[ Upstream commit e86cac0acdb1a74f608bacefe702f2034133a047 ]
When a process accept()s connection from a unix socket
(either stream or seqpacket)
it gets the socket with the label of the connecting process.
For example, if a connecting process has a label 'foo',
the accept()ed socket will also have 'in' and 'out' labels 'foo',
regardless of the label of the listener process.
This is because kernel creates unix child sockets
in the context of the connecting process.
I do not see any obvious way for the listener to abuse
alien labels coming with the new socket, but,
to be on the safe side, it's better fix new socket labels.
Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 81e45ff912bbc43526d6f21c7a79cc5a7159a5f5)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
[ Upstream commit 2fe209d0ad2e2729f7e22b9b31a86cc3ff0db550 ]
Currently, Smack mirrors the label of incoming tcp/ipv4 connections:
when a label 'foo' connects to a label 'bar' with tcp/ipv4,
'foo' always gets 'foo' in returned ipv4 packets. So,
1) returned packets are incorrectly labeled ('foo' instead of 'bar')
2) 'bar' can write to 'foo' without being authorized to write.
Here is a scenario how to see this:
* Take two machines, let's call them C and S,
with active Smack in the default state
(no settings, no rules, no labeled hosts, only builtin labels)
* At S, add Smack rule 'foo bar w'
(labels 'foo' and 'bar' are instantiated at S at this moment)
* At S, at label 'bar', launch a program
that listens for incoming tcp/ipv4 connections
* From C, at label 'foo', connect to the listener at S.
(label 'foo' is instantiated at C at this moment)
Connection succeedes and works.
* Send some data in both directions.
* Collect network traffic of this connection.
All packets in both directions are labeled with the CIPSO
of the label 'foo'. Hence, label 'bar' writes to 'foo' without
being authorized, and even without ever being known at C.
If anybody cares: exactly the same happens with DCCP.
This behavior 1st manifested in release 2.6.29.4 (see Fixes below)
and it looks unintentional. At least, no explanation was provided.
I changed returned packes label into the 'bar',
to bring it into line with the Smack documentation claims.
Signed-off-by: Konstantin Andreev <andreev@swemel.ru>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit d3f56c653c65f170b172d3c23120bc64ada645d8)
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
commit f1bb47a31dff6d4b34fb14e99850860ee74bb003 upstream.
Some ioctl commands do not require ioctl permission, but are routed to
other permissions such as FILE_GETATTR or FILE_SETATTR. This routing is
done by comparing the ioctl cmd to a set of 64-bit flags (FS_IOC_*).
However, if a 32-bit process is running on a 64-bit kernel, it emits
32-bit flags (FS_IOC32_*) for certain ioctl operations. These flags are
being checked erroneously, which leads to these ioctl operations being
routed to the ioctl permission, rather than the correct file
permissions.
This was also noted in a RED-PEN finding from a while back -
"/* RED-PEN how should LSM module know it's handling 32bit? */".
This patch introduces a new hook, security_file_ioctl_compat(), that is
called from the compat ioctl syscall. All current LSMs have been changed
to support this hook.
Reviewing the three places where we are currently using
security_file_ioctl(), it appears that only SELinux needs a dedicated
compat change; TOMOYO and SMACK appear to be functional without any
change.
Cc: stable@vger.kernel.org
Fixes: 0b24dcb7f2 ("Revert "selinux: simplify ioctl checking"")
Signed-off-by: Alfred Piccioni <alpic@google.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
[PM: subject tweak, line length fixes, and alignment corrections]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit f8f51085b4be6132762ce0d8940071ccdcce2504)
[vegard: fix conflict due to missing commit
df0ce17331e2501dbffc060041dfc6c5f85227b5 ("security: convert security
hooks to use hlist")]
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
[ Upstream commit 55a8210c9e7d21ff2644809699765796d4bfb200 ]
When processing a packed profile in unpack_profile() described like
"profile :ns::samba-dcerpcd /usr/lib*/samba/{,samba/}samba-dcerpcd {...}"
a string ":samba-dcerpcd" is unpacked as a fully-qualified name and then
passed to aa_splitn_fqname().
aa_splitn_fqname() treats ":samba-dcerpcd" as only containing a namespace.
Thus it returns NULL for tmpname, meanwhile tmpns is non-NULL. Later
aa_alloc_profile() crashes as the new profile name is NULL now.
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 6 PID: 1657 Comm: apparmor_parser Not tainted 6.7.0-rc2-dirty #16
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
RIP: 0010:strlen+0x1e/0xa0
Call Trace:
<TASK>
? strlen+0x1e/0xa0
aa_policy_init+0x1bb/0x230
aa_alloc_profile+0xb1/0x480
unpack_profile+0x3bc/0x4960
aa_unpack+0x309/0x15e0
aa_replace_profiles+0x213/0x33c0
policy_update+0x261/0x370
profile_replace+0x20e/0x2a0
vfs_write+0x2af/0xe00
ksys_write+0x126/0x250
do_syscall_64+0x46/0xf0
entry_SYSCALL_64_after_hwframe+0x6e/0x76
</TASK>
---[ end trace 0000000000000000 ]---
RIP: 0010:strlen+0x1e/0xa0
It seems such behaviour of aa_splitn_fqname() is expected and checked in
other places where it is called (e.g. aa_remove_profiles). Well, there
is an explicit comment "a ns name without a following profile is allowed"
inside.
AFAICS, nothing can prevent unpacked "name" to be in form like
":samba-dcerpcd" - it is passed from userspace.
Deny the whole profile set replacement in such case and inform user with
EPROTO and an explaining message.
Found by Linux Verification Center (linuxtesting.org).
Fixes: 04dc715e24 ("apparmor: audit policy ns specified in policy load")
Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 9286ee97aa4803d99185768735011d0d65827c9e)
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
[ Upstream commit 3ad49d37cf5759c3b8b68d02e3563f633d9c1aee ]
There is a upper bound to "catlen" but no lower bound to prevent
negatives. I don't see that this necessarily causes a problem but we
may as well be safe.
Fixes: e114e47377 ("Smack: Simplified Mandatory Access Control Kernel")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2d7f105edbb3b2be5ffa4d833abbf9b6965e9ce7 ]
If the current task fails the check for the queried capability via
`capable(CAP_SYS_ADMIN)` LSMs like SELinux generate a denial message.
