| Commit message (Collapse) | Author | Age |
|---|
| |\
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
https://source.codeaurora.org/quic/la/kernel/msm-4.4 into lineage-16.0
313e787f28bb Merge "power: qpnp-smbcharger: Change ordering of EXTCON_USB_SPEED" into kernel.lnx.4.4.r37-rel
dfa5b807ec2c Merge changes I0ab244e6,I05a4aa96 into kernel.lnx.4.4.r37-rel
c900b4827149 msm: ipa: Fix array out of bound and use after NULL check
b562b057dd2a msm: ipa: Fix pointer checked for NULL may be used
216dfe7e7a14 usb: phy-msm-susb-qmp: Add checks to check clk_enabled
2c0a97a53f77 power: qpnp-smbcharger: Change ordering of EXTCON_USB_SPEED
56d12bfe26c3 Merge commit '09d42880fd9f4d04317f030021b85323b8f8b9b9' into HEAD
09d42880fd9f Merge "msm: camera_v2: isp: update the frame drop during error case"
19d79e95f10c Merge "msm:camera: add trace log support for VFE events"
3ae0451881ca Merge "msm: camera_v2: Remove sysfs bind/unbind files"
45b4ac208b7b msm:camera: add trace log support for VFE events
5974bd4025ea msm: camera_v2: Fix page fault issue in camera ISP
ed8c0918eeb1 Merge "icnss: Reduce the shutdown timeout from 50sec to 15sec"
7e4d8780224c Merge "drm/msm/dsi-staging: Add range check in debugfs_dump_info_read"
978400398a92 icnss: Reduce the shutdown timeout from 50sec to 15sec
4e08c8cbacd4 msm: camera_v2: Remove sysfs bind/unbind files
79a8f215703e Merge "ASoC: sdm660_cdc: Set speaker amplifier enable bit"
c0f636f83226 Merge "cnss2: Update board data file name format"
bd48b0a101e8 Merge "msm: kgsl: Add missing check for snapshot IB dump"
2f5e49a21882 Merge "defconfig: msm: Disable EXT2 and EXT3 FS configs for MSM8998"
46ece1ae20ad Merge "sched/walt: Fix the memory leak of idle task load pointers"
78540133736a Merge "soc: qcom: smem: validate fields of shared structures"
196d97abd323 Merge "Merge android-4.4.183 (94fd428) into msm-4.4"
fad4d2e83739 Merge "msm: kgsl: Change data type for GPU ib vote"
54d23a97a07e Merge "drivers: thermal: Use FCAP scm call instead of DMAX in LMH DCVSh"
1379d11803dd msm: kgsl: Add missing check for snapshot IB dump
2c8f4699fdd0 defconfig: msm: Disable EXT2 and EXT3 FS configs for MSM8998
fcc47ec62ae1 soc: qcom: smem: validate fields of shared structures
7151def9c713 ASoC: sdm660_cdc: Set speaker amplifier enable bit
f395d5810f27 sched/walt: Fix the memory leak of idle task load pointers
03f0af3c211e drivers: thermal: Use FCAP scm call instead of DMAX in LMH DCVSh
f6ee0c2bb45d drivers: thermal: Use FCAP scm call instead of DMAX in KTM
cb7df67908b0 msm: kgsl: Change data type for GPU ib vote
c94369b4c1fc cnss2: print firmware cap info in stats
9a1c2880320b Merge android-4.4.183 (94fd428) into msm-4.4
94fd42809f7d Merge 4.4.183 into android-4.4
308743255040 Linux 4.4.183
df7ba8162ca1 Abort file_remove_privs() for non-reg. files
8f6345a11caa coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
3692bc31c1ff Revert "crypto: crypto4xx - properly set IV after de- and encrypt"
39c7c903c63d scsi: libsas: delete sas port if expander discover failed
a272035ea1bf scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
af8cd6101bf5 net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs
b25c62cc16e0 KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list
7ef8d778cf3e ia64: fix build errors by exporting paddr_to_nid()
432030b25b86 configfs: Fix use-after-free when accessing sd->s_dentry
d5a18c8609f3 i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
be1b9df5bba1 net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE()
0bb6c295e463 gpio: fix gpio-adp5588 build errors
dd961efe8dee perf/ring_buffer: Add ordering to rb->nest increment
8abd8a9a975e perf/ring_buffer: Fix exposing a temporarily decreased data_head
3e74b3f05abf x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor
f4678b7808e7 mISDN: make sure device name is NUL terminated
e2f9c0f73454 sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
753aa7556089 neigh: fix use-after-free read in pneigh_get_next
709d8771fab7 lapb: fixed leak of control-blocks.
1777c35e8d47 ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
6f057abd08d1 be2net: Fix number of Rx queues used for flow hashing
7139a9f6246d ax25: fix inconsistent lock state in ax25_destroy_timer
f1a5c6b083bc USB: serial: option: add Telit 0x1260 and 0x1261 compositions
a67d65958e2a USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode
b8ee804bba8f USB: serial: pl2303: add Allied Telesis VT-Kit3
f14747c88170 USB: usb-storage: Add new ID to ums-realtek
038c192699a9 USB: Fix chipmunk-like voice when using Logitech C270 for recording audio.
8f6b0e59d2a0 drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
6e0c7e73232f drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
ce391e4cdef8 KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
a1b9c6b4cba0 KVM: x86/pmu: do not mask the value that is written to fixed PMUs
7caddacf863f usbnet: ipheth: fix racing condition
f80a35fcb9e9 scsi: bnx2fc: fix incorrect cast to u64 on shift operation
da51a322f197 scsi: lpfc: add check for loss of ndlp when sending RRQ
3a2ff1088c2a Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
1f8233ca3a48 ASoC: cs42xx8: Add regcache mask dirty
91f1fc1ae409 cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
8b47af927e2e bcache: fix stack corruption by PRECEDING_KEY()
a2aabf288bf7 i2c: acorn: fix i2c warning
d774bd27b4f5 ptrace: restore smp_rmb() in __ptrace_may_access()
5aff00ee839a signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
0b871fc866eb fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
c05fed507582 mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
be499b84c3bd libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
d7a18814fff9 ALSA: seq: Cover unsubscribe_port() in list_mutex
4282a0b1db65 Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections"
cd23996afa14 futex: Fix futex lock the wrong page
38fbd5c2d572 ARM: exynos: Fix undefined instruction during Exynos5422 resume
5767587907fd pwm: Fix deadlock warning when removing PWM device
113a78a0a537 ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa
78184953a2ed pwm: tiehrpwm: Update shadow register for disabling PWMs
d24e22cde8b3 dmaengine: idma64: Use actual device for DMA transfers
533171620cd5 gpio: gpio-omap: add check for off wake capable gpios
3b4652ba9d78 PCI: xilinx: Check for __get_free_pages() failure
c869210e0ac6 video: imsttfb: fix potential NULL pointer dereferences
5c7fbc5f6a7d video: hgafb: fix potential NULL pointer dereference
bea8fa863ce9 PCI: rcar: Fix a potential NULL pointer dereference
76208df36d7a PCI: rpadlpar: Fix leaked device_node references in add/remove paths
100468652e5a ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA
927d2be77e6c ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA
8aee025af280 ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA
b49501f51371 clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
4270dc6a7a79 soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
845676341c2d platform/chrome: cros_ec_proto: check for NULL transfer function
c7155e51cf85 x86/PCI: Fix PCI IRQ routing table memory leak
198a54f07f51 nfsd: allow fh_want_write to be called twice
e6779b264d69 fuse: retrieve: cap requested size to negotiated max_write
742cb74bf108 nvmem: core: fix read buffer in place
750c55e69cca ALSA: hda - Register irq handler after the chip initialization
09ad374f23ce iommu/vt-d: Set intel_iommu_gfx_mapped correctly
9e4ed17b9416 f2fs: fix to do sanity check on valid block count of segment
534ef922376e f2fs: fix to avoid panic in do_recover_data()
90a238a8a2d2 ntp: Allow TAI-UTC offset to be set to zero
25be7d51a012 drm/bridge: adv7511: Fix low refresh rate selection
8fdebdd06c4b perf/x86/intel: Allow PEBS multi-entry in watermark mode
dee1ba919ca2 mfd: twl6040: Fix device init errors for ACCCTL register
4110c4188853 mfd: intel-lpss: Set the device in reset state when init
1bef19130b5b kernel/sys.c: prctl: fix false positive in validate_prctl_map()
937fa1624a1f mm/cma_debug.c: fix the break condition in cma_maxchunk_get()
fceb0be41836 mm/cma.c: fix crash on CMA allocation if bitmap allocation fails
9c8d4d77e3aa hugetlbfs: on restore reserve error path retain subpool reservation
d8129a5d7a9d ipc: prevent lockup on alloc_msg and free_msg
50c0db539937 sysctl: return -EINVAL if val violates minmax
8b9241b052a2 fs/fat/file.c: issue flush after the writeback of FAT
335e20ca9562 Merge "soc: qcom: glink_spi_xprt: Sanitize input for short cmd"
abc2a59bfdb9 Merge "soc: qcom: hab: add error handling when dt item is missing"
9998d2e52dd4 mm: add /proc/pid/smaps_rollup
a2165163680e Merge "msm: ais: sensor: actuator: fix out of bound read for bivcm region params"
7ec9476039c1 soc: qcom: hab: add error handling when dt item is missing
7967865bb4c4 msm: ais: sensor: actuator: fix out of bound read for bivcm region params
14f9c777669f Merge "Merge android-4.4.182 (9c4ab57) into msm-4.4"
eee21eb4a635 ANDROID: kernel: cgroup: cpuset: Clear cpus_requested for empty buf
f1adac4c222b ANDROID: kernel: cgroup: cpuset: Add missing allocation of cpus_requested in alloc_trial_cpuset
291c54b284a4 i2c: virtio: reallocate memory for each msg buffer
ca64572d5459 Merge changes into msm-4.4
a32f2cd75906 Merge android-4.4.182 (9c4ab57) into msm-4.4
2ae4cde5790c Merge "i2c: refine the driver of i2c virtualization"
9c4ab5729952 Merge 4.4.182 into android-4.4
33790f2eda73 Linux 4.4.182
f938ae0ce5ef tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
e757d052f3b8 tcp: add tcp_min_snd_mss sysctl
ad472d3a9483 tcp: tcp_fragment() should apply sane memory limits
4657ee0fe05e tcp: limit payload size of sacked skbs
17c66e9e49a1 Merge "msm: vidc: add additional check to avoid out of bound access"
4e933027e684 Merge "Merge android-4.4.181 (bd858d7) into msm-4.4"
be5afd934314 i2c: refine the driver of i2c virtualization
f1057f82fa62 msm: vidc: add additional check to avoid out of bound access
c176a066dfd3 diag: dci: Correct out of bounds check in processing dci pkt rsp
cc47c2c325b9 Merge "msm: adsprpc: maintain local copy of rpra offloaded to DSP"
1f3eb68e71cd msm: adsprpc: maintain local copy of rpra offloaded to DSP
a50f44266d21 Merge "diag: Prevent out-of-bound access while processing userspace data"
c658076e45e0 Merge "ASoC: msm: Add support for AVS version check"
f328b4d28d25 Merge "arm: dts: msm: Add avs-version dt property for 8996"
5dbfa1533af8 diag: Prevent out-of-bound access while processing userspace data
eb0322ea9b07 arm: dts: msm: Add avs-version dt property for 8996
5ef154a26639 Merge android-4.4.181 (bd858d7) into msm-4.4
7caeb5cb7c4f soc: qcom: glink_spi_xprt: Sanitize input for short cmd
17fd8dbacb92 Merge "soc: qcom: hab: add missing variable declaration"
1cc130f95ec7 UPSTREAM: binder: check for overflow when alloc for security context
784672577648 BACKPORT: binder: fix race between munmap() and direct reclaim
849ecbea5548 soc: qcom: hab: add missing variable declaration
bd858d730975 Merge 4.4.181 into android-4.4
0434b31d567e Merge "dwc3-msm: Fix dwc3_drd_state_string for undefined state"
411c38c969a7 Merge "usb: dwc3-msm: Ensure hardware is reset during role change"
8dce56fa0ccf Merge "usb: dwc3-msm: add enum for drd_states to remove otg_state usage"
d7b7345c3a5d Linux 4.4.181
f1d7eebd9d67 ethtool: check the return value of get_regs_len
647f72b0d75c ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
c9696a8f3e64 fuse: Add FOPEN_STREAM to use stream_open()
3bf0c459615a fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
0f5fab865ae9 drm/gma500/cdv: Check vbt config bits when detecting lvds panels
e087f7519114 genwqe: Prevent an integer overflow in the ioctl
59565e894518 MIPS: pistachio: Build uImage.gz by default
8061c23f5378 fuse: fallocate: fix return with locked inode
cf30c1953467 parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
f0d1e74c8120 rcu: locking and unlocking need to always be at least barriers
44657dbba7c4 pktgen: do not sleep with the thread lock held.
eded0b11c7a3 net: rds: fix memory leak in rds_ib_flush_mr_pool
54dd5e352cf7 net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
cc475966e5f7 neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
e5c6de6694ed ethtool: fix potential userspace buffer overflow
8795708bc939 media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
2b13a9580ef9 usb: gadget: fix request length error for isoc transfer
8b15aae1baa2 net: cdc_ncm: GetNtbFormat endian fix
613b4bc1951d Revert "x86/build: Move _etext to actual end of .text"
6ad730b83178 userfaultfd: don't pin the user memory in userfaultfd_file_create()
4e06554db5e5 brcmfmac: add subtype check for event handling in data path
993b68aa3ef7 brcmfmac: add length checks in scheduled scan result handler
35bcfbad5d94 brcmfmac: fix incorrect event channel deduction
8c12de962667 brcmfmac: revise handling events in receive path
5f4688a15c24 brcmfmac: screening firmware event packet
6da841e9ae87 brcmfmac: Add length checks on firmware events
c55a2cffa5ca bnx2x: disable GSO where gso_size is too big for hardware
a33b6d4c8bc7 net: create skb_gso_validate_mac_len()
c53c1a821d62 binder: replace "%p" with "%pK"
5280efe442b2 binder: Replace "%p" with "%pK" for stable
336c16621785 CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
360f8fe46f74 kernel/signal.c: trace_signal_deliver when signal_group_exit
7a47d1873120 memcg: make it work on sparse non-0-node systems
5db0a9c3cc52 tty: max310x: Fix external crystal register setup
e498745310d0 tty: serial: msm_serial: Fix XON/XOFF
986adddb9d8f drm/nouveau/i2c: Disable i2c bus access after ->fini()
bf8f6b43c2e7 ALSA: hda/realtek - Set default power save node to 0
494447b90d6d Btrfs: fix race updating log root item during fsync
af34de02a6a7 scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
e85d002556ea scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
8282730a0afa media: smsusb: better handle optional alignment
0bce1ea89712 media: usb: siano: Fix false-positive "uninitialized variable" warning
b1782be70e1e media: usb: siano: Fix general protection fault in smsusb
d52c0ffb383f USB: rio500: fix memory leak in close after disconnect
b92be99a0c8b USB: rio500: refuse more than one device at a time
ee9d750e9ac8 USB: Add LPM quirk for Surface Dock GigE adapter
30e66d7d2fb9 USB: sisusbvga: fix oops in error path of sisusb_probe
018b7ea9ca24 USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
f5e1ec93b208 usb: xhci: avoid null pointer deref when bos field is NULL
017e6726a4fb xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
ec70e2c130d6 include/linux/bitops.h: sanitize rotate primitives
fbbc4fe02a31 sparc64: Fix regression in non-hypervisor TLB flush xcall
5bce46edeb72 tipc: fix modprobe tipc failed after switch order of device registration -v2
416d252ba926 Revert "tipc: fix modprobe tipc failed after switch order of device registration"
f1613a9e1bdc xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
383687e15cd0 crypto: vmx - ghash: do nosimd fallback manually
61ba8e9f51b3 net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
1d33a3ebd945 bnxt_en: Fix aggregation buffer leak under OOM condition.
7d423301240b tipc: Avoid copying bytes beyond the supplied data
332bff9d9a08 usbnet: fix kernel crash after disconnect
16ffb5f7c335 net: stmmac: fix reset gpio free missing
4f9c73aa2930 net-gro: fix use-after-free read in napi_gro_frags()
5cbaa135a0e1 llc: fix skb leak in llc_build_and_send_ui_pkt()
36a7222071d1 ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
9fbf1ac57c7a ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
0984cb76d294 spi: Fix zero length xfer bug
854415f37aae spi: rspi: Fix sequencer reset during initialization
c927451887c1 spi : spi-topcliff-pch: Fix to handle empty DMA buffers
445c07409179 scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
3a5d11332896 media: saa7146: avoid high stack usage with clang
5a96cf10dc5c media: go7007: avoid clang frame overflow warning with KASAN
0e9f0805eeea media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
9effa38946b6 scsi: qla4xxx: avoid freeing unallocated dma memory
95f0bb0a6c83 usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
1909121a6192 rcutorture: Fix cleanup path for invalid torture_type strings
1081d04a0443 tty: ipwireless: fix missing checks for ioremap
c05b2ed7bc1b virtio_console: initialize vtermno value for ports
348ec7b9a1c1 media: wl128x: prevent two potential buffer overflows
557ae685914b spi: tegra114: reset controller on probe
5e75d5e2cd0c cxgb3/l2t: Fix undefined behaviour
dc2a8861fdb8 ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
971e4a273242 ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
5db3c5adf44a HID: core: move Usage Page concatenation to Main item
cb7872f12835 chardev: add additional check for minor range overlap
5680f59f0f15 x86/ia32: Fix ia32_restore_sigcontext() AC leak
94032b2e05c9 arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
04f45a555ec3 scsi: ufs: Avoid configuring regulator with undefined voltage range
60bcfed2ad60 scsi: ufs: Fix regulator load and icc-level configuration
0a597d2badef brcmfmac: fix race during disconnect when USB completion is in progress
f95ab00ab455 brcmfmac: convert dev_init_lock mutex to completion
db74ef82ca8b b43: shut up clang -Wuninitialized variable warning
951fbf92381a brcmfmac: fix missing checks for kmemdup
1d3ee4d7fc6a rtlwifi: fix a potential NULL pointer dereference
6d7b052d8466 iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
e98ef6767e41 iio: hmc5843: fix potential NULL pointer dereferences
a86d06179423 iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
4400dcd69478 x86/build: Keep local relocations with ld.lld
75ffb58460e3 cpufreq: pmac32: fix possible object reference leak
3d041608fd4b cpufreq/pasemi: fix possible object reference leak
4d02f33a4f42 cpufreq: ppc_cbe: fix possible object reference leak
6be923556aad s390: cio: fix cio_irb declaration
65e3cb04a5a2 extcon: arizona: Disable mic detect if running when driver is removed
db7eb206560c PM / core: Propagate dev->power.wakeup_path when no callbacks
066a286679b4 mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
6a783be705ba mmc: sdhci-of-esdhc: add erratum eSDHC5 support
8b0e6af16ae6 mmc_spi: add a status check for spi_sync_locked
a30e90a8eb3a scsi: libsas: Do discovery on empty PHY to update PHY info
915defac2a9a hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
0eb8a476ffc5 hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
79deb6abd1f5 hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
92b4d16997c4 hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
e3e58378c678 hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
488920af3bb3 RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
2ff310e6dae2 i40e: don't allow changes to HW VLAN stripping on active port VLANs
bc791e819503 x86/irq/64: Limit IST stack overflow check to #DB stack
3557f0857767 USB: core: Don't unbind interfaces following device reset failure
6f5e198878fb sched/core: Handle overflow in cpu_shares_write_u64
9812286a63a1 sched/core: Check quota and period overflow at usec to nsec conversion
9d4961a415ed powerpc/numa: improve control of topology updates
82077215ed25 media: pvrusb2: Prevent a buffer overflow
ca865598abf1 media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
a8e0739d465e audit: fix a memory leak bug
ff3038fe657d media: ov2659: make S_FMT succeed even if requested format doesn't match
2d97a3abcf2f media: au0828: stop video streaming only when last user stops
115ccd9ca776 media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
1433d7a0937b media: coda: clear error return value before picture run
5cadb7ae715f dmaengine: at_xdmac: remove BUG_ON macro in tasklet
af8b5d7d9477 pinctrl: pistachio: fix leaked of_node references
74dd38a5a447 HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
9bffc62051a9 mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions
ae6b1f761180 x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()
b059848e119f smpboot: Place the __percpu annotation correctly
28d8827a09b0 x86/build: Move _etext to actual end of .text
d3eb2caf6d41 bcache: avoid clang -Wunintialized warning
7bf3463abc95 bcache: add failure check to run_cache_set() for journal replay
d4547049bb7f bcache: fix failure in journal relplay
5789884b98ab bcache: return error immediately in bch_journal_replay()
50d25ca802f5 net: cw1200: fix a NULL pointer dereference
af2fb022b390 mwifiex: prevent an array overflow
4b24af093631 ASoC: fsl_sai: Update is_slave_mode with correct value
c1045350a6c4 mac80211/cfg80211: update bss channel on channel switch
a3c50ef9fd43 dmaengine: pl330: _stop: clear interrupt status
958848a1d97c w1: fix the resume command API
e4163587c4ee rtc: 88pm860x: prevent use-after-free on device remove
a898d150956b brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
5e1a879d9ab3 spi: pxa2xx: fix SCR (divisor) calculation
3d521a6fba45 ASoC: imx: fix fiq dependencies
af283aba93bb powerpc/boot: Fix missing check of lseek() return value
dba032038c95 mmc: core: Verify SD bus width
333e8303d6e0 cxgb4: Fix error path in cxgb4_init_module
6948c6bc17d6 gfs2: Fix lru_count going negative
635c71d11234 tools include: Adopt linux/bits.h
ed2faf464d9b perf tools: No need to include bitops.h in util.h
a1f254dc06f9 at76c50x-usb: Don't register led_trigger if usb_register_driver failed
f5e4337e4a9c ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
e39af96f4dc1 media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
a04e71a0dbc6 media: cpia2: Fix use-after-free in cpia2_exit
28eeeb86046e fbdev: fix WARNING in __alloc_pages_nodemask bug
bf8474c64846 hugetlb: use same fault hash key for shared and private mappings
6bc153907900 fbdev: fix divide error in fb_var_to_videomode
5c9a20390c01 btrfs: sysfs: don't leak memory when failing add fsid
0fa88718cdc5 Btrfs: fix race between ranged fsync and writeback of adjacent ranges
2f5ac0bd2ef7 gfs2: Fix sign extension bug in gfs2_update_stats
8aae5e98fec2 crypto: vmx - CTR: always increment IV as quadword
582bb52e4803 Revert "scsi: sd: Keep disk read-only when re-reading partition"
bd020b331706 bio: fix improper use of smp_mb__before_atomic()
603212bdc59c KVM: x86: fix return value for reserved EFER
75d63b131b73 ext4: do not delete unlinked inode from orphan list on failed truncate
31943685dd49 fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough
7d64186e7910 btrfs: Honour FITRIM range constraints during free space trim
57e84e4c073d md/raid: raid5 preserve the writeback action after the parity check
9013f4870848 Revert "Don't jump to compute_result state from check_result state"
0c57364fa0f4 perf bench numa: Add define for RUSAGE_THREAD if not present
66ee750cfdd7 ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
fc0208b3428d power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
dd37fa44dffa KVM: arm/arm64: Ensure vcpu target is unset on reset failure
fe4f461ba517 xfrm4: Fix uninitialized memory read in _decode_session4
cd0848733f25 vti4: ipip tunnel deregistration fixes.
