70f98fe87ab5b332fa6308ae9f05da170d65e9f6
715 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
|
|
63b65950a4 | Merge remote-tracking branch 'android-stable/android-4.14-stable' into dev-base | ||
|
|
8dcc1922ac |
Merge remote-tracking branch 'aosp/android-4.14-stable' into android11-base
* aosp/android-4.14-stable:
Linux 4.14.248
drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV
blk-throttle: fix UAF by deleteing timer in blk_throtl_exit()
pwm: rockchip: Don't modify HW state in .remove() callback
nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group
nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group
nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group
nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group
nilfs2: fix NULL pointer in nilfs_##name##_attr_release
nilfs2: fix memory leak in nilfs_sysfs_create_device_group
ceph: lockdep annotations for try_nonblocking_invalidate
dmaengine: xilinx_dma: Set DMA mask for coherent APIs
dmaengine: ioat: depends on !UML
parisc: Move pci_dev_is_behind_card_dino to where it is used
Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH
pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered
profiling: fix shift-out-of-bounds bugs
prctl: allow to setup brk for et_dyn executables
9p/trans_virtio: Remove sysfs file on probe failure
thermal/drivers/exynos: Fix an error code in exynos_tmu_probe()
dmaengine: acpi: Avoid comparison GSI with Linux vIRQ
sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
sctp: validate chunk size in __rcv_asconf_lookup
crypto: talitos - fix max key size for sha384 and sha512
apparmor: remove duplicate macro list_entry_is_head()
rcu: Fix missed wakeup of exp_wq waiters
s390/bpf: Fix optimizing out zero-extensions
Linux 4.14.247
s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant
net: renesas: sh_eth: Fix freeing wrong tx descriptor
qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom
netfilter: socket: icmp6: fix use-after-scope
net: dsa: b53: Fix calculating number of switch ports
ARC: export clear_user_page() for modules
mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()'
PCI: Sync __pci_register_driver() stub for CONFIG_PCI=n
ethtool: Fix an error code in cxgb2.c
net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920
PCI: Add ACS quirks for Cavium multi-function devices
mfd: Don't use irq_create_mapping() to resolve a mapping
dt-bindings: mtd: gpmc: Fix the ECC bytes vs. OOB bytes equation
mm/memory_hotplug: use "unsigned long" for PFN in zone_for_pfn_range()
tcp: fix tp->undo_retrans accounting in tcp_sacktag_one()
net/af_unix: fix a data-race in unix_dgram_poll
events: Reuse value read using READ_ONCE instead of re-reading it
tipc: increase timeout in tipc_sk_enqueue()
r6040: Restore MDIO clock frequency after MAC reset
net/l2tp: Fix reference count leak in l2tp_udp_recv_core
dccp: don't duplicate ccid when cloning dccp sock
ptp: dp83640: don't define PAGE0
net-caif: avoid user-triggerable WARN_ON(1)
x86/mm: Fix kern_addr_valid() to cope with existing but not present entries
PM: base: power: don't try to use non-existing RTC for storing data
bnx2x: Fix enabling network interfaces without VFs
xen: reset legacy rtc flag for PV domU
platform/chrome: cros_ec_proto: Send command again when timeout occurs
memcg: enable accounting for pids in nested pid namespaces
mm/hugetlb: initialize hugetlb_usage in mm_init
cpufreq: powernv: Fix init_chip_info initialization in numa=off
scsi: qla2xxx: Sync queue idx with queue_pair_map idx
scsi: BusLogic: Fix missing pr_cont() use
parisc: fix crash with signals and alloca
net: w5100: check return value after calling platform_get_resource()
net: fix NULL pointer reference in cipso_v4_doi_free
ath9k: fix sleeping in atomic context
ath9k: fix OOB read ar9300_eeprom_restore_internal
parport: remove non-zero check on count
ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B
ASoC: rockchip: i2s: Fix regmap_ops hang
usbip:vhci_hcd USB port can get stuck in the disabled state
usbip: give back URBs for unsent unlink requests during cleanup
usb: musb: musb_dsps: request_irq() after initializing musb
Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set"
cifs: fix wrong release in sess_alloc_buffer() failed path
selftests/bpf: Enlarge select() timeout for test_maps
mmc: rtsx_pci: Fix long reads when clock is prescaled
mmc: sdhci-of-arasan: Check return value of non-void funtions
gfs2: Don't call dlm after protocol is unmounted
staging: rts5208: Fix get_ms_information() heap buffer size
rpc: fix gss_svc_init cleanup on failure
ARM: tegra: tamonten: Fix UART pad setting
gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port()
Bluetooth: avoid circular locks in sco_sock_connect
net: ethernet: stmmac: Do not use unreachable() in ipq806x_gmac_probe()
arm64: dts: qcom: sdm660: use reg value for memory node
media: v4l2-dv-timings.c: fix wrong condition in two for-loops
ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps for the matching in-/output
Bluetooth: skip invalid hci_sync_conn_complete_evt
ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init()
staging: ks7010: Fix the initialization of the 'sleep_status' structure
serial: 8250_pci: make setup_port() parameters explicitly unsigned
hvsi: don't panic on tty_register_driver failure
xtensa: ISS: don't panic in rs_init
serial: 8250: Define RX trigger levels for OxSemi 950 devices
s390/jump_label: print real address in a case of a jump label bug
flow_dissector: Fix out-of-bounds warnings
ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs()
video: fbdev: riva: Error out if 'pixclock' equals zero
video: fbdev: kyro: Error out if 'pixclock' equals zero
video: fbdev: asiliantfb: Error out if 'pixclock' equals zero
bpf/tests: Do not PASS tests without actually testing the result
bpf/tests: Fix copy-and-paste error in double word test
tty: serial: jsm: hold port lock when reporting modem line changes
staging: board: Fix uninitialized spinlock when attaching genpd
usb: gadget: composite: Allow bMaxPower=0 if self-powered
usb: gadget: u_ether: fix a potential null pointer dereference
usb: host: fotg210: fix the actual_length of an iso packet
usb: host: fotg210: fix the endpoint's transactional opportunities calculation
Smack: Fix wrong semantics in smk_access_entry()
netlink: Deal with ESRCH error in nlmsg_notify()
video: fbdev: kyro: fix a DoS bug by restricting user input
ARM: dts: qcom: apq8064: correct clock names
iio: dac: ad5624r: Fix incorrect handling of an optional regulator.
PCI: Use pci_update_current_state() in pci_enable_device_flags()
crypto: mxs-dcp - Use sg_mapping_iter to copy data
media: dib8000: rewrite the init prbs logic
MIPS: Malta: fix alignment of the devicetree buffer
scsi: qedi: Fix error codes in qedi_alloc_global_queues()
pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry()
openrisc: don't printk() unconditionally
vfio: Use config not menuconfig for VFIO_NOIOMMU
pinctrl: samsung: Fix pinctrl bank pin count
docs: Fix infiniband uverbs minor number
RDMA/iwcm: Release resources if iw_cm module initialization fails
HID: input: do not report stylus battery state as "full"
PCI: aardvark: Fix masking and unmasking legacy INTx interrupts
PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response
PCI: xilinx-nwl: Enable the clock through CCF
PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure
PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported
ARM: 9105/1: atags_to_fdt: don't warn about stack size
libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs
media: rc-loopback: return number of emitters rather than error
media: uvc: don't do DMA on stack
VMCI: fix NULL pointer dereference when unmapping queue pair
dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc()
power: supply: max17042: handle fails of reading status register
block: bfq: fix bfq_set_next_ioprio_data()
crypto: public_key: fix overflow during implicit conversion
soc: aspeed: lpc-ctrl: Fix boundary check for mmap
9p/xen: Fix end of loop tests for list_for_each_entry
include/linux/list.h: add a macro to test if entry is pointing to the head
xen: fix setting of max_pfn in shared_info
powerpc/perf/hv-gpci: Fix counter value parsing
PCI/MSI: Skip masking MSI-X on Xen PV
blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN
blk-zoned: allow zone management send operations without CAP_SYS_ADMIN
rtc: tps65910: Correct driver module alias
fbmem: don't allow too huge resolutions
clk: kirkwood: Fix a clocking boot regression
backlight: pwm_bl: Improve bootloader/kernel device handover
IMA: remove -Wmissing-prototypes warning
KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is adjusted
x86/resctrl: Fix a maybe-uninitialized build warning treated as error
tty: Fix data race between tiocsti() and flush_to_ldisc()
netns: protect netns ID lookups with RCU
net: qualcomm: fix QCA7000 checksum handling
net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed
ipv4: make exception cache less predictible
bcma: Fix memory leak for internally-handled cores
ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point()
tty: serial: fsl_lpuart: fix the wrong mapbase value
usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available
usb: ehci-orion: Handle errors of clk_prepare_enable() in probe
i2c: mt65xx: fix IRQ check
CIFS: Fix a potencially linear read overflow
mmc: moxart: Fix issue with uninitialized dma_slave_config
mmc: dw_mmc: Fix issue with uninitialized dma_slave_config
i2c: s3c2410: fix IRQ check
i2c: iop3xx: fix deferred probing
Bluetooth: add timeout sanity check to hci_inquiry
usb: gadget: mv_u3d: request_irq() after initializing UDC
mac80211: Fix insufficient headroom issue for AMSDU
usb: phy: tahvo: add IRQ check
usb: host: ohci-tmio: add IRQ check
Bluetooth: Move shutdown callback before flushing tx and rx queue
usb: phy: twl6030: add IRQ checks
usb: phy: fsl-usb: add IRQ check
usb: gadget: udc: at91: add IRQ check
drm/msm/dsi: Fix some reference counted resource leaks
Bluetooth: fix repeated calls to sco_sock_kill
arm64: dts: exynos: correct GIC CPU interfaces address range on Exynos7
Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow
soc: qcom: smsm: Fix missed interrupts if state changes while masked
PCI: PM: Enable PME if it can be signaled from D3cold
PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently
media: em28xx-input: fix refcount bug in em28xx_usb_disconnect
i2c: highlander: add IRQ check
net: cipso: fix warnings in netlbl_cipsov4_add_std
tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos
Bluetooth: sco: prevent information leak in sco_conn_defer_accept()
media: go7007: remove redundant initialization
media: dvb-usb: fix uninit-value in vp702x_read_mac_addr
media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init
soc: rockchip: ROCKCHIP_GRF should not default to y, unconditionally
certs: Trigger creation of RSA module signing key if it's not an RSA key
crypto: qat - use proper type for vf_mask
clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel
spi: spi-pic32: Fix issue with uninitialized dma_slave_config
spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config
m68k: emu: Fix invalid free in nfeth_cleanup()
udf_get_extendedattr() had no boundary checks.
crypto: qat - do not export adf_iov_putmsg()
crypto: qat - fix naming for init/shutdown VF to PF notifications
crypto: qat - fix reuse of completion variable
crypto: qat - handle both source of interrupt in VF ISR
crypto: qat - do not ignore errors from enable_vf2pf_comms()
libata: fix ata_host_start()
s390/cio: add dev_busid sysfs entry for each subchannel
power: supply: max17042_battery: fix typo in MAx17042_TOFF
nvme-rdma: don't update queue count when failing to set io queues
isofs: joliet: Fix iocharset=utf8 mount option
udf: Check LVID earlier
crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop()
power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors
crypto: mxs-dcp - Check for DMA mapping errors
regmap: fix the offset of register error log
PCI: Call Max Payload Size-related fixup quirks early
x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions
usb: host: xhci-rcar: Don't reload firmware after the completion
Revert "btrfs: compression: don't try to compress if we don't have enough pages"
mm/page_alloc: speed up the iteration of max_order
net: ll_temac: Remove left-over debug message
powerpc/boot: Delete unneeded .globl _zimage_start
powerpc/module64: Fix comment in R_PPC64_ENTRY handling
crypto: talitos - reduce max key size for SEC1
mm/kmemleak.c: make cond_resched() rate-limiting more efficient
s390/disassembler: correct disassembly lines alignment
ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2)
ath10k: fix recent bandwidth conversion bug
f2fs: fix potential overflow
USB: serial: mos7720: improve OOM-handling in read_mos_reg()
igmp: Add ip_mc_list lock in ip_check_mc_rcu
media: stkwebcam: fix memory leak in stk_camera_probe
clk: fix build warning for orphan_list
ALSA: pcm: fix divide error in snd_pcm_lib_ioctl
ARM: 8918/2: only build return_address() if needed
cryptoloop: add a deprecation warning
perf/x86/amd/ibs: Work around erratum #1197
perf/x86/intel/pt: Fix mask of num_address_ranges
qede: Fix memset corruption
net: macb: Add a NULL check on desc_ptp
qed: Fix the VF msix vectors flow
xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG
ext4: fix race writing to an inline_data file while its xattrs are changing
Change-Id: I7165243ad48c1c66c9026321358efa3c019d9ecd
Signed-off-by: UtsavBalar1231 <utsavbalar1231@gmail.com>
Conflicts:
drivers/clk/clk.c
|
||
|
|
27fa88e383 |
net/af_unix: fix a data-race in unix_dgram_poll
commit 04f08eb44b5011493d77b602fdec29ff0f5c6cd5 upstream.
syzbot reported another data-race in af_unix [1]
Let's change __skb_insert() to use WRITE_ONCE() when changing skb head qlen.
Also, change unix_dgram_poll() to use lockless version of unix_recvq_full()
It is very possible we can switch all/most unix_recvq_full() to the lockless version, this will be done in a future kernel version.
[1] HEAD commit: 8596e589b787732c8346f0482919e83cc9362db1
BUG: KCSAN: data-race in skb_queue_tail / unix_dgram_poll
write to 0xffff88814eeb24e0 of 4 bytes by task 25815 on cpu 0:
__skb_insert include/linux/skbuff.h:1938 [inline]
__skb_queue_before include/linux/skbuff.h:2043 [inline]
__skb_queue_tail include/linux/skbuff.h:2076 [inline]
skb_queue_tail+0x80/0xa0 net/core/skbuff.c:3264
unix_dgram_sendmsg+0xff2/0x1600 net/unix/af_unix.c:1850
sock_sendmsg_nosec net/socket.c:703 [inline]
sock_sendmsg net/socket.c:723 [inline]
____sys_sendmsg+0x360/0x4d0 net/socket.c:2392
___sys_sendmsg net/socket.c:2446 [inline]
__sys_sendmmsg+0x315/0x4b0 net/socket.c:2532
__do_sys_sendmmsg net/socket.c:2561 [inline]
__se_sys_sendmmsg net/socket.c:2558 [inline]
__x64_sys_sendmmsg+0x53/0x60 net/socket.c:2558
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff88814eeb24e0 of 4 bytes by task 25834 on cpu 1:
skb_queue_len include/linux/skbuff.h:1869 [inline]
unix_recvq_full net/unix/af_unix.c:194 [inline]
unix_dgram_poll+0x2bc/0x3e0 net/unix/af_unix.c:2777
sock_poll+0x23e/0x260 net/socket.c:1288
vfs_poll include/linux/poll.h:90 [inline]
ep_item_poll fs/eventpoll.c:846 [inline]
ep_send_events fs/eventpoll.c:1683 [inline]
ep_poll fs/eventpoll.c:1798 [inline]
do_epoll_wait+0x6ad/0xf00 fs/eventpoll.c:2226
__do_sys_epoll_wait fs/eventpoll.c:2238 [inline]
__se_sys_epoll_wait fs/eventpoll.c:2233 [inline]
__x64_sys_epoll_wait+0xf6/0x120 fs/eventpoll.c:2233
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x3d/0x90 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0x0000001b -> 0x00000001
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 25834 Comm: syz-executor.1 Tainted: G W 5.14.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes: 86b18aaa2b5b ("skbuff: fix a data race in skb_queue_len()")
Cc: Qian Cai <cai@lca.pw>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
279d58885f |
Merge remote-tracking branch 'aosp/android-4.14-stable' into android11-base
* aosp/android-4.14-stable:
ANDROID: staging: ion: move buffer kmap from begin/end_cpu_access()
Linux 4.14.243
spi: mediatek: Fix fifo transfer
Revert "watchdog: iTCO_wdt: Account for rebooting on second timeout"
KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped()
KVM: do not allow mapping valid but non-reference-counted pages
KVM: do not assume PTE is writable after follow_pfn
Revert "Bluetooth: Shutdown controller after workqueues are flushed or cancelled"
net: Fix zero-copy head len calculation.
qed: fix possible unpaired spin_{un}lock_bh in _qed_mcp_cmd_and_union()
r8152: Fix potential PM refcount imbalance
regulator: rt5033: Fix n_voltages settings for BUCK and LDO
btrfs: mark compressed range uptodate only if all bio succeed
Linux 4.14.242
Revert "perf map: Fix dso->nsinfo refcounting"
can: hi311x: fix a signedness bug in hi3110_cmd()
sis900: Fix missing pci_disable_device() in probe and remove
tulip: windbond-840: Fix missing pci_disable_device() in probe and remove
sctp: fix return value check in __sctp_rcv_asconf_lookup
net/mlx5: Fix flow table chaining
net: llc: fix skb_over_panic
mlx4: Fix missing error code in mlx4_load_one()
tipc: fix sleeping in tipc accept routine
netfilter: nft_nat: allow to specify layer 4 protocol NAT only
netfilter: conntrack: adjust stop timestamp to real expiry value
cfg80211: Fix possible memory leak in function cfg80211_bss_update
x86/asm: Ensure asm/proto.h can be included stand-alone
nfc: nfcsim: fix use after free during module unload
NIU: fix incorrect error return, missed in previous revert
can: esd_usb2: fix memory leak
can: ems_usb: fix memory leak
can: usb_8dev: fix memory leak
can: mcba_usb_start(): add missing urb->transfer_dma initialization
can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
ocfs2: issue zeroout to EOF blocks
ocfs2: fix zero out valid data
x86/kvm: fix vcpu-id indexed array sizes
gro: ensure frag0 meets IP header alignment
virtio_net: Do not pull payload in skb->head
ARM: dts: versatile: Fix up interrupt controller node names
hfs: add lock nesting notation to hfs_find_init
hfs: fix high memory mapping in hfs_bnode_read
hfs: add missing clean-up in hfs_fill_super
sctp: move 198 addresses from unusable to private scope
net: annotate data race around sk_ll_usec
net/802/garp: fix memleak in garp_request_join()
net/802/mrp: fix memleak in mrp_request_join()
workqueue: fix UAF in pwq_unbound_release_workfn()
af_unix: fix garbage collect vs MSG_PEEK
net: split out functions related to registering inflight socket files
KVM: x86: determine if an exception has an error code only when injecting it.
selftest: fix build error in tools/testing/selftests/vm/userfaultfd.c
Conflicts:
drivers/staging/android/ion/ion.c
Change-Id: I02f44206b1899d8f2c0d984309a09a80bf6c4f06
Signed-off-by: UtsavBalar1231 <utsavbalar1231@gmail.com>
|
||
|
|
b2ac545efd |
gro: ensure frag0 meets IP header alignment
commit 38ec4944b593fd90c5ef42aaaa53e66ae5769d04 upstream.
After commit 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head")
Guenter Roeck reported one failure in his tests using sh architecture.
After much debugging, we have been able to spot silent unaligned accesses
in inet_gro_receive()
The issue at hand is that upper networking stacks assume their header
is word-aligned. Low level drivers are supposed to reserve NET_IP_ALIGN
bytes before the Ethernet header to make that happen.
This patch hardens skb_gro_reset_offset() to not allow frag0 fast-path
if the fragment is not properly aligned.
Some arches like x86, arm64 and powerpc do not care and define NET_IP_ALIGN
as 0, this extra check will be a NOP for them.
