49eea524bebea0d2b7dfa1c709a6694de808eb8a
45406 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Linux Build Service Account
|
4409544bff | Merge "msm: wlan: Remove DSRC channels for US" | ||
|
Linux Build Service Account
|
8f8b5140bd |
Merge "Merge android-4.9.92 (9c3fb9c) into msm-4.9"
|
||
|
Linux Build Service Account
|
78667dedc6 |
Merge "Merge android-4.9.90 (dd1e37e) into msm-4.9"
|
||
|
Amar Singhal
|
1d377732fd |
msm: wlan: Remove DSRC channels for US
DSRC channels are not required when SRD channels are enabled. Therefore remove them. Signed-off-by: Amar Singhal <asinghal@codeaurora.org> Change-Id: I1b2937c45d43d31c5689c7c4d134fcfb9a265b0e CRs-Fixed: 2174850 |
||
|
Amar Singhal
|
261feedf5a |
msm: wlan: Add support for UNI-III ETSI sub-band
Per the EU STD. ETSI EN 300 440, sub-band 5725-5875 is allowed in EU at reduced power of 25 mW. Add the sub-band to the EU countries that support this sub-band. Change-Id: I0a43e99c4357527f607110faecddd9d0fd444fc6 Signed-off-by: Amar Singhal <asinghal@codeaurora.org> CRs-Fixed: 2141740 |
||
|
Linux Build Service Account
|
1e3777b2af | Merge "net: ipc_router: Remove wakeup-source for Sensor ports" | ||
|
Arun Kumar Neelakantam
|
029e846b98 |
net: ipc_router: Remove wakeup-source for Sensor ports
In high speed sensor data stream case system is not entering into suspend state due to edge and port specific wake-up sources. Add flag to check and avoid the wakeup sources for all sensor ports. CRs-Fixed: 2196601 Change-Id: Ibf642619b969925dc96e8a57e11f7e349b85c024 Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org> |
||
|
Avraham Stern
|
d016c0752b |
cfg80211: clear wep keys after disconnection
When a low level driver calls cfg80211_disconnected(), wep keys are
not cleared. As a result, following connection requests will fail
since cfg80211 internal state shows a connection is still in progress.
Fix this by clearing the wep keys when disconnecting.
Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: 3027a8e799b20fc922496a12f8ad2f9f36a8a696
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
Change-Id: If86c857b350d3941e016108d44c60ab9b583f7a3
CRs-Fixed:
|
||
|
Linux Build Service Account
|
7b8d25237c | Merge "net: core: Release neigh lock when neigh_probe is enabled" | ||
|
Blagovest Kolenichev
|
427fd2195c |
Merge android-4.9.92 (9c3fb9c) into msm-4.9
* refs/heads/tmp-9c3fb9c: Linux 4.9.92 net: hns: Fix a skb used after free bug kcm: lock lower socket in kcm_attach net: systemport: Rewrite __bcm_sysport_tx_reclaim() s390/qeth: on channel error, reject further cmd requests s390/qeth: lock read device while queueing next buffer s390/qeth: when thread completes, wake up all waiters s390/qeth: free netdevice when removing a card soc/fsl/qbman: fix issue in qman_delete_cgr_safe() team: Fix double free in error path skbuff: Fix not waking applications when errors are enqueued net: Only honor ifindex in IP_PKTINFO if non-0 netlink: avoid a double skb free in genlmsg_mcast() net/iucv: Free memory obtained by kzalloc net: fec: Fix unbalanced PM runtime calls net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred l2tp: do not accept arbitrary sockets ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() dccp: check sk for closed state in dccp_sendmsg() net: Fix hlist corruptions in inet_evict_bucket() net: use skb_to_full_sk() in skb_update_prio() ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() sch_netem: fix skb leak in netem_enqueue() rhashtable: Fix rhlist duplicates insertion ppp: avoid loop in xmit recursion detection code net sched actions: return explicit error when tunnel_key mode is not specified Revert "genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs" scsi: sg: don't return bogus Sg_requests Revert "genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs" Change-Id: I539eaf561b5aa70589d886052d160c71a79145ad Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org> |
||
|
Blagovest Kolenichev
|
dc9767ff92 |
Merge android-4.9.90 (dd1e37e) into msm-4.9
* refs/heads/tmp-dd1e37e: Linux 4.9.90 usb: gadget: f_hid: fix: Move IN request allocation to set_alt() RDMA/ucma: Don't allow join attempts for unsupported AF family RDMA/ucma: Fix access to non-initialized CM_ID object clk: migrate the count of orphaned clocks at init IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq IB/mlx5: Fix integer overflows in mlx5_ib_create_srq dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 clk: si5351: Rename internal plls to avoid name collisions clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() clk: Don't touch hardware when reparenting during registration nfsd4: permit layoutget of executable-only files ARM: dts: aspeed-evb: Add unit name to memory node RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS ip6_vti: adjust vti mtu according to mtu of lower device iommu/vt-d: clean up pr_irq if request_threaded_irq fails pinctrl: rockchip: enable clock when reading pin direction register pinctrl: Really force states during suspend/resume coresight: Fix disabling of CoreSight TPIU pty: cancel pty slave port buf's work in tty_release drm/omap: DMM: Check for DMM readiness after successful transaction commit omapdrm: panel: fix compatible vendor string for td028ttec1 vgacon: Set VGA struct resource types iser-target: avoid reinitializing rdma contexts for isert commands IB/umem: Fix use of npages/nmap fields RDMA/cma: Use correct size when writing netlink stats IB/ipoib: Avoid memory leak if the SA returns a different DGID mmc: avoid removing non-removable hosts during suspend drm/tilcdc: ensure nonatomic iowrite64 is not used dmaengine: zynqmp_dma: Fix race condition in the probe platform/chrome: Use proper protocol transfer function watchdog: Fix potential kref imbalance when opening watchdog cros_ec: fix nul-termination for firmware build info serial: 8250_dw: Disable clock on error qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart ath10k: handling qos at STA side based on AP WMM enable/disable media: bt8xx: Fix err 'bt878_probe()' rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled. RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() drm/msm: fix leak in failed get_pages media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt Bluetooth: btqcomsmd: Fix skb double free corruption Bluetooth: hci_qca: Avoid setup failure on missing rampatch block/mq: Cure cpu hotplug lock inversion perf tests kmod-path: Don't fail if compressed modules aren't supported ath10k: fix out of bounds access to local buffer rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page mm, vmstat: suppress pcp stats for unpopulated zones in zoneinfo mm: fix check for reclaimable pages in PF_MEMALLOC reclaim throttling cifs: small underflow in cnvrtDosUnixTm() net: hns: fix ethtool_get_strings overflow in hns driver pNFS: Fix a deadlock when coalescing writes and returning the layout sm501fb: don't return zero on failure path in sm501fb_start() video: fbdev: udlfb: Fix buffer on stack x86/xen: split xen_smp_prepare_boot_cpu() tcm_fileio: Prevent information leak for short reads ia64: fix module loading for gcc-5.4 ACPI / power: Delay turning off unused power resources after suspend md/raid10: skip spare disk as 'first' disk IB/rxe: Don't clamp residual length to mtu Input: twl4030-pwrbutton - use correct device for irq request power: supply: pda_power: move from timer to delayed_work power: supply: isp1704: Fix unchecked return value of devm_kzalloc power: supply: bq24190_charger: Add disable-reset device-property bnx2x: Align RX buffers qed: Unlock on error in qed_vf_pf_acquire() vxlan: correctly handle ipv6.disable module parameter Bluetooth: hci_ldisc: Add protocol check to hci_uart_tx_wakeup() Bluetooth: hci_ldisc: Add protocol check to hci_uart_dequeue() soc/fsl/qe: round brg_freq to 1kHz granularity net: ethernet: ucc_geth: fix MEM_PART_MURAM mode ixgbevf: fix size of queue stats length jbd2: Fix lockdep splat with generic/270 test drm/nouveau/kms: Increase max retries in scanout position queries. drm/amdgpu: fix gpu reset crash ACPI / PMIC: xpower: Fix power_table addresses ipmi/watchdog: fix wdog hang on panic waiting for ipmi response platform/x86: asus-wmi: try to set als by default IB/hfi1: Fix softlockup issue IB/rdmavt: restore IRQs on error path in rvt_create_ah() ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP netfilter: x_tables: unlock on error in xt_find_table_lock() mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a mac80211: Fix possible sband related NULL pointer de-reference ipvs: explicitly forbid ipv6 service/dest creation if ipv6 mod is disabled staging: wilc1000: fix unchecked return value staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK set to y gpio: gpio-wcove: fix GPIO IRQ status mask x86/KASLR: Fix kexec kernel boot crash when KASLR randomization fails mtip32xx: use runtime tag to initialize command header mfd: palmas: Reset the POWERHOLD mux during power off dt-bindings: mfd: axp20x: Add "xpowers,master-mode" property for AXP806 PMICs iio: hid-sensor: fix return of -EINVAL on invalid values in ret or value ACPICA: iasl: Fix IORT SMMU GSI disassembling mac80211: don't parse encrypted management frames in ieee80211_frame_acked orangefs: do not wait for timeout if umounting Btrfs: fix extent map leak during fallocate error path Btrfs: send, fix file hole not being preserved due to inline extent Btrfs: fix incorrect space accounting after failure to insert inline extent rndis_wlan: add return value validation libertas: check return value of alloc_workqueue mt7601u: check return value of alloc_skb iio: st_pressure: st_accel: Initialise sensor platform data properly NFS: don't try to cross a mountpount when there isn't one there. xprtrdma: Cancel refresh worker during buffer shutdown pNFS: Fix use after free issues in pnfs_do_read() infiniband/uverbs: Fix integer overflows scsi: mac_esp: Replace bogus memory barrier with spinlock platform/x86: intel-vbtn: add volume up and down netfilter: nft_dynset: continue to next expr if _OP_ADD succeeded qlcnic: fix unchecked return value wan: pc300too: abort path on failure tipc: check return value of nlmsg_new mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR() netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink openvswitch: Delete conntrack entry clashing with an expectation. netfilter: xt_CT: fix refcnt leak on error path gpio: gpio-wcove: fix irq pending status bit width Fix Express lane queue creation. Fix driver usage of 128B WQEs when WQ_CREATE is V1. netvsc: Deal with rescinded channels correctly ibmvnic: Disable irq prior to close ASoC: Intel: Skylake: Uninitialized variable in probe_codec() IB/mlx5: Set correct SL in completion for RoCE IB/mlx5: Change vma from shared to private IB/mlx5: Take write semaphore when changing the vma struct IB/mlx4: Change vma from shared to private IB/mlx4: Take write semaphore when changing the vma struct HSI: ssi_protocol: double free in