summaryrefslogtreecommitdiff
path: root/net (follow)
Commit message (Collapse)AuthorAge
...
| | * inet: stop leaking jiffies on the wireEric Dumazet2019-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit a904a0693c189691eeee64f6c6b188bd7dc244e9 ] Historically linux tried to stick to RFC 791, 1122, 2003 for IPv4 ID field generation. RFC 6864 made clear that no matter how hard we try, we can not ensure unicity of IP ID within maximum lifetime for all datagrams with a given source address/destination address/protocol tuple. Linux uses a per socket inet generator (inet_id), initialized at connection startup with a XOR of 'jiffies' and other fields that appear clear on the wire. Thiemo Nagel pointed that this strategy is a privacy concern as this provides 16 bits of entropy to fingerprint devices. Let's switch to a random starting point, this is just as good as far as RFC 6864 is concerned and does not leak anything critical. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Thiemo Nagel <tnagel@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * net: add READ_ONCE() annotation in __skb_wait_for_more_packets()Eric Dumazet2019-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 7c422d0ce97552dde4a97e6290de70ec6efb0fc6 ] __skb_wait_for_more_packets() can be called while other cpus can feed packets to the socket receive queue. KCSAN reported : BUG: KCSAN: data-race in __skb_wait_for_more_packets / __udp_enqueue_schedule_skb write to 0xffff888102e40b58 of 8 bytes by interrupt on cpu 0: __skb_insert include/linux/skbuff.h:1852 [inline] __skb_queue_before include/linux/skbuff.h:1958 [inline] __skb_queue_tail include/linux/skbuff.h:1991 [inline] __udp_enqueue_schedule_skb+0x2d7/0x410 net/ipv4/udp.c:1470 __udp_queue_rcv_skb net/ipv4/udp.c:1940 [inline] udp_queue_rcv_one_skb+0x7bd/0xc70 net/ipv4/udp.c:2057 udp_queue_rcv_skb+0xb5/0x400 net/ipv4/udp.c:2074 udp_unicast_rcv_skb.isra.0+0x7e/0x1c0 net/ipv4/udp.c:2233 __udp4_lib_rcv+0xa44/0x17c0 net/ipv4/udp.c:2300 udp_rcv+0x2b/0x40 net/ipv4/udp.c:2470 ip_protocol_deliver_rcu+0x4d/0x420 net/ipv4/ip_input.c:204 ip_local_deliver_finish+0x110/0x140 net/ipv4/ip_input.c:231 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_local_deliver+0x133/0x210 net/ipv4/ip_input.c:252 dst_input include/net/dst.h:442 [inline] ip_rcv_finish+0x121/0x160 net/ipv4/ip_input.c:413 NF_HOOK include/linux/netfilter.h:305 [inline] NF_HOOK include/linux/netfilter.h:299 [inline] ip_rcv+0x18f/0x1a0 net/ipv4/ip_input.c:523 __netif_receive_skb_one_core+0xa7/0xe0 net/core/dev.c:5010 __netif_receive_skb+0x37/0xf0 net/core/dev.c:5124 process_backlog+0x1d3/0x420 net/core/dev.c:5955 read to 0xffff888102e40b58 of 8 bytes by task 13035 on cpu 1: __skb_wait_for_more_packets+0xfa/0x320 net/core/datagram.c:100 __skb_recv_udp+0x374/0x500 net/ipv4/udp.c:1683 udp_recvmsg+0xe1/0xb10 net/ipv4/udp.c:1712 inet_recvmsg+0xbb/0x250 net/ipv4/af_inet.c:838 sock_recvmsg_nosec+0x5c/0x70 net/socket.c:871 ___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480 do_recvmmsg+0x19a/0x5c0 net/socket.c:2601 __sys_recvmmsg+0x1ef/0x200 net/socket.c:2680 __do_sys_recvmmsg net/socket.c:2703 [inline] __se_sys_recvmmsg net/socket.c:2696 [inline] __x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696 do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Reported by Kernel Concurrency Sanitizer on: CPU: 1 PID: 13035 Comm: syz-executor.3 Not tainted 5.4.0-rc3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol()zhanglin2019-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 5ff223e86f5addbfae26419cbb5d61d98f6fbf7d ] memset() the structure ethtool_wolinfo that has padded bytes but the padded bytes have not been zeroed out. Signed-off-by: zhanglin <zhang.lin16@zte.com.cn> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * dccp: do not leak jiffies on the wireEric Dumazet2019-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 3d1e5039f5f87a8731202ceca08764ee7cb010d3 ] For some reason I missed the case of DCCP passive flows in my previous patch. Fixes: a904a0693c18 ("inet: stop leaking jiffies on the wire") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Thiemo Nagel <tnagel@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | | Merge android-4.4-p.199 (3f5703c) into msm-4.4Srinivasarao P2019-11-11
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refs/heads/tmp-3f5703c Linux 4.4.199 Revert "ALSA: hda: Flush interrupts on disabling" xfs: Correctly invert xfs_buftarg LRU isolation logic sctp: not bind the socket in sctp_connect sctp: fix the issue that flags are ignored when using kernel_connect sch_netem: fix rcu splat in netem_enqueue() net: usb: sr9800: fix uninitialized local variable bonding: fix potential NULL deref in bond_update_slave_arr llc: fix sk_buff leak in llc_conn_service() llc: fix sk_buff leak in llc_sap_state_process() rtlwifi: Fix potential overflow on P2P code s390/cmm: fix information leak in cmm_timeout_handler() nl80211: fix validation of mesh path nexthop HID: fix error message in hid_open_report() HID: Fix assumption that devices have inputs USB: serial: whiteheat: fix line-speed endianness USB: serial: whiteheat: fix potential slab corruption USB: ldusb: fix control-message timeout USB: ldusb: fix ring-buffer locking USB: gadget: Reject endpoints with 0 maxpacket value UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather segments") ALSA: bebob: Fix prototype of helper function to return negative value fuse: truncate pending writes on O_TRUNC fuse: flush dirty data/metadata before non-truncate setattr ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe() thunderbolt: Use 32-bit writes when writing ring producer/consumer USB: legousbtower: fix a signedness bug in tower_probe() tracing: Initialize iter->seq after zeroing in tracing_read_pipe() NFSv4: Fix leak of clp->cl_acceptor string MIPS: fw: sni: Fix out of bounds init of o32 stack fs: ocfs2: fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc() fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry() efi/x86: Do not clean dummy variable in kexec path efi/cper: Fix endianness of PCIe class code serial: mctrl_gpio: Check for NULL pointer fs: cifs: mute -Wunused-const-variable message RDMA/iwcm: Fix a lock inversion issue perf map: Fix overlapped map handling iio: fix center temperature of bmc150-accel-core exec: load_script: Do not exec truncated interpreter path usb: handle warm-reset port requests on hub resume scripts/setlocalversion: Improve -dirty check with git-status --no-optional-locks x86/cpu: Add Atom Tremont (Jacobsville) sc16is7xx: Fix for "Unexpected interrupt: 8" dm: Use kzalloc for all structs with embedded biosets/mempools dm snapshot: rework COW throttling to fix deadlock dm snapshot: introduce account_start_copy() and account_end_copy() dm snapshot: use mutex instead of rw_semaphore ANDROID: cpufreq: times: add /proc/uid_concurrent_{active,policy}_time Conflicts: drivers/cpufreq/cpufreq_times.c Change-Id: I2c27599db8577afa4853222b11d9aec20071e752 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
| * | Merge 4.4.199 into android-4.4-pGreg Kroah-Hartman2019-11-06
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.199 dm snapshot: use mutex instead of rw_semaphore dm snapshot: introduce account_start_copy() and account_end_copy() dm snapshot: rework COW throttling to fix deadlock dm: Use kzalloc for all structs with embedded biosets/mempools sc16is7xx: Fix for "Unexpected interrupt: 8" x86/cpu: Add Atom Tremont (Jacobsville) scripts/setlocalversion: Improve -dirty check with git-status --no-optional-locks usb: handle warm-reset port requests on hub resume exec: load_script: Do not exec truncated interpreter path iio: fix center temperature of bmc150-accel-core perf map: Fix overlapped map handling RDMA/iwcm: Fix a lock inversion issue fs: cifs: mute -Wunused-const-variable message serial: mctrl_gpio: Check for NULL pointer efi/cper: Fix endianness of PCIe class code efi/x86: Do not clean dummy variable in kexec path fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry() fs: ocfs2: fix a possible null-pointer dereference in ocfs2_info_scan_inode_alloc() MIPS: fw: sni: Fix out of bounds init of o32 stack NFSv4: Fix leak of clp->cl_acceptor string tracing: Initialize iter->seq after zeroing in tracing_read_pipe() USB: legousbtower: fix a signedness bug in tower_probe() thunderbolt: Use 32-bit writes when writing ring producer/consumer ath6kl: fix a NULL-ptr-deref bug in ath6kl_usb_alloc_urb_from_pipe() fuse: flush dirty data/metadata before non-truncate setattr fuse: truncate pending writes on O_TRUNC ALSA: bebob: Fix prototype of helper function to return negative value UAS: Revert commit 3ae62a42090f ("UAS: fix alignment of scatter/gather segments") USB: gadget: Reject endpoints with 0 maxpacket value USB: ldusb: fix ring-buffer locking USB: ldusb: fix control-message timeout USB: serial: whiteheat: fix potential slab corruption USB: serial: whiteheat: fix line-speed endianness HID: Fix assumption that devices have inputs HID: fix error message in hid_open_report() nl80211: fix validation of mesh path nexthop s390/cmm: fix information leak in cmm_timeout_handler() rtlwifi: Fix potential overflow on P2P code llc: fix sk_buff leak in llc_sap_state_process() llc: fix sk_buff leak in llc_conn_service() bonding: fix potential NULL deref in bond_update_slave_arr net: usb: sr9800: fix uninitialized local variable sch_netem: fix rcu splat in netem_enqueue() sctp: fix the issue that flags are ignored when using kernel_connect sctp: not bind the socket in sctp_connect xfs: Correctly invert xfs_buftarg LRU isolation logic Revert "ALSA: hda: Flush interrupts on disabling" Linux 4.4.199 Change-Id: Ia26458456401f9ec050f4c11bd5bdf24b8a21b24 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| | * sctp: not bind the socket in sctp_connectXin Long2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 9b6c08878e23adb7cc84bdca94d8a944b03f099e upstream. Now when sctp_connect() is called with a wrong sa_family, it binds to a port but doesn't set bp->port, then sctp_get_af_specific will return NULL and sctp_connect() returns -EINVAL. Then if sctp_bind() is called to bind to another port, the last port it has bound will leak due to bp->port is NULL by then. sctp_connect() doesn't need to bind ports, as later __sctp_connect will do it if bp->port is NULL. So remove it from sctp_connect(). While at it, remove the unnecessary sockaddr.sa_family len check as it's already done in sctp_inet_connect. Fixes: 644fbdeacf1d ("sctp: fix the issue that flags are ignored when using kernel_connect") Reported-by: syzbot+079bf326b38072f849d9@syzkaller.appspotmail.com Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * sctp: fix the issue that flags are ignored