Note that if frag0 is not used, GRO will call pskb_may_pull()
as many times as needed to pull network and transport headers.
Fixes: 0f6925b3e8da ("virtio_net: Do not pull payload in skb->head")
Fixes:
|
||
|
|
b3f48eae32 |
Merge remote-tracking branch 'aosp/android-4.14-stable' into android11-base
* aosp/android-4.14-stable:
Linux 4.14.217
spi: cadence: cache reference clock rate during probe
net: ipv6: Validate GSO SKB before finish IPv6 processing
net: skbuff: disambiguate argument and member for skb_list_walk_safe helper
net: introduce skb_list_walk_safe for skb segment walking
net: use skb_list_del_init() to remove from RX sublists
tipc: fix NULL deref in tipc_link_xmit()
rxrpc: Fix handling of an unsupported token type in rxrpc_read()
net: avoid 32 x truesize under-estimation for tiny skbs
net: sit: unregister_netdevice on newlink's error path
net: stmmac: Fixed mtu channged by cache aligned
net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
net: dcb: Validate netlink message in DCB handler
esp: avoid unneeded kmap_atomic call
rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request
netxen_nic: fix MSI/MSI-x interrupts
nfsd4: readdirplus shouldn't return parent of export
usb: ohci: Make distrust_firmware param default to false
netfilter: conntrack: fix reading nf_conntrack_buckets
ALSA: fireface: Fix integer overflow in transmit_midi_msg()
ALSA: firewire-tascam: Fix integer overflow in midi_port_work()
dm: eliminate potential source of excessive kernel log noise
net: sunrpc: interpret the return value of kstrtou32 correctly
mm, slub: consider rest of partial list if acquire_slab() fails
RDMA/usnic: Fix memleak in find_free_vf_and_create_qp_grp
ext4: fix superblock checksum failure when setting password salt
NFS: nfs_igrab_and_active must first reference the superblock
pNFS: Mark layout for return if return-on-close was not sent
NFS4: Fix use-after-free in trace_event_raw_event_nfs4_set_lock
ASoC: Intel: fix error code cnl_set_dsp_D0()
dump_common_audit_data(): fix racy accesses to ->d_name
ARM: picoxcell: fix missing interrupt-parent properties
ACPI: scan: add stub acpi_create_platform_device() for !CONFIG_ACPI
net: ethernet: fs_enet: Add missing MODULE_LICENSE
misdn: dsp: select CONFIG_BITREVERSE
arch/arc: add copy_user_page() to <asm/page.h> to fix build error on ARC
ethernet: ucc_geth: fix definition and size of ucc_geth_tx_global_pram
btrfs: fix transaction leak and crash after RO remount caused by qgroup rescan
ARC: build: add boot_targets to PHONY
ARC: build: add uImage.lzma to the top-level target
ARC: build: remove non-existing bootpImage from KBUILD_IMAGE
ext4: fix bug for rename with RENAME_WHITEOUT
r8152: Add Lenovo Powered USB-C Travel Hub
dm snapshot: flush merged data before committing metadata
mm/hugetlb: fix potential missing huge page size info
ACPI: scan: Harden acpi_device_add() against device ID overflows
MIPS: relocatable: fix possible boot hangup with KASLR enabled
MIPS: boot: Fix unaligned access with CONFIG_MIPS_RAW_APPENDED_DTB
ASoC: dapm: remove widget from dirty list on free
Change-Id: Ibb9985a52c3762303dbaa9b45decfd8d817db673
Signed-off-by: UtsavBalar1231 <utsavbalar1231@gmail.com>
|
||
|
|
b26893e51f |
net: skbuff: disambiguate argument and member for skb_list_walk_safe helper
commit 5eee7bd7e245914e4e050c413dfe864e31805207 upstream.
This worked before, because we made all callers name their next pointer "next". But in trying to be more "drop-in" ready, the silliness here is revealed. This commit fixes the problem by making the macro argument and the member use different names.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
566966019e |
net: introduce skb_list_walk_safe for skb segment walking
commit dcfea72e79b0aa7a057c8f6024169d86a1bbc84b upstream.
As part of the continual effort to remove direct usage of skb->next and
skb->prev, this patch adds a helper for iterating through the
singly-linked variant of skb lists, which are used for lists of GSO
packets. The name "skb_list_..." has been chosen to match the existing
function, "kfree_skb_list", which also operates on these singly-linked
lists, and the "..._walk_safe" part is the same idiom as elsewhere in
the kernel.
This patch removes the helper from wireguard and puts it into
linux/skbuff.h, while making it a bit more robust for general usage. In
particular, parentheses are added around the macro argument usage, and it
now accounts for trying to iterate through an already-null skb pointer,
which will simply run the iteration zero times. This latter enhancement
means it can be used to replace both do { ... } while and while (...)
open-coded idioms.
This should take care of these three possible usages, which match all
current methods of iterations.
skb_list_walk_safe(segs, skb, next) { ... }
skb_list_walk_safe(skb, skb, next) { ... }
skb_list_walk_safe(segs, skb, segs) { ... }
Gcc appears to generate efficient code for each of these.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ Just the skbuff.h changes for backporting - gregkh]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
5440233ac4 |
net: use skb_list_del_init() to remove from RX sublists
[ Upstream commit 22f6bbb7bcfcef0b373b0502a7ff390275c575dd ]
list_del() leaves the skb->next pointer poisoned, which can then lead to
a crash in e.g. OVS forwarding. For example, setting up an OVS VXLAN
forwarding bridge on sfc as per:
========
$ ovs-vsctl show
5dfd9c47-f04b-4aaa-aa96-4fbb0a522a30
Bridge "br0"
Port "br0"
Interface "br0"
type: internal
Port "enp6s0f0"
Interface "enp6s0f0"
Port "vxlan0"
Interface "vxlan0"
type: vxlan
options: {key="1", local_ip="10.0.0.5", remote_ip="10.0.0.4"}
ovs_version: "2.5.0"
========
(where 10.0.0.5 is an address on enp6s0f1)
and sending traffic across it will lead to the following panic:
========
general protection fault: 0000 [#1] SMP PTI
CPU: 5 PID: 0 Comm: swapper/5 Not tainted 4.20.0-rc3-ehc+ #701
Hardware name: Dell Inc. PowerEdge R710/0M233H, BIOS 6.4.0 07/23/2013
RIP: 0010:dev_hard_start_xmit+0x38/0x200
Code: 53 48 89 fb 48 83 ec 20 48 85 ff 48 89 54 24 08 48 89 4c 24 18 0f 84 ab 01 00 00 48 8d 86 90 00 00 00 48 89 f5 48 89 44 24 10 <4c> 8b 33 48 c7 03 00 00 00 00 48 8b 05 c7 d1 b3 00 4d 85 f6 0f 95
RSP: 0018:ffff888627b437e0 EFLAGS: 00010202
RAX: 0000000000000000 RBX: dead000000000100 RCX: ffff88862279c000
RDX: ffff888614a342c0 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffff888618a88000 R08: 0000000000000001 R09: 00000000000003e8
R10: 0000000000000000 R11: ffff888614a34140 R12: 0000000000000000
R13: 0000000000000062 R14: dead000000000100 R15: ffff888616430000
FS: 0000000000000000(0000) GS:ffff888627b40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f6d2bc6d000 CR3: 000000000200a000 CR4: 00000000000006e0
Call Trace:
<IRQ>
__dev_queue_xmit+0x623/0x870
? masked_flow_lookup+0xf7/0x220 [openvswitch]
? ep_poll_callback+0x101/0x310
do_execute_actions+0xaba/0xaf0 [openvswitch]
? __wake_up_common+0x8a/0x150
? __wake_up_common_lock+0x87/0xc0
? queue_userspace_packet+0x31c/0x5b0 [openvswitch]
ovs_execute_actions+0x47/0x120 [openvswitch]
ovs_dp_process_packet+0x7d/0x110 [openvswitch]
ovs_vport_receive+0x6e/0xd0 [openvswitch]
? dst_alloc+0x64/0x90
? rt_dst_alloc+0x50/0xd0
? ip_route_input_slow+0x19a/0x9a0
? __udp_enqueue_schedule_skb+0x198/0x1b0
? __udp4_lib_rcv+0x856/0xa30
? __udp4_lib_rcv+0x856/0xa30
? cpumask_next_and+0x19/0x20
? find_busiest_group+0x12d/0xcd0
netdev_frame_hook+0xce/0x150 [openvswitch]
__netif_receive_skb_core+0x205/0xae0
__netif_receive_skb_list_core+0x11e/0x220
netif_receive_skb_list+0x203/0x460
? __efx_rx_packet+0x335/0x5e0 [sfc]
efx_poll+0x182/0x320 [sfc]
net_rx_action+0x294/0x3c0
__do_softirq+0xca/0x297
irq_exit+0xa6/0xb0
do_IRQ+0x54/0xd0
common_interrupt+0xf/0xf
</IRQ>
========
So, in all listified-receive handling, instead pull skbs off the lists with
skb_list_del_init().
Fixes: 9af86f933894 ("net: core: fix use-after-free in __netif_receive_skb_list_core")
Fixes: 7da517a3bc52 ("net: core: Another step of skb receive list processing")
Fixes: a4ca8b7df73c ("net: ipv4: fix drop handling in ip_list_rcv() and ip_list_rcv_finish()")
Fixes: d8269e2cbf90 ("net: ipv6: listify ipv6_rcv() and ip6_rcv_finish()")
Signed-off-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[ for 4.14.y and older, just take the skbuff.h change - gregkh ]
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
b9641f1aea |
Merge android-4.14-stable.200 (c1013a4) into msm-4.14
* refs/heads/tmp-c1013a4:
Linux 4.14.200
ata: sata_mv, avoid trigerrable BUG_ON
ata: make qc_prep return ata_completion_errors
ata: define AC_ERR_OK
lib/string.c: implement stpcpy
mm, THP, swap: fix allocating cluster for swapfile by mistake
kprobes: Fix to check probe enabled before disarm_kprobe_ftrace()
s390/dasd: Fix zero write for FBA devices
MIPS: Add the missing 'CPU_1074K' into __get_cpu_type()
ALSA: asihpi: fix iounmap in error handler
batman-adv: mcast: fix duplicate mcast packets in BLA backbone from mesh
batman-adv: Add missing include for in_interrupt()
net: qed: RDMA personality shouldn't fail VF load
drm/vc4/vc4_hdmi: fill ASoC card owner
mac802154: tx: fix use-after-free
batman-adv: mcast/TT: fix wrongly dropped or rerouted packets
atm: eni: fix the missed pci_disable_device() for eni_init_one()
batman-adv: bla: fix type misuse for backbone_gw hash indexing
mwifiex: Increase AES key storage size to 256 bits
clocksource/drivers/h8300_timer8: Fix wrong return value in h8300_8timer_init()
ieee802154/adf7242: check status of adf7242_read_reg
ieee802154: fix one possible memleak in ca8210_dev_com_init
objtool: Fix noreturn detection for ignored functions
i2c: core: Call i2c_acpi_install_space_handler() before i2c_acpi_register_devices()
s390/init: add missing __init annotations
btrfs: qgroup: fix data leak caused by race between writeback and truncate
vfio/pci: fix racy on error and request eventfd ctx
selftests/x86/syscall_nt: Clear weird flags after each test
scsi: libfc: Skip additional kref updating work event
scsi: libfc: Handling of extra kref
cifs: Fix double add page to memcg when cifs_readpages
vfio/pci: Clear error and request eventfd ctx after releasing
x86/speculation/mds: Mark mds_user_clear_cpu_buffers() __always_inline
mtd: parser: cmdline: Support MTD names containing one or more colons
rapidio: avoid data race between file operation callbacks and mport_cdev_add().
mm/swap_state: fix a data race in swapin_nr_pages
ceph: fix potential race in ceph_check_caps
mtd: rawnand: omap_elm: Fix runtime PM imbalance on error
perf kcore_copy: Fix module map when there are no modules loaded
perf util: Fix memory leak of prefix_if_not_in
vfio/pci: fix memory leaks of eventfd ctx
btrfs: don't force read-only after error in drop snapshot
usb: dwc3: Increase timeout for CmdAct cleared by device controller
printk: handle blank console arguments passed in.
drm/nouveau/debugfs: fix runtime pm imbalance on error
e1000: Do not perform reset in reset_task if we are already down
arm64/cpufeature: Drop TraceFilt feature exposure from ID_DFR0 register
USB: EHCI: ehci-mv: fix less than zero comparison of an unsigned int
fuse: don't check refcount after stealing page
powerpc/traps: Make unrecoverable NMIs die instead of panic
ALSA: hda: Fix potential race in unsol event handler
tty: serial: samsung: Correct clock selection logic
USB: EHCI: ehci-mv: fix error handling in mv_ehci_probe()
Bluetooth: Handle Inquiry Cancel error after Inquiry Complete
phy: samsung: s5pv210-usb2: Add delay after reset
power: supply: max17040: Correct voltage reading
atm: fix a memory leak of vcc->user_back
dt-bindings: sound: wm8994: Correct required supplies based on actual implementaion
arm64: cpufeature: Relax checks for AArch32 support at EL[0-2]
sparc64: vcc: Fix error return code in vcc_probe()
staging:r8188eu: avoid skb_clone for amsdu to msdu conversion
drivers: char: tlclk.c: Avoid data race between init and interrupt handler
bdev: Reduce time holding bd_mutex in sync in blkdev_close()
KVM: Remove CREATE_IRQCHIP/SET_PIT2 race
serial: uartps: Wait for tx_empty in console setup
scsi: qedi: Fix termination timeouts in session logout
mm/mmap.c: initialize align_offset explicitly for vm_unmapped_area
mm/vmscan.c: fix data races using kswapd_classzone_idx
mm/filemap.c: clear page error before actual read
mm/kmemleak.c: use address-of operator on section symbols
NFS: Fix races nfs_page_group_destroy() vs nfs_destroy_unlinked_subrequests()
ALSA: usb-audio: Fix case when USB MIDI interface has more than one extra endpoint descriptor
ubifs: Fix out-of-bounds memory access caused by abnormal value of node_len
svcrdma: Fix leak of transport addresses
SUNRPC: Fix a potential buffer overflow in 'svc_print_xprts()'
RDMA/rxe: Set sys_image_guid to be aligned with HW IB devices
tools: gpio-hammer: Avoid potential overflow in main
cpufreq: powernv: Fix frame-size-overflow in powernv_cpufreq_work_fn
perf cpumap: Fix snprintf overflow check
serial: 8250: 8250_omap: Terminate DMA before pushing data on RX timeout
serial: 8250_omap: Fix sleeping function called from invalid context during probe
serial: 8250_port: Don't service RX FIFO if throttled
tracing: Use address-of operator on section symbols
rtc: ds1374: fix possible race condition
tpm: ibmvtpm: Wait for buffer to be set before proceeding
xfs: don't ever return a stale pointer from __xfs_dir3_free_read
media: tda10071: fix unsigned sign extension overflow
Bluetooth: L2CAP: handle l2cap config request during open state
scsi: aacraid: Disabling TM path and only processing IOP reset
ath10k: use kzalloc to read for ath10k_sdio_hif_diag_read
drm/amdgpu: increase atombios cmd timeout
mm: avoid data corruption on CoW fault into PFN-mapped VMA
ext4: fix a data race at inode->i_disksize
timekeeping: Prevent 32bit truncation in scale64_check_overflow()
Bluetooth: guard against controllers sending zero'd events
media: go7007: Fix URB type for interrupt handling
dmaengine: tegra-apb: Prevent race conditions on channel's freeing
bpf: Remove recursion prevention from rcu free callback
x86/pkeys: Add check for pkey "overflow"
media: staging/imx: Missing assignment in imx_media_capture_device_register()
KVM: x86: fix incorrect comparison in trace event
RDMA/rxe: Fix configuration of atomic queue pair attributes
perf test: Fix test trace+probe_vfs_getname.sh on s390
drm/omap: fix possible object reference
leak scsi: lpfc: Fix coverity errors in fmdi attribute handling scsi: lpfc: Fix RQ buffer leakage when no IOCBs available selinux: sel_avc_get_stat_idx should increase position index audit: CONFIG_CHANGE don't log internal bookkeeping as an event skbuff: fix a data race in skb_queue_len() ALSA: hda: Clear RIRB status before reading WP KVM: fix overflow of zero page refcount with ksm running Bluetooth: prefetch channel before killing sock mm: pagewalk: fix termination condition in walk_pte_range() Bluetooth: Fix refcount use-after-free issue tools/power/x86/intel_pstate_tracer: changes for python 3 compatibility selftests/ftrace: fix glob selftest ar5523: Add USB ID of SMCWUSBT-G2 wireless adapter tracing: Set kernel_stack's caller size properly powerpc/eeh: Only dump stack once if an MMIO loop is detected dmaengine: zynqmp_dma: fix burst length configuration ACPI: EC: Reference count query handlers under lock media: ti-vpe: cal: Restrict DMA to avoid memory corruption seqlock: Require WRITE_ONCE surrounding raw_seqcount_barrier rt_cpu_seq_next should increase position index neigh_stat_seq_next() should increase position index kernel/sys.c: avoid copying possible padding bytes in copy_to_user CIFS: Properly process SMB3 lease breaks debugfs: Fix !DEBUG_FS debugfs_create_automount gfs2: clean up iopen glock mess in gfs2_create_inode mmc: core: Fix size overflow for mmc partitions RDMA/iw_cgxb4: Fix an error handling path in 'c4iw_connect()' xfs: fix attr leaf header freemap.size underflow RDMA/i40iw: Fix potential use after free bcache: fix a lost wake-up problem caused by mca_cannibalize_lock tracing: Adding NULL checks for trace_array descriptor pointer mfd: mfd-core: Protect against NULL call-back function pointer mtd: cfi_cmdset_0002: don't free cfi->cfiq in error path of cfi_amdstd_setup() clk/ti/adpll: allocate room for terminating null scsi: fnic: fix use after free PM / devfreq: tegra30: Fix integer overflow on CPU's freq max out ALSA: hda/realtek - Couldn't 
detect Mic if booting with headset plugged ALSA: usb-audio: Add delay quirk for H570e USB headsets x86/ioapic: Unbreak check_timer() arch/x86/lib/usercopy_64.c: fix __copy_user_flushcache() cache writeback media: smiapp: Fix error handling at NVM reading ASoC: kirkwood: fix IRQ error handling gma/gma500: fix a memory disclosure bug due to uninitialized bytes m68k: q40: Fix info-leak in rtc_ioctl scsi: aacraid: fix illegal IO beyond last LBA mm: fix double page fault on arm64 if PTE_AF is cleared serial: 8250: Avoid error message on reprobe geneve: add transport ports in route lookup for geneve ipv4: Update exception handling for multipath routes via same device net: add __must_check to skb_put_padto() net: phy: Avoid NPD upon phy_detach() when driver is unbound bnxt_en: Protect bnxt_set_eee() and bnxt_set_pauseparam() with mutex. tipc: use skb_unshare() instead in tipc_buf_append() tipc: fix shutdown() of connection oriented socket net: ipv6: fix kconfig dependency warning for IPV6_SEG6_HMAC ip: fix tos reflection in ack and reset packets hdlc_ppp: add range checks in ppp_cp_parse_cr() RDMA/ucma: ucma_context reference leak in error path mm/thp: fix __split_huge_pmd_locked() for migration PMD kprobes: fix kill kprobe which has been marked as gone KVM: fix memory leak in kvm_io_bus_unregister_dev() phy: qcom-qmp: Use correct values for ipq8074 PCIe Gen2 PHY init af_key: pfkey_dump needs parameter validation ANDROID: Fix 64/32 compat issue with virtio_gpu_resource_create_blob ANDROID: Delete goldfish build configs and defconfigs Linux 4.14.199 x86/defconfig: Enable CONFIG_USB_XHCI_HCD=y powerpc/dma: Fix dma_map_ops::get_required_mask ehci-hcd: Move include to keep CRC stable serial: 8250_pci: Add Realtek 816a and 816b Input: i8042 - add Entroware Proteus EL07R4 to nomux and reset lists Input: trackpoint - add new trackpoint variant IDs percpu: fix first chunk size calculation for populated bitmap i2c: i801: Fix resume bug usblp: fix race between disconnect() and 
read() USB: UAS: fix disconnect by unplugging a hub USB: quirks: Add USB_QUIRK_IGNORE_REMOTE_WAKEUP quirk for BYD zhaoxin notebook drm/mediatek: Add missing put_device() call in mtk_hdmi_dt_parse_pdata() drm/mediatek: Add exception handing in mtk_drm_probe() if component init fail MIPS: SNI: Fix spurious interrupts fbcon: Fix user font detection test at fbcon_resize(). perf test: Free formats for perf pmu parse test MIPS: SNI: Fix MIPS_L1_CACHE_SHIFT Drivers: hv: vmbus: Add timeout to vmbus_wait_for_unload clk: rockchip: Fix initialization of mux_pll_src_4plls_p KVM: MIPS: Change the definition of kvm type spi: Fix memory leak on splited transfers i2c: algo: pca: Reapply i2c bus settings after reset f2fs: fix indefinite loop scanning for free nid nvme-fc: cancel async events before freeing event struct rapidio: Replace 'select' DMAENGINES 'with depends on' SUNRPC: stop printk reading past end of string spi: spi-loopback-test: Fix out-of-bounds read scsi: lpfc: Fix FLOGI/PLOGI receive race condition in pt2pt discovery scsi: libfc: Fix for double free() scsi: pm8001: Fix memleak in pm8001_exec_internal_task_abort NFSv4.1 handle ERR_DELAY error reclaiming locking state on delegation recall hv_netvsc: Remove "unlikely" from netvsc_select_queue net: handle the return value of pskb_carve_frag_list() correctly gfs2: initialize transaction tr_ailX_lists earlier gcov: add support for GCC 10.1 usb: typec: ucsi: acpi: Check the _DEP dependencies usb: Fix out of sync data toggle if a configured device is reconfigured USB: serial: option: add support for SIM7070/SIM7080/SIM7090 modules USB: serial: option: support dynamic Quectel USB compositions USB: serial: ftdi_sio: add IDs for Xsens Mti USB converter usb: core: fix slab-out-of-bounds Read in read_descriptors staging: greybus: audio: fix uninitialized value issue video: fbdev: fix OOB read in vga_8planes_imageblit() ARM: dts: vfxxx: Add syscon compatible with OCOTP KVM: VMX: Don't freeze guest when event delivery causes an 
APIC-access exit vgacon: remove software scrollback support fbcon: remove now unusued 'softback_lines' cursor() argument fbcon: remove soft scrollback code RDMA/rxe: Fix the parent sysfs read when the interface has 15 chars rbd: require global CAP_SYS_ADMIN for mapping and unmapping scsi: target: iscsi: Fix hang in iscsit_access_np() when getting tpg->np_login_sem scsi: target: iscsi: Fix data digest calculation regulator: push allocation in set_consumer_device_supply() out of lock btrfs: fix wrong address when faulting in pages in the search ioctl btrfs: fix lockdep splat in add_missing_dev btrfs: require only sector size alignment for parent eb bytenr staging: wlan-ng: fix out of bounds read in prism2sta_probe_usb() iio:accel:mma8452: Fix timestamp alignment and prevent data leak. iio:accel:mma7455: Fix timestamp alignment and prevent data leak. iio: accel: kxsd9: Fix alignment of local buffer. iio:chemical:ccs811: Fix timestamp alignment and prevent data leak. iio:light:max44000 Fix timestamp alignment and prevent data leak. iio:magnetometer:ak8975 Fix alignment and data leak issues. iio:adc:ti-adc081c Fix alignment and data leak issues iio:adc:max1118 Fix alignment of timestamp and data leak issues iio:adc:ina2xx Fix timestamp alignment issue. iio:adc:ti-adc084s021 Fix alignment and data leak issues. iio:accel:bmc150-accel: Fix timestamp alignment and prevent data leak. iio:light:ltr501 Fix timestamp alignment issue. 