ssip_pn_xmit() IB/ipoib: Update broadcast object if PKey value was changed in index 0 IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow ALSA: hda - Fix headset microphone detection for ASUS N551 and N751 e1000e: fix timing for 82579 Gigabit Ethernet controller tcp: remove poll() flakes with FastOpen NFS: Fix missing pg_cleanup after nfs_pageio_cond_complete() md/raid10: wait up frozen array in handle_write_completed iommu/omap: Register driver before setting IOMMU ops irqchip/mips-gic: Separate IPI reservation & usage tracking ARM: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER x86/reboot: Turn off KVM when halting a CPU mwifiex: don't leak 'chan_stats' on reset KVM: PPC: Book3S PR: Exit KVM on failed mapping scsi: virtio_scsi: Always try to read VPD pages iwlwifi: a000: fix memory offsets and lengths iwlwifi: split the handler and the wake parts of the notification infra clk: ns2: Correct SDIO bits ath: Fix updating radar flags for coutry code India powerpc/64s: Remove SAO feature from Power9 DD1 spi: dw: Disable clock after unregistering the host tools/testing/nvdimm: fix nfit_test shutdown crash ASoC: Intel: Atom: update Thinkpad 10 quirk btrfs: fix a bogus warning when converting only data or metadata media/dvb-core: Race condition when writing to CAM net: ipv6: send unsolicited NA on admin up i2c: i2c-scmi: add a MS HID genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs cpufreq/sh: Replace racy task affinity logic ACPI/processor: Replace racy task affinity logic ACPI/processor: Fix error handling in __acpi_processor_start() time: Change posix clocks ops interfaces to use timespec64 Input: ar1021_i2c - fix too long name in driver's device table rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs x86: i8259: export legacy_pic symbol power: supply: bq24190_charger: Limit over/under voltage fault logging regulator: anatop: set default voltage selector for pcie bonding: handle link transition from FAIL to UP correctly platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA led: core: Clear LED_BLINK_SW flag in led_blink_set() Revert "led: core: Fix brightness setting when setting delay_off=0" staging: android: ashmem: Fix possible deadlock in ashmem_ioctl CIFS: Enable encryption during session setup phase SMB3: Validate negotiate request must always be signed ASoC: rsnd: check src mod pointer for rsnd_mod_id() tpm: fix potential buffer overruns caused by bit glitches on the bus BACKPORT, FROMLIST: crypto: arm64/speck - add NEON-accelerated implementation of Speck-XTS ANDROID: debugobjects: Make stack check warning more informative PM / OPP: list_del_rcu should be used in function _remove_opp_dev trace/sched: Fix compilation for 32 bit systems sched/fair: select the most energy-efficient CPU candidate on wake-up sched/fair: fix array out of bounds access in select_energy_cpu_idx() sched/fair: use min capacity when evaluating active cpus sched/fair: use min capacity when evaluating idle backup cpus sched/fair: use min capacity when evaluating placement energy costs sched/fair: introduce minimum capacity capping sched feature arm/topology: link arch_scale_min_freq_capacity to cpufreq arm64/topology: link arch_scale_min_freq_capacity to cpufreq sched: add arch_scale_min_freq_capacity to track minimum capacity caps cpufreq: add scaled minimum capacity tracking for policy changes arm64: enable max frequency capping arm: enable max frequency capping cpufreq: implement max frequency capping sched/fair: introduce an arch scaling function for max frequency capping cpufreq: remove max frequency capping from scale_freq_capacity() Revert "ANDROID: cpufreq: Max freq invariant scheduler load-tracking and cpu capacity support" Revert "ANDROID: arm: Enable max freq invariant scheduler load-tracking and capacity support" Revert "ANDROID: arm64: Enable max freq invariant scheduler load-tracking and capacity support" sched/fair: reduce rounding errors in energy computations sched/fair: re-factor energy_diff to use a single (extensible) energy_env sched/fair: cleanup select_energy_cpu_brute to be more consistent sched/fair: remove capacity tracking from energy_diff sched/fair: remove energy_diff tracepoint in preparation to re-factoring sched/fair: use *p to reference task_structs sched: EAS: Fix the calculation of group util in group_idle_state() Conflicts: drivers/clk/clk.c drivers/gpu/drm/msm/msm_gem.c include/trace/events/sched.h kernel/sched/fair.c kernel/sched/features.h Change-Id: I875b8c298dc6a8151abf740126a2d1881d498203 Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org> |
||
|
Blagovest Kolenichev
|
39b8bb4d84 |
Merge android-4.9.89 (960923f) into msm-4.9
* refs/heads/tmp-960923f:
Linux 4.9.89
usb: gadget: bdc: 64-bit pointer capability check
usb: dwc3: Fix GDBGFIFOSPACE_TYPE values
USB: gadget: udc: Add missing platform_device_put() on error in bdc_pci_probe()
scsi: qla2xxx: Fix extraneous ref on sp's after adapter break
btrfs: Fix use-after-free when cleaning up fs_devs with a single stale device
btrfs: alloc_chunk: fix DUP stripe size handling
scsi: sg: only check for dxfer_len greater than 256M
scsi: sg: fix static checker warning in sg_is_valid_dxfer
scsi: sg: fix SG_DXFER_FROM_DEV transfers
irqchip/gic-v3-its: Ensure nr_ites >= nr_lpis
fs/aio: Use RCU accessors for kioctx_table->table[]
fs/aio: Add explicit RCU grace period when freeing kioctx
lock_parent() needs to recheck if dentry got __dentry_kill'ed under it
fs: Teach path_connected to handle nfs filesystems with multiple roots.
drm/amdgpu/dce: Don't turn off DP sink when disconnected
drm/amdgpu: fix prime teardown order
ALSA: seq: Clear client entry before deleting else at closing
ALSA: seq: Fix possible UAF in snd_seq_check_queue()
ALSA: hda - Revert power_save option default value
ALSA: pcm: Fix UAF in snd_pcm_oss_get_formats()
parisc: Handle case where flush_cache_range is called with no context
x86/mm: Fix vmalloc_fault to use pXd_large
x86/speculation: Remove Skylake C2 from Speculation Control microcode blacklist
x86/speculation, objtool: Annotate indirect calls/jumps for objtool on 32-bit kernels
x86/vm86/32: Fix POPF emulation
selftests/x86/entry_from_vm86: Add test cases for POPF
selftests/x86: Add tests for the STR and SLDT instructions
selftests/x86: Add tests for User-Mode Instruction Prevention
selftests/x86/entry_from_vm86: Exit with 1 if we fail
x86/cpufeatures: Add Intel PCONFIG cpufeature
x86/boot/32: Fix UP boot on Quark and possibly other platforms
net: hns: Some checkpatch.pl script & warning fixes
ima: relax requiring a file signature for new files with zero length
locking/locktorture: Fix num reader/writer corner cases
rcutorture/configinit: Fix build directory error message
ipvlan: add L2 check for packets arriving via virtual devices
ASoC: nuc900: Fix a loop timeout test
mac80211: remove BUG() when interface type is invalid
mac80211_hwsim: enforce PS_MANUAL_POLL to be set after PS_ENABLED
agp/intel: Flush all chipset writes after updating the GGTT
powerpc/modules: Don't try to restore r2 after a sibling call
drm/amdkfd: Fix memory leaks in kfd topology
veth: set peer GSO values
media: cpia2: Fix a couple off by one bugs
media: vsp1: Prevent suspending and resuming DRM pipelines
scsi: dh: add new rdac devices
scsi: devinfo: apply to HP XP the same flags as Hitachi VSP
scsi: core: scsi_get_device_flags_keyed(): Always return device flags
bnxt_en: Don't print "Link speed -1 no longer supported" messages.
spi: sun6i: disable/unprepare clocks on remove
tools/usbip: fixes build with musl libc toolchain
ath10k: fix invalid STS_CAP_OFFSET_MASK
mwifiex: cfg80211: do not change virtual interface during scan processing
clk: qcom: msm8916: fix mnd_width for codec_digcodec
pwm: stmpe: Fix wrong register offset for hwpwm=2 case
scsi: ses: don't ask for diagnostic pages repeatedly during probe
ath10k: update tdls teardown state to target
power: supply: ab8500_charger: Bail out in case of error in 'ab8500_charger_init_hw_registers()'
power: supply: ab8500_charger: Fix an error handling path
leds: pm8058: Silence pointer to integer size warning
userns: Don't fail follow_automount based on s_user_ns
mtd: nand: ifc: update bufnum mask for ver >= 2.0.0
ARM: dts: omap3-n900: Fix the audio CODEC's reset pin
ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin
net: thunderx: Set max queue count taking XDP_TX into account
mtd: nand: fix interpretation of NAND_CMD_NONE in nand_command[_lp]()
net: xfrm: allow clearing socket xfrm policies.
net: ieee802154: adf7242: Fix bug if defined DEBUG
test_firmware: fix setting old custom fw path back on exit
sched: Stop resched_cpu() from sending IPIs to offline CPUs
sched: Stop switched_to_rt() from sending IPIs to offline CPUs
ARM: dts: exynos: Correct Trats2 panel reset line
clk: meson: gxbb: fix wrong clock for SARADC/SANA
iwlwifi: mvm: rs: don't override the rate history in the search cycle
HID: elo: clear BTN_LEFT mapping
video/hdmi: Allow "empty" HDMI infoframes
drm/edid: set ELD connector type in drm_edid_to_eld()
mwifiex: Fix invalid port issue
perf stat: Fix bug in handling events in error state
wil6210: fix memory access violation in wil_memcpy_from/toio_32
wil6210: fix protection against connections during reset
ath10k: fix compile time sanity check for CE4 buffer size
mac80211_hwsim: use per-interface power level
Bluetooth: 6lowpan: fix delay work init in add_peer_chan()
Bluetooth: Avoid bt_accept_unlink() double unlinking
clk: qcom: msm8996: Fix the vfe1 powerdomain name
pwm: tegra: Increase precision in PWM rate calculation
kprobes/x86: Set kprobes pages read-only
kprobes/x86: Fix kprobe-booster not to boost far call instructions
ALSA: hda: Add Geminilake id to SKL_PLUS
scsi: sg: close race condition in sg_remove_sfp_usercontext()
scsi: sg: check for valid direction before starting the request
vfio/spapr_tce: Check kzalloc() return when preregistering memory
vfio/powerpc/spapr_tce: Enforce IOMMU type compatibility check
perf session: Don't rely on evlist in pipe mode
net: fec: add phy-reset-gpios PROBE_DEFER check
perf inject: Copy events when reordering events in pipe mode
drivers/perf: arm_pmu: handle no platform_device
iwlwifi: mvm: fix RX SKB header size and align it properly
perf evsel: Return exact sub event which failed with EPERM for wildcards
usb: gadget: dummy_hcd: Fix wrong power status bit clear/reset in dummy_hub_control()
usb: dwc2: Make sure we disconnect the gadget state
powerpc/nohash: Fix use of mmu_has_feature() in setup_initial_memory_limit()
md.c:didn't unlock the mddev before return EINVAL in array_size_store
md/raid6: Fix anomily when recovering a single device in RAID6.
regulator: isl9305: fix array size
v4l: vsp1: Register pipe with output WPF
v4l: vsp1: Prevent multiple streamon race commencing pipeline early
MIPS: r2-on-r6-emu: Clear BLTZALL and BGEZALL debugfs counters
MIPS: r2-on-r6-emu: Fix BLEZL and BGTZL identification
MIPS: BPF: Fix multiple problems in JIT skb access helpers.
