mirror of
https://github.com/rd-stuffs/msm-4.14.git
synced 2025-02-20 11:45:48 +08:00
50931 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Eric Dumazet
|
2e5bc03802 |
tcp: md5: add missing memory barriers in tcp_md5_do_add()/tcp_md5_hash_key()
[ Upstream commit 6a2febec338df7e7699a52d00b2e1207dcf65b28 ]
MD5 keys are read with RCU protection, and tcp_md5_do_add()
might update in-place a prior key.
Normally, typical RCU updates would allocate a new piece
of memory. In this case only key->key and key->keylen might
be updated, and we do not care if an incoming packet could
see the old key, the new one, or some intermediate value,
since changing the key on a live flow is known to be problematic
anyway.
We only want to make sure that in the case key->keylen
is changed, cpus in tcp_md5_hash_key() wont try to use
uninitialized data, or crash because key->keylen was
read twice to feed sg_init_one() and ahash_request_set_crypt()
Fixes: 9ea88a153001 ("tcp: md5: check md5 signature without socket lock")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Eric Dumazet
|
cf2c621c8d |
llc: make sure applications use ARPHRD_ETHER
[ Upstream commit a9b1110162357689a34992d5c925852948e5b9fd ]
syzbot was to trigger a bug by tricking AF_LLC with
non sensible addr->sllc_arphrd
It seems clear LLC requires an Ethernet device.
Back in commit abf9d537fea2 ("llc: add support for SO_BINDTODEVICE")
Octavian Purdila added possibility for application to use a zero
value for sllc_arphrd, convert it to ARPHRD_ETHER to not cause
regressions on existing applications.
BUG: KASAN: use-after-free in __read_once_size include/linux/compiler.h:199 [inline]
BUG: KASAN: use-after-free in list_empty include/linux/list.h:268 [inline]
BUG: KASAN: use-after-free in waitqueue_active include/linux/wait.h:126 [inline]
BUG: KASAN: use-after-free in wq_has_sleeper include/linux/wait.h:160 [inline]
BUG: KASAN: use-after-free in skwq_has_sleeper include/net/sock.h:2092 [inline]
BUG: KASAN: use-after-free in sock_def_write_space+0x642/0x670 net/core/sock.c:2813
Read of size 8 at addr ffff88801e0b4078 by task ksoftirqd/3/27
CPU: 3 PID: 27 Comm: ksoftirqd/3 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.12.0-59-gc9ba5276e321-prebuilt.qemu.org 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:135
__read_once_size include/linux/compiler.h:199 [inline]
list_empty include/linux/list.h:268 [inline]
waitqueue_active include/linux/wait.h:126 [inline]
wq_has_sleeper include/linux/wait.h:160 [inline]
skwq_has_sleeper include/net/sock.h:2092 [inline]
sock_def_write_space+0x642/0x670 net/core/sock.c:2813
sock_wfree+0x1e1/0x260 net/core/sock.c:1958
skb_release_head_state+0xeb/0x260 net/core/skbuff.c:652
skb_release_all+0x16/0x60 net/core/skbuff.c:663
__kfree_skb net/core/skbuff.c:679 [inline]
consume_skb net/core/skbuff.c:838 [inline]
consume_skb+0xfb/0x410 net/core/skbuff.c:832
__dev_kfree_skb_any+0xa4/0xd0 net/core/dev.c:2967
dev_kfree_skb_any include/linux/netdevice.h:3650 [inline]
e1000_unmap_and_free_tx_resource.isra.0+0x21b/0x3a0 drivers/net/ethernet/intel/e1000/e1000_main.c:1963
e1000_clean_tx_irq drivers/net/ethernet/intel/e1000/e1000_main.c:3854 [inline]
e1000_clean+0x4cc/0x1d10 drivers/net/ethernet/intel/e1000/e1000_main.c:3796
napi_poll net/core/dev.c:6532 [inline]
net_rx_action+0x508/0x1120 net/core/dev.c:6600
__do_softirq+0x262/0x98c kernel/softirq.c:292
run_ksoftirqd kernel/softirq.c:603 [inline]
run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595
smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Allocated by task 8247:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:513 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc mm/slab.c:3320 [inline]
kmem_cache_alloc+0x121/0x710 mm/slab.c:3484
sock_alloc_inode+0x1c/0x1d0 net/socket.c:240
alloc_inode+0x68/0x1e0 fs/inode.c:230
new_inode_pseudo+0x19/0xf0 fs/inode.c:919
sock_alloc+0x41/0x270 net/socket.c:560
__sock_create+0xc2/0x730 net/socket.c:1384
sock_create net/socket.c:1471 [inline]
__sys_socket+0x103/0x220 net/socket.c:1513
__do_sys_socket net/socket.c:1522 [inline]
__se_sys_socket net/socket.c:1520 [inline]
__ia32_sys_socket+0x73/0xb0 net/socket.c:1520
do_syscall_32_irqs_on arch/x86/entry/common.c:337 [inline]
do_fast_syscall_32+0x27b/0xe16 arch/x86/entry/common.c:408
entry_SYSENTER_compat+0x70/0x7f arch/x86/entry/entry_64_compat.S:139
Freed by task 17:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:335 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
__cache_free mm/slab.c:3426 [inline]
kmem_cache_free+0x86/0x320 mm/slab.c:3694
sock_free_inode+0x20/0x30 net/socket.c:261
i_callback+0x44/0x80 fs/inode.c:219
__rcu_reclaim kernel/rcu/rcu.h:222 [inline]
rcu_do_batch kernel/rcu/tree.c:2183 [inline]
rcu_core+0x570/0x1540 kernel/rcu/tree.c:2408
rcu_core_si+0x9/0x10 kernel/rcu/tree.c:2417
__do_softirq+0x262/0x98c kernel/softirq.c:292
The buggy address belongs to the object at ffff88801e0b4000
which belongs to the cache sock_inode_cache of size 1152
The buggy address is located 120 bytes inside of
1152-byte region [ffff88801e0b4000, ffff88801e0b4480)
The buggy address belongs to the page:
page:ffffea0000782d00 refcount:1 mapcount:0 mapping:ffff88807aa59c40 index:0xffff88801e0b4ffd
raw: 00fffe0000000200 ffffea00008e6c88 ffffea0000782d48 ffff88807aa59c40
raw: ffff88801e0b4ffd ffff88801e0b4000 0000000100000003 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88801e0b3f00: fb fb fb fb fb fb fb fb fb fb fb fb fc fc fc fc
ffff88801e0b3f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88801e0b4000: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88801e0b4080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88801e0b4100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fixes: abf9d537fea2 ("llc: add support for SO_BINDTODEVICE")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Xin Long
|
12dd6b12cb |
l2tp: remove skb_dst_set() from l2tp_xmit_skb()
[ Upstream commit 27d53323664c549b5bb2dfaaf6f7ad6e0376a64e ]
In the tx path of l2tp, l2tp_xmit_skb() calls skb_dst_set() to set
skb's dst. However, it will eventually call inet6_csk_xmit() or
ip_queue_xmit() where skb's dst will be overwritten by:
skb_dst_set_noref(skb, dst);
without releasing the old dst in skb. Then it causes dst/dev refcnt leak:
unregister_netdevice: waiting for eth0 to become free. Usage count = 1
This can be reproduced by simply running:
# modprobe l2tp_eth && modprobe l2tp_ip
# sh ./tools/testing/selftests/net/l2tp.sh
So before going to inet6_csk_xmit() or ip_queue_xmit(), skb's dst
should be dropped. This patch is to fix it by removing skb_dst_set()
from l2tp_xmit_skb() and moving skb_dst_drop() into l2tp_xmit_core().
Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: James Chapman <jchapman@katalix.com>
Tested-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Sabrina Dubroca
|
b99658d8d1 |
ipv4: fill fl4_icmp_{type,code} in ping_v4_sendmsg
[ Upstream commit 5eff06902394425c722f0a44d9545909a8800f79 ]
IPv4 ping sockets don't set fl4.fl4_icmp_{type,code}, which leads to
incomplete IPsec ACQUIRE messages being sent to userspace. Currently,
both raw sockets and IPv6 ping sockets set those fields.
Expected output of "ip xfrm monitor":
acquire proto esp
sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 8 code 0 dev ens4
policy src 10.0.2.15/32 dst 8.8.8.8/32
<snip>
Currently with ping sockets:
acquire proto esp
sel src 10.0.2.15/32 dst 8.8.8.8/32 proto icmp type 0 code 0 dev ens4
policy src 10.0.2.15/32 dst 8.8.8.8/32
<snip>
The Libreswan test suite found this problem after Fedora changed the
value for the sysctl net.ipv4.ping_group_range.
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Reported-by: Paul Wouters <pwouters@redhat.com>
Tested-by: Paul Wouters <pwouters@redhat.com>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Sean Tranchetti
|
936d94fabb |
genetlink: remove genl_bind
[ Upstream commit 1e82a62fec613844da9e558f3493540a5b7a7b67 ]
A potential deadlock can occur during registering or unregistering a
new generic netlink family between the main nl_table_lock and the
cb_lock where each thread wants the lock held by the other, as
demonstrated below.
1) Thread 1 is performing a netlink_bind() operation on a socket. As part
of this call, it will call netlink_lock_table(), incrementing the
nl_table_users count to 1.
2) Thread 2 is registering (or unregistering) a genl_family via the
genl_(un)register_family() API. The cb_lock semaphore will be taken for
writing.
3) Thread 1 will call genl_bind() as part of the bind operation to handle
subscribing to GENL multicast groups at the request of the user. It will
attempt to take the cb_lock semaphore for reading, but it will fail and
be scheduled away, waiting for Thread 2 to finish the write.
4) Thread 2 will call netlink_table_grab() during the (un)registration
call. However, as Thread 1 has incremented nl_table_users, it will not
be able to proceed, and both threads will be stuck waiting for the
other.
genl_bind() is a noop, unless a genl_family implements the mcast_bind()
function to handle setting up family-specific multicast operations. Since
no one in-tree uses this functionality as Cong pointed out, simply removing
the genl_bind() function will remove the possibility for deadlock, as there
is no attempt by Thread 1 above to take the cb_lock semaphore.
Fixes: c380d9a7afff ("genetlink: pass multicast bind/unbind to families")
Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Johannes Berg <johannes.berg@intel.com>
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
qctecmdr
|
2b7e08a0a0 | Merge "cfg80211: Add support for HE" | ||
Luca Coelho
|
baf05bf479 |
cfg80211: Add support for HE
Add support for the HE in cfg80211 and also add userspace API to nl80211 to send rate information out, conforming with P802.11ax_D2.0. Signed-off-by: Liad Kaufman <liad.kaufman@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Ilan Peer <ilan.peer@intel.com> Signed-off-by: Ido Yariv <idox.yariv@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes@sipsolutions.net> Change-Id: Ic538dc9fccc0b5a68da6083bd1dfc31901d6c0ca CRs-Fixed: 2666285 Git-commit: c4cbaf7973a794839af080f13748335976cf3f3f Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git Signed-off-by: Paul Zhang <paulz@codeaurora.org> Signed-off-by: Wade Song <wadesong@codeaurora.org> |
||
Sathishkumar Muruganandam
|
8ade580562 |
UPSTREAM: mac80211: add missing WFA Multi-AP backhaul STA Rx requirement
The current mac80211 WDS (4-address mode) can be used to cover most of the
Multi-AP requirements for Data frames per the WFA Multi-AP Specification v1.0.
When configuring AP/STA interfaces in 4-address mode, they are able to function
as fronthaul AP/backhaul STA of Multi-AP device complying below
Tx, Rx requirements except one missing STA Rx requirement added by this patch.
Multi-AP specification section 14.1 describes the following requirements:
Transmitter requirements
------------------------
1. Fronthaul AP
i) When DA!=RA of backhaul STA, must use 4-address format
ii) When DA==RA of backhaul STA, shall use either 3-address
or 4-address format with RA updated with STA MAC
(mac80211 support 4-address format via AP/VLAN interface)
2. Backhaul STA
i) When SA!=TA of backhaul STA, must use 4-address format
ii) When SA==TA of backhaul STA, shall use either 3-address
or 4-address format with RA updated with AP MAC
(mac80211 support 4-address format via use_4addr)
Receiver requirements
---------------------
1. Fronthaul AP
i) When SA!=TA of backhaul STA, must support receiving 4-address
format frames
ii) When SA==TA of backhaul STA, must support receiving both
3-address and 4-address format frames
(mac80211 support both 3-addr & 4-addr via AP/VLAN interface)
2. Backhaul STA
i) When DA!=RA of backhaul STA, must support receiving 4-address
format frames
ii) When DA==RA of backhaul STA, must support receiving both
3-address and 4-address format frames
(mac80211 support only receiving 4-address format via
use_4addr)
This patch addresses the above Rx requirement (ii) for backhaul STA to receive
unicast (DA==RA) 3-address frames in addition to 4-address frames.
The current design doesn't accept 3-address frames when configured in 4-address
mode (use_4addr). Hence add a check to allow 3-address frames when DA==RA of
backhaul STA (adhering to Table 9-26 of IEEE Std 802.11™-2016).
This case was tested with a bridged station interface when associated with
a non-mac80211 based vendor AP implementation using 3-address frames for WDS.
STA was able to support the Multi-AP Rx requirement when DA==RA. No issues,
no loops seen when tested with mac80211 based AP as well.
Verified and confirmed all other Tx and Rx requirements of AP and STA for
Multi-AP respectively. They all work using the current mac80211-WDS design.
Signed-off-by: Sathishkumar Muruganandam <murugana@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Change-Id: Iea5367f7664399c178b5749f7f9f46d7730ec665
Git-commit: 1ecef20cf12865729c86b0e428584635c77159ba
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/ath.git
Signed-off-by: Balaji Pothunoori <bpothuno@codeaurora.org>
|
||
|
Sean Tranchetti
|
99db0b7d5c |
genetlink: remove genl_bind
A potential deadlock can occur during registering or unregistering a
new generic netlink family between the main nl_table_lock and the
cb_lock where each thread wants the lock held by the other, as
demonstrated below.
1) Thread 1 is performing a netlink_bind() operation on a socket. As part
of this call, it will call netlink_lock_table(), incrementing the
nl_table_users count to 1.
2) Thread 2 is registering (or unregistering) a genl_family via the
genl_(un)register_family() API. The cb_lock semaphore will be taken for
writing.
3) Thread 1 will call genl_bind() as part of the bind operation to handle
subscribing to GENL multicast groups at the request of the user. It will
attempt to take the cb_lock semaphore for reading, but it will fail and
be scheduled away, waiting for Thread 2 to finish the write.
4) Thread 2 will call netlink_table_grab() during the (un)registration
call. However, as Thread 1 has incremented nl_table_users, it will not
be able to proceed, and both threads will be stuck waiting for the
other.
genl_bind() is a noop, unless a genl_family implements the mcast_bind()
function to handle setting up family-specific multicast operations. Since
no one in-tree uses this functionality as Cong pointed out, simply removing
the genl_bind() function will remove the possibility for deadlock, as there
is no attempt by Thread 1 above to take the cb_lock semaphore.