when using kernel_connectXin Long2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 644fbdeacf1d3edd366e44b8ba214de9d1dd66a9 upstream. Now sctp uses inet_dgram_connect as its proto_ops .connect, and the flags param can't be passed into its proto .connect where this flags is really needed. sctp works around it by getting flags from socket file in __sctp_connect. It works for connecting from userspace, as inherently the user sock has socket file and it passes f_flags as the flags param into the proto_ops .connect. However, the sock created by sock_create_kern doesn't have a socket file, and it passes the flags (like O_NONBLOCK) by using the flags param in kernel_connect, which calls proto_ops .connect later. So to fix it, this patch defines a new proto_ops .connect for sctp, sctp_inet_connect, which calls __sctp_connect() directly with this flags param. After this, the sctp's proto .connect can be removed. Note that sctp_inet_connect doesn't need to do some checks that are not needed for sctp, which makes thing better than with inet_dgram_connect. Suggested-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Reviewed-by: Michal Kubecek <mkubecek@suse.cz> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * sch_netem: fix rcu splat in netem_enqueue()Eric Dumazet2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 159d2c7d8106177bd9a986fd005a311fe0d11285 upstream. qdisc_root() use from netem_enqueue() triggers a lockdep warning. __dev_queue_xmit() uses rcu_read_lock_bh() which is not equivalent to rcu_read_lock() + local_bh_disable_bh as far as lockdep is concerned. WARNING: suspicious RCU usage 5.3.0-rc7+ #0 Not tainted ----------------------------- include/net/sch_generic.h:492 suspicious rcu_dereference_check() usage! other info that might help us debug this: rcu_scheduler_active = 2, debug_locks = 1 3 locks held by syz-executor427/8855: #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: lwtunnel_xmit_redirect include/net/lwtunnel.h:92 [inline] #0: 00000000b5525c01 (rcu_read_lock_bh){....}, at: ip_finish_output2+0x2dc/0x2570 net/ipv4/ip_output.c:214 #1: 00000000b5525c01 (rcu_read_lock_bh){....}, at: __dev_queue_xmit+0x20a/0x3650 net/core/dev.c:3804 #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: spin_lock include/linux/spinlock.h:338 [inline] #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_xmit_skb net/core/dev.c:3502 [inline] #2: 00000000364bae92 (&(&sch->q.lock)->rlock){+.-.}, at: __dev_queue_xmit+0x14b8/0x3650 net/core/dev.c:3838 stack backtrace: CPU: 0 PID: 8855 Comm: syz-executor427 Not tainted 5.3.0-rc7+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 lockdep_rcu_suspicious+0x153/0x15d kernel/locking/lockdep.c:5357 qdisc_root include/net/sch_generic.h:492 [inline] netem_enqueue+0x1cfb/0x2d80 net/sched/sch_netem.c:479 __dev_xmit_skb net/core/dev.c:3527 [inline] __dev_queue_xmit+0x15d2/0x3650 net/core/dev.c:3838 dev_queue_xmit+0x18/0x20 net/core/dev.c:3902 neigh_hh_output include/net/neighbour.h:500 [inline] neigh_output include/net/neighbour.h:509 [inline] ip_finish_output2+0x1726/0x2570 net/ipv4/ip_output.c:228 __ip_finish_output net/ipv4/ip_output.c:308 [inline] __ip_finish_output+0x5fc/0xb90 net/ipv4/ip_output.c:290 ip_finish_output+0x38/0x1f0 net/ipv4/ip_output.c:318 NF_HOOK_COND include/linux/netfilter.h:294 [inline] ip_mc_output+0x292/0xf40 net/ipv4/ip_output.c:417 dst_output include/net/dst.h:436 [inline] ip_local_out+0xbb/0x190 net/ipv4/ip_output.c:125 ip_send_skb+0x42/0xf0 net/ipv4/ip_output.c:1555 udp_send_skb.isra.0+0x6b2/0x1160 net/ipv4/udp.c:887 udp_sendmsg+0x1e96/0x2820 net/ipv4/udp.c:1174 inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:657 ___sys_sendmsg+0x3e2/0x920 net/socket.c:2311 __sys_sendmmsg+0x1bf/0x4d0 net/socket.c:2413 __do_sys_sendmmsg net/socket.c:2442 [inline] __se_sys_sendmmsg net/socket.c:2439 [inline] __x64_sys_sendmmsg+0x9d/0x100 net/socket.c:2439 do_syscall_64+0xfd/0x6a0 arch/x86/entry/common.c:296 entry_SYSCALL_64_after_hwframe+0x49/0xbe Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * llc: fix sk_buff leak in llc_conn_service()Eric Biggers2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit b74555de21acd791f12c4a1aeaf653dd7ac21133 upstream. syzbot reported: BUG: memory leak unreferenced object 0xffff88811eb3de00 (size 224): comm "syz-executor559", pid 7315, jiffies 4294943019 (age 10.300s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 a0 38 24 81 88 ff ff 00 c0 f2 15 81 88 ff ff ..8$............ backtrace: [<000000008d1c66a1>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<000000008d1c66a1>] slab_post_alloc_hook mm/slab.h:439 [inline] [<000000008d1c66a1>] slab_alloc_node mm/slab.c:3269 [inline] [<000000008d1c66a1>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 [<00000000447d9496>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 [<000000000cdbf82f>] alloc_skb include/linux/skbuff.h:1058 [inline] [<000000000cdbf82f>] llc_alloc_frame+0x66/0x110 net/llc/llc_sap.c:54 [<000000002418b52e>] llc_conn_ac_send_sabme_cmd_p_set_x+0x2f/0x140 net/llc/llc_c_ac.c:777 [<000000001372ae17>] llc_exec_conn_trans_actions net/llc/llc_conn.c:475 [inline] [<000000001372ae17>] llc_conn_service net/llc/llc_conn.c:400 [inline] [<000000001372ae17>] llc_conn_state_process+0x1ac/0x640 net/llc/llc_conn.c:75 [<00000000f27e53c1>] llc_establish_connection+0x110/0x170 net/llc/llc_if.c:109 [<00000000291b2ca0>] llc_ui_connect+0x10e/0x370 net/llc/af_llc.c:477 [<000000000f9c740b>] __sys_connect+0x11d/0x170 net/socket.c:1840 [...] The bug is that most callers of llc_conn_send_pdu() assume it consumes a reference to the skb, when actually due to commit b85ab56c3f81 ("llc: properly handle dev_queue_xmit() return value") it doesn't. Revert most of that commit, and instead make the few places that need llc_conn_send_pdu() to *not* consume a reference call skb_get() before. Fixes: b85ab56c3f81 ("llc: properly handle dev_queue_xmit() return value") Reported-by: syzbot+6b825a6494a04cc0e3f7@syzkaller.appspotmail.com Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * llc: fix sk_buff leak in llc_sap_state_process()Eric Biggers2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit c6ee11c39fcc1fb55130748990a8f199e76263b4 upstream. syzbot reported: BUG: memory leak unreferenced object 0xffff888116270800 (size 224): comm "syz-executor641", pid 7047, jiffies 4294947360 (age 13.860s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 20 e1 2a 81 88 ff ff 00 40 3d 2a 81 88 ff ff . .*.....@=*.... backtrace: [<000000004d41b4cc>] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline] [<000000004d41b4cc>] slab_post_alloc_hook mm/slab.h:439 [inline] [<000000004d41b4cc>] slab_alloc_node mm/slab.c:3269 [inline] [<000000004d41b4cc>] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579 [<00000000506a5965>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198 [<000000001ba5a161>] alloc_skb include/linux/skbuff.h:1058 [inline] [<000000001ba5a161>] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327 [<0000000047d9c78b>] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225 [<000000003828fe54>] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242 [<00000000e34d94f9>] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933 [<00000000de2de3fb>] sock_sendmsg_nosec net/socket.c:652 [inline] [<00000000de2de3fb>] sock_sendmsg+0x54/0x70 net/socket.c:671 [<000000008fe16e7a>] __sys_sendto+0x148/0x1f0 net/socket.c:1964 [...] The bug is that llc_sap_state_process() always takes an extra reference to the skb, but sometimes neither llc_sap_next_state() nor llc_sap_state_process() itself drops this reference. Fix it by changing llc_sap_next_state() to never consume a reference to the skb, rather than sometimes do so and sometimes not. Then remove the extra skb_get() and kfree_skb() from llc_sap_state_process(). Reported-by: syzbot+6bf095f9becf5efef645@syzkaller.appspotmail.com Reported-by: syzbot+31c16aa4202dace3812e@syzkaller.appspotmail.com Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Biggers <ebiggers@google.com> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * nl80211: fix validation of mesh path nexthopMarkus Theil2019-11-06
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 1fab1b89e2e8f01204a9c05a39fd0b6411a48593 upstream. Mesh path nexthop should be a ethernet address, but current validation checks against 4 byte integers. Cc: stable@vger.kernel.org Fixes: 2ec600d672e74 ("nl80211/cfg80211: support for mesh, sta dumping") Signed-off-by: Markus Theil <markus.theil@tu-ilmenau.de> Link: https://lore.kernel.org/r/20191029093003.10355-1-markus.theil@tu-ilmenau.de Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | | Merge android-4.4-p.198 (dbd0162) into msm-4.4Srinivasarao P2019-10-30
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refs/heads/tmp-dbd0162 Linux 4.4.198 RDMA/cxgb4: Do not dma memory off of the stack net: sched: Fix memory exposure from short TCA_U32_SEL PCI: PM: Fix pci_power_up() xen/netback: fix error path of xenvif_connect_data() cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() CIFS: avoid using MID 0xFFFF parisc: Fix vmap memory leak in ioremap()/iounmap() xtensa: drop EXPORT_SYMBOL for outs*/ins* mm/slub: fix a deadlock in show_slab_objects() scsi: zfcp: fix reaction on bit error threshold notification drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 mac80211: Reject malformed SSID elements cfg80211: wext: avoid copying malformed SSIDs ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting scsi: core: try to get module before removing device USB: ldusb: fix read info leaks USB: usblp: fix use-after-free on disconnect USB: ldusb: fix memleak on disconnect USB: serial: ti_usb_3410_5052: fix port-close races usb: udc: lpc32xx: fix bad bit shift operation USB: legousbtower: fix memleak on disconnect memfd: Fix locking when tagging pins ipv4: Return -ENETUNREACH if we can't create route but saddr is valid net: avoid potential infinite loop in tc_ctl_action() sctp: change sctp_prot .no_autobind with true net: bcmgenet: Set phydev->dev_flags only for internal PHYs net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 loop: Add LOOP_SET_DIRECT_IO to compat ioctl namespace: fix namespace.pl script to support relative paths net: hisilicon: Fix usage of uninitialized variable in function mdio_sc_cfg_reg_write() mips: Loongson: Fix the link time qualifier of 'serial_exit()' nl80211: fix null pointer dereference ARM: dts: am4372: Set memory bandwidth limit for DISPC ARM: OMAP2+: Fix missing reset done flag for am3 and am43 scsi: qla2xxx: Fix unbound sleep in fcport delete path. scsi: megaraid: disable device when probe failed after enabled device scsi: ufs: skip shutdown if hba is not powered rtlwifi: Fix potential overflow on P2P code ANDROID: clang: update to 9.0.8 based on r365631c ANDROID: move up spin_unlock_bh() ahead of remove_proc_entry() ANDROID: refactor build.config files to remove duplication Conflicts: drivers/block/loop.c Change-Id: I68d2106c6480b9a2573f31302b0c75922f427732 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
