bka
811 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Pankaj Bharadiya
|
fd78a84b36 |
BACKPORT: treewide: Use sizeof_field() macro
Replace all the occurrences of FIELD_SIZEOF() with sizeof_field() except at places where these are defined. Later patches will remove the unused definition of FIELD_SIZEOF(). This patch is generated using following script: EXCLUDE_FILES="include/linux/stddef.h|include/linux/kernel.h" git grep -l -e "\bFIELD_SIZEOF\b" | while read file; do if [[ "$file" =~ $EXCLUDE_FILES ]]; then continue fi sed -i -e 's/\bFIELD_SIZEOF\b/sizeof_field/g' $file; done Change-Id: I24296633f28fea05d12618c8e47dc8acb8df18d8 Signed-off-by: Pankaj Bharadiya <pankaj.laxminarayan.bharadiya@intel.com> Link: https://lore.kernel.org/r/20190924105839.110713-3-pankaj.laxminarayan.bharadiya@intel.com Co-developed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: David Miller <davem@davemloft.net> # for net |
||
|
Michel Lespinasse
|
b8ba613d40 |
BACKPORT: mmap locking API: use coccinelle to convert mmap_sem rwsem call sites
This change converts the existing mmap_sem rwsem calls to use the new mmap locking API instead. The change is generated using coccinelle with the following rule: // spatch --sp-file mmap_lock_api.cocci --in-place --include-headers --dir . @@ expression mm; @@ ( -init_rwsem +mmap_init_lock | -down_write +mmap_write_lock | -down_write_killable +mmap_write_lock_killable | -down_write_trylock +mmap_write_trylock | -up_write +mmap_write_unlock | -downgrade_write +mmap_write_downgrade | -down_read +mmap_read_lock | -down_read_killable +mmap_read_lock_killable | -down_read_trylock +mmap_read_trylock | -up_read +mmap_read_unlock ) -(&mm->mmap_sem) +(mm) Change-Id: If729000ea8cedab7079ccc1350db26ed71f0df92 Signed-off-by: Michel Lespinasse <walken@google.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Reviewed-by: Daniel Jordan <daniel.m.jordan@oracle.com> Reviewed-by: Laurent Dufour <ldufour@linux.ibm.com> Reviewed-by: Vlastimil Babka <vbabka@suse.cz> Cc: Davidlohr Bueso <dbueso@suse.de> Cc: David Rientjes <rientjes@google.com> Cc: Hugh Dickins <hughd@google.com> Cc: Jason Gunthorpe <jgg@ziepe.ca> Cc: Jerome Glisse <jglisse@redhat.com> Cc: John Hubbard <jhubbard@nvidia.com> Cc: Liam Howlett <Liam.Howlett@oracle.com> Cc: Matthew Wilcox <willy@infradead.org> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Ying Han <yinghan@google.com> Link: http://lkml.kernel.org/r/20200520052908.204642-5-walken@google.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
David Howells
|
0f4840602e |
UPSTREAM: ipc: Convert mqueue fs to fs_context
Convert the mqueue filesystem to use the filesystem context stuff.
Notes:
(1) The relevant ipc namespace is selected in when the context is
initialised (and it defaults to the current task's ipc namespace).
The caller can override this before calling vfs_get_tree().
(2) Rather than simply calling kern_mount_data(), mq_init_ns() and
mq_internal_mount() create a context, adjust it and then do the rest
of the mount procedure.
(3) The lazy mqueue mounting on creation of a new namespace is retained
from a previous patch, but the avoidance of sget() if no superblock
yet exists is reverted and the superblock is again keyed on the
namespace pointer.
Yes, there was a performance gain in not searching the superblock
hash, but it's only paid once per ipc namespace - and only if someone
uses mqueue within that namespace, so I'm not sure it's worth it,
especially as calling sget() allows avoidance of recursion.
Change-Id: If884c332fb3b5e4d41a4210f1e3d39883b08e7d5
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
|
||
|
Christoph Hellwig
|
e13d6f5008 |
BACKPORT: sysctl: pass kernel pointers to ->proc_handler
Instead of having all the sysctl handlers deal with user pointers, which is rather hairy in terms of the BPF interaction, copy the input to and from userspace in common code. This also means that the strings are always NUL-terminated by the common code, making the API a little bit safer. As most handler just pass through the data to one of the common handlers a lot of the changes are mechnical. Change-Id: Ic71fd778e4cea58adc51d634d9e53c1f9f90cdf2 Signed-off-by: Christoph Hellwig <hch@lst.de> Acked-by: Andrey Ignatov <rdna@fb.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
||
|
bengris32
|
3b5670d492 |
Merge branch 'linux-4.19.y-cip' of https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip into lineage-22.2
* 'linux-4.19.y-cip' of https://git.kernel.org/pub/scm/linux/kernel/git/cip/linux-cip: CIP: Bump version suffix to -cip122 after merge from cip/linux-4.19.y-st tree Update localversion-st, tree is up-to-date with 5.4.295. ARM: dts: am335x-bone-common: Increase MDIO reset deassert delay to 50ms ARM: dts: am335x-bone-common: Increase MDIO reset deassert time ARM: dts: am335x-bone-common: Add GPIO PHY reset on revision C3 board ARM: dts: am335x-bone-common: get rid of phy_id property mtd: nand: sunxi: Add randomizer configuration before randomizer enable mtd: rawnand: sunxi: Add randomizer configuration in sunxi_nfc_hw_ecc_write_chunk sch_hfsc: Fix qlen accounting bug when using peek in hfsc_enqueue() bridge: netfilter: Fix forwarding of fragmented packets vxlan: Annotate FDB data races hwmon: (gpio-fan) Add missing mutex locks nfs: handle failure of nfs_get_lock_context in unlock path sch_htb: make htb_deactivate() idempotent scsi: qedf: Use designated initializer for struct qed_fcoe_cb_ops arm64/ptrace: Fix stack-out-of-bounds read in regs_get_kernel_stack_nth() perf: Fix sample vs do_exit() jbd2: fix data-race and null-ptr-deref in jbd2_journal_dirty_metadata() mm/huge_memory: fix dereferencing invalid pmd migration entry posix-cpu-timers: fix race between handle_posix_cpu_timers() and posix_cpu_timer_del() net: atm: fix /proc/net/atm/lec handling net: atm: add lec_mutex calipso: Fix null-ptr-deref in calipso_req_{set,del}attr(). tipc: fix null-ptr-deref when acquiring remote ip of ethernet bearer atm: atmtcp: Free invalid length skb in atmtcp_c_send(). mpls: Use rcu_dereference_rtnl() in mpls_route_input_rcu(). wifi: carl9170: do not ping device which has failed to load firmware drm/nouveau/bl: increase buffer size to avoid truncate warning ALSA: hda/realtek: enable headset mic on Latitude 5420 Rugged ALSA: hda/intel: Add Thinkpad E15 to PM deny list Input: sparcspkr - avoid unannotated fall-through HID: usbhid: Eliminate recurrent out-of-bounds bug in usbhid_parse() atm: Revert atm_account_tx() if copy_from_iter_full() fails. selinux: fix selinux_xfrm_alloc_user() to set correct ctx_len scsi: s390: zfcp: Ensure synchronous unit_add jffs2: check jffs2_prealloc_raw_node_refs() result in few other places jffs2: check that raw node were preallocated before writing summary drivers/rapidio/rio_cm.c: prevent possible heap overwrite Revert "x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2" on v6.6 and older powerpc/eeh: Fix missing PE bridge reconfiguration during VFIO EEH recovery platform/x86: dell_rbu: Stop overwriting data buffer tee: Prevent size calculation wraparound on 32-bit kernels ARM: OMAP2+: Fix l4ls clk domain handling in STANDBY bus: fsl-mc: increase MC_CMD_COMPLETION_TIMEOUT_MS value watchdog: da9052_wdt: respect TWDMIN i40e: fix MMIO write access to an invalid page in i40e_clear_hw sock: Correct error checking condition for (assign|release)_proto_idx() vxlan: Do not treat dst cache initialization errors as fatal clk: rockchip: rk3036: mark ddrphy as critical wifi: mac80211: do not offer a mesh path if forwarding is disabled net: mlx4: add SOF_TIMESTAMPING_TX_SOFTWARE flag when getting ts info pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get() pinctrl: armada-37xx: propagate error from armada_37xx_pmx_gpio_set_direction() pinctrl: armada-37xx: propagate error from armada_37xx_gpio_get_direction() pinctrl: armada-37xx: propagate error from armada_37xx_pmx_set_by_name() ipv4/route: Use this_cpu_inc() for stats on PREEMPT_RT tcp: always seek for minimal rtt in tcp_rcv_rtt_update() net: dlink: add synchronization for stats update sctp: Do not wake readers in __sctp_write_space() emulex/benet: correct command version selection in be_cmd_get_stats() i2c: designware: Invoke runtime suspend on quick slave re-registration net: macb: Check return value of dma_set_mask_and_coherent() cpufreq: Force sync policy boost with global boost on sysfs update nios2: force update_mmu_cache on spurious tlb-permission--related pagefaults media: platform: exynos4-is: Add hardware sync wait to fimc_is_hw_change_mode() media: tc358743: ignore video while HPD is low drm/amdkfd: Set SDMA_RLCx_IB_CNTL/SWITCH_INSIDE_IB jfs: Fix null-ptr-deref in jfs_ioc_trim drm/amdgpu/gfx9: fix CSIB handling drm/amdgpu/gfx8: fix CSIB handling jfs: fix array-index-out-of-bounds read in add_missing_indices drm/amdgpu/gfx7: fix CSIB handling drm/amd/display: Add NULL pointer checks in dm_force_atomic_commit() media: uapi: v4l: Fix V4L2_TYPE_IS_OUTPUT condition sunrpc: update nextcheck time when adding new cache entries drm/amdgpu/gfx6: fix CSIB handling ACPI: battery: negate current when discharging power: supply: bq27xxx: Retrieve again when busy ACPICA: fix acpi parse and parseext cache leaks ACPICA: Avoid sequence overread in call to strncmp() ACPICA: fix acpi operand cache leak in dswstate.c PCI: Fix lock symmetry in pci_slot_unlock() regulator: max14577: Add error check for max14577_read_reg() staging: iio: ad5933: Correct settling cycles encoding per datasheet net: ch9200: fix uninitialised access during mii_nway_restart ftrace: Fix UAF when lookup kallsym after ftrace disabled dm-mirror: fix a tiny race condition mm: fix ratelimit_pages update error in dirty_ratio_handler() ipc: fix to protect IPCS lookups using RCU parisc: fix building with gcc-15 vgacon: Add check for vc_origin address range in vgacon_scroll() NFC: nci: uart: Set tty->disc_data only in success path f2fs: prevent kernel warning due to negative i_nlink from corrupted image Input: ims-pcu - check record size in ims_pcu_flash_firmware() ext4: fix calculation of credits for extent tree modification ext4: inline: fix len overflow in ext4_prepare_inline_data ata: pata_via: Force PIO for ATAPI devices on VT6415/VT6330 media: v4l2-dev: fix error handling in __video_register_device() media: gspca: Add error handling for stv06xx_read_sensor() wifi: rtlwifi: disable ASPM for RTL8723BE with subsystem ID 11ad:1723 nfsd: nfsd4_spo_must_allow() must check this is a v4 compound request wifi: p54: prevent buffer-overflow in p54_rx_eeprom_readback() gfs2: move msleep to sleepable context configfs: Do not override creating attribute file failure in populate_attrs() calipso: unlock rcu before returning -EAFNOSUPPORT usb: Flush altsetting 0 endpoints before reinitializating them after reset. fs/filesystems: Fix potential unsigned integer underflow in fs_name() net/mdiobus: Fix potential out-of-bounds read/write access MIPS: Move '-Wa,-msoft-float' check from as-option to cc-option x86/boot/compressed: prefer cc-option for CFLAGS additions net: mdio: C22 is now optional, EOPNOTSUPP if not provided i40e: retry VFLR handling if there is ongoing VF reset i40e: return false from i40e_reset_vf if reset is in progress net_sched: sch_sfq: fix a potential crash on gso_skb handling scsi: iscsi: Fix incorrect error path labels for flashnode operations NFSD: Fix NFSv3 SETATTR/CREATE's handling of large file sizes NFSD: Fix ia_size underflow Input: synaptics-rmi - fix crash with unsupported versions of F34 Input: synaptics-rmi4 - convert to use sysfs_emit() APIs do_change_type(): refuse to operate on unmounted/not ours mounts net/mlx4_en: Prevent potential integer overflow calculating Hz rtc: Fix offset calculation for .start_secs < 0 rtc: sh: assign correct interrupts with DT perf tests switch-tracking: Fix timestamp comparison mfd: stmpe-spi: Correct the name used in MODULE_DEVICE_TABLE mfd: exynos-lpass: Avoid calling exynos_lpass_disable() twice in exynos_lpass_remove() rpmsg: qcom_smd: Fix uninitialized return variable in __qcom_smd_send() perf ui browser hists: Set actions->thread before calling do_zoom_thread() fbdev: core: fbcvt: avoid division by 0 in fb_cvt_hperiod() soc: aspeed: Add NULL check in aspeed_lpc_enable_snoop() soc: aspeed: lpc: Fix impossible judgment condition arm64: dts: rockchip: disable unrouted USB controllers and PHY on RK3399 Puma with Haikou ARM: dts: qcom: apq8064 merge hw splinlock into corresponding syscon device bus: fsl-mc: fix double-free on mc_dev nilfs2: do not propagate ENOENT error from nilfs_btree_propagate() nilfs2: add pointer check for nilfs_direct_propagate() Squashfs: check return result of sb_min_blocksize ARM: dts: at91: at91sam9263: fix NAND chip selects ARM: dts: at91: usb_a9263: fix GPIO for Dataflash chip select f2fs: fix to correct check conditions in f2fs_cross_rename f2fs: use d_inode(dentry) cleanup dentry->d_inode calipso: Don't call calipso functions for AF_INET sk. net: lan743x: rename lan743x_reset_phy to lan743x_hw_reset_phy wifi: ath9k_htc: Abort software beacon handling if disabled bpf: Fix WARN() in get_bpf_raw_tp_regs pinctrl: at91: Fix possible out-of-boundary access net: ncsi: Fix GCPS 64-bit member variables f2fs: fix to do sanity check on sbi->total_valid_block_count drm/tegra: rgb: Fix the unbound reference count drm: rcar-du: Fix memory leak in rcar_du_vsps_init() selftests/seccomp: fix syscall_restart test for arm compat firmware: psci: Fix refcount leak in psci_dt_init m68k: mac: Fix macintosh_config for Mac II drm/vmwgfx: Add seqno waiter for sync_files ACPI: OSI: Stop advertising support for "3.0 _SCP Extensions" x86/mtrr: Check if fixed-range MTRRs exist in mtrr_save_fixed_ranges() crypto: marvell/cesa - Avoid empty transfer descriptor crypto: marvell/cesa - Handle zero-length skcipher requests x86/cpu: Sanitize CPUID(0x80000000) output perf/core: Fix broken throttling when max_samples_per_tick=1 gfs2: gfs2_create_inode error handling fix netfilter: nft_socket: fix sk refcount leaks thunderbolt: Do not double dequeue a configuration request usb: usbtmc: Fix timeout value in get_stb usb: storage: Ignore UAS driver for SanDisk 3.2 Gen2 storage device usb: quirks: Add NO_LPM quirk for SanDisk Extreme 55AE pinctrl: armada-37xx: set GPIO output value before setting direction pinctrl: armada-37xx: use correct OUTPUT_VAL register for GPIOs > 31 tracing: Fix compilation warning on arm32 platform/x86: thinkpad_acpi: Ignore battery threshold change event notification platform/x86: fujitsu-laptop: Support Lifebook S2110 hotkeys spi: spi-sun4i: fix early activation um: let 'make clean' properly clean underlying SUBARCH as well platform/x86: thinkpad_acpi: Support also NEC Lavie X1475JAS nfs: don't share pNFS DS connections between net namespaces HID: quirks: Add ADATA XPG alpha wireless mouse support coredump: fix error handling for replace_fd() smb: client: Reset all search buffer pointers when releasing buffer smb: client: Fix use-after-free in cifs_fill_dirent drm/i915/gvt: fix unterminated-string-initialization warning netfilter: nf_tables: do not defer rule destruction via call_rcu netfilter: nf_tables: wait for rcu grace period on net_device removal netfilter: nf_tables: pass nft_chain to destroy function, not nft_ctx mm/page_alloc.c: avoid infinite retries caused by cpuset race llc: fix data loss when reading from a socket in llc_ui_recvmsg() ALSA: pcm: Fix race of buffer access at PCM OSS layer can: bcm: add missing rcu read protection for procfs content can: bcm: add locking for bcm_op runtime updates crypto: algif_hash - fix double free in hash_accept net: dwmac-sun8i: Use parsed internal PHY address instead of 1 __legitimize_mnt(): check for MNT_SYNC_UMOUNT should be under mount_lock xenbus: Allow PVH dom0 a non-local xenstore btrfs: correct the order of prelim_ref arguments in btrfs__prelim_ref ASoC: Intel: bytcr_rt5640: Add DMI quirk for Acer Aspire SW3-013 pinctrl: meson: define the pull up/down resistor value as 60 kOhm drm: Add valid clones check regulator: ad5398: Add device tree support bpftool: Fix readlink usage in get_fd_type HID: usbkbd: Fix the bit shift number for LED_KANA scsi: st: Restore some drive settings after reset scsi: lpfc: Handle duplicate D_IDs in ndlp search-by D_ID routine hwmon: (xgene-hwmon) use appropriate type for the latency value ip: fib_rules: Fetch net from fib_rule in fib[46]_rule_configure(). net/mlx5: Extend Ethtool loopback selftest to support non-linear SKB net/mlx4_core: Avoid impossible mlx4_db_alloc() order value smack: recognize ipv4 CIPSO w/o categories pinctrl: devicetree: do not goto err when probing hogs in pinctrl_dt_to_map ASoC: ops: Enforce platform maximum on initial value ACPI: HED: Always initialize before evged PCI: Fix old_size lower bound in calculate_iosize() too EDAC/ie31200: work around false positive build warning net: pktgen: fix access outside of user given buffer in pktgen_thread_write() MIPS: pm-cps: Use per-CPU variables as per-CPU, not per-core MIPS: Use arch specific syscall name match function cpuidle: menu: Avoid discarding useful information x86/nmi: Add an emergency handler in nmi_desc & use it in nmi_shootdown_cpus() bonding: report duplicate MAC address in all situations net: xgene-v2: remove incorrect ACPI_PTR annotation x86/bugs: Make spectre user default depend on MITIGATION_SPECTRE_V2 net: pktgen: fix mpls maximum labels list parsing pinctrl: bcm281xx: Use "unsigned int" instead of bare "unsigned" media: cx231xx: set device_caps for 417 dm cache: prevent BUG_ON by blocking retries on failed device resumes media: c8sectpfe: Call of_node_put(i2c_bus) only once in c8sectpfe_probe() ARM: tegra: Switch DSI-B clock parent to PLLD on Tegra114 ieee802154: ca8210: Use proper setters and getters for bitwise types rtc: ds1307: stop disabling alarms on probe powerpc/prom_init: Fixup missing #size-cells on PowerBook6,7 mmc: sdhci: Disable SD card clock before changing parameters posix-timers: Add cond_resched() to posix_timer_add() search loop xen: Add support for XenServer 6.1 platform device dm: restrict dm device size to 2^63-512 bytes kbuild: fix argument parsing in scripts/config scsi: st: ERASE does not change tape location scsi: st: Tighten the page format heuristics with MODE SELECT ext4: reorder capability check last um: Update min_low_pfn to match changes in uml_reserved um: Store full CSGSFS and SS register from mcontext btrfs: send: return -ENAMETOOLONG when attempting a path that is too long btrfs: avoid linker error in btrfs_find_create_tree_block() i2c: pxa: fix call balance of i2c->clk handling routines mmc: host: Wait for Vdd to settle on card power off pNFS/flexfiles: Report ENETDOWN as a connection error tools/build: Don't pass test log files to linker dql: Fix dql->limit value when reset. SUNRPC: rpc_clnt_set_transport() must not change the autobind setting NFSv4: Treat ENETUNREACH errors as fatal for state recovery fbdev: core: tileblit: Implement missing margin clearing for tileblit fbdev: fsl-diu-fb: add missing device_remove_file() mailbox: use error ret code of of_parse_phandle_with_args() kconfig: merge_config: use an empty file as initfile cgroup: Fix compilation issue due to cgroup_mutex not being exported dma-mapping: avoid potential unused data compilation warning scsi: target: iscsi: Fix timeout on deleted connection openvswitch: Fix unsafe attribute parsing in output_userspace() Input: synaptics - enable InterTouch on TUXEDO InfinityBook Pro 14 v5 Input: synaptics - enable SMBus for HP Elitebook 850 G1 phy: Fix error handling in tegra_xusb_port_init ALSA: es1968: Add error handling for snd_pcm_hw_constraint_pow2() ACPI: PPTT: Fix processor subtable walk qlcnic: fix memory leak in qlcnic_sriov_channel_cfg_cmd() ALSA: sh: SND_AICA should depend on SH_DMA_API spi: loopback-test: Do not split 1024-byte hexdumps RDMA/rxe: Fix slab-use-after-free Read in rxe_queue_cleanup bug staging: axis-fifo: Correct handling of tx_fifo_depth for size validation staging: axis-fifo: avoid parsing ignored device tree properties platform/x86: asus-wmi: Fix wlan_ctrl_by_user detection do_umount(): add missing barrier before refcount checks in sync case MIPS: Fix MAX_REG_OFFSET iio: adc: dln2: Use aligned_s64 for timestamp types: Complement the aligned types with signed 64-bit one USB: usbtmc: use interruptible sleep in usbtmc_read usb: typec: tcpm: delay SNK_TRY_WAIT_DEBOUNCE to SRC_TRYWAIT transition ocfs2: stop quota recovery before disabling quotas ocfs2: implement handshaking with ocfs2 recovery thread ocfs2: switch osb->disable_recovery to enum module: ensure that kobject_put() is safe for module type kobjects xenbus: Use kref to track req lifetime usb: uhci-platform: Make the clock really optional iio: imu: st_lsm6dsx: fix possible lockup in st_lsm6dsx_read_fifo iio: adis16201: Correct inclinometer channel resolution Input: synaptics - enable InterTouch on Dell Precision M3800 Input: synaptics - enable InterTouch on Dynabook Portege X30L-G Input: synaptics - enable InterTouch on Dynabook Portege X30-D net: dsa: b53: fix learning on VLAN unaware bridges scsi: target: Fix WRITE_SAME No Data Buffer crash dm: fix copying after src array boundaries iommu/amd: Fix potential buffer overflow in parse_ivrs_acpihid irqchip/gic-v2m: Add const to of_device_id sch_htb: make htb_qlen_notify() idempotent of: module: add buffer overflow check in of_modalias() net: fec: ERR007885 Workaround for conventional TX lan743x: remove redundant initialization of variable current_head_index net: dlink: Correct endianness handling of led_mode tracing: Fix oob write in trace_seq_to_buffer() dm: always update the array size in realloc_argv on success wifi: brcm80211: fmac: Add error handling for brcmf_usb_dl_writeimage() amd-xgbe: Fix to ensure dependent features are toggled with RX checksum offload i2c: imx-lpi2c: Fix clock count when probe defers EDAC/altera: Set DDR and SDMMC interrupt mask before registration EDAC/altera: Test the correct error reg offset signal/m68k: Use force_sigsegv(SIGSEGV) in fpsp040_die mmc: sdhci: Do not lock spinlock around mmc_gpio_get_ro() x86/bugs: fix backport error in "x86/bugs: Don't fill RSB on VMEXIT with eIBRS+retpoline" Change-Id: Ia48bfc7454e776a311efd14a33b7c414038c8a6d |
||
|
Jeongjun Park
|
6348ac0cf6 |
ipc: fix to protect IPCS lookups using RCU
commit d66adabe91803ef34a8b90613c81267b5ded1472 upstream.
