android_kernel_zuk_msm8996.git/ipc, branch master null vfs: Pass data, ns, and ns->userns to mount_ns 2022-04-18T21:51:34+00:00 Eric W. Biederman ebiederm@xmission.com 2016-05-23T19:51:59+00:00 a3b31e9a916a4eae587dacf814da6e67a130569c Today what is normally called data (the mount options) is not passed to fill_super through mount_ns. Pass the mount options and the namespace separately to mount_ns so that filesystems such as proc that have mount options, can use mount_ns. Pass the user namespace to mount_ns so that the standard permission check that verifies the mounter has permissions over the namespace can be performed in mount_ns instead of in each filesystems .mount method. Thus removing the duplication between mqueuefs and proc in terms of permission checks. The extra permission check does not currently affect the rpc_pipefs filesystem and the nfsd filesystem as those filesystems do not currently allow unprivileged mounts. Without unpvileged mounts it is guaranteed that the caller has already passed capable(CAP_SYS_ADMIN) which guarantees extra permission check will pass. Update rpc_pipefs and the nfsd filesystem to ensure that the network namespace reference is always taken in fill_super and always put in kill_sb so that the logic is simpler and so that errors originating inside of fill_super do not cause a network namespace leak. Acked-by: Seth Forshee <seth.forshee@canonical.com> Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Chatur27 <jasonbright2709@gmail.com> 
Today what is normally called data (the mount options) is not passed
to fill_super through mount_ns.

Pass the mount options and the namespace separately to mount_ns so
that filesystems such as proc that have mount options, can use
mount_ns.

Pass the user namespace to mount_ns so that the standard permission
check that verifies the mounter has permissions over the namespace can
be performed in mount_ns instead of in each filesystems .mount method.
Thus removing the duplication between mqueuefs and proc in terms of
permission checks.  The extra permission check does not currently
affect the rpc_pipefs filesystem and the nfsd filesystem as those
filesystems do not currently allow unprivileged mounts.  Without
unpvileged mounts it is guaranteed that the caller has already passed
capable(CAP_SYS_ADMIN) which guarantees extra permission check will
pass.

Update rpc_pipefs and the nfsd filesystem to ensure that the network
namespace reference is always taken in fill_super and always put in kill_sb
so that the logic is simpler and so that errors originating inside of
fill_super do not cause a network namespace leak.

Acked-by: Seth Forshee <seth.forshee@canonical.com>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: Chatur27 <jasonbright2709@gmail.com>
kernel: add a helper to get an owning user namespace for a namespace 2022-04-18T21:51:06+00:00 Andrey Vagin avagin@openvz.org 2016-09-06T07:47:13+00:00 6c69e3aa5f24178424da5e13dd704b15bb5d820d Return -EPERM if an owning user namespace is outside of a process current user namespace. v2: In a first version ns_get_owner returned ENOENT for init_user_ns. This special cases was removed from this version. There is nothing outside of init_user_ns, so we can return EPERM. v3: rename ns->get_owner() to ns->owner(). get_* usually means that it grabs a reference. Acked-by: Serge Hallyn <serge@hallyn.com> Signed-off-by: Andrei Vagin <avagin@openvz.org> Signed-off-by: Eric W. Biederman <ebiederm@xmission.com> Signed-off-by: Chatur27 <jasonbright2709@gmail.com> 
Return -EPERM if an owning user namespace is outside of a process
current user namespace.

v2: In a first version ns_get_owner returned ENOENT for init_user_ns.
    This special cases was removed from this version. There is nothing
    outside of init_user_ns, so we can return EPERM.
v3: rename ns->get_owner() to ns->owner(). get_* usually means that it
grabs a reference.

Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: Andrei Vagin <avagin@openvz.org>
Signed-off-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Chatur27 <jasonbright2709@gmail.com>
Merge remote-tracking branch 'common/android-4.4-p' into lineage-18.1-caf-msm8998 2021-12-26T23:25:42+00:00 Michael Bestas mkbestas@lineageos.org 2021-12-26T23:25:42+00:00 0fc7d9efc394eb0b290618429ac8595294d7579c * common/android-4.4-p: Linux 4.4.296 xen/netback: don't queue unlimited number of packages xen/console: harden hvc_xen against event channel storms xen/netfront: harden netfront against event channel storms xen/blkfront: harden blkfront against event channel storms Input: touchscreen - avoid bitwise vs logical OR warning ARM: 8805/2: remove unneeded naked function usage net: lan78xx: Avoid unnecessary self assignment net: systemport: Add global locking for descriptor lifecycle timekeeping: Really make sure wall_to_monotonic isn't positive USB: serial: option: add Telit FN990 compositions PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error USB: gadget: bRequestType is a bitfield, not a enum igbvf: fix double free in `igbvf_probe` soc/tegra: fuse: Fix bitwise vs. logical OR warning nfsd: fix use-after-free due to delegation race dm btree remove: fix use after free in rebalance_children() recordmcount.pl: look for jgnop instruction as well as bcrl on s390 mac80211: send ADDBA requests using the tid/queue of the aggregation session hwmon: (dell-smm) Fix warning on /proc/i8k creation error net: netlink: af_netlink: Prevent empty skb by adding a check on len. i2c: rk3x: Handle a spurious start completion interrupt flag parisc/agp: Annotate parisc agp init functions with __init nfc: fix segfault in nfc_genl_dump_devices_done FROMGIT: USB: gadget: bRequestType is a bitfield, not a enum Linux 4.4.295 irqchip: nvic: Fix offset for Interrupt Priority Offsets irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove iio: itg3200: Call iio_trigger_notify_done() on error iio: ltr501: Don't return error code in trigger handler iio: mma8452: Fix trigger reference couting iio: stk3310: Don't return error code in interrupt handler usb: core: config: fix validation of wMaxPacketValue entries USB: gadget: zero allocate endpoint 0 buffers USB: gadget: detect too-big endpoint 0 requests net/qla3xxx: fix an error code in ql_adapter_up() net, neigh: clear whole pneigh_entry at alloc time net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() net: altera: set a couple error code in probe() net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) tracefs: Set all files to the same group ownership as the mount option signalfd: use wake_up_pollfree() binder: use wake_up_pollfree() wait: add wake_up_pollfree() libata: add horkage for ASMedia 1092 can: pch_can: pch_can_rx_normal: fix use after free tracefs: Have new files inherit the ownership of their parent ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() ALSA: pcm: oss: Limit the period size to 16MB ALSA: pcm: oss: Fix negative period/buffer sizes ALSA: ctl: Fix copy of updated id with element read/write mm: bdi: initialize bdi_min_ratio when bdi is unregistered nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done can: sja1000: fix use after free in ems_pcmcia_add_card() HID: check for valid USB device for many HID drivers HID: wacom: fix problems when device is not a valid USB device HID: add USB_HID dependancy on some USB HID drivers HID: add USB_HID dependancy to hid-chicony HID: add USB_HID dependancy to hid-prodikeys HID: add hid_is_usb() function to make it simpler for USB detection HID: introduce hid_is_using_ll_driver UPSTREAM: USB: gadget: zero allocate endpoint 0 buffers UPSTREAM: USB: gadget: detect too-big endpoint 0 requests Linux 4.4.294 serial: pl011: Add ACPI SBSA UART match id tty: serial: msm_serial: Deactivate RX DMA for polling support vgacon: Propagate console boot parameters before calling `vc_resize' parisc: Fix "make install" on newer debian releases siphash: use _unaligned version by default net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() natsemi: xtensa: fix section mismatch warnings fget: check that the fd still exists after getting a ref to it fs: add fget_many() and fput_many() sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl kprobes: Limit max data_size of the kretprobe instances net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound scsi: iscsi: Unblock session then wake up error handler s390/setup: avoid using memblock_enforce_memory_limit platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep net: return correct error code hugetlb: take PMD sharing into account when flushing tlb/caches tty: hvc: replace BUG_ON() with negative return value xen/netfront: don't trust the backend response data blindly xen/netfront: disentangle tx_skb_freelist xen/netfront: don't read data from request on the ring page xen/netfront: read response from backend only once xen/blkfront: don't trust the backend response data blindly xen/blkfront: don't take local copy of a request from the ring page xen/blkfront: read response from backend only once xen: sync include/xen/interface/io/ring.h with Xen's newest version shm: extend forced shm destroy to support objects from several IPC nses fuse: release pipe buf after last use fuse: fix page stealing NFC: add NCI_UNREG flag to eliminate the race proc/vmcore: fix clearing user buffer by properly using clear_user() hugetlbfs: flush TLBs correctly after huge_pmd_unshare tracing: Check pid filtering when creating events tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows scsi: mpt3sas: Fix kernel panic during drive powercycle test ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE NFSv42: Don't fail clone() unless the OP_CLONE operation failed net: ieee802154: handle iftypes as u32 ASoC: topology: Add missing rwsem around snd_ctl_remove() calls ARM: dts: BCM5301X: Add interrupt properties to GPIO node xen: detect uninitialized xenbus in xenbus_init xen: don't continue xenstore initialization in case of errors staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() ALSA: ctxfi: Fix out-of-range access binder: fix test regression due to sender_euid change usb: hub: Fix locking issues with address0_mutex usb: hub: Fix usb enumeration issue due to address0 race USB: serial: option: add Fibocom FM101-GL variants USB: serial: option: add Telit LE910S1 0x9200 composition staging: ion: Prevent incorrect reference counting behavour Change-Id: Iadf9f213915d2a02b27ceb3b2144eac827ade329 
* common/android-4.4-p:
  Linux 4.4.296
  xen/netback: don't queue unlimited number of packages
  xen/console: harden hvc_xen against event channel storms
  xen/netfront: harden netfront against event channel storms
  xen/blkfront: harden blkfront against event channel storms
  Input: touchscreen - avoid bitwise vs logical OR warning
  ARM: 8805/2: remove unneeded naked function usage
  net: lan78xx: Avoid unnecessary self assignment
  net: systemport: Add global locking for descriptor lifecycle
  timekeeping: Really make sure wall_to_monotonic isn't positive
  USB: serial: option: add Telit FN990 compositions
  PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error
  USB: gadget: bRequestType is a bitfield, not a enum
  igbvf: fix double free in `igbvf_probe`
  soc/tegra: fuse: Fix bitwise vs. logical OR warning
  nfsd: fix use-after-free due to delegation race
  dm btree remove: fix use after free in rebalance_children()
  recordmcount.pl: look for jgnop instruction as well as bcrl on s390
  mac80211: send ADDBA requests using the tid/queue of the aggregation session
  hwmon: (dell-smm) Fix warning on /proc/i8k creation error
  net: netlink: af_netlink: Prevent empty skb by adding a check on len.
  i2c: rk3x: Handle a spurious start completion interrupt flag
  parisc/agp: Annotate parisc agp init functions with __init
  nfc: fix segfault in nfc_genl_dump_devices_done
  FROMGIT: USB: gadget: bRequestType is a bitfield, not a enum
  Linux 4.4.295
  irqchip: nvic: Fix offset for Interrupt Priority Offsets
  irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL
  iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove
  iio: itg3200: Call iio_trigger_notify_done() on error
  iio: ltr501: Don't return error code in trigger handler
  iio: mma8452: Fix trigger reference couting
  iio: stk3310: Don't return error code in interrupt handler
  usb: core: config: fix validation of wMaxPacketValue entries
  USB: gadget: zero allocate endpoint 0 buffers
  USB: gadget: detect too-big endpoint 0 requests
  net/qla3xxx: fix an error code in ql_adapter_up()
  net, neigh: clear whole pneigh_entry at alloc time
  net: fec: only clear interrupt of handling queue in fec_enet_rx_queue()
  net: altera: set a couple error code in probe()
  net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero
  block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2)
  tracefs: Set all files to the same group ownership as the mount option
  signalfd: use wake_up_pollfree()
  binder: use wake_up_pollfree()
  wait: add wake_up_pollfree()
  libata: add horkage for ASMedia 1092
  can: pch_can: pch_can_rx_normal: fix use after free
  tracefs: Have new files inherit the ownership of their parent
  ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*()
  ALSA: pcm: oss: Limit the period size to 16MB
  ALSA: pcm: oss: Fix negative period/buffer sizes
  ALSA: ctl: Fix copy of updated id with element read/write
  mm: bdi: initialize bdi_min_ratio when bdi is unregistered
  nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done
  can: sja1000: fix use after free in ems_pcmcia_add_card()
  HID: check for valid USB device for many HID drivers
  HID: wacom: fix problems when device is not a valid USB device
  HID: add USB_HID dependancy on some USB HID drivers
  HID: add USB_HID dependancy to hid-chicony
  HID: add USB_HID dependancy to hid-prodikeys
  HID: add hid_is_usb() function to make it simpler for USB detection
  HID: introduce hid_is_using_ll_driver
  UPSTREAM: USB: gadget: zero allocate endpoint 0 buffers
  UPSTREAM: USB: gadget: detect too-big endpoint 0 requests
  Linux 4.4.294
  serial: pl011: Add ACPI SBSA UART match id
  tty: serial: msm_serial: Deactivate RX DMA for polling support
  vgacon: Propagate console boot parameters before calling `vc_resize'
  parisc: Fix "make install" on newer debian releases
  siphash: use _unaligned version by default
  net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
  natsemi: xtensa: fix section mismatch warnings
  fget: check that the fd still exists after getting a ref to it
  fs: add fget_many() and fput_many()
  sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
  sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
  kprobes: Limit max data_size of the kretprobe instances
  net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()
  net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound
  scsi: iscsi: Unblock session then wake up error handler
  s390/setup: avoid using memblock_enforce_memory_limit
  platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
  net: return correct error code
  hugetlb: take PMD sharing into account when flushing tlb/caches
  tty: hvc: replace BUG_ON() with negative return value
  xen/netfront: don't trust the backend response data blindly
  xen/netfront: disentangle tx_skb_freelist
  xen/netfront: don't read data from request on the ring page
  xen/netfront: read response from backend only once
  xen/blkfront: don't trust the backend response data blindly
  xen/blkfront: don't take local copy of a request from the ring page
  xen/blkfront: read response from backend only once
  xen: sync include/xen/interface/io/ring.h with Xen's newest version
  shm: extend forced shm destroy to support objects from several IPC nses
  fuse: release pipe buf after last use
  fuse: fix page stealing
  NFC: add NCI_UNREG flag to eliminate the race
  proc/vmcore: fix clearing user buffer by properly using clear_user()
  hugetlbfs: flush TLBs correctly after huge_pmd_unshare
  tracing: Check pid filtering when creating events
  tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows
  scsi: mpt3sas: Fix kernel panic during drive powercycle test
  ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
  NFSv42: Don't fail clone() unless the OP_CLONE operation failed
  net: ieee802154: handle iftypes as u32
  ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
  ARM: dts: BCM5301X: Add interrupt properties to GPIO node
  xen: detect uninitialized xenbus in xenbus_init
  xen: don't continue xenstore initialization in case of errors
  staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
  ALSA: ctxfi: Fix out-of-range access
  binder: fix test regression due to sender_euid change
  usb: hub: Fix locking issues with address0_mutex
  usb: hub: Fix usb enumeration issue due to address0 race
  USB: serial: option: add Fibocom FM101-GL variants
  USB: serial: option: add Telit LE910S1 0x9200 composition
  staging: ion: Prevent incorrect reference counting behavour