Change-Id: Ic7fbc60896384d8fe2d46b56419f14493e5782b6
Fixes: c380d9a7afff ("genetlink: pass multicast bind/unbind to families")
Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Johannes Berg <johannes.berg@intel.com>
Reported-by: kernel test robot <lkp@intel.com>
Git-repo: git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git
Git-commit: 1e82a62fec613844da9e558f3493540a5b7a7b67
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
Greg Kroah-Hartman
|
b726057b9e |
Linux 4.14.187
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAl77n3MACgkQ3qZv95d3 LNzAARAAusuJS+bN1O8HuoKkjr+2Tv1UFKrYkBQTlSgChNFwgWiSCVrU4LeSSp0E H0K+ranCQZvMoFDAODkYP2C+WrxAFscRHahrkBA3sGo0+LHNxhfxyycM36I/w5Jk iRR4WkH7wpLgeTj4h2IIbSUyaCnp5pRzkKb70fzKxDgDQmBWvGFcQ0Pv9JzeKWiw 3Wz9KqKLUfEaUhIrdTFbONvbDXe82a3SE54lEy1apqL1NRumBa/rL8W8oBk7LfHE 8bGM4gd/+bRSER+tZZrWfdzazJ2uIVCCYtEm5R03NxkHZVuslKY+UGQbQcL3OxQN btEimZOGjuP1H+P83rjz4oJmhLWzkKGCBH3zVUwlj6PeSiI0suH2UJEhm8CSwONU 88cGkD75hCXxJWYwtW1dqmt7e2CtRwL4t7UgFvZ15cAG8cYgr2C6JOvxkZ0CfkWS GHnchfDKYnN6e3AWbfoNMrQuA/X6uhgU8lhtI+Txr2CD18tnmiwloQ6VRlX0zcwa 5kOsipd4qRRAmGLwGSfkg+cJXSA4Yw42RmK2R+IUeoq8mgHYPF1R8UYYB+fXIsTC g9k9yeRnd92WZuddWtHIVaHNxuOqDYUGuPUoaiEzKeaTlfxjLdxweIGbn1iThO1Y q1w4QxumGvIpSnvJ8yC1P37uT/j61QVIOytAZzNCQBKTorTo0eo= =Dhaj -----END PGP SIGNATURE----- Merge 4.14.187 into android-4.14-stable Changes in 4.14.187 scsi: scsi_devinfo: handle non-terminated strings net: be more gentle about silly gso requests coming from user block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed net: sched: export __netdev_watchdog_up() fix a braino in "sparc32: fix register window handling in genregs32_[gs]et()" apparmor: don't try to replace stale label in ptraceme check ibmveth: Fix max MTU limit mld: fix memory leak in ipv6_mc_destroy_dev() net: bridge: enfore alignment for ethernet address net: fix memleak in register_netdevice() net: usb: ax88179_178a: fix packet alignment padding rocker: fix incorrect error handling in dma_rings_init rxrpc: Fix notification call on completion of discarded calls sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket tcp: grow window for OOO packets only for SACK flows tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes ip_tunnel: fix use-after-free in ip_tunnel_lookup() tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT ip6_gre: fix use-after-free in ip6gre_tunnel_lookup() net: Fix the arp error in some cases net: Do not clear the sock TX queue in sk_set_socket() net: core: reduce recursion limit value USB: ohci-sm501: Add missed iounmap() in remove usb: dwc2: Postponed gadget registration to the udc class driver usb: add USB_QUIRK_DELAY_INIT for Logitech C922 USB: ehci: reopen solution for Synopsys HC bug usb: host: xhci-mtk: avoid runtime suspend when removing hcd usb: host: ehci-exynos: Fix error check in exynos_ehci_probe() ALSA: usb-audio: add quirk for Denon DCD-1500RE xhci: Fix incorrect EP_STATE_MASK xhci: Fix enumeration issue when setting max packet size for FS devices. cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip loop: replace kill_bdev with invalidate_bdev ALSA: usb-audio: uac1: Invalidate ctl on interrupt ALSA: usb-audio: Clean up mixer element list traverse ALSA: usb-audio: Fix OOB access of mixer element list xhci: Poll for U0 after disabling USB2 LPM cifs/smb3: Fix data inconsistent when punch hole cifs/smb3: Fix data inconsistent when zero file range efi/esrt: Fix reference count leak in esre_create_sysfs_entry. ARM: dts: NSP: Correct FA2 mailbox node rxrpc: Fix handling of rwind from an ACK packet RDMA/cma: Protect bind_list and listen_list while finding matching cm id ASoC: rockchip: Fix a reference count leak. RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads() net: qed: fix left elements count calculation net: qed: fix NVMe login fails over VFs net: qed: fix excessive QM ILT lines consumption ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram() usb: gadget: udc: Potential Oops in error handling code netfilter: ipset: fix unaligned atomic access net: bcmgenet: use hardware padding of runt frames sched/core: Fix PI boosting between RT and DEADLINE tasks ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function net: alx: fix race condition in alx_remove s390/ptrace: fix setting syscall number kbuild: improve cc-option to clean up all temporary files blktrace: break out of blktrace setup on concurrent calls ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table ACPI: sysfs: Fix pm_profile_attr type KVM: X86: Fix MSR range of APIC registers in X2APIC mode KVM: nVMX: Plumb L2 GPA through to PML emulation btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof mm/slab: use memzero_explicit() in kzfree() ocfs2: load global_inode_alloc ocfs2: fix value of OCFS2_INVALID_SLOT ocfs2: fix panic on nfs server over ocfs2 arm64: perf: Report the PC value in REGS_ABI_32 mode tracing: Fix event trigger to accept redundant spaces drm/radeon: fix fb_div check in ni_init_smc_spll_table() Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate() sunrpc: fixed rollback in rpc_gssd_dummy_populate() SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment() pNFS/flexfiles: Fix list corruption if the mirror count changes NFSv4 fix CLOSE not waiting for direct IO compeletion xfs: add agf freeblocks verify in xfs_agf_verify Revert "tty: hvc: Fix data abort due to race in hvc_open" Linux 4.14.187 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I5f3301cdfbf593334e7b3d83f6c83f56a6476a33 |
||
Chuck Lever
|
653db17384 |
SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
commit 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 upstream. @subbuf is an output parameter of xdr_buf_subsegment(). A survey of call sites shows that @subbuf is always uninitialized before xdr_buf_segment() is invoked by callers. There are some execution paths through xdr_buf_subsegment() that do not set all of the fields in @subbuf, leaving some pointer fields containing garbage addresses. Subsequent processing of that buffer then results in a page fault. Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Cc: <stable@vger.kernel.org> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Vasily Averin
|
bbffca92d1 |
sunrpc: fixed rollback in rpc_gssd_dummy_populate()
commit b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 upstream. __rpc_depopulate(gssd_dentry) was lost on error path cc: stable@vger.kernel.org Fixes: commit 4b9a445e3eeb ("sunrpc: create a new dummy pipe for gssd to hold open") Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Reviewed-by: Jeff Layton <jlayton@redhat.com> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Russell King
|
64c4a9d931 |
netfilter: ipset: fix unaligned atomic access
[ Upstream commit 715028460082d07a7ec6fcd87b14b46784346a72 ]
When using ip_set with counters and comment, traffic causes the kernel
to panic on 32-bit ARM:
Alignment trap: not handling instruction e1b82f9f at [<bf01b0dc>]
Unhandled fault: alignment exception (0x221) at 0xea08133c
PC is at ip_set_match_extensions+0xe0/0x224 [ip_set]
The problem occurs when we try to update the 64-bit counters - the
faulting address above is not 64-bit aligned. The problem occurs
due to the way elements are allocated, for example:
set->dsize = ip_set_elem_len(set, tb, 0, 0);
map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
If the element has a requirement for a member to be 64-bit aligned,
and set->dsize is not a multiple of 8, but is a multiple of four,
then every odd numbered elements will be misaligned - and hitting
an atomic64_add() on that element will cause the kernel to panic.
ip_set_elem_len() must return a size that is rounded to the maximum
alignment of any extension field stored in the element. This change
ensures that is the case.
Fixes: 95ad1f4a9358 ("netfilter: ipset: Fix extension alignment")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
David Howells
|
9cdc893472 |
rxrpc: Fix handling of rwind from an ACK packet
[ Upstream commit a2ad7c21ad8cf1ce4ad65e13df1c2a1c29b38ac5 ]
The handling of the receive window size (rwind) from a received ACK packet
is not correct. The rxrpc_input_ackinfo() function currently checks the
current Tx window size against the rwind from the ACK to see if it has
changed, but then limits the rwind size before storing it in the tx_winsize
member and, if it increased, wake up the transmitting process. This means
that if rwind > RXRPC_RXTX_BUFF_SIZE - 1, this path will always be
followed.
Fix this by limiting rwind before we compare it to tx_winsize.
The effect of this can be seen by enabling the rxrpc_rx_rwind_change
tracepoint.
Fixes: 702f2ac87a9a ("rxrpc: Wake up the transmitter if Rx window size increases on the peer")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Tariq Toukan
|
1eb41db96e |
net: Do not clear the sock TX queue in sk_set_socket()
[ Upstream commit 41b14fb8724d5a4b382a63cb4a1a61880347ccb8 ]
Clearing the sock TX queue in sk_set_socket() might cause unexpected
out-of-order transmit when called from sock_orphan(), as outstanding
packets can pick a different TX queue and bypass the ones already queued.
This is undesired in general. More specifically, it breaks the in-order
scheduling property guarantee for device-offloaded TLS sockets.
Remove the call to sk_tx_queue_clear() in sk_set_socket(), and add it
explicitly only where needed.
Fixes: e022f0b4a03f ("net: Introduce sk_tx_queue_mapping")
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
guodeqing
|
897646bcf4 |
net: Fix the arp error in some cases
[ Upstream commit 5eea3a63ff4aba6a26002e657a6d21934b7e2b96 ]
ie.,
$ ifconfig eth0 6.6.6.6 netmask 255.255.255.0
$ ip rule add from 6.6.6.6 table 6666
$ ip route add 9.9.9.9 via 6.6.6.6
$ ping -I 6.6.6.6 9.9.9.9
PING 9.9.9.9 (9.9.9.9) from 6.6.6.6 : 56(84) bytes of data.
3 packets transmitted, 0 received, 100% packet loss, time 2079ms
$ arp
Address HWtype HWaddress Flags Mask Iface
6.6.6.6 (incomplete) eth0
The arp request address is error, this is because fib_table_lookup in
fib_check_nh lookup the destnation 9.9.9.9 nexthop, the scope of
the fib result is RT_SCOPE_LINK,the correct scope is RT_SCOPE_HOST.
Here I add a check of whether this is RT_TABLE_MAIN to solve this problem.
Fixes: 3bfd847203c6 ("net: Use passed in table for nexthop lookups")
Signed-off-by: guodeqing <geffrey.guo@huawei.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Taehee Yoo
|
b7e1a9cff6 |
ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()
[ Upstream commit dafabb6590cb15f300b77c095d50312e2c7c8e0f ]
In the datapath, the ip6gre_tunnel_lookup() is used and it internally uses
fallback tunnel device pointer, which is fb_tunnel_dev.
This pointer variable should be set to NULL when a fb interface is deleted.
But there is no routine to set fb_tunnel_dev pointer to NULL.
So, this pointer will be still used after interface is deleted and
it eventually results in the use-after-free problem.
Test commands:
ip netns add A
ip netns add B
ip link add eth0 type veth peer name eth1
ip link set eth0 netns A
ip link set eth1 netns B
ip netns exec A ip link set lo up
ip netns exec A ip link set eth0 up
ip netns exec A ip link add ip6gre1 type ip6gre local fc:0::1 \
remote fc:0::2
ip netns exec A ip -6 a a fc💯:1/64 dev ip6gre1
ip netns exec A ip link set ip6gre1 up
ip netns exec A ip -6 a a fc:0::1/64 dev eth0
ip netns exec A ip link set ip6gre0 up
ip netns exec B ip link set lo up
ip netns exec B ip link set eth1 up
ip netns exec B ip link add ip6gre1 type ip6gre local fc:0::2 \
remote fc:0::1
ip netns exec B ip -6 a a fc💯:2/64 dev ip6gre1
ip netns exec B ip link set ip6gre1 up
ip netns exec B ip -6 a a fc:0::2/64 dev eth1
ip netns exec B ip link set ip6gre0 up
ip netns exec A ping fc💯:2 -s 60000 &
ip netns del B
Splat looks like:
[ 73.087285][ C1] BUG: KASAN: use-after-free in ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.088361][ C1] Read of size 4 at addr ffff888040559218 by task ping/1429
[ 73.089317][ C1]
[ 73.089638][ C1] CPU: 1 PID: 1429 Comm: ping Not tainted 5.7.0+ #602
[ 73.090531][ C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 73.091725][ C1] Call Trace:
[ 73.092160][ C1] <IRQ>
[ 73.092556][ C1] dump_stack+0x96/0xdb
[ 73.093122][ C1] print_address_description.constprop.6+0x2cc/0x450
[ 73.094016][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.094894][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.095767][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.096619][ C1] kasan_report+0x154/0x190
[ 73.097209][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.097989][ C1] ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.098750][ C1] ? gre_del_protocol+0x60/0x60 [gre]
[ 73.099500][ C1] gre_rcv+0x1c5/0x1450 [ip6_gre]
[ 73.100199][ C1] ? ip6gre_header+0xf00/0xf00 [ip6_gre]
[ 73.100985][ C1] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 73.101830][ C1] ? ip6_input_finish+0x5/0xf0
[ 73.102483][ C1] ip6_protocol_deliver_rcu+0xcbb/0x1510
[ 73.103296][ C1] ip6_input_finish+0x5b/0xf0
[ 73.103920][ C1] ip6_input+0xcd/0x2c0
[ 73.104473][ C1] ? ip6_input_finish+0xf0/0xf0
[ 73.105115][ C1] ? rcu_read_lock_held+0x90/0xa0
[ 73.105783][ C1] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 73.106548][ C1] ipv6_rcv+0x1f1/0x300
[ ... ]
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Neal Cardwell
|
60491c5ab4 |
tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
[ Upstream commit b344579ca8478598937215f7005d6c7b84d28aee ]
Mirja Kuehlewind reported a bug in Linux TCP CUBIC Hystart, where
Hystart HYSTART_DELAY mechanism can exit Slow Start spuriously on an
ACK when the minimum rtt of a connection goes down. From inspection it
is clear from the existing code that this could happen in an example
like the following:
o The first 8 RTT samples in a round trip are 150ms, resulting in a
curr_rtt of 150ms and a delay_min of 150ms.
o The 9th RTT sample is 100ms. The curr_rtt does not change after the
first 8 samples, so curr_rtt remains 150ms. But delay_min can be
lowered at any time, so delay_min falls to 100ms. The code executes
the HYSTART_DELAY comparison between curr_rtt of 150ms and delay_min
of 100ms, and the curr_rtt is declared far enough above delay_min to
force a (spurious) exit of Slow start.
The fix here is simple: allow every RTT sample in a round trip to
lower the curr_rtt.
Fixes: ae27e98a5152 ("[TCP] CUBIC v2.3")
Reported-by: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Taehee Yoo
|
35e91cf554 |
ip_tunnel: fix use-after-free in ip_tunnel_lookup()
[ Upstream commit ba61539c6ae57f4146284a5cb4f7b7ed8d42bf45 ]
In the datapath, the ip_tunnel_lookup() is used and it internally uses
fallback tunnel device pointer, which is fb_tunnel_dev.
This pointer variable should be set to NULL when a fb interface is deleted.
But there is no routine to set fb_tunnel_dev pointer to NULL.
So, this pointer will be still used after interface is deleted and
it eventually results in the use-after-free problem.
