16.0
771 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Samuel Pascua
|
622705f7c9 |
Merge tag 'v4.14.356-openela-rc1' of https://github.com/openela/kernel-lts
This is the 4.14.356 OpenELA-Extended LTS stable release candidate 1 Conflicts: arch/arm/include/asm/uaccess.h drivers/android/binder.c drivers/android/binder_alloc.c drivers/block/loop.c drivers/infiniband/ulp/srpt/ib_srpt.c drivers/mmc/core/mmc_test.c drivers/net/usb/usbnet.c fs/aio.c fs/f2fs/inode.c fs/f2fs/namei.c fs/f2fs/segment.c fs/f2fs/super.c fs/select.c include/linux/fs.h include/net/netns/ipv4.h kernel/power/swap.c mm/page_alloc.c net/core/filter.c net/ipv4/af_inet.c net/ipv4/sysctl_net_ipv4.c net/ipv4/tcp_ipv4.c net/ipv6/af_inet6.c net/qrtr/qrtr.c sound/usb/stream.c Change-Id: I016dabcf8f4fd90dae7083272b3465d184c07de8 |
||
|
Haky86
|
f01fa25d84 |
Merge branch 'deprecated/android-4.14-stable' of https://android.googlesource.com/kernel/common into lineage-21.0
Change-Id: I8750f4152cf3c402ef61f9266766128541dfa05c |
||
|
Paul Geurts
|
52ada5a71f |
NFC: trf7970a: disable all regulators on removal
[ Upstream commit 6bea4f03c6a4e973ef369e15aac88f37981db49e ]
During module probe, regulator 'vin' and 'vdd-io' are used and enabled,
but the vdd-io regulator overwrites the 'vin' regulator pointer. During
remove, only the vdd-io is disabled, as the vin regulator pointer is not
available anymore. When regulator_put() is called during resource
cleanup a kernel warning is given, as the regulator is still enabled.
Store the two regulators in separate pointers and disable both the
regulators on module remove.
Fixes:
|
||
|
Haky86
|
1a16e98230 |
Import from SM-A715F_EUR_13_Opensource
* Taken from A715FXXUADWE1 source. Change-Id: Ife88f79141085bddd4537434c451245b52ac71ad |
||
|
Greg Kroah-Hartman
|
ecca894374 |
Merge 4.14.320 into android-4.14-stable
Changes in 4.14.320 serial: lantiq: add missing interrupt ack nilfs2: reject devices with insufficient block count nilfs2: fix buffer corruption due to concurrent device reads Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs cgroup: Do not corrupt task iteration when rebinding subsystem nilfs2: prevent general protection fault in nilfs_clear_dirty_page() xfrm: Linearize the skb after offloading if needed. net: qca_spi: Avoid high load if QCA7000 is not available mmc: mtk-sd: fix deferred probing mmc: omap: fix deferred probing mmc: omap_hsmmc: fix deferred probing mmc: usdhi60rol0: fix deferred probing be2net: Extend xmit workaround to BE3 chip netfilter: nf_tables: disallow element updates of bound anonymous sets scsi: target: iscsi: Prevent login threads from racing between each other HID: wacom: Add error check to wacom_parse_and_register() arm64: Add missing Set/Way CMO encodings nfcsim.c: Fix error checking for debugfs_create_dir fbdev: imsttfb: Release framebuffer and dealloc cmap on error path usb: gadget: udc: fix NULL dereference in remove() s390/cio: unregister device when the only path is gone drm/exynos: vidi: fix a wrong error return drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle Linux 4.14.320 Change-Id: Ie099bcd37431671a217ea32b54bef6d5f29c122d Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Osama Muhammad
|
687ce0ac7a |
nfcsim.c: Fix error checking for debugfs_create_dir
[ Upstream commit 9b9e46aa07273ceb96866b2e812b46f1ee0b8d2f ] This patch fixes the error checking in nfcsim.c. The DebugFS kernel API is developed in a way that the caller can safely ignore the errors that occur during the creation of DebugFS nodes. Signed-off-by: Osama Muhammad <osmtendev@gmail.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
bab8e51047 |
Merge 4.14.311 into android-4.14-stable
Changes in 4.14.311 ext4: fix cgroup writeback accounting with fs-layer encryption fs: sysfs_emit_at: Remove PAGE_SIZE alignment check tcp: tcp_make_synack() can be called from process context nfc: pn533: initialize struct pn533_out_arg properly qed/qed_dev: guard against a possible division by zero net: tunnels: annotate lockless accesses to dev->needed_headroom net: phy: smsc: bail out in lan87xx_read_status if genphy_read_status fails nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition net: usb: smsc75xx: Limit packet length to skb->len nvmet: avoid potential UAF in nvmet_req_complete() block: sunvdc: add check for mdesc_grab() returning NULL ipv4: Fix incorrect table ID in IOCTL path net: usb: smsc75xx: Move packet length check to prevent kernel panic in skb_pull net/iucv: Fix size of interrupt data ethernet: sun: add check for the mdesc_grab() hwmon: (adt7475) Display smoothing attributes in correct order hwmon: (adt7475) Fix masking of hysteresis registers hwmon: (xgene) Fix use after free bug in xgene_hwmon_remove due to race condition media: m5mols: fix off-by-one loop termination error mmc: atmel-mci: fix race between stop command and start of next command ext4: fail ext4_iget if special inode unallocated ext4: fix task hung in ext4_xattr_delete_inode sh: intc: Avoid spurious sizeof-pointer-div warning ftrace: Fix invalid address access in lookup_rec() when index is 0 fbdev: stifb: Provide valid pixelclock and add fb_check_var() checks drm/i915: Don't use stolen memory for ring buffers with LLC serial: 8250_em: Fix UART port type HID: core: Provide new max_buffer_size attribute to over-ride the default HID: uhid: Over-ride the default maximum data buffer value with our own Linux 4.14.311 Change-Id: Iae02393407700057c49ea758bda3389155a6671f Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Zheng Wang
|
2156490c4b |
nfc: st-nci: Fix use after free bug in ndlc_remove due to race condition
[ Upstream commit 5000fe6c27827a61d8250a7e4a1d26c3298ef4f6 ]
This bug influences both st_nci_i2c_remove and st_nci_spi_remove.
Take st_nci_i2c_remove as an example.
In st_nci_i2c_probe, it called ndlc_probe and bound &ndlc->sm_work
with llt_ndlc_sm_work.
When it calls ndlc_recv or timeout handler, it will finally call
schedule_work to start the work.
When we call st_nci_i2c_remove to remove the driver, there
may be a sequence as follows:
Fix it by finishing the work before cleanup in ndlc_remove
CPU0 CPU1
|llt_ndlc_sm_work
st_nci_i2c_remove |
ndlc_remove |
st_nci_remove |
nci_free_device|
kfree(ndev) |
//free ndlc->ndev |
|llt_ndlc_rcv_queue
|nci_recv_frame
|//use ndlc->ndev
Fixes:
|
||
|
Fedor Pchelkin
|
2bd1ed6d60 |
nfc: pn533: initialize struct pn533_out_arg properly
[ Upstream commit 484b7059796e3bc1cb527caa61dfc60da649b4f6 ] struct pn533_out_arg used as a temporary context for out_urb is not initialized properly. Its uninitialized 'phy' field can be dereferenced in error cases inside pn533_out_complete() callback function. It causes the following failure: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] CPU: 1 PID: 0 Comm: swapper/1 Not tainted 6.2.0-rc3-next-20230110-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 RIP: 0010:pn533_out_complete.cold+0x15/0x44 drivers/nfc/pn533/usb.c:441 Call Trace: <IRQ> __usb_hcd_giveback_urb+0x2b6/0x5c0 drivers/usb/core/hcd.c:1671 usb_hcd_giveback_urb+0x384/0x430 drivers/usb/core/hcd.c:1754 dummy_timer+0x1203/0x32d0 drivers/usb/gadget/udc/dummy_hcd.c:1988 call_timer_fn+0x1da/0x800 kernel/time/timer.c:1700 expire_timers+0x234/0x330 kernel/time/timer.c:1751 __run_timers kernel/time/timer.c:2022 [inline] __run_timers kernel/time/timer.c:1995 [inline] run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035 __do_softirq+0x1fb/0xaf6 kernel/softirq.c:571 invoke_softirq kernel/softirq.c:445 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:650 irq_exit_rcu+0x9/0x20 kernel/softirq.c:662 sysvec_apic_timer_interrupt+0x97/0xc0 arch/x86/kernel/apic/apic.c:1107 Initialize the field with the pn533_usb_phy currently used. Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: 9dab880d675b ("nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()") Reported-by: syzbot+1e608ba4217c96d1952f@syzkaller.appspotmail.com Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Reviewed-by: Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/20230309165050.207390-1-pchelkin@ispras.ru Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
9b19b769a5 |
Merge 4.14.310 into android-4.14-stable
Changes in 4.14.310 fs: prevent out-of-bounds array speculation when closing a file descriptor x86/CPU/AMD: Disable XSAVES on AMD family 0x17 ext4: fix RENAME_WHITEOUT handling for inline directories ext4: fix another off-by-one fsmap error on 1k block filesystems ext4: move where set the MAY_INLINE_DATA flag is set ext4: fix WARNING in ext4_update_inline_data ext4: zero i_disksize when initializing the bootloader inode nfc: change order inside nfc_se_io error path nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties ila: do not generate empty messages in ila_xlat_nl_cmd_get_mapping() net: caif: Fix use-after-free in cfusbl_device_notify() MIPS: Fix a compilation issue alpha: fix R_ALPHA_LITERAL reloc for large modules macintosh: windfarm: Use unsigned type for 1-bit bitfields PCI: Add SolidRun vendor ID media: ov5640: Fix analogue gain control tipc: improve function tipc_wait_for_cond() drm/i915: Don't use BAR mappings for ring buffers with LLC x86/cpu: Fix LFENCE serialization check in init_amd() Linux 4.14.310 Change-Id: I355fd96a52b4b888b2c65b673a5a6542bbc67051 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Kang Chen
|
ad11b872bc |
nfc: fdp: add null check of devm_kmalloc_array in fdp_nci_i2c_read_device_properties
[ Upstream commit 11f180a5d62a51b484e9648f9b310e1bd50b1a57 ]
devm_kmalloc_array may fails, *fw_vsc_cfg might be null and cause
out-of-bounds write in device_property_read_u8_array later.
Fixes:
|
||
|
Greg Kroah-Hartman
|
dcf8e96bea |
Merge 4.14.308 into android-4.14-stable
Changes in 4.14.308 ARM: dts: rockchip: add power-domains property to dp node on rk3288 btrfs: send: limit number of clones and allocated memory size IB/hfi1: Assign npages earlier net: Remove WARN_ON_ONCE(sk->sk_forward_alloc) from sk_stream_kill_queues(). bpf: Do not use ax register in interpreter on div/mod bpf: fix subprog verifier bypass by div/mod by 0 exception bpf: Fix 32 bit src register truncation on div/mod bpf: Fix truncation handling for mod32 dst reg wrt zero dmaengine: sh: rcar-dmac: Check for error num after dma_set_max_seg_size USB: serial: option: add support for VW/Skoda "Carstick LTE" USB: core: Don't hold device lock while reading the "descriptors" sysfs file HID: asus: Remove check for same LED brightness on set HID: asus: use spinlock to protect concurrent accesses HID: asus: use spinlock to safely schedule workers ARM: OMAP2+: Fix memory leak in realtime_counter_init() ARM: zynq: Fix refcount leak in zynq_early_slcr_init arm64: dts: meson-gx: Fix Ethernet MAC address unit name arm64: dts: meson-gx: Fix the SCPI DVFS node name and unit address ARM: OMAP1: call platform_device_put() in error case in omap1_dm_timer_init() ARM: dts: exynos: correct wr-active property in Exynos3250 Rinato arm64: dts: amlogic: meson-gx: fix SCPI clock dvfs node name arm64: dts: amlogic: meson-gx: add missing unit address to rng node name arm64: dts: amlogic: meson-gxl: add missing unit address to eth-phy-mux node name block: bio-integrity: Copy flags when bio_integrity_payload is cloned wifi: libertas: fix memory leak in lbs_init_adapter() wifi: rtl8xxxu: don't call dev_kfree_skb() under spin_lock_irqsave() wifi: ipw2200: fix memory leak in ipw_wdev_init() wifi: brcmfmac: fix potential memory leak in brcmf_netdev_start_xmit() wifi: brcmfmac: unmap dma buffer in brcmf_msgbuf_alloc_pktid() wifi: libertas: main: don't call kfree_skb() under spin_lock_irqsave() wifi: libertas: cmdresp: don't call kfree_skb() under spin_lock_irqsave() wifi: wl3501_cs: don't call kfree_skb() under spin_lock_irqsave() genirq: Fix the return type of kstat_cpu_irqs_sum() lib/mpi: Fix buffer overrun when SG is too long ACPICA: nsrepair: handle cases without a return value correctly wifi: orinoco: check return value of hermes_write_wordrec() wifi: ath9k: htc_hst: free skb in ath9k_htc_rx_msg() if there is no callback function wifi: ath9k: Fix potential stack-out-of-bounds write in ath9k_wmi_rsp_callback() ACPI: battery: Fix missing NUL-termination with large strings crypto: seqiv - Handle EBUSY correctly net/mlx5: Enhance debug print in page allocation failure irqchip/alpine-msi: Fix refcount leak in alpine_msix_init_domains irqchip/irq-mvebu-gicp: Fix refcount leak in mvebu_gicp_probe cpufreq: davinci: Fix clk use after free Bluetooth: L2CAP: Fix potential user-after-free crypto: rsa-pkcs1pad - Use akcipher_request_complete m68k: /proc/hardware should depend on PROC_FS wifi: mwifiex: fix loop iterator in mwifiex_update_ampdu_txwinsize() can: esd_usb: Move mislocated storage of SJA1000_ECC_SEG bits in case of a bus error irqchip/irq-bcm7120-l2: Set IRQ_LEVEL for level triggered interrupts drm: mxsfb: DRM_MXSFB should depend on ARCH_MXS || ARCH_MXC drm/bridge: megachips: Fix error handling in i2c_register_driver() gpu: ipu-v3: common: Add of_node_put() for reference returned by of_graph_get_port_by_id() drm/msm/hdmi: Add missing check for alloc_ordered_workqueue pinctrl: rockchip: Fix refcount leak in rockchip_pinctrl_parse_groups ALSA: hda/ca0132: minor fix for allocation size drm/mipi-dsi: Fix byte order of 16-bit DCS set/get brightness drm/mediatek: Drop unbalanced obj unref ASoC: soc-compress.c: fixup private_data on snd_soc_new_compress() gpio: vf610: connect GPIO label to dev name hwmon: (ltc2945) Handle error case in ltc2945_value_store scsi: aic94xx: Add missing check for dma_map_single() dm: remove flush_scheduled_work() during local_exit() mfd: pcf50633-adc: Fix potential memleak in pcf50633_adc_async_read() mtd: rawnand: sunxi: Fix the size of the last OOB region Input: ads7846 - don't report pressure for ads7845 Input: ads7846 - don't check penirq immediately for 7845 powerpc/powernv/ioda: Skip unallocated resources when mapping to PE powerpc/pseries/lparcfg: add missing RTAS retry status handling MIPS: vpe-mt: drop physical_memsize media: platform: ti: Add missing check for devm_regulator_get media: rc: Fix use-after-free bugs caused by ene_tx_irqsim() media: usb: siano: Fix use after free bugs caused by do_submit_urb rpmsg: glink: Avoid infinite loop on intent for missing channel udf: Define EFSCORRUPTED error code ARM: dts: exynos: Use Exynos5420 compatible for the MIPI video phy wifi: brcmfmac: Fix potential stack-out-of-bounds in brcmf_c_preinit_dcmds() rcu: Suppress smp_processor_id() complaint in synchronize_rcu_expedited_wait() thermal: intel: Fix unsigned comparison with less than zero timers: Prevent union confusion from unexpected restart_syscall() x86/bugs: Reset speculation control settings on init inet: fix fast path in __inet_hash_connect() ACPI: Don't build ACPICA with '-Os' net: bcmgenet: Add a check for oversized packets m68k: Check syscall_trace_enter() return code ACPI: video: Fix Lenovo Ideapad Z570 DMI match drm/radeon: free iio for atombios when driver shutdown drm/msm/dsi: Add missing check for alloc_ordered_workqueue docs/scripts/gdb: add necessary make scripts_gdb step ASoC: kirkwood: Iterate over array indexes instead of using pointer math regulator: max77802: Bounds check regulator id against opmode regulator: s5m8767: Bounds check id indexing into arrays pinctrl: at91: use devm_kasprintf() to avoid potential leaks dm thin: add cond_resched() to various workqueue loops dm cache: add cond_resched() to various workqueue loops spi: bcm63xx-hsspi: Fix multi-bit mode setting wifi: rtl8xxxu: fixing transmisison failure for rtl8192eu rtc: pm8xxx: fix set-alarm race s390/kprobes: fix irq mask clobbering on kprobe reenter from post_handler s390/kprobes: fix current_kprobe never cleared after kprobes reenter hfs: fix missing hfs_bnode_get() in __hfs_bnode_create fs: hfsplus: fix UAF issue in hfsplus_put_super f2fs: fix information leak in f2fs_move_inline_dirents() ocfs2: fix defrag path triggering jbd2 ASSERT ocfs2: fix non-auto defrag path not working issue udf: Truncate added extents on failed expansion udf: Do not bother merging very long extents udf: Do not update file length