iio: adc: ti-ads1015: fix conversion when CONFIG_PM is not set iio: adc: mcp3422: fix locking on error path iio: adc: mcp3422: fix locking scope gcov: Disable gcov build with GCC 10 ALSA: hda: fix a runtime pm issue in SOF when integrated GPU is disabled cpufreq: intel_pstate: Refuse to turn off with HWP enabled ARC: [plat-hsdk]: Switch ethernet phy-mode to rgmii-id drivers/net/wan/hdlc_cisco: Add hard_header_len irqchip/eznps: Fix build error for !ARC700 builds xfs: initialize the shortform attr header padding entry drivers/net/wan/lapbether: Set network_header before transmitting ALSA: hda: Fix 2 channel swapping for Tegra firestream: Fix memleak in fs_open NFC: st95hf: Fix memleak in st95hf_in_send_cmd drivers/net/wan/lapbether: Added needed_tailroom dmaengine: acpi: Put the CSRT table after using it ARC: HSDK: wireup perf irq arm64: dts: ns2: Fixed QSPI compatible string ARM: dts: BCM5301X: Fixed QSPI compatible string mmc: sdhci-msm: Add retries when all tuning phases are found valid RDMA/core: Fix reported speed and width scsi: libsas: Set data_dir as DMA_NONE if libata marks qc as NODATA RDMA/rxe: Drop pointless checks in rxe_init_ports RDMA/rxe: Fix memleak in rxe_mem_init_user ARM: dts: socfpga: fix register entry for timer3 on Arria10 ANDROID: Add INIT_STACK_ALL_ZERO to the list of Clang-specific options Conflicts: arch/arm/configs/ranchu_defconfig arch/arm64/configs/ranchu64_defconfig arch/x86/configs/i386_ranchu_defconfig arch/x86/configs/x86_64_ranchu_defconfig drivers/mmc/host/sdhci-msm.c drivers/usb/dwc3/gadget.c mm/memory.c Change-Id: I7ec205f8d58125c2d2dcab7bfe944f5cf36b4bc9 Signed-off-by: Srinivasarao P <spathi@codeaurora.org> |
||
|
|
a4c3614955 |
skbuff: fix a data race in skb_queue_len()
[ Upstream commit 86b18aaa2b5b5bb48e609cd591b3d2d0fdbe0442 ]
sk_buff.qlen can be accessed concurrently as noticed by KCSAN,
BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_dgram_sendmsg
read to 0xffff8a1b1d8a81c0 of 4 bytes by task 5371 on cpu 96:
unix_dgram_sendmsg+0x9a9/0xb70 include/linux/skbuff.h:1821
net/unix/af_unix.c:1761
____sys_sendmsg+0x33e/0x370
___sys_sendmsg+0xa6/0xf0
__sys_sendmsg+0x69/0xf0
__x64_sys_sendmsg+0x51/0x70
do_syscall_64+0x91/0xb47
entry_SYSCALL_64_after_hwframe+0x49/0xbe
write to 0xffff8a1b1d8a81c0 of 4 bytes by task 1 on cpu 99:
__skb_try_recv_from_queue+0x327/0x410 include/linux/skbuff.h:2029
__skb_try_recv_datagram+0xbe/0x220
unix_dgram_recvmsg+0xee/0x850
____sys_recvmsg+0x1fb/0x210
___sys_recvmsg+0xa2/0xf0
__sys_recvmsg+0x66/0xf0
__x64_sys_recvmsg+0x51/0x70
do_syscall_64+0x91/0xb47
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Since only the read is operating as lockless, it could introduce a logic
bug in unix_recvq_full() due to the load tearing. Fix it by adding
a lockless variant of skb_queue_len() and unix_recvq_full() where
READ_ONCE() is on the read while WRITE_ONCE() is on the write similar to
the commit d7d16a89350a ("net: add skb_queue_empty_lockless()").
Signed-off-by: Qian Cai <cai@lca.pw>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
81a3830634 |
net: add __must_check to skb_put_padto()
[ Upstream commit 4a009cb04aeca0de60b73f37b102573354214b52 ]
skb_put_padto() and __skb_put_padto() callers must check return values
or risk use-after-free.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
89c9d6d8aa |
Merge android-4.14.162 (c2bd4f8) into msm-4.14
* refs/heads/tmp-c2bd4f8: Linux 4.14.162 spi: fsl: use platform_get_irq() instead of of_irq_to_resource() gtp: avoid zero size hashtable gtp: fix an use-after-free in ipv4_pdp_find() gtp: fix wrong condition in gtp_genl_dump_pdp() tcp: do not send empty skb from tcp_write_xmit() tcp/dccp: fix possible race __inet_lookup_established() gtp: do not allow adding duplicate tid and ms_addr pdp context sit: do not confirm neighbor when do pmtu update vti: do not confirm neighbor when do pmtu update tunnel: do not confirm neighbor when do pmtu update net/dst: add new function skb_dst_update_pmtu_no_confirm gtp: do not confirm neighbor when do pmtu update ip6_gre: do not confirm neighbor when do pmtu update net: add bool confirm_neigh parameter for dst_ops.update_pmtu vhost/vsock: accept only packets with the right dst_cid udp: fix integer overflow while computing available space in sk_rcvbuf ptp: fix the race between the release of ptp_clock and cdev net/mlxfw: Fix out-of-memory error in mfa2 flash burning net: ena: fix napi handler misbehavior when the napi budget is zero pinctrl: baytrail: Really serialize all register accesses tty/serial: atmel: fix out of range clock divider handling spi: fsl: don't map irq during probe hrtimer: Annotate lockless access to timer->state net: icmp: fix data-race in cmp_global_allow() net: add a READ_ONCE() in skb_peek_tail() inetpeer: fix data-race in inet_putpeer / inet_putpeer netfilter: bridge: make sure to pull arp header in br_nf_forward_arp() 6pack,mkiss: fix possible deadlock netfilter: ebtables: compat: reject all padding in matches/watchers filldir[64]: remove WARN_ON_ONCE() for bad directory entries Make filldir[64]() verify the directory entry filename is valid perf strbuf: Remove redundant va_end() in strbuf_addv() bonding: fix active-backup transition after link failure ALSA: hda - Downgrade error message for single-cmd fallback netfilter: nf_queue: enqueue skbs with NULL dst net, sysctl: Fix compiler warning when only cBPF 
is present x86/mce: Fix possibly incorrect severity calculation on AMD userfaultfd: require CAP_SYS_PTRACE for UFFD_FEATURE_EVENT_FORK kernel: sysctl: make drop_caches write-only ocfs2: fix passing zero to 'PTR_ERR' warning s390/cpum_sf: Check for SDBT and SDB consistency libfdt: define INT32_MAX and UINT32_MAX in libfdt_env.h s390/zcrypt: handle new reply code FILTERED_BY_HYPERVISOR perf regs: Make perf_reg_name() return "unknown" instead of NULL perf script: Fix brstackinsn for AUXTRACE cdrom: respect device capabilities during opening action scripts/kallsyms: fix definitely-lost memory leak apparmor: fix unsigned len comparison with less than zero gpio: mpc8xxx: Don't overwrite default irq_set_type callback scsi: target: iscsi: Wait for all commands to finish before freeing a session scsi: iscsi: Don't send data to unbound connection scsi: NCR5380: Add disconnect_mask module parameter scsi: scsi_debug: num_tgts must be >= 0 scsi: ufs: Fix error handing during hibern8 enter scsi: pm80xx: Fix for SATA device discovery HID: Improve Windows Precision Touchpad detection. 
libnvdimm/btt: fix variable 'rc' set but not used HID: logitech-hidpp: Silence intermittent get_battery_capacity errors bcache: at least try to shrink 1 node in bch_mca_scan() clk: pxa: fix one of the pxa RTC clocks scsi: atari_scsi: sun3_scsi: Set sg_tablesize to 1 instead of SG_NONE powerpc/security: Fix wrong message when RFI Flush is disable powerpc/pseries/cmm: Implement release() function for sysfs device scsi: ufs: fix potential bug which ends in system hang scsi: lpfc: fix: Coverity: lpfc_cmpl_els_rsp(): Null pointer dereferences fs/quota: handle overflows of sysctl fs.quota.* and report as unsigned long irqchip: ingenic: Error out if IRQ domain creation failed irqchip/irq-bcm7038-l1: Enable parent IRQ if necessary clk: qcom: Allow constant ratio freq tables for rcg f2fs: fix to update dir's i_pino during cross_rename scsi: lpfc: Fix duplicate unreg_rpi error in port offline flow scsi: tracing: Fix handling of TRANSFER LENGTH == 0 for READ(6) and WRITE(6) jbd2: Fix statistics for the number of logged blocks ext4: update direct I/O read lock pattern for IOCB_NOWAIT powerpc/book3s64/hash: Add cond_resched to avoid soft lockup warning powerpc/security/book3s64: Report L1TF status in sysfs clocksource/drivers/asm9260: Add a check for of_clk_get dma-debug: add a schedule point in debug_dma_dump_mappings() powerpc/tools: Don't quote $objdump in scripts powerpc/pseries: Don't fail hash page table insert for bolted mapping powerpc/pseries: Mark accumulate_stolen_time() as notrace scsi: csiostor: Don't enable IRQs too early scsi: lpfc: Fix SLI3 hba in loop mode not discovering devices scsi: target: compare full CHAP_A Algorithm strings iommu/tegra-smmu: Fix page tables in > 4 GiB memory Input: atmel_mxt_ts - disable IRQ across suspend scsi: lpfc: Fix locking on mailbox command completion scsi: mpt3sas: Fix clear pending bit in ioctl status scsi: lpfc: Fix discovery failures when target device connectivity bounces ANDROID: serdev: Fix platform device support 
Conflicts:
drivers/scsi/ufs/ufshcd.c
kernel/time/hrtimer.c
Discarded commit 'kernel: sysctl: make drop_caches write-only' due to vts regression.
Change-Id: Ieabdc1178e170d30672e233f43139bb97af9bf80
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
||
|
|
524ff247af |
Merge android-4.14-q.153 (56ab794) into msm-4.14
* refs/heads/tmp-56ab794: Linux 4.14.153 selftests/powerpc: Fix compile error on tlbie_test due to newer gcc selftests/powerpc: Add test case for tlbie vs mtpidr ordering issue powerpc/mm: Fixup tlbie vs mtpidr/mtlpidr ordering issue on POWER9 powerpc/book3s64/radix: Rename CPU_FTR_P9_TLBIE_BUG feature flag powerpc/book3s64/mm: Don't do tlbie fixup for some hardware revisions powerpc/mm: Fixup tlbie vs store ordering issue on POWER9 iio: adc: stm32-adc: fix a race when using several adcs with dma and irq iio: adc: stm32-adc: move registers definitions platform/x86: pmc_atom: Add Siemens SIMATIC IPC227E to critclk_systems DMI table kbuild: add -fcf-protection=none when using retpoline flags kbuild: use -fmacro-prefix-map to make __FILE__ a relative path sched/wake_q: Fix wakeup ordering for wake_q dmaengine: qcom: bam_dma: Fix resource leak net/flow_dissector: switch to siphash inet: stop leaking jiffies on the wire erspan: fix the tun_info options_len check for erspan vxlan: check tun_info options_len properly net: use skb_queue_empty_lockless() in busy poll contexts net: use skb_queue_empty_lockless() in poll() handlers udp: use skb_queue_empty_lockless() net: add skb_queue_empty_lockless() net: bcmgenet: reset 40nm EPHY on energy detect net: dsa: fix switch tree list r8152: add device id for Lenovo ThinkPad USB-C Dock Gen 2 net: usb: lan78xx: Connect PHY before registering MAC net: dsa: b53: Do not clear existing mirrored port mask net/mlx5e: Fix handling of compressed CQEs in case of low NAPI budget net: add READ_ONCE() annotation in __skb_wait_for_more_packets() udp: fix data-race in udp_set_dev_scratch() selftests: net: reuseport_dualstack: fix uninitalized parameter net: Zeroing the structure ethtool_wolinfo in ethtool_get_wol() net/mlx4_core: Dynamically set guaranteed amount of counters per VF net: hisilicon: Fix ping latency when deal with high throughput net: fix sk_page_frag() recursion from memory reclaim net: ethernet: ftgmac100: Fix DMA coherency 
issue with SW checksum net: dsa: bcm_sf2: Fix IMP setup for port different than 8 net: annotate lockless accesses to sk->sk_napi_id net: annotate accesses to sk->sk_incoming_cpu dccp: do not leak jiffies on the wire cxgb4: fix panic when attaching to ULD fail nbd: handle racing with error'ed out commands cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs i2c: stm32f7: remove warning when compiling with W=1 MIPS: bmips: mark exception vectors as char arrays of: unittest: fix memory leak in unittest_data_add ARM: 8926/1: v7m: remove register save to stack before svc scsi: target: core: Do not overwrite CDB byte 1 ARM: davinci: dm365: Fix McBSP dma_slave_map entry perf kmem: Fix memory leak in compact_gfp_flags() perf c2c: Fix memory leak in build_cl_output() ARM: dts: imx7s: Correct GPT's ipg clock source scsi: fix kconfig dependency warning related to 53C700_LE_ON_BE scsi: sni_53c710: fix compilation error scsi: scsi_dh_alua: handle RTPG sense code correctly during state transitions ARM: mm: fix alignment handler faults under memory pressure pinctrl: ns2: Fix off by one bugs in ns2_pinmux_enable() ARM: dts: logicpd-torpedo-som: Remove twl_keypad ASoc: rockchip: i2s: Fix RPM imbalance ASoC: wm_adsp: Don't generate kcontrols without READ flags regulator: pfuze100-regulator: Variable "val" in pfuze100_regulator_probe() could be uninitialized regulator: ti-abb: Fix timeout in ti_abb_wait_txdone/ti_abb_clear_all_txdone arm64: dts: Fix gpio to pinmux mapping ANDROID: overlayfs: fix printk format Change-Id: Ic95f2a41e415e4db8078dcaa3180f956986fc1ed Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org> |
||
|
|
80e6b3268f |
net: add a READ_ONCE() in skb_peek_tail()
commit f8cc62ca3e660ae3fdaee533b1d554297cd2ae82 upstream.
skb_peek_tail() can be used without protection of a lock,
as spotted by KCSAN [1]
In order to avoid load-tearing, add a READ_ONCE()
Note that the corresponding WRITE_ONCE() are already there.