Test commands:
ip netns add A
ip netns add B
ip link add eth0 type veth peer name eth1
ip link set eth0 netns A
ip link set eth1 netns B
ip netns exec A ip link set lo up
ip netns exec A ip link set eth0 up
ip netns exec A ip link add gre1 type gre local 10.0.0.1 \
remote 10.0.0.2
ip netns exec A ip link set gre1 up
ip netns exec A ip a a 10.0.100.1/24 dev gre1
ip netns exec A ip a a 10.0.0.1/24 dev eth0
ip netns exec B ip link set lo up
ip netns exec B ip link set eth1 up
ip netns exec B ip link add gre1 type gre local 10.0.0.2 \
remote 10.0.0.1
ip netns exec B ip link set gre1 up
ip netns exec B ip a a 10.0.100.2/24 dev gre1
ip netns exec B ip a a 10.0.0.2/24 dev eth1
ip netns exec A hping3 10.0.100.2 -2 --flood -d 60000 &
ip netns del B
Splat looks like:
[ 77.793450][ C3] ==================================================================
[ 77.794702][ C3] BUG: KASAN: use-after-free in ip_tunnel_lookup+0xcc4/0xf30
[ 77.795573][ C3] Read of size 4 at addr ffff888060bd9c84 by task hping3/2905
[ 77.796398][ C3]
[ 77.796664][ C3] CPU: 3 PID: 2905 Comm: hping3 Not tainted 5.8.0-rc1+ #616
[ 77.797474][ C3] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 77.798453][ C3] Call Trace:
[ 77.798815][ C3] <IRQ>
[ 77.799142][ C3] dump_stack+0x9d/0xdb
[ 77.799605][ C3] print_address_description.constprop.7+0x2cc/0x450
[ 77.800365][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.800908][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.801517][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.802145][ C3] kasan_report+0x154/0x190
[ 77.802821][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.803503][ C3] ip_tunnel_lookup+0xcc4/0xf30
[ 77.804165][ C3] __ipgre_rcv+0x1ab/0xaa0 [ip_gre]
[ 77.804862][ C3] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 77.805621][ C3] gre_rcv+0x304/0x1910 [ip_gre]
[ 77.806293][ C3] ? lock_acquire+0x1a9/0x870
[ 77.806925][ C3] ? gre_rcv+0xfe/0x354 [gre]
[ 77.807559][ C3] ? erspan_xmit+0x2e60/0x2e60 [ip_gre]
[ 77.808305][ C3] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 77.809032][ C3] ? rcu_read_lock_held+0x90/0xa0
[ 77.809713][ C3] gre_rcv+0x1b8/0x354 [gre]
[ ... ]
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Eric Dumazet
|
abbf44f422 |
tcp: grow window for OOO packets only for SACK flows
[ Upstream commit 662051215c758ae8545451628816204ed6cd372d ]
Back in 2013, we made a change that broke fast retransmit
for non SACK flows.
Indeed, for these flows, a sender needs to receive three duplicate
ACK before starting fast retransmit. Sending ACK with different
receive window do not count.
Even if enabling SACK is strongly recommended these days,
there still are some cases where it has to be disabled.
Not increasing the window seems better than having to
rely on RTO.
After the fix, following packetdrill test gives :
// Initialize connection
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
+0 < S 0:0(0) win 32792 <mss 1000,nop,wscale 7>
+0 > S. 0:0(0) ack 1 <mss 1460,nop,wscale 8>
+0 < . 1:1(0) ack 1 win 514
+0 accept(3, ..., ...) = 4
+0 < . 1:1001(1000) ack 1 win 514
// Quick ack
+0 > . 1:1(0) ack 1001 win 264
+0 < . 2001:3001(1000) ack 1 win 514
// DUPACK : Normally we should not change the window
+0 > . 1:1(0) ack 1001 win 264
+0 < . 3001:4001(1000) ack 1 win 514
// DUPACK : Normally we should not change the window
+0 > . 1:1(0) ack 1001 win 264
+0 < . 4001:5001(1000) ack 1 win 514
// DUPACK : Normally we should not change the window
+0 > . 1:1(0) ack 1001 win 264
+0 < . 1001:2001(1000) ack 1 win 514
// Hole is repaired.
+0 > . 1:1(0) ack 5001 win 272
Fixes: 4e4f1fc22681 ("tcp: properly increase rcv_ssthresh for ofo packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Marcelo Ricardo Leitner
|
f6be9e8505 |
sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
[ Upstream commit 471e39df96b9a4c4ba88a2da9e25a126624d7a9c ]
If a socket is set ipv6only, it will still send IPv4 addresses in the
INIT and INIT_ACK packets. This potentially misleads the peer into using
them, which then would cause association termination.
The fix is to not add IPv4 addresses to ipv6only sockets.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Tested-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
David Howells
|
ca03a5c2e7 |
rxrpc: Fix notification call on completion of discarded calls
[ Upstream commit 0041cd5a50442db6e456b145892a0eaf2dff061f ] When preallocated service calls are being discarded, they're passed to ->discard_new_call() to have the caller clean up any attached higher-layer preallocated pieces before being marked completed. However, the act of marking them completed now invokes the call's notification function - which causes a problem because that function might assume that the previously freed pieces of memory are still there. Fix this by setting a dummy notification function on the socket after calling ->discard_new_call(). This results in the following kasan message when the kafs module is removed. ================================================================== BUG: KASAN: use-after-free in afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707 Write of size 1 at addr ffff8880946c39e4 by task kworker/u4:1/21 CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.8.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x18f/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:383 __kasan_report mm/kasan/report.c:513 [inline] kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530 afs_wake_up_async_call+0x6aa/0x770 fs/afs/rxrpc.c:707 rxrpc_notify_socket+0x1db/0x5d0 net/rxrpc/recvmsg.c:40 __rxrpc_set_call_completion.part.0+0x172/0x410 net/rxrpc/recvmsg.c:76 __rxrpc_call_completed net/rxrpc/recvmsg.c:112 [inline] rxrpc_call_completed+0xca/0xf0 net/rxrpc/recvmsg.c:111 rxrpc_discard_prealloc+0x781/0xab0 net/rxrpc/call_accept.c:233 rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245 afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110 afs_net_exit+0x1bc/0x310 fs/afs/main.c:155 ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186 cleanup_net+0x511/0xa50 net/core/net_namespace.c:603 process_one_work+0x965/0x1690 kernel/workqueue.c:2269 worker_thread+0x96/0xe10 kernel/workqueue.c:2415 kthread+0x3b5/0x4a0 kernel/kthread.c:291 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 Allocated by task 6820: save_stack+0x1b/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] __kasan_kmalloc mm/kasan/common.c:494 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:467 kmem_cache_alloc_trace+0x153/0x7d0 mm/slab.c:3551 kmalloc include/linux/slab.h:555 [inline] kzalloc include/linux/slab.h:669 [inline] afs_alloc_call+0x55/0x630 fs/afs/rxrpc.c:141 afs_charge_preallocation+0xe9/0x2d0 fs/afs/rxrpc.c:757 afs_open_socket+0x292/0x360 fs/afs/rxrpc.c:92 afs_net_init+0xa6c/0xe30 fs/afs/main.c:125 ops_init+0xaf/0x420 net/core/net_namespace.c:151 setup_net+0x2de/0x860 net/core/net_namespace.c:341 copy_net_ns+0x293/0x590 net/core/net_namespace.c:482 create_new_namespaces+0x3fb/0xb30 kernel/nsproxy.c:110 unshare_nsproxy_namespaces+0xbd/0x1f0 kernel/nsproxy.c:231 ksys_unshare+0x43d/0x8e0 kernel/fork.c:2983 __do_sys_unshare kernel/fork.c:3051 [inline] __se_sys_unshare kernel/fork.c:3049 [inline] __x64_sys_unshare+0x2d/0x40 kernel/fork.c:3049 do_syscall_64+0x60/0xe0 arch/x86/entry/common.c:359 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Freed by task 21: save_stack+0x1b/0x40 mm/kasan/common.c:48 set_track mm/kasan/common.c:56 [inline] kasan_set_free_info mm/kasan/common.c:316 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:455 __cache_free mm/slab.c:3426 [inline] kfree+0x109/0x2b0 mm/slab.c:3757 afs_put_call+0x585/0xa40 fs/afs/rxrpc.c:190 rxrpc_discard_prealloc+0x764/0xab0 net/rxrpc/call_accept.c:230 rxrpc_listen+0x147/0x360 net/rxrpc/af_rxrpc.c:245 afs_close_socket+0x95/0x320 fs/afs/rxrpc.c:110 afs_net_exit+0x1bc/0x310 fs/afs/main.c:155 ops_exit_list.isra.0+0xa8/0x150 net/core/net_namespace.c:186 cleanup_net+0x511/0xa50 net/core/net_namespace.c:603 process_one_work+0x965/0x1690 kernel/workqueue.c:2269 worker_thread+0x96/0xe10 kernel/workqueue.c:2415 kthread+0x3b5/0x4a0 kernel/kthread.c:291 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:293 The buggy address belongs to the object at ffff8880946c3800 which belongs to the cache kmalloc-1k of size 1024 The buggy address is located 484 bytes inside of 1024-byte region [ffff8880946c3800, ffff8880946c3c00) The buggy address belongs to the page: page:ffffea000251b0c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002546508 ffffea00024fa248 ffff8880aa000c40 raw: 0000000000000000 ffff8880946c3000 0000000100000002 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff8880946c3880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880946c3900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb >ffff8880946c3980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff8880946c3a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff8880946c3a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== Reported-by: syzbot+d3eccef36ddbd02713e9@syzkaller.appspotmail.com Fixes: 5ac0d62226a0 ("rxrpc: Fix missing notification") Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Yang Yingliang
|
b8dabb9635 |
net: fix memleak in register_netdevice()
[ Upstream commit 814152a89ed52c722ab92e9fbabcac3cb8a39245 ]
I got a memleak report when doing some fuzz test:
unreferenced object 0xffff888112584000 (size 13599):
comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
hex dump (first 32 bytes):
74 61 70 30 00 00 00 00 00 00 00 00 00 00 00 00 tap0............
00 ee d9 19 81 88 ff ff 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000002f60ba65>] __kmalloc_node+0x309/0x3a0
[<0000000075b211ec>] kvmalloc_node+0x7f/0xc0
[<00000000d3a97396>] alloc_netdev_mqs+0x76/0xfc0
[<00000000609c3655>] __tun_chr_ioctl+0x1456/0x3d70
[<000000001127ca24>] ksys_ioctl+0xe5/0x130
[<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
[<00000000e1023498>] do_syscall_64+0x56/0xa0
[<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
unreferenced object 0xffff888111845cc0 (size 8):
comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
hex dump (first 8 bytes):
74 61 70 30 00 88 ff ff tap0....
backtrace:
[<000000004c159777>] kstrdup+0x35/0x70
[<00000000d8b496ad>] kstrdup_const+0x3d/0x50
[<00000000494e884a>] kvasprintf_const+0xf1/0x180
[<0000000097880a2b>] kobject_set_name_vargs+0x56/0x140
[<000000008fbdfc7b>] dev_set_name+0xab/0xe0
[<000000005b99e3b4>] netdev_register_kobject+0xc0/0x390
[<00000000602704fe>] register_netdevice+0xb61/0x1250
[<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
[<000000001127ca24>] ksys_ioctl+0xe5/0x130
[<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
[<00000000e1023498>] do_syscall_64+0x56/0xa0
[<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
unreferenced object 0xffff88811886d800 (size 512):
comm "ip", pid 3048, jiffies 4294911734 (age 343.491s)
hex dump (first 32 bytes):
00 00 00 00 ad 4e ad de ff ff ff ff 00 00 00 00 .....N..........
ff ff ff ff ff ff ff ff c0 66 3d a3 ff ff ff ff .........f=.....
backtrace:
[<0000000050315800>] device_add+0x61e/0x1950
[<0000000021008dfb>] netdev_register_kobject+0x17e/0x390
[<00000000602704fe>] register_netdevice+0xb61/0x1250
[<000000002b7ca244>] __tun_chr_ioctl+0x1cd1/0x3d70
[<000000001127ca24>] ksys_ioctl+0xe5/0x130
[<00000000b7d5e66a>] __x64_sys_ioctl+0x6f/0xb0
[<00000000e1023498>] do_syscall_64+0x56/0xa0
[<000000009ec0eb12>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
If call_netdevice_notifiers() failed, then rollback_registered()
calls netdev_unregister_kobject() which holds the kobject. The
reference cannot be put because the netdev won't be add to todo
list, so it will leads a memleak, we need put the reference to
avoid memleak.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Thomas Martitz
|
bc0feec2bc |
net: bridge: enfore alignment for ethernet address
[ Upstream commit db7202dec92e6caa2706c21d6fc359af318bde2e ]
The eth_addr member is passed to ether_addr functions that require
2-byte alignment, therefore the member must be properly aligned
to avoid unaligned accesses.
The problem is in place since the initial merge of multicast to unicast:
commit 6db6f0eae6052b70885562e1733896647ec1d807 bridge: multicast to unicast
Fixes: 6db6f0eae605 ("bridge: multicast to unicast")
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Martitz <t.martitz@avm.de>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Wang Hai
|
c24d430285 |
mld: fix memory leak in ipv6_mc_destroy_dev()
[ Upstream commit ea2fce88d2fd678ed9d45354ff49b73f1d5615dd ]
Commit a84d01647989 ("mld: fix memory leak in mld_del_delrec()") fixed
the memory leak of MLD, but missing the ipv6_mc_destroy_dev() path, in
which mca_sources are leaked after ma_put().
Using ip6_mc_clear_src() to take care of the missing free.
BUG: memory leak
unreferenced object 0xffff8881113d3180 (size 64):
comm "syz-executor071", pid 389, jiffies 4294887985 (age 17.943s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 ff 02 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000002cbc483c>] kmalloc include/linux/slab.h:555 [inline]
[<000000002cbc483c>] kzalloc include/linux/slab.h:669 [inline]
[<000000002cbc483c>] ip6_mc_add1_src net/ipv6/mcast.c:2237 [inline]
[<000000002cbc483c>] ip6_mc_add_src+0x7f5/0xbb0 net/ipv6/mcast.c:2357
[<0000000058b8b1ff>] ip6_mc_source+0xe0c/0x1530 net/ipv6/mcast.c:449
[<000000000bfc4fb5>] do_ipv6_setsockopt.isra.12+0x1b2c/0x3b30 net/ipv6/ipv6_sockglue.c:754
[<00000000e4e7a722>] ipv6_setsockopt+0xda/0x150 net/ipv6/ipv6_sockglue.c:950
[<0000000029260d9a>] rawv6_setsockopt+0x45/0x100 net/ipv6/raw.c:1081
[<000000005c1b46f9>] __sys_setsockopt+0x131/0x210 net/socket.c:2132
[<000000008491f7db>] __do_sys_setsockopt net/socket.c:2148 [inline]
[<000000008491f7db>] __se_sys_setsockopt net/socket.c:2145 [inline]
[<000000008491f7db>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2145
[<00000000c7bc11c5>] do_syscall_64+0xa1/0x530 arch/x86/entry/common.c:295
[<000000005fb7a3f3>] entry_SYSCALL_64_after_hwframe+0x49/0xb3
Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down")
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Acked-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Valentin Longchamp
|
1aa52fb678 |
net: sched: export __netdev_watchdog_up()
[ Upstream commit 1a3db27ad9a72d033235b9673653962c02e3486e ]
Since the quiesce/activate rework, __netdev_watchdog_up() is directly
called in the ucc_geth driver.
