net: ethernet: stmmac: Do not use unreachable() in ipq806x_gmac_probe() Bluetooth: avoid circular locks in sco_sock_connect gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() ARM: tegra: tamonten: Fix UART pad setting rpc: fix gss_svc_init cleanup on failure staging: rts5208: Fix get_ms_information() heap buffer size gfs2: Don't call dlm after protocol is unmounted mmc: sdhci-of-arasan: Check return value of non-void funtions mmc: rtsx_pci: Fix long reads when clock is prescaled selftests/bpf: Enlarge select() timeout for test_maps cifs: fix wrong release in sess_alloc_buffer() failed path Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set" usb: musb: musb_dsps: request_irq() after initializing musb usbip: give back URBs for unsent unlink requests during cleanup usbip:vhci_hcd USB port can get stuck in the disabled state ASoC: rockchip: i2s: Fix regmap_ops hang ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B parport: remove non-zero check on count ath9k: fix OOB read ar9300_eeprom_restore_internal ath9k: fix sleeping in atomic context net: fix NULL pointer reference in cipso_v4_doi_free net: w5100: check return value after calling platform_get_resource() parisc: fix crash with signals and alloca scsi: BusLogic: Fix missing pr_cont() use scsi: qla2xxx: Sync queue idx with queue_pair_map idx cpufreq: powernv: Fix init_chip_info initialization in numa=off mm/hugetlb: initialize hugetlb_usage in mm_init memcg: enable accounting for pids in nested pid namespaces platform/chrome: cros_ec_proto: Send command again when timeout occurs xen: reset legacy rtc flag for PV domU bnx2x: Fix enabling network interfaces without VFs PM: base: power: don't try to use non-existing RTC for storing data x86/mm: Fix kern_addr_valid() to cope with existing but not present entries net-caif: avoid user-triggerable WARN_ON(1) ptp: dp83640: don't define PAGE0 dccp: don't duplicate ccid when cloning dccp sock net/l2tp: Fix reference count leak in l2tp_udp_recv_core r6040: Restore MDIO clock frequency after MAC reset tipc: increase timeout in tipc_sk_enqueue() events: Reuse value read using READ_ONCE instead of re-reading it net/af_unix: fix a data-race in unix_dgram_poll tcp: fix tp->undo_retrans accounting in tcp_sacktag_one() mm/memory_hotplug: use "unsigned long" for PFN in zone_for_pfn_range() dt-bindings: mtd: gpmc: Fix the ECC bytes vs. OOB bytes equation mfd: Don't use irq_create_mapping() to resolve a mapping PCI: Add ACS quirks for Cavium multi-function devices net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920 ethtool: Fix an error code in cxgb2.c PCI: Sync __pci_register_driver() stub for CONFIG_PCI=n mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' ARC: export clear_user_page() for modules net: dsa: b53: Fix calculating number of switch ports netfilter: socket: icmp6: fix use-after-scope qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom net: renesas: sh_eth: Fix freeing wrong tx descriptor s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant Linux 4.14.247 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If4d48fb4bfd873036c9584406e8cf4ebbdb8a655 |
||
zhenggy
|
5f842ee68a |
tcp: fix tp->undo_retrans accounting in tcp_sacktag_one()
commit 4f884f3962767877d7aabbc1ec124d2c307a4257 upstream.
Commit 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit
time") may directly retrans a multiple segments TSO/GSO packet without
split, Since this commit, we can no longer assume that a retransmitted
packet is a single segment.
This patch fixes the tp->undo_retrans accounting in tcp_sacktag_one()
that use the actual segments(pcount) of the retransmitted packet.
Before that commit (10d3be569243), the assumption underlying the
tp->undo_retrans-- seems correct.
Fixes: 10d3be569243 ("tcp-tso: do not split TSO packets at retransmit time")
Signed-off-by: zhenggy <zhenggy@chinatelecom.cn>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Gustavo A. R. Silva
|
09c96d2dc2 |
ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs()
[ Upstream commit 6321c7acb82872ef6576c520b0e178eaad3a25c0 ]
Fix the following out-of-bounds warning:
In function 'ip_copy_addrs',
inlined from '__ip_queue_xmit' at net/ipv4/ip_output.c:517:2:
net/ipv4/ip_output.c:449:2: warning: 'memcpy' offset [40, 43] from the object at 'fl' is out of the bounds of referenced subobject 'saddr' with type 'unsigned int' at offset 36 [-Warray-bounds]
449 | memcpy(&iph->saddr, &fl4->saddr,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
450 | sizeof(fl4->saddr) + sizeof(fl4->daddr));
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The problem is that the original code is trying to copy data into a
couple of struct members adjacent to each other in a single call to
memcpy(). This causes a legitimate compiler warning because memcpy()
overruns the length of &iph->saddr and &fl4->saddr. As these are just
a couple of struct members, fix this by using direct assignments,
instead of memcpy().
This helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines
on memcpy().
Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Link: https://lore.kernel.org/lkml/d5ae2e65-1f18-2577-246f-bada7eee6ccd@intel.com/
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Eric Dumazet
|
f484595be6 |
ipv4: make exception cache less predictible
[ Upstream commit 67d6d681e15b578c1725bad8ad079e05d1c48a8e ]
Even after commit 6457378fe796 ("ipv4: use siphash instead of Jenkins in
fnhe_hashfun()"), an attacker can still use brute force to learn
some secrets from a victim linux host.
One way to defeat these attacks is to make the max depth of the hash
table bucket a random value.
Before this patch, each bucket of the hash table used to store exceptions
could contain 6 items under attack.
After the patch, each bucket would contains a random number of items,
between 6 and 10. The attacker can no longer infer secrets.
This is slightly increasing memory size used by the hash table,
by 50% in average, we do not expect this to be a problem.
This patch is more complex than the prior one (IPv6 equivalent),
because IPv4 was reusing the oldest entry.
Since we need to be able to evict more than one entry per
update_or_create_fnhe() call, I had to replace
fnhe_oldest() with fnhe_remove_oldest().
Also note that we will queue extra kfree_rcu() calls under stress,
which hopefully wont be a too big issue.