| * | Merge 4.4.198 into android-4.4-pGreg Kroah-Hartman2019-10-29
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.198 scsi: ufs: skip shutdown if hba is not powered scsi: megaraid: disable device when probe failed after enabled device scsi: qla2xxx: Fix unbound sleep in fcport delete path. ARM: OMAP2+: Fix missing reset done flag for am3 and am43 ARM: dts: am4372: Set memory bandwidth limit for DISPC nl80211: fix null pointer dereference mips: Loongson: Fix the link time qualifier of 'serial_exit()' net: hisilicon: Fix usage of uninitialized variable in function mdio_sc_cfg_reg_write() namespace: fix namespace.pl script to support relative paths loop: Add LOOP_SET_DIRECT_IO to compat ioctl net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 net: bcmgenet: Set phydev->dev_flags only for internal PHYs sctp: change sctp_prot .no_autobind with true net: avoid potential infinite loop in tc_ctl_action() ipv4: Return -ENETUNREACH if we can't create route but saddr is valid memfd: Fix locking when tagging pins USB: legousbtower: fix memleak on disconnect usb: udc: lpc32xx: fix bad bit shift operation USB: serial: ti_usb_3410_5052: fix port-close races USB: ldusb: fix memleak on disconnect USB: usblp: fix use-after-free on disconnect USB: ldusb: fix read info leaks scsi: core: try to get module before removing device ASoC: rsnd: Reinitialize bit clock inversion flag for every format setting cfg80211: wext: avoid copying malformed SSIDs mac80211: Reject malformed SSID elements drm/edid: Add 6 bpc quirk for SDC panel in Lenovo G50 scsi: zfcp: fix reaction on bit error threshold notification mm/slub: fix a deadlock in show_slab_objects() xtensa: drop EXPORT_SYMBOL for outs*/ins* parisc: Fix vmap memory leak in ioremap()/iounmap() CIFS: avoid using MID 0xFFFF btrfs: block-group: Fix a memory leak due to missing btrfs_put_block_group() memstick: jmb38x_ms: Fix an error handling path in 'jmb38x_ms_probe()' cpufreq: Avoid cpufreq_suspend() deadlock on system shutdown xen/netback: fix error path of xenvif_connect_data() PCI: PM: Fix pci_power_up() net: sched: Fix memory exposure from short TCA_U32_SEL RDMA/cxgb4: Do not dma memory off of the stack Linux 4.4.198 Change-Id: Ibaaa507ab0873375f5ad9ef2d53982aa8d346599 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| | * net: sched: Fix memory exposure from short TCA_U32_SELKees Cook2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 98c8f125fd8a6240ea343c1aa50a1be9047791b8 upstream. Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink policy, so max length isn't enforced, only minimum. This means nkeys (from userspace) was being trusted without checking the actual size of nla_len(), which could lead to a memory over-read, and ultimately an exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within a namespace. Reported-by: Al Viro <viro@zeniv.linux.org.uk> Cc: Jamal Hadi Salim <jhs@mojatatu.com> Cc: Cong Wang <xiyou.wangcong@gmail.com> Cc: Jiri Pirko <jiri@resnulli.us> Cc: "David S. Miller" <davem@davemloft.net> Cc: netdev@vger.kernel.org Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Zubin Mithra <zsm@chromium.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * mac80211: Reject malformed SSID elementsWill Deacon2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 4152561f5da3fca92af7179dd538ea89e248f9d0 upstream. Although this shouldn't occur in practice, it's a good idea to bounds check the length field of the SSID element prior to using it for things like allocations or memcpy operations. Cc: <stable@vger.kernel.org> Cc: Kees Cook <keescook@chromium.org> Reported-by: Nicolas Waisman <nico@semmle.com> Signed-off-by: Will Deacon <will@kernel.org> Link: https://lore.kernel.org/r/20191004095132.15777-1-will@kernel.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * cfg80211: wext: avoid copying malformed SSIDsWill Deacon2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 4ac2813cc867ae563a1ba5a9414bfb554e5796fa upstream. Ensure the SSID element is bounds-checked prior to invoking memcpy() with its length field, when copying to userspace. Cc: <stable@vger.kernel.org> Cc: Kees Cook <keescook@chromium.org> Reported-by: Nicolas Waisman <nico@semmle.com> Signed-off-by: Will Deacon <will@kernel.org> Link: https://lore.kernel.org/r/20191004095132.15777-2-will@kernel.org [adjust commit log a bit] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * ipv4: Return -ENETUNREACH if we can't create route but saddr is validStefano Brivio2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 595e0651d0296bad2491a4a29a7a43eae6328b02 ] ...instead of -EINVAL. An issue was found with older kernel versions while unplugging a NFS client with pending RPCs, and the wrong error code here prevented it from recovering once link is back up with a configured address. Incidentally, this is not an issue anymore since commit 4f8943f80883 ("SUNRPC: Replace direct task wakeups from softirq context"), included in 5.2-rc7, had the effect of decoupling the forwarding of this error by using SO_ERROR in xs_wake_error(), as pointed out by Benjamin Coddington. To the best of my knowledge, this isn't currently causing any further issue, but the error code doesn't look appropriate anyway, and we might hit this in other paths as well. In detail, as analysed by Gonzalo Siero, once the route is deleted because the interface is down, and can't be resolved and we return -EINVAL here, this ends up, courtesy of inet_sk_rebuild_header(), as the socket error seen by tcp_write_err(), called by tcp_retransmit_timer(). In turn, tcp_write_err() indirectly calls xs_error_report(), which wakes up the RPC pending tasks with a status of -EINVAL. This is then seen by call_status() in the SUN RPC implementation, which aborts the RPC call calling rpc_exit(), instead of handling this as a potentially temporary condition, i.e. as a timeout. Return -EINVAL only if the input parameters passed to ip_route_output_key_hash_rcu() are actually invalid (this is the case if the specified source address is multicast, limited broadcast or all zeroes), but return -ENETUNREACH in all cases where, at the given moment, the given source address doesn't allow resolving the route. While at it, drop the initialisation of err to -ENETUNREACH, which was added to __ip_route_output_key() back then by commit 0315e3827048 ("net: Fix behaviour of unreachable, blackhole and prohibit routes"), but actually had no effect, as it was, and is, overwritten by the fib_lookup() return code assignment, and anyway ignored in all other branches, including the if (fl4->saddr) one: I find this rather confusing, as it would look like -ENETUNREACH is the "default" error, while that statement has no effect. Also note that after commit fc75fc8339e7 ("ipv4: dont create routes on down devices"), we would get -ENETUNREACH if the device is down, but -EINVAL if the source address is specified and we can't resolve the route, and this appears to be rather inconsistent. Reported-by: Stefan Walter <walteste@inf.ethz.ch> Analysed-by: Benjamin Coddington <bcodding@redhat.com> Analysed-by: Gonzalo Siero <gsierohu@redhat.com> Signed-off-by: Stefano Brivio <sbrivio@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * net: avoid potential infinite loop in tc_ctl_action()Eric Dumazet2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 39f13ea2f61b439ebe0060393e9c39925c9ee28c ] tc_ctl_action() has the ability to loop forever if tcf_action_add() returns -EAGAIN. This special case has been done in case a module needed to be loaded, but it turns out that tcf_add_notify() could also return -EAGAIN if the socket sk_rcvbuf limit is hit. We need to separate the two cases, and only loop for the module loading case. While we are at it, add a limit of 10 attempts since unbounded loops are always scary. syzbot repro was something like : socket(PF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3 write(3, ..., 38) = 38 setsockopt(3, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0 sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{..., 388}], msg_controllen=0, msg_flags=0x10}, ...) NMI backtrace for cpu 0 CPU: 0 PID: 1054 Comm: khungtaskd Not tainted 5.4.0-rc1+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x172/0x1f0 lib/dump_stack.c:113 nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101 nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62 arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline] watchdog+0x9d0/0xef0 kernel/hung_task.c:289 kthread+0x361/0x430 kernel/kthread.c:255 ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 Sending NMI from CPU 0 to CPUs 1: NMI backtrace for cpu 1 CPU: 1 PID: 8859 Comm: syz-executor910 Not tainted 5.4.0-rc1+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:751 [inline] RIP: 0010:lockdep_hardirqs_off+0x1df/0x2e0 kernel/locking/lockdep.c:3453 Code: 5c 08 00 00 5b 41 5c 41 5d 5d c3 48 c7 c0 58 1d f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d3 00 00 00 <48> 83 3d 21 9e 99 07 00 0f 84 b9 00 00 00 9c 58 0f 1f 44 00 00 f6 RSP: 0018:ffff8880a6f3f1b8 EFLAGS: 00000046 RAX: 1ffffffff11e63ab RBX: ffff88808c9c6080 RCX: 0000000000000000 RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88808c9c6914 RBP: ffff8880a6f3f1d0 R08: ffff88808c9c6080 R09: fffffbfff16be5d1 R10: fffffbfff16be5d0 R11: 0000000000000003 R12: ffffffff8746591f R13: ffff88808c9c6080 R14: ffffffff8746591f R15: 0000000000000003 FS: 00000000011e4880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffff600400 CR3: 00000000a8920000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: trace_hardirqs_off+0x62/0x240 kernel/trace/trace_preemptirq.c:45 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] _raw_spin_lock_irqsave+0x6f/0xcd kernel/locking/spinlock.c:159 __wake_up_common_lock+0xc8/0x150 kernel/sched/wait.c:122 __wake_up+0xe/0x10 kernel/sched/wait.c:142 netlink_unlock_table net/netlink/af_netlink.c:466 [inline] netlink_unlock_table net/netlink/af_netlink.c:463 [inline] netlink_broadcast_filtered+0x705/0xb80 net/netlink/af_netlink.c:1514 netlink_broadcast+0x3a/0x50 net/netlink/af_netlink.c:1534 rtnetlink_send+0xdd/0x110 net/core/rtnetlink.c:714 tcf_add_notify net/sched/act_api.c:1343 [inline] tcf_action_add+0x243/0x370 net/sched/act_api.c:1362 tc_ctl_action+0x3b5/0x4bc net/sched/act_api.c:1410 rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5386 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5404 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:657 ___sys_sendmsg+0x803/0x920 net/socket.c:2311 __sys_sendmsg+0x105/0x1d0 net/socket.c:2356 __do_sys_sendmsg net/socket.c:2365 [inline] __se_sys_sendmsg net/socket.c:2363 [inline] __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x440939 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot+cf0adbb9c28c8866c788@syzkaller.appspotmail.com Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * sctp: change sctp_prot .no_autobind with trueXin Long2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 63dfb7938b13fa2c2fbcb45f34d065769eb09414 ] syzbot reported a memory leak: BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64): backtrace: [...] slab_alloc mm/slab.c:3319 [inline] [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483 [...] sctp_bucket_create net/sctp/socket.c:8523 [inline] [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270 [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402 [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497 [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022 [...] sctp_setsockopt net/sctp/socket.c:4641 [inline] [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611 [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147 [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084 [...] __do_sys_setsockopt net/socket.c:2100 [inline] It was caused by when sending msgs without binding a port, in the path: inet_sendmsg() -> inet_send_prepare() -> inet_autobind() -> .