Issuing such denial messages unnecessarily can lead to a policy author
granting more privileges to a subject than needed to silence them.
Reorder CAP_SYS_ADMIN checks after the check whether the operation is
actually privileged.
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 9df6a4870dc371136e90330cfbbc51464ee66993 upstream.
When integrity_inode_get() is querying and inserting the cache, there
is a conditional race in the concurrent environment.
The race condition is the result of not properly implementing
"double-checked locking". In this case, it first checks to see if the
iint cache record exists before taking the lock, but doesn't check
again after taking the integrity_iint_lock.
Fixes: bf2276d10c ("ima: allocating iint improvements")
Signed-off-by: Tianjia Zhang <tianjia.zhang@linux.alibaba.com>
Cc: Dmitry Kasatkin <dmitry.kasatkin@gmail.com>
Cc: <stable@vger.kernel.org> # v3.10+
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 42c4e97e06a839b07d834f640a10911ad84ec8b3 upstream.
The Linux Kernel currently only requires make v3.82 while the grouped
target functionality requires make v4.3. Removed the grouped target
introduced in 4ce1f694eb5d ("selinux: ensure av_permissions.h is
built when needed") as well as the multiple header file targets in
the make rule. This effectively reverts the problem commit.
We will revisit this change when make >= 4.3 is required by the rest
of the kernel.
Cc: stable@vger.kernel.org
Fixes: 4ce1f694eb5d ("selinux: ensure av_permissions.h is built when needed")
Reported-by: Erwan Velu <e.velu@criteo.com>
Reported-by: Luiz Capitulino <luizcap@amazon.com>
Tested-by: Luiz Capitulino <luizcap@amazon.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 4ce1f694eb5d8ca607fed8542d32a33b4f1217a5 ]
The Makefile rule responsible for building flask.h and
av_permissions.h only lists flask.h as a target which means that
av_permissions.h is only generated when flask.h needs to be
generated. This patch fixes this by adding av_permissions.h as a
target to the rule.
Fixes: 8753f6bec3 ("selinux: generate flask headers during kernel build")
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bcab1adeaad4b39a1e04cb98979a367d08253f03 ]
Make the flask.h target depend on the genheaders binary instead of
classmap.h to ensure that it is rebuilt if any of the dependencies of
genheaders are changed.
Notably this fixes flask.h not being rebuilt when
initial_sid_to_string.h is modified.
Fixes: 8753f6bec3 ("selinux: generate flask headers during kernel build")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 4971c268b85e1c7a734a61622fc0813c86e2362e upstream.
Commit 98de59bfe4 ("take calculation of final prot in
security_mmap_file() into a helper") moved the code to update prot, to be
the actual protections applied to the kernel, to a new helper called
mmap_prot().
However, while without the helper ima_file_mmap() was getting the updated
prot, with the helper ima_file_mmap() gets the original prot, which
contains the protections requested by the application.
A possible consequence of this change is that, if an application calls
mmap() with only PROT_READ, and the kernel applies PROT_EXEC in addition,
that application would have access to executable memory without having this
event recorded in the IMA measurement list. This situation would occur for
example if the application, before mmap(), calls the personality() system
call with READ_IMPLIES_EXEC as the first argument.
Align ima_file_mmap() parameters with those of the mmap_file LSM hook, so
that IMA can receive both the requested prot and the final prot. Since the
requested protections are stored in a new variable, and the final
protections are stored in the existing variable, this effectively restores
the original behavior of the MMAP_CHECK hook.
Cc: stable@vger.kernel.org
Fixes: 98de59bfe4 ("take calculation of final prot in security_mmap_file() into a helper")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Stefan Berger <stefanb@linux.ibm.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit eaf2213ba563b2d74a1f2c13a6b258273f689802 ]
If *.conf.default is updated, builtin-policy.h should be rebuilt,
but this does not work when compiled with O= option.
[Without this commit]
$ touch security/tomoyo/policy/exception_policy.conf.default
$ make O=/tmp security/tomoyo/
make[1]: Entering directory '/tmp'
GEN Makefile
CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh
DESCEND objtool
make[1]: Leaving directory '/tmp'
[With this commit]
$ touch security/tomoyo/policy/exception_policy.conf.default
$ make O=/tmp security/tomoyo/
make[1]: Entering directory '/tmp'
GEN Makefile
CALL /home/masahiro/ref/linux/scripts/checksyscalls.sh
DESCEND objtool
POLICY security/tomoyo/builtin-policy.h
CC security/tomoyo/common.o
AR security/tomoyo/built-in.a
make[1]: Leaving directory '/tmp'
$(srctree)/ is essential because $(wildcard ) does not follow VPATH.
Fixes: f02dee2d14 ("tomoyo: Do not generate empty policy files")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit e68bfbd3b3c3a0ec3cf8c230996ad8cabe90322f upstream.
When add the 'a *:* rwm' entry to devcgroup A's whitelist, at first A's
exceptions will be cleaned and A's behavior is changed to
DEVCG_DEFAULT_ALLOW. Then parent's exceptions will be copyed to A's
whitelist. If copy failure occurs, just return leaving A to grant
permissions to all devices. And A may grant more permissions than
parent.
Backup A's whitelist and recover original exceptions after copy
failure.
Cc: stable@vger.kernel.org
Fixes: 4cef7299b4 ("device_cgroup: add proper checking when changing default behavior")
Signed-off-by: Wang Weiyang <wangweiyang2@huawei.com>
Reviewed-by: Aristeu Rozanski <aris@redhat.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit c73275cf6834787ca090317f1d20dbfa3b7f05aa ]
In multi_transaction_new(), the variable t is not freed or passed out
on the failure of copy_from_user(t->data, buf, size), which could lead
to a memleak.
Fix this bug by adding a put_multi_transaction(t) in the error path.
Fixes: 1dea3b41e8 ("apparmor: speed up transactional queries")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 25369175ce84813dd99d6604e710dc2491f68523 ]
The input parameter @fields is type of struct ima_template_field ***, so
when allocates array memory for @fields, the size of element should be
sizeof(**field) instead of sizeof(*field).
Actually the original code would not cause any runtime error, but it's
better to make it logically right.