Fixes: 4895c771c7f0 ("ipv4: Add FIB nexthop exceptions.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Keyu Man <kman001@ucr.edu>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Reviewed-by: David Ahern <dsahern@kernel.org>
Tested-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Martin KaFai Lau
|
5cb7fa34b7 |
tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos
[ Upstream commit 525e2f9fd0229eb10cb460a9e6d978257f24804e ]
st->bucket stores the current bucket number.
st->offset stores the offset within this bucket that is the sk to be
seq_show(). Thus, st->offset only makes sense within the same
st->bucket.
These two variables are an optimization for the common no-lseek case.
When resuming the seq_file iteration (i.e. seq_start()),
tcp_seek_last_pos() tries to continue from the st->offset
at bucket st->bucket.
However, it is possible that the bucket pointed by st->bucket
has changed and st->offset may end up skipping the whole st->bucket
without finding a sk. In this case, tcp_seek_last_pos() currently
continues to satisfy the offset condition in the next (and incorrect)
bucket. Instead, regardless of the offset value, the first sk of the
next bucket should be returned. Thus, "bucket == st->bucket" check is
added to tcp_seek_last_pos().
The chance of hitting this is small and the issue is a decade old,
so targeting for the next tree.
Fixes: a8b690f98baf ("tcp: Fix slowness in read /proc/net/tcp")
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Kuniyuki Iwashima <kuniyu@amazon.co.jp>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/bpf/20210701200541.1033917-1-kafai@fb.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Mathieu Desnoyers
|
170a838966 |
ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2)
commit e1e84eb58eb494b77c8389fc6308b5042dcce791 upstream.
As per RFC792, ICMP errors should be sent to the source host.
However, in configurations with Virtual Routing and Forwarding tables,
looking up which routing table to use is currently done by using the
destination net_device.
commit 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to
determine L3 domain") changes the interface passed to
l3mdev_master_ifindex() and inet_addr_type_dev_table() from skb_in->dev
to skb_dst(skb_in)->dev. This effectively uses the destination device
rather than the source device for choosing which routing table should be
used to lookup where to send the ICMP error.
Therefore, if the source and destination interfaces are within separate
VRFs, or one in the global routing table and the other in a VRF, looking
up the source host in the destination interface's routing table will
fail if the destination interface's routing table contains no route to
the source host.
One observable effect of this issue is that traceroute does not work in
the following cases:
- Route leaking between global routing table and VRF
- Route leaking between VRFs
Preferably use the source device routing table when sending ICMP error
messages. If no source device is set, fall-back on the destination
device routing table. Else, use the main routing table (index 0).
[ It has been pointed out that a similar issue may exist with ICMP
errors triggered when forwarding between network namespaces. It would
be worthwhile to investigate, but is outside of the scope of this
investigation. ]
[ It has also been pointed out that a similar issue exists with
unreachable / fragmentation needed messages, which can be triggered by
changing the MTU of eth1 in r1 to 1400 and running:
ip netns exec h1 ping -s 1450 -Mdo -c1 172.16.2.2
Some investigation points to raw_icmp_error() and raw_err() as being
involved in this last scenario. The focus of this patch is TTL expired
ICMP messages, which go through icmp_route_lookup.
Investigation of failure modes related to raw_icmp_error() is beyond
this investigation's scope. ]
Fixes: 9d1a6c4ea43e ("net: icmp_route_lookup should use rt dev to determine L3 domain")
Link: https://tools.ietf.org/html/rfc792
Signed-off-by: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Liu Jian
|
7896774998 |
igmp: Add ip_mc_list lock in ip_check_mc_rcu
commit 23d2b94043ca8835bd1e67749020e839f396a1c2 upstream. I got below panic when doing fuzz test: Kernel panic - not syncing: panic_on_warn set ... CPU: 0 PID: 4056 Comm: syz-executor.3 Tainted: G B 5.14.0-rc1-00195-gcff5c4254439-dirty #2 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014 Call Trace: dump_stack_lvl+0x7a/0x9b panic+0x2cd/0x5af end_report.cold+0x5a/0x5a kasan_report+0xec/0x110 ip_check_mc_rcu+0x556/0x5d0 __mkroute_output+0x895/0x1740 ip_route_output_key_hash_rcu+0x2d0/0x1050 ip_route_output_key_hash+0x182/0x2e0 ip_route_output_flow+0x28/0x130 udp_sendmsg+0x165d/0x2280 udpv6_sendmsg+0x121e/0x24f0 inet6_sendmsg+0xf7/0x140 sock_sendmsg+0xe9/0x180 ____sys_sendmsg+0x2b8/0x7a0 ___sys_sendmsg+0xf0/0x160 __sys_sendmmsg+0x17e/0x3c0 __x64_sys_sendmmsg+0x9e/0x100 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x44/0xae RIP: 0033:0x462eb9 Code: f7 d8 64 89 02 b8 ff ff ff ff c3 66 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f3df5af1c58 EFLAGS: 00000246 ORIG_RAX: 0000000000000133 RAX: ffffffffffffffda RBX: 000000000073bf00 RCX: 0000000000462eb9 RDX: 0000000000000312 RSI: 0000000020001700 RDI: 0000000000000007 RBP: 0000000000000004 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00007f3df5af26bc R13: 00000000004c372d R14: 0000000000700b10 R15: 00000000ffffffff It is one use-after-free in ip_check_mc_rcu. In ip_mc_del_src, the ip_sf_list of pmc has been freed under pmc->lock protection. But access to ip_sf_list in ip_check_mc_rcu is not protected by the lock. Signed-off-by: Liu Jian <liujian56@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