Unfortunately, this function is not available for modules and thus
ucc_geth cannot be built as a module anymore. Fix it by exporting
__netdev_watchdog_up().
Since the commit introducing the regression was backported to stable
branches, this one should ideally be as well.
Fixes: 79dde73cf9bc ("net/ethernet/freescale: rework quiesce/activate for ucc_geth")
Signed-off-by: Valentin Longchamp <valentin@longchamp.me>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Srinivasarao P
|
aec6635ddf |
Merge android-4.14.170 (312ed39) into msm-4.14
* refs/heads/tmp-312ed39: Linux 4.14.170 perf report: Fix no libunwind compiled warning break s390 issue btrfs: do not zero f_bavail if we have available space net: Fix skb->csum update in inet_proto_csum_replace16(). l2t_seq_next should increase position index seq_tab_next() should increase position index net/sonic: Quiesce SONIC before re-initializing descriptor memory net/sonic: Fix receive buffer handling net/sonic: Use MMIO accessors net/sonic: Add mutual exclusion for accessing shared state net: fsl/fman: rename IF_MODE_XGMII to IF_MODE_10G net/fsl: treat fsl,erratum-a011043 powerpc/fsl/dts: add fsl,erratum-a011043 qlcnic: Fix CPU soft lockup while collecting firmware dump r8152: get default setting of WOL before initializing airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE tee: optee: Fix compilation issue with nommu ARM: 8955/1: virt: Relax arch timer version check during early boot scsi: fnic: do not queue commands during fwreset vti[6]: fix packet tx through bpf_redirect() ARM: dts: am335x-boneblack-common: fix memory size bnxt_en: Fix ipv6 RFS filter matching logic. net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec wireless: wext: avoid gcc -O3 warning mac80211: Fix TKIP replay protection immediately after key setup cfg80211: Fix radar event during another phy CAC wireless: fix enabling channel 12 for custom regulatory domain qmi_wwan: Add support for Quectel RM500Q ASoC: sti: fix possible sleep-in-atomic igb: Fix SGMII SFP module discovery for 100FX/LX. ixgbe: Fix calculation of queue with VFs and flow director on interface flap ixgbevf: Remove limit of 10 entries for unicast filter list clk: mmp2: Fix the order of timer mux parents mac80211: mesh: restrict airtime metric to peered established plinks soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot ARM: dts: beagle-x15-common: Model 5V0 regulator ARM: dts: sun8i: a83t: Correct USB3503 GPIOs polarity media: si470x-i2c: Move free() past last use of 'radio' cgroup: Prevent double killing of css when enabling threaded cgroup Bluetooth: Fix race condition in hci_release_sock() ttyprintk: fix a potential deadlock in interrupt context issue media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0 media: gspca: zero usb_buf media: af9005: uninitialized variable printked media: digitv: don't continue if remote control state can't be read reiserfs: Fix memory leak of journal device string mm/mempolicy.c: fix out of bounds write in mpol_parse_str() ext4: validate the debug_want_extra_isize mount option at parse time arm64: kbuild: remove compressed images on 'make ARCH=arm64 (dist)clean' tools lib: Fix builds when glibc contains strlcpy() PM / devfreq: Add new name attribute for sysfs perf c2c: Fix return type for histogram sorting comparision functions crypto: pcrypt - Fix user-after-free on module unload x86/resctrl: Fix a deadlock due to inaccurate reference x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup x86/resctrl: Fix use-after-free when deleting resource groups vfs: fix do_last() regression crypto: af_alg - Use bh_lock_sock in sk_destruct rsi: fix use-after-free on probe errors net_sched: ematch: reject invalid TCF_EM_SIMPLE usb-storage: Disable UAS on JMicron SATA enclosure PCI: Add DMA alias quirk for Intel VCA NTB atm: eni: fix uninitialized variable warning gpio: max77620: Add missing dependency on GPIOLIB_IRQCHIP net: wan: sdla: Fix cast from pointer to integer of different size drivers/net/b44: Change to non-atomic bit operations on pwol_mask spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls watchdog: rn5t618_wdt: fix module aliases watchdog: max77620_wdt: fix potential build errors phy: cpcap-usb: Prevent USB line glitches from waking up modem HID: ite: Add USB id match for Acer SW5-012 keyboard dock arc: eznps: fix allmodconfig kconfig warning zd1211rw: fix storage endpoint lookup rtl8xxxu: fix interface sanity check brcmfmac: fix interface sanity check ath9k: fix storage endpoint lookup crypto: chelsio - fix writing tfm flags to wrong place serial: 8250_bcm2835aux: Fix line mismatch on driver unbind staging: vt6656: Fix false Tx excessive retries reporting. staging: vt6656: use NULLFUCTION stack on mac80211 staging: vt6656: correct packet types for CTS protect, mode. staging: wlan-ng: ensure error return is actually returned staging: most: net: fix buffer overflow usb: dwc3: turn off VBUS when leaving host mode USB: serial: ir-usb: fix IrLAP framing USB: serial: ir-usb: fix link-speed handling USB: serial: ir-usb: add missing endpoint sanity check rsi_91x_usb: fix interface sanity check orinoco_usb: fix interface sanity check ANDROID: cf_defconfig: Remove VIRTIO_CONSOLE ANDROID: cf_defconfig: removed CONFIG_CAN ANDROID: cf_defconfig: removed old VIRTIO configs ANDROID: kallsyms: strip hashes from function names with ThinLTO ANDROID: Incremental fs: Enable incremental-fs in cuttlefish_defconfig ANDROID: fix bpf jit + cfi interactions ANDROID: cuttlefish_defconfig: set CONFIG_IKHEADERS to y UPSTREAM: UAPI: ndctl: Remove use of PAGE_SIZE UPSTREAM: libnvdimm, namespace: make min namespace size 4K ANDROID: Incremental fs: Fix sparse errors Change-Id: I265f394825e9f470cfefc0dafbd0d514c526dfb6 Signed-off-by: Srinivasarao P <spathi@codeaurora.org> |
||
|
Srinivasarao P
|
f34d8ef8e8 |
Merge android-4.14.169 (239034f) into msm-4.14
* refs/heads/tmp-239034f: Linux 4.14.169 net/x25: fix nonblocking connect netfilter: ipset: use bitmap infrastructure completely bitmap: Add bitmap_alloc(), bitmap_zalloc() and bitmap_free() md: Avoid namespace collision with bitmap API scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT libertas: Fix two buffer overflows at parsing bss descriptor coresight: tmc-etf: Do not call smp_processor_id from preemptible coresight: etb10: Do not call smp_processor_id from preemptible sd: Fix REQ_OP_ZONE_REPORT completion handling do_last(): fetch directory ->i_mode and ->i_uid before it's too late tracing: xen: Ordered comparison of function pointers scsi: RDMA/isert: Fix a recently introduced regression related to logout hwmon: (nct7802) Fix voltage limits to wrong registers Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register Input: pegasus_notetaker - fix endpoint sanity check Input: aiptek - fix endpoint sanity check Input: gtco - fix endpoint sanity check Input: sur40 - fix interface sanity checks Input: pm8xxx-vib - fix handling of separate enable register Documentation: Document arm64 kpti control mmc: sdhci: fix minimum clock rate for v3 controller mmc: tegra: fix SDR50 tuning override ARM: 8950/1: ftrace/recordmcount: filter relocation types Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers" Input: keyspan-remote - fix control-message timeouts hwmon: (core) Do not use device managed functions for memory allocations hwmon: (core) Fix double-free in __hwmon_device_register() hwmon: Deal with errors from the thermal subsystem hwmon: (adt7475) Make volt2reg return same reg as reg2volt input net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link() tcp_bbr: improve arithmetic division in bbr_update_bw() net: usb: lan78xx: Add .ndo_features_check net-sysfs: Fix reference count leak net-sysfs: Call dev_hold always in rx_queue_add_kobject net-sysfs: Call dev_hold always in netdev_queue_add_kobject net-sysfs: fix netdev_queue_add_kobject() breakage net-sysfs: Fix reference count leak in rx|netdev_queue_add_kobject net_sched: fix datalen for ematch net, ip_tunnel: fix namespaces move net, ip6_tunnel: fix namespaces move net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions gtp: make sure only SOCK_DGRAM UDP sockets are accepted firestream: fix memory leaks can, slip: Protect tty->disc_data in write_wakeup and close with RCU UPSTREAM: staging: most: net: fix buffer overflow ANDROID: Fixing incremental fs style issues ANDROID: Make incfs selftests pass ANDROID: Initial commit of Incremental FS ANDROID: cuttlefish_defconfig: Enable CONFIG_BTT New header file entries are added to .bp files. Change-Id: I521b976a19c8993b0047ab06e6d42b5107c234a3 Signed-off-by: Srinivasarao P <spathi@codeaurora.org> |
||
|
Srinivasarao P
|
8e1e29842d |
Merge android-4.14.168 (509b380) into msm-4.14
* refs/heads/tmp-509b380:
Revert "Revert "ANDROID: security,perf: Allow further restriction of perf_event_open""
Linux 4.14.168
m68k: Call timer_interrupt() with interrupts disabled
serial: stm32: fix clearing interrupt error flags
IB/iser: Fix dma_nents type definition
arm64: dts: juno: Fix UART frequency
drm/radeon: fix bad DMA from INTERRUPT_CNTL2
dmaengine: ti: edma: fix missed failure handling
affs: fix a memory leak in affs_remount
mmc: core: fix wl1251 sdio quirks
mmc: sdio: fix wl1251 vendor id
packet: fix data-race in fanout_flow_is_huge()
net: neigh: use long type to store jiffies delta
hv_netvsc: flag software created hash value
MIPS: Loongson: Fix return value of loongson_hwmon_init
afs: Fix large file support
net: qca_spi: Move reset_count to struct qcaspi
net: netem: correct the parent's backlog when corrupted packet was dropped
net: netem: fix error path for corrupted GSO frames
dmaengine: imx-sdma: fix size check for sdma script_number
drm/msm/dsi: Implement reset correctly
tcp: annotate lockless access to tcp_memory_pressure
net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head
net: avoid possible false sharing in sk_leave_memory_pressure()
act_mirred: Fix mirred_init_module error handling
net: stmmac: fix length of PTP clock's name string
llc: fix sk_buff refcounting in llc_conn_state_process()
llc: fix another potential sk_buff leak in llc_ui_sendmsg()
mac80211: accept deauth frames in IBSS mode
net: stmmac: gmac4+: Not all Unicast addresses may be available
nvme: retain split access workaround for capability reads
net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse()
of: mdio: Fix a signedness bug in of_phy_get_and_connect()
net: axienet: fix a signedness bug in probe
net: stmmac: dwmac-meson8b: Fix signedness bug in probe
net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe()
net: hisilicon: Fix signedness bug in hix5hd2_dev_probe()
net: aquantia: Fix aq_vec_isr_legacy() return value
iommu/amd: Wait for completion of IOTLB flush in attach_device
net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names'
RDMA/cma: Fix false error message
ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet
pinctrl: iproc-gpio: Fix incorrect pinconf configurations
net: sonic: replace dev_kfree_skb in sonic_send_packet
hwmon: (shtc1) fix shtc1 and shtw1 id mask
ixgbe: sync the first fragment unconditionally
btrfs: use correct count in btrfs_file_write_iter()
Btrfs: fix inode cache waiters hanging on path allocation failure
Btrfs: fix inode cache waiters hanging on failure to start caching thread
Btrfs: fix hang when loading existing inode cache off disk
scsi: fnic: fix msix interrupt allocation
net: sonic: return NETDEV_TX_OK if failed to map buffer
tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs
ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init
iio: dac: ad5380: fix incorrect assignment to val
bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
irqdomain: Add the missing assignment of domain->fwnode for named fwnode
staging: greybus: light: fix a couple double frees
x86, perf: Fix the dependency of the x86 insn decoder selftest
power: supply: Init device wakeup after device_add()
hwmon: (lm75) Fix write operations for negative temperatures
Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()"
ahci: Do not export local variable ahci_em_messages
iommu/mediatek: Fix iova_to_phys PA start for 4GB mode
mips: avoid explicit UB in assignment of mips_io_port_base
rtc: pcf2127: bugfix: read rtc disables watchdog
media: atmel: atmel-isi: fix timeout value for stop streaming
mac80211: minstrel_ht: fix per-group max throughput rate initialization
dmaengine: dw: platform: Switch to acpi_dma_controller_register()
ASoC: sun4i-i2s: RX and TX counter registers are swapped
signal: Allow cifs and drbd to receive their terminating signals
bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails
net/rds: Add a few missing rds_stat_names entries
ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls
ASoC: cs4349: Use PM ops 'cs4349_runtime_pm'
ASoC: es8328: Fix copy-paste error in es8328_right_line_controls
ext4: set error return correctly when ext4_htree_store_dirent fails
crypto: caam - free resources in case caam_rng registration failed
cifs: fix rmmod regression in cifs.ko caused by force_sig changes
net/mlx5: Fix mlx5_ifc_query_lag_out_bits
ARM: dts: stm32: add missing vdda-supply to adc on stm32h743i-eval
tipc: reduce risk of wakeup queue starvation
ALSA: aoa: onyx: always initialize register read value
crypto: ccp - Reduce maximum stack usage
x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI
mic: avoid statically declaring a 'struct device'.
usb: host: xhci-hub: fix extra endianness conversion
qed: reduce maximum stack frame size
libertas_tf: Use correct channel range in lbtf_geo_init
PM: sleep: Fix possible overflow in pm_system_cancel_wakeup()
clk: sunxi-ng: v3s: add the missing PLL_DDR1
scsi: libfc: fix null pointer dereference on a null lport
net: pasemi: fix an use-after-free in pasemi_mac_phy_init()
RDMA/hns: Fixs hw access invalid dma memory error
devres: allow const resource arguments
rxrpc: Fix uninitialized error code in rxrpc_send_data_packet()
mfd: intel-lpss: Release IDA resources
iommu/amd: Make iommu_disable safer
bnxt_en: Fix ethtool selftest crash under error conditions.
nvmem: imx-ocotp: Ensure WAIT bits are preserved when setting timing
clk: qcom: Fix -Wunused-const-variable
dmaengine: hsu: Revert "set HSU_CH_MTSR to memory width"
perf/ioctl: Add check for the sample_period value
drm/msm/a3xx: remove TPL1 regs from snapshot
rtc: pcf8563: Clear event flags and disable interrupts before requesting irq
rtc: pcf8563: Fix interrupt trigger method
ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs
net/af_iucv: always register net_device notifier
net: netem: fix backlog accounting for corrupted GSO frames
drm/msm/mdp5: Fix mdp5_cfg_init error return
powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration
powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild
qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state
iommu/vt-d: Duplicate iommu_resv_region objects per device list
mpls: fix warning with multi-label encap
media: vivid: fix incorrect assignment operation when setting video mode
cpufreq: brcmstb-avs-cpufreq: Fix types for voltage/frequency
cpufreq: brcmstb-avs-cpufreq: Fix initial command check
netvsc: unshare skb in VF rx handler
inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig
iommu: Use right function to get group for device
misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa
serial: stm32: fix wakeup source initialization
serial: stm32: Add support of TC bit status check
serial: stm32: fix transmit_chars when tx is stopped
serial: stm32: fix rx error handling
crypto: ccp - Fix 3DES complaint from ccp-crypto module
crypto: ccp - fix AES CFB error exposed by new test vectors
spi: spi-fsl-spi: call spi_finalize_current_message() at the end
RDMA/qedr: Fix incorrect device rate.