Fixes: adf53a778a ("ima: new templates management mechanism")
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Reviewed-by: Roberto Sassu <roberto.sassu@huawei.com>
Signed-off-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Changes in 4.14.299
NFSv4.1: Handle RECLAIM_COMPLETE trunking errors
NFSv4.1: We must always send RECLAIM_COMPLETE after a reboot
nfs4: Fix kmemleak when allocate slot failed
net: dsa: Fix possible memory leaks in dsa_loop_init()
nfc: s3fwrn5: Fix potential memory leak in s3fwrn5_nci_send()
nfc: nfcmrvl: Fix potential memory leak in nfcmrvl_i2c_nci_send()
net: fec: fix improper use of NETDEV_TX_BUSY
ata: pata_legacy: fix pdc20230_set_piomode()
net: sched: Fix use after free in red_enqueue()
ipvs: use explicitly signed chars
rose: Fix NULL pointer dereference in rose_send_frame()
mISDN: fix possible memory leak in mISDN_register_device()
isdn: mISDN: netjet: fix wrong check of device registration
btrfs: fix inode list leak during backref walking at resolve_indirect_refs()
btrfs: fix ulist leaks in error paths of qgroup self tests
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_reassemble_sdu
Bluetooth: L2CAP: fix use-after-free in l2cap_conn_del()
net: mdio: fix undefined behavior in bit shift for __mdiobus_register
net, neigh: Fix null-ptr-deref in neigh_table_clear()
media: s5p_cec: limit msg.len to CEC_MAX_MSG_SIZE
media: dvb-frontends/drxk: initialize err to 0
i2c: xiic: Add platform module alias
Bluetooth: L2CAP: Fix attempting to access uninitialized memory
block, bfq: protect 'bfqd->queued' by 'bfqd->lock'
btrfs: fix type of parameter generation in btrfs_get_dentry
tcp/udp: Make early_demux back namespacified.
capabilities: fix potential memleak on error path from vfs_getxattr_alloc()
ALSA: usb-audio: Add quirks for MacroSilicon MS2100/MS2106 devices
efi: random: reduce seed size to 32 bytes
parisc: Make 8250_gsc driver dependend on CONFIG_PARISC
parisc: Export iosapic_serial_irq() symbol for serial port driver
ext4: fix warning in 'ext4_da_release_space'
KVM: x86: Mask off reserved bits in CPUID.80000008H
KVM: x86: emulator: em_sysexit should update ctxt->mode
KVM: x86: emulator: introduce emulator_recalc_and_set_mode
KVM: x86: emulator: update the emulation mode after CR0 write
linux/const.h: prefix include guard of uapi/linux/const.h with _UAPI
linux/const.h: move UL() macro to include/linux/const.h
linux/bits.h: make BIT(), GENMASK(), and friends available in assembly
wifi: brcmfmac: Fix potential buffer overflow in brcmf_fweh_event_worker()
Linux 4.14.299
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id5fc7f49fbfe0ce07862d5484f49035b8c664206
commit 8cf0a1bc12870d148ae830a4ba88cfdf0e879cee upstream.
In cap_inode_getsecurity(), we will use vfs_getxattr_alloc() to
complete the memory allocation of tmpbuf, if we have completed
the memory allocation of tmpbuf, but failed to call handler->get(...),
there will be a memleak in below logic:
|-- ret = (int)vfs_getxattr_alloc(mnt_userns, ...)
| /* ^^^ alloc for tmpbuf */
|-- value = krealloc(*xattr_value, error + 1, flags)
| /* ^^^ alloc memory */
|-- error = handler->get(handler, ...)
| /* error! */
|-- *xattr_value = value
| /* xattr_value is &tmpbuf (memory leak!) */
So we will try to free(tmpbuf) after vfs_getxattr_alloc() fails to fix it.
Cc: stable@vger.kernel.org
Fixes: 8db6c34f1d ("Introduce v3 namespaced file capabilities")
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
[PM: subject line and backtrace tweaks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Changes in 4.14.291
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
ntfs: fix use-after-free in ntfs_ucsncmp()
s390/archrandom: prevent CPACF trng invocations in interrupt context
scsi: ufs: host: Hold reference returned by of_parse_phandle()
net: ping6: Fix memleak in ipv6_renew_options().
net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
netfilter: nf_queue: do not allow packet truncation below transport header offset
ARM: crypto: comment out gcc warning that breaks clang builds
mt7601u: add USB device ID for some versions of XiaoDu WiFi Dongle.
ACPI: video: Force backlight native for some TongFang devices
ACPI: video: Shortening quirk list by identifying Clevo by board_name only
macintosh/adb: fix oob read in do_adb_query() function
Makefile: link with -z noexecstack --no-warn-rwx-segments
x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments
ALSA: bcd2000: Fix a UAF bug on the error path of probing
add barriers to buffer_uptodate and set_buffer_uptodate
HID: wacom: Don't register pad_input for touch switch
KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0
KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks
KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP
ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model
ALSA: hda/cirrus - support for iMac 12,1 model
vfs: Check the truncate maximum size in inode_newsize_ok()
fs: Add missing umask strip in vfs_tmpfile
usbnet: Fix linkwatch use-after-free on disconnect
parisc: Fix device names in /proc/iomem
drm/nouveau: fix another off-by-one in nvbios_addr
drm/amdgpu: Check BO's requested pinning domains against its preferred_domains
iio: light: isl29028: Fix the warning in isl29028_remove()
fuse: limit nsec
md-raid10: fix KASAN warning
ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr()
PCI: Add defines for normal and subtractive PCI bridges
powerpc/fsl-pci: Fix Class Code of PCIe Root Port
powerpc/powernv: Avoid crashing if rng is NULL
MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
USB: HCD: Fix URB giveback issue in tasklet function
netfilter: nf_tables: fix null deref due to zeroed list head
arm64: Do not forget syscall when starting a new thread.