[1]
BUG: KCSAN: data-race in sk_wait_data / skb_queue_tail
read to 0xffff8880b36a4118 of 8 bytes by task 20426 on cpu 1:
skb_peek_tail include/linux/skbuff.h:1784 [inline]
sk_wait_data+0x15b/0x250 net/core/sock.c:2477
kcm_wait_data+0x112/0x1f0 net/kcm/kcmsock.c:1103
kcm_recvmsg+0xac/0x320 net/kcm/kcmsock.c:1130
sock_recvmsg_nosec net/socket.c:871 [inline]
sock_recvmsg net/socket.c:889 [inline]
sock_recvmsg+0x92/0xb0 net/socket.c:885
___sys_recvmsg+0x1a0/0x3e0 net/socket.c:2480
do_recvmmsg+0x19a/0x5c0 net/socket.c:2601
__sys_recvmmsg+0x1ef/0x200 net/socket.c:2680
__do_sys_recvmmsg net/socket.c:2703 [inline]
__se_sys_recvmmsg net/socket.c:2696 [inline]
__x64_sys_recvmmsg+0x89/0xb0 net/socket.c:2696
do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
write to 0xffff8880b36a4118 of 8 bytes by task 451 on cpu 0:
__skb_insert include/linux/skbuff.h:1852 [inline]
__skb_queue_before include/linux/skbuff.h:1958 [inline]
__skb_queue_tail include/linux/skbuff.h:1991 [inline]
skb_queue_tail+0x7e/0xc0 net/core/skbuff.c:3145
kcm_queue_rcv_skb+0x202/0x310 net/kcm/kcmsock.c:206
kcm_rcv_strparser+0x74/0x4b0 net/kcm/kcmsock.c:370
__strp_recv+0x348/0xf50 net/strparser/strparser.c:309
strp_recv+0x84/0xa0 net/strparser/strparser.c:343
tcp_read_sock+0x174/0x5c0 net/ipv4/tcp.c:1639
strp_read_sock+0xd4/0x140 net/strparser/strparser.c:366
do_strp_work net/strparser/strparser.c:414 [inline]
strp_work+0x9a/0xe0 net/strparser/strparser.c:423
process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
worker_thread+0xa0/0x800 kernel/workqueue.c:2415
kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 451 Comm: kworker/u4:3 Not tainted 5.4.0-rc3+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Workqueue: kstrp strp_work
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
a9de6f42e9 |
net/flow_dissector: switch to siphash
commit 55667441c84fa5e0911a0aac44fb059c15ba6da2 upstream.
UDP IPv6 packets auto flowlabels are using a 32bit secret
(static u32 hashrnd in net/core/flow_dissector.c) and
apply jhash() over fields known by the receivers.
Attackers can easily infer the 32bit secret and use this information
to identify a device and/or user, since this 32bit secret is only
set at boot time.
Really, using jhash() to generate cookies sent on the wire
is a serious security concern.
Trying to change the rol32(hash, 16) in ip6_make_flowlabel() would be
a dead end. Trying to periodically change the secret (like in sch_sfq.c)
could change paths taken in the network for long lived flows.
Let's switch to siphash, as we did in commit df453700e8d8
("inet: switch IP ID generator to siphash")
Using a cryptographically strong pseudo random function will solve this
privacy issue and more generally remove other weak points in the stack.
Packet schedulers using skb_get_hash_perturb() benefit from this change.
Fixes:
|
||
|
|
3af6b2ad90 |
net: add skb_queue_empty_lockless()
[ Upstream commit d7d16a89350ab263484c0aa2b523dd3a234e4a80 ]
Some paths call skb_queue_empty() without holding
the queue lock. We must use a barrier in order
to not let the compiler do strange things, and avoid
KCSAN splats.
Adding a barrier in skb_queue_empty() might be overkill,
I prefer adding a new helper to clearly identify
points where the callers might be lockless. This might
help us finding real bugs.
The corresponding WRITE_ONCE() should add zero cost
for current compilers.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
7e722ce705 |
Merge android-4.14.123 (acd501f) into msm-4.14
* refs/heads/tmp-acd501f: Revert "arm64/iommu: handle non-remapped addresses in ->mmap and ->get_sgtable" Linux 4.14.123 NFS: Fix a double unlock from nfs_match,get_client vfio-ccw: Prevent quiesce function going into an infinite loop drm: Wake up next in drm_read() chain if we are forced to putback the event drm/drv: Hold ref on parent device during drm_device lifetime ASoC: davinci-mcasp: Fix clang warning without CONFIG_PM spi: Fix zero length xfer bug spi: rspi: Fix sequencer reset during initialization spi : spi-topcliff-pch: Fix to handle empty DMA buffers scsi: lpfc: Fix SLI3 commands being issued on SLI4 devices media: saa7146: avoid high stack usage with clang scsi: lpfc: Fix fc4type information for FDMI scsi: lpfc: Fix FDMI manufacturer attribute value media: vimc: zero the media_device on probe media: go7007: avoid clang frame overflow warning with KASAN media: vimc: stream: fix thread state before sleep media: m88ds3103: serialize reset messages in m88ds3103_set_frontend thunderbolt: Fix to check for kmemdup failure hwrng: omap - Set default quality dmaengine: tegra210-adma: use devm_clk_*() helpers batman-adv: allow updating DAT entry timeouts on incoming ARP Replies scsi: qla4xxx: avoid freeing unallocated dma memory usb: core: Add PM runtime calls to usb_hcd_platform_shutdown rcuperf: Fix cleanup path for invalid perf_type strings rcutorture: Fix cleanup path for invalid torture_type strings x86/mce: Fix machine_check_poll() tests for error types tty: ipwireless: fix missing checks for ioremap virtio_console: initialize vtermno value for ports scsi: qedf: Add missing return in qedf_post_io_req() in the fcport offload check media: wl128x: prevent two potential buffer overflows media: video-mux: fix null pointer dereferences kobject: Don't trigger kobject_uevent(KOBJ_REMOVE) twice. 
spi: tegra114: reset controller on probe HID: logitech-hidpp: change low battery level threshold from 31 to 30 percent cxgb3/l2t: Fix undefined behaviour ASoC: fsl_utils: fix a leaked reference by adding missing of_node_put ASoC: eukrea-tlv320: fix a leaked reference by adding missing of_node_put HID: core: move Usage Page concatenation to Main item RDMA/hns: Fix bad endianess of port_pd variable chardev: add additional check for minor range overlap x86/ia32: Fix ia32_restore_sigcontext() AC leak x86/uaccess, signal: Fix AC=1 bloat x86/uaccess, ftrace: Fix ftrace_likely_update() vs. SMAP arm64: cpu_ops: fix a leaked reference by adding missing of_node_put scsi: ufs: Avoid configuring regulator with undefined voltage range scsi: ufs: Fix regulator load and icc-level configuration rtlwifi: fix potential NULL pointer dereference rtc: xgene: fix possible race condition brcmfmac: fix Oops when bringing up interface during USB disconnect brcmfmac: fix race during disconnect when USB completion is in progress brcmfmac: fix WARNING during USB disconnect in case of unempty psq brcmfmac: convert dev_init_lock mutex to completion b43: shut up clang -Wuninitialized variable warning brcmfmac: fix missing checks for kmemdup mwifiex: Fix mem leak in mwifiex_tm_cmd rtlwifi: fix a potential NULL pointer dereference iio: common: ssp_sensors: Initialize calculated_time in ssp_common_process_data iio: hmc5843: fix potential NULL pointer dereferences iio: ad_sigma_delta: Properly handle SPI bus locking vs CS assertion x86/build: Keep local relocations with ld.lld block: sed-opal: fix IOC_OPAL_ENABLE_DISABLE_MBR cpufreq: kirkwood: fix possible object reference leak cpufreq: pmac32: fix possible object reference leak cpufreq/pasemi: fix possible object reference leak cpufreq: ppc_cbe: fix possible object reference leak s390: cio: fix cio_irb declaration x86/microcode: Fix the ancient deprecated microcode loading method s390: zcrypt: initialize variables before_use clk: rockchip: Make 
rkpwm a critical clock on rk3288 extcon: arizona: Disable mic detect if running when driver is removed clk: rockchip: Fix video codec clocks on rk3288 PM / core: Propagate dev->power.wakeup_path when no callbacks drm/amdgpu: fix old fence check in amdgpu_fence_emit mmc: sdhci-of-esdhc: add erratum eSDHC-A001 and A-008358 support mmc: sdhci-of-esdhc: add erratum A-009204 support mmc: sdhci-of-esdhc: add erratum eSDHC5 support mmc_spi: add a status check for spi_sync_locked mmc: core: make pwrseq_emmc (partially) support sleepy GPIO controllers scsi: libsas: Do discovery on empty PHY to update PHY info hwmon: (f71805f) Use request_muxed_region for Super-IO accesses hwmon: (pc87427) Use request_muxed_region for Super-IO accesses hwmon: (smsc47b397) Use request_muxed_region for Super-IO accesses hwmon: (smsc47m1) Use request_muxed_region for Super-IO accesses hwmon: (vt1211) Use request_muxed_region for Super-IO accesses RDMA/cxgb4: Fix null pointer dereference on alloc_skb failure arm64: vdso: Fix clock_getres() for CLOCK_REALTIME i40e: don't allow changes to HW VLAN stripping on active port VLANs i40e: Able to add up to 16 MAC filters on an untrusted VF phy: sun4i-usb: Make sure to disable PHY0 passby for peripheral mode x86/irq/64: Limit IST stack overflow check to #DB stack USB: core: Don't unbind interfaces following device reset failure drm/msm: a5xx: fix possible object reference leak sched/core: Handle overflow in cpu_shares_write_u64 sched/rt: Check integer overflow at usec to nsec conversion sched/core: Check quota and period overflow at usec to nsec conversion cgroup: protect cgroup->nr_(dying_)descendants by css_set_lock random: add a spinlock_t to struct batched_entropy powerpc/64: Fix booting large kernels with STRICT_KERNEL_RWX powerpc/numa: improve control of topology updates media: pvrusb2: Prevent a buffer overflow media: au0828: Fix NULL pointer dereference in au0828_analog_stream_enable() media: stm32-dcmi: fix crash when subdev do not expose any 
formats audit: fix a memory leak bug media: ov2659: make S_FMT succeed even if requested format doesn't match media: au0828: stop video streaming only when last user stops media: ov6650: Move v4l2_clk_get() to ov6650_video_probe() helper media: coda: clear error return value before picture run dmaengine: at_xdmac: remove BUG_ON macro in tasklet clk: rockchip: undo several noc and special clocks as critical on rk3288 pinctrl: samsung: fix leaked of_node references pinctrl: pistachio: fix leaked of_node references HID: logitech-hidpp: use RAP instead of FAP to get the protocol version mm/uaccess: Use 'unsigned long' to placate UBSAN warnings on older GCC versions x86/mm: Remove in_nmi() warning from 64-bit implementation of vmalloc_fault() smpboot: Place the __percpu annotation correctly x86/build: Move _etext to actual end of .text vfio-ccw: Release any channel program when releasing/removing vfio-ccw mdev vfio-ccw: Do not call flush_workqueue while holding the spinlock bcache: avoid clang -Wunintialized warning bcache: add failure check to run_cache_set() for journal replay bcache: fix failure in journal relplay bcache: return error immediately in bch_journal_replay() crypto: sun4i-ss - Fix invalid calculation of hash end net: cw1200: fix a NULL pointer dereference mwifiex: prevent an array overflow ASoC: fsl_sai: Update is_slave_mode with correct value libbpf: fix samples/bpf build failure due to undefined UINT32_MAX mac80211/cfg80211: update bss channel on channel switch dmaengine: pl330: _stop: clear interrupt status w1: fix the resume command API scsi: qedi: Abort ep termination if offload not scheduled rtc: 88pm860x: prevent use-after-free on device remove iwlwifi: pcie: don't crash on invalid RX interrupt btrfs: Don't panic when we can't find a root key btrfs: fix panic during relocation after ENOSPC before writeback happens Btrfs: fix data bytes_may_use underflow with fallocate due to failed quota reserve scsi: qla2xxx: Avoid that lockdep complains about 
unsafe locking in tcm_qla2xxx_close_session() scsi: qla2xxx: Fix abort handling in tcm_qla2xxx_write_pending() scsi: qla2xxx: Fix a qla24xx_enable_msix() error path sched/cpufreq: Fix kobject memleak arm64: Fix compiler warning from pte_unmap() with -Wunused-but-set-variable ARM: vdso: Remove dependency with the arch_timer driver internals ACPI / property: fix handling of data_nodes in acpi_get_next_subnode() brcm80211: potential NULL dereference in brcmf_cfg80211_vndr_cmds_dcmd_handler() spi: pxa2xx: fix SCR (divisor) calculation ASoC: imx: fix fiq dependencies powerpc/boot: Fix missing check of lseek() return value powerpc/perf: Return accordingly on invalid chip-id in ASoC: hdmi-codec: unlock the device on startup errors pinctrl: zte: fix leaked of_node references net: ena: gcc 8: fix compilation warning dmaengine: tegra210-dma: free dma controller in remove() tools/bpf: fix perf build error with uClibc (seen on ARC) mmc: core: Verify SD bus width gfs2: Fix occasional glock use-after-free IB/hfi1: Fix WQ_MEM_RECLAIM warning NFS: make nfs_match_client killable cxgb4: Fix error path in cxgb4_init_module gfs2: Fix lru_count going negative Revert "btrfs: Honour FITRIM range constraints during free space trim" net: erspan: fix use-after-free at76c50x-usb: Don't register led_trigger if usb_register_driver failed batman-adv: mcast: fix multicast tt/tvlv worker locking bpf: devmap: fix use-after-free Read in __dev_map_entry_free ssb: Fix possible NULL pointer dereference in ssb_host_pcmcia_exit media: vivid: use vfree() instead of kfree() for dev->bitmap_cap media: serial_ir: Fix use-after-free in serial_ir_init_module media: cpia2: Fix use-after-free in cpia2_exit fbdev: fix WARNING in __alloc_pages_nodemask bug btrfs: honor path->skip_locking in backref code brcmfmac: add subtype check for event handling in data path brcmfmac: assure SSID length from firmware is limited hugetlb: use same fault hash key for shared and private mappings fbdev: fix divide error in 
fb_var_to_videomode btrfs: sysfs: don't leak memory when failing add fsid btrfs: sysfs: Fix error path kobject memory leak Btrfs: fix race between ranged fsync and writeback of adjacent ranges Btrfs: avoid fallback to transaction commit during fsync of files with holes Btrfs: do not abort transaction at btrfs_update_root() after failure to COW path gfs2: Fix sign extension bug in gfs2_update_stats arm64/iommu: handle non-remapped addresses in ->mmap and ->get_sgtable libnvdimm/namespace: Fix label tracking error libnvdimm/pmem: Bypass CONFIG_HARDENED_USERCOPY overhead kvm: svm/avic: fix off-by-one in checking host APIC ID mmc: sdhci-iproc: Set NO_HISPD bit to fix HS50 data hold time problem mmc: sdhci-iproc: cygnus: Set NO_HISPD bit to fix HS50 data hold time problem crypto: vmx - CTR: always increment IV as quadword Revert "scsi: sd: Keep disk read-only when re-reading partition" sbitmap: fix improper use of smp_mb__before_atomic() bio: fix improper use of smp_mb__before_atomic() KVM: x86: fix return value for reserved EFER f2fs: Fix use of number of devices ext4: do not delete unlinked inode from orphan list on failed truncate x86: Hide the int3_emulate_call/jmp functions from UML x86: Hide the int3_emulate_call/jmp functions from UML Linux 4.14.122 fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough btrfs: Honour FITRIM range constraints during free space trim bpf, lru: avoid messing with eviction heuristics upon syscall lookup bpf: add map_lookup_elem_sys_only for lookups from syscall side driver core: Postpone DMA tear-down until after devres release for probe failure md/raid: raid5 preserve the writeback action after the parity check Revert "Don't jump to compute_result state from check_result state" perf bench numa: Add define for RUSAGE_THREAD if not present ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour x86/mm/mem_encrypt: Disable all instrumentation for early SME setup sched/cpufreq: Fix kobject memleak iwlwifi: mvm: 
check for length correctness in iwl_mvm_create_skb() power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG KVM: arm/arm64: Ensure vcpu target is unset on reset failure mac80211: Fix kernel panic due to use of txq after free apparmorfs: fix use-after-free on symlink traversal securityfs: fix use-after-free on symlink traversal power: supply: cpcap-battery: Fix division by zero xfrm4: Fix uninitialized memory read in _decode_session4 esp4: add length check for UDP encapsulation vti4: ipip tunnel deregistration fixes. xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink dm delay: fix a crash when invalid device is specified dm zoned: Fix zone report handling dm cache metadata: Fix loading discard bitset PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum PCI: Factor out pcie_retrain_link() function PCI: Mark Atheros AR9462 to avoid bus reset PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display fbdev: sm712fb: fix support for 1024x768-16 mode fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75 fbdev: sm712fb: fix brightness control on reboot, don't set SR30 objtool: Allow AR to be overridden with HOSTAR perf intel-pt: Fix sample timestamp wrt non-taken branches perf intel-pt: Fix improved sample timestamp perf intel-pt: Fix instructions sampling rate memory: tegra: Fix integer overflow on tick value calculation tracing: Fix partial reading of trace event's id file ftrace/x86_64: Emulate call function while updating in breakpoint handler x86_64: Allow breakpoints to emulate call 
instructions x86_64: Add gap to int3 to allow for call emulation ceph: flush dirty inodes before proceeding with remount iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 fuse: honor RLIMIT_FSIZE in fuse_file_fallocate fuse: fix writepages on 32bit clk: rockchip: fix wrong clock definitions for rk3328 clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider clk: hi3660: Mark clk_gate_ufs_subsys as critical PNFS fallback to MDS if no deviceid found NFS4: Fix v4.0 client state corruption when mount Revert "cifs: fix memory leak in SMB2_read" media: ov6650: Fix sensor possibly not detected on probe cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() of: fix clang -Wunsequenced for be32_to_cpu() p54: drop device reference count if fails to enable device intel_th: msu: Fix single mode with IOMMU md: add mddev->pers to avoid potential NULL pointer dereference stm class: Fix channel free in stm output free path parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code parisc: Use PA_ASM_LEVEL in boot code parisc: Skip registering LED when running in QEMU parisc: Export running_on_qemu symbol for modules net: Always descend into dsa/ vsock/virtio: Initialize core virtio vsock before registering the driver tipc: fix modprobe tipc failed after switch order of device registration vsock/virtio: free packets during the socket release tipc: switch order of device registration to fix a crash ppp: deflate: Fix possible crash in deflate_init net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions net: test nouarg before dereferencing zerocopy pointers net/mlx4_core: Change the error print to info print net: avoid weird emergency message f2fs: link f2fs quota ops for sysfile Enable CONFIG_ION_SYSTEM_HEAP BACKPORT: gcov: clang support UPSTREAM: gcov: docs: add a note on GCC vs Clang differences UPSTREAM: gcov: clang: move common GCC code into gcc_base.c UPSTREAM: module: add stubs for within_module functions 
UPSTREAM: gcov: remove CONFIG_GCOV_FORMAT_AUTODETECT BACKPORT: kbuild: gcov: enable -fno-tree-loop-im if supported fs: sdcardfs: Add missing option to show_options Conflicts: Makefile arch/arm64/include/asm/pgtable.h drivers/scsi/ufs/ufshcd.c Change-Id: I0c79879b0989383949ff5a292a9923b668e4514f Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org> |
||
|
|
723fdfbab8 |
net: test nouarg before dereferencing zerocopy pointers
[ Upstream commit 185ce5c38ea76f29b6bd9c7c8c7a5e5408834920 ]
Zerocopy skbs without completion notification were added for packet
sockets with PACKET_TX_RING user buffers. Those signal completion
through the TP_STATUS_USER bit in the ring. Zerocopy annotation was
added only to avoid premature notification after clone or orphan, by
triggering a copy on these paths for these packets.
The mechanism had to define a special "no-uarg" mode because packet
sockets already use skb_uarg(skb) == skb_shinfo(skb)->destructor_arg
for a different pointer.
Before dereferencing skb_uarg(skb), verify that it is a real pointer.