for failed writes to inline files udf: Fix file corruption when appending just after end of preallocated extent x86/virt: Force GIF=1 prior to disabling SVM (for reboot flows) x86/crash: Disable virt in core NMI crash handler to avoid double shootdown x86/reboot: Disable virtualization in an emergency if SVM is supported x86/reboot: Disable SVM, not just VMX, when stopping CPUs x86/kprobes: Fix __recover_optprobed_insn check optimizing logic x86/kprobes: Fix arch_check_optimized_kprobe check within optimized_kprobe range x86/microcode/amd: Remove load_microcode_amd()'s bsp parameter x86/microcode/AMD: Add a @cpu parameter to the reloading functions x86/microcode/AMD: Fix mixed steppings support x86/speculation: Allow enabling STIBP with legacy IBRS Documentation/hw-vuln: Document the interaction between IBRS and STIBP ima: Align ima_file_mmap() parameters with mmap_file LSM hook irqdomain: Fix association race irqdomain: Fix disassociation race irqdomain: Drop bogus fwspec-mapping error handling ALSA: ice1712: Do not left ice->gpio_mutex locked in aureon_add_controls() ext4: optimize ea_inode block expansion ext4: refuse to create ea block when umounted wifi: rtl8xxxu: Use a longer retry limit of 48 wifi: cfg80211: Fix use after free for wext dm flakey: fix logic when corrupting a bio dm flakey: don't corrupt the zero page ARM: dts: exynos: correct TMU phandle in Exynos4 ARM: dts: exynos: correct TMU phandle in Odroid XU rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails alpha: fix FEN fault handling mips: fix syscall_get_nr ktest.pl: Fix missing "end_monitor" when machine check fails scsi: qla2xxx: Fix link failure in NPIV environment scsi: qla2xxx: Fix erroneous link down scsi: ses: Don't attach if enclosure has no components scsi: ses: Fix slab-out-of-bounds in ses_enclosure_data_process() scsi: ses: Fix possible addl_desc_ptr out-of-bounds accesses scsi: ses: Fix possible desc_ptr out-of-bounds accesses scsi: ses: Fix slab-out-of-bounds in ses_intf_remove() PCI: Avoid FLR for AMD FCH AHCI adapters drm/radeon: Fix eDP for single-display iMac11,2 kbuild: Port silent mode detection to future gnu make. net/sched: Retire tcindex classifier fs/jfs: fix shift exponent db_agl2size negative pwm: stm32-lp: fix the check on arr and cmp registers update ubi: ensure that VID header offset + VID header size <= alloc, size ubifs: Rectify space budget for ubifs_xrename() ubifs: Fix wrong dirty space budget for dirty inode ubifs: Reserve one leb for each journal head while doing budget ubi: Fix use-after-free when volume resizing failed ubi: Fix unreferenced object reported by kmemleak in ubi_resize_volume() ubi: Fix possible null-ptr-deref in ubi_free_volume() ubifs: Re-statistic cleaned znode count if commit failed ubifs: dirty_cow_znode: Fix memleak in error handling path ubifs: ubifs_writepage: Mark page dirty after writing inode failed ubi: Fix UAF wear-leveling entry in eraseblk_count_seq_show() ubi: ubi_wl_put_peb: Fix infinite loop when wear-leveling work failed x86: um: vdso: Add '%rcx' and '%r11' to the syscall clobber list watchdog: at91sam9_wdt: use devm_request_irq to avoid missing free_irq() in error path watchdog: Fix kmemleak in watchdog_cdev_register watchdog: pcwd_usb: Fix attempting to access uninitialized memory netfilter: ctnetlink: fix possible refcount leak in ctnetlink_create_conntrack() net: fix __dev_kfree_skb_any() vs drop monitor 9p/xen: fix version parsing 9p/xen: fix connection sequence nfc: fix memory leak of se_io context in nfc_genl_se_io ARM: dts: spear320-hmi: correct STMPE GPIO compatible tcp: tcp_check_req() can be called from process context scsi: ipr: Work around fortify-string warning thermal: intel: quark_dts: fix error pointer dereference tracing: Add NULL checks for buffer in ring_buffer_free_read_page() firmware/efi sysfb_efi: Add quirk for Lenovo IdeaPad Duet 3 media: uvcvideo: Handle cameras with invalid descriptors tty: fix out-of-bounds access in tty_driver_lookup_tty() tty: serial: fsl_lpuart: disable the CTS when send break signal tools/iio/iio_utils:fix memory leak iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_status_word() iio: accel: mma9551_core: Prevent uninitialized variable in mma9551_read_config_word() usb: host: xhci: mvebu: Iterate over array indexes instead of using pointer math USB: ene_usb6250: Allocate enough memory for full object usb: uvc: Enumerate valid values for color matching phy: rockchip-typec: Fix unsigned comparison with less than zero Bluetooth: hci_sock: purge socket queues in the destruct() callback s390/maccess: add no DAT mode to kernel_write s390/setup: init jump labels before command line parsing tcp: Fix listen() regression in 4.14.303. thermal: intel: powerclamp: Fix cur_state for multi package system Linux 4.14.308 Change-Id: Iad2a41de33ff004df8050f949aa00955604b4cf6 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Fedor Pchelkin
|
5321da6d84 |
nfc: fix memory leak of se_io context in nfc_genl_se_io
[ Upstream commit 25ff6f8a5a3b8dc48e8abda6f013e8cc4b14ffea ]
The callback context for sending/receiving APDUs to/from the selected
secure element is allocated inside nfc_genl_se_io and supposed to be
eventually freed in se_io_cb callback function. However, there are several
error paths where the bwi_timer is not charged to call se_io_cb later, and
the cb_context is leaked.
The patch proposes to free the cb_context explicitly on those error paths.
At the moment we can't simply check 'dev->ops->se_io()' return value as it
may be negative in both cases: when the timer was charged and was not.
Fixes:
|
||
|
Greg Kroah-Hartman
|
524b0e422c |
Merge 4.14.303 into android-4.14-stable
Changes in 4.14.303
libtraceevent: Fix build with binutils 2.35
once: add DO_ONCE_SLOW() for sleepable contexts
mm/khugepaged: fix GUP-fast interaction by sending IPI
mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths
block: unhash blkdev part inode when the part is deleted
nfp: fix use-after-free in area_cache_get()
ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx()
can: sja1000: fix size of OCR_MODE_MASK define
can: mcba_usb: Fix termination command argument
ASoC: ops: Correct bounds check for second channel on SX controls
perf script python: Remove explicit shebang from tests/attr.c
udf: Discard preallocation before extending file with a hole
udf: Drop unused arguments of udf_delete_aext()
udf: Fix preallocation discarding at indirect extent boundary
udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size
udf: Fix extending file within last block
usb: gadget: uvc: Prevent buffer overflow in setup handler
USB: serial: option: add Quectel EM05-G modem
USB: serial: cp210x: add Kamstrup RF sniffer PIDs
igb: Initialize mailbox message for VF reset
Bluetooth: L2CAP: Fix u8 overflow
net: loopback: use NET_NAME_PREDICTABLE for name_assign_type
usb: musb: remove extra check in musb_gadget_vbus_draw
ARM: dts: qcom: apq8064: fix coresight compatible
drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static
arm: dts: spear600: Fix clcd interrupt
soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe
arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name
ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port
ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port
ARM: dts: turris-omnia: Add ethernet aliases
ARM: dts: turris-omnia: Add switch port 6 node
pstore/ram: Fix error return code in ramoops_probe()
ARM: mmp: fix timer_read delay
pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP
tpm/tpm_crb: Fix error message in __crb_relinquish_locality()
cpuidle: dt: Return the correct numbers of parsed idle states
alpha: fix syscall entry in !AUDUT_SYSCALL case
PM: hibernate: Fix mistake in kerneldoc comment
fs: don't audit the capability check in simple_xattr_list()
perf: Fix possible memleak in pmu_dev_alloc()
timerqueue: Use rb_entry_safe() in timerqueue_getnext()
ocfs2: fix memory leak in ocfs2_stack_glue_init()
MIPS: vpe-mt: fix possible memory leak while module exiting
MIPS: vpe-cmp: fix possible memory leak while module exiting
PNP: fix name memory leak in pnp_alloc_dev()
irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe()
libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value
lib/notifier-error-inject: fix error when writing -errno to debugfs file
rapidio: fix possible name leaks when rio_add_device() fails
rapidio: rio: fix possible name leak in rio_register_mport()
ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage()
uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix
x86/xen: Fix memory leak in xen_init_lock_cpu()
platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]()
MIPS: BCM63xx: Add check for NULL for clk in clk_enable
fs: sysv: Fix sysv_nblocks() returns wrong value
rapidio: fix possible UAF when kfifo_alloc() fails
eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD
hfs: Fix OOB Write in hfs_asc2mac
rapidio: devices: fix missing put_device in mport_cdev_open
wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs()
wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb()
media: i2c: ad5820: Fix error path
spi: Update reference to struct spi_controller
media: vivid: fix compose size exceed boundary
mtd: Fix device name leak when register device failed in add_mtd_device()
media: camss: Clean up received buffers on failed start of streaming
drm/radeon: Add the missed acpi_put_table() to fix memory leak
ASoC: pxa: fix null-pointer dereference in filter()
regulator: core: fix unbalanced of node refcount in regulator_dev_lookup()
ima: Fix misuse of dereference of pointer in template_desc_init_fields()
wifi: ath10k: Fix return value in ath10k_pci_init()
mtd: lpddr2_nvm: Fix possible null-ptr-deref
Input: elants_i2c - properly handle the reset GPIO when power is off
media: solo6x10: fix possible memory leak in solo_sysfs_init()
media: platform: exynos4-is: Fix error handling in fimc_md_init()
HID: hid-sensor-custom: set fixed size for custom attributes
ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT
clk: rockchip: Fix memory leak in rockchip_clk_register_pll()
mtd: maps: pxa2xx-flash: fix memory leak in probe
media: imon: fix a race condition in send_packet()
pinctrl: pinconf-generic: add missing of_node_put()
media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer()
media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC
NFSv4.2: Fix a memory stomp in decode_attr_security_label
NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn
ALSA: asihpi: fix missing pci_disable_device()
drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios()
drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios()
ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe
bonding: uninitialized variable in bond_miimon_inspect()
regulator: core: fix module refcount leak in set_supply()
media: saa7164: fix missing pci_disable_device()
ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt
SUNRPC: Fix missing release socket in rpc_sockname()
NFSv4.x: Fail client initialisation if state manager thread can't run
mmc: moxart: fix return value check of mmc_add_host()
mmc: mxcmmc: fix return value check of mmc_add_host()
mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host()
mmc: toshsd: fix return value check of mmc_add_host()
mmc: vub300: fix return value check of mmc_add_host()
mmc: wmt-sdmmc: fix return value check of mmc_add_host()
mmc: via-sdmmc: fix return value check of mmc_add_host()
mmc: wbsd: fix return value check of mmc_add_host()
mmc: mmci: fix return value check of mmc_add_host()
media: c8sectpfe: Add of_node_put() when breaking out of loop
media: coda: Add check for dcoda_iram_alloc
media: coda: Add check for kmalloc
clk: samsung: Fix memory leak in _samsung_clk_register_pll()
wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h
wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware()
blktrace: Fix output non-blktrace event when blk_classic option enabled
net: vmw_vsock: vmci: Check memcpy_from_msg()
net: defxx: Fix missing err handling in dfx_init()
drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init()
ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave()
net: farsync: Fix kmemleak when rmmods farsync
net/tunnel: wait until all sk_user_data reader finish before releasing the sock
net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave()
net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave()
net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave()
net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave()
hamradio: don't call dev_kfree_skb() under spin_lock_irqsave()
net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave()
net: amd-xgbe: Check only the minimum speed for active/passive cables
net: lan9303: Fix read error execution path
ntb_netdev: Use dev_kfree_skb_any() in interrupt context
Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
stmmac: fix potential division by 0
apparmor: fix a memleak in multi_transaction_new()
PCI: Check for alloc failure in pci_request_irq()
RDMA/hfi: Decrease PCI device reference count in error path
RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed
scsi: hpsa: Fix error handling in hpsa_add_sas_host()
scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device()
scsi: fcoe: Fix possible name leak when device_register() fails
scsi: ipr: Fix WARNING in ipr_init()
scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails
scsi: snic: Fix possible UAF in snic_tgt_create()
RDMA/hfi1: Fix error return code in parse_platform_config()
orangefs: Fix sysfs not cleanup when dev init failed
crypto: img-hash - Fix variable dereferenced before check 'hdev->req'
hwrng: amd - Fix PCI device refcount leak
hwrng: geode - Fix PCI device refcount leak
IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces
drivers: dio: fix possible memory leak in dio_init()
class: fix possible memory leak in __class_register()
vfio: platform: Do not pass return buffer to ACPI _RST method
uio: uio_dmem_genirq: Fix missing unlock in irq configuration
uio: uio_dmem_genirq: Fix deadlock between irq config and handling
usb: fotg210-udc: Fix ages old endianness issues
staging: vme_user: Fix possible UAF in tsi148_dma_list_add
serial: amba-pl011: avoid SBSA UART accessing DMACR register
serial: pch: Fix PCI device refcount leak in pch_request_dma()
serial: sunsab: Fix error handling in sunsab_init()
test_firmware: fix memory leak in test_firmware_init()
misc: tifm: fix possible memory leak in tifm_7xx1_switch_media()
misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os
cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter()
cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter()
drivers: mcb: fix resource leak in mcb_probe()
mcb: mcb-parse: fix error handing in chameleon_parse_gdd()
chardev: fix error handling in cdev_device_add()
i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe
staging: rtl8192u: Fix use after free in ieee80211_rx()
staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor()
vme: Fix error not catched in fake_init()
i2c: ismt: Fix an out-of-bounds bug in ismt_access()
usb: storage: Add check for kcalloc
fbdev: ssd1307fb: Drop optional dependency
fbdev: pm2fb: fix missing pci_disable_device()
fbdev: via: Fix error in via_core_init()
fbdev: vermilion: decrease reference count in error path
fbdev: uvesafb: Fixes an error handling path in uvesafb_probe()
HSI: omap_ssi_core: fix unbalanced pm_runtime_disable()
HSI: omap_ssi_core: fix possible memory leak in ssi_probe()
power: supply: fix residue sysfs file in error handle route of __power_supply_register()
HSI: omap_ssi_core: Fix error handling in ssi_init()
include/uapi/linux/swab: Fix potentially missing __always_inline
rtc: snvs: Allow a time difference on clock register read
iommu/amd: Fix pci device refcount leak in ppr_notifier()
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
macintosh: fix possible memory leak in macio_add_one_device()
macintosh/macio-adb: check the return value of ioremap()
powerpc/52xx: Fix a resource leak in an error handling path
cxl: Fix refcount leak in cxl_calc_capp_routing
powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data()
powerpc/perf: callchain validate kernel stack pointer bounds
powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe()
powerpc/hv-gpci: Fix hv_gpci event list
selftests/powerpc: Fix resource leaks
rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe()
nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure
mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave()
nfc: pn533: Clear nfc_target before being used
r6040: Fix kmemleak in probe and remove
openvswitch: Fix flow lookup to use unmasked key
skbuff: Account for tail adjustment during pull operations
net_sched: reject TCF_EM_SIMPLE case for complex ematch module
myri10ge: Fix an error handling path in myri10ge_probe()
net: stream: purge sk_error_queue in sk_stream_kill_queues()
binfmt_misc: fix shift-out-of-bounds in check_special_flags
fs: jfs: fix shift-out-of-bounds in dbAllocAG
udf: Avoid double brelse() in udf_rename()
fs: jfs: fix shift-out-of-bounds in dbDiscardAG
ACPICA: Fix error code path in acpi_ds_call_control_method()
nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset()
acct: fix potential integer overflow in encode_comp_t()
hfs: fix OOB Read in __hfs_brec_find
wifi: ath9k: verify the expected usb_endpoints are present
wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out
ASoC: codecs: rt298: Add quirk for KBL-R RVP platform
ipmi: fix memleak when unload ipmi driver
bpf: make sure skb->len != 0 when redirecting to a tunneling device
net: ethernet: ti: Fix return type of netcp_ndo_start_xmit()
hamradio: baycom_epp: Fix return type of baycom_send_packet()
wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request()
igb: Do not free q_vector unless new one was allocated
s390/ctcm: Fix return type of ctc{mp,}m_tx()
s390/netiucv: Fix return type of netiucv_tx()
s390/lcs: Fix return type of lcs_start_xmit()
drm/sti: Use drm_mode_copy()
md/raid1: stop mdx_raid1 thread when raid1 array run failed
mrp: introduce active flags to prevent UAF when applicant uninit
ppp: associate skb with a device at tx
media: dvb-frontends: fix leak of memory fw
media: dvbdev: adopts refcnt to avoid UAF
media: dvb-usb: fix memory leak in dvb_usb_adapter_init()
blk-mq: fix possible memleak when register 'hctx' failed
mmc: f-sdh30: Add quirks for broken timeout clock capability
media: si470x: Fix use-after-free in si470x_int_in_callback()
clk: st: Fix memory leak in st_of_quadfs_setup()
drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid()
drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid()
orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string()
ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe()
ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume()
ASoC: wm8994: Fix potential deadlock
ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume()
ASoC: rt5670: Remove unbalanced pm_runtime_put()
pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion
pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES
usb: dwc3: core: defer probe on ulpi_read_id timeout
HID: wacom: Ensure bootloader PID is usable in hidraw mode
reiserfs: Add missing calls to reiserfs_security_free()
iio: adc: ad_sigma_delta: do not use internal iio_dev lock
gcov: add support for checksum field
media: dvbdev: fix refcnt bug
powerpc/rtas: avoid device tree lookups in rtas_os_term()
powerpc/rtas: avoid scheduling in rtas_os_term()
HID: plantronics: Additional PIDs for double volume key presses quirk
hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount
ALSA: line6: correct midi status byte when receiving data from podxt
ALSA: line6: fix stack overflow in line6_midi_transmit
pnode: terminate at peers of source
md: fix a crash in mempool_free
mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING
tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak
tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak
media: stv0288: use explicitly signed char
ktest.pl minconfig: Unset configs instead of just removing them
ARM: ux500: do not directly dereference __iomem
selftests: Use optional USERCFLAGS and USERLDFLAGS
dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort
dm thin: Use last transaction's pmd->root when commit failed
dm thin: Fix UAF in run_timer_softirq()
dm cache: Fix UAF in destroy()
dm cache: set needs_check flag after aborting metadata
x86/microcode/intel: Do not retry microcode reloading on the APs
tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line
ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod
media: dvb-core: Fix double free in dvb_register_device()
media: dvb-core: Fix UAF due to refcount races at releasing
cifs: fix confusing debug message
ima: Fix a potential NULL pointer access in ima_restore_measurement_list
PCI: Fix pci_device_is_present() for VFs by checking PF
PCI/sysfs: Fix double free in error path
crypto: n2 - add missing hash statesize
iommu/amd: Fix ivrs_acpihid cmdline parsing code
parisc: led: Fix potential null-ptr-deref in start_task()
device_cgroup: Roll back to original exceptions after copy failure
drm/connector: send hotplug uevent on connector cleanup
drm/vmwgfx: Validate the box size for the snooped cursor
ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop
ext4: fix undefined behavior in bit shift for ext4_check_flag_values
ext4: fix bug_on in __es_tree_search caused by bad boot loader inode
ext4: init quota for 'old.inode' in 'ext4_rename'
ext4: fix error code return to user-space in ext4_get_branch()
ext4: avoid BUG_ON when creating xattrs
ext4: fix inode leak in ext4_xattr_inode_create() on an error path
ext4: initialize quota before expanding inode in setproject ioctl
ext4: avoid unaccounted block allocation when expanding inode
ext4: allocate extended attribute value in vmalloc area
SUNRPC: ensure the matching upcall is in-flight upon downcall
bpf: pull before calling skb_postpull_rcsum()
qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure
nfc: Fix potential resource leaks
net: amd-xgbe: add missed tasklet_kill
net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe
net: sched: atm: dont intepret cls results when asked to drop
usb: rndis_host: Secure rndis_query check against int overflow
caif: fix memory leak in cfctrl_linkup_request()
udf: Fix extension of the last extent in the file
x86/bugs: Flush IBP in ib_prctl_set()
nfsd: fix handling of readdir in v4root vs. mount upcall timeout
hfs/hfsplus: use WARN_ON for sanity check
hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling
parisc: Align parisc MADV_XXX constants with all other architectures
driver core: Fix bus_type.match() error handling in __driver_attach()
ravb: Fix "failed to switch device to config mode" message during unbind
net: sched: disallow noqueue for qdisc classes
docs: Fix the docs build with Sphinx 6.0
perf auxtrace: Fix address filter duplicate symbol selection
s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple()
net/ulp: prevent ULP without clone op from entering the LISTEN status
ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF
platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe
ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
x86/boot: Avoid using Intel mnemonics in AT&T syntax asm
EDAC/device: Fix period calculation in edac_device_reset_delay_period()
regulator: da9211: Use irq handler when ready
hvc/xen: lock console list traversal
nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()
Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout"
Linux 4.14.303
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: If642f7084f2f69491d3104a3a2565bafd19765c9
|
||
|
Minsuk Kang
|
35529d6b82 |
nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame()
[ Upstream commit 9dab880d675b9d0dd56c6428e4e8352a3339371d ]
Fix a use-after-free that occurs in hcd when in_urb sent from
pn533_usb_send_frame() is completed earlier than out_urb. Its callback
frees the skb data in pn533_send_async_complete() that is used as a
transfer buffer of out_urb. Wait before sending in_urb until the
callback of out_urb is called. To modify the callback of out_urb alone,
separate the complete function of out_urb and ack_urb.
Found by a modified version of syzkaller.
BUG: KASAN: use-after-free in dummy_timer
Call Trace:
memcpy (mm/kasan/shadow.c:65)
dummy_perform_transfer (drivers/usb/gadget/udc/dummy_hcd.c:1352)
transfer (drivers/usb/gadget/udc/dummy_hcd.c:1453)
dummy_timer (drivers/usb/gadget/udc/dummy_hcd.c:1972)
arch_static_branch (arch/x86/include/asm/jump_label.h:27)
static_key_false (include/linux/jump_label.h:207)
timer_expire_exit (include/trace/events/timer.h:127)
call_timer_fn (kernel/time/timer.c:1475)
expire_timers (kernel/time/timer.c:1519)
__run_timers (kernel/time/timer.c:1790)
run_timer_softirq (kernel/time/timer.c:1803)
Fixes:
|
||
|
Minsuk Kang
|
61a7e15d55 |
nfc: pn533: Clear nfc_target before being used
[ Upstream commit 9f28157778ede0d4f183f7ab3b46995bb400abbe ] Fix a slab-out-of-bounds read that occurs in nla_put() called from nfc_genl_send_target() when target->sensb_res_len, which is duplicated from an nfc_target in pn533, is too large as the nfc_target is not properly initialized and retains garbage values. Clear nfc_targets with memset() before they are used. Found by a modified version of syzkaller. BUG: KASAN: slab-out-of-bounds in nla_put Call Trace: memcpy nla_put nfc_genl_dump_targets genl_lock_dumpit netlink_dump __netlink_dump_start genl_family_rcv_msg_dumpit genl_rcv_msg netlink_rcv_skb genl_rcv netlink_unicast netlink_sendmsg sock_sendmsg ____sys_sendmsg ___sys_sendmsg __sys_sendmsg do_syscall_64 Fixes: |
||
|
Greg Kroah-Hartman
|
8e45015ccc |
Merge 4.14.301 into android-4.14-stable
Changes in 4.14.301
wifi: mac80211_hwsim: fix debugfs attribute ps with rc table support
audit: fix undefined behavior in bit shift for AUDIT_BIT
wifi: mac80211: Fix ack frame idr leak when mesh has no route
spi: stm32: fix stm32_spi_prepare_mbr() that halves spi clk for every run
MIPS: pic32: treat port as signed integer
af_key: Fix send_acquire race with pfkey_register
ARM: dts: am335x-pcm-953: Define fixed regulators in root node
bus: sunxi-rsb: Support atomic transfers
ARM: dts: at91: sam9g20ek: enable udc vbus gpio pinctrl
nfc/nci: fix race with opening and closing
net: pch_gbe: fix potential memleak in pch_gbe_tx_queue()
9p/fd: fix issue of list_del corruption in p9_fd_cancel()
ARM: mxs: fix memory leak in mxs_machine_init()
net/mlx4: Check retval of mlx4_bitmap_init
net/qla3xxx: fix potential memleak in ql3xxx_send()
xfrm: Fix ignored return value in xfrm6_init()
NFC: nci: fix memory leak in nci_rx_data_packet()
dccp/tcp: Reset saddr on failure after inet6?_hash_connect().
s390/dasd: fix no record found for raw_track_access
nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION
nfc: st-nci: fix memory leaks in EVT_TRANSACTION
net: thunderx: Fix the ACPI memory leak
s390/crashdump: fix TOD programmable field size
nios2: add FORCE for vmlinuz.gz
arm64: dts: rockchip: lower rk3399-puma-haikou SD controller clock frequency
iio: light: apds9960: fix wrong register for gesture gain
iio: core: Fix entry not deleted when iio_register_sw_trigger_type() fails
kconfig: display recursive dependency resolution hint just once
nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty
Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode
serial: 8250: 8250_omap: Avoid RS485 RTS glitch on ->set_termios()
xen/platform-pci: add missing free_irq() in error path
platform/x86: asus-wmi: add missing pci_dev_put() in asus_wmi_set_xusb2pr()
platform/x86: acer-wmi: Enable SW_TABLET_MODE on Switch V 10 (SW5-017)
platform/x86: hp-wmi: Ignore Smart Experience App event
tcp: configurable source port perturb table size
net: usb: qmi_wwan: add Telit 0x103a composition
drm/amdgpu: always register an MMU notifier for userptr
iio: health: afe4403: Fix oob read in afe4403_read_raw
iio: health:
|
||
|
Martin Faltesek
|
606b3b2e99 |
nfc: st-nci: fix memory leaks in EVT_TRANSACTION
[ Upstream commit 440f2ae9c9f06e26f5dcea697a53717fc61a318c ]
Error path does not free previously allocated memory. Add devm_kfree() to
the failure path.
Reported-by: Denis Efremov <denis.e.efremov@oracle.com>
Reviewed-by: Guenter Roeck <groeck@google.com>
Fixes:
|
||
|
Martin Faltesek
|
6f851b0865 |
nfc: st-nci: fix incorrect validating logic in EVT_TRANSACTION
[ Upstream commit c60c152230828825c06e62a8f1ce956d4b659266 ]
The first validation check for EVT_TRANSACTION has two different checks
tied together with logical AND. One is a check for minimum packet length,
and the other is for a valid aid_tag. If either condition is true (fails),
then an error should be triggered. The fix is to change && to ||.
Reported-by: Denis Efremov <denis.e.efremov@oracle.com>
Reviewed-by: Guenter Roeck <groeck@google.com>
Fixes:
|
||
|
Greg Kroah-Hartman
|
e0d945721c |
Merge 4.14.299 into android-4.14-stable
Changes in 4.14.299 NFSv4.1: Handle RECLAIM_COMPLETE trunking errors NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot nfs4: Fix kmemleak when allocate slot failed net: dsa: Fix possible memory leaks in dsa_loop_init() nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send() nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send() net: fec: fix improper use of NETDEV_TX_BUSY ata: pata_legacy: fix pdc20230_set_piomode() net: sched: Fix use after free in red_enqueue() ipvs: use explicitly signed chars rose: Fix NULL pointer dereference in rose_send_frame() mISDN: fix possible memory leak in mISDN_register_device() isdn: mISDN: netjet: fix wrong check of device registration btrfs: fix inode list leak during backref walking at resolve_indirect_refs() btrfs: fix ulist leaks in error paths of qgroup self tests Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del() net: mdio: fix undefined behavior in bit shift for __mdiobus_register net, neigh: Fix null-ptr-deref in neigh_table_clear() media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE media: dvb-frontends/drxk: initialize err to 0 i2c: xiic: Add platform module alias Bluetooth: L2CAP: Fix attempting to access uninitialized memory block, bfq: protect 'bfqd->queued' by 'bfqd->lock' btrfs: fix type of parameter generation in btrfs_get_dentry tcp/udp: Make early_demux back namespacified. capabilities: fix potential memleak on error path from vfs_getxattr_alloc() ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices efi: random: reduce seed size to 32 bytes parisc: Make 8250_gsc driver dependend on CONFIG_PARISC parisc: Export iosapic_serial_irq() symbol for serial port driver ext4: fix warning in 'ext4_da_release_space' KVM: x86: Mask off reserved bits in CPUID.80000008H KVM: x86: emulator: em_sysexit should update ctxt->mode KVM: x86: emulator: introduce emulator_recalc_and_set_mode KVM: x86: emulator: update the emulation mode after CR0 write linux/const.h: prefix include guard of uapi/linux/const.h with _UAPI linux/const.h: move UL() macro to include/linux/const.h linux/bits.h: make BIT(), GENMASK(), and friends available in assembly wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker() Linux 4.14.299 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Id5fc7f49fbfe0ce07862d5484f49035b8c664206 |
||
|
Shang XiaoJing
|
825656ae61 |
nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()
[ Upstream commit 93d904a734a74c54d945a9884b4962977f1176cd ]
nfcmrvl_i2c_nci_send() will be called by nfcmrvl_nci_send(), and skb
should be freed in nfcmrvl_i2c_nci_send(). However, nfcmrvl_nci_send()
will only free skb when i2c_master_send() return >=0, which means skb
will memleak when i2c_master_send() failed. Free skb no matter whether
i2c_master_send() succeeds.
Fixes:
|
||
|
Shang XiaoJing
|
1938b290d4 |
nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send()
[ Upstream commit 3a146b7e3099dc7cf3114f627d9b79291e2d2203 ]
s3fwrn5_nci_send() will call s3fwrn5_i2c_write() or s3fwrn82_uart_write(),
and free the skb if write() failed. However, even if the write() run
succeeds, the skb will not be freed in write(). As the result, the skb
will memleak. s3fwrn5_nci_send() should also free the skb when write()
succeeds.