arm64: fix oops in concurrently setting insn_emulation sysctls
ext2: Add more validity checks for inode counts
ARM: dts: imx6ul: add missing properties for sram
ARM: dts: imx6ul: fix qspi node compatible
ARM: OMAP2+: display: Fix refcount leak bug
ACPI: PM: save NVS memory for Lenovo G40-45
ACPI: LPSS: Fix missing check in register_device_clock()
PM: hibernate: defer device probing when resuming from hibernation
selinux: Add boundary check in put_entry()
ARM: findbit: fix overflowing offset
ARM: bcm: Fix refcount leak in bcm_kona_smc_init
x86/pmem: Fix platform-device leak in error path
ARM: dts: ast2500-evb: fix board compatible
soc: fsl: guts: machine variable might be unset
cpufreq: zynq: Fix refcount leak in zynq_get_revision
ARM: dts: qcom: pm8841: add required thermal-sensor-cells
arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node
regulator: of: Fix refcount leak bug in of_get_regulation_constraints()
thermal/tools/tmon: Include pthread and time headers in tmon.h
dm: return early from dm_pr_call() if DM device is suspended
drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers()
drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff function
i2c: Fix a potential use after free
ath9k: fix use-after-free in ath9k_hif_usb_rx_cb
wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd()
drm: bridge: adv7511: Add check for mipi_dsi_driver_register
media: hdpvr: fix error value returns in hdpvr_read
drm/vc4: dsi: Correct DSI divider calculations
drm/rockchip: vop: Don't crash for invalid duplicate_state()
drm/mediatek: dpi: Remove output format of YUV
drm: bridge: sii8620: fix possible off-by-one
media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment
tcp: make retransmitted SKB fit into the send window
selftests: timers: valid-adjtimex: build fix for newer toolchains
selftests: timers: clocksource-switch: fix passing errors from child
fs: check FMODE_LSEEK to control internal pipe splicing
wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi()
wifi: p54: Fix an error handling path in p54spi_probe()
wifi: p54: add missing parentheses in p54_flush()
can: pch_can: do not report txerr and rxerr during bus-off
can: rcar_can: do not report txerr and rxerr during bus-off
can: sja1000: do not report txerr and rxerr during bus-off
can: hi311x: do not report txerr and rxerr during bus-off
can: sun4i_can: do not report txerr and rxerr during bus-off
can: usb_8dev: do not report txerr and rxerr during bus-off
can: error: specify the values of data[5..7] of CAN error frames
can: pch_can: pch_can_error(): initialize errc before using it
Bluetooth: hci_intel: Add check for platform_driver_register
i2c: cadence: Support PEC for SMBus block read
i2c: mux-gpmux: Add of_node_put() when breaking out of loop
wifi: wil6210: debugfs: fix uninitialized variable use in `wil_write_file_wmi()`
wifi: libertas: Fix possible refcount leak in if_usb_probe()
net: rose: fix netdev reference changes
dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock
mtd: maps: Fix refcount leak in of_flash_probe_versatile
mtd: maps: Fix refcount leak in ap_flash_init
mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release
mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path
fpga: altera-pr-ip: fix unsigned comparison with less than zero
usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe
usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe
misc: rtsx: Fix an error handling path in rtsx_pci_probe()
mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch
memstick/ms_block: Fix some incorrect memory allocation
memstick/ms_block: Fix a memory leak
mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R
scsi: smartpqi: Fix DMA direction for RAID requests
usb: gadget: udc: amd5536 depends on HAS_DMA
RDMA/hfi1: fix potential memory leak in setup_base_ctxt()
gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data()
mmc: cavium-octeon: Add of_node_put() when breaking out of loop
mmc: cavium-thunderx: Add of_node_put() when breaking out of loop
USB: serial: fix tty-port initialized comments
platform/olpc: Fix uninitialized data in debugfs write
mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region
RDMA/rxe: Fix error unwind in rxe_create_qp()
ext4: recover csum seed of tmp_inode after migrating to extents
jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted
ASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe
ASoC: codecs: da7210: add check for i2c_add_driver
ASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe
profiling: fix shift too large makes kernel panic
tty: n_gsm: fix non flow control frames during mux flow off
tty: n_gsm: fix packet re-transmission without open control channel
tty: n_gsm: fix race condition in gsmld_write()
remoteproc: qcom: wcnss: Fix handling of IRQs
vfio/ccw: Do not change FSM state in subchannel event
tty: n_gsm: fix wrong T1 retry count handling
tty: n_gsm: fix DM command
iommu/exynos: Handle failed IOMMU device registration properly
kfifo: fix kfifo_to_user() return type
mfd: t7l66xb: Drop platform disable callback
iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of loop
s390/zcore: fix race when reading from hardware system area
video: fbdev: amba-clcd: Fix refcount leak bugs
video: fbdev: sis: fix typos in SiS_GetModeID()
powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias
powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader
powerpc/xive: Fix refcount leak in xive_get_max_prio
powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address
kprobes: Forbid probing on trampoline and BPF code areas
powerpc/pci: Fix PHB numbering when using opal-phbid
genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined HAVE_LIBCRYPTO
x86/numa: Use cpumask_available instead of hardcoded NULL check
video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock()
tools/thermal: Fix possible path truncations
video: fbdev: vt8623fb: Check the size of screen before memset_io()
video: fbdev: arkfb: Check the size of screen before memset_io()
video: fbdev: s3fb: Check the size of screen before memset_io()
scsi: zfcp: Fix missing auto port scan and thus missing target ports
x86/olpc: fix 'logical not is only applied to the left hand side'
spmi: trace: fix stack-out-of-bound access in SPMI tracing functions
ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h
ext4: make sure ext4_append() always allocates new block
ext4: fix use-after-free in ext4_xattr_set_entry
ext4: update s_overhead_clusters in the superblock during an on-line resize
ext4: fix extent status tree race in writeback error recovery path
ext4: correct max_inline_xattr_value_size computing
ext4: correct the misjudgment in ext4_iget_extra_inode
intel_th: pci: Add Raptor Lake-S CPU support
intel_th: pci: Add Raptor Lake-S PCH support
intel_th: pci: Add Meteor Lake-P support
dm raid: fix address sanitizer warning in raid_resume
dm raid: fix address sanitizer warning in raid_status
net_sched: cls_route: remove from list when handle is 0
btrfs: reject log replay if there is unsupported RO compat flag
KVM: Add infrastructure and macro to mark VM as bugged
KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq
KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast()
tcp: fix over estimation in sk_forced_mem_schedule()
scsi: sg: Allow waiting for commands to complete on removed device
Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP"
Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression
net/9p: Initialize the iounit field during fid creation
net_sched: cls_route: disallow handle of 0
powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E
ALSA: info: Fix llseek return value when using callback
rds: add missing barrier to release_refill
ata: libata-eh: Add missing command name
btrfs: fix lost error handling when looking up extended ref on log replay
can: ems_usb: fix clang's -Wunaligned-access warning
apparmor: fix quiet_denied for file rules
apparmor: Fix failed mount permission check error message
apparmor: fix aa_label_asxprint return check
apparmor: fix reference count leak in aa_pivotroot()
NFSv4: Fix races in the legacy idmapper upcall
NFSv4.1: RECLAIM_COMPLETE must handle EACCES
SUNRPC: Reinitialise the backchannel request buffers before reuse
pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map
pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed
ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool
geneve: do not use RT_TOS for IPv6 flowlabel
vsock: Fix memory leak in vsock_connect()
vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
tools build: Switch to new openssl API for test-libcrypto
xen/xenbus: fix return type in xenbus_file_read()
atm: idt77252: fix use-after-free bugs caused by tst_timer
nios2: page fault et.al. are *not* restartable syscalls...