MIPS: BPF: Quit clobbering callee saved registers in JIT code.
serial: imx: setup DCEDTE early and ensure DCD and RI irqs to be off
tty: amba-pl011: Fix spurious TX interrupts
lkdtm: turn off kcov for lkdtm_rodata_do_nothing:
coresight: Fixes coresight DT parse to get correct output port ID.
i40e: only register client on iWarp-capable devices
drm/rockchip: vop: Enable pm domain before vop_initial
drm/amdgpu: Fail fb creation from imported dma-bufs. (v2)
drm/radeon: Fail fb creation from imported dma-bufs.
video: ARM CLCD: fix dma allocation size
kvm: nVMX: Disallow userspace-injected exceptions in guest mode
kvm/svm: Setup MCG_CAP on AMD properly
iommu/iova: Fix underflow bug in __alloc_and_insert_iova_range
apparmor: Make path_max parameter readonly
qed: Correct MSI-x for storage
scsi: ses: don't get power status of SES device slot on probe
EDAC, altera: Fix peripheral warnings for Cyclone5
fm10k: correctly check if interface is removed
ALSA: firewire-digi00x: handle all MIDI messages on streaming packets
ALSA: firewire-digi00x: add support for console models of Digi00x series
IB/hfi1: Check for QSFP presence before attempting reads
ASoC: rt5677: Add OF device ID table
reiserfs: Make cancel_old_flush() reliable
ARM: dts: koelsch: Correct clock frequency of X2 DU clock input
drm: rcar-du: Handle event when disabling CRTCs
printk: Correctly handle preemption in console_unlock()
rtmutex: Fix PI chain order integrity
qed: Fix TM block ILT allocation
net/faraday: Add missing include of of.h
net: hns: Correct HNS RSS key set function
powerpc: Avoid taking a data miss on every userspace instruction miss
ARM: dts: r8a7793: Correct parent of SSI[0-9] clocks
ARM: dts: r8a7791: Correct parent of SSI[0-9] clocks
ARM: dts: r8a7790: Correct parent of SSI[0-9] clocks
ARM: dts: r7s72100: fix ethernet clock parent
NFC: pn533: change order of free_irq and dev unregistration
NFC: nfcmrvl: double free on error path
NFC: nfcmrvl: Include unaligned.h instead of access_ok.h
vxlan: vxlan dev should inherit lowerdev's gso_max_size
drm/vmwgfx: Fixes to vmwgfx_fb
braille-console: Fix value returned by _braille_console_setup
powerpc/mm/hugetlb: Filter out hugepage size not supported by page table layout
PCI: Apply Cavium ACS quirk only to CN81xx/CN83xx/CN88xx devices
bonding: refine bond_fold_stats() wrap detection
drm/ttm: never add BO that failed to validate to the LRU list
f2fs: relax node version check for victim data in gc
perf trace: Handle unpaired raw_syscalls:sys_exit event
regulator: core: Limit propagation of parent voltage count and list
blk-throttle: make sure expire time isn't too big
ARM: dts: silk: Correct clock of DU1
ARM: dts: r8a7794: Correct clock of DU1
ARM: dts: r8a7794: Add DU1 clock to device tree
ALSA: firewire-lib: add a quirk of packet without valid EOH in CIP format
mm: Fix false-positive VM_BUG_ON() in page_cache_{get,add}_speculative()
bonding: make speed, duplex setting consistent with link state
driver: (adm1275) set the m,b and R coefficients correctly for power
scsi: be2iscsi: Check tag in beiscsi_mccq_compl_wait
i40e/i40evf: Fix use after free in Rx cleanup path
perf buildid: Do not assume that readlink() returns a null terminated string
perf annotate: Fix a bug following symbolic link of a build-id file
ARM: dts: bcm2835: add index to the ethernet alias
usb: dwc3: make sure UX_EXIT_PX is cleared
dmaengine: imx-sdma: add 1ms delay to ensure SDMA channel is stopped
tcp: sysctl: Fix a race to avoid unexpected 0 window from space
spi: omap2-mcspi: poll OMAP2_MCSPI_CHSTAT_RXS for PIO transfer
ASoC: rcar: ssi: don't set SSICR.CKDV = 000 with SSIWSR.CONT
PCI: hv: Lock PCI bus on device eject
PCI: hv: Properly handle PCI bus remove
sched: act_csum: don't mangle TCP and UDP GSO packets
Input: qt1070 - add OF device ID table
sysrq: Reset the watchdog timers while displaying high-resolution timers
timers, sched_clock: Update timeout for clock wrap
media: i2c/soc_camera: fix ov6650 sensor getting wrong clock
scsi: ipr: Fix missed EH wakeup
scsi: fnic: Fix for "Number of Active IOs" in fnicstats becoming negative
x86/boot/32: Defer resyncing initial_page_table until per-cpu is set up
solo6x10: release vb2 buffers in solo_stop_streaming()
of: fix of_device_get_modalias returned length when truncating buffers
batman-adv: handle race condition for claims between gateways
zd1211rw: fix NULL-deref at probe
s390/topology: fix typo in early topology code
qed: Always publish VF link from leading hwfn
ARM: dts: Adjust moxart IRQ controller and flags
net/8021q: create device with all possible features in wanted_features
HID: clamp input to logical range if no null state
perf probe: Return errno when not hitting any event
perf probe: Fix concat_probe_trace_events
omapfb: dss: Handle return errors in dss_init_ports()
x86/mce: Init some CPU features early
netem: apply correct delay when rate throttling
net: ethernet: bgmac: Allow MAC address to be specified in DTB
ARM: bcm2835: Enable missing CMA settings for VC4 driver
usb: misc: lvs: fix race condition in disconnect handling
ath10k: fix fetching channel during potential radar detection
ath10k: disallow DFS simulation if DFS channel is not enabled
drm: Defer disabling the vblank IRQ until the next interrupt (for instant-off)
drivers: net: xgene: Fix Rx checksum validation logic
drivers: net: xgene: Fix wrong logical operation
drivers: net: phy: xgene: Fix mdio write
drivers: net: xgene: Fix hardware checksum setting
ARM: brcmstb: Enable ZONE_DMA for non 64-bit capable peripherals
perf tools: Make perf_event__synthesize_mmap_events() scale
i40e: fix ethtool to get EEPROM data from X722 interface
i40e: Acquire NVM lock before reads on all devices
eventpoll.h: fix epoll event masks
x86/mce: Handle broadcasted MCE gracefully with kexec
perf sort: Fix segfault with basic block 'cycles' sort dimension
x86/mm: Make mmap(MAP_32BIT) work correctly
selinux: check for address length in selinux_socket_bind()
PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()
drm/sun4i: Fix TCON clock and regmap initialization sequence
ath10k: fix a warning during channel switch with multiple vaps
drm/sun4i: Set drm_crtc.port to the underlying TCON's output port node
drm/sun4i: Fix up error path cleanup for master bind function
arm64: dts: r8a7796: Remove unit-address and reg from integrated cache
ARM: dts: r8a7794: Remove unit-address and reg from integrated cache
ARM: dts: r8a7793: Remove unit-address and reg from integrated cache
ARM: dts: r8a7792: Remove unit-address and reg from integrated cache
ARM: dts: r8a7791: Remove unit-address and reg from integrated cache
drm: qxl: Don't alloc fbdev if emulation is not supported
HID: reject input outside logical range only if null state is set
staging: wilc1000: add check for kmalloc allocation failure.
staging: speakup: Replace BUG_ON() with WARN_ON().
perf stat: Issue a HW watchdog disable hint
Input: tsc2007 - check for presence and power down tsc2007 during probe
blkcg: fix double free of new_blkg in blkcg_init_queue
staging: android: ashmem: Fix possible deadlock in ashmem_ioctl
Conflicts:
drivers/net/wireless/ath/wil6210/main.c
drivers/usb/dwc3/core.h
Change-Id: I2d77962cfc3dbc8b051ba51bf10b577d327ffaa9
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
||
|
Blagovest Kolenichev
|
aa71c72742 |
Merge android-4.9.88 (bb52bba) into msm-4.9
* refs/heads/tmp-bb52bba: Linux 4.9.88 PCI: dwc: Fix enumeration end when reaching root subordinate earlycon: add reg-offset to physical address before mapping serial: core: mark port as initialized in autoconfig serial: 8250_pci: Add Brainboxes UC-260 4 port serial device usb: gadget: f_fs: Fix use-after-free in ffs_fs_kill_sb() usb: usbmon: Read text within supplied buffer size usb: quirks: add control message delay for 1b1c:1b20 usbip: vudc: fix null pointer dereference on udc->lock USB: storage: Add JMicron bridge 152d:2567 to unusual_devs.h staging: android: ashmem: Fix lockdep issue during llseek staging: comedi: fix comedi_nsamples_left. uas: fix comparison for error code tty/serial: atmel: add new version check for usart serial: sh-sci: prevent lockup on full TTY buffers ASoC: rt5651: Fix regcache sync errors on resume ASoC: sgtl5000: Fix suspend/resume x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 x86/module: Detect and skip invalid relocations NFS: Fix unstable write completion NFS: Fix an incorrect type in struct nfs_direct_req scsi: qla2xxx: Replace fcport alloc with qla2x00_alloc_fcport ubi: Fix race condition between ubi volume creation and udev ext4: inplace xattr block update fails to deduplicate blocks netfilter: x_tables: pack percpu counter allocations netfilter: x_tables: pass xt_counters struct to counter allocator netfilter: x_tables: pass xt_counters struct instead of packet counter netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt netfilter: bridge: ebt_among: add missing match size checks netfilter: ebtables: CONFIG_COMPAT: don't trust userland offsets netfilter: IDLETIMER: be syzkaller friendly netfilter: nat: cope with negative port range netfilter: x_tables: fix missing timer initialization in xt_LED netfilter: add back stackpointer size checks tc358743: fix register i2c_rd/wr function fix Input: tca8418_keypad - remove double read of key event register ARM: omap2: hide omap3_save_secure_ram on non-OMAP3 builds watchdog: hpwdt: Remove legacy NMI sourcing. watchdog: hpwdt: fix unused variable warning watchdog: hpwdt: Check source of NMI watchdog: hpwdt: SMBIOS check x86/paravirt, objtool: Annotate indirect calls x86/speculation: Move firmware_restrict_branch_speculation_*() from C to CPP x86/boot, objtool: Annotate indirect jump in secondary_startup_64() x86/speculation, objtool: Annotate indirect calls/jumps for objtool x86/retpoline: Support retpoline builds with Clang x86/speculation: Use IBRS if available before calling into firmware Revert "x86/retpoline: Simplify vmexit_fill_RSB()" nospec: Include <asm/barrier.h> dependency nospec: Kill array_index_nospec_mask_check() ALSA: hda: add dock and led support for HP ProBook 640 G2 ALSA: hda: add dock and led support for HP EliteBook 820 G3 ALSA: seq: More protection for concurrent write and ioctl races ALSA: seq: Don't allow resizing pool in use ALSA: hda/realtek - Make dock sound work on ThinkPad L570 ALSA: hda/realtek - Fix dock line-out volume on Dell Precision 7520 ALSA: hda/realtek: Limit mic boost on T480 x86/spectre_v2: Don't check microcode versions when running under hypervisors perf tools: Fix trigger class trigger_on() x86/MCE: Serialize sysfs changes bcache: don't attach backing with duplicate UUID bcache: fix crashes in duplicate cache device register IB/mlx5: Fix incorrect size of klms in the memory region kbuild: Handle builtin dtb file names containing hyphens KVM: s390: fix memory overwrites when not using SCA entries virtio_ring: fix num_free handling in error case loop: Fix lost writes caused by missing flag Input: matrix_keypad - fix race when disabling interrupts MIPS: OCTEON: irq: Check for null return on kzalloc allocation MIPS: ath25: Check for kzalloc allocation failure MIPS: BMIPS: Do not mask IPIs during suspend drm/amdgpu:Always save uvd vcpu_bo in VM Mode drm/amdgpu:Correct max uvd handles drm/amdgpu: fix KV harvesting drm/radeon: fix KV harvesting drm/amdgpu: Notify sbios device ready before send request drm/amdgpu: Fix deadlock on runtime suspend drm/radeon: Fix deadlock on runtime suspend drm/nouveau: Fix deadlock on runtime suspend drm: Allow determining if current task is output poll worker workqueue: Allow retrieval of current task's work struct drm/i915: Always call to intel_display_set_init_power() in resume_early. scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS drm/i915: Try EDID bitbanging on HDMI after failed read RDMA/mlx5: Fix integer overflow while resizing CQ RDMA/ucma: Check that user doesn't overflow QP state RDMA/ucma: Limit possible option size ANDROID: sdcardfs: fix lock issue on 32 bit/SMP architectures UPSTREAM: kasan: add functions for unpoisoning stack variables UPSTREAM: kasan: add tests for alloca poisoning UPSTREAM: kasan: support alloca() poisoning UPSTREAM: kasan/Makefile: support LLVM style asan parameters BACKPORT: kasan: add compiler support for clang kbuild: fix --gc-sections BACKPORT: fix "netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1'" UPSTREAM: netfilter: xt_bpf: add overflow checks UPSTREAM: netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1' UPSTREAM: netfilter: xt_bpf: support ebpf FROMLIST: f2fs: don't put dentry page in pagecache into highmem Change-Id: I7f13fedc725fe5333e18e4e5b6639eee27ea1120 Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org> |