syzbot reported that it discovered a use-after-free vulnerability, [0]
[0]: https://lore.kernel.org/all/67af13f8.050a0220.21dd3.0038.GAE@google.com/
idr_for_each() is protected by rwsem, but this is not enough. If it is
not protected by RCU read-critical region, when idr_for_each() calls
radix_tree_node_free() through call_rcu() to free the radix_tree_node
structure, the node will be freed immediately, and when reading the next
node in radix_tree_for_each_slot(), the already freed memory may be read.
Therefore, we need to add code to make sure that idr_for_each() is
protected within the RCU read-critical region when we call it in
shm_destroy_orphaned().
Link: https://lkml.kernel.org/r/20250424143322.18830-1-aha310510@gmail.com
Fixes:
|
||
|
bengris32
|
6880313f90 |
Merge tag 'ASB-2024-09-05_4.19-stable' of https://android.googlesource.com/kernel/common into lineage-21
https://source.android.com/docs/security/bulletin/2024-09-01 CVE-2024-36972 * tag 'ASB-2024-09-05_4.19-stable' of https://android.googlesource.com/kernel/common: Linux 4.19.321 drm/fb-helper: set x/yres_virtual in drm_fb_helper_check_var ipc: remove memcg accounting for sops objects in do_semtimedop() scsi: aacraid: Fix double-free on probe failure usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() usb: dwc3: st: fix probed platform device ref count on probe error path usb: dwc3: core: Prevent USB core invalid event buffer address access usb: dwc3: omap: add missing depopulate in probe error path USB: serial: option: add MeiG Smart SRM825L cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller net: busy-poll: use ktime_get_ns() instead of local_clock() gtp: fix a potential NULL pointer dereference soundwire: stream: fix programming slave ports for non-continous port maps net: prevent mss overflow in skb_segment() ida: Fix crash in ida_free when the bitmap is empty net:rds: Fix possible deadlock in rds_message_put fbmem: Check virtual screen sizes in fb_set_var() fbcon: Prevent that screen size is smaller than font size memcg: enable accounting of ipc resources cgroup/cpuset: Prevent UAF in proc_cpuset_show() ata: libata-core: Fix null pointer dereference on error media: uvcvideo: Fix integer overflow calculating timestamp filelock: Correct the filelock owner in fcntl_setlk/fcntl_setlk64 scsi: mpt3sas: Avoid IOMMU page faults on REPORT ZONES dm suspend: return -ERESTARTSYS instead of -EINTR wifi: mwifiex: duplicate static structs used in driver instances pinctrl: single: fix potential NULL dereference in pcs_get_function() drm/amdgpu: Using uninitialized value *size when calling amdgpu_vce_cs_reloc tools: move alignment-related macros to new <linux/align.h> Input: MT - limit max slots Bluetooth: hci_ldisc: check HCI_UART_PROTO_READY flag in HCIUARTGETPROTO ALSA: timer: Relax start tick time check for slave timer elements mmc: dw_mmc: allow biu and ciu clocks to defer cxgb4: add forgotten u64 ivlan cast before shift HID: wacom: Defer calculation of resolution until resolution_code is known Bluetooth: MGMT: Add error handling to pair_device() mmc: mmc_test: Fix NULL dereference on allocation failure drm/msm/dpu: don't play tricks with debug macros drm/msm: use drm_debug_enabled() to check for debug categories net: xilinx: axienet: Always disable promiscuous mode ipv6: prevent UAF in ip6_send_skb() netfilter: nft_counter: Synchronize nft_counter_reset() against reader. kcm: Serialise kcm_sendmsg() for the same socket. Bluetooth: hci_core: Fix LE quote calculation Bluetooth: hci_core: Fix not handling link timeouts propertly Bluetooth: Make use of __check_timeout on hci_sched_le block: use "unsigned long" for blk_validate_block_size(). gtp: pull network headers in gtp_dev_xmit() hrtimer: Prevent queuing of hrtimer without a function callback nvmet-rdma: fix possible bad dereference when freeing rsps ext4: set the type of max_zeroout to unsigned int to avoid overflow irqchip/gic-v3-its: Remove BUG_ON in its_vpe_irq_domain_alloc usb: dwc3: core: Skip setting event buffers for host only controllers s390/iucv: fix receive buffer virtual vs physical address confusion openrisc: Call setup_memory() earlier in the init sequence NFS: avoid infinite loop in pnfs_update_layout. Bluetooth: bnep: Fix out-of-bound access usb: gadget: fsl: Increase size of name buffer for endpoints f2fs: fix to do sanity check in update_sit_entry btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() btrfs: send: handle unexpected data in header buffer in begin_cmd() btrfs: handle invalid root reference found in may_destroy_subvol() btrfs: change BUG_ON to assertion when checking for delayed_node root powerpc/boot: Only free if realloc() succeeds powerpc/boot: Handle allocation failure in simple_realloc() parisc: Use irq_enter_rcu() to fix warning at kernel/context_tracking.c:367 md: clean up invalid BUG_ON in md_ioctl net/sun3_82586: Avoid reading past buffer in debug output scsi: lpfc: Initialize status local variable in lpfc_sli4_repost_sgl_list() fs: binfmt_elf_efpic: don't use missing interpreter's properties media: pci: cx23885: check cx23885_vdev_init() return quota: Remove BUG_ON from dqget() ext4: do not trim the group with corrupted block bitmap powerpc/xics: Check return value of kasprintf in icp_native_map_one_cpu wifi: iwlwifi: abort scan when rfkill on but device enabled gfs2: setattr_chown: Add missing initialization scsi: spi: Fix sshdr use binfmt_misc: cleanup on filesystem umount staging: ks7010: disable bh on tx_dev_lock i2c: riic: avoid potential division by zero wifi: cw1200: Avoid processing an invalid TIM IE ssb: Fix division by zero issue in ssb_calc_clock_rate net: dsa: vsc73xx: pass value in phy_write operation atm: idt77252: prevent use after free in dequeue_rx() net/mlx5e: Correctly report errors for ethtool rx flows btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() overflow: Implement size_t saturating arithmetic helpers overflow.h: Add flex_array_size() helper s390/cio: rename bitmap_size() -> idset_bitmap_size() memcg_write_event_control(): fix a user-triggerable oops drm/amdgpu: Actually check flags for all context ops. selinux: fix potential counting error in avc_add_xperms_decision() fix bitmap corruption on close_range() with CLOSE_RANGE_UNSHARE bitmap: introduce generic optimized bitmap_size() dm persistent data: fix memory allocation failure dm resume: don't return EINVAL when signalled arm64: ACPI: NUMA: initialize all values of acpi_early_node_map to NUMA_NO_NODE xhci: Fix Panther point NULL pointer deref at full-speed re-enumeration ALSA: usb-audio: Support Yamaha P-125 quirk entry fuse: Initialize beyond-EOF page contents before setting uptodate Linux 4.19.320 nvme/pci: Add APST quirk for Lenovo N60z laptop exec: Fix ToCToU between perm check and set-uid/gid usage drm/i915/gem: Fix Virtual Memory mapping boundaries calculation media: uvcvideo: Use entity get_cur in uvc_ctrl_set arm64: cpufeature: Fix the visibility of compat hwcaps netfilter: nf_tables: prefer nft_chain_validate netfilter: nf_tables: use timestamp to check for set element timeout netfilter: nf_tables: set element extended ACK reporting support kbuild: Fix '-S -c' in x86 stack protector scripts drm/mgag200: Set DDC timeout in milliseconds drm/bridge: analogix_dp: properly handle zero sized AUX transactions x86/mtrr: Check if fixed MTRRs exist before saving them tracing: Fix overflow in get_free_elt() power: supply: axp288_charger: Round constant_charge_voltage writes down power: supply: axp288_charger: Fix constant_charge_voltage writes serial: core: check uartclk for zero to avoid divide by zero ntp: Safeguard against time_constant overflow driver core: Fix uevent_show() vs driver detach race ntp: Clamp maxerror and esterror to operating range tick/broadcast: Move per CPU pointer access into the atomic section scsi: ufs: core: Fix hba->last_dme_cmd_tstamp timestamp updating logic usb: gadget: core: Check for unset descriptor USB: serial: debug: do not echo input by default usb: vhci-hcd: Do not drop references before new references are gained ALSA: line6: Fix racy access to midibuf spi: spi-fsl-lpspi: Fix scldiv calculation spi: fsl-lpspi: remove unneeded array spi: lpspi: add the error info of transfer speed setting spi: lpspi: Add i.MX8 boards support for lpspi spi: lpspi: Let watermark change with send data length spi: lpspi: Add slave mode support spi: lpspi: Replace all "master" with "controller" bpf: kprobe: remove unused declaring of bpf_kprobe_override i2c: smbus: Send alert notifications to all devices if source not found i2c: smbus: Improve handling of stuck alerts i2c: smbus: Don't filter out duplicate alerts arm64: errata: Expand speculative SSBS workaround (again) arm64: cputype: Add Cortex-A725 definitions arm64: cputype: Add Cortex-X1C definitions arm64: errata: Expand speculative SSBS workaround arm64: errata: Unify speculative SSBS errata logic arm64: cputype: Add Cortex-X925 definitions arm64: cputype: Add Cortex-A720 definitions arm64: cputype: Add Cortex-X3 definitions arm64: errata: Add workaround for Arm errata 3194386 and 3312417 arm64: cputype: Add Neoverse-V3 definitions arm64: cputype: Add Cortex-X4 definitions arm64: Add Neoverse-V2 part arm64: cpufeature: Force HWCAP to be based on the sysreg visible to user-space arm64: Add support for SB barrier and patch in over DSB; ISB sequences ext4: fix wrong unit use in ext4_mb_find_by_goal SUNRPC: Fix a race to wake a sync task s390/sclp: Prevent release of buffer in I/O jbd2: avoid memleak in jbd2_journal_write_metadata_buffer media: uvcvideo: Fix the bandwdith quirk on USB 3.x media: uvcvideo: Ignore empty TS packets btrfs: fix bitmap leak when loading free space cache on duplicate entry wifi: nl80211: don't give key data to userspace udf: prevent integer overflow in udf_bitmap_free_blocks() PCI: Add Edimax Vendor ID to pci_ids.h clocksource/drivers/sh_cmt: Address race condition for clock events md/raid5: avoid BUG_ON() while continue reshape after reassembling net: fec: Stop PPS on driver remove Bluetooth: l2cap: always unlock channel in l2cap_conless_channel() net: linkwatch: use system_unbound_wq net: usb: qmi_wwan: fix memory leak for not ip packets x86/mm: Fix pti_clone_pgtable() alignment assumption irqchip/mbigen: Fix mbigen node address layout net: usb: sr9700: fix uninitialized variable use in sr_mdio_read ALSA: usb-audio: Correct surround channels in UAC1 channel map protect the fetch of ->fd[fd] in do_dup2() from mispredictions ipv6: fix ndisc_is_useropt() handling for PIO net/iucv: fix use after free in iucv_sock_close() drm/vmwgfx: Fix overlay when using Screen Targets remoteproc: imx_rproc: Skip over memory region when node value is NULL remoteproc: imx_rproc: Fix ignoring mapping vdev regions remoteproc: imx_rproc: ignore mapping vdev regions perf/x86/intel/pt: Fix a topa_entry base address calculation perf/x86/intel/pt: Split ToPA metadata and page layout perf/x86/intel/pt: Use pointer arithmetics instead in ToPA entry calculation perf/x86/intel/pt: Use helpers to obtain ToPA entry size perf/x86/intel/pt: Export pt_cap_get() devres: Fix memory leakage caused by driver API devm_free_percpu() driver core: Cast to (void *) with __force for __percpu pointer dev/parport: fix the array out-of-bounds risk parport: Standardize use of printmode parport: Convert printk(KERN_<LEVEL> to pr_<level>( parport: parport_pc: Mark expected switch fall-through PCI: rockchip: Use GPIOD_OUT_LOW flag while requesting ep_gpio PCI: rockchip: Make 'ep-gpios' DT property optional mm: avoid overflows in dirty throttling logic mISDN: Fix a use after free in hfcmulti_tx() tipc: Return non-zero value from tipc_udp_addr2str() on error net: bonding: correctly annotate RCU in bond_should_notify_peers() ipv4: Fix incorrect source address in Record Route option net: ip_rt_get_source() - use new style struct initializer instead of memset MIPS: SMP-CPS: Fix address for GCR_ACCESS register for CM3 and later dma: fix call order in dmam_free_coherent jfs: Fix array-index-out-of-bounds in diFree kdb: Use the passed prompt in kdb_position_cursor() kdb: address -Wformat-security warnings kdb: Fix bound check compiler warning nilfs2: handle inconsistent state in nilfs_btnode_create_block() selftests/sigaltstack: Fix ppc64 GCC build RDMA/iwcm: Fix a use-after-free related to destroying CM IDs platform: mips: cpu_hwmon: Disable driver on unsupported hardware watchdog/perf: properly initialize the turbo mode timestamp and rearm counter perf/x86/intel/pt: Fix topa_entry base length scsi: qla2xxx: validate nvme_local_port correctly scsi: qla2xxx: During vport delete send async logout explicitly rtc: cmos: Fix return value of nvmem callbacks kobject_uevent: Fix OOB access within zap_modalias_env() decompress_bunzip2: fix rare decompression failure ubi: eba: properly rollback inside self_check_eba clk: davinci: da8xx-cfgchip: Initialize clk_init_data before use f2fs: fix to don't dirty inode for readonly filesystem scsi: qla2xxx: Return ENOBUFS if sg_cnt is more than one for ELS cmds binder: fix hang of unregistered readers PCI: hv: Return zero, not garbage, when reading PCI_INTERRUPT_PIN hwrng: amd - Convert PCIBIOS_* return codes to errnos tools/memory-model: Fix bug in lock.cat leds: ss4200: Convert PCIBIOS_* return codes to errnos wifi: mwifiex: Fix interface type change ext4: make sure the first directory block is not a hole ext4: check dot and dotdot of dx_root before making dir indexed m68k: amiga: Turn off Warp1260 interrupts during boot drm/gma500: fix null pointer dereference in psb_intel_lvds_get_modes drm/gma500: fix null pointer dereference in cdv_intel_lvds_get_modes hfs: fix to initialize fields of hfs_inode_info after hfs_alloc_inode() media: venus: fix use after free in vdec_close char: tpm: Fix possible memory leak in tpm_bios_measurements_open() ipv6: take care of scope when choosing the src addr af_packet: Handle outgoing VLAN packets without hardware offloading net: netconsole: Disable target before netpoll cleanup tick/broadcast: Make takeover of broadcast hrtimer reliable nilfs2: avoid undefined behavior in nilfs_cnt32_ge macro fs/nilfs2: remove some unused macros to tame gcc pinctrl: freescale: mxs: Fix refcount of child pinctrl: ti: ti-iodelay: fix possible memory leak when pinctrl_enable() fails pinctrl: ti: ti-iodelay: Drop if block with always false condition pinctrl: single: fix possible memory leak when pinctrl_enable() fails pinctrl: core: fix possible memory leak when pinctrl_enable() fails netfilter: ctnetlink: use helper function to calculate expect ID ice: Rework flex descriptor programming bnxt_re: Fix imm_data endianness macintosh/therm_windtunnel: fix module unload. powerpc/xmon: Fix disassembly CPU feature checks MIPS: Octeron: remove source file executable bit Input: elan_i2c - do not leave interrupt disabled on suspend failure mtd: make mtd_test.c a separate module RDMA/rxe: Don't set BTH_ACK_MASK for UC or UD QPs RDMA/mlx4: Fix truncated output warning in alias_GUID.c RDMA/mlx4: Fix truncated output warning in mad.c PCI: Fix resource double counting on remove & rescan PCI: Equalize hotplug memory and io for occupied and empty slots sparc64: Fix incorrect function signature and add prototype for prom_cif_init ext4: avoid writing unitialized memory to disk in EA inodes mfd: omap-usb-tll: Use struct_size to allocate tll drm/etnaviv: fix DMA direction handling for cached RW buffers perf report: Fix condition in sort__sym_cmp() leds: trigger: Unregister sysfs attributes before calling deactivate() media: renesas: vsp1: Store RPF partition configuration per RPF instance media: renesas: vsp1: Fix _irqsave and _irq mix media: uvcvideo: Override default flags media: uvcvideo: Allow entity-defined get_info and get_cur saa7134: Unchecked i2c_transfer function result fixed media: imon: Fix race getting ictx->lock selftests: forwarding: devlink_lib: Wait for udev events after reloading bna: adjust 'name' buf size of bna_tcb and bna_ccb structures perf: Prevent passing zero nr_pages to rb_alloc_aux() perf: Fix perf_aux_size() for greater-than 32-bit size ipvs: Avoid unnecessary calls to skb_is_gso_sctp net: fec: Fix FEC_ECR_EN1588 being cleared on link-down net: fec: Refactor: #define magic constants wifi: cfg80211: handle 2x996 RU allocation in cfg80211_calculate_bitrate_he() wifi: cfg80211: fix typo in cfg80211_calculate_bitrate_he() selftests/bpf: Check length of recv in test_sockmap net/smc: set rmb's SG_MAX_SINGLE_ALLOC limitation only when CONFIG_ARCH_NO_SG_CHAIN is defined net/smc: Allow SMC-D 1MB DMB allocations wifi: brcmsmac: LCN PHY code is used for BCM4313 2G-only device m68k: cmpxchg: Fix return value for default case in __arch_xchg() x86/xen: Convert comma to semicolon m68k: atari: Fix TT bootup freeze / unexpected (SCU) interrupt messages arm64: dts: rockchip: Increase VOP clk rate on RK3328 hwmon: (max6697) Fix swapped temp{1,8} critical alarms hwmon: (max6697) Auto-convert to use SENSOR_DEVICE_ATTR_{RO, RW, WO} hwmon: Introduce SENSOR_DEVICE_ATTR_{RO, RW, WO} and variants hwmon: (max6697) Fix underflow when writing limit attributes pwm: stm32: Always do lazy disabling hwmon: (adt7475) Fix default duty on fan is disabled x86/platform/iosf_mbi: Convert PCIBIOS_* return codes to errnos x86/pci/xen: Fix PCIBIOS_* return code handling x86/pci/intel_mid_pci: Fix PCIBIOS_* return code handling x86/of: Return consistent error type from x86_of_pci_irq_enable() hfsplus: fix to avoid false alarm of circular locking platform/chrome: cros_ec_debugfs: fix wrong EC message version Revert "net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD()" Linux 4.19.319 filelock: Fix fcntl/close race recovery compat path jfs: don't walk off the end of ealist ocfs2: add bounds checking to ocfs2_check_dir_entry() net: relax socket state check at accept time. ACPI: processor_idle: Fix invalid comparison with insertion sort for latency ARM: 9324/1: fix get_user() broken with veneer filelock: Remove locks reliably when fcntl/close race is detected hfsplus: fix uninit-value in copy_name selftests/vDSO: fix clang build errors and warnings spi: imx: Don't expect DMA for i.MX{25,35,50,51,53} cspi devices fs: better handle deep ancestor chains in is_subdir() Bluetooth: hci_core: cancel all works upon hci_unregister_dev() net: mac802154: Fix racy device stats updates by DEV_STATS_INC() and DEV_STATS_ADD() net: usb: qmi_wwan: add Telit FN912 compositions ALSA: dmaengine_pcm: terminate dmaengine before synchronize s390/sclp: Fix sclp_init() cleanup on failure can: kvaser_usb: fix return value for hif_usb_send_regout bytcr_rt5640 : inverse jack detect for Archos 101 cesium Input: elantech - fix touchpad state on resume for Lenovo N24 wifi: cfg80211: wext: add extra SIOCSIWSCAN data check mei: demote client disconnect warning on suspend to debug fs/file: fix the check in find_next_fd() kconfig: remove wrong expr_trans_bool() kconfig: gconf: give a proper initial state to the Save button ila: block BH in ila_output() Input: silead - Always support 10 fingers wifi: mac80211: fix UBSAN noise in ieee80211_prep_hw_scan() wifi: mac80211: mesh: init nonpeer_pm to active by default in mesh sdata ACPI: EC: Avoid returning AE_OK on errors in address space handler ACPI: EC: Abort address space access upon error scsi: qedf: Set qed_slowpath_params to zero before use gcc-plugins: Rename last_stmt() for GCC 14+ Change-Id: I5d910141e3e22bc861c6b0343780dcfbf31b6341 Signed-off-by: bengris32 <bengris32@protonmail.ch> |
