summaryrefslogtreecommitdiff
path: root/net/unix/af_unix.c (follow)
Commit message (Collapse)AuthorAge
* Merge branch 'android-4.4-p' of ↵Michael Bestas2021-08-12
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | https://android.googlesource.com/kernel/common into lineage-18.1-caf-msm8998 # By Pavel Skripkin (6) and others # Via Greg Kroah-Hartman * android-4.4-p: Linux 4.4.278 sis900: Fix missing pci_disable_device() in probe and remove tulip: windbond-840: Fix missing pci_disable_device() in probe and remove net: llc: fix skb_over_panic mlx4: Fix missing error code in mlx4_load_one() tipc: fix sleeping in tipc accept routine netfilter: nft_nat: allow to specify layer 4 protocol NAT only cfg80211: Fix possible memory leak in function cfg80211_bss_update x86/asm: Ensure asm/proto.h can be included stand-alone NIU: fix incorrect error return, missed in previous revert can: esd_usb2: fix memory leak can: ems_usb: fix memory leak can: usb_8dev: fix memory leak ocfs2: issue zeroout to EOF blocks ocfs2: fix zero out valid data ARM: ensure the signal page contains defined contents lib/string.c: add multibyte memset functions ARM: dts: versatile: Fix up interrupt controller node names hfs: add lock nesting notation to hfs_find_init hfs: fix high memory mapping in hfs_bnode_read hfs: add missing clean-up in hfs_fill_super sctp: move 198 addresses from unusable to private scope net/802/garp: fix memleak in garp_request_join() net/802/mrp: fix memleak in mrp_request_join() workqueue: fix UAF in pwq_unbound_release_workfn() af_unix: fix garbage collect vs MSG_PEEK net: split out functions related to registering inflight socket files Linux 4.4.277 btrfs: compression: don't try to compress if we don't have enough pages iio: accel: bma180: Fix BMA25x bandwidth register values iio: accel: bma180: Use explicit member assignment net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick USB: serial: cp210x: fix comments for GE CS1000 USB: serial: option: add support for u-blox LARA-R6 family usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop() usb: max-3421: Prevent corruption of freed memory USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS usb: hub: Disable USB 3 device initiated lpm if exit latency is too high KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow xhci: Fix lost USB 2 remote wake ALSA: sb: Fix potential ABBA deadlock in CSP driver s390/ftrace: fix ftrace_update_ftrace_func implementation proc: Avoid mixing integer types in mem_rw() Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem" scsi: target: Fix protect handling in WRITE SAME(32) scsi: iscsi: Fix iface sysfs attr detection netrom: Decrease sock refcount when sock timers expire net: decnet: Fix sleeping inside in af_decnet net: fix uninit-value in caif_seqpkt_sendmsg s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1] perf probe-file: Delete namelist in del_events() on the error path perf test bpf: Free obj_buf igb: Check if num of q_vectors is smaller than max before array access iavf: Fix an error handling path in 'iavf_probe()' ipv6: tcp: drop silly ICMPv6 packet too big messages tcp: annotate data races around tp->mtu_info net: validate lwtstate->data before returning from skb_tunnel_info() net: ti: fix UAF in tlan_remove_one net: moxa: fix UAF in moxart_mac_probe net: bcmgenet: Ensure all TX/RX queues DMAs are disabled net: ipv6: fix return value of ip6_skb_dst_mtu x86/fpu: Make init_fpstate correct with optimized XSAVE Revert "memory: fsl_ifc: fix leak of IO mapping on probe failure" sched/fair: Fix CFS bandwidth hrtimer expiry type scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set thermal/core: Correct function name thermal_zone_device_unregister() ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info ARM: dts: imx6: phyFLEX: Fix UART hardware flow control ARM: dts: BCM63xx: Fix NAND nodes names ARM: brcmstb: dts: fix NAND nodes names Change-Id: Id59b93b8704270f45923f262facbadde4c486a15
| * af_unix: fix garbage collect vs MSG_PEEKMiklos Szeredi2021-08-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit cbcf01128d0a92e131bd09f1688fe032480b65ca upstream. unix_gc() assumes that candidate sockets can never gain an external reference (i.e. be installed into an fd) while the unix_gc_lock is held. Except for MSG_PEEK this is guaranteed by modifying inflight count under the unix_gc_lock. MSG_PEEK does not touch any variable protected by unix_gc_lock (file count is not), yet it needs to be serialized with garbage collection. Do this by locking/unlocking unix_gc_lock: 1) increment file count 2) lock/unlock barrier to make sure incremented file count is visible to garbage collection 3) install file into fd This is a lock barrier (unlike smp_mb()) that ensures that garbage collection is run completely before or completely after the barrier. Cc: <stable@vger.kernel.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
| * net: split out functions related to registering inflight socket filesJens Axboe2021-08-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit f4e65870e5cede5ca1ec0006b6c9803994e5f7b8 upstream. We need this functionality for the io_uring file registration, but we cannot rely on it since CONFIG_UNIX can be modular. Move the helpers to a separate file, that's always builtin to the kernel if CONFIG_UNIX is m/y. No functional changes in this patch, just moving code around. Reviewed-by: Hannes Reinecke <hare@suse.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jens Axboe <axboe@kernel.dk> [ backported to older kernels to get access to unix_gc_lock - gregkh ] Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge branch 'android-4.4-p' of ↵Michael Bestas2021-07-10
|\| | | | | | | | | | | | | | | | | | | | | | | | | https://android.googlesource.com/kernel/common into lineage-18.1-caf-msm8998 This brings LA.UM.9.2.r1-03400-SDMxx0.0 up to date with https://android.googlesource.com/kernel/common/ android-4.4-p at commit: b5f0035416310 Merge 4.4.274 into android-4.4-p Conflicts: include/linux/spi/spi.h Change-Id: I3daac7891ee93c70ffe08b7e70b77e8b2989af67
| * net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sockEric Dumazet2021-06-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit a494bd642d9120648b06bb7d28ce6d05f55a7819 ] While unix_may_send(sk, osk) is called while osk is locked, it appears unix_release_sock() can overwrite unix_peer() after this lock has been released, making KCSAN unhappy. Changing unix_release_sock() to access/change unix_peer() before lock is released should fix this issue. BUG: KCSAN: data-race in unix_dgram_sendmsg / unix_release_sock write to 0xffff88810465a338 of 8 bytes by task 20852 on cpu 1: unix_release_sock+0x4ed/0x6e0 net/unix/af_unix.c:558 unix_release+0x2f/0x50 net/unix/af_unix.c:859 __sock_release net/socket.c:599 [inline] sock_close+0x6c/0x150 net/socket.c:1258 __fput+0x25b/0x4e0 fs/file_table.c:280 ____fput+0x11/0x20 fs/file_table.c:313 task_work_run+0xae/0x130 kernel/task_work.c:164 tracehook_notify_resume include/linux/tracehook.h:189 [inline] exit_to_user_mode_loop kernel/entry/common.c:175 [inline] exit_to_user_mode_prepare+0x156/0x190 kernel/entry/common.c:209 __syscall_exit_to_user_mode_work kernel/entry/common.c:291 [inline] syscall_exit_to_user_mode+0x20/0x40 kernel/entry/common.c:302 do_syscall_64+0x56/0x90 arch/x86/entry/common.c:57 entry_SYSCALL_64_after_hwframe+0x44/0xae read to 0xffff88810465a338 of 8 bytes by task 20888 on cpu 0: unix_may_send net/unix/af_unix.c:189 [inline] unix_dgram_sendmsg+0x923/0x1610 net/unix/af_unix.c:1712 sock_sendmsg_nosec net/socket.c:654 [inline] sock_sendmsg net/socket.c:674 [inline] ____sys_sendmsg+0x360/0x4d0 net/socket.c:2350 ___sys_sendmsg net/socket.c:2404 [inline] __sys_sendmmsg+0x315/0x4b0 net/socket.c:2490 __do_sys_sendmmsg net/socket.c:2519 [inline] __se_sys_sendmmsg net/socket.c:2516 [inline] __x64_sys_sendmmsg+0x53/0x60 net/socket.c:2516 do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47 entry_SYSCALL_64_after_hwframe+0x44/0xae value changed: 0xffff888167905400 -> 0x0000000000000000 Reported by Kernel Concurrency Sanitizer on: CPU: 0 PID: 20888 Comm: syz-executor.0 Not tainted 5.13.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
* | Merge branch 'android-4.4-p' of ↵Michael Bestas2020-10-23
|\| | | | | | | | | | | | | | | | | | | | | | | | | https://android.googlesource.com/kernel/common into lineage-17.1-caf-msm8998 This brings LA.UM.8.4.r1-06000-8x98.0 up to date with https://android.googlesource.com/kernel/common/ android-4.4-p at commit: 7a9986e91f909 UPSTREAM: binder: fix UAF when releasing todo list Conflicts: fs/eventpoll.c Change-Id: I77260d03cb539d7e7eefcea360aee2d59bb9e0cb
| * skbuff: fix a data race in skb_queue_len()Qian Cai2020-10-01
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 86b18aaa2b5b5bb48e609cd591b3d2d0fdbe0442 ] sk_buff.qlen can be accessed concurrently as noticed by KCSAN, BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_dgram_sendmsg read to 0xffff8a1b1d8a81c0 of 4 bytes by task 5371 on cpu 96: unix_dgram_sendmsg+0x9a9/0xb70 include/linux/skbuff.h:1821 net/unix/af_unix.c:1761 ____sys_sendmsg+0x33e/0x370 ___sys_sendmsg+0xa6/0xf0 __sys_sendmsg+0x69/0xf0 __x64_sys_sendmsg+0x51/0x70 do_syscall_64+0x91/0xb47 entry_SYSCALL_64_after_hwframe+0x49/0xbe write to 0xffff8a1b1d8a81c0 of 4 bytes by task 1 on cpu 99: __skb_try_recv_from_queue+0x327/0x410 include/linux/skbuff.h:2029 __skb_try_recv_datagram+0xbe/0x220 unix_dgram_recvmsg+0xee/0x850 ____sys_recvmsg+0x1fb/0x210 ___sys_recvmsg+0xa2/0xf0 __sys_recvmsg+0x66/0xf0 __x64_sys_recvmsg+0x51/0x70 do_syscall_64+0x91/0xb47 entry_SYSCALL_64_after_hwframe+0x49/0xbe Since only the read is operating as lockless, it could introduce a logic bug in unix_recvq_full() due to the load tearing. Fix it by adding a lockless variant of skb_queue_len() and unix_recvq_full() where READ_ONCE() is on the read while WRITE_ONCE() is on the write similar to the commit d7d16a89350a ("net: add skb_queue_empty_lockless()"). Signed-off-by: Qian Cai <cai@lca.pw> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