Change-Id: Iadf9f213915d2a02b27ceb3b2144eac827ade329
Merge 4.4.294 into android-4.4-p 2021-12-08T08:00:24+00:00 Greg Kroah-Hartman gregkh@google.com 2021-12-08T08:00:24+00:00 bedab629a09ae0e564ece7e7ce37cd49e62f206d Changes in 4.4.294 staging: ion: Prevent incorrect reference counting behavour USB: serial: option: add Telit LE910S1 0x9200 composition USB: serial: option: add Fibocom FM101-GL variants usb: hub: Fix usb enumeration issue due to address0 race usb: hub: Fix locking issues with address0_mutex binder: fix test regression due to sender_euid change ALSA: ctxfi: Fix out-of-range access staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() xen: don't continue xenstore initialization in case of errors xen: detect uninitialized xenbus in xenbus_init ARM: dts: BCM5301X: Add interrupt properties to GPIO node ASoC: topology: Add missing rwsem around snd_ctl_remove() calls net: ieee802154: handle iftypes as u32 NFSv42: Don't fail clone() unless the OP_CLONE operation failed ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE scsi: mpt3sas: Fix kernel panic during drive powercycle test tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows tracing: Check pid filtering when creating events hugetlbfs: flush TLBs correctly after huge_pmd_unshare proc/vmcore: fix clearing user buffer by properly using clear_user() NFC: add NCI_UNREG flag to eliminate the race fuse: fix page stealing fuse: release pipe buf after last use shm: extend forced shm destroy to support objects from several IPC nses xen: sync include/xen/interface/io/ring.h with Xen's newest version xen/blkfront: read response from backend only once xen/blkfront: don't take local copy of a request from the ring page xen/blkfront: don't trust the backend response data blindly xen/netfront: read response from backend only once xen/netfront: don't read data from request on the ring page xen/netfront: disentangle tx_skb_freelist xen/netfront: don't trust the backend response data blindly tty: hvc: replace BUG_ON() with negative return value hugetlb: take PMD sharing into account when flushing tlb/caches net: return correct error code platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep s390/setup: avoid using memblock_enforce_memory_limit scsi: iscsi: Unblock session then wake up error handler net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() kprobes: Limit max data_size of the kretprobe instances sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl fs: add fget_many() and fput_many() fget: check that the fd still exists after getting a ref to it natsemi: xtensa: fix section mismatch warnings net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() siphash: use _unaligned version by default parisc: Fix "make install" on newer debian releases vgacon: Propagate console boot parameters before calling `vc_resize' tty: serial: msm_serial: Deactivate RX DMA for polling support serial: pl011: Add ACPI SBSA UART match id Linux 4.4.294 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Id3cafc33da957a0501bcf61d000025167d552797 
Changes in 4.4.294
	staging: ion: Prevent incorrect reference counting behavour
	USB: serial: option: add Telit LE910S1 0x9200 composition
	USB: serial: option: add Fibocom FM101-GL variants
	usb: hub: Fix usb enumeration issue due to address0 race
	usb: hub: Fix locking issues with address0_mutex
	binder: fix test regression due to sender_euid change
	ALSA: ctxfi: Fix out-of-range access
	staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect()
	xen: don't continue xenstore initialization in case of errors
	xen: detect uninitialized xenbus in xenbus_init
	ARM: dts: BCM5301X: Add interrupt properties to GPIO node
	ASoC: topology: Add missing rwsem around snd_ctl_remove() calls
	net: ieee802154: handle iftypes as u32
	NFSv42: Don't fail clone() unless the OP_CLONE operation failed
	ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE
	scsi: mpt3sas: Fix kernel panic during drive powercycle test
	tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows
	tracing: Check pid filtering when creating events
	hugetlbfs: flush TLBs correctly after huge_pmd_unshare
	proc/vmcore: fix clearing user buffer by properly using clear_user()
	NFC: add NCI_UNREG flag to eliminate the race
	fuse: fix page stealing
	fuse: release pipe buf after last use
	shm: extend forced shm destroy to support objects from several IPC nses
	xen: sync include/xen/interface/io/ring.h with Xen's newest version
	xen/blkfront: read response from backend only once
	xen/blkfront: don't take local copy of a request from the ring page
	xen/blkfront: don't trust the backend response data blindly
	xen/netfront: read response from backend only once
	xen/netfront: don't read data from request on the ring page
	xen/netfront: disentangle tx_skb_freelist
	xen/netfront: don't trust the backend response data blindly
	tty: hvc: replace BUG_ON() with negative return value
	hugetlb: take PMD sharing into account when flushing tlb/caches
	net: return correct error code
	platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep
	s390/setup: avoid using memblock_enforce_memory_limit
	scsi: iscsi: Unblock session then wake up error handler
	net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound
	net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock()
	kprobes: Limit max data_size of the kretprobe instances
	sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl
	sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl
	fs: add fget_many() and fput_many()
	fget: check that the fd still exists after getting a ref to it
	natsemi: xtensa: fix section mismatch warnings
	net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings()
	siphash: use _unaligned version by default
	parisc: Fix "make install" on newer debian releases
	vgacon: Propagate console boot parameters before calling `vc_resize'
	tty: serial: msm_serial: Deactivate RX DMA for polling support
	serial: pl011: Add ACPI SBSA UART match id
	Linux 4.4.294