||
|
Blagovest Kolenichev
|
16b6ed19fc |
Merge android-4.9.87 (a290494) into msm-4.9
* refs/heads/tmp-a290494: Linux 4.9.87 btrfs: preserve i_mode if __btrfs_set_acl() fails bpf, ppc64: fix out of bounds access in tail call bpf: add schedule points in percpu arrays management bpf, arm64: fix out of bounds access in tail call bpf, x64: implement retpoline for tail call bpf: fix mlock precharge on arraymaps bpf: fix wrong exposure of map_flags into fdinfo for lpm mpls, nospec: Sanitize array index in mpls_label_ok() net: mpls: Pull common label check into helper sctp: verify size of a new chunk in _sctp_make_chunk() s390/qeth: fix IPA command submission race s390/qeth: fix IP address lookup for L3 devices s390/qeth: fix double-free on IP add/remove race s390/qeth: fix IP removal on offline cards s390/qeth: fix overestimated count of buffer elements s390/qeth: fix SETIP command handling s390/qeth: fix underestimated count of buffer elements sctp: fix dst refcnt leak in sctp_v6_get_dst() tcp_bbr: better deal with suboptimal GSO rxrpc: Fix send in rxrpc_send_data_packet() tcp: Honor the eor bit in tcp_mtu_probe net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT mlxsw: spectrum_switchdev: Check success of FDB add operation sctp: fix dst refcnt leak in sctp_v4_get_dst udplite: fix partial checksum initialization ppp: prevent unregistered channels from connecting to PPP units netlink: ensure to loop over all netns in genlmsg_multicast_allns() net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68 net: fix race on decreasing number of TX queues ipv6 sit: work around bogus gcc-8 -Wrestrict warning hdlc_ppp: carrier detect ok, don't turn off negotiation fib_semantics: Don't match route with mismatching tclassid bridge: check brport attr show in brport_show x86/apic/vector: Handle legacy irq data correctly netlink: put module reference if dump start fails md: only allow remove_and_add_spares when no sync_thread running. x86/speculation: Use Indirect Branch Prediction Barrier in context switch x86/mm: Give each mm TLB flush generation a unique ID ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux ARM: dts: LogicPD SOM-LV: Fix I2C1 pinmux dm io: fix duplicate bio completion due to missing ref count PCI/ASPM: Deal with missing root ports in link state handling KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely() KVM/x86: Remove indirect MSR op calls from SPEC_CTRL KVM: mmu: Fix overlap between public and private memslots ARM: kvm: fix building with gcc-8 ARM: mvebu: Fix broken PL310_ERRATA_753970 selects nospec: Allow index argument to have const-qualified type media: m88ds3103: don't call a non-initalized function x86/platform/intel-mid: Handle Intel Edison reboot correctly x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend dax: fix vma_is_fsdax() helper cpufreq: s3c24xx: Fix broken s3c_cpufreq_init() parisc: Fix ordering of cache and TLB flushes timers: Forward timer base before migrating timers ALSA: hda - Fix pincfg at resume on Lenovo T470 dock ALSA: hda: Add a power_save blacklist ALSA: usb-audio: Add a quirck for B&W PX headphones tpm-dev-common: Reject too short writes tpm_tis_spi: Use DMA-safe memory for SPI transfers tpm: constify transmit data pointers tpm_tis: fix potential buffer overruns caused by bit glitches on the bus tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus FROMLIST: ARM: amba: Don't read past the end of sysfs "driver_override" buffer UPSTREAM: ANDROID: binder: remove WARN() for redundant txn error Conflicts: kernel/time/timer.c Change-Id: I302546c52a480e9a4c661accf021766c499739b9 Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org> |
||
|
Blagovest Kolenichev
|
a8a3aff106 |
Merge android-4.9.86 (b324a70) into msm-4.9
* refs/heads/tmp-b324a70:
Linux 4.9.86
MIPS: Implement __multi3 for GCC7 MIPS64r6 builds
KVM: arm/arm64: Fix check for hugepage size when allocating at Stage 2
net: gianfar_ptp: move set_fipers() to spinlock protecting area
sctp: make use of pre-calculated len
xen/gntdev: Fix partial gntdev_mmap() cleanup
xen/gntdev: Fix off-by-one error when unmapping with holes
SolutionEngine771x: fix Ether platform data
mdio-sun4i: Fix a memory leak
xen-netfront: enable device after manual module load
bnxt_en: Fix the 'Invalid VF' id check in bnxt_vf_ndo_prep routine.
can: flex_can: Correct the checking for frame length in flexcan_start_xmit()
mac80211: mesh: drop frames appearing to be from us
nl80211: Check for the required netlink attribute presence
i40e/i40evf: Account for frags split over multiple descriptors in check linearize
uapi libc compat: add fallback for unsupported libcs
drm/ttm: check the return value of kzalloc
NET: usb: qmi_wwan: add support for YUGA CLM920-NC5 PID 0x9625
e1000: fix disabling already-disabled warning
macvlan: Fix one possible double free
xfs: quota: check result of register_shrinker()
xfs: quota: fix missed destroy of qi_tree_lock
IB/ipoib: Fix race condition in neigh creation
IB/mlx4: Fix mlx4_ib_alloc_mr error flow
s390/dasd: fix wrongly assigned configuration data
genirq: Guard handle_bad_irq log messages
IB/mlx5: Fix mlx5_ib_alloc_mr error flow
led: core: Fix brightness setting when setting delay_off=0
bnx2x: Improve reliability in case of nested PCI errors
tg3: Enable PHY reset in MTU change path for 5720
tg3: Add workaround to restrict 5762 MRRS to 2048
tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
tipc: error path leak fixes in tipc_enable_bearer()
lib/mpi: Fix umul_ppmm() for MIPS64r6
ARM: dts: ls1021a: fix incorrect clock references
scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error
net: stmmac: Fix TX timestamp calculation
ip6_tunnel: get the min mtu properly in ip6_tnl_xmit
net: arc_emac: fix arc_emac_rx() error paths
net: mediatek: setup proper state for disabled GMAC on the default
ASoC: nau8825: fix issue that pop noise when start capture
spi: atmel: fixed spin_lock usage inside atmel_spi_remove
mac80211_hwsim: Fix a possible sleep-in-atomic bug in hwsim_get_radio_nl
drm/nouveau/pci: do a msi rearm on init
net: phy: xgene: disable clk on error paths
sget(): handle failures of register_shrinker()
x86/asm: Allow again using asm.h when building for the 'bpf' clang target
ARM: 8731/1: Fix csum_partial_copy_from_user() stack mismatch
ipv6: icmp6: Allow icmp messages to be looped back
mtd: nand: brcmnand: Zero bitflip is not an error
mtd: nand: gpmi: Fix failure when a erased page has a bitflip at BBM
net: usb: qmi_wwan: add Telit ME910 PID 0x1101 support
nvme: check hw sectors before setting chunk sectors
dmaengine: fsl-edma: disable clks on all error paths
f2fs: fix a bug caused by NULL extent tree
i2c: designware: must wait for enable
hrtimer: Ensure POSIX compliance (relative CLOCK_REALTIME hrtimers)
ANDROID: kbuild: change LTO into a choice
ANDROID: arm64: crypto: fix AES CE when built as a module
ANDROID: staging: lustre: fix filler function type
ANDROID: fs: logfs: fix filler function type
ANDROID: fs: gfs2: fix filler function type
ANDROID: fs: exofs: fix filler function type
ANDROID: fs: afs: fix filler function type
ANDROID: keychord: Check for write data size
media-device: fix ioctl function types
drivers/perf: arm_pmu: fix function type mismatch
dummycon: fix function types
fs: nfs: fix filler function type
mm: fix filler function type mismatch
mm: fix drain_local_pages function type
BACKPORT: vfs: pass type instead of fn to do_{loop,iter}_readv_writev()
arch/arm64/crypto: fix CFI in AES CE
arch/arm64/crypto: fix CFI in SHA CE
arm64: disable CFI for cpu_replace_ttbr1
v4l2-ioctl: fix function types for IOCTL_INFO_STD
UPSTREAM: module: Do not paper over type mismatches in module_param_call()
BACKPORT: treewide: Fix function prototypes for module_param_call()
UPSTREAM: module: Prepare to convert all module_param_call() prototypes
bpf: fix function type for __bpf_prog_run
kallsyms: strip the .cfi postfix from symbols with CONFIG_CFI_CLANG
add support for clang Control Flow Integrity (CFI)
HACK: init: ensure initcall ordering with LTO
xen/efi: don't use -fshort-wchar
drivers/misc: disable LTO for lkdtm_rodata.o
arm64: vdso: disable LTO
FROMLIST: BACKPORT: arm64: select ARCH_SUPPORTS_LTO_CLANG
FROMLIST: BACKPORT: arm64: disable RANDOMIZE_MODULE_REGION_FULL with LTO_CLANG
FROMLIST: arch/arm64/crypto: disable LTO for aes-ce-cipher.c
arm64: disable ARM64_ERRATUM_843419 for clang LTO
arm64: pass code model to LLVMgold
FROMLIST: BACKPORT: arm64: make mrs_s and msr_s macros work with LTO
FROMLIST: arm64: kvm: use -fno-jump-tables with clang
FROMLIST: efi/libstub: disable LTO
FROMLIST: scripts/mod: disable LTO for empty.c
FROMLIST: BACKPORT: kbuild: fix dynamic ftrace with clang LTO
FROMLIST: BACKPORT: kbuild: add support for clang LTO
FROMLIST: BACKPORT: arm64: add a workaround for GNU gold with ARM64_MODULE_PLTS
FROMLIST: arm64: explicitly pass --no-fix-cortex-a53-843419 to GNU gold
FROMLIST: kbuild: add __ld-ifversion and linker-specific macros
FROMLIST: kbuild: add ld-name macro
FROMLIST: BACKPORT: arm64: keep .altinstructions and .altinstr_replacement
arm64: fix LD_DEAD_CODE_DATA_ELIMINATION
FROMLIST: kbuild: fix LD_DEAD_CODE_DATA_ELIMINATION
FROMLIST: BACKPORT: kbuild: add __cc-ifversion and compiler-specific variants
FROMLIST: kbuild: add clang-version.sh
Revert "binder: add missing binder_unlock()"
Linux 4.9.85
x86/entry/64: Clear extra registers beyond syscall arguments, to reduce speculation attack surface
mm: fail get_vaddr_frames() for filesystem-dax mappings
mm: Fix devm_memremap_pages() collision handling
libnvdimm, dax: fix 1GB-aligned namespaces vs physical misalignment
IB/core: disable memory registration of filesystem-dax vmas
v4l2: disable filesystem-dax mapping support
mm: introduce get_user_pages_longterm
device-dax: implement ->split() to catch invalid munmap attempts
libnvdimm: fix integer overflow static analysis warning
fs/dax.c: fix inefficiency in dax_writeback_mapping_range()
mm: avoid spurious 'bad pmd' warning messages
X.509: fix NULL dereference when restricting key with unsupported_sig
binder: add missing binder_unlock()
drm/amdgpu: add new device to use atpx quirk
drm/amdgpu: Avoid leaking PM domain on driver unbind (v2)
drm/amdgpu: add atpx quirk handling (v2)
drm/amdgpu: Add dpm quirk for Jet PRO (v2)
usb: renesas_usbhs: missed the "running" flag in usb_dmac with rx path
usb: gadget: f_fs: Process all descriptors during bind
Revert "usb: musb: host: don't start next rx urb if current one failed"
usb: ldusb: add PIDs for new CASSY devices supported by this driver
usb: dwc3: gadget: Set maxpacket size for ep0 IN
drm/edid: Add 6 bpc quirk for CPT panel in Asus UX303LA
Add delay-init quirk for Corsair K70 RGB keyboards
arm64: Disable unhandled signal log messages by default
usb: ohci: Proper handling of ed_rm_list to handle race condition between usb_kill_urb() and finish_unlinks()
ohci-hcd: Fix race condition caused by ohci_urb_enqueue() and io_watchdog_func()
PCI/cxgb4: Extend T3 PCI quirk to T4+ devices
irqchip/gic-v3: Use wmb() instead of smb_wmb() in gic_raise_softirq()
x86/oprofile: Fix bogus GCC-8 warning in nmi_setup()