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is not. Later when binding another port by sctp_setsockopt_bindx(), a new bucket will be created as bp->port is not set. sctp's autobind is supposed to call sctp_autobind() where it does all things including setting bp->port. Since sctp_autobind() is called in sctp_sendmsg() if the sk is not yet bound, it should have skipped the auto bind. THis patch is to avoid calling inet_autobind() in inet_send_prepare() by changing sctp_prot .no_autobind with true, also remove the unused .get_port. Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * nl80211: fix null pointer dereferenceMiaoqing Pan2019-10-29
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit b501426cf86e70649c983c52f4c823b3c40d72a3 ] If the interface is not in MESH mode, the command 'iw wlanx mpath del' will cause kernel panic. The root cause is null pointer access in mpp_flush_by_proxy(), as the pointer 'sdata->u.mesh.mpp_paths' is NULL for non MESH interface. Unable to handle kernel NULL pointer dereference at virtual address 00000068 [...] PC is at _raw_spin_lock_bh+0x20/0x5c LR is at mesh_path_del+0x1c/0x17c [mac80211] [...] Process iw (pid: 4537, stack limit = 0xd83e0238) [...] [<c021211c>] (_raw_spin_lock_bh) from [<bf8c7648>] (mesh_path_del+0x1c/0x17c [mac80211]) [<bf8c7648>] (mesh_path_del [mac80211]) from [<bf6cdb7c>] (extack_doit+0x20/0x68 [compat]) [<bf6cdb7c>] (extack_doit [compat]) from [<c05c309c>] (genl_rcv_msg+0x274/0x30c) [<c05c309c>] (genl_rcv_msg) from [<c05c25d8>] (netlink_rcv_skb+0x58/0xac) [<c05c25d8>] (netlink_rcv_skb) from [<c05c2e14>] (genl_rcv+0x20/0x34) [<c05c2e14>] (genl_rcv) from [<c05c1f90>] (netlink_unicast+0x11c/0x204) [<c05c1f90>] (netlink_unicast) from [<c05c2420>] (netlink_sendmsg+0x30c/0x370) [<c05c2420>] (netlink_sendmsg) from [<c05886d0>] (sock_sendmsg+0x70/0x84) [<c05886d0>] (sock_sendmsg) from [<c0589f4c>] (___sys_sendmsg.part.3+0x188/0x228) [<c0589f4c>] (___sys_sendmsg.part.3) from [<c058add4>] (__sys_sendmsg+0x4c/0x70) [<c058add4>] (__sys_sendmsg) from [<c0208c80>] (ret_fast_syscall+0x0/0x44) Code: e2822c02 e2822001 e5832004 f590f000 (e1902f9f) ---[ end trace bbd717600f8f884d ]--- Signed-off-by: Miaoqing Pan <miaoqing@codeaurora.org> Link: https://lore.kernel.org/r/1569485810-761-1-git-send-email-miaoqing@codeaurora.org [trim useless data from commit message] Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| * | ANDROID: move up spin_unlock_bh() ahead of remove_proc_entry()DongJoo Kim2019-10-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | It causes BUG because remove_proc_entry may sleep while holding spinlock. BUG: scheduling while atomic: ip6tables-resto/887/0x00000202 [<c0f03f00>] (wait_for_completion) from [<c031b8c8>] (proc_entry_rundown+0x74/0xd0) [<c031b854>] (proc_entry_rundown) from [<c03225c4>] (remove_proc_entry+0xc0/0x18c) [<c0322504>] (remove_proc_entry) from [<c0d656e0>] (quota_mt2_destroy+0x88/0xa8) [<c0d65658>] (quota_mt2_destroy) from [<c0e405f0>] (cleanup_entry+0x6c/0xf0) [<c0e40584>] (cleanup_entry) from [<c0e41400>] (do_replace.constprop.2+0x314/0x438) [<c0e410ec>] (do_replace.constprop.2) from [<c0e41640>] (do_ip6t_set_ctl+0x11c/0x238) [<c0e41524>] (do_ip6t_set_ctl) from [<c0d2e7ec>] (nf_setsockopt+0xd4/0xf0) [<c0d2e718>] (nf_setsockopt) from [<c0e16bb8>] (ipv6_setsockopt+0x90/0xb8) [<c0e16b28>] (ipv6_setsockopt) from [<c0e1e908>] (rawv6_setsockopt+0x54/0x22c) [<c0e1e8b4>] (rawv6_setsockopt) from [<c0cb48dc>] (sock_common_setsockopt+0x28/0x30) [<c0cb48b4>] (sock_common_setsockopt) from [<c0cb3ac8>] (SyS_setsockopt+0xb8/0x110) [<c0cb3a10>] (SyS_setsockopt) from [<c01094e0>] (ret_fast_syscall+0x0/0x48) This is a fix for an Android specific feature which was imported from unofficial upstream (xtables-addons), which also has the same issue: https://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/extensions/xt_quota2.c#l235 After this change the proc entry may now be removed later, when we're already adding another one, potentially with the same name, this will simply fail during creation, see error path for this at: https://sourceforge.net/p/xtables-addons/xtables-addons/ci/master/tree/extensions/xt_quota2.c#l179 Bug: 143092160 Signed-off-by: Maciej ƻenczykowski <maze@google.com> Signed-off-by: DongJoo Kim <micomx@gmail.com> Change-Id: I3ff3883738353785f5792c5f06bf6b72985c4c68
* | | Merge android-4.4-p.197 (93ec8fb) into msm-4.4Srinivasarao P2019-10-30
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refs/heads/tmp-93ec8fb Linux 4.4.197 xfs: clear sb->s_fs_info on mount failure x86/asm: Fix MWAITX C-state hint value tracing: Get trace_array reference for available_tracers files media: stkwebcam: fix runtime PM after driver unbind CIFS: Force revalidate inode when dentry is stale cifs: Check uniqueid for SMB2+ and return -ESTALE if necessary Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc arm64: Rename cpuid_feature field extract routines arm64: capabilities: Handle sign of the feature bit kernel/sysctl.c: do not override max_threads provided by userspace CIFS: Force reval dentry if LOOKUP_REVAL flag is set CIFS: Gracefully handle QueryInfo errors during open perf llvm: Don't access out-of-scope array iio: light: opt3001: fix mutex unlock race iio: adc: ad799x: fix probe error handling staging: vt6655: Fix memory leak in vt6655_probe USB: legousbtower: fix use-after-free on release USB: legousbtower: fix open after failed reset request USB: legousbtower: fix potential NULL-deref on disconnect USB: legousbtower: fix deadlock on disconnect USB: legousbtower: fix slab info leak at probe usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}() USB: dummy-hcd: fix power budget for SuperSpeed mode USB: microtek: fix info-leak at probe USB: usblcd: fix I/O after disconnect USB: serial: fix runtime PM after driver unbind USB: serial: option: add support for Cinterion CLS8 devices USB: serial: option: add Telit FN980 compositions USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 USB: serial: keyspan: fix NULL-derefs on open() and write() serial: uartlite: fix exit path null pointer USB: ldusb: fix NULL-derefs on driver unbind USB: chaoskey: fix use-after-free on release USB: usblp: fix runtime PM after driver unbind USB: iowarrior: fix use-after-free after driver unbind USB: iowarrior: fix use-after-free on release USB: iowarrior: fix use-after-free on disconnect USB: adutux: fix use-after-free on release USB: adutux: fix NULL-derefs on disconnect USB: adutux: fix use-after-free on disconnect USB: adutux: remove redundant variable minor xhci: Increase STS_SAVE timeout in xhci_suspend() usb: xhci: wait for CNR controller not ready bit in xhci resume xhci: Check all endpoints for LPM timeout xhci: Prevent device initiated U1/U2 link pm if exit latency is too long USB: usb-skeleton: fix NULL-deref on disconnect USB: usb-skeleton: fix runtime PM after driver unbind USB: yurex: fix NULL-derefs on disconnect USB: yurex: Don't retry on unexpected errors USB: rio500: Remove Rio 500 kernel driver panic: ensure preemption is disabled during panic() ASoC: sgtl5000: Improve VAG power and mute control nl80211: validate beacon head cfg80211: Use const more consistently in for_each_element macros cfg80211: add and use strongly typed element iteration macros crypto: caam - fix concurrency issue in givencrypt descriptor perf stat: Fix a segmentation fault when using repeat forever tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure kernel/elfcore.c: include proper prototypes fuse: fix memleak in cuse_channel_open thermal: Fix use-after-free when unregistering thermal zone device drm/amdgpu: Check for valid number of registers to read ceph: fix directories inode i_blkbits initialization xen/pci: reserve MCFG areas earlier 9p: avoid attaching writeback_fid on mmap with type PRIVATE fs: nfs: Fix possible null-pointer dereferences in encode_attrs() ima: always return negative code for error cfg80211: initialize on-stack chandefs ieee802154: atusb: fix use-after-free at disconnect crypto: qat - Silence smp_processor_id() warning can: mcp251x: mcp251x_hw_reset(): allow more time after a reset powerpc/powernv: Restrict OPAL symbol map to only be readable by root ASoC: Define a set of DAPM pre/post-up events KVM: nVMX: handle page fault in vmread fix s390/cio: exclude subchannels with no parent from pseudo check s390/cio: avoid calling strlen on null pointer s390/topology: avoid firing events before kobjs are created KVM: s390: Test for bad access register and size at the start of S390_MEM_OP Change-Id: I948ef653eafcff32197e1886e13548b32be2d0ad Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
| * | Merge 4.4.197 into android-4.4-pGreg Kroah-Hartman2019-10-17
