Commit Graph

484 Commits

Author SHA1 Message Date
Blagovest Kolenichev
427fd2195c Merge android-4.9.92 (9c3fb9c) into msm-4.9
* refs/heads/tmp-9c3fb9c:
  Linux 4.9.92
  net: hns: Fix a skb used after free bug
  kcm: lock lower socket in kcm_attach
  net: systemport: Rewrite __bcm_sysport_tx_reclaim()
  s390/qeth: on channel error, reject further cmd requests
  s390/qeth: lock read device while queueing next buffer
  s390/qeth: when thread completes, wake up all waiters
  s390/qeth: free netdevice when removing a card
  soc/fsl/qbman: fix issue in qman_delete_cgr_safe()
  team: Fix double free in error path
  skbuff: Fix not waking applications when errors are enqueued
  net: Only honor ifindex in IP_PKTINFO if non-0
  netlink: avoid a double skb free in genlmsg_mcast()
  net/iucv: Free memory obtained by kzalloc
  net: fec: Fix unbalanced PM runtime calls
  net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
  net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
  l2tp: do not accept arbitrary sockets
  ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
  dccp: check sk for closed state in dccp_sendmsg()
  net: Fix hlist corruptions in inet_evict_bucket()
  net: use skb_to_full_sk() in skb_update_prio()
  ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
  sch_netem: fix skb leak in netem_enqueue()
  rhashtable: Fix rhlist duplicates insertion
  ppp: avoid loop in xmit recursion detection code
  net sched actions: return explicit error when tunnel_key mode is not specified
  Revert "genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs"
  scsi: sg: don't return bogus Sg_requests
  Revert "genirq: Use irqd_get_trigger_type to compare the trigger type for shared IRQs"

Change-Id: I539eaf561b5aa70589d886052d160c71a79145ad
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
2018-04-17 10:48:04 -07:00
Blagovest Kolenichev
16b6ed19fc Merge android-4.9.87 (a290494) into msm-4.9
* refs/heads/tmp-a290494:
  Linux 4.9.87
  btrfs: preserve i_mode if __btrfs_set_acl() fails
  bpf, ppc64: fix out of bounds access in tail call
  bpf: add schedule points in percpu arrays management
  bpf, arm64: fix out of bounds access in tail call
  bpf, x64: implement retpoline for tail call
  bpf: fix mlock precharge on arraymaps
  bpf: fix wrong exposure of map_flags into fdinfo for lpm
  mpls, nospec: Sanitize array index in mpls_label_ok()
  net: mpls: Pull common label check into helper
  sctp: verify size of a new chunk in _sctp_make_chunk()
  s390/qeth: fix IPA command submission race
  s390/qeth: fix IP address lookup for L3 devices
  s390/qeth: fix double-free on IP add/remove race
  s390/qeth: fix IP removal on offline cards
  s390/qeth: fix overestimated count of buffer elements
  s390/qeth: fix SETIP command handling
  s390/qeth: fix underestimated count of buffer elements
  sctp: fix dst refcnt leak in sctp_v6_get_dst()
  tcp_bbr: better deal with suboptimal GSO
  rxrpc: Fix send in rxrpc_send_data_packet()
  tcp: Honor the eor bit in tcp_mtu_probe
  net: phy: fix phy_start to consider PHY_IGNORE_INTERRUPT
  mlxsw: spectrum_switchdev: Check success of FDB add operation
  sctp: fix dst refcnt leak in sctp_v4_get_dst
  udplite: fix partial checksum initialization
  ppp: prevent unregistered channels from connecting to PPP units
  netlink: ensure to loop over all netns in genlmsg_multicast_allns()
  net: ipv4: don't allow setting net.ipv4.route.min_pmtu below 68
  net: fix race on decreasing number of TX queues
  ipv6 sit: work around bogus gcc-8 -Wrestrict warning
  hdlc_ppp: carrier detect ok, don't turn off negotiation
  fib_semantics: Don't match route with mismatching tclassid
  bridge: check brport attr show in brport_show
  x86/apic/vector: Handle legacy irq data correctly
  netlink: put module reference if dump start fails
  md: only allow remove_and_add_spares when no sync_thread running.
  x86/speculation: Use Indirect Branch Prediction Barrier in context switch
  x86/mm: Give each mm TLB flush generation a unique ID
  ARM: dts: LogicPD Torpedo: Fix I2C1 pinmux
  ARM: dts: LogicPD SOM-LV: Fix I2C1 pinmux
  dm io: fix duplicate bio completion due to missing ref count
  PCI/ASPM: Deal with missing root ports in link state handling
  KVM/VMX: Optimize vmx_vcpu_run() and svm_vcpu_run() by marking the RDMSR path as unlikely()
  KVM/x86: Remove indirect MSR op calls from SPEC_CTRL
  KVM: mmu: Fix overlap between public and private memslots
  ARM: kvm: fix building with gcc-8
  ARM: mvebu: Fix broken PL310_ERRATA_753970 selects
  nospec: Allow index argument to have const-qualified type
  media: m88ds3103: don't call a non-initalized function
  x86/platform/intel-mid: Handle Intel Edison reboot correctly
  x86/xen: Zero MSR_IA32_SPEC_CTRL before suspend
  dax: fix vma_is_fsdax() helper
  cpufreq: s3c24xx: Fix broken s3c_cpufreq_init()
  parisc: Fix ordering of cache and TLB flushes
  timers: Forward timer base before migrating timers
  ALSA: hda - Fix pincfg at resume on Lenovo T470 dock
  ALSA: hda: Add a power_save blacklist
  ALSA: usb-audio: Add a quirck for B&W PX headphones
  tpm-dev-common: Reject too short writes
  tpm_tis_spi: Use DMA-safe memory for SPI transfers
  tpm: constify transmit data pointers
  tpm_tis: fix potential buffer overruns caused by bit glitches on the bus
  tpm_i2c_nuvoton: fix potential buffer overruns caused by bit glitches on the bus
  tpm_i2c_infineon: fix potential buffer overruns caused by bit glitches on the bus
  tpm: st33zp24: fix potential buffer overruns caused by bit glitches on the bus
  FROMLIST: ARM: amba: Don't read past the end of sysfs "driver_override" buffer
  UPSTREAM: ANDROID: binder: remove WARN() for redundant txn error

Conflicts:
	kernel/time/timer.c

Change-Id: I302546c52a480e9a4c661accf021766c499739b9
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
2018-04-17 10:39:47 -07:00
Nicolas Dichtel
455fc99cb4 netlink: avoid a double skb free in genlmsg_mcast()
[ Upstream commit 02a2385f37a7c6594c9d89b64c4a1451276f08eb ]

nlmsg_multicast() always consumes the skb, thus the original skb must be
freed only when this function is called with a clone.

Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in genlmsg_multicast_allns()")
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-31 18:11:34 +02:00
Nicolas Dichtel
59e105c4cf netlink: ensure to loop over all netns in genlmsg_multicast_allns()
[ Upstream commit cb9f7a9a5c96a773bbc9c70660dc600cfff82f82 ]

Nowadays, nlmsg_multicast() returns only 0 or -ESRCH but this was not the
case when commit 134e63756d was pushed.
However, there was no reason to stop the loop if a netns does not have
listeners.
Returns -ESRCH only if there were no listeners in all netns.

To avoid having the same problem in the future, I didn't take the
assumption that nlmsg_multicast() returns only 0 or -ESRCH.

Fixes: 134e63756d ("genetlink: make netns aware")
CC: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-11 16:21:32 +01:00
Jason A. Donenfeld
e7b12efd7d netlink: put module reference if dump start fails
commit b87b6194be631c94785fe93398651e804ed43e28 upstream.

Before, if cb->start() failed, the module reference would never be put,
because cb->cb_running is intentionally false at this point. Users are
generally annoyed by this because they can no longer unload modules that
leak references. Also, it may be possible to tediously wrap a reference
counter back to zero, especially since module.c still uses atomic_inc
instead of refcount_inc.

This patch expands the error path to simply call module_put if
cb->start() fails.

Fixes: 41c87425a1ac ("netlink: do not set cb_running if dump's start() errs")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-03-11 16:21:31 +01:00
Blagovest Kolenichev
42d425962e Merge android-4.9-o.74 (127372f) into msm-4.9
* refs/heads/tmp-127372f:
  Linux 4.9.74
  mm/vmstat: Make NR_TLB_REMOTE_FLUSH_RECEIVED available even on UP
  tty: fix tty_ldisc_receive_buf() documentation
  n_tty: fix EXTPROC vs ICANON interaction with TIOCINQ (aka FIONREAD)
  x86/smpboot: Remove stale TLB flush invocations
  nohz: Prevent a timer interrupt storm in tick_nohz_stop_sched_tick()
  timers: Reinitialize per cpu bases on hotplug
  timers: Invoke timer_start_debug() where it makes sense
  timers: Use deferrable base independent of base::nohz_active
  usb: xhci: Add XHCI_TRUST_TX_LENGTH for Renesas uPD720201
  USB: Fix off by one in type-specific length check of BOS SSP capability
  usb: add RESET_RESUME for ELSA MicroLink 56K
  usb: Add device quirk for Logitech HD Pro Webcam C925e
  USB: serial: option: adding support for YUGA CLM920-NC5
  USB: serial: option: add support for Telit ME910 PID 0x1101
  USB: serial: qcserial: add Sierra Wireless EM7565
  USB: serial: ftdi_sio: add id for Airbus DS P8GR
  usbip: vhci: stop printing kernel pointer addresses in messages
  usbip: stub: stop printing kernel pointer addresses in messages
  usbip: prevent leaking socket pointer address in messages
  usbip: fix usbip bind writing random string after command in match_busid
  s390/qeth: update takeover IPs after configuration change
  s390/qeth: lock IP table while applying takeover changes
  s390/qeth: don't apply takeover changes to RXIP
  s390/qeth: apply takeover changes when mode is toggled
  net/mlx5: Fix error flow in CREATE_QP command
  net/mlx5e: Prevent possible races in VXLAN control flow
  net/mlx5e: Add refcount to VXLAN structure
  net/mlx5e: Fix possible deadlock of VXLAN lock
  net/mlx5e: Fix features check of IPv6 traffic
  net/mlx5: Fix rate limit packet pacing naming and struct
  tcp: invalidate rate samples during SACK reneging
  sock: free skb in skb_complete_tx_timestamp on error
  net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround
  net: Fix double free and memory corruption in get_net_ns_by_id()
  net: fec: Allow reception of frames bigger than 1522 bytes
  net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks
  ipv4: Fix use-after-free when flushing FIB tables
  adding missing rcu_read_unlock in ipxip6_rcv
  sctp: Replace use of sockets_allocated with specified macro.
  net: mvmdio: disable/unprepare clocks in EPROBE_DEFER case
  net: ipv4: fix for a race condition in raw_sendmsg
  tg3: Fix rx hang on MTU change with 5717/5719
  tcp md5sig: Use skb's saddr when replying to an incoming segment
  tcp_bbr: record "full bw reached" decision in new full_bw_reached bit
  RDS: Check cmsg_len before dereferencing CMSG_DATA
  ptr_ring: add barriers
  net: reevalulate autoflowlabel setting after sysctl setting
  net: qmi_wwan: add Sierra EM7565 1199:9091
  netlink: Add netns check on taps
  net: igmp: Use correct source address on IGMPv3 reports
  net: fec: unmap the xmit buffer that are not transferred by DMA
  ipv6: mcast: better catch silly mtu values
  ipv4: igmp: guard against silly MTU values
  kbuild: add '-fno-stack-check' to kernel build options
  x86/mm/64: Fix reboot interaction with CR4.PCIDE
  x86/mm: Enable CR4.PCIDE on supported systems
  x86/mm: Add the 'nopcid' boot option to turn off PCID
  x86/mm: Disable PCID on 32-bit kernels
  x86/mm: Remove the UP asm/tlbflush.h code, always use the (formerly) SMP code
  x86/mm: Reimplement flush_tlb_page() using flush_tlb_mm_range()
  x86/mm: Make flush_tlb_mm_range() more predictable
  x86/mm: Remove flush_tlb() and flush_tlb_current_task()
  x86/vm86/32: Switch to flush_tlb_mm_range() in mark_screen_rdonly()
  ALSA: hda - fix headset mic detection issue on a Dell machine
  ALSA: hda: Drop useless WARN_ON()
  ASoC: tlv320aic31xx: Fix GPIO1 register definition
  ASoC: twl4030: fix child-node lookup
  ASoC: fsl_ssi: AC'97 ops need regmap, clock and cleaning up on failure
  ASoC: da7218: fix fix child-node lookup
  ASoC: wm_adsp: Fix validation of firmware and coeff lengths
  iw_cxgb4: Only validate the MSN for successful completions
  ring-buffer: Mask out the info bits when returning buffer page length
  tracing: Fix crash when it fails to alloc ring buffer
  tracing: Fix possible double free on failure of allocating trace buffer
  tracing: Remove extra zeroing out of the ring buffer page
  sync objtool's copy of x86-opcode-map.txt

Conflicts:
	include/linux/cpuhotplug.h
	kernel/time/timer.c

Change-Id: I0198e2b75715d13acd86237321966774cd6d9f1d
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
2018-01-18 07:01:08 -08:00
Kevin Cernekee
0b18782288 netlink: Add netns check on taps
[ Upstream commit 93c647643b48f0131f02e45da3bd367d80443291 ]

Currently, a nlmon link inside a child namespace can observe systemwide
netlink activity.  Filter the traffic so that nlmon can only sniff
netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x6162633132330000000000000000000000000000 \
        enc aes 0x00000000000000000000000000000000
    grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-01-02 20:35:10 +01:00
Kyle Yan
ff97938fbf Merge remote-tracking branch '4.9/tmp-8dd0f52' into msm-4.9
* 4.9/tmp-8dd0f52:
  Linux 4.9.72
  sparc32: Export vac_cache_size to fix build error
  bpf: fix incorrect sign extension in check_alu_op()
  bpf: reject out-of-bounds stack pointer calculation
  bpf: fix branch pruning logic
  bpf: adjust insn_aux_data when patching insns
  Revert "Bluetooth: btusb: driver to enable the usb-wakeup feature"
  platform/x86: asus-wireless: send an EV_SYN/SYN_REPORT between state changes
  MIPS: math-emu: Fix final emulation phase for certain instructions
  thermal/drivers/hisi: Fix multiple alarm interrupts firing
  thermal/drivers/hisi: Simplify the temperature/step computation
  thermal/drivers/hisi: Fix kernel panic on alarm interrupt
  thermal/drivers/hisi: Fix missing interrupt enablement
  thermal: hisilicon: Handle return value of clk_prepare_enable
  cpuidle: fix broadcast control when broadcast can not be entered
  rtc: set the alarm to the next expiring timer
  tcp: fix under-evaluated ssthresh in TCP Vegas
  clk: sunxi-ng: sun6i: Rename HDMI DDC clock to avoid name collision
  staging: greybus: light: Release memory obtained by kasprintf
  net: ipv6: send NS for DAD when link operationally up
  fm10k: ensure we process SM mbx when processing VF mbx
  vfio/pci: Virtualize Maximum Payload Size
  scsi: lpfc: PLOGI failures during NPIV testing
  scsi: lpfc: Fix secure firmware updates
  fm10k: fix mis-ordered parameters in declaration for .ndo_set_vf_bw
  ASoC: img-parallel-out: Add pm_runtime_get/put to set_fmt callback
  tracing: Exclude 'generic fields' from histograms
  PCI/AER: Report non-fatal errors only to the affected endpoint
  IB/rxe: check for allocation failure on elem
  ixgbe: fix use of uninitialized padding
  igb: check memory allocation failure
  PM / OPP: Move error message to debug level
  PCI: Create SR-IOV virtfn/physfn links before attaching driver
  scsi: mpt3sas: Fix IO error occurs on pulling out a drive from RAID1 volume created on two SATA drive
  scsi: cxgb4i: fix Tx skb leak
  PCI: Avoid bus reset if bridge itself is broken
  net: phy: at803x: Change error to EINVAL for invalid MAC
  kvm, mm: account kvm related kmem slabs to kmemcg
  rtc: pl031: make interrupt optional
  crypto: crypto4xx - increase context and scatter ring buffer elements
  backlight: pwm_bl: Fix overflow condition
  bnxt_en: Fix NULL pointer dereference in reopen failure path
  cpuidle: powernv: Pass correct drv->cpumask for registration
  ARM: dma-mapping: disallow dma_get_sgtable() for non-kernel managed memory
  Btrfs: fix an integer overflow check
  netfilter: nfnetlink_queue: fix secctx memory leak
  xhci: plat: Register shutdown for xhci_plat
  net: moxa: fix TX overrun memory leak
  isdn: kcapi: avoid uninitialized data
  virtio_balloon: prevent uninitialized variable use
  virtio-balloon: use actual number of stats for stats queue buffers
  KVM: pci-assign: do not map smm memory slot pages in vt-d page tables
  net: ipconfig: fix ic_close_devs() use-after-free
  cpufreq: Fix creation of symbolic links to policy directories
  ARM: dts: am335x-evmsk: adjust mmc2 param to allow suspend
  netfilter: nf_nat_snmp: Fix panic when snmp_trap_helper fails to register
  netfilter: nfnl_cthelper: fix a race when walk the nf_ct_helper_hash table
  irda: vlsi_ir: fix check for DMA mapping errors
  RDMA/iser: Fix possible mr leak on device removal event
  i40e: Do not enable NAPI on q_vectors that have no rings
  IB/rxe: increment msn only when completing a request
  IB/rxe: double free on error
  net: Do not allow negative values for busy_read and busy_poll sysctl interfaces
  nbd: set queue timeout properly
  infiniband: Fix alignment of mmap cookies to support VIPT caching
  IB/core: Protect against self-requeue of a cq work item
  i40iw: Receive netdev events post INET_NOTIFIER state
  bna: avoid writing uninitialized data into hw registers
  s390/qeth: no ETH header for outbound AF_IUCV
  s390/qeth: size calculation outbound buffers
  r8152: prevent the driver from transmitting packets with carrier off
  ASoC: STI: Fix reader substream pointer set
  HID: xinmo: fix for out of range for THT 2P arcade controller.
  hwmon: (asus_atk0110) fix uninitialized data access
  ARM: dts: ti: fix PCI bus dtc warnings
  KVM: VMX: Fix enable VPID conditions
  KVM: x86: correct async page present tracepoint
  kvm: vmx: Flush TLB when the APIC-access address changes
  scsi: lpfc: Fix PT2PT PRLI reject
  pinctrl: st: add irq_request/release_resources callbacks
  inet: frag: release spinlock before calling icmp_send()
  tipc: fix nametbl deadlock at tipc_nametbl_unsubscribe
  r8152: fix the rx early size of RTL8153
  iommu/exynos: Workaround FLPD cache flush issues for SYSMMU v5
  netfilter: nfnl_cthelper: Fix memory leak
  netfilter: nfnl_cthelper: fix runtime expectation policy updates
  usb: gadget: udc: remove pointer dereference after free
  usb: gadget: f_uvc: Sanity check wMaxPacketSize for SuperSpeed
  hwmon: (max31790) Set correct PWM value
  net: qmi_wwan: Add USB IDs for MDM6600 modem on Motorola Droid 4
  sctp: out_qlen should be updated when pruning unsent queue
  bna: integer overflow bug in debugfs
  sch_dsmark: fix invalid skb_cow() usage
  vsock: cancel packets when failing to connect
  vhost-vsock: add pkt cancel capability
  vsock: track pkt owner vsock
  crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
  r8152: fix the list rx_done may be used without initialization
  cpuidle: Validate cpu_dev in cpuidle_add_sysfs()
  nvme-loop: handle cpu unplug when re-establishing the controller
  arm: kprobes: Align stack to 8-bytes in test code
  arm: kprobes: Fix the return address of multiple kretprobes
  HID: corsair: Add driver Scimitar Pro RGB gaming mouse 1b1c:1b3e support to hid-corsair
  HID: corsair: support for K65-K70 Rapidfire and Scimitar Pro RGB
  kvm: fix usage of uninit spinlock in avic_vm_destroy()
  ALSA: hda - add support for docking station for HP 840 G3
  ALSA: hda - add support for docking station for HP 820 G2
  arm64: Initialise high_memory global variable earlier
  cxl: Check if vphb exists before iterating over AFU devices
  Linux 4.9.71
  ath9k: fix tx99 potential info leak
  icmp: don't fail on fragment reassembly time exceeded
  IB/ipoib: Grab rtnl lock on heavy flush when calling ndo_open/stop
  RDMA/cma: Avoid triggering undefined behavior
  macvlan: Only deliver one copy of the frame to the macvlan interface
  udf: Avoid overflow when session starts at large offset
  scsi: bfa: integer overflow in debugfs
  scsi: sd: change allow_restart to bool in sysfs interface
  scsi: sd: change manage_start_stop to bool in sysfs interface
  rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_disassoc_cmd
  rtl8188eu: Fix a possible sleep-in-atomic bug in rtw_createbss_cmd
  vt6655: Fix a possible sleep-in-atomic bug in vt6655_suspend
  IB/core: Fix calculation of maximum RoCE MTU
  scsi: scsi_devinfo: Add REPORTLUN2 to EMC SYMMETRIX blacklist entry
  raid5: Set R5_Expanded on parity devices as well as data.
  pinctrl: adi2: Fix Kconfig build problem
  usb: musb: da8xx: fix babble condition handling
  tty fix oops when rmmod 8250
  soc: mediatek: pwrap: fix compiler errors
  powerpc/perf/hv-24x7: Fix incorrect comparison in memord
  scsi: hpsa: destroy sas transport properties before scsi_host
  scsi: hpsa: cleanup sas_phy structures in sysfs when unloading
  PCI: Detach driver before procfs & sysfs teardown on device remove
  RDMA/cxgb4: Declare stag as __be32
  xfs: fix incorrect extent state in xfs_bmap_add_extent_unwritten_real
  xfs: fix log block underflow during recovery cycle verification
  l2tp: cleanup l2tp_tunnel_delete calls
  nvme: use kref_get_unless_zero in nvme_find_get_ns
  platform/x86: hp_accel: Add quirk for HP ProBook 440 G4
  btrfs: tests: Fix a memory leak in error handling path in 'run_test()'
  arm64: prevent regressions in compressed kernel image size when upgrading to binutils 2.27
  Ib/hfi1: Return actual operational VLs in port info query
  bcache: fix wrong cache_misses statistics
  bcache: explicitly destroy mutex while exiting
  GFS2: Take inode off order_write list when setting jdata flag
  scsi: scsi_debug: write_same: fix error report
  thermal/drivers/step_wise: Fix temperature regulation misbehavior
  ASoC: rsnd: rsnd_ssi_run_mods() needs to care ssi_parent_mod
  ppp: Destroy the mutex when cleanup
  clk: tegra: Fix cclk_lp divisor register
  clk: hi6220: mark clock cs_atb_syspll as critical
  clk: imx6: refine hdmi_isfr's parent to make HDMI work on i.MX6 SoCs w/o VPU
  clk: mediatek: add the option for determining PLL source clock
  mm: Handle 0 flags in _calc_vm_trans() macro
  crypto: tcrypt - fix buffer lengths in test_aead_speed()
  arm-ccn: perf: Prevent module unload while PMU is in use
  xfs: truncate pagecache before writeback in xfs_setattr_size()
  iommu/amd: Limit the IOVA page range to the specified addresses
  badblocks: fix wrong return value in badblocks_set if badblocks are disabled
  target/file: Do not return error for UNMAP if length is zero
  target:fix condition return in core_pr_dump_initiator_port()
  iscsi-target: fix memory leak in lio_target_tiqn_addtpg()
  target/iscsi: Fix a race condition in iscsit_add_reject_from_cmd()
  platform/x86: intel_punit_ipc: Fix resource ioremap warning
  powerpc/ipic: Fix status get and status clear
  powerpc/opal: Fix EBUSY bug in acquiring tokens
  netfilter: ipvs: Fix inappropriate output of procfs
  iommu/mediatek: Fix driver name
  PCI: Do not allocate more buses than available in parent
  powerpc/powernv/cpufreq: Fix the frequency read by /proc/cpuinfo
  PCI/PME: Handle invalid data when reading Root Status
  dmaengine: ti-dma-crossbar: Correct am335x/am43xx mux value type
  ASoC: Intel: Skylake: Fix uuid_module memory leak in failure case
  rtc: pcf8563: fix output clock rate
  video: fbdev: au1200fb: Return an error code if a memory allocation fails
  video: fbdev: au1200fb: Release some resources if a memory allocation fails
  video: udlfb: Fix read EDID timeout
  fbdev: controlfb: Add missing modes to fix out of bounds access
  sfc: don't warn on successful change of MAC
  HID: cp2112: fix broken gpio_direction_input callback
  Revert "x86/acpi: Set persistent cpuid <-> nodeid mapping when booting"
  target: fix race during implicit transition work flushes
  target: fix ALUA transition timeout handling
  target: Use system workqueue for ALUA transitions
  btrfs: add missing memset while reading compressed inline extents
  NFSv4.1 respect server's max size in CREATE_SESSION
  efi/esrt: Cleanup bad memory map log messages
  perf symbols: Fix symbols__fixup_end heuristic for corner cases
  tty: fix data race in tty_ldisc_ref_wait()
  tty: don't panic on OOM in tty_set_ldisc()
  rxrpc: Ignore BUSY packets on old calls
  net: mpls: Fix nexthop alive tracking on down events
  net/mlx4_core: Avoid delays during VF driver device shutdown
  nvmet-rdma: Fix a possible uninitialized variable dereference
  nvmet: confirm sq percpu has scheduled and switched to atomic
  nvme-loop: fix a possible use-after-free when destroying the admin queue
  afs: Fix abort on signal while waiting for call completion
  afs: Fix afs_kill_pages()
  afs: Fix page leak in afs_write_begin()
  afs: Populate and use client modification time
  afs: Better abort and net error handling
  afs: Invalid op ID should abort with RXGEN_OPCODE
  afs: Fix the maths in afs_fs_store_data()
  afs: Prevent callback expiry timer overflow
  afs: Migrate vlocation fields to 64-bit
  afs: Flush outstanding writes when an fd is closed
  afs: Deal with an empty callback array
  afs: Adjust mode bits processing
  afs: Populate group ID from vnode status
  afs: Fix missing put_page()
  drm/radeon: reinstate oland workaround for sclk
  mmc: mediatek: Fixed bug where clock frequency could be set wrong
  sched/deadline: Use deadline instead of period when calculating overflow
  sched/deadline: Throttle a constrained deadline task activated after the deadline
  sched/deadline: Make sure the replenishment timer fires in the next period
  sched/deadline: Add missing update_rq_clock() in dl_task_timer()
  iwlwifi: mvm: cleanup pending frames in DQA mode
  Drivers: hv: util: move waiting for release to hv_utils_transport itself
  drm/radeon/si: add dpm quirk for Oland
  fjes: Fix wrong netdevice feature flags
  scsi: hpsa: do not timeout reset operations
  scsi: hpsa: limit outstanding rescans
  scsi: hpsa: update check for logical volume status
  ASoC: rcar: clear DE bit only in PDMACHCR when it stops
  openrisc: fix issue handling 8 byte get_user calls
  intel_th: pci: Add Gemini Lake support
  drm: amd: remove broken include path
  qed: Fix interrupt flags on Rx LL2
  qed: Fix mapping leak on LL2 rx flow
  qed: Align CIDs according to DORQ requirement
  mlxsw: reg: Fix SPVMLR max record count
  mlxsw: reg: Fix SPVM max record count
  net: Resend IGMP memberships upon peer notification.
  irqchip/mvebu-odmi: Select GENERIC_MSI_IRQ_DOMAIN
  dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
  net: wimax/i2400m: fix NULL-deref at probe
  writeback: fix memory leak in wb_queue_work()
  blk-mq: Fix tagset reinit in the presence of cpu hot-unplug
  ASoC: rsnd: fix sound route path when using SRC6/SRC9
  netfilter: bridge: honor frag_max_size when refragmenting
  drm/omap: fix dmabuf mmap for dma_alloc'ed buffers
  Input: i8042 - add TUXEDO BU1406 (N24_25BU) to the nomux list
  NFSD: fix nfsd_reset_versions for NFSv4.
  NFSD: fix nfsd_minorversion(.., NFSD_AVAIL)
  drm/amdgpu: fix parser init error path to avoid crash in parser fini
  iommu/io-pgtable-arm-v7s: Check for leaf entry before dereferencing it
  net/mlx5: Don't save PCI state when PCI error is detected
  net/mlx5: Fix create autogroup prev initializer
  rxrpc: Wake up the transmitter if Rx window size increases on the peer
  net: bcmgenet: Power up the internal PHY before probing the MII
  net: bcmgenet: synchronize irq0 status between the isr and task
  net: bcmgenet: power down internal phy if open or resume fails
  net: bcmgenet: reserved phy revisions must be checked first
  net: bcmgenet: correct MIB access of UniMAC RUNT counters
  net: bcmgenet: correct the RBUF_OVFL_CNT and RBUF_ERR_CNT MIB values
  bnxt_en: Ignore 0 value in autoneg supported speed from firmware.
  net: initialize msg.msg_flags in recvfrom
  userfaultfd: selftest: vm: allow to build in vm/ directory
  userfaultfd: shmem: __do_fault requires VM_FAULT_NOPAGE
  md-cluster: free md_cluster_info if node leave cluster
  usb: xhci-mtk: check hcc_params after adding primary hcd
  KVM: nVMX: do not warn when MSR bitmap address is not backed
  usb: phy: isp1301: Add OF device ID table
  mac80211: Fix addition of mesh configuration element
  ext4: fix crash when a directory's i_size is too small
  ext4: fix fdatasync(2) after fallocate(2) operation
  dmaengine: dmatest: move callback wait queue to thread context
  eeprom: at24: change nvmem stride to 1
  sched/rt: Do not pull from current CPU if only one CPU to pull
  nfs: don't wait on commit in nfs_commit_inode() if there were no commit requests
  xhci: Don't add a virt_dev to the devs array before it's fully allocated
  Bluetooth: btusb: driver to enable the usb-wakeup feature
  usb: xhci: fix TDS for MTK xHCI1.1
  ceph: drop negative child dentries before try pruning inode's alias
  usbip: fix stub_send_ret_submit() vulnerability to null transfer_buffer
  usbip: fix stub_rx: harden CMD_SUBMIT path to handle malicious input
  usb: add helper to extract bits 12:11 of wMaxPacketSize
  usbip: fix stub_rx: get_pipe() to validate endpoint number
  USB: core: prevent malicious bNumInterfaces overflow
  USB: uas and storage: Add US_FL_BROKEN_FUA for another JMicron JMS567 ID
  tracing: Allocate mask_str buffer dynamically
  autofs: fix careless error in recent commit
  crypto: salsa20 - fix blkcipher_walk API usage
  crypto: hmac - require that the underlying hash algorithm is unkeyed
  crypto: rsa - fix buffer overread when stripping leading zeroes
  mfd: fsl-imx25: Clean up irq settings during removal
  Linux 4.9.70
  RDMA/cxgb4: Annotate r2 and stag as __be32
  md: free unused memory after bitmap resize
  audit: ensure that 'audit=1' actually enables audit for PID 1
  ipvlan: fix ipv6 outbound device
  kbuild: do not call cc-option before KBUILD_CFLAGS initialization
  powerpc/64: Fix checksum folding in csum_tcpudp_nofold and ip_fast_csum_nofold
  KVM: arm/arm64: vgic-its: Preserve the revious read from the pending table
  fix kcm_clone()
  usb: gadget: ffs: Forbid usb_ep_alloc_request from sleeping
  s390: always save and restore all registers on context switch
  ipmi: Stop timers before cleaning up the module
  Fix handling of verdicts after NF_QUEUE
  tipc: call tipc_rcv() only if bearer is up in tipc_udp_recv()
  s390/qeth: fix thinko in IPv4 multicast address tracking
  s390/qeth: fix GSO throughput regression
  s390/qeth: build max size GSO skbs on L2 devices
  tcp/dccp: block bh before arming time_wait timer
  stmmac: reset last TSO segment size after device open
  net: remove hlist_nulls_add_tail_rcu()
  usbnet: fix alignment for frames with no ethernet header
  net/packet: fix a race in packet_bind() and packet_notifier()
  packet: fix crash in fanout_demux_rollover()
  sit: update frag_off info
  rds: Fix NULL pointer dereference in __rds_rdma_map
  tipc: fix memory leak in tipc_accept_from_sock()
  s390/qeth: fix early exit from error path
  net: qmi_wwan: add Quectel BG96 2c7c:0296
  ANDROID: dma-buf/sw_sync: Rename active_list to link
  FROMLIST: android: binder: Fix null ptr dereference in debug msg
  FROMLIST: android: binder: Move buffer out of area shared with user space
  FROMLIST: android: binder: Add allocator selftest
  FROMLIST: android: binder: Refactor prev and next buffer into a helper function
  Linux 4.9.69
  afs: Connect up the CB.ProbeUuid
  IB/mlx5: Assign send CQ and recv CQ of UMR QP
  IB/mlx4: Increase maximal message size under UD QP
  xfrm: Copy policy family in clone_policy
  jump_label: Invoke jump_label_test() via early_initcall()
  atm: horizon: Fix irq release error
  clk: uniphier: fix DAPLL2 clock rate of Pro5
  bpf: fix lockdep splat
  sctp: use the right sk after waking up from wait_buf sleep
  sctp: do not free asoc when it is already dead in sctp_sendmsg
  zsmalloc: calling zs_map_object() from irq is a bug
  sparc64/mm: set fields in deferred pages
  block: wake up all tasks blocked in get_request()
  dt-bindings: usb: fix reg-property port-number range
  xfs: fix forgotten rcu read unlock when skipping inode reclaim
  sunrpc: Fix rpc_task_begin trace point
  NFS: Fix a typo in nfs_rename()
  dynamic-debug-howto: fix optional/omitted ending line number to be LARGE instead of 0
  lib/genalloc.c: make the avail variable an atomic_long_t
  drivers/rapidio/devices/rio_mport_cdev.c: fix resource leak in error handling path in 'rio_dma_transfer()'
  route: update fnhe_expires for redirect when the fnhe exists
  route: also update fnhe_genid when updating a route cache
  gre6: use log_ecn_error module parameter in ip6_tnl_rcv()
  mac80211_hwsim: Fix memory leak in hwsim_new_radio_nl()
  x86/mpx/selftests: Fix up weird arrays
  coccinelle: fix parallel build with CHECK=scripts/coccicheck
  kbuild: pkg: use --transform option to prefix paths in tar
  EDAC, i5000, i5400: Fix definition of NRECMEMB register
  EDAC, i5000, i5400: Fix use of MTR_DRAM_WIDTH macro
  powerpc/powernv/ioda2: Gracefully fail if too many TCE levels requested
  drm/amd/amdgpu: fix console deadlock if late init failed
  axonram: Fix gendisk handling
  netfilter: don't track fragmented packets
  zram: set physical queue limits to avoid array out of bounds accesses
  blk-mq: initialize mq kobjects in blk_mq_init_allocated_queue()
  i2c: riic: fix restart condition
  crypto: s5p-sss - Fix completing crypto request in IRQ handler
  ipv6: reorder icmpv6_init() and ip6_mr_init()
  ibmvnic: Allocate number of rx/tx buffers agreed on by firmware
  ibmvnic: Fix overflowing firmware/hardware TX queue
  rds: tcp: Sequence teardown of listen and acceptor sockets to avoid races
  bnx2x: do not rollback VF MAC/VLAN filters we did not configure
  bnx2x: fix detection of VLAN filtering feature for VF
  bnx2x: fix possible overrun of VFPF multicast addresses array
  bnx2x: prevent crash when accessing PTP with interface down
  spi_ks8995: regs_size incorrect for some devices
  spi_ks8995: fix "BUG: key accdaa28 not in .data!"
  KVM: arm/arm64: VGIC: Fix command handling while ITS being disabled
  arm64: KVM: Survive unknown traps from guests
  arm: KVM: Survive unknown traps from guests
  KVM: nVMX: reset nested_run_pending if the vCPU is going to be reset
  irqchip/crossbar: Fix incorrect type of register size
  scsi: lpfc: Fix crash during Hardware error recovery on SLI3 adapters
  scsi: qla2xxx: Fix ql_dump_buffer
  workqueue: trigger WARN if queue_delayed_work() is called with NULL @wq
  libata: drop WARN from protocol error in ata_sff_qc_issue()
  kvm: nVMX: VMCLEAR should not cause the vCPU to shut down
  usb: gadget: udc: net2280: Fix tmp reusage in net2280 driver
  usb: gadget: pxa27x: Test for a valid argument pointer
  usb: dwc3: gadget: Fix system suspend/resume on TI platforms
  USB: gadgetfs: Fix a potential memory leak in 'dev_config()'
  usb: gadget: configs: plug memory leak
  HID: chicony: Add support for another ASUS Zen AiO keyboard
  gpio: altera: Use handle_level_irq when configured as a level_high
  ASoC: rcar: avoid SSI_MODEx settings for SSI8
  ARM: OMAP2+: Release device node after it is no longer needed.
  ARM: OMAP2+: Fix device node reference counts
  powerpc/64: Fix checksum folding in csum_add()
  module: set __jump_table alignment to 8
  lirc: fix dead lock between open and wakeup_filter
  powerpc: Fix compiling a BE kernel with a powerpc64le toolchain
  selftest/powerpc: Fix false failures for skipped tests
  powerpc/64: Invalidate process table caching after setting process table
  x86/hpet: Prevent might sleep splat on resume
  sched/fair: Make select_idle_cpu() more aggressive
  x86/platform/uv/BAU: Fix HUB errors by remove initial write to sw-ack register
  x86/selftests: Add clobbers for int80 on x86_64
  ARM: OMAP2+: gpmc-onenand: propagate error on initialization failure
  vti6: Don't report path MTU below IPV6_MIN_MTU.
  ARM: 8657/1: uaccess: consistently check object sizes
  Revert "spi: SPI_FSL_DSPI should depend on HAS_DMA"
  Revert "drm/armada: Fix compile fail"
  mm: drop unused pmdp_huge_get_and_clear_notify()
  thp: fix MADV_DONTNEED vs. numa balancing race
  thp: reduce indentation level in change_huge_pmd()
  ARM: avoid faulting on qemu
  ARM: BUG if jumping to usermode address in kernel mode
  usb: f_fs: Force Reserved1=1 in OS_DESC_EXT_COMPAT
  crypto: talitos - fix ctr-aes-talitos
  crypto: talitos - fix use of sg_link_tbl_len
  crypto: talitos - fix AEAD for sha224 on non sha224 capable chips
  crypto: talitos - fix setkey to check key weakness
  crypto: talitos - fix memory corruption on SEC2
  crypto: talitos - fix AEAD test failures
  bus: arm-ccn: fix module unloading Error: Removing state 147 which has instances left.
  bus: arm-ccn: Fix use of smp_processor_id() in preemptible context
  bus: arm-ccn: Check memory allocation failure
  bus: arm-cci: Fix use of smp_processor_id() in preemptible context
  arm64: fpsimd: Prevent registers leaking from dead tasks
  KVM: arm/arm64: vgic-its: Check result of allocation before use
  KVM: arm/arm64: vgic-irqfd: Fix MSI entry allocation
  KVM: arm/arm64: Fix broken GICH_ELRSR big endian conversion
  KVM: VMX: remove I/O port 0x80 bypass on Intel hosts
  arm: KVM: Fix VTTBR_BADDR_MASK BUG_ON off-by-one
  arm64: KVM: fix VTTBR_BADDR_MASK BUG_ON off-by-one
  media: dvb: i2c transfers over usb cannot be done from stack
  drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
  kdb: Fix handling of kallsyms_symbol_next() return value
  brcmfmac: change driver unbind order of the sdio function devices
  powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
  KVM: s390: Fix skey emulation permission check
  s390: fix compat system call table
  smp/hotplug: Move step CPUHP_AP_SMPCFD_DYING to the correct place
  iommu/vt-d: Fix scatterlist offset handling
  ALSA: usb-audio: Add check return value for usb_string()
  ALSA: usb-audio: Fix out-of-bound error
  ALSA: seq: Remove spurious WARN_ON() at timer check
  ALSA: pcm: prevent UAF in snd_pcm_info
  btrfs: fix missing error return in btrfs_drop_snapshot
  KVM: x86: fix APIC page invalidation
  x86/PCI: Make broadcom_postcore_init() check acpi_disabled
  X.509: fix comparisons of ->pkey_algo
  X.509: reject invalid BIT STRING for subjectPublicKey
  KEYS: add missing permission check for request_key() destination
  ASN.1: check for error from ASN1_OP_END__ACT actions
  ASN.1: fix out-of-bounds read when parsing indefinite length item
  efi/esrt: Use memunmap() instead of kfree() to free the remapping
  efi: Move some sysfs files to be read-only by root
  scsi: libsas: align sata_device's rps_resp on a cacheline
  scsi: use dma_get_cache_alignment() as minimum DMA alignment
  scsi: dma-mapping: always provide dma_get_cache_alignment
  isa: Prevent NULL dereference in isa_bus driver callbacks
  hv: kvp: Avoid reading past allocated blocks from KVP file
  virtio: release virtio index when fail to device_register
  can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  can: ems_usb: cancel urb on -EPIPE and -EPROTO
  can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  can: kvaser_usb: ratelimit errors if incomplete messages are received
  can: kvaser_usb: Fix comparison bug in kvaser_usb_read_bulk_callback()
  can: kvaser_usb: free buf in error paths
  can: ti_hecc: Fix napi poll return value for repoll
  usb: gadget: udc: renesas_usb3: fix number of the pipes
  ANDROID: Revert "arm64: move ELF_ET_DYN_BASE to 4GB / 4MB"
  ANDROID: Revert "arm: move ELF_ET_DYN_BASE to 4MB"
  Linux 4.9.68
  xen-netfront: avoid crashing on resume after a failure in talk_to_netback()
  usb: host: fix incorrect updating of offset
  USB: usbfs: Filter flags passed in from user space
  USB: devio: Prevent integer overflow in proc_do_submiturb()
  USB: Increase usbfs transfer limit
  USB: core: Add type-specific length check of BOS descriptors
  usb: xhci: fix panic in xhci_free_virt_devices_depth_first
  usb: hub: Cycle HUB power when initialization fails
  dma-buf: Update kerneldoc for sync_file_create
  dma-buf/sync_file: hold reference to fence when creating sync_file
  dma-buf/sw_sync: force signal all unsignaled fences on dying timeline
  dma-fence: Introduce drm_fence_set_error() helper
  dma-fence: Wrap querying the fence->status
  dma-fence: Clear fence->status during dma_fence_init()
  dma-buf/sw_sync: clean up list before signaling the fence
  dma-buf/sw_sync: move timeline_fence_ops around
  dma-buf/sw-sync: Use an rbtree to sort fences in the timeline
  dma-buf/sw-sync: Fix locking around sync_timeline lists
  dma-buf/sw-sync: sync_pt is private and of fixed size
  dma-buf/sw-sync: Reduce irqsave/irqrestore from known context
  dma-buf/sw-sync: Prevent user overflow on timeline advance
  dma-buf/sw-sync: Fix the is-signaled test to handle u32 wraparound
  dma-buf/dma-fence: Extract __dma_fence_is_later()
  net: fec: fix multicast filtering hardware setup
  xen-netback: vif counters from int/long to u64
  cec: initiator should be the same as the destination for, poll
  xen-netfront: Improve error handling during initialization
  mm: avoid returning VM_FAULT_RETRY from ->page_mkwrite handlers
  vfio/spapr: Fix missing mutex unlock when creating a window
  be2net: fix initial MAC setting
  net: thunderx: avoid dereferencing xcv when NULL
  net: phy: micrel: KSZ8795 do not set SUPPORTED_[Asym_]Pause
  gtp: fix cross netns recv on gtp socket
  gtp: clear DF bit on GTP packet tx
  nvmet: cancel fatal error and flush async work before free controller
  i2c: i2c-cadence: Initialize configuration before probing devices
  tcp: correct memory barrier usage in tcp_check_space()
  dmaengine: pl330: fix double lock
  tipc: fix cleanup at module unload
  tipc: fix nametbl_lock soft lockup at module exit
  RDMA/qedr: Fix RDMA CM loopback
  RDMA/qedr: Return success when not changing QP state
  mac80211: don't try to sleep in rate_control_rate_init()
  drm/amdgpu: fix unload driver issue for virtual display
  x86/fpu: Set the xcomp_bv when we fake up a XSAVES area
  net: sctp: fix array overrun read on sctp_timer_tbl
  drm/exynos/decon5433: set STANDALONE_UPDATE_F on output enablement
  drm/amdgpu: fix bug set incorrect value to vce register
  qla2xxx: Fix wrong IOCB type assumption
  powerpc/mm: Fix memory hotplug BUG() on radix
  perf/x86/intel: Account interrupts for PEBS errors
  NFSv4: Fix client recovery when server reboots multiple times
  mac80211: prevent skb/txq mismatch
  KVM: arm/arm64: Fix occasional warning from the timer work function
  drm/exynos/decon5433: set STANDALONE_UPDATE_F also if planes are disabled
  drm/exynos/decon5433: update shadow registers iff there are active windows
  nfs: Don't take a reference on fl->fl_file for LOCK operation
  ravb: Remove Rx overflow log messages
  mac80211: calculate min channel width correctly
  mm: fix remote numa hits statistics
  net: qrtr: Mark 'buf' as little endian
  libfs: Modify mount_pseudo_xattr to be clear it is not a userspace mount
  net/appletalk: Fix kernel memory disclosure
  be2net: fix unicast list filling
  be2net: fix accesses to unicast list
  vti6: fix device register to report IFLA_INFO_KIND
  ARM: OMAP1: DMA: Correct the number of logical channels
  ARM: OMAP2+: Fix WL1283 Bluetooth Baud Rate
  net: systemport: Pad packet before inserting TSB
  net: systemport: Utilize skb_put_padto()
  libcxgb: fix error check for ip6_route_output()
  usb: gadget: f_fs: Fix ExtCompat descriptor validation
  dmaengine: stm32-dma: Fix null pointer dereference in stm32_dma_tx_status
  dmaengine: stm32-dma: Set correct args number for DMA request from DT
  l2tp: take remote address into account in l2tp_ip and l2tp_ip6 socket lookups
  net/mlx4_en: Fix type mismatch for 32-bit systems
  dax: Avoid page invalidation races and unnecessary radix tree traversals
  iio: adc: ti-ads1015: add 10% to conversion wait time
  tools include: Do not use poison with C++
  kprobes/x86: Disable preemption in ftrace-based jprobes
  perf test attr: Fix ignored test case result
  usbip: tools: Install all headers needed for libusbip development
  sysrq : fix Show Regs call trace on ARM
  EDAC, sb_edac: Fix missing break in switch
  x86/entry: Use SYSCALL_DEFINE() macros for sys_modify_ldt()
  serial: 8250: Preserve DLD[7:4] for PORT_XR17V35X
  usb: phy: tahvo: fix error handling in tahvo_usb_probe()
  mmc: sdhci-msm: fix issue with power irq
  spi: spi-axi: fix potential use-after-free after deregistration
  spi: sh-msiof: Fix DMA transfer size check
  staging: rtl8188eu: avoid a null dereference on pmlmepriv
  serial: 8250_fintek: Fix rs485 disablement on invalid ioctl()
  m68k: fix ColdFire node shift size calculation
  staging: greybus: loopback: Fix iteration count on async path
  selftests/x86/ldt_get: Add a few additional tests for limits
  s390/pci: do not require AIS facility
  ima: fix hash algorithm initialization
  USB: serial: option: add Quectel BG96 id
  s390/runtime instrumentation: simplify task exit handling
  serial: 8250_pci: Add Amazon PCI serial device ID
  usb: quirks: Add no-lpm quirk for KY-688 USB 3.1 Type-C Hub
  uas: Always apply US_FL_NO_ATA_1X quirk to Seagate devices
  mm, oom_reaper: gather each vma to prevent leaking TLB entry
  Revert "crypto: caam - get rid of tasklet"
  drm/fsl-dcu: enable IRQ before drm_atomic_helper_resume()
  drm/fsl-dcu: avoid disabling pixel clock twice on suspend
  bcache: recover data from backing when data is clean
  bcache: only permit to recovery read error when cache device is clean
  Linux 4.9.67
  drm/i915: Prevent zero length "index" write
  drm/i915: Don't try indexed reads to alternate slave addresses
  NFS: revalidate "." etc correctly on "open".
  Revert "x86/entry/64: Add missing irqflags tracing to native_load_gs_index()"
  drm/amd/pp: fix typecast error in powerplay.
  drm/ttm: once more fix ttm_buffer_object_transfer
  drm/hisilicon: Ensure LDI regs are properly configured.
  drm/panel: simple: Add missing panel_simple_unprepare() calls
  drm/radeon: fix atombios on big endian
  drm/amdgpu: Potential uninitialized variable in amdgpu_vm_update_directories()
  drm/amdgpu: potential uninitialized variable in amdgpu_vce_ring_parse_cs()
  Revert "drm/radeon: dont switch vt on suspend"
  nvme-pci: add quirk for delay before CHK RDY for WDC SN200
  hwmon: (jc42) optionally try to disable the SMBUS timeout
  bcache: Fix building error on MIPS
  i2c: i801: Fix Failed to allocate irq -2147483648 error
  eeprom: at24: check at24_read/write arguments
  eeprom: at24: correctly set the size for at24mac402
  eeprom: at24: fix reading from 24MAC402/24MAC602
  mmc: core: prepend 0x to OCR entry in sysfs
  mmc: core: Do not leave the block driver in a suspended state
  KVM: lapic: Fixup LDR on load in x2apic
  KVM: lapic: Split out x2apic ldr calculation
  KVM: x86: inject exceptions produced by x86_decode_insn
  KVM: x86: Exit to user-mode on #UD intercept when emulator requires
  KVM: x86: pvclock: Handle first-time write to pvclock-page contains random junk
  ARM: OMAP2+: Fix WL1283 Bluetooth Baud Rate
  mfd: twl4030-power: Fix pmic for boards that need vmmc1 on reboot
  nfsd: fix panic in posix_unblock_lock called from nfs4_laundromat
  nfsd: Fix another OPEN stateid race
  nfsd: Fix stateid races between OPEN and CLOSE
  btrfs: clear space cache inode generation always
  mm/madvise.c: fix madvise() infinite loop under special circumstances
  mm, hugetlbfs: introduce ->split() to vm_operations_struct
  mm/cma: fix alloc_contig_range ret code/potential leak
  mm, thp: Do not make page table dirty unconditionally in touch_p[mu]d()
  ARM: dts: omap3: logicpd-torpedo-37xx-devkit: Fix MMC1 cd-gpio
  ARM: dts: LogicPD Torpedo: Fix camera pin mux
  Linux 4.9.66
  xen: xenbus driver must not accept invalid transaction ids
  nvmet: fix KATO offset in Set Features
  cec: update log_addr[] before finishing configuration
  cec: CEC_MSG_GIVE_FEATURES should abort for CEC version < 2
  cec: when canceling a message, don't overwrite old status info
  s390/kbuild: enable modversions for symbols exported from asm
  ASoC: wm_adsp: Don't overrun firmware file buffer when reading region data
  btrfs: return the actual error value from from btrfs_uuid_tree_iterate
  crypto: marvell - Copy IVDIG before launching partial DMA ahash requests
  ASoC: rsnd: don't double free kctrl
  netfilter: nf_tables: fix oob access
  netfilter: nft_queue: use raw_smp_processor_id()
  spi: SPI_FSL_DSPI should depend on HAS_DMA
  staging: iio: cdc: fix improper return value
  iio: light: fix improper return value
  adm80211: add checks for dma mapping errors
  mac80211: Suppress NEW_PEER_CANDIDATE event if no room
  mac80211: Remove invalid flag operations in mesh TSF synchronization
  drm/mediatek: don't use drm_put_dev
  clk: qcom: ipq4019: Add all the frequencies for apss cpu
  drm: Apply range restriction after color adjustment when allocation
  gpio: mockup: dynamically allocate memory for chip name
  ALSA: hda - Apply ALC269_FIXUP_NO_SHUTUP on HDA_FIXUP_ACT_PROBE
  ath10k: set CTS protection VDEV param only if VDEV is up
  bnxt_en: Set default completion ring for async events.
  pinctrl: sirf: atlas7: Add missing 'of_node_put()'
  ath10k: fix potential memory leak in ath10k_wmi_tlv_op_pull_fw_stats()
  ath10k: ignore configuring the incorrect board_id
  ath10k: fix incorrect txpower set by P2P_DEVICE interface
  mwifiex: sdio: fix use after free issue for save_adapter
  adm80211: return an error if adm8211_alloc_rings() fails
  rt2800: set minimum MPDU and PSDU lengths to sane values
  drm/armada: Fix compile fail
  net: 3com: typhoon: typhoon_init_one: fix incorrect return values
  net: 3com: typhoon: typhoon_init_one: make return values more specific
  net: Allow IP_MULTICAST_IF to set index to L3 slave
  fscrypt: use ENOTDIR when setting encryption policy on nondirectory
  fscrypt: use ENOKEY when file cannot be created w/o key
  dmaengine: zx: set DMA_CYCLIC cap_mask bit
  clk: sunxi-ng: fix PLL_CPUX adjusting on A33
  clk: sunxi-ng: A31: Fix spdif clock register
  drm/sun4i: Fix a return value in case of error
  PCI: Apply _HPX settings only to relevant devices
  RDS: RDMA: fix the ib_map_mr_sg_zbva() argument
  RDS: RDMA: return appropriate error on rdma map failures
  RDS: make message size limit compliant with spec
  e1000e: Avoid receiver overrun interrupt bursts
  e1000e: Separate signaling for link check/link up
  e1000e: Fix return value test
  e1000e: Fix error path in link detection
  Revert "drm/i915: Do not rely on wm preservation for ILK watermarks"
  PM / OPP: Add missing of_node_put(np)
  net/9p: Switch to wait_event_killable()
  fscrypt: lock mutex before checking for bounce page pool
  sched/rt: Simplify the IPI based RT balancing logic
  media: v4l2-ctrl: Fix flags field on Control events
  cx231xx-cards: fix NULL-deref on missing association descriptor
  media: rc: check for integer overflow
  media: Don't do DMA on stack for firmware upload in the AS102 driver
  powerpc/signal: Properly handle return value from uprobe_deny_signal()
  parisc: Fix validity check of pointer size argument in new CAS implementation
  ixgbe: Fix skb list corruption on Power systems
  fm10k: Use smp_rmb rather than read_barrier_depends
  i40evf: Use smp_rmb rather than read_barrier_depends
  ixgbevf: Use smp_rmb rather than read_barrier_depends
  igbvf: Use smp_rmb rather than read_barrier_depends
  igb: Use smp_rmb rather than read_barrier_depends
  i40e: Use smp_rmb rather than read_barrier_depends
  NFC: fix device-allocation error return
  IB/srp: Avoid that a cable pull can trigger a kernel crash
  IB/srpt: Do not accept invalid initiator port names
  libnvdimm, namespace: make 'resource' attribute only readable by root
  libnvdimm, namespace: fix label initialization to use valid seq numbers
  libnvdimm, pfn: make 'resource' attribute only readable by root
  clk: ti: dra7-atl-clock: fix child-node lookups
  SUNRPC: Fix tracepoint storage issues with svc_recv and svc_rqst_status
  KVM: SVM: obey guest PAT
  KVM: nVMX: set IDTR and GDTR limits when loading L1 host state
  lockd: double unregister of inetaddr notifiers
  irqchip/gic-v3: Fix ppi-partitions lookup
  block: Fix a race between blk_cleanup_queue() and timeout handling
  p54: don't unregister leds when they are not initialized
  mtd: nand: mtk: fix infinite ECC decode IRQ issue
  mtd: nand: Fix writing mtdoops to nand flash.
  mtd: nand: omap2: Fix subpage write
  target: Fix QUEUE_FULL + SCSI task attribute handling
  iscsi-target: Fix non-immediate TMR reference leak
  fs/9p: Compare qid.path in v9fs_test_inode
  fix a page leak in vhost_scsi_iov_to_sgl() error recovery
  ALSA: hda/realtek - Fix ALC700 family no sound issue
  ALSA: hda: Fix too short HDMI/DP chmap reporting
  ALSA: timer: Remove kernel warning at compat ioctl error paths
  ALSA: usb-audio: Add sanity checks in v2 clock parsers
  ALSA: usb-audio: Fix potential out-of-bound access at parsing SU
  ALSA: usb-audio: Add sanity checks to FE parser
  ALSA: pcm: update tstamp only if audio_tstamp changed
  ext4: fix interaction between i_size, fallocate, and delalloc after a crash
  ata: fixes kernel crash while tracing ata_eh_link_autopsy event
  rtlwifi: fix uninitialized rtlhal->last_suspend_sec time
  rtlwifi: rtl8192ee: Fix memory leak when loading firmware
  nfsd: deal with revoked delegations appropriately
  NFS: Avoid RCU usage in tracepoints
  nfs: Fix ugly referral attributes
  NFS: Fix typo in nomigration mount option
  isofs: fix timestamps beyond 2027
  bcache: check ca->alloc_thread initialized before wake up it
  libceph: don't WARN() if user tries to add invalid key
  eCryptfs: use after free in ecryptfs_release_messaging()
  nilfs2: fix race condition that causes file system corruption
  autofs: don't fail mount for transient error
  rt2x00usb: mark device removed when get ENOENT usb error
  MIPS: BCM47XX: Fix LED inversion for WRT54GSv1
  MIPS: Fix an n32 core file generation regset support regression
  MIPS: dts: remove bogus bcm96358nb4ser.dtb from dtb-y entry
  MIPS: Fix odd fp register warnings with MIPS64r2
  dm: fix race between dm_get_from_kobject() and __dm_destroy()
  MIPS: pci: Remove KERN_WARN instance inside the mt7620 driver
  dm: allocate struct mapped_device with kvzalloc
  dm bufio: fix integer overflow when limiting maximum cache size
  ALSA: hda: Add Raven PCI ID
  PCI: Set Cavium ACS capability quirk flags to assert RR/CR/SV/UF
  MIPS: ralink: Fix typo in mt7628 pinmux function
  MIPS: ralink: Fix MT7628 pinmux
  ARM: 8721/1: mm: dump: check hardware RO bit for LPAE
  ARM: 8722/1: mm: make STRICT_KERNEL_RWX effective for LPAE
  arm64: Implement arch-specific pte_access_permitted()
  x86/entry/64: Add missing irqflags tracing to native_load_gs_index()
  x86/decoder: Add new TEST instruction pattern
  lib/mpi: call cond_resched() from mpi_powm() loop
  sched: Make resched_cpu() unconditional
  vsock: use new wait API for vsock_stream_sendmsg()
  ipv6: only call ip6_route_dev_notify() once for NETDEV_UNREGISTER
  x86/mm: fix use-after-free of vma during userfaultfd fault
  ACPI / EC: Fix regression related to triggering source of EC event handling
  s390/disassembler: increase show_code buffer size
  s390/disassembler: add missing end marker for e7 table
  s390/runtime instrumention: fix possible memory corruption
  s390: fix transactional execution control register handling

Conflicts:
	drivers/android/binder_alloc.c
	drivers/android/binder_alloc.h
	drivers/android/binder_alloc_selftest.c
	drivers/mmc/core/bus.c
	drivers/mmc/host/sdhci-msm.c
	drivers/thermal/step_wise.c
	kernel/cpu.c
	mm/oom_kill.c
	sound/usb/mixer.c

Change-Id: Id01eb66cafc5970b460321e44ec8ffcfa76971a6
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
2018-01-02 10:37:28 -08:00
Herbert Xu
7ff28d3307 crypto: deadlock between crypto_alg_sem/rtnl_mutex/genl_mutex
[ Upstream commit 8a0f5ccfb33b0b8b51de65b7b3bf342ba10b4fb6 ]

On Tue, Mar 14, 2017 at 10:44:10AM +0100, Dmitry Vyukov wrote:
>
> Yes, please.
> Disregarding some reports is not a good way long term.

Please try this patch.

---8<---
Subject: netlink: Annotate nlk cb_mutex by protocol

Currently all occurrences of nlk->cb_mutex are annotated by lockdep
as a single class.  This causes a false lockdep cycle involving
genl and crypto_user.

This patch fixes it by dividing cb_mutex into individual classes
based on the netlink protocol.  As genl and crypto_user do not
use the same netlink protocol this breaks the false dependency
loop.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-12-25 14:23:37 +01:00
Kyle Yan
01bff91034 Merge remote-tracking branch '4.9/tmp-8cca21f' into 4.9
* 4.9/tmp-8cca21f:
  Linux 4.9.65
  mm/pagewalk.c: report holes in hugetlb ranges
  coda: fix 'kernel memory exposure attempt' in fsync
  mm/page_alloc.c: broken deferred calculation
  ipmi: fix unsigned long underflow
  ocfs2: should wait dio before inode lock in ocfs2_setattr()
  ocfs2: fix cluster hang after a node dies
  dmaengine: dmatest: warn user when dma test times out
  serial: 8250_fintek: Fix finding base_port with activated SuperIO
  serial: omap: Fix EFR write on RTS deassertion
  ima: do not update security.ima if appraisal status is not INTEGRITY_PASS
  crypto: dh - Fix double free of ctx->p
  crypto: dh - fix memleak in setkey
  net/sctp: Always set scope_id in sctp_inet6_skb_msgname
  fealnx: Fix building error on MIPS
  sctp: do not peel off an assoc from one netns to another one
  af_netlink: ensure that NLMSG_DONE never fails in dumps
  vlan: fix a use-after-free in vlan_device_event()
  net: usb: asix: fill null-ptr-deref in asix_suspend
  qmi_wwan: Add missing skb_reset_mac_header-call
  net: qmi_wwan: fix divide by 0 on bad descriptors
  net: cdc_ether: fix divide by 0 on bad descriptors
  bonding: discard lowest hash bit for 802.3ad layer3+4
  netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
  tcp: do not mangle skb->cb[] in tcp_make_synack()
  net: vrf: correct FRA_L3MDEV encode type
  tcp_nv: fix division by zero in tcpnv_acked()
  Linux 4.9.64
  staging: greybus: spilib: fix use-after-free after deregistration
  brcmfmac: don't preset all channels as disabled
  x86/MCE/AMD: Always give panic severity for UC errors in kernel context
  USB: serial: garmin_gps: fix memory leak on probe errors
  USB: serial: garmin_gps: fix I/O after failed probe and remove
  USB: serial: qcserial: add pid/vid for Sierra Wireless EM7355 fw update
  usb: gadget: f_fs: Fix use-after-free in ffs_free_inst
  USB: Add delay-init quirk for Corsair K70 LUX keyboards
  USB: usbfs: compute urb->actual_length for isochronous
  crypto: dh - Don't permit 'key' or 'g' size longer than 'p'
  crypto: dh - Don't permit 'p' to be 0
  Revert "dt-bindings: Add LEGO MINDSTORMS EV3 compatible specification"
  Revert "dt-bindings: Add vendor prefix for LEGO"
  uapi: fix linux/rds.h userspace compilation errors
  uapi: fix linux/rds.h userspace compilation error
  Revert "uapi: fix linux/rds.h userspace compilation errors"
  Revert "crypto: xts - Add ECB dependency"
  MIPS: Netlogic: Exclude netlogic,xlp-pic code from XLR builds
  MIPS: traps: Ensure L1 & L2 ECC checking match for CM3 systems
  MIPS: init: Ensure reserved memory regions are not added to bootmem
  MIPS: init: Ensure bootmem does not corrupt reserved memory
  MIPS: End asm function prologue macros with .insn
  staging: greybus: add host device function pointer checks
  staging: wilc1000: Fix endian sparse warning
  staging: rtl8712: fixed little endian problem
  ixgbe: do not disable FEC from the driver
  ixgbe: add mask for 64 RSS queues
  ixgbe: Reduce I2C retry count on X550 devices
  ixgbe: Fix reporting of 100Mb capability
  ixgbe: handle close/suspend race with netif_device_detach/present
  ixgbe: fix AER error handling
  ixgbe: Configure advertised speeds correctly for KR/KX backplane
  arm64: dts: NS2: reserve memory for Nitro firmware
  ALSA: hda/realtek - Add new codec ID ALC299
  gpu: drm: mgag200: mgag200_main:- Handle error from pci_iomap
  backlight: adp5520: Fix error handling in adp5520_bl_probe()
  backlight: lcd: Fix race condition during register
  drm/omap: panel-sony-acx565akm.c: Add MODULE_ALIAS
  ALSA: vx: Fix possible transfer overflow
  ALSA: vx: Don't try to update capture stream before running
  power: supply: axp288_fuel_gauge: Read 12 bit values 2 registers at a time
  power: supply: axp288_fuel_gauge: Read 15 bit values 2 registers at a time
  rtc: rx8010: change lock mechanism
  scsi: lpfc: Clear the VendorVersion in the PLOGI/PLOGI ACC payload
  scsi: lpfc: Correct issue leading to oops during link reset
  scsi: lpfc: Correct host name in symbolic_name field
  scsi: lpfc: FCoE VPort enable-disable does not bring up the VPort
  scsi: lpfc: Add missing memory barrier
  x86/irq, trace: Add __irq_entry annotation to x86's platform IRQ handlers
  staging: rtl8188eu: fix incorrect ERROR tags from logs
  tcp: provide timestamps for partial writes
  scsi: ufs: add capability to keep auto bkops always enabled
  scsi: ufs-qcom: Fix module autoload
  igb: Fix hw_dbg logging in igb_update_flash_i210
  igb: close/suspend race in netif_device_detach
  igb: reset the PHY before reading the PHY ID
  drm/sti: sti_vtg: Handle return NULL error from devm_ioremap_nocache
  ata: SATA_MV should depend on HAS_DMA
  ata: SATA_HIGHBANK should depend on HAS_DMA
  ata: ATA_BMDMA should depend on HAS_DMA
  ARM: dts: omap5-uevm: Allow bootloader to configure USB Ethernet MAC
  ARM: dts: Fix omap3 off mode pull defines
  ARM: OMAP2+: Fix init for multiple quirks for the same SoC
  ARM: dts: Fix am335x and dm814x scm syscon to probe children
  ARM: dts: Fix compatible for ti81xx uarts for 8250
  fm10k: request reset when mbx->state changes
  extcon: palmas: Check the parent instance to prevent the NULL
  extcon: Remove potential problem when calling extcon_register_notifier()
  Bluetooth: btusb: fix QCA Rome suspend/resume
  arm: crypto: reduce priority of bit-sliced AES cipher
  media: dib0700: fix invalid dvb_detach argument
  media: imon: Fix null-ptr-deref in imon_probe
  Linux 4.9.63
  misc: panel: properly restore atomic counter on error path
  qla2xxx: Fix incorrect tcm_qla2xxx_free_cmd use during TMR ABORT (v2)
  target/iscsi: Fix iSCSI task reassignment handling
  brcmfmac: remove setting IBSS mode when stopping AP
  security/keys: add CONFIG_KEYS_COMPAT to Kconfig
  netfilter: nat: Revert "netfilter: nat: convert nat bysrc hash to rhashtable"
  netfilter: nat: avoid use of nf_conn_nat extension
  Revert "ARM: dts: imx53-qsb-common: fix FEC pinmux config"
  ALSA: seq: Cancel pending autoload work at unbinding device
  Input: ims-psu - check if CDC union descriptor is sane
  usb: usbtest: fix NULL pointer dereference
  mac80211: don't compare TKIP TX MIC key in reinstall prevention
  mac80211: use constant time comparison with keys
  mac80211: accept key reinstall without changing anything
  ppp: fix race in ppp device destruction
  net_sched: avoid matching qdisc with zero handle
  sctp: reset owner sk for data chunks on out queues when migrating a sock
  tun: allow positive return values on dev_get_valid_name() call
  ip6_gre: update dst pmtu if dev mtu has been updated by toobig in __gre6_xmit
  ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
  ipip: only increase err_count for some certain type icmp in ipip_err
  tap: double-free in error path in tap_open()
  net/unix: don't show information about sockets from other namespaces
  tcp/dccp: fix other lockdep splats accessing ireq_opt
  tcp/dccp: fix lockdep splat in inet_csk_route_req()
  sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND
  ipv6: flowlabel: do not leave opt->tot_len with garbage
  soreuseport: fix initialization race
  packet: avoid panic in packet_getsockopt()
  tcp/dccp: fix ireq->opt races
  sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
  tun: call dev_get_valid_name() before register_netdevice()
  l2tp: check ps->sock before running pppol2tp_session_ioctl()
  tcp: fix tcp_mtu_probe() vs highest_sack
  net: call cgroup_sk_alloc() earlier in sk_clone_lock()
  netlink: do not set cb_running if dump's start() errs
  ipv6: addrconf: increment ifp refcount before ipv6_del_addr()
  tun/tap: sanitize TUNSETSNDBUF input
  gso: fix payload length when gso_size is zero
  FROMLIST: binder: fix proc->files use-after-free

Conflicts:
	drivers/scsi/ufs/ufshcd.h
	include/net/netfilter/nf_conntrack.h

Change-Id: I38fd3aa5f077a7bde0a8de4ebe9dc9316075f199
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
2017-11-29 13:12:37 -08:00
Jason A. Donenfeld
99aa74ce9c af_netlink: ensure that NLMSG_DONE never fails in dumps
[ Upstream commit 0642840b8bb008528dbdf929cec9f65ac4231ad0 ]

The way people generally use netlink_dump is that they fill in the skb
as much as possible, breaking when nla_put returns an error. Then, they
get called again and start filling out the next skb, and again, and so
forth. The mechanism at work here is the ability for the iterative
dumping function to detect when the skb is filled up and not fill it
past the brim, waiting for a fresh skb for the rest of the data.

However, if the attributes are small and nicely packed, it is possible
that a dump callback function successfully fills in attributes until the
skb is of size 4080 (libmnl's default page-sized receive buffer size).
The dump function completes, satisfied, and then, if it happens to be
that this is actually the last skb, and no further ones are to be sent,
then netlink_dump will add on the NLMSG_DONE part:

  nlh = nlmsg_put_answer(skb, cb, NLMSG_DONE, sizeof(len), NLM_F_MULTI);

It is very important that netlink_dump does this, of course. However, in
this example, that call to nlmsg_put_answer will fail, because the
previous filling by the dump function did not leave it enough room. And
how could it possibly have done so? All of the nla_put variety of
functions simply check to see if the skb has enough tailroom,
independent of the context it is in.

In order to keep the important assumptions of all netlink dump users, it
is therefore important to give them an skb that has this end part of the
tail already reserved, so that the call to nlmsg_put_answer does not
fail. Otherwise, library authors are forced to find some bizarre sized
receive buffer that has a large modulo relative to the common sizes of
messages received, which is ugly and buggy.

This patch thus saves the NLMSG_DONE for an additional message, for the
case that things are dangerously close to the brim. This requires
keeping track of the errno from ->dump() across calls.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-24 08:33:41 +01:00
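The tailroom problem described in the commit message above, as an added userspace model (not the kernel code and not part of the commit). The struct and function names, the 16-byte record size and the -ENOBUFS failure value are assumptions of the model; only the 4080-byte buffer and the NLMSG_DONE message with an int payload come from the message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sizes for the model. */
#define SKB_SIZE          4080u  /* receive buffer size named in the commit message */
#define MODEL_NLMSG_HDR   16u    /* netlink message header */
#define ALIGN4(n)         (((n) + 3u) & ~3u)
#define DONE_SIZE         (MODEL_NLMSG_HDR + ALIGN4(sizeof(int)))  /* NLMSG_DONE + int */

struct skb_model { size_t len, size; int has_done; };

struct dump_state {
    size_t remaining;      /* records still to be dumped */
    size_t rec_size;       /* bytes per record */
    int dump_done_errno;   /* > 0: dump() must run again; <= 0: final status, kept across calls */
};

static size_t tailroom(const struct skb_model *skb) { return skb->size - skb->len; }

/* Model of a dump callback: pack records until the next one no longer fits.
 * It only checks tailroom for its own record, exactly like nla_put would. */
static int dump(struct skb_model *skb, struct dump_state *st)
{
    while (st->remaining && tailroom(skb) >= st->rec_size) {
        skb->len += st->rec_size;
        st->remaining--;
    }
    return st->remaining ? 1 : 0;
}

/* Before the fix: NLMSG_DONE is appended to whatever skb the last dump() filled. */
static int netlink_dump_old(struct skb_model *skb, struct dump_state *st)
{
    if (dump(skb, st) > 0)
        return 0;                       /* skb sent, more to come */
    if (tailroom(skb) < DONE_SIZE)
        return -ENOBUFS;                /* the put of NLMSG_DONE fails */
    skb->len += DONE_SIZE;
    skb->has_done = 1;
    return 0;
}

/* After the fix: remember dump()'s result and, when the skb is too full,
 * send it as is and put NLMSG_DONE into an additional message. */
static int netlink_dump_new(struct skb_model *skb, struct dump_state *st)
{
    if (st->dump_done_errno > 0)
        st->dump_done_errno = dump(skb, st);
    if (st->dump_done_errno > 0 || tailroom(skb) < DONE_SIZE)
        return 0;                       /* send without NLMSG_DONE */
    skb->len += DONE_SIZE;
    skb->has_done = 1;
    return 0;
}

typedef int (*dump_fn)(struct skb_model *, struct dump_state *);

/* Run one whole dump; returns the number of messages sent or a negative errno. */
static int run_session(dump_fn fn, size_t nrec, size_t rec_size)
{
    struct dump_state st = { nrec, rec_size, 1 };
    int msgs = 0;

    while (msgs < 1000) {               /* guard against a record larger than the skb */
        struct skb_model skb = { 0, SKB_SIZE, 0 };
        int err = fn(&skb, &st);

        if (err < 0)
            return err;
        msgs++;
        if (skb.has_done)
            return msgs;
    }
    return -EMSGSIZE;
}

int main(void)
{
    /* 255 records of 16 bytes fill the 4080-byte skb exactly. */
    printf("old, 255 records: %d\n", run_session(netlink_dump_old, 255, 16));
    printf("new, 255 records: %d\n", run_session(netlink_dump_new, 255, 16));
    printf("new, 253 records: %d\n", run_session(netlink_dump_new, 253, 16));
    return 0;
}
```
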
Jason A. Donenfeld
4cd69ad530 netlink: do not set cb_running if dump's start() errs
[ Upstream commit 41c87425a1ac9b633e0fcc78eb1f19640c8fb5a0 ]

It turns out that multiple places can call netlink_dump(), which means
it's still possible to dereference partially initialized values in
dump() that were the result of a faulty returned start().

This fixes the issue by calling start() _before_ setting cb_running to
true, so that there's no chance at all of hitting the dump() function
through any indirect paths.

It also moves the call to start() to be when the mutex is held. This has
the nice side effect of serializing invocations to start(), which is
likely desirable anyway. It also prevents any possible other races that
might come out of this logic.

In testing this with several different pieces of tricky code to trigger
these issues, this commit fixes all avenues that I'm aware of.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-11-18 11:22:21 +01:00
Kyle Yan
1bca48ef39 Merge remote-tracking branch '4.9/tmp-05a906d' into msm-4.9
* 4.9/tmp-05a906d:
  Linux 4.9.56
  Revert "socket, bpf: fix possible use after free"
  Linux 4.9.55
  KVM: x86: fix singlestepping over syscall
  f2fs: don't allow encrypted operations without keys
  ext4: don't allow encrypted operations without keys
  ext4: Don't clear SGID when inheriting ACLs
  ext4: fix data corruption for mmap writes
  vfs: deny copy_file_range() for non regular files
  sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
  mmc: core: add driver strength selection when selecting hs400es
  nvme-pci: Use PCI bus address for data/queues in CMB
  drm/i915/bios: ignore HDMI on port A
  brcmfmac: setup passive scan if requested by user-space
  brcmfmac: add length check in brcmf_cfg80211_escan_handler()
  scsi: sd: Do not override max_sectors_kb sysfs setting
  iwlwifi: add workaround to disable wide channels in 5GHz
  iwlwifi: mvm: use IWL_HCMD_NOCOPY for MCAST_FILTER_CMD
  netlink: fix nla_put_{u8,u16,u32} for KASAN
  rocker: fix rocker_tlv_put_* functions for KASAN
  HID: wacom: bits shifted too much for 9th and 10th buttons
  HID: wacom: Always increment hdev refcount within wacom_get_hdev_data
  HID: wacom: leds: Don't try to control the EKR's read-only LEDs
  HID: i2c-hid: allocate hid buffers for real worst case
  ftrace: Fix kmemleak in unregister_ftrace_graph
  stm class: Fix a use-after-free
  Drivers: hv: fcopy: restore correct transfer length
  driver core: platform: Don't read past the end of "driver_override" buffer
  percpu: make this_cpu_generic_read() atomic w.r.t. interrupts
  powerpc/tm: Fix illegal TM state in signal handler
  powerpc/64s: Use emergency stack for kernel TM Bad Thing program checks
  socket, bpf: fix possible use after free
  net: rtnetlink: fix info leak in RTM_GETSTATS call
  tipc: use only positive error codes in messages
  ip6_tunnel: update mtu properly for ARPHRD_ETHER tunnel device in tx path
  ip6_gre: ip6gre_tap device should keep dst
  netlink: do not proceed if dump's start() errs
  net: Set sk_prot_creator when cloning sockets to the right proto
  packet: only test po->has_vnet_hdr once in packet_snd
  packet: in packet_do_bind, test fanout with bind_lock held
  net: dsa: Fix network device registration order
  tun: bail out from tun_get_user() if the skb is empty
  l2tp: fix race condition in l2tp_tunnel_delete
  l2tp: Avoid schedule while atomic in exit_net
  vti: fix use after free in vti_tunnel_xmit/vti6_tnl_xmit
  net: qcom/emac: specify the correct size when mapping a DMA buffer
  net_sched: always reset qdisc backlog in qdisc_reset()
  isdn/i4l: fetch the ppp_write buffer in one shot
  bpf: one perf event close won't free bpf program attached by another perf event
  packet: hold bind lock when rebinding to fanout hook
  net: emac: Fix napi poll list corruption
  tcp: fastopen: fix on syn-data transmit failure
  net/sched: cls_matchall: fix crash when used with classful qdisc
  ip6_tunnel: do not allow loading ip6_tunnel if ipv6 is disabled in cmdline
  net: phy: Fix mask value write on gmii2rgmii converter speed register
  ip6_gre: skb_push ipv6hdr before packing the header in ip6gre_header
  udpv6: Fix the checksum computation when HW checksum does not apply
  tcp: fix data delivery rate
  bpf/verifier: reject BPF_ALU64|BPF_END
  tcp: update skb->skb_mstamp more carefully
  sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
  net: sched: fix use-after-free in tcf_action_destroy and tcf_del_walker
  mlxsw: spectrum: Prevent mirred-related crash on removal
  ALSA: usx2y: Suppress kernel warning at page allocation failures
  Revert "ALSA: echoaudio: purge contradictions between dimension matrix members and total number of members"
  ALSA: compress: Remove unused variable
  lsm: fix smack_inode_removexattr and xattr_getsecurity memleak
  lib/ratelimit.c: use deferred printk() version
  mm, oom_reaper: skip mm structs with mmu notifiers
  staging: vchiq_2835_arm: Fix NULL ptr dereference in free_pagelist
  uwb: ensure that endpoint is interrupt
  uwb: properly check kthread_run return value
  iio: adc: mcp320x: Fix oops on module unload
  iio: adc: mcp320x: Fix readout of negative voltages
  iio: ad7793: Fix the serial interface reset
  IIO: BME280: Updates to Humidity readings need ctrl_reg write!
  iio: core: Return error for failed read_reg
  staging: iio: ad7192: Fix - use the dedicated reset function avoiding dma from stack.
  iio: ad_sigma_delta: Implement a dedicated reset function
  iio: adc: twl4030: Disable the vusb3v1 rugulator in the error handling path of 'twl4030_madc_probe()'
  iio: adc: twl4030: Fix an error handling path in 'twl4030_madc_probe()'
  Revert "xhci: Limit USB2 port wake support for AMD Promontory hosts"
  xhci: set missing SuperSpeedPlus Link Protocol bit in roothub descriptor
  xhci: Fix sleeping with spin_lock_irq() held in ASmedia 1042A workaround
  xhci: fix finding correct bus_state structure for USB 3.1 hosts
  USB: fix out-of-bounds in usb_set_configuration
  usb: Increase quirk delay for USB devices
  USB: core: harden cdc_parse_cdc_header
  USB: uas: fix bug in handling of alternate settings
  USB: g_mass_storage: Fix deadlock when driver is unbound
  usb: gadget: mass_storage: set msg_registered after msg registered
  USB: devio: Don't corrupt user memory
  USB: dummy-hcd: Fix erroneous synchronization change
  USB: dummy-hcd: fix infinite-loop resubmission bug
  USB: dummy-hcd: fix connection failures (wrong speed)
  USB: cdc-wdm: ignore -EPIPE from GetEncapsulatedResponse
  usb: pci-quirks.c: Corrected timeout values used in handshake
  ALSA: usb-audio: Check out-of-bounds access by corrupted buffer descriptor
  usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
  usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
  usb-storage: fix bogus hardware error messages for ATA pass-thru devices
  usb-storage: unusual_devs entry to fix write-access regression for Seagate external drives
  usb: gadget: udc: renesas_usb3: Fix return value of usb3_write_pipe()
  usb: gadget: udc: renesas_usb3: fix Pn_RAMMAP.Pn_MPKT value
  usb: gadget: udc: renesas_usb3: fix for no-data control transfer
  usb: gadget: udc: atmel: set vbus irqflags explicitly
  USB: gadgetfs: fix copy_to_user while holding spinlock
  USB: gadgetfs: Fix crash caused by inadequate synchronization
  Linux 4.9.54
  s390/mm: make pmdp_invalidate() do invalidation only
  ttpci: address stringop overflow warning
  ALSA: au88x0: avoid theoretical uninitialized access
  ASoC: rt5660: remove double const
  ASoC: rt5659: drop double const
  ASoC: rt5514: fix gcc-7 warning
  ARM: remove duplicate 'const' annotations'
  IB/qib: fix false-postive maybe-uninitialized warning
  tools/power turbostat: bugfix: GFXMHz column not changing
  ARM: dts: BCM5301X: Fix memory start address
  libata: transport: Remove circular dependency at free time
  ASoC: wm_adsp: Return an error on write to a disabled volatile control
  xfs: remove kmem_zalloc_greedy
  i2c: meson: fix wrong variable usage in meson_i2c_put_data
  netfilter: nf_tables: set pktinfo->thoff at AH header if found
  md/raid10: submit bio directly to replacement disk
  rds: ib: add error handle
  mm/cgroup: avoid panic when init with low memory
  iommu/io-pgtable-arm: Check for leaf entry before dereferencing it
  x86/acpi: Restore the order of CPU IDs
  cpufreq: intel_pstate: Update pid_params.sample_rate_ns in pid_param_set()
  ibmvnic: Free tx/rx scrq pointer array when releasing sub-crqs
  nfs: make nfs4_cb_sv_ops static
  parisc: perf: Fix potential NULL pointer dereference
  netfilter: nfnl_cthelper: fix incorrect helper->expect_class_max
  nvme-rdma: handle cpu unplug when re-establishing the controller
  MIPS: smp-cps: Fix retrieval of VPE mask on big endian CPUs
  exynos-gsc: Do not swap cb/cr for semi planar formats
  iommu/exynos: Block SYSMMU while invalidating FLPD cache
  MIPS: IRQ Stack: Unwind IRQ stack onto task stack
  netfilter: invoke synchronize_rcu after set the _hook_ to NULL
  drivers/rapidio/devices/tsi721.c: make module parameter variable name unique
  kasan: do not sanitize kexec purgatory
  hugetlbfs: initialize shared policy as part of inode allocation
  sata_via: Enable hotplug only on VT6421
  Btrfs: fix potential use-after-free for cloned bio
  Btrfs: fix segmentation fault when doing dio read
  bridge: netlink: register netdevice before executing changelink
  mmc: sdio: fix alignment issue in struct sdio_func
  qed: Fix possible system hang in the dcbnl-getdcbx() path.
  net: dsa: b53: Include IMP/CPU port in dumb forwarding mode
  udp: disable inner UDP checksum offloads in IPsec case
  usb: plusb: Add support for PL-27A1
  team: fix memory leaks
  net/packet: check length in getsockopt() called with PACKET_HDRLEN
  net: core: Prevent from dereferencing null pointer when releasing SKB
  lkdtm: Fix Oops when unloading the module
  mips: ath79: clock:- Unmap region obtained by of_iomap
  MIPS: Lantiq: Fix another request_mem_region() return code check
  HID: wacom: release the resources before leaving despite devm
  drm: mali-dp: Fix transposed horizontal/vertical flip
  drm: mali-dp: Fix destination size handling when rotating
  ASoC: dapm: fix some pointer error handling
  rtl8xxxu: Add additional USB IDs for rtl8192eu devices
  usb: chipidea: vbus event may exist before starting gadget
  iommu/arm-smmu: Set privileged attribute to 'default' instead of 'unprivileged'
  spi: pxa2xx: Add support for Intel Gemini Lake
  ath10k: prevent sta pointer rcu violation
  audit: log 32-bit socketcalls
  ASoC: dapm: handle probe deferrals
  partitions/efi: Fix integer overflow in GPT size calculation
  sfc: get PIO buffer size from the NIC
  USB: serial: mos7840: fix control-message error handling
  USB: serial: mos7720: fix control-message error handling
  drm/amdkfd: fix improper return value on error
  arm: dts: mt2701: Add subsystem clock controller device nodes
  IB/ipoib: Replace list_del of the neigh->list with list_del_init
  IB/ipoib: rtnl_unlock can not come after free_netdev
  IB/ipoib: Fix deadlock over vlan_mutex
  serial: 8250_port: Remove dangerous pr_debug()
  tty: goldfish: Fix a parameter of a call to free_irq
  serial: 8250: moxa: Store num_ports in brd
  drm/i915/psr: disable psr2 for resolution greater than 32X20
  ARM: 8635/1: nommu: allow enabling REMAP_VECTORS_TO_RAM
  IB/rxe: Fix a MR reference leak in check_rkey()
  IB/rxe: Add a runtime check in alloc_index()
  iio: adc: hx711: Add DT binding for avia,hx711
  iio: adc: axp288: Drop bogus AXP288_ADC_TS_PIN_CTRL register modifications
  iio: adc: imx25-gcq: Fix module autoload
  hwmon: (gl520sm) Fix overflows and crash seen when writing into limit attributes
  usb: make the MTK XHCI driver compile for older MIPS SoCs
  clk/axs10x: Clear init field in driver probe
  sh_eth: use correct name for ECMR_MPDE bit
  reset: ti_syscon: fix a ti_syscon_reset_status issue
  extcon: axp288: Use vbus-valid instead of -present to determine cable presence
  igb: re-assign hw address pointer on reset after PCI error
  ARM: dts: am335x-chilisom: Wakeup from RTC-only state by power on event
  scsi: be2iscsi: Add checks to validate CID alloc/free
  power: supply: axp288_fuel_gauge: Fix fuel_gauge_reg_readb return on error
  MIPS: ralink: Fix incorrect assignment on ralink_soc
  MIPS: ralink: Fix a typo in the pinmux setup.
  MIPS: Ensure bss section ends on a long-aligned address
  ARM: dts: r8a7790: Use R-Car Gen 2 fallback binding for msiof nodes
  RDS: RDMA: Fix the composite message user notification
  clk: sunxi-ng: fix PLL_CPUX adjusting on H3
  ARM: dts: exynos: Add CPU OPPs for Exynos4412 Prime
  drm/i915: Fix the overlay frontbuffer tracking
  GFS2: Fix reference to ERR_PTR in gfs2_glock_iter_next
  drm: bridge: add DT bindings for TI ths8135
  drm_fourcc: Fix DRM_FORMAT_MOD_LINEAR #define
  FROMLIST: binder: fix use-after-free in binder_transaction()
  FROMLIST: binder: fix an ret value override
  FROMLIST: binder: fix memory corruption in binder_transaction binder

Conflicts:
	mm/oom_kill.c
	sound/usb/card.c

Change-Id: I8b32fbdaa2be959a4149cf07d0bda16b75eeacbc
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
2017-10-19 12:05:22 -07:00
Jason A. Donenfeld
b4a119251f netlink: do not proceed if dump's start() errs
[ Upstream commit fef0035c0f31322d417d1954bba5ab959bf91183 ]

Drivers that use the start method for netlink dumping rely on dumpit not
being called if start fails. For example, ila_xlat.c allocates memory
and assigns it to cb->args[0] in its start() function. It might fail to
do that and return -ENOMEM instead. However, even when returning an
error, dumpit will be called, which, in the example above, quickly
dereferences the memory in cb->args[0], which will OOPS the kernel. This
is but one example of how this goes wrong.

Since start() has always been a function with an int return type, it
therefore makes sense to use it properly, rather than ignoring it. This
patch thus returns early and does not call dumpit() when start() fails.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: Johannes Berg <johannes@sipsolutions.net>
Reviewed-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2017-10-12 11:51:23 +02:00
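The two start() fixes in this log ("do not proceed if dump's start() errs" here and the later "do not set cb_running if dump's start() errs") as an added userspace model, not kernel code and not part of either commit. All names are hypothetical; `other_caller()` stands in for the "multiple places" that can call netlink_dump(), and the mutex the later commit mentions is not modelled.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct cb_model {
    void *state;           /* stands in for cb->args[0] */
    bool  cb_running;
    bool  fail_start;      /* constructed knob: make start() return -ENOMEM */
    int   bad_dump_calls;  /* dump() entered without initialized state */
};

static int dummy_state;

/* start(): allocate per-dump state, or fail. */
static int start(struct cb_model *cb)
{
    if (cb->fail_start)
        return -ENOMEM;
    cb->state = &dummy_state;
    return 0;
}

/* dump(): the kernel callback would dereference the state here and oops;
 * the model only counts the bad entry. */
static int dump(struct cb_model *cb)
{
    if (!cb->state) {
        cb->bad_dump_calls++;
        return -EFAULT;
    }
    return 0;
}

/* Any caller reaches dump() as long as cb_running is set. */
static int netlink_dump(struct cb_model *cb)
{
    if (!cb->cb_running)
        return -EINVAL;
    return dump(cb);
}

/* Original flow: the return value of start() is ignored. */
static int dump_start_ignore(struct cb_model *cb)
{
    cb->cb_running = true;
    start(cb);
    return netlink_dump(cb);
}

/* First fix: return early when start() fails, but cb_running is already set. */
static int dump_start_check(struct cb_model *cb)
{
    int ret;

    cb->cb_running = true;
    ret = start(cb);
    if (ret)
        return ret;
    return netlink_dump(cb);
}

/* Second fix: call start() before cb_running becomes true. */
static int dump_start_check_first(struct cb_model *cb)
{
    int ret = start(cb);

    if (ret)
        return ret;
    cb->cb_running = true;
    return netlink_dump(cb);
}

/* A second, indirect path into netlink_dump(). */
static void other_caller(struct cb_model *cb)
{
    if (cb->cb_running)
        netlink_dump(cb);
}

/* Failing start() followed by the indirect path; returns the bad dump() entries. */
static int scenario(int (*dump_start)(struct cb_model *), int *start_ret)
{
    struct cb_model cb = { .fail_start = true };

    *start_ret = dump_start(&cb);
    other_caller(&cb);
    return cb.bad_dump_calls;
}

int main(void)
{
    int ret;

    printf("ignore start():     %d bad dump() calls\n", scenario(dump_start_ignore, &ret));
    printf("check start():      %d bad dump() calls\n", scenario(dump_start_check, &ret));
    printf("start() before run: %d bad dump() calls\n", scenario(dump_start_check_first, &ret));
    return 0;
}
```
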
Kyle Yan
f37d2ac4fd Merge remote-tracking branch 'origin/tmp-69973b8' into msm-4.8
* origin/tmp-69973b8:
  Linux 4.9
  MIPS: Lantiq: Fix mask of GPE frequency
  MIPS: Return -ENODEV from weak implementation of rtc_mips_set_time
  net: mlx5: Fix Kconfig help text
  net: smsc911x: back out silently on probe deferrals
  ibmveth: set correct gso_size and gso_type
  Revert "radix tree test suite: fix compilation"
  net: ethernet: cpmac: Call SET_NETDEV_DEV()
  net: ethernet: lantiq_etop: Call SET_NETDEV_DEV()
  vhost-vsock: fix orphan connection reset
  cxgb4/cxgb4vf: Assign netdev->dev_port with port ID
  parisc: Fix TLB related boot crash on SMP machines
  driver: ipvlan: Unlink the upper dev when ipvlan_link_new failed
  ser_gigaset: return -ENOMEM on error instead of success
  ARM: dts: orion5x: fix number of sata port for linkstation ls-gl
  NET: usb: cdc_mbim: add quirk for supporting Telit LE922A
  can: peak: fix bad memory access and free sequence
  ceph: don't set req->r_locked_dir in ceph_d_revalidate
  crypto: algif_aead - fix uninitialized variable warning
  kcov: add missing #include <linux/sched.h>
  radix tree test suite: fix compilation
  zram: restrict add/remove attributes to root only
  libata-scsi: disable SCT Write Same for the moment
  ARM: dts: imx7d: fix LCDIF clock assignment
  dts: sun8i-h3: correct UART3 pin definitions
  phy: Don't increment MDIO bus refcount unless it's a different owner
  netvsc: reduce maximum GSO size
  drivers: net: cpsw-phy-sel: Clear RGMII_IDMODE on "rgmii" links
  Revert "default exported asm symbols to zero"
  Don't feed anything but regular iovec's to blk_rq_map_user_iov
  drm/amdgpu: just suspend the hw on pci shutdown
  crypto: mcryptd - Check mcryptd algorithm compatibility
  crypto: algif_aead - fix AEAD tag memory handling
  crypto: caam - fix pointer size for AArch64 boot loader, AArch32 kernel
  crypto: marvell - Don't corrupt state of an STD req for re-stepped ahash
  crypto: marvell - Don't copy hash operation twice into the SRAM
  can: raw: raw_setsockopt: limit number of can_filter that can be set
  parisc: Remove unnecessary TLB purges from flush_dcache_page_asm and flush_icache_page_asm
  parisc: Purge TLB before setting PTE
  device-dax: fix private mapping restriction, permit read-only
  tools/testing/nvdimm: unit test acpi_nfit_ctl()
  acpi, nfit: fix bus vs dimm confusion in xlat_status
  acpi, nfit: validate ars_status output buffer size
  acpi, nfit, libnvdimm: fix / harden ars_status output length handling
  acpi, nfit: fix extended status translations for ACPI DSMs
  dbri: move dereference after check for NULL
  shmem: fix shm fallocate() list corruption
  net/mlx5e: Change the SQ/RQ operational state to positive logic
  net/mlx5e: Don't flush SQ on error
  net/mlx5e: Don't notify HW when filling the edge of ICO SQ
  net/mlx5: Fix query ISSI flow
  net/mlx5: Remove duplicate pci dev name print
  net/mlx5: Verify module parameters
  net: fec: fix compile with CONFIG_M5272
  be2net: Add DEVSEC privilege to SET_HSW_CONFIG command.
  virtio-net: Fix DMA-from-the-stack in virtnet_set_mac_address()
  tcp: warn on bogus MSS and try to amend it
  uapi glibc compat: fix outer guard of net device flags enum
  net: stmmac: clear reset value of snps, wr_osr_lmt/snps, rd_osr_lmt before writing
  fuse: fix clearing suid, sgid for chown()
  lockdep: Fix report formatting
  perf/core: Remove invalid warning from list_update_cgroup_even()t
  perf/x86: Fix full width counter, counter overflow
  perf/x86/intel: Enable C-state residency events for Knights Mill
  objtool: Fix bytes check of lea's rex_prefix
  netlink: Do not schedule work from sk_destruct
  uapi: export nf_log.h
  uapi: export tc_skbmod.h
  net: ep93xx_eth: Do not crash unloading module
  bnx2x: Prevent tunnel config for 577xx
  bnx2x: Correct ringparam estimate when DOWN
  isdn: hisax: set error code on failure
  net: bnx2x: fix improper return value
  net: ethernet: qlogic: set error code on failure
  atm: fix improper return value
  net: irda: set error code on failures
  net: caif: remove ineffective check
  net: ping: check minimum size on ICMP header length
  atm: lanai: set error code when ioremap fails
  net: usb: set error code when usb_alloc_urb fails
  net: bridge: set error code on failure
  net: af_mpls.c add space before open parenthesis
  netdev: broadcom: propagate error code
  ipv4: Drop suffix update from resize code
  ipv4: Drop leaf from suffix pull/push functions
  net: dcb: set error code on failures
  locking/rtmutex: Use READ_ONCE() in rt_mutex_owner()
  locking/rtmutex: Prevent dequeue vs. unlock race
  batman-adv: Check for alloc errors when preparing TT local data
  powerpc/64: Fix placement of .text to be immediately following .head.text
  powerpc/eeh: Fix deadlock when PE frozen state can't be cleared
  crypto: rsa - Add Makefile dependencies to fix parallel builds
  crypto: chcr - Fix memory corruption
  crypto: drbg - prevent invalid SG mappings
  ata: sata_mv: check for errors when parsing nr-ports from dt
  powerpc/mm: Fix lazy icache flush on pre-POWER5
  powerpc/boot: Fix build failure in 32-bit boot wrapper
  x86/unwind: Fix guess-unwinder regression
  x86/build: Annotate die() with noreturn to fix build warning on clang
  x86/platform/olpc: Fix resume handler build warning
  scsi: lpfc: fix oops/BUG in lpfc_sli_ringtxcmpl_put()
  locking/selftest: Fix output since KERN_CONT changes
  x86/apic/uv: Silence a shift wrapping warning
  x86/coredump: Always use user_regs_struct for compat_elf_gregset_t
  sched/autogroup: Fix 64-bit kernel nice level adjustment
  m68k: Fix ndelay() macro
  m68k/defconfig: Update defconfigs for v4.9-rc1

Change-Id: Idc16bee2830d4c5c61a174175aeabc04b20067b3
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
2016-12-12 10:21:46 -08:00
Kyle Yan
ef5ecfe4fe Merge remote-tracking branch 'origin/tmp-3e5de27' into msm-4.8
* origin/tmp-3e5de27:
  Linux 4.9-rc8
  mm, vmscan: add cond_resched() into shrink_node_memcg()
  mm: workingset: fix NULL ptr in count_shadow_nodes
  kbuild: fix building bzImage with CONFIG_TRIM_UNUSED_KSYMS enabled
  net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
  geneve: avoid use-after-free of skb->data
  tipc: check minimum bearer MTU
  net: renesas: ravb: unintialized return value
  sh_eth: remove unchecked interrupts for RZ/A1
  net: bcmgenet: Utilize correct struct device for all DMA operations
  Fix up a couple of field names in the CREDITS file
  NET: usb: qmi_wwan: add support for Telit LE922A PID 0x1040
  cdc_ether: Fix handling connection notification
  ip6_offload: check segs for NULL in ipv6_gso_segment.
  RDS: TCP: unregister_netdevice_notifier() in error path of rds_tcp_init_net
  Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()"
  ipv6: Set skb->protocol properly for local output
  ipv4: Set skb->protocol properly for local output
  packet: fix race condition in packet_set_ring
  net: ethernet: altera: TSE: do not use tx queue lock in tx completion handler
  net: ethernet: altera: TSE: Remove unneeded dma sync for tx buffers
  default exported asm symbols to zero
  arm64: dts: juno: fix cluster sleep state entry latency on all SoC versions
  net: ethernet: stmmac: fix of-node and fixed-link-phydev leaks
  net: ethernet: stmmac: platform: fix outdated function header
  net: ethernet: stmmac: dwmac-meson8b: fix probe error path
  net: ethernet: stmmac: dwmac-generic: fix probe error path
  net: ethernet: stmmac: dwmac-rk: fix probe error path
  net: ethernet: stmmac: dwmac-sti: fix probe error path
  net: ethernet: stmmac: dwmac-socfpga: fix use-after-free on probe errors
  net/rtnetlink: fix attribute name in nlmsg_size() comments
  ixgbe/ixgbevf: Don't use lco_csum to compute IPv4 checksum
  igb/igbvf: Don't use lco_csum to compute IPv4 checksum
  net: asix: Fix AX88772_suspend() USB vendor commands failure issues
  kbuild: make sure autoksyms.h exists early
  KVM: use after free in kvm_ioctl_create_device()
  can: peak: Add support for PCAN-USB X6 USB interface
  can: peak: Fix bittiming fields size in bits
  mm: fix false-positive WARN_ON() in truncate/invalidate for hugetlb
  kasan: support use-after-scope detection
  kasan: update kasan_global for gcc 7
  lib/debugobjects: export for use in modules
  zram: fix unbalanced idr management at hot removal
  thp: fix corner case of munlock() of PTE-mapped THPs
  mm, thp: propagation of conditional compilation in khugepaged.c
  arm64: dts: juno: Correct PCI IO window
  macvtap: handle ubuf refcount correctly when meet errors
  tun: handle ubuf refcount correctly when meet errors
  net: ethernet: ti: cpsw: fix ASSERT_RTNL() warning during resume
  bpf: fix states equal logic for varlen access
  netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel
  l2tp: fix address test in __l2tp_ip6_bind_lookup()
  l2tp: fix lookup for sockets not bound to a device in l2tp_ip
  l2tp: fix racy socket lookup in l2tp_ip and l2tp_ip6 bind()
  l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
  l2tp: lock socket before checking flags in connect()
  cxgb4: Add PCI device ID for new adapter
  isofs: add KERN_CONT to printing of ER records
  net: fec: cache statistics while device is down
  vxlan: fix a potential issue when create a new vxlan fdb entry.
  Input: change KEY_DATA from 0x275 to 0x277
  openvswitch: Fix skb leak in IPv6 reassembly.
  esp6: Fix integrity verification when ESN are used
  esp4: Fix integrity verification when ESN are used
  drm/i915: drop the struct_mutex when wedged or trying to reset
  drm/i915: Don't touch NULL sg on i915_gem_object_get_pages_gtt() error
  xfrm_user: fix return value from xfrm_user_rcv_msg
  drm: Don't call drm_for_each_crtc with a non-KMS driver
  net: dsa: slave: fix fixed-link phydev leaks
  net: ethernet: ti: davinci_emac: fix fixed-link phydev and of-node leaks
  net: ethernet: dwc_eth_qos: fix fixed-link phydev leaks
  net: ethernet: renesas: ravb: fix fixed-link phydev leaks
  net: ethernet: mediatek: fix fixed-link phydev leaks
  net: ethernet: marvell: mvneta: fix fixed-link phydev leaks
  net: ethernet: ucc_geth: fix fixed-link phydev leaks
  net: ethernet: gianfar: fix fixed-link phydev leaks
  net: ethernet: fs_enet: fix fixed-link phydev leaks
  net: ethernet: fec: fix fixed-link phydev leaks
  net: ethernet: bcmgenet: fix fixed-link phydev leaks
  net: ethernet: bcmsysport: fix fixed-link phydev leaks
  net: ethernet: aurora: nb8800: fix fixed-link phydev leaks
  net: ethernet: altera: fix fixed-link phydev leaks
  of_mdio: add helper to deregister fixed-link PHYs
  net: dsa: slave: fix of-node leak and phy priority
  GSO: Reload iph after pskb_may_pull
  sched: cls_flower: remove from hashtable only in case skip sw flag is not set
  net/dccp: fix use-after-free in dccp_invalid_packet
  net: macb: ensure ordering write to re-enable RX smoothly
  net: macb: fix the RX queue reset in macb_rx()
  netlink: Call cb->done from a worker thread
  net/sched: pedit: make sure that offset is valid
  Re-enable CONFIG_MODVERSIONS in a slightly weaker form
  netfilter: ipv6: nf_defrag: drop mangled skb on ream error
  Revert "i2c: octeon: thunderx: Limit register access retries"
  ARC: mm: PAE40: Fix crash at munmap
  mremap: move_ptes: check pte dirty after its removal
  pwm: Fix device reference leak
  drm/radeon: fix check for port PM availability
  drm/amdgpu: fix check for port PM availability
  ovl: fix d_real() for stacked fs
  CIFS: iterate over posix acl xattr entry correctly in ACL_to_cifs_posix()
  Call echo service immediately after socket reconnect
  CIFS: Fix BUG() in calc_seckey()
  drm/amd/powerplay: initialize the soft_regs offset in struct smu7_hwmgr
  bpf/samples: Fix PT_REGS_IP on s390x and use it
  net: dsa: fix unbalanced dsa_switch_tree reference counting
  net: handle no dst on skb in icmp6_send
  dbri: Fix compiler warning
  qlogicpti: Fix compiler warnings
  net/mlx4: Fix uninitialized fields in rule when adding promiscuous mode to device managed flow steering
  Revert "net/mlx4_en: Avoid unregister_netdev at shutdown flow"
  net/sched: Export tc_tunnel_key so its UAPI accessible
  amd-xgbe: Fix unused suspend handlers build warning
  ARC: mm: IOC: Don't enable IOC by default
  ARC: Don't use "+l" inline asm constraint
  tcp: Set DEFAULT_TCP_CONG to bbr if DEFAULT_BBR is set
  net: phy: realtek: fix enabling of the TX-delay for RTL8211F
  Documentation: devicetree: clarify usage of the RGMII phy-modes
  net, sched: respect rcu grace period on cls destruction
  tipc: fix link statistics counter errors
  driver: macvtap: Unregister netdev rx_handler if macvtap_newlink fails
  net: qcom/emac: fix of_node and phydev leaks
  net: fsl/fman: fix fixed-link-phydev reference leak
  net: fsl/fman: fix phydev reference leak
  net: bcmgenet: fix phydev reference leak
  net: dsa: fix fixed-link-phy device leaks
  irda: fix overly long udelay()
  driver: ipvlan: Fix one possible memleak in ipvlan_link_new
  drm: hdlcd: Fix cleanup order
  netfilter: nat: fix crash when conntrack entry is re-used
  netfilter: nft_range: add the missing NULL pointer check
  netfilter: nf_tables: fix inconsistent element expiration calculation
  netfilter: nat: switch to new rhlist interface
  netfilter: nat: fix cmp return value
  netfilter: nft_hash: validate maximum value of u32 netlink hash attribute
  KVM: arm/arm64: vgic: Don't notify EOI for non-SPIs
  netfilter: fix nf_conntrack_helper documentation
  netfilter: Update nf_send_reset6 to consider L3 domain
  netfilter: Update ip_route_me_harder to consider L3 domain
  clk: bcm: Fix unmet Kconfig dependencies for CLK_BCM_63XX
  PCI: Set Read Completion Boundary to 128 iff Root Port supports it (_HPX)
  PCI: Export pcie_find_root_port
  clk: sunxi-ng: enable so-said LDOs for A33 SoC's pll-mipi clock
  ARM: dts: STiH407-family: fix i2c nodes
  flowcache: Increase threshold for refusing new allocations
  scsi: be2iscsi: allocate enough memory in beiscsi_boot_get_sinfo()
  scsi: mpt3sas: Unblock device after controller reset
  scsi: hpsa: use bus '3' for legacy HBA devices
  ARM: gr8: Rename the DTSI and relevant DTS
  clk: sunxi-ng: sun6i-a31: Enable PLL-MIPI LDOs when ungating it
  ahci: always fall back to single-MSI mode
  xfrm: unbreak xfrm_sk_policy_lookup
  scsi: libfc: fix seconds_since_last_reset miscalculation
  mwifiex: printk() overflow with 32-byte SSIDs
  Input: psmouse - disable automatic probing of BYD touchpads
  PCI: designware-plat: Update author email
  PCI: designware: Change maintainer to Joao Pinto
  MAINTAINERS: Add devicetree binding to PCI i.MX6 entry
  MAINTAINERS: Update Richard Zhu's email address
  libata-scsi: Fixup ata_gen_passthru_sense()
  mvsas: fix error return code in mvs_task_prep()
  pwm: meson: Add missing spin_lock_init()
  vti6: flush x-netns xfrm cache when vti interface is removed

Change-Id: I055dd31e2827d41c82aa2c23ec9772ec536e0c0b
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
2016-12-06 14:06:47 -08:00
Herbert Xu
ed5d7788a9 netlink: Do not schedule work from sk_destruct
It is wrong to schedule a work from sk_destruct using the socket
as the memory reserve because the socket will be freed immediately
after the return from sk_destruct.

Instead we should do the deferral prior to sk_free.

This patch does just that.

Fixes: 707693c8a4 ("netlink: Call cb->done from a worker thread")
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-12-05 19:43:42 -05:00
Herbert Xu
707693c8a4 netlink: Call cb->done from a worker thread
The cb->done interface expects to be called in process context.
This was broken by the netlink RCU conversion.  This patch fixes
it by adding a worker struct to make the cb->done call where
necessary.

Fixes: 21e4902aea ("netlink: Lockless lookup with RCU grace...")
Reported-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-29 19:48:38 -05:00
Kyle Yan
f2cf423ddb Merge remote-tracking branch 'origin/tmp-9c76358' into msm-4.8
* origin/tmp-9c76358:
  Linux 4.9-rc6
  ext4: sanity check the block and cluster size at mount time
  fscrypto: don't use on-stack buffer for key derivation
  fscrypto: don't use on-stack buffer for filename encryption
  i2c: i2c-mux-pca954x: fix deselect enabling for device-tree
  kvm: x86: merge kvm_arch_set_irq and kvm_arch_set_irq_inatomic
  KVM: x86: fix missed SRCU usage in kvm_lapic_set_vapic_addr
  KVM: async_pf: avoid recursive flushing of work items
  kvm: kvmclock: let KVM_GET_CLOCK return whether the master clock is in use
  KVM: Disable irq while unregistering user notifier
  KVM: x86: do not go through vcpu in __get_kvmclock_ns
  MAINTAINERS: Add LED subsystem co-maintainer
  crypto: algif_hash - Fix NULL hash crash with shash
  powerpc/mm: Fix missing update of HID register on secondary CPUs
  KVM: arm64: Fix the issues when guest PMCCFILTR is configured
  arm64: KVM: pmu: Fix AArch32 cycle counter access
  powerpc/mm/radix: Invalidate ERAT on tlbiel for POWER9 DD1
  i2c: digicolor: use clk_disable_unprepare instead of clk_unprepare
  ipmi/bt-bmc: change compatible node to 'aspeed, ast2400-ibt-bmc'
  Revert "drm/mediatek: set vblank_disable_allowed to true"
  Revert "drm/mediatek: fix a typo of OD_CFG to OD_RELAYMODE"
  mremap: fix race between mremap() and page cleanning
  crypto: caam - fix type mismatch warning
  dmaengine: cppi41: More PM runtime fixes
  fix iov_iter_advance() for ITER_PIPE
  xattr: Fix setting security xattrs on sockfs
  iw_cxgb4: invalidate the mr when posting a read_w_inv wr
  iw_cxgb4: set *bad_wr for post_send/post_recv errors
  IB/rxe: Update qp state for user query
  IB/rxe: Clear queue buffer when modifying QP to reset
  IB/rxe: Fix handling of erroneous WR
  IB/rxe: Fix kernel panic in UDP tunnel with GRO and RX checksum
  IB/mlx4: Fix create CQ error flow
  IB/mlx4: Check gid_index return value
  IB/mlx5: Fix NULL pointer dereference on debug print
  IB/mlx5: Fix fatal error dispatching
  IB/mlx5: Resolve soft lock on massive reg MRs
  IB/mlx5: Use cache line size to select CQE stride
  IB/mlx5: Validate requested RQT size
  IB/mlx5: Fix memory leak in query device
  IB/core: Avoid unsigned int overflow in sg_alloc_table
  IB/core: Add missing check for addr_resolve callback return value
  IB/core: Set routable RoCE gid type for ipv4/ipv6 networks
  IB/cm: Mark stale CM id's whenever the mad agent was unregistered
  IB/uverbs: Fix leak of XRC target QPs
  ARM: Fix XIP kernels
  tools/power/acpi: Remove direct kernel source include reference
  gpio: Remove GPIO_DEVRES option
  nvme/pci: Don't free queues on error
  orangefs: add .owner to debugfs file_operations
  mfd: core: Fix device reference leak in mfd_clone_cell
  mfd: stmpe: Fix RESET regression on STMPE2401
  mfd: intel_soc_pmic_bxtwc: Fix usbc interrupt
  mfd: intel-lpss: Do not put device in reset state on suspend
  mfd: lpss: Fix Intel Kaby Lake PCH-H properties
  drm/i915: Assume non-DP++ port if dvo_port is HDMI and there's no AUX ch specified in the VBT
  IB/hfi1: Remove incorrect IS_ERR check
  IB/hfi1: Prevent hardware counter names from being cut off
  IB/hfi1: Fix ECN processing in prescan_rxq
  IB/hfi1: Fix status error code for unsupported packets
  IB/hfi1: Relocate rcvhdrcnt module parameter check.
  IB/hfi1: Fix rnr_timer addition
  IB/hfi1: Delete unused lock
  IB/hfi1: Clean up unused argument
  IB/hfi1: Remove leftover snoop references
  IB/hfi1: Fix a potential memory leak in hfi1_create_ctxts()
  IB/hfi1: Return ENODEV for unsupported PCI device ids.
  IB/hfi1: Fix an Oops on pci device force remove
  IB/hfi1: Fix integrity check flags default values
  IB/hfi1: Remove redundant sysfs irq affinity entry
  IB/rdmavt: rdmavt can handle non aligned page maps
  drm/amdgpu:fix vpost_needed routine
  drm/amdgpu/powerplay: drop a redundant NULL check
  kbuild: Steal gcc's pie from the very beginning
  ARM: 8628/1: dma-mapping: preallocate DMA-debug hash tables in core_initcall
  ARM: 8624/1: proc-v7m.S: fix init section name
  ARM: fix backtrace
  fuse: fix fuse_write_end() if zero bytes were copied
  ARM: dts: STiH410-b2260: Fix typo in spi0 chipselect definition
  powerpc/64: Fix setting of AIL in hypervisor mode
  gpio: tc3589x: fix up .get_direction()
  gpio: do not double-check direction on sleeping chips
  tile: handle __ro_after_init like parisc does
  mlxsw: spectrum_router: Flush FIB tables during fini
  net: stmmac: Fix lack of link transition for fixed PHYs
  ftrace: Add more checks for FTRACE_FL_DISABLED in processing ip records
  ftrace: Ignore FTRACE_FL_DISABLED while walking dyn_ftrace records
  sctp: change sk state only when it has assocs in sctp_shutdown
  bnx2: Wait for in-flight DMA to complete at probe stage
  Revert "bnx2: Reset device during driver initialization"
  mailbox: PCC: Fix lockdep warning when request PCC channel
  ALSA: usb-audio: Fix use-after-free of usb_device at disconnect
  ARM: dts: omap5: board-common: fix wrong SMPS6 (VDD-DDR3) voltage
  xtensa: wire up new pkey_{mprotect,alloc,free} syscalls
  Revert "ACPICA: FADT support cleanup"
  ps3_gelic: fix spelling mistake in debug message
  ASoC: lpass-platform: fix uninitialized variable
  Revert "printk: make reading the kernel log flush pending lines"
  i2c: mux: fix up dependencies
  gp8psk-fe: add missing MODULE_foo() macros
  sunrpc: svc_age_temp_xprts_now should not call setsockopt non-tcp transports
  dmaengine: cpp41: Fix handling of error path
  dmaengine: cppi41: Fix unpaired pm runtime when only a USB hub is connected
  dmaengine: cppi41: Fix list not empty warning on module removal
  dmaengine: sun6i: fix the uninitialized value for v_lli
  nvmet-rdma: drain the queue-pair just before freeing it
  nvme-rdma: stop and free io queues on connect failure
  nvmet-rdma: don't forget to delete a queue from the list of connection failed
  nvmet: Don't queue fatal error work if csts.cfs is set
  nvme-rdma: reject non-connect commands before the queue is live
  nvmet-rdma: Fix possible NULL deref when handling rdma cm events
  ntb_perf: potential info leak in debugfs
  ntb: ntb_hw_intel: init peer_addr in struct intel_ntb_dev
  ntb: make DMA_OUT_RESOURCE_TO HZ independent
  ntb_transport: make DMA_OUT_RESOURCE_TO HZ independent
  NTB: ntb_hw_intel: Fix typo in module parameter descriptions
  ntb_pingpong: Fix db_init parameter description
  net: ethernet: ixp4xx_eth: fix spelling mistake in debug message
  ibmvnic: Fix size of debugfs name buffer
  ibmvnic: Unmap ibmvnic_statistics structure
  sfc: clear napi_hash state when copying channels
  mlxsw: spectrum_router: Correctly dump neighbour activity
  mlxsw: spectrum: Fix refcount bug on span entries
  bnxt_en: Fix VF virtual link state.
  bnxt_en: Fix ring arithmetic in bnxt_setup_tc().
  Revert "include/uapi/linux/atm_zatm.h: include linux/time.h"
  tcp: take care of truncations done by sk_filter()
  ipv4: use new_gw for redirect neigh lookup
  r8152: Fix error path in open function
  crypto: caam - do not register AES-XTS mode on LP units
  x86/efi: Prevent mixed mode boot corruption with CONFIG_VMAP_STACK=y
  x86/efi: Fix EFI memmap pointer size warning
  net: bpqether.h: remove if_ether.h guard
  net: __skb_flow_dissect() must cap its return value
  bpf: Add test for bpf_redirect to ipip/ip6tnl
  bpf: Fix bpf_redirect to an ipip/ip6tnl dev
  powerpc/oops: Fix missing pr_cont()s in instruction dump
  powerpc/oops: Fix missing pr_cont()s in show_regs()
  powerpc/oops: Fix missing pr_cont()s in print_msr_bits() et. al.
  powerpc/oops: Fix missing pr_cont()s in show_stack()
  powerpc: Fix exception vector build with 2.23 era binutils
  powerpc/64s: Fix system reset interrupt winkle wakeups
  drm/amdgpu: Attach exclusive fence to prime exported bo's. (v5)
  ALSA: hda - Fix mic regression by ASRock mobo fixup
  drm/i915: Refresh that status of MST capable connectors in ->detect()
  drm/i915: Grab the rotation from the passed plane state for VLV sprites
  drm/i915: Mark CPU cache as dirty when used for rendering
  perf/x86/intel/uncore: Add more Intel uncore IMC PCI IDs for SkyLake
  drm/arcpgu: Accommodate adv7511 switch to DRM bridge
  i2c: Documentation: i2c-topology: fix minor whitespace nit
  i2c: mux: demux-pinctrl: make drivers with no pinctrl work again
  mlxsw: spectrum_router: Ignore FIB notification events for non-init namespaces
  mlxsw: spectrum_router: Fix handling of neighbour structure
  qed: Correct rdma params configuration
  qed: configure ll2 RoCE v1/v2 flavor correctly
  ipv4: update comment to document GSO fragmentation cases.
  ALSA: hda - add a new condition to check if it is thinkpad
  net: tcp response should set oif only if it is L3 master
  Net Driver: Add Cypress GX3 VID=04b4 PID=3610.
  rtnl: reset calcit fptr in rtnl_unregister()
  vxlan: hide unused local variable
  ibmvnic: Start completion queue negotiation at server-provided optimum values
  net: icmp_route_lookup should use rt dev to determine L3 domain
  net: qcom/emac: enable flow control if requested
  net: qcom/emac: configure the external phy to allow pause frames
  ARM: omap3: Add missing memory node in SOM-LV
  kbuild: be more careful about matching preprocessed asm ___EXPORT_SYMBOL
  x86/kexec: add -fno-PIE
  scripts/has-stack-protector: add -fno-PIE
  x86/cpu: Deal with broken firmware (VMWare/XEN)
  net: bgmac: fix reversed checks for clock control flag
  bna: Add synchronization for tx ring.
  Revert "net/mlx4_en: Fix panic during reboot"
  net-ipv6: on device mtu change do not add mtu to mtu-less routes
  sock: fix sendmmsg for partial sendmsg
  driver: macvlan: Destroy new macvlan port if macvlan_common_newlink failed.
  x86/cpu/AMD: Fix cpu_llc_id for AMD Fam17h systems
  perf hists: Fix column length on --hierarchy
  perf hists browser: Fix column indentation on --hierarchy
  perf hists browser: Show folded sign properly on --hierarchy
  perf hists browser: Fix indentation of folded sign on --hierarchy
  perf hist browser: Fix hierarchy column counts
  arm64: dts: marvell: add unique identifiers for Armada A8k SPI controllers
  arm64: dts: marvell: fix clocksource for CP110 slave SPI0
  arm64: dts: marvell: Fix typo in label name on Armada 37xx
  drm/fsl-dcu: disable planes before disabling CRTC
  drm/fsl-dcu: update all registers on flush
  drm/fsl-dcu: do not update when modifying irq registers
  netfilter: nf_tables: fix oops when inserting an element into a verdict map
  netfilter: conntrack: refine gc worker heuristics
  netfilter: conntrack: fix CT target for UNSPEC helpers
  netfilter: connmark: ignore skbs with magic untracked conntrack objects
  ipvs: use IPVS_CMD_ATTR_MAX for family.maxattr
  kbuild: add -fno-PIE
  genirq: Use irq type from irqdata instead of irqdesc
  gpio: pca953x: Move memcpy into mutex lock for set multiple
  gpio: pca953x: Fix corruption of other gpios in set_multiple.
  fib_trie: Correct /proc/net/route off by one error
  Documentation: networking: dsa: Update tagging protocols
  virtio-net: drop legacy features in virtio 1 mode
  net: icmp6_send should use dst dev to determine L3 domain
  ASoC: omap-abe-twl6040: fix typo in bindings documentation
  dts: omap5: board-common: enable twl6040 headset jack detection
  dts: omap5: board-common: add phandle to reference Palmas gpadc
  ARM: OMAP2+: avoid NULL pointer dereference
  ARM: OMAP2+: PRM: initialize en_uart4_mask and grpsel_uart4_mask
  ARM: dts: omap3: Fix memory node in Torpedo board
  ARM: AM43XX: Select OMAP_INTERCONNECT in Kconfig
  ARM: OMAP3: Fix formatting of features printed
  bpf: fix map not being uncharged during map creation failure
  bpf: fix htab map destruction when extra reserve is in use
  sctp: assign assoc_id earlier in __sctp_connect
  net: hns: fix device reference leaks
  net: ethernet: ti: davinci_emac: fix device reference leak
  net: ethernet: ti: cpsw: fix device and of_node leaks
  phy: fix device reference leaks
  drm/sun4i: Propagate error to the caller
  x86/platform/intel-mid: Retrofit pci_platform_pm_ops ->get_state hook
  xtensa: clean up printk usage for boot/crash logging
  ARM: dts: imx53-qsb: Fix regulator constraints
  rtc: omap: prevent disabling of clock/module during suspend
  rtc: omap: Fix selecting external osc
  net/mlx5: Fix invalid pointer reference when prof_sel parameter is invalid
  net/mlx5: E-Switch, Set the actions for offloaded rules properly
  net/mlx5e: Handle matching on vlan priority for offloaded TC rules
  net/mlx5e: Disallow changing name-space for VF representors
  net/mlx5e: Re-arrange XDP SQ/CQ creation
  net/mlx5e: Fix XDP error path of mlx5e_open_channel()
  taskstats: fix the length of cgroupstats_cmd_get_policy
  genetlink: fix a memory leak on error path
  ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
  ehea: fix operation state report
  ipv6: dccp: fix out of bound access in dccp_v6_err()
  netlink: netlink_diag_dump() runs without locks
  dccp: fix out of bound access in dccp_v4_err()
  dccp: do not send reset to already closed sockets
  dccp: do not release listeners too soon
  tcp: fix return value for partial writes
  ipv4: allow local fragmentation in ip_finish_output_gso()
  net: tcp: check skb is non-NULL for exact match on lookups
  tcp: fix potential memory corruption
  qede: Correctly map aggregation replacement pages
  cxgb4: correct device ID of T6 adapter
  inet: fix sleeping inside inet_wait_for_connect()
  video: ARM CLCD: fix Vexpress regression
  xen-netfront: cast grant table reference first to type int
  ip6_udp_tunnel: remove unused IPCB related codes
  ip6_tunnel: Clear IP6CB in ip6tunnel_xmit()
  MAINTAINERS: Update MELLANOX MLX5 core VPI driver maintainers
  drm/sun4i: Fix error handling
  net: mv643xx_eth: ensure coalesce settings survive read-modify-write
  net/mlx5: Simplify a test
  unix: escape all null bytes in abstract unix domain socket
  net: qcom/emac: use correct value for SGMII_LN_UCDR_SO_GAIN_MODE0
  drivers: net: xgene: fix: Coalescing values for v2 hardware
  drivers: net: xgene: fix: Disable coalescing on v1 hardware
  kbuild: modversions for EXPORT_SYMBOL() for asm
  bgmac: stop clearing DMA receive control register right after it is set
  sctp: hold transport instead of assoc when lookup assoc in rx path
  sctp: return back transport in __sctp_rcv_init_lookup
  sctp: hold transport instead of assoc in sctp_diag
  xen-netfront: do not cast grant table reference to signed short
  can: bcm: fix warning in bcm_connect/proc_register
  can: sja1000: plx_pci: Add support for Moxa CAN devices
  mlxsw: spectrum: Fix incorrect reuse of MID entries
  qede: Fix statistics' strings for Tx/Rx queues
  net: mangle zero checksum in skb_checksum_help()
  net: clear sk_err_soft in sk_clone_lock()
  dctcp: avoid bogus doubling of cwnd after loss
  ipv6: add mtu lock check in __ip6_rt_update_pmtu
  ipv6: Don't use ufo handling on later transformed packets
  netfilter: nft_dup: do not use sreg_dev if the user doesn't specify it
  netfilter: nf_tables: destroy the set if fail to add transaction
  r8152: Fix broken RX checksums.
  netfilter: ip_vs_sync: fix bogus maybe-uninitialized warning
  netfilter: conntrack: avoid excess memory allocation
  netfilter: nf_tables: fix type mismatch with error return from nft_parse_u32_check
  netfilter: nf_conntrack_sip: extend request line validation
  netfilter: nf_tables: fix race when create new element in dynset
  netfilter: nf_tables: fix *leak* when expr clone fail
  netfilter: nft_dynset: fix panic if NFT_SET_HASH is not enabled
  brcmfmac: avoid maybe-uninitialized warning in brcmf_cfg80211_start_ap
  ARM: dts: sun8i: fix the pinmux for UART1
  kbuild: prevent lib-ksyms.o rebuilds
  rtc: cmos: Don't enable interrupts in the middle of the interrupt handler
  iwlwifi: mvm: fix netdetect starting/stopping for unified images
  iwlwifi: pcie: fix SPLC structure parsing
  rtc: cmos: remove all __exit_p annotations
  rtc: asm9260: fix module autoload
  iwlwifi: mvm: wake the wait queue when the RX sync counter is zero
  iwlwifi: mvm: comply with fw_restart mod param on suspend
  iwlwifi: mvm: fix d3_test with unified D0/D3 images
  iwlwifi: mvm: use ssize_t for len in iwl_debugfs_mem_read()
  iwlwifi: pcie: mark command queue lock with separate lockdep class
  drm/mediatek: modify the factor to make the pll_rate set in the 1G-2G range
  drm/mediatek: enhance the HDMI driving current
  drm/mediatek: do mtk_hdmi_send_infoframe after HDMI clock enable
  drm/mediatek: clear IRQ status before enable OVL interrupt
  drm/mediatek: set vblank_disable_allowed to true
  drm/mediatek: fix a typo of OD_CFG to OD_RELAYMODE
  dmaengine: mmp_tdma: add missing select GENERIC_ALLOCATOR in Kconfig
  dmaengine: edma: Fix error return code in edma_alloc_chan_resources()
  fuse: fix root dentry initialization
  drm/sun4i: rgb: Remove the bridge enable/disable functions
  drm/sun4i: rgb: Enable panel after controller

Change-Id: I1fab8716aff3b316b38add803837e6bb49fa8422
Signed-off-by: Kyle Yan <kyan@codeaurora.org>
2016-11-20 15:03:58 -08:00
WANG Cong
00ffc1ba02 genetlink: fix a memory leak on error path
In __genl_register_family(), when genl_validate_assign_mc_groups()
fails, we forget to free the memory we possibly allocate for
family->attrbuf.

Note, some callers call genl_unregister_family() to clean up
on error path, it doesn't work because the family is inserted
to the global list in the nearly last step.

Cc: Jakub Kicinski <kubakici@wp.pl>
Cc: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-03 16:52:29 -04:00
Eric Dumazet
93636d1f1f netlink: netlink_diag_dump() runs without locks
A recent commit removed locking from netlink_diag_dump() but forgot
one error case.

=====================================
[ BUG: bad unlock balance detected! ]
4.9.0-rc3+ #336 Not tainted
-------------------------------------
syz-executor/4018 is trying to release lock ([   36.220068] nl_table_lock
) at:
[<ffffffff82dc8683>] netlink_diag_dump+0x1a3/0x250 net/netlink/diag.c:182
but there are no more locks to release!

other info that might help us debug this:
3 locks held by syz-executor/4018:
 #0: [   36.220068]  (
sock_diag_mutex[   36.220068] ){+.+.+.}
, at: [   36.220068] [<ffffffff82c3873b>] sock_diag_rcv+0x1b/0x40
 #1: [   36.220068]  (
sock_diag_table_mutex[   36.220068] ){+.+.+.}
, at: [   36.220068] [<ffffffff82c38e00>] sock_diag_rcv_msg+0x140/0x3a0
 #2: [   36.220068]  (
nlk->cb_mutex[   36.220068] ){+.+.+.}
, at: [   36.220068] [<ffffffff82db6600>] netlink_dump+0x50/0xac0

stack backtrace:
CPU: 1 PID: 4018 Comm: syz-executor Not tainted 4.9.0-rc3+ #336
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff8800645df688 ffffffff81b46934 ffffffff84eb3e78 ffff88006ad85800
 ffffffff82dc8683 ffffffff84eb3e78 ffff8800645df6b8 ffffffff812043ca
 dffffc0000000000 ffff88006ad85ff8 ffff88006ad85fd0 00000000ffffffff
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b46934>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [<ffffffff812043ca>] print_unlock_imbalance_bug+0x17a/0x1a0
kernel/locking/lockdep.c:3388
 [<     inline     >] __lock_release kernel/locking/lockdep.c:3512
 [<ffffffff8120cfd8>] lock_release+0x8e8/0xc60 kernel/locking/lockdep.c:3765
 [<     inline     >] __raw_read_unlock ./include/linux/rwlock_api_smp.h:225
 [<ffffffff83fc001a>] _raw_read_unlock+0x1a/0x30 kernel/locking/spinlock.c:255
 [<ffffffff82dc8683>] netlink_diag_dump+0x1a3/0x250 net/netlink/diag.c:182
 [<ffffffff82db6947>] netlink_dump+0x397/0xac0 net/netlink/af_netlink.c:2110

Fixes: ad20207432 ("netlink: Use rhashtable walk interface in diag dump")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-03 16:16:51 -04:00
Subash Abhinov Kasiviswanathan
50ed2064bf Revert "genetlink: disallow subscribing to unknown mcast groups"
Commit 5ad6300524 ("genetlink: disallow subscribing to unknown
mcast groups") disallows userspace to subscribe to groups that don't
exist in kernel. As a result, communication between processes is
not possible unless they explicitly register a dummy group with the
kernel even if the communication is between userspace processes
only. NETLINK_USERSOCK cannot be used here since userspace processes
would require CAP_NET_ADMIN to receive multicast messages which
is available for privileged processes only.

Fix this problem by reverting the change till a solution is
determined internally and upstream discussion.

CRs-Fixed: 1078373
Change-Id: Id559d9ef9d1e0a25e3bbdc81503978f01c6ed85f
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
2016-11-01 20:02:31 -06:00
Eric Dumazet
d35c99ff77 netlink: do not enter direct reclaim from netlink_dump()
Since linux-3.15, netlink_dump() can use up to 16384 bytes skb
allocations.

Due to struct skb_shared_info ~320 bytes overhead, we end up using
order-3 (on x86) page allocations, that might trigger direct reclaim and
add stress.

The intent was really to attempt a large allocation but immediately
fallback to a smaller one (order-1 on x86) in case of memory stress.

On recent kernels (linux-4.4), we can remove __GFP_DIRECT_RECLAIM to
meet the goal. Old kernels would need to remove __GFP_WAIT.

While we are at it, since we do an order-3 allocation, allow to use
all the allocated bytes instead of 16384 to reduce syscalls during
large dumps.

iproute2 already uses 32KB recvmsg() buffer sizes.

Alexei provided an initial patch downsizing to SKB_WITH_OVERHEAD(16384)

Fixes: 9063e21fb0 ("netlink: autosize skb lengthes")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Alexei Starovoitov <ast@kernel.org>
Cc: Greg Thelen <gthelen@google.com>
Reviewed-by: Greg Rose <grose@lightfleet.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-10-06 20:53:13 -04:00
Andrey Vagin
733ade23de netlink: don't forget to release a rhashtable_iter structure
This bug was detected by kmemleak:
unreferenced object 0xffff8804269cc3c0 (size 64):
  comm "criu", pid 1042, jiffies 4294907360 (age 13.713s)
  hex dump (first 32 bytes):
    a0 32 cc 2c 04 88 ff ff 00 00 00 00 00 00 00 00  .2.,............
    00 01 00 00 00 00 ad de 00 02 00 00 00 00 ad de  ................
  backtrace:
    [<ffffffff8184dffa>] kmemleak_alloc+0x4a/0xa0
    [<ffffffff8124720f>] kmem_cache_alloc_trace+0x10f/0x280
    [<ffffffffa02864cc>] __netlink_diag_dump+0x26c/0x290 [netlink_diag]

v2: don't remove a reference on a rhashtable_iter structure to
    release it from netlink_diag_dump_done

Cc: Herbert Xu <herbert@gondor.apana.org.au>
Fixes: ad20207432 ("netlink: Use rhashtable walk interface in diag dump")
Signed-off-by: Andrei Vagin <avagin@openvz.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-09-07 17:29:38 -07:00
stephen hemminger
12d8de6d95 net: make genetlink ctrl ops const
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-09-01 14:09:00 -07:00
Herbert Xu
ad20207432 netlink: Use rhashtable walk interface in diag dump
This patch converts the diag dumping code to use the rhashtable
walk code instead of going through rhashtable by hand.  The lock
nl_table_lock is now only taken while we process the multicast
list as it's not needed for the rhashtable walk.

Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-08-19 14:40:25 -07:00
Fabien Siron
21aff3b905 net/netlink/af_netlink.h: Remove unused structure.
Signed-off-by: Fabien Siron <fabien.siron@epita.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-06-09 22:26:24 -07:00
Herbert Xu
92964c79b3 netlink: Fix dump skb leak/double free
When we free cb->skb after a dump, we do it after releasing the
lock.  This means that a new dump could have started in the time
being and we'll end up freeing their skb instead of ours.

This patch saves the skb and module before we unlock so we free
the right memory.

Fixes: 16b304f340 ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: Baozeng Ding <sploving1@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-05-16 22:05:15 -04:00
David S. Miller
1602f49b58 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Conflicts were two cases of simple overlapping changes,
nothing serious.

In the UDP case, we need to add a hlist_add_tail_rcu()
to linux/rculist.h, because we've moved UDP socket handling
away from using nulls lists.

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-23 18:51:33 -04:00
Dmitry Ivanov
e272602039 netlink: don't send NETLINK_URELEASE for unbound sockets
All existing users of NETLINK_URELEASE use it to clean up resources that
were previously allocated to a socket via some command. As a result, no
users require getting this notification for unbound sockets.

Sending it for unbound sockets, however, is a problem because any user
(including unprivileged users) can create a socket that uses the same ID
as an existing socket. Binding this new socket will fail, but if the
NETLINK_URELEASE notification is generated for such sockets, the users
thereof will be tricked into thinking the socket that they allocated the
resources for is closed.

In the nl80211 case, this will cause destruction of virtual interfaces
that still belong to an existing hostapd process; this is the case that
Dmitry noticed. In the NFC case, it will cause a poll abort. In the case
of netlink log/queue it will cause them to stop reporting events, as if
NFULNL_CFG_CMD_UNBIND/NFQNL_CFG_CMD_UNBIND had been called.

Fix this problem by checking that the socket is bound before generating
the NETLINK_URELEASE notification.

Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Ivanov <dima@ubnt.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-04-10 23:32:23 -04:00
Bob Copeland
8f6fd83c6c rhashtable: accept GFP flags in rhashtable_walk_init
In certain cases, the 802.11 mesh pathtable code wants to
iterate over all of the entries in the forwarding table from
the receive path, which is inside an RCU read-side critical
section.  Enable walks inside atomic sections by allowing
GFP_ATOMIC allocations for the walker state.

Change all existing callsites to pass in GFP_KERNEL.

Acked-by: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Bob Copeland <me@bobcopeland.com>
[also adjust gfs2/glock.c and rhashtable tests]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2016-04-05 10:56:32 +02:00
David Decotigny
025c68186e netlink: add support for NIC driver ioctls
By returning -ENOIOCTLCMD, sock_do_ioctl() falls back to calling
dev_ioctl(), which provides support for NIC driver ioctls, which
includes ethtool support. This is similar to the way ioctls are handled
in udp.c or tcp.c.

This removes the requirement that ethtool for example be tied to the
support of a specific L3 protocol (ethtool uses an AF_INET socket
today).

Signed-off-by: David Decotigny <decot@googlers.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-03-22 15:45:44 -04:00
Florian Westphal
c5b0db3263 nfnetlink: Revert "nfnetlink: add support for memory mapped netlink"
reverts commit 3ab1f683bf ("nfnetlink: add support for memory mapped
netlink")

Like previous commits in the series, remove wrappers that are not needed
after mmapped netlink removal.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-02-18 11:42:22 -05:00
Florian Westphal
263ea09084 Revert "genl: Add genlmsg_new_unicast() for unicast message allocation"
This reverts commit bb9b18fb55 ("genl: Add genlmsg_new_unicast() for
unicast message allocation").

Nothing wrong with it; it's no longer needed since this was only for
mmapped netlink support.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-02-18 11:42:19 -05:00
Florian Westphal
d1b4c689d4 netlink: remove mmapped netlink support
mmapped netlink has a number of unresolved issues:

- TX zerocopy support had to be disabled more than a year ago via
  commit 4682a03586 ("netlink: Always copy on mmap TX.")
  because the content of the mmapped area can change after netlink
  attribute validation but before message processing.

- RX support was implemented mainly to speed up nfqueue dumping packet
  payload to userspace.  However, since commit ae08ce0021
  ("netfilter: nfnetlink_queue: zero copy support") we avoid one copy
  with the socket-based interface too (via the skb_zerocopy helper).

The other problem is that skbs attached to mmaped netlink socket
behave differently from normal skbs:

- they don't have a shinfo area, so all functions that use skb_shinfo()
(e.g. skb_clone) cannot be used.

- reserving headroom prevents userspace from seeing the content as
it expects message to start at skb->head.
See for instance
commit aa3a022094 ("netlink: not trim skb for mmaped socket when dump").

- skbs handed e.g. to netlink_ack must have non-NULL skb->sk, else we
crash because it needs the sk to check if a tx ring is attached.

Also not obvious, leads to non-intuitive bug fixes such as 7c7bdf359
("netfilter: nfnetlink: use original skbuff when acking batches").

mmapped netlink also didn't play nicely with the skb_zerocopy helper
used by nfqueue and openvswitch.  Daniel Borkmann fixed this via
commit 6bb0fef489 ("netlink, mmap: fix edge-case leakages in nf queue
zero-copy") but at the cost of also needing to provide remaining
length to the allocation function.

nfqueue also has problems when used with mmapped rx netlink:
- mmapped netlink doesn't allow use of nfqueue batch verdict messages.
  Problem is that in the mmap case, the allocation time also determines
  the ordering in which the frame will be seen by userspace (A
  allocating before B means that A is located in earlier ring slot,
  but this also means that B might get a lower sequence number than A
  since seqno is decided later).  To fix this we would need to extend the
  spinlocked region to also cover the allocation and message setup which
  isn't desirable.
- nfqueue can now be configured to queue large (GSO) skbs to userspace.
  Queuing GSO packets is faster than having to force a software segmentation
  in the kernel, so this is a desirable option.  However, with a mmap based
  ring one has to use 64kb per ring slot element, else mmap has to fall back
  to the socket path (NL_MMAP_STATUS_COPY) for all large packets.

To use the mmap interface, userspace not only has to probe for mmap netlink
support, it also has to implement a recv/socket receive path in order to
handle messages that exceed the size of an rx ring element.

Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Ken-ichirou MATSUZAWA <chamaken@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Patrick McHardy <kaber@trash.net>
Cc: Thomas Graf <tgraf@suug.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-02-18 11:42:18 -05:00
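The TX zerocopy problem named in the commit message above (frame content changing after validation but before processing), modelled in user space as an added example; it is not kernel code and not part of the commit. The frame layout, `PAYLOAD_MAX` and every function name are hypothetical, and a callback stands in for the concurrent writer to the shared mapping.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_MAX 16                 /* largest length validation accepts */

/* Hypothetical frame layout in the shared ring, not struct nlmsghdr. */
struct msg { uint32_t len; uint8_t payload[60]; };

/* Models the concurrent writer that holds the same mapping; it runs
 * between validation and processing. */
typedef void (*writer_fn)(struct msg *shared);

static int validate(const struct msg *m) { return m->len <= PAYLOAD_MAX; }

/* Consumes m->len payload bytes and returns how many it consumed. */
static long process(const struct msg *m, uint8_t *out)
{
    size_t n = m->len;                 /* fetches len a second time */
    if (n > sizeof m->payload) n = sizeof m->payload; /* keeps demo defined */
    memcpy(out, m->payload, n);
    return (long)n;
}

/* Zero-copy style: validate and process the shared frame in place. */
static long handle_in_place(struct msg *shared, writer_fn racer, uint8_t *out)
{
    if (!validate(shared)) return -1;
    racer(shared);                     /* frame changes after the check */
    return process(shared, out);
}

/* Copy first: snapshot the frame, then validate and process the snapshot. */
static long handle_copied(struct msg *shared, writer_fn racer, uint8_t *out)
{
    struct msg snap;
    memcpy(&snap, shared, sizeof snap);
    if (!validate(&snap)) return -1;
    racer(shared);                     /* too late to affect the snapshot */
    return process(&snap, out);
}

static void grow_len(struct msg *shared) { shared->len = 60; }

/* Constructed input: a frame with len = 8, which passes validation. */
long run(int copy_first)
{
    uint8_t out[60];
    struct msg m = { .len = 8 };
    return copy_first ? handle_copied(&m, grow_len, out)
                      : handle_in_place(&m, grow_len, out);
}

int main(void) { return (run(0) == 60 && run(1) == 8) ? 0 : 1; }
```

The in-place path consumes 60 bytes although only 8 were validated; the copied path consumes exactly the validated 8.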
Tycho Andersen
4a92602aa1 openvswitch: allow management from inside user namespaces
Operations with the GENL_ADMIN_PERM flag fail permissions checks because
this flag means we call netlink_capable, which uses the init user ns.

Instead, let's introduce a new flag, GENL_UNS_ADMIN_PERM for operations
which should be allowed inside a user namespace.

The motivation for this is to be able to run openvswitch in unprivileged
containers. I've tested this and it seems to work, but I really have no
idea about the security consequences of this patch, so thoughts would be
much appreciated.

v2: use the GENL_UNS_ADMIN_PERM flag instead of a check in each function
v3: use separate ifs for UNS_ADMIN_PERM and ADMIN_PERM, instead of one
    massive one

Reported-by: James Page <james.page@canonical.com>
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
CC: Eric Biederman <ebiederm@xmission.com>
CC: Pravin Shelar <pshelar@ovn.org>
CC: Justin Pettit <jpettit@nicira.com>
CC: "David S. Miller" <davem@davemloft.net>
Acked-by: Pravin B Shelar <pshelar@ovn.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-02-11 09:53:19 -05:00
Ken-ichirou MATSUZAWA
aa3a022094 netlink: not trim skb for mmaped socket when dump
We should not trim skb for mmaped socket since its buf size is fixed
and userspace will read as frame which data equals head. mmaped
socket will not call recvmsg, means max_recvmsg_len is 0,
skb_reserve was not called before commit: db65a3aaf2.

Fixes: db65a3aaf2 (netlink: Trim skb to alloc size to avoid MSG_TRUNC)
Signed-off-by: Ken-ichirou MATSUZAWA <chamas@h4.dion.ne.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-01-29 20:25:17 -08:00
David S. Miller
b8e429a2fe genetlink: Fix off-by-one in genl_allocate_reserve_groups()
The bug fix for adding n_groups to the computation forgot
to adjust ">=" to ">" to keep the condition correct.

Signed-off-by: David S. Miller <davem@davemloft.net>
2016-01-13 10:28:06 -05:00
David S. Miller
ddb5388ffd Merge git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux 2016-01-13 00:21:27 -05:00
Matti Vaittinen
ccdf6ce6a8 net: netlink: Fix multicast group storage allocation for families with more than one groups
Multicast groups are stored in global buffer. Check for needed buffer size
incorrectly compares buffer size to first id for family. This means that
for families with more than one mcast id one may allocate too small buffer
and end up writing rest of the groups to some unallocated memory. Fix the
buffer size check to compare allocated space to last mcast id for the
family.

Tested on ARM using kernel 3.14

Signed-off-by: Matti Vaittinen <matti.vaittinen@nokia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-01-12 16:40:15 -05:00
Tom Herbert
fc9e50f5a5 netlink: add a start callback for starting a netlink dump
The start callback allows the caller to set up a context for the
dump callbacks. Presumably, the context can then be destroyed in
the done callback.

Signed-off-by: Tom Herbert <tom@herbertland.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-12-15 23:25:20 -05:00
Mel Gorman
d0164adc89 mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd
__GFP_WAIT has been used to identify atomic context in callers that hold
spinlocks or are in interrupts.  They are expected to be high priority and
have access to one of two watermarks lower than "min" which can be referred
to as the "atomic reserve".  __GFP_HIGH users get access to the first
lower watermark and can be called the "high priority reserve".

Over time, callers had a requirement to not block when fallback options
were available.  Some have abused __GFP_WAIT leading to a situation where
an optimistic allocation with a fallback option can access atomic
reserves.

This patch uses __GFP_ATOMIC to identify callers that are truly atomic,
cannot sleep and have no alternative.  High priority users continue to use
__GFP_HIGH.  __GFP_DIRECT_RECLAIM identifies callers that can sleep and
are willing to enter direct reclaim.  __GFP_KSWAPD_RECLAIM to identify
callers that want to wake kswapd for background reclaim.  __GFP_WAIT is
redefined as a caller that is willing to enter direct reclaim and wake
kswapd for background reclaim.

This patch then converts a number of sites

o __GFP_ATOMIC is used by callers that are high priority and have memory
  pools for those requests. GFP_ATOMIC uses this flag.

o Callers that have a limited mempool to guarantee forward progress clear
  __GFP_DIRECT_RECLAIM but keep __GFP_KSWAPD_RECLAIM. bio allocations fall
  into this category where kswapd will still be woken but atomic reserves
  are not used as there is a one-entry mempool to guarantee progress.

o Callers that are checking if they are non-blocking should use the
  helper gfpflags_allow_blocking() where possible. This is because
  checking for __GFP_WAIT as was done historically now can trigger false
  positives. Some exceptions like dm-crypt.c exist where the code intent
  is clearer if __GFP_DIRECT_RECLAIM is used instead of the helper due to
  flag manipulations.

o Callers that built their own GFP flags instead of starting with GFP_KERNEL
  and friends now also need to specify __GFP_KSWAPD_RECLAIM.

The first key hazard to watch out for is callers that removed __GFP_WAIT
and were depending on access to atomic reserves for inconspicuous reasons.
In some cases it may be appropriate for them to use __GFP_HIGH.

The second key hazard is callers that assembled their own combination of
GFP flags instead of starting with something like GFP_KERNEL.  They may
now wish to specify __GFP_KSWAPD_RECLAIM.  It's almost certainly harmless
if it's missed in most cases as other activity will wake kswapd.

Signed-off-by: Mel Gorman <mgorman@techsingularity.net>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: Michal Hocko <mhocko@suse.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Cc: Christoph Lameter <cl@linux.com>
Cc: David Rientjes <rientjes@google.com>
Cc: Vitaly Wool <vitalywool@gmail.com>
Cc: Rik van Riel <riel@redhat.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2015-11-06 17:50:42 -08:00
David S. Miller
ba3e2084f2 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Conflicts:
	net/ipv6/xfrm6_output.c
	net/openvswitch/flow_netlink.c
	net/openvswitch/vport-gre.c
	net/openvswitch/vport-vxlan.c
	net/openvswitch/vport.c
	net/openvswitch/vport.h

The openvswitch conflicts were overlapping changes.  One was
the egress tunnel info fix in 'net' and the other was the
vport ->send() op simplification in 'net-next'.

The xfrm6_output.c conflict was also a simplification
overlapping a bug fix.

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-10-24 06:54:12 -07:00
David Herrmann
47191d65b6 netlink: fix locking around NETLINK_LIST_MEMBERSHIPS
Currently, NETLINK_LIST_MEMBERSHIPS grabs the netlink table while copying
the membership state to user-space. However, grabbing the netlink table is
effectively a write_lock_irq(), and as such we should not be triggering
page-faults in the critical section.

This can be easily reproduced by the following snippet:
    int s = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    void *p = mmap(0, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANON, -1, 0);
    int r = getsockopt(s, 0x10e, 9, p, (void*)((char*)p + 4092));

This should work just fine, but currently triggers EFAULT and a possible
WARN_ON below handle_mm_fault().

Fix this by reducing locking of NETLINK_LIST_MEMBERSHIPS to a read-side
lock. The write-lock was overkill in the first place, and the read-lock
allows page-faults just fine.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-10-22 07:18:28 -07:00
David S. Miller
26440c835f Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Conflicts:
	drivers/net/usb/asix_common.c
	net/ipv4/inet_connection_sock.c
	net/switchdev/switchdev.c

In the inet_connection_sock.c case the request socket hashing scheme
is completely different in net-next.

The other two conflicts were overlapping changes.

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-10-20 06:08:27 -07:00
Arad, Ronen
db65a3aaf2 netlink: Trim skb to alloc size to avoid MSG_TRUNC
netlink_dump() allocates skb based on the calculated min_dump_alloc or
a per socket max_recvmsg_len.
min_alloc_size is maximum space required for any single netdev
attributes as calculated by rtnl_calcit().
max_recvmsg_len tracks the user provided buffer to netlink_recvmsg.
It is capped at 16KiB.
The intention is to avoid small allocations and to minimize the number
of calls required to obtain dump information for all net devices.

netlink_dump packs as many small messages as could fit within an skb
that was sized for the largest single netdev information. The actual
space available within an skb is larger than what is requested. It could
be much larger and up to near 2x with align to next power of 2 approach.

Allowing netlink_dump to use all the space available within the
allocated skb increases the buffer size a user has to provide to avoid
truncation (i.e. MSG_TRUNC flag set).

It was observed that with many VLANs configured on at least one netdev,
a larger buffer of near 64KiB was necessary to avoid "Message truncated"
error in "ip link" or "bridge [-c[ompressvlans]] vlan show" when
min_alloc_size was only little over 32KiB.

This patch trims skb to allocated size in order to allow the user to
avoid truncation with more reasonable buffer size.

Signed-off-by: Ronen Arad <ronen.arad@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-10-18 19:34:12 -07:00
Yaowei Bai
61d03535e4 net/netlink: lockdep_genl_is_held can be boolean
This patch makes lockdep_genl_is_held return bool to improve
readability due to this particular function only using either
one or zero as its return value.

No functional change.

Signed-off-by: Yaowei Bai <bywxiaobai@163.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-10-09 07:48:59 -07:00
David S. Miller
4963ed48f2 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Conflicts:
	net/ipv4/arp.c

The net/ipv4/arp.c conflict was one commit adding a new
local variable while another commit was deleting one.

Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-26 16:08:27 -07:00
Jiri Benc
92c14d9b5e genetlink: simplify genl_notify
The genl_notify function has too many arguments for no real reason - all
callers use genl_info to get them anyway. Just pass the genl_info down to
genl_notify.

Signed-off-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-24 12:25:23 -07:00
Herbert Xu
da314c9923 netlink: Replace rhash_portid with bound
On Mon, Sep 21, 2015 at 02:20:22PM -0400, Tejun Heo wrote:
>
> store_release and load_acquire are different from the usual memory
> barriers and can't be paired this way.  You have to pair store_release
> and load_acquire.  Besides, it isn't a particularly good idea to

OK I've decided to drop the acquire/release helpers as they don't
help us at all and simply pessimises the code by using full memory
barriers (on some architectures) where only a write or read barrier
is needed.

> depend on memory barriers embedded in other data structures like the
> above.  Here, especially, rhashtable_insert() would have write barrier
> *before* the entry is hashed not necessarily *after*, which means that
> in the above case, a socket which appears to have set bound to a
> reader might not be visible when the reader tries to look up the socket
> on the hashtable.

But you are right we do need an explicit write barrier here to
ensure that the hashing is visible.

> There's no reason to be overly smart here.  This isn't a crazy hot
> path, write barriers tend to be very cheap, store_release more so.
> Please just do smp_store_release() and note what it's paired with.

It's not about being overly smart.  It's about actually understanding
what's going on with the code.  I've seen too many instances of
people simply sprinkling synchronisation primitives around without
any knowledge of what is happening underneath, which is just a recipe
for creating hard-to-debug races.

> > @@ -1539,7 +1546,7 @@ static int netlink_bind(struct socket *sock, struct sockaddr *addr,
> >  		}
> >  	}
> >
> > -	if (!nlk->portid) {
> > +	if (!nlk->bound) {
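Review bot: the `if (!nlk->bound)` test in netlink_bind() is a separate read of the flag from the earlier test, so another thread can bind the socket between the two and the checks can disagree. Read `nlk->bound` once into a local, use that value for both tests, repeat the portid comparison after it, and add a comment naming the write barrier the read pairs with.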
>
> I don't think you can skip load_acquire here just because this is the
> second deref of the variable.  That doesn't change anything.  Race
> condition could still happen between the first and second tests and
> skipping the second would lead to the same kind of bug.

The reason this one is OK is because we do not use nlk->portid or
try to get nlk from the hash table before we return to user-space.

However, there is a real bug here that none of these acquire/release
helpers discovered.  The two bound tests here used to be a single
one.  Now that they are separate it is entirely possible for another
thread to come in the middle and bind the socket.  So we need to
repeat the portid check in order to maintain consistency.

> > @@ -1587,7 +1594,7 @@ static int netlink_connect(struct socket *sock, struct sockaddr *addr,
> >  	    !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
> >  		return -EPERM;
> >
> > -	if (!nlk->portid)
> > +	if (!nlk->bound)
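Review bot: the `if (!nlk->bound)` test in netlink_connect() is an unordered read and nothing at this line says why that is safe. Add a comment stating that no barrier is needed because neither `nlk->portid` nor a hash table lookup is used before returning to user-space, so a later change that does use them knows to add one.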
>
> Don't we need load_acquire here too?  Is this path holding a lock
> which makes that unnecessary?

Ditto.

---8<---
The commit 1f770c0a09 ("netlink:
Fix autobind race condition that leads to zero port ID") created
some new races that can occur due to inconsistencies between the
two port IDs.

Tejun is right that a barrier is unavoidable.  Therefore I am
reverting to the original patch that used a boolean to indicate
that a user netlink socket has been bound.

Barriers have been added where necessary to ensure that a valid
portid and the hashed socket is visible.

I have also changed netlink_insert to only return EBUSY if the
socket is bound to a portid different to the requested one.  This
combined with only reading nlk->bound once in netlink_bind fixes
a race where two threads that bind the socket at the same time
with different port IDs may both succeed.

Fixes: 1f770c0a09 ("netlink: Fix autobind race condition that leads to zero port ID")
Reported-by: Tejun Heo <tj@kernel.org>
Reported-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Nacked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-24 12:07:08 -07:00