4b5389d362 |
This is the 4.14.246 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmEx1VQACgkQONu9yGCS aT6OORAAprkznfRjVhDNhLAeVfi1UjhYbo5AhKwb9E/OoO7Q09gz2Qs3OeLVxZyP 66iOeZ27nOBYmLmKMDWoqCrM7GNDLB8xwgmdPZbpoVAEoTRNNMNesma070UXDmMp xqb6hbnc3vpom9BSGxq4A089wDWq66o6zyxxDShgeUH9hvtXjip62RqfkxVskxUg m1fPs7wp4VuXsMxg0GNvAcQFAK6/Se2s2cIb82jBcEd73RZwSoBLdZMI2PsnC0s5 jc9bSB4mUC5eKFBrL9QOy4Rs5/lv2xWNHMZsIo1rb6OdPttoZtZKWuhYLyoGYvyh iLMJDPtXQWkQTfQElK37OIj60MrvvxHBGIab+b1hSuJxXLpjbBPEtKIz/XcQCKNh jpLthL8sXhHkHK5/98Fqnv3mSc0why/9ZntYsGQFevJtg6ltvxTlGnLXe2NiVtAo Zz8eAuMEeeBsddUESKse0yI6oSqMks9sY196Y9r/1u5rQMwZXLwN/GDCBqnMhow3 mQxSHSDt18k0UisutqZv/Lu4o83qcQIFNz0jPSCJmU2kzMJdvxJDHgBg7EmYh9Wk 3VI4YnHpDvXhCJliwenrUPRgRoHy+q/h4U0NXSr2lsX3YGmogGMyNrWePViB/Tk8 W+b0+TH04Vct9N/HuCJPPs/CrlwrBiVbp5t9loDAsYRH86yuHPg= =vwDf -----END PGP SIGNATURE----- Merge 4.14.246 into android-4.14-stable Changes in 4.14.246 ARC: Fix CONFIG_STACKDEPOT can: usb: esd_usb2: esd_usb2_rx_event(): fix the interchange of the CAN RX and TX error counters Revert "USB: serial: ch341: fix character loss at high transfer rates" USB: serial: option: add new VID/PID to support Fibocom FG150 usb: dwc3: gadget: Fix dwc3_calc_trbs_left() usb: dwc3: gadget: Stop EP0 transfers during pullup disable IB/hfi1: Fix possible null-pointer dereference in _extend_sdma_tx_descs() e1000e: Fix the max snoop/no-snoop latency for 10M ip_gre: add validation for csum_start xgene-v2: Fix a resource leak in the error handling path of 'xge_probe()' net: marvell: fix MVNETA_TX_IN_PRGRS bit number usb: gadget: u_audio: fix race condition on endpoint stop opp: remove WARN when no valid OPPs remain virtio: Improve vq->broken access to avoid any compiler optimization vringh: Use wiov->used to check for read/write desc order drm: Copy drm_wait_vblank to user before returning drm/nouveau/disp: power down unused DP links during init net/rds: dma_map_sg is entitled to merge entries vt_kdsetmode: extend console locking fbmem: add margin check to fb_check_caps() KVM: x86/mmu: Treat NX as used (not reserved) for all !TDP shadow MMUs KVM: X86: MMU: Use the correct inherited permissions to get shadow page Revert "floppy: reintroduce O_NDELAY fix" Linux 4.14.246 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I02cf03ba61e0b37e372a63b589af3f0d537485c5 |
||
Shreyansh Chouhan
|
99279223a3 |
ip_gre: add validation for csum_start
[ Upstream commit 1d011c4803c72f3907eccfc1ec63caefb852fcbf ]
Validate csum_start in gre_handle_offloads before we call _gre_xmit so
that we do not crash later when the csum_start value is used in the
lco_csum function call.
This patch deals with ipv4 code.
Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Reported-by: syzbot+ff8e1b9f2f36481e2efc@syzkaller.appspotmail.com
Signed-off-by: Shreyansh Chouhan <chouhan.shreyansh630@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
34db58ab71 |
Linux 4.14.245
-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAmEnj9kACgkQ3qZv95d3
LNwXhA/9F1aMb4K87uxNq1bsKrhv03CA7DjjCprh+7VgH0CF2oygda7i36AHubLh
9C9PoWR1UkJxrngWukb9B+1JGDjHOjUtsaLFzOGZ+LXDubMpRA3hXN1NfgMnIab7
9tsYH7zyKUkOqhW6u0KzVjlDOmVtioWTD/woaFT0SKLKglogmBdA7sXU6XAJ+lJ7
nxUGMqMWsoqV0TfD8OXpBUztQzT/rtIHbfBZhlEEAc3rTZDF4OtX+5btl9dGIzlW
QGcAb2NgoWXttyVQl9qaX2Sw+tzWj6jITnYEEckt6v7cJgK2sud9ZaIPcK8pMN0t
7jbdPfOogggccqunpI398ijjOHfsY7x7lFedPbcEL0rFkpesWmSoKtWr/1MSlTQ0
Jfz1CRXVFFt4jn4+uzjUg1k7lhUH0Wiz//VWdxF9hSwWWGOtbF63fye9ZWmaCTha
YnFdOnKua8BIFJnW8qDNH8iDM41pzhT+t/YnkPH3dEIYoxTvu4GBg9z2p3KXj3SA
vPw53E95WbpkEKHZMX/y8nIo/XHggdK1SkIQNxLsyvu97yfu6QWMc2A+fWcj9r+w
rsOw2fZTA8SfKLqzOszuPFsljH1mWOWFe2S+VB7/F01VwmlqLIPXENNDi+6H5Azr
5lp0zdpJyLxR6auuNTnIdVIGlmIHTQcx+x872L5BusZl6nSHalw=
=Slrl
-----END PGP SIGNATURE-----
Merge 4.14.245 into android-4.14-stable
Changes in 4.14.245
iio: humidity: hdc100x: Add margin to the conversion time
iio: adc: Fix incorrect exit of for-loop
ASoC: intel: atom: Fix reference to PCM buffer address
i2c: dev: zero out array used for i2c reads from userspace
ACPI: NFIT: Fix support for virtual SPA ranges
ASoC: cs42l42: Correct definition of ADC Volume control
ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J
ASoC: cs42l42: Fix inversion of ADC Notch Switch control
ASoC: cs42l42: Remove duplicate control for WNF filter frequency
net: dsa: mt7530: add the missing RxUnicast MIB counter
ppp: Fix generating ifname when empty IFLA_IFNAME is specified
psample: Add a fwd declaration for skbuff
net: Fix memory leak in ieee802154_raw_deliver
net: bridge: fix memleak in br_add_if()
tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets
xen/events: Fix race in set_evtchn_to_irq
vsock/virtio: avoid potential deadlock when vsock device remove
powerpc/kprobes: Fix kprobe Oops happens in booke
x86/tools: Fix objdump version check again
x86/resctrl: Fix default monitoring groups reporting
PCI/MSI: Enable and mask MSI-X early
PCI/MSI: Do not set invalid bits in MSI mask
PCI/MSI: Correct misleading comments
PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown()
PCI/MSI: Protect msi_desc::masked for multi-MSI
PCI/MSI: Mask all unused MSI-X entries
PCI/MSI: Enforce that MSI-X table entry is masked for update
PCI/MSI: Enforce MSI[X] entry updates to be visible
vmlinux.lds.h: Handle clang's module.{c,d}tor sections
mac80211: drop data frames without key on encrypted links
KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656)
KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653)
x86/fpu: Make init_fpstate correct with optimized XSAVE
ath: Use safer key clearing with key cache entries
ath9k: Clear key cache explicitly on disabling hardware
ath: Export ath_hw_keysetmac()
ath: Modify ath_key_delete() to not need full key entry
ath9k: Postpone key cache entry deletion for TXQ frames reference it
dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe()
ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218
dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available
scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry()
scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach()
scsi: core: Avoid printing an error if target_alloc() returns -ENXIO
ARM: dts: nomadik: Fix up interrupt controller node names
net: usb: lan78xx: don't modify phy_device state concurrently
Bluetooth: hidp: use correct wait queue when removing ctrl_wait
dccp: add do-while-0 stubs for dccp_pr_debug macros
vhost: Fix the calculation in vhost_overflow()
bnxt: don't lock the tx queue from napi poll
net: 6pack: fix slab-out-of-bounds in decode_data
ptp_pch: Restore dependency on PCI
net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32
net: mdio-mux: Don't ignore memory allocation errors
net: mdio-mux: Handle -EPROBE_DEFER correctly
mmc: dw_mmc: Fix hang on data CRC error
ALSA: hda - fix the 'Capture Switch' value change notifications
ipack: tpci200: fix many double free issues in tpci200_pci_probe
btrfs: prevent rename2 from exchanging a subvol with a directory from different parents
ASoC: intel: atom: Fix breakage for PCM buffer address setup
locks: print a warning when mount fails due to lack of "mand" support
fs: warn about impending deprecation of mandatory locks
netfilter: nft_exthdr: fix endianness of tcp option cast
Linux 4.14.245
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I92a7f927b514f4164425c9ce9b30011ca7b3710f
|
||
Neal Cardwell
|
e0f5a8ed1c |
tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets
[ Upstream commit 6de035fec045f8ae5ee5f3a02373a18b939e91fb ]
Currently if BBR congestion control is initialized after more than 2B
packets have been delivered, depending on the phase of the
tp->delivered counter the tracking of BBR round trips can get stuck.
The bug arises because if tp->delivered is between 2^31 and 2^32 at
the time the BBR congestion control module is initialized, then the
initialization of bbr->next_rtt_delivered to 0 will cause the logic to
believe that the end of the round trip is still billions of packets in
the future. More specifically, the following check will fail
repeatedly:
!before(rs->prior_delivered, bbr->next_rtt_delivered)
and thus the connection will take up to 2B packets delivered before
that check will pass and the connection will set:
bbr->round_start = 1;
This could cause many mechanisms in BBR to fail to trigger, for
example bbr_check_full_bw_reached() would likely never exit STARTUP.
This bug is 5 years old and has not been observed, and as a practical
matter this would likely rarely trigger, since it would require
transferring at least 2B packets, or likely more than 3 terabytes of
data, before switching congestion control algorithms to BBR.
This patch is a stable candidate for kernels as far back as v4.9,
when tcp_bbr.c was added.
Fixes: 0f8782ea1497 ("tcp_bbr: add BBR congestion control")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Kevin Yang <yyd@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20210811024056.235161-1-ncardwell@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
a446f52a5d |
This is the 4.14.241 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmEBH5YACgkQONu9yGCS aT4StQ//UpkdbNrSQeQqX7/WaKOK5qXoRY6rVVTJIkQnoRHq3FXRavWQIs2b4XUc y6CrDacGlfh3EocKPscGMyWCTzRx1t9aSTsgss1yyZYSIQoFzqoJws/nog/auszM AQKm2GWd+yWGvPii1XJ35oHJuQ/cYTAqSNleOnmMMCMIi2uPGp9NefoQI0s1YzL5 Em9O/006JldP6brasRgocUN1GRq2Wtg3gLiEcF7bw8QTmROD//iCxuBKyDu7s7g+ K+kV2bOnxtfkdjMWWUFRksE0D2Lu98g/rXpCjp2XvoG4K6d3Dwvjgm+fgTPoH/Np NtZbmVWkzN1RpsWIdjorQlTgrcZNAPeun8qF+i2Y1od5EIaDNJHpOq1dh/e5/T1m NjtaO5BhQzq7OsJsRmWfk63aE6LKqBoPD5zCNVF32MfCLFBOEFLh8D5k9djOTOOW DKOal8zDAWFKxkgHn6EYh39z3tLJwZF5oBKbxa1/B4bfTvvusJlyFZVpVrIN7xzG FxDZ6PBoI8r6HBqSMdfWlfJ8KwQsaaJRuYNmHGDu1d44S139ytL3B9D1SsI6kVXW ZPEI3pwPSk8m4DYrDwSlucKPQXSZqg6V1JRawYvMeBWB+wTNJc7oRgrM7zeNs9D6 zuXen+UY7kfxpa8EdAPZAZ6BH2WuPjdGW0AGl0mm1P8fZ5CMCbs= =M7p2 -----END PGP SIGNATURE----- Merge 4.14.241 into android-4.14-stable Changes in 4.14.241 ARM: dts: gemini: add device_type on pci ARM: dts: rockchip: fix pinctrl sleep nodename for rk3036-kylin and rk3288 arm64: dts: rockchip: fix pinctrl sleep nodename for rk3399.dtsi ARM: dts: rockchip: Fix the timer clocks order ARM: dts: rockchip: Fix power-controller node names for rk3288 arm64: dts: rockchip: Fix power-controller node names for rk3328 reset: ti-syscon: fix to_ti_syscon_reset_data macro ARM: brcmstb: dts: fix NAND nodes names ARM: Cygnus: dts: fix NAND nodes names ARM: NSP: dts: fix NAND nodes names ARM: dts: BCM63xx: Fix NAND nodes names ARM: dts: imx6: phyFLEX: Fix UART hardware flow control ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info ARM: dts: stm32: fix RCC node name on stm32f429 MCU arm64: dts: juno: Update SCPI nodes as per the YAML schema arm64: dts: ls208xa: remove bus-num from dspi node thermal/core: Correct function name thermal_zone_device_unregister() kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set rtc: max77686: Do not enforce (incorrect) interrupt trigger type scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 