||
|
Vasily Averin
|
72793f5cc9 |
ipc: remove memcg accounting for sops objects in do_semtimedop()
commit 6a4746ba06191e23d30230738e94334b26590a8a upstream. Linus proposes to revert an accounting for sops objects in do_semtimedop() because it's really just a temporary buffer for a single semtimedop() system call. This object can consume up to 2 pages, syscall is sleeping one, size and duration can be controlled by user, and this allocation can be repeated by many thread at the same time. However Shakeel Butt pointed that there are much more popular objects with the same life time and similar memory consumption, the accounting of which was decided to be rejected for performance reasons. Considering at least 2 pages for task_struct and 2 pages for the kernel stack, a back of the envelope calculation gives a footprint amplification of <1.5 so this temporal buffer can be safely ignored. The factor would IMO be interesting if it was >> 2 (from the PoV of excessive (ab)use, fine-grained accounting seems to be currently unfeasible due to performance impact). Link: https://lore.kernel.org/lkml/90e254df-0dfe-f080-011e-b7c53ee7fd20@virtuozzo.com/ Fixes: 18319498fdd4 ("memcg: enable accounting of ipc resources") Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Acked-by: Michal Hocko <mhocko@suse.com> Reviewed-by: Michal Koutný <mkoutny@suse.com> Acked-by: Shakeel Butt <shakeelb@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Vasily Averin
|
9e235ce6fa |
memcg: enable accounting of ipc resources
commit 18319498fdd4cdf8c1c2c48cd432863b1f915d6f upstream. When user creates IPC objects it forces kernel to allocate memory for these long-living objects. It makes sense to account them to restrict the host's memory consumption from inside the memcg-limited container. This patch enables accounting for IPC shared memory segments, messages semaphores and semaphore's undo lists. Link: https://lkml.kernel.org/r/d6507b06-4df6-78f8-6c54-3ae86e3b5339@virtuozzo.com Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Reviewed-by: Shakeel Butt <shakeelb@google.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Alexey Dobriyan <adobriyan@gmail.com> Cc: Andrei Vagin <avagin@gmail.com> Cc: Borislav Petkov <bp@alien8.de> Cc: Borislav Petkov <bp@suse.de> Cc: Christian Brauner <christian.brauner@ubuntu.com> Cc: Dmitry Safonov <0x7f454c46@gmail.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Cc: "H. Peter Anvin" <hpa@zytor.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: "J. Bruce Fields" <bfields@fieldses.org> Cc: Jeff Layton <jlayton@kernel.org> Cc: Jens Axboe <axboe@kernel.dk> Cc: Jiri Slaby <jirislaby@kernel.org> Cc: Johannes Weiner <hannes@cmpxchg.org> Cc: Kirill Tkhai <ktkhai@virtuozzo.com> Cc: Michal Hocko <mhocko@kernel.org> Cc: Oleg Nesterov <oleg@redhat.com> Cc: Roman Gushchin <guro@fb.com> Cc: Serge Hallyn <serge@hallyn.com> Cc: Tejun Heo <tj@kernel.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vladimir Davydov <vdavydov.dev@gmail.com> Cc: Yutian Yang <nglaive@gmail.com> Cc: Zefan Li <lizefan.x@bytedance.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
bengris32
|
43c8b52a71 |
Merge tag 'ASB-2022-12-05_4.19-stable' of https://android.googlesource.com/kernel/common into lineage-21
https://source.android.com/docs/security/bulletin/2022-12-01
CVE-2022-23960
* tag 'ASB-2022-12-05_4.19-stable' of https://android.googlesource.com/kernel/common:
Linux 4.19.268
ipc/sem: Fix dangling sem_array access in semtimedop race
mmc: sdhci: Fix voltage switch delay
mmc: sdhci: use FIELD_GET for preset value bit masks
x86/ioremap: Fix page aligned size calculation in __ioremap_caller()
Bluetooth: L2CAP: Fix accepting connection request for invalid SPSM
x86/pm: Add enumeration check before spec MSRs save/restore setup
x86/tsx: Add a feature bit for TSX control MSR support
nvme: restrict management ioctls to admin
tcp/udp: Fix memory leak in ipv6_renew_options().
Kconfig.debug: provide a little extra FRAME_WARN leeway when KASAN is enabled
parisc: Increase FRAME_WARN to 2048 bytes on parisc
xtensa: increase size of gcc stack frame check
parisc: Increase size of gcc stack frame check
iommu/vt-d: Fix PCI device refcount leak in dmar_dev_scope_init()
pinctrl: single: Fix potential division by zero
ASoC: ops: Fix bounds check for _sx controls
mm: Fix '.data.once' orphan section warning
arm64: errata: Fix KVM Spectre-v2 mitigation selection for Cortex-A57/A72
arm64: Fix panic() when Spectre-v2 causes Spectre-BHB to re-allocate KVM vectors
pinctrl: intel: Save and restore pins in "direct IRQ" mode
x86/bugs: Make sure MSR_SPEC_CTRL is updated properly upon resume from S3
nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry()
tools/vm/slabinfo-gnuplot: use "grep -E" instead of "egrep"
error-injection: Add prompt for function error injection
btrfs: qgroup: fix sleep from invalid context bug in btrfs_qgroup_inherit()
hwmon: (coretemp) fix pci device refcount leak in nv1a_ram_new()
hwmon: (coretemp) Check for null before removing sysfs attrs
net: ethernet: renesas: ravb: Fix promiscuous mode after system resumed
packet: do not set TP_STATUS_CSUM_VALID on CHECKSUM_COMPLETE
net: tun: Fix use-after-free in tun_detach()
net: hsr: Fix potential use-after-free
dsa: lan9303: Correct stat name
net/9p: Fix a potential socket leak in p9_socket_open
net: net_netdev: Fix error handling in ntb_netdev_init_module()
net: phy: fix null-ptr-deref while probe() failed
qlcnic: fix sleep-in-atomic-context bugs caused by msleep
can: cc770: cc770_isa_probe(): add missing free_cc770dev()
can: sja1000_isa: sja1000_isa_probe(): add missing free_sja1000dev()
net/mlx5: Fix uninitialized variable bug in outlen_write()
of: property: decrement node refcount in of_fwnode_get_reference_args()
hwmon: (ibmpex) Fix possible UAF when ibmpex_register_bmc() fails
hwmon: (i5500_temp) fix missing pci_disable_device()
scripts/faddr2line: Fix regression in name resolution on ppc64le
iio: light: rpr0521: add missing Kconfig dependencies
iio: health:
|
||
|
bengris32
|
74c4856529 |
Merge tag 'ASB-2022-01-05_4.19-stable' of https://android.googlesource.com/kernel/common into lineage-21
https://source.android.com/security/bulletin/2022-01-01 CVE-2020-14305 CVE-2020-29368 CVE-2021-39633 CVE-2021-39634 * tag 'ASB-2022-01-05_4.19-stable' of https://android.googlesource.com/kernel/common: Linux 4.19.224 net: fix use-after-free in tw_timer_handler Input: spaceball - fix parsing of movement data packets Input: appletouch - initialize work before device registration scsi: vmw_pvscsi: Set residual data length conditionally binder: fix async_free_space accounting for empty parcels usb: mtu3: set interval of FS intr and isoc endpoint usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set. uapi: fix linux/nfc.h userspace compilation errors nfc: uapi: use kernel size_t to fix user-space builds i2c: validate user data in compat ioctl fsl/fman: Fix missing put_device() call in fman_port_probe selftests/net: udpgso_bench_tx: fix dst ip argument net/mlx5e: Fix wrong features assignment in case of error NFC: st21nfca: Fix memory leak in device probe and remove net: usb: pegasus: Do not drop long Ethernet frames sctp: use call_rcu to free endpoint selftests: Calculate udpgso segment count without header adjustment udp: using datalen to cap ipv6 udp max gso segments scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() selinux: initialize proto variable in selinux_ip_postroute_compat() recordmcount.pl: fix typo in s390 mcount regex platform/x86: apple-gmux: use resource_size() with res Input: i8042 - enable deferred probe quirk for ASUS UM325UA Input: i8042 - add deferred probe support tee: handle lookup of shm with reference count 0 HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option Linux 4.19.223 phonet/pep: refuse to enable an unbound pipe hamradio: improve the incomplete fix to avoid NPD hamradio: defer ax25 kfree after unregister_netdev ax25: NPD bug when detaching AX25 device hwmon: (lm90) Do not report 'busy' status bit as alarm KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state usb: gadget: u_ether: fix race in setting MAC address in setup phase f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr() ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines x86/pkey: Fix undefined behaviour with PKRU_WD_BIT parisc: Correct completer in lws start ipmi: fix initialization when workqueue allocation fails ipmi: bail out if init_srcu_struct fails Input: atmel_mxt_ts - fix double free in mxt_read_info_block ALSA: drivers: opl3: Fix incorrect use of vp->state ALSA: jack: Check the return value of kstrdup() hwmon: (lm90) Fix usage of CONFIG2 register in detect function sfc: falcon: Check null pointer of rx_queue->page_ring drivers: net: smc911x: Check for error irq fjes: Check for error irq bonding: fix ad_actor_system option setting to default ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module net: skip virtio_net_hdr_set_proto if protocol already set net: accept UFOv6 packages in virtio_net_hdr_to_skb qlcnic: potential dereference null pointer of rx_queue->page_ring netfilter: fix regression in looped (broad|multi)cast's MAC handling IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() spi: change clk_disable_unprepare to clk_unprepare arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode HID: holtek: fix mouse probing block, bfq: fix use after free in bfq_bfqq_expire block, bfq: fix queue removal from weights tree block, bfq: fix decrement of num_active_groups block, bfq: fix asymmetric scenarios detection block, bfq: improve asymmetric scenarios detection net: usb: lan78xx: add Allied Telesis AT29M2-AF Revert "ARM: 8800/1: use choice for kernel unwinders" Linux 4.19.222 xen/netback: don't queue unlimited number of packages xen/netback: fix rx queue stall detection xen/console: harden hvc_xen against event channel storms xen/netfront: harden netfront against event channel storms xen/blkfront: harden blkfront against event channel storms scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() ovl: fix warning in ovl_create_real() fuse: annotate lock in fuse_reverse_inval_entry() media: mxl111sf: change mutex_init() location ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name firmware: arm_scpi: Fix string overflow in SCPI genpd driver Input: touchscreen - avoid bitwise vs logical OR warning ARM: 8800/1: use choice for kernel unwinders mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO ARM: 8805/2: remove unneeded naked function usage net: lan78xx: Avoid unnecessary self assignment mac80211: validate extended element ID is present net: systemport: Add global locking for descriptor lifecycle drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE libata: if T_LENGTH is zero, dma direction should be DMA_NONE timekeeping: Really make sure wall_to_monotonic isn't positive USB: serial: option: add Telit FN990 compositions USB: serial: cp210x: fix CP2105 GPIO registration PCI/MSI: Mask MSI-X vectors only on success PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04) USB: gadget: bRequestType is a bitfield, not a enum sit: do not call ipip6_dev_free() from sit_init_net() net/packet: rx_owner_map depends on pg_vec netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc ixgbe: set X550 MDIO speed before talking to PHY igbvf: fix double free in `igbvf_probe` igb: Fix removal of unicast MAC filters of VFs soc/tegra: fuse: Fix bitwise vs. logical OR warning rds: memory leak in __rds_conn_create() dmaengine: st_fdma: fix MODULE_ALIAS sch_cake: do not call cake_destroy() from cake_init() ARM: socfpga: dts: fix qspi node compatible mac80211: track only QoS data frames for admission control x86/sme: Explicitly map new EFI memmap table as encrypted x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol nfsd: fix use-after-free due to delegation race audit: improve robustness of the audit queue handling dm btree remove: fix use after free in rebalance_children() recordmcount.pl: look for jgnop instruction as well as bcrl on s390 mac80211: send ADDBA requests using the tid/queue of the aggregation session hwmon: (dell-smm) Fix warning on /proc/i8k creation error tracing: Fix a kmemleak false positive in tracing_map net: netlink: af_netlink: Prevent empty skb by adding a check on len. i2c: rk3x: Handle a spurious start completion interrupt flag parisc/agp: Annotate parisc agp init functions with __init net/mlx4_en: Update reported link modes for 1/10G drm/msm/dsi: set default num_data_lanes nfc: fix segfault in nfc_genl_dump_devices_done stable: clamp SUBLEVEL in 4.19 FROMGIT: USB: gadget: bRequestType is a bitfield, not a enum ANDROID: GKI: abi workaround for 4.19.221 Linux 4.19.221 net: sched: make function qdisc_free_cb() static net_sched: fix a crash in tc_new_tfilter() irqchip: nvic: Fix offset for Interrupt Priority Offsets irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL irqchip/armada-370-xp: Fix support for Multi-MSI interrupts irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove iio: adc: axp20x_adc: fix charging current reporting on AXP22x iio: at91-sama5d2: Fix incorrect sign extension iio: dln2: Check return value of devm_iio_trigger_register() iio: dln2-adc: Fix lockdep complaint iio: itg3200: Call iio_trigger_notify_done() on error iio: kxsd9: Don't return error code in trigger handler iio: ltr501: Don't return error code in trigger handler iio: mma8452: Fix trigger reference couting iio: stk3310: Don't return error code in interrupt handler iio: trigger: stm32-timer: fix MODULE_ALIAS iio: trigger: Fix reference counting xhci: avoid race between disable slot command and host runtime suspend usb: core: config: using bit mask instead of individual bits xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending usb: core: config: fix validation of wMaxPacketValue entries USB: gadget: zero allocate endpoint 0 buffers USB: gadget: detect too-big endpoint 0 requests net/qla3xxx: fix an error code in ql_adapter_up() net, neigh: clear whole pneigh_entry at alloc time net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() net: altera: set a couple error code in probe() net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero tools build: Remove needless libpython-version feature check that breaks test-all fast path mtd: rawnand: fsmc: Take instruction delay into account i40e: Fix pre-set max number of queues for VF ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer qede: validate non LSO skb length block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) tracefs: Set all files to the same group ownership as the mount option aio: fix use-after-free due to missing POLLFREE handling aio: keep poll requests on waitqueue until completed signalfd: use wake_up_pollfree() binder: use wake_up_pollfree() wait: add wake_up_pollfree() libata: add horkage for ASMedia 1092 can: m_can: Disable and ignore ELO interrupt can: pch_can: pch_can_rx_normal: fix use after free clk: qcom: regmap-mux: fix parent clock lookup tracefs: Have new files inherit the ownership of their parent ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() ALSA: pcm: oss: Limit the period size to 16MB ALSA: pcm: oss: Fix negative period/buffer sizes ALSA: ctl: Fix copy of updated id with element read/write mm: bdi: initialize bdi_min_ratio when bdi is unregistered IB/hfi1: Correct guard on eager buffer deallocation udp: using datalen to cap max gso segments seg6: fix the iif in the IPv6 socket control block nfp: Fix memory leak in nfp_cpp_area_cache_add() bonding: make tx_rebalance_counter an atomic ice: ignore dropped packets during init bpf: Fix the off-by-two error in range markings nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done net: sched: use Qdisc rcu API instead of relying on rtnl lock net: sched: add helper function to take reference to Qdisc net: sched: extend Qdisc with rcu net: sched: rename qdisc_destroy() to qdisc_put() net: core: netlink: add helper refcount dec and lock function can: sja1000: fix use after free in ems_pcmcia_add_card() can: kvaser_usb: get