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.197 KVM: s390: Test for bad access register and size at the start of S390_MEM_OP s390/topology: avoid firing events before kobjs are created s390/cio: avoid calling strlen on null pointer s390/cio: exclude subchannels with no parent from pseudo check KVM: nVMX: handle page fault in vmread fix ASoC: Define a set of DAPM pre/post-up events powerpc/powernv: Restrict OPAL symbol map to only be readable by root can: mcp251x: mcp251x_hw_reset(): allow more time after a reset crypto: qat - Silence smp_processor_id() warning ieee802154: atusb: fix use-after-free at disconnect cfg80211: initialize on-stack chandefs ima: always return negative code for error fs: nfs: Fix possible null-pointer dereferences in encode_attrs() 9p: avoid attaching writeback_fid on mmap with type PRIVATE xen/pci: reserve MCFG areas earlier ceph: fix directories inode i_blkbits initialization drm/amdgpu: Check for valid number of registers to read thermal: Fix use-after-free when unregistering thermal zone device fuse: fix memleak in cuse_channel_open kernel/elfcore.c: include proper prototypes tools lib traceevent: Do not free tep->cmdlines in add_new_comm() on failure perf stat: Fix a segmentation fault when using repeat forever crypto: caam - fix concurrency issue in givencrypt descriptor cfg80211: add and use strongly typed element iteration macros cfg80211: Use const more consistently in for_each_element macros nl80211: validate beacon head ASoC: sgtl5000: Improve VAG power and mute control panic: ensure preemption is disabled during panic() USB: rio500: Remove Rio 500 kernel driver USB: yurex: Don't retry on unexpected errors USB: yurex: fix NULL-derefs on disconnect USB: usb-skeleton: fix runtime PM after driver unbind USB: usb-skeleton: fix NULL-deref on disconnect xhci: Prevent device initiated U1/U2 link pm if exit latency is too long xhci: Check all endpoints for LPM timeout usb: xhci: wait for CNR controller not ready bit in xhci resume xhci: Increase STS_SAVE timeout in xhci_suspend() USB: adutux: remove redundant variable minor USB: adutux: fix use-after-free on disconnect USB: adutux: fix NULL-derefs on disconnect USB: adutux: fix use-after-free on release USB: iowarrior: fix use-after-free on disconnect USB: iowarrior: fix use-after-free on release USB: iowarrior: fix use-after-free after driver unbind USB: usblp: fix runtime PM after driver unbind USB: chaoskey: fix use-after-free on release USB: ldusb: fix NULL-derefs on driver unbind serial: uartlite: fix exit path null pointer USB: serial: keyspan: fix NULL-derefs on open() and write() USB: serial: ftdi_sio: add device IDs for Sienna and Echelon PL-20 USB: serial: option: add Telit FN980 compositions USB: serial: option: add support for Cinterion CLS8 devices USB: serial: fix runtime PM after driver unbind USB: usblcd: fix I/O after disconnect USB: microtek: fix info-leak at probe USB: dummy-hcd: fix power budget for SuperSpeed mode usb: renesas_usbhs: gadget: Do not discard queues in usb_ep_set_{halt,wedge}() usb: renesas_usbhs: gadget: Fix usb_ep_set_{halt,wedge}() behavior USB: legousbtower: fix slab info leak at probe USB: legousbtower: fix deadlock on disconnect USB: legousbtower: fix potential NULL-deref on disconnect USB: legousbtower: fix open after failed reset request USB: legousbtower: fix use-after-free on release staging: vt6655: Fix memory leak in vt6655_probe iio: adc: ad799x: fix probe error handling iio: light: opt3001: fix mutex unlock race perf llvm: Don't access out-of-scope array CIFS: Gracefully handle QueryInfo errors during open CIFS: Force reval dentry if LOOKUP_REVAL flag is set kernel/sysctl.c: do not override max_threads provided by userspace arm64: capabilities: Handle sign of the feature bit arm64: Rename cpuid_feature field extract routines Staging: fbtft: fix memory leak in fbtft_framebuffer_alloc cifs: Check uniqueid for SMB2+ and return -ESTALE if necessary CIFS: Force revalidate inode when dentry is stale media: stkwebcam: fix runtime PM after driver unbind tracing: Get trace_array reference for available_tracers files x86/asm: Fix MWAITX C-state hint value xfs: clear sb->s_fs_info on mount failure Linux 4.4.197 Change-Id: I0879b08629040431c71dae0d8b5474863d5e0391 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| | * nl80211: validate beacon headJohannes Berg2019-10-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit f88eb7c0d002a67ef31aeb7850b42ff69abc46dc upstream. We currently don't validate the beacon head, i.e. the header, fixed part and elements that are to go in front of the TIM element. This means that the variable elements there can be malformed, e.g. have a length exceeding the buffer size, but most downstream code from this assumes that this has already been checked. Add the necessary checks to the netlink policy. Cc: stable@vger.kernel.org Fixes: ed1b6cc7f80f ("cfg80211/nl80211: add beacon settings") Link: https://lore.kernel.org/r/1569009255-I7ac7fbe9436e9d8733439eab8acbbd35e55c74ef@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * cfg80211: initialize on-stack chandefsJohannes Berg2019-10-17
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit f43e5210c739fe76a4b0ed851559d6902f20ceb1 upstream. In a few places we don't properly initialize on-stack chandefs, resulting in EDMG data to be non-zero, which broke things. Additionally, in a few places we rely on the driver to init the data completely, but perhaps we shouldn't as non-EDMG drivers may not initialize the EDMG data, also initialize it there. Cc: stable@vger.kernel.org Fixes: 2a38075cd0be ("nl80211: Add support for EDMG channels") Reported-by: Dmitry Osipenko <digetx@gmail.com> Tested-by: Dmitry Osipenko <digetx@gmail.com> Link: https://lore.kernel.org/r/1569239475-I2dcce394ecf873376c386a78f31c2ec8b538fa25@changeid Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | | Merge android-4.4-p.196 (736005d) into msm-4.4Srinivasarao P2019-10-30
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refs/heads/tmp-736005d Linux 4.4.196 NFC: fix attrs checks in netlink interface smack: use GFP_NOFS while holding inode_smack::smk_lock Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set sch_cbq: validate TCA_CBQ_WRROPT to avoid crash net/rds: Fix error handling in rds_ib_add_one() xen-netfront: do not use ~0U as error return value for xennet_fill_frags() sch_dsmark: fix potential NULL deref in dsmark_init() nfc: fix memory leak in llcp_sock_bind() net: qlogic: Fix memory leak in ql_alloc_large_buffers net: ipv4: avoid mixed n_redirects and rate_tokens usage ipv6: drop incoming packets having a v4mapped source address hso: fix NULL-deref on tty open ANDROID: binder: synchronize_rcu() when using POLLFREE. ANDROID: binder: remove waitqueue when thread exits. kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K ocfs2: wait for recovering done after direct unlock request hypfs: Fix error number left in struct pointer member fat: work around race with userspace's read via blockdev while mounting security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb() HID: apple: Fix stuck function keys when using FN ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as writes mfd: intel-lpss: Remove D3cold delay scsi: core: Reduce memory required for SCSI logging powerpc/pseries: correctly track irq state in default idle powerpc/64s/exception: machine check use correct cfar for late handler vfio_pci: Restore original state on release pinctrl: tegra: Fix write barrier placement in pmx_writel powerpc/pseries/mobility: use cond_resched when updating device tree powerpc/futex: Fix warning: 'oldval' may be used uninitialized in this function powerpc/rtas: use device model APIs and serialization during LPM clk: sirf: Don't reference clk_init_data after registration clk: qoriq: Fix -Wunused-const-variable ipmi_si: Only schedule continuously in the thread in maintenance mode gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() video: ssd1307fb: Start page range at page_offset Change-Id: If2b47b65954e56510e7a8b963a7110ebc9a4f1cc Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
| * | Merge 4.4.196 into android-4.4-pGreg Kroah-Hartman2019-10-07
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.196 video: ssd1307fb: Start page range at page_offset gpu: drm: radeon: Fix a possible null-pointer dereference in radeon_connector_set_property() ipmi_si: Only schedule continuously in the thread in maintenance mode clk: qoriq: Fix -Wunused-const-variable clk: sirf: Don't reference clk_init_data after registration powerpc/rtas: use device model APIs and serialization during LPM powerpc/futex: Fix warning: 'oldval' may be used uninitialized in this function powerpc/pseries/mobility: use cond_resched when updating device tree pinctrl: tegra: Fix write barrier placement in pmx_writel vfio_pci: Restore original state on release powerpc/64s/exception: machine check use correct cfar for late handler powerpc/pseries: correctly track irq state in default idle scsi: core: Reduce memory required for SCSI logging mfd: intel-lpss: Remove D3cold delay ARM: 8898/1: mm: Don't treat faults reported from cache maintenance as writes HID: apple: Fix stuck function keys when using FN security: smack: Fix possible null-pointer dereferences in smack_socket_sock_rcv_skb() fat: work around race with userspace's read via blockdev while mounting hypfs: Fix error number left in struct pointer member ocfs2: wait for recovering done after direct unlock request kmemleak: increase DEBUG_KMEMLEAK_EARLY_LOG_SIZE default to 16K ANDROID: binder: remove waitqueue when thread exits. ANDROID: binder: synchronize_rcu() when using POLLFREE. hso: fix NULL-deref on tty open ipv6: drop incoming packets having a v4mapped source address net: ipv4: avoid mixed n_redirects and rate_tokens usage net: qlogic: Fix memory leak in ql_alloc_large_buffers nfc: fix memory leak in llcp_sock_bind() sch_dsmark: fix potential NULL deref in dsmark_init() xen-netfront: do not use ~0U as error return value for xennet_fill_frags() net/rds: Fix error handling in rds_ib_add_one() sch_cbq: validate TCA_CBQ_WRROPT to avoid crash Smack: Don't ignore other bprm->unsafe flags if LSM_UNSAFE_PTRACE is set smack: use GFP_NOFS while holding inode_smack::smk_lock NFC: fix attrs checks in netlink interface Linux 4.4.196 Change-Id: I7e03bb3ca1865988df014b8e38336b76430842a9 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| | * NFC: fix attrs checks in netlink interfaceAndrey Konovalov2019-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 18917d51472fe3b126a3a8f756c6b18085eb8130 upstream. nfc_genl_deactivate_target() relies on the NFC_ATTR_TARGET_INDEX attribute being present, but doesn't check whether it is actually provided by the user. Same goes for nfc_genl_fw_download() and NFC_ATTR_FIRMWARE_NAME. This patch adds appropriate checks. Found with syzkaller. Signed-off-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * sch_cbq: validate TCA_CBQ_WRROPT to avoid crashEric Dumazet2019-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit e9789c7cc182484fc031fd88097eb14cb26c4596 ] syzbot reported a crash in cbq_normalize_quanta() caused by an out of range cl->priority. iproute2 enforces this check, but malicious users do not. kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] SMP KASAN