scsi: libfc: Fix array index out of bound exception sched/fair: Fix CFS bandwidth hrtimer expiry type net: ipv6: fix return value of ip6_skb_dst_mtu netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo net: bridge: sync fdb to new unicast-filtering ports net: bcmgenet: Ensure all TX/RX queues DMAs are disabled net: moxa: fix UAF in moxart_mac_probe net: qcom/emac: fix UAF in emac_remove net: ti: fix UAF in tlan_remove_one net: send SYNACK packet with accepted fwmark net: validate lwtstate->data before returning from skb_tunnel_info() dma-buf/sync_file: Don't leak fences on merge failure tcp: annotate data races around tp->mtu_info ipv6: tcp: drop silly ICMPv6 packet too big messages igb: Fix use-after-free error during reset ixgbe: Fix an error handling path in 'ixgbe_probe()' igb: Fix an error handling path in 'igb_probe()' fm10k: Fix an error handling path in 'fm10k_probe()' e1000e: Fix an error handling path in 'e1000_probe()' iavf: Fix an error handling path in 'iavf_probe()' igb: Check if num of q_vectors is smaller than max before array access perf map: Fix dso->nsinfo refcounting perf probe: Fix dso->nsinfo refcounting perf lzma: Close lzma stream on exit perf test bpf: Free obj_buf perf probe-file: Delete namelist in del_events() on the error path spi: mediatek: fix fifo rx mode liquidio: Fix unintentional sign extension issue on left shift of u16 s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1] net: fix uninit-value in caif_seqpkt_sendmsg net: decnet: Fix sleeping inside in af_decnet netrom: Decrease sock refcount when sock timers expire scsi: iscsi: Fix iface sysfs attr detection scsi: target: Fix protect handling in WRITE SAME(32) spi: cadence: Correct initialisation of runtime PM again Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem" proc: Avoid mixing integer types in mem_rw() Revert "MIPS: add PMD table accounting into MIPS'pmd_alloc_one" s390/ftrace: fix ftrace_update_ftrace_func implementation ALSA: sb: Fix potential ABBA deadlock in CSP driver xhci: Fix lost USB 2 remote wake KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow usb: hub: Disable USB 3 device initiated lpm if exit latency is too high USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS usb: max-3421: Prevent corruption of freed memory usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop() USB: serial: option: add support for u-blox LARA-R6 family USB: serial: cp210x: fix comments for GE CS1000 USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick usb: dwc2: gadget: Fix sending zero length packet in DDMA mode. tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() ixgbe: Fix packet corruption due to missing DMA sync selftest: use mmap instead of posix_memalign to allocate memory drm: Return -ENOTTY for non-drm ioctls net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear iio: accel: bma180: Use explicit member assignment iio: accel: bma180: Fix BMA25x bandwidth register values btrfs: compression: don't try to compress if we don't have enough pages spi: spi-fsl-dspi: Fix a resource leak in an error handling path xhci: add xhci_get_virt_ep() helper Linux 4.14.241 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If71586baa50da4c192a204b49a3e7802aa796790 |
||
|
Eric Dumazet
|
ca958d6be2 |
ipv6: tcp: drop silly ICMPv6 packet too big messages
commit c7bb4b89033b764eb07db4e060548a6311d801ee upstream.
While TCP stack scales reasonably well, there is still one part that
can be used to DDOS it.
IPv6 Packet too big messages have to lookup/insert a new route,
and if abused by attackers, can easily put hosts under high stress,
with many cpus contending on a spinlock while one is stuck in fib6_run_gc()
ip6_protocol_deliver_rcu()
icmpv6_rcv()
icmpv6_notify()
tcp_v6_err()
tcp_v6_mtu_reduced()
inet6_csk_update_pmtu()
ip6_rt_update_pmtu()
__ip6_rt_update_pmtu()
ip6_rt_cache_alloc()
ip6_dst_alloc()
dst_alloc()
ip6_dst_gc()
fib6_run_gc()
spin_lock_bh() ...
Some of our servers have been hit by malicious ICMPv6 packets
trying to _increase_ the MTU/MSS of TCP flows.
We believe these ICMPv6 packets are a result of a bug in one ISP stack,
since they were blindly sent back for _every_ (small) packet sent to them.
These packets are for one TCP flow:
09:24:36.266491 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.266509 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.316688 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.316704 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.608151 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
TCP stack can filter some silly requests :
1) MTU below IPV6_MIN_MTU can be filtered early in tcp_v6_err()
2) tcp_v6_mtu_reduced() can drop requests trying to increase current MSS.
This tests happen before the IPv6 routing stack is entered, thus
removing the potential contention and route exhaustion.
Note that IPv6 stack was performing these checks, but too late
(ie : after the route has been added, and after the potential
garbage collect war)
v2: fix typo caught by Martin, thanks !
v3: exports tcp_mtu_to_mss(), caught by David, thanks !
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Maciej Żenczykowski <maze@google.com>
Cc: Martin KaFai Lau <kafai@fb.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Eric Dumazet
|
f7c6f21aaa |
tcp: annotate data races around tp->mtu_info
commit 561022acb1ce62e50f7a8258687a21b84282a4cb upstream.
While tp->mtu_info is read while socket is owned, the write
sides happen from err handlers (tcp_v[46]_mtu_reduced)
which only own the socket spinlock.