Fixes: 5cd8d46ea1562 ("packet: copy user buffers before orphan or clone")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
7ab08b2ef4 |
Merge android-4.14-p.104 (1912b02) into msm-4.14
* refs/heads/tmp-1912b02:
Linux 4.14.104
net: phylink: avoid resolving link state too early
sched/sysctl: Fix attributes of some extern declarations
phy: tegra: remove redundant self assignment of 'map'
pinctrl: max77620: Use define directive for max77620_pinconf_param values
netfilter: ipv6: Don't preserve original oif for loopback address
netfilter: nft_compat: use-after-free when deleting targets
netfilter: nf_tables: fix flush after rule deletion in the same batch
Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
net: avoid false positives in untrusted gso validation
net: validate untrusted gso packets without csum offload
drm/i915/fbdev: Actually configure untiled displays
ARC: define ARCH_SLAB_MINALIGN = 8
ARC: U-boot: check arguments paranoidly
ARCv2: Enable unaligned access in early ASM code
parisc: Fix ptrace syscall number modification
KEYS: always initialize keyring_index_key::desc_len
KEYS: user: Align the payload buffer
RDMA/srp: Rework SCSI device reset handling
inet_diag: fix reporting cgroup classid and fallback to priority
net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames
sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
team: avoid complex list operations in team_nl_cmd_options_set()
sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment
net: sfp: do not probe SFP module before we're attached
net/packet: fix 4gb buffer limit due to overflow check
net/mlx5e: Don't overwrite pedit action when multiple pedit used
ipv6: propagate genlmsg_reply return code
batman-adv: fix uninit-value in batadv_interface_tx()
isdn: avm: Fix string plus integer warning from Clang
net/mlx5e: Fix wrong (zero) TX drop counter indication for representor
mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky
bpf: bpf_setsockopt: reset sock dst on SO_MARK changes
leds: lp5523: fix a missing check of return value of lp55xx_read
hwmon: (tmp421) Correct the misspelling of the tmp442 compatible attribute in OF device ID table
atm: he: fix sign-extension overflow on large shift
drm/meson: add missing of_node_put
always clear the X2APIC_ENABLE bit for PV guest
scsi: qedi: Add ep_state for login completion on un-reachable targets
scsi: ufs: Fix system suspend status
isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
net: stmmac: Fix PCI module removal leak
bpf: correctly set initial window on active Fast Open sender
MIPS: jazz: fix 64bit build
scsi: isci: initialize shost fully before calling scsi_add_host()
scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
netfilter: nf_tables: fix leaking object reference count
MIPS: ath79: Enable OF serial ports in the default config
net: hns: Fix use after free identified by SLUB debug
qed: Fix qed_ll2_post_rx_buffer_notify_fw() by adding a write memory barrier
qed: Fix qed_chain_set_prod() for PBL chains with non power of 2 page count
xen/pvcalls: remove set but not used variable 'intf'
mfd: mc13xxx: Fix a missing check of a register-read failure
mfd: tps65218: Use devm_regmap_add_irq_chip and clean up error path in probe()
mfd: wm5110: Add missing ASRC rate register
mfd: qcom_rpm: write fw_version to CTRL_REG
mfd: bd9571mwv: Add volatile register to make DVFS work
mfd: ab8500-core: Return zero in get_register_interruptible()
mfd: mt6397: Do not call irq_domain_remove if PMIC unsupported
mfd: db8500-prcmu: Fix some section annotations
mfd: twl-core: Fix section annotations on {,un}protect_pm_master
pvcalls-back: set -ENOTCONN in pvcalls_conn_back_read
mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells
KEYS: allow reaching the keys quotas exactly
proc, oom: do not report alien mms when setting oom_score_adj
numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES
ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
libceph: handle an empty authorize reply
mac80211: Free mpath object when rhashtable insertion fails
mac80211: Restore vif beacon interval if start ap fails
MIPS: eBPF: Always return sign extended 32b values
tracing: Fix number of entries in trace header
ARM: 8834/1: Fix: kprobes: optimized kprobes illegal instruction
Change-Id: Iaa9dd7842d9c83e5bfd7ea15e7d772fe0ce92438
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
||
|
|
9ec70dd408 |
Merge android-4.14-p.102 (6d248da0) into msm-4.14
* refs/heads/tmp-6d248da0:
Revert "sched, trace: Fix prev_state output in sched_switch tracepoint"
Linux 4.14.102
uapi/if_ether.h: move __UAPI_DEF_ETHHDR libc define
pinctrl: msm: fix gpio-hog related boot issues
futex: Cure exit race
sched, trace: Fix prev_state output in sched_switch tracepoint
drm/i915: Prevent a race during I915_GEM_MMAP ioctl with WC set
dm thin: fix bug where bio that overwrites thin block ignores FUA
dm crypt: don't overallocate the integrity tag space
x86/a.out: Clear the dump structure initially
md/raid1: don't clear bitmap bits on interrupted recovery.
signal: Restore the stop PTRACE_EVENT_EXIT
x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls
tracing/uprobes: Fix output for multiple string arguments
alpha: Fix Eiger NR_IRQS to 128
alpha: fix page fault handling for r16-r18 targets
mm: proc: smaps_rollup: fix pss_locked calculation
Input: elantech - enable 3rd button support on Fujitsu CELSIUS H780
Input: bma150 - register input device after setting private data
kvm: vmx: Fix entry number check for add_atomic_switch_msr()
ALSA: usb-audio: Fix implicit fb endpoint setup by quirk
ALSA: hda - Add quirk for HP EliteBook 840 G5
perf/x86: Add check_period PMU callback
perf/core: Fix impossible ring-buffer sizes warning
Input: elan_i2c - add ACPI ID for touchpad in Lenovo V330-15ISK
Revert "Input: elan_i2c - add ACPI ID for touchpad in ASUS Aspire F5-573G"
cifs: Limit memory used by lock request calls to a page
drm/nouveau/falcon: avoid touching registers if engine is off
drm/nouveau: Don't disable polling in fallback mode
gpio: pl061: handle failed allocations
ARM: dts: kirkwood: Fix polarity of GPIO fan lines
ARM: dts: da850-lcdk: Correct the sound card name
ARM: dts: da850-evm: Correct the sound card name
nvme-pci: use the same attributes when freeing host_mem_desc_bufs.
drm/bridge: tc358767: fix output H/V syncs
drm/bridge: tc358767: reject modes which require too much BW
drm/bridge: tc358767: fix initial DP0/1_SRCCTRL value
drm/bridge: tc358767: fix single lane configuration
drm/bridge: tc358767: add defines for DP1_SRCCTRL & PHY_2LANE
cpufreq: check if policy is inactive early in __cpufreq_get()
perf test shell: Use a fallback to get the pathname in vfs_getname
ACPI: NUMA: Use correct type for printing addresses on i386-PAE
bnx2x: disable GSO where gso_size is too big for hardware
net: create skb_gso_validate_mac_len()
ARM: fix the cockup in the previous patch
ARM: ensure that processor vtables is not lost after boot
ARM: spectre-v2: per-CPU vtables to work around big.Little systems
ARM: add PROC_VTABLE and PROC_TABLE macros
ARM: clean up per-processor check_bugs method call
ARM: split out processor lookup
ARM: make lookup_processor_type() non-__init
ARM: 8810/1: vfp: Fix wrong assignement to ufp_exc
ARM: 8797/1: spectre-v1.1: harden __copy_to_user
ARM: 8796/1: spectre-v1,v1.1: provide helpers for address sanitization
ARM: 8795/1: spectre-v1.1: use put_user() for __put_user()
ARM: 8794/1: uaccess: Prevent speculative use of the current addr_limit
ARM: 8793/1: signal: replace __put_user_error with __put_user
ARM: 8792/1: oabi-compat: copy oabi events using __copy_to_user()
ARM: 8791/1: vfp: use __copy_to_user() when saving VFP state
ARM: 8790/1: signal: always use __copy_to_user to save iwmmxt context
ARM: 8789/1: signal: copy registers using __copy_to_user()
uapi/if_ether.h: prevent redefinition of struct ethhdr
blk-mq: fix a hung issue when fsync
eeprom: at24: add support for 24c2048
dt-bindings: eeprom: at24: add "atmel,24c2048" compatible string
Change-Id: I76266eef1ae49d35fb83938d82066e72be54bb2c
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
||
|
|
dac7d4432b |
net: validate untrusted gso packets without csum offload
commit d5be7f632bad0f489879eed0ff4b99bd7fe0b74c upstream.
Syzkaller again found a path to a kernel crash through bad gso input.
By building an excessively large packet to cause an skb field to wrap.
If VIRTIO_NET_HDR_F_NEEDS_CSUM was set this would have been dropped in
skb_partial_csum_set.
GSO packets that do not set checksum offload are suspicious and rare.
Most callers of virtio_net_hdr_to_skb already pass them to
skb_probe_transport_header.
Move that test forward, change it to detect parse failure and drop
packets on failure as those clearly are not one of the legitimate
VIRTIO_NET_HDR_GSO types.
Fixes: |
||
|
|
785644d673 |
net: create skb_gso_validate_mac_len()
commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90 upstream
If you take a GSO skb, and split it into packets, will the MAC
length (L2 + L3 + L4 headers + payload) of those packets be small
enough to fit within a given length?
Move skb_gso_mac_seglen() to skbuff.h with other related functions
like skb_gso_network_seglen() so we can use it, and then create
skb_gso_validate_mac_len to do the full calculation.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
[jwang: cherry pick for CVE-2018-1000026]
Signed-off-by: Jack Wang <jinpu.wang@cloud.ionos.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
|
2cda3bbed5 |
Merge android-4.14-p.97 (0053642) into msm-4.14
* refs/heads/tmp-0053642:
Linux 4.14.97
btrfs: dev-replace: go back to suspended state if target device is missing
btrfs: fix error handling in btrfs_dev_replace_start
f2fs: read page index before freeing
xen: Fix x86 sched_clock() interface for xen
x86/xen/time: Output xen sched_clock time from 0
x86/xen/time: setup vcpu 0 time info page
x86/xen/time: set pvclock flags on xen_time_init()
x86/pvclock: add setter for pvclock_pvti_cpu0_va
ptp_kvm: probe for kvm guest availability
xhci: Fix leaking USB3 shared_hcd at xhci removal
usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup
nvmet-rdma: fix null dereference under heavy load
nvmet-rdma: Add unlikely for response allocated check
s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU
KVM: x86: Fix a 4.14 backport regression related to userspace/guest FPU
net: stmmac: Use correct values in TQS/RQS fields
Revert "seccomp: add a selftest for get_metadata"
perf unwind: Take pgoff into account when reporting elf to libdwfl
perf unwind: Unwind with libdw doesn't take symfs into account
vt: invoke notifier on screen size change
can: bcm: check timer values before ktime conversion
can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it
irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size
posix-cpu-timers: Unbreak timer rearming
x86/kaslr: Fix incorrect i8254 outb() parameters
x86/selftests/pkeys: Fork() to check for state being preserved
x86/pkeys: Properly copy pkey state at fork()
KVM: x86: Fix single-step debugging
dm crypt: fix parsing of extended IV arguments
dm thin: fix passdown_double_checking_shared_status()
acpi/nfit: Fix command-supported detection
acpi/nfit: Block function zero DSMs
Input: uinput - fix undefined behavior in uinput_validate_absinfo()
compiler.h: enable builtin overflow checkers and add fallback code
Input: xpad - add support for SteelSeries Stratus Duo
CIFS: Do not reconnect TCP session in add_credits()
CIFS: Fix credit calculation for encrypted reads with errors
CIFS: Fix credits calculations for reads with errors
CIFS: Fix possible hang during async MTU reads and writes
Drivers: hv: vmbus: Check for ring when getting debug info
hv_balloon: avoid touching uninitialized struct page during tail onlining
tty/n_hdlc: fix __might_sleep warning
uart: Fix crash in uart_write and uart_put_char
tty: Handle problem if line discipline does not have receive_buf
staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1
char/mwave: fix potential Spectre v1 vulnerability
s390/smp: fix CPU hotplug deadlock with CPU rescan
s390/early: improve machine detection
ARC: perf: map generic branches to correct hardware condition
ARC: adjust memblock_reserve of kernel memory
ARCv2: lib: memeset: fix doing prefetchw outside of buffer
ALSA: hda - Add mute LED support for HP ProBook 470 G5
ASoC: rt5514-spi: Fix potential NULL pointer dereference
ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages
USB: serial: pl2303: add new PID to support PL2303TB
USB: serial: simple: add Motorola Tetra TPG2200 device id
mei: me: add denverton innovation engine device IDs
mmc: Kconfig: Enable CONFIG_MMC_SDHCI_IO_ACCESSORS
ipfrag: really prevent allocation on netns exit
tcp: allow MSG_ZEROCOPY transmission also in CLOSE_WAIT state
net: ipv4: Fix memory leak in network namespace dismantle
vhost: log dirty page correctly
openvswitch: Avoid OOB read when parsing flow nlattrs
net_sched: refetch skb protocol for each filter
net: phy: mdio_bus: add missing device_del() in mdiobus_register() error handling
net: Fix usage of pskb_trim_rcsum
net: bridge: Fix ethernet header pointer before check skb forwardable
amd-xgbe: Fix mdio access for non-zero ports and clause 45 PHYs
f2fs: add missing part of patch "f2fs: support flexible inline xattr size"
Conflicts:
drivers/usb/host/xhci-plat.c
fs/f2fs/node.c
Change-Id: I750a77383fb2a40417b2321db530815cc09275f2
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
||
|
|
66a011d153 |
net: Fix usage of pskb_trim_rcsum
[ Upstream commit 6c57f0458022298e4da1729c67bd33ce41c14e7a ]
In certain cases, pskb_trim_rcsum() may change skb pointers.
Reinitialize header pointers afterwards to avoid potential
use-after-frees. Add a note in the documentation of
pskb_trim_rcsum(). Found by KASAN.
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
|
63690ffd87 |
Merge android-4.14-p.86 (8629d9b) into msm-4.14
* refs/heads/tmp-8629d9b:
Linux 4.14.86
f2fs: fix missing up_read
libceph: check authorizer reply/challenge length before reading
libceph: weaken sizeof check in ceph_x_verify_authorizer_reply()
binder: fix race that allows malicious free of live buffer
misc: mic/scif: fix copy-paste error in scif_create_remote_lookup
Drivers: hv: vmbus: check the creation_status in vmbus_establish_gpadl()
mm: use swp_offset as key in shmem_replace_page()
lib/test_kmod.c: fix rmmod double free
iio:st_magn: Fix enable device after trigger
Revert "usb: dwc3: gadget: skip Set/Clear Halt when invalid"
usb: core: quirks: add RESET_RESUME quirk for Cherry G230 Stream series
USB: usb-storage: Add new IDs to ums-realtek
staging: rtl8723bs: Add missing return for cfg80211_rtw_get_station
staging: vchiq_arm: fix compat VCHIQ_IOC_AWAIT_COMPLETION
btrfs: release metadata before running delayed refs
dmaengine: at_hdmac: fix module unloading
dmaengine: at_hdmac: fix memory leak in at_dma_xlate()
ARM: dts: rockchip: Remove @0 from the veyron memory node
ext2: fix potential use after free
ALSA: hda/realtek - fix headset mic detection for MSI MS-B171
ALSA: hda/realtek - Support ALC300
ALSA: sparc: Fix invalid snd_free_pages() at error path
ALSA: control: Fix race between adding and removing a user element
ALSA: ac97: Fix incorrect bit shift at AC97-SPSA control write
ALSA: wss: Fix invalid snd_free_pages() at error path
fs: fix lost error code in dio_complete
perf/x86/intel: Add generic branch tracing check to intel_pmu_has_bts()
perf/x86/intel: Move branch tracing setup to the Intel-specific source file
x86/fpu: Disable bottom halves while loading FPU registers
x86/MCE/AMD: Fix the thresholding machinery initialization order
arm64: dts: rockchip: Fix PCIe reset polarity for rk3399-puma-haikou.
PCI: layerscape: Fix wrong invocation of outbound window disable accessor
btrfs: relocation: set trans to be NULL after ending transaction
Btrfs: ensure path name is null terminated at btrfs_control_ioctl
xtensa: fix coprocessor part of ptrace_{get,set}xregs
xtensa: fix coprocessor context offset definitions
xtensa: enable coprocessors that are being flushed
KVM: X86: Fix scan ioapic use-before-initialization
KVM: x86: Fix kernel info-leak in KVM_HC_CLOCK_PAIRING hypercall
kvm: svm: Ensure an IBPB on all affected CPUs when freeing a vmcb
kvm: mmu: Fix race in emulated page table writes
x86/speculation: Provide IBPB always command line options
x86/speculation: Add seccomp Spectre v2 user space protection mode
x86/speculation: Enable prctl mode for spectre_v2_user
x86/speculation: Add prctl() control for indirect branch speculation
x86/speculation: Prepare arch_smt_update() for PRCTL mode
x86/speculation: Prevent stale SPEC_CTRL msr content
x86/speculation: Split out TIF update
ptrace: Remove unused ptrace_may_access_sched() and MODE_IBRS
x86/speculation: Prepare for conditional IBPB in switch_mm()
x86/speculation: Avoid __switch_to_xtra() calls
x86/process: Consolidate and simplify switch_to_xtra() code
x86/speculation: Prepare for per task indirect branch speculation control
x86/speculation: Add command line control for indirect branch speculation
x86/speculation: Unify conditional spectre v2 print functions
x86/speculataion: Mark command line parser data __initdata
x86/speculation: Mark string arrays const correctly
x86/speculation: Reorder the spec_v2 code
x86/l1tf: Show actual SMT state
x86/speculation: Rework SMT state change
sched/smt: Expose sched_smt_present static key
x86/Kconfig: Select SCHED_SMT if SMP enabled
sched/smt: Make sched_smt_present track topology
x86/speculation: Reorganize speculation control MSRs update
x86/speculation: Rename SSBD update functions
x86/speculation: Disable STIBP when enhanced IBRS is in use
x86/speculation: Move STIPB/IBPB string conditionals out of cpu_show_common()
x86/speculation: Remove unnecessary ret variable in cpu_show_common()
x86/speculation: Clean up spectre_v2_parse_cmdline()
x86/speculation: Update the TIF_SSBD comment
x86/retpoline: Remove minimal retpoline support
x86/retpoline: Make CONFIG_RETPOLINE depend on compiler support
x86/speculation: Add RETPOLINE_AMD support to the inline asm CALL_NOSPEC variant
x86/speculation: Propagate information about RSB filling mitigation to sysfs
x86/speculation: Apply IBPB more strictly to avoid cross-process data leak
x86/speculation: Enable cross-hyperthread spectre v2 STIBP mitigation
x86/bugs: Fix the AMD SSBD usage of the SPEC_CTRL MSR
x86/bugs: Update when to check for the LS_CFG SSBD mitigation
x86/bugs: Switch the selection of mitigation from CPU vendor to CPU features
x86/bugs: Add AMD's SPEC_CTRL MSR usage
x86/bugs: Add AMD's variant of SSB_NO
sched/core: Fix cpu.max vs. cpuhotplug deadlock
usbnet: ipheth: fix potential recvmsg bug and recvmsg bug 2
s390/qeth: fix length check in SNMP processing
rapidio/rionet: do not free skb before reading its length
packet: copy user buffers before orphan or clone
net: thunderx: set tso_hdrs pointer to NULL in nicvf_free_snd_queue
virtio-net: fail XDP set if guest csum is negotiated
virtio-net: disable guest csum during XDP set
net: thunderx: set xdp_prog to NULL if bpf_prog_add fails
net: skb_scrub_packet(): Scrub offload_fwd_mark
Revert "wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()"
xfs: don't fail when converting shortform attr to long form during ATTR_REPLACE
f2fs: fix to do sanity check with cp_pack_start_sum
f2fs: fix to do sanity check with i_extra_isize
f2fs: fix to do sanity check with block address in main area
f2fs: fix to do sanity check with node footer and iblocks
f2fs: fix to do sanity check with user_block_count
f2fs: fix to do sanity check with extra_attr feature
f2fs: Add sanity_check_inode() function
f2fs: fix to do sanity check with secs_per_zone
f2fs: introduce and spread verify_blkaddr
f2fs: clean up with is_valid_blkaddr()
f2fs: enhance sanity_check_raw_super() to avoid potential overflow
f2fs: sanity check on sit entry
f2fs: check blkaddr more accuratly before issue a bio
btrfs: tree-checker: Fix misleading group system information
btrfs: tree-checker: Check level for leaves and nodes
btrfs: Check that each block group has corresponding chunk at mount time
btrfs: tree-checker: Detect invalid and empty essential trees
btrfs: tree-checker: Verify block_group_item
btrfs: tree-check: reduce stack consumption in check_dir_item
btrfs: tree-checker: use %zu format string for size_t
btrfs: tree-checker: Add checker for dir item
btrfs: tree-checker: Fix false panic for sanity test
btrfs: tree-checker: Enhance btrfs_check_node output
btrfs: Move leaf and node validation checker to tree-checker.c
btrfs: Add checker for EXTENT_CSUM
btrfs: Add sanity check for EXTENT_DATA when reading out leaf
btrfs: Check if item pointer overlaps with the item itself
btrfs: Refactor check_leaf function for later expansion
btrfs: Verify that every chunk has corresponding block group at mount time
btrfs: validate type when reading a chunk
wil6210: missing length check in wmi_set_ie
net/tls: Fixed return value when tls_complete_pending_work() fails
tls: Use correct sk->sk_prot for IPV6
tls: don't override sk_write_space if tls_set_sw_offload fails.