PTI Modules linked in: CPU: 1 PID: 26447 Comm: syz-executor.1 Not tainted 5.3+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:cbq_normalize_quanta.part.0+0x1fd/0x430 net/sched/sch_cbq.c:902 RSP: 0018:ffff8801a5c333b0 EFLAGS: 00010206 RAX: 0000000020000003 RBX: 00000000fffffff8 RCX: ffffc9000712f000 RDX: 00000000000043bf RSI: ffffffff83be8962 RDI: 0000000100000018 RBP: ffff8801a5c33420 R08: 000000000000003a R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: 00000000000002ef R13: ffff88018da95188 R14: dffffc0000000000 R15: 0000000000000015 FS: 00007f37d26b1700(0000) GS:ffff8801dad00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00000000004c7cec CR3: 00000001bcd0a006 CR4: 00000000001626f0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: [<ffffffff83be9d57>] cbq_normalize_quanta include/net/pkt_sched.h:27 [inline] [<ffffffff83be9d57>] cbq_addprio net/sched/sch_cbq.c:1097 [inline] [<ffffffff83be9d57>] cbq_set_wrr+0x2d7/0x450 net/sched/sch_cbq.c:1115 [<ffffffff83bee8a7>] cbq_change_class+0x987/0x225b net/sched/sch_cbq.c:1537 [<ffffffff83b96985>] tc_ctl_tclass+0x555/0xcd0 net/sched/sch_api.c:2329 [<ffffffff83a84655>] rtnetlink_rcv_msg+0x485/0xc10 net/core/rtnetlink.c:5248 [<ffffffff83cadf0a>] netlink_rcv_skb+0x17a/0x460 net/netlink/af_netlink.c:2510 [<ffffffff83a7db6d>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5266 [<ffffffff83cac2c6>] netlink_unicast_kernel net/netlink/af_netlink.c:1324 [inline] [<ffffffff83cac2c6>] netlink_unicast+0x536/0x720 net/netlink/af_netlink.c:1350 [<ffffffff83cacd4a>] netlink_sendmsg+0x89a/0xd50 net/netlink/af_netlink.c:1939 [<ffffffff8399d46e>] sock_sendmsg_nosec net/socket.c:673 [inline] [<ffffffff8399d46e>] sock_sendmsg+0x12e/0x170 net/socket.c:684 [<ffffffff8399f1fd>] ___sys_sendmsg+0x81d/0x960 net/socket.c:2359 [<ffffffff839a2d05>] __sys_sendmsg+0x105/0x1d0 net/socket.c:2397 [<ffffffff839a2df9>] SYSC_sendmsg net/socket.c:2406 [inline] [<ffffffff839a2df9>] SyS_sendmsg+0x29/0x30 net/socket.c:2404 [<ffffffff8101ccc8>] do_syscall_64+0x528/0x770 arch/x86/entry/common.c:305 [<ffffffff84400091>] entry_SYSCALL_64_after_hwframe+0x42/0xb7 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * net/rds: Fix error handling in rds_ib_add_one()Dotan Barak2019-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit d64bf89a75b65f83f06be9fb8f978e60d53752db ] rds_ibdev:ipaddr_list and rds_ibdev:conn_list are initialized after allocation some resources such as protection domain. If allocation of such resources fail, then these uninitialized variables are accessed in rds_ib_dev_free() in failure path. This can potentially crash the system. The code has been updated to initialize these variables very early in the function. Signed-off-by: Dotan Barak <dotanb@dev.mellanox.co.il> Signed-off-by: Sudhakar Dindukurti <sudhakar.dindukurti@oracle.com> Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * sch_dsmark: fix potential NULL deref in dsmark_init()Eric Dumazet2019-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 474f0813a3002cb299bb73a5a93aa1f537a80ca8 ] Make sure TCA_DSMARK_INDICES was provided by the user. syzbot reported : kasan: CONFIG_KASAN_INLINE enabled kasan: GPF could be caused by NULL-ptr deref or user memory access general protection fault: 0000 [#1] PREEMPT SMP KASAN CPU: 1 PID: 8799 Comm: syz-executor235 Not tainted 5.3.0+ #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:nla_get_u16 include/net/netlink.h:1501 [inline] RIP: 0010:dsmark_init net/sched/sch_dsmark.c:364 [inline] RIP: 0010:dsmark_init+0x193/0x640 net/sched/sch_dsmark.c:339 Code: 85 db 58 0f 88 7d 03 00 00 e8 e9 1a ac fb 48 8b 9d 70 ff ff ff 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 04 48 89 fa 48 c1 ea 03 <0f> b6 14 02 48 89 f8 83 e0 07 83 c0 01 38 d0 7c 08 84 d2 0f 85 ca RSP: 0018:ffff88809426f3b8 EFLAGS: 00010247 RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff85c6eb09 RDX: 0000000000000000 RSI: ffffffff85c6eb17 RDI: 0000000000000004 RBP: ffff88809426f4b0 R08: ffff88808c4085c0 R09: ffffed1015d26159 R10: ffffed1015d26158 R11: ffff8880ae930ac7 R12: ffff8880a7e96940 R13: dffffc0000000000 R14: ffff88809426f8c0 R15: 0000000000000000 FS: 0000000001292880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000020000080 CR3: 000000008ca1b000 CR4: 00000000001406e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: qdisc_create+0x4ee/0x1210 net/sched/sch_api.c:1237 tc_modify_qdisc+0x524/0x1c50 net/sched/sch_api.c:1653 rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5223 netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5241 netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 sock_sendmsg_nosec net/socket.c:637 [inline] sock_sendmsg+0xd7/0x130 net/socket.c:657 ___sys_sendmsg+0x803/0x920 net/socket.c:2311 __sys_sendmsg+0x105/0x1d0 net/socket.c:2356 __do_sys_sendmsg net/socket.c:2365 [inline] __se_sys_sendmsg net/socket.c:2363 [inline] __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363 do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x440369 Fixes: 758cc43c6d73 ("[PKT_SCHED]: Fix dsmark to apply changes consistent") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * nfc: fix memory leak in llcp_sock_bind()Eric Dumazet2019-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit a0c2dc1fe63e2869b74c1c7f6a81d1745c8a695d ] sysbot reported a memory leak after a bind() has failed. While we are at it, abort the operation if kmemdup() has failed. BUG: memory leak unreferenced object 0xffff888105d83ec0 (size 32): comm "syz-executor067", pid 7207, jiffies 4294956228 (age 19.430s) hex dump (first 32 bytes): 00 69 6c 65 20 72 65 61 64 00 6e 65 74 3a 5b 34 .ile read.net:[4 30 32 36 35 33 33 30 39 37 5d 00 00 00 00 00 00 026533097]...... backtrace: [<0000000036bac473>] kmemleak_alloc_recursive /./include/linux/kmemleak.h:43 [inline] [<0000000036bac473>] slab_post_alloc_hook /mm/slab.h:522 [inline] [<0000000036bac473>] slab_alloc /mm/slab.c:3319 [inline] [<0000000036bac473>] __do_kmalloc /mm/slab.c:3653 [inline] [<0000000036bac473>] __kmalloc_track_caller+0x169/0x2d0 /mm/slab.c:3670 [<000000000cd39d07>] kmemdup+0x27/0x60 /mm/util.c:120 [<000000008e57e5fc>] kmemdup /./include/linux/string.h:432 [inline] [<000000008e57e5fc>] llcp_sock_bind+0x1b3/0x230 /net/nfc/llcp_sock.c:107 [<000000009cb0b5d3>] __sys_bind+0x11c/0x140 /net/socket.c:1647 [<00000000492c3bbc>] __do_sys_bind /net/socket.c:1658 [inline] [<00000000492c3bbc>] __se_sys_bind /net/socket.c:1656 [inline] [<00000000492c3bbc>] __x64_sys_bind+0x1e/0x30 /net/socket.c:1656 [<0000000008704b2a>] do_syscall_64+0x76/0x1a0 /arch/x86/entry/common.c:296 [<000000009f4c57a4>] entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: 30cc4587659e ("NFC: Move LLCP code to the NFC top level diirectory") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * net: ipv4: avoid mixed n_redirects and rate_tokens usagePaolo Abeni2019-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit b406472b5ad79ede8d10077f0c8f05505ace8b6d ] Since commit c09551c6ff7f ("net: ipv4: use a dedicated counter for icmp_v4 redirect packets") we use 'n_redirects' to account for redirect packets, but we still use 'rate_tokens' to compute the redirect packets exponential backoff. If the device sent to the relevant peer any ICMP error packet after sending a redirect, it will also update 'rate_token' according to the leaking bucket schema; typically 'rate_token' will raise above BITS_PER_LONG and the redirect packets backoff algorithm will produce undefined behavior. Fix the issue using 'n_redirects' to compute the exponential backoff in ip_rt_send_redirect(). Note that we still clear rate_tokens after a redirect silence period, to avoid changing an established behaviour. The root cause predates git history; before the mentioned commit in the critical scenario, the kernel stopped sending redirects, after the mentioned commit the behavior more randomic. Reported-by: Xiumei Mu <xmu@redhat.com> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Fixes: c09551c6ff7f ("net: ipv4: use a dedicated counter for icmp_v4 redirect packets") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Acked-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * ipv6: drop incoming packets having a v4mapped source addressEric Dumazet2019-10-07
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3 ] This began with a syzbot report. syzkaller was injecting IPv6 TCP SYN packets having a v4mapped source address. After an unsuccessful 4-tuple lookup, TCP creates a request socket (SYN_RECV) and calls reqsk_queue_hash_req() reqsk_queue_hash_req() calls sk_ehashfn(sk) At this point we have AF_INET6 sockets, and the heuristic used by sk_ehashfn() to either hash the IPv4 or IPv6 addresses is to use ipv6_addr_v4mapped(&sk->sk_v6_daddr) For the particular spoofed packet, we end up hashing V4 addresses which were not initialized by the TCP IPv6 stack, so KMSAN fired a warning. I first fixed sk_ehashfn() to test both source and destination addresses, but then faced various problems, including user-space programs like packetdrill that had similar assumptions. Instead of trying to fix the whole ecosystem, it is better to admit that we have a dual stack behavior, and that we can not build linux kernels without V4 stack anyway. The dual stack API automatically forces the traffic to be IPv4 if v4mapped addresses are used at bind() or connect(), so it makes no sense to allow IPv6 traffic to use the same v4mapped class. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Florian Westphal <fw@strlen.de> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | | Merge android-4.4-p.195 (4af3204) into msm-4.4Srinivasarao P2019-10-30