Fixes: 563d34d05786 ("tcp: dont drop MTU reduction indications")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
954b37d98c |
Linux 4.14.238
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAmDcb/YACgkQ3qZv95d3 LNxvtBAAmSuqNUAn7N49MxIV8WF0Vljy1XdWlpJ2GMYEshqQ2/YJ4wMvYWU/+Ric 5qDVI9Ul79ZBDr2WJc3nZvAXn/IPUqSzTlZLgT+231qlAL1zFHkt0ul8T6078YqR 5I5qoKYBE21lfkZAG974GXo0rKy82raWgrqV85r54G2JJ1ZHZmcPjBZjwaobXoby hs+fNRcqv02ZIiGp6Ap9Je/vkzytuqUU4V96GrbaJrDAOS4e2JmZpWQTFYwNKn4W n9uozBLAGwrvWFiTZ4BLKDT2+xwBXtlRzwieJb57XdWWg7OgvlFst7n3owqzNMTv Zai9+Ux/p0VhFDdLLLtDG+igXj33vhy/75bt+NasIrc+NHxWztwOqbdA7er1OPk0 cGUe5r0AVK8/Z01hjkdL/qaqqVVoZy2vh88wpn1Dh9g7L82HLxyRMZS0jpSrrFpx GL35p+hxHyxDvixBDlenz7YQhU420D9wDcOpowdPxwbhpsK5Icpjm1tnEm6ljlzz fk5oa8Lg183eWPZH9OWaL5SycMuzJMdhvTCVJSyMzDuZxSq6jw6WIjdT352GCemV 8Ctq5nQkarhcHvbHOjFviLjIUCJgNWPCMGFs47nR+6/iE920ZSWi3NJajeFjtjmI INYo792mUNf75uJqVhWpCTQU1x2uXqLh9oG/6iXTfv2FN42ddDM= =UgHQ -----END PGP SIGNATURE----- Merge 4.14.238 into android-4.14-stable Changes in 4.14.238 net: ieee802154: fix null deref in parse dev addr HID: hid-sensor-hub: Return error for hid_set_field() failure HID: Add BUS_VIRTUAL to hid_connect logging HID: usbhid: fix info leak in hid_submit_ctrl ARM: OMAP2+: Fix build warning when mmc_omap is not built HID: gt683r: add missing MODULE_DEVICE_TABLE gfs2: Fix use-after-free in gfs2_glock_shrink_scan scsi: target: core: Fix warning on realtime kernels ethernet: myri10ge: Fix missing error code in myri10ge_probe() nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() net: ipconfig: Don't override command-line hostnames or domains rtnetlink: Fix missing error code in rtnl_bridge_notify() net/x25: Return the correct errno code net: Return the correct errno code fib: Return the correct errno code dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM dmaengine: stedma40: add missing iounmap() on error in d40_probe() mm/memory-failure: make sure wait for page writeback in memory_failure batman-adv: Avoid WARN_ON timing related checks net: ipv4: fix memory leak in netlbl_cipsov4_add_std net: rds: fix memory leak in rds_recvmsg udp: fix race between close() and udp_abort() rtnetlink: Fix regression in bridge VLAN configuration netfilter: synproxy: Fix out of bounds when parsing TCP options alx: Fix an error handling path in 'alx_probe()' net: stmmac: dwmac1000: Fix extended MAC address registers definition qlcnic: Fix an error handling path in 'qlcnic_probe()' netxen_nic: Fix an error handling path in 'netxen_nic_probe()' net: cdc_ncm: switch to eth%d interface naming net: usb: fix possible use-after-free in smsc75xx_bind net: ipv4: fix memory leak in ip_mc_add1_src net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock be2net: Fix an error handling path in 'be_probe()' net: hamradio: fix memory leak in mkiss_close net: cdc_eem: fix tx fixup skb leak icmp: don't send out ICMP messages with a source address of 0.0.0.0 net: ethernet: fix potential use-after-free in ec_bhf_remove radeon: use memcpy_to/fromio for UVD fw upload hwmon: (scpi-hwmon) shows the negative temperature properly can: bcm: fix infoleak in struct bcm_msg_head can: mcba_usb: fix memory leak in mcba_usb usb: core: hub: Disable autosuspend for Cypress CY7C65632 tracing: Do not stop recording cmdlines when tracing is off tracing: Do not stop recording comms if the trace file is being read tracing: Do no increment trace_clock_global() by one PCI: Mark TI C667X to avoid bus reset PCI: Mark some NVIDIA GPUs to avoid bus reset PCI: Add ACS quirk for Broadcom BCM57414 NIC PCI: Work around Huawei Intelligent NIC VF FLR erratum ARCv2: save ABI registers across signal handling dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc net: bridge: fix vlan tunnel dst null pointer dereference net: bridge: fix vlan tunnel dst refcnt when egressing mm/slub.c: include swab.h net: fec_ptp: add clock rate zero check can: bcm/raw/isotp: use per module netdevice notifier inet: use bigger hash table for IP ID generation usb: dwc3: core: fix kernel panic when do reboot kernfs: deal with kernfs_fill_super() failures unfuck sysfs_mount() x86/fpu: Reset state for all signal restore failures drm/nouveau: wait for moving fence after pinning v2 drm/radeon: wait for moving fence after pinning ARM: 9081/1: fix gcc-10 thumb2-kernel regression Makefile: Move -Wno-unused-but-set-variable out of GCC only block MIPS: generic: Update node names to avoid unit addresses arm64: perf: Disable PMU while processing counter overflows Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" mac80211: remove warning in ieee80211_get_sband() cfg80211: call cfg80211_leave_ocb when switching away from OCB mac80211: drop multicast fragments ping: Check return value of function 'ping_queue_rcv_skb' inet: annotate date races around sk->sk_txhash net: caif: fix memory leak in ldisc_open net/packet: annotate accesses to po->bind net/packet: annotate accesses to po->ifindex r8152: Avoid memcpy() over-reading of ETH_SS_STATS sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS r8169: Avoid memcpy() over-reading of ETH_SS_STATS net: qed: Fix memcpy() overflow of qed_dcbx_params() net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY pinctrl: stm32: fix the reported number of GPIO lines per bank nilfs2: fix memory leak in nilfs_sysfs_delete_device_group i2c: robotfuzz-osif: fix control-request directions Linux 4.14.238 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If0fafb89548f179bcf4114cc962164be23717637 |
||
Zheng Yongjun
|
e1df54a22b |
ping: Check return value of function 'ping_queue_rcv_skb'
[ Upstream commit 9d44fa3e50cc91691896934d106c86e4027e61ca ] Function 'ping_queue_rcv_skb' not always return success, which will also return fail. If not check the wrong return value of it, lead to function `ping_rcv` return success. Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
3ba51ed2c3 |
inet: use bigger hash table for IP ID generation
commit aa6dd211e4b1dde9d5dc25d699d35f789ae7eeba upstream.
In commit 73f156a6e8c1 ("inetpeer: get rid of ip_id_count")
I used a very small hash table that could be abused
by patient attackers to reveal sensitive information.
Switch to a dynamic sizing, depending on RAM size.
Typical big hosts will now use 128x more storage (2 MB)
to get a similar increase in security and reduction
of hash collisions.
As a bonus, use of alloc_large_system_hash() spreads
allocated memory among all NUMA nodes.