iio: adis_lib: Initialize trigger before requesting interrupt
iio: buffer: check if a buffer has been set up when poll is called
RDMA/uverbs: Protect from command mask overflow
PKCS#7: fix certificate chain verification
X.509: fix BUG_ON() when hash algorithm is unsupported
cfg80211: fix cfg80211_beacon_dup
scsi: ibmvfc: fix misdefined reserved field in ibmvfc_fcp_rsp_info
xtensa: fix high memory/reserved memory collision
netfilter: drop outermost socket lock in getsockopt()
ANDROID: sdcardfs: Set num in extension_details during make_item
Conflicts:
Makefile
arch/arm64/include/asm/arch_gicv3.h
arch/arm64/kernel/module.lds
drivers/usb/gadget/function/f_fs.c
scripts/link-vmlinux.sh
Change in module_param_call() definition requires alignment in:
drivers/hwtracing/coresight/coresight-event.c
drivers/media/radio/radio-iris-transport.c
drivers/power/reset/msm-poweroff.c
drivers/soc/qcom/wcnss/wcnss_wlan.c
drivers/video/fbdev/msm/mdss_dsi_status.c
Change-Id: I2fa32c39bd4ba8a132f8f8abc8132a2ceb32907a
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
||
|
Arun Kumar Neelakantam
|
7e4f46b569 |
net: ipc_router: Fix buffer overflow during memcpy
The increment logic of u64 pointer in skb_copy_to_log_buf() leads to buffer overflow. Modify the proto type of skb_copy_to_log_buf() function to accept only unsigned char pointer. CRs-Fixed: 2212592 Change-Id: I8affff1316656c1060ec57f2fb10b46f85314358 Signed-off-by: Arun Kumar Neelakantam <aneela@codeaurora.org> |
||
|
Sridhar Ancha
|
03d25f838a |
net: core: Release neigh lock when neigh_probe is enabled
Release the neighbor lock when timer expires for a neighbor entry when neigh_probe flag is enabled. Change-Id: I25aa82bfbba32908b093b53fff85a52d1fd894b2 Signed-off-by: Sridhar Ancha <sancha@codeaurora.org> |
||
|
Alexander Duyck
|
3f59047e8a |
ipv4/GRO: Make GRO conform to RFC 6864
RFC 6864 states that the IPv4 ID field MUST NOT be used for purposes other than fragmentation and reassembly. Currently we are looking at this field as a way of identifying what frames can be aggregated and which cannot for GRO. While this is valid for frames that do not have DF set, it is invalid to do so if the bit is set. In addition we were generating IPv4 ID collisions when 2 or more flows were interleaved over the same tunnel. To prevent that we store the result of all IP ID checks via a "|=" instead of overwriting previous values. Change-Id: I96d90494f929fb217ceaa1698213465b0a17835a CRs-Fixed: 2221952 Signed-off-by: Alexander Duyck <aduyck@mirantis.com> Patch-mainline: netdev @ April 1, 2016, 6:05 p.m Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> Signed-off-by: Manjunathappa Prakash <prakashpm@codeaurora.org> |
||
|
Manjunathappa Prakash
|
39e939a52b |
Revert "GRO: Add support for TCP with fixed IPv4 ID field, limit tunnel IP ID values"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
9c3fb9cd6e |
Merge 4.9.92 into android-4.9
Changes in 4.9.92 scsi: sg: don't return bogus Sg_requests Revert "genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs" net sched actions: return explicit error when tunnel_key mode is not specified ppp: avoid loop in xmit recursion detection code rhashtable: Fix rhlist duplicates insertion sch_netem: fix skb leak in netem_enqueue() ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event() net: use skb_to_full_sk() in skb_update_prio() net: Fix hlist corruptions in inet_evict_bucket() dccp: check sk for closed state in dccp_sendmsg() ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() l2tp: do not accept arbitrary sockets net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface net: fec: Fix unbalanced PM runtime calls net/iucv: Free memory obtained by kzalloc netlink: avoid a double skb free in genlmsg_mcast() net: Only honor ifindex in IP_PKTINFO if non-0 skbuff: Fix not waking applications when errors are enqueued team: Fix double free in error path soc/fsl/qbman: fix issue in qman_delete_cgr_safe() s390/qeth: free netdevice when removing a card s390/qeth: when thread completes, wake up all waiters s390/qeth: lock read device while queueing next buffer s390/qeth: on channel error, reject further cmd requests net: systemport: Rewrite __bcm_sysport_tx_reclaim() kcm: lock lower socket in kcm_attach net: hns: Fix a skb used after free bug Linux 4.9.92 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Tom Herbert
|
406996f36e |
kcm: lock lower socket in kcm_attach
[ Upstream commit 2cc683e88c0c993ac3721d9b702cb0630abe2879 ]
Need to lock lower socket in order to provide mutual exclusion
with kcm_unattach.
v2: Add Reported-by for syzbot
Fixes:
|
||
|
Vinicius Costa Gomes
|
d5862b0590 |
skbuff: Fix not waking applications when errors are enqueued
[ Upstream commit 6e5d58fdc9bedd0255a8781b258f10bbdc63e975 ]
When errors are enqueued to the error queue via sock_queue_err_skb()
function, it is possible that the waiting application is not notified.
Calling 'sk->sk_data_ready()' would not notify applications that
selected only POLLERR events in poll() (for example).
Fixes:
|
||
|
David Ahern
|
5f02dcec36 |
net: Only honor ifindex in IP_PKTINFO if non-0
[ Upstream commit 2cbb4ea7de167b02ffa63e9cdfdb07a7e7094615 ] Only allow ifindex from IP_PKTINFO to override SO_BINDTODEVICE settings if the index is actually set in the message. Signed-off-by: David Ahern <dsahern@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Nicolas Dichtel
|
455fc99cb4 |
netlink: avoid a double skb free in genlmsg_mcast()
[ Upstream commit 02a2385f37a7c6594c9d89b64c4a1451276f08eb ]
nlmsg_multicast() consumes always the skb, thus the original skb must be
freed only when this function is called with a clone.
Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in genlmsg_multicast_allns()")
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Arvind Yadav
|
7d91487e43 |
net/iucv: Free memory obtained by kzalloc
[ Upstream commit fa6a91e9b907231d2e38ea5ed89c537b3525df3d ] Free memory by calling put_device(), if afiucv_iucv_init is not successful. Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com> Reviewed-by: Cornelia Huck <cohuck@redhat.com> Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com> Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Eric Dumazet
|
84fc2d7c22 |
l2tp: do not accept arbitrary sockets
[ Upstream commit 17cfe79a65f98abe535261856c5aef14f306dff7 ]
syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()
RAW sockets can not be considered as UDP ones for instance.
In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>
==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242
CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x194/0x24d lib/dump_stack.c:53
print_address_description+0x73/0x250 mm/kasan/report.c:256
kasan_report_error mm/kasan/report.c:354 [inline]
kasan_report+0x23b/0x360 mm/kasan/report.c:412
__asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
SYSC_connect+0x213/0x4a0 net/socket.c:1640
SyS_connect+0x24/0x30 net/socket.c:1621
do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x42/0xb7
Fixes:
|
||
|
Lorenzo Bianconi
|
c5e6439e71 |
ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
[ Upstream commit 9f62c15f28b0d1d746734666d88a79f08ba1e43e ] Fix the following slab-out-of-bounds kasan report in ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not linear and the accessed data are not in the linear data region of orig_skb. [ 1503.122508] ================================================================== [ 1503.122832] BUG: KASAN: slab-out-of-bounds in ndisc_send_redirect+0x94e/0x990 [ 1503.123036] Read of size 1184 at addr ffff8800298ab6b0 by task netperf/1932 [ 1503.123220] CPU: 0 PID: 1932 Comm: netperf Not tainted 4.16.0-rc2+ #124 [ 1503.123347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-2.fc27 04/01/2014 [ 1503.123527] Call Trace: [ 1503.123579] <IRQ> [ 1503.123638] print_address_description+0x6e/0x280 [ 1503.123849] kasan_report+0x233/0x350 [ 1503.123946] memcpy+0x1f/0x50 [ 1503.124037] ndisc_send_redirect+0x94e/0x990 [ 1503.125150] ip6_forward+0x1242/0x13b0 [...] [ 1503.153890] Allocated by task 1932: [ 1503.153982] kasan_kmalloc+0x9f/0xd0 [ 1503.154074] __kmalloc_track_caller+0xb5/0x160 [ 1503.154198] __kmalloc_reserve.isra.41+0x24/0x70 [ 1503.154324] __alloc_skb+0x130/0x3e0 [ 1503.154415] sctp_packet_transmit+0x21a/0x1810 [ 1503.154533] sctp_outq_flush+0xc14/0x1db0 [ 1503.154624] sctp_do_sm+0x34e/0x2740 [ 1503.154715] sctp_primitive_SEND+0x57/0x70 [ 1503.154807] sctp_sendmsg+0xaa6/0x1b10 [ 1503.154897] sock_sendmsg+0x68/0x80 [ 1503.154987] ___sys_sendmsg+0x431/0x4b0 [ 1503.155078] __sys_sendmsg+0xa4/0x130 [ 1503.155168] do_syscall_64+0x171/0x3f0 [ 1503.155259] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 1503.155436] Freed by task 1932: [ 1503.155527] __kasan_slab_free+0x134/0x180 [ 1503.155618] kfree+0xbc/0x180 [ 1503.155709] skb_release_data+0x27f/0x2c0 [ 1503.155800] consume_skb+0x94/0xe0 [ 1503.155889] sctp_chunk_put+0x1aa/0x1f0 [ 1503.155979] sctp_inq_pop+0x2f8/0x6e0 [ 1503.156070] sctp_assoc_bh_rcv+0x6a/0x230 [ 1503.156164] sctp_inq_push+0x117/0x150 [ 1503.156255] sctp_backlog_rcv+0xdf/0x4a0 [ 1503.156346] __release_sock+0x142/0x250 [ 1503.156436] release_sock+0x80/0x180 [ 1503.156526] sctp_sendmsg+0xbb0/0x1b10 [ 1503.156617] sock_sendmsg+0x68/0x80 [ 1503.156708] ___sys_sendmsg+0x431/0x4b0 [ 1503.156799] __sys_sendmsg+0xa4/0x130 [ 1503.156889] do_syscall_64+0x171/0x3f0 [ 1503.156980] entry_SYSCALL_64_after_hwframe+0x42/0xb7 [ 1503.157158] The buggy address belongs to the object at ffff8800298ab600 which belongs to the cache kmalloc-1024 of size 1024 [ 1503.157444] The buggy address is located 176 bytes inside of 1024-byte region [ffff8800298ab600, ffff8800298aba00) [ 1503.157702] The buggy address belongs to the page: [ 1503.157820] page:ffffea0000a62a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0 [ 1503.158053] flags: 0x4000000000008100(slab|head) [ 1503.158171] raw: 4000000000008100 0000000000000000 0000000000000000 00000001800e000e [ 1503.158350] raw: dead000000000100 dead000000000200 ffff880036002600 0000000000000000 [ 1503.158523] page dumped because: kasan: bad access detected [ 1503.158698] Memory state around the buggy address: [ 1503.158816] ffff8800298ab900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 1503.158988] ffff8800298ab980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [ 1503.159165] >ffff8800298aba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [ 1503.159338] ^ [ 1503.159436] ffff8800298aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1503.159610] ffff8800298abb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [ 1503.159785] ================================================================== [ 1503.159964] Disabling lock debugging due to kernel taint The test scenario to trigger the issue consists of 4 devices: - H0: data sender, connected to LAN0 - H1: data receiver, connected to LAN1 - GW0 and GW1: routers between LAN0 and LAN1. Both of them have an ethernet connection on LAN0 and LAN1 On H{0,1} set GW0 as default gateway while on GW0 set GW1 as next hop for data from LAN0 to LAN1. Moreover create an ip6ip6 tunnel between H0 and H1 and send 3 concurrent data streams (TCP/UDP/SCTP) from H0 to H1 through ip6ip6 tunnel (send buffer size is set to 16K). While data streams are active flush the route cache on HA multiple times. I have not been able to identify a given commit that introduced the issue since, using the reproducer described above, the kasan report has been triggered from 4.14 and I have not gone back further. Reported-by: Jianlin Shi <jishi@redhat.com> Reviewed-by: Stefano Brivio <sbrivio@redhat.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Alexey Kodanev
|
1fdc00c150 |
dccp: check sk for closed state in dccp_sendmsg()
[ Upstream commit 67f93df79aeefc3add4e4b31a752600f834236e2 ]
dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().