CAN clock frequency from device HID: check for valid USB device for many HID drivers HID: wacom: fix problems when device is not a valid USB device HID: add USB_HID dependancy on some USB HID drivers HID: add USB_HID dependancy to hid-chicony HID: add USB_HID dependancy to hid-prodikeys HID: add hid_is_usb() function to make it simpler for USB detection HID: google: add eel USB id UPSTREAM: USB: gadget: zero allocate endpoint 0 buffers UPSTREAM: USB: gadget: detect too-big endpoint 0 requests Linux 4.19.220 ipmi: msghandler: Make symbol 'remove_work_wq' static parisc: Mark cr16 CPU clocksource unstable on all SMP machines serial: core: fix transmit-buffer reset and memleak serial: pl011: Add ACPI SBSA UART match id tty: serial: msm_serial: Deactivate RX DMA for polling support x86/64/mm: Map all kernel memory into trampoline_pgd usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub xhci: Fix commad ring abort, write all 64 bits to CRCR register. vgacon: Propagate console boot parameters before calling `vc_resize' parisc: Fix "make install" on newer debian releases parisc: Fix KBUILD_IMAGE for self-extracting kernel drm/msm: Do hw_init() before capturing GPU state net/smc: Keep smc_close_final rc during active close net/rds: correct socket tunable error in rds_tcp_tune() net: annotate data-races on txq->xmit_lock_owner net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() siphash: use _unaligned version by default net: mpls: Fix notifications when deleting a device net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() natsemi: xtensa: fix section mismatch warnings i2c: stm32f7: stop dma transfer in case of NACK i2c: stm32f7: recover the bus on access timeout fget: check that the fd still exists after getting a ref to it fs: add fget_many() and fput_many() sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl ipmi: Move remove_work to dedicated workqueue kprobes: Limit max data_size of the kretprobe instances vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit perf hist: Fix memory leak of a perf_hpp_fmt net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile scsi: iscsi: Unblock session then wake up error handler thermal: core: Reset previous low and high trip during thermal zone init btrfs: check-integrity: fix a warning on write caching disabled disk s390/setup: avoid using memblock_enforce_memory_limit platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep net: return correct error code atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait gfs2: Fix length of holes reported at end-of-file of: clk: Make <linux/of_clk.h> self-contained NFSv42: Fix pagecache invalidation after COPY/CLONE shm: extend forced shm destroy to support objects from several IPC nses Conflicts: drivers/hid/hid-holtek-mouse.c (used theirs) drivers/usb/gadget/legacy/dbgp.c Change-Id: I7d36754e28ada463e28de2fbd95a5d8c9c9554d9 Signed-off-by: bengris32 <bengris32@protonmail.ch> |
||
|
bengris32
|
6ed107265a |
Merge tag 'ASB-2021-12-05_4.19-stable' of https://android.googlesource.com/kernel/common into lineage-21
https://source.android.com/security/bulletin/2021-12-01 CVE-2021-33909 CVE-2021-38204 CVE-2021-0961 * tag 'ASB-2021-12-05_4.19-stable' of https://android.googlesource.com/kernel/common: BACKPORT: arm64: vdso32: suppress error message for 'make mrproper' Linux 4.19.219 tty: hvc: replace BUG_ON() with negative return value xen/netfront: don't trust the backend response data blindly xen/netfront: disentangle tx_skb_freelist xen/netfront: don't read data from request on the ring page xen/netfront: read response from backend only once xen/blkfront: don't trust the backend response data blindly xen/blkfront: don't take local copy of a request from the ring page xen/blkfront: read response from backend only once xen: sync include/xen/interface/io/ring.h with Xen's newest version fuse: release pipe buf after last use NFC: add NCI_UNREG flag to eliminate the race hugetlbfs: flush TLBs correctly after huge_pmd_unshare s390/mm: validate VMA in PGSTE manipulation functions tracing: Check pid filtering when creating events vhost/vsock: fix incorrect used length reported to the guest net: hns3: fix VF RSS failed problem after PF enable multi-TCs net/smc: Don't call clcsock shutdown twice when smc shutdown MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48 tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows PM: hibernate: use correct mode for swsusp_close() net/smc: Ensure the active closing peer first closes clcsock ipv6: fix typos in __ip6_finish_output() drm/vc4: fix error code in vc4_create_object() scsi: mpt3sas: Fix kernel panic during drive powercycle test ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE NFSv42: Don't fail clone() unless the OP_CLONE operation failed firmware: arm_scmi: pm: Propagate return value to caller net: ieee802154: handle iftypes as u32 ASoC: topology: Add missing rwsem around snd_ctl_remove() calls ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer ARM: dts: BCM5301X: Add interrupt properties to GPIO node ARM: dts: BCM5301X: Fix I2C controller interrupt netfilter: ipvs: Fix reuse connection if RS weight is 0 arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function arm64: dts: marvell: armada-37xx: declare PCIe reset pin pinctrl: armada-37xx: Correct PWM pins definitions pinctrl: armada-37xx: add missing pin: PCIe1 Wakeup pinctrl: armada-37xx: Correct mpp definitions PCI: aardvark: Fix checking for link up via LTSSM state PCI: aardvark: Fix link training PCI: aardvark: Fix PCIe Max Payload Size setting PCI: aardvark: Configure PCIe resources from 'ranges' DT property PCI: aardvark: Update comment about disabling link training PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link() PCI: aardvark: Fix compilation on s390 PCI: aardvark: Don't touch PCIe registers if no card connected PCI: aardvark: Indicate error in 'val' when config read fails PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros PCI: aardvark: Issue PERST via GPIO PCI: aardvark: Improve link training PCI: aardvark: Train link immediately after enabling training PCI: aardvark: Wait for endpoint to be ready before training link PCI: aardvark: Fix a leaked reference by adding missing of_node_put() proc/vmcore: fix clearing user buffer by properly using clear_user() xtensa: use CONFIG_USE_OF instead of CONFIG_OF tracing: Fix pid filtering when triggers are attached xen: detect uninitialized xenbus in xenbus_init xen: don't continue xenstore initialization in case of errors fuse: fix page stealing staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts media: cec: copy sequence field for the reply ALSA: ctxfi: Fix out-of-range access binder: fix test regression due to sender_euid change usb: hub: Fix locking issues with address0_mutex usb: hub: Fix usb enumeration issue due to address0 race usb: dwc2: hcd_queue: Fix use of floating point literal USB: serial: option: add Fibocom FM101-GL variants USB: serial: option: add Telit LE910S1 0x9200 composition Revert "net: sched: update default qdisc visibility after Tx queue cnt changes" Revert "serial: core: Fix initializing and restoring termios speed" ANDROID: GKI: disable CONFIG_FORTIFY_SOURCE Linux 4.19.218 soc/tegra: pmc: Fix imbalanced clock disabling in error code path usb: max-3421: Use driver data instead of maintaining a list of bound devices ASoC: DAPM: Cover regression by kctl change notification fix RDMA/netlink: Add __maybe_unused to static inline in C file batman-adv: Don't always reallocate the fragmentation skb head batman-adv: Reserve needed_*room for fragments batman-adv: Consider fragmentation for needed_headroom batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN perf/core: Avoid put_page() when GUP fails drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors drm/udl: fix control-message timeout cfg80211: call cfg80211_stop_ap when switch from P2P_GO type parisc/sticon: fix reverse colors btrfs: fix memory ordering between normal and ordered work functions udf: Fix crash after seekdir x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag ipc: WARN if trying to remove ipc object which is absent hexagon: export raw I/O routines for modules tun: fix bonding active backup with arp monitoring perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server perf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server NFC: reorder the logic in nfc_{un,}register_device NFC: reorganize the functions in nci_request i40e: Fix display error code in dmesg i40e: Fix changing previously set num_queue_pairs for PFs i40e: Fix NULL ptr dereference on VSI filter sync i40e: Fix correct max_pkt_size on VF RX queue net: virtio_net_hdr_to_skb: count transport header in UFO platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()' mips: lantiq: add support for clk_get_parent() mips: bcm63xx: add support for clk_get_parent() MIPS: generic/yamon-dt: fix uninitialized variable error iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset iavf: check for null in iavf_fix_features net: bnx2x: fix variable dereferenced before check drm/nouveau: hdmigv100.c: fix corrupted HDMI Vendor InfoFrame sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain() mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set sh: define __BIG_ENDIAN for math-emu sh: fix kconfig unmet dependency warning for FRAME_POINTER f2fs: fix up f2fs_lookup tracepoints maple: fix wrong return value of maple_bus_init(). sh: check return code of request_irq powerpc/dcr: Use cmplwi instead of 3-argument cmpli ALSA: gus: fix null pointer dereference on pointer block powerpc/5200: dts: fix memory node unit name scsi: target: Fix alua_tg_pt_gps_count tracking scsi: target: Fix ordered tag handling MIPS: sni: Fix the build tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc ALSA: ISA: not for M68K usb: host: ohci-tmio: check return value after calling platform_get_resource() ARM: dts: omap: fix gpmc,mux-add-data type firmware_loader: fix pre-allocated buf built-in firmware use scsi: advansys: Fix kernel pointer leak ASoC: nau8824: Add DMI quirk mechanism for active-high jack-detect arm64: dts: freescale: fix arm,sp805 compatible string usb: typec: tipd: Remove WARN_ON in tps6598x_block_read usb: musb: tusb6010: check return value after calling platform_get_resource() arm64: dts: hisilicon: fix arm,sp805 compatible string scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() arm64: zynqmp: Fix serial compatible string arm64: zynqmp: Do not duplicate flash partition label property erofs: fix unsafe pagevec reuse of hooked pclusters erofs: remove the occupied parameter from z_erofs_pagevec_enqueue() PCI: Add MSI masking quirk for Nvidia ION AHCI PCI/MSI: Deal with devices lying about their MSI mask capability PCI/MSI: Destroy sysfs before freeing entries parisc/entry: fix trace test in syscall exit path fortify: Explicitly disable Clang support ext4: fix lazy initialization next schedule time computation in more granular unit x86/cpu: Fix migration safety with X86_BUG_NULL_SEL fuse: truncate pagecache on atomic_o_trunc PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros s390/tape: fix timer initialization in tape_std_assign() s390/cio: check the subchannel validity for dev_busid video: backlight: Drop maximum brightness override for brightness zero backlight: gpio-backlight: Correct initial power state handling mm, oom: do not trigger out_of_memory from the #PF mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC powerpc/security: Add a helper to query stf_barrier type powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 powerpc/bpf: Validate branch ranges powerpc/lib: Add helper to check if offset is within conditional branch range 9p/net: fix missing error check in p9_check_errors f2fs: should use GFP_NOFS for directory inodes ARM: 9156/1: drop cc-option fallbacks for architecture selection ARM: 9155/1: fix early early_iounmap() USB: chipidea: fix interrupt deadlock cxgb4: fix eeprom len when diagnostics not implemented vsock: prevent unnecessary refcnt inc for nonblocking connect arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails llc: fix out-of-bound array index in llc_sk_dev_hash() zram: off by one in read_block_state() mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration() bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses net: davinci_emac: Fix interrupt pacing disable xen-pciback: Fix return in pm_ctrl_init() i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()' scsi: qla2xxx: Turn off target reset during issue_lip scsi: qla2xxx: Fix gnl list corruption ar7: fix kernel builds for compiler test watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT m68k: set a default value for MEMORY_RESERVE dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result` netfilter: nfnetlink_queue: fix OOB when mac header was cleared auxdisplay: ht16k33: Fix frame buffer device blanking auxdisplay: ht16k33: Connect backlight to fbdev auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare() fs: orangefs: fix error return code of orangefs_revalidate_lookup() NFS: Fix deadlocks in nfs_scan_commit_list() PCI: aardvark: Don't spam about PIO Response Status drm/plane-helper: fix uninitialized variable reference pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined apparmor: fix error check power: supply: bq27xxx: Fix kernel crash on IRQ handler register error mips: cm: Convert to bitfield API to fix out-of-bounds access serial: xilinx_uartps: Fix race condition causing stuck TX phy: qcom-qusb2: Fix a memory leak on probe ASoC: cs42l42: Defer probe if request_threaded_irq() returns EPROBE_DEFER ASoC: cs42l42: Correct some register default values RDMA/mlx4: Return missed an error if device doesn't support steering scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() power: supply: rt5033_battery: Change voltage values to µV usb: gadget: hid: fix error code in do_config() serial: 8250_dw: Drop wrong use of ACPI_PTR() video: fbdev: chipsfb: use memset_io() instead of memset() memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe soc/tegra: Fix an error handling path in tegra_powergate_power_up() arm: dts: omap3-gta04a4: accelerometer irq fix ALSA: hda: Reduce udelay() at SKL+ position reporting JFS: fix memleak in jfs_mount MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT scsi: dc395: Fix error case unwinding ARM: dts: at91: tse850: the emac<->phy interface is rmii RDMA/bnxt_re: Fix query SRQ failure arm64: dts: rockchip: Fix GPU register width for RK3328 ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc() RDMA/rxe: Fix wrong port_cap_flags ibmvnic: Process crqs after enabling interrupts selftests/bpf: Fix fclose/pclose mismatch in test_progs crypto: pcrypt - Delay write to padata->info net: phylink: avoid mvneta warning when setting pause parameters net: amd-xgbe: Toggle PLL settings during rate change wcn36xx: add proper DMA memory barriers in rx path libertas: Fix possible memory leak in probe and disconnect libertas_tf: Fix possible memory leak in probe and disconnect KVM: s390: Fix handle_sske page fault handling samples/kretprobes: Fix return value if register_kretprobe() failed tcp: don't free a FIN sk_buff in tcp_remove_empty_skb() irq: mips: avoid nested irq_enter() s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap() smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi drm/msm: Fix potential NULL dereference in DPU SSPP clocksource/drivers/timer-ti-dm: Select TIMER_OF PM: hibernate: fix sparse warnings nvme-rdma: fix error code in nvme_rdma_setup_ctrl phy: micrel: ksz8041nl: do not use power down mode mwifiex: Send DELBA requests according to spec rsi: stop thread firstly in rsi_91x_init() error handling platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning mmc: mxs-mmc: disable regulator on error and in the remove function net: stream: don't purge sk_error_queue in sk_stream_kill_queues() drm/msm: uninitialized variable in msm_gem_import() ath10k: fix max antenna gain unit hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff hwmon: Fix possible memleak in __hwmon_device_register() memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() memstick: avoid out-of-range warning mmc: sdhci-omap: Fix NULL pointer exception if regulator is not configured b43: fix a lower bounds test b43legacy: fix a lower bounds test hwrng: mtk - Force runtime pm ops for sleep ops crypto: qat - disregard spurious PFVF interrupts crypto: qat - detect PFVF collision after ACK media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable() ath9k: Fix potential interrupt storm on queue reset media: em28xx: Don't use ops->suspend if it is NULL cpuidle: Fix kobject memory leaks in error paths media: cx23885: Fix snd_card_free call on null card pointer media: si470x: Avoid card name truncation media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()' media: dvb-usb: fix ununit-value in az6027_rc_query media: em28xx: add missing em28xx_close_extension drm/amdgpu: fix warning for overflow check net: dsa: rtl8366rb: Fix off-by-one bug cgroup: Make rebind_subsystems() disable v2 controllers all at once Bluetooth: fix init and cleanup of sco_conn.timeout_work parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling parisc/unwind: fix unwinder when CONFIG_64BIT is enabled task_stack: Fix end_of_stack() for architectures with upwards-growing stack parisc: fix warning in flush_tlb_all x86/hyperv: Protect set_hv_tscchange_cb() against getting preempted spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe() ARM: 9136/1: ARMv7-M uses BE-8, not BE-32 gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE ARM: clang: Do not rely on lr register for stacktrace smackfs: use __GFP_NOFAIL for smk_cipso_doi() iwlwifi: mvm: disable RX-diversity in powersave PM: hibernate: Get block device exclusively in swsusp_check() mwl8k: Fix use-after-free in mwl8k_fw_state_machine() tracing/cfi: Fix cmp_entries_* functions signature mismatch workqueue: make sysfs of unbound kworker cpumask more clever lib/xz: Validate the value before assigning it to an enum variable lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression memstick: r592: Fix a UAF bug when removing the driver leaking_addresses: Always print a trailing newline ACPI: battery: Accept charges over the design capacity as full ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create() tracefs: Have tracefs directories not set OTH permission bits by default media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte() ACPICA: Avoid evaluating methods too early during system resume media: rcar-csi2: Add checking to rcsi2_start_receiver() ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK media: mceusb: return without resubmitting URB in case of -EPROTO error. media: s5p-mfc: Add checking to s5p_mfc_probe(). media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe() media: uvcvideo: Return -EIO for control errors media: uvcvideo: Set capability in s_param media: netup_unidvb: handle interrupt properly according to the firmware media: mt9p031: Fix corrupted frame after restarting stream mwifiex: Properly initialize private structure on interface type changes mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type x86: Increase exception stack sizes smackfs: Fix use-after-free in netlbl_catmap_walk() net: sched: update default qdisc visibility after Tx queue cnt changes locking/lockdep: Avoid RCU-induced noinstr fail MIPS: lantiq: dma: reset correct number of channel MIPS: lantiq: dma: add small delay after reset platform/x86: wmi: do not fail if disabling fails Bluetooth: fix use-after-free error in lock_sock_nested() Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1 USB: iowarrior: fix control-message timeouts USB: serial: keyspan: fix memleak on probe errors iio: dac: ad5446: Fix ad5622_write() return value pinctrl: core: fix possible memory leak in pinctrl_enable() quota: correct error number in free_dqentry() quota: check block number when reading the block in quota file PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG PCI: aardvark: Fix return value of MSI domain .alloc() method PCI: aardvark: Do not unmask unused interrupts PCI: aardvark: Do not clear status bits of masked interrupts xen/balloon: add late_initcall_sync() for initial ballooning done ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume ALSA: mixer: oss: Fix racy access to slots serial: core: Fix initializing and restoring termios speed powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found power: supply: max17042_battery: use VFSOC for capacity when no rsns power: supply: max17042_battery: Prevent int underflow in set_soc_threshold signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT signal: Remove the bogus sigkill_pending in ptrace_stop RDMA/qedr: Fix NULL deref for query_qp on the GSI QP rsi: Fix module dev_oper_mode parameter description rsi: fix rate mask set leading to P2P failure rsi: fix key enabled check causing unwanted encryption for vap_id > 0 rsi: fix occasional initialisation failure with BT coex wcn36xx: handle connection loss indication libata: fix checking of DMA state mwifiex: Read a PCI register after writing the TX ring write pointer wcn36xx: Fix HT40 capability for 2Ghz band evm: mark evm_fixmode as __ro_after_init rtl8187: fix control-message timeouts PCI: Mark Atheros QCA6174 to avoid bus reset ath10k: fix division by zero in send path ath10k: fix control-message timeout ath6kl: fix control-message timeout ath6kl: fix division by zero in send path mwifiex: fix division by zero in fw download path EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled hwmon: (pmbus/lm25066) Add offset coefficients ia64: kprobes: Fix to pass correct trampoline address to the handler btrfs: call btrfs_check_rw_degradable only if there is a missing device btrfs: fix lost error handling when replaying directory deletes btrfs: clear MISSING device status bit in btrfs_close_one_device vmxnet3: do not stop tx queues after netif_device_detach() watchdog: Fix OMAP watchdog early handling spi: spl022: fix Microwire full duplex mode xen/netfront: stop tx queues during live migration bpf: Prevent increasing bpf_jit_limit above max drm: panel-orientation-quirks: Add quirk for Aya Neo 2021 mmc: winbond: don't build on M68K hyperv/vmbus: include linux/bitops.h sfc: Don't use netif_info before net_device setup cavium: Fix return values of the probe function scsi: qla2xxx: Fix unmap of already freed sgl cavium: Return negative value when pci_alloc_irq_vectors() fails x86/irq: Ensure PI wakeup handler is unregistered before module unload x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c ALSA: timer: Unconditionally unlink slave instances, too ALSA: timer: Fix use-after-free problem ALSA: synth: missing check for possible NULL after the call to kstrdup ALSA: usb-audio: Add registration quirk for JBL Quantum 400 ALSA: line6: fix control and interrupt message timeouts ALSA: 6fire: fix control and bulk message timeouts ALSA: ua101: fix division by zero at probe ALSA: hda/realtek: Add quirk for Clevo PC70HS media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers media: ite-cir: IR receiver stop working after receive overflow crypto: s5p-sss - Add error handling in s5p_aes_probe() firmware/psci: fix application of sizeof to pointer tpm: Check for integer overflow in tpm2_map_response_body() parisc: Fix ptrace check on syscall return mmc: dw_mmc: Dont wait for DRTO on Write RSP error ocfs2: fix data corruption on truncate libata: fix read log timeout value Input: i8042 - Add quirk for Fujitsu Lifebook T725 Input: elantench - fix misreporting trackpoint coordinates binder: use cred instead of task for selinux checks binder: use euid from cred instead of using task xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay ANDROID: usb: gadget: f_accessory: Mitgate handling of non-existent USB request UPSTREAM: binder: use cred instead of task for getsecid FROMGIT: binder: fix test regression due to sender_euid change BACKPORT: binder: use cred instead of task for selinux checks UPSTREAM: binder: use euid from cred instead of using task ANDROID: setlocalversion: make KMI_GENERATION optional Linux 4.19.217 rsi: fix control-message timeout staging: rtl8192u: fix control-message timeouts staging: r8712u: fix control-message timeout comedi: vmk80xx: fix bulk and interrupt message timeouts comedi: vmk80xx: fix bulk-buffer overflow comedi: vmk80xx: fix transfer-buffer overflows comedi: ni_usb6501: fix NULL-deref in command paths comedi: dt9812: fix DMA buffers on stack isofs: Fix out of bound access for corrupted isofs image printk/console: Allow to disable console output by using console="" or console=null usb-storage: Add compatibility quirk flags for iODD 2531/2541 usb: musb: Balance list entry in musb_gadget_queue usb: gadget: Mark USB_FSL_QE broken on 64-bit usb: ehci: handshake CMD_RUN instead of STS_HALT Revert "x86/kvm: fix vcpu-id indexed array sizes" Linux 4.19.216 ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed sfc: Fix reading non-legacy supported link modes IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields IB/qib: Use struct_size() helper media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() scsi: core: Put LLD module refcnt after SCSI device is released UPSTREAM: security: selinux: allow per-file labeling for bpffs Linux 4.19.215 sctp: add vtag check in sctp_sf_ootb sctp: add vtag check in sctp_sf_do_8_5_1_E_sa sctp: add vtag check in sctp_sf_violation sctp: fix the processing for COOKIE_ECHO chunk sctp: use init_tag from inithdr for ABORT chunk net: nxp: lpc_eth.c: avoid hang when bringing interface down net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST net: Prevent infinite while loop in skb_tx_hash() net: batman-adv: fix error handling regmap: Fix possible double-free in regcache_rbtree_exit() arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node RDMA/mlx5: Set user priority for DCT net: lan78xx: fix division by zero in send path mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit mmc: sdhci: Map more voltage level to SDHCI_POWER_330 mmc: dw_mmc: exynos: fix the finding clock sample value mmc: cqhci: clear HALT state after CQE enable mmc: vub300: fix control-message timeouts ipv6: make exception cache less predictible ipv6: use siphash in rt6_exception_hash() ipv4: use siphash instead of Jenkins in fnhe_hashfun() Revert "net: mdiobus: Fix memory leak in __mdiobus_register" nfc: port100: fix using -ERRNO as command type mask ata: sata_mv: Fix the error handling of mv_chip_id() usbnet: fix error return code in usbnet_probe() usbnet: sanity check for maxpacket ARM: 8819/1: Remove '-p' from LDFLAGS arm64: Avoid premature usercopy failure powerpc/bpf: Fix BPF_MOD when imm == 1 ARM: 9141/1: only warn about XIP address when not compile testing ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype ARM: 9134/1: remove duplicate memcpy() definition ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned ANDROID: Incremental fs: Fix dentry get/put imbalance on vfs_mkdir() failure Linux 4.19.214 ARM: 9122/1: select HAVE_FUTEX_CMPXCHG tracing: Have all levels of checks prevent recursion net: mdiobus: Fix memory leak in __mdiobus_register scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma() ALSA: hda: avoid write to STATESTS if controller is in reset platform/x86: intel_scu_ipc: Update timeout value in comment isdn: mISDN: Fix sleeping function called from invalid context ARM: dts: spear3xx: Fix gmac node net: stmmac: add support for dwmac 3.40a btrfs: deal with errors when checking if a dir entry exists during log replay gcc-plugins/structleak: add makefile var for disabling structleak netfilter: Kconfig: use 'default y' instead of 'm' for bool config option isdn: cpai: check ctr->cnr to avoid array index out of bound nfc: nci: fix the UAF of rf_conn_info object mm, slub: fix mismatch between reconstructed freelist depth and cnt ASoC: DAPM: Fix missing kctl change notifications ALSA: hda/realtek: Add quirk for Clevo PC50HS ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset vfs: check fd has read access in kernel_read_file_from_fd() elfcore: correct reference to CONFIG_UML ocfs2: mount fails with buffer overflow in strlen ocfs2: fix data corruption after conversion from inline format can: peak_pci: peak_pci_remove(): fix UAF can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification can: rcar_can: fix suspend/resume net: hns3: disable sriov before unload hclge layer net: hns3: add limit ets dwrr bandwidth cannot be 0 NIOS2: irqflags: rename a redefined register name lan78xx: select CRC32 netfilter: ipvs: make global sysctl readonly in non-init netns ASoC: wm8960: Fix clock configuration on slave mode dma-debug: fix sg checks in debug_dma_map_sg() NFSD: Keep existing listeners on portlist error xtensa: xtfpga: Try software restart before simulating CPU reset xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default Change-Id: I29d109596ec63d8b26ae36edb5df0d163a4e51f6 Signed-off-by: bengris32 <bengris32@protonmail.ch> |
||
|
Jann Horn
|
a1504a9e20 |
ipc/sem: Fix dangling sem_array access in semtimedop race
[ Upstream commit b52be557e24c47286738276121177a41f54e3b83 ]
When __do_semtimedop() goes to sleep because it has to wait for a
semaphore value becoming zero or becoming bigger than some threshold, it
links the on-stack sem_queue to the sem_array, then goes to sleep
without holding a reference on the sem_array.
When __do_semtimedop() comes back out of sleep, one of two things must
happen:
a) We prove that the on-stack sem_queue has been disconnected from the
(possibly freed) sem_array, making it safe to return from the stack
frame that the sem_queue exists in.
b) We stabilize our reference to the sem_array, lock the sem_array, and
detach the sem_queue from the sem_array ourselves.
sem_array has RCU lifetime, so for case (b), the reference can be
stabilized inside an RCU read-side critical section by locklessly
checking whether the sem_queue is still connected to the sem_array.
However, the current code does the lockless check on sem_queue before
starting an RCU read-side critical section, so the result of the
lockless check immediately becomes useless.
Fix it by doing rcu_read_lock() before the lockless check. Now RCU
ensures that if we observe the object being on our queue, the object
can't be freed until rcu_read_unlock().
This bug is only hittable on kernel builds with full preemption support
(either CONFIG_PREEMPT or PREEMPT_DYNAMIC with preempt=full).
Fixes:
|
||
|
Alexander Mikhalitsyn
|
4e91adc737 |
shm: extend forced shm destroy to support objects from several IPC nses
commit 85b6d24646e4125c591639841169baa98a2da503 upstream.
Currently, the exit_shm() function not designed to work properly when
task->sysvshm.shm_clist holds shm objects from different IPC namespaces.
This is a real pain when sysctl kernel.shm_rmid_forced = 1, because it
leads to use-after-free (reproducer exists).
This is an attempt to fix the problem by extending exit_shm mechanism to
handle shm's destroy from several IPC ns'es.
To achieve that we do several things:
1. add a namespace (non-refcounted) pointer to the struct shmid_kernel
2. during new shm object creation (newseg()/shmget syscall) we
initialize this pointer by current task IPC ns
3. exit_shm() fully reworked such that it traverses over all shp's in
task->sysvshm.shm_clist and gets IPC namespace not from current task
as it was before but from shp's object itself, then call
shm_destroy(shp, ns).
Note: We need to be really careful here, because as it was said before
(1), our pointer to IPC ns non-refcnt'ed. To be on the safe side we
using special helper get_ipc_ns_not_zero() which allows to get IPC ns
refcounter only if IPC ns not in the "state of destruction".
Q/A
Q: Why can we access shp->ns memory using non-refcounted pointer?
A: Because shp object lifetime is always shorther than IPC namespace
lifetime, so, if we get shp object from the task->sysvshm.shm_clist
while holding task_lock(task) nobody can steal our namespace.
Q: Does this patch change semantics of unshare/setns/clone syscalls?
A: No. It's just fixes non-covered case when process may leave IPC
namespace without getting task->sysvshm.shm_clist list cleaned up.
Link: https://lkml.kernel.org/r/67bb03e5-f79c-1815-e2bf-949c67047418@colorfullife.com
Link: https://lkml.kernel.org/r/20211109151501.4921-1-manfred@colorfullife.com
Fixes:
|
||
|
Alexander Mikhalitsyn
|
766e08a7af |
ipc: WARN if trying to remove ipc object which is absent
commit 126e8bee943e9926238c891e2df5b5573aee76bc upstream.
Patch series "shm: shm_rmid_forced feature fixes".
Some time ago I met kernel crash after CRIU restore procedure,
fortunately, it was CRIU restore, so, I had dump files and could do
restore many times and crash reproduced easily. After some
investigation I've constructed the minimal reproducer. It was found
that it's use-after-free and it happens only if sysctl
kernel.shm_rmid_forced = 1.
The key of the problem is that the exit_shm() function not handles shp's
object destroy when task->sysvshm.shm_clist contains items from
different IPC namespaces. In most cases this list will contain only
items from one IPC namespace.
How can this list contain object from different namespaces? The
exit_shm() function is designed to clean up this list always when
process leaves IPC namespace. But we made a mistake a long time ago and
did not add a exit_shm() call into the setns() syscall procedures.
The first idea was just to add this call to setns() syscall but it
obviously changes semantics of setns() syscall and that's
userspace-visible change. So, I gave up on this idea.
The first real attempt to address the issue was just to omit forced
destroy if we meet shp object not from current task IPC namespace [1].
But that was not the best idea because task->sysvshm.shm_clist was
protected by rwsem which belongs to current task IPC namespace. It
means that list corruption may occur.
Second approach is just extend exit_shm() to properly handle shp's from
different IPC namespaces [2]. This is really non-trivial thing, I've
put a lot of effort into that but not believed that it's possible to
make it fully safe, clean and clear.
Thanks to the efforts of Manfred Spraul working an elegant solution was
designed. Thanks a lot, Manfred!
Eric also suggested the way to address the issue in ("[RFC][PATCH] shm:
In shm_exit destroy all created and never attached segments") Eric's
idea was to maintain a list of shm_clists one per IPC namespace, use
lock-less lists. But there is some extra memory consumption-related
concerns.
An alternative solution which was suggested by me was implemented in
("shm: reset shm_clist on setns but omit forced shm destroy"). The idea
is pretty simple, we add exit_shm() syscall to setns() but DO NOT
destroy shm segments even if sysctl kernel.shm_rmid_forced = 1, we just
clean up the task->sysvshm.shm_clist list.
This chages semantics of setns() syscall a little bit but in comparision
to the "naive" solution when we just add exit_shm() without any special
exclusions this looks like a safer option.
[1] https://lkml.org/lkml/2021/7/6/1108
[2] https://lkml.org/lkml/2021/7/14/736
This patch (of 2):
Let's produce a warning if we trying to remove non-existing IPC object
from IPC namespace kht/idr structures.
This allows us to catch possible bugs when the ipc_rmid() function was
called with inconsistent struct ipc_ids*, struct kern_ipc_perm*
arguments.