* | Merge android-4.4-p.204 (583bdda) into msm-4.4Srinivasarao P2019-12-02
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refs/heads/tmp-583bdda Linux 4.4.204 KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel powerpc/book3s64: Fix link stack flush on context switch powerpc/64s: support nospectre_v2 cmdline option staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error USB: serial: option: add support for Foxconn T77W968 LTE modules USB: serial: option: add support for DW5821e with eSIM support USB: serial: mos7840: fix remote wakeup USB: serial: mos7720: fix remote wakeup USB: serial: mos7840: add USB ID to support Moxa UPort 2210 appledisplay: fix error handling in the scheduled work usb-serial: cp201x: support Mark-10 digital force gauge virtio_console: move removal code virtio_console: drop custom control queue cleanup virtio_console: fix uninitialized variable use virtio_console: allocate inbufs in add_port() only if it is needed virtio_console: don't tie bufs to a vq virtio_console: reset on out of memory media: imon: invalid dereference in imon_touch_event media: cxusb: detect cxusb_ctrl_msg error in query media: b2c2-flexcop-usb: add sanity checking cpufreq: Add NULL checks to show() and store() methods of cpufreq media: vivid: Fix wrong locking that causes race conditions on streaming stop media: vivid: Set vid_cap_streaming and vid_out_streaming to true x86/speculation: Fix redundant MDS mitigation message x86/speculation: Fix incorrect MDS/TAA mitigation status x86/insn: Fix awk regexp warnings ARC: perf: Accommodate big-endian CPU mmc: block: Fix tag condition with packed writes ocfs2: remove ocfs2_is_o2cb_active() cpufreq: Skip cpufreq resume if it's not suspended arm64: fix for bad_mode() handler to always result in panic dm: use blk_set_queue_dying() in __dm_destroy() ath9k_hw: fix uninitialized variable data Bluetooth: Fix invalid-free in bcsp_close() IB/hfi1: Ensure full Gen3 speed in a Gen4 system spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch PCI: keystone: Use quirk to limit MRRS for K2G pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues sock: Reset dst when changing sk_mark via setsockopt net: bcmgenet: return correct value 'ret' from bcmgenet_power_down dlm: don't leak kernel pointer to userspace dlm: fix invalid free scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces scsi: megaraid_sas: Fix msleep granularity scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11 scsi: mpt3sas: Fix Sync cache command failure during driver unload rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information wireless: airo: potential buffer overflow in sprintf() brcmsmac: never log "tid x is not agg'able" by default rtl8xxxu: Fix missing break in switch wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()' audit: print empty EXECVE args sched/fair: Don't increase sd->balance_interval on newidle balance net: do not abort bulk send on BQL status ocfs2: fix clusters leak in ocfs2_defrag_extent() ocfs2: don't put and assigning null to bh allocated outside ntb: intel: fix return value for ndev_vec_mask() ntb_netdev: fix sleep time mismatch igb: shorten maximum PHC timecounter update interval fs/hfs/extent.c: fix array out of bounds read of array extent hfs: fix return value of hfs_get_block() hfsplus: fix return value of hfsplus_get_block() hfs: prevent btree data loss on ENOSPC hfsplus: prevent btree data loss on ENOSPC hfs: fix BUG on bnode parent update hfsplus: fix BUG on bnode parent update linux/bitmap.h: fix type of nbits in bitmap_shift_right() linux/bitmap.h: handle constant zero-size bitmaps correctly um: Make line/tty semantics use true write IRQ mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle() sparc64: Rework xchg() definition to avoid warnings. thermal: rcar_thermal: Prevent hardware access during system suspend selftests/ftrace: Fix to test kprobe $comm arg only if available mfd: max8997: Enale irq-wakeup unconditionally mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values qlcnic: fix a return in qlcnic_dcb_get_capability() mISDN: Fix type of switch control variable in ctrl_teimanager rtc: s35390a: Change buf's type to u8 in s35390a_init ceph: fix dentry leak in ceph_readdir_prepopulate sparc: Fix parport build warnings. spi: omap2-mcspi: Set FIFO DMA trigger level to word length s390/perf: Return error when debug_register fails atm: zatm: Fix empty body Clang warnings SUNRPC: Fix a compile warning for cmpxchg64() USB: misc: appledisplay: fix backlight update_status return code macintosh/windfarm_smu_sat: Fix debug output ALSA: i2c/cs8427: Fix int to char conversion kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack net: fix warning in af_unix scsi: dc395x: fix DMA API usage in sg_update_list scsi: dc395x: fix dma API usage in srb_done clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param scsi: isci: Change sci_controller_start_task's return type to sci_status scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler KVM/x86: Fix invvpid and invept register operand size in 64-bit mode scsi: ips: fix missing break in switch amiflop: clean up on errors during setup misc: mic: fix a DMA pool free failure gsmi: Fix bug in append_to_eventlog sysfs handler btrfs: handle error of get_old_root mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail spi: sh-msiof: fix deferred probing brcmsmac: AP mode: update beacon when TIM changes powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field powerpc: Fix signedness bug in update_flash_db() synclink_gt(): fix compat_ioctl() gfs2: Fix marking bitmaps non-full printk: fix integer overflow in setup_log_buf() ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback mwifiex: Fix NL80211_TX_POWER_LIMITED platform/x86: asus-wmi: add SERIO_I8042 dependency platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi platform/x86: asus-nb-wmi: Support ALS on the Zenbook UX430UQ platform/x86: asus-wmi: try to set als by default asus-wmi: provide access to ALS control platform/x86: asus-wmi: Set specified XUSB2PR value for X550LB platform/x86: asus-wmi: fix asus ux303ub brightness issue platform/x86: asus-wmi: Filter buggy scan codes on ASUS Q500A asus-wmi: Add quirk_no_rfkill for the Asus Z550MA asus-wmi: Add quirk_no_rfkill for the Asus U303LB asus-wmi: Add quirk_no_rfkill for the Asus N552VW asus-wmi: Add quirk_no_rfkill_wapf4 for the Asus X456UF asus-wmi: Create quirk for airplane_mode LED mm/ksm.c: don't WARN if page is still mapped in remove_stable_node() Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()" net: rtnetlink: prevent underflows in do_setvfinfo() net/sched: act_pedit: fix WARN() in the traffic path sfc: Only cancel the PPS workqueue if it exists net/mlx4_en: fix mlx4 ethtool -N insertion Conflicts: arch/arm64/kernel/traps.c Change-Id: Ie8f88d491b2d80c031e81346687624d7b5a770f1 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
| * net: fix warning in af_unixKyeongdon Kim2019-11-28
| | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 33c4368ee2589c165aebd8d388cbd91e9adb9688 ] This fixes the "'hash' may be used uninitialized in this function" net/unix/af_unix.c:1041:20: warning: 'hash' may be used uninitialized in this function [-Wmaybe-uninitialized] addr->hash = hash ^ sk->sk_type; Signed-off-by: Kyeongdon Kim <kyeongdon.kim@lge.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
* | Merge android-4.4.177 (0c3b8c4) into msm-4.4Srinivasarao P2019-03-25
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refs/heads/tmp-0c3b8c4 Linux 4.4.177 KVM: X86: Fix residual mmio emulation request to userspace KVM: nVMX: Ignore limit checks on VMX instructions using flat segments KVM: nVMX: Sign extend displacements of VMX instr's mem operands drm/radeon/evergreen_cs: fix missing break in switch statement media: uvcvideo: Avoid NULL pointer dereference at the end of streaming rcu: Do RCU GP kthread self-wakeup from softirq and interrupt PM / wakeup: Rework wakeup source timer cancellation nfsd: fix wrong check in write_v4_end_grace() nfsd: fix memory corruption caused by readdir NFS: Don't recoalesce on error in nfs_pageio_complete_mirror() NFS: Fix an I/O request leakage in nfs_do_recoalesce md: Fix failed allocation of md_register_thread perf intel-pt: Fix overlap calculation for padding perf auxtrace: Define auxtrace record alignment perf intel-pt: Fix CYC timestamp calculation after OVF NFS41: pop some layoutget errors to application dm: fix to_sector() for 32bit ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify powerpc/83xx: Also save/restore SPRG4-7 during suspend powerpc/powernv: Make opal log only readable by root powerpc/wii: properly disable use of BATs when requested. powerpc/32: Clear on-stack exception marker upon exception return jbd2: fix compile warning when using JBUFFER_TRACE jbd2: clear dirty flag when revoking a buffer from an older transaction serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup() serial: 8250_pci: Fix number of ports for ACCES serial cards perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks i2c: tegra: fix maximum transfer size parport_pc: fix find_superio io compare code, should use equal test. intel_th: Don't reference unassigned outputs kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv mm/vmalloc: fix size check for remap_vmalloc_range_partial() dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit clk: ingenic: Fix round_rate misbehaving with non-integer dividers ext2: Fix underflow in ext2_max_size() ext4: fix crash during online resizing cpufreq: pxa2xx: remove incorrect __init annotation cpufreq: tegra124: add missing of_node_put() crypto: pcbc - remove bogus memcpy()s with src == dest Btrfs: fix corruption reading shared and compressed extents after hole punching btrfs: ensure that a DUP or RAID1 block group has exactly two stripes m68k: Add -ffreestanding to CFLAGS scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock scsi: virtio_scsi: don't send sc payload with tmfs s390/virtio: handle find on invalid queue gracefully clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR regulator: s2mpa01: Fix step values for some LDOs regulator: s2mps11: Fix steps for buck7, buck8 and LDO35 ACPI / device_sysfs: Avoid OF modalias creation for removed device tracing: Do not free iter->trace in fail path of tracing_open_pipe() CIFS: Fix read after write for files with read caching crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling stm class: Prevent division by zero tmpfs: fix uninitialized return value in shmem_link net: set static variable an initial value in atl2_probe() mac80211_hwsim: propagate genlmsg_reply return code phonet: fix building with clang ARC: uacces: remove lp_start, lp_end from clobber list tmpfs: fix link accounting when a tmpfile is linked in arm64: Relax GIC version check during early boot ASoC: topology: free created components in tplg load error net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe() pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins net: systemport: Fix reception of BPDUs scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task assoc_array: Fix shortcut creation ARM: 8824/1: fix a migrating irq bug when hotplug cpu Input: st-keyscan - fix potential zalloc NULL dereference i2c: cadence: Fix the hold bit setting Input: matrix_keypad - use flush_delayed_work() ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized s390/dasd: fix using offset into zero size array error gpu: ipu-v3: Fix CSI offsets for imx53 gpu: ipu-v3: Fix i.MX51 CSI control registers offset crypto: ahash - fix another early termination in hash walk crypto: caam - fixed handling of sg list stm class: Fix an endless loop in channel allocation ASoC: fsl_esai: fix register setting issue in RIGHT_J mode 9p/net: fix memory leak in p9_client_create 9p: use inode->i_lock to protect i_size_write() under 32-bit media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused() It's wrong to add len to sector_nr in raid10 reshape twice fs/9p: use fscache mutex rather than spinlock ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 tcp/dccp: remove reqsk_put() from inet_child_forget() gro_cells: make sure device is up in gro_cells_receive() net/hsr: fix possible crash in add_timer() vxlan: Fix GRO cells race condition between receive and link delete vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() ipvlan: disallow userns cap_net_admin to change global mode/flags missing barriers in some of unix_sock ->addr and ->path accesses net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 mdio_bus: Fix use-after-free on device_register fails net/x25: fix a race in x25_bind() net/mlx4_core: Fix qp mtt size calculation net/mlx4_core: Fix reset flow when in command polling mode tcp: handle inet_csk_reqsk_queue_add() failures route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race ravb: Decrease TxFIFO depth of Q3 and Q2 to one pptp: dst_release sk_dst_cache in pptp_sock_destruct net/x25: reset state in x25_connect() net/x25: fix use-after-free in x25_device_event() net: sit: fix UBSAN Undefined behaviour in check_6rd net: hsr: fix memory leak in hsr_dev_finalize() l2tp: fix infoleak in l2tp_ip6_recvmsg() KEYS: restrict /proc/keys by credentials at open time netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters netfilter: nfnetlink_log: just returns error for unknown command netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES udplite: call proper backlog handlers ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420 Revert "x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls" ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock() iscsi_ibft: Fix missing break in switch statement Input: elan_i2c - add id for touchpad found in Lenovo s21e-20 Input: wacom_serial4 - add support for Wacom ArtPad II tablet MIPS: Remove function size check in get_frame_info() perf symbols: Filter out hidden symbols from labels s390/qeth: fix use-after-free in error path dmaengine: dmatest: Abort test in case of mapping error dmaengine: at_xdmac: Fix wrongfull report of a channel as in use irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable ARM: pxa: ssp: unneeded to free devm_ allocated data autofs: fix error return in autofs_fill_super() autofs: drop dentry reference only when it is never used fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone x86_64: increase stack size for KASAN_EXTRA x86/kexec: Don't setup EFI info if EFI runtime is not enabled cifs: fix computation for MAX_SMB2_HDR_SIZE platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 scsi: libfc: free skb when receiving invalid flogi resp nfs: Fix NULL pointer dereference of dev_name gpio: vf610: Mask all GPIO interrupts net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() net: hns: Fix wrong read accesses via Clause 45 MDIO protocol net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case xtensa: SMP: limit number of possible CPUs by NR_CPUS xtensa: SMP: mark each possible CPU as present xtensa: smp_lx200_defconfig: fix vectors clash xtensa: SMP: fix secondary CPU initialization xtensa: SMP: fix ccount_timer_shutdown iommu/amd: Fix IOMMU page flush when detach device from a domain ipvs: Fix signed integer overflow when setsockopt timeout IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM perf tools: Handle TOPOLOGY headers with no CPU vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel media: uvcvideo: Fix 'type' check leading to overflow ip6mr: Do not call __IP6_INC_STATS() from preemptible context net: dsa: mv88e6xxx: Fix u64 statistics netlabel: fix out-of-bounds memory accesses hugetlbfs: fix races and page leaks during migration MIPS: irq: Allocate accurate order pages for irq stack applicom: Fix potential Spectre v1 vulnerabilities x86/CPU/AMD: Set the CPB bit unconditionally on F17h net: phy: Micrel KSZ8061: link failure after cable connect net: avoid use IPCB in cipso_v4_error net: Add __icmp_send helper. xen-netback: fix occasional leak of grant ref mappings under memory pressure net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails bnxt_en: Drop oversize TX packets to prevent errors. team: Free BPF filter when unregistering netdev sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79 net-sysfs: Fix mem leak in netdev_register_kobject staging: lustre: fix buffer overflow of string buffer isdn: isdn_tty: fix build warning of strncpy ncpfs: fix build warning of strncpy sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names cpufreq: Use struct kobj_attribute instead of struct global_attr USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485 USB: serial: cp210x: add ID for Ingenico 3070 USB: serial: option: add Telit ME910 ECM composition x86/uaccess: Don't leak the AC flag into __put_user() value evaluation mm: enforce min addr even if capable() in expand_downwards() mmc: spi: Fix card detection during probe powerpc: Always initialize input array when calling epapr_hypercall() KVM: arm/arm64: Fix MMIO emulation data handling arm/arm64: KVM: Feed initialized memory to MMIO accesses KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1 cfg80211: extend range deviation for DMG mac80211: don't initiate TDLS connection if station is not associated to AP ibmveth: Do not process frames after calling napi_reschedule net: altera_tse: fix connect_local_phy error path scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state() serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling mac80211: fix miscounting of ttl-dropped frames ARC: fix __ffs return value to avoid build warnings ASoC: imx-audmux: change snprintf to scnprintf for possible overflow ASoC: dapm: change snprintf to scnprintf for possible overflow usb: gadget: Potential NULL dereference on allocation error usb: dwc3: gadget: Fix the uninitialized link_state when udc starts thermal: int340x_thermal: Fix a NULL vs IS_ERR() check ALSA: compress: prevent potential divide by zero bugs ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field drm/msm: Unblock writer if reader closes file scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached libceph: handle an empty authorize reply Revert "bridge: do not add port to router list when receives query with source 0.0.0.0" ARCv2: Enable unaligned access in early ASM code net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach() team: avoid complex list operations in team_nl_cmd_options_set() net/packet: fix 4gb buffer limit due to overflow check batman-adv: fix uninit-value