tls: Avoid copying crypto_info again after cipher_type check.
tls: Fix TLS ulp context leak, when TLS_TX setsockopt is not used.
tls: Add function to update the TLS socket configuration
bpf: Prevent memory disambiguation attack
libceph: implement CEPHX_V2 calculation mode
libceph: add authorizer challenge
libceph: factor out encrypt_authorizer()
libceph: factor out __ceph_x_decrypt()
libceph: factor out __prepare_write_connect()
libceph: store ceph_auth_handshake pointer in ceph_connection
ubi: Initialize Fastmap checkmapping correctly
media: em28xx: Fix use-after-free when disconnecting
mm/khugepaged: collapse_shmem() do not crash on Compound
mm/khugepaged: collapse_shmem() without freezing new_page
mm/khugepaged: minor reorderings in collapse_shmem()
mm/khugepaged: collapse_shmem() remember to clear holes
mm/khugepaged: fix crashes due to misaccounted holes
mm/khugepaged: collapse_shmem() stop if punched or truncated
mm/huge_memory: fix lockdep complaint on 32-bit i_size_read()
mm/huge_memory: splitting set mapping+index before unfreeze
mm/huge_memory.c: reorder operations in __split_huge_page_tail()
mm/huge_memory: rename freeze_page() to unmap_page()
Conflicts:
drivers/net/wireless/ath/wil6210/wmi.c
fs/f2fs/segment.c
include/linux/sched.h
Extra change is added into this merge in file [1]:
f2fs: Restore discarded delta from commit
|
||
|
|
67f6fba765 |
packet: copy user buffers before orphan or clone
[ Upstream commit 5cd8d46ea1562be80063f53c7c6a5f40224de623 ]
tpacket_snd sends packets with user pages linked into skb frags. It notifies that pages can be reused when the skb is released by setting skb->destructor to tpacket_destruct_skb.
This can cause data corruption if the skb is orphaned (e.g., on transmit through veth) or cloned (e.g., on mirror to another psock).
Create a kernel-private copy of data in these cases, same as tun/tap zerocopy transmission. Reuse that infrastructure: mark the skb as SKBTX_ZEROCOPY_FRAG, which will trigger copy in skb_orphan_frags(_rx).
Unlike other zerocopy packets, do not set shinfo destructor_arg to struct ubuf_info. tpacket_destruct_skb already uses that ptr to notify when the original skb is released and a timestamp is recorded. Do not change this timestamp behavior. The ubuf_info->callback is not needed anyway, as no zerocopy notification is expected.
Mark destructor_arg as not-a-uarg by setting the lower bit to 1. The resulting value is not a valid ubuf_info pointer, nor a valid tpacket_snd frame address. Add skb_zcopy_.._nouarg helpers for this.
The fix relies on features introduced in commit |
||
|
|
6618be6f36 |
Merge "Merge android-4.14-p.74 (91ff1d1) into msm-4.14"
|
||
|
|
768608d55e |
net: Changes to support Shortcut Forward Engine
Shortcut forward Engine (SFE) is a software packet accelerator which works on packet tuple entries (SFE entry) based on conntrack information.
net:core has changes to invoke SFE module during packet traversal.
net:netfilter has changes to remove SFE Entries when conntrack is deleted or expires. Also has changes to avoid tcp window check for incoming packets.
Change-Id: I1622677e472870f8100c72221d9b1fab7fa768be
Signed-off-by: Mohammed Javid <mjavid@codeaurora.org> |
||
|
|
e75d96f9f2 |
Merge android-4.14-p.71 (58b620f) into msm-4.14
* refs/heads/tmp-58b620f:
Linux 4.14.71
mm: get rid of vmacache_flush_all() entirely
autofs: fix autofs_sbi() does not check super block type
tuntap: fix use after free during release
tun: fix use after free for ptr_ring
mtd: ubi: wl: Fix error return code in ubi_wl_init()
ip: frags: fix crash in ip_do_fragment()
ip: process in-order fragments efficiently
ip: add helpers to process in-order fragments faster.
ipv4: frags: precedence bug in ip_expire()
net: sk_buff rbnode reorg
net: add rb_to_skb() and other rb tree helpers
net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends
ipv6: defrag: drop non-last frags smaller than min mtu
net: modify skb_rbtree_purge to return the truesize of all purged skbs.
net: speed up skb_rbtree_purge()
ip: discard IPv4 datagrams with overlapping segments.
inet: frags: fix ip6frag_low_thresh boundary
inet: frags: get rid of ipfrag_skb_cb/FRAG_CB
inet: frags: reorganize struct netns_frags
rhashtable: reorganize struct rhashtable layout
ipv6: frags: rewrite ip6_expire_frag_queue()
inet: frags: do not clone skb in ip_expire()
inet: frags: break the 2GB limit for frags storage
inet: frags: remove inet_frag_maybe_warn_overflow()
inet: frags: get rif of inet_frag_evicting()
inet: frags: remove some helpers
inet: frags: use rhashtables for reassembly units
rhashtable: add schedule points
ipv6: export ip6 fragments sysctl to unprivileged users
inet: frags: refactor lowpan_net_frag_init()
inet: frags: refactor ipv6_frag_init()
inet: frags: Convert timers to use timer_setup()
inet: frags: refactor ipfrag_init()
inet: frags: add a pointer to struct netns_frags
inet: frags: change inet_frags_init_net() return value
drm/i915: set DP Main Stream Attribute for color range on DDI platforms
RDMA/cma: Do not ignore net namespace for unbound cm_id
MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
NFSv4.1: Fix a potential layoutget/layoutrecall deadlock
f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
mfd: ti_am335x_tscadc: Fix struct clk memory leak
iommu/ipmmu-vmsa: Fix allocation in atomic context
f2fs: Fix uninitialized return in f2fs_ioc_shutdown()
f2fs: fix to wait on page writeback before updating page
media: helene: fix xtal frequency setting at power on
partitions/aix: fix usage of uninitialized lv_info and lvname structures
partitions/aix: append null character to print data from disk
media: s5p-mfc: Fix buffer look up in s5p_mfc_handle_frame_{new, copy_time} functions
Input: atmel_mxt_ts - only use first T9 instance
dm cache: only allow a single io_mode cache feature to be requested
net: dcb: For wild-card lookups, use priority -1, not 0
MIPS: generic: fix missing of_node_put()
MIPS: Octeon: add missing of_node_put()
f2fs: fix to do sanity check with reserved blkaddr of inline inode
tpm/tpm_i2c_infineon: switch to i2c_lock_bus(..., I2C_LOCK_SEGMENT)
tpm_tis_spi: Pass the SPI IRQ down to the driver
f2fs: fix to skip GC if type in SSA and SIT is inconsistent
pktcdvd: Fix possible Spectre-v1 for pkt_devs
f2fs: try grabbing node page lock aggressively in sync scenario
net: mvneta: fix mtu change on port without link
pinctrl/amd: only handle irq if it is pending and unmasked
gpio: ml-ioh: Fix buffer underwrite on probe error path
pinctrl: imx: off by one in imx_pinconf_group_dbg_show()
x86/mm: Remove in_nmi() warning from vmalloc_fault()
Bluetooth: hidp: Fix handling of strncpy for hid->name information
ath10k: disable bundle mgmt tx completion event support
tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access()
scsi: 3ware: fix return 0 on the error path of probe
ata: libahci: Correct setting of DEVSLP register
ata: libahci: Allow reconfigure of DEVSLP register
MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
rpmsg: core: add support to power domains for devices
wlcore: Set rx_status boottime_ns field on rx
ath10k: prevent active scans on potential unusable channels
ath9k_hw: fix channel maximum power level test
ath9k: report tx status on EOSP
macintosh/via-pmu: Add missing mmio accessors
perf evlist: Fix error out while applying initial delay and LBR
perf c2c report: Fix crash for empty browser
NFSv4.0 fix client reference leak in callback
perf tools: Allow overriding MAX_NR_CPUS at compile time
f2fs: fix defined but not used build warnings
f2fs: do not set free of current section
f2fs: fix to active page in lru list for read path
tty: rocket: Fix possible buffer overwrite on register_PCI
Drivers: hv: vmbus: Cleanup synic memory free path
firmware: vpd: Fix section enabled flag on vpd_section_destroy
uio: potential double frees if __uio_register_device() fails
misc: ti-st: Fix memory leak in the error path of probe()
gpu: ipu-v3: default to id 0 on missing OF alias
media: camss: csid: Configure data type and decode format properly
timers: Clear timer_base::must_forward_clk with timer_base::lock held
md/raid5: fix data corruption of replacements after originals dropped
scsi: target: fix __transport_register_session locking
blk-mq: fix updating tags depth
net: phy: Fix the register offsets in Broadcom iProc mdio mux driver
media: dw2102: Fix memleak on sequence of probes
media: davinci: vpif_display: Mix memory leak on probe error path
selftests/bpf: fix a typo in map in map test
powerpc/powernv: Fix concurrency issue with npu->mmio_atsd_usage
gpio: tegra: Move driver registration to subsys_init level
Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
i2c: aspeed: Add an explicit type casting for *get_clk_reg_val
ethtool: Remove trailing semicolon for static inline
misc: mic: SCIF Fix scif_get_new_port() error handling
ARC: [plat-axs*]: Enable SWAP
tpm: separate cmd_ready/go_idle from runtime_pm
crypto: aes-generic - fix aes-generic regression on powerpc
switchtec: Fix Spectre v1 vulnerability
x86/microcode: Update the new microcode revision unconditionally
x86/microcode: Make sure boot_cpu_data.microcode is up-to-date
cpu/hotplug: Prevent state corruption on error rollback
cpu/hotplug: Adjust misplaced smb() in cpuhp_thread_fun()
ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
KVM: VMX: Do not allow reexecute_instruction() when skipping MMIO instr
KVM: s390: vsie: copy wrapping keys to right place
Btrfs: fix data corruption when deduplicating between different files
smb3: check for and properly advertise directory lease support
SMB3: Backup intent flag missing for directory opens with backupuid mounts
MIPS: VDSO: Match data page cache colouring when D$ aliases
android: binder: fix the race mmap and alloc_new_buf_locked
block: bfq: swap puts in bfqg_and_blkg_put
nbd: don't allow invalid blocksize settings
scsi: lpfc: Correct MDS diag and nvmet configuration
i2c: i801: fix DNV's SMBCTRL register offset
i2c: xiic: Make the start and the byte count write atomic
Conflicts:
include/linux/mm_types.h
Change-Id: I6d5ca1fc3e58d896127ca7a4a7ec6f662d9ab634
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
|
||
|
|
6b921536f1 |
net: sk_buff rbnode reorg
commit bffa72cf7f9df842f0016ba03586039296b4caaf upstream
skb->rbnode shares space with skb->next, skb->prev and skb->tstamp
Current uses (TCP receive ofo queue and netem) need to save/restore tstamp, while skb->dev is either NULL (TCP) or a constant for a given queue (netem).
Since we plan using an RB tree for TCP retransmit queue to speedup SACK processing with large BDP, this patch exchanges skb->dev and skb->tstamp.
This saves some overhead in both TCP and netem.
v2: removes the swtstamp field from struct tcp_skb_cb
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Wei Wang <weiwan@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
37c7cc80b1 |
net: add rb_to_skb() and other rb tree helpers
Generalize private netem_rb_to_skb()
TCP rtx queue will soon be converted to rb-tree, so we will need skb_rbtree_walk() helpers.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 18a4c0eab2623cc95be98a1e6af1ad18e7695977)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
6bf32cda46 |
net: pskb_trim_rcsum() and CHECKSUM_COMPLETE are friends
After working on IP defragmentation lately, I found that some large packets defeat CHECKSUM_COMPLETE optimization because of NIC adding zero paddings on the last (small) fragment.
While removing the padding with pskb_trim_rcsum(), we set skb->ip_summed to CHECKSUM_NONE, forcing a full csum validation, even if all prior fragments had CHECKSUM_COMPLETE set.
We can instead compute the checksum of the part we are trimming, usually smaller than the part we keep.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 88078d98d1bb085d72af8437707279e203524fa5)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
3bde783eca |
net: modify skb_rbtree_purge to return the truesize of all purged skbs.
Tested: see the next patch in the series.
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Peter Oskolkov <posk@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit 385114dec8a49b5e5945e77ba7de6356106713f4)
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
48c2afc168 |
inet: frags: get rid of ipfrag_skb_cb/FRAG_CB
ip_defrag uses skb->cb[] to store the fragment offset, and unfortunately
this integer is currently in a different cache line than skb->next,
meaning that we use two cache lines per skb when finding the insertion point.
By aliasing skb->ip_defrag_offset and skb->dev, we pack all the fields
in a single cache line and save precious memory bandwidth.
Note that after the fast path added by Changli Gao in commit
|
||
|
|
b2c8463039 |
Merge android-4.14-p.61 (b7e55e8) into msm-4.14
* remotes/origin/tmp-b7e55e8:
Linux 4.14.61
scsi: sg: fix minor memory leak in error path
drm/vc4: Reset ->{x, y}_scaling[1] when dealing with uniplanar formats
crypto: padlock-aes - Fix Nano workaround data corruption
RDMA/uverbs: Expand primary and alt AV port checks
iwlwifi: add more card IDs for 9000 series
userfaultfd: remove uffd flags from vma->vm_flags if UFFD_EVENT_FORK fails
audit: fix potential null dereference 'context->module.name'
kvm: x86: vmx: fix vpid leak
x86/entry/64: Remove %ebx handling from error_entry/exit
x86/apic: Future-proof the TSC_DEADLINE quirk for SKX
virtio_balloon: fix another race between migration and ballooning
net: socket: fix potential spectre v1 gadget in socketcall
can: ems_usb: Fix memory leak on ems_usb_disconnect()
squashfs: more metadata hardenings
squashfs: more metadata hardening
net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager
rxrpc: Fix user call ID check in rxrpc_service_prealloc_one
net: stmmac: Fix WoL for PCI-based setups
netlink: Fix spectre v1 gadget in netlink_create()
net: dsa: Do not suspend/resume closed slave_dev
ipv4: frags: handle possible skb truesize change
inet: frag: enforce memory limits earlier
bonding: avoid lockdep confusion in bond_get_stats()
Linux 4.14.60
tcp: add one more quick ack after after ECN events
tcp: refactor tcp_ecn_check_ce to remove sk type cast
tcp: do not aggressively quick ack after ECN events
tcp: add max_quickacks param to tcp_incr_quickack and tcp_enter_quickack_mode
tcp: do not force quickack when receiving out-of-order packets
netlink: Don't shift with UB on nlk->ngroups
netlink: Do not subscribe to non-existent groups
xen-netfront: wait xenbus state change when load module manually
tcp_bbr: fix bw probing to raise in-flight data for very small BDPs
NET: stmmac: align DMA stuff to largest cache line length
net: mdio-mux: bcm-iproc: fix wrong getter and setter pair
net: lan78xx: fix rx handling before first packet is send
net: fix amd-xgbe flow-control issue
net: ena: Fix use of uninitialized DMA address bits field
ipv4: remove BUG_ON() from fib_compute_spec_dst
net: dsa: qca8k: Allow overwriting CPU port setting
net: dsa: qca8k: Add QCA8334 binding documentation
net: dsa: qca8k: Enable RXMAC when bringing up a port
net: dsa: qca8k: Force CPU port to its highest bandwidth
RDMA/uverbs: Protect from attempts to create flows on unsupported QP
usb: gadget: udc: renesas_usb3: should remove debugfs
ovl: Sync upper dirty data when syncing overlayfs
PCI: xgene: Remove leftover pci_scan_child_bus() call
PCI: pciehp: Assume NoCompl+ for Thunderbolt ports
ext4: fix check to prevent initializing reserved inodes
ext4: check for allocation block validity with block group locked
ext4: fix inline data updates with checksums enabled
squashfs: be more careful about metadata corruption
random: mix rdrand with entropy sent in from userspace
block: reset bi_iter.bi_done after splitting bio
blkdev: __blkdev_direct_IO_simple: fix leak in error case
block: bio_iov_iter_get_pages: fix size of last iovec
drm/dp/mst: Fix off-by-one typo when dump payload table
drm/atomic-helper: Drop plane->fb references only for drm_atomic_helper_shutdown()
drm: Add DP PSR2 sink enable bit
ASoC: topology: Add missing clock gating parameter when parsing hw_configs
ASoC: topology: Fix bclk and fsync inversion in set_link_hw_format()
media: si470x: fix __be16 annotations
media: atomisp: compat32: fix __user annotations
scsi: cxlflash: Avoid clobbering context control register value
scsi: cxlflash: Synchronize reset and remove ops
scsi: megaraid_sas: Increase timeout by 1 sec for non-RAID fastpath IOs
scsi: scsi_dh: replace too broad "TP9" string with the exact models
regulator: Don't return or expect -errno from of_map_mode()
media: omap3isp: fix unbalanced dma_iommu_mapping
crypto: authenc - don't leak pointers to authenc keys
crypto: authencesn - don't leak pointers to authenc keys
usb: hub: Don't wait for connect state at resume for powered-off ports
microblaze: Fix simpleImage format generation
soc: imx: gpcv2: Do not pass static memory as platform data
serial: core: Make sure compiler barfs for 16-byte earlycon names
staging: lustre: ldlm: free resource when ldlm_lock_create() fails.