8fd94b65d207 xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
86040d722b29 xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
daea41651d43 dm delay: fix a crash when invalid device is specified
566004721c90 PCI: Mark Atheros AR9462 to avoid bus reset
0dc2ad06ddad fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
4673eae95b53 fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
c996722f7fff fbdev: sm712fb: fix support for 1024x768-16 mode
ebfadb510e3c fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
c92bde52742c fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
0d5cd17ce037 fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F
ca5ce8db7f23 fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75
6c2fb5beecba fbdev: sm712fb: fix brightness control on reboot, don't set SR30
dbc86a927d66 perf intel-pt: Fix sample timestamp wrt non-taken branches
eedc9a210f9f perf intel-pt: Fix improved sample timestamp
f5da0aeca525 perf intel-pt: Fix instructions sampling rate
a5b2e4b6ac21 memory: tegra: Fix integer overflow on tick value calculation
11988047b39a tracing: Fix partial reading of trace event's id file
a7929c94860e ceph: flush dirty inodes before proceeding with remount
3c99cd905ba9 iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
40857ab73988 fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
73724958d129 fuse: fix writepages on 32bit
12060f4740ca clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
4676a07add08 NFS4: Fix v4.0 client state corruption when mount
e8623e7a8f4b media: ov6650: Fix sensor possibly not detected on probe
dffc9e5ffae5 cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
b8ab0c4effb8 of: fix clang -Wunsequenced for be32_to_cpu()
2a98d346396a intel_th: msu: Fix single mode with IOMMU
bc065776c31e md: add mddev->pers to avoid potential NULL pointer dereference
ade291d2230a stm class: Fix channel free in stm output free path
65d14634b694 tipc: fix modprobe tipc failed after switch order of device registration
ff69bb4be643 tipc: switch order of device registration to fix a crash
2ff783f3e05e ppp: deflate: Fix possible crash in deflate_init
dd20e0c039fe net/mlx4_core: Change the error print to info print
b2f72a431142 net: avoid weird emergency message
70064f7ea100 KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
5e9bc16ff49f ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
98529ecd313b ext4: zero out the unused memory region in the extent tree block
9ff6372e5a6b fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
bfce20eaf18e writeback: synchronize sync(2) against cgroup writeback membership switches
cd042379c6ad crypto: arm/aes-neonbs - don't access already-freed walk.iv
b70e97ae5d8e crypto: salsa20 - don't access already-freed walk.iv
6dc48d059646 crypto: chacha20poly1305 - set cra_name correctly
b82055365307 crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
de087dd9f5c6 crypto: gcm - Fix error return code in crypto_gcm_create_common()
064d0c5a9ae6 ipmi:ssif: compare block number correctly for multi-part return messages
bef039b2419e bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
5651075a1ce3 bcache: fix a race between cache register and cacheset unregister
686e4352e3d8 Btrfs: do not start a transaction at iterate_extent_inodes()
b268b6e501ed ext4: fix ext4_show_options for file systems w/o journal
f3b9c26f191b ext4: actually request zeroing of inode table after grow
e5100e7fa78e tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
592a36c59f4c mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
e3a74fbc42ca ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
b614485b6b93 mm/mincore.c: make mincore() more conservative
80cc516ed783 ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
e6bf706cee3f ASoC: max98090: Fix restore of DAPM Muxes
2a8188c68e0a ALSA: hda/realtek - EAPD turn on later
1bbb08c8ab6a ALSA: hda/hdmi - Consider eld_valid when reporting jack event
2d8956305ae8 ALSA: usb-audio: Fix a memory leak bug
b1c1888ad6c9 crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
2ee7c2310cd0 crypto: crct10dif-generic - fix use via crypto_shash_digest()
2ee0dd38a0a0 crypto: vmx - fix copy-paste error in CTR mode
f7dee0816e5d ARM: exynos: Fix a leaked reference by adding missing of_node_put
ce814dc7e811 x86/speculation/mds: Improve CPU buffer clear documentation
4d68e2bf3834 x86/speculation/mds: Revert CPU buffer clear on double fault exit
b1d850962510 ASoC: msm: Add support for AVS version check
fbf98df8d02a cnss2: Update board data file name format
5e073ffd6668 drm/msm/dsi-staging: Add range check in debugfs_dump_info_read
9600b86489f9 dwc3-msm: Fix dwc3_drd_state_string for undefined state
cc96e0915225 usb: dwc3-msm: Ensure hardware is reset during role change
02d74bda3466 usb: dwc3-msm: add enum for drd_states to remove otg_state usage
e4e5a975f4ae Merge remote-tracking branch 'origin/upstream-f2fs-stable-linux-4.4.y' into android-4.4
2d812ba62ee4 f2fs: link f2fs quota ops for sysfile
6dc3fb0ba854 fs: sdcardfs: Add missing option to show_options
* Excluded commits:
8be3b55c4cc7 msm: camera_v2: isp: update the frame drop during error case
28e17c1f6505 msm: camera_v2: isp: handle frame drop due to scheduling latency
Change-Id: Ib67f22a311625da7dd130d2491ef9e035b1db54f
Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
|
| | |\
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* refs/heads/tmp-94fd428
Linux 4.4.183
Abort file_remove_privs() for non-reg. files
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
Revert "crypto: crypto4xx - properly set IV after de- and encrypt"
scsi: libsas: delete sas port if expander discover failed
scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs
KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list
ia64: fix build errors by exporting paddr_to_nid()
configfs: Fix use-after-free when accessing sd->s_dentry
i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE()
gpio: fix gpio-adp5588 build errors
perf/ring_buffer: Add ordering to rb->nest increment
perf/ring_buffer: Fix exposing a temporarily decreased data_head
x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor
mISDN: make sure device name is NUL terminated
sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
neigh: fix use-after-free read in pneigh_get_next
lapb: fixed leak of control-blocks.
ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
be2net: Fix number of Rx queues used for flow hashing
ax25: fix inconsistent lock state in ax25_destroy_timer
USB: serial: option: add Telit 0x1260 and 0x1261 compositions
USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode
USB: serial: pl2303: add Allied Telesis VT-Kit3
USB: usb-storage: Add new ID to ums-realtek
USB: Fix chipmunk-like voice when using Logitech C270 for recording audio.
drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
KVM: x86/pmu: do not mask the value that is written to fixed PMUs
usbnet: ipheth: fix racing condition
scsi: bnx2fc: fix incorrect cast to u64 on shift operation
scsi: lpfc: add check for loss of ndlp when sending RRQ
Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
ASoC: cs42xx8: Add regcache mask dirty
cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
bcache: fix stack corruption by PRECEDING_KEY()
i2c: acorn: fix i2c warning
ptrace: restore smp_rmb() in __ptrace_may_access()
signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
ALSA: seq: Cover unsubscribe_port() in list_mutex
Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections"
futex: Fix futex lock the wrong page
ARM: exynos: Fix undefined instruction during Exynos5422 resume
pwm: Fix deadlock warning when removing PWM device
ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa
pwm: tiehrpwm: Update shadow register for disabling PWMs
dmaengine: idma64: Use actual device for DMA transfers
gpio: gpio-omap: add check for off wake capable gpios
PCI: xilinx: Check for __get_free_pages() failure
video: imsttfb: fix potential NULL pointer dereferences
video: hgafb: fix potential NULL pointer dereference
PCI: rcar: Fix a potential NULL pointer dereference
PCI: rpadlpar: Fix leaked device_node references in add/remove paths
ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA
clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
platform/chrome: cros_ec_proto: check for NULL transfer function
x86/PCI: Fix PCI IRQ routing table memory leak
nfsd: allow fh_want_write to be called twice
fuse: retrieve: cap requested size to negotiated max_write
nvmem: core: fix read buffer in place
ALSA: hda - Register irq handler after the chip initialization
iommu/vt-d: Set intel_iommu_gfx_mapped correctly
f2fs: fix to do sanity check on valid block count of segment
f2fs: fix to avoid panic in do_recover_data()
ntp: Allow TAI-UTC offset to be set to zero
drm/bridge: adv7511: Fix low refresh rate selection
perf/x86/intel: Allow PEBS multi-entry in watermark mode
mfd: twl6040: Fix device init errors for ACCCTL register
mfd: intel-lpss: Set the device in reset state when init
kernel/sys.c: prctl: fix false positive in validate_prctl_map()
mm/cma_debug.c: fix the break condition in cma_maxchunk_get()
mm/cma.c: fix crash on CMA allocation if bitmap allocation fails
hugetlbfs: on restore reserve error path retain subpool reservation
ipc: prevent lockup on alloc_msg and free_msg
sysctl: return -EINVAL if val violates minmax
fs/fat/file.c: issue flush after the writeback of FAT
ANDROID: kernel: cgroup: cpuset: Clear cpus_requested for empty buf
ANDROID: kernel: cgroup: cpuset: Add missing allocation of cpus_requested in alloc_trial_cpuset
Change-Id: I5b33449bd21ec21d91b1030d53df3658a305bded
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
|
| | | |\
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Changes in 4.4.183
fs/fat/file.c: issue flush after the writeback of FAT
sysctl: return -EINVAL if val violates minmax
ipc: prevent lockup on alloc_msg and free_msg
hugetlbfs: on restore reserve error path retain subpool reservation
mm/cma.c: fix crash on CMA allocation if bitmap allocation fails
mm/cma_debug.c: fix the break condition in cma_maxchunk_get()
kernel/sys.c: prctl: fix false positive in validate_prctl_map()
mfd: intel-lpss: Set the device in reset state when init
mfd: twl6040: Fix device init errors for ACCCTL register
perf/x86/intel: Allow PEBS multi-entry in watermark mode
drm/bridge: adv7511: Fix low refresh rate selection
ntp: Allow TAI-UTC offset to be set to zero
f2fs: fix to avoid panic in do_recover_data()
f2fs: fix to do sanity check on valid block count of segment
iommu/vt-d: Set intel_iommu_gfx_mapped correctly
ALSA: hda - Register irq handler after the chip initialization
nvmem: core: fix read buffer in place
fuse: retrieve: cap requested size to negotiated max_write
nfsd: allow fh_want_write to be called twice
x86/PCI: Fix PCI IRQ routing table memory leak
platform/chrome: cros_ec_proto: check for NULL transfer function
soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA
PCI: rpadlpar: Fix leaked device_node references in add/remove paths
PCI: rcar: Fix a potential NULL pointer dereference
video: hgafb: fix potential NULL pointer dereference
video: imsttfb: fix potential NULL pointer dereferences
PCI: xilinx: Check for __get_free_pages() failure
gpio: gpio-omap: add check for off wake capable gpios
dmaengine: idma64: Use actual device for DMA transfers
pwm: tiehrpwm: Update shadow register for disabling PWMs
ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa
pwm: Fix deadlock warning when removing PWM device
ARM: exynos: Fix undefined instruction during Exynos5422 resume
futex: Fix futex lock the wrong page
Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections"
ALSA: seq: Cover unsubscribe_port() in list_mutex
libata: Extend quirks for the ST1000LM024 drives with NOLPM quirk
mm/list_lru.c: fix memory leak in __memcg_init_list_lru_node
fs/ocfs2: fix race in ocfs2_dentry_attach_lock()
signal/ptrace: Don't leak unitialized kernel memory with PTRACE_PEEK_SIGINFO
ptrace: restore smp_rmb() in __ptrace_may_access()
i2c: acorn: fix i2c warning
bcache: fix stack corruption by PRECEDING_KEY()
cgroup: Use css_tryget() instead of css_tryget_online() in task_get_css()
ASoC: cs42xx8: Add regcache mask dirty
Drivers: misc: fix out-of-bounds access in function param_set_kgdbts_var
scsi: lpfc: add check for loss of ndlp when sending RRQ
scsi: bnx2fc: fix incorrect cast to u64 on shift operation
usbnet: ipheth: fix racing condition
KVM: x86/pmu: do not mask the value that is written to fixed PMUs
KVM: s390: fix memory slot handling for KVM_SET_USER_MEMORY_REGION
drm/vmwgfx: integer underflow in vmw_cmd_dx_set_shader() leading to an invalid read
drm/vmwgfx: NULL pointer dereference from vmw_cmd_dx_view_define()
USB: Fix chipmunk-like voice when using Logitech C270 for recording audio.
USB: usb-storage: Add new ID to ums-realtek
USB: serial: pl2303: add Allied Telesis VT-Kit3
USB: serial: option: add support for Simcom SIM7500/SIM7600 RNDIS mode
USB: serial: option: add Telit 0x1260 and 0x1261 compositions
ax25: fix inconsistent lock state in ax25_destroy_timer
be2net: Fix number of Rx queues used for flow hashing
ipv6: flowlabel: fl6_sock_lookup() must use atomic_inc_not_zero
lapb: fixed leak of control-blocks.
neigh: fix use-after-free read in pneigh_get_next
sunhv: Fix device naming inconsistency between sunhv_console and sunhv_reg
mISDN: make sure device name is NUL terminated
x86/CPU/AMD: Don't force the CPB cap when running under a hypervisor
perf/ring_buffer: Fix exposing a temporarily decreased data_head
perf/ring_buffer: Add ordering to rb->nest increment
gpio: fix gpio-adp5588 build errors
net: tulip: de4x5: Drop redundant MODULE_DEVICE_TABLE()
i2c: dev: fix potential memory leak in i2cdev_ioctl_rdwr
configfs: Fix use-after-free when accessing sd->s_dentry
ia64: fix build errors by exporting paddr_to_nid()
KVM: PPC: Book3S: Use new mutex to synchronize access to rtas token list
net: sh_eth: fix mdio access in sh_eth_close() for R-Car Gen2 and RZ/A1 SoCs
scsi: libcxgbi: add a check for NULL pointer in cxgbi_check_route()
scsi: libsas: delete sas port if expander discover failed
Revert "crypto: crypto4xx - properly set IV after de- and encrypt"
coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping
Abort file_remove_privs() for non-reg. files
Linux 4.4.183
Change-Id: I2b3dee46a31e5dfb485364e1039bcf513173d7b2
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit f3e92cb8e2eb8c27d109e6fd73d3a69a8c09e288 ]
Nine years ago, I added RCU handling to neighbours, not pneighbours.
(pneigh are not commonly used)
Unfortunately I missed that /proc dump operations would use a
common entry and exit point : neigh_seq_start() and neigh_seq_stop()
We need to read_lock(tbl->lock) or risk use-after-free while
iterating the pneigh structures.
We might later convert pneigh to RCU and revert this patch.
sysbot reported :
BUG: KASAN: use-after-free in pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
Read of size 8 at addr ffff888097f2a700 by task syz-executor.0/9825
CPU: 1 PID: 9825 Comm: syz-executor.0 Not tainted 5.2.0-rc4+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
__kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
kasan_report+0x12/0x20 mm/kasan/common.c:614
__asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
pneigh_get_next.isra.0+0x24b/0x280 net/core/neighbour.c:3158
neigh_seq_next+0xdb/0x210 net/core/neighbour.c:3240
seq_read+0x9cf/0x1110 fs/seq_file.c:258
proc_reg_read+0x1fc/0x2c0 fs/proc/inode.c:221
do_loop_readv_writev fs/read_write.c:714 [inline]
do_loop_readv_writev fs/read_write.c:701 [inline]
do_iter_read+0x4a4/0x660 fs/read_write.c:935
vfs_readv+0xf0/0x160 fs/read_write.c:997
kernel_readv fs/splice.c:359 [inline]
default_file_splice_read+0x475/0x890 fs/splice.c:414
do_splice_to+0x127/0x180 fs/splice.c:877
splice_direct_to_actor+0x2d2/0x970 fs/splice.c:954
do_splice_direct+0x1da/0x2a0 fs/splice.c:1063
do_sendfile+0x597/0xd00 fs/read_write.c:1464
__do_sys_sendfile64 fs/read_write.c:1525 [inline]
__se_sys_sendfile64 fs/read_write.c:1511 [inline]
__x64_sys_sendfile64+0x1dd/0x220 fs/read_write.c:1511
do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x4592c9
Code: fd b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 cb b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f4aab51dc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000028
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00000000004592c9
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000005
RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000246 R12: 00007f4aab51e6d4
R13: 00000000004c689d R14: 00000000004db828 R15: 00000000ffffffff
Allocated by task 9827:
save_stack+0x23/0x90 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_kmalloc mm/kasan/common.c:489 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:462
kasan_kmalloc+0x9/0x10 mm/kasan/common.c:503
__do_kmalloc mm/slab.c:3660 [inline]
__kmalloc+0x15c/0x740 mm/slab.c:3669
kmalloc include/linux/slab.h:552 [inline]
pneigh_lookup+0x19c/0x4a0 net/core/neighbour.c:731
arp_req_set_public net/ipv4/arp.c:1010 [inline]
arp_req_set+0x613/0x720 net/ipv4/arp.c:1026
arp_ioctl+0x652/0x7f0 net/ipv4/arp.c:1226
inet_ioctl+0x2a0/0x340 net/ipv4/af_inet.c:926
sock_do_ioctl+0xd8/0x2f0 net/socket.c:1043
sock_ioctl+0x3ed/0x780 net/socket.c:1194
vfs_ioctl fs/ioctl.c:46 [inline]
file_ioctl fs/ioctl.c:509 [inline]
do_vfs_ioctl+0xd5f/0x1380 fs/ioctl.c:696
ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
__do_sys_ioctl fs/ioctl.c:720 [inline]
__se_sys_ioctl fs/ioctl.c:718 [inline]
__x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 9824:
save_stack+0x23/0x90 mm/kasan/common.c:71
set_track mm/kasan/common.c:79 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:451
kasan_slab_free+0xe/0x10 mm/kasan/common.c:459
__cache_free mm/slab.c:3432 [inline]
kfree+0xcf/0x220 mm/slab.c:3755
pneigh_ifdown_and_unlock net/core/neighbour.c:812 [inline]
__neigh_ifdown+0x236/0x2f0 net/core/neighbour.c:356
neigh_ifdown+0x20/0x30 net/core/neighbour.c:372
arp_ifdown+0x1d/0x21 net/ipv4/arp.c:1274
inetdev_destroy net/ipv4/devinet.c:319 [inline]
inetdev_event+0xa14/0x11f0 net/ipv4/devinet.c:1544
notifier_call_chain+0xc2/0x230 kernel/notifier.c:95
__raw_notifier_call_chain kernel/notifier.c:396 [inline]
raw_notifier_call_chain+0x2e/0x40 kernel/notifier.c:403
call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1749
call_netdevice_notifiers_extack net/core/dev.c:1761 [inline]
call_netdevice_notifiers net/core/dev.c:1775 [inline]
rollback_registered_many+0x9b9/0xfc0 net/core/dev.c:8178
rollback_registered+0x109/0x1d0 net/core/dev.c:8220
unregister_netdevice_queue net/core/dev.c:9267 [inline]
unregister_netdevice_queue+0x1ee/0x2c0 net/core/dev.c:9260
unregister_netdevice include/linux/netdevice.h:2631 [inline]
__tun_detach+0xd8a/0x1040 drivers/net/tun.c:724
tun_detach drivers/net/tun.c:741 [inline]
tun_chr_close+0xe0/0x180 drivers/net/tun.c:3451
__fput+0x2ff/0x890 fs/file_table.c:280
____fput+0x16/0x20 fs/file_table.c:313
task_work_run+0x145/0x1c0 kernel/task_work.c:113
tracehook_notify_resume include/linux/tracehook.h:185 [inline]
exit_to_usermode_loop+0x273/0x2c0 arch/x86/entry/common.c:168
prepare_exit_to_usermode arch/x86/entry/common.c:199 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x58e/0x680 arch/x86/entry/common.c:304
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff888097f2a700
which belongs to the cache kmalloc-64 of size 64
The buggy address is located 0 bytes inside of
64-byte region [ffff888097f2a700, ffff888097f2a740)
The buggy address belongs to the page:
page:ffffea00025fca80 refcount:1 mapcount:0 mapping:ffff8880aa400340 index:0x0
flags: 0x1fffc0000000200(slab)
raw: 01fffc0000000200 ffffea000250d548 ffffea00025726c8 ffff8880aa400340
raw: 0000000000000000 ffff888097f2a000 0000000100000020 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff888097f2a600: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
ffff888097f2a680: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
>ffff888097f2a700: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
^
ffff888097f2a780: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
ffff888097f2a800: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
Fixes: 767e97e1e0db ("neigh: RCU conversion of struct neighbour")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 6be8e297f9bcea666ea85ac7a6cd9d52d6deaf92 ]
lapb_register calls lapb_create_cb, which initializes the control-
block's ref-count to one, and __lapb_insert_cb, which increments it when
adding the new block to the list of blocks.
lapb_unregister calls __lapb_remove_cb, which decrements the ref-count
when removing control-block from the list of blocks, and calls lapb_put
itself to decrement the ref-count before returning.
However, lapb_unregister also calls __lapb_devtostruct to look up the
right control-block for the given net_device, and __lapb_devtostruct
also bumps the ref-count, which means that when lapb_unregister returns
the ref-count is still 1 and the control-block is leaked.
Call lapb_put after __lapb_devtostruct to fix leak.
Reported-by: syzbot+afb980676c836b4a0afa@syzkaller.appspotmail.com
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 65a3c497c0e965a552008db8bc2653f62bc925a1 ]
Before taking a refcount, make sure the object is not already
scheduled for deletion.
Same fix is needed in ipv6_flowlabel_opt()
Fixes: 18367681a10b ("ipv6 flowlabel: Convert np->ipv6_fl_list to RCU.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit d4d5d8e83c9616aeef28a2869cea49cc3fb35526 ]
Before thread in process context uses bh_lock_sock()
we must disable bh.
sysbot reported :
WARNING: inconsistent lock state
5.2.0-rc3+ #32 Not tainted
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
blkid/26581 [HC0[0]:SC1[1]:HE1:SE0] takes:
00000000e0da85ee (slock-AF_AX25){+.?.}, at: spin_lock include/linux/spinlock.h:338 [inline]
00000000e0da85ee (slock-AF_AX25){+.?.}, at: ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275
{SOFTIRQ-ON-W} state was registered at:
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:338 [inline]
ax25_rt_autobind+0x3ca/0x720 net/ax25/ax25_route.c:429
ax25_connect.cold+0x30/0xa4 net/ax25/af_ax25.c:1221
__sys_connect+0x264/0x330 net/socket.c:1834
__do_sys_connect net/socket.c:1845 [inline]
__se_sys_connect net/socket.c:1842 [inline]
__x64_sys_connect+0x73/0xb0 net/socket.c:1842
do_syscall_64+0xfd/0x680 arch/x86/entry/common.c:301
entry_SYSCALL_64_after_hwframe+0x49/0xbe
irq event stamp: 2272
hardirqs last enabled at (2272): [<ffffffff810065f3>] trace_hardirqs_on_thunk+0x1a/0x1c
hardirqs last disabled at (2271): [<ffffffff8100660f>] trace_hardirqs_off_thunk+0x1a/0x1c
softirqs last enabled at (1522): [<ffffffff87400654>] __do_softirq+0x654/0x94c kernel/softirq.c:320
softirqs last disabled at (2267): [<ffffffff81449010>] invoke_softirq kernel/softirq.c:374 [inline]
softirqs last disabled at (2267): [<ffffffff81449010>] irq_exit+0x180/0x1d0 kernel/softirq.c:414
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(slock-AF_AX25);
<Interrupt>
lock(slock-AF_AX25);
*** DEADLOCK ***
1 lock held by blkid/26581:
#0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: lockdep_copy_map include/linux/lockdep.h:175 [inline]
#0: 0000000010fd154d ((&ax25->dtimer)){+.-.}, at: call_timer_fn+0xe0/0x720 kernel/time/timer.c:1312
stack backtrace:
CPU: 1 PID: 26581 Comm: blkid Not tainted 5.2.0-rc3+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_usage_bug.cold+0x393/0x4a2 kernel/locking/lockdep.c:2935
valid_state kernel/locking/lockdep.c:2948 [inline]
mark_lock_irq kernel/locking/lockdep.c:3138 [inline]
mark_lock+0xd46/0x1370 kernel/locking/lockdep.c:3513
mark_irqflags kernel/locking/lockdep.c:3391 [inline]
__lock_acquire+0x159f/0x5490 kernel/locking/lockdep.c:3745
lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4303
__raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
_raw_spin_lock+0x2f/0x40 kernel/locking/spinlock.c:151
spin_lock include/linux/spinlock.h:338 [inline]
ax25_destroy_timer+0x53/0xc0 net/ax25/af_ax25.c:275
call_timer_fn+0x193/0x720 kernel/time/timer.c:1322
expire_timers kernel/time/timer.c:1366 [inline]
__run_timers kernel/time/timer.c:1685 [inline]
__run_timers kernel/time/timer.c:1653 [inline]
run_timer_softirq+0x66f/0x1740 kernel/time/timer.c:1698
__do_softirq+0x25c/0x94c kernel/softirq.c:293
invoke_softirq kernel/softirq.c:374 [inline]
irq_exit+0x180/0x1d0 kernel/softirq.c:414
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x13b/0x550 arch/x86/kernel/apic/apic.c:1068
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:806
</IRQ>
RIP: 0033:0x7f858d5c3232
Code: 8b 61 08 48 8b 84 24 d8 00 00 00 4c 89 44 24 28 48 8b ac 24 d0 00 00 00 4c 8b b4 24 e8 00 00 00 48 89 7c 24 68 48 89 4c 24 78 <48> 89 44 24 58 8b 84 24 e0 00 00 00 89 84 24 84 00 00 00 8b 84 24
RSP: 002b:00007ffcaf0cf5c0 EFLAGS: 00000206 ORIG_RAX: ffffffffffffff13
RAX: 00007f858d7d27a8 RBX: 00007f858d7d8820 RCX: 00007f858d3940d8
RDX: 00007ffcaf0cf798 RSI: 00000000f5e616f3 RDI: 00007f858d394fee
RBP: 0000000000000000 R08: 00007ffcaf0cf780 R09: 00007f858d7db480
R10: 0000000000000000 R11: 0000000009691a75 R12: 0000000000000005
R13: 00000000f5e616f3 R14: 0000000000000000 R15: 00007ffcaf0cf798
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
connections"
This reverts commit d016dc1bd29a2cfb0707fc6fb290ccd21f3b139c which is
commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
Lots of people have reported issues with this patch, and as there does
not seem to be a fix going into Linus's kernel tree any time soon,
revert the commit in the stable trees so as to get people's machines
working properly again.
Reported-by: Vasily Khoruzhick <anarsoul@gmail.com>
Reported-by: Hans de Goede <hdegoede@redhat.com>
Cc: Jeremy Cline <jeremy@jcline.org>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | |\| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* refs/heads/tmp-9c4ab57
Linux 4.4.182
tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
tcp: add tcp_min_snd_mss sysctl
tcp: tcp_fragment() should apply sane memory limits
tcp: limit payload size of sacked skbs
UPSTREAM: binder: check for overflow when alloc for security context
BACKPORT: binder: fix race between munmap() and direct reclaim
Change-Id: I4cfb9eb282f54f083631fec4c8161eed42e8ab54
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
|
| | | |\|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Changes in 4.4.182
tcp: limit payload size of sacked skbs
tcp: tcp_fragment() should apply sane memory limits
tcp: add tcp_min_snd_mss sysctl
tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
Linux 4.4.182
Change-Id: I2698fa2ad3884a20d936e6bee638304f52df19bd
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 967c05aee439e6e5d7d805e195b3a20ef5c433d6 upstream.
If mtu probing is enabled tcp_mtu_probing() could very well end up
with a too small MSS.
Use the new sysctl tcp_min_snd_mss to make sure MSS search
is performed in an acceptable range.
CVE-2019-11479 -- tcp mss hardcoded to 48
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Cc: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Bruce Curtis <brucec@netflix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 5f3e2bf008c2221478101ee72f5cb4654b9fc363 upstream.
Some TCP peers announce a very small MSS option in their SYN and/or
SYN/ACK messages.
This forces the stack to send packets with a very high network/cpu
overhead.
Linux has enforced a minimal value of 48. Since this value includes
the size of TCP options, and that the options can consume up to 40
bytes, this means that each segment can include only 8 bytes of payload.
In some cases, it can be useful to increase the minimal value
to a saner value.
We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility
reasons.
Note that TCP_MAXSEG socket option enforces a minimal value
of (TCP_MIN_MSS). David Miller increased this minimal value
in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.")
from 64 to 88.
We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS.
CVE-2019-11479 -- tcp mss hardcoded to 48
Signed-off-by: Eric Dumazet <edumazet@google.com>
Suggested-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Tyler Hicks <tyhicks@canonical.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
Jonathan Looney reported that a malicious peer can force a sender
to fragment its retransmit queue into tiny skbs, inflating memory
usage and/or overflow 32bit counters.
TCP allows an application to queue up to sk_sndbuf bytes,
so we need to give some allowance for non malicious splitting
of retransmit queue.
A new SNMP counter is added to monitor how many times TCP
did not allow to split an skb if the allowance was exceeded.
Note that this counter might increase in the case applications
use SO_SNDBUF socket option to lower sk_sndbuf.
CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
socket is already using more than half the allowed space
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff upstream.
Jonathan Looney reported that TCP can trigger the following crash
in tcp_shifted_skb() :
BUG_ON(tcp_skb_pcount(skb) < pcount);
This can happen if the remote peer has advertized the smallest
MSS that linux TCP accepts : 48
An skb can hold 17 fragments, and each fragment can hold 32KB
on x86, or 64KB on PowerPC.
This means that the 16bit witdh of TCP_SKB_CB(skb)->tcp_gso_segs
can overflow.
Note that tcp_sendmsg() builds skbs with less than 64KB
of payload, so this problem needs SACK to be enabled.
SACK blocks allow TCP to coalesce multiple skbs in the retransmit
queue, thus filling the 17 fragments to maximal capacity.
CVE-2019-11477 -- u16 overflow of TCP_SKB_CB(skb)->tcp_gso_segs
Backport notes, provided by Joao Martins <joao.m.martins@oracle.com>
v4.15 or since commit 737ff314563 ("tcp: use sequence distance to
detect reordering") had switched from the packet-based FACK tracking and
switched to sequence-based.
v4.14 and older still have the old logic and hence on
tcp_skb_shift_data() needs to retain its original logic and have
@fack_count in sync. In other words, we keep the increment of pcount with
tcp_skb_pcount(skb) to later used that to update fack_count. To make it
more explicit we track the new skb that gets incremented to pcount in
@next_pcount, and we get to avoid the constant invocation of
tcp_skb_pcount(skb) all together.
Fixes: 832d11c5cd07 ("tcp: Try to restore large SKBs while SACK processing")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Jonathan Looney <jtl@netflix.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Bruce Curtis <brucec@netflix.com>
Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | |\| |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* refs/heads/tmp-bd858d7
Linux 4.4.181
ethtool: check the return value of get_regs_len
ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
fuse: Add FOPEN_STREAM to use stream_open()
fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
drm/gma500/cdv: Check vbt config bits when detecting lvds panels
genwqe: Prevent an integer overflow in the ioctl
MIPS: pistachio: Build uImage.gz by default
fuse: fallocate: fix return with locked inode
parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
rcu: locking and unlocking need to always be at least barriers
pktgen: do not sleep with the thread lock held.
net: rds: fix memory leak in rds_ib_flush_mr_pool
net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
ethtool: fix potential userspace buffer overflow
media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
usb: gadget: fix request length error for isoc transfer
net: cdc_ncm: GetNtbFormat endian fix
Revert "x86/build: Move _etext to actual end of .text"
userfaultfd: don't pin the user memory in userfaultfd_file_create()
brcmfmac: add subtype check for event handling in data path
brcmfmac: add length checks in scheduled scan result handler
brcmfmac: fix incorrect event channel deduction
brcmfmac: revise handling events in receive path
brcmfmac: screening firmware event packet
brcmfmac: Add length checks on firmware events
bnx2x: disable GSO where gso_size is too big for hardware
net: create skb_gso_validate_mac_len()
binder: replace "%p" with "%pK"
binder: Replace "%p" with "%pK" for stable
CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
kernel/signal.c: trace_signal_deliver when signal_group_exit
memcg: make it work on sparse non-0-node systems
tty: max310x: Fix external crystal register setup
tty: serial: msm_serial: Fix XON/XOFF
drm/nouveau/i2c: Disable i2c bus access after ->fini()
ALSA: hda/realtek - Set default power save node to 0
Btrfs: fix race updating log root item during fsync
scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
media: smsusb: better handle optional alignment
media: usb: siano: Fix false-positive "uninitialized variable" warning
media: usb: siano: Fix general protection fault in smsusb
USB: rio500: fix memory leak in close after disconnect
USB: rio500: refuse more than one device at a time
USB: Add LPM quirk for Surface Dock GigE adapter
USB: sisusbvga: fix oops in error path of sisusb_probe
USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
usb: xhci: avoid null pointer deref when bos field is NULL
xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
include/linux/bitops.h: sanitize rotate primitives
sparc64: Fix regression in non-hypervisor TLB flush xcall
tipc: fix modprobe tipc failed after switch order of device registration -v2
Revert "tipc: fix modprobe tipc failed after switch order of device registration"
xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
crypto: vmx - ghash: do nosimd fallback manually
net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
bnxt_en: Fix aggregation buffer leak under OOM condition.
tipc: Avoid copying bytes beyond the supplied data
usbnet: fix kernel crash after disconnect
net: stmmac: fix reset gpio free missing
net-gro: fix use-after-free read in napi_gro_frags()
llc: fix skb leak in llc_build_and_send_ui_pkt()
ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
spi: Fix zero length xfer bug
spi: rspi: Fix sequencer reset during initialization
spi : spi-topcliff-pch: Fix to handle empty DMA buffers
scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
media: saa7146: avoid high stack usage with clang
media: go7007: avoid clang frame overflow warning with KASAN
media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
scsi: qla4xxx: avoid freeing unallocated dma memory
usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
rcutorture: Fix cleanup path for invalid torture_type strings
tty: ipwireless: fix missing checks for ioremap
virtio_console: initialize vtermno value for ports
media: wl128x: prevent two potential buffer overflows
spi: tegra114: reset controller on probe
cxgb3/l2t: Fix undefined behaviour
ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
HID: core: move Usage Page concatenation to Main item
chardev: add additional check for minor range overlap
x86/ia32: Fix ia32_restore_sigcontext() AC leak
arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
scsi: ufs: Avoid configuring regulator with undefined voltage range
scsi: ufs: Fix regulator load and icc-level configuration
brcmfmac: fix race during disconnect when USB completion is in progress
brcmfmac: convert dev_init_lock mutex to completion
b43: shut up clang -Wuninitialized variable warning
brcmfmac: fix missing checks for kmemdup
rtlwifi: fix a potential NULL pointer dereference
iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
iio: hmc5843: fix potential NULL pointer dereferences
iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
x86/build: Keep local relocations with ld.lld
cpufreq: pmac32: fix possible object reference leak
cpufreq/pasemi: fix possible object reference leak
cpufreq: ppc_cbe: fix possible object reference leak
s390: cio: fix cio_irb declaration
extcon: arizona: Disable mic detect if running when driver is removed
PM / core: Propagate dev->power.wakeup_path when no callbacks
mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
mmc: sdhci-of-esdhc: add erratum eSDHC5 support
mmc_spi: add a status check for spi_sync_locked
scsi: libsas: Do discovery on empty PHY to update PHY info
hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
i40e: don't allow changes to HW VLAN stripping on active port VLANs
x86/irq/64: Limit IST stack overflow check to #DB stack
USB: core: Don't unbind interfaces following device reset failure
sched/core: Handle overflow in cpu_shares_write_u64
sched/core: Check quota and period overflow at usec to nsec conversion
powerpc/numa: improve control of topology updates
media: pvrusb2: Prevent a buffer overflow
media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
audit: fix a memory leak bug
media: ov2659: make S_FMT succeed even if requested format doesn't match
media: au0828: stop video streaming only when last user stops
media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
media: coda: clear error return value before picture run
dmaengine: at_xdmac: remove BUG_ON macro in tasklet
pinctrl: pistachio: fix leaked of_node references
HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions
x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()
smpboot: Place the __percpu annotation correctly
x86/build: Move _etext to actual end of .text
bcache: avoid clang -Wunintialized warning
bcache: add failure check to run_cache_set() for journal replay
bcache: fix failure in journal relplay
bcache: return error immediately in bch_journal_replay()
net: cw1200: fix a NULL pointer dereference
mwifiex: prevent an array overflow
ASoC: fsl_sai: Update is_slave_mode with correct value
mac80211/cfg80211: update bss channel on channel switch
dmaengine: pl330: _stop: clear interrupt status
w1: fix the resume command API
rtc: 88pm860x: prevent use-after-free on device remove
brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
spi: pxa2xx: fix SCR (divisor) calculation
ASoC: imx: fix fiq dependencies
powerpc/boot: Fix missing check of lseek() return value
mmc: core: Verify SD bus width
cxgb4: Fix error path in cxgb4_init_module
gfs2: Fix lru_count going negative
tools include: Adopt linux/bits.h
perf tools: No need to include bitops.h in util.h
at76c50x-usb: Don't register led_trigger if usb_register_driver failed
ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
media: cpia2: Fix use-after-free in cpia2_exit
fbdev: fix WARNING in __alloc_pages_nodemask bug
hugetlb: use same fault hash key for shared and private mappings
fbdev: fix divide error in fb_var_to_videomode
btrfs: sysfs: don't leak memory when failing add fsid
Btrfs: fix race between ranged fsync and writeback of adjacent ranges
gfs2: Fix sign extension bug in gfs2_update_stats
crypto: vmx - CTR: always increment IV as quadword
Revert "scsi: sd: Keep disk read-only when re-reading partition"
bio: fix improper use of smp_mb__before_atomic()
KVM: x86: fix return value for reserved EFER
ext4: do not delete unlinked inode from orphan list on failed truncate
fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough
btrfs: Honour FITRIM range constraints during free space trim
md/raid: raid5 preserve the writeback action after the parity check
Revert "Don't jump to compute_result state from check_result state"
perf bench numa: Add define for RUSAGE_THREAD if not present
ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
KVM: arm/arm64: Ensure vcpu target is unset on reset failure
xfrm4: Fix uninitialized memory read in _decode_session4
vti4: ipip tunnel deregistration fixes.
xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
dm delay: fix a crash when invalid device is specified
PCI: Mark Atheros AR9462 to avoid bus reset
fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
fbdev: sm712fb: fix support for 1024x768-16 mode
fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F
fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75
fbdev: sm712fb: fix brightness control on reboot, don't set SR30
perf intel-pt: Fix sample timestamp wrt non-taken branches
perf intel-pt: Fix improved sample timestamp
perf intel-pt: Fix instructions sampling rate
memory: tegra: Fix integer overflow on tick value calculation
tracing: Fix partial reading of trace event's id file
ceph: flush dirty inodes before proceeding with remount
iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
fuse: fix writepages on 32bit
clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
NFS4: Fix v4.0 client state corruption when mount
media: ov6650: Fix sensor possibly not detected on probe
cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
of: fix clang -Wunsequenced for be32_to_cpu()
intel_th: msu: Fix single mode with IOMMU
md: add mddev->pers to avoid potential NULL pointer dereference
stm class: Fix channel free in stm output free path
tipc: fix modprobe tipc failed after switch order of device registration
tipc: switch order of device registration to fix a crash
ppp: deflate: Fix possible crash in deflate_init
net/mlx4_core: Change the error print to info print
net: avoid weird emergency message
KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
ext4: zero out the unused memory region in the extent tree block
fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
writeback: synchronize sync(2) against cgroup writeback membership switches
crypto: arm/aes-neonbs - don't access already-freed walk.iv
crypto: salsa20 - don't access already-freed walk.iv
crypto: chacha20poly1305 - set cra_name correctly
crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
crypto: gcm - Fix error return code in crypto_gcm_create_common()
ipmi:ssif: compare block number correctly for multi-part return messages
bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
bcache: fix a race between cache register and cacheset unregister
Btrfs: do not start a transaction at iterate_extent_inodes()
ext4: fix ext4_show_options for file systems w/o journal
ext4: actually request zeroing of inode table after grow
tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
mm/mincore.c: make mincore() more conservative
ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
ASoC: max98090: Fix restore of DAPM Muxes
ALSA: hda/realtek - EAPD turn on later
ALSA: hda/hdmi - Consider eld_valid when reporting jack event
ALSA: usb-audio: Fix a memory leak bug
crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
crypto: crct10dif-generic - fix use via crypto_shash_digest()
crypto: vmx - fix copy-paste error in CTR mode
ARM: exynos: Fix a leaked reference by adding missing of_node_put
x86/speculation/mds: Improve CPU buffer clear documentation
x86/speculation/mds: Revert CPU buffer clear on double fault exit
f2fs: link f2fs quota ops for sysfile
fs: sdcardfs: Add missing option to show_options
Conflicts:
drivers/scsi/sd.c
drivers/scsi/ufs/ufshcd.c
Change-Id: If6679c7cc8c3fee323c749ac359353fbebfd12d9
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
|
| | | |\|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Changes in 4.4.181
x86/speculation/mds: Revert CPU buffer clear on double fault exit
x86/speculation/mds: Improve CPU buffer clear documentation
ARM: exynos: Fix a leaked reference by adding missing of_node_put
crypto: vmx - fix copy-paste error in CTR mode
crypto: crct10dif-generic - fix use via crypto_shash_digest()
crypto: x86/crct10dif-pcl - fix use via crypto_shash_digest()
ALSA: usb-audio: Fix a memory leak bug
ALSA: hda/hdmi - Consider eld_valid when reporting jack event
ALSA: hda/realtek - EAPD turn on later
ASoC: max98090: Fix restore of DAPM Muxes
ASoC: RT5677-SPI: Disable 16Bit SPI Transfers
mm/mincore.c: make mincore() more conservative
ocfs2: fix ocfs2 read inode data panic in ocfs2_iget
mfd: da9063: Fix OTP control register names to match datasheets for DA9063/63L
tty/vt: fix write/write race in ioctl(KDSKBSENT) handler
ext4: actually request zeroing of inode table after grow
ext4: fix ext4_show_options for file systems w/o journal
Btrfs: do not start a transaction at iterate_extent_inodes()
bcache: fix a race between cache register and cacheset unregister
bcache: never set KEY_PTRS of journal key to 0 in journal_reclaim()
ipmi:ssif: compare block number correctly for multi-part return messages
crypto: gcm - Fix error return code in crypto_gcm_create_common()
crypto: gcm - fix incompatibility between "gcm" and "gcm_base"
crypto: chacha20poly1305 - set cra_name correctly
crypto: salsa20 - don't access already-freed walk.iv
crypto: arm/aes-neonbs - don't access already-freed walk.iv
writeback: synchronize sync(2) against cgroup writeback membership switches
fs/writeback.c: use rcu_barrier() to wait for inflight wb switches going into workqueue when umount
ext4: zero out the unused memory region in the extent tree block
ALSA: hda/realtek - Fix for Lenovo B50-70 inverted internal microphone bug
KVM: x86: Skip EFER vs. guest CPUID checks for host-initiated writes
net: avoid weird emergency message
net/mlx4_core: Change the error print to info print
ppp: deflate: Fix possible crash in deflate_init
tipc: switch order of device registration to fix a crash
tipc: fix modprobe tipc failed after switch order of device registration
stm class: Fix channel free in stm output free path
md: add mddev->pers to avoid potential NULL pointer dereference
intel_th: msu: Fix single mode with IOMMU
of: fix clang -Wunsequenced for be32_to_cpu()
cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
media: ov6650: Fix sensor possibly not detected on probe
NFS4: Fix v4.0 client state corruption when mount
clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
fuse: fix writepages on 32bit
fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
ceph: flush dirty inodes before proceeding with remount
tracing: Fix partial reading of trace event's id file
memory: tegra: Fix integer overflow on tick value calculation
perf intel-pt: Fix instructions sampling rate
perf intel-pt: Fix improved sample timestamp
perf intel-pt: Fix sample timestamp wrt non-taken branches
fbdev: sm712fb: fix brightness control on reboot, don't set SR30
fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75
fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F
fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
fbdev: sm712fb: fix support for 1024x768-16 mode
fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
PCI: Mark Atheros AR9462 to avoid bus reset
dm delay: fix a crash when invalid device is specified
xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
vti4: ipip tunnel deregistration fixes.
xfrm4: Fix uninitialized memory read in _decode_session4
KVM: arm/arm64: Ensure vcpu target is unset on reset failure
power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
perf bench numa: Add define for RUSAGE_THREAD if not present
Revert "Don't jump to compute_result state from check_result state"
md/raid: raid5 preserve the writeback action after the parity check
btrfs: Honour FITRIM range constraints during free space trim
fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough
ext4: do not delete unlinked inode from orphan list on failed truncate
KVM: x86: fix return value for reserved EFER
bio: fix improper use of smp_mb__before_atomic()
Revert "scsi: sd: Keep disk read-only when re-reading partition"
crypto: vmx - CTR: always increment IV as quadword
gfs2: Fix sign extension bug in gfs2_update_stats
Btrfs: fix race between ranged fsync and writeback of adjacent ranges
btrfs: sysfs: don't leak memory when failing add fsid
fbdev: fix divide error in fb_var_to_videomode
hugetlb: use same fault hash key for shared and private mappings
fbdev: fix WARNING in __alloc_pages_nodemask bug
media: cpia2: Fix use-after-free in cpia2_exit
media: vivid: use vfree() instead of kfree() for dev->bitmap_cap
ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit
at76c50x-usb: Don't register led_trigger if usb_register_driver failed
perf tools: No need to include bitops.h in util.h
tools include: Adopt linux/bits.h
gfs2: Fix lru_count going negative
cxgb4: Fix error path in cxgb4_init_module
mmc: core: Verify SD bus width
powerpc/boot: Fix missing check of lseek() return value
ASoC: imx: fix fiq dependencies
spi: pxa2xx: fix SCR (divisor) calculation
brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler()
rtc: 88pm860x: prevent use-after-free on device remove
w1: fix the resume command API
dmaengine: pl330: _stop: clear interrupt status
mac80211/cfg80211: update bss channel on channel switch
ASoC: fsl_sai: Update is_slave_mode with correct value
mwifiex: prevent an array overflow
net: cw1200: fix a NULL pointer dereference
bcache: return error immediately in bch_journal_replay()
bcache: fix failure in journal relplay
bcache: add failure check to run_cache_set() for journal replay
bcache: avoid clang -Wunintialized warning
x86/build: Move _etext to actual end of .text
smpboot: Place the __percpu annotation correctly
x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault()
mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions
HID: logitech-hidpp: use RAP instead of FAP to get the protocol version
pinctrl: pistachio: fix leaked of_node references
dmaengine: at_xdmac: remove BUG_ON macro in tasklet
media: coda: clear error return value before picture run
media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper
media: au0828: stop video streaming only when last user stops
media: ov2659: make S_FMT succeed even if requested format doesn't match
audit: fix a memory leak bug
media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable()
media: pvrusb2: Prevent a buffer overflow
powerpc/numa: improve control of topology updates
sched/core: Check quota and period overflow at usec to nsec conversion
sched/core: Handle overflow in cpu_shares_write_u64
USB: core: Don't unbind interfaces following device reset failure
x86/irq/64: Limit IST stack overflow check to #DB stack
i40e: don't allow changes to HW VLAN stripping on active port VLANs
RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure
hwmon: (vt1211) Use request_muxed_region for Super-IO accesses
hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses
hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses
hwmon: (pc87427) Use request_muxed_region for Super-IO accesses
hwmon: (f71805f) Use request_muxed_region for Super-IO accesses
scsi: libsas: Do discovery on empty PHY to update PHY info
mmc_spi: add a status check for spi_sync_locked
mmc: sdhci-of-esdhc: add erratum eSDHC5 support
mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support
PM / core: Propagate dev->power.wakeup_path when no callbacks
extcon: arizona: Disable mic detect if running when driver is removed
s390: cio: fix cio_irb declaration
cpufreq: ppc_cbe: fix possible object reference leak
cpufreq/pasemi: fix possible object reference leak
cpufreq: pmac32: fix possible object reference leak
x86/build: Keep local relocations with ld.lld
iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion
iio: hmc5843: fix potential NULL pointer dereferences
iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data
rtlwifi: fix a potential NULL pointer dereference
brcmfmac: fix missing checks for kmemdup
b43: shut up clang -Wuninitialized variable warning
brcmfmac: convert dev_init_lock mutex to completion
brcmfmac: fix race during disconnect when USB completion is in progress
scsi: ufs: Fix regulator load and icc-level configuration
scsi: ufs: Avoid configuring regulator with undefined voltage range
arm64: cpu_ops: fix a leaked reference by adding missing of_node_put
x86/ia32: Fix ia32_restore_sigcontext() AC leak
chardev: add additional check for minor range overlap
HID: core: move Usage Page concatenation to Main item
ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put
ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put
cxgb3/l2t: Fix undefined behaviour
spi: tegra114: reset controller on probe
media: wl128x: prevent two potential buffer overflows
virtio_console: initialize vtermno value for ports
tty: ipwireless: fix missing checks for ioremap
rcutorture: Fix cleanup path for invalid torture_type strings
usb: core: Add PM runtime calls to usb_hcd_platform_shutdown
scsi: qla4xxx: avoid freeing unallocated dma memory
media: m88ds3103: serialize reset messages in m88ds3103_set_frontend
media: go7007: avoid clang frame overflow warning with KASAN
media: saa7146: avoid high stack usage with clang
scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices
spi : spi-topcliff-pch: Fix to handle empty DMA buffers
spi: rspi: Fix sequencer reset during initialization
spi: Fix zero length xfer bug
ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM
ipv6: Consider sk_bound_dev_if when binding a raw socket to an address
llc: fix skb leak in llc_build_and_send_ui_pkt()
net-gro: fix use-after-free read in napi_gro_frags()
net: stmmac: fix reset gpio free missing
usbnet: fix kernel crash after disconnect
tipc: Avoid copying bytes beyond the supplied data
bnxt_en: Fix aggregation buffer leak under OOM condition.
net: mvpp2: fix bad MVPP2_TXQ_SCHED_TOKEN_CNTR_REG queue value
crypto: vmx - ghash: do nosimd fallback manually
xen/pciback: Don't disable PCI_COMMAND on PCI device reset.
Revert "tipc: fix modprobe tipc failed after switch order of device registration"
tipc: fix modprobe tipc failed after switch order of device registration -v2
sparc64: Fix regression in non-hypervisor TLB flush xcall
include/linux/bitops.h: sanitize rotate primitives
xhci: Convert xhci_handshake() to use readl_poll_timeout_atomic()
usb: xhci: avoid null pointer deref when bos field is NULL
USB: Fix slab-out-of-bounds write in usb_get_bos_descriptor
USB: sisusbvga: fix oops in error path of sisusb_probe
USB: Add LPM quirk for Surface Dock GigE adapter
USB: rio500: refuse more than one device at a time
USB: rio500: fix memory leak in close after disconnect
media: usb: siano: Fix general protection fault in smsusb
media: usb: siano: Fix false-positive "uninitialized variable" warning
media: smsusb: better handle optional alignment
scsi: zfcp: fix missing zfcp_port reference put on -EBUSY from port_remove
scsi: zfcp: fix to prevent port_remove with pure auto scan LUNs (only sdevs)
Btrfs: fix race updating log root item during fsync
ALSA: hda/realtek - Set default power save node to 0
drm/nouveau/i2c: Disable i2c bus access after ->fini()
tty: serial: msm_serial: Fix XON/XOFF
tty: max310x: Fix external crystal register setup
memcg: make it work on sparse non-0-node systems
kernel/signal.c: trace_signal_deliver when signal_group_exit
CIFS: cifs_read_allocate_pages: don't iterate through whole page array on ENOMEM
binder: Replace "%p" with "%pK" for stable
binder: replace "%p" with "%pK"
net: create skb_gso_validate_mac_len()
bnx2x: disable GSO where gso_size is too big for hardware
brcmfmac: Add length checks on firmware events
brcmfmac: screening firmware event packet
brcmfmac: revise handling events in receive path
brcmfmac: fix incorrect event channel deduction
brcmfmac: add length checks in scheduled scan result handler
brcmfmac: add subtype check for event handling in data path
userfaultfd: don't pin the user memory in userfaultfd_file_create()
Revert "x86/build: Move _etext to actual end of .text"
net: cdc_ncm: GetNtbFormat endian fix
usb: gadget: fix request length error for isoc transfer
media: uvcvideo: Fix uvc_alloc_entity() allocation alignment
ethtool: fix potential userspace buffer overflow
neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit
net/mlx4_en: ethtool, Remove unsupported SFP EEPROM high pages query
net: rds: fix memory leak in rds_ib_flush_mr_pool
pktgen: do not sleep with the thread lock held.
rcu: locking and unlocking need to always be at least barriers
parisc: Use implicit space register selection for loading the coherence index of I/O pdirs
fuse: fallocate: fix return with locked inode
MIPS: pistachio: Build uImage.gz by default
genwqe: Prevent an integer overflow in the ioctl
drm/gma500/cdv: Check vbt config bits when detecting lvds panels
fs: stream_open - opener for stream-like files so that read and write can run simultaneously without deadlock
fuse: Add FOPEN_STREAM to use stream_open()
ipv4: Define __ipv4_neigh_lookup_noref when CONFIG_INET is disabled
ethtool: check the return value of get_regs_len
Linux 4.4.181
Change-Id: Ibadc58ab76330698ff36ffdc0ca8c9d52ce36f9e
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit f9fc54d313fab2834f44f516459cdc8ac91d797f upstream.
The return type for get_regs_len in struct ethtool_ops is int,
the hns3 driver may return error when failing to get the regs
len by sending cmd to firmware.
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 720f1de4021f09898b8c8443f3b3e995991b6e3a ]
Currently, the process issuing a "start" command on the pktgen procfs
interface, acquires the pktgen thread lock and never release it, until
all pktgen threads are completed. The above can blocks indefinitely any
other pktgen command and any (even unrelated) netdevice removal - as
the pktgen netdev notifier acquires the same lock.
The issue is demonstrated by the following script, reported by Matteo:
ip -b - <<'EOF'
link add type dummy
link add type veth
link set dummy0 up
EOF
modprobe pktgen
echo reset >/proc/net/pktgen/pgctrl
{
echo rem_device_all
echo add_device dummy0
} >/proc/net/pktgen/kpktgend_0
echo count 0 >/proc/net/pktgen/dummy0
echo start >/proc/net/pktgen/pgctrl &
sleep 1
rmmod veth
Fix the above releasing the thread lock around the sleep call.
Additionally we must prevent racing with forcefull rmmod - as the
thread lock no more protects from them. Instead, acquire a self-reference
before waiting for any thread. As a side effect, running
rmmod pktgen
while some thread is running now fails with "module in use" error,
before this patch such command hanged indefinitely.
Note: the issue predates the commit reported in the fixes tag, but
this fix can't be applied before the mentioned commit.
v1 -> v2:
- no need to check for thread existence after flipping the lock,
pktgen threads are freed only at net exit time
-
Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.")
Reported-and-tested-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 ]
When the following tests last for several hours, the problem will occur.
Server:
rds-stress -r 1.1.1.16 -D 1M
Client:
rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30
The following will occur.
"
Starting up....
tsks tx/s rx/s tx+rx K/s mbi K/s mbo K/s tx us/c rtt us cpu
%
1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
1 0 0 0.00 0.00 0.00 0.00 0.00 -1.00
"
>From vmcore, we can find that clean_list is NULL.
>From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker.
Then rds_ib_mr_pool_flush_worker calls
"
rds_ib_flush_mr_pool(pool, 0, NULL);
"
Then in function
"
int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool,
int free_all, struct rds_ib_mr **ibmr_ret)
"
ibmr_ret is NULL.
In the source code,
"
...
list_to_llist_nodes(pool, &unmap_list, &clean_nodes, &clean_tail);
if (ibmr_ret)
*ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);
/* more than one entry in llist nodes */
if (clean_nodes->next)
llist_add_batch(clean_nodes->next, clean_tail, &pool->clean_list);
...
"
When ibmr_ret is NULL, llist_entry is not executed. clean_nodes->next
instead of clean_nodes is added in clean_list.
So clean_nodes is discarded. It can not be used again.
The workqueue is executed periodically. So more and more clean_nodes are
discarded. Finally the clean_list is NULL.
Then this problem will occur.
Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist")
Signed-off-by: Zhu Yanjun <yanjun.zhu@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 4b2a2bfeb3f056461a90bd621e8bd7d03fa47f60 ]
Commit cd9ff4de0107 changed the key for IFF_POINTOPOINT devices to
INADDR_ANY but neigh_xmit which is used for MPLS encapsulations was not
updated to use the altered key. The result is that every packet Tx does
a lookup on the gateway address which does not find an entry, a new one
is created only to find the existing one in the table right before the
insert since arp_constructor was updated to reset the primary key. This
is seen in the allocs and destroys counters:
ip -s -4 ntable show | head -10 | grep alloc
which increase for each packet showing the unnecessary overhread.
Fix by having neigh_xmit use __ipv4_neigh_lookup_noref for NEIGH_ARP_TABLE.
Fixes: cd9ff4de0107 ("ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY")
Reported-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Tested-by: Alan Maguire <alan.maguire@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ]
ethtool_get_regs() allocates a buffer of size ops->get_regs_len(),
and pass it to the kernel driver via ops->get_regs() for filling.
There is no restriction about what the kernel drivers can or cannot do
with the open ethtool_regs structure. They usually set regs->version
and ignore regs->len or set it to the same size as ops->get_regs_len().
But if userspace allocates a smaller buffer for the registers dump,
we would cause a userspace buffer overflow in the final copy_to_user()
call, which uses the regs.len value potentially reset by the driver.
To fix this, make this case obvious and store regs.len before calling
ops->get_regs(), to only copy as much data as requested by userspace,
up to the value returned by ops->get_regs_len().
While at it, remove the redundant check for non-null regbuf.
Signed-off-by: Vivien Didelot <vivien.didelot@gmail.com>
Reviewed-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90 upstream.
If you take a GSO skb, and split it into packets, will the MAC
length (L2 + L3 + L4 headers + payload) of those packets be small
enough to fit within a given length?
Move skb_gso_mac_seglen() to skbuff.h with other related functions
like skb_gso_network_seglen() so we can use it, and then create
skb_gso_validate_mac_len to do the full calculation.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[bwh: Backported to 4.4: There is no GSO_BY_FRAGS case to handle, so
skb_gso_validate_mac_len() becomes a trivial comparison. Put it inline in
<linux/skbuff.h>.]
Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 526f5b851a96566803ee4bee60d0a34df56c77f8 upstream.
Error message printed:
modprobe: ERROR: could not insert 'tipc': Address family not
supported by protocol.
when modprobe tipc after the following patch: switch order of
device registration, commit 7e27e8d6130c
("tipc: switch order of device registration to fix a crash")
Because sock_create_kern(net, AF_TIPC, ...) called by
tipc_topsrv_create_listener() in the initialization process
of tipc_init_net(), so tipc_socket_init() must be execute before that.
Meanwhile, tipc_net_id need to be initialized when sock_create()
called, and tipc_socket_init() is no need to be called for each namespace.
I add a variable tipc_topsrv_net_ops, and split the
register_pernet_subsys() of tipc into two parts, and split
tipc_socket_init() with initialization of pernet params.
By the way, I fixed resources rollback error when tipc_bcast_init()
failed in tipc_init_net().
Fixes: 7e27e8d6130c ("tipc: switch order of device registration to fix a crash")
Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
Reported-by: Wang Wang <wangwang2@huawei.com>
Reported-by: syzbot+1e8114b61079bfe9cbc5@syzkaller.appspotmail.com
Reviewed-by: Kang Zhou <zhoukang7@huawei.com>
Reviewed-by: Suanming Mou <mousuanming@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
registration"
commit 5593530e56943182ebb6d81eca8a3be6db6dbba4 upstream.
This reverts commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e.
More revisions coming up.
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit a4270d6795b0580287453ea55974d948393e66ef ]
If a network driver provides to napi_gro_frags() an
skb with a page fragment of exactly 14 bytes, the call
to gro_pull_from_frag0() will 'consume' the fragment
by calling skb_frag_unref(skb, 0), and the page might
be freed and reused.
Reading eth->h_proto at the end of napi_frags_skb() might
read mangled data, or crash under specific debugging features.
BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline]
BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
Read of size 2 at addr ffff88809366840c by task syz-executor599/8957
CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x172/0x1f0 lib/dump_stack.c:113
print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
__kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
kasan_report+0x12/0x20 mm/kasan/common.c:614
__asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142
napi_frags_skb net/core/dev.c:5833 [inline]
napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991
tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
call_write_iter include/linux/fs.h:1872 [inline]
do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
do_iter_write fs/read_write.c:970 [inline]
do_iter_write+0x184/0x610 fs/read_write.c:951
vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
do_writev+0x15b/0x330 fs/read_write.c:1058
Fixes: a50e233c50db ("net-gro: restore frag0 optimization")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]
If llc_mac_hdr_init() returns an error, we must drop the skb
since no llc_build_and_send_ui_pkt() caller will take care of this.
BUG: memory leak
unreferenced object 0xffff8881202b6800 (size 2048):
comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 ...@............
backtrace:
[<00000000e25b5abe>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
[<00000000e25b5abe>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<00000000e25b5abe>] slab_alloc mm/slab.c:3326 [inline]
[<00000000e25b5abe>] __do_kmalloc mm/slab.c:3658 [inline]
[<00000000e25b5abe>] __kmalloc+0x161/0x2c0 mm/slab.c:3669
[<00000000a1ae188a>] kmalloc include/linux/slab.h:552 [inline]
[<00000000a1ae188a>] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
[<00000000ded25bbe>] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
[<000000002ecae075>] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
[<00000000551f7c47>] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
[<0000000029027f0e>] __sock_create+0x164/0x250 net/socket.c:1430
[<000000008bdec225>] sock_create net/socket.c:1481 [inline]
[<000000008bdec225>] __sys_socket+0x69/0x110 net/socket.c:1523
[<00000000b6439228>] __do_sys_socket net/socket.c:1532 [inline]
[<00000000b6439228>] __se_sys_socket net/socket.c:1530 [inline]
[<00000000b6439228>] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
[<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
[<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
BUG: memory leak
unreferenced object 0xffff88811d750d00 (size 224):
comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff ...$.....h+ ....
backtrace:
[<0000000053026172>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
[<0000000053026172>] slab_post_alloc_hook mm/slab.h:439 [inline]
[<0000000053026172>] slab_alloc_node mm/slab.c:3269 [inline]
[<0000000053026172>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
[<00000000fa8f3c30>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
[<00000000d96fdafb>] alloc_skb include/linux/skbuff.h:1058 [inline]
[<00000000d96fdafb>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
[<000000000a34a2e7>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
[<00000000ee39999b>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
[<00000000e034d810>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
[<00000000c0bc8445>] sock_sendmsg_nosec net/socket.c:652 [inline]
[<00000000c0bc8445>] sock_sendmsg+0x54/0x70 net/socket.c:671
[<000000003b687167>] __sys_sendto+0x148/0x1f0 net/socket.c:1964
[<00000000922d78d9>] __do_sys_sendto net/socket.c:1976 [inline]
[<00000000922d78d9>] __se_sys_sendto net/socket.c:1972 [inline]
[<00000000922d78d9>] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
[<00000000cec820c1>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
[<000000000c32554f>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 72f7cfab6f93a8ea825fab8ccfb016d064269f7f ]
IPv6 does not consider if the socket is bound to a device when binding
to an address. The result is that a socket can be bound to eth0 and
then bound to the address of eth1. If the device is a VRF, the result
is that a socket can only be bound to an address in the default VRF.
Resolve by considering the device if sk_bound_dev_if is set.
Signed-off-by: Mike Manning <mmanning@vyatta.att-mail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Tested-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 5dc8cdce1d722c733f8c7af14c5fb595cfedbfa8 ]
FullMAC STAs have no way to update bss channel after CSA channel switch
completion. As a result, user-space tools may provide inconsistent
channel info. For instance, consider the following two commands:
$ sudo iw dev wlan0 link
$ sudo iw dev wlan0 info
The latter command gets channel info from the hardware, so most probably
its output will be correct. However the former command gets channel info
from scan cache, so its output will contain outdated channel info.
In fact, current bss channel info will not be updated until the
next [re-]connect.
Note that mac80211 STAs have a workaround for this, but it requires
access to internal cfg80211 data, see ieee80211_chswitch_work:
/* XXX: shouldn't really modify cfg80211-owned data! */
ifmgd->associated->channel = sdata->csa_chandef.chan;
This patch suggests to convert mac80211 workaround into cfg80211 behavior
and to update current bss channel in cfg80211_ch_switch_notify.
Signed-off-by: Sergey Matyukevich <sergey.matyukevich.os@quantenna.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 8742dc86d0c7a9628117a989c11f04a9b6b898f3 ]
We currently don't reload pointers pointing into skb header
after doing pskb_may_pull() in _decode_session4(). So in case
pskb_may_pull() changed the pointers, we read from random
memory. Fix this by putting all the needed infos on the
stack, so that we don't need to access the header pointers
after doing pskb_may_pull().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 5483844c3fc18474de29f5d6733003526e0a9f78 ]
If tunnel registration failed during module initialization, the module
would fail to deregister the IPPROTO_COMP protocol and would attempt to
deregister the tunnel.
The tunnel was not deregistered during module-exit.
Fixes: dd9ee3444014e ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 6ee02a54ef990a71bf542b6f0a4e3321de9d9c66 ]
When unloading xfrm6_tunnel module, xfrm6_tunnel_fini directly
frees the xfrm6_tunnel_spi_kmem. Maybe someone has gotten the
xfrm6_tunnel_spi, so need to wait it.
Fixes: 91cc3bb0b04ff("xfrm6_tunnel: RCU conversion")
Signed-off-by: Su Yanjun <suyj.fnst@cn.fujitsu.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ]
UBSAN report this:
UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24
index 6 is out of range for type 'unsigned int [6]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4
0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80
ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8
Call Trace:
<IRQ> [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51
[<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
[<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382
[<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289
[<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309
[<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243
[<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144
[<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline]
[<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401
[<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273
[<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391
[<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
[<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926
[<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735
<EOI> [<ffffffff81188096>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52
[<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline]
[<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446
[<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437
[<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92
[<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline]
[<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline]
[<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299
[<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245
The issue is triggered as this:
xfrm_add_policy
-->verify_newpolicy_info //check the index provided by user with XFRM_POLICY_MAX
//In my case, the index is 0x6E6BB6, so it pass the check.
-->xfrm_policy_construct //copy the user's policy and set xfrm_policy_timer
-->xfrm_policy_insert
--> __xfrm_policy_link //use the orgin dir, in my case is 2
--> xfrm_gen_index //generate policy index, there is 0x6E6BB6
then xfrm_policy_timer be fired
xfrm_policy_timer
--> xfrm_policy_id2dir //get dir from (policy index & 7), in my case is 6
--> xfrm_policy_delete
--> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access
Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is
valid, to fix the issue.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: e682adf021be ("xfrm: Try to honor policy index if it's supplied by user")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e ]
Error message printed:
modprobe: ERROR: could not insert 'tipc': Address family not
supported by protocol.
when modprobe tipc after the following patch: switch order of
device registration, commit 7e27e8d6130c
("tipc: switch order of device registration to fix a crash")
Because sock_create_kern(net, AF_TIPC, ...) is called by
tipc_topsrv_create_listener() in the initialization process
of tipc_net_ops, tipc_socket_init() must be execute before that.
I move tipc_socket_init() into function tipc_init_net().
Fixes: 7e27e8d6130c
("tipc: switch order of device registration to fix a crash")
Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
Reported-by: Wang Wang <wangwang2@huawei.com>
Reviewed-by: Kang Zhou <zhoukang7@huawei.com>
Reviewed-by: Suanming Mou <mousuanming@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 7e27e8d6130c5e88fac9ddec4249f7f2337fe7f8 ]
When tipc is loaded while many processes try to create a TIPC socket,
a crash occurs:
PANIC: Unable to handle kernel paging request at virtual
address "dfff20000000021d"
pc : tipc_sk_create+0x374/0x1180 [tipc]
lr : tipc_sk_create+0x374/0x1180 [tipc]
Exception class = DABT (current EL), IL = 32 bits
Call trace:
tipc_sk_create+0x374/0x1180 [tipc]
__sock_create+0x1cc/0x408
__sys_socket+0xec/0x1f0
__arm64_sys_socket+0x74/0xa8
...
This is due to race between sock_create and unfinished
register_pernet_device. tipc_sk_insert tries to do
"net_generic(net, tipc_net_id)".
but tipc_net_id is not initialized yet.
So switch the order of the two to close the race.
This can be reproduced with multiple processes doing socket(AF_TIPC, ...)
and one process doing module removal.
Fixes: a62fbccecd62 ("tipc: make subscriber server support net namespace")
Signed-off-by: Junwei Hu <hujunwei4@huawei.com>
Reported-by: Wang Wang <wangwang2@huawei.com>
Reviewed-by: Xiaogang Wang <wangxiaogang3@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit d7c04b05c9ca14c55309eb139430283a45c4c25f ]
When host is under high stress, it is very possible thread
running netdev_wait_allrefs() returns from msleep(250)
10 seconds late.
This leads to these messages in the syslog :
[...] unregister_netdevice: waiting for syz_tun to become free. Usage count = 0
If the device refcount is zero, the wait is over.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| |\| | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
https://source.codeaurora.org/quic/la/kernel/msm-4.4 into lineage-16.0
bcf671504f41 Merge "msm: adsprpc: maintain local copy of rpra offloaded to DSP" into kernel.lnx.4.4.r37-rel
621c16b0342c Merge "arm: dts: msm: Add avs-version dt property for 8996" into kernel.lnx.4.4.r37-rel
22fbeb474b52 Merge "msm: sensor: actuator: fix out of bound read for bivcm region params" into kernel.lnx.4.4.r37-rel
579b4b461cca Merge "diag: Prevent out-of-bound access while processing userspace data" into kernel.lnx.4.4.r37-rel
aff3d9629d10 arm: dts: msm: Add avs-version dt property for 8996
fbf5254e319b msm: sensor: actuator: fix out of bound read for bivcm region params
d73a74c20cb2 msm: adsprpc: maintain local copy of rpra offloaded to DSP
3c1b5fa08460 diag: Prevent out-of-bound access while processing userspace data
d929c539a8e5 msm: ais: sensor: actuator: fix out of bound read for bivcm region params
77a2432a11c2 ASoC: msm: Add support for AVS version check
51ae92e6a401 Merge commit '06ceb6bb61d15d96906733a0a4e1ca5a53a9fe3e' into HEAD
06ceb6bb61d1 Merge "msm: ipa3: Fix to validate check for IP type"
c7c174351b81 Merge "diag: Prevent out-of-bound access while processing non-hdlc pkt"
bc914679ea33 msm: ipa3: Fix to validate check for IP type
f275209c759d diag: Prevent out-of-bound access while processing non-hdlc pkt
77b17af341a0 Merge "ARM: dts: msm: Add support for float charger detection on MSM8996"
c9c1e20784b5 Merge "phy: qusb: Add support for DP DM pulsing for HS PHY"
5c004decb393 Merge "dsp: afe: check for minimum size before payload access"
f7f2404ce1e5 Merge "soc: msm8998: Add 16ch playback and record support for TDM"
0ee704100065 dsp: afe: check for minimum size before payload access
074cdf9e72eb Merge "cnss2: Return failure if bus type do not match"
f73796d0e9f6 Merge "asoc: Update max channels for TDM ports"
3691a75c38f2 soc: msm8998: Add 16ch playback and record support for TDM
4067f83f16aa Merge "ARM: dts: msm: Enable DP DM pulsing support on MSM8996"
ced9c94ab135 Merge "soc: qcom: hab: Add open local-cancel and compiler warning fixes"
1058027c8de2 Merge "msm: ipa: fix to validate input parameters"
c53f4c9b5b07 Merge "net: sockev: avoid races between sockev and socket_close"
c447f451f23b msm: ipa: fix to validate input parameters
0e71405de372 phy: qusb: Add support for DP DM pulsing for HS PHY
923d660f4f8e ARM: dts: msm: Add support for float charger detection on MSM8996
669f50368505 usb: dwc3: Support float charger detection
b924e5efad9c net: sockev: avoid races between sockev and socket_close
ecf5d04a091c i2c: add virtual i2c driver
3973929bb0c0 asoc: Update max channels for TDM ports
f5b94d9b13a2 Merge "fbdev: msm: check the length of the external input buffer properly"
866e7cab7632 Merge "power: qpnp-smbcharger: Add support for dpdm pulsing"
69b14d87db0c Merge "diag: Prevent out-of-bound access while processing dci transaction"
16819b1724ca Merge "diag: Prevent out-of-bound access while processing mask commands"
77b2a5118029 Merge "soc: qcom: smem: validate fields of shared structures"
9c9f59ad526d Merge "msm: mdss: assign block_id for INTF_3"
9482fdb2ac26 Merge "asoc: Ratelimit error logs to avoid excessive logging"
c0d5faa72def ARM: dts: msm: Enable DP DM pulsing support on MSM8996
20cff2eff8b0 soc: qcom: hab: Add open local-cancel and compiler warning fixes
2835220d65c2 power: qpnp-smbcharger: Add support for dpdm pulsing
705aac6195a3 Merge "msm: ais : Lock Implementation for avoid race condition"
e405d025f373 cnss2: Return failure if bus type do not match
cce422722518 soc: qcom: smem: validate fields of shared structures
24cedeb24492 Merge "Merge android-4.4.180 (71cb827) into msm-4.4"
01fcd88c0f94 fbdev: msm: check the length of the external input buffer properly
2f6ef8a30b78 Merge "usb: f_gsi: Increase max control transfer size to 8K"
cfb05dba8254 Merge "msm: ipa_v2: Protect ipa default routing table"
44607545fc3a Merge "qcom: smcinvoke: Fix stack overflow for arr_filp"
b29d59a33d59 Merge "defconfig: msm8996: Enable radio configs"
fa9dbbba7210 qcom: smcinvoke: Fix stack overflow for arr_filp
17fe44d6eb8a msm: ais : Lock Implementation for avoid race condition
547234bc3905 Merge "arm: dts: msm: Add usbin-vadc dt property for 8996"
780ec0d56272 Merge android-4.4.180 (71cb827) into msm-4.4
fe304a42badc Merge "power: qpnp-smbcharger: Add voltage now property in usb psy"
01abac7367ec Merge "soc: qcom: ipc_router_mhi_xprt: Handle error condition"
d1a5c0380504 Merge "ARM: dts: msm: Enable HDMI audio support for 8996"
f5704ee3fc16 Merge "defconfig: Enable REGMAP_ALLOW_WRITE_DEBUGFS"
726ccfec942d power: qpnp-smbcharger: Add voltage now property in usb psy
c77bbe685168 Merge "msm: ais: handle the error value returned during get clock"
765d3befd4ec msm: ais: handle the error value returned during get clock
716a46317a4f power: qpnp-smbcharger: Add support for float charger detection
f228ed90951d Merge "ARM: dts: msm: Update avb flag and partition names for auto"
fde6bcd6f665 arm: dts: msm: Add usbin-vadc dt property for 8996
f8572fa1920f Merge "ASoC: msm: Update codec name in HDMI dai link"
64c7fea7a615 Merge "serial: msm_serial_hs: Align to HW assisted flow control support"
4249d4516299 asoc: Ratelimit error logs to avoid excessive logging
095ed32dd71f serial: msm_serial_hs: Align to HW assisted flow control support
a4cc4b94d2cc usb: f_gsi: Increase max control transfer size to 8K
14ff0dc12ed0 Merge "ARM: dts: msm: add support for apq8096pro CDP"
6666379ae0e6 msm: mdss: assign block_id for INTF_3
79e903bcd908 soc: qcom: ipc_router_mhi_xprt: Handle error condition
4efd54ad69f1 Merge "pwm: pwm-qpnp: Fix the order of configuring PWM value"
af0d3ed849b5 Merge "msm: camera: jpegdma: Added missing lock for dqbuf and streamon"
71cb827c0249 Merge 4.4.180 into android-4.4
0f654c12cd72 Linux 4.4.180
5f3cf6b82211 powerpc/lib: fix book3s/32 boot failure due to code patching
95100d253fee powerpc/booke64: set RI in default MSR
9db489ed4971 drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
f518072d1ae1 drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
7a22a4ea67b7 bonding: fix arp_validate toggling in active-backup mode
6e72e6897efe ipv4: Fix raw socket lookup for local traffic
6e36b31c1b07 vrf: sit mtu should not be updated when vrf netdev is the link
6044ab2a05f6 vlan: disable SIOCSHWTSTAMP in container
bf4d21eed0d7 packet: Fix error path in packet_init
1261f44db98c net: ucc_geth - fix Oops when changing number of buffers in the ring
24d2a86b8968 bridge: Fix error path for kobject_init_and_add()
b8bb7bc326f2 powerpc/64s: Include cpu header
27d9e822a716 USB: serial: fix unthrottle races
f2387d0c3467 USB: serial: use variable for status
6db8c0882912 x86/bugs: Change L1TF mitigation string to match upstream
71041afe26a3 x86/speculation/mds: Fix documentation typo
693eb3bdaf19 Documentation: Correct the possible MDS sysfs values
0f961ec59305 x86/mds: Add MDSUM variant to the MDS documentation
3092ad5c4f2e x86/speculation/mds: Add 'mitigations=' support for MDS
a50e2ca5757f x86/speculation: Support 'mitigations=' cmdline option
31a2c5f7a25b cpu/speculation: Add 'mitigations=' cmdline option
2b26dff34698 x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
0144cbc12474 x86/speculation/mds: Fix comment
e2896d6b1e48 x86/speculation/mds: Add SMT warning message
06deb655ae26 x86/speculation: Move arch_smt_update() call to after mitigation decisions
5b0f1f5b4f58 x86/cpu/bugs: Use __initconst for 'const' init data
48204fd98023 Documentation: Add MDS vulnerability documentation
e0e64cdc7fd9 Documentation: Move L1TF to separate directory
9fe26a407f0e x86/speculation/mds: Add mitigation mode VMWERV
3fb41b4e2d38 x86/speculation/mds: Add sysfs reporting for MDS
1e9a9ef67033 x86/speculation/l1tf: Document l1tf in sysfs
8c7398befdf1 x86/speculation/mds: Add mitigation control for MDS
d4c1e6cbbcdc x86/speculation/mds: Conditionally clear CPU buffers on idle entry
a41a2dee403d x86/speculation/mds: Clear CPU buffers on exit to user
7a6c2a6c4235 x86/speculation/mds: Add mds_clear_cpu_buffers()
f223c10cf176 x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
adef560d1ef8 x86/speculation/mds: Add BUG_MSBDS_ONLY
179adc415f94 x86/speculation/mds: Add basic bug infrastructure for MDS
8be7f1183d2f x86/speculation: Consolidate CPU whitelists
683f9fba8c27 x86/msr-index: Cleanup bit defines
6eb1dfb0e945 kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
f8515b2d8c86 x86/speculation: Provide IBPB always command line options
867931a6cc51 x86/speculation: Add seccomp Spectre v2 user space protection mode
0ec9baa28b62 x86/speculation: Enable prctl mode for spectre_v2_user
ff99c966c627 x86/speculation: Add prctl() control for indirect branch speculation
bc8a006cb385 x86/speculation: Prevent stale SPEC_CTRL msr content
b784ff22d682 x86/speculation: Prepare arch_smt_update() for PRCTL mode
29652de33320 x86/speculation: Split out TIF update
e2dafdd0084b x86/speculation: Prepare for conditional IBPB in switch_mm()
708f3ed763fc x86/speculation: Avoid __switch_to_xtra() calls
2db6cf1eba01 x86/process: Consolidate and simplify switch_to_xtra() code
2959c3e36f65 x86/speculation: Prepare for per task indirect branch speculation control
a5e8a06268dc x86/speculation: Add command line control for indirect branch speculation
92bc99ff0724 x86/speculation: Unify conditional spectre v2 print functions
3d2149a49e7b x86/speculataion: Mark command line parser data __initdata
ad70092da835 x86/speculation: Mark string arrays const correctly
77aaa118c5d1 x86/speculation: Reorder the spec_v2 code
892d9881b437 x86/speculation: Rework SMT state change
1f562beba75c sched: Add sched_smt_active()
f576a78075ba x86/Kconfig: Select SCHED_SMT if SMP enabled
f68790685aa5 x86/speculation: Reorganize speculation control MSRs update
41ebb68d9a67 x86/speculation: Rename SSBD update functions
9ef693a75208 x86/speculation: Disable STIBP when enhanced IBRS is in use
6a598ce52f69 x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common()
fb4a4fc139a5 x86/speculation: Remove unnecessary ret variable in cpu_show_common()
809e50eb21e5 x86/speculation: Clean up spectre_v2_parse_cmdline()
f97a530be08f x86/speculation: Update the TIF_SSBD comment
0440c2c5e2d2 x86/speculation: Propagate information about RSB filling mitigation to sysfs
dc23d0241b97 x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
4a215a1155ce x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
122b3ad3a068 x86/mm: Use WRITE_ONCE() when setting PTEs
7c50deefa1e9 KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled
2422db18b660 x86/cpu: Sanitize FAM6_ATOM naming
2329f765b53a x86/microcode: Update the new microcode revision unconditionally
0ee359e14c08 x86/microcode: Make sure boot_cpu_data.microcode is up-to-date
12043f0eb5fd x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
9029b6908e1d x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
8d1385ea4c67 locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a new <linux/bits.h> file
76869c022795 x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features
a9f354ad1c1d x86/bugs: Add AMD's SPEC_CTRL MSR usage
99bd3817b6d7 x86/bugs: Add AMD's variant of SSB_NO
2b8e34665e8f x86/speculation: Simplify the CPU bug detection logic
efcb85dd2644 x86/speculation: Support Enhanced IBRS on future CPUs
042c6aee6572 x86/cpufeatures: Hide AMD-specific speculation flags
dc7e3b052ab4 x86/MCE: Save microcode revision in machine check records
30c66b528e1f x86/microcode/intel: Check microcode revision before updating sibling threads
c2a357d9b429 bitops: avoid integer overflow in GENMASK(_ULL)
d7a711b64ff8 x86: stop exporting msr-index.h to userland
98cc1464cfd6 x86/microcode/intel: Add a helper which gives the microcode revision
5ec6421c21c6 locking/static_keys: Provide DECLARE and well as DEFINE macros
40f6c72df9d8 Don't jump to compute_result state from check_result state
07d35512e494 x86/vdso: Pass --eh-frame-hdr to the linker
9767260be0b4 cw1200: fix missing unlock on error in cw1200_hw_scan()
ccc2b0f8d4be gpu: ipu-v3: dp: fix CSC handling
795c76f4e50f selftests/net: correct the return value for run_netsocktests
83494cfb0d29 s390: ctcm: fix ctcm_new_device error return code
4c78631d884d ipvs: do not schedule icmp errors from tunnels
2b46b98576cb init: initialize jump labels before command line option parsing
a54c490cecd5 tools lib traceevent: Fix missing equality check for strcmp
5664d3298b3b KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing
b79c1ea82e3b s390/3270: fix lockdep false positive on view->lock
825c6401f9e9 s390/dasd: Fix capacity calculation for large volumes
905b8964c9d9 libnvdimm/btt: Fix a kmemdup failure check
3007ae4bbf26 HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
c15b4f9f4699 HID: input: add mapping for Expose/Overview key
45679938dc6f iio: adc: xilinx: fix potential use-after-free on remove
619c8933e4af platform/x86: sony-laptop: Fix unintentional fall-through
8ce5ae6912e3 netfilter: compat: initialize all fields in xt_init
a9bdfbd494da timer/debug: Change /proc/timer_stats from 0644 to 0600
e212945fe525 ASoC: Intel: avoid Oops if DMA setup fails
faf458605614 ipv6: fix a potential deadlock in do_ipv6_setsockopt()
dcb33fe3d9a6 UAS: fix alignment of scatter/gather segments
d016dc1bd29a Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
dd150bcc93ff Bluetooth: hidp: fix buffer overflow
15a12bde0fd9 scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines
88246eb7bf37 usb: dwc3: Fix default lpm_nyet_threshold value
1aec586c25ee genirq: Prevent use-after-free and work list corruption
2984aa6d4a78 iommu/amd: Set exclusion range correctly
4294ec58537d scsi: csiostor: fix missing data copy in csio_scsi_err_handler()
93beb0decfe2 perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS
5ea6b626b917 ASoC: tlv320aic32x4: Fix Common Pins
b7bbb5ce955b ASoC: cs4270: Set auto-increment bit for register writes
79132626f8c7 ASoC:soc-pcm:fix a codec fixup issue in TDM case
fe3f6511c9af scsi: libsas: fix a race condition when smp task timeout
0f83a55ca07e media: v4l2: i2c: ov7670: Fix PLL bypass register values
d96fc7729c44 x86/mce: Improve error message when kernel cannot recover, p2
08794d181ff6 selinux: never allow relabeling on context mounts
3bf16c452b91 Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ
90b8ab9ee10f staging: iio: adt7316: fix the dac write calculation
7c4744e2c75c staging: iio: adt7316: fix the dac read calculation
a45018ff3c06 staging: iio: adt7316: allow adt751x to use internal vref for all dacs
55153b108922 usb: usbip: fix isoc packet num validation in get_pipe
3401512b7831 ARM: iop: don't use using 64-bit DMA masks
03fd6e162398 ARM: orion: don't use using 64-bit DMA masks
9fcbabe209a2 xsysace: Fix error handling in ace_setup
66c57ab148a0 hugetlbfs: fix memory leak for resv_map
550ce5b3b45b net: hns: Fix WARNING when remove HNS driver with SMMU enabled
c8d4b98eeed4 net: hns: Use NAPI_POLL_WEIGHT for hns driver
4af8444aff7c scsi: storvsc: Fix calculation of sub-channel count
4328fca13020 vfio/pci: use correct format characters
891c92860383 rtc: da9063: set uie_unsupported when relevant
02395682f19b debugfs: fix use-after-free on symlink traversal
90a015d4d782 jffs2: fix use-after-free on symlink traversal
cd43ccbfb5fb bonding: show full hw address in sysfs for slave entries
88020a14a0b7 igb: Fix WARN_ONCE on runtime suspend
6c24038d84a7 rtc: sh: Fix invalid alarm warning for non-enabled alarm
e9358b9a5db1 HID: debug: fix race condition with between rdesc_show() and device removal
1b2b6db7765e USB: core: Fix bug caused by duplicate interface PM usage counter
b384399a518c USB: core: Fix unterminated string returned by usb_string()
7a52b950902d USB: w1 ds2490: Fix bug caused by improper use of altsetting array
438b075fc77d USB: yurex: Fix protection fault after device removal
c6ae8a5a4396 packet: validate msg_namelen in send directly
aed15cc2ced6 bnxt_en: Improve multicast address setup logic.
c7a9d69b727a ipv6: invert flowlabel sharing check in process and user mode
82ae1a89b134 ipv6/flowlabel: wait rcu grace period before put_pid()
0fe65e4eac33 ipv4: ip_do_fragment: Preserve skb_iif during fragmentation
bdbc15205b51 ALSA: line6: use dynamic buffers
e1a5cdbf7cb3 vfio/type1: Limit DMA mappings per container
e0d9031feb2f kconfig/[mn]conf: handle backspace (^H) key
8c2bbe210936 libata: fix using DMA buffers on stack
4767c30a2bac scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN
cd2bdca329c1 ceph: fix use-after-free on symlink traversal
4663cb7947dd usb: u132-hcd: fix resource leak
783552a9865c scsi: qla4xxx: fix a potential NULL pointer dereference
f18c946e6cf1 net: ethernet: ti: fix possible object reference leak
64206dd039fd net: ibm: fix possible object reference leak
ae35f101789b net: xilinx: fix possible object reference leak
c0d641aa264a net: ks8851: Set initial carrier state to down
f41b4fd83fef net: ks8851: Delay requesting IRQ until opened
195aac29efe3 net: ks8851: Reassert reset pin if chip ID check fails
36b1240d4e47 net: ks8851: Dequeue RX packets explicitly
1710b4ad56db ARM: dts: pfla02: increase phy reset duration
fd1f90b4fa83 usb: gadget: net2272: Fix net2272_dequeue()
61fb6fa9b32b usb: gadget: net2280: Fix net2280_dequeue()
4ff888ea38c1 usb: gadget: net2280: Fix overrun of OUT messages
b9cf1bc4e31e sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()
6e361910119b netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING
d311479911c7 qlcnic: Avoid potential NULL pointer dereference
1652d1194af5 usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set
4f2df9fd0769 usbnet: ipheth: prevent TX queue timeouts when device not ready
aa24636d3dc2 Documentation: Add nospectre_v1 parameter
c816ec25621b powerpc/fsl: Add FSL_PPC_BOOK3E as supported arch for nospectre_v2 boot arg
6a56ecdfd3b2 powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup'
1a26467578d8 powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms
42b46e985c99 powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit)
5bed4b351268 powerpc/fsl: Emulate SPRN_BUCSR register
4168b2e356bc powerpc/fsl: Flush branch predictor when entering KVM
ec206826323a powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used
389fd9776f3e ipv4: set the tcp_min_rtt_wlen range from 0 to one day
8cab9c87ee0f net: stmmac: move stmmac_check_ether_addr() to driver probe
1990e41b2339 team: fix possible recursive locking when add slaves
510a733497d3 ipv4: add sanity checks in ipv4_link_failure()
f480eb03c88a Revert "block/loop: Use global lock for ioctl() operation."
f08db490b406 bpf: reject wrong sized filters earlier
0b7d9b8571ad tipc: check link name with right length in tipc_nl_compat_link_set
625634be3b8b tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
cafee685fb48 netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
cec54a8e694c NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
76c279c7b6f8 fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
28bd672e7a9f intel_th: gth: Fix an off-by-one in output unassigning
20159939a8b4 slip: make slhc_free() silently accept an error pointer
2996e89c2d62 tipc: handle the err returned from cmd header function
9d688aa11077 powerpc/fsl: Fix the flush of branch predictor.
990c7be76516 powerpc/security: Fix spectre_v2 reporting
5f9678d9c8c7 powerpc/fsl: Update Spectre v2 reporting
0454f7b3282b powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)
932e8acaa806 powerpc/fsl: Add nospectre_v2 command line argument
4cbfad23be50 powerpc/fsl: Fix spectre_v2 mitigations reporting
b76f9074d0f3 powerpc/fsl: Add macro to flush the branch predictor
526adfdf029e powerpc/fsl: Add infrastructure to fixup branch predictor flush
7fe905d0973e powerpc: Avoid code patching freed init sections
ee1a6e164cac powerpc/powernv: Query firmware for count cache flush settings
67fb764be590 powerpc/pseries: Query hypervisor for count cache flush settings
bda04af8692d powerpc/64s: Add support for software count cache flush
bfeafa01fa09 powerpc/64s: Add new security feature flags for count cache flush
a8d13b364862 powerpc/asm: Add a patch_site macro & helpers for patching instructions
0273c6d73a03 powerpc/fsl: Add barrier_nospec implementation for NXP PowerPC Book3E
b7f47c8f0f4c powerpc/64: Make meltdown reporting Book3S 64 specific
04a682df27c1 powerpc/64: Call setup_barrier_nospec() from setup_arch()
e7b3fb43b970 powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC
4fb0382d987e powerpc/64: Make stf barrier PPC_BOOK3S_64 specific.
58dbc8def949 powerpc/64: Disable the speculation barrier from the command line
d000015f6283 powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2
b6a4dce40cb7 powerpc/64s: Enhance the information in cpu_show_spectre_v1()
1110c3ad0b66 powerpc: Use barrier_nospec in copy_from_user()
2a90ebba2fcc powerpc/64: Use barrier_nospec in syscall entry
990ce72a3bab powerpc/64s: Enable barrier_nospec based on firmware settings
39e71d5ae83f powerpc/64s: Patch barrier_nospec in modules
083c37a1bb61 powerpc/64s: Add support for ori barrier_nospec patching
fde08a5d395e powerpc/64s: Add barrier_nospec
7b9f9ce1a7a0 powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit
27296b7879d5 powerpc/64s: Fix section mismatch warnings from setup_rfi_flush()
8b1f9a4e2136 powerpc/pseries: Restore default security feature flags on setup
adde5de432d6 powerpc: Move default security feature flags
b3be4dcbd1a2 powerpc/pseries: Fix clearing of security feature flags
d9594148817b powerpc/64s: Wire up cpu_show_spectre_v2()
fe126d25bad7 powerpc/64s: Wire up cpu_show_spectre_v1()
5097bf81e845 powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
10f8cd737a03 powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
495c34251785 powerpc/64s: Enhance the information in cpu_show_meltdown()
dde12e9b3e86 powerpc/64s: Move cpu_show_meltdown()
3b99b3b3fb97 powerpc/powernv: Set or clear security feature flags
2b206ee648f3 powerpc/pseries: Set or clear security feature flags
d34ea7873f82 powerpc: Add security feature flags for Spectre/Meltdown
8249ee94a9ca powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration
7777d9cb2c1c powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
e5c8265abdbb powerpc/rfi-flush: Differentiate enabled and patched flush types
8b58add49fef powerpc/rfi-flush: Always enable fallback flush on pseries
22c697163e4d powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again
d04664376129 powerpc/rfi-flush: Move the logic to avoid a redo into the debugfs code
f93ae3415cf7 powerpc/powernv: Support firmware disable of RFI flush
e1759aacdd16 powerpc/pseries: Support firmware disable of RFI flush
d9052a2ede31 powerpc/64s: Improve RFI L1-D cache flush fallback
13dc9b34c873 powerpc/xmon: Add RFI flush related fields to paca dump
80c305aeeb09 USB: Consolidate LPM checks to avoid enabling LPM twice
9dad11965ed2 USB: Add new USB LPM helpers
fad515213059 sunrpc: don't mark uninitialised items as VALID.
498e9066b480 nfsd: Don't release the callback slot unless it was actually held
b8d15c06cf0c ceph: fix ci->i_head_snapc leak
811fb30278b4 ceph: ensure d_name stability in ceph_dentry_hash()
2f14dae91560 sched/numa: Fix a possible divide-by-zero
10dbe2292758 trace: Fix preempt_enable_no_resched() abuse
15c2ac78cb73 MIPS: scall64-o32: Fix indirect syscall number load
fd49607468ba cifs: do not attempt cifs operation on smb2+ rename error
4c78eadb3489 KVM: fail KVM_SET_VCPU_EVENTS with invalid exception number
485d15db01ca kbuild: simplify ld-option implementation
cd1e9004ddd5 Merge "defconfig: msm8996: Enable PAN emulation"
a4b99d2c643c Merge "defconfig: msm8996: Disable DEVPORT"
b79e25fe5818 msm: camera : Lock Implementation for avoid race condition
ce469a70f3bc ANDROID: cuttlefish_defconfig: Disable DEVTMPFS
d5f7b0a5556b diag: Prevent out-of-bound access while processing dci transaction
cfef4f88308a diag: Prevent out-of-bound access while processing mask commands
c9fa4db90a83 pwm: pwm-qpnp: Fix the order of configuring PWM value
fe15f47306a1 ANDROID: Move from clang r349610 to r353983c.
8cb9bdaac97a Merge upstream-f2fs-stable-linux-4.4.y into android-4.4
592adc484920 drm/msm: ensure display driver probe completion
77c04577d922 Merge "msm: camera_v2: handle the error value returned during get clock"
5e144157195d icnss: Add check on msa region
6183ceb8d1e7 msm: camera_v2: handle the error value returned during get clock
779dfa61f7b1 msm: ipa_v2: Protect ipa default routing table
8b5d9f6f8eac ARM: dts: msm: add support for apq8096pro CDP
59dda5e0dcec ASoC: msm: Update codec name in HDMI dai link
0cba1d4c1422 f2fs: fix to avoid accessing xattr across the boundary
f32a4e2decb0 ARM: dts: msm: Enable HDMI audio support for 8996
c44c78fab1a2 ARM: dts: msm: Update avb flag and partition names for auto
ee588a7f2329 f2fs: fix to avoid potential race on sbi->unusable_block_count access/update
993543bcbad2 f2fs: add tracepoint for f2fs_filemap_fault()
b60ff4b3605c f2fs: introduce DATA_GENERIC_ENHANCE
43c33bc93b79 f2fs: fix to handle error in f2fs_disable_checkpoint()
9ca2000e9d76 f2fs: remove redundant check in f2fs_file_write_iter()
b6bb1574fce6 f2fs: fix to be aware of readonly device in write_checkpoint()
04139be9047a f2fs: fix to skip recovery on readonly device
25f68cbbdb86 f2fs: fix to consider multiple device for readonly check
a90ff12b2ff5 f2fs: relocate chksum_offset for large_nat_bitmap feature
ad199c5f600f f2fs: allow unfixed f2fs_checkpoint.checksum_offset
a3df88564441 f2fs: Replace spaces with tab
12a9d38a0b11 f2fs: insert space before the open parenthesis '('
e3057056de10 f2fs: allow address pointer number of dnode aligning to specified size
c351f529e220 f2fs: introduce f2fs_read_single_page() for cleanup
8ac217148510 f2fs: mark is_extension_exist() inline
2c8359eee2ad f2fs: fix to set FI_UPDATE_WRITE correctly
5f2085bab2e2 f2fs: fix to avoid panic in f2fs_inplace_write_data()
d6fe88aef4c1 f2fs: fix to do sanity check on valid block count of segment
1c3e295f67d0 f2fs: fix to do sanity check on valid node/block count
4ffbe8fee8a4 f2fs: fix to avoid panic in do_recover_data()
65f109d717d4 f2fs: fix to do sanity check on free nid
c60f9c6ced33 f2fs: fix to do checksum even if inode page is uptodate
9a080abdc30b f2fs: fix to avoid panic in f2fs_remove_inode_page()
c0bcbe425670 f2fs: fix to clear dirty inode in error path of f2fs_iget()
299dea1adf40 f2fs: remove new blank line of f2fs kernel message
9b4fc7359ca2 f2fs: fix wrong __is_meta_io() macro
02fb7afdd5f0 f2fs: fix to avoid panic in dec_valid_node_count()
5caebe607e13 f2fs: fix to avoid panic in dec_valid_block_count()
b5bc76046b10 f2fs: fix to use inline space only if inline_xattr is enable
9bc578bf83ee f2fs: fix to retrieve inline xattr space
0d7333632d79 f2fs: fix error path of recovery
b9973998d9df f2fs: fix to avoid deadloop in foreground GC
5047402dec0e f2fs: data: fix warning Using plain integer as NULL pointer
5bed19fbbba0 f2fs: add tracepoint for f2fs_file_write_iter()
7e37cc9d7161 f2fs: add comment for conditional compilation statement
00e77f15eb1d f2fs: fix potential recursive call when enabling data_flush
6b25d4ac2e7d f2fs: improve discard handling with multi-device volumes
c4c54093c71d f2fs: Reduce zoned block device memory usage
2c124ddd98a9 f2fs: Fix use of number of devices
8e638383c1bf msm: camera: jpegdma: Added missing lock for dqbuf and streamon
2bc83184b422 defconfig: Enable REGMAP_ALLOW_WRITE_DEBUGFS
81bbb1b91ed2 defconfig: msm8996: Enable radio configs
0b570560f091 radio: add Silabs FM radio support for msm8996
152bacdd85c4 ANDROID: Communicates LMK events to userland where they can be logged
dc0d6bda9e08 defconfig: msm8996: Disable DEVPORT
70d7ff1aa709 defconfig: msm8996: Disable EXT2 and EXT3 FS configs
339eab8aede0 defconfig: msm8996: Enable PAN emulation
Signed-off-by: Davide Garberi <dade.garberi@gmail.com>
Change-Id: Iac613f6970faeadc98d9ed40aae0d96042502ce4
|
| | |\ \ \ |
|
| | | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | |
| | | | | |
Use-after-free is seen when sending a sockev netlink message
since socket is not held which can race with sk_free.
KASAN: use-after-free in sockev_client_cb+0x41c/0x4b8
in net/core/sockev_nlmcast.c:104
Read of size 2 at addr <ffffffc08420c550>
Call trace:
dump_backtrace+0x0/0x388 arch/arm64/kernel/time.c:55
show_stack+0x24/0x30 arch/arm64/kernel/traps.c:152
__dump_stack+0x24/0x2c lib/dump_stack.c:17
dump_stack+0x8c/0xd0 lib/dump_stack.c:53
print_address_description+0x74/0x234 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x240/0x264 mm/kasan/report.c:412
__asan_report_load2_noabort+0x2c/0x38 mm/kasan/report.c:431
sockev_client_cb+0x41c/0x4b8 net/core/sockev_nlmcast.c:104
notifier_call_chain+0x104/0x158 kernel/notifier.c:93
__blocking_notifier_call_chain+0x80/0xb0 kernel/notifier.c:317
blocking_notifier_call_chain+0x3c/0x4c kernel/notifier.c:328
sockev_notify+0x30/0x3c net/socket.c:181
SYSC_bind net/socket.c:1509 [inline]
SyS_bind+0x1ec/0x30c net/socket.c:1489
el0_svc_naked+0x34/0x38
Freed by task 19460:
save_stack mm/kasan/kasan.c:447 [inline]
set_track mm/kasan/kasan.c:459 [inline]
__kasan_slab_free+0x134/0x20c mm/kasan/kasan.c:520
kasan_slab_free+0x10/0x1c mm/kasan/kasan.c:527
slab_free_hook mm/slub.c:1401 [inline]
slab_free_freelist_hook mm/slub.c:1422 [inline]
slab_free mm/slub.c:2979 [inline]
kmem_cache_free+0x114/0x664 mm/slub.c:3001
sk_prot_free net/core/sock.c:1504 [inline]
__sk_destruct+0x324/0x3c0 net/core/sock.c:1585
__sk_free+0x180/0x200 net/core/sock.c:1601
sk_free+0x44/0x50 net/core/sock.c:1612
sock_put include/net/sock.h:1643 [inline]
sk_common_release+0x198/0x20c net/core/sock.c:3014
raw_close+0x38/0x44 net/ipv4/raw.c:703
inet_release+0x128/0x15c net/ipv4/af_inet.c:446
__sock_release+0xb8/0x258 net/socket.c:614
sock_close+0x24/0x34 net/socket.c:1150
__fput+0x1f4/0x4e4 fs/file_table.c:345
____fput+0x20/0x2c fs/file_table.c:380
task_work_run+0x9c/0x174 kernel/task_work.c:113
Change-Id: Idb4335889b6e4228f36d76ca5b6156cc5e5838da
Signed-off-by: Sharath Chandra Vurukala <sharathv@codeaurora.org>
Signed-off-by: Kaustubh Pandey <kapandey@codeaurora.org>
|
| | |\ \ \ \
| | |/ / /
| |/| / /
| | |/ /
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
* refs/heads/tmp-71cb827
Linux 4.4.180
powerpc/lib: fix book3s/32 boot failure due to code patching
powerpc/booke64: set RI in default MSR
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
bonding: fix arp_validate toggling in active-backup mode
ipv4: Fix raw socket lookup for local traffic
vrf: sit mtu should not be updated when vrf netdev is the link
vlan: disable SIOCSHWTSTAMP in container
packet: Fix error path in packet_init
net: ucc_geth - fix Oops when changing number of buffers in the ring
bridge: Fix error path for kobject_init_and_add()
powerpc/64s: Include cpu header
USB: serial: fix unthrottle races
USB: serial: use variable for status
x86/bugs: Change L1TF mitigation string to match upstream
x86/speculation/mds: Fix documentation typo
Documentation: Correct the possible MDS sysfs values
x86/mds: Add MDSUM variant to the MDS documentation
x86/speculation/mds: Add 'mitigations=' support for MDS
x86/speculation: Support 'mitigations=' cmdline option
cpu/speculation: Add 'mitigations=' cmdline option
x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
x86/speculation/mds: Fix comment
x86/speculation/mds: Add SMT warning message
x86/speculation: Move arch_smt_update() call to after mitigation decisions
x86/cpu/bugs: Use __initconst for 'const' init data
Documentation: Add MDS vulnerability documentation
Documentation: Move L1TF to separate directory
x86/speculation/mds: Add mitigation mode VMWERV
x86/speculation/mds: Add sysfs reporting for MDS
x86/speculation/l1tf: Document l1tf in sysfs
x86/speculation/mds: Add mitigation control for MDS
x86/speculation/mds: Conditionally clear CPU buffers on idle entry
x86/speculation/mds: Clear CPU buffers on exit to user
x86/speculation/mds: Add mds_clear_cpu_buffers()
x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
x86/speculation/mds: Add BUG_MSBDS_ONLY
x86/speculation/mds: Add basic bug infrastructure for MDS
x86/speculation: Consolidate CPU whitelists
x86/msr-index: Cleanup bit defines
kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
x86/speculation: Provide IBPB always command line options
x86/speculation: Add seccomp Spectre v2 user space protection mode
x86/speculation: Enable prctl mode for spectre_v2_user
x86/speculation: Add prctl() control for indirect branch speculation
x86/speculation: Prevent stale SPEC_CTRL msr content
x86/speculation: Prepare arch_smt_update() for PRCTL mode
x86/speculation: Split out TIF update
x86/speculation: Prepare for conditional IBPB in switch_mm()
x86/speculation: Avoid __switch_to_xtra() calls
x86/process: Consolidate and simplify switch_to_xtra() code
x86/speculation: Prepare for per task indirect branch speculation control
x86/speculation: Add command line control for indirect branch speculation
x86/speculation: Unify conditional spectre v2 print functions
x86/speculataion: Mark command line parser data __initdata
x86/speculation: Mark string arrays const correctly
x86/speculation: Reorder the spec_v2 code
x86/speculation: Rework SMT state change
sched: Add sched_smt_active()
x86/Kconfig: Select SCHED_SMT if SMP enabled
x86/speculation: Reorganize speculation control MSRs update
x86/speculation: Rename SSBD update functions
x86/speculation: Disable STIBP when enhanced IBRS is in use
x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common()
x86/speculation: Remove unnecessary ret variable in cpu_show_common()
x86/speculation: Clean up spectre_v2_parse_cmdline()
x86/speculation: Update the TIF_SSBD comment
x86/speculation: Propagate information about RSB filling mitigation to sysfs
x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
x86/mm: Use WRITE_ONCE() when setting PTEs
KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled
x86/cpu: Sanitize FAM6_ATOM naming
x86/microcode: Update the new microcode revision unconditionally
x86/microcode: Make sure boot_cpu_data.microcode is up-to-date
x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a new <linux/bits.h> file
x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features
x86/bugs: Add AMD's SPEC_CTRL MSR usage
x86/bugs: Add AMD's variant of SSB_NO
x86/speculation: Simplify the CPU bug detection logic
x86/speculation: Support Enhanced IBRS on future CPUs
x86/cpufeatures: Hide AMD-specific speculation flags
x86/MCE: Save microcode revision in machine check records
x86/microcode/intel: Check microcode revision before updating sibling threads
bitops: avoid integer overflow in GENMASK(_ULL)
x86: stop exporting msr-index.h to userland
x86/microcode/intel: Add a helper which gives the microcode revision
locking/static_keys: Provide DECLARE and well as DEFINE macros
Don't jump to compute_result state from check_result state
x86/vdso: Pass --eh-frame-hdr to the linker
cw1200: fix missing unlock on error in cw1200_hw_scan()
gpu: ipu-v3: dp: fix CSC handling
selftests/net: correct the return value for run_netsocktests
s390: ctcm: fix ctcm_new_device error return code
ipvs: do not schedule icmp errors from tunnels
init: initialize jump labels before command line option parsing
tools lib traceevent: Fix missing equality check for strcmp
KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing
s390/3270: fix lockdep false positive on view->lock
s390/dasd: Fix capacity calculation for large volumes
libnvdimm/btt: Fix a kmemdup failure check
HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
HID: input: add mapping for Expose/Overview key
iio: adc: xilinx: fix potential use-after-free on remove
platform/x86: sony-laptop: Fix unintentional fall-through
netfilter: compat: initialize all fields in xt_init
timer/debug: Change /proc/timer_stats from 0644 to 0600
ASoC: Intel: avoid Oops if DMA setup fails
ipv6: fix a potential deadlock in do_ipv6_setsockopt()
UAS: fix alignment of scatter/gather segments
Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
Bluetooth: hidp: fix buffer overflow
scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines
usb: dwc3: Fix default lpm_nyet_threshold value
genirq: Prevent use-after-free and work list corruption
iommu/amd: Set exclusion range correctly
scsi: csiostor: fix missing data copy in csio_scsi_err_handler()
perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS
ASoC: tlv320aic32x4: Fix Common Pins
ASoC: cs4270: Set auto-increment bit for register writes
ASoC:soc-pcm:fix a codec fixup issue in TDM case
scsi: libsas: fix a race condition when smp task timeout
media: v4l2: i2c: ov7670: Fix PLL bypass register values
x86/mce: Improve error message when kernel cannot recover, p2
selinux: never allow relabeling on context mounts
Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ
staging: iio: adt7316: fix the dac write calculation
staging: iio: adt7316: fix the dac read calculation
staging: iio: adt7316: allow adt751x to use internal vref for all dacs
usb: usbip: fix isoc packet num validation in get_pipe
ARM: iop: don't use using 64-bit DMA masks
ARM: orion: don't use using 64-bit DMA masks
xsysace: Fix error handling in ace_setup
hugetlbfs: fix memory leak for resv_map
net: hns: Fix WARNING when remove HNS driver with SMMU enabled
net: hns: Use NAPI_POLL_WEIGHT for hns driver
scsi: storvsc: Fix calculation of sub-channel count
vfio/pci: use correct format characters
rtc: da9063: set uie_unsupported when relevant
debugfs: fix use-after-free on symlink traversal
jffs2: fix use-after-free on symlink traversal
bonding: show full hw address in sysfs for slave entries
igb: Fix WARN_ONCE on runtime suspend
rtc: sh: Fix invalid alarm warning for non-enabled alarm
HID: debug: fix race condition with between rdesc_show() and device removal
USB: core: Fix bug caused by duplicate interface PM usage counter
USB: core: Fix unterminated string returned by usb_string()
USB: w1 ds2490: Fix bug caused by improper use of altsetting array
USB: yurex: Fix protection fault after device removal
packet: validate msg_namelen in send directly
bnxt_en: Improve multicast address setup logic.
ipv6: invert flowlabel sharing check in process and user mode
ipv6/flowlabel: wait rcu grace period before put_pid()
ipv4: ip_do_fragment: Preserve skb_iif during fragmentation
ALSA: line6: use dynamic buffers
vfio/type1: Limit DMA mappings per container
kconfig/[mn]conf: handle backspace (^H) key
libata: fix using DMA buffers on stack
scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN
ceph: fix use-after-free on symlink traversal
usb: u132-hcd: fix resource leak
scsi: qla4xxx: fix a potential NULL pointer dereference
net: ethernet: ti: fix possible object reference leak
net: ibm: fix possible object reference leak
net: xilinx: fix possible object reference leak
net: ks8851: Set initial carrier state to down
net: ks8851: Delay requesting IRQ until opened
net: ks8851: Reassert reset pin if chip ID check fails
net: ks8851: Dequeue RX packets explicitly
ARM: dts: pfla02: increase phy reset duration
usb: gadget: net2272: Fix net2272_dequeue()
usb: gadget: net2280: Fix net2280_dequeue()
usb: gadget: net2280: Fix overrun of OUT messages
sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()
netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING
qlcnic: Avoid potential NULL pointer dereference
usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set
usbnet: ipheth: prevent TX queue timeouts when device not ready
Documentation: Add nospectre_v1 parameter
powerpc/fsl: Add FSL_PPC_BOOK3E as supported arch for nospectre_v2 boot arg
powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup'
powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms
powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit)
powerpc/fsl: Emulate SPRN_BUCSR register
powerpc/fsl: Flush branch predictor when entering KVM
powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used
ipv4: set the tcp_min_rtt_wlen range from 0 to one day
net: stmmac: move stmmac_check_ether_addr() to driver probe
team: fix possible recursive locking when add slaves
ipv4: add sanity checks in ipv4_link_failure()
Revert "block/loop: Use global lock for ioctl() operation."
bpf: reject wrong sized filters earlier
tipc: check link name with right length in tipc_nl_compat_link_set
tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
intel_th: gth: Fix an off-by-one in output unassigning
slip: make slhc_free() silently accept an error pointer
tipc: handle the err returned from cmd header function
powerpc/fsl: Fix the flush of branch predictor.
powerpc/security: Fix spectre_v2 reporting
powerpc/fsl: Update Spectre v2 reporting
powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)
powerpc/fsl: Add nospectre_v2 command line argument
powerpc/fsl: Fix spectre_v2 mitigations reporting
powerpc/fsl: Add macro to flush the branch predictor
powerpc/fsl: Add infrastructure to fixup branch predictor flush
powerpc: Avoid code patching freed init sections
powerpc/powernv: Query firmware for count cache flush settings
powerpc/pseries: Query hypervisor for count cache flush settings
powerpc/64s: Add support for software count cache flush
powerpc/64s: Add new security feature flags for count cache flush
powerpc/asm: Add a patch_site macro & helpers for patching instructions
powerpc/fsl: Add barrier_nospec implementation for NXP PowerPC Book3E
powerpc/64: Make meltdown reporting Book3S 64 specific
powerpc/64: Call setup_barrier_nospec() from setup_arch()
powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC
powerpc/64: Make stf barrier PPC_BOOK3S_64 specific.
powerpc/64: Disable the speculation barrier from the command line
powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2
powerpc/64s: Enhance the information in cpu_show_spectre_v1()
powerpc: Use barrier_nospec in copy_from_user()
powerpc/64: Use barrier_nospec in syscall entry
powerpc/64s: Enable barrier_nospec based on firmware settings
powerpc/64s: Patch barrier_nospec in modules
powerpc/64s: Add support for ori barrier_nospec patching
powerpc/64s: Add barrier_nospec
powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit
powerpc/64s: Fix section mismatch warnings from setup_rfi_flush()
powerpc/pseries: Restore default security feature flags on setup
powerpc: Move default security feature flags
powerpc/pseries: Fix clearing of security feature flags
powerpc/64s: Wire up cpu_show_spectre_v2()
powerpc/64s: Wire up cpu_show_spectre_v1()
powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
powerpc/64s: Enhance the information in cpu_show_meltdown()
powerpc/64s: Move cpu_show_meltdown()
powerpc/powernv: Set or clear security feature flags
powerpc/pseries: Set or clear security feature flags
powerpc: Add security feature flags for Spectre/Meltdown
powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration
powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
powerpc/rfi-flush: Differentiate enabled and patched flush types
powerpc/rfi-flush: Always enable fallback flush on pseries
powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again
powerpc/rfi-flush: Move the logic to avoid a redo into the debugfs code
powerpc/powernv: Support firmware disable of RFI flush
powerpc/pseries: Support firmware disable of RFI flush
powerpc/64s: Improve RFI L1-D cache flush fallback
powerpc/xmon: Add RFI flush related fields to paca dump
USB: Consolidate LPM checks to avoid enabling LPM twice
USB: Add new USB LPM helpers
sunrpc: don't mark uninitialised items as VALID.
nfsd: Don't release the callback slot unless it was actually held
ceph: fix ci->i_head_snapc leak
ceph: ensure d_name stability in ceph_dentry_hash()
sched/numa: Fix a possible divide-by-zero
trace: Fix preempt_enable_no_resched() abuse
MIPS: scall64-o32: Fix indirect syscall number load
cifs: do not attempt cifs operation on smb2+ rename error
KVM: fail KVM_SET_VCPU_EVENTS with invalid exception number
kbuild: simplify ld-option implementation
ANDROID: cuttlefish_defconfig: Disable DEVTMPFS
ANDROID: Move from clang r349610 to r353983c.
f2fs: fix to avoid accessing xattr across the boundary
f2fs: fix to avoid potential race on sbi->unusable_block_count access/update
f2fs: add tracepoint for f2fs_filemap_fault()
f2fs: introduce DATA_GENERIC_ENHANCE
f2fs: fix to handle error in f2fs_disable_checkpoint()
f2fs: remove redundant check in f2fs_file_write_iter()
f2fs: fix to be aware of readonly device in write_checkpoint()
f2fs: fix to skip recovery on readonly device
f2fs: fix to consider multiple device for readonly check
f2fs: relocate chksum_offset for large_nat_bitmap feature
f2fs: allow unfixed f2fs_checkpoint.checksum_offset
f2fs: Replace spaces with tab
f2fs: insert space before the open parenthesis '('
f2fs: allow address pointer number of dnode aligning to specified size
f2fs: introduce f2fs_read_single_page() for cleanup
f2fs: mark is_extension_exist() inline
f2fs: fix to set FI_UPDATE_WRITE correctly
f2fs: fix to avoid panic in f2fs_inplace_write_data()
f2fs: fix to do sanity check on valid block count of segment
f2fs: fix to do sanity check on valid node/block count
f2fs: fix to avoid panic in do_recover_data()
f2fs: fix to do sanity check on free nid
f2fs: fix to do checksum even if inode page is uptodate
f2fs: fix to avoid panic in f2fs_remove_inode_page()
f2fs: fix to clear dirty inode in error path of f2fs_iget()
f2fs: remove new blank line of f2fs kernel message
f2fs: fix wrong __is_meta_io() macro
f2fs: fix to avoid panic in dec_valid_node_count()
f2fs: fix to avoid panic in dec_valid_block_count()
f2fs: fix to use inline space only if inline_xattr is enable
f2fs: fix to retrieve inline xattr space
f2fs: fix error path of recovery
f2fs: fix to avoid deadloop in foreground GC
f2fs: data: fix warning Using plain integer as NULL pointer
f2fs: add tracepoint for f2fs_file_write_iter()
f2fs: add comment for conditional compilation statement
f2fs: fix potential recursive call when enabling data_flush
f2fs: improve discard handling with multi-device volumes
f2fs: Reduce zoned block device memory usage
f2fs: Fix use of number of devices
Sleepable function handle_lmk_event() is called in atomic context,
so ignored the commit "ANDROID: Communicates LMK events to userland
where they can be logged"
Conflicts:
arch/powerpc/include/asm/uaccess.h
kernel/cpu.c
kernel/irq/manage.c
kernel/time/timer_stats.c
net/ipv4/sysctl_net_ipv4.c
Change-Id: I3e5bd447057b44a28fc5000403198ae0fd644480
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
|
| | | |\|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Changes in 4.4.180
kbuild: simplify ld-option implementation
KVM: fail KVM_SET_VCPU_EVENTS with invalid exception number
cifs: do not attempt cifs operation on smb2+ rename error
MIPS: scall64-o32: Fix indirect syscall number load
trace: Fix preempt_enable_no_resched() abuse
sched/numa: Fix a possible divide-by-zero
ceph: ensure d_name stability in ceph_dentry_hash()
ceph: fix ci->i_head_snapc leak
nfsd: Don't release the callback slot unless it was actually held
sunrpc: don't mark uninitialised items as VALID.
USB: Add new USB LPM helpers
USB: Consolidate LPM checks to avoid enabling LPM twice
powerpc/xmon: Add RFI flush related fields to paca dump
powerpc/64s: Improve RFI L1-D cache flush fallback
powerpc/pseries: Support firmware disable of RFI flush
powerpc/powernv: Support firmware disable of RFI flush
powerpc/rfi-flush: Move the logic to avoid a redo into the debugfs code
powerpc/rfi-flush: Make it possible to call setup_rfi_flush() again
powerpc/rfi-flush: Always enable fallback flush on pseries
powerpc/rfi-flush: Differentiate enabled and patched flush types
powerpc/pseries: Add new H_GET_CPU_CHARACTERISTICS flags
powerpc/rfi-flush: Call setup_rfi_flush() after LPM migration
powerpc: Add security feature flags for Spectre/Meltdown
powerpc/pseries: Set or clear security feature flags
powerpc/powernv: Set or clear security feature flags
powerpc/64s: Move cpu_show_meltdown()
powerpc/64s: Enhance the information in cpu_show_meltdown()
powerpc/powernv: Use the security flags in pnv_setup_rfi_flush()
powerpc/pseries: Use the security flags in pseries_setup_rfi_flush()
powerpc/64s: Wire up cpu_show_spectre_v1()
powerpc/64s: Wire up cpu_show_spectre_v2()
powerpc/pseries: Fix clearing of security feature flags
powerpc: Move default security feature flags
powerpc/pseries: Restore default security feature flags on setup
powerpc/64s: Fix section mismatch warnings from setup_rfi_flush()
powerpc/64s: Add support for a store forwarding barrier at kernel entry/exit
powerpc/64s: Add barrier_nospec
powerpc/64s: Add support for ori barrier_nospec patching
powerpc/64s: Patch barrier_nospec in modules
powerpc/64s: Enable barrier_nospec based on firmware settings
powerpc/64: Use barrier_nospec in syscall entry
powerpc: Use barrier_nospec in copy_from_user()
powerpc/64s: Enhance the information in cpu_show_spectre_v1()
powerpc64s: Show ori31 availability in spectre_v1 sysfs file not v2
powerpc/64: Disable the speculation barrier from the command line
powerpc/64: Make stf barrier PPC_BOOK3S_64 specific.
powerpc/64: Add CONFIG_PPC_BARRIER_NOSPEC
powerpc/64: Call setup_barrier_nospec() from setup_arch()
powerpc/64: Make meltdown reporting Book3S 64 specific
powerpc/fsl: Add barrier_nospec implementation for NXP PowerPC Book3E
powerpc/asm: Add a patch_site macro & helpers for patching instructions
powerpc/64s: Add new security feature flags for count cache flush
powerpc/64s: Add support for software count cache flush
powerpc/pseries: Query hypervisor for count cache flush settings
powerpc/powernv: Query firmware for count cache flush settings
powerpc: Avoid code patching freed init sections
powerpc/fsl: Add infrastructure to fixup branch predictor flush
powerpc/fsl: Add macro to flush the branch predictor
powerpc/fsl: Fix spectre_v2 mitigations reporting
powerpc/fsl: Add nospectre_v2 command line argument
powerpc/fsl: Flush the branch predictor at each kernel entry (64bit)
powerpc/fsl: Update Spectre v2 reporting
powerpc/security: Fix spectre_v2 reporting
powerpc/fsl: Fix the flush of branch predictor.
tipc: handle the err returned from cmd header function
slip: make slhc_free() silently accept an error pointer
intel_th: gth: Fix an off-by-one in output unassigning
fs/proc/proc_sysctl.c: Fix a NULL pointer dereference
NFS: Forbid setting AF_INET6 to "struct sockaddr_in"->sin_family.
netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
tipc: check bearer name with right length in tipc_nl_compat_bearer_enable
tipc: check link name with right length in tipc_nl_compat_link_set
bpf: reject wrong sized filters earlier
Revert "block/loop: Use global lock for ioctl() operation."
ipv4: add sanity checks in ipv4_link_failure()
team: fix possible recursive locking when add slaves
net: stmmac: move stmmac_check_ether_addr() to driver probe
ipv4: set the tcp_min_rtt_wlen range from 0 to one day
powerpc/fsl: Enable runtime patching if nospectre_v2 boot arg is used
powerpc/fsl: Flush branch predictor when entering KVM
powerpc/fsl: Emulate SPRN_BUCSR register
powerpc/fsl: Flush the branch predictor at each kernel entry (32 bit)
powerpc/fsl: Sanitize the syscall table for NXP PowerPC 32 bit platforms
powerpc/fsl: Fixed warning: orphan section `__btb_flush_fixup'
powerpc/fsl: Add FSL_PPC_BOOK3E as supported arch for nospectre_v2 boot arg
Documentation: Add nospectre_v1 parameter
usbnet: ipheth: prevent TX queue timeouts when device not ready
usbnet: ipheth: fix potential null pointer dereference in ipheth_carrier_set
qlcnic: Avoid potential NULL pointer dereference
netfilter: bridge: set skb transport_header before entering NF_INET_PRE_ROUTING
sc16is7xx: missing unregister/delete driver on error in sc16is7xx_init()
usb: gadget: net2280: Fix overrun of OUT messages
usb: gadget: net2280: Fix net2280_dequeue()
usb: gadget: net2272: Fix net2272_dequeue()
ARM: dts: pfla02: increase phy reset duration
net: ks8851: Dequeue RX packets explicitly
net: ks8851: Reassert reset pin if chip ID check fails
net: ks8851: Delay requesting IRQ until opened
net: ks8851: Set initial carrier state to down
net: xilinx: fix possible object reference leak
net: ibm: fix possible object reference leak
net: ethernet: ti: fix possible object reference leak
scsi: qla4xxx: fix a potential NULL pointer dereference
usb: u132-hcd: fix resource leak
ceph: fix use-after-free on symlink traversal
scsi: zfcp: reduce flood of fcrscn1 trace records on multi-element RSCN
libata: fix using DMA buffers on stack
kconfig/[mn]conf: handle backspace (^H) key
vfio/type1: Limit DMA mappings per container
ALSA: line6: use dynamic buffers
ipv4: ip_do_fragment: Preserve skb_iif during fragmentation
ipv6/flowlabel: wait rcu grace period before put_pid()
ipv6: invert flowlabel sharing check in process and user mode
bnxt_en: Improve multicast address setup logic.
packet: validate msg_namelen in send directly
USB: yurex: Fix protection fault after device removal
USB: w1 ds2490: Fix bug caused by improper use of altsetting array
USB: core: Fix unterminated string returned by usb_string()
USB: core: Fix bug caused by duplicate interface PM usage counter
HID: debug: fix race condition with between rdesc_show() and device removal
rtc: sh: Fix invalid alarm warning for non-enabled alarm
igb: Fix WARN_ONCE on runtime suspend
bonding: show full hw address in sysfs for slave entries
jffs2: fix use-after-free on symlink traversal
debugfs: fix use-after-free on symlink traversal
rtc: da9063: set uie_unsupported when relevant
vfio/pci: use correct format characters
scsi: storvsc: Fix calculation of sub-channel count
net: hns: Use NAPI_POLL_WEIGHT for hns driver
net: hns: Fix WARNING when remove HNS driver with SMMU enabled
hugetlbfs: fix memory leak for resv_map
xsysace: Fix error handling in ace_setup
ARM: orion: don't use using 64-bit DMA masks
ARM: iop: don't use using 64-bit DMA masks
usb: usbip: fix isoc packet num validation in get_pipe
staging: iio: adt7316: allow adt751x to use internal vref for all dacs
staging: iio: adt7316: fix the dac read calculation
staging: iio: adt7316: fix the dac write calculation
Input: snvs_pwrkey - initialize necessary driver data before enabling IRQ
selinux: never allow relabeling on context mounts
x86/mce: Improve error message when kernel cannot recover, p2
media: v4l2: i2c: ov7670: Fix PLL bypass register values
scsi: libsas: fix a race condition when smp task timeout
ASoC:soc-pcm:fix a codec fixup issue in TDM case
ASoC: cs4270: Set auto-increment bit for register writes
ASoC: tlv320aic32x4: Fix Common Pins
perf/x86/intel: Fix handling of wakeup_events for multi-entry PEBS
scsi: csiostor: fix missing data copy in csio_scsi_err_handler()
iommu/amd: Set exclusion range correctly
genirq: Prevent use-after-free and work list corruption
usb: dwc3: Fix default lpm_nyet_threshold value
scsi: qla2xxx: Fix incorrect region-size setting in optrom SYSFS routines
Bluetooth: hidp: fix buffer overflow
Bluetooth: Align minimum encryption key size for LE and BR/EDR connections
UAS: fix alignment of scatter/gather segments
ipv6: fix a potential deadlock in do_ipv6_setsockopt()
ASoC: Intel: avoid Oops if DMA setup fails
timer/debug: Change /proc/timer_stats from 0644 to 0600
netfilter: compat: initialize all fields in xt_init
platform/x86: sony-laptop: Fix unintentional fall-through
iio: adc: xilinx: fix potential use-after-free on remove
HID: input: add mapping for Expose/Overview key
HID: input: add mapping for keyboard Brightness Up/Down/Toggle keys
libnvdimm/btt: Fix a kmemdup failure check
s390/dasd: Fix capacity calculation for large volumes
s390/3270: fix lockdep false positive on view->lock
KVM: x86: avoid misreporting level-triggered irqs as edge-triggered in tracing
tools lib traceevent: Fix missing equality check for strcmp
init: initialize jump labels before command line option parsing
ipvs: do not schedule icmp errors from tunnels
s390: ctcm: fix ctcm_new_device error return code
selftests/net: correct the return value for run_netsocktests
gpu: ipu-v3: dp: fix CSC handling
cw1200: fix missing unlock on error in cw1200_hw_scan()
x86/vdso: Pass --eh-frame-hdr to the linker
Don't jump to compute_result state from check_result state
locking/static_keys: Provide DECLARE and well as DEFINE macros
x86/microcode/intel: Add a helper which gives the microcode revision
x86: stop exporting msr-index.h to userland
bitops: avoid integer overflow in GENMASK(_ULL)
x86/microcode/intel: Check microcode revision before updating sibling threads
x86/MCE: Save microcode revision in machine check records
x86/cpufeatures: Hide AMD-specific speculation flags
x86/speculation: Support Enhanced IBRS on future CPUs
x86/speculation: Simplify the CPU bug detection logic
x86/bugs: Add AMD's variant of SSB_NO
x86/bugs: Add AMD's SPEC_CTRL MSR usage
x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features
locking/atomics, asm-generic: Move some macros from <linux/bitops.h> to a new <linux/bits.h> file
x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
x86/speculation: Remove SPECTRE_V2_IBRS in enum spectre_v2_mitigation
x86/microcode: Make sure boot_cpu_data.microcode is up-to-date
x86/microcode: Update the new microcode revision unconditionally
x86/cpu: Sanitize FAM6_ATOM naming
KVM: x86: SVM: Call x86_spec_ctrl_set_guest/host() with interrupts disabled
x86/mm: Use WRITE_ONCE() when setting PTEs
x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
x86/speculation: Propagate information about RSB filling mitigation to sysfs
x86/speculation: Update the TIF_SSBD comment
x86/speculation: Clean up spectre_v2_parse_cmdline()
x86/speculation: Remove unnecessary ret variable in cpu_show_common()
x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common()
x86/speculation: Disable STIBP when enhanced IBRS is in use
x86/speculation: Rename SSBD update functions
x86/speculation: Reorganize speculation control MSRs update
x86/Kconfig: Select SCHED_SMT if SMP enabled
sched: Add sched_smt_active()
x86/speculation: Rework SMT state change
x86/speculation: Reorder the spec_v2 code
x86/speculation: Mark string arrays const correctly
x86/speculataion: Mark command line parser data __initdata
x86/speculation: Unify conditional spectre v2 print functions
x86/speculation: Add command line control for indirect branch speculation
x86/speculation: Prepare for per task indirect branch speculation control
x86/process: Consolidate and simplify switch_to_xtra() code
x86/speculation: Avoid __switch_to_xtra() calls
x86/speculation: Prepare for conditional IBPB in switch_mm()
x86/speculation: Split out TIF update
x86/speculation: Prepare arch_smt_update() for PRCTL mode
x86/speculation: Prevent stale SPEC_CTRL msr content
x86/speculation: Add prctl() control for indirect branch speculation
x86/speculation: Enable prctl mode for spectre_v2_user
x86/speculation: Add seccomp Spectre v2 user space protection mode
x86/speculation: Provide IBPB always command line options
kvm: x86: Report STIBP on GET_SUPPORTED_CPUID
x86/msr-index: Cleanup bit defines
x86/speculation: Consolidate CPU whitelists
x86/speculation/mds: Add basic bug infrastructure for MDS
x86/speculation/mds: Add BUG_MSBDS_ONLY
x86/kvm: Expose X86_FEATURE_MD_CLEAR to guests
x86/speculation/mds: Add mds_clear_cpu_buffers()
x86/speculation/mds: Clear CPU buffers on exit to user
x86/speculation/mds: Conditionally clear CPU buffers on idle entry
x86/speculation/mds: Add mitigation control for MDS
x86/speculation/l1tf: Document l1tf in sysfs
x86/speculation/mds: Add sysfs reporting for MDS
x86/speculation/mds: Add mitigation mode VMWERV
Documentation: Move L1TF to separate directory
Documentation: Add MDS vulnerability documentation
x86/cpu/bugs: Use __initconst for 'const' init data
x86/speculation: Move arch_smt_update() call to after mitigation decisions
x86/speculation/mds: Add SMT warning message
x86/speculation/mds: Fix comment
x86/speculation/mds: Print SMT vulnerable on MSBDS with mitigations off
cpu/speculation: Add 'mitigations=' cmdline option
x86/speculation: Support 'mitigations=' cmdline option
x86/speculation/mds: Add 'mitigations=' support for MDS
x86/mds: Add MDSUM variant to the MDS documentation
Documentation: Correct the possible MDS sysfs values
x86/speculation/mds: Fix documentation typo
x86/bugs: Change L1TF mitigation string to match upstream
USB: serial: use variable for status
USB: serial: fix unthrottle races
powerpc/64s: Include cpu header
bridge: Fix error path for kobject_init_and_add()
net: ucc_geth - fix Oops when changing number of buffers in the ring
packet: Fix error path in packet_init
vlan: disable SIOCSHWTSTAMP in container
vrf: sit mtu should not be updated when vrf netdev is the link
ipv4: Fix raw socket lookup for local traffic
bonding: fix arp_validate toggling in active-backup mode
drivers/virt/fsl_hypervisor.c: dereferencing error pointers in ioctl
drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl
powerpc/booke64: set RI in default MSR
powerpc/lib: fix book3s/32 boot failure due to code patching
Linux 4.4.180
Change-Id: If2d2fdd451b55c002666b32022b269cec9545607
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 19e4e768064a87b073a4b4c138b55db70e0cfb9f ]
inet_iif should be used for the raw socket lookup. inet_iif considers
rt_iif which handles the case of local traffic.
As it stands, ping to a local address with the '-I <dev>' option fails
ever since ping was changed to use SO_BINDTODEVICE instead of
cmsg + IP_PKTINFO.
IPv6 works fine.
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit ff6ab32bd4e073976e4d8797b4d514a172cfe6cb ]
VRF netdev mtu isn't typically set and have an mtu of 65536. When the
link of a tunnel is set, the tunnel mtu is changed from 1480 to the link
mtu minus tunnel header. In the case of VRF netdev is the link, then the
tunnel mtu becomes 65516. So, fix it by not setting the tunnel mtu in
this case.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 873017af778439f2f8e3d87f28ddb1fcaf244a76 ]
With NET_ADMIN enabled in container, a normal user could be mapped to
root and is able to change the real device's rx filter via ioctl on
vlan, which would affect the other ptp process on host. Fix it by
disabling SIOCSHWTSTAMP in container.
Fixes: a6111d3c93d0 ("vlan: Pass SIOC[SG]HWTSTAMP ioctls to real device")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 36096f2f4fa05f7678bc87397665491700bae757 ]
kernel BUG at lib/list_debug.c:47!
invalid opcode: 0000 [#1
CPU: 0 PID: 12914 Comm: rmmod Tainted: G W 5.1.0+ #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014
RIP: 0010:__list_del_entry_valid+0x53/0x90
Code: 48 8b 32 48 39 fe 75 35 48 8b 50 08 48 39 f2 75 40 b8 01 00 00 00 5d c3 48
89 fe 48 89 c2 48 c7 c7 18 75 fe 82 e8 cb 34 78 ff <0f> 0b 48 89 fe 48 c7 c7 50 75 fe 82 e8 ba 34 78 ff 0f 0b 48 89 f2
RSP: 0018:ffffc90001c2fe40 EFLAGS: 00010286
RAX: 000000000000004e RBX: ffffffffa0184000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff888237a17788 RDI: 00000000ffffffff
RBP: ffffc90001c2fe40 R08: 0000000000000000 R09: 0000000000000000
R10: ffffc90001c2fe10 R11: 0000000000000000 R12: 0000000000000000
R13: ffffc90001c2fe50 R14: ffffffffa0184000 R15: 0000000000000000
FS: 00007f3d83634540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000555c350ea818 CR3: 0000000231677000 CR4: 00000000000006f0
Call Trace:
unregister_pernet_operations+0x34/0x120
unregister_pernet_subsys+0x1c/0x30
packet_exit+0x1c/0x369 [af_packet
__x64_sys_delete_module+0x156/0x260
? lockdep_hardirqs_on+0x133/0x1b0
? do_syscall_64+0x12/0x1f0
do_syscall_64+0x6e/0x1f0
entry_SYSCALL_64_after_hwframe+0x49/0xbe
When modprobe af_packet, register_pernet_subsys
fails and does a cleanup, ops->list is set to LIST_POISON1,
but the module init is considered to success, then while rmmod it,
BUG() is triggered in __list_del_entry_valid which is called from
unregister_pernet_subsys. This patch fix error handing path in
packet_init to avoid possilbe issue if some error occur.
Reported-by: Hulk Robot <hulkci@huawei.com>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit bdfad5aec1392b93495b77b864d58d7f101dc1c1 ]
Currently error return from kobject_init_and_add() is not followed by a
call to kobject_put(). This means there is a memory leak. We currently
set p to NULL so that kfree() may be called on it as a noop, the code is
arguably clearer if we move the kfree() up closer to where it is
called (instead of after goto jump).
Remove a goto label 'err1' and jump to call to kobject_put() in error
return from kobject_init_and_add() fixing the memory leak. Re-name goto
label 'put_back' to 'err1' now that we don't use err1, following current
nomenclature (err1, err2 ...). Move call to kfree out of the error
code at bottom of function up to closer to where memory was allocated.
Add comment to clarify call to kfree().
Signed-off-by: Tobin C. Harding <tobin@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
[ Upstream commit 0261ea1bd1eb0da5c0792a9119b8655cf33c80a3 ]
We can receive ICMP errors from client or from
tunneling real server. While the former can be
scheduled to real server, the latter should
not be scheduled, they are decapsulated only when
existing connection is found.
Fixes: 6044eeffafbe ("ipvs: attempt to schedule icmp packets")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 8d29d16d21342a0c86405d46de0c4ac5daf1760f upstream
If a non zero value happens to be in xt[NFPROTO_BRIDGE].cur at init
time, the following panic can be caused by running
% ebtables -t broute -F BROUTING
from a 32-bit user level on a 64-bit kernel. This patch replaces
kmalloc_array with kcalloc when allocating xt.
[ 474.680846] BUG: unable to handle kernel paging request at 0000000009600920
[ 474.687869] PGD 2037006067 P4D 2037006067 PUD 2038938067 PMD 0
[ 474.693838] Oops: 0000 [#1] SMP
[ 474.697055] CPU: 9 PID: 4662 Comm: ebtables Kdump: loaded Not tainted 4.19.17-11302235.AroraKernelnext.fc18.x86_64 #1
[ 474.707721] Hardware name: Supermicro X9DRT/X9DRT, BIOS 3.0 06/28/2013
[ 474.714313] RIP: 0010:xt_compat_calc_jump+0x2f/0x63 [x_tables]
[ 474.720201] Code: 40 0f b6 ff 55 31 c0 48 6b ff 70 48 03 3d dc 45 00 00 48 89 e5 8b 4f 6c 4c 8b 47 60 ff c9 39 c8 7f 2f 8d 14 08 d1 fa 48 63 fa <41> 39 34 f8 4c 8d 0c fd 00 00 00 00 73 05 8d 42 01 eb e1 76 05 8d
[ 474.739023] RSP: 0018:ffffc9000943fc58 EFLAGS: 00010207
[ 474.744296] RAX: 0000000000000000 RBX: ffffc90006465000 RCX: 0000000002580249
[ 474.751485] RDX: 00000000012c0124 RSI: fffffffff7be17e9 RDI: 00000000012c0124
[ 474.758670] RBP: ffffc9000943fc58 R08: 0000000000000000 R09: ffffffff8117cf8f
[ 474.765855] R10: ffffc90006477000 R11: 0000000000000000 R12: 0000000000000001
[ 474.773048] R13: 0000000000000000 R14: ffffc9000943fcb8 R15: ffffc9000943fcb8
[ 474.780234] FS: 0000000000000000(0000) GS:ffff88a03f840000(0063) knlGS:00000000f7ac7700
[ 474.788612] CS: 0010 DS: 002b ES: 002b CR0: 0000000080050033
[ 474.794632] CR2: 0000000009600920 CR3: 0000002037422006 CR4: 00000000000606e0
[ 474.802052] Call Trace:
[ 474.804789] compat_do_replace+0x1fb/0x2a3 [ebtables]
[ 474.810105] compat_do_ebt_set_ctl+0x69/0xe6 [ebtables]
[ 474.815605] ? try_module_get+0x37/0x42
[ 474.819716] compat_nf_setsockopt+0x4f/0x6d
[ 474.824172] compat_ip_setsockopt+0x7e/0x8c
[ 474.828641] compat_raw_setsockopt+0x16/0x3a
[ 474.833220] compat_sock_common_setsockopt+0x1d/0x24
[ 474.838458] __compat_sys_setsockopt+0x17e/0x1b1
[ 474.843343] ? __check_object_size+0x76/0x19a
[ 474.847960] __ia32_compat_sys_socketcall+0x1cb/0x25b
[ 474.853276] do_fast_syscall_32+0xaf/0xf6
[ 474.857548] entry_SYSENTER_compat+0x6b/0x7a
Signed-off-by: Francesco Ruggeri <fruggeri@arista.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit 8651be8f14a12d24f203f283601d9b0418c389ff upstream.
Baozeng reported this deadlock case:
CPU0 CPU1
---- ----
lock([ 165.136033] sk_lock-AF_INET6);
lock([ 165.136033] rtnl_mutex);
lock([ 165.136033] sk_lock-AF_INET6);
lock([ 165.136033] rtnl_mutex);
Similar to commit 87e9f0315952
("ipv4: fix a potential deadlock in mcast getsockopt() path")
this is due to we still have a case, ipv6_sock_mc_close(),
where we acquire sk_lock before rtnl_lock. Close this deadlock
with the similar solution, that is always acquire rtnl lock first.
Fixes: baf606d9c9b1 ("ipv4,ipv6: grab rtnl before locking the socket")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Tested-by: Baozeng Ding <sploving1@gmail.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: Zubin Mithra <zsm@chromium.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit d5bb334a8e171b262e48f378bd2096c0ea458265 upstream.
The minimum encryption key size for LE connections is 56 bits and to
align LE with BR/EDR, enforce 56 bits of minimum encryption key size for
BR/EDR connections as well.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.
Struct ca is copied from userspace. It is not checked whether the "name"
field is NULL terminated, which allows local users to obtain potentially
sensitive information from kernel stack memory, via a HIDPCONNADD command.
This vulnerability is similar to CVE-2011-1079.
Signed-off-by: Young Xiao <YangX92@hotmail.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