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id3cafc33da957a0501bcf61d000025167d552797
shm: extend forced shm destroy to support objects from several IPC nses 2021-12-08T07:44:06+00:00 Alexander Mikhalitsyn alexander.mikhalitsyn@virtuozzo.com 2021-11-20T00:43:21+00:00 c233bb6234e13a50184626bf00cd8cbe58b8bc8d commit 85b6d24646e4125c591639841169baa98a2da503 upstream. Currently, the exit_shm() function not designed to work properly when task->sysvshm.shm_clist holds shm objects from different IPC namespaces. This is a real pain when sysctl kernel.shm_rmid_forced = 1, because it leads to use-after-free (reproducer exists). This is an attempt to fix the problem by extending exit_shm mechanism to handle shm's destroy from several IPC ns'es. To achieve that we do several things: 1. add a namespace (non-refcounted) pointer to the struct shmid_kernel 2. during new shm object creation (newseg()/shmget syscall) we initialize this pointer by current task IPC ns 3. exit_shm() fully reworked such that it traverses over all shp's in task->sysvshm.shm_clist and gets IPC namespace not from current task as it was before but from shp's object itself, then call shm_destroy(shp, ns). Note: We need to be really careful here, because as it was said before (1), our pointer to IPC ns non-refcnt'ed. To be on the safe side we using special helper get_ipc_ns_not_zero() which allows to get IPC ns refcounter only if IPC ns not in the "state of destruction". Q/A Q: Why can we access shp->ns memory using non-refcounted pointer? A: Because shp object lifetime is always shorther than IPC namespace lifetime, so, if we get shp object from the task->sysvshm.shm_clist while holding task_lock(task) nobody can steal our namespace. Q: Does this patch change semantics of unshare/setns/clone syscalls? A: No. It's just fixes non-covered case when process may leave IPC namespace without getting task->sysvshm.shm_clist list cleaned up. Link: https://lkml.kernel.org/r/67bb03e5-f79c-1815-e2bf-949c67047418@colorfullife.com Link: https://lkml.kernel.org/r/20211109151501.4921-1-manfred@colorfullife.com Fixes: ab602f79915 ("shm: make exit_shm work proportional to task activity") Co-developed-by: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Greg KH <gregkh@linuxfoundation.org> Cc: Andrei Vagin <avagin@gmail.com> Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Cc: Vasily Averin <vvs@virtuozzo.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 
commit 85b6d24646e4125c591639841169baa98a2da503 upstream.

Currently, the exit_shm() function not designed to work properly when
task->sysvshm.shm_clist holds shm objects from different IPC namespaces.

This is a real pain when sysctl kernel.shm_rmid_forced = 1, because it
leads to use-after-free (reproducer exists).

This is an attempt to fix the problem by extending exit_shm mechanism to
handle shm's destroy from several IPC ns'es.

To achieve that we do several things:

1. add a namespace (non-refcounted) pointer to the struct shmid_kernel

2. during new shm object creation (newseg()/shmget syscall) we
   initialize this pointer by current task IPC ns

3. exit_shm() fully reworked such that it traverses over all shp's in
   task->sysvshm.shm_clist and gets IPC namespace not from current task
   as it was before but from shp's object itself, then call
   shm_destroy(shp, ns).