Fixes: 73f156a6e8c1 ("inetpeer: get rid of ip_id_count")
Reported-by: Amit Klein <aksecurity@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Toke Høiland-Jørgensen
|
6ae141218d |
icmp: don't send out ICMP messages with a source address of 0.0.0.0
[ Upstream commit 321827477360934dc040e9d3c626bf1de6c3ab3c ]
When constructing ICMP response messages, the kernel will try to pick a
suitable source address for the outgoing packet. However, if no IPv4
addresses are configured on the system at all, this will fail and we end up
producing an ICMP message with a source address of 0.0.0.0. This can happen
on a box routing IPv4 traffic via v6 nexthops, for instance.
Since 0.0.0.0 is not generally routable on the internet, there's a good
chance that such ICMP messages will never make it back to the sender of the
original packet that the ICMP message was sent in response to. This, in
turn, can create connectivity and PMTUd problems for senders. Fortunately,
RFC7600 reserves a dummy address to be used as a source for ICMP
messages (192.0.0.8/32), so let's teach the kernel to substitute that
address as a last resort if the regular source address selection procedure
fails.
Below is a quick example reproducing this issue with network namespaces:
ip netns add ns0
ip l add type veth peer netns ns0
ip l set dev veth0 up
ip a add 10.0.0.1/24 dev veth0
ip a add fc00:dead:cafe:42::1/64 dev veth0
ip r add 10.1.0.0/24 via inet6 fc00:dead:cafe:42::2
ip -n ns0 l set dev veth0 up
ip -n ns0 a add fc00:dead:cafe:42::2/64 dev veth0
ip -n ns0 r add 10.0.0.0/24 via inet6 fc00:dead:cafe:42::1
ip netns exec ns0 sysctl -w net.ipv4.icmp_ratelimit=0
ip netns exec ns0 sysctl -w net.ipv4.ip_forward=1
tcpdump -tpni veth0 -c 2 icmp &
ping -w 1 10.1.0.1 > /dev/null
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 29, seq 1, length 64
IP 0.0.0.0 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
2 packets captured
2 packets received by filter
0 packets dropped by kernel
With this patch the above capture changes to:
IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 31127, seq 1, length 64
IP 192.0.0.8 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Juliusz Chroboczek <jch@irif.fr>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Chengyang Fan
|
6cff57eea3 |
net: ipv4: fix memory leak in ip_mc_add1_src
[ Upstream commit d8e2973029b8b2ce477b564824431f3385c77083 ]
BUG: memory leak
unreferenced object 0xffff888101bc4c00 (size 32):
comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................
backtrace:
[<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline]
[<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline]
[<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline]
[<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095
[<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416
[<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline]
[<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423
[<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857
[<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117
[<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline]
[<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline]
[<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125
[<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47
[<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae
In commit 24803f38a5c0 ("igmp: do not remove igmp souce list info when set
link down"), the ip_mc_clear_src() in ip_mc_destroy_dev() was removed,
because it was also called in igmpv3_clear_delrec().
Rough callgraph:
inetdev_destroy
-> ip_mc_destroy_dev
-> igmpv3_clear_delrec
-> ip_mc_clear_src
-> RCU_INIT_POINTER(dev->ip_ptr, NULL)
However, ip_mc_clear_src() called in igmpv3_clear_delrec() doesn't
release in_dev->mc_list->sources. And RCU_INIT_POINTER() assigns the
NULL to dev->ip_ptr. As a result, in_dev cannot be obtained through
inetdev_by_index() and then in_dev->mc_list->sources cannot be released
by ip_mc_del1_src() in the sock_close. Rough call sequence goes like:
sock_close
-> __sock_release
-> inet_release
-> ip_mc_drop_socket
-> inetdev_by_index
-> ip_mc_leave_src
-> ip_mc_del_src
-> ip_mc_del1_src
So we still need to call ip_mc_clear_src() in ip_mc_destroy_dev() to free
in_dev->mc_list->sources.
Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info ...")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Chengyang Fan <cy.fan@huawei.com>
Acked-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Paolo Abeni
|
a0882f68f5 |
udp: fix race between close() and udp_abort()
[ Upstream commit a8b897c7bcd47f4147d066e22cc01d1026d7640e ]
Kaustubh reported and diagnosed a panic in udp_lib_lookup().
The root cause is udp_abort() racing with close(). Both
racing functions acquire the socket lock, but udp{v6}_destroy_sock()
release it before performing destructive actions.
We can't easily extend the socket lock scope to avoid the race,
instead use the SOCK_DEAD flag to prevent udp_abort from doing
any action when the critical race happens.
Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>
Fixes: 5d77dca82839 ("net: diag: support SOCK_DESTROY for UDP sockets")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Nanyong Sun
|
6dcea66d3b |
net: ipv4: fix memory leak in netlbl_cipsov4_add_std
[ Upstream commit d612c3f3fae221e7ea736d196581c2217304bbbc ]
Reported by syzkaller:
BUG: memory leak
unreferenced object 0xffff888105df7000 (size 64):
comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline]
[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline]
[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline]
[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416
[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739
[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800
[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline]
[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674
[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae
The memory of doi_def->map.std pointing is allocated in
netlbl_cipsov4_add_std, but no place has freed it. It should be
freed in cipso_v4_doi_free which frees the cipso DOI resource.