Link: https://lkml.kernel.org/r/20211027224348.611025-1-alexander.mikhalitsyn@virtuozzo.com
Link: https://lkml.kernel.org/r/20211027224348.611025-2-alexander.mikhalitsyn@virtuozzo.com
Co-developed-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com>
Cc: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Greg KH <gregkh@linuxfoundation.org>
Cc: Andrei Vagin <avagin@gmail.com>
Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Cc: Vasily Averin <vvs@virtuozzo.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Peng Zhou
|
c73dd294d4 |
[ALPS05914317] SDCARDFS: add back
We add back sdcardfs in 4.19 due to OTA and some legacy apks of MTK: - uxjack apk needs to use FUSE APIs - avoid case-insensitive filename feature effect MTK-Commit-Id: 265ee40dcc2b49bf804fc4d701576fb6d447181b Change-Id: I07cce3588e51118f402a2a306fe05c322c1b61a6 Signed-off-by: Peng Zhou <Peng.Zhou@mediatek.com> CR-Id: ALPS05914317 Feature: [Android Default] Sdcard File System |
||
|
Greg Kroah-Hartman
|
633920f372 |
Revert "ANDROID: vfs: Add permission2 for filesystems with per mount permissions"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
91d4544b24 |
Merge 4.19.124 into android-4.19-stable
Changes in 4.19.124 net: dsa: Do not make user port errors fatal shmem: fix possible deadlocks on shmlock_user_lock net/sonic: Fix a resource leak in an error handling path in 'jazz_sonic_probe()' net: moxa: Fix a potential double 'free_irq()' drop_monitor: work around gcc-10 stringop-overflow warning virtio-blk: handle block_device_operations callbacks after hot unplug scsi: sg: add sg_remove_request in sg_write mmc: sdhci-acpi: Add SDHCI_QUIRK2_BROKEN_64_BIT_DMA for AMDI0040 net: fix a potential recursive NETDEV_FEAT_CHANGE netlabel: cope with NULL catmap net: phy: fix aneg restart in phy_ethtool_set_eee pppoe: only process PADT targeted at local interfaces Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" tcp: fix error recovery in tcp_zerocopy_receive() virtio_net: fix lockdep warning on 32 bit hinic: fix a bug of ndo_stop net: dsa: loop: Add module soft dependency net: ipv4: really enforce backoff for redirects netprio_cgroup: Fix unlimited memory leak of v2 cgroups net: tcp: fix rx timestamp behavior for tcp_recvmsg tcp: fix SO_RCVLOWAT hangs with fat skbs riscv: fix vdso build with lld dmaengine: pch_dma.c: Avoid data race between probe and irq handler dmaengine: mmp_tdma: Reset channel error on release cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once ALSA: hda/hdmi: fix race in monitor detection during probe drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() ipc/util.c: sysvipc_find_ipc() incorrectly updates position index ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse gfs2: Another gfs2_walk_metadata fix pinctrl: baytrail: Enable pin configuration setting for GPIO chip pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler i40iw: Fix error handling in i40iw_manage_arp_cache() mmc: core: Check request type before completing the request mmc: block: Fix request completion in the CQE timeout path NFS: Fix fscache super_cookie index_key from changing after umount nfs: fscache: use timespec64 in inode auxdata NFSv4: Fix fscache cookie aux_data to ensure change_attr is included netfilter: conntrack: avoid gcc-10 zero-length-bounds warning arm64: fix the flush_icache_range arguments in machine_kexec netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start() IB/mlx4: Test return value of calls to ib_get_cached_pkey hwmon: (da9052) Synchronize access with mfd pnp: Use list_for_each_entry() instead of open coding gcc-10 warnings: fix low-hanging fruit kbuild: compute false-positive -Wmaybe-uninitialized cases in Kconfig Stop the ad-hoc games with -Wno-maybe-initialized gcc-10: disable 'zero-length-bounds' warning for now gcc-10: disable 'array-bounds' warning for now gcc-10: disable 'stringop-overflow' warning for now gcc-10: disable 'restrict' warning for now gcc-10: avoid shadowing standard library 'free()' in crypto ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 ALSA: rawmidi: Fix racy buffer resize under concurrent accesses ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B usb: host: xhci-plat: keep runtime active when removing host USB: gadget: fix illegal array access in binding with UDC usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list ARM: dts: dra7: Fix bus_dma_limit for PCIe ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries cifs: fix leaked reference on requeued write x86: Fix early boot crash on gcc-10, third try x86/unwind/orc: Fix error handling in __unwind_start() exec: Move would_dump into flush_old_exec clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg() usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' usb: gadget: audio: Fix a missing error return value in audio_bind() usb: gadget: legacy: fix error return code in gncm_bind() usb: gadget: legacy: fix error return code in cdc_bind() Revert "ALSA: hda/realtek: Fix pop noise on ALC225" clk: Unlink clock if failed to prepare or enable arm64: dts: rockchip: Replace RK805 PMIC node name with "pmic" on rk3328 boards arm64: dts: rockchip: Rename dwc3 device nodes on rk3399 to make dtc happy ARM: dts: r8a73a4: Add missing CMT1 interrupts arm64: dts: renesas: r8a77980: Fix IPMMU VIP[01] nodes ARM: dts: r8a7740: Add missing extal2 to CPG node KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce Makefile: disallow data races on gcc-10 as well Linux 4.19.124 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3d253f677cc08337e64d316005a0ec0c33717940 |
||
|
Vasily Averin
|
15e0db6e61 |
ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
[ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ]
Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase
position index") is causing this bug (seen on 5.6.8):
# ipcs -q
------ Message Queues --------
key msqid owner perms used-bytes messages
# ipcmk -Q
Message queue id: 0
# ipcs -q
------ Message Queues --------
key msqid owner perms used-bytes messages
0x82db8127 0 root 644 0 0
# ipcmk -Q
Message queue id: 1
# ipcs -q
------ Message Queues --------
key msqid owner perms used-bytes messages
0x82db8127 0 root 644 0 0
0x76d1fb2a 1 root 644 0 0
# ipcrm -q 0
# ipcs -q
------ Message Queues --------
key msqid owner perms used-bytes messages
0x76d1fb2a 1 root 644 0 0
0x76d1fb2a 1 root 644 0 0
# ipcmk -Q
Message queue id: 2
# ipcrm -q 2
# ipcs -q
------ Message Queues --------
key msqid owner perms used-bytes messages
0x76d1fb2a 1 root 644 0 0
0x76d1fb2a 1 root 644 0 0
# ipcmk -Q
Message queue id: 3
# ipcrm -q 1
# ipcs -q
------ Message Queues --------
key msqid owner perms used-bytes messages
0x7c982867 3 root 644 0 0
0x7c982867 3 root 644 0 0
0x7c982867 3 root 644 0 0
0x7c982867 3 root 644 0 0
Whenever an IPC item with a low id is deleted, the items with higher ids
are duplicated, as if filling a hole.
new_pos should jump through hole of unused ids, pos can be updated
inside "for" cycle.
Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index")
Reported-by: Andreas Schwab <schwab@suse.de>
Reported-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Acked-by: Waiman Long <longman@redhat.com>
Cc: NeilBrown <neilb@suse.com>
Cc: Steven Rostedt <rostedt@goodmis.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Peter Oberparleiter <oberpar@linux.ibm.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Cc: <stable@vger.kernel.org>
Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
bedd88210d |
Merge 4.19.123 into android-4.19
Changes in 4.19.123 USB: serial: qcserial: Add DW5816e support tracing/kprobes: Fix a double initialization typo vt: fix unicode console freeing with a common interface dp83640: reverse arguments to list_add_tail fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks net: macsec: preserve ingress frame ordering net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() net_sched: sch_skbprio: add message validation to skbprio_change() net: usb: qmi_wwan: add support for DW5816e sch_choke: avoid potential panic in choke_reset() sch_sfq: validate silly quantum values tipc: fix partial topology connection closure bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features(). net/mlx5: Fix forced completion access non initialized command entry net/mlx5: Fix command entry leak in Internal Error State bnxt_en: Improve AER slot reset. bnxt_en: Fix VF anti-spoof filter setup. net: stricter validation of untrusted gso packets HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices sctp: Fix bundling of SHUTDOWN with COOKIE-ACK HID: usbhid: Fix race between usbhid_close() and usbhid_stop() USB: uas: add quirk for LaCie 2Big Quadra USB: serial: garmin_gps: add sanity checking for data length tracing: Add a vmalloc_sync_mappings() for safe measure KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER KVM: arm64: Fix 32bit PC wrap-around arm64: hugetlb: avoid potential NULL dereference mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() staging: gasket: Check the return value of gasket_get_bar_index() coredump: fix crash when umh is disabled KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()'s asm blob batman-adv: fix batadv_nc_random_weight_tq batman-adv: Fix refcnt leak in batadv_show_throughput_override batman-adv: Fix refcnt leak in batadv_store_throughput_override batman-adv: Fix refcnt leak in batadv_v_ogm_process x86/entry/64: Fix unwind hints in register clearing code x86/entry/64: Fix unwind hints in kernel exit path x86/entry/64: Fix unwind hints in rewind_stack_do_exit() x86/unwind/orc: Don't skip the first frame for inactive tasks x86/unwind/orc: Prevent unwinding before ORC initialization x86/unwind/orc: Fix error path for bad ORC entry type x86/unwind/orc: Fix premature unwind stoppage due to IRET frames netfilter: nat: never update the UDP checksum when it's 0 netfilter: nf_osf: avoid passing pointer to local var objtool: Fix stack offset tracking for indirect CFAs scripts/decodecode: fix trapping instruction formatting ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() Linux 4.19.123 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ib87d493c94816aa0a0754530669a8bd688964987 |
||
|
Oleg Nesterov
|
c7eb87c8ba |
ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()
[ Upstream commit b5f2006144c6ae941726037120fa1001ddede784 ] Commit |
||
|
Greg Kroah-Hartman
|
be3bb0daac |
Merge 4.19.119 into android-4.19
Changes in 4.19.119 ext4: fix extent_status fragmentation for plain files drm/msm: Use the correct dma_sync calls harder bpftool: Fix printing incorrect pointer in btf_dump_ptr crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static vti4: removed duplicate log message. arm64: Add part number for Neoverse N1 arm64: errata: Hide CTR_EL0.DIC on systems affected by Neoverse-N1 #1542419 arm64: Fake the IminLine size on systems affected by Neoverse-N1 #1542419 arm64: compat: Workaround Neoverse-N1 #1542419 for compat user-space arm64: Silence clang warning on mismatched value/register sizes watchdog: reset last_hw_keepalive time at start scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG ceph: return ceph_mdsc_do_request() errors from __get_parent() ceph: don't skip updating wanted caps when cap is stale pwm: rcar: Fix late Runtime PM enablement scsi: iscsi: Report unbind session event when the target has been removed ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() nvme: fix deadlock caused by ANA update wrong locking kernel/gcov/fs.c: gcov_seq_next() should increase position index selftests: kmod: fix handling test numbers above 9 ipc/util.c: sysvipc_find_ipc() should increase position index kconfig: qconf: Fix a few alignment issues s390/cio: avoid duplicated 'ADD' uevents loop: Better discard support for block devices Revert "powerpc/64: irq_work avoid interrupt when called with hardware irqs enabled" pwm: renesas-tpu: Fix late Runtime PM enablement pwm: bcm2835: Dynamically allocate base perf/core: Disable page faults when getting phys address ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN MPWIN895CL tablet xhci: Ensure link state is U3 after setting USB_SS_PORT_LS_U3 drm/amd/display: Not doing optimize bandwidth if flip pending. tracing/selftests: Turn off timeout setting virtio-blk: improve virtqueue error to BLK_STS scsi: smartpqi: fix call trace in device discovery PCI/ASPM: Allow re-enabling Clock PM net: ipv6: add net argument to ip6_dst_lookup_flow net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup blktrace: Protect q->blk_trace with RCU blktrace: fix dereference after null check f2fs: fix to avoid memory leakage in f2fs_listxattr KVM: VMX: Zero out *all* general purpose registers after VM-Exit KVM: nVMX: Always sync GUEST_BNDCFGS when it comes from vmcs01 KVM: Introduce a new guest mapping API kvm: fix compilation on aarch64 kvm: fix compilation on s390 kvm: fix compile on s390 part 2 KVM: Properly check if "page" is valid in kvm_vcpu_unmap x86/kvm: Introduce kvm_(un)map_gfn() x86/kvm: Cache gfn to pfn translation x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed x86/KVM: Clean up host's steal time structure cxgb4: fix adapter crash due to wrong MC size cxgb4: fix large delays in PTP synchronization ipv6: fix restrict IPV6_ADDRFORM operation macsec: avoid to set wrong mtu macvlan: fix null dereference in macvlan_device_event() net: bcmgenet: correct per TX/RX ring statistics net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node net: stmmac: dwmac-meson8b: Add missing boundary to RGMII TX clock array net/x25: Fix x25_neigh refcnt leak when receiving frame sched: etf: do not assume all sockets are full blown tcp: cache line align MAX_TCP_HEADER team: fix hang in team_mode_get() vrf: Fix IPv6 with qdisc and xfrm net: dsa: b53: Lookup VID in ARL searches when VLAN is enabled net: dsa: b53: Fix ARL register definitions net: dsa: b53: Rework ARL bin logic net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish vrf: Check skb for XFRM_TRANSFORMED flag mlxsw: Fix some IS_ERR() vs NULL bugs KEYS: Avoid false positive ENOMEM error on key read ALSA: hda: Remove ASUS ROG Zenith from the blacklist ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos ALSA: usb-audio: Add connector notifier delegation iio: core: remove extra semi-colon from devm_iio_device_register() macro iio: st_sensors: rely on odr mask to know if odr can be set iio: adc: stm32-adc: fix sleep in atomic context iio: xilinx-xadc: Fix ADC-B powerdown iio: xilinx-xadc: Fix clearing interrupt when enabling trigger iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode iio: xilinx-xadc: Make sure not exceed maximum samplerate fs/namespace.c: fix mountpoint reference counter race USB: sisusbvga: Change port variable from signed to unsigned USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE USB: early: Handle AMD's spec-compliant identifiers, too USB: core: Fix free-while-in-use bug in the USB S-Glibrary USB: hub: Fix handling of connect changes during sleep vmalloc: fix remap_vmalloc_range() bounds checks mm/hugetlb: fix a addressing exception caused by huge_pte_offset mm/ksm: fix NULL pointer dereference when KSM zero page is enabled tools/vm: fix cross-compile build ALSA: usx2y: Fix potential NULL dereference ALSA: hda/realtek - Fix unexpected init_amp override ALSA: hda/realtek - Add new codec supported for ALC245 ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices tpm/tpm_tis: Free IRQ if probing fails tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() KVM: s390: Return last valid slot if approx index is out-of-bounds KVM: Check validity of resolved slot when searching memslots KVM: VMX: Enable machine check support for 32bit targets tty: hvc: fix buffer overflow during hvc_alloc(). tty: rocket, avoid OOB access usb-storage: Add unusual_devs entry for JMicron JMS566 audit: check the length of userspace generated audit records ASoC: dapm: fixup dapm kcontrol widget iwlwifi: pcie: actually release queue memory in TVQM iwlwifi: mvm: beacon statistics shouldn't go backwards ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y powerpc/setup_64: Set cache-line-size based on cache-block-size staging: comedi: dt2815: fix writing hi byte of analog output staging: comedi: Fix comedi_device refcnt leak in comedi_open vt: don't hardcode the mem allocation upper bound vt: don't use kmalloc() for the unicode screen buffer staging: vt6656: Don't set RCR_MULTICAST or RCR_BROADCAST by default. staging: vt6656: Fix calling conditions of vnt_set_bss_mode staging: vt6656: Fix drivers TBTT timing counter. staging: vt6656: Fix pairwise key entry save. staging: vt6656: Power save stop wake_up_count wrap around. cdc-acm: close race betrween suspend() and acm_softint cdc-acm: introduce a cool down UAS: no use logging any details in case of ENODEV UAS: fix deadlock in error handling and PM flushing work usb: dwc3: gadget: Fix request completion check usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() xhci: prevent bus suspend if a roothub port detected a over-current condition serial: sh-sci: Make sure status register SCxSR is read in correct sequence xfs: Fix deadlock between AGI and AGF with RENAME_WHITEOUT s390/mm: fix page table upgrade vs 2ndary address mode accesses Linux 4.19.119 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4b16db8472367d135a4ff68d2863c634bf093ef5 |
||
|
Vasily Averin
|
cb0ab2beb9 |
ipc/util.c: sysvipc_find_ipc() should increase position index
[ Upstream commit 89163f93c6f969da5811af5377cc10173583123b ] If seq_file .next function does not change position index, read after some lseek can generate unexpected output. https://bugzilla.kernel.org/show_bug.cgi?id=206283 Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Waiman Long <longman@redhat.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Ingo Molnar <mingo@redhat.com> Cc: NeilBrown <neilb@suse.com> Cc: Peter Oberparleiter <oberpar@linux.ibm.com> Cc: Steven Rostedt <rostedt@goodmis.org> Link: http://lkml.kernel.org/r/b7a20945-e315-8bb0-21e6-3875c14a8494@virtuozzo.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
7cd2c86c50 |
Merge 4.19.107 into android-4.19
Changes in 4.19.107 iommu/qcom: Fix bogus detach logic ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs ALSA: hda/realtek - Apply quirk for MSI GP63, too ALSA: hda/realtek - Apply quirk for yet another MSI laptop ASoC: sun8i-codec: Fix setting DAI data format ecryptfs: fix a memory leak bug in parse_tag_1_packet() ecryptfs: fix a memory leak bug in ecryptfs_init_messaging() thunderbolt: Prevent crash if non-active NVMem file is read USB: misc: iowarrior: add support for 2 OEMed devices USB: misc: iowarrior: add support for the 28 and 28L devices USB: misc: iowarrior: add support for the 100 device floppy: check FDC index for errors before assigning it vt: fix scrollback flushing on background consoles vt: selection, handle pending signals in paste_selection vt: vt_ioctl: fix race in VT_RESIZEX staging: android: ashmem: Disallow ashmem memory from being remapped staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi. xhci: Force Maximum Packet size for Full-speed bulk devices to valid range. xhci: fix runtime pm enabling for quirky Intel hosts xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2 usb: host: xhci: update event ring dequeue pointer on purpose USB: core: add endpoint-blacklist quirk USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 usb: uas: fix a plug & unplug racing USB: Fix novation SourceControl XL after suspend USB: hub: Don't record a connect-change event during reset-resume USB: hub: Fix the broken detection of USB3 device in SMSC hub usb: dwc2: Fix SET/CLEAR_FEATURE and GET_STATUS flows usb: dwc3: gadget: Check for IOC/LST bit in TRB->ctrl fields staging: rtl8188eu: Fix potential security hole staging: rtl8188eu: Fix potential overuse of kernel memory staging: rtl8723bs: Fix potential security hole staging: rtl8723bs: Fix potential overuse of kernel memory powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery jbd2: fix ocfs2 corrupt when clearing block group bits x86/mce/amd: Publish the bank pointer only after setup has succeeded x86/mce/amd: Fix kobject lifetime x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF serial: 8250: Check UPF_IRQ_SHARED in advance tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode tty: serial: imx: setup the correct sg entry for tx dma serdev: ttyport: restore client ops on deregistration MAINTAINERS: Update drm/i915 bug filing URL Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps() nvme-multipath: Fix memory leak with ana_log_buf genirq/irqdomain: Make sure all irq domain flags are distinct mm/vmscan.c: don't round up scan size for online memory cgroup drm/amdgpu/soc15: fix xclk for raven xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms KVM: nVMX: Don't emulate instructions in guest mode KVM: x86: don't notify userspace IOAPIC on edge-triggered interrupt EOI tty: serial: qcom_geni_serial: Fix UART hang tty: serial: qcom_geni_serial: Remove interrupt storm tty: serial: qcom_geni_serial: Remove use of *_relaxed() and mb() tty: serial: qcom_geni_serial: Remove set_rfr_wm() and related variables tty: serial: qcom_geni_serial: Remove xfer_mode variable tty: serial: qcom_geni_serial: Fix RX cancel command failure lib/stackdepot.c: fix global out-of-bounds in stack_slabs drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets ext4: fix a data race in EXT4_I(inode)->i_disksize ext4: add cond_resched() to __ext4_find_entry() ext4: fix potential race between online resizing and write operations ext4: fix potential race between s_group_info online resizing and access ext4: fix potential race between s_flex_groups online resizing and access ext4: fix mount failure with quota configured as module ext4: rename s_journal_flag_rwsem to s_writepages_rwsem ext4: fix race between writepages and enabling EXT4_EXTENTS_FL KVM: nVMX: Refactor IO bitmap checks into helper function KVM: nVMX: Check IO instruction VM-exit conditions KVM: nVMX: handle nested posted interrupts when apicv is disabled for L1 KVM: apic: avoid calculating pending eoi from an uninitialized val btrfs: fix bytes_may_use underflow in prealloc error condtition btrfs: reset fs_root to NULL on error in open_ctree btrfs: do not check delayed items are empty for single transaction cleanup Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents Revert "dmaengine: imx-sdma: Fix memory leak" scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout" scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus usb: dwc2: Fix in ISOC request length checking staging: rtl8723bs: fix copy of overlapping memory staging: greybus: use after free in gb_audio_manager_remove_all() ecryptfs: replace BUG_ON with error handling code iommu/vt-d: Fix compile warning from intel-svm.h genirq/proc: Reject invalid affinity masks (again) bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill ALSA: rawmidi: Avoid bit fields for state flags ALSA: seq: Avoid concurrent access to queue flags ALSA: seq: Fix concurrent access to queue current tick/time netfilter: xt_hashlimit: limit the max size of hashtable rxrpc: Fix call RCU cleanup using non-bh-safe locks ata: ahci: Add shutdown to freeze hardware resources of ahci xen: Enable interrupts when calling _cond_resched() s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range Revert "char/random: silence a lockdep splat with printk()" Linux 4.19.107 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I74e3d49c54d4afcfa4049042163cb879c3de3100 |
||
|
Ioanna Alifieraki
|
cf85f00f87 |
Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
commit edf28f4061afe4c2d9eb1c3323d90e882c1d6800 upstream. This reverts commit |
||
|
Greg Kroah-Hartman
|
3389e56d31 |
Merge 4.19.103 into android-4.19
Changes in 4.19.103
Revert "drm/sun4i: dsi: Change the start delay calculation"
ovl: fix lseek overflow on 32bit
kernel/module: Fix memleak in module_add_modinfo_attrs()
media: iguanair: fix endpoint sanity check
ocfs2: fix oops when writing cloned file
x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR
udf: Allow writing to 'Rewritable' partitions
printk: fix exclusive_console replaying
iwlwifi: mvm: fix NVM check for 3168 devices
sparc32: fix struct ipc64_perm type definition
cls_rsvp: fix rsvp_policy
gtp: use __GFP_NOWARN to avoid memalloc warning
l2tp: Allow duplicate session creation with UDP
net: hsr: fix possible NULL deref in hsr_handle_frame()
net_sched: fix an OOB access in cls_tcindex
net: stmmac: Delete txtimer in suspend()
bnxt_en: Fix TC queue mapping.