Note: We need to be really careful here, because as it was said before
(1), our pointer to IPC ns non-refcnt'ed.  To be on the safe side we
using special helper get_ipc_ns_not_zero() which allows to get IPC ns
refcounter only if IPC ns not in the "state of destruction".

Q/A

Q: Why can we access shp->ns memory using non-refcounted pointer?
A: Because shp object lifetime is always shorther than IPC namespace
   lifetime, so, if we get shp object from the task->sysvshm.shm_clist
   while holding task_lock(task) nobody can steal our namespace.

Q: Does this patch change semantics of unshare/setns/clone syscalls?
A: No. It's just fixes non-covered case when process may leave IPC
   namespace without getting task->sysvshm.shm_clist list cleaned up.

Link: https://lkml.kernel.org/r/67bb03e5-f79c-1815-e2bf-949c67047418@colorfullife.com
Link: https://lkml.kernel.org/r/20211109151501.4921-1-manfred@colorfullife.com
Fixes: ab602f79915 ("shm: make exit_shm work proportional to task activity")
Co-developed-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Cc: Vasily Averin <vvs@virtuozzo.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Merge branch 'android-4.4-p' of https://android.googlesource.com/kernel/common into lineage-17.1-caf-msm8998 2020-06-03T21:49:19+00:00 Michael Bestas mkbestas@lineageos.org 2020-06-03T21:49:19+00:00 08e780103611fb2be36c17ff80de6cb54c910dd0 This brings LA.UM.8.4.r1-05500-8x98.0 up to date with https://android.googlesource.com/kernel/common/ android-4.4-p at commit: 60fca75727065 Merge 4.4.226 into android-4.4-p Conflicts: drivers/base/firmware_class.c drivers/gpu/drm/msm/msm_gem.c drivers/mmc/host/sdhci.c drivers/net/wireless/ath/ath10k/core.c kernel/trace/blktrace.c net/socket.c sound/core/rawmidi.c sound/usb/mixer.c Change-Id: Ic8599e865656da72a9405c45f27091ec1ddc168c 
This brings LA.UM.8.4.r1-05500-8x98.0 up to date with
https://android.googlesource.com/kernel/common/ android-4.4-p at commit:
60fca75727065 Merge 4.4.226 into android-4.4-p

Conflicts:
	drivers/base/firmware_class.c
	drivers/gpu/drm/msm/msm_gem.c
	drivers/mmc/host/sdhci.c
	drivers/net/wireless/ath/ath10k/core.c
	kernel/trace/blktrace.c
	net/socket.c
	sound/core/rawmidi.c
	sound/usb/mixer.c