Fixes:
|
||
|
vinay
|
90b75ee86e |
msm: nfc: maxim nfc driver
Implementation for maxim nfc driver. Change-Id: I66f3c07a2aa3bbbc52788bc7ceb31e0a94e32502 Signed-off-by: vinay <quic_vinak@quicinc.com> |
||
|
Greg Kroah-Hartman
|
73f6c0fdd9 |
Merge 4.14.289 into android-4.14-stable
Changes in 4.14.289 ALSA: hda - Add fixup for Dell Latitidue E5430 ALSA: hda/conexant: Apply quirk for another HP ProDesk 600 G3 model xen/netback: avoid entering xenvif_rx_next_skb() with an empty rx queue net: sock: tracing: Fix sock_exceed_buf_limit not to dereference stale pointer ARM: 9213/1: Print message about disabled Spectre workarounds only once ARM: 9214/1: alignment: advance IT state after emulating Thumb instruction cgroup: Use separate src/dst nodes when preloading css_sets for migration nilfs2: fix incorrect masking of permission flags for symlinks net: dsa: bcm_sf2: force pause link settings xhci: bail out early if driver can't accress host in resume xhci: make xhci_handshake timeout for xhci_reset() adjustable ARM: 9209/1: Spectre-BHB: avoid pr_info() every time a CPU comes out of idle inetpeer: Fix data-races around sysctl. net: Fix data-races around sysctl_mem. cipso: Fix data-races around sysctl. icmp: Fix data-races around sysctl. ARM: dts: sunxi: Fix SPI NOR campatible on Orange Pi Zero icmp: Fix a data-race around sysctl_icmp_ratelimit. icmp: Fix a data-race around sysctl_icmp_ratemask. ipv4: Fix data-races around sysctl_ip_dynaddr. sfc: fix use after free when disabling sriov seg6: fix skb checksum evaluation in SRH encapsulation/insertion seg6: fix skb checksum in SRv6 End.B6 and End.B6.Encaps behaviors sfc: fix kernel panic when creating VF virtio_mmio: Add missing PM calls to freeze/restore virtio_mmio: Restore guest page size on resume netfilter: br_netfilter: do not skip all hooks with 0 priority cpufreq: pmac32-cpufreq: Fix refcount leak bug platform/x86: hp-wmi: Ignore Sanitization Mode event net: tipc: fix possible refcount leak in tipc_sk_create() NFC: nxp-nci: don't print header length mismatch on i2c error net: sfp: fix memory leak in sfp_probe() ASoC: ops: Fix off by one in range control validation ASoC: wm5110: Fix DRE control irqchip: or1k-pic: Undefine mask_ack for level triggered hardware x86: Clear .brk area at early boot signal handling: don't use BUG_ON() for debugging USB: serial: ftdi_sio: add Belimo device ids usb: dwc3: gadget: Fix event pending check tty: serial: samsung_tty: set dma burst_size to 1 serial: 8250: fix return error code in serial8250_request_std_resource() mm: invalidate hwpoison page cache page in fault path can: m_can: m_can_tx_handler(): fix use after free of skb Linux 4.14.289 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I1e9b12a81151982c15f4a71b01aff2f1ad2eb7e5 |
||
|
Michael Walle
|
6bfe44465f |
NFC: nxp-nci: don't print header length mismatch on i2c error
[ Upstream commit 9577fc5fdc8b07b891709af6453545db405e24ad ] Don't print a misleading header length mismatch error if the i2c call returns an error. Instead just return the error code without any error message. Signed-off-by: Michael Walle <michael@walle.cc> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
0069fed6df |
Merge 4.14.287 into android-4.14-stable
Changes in 4.14.287 nvdimm: Fix badblocks clear off-by-one error dm raid: fix accesses beyond end of raid member array dm raid: fix KASAN warning in raid5_add_disks s390/archrandom: simplify back to earlier design and initialize earlier SUNRPC: Fix READ_PLUS crasher net: rose: fix UAF bugs caused by timer handler net: usb: ax88179_178a: Fix packet receiving RDMA/qedr: Fix reporting QP timeout attribute usbnet: fix memory allocation in helpers net: ipv6: unexport __init-annotated seg6_hmac_net_init() caif_virtio: fix race between virtio_device_ready() and ndo_open() netfilter: nft_dynset: restore set element counter when failing to update net: bonding: fix possible NULL deref in rlb code net: bonding: fix use-after-free after 802.3ad slave unbind nfc: nfcmrvl: Fix irq_of_parse_and_map() return value NFC: nxp-nci: Don't issue a zero length i2c_master_read() xen/gntdev: Avoid blocking in unmap_grant_pages() hwmon: (ibmaem) don't call platform_device_del() if platform_device_add() fails sit: use min ipv6/sit: fix ipip6_tunnel_get_prl return value net: Rename and export copy_skb_header xen/blkfront: fix leaking data in shared pages xen/netfront: fix leaking data in shared pages xen/netfront: force data bouncing when backend is untrusted xen/blkfront: force data bouncing when backend is untrusted xen/arm: Fix race in RB-tree based P2M accounting net: usb: qmi_wwan: add Telit 0x1060 composition net: usb: qmi_wwan: add Telit 0x1070 composition Linux 4.14.287 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I974462e48fbda757f8360d41f33373954d792eb3 |
||
|
Michael Walle
|
28d23c3b6b |
NFC: nxp-nci: Don't issue a zero length i2c_master_read()
commit eddd95b9423946aaacb55cac6a9b2cea8ab944fc upstream.
There are packets which doesn't have a payload. In that case, the second
i2c_master_read() will have a zero length. But because the NFC
controller doesn't have any data left, it will NACK the I2C read and
-ENXIO will be returned. In case there is no payload, just skip the
second i2c master read.
Fixes:
|
||
|
Krzysztof Kozlowski
|
37b51fe7f4 |
nfc: nfcmrvl: Fix irq_of_parse_and_map() return value
commit 5a478a653b4cca148d5c89832f007ec0809d7e6d upstream.
The irq_of_parse_and_map() returns 0 on failure, not a negative ERRNO.
Reported-by: Lv Ruyi <lv.ruyi@zte.com.cn>
Fixes:
|
||
|
Eric Biggers
|
d73f58abbf |
Merge 4.14.285 into android-4.14-stable
Changes in 4.14.285
9p: missing chunk of "fs/9p: Don't update file type when updating file attributes"
crypto: chacha20 - Fix keystream alignment for chacha20_block()
random: always fill buffer in get_random_bytes_wait
random: optimize add_interrupt_randomness
drivers/char/random.c: remove unused dont_count_entropy
random: Fix whitespace pre random-bytes work
random: Return nbytes filled from hw RNG
random: add a config option to trust the CPU's hwrng
random: remove preempt disabled region
random: Make crng state queryable
random: make CPU trust a boot parameter
drivers/char/random.c: constify poolinfo_table
drivers/char/random.c: remove unused stuct poolinfo::poolbits
drivers/char/random.c: make primary_crng static
random: only read from /dev/random after its pool has received 128 bits
random: move rand_initialize() earlier
random: document get_random_int() family
latent_entropy: avoid build error when plugin cflags are not set
random: fix soft lockup when trying to read from an uninitialized blocking pool
random: Support freezable kthreads in add_hwgenerator_randomness()
fdt: add support for rng-seed
random: Use wait_event_freezable() in add_hwgenerator_randomness()
char/random: Add a newline at the end of the file
Revert "hwrng: core - Freeze khwrng thread during suspend"
crypto: Deduplicate le32_to_cpu_array() and cpu_to_le32_array()
crypto: blake2s - generic C library implementation and selftest
lib/crypto: blake2s: move hmac construction into wireguard
lib/crypto: sha1: re-roll loops to reduce code size
random: Don't wake crng_init_wait when crng_init == 1
random: Add a urandom_read_nowait() for random APIs that don't warn
random: add GRND_INSECURE to return best-effort non-cryptographic bytes
random: ignore GRND_RANDOM in getentropy(2)
random: make /dev/random be almost like /dev/urandom
char/random: silence a lockdep splat with printk()
random: fix crash on multiple early calls to add_bootloader_randomness()
random: remove the blocking pool
random: delete code to pull data into pools
random: remove kernel.random.read_wakeup_threshold
random: remove unnecessary unlikely()
random: convert to ENTROPY_BITS for better code readability
random: Add and use pr_fmt()
random: fix typo in add_timer_randomness()
random: remove some dead code of poolinfo
random: split primary/secondary crng init paths
random: avoid warnings for !CONFIG_NUMA builds
x86: Remove arch_has_random, arch_has_random_seed
powerpc: Remove arch_has_random, arch_has_random_seed
s390: Remove arch_has_random, arch_has_random_seed
linux/random.h: Remove arch_has_random, arch_has_random_seed
linux/random.h: Use false with bool
linux/random.h: Mark CONFIG_ARCH_RANDOM functions __must_check
powerpc: Use bool in archrandom.h
random: add arch_get_random_*long_early()
random: avoid arch_get_random_seed_long() when collecting IRQ randomness
random: remove dead code left over from blocking pool
MAINTAINERS: co-maintain random.c
crypto: blake2s - include <linux/bug.h> instead of <asm/bug.h>
crypto: blake2s - adjust include guard naming
random: document add_hwgenerator_randomness() with other input functions
random: remove unused irq_flags argument from add_interrupt_randomness()
random: use BLAKE2s instead of SHA1 in extraction
random: do not sign extend bytes for rotation when mixing
random: do not re-init if crng_reseed completes before primary init
random: mix bootloader randomness into pool
random: harmonize "crng init done" messages
random: use IS_ENABLED(CONFIG_NUMA) instead of ifdefs
random: initialize ChaCha20 constants with correct endianness
random: early initialization of ChaCha constants
random: avoid superfluous call to RDRAND in CRNG extraction
random: don't reset crng_init_cnt on urandom_read()
random: fix typo in comments
random: cleanup poolinfo abstraction
crypto: chacha20 - Fix chacha20_block() keystream alignment (again)
random: cleanup integer types
random: remove incomplete last_data logic
random: remove unused extract_entropy() reserved argument
random: try to actively add entropy rather than passively wait for it
random: rather than entropy_store abstraction, use global
random: remove unused OUTPUT_POOL constants
random: de-duplicate INPUT_POOL constants
random: prepend remaining pool constants with POOL_
random: cleanup fractional entropy shift constants
random: access input_pool_data directly rather than through pointer
random: simplify arithmetic function flow in account()
random: continually use hwgenerator randomness
random: access primary_pool directly rather than through pointer
random: only call crng_finalize_init() for primary_crng
random: use computational hash for entropy extraction
random: simplify entropy debiting
random: use linear min-entropy accumulation crediting
random: always wake up entropy writers after extraction
random: make credit_entropy_bits() always safe
random: remove use_input_pool parameter from crng_reseed()
random: remove batched entropy locking
random: fix locking in crng_fast_load()
random: use RDSEED instead of RDRAND in entropy extraction
random: inline leaves of rand_initialize()
random: ensure early RDSEED goes through mixer on init
random: do not xor RDRAND when writing into /dev/random
random: absorb fast pool into input pool after fast load
random: use hash function for crng_slow_load()
random: remove outdated INT_MAX >> 6 check in urandom_read()
random: zero buffer after reading entropy from userspace
random: tie batched entropy generation to base_crng generation
random: remove ifdef'd out interrupt bench
random: remove unused tracepoints
random: add proper SPDX header
random: deobfuscate irq u32/u64 contributions
random: introduce drain_entropy() helper to declutter crng_reseed()
random: remove useless header comment
random: remove whitespace and reorder includes
random: group initialization wait functions
random: group entropy extraction functions
random: group entropy collection functions
random: group userspace read/write functions
random: group sysctl functions
random: rewrite header introductory comment
random: defer fast pool mixing to worker
random: do not take pool spinlock at boot
random: unify early init crng load accounting
random: check for crng_init == 0 in add_device_randomness()
random: pull add_hwgenerator_randomness() declaration into random.h
random: clear fast pool, crng, and batches in cpuhp bring up
random: round-robin registers as ulong, not u32
random: only wake up writers after zap if threshold was passed
random: cleanup UUID handling
random: unify cycles_t and jiffies usage and types
random: do crng pre-init loading in worker rather than irq
random: give sysctl_random_min_urandom_seed a more sensible value
random: don't let 644 read-only sysctls be written to
random: replace custom notifier chain with standard one
random: use SipHash as interrupt entropy accumulator
random: make consistent usage of crng_ready()
random: reseed more often immediately after booting
random: check for signal and try earlier when generating entropy
random: skip fast_init if hwrng provides large chunk of entropy
random: treat bootloader trust toggle the same way as cpu trust toggle
random: re-add removed comment about get_random_{u32,u64} reseeding
random: mix build-time latent entropy into pool at init
random: do not split fast init input in add_hwgenerator_randomness()
random: do not allow user to keep crng key around on stack
random: check for signal_pending() outside of need_resched() check
random: check for signals every PAGE_SIZE chunk of /dev/[u]random
random: make random_get_entropy() return an unsigned long
random: document crng_fast_key_erasure() destination possibility
random: fix sysctl documentation nits
init: call time_init() before rand_initialize()
ia64: define get_cycles macro for arch-override
s390: define get_cycles macro for arch-override
parisc: define get_cycles macro for arch-override
alpha: define get_cycles macro for arch-override
powerpc: define get_cycles macro for arch-override
timekeeping: Add raw clock fallback for random_get_entropy()
m68k: use fallback for random_get_entropy() instead of zero
mips: use fallback for random_get_entropy() instead of just c0 random
arm: use fallback for random_get_entropy() instead of zero
nios2: use fallback for random_get_entropy() instead of zero
x86/tsc: Use fallback for random_get_entropy() instead of zero
um: use fallback for random_get_entropy() instead of zero
sparc: use fallback for random_get_entropy() instead of zero
xtensa: use fallback for random_get_entropy() instead of zero
random: insist on random_get_entropy() existing in order to simplify
random: do not use batches when !crng_ready()
random: do not pretend to handle premature next security model
random: order timer entropy functions below interrupt functions
random: do not use input pool from hard IRQs
random: help compiler out with fast_mix() by using simpler arguments
siphash: use one source of truth for siphash permutations
random: use symbolic constants for crng_init states
random: avoid initializing twice in credit race
random: remove ratelimiting for in-kernel unseeded randomness
random: use proper jiffies comparison macro
random: handle latent entropy and command line from random_init()
random: credit architectural init the exact amount
random: use static branch for crng_ready()
random: remove extern from functions in header
random: use proper return types on get_random_{int,long}_wait()
random: move initialization functions out of hot pages
random: move randomize_page() into mm where it belongs
random: convert to using fops->write_iter()
random: wire up fops->splice_{read,write}_iter()
random: check for signals after page of pool writes
Revert "random: use static branch for crng_ready()"
crypto: drbg - add FIPS 140-2 CTRNG for noise source
crypto: drbg - always seeded with SP800-90B compliant noise source
crypto: drbg - prepare for more fine-grained tracking of seeding state
crypto: drbg - track whether DRBG was seeded with !rng_is_initialized()
crypto: drbg - move dynamic ->reseed_threshold adjustments to __drbg_seed()
crypto: drbg - always try to free Jitter RNG instance
crypto: drbg - make reseeding from get_random_bytes() synchronous
random: avoid checking crng_ready() twice in random_init()
random: mark bootloader randomness code as __init
random: account for arch randomness in bits
ASoC: cs42l52: Fix TLV scales for mixer controls
ASoC: cs53l30: Correct number of volume levels on SX controls
ASoC: cs42l52: Correct TLV for Bypass Volume
ASoC: cs42l56: Correct typo in minimum level for SX volume controls
ata: libata-core: fix NULL pointer deref in ata_host_alloc_pinfo()
ASoC: wm8962: Fix suspend while playing music
scsi: vmw_pvscsi: Expand vcpuHint to 16 bits
scsi: lpfc: Fix port stuck in bypassed state after LIP in PT2PT topology
scsi: ipr: Fix missing/incorrect resource cleanup in error case
scsi: pmcraid: Fix missing resource cleanup in error case
virtio-mmio: fix missing put_device() when vm_cmdline_parent registration failed
nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred
ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg
net: ethernet: mtk_eth_soc: fix misuse of mem alloc interface netdev[napi]_alloc_frag
random: credit cpu and bootloader seeds by default
pNFS: Don't keep retrying if the server replied NFS4ERR_LAYOUTUNAVAILABLE
i40e: Fix call trace in setup_tx_descriptors
tty: goldfish: Fix free_irq() on remove
misc: atmel-ssc: Fix IRQ check in ssc_probe
net: bgmac: Fix an erroneous kfree() in bgmac_remove()
arm64: ftrace: fix branch range checks
certs/blacklist_hashes.c: fix const confusion in certs blacklist
irqchip/gic/realview: Fix refcount leak in realview_gic_of_init
comedi: vmk80xx: fix expression for tx buffer size
USB: serial: option: add support for Cinterion MV31 with new baseline
USB: serial: io_ti: add Agilent E5805A support
usb: dwc2: Fix memory leak in dwc2_hcd_init
usb: gadget: lpc32xx_udc: Fix refcount leak in lpc32xx_udc_probe
serial: 8250: Store to lsr_save_flags after lsr read
ext4: fix bug_on ext4_mb_use_inode_pa
ext4: make variable "count" signed
ext4: add reserved GDT blocks check
virtio-pci: Remove wrong address verification in vp_del_vqs()
l2tp: don't use inet_shutdown on ppp session destroy
l2tp: fix race in pppol2tp_release with session object destroy
s390/mm: use non-quiescing sske for KVM switch to keyed guest
usb: gadget: u_ether: fix regression in setting fixed MAC address
xprtrdma: fix incorrect header size calculations
tcp: add some entropy in __inet_hash_connect()
tcp: use different parts of the port_offset for index and offset
tcp: add small random increments to the source port
tcp: dynamically allocate the perturb table used by source ports
tcp: increase source port perturb table to 2^16
tcp: drop the hash_32() part from the index calculation
Linux 4.14.285
Conflicts:
crypto/chacha20_generic.c
drivers/char/random.c
drivers/of/fdt.c
include/crypto/chacha20.h
lib/chacha20.c
Merge resolution notes:
- Added CHACHA20_KEY_SIZE and CHACHA20_BLOCK_SIZE constants to
chacha.h, to minimize changes from the 4.14.285 version of random.c
- Updated lib/vsprintf.c for
"random: replace custom notifier chain with standard one".