Fixes: 96cb8e3313c7a ("[NetLabel]: CIPSOv4 and Unlabeled packet integration")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Nanyong Sun <sunnanyong@huawei.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Josh Triplett
|
c97aafab4b |
net: ipconfig: Don't override command-line hostnames or domains
[ Upstream commit b508d5fb69c2211a1b860fc058aafbefc3b3c3cd ] If the user specifies a hostname or domain name as part of the ip= command-line option, preserve it and don't overwrite it with one supplied by DHCP/BOOTP. For instance, ip=::::myhostname::dhcp will use "myhostname" rather than ignoring and overwriting it. Fix the comment on ic_bootp_string that suggests it only copies a string "if not already set"; it doesn't have any such logic. Signed-off-by: Josh Triplett <josh@joshtriplett.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
d45bd6ee16 |
This is the 4.14.231 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmB5X7IACgkQONu9yGCS aT7h8w/+PO3GtGFL65xIMTx1e7HY7M8WsKIYIXGZ8yd8G+AvtlWMiUxTtiQWpYY7 Iy3BFGNSPr/ZYxQh2dkzruktWuBn0avM08XWvpM30NzuwJdhzV2FD1KdPj5OJsHv YV0x2kBIYvsdcDR2LtEpyeNCZj/i4PPleIIUMmqMayuXSrqzxlvQTZpW8LfqUCqM GOS3cf5wZl0BPfkEFAyLVNub2CotlxoDUUY6XavNOTOGnCzRB0m6nEBKwZ25g7Uw kdvdNo6zAgIEhgFvE8HCrDK0rBowj7zG/qk16CZXYZELRdFY/DJA+dljmqbxK+Ip ys6+05073Xbor5LbvmvZ4/DFR3g2f3KgR0gN/nZktyn3ECdW5opeQ0/xP3VZH73x wYLbhVNx6wjqdaJnu0/fffRluZtFdhKxLdABJnOVSNTkBoRPEQwnx2DpKSuXxxU/ ofCq20nKah6S7CVpsq7bdHqcupKkEsxfAG/UaAoyBwJ4MQlpPMs4WOor09SJ05+j PzXozwZjFrDas/SjM0Ijg/5jdSaZBn0a23JkVYkrg/f4I+4WOZd/eb3+2135O8Nm ptYQxrgv4Gz7a/DSvu4FXPSRkReCKXrD28Qw1XkCqD0zQayaqMywdjGz3/FVvo2x ohjnJYIsD2EJpxt4GWjP5BAiREHJEFubg8Dcjq/7IQAZgBJjkSw= =SoaZ -----END PGP SIGNATURE----- Merge 4.14.231 into android-4.14-stable Changes in 4.14.231 ALSA: aloop: Fix initialization of controls ASoC: intel: atom: Stop advertising non working S24LE support nfc: fix refcount leak in llcp_sock_bind() nfc: fix refcount leak in llcp_sock_connect() nfc: fix memory leak in llcp_sock_connect() nfc: Avoid endless loops caused by repeated llcp_sock_connect() xen/evtchn: Change irq_info lock to raw_spinlock_t net: ipv6: check for validity before dereferencing cfg->fc_nlinfo.nlh ia64: fix user_stack_pointer() for ptrace() ocfs2: fix deadlock between setattr and dio_end_io_write fs: direct-io: fix missing sdio->boundary parisc: parisc-agp requires SBA IOMMU driver parisc: avoid a warning on u8 cast for cmpxchg on u8 pointers ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field net: ensure mac header is set in virtio_net_hdr_to_skb() net: sched: sch_teql: fix null-pointer dereference usbip: add sysfs_lock to synchronize sysfs code paths usbip: stub-dev synchronize sysfs code paths usbip: synchronize event handler with sysfs code paths i2c: turn recovery error on init to debug regulator: bd9571mwv: Fix AVS and DVFS voltage range ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips amd-xgbe: Update DMA coherency values sch_red: fix off-by-one checks in red_check_params() gianfar: Handle error code at MAC address change net:tipc: Fix a double free in tipc_sk_mcast_rcv ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces net/ncsi: Avoid channel_monitor hrtimer deadlock ASoC: sunxi: sun4i-codec: fill ASoC card owner soc/fsl: qbman: fix conflicting alignment attributes clk: fix invalid usage of list cursor in register clk: fix invalid usage of list cursor in unregister workqueue: Move the position of debug_work_activate() in __queue_work() s390/cpcmd: fix inline assembly register clobbering net/mlx5: Fix placement of log_max_flow_counter RDMA/cxgb4: check for ipv6 address properly while destroying listener clk: socfpga: fix iomem pointer cast on 64-bit net/ncsi: Make local function ncsi_get_filter() static net/ncsi: Improve general state logging net/ncsi: Don't return error on normal response net/ncsi: Add generic netlink family net/ncsi: Refactor MAC, VLAN filters net/ncsi: Avoid GFP_KERNEL in response handler usbip: fix vudc usbip_sockfd_store races leading to gpf cfg80211: remove WARN_ON() in cfg80211_sme_connect net: tun: set tun->dev->addr_len during TUNSETLINK processing drivers: net: fix memory leak in atusb_probe drivers: net: fix memory leak in peak_usb_create_dev net: mac802154: Fix general protection fault net: ieee802154: nl-mac: fix check on panid net: ieee802154: fix nl802154 del llsec key net: ieee802154: fix nl802154 del llsec dev net: ieee802154: fix nl802154 add llsec key net: ieee802154: fix nl802154 del llsec devkey net: ieee802154: forbid monitor for set llsec params net: ieee802154: forbid monitor for del llsec seclevel net: ieee802154: stop dump llsec params for monitors Revert "cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath." KVM: arm64: Hide system instruction access to Trace registers KVM: arm64: Disable guest access to trace filter controls drm/imx: imx-ldb: fix out of bounds array access warning gfs2: report "already frozen/thawed" errors block: only update parent bi_status when bio fail net: phy: broadcom: Only advertise EEE for supported modes netfilter: x_tables: fix compat match/target pad out-of-bound write perf map: Tighten snprintf() string precision to pass gcc check on some 32-bit arches xen/events: fix setting irq affinity Linux 4.14.231 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I5000f92ba1b384d06e2be0faafdf345854765b54 |
||
Florian Westphal
|
522a019194 |
netfilter: x_tables: fix compat match/target pad out-of-bound write
commit b29c457a6511435960115c0f548c4360d5f4801d upstream. xt_compat_match/target_from_user doesn't check that zeroing the area to start of next rule won't write past end of allocated ruleset blob. Remove this code and zero the entire blob beforehand. Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com Reported-by: Andy Nguyen <theflow@google.com> Fixes: 9fa492cdc160c ("[NETFILTER]: x_tables: simplify compat API") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Eric Dumazet
|
b1d9f3ebda |
icmp: randomize the global rate limiter
[ Upstream commit b38e7819cae946e2edf869e604af1e65a5d241c5 ]
Keyu Man reported that the ICMP rate limiter could be used
by attackers to get useful signal. Details will be provided
in an upcoming academic publication.
Our solution is to add some noise, so that the attackers
no longer can get help from the predictable token bucket limiter.
Fixes: 4cdf507d5452 ("icmp: add a global rate limitation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Keyu Man <kman001@ucr.edu>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Change-Id: Idbca441c50068fa5df89f9ee2a9ea70eb044eba2
Git-commit: d6c552505c0d1719dda42b4af2def0618bd7bf54
Git-repo: https://android.googlesource.com/kernel/msm
Signed-off-by: urevanth <urevanth@codeaurora.org>
|