nios2: don't leave NULLs in sys_call_table[]
nios2: traced syscall does need to check the syscall number
nios2: fix syscall restart checks
nios2: restarts apply only to the first sigframe we build...
nios2: add force_successful_syscall_return()
netfilter: nf_tables: really skip inactive sets when allocating name
powerpc/pci: Fix get_phb_number() locking
i40e: Fix to stop tx_timeout recovery if GLOBR fails
fec: Fix timer capture timing in `fec_ptp_enable_pps()`
igb: Add lock to avoid data race
kbuild: clear LDFLAGS in the top Makefile
btrfs: only write the sectors in the vertical stripe which has data stripes
btrfs: raid56: don't trust any cached sector in __raid56_parity_recover()
drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors()
PCI: Add ACS quirk for Broadcom BCM5750x NICs
irqchip/tegra: Fix overflow implicit truncation warnings
usb: host: ohci-ppc-of: Fix refcount leak bug
clk: qcom: ipq8074: dont disable gcc_sleep_clk_src
gadgetfs: ep_io - wait until IRQ finishes
cxl: Fix a memory leak in an error handling path
drivers:md:fix a potential use-after-free bug
ext4: avoid remove directory when directory is corrupted
ext4: avoid resizing to a partial cluster size
tty: serial: Fix refcount leak bug in ucc_uart.c
vfio: Clear the caps->buf to NULL after free
mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start
ALSA: core: Add async signal helpers
ALSA: timer: Use deferred fasync helper
smb3: check xattr value length earlier
powerpc/64: Init jump labels before parse_early_param()
video: fbdev: i740fb: Check the argument of i740_calc_vclk()
MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0
Linux 4.14.291
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I05ae298bdce8b81c6613d845a84158d74bb3cd8f
commit 11c3627ec6b56c1525013f336f41b79a983b4d46 upstream.
The aa_pivotroot() function has a reference counting bug in a specific
path. When aa_replace_current_label() returns on success, the function
forgets to decrement the reference count of “target”, which is
increased earlier by build_pivotroot(), causing a reference leak.
Fix it by decreasing the refcount of “target” in that path.
Fixes: 2ea3ffb778 ("apparmor: add mount mediation")
Co-developed-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Co-developed-by: Xin Tan <tanxin.ctf@gmail.com>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
Signed-off-by: Xin Xiong <xiongx18@fudan.edu.cn>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3e2a3a0830a2090e766d0d887d52c67de2a6f323 upstream.
Clang static analysis reports this issue
label.c:1802:3: warning: 2nd function call argument
is an uninitialized value
pr_info("%s", str);
^~~~~~~~~~~~~~~~~~
str is set from a successful call to aa_label_asxprint(&str, ...)
On failure a negative value is returned, not a -1. So change
the check.
Fixes: f1bd904175 ("apparmor: add the base fns() for domain labels")
Signed-off-by: Tom Rix <trix@redhat.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ec240b5905bbb09a03dccffee03062cf39e38dc2 upstream.
When the mount check fails due to a permission check failure instead
of explicitly at one of the subcomponent checks, AppArmor is reporting
a failure in the flags match. However this is not true and AppArmor
can not attribute the error at this point to any particular component,
and should only indicate the mount failed due to missing permissions.
Fixes: 2ea3ffb778 ("apparmor: add mount mediation")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 68ff8540cc9e4ab557065b3f635c1ff4c96e1f1c upstream.
Global quieting of denied AppArmor generated file events is not
handled correctly. Unfortunately the is checking if quieting of all
audit events is set instead of just denied events.
Fixes: 67012e8209 ("AppArmor: basic auditing infrastructure.")
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 15ec76fb29be31df2bccb30fc09875274cba2776 ]
Just like next_entry(), boundary check is necessary to prevent memory
out-of-bound access.
Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Changes in 4.14.276
USB: serial: pl2303: add IBM device IDs
USB: serial: simple: add Nokia phone driver
netdevice: add the case if dev is NULL
virtio_console: break out of buf poll on remove
ethernet: sun: Free the coherent when failing in probing
spi: Fix invalid sgs value
spi: Fix erroneous sgs value with min_t()
af_key: add __GFP_ZERO flag for compose_sadb_supported in function pfkey_register
fuse: fix pipe buffer lifetime for direct_io
tpm: fix reference counting for struct tpm_chip
block: Add a helper to validate the block size
virtio-blk: Use blk_validate_block_size() to validate block size
USB: usb-storage: Fix use of bitfields for hardware data in ene_ub6250.c
coresight: Fix TRCCONFIGR.QE sysfs interface
iio: inkern: apply consumer scale on IIO_VAL_INT cases
iio: inkern: apply consumer scale when no channel scale is available
iio: inkern: make a best effort on offset calculation
clk: uniphier: Fix fixed-rate initialization
ptrace: Check PTRACE_O_SUSPEND_SECCOMP permission on PTRACE_SEIZE
Documentation: add link to stable release candidate tree
Documentation: update stable tree link
SUNRPC: avoid race between mod_timer() and del_timer_sync()
NFSD: prevent underflow in nfssvc_decode_writeargs()
pinctrl: samsung: drop pin banks references on error paths
can: ems_usb: ems_usb_start_xmit(): fix double dev_kfree_skb() in error path
jffs2: fix use-after-free in jffs2_clear_xattr_subsystem
jffs2: fix memory leak in jffs2_do_mount_fs
jffs2: fix memory leak in jffs2_scan_medium
mm/pages_alloc.c: don't create ZONE_MOVABLE beyond the end of a node
mempolicy: mbind_range() set_policy() after vma_merge()
scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands
qed: display VF trust config
qed: validate and restrict untrusted VFs vlan promisc mode
Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads"
ALSA: cs4236: fix an incorrect NULL check on list iterator
drbd: fix potential silent data corruption
ACPI: properties: Consistently return -ENOENT if there are no more references
drivers: hamradio: 6pack: fix UAF bug caused by mod_timer()
video: fbdev: sm712fb: Fix crash in smtcfb_read()
video: fbdev: atari: Atari 2 bpp (STe) palette bugfix
ARM: dts: at91: sama5d2: Fix PMERRLOC resource size
ARM: dts: exynos: fix UART3 pins configuration in Exynos5250
ARM: dts: exynos: add missing HDMI supplies on SMDK5250
ARM: dts: exynos: add missing HDMI supplies on SMDK5420
carl9170: fix missing bit-wise or operator for tx_params
thermal: int340x: Increase bitmap size
lib/raid6/test: fix multiple definition linking error
DEC: Limit PMAX memory probing to R3k systems
media: davinci: vpif: fix unbalanced runtime PM get
brcmfmac: firmware: Allocate space for default boardrev in nvram
brcmfmac: pcie: Replace brcmf_pcie_copy_mem_todev with memcpy_toio
PCI: pciehp: Clear cmd_busy bit in polling mode
crypto: authenc - Fix sleep in atomic context in decrypt_tail
crypto: mxs-dcp - Fix scatterlist processing
spi: tegra114: Add missing IRQ check in tegra_spi_probe
selftests/x86: Add validity check and allow field splitting
spi: pxa2xx-pci: Balance reference count for PCI DMA device
hwmon: (pmbus) Add mutex to regulator ops
hwmon: (sch56xx-common) Replace WDOG_ACTIVE with WDOG_HW_RUNNING
PM: hibernate: fix __setup handler error handling
PM: suspend: fix return value of __setup handler
hwrng: atmel - disable trng on failure path
crypto: vmx - add missing dependencies
ACPI: APEI: fix return value of __setup handlers
crypto: ccp - ccp_dmaengine_unregister release dma channels
hwmon: (pmbus) Add Vin unit off handling
clocksource: acpi_pm: fix return value of __setup handler
sched/debug: Remove mpol_get/put and task_lock/unlock from sched_show_numa
perf/core: Fix address filter parser for multiple filters
perf/x86/intel/pt: Fix address filter config for 32-bit kernel
media: coda: Fix missing put_device() call in coda_get_vdoa_data
video: fbdev: smscufx: Fix null-ptr-deref in ufx_usb_probe()
video: fbdev: fbcvt.c: fix printing in fb_cvt_print_name()
ARM: dts: qcom: ipq4019: fix sleep clock
soc: ti: wkup_m3_ipc: Fix IRQ check in wkup_m3_ipc_probe
media: usb: go7007: s2250-board: fix leak in probe()
ASoC: ti: davinci-i2s: Add check for clk_enable()
ALSA: spi: Add check for clk_enable()
arm64: dts: ns2: Fix spi-cpol and spi-cpha property
arm64: dts: broadcom: Fix sata nodename
printk: fix return value of printk.devkmsg __setup handler
ASoC: mxs-saif: Handle errors for clk_enable
ASoC: atmel_ssc_dai: Handle errors for clk_enable
memory: emif: Add check for setup_interrupts
memory: emif: check the pointer temp in get_device_details()
ALSA: firewire-lib: fix uninitialized flag for AV/C deferred transaction
media: stk1160: If start stream fails, return buffers with VB2_BUF_STATE_QUEUED
ASoC: atmel: Add missing of_node_put() in at91sam9g20ek_audio_probe
ASoC: wm8350: Handle error for wm8350_register_irq
ASoC: fsi: Add check for clk_enable
video: fbdev: omapfb: Add missing of_node_put() in dvic_probe_of
ASoC: dmaengine: do not use a NULL prepare_slave_config() callback
ASoC: mxs: Fix error handling in mxs_sgtl5000_probe
ASoC: imx-es8328: Fix error return code in imx_es8328_probe()
ASoC: msm8916-wcd-digital: Fix missing clk_disable_unprepare() in msm8916_wcd_digital_probe
mtd: onenand: Check for error irq
drm/edid: Don't clear formats if using deep color
ath9k_htc: fix uninit value bugs
power: reset: gemini-poweroff: Fix IRQ check in gemini_poweroff_probe
ray_cs: Check ioremap return value
power: supply: ab8500: Fix memory leak in ab8500_fg_sysfs_init
HID: i2c-hid: fix GET/SET_REPORT for unnumbered reports
iwlwifi: Fix -EIO error code that is never returned
dm crypt: fix get_key_size compiler warning if !CONFIG_KEYS
scsi: pm8001: Fix command initialization in pm80XX_send_read_log()
scsi: pm8001: Fix command initialization in pm8001_chip_ssp_tm_req()
scsi: pm8001: Fix payload initialization in pm80xx_set_thermal_config()
scsi: pm8001: Fix abort all task initialization
TOMOYO: fix __setup handlers return values
ext2: correct max file size computing
drm/tegra: Fix reference leak in tegra_dsi_ganged_probe
power: supply: bq24190_charger: Fix bq24190_vbus_is_enabled() wrong false return
KVM: x86: Fix emulation in writing cr8
KVM: x86/emulator: Defer not-present segment check in __load_segment_descriptor()
i2c: xiic: Make bus names unique
power: supply: wm8350-power: Handle error for wm8350_register_irq
power: supply: wm8350-power: Add missing free in free_charger_irq
PCI: Reduce warnings on possible RW1C corruption
powerpc/sysdev: fix incorrect use to determine if list is empty
mfd: mc13xxx: Add check for mc13xxx_irq_request
vxcan: enable local echo for sent CAN frames
MIPS: RB532: fix return value of __setup handler
mtd: rawnand: atmel: fix refcount issue in atmel_nand_controller_init
USB: storage: ums-realtek: fix error code in rts51x_read_mem()
af_netlink: Fix shift out of bounds in group mask calculation
i2c: mux: demux-pinctrl: do not deactivate a master that is not active
tcp: ensure PMTU updates are processed during fastopen
mfd: asic3: Add missing iounmap() on error asic3_mfd_probe
mxser: fix xmit_buf leak in activate when LSR == 0xff
pwm: lpc18xx-sct: Initialize driver data and hardware before pwmchip_add()
staging:iio:adc:ad7280a: Fix handing of device address bit reversing.