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refs/heads/tmp-4af3204 Linux 4.4.195 Btrfs: fix race setting up and completing qgroup rescan workers btrfs: Relinquish CPUs in btrfs_compare_trees Btrfs: fix use-after-free when using the tree modification log ovl: filter of trusted xattr results in audit CIFS: Fix oplock handling for SMB 2.1+ protocols i2c: riic: Clear NACK in tend isr hwrng: core - don't wait on add_early_randomness() quota: fix wrong condition in is_quota_modification() ext4: fix punch hole for inline_data file systems /dev/mem: Bail out upon SIGKILL. cfg80211: Purge frame registrations on iftype change md/raid6: Set R5_ReadError when there is read failure on parity disk alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up ASoC: Intel: Fix use of potentially uninitialized variable media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table KVM: x86: Manually calculate reserved bits when loading PDPTRS KVM: x86: set ctxt->have_exception in x86_decode_insn() KVM: x86: always stop emulation on page fault parisc: Disable HP HSC-PCI Cards to prevent kernel crash fuse: fix missing unlock_page in fuse_writepage() printk: Do not lose last line in kmsg buffer dump ALSA: firewire-tascam: check intermediate state of clock status and retry ALSA: firewire-tascam: handle error code when getting current source of clock media: omap3isp: Set device on omap3isp subdevs btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() libertas: Add missing sentinel at end of if_usb.c fw_table mmc: sdhci: Fix incorrect switch to HS mode ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set kprobes: Prohibit probing on BUG() and WARN() address dmaengine: ti: edma: Do not reset reserved paRAM slots md/raid1: fail run raid1 array when active disk less than one hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' ACPI: custom_method: fix memory leaks libtraceevent: Change users plugin directory ACPI / CPPC: do not require the _PSD method media: ov9650: add a sanity check media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() media: cpia2_usb: fix memory leaks media: saa7146: add cleanup in hexium_attach() media: hdpvr: add terminating 0 at end of string media: radio/si470x: kill urb on error net: lpc-enet: fix printk format strings media: omap3isp: Don't set streaming state on random subdevs dmaengine: iop-adma: use correct printk format strings media: gspca: zero usb_buf on error efi: cper: print AER info of PCIe fatal error md: don't set In_sync if array is frozen md: don't call spare_active in md_reap_sync_thread if all member devices can't work ia64:unwind: fix double free for mod->arch.init_unw_table ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid base: soc: Export soc_device_register/unregister APIs media: iguanair: add sanity checks ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() ALSA: hda - Show the fatal CORB/RIRB error more clearly x86/apic: Soft disable APIC before initializing it x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails sched/core: Fix CPU controller for !RT_GROUP_SCHED sched/fair: Fix imbalance due to CPU affinity media: hdpvr: Add device num check and handling media: dib0700: fix link error for dibx000_i2c_set_speed leds: leds-lp5562 allow firmware files up to the maximum length dmaengine: bcm2835: Print error in case setting DMA mask fails ASoC: sgtl5000: Fix charge pump source assignment ALSA: hda: Flush interrupts on disabling nfc: enforce CAP_NET_RAW for raw sockets ieee802154: enforce CAP_NET_RAW for raw sockets ax25: enforce CAP_NET_RAW for raw sockets appletalk: enforce CAP_NET_RAW for raw sockets mISDN: enforce CAP_NET_RAW for raw sockets usbnet: sanity checking of packet sizes and device mtu usbnet: ignore endpoints with invalid wMaxPacketSize skge: fix checksum byte order sch_netem: fix a divide by zero in tabledist() openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC net/phy: fix DP83865 10 Mbps HDX loopback disable function cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize arcnet: provide a buffer big enough to actually receive packets Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices drm: Flush output polling on shutdown f2fs: fix to do sanity check on segment bitmap of LFS curseg Revert "f2fs: avoid out-of-range memory access" f2fs: check all the data segments against all node ones irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices locking/lockdep: Add debug_locks check in __lock_downgrade() mac80211: handle deauthentication/disassociation from TDLS peer mac80211: Print text for disassociation reason ALSA: hda - Add laptop imic fixup for ASUS M9V laptop ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() net: rds: Fix NULL ptr use in rds_tcp_kill_sock crypto: talitos - fix missing break in switch statement mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() HID: hidraw: Fix invalid read in hidraw_ioctl HID: logitech: Fix general protection fault caused by Logitech driver HID: lg: make transfer buffers DMA capable HID: prodikeys: Fix general protection fault during probe Revert "Bluetooth: validate BLE connection interval updates" ANDROID: usb: gadget: Fix dependency for f_accessory Remove taskname from lowmemorykiller kill reports ANDROID: Fixes to locking around handle_lmk_event Conflicts: drivers/staging/android/lowmemorykiller.c fs/f2fs/segment.c fs/f2fs/super.c Change-Id: Id4b74ec2b0512aa13bc4392d61d5092f633fed0e Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
| * | Merge 4.4.195 into android-4.4-pGreg Kroah-Hartman2019-10-06
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.195 Revert "Bluetooth: validate BLE connection interval updates" HID: prodikeys: Fix general protection fault during probe HID: lg: make transfer buffers DMA capable HID: logitech: Fix general protection fault caused by Logitech driver HID: hidraw: Fix invalid read in hidraw_ioctl mtd: cfi_cmdset_0002: Use chip_good() to retry in do_write_oneword() crypto: talitos - fix missing break in switch statement net: rds: Fix NULL ptr use in rds_tcp_kill_sock ASoC: fsl: Fix of-node refcount unbalance in fsl_ssi_probe_from_dt() ALSA: hda - Add laptop imic fixup for ASUS M9V laptop mac80211: Print text for disassociation reason mac80211: handle deauthentication/disassociation from TDLS peer locking/lockdep: Add debug_locks check in __lock_downgrade() irqchip/gic-v3-its: Fix LPI release for Multi-MSI devices f2fs: check all the data segments against all node ones Revert "f2fs: avoid out-of-range memory access" f2fs: fix to do sanity check on segment bitmap of LFS curseg drm: Flush output polling on shutdown Bluetooth: btrtl: Additional Realtek 8822CE Bluetooth devices arcnet: provide a buffer big enough to actually receive packets cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize net/phy: fix DP83865 10 Mbps HDX loopback disable function openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC sch_netem: fix a divide by zero in tabledist() skge: fix checksum byte order usbnet: ignore endpoints with invalid wMaxPacketSize usbnet: sanity checking of packet sizes and device mtu mISDN: enforce CAP_NET_RAW for raw sockets appletalk: enforce CAP_NET_RAW for raw sockets ax25: enforce CAP_NET_RAW for raw sockets ieee802154: enforce CAP_NET_RAW for raw sockets nfc: enforce CAP_NET_RAW for raw sockets ALSA: hda: Flush interrupts on disabling ASoC: sgtl5000: Fix charge pump source assignment dmaengine: bcm2835: Print error in case setting DMA mask fails leds: leds-lp5562 allow firmware files up to the maximum length media: dib0700: fix link error for dibx000_i2c_set_speed media: hdpvr: Add device num check and handling sched/fair: Fix imbalance due to CPU affinity sched/core: Fix CPU controller for !RT_GROUP_SCHED x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails x86/apic: Soft disable APIC before initializing it ALSA: hda - Show the fatal CORB/RIRB error more clearly ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() media: iguanair: add sanity checks base: soc: Export soc_device_register/unregister APIs ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid ia64:unwind: fix double free for mod->arch.init_unw_table md: don't call spare_active in md_reap_sync_thread if all member devices can't work md: don't set In_sync if array is frozen efi: cper: print AER info of PCIe fatal error media: gspca: zero usb_buf on error dmaengine: iop-adma: use correct printk format strings media: omap3isp: Don't set streaming state on random subdevs net: lpc-enet: fix printk format strings media: radio/si470x: kill urb on error media: hdpvr: add terminating 0 at end of string media: saa7146: add cleanup in hexium_attach() media: cpia2_usb: fix memory leaks media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() media: ov9650: add a sanity check ACPI / CPPC: do not require the _PSD method libtraceevent: Change users plugin directory ACPI: custom_method: fix memory leaks hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' md/raid1: fail run raid1 array when active disk less than one dmaengine: ti: edma: Do not reset reserved paRAM slots kprobes: Prohibit probing on BUG() and WARN() address ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set mmc: sdhci: Fix incorrect switch to HS mode libertas: Add missing sentinel at end of if_usb.c fw_table media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type media: omap3isp: Set device on omap3isp subdevs ALSA: firewire-tascam: handle error code when getting current source of clock ALSA: firewire-tascam: check intermediate state of clock status and retry printk: Do not lose last line in kmsg buffer dump fuse: fix missing unlock_page in fuse_writepage() parisc: Disable HP HSC-PCI Cards to prevent kernel crash KVM: x86: always stop emulation on page fault KVM: x86: set ctxt->have_exception in x86_decode_insn() KVM: x86: Manually calculate reserved bits when loading PDPTRS media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table ASoC: Intel: Fix use of potentially uninitialized variable ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP md/raid6: Set R5_ReadError when there is read failure on parity disk cfg80211: Purge frame registrations on iftype change /dev/mem: Bail out upon SIGKILL. ext4: fix punch hole for inline_data file systems quota: fix wrong condition in is_quota_modification() hwrng: core - don't wait on add_early_randomness() i2c: riic: Clear NACK in tend isr CIFS: Fix oplock handling for SMB 2.1+ protocols ovl: filter of trusted xattr results in audit Btrfs: fix use-after-free when using the tree modification log btrfs: Relinquish CPUs in btrfs_compare_trees Btrfs: fix race setting up and completing qgroup rescan workers Linux 4.4.195 Change-Id: I0a333f55c8fd4273b37044e4e4e89ac1fb0fad1a Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| | * cfg80211: Purge frame registrations on iftype changeDenis Kenzior2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit c1d3ad84eae35414b6b334790048406bd6301b12 upstream. Currently frame registrations are not purged, even when changing the interface type. This can lead to potentially weird situations where frames possibly not allowed on a given interface type remain registered due to the type switching happening after registration. The kernel currently relies on userspace apps to actually purge the registrations themselves, this is not something that the kernel should rely on. Add a call to cfg80211_mlme_purge_registrations() to forcefully remove any registrations left over prior to switching the iftype. Cc: stable@vger.kernel.org Signed-off-by: Denis Kenzior <denkenz@gmail.com> Link: https://lore.kernel.org/r/20190828211110.15005-1-denkenz@gmail.