tcp: clear tp->total_retrans in tcp_disconnect()
tcp: clear tp->delivered in tcp_disconnect()
tcp: clear tp->data_segs{in|out} in tcp_disconnect()
tcp: clear tp->segs_{in|out} in tcp_disconnect()
rxrpc: Fix use-after-free in rxrpc_put_local()
rxrpc: Fix insufficient receive notification generation
rxrpc: Fix missing active use pinning of rxrpc_local object
rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors
mfd: dln2: More sanity checking for endpoints
ipc/msg.c: consolidate all xxxctl_down() functions
tracing: Fix sched switch start/stop refcount racy updates
rcu: Avoid data-race in rcu_gp_fqs_check_wake()
brcmfmac: Fix memory leak in brcmf_usbdev_qinit
usb: typec: tcpci: mask event interrupts when remove driver
usb: gadget: legacy: set max_speed to super-speed
usb: gadget: f_ncm: Use atomic_t to track in-flight request
usb: gadget: f_ecm: Use atomic_t to track in-flight request
ALSA: usb-audio: Fix endianess in descriptor validation
ALSA: dummy: Fix PCM format loop in proc output
mm/memory_hotplug: fix remove_memory() lockdep splat
mm: move_pages: report the number of non-attempted pages
media/v4l2-core: set pages dirty upon releasing DMA buffers
media: v4l2-core: compat: ignore native command codes
media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments
lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more()
irqdomain: Fix a memory leak in irq_domain_push_irq()
platform/x86: intel_scu_ipc: Fix interrupt support
ALSA: hda: Add Clevo W65_67SB the power_save blacklist
KVM: arm64: Correct PSTATE on exception entry
KVM: arm/arm64: Correct CPSR on exception entry
KVM: arm/arm64: Correct AArch32 SPSR on exception entry
KVM: arm64: Only sign-extend MMIO up to register width
MIPS: fix indentation of the 'RELOCS' message
MIPS: boot: fix typo in 'vmlinux.lzma.its' target
s390/mm: fix dynamic pagetable upgrade for hugetlbfs
powerpc/xmon: don't access ASDR in VMs
powerpc/pseries: Advance pfn if section is not present in lmb_is_removable()
smb3: fix signing verification of large reads
PCI: tegra: Fix return value check of pm_runtime_get_sync()
mmc: spi: Toggle SPI polarity, do not hardcode it
ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards
ACPI / battery: Deal with design or full capacity being reported as -1
ACPI / battery: Use design-cap for capacity calculations if full-cap is not available
ACPI / battery: Deal better with neither design nor full capacity not being reported
alarmtimer: Unregister wakeup source when module get fails
ubifs: Reject unsupported ioctl flags explicitly
ubifs: don't trigger assertion on invalid no-key filename
ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag
ubifs: Fix deadlock in concurrent bulk-read and writepage
crypto: geode-aes - convert to skcipher API and make thread-safe
PCI: keystone: Fix link training retries initiation
mmc: sdhci-of-at91: fix memleak on clk_get failure
hv_balloon: Balloon up according to request page number
mfd: axp20x: Mark AXP20X_VBUS_IPSOUT_MGMT as volatile
crypto: api - Check spawn->alg under lock in crypto_drop_spawn
crypto: ccree - fix backlog memory leak
crypto: ccree - fix pm wrongful error reporting
crypto: ccree - fix PM race condition
scripts/find-unused-docs: Fix massive false positives
scsi: qla2xxx: Fix mtcp dump collection failure
power: supply: ltc2941-battery-gauge: fix use-after-free
ovl: fix wrong WARN_ON() in ovl_cache_update_ino()
f2fs: choose hardlimit when softlimit is larger than hardlimit in f2fs_statfs_project()
f2fs: fix miscounted block limit in f2fs_statfs_project()
f2fs: code cleanup for f2fs_statfs_project()
PM: core: Fix handling of devices deleted during system-wide resume
of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc
dm zoned: support zone sizes smaller than 128MiB
dm space map common: fix to ensure new block isn't already in use
dm crypt: fix benbi IV constructor crash if used in authenticated mode
dm: fix potential for q->make_request_fn NULL pointer
dm writecache: fix incorrect flush sequence when doing SSD mode commit
padata: Remove broken queue flushing
tracing: Annotate ftrace_graph_hash pointer with __rcu
tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu
ftrace: Add comment to why rcu_dereference_sched() is open coded
ftrace: Protect ftrace_graph_hash with ftrace_sync
samples/bpf: Don't try to remove user's homedir on clean
crypto: ccp - set max RSA modulus size for v3 platform devices as well
crypto: pcrypt - Do not clear MAY_SLEEP flag in original request
crypto: atmel-aes - Fix counter overflow in CTR mode
crypto: api - Fix race condition in crypto_spawn_alg
crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill
scsi: qla2xxx: Fix unbound NVME response length
NFS: Fix memory leaks and corruption in readdir
NFS: Directory page cache pages need to be locked when read
jbd2_seq_info_next should increase position index
Btrfs: fix missing hole after hole punching and fsync when using NO_HOLES
btrfs: set trans->drity in btrfs_commit_transaction
Btrfs: fix race between adding and putting tree mod seq elements and nodes
ARM: tegra: Enable PLLP bypass during Tegra124 LP1
iwlwifi: don't throw error when trying to remove IGTK
mwifiex: fix unbalanced locking in mwifiex_process_country_ie()
sunrpc: expiry_time should be seconds not timeval
gfs2: move setting current->backing_dev_info
gfs2: fix O_SYNC write handling
drm/rect: Avoid division by zero
media: rc: ensure lirc is initialized before registering input device
tools/kvm_stat: Fix kvm_exit filter name
xen/balloon: Support xend-based toolstack take two
watchdog: fix UAF in reboot notifier handling in watchdog core code
bcache: add readahead cache policy options via sysfs interface
eventfd: track eventfd_signal() recursion depth
aio: prevent potential eventfd recursion on poll
KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks
KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks
KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks
KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks
KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks
KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks
KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks
KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks
KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks
KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c
KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks
KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks
KVM: x86: Fix potential put_fpu() w/o load_fpu() on MPX platform
KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails
KVM: PPC: Book3S PR: Free shared page if mmu initialization fails
x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit
KVM: x86: Don't let userspace set host-reserved cr4 bits
KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails
KVM: s390: do not clobber registers during guest reset/store status
clk: tegra: Mark fuse clock as critical
drm/amd/dm/mst: Ignore payload update failures
percpu: Separate decrypted varaibles anytime encryption can be enabled
scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type
scsi: csiostor: Adjust indentation in csio_device_reset
scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free
scsi: ufs: Recheck bkops level if bkops is disabled
phy: qualcomm: Adjust indentation in read_poll_timeout
ext2: Adjust indentation in ext2_fill_super
powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize
drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable
NFC: pn544: Adjust indentation in pn544_hci_check_presence
ppp: Adjust indentation into ppp_async_input
net: smc911x: Adjust indentation in smc911x_phy_configure
net: tulip: Adjust indentation in {dmfe, uli526x}_init_module
IB/mlx5: Fix outstanding_pi index for GSI qps
IB/core: Fix ODP get user pages flow
nfsd: fix delay timer on 32-bit architectures
nfsd: fix jiffies/time_t mixup in LRU list
nfsd: Return the correct number of bytes written to the file
ubi: fastmap: Fix inverted logic in seen selfcheck
ubi: Fix an error pointer dereference in error handling code
mfd: da9062: Fix watchdog compatible string
mfd: rn5t618: Mark ADC control register volatile
bonding/alb: properly access headers in bond_alb_xmit()
net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port
net: mvneta: move rx_dropped and rx_errors in per-cpu stats
net_sched: fix a resource leak in tcindex_set_parms()
net: systemport: Avoid RBUF stuck in Wake-on-LAN mode
net/mlx5: IPsec, Fix esp modify function attribute
net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx
net: macb: Remove unnecessary alignment check for TSO
net: macb: Limit maximum GEM TX length in TSO
net: dsa: b53: Always use dev->vlan_enabled in b53_configure_vlan()
ext4: fix deadlock allocating crypto bounce page from mempool
btrfs: use bool argument in free_root_pointers()
btrfs: free block groups after free'ing fs trees
drm: atmel-hlcdc: enable clock before configuring timing engine
drm/dp_mst: Remove VCPI while disabling topology mgr
btrfs: flush write bio if we loop in extent_write_cache_pages
KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM
KVM: x86: Use gpa_t for cr2/gpa to fix TDP support on 32-bit KVM
KVM: VMX: Add non-canonical check on writes to RTIT address MSRs
KVM: nVMX: vmread should not set rflags to specify success in case of #PF
KVM: Use vcpu-specific gva->hva translation when querying host page size
KVM: Play nice with read-only memslots when querying host page size
mm: zero remaining unavailable struct pages
mm: return zero_resv_unavail optimization
mm/page_alloc.c: fix uninitialized memmaps on a partially populated last section
cifs: fail i/o on soft mounts if sessionsetup errors out
x86/apic/msi: Plug non-maskable MSI affinity race
clocksource: Prevent double add_timer_on() for watchdog_timer
perf/core: Fix mlock accounting in perf_mmap()
rxrpc: Fix service call disconnection
Linux 4.19.103
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I0d7f09085c3541373e0fd6b2e3ffacc5e34f7d55
|
||
|
Lu Shuaibing
|
078dd7328e |
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream. A use of uninitialized memory in msgctl_down() because msqid64 in ksys_msgctl hasn't been initialized. The local | msqid64 | is created in ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64 is never initialized before msgctl_down() checks msqid64->msg_qbytes. KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool) reports: ================================================================== BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300 Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022 CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 Call Trace: dump_stack+0x75/0xae __kumsan_report+0x17c/0x3e6 kumsan_report+0xe/0x20 msgctl_down+0x94/0x300 ksys_msgctl.constprop.14+0xef/0x260 do_syscall_64+0x7e/0x1f0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4400e9 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047 RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970 R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the page: page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x100000000000000() raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kumsan: bad access detected ================================================================== Syzkaller reproducer: msgctl$IPC_RMID(0x0, 0x0) C reproducer: // autogenerated by syzkaller (https://github.com/google/syzkaller) int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); syscall(__NR_msgctl, 0, 0, 0); return 0; } [natechancellor@gmail.com: adjust indentation in ksys_msgctl] Link: https://github.com/ClangBuiltLinux/linux/issues/829 Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com Signed-off-by: Lu Shuaibing <shuaibinglu@126.com> Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Suggested-by: Arnd Bergmann <arnd@arndb.de> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: NeilBrown <neilb@suse.com> From: Andrew Morton <akpm@linux-foundation.org> Subject: ipc/msg.c: consolidate all xxxctl_down() functions Each line here overflows 80 cols by exactly one character. Delete one tab per line to fix. Cc: Shaohua Li <shli@fb.com> Cc: Jens Axboe <axboe@kernel.dk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
de4c70d6a9 |
Merge 4.19.65 into android-4.19
Changes in 4.19.65
ARM: riscpc: fix DMA
ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200
ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again
ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend
ftrace: Enable trampoline when rec count returns back to one
dmaengine: tegra-apb: Error out if DMA_PREP_INTERRUPT flag is unset
arm64: dts: rockchip: fix isp iommu clocks and power domain
kernel/module.c: Only return -EEXIST for modules that have finished loading
firmware/psci: psci_checker: Park kthreads before stopping them
MIPS: lantiq: Fix bitfield masking
dmaengine: rcar-dmac: Reject zero-length slave DMA requests
clk: tegra210: fix PLLU and PLLU_OUT1
fs/adfs: super: fix use-after-free bug
clk: sprd: Add check for return value of sprd_clk_regmap_init()
btrfs: fix minimum number of chunk errors for DUP
btrfs: qgroup: Don't hold qgroup_ioctl_lock in btrfs_qgroup_inherit()
cifs: Fix a race condition with cifs_echo_request
ceph: fix improper use of smp_mb__before_atomic()
ceph: return -ERANGE if virtual xattr value didn't fit in buffer
ACPI: blacklist: fix clang warning for unused DMI table
scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized
perf version: Fix segfault due to missing OPT_END()
x86: kvm: avoid constant-conversion warning
ACPI: fix false-positive -Wuninitialized warning
be2net: Signal that the device cannot transmit during reconfiguration
x86/apic: Silence -Wtype-limits compiler warnings
x86: math-emu: Hide clang warnings for 16-bit overflow
mm/cma.c: fail if fixed declaration can't be honored
lib/test_overflow.c: avoid tainting the kernel and fix wrap size
lib/test_string.c: avoid masking memset16/32/64 failures
coda: add error handling for fget
coda: fix build using bare-metal toolchain
uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers
drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings
ipc/mqueue.c: only perform resource calculation if user valid
mlxsw: spectrum_dcb: Configure DSCP map as the last rule is removed
xen/pv: Fix a boot up hang revealed by int3 self test
x86/kvm: Don't call kvm_spurious_fault() from .fixup
x86/paravirt: Fix callee-saved function ELF sizes
x86, boot: Remove multiple copy of static function sanitize_boot_params()
drm/nouveau: fix memory leak in nouveau_conn_reset()
kconfig: Clear "written" flag to avoid data loss
kbuild: initialize CLANG_FLAGS correctly in the top Makefile
Btrfs: fix incremental send failure after deduplication
Btrfs: fix race leading to fs corruption after transaction abort
mmc: dw_mmc: Fix occasional hang after tuning on eMMC
mmc: meson-mx-sdio: Fix misuse of GENMASK macro
gpiolib: fix incorrect IRQ requesting of an active-low lineevent
IB/hfi1: Fix Spectre v1 vulnerability
mtd: rawnand: micron: handle on-die "ECC-off" devices correctly
selinux: fix memory leak in policydb_init()
ALSA: hda: Fix 1-minute detection delay when i915 module is not available
mm: vmscan: check if mem cgroup is disabled or not before calling memcg slab shrinker
s390/dasd: fix endless loop after read unit address configuration
cgroup: kselftest: relax fs_spec checks
parisc: Fix build of compressed kernel even with debug enabled
drivers/perf: arm_pmu: Fix failure path in PM notifier
arm64: compat: Allow single-byte watchpoints on all addresses
arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG}
nbd: replace kill_bdev() with __invalidate_device() again
xen/swiotlb: fix condition for calling xen_destroy_contiguous_region()
IB/mlx5: Fix unreg_umr to ignore the mkey state
IB/mlx5: Use direct mkey destroy command upon UMR unreg failure
IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache
IB/mlx5: Fix clean_mr() to work in the expected order
IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification
IB/hfi1: Check for error on call to alloc_rsm_map_table
drm/i915/gvt: fix incorrect cache entry for guest page mapping
eeprom: at24: make spd world-readable again
ARC: enable uboot support unconditionally
objtool: Support GCC 9 cold subfunction naming scheme
gcc-9: properly declare the {pv,hv}clock_page storage
x86/vdso: Prevent segfaults due to hoisted vclock reads
scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA
x86/cpufeatures: Carve out CQM features retrieval
x86/cpufeatures: Combine word 11 and 12 into a new scattered features word
x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations
x86/speculation: Enable Spectre v1 swapgs mitigations
x86/entry/64: Use JMP instead of JMPQ
x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS
Documentation: Add swapgs description to the Spectre v1 documentation
Linux 4.19.65
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iceeabdb164657e0a616db618e6aa8445d56b0dc1
|
||
|
Kees Cook
|
48c5c4f0a4 |
ipc/mqueue.c: only perform resource calculation if user valid
[ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ]
Andreas Christoforou reported:
UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow:
9 * 2305843009213693951 cannot be represented in type 'long int'
...