serial: 8250_mid: Balance reference count for PCI DMA device
serial: 8250: Fix race condition in RTS-after-send handling
iio: adc: Add check for devm_request_threaded_irq
clk: qcom: clk-rcg2: Update the frac table for pixel clock
remoteproc: qcom_wcnss: Add missing of_node_put() in wcnss_alloc_memory_region
clk: loongson1: Terminate clk_div_table with sentinel element
clk: clps711x: Terminate clk_div_table with sentinel element
clk: tegra: tegra124-emc: Fix missing put_device() call in emc_ensure_emc_driver
NFS: remove unneeded check in decode_devicenotify_args()
pinctrl: mediatek: Fix missing of_node_put() in mtk_pctrl_init
pinctrl: nomadik: Add missing of_node_put() in nmk_pinctrl_probe
pinctrl/rockchip: Add missing of_node_put() in rockchip_pinctrl_probe
tty: hvc: fix return value of __setup handler
kgdboc: fix return value of __setup handler
kgdbts: fix return value of __setup handler
jfs: fix divide error in dbNextAG
netfilter: nf_conntrack_tcp: preserve liberal flag in tcp options
xen: fix is_xen_pmu()
net: phy: broadcom: Fix brcm_fet_config_init()
qlcnic: dcb: default to returning -EOPNOTSUPP
net/x25: Fix null-ptr-deref caused by x25_disconnect
NFSv4/pNFS: Fix another issue with a list iterator pointing to the head
lib/test: use after free in register_test_dev_kmod()
selinux: use correct type for context length
loop: use sysfs_emit() in the sysfs xxx show()
Fix incorrect type in assignment of ipv6 port for audit
irqchip/nvic: Release nvic_base upon failure
ACPICA: Avoid walking the ACPI Namespace if it is not there
ACPI/APEI: Limit printable size of BERT table data
PM: core: keep irq flags in device_pm_check_callbacks()
spi: tegra20: Use of_device_get_match_data()
ext4: don't BUG if someone dirty pages without asking ext4 first
ntfs: add sanity check on allocation size
video: fbdev: nvidiafb: Use strscpy() to prevent buffer overflow
video: fbdev: w100fb: Reset global state
video: fbdev: cirrusfb: check pixclock to avoid divide by zero
video: fbdev: omapfb: acx565akm: replace snprintf with sysfs_emit
ARM: dts: qcom: fix gic_irq_domain_translate warnings for msm8960
ARM: dts: bcm2837: Add the missing L1/L2 cache information
video: fbdev: omapfb: panel-dsi-cm: Use sysfs_emit() instead of snprintf()
video: fbdev: omapfb: panel-tpo-td043mtea1: Use sysfs_emit() instead of snprintf()
ASoC: soc-core: skip zero num_dai component in searching dai name
media: cx88-mpeg: clear interrupt status register before streaming video
ARM: tegra: tamonten: Fix I2C3 pad setting
ARM: mmp: Fix failure to remove sram device
video: fbdev: sm712fb: Fix crash in smtcfb_write()
media: hdpvr: initialize dev->worker at hdpvr_register_videodev
mmc: host: Return an error when ->enable_sdio_irq() ops is missing
powerpc/lib/sstep: Fix 'sthcx' instruction
powerpc/lib/sstep: Fix build errors with newer binutils
scsi: qla2xxx: Fix warning for missing error code
scsi: qla2xxx: Suppress a kernel complaint in qla_create_qpair()
KVM: Prevent module exit until all VMs are freed
ubifs: rename_whiteout: Fix double free for whiteout_ui->data
ubifs: Add missing iput if do_tmpfile() failed in rename whiteout
ubifs: setflags: Make dirtied_ino_d 8 bytes aligned
ubifs: rename_whiteout: correct old_dir size computing
can: mcba_usb: mcba_usb_start_xmit(): fix double dev_kfree_skb in error path
can: mcba_usb: properly check endpoint type
gfs2: Make sure FITRIM minlen is rounded up to fs block size
pinctrl: pinconf-generic: Print arguments for bias-pull-*
ubi: Fix race condition between ctrl_cdev_ioctl and ubi_cdev_ioctl
ACPI: CPPC: Avoid out of bounds access when parsing _CPC data
mm/mmap: return 1 from stack_guard_gap __setup() handler
mm/memcontrol: return 1 from cgroup.memory __setup() handler
ubi: fastmap: Return error code if memory allocation fails in add_aeb()
ASoC: topology: Allow TLV control to be either read or write
ARM: dts: spear1340: Update serial node properties
ARM: dts: spear13xx: Update SPI dma properties
openvswitch: Fixed nd target mask field in the flow dump.