in batadv_interface_tx() KEYS: always initialize keyring_index_key::desc_len KEYS: user: Align the payload buffer RDMA/srp: Rework SCSI device reset handling isdn: avm: Fix string plus integer warning from Clang leds: lp5523: fix a missing check of return value of lp55xx_read atm: he: fix sign-extension overflow on large shift isdn: i4l: isdn_tty: Fix some concurrency double-free bugs MIPS: jazz: fix 64bit build scsi: isci: initialize shost fully before calling scsi_add_host() scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param MIPS: ath79: Enable OF serial ports in the default config net: hns: Fix use after free identified by SLUB debug mfd: mc13xxx: Fix a missing check of a register-read failure mfd: wm5110: Add missing ASRC rate register mfd: qcom_rpm: write fw_version to CTRL_REG mfd: ab8500-core: Return zero in get_register_interruptible() mfd: db8500-prcmu: Fix some section annotations mfd: twl-core: Fix section annotations on {,un}protect_pm_master mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells KEYS: allow reaching the keys quotas exactly numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES ceph: avoid repeatedly adding inode to mdsc->snap_flush_list Revert "ANDROID: arm: process: Add display of memory around registers when displaying regs." ANDROID: mnt: Propagate remount correctly ANDROID: cuttlefish_defconfig: Add support for AC97 audio ANDROID: overlayfs: override_creds=off option bypass creator_cred FROMGIT: binder: create node flag to request sender's security context Conflicts: arch/arm/kernel/irq.c drivers/media/v4l2-core/videobuf2-v4l2.c sound/core/compress_offload.c Change-Id: I998f8d53b0c5b8a7102816034452b1779a3b69a3 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
| * missing barriers in some of unix_sock ->addr and ->path accessesAl Viro2019-03-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit ae3b564179bfd06f32d051b9e5d72ce4b2a07c37 ] Several u->addr and u->path users are not holding any locks in common with unix_bind(). unix_state_lock() is useless for those purposes. u->addr is assign-once and *(u->addr) is fully set up by the time we set u->addr (all under unix_table_lock). u->path is also set in the same critical area, also before setting u->addr, and any unix_sock with ->path filled will have non-NULL ->addr. So setting ->addr with smp_store_release() is all we need for those "lockless" users - just have them fetch ->addr with smp_load_acquire() and don't even bother looking at ->path if they see NULL ->addr. Users of ->addr and ->path fall into several classes now: 1) ones that do smp_load_acquire(u->addr) and access *(u->addr) and u->path only if smp_load_acquire() has returned non-NULL. 2) places holding unix_table_lock. These are guaranteed that *(u->addr) is seen fully initialized. If unix_sock is in one of the "bound" chains, so's ->path. 3) unix_sock_destructor() using ->addr is safe. All places that set u->addr are guaranteed to have seen all stores *(u->addr) while holding a reference to u and unix_sock_destructor() is called when (atomic) refcount hits zero. 4) unix_release_sock() using ->path is safe. unix_bind() is serialized wrt unix_release() (normally - by struct file refcount), and for the instances that had ->path set by unix_bind() unix_release_sock() comes from unix_release(), so they are fine. Instances that had it set in unix_stream_connect() either end up attached to a socket (in unix_accept()), in which case the call chain to unix_release_sock() and serialization are the same as in the previous case, or they never get accept'ed and unix_release_sock() is called when the listener is shut down and its queue gets purged. In that case the listener's queue lock provides the barriers needed - unix_stream_connect() shoves our unix_sock into listener's queue under that lock right after having set ->path and eventual unix_release_sock() caller picks them from that queue under the same lock right before calling unix_release_sock(). 5) unix_find_other() use of ->path is pointless, but safe - it happens with successful lookup by (abstract) name, so ->path.dentry is guaranteed to be NULL there. earlier-variant-reviewed-by: "Paul E. McKenney" <paulmck@linux.ibm.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | Merge android-4.4.163 (0ca3fca) into msm-4.4Srinivasarao P2018-11-15
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refs/heads/tmp-0ca3fca Linux 4.4.163 x86/time: Correct the attribute on jiffies' definition l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6 cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE x86/percpu: Fix this_cpu_read() sched/fair: Fix throttle_list starvation with low CFS quota Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM USB: fix the usbfs flag sanitization for control transfers usb: gadget: storage: Fix Spectre v1 vulnerability cdc-acm: correct counting of UART states in serial state notification IB/ucm: Fix Spectre v1 vulnerability RDMA/ucma: Fix Spectre v1 vulnerability ptp: fix Spectre v1 vulnerability cachefiles: fix the race between cachefiles_bury_object() and rmdir(2) ahci: don't ignore result code of ahci_reset_controller() crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned mremap: properly flush TLB before releasing the page rtnetlink: Disallow FDB configuration for non-Ethernet device vhost: Fix Spectre V1 vulnerability net: drop skb on failure in ip_check_defrag() sctp: fix race on sctp_id2asoc r8169: fix NAPI handling under high load net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules net: socket: fix a missing-check bug net: sched: gred: pass the right attribute to gred_change_table_def() net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called ipv6: mcast: fix a use-after-free in inet6_mc_check net: bridge: remove ipv6 zero address check in mcast queries bridge: do not add port to router list when receives query with source 0.0.0.0 perf tools: Disable parallelism for 'make clean' mtd: spi-nor: Add support for is25wp series chips fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters() ARM: dts: imx53-qsb: disable 1.2GHz OPP MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression igb: Remove superfluous reset to PHY and page 0 selection MIPS: microMIPS: Fix decoding of swsp16 instruction scsi: aacraid: Fix typo in blink status bonding: avoid defaulting hard_header_len to ETH_HLEN on slave removal PM / devfreq: tegra: fix error return code in tegra_devfreq_probe() ASoC: spear: fix error return code in spdif_in_probe() spi: xlp: fix error return code in xlp_spi_probe() spi/bcm63xx: fix error return code in bcm63xx_spi_probe() MIPS: Handle non word sized instructions when examining frame spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe() usb: dwc3: omap: fix error return code in dwc3_omap_probe() usb: ehci-omap: fix error return code in ehci_hcd_omap_probe() usb: imx21-hcd: fix error return code in imx21_probe() gpio: msic: fix error return code in platform_msic_gpio_probe() sparc64: Fix exception handling in UltraSPARC-III memcpy. gpu: host1x: fix error return code in host1x_probe() sparc64 mm: Fix more TSB sizing issues video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe() tty: serial: sprd: fix error return code in sprd_probe() l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv() brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain gro: Allow tunnel stacking in the case of FOU/GUE vti6: flush x-netns xfrm cache when vti interface is removed ALSA: timer: Fix zero-division by continue of uninitialized instance ixgbe: Correct X550EM_x revision check ixgbe: fix RSS limit for X550 net/mlx5e: Correctly handle RSS indirection table when changing number of channels net/mlx5e: Fix LRO modify ixgbevf: Fix handling of NAPI budget when multiple queues are enabled per vector fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for async_dio drm/nouveau/fbcon: fix oops without fbdev emulation bpf: generally move prog destruction to RCU deferral usb-storage: fix bogus hardware error messages for ATA pass-thru devices sch_red: update backlog as well sparc/pci: Refactor dev_archdata initialization into pci_init_dev_archdata scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state xfrm: Clear sk_dst_cache when applying per-socket policy. arm64: Fix potential race with hardware DBM in ptep_set_access_flags() CIFS: handle guest access errors to Windows shares ASoC: wm8940: Enable cache usage to fix crashes on resume ASoC: ak4613: Enable cache usage to fix crashes on resume MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue usbvision: revert commit 588afcc1 perf/core: Don't leak event in the syscall error path aacraid: Start adapter after updating number of MSIX vectors x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs tpm: fix: return rc when devm_add_action() fails thermal: allow u8500-thermal driver to be a module thermal: allow spear-thermal driver to be a module btrfs: don't create or leak aliased root while cleaning up orphans sched/cgroup: Fix cgroup entity load tracking tear-down um: Avoid longjmp/setjmp symbol clashes with libpthread.a ipv6: orphan skbs in reassembly unit net/mlx4_en: Resolve dividing by zero in 32-bit system af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers radix-tree: fix radix_tree_iter_retry() for tagged iterators. x86/mm/pat: Prevent hang during boot when mapping pages ARM: dts: apq8064: add ahci ports-implemented mask tracing: Skip more functions when doing stack tracing of events ser_gigaset: use container_of() instead of detour net: drop write-only stack variable ipv6: suppress sparse warnings in IP6_ECN_set_ce() KEYS: put keyring if install_session_keyring_to_cred() fails net: cxgb3_main: fix a missing-check bug perf/ring_buffer: Prevent concurent ring buffer access smsc95xx: Check for Wake-on-LAN modes smsc75xx: Check for Wake-on-LAN modes r8152: Check for supported Wake-on-LAN Modes sr9800: Check for supported Wake-on-LAN modes lan78xx: Check for supported Wake-on-LAN modes ax88179_178a: Check for supported Wake-on-LAN modes asix: Check for supported Wake-on-LAN modes pxa168fb: prepare the clock Bluetooth: SMP: fix crash in unpairing mac80211_hwsim: do not omit multicast announce of first added radio xfrm: validate template mode ARM: 8799/1: mm: fix pci_ioremap_io() offset check cfg80211: reg: Init wiphy_idx in regulatory_hint_core() mac80211: Always report TX status xfrm6: call kfree_skb when skb is toobig xfrm: Validate address prefix lengths in the xfrm selector. BACKPORT: xfrm: Allow Output Mark to be Updated Using UPDSA ANDROID: sdcardfs: Add option to drop unused dentries f2fs: guarantee journalled quota data by checkpoint f2fs: cleanup dirty pages if recover failed f2fs: fix data corruption issue with hardware encryption f2fs: fix to recover inode->i_flags of inode block during POR f2fs: spread f2fs_set_inode_flags() f2fs: fix to spread clear_cold_data() Revert "f2fs: fix to clear PG_checked flag in set_page_dirty()" f2fs: account read IOs and use IO counts for is_idle f2fs: fix to account IO correctly for cgroup writeback f2fs: fix to account IO correctly f2fs: remove request_list check in is_idle() f2fs: allow to mount, if quota is failed f2fs: update REQ_TIME in f2fs_cross_rename() f2fs: do not update REQ_TIME in case of error conditions f2fs: remove unneeded disable_nat_bits() f2fs: remove unused sbi->trigger_ssr_threshold f2fs: shrink sbi->sb_lock coverage in set_file_temperature() f2fs: fix to recover cold bit of inode block during POR f2fs: submit cached bio to avoid endless PageWriteback f2fs: checkpoint disabling f2fs: clear PageError on the read path f2fs: allow out-place-update for direct IO in LFS mode f2fs: refactor ->page_mkwrite() flow Revert: "f2fs: check last page index in cached bio to decide submission" f2fs: support superblock checksum f2fs: add to account skip count of background GC f2fs: add to account meta IO f2fs: keep lazytime on remount f2fs: fix missing up_read f2fs: return correct errno in f2fs_gc f2fs: avoid f2fs_bug_on if f2fs_get_meta_page_nofail got EIO f2fs: mark inode dirty explicitly in recover_inode() f2fs: fix to recover inode's crtime during POR f2fs: fix to recover inode's i_gc_failures during POR f2fs: fix to recover inode's i_flags during POR f2fs: fix to recover inode's project id during POR f2fs: update i_size after DIO completion f2fs: report ENOENT correctly in f2fs_rename f2fs: fix remount problem of option io_bits f2fs: fix to recover inode's uid/gid during POR f2fs: avoid infinite loop in f2fs_alloc_nid f2fs: add new idle interval timing for discard and gc paths f2fs: split IO error injection according to RW f2fs: add SPDX license identifiers f2fs: surround fault_injection related option parsing using CONFIG_F2FS_FAULT_INJECTION f2fs: avoid sleeping under spin_lock f2fs: plug readahead IO in readdir() f2fs: fix to do sanity check with current segment number f2fs: fix memory leak of percpu counter in fill_super() f2fs: fix memory leak of write_io in fill_super() f2fs: cache NULL when both default_acl and acl are NULL f2fs: fix to flush all dirty inodes recovered in readonly fs f2fs: report error if quota off error during umount f2fs: submit bio after shutdown f2fs: avoid wrong decrypted data from disk Revert "f2fs: use printk_ratelimited for f2fs_msg" f2fs: fix unnecessary periodic wakeup of discard thread when dev is busy f2fs: fix to avoid NULL pointer dereference on se->discard_map f2fs: add additional sanity check in f2fs_acl_from_disk() Revert "BACKPORT, FROMLIST: fscrypt: add Speck128/256 support" Build fix for 076c36fce1ea0. Revert "BACKPORT, FROMGIT: crypto: speck - add support for the Speck block cipher" Revert "FROMGIT: crypto: speck - export common helpers" Revert "BACKPORT, FROMGIT: crypto: arm/speck - add NEON-accelerated implementation of Speck-XTS" Revert "BACKPORT, FROMGIT: crypto: speck - add test vectors for Speck128-XTS" Revert "BACKPORT, FROMGIT: crypto: speck - add test vectors for Speck64-XTS" Revert "BACKPORT, FROMLIST: crypto: arm64/speck - add NEON-accelerated implementation of Speck-XTS" Revert "fscrypt: add Speck128/256 support" UPSTREAM: loop: Add LOOP_SET_BLOCK_SIZE in compat ioctl BACKPORT: block/loop: set hw_sectors UPSTREAM: loop: add ioctl for changing logical block size Conflicts: fs/ext4/crypto.c fs/ext4/ext4.h Change-Id: I8cb2f70b27906879f8e8fdd90e67f438e39701b8 Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
| * net: drop write-only stack variableDavid Herrmann2018-11-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 3575dbf2cbbc8e598f17ec441aed526dbea0e1bd ] Remove a write-only stack variable from unix_attach_fds(). This is a left-over from the security fix in: commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 Author: willy tarreau <w@1wt.eu> Date: Sun Jan 10 07:54:56 2016 +0100 unix: properly account for FDs passed over unix sockets Signed-off-by: David Herrmann <dh.herrmann@gmail.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
* | Merge android-4.4@64a73ff (v4.4.76) into msm-4.4Blagovest Kolenichev2017-07-10
|\| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * refs/heads/tmp-64a73ff: Linux 4.4.76 KVM: nVMX: Fix exception injection KVM: x86: zero base3 of unusable segments KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh() KVM: x86: fix emulation of RSM and IRET instructions cpufreq: s3c2416: double free on driver init error path iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid() iommu: Handle default domain attach failure iommu/vt-d: Don't over-free page table directories ocfs2: o2hb: revert hb threshold to keep compatible x86/mm: Fix flush_tlb_page() on Xen x86/mpx: Correctly report do_mpx_bt_fault() failures to user-space ARM: 8685/1: ensure memblock-limit is pmd-aligned ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting watchdog: bcm281xx: Fix use of uninitialized spinlock. xfrm: Oops on error in pfkey_msg2xfrm_state() xfrm: NULL dereference on allocation failure xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY jump label: fix passing kbuild_cflags when checking for asm goto support ravb: Fix use-after-free on `ifconfig eth0 down` sctp: check af before verify address in sctp_addr_id2transport net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV perf probe: Fix to show correct locations for events on modules be2net: fix status check in be_cmd_pmac_add() s390/ctl_reg: make __ctl_load a full memory barrier swiotlb: ensure that page-sized mappings are page-aligned coredump: Ensure proper size of sparse core files x86/mpx: Use compatible types in comparison to fix sparse error mac80211: initialize SMPS field in HT capabilities spi: davinci: use dma_mapping_error() scsi: lpfc: avoid double free of resource identifiers HID: i2c-hid: Add sleep between POWER ON and RESET kernel/panic.c: add missing \n ibmveth: Add a proper check for the availability of the checksum features vxlan: do not age static remote mac entries virtio_net: fix PAGE_SIZE > 64k vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null drm/amdgpu: check ring being ready before using net: dsa: Check return value of phy_connect_direct() amd-xgbe: Check xgbe_init() return code platform/x86: ideapad-laptop: handle ACPI event 1 scsi: virtio_scsi: Reject commands when virtqueue is broken xen-netfront: Fix Rx stall during network stress and OOM swiotlb-xen: update dev_addr after swapping pages virtio_console: fix a crash in config_work_handler Btrfs: fix truncate down when no_holes feature is enabled gianfar: Do not reuse pages from emergency reserve powerpc/eeh: Enable IO path on permanent error net: bgmac: Remove superflous netif_carrier_on() net: bgmac: Start transmit queue in bgmac_open net: bgmac: Fix SOF bit checking bgmac: Fix reversed test of build_skb() return value. mtd: bcm47xxpart: don't fail because of bit-flips bgmac: fix a missing check for build_skb mtd: bcm47xxpart: limit scanned flash area on BCM47XX (MIPS) only MIPS: ralink: fix MT7628 wled_an pinmux gpio MIPS: ralink: fix MT7628 pinmux typos MIPS: ralink: Fix invalid assignment of SoC type MIPS: ralink: fix USB frequency scaling MIPS: ralink: MT7688 pinmux fixes net: korina: Fix NAPI versus resources freeing MIPS: ath79: fix regression in PCI window initialization net: mvneta: Fix for_each_present_cpu usage ARM: dts: BCM5301X: Correct GIC_PPI interrupt flags qla2xxx: Fix erroneous invalid handle message scsi: lpfc: Set elsiocb contexts to NULL after freeing it scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type KVM: x86: fix fixing of hypercalls mm: numa: avoid waiting on freed migrated pages block: fix module reference leak on put_disk() call for cgroups throttle sysctl: enable strict writes usb: gadget: f_fs: Fix possibe deadlock drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr ALSA: hda - set input_path bitmap to zero after moving it to new place ALSA: hda - Fix endless loop of codec configure MIPS: Fix IRQ tracing & lockdep when rescheduling MIPS: pm-cps: Drop manual cache-line alignment of ready_count MIPS: Avoid accidental raw backtrace mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff() drm/ast: Handle configuration without P2A bridge NFSv4: fix a reference leak caused WARNING messages netfilter: synproxy: fix conntrackd interaction netfilter: xt_TCPMSS: add more sanity tests on tcph->doff rtnetlink: add IFLA_GROUP to ifla_policy ipv6: Do not leak throw route references sfc: provide dummy definitions of vswitch functions net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev decnet: always not take dst->__refcnt when inserting dst into hash table net/mlx5: Wait for FW readiness before initializing command interface ipv6: fix calling in6_ifa_hold incorrectly for dad work igmp: add a missing spin_lock_init() igmp: acquire pmc lock for ip_mc_clear_src() net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx Fix an intermittent pr_emerg warning about lo becoming free. af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers net: Zero ifla_vf_info in rtnl_fill_vfinfo() decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb net: don't call strlen on non-terminated string in dev_set_alias() ipv6: release dst on error in ip6_dst_lookup_tail UPSTREAM: selinux: enable genfscon labeling for tracefs Change-Id: I05ae1d6271769a99ea3817e5066f5ab6511f3254 Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
| * af_unix: Add sockaddr length checks before accessing sa_family in bind and ↵Mateusz Jurczyk2017-07-05
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | connect handlers [ Upstream commit defbcf2decc903a28d8398aa477b6881e711e3ea ] Verify that the caller-provided sockaddr structure is large enough to contain the sa_family field, before accessing it in bind() and connect() handlers of the AF_UNIX socket. Since neither syscall enforces a minimum size of the corresponding memory region, very short sockaddrs (zero or one byte long) result in operating on uninitialized memory while referencing .sa_family. Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* | drivers: Warning fixes to disable CC_OPTIMIZE_FOR_SIZEPrasad Sodagudi2017-05-31
|/ | | | | | | | | | These are all driver changes needed for disablement of CONFIG_CC_OPTIMIZE_FOR_SIZE. CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is enabled by default once CONFIG_CC_OPTIMIZE_FOR_SIZE is disabled. Change-Id: Ia46a1f24e8a082a29ea6151e41e6d3a85a05fd4f Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org> Signed-off-by: Sridhar Parasuram <sridhar@codeaurora.org>
* af_unix: move unix_mknod() out of bindlockWANG Cong2017-02-04
| | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 0fb44559ffd67de8517098b81f675fa0210f13f0 ] Dmitry reported a deadlock scenario: unix_bind() path: u->bindlock ==> sb_writer do_splice() path: sb_writer ==> pipe->mutex ==> u->bindlock In the unix_bind() code path, unix_mknod() does not have to be done with u->bindlock held, since it is a pure fs operation, so we can just move unix_mknod() out. Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* af_unix: conditionally use freezable blocking calls in readWANG Cong2016-12-10
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 06a77b07e3b44aea2b3c0e64de420ea2cfdcbaa9 ] Commit 2b15af6f95 ("af_unix: use freezable blocking calls in read") converts schedule_timeout() to its freezable version, it was probably correct at that time, but later, commit 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets") breaks the strong requirement for a freezable sleep, according to commit 0f9548ca1091: We shouldn't try_to_freeze if locks are held. Holding a lock can cause a deadlock if the lock is later acquired in the suspend or hibernate path (e.g. by dpm). Holding a lock can also cause a deadlock in the case of cgroup_freezer if a lock is held inside a frozen cgroup that is later acquired by a process outside that group. The pipe_lock is still held at that point. So use freezable version only for the recvmsg call path, avoid impact for Android. Fixes: 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets") Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Tejun Heo <tj@kernel.org> Cc: Colin Cross <ccross@android.com> Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com> Cc: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* af_unix: split 'u->readlock' into two: 'iolock' and 'bindlock'Linus Torvalds2016-09-30
| | | | | | | | | | | | | | | | | | | | | | | | | | | | commit 6e1ce3c3451291142a57c4f3f6f999a29fb5b3bc upstream. Right now we use the 'readlock' both for protecting some of the af_unix IO path and for making the bind be single-threaded. The two are independent, but using the same lock makes for a nasty deadlock due to ordering with regards to filesystem locking. The bind locking would want to nest outside the VSF pathname locking, but the IO locking wants to nest inside some of those same locks. We tried to fix this earlier with commit c845acb324aa ("af_unix: Fix splice-bind deadlock") which moved the readlock inside the vfs locks, but that caused problems with overlayfs that will then call back into filesystem routines that take the lock in the wrong order anyway. Splitting the locks means that we can go back to having the bind lock be the outermost lock, and we don't have any deadlocks with lock ordering. Acked-by: Rainer Weikusat <rweikusat@cyberadapt.com> Acked-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* Revert "af_unix: Fix splice-bind deadlock"Linus Torvalds2016-09-30
| | | | | | | | | | | | | | | | | | | | | | commit 38f7bd94a97b542de86a2be9229289717e33a7a4 upstream. This reverts commit c845acb324aa85a39650a14e7696982ceea75dc1. It turns out that it just replaces one deadlock with another one: we can still get the wrong lock ordering with the readlock due to overlayfs calling back into the filesystem layer and still taking the vfs locks after the readlock. The proper solution ends up being to just split the readlock into two pieces: the bind lock (taken *outside* the vfs locks) and the IO lock (taken *inside* the filesystem locks). The two locks are independent anyway. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Reviewed-by: Shmulik Ladkani <shmulik.ladkani@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* af_unix: fix hard linked sockets on overlayMiklos Szeredi2016-07-27
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | commit eb0a4a47ae89aaa0674ab3180de6a162f3be2ddf upstream. Overlayfs uses separate inodes even in the case of hard links on the underlying filesystems. This is a problem for AF_UNIX socket implementation which indexes sockets based on the inode. This resulted in hard linked sockets not working. The fix is to use the real, underlying inode. Test case follows: -- ovl-sock-test.c -- #include <unistd.h> #include <err.h> #include <sys/socket.h> #include <sys/un.h> #define SOCK "test-sock" #define SOCK2 "test-sock2" int main(void) { int fd, fd2; struct sockaddr_un addr = { .sun_family = AF_UNIX, .sun_path = SOCK, }; struct sockaddr_un addr2 = { .sun_family = AF_UNIX, .sun_path = SOCK2, }; unlink(SOCK); unlink(SOCK2); if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) err(1, "socket"); if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) == -1) err(1, "bind"); if (listen(fd, 0) == -1) err(1, "listen"); if (link(SOCK, SOCK2) == -1) err(1, "link"); if ((fd2 = socket(AF_UNIX, SOCK_STREAM, 0)) == -1) err(1, "socket"); if (connect(fd2, (struct sockaddr *) &addr2, sizeof(addr2)) == -1) err (1, "connect"); return 0; } ---- Reported-by: Alexander Morozov <alexandr.morozov@docker.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* af_unix: Guard against other == sk in unix_dgram_sendmsgRainer Weikusat2016-03-03
| | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit a5527dda344fff0514b7989ef7a755729769daa1 ] The unix_dgram_sendmsg routine use the following test if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) { to determine if sk and other are in an n:1 association (either established via connect or by using sendto to send messages to an unrelated socket identified by address). This isn't correct as the specified address could have been bound to the sending socket itself or because this socket could have been connected to itself by the time of the unix_peer_get but disconnected before the unix_state_lock(other). In both cases, the if-block would be entered despite other == sk which might either block the sender unintentionally or lead to trying to unlock the same spin lock twice for a non-blocking send. Add a other != sk check to guard against this. Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue") Reported-By: Philipp Hahn <pmhahn@pmhahn.de> Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com> Tested-by: Philipp Hahn <pmhahn@pmhahn.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* af_unix: Don't set err in unix_stream_read_generic unless there was an errorRainer Weikusat2016-03-03
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 1b92ee3d03af6643df395300ba7748f19ecdb0c5 ] The present unix_stream_read_generic contains various code sequences of the form err = -EDISASTER; if (<test>) goto out; This has the unfortunate side effect of possibly causing the error code to bleed through to the final out: return copied ? : err; and then to be wrongly returned if no data was copied because the caller didn't supply a data buffer, as demonstrated by the program available at http://pad.lv/1540731 Change it such that err is only set if an error condition was detected. Fixes: 3822b5c2fc62 ("af_unix: Revert 'lock_interruptible' in stream receive code") Reported-by: Joseph Salisbury <joseph.salisbury@canonical.com> Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* unix: correctly track in-flight fds in sending process user_structHannes Frederic Sowa2016-03-03
| | | | | | | | | | | | | | | | | | | | | | | | [ Upstream commit 415e3d3e90ce9e18727e8843ae343eda5a58fad6 ] The commit referenced in the Fixes tag incorrectly accounted the number of in-flight fds over a unix domain socket to the original opener of the file-descriptor. This allows another process to arbitrary deplete the original file-openers resource limit for the maximum of open files. Instead the sending processes and its struct cred should be credited. To do so, we add a reference counted struct user_struct pointer to the scm_fp_list and use it to account for the number of inflight unix fds. Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets") Reported-by: David Herrmann <dh.herrmann@gmail.com> Cc: David Herrmann <dh.herrmann@gmail.com> Cc: Willy Tarreau <w@1wt.eu> Cc: Linus Torvalds <torvalds@linux-foundation.org> Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* af_unix: fix struct pid memory leakEric Dumazet2016-03-03
| | | | | | | | | | | | | | | | [ Upstream commit fa0dc04df259ba2df3ce1920e9690c7842f8fa4b ] Dmitry reported a struct pid leak detected by a syzkaller program. Bug happens in unix_stream_recvmsg() when we break the loop when a signal is pending, without properly releasing scm. Fixes: b3ca9b02b007 ("net: fix multithreaded signal handling in unix recv routines") Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* unix: properly account for FDs passed over unix socketswilly tarreau2016-01-31
| | | | | | | | | | | | | | | | | | | | | [ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ] It is possible for a process to allocate and accumulate far more FDs than the process' limit by sending them over a unix socket then closing them to keep the process' fd count low. This change addresses this problem by keeping track of the number of FDs in flight per user and preventing non-privileged processes from having more FDs in flight than their configured FD limit. Reported-by: socketpair@gmail.com Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Mitigates: CVE-2013-4312 (Linux 2.0+) Suggested-by: Linus Torvalds <torvalds@linux-foundation.org> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: Willy Tarreau <w@1wt.eu> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* af_unix: Fix splice-bind deadlockRainer Weikusat2016-01-04
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice system call and AF_UNIX sockets, http://lists.openwall.net/netdev/2015/11/06/24 The situation was analyzed as (a while ago) A: socketpair() B: splice() from a pipe to /mnt/regular_file does sb_start_write() on /mnt C: try to freeze /mnt wait for B to finish with /mnt A: bind() try to bind our socket to /mnt/new_socket_name lock our socket, see it not bound yet decide that it needs to create something in /mnt try to do sb_start_write() on /mnt, block (it's waiting for C). D: splice() from the same pipe to our socket lock the pipe, see that socket is connected try to lock the socket, block waiting for A B: get around to actually feeding a chunk from pipe to file, try to lock the pipe. Deadlock. on 2015/11/10 by Al Viro, http://lists.openwall.net/netdev/2015/11/10/4 The patch fixes this by removing the kern_path_create related code from unix_mknod and executing it as part of unix_bind prior acquiring the readlock of the socket in question. This means that A (as used above) will sb_start_write on /mnt before it acquires the readlock, hence, it won't indirectly block B which first did a sb_start_write and then waited for a thread trying to acquire the readlock. Consequently, A being blocked by C waiting for B won't cause a deadlock anymore (effectively, both A and B acquire two locks in opposite order in the situation described above). Dmitry Vyukov(<dvyukov@google.com>) tested the original patch. Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* af_unix: Revert 'lock_interruptible' in stream receive codeRainer Weikusat2015-12-17
| | | | | | | | | | | | | | | | | | With b3ca9b02b00704053a38bfe4c31dbbb9c13595d0, the AF_UNIX SOCK_STREAM receive code was changed from using mutex_lock(&u->readlock) to mutex_lock_interruptible(&u->readlock) to prevent signals from being delayed for an indefinite time if a thread sleeping on the mutex happened to be selected for handling the signal. But this was never a problem with the stream receive code (as opposed to its datagram counterpart) as that never went to sleep waiting for new messages with the mutex held and thus, wouldn't cause secondary readers to block on the mutex waiting for the sleeping primary reader. As the interruptible locking makes the code more complicated in exchange for no benefit, change it back to using mutex_lock. Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: rename SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATAEric Dumazet2015-12-01
| | | | | | | | | | | | | | | | | | This patch is a cleanup to make following patch easier to review. Goal is to move SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA from (struct socket)->flags to a (struct socket_wq)->flags to benefit from RCU protection in sock_wake_async() To ease backports, we rename both constants. Two new helpers, sk_set_bit(int nr, struct sock *sk) and sk_clear_bit(int net, struct sock *sk) are added so that following patch can change their implementation. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* af-unix: passcred support for sendpageHannes Frederic Sowa2015-11-30
| | | | | | | | | | | | | | | sendpage did not care about credentials at all. This could lead to situations in which because of fd passing between processes we could append data to skbs with different scm data. It is illegal to splice those skbs together. Instead we have to allocate a new skb and if requested fill out the scm details. Fixes: 869e7c62486ec ("net: af_unix: implement stream sendpage support") Reported-by: Al Viro <viro@zeniv.linux.org.uk> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Eric Dumazet <edumazet@google.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* unix: avoid use-after-free in ep_remove_wait_queueRainer Weikusat2015-11-23
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Rainer Weikusat <rweikusat@mobileactivedefense.com> writes: An AF_UNIX datagram socket being the client in an n:1 association with some server socket is only allowed to send messages to the server if the receive queue of this socket contains at most sk_max_ack_backlog datagrams. This implies that prospective writers might be forced to go to sleep despite none of the message presently enqueued on the server receive queue were sent by them. In order to ensure that these will be woken up once space becomes again available, the present unix_dgram_poll routine does a second sock_poll_wait call with the peer_wait wait queue of the server socket as queue argument (unix_dgram_recvmsg does a wake up on this queue after a datagram was received). This is inherently problematic because the server socket is only guaranteed to remain alive for as long as the client still holds a reference to it. In case the connection is dissolved via connect or by the dead peer detection logic in unix_dgram_sendmsg, the server socket may be freed despite "the polling mechanism" (in particular, epoll) still has a pointer to the corresponding peer_wait queue. There's no way to forcibly deregister a wait queue with epoll. Based on an idea by Jason Baron, the patch below changes the code such that a wait_queue_t belonging to the client socket is enqueued on the peer_wait queue of the server whenever the peer receive queue full condition is detected by either a sendmsg or a poll. A wake up on the peer queue is then relayed to the ordinary wait queue of the client socket via wake function. The connection to the peer wait queue is again dissolved if either a wake up is about to be relayed or the client socket reconnects or a dead peer is detected or the client socket is itself closed. This enables removing the second sock_poll_wait from unix_dgram_poll, thus avoiding the use-after-free, while still ensuring that no blocked writer sleeps forever. Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com> Fixes: ec0d215f9420 ("af_unix: fix 'poll for write'/connected DGRAM sockets") Reviewed-by: Jason Baron <jbaron@akamai.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* af_unix: take receive queue lock while appending new skbHannes Frederic Sowa2015-11-17
| | | | | | | | | | | | | | | | | While possibly in future we don't necessarily need to use sk_buff_head.lock this is a rather larger change, as it affects the af_unix fd garbage collector, diag and socket cleanups. This is too much for a stable patch. For the time being grab sk_buff_head.lock without disabling bh and irqs, so don't use locked skb_queue_tail. Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support") Cc: Eric Dumazet <edumazet@google.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Reported-by: Eric Dumazet <edumazet@google.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* af_unix: don't append consumed skbs to sk_receive_queueHannes Frederic Sowa2015-11-16
| | | | | | | | | | | | | | | | | | | | | In case multiple writes to a unix stream socket race we could end up in a situation where we pre-allocate a new skb for use in unix_stream_sendpage but have to free it again in the locked section because another skb has been appended meanwhile, which we must use. Accidentally we didn't clear the pointer after consuming it and so we touched freed memory while appending it to the sk_receive_queue. So, clear the pointer after consuming the skb. This bug has been found with syzkaller (http://github.com/google/syzkaller) by Dmitry Vyukov. Fixes: 869e7c62486e ("net: af_unix: implement stream sendpage support") Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* af-unix: fix use-after-free with concurrent readers while splicingHannes Frederic Sowa2015-11-15
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | During splicing an af-unix socket to a pipe we have to drop all af-unix socket locks. While doing so we allow another reader to enter unix_stream_read_generic which can read, copy and finally free another skb. If exactly this skb is just in process of being spliced we get a use-after-free report by kasan. First, we must make sure to not have a free while the skb is used during the splice operation. We simply increment its use counter before unlocking the reader lock. Stream sockets have the nice characteristic that we don't care about zero length writes and they never reach the peer socket's queue. That said, we can take the UNIXCB.consumed field as the indicator if the skb was already freed from the socket's receive queue. If the skb was fully consumed after we locked the reader side again we know it has been dropped by a second reader. We indicate a short read to user space and abort the current splice operation. This bug has been found with syzkaller (http://github.com/google/syzkaller) by Dmitry Vyukov. Fixes: 2b514574f7e8 ("net: af_unix: implement splice for stream af_unix sockets") Reported-by: Dmitry Vyukov <dvyukov@google.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Eric Dumazet <eric.dumazet@gmail.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* af_unix: do not report POLLOUT on listenersEric Dumazet2015-10-25
| | | | | | | | | | | | | poll(POLLOUT) on a listener should not report fd is ready for a write(). This would break some applications using poll() and pfd.events = -1, as they would not block in poll() Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Alan Burlison <Alan.Burlison@oracle.com> Tested-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net/unix: fix logic about sk_peek_offsetAndrey Vagin2015-10-05
| | | | | | | | | | | | | | | | | Now send with MSG_PEEK can return data from multiple SKBs. Unfortunately we take into account the peek offset for each skb, that is wrong. We need to apply the peek offset only once. In addition, the peek offset should be used only if MSG_PEEK is set. Cc: "David S. Miller" <davem@davemloft.net> (maintainer:NETWORKING Cc: Eric Dumazet <edumazet@google.com> (commit_signer:1/14=7%) Cc: Aaron Conole <aconole@bytheb.org> Fixes: 9f389e35674f ("af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag") Signed-off-by: Andrey Vagin <avagin@openvz.org> Tested-by: Aaron Conole <aconole@bytheb.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* af_unix: return data from multiple SKBs on recv() with MSG_PEEK flagAaron Conole2015-09-29
| | | | | | | | | | | | | | | | | | | | | | | | AF_UNIX sockets now return multiple skbs from recv() when MSG_PEEK flag is set. This is referenced in kernel bugzilla #12323 @ https://bugzilla.kernel.org/show_bug.cgi?id=12323 As described both in the BZ and lkml thread @ http://lkml.org/lkml/2008/1/8/444 calling recv() with MSG_PEEK on an AF_UNIX socket only reads a single skb, where the desired effect is to return as much skb data has been queued, until hitting the recv buffer size (whichever comes first). The modified MSG_PEEK path will now move to the next skb in the tree and jump to the again: label, rather than following the natural loop structure. This requires duplicating some of the loop head actions. This was tested using the python socketpair python code attached to the bugzilla issue. Signed-off-by: Aaron Conole <aconole@bytheb.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* net/unix: support SCM_SECURITY for stream socketsStephen Smalley2015-06-10
| | | | | | | | | | | | | | | | SCM_SECURITY was originally only implemented for datagram sockets, not for stream sockets. However, SCM_CREDENTIALS is supported on Unix stream sockets. For consistency, implement Unix stream support for SCM_SECURITY as well. Also clean up the existing code and get rid of the superfluous UNIXSID macro. Motivated by https://bugzilla.redhat.com/show_bug.cgi?id=1224211, where systemd was using SCM_CREDENTIALS and assumed wrongly that SCM_SECURITY was also supported on Unix stream sockets. Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Paul Moore <paul@paul-moore.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/netDavid S. Miller2015-06-01
|\ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Conflicts: drivers/net/phy/amd-xgbe-phy.c drivers/net/wireless/iwlwifi/Kconfig include/net/mac80211.h iwlwifi/Kconfig and mac80211.h were both trivial overlapping changes. The drivers/net/phy/amd-xgbe-phy.c file got removed in 'net-next' and the bug fix that happened on the 'net' side is already integrated into the rest of the amd-xgbe driver. Signed-off-by: David S. Miller <davem@davemloft.net>
| * unix/caif: sk_socket can disappear when state is unlockedMark Salyzyn2015-05-26
| | | | | | | | | | | | | | | | | | | | | | got a rare NULL pointer dereference in clear_bit Signed-off-by: Mark Salyzyn <salyzyn@android.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> ---- v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: af_unix: implement splice for stream af_unix socketsHannes Frederic Sowa2015-05-25
| | | | | | | | | | | | | | | | | | | | unix_stream_recvmsg is refactored to unix_stream_read_generic in this patch and enhanced to deal with pipe splicing. The refactoring is inneglible, we mostly have to deal with a non-existing struct msghdr argument. Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: af_unix: implement stream sendpage supportHannes Frederic Sowa2015-05-25
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This patch implements sendpage support for AF_UNIX SOCK_STREAM sockets. This is also required for a complete splice implementation. The implementation is a bit tricky because we append to already existing skbs and so have to hold unix_sk->readlock to protect the reading side from either advancing UNIXCB.consumed or freeing the skb at the socket receive tail. Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* | net: Pass kern from net_proto_family.create to sk_allocEric W. Biederman2015-05-11
|/ | | | | | | | | In preparation for changing how struct net is refcounted on kernel sockets pass the knowledge that we are creating a kernel socket from sock_create_kern through to sk_alloc. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* VFS: net/unix: d_backing_inode() annotationsDavid Howells2015-04-15
| | | | | | | places where we are dealing with S_ISSOCK file creation/lookups. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* VFS: AF_UNIX sockets should call mknod on the top layer onlyDavid Howells2015-04-15
| | | | | | | | AF_UNIX sockets should call mknod on the top layer only and should not attempt to modify the lower layer in a layered filesystem such as overlayfs. Signed-off-by: David Howells <dhowells@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* net: Remove iocb argument from sendmsg and recvmsgYing Xue2015-03-02
| | | | | | | | | | | | | | After TIPC doesn't depend on iocb argument in its internal implementations of sendmsg() and recvmsg() hooks defined in proto structure, no any user is using iocb argument in them at all now. Then we can drop the redundant iocb argument completely from kinds of implementations of both sendmsg() and recvmsg() in the entire networking stack. Cc: Christoph Hellwig <hch@lst.de> Suggested-by: Al Viro <viro@ZenIV.linux.org.uk> Signed-off-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>
* net: remove sock_iocbChristoph Hellwig2015-01-28
| | | | | | | | | | | The sock_iocb structure is allocate on stack for each read/write-like operation on sockets, and contains various fields of which only the embedded msghdr and sometimes a pointer to the scm_cookie is ever used. Get rid of the sock_iocb and put a msghdr directly on the stack and pass the scm_cookie explicitly to netlink_mmap_sendmsg. Signed-off-by: Christoph Hellwig <hch@lst.de> Signed-off-by: David S. Miller <davem@davemloft.net>
* put iov_iter into msghdrAl Viro2014-12-09
| | | | | | | | Note that the code _using_ ->msg_iter at that point will be very unhappy with anything other than unshifted iovec-backed iov_iter. We still need to convert users to proper primitives. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* switch AF_PACKET and AF_UNIX to skb_copy_datagram_from_iter()Al Viro2014-11-24
| | | | | | ... and kill skb_copy_datagram_iovec() Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
* net: Add and use skb_copy_datagram_msg() helper.David S. Miller2014-11-05
| | | | | | | | | | | | | | | This encapsulates all of the skb_copy_datagram_iovec() callers with call argument signature "skb, offset, msghdr->msg_iov, length". When we move to iov_iters in the networking, the iov_iter object will sit in the msghdr. Having a helper like this means there will be less places to touch during that transformation. Based upon descriptions and patch from Al Viro. Signed-off-by: David S. Miller <davem@davemloft.net>