Change-Id: Ic8599e865656da72a9405c45f27091ec1ddc168c
Merge 4.4.224 into android-4.4-p 2020-05-20T09:53:50+00:00 Greg Kroah-Hartman gregkh@google.com 2020-05-20T09:53:50+00:00 53454c3459bc25f3678f0ec9632609082685c766 Changes in 4.4.224 USB: serial: qcserial: Add DW5816e support Revert "net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS" dp83640: reverse arguments to list_add_tail net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() sch_sfq: validate silly quantum values sch_choke: avoid potential panic in choke_reset() Revert "ACPI / video: Add force_native quirk for HP Pavilion dv6" enic: do not overwrite error code ipv6: fix cleanup ordering for ip6_mr failure binfmt_elf: move brk out of mmap when doing direct loader exec x86/apm: Don't access __preempt_count with zeroed fs Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0" USB: uas: add quirk for LaCie 2Big Quadra USB: serial: garmin_gps: add sanity checking for data length batman-adv: fix batadv_nc_random_weight_tq scripts/decodecode: fix trapping instruction formatting phy: micrel: Ensure interrupts are reenabled on resume binfmt_elf: Do not move brk for INTERP-less ET_EXEC ext4: add cond_resched() to ext4_protect_reserved_inode net: ipv6: add net argument to ip6_dst_lookup_flow net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup blktrace: Fix potential deadlock between delete & sysfs ops blktrace: fix unlocked access to init/start-stop/teardown blktrace: fix trace mutex deadlock blktrace: Protect q->blk_trace with RCU blktrace: fix dereference after null check ptp: do not explicitly set drvdata in ptp_clock_register() ptp: use is_visible method to hide unused attributes ptp: create "pins" together with the rest of attributes chardev: add helper function to register char devs with a struct device ptp: Fix pass zero to ERR_PTR() in ptp_clock_register ptp: fix the race between the release of ptp_clock and cdev ptp: free ptp device pin descriptors properly net: handle no dst on skb in icmp6_send net/sonic: Fix a resource leak in an error handling path in 'jazz_sonic_probe()' net: moxa: Fix a potential double 'free_irq()' drop_monitor: work around gcc-10 stringop-overflow warning scsi: sg: add sg_remove_request in sg_write spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls cifs: Check for timeout on Negotiate stage cifs: Fix a race condition with cifs_echo_request dmaengine: pch_dma.c: Avoid data race between probe and irq handler dmaengine: mmp_tdma: Reset channel error on release drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() ipc/util.c: sysvipc_find_ipc() incorrectly updates position index net: openvswitch: fix csum updates for MPLS actions gre: do not keep the GRE header around in collect medata mode mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone() scsi: qla2xxx: Avoid double completion of abort command i40e: avoid NVM acquire deadlock during NVM update net/mlx5: Fix driver load error flow when firmware is stuck netfilter: conntrack: avoid gcc-10 zero-length-bounds warning IB/mlx4: Test return value of calls to ib_get_cached_pkey pnp: Use list_for_each_entry() instead of open coding gcc-10 warnings: fix low-hanging fruit kbuild: compute false-positive -Wmaybe-uninitialized cases in Kconfig Stop the ad-hoc games with -Wno-maybe-initialized gcc-10: disable 'zero-length-bounds' warning for now gcc-10: disable 'array-bounds' warning for now gcc-10: disable 'stringop-overflow' warning for now gcc-10: disable 'restrict' warning for now block: defer timeouts to a workqueue blk-mq: Allow timeouts to run while queue is freezing blk-mq: sync the update nr_hw_queues with blk_mq_queue_tag_busy_iter blk-mq: Allow blocking queue tag iter callbacks x86/paravirt: Remove the unused irq_enable_sysexit pv op gcc-10: avoid shadowing standard library 'free()' in crypto net: fix a potential recursive NETDEV_FEAT_CHANGE net: ipv4: really enforce backoff for redirects netlabel: cope with NULL catmap ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 ALSA: rawmidi: Fix racy buffer resize under concurrent accesses ALSA: rawmidi: Initialize allocated buffers USB: gadget: fix illegal array access in binding with UDC ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries x86: Fix early boot crash on gcc-10, third try exec: Move would_dump into flush_old_exec usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' usb: gadget: audio: Fix a missing error return value in audio_bind() usb: gadget: legacy: fix error return code in gncm_bind() usb: gadget: legacy: fix error return code in cdc_bind() Revert "ALSA: hda/realtek: Fix pop noise on ALC225" ARM: dts: r8a7740: Add missing extal2 to CPG node KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce Makefile: disallow data races on gcc-10 as well scsi: iscsi: Fix a potential deadlock in the timeout handler Linux 4.4.224 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I384313d39dead8b0babb144803269033f4aacc53 
Changes in 4.4.224
	USB: serial: qcserial: Add DW5816e support
	Revert "net: phy: Avoid polling PHY with PHY_IGNORE_INTERRUPTS"
	dp83640: reverse arguments to list_add_tail
	net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc()
	sch_sfq: validate silly quantum values
	sch_choke: avoid potential panic in choke_reset()
	Revert "ACPI / video: Add force_native quirk for HP Pavilion dv6"
	enic: do not overwrite error code
	ipv6: fix cleanup ordering for ip6_mr failure
	binfmt_elf: move brk out of mmap when doing direct loader exec
	x86/apm: Don't access __preempt_count with zeroed fs
	Revert "IB/ipoib: Update broadcast object if PKey value was changed in index 0"
	USB: uas: add quirk for LaCie 2Big Quadra
	USB: serial: garmin_gps: add sanity checking for data length
	batman-adv: fix batadv_nc_random_weight_tq
	scripts/decodecode: fix trapping instruction formatting
	phy: micrel: Ensure interrupts are reenabled on resume
	binfmt_elf: Do not move brk for INTERP-less ET_EXEC
	ext4: add cond_resched() to ext4_protect_reserved_inode
	net: ipv6: add net argument to ip6_dst_lookup_flow
	net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
	blktrace: Fix potential deadlock between delete & sysfs ops
	blktrace: fix unlocked access to init/start-stop/teardown
	blktrace: fix trace mutex deadlock
	blktrace: Protect q->blk_trace with RCU
	blktrace: fix dereference after null check
	ptp: do not explicitly set drvdata in ptp_clock_register()
	ptp: use is_visible method to hide unused attributes
	ptp: create "pins" together with the rest of attributes
	chardev: add helper function to register char devs with a struct device
	ptp: Fix pass zero to ERR_PTR() in ptp_clock_register
	ptp: fix the race between the release of ptp_clock and cdev
	ptp: free ptp device pin descriptors properly
	net: handle no dst on skb in icmp6_send
	net/sonic: Fix a resource leak in an error handling path in 'jazz_sonic_probe()'
	net: moxa: Fix a potential double 'free_irq()'
	drop_monitor: work around gcc-10 stringop-overflow warning
	scsi: sg: add sg_remove_request in sg_write
	spi: spi-dw: Add lock protect dw_spi rx/tx to prevent concurrent calls
	cifs: Check for timeout on Negotiate stage
	cifs: Fix a race condition with cifs_echo_request
	dmaengine: pch_dma.c: Avoid data race between probe and irq handler
	dmaengine: mmp_tdma: Reset channel error on release
	drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper()
	ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
	net: openvswitch: fix csum updates for MPLS actions
	gre: do not keep the GRE header around in collect medata mode
	mm/memory_hotplug.c: fix overflow in test_pages_in_a_zone()
	scsi: qla2xxx: Avoid double completion of abort command
	i40e: avoid NVM acquire deadlock during NVM update
	net/mlx5: Fix driver load error flow when firmware is stuck
	netfilter: conntrack: avoid gcc-10 zero-length-bounds warning
	IB/mlx4: Test return value of calls to ib_get_cached_pkey
	pnp: Use list_for_each_entry() instead of open coding
	gcc-10 warnings: fix low-hanging fruit
	kbuild: compute false-positive -Wmaybe-uninitialized cases in Kconfig
	Stop the ad-hoc games with -Wno-maybe-initialized
	gcc-10: disable 'zero-length-bounds' warning for now
	gcc-10: disable 'array-bounds' warning for now
	gcc-10: disable 'stringop-overflow' warning for now
	gcc-10: disable 'restrict' warning for now
	block: defer timeouts to a workqueue
	blk-mq: Allow timeouts to run while queue is freezing
	blk-mq: sync the update nr_hw_queues with blk_mq_queue_tag_busy_iter
	blk-mq: Allow blocking queue tag iter callbacks
	x86/paravirt: Remove the unused irq_enable_sysexit pv op
	gcc-10: avoid shadowing standard library 'free()' in crypto
	net: fix a potential recursive NETDEV_FEAT_CHANGE
	net: ipv4: really enforce backoff for redirects
	netlabel: cope with NULL catmap
	ALSA: hda/realtek - Limit int mic boost for Thinkpad T530
	ALSA: rawmidi: Fix racy buffer resize under concurrent accesses
	ALSA: rawmidi: Initialize allocated buffers
	USB: gadget: fix illegal array access in binding with UDC
	ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries
	x86: Fix early boot crash on gcc-10, third try
	exec: Move would_dump into flush_old_exec
	usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()'
	usb: gadget: audio: Fix a missing error return value in audio_bind()
	usb: gadget: legacy: fix error return code in gncm_bind()
	usb: gadget: legacy: fix error return code in cdc_bind()
	Revert "ALSA: hda/realtek: Fix pop noise on ALC225"
	ARM: dts: r8a7740: Add missing extal2 to CPG node
	KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce
	Makefile: disallow data races on gcc-10 as well
	scsi: iscsi: Fix a potential deadlock in the timeout handler
	Linux 4.4.224