This crash and the reproducer was reported by syzbot. Looks like
it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.
Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Kirill Tkhai
|
1562f147ac |
net: Fix hlist corruptions in inet_evict_bucket()
[ Upstream commit a560002437d3646dafccecb1bf32d1685112ddda ]
inet_evict_bucket() iterates global list, and
several tasks may call it in parallel. All of
them hash the same fq->list_evictor to different
lists, which leads to list corruption.
This patch makes fq be hashed to expired list
only if this has not been made yet by another
task. Since inet_frag_alloc() allocates fq
using kmem_cache_zalloc(), we may rely on
list_evictor is initially unhashed.
The problem seems to exist before async
pernet_operations, as there was possible to have
exit method to be executed in parallel with
inet_frags::frags_work, so I add two Fixes tags.
This also may go to stable.
Fixes:
|
||
|
Eric Dumazet
|
28984ba0c4 |
net: use skb_to_full_sk() in skb_update_prio()
[ Upstream commit 4dcb31d4649df36297296b819437709f5407059c ]
Andrei Vagin reported a KASAN: slab-out-of-bounds error in
skb_update_prio()
Since SYNACK might be attached to a request socket, we need to
get back to the listener socket.
Since this listener is manipulated without locks, add const
qualifiers to sock_cgroup_prioidx() so that the const can also
be used in skb_update_prio()
Also add the const qualifier to sock_cgroup_classid() for consistency.
Fixes:
|
||
|
Eric Dumazet
|
e7d7956673 |
ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
[ Upstream commit ca0edb131bdf1e6beaeb2b8289fd6b374b74147d ]
A tun device type can trivially be set to arbitrary value using
TUNSETLINK ioctl().
Therefore, lowpan_device_event() must really check that ieee802154_ptr
is not NULL.
Fixes:
|
||
|
Alexey Kodanev
|
e927ffbf07 |
sch_netem: fix skb leak in netem_enqueue()
[ Upstream commit 35d889d10b649fda66121891ec05eca88150059d ]
When we exceed current packets limit and we have more than one
segment in the list returned by skb_gso_segment(), netem drops
only the first one, skipping the rest, hence kmemleak reports:
unreferenced object 0xffff880b5d23b600 (size 1024):
comm "softirq", pid 0, jiffies 4384527763 (age 2770.629s)
hex dump (first 32 bytes):
00 80 23 5d 0b 88 ff ff 00 00 00 00 00 00 00 00 ..#]............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d8a19b9d>] __alloc_skb+0xc9/0x520
[<000000001709b32f>] skb_segment+0x8c8/0x3710
[<00000000c7b9bb88>] tcp_gso_segment+0x331/0x1830
[<00000000c921cba1>] inet_gso_segment+0x476/0x1370
[<000000008b762dd4>] skb_mac_gso_segment+0x1f9/0x510
[<000000002182660a>] __skb_gso_segment+0x1dd/0x620
[<00000000412651b9>] netem_enqueue+0x1536/0x2590 [sch_netem]
[<0000000005d3b2a9>] __dev_queue_xmit+0x1167/0x2120
[<00000000fc5f7327>] ip_finish_output2+0x998/0xf00
[<00000000d309e9d3>] ip_output+0x1aa/0x2c0
[<000000007ecbd3a4>] tcp_transmit_skb+0x18db/0x3670
[<0000000042d2a45f>] tcp_write_xmit+0x4d4/0x58c0
[<0000000056a44199>] tcp_tasklet_func+0x3d9/0x540
[<0000000013d06d02>] tasklet_action+0x1ca/0x250
[<00000000fcde0b8b>] __do_softirq+0x1b4/0x5a3
[<00000000e7ed027c>] irq_exit+0x1e2/0x210
Fix it by adding the rest of the segments, if any, to skb 'to_free'
list. Add new __qdisc_drop_all() and qdisc_drop_all() functions
because they can be useful in the future if we need to drop segmented
GSO packets in other places.
Fixes:
|
||
|
Roman Mashak
|
4f2f7a07db |
net sched actions: return explicit error when tunnel_key mode is not specified
[ Upstream commit 51d4740f88affd85d49c04e3c9cd129c0e33bcb9 ]
If set/unset mode of the tunnel_key action is not provided, ->init() still
returns 0, and the caller proceeds with bogus 'struct tc_action *' object,
this results in crash:
% tc actions add action tunnel_key src_ip 1.1.1.1 dst_ip 2.2.2.1 id 7 index 1
[ 35.805515] general protection fault: 0000 [#1] SMP PTI
[ 35.806161] Modules linked in: act_tunnel_key kvm_intel kvm irqbypass
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel aes_x86_64
crypto_simd glue_helper cryptd serio_raw
[ 35.808233] CPU: 1 PID: 428 Comm: tc Not tainted 4.16.0-rc4+ #286
[ 35.808929] RIP: 0010:tcf_action_init+0x90/0x190
[ 35.809457] RSP: 0018:ffffb8edc068b9a0 EFLAGS: 00010206
[ 35.810053] RAX: 1320c000000a0003 RBX: 0000000000000001 RCX: 0000000000000000
[ 35.810866] RDX: 0000000000000070 RSI: 0000000000007965 RDI: ffffb8edc068b910
[ 35.811660] RBP: ffffb8edc068b9d0 R08: 0000000000000000 R09: ffffb8edc068b808
[ 35.812463] R10: ffffffffc02bf040 R11: 0000000000000040 R12: ffffb8edc068bb38
[ 35.813235] R13: 0000000000000000 R14: 0000000000000000 R15: ffffb8edc068b910
[ 35.814006] FS: 00007f3d0d8556c0(0000) GS:ffff91d1dbc40000(0000)
knlGS:0000000000000000
[ 35.814881] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 35.815540] CR2: 000000000043f720 CR3: 0000000019248001 CR4: 00000000001606a0
[ 35.816457] Call Trace:
[ 35.817158] tc_ctl_action+0x11a/0x220
[ 35.817795] rtnetlink_rcv_msg+0x23d/0x2e0
[ 35.818457] ? __slab_alloc+0x1c/0x30
[ 35.819079] ? __kmalloc_node_track_caller+0xb1/0x2b0
[ 35.819544] ? rtnl_calcit.isra.30+0xe0/0xe0
[ 35.820231] netlink_rcv_skb+0xce/0x100
[ 35.820744] netlink_unicast+0x164/0x220
[ 35.821500] netlink_sendmsg+0x293/0x370
[ 35.822040] sock_sendmsg+0x30/0x40
[ 35.822508] ___sys_sendmsg+0x2c5/0x2e0
[ 35.823149] ? pagecache_get_page+0x27/0x220
[ 35.823714] ? filemap_fault+0xa2/0x640
[ 35.824423] ? page_add_file_rmap+0x108/0x200
[ 35.825065] ? alloc_set_pte+0x2aa/0x530
[ 35.825585] ? finish_fault+0x4e/0x70
[ 35.826140] ? __handle_mm_fault+0xbc1/0x10d0
[ 35.826723] ? __sys_sendmsg+0x41/0x70
[ 35.827230] __sys_sendmsg+0x41/0x70
[ 35.827710] do_syscall_64+0x68/0x120
[ 35.828195] entry_SYSCALL_64_after_hwframe+0x3d/0xa2
[ 35.828859] RIP: 0033:0x7f3d0ca4da67
[ 35.829331] RSP: 002b:00007ffc9f284338 EFLAGS: 00000246 ORIG_RAX:
000000000000002e
[ 35.830304] RAX: ffffffffffffffda RBX: 00007ffc9f284460 RCX: 00007f3d0ca4da67
[ 35.831247] RDX: 0000000000000000 RSI: 00007ffc9f2843b0 RDI: 0000000000000003
[ 35.832167] RBP: 000000005aa6a7a9 R08: 0000000000000001 R09: 0000000000000000
[ 35.833075] R10: 00000000000005f1 R11: 0000000000000246 R12: 0000000000000000
[ 35.833997] R13: 00007ffc9f2884c0 R14: 0000000000000001 R15: 0000000000674640
[ 35.834923] Code: 24 30 bb 01 00 00 00 45 31 f6 eb 5e 8b 50 08 83 c2 07 83 e2
fc 83 c2 70 49 8b 07 48 8b 40 70 48 85 c0 74 10 48 89 14 24 4c 89 ff <ff> d0 48
8b 14 24 48 01 c2 49 01 d6 45 85 ed 74 05 41 83 47 2c
[ 35.837442] RIP: tcf_action_init+0x90/0x190 RSP: ffffb8edc068b9a0
[ 35.838291] ---[ end trace a095c06ee4b97a26 ]---
Fixes:
|
||
|
Amar Singhal
|
1b4d5acaf4 |
msm: wlan: Modify regulatory rules for Qatar
Qatar has new regulation for wider range of 5GHz channels. Therefore modify regulatory rules for Qatar. Signed-off-by: Amar Singhal <asinghal@codeaurora.org> Change-Id: I9ffd550fa8164e810009dd0d4a04f04d230cf1b3 CRs-Fixed: 2214805 |
||
|
Linux Build Service Account
|
03dc27e056 | Merge "net: xfrm: remove duplicate output_mark" | ||
|
Greg Kroah-Hartman
|
dd1e37e646 |
Merge 4.9.90 into android-4.9
Changes in 4.9.90 tpm: fix potential buffer overruns caused by bit glitches on the bus ASoC: rsnd: check src mod pointer for rsnd_mod_id() SMB3: Validate negotiate request must always be signed CIFS: Enable encryption during session setup phase staging: android: ashmem: Fix possible deadlock in ashmem_ioctl Revert "led: core: Fix brightness setting when setting delay_off=0" led: core: Clear LED_BLINK_SW flag in led_blink_set() platform/x86: asus-nb-wmi: Add wapf4 quirk for the X302UA bonding: handle link transition from FAIL to UP correctly regulator: anatop: set default voltage selector for pcie power: supply: bq24190_charger: Limit over/under voltage fault logging x86: i8259: export legacy_pic symbol rtc: cmos: Do not assume irq 8 for rtc when there are no legacy irqs Input: ar1021_i2c - fix too long name in driver's device table time: Change posix clocks ops interfaces to use timespec64 ACPI/processor: Fix error handling in __acpi_processor_start() ACPI/processor: Replace racy task affinity logic cpufreq/sh: Replace racy task affinity logic genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs i2c: i2c-scmi: add a MS HID net: ipv6: send unsolicited NA on admin up media/dvb-core: Race condition when writing to CAM btrfs: fix a bogus warning when converting only data or metadata ASoC: Intel: Atom: update Thinkpad 10 quirk tools/testing/nvdimm: fix nfit_test shutdown crash spi: dw: Disable clock after unregistering the host powerpc/64s: Remove SAO feature from Power9 DD1 ath: Fix updating radar flags for coutry code India clk: ns2: Correct SDIO bits iwlwifi: split the handler and the wake parts of the notification infra iwlwifi: a000: fix memory offsets and lengths scsi: virtio_scsi: Always try to read VPD pages KVM: PPC: Book3S PR: Exit KVM on failed mapping mwifiex: don't leak 'chan_stats' on reset x86/reboot: Turn off KVM when halting a CPU ARM: 8668/1: ftrace: Fix dynamic ftrace with DEBUG_RODATA and !FRAME_POINTER irqchip/mips-gic: Separate IPI reservation & usage tracking iommu/omap: Register driver before setting IOMMU ops md/raid10: wait up frozen array in handle_write_completed NFS: Fix missing pg_cleanup after nfs_pageio_cond_complete() tcp: remove poll() flakes with FastOpen e1000e: fix timing for 82579 Gigabit Ethernet controller ALSA: hda - Fix headset microphone detection for ASUS N551 and N751 IB/ipoib: Fix deadlock between ipoib_stop and mcast join flow IB/ipoib: Update broadcast object if PKey value was changed in index 0 HSI: ssi_protocol: double free in ssip_pn_xmit() IB/mlx4: Take write semaphore when changing the vma struct IB/mlx4: Change vma from shared to private IB/mlx5: Take write semaphore when changing the vma struct IB/mlx5: Change vma from shared to private IB/mlx5: Set correct SL in completion for RoCE ASoC: Intel: Skylake: Uninitialized variable in probe_codec() ibmvnic: Disable irq prior to close netvsc: Deal with rescinded channels correctly Fix driver usage of 128B WQEs when WQ_CREATE is V1. Fix Express lane queue creation. gpio: gpio-wcove: fix irq pending status bit width netfilter: xt_CT: fix refcnt leak on error path openvswitch: Delete conntrack entry clashing with an expectation. netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink mmc: host: omap_hsmmc: checking for NULL instead of IS_ERR() tipc: check return value of nlmsg_new wan: pc300too: abort path on failure qlcnic: fix unchecked return value netfilter: nft_dynset: continue to next expr if _OP_ADD succeeded platform/x86: intel-vbtn: add volume up and down scsi: mac_esp: Replace bogus memory barrier with spinlock infiniband/uverbs: Fix integer overflows pNFS: Fix use after free issues in pnfs_do_read() xprtrdma: Cancel refresh worker during buffer shutdown NFS: don't try to cross a mountpount when there isn't one there. iio: st_pressure: st_accel: Initialise sensor platform data properly mt7601u: check return value of alloc_skb libertas: check return value of alloc_workqueue rndis_wlan: add return value validation Btrfs: fix incorrect space accounting after failure to insert inline extent Btrfs: send, fix file hole not being preserved due to inline extent Btrfs: fix extent map leak during fallocate error path orangefs: do not wait for timeout if umounting mac80211: don't parse encrypted management frames in ieee80211_frame_acked ACPICA: iasl: Fix IORT SMMU GSI disassembling iio: hid-sensor: fix return of -EINVAL on invalid values in ret or value dt-bindings: mfd: axp20x: Add "xpowers,master-mode" property for AXP806 PMICs mfd: palmas: Reset the POWERHOLD mux during power off mtip32xx: use runtime tag to initialize command header x86/KASLR: Fix kexec kernel boot crash when KASLR randomization fails gpio: gpio-wcove: fix GPIO IRQ status mask staging: unisys: visorhba: fix s-Par to boot with option CONFIG_VMAP_STACK set to y staging: wilc1000: fix unchecked return value ipvs: explicitly forbid ipv6 service/dest creation if ipv6 mod is disabled mac80211: Fix possible sband related NULL pointer de-reference mmc: sdhci-of-esdhc: limit SD clock for ls1012a/ls1046a netfilter: x_tables: unlock on error in xt_find_table_lock() ARM: DRA7: clockdomain: Change the CLKTRCTRL of CM_PCIE_CLKSTCTRL to SW_WKUP IB/rdmavt: restore IRQs on error path in rvt_create_ah() IB/hfi1: Fix softlockup issue platform/x86: asus-wmi: try to set als by default ipmi/watchdog: fix wdog hang on panic waiting for ipmi response ACPI / PMIC: xpower: Fix power_table addresses drm/amdgpu: fix gpu reset crash drm/nouveau/kms: Increase max retries in scanout position queries. jbd2: Fix lockdep splat with generic/270 test ixgbevf: fix size of queue stats length net: ethernet: ucc_geth: fix MEM_PART_MURAM mode soc/fsl/qe: round brg_freq to 1kHz granularity Bluetooth: hci_ldisc: Add protocol check to hci_uart_dequeue() Bluetooth: hci_ldisc: Add protocol check to hci_uart_tx_wakeup() vxlan: correctly handle ipv6.disable module parameter qed: Unlock on error in qed_vf_pf_acquire() bnx2x: Align RX buffers power: supply: bq24190_charger: Add disable-reset device-property power: supply: isp1704: Fix unchecked return value of devm_kzalloc power: supply: pda_power: move from timer to delayed_work Input: twl4030-pwrbutton - use correct device for irq request IB/rxe: Don't clamp residual length to mtu md/raid10: skip spare disk as 'first' disk ACPI / power: Delay turning off unused power resources after suspend ia64: fix module loading for gcc-5.4 tcm_fileio: Prevent information leak for short reads x86/xen: split xen_smp_prepare_boot_cpu() video: fbdev: udlfb: Fix buffer on stack sm501fb: don't return zero on failure path in sm501fb_start() pNFS: Fix a deadlock when coalescing writes and returning the layout net: hns: fix ethtool_get_strings overflow in hns driver cifs: small underflow in cnvrtDosUnixTm() mm: fix check for reclaimable pages in PF_MEMALLOC reclaim throttling mm, vmstat: suppress pcp stats for unpopulated zones in zoneinfo mm: hwpoison: call shake_page() after try_to_unmap() for mlocked page rtc: ds1374: wdt: Fix issue with timeout scaling from secs to wdt ticks rtc: ds1374: wdt: Fix stop/start ioctl always returning -EINVAL ath10k: fix out of bounds access to local buffer perf tests kmod-path: Don't fail if compressed modules aren't supported block/mq: Cure cpu hotplug lock inversion Bluetooth: hci_qca: Avoid setup failure on missing rampatch Bluetooth: btqcomsmd: Fix skb double free corruption media: c8sectpfe: fix potential NULL pointer dereference in c8sectpfe_timer_interrupt drm/msm: fix leak in failed get_pages RDMA/iwpm: Fix uninitialized error code in iwpm_send_mapinfo() rtlwifi: rtl_pci: Fix the bug when inactiveps is enabled. media: bt8xx: Fix err 'bt878_probe()' ath10k: handling qos at STA side based on AP WMM enable/disable media: [RESEND] media: dvb-frontends: Add delay to Si2168 restart qmi_wwan: set FLAG_SEND_ZLP to avoid network initiated disconnect serial: 8250_dw: Disable clock on error cros_ec: fix nul-termination for firmware build info watchdog: Fix potential kref imbalance when opening watchdog platform/chrome: Use proper protocol transfer function dmaengine: zynqmp_dma: Fix race condition in the probe drm/tilcdc: ensure nonatomic iowrite64 is not used mmc: avoid removing non-removable hosts during suspend IB/ipoib: Avoid memory leak if the SA returns a different DGID RDMA/cma: Use correct size when writing netlink stats IB/umem: Fix use of npages/nmap fields iser-target: avoid reinitializing rdma contexts for isert commands vgacon: Set VGA struct resource types omapdrm: panel: fix compatible vendor string for td028ttec1 drm/omap: DMM: Check for DMM readiness after successful transaction commit pty: cancel pty slave port buf's work in tty_release coresight: Fix disabling of CoreSight TPIU pinctrl: Really force states during suspend/resume pinctrl: rockchip: enable clock when reading pin direction register iommu/vt-d: clean up pr_irq if request_threaded_irq fails ip6_vti: adjust vti mtu according to mtu of lower device RDMA/ocrdma: Fix permissions for OCRDMA_RESET_STATS ARM: dts: aspeed-evb: Add unit name to memory node nfsd4: permit layoutget of executable-only files clk: Don't touch hardware when reparenting during registration clk: axi-clkgen: Correctly handle nocount bit in recalc_rate() clk: si5351: Rename internal plls to avoid name collisions dmaengine: ti-dma-crossbar: Fix event mapping for TPCC_EVT_MUX_60_63 IB/mlx5: Fix integer overflows in mlx5_ib_create_srq IB/mlx5: Fix out-of-bounds read in create_raw_packet_qp_rq clk: migrate the count of orphaned clocks at init RDMA/ucma: Fix access to non-initialized CM_ID object RDMA/ucma: Don't allow join attempts for unsupported AF family usb: gadget: f_hid: fix: Move IN request allocation to set_alt() Linux 4.9.90 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Alexey Kodanev
|
1139d77d8a |
ip6_vti: adjust vti mtu according to mtu of lower device
[ Upstream commit 53c81e95df1793933f87748d36070a721f6cb287 ]
LTP/udp6_ipsec_vti tests fail when sending large UDP datagrams over
ip6_vti that require fragmentation and the underlying device has an
MTU smaller than 1500 plus some extra space for headers. This happens
because ip6_vti, by default, sets MTU to ETH_DATA_LEN and not updating
it depending on a destination address or link parameter. Further
attempts to send UDP packets may succeed because pmtu gets updated on
ICMPV6_PKT_TOOBIG in vti6_err().