Change-Id: I6a4ca9b12ed23f76bac6c4c9e6306e2b354e2752
Signed-off-by: Eric Biggers <ebiggers@google.com>
|
||
|
Xiaohui Zhang
|
f21f908347 |
nfc: nfcmrvl: Fix memory leak in nfcmrvl_play_deferred
[ Upstream commit 8a4d480702b71184fabcf379b80bf7539716752e ]
Similar to the handling of play_deferred in commit
|
||
|
Greg Kroah-Hartman
|
bc1a5b8c02 |
Merge 4.14.283 into android-4.14-stable
Changes in 4.14.283
binfmt_flat: do not stop relocating GOT entries prematurely on riscv
USB: serial: option: add Quectel BG95 modem
USB: new quirk for Dell Gen 2 devices
ptrace/xtensa: Replace PT_SINGLESTEP with TIF_SINGLESTEP
ptrace: Reimplement PTRACE_KILL by always sending SIGKILL
btrfs: add "0x" prefix for unsupported optional features
btrfs: repair super block num_devices automatically
drm/virtio: fix NULL pointer dereference in virtio_gpu_conn_get_modes
mwifiex: add mutex lock for call in mwifiex_dfs_chan_sw_work_queue
b43legacy: Fix assigning negative value to unsigned variable
b43: Fix assigning negative value to unsigned variable
ipw2x00: Fix potential NULL dereference in libipw_xmit()
ACPICA: Avoid cache flush inside virtual machines
ALSA: jack: Access input_dev under mutex
drm/amd/pm: fix double free in si_parse_power_table()
ath9k: fix QCA9561 PA bias level
media: venus: hfi: avoid null dereference in deinit
media: pci: cx23885: Fix the error handling in cx23885_initdev()
media: cx25821: Fix the warning when removing the module
scsi: megaraid: Fix error check return value of register_chrdev()
drm/amd/pm: fix the compile warning
ipv6: Don't send rs packets to the interface of ARPHRD_TUNNEL
ASoC: dapm: Don't fold register value changes into notifications
s390/preempt: disable __preempt_count_add() optimization for PROFILE_ALL_BRANCHES
dma-debug: change allocation mode from GFP_NOWAIT to GFP_ATIOMIC
ipmi:ssif: Check for NULL msg when handling events and messages
rtlwifi: Use pr_warn instead of WARN_ONCE
openrisc: start CPU timer early in boot
nvme-pci: fix a NULL pointer dereference in nvme_alloc_admin_tags
ASoC: rt5645: Fix errorenous cleanup order
net: phy: micrel: Allow probing without .driver_data
media: exynos4-is: Fix compile warning
rxrpc: Return an error to sendmsg if call failed
eth: tg3: silence the GCC 12 array-bounds warning
ARM: dts: ox820: align interrupt controller node name with dtschema
fs: jfs: fix possible NULL pointer dereference in dbFree()
ARM: OMAP1: clock: Fix UART rate reporting algorithm
fat: add ratelimit to fat*_ent_bread()
ARM: versatile: Add missing of_node_put in dcscb_init
ARM: dts: exynos: add atmel,24c128 fallback to Samsung EEPROM
ARM: hisi: Add missing of_node_put after of_find_compatible_node
PCI: Avoid pci_dev_lock() AB/BA deadlock with sriov_numvfs_store()
tracing: incorrect isolate_mote_t cast in mm_vmscan_lru_isolate
powerpc/xics: fix refcount leak in icp_opal_init()
macintosh/via-pmu: Fix build failure when CONFIG_INPUT is disabled
RDMA/hfi1: Prevent panic when SDMA is disabled
drm: fix EDID struct for old ARM OABI format
ath9k: fix ar9003_get_eepmisc
ASoC: mediatek: Fix error handling in mt8173_max98090_dev_probe
ASoC: mediatek: Fix missing of_node_put in mt2701_wm8960_machine_probe
x86/delay: Fix the wrong asm constraint in delay_loop()
drm/mediatek: Fix mtk_cec_mask()
spi: spi-ti-qspi: Fix return value handling of wait_for_completion_timeout
NFC: NULL out the dev->rfkill to prevent UAF
efi: Add missing prototype for efi_capsule_setup_info
HID: hid-led: fix maximum brightness for Dream Cheeky
spi: img-spfi: Fix pm_runtime_get_sync() error checking
ath9k_htc: fix potential out of bounds access with invalid rxstatus->rs_keyix
inotify: show inotify mask flags in proc fdinfo
fsnotify: fix wrong lockdep annotations
x86/pm: Fix false positive kmemleak report in msr_build_context()
drm/msm/dsi: fix error checks and return values for DSI xmit functions
drm/msm/hdmi: check return value after calling platform_get_resource_byname()
drm/rockchip: vop: fix possible null-ptr-deref in vop_bind()
x86: Fix return value of __setup handlers
irqchip/aspeed-i2c-ic: Fix irq_of_parse_and_map() return value
x86/mm: Cleanup the control_va_addr_alignment() __setup handler
drm/msm: return an error pointer in msm_gem_prime_get_sg_table()
media: uvcvideo: Fix missing check to determine if element is found in list
ASoC: mxs-saif: Fix refcount leak in mxs_saif_probe
regulator: pfuze100: Fix refcount leak in pfuze_parse_regulators_dt
media: st-delta: Fix PM disable depth imbalance in delta_probe
media: exynos4-is: Change clk_disable to clk_disable_unprepare
media: pvrusb2: fix array-index-out-of-bounds in pvr2_i2c_core_init
Bluetooth: fix dangling sco_conn and use-after-free in sco_sock_timeout
m68k: math-emu: Fix dependencies of math emulation support
sctp: read sk->sk_bound_dev_if once in sctp_rcv()
ASoC: wm2000: fix missing clk_disable_unprepare() on error in wm2000_anc_transition()
rxrpc: Fix listen() setting the bar too high for the prealloc rings
rxrpc: Don't try to resend the request if we're receiving the reply
soc: qcom: smp2p: Fix missing of_node_put() in smp2p_parse_ipc
soc: qcom: smsm: Fix missing of_node_put() in smsm_parse_ipc
ARM: dts: bcm2835-rpi-zero-w: Fix GPIO line name for Wifi/BT
ARM: dts: bcm2835-rpi-b: Fix GPIO line names
mfd: ipaq-micro: Fix error check return value of platform_get_irq()
scsi: fcoe: Fix Wstringop-overflow warnings in fcoe_wwn_from_mac()
pinctrl: mvebu: Fix irq_of_parse_and_map() return value
drivers/base/node.c: fix compaction sysfs file leak
powerpc/8xx: export 'cpm_setbrg' for modules
powerpc/idle: Fix return value of __setup() handler
powerpc/4xx/cpm: Fix return value of __setup() handler
tty: fix deadlock caused by calling printk() under tty_port->lock
Input: sparcspkr - fix refcount leak in bbc_beep_probe
powerpc/perf: Fix the threshold compare group constraint for power9
powerpc/fsl_rio: Fix refcount leak in fsl_rio_setup
mailbox: forward the hrtimer if not queued and under a lock
iommu/mediatek: Add list_del in mtk_iommu_remove
video: fbdev: clcdfb: Fix refcount leak in clcdfb_of_vram_setup
iommu/amd: Increase timeout waiting for GA log enablement
perf c2c: Use stdio interface if slang is not supported
perf jevents: Fix event syntax error caused by ExtSel
wifi: mac80211: fix use-after-free in chanctx code
iwlwifi: mvm: fix assert 1F04 upon reconfig
fs-writeback: writeback_sb_inodes:Recalculate 'wrote' according skipped pages
ext4: fix use-after-free in ext4_rename_dir_prepare
ext4: fix bug_on in ext4_writepages
ext4: verify dir block before splitting it
ext4: avoid cycles in directory h-tree
dlm: fix plock invalid read
dlm: fix missing lkb refcount handling
ocfs2: dlmfs: fix error handling of user_dlm_destroy_lock
scsi: dc395x: Fix a missing check on list iterator
scsi: ufs: qcom: Add a readl() to make sure ref_clk gets enabled
drm/amdgpu/cs: make commands with 0 chunks illegal behaviour.
drm/nouveau/clk: Fix an incorrect NULL check on list iterator
drm/bridge: analogix_dp: Grab runtime PM reference for DP-AUX
md: fix an incorrect NULL check in does_sb_need_changing
md: fix an incorrect NULL check in md_reload_sb
RDMA/hfi1: Fix potential integer multiplication overflow errors
irqchip/armada-370-xp: Do not touch Performance Counter Overflow on A375, A38x, A39x
irqchip: irq-xtensa-mx: fix initial IRQ affinity
mac80211: upgrade passive scan to active scan on DFS channels after beacon rx
um: chan_user: Fix winch_tramp() return value
um: Fix out-of-bounds read in LDT setup
iommu/msm: Fix an incorrect NULL check on list iterator
nodemask.h: fix compilation error with GCC12
hugetlb: fix huge_pmd_unshare address update
rtl818x: Prevent using not initialized queues
ASoC: rt5514: Fix event generation for "DSP Voice Wake Up" control
carl9170: tx: fix an incorrect use of list iterator
gma500: fix an incorrect NULL check on list iterator
arm64: dts: qcom: ipq8074: fix the sleep clock frequency
phy: qcom-qmp: fix struct clk leak on probe errors
docs/conf.py: Cope with removal of language=None in Sphinx 5.0.0
dt-bindings: gpio: altera: correct interrupt-cells
phy: qcom-qmp: fix reset-controller leak on probe errors
RDMA/rxe: Generate a completion for unsupported/invalid opcode
MIPS: IP27: Remove incorrect `cpu_has_fpu' override
netfilter: nf_tables: disallow non-stateful expression in sets earlier
pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
staging: greybus: codecs: fix type confusion of list iterator variable
tty: goldfish: Use tty_port_destroy() to destroy port
usb: usbip: fix a refcount leak in stub_probe()
usb: usbip: add missing device lock on tweak configuration cmd
USB: storage: karma: fix rio_karma_init return
pwm: lp3943: Fix duty calculation in case period was clamped
rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
coresight: cpu-debug: Replace mutex with mutex_trylock on panic notifier
soc: rockchip: Fix refcount leak in rockchip_grf_init
rtc: mt6397: check return value after calling platform_get_resource()
serial: meson: acquire port->lock in startup()
serial: digicolor-usart: Don't allow CS5-6
serial: txx9: Don't allow CS5-6
serial: sh-sci: Don't allow CS5-6
serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value
net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()
net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register
modpost: fix removing numeric suffixes
jffs2: fix memory leak in jffs2_do_fill_super
ubi: ubi_create_volume: Fix use-after-free when volume creation failed
tcp: tcp_rtx_synack() can be called from process context
perf c2c: Fix sorting in percent_rmt_hitm_cmp()
mips: cpc: Fix refcount leak in mips_cpc_default_phys_base
tracing: Fix sleeping function called from invalid context on RT kernel
tracing: Avoid adding tracer option before update_tracer_options
i2c: cadence: Increase timeout per message if necessary
m68knommu: set ZERO_PAGE() to the allocated zeroed page
m68knommu: fix undefined reference to `_init_sp'
video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()
xprtrdma: treat all calls not a bcall when bc_serv is NULL
ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe
net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure
SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()
net: mdio: unexport __init-annotated mdio_bus_init()
net: xfrm: unexport __init-annotated xfrm4_protocol_init()
net: ipv6: unexport __init-annotated seg6_hmac_init()
net: altera: Fix refcount leak in altera_tse_mdio_create
drm: imx: fix compiler warning with gcc-12
iio: dummy: iio_simple_dummy: check the return value of kstrdup()
lkdtm/usercopy: Expand size of "out of frame" object
tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()
tty: Fix a possible resource leak in icom_probe
drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()
USB: host: isp116x: check return value after calling platform_get_resource()
drivers: tty: serial: Fix deadlock in sa1100_set_termios()
drivers: usb: host: Fix deadlock in oxu_bus_suspend()
USB: hcd-pci: Fully suspend across freeze/thaw cycle
usb: dwc2: gadget: don't reset gadget's driver->bus
misc: rtsx: set NULL intfdata when probe fails
extcon: Modify extcon device to be created after driver data is set
clocksource/drivers/sp804: Avoid error on multiple instances
staging: rtl8712: fix uninit-value in r871xu_drv_init()
serial: msm_serial: disable interrupts in __msm_console_write()
kernfs: Separate kernfs_pr_cont_buf and rename_lock.
md: protect md_unregister_thread from reentrancy
Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"
drm/radeon: fix a possible null pointer dereference
modpost: fix undefined behavior of is_arm_mapping_symbol()
nbd: call genl_unregister_family() first in nbd_cleanup()
nbd: fix race between nbd_alloc_config() and module removal
nbd: fix io hung while disconnecting device
nodemask: Fix return values to be unsigned
vringh: Fix loop descriptors check in the indirect cases
ALSA: hda/conexant - Fix loopback issue with CX20632
cifs: return errors during session setup during reconnects
ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files
nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
ixgbe: fix bcast packets Rx on VF after promisc removal
ixgbe: fix unexpected VLAN Rx in promisc mode on VF
Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
powerpc/32: Fix overread/overwrite of thread_struct via ptrace
md/raid0: Ignore RAID0 layout if the second zone has only one device
mtd: cfi_cmdset_0002: Move and rename chip_check/chip_ready/chip_good_for_write
mtd: cfi_cmdset_0002: Use chip_ready() for write on S29GL064N
PCI: qcom: Fix unbalanced PHY init on probe errors
tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd
Linux 4.14.283
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ied22d0825be1474eb1388684d690c7c40d8fe891
|
||
|
Martin Faltesek
|
d221ce54ce |
nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
commit 996419e0594abb311fb958553809f24f38e7abbe upstream.
Error paths do not free previously allocated memory. Add devm_kfree() to
those failure paths.
Fixes:
|
||
|
Martin Faltesek
|
03878a8674 |
nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
commit 77e5fe8f176a525523ae091d6fd0fbb8834c156d upstream.
The first validation check for EVT_TRANSACTION has two different checks
tied together with logical AND. One is a check for minimum packet length,
and the other is for a valid aid_tag. If either condition is true (fails),
then an error should be triggered. The fix is to change && to ||.
Fixes:
|
||
|
Greg Kroah-Hartman
|
8b585d4c16 |
Merge 4.14.278 into android-4.14-stable
Changes in 4.14.278 floppy: disable FDRAWCMD by default hamradio: defer 6pack kfree after unregister_netdev hamradio: remove needs_free_netdev to avoid UAF net/sched: cls_u32: fix netns refcount changes in u32_change() Revert "net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link" lightnvm: disable the subsystem usb: mtu3: fix USB 3.0 dual-role-switch from device to host USB: quirks: add a Realtek card reader USB: quirks: add STRING quirk for VCOM device USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader USB: serial: option: add support for Cinterion MV32-WA/MV32-WB USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions xhci: stop polling roothubs after shutdown iio: dac: ad5592r: Fix the missing return value. iio: dac: ad5446: Fix read_raw not returning set value iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on() usb: misc: fix improper handling of refcount in uss720_probe() usb: gadget: uvc: Fix crash when encoding data for usb request usb: gadget: configfs: clear deactivation flag in configfs_composite_unbind() serial: 8250: Also set sticky MCR bits in console restoration serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device hex2bin: make the function hex_to_bin constant-time hex2bin: fix access beyond string end USB: Fix xhci event ring dequeue pointer ERDP update issue ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe phy: samsung: exynos5250-sata: fix missing device put in probe error paths ARM: OMAP2+: Fix refcount leak in omap_gic_of_init ARM: dts: Fix mmc order for omap3-gta04 ipvs: correctly print the memory size of ip_vs_conn_tab mtd: rawnand: Fix return value check of wait_for_completion_timeout sctp: check asoc strreset_chunk in sctp_generate_reconf_event pinctrl: pistachio: fix use of irq_of_parse_and_map() ip_gre: Make o_seqno start from 0 in native mode tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create() clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource() net: bcmgenet: hide status block before TX timestamping bnx2x: fix napi API usage sequence ASoC: wm8731: Disable the regulator when probing fails x86: __memcpy_flushcache: fix wrong alignment if size > 2^32 cifs: destage any unwritten data to the server before calling copychunk_write drivers: net: hippi: Fix deadlock in rr_close() x86/cpu: Load microcode during restore_processor_state() tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2 tty: n_gsm: fix malformed counter for out of frame data tty: n_gsm: fix insufficient txframe size tty: n_gsm: fix missing explicit ldisc flush tty: n_gsm: fix wrong command retry handling tty: n_gsm: fix wrong command frame length field encoding tty: n_gsm: fix incorrect UA handling drm/vgem: Close use-after-free race in vgem_gem_create MIPS: Fix CP0 counter erratum detection for R4k CPUs parisc: Merge model and model name into one line in /proc/cpuinfo ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes Revert "SUNRPC: attempt AF_LOCAL connect on setup" firewire: fix potential uaf in outbound_phy_packet_callback() firewire: remove check of list iterator against head past the loop body firewire: core: extend card->lock in fw_core_handle_bus_reset ASoC: wm8958: Fix change notifications for DSP controls can: grcan: grcan_close(): fix deadlock can: grcan: use ofdev->dev when allocating DMA memory nfc: replace improper check device_is_registered() in netlink related functions nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs NFC: netlink: fix sleep in atomic bug when firmware download timeout hwmon: (adt7470) Fix warning on module removal ASoC: dmaengine: Restore NULL prepare_slave_config() callback net: emaclite: Add error handling for of_address_to_resource() smsc911x: allow using IRQ0 btrfs: always log symlinks in full mode net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter() kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU net: ipv6: ensure we call ipv6_mc_down() at most once dm: fix mempool NULL pointer race when completing IO dm: interlock pending dm_io and dm_wait_for_bios_completion PCI: aardvark: Clear all MSIs at setup PCI: aardvark: Fix reading MSI interrupt number Linux 4.14.278 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ic228df2ab4834dc5c32776a73c80f3d649dbbcd9 |
||
|
Duoming Zhou
|
ced30680fb |
nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs
commit d270453a0d9ec10bb8a802a142fb1b3601a83098 upstream.
There are destructive operations such as nfcmrvl_fw_dnld_abort and
gpio_free in nfcmrvl_nci_unregister_dev. The resources such as firmware,
gpio and so on could be destructed while the upper layer functions such as
nfcmrvl_fw_dnld_start and nfcmrvl_nci_recv_frame is executing, which leads
to double-free, use-after-free and null-ptr-deref bugs.
There are three situations that could lead to double-free bugs.
The first situation is shown below:
(Thread 1) | (Thread 2)
nfcmrvl_fw_dnld_start |
... | nfcmrvl_nci_unregister_dev
release_firmware() | nfcmrvl_fw_dnld_abort
kfree(fw) //(1) | fw_dnld_over
| release_firmware
... | kfree(fw) //(2)
| ...
The second situation is shown below:
(Thread 1) | (Thread 2)
nfcmrvl_fw_dnld_start |
... |
mod_timer |
(wait a time) |
fw_dnld_timeout | nfcmrvl_nci_unregister_dev
fw_dnld_over | nfcmrvl_fw_dnld_abort
release_firmware | fw_dnld_over
kfree(fw) //(1) | release_firmware
... | kfree(fw) //(2)
The third situation is shown below:
(Thread 1) | (Thread 2)
nfcmrvl_nci_recv_frame |
if(..->fw_download_in_progress)|
nfcmrvl_fw_dnld_recv_frame |
queue_work |
|
fw_dnld_rx_work | nfcmrvl_nci_unregister_dev
fw_dnld_over | nfcmrvl_fw_dnld_abort
release_firmware | fw_dnld_over
kfree(fw) //(1) | release_firmware
| kfree(fw) //(2)
The firmware struct is deallocated in position (1) and deallocated
in position (2) again.
The crash trace triggered by POC is like below:
BUG: KASAN: double-free or invalid-free in fw_dnld_over
Call Trace:
kfree
fw_dnld_over
nfcmrvl_nci_unregister_dev
nci_uart_tty_close
tty_ldisc_kill
tty_ldisc_hangup
__tty_hangup.part.0
tty_release
...
What's more, there are also use-after-free and null-ptr-deref bugs
in nfcmrvl_fw_dnld_start. If we deallocate firmware struct, gpio or
set null to the members of priv->fw_dnld in nfcmrvl_nci_unregister_dev,
then, we dereference firmware, gpio or the members of priv->fw_dnld in
nfcmrvl_fw_dnld_start, the UAF or NPD bugs will happen.
This patch reorders destructive operations after nci_unregister_device
in order to synchronize between cleanup routine and firmware download
routine.
The nci_unregister_device is well synchronized. If the device is
detaching, the firmware download routine will goto error. If firmware
download routine is executing, nci_unregister_device will wait until
firmware download routine is finished.
Fixes:
|
||
|
Greg Kroah-Hartman
|
c529afa15a |
Merge 4.14.274 into android-4.14-stable
Changes in 4.14.274 nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION net: ipv6: fix skb_over_panic in __ip6_append_data esp: Fix possible buffer overflow in ESP transformation staging: fbtft: fb_st7789v: reset display before initialization thermal: int340x: fix memory leak in int3400_notify() llc: fix netdevice reference leaks in llc_ui_bind() ALSA: pcm: Add stream lock during PCM reset ioctl operations ALSA: usb-audio: Add mute TLV for playback volumes on RODE NT-USB ALSA: cmipci: Restore aux vol on suspend/resume ALSA: pci: fix reading of swapped values from pcmreg in AC97 codec drivers: net: xgene: Fix regression in CRC stripping netfilter: nf_tables: initialize registers in nft_do_chain() ACPI / x86: Work around broken XSDT on Advantech DAC-BJ01 board ACPI: battery: Add device HID and quirk for Microsoft Surface Go 3 ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU crypto: qat - disable registration of algorithms mac80211: fix potential double free on mesh join llc: only change llc->dev when bind() succeeds Linux 4.14.274 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I1fc0ccd8ac54ffb4727f0b62b65bf2ab95bcc165 |
||
|
Jordy Zomer
|
d908d27764 |
nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION
commit 4fbcc1a4cb20fe26ad0225679c536c80f1648221 upstream. It appears that there are some buffer overflows in EVT_TRANSACTION. This happens because the length parameters that are passed to memcpy come directly from skb->data and are not guarded in any way. Signed-off-by: Jordy Zomer <jordy@pwning.systems> Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@canonical.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Denis Efremov <denis.e.efremov@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
00973e1302 |
Merge 4.14.272 into android-4.14-stable
Changes in 4.14.272 net: qlogic: check the return value of dma_alloc_coherent() in qed_vf_hw_prepare() qed: return status of qed_iov_get_link ethernet: Fix error handling in xemaclite_of_probe net: ethernet: ti: cpts: Handle error for clk_enable net: ethernet: lpc_eth: Handle error for clk_enable ax25: Fix NULL pointer dereference in ax25_kill_by_device net/mlx5: Fix size field in bufferx_reg struct NFC: port100: fix use-after-free in port100_send_complete gpio: ts4900: Do not set DAT and OE together sctp: fix kernel-infoleak for SCTP sockets net-sysfs: add check for netdevice being present to speed_show Revert "xen-netback: remove 'hotplug-status' once it has served its purpose" Revert "xen-netback: Check for hotplug-status existence before watching" tracing: Ensure trace buffer is at least 4096 bytes large selftests/memfd: clean up mapping in mfd_fail_write ARM: Spectre-BHB: provide empty stub for non-config staging: gdm724x: fix use after free in gdm_lte_rx() virtio: unexport virtio_finalize_features virtio: acknowledge all features before access ARM: fix Thumb2 regression with Spectre BHB ext4: add check to prevent attempting to resize an fs with sparse_super2 btrfs: unlock newly allocated extent buffer after error Linux 4.14.272 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ibf801ecb8549f8aee1b0acd8705fc75dcd5442ed |
||
|
Pavel Skripkin
|
32e866ae5a |
NFC: port100: fix use-after-free in port100_send_complete
[ Upstream commit f80cfe2f26581f188429c12bd937eb905ad3ac7b ]
Syzbot reported UAF in port100_send_complete(). The root case is in
missing usb_kill_urb() calls on error handling path of ->probe function.
port100_send_complete() accesses devm allocated memory which will be
freed on probe failure. We should kill this urbs before returning an
error from probe function to prevent reported use-after-free
Fail log:
BUG: KASAN: use-after-free in port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
Read of size 1 at addr ffff88801bb59540 by task ksoftirqd/2/26
...
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x303 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
port100_send_complete+0x16e/0x1a0 drivers/nfc/port100.c:935
__usb_hcd_giveback_urb+0x2b0/0x5c0 drivers/usb/core/hcd.c:1670
...
Allocated by task 1255:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:436 [inline]
____kasan_kmalloc mm/kasan/common.c:515 [inline]
____kasan_kmalloc mm/kasan/common.c:474 [inline]
__kasan_kmalloc+0xa6/0xd0 mm/kasan/common.c:524
alloc_dr drivers/base/devres.c:116 [inline]
devm_kmalloc+0x96/0x1d0 drivers/base/devres.c:823
devm_kzalloc include/linux/device.h:209 [inline]
port100_probe+0x8a/0x1320 drivers/nfc/port100.c:1502
Freed by task 1255:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free+0xff/0x140 mm/kasan/common.c:328
kasan_slab_free include/linux/kasan.h:236 [inline]
__cache_free mm/slab.c:3437 [inline]
kfree+0xf8/0x2b0 mm/slab.c:3794
release_nodes+0x112/0x1a0 drivers/base/devres.c:501
devres_release_all+0x114/0x190 drivers/base/devres.c:530
really_probe+0x626/0xcc0 drivers/base/dd.c:670
Reported-and-tested-by: syzbot+16bcb127fb73baeecb14@syzkaller.appspotmail.com
Fixes:
|
||
|
Greg Kroah-Hartman
|
f3a2f786eb |
Merge 4.14.261 into android-4.14-stable
Changes in 4.14.261 HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option tee: handle lookup of shm with reference count 0 platform/x86: apple-gmux: use resource_size() with res recordmcount.pl: fix typo in s390 mcount regex selinux: initialize proto variable in selinux_ip_postroute_compat() scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() net: usb: pegasus: Do not drop long Ethernet frames NFC: st21nfca: Fix memory leak in device probe and remove fsl/fman: Fix missing put_device() call in fman_port_probe nfc: uapi: use kernel size_t to fix user-space builds uapi: fix linux/nfc.h userspace compilation errors xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set. usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. binder: fix async_free_space accounting for empty parcels scsi: vmw_pvscsi: Set residual data length conditionally Input: appletouch - initialize work before device registration Input: spaceball - fix parsing of movement data packets net: fix use-after-free in tw_timer_handler sctp: use call_rcu to free endpoint Linux 4.14.261 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I778bc28ac0835029328e2b503cb8fa241981c610 |
||
|
Wei Yongjun
|
38c3e320e7 |
NFC: st21nfca: Fix memory leak in device probe and remove
[ Upstream commit 1b9dadba502234eea7244879b8d5d126bfaf9f0c ]
'phy->pending_skb' is alloced when device probe, but forgot to free
in the error handling path and remove path, this cause memory leak
as follows:
unreferenced object 0xffff88800bc06800 (size 512):
comm "8", pid 11775, jiffies 4295159829 (age 9.032s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d66c09ce>] __kmalloc_node_track_caller+0x1ed/0x450
[<00000000c93382b3>] kmalloc_reserve+0x37/0xd0
[<000000005fea522c>] __alloc_skb+0x124/0x380
[<0000000019f29f9a>] st21nfca_hci_i2c_probe+0x170/0x8f2
Fix it by freeing 'pending_skb' in error and remove.
Fixes:
|
||
|
Greg Kroah-Hartman
|
cc48e333d0 |
Merge 4.14.256 into android-4.14-stable
Changes in 4.14.256
xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay
binder: use euid from cred instead of using task
binder: use cred instead of task for selinux checks
Input: elantench - fix misreporting trackpoint coordinates
Input: i8042 - Add quirk for Fujitsu Lifebook T725
libata: fix read log timeout value
ocfs2: fix data corruption on truncate
mmc: dw_mmc: Dont wait for DRTO on Write RSP error
parisc: Fix ptrace check on syscall return
tpm: Check for integer overflow in tpm2_map_response_body()
media: ite-cir: IR receiver stop working after receive overflow
ALSA: ua101: fix division by zero at probe
ALSA: 6fire: fix control and bulk message timeouts
ALSA: line6: fix control and interrupt message timeouts
ALSA: synth: missing check for possible NULL after the call to kstrdup
ALSA: timer: Fix use-after-free problem
ALSA: timer: Unconditionally unlink slave instances, too
x86/irq: Ensure PI wakeup handler is unregistered before module unload
cavium: Return negative value when pci_alloc_irq_vectors() fails
scsi: qla2xxx: Fix unmap of already freed sgl
cavium: Fix return values of the probe function
sfc: Don't use netif_info before net_device setup
hyperv/vmbus: include linux/bitops.h
mmc: winbond: don't build on M68K
bpf: Prevent increasing bpf_jit_limit above max
xen/netfront: stop tx queues during live migration
spi: spl022: fix Microwire full duplex mode
watchdog: Fix OMAP watchdog early handling
vmxnet3: do not stop tx queues after netif_device_detach()
btrfs: fix lost error handling when replaying directory deletes
hwmon: (pmbus/lm25066) Add offset coefficients
regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled
regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property
EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell
mwifiex: fix division by zero in fw download path
ath6kl: fix division by zero in send path
ath6kl: fix control-message timeout
ath10k: fix control-message timeout
ath10k: fix division by zero in send path
PCI: Mark Atheros QCA6174 to avoid bus reset
rtl8187: fix control-message timeouts
evm: mark evm_fixmode as __ro_after_init
wcn36xx: Fix HT40 capability for 2Ghz band
mwifiex: Read a PCI register after writing the TX ring write pointer
libata: fix checking of DMA state
wcn36xx: handle connection loss indication
RDMA/qedr: Fix NULL deref for query_qp on the GSI QP
signal: Remove the bogus sigkill_pending in ptrace_stop
signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT
power: supply: max17042_battery: Prevent int underflow in set_soc_threshold
power: supply: max17042_battery: use VFSOC for capacity when no rsns
powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found
serial: core: Fix initializing and restoring termios speed
ALSA: mixer: oss: Fix racy access to slots
ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume
xen/balloon: add late_initcall_sync() for initial ballooning done
PCI: aardvark: Do not clear status bits of masked interrupts
PCI: aardvark: Do not unmask unused interrupts
PCI: aardvark: Fix return value of MSI domain .alloc() method
PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG
quota: check block number when reading the block in quota file
quota: correct error number in free_dqentry()
pinctrl: core: fix possible memory leak in pinctrl_enable()
iio: dac: ad5446: Fix ad5622_write() return value
USB: serial: keyspan: fix memleak on probe errors
USB: iowarrior: fix control-message timeouts
Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg()
Bluetooth: fix use-after-free error in lock_sock_nested()
platform/x86: wmi: do not fail if disabling fails
MIPS: lantiq: dma: add small delay after reset
MIPS: lantiq: dma: reset correct number of channel
locking/lockdep: Avoid RCU-induced noinstr fail
smackfs: Fix use-after-free in netlbl_catmap_walk()
x86: Increase exception stack sizes
mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type
mwifiex: Properly initialize private structure on interface type changes
media: mt9p031: Fix corrupted frame after restarting stream
media: netup_unidvb: handle interrupt properly according to the firmware
media: uvcvideo: Set capability in s_param
media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe()
media: s5p-mfc: Add checking to s5p_mfc_probe().
media: mceusb: return without resubmitting URB in case of -EPROTO error.
ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK
ACPICA: Avoid evaluating methods too early during system resume
media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte()
tracefs: Have tracefs directories not set OTH permission bits by default
ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create()
ACPI: battery: Accept charges over the design capacity as full
leaking_addresses: Always print a trailing newline
memstick: r592: Fix a UAF bug when removing the driver
lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression
lib/xz: Validate the value before assigning it to an enum variable
tracing/cfi: Fix cmp_entries_* functions signature mismatch
mwl8k: Fix use-after-free in mwl8k_fw_state_machine()
PM: hibernate: Get block device exclusively in swsusp_check()
iwlwifi: mvm: disable RX-diversity in powersave
smackfs: use __GFP_NOFAIL for smk_cipso_doi()
ARM: clang: Do not rely on lr register for stacktrace
gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE
ARM: 9136/1: ARMv7-M uses BE-8, not BE-32
spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe()
parisc: fix warning in flush_tlb_all
task_stack: Fix end_of_stack() for architectures with upwards-growing stack
parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling
cgroup: Make rebind_subsystems() disable v2 controllers all at once
media: dvb-usb: fix ununit-value in az6027_rc_query
media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()'
media: si470x: Avoid card name truncation
media: cx23885: Fix snd_card_free call on null card pointer
cpuidle: Fix kobject memory leaks in error paths
ath9k: Fix potential interrupt storm on queue reset
crypto: qat - detect PFVF collision after ACK
crypto: qat - disregard spurious PFVF interrupts
hwrng: mtk - Force runtime pm ops for sleep ops
b43legacy: fix a lower bounds test
b43: fix a lower bounds test
memstick: avoid out-of-range warning
memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host()
hwmon: Fix possible memleak in __hwmon_device_register()
ath10k: fix max antenna gain unit
drm/msm: uninitialized variable in msm_gem_import()
net: stream: don't purge sk_error_queue in sk_stream_kill_queues()
mmc: mxs-mmc: disable regulator on error and in the remove function
platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning
mwifiex: Send DELBA requests according to spec
phy: micrel: ksz8041nl: do not use power down mode
PM: hibernate: fix sparse warnings
smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi
s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap()
irq: mips: avoid nested irq_enter()
samples/kretprobes: Fix return value if register_kretprobe() failed
libertas_tf: Fix possible memory leak in probe and disconnect
libertas: Fix possible memory leak in probe and disconnect
net: amd-xgbe: Toggle PLL settings during rate change
net: phylink: avoid mvneta warning when setting pause parameters
crypto: pcrypt - Delay write to padata->info
ibmvnic: Process crqs after enabling interrupts
RDMA/rxe: Fix wrong port_cap_flags
ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc()
ARM: dts: at91: tse850: the emac<->phy interface is rmii
scsi: dc395: Fix error case unwinding
MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT
JFS: fix memleak in jfs_mount
ALSA: hda: Reduce udelay() at SKL+ position reporting
arm: dts: omap3-gta04a4: accelerometer irq fix
soc/tegra: Fix an error handling path in tegra_powergate_power_up()
memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe
video: fbdev: chipsfb: use memset_io() instead of memset()
serial: 8250_dw: Drop wrong use of ACPI_PTR()
usb: gadget: hid: fix error code in do_config()
power: supply: rt5033_battery: Change voltage values to µV
scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn()
RDMA/mlx4: Return missed an error if device doesn't support steering
ASoC: cs42l42: Correct some register default values
ASoC: cs42l42: Defer probe if request_threaded_irq() returns EPROBE_DEFER
serial: xilinx_uartps: Fix race condition causing stuck TX
mips: cm: Convert to bitfield API to fix out-of-bounds access
power: supply: bq27xxx: Fix kernel crash on IRQ handler register error
apparmor: fix error check
rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined
pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds
drm/plane-helper: fix uninitialized variable reference
PCI: aardvark: Don't spam about PIO Response Status
NFS: Fix deadlocks in nfs_scan_commit_list()
fs: orangefs: fix error return code of orangefs_revalidate_lookup()
mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare()
dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro
auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string
auxdisplay: ht16k33: Connect backlight to fbdev
auxdisplay: ht16k33: Fix frame buffer device blanking
netfilter: nfnetlink_queue: fix OOB when mac header was cleared
dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result`
m68k: set a default value for MEMORY_RESERVE
watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT
ar7: fix kernel builds for compiler test
scsi: qla2xxx: Turn off target reset during issue_lip
i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()'
xen-pciback: Fix return in pm_ctrl_init()
net: davinci_emac: Fix interrupt pacing disable
ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses
bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed
mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration()
llc: fix out-of-bound array index in llc_sk_dev_hash()
nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
vsock: prevent unnecessary refcnt inc for nonblocking connect
USB: chipidea: fix interrupt deadlock
ARM: 9155/1: fix early early_iounmap()
ARM: 9156/1: drop cc-option fallbacks for architecture selection
powerpc/lib: Add helper to check if offset is within conditional branch range
powerpc/bpf: Validate branch ranges
powerpc/bpf: Fix BPF_SUB when imm == 0x80000000
mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks
mm, oom: do not trigger out_of_memory from the #PF
s390/cio: check the subchannel validity for dev_busid
PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros
ext4: fix lazy initialization next schedule time computation in more granular unit
tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT
parisc/entry: fix trace test in syscall exit path
PCI/MSI: Destroy sysfs before freeing entries
arm64: zynqmp: Fix serial compatible string
scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq()
usb: musb: tusb6010: check return value after calling platform_get_resource()
scsi: advansys: Fix kernel pointer leak
ARM: dts: omap: fix gpmc,mux-add-data type
usb: host: ohci-tmio: check return value after calling platform_get_resource()
tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc
MIPS: sni: Fix the build
scsi: target: Fix ordered tag handling
scsi: target: Fix alua_tg_pt_gps_count tracking
powerpc/5200: dts: fix memory node unit name
ALSA: gus: fix null pointer dereference on pointer block
powerpc/dcr: Use cmplwi instead of 3-argument cmpli
sh: check return code of request_irq
maple: fix wrong return value of maple_bus_init().
sh: fix kconfig unmet dependency warning for FRAME_POINTER
sh: define __BIG_ENDIAN for math-emu
mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set
sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain()
net: bnx2x: fix variable dereferenced before check
iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset
MIPS: generic/yamon-dt: fix uninitialized variable error
mips: bcm63xx: add support for clk_get_parent()
mips: lantiq: add support for clk_get_parent()
platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()'
net: virtio_net_hdr_to_skb: count transport header in UFO
i40e: Fix NULL ptr dereference on VSI filter sync
NFC: reorganize the functions in nci_request
NFC: reorder the logic in nfc_{un,}register_device
perf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server
perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server
tun: fix bonding active backup with arp monitoring
hexagon: export raw I/O routines for modules
mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag
btrfs: fix memory ordering between normal and ordered work functions
parisc/sticon: fix reverse colors
cfg80211: call cfg80211_stop_ap when switch from P2P_GO type
drm/udl: fix control-message timeout
drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors
perf/core: Avoid put_page() when GUP fails
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN
batman-adv: mcast: fix duplicate mcast packets from BLA backbone to mesh
batman-adv: Consider fragmentation for needed_headroom
batman-adv: Reserve needed_*room for fragments
batman-adv: Don't always reallocate the fragmentation skb head
RDMA/netlink: Add __maybe_unused to static inline in C file
ASoC: DAPM: Cover regression by kctl change notification fix
usb: max-3421: Use driver data instead of maintaining a list of bound devices
soc/tegra: pmc: Fix imbalanced clock disabling in error code path
Linux 4.14.256
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I32f0b43f5aa192eda1aa3a220a2f348ade0536d2
|
||
|
Chengfeng Ye
|
6baf8dcf62 |
nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails
[ Upstream commit 9fec40f850658e00a14a7dd9e06f7fbc7e59cc4a ] skb is already freed by dev_kfree_skb in pn533_fill_fragment_skbs, but follow error handler branch when pn533_fill_fragment_skbs() fails, skb is freed again, results in double free issue. Fix this by not free skb in error path of pn533_fill_fragment_skbs. Fixes: |
||
|
Greg Kroah-Hartman
|
5b2d33ae99 |
Merge 4.14.254 into android-4.14-stable
Changes in 4.14.254 ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned ARM: 9134/1: remove duplicate memcpy() definition ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype powerpc/bpf: Fix BPF_MOD when imm == 1 ARM: 8819/1: Remove '-p' from LDFLAGS usbnet: sanity check for maxpacket usbnet: fix error return code in usbnet_probe() ata: sata_mv: Fix the error handling of mv_chip_id() nfc: port100: fix using -ERRNO as command type mask Revert "net: mdiobus: Fix memory leak in __mdiobus_register" ipv4: use siphash instead of Jenkins in fnhe_hashfun() mmc: vub300: fix control-message timeouts mmc: dw_mmc: exynos: fix the finding clock sample value mmc: sdhci: Map more voltage level to SDHCI_POWER_330 mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit net: lan78xx: fix division by zero in send path regmap: Fix possible double-free in regcache_rbtree_exit() net: batman-adv: fix error handling nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST net: nxp: lpc_eth.c: avoid hang when bringing interface down sctp: use init_tag from inithdr for ABORT chunk sctp: fix the processing for COOKIE_ECHO chunk sctp: add vtag check in sctp_sf_violation sctp: add vtag check in sctp_sf_do_8_5_1_E_sa sctp: add vtag check in sctp_sf_ootb Linux 4.14.254 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If7f3b585ec959656b73cd002a6f87d7b6c281679 |
||
|
Krzysztof Kozlowski
|
d4f5ca0a44 |
nfc: port100: fix using -ERRNO as command type mask
commit 2195f2062e4cc93870da8e71c318ef98a1c51cef upstream.
During probing, the driver tries to get a list (mask) of supported
command types in port100_get_command_type_mask() function. The value
is u64 and 0 is treated as invalid mask (no commands supported). The
function however returns also -ERRNO as u64 which will be interpret as
valid command mask.
Return 0 on every error case of port100_get_command_type_mask(), so the
probing will stop.
Cc: <stable@vger.kernel.org>
Fixes:
|
||
|
Greg Kroah-Hartman
|
5d67c93aaf |
Merge 4.14.242 into android-4.14-stable
Changes in 4.14.242 selftest: fix build error in tools/testing/selftests/vm/userfaultfd.c KVM: x86: determine if an exception has an error code only when injecting it. net: split out functions related to registering inflight socket files af_unix: fix garbage collect vs MSG_PEEK workqueue: fix UAF in pwq_unbound_release_workfn() net/802/mrp: fix memleak in mrp_request_join() net/802/garp: fix memleak in garp_request_join() net: annotate data race around sk_ll_usec sctp: move 198 addresses from unusable to private scope hfs: add missing clean-up in hfs_fill_super hfs: fix high memory mapping in hfs_bnode_read hfs: add lock nesting notation to hfs_find_init ARM: dts: versatile: Fix up interrupt controller node names virtio_net: Do not pull payload in skb->head gro: ensure frag0 meets IP header alignment x86/kvm: fix vcpu-id indexed array sizes ocfs2: fix zero out valid data ocfs2: issue zeroout to EOF blocks can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF can: mcba_usb_start(): add missing urb->transfer_dma initialization can: usb_8dev: fix memory leak can: ems_usb: fix memory leak can: esd_usb2: fix memory leak NIU: fix incorrect error return, missed in previous revert nfc: nfcsim: fix use after free during module unload x86/asm: Ensure asm/proto.h can be included stand-alone cfg80211: Fix possible memory leak in function cfg80211_bss_update netfilter: conntrack: adjust stop timestamp to real expiry value netfilter: nft_nat: allow to specify layer 4 protocol NAT only tipc: fix sleeping in tipc accept routine mlx4: Fix missing error code in mlx4_load_one() net: llc: fix skb_over_panic net/mlx5: Fix flow table chaining sctp: fix return value check in __sctp_rcv_asconf_lookup tulip: windbond-840: Fix missing pci_disable_device() in probe and remove sis900: Fix missing pci_disable_device() in probe and remove can: hi311x: fix a signedness bug in hi3110_cmd() Revert "perf map: Fix dso->nsinfo refcounting" Linux 4.14.242 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ie1a4d3b3c5e77ece40e540b361471dddef50441d |
||
|
Krzysztof Kozlowski
|
546b6dcf83 |
nfc: nfcsim: fix use after free during module unload
commit 5e7b30d24a5b8cb691c173b45b50e3ca0191be19 upstream.
There is a use after free memory corruption during module exit:
- nfcsim_exit()
- nfcsim_device_free(dev0)
- nfc_digital_unregister_device()
This iterates over command queue and frees all commands,
- dev->up = false
- nfcsim_link_shutdown()
- nfcsim_link_recv_wake()
This wakes the sleeping thread nfcsim_link_recv_skb().
- nfcsim_link_recv_skb()
Wake from wait_event_interruptible_timeout(),
call directly the deb->cb callback even though (dev->up == false),
- digital_send_cmd_complete()
Dereference of "struct digital_cmd" cmd which was freed earlier by
nfc_digital_unregister_device().
This causes memory corruption shortly after (with unrelated stack
trace):
nfc nfc0: NFC: nfcsim_recv_wq: Device is down
llcp: nfc_llcp_recv: err -19
nfc nfc1: NFC: nfcsim_recv_wq: Device is down
BUG: unable to handle page fault for address: ffffffffffffffed
Call Trace:
fsnotify+0x54b/0x5c0
__fsnotify_parent+0x1fe/0x300
? vfs_write+0x27c/0x390
vfs_write+0x27c/0x390
ksys_write+0x63/0xe0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
KASAN report:
BUG: KASAN: use-after-free in digital_send_cmd_complete+0x16/0x50
Write of size 8 at addr ffff88800a05f720 by task kworker/0:2/71
Workqueue: events nfcsim_recv_wq [nfcsim]
Call Trace:
dump_stack_lvl+0x45/0x59
print_address_description.constprop.0+0x21/0x140
? digital_send_cmd_complete+0x16/0x50
? digital_send_cmd_complete+0x16/0x50
kasan_report.cold+0x7f/0x11b
? digital_send_cmd_complete+0x16/0x50
? digital_dep_link_down+0x60/0x60
digital_send_cmd_complete+0x16/0x50
nfcsim_recv_wq+0x38f/0x3d5 [nfcsim]
? nfcsim_in_send_cmd+0x4a/0x4a [nfcsim]
? lock_is_held_type+0x98/0x110
? finish_wait+0x110/0x110
? rcu_read_lock_sched_held+0x9c/0xd0
? rcu_read_lock_bh_held+0xb0/0xb0
? lockdep_hardirqs_on_prepare+0x12e/0x1f0
This flow of calling digital_send_cmd_complete() callback on driver exit
is specific to nfcsim which implements reading and sending work queues.
Since the NFC digital device was unregistered, the callback should not
be called.