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I384313d39dead8b0babb144803269033f4aacc53
ipc/util.c: sysvipc_find_ipc() incorrectly updates position index 2020-05-20T06:11:45+00:00 Vasily Averin vvs@virtuozzo.com 2020-05-14T00:50:48+00:00 77dbb2fa31d5e76dc8b16bdc737f293ad17b7b49 [ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ] Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") is causing this bug (seen on 5.6.8): # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages # ipcmk -Q Message queue id: 0 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x82db8127 0 root 644 0 0 # ipcmk -Q Message queue id: 1 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x82db8127 0 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcrm -q 0 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x76d1fb2a 1 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcmk -Q Message queue id: 2 # ipcrm -q 2 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x76d1fb2a 1 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcmk -Q Message queue id: 3 # ipcrm -q 1 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 Whenever an IPC item with a low id is deleted, the items with higher ids are duplicated, as if filling a hole. new_pos should jump through hole of unused ids, pos can be updated inside "for" cycle. Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") Reported-by: Andreas Schwab <schwab@suse.de> Reported-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Waiman Long <longman@redhat.com> Cc: NeilBrown <neilb@suse.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Peter Oberparleiter <oberpar@linux.ibm.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: <stable@vger.kernel.org> Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 
[ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ]

Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase
position index") is causing this bug (seen on 5.6.8):

   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages

   # ipcmk -Q
   Message queue id: 0
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x82db8127 0          root       644        0            0

   # ipcmk -Q
   Message queue id: 1
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x82db8127 0          root       644        0            0
   0x76d1fb2a 1          root       644        0            0

   # ipcrm -q 0
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x76d1fb2a 1          root       644        0            0
   0x76d1fb2a 1          root       644        0            0

   # ipcmk -Q
   Message queue id: 2
   # ipcrm -q 2
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x76d1fb2a 1          root       644        0            0
   0x76d1fb2a 1          root       644        0            0

   # ipcmk -Q
   Message queue id: 3
   # ipcrm -q 1
   # ipcs -q

   ------ Message Queues --------
   key        msqid      owner      perms      used-bytes   messages
   0x7c982867 3          root       644        0            0
   0x7c982867 3          root       644        0            0
   0x7c982867 3          root       644        0            0
   0x7c982867 3          root       644        0            0

Whenever an IPC item with a low id is deleted, the items with higher ids
are duplicated, as if filling a hole.

new_pos should jump through hole of unused ids, pos can be updated
inside "for" cycle.

Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index")
Reported-by: Andreas Schwab <schwab@suse.de>
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Waiman Long <longman@redhat.com>
Cc: NeilBrown <neilb@suse.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Peter Oberparleiter <oberpar@linux.ibm.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Merge branch 'android-4.4-p' of https://android.googlesource.com/kernel/common into lineage-17.1-caf-msm8998 2020-05-14T17:02:37+00:00 Michael Bestas mkbestas@lineageos.org 2020-05-09T22:30:22+00:00 5d60efc89fa6e5a6616bd9dfa2b0702756b7404e This brings LA.UM.8.4.r1-05400-8x98.0 up to date with https://android.googlesource.com/kernel/common/ android-4.4-p at commit: 96b09cba55905 UPSTREAM: net: socket: set sock->sk to NULL after calling proto_ops::release() Conflicts: drivers/scsi/ufs/ufshcd.c drivers/usb/gadget/composite.c drivers/usb/gadget/function/f_fs.c Change-Id: I3e79c0d20e3eb3246a50c9a1e815cdf030a4232e 
This brings LA.UM.8.4.r1-05400-8x98.0 up to date with
https://android.googlesource.com/kernel/common/ android-4.4-p at commit:
96b09cba55905 UPSTREAM: net: socket: set sock->sk to NULL after calling proto_ops::release()

Conflicts:
	drivers/scsi/ufs/ufshcd.c
	drivers/usb/gadget/composite.c
	drivers/usb/gadget/function/f_fs.c