arm64: dts: meson: libretech-cc: set eMMC as removable
dmaengine: tegra210-adma: Fix crash during probe
ARM: dts: sun8i-h3: Fix wifi in Beelink X2 DT
EDAC/mc: Fix edac_mc_find() in case no device is found
thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
backlight: lm3630a: Return 0 on success in update_status functions
kdb: do a sanity check on the cpu in kdb_per_cpu()
ARM: riscpc: fix lack of keyboard interrupts after irq conversion
pwm: meson: Don't disable PWM when setting duty repeatedly
pwm: meson: Consider 128 a valid pre-divider
netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
crypto: caam - fix caam_dump_sg that iterates through scatterlist
platform/x86: alienware-wmi: printing the wrong error code
media: davinci/vpbe: array underflow in vpbe_enum_outputs()
media: omap_vout: potential buffer overflow in vidioc_dqbuf()
l2tp: Fix possible NULL pointer dereference
vfio/mdev: Fix aborting mdev child device removal if one fails
vfio/mdev: Avoid release parent reference during error path
afs: Fix the afs.cell and afs.volume xattr handlers
lightnvm: pblk: fix lock order in pblk_rb_tear_down_check
mmc: core: fix possible use after free of host
dmaengine: tegra210-adma: restore channel status
net: ena: fix ena_com_fill_hash_function() implementation
net: ena: fix incorrect test of supported hash function
net: ena: fix: Free napi resources when ena_up() fails
net: ena: fix swapped parameters when calling ena_com_indirect_table_fill_entry
iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU
IB/mlx5: Add missing XRC options to QP optional params mask
dwc2: gadget: Fix completed transfer size calculation in DDMA
usb: gadget: fsl: fix link error against usb-gadget module
ASoC: fix valid stream condition
packet: in recvmsg msg_name return at least sizeof sockaddr_ll
scsi: qla2xxx: Avoid that qlt_send_resp_ctio() corrupts memory
scsi: qla2xxx: Fix a format specifier
irqchip/gic-v3-its: fix some definitions of inner cacheability attributes
NFS: Don't interrupt file writeout due to fatal errors
ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk()
dmaengine: axi-dmac: Don't check the number of frames for alignment
6lowpan: Off by one handling ->nexthdr
media: ov2659: fix unbalanced mutex_lock/unlock
ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect
powerpc: vdso: Make vdso32 installation conditional in vdso_install
selftests/ipc: Fix msgque compiler warnings
tipc: set sysctl_tipc_rmem and named_timeout right range
platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer
hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses
net: hns3: fix for vport->bw_limit overflow problem
ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data"
scsi: target/core: Fix a race condition in the LUN lookup code
scsi: qla2xxx: Unregister chrdev if module initialization fails
ehea: Fix a copy-paste err in ehea_init_port_res
spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios
soc/fsl/qe: Fix an error code in qe_pin_request()
spi: tegra114: configure dma burst size to fifo trig level
spi: tegra114: flush fifos
spi: tegra114: terminate dma and reset on transfer timeout
spi: tegra114: fix for unpacked mode transfers
spi: tegra114: clear packed bit for unpacked mode
media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
media: davinci-isif: avoid uninitialized variable use
ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset()
arm64: dts: allwinner: a64: Add missing PIO clocks
m68k: mac: Fix VIA timer counter accesses
tipc: tipc clang warning
jfs: fix bogus variable self-initialization
regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB
media: cx23885: check allocation return
media: wl128x: Fix an error code in fm_download_firmware()
media: cx18: update *pos correctly in cx18_read_pos()
media: ivtv: update *pos correctly in ivtv_read_pos()
regulator: lp87565: Fix missing register for LP87565_BUCK_0
net: sh_eth: fix a missing check of of_get_phy_mode
xen, cpu_hotplug: Prevent an out of bounds access
drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
scsi: megaraid_sas: reduce module load time
x86/mm: Remove unused variable 'cpu'
nios2: ksyms: Add missing symbol exports
powerpc/mm: Check secondary hash page table
net: aquantia: fixed instack structure overflow
NFSv4/flexfiles: Fix invalid deref in FF_LAYOUT_DEVID_NODE()
netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
ARM: 8848/1: virt: Align GIC version check with arm64 counterpart
ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used
mmc: sdhci-brcmstb: handle mmc_of_parse() errors during probe
NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount
platform/x86: wmi: fix potential null pointer dereference
clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable
NFS: Fix a soft lockup in the delegation recovery code
powerpc/64s: Fix logic when handling unknown CPU features
staging: rtlwifi: Use proper enum for return in halmac_parse_psd_data_88xx
fs/nfs: Fix nfs_parse_devname to not modify it's argument
ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of()
drm/nouveau/pmu: don't print reply values if exec is false
drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON
net: dsa: qca8k: Enable delay for RGMII_ID mode
regulator: pv88090: Fix array out-of-bounds access
regulator: pv88080: Fix array out-of-bounds access
regulator: pv88060: Fix array out-of-bounds access
cdc-wdm: pass return value of recover_from_urb_loss
dmaengine: mv_xor: Use correct device for DMA API
staging: r8822be: check kzalloc return or bail
KVM: PPC: Release all hardware TCE tables attached to a group
hwmon: (pmbus/tps53679) Fix driver info initialization in probe routine
vfio_pci: Enable memory accesses before calling pci_map_rom
keys: Timestamp new keys
block: don't use bio->bi_vcnt to figure out segment number
usb: phy: twl6030-usb: fix possible use-after-free on remove
PCI: endpoint: functions: Use memcpy_fromio()/memcpy_toio()
pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
pinctrl: sh-pfc: r8a7792: Fix vin1_data18_b pin group
pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
pinctrl: sh-pfc: emev2: Add missing pinmux functions
drm/etnaviv: potential NULL dereference
iw_cxgb4: use tos when finding ipv6 routes
iw_cxgb4: use tos when importing the endpoint
fbdev: chipsfb: remove set but not used variable 'size'
rtc: pm8xxx: fix unintended sign extension
rtc: 88pm80x: fix unintended sign extension
rtc: 88pm860x: fix unintended sign extension
rtc: ds1307: rx8130: Fix alarm handling
net: phy: fixed_phy: Fix fixed_phy not checking GPIO
thermal: mediatek: fix register index error
rtc: ds1672: fix unintended sign extension
staging: most: cdev: add missing check for cdev_add failure
iwlwifi: mvm: fix RSS config command
ARM: dts: lpc32xx: phy3250: fix SD card regulator voltage
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller clocks property
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant
ARM: dts: lpc32xx: reparent keypad controller to SIC1
ARM: dts: lpc32xx: add required clocks property to keypad device node
driver core: Do not resume suppliers under device_links_write_lock()
crypto: crypto4xx - Fix wrong ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments
driver: uio: fix possible use-after-free in __uio_register_device
driver: uio: fix possible memory leak in __uio_register_device
tty: ipwireless: Fix potential NULL pointer dereference
iwlwifi: mvm: fix A-MPDU reference assignment
net/mlx5: Take lock with IRQs disabled to avoid deadlock
iwlwifi: mvm: avoid possible access out of array.
clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it
spi/topcliff_pch: Fix potential NULL dereference on allocation error
rtc: cmos: ignore bogus century byte
IB/iser: Pass the correct number of entries for dma mapped SGL
ASoC: imx-sgtl5000: put of nodes if finding codec fails
crypto: tgr192 - fix unaligned memory access
crypto: brcm - Fix some set-but-not-used warning
kbuild: mark prepare0 as PHONY to fix external module build
media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump()
RDMA/iw_cxgb4: Fix the unchecked ep dereference
spi: cadence: Correct initialisation of runtime PM
arm64: dts: apq8016-sbc: Increase load on l11 for SDCARD
drm/shmob: Fix return value check in shmob_drm_probe
RDMA/qedr: Fix out of bounds index check in query pkey
RDMA/ocrdma: Fix out of bounds index check in query pkey
IB/usnic: Fix out of bounds index check in query pkey
MIPS: BCM63XX: drop unused and broken DSP platform device
clk: dove: fix refcount leak in dove_clk_init()
clk: mv98dx3236: fix refcount leak in mv98dx3236_clk_init()
clk: armada-xp: fix refcount leak in axp_clk_init()
clk: kirkwood: fix refcount leak in kirkwood_clk_init()
clk: armada-370: fix refcount leak in a370_clk_init()
clk: vf610: fix refcount leak in vf610_clocks_init()
clk: imx7d: fix refcount leak in imx7d_clocks_init()
clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
clk: imx6q: fix refcount leak in imx6q_clocks_init()
clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
clk: socfpga: fix refcount leak
clk: qoriq: fix refcount leak in clockgen_init()
clk: highbank: fix refcount leak in hb_clk_init()
Input: nomadik-ske-keypad - fix a loop timeout test
vxlan: changelink: Fix handling of default remotes
pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value
pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field
pinctrl: sh-pfc: r8a77995: Remove bogus SEL_PWM[0-3]_3 configurations
pinctrl: sh-pfc: sh7734: Add missing IPSR11 field
pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field
pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group
pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group
pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group
pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group
pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group
switchtec: Remove immediate status check after submitting MRPC command
staging: bcm2835-camera: Abort probe if there is no camera
IB/rxe: Fix incorrect cache cleanup in error flow
net: phy: Fix not to call phy_resume() if PHY is not attached
drm/dp_mst: Skip validating ports during destruction, just ref
exportfs: fix 'passing zero to ERR_PTR()' warning
pcrypt: use format specifier in kobject_add
NTB: ntb_hw_idt: replace IS_ERR_OR_NULL with regular NULL checks
mlxsw: reg: QEEC: Add minimum shaper fields
drm/sun4i: hdmi: Fix double flag assignation
pwm: lpss: Release runtime-pm reference from the driver's remove callback
staging: comedi: ni_mio_common: protect register write overflow
ALSA: usb-audio: update quirk for B&W PX to remove microphone
IB/hfi1: Add mtu check for operational data VLs
IB/rxe: replace kvfree with vfree
drm/hisilicon: hibmc: Don't overwrite fb helper surface depth
PCI: iproc: Remove PAXC slot check to allow VF support
apparmor: don't try to replace stale label in ptrace access check
ALSA: hda: fix unused variable warning
drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
drm/sti: do not remove the drm_bridge that was never added
crypto: sun4i-ss - fix big endian issues
mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
tipc: fix wrong timeout input for tipc_wait_for_cond()
powerpc/archrandom: fix arch_get_random_seed_int()
mfd: intel-lpss: Add default I2C device properties for Gemini Lake
xfs: Sanity check flags of Q_XQUOTARM call
FROMGIT: ext4: Add EXT4_IOC_FSGETXATTR/EXT4_IOC_FSSETXATTR to compat_ioctl.
ANDROID: cuttlefish_defconfig: enable CONFIG_IKHEADERS as m
ANDROID: cuttlefish_defconfig: enable NVDIMM/PMEM options
UPSTREAM: virtio-pmem: Add virtio pmem driver
BACKPORT: libnvdimm: nd_region flush callback support
UPSTREAM: libnvdimm/of_pmem: Provide a unique name for bus provider
UPSTREAM: libnvdimm/of_pmem: Fix platform_no_drv_owner.cocci warnings
UPSTREAM: libnvdimm, of_pmem: use dev_to_node() instead of of_node_to_nid()
UPSTREAM: libnvdimm: Add device-tree based driver
UPSTREAM: libnvdimm: Add of_node to region and bus descriptors
FROMLIST: security: selinux: allow per-file labelling for binderfs
UPSTREAM: mm/page_io.c: annotate refault stalls from swap_readpage
Revert "ANDROID: security,perf: Allow further restriction of perf_event_open"
ANDROID: selinux: modify RTM_GETLINK permission
UPSTREAM: lib/test_meminit.c: add bulk alloc/free tests
UPSTREAM: lib/test_meminit: add a kmem_cache_alloc_bulk() test
UPSTREAM: mm: slub: really fix slab walking for init_on_free
UPSTREAM: mm/slub.c: init_on_free=1 should wipe freelist ptr for bulk allocations
Conflicts:
drivers/mmc/core/quirks.h
include/uapi/linux/virtio_ids.h
New header file entries are added to .bp files.