KVM: x86: Forbid VMM to set SYNIC/STIMER MSRs when SynIC wasn't activated
ubifs: Rectify space amount budget for mkdir/tmpfile operations
rtc: wm8350: Handle error for wm8350_register_irq
ARM: 9187/1: JIVE: fix return value of __setup handler
KVM: x86/svm: Clear reserved bits written to PerfEvtSeln MSRs
ath5k: fix OOB in ath5k_eeprom_read_pcal_info_5111
ptp: replace snprintf with sysfs_emit
powerpc: dts: t104xrdb: fix phy type for FMAN 4/5
scsi: mvsas: Replace snprintf() with sysfs_emit()
scsi: bfa: Replace snprintf() with sysfs_emit()
power: supply: axp20x_battery: properly report current when discharging
powerpc: Set crashkernel offset to mid of RMA region
PCI: aardvark: Fix support for MSI interrupts
iommu/arm-smmu-v3: fix event handling soft lockup
dm ioctl: prevent potential spectre v1 gadget
scsi: pm8001: Fix pm8001_mpi_task_abort_resp()
scsi: aha152x: Fix aha152x_setup() __setup handler return value
net/smc: correct settings of RMB window update limit
macvtap: advertise link netns via netlink
bnxt_en: Eliminate unintended link toggle during FW reset
MIPS: fix fortify panic when copying asm exception handlers
scsi: libfc: Fix use after free in fc_exch_abts_resp()
usb: dwc3: omap: fix "unbalanced disables for smps10_out1" on omap5evm
xtensa: fix DTC warning unit_address_format
Bluetooth: Fix use after free in hci_send_acl
init/main.c: return 1 from handled __setup() functions
w1: w1_therm: fixes w1_seq for ds28ea00 sensors
SUNRPC/call_alloc: async tasks mustn't block waiting for memory
NFS: swap IO handling is slightly different for O_DIRECT IO
NFS: swap-out must always use STABLE writes.
serial: samsung_tty: do not unlock port->lock for uart_write_wakeup()
virtio_console: eliminate anonymous module_init & module_exit
jfs: prevent NULL deref in diFree
parisc: Fix CPU affinity for Lasi, WAX and Dino chips
ipv6: add missing tx timestamping on IPPROTO_RAW
net: add missing SOF_TIMESTAMPING_OPT_ID support
mm: fix race between MADV_FREE reclaim and blkdev direct IO read
drm/amdgpu: fix off by one in amdgpu_gfx_kiq_acquire()
scsi: zorro7xx: Fix a resource leak in zorro7xx_remove_one()
net: stmmac: Fix unset max_speed difference between DT and non-DT platforms
drm/imx: Fix memory leak in imx_pd_connector_get_modes
drbd: Fix five use after free bugs in get_initial_state
Revert "mmc: sdhci-xenon: fix annoying 1.8V regulator warning"
mmmremap.c: avoid pointless invalidate_range_start/end on mremap(old_size=0)
mm/mempolicy: fix mpol_new leak in shared_policy_replace
x86/pm: Save the MSR validity status at context setup
x86/speculation: Restore speculation related MSRs during S3 resume
btrfs: fix qgroup reserve overflow the qgroup limit
arm64: patch_text: Fixup last cpu should be master
perf: qcom_l2_pmu: fix an incorrect NULL check on list iterator
tools build: Use $(shell ) instead of `` to get embedded libperl's ccopts
dmaengine: Revert "dmaengine: shdma: Fix runtime PM imbalance on error"
mm: don't skip swap entry even if zap_details specified
arm64: module: remove (NOLOAD) from linker script
mm/sparsemem: fix 'mem_section' will never be NULL gcc 12 warning
cgroup: Use open-time credentials for process migraton perm checks
cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv
cgroup: Use open-time cgroup namespace for process migration perm checks
xfrm: policy: match with both mark and mask on user interfaces
memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
veth: Ensure eth header is in skb's linear part
gpiolib: acpi: use correct format characters
mlxsw: i2c: Fix initialization error flow
net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
nfc: nci: add flush_workqueue to prevent uaf
cifs: potential buffer overflow in handling symlinks
drm/amd: Add USBC connector ID
drm/amdkfd: Check for potential null return of kmalloc_array()
Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
scsi: target: tcmu: Fix possible page UAF
scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
net: micrel: fix KS8851_MLL Kconfig
ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
gpu: ipu-v3: Fix dev_dbg frequency output
scsi: mvsas: Add PCI ID of RocketRaid 2640
drivers: net: slip: fix NPD bug in sl_tx_timeout()
mm, page_alloc: fix build_zonerefs_node()
mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
gcc-plugins: latent_entropy: use /dev/urandom
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
ARM: davinci: da850-evm: Avoid NULL pointer dereference
smp: Fix offline cpu check in flush_smp_call_function_queue()
i2c: pasemi: Wait for write xfers to finish
Linux 4.14.276
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I45d8292ce654c0236758030a89b4618cf3a3d87b
[ Upstream commit a5cd1ab7ab679d252a6d2f483eee7d45ebf2040c ]
Remove inappropriate use of ntohs() and assign the
port value directly.
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b97df7c098c531010e445da88d02b7bf7bf59ef6 ]
security_sid_to_context() expects a pointer to an u32 as the address
where to store the length of the computed context.
Reported by sparse:
security/selinux/xfrm.c:359:39: warning: incorrect type in arg 4
(different signedness)
security/selinux/xfrm.c:359:39: expected unsigned int
[usertype] *scontext_len
security/selinux/xfrm.c:359:39: got int *
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
[PM: wrapped commit description]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 39844b7e3084baecef52d1498b5fa81afa2cefa9 ]
__setup() handlers should return 1 if the parameter is handled.
Returning 0 causes the entire string to be added to init's
environment strings (limited to 32 strings), unnecessarily polluting it.
Using the documented strings "TOMOYO_loader=string1" and
"TOMOYO_trigger=string2" causes an Unknown parameter message:
Unknown kernel command line parameters
"BOOT_IMAGE=/boot/bzImage-517rc5 TOMOYO_loader=string1 \
TOMOYO_trigger=string2", will be passed to user space.
and these strings are added to init's environment string space:
Run /sbin/init as init process
with arguments:
/sbin/init
with environment:
HOME=/
TERM=linux
BOOT_IMAGE=/boot/bzImage-517rc5
TOMOYO_loader=string1
TOMOYO_trigger=string2
With this change, these __setup handlers act as expected,
and init's environment is not polluted with these strings.
Fixes: 0e4ae0e0de ("TOMOYO: Make several options configurable.")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: Igor Zhbanov <i.zhbanov@omprussia.ru>
Link: https://lore.kernel.org/r/64644a2f-4a20-bab3-1e15-3b2cdd0defe3@omprussia.ru
Cc: James Morris <jmorris@namei.org>
Cc: Kentaro Takeda <takedakn@nttdata.co.jp>
Cc: tomoyo-dev-en@lists.osdn.me
Cc: "Serge E. Hallyn" <serge@hallyn.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Sasha Levin <sashal@kernel.org>