Change-Id: I3e79c0d20e3eb3246a50c9a1e815cdf030a4232e
Merge 4.4.221 into android-4.4-p 2020-05-02T15:33:50+00:00 Greg Kroah-Hartman gregkh@google.com 2020-05-02T15:33:50+00:00 5ddb3649549ffdf4b9bcc3619636fb32359452e8 Changes in 4.4.221 ext4: fix extent_status fragmentation for plain files ALSA: hda - Fix incorrect usage of IS_REACHABLE() net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg() net: ipv4: avoid unused variable warning for sysctl crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static vti4: removed duplicate log message. scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login ceph: return ceph_mdsc_do_request() errors from __get_parent() ceph: don't skip updating wanted caps when cap is stale pwm: rcar: Fix late Runtime PM enablement scsi: iscsi: Report unbind session event when the target has been removed ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() kernel/gcov/fs.c: gcov_seq_next() should increase position index ipc/util.c: sysvipc_find_ipc() should increase position index s390/cio: avoid duplicated 'ADD' uevents pwm: renesas-tpu: Fix late Runtime PM enablement pwm: bcm2835: Dynamically allocate base ipv6: fix restrict IPV6_ADDRFORM operation macvlan: fix null dereference in macvlan_device_event() net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node net/x25: Fix x25_neigh refcnt leak when receiving frame tcp: cache line align MAX_TCP_HEADER team: fix hang in team_mode_get() xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish ALSA: hda: Remove ASUS ROG Zenith from the blacklist iio: xilinx-xadc: Fix ADC-B powerdown iio: xilinx-xadc: Fix clearing interrupt when enabling trigger iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode fs/namespace.c: fix mountpoint reference counter race USB: sisusbvga: Change port variable from signed to unsigned USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit. drivers: usb: core: Minimize irq disabling in usb_sg_cancel() USB: core: Fix free-while-in-use bug in the USB S-Glibrary USB: hub: Fix handling of connect changes during sleep ALSA: usx2y: Fix potential NULL dereference ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices KVM: Check validity of resolved slot when searching memslots KVM: VMX: Enable machine check support for 32bit targets tty: hvc: fix buffer overflow during hvc_alloc(). tty: rocket, avoid OOB access usb-storage: Add unusual_devs entry for JMicron JMS566 audit: check the length of userspace generated audit records ASoC: dapm: fixup dapm kcontrol widget ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y staging: comedi: dt2815: fix writing hi byte of analog output staging: comedi: Fix comedi_device refcnt leak in comedi_open staging: vt6656: Fix drivers TBTT timing counter. staging: vt6656: Power save stop wake_up_count wrap around. UAS: no use logging any details in case of ENODEV UAS: fix deadlock in error handling and PM flushing work usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() remoteproc: Fix wrong rvring index computation sctp: use right member as the param of list_for_each_entry fuse: fix possibly missed wake-up after abort mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer usb: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete net/cxgb4: Check the return from t4_query_params properly perf/core: fix parent pid/tid in task exit events bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B scsi: target: fix PR IN / READ FULL STATUS for FC xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status ext4: convert BUG_ON's to WARN_ON's in mballoc.c ext4: avoid declaring fs inconsistent due to invalid file handles ext4: protect journal inode's blocks using block_validity ext4: don't perform block validity checks on the journal inode ext4: fix block validity checks for journal inodes using indirect blocks ext4: unsigned int compared against zero propagate_one(): mnt_set_mountpoint() needs mount_lock Linux 4.4.221 Change-Id: I95cadd4206a7c89541de002faacea3a28e7b1ac3 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> 
Changes in 4.4.221
	ext4: fix extent_status fragmentation for plain files
	ALSA: hda - Fix incorrect usage of IS_REACHABLE()
	net: ipv4: emulate READ_ONCE() on ->hdrincl bit-field in raw_sendmsg()
	net: ipv4: avoid unused variable warning for sysctl
	crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static
	vti4: removed duplicate log message.
	scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login
	ceph: return ceph_mdsc_do_request() errors from __get_parent()
	ceph: don't skip updating wanted caps when cap is stale
	pwm: rcar: Fix late Runtime PM enablement
	scsi: iscsi: Report unbind session event when the target has been removed
	ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map()
	kernel/gcov/fs.c: gcov_seq_next() should increase position index
	ipc/util.c: sysvipc_find_ipc() should increase position index
	s390/cio: avoid duplicated 'ADD' uevents
	pwm: renesas-tpu: Fix late Runtime PM enablement
	pwm: bcm2835: Dynamically allocate base
	ipv6: fix restrict IPV6_ADDRFORM operation
	macvlan: fix null dereference in macvlan_device_event()
	net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node
	net/x25: Fix x25_neigh refcnt leak when receiving frame
	tcp: cache line align MAX_TCP_HEADER
	team: fix hang in team_mode_get()
	xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish
	ALSA: hda: Remove ASUS ROG Zenith from the blacklist
	iio: xilinx-xadc: Fix ADC-B powerdown
	iio: xilinx-xadc: Fix clearing interrupt when enabling trigger
	iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode
	fs/namespace.c: fix mountpoint reference counter race
	USB: sisusbvga: Change port variable from signed to unsigned
	USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE
	drivers: usb: core: Don't disable irqs in usb_sg_wait() during URB submit.
	drivers: usb: core: Minimize irq disabling in usb_sg_cancel()
	USB: core: Fix free-while-in-use bug in the USB S-Glibrary
	USB: hub: Fix handling of connect changes during sleep
	ALSA: usx2y: Fix potential NULL dereference
	ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif
	ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices
	KVM: Check validity of resolved slot when searching memslots
	KVM: VMX: Enable machine check support for 32bit targets
	tty: hvc: fix buffer overflow during hvc_alloc().
	tty: rocket, avoid OOB access
	usb-storage: Add unusual_devs entry for JMicron JMS566
	audit: check the length of userspace generated audit records
	ASoC: dapm: fixup dapm kcontrol widget
	ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y
	staging: comedi: dt2815: fix writing hi byte of analog output
	staging: comedi: Fix comedi_device refcnt leak in comedi_open
	staging: vt6656: Fix drivers TBTT timing counter.
	staging: vt6656: Power save stop wake_up_count wrap around.
	UAS: no use logging any details in case of ENODEV
	UAS: fix deadlock in error handling and PM flushing work
	usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset()
	remoteproc: Fix wrong rvring index computation
	sctp: use right member as the param of list_for_each_entry
	fuse: fix possibly missed wake-up after abort
	mtd: cfi: fix deadloop in cfi_cmdset_0002.c do_write_buffer
	usb: gadget: udc: bdc: Remove unnecessary NULL checks in bdc_req_complete
	net/cxgb4: Check the return from t4_query_params properly
	perf/core: fix parent pid/tid in task exit events
	bpf, x86: Fix encoding for lower 8-bit registers in BPF_STX BPF_B
	scsi: target: fix PR IN / READ FULL STATUS for FC
	xen/xenbus: ensure xenbus_map_ring_valloc() returns proper grant status
	ext4: convert BUG_ON's to WARN_ON's in mballoc.c
	ext4: avoid declaring fs inconsistent due to invalid file handles
	ext4: protect journal inode's blocks using block_validity
	ext4: don't perform block validity checks on the journal inode
	ext4: fix block validity checks for journal inodes using indirect blocks
	ext4: unsigned int compared against zero
	propagate_one(): mnt_set_mountpoint() needs mount_lock
	Linux 4.4.221

Change-Id: I95cadd4206a7c89541de002faacea3a28e7b1ac3
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>