staging: lustre: llite: correct removexattr detection
staging: vchiq_core: Fix missing semaphore release in error case
audit: allow not equal op for audit by executable
rsi: fix nommu_map_sg overflow kernel panic
rsi: Fix 'invalid vdd' warning in mmc
ipconfig: Correctly initialise ic_nameservers
drm/gma500: fix psb_intel_lvds_mode_valid()'s return type
igb: Fix queue selection on MAC filters on i210
arm64: defconfig: Enable Rockchip io-domain driver
nvme: lightnvm: add granby support
memory: tegra: Apply interrupts mask per SoC
memory: tegra: Do not handle spurious interrupts
delayacct: Use raw_spinlocks
stop_machine: Use raw spinlocks
backlight: pwm_bl: Don't use GPIOF_* with gpiod_get_direction
dt-bindings: net: meson-dwmac: new compatible name for AXG SoC
net: hns3: Fixes the out of bounds access in hclge_map_tqp
spi: meson-spicc: Fix error handling in meson_spicc_probe()
dt-bindings: pinctrl: meson: add support for the Meson8m2 SoC
mmc: pwrseq: Use kmalloc_array instead of stack VLA
mmc: dw_mmc: update actual clock for mmc debugfs
ALSA: hda/ca0132: fix build failure when a local macro is defined
drm/atomic: Handling the case when setting old crtc for plane
media: siano: get rid of __le32/__le16 cast warnings
f2fs: avoid fsync() failure caused by EAGAIN in writepage()
bpf: fix references to free_bpf_prog_info() in comments
thermal: exynos: fix setting rising_threshold for Exynos5433
staging: lustre: o2iblnd: Fix FastReg map/unmap for MLX5
staging: lustre: o2iblnd: fix race at kiblnd_connect_peer
scsi: qedf: Set the UNLOADING flag when removing a vport
scsi: hisi_sas: config ATA de-reset as an constrained command for v3 hw
scsi: megaraid: silence a static checker bug
scsi: 3w-xxxx: fix a missing-check bug
scsi: 3w-9xxx: fix a missing-check bug
bnxt_en: Check unsupported speeds in bnxt_update_link() on PF only.
perf: fix invalid bit in diagnostic entry
s390/cpum_sf: Add data entry sizes to sampling trailer entry
brcmfmac: Add support for bcm43364 wireless chipset
mtd: rawnand: fsl_ifc: fix FSL NAND driver to read all ONFI parameter pages
media: saa7164: Fix driver name in debug output
media: media-device: fix ioctl function types
ACPI / LPSS: Only call pwm_add_table() for Bay Trail PWM if PMIC HRV is 2
libata: Fix command retry decision
media: rcar_jpu: Add missing clk_disable_unprepare() on error in jpu_open()
net: phy: phylink: Release link GPIO
dma-iommu: Fix compilation when !CONFIG_IOMMU_DMA
tty: Fix data race in tty_insert_flip_string_fixed_flag
i40e: free the skb after clearing the bitlock
nvmem: properly handle returned value nvmem_reg_read
ARM: dts: sh73a0: Add missing interrupt-affinity to PMU node
ARM: dts: emev2: Add missing interrupt-affinity to PMU node
ARM: dts: stih407-pinctrl: Fix complain about IRQ_TYPE_NONE usage
EDAC, altera: Fix ARM64 build warning
HID: i2c-hid: check if device is there before really probing
powerpc/embedded6xx/hlwd-pic: Prevent interrupts from being handled by Starlet
drm/amdgpu: Remove VRAM from shared bo domains.
drm/radeon: fix mode_valid's return type
arm64: dts: renesas: salvator-common: use audio-graph-card for Sound
HID: hid-plantronics: Re-resend Update to map button for PTT products
arm64: cmpwait: Clear event register before arming exclusive monitor
media: atomisp: ov2680: don't declare unused vars
ALSA: usb-audio: Apply rate limit to warning messages in URB complete callback
net: ethernet: ti: cpsw-phy-sel: check bus_find_device() ret value
media: smiapp: fix timeout checking in smiapp_read_nvm
ixgbevf: fix MAC address changes through ixgbevf_set_mac()
md: fix NULL dereference of mddev->pers in remove_and_add_spares()
md/raid1: add error handling of read error from FailFast device
regulator: pfuze100: add .is_enable() for pfuze100_swb_regulator_ops
ALSA: emu10k1: Rate-limit error messages about page errors
rtc: tps65910: fix possible race condition
rtc: vr41xx: fix possible race condition
rtc: tps6586x: fix possible race condition
Bluetooth: btusb: add ID for LiteOn 04ca:301a
drm/nouveau/fifo/gk104-: poll for runlist update completion
scsi: zfcp: assert that the ERP lock is held when tracing a recovery trigger
scsi: ufs: fix exception event handling
scsi: ufs: ufshcd: fix possible unclocked register access
fscrypt: use unbound workqueue for decryption
net: hns3: Fix the missing client list node initialization
spi: Add missing pm_runtime_put_noidle() after failed get
drivers/perf: arm-ccn: don't log to dmesg in event_init
ima: based on policy verify firmware signatures (pre-allocated buffer)
mwifiex: correct histogram data with appropriate index
net: dsa: qca8k: Add support for QCA8334 switch
PCI: pciehp: Request control of native hotplug only if supported
bpf: powerpc64: pad function address loads with NOPs
pinctrl: at91-pio4: add missing of_node_put
powerpc/8xx: fix invalid register expression in head_8xx.S
spi: sh-msiof: Fix setting SIRMDR1.SYNCAC to match SITMDR1.SYNCAC
powerpc: Add __printf verification to prom_printf
powerpc/powermac: Mark variable x as unused
powerpc/powermac: Add missing prototype for note_bootable_part()
powerpc/chrp/time: Make some functions static, add missing header include
powerpc/32: Add a missing include header
ath: Add regulatory mapping for Bahamas
ath: Add regulatory mapping for Bermuda
ath: Add regulatory mapping for Serbia
ath: Add regulatory mapping for Tanzania
ath: Add regulatory mapping for Uganda
ath: Add regulatory mapping for APL2_FCCA
ath: Add regulatory mapping for APL13_WORLD
ath: Add regulatory mapping for ETSI8_WORLD
ath: Add regulatory mapping for FCC3_ETSIC
nvme-pci: Fix AER reset handling
nvme-rdma: stop admin queue before freeing it
PCI: Prevent sysfs disable of device while driver is attached
PM / wakeup: Make s2idle_lock a RAW_SPINLOCK
x86/microcode: Make the late update update_lock a raw lock for RT
btrfs: qgroup: Finish rescan when hit the last leaf of extent tree
btrfs: add barriers to btrfs_sync_log before log_commit_wait wakeups
Btrfs: don't BUG_ON() in btrfs_truncate_inode_items()
Btrfs: don't return ino to ino cache if inode item removal fails
media: videobuf2-core: don't call memop 'finish' when queueing
media: tw686x: Fix incorrect vb2_mem_ops GFP flags
net: hns3: Fixes the init of the VALID BD info in the descriptor
wlcore: sdio: check for valid platform device data before suspend
mwifiex: handle race during mwifiex_usb_disconnect
mfd: cros_ec: Fail early if we cannot identify the EC
ASoC: dpcm: fix BE dai not hw_free and shutdown
Bluetooth: btusb: Add a new Realtek 8723DE ID 2ff8:b011
Bluetooth: hci_qca: Fix "Sleep inside atomic section" warning
iwlwifi: pcie: fix race in Rx buffer allocator
btrfs: balance dirty metadata pages in btrfs_finish_ordered_io
PCI: Fix devm_pci_alloc_host_bridge() memory leak
selftests: intel_pstate: return Kselftest Skip code for skipped tests
selftests: memfd: return Kselftest Skip code for skipped tests
selftests/intel_pstate: Improve test, minor fixes
perf/x86/intel/uncore: Correct fixed counter index check for NHM
perf/x86/intel/uncore: Correct fixed counter index check in generic code
usbip: dynamically allocate idev by nports found in sysfs
usbip: usbip_detach: Fix memory, udev context and udev leak
block, bfq: remove wrong lock in bfq_requests_merged
f2fs: fix race in between GC and atomic open
f2fs: fix to detect failure of dquot_initialize
f2fs: Fix deadlock in shutdown ioctl
f2fs: fix to wait page writeback during revoking atomic write
f2fs: fix to don't trigger writeback during recovery
f2fs: fix error path of move_data_page
disable loading f2fs module on PAGE_SIZE > 4KB
pnfs: Don't release the sequence slot until we've processed layoutget on open
netfilter: nf_tables: check msg_type before nft_trans_set(trans)
lightnvm: pblk: warn in case of corrupted write buffer
RDMA/mad: Convert BUG_ONs to error flows
powerpc/64s: Fix compiler store ordering to SLB shadow area
hvc_opal: don't set tb_ticks_per_usec in udbg_init_opal_common()
powerpc/eeh: Fix use-after-release of EEH driver
powerpc/64s: Add barrier_nospec
powerpc/lib: Adjust .balign inside string functions for PPC32
infiniband: fix a possible use-after-free bug
e1000e: Ignore TSYNCRXCTL when getting I219 clock attributes
ceph: fix alignment of rasize
bpf, arm32: fix inconsistent naming about emit_a32_lsr_{r64,i64}
printk: drop in_nmi check from printk_safe_flush_on_panic()
watchdog: da9063: Fix updating timeout value
irqchip/ls-scfg-msi: Map MSIs in the iommu
netfilter: ipset: List timing out entries with "timeout 1" instead of zero
netfilter: ipset: forbid family for hash:mac sets
perf tools: Fix pmu events parsing rule
rtc: ensure rtc_set_alarm fails when alarms are not supported
mm/slub.c: add __printf verification to slab_err()
mm: vmalloc: avoid racy handling of debugobjects in vunmap
mm: /proc/pid/pagemap: hide swap entries from unprivileged users
kernel/hung_task.c: show all hung tasks before panic
vfio/type1: Fix task tracking for QEMU vCPU hotplug
vfio/mdev: Check globally for duplicate devices
vfio: platform: Fix reset module leak in error path
nfsd: fix potential use-after-free in nfsd4_decode_getdeviceinfo
NFSv4.1: Fix the client behaviour on NFS4ERR_SEQ_FALSE_RETRY
ALSA: fm801: add error handling for snd_ctl_add
ALSA: emu10k1: add error handling for snd_ctl_add
skip LAYOUTRETURN if layout is invalid
hv_netvsc: fix network namespace issues with VF support
xen/netfront: raise max number of slots in xennet_get_responses()
kcov: ensure irq code sees a valid area
mlxsw: spectrum_switchdev: Fix port_vlan refcounting
arm64: fix vmemmap BUILD_BUG_ON() triggering on !vmemmap setups
tracing: Quiet gcc warning about maybe unused link variable
tracing/kprobes: Fix trace_probe flags on enable_trace_kprobe() failure
kthread, tracing: Don't expose half-written comm when creating kthreads
tracing: Fix possible double free in event_enable_trigger_func()
tracing: Fix double free of event_trigger_data
delayacct: fix crash in delayacct_blkio_end() after delayacct init failure
kvm, mm: account shadow page tables to kmemcg
Input: elan_i2c - add another ACPI ID for Lenovo Ideapad 330-15AST
Input: i8042 - add Lenovo LaVie Z to the i8042 reset list
Input: elan_i2c - add ACPI ID for lenovo ideapad 330
spi: spi-s3c64xx: Fix system resume support
drivers/infiniband/ulp/srpt/ib_srpt.c: fix build with gcc-4.4.4
IB/srpt: Fix an out-of-bounds stack access in srpt_zerolength_write()
drivers/infiniband/core/verbs.c: fix build with gcc-4.4.4
RDMA/core: Avoid that ib_drain_qp() triggers an out-of-bounds stack access
i2c: core: decrease reference count of device node in i2c_unregister_device
fork: unconditionally clear stack on fork
Linux 4.14.59
turn off -Wattribute-alias
can: m_can.c: fix setup of CCCR register: clear CCCR NISO bit before checking can.ctrlmode
can: peak_canfd: fix firmware < v3.3.0: limit allocation to 32-bit DMA addr only
can: xilinx_can: fix RX overflow interrupt not being enabled
can: xilinx_can: fix incorrect clear of non-processed interrupts
can: xilinx_can: keep only 1-2 frames in TX FIFO to fix TX accounting
can: xilinx_can: fix device dropping off bus on RX overrun
can: xilinx_can: fix recovery from error states not being propagated
can: xilinx_can: fix power management handling
can: xilinx_can: fix RX loop if RXNEMP is asserted without RXOK
driver core: Partially revert "driver core: correct device's shutdown order"
usb: gadget: f_fs: Only return delayed status when len is 0
usb: dwc2: Fix DMA alignment to start at allocated boundary
usb: core: handle hub C_PORT_OVER_CURRENT condition
usb: cdc_acm: Add quirk for Castles VEGA3000
staging: speakup: fix wraparound in uaccess length check
tcp: add tcp_ooo_try_coalesce() helper
tcp: call tcp_drop() from tcp_data_queue_ofo()
tcp: detect malicious patterns in tcp_collapse_ofo_queue()
tcp: avoid collapses in tcp_prune_queue() if possible
tcp: free batches of packets in tcp_prune_ofo_queue()
tcp: do not delay ACK in DCTCP upon CE status change
tcp: do not cancel delay-AcK on DCTCP special ACK
tcp: helpers to send special DCTCP ack
tcp: fix dctcp delayed ACK schedule
vxlan: fix default fdb entry netlink notify ordering during netdev create
vxlan: make netlink notify in vxlan_fdb_destroy optional
vxlan: add new fdb alloc and create helpers
rtnetlink: add rtnl_link_state check in rtnl_configure_link
sock: fix sg page frag coalescing in sk_alloc_sg
net: phy: consider PHY_IGNORE_INTERRUPT in phy_start_aneg_priv
multicast: do not restore deleted record source filter mode to new one
net/ipv6: Fix linklocal to global address with VRF
net/mlx5e: Fix quota counting in aRFS expire flow
net/mlx5e: Don't allow aRFS for encapsulated packets
net/mlx5: Adjust clock overflow work period
net: skb_segment() should not return NULL
net/mlx4_core: Save the qpn from the input modifier in RST2INIT wrapper
ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull
ip: hash fragments consistently
bonding: set default miimon value for non-arp modes if not set
drm/nouveau: Set DRIVER_ATOMIC cap earlier to fix debugfs
drm/nouveau/drm/nouveau: Fix runtime PM leak in nv50_disp_atomic_commit()
KVM: PPC: Check if IOMMU page is contained in the pinned physical page
xen/PVH: Set up GS segment for stack canary
MIPS: Fix off-by-one in pci_resource_to_user()
MIPS: ath79: fix register address in ath79_ddr_wb_flush()
Revert "cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting"
ANDROID: verity: really fix android-verity Kconfig
tcp: add tcp_ooo_try_coalesce() helper
tcp: call tcp_drop() from tcp_data_queue_ofo()
tcp: detect malicious patterns in tcp_collapse_ofo_queue()
tcp: avoid collapses in tcp_prune_queue() if possible
tcp: free batches of packets in tcp_prune_ofo_queue()
x86_64_cuttlefish_defconfig: Enable android-verity
x86_64_cuttlefish_defconfig: enable verity cert
ANDROID: android-verity: Fix broken parameter handling.
ANDROID: android-verity: Make it work with newer kernels
ANDROID: android-verity: Add API to verify signature with builtin keys.
ANDROID: verity: fix android-verity Kconfig dependencies
Linux 4.14.58
xhci: Fix perceived dead host due to runtime suspend race with event handler
powerpc/powernv: Fix save/restore of SPRG3 on entry/exit from stop (idle)
cxl_getfile(): fix double-iput() on alloc_file() failures
alpha: fix osf_wait4() breakage
net: usb: asix: replace mii_nway_restart in resume path
ipv6: make DAD fail with enhanced DAD when nonce length differs
net: systemport: Fix CRC forwarding check for SYSTEMPORT Lite
net/mlx4_en: Don't reuse RX page when XDP is set
hv_netvsc: Fix napi reschedule while receive completion is busy
tg3: Add higher cpu clock for 5762.
qmi_wwan: add support for Quectel EG91
ptp: fix missing break in switch
net: phy: fix flag masking in __set_phy_supported
net/ipv4: Set oif in fib_compute_spec_dst
skbuff: Unconditionally copy pfmemalloc in __skb_clone()
net: Don't copy pfmemalloc flag in __copy_skb_header()
net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort
lib/rhashtable: consider param->min_size when setting initial table size
ipv6: ila: select CONFIG_DST_CACHE
ipv6: fix useless rol32 call on hash
ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns
gen_stats: Fix netlink stats dumping in the presence of padding
drm/nouveau: Avoid looping through fake MST connectors
drm/nouveau: Use drm_connector_list_iter_* for iterating connectors
drm/i915: Fix hotplug irq ack on i965/g4x
stop_machine: Disable preemption when waking two stopper threads
vfio/spapr: Use IOMMU pageshift rather than pagesize
vfio/pci: Fix potential Spectre v1
cpufreq: intel_pstate: Register when ACPI PCCH is present
mm/huge_memory.c: fix data loss when splitting a file pmd
mm: memcg: fix use after free in mem_cgroup_iter()
ARC: mm: allow mprotect to make stack mappings executable
ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
ARC: Fix CONFIG_SWAP
ARCv2: [plat-hsdk]: Save accl reg pair by default
ALSA: hda: add mute led support for HP ProBook 455 G5
ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk
ALSA: rawmidi: Change resized buffers atomically
fat: fix memory allocation failure handling of match_strdup()
x86/MCE: Remove min interval polling limitation
x86/events/intel/ds: Fix bts_interrupt_threshold alignment
x86/apm: Don't access __preempt_count with zeroed fs
KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel.
scsi: sd_zbc: Fix variable type and bogus comment
ANDROID: uid_sys_stats: Replace tasklist lock with RCU in uid_cputime_show
Linux 4.14.57
string: drop __must_check from strscpy() and restore strscpy() usages in cgroup
arm64: KVM: Add ARCH_WORKAROUND_2 discovery through ARCH_FEATURES_FUNC_ID
arm64: KVM: Handle guest's ARCH_WORKAROUND_2 requests
arm64: KVM: Add ARCH_WORKAROUND_2 support for guests
arm64: KVM: Add HYP per-cpu accessors
arm64: ssbd: Add prctl interface for per-thread mitigation
arm64: ssbd: Introduce thread flag to control userspace mitigation
arm64: ssbd: Restore mitigation status on CPU resume
arm64: ssbd: Skip apply_ssbd if not using dynamic mitigation
arm64: ssbd: Add global mitigation state accessor
arm64: Add 'ssbd' command-line option
arm64: Add ARCH_WORKAROUND_2 probing
arm64: Add per-cpu infrastructure to call ARCH_WORKAROUND_2
arm64: Call ARCH_WORKAROUND_2 on transitions between EL0 and EL1
arm/arm64: smccc: Add SMCCC-specific return codes
KVM: arm64: Avoid storing the vcpu pointer on the stack
KVM: arm/arm64: Do not use kern_hyp_va() with kvm_vgic_global_state
arm64: alternatives: Add dynamic patching feature
KVM: arm64: Stop save/restoring host tpidr_el1 on VHE
arm64: alternatives: use tpidr_el2 on VHE hosts
KVM: arm64: Change hyp_panic()s dependency on tpidr_el2
KVM: arm/arm64: Convert kvm_host_cpu_state to a static per-cpu allocation
KVM: arm64: Store vcpu on the stack during __guest_enter()
net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.
rds: avoid unenecessary cong_update in loop transport
bdi: Fix another oops in wb_workfn()
netfilter: ipv6: nf_defrag: drop skb dst before queueing
nsh: set mac len based on inner packet
autofs: fix slab out of bounds read in getname_kernel()
tls: Stricter error checking in zerocopy sendmsg path
KEYS: DNS: fix parsing multiple options
reiserfs: fix buffer overflow with long warning messages
netfilter: ebtables: reject non-bridge targets
PCI: hv: Disable/enable IRQs rather than BH in hv_compose_msi_msg()
block: do not use interruptible wait anywhere
mtd: rawnand: denali_dt: set clk_x_rate to 200 MHz unconditionally
crypto: af_alg - Initialize sg_num_bytes in error code path
clocksource: Initialize cs->wd_list
media: rc: oops in ir_timer_keyup after device unplug
xhci: Fix USB3 NULL pointer dereference at logical disconnect.
net: lan78xx: Fix race in tx pending skb size calculation
rtlwifi: rtl8821ae: fix firmware is not ready to run
rtlwifi: Fix kernel Oops "Fw download fail!!"
net: cxgb3_main: fix potential Spectre v1
VSOCK: fix loopback on big-endian systems
vhost_net: validate sock before trying to put its fd
tcp: prevent bogus FRTO undos with non-SACK flows
tcp: fix Fast Open key endianness
strparser: Remove early eaten to fix full tcp receive buffer stall
stmmac: fix DMA channel hang in half-duplex mode
r8152: napi hangup fix after disconnect
qmi_wwan: add support for the Dell Wireless 5821e module
qed: Limit msix vectors in kdump kernel to the minimum required count.
qed: Fix use of incorrect size in memcpy call.
qed: Fix setting of incorrect eswitch mode.
qede: Adverstise software timestamp caps when PHC is not available.
net/tcp: Fix socket lookups with SO_BINDTODEVICE
net: sungem: fix rx checksum support
net_sched: blackhole: tell upper qdisc about dropped packets
net/packet: fix use-after-free
net: mvneta: fix the Rx desc DMA address in the Rx path
net/mlx5: Fix wrong size allocation for QoS ETC TC regitster
net/mlx5: Fix required capability for manipulating MPFS
net/mlx5: Fix incorrect raw command length parsing
net/mlx5: Fix command interface race in polling mode
net/mlx5: E-Switch, Avoid setup attempt if not being e-switch manager
net/mlx5e: Don't attempt to dereference the ppriv struct if not being eswitch manager
net/mlx5e: Avoid dealing with vport representors if not being e-switch manager
net: macb: Fix ptp time adjustment for large negative delta
net: fix use-after-free in GRO with ESP
net: dccp: switch rx_tstamp_last_feedback to monotonic clock
net: dccp: avoid crash in ccid3_hc_rx_send_feedback()
ixgbe: split XDP_TX tail and XDP_REDIRECT map flushing
ipvlan: fix IFLA_MTU ignored on NEWLINK
ipv6: sr: fix passing wrong flags to crypto_alloc_shash()
hv_netvsc: split sub-channel setup into async and sync
atm: zatm: Fix potential Spectre v1
atm: Preserve value of skb->truesize when accounting to vcc
alx: take rtnl before calling __alx_open from resume
crypto: crypto4xx - fix crypto4xx_build_pdr, crypto4xx_build_sdr leak
crypto: crypto4xx - remove bad list_del
PCI: exynos: Fix a potential init_clk_resources NULL pointer dereference
bcm63xx_enet: do not write to random DMA channel on BCM6345
bcm63xx_enet: correct clock usage
ocfs2: ip_alloc_sem should be taken in ocfs2_get_block()
ocfs2: subsystem.su_mutex is required while accessing the item->ci_parent
xprtrdma: Fix corner cases when handling device removal
cpufreq / CPPC: Set platform specific transition_delay_us
Btrfs: fix duplicate extents after fsync of file with prealloc extents
x86/paravirt: Make native_save_fl() extern inline
x86/asm: Add _ASM_ARG* constants for argument registers to <asm/asm.h>
compiler-gcc.h: Add __attribute__((gnu_inline)) to all inline declarations
ANDROID: Add hold functionality to schedtune CPU boost
ANDROID: sched/rt: Add schedtune accounting to rt task enqueue/dequeue
UPSTREAM: cpuidle: menu: Avoid selecting shallow states with stopped tick
UPSTREAM: cpuidle: menu: Refine idle state selection for running tick
UPSTREAM: sched: idle: Select idle state before stopping the tick
BACKPORT: time: hrtimer: Introduce hrtimer_next_event_without()
BACKPORT: time: tick-sched: Split tick_nohz_stop_sched_tick()
UPSTREAM: cpuidle: Return nohz hint from cpuidle_select()
UPSTREAM: jiffies: Introduce USER_TICK_USEC and redefine TICK_USEC
UPSTREAM: sched: idle: Do not stop the tick before cpuidle_idle_call()
BACKPORT: sched: idle: Do not stop the tick upfront in the idle loop
BACKPORT: time: tick-sched: Reorganize idle tick management code
ANDROID: sched/fair: fix a warning
ANDROID: sched/walt: Fix compilation issue for x86_64
ANDROID: mnt: Fix next_descendent
ANDROID: sched/events: Introduce util_est trace events
ANDROID: sched/fair: schedtune: update before schedutil
FROMLIST: sched/fair: add support to tune PELT ramp/decay timings
BACKPORT: sched/fair: Update util_est before updating schedutil
BACKPORT: sched/fair: Update util_est only on util_avg updates
BACKPORT: sched/fair: Use util_est in LB and WU paths
BACKPORT: sched/fair: Add util_est on top of PELT
ANDROID: sched/fair: Cleanup cpu_util{_wake}()
ANDROID: sched: Update max cpu capacity in case of max frequency constraints
ANDROID: arm: enable max frequency capping
ANDROID: arm64: enable max frequency capping
ANDROID: implement max frequency capping
ANDROID: sched/fair: add arch scaling function for max frequency capping
ANDROID: trace: Add WALT util signal to trace event sched_load_cfs_rq
ANDROID: sched, trace: Remove trace event sched_load_avg_cpu
ANDROID: Rename and move include/linux/sched_energy.h
ANDROID: Adjust juno energy model
ANDROID: Check equality of max cap state cap and cpu scale
ANDROID: Move energy model init call into arch_topology driver
ANDROID: Streamline sched_domain_energy_f functions
ANDROID: Separate cpu_scale and energy model setup
ANDROID: update_group_capacity for single cpu in cluster
ANDROID: sched/fair: return idle CPU immediately for prefer_idle
ANDROID: sched/fair: add idle state filter to prefer_idle case
ANDROID: sched/fair: remove order from CPU selection
ANDROID: sched/fair: unify spare capacity calculation
ANDROID:sched/fair: prefer energy efficient CPUs for !prefer_idle tasks
ANDROID: sched/fair: fix CPU selection for non latency sensitive tasks
ANDROID: sched/fair: Also do misfit in overloaded groups
ANDROID: sched/fair: Don't balance misfits if it would overload local group
ANDROID: sched/fair: Attempt to improve throughput for asym cap systems
FROMLIST: sched/fair: Don't move tasks to lower capacity cpus unless necessary
FROMLIST: sched/core: Disable SD_PREFER_SIBLING on asymmetric cpu capacity domains
FROMLIST: sched/core: Disable SD_ASYM_CPUCAPACITY for root_domains without asymmetry
FROMLIST: sched/fair: Set rq->rd->overload when misfit
FROMLIST: sched: Wrap rq->rd->overload accesses with READ/WRITE_ONCE
FROMLIST: sched: Change root_domain->overload type to int
FROMLIST: sched/fair: Change prefer_sibling type to bool
FROMLIST: sched/fair: Consider misfit tasks when load-balancing
FROMLIST: sched: Add sched_group per-cpu max capacity
FROMLIST: sched/fair: Add group_misfit_task load-balance type
FROMLIST: sched: Add static_key for asymmetric cpu capacity optimizations
UPSTREAM: ANDROID: binder: change down_write to down_read
UPSTREAM: ANDROID: binder: correct the cmd print for BINDER_WORK_RETURN_ERROR
UPSTREAM: ANDROID: binder: remove 32-bit binder interface.
UPSTREAM: android: binder: Use true and false for boolean values
UPSTREAM: android: binder: Use octal permissions
UPSTREAM: android: binder: Prefer __func__ to using hardcoded function name
UPSTREAM: ANDROID: binder: make binder_alloc_new_buf_locked static and indent its arguments
UPSTREAM: android: binder: Check for errors in binder_alloc_shrinker_init().
Conflicts:
arch/arm64/Kconfig
arch/arm64/include/asm/cpucaps.h
arch/arm64/include/asm/cpufeature.h
arch/arm64/include/asm/thread_info.h
arch/arm64/kernel/cpu_errata.c
arch/arm64/kernel/cpufeature.c
arch/arm64/kernel/entry.S
arch/arm64/kernel/ssbd.c
drivers/base/arch_topology.c
drivers/md/Kconfig
drivers/scsi/ufs/ufshcd.c
drivers/usb/gadget/function/f_fs.c
include/trace/events/sched.h
kernel/sched/cpufreq_schedutil.c
kernel/sched/energy.c
kernel/sched/fair.c
kernel/sched/features.h
kernel/sched/sched.h
kernel/sched/topology.c
kernel/sched/tune.c
kernel/sched/walt.c
kernel/sched/walt.h
kernel/stop_machine.c
kernel/time/tick-sched.c
net/socket.c
sound/core/rawmidi.c
Change-Id: Ia246711317930ecd55bb42565a04e6b4fdfc26d2
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
|
||
|
|
751f22bb57 |
tcp: free batches of packets in tcp_prune_ofo_queue()
[ Upstream commit 72cd43ba64fc172a443410ce01645895850844c8 ]
Juha-Matti Tilli reported that malicious peers could inject tiny
packets in out_of_order_queue, forcing very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
every incoming packet. out_of_order_queue rb-tree can contain
thousands of nodes, iterating over all of them is not nice.
Before linux-4.9, we would have pruned all packets in ofo_queue
in one go, every XXXX packets. XXXX depends on sk_rcvbuf and skbs
truesize, but is about 7000 packets with tcp_rmem[2] default of 6 MB.
Since we plan to increase tcp_rmem[2] in the future to cope with
modern BDP, can not revert to the old behavior, without great pain.
Strategy taken in this patch is to purge ~12.5 % of the queue capacity.
CRs-Fixed: 2290234
Change-Id: I5613d918ef491fe03c75bb02ec0f5137d21a6785
Fixes: |
||
|
|
d29d36d37d |
Merge 4.14.58 into android-4.14-p
Changes in 4.14.58
scsi: sd_zbc: Fix variable type and bogus comment
KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel.
x86/apm: Don't access __preempt_count with zeroed fs
x86/events/intel/ds: Fix bts_interrupt_threshold alignment
x86/MCE: Remove min interval polling limitation
fat: fix memory allocation failure handling of match_strdup()
ALSA: rawmidi: Change resized buffers atomically
ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk
ALSA: hda: add mute led support for HP ProBook 455 G5
ARCv2: [plat-hsdk]: Save accl reg pair by default
ARC: Fix CONFIG_SWAP
ARC: configs: Remove CONFIG_INITRAMFS_SOURCE from defconfigs
ARC: mm: allow mprotect to make stack mappings executable
mm: memcg: fix use after free in mem_cgroup_iter()
mm/huge_memory.c: fix data loss when splitting a file pmd
cpufreq: intel_pstate: Register when ACPI PCCH is present
vfio/pci: Fix potential Spectre v1
vfio/spapr: Use IOMMU pageshift rather than pagesize
stop_machine: Disable preemption when waking two stopper threads
drm/i915: Fix hotplug irq ack on i965/g4x
drm/nouveau: Use drm_connector_list_iter_* for iterating connectors
drm/nouveau: Avoid looping through fake MST connectors
gen_stats: Fix netlink stats dumping in the presence of padding
ipv4: Return EINVAL when ping_group_range sysctl doesn't map to user ns
ipv6: fix useless rol32 call on hash
ipv6: ila: select CONFIG_DST_CACHE
lib/rhashtable: consider param->min_size when setting initial table size
net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort
net: Don't copy pfmemalloc flag in __copy_skb_header()
skbuff: Unconditionally copy pfmemalloc in __skb_clone()
net/ipv4: Set oif in fib_compute_spec_dst
net: phy: fix flag masking in __set_phy_supported
ptp: fix missing break in switch
qmi_wwan: add support for Quectel EG91
tg3: Add higher cpu clock for 5762.
hv_netvsc: Fix napi reschedule while receive completion is busy
net/mlx4_en: Don't reuse RX page when XDP is set
net: systemport: Fix CRC forwarding check for SYSTEMPORT Lite
ipv6: make DAD fail with enhanced DAD when nonce length differs
net: usb: asix: replace mii_nway_restart in resume path
alpha: fix osf_wait4() breakage
cxl_getfile(): fix double-iput() on alloc_file() failures
powerpc/powernv: Fix save/restore of SPRG3 on entry/exit from stop (idle)
xhci: Fix perceived dead host due to runtime suspend race with event handler
Linux 4.14.58
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
|
f3a5ba6310 |
tcp: free batches of packets in tcp_prune_ofo_queue()
[ Upstream commit 72cd43ba64fc172a443410ce01645895850844c8 ]
Juha-Matti Tilli reported that malicious peers could inject tiny
packets in out_of_order_queue, forcing very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
every incoming packet. out_of_order_queue rb-tree can contain
thousands of nodes, iterating over all of them is not nice.
Before linux-4.9, we would have pruned all packets in ofo_queue
in one go, every XXXX packets. XXXX depends on sk_rcvbuf and skbs
truesize, but is about 7000 packets with tcp_rmem[2] default of 6 MB.
Since we plan to increase tcp_rmem[2] in the future to cope with
modern BDP, can not revert to the old behavior, without great pain.
Strategy taken in this patch is to purge ~12.5 % of the queue capacity.
Fixes:
|
||
|
|
842b0c0716 |
tcp: free batches of packets in tcp_prune_ofo_queue()
[ Upstream commit 72cd43ba64fc172a443410ce01645895850844c8 ]
Juha-Matti Tilli reported that malicious peers could inject tiny
packets in out_of_order_queue, forcing very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
every incoming packet. out_of_order_queue rb-tree can contain
thousands of nodes, iterating over all of them is not nice.
Before linux-4.9, we would have pruned all packets in ofo_queue
in one go, every XXXX packets. XXXX depends on sk_rcvbuf and skbs
truesize, but is about 7000 packets with tcp_rmem[2] default of 6 MB.
Since we plan to increase tcp_rmem[2] in the future to cope with
modern BDP, can not revert to the old behavior, without great pain.
Strategy taken in this patch is to purge ~12.5 % of the queue capacity.
Fixes:
|
||
|
|
6403b54a4f |
net: Don't copy pfmemalloc flag in __copy_skb_header()
[ Upstream commit 8b7008620b8452728cadead460a36f64ed78c460 ]
The pfmemalloc flag indicates that the skb was allocated from
the PFMEMALLOC reserves, and the flag is currently copied on skb
copy and clone.
However, an skb copied from an skb flagged with pfmemalloc
wasn't necessarily allocated from PFMEMALLOC reserves, and on
the other hand an skb allocated that way might be copied from an
skb that wasn't.
So we should not copy the flag on skb copy, and rather decide
whether to allow an skb to be associated with sockets unrelated
to page reclaim depending only on how it was allocated.
Move the pfmemalloc flag before headers_start[0] using an
existing 1-bit hole, so that __copy_skb_header() doesn't copy
it.
When cloning, we'll now take care of this flag explicitly,
contravening to the warning comment of __skb_clone().
While at it, restore the newline usage introduced by commit |
||
|
|
42d65f0675 |
udp: add udp gso
Implement generic segmentation offload support for udp datagrams. A
follow-up patch adds support to the protocol stack to generate such
packets.
UDP GSO is not UFO. UFO fragments a single large datagram. GSO splits
a large payload into a number of discrete UDP datagrams.
The implementation adds a GSO type SKB_UDP_GSO_L4 to differentiate it
from UFO (SKB_UDP_GSO).
IPPROTO_UDPLITE is excluded, as that protocol has no gso handler
registered.
Change-Id: Iff5e2f40ba816b4ee6675fa5a8f47d78c2ba91cb
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Git-commit: ee80d1ebe5ba7f4bd74959c873119175a4fc08d3
Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git
Signed-off-by: Sean Tranchetti <stranche@codeaurora.org> |
||
|
|
2abfcdf8e7 |
kmemcheck: remove annotations
commit 4950276672fce5c241857540f8561c440663673d upstream.
Patch series "kmemcheck: kill kmemcheck", v2.
As discussed at LSF/MM, kill kmemcheck.
KASan is a replacement that is able to work without the limitation of
kmemcheck (single CPU, slow). KASan is already upstream.
We are also not aware of any users of kmemcheck (or users who don't
consider KASan as a suitable replacement).
The only objection was that since KASAN wasn't supported by all GCC
versions provided by distros at that time we should hold off for 2
years, and try again.
Now that 2 years have passed, and all distros provide gcc that supports
KASAN, kill kmemcheck again for the very same reasons.
This patch (of 4):
Remove kmemcheck annotations, and calls to kmemcheck from the kernel.
[alexander.levin@verizon.com: correctly remove kmemcheck call from dma_map_sg_attrs]
Link: http://lkml.kernel.org/r/20171012192151.26531-1-alexander.levin@verizon.com
Link: http://lkml.kernel.org/r/20171007030159.22241-2-alexander.levin@verizon.com
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Cc: Alexander Potapenko <glider@google.com>
Cc: Eric W. Biederman <ebiederm@xmission.com>
Cc: Michal Hocko <mhocko@kernel.org>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Tim Hansen <devtimhansen@gmail.com>
Cc: Vegard Nossum <vegardno@ifi.uio.no>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
|
60335608e2 |
net: accept UFO datagrams from tuntap and packet
[ Upstream commit 0c19f846d582af919db66a5914a0189f9f92c936 ]
Tuntap and similar devices can inject GSO packets. Accept type
VIRTIO_NET_HDR_GSO_UDP, even though not generating UFO natively.
Processes are expected to use feature negotiation such as TUNSETOFFLOAD
to detect supported offload types and refrain from injecting other
packets. This process breaks down with live migration: guest kernels
do not renegotiate flags, so destination hosts need to expose all
features that the source host does.
Partially revert the UFO removal from 182e0b6b5846~1..d9d30adf5677.
This patch introduces nearly(*) no new code to simplify verification.
It brings back verbatim tuntap UFO negotiation, VIRTIO_NET_HDR_GSO_UDP
insertion and software UFO segmentation.
It does not reinstate protocol stack support, hardware offload
(NETIF_F_UFO), SKB_GSO_UDP tunneling in SKB_GSO_SOFTWARE or reception
of VIRTIO_NET_HDR_GSO_UDP packets in tuntap.
To support SKB_GSO_UDP reappearing in the stack, also reinstate
logic in act_csum and openvswitch. Achieve equivalence with v4.13 HEAD
by squashing in commit |
||
|
|
2b5ec1a5f9 |
netfilter/ipvs: clear ipvs_property flag when SKB net namespace changed
When run ipvs in two different network namespace at the same host, and one
ipvs transport network traffic to the other network namespace ipvs.
'ipvs_property' flag will make the second ipvs take no effect. So we should
clear 'ipvs_property' when SKB network namespace changed.
Fixes:
|
||
|
|
ca2c1418ef |
udp: drop head states only when all skb references are gone
After commit |
||
|
|
c1d1b43781 |
net: convert (struct ubuf_info)->refcnt to refcount_t
refcount_t type and corresponding API should be
used instead of atomic_t when the variable is used as
a reference counter. This allows to avoid accidental
refcounter overflows that might lead to use-after-free
situations.
v2: added the change in drivers/vhost/net.c as spotted
by Willem.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
|
6026e043d0 |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Three cases of simple overlapping changes.
Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
|
cd0a137acb |
net: core: Specify skb_pad()/skb_put_padto() SKB freeing
Rename skb_pad() into __skb_pad() and make it take a third argument:
free_on_error which controls whether kfree_skb() should be called or
not, skb_pad() directly makes use of it and passes true to preserve its
existing behavior. Do exactly the same thing with __skb_put_padto() and
skb_put_padto().
Suggested-by: David Miller <davem@davemloft.net>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Woojung Huh <Woojung.Huh@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
|
0a4a060bb2 |
sock: fix zerocopy_success regression with msg_zerocopy
Do not use uarg->zerocopy outside msg_zerocopy. In other paths the
field is not explicitly initialized and aliases another field.
Those paths have only one reference so do not need this intermediate
variable. Call uarg->callback directly.
Fixes:
|