Fixes:
|
||
|
Greg Kroah-Hartman
|
22dc72c914 |
Merge 4.14.233 into android-4.14-stable
Changes in 4.14.233 usbip: vudc synchronize sysfs code paths ACPI: tables: x86: Reserve memory occupied by ACPI tables ACPI: x86: Call acpi_boot_table_init() after acpi_table_upgrade() bpf: Fix backport of "bpf: restrict unknown scalars of mixed signed bounds for unprivileged" bpf: fix up selftests after backports were fixed net: usb: ax88179_178a: initialize local variables before use iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_enqueue_hcmd() MIPS: Introduce isa-rev.h to define MIPS_ISA_REV MIPS: cpu-features.h: Replace __mips_isa_rev with MIPS_ISA_REV mips: Do not include hi and lo in clobber list for R6 bpf: Fix masking negation logic upon negative dst register iwlwifi: Fix softirq/hardirq disabling in iwl_pcie_gen2_enqueue_hcmd() ALSA: usb-audio: Add MIDI quirk for Vox ToneLab EX USB: Add LPM quirk for Lenovo ThinkPad USB-C Dock Gen2 Ethernet USB: Add reset-resume quirk for WD19's Realtek Hub platform/x86: thinkpad_acpi: Correct thermal sensor allocation s390/disassembler: increase ebpf disasm buffer size ACPI: custom_method: fix potential use-after-free issue ACPI: custom_method: fix a possible memory leak arm64: dts: mt8173: fix property typo of 'phys' in dsi node ecryptfs: fix kernel panic with null dev_name spi: spi-ti-qspi: Free DMA resources mmc: block: Update ext_csd.cache_ctrl if it was written mmc: core: Do a power cycle when the CMD11 fails mmc: core: Set read only for SD cards with permanent write protect bit cifs: Return correct error code from smb2_get_enc_key btrfs: fix metadata extent leak after failure to create subvolume intel_th: pci: Add Rocket Lake CPU support fbdev: zero-fill colormap in fbcmap.c staging: wimax/i2400m: fix byte-order issue crypto: api - check for ERR pointers in crypto_destroy_tfm() usb: gadget: uvc: add bInterval checking for HS mode usb: gadget: f_uac1: validate input parameters usb: dwc3: gadget: Ignore EP queue requests during bus reset usb: xhci: Fix port minor revision PCI: PM: Do not read power state in pci_enable_device_flags() x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS) tee: optee: do not check memref size on return from Secure World perf/arm_pmu_platform: Fix error handling spi: dln2: Fix reference leak to master spi: omap-100k: Fix reference leak to master intel_th: Consistency and off-by-one fix phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe scsi: lpfc: Fix pt2pt connection does not recover after LOGO scsi: target: pscsi: Fix warning in pscsi_complete_cmd() media: ite-cir: check for receive overflow power: supply: bq27xxx: fix power_avg for newer ICs extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged media: media/saa7164: fix saa7164_encoder_register() memory leak bugs media: gspca/sq905.c: fix uninitialized variable power: supply: Use IRQF_ONESHOT drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() scsi: qla2xxx: Fix use after free in bsg scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg() media: em28xx: fix memory leak media: vivid: update EDID clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() media: adv7604: fix possible use-after-free in adv76xx_remove() media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() media: i2c: adv7842: fix possible use-after-free in adv7842_remove() media: dvb-usb: fix memory leak in dvb_usb_adapter_init media: gscpa/stv06xx: fix memory leak drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal drm/amdgpu: fix NULL pointer dereference scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic scsi: libfc: Fix a format specifier ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer ALSA: hda/conexant: Re-order CX5066 quirk table entries ALSA: sb: Fix two use after free in snd_sb_qsound_build btrfs: fix race when picking most recent mod log operation for an old root arm64/vdso: Discard .note.gnu.property sections in vDSO openvswitch: fix stack OOB read while fragmenting IPv4 packets ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure NFSv4: Don't discard segments marked for return in _pnfs_return_layout() jffs2: Fix kasan slab-out-of-bounds problem powerpc/eeh: Fix EEH handling for hugepages in ioremap space. powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h intel_th: pci: Add Alder Lake-M support md/raid1: properly indicate failure when ending a failed write request security: commoncap: fix -Wstringop-overread warning Fix misc new gcc warnings jffs2: check the validity of dstlen in jffs2_zlib_compress() Revert |
||
|
Dan Carpenter
|
6569255c27 |
nfc: pn533: prevent potential memory corruption
[ Upstream commit ca4d4c34ae9aa5c3c0da76662c5e549d2fc0cc86 ]
If the "type_a->nfcid_len" is too large then it would lead to memory
corruption in pn533_target_found_type_a() when we do:
memcpy(nfc_tgt->nfcid1, tgt_type_a->nfcid_data, nfc_tgt->nfcid1_len);
Fixes:
|
||
|
Greg Kroah-Hartman
|
89616f108f |
Merge 4.14.213 into android-4.14-stable
Changes in 4.14.213 spi: bcm2835aux: Fix use-after-free on unbind spi: bcm2835aux: Restore err assignment in bcm2835aux_spi_probe iwlwifi: pcie: limit memory read spin time arm64: dts: rockchip: Assign a fixed index to mmc devices on rk3399 boards. iwlwifi: mvm: fix kernel panic in case of assert during CSA ARC: stack unwinding: don't assume non-current task is sleeping scsi: ufs: Make sure clk scaling happens only when HBA is runtime ACTIVE soc: fsl: dpio: Get the cpumask through cpumask_of(cpu) platform/x86: acer-wmi: add automatic keyboard background light toggle key as KEY_LIGHTS_TOGGLE Input: cm109 - do not stomp on control URB Input: i8042 - add Acer laptops to the i8042 reset list pinctrl: amd: remove debounce filter setting in IRQ type setting kbuild: avoid static_assert for genksyms scsi: be2iscsi: Revert "Fix a theoretical leak in beiscsi_create_eqs()" x86/mm/mem_encrypt: Fix definition of PMD_FLAGS_DEC_WP PCI: qcom: Add missing reset for ipq806x net: stmmac: free tx skb buffer in stmmac_resume() tcp: fix cwnd-limited bug for TSO deferral where we send nothing net/mlx4_en: Avoid scheduling restart task if it is already running net/mlx4_en: Handle TX error CQE net: stmmac: delete the eee_ctrl_timer after napi disabled net: stmmac: dwmac-meson8b: fix mask definition of the m250_sel mux net: bridge: vlan: fix error return code in __vlan_add() mac80211: mesh: fix mesh_pathtbl_init() error path USB: dummy-hcd: Fix uninitialized array use in init() USB: add RESET_RESUME quirk for Snapscan 1212 ALSA: usb-audio: Fix potential out-of-bounds shift ALSA: usb-audio: Fix control 'access overflow' errors from chmap xhci: Give USB2 ports time to enter U3 in bus suspend USB: UAS: introduce a quirk to set no_write_same USB: sisusbvga: Make console support depend on BROKEN ALSA: pcm: oss: Fix potential out-of-bounds shift serial: 8250_omap: Avoid FIFO corruption caused by MDR1 access drm: fix drm_dp_mst_port refcount leaks in drm_dp_mst_allocate_vcpi pinctrl: merrifield: Set default bias in case no particular value given pinctrl: baytrail: Avoid clearing debounce value when turning it off ARM: dts: sun8i: v3s: fix GIC node memory range gpio: mvebu: fix potential user-after-free on probe scsi: bnx2i: Requires MMU can: softing: softing_netdev_open(): fix error handling RDMA/cm: Fix an attempt to use non-valid pointer when cleaning timewait kernel/cpu: add arch override for clear_tasks_mm_cpumask() mm handling drm/tegra: sor: Disable clocks on error in tegra_sor_init() vxlan: Add needed_headroom for lower device vxlan: Copy needed_tailroom from lowerdev scsi: mpt3sas: Increase IOCInit request timeout to 30s dm table: Remove BUG_ON(in_interrupt()) soc/tegra: fuse: Fix index bug in get_process_id USB: serial: option: add interface-number sanity check to flag handling USB: gadget: f_acm: add support for SuperSpeed Plus USB: gadget: f_midi: setup SuperSpeed Plus descriptors usb: gadget: f_fs: Re-use SS descriptors for SuperSpeedPlus USB: gadget: f_rndis: fix bitrate for SuperSpeed and above usb: chipidea: ci_hdrc_imx: Pass DISABLE_DEVICE_STREAMING flag to imx6ul ARM: dts: exynos: fix roles of USB 3.0 ports on Odroid XU ARM: dts: exynos: fix USB 3.0 VBUS control and over-current pins on Exynos5410 ARM: dts: exynos: fix USB 3.0 pins supply being turned off on Odroid XU HID: i2c-hid: add Vero K147 to descriptor override serial_core: Check for port state when tty is in error state quota: Sanity-check quota file headers on load media: msi2500: assign SPI bus number dynamically crypto: af_alg - avoid undefined behavior accessing salg_name md: fix a warning caused by a race between concurrent md_ioctl()s Bluetooth: Fix slab-out-of-bounds read in hci_le_direct_adv_report_evt() drm/gma500: fix double free of gma_connector soc: renesas: rmobile-sysc: Fix some leaks in rmobile_init_pm_domains() soc: mediatek: Check if power domains can be powered on at boot time RDMA/bnxt_re: Set queue pair state when being queried selinux: fix error initialization in inode_doinit_with_dentry() RDMA/rxe: Compute PSN windows correctly x86/mm/ident_map: Check for errors from ident_pud_init() ARM: p2v: fix handling of LPAE translation in BE mode sched/deadline: Fix sched_dl_global_validate() sched: Reenable interrupts in do_sched_yield() crypto: talitos - Fix return type of current_desc_hdr() spi: img-spfi: fix reference leak in img_spfi_resume ASoC: pcm: DRAIN support reactivation selinux: fix inode_doinit_with_dentry() LABEL_INVALID error handling arm64: dts: exynos: Correct psci compatible used on Exynos7 Bluetooth: Fix null pointer dereference in hci_event_packet() spi: spi-ti-qspi: fix reference leak in ti_qspi_setup spi: tegra20-slink: fix reference leak in slink ops of tegra20 spi: tegra20-sflash: fix reference leak in tegra_sflash_resume spi: tegra114: fix reference leak in tegra spi ops mwifiex: fix mwifiex_shutdown_sw() causing sw reset failure ASoC: wm8998: Fix PM disable depth imbalance on error ASoC: arizona: Fix a wrong free in wm8997_probe RDMa/mthca: Work around -Wenum-conversion warning MIPS: BCM47XX: fix kconfig dependency bug for BCM47XX_BCMA staging: greybus: codecs: Fix reference counter leak in error handling media: mtk-vcodec: add missing put_device() call in mtk_vcodec_release_dec_pm() scsi: core: Fix VPD LUN ID designator priorities media: solo6x10: fix missing snd_card_free in error handling case drm/omap: dmm_tiler: fix return error code in omap_dmm_probe() Input: ads7846 - fix race that causes missing releases Input: ads7846 - fix integer overflow on Rt calculation Input: ads7846 - fix unaligned access on 7845 powerpc/feature: Fix CPU_FTRS_ALWAYS by removing CPU_FTRS_GENERIC_32 crypto: omap-aes - Fix PM disable depth imbalance in omap_aes_probe soc: ti: knav_qmss: fix reference leak in knav_queue_probe soc: ti: Fix reference imbalance in knav_dma_probe drivers: soc: ti: knav_qmss_queue: Fix error return code in knav_queue_probe Input: omap4-keypad - fix runtime PM error handling RDMA/cxgb4: Validate the number of CQEs memstick: fix a double-free bug in memstick_check ARM: dts: at91: sama5d4_xplained: add pincontrol for USB Host ARM: dts: at91: sama5d3_xplained: add pincontrol for USB Host orinoco: Move context allocation after processing the skb cw1200: fix missing destroy_workqueue() on error in cw1200_init_common media: siano: fix memory leak of debugfs members in smsdvb_hotplug samples: bpf: Fix lwt_len_hist reusing previous BPF map mips: cdmm: fix use-after-free in mips_cdmm_bus_discover media: max2175: fix max2175_set_csm_mode() error code HSI: omap_ssi: Don't jump to free ID in ssi_add_controller() ARM: dts: Remove non-existent i2c1 from 98dx3236 power: supply: bq24190_charger: fix reference leak genirq/irqdomain: Don't try to free an interrupt that has no mapping PCI: iproc: Fix out-of-bound array accesses ARM: dts: at91: at91sam9rl: fix ADC triggers ath10k: Fix an error handling path ath10k: Release some resources in an error handling path NFSv4.2: condition READDIR's mask for security label based on LSM state SUNRPC: xprt_load_transport() needs to support the netid "rdma6" lockd: don't use interval-based rebinding over TCP NFS: switch nfsiod to be an UNBOUND workqueue. vfio-pci: Use io_remap_pfn_range() for PCI IO memory media: saa7146: fix array overflow in vidioc_s_audio() clocksource/drivers/cadence_ttc: Fix memory leak in ttc_setup_clockevent() ARM: dts: at91: sama5d2: map securam as device pinctrl: falcon: add missing put_device() call in pinctrl_falcon_probe() arm64: dts: rockchip: Fix UART pull-ups on rk3328 memstick: r592: Fix error return in r592_probe() net/mlx5: Properly convey driver version to firmware ASoC: jz4740-i2s: add missed checks for clk_get() dm ioctl: fix error return code in target_message clocksource/drivers/arm_arch_timer: Correct fault programming of CNTKCTL_EL1.EVNTI cpufreq: highbank: Add missing MODULE_DEVICE_TABLE cpufreq: mediatek: Add missing MODULE_DEVICE_TABLE cpufreq: st: Add missing MODULE_DEVICE_TABLE cpufreq: loongson1: Add missing MODULE_ALIAS cpufreq: scpi: Add missing MODULE_ALIAS scsi: qedi: Fix missing destroy_workqueue() on error in __qedi_probe scsi: pm80xx: Fix error return in pm8001_pci_probe() seq_buf: Avoid type mismatch for seq_buf_init scsi: fnic: Fix error return code in fnic_probe() powerpc/pseries/hibernation: drop pseries_suspend_begin() from suspend ops powerpc/pseries/hibernation: remove redundant cacheinfo update usb: ehci-omap: Fix PM disable depth umbalance in ehci_hcd_omap_probe usb: oxu210hp-hcd: Fix memory leak in oxu_create speakup: fix uninitialized flush_lock nfsd: Fix message level for normal termination nfs_common: need lock during iterate through the list x86/kprobes: Restore BTF if the single-stepping is cancelled clk: tegra: Fix duplicated SE clock entry extcon: max77693: Fix modalias string ASoC: wm_adsp: remove "ctl" from list on error in wm_adsp_create_control() irqchip/alpine-msi: Fix freeing of interrupts on allocation error path watchdog: sirfsoc: Add missing dependency on HAS_IOMEM um: chan_xterm: Fix fd leak nfc: s3fwrn5: Release the nfc firmware powerpc/ps3: use dma_mapping_error() checkpatch: fix unescaped left brace net: bcmgenet: Fix a resource leak in an error handling path in the probe functin net: allwinner: Fix some resources leak in the error handling path of the probe and in the remove function net: korina: fix return value watchdog: qcom: Avoid context switch in restart handler watchdog: coh901327: add COMMON_CLK dependency clk: ti: Fix memleak in ti_fapll_synth_setup pwm: zx: Add missing cleanup in error path pwm: lp3943: Dynamically allocate PWM chip base perf record: Fix memory leak when using '--user-regs=?' to list registers qlcnic: Fix error code in probe clk: s2mps11: Fix a resource leak in error handling paths in the probe function clk: sunxi-ng: Make sure divider tables have sentinel cfg80211: initialize rekey_data fix namespaced fscaps when !CONFIG_SECURITY Input: cros_ec_keyb - send 'scancodes' in addition to key events Input: goodix - add upside-down quirk for Teclast X98 Pro tablet media: gspca: Fix memory leak in probe media: sunxi-cir: ensure IR is handled when it is continuous media: netup_unidvb: Don't leak SPI master in probe error path Input: cyapa_gen6 - fix out-of-bounds stack access PM: ACPI: PCI: Drop acpi_pm_set_bridge_wakeup() Revert "ACPI / resources: Use AE_CTRL_TERMINATE to terminate resources walks" ACPI: PNP: compare the string length in the matching_id() ALSA: hda/realtek - Enable headset mic of ASUS Q524UQK with ALC255 ALSA: pcm: oss: Fix a few more UBSAN fixes ALSA: usb-audio: Disable sample read check if firmware doesn't give back s390/smp: perform initial CPU reset also for SMT siblings s390/dasd: prevent inconsistent LCU device data s390/dasd: fix list corruption of pavgroup group list s390/dasd: fix list corruption of lcu list staging: comedi: mf6x4: Fix AI end-of-conversion detection powerpc/perf: Exclude kernel samples while counting events in user space. crypto: ecdh - avoid unaligned accesses in ecdh_set_secret() EDAC/amd64: Fix PCI component registration USB: serial: mos7720: fix parallel-port state restore USB: serial: keyspan_pda: fix dropped unthrottle interrupts USB: serial: keyspan_pda: fix write deadlock USB: serial: keyspan_pda: fix stalled writes USB: serial: keyspan_pda: fix write-wakeup use-after-free USB: serial: keyspan_pda: fix tx-unthrottle use-after-free USB: serial: keyspan_pda: fix write unthrottling Btrfs: fix selftests failure due to uninitialized i_mode in test inodes btrfs: fix return value mixup in btrfs_get_extent ext4: fix a memory leak of ext4_free_data ext4: fix deadlock with fs freezing and EA inodes KVM: arm64: Introduce handling of AArch32 TTBCR2 traps ARM: dts: at91: sama5d2: fix CAN message ram offset and size powerpc/rtas: Fix typo of ibm,open-errinjct in RTAS filter powerpc/xmon: Change printk() to pr_cont() powerpc/powernv/memtrace: Don't leak kernel memory to user space ima: Don't modify file descriptor mode on the fly ceph: fix race in concurrent __ceph_remove_cap invocations jffs2: Fix GC exit abnormally jfs: Fix array index bounds check in dbAdjTree drm/dp_aux_dev: check aux_dev before use in drm_dp_aux_dev_get_by_minor() spi: spi-sh: Fix use-after-free on unbind spi: davinci: Fix use-after-free on unbind spi: pic32: Don't leak DMA channels in probe error path spi: rb4xx: Don't leak SPI master in probe error path spi: sc18is602: Don't leak SPI master in probe error path spi: st-ssc4: Fix unbalanced pm_runtime_disable() in probe error path soc: qcom: smp2p: Safely acquire spinlock without IRQs mtd: parser: cmdline: Fix parsing of part-names with colons iio: buffer: Fix demux update iio: adc: rockchip_saradc: fix missing clk_disable_unprepare() on error in rockchip_saradc_resume iio:light:rpr0521: Fix timestamp alignment and prevent data leak. iio:pressure:mpl3115: Force alignment of buffer iio:imu:bmi160: Fix too large a buffer. md/cluster: fix deadlock when node is doing resync job clk: mvebu: a3700: fix the XTAL MODE pin to MPP1_9 xen-blkback: set ring->xenblkd to NULL after kthread_stop() xen/xenbus: Allow watches discard events before queueing xen/xenbus: Add 'will_handle' callback support in xenbus_watch_path() xen/xenbus/xen_bus_type: Support will_handle watch callback xen/xenbus: Count pending messages for each watch xenbus/xenbus_backend: Disallow pending watch messages libnvdimm/namespace: Fix reaping of invalidated block-window-namespace labels PCI: Fix pci_slot_release() NULL pointer dereference Linux 4.14.213 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ic39f6cbb08d6b12ddb9f5372eb14ff80f2bff04e |