Change-Id: I515cb78684f524e239850625b163ba023b517e10
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
|
||
|
qctecmdr
|
877102ed32 | Merge "Merge android-4.14.167 (571f968) into msm-4.14" | ||
|
qctecmdr
|
37c2499eda | Merge "Merge android-4.14.165 (748d727) into msm-4.14" | ||
|
Greg Kroah-Hartman
|
e570b0fb2f |
This is the 4.14.186 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl70qaoACgkQONu9yGCS aT47KBAAuBj7O/teYsWuuqSn02hBOlNBOSN1QMKgt72FZmZqusM3GHIII2N0dk0y RATaEXpI/WxgJ7DZ8G9FdTbIyTtbtSV6M190xfjU5gYSdRJv/eDNEYMGiXrCPzJz 4LX/fQUJJQymw1PY89VHMsMcFCVyOlQiZHKQNCfNKFb0xxv6CzbaDM91OlNfJOA4 6w4f3+kB91b+UW/50T9S+ZbJmnX40Lg6GW5yPZP8U2W2gXhHqgWvX5wKbVmr/VLz fcFz8wLxX18Qjp475r185SNp0pN5QyctiwqXm+ngMTbs1DXXHVHUrV5PFwEnc8/Y 1OUWQUfqhvzQetgkhm+WkGtt+TtC12+yjnWy0nTPNt9Uj0/WkM7PpEAjV0Q5qEuS TCJuzzNtrK0vXbTpNCorh3DUzTyH3EhAM8AO4HyVQxie4nfpqaOY/MqdKGuk3LlH jKKn5xjYt0jjRjPBUjphbJs2PU8mOmc4X2cK9tKPHfgPk6KrPJTnPUyCYMBie8g+ 5h15lBqv/SvdUMhtjD+p7LnP6iMIV7DZUW06NFQQ91Q/ZVyb4kJyynmr40ScJJ6O +f+GOdkhy3JSVFtKOgwDOx/V6HSPzVgvI6fhxfdCc9jMxmksE5LcEy7FN0m5jLYL diUbkrinK2dGq1XjJ7N/zx4HzeR6Nvg56aCMaGJvXqHgWv9znNc= =W8kd -----END PGP SIGNATURE----- Merge 4.14.186 into android-4.14-stable Changes in 4.14.186 s390: fix syscall_get_error for compat processes drm/i915: Whitelist context-local timestamp in the gen9 cmdparser power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select clk: sunxi: Fix incorrect usage of round_down() i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets iio: pressure: bmp280: Tolerate IRQ before registering remoteproc: Fix IDR initialisation in rproc_alloc() clk: qcom: msm8916: Fix the address location of pll->config_reg backlight: lp855x: Ensure regulators are disabled on probe failure ASoC: davinci-mcasp: Fix dma_chan refcnt leak when getting dma type ARM: integrator: Add some Kconfig selections scsi: qedi: Check for buffer overflow in qedi_set_path() ALSA: isa/wavefront: prevent out of bounds write in ioctl scsi: qla2xxx: Fix issue with adapter's stopping state iio: bmp280: fix compensation of humidity f2fs: report delalloc reserve as non-free in statfs for project quota i2c: pxa: clear all master action bits in i2c_pxa_stop_message() usblp: poison URBs upon disconnect dm mpath: switch paths in dm_blk_ioctl() code path PCI: aardvark: Don't blindly enable ASPM L0s and don't write to read-only register ps3disk: use the default segment boundary vfio/pci: fix memory leaks in alloc_perm_bits() m68k/PCI: Fix a memory leak in an error handling path mfd: wm8994: Fix driver operation if loaded as modules scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event clk: clk-flexgen: fix clock-critical handling powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple hv-24x7 events run nfsd: Fix svc_xprt refcnt leak when setup callback client failed powerpc/crashkernel: Take "mem=" option into account yam: fix possible memory leak in yam_init_driver NTB: Fix the default port and peer numbers for legacy drivers mksysmap: Fix the mismatch of '.L' symbols in System.map apparmor: fix introspection of of task mode for unconfined tasks scsi: sr: Fix sr_probe() missing deallocate of device minor scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM staging: greybus: fix a missing-check bug in gb_lights_light_config() scsi: qedi: Do not flush offload work if ARP not resolved ALSA: usb-audio: Improve frames size computation s390/qdio: put thinint indicator after early error tty: hvc: Fix data abort due to race in hvc_open thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR staging: sm750fb: add missing case while setting FB_VISUAL i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output serial: amba-pl011: Make sure we initialize the port.lock spinlock drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver developer is foolish PCI: rcar: Fix incorrect programming of OB windows PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges scsi: qla2xxx: Fix warning after FC target reset power: supply: lp8788: Fix an error handling path in 'lp8788_charger_probe()' power: supply: smb347-charger: IRQSTAT_D is volatile scsi: mpt3sas: Fix double free warnings dlm: remove BUG() before panic() clk: ti: composite: fix memory leak PCI: Fix pci_register_host_bridge() device_register() error handling tty: n_gsm: Fix SOF skipping tty: n_gsm: Fix waking up upper tty layer when room available powerpc/pseries/ras: Fix FWNMI_VALID off by one powerpc/ps3: Fix kexec shutdown hang vfio-pci: Mask cap zero usb/ohci-platform: Fix a warning when hibernating drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms allocation USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe() tty: n_gsm: Fix bogus i++ in gsm_data_kick clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1 powerpc/64s/pgtable: fix an undefined behaviour dm zoned: return NULL if dmz_get_zone_for_reclaim() fails to find a zone PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port IB/cma: Fix ports memory leak in cma_configfs watchdog: da9062: No need to ping manually before setting timeout usb: dwc2: gadget: move gadget resume after the core is in L0 state USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in s3c2410_udc_nuke usb: gadget: lpc32xx_udc: don't dereference ep pointer before null check usb: gadget: fix potential double-free in m66592_probe. usb: gadget: Fix issue with config_ep_by_speed function x86/apic: Make TSC deadline timer detection message visible clk: bcm2835: Fix return type of bcm2835_register_gate scsi: ufs-qcom: Fix scheduling while atomic issue net: sunrpc: Fix off-by-one issues in 'rpc_ntop6' NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION powerpc/4xx: Don't unmap NULL mbase extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()' ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed vfio/mdev: Fix reference count leak in add_mdev_supported_type openrisc: Fix issue with argument clobbering for clone/fork gfs2: Allow lock_nolock mount to specify jid=X scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj scsi: ufs: Don't update urgent bkops level when toggling auto bkops pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()' pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()' crypto: omap-sham - add proper load balancing support for multicore geneve: change from tx_error to tx_dropped on missing metadata lib/zlib: remove outdated and incorrect pre-increment optimization include/linux/bitops.h: avoid clang shift-count-overflow warnings elfnote: mark all .note sections SHF_ALLOC selftests/vm/pkeys: fix alloc_random_pkey() to make it really random blktrace: use errno instead of bi_status blktrace: fix endianness in get_pdu_int() blktrace: fix endianness for blk_log_remap() gfs2: fix use-after-free on transaction ail lists selftests/net: in timestamping, strncpy needs to preserve null byte drm/sun4i: hdmi ddc clk: Fix size of m divider scsi: acornscsi: Fix an error handling path in acornscsi_probe() usb/xhci-plat: Set PM runtime as active on resume usb/ehci-platform: Set PM runtime as active on resume perf report: Fix NULL pointer dereference in hists__fprintf_nr_sample_events() bcache: fix potential deadlock problem in btree_gc_coalesce block: Fix use-after-free in blkdev_get() arm64: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints libata: Use per port sync for detach drm: encoder_slave: fix refcouting error for modules drm/dp_mst: Reformat drm_dp_check_act_status() a bit drm/qxl: Use correct notify port address when creating cursor ring selinux: fix double free ext4: fix partial cluster initialization when splitting extent drm/dp_mst: Increase ACT retry timeout to 3s x86/boot/compressed: Relax sed symbol type regex for LLVM ld.lld block: nr_sects_write(): Disable preemption on seqcount write mtd: rawnand: Pass a nand_chip object to nand_release() mtd: rawnand: diskonchip: Fix the probe error path mtd: rawnand: sharpsl: Fix the probe error path mtd: rawnand: xway: Fix the probe error path mtd: rawnand: orion: Fix the probe error path mtd: rawnand: oxnas: Add of_node_put() mtd: rawnand: oxnas: Fix the probe error path mtd: rawnand: socrates: Fix the probe error path mtd: rawnand: plat_nand: Fix the probe error path mtd: rawnand: mtk: Fix the probe error path mtd: rawnand: tmio: Fix the probe error path crypto: algif_skcipher - Cap recv SG list at ctx->used crypto: algboss - don't wait during notifier callback kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex e1000e: Do not wake up the system via WOL if device wakeup is disabled kretprobe: Prevent triggering kretprobe from within kprobe_flush_task sched/rt, net: Use CONFIG_PREEMPTION.patch net: core: device_rename: Use rwsem instead of a seqcount md: add feature flag MD_FEATURE_RAID0_LAYOUT kvm: x86: Move kvm_set_mmio_spte_mask() from x86.c to mmu.c kvm: x86: Fix reserved bits related calculation errors caused by MKTME KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated Linux 4.14.186 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I5a9f5c8483f37ac08cf01991ffa43b333fdfa0a3 |
||
Ahmed S. Darwish
|
7569bfabdc |
net: core: device_rename: Use rwsem instead of a seqcount
[ Upstream commit 11d6011c2cf29f7c8181ebde6c8bc0c4d83adcd7 ]
Sequence counters write paths are critical sections that must never be
preempted, and blocking, even for CONFIG_PREEMPTION=n, is not allowed.
Commit 5dbe7c178d3f ("net: fix kernel deadlock with interface rename and
netdev name retrieval.") handled a deadlock, observed with
CONFIG_PREEMPTION=n, where the devnet_rename seqcount read side was
infinitely spinning: it got scheduled after the seqcount write side
blocked inside its own critical section.
To fix that deadlock, among other issues, the commit added a
cond_resched() inside the read side section. While this will get the
non-preemptible kernel eventually unstuck, the seqcount reader is fully
exhausting its slice just spinning -- until TIF_NEED_RESCHED is set.
The fix is also still broken: if the seqcount reader belongs to a
real-time scheduling policy, it can spin forever and the kernel will
livelock.
Disabling preemption over the seqcount write side critical section will
not work: inside it are a number of GFP_KERNEL allocations and mutex
locking through the drivers/base/ :: device_rename() call chain.
>From all the above, replace the seqcount with a rwsem.
Fixes: 5dbe7c178d3f (net: fix kernel deadlock with interface rename and netdev name retrieval.)
Fixes: 30e6c9fa93cf (net: devnet_rename_seq should be a seqcount)
Fixes: c91f6df2db49 (sockopt: Change getsockopt() of SO_BINDTODEVICE to return an interface name)
Cc: <stable@vger.kernel.org>
Reported-by: kbuild test robot <lkp@intel.com> [ v1 missing up_read() on error exit ]
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> [ v1 missing up_read() on error exit ]
Signed-off-by: Ahmed S. Darwish <a.darwish@linutronix.de>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Thomas Gleixner
|
1714d977f5 |
sched/rt, net: Use CONFIG_PREEMPTION.patch
[ Upstream commit 2da2b32fd9346009e9acdb68c570ca8d3966aba7 ] CONFIG_PREEMPTION is selected by CONFIG_PREEMPT and by CONFIG_PREEMPT_RT. Both PREEMPT and PREEMPT_RT require the same functionality which today depends on CONFIG_PREEMPT. Update the comment to use CONFIG_PREEMPTION. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: David S. Miller <davem@davemloft.net> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: netdev@vger.kernel.org Link: https://lore.kernel.org/r/20191015191821.11479-22-bigeasy@linutronix.de Signed-off-by: Ingo Molnar <mingo@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Fedor Tokarev
|
e669399894 |
net: sunrpc: Fix off-by-one issues in 'rpc_ntop6'
[ Upstream commit 118917d696dc59fd3e1741012c2f9db2294bed6f ] Fix off-by-one issues in 'rpc_ntop6': - 'snprintf' returns the number of characters which would have been written if enough space had been available, excluding the terminating null byte. Thus, a return value of 'sizeof(scopebuf)' means that the last character was dropped. - 'strcat' adds a terminating null byte to the string, thus if len == buflen, the null byte is written past the end of the buffer. Signed-off-by: Fedor Tokarev <ftokarev@gmail.com> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
d6d7b18f40 |
This is the 4.14.185 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl7tx/EACgkQONu9yGCS aT4/ABAApnoLXN+Drzomi5DYYQoVyf+4sTgIHSks4Q7S0TggPYLH/UcYAkqxgmjd Lj3VKcCSZqoR6gCeTLK34DSxlKezvxKI/u5LVjdRVdyWc4W2y3InqYBGikPeuGfW Ud4E2pGe/NgoZ0jf6dxkIxQx3DqtrsY0742MTCG3BNEYo4B4HMcN0LEUEFtwSjqj e1LpE8sCX2MhfvAzCvajBhNlIv4Sdgr47+52yhxjS8h04D6rq92jGsdjUjw5Oqtt wPIf2v1zxFq3QkPf3pYW5e/FsfzzDk3pIs1bQ4TnoJkAGfI52eBTjekdRSU0TOiG U7RBXsVFCEcB/ec5WkiNzUhK4+SpEuO3SDa6u7OVlQ2wGTT/c1k1prJL0AdXwUJn NYqOe1WZpXORajLYbVNAQwvbTN3Chho5FI9w+WoU/WvmzxelqXAUCSTsqEhNV8oS ZBWu6anawL8C9d0aYsq1DeV2CMEPmQPWp9HeiNtZgl0ZKkZlqBcxW2dccq9h8PH4 xqRImk+owbKsT0NV3dV150Q41nc2rTQd2jyGeoA+iek17/XDxWT9ICArA+YfBhx1 uf+dNPyl8g8ATvTZaS7su/Q7T2rsgBc64DO5R+jtTp4QRgl/N2b4QyewfjusrRXA x3Ckq0oA9ZOcfLs9IAoTD5L1mmwSaYUa6fhiZHhop2daUPUbAgE= =BJUs -----END PGP SIGNATURE----- Merge 4.14.185 into android-4.14-stable Changes in 4.14.185 ipv6: fix IPV6_ADDRFORM operation logic vxlan: Avoid infinite loop when suppressing NS messages with invalid options make 'user_access_begin()' do 'access_ok()' Fix 'acccess_ok()' on alpha and SH arch/openrisc: Fix issues with access_ok() x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user() serial: imx: Fix handling of TC irq in combination with DMA crypto: talitos - fix ECB and CBC algs ivsize ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook sched/fair: Don't NUMA balance for kthreads Input: synaptics - add a second working PNP_ID for Lenovo T470s drivers/net/ibmvnic: Update VNIC protocol version reporting powerpc/xive: Clear the page tables for the ESB IO mapping ath9k_htc: Silence undersized packet warnings perf probe: Accept the instance number of kretprobe event mm: add kvfree_sensitive() for freeing sensitive data objects x86_64: Fix jiffies ODR violation x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs x86/speculation: Prevent rogue cross-process SSBD shutdown x86/reboot/quirks: Add MacBook6,1 reboot quirk efi/efivars: Add missing kobject_put() in sysfs entry creation error path ALSA: es1688: Add the missed snd_card_free() ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines ALSA: usb-audio: Fix inconsistent card PM state after resume ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile() ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe() ACPI: GED: add support for _Exx / _Lxx handler methods ACPI: PM: Avoid using power resources if there are none for D0 cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages nilfs2: fix null pointer dereference at nilfs_segctor_do_construct() spi: bcm2835aux: Fix controller unregister order spi: bcm-qspi: when tx/rx buffer is NULL set to 0 crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated ALSA: pcm: disallow linking stream to itself kvm: x86: Fix L1TF mitigation for shadow MMU KVM: x86/mmu: Consolidate "is MMIO SPTE" code KVM: x86: only do L1TF workaround on affected processors x86/speculation: Change misspelled STIPB to STIBP x86/speculation: Add support for STIBP always-on preferred mode x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS. x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches. spi: dw: fix possible race condition spi: dw: Fix controller unregister order spi: No need to assign dummy value in spi_unregister_controller() spi: Fix controller unregister order spi: pxa2xx: Fix controller unregister order spi: bcm2835: Fix controller unregister order crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req() crypto: virtio: Fix src/dst scatterlist calculation in __virtio_crypto_skcipher_do_req() crypto: virtio: Fix dest length calculation in __virtio_crypto_skcipher_do_req() selftests/net: in rxtimestamp getopt_long needs terminating null entry ovl: initialize error in ovl_copy_xattr proc: Use new_inode not new_inode_pseudo video: fbdev: w100fb: Fix a potential