In case the lower device has larger MTU size, e.g. 9000, ip6_vti works
but not using the possible maximum size, output packets have 1500 limit.
The above cases require manual MTU setup after ip6_vti creation. However
ip_vti already updates MTU based on lower device with ip_tunnel_bind_dev().
Here is the example when the lower device MTU is set to 9000:
# ip a sh ltp_ns_veth2
ltp_ns_veth2@if7: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 ...
inet 10.0.0.2/24 scope global ltp_ns_veth2
inet6 fd00::2/64 scope global
# ip li add vti6 type vti6 local fd00::2 remote fd00::1
# ip li show vti6
vti6@NONE: <POINTOPOINT,NOARP> mtu 1500 ...
link/tunnel6 fd00::2 peer fd00::1
After the patch:
# ip li add vti6 type vti6 local fd00::2 remote fd00::1
# ip li show vti6
vti6@NONE: <POINTOPOINT,NOARP> mtu 8832 ...
link/tunnel6 fd00::2 peer fd00::1
Reported-by: Petr Vorel <pvorel@suse.cz>
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Dan Carpenter
|
c70c7be280 |
netfilter: x_tables: unlock on error in xt_find_table_lock()
[ Upstream commit 7dde07e9c53617549d67dd3e1d791496d0d3868e ]
According to my static checker we should unlock here before the return.
That seems reasonable to me as well.
Fixes"
|
||
|
Mohammed Shafi Shajakhan
|
92db807f6c |
mac80211: Fix possible sband related NULL pointer de-reference
[ Upstream commit 21a8e9dd52b64f0170bad208293ef8c30c3c1403 ] Existing API 'ieee80211_get_sdata_band' returns default 2 GHz band even if the channel context configuration is NULL. This crashes for chipsets which support 5 Ghz alone when it tries to access members of 'sband'. Channel context configuration can be NULL in multivif case and when channel switch is in progress (or) when it fails. Fix this by replacing the API 'ieee80211_get_sdata_band' with 'ieee80211_get_sband' which returns a NULL pointer for sband when the channel configuration is NULL. An example scenario is as below: In multivif mode (AP + STA) with drivers like ath10k, when we do a channel switch in the AP vif (which has a number of clients connected) and a STA vif which is connected to some other AP, when the channel switch in AP vif fails, while the STA vifs tries to connect to the other AP, there is a window where the channel context is NULL/invalid and this results in a crash while the clients connected to the AP vif tries to reconnect and this race is very similar to the one investigated by Michal in https://patchwork.kernel.org/patch/3788161/ and this does happens with hardware that supports 5Ghz alone after long hours of testing with continuous channel switch on the AP vif ieee80211 phy0: channel context reservation cannot be finalized because some interfaces aren't switching wlan0: failed to finalize CSA, disconnecting wlan0-1: deauthenticating from 8c:fd:f0:01:54:9c by local choice (Reason: 3=DEAUTH_LEAVING) WARNING: CPU: 1 PID: 19032 at net/mac80211/ieee80211_i.h:1013 sta_info_alloc+0x374/0x3fc [mac80211] [<bf77272c>] (sta_info_alloc [mac80211]) [<bf78776c>] (ieee80211_add_station [mac80211])) [<bf73cc50>] (nl80211_new_station [cfg80211]) Unable to handle kernel NULL pointer dereference at virtual address 00000014 pgd = d5f4c000 Internal error: Oops: 17 [#1] PREEMPT SMP ARM PC is at sta_info_alloc+0x380/0x3fc [mac80211] LR is at sta_info_alloc+0x37c/0x3fc [mac80211] [<bf772738>] (sta_info_alloc [mac80211]) [<bf78776c>] (ieee80211_add_station [mac80211]) [<bf73cc50>] (nl80211_new_station [cfg80211])) Cc: Michal Kazior <michal.kazior@tieto.com> Signed-off-by: Mohammed Shafi Shajakhan <mohammed@qti.qualcomm.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Paolo Abeni
|
dfe9c1de14 |
ipvs: explicitly forbid ipv6 service/dest creation if ipv6 mod is disabled
[ Upstream commit 1442f6f7c1b77de1c508318164a527e240c24a4d ] When creating a new ipvs service, ipv6 addresses are always accepted if CONFIG_IP_VS_IPV6 is enabled. On dest creation the address family is not explicitly checked. This allows the user-space to configure ipvs services even if the system is booted with ipv6.disable=1. On specific configuration, ipvs can try to call ipv6 routing code at setup time, causing the kernel to oops due to fib6_rules_ops being NULL. This change addresses the issue adding a check for the ipv6 module being enabled while validating ipv6 service operations and adding the same validation for dest operations. According to git history, this issue is apparently present since the introduction of ipv6 support, and the oops can be triggered since commit |
||
|
Emmanuel Grumbach
|
e864196707 |
mac80211: don't parse encrypted management frames in ieee80211_frame_acked
[ Upstream commit cf147085fdda044622973a12e4e06f1c753ab677 ] ieee80211_frame_acked is called when a frame is acked by the peer. In case this is a management frame, we check if this an SMPS frame, in which case we can update our antenna configuration. When we parse the management frame we look at the category in case it is an action frame. That byte sits after the IV in case the frame was encrypted. This means that if the frame was encrypted, we basically look at the IV instead of looking at the category. It is then theorically possible that we think that an SMPS action frame was acked where really we had another frame that was encrypted. Since the only management frame whose ack needs to be tracked is the SMPS action frame, and that frame is not a robust management frame, it will never be encrypted. The easiest way to fix this problem is then to not look at frames that were encrypted. Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com> Signed-off-by: Luca Coelho <luciano.coelho@intel.com> Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Chuck Lever
|
abdb88128d |
xprtrdma: Cancel refresh worker during buffer shutdown
[ Upstream commit 9378b274e1eb6925db315e345f48850d2d5d9789 ]
Trying to create MRs while the transport is being torn down can
cause a crash.
Fixes:
|
||
|
Liping Zhang
|
7ad1c43e6d |
netfilter: nft_dynset: continue to next expr if _OP_ADD succeeded
[ Upstream commit 277a292835c196894ef895d5e1fd6170bb916f55 ]
Currently, after adding the following nft rules:
# nft add set x target1 { type ipv4_addr \; flags timeout \;}
# nft add rule x y set add ip daddr timeout 1d @target1 counter
the counters will always be zero despite of the elements are added
to the dynamic set "target1" or not, as we will break the nft expr
traversal unconditionally:
# nft list ruleset
...
set target1 {
...
elements = { 8.8.8.8 expires 23h59m53s}
}
chain output {
...
set add ip daddr timeout 1d @target1 counter packets 0 bytes 0
^ ^
...
}
Since we add the elements to the set successfully, we should continue
to the next expression.
Additionally, if elements are added to "flow table" successfully, we
will _always_ continue to the next expr, even if the operation is
_OP_ADD. So it's better to keep them to be consistent.
Fixes:
|
||
|
Pan Bian
|
185c88b1ef |
tipc: check return value of nlmsg_new
[ Upstream commit 78302fd405769c9a9379e9adda119d533dce2eed ] Function nlmsg_new() will return a NULL pointer if there is no enough memory, and its return value should be checked before it is used. However, in function tipc_nl_node_get_monitor(), the validation of the return value of function nlmsg_new() is missed. This patch fixes the bug. Signed-off-by: Pan Bian <bianpan2016@163.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Liping Zhang
|
3a0427103f |
netfilter: nf_ct_helper: permit cthelpers with different names via nfnetlink
[ Upstream commit 66e5a6b18bd09d0431e97cd3c162e76c5c2aebba ]
cthelpers added via nfnetlink may have the same tuple, i.e. except for
the l3proto and l4proto, other fields are all zero. So even with the
different names, we will also fail to add them:
# nfct helper add ssdp inet udp
# nfct helper add tftp inet udp
nfct v1.4.3: netlink error: File exists
So in order to avoid unpredictable behaviour, we should:
1. cthelpers can be selected by nft ct helper obj or xt_CT target, so
report error if duplicated { name, l3proto, l4proto } tuple exist.
2. cthelpers can be selected by nf_ct_tuple_src_mask_cmp when
nf_ct_auto_assign_helper is enabled, so also report error if duplicated
{ l3proto, l4proto, src-port } tuple exist.
Also note, if the cthelper is added from userspace, then the src-port will
always be zero, it's invalid for nf_ct_auto_assign_helper, so there's no
need to check the second point listed above.
Fixes:
|
||
|
Jarno Rajahalme
|
d2e269c09f |
openvswitch: Delete conntrack entry clashing with an expectation.
[ Upstream commit cf5d70918877c6a6655dc1e92e2ebb661ce904fd ]
Conntrack helpers do not check for a potentially clashing conntrack
entry when creating a new expectation. Also, nf_conntrack_in() will
check expectations (via init_conntrack()) only if a conntrack entry
can not be found. The expectation for a packet which also matches an
existing conntrack entry will not be removed by conntrack, and is
currently handled inconsistently by OVS, as OVS expects the
expectation to be removed when the connection tracking entry matching
that expectation is confirmed.
It should be noted that normally an IP stack would not allow reuse of
a 5-tuple of an old (possibly lingering) connection for a new data
connection, so this is somewhat unlikely corner case. However, it is
possible that a misbehaving source could cause conntrack entries be
created that could then interfere with new related connections.
Fix this in the OVS module by deleting the clashing conntrack entry
after an expectation has been matched. This causes the following
nf_conntrack_in() call also find the expectation and remove it when
creating the new conntrack entry, as well as the forthcoming reply
direction packets to match the new related connection instead of the
old clashing conntrack entry.
Fixes:
|
||
|
Gao Feng
|
87cfd7f65f |
netfilter: xt_CT: fix refcnt leak on error path
[ Upstream commit 470acf55a021713869b9bcc967268ac90c8a0fac ] There are two cases which causes refcnt leak. 1. When nf_ct_timeout_ext_add failed in xt_ct_set_timeout, it should free the timeout refcnt. Now goto the err_put_timeout error handler instead of going ahead. 2. When the time policy is not found, we should call module_put. Otherwise, the related cthelper module cannot be removed anymore. It is easy to reproduce by typing the following command: # iptables -t raw -A OUTPUT -p tcp -j CT --helper ftp --timeout xxx Signed-off-by: Gao Feng <fgao@ikuai8.com> Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Eric Dumazet
|
5f63431093 |
tcp: remove poll() flakes with FastOpen
[ Upstream commit 0f9fa831aecfc297b7b45d4f046759bcefcf87f0 ] When using TCP FastOpen for an active session, we send one wakeup event from tcp_finish_connect(), right before the data eventually contained in the received SYNACK is queued to sk->sk_receive_queue. This means that depending on machine load or luck, poll() users might receive POLLOUT events instead of POLLIN|POLLOUT To fix this, we need to move the call to sk->sk_state_change() after the (optional) call to tcp_rcv_fastopen_synack() Signed-off-by: Eric Dumazet <edumazet@google.com> Acked-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
David Ahern
|
2bea487529 |
net: ipv6: send unsolicited NA on admin up
[ Upstream commit 4a6e3c5def13c91adf2acc613837001f09af3baa ]
ndisc_notify is the ipv6 equivalent to arp_notify. When arp_notify is
set to 1, gratuitous arp requests are sent when the device is brought up.
The same is expected when ndisc_notify is set to 1 (per ndisc_notify in
Documentation/networking/ip-sysctl.txt). The NA is not sent on NETDEV_UP
event; add it.
Fixes:
|
||
|
Linux Build Service Account
|
f59dad56c0 | Merge "nl80211: Fix external_auth check for offloaded authentication" |