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * nfc: enforce CAP_NET_RAW for raw socketsOri Nimron2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 3a359798b176183ef09efb7a3dc59abad1cc7104 ] When creating a raw AF_NFC socket, CAP_NET_RAW needs to be checked first. Signed-off-by: Ori Nimron <orinimron123@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * ieee802154: enforce CAP_NET_RAW for raw socketsOri Nimron2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit e69dbd4619e7674c1679cba49afd9dd9ac347eef ] When creating a raw AF_IEEE802154 socket, CAP_NET_RAW needs to be checked first. Signed-off-by: Ori Nimron <orinimron123@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Acked-by: Stefan Schmidt <stefan@datenfreihafen.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * ax25: enforce CAP_NET_RAW for raw socketsOri Nimron2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 0614e2b73768b502fc32a75349823356d98aae2c ] When creating a raw AF_AX25 socket, CAP_NET_RAW needs to be checked first. Signed-off-by: Ori Nimron <orinimron123@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * appletalk: enforce CAP_NET_RAW for raw socketsOri Nimron2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 6cc03e8aa36c51f3b26a0d21a3c4ce2809c842ac ] When creating a raw AF_APPLETALK socket, CAP_NET_RAW needs to be checked first. Signed-off-by: Ori Nimron <orinimron123@gmail.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * sch_netem: fix a divide by zero in tabledist()Eric Dumazet2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit b41d936b5ecfdb3a4abc525ce6402a6c49cffddc ] syzbot managed to crash the kernel in tabledist() loading an empty distribution table. t = dist->table[rnd % dist->size]; Simply return an error when such load is attempted. Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * openvswitch: change type of UPCALL_PID attribute to NLA_UNSPECLi RongQing2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit ea8564c865299815095bebeb4b25bef474218e4c ] userspace openvswitch patch "(dpif-linux: Implement the API functions to allow multiple handler threads read upcall)" changes its type from U32 to UNSPEC, but leave the kernel unchanged and after kernel 6e237d099fac "(netlink: Relax attr validation for fixed length types)", this bug is exposed by the below warning [ 57.215841] netlink: 'ovs-vswitchd': attribute type 5 has an invalid length. Fixes: 5cd667b0a456 ("openvswitch: Allow each vport to have an array of 'port_id's") Signed-off-by: Li RongQing <lirongqing@baidu.com> Acked-by: Pravin B Shelar <pshelar@ovn.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * mac80211: handle deauthentication/disassociation from TDLS peerYu Wang2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 79c92ca42b5a3e0ea172ea2ce8df8e125af237da ] When receiving a deauthentication/disassociation frame from a TDLS peer, a station should not disconnect the current AP, but only disable the current TDLS link if it's enabled. Without this change, a TDLS issue can be reproduced by following the steps as below: 1. STA-1 and STA-2 are connected to AP, bidirection traffic is running between STA-1 and STA-2. 2. Set up TDLS link between STA-1 and STA-2, stay for a while, then teardown TDLS link. 3. Repeat step #2 and monitor the connection between STA and AP. During the test, one STA may send a deauthentication/disassociation frame to another, after TDLS teardown, with reason code 6/7, which means: Class 2/3 frame received from nonassociated STA. On receive this frame, the receiver STA will disconnect the current AP and then reconnect. It's not a expected behavior, purpose of this frame should be disabling the TDLS link, not the link with AP. Cc: stable@vger.kernel.org Signed-off-by: Yu Wang <yyuwang@codeaurora.org> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * mac80211: Print text for disassociation reasonArkadiusz Miskiewicz2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 68506e9af132a6b5735c1dd4b11240da0cf5eeae ] When disassociation happens only numeric reason is printed in ieee80211_rx_mgmt_disassoc(). Add text variant, too. Signed-off-by: Arkadiusz Miƛkiewicz <arekm@maven.pl> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| | * net: rds: Fix NULL ptr use in rds_tcp_kill_sockMao Wenan2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | After the commit c4e97b06cfdc ("net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock()."), it introduced null-ptr-deref in rds_tcp_kill_sock as below: BUG: KASAN: null-ptr-deref on address 0000000000000020 Read of size 8 by task kworker/u16:10/910 CPU: 3 PID: 910 Comm: kworker/u16:10 Not tainted 4.4.178+ #3 Hardware name: linux,dummy-virt (DT) Workqueue: netns cleanup_net Call trace: [<ffffff90080abb50>] dump_backtrace+0x0/0x618 [<ffffff90080ac1a0>] show_stack+0x38/0x60 [<ffffff9008c42b78>] dump_stack+0x1a8/0x230 [<ffffff90085d469c>] kasan_report_error+0xc8c/0xfc0 [<ffffff90085d54a4>] kasan_report+0x94/0xd8 [<ffffff90085d1b28>] __asan_load8+0x88/0x150 [<ffffff9009c9cc2c>] rds_tcp_dev_event+0x734/0xb48 [<ffffff90081eacb0>] raw_notifier_call_chain+0x150/0x1e8 [<ffffff900973fec0>] call_netdevice_notifiers_info+0x90/0x110 [<ffffff9009764874>] netdev_run_todo+0x2f4/0xb08 [<ffffff9009796d34>] rtnl_unlock+0x2c/0x48 [<ffffff9009756484>] default_device_exit_batch+0x444/0x528 [<ffffff9009720498>] ops_exit_list+0x1c0/0x240 [<ffffff9009724a80>] cleanup_net+0x738/0xbf8 [<ffffff90081ca6cc>] process_one_work+0x96c/0x13e0 [<ffffff90081cf370>] worker_thread+0x7e0/0x1910 [<ffffff90081e7174>] kthread+0x304/0x390 [<ffffff9008094280>] ret_from_fork+0x10/0x50 If the first loop add the tc->t_sock = NULL to the tmp_list, 1). list_for_each_entry_safe(tc, _tc, &rds_tcp_conn_list, t_tcp_node) then the second loop is to find connections to destroy, tc->t_sock might equal NULL, and tc->t_sock->sk happens null-ptr-deref. 2). list_for_each_entry_safe(tc, _tc, &tmp_list, t_tcp_node) Fixes: c4e97b06cfdc ("net: rds: force to destroy connection if t_sock is NULL in rds_tcp_kill_sock().") Signed-off-by: Mao Wenan <maowenan@huawei.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| | * Revert "Bluetooth: validate BLE connection interval updates"Marcel Holtmann2019-10-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 68d19d7d995759b96169da5aac313363f92a9075 ] This reverts commit c49a8682fc5d298d44e8d911f4fa14690ea9485e. There are devices which require low connection intervals for usable operation including keyboards and mice. Forcing a static connection interval for these types of devices has an impact in latency and causes a regression. Signed-off-by: Marcel Holtmann <marcel@holtmann.org> Signed-off-by: Johan Hedberg <johan.hedberg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
| * | Merge 4.4.194 into android-4.4-pGreg Kroah-Hartman2019-09-21
| |\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.194 bridge/mdb: remove wrong use of NLM_F_MULTI cdc_ether: fix rndis support for Mediatek based smartphones ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()' isdn/capi: check message length in capi_write() net: Fix null de-reference of device refcount sch_hhf: ensure quantum and hhf_non_hh_weight are non-zero sctp: Fix the link time qualifier of 'sctp_ctrlsock_exit()' sctp: use transport pf_retrans in sctp_do_8_2_transport_strike tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR tipc: add NULL pointer check before calling kfree_rcu tun: fix use-after-free when register netdev failed Revert "MIPS: SiByte: Enable swiotlb for SWARM, LittleSur and BigSur" Btrfs: fix assertion failure during fsync and use of stale transaction genirq: Prevent NULL pointer dereference in resend_irqs() KVM: s390: Do not leak kernel stack data in the KVM_S390_INTERRUPT ioctl KVM: x86: work around leak of uninitialized stack contents KVM: nVMX: handle page fault in vmread MIPS: VDSO: Prevent use of smp_processor_id() MIPS: VDSO: Use same -m%-float cflag as the kernel proper clk: rockchip: Don't yell about bad mmc phases when getting driver core: Fix use-after-free and double free on glue directory crypto: talitos - check AES key size crypto: talitos - check data blocksize in ablkcipher. x86/build: Add -Wnoaddress-of-packed-member to REALMODE_CFLAGS, to silence GCC9 build warning MIPS: netlogic: xlr: Remove erroneous check in nlm_fmn_send() ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs USB: usbcore: Fix slab-out-of-bounds bug during device reset media: tm6000: double free if usb disconnect while streaming x86/boot: Add missing bootparam that breaks boot on some platforms xen-netfront: do not assume sk_buff_head list is empty in error handling KVM: coalesced_mmio: add bounds checking serial: sprd: correct the wrong sequence of arguments tty/serial: atmel: reschedule TX after RX was started mwifiex: Fix three heap overflow at parsing element in cfg80211_ap_settings s390/bpf: fix lcgr instruction encoding ARM: OMAP2+: Fix omap4 errata warning on other SoCs s390/bpf: use 32-bit index for tail calls NFSv4: Fix return values for nfs4_file_open() NFS: Fix initialisation of I/O result struct in nfs_pgio_rpcsetup Kconfig: Fix the reference to the IDT77105 Phy driver in the description of ATM_NICSTAR_USE_IDT77105 ARM: 8874/1: mm: only adjust sections of valid mm structures r8152: Set memory to all 0xFFs on failed reg reads x86/apic: Fix arch_dynirq_lower_bound() bug for DT enabled machines netfilter: nf_conntrack_ftp: Fix debug output NFSv2: Fix eof handling NFSv2: Fix write regression cifs: set domainName when a domain-key is used in multiuser cifs: Use kzfree() to zero out the password sky2: Disable MSI on yet another ASUS boards (P6Xxxx) tools/power turbostat: fix buffer overrun net: seeq: Fix the function used to release some memory in an error handling path dmaengine: ti: omap-dma: Add cleanup in omap_dma_probe() keys: Fix missing null pointer check in request_key_auth_describe() floppy: fix usercopy direction media: technisat-usb2: break out of loop at end of buffer ARC: export "abort" for modules net_sched: let qdisc_put() accept NULL pointer Linux 4.4.194 Change-Id: I680ac71d33ab7a4fd239de6333ea5b76376521b6 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
| * | Merge 4.4.193 into android-4.4-pGreg Kroah-Hartman2019-09-16
| |\ \ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Changes in 4.4.193 ALSA: hda - Fix potential endless loop at applying quirks ALSA: hda/realtek - Fix overridden device-specific initialization xfrm: clean up xfrm protocol checks vhost/test: fix build for vhost test scripts/decode_stacktrace: match basepath using shell prefix operator, not regex clk: s2mps11: Add used attribute to s2mps11_dt_match x86, boot: Remove multiple copy of static function sanitize_boot_params() af_packet: tone down the Tx-ring unsupported spew. vhost: make sure log_num < in_num Linux 4.4.193 Change-Id: If2283bf8bc29f3deaf1c047c8ec9e502fbdf0521 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>