double free. KVM: nSVM: fix condition for filtering async PF KVM: nSVM: leave ASID aside in copy_vmcb_control_area KVM: nVMX: Consult only the "basic" exit reason when routing nested exit KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data) KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx ath9k: Fix use-after-free Write in ath9k_htc_rx_msg ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb Smack: slab-out-of-bounds in vsscanf mm/slub: fix a memory leak in sysfs_slab_add() fat: don't allow to mount if the FAT length == 0 perf: Add cond_resched() to task_function_call() agp/intel: Reinforce the barrier after GTT updates mmc: sdhci-msm: Clear tuning done flag while hs400 tuning mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card() can: kvaser_usb: kvaser_usb_leaf: Fix some info-leaks to USB devices xen/pvcalls-back: test for errors when calling backend_connect() ACPI: GED: use correct trigger type field in _Exx / _Lxx handling drm: bridge: adv7511: Extend list of audio sample rates crypto: ccp -- don't "select" CONFIG_DMADEVICES media: si2157: Better check for running tuner in init objtool: Ignore empty alternatives spi: pxa2xx: Apply CS clk quirk to BXT net: ena: fix error returning in ena_com_get_hash_function() spi: dw: Zero DMA Tx and Rx configurations on stack ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K MIPS: Loongson: Build ATI Radeon GPU driver as module Bluetooth: Add SCO fallback for invalid LMP parameters error kgdb: Prevent infinite recursive entries to the debugger spi: dw: Enable interrupts in accordance with DMA xfer mode clocksource: dw_apb_timer: Make CPU-affiliation being optional clocksource: dw_apb_timer_of: Fix missing clockevent timers btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE spi: dw: Fix Rx-only DMA transfers x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss() staging: android: ion: use vmap instead of vm_map_ram brcmfmac: fix wrong location to get firmware feature tools api fs: Make xxx__mountpoint() more scalable e1000: Distribute switch variables for initialization dt-bindings: display: mediatek: control dpi pins mode to avoid leakage audit: fix a net reference leak in audit_send_reply() media: dvb: return -EREMOTEIO on i2c transfer failure. media: platform: fcp: Set appropriate DMA parameters MIPS: Make sparse_init() using top-down allocation audit: fix a net reference leak in audit_list_rules_send() netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported net: bcmgenet: set Rx mode before starting netif lib/mpi: Fix 64-bit MIPS build with Clang exit: Move preemption fixup up, move blocking operations down net: lpc-enet: fix error return code in lpc_mii_init() media: cec: silence shift wrapping warning in __cec_s_log_addrs() net: allwinner: Fix use correct return type for ndo_start_xmit() powerpc/spufs: fix copy_to_user while atomic Crypto/chcr: fix for ccm(aes) failed test MIPS: Truncate link address into 32bit for 32bit kernel mips: cm: Fix an invalid error code of INTVN_*_ERR kgdb: Fix spurious true from in_dbg_master() nvme: refine the Qemu Identify CNS quirk wcn36xx: Fix error handling path in 'wcn36xx_probe()' net: qed*: Reduce RX and TX default ring count when running inside kdump kernel md: don't flush workqueue unconditionally in md_open rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup() mwifiex: Fix memory corruption in dump_station x86/boot: Correct relocation destination on old linkers mips: MAAR: Use more precise address mask mips: Add udelay lpj numbers adjustment x86/mm: Stop printing BRK addresses m68k: mac: Don't call via_flush_cache() on Mac IIfx macvlan: Skip loopback packets in RX handler PCI: Don't disable decoding when mmio_always_on is set MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe() mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core ixgbe: fix signed-integer-overflow warning mmc: sdhci-esdhc-imx: fix the mask for tuning start point spi: dw: Return any value retrieved from the dma_transfer callback cpuidle: Fix three reference count leaks platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32() string.h: fix incompatibility between FORTIFY_SOURCE and KASAN btrfs: send: emit file capabilities after chown mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked() ima: Fix ima digest hash table key calculation ima: Directly assign the ima_default_policy pointer to ima_rules evm: Fix possible memory leak in evm_calc_hmac_or_hash() ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max ext4: fix error pointer dereference ext4: fix race between ext4_sync_parent() and rename() PCI: Disable MSI for Freescale Layerscape PCIe RC mode PCI: Avoid FLR for AMD Matisse HD Audio & USB 3.0 PCI: Avoid FLR for AMD Starship USB 3.0 PCI: Add ACS quirk for iProc PAXB PCI: Add ACS quirk for Ampere root ports PCI: Make ACS quirk implementations more uniform vga_switcheroo: Deduplicate power state tracking vga_switcheroo: Use device link for HDA controller PCI: Generalize multi-function power dependency device links PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints PCI: Unify ACS quirk desired vs provided checking btrfs: fix error handling when submitting direct I/O bio btrfs: fix wrong file range cleanup after an error filling dealloc range blk-mq: move _blk_mq_update_nr_hw_queues synchronize_rcu call PCI: Program MPS for RCiEP devices e1000e: Disable TSO for buffer overrun workaround e1000e: Relax condition to trigger reset for ME workaround carl9170: remove P2P_GO support media: go7007: fix a miss of snd_card_free b43legacy: Fix case where channel status is corrupted b43: Fix connection problem with WPA3 b43_legacy: Fix connection problem with WPA3 media: ov5640: fix use of destroyed mutex igb: Report speed and duplex as unknown when device is runtime suspended power: vexpress: add suppress_bind_attrs to true pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs sparc32: fix register window handling in genregs32_[gs]et() sparc64: fix misuses of access_process_vm() in genregs32_[sg]et() dm crypt: avoid truncating the logical block size kernel/cpu_pm: Fix uninitted local in cpu_pm ARM: tegra: Correct PL310 Auxiliary Control Register initialization drivers/macintosh: Fix memleak in windfarm_pm112 driver powerpc/64s: Don't let DT CPU features set FSCR_DSCR powerpc/64s: Save FSCR to init_task.thread.fscr after feature init kbuild: force to build vmlinux if CONFIG_MODVERSION=y sunrpc: svcauth_gss_register_pseudoflavor must reject duplicate registrations. sunrpc: clean up properly in gss_mech_unregister() mtd: rawnand: brcmnand: fix hamming oob layout mtd: rawnand: pasemi: Fix the probe error path w1: omap-hdq: cleanup to add missing newline for some dev_dbg perf probe: Do not show the skipped events perf probe: Fix to check blacklist address correctly perf symbols: Fix debuginfo search for Ubuntu Linux 4.14.185 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ifd3a6f3d9643a42802ed8f061a548a5c5ffcb109 |
||
NeilBrown
|
881d3385a9 |
sunrpc: clean up properly in gss_mech_unregister()
commit 24c5efe41c29ee3e55bcf5a1c9f61ca8709622e8 upstream. gss_mech_register() calls svcauth_gss_register_pseudoflavor() for each flavour, but gss_mech_unregister() does not call auth_domain_put(). This is unbalanced and makes it impossible to reload the module. Change svcauth_gss_register_pseudoflavor() to return the registered auth_domain, and save it for later release. Cc: stable@vger.kernel.org (v2.6.12+) Link: https://bugzilla.kernel.org/show_bug.cgi?id=206651 Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
NeilBrown
|
f8ff4d81ab |
sunrpc: svcauth_gss_register_pseudoflavor must reject duplicate registrations.
commit d47a5dc2888fd1b94adf1553068b8dad76cec96c upstream. There is no valid case for supporting duplicate pseudoflavor registrations. Currently the silent acceptance of such registrations is hiding a bug. The rpcsec_gss_krb5 module registers 2 flavours but does not unregister them, so if you load, unload, reload the module, it will happily continue to use the old registration which now has pointers to the memory were the module was originally loaded. This could lead to unexpected results. So disallow duplicate registrations. Link: https://bugzilla.kernel.org/show_bug.cgi?id=206651 Cc: stable@vger.kernel.org (v2.6.12+) Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: J. Bruce Fields <bfields@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Pablo Neira Ayuso
|
faf6305380 |
netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported
[ Upstream commit 0d7c83463fdf7841350f37960a7abadd3e650b41 ]
Instead of EINVAL which should be used for malformed netlink messages.
Fixes: eb31628e37a0 ("netfilter: nf_tables: Add support for IPv6 NAT")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Hsin-Yu Chao
|
f2c3cec179 |
Bluetooth: Add SCO fallback for invalid LMP parameters error
[ Upstream commit 56b5453a86203a44726f523b4133c1feca49ce7c ]
Bluetooth PTS test case HFP/AG/ACC/BI-12-I accepts SCO connection
with invalid parameter at the first SCO request expecting AG to
attempt another SCO request with the use of "safe settings" for
given codec, base on section 5.7.1.2 of HFP 1.7 specification.
This patch addresses it by adding "Invalid LMP Parameters" (0x1e)
to the SCO fallback case. Verified with below log:
< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
Handle: 256
Transmit bandwidth: 8000
Receive bandwidth: 8000
Max latency: 13
Setting: 0x0003
Input Coding: Linear
Input Data Format: 1's complement
Input Sample Size: 8-bit
# of bits padding at MSB: 0
Air Coding Format: Transparent Data
Retransmission effort: Optimize for link quality (0x02)
Packet type: 0x0380
3-EV3 may not be used
2-EV5 may not be used
3-EV5 may not be used
> HCI Event: Command Status (0x0f) plen 4
Setup Synchronous Connection (0x01|0x0028) ncmd 1
Status: Success (0x00)
> HCI Event: Number of Completed Packets (0x13) plen 5
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Max Slots Change (0x1b) plen 3
Handle: 256
Max slots: 1
> HCI Event: Synchronous Connect Complete (0x2c) plen 17
Status: Invalid LMP Parameters / Invalid LL Parameters (0x1e)
Handle: 0
Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
Link type: eSCO (0x02)
Transmission interval: 0x00
Retransmission window: 0x02
RX packet length: 0
TX packet length: 0
Air mode: Transparent (0x03)
< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
Handle: 256
Transmit bandwidth: 8000
Receive bandwidth: 8000
Max latency: 8
Setting: 0x0003
Input Coding: Linear
Input Data Format: 1's complement
Input Sample Size: 8-bit
# of bits padding at MSB: 0
Air Coding Format: Transparent Data
Retransmission effort: Optimize for link quality (0x02)
Packet type: 0x03c8
EV3 may be used
2-EV3 may not be used
3-EV3 may not be used
2-EV5 may not be used
3-EV5 may not be used
> HCI Event: Command Status (0x0f) plen 4
Setup Synchronous Connection (0x01|0x0028) ncmd 1
Status: Success (0x00)
> HCI Event: Max Slots Change (0x1b) plen 3
Handle: 256
Max slots: 5
> HCI Event: Max Slots Change (0x1b) plen 3
Handle: 256
Max slots: 1
> HCI Event: Synchronous Connect Complete (0x2c) plen 17
Status: Success (0x00)
Handle: 257
Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
Link type: eSCO (0x02)
Transmission interval: 0x06
Retransmission window: 0x04
RX packet length: 30
TX packet length: 30
Air mode: Transparent (0x03)
Signed-off-by: Hsin-Yu Chao <hychao@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Hangbin Liu
|
c6e6a13d72 |
ipv6: fix IPV6_ADDRFORM operation logic
[ Upstream commit 79a1f0ccdbb4ad700590f61b00525b390cb53905 ]
Socket option IPV6_ADDRFORM supports UDP/UDPLITE and TCP at present.
Previously the checking logic looks like:
if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
do_some_check;
else if (sk->sk_protocol != IPPROTO_TCP)
break;
After commit b6f6118901d1 ("ipv6: restrict IPV6_ADDRFORM operation"), TCP
was blocked as the logic changed to:
if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
do_some_check;
else if (sk->sk_protocol == IPPROTO_TCP)
do_some_check;
break;
else
break;
Then after commit 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation")
UDP/UDPLITE were blocked as the logic changed to:
if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
do_some_check;
if (sk->sk_protocol == IPPROTO_TCP)
do_some_check;
if (sk->sk_protocol != IPPROTO_TCP)
break;
Fix it by using Eric's code and simply remove the break in TCP check, which
looks like:
if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
do_some_check;
else if (sk->sk_protocol == IPPROTO_TCP)
do_some_check;
else
break;
Fixes: 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
qctecmdr
|
ccbfefcb80 | Merge "net-ipv6-ndisc: add support for 'PREF64' dns64 prefix identifier" | ||
Maciej Żenczykowski
|
91f301e070 |
net-ipv6-ndisc: add support for 'PREF64' dns64 prefix identifier
This is trivial since we already have support for the entirely identical (from the kernel's point of view) RDNSS, DNSSL, etc. that also contain opaque data that needs to be passed down to userspace for further processing. As specified in draft-ietf-6man-ra-pref64-09 (while it is still a draft, it is purely waiting on the RFC Editor for cleanups and publishing): PREF64 option contains lifetime and a (up to) 96-bit IPv6 prefix. The 8-bit identifier of the option type as assigned by the IANA is 38. Since we lack DNS64/NAT64/CLAT support in kernel at the moment, thus this option should also be passed on to userland. See: https://tools.ietf.org/html/draft-ietf-6man-ra-pref64-09 https://www.iana.org/assignments/icmpv6-parameters/icmpv6-parameters.xhtml#icmpv6-parameters-5 CRs-fixed: 2708232 Change-Id: I5b43d07ad34b764fff259e4f0cad30c4396c6eb8 Cc: Erik Kline <ek@google.com> Cc: Jen Linkova <furry@google.com> Cc: Lorenzo Colitti <lorenzo@google.com> Cc: Michael Haro <mharo@google.com> Signed-off-by: Maciej Żenczykowski <maze@google.com> Acked-By: Lorenzo Colitti <lorenzo@google.com> Git-commit: I02bff2103194a8171f907e82f811d7ab66962138 Git-repo: https://android.googlesource.com/kernel/common/ Signed-off-by: Chinmay Agarwal <chinagar@codeaurora.org> |
||
|
Maciej Żenczykowski
|
02d283a541 |
ANDROID: net: bpf: permit redirect from ingress L3 to egress L2 devices at near max mtu
__bpf_skb_max_len(skb) is used from: bpf_skb_adjust_room __bpf_skb_change_tail __bpf_skb_change_head but in the case of forwarding we're likely calling these functions during receive processing on ingress and bpf_redirect()'ing at a later point in time to egress on another interface, thus these mtu checks are for the wrong device (input instead of output). This is particularly problematic if we're receiving on an L3 1500 mtu cellular interface, trying to add an L2 header and forwarding to an L3 mtu 1500 mtu wifi/ethernet device (which is thus L2 1514). The mtu check prevents us from adding the 14 byte ethernet header prior to forwarding the packet. After the packet has already been redirected, we'd need to add an additional 2nd ebpf program on the target device's egress tc hook, but then we'd also see non-redirected traffic and have no easy way to tell apart normal egress with ethernet header packets from forwarded ethernet headerless packets. Link: https://patchwork.ozlabs.org/project/netdev/patch/20200507023606.111650-1-zenczykowski@gmail.com/ But note that a more thorough solution will be pursued. CRs-Fixed: 2662725 Bug: 149816401 Change-Id: If55a144d7822e23bce85f65897bca7de4e0f9b24 Cc: Alexei Starovoitov <ast@kernel.org> Cc: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Maciej Żenczykowski <maze@google.com> Git-commit: 69eb478ff932476b208d2e7e97137ced5665fa04 Git-repo: https://android.googlesource.com/kernel/common/ Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> |
||
|
Greg Kroah-Hartman
|
8d6de4a1be |
This is the 4.14.184 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl7h29YACgkQONu9yGCS aT4BDw/+Mnj09eH74wHYhRAtkGOSLVl6Hye1muIUzjy7EiFfT79/fiYtu3CCW0GZ PYzGcRO3CzbRculdLGi5tT6b43M6HnCeTCyYGG7oSysRqOzQ+XSwaEK8v5ZREJJF OBZE1E2I2C0udg/PbwYXFbsgM4thkmj6SI1yUnMB1XBO/tstI7vfKnbXOCmYb+WQ o8X86B6Z1mDNs5JOOwW/Fw2YMv5iuRzpeJD757supcoHlfHbX/K4vTmAreHUZrma pwtqppdwIcVc3CsBaZLWUxq87okSBnJ4adWbJBPtrnMPsso3e7fcjOS8/u8KaKgu cgQQU2x11TmGO/PtC7+YpyixOZAgaXq/IQ4vsPB30ONsq3aaZD5UyMgplgcRPtVZ n/0eVVq2qJTg3BDeB1oGXRUp+AuVeJYvIOtCNqQyXeKCB0FS0QJo0Zre5WjhctBf GLv6TVaM+heT5uoz9SI3EulsbhD6uA6ZbKLgAVa2U5Y3+mO5JGEORDMOI3nNErHa FKsvrKfuG9B0UJfblTds7FQ7SLWxdeLBE9IFVsQgdP1Aaj8vlDCyIHOmgcPaXm+9 7U3iCL/ZAzeEsZVJ0VzLAKi5+2/cnLcj/2IdkbtR5Yu75sFzzp3npqJbnl7zje8/ hu3zcBBtcFkJgemUqd/rYbK9Audt9FDElr6MobC9NVs9OHc+1e4= =wdH7 -----END PGP SIGNATURE----- Merge 4.14.184 into android-4.14-stable Changes in 4.14.184 scsi: scsi_devinfo: fixup string compare libnvdimm: Fix endian conversion issues scsi: hisi_sas: Check sas_port before using it spi: dw: use "smp_mb()" to avoid sending spi data error s390/ftrace: save traced function caller pppoe: only process PADT targeted at local interfaces ARC: Fix ICCM & DCCM runtime size checks ARC: [plat-eznps]: Restrict to CONFIG_ISA_ARCOMPACT i2c: altera: Fix race between xfer_msg and isr thread x86/mmiotrace: Use cpumask_available() for cpumask_var_t variables net: bmac: Fix read of MAC address from ROM net/ethernet/freescale: rework quiesce/activate for ucc_geth net: ethernet: stmmac: Enable interface clocks on probe for IPQ806x net: smsc911x: Fix runtime PM imbalance on error mm: Fix mremap not considering huge pmd devmap HID: sony: Fix for broken buttons on DS3 USB dongles HID: i2c-hid: add Schneider SCL142ALM to descriptor override p54usb: add AirVasT USB stick device-id kernel/relay.c: handle alloc_percpu returning NULL in relay_open mmc: fix compilation of user API scsi: ufs: Release clock if DMA map fails airo: Fix read overflows sending packets devinet: fix memleak in inetdev_init() l2tp: do not use inet_hash()/inet_unhash() net: usb: qmi_wwan: add Telit LE910C1-EUX composition NFC: st21nfca: add missed kfree_skb() in an error path vsock: fix timeout in vsock_accept() net: check untrusted gso_size at kernel entry l2tp: add sk_family checks to l2tp_validate_socket USB: serial: qcserial: add DW5816e QDL support USB: serial: usb_wwan: do not resubmit rx urb on fatal errors USB: serial: option: add Telit LE910C1-EUX compositions usb: musb: start session in resume for host port usb: musb: Fix runtime PM imbalance on error vt: keyboard: avoid signed integer overflow in k_ascii tty: hvc_console, fix crashes on parallel open/close staging: rtl8712: Fix IEEE80211_ADDBA_PARAM_BUF_SIZE_MASK CDC-ACM: heed quirk also in error handling nvmem: qfprom: remove incorrect write support x86/cpu: Add a steppings field to struct x86_cpu_id x86/cpu: Add 'table' argument to cpu_matches() x86/speculation: Add Special Register Buffer Data Sampling (SRBDS) mitigation x86/speculation: Add SRBDS vulnerability and mitigation documentation x86/speculation: Add Ivy Bridge to affected list iio: vcnl4000: Fix i2c swapped word reading. uprobes: ensure that uprobe->offset and ->ref_ctr_offset are properly aligned Linux 4.14.184 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3d4d0f186e858b744255fcbd1d3eb9ee89603774 |
||
|
Eric Dumazet
|
c28c1bdab6 |
l2tp: add sk_family checks to l2tp_validate_socket
[ Upstream commit d9a81a225277686eb629938986d97629ea102633 ] syzbot was able to trigger a crash after using an ISDN socket and fool l2tp. Fix this by making sure the UDP socket is of the proper family. BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78 Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018 CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x188/0x20d lib/dump_stack.c:118 print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382 __kasan_report.cold+0x20/0x38 mm/kasan/report.c:511 kasan_report+0x33/0x50 mm/kasan/common.c:625 setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78 l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523 l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249 genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline] genl_family_rcv_msg net/netlink/genetlink.c:718 [inline] genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735 netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469 genl_rcv+0x24/0x40 net/netlink/genetlink.c:746 netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline] netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329 netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6e6/0x810 net/socket.c:2352 ___sys_sendmsg+0x100/0x170 net/socket.c:2406 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2439 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 RIP: 0033:0x45ca29 Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29 RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005 RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4 Allocated by task 3018: save_stack+0x1b/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] __kasan_kmalloc mm/kasan/common.c:495 [inline] __kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468 __do_kmalloc mm/slab.c:3656 [inline] __kmalloc+0x161/0x7a0 mm/slab.c:3665 kmalloc include/linux/slab.h:560 [inline] sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612 sk_alloc+0x36/0x1100 net/core/sock.c:1666 data_sock_create drivers/isdn/mISDN/socket.c:600 [inline] mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796 __sock_create+0x3cb/0x730 net/socket.c:1428 sock_create net/socket.c:1479 [inline] __sys_socket+0xef/0x200 net/socket.c:1521 __do_sys_socket net/socket.c:1530 [inline] __se_sys_socket net/socket.c:1528 [inline] __x64_sys_socket+0x6f/0xb0 net/socket.c:1528 do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295 entry_SYSCALL_64_after_hwframe+0x49/0xb3 Freed by task 2484: save_stack+0x1b/0x40 mm/kasan/common.c:49 set_track mm/kasan/common.c:57 [inline] kasan_set_free_info mm/kasan/common.c:317 [inline] __kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456 __cache_free mm/slab.c:3426 [inline] kfree+0x109/0x2b0 mm/slab.c:3757 kvfree+0x42/0x50 mm/util.c:603 __free_fdtable+0x2d/0x70 fs/file.c:31 put_files_struct fs/file.c:420 [inline] put_files_struct+0x248/0x2e0 fs/file.c:413 exit_files+0x7e/0xa0 fs/file.c:445 do_exit+0xb04/0x2dd0 kernel/exit.c:791 do_group_exit+0x125/0x340 kernel/exit.c:894 get_signal+0x47b/0x24e0 kernel/signal.c:2739 do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784 exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161 prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline] syscall_return_slowpath arch/x86/entry/common.c:279 [inline] do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305 entry_SYSCALL_64_after_hwframe+0x49/0xb3 The buggy address belongs to the object at ffff88808ed0c000 which belongs to the cache kmalloc-2k of size 2048 The buggy address is located 1424 bytes inside of 2048-byte region [ffff88808ed0c000, ffff88808ed0c800) The buggy address belongs to the page: page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0xfffe0000000200(slab) raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00 raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ^ ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Fixes: 6b9f34239b00 ("l2tp: fix races in tunnel creation") Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: James Chapman <jchapman@katalix.com> Cc: Guillaume Nault <gnault@redhat.com> Reported-by: syzbot <syzkaller@googlegroups.com> Acked-by: Guillaume Nault <gnault@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Stefano Garzarella
|
eba49f06f2 |
vsock: fix timeout in vsock_accept()
[ Upstream commit 7e0afbdfd13d1e708fe96e31c46c4897101a6a43 ]
The accept(2) is an "input" socket interface, so we should use
SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
So this patch replace sock_sndtimeo() with sock_rcvtimeo() to
use the right timeout in the vsock_accept().
Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Eric Dumazet
|
864bd400f0 |
l2tp: do not use inet_hash()/inet_unhash()
[ Upstream commit 02c71b144c811bcdd865e0a1226d0407d11357e8 ]
syzbot recently found a way to crash the kernel [1]
Issue here is that inet_hash() & inet_unhash() are currently
only meant to be used by TCP & DCCP, since only these protocols
provide the needed hashinfo pointer.
L2TP uses a single list (instead of a hash table)
This old bug became an issue after commit 610236587600
("bpf: Add new cgroup attach type to enable sock modifications")
since after this commit, sk_common_release() can be called
while the L2TP socket is still considered 'hashed'.
general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f]
CPU: 0 PID: 7063 Comm: syz-executor654 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
sk_common_release+0xba/0x370 net/core/sock.c:3210
inet_create net/ipv4/af_inet.c:390 [inline]
inet_create+0x966/0xe00 net/ipv4/af_inet.c:248
__sock_create+0x3cb/0x730 net/socket.c:1428
sock_create net/socket.c:1479 [inline]
__sys_socket+0xef/0x200 net/socket.c:1521
__do_sys_socket net/socket.c:1530 [inline]
__se_sys_socket net/socket.c:1528 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1528
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x441e29
Code: e8 fc b3 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 eb 08 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007ffdce184148 EFLAGS: 00000246 ORIG_RAX: 0000000000000029
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441e29
RDX: 0000000000000073 RSI: 0000000000000002 RDI: 0000000000000002
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000402c30 R14: 0000000000000000 R15: 0000000000000000
Modules linked in:
---[ end trace 23b6578228ce553e ]---
RIP: 0010:inet_unhash+0x11f/0x770 net/ipv4/inet_hashtables.c:600
Code: 03 0f b6 04 02 84 c0 74 08 3c 03 0f 8e dd 04 00 00 48 8d 7d 08 44 8b 73 08 48 b8 00 00 00 00 00 fc ff df 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 55 05 00 00 48 8d 7d 14 4c 8b 6d 08 48 b8 00 00
RSP: 0018:ffffc90001777d30 EFLAGS: 00010202
RAX: dffffc0000000000 RBX: ffff88809a6df940 RCX: ffffffff8697c242
RDX: 0000000000000001 RSI: ffffffff8697c251 RDI: 0000000000000008
RBP: 0000000000000000 R08: ffff88809f3ae1c0 R09: fffffbfff1514cc1
R10: ffffffff8a8a6607 R11: fffffbfff1514cc0 R12: ffff88809a6df9b0
R13: 0000000000000007 R14: 0000000000000000 R15: ffffffff873a4d00
FS: 0000000001d2b880(0000) GS:ffff8880ae600000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000006cd090 CR3: 000000009403a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Chapman <jchapman@katalix.com>
Cc: Andrii Nakryiko <andriin@fb.com>
Reported-by: syzbot+3610d489778b57cc8031@syzkaller.appspotmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Yang Yingliang
|
3e246aad5b |
devinet: fix memleak in inetdev_init()
[ Upstream commit 1b49cd71b52403822731dc9f283185d1da355f97 ]
When devinet_sysctl_register() failed, the memory allocated
in neigh_parms_alloc() should be freed.
Fixes: 20e61da7ffcf ("ipv4: fail early when creating netdev named all or default")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Greg Kroah-Hartman
|
40fc2b4825 |
This is the 4.14.183 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl7XQKUACgkQONu9yGCS aT5OSxAAz28rgSZtf4zZtryA+dB1VHAXUpqmLgs9gZP8dPQ6qrwBHXIzawvmyfoj KY5DCsAbJSotCuy1XmCGTwzkqk9G3W1Rv4F1+7eDh37sOLUjNjeGn69dCiKKD1HH 6YaBIDsZOYrm207Y1fyTB23hHWGVNMHAVGwBV/lyvy7Lpz+o/JNc+DoqtWtsKCpB 0lhm5qlQttTMKzIgfDSXznJOo5LuO3TWmC94M2JkQwvvoz5C+9njWGO0JB99dIkt svBCX+0xz2stlInxGR8ZQZNRUgM6UMBUyjkljSxpYpEUPnIDRPtE8jY9+gx4aYCk er76ZTBBnWPWH+hlY4biPpg1fWRtj6SLvD3hNgDAuou9re1HVROSdCapcoGVEAvd dYX9RrXsVTRK9QdIQn9zBVuK9YOHNps9+JSL359QzCZ8Kc5t8LlUcxKbTi6P3OZA bnb7yu+/qxpdBeP/AoCkQUdcWUAXrPgR+odQEVm+w4AczYwp0AGbcVqZIM0wZ5zW euSE7W/O/Y6mK89C+D6qOzC/Pz9mTPg9IrLP2tFGAgWd2ZhWJim2YdydZRB/BTfg QEbKOXzjiAxckdqFdfH+JEQ1KIiriu7Y8kdhVzTd2gwqPAsl48/C4rMaOzfwBrk8 W29ZhbDK5cpmiftzay6AxOacMhxDdI9jA7Q5ndtG2qKwsHh5soU= =bPeb -----END PGP SIGNATURE----- Merge 4.14.183 into android-4.14-stable Changes in 4.14.183 ax25: fix setsockopt(SO_BINDTODEVICE) net: ipip: fix wrong address family in init error path net/mlx5: Add command entry handling completion net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()" net sched: fix reporting the first-time use timestamp r8152: support additional Microsoft Surface Ethernet Adapter variant sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed net/mlx5e: Update netdev txq on completions during closure net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() net: sun: fix missing release regions in cas_init_one(). net/mlx4_core: fix a memory leak bug. ARM: dts: rockchip: fix phy nodename for rk3228-evb arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi gpio: tegra: mask GPIO IRQs during IRQ shutdown net: microchip: encx24j600: add missed kthread_stop gfs2: move privileged user check to gfs2_quota_lock_check cachefiles: Fix race between read_waiter and read_copier involving op->to_do usb: gadget: legacy: fix redundant initialization warnings net: freescale: select CONFIG_FIXED_PHY where needed cifs: Fix null pointer check in cifs_read samples: bpf: Fix build error Input: usbtouchscreen - add support for BonXeon TP Input: evdev - call input_flush_device() on release(), not flush() Input: xpad - add custom init packet for Xbox One S controllers Input: dlink-dir685-touchkeys - fix a typo in driver name Input: i8042 - add ThinkPad S230u to i8042 reset list Input: synaptics-rmi4 - really fix attn_data use-after-free Input: synaptics-rmi4 - fix error return code in rmi_driver_probe() ARM: 8843/1: use unified assembler in headers ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h ARM: uaccess: integrate uaccess_save and uaccess_restore ARM: uaccess: fix DACR mismatch with nested exceptions gpio: exar: Fix bad handling for ida_simple_get error path IB/qib: Call kobject_put() when kobject_init_and_add() fails ARM: dts: imx6q-bx50v3: Add internal switch ARM: dts/imx6q-bx50v3: Set display interface clock parents ARM: dts: bcm2835-rpi-zero-w: Fix led polarity mmc: block: Fix use-after-free issue for rpmb RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe() ALSA: hwdep: fix a left shifting 1 by 31 UB bug ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC exec: Always set cap_ambient in cap_bprm_set_creds ALSA: hda/realtek - Add new codec supported for ALC287 libceph: ignore pool overlay and cache logic on redirects mm: remove VM_BUG_ON(PageSlab()) from page_mapcount() fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info() include/asm-generic/topology.h: guard cpumask_of_node() macro argument iommu: Fix reference count leak in iommu_group_alloc. parisc: Fix kernel panic in mem_init() mac80211: mesh: fix discovery timer re-arming issue / crash x86/dma: Fix max PFN arithmetic overflow on 32 bit systems copy_xstate_to_kernel(): don't leave parts of destination uninitialized xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output xfrm: fix a warning in xfrm_policy_insert_list xfrm: fix a NULL-ptr deref in xfrm_local_error xfrm: fix error in comment vti4: eliminated some duplicate code. ip_vti: receive ipip packet by calling ip_tunnel_rcv netfilter: nft_reject_bridge: enable reject with bridge vlan netfilter: ipset: Fix subcounter update skip netfilter: nfnetlink_cthelper: unbreak userspace helper support netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code esp6: get the right proto for transport mode in esp6_gso_encap qlcnic: fix missing release in qlcnic_83xx_interrupt_test. bonding: Fix reference count leak in bond_sysfs_slave_add. netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build mm/vmalloc.c: don't dereference possible NULL pointer in __vunmap() sc16is7xx: move label 'err_spi' to correct section rxrpc: Fix transport sockopts to get IPv4 errors on an IPv6 socket KVM: VMX: check for existence of secondary exec controls before accessing net: hns: fix unsigned comparison to less than zero net: hns: Fixes the missing put_device in positive leg for roce reset genirq/generic_pending: Do not lose pending affinity update scsi: zfcp: fix request object use-after-free in send path causing wrong traces Linux 4.14.183 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ib69018849fcc55dacce4a6aaaad70921bdee4cd0 |