Call Trace:
mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414
evict+0x472/0x8c0 fs/inode.c:558
iput_final fs/inode.c:1547 [inline]
iput+0x51d/0x8c0 fs/inode.c:1573
mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320
mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459
vfs_mkobj+0x39e/0x580 fs/namei.c:2892
prepare_open ipc/mqueue.c:731 [inline]
do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771
Which could be triggered by:
struct mq_attr attr = {
.mq_flags = 0,
.mq_maxmsg = 9,
.mq_msgsize = 0x1fffffffffffffff,
.mq_curmsgs = 0,
};
if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1)
perror("mq_open");
mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and
preparing to return -EINVAL. During the cleanup, it calls
mqueue_evict_inode() which performed resource usage tracking math for
updating "user", before checking if there was a valid "user" at all
(which would indicate that the calculations would be sane). Instead,
delay this check to after seeing a valid "user".
The overflow was real, but the results went unused, so while the flaw is
harmless, it's noisy for kernel fuzzers, so just fix it by moving the
calculation under the non-NULL "user" where it actually gets used.
Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook
Signed-off-by: Kees Cook <keescook@chromium.org>
Reported-by: Andreas Christoforou <andreaschristofo@gmail.com>
Acked-by: "Eric W. Biederman" <ebiederm@xmission.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Manfred Spraul <manfred@colorfullife.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Greg Kroah-Hartman
|
d1f7f3be99 |
Merge 4.19.51 into android-4.19
Changes in 4.19.51
rapidio: fix a NULL pointer dereference when create_workqueue() fails
fs/fat/file.c: issue flush after the writeback of FAT
sysctl: return -EINVAL if val violates minmax
ipc: prevent lockup on alloc_msg and free_msg
drm/pl111: Initialize clock spinlock early
ARM: prevent tracing IPI_CPU_BACKTRACE
mm/hmm: select mmu notifier when selecting HMM
hugetlbfs: on restore reserve error path retain subpool reservation
mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE
mm/cma.c: fix crash on CMA allocation if bitmap allocation fails
initramfs: free initrd memory if opening /initrd.image fails
mm/cma.c: fix the bitmap status to show failed allocation reason
mm: page_mkclean vs MADV_DONTNEED race
mm/cma_debug.c: fix the break condition in cma_maxchunk_get()
mm/slab.c: fix an infinite loop in leaks_show()
kernel/sys.c: prctl: fix false positive in validate_prctl_map()
thermal: rcar_gen3_thermal: disable interrupt in .remove
drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER
mfd: tps65912-spi: Add missing of table registration
mfd: intel-lpss: Set the device in reset state when init
drm/nouveau/disp/dp: respect sink limits when selecting failsafe link configuration
mfd: twl6040: Fix device init errors for ACCCTL register
perf/x86/intel: Allow PEBS multi-entry in watermark mode
drm/nouveau/kms/gf119-gp10x: push HeadSetControlOutputResource() mthd when encoders change
drm/bridge: adv7511: Fix low refresh rate selection
objtool: Don't use ignore flag for fake jumps
drm/nouveau/kms/gv100-: fix spurious window immediate interlocks
bpf: fix undefined behavior in narrow load handling
EDAC/mpc85xx: Prevent building as a module
pwm: meson: Use the spin-lock only to protect register modifications
mailbox: stm32-ipcc: check invalid irq
ntp: Allow TAI-UTC offset to be set to zero
f2fs: fix to avoid panic in do_recover_data()
f2fs: fix to avoid panic in f2fs_inplace_write_data()
f2fs: fix to avoid panic in f2fs_remove_inode_page()
f2fs: fix to do sanity check on free nid
f2fs: fix to clear dirty inode in error path of f2fs_iget()
f2fs: fix to avoid panic in dec_valid_block_count()
f2fs: fix to use inline space only if inline_xattr is enable
f2fs: fix to do sanity check on valid block count of segment
f2fs: fix to do checksum even if inode page is uptodate
percpu: remove spurious lock dependency between percpu and sched
configfs: fix possible use-after-free in configfs_register_group
uml: fix a boot splat wrt use of cpu_all_mask
PCI: dwc: Free MSI in dw_pcie_host_init() error path
PCI: dwc: Free MSI IRQ page in dw_pcie_free_msi()
ovl: do not generate duplicate fsnotify events for "fake" path
mmc: mmci: Prevent polling for busy detection in IRQ context
netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast
netfilter: nf_conntrack_h323: restore boundary check correctness
mips: Make sure dt memory regions are valid
netfilter: nf_tables: fix base chain stat rcu_dereference usage
watchdog: imx2_wdt: Fix set_timeout for big timeout values
watchdog: fix compile time error of pretimeout governors
blk-mq: move cancel of requeue_work into blk_mq_release
iommu/vt-d: Set intel_iommu_gfx_mapped correctly
misc: pci_endpoint_test: Fix test_reg_bar to be updated in pci_endpoint_test
PCI: designware-ep: Use aligned ATU window for raising MSI interrupts
nvme-pci: unquiesce admin queue on shutdown
nvme-pci: shutdown on timeout during deletion
netfilter: nf_flow_table: check ttl value in flow offload data path
netfilter: nf_flow_table: fix netdev refcnt leak
ALSA: hda - Register irq handler after the chip initialization
nvmem: core: fix read buffer in place
nvmem: sunxi_sid: Support SID on A83T and H5
fuse: retrieve: cap requested size to negotiated max_write
nfsd: allow fh_want_write to be called twice
nfsd: avoid uninitialized variable warning
vfio: Fix WARNING "do not call blocking ops when !TASK_RUNNING"
iommu/arm-smmu-v3: Don't disable SMMU in kdump kernel
switchtec: Fix unintended mask of MRPC event
net: thunderbolt: Unregister ThunderboltIP protocol handler when suspending
x86/PCI: Fix PCI IRQ routing table memory leak
i40e: Queues are reserved despite "Invalid argument" error
platform/chrome: cros_ec_proto: check for NULL transfer function
PCI: keystone: Prevent ARM32 specific code to be compiled for ARM64
soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher
clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288
soc: rockchip: Set the proper PWM for rk3288
ARM: dts: imx51: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
ARM: dts: imx50: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
ARM: dts: imx53: Specify IMX5_CLK_IPG as "ahb" clock to SDMA
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA
ARM: dts: imx6sll: Specify IMX6SLL_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx7d: Specify IMX7D_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6ul: Specify IMX6UL_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA
ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA
PCI: rpadlpar: Fix leaked device_node references in add/remove paths
drm/amd/display: Use plane->color_space for dpp if specified
ARM: OMAP2+: pm33xx-core: Do not Turn OFF CEFUSE as PPA may be using it
platform/x86: intel_pmc_ipc: adding error handling
power: supply: max14656: fix potential use-before-alloc
net: hns3: return 0 and print warning when hit duplicate MAC
PCI: rcar: Fix a potential NULL pointer dereference
PCI: rcar: Fix 64bit MSI message address handling
scsi: qla2xxx: Reset the FCF_ASYNC_{SENT|ACTIVE} flags
video: hgafb: fix potential NULL pointer dereference
video: imsttfb: fix potential NULL pointer dereferences
block, bfq: increase idling for weight-raised queues
PCI: xilinx: Check for __get_free_pages() failure
gpio: gpio-omap: add check for off wake capable gpios
ice: Add missing case in print_link_msg for printing flow control
dmaengine: idma64: Use actual device for DMA transfers
pwm: tiehrpwm: Update shadow register for disabling PWMs
ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa
pwm: Fix deadlock warning when removing PWM device
ARM: exynos: Fix undefined instruction during Exynos5422 resume
usb: typec: fusb302: Check vconn is off when we start toggling
soc: renesas: Identify R-Car M3-W ES1.3
gpio: vf610: Do not share irq_chip
percpu: do not search past bitmap when allocating an area
Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections"
Revert "drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)"
ovl: check the capability before cred overridden
ovl: support stacked SEEK_HOLE/SEEK_DATA
drm/vc4: fix fb references in async update
ALSA: seq: Cover unsubscribe_port() in list_mutex
Linux 4.19.51
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
|
Li Rongqing
|
20de754a7d |
ipc: prevent lockup on alloc_msg and free_msg
[ Upstream commit d6a2946a88f524a47cc9b79279667137899db807 ] msgctl10 of ltp triggers the following lockup When CONFIG_KASAN is enabled on large memory SMP systems, the pages initialization can take a long time, if msgctl10 requests a huge block memory, and it will block rcu scheduler, so release cpu actively. After adding schedule() in free_msg, free_msg can not be called when holding spinlock, so adding msg to a tmp list, and free it out of spinlock rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-1 rcu_node (CPUs 16-31): P32505 rcu: Tasks blocked on level-1 rcu_node (CPUs 48-63): P34978 rcu: (detected by 11, t=35024 jiffies, g=44237529, q=16542267) msgctl10 R running task 21608 32505 2794 0x00000082 Call Trace: preempt_schedule_irq+0x4c/0xb0 retint_kernel+0x1b/0x2d RIP: 0010:__is_insn_slot_addr+0xfb/0x250 Code: 82 1d 00 48 8b 9b 90 00 00 00 4c 89 f7 49 c1 ee 03 e8 59 83 1d 00 48 b8 00 00 00 00 00 fc ff df 4c 39 eb 48 89 9d 58 ff ff ff <41> c6 04 06 f8 74 66 4c 8d 75 98 4c 89 f1 48 c1 e9 03 48 01 c8 48 RSP: 0018:ffff88bce041f758 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: ffffffff8471bc50 RCX: ffffffff828a2a57 RDX: dffffc0000000000 RSI: dffffc0000000000 RDI: ffff88bce041f780 RBP: ffff88bce041f828 R08: ffffed15f3f4c5b3 R09: ffffed15f3f4c5b3 R10: 0000000000000001 R11: ffffed15f3f4c5b2 R12: 000000318aee9b73 R13: ffffffff8471bc50 R14: 1ffff1179c083ef0 R15: 1ffff1179c083eec kernel_text_address+0xc1/0x100 __kernel_text_address+0xe/0x30 unwind_get_return_address+0x2f/0x50 __save_stack_trace+0x92/0x100 create_object+0x380/0x650 __kmalloc+0x14c/0x2b0 load_msg+0x38/0x1a0 do_msgsnd+0x19e/0xcf0 do_syscall_64+0x117/0x400 entry_SYSCALL_64_after_hwframe+0x49/0xbe rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-1 rcu_node (CPUs 0-15): P32170 rcu: (detected by 14, t=35016 jiffies, g=44237525, q=12423063) msgctl10 R running task 21608 32170 32155 0x00000082 Call Trace: preempt_schedule_irq+0x4c/0xb0 retint_kernel+0x1b/0x2d RIP: 0010:lock_acquire+0x4d/0x340 Code: 48 81 ec c0 00 00 00 45 89 c6 4d 89 cf 48 8d 6c 24 20 48 89 3c 24 48 8d bb e4 0c 00 00 89 74 24 0c 48 c7 44 24 20 b3 8a b5 41 <48> c1 ed 03 48 c7 44 24 28 b4 25 18 84 48 c7 44 24 30 d0 54 7a 82 RSP: 0018:ffff88af83417738 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: ffff88bd335f3080 RCX: 0000000000000002 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88bd335f3d64 RBP: ffff88af83417758 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: ffffed13f3f745b2 R12: 0000000000000000 R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000 is_bpf_text_address+0x32/0xe0 kernel_text_address+0xec/0x100 __kernel_text_address+0xe/0x30 unwind_get_return_address+0x2f/0x50 __save_stack_trace+0x92/0x100 save_stack+0x32/0xb0 __kasan_slab_free+0x130/0x180 kfree+0xfa/0x2d0 free_msg+0x24/0x50 do_msgrcv+0x508/0xe60 do_syscall_64+0x117/0x400 entry_SYSCALL_64_after_hwframe+0x49/0xbe Davidlohr said: "So after releasing the lock, the msg rbtree/list is empty and new calls will not see those in the newly populated tmp_msg list, and therefore they cannot access the delayed msg freeing pointers, which is good. Also the fact that the node_cache is now freed before the actual messages seems to be harmless as this is wanted for msg_insert() avoiding GFP_ATOMIC allocations, and after releasing the info->lock the thing is freed anyway so it should not change things" Link: http://lkml.kernel.org/r/1552029161-4957-1-git-send-email-lirongqing@baidu.com Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: Zhang Yu <zhangyu31@baidu.com> Reviewed-by: Davidlohr Bueso <dbueso@suse.de> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Daniel Rosenberg
|
e81cea2a6f |
ANDROID: vfs: Add permission2 for filesystems with per mount permissions
This allows filesystems to use their mount private data to influence the permssions they return in permission2. It has been separated into a new call to avoid disrupting current permission users. Bug: 35848445 Bug: 120446149 Change-Id: I9d416e3b8b6eca84ef3e336bd2af89ddd51df6ca Signed-off-by: Daniel Rosenberg <drosen@google.com> [AmitP: Minor refactoring of original patch to align with changes from the following upstream commit |
||
|
Kees Cook
|
59cf0a9339 |
ipc/shm.c: use ERR_CAST() for shm_lock() error return
This uses ERR_CAST() instead of an open-coded cast, as it is casting
across structure pointers, which upsets __randomize_layout:
ipc/shm.c: In function `shm_lock':
ipc/shm.c:209:9: note: randstruct: casting between randomized structure pointer types (ssa): `struct shmid_kernel' and `struct kern_ipc_perm'
return (void *)ipcp;
^~~~~~~~~~~~
Link: http://lkml.kernel.org/r/20180919180722.GA15073@beast
Fixes:
|
||
|
Davidlohr Bueso
|
9c21dae291 |
ipc/shm: properly return EIDRM in shm_lock()
When getting rid of the general ipc_lock(), this was missed furthermore,
making the comment around the ipc object validity check bogus. Under
EIDRM conditions, callers will in turn not see the error and continue
with the operation.
Link: http://lkml.kernel.org/r/20180824030920.GD3677@linux-r8p5
Link: http://lkml.kernel.org/r/20180823024051.GC13343@shao2-debian
Fixes:
|
||
|
Manfred Spraul
|
2a9d648100 |
ipc/util.c: update return value of ipc_getref from int to bool
ipc_getref has still a return value of type "int", matching the atomic_t interface of atomic_inc_not_zero()/atomic_add_unless(). ipc_getref now uses refcount_inc_not_zero, which has a return value of type "bool". Therefore, update the return code to avoid implicit conversions. Link: http://lkml.kernel.org/r/20180712185241.4017-13-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Davidlohr Bueso <dbueso@suse.de> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
Manfred Spraul
|
27c331a174 |
ipc/util.c: further variable name cleanups
The varable names got a mess, thus standardize them again:
id: user space id. Called semid, shmid, msgid if the type is known.
Most functions use "id" already.
idx: "index" for the idr lookup
Right now, some functions use lid, ipc_addid() already uses idx as
the variable name.
seq: sequence number, to avoid quick collisions of the user space id
key: user space key, used for the rhash tree
Link: http://lkml.kernel.org/r/20180712185241.4017-12-manfred@colorfullife.com
Signed-off-by: Manfred Spraul <manfred@colorfullife.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Davidlohr Bueso <dbueso@suse.de>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Kees Cook <keescook@chromium.org>
Cc: Michael Kerrisk <mtk.manpages@gmail.com>
Cc: Michal Hocko <mhocko@suse.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
|
||
|
Davidlohr Bueso
|
eae04d25a7 |
ipc: simplify ipc initialization
Now that we know that rhashtable_init() will not fail, we can get rid of a lot of the unnecessary cleanup paths when the call errored out. [manfred@colorfullife.com: variable name added to util.h to resolve checkpatch warning] Link: http://lkml.kernel.org/r/20180712185241.4017-11-manfred@colorfullife.com Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
Davidlohr Bueso
|
dc2c8c84de |
ipc: get rid of ids->tables_initialized hack
In sysvipc we have an ids->tables_initialized regarding the rhashtable,
introduced in
|
||
|
Davidlohr Bueso
|
82061c57ce |
ipc: drop ipc_lock()
ipc/util.c contains multiple functions to get the ipc object pointer given an id number. There are two sets of function: One set verifies the sequence counter part of the id number, other functions do not check the sequence counter. The standard for function names in ipc/util.c is - ..._check() functions verify the sequence counter - ..._idr() functions do not verify the sequence counter ipc_lock() is an exception: It does not verify the sequence counter value, but this is not obvious from the function name. Furthermore, shm.c is the only user of this helper. Thus, we can simply move the logic into shm_lock() and get rid of the function altogether. [manfred@colorfullife.com: most of changelog] Link: http://lkml.kernel.org/r/20180712185241.4017-7-manfred@colorfullife.com Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
Manfred Spraul
|
2e5ceb452c |
ipc/util.c: correct comment in ipc_obtain_object_check
The comment that explains ipc_obtain_object_check is wrong: The function checks the sequence number, not the reference counter. Note that checking the reference counter would be meaningless: The reference counter is decreased without holding any locks, thus an object with kern_ipc_perm.deleted=true may disappear at the end of the next rcu grace period. Link: http://lkml.kernel.org/r/20180712185241.4017-6-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reviewed-by: Davidlohr Bueso <dbueso@suse.de> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
Manfred Spraul
|
4241c1a304 |
ipc: rename ipcctl_pre_down_nolock()
Both the comment and the name of ipcctl_pre_down_nolock() are misleading: The function must be called while holdling the rw semaphore. Therefore the patch renames the function to ipcctl_obtain_check(): This name matches the other names used in util.c: - "obtain" function look up a pointer in the idr, without acquiring the object lock. - The caller is responsible for locking. - _check means that the sequence number is checked. Link: http://lkml.kernel.org/r/20180712185241.4017-5-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reviewed-by: Davidlohr Bueso <dbueso@suse.de> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
Manfred Spraul
|
39cfffd774 |
ipc/util.c: use ipc_rcu_putref() for failues in ipc_addid()
ipc_addid() is impossible to use: - for certain failures, the caller must not use ipc_rcu_putref(), because the reference counter is not yet initialized. - for other failures, the caller must use ipc_rcu_putref(), because parallel operations could be ongoing already. The patch cleans that up, by initializing the refcount early, and by modifying all callers. The issues is related to the finding of syzbot+2827ef6b3385deb07eaf@syzkaller.appspotmail.com: syzbot found an issue with reading kern_ipc_perm.seq, here both read and write to already released memory could happen. Link: http://lkml.kernel.org/r/20180712185241.4017-4-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Davidlohr Bueso <dbueso@suse.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
Manfred Spraul
|
e2652ae6bd |
ipc: reorganize initialization of kern_ipc_perm.seq
ipc_addid() initializes kern_ipc_perm.seq after having called idr_alloc() (within ipc_idr_alloc()). Thus a parallel semop() or msgrcv() that uses ipc_obtain_object_check() may see an uninitialized value. The patch moves the initialization of kern_ipc_perm.seq before the calls of idr_alloc(). Notes: 1) This patch has a user space visible side effect: If /proc/sys/kernel/*_next_id is used (i.e.: checkpoint/restore) and if semget()/msgget()/shmget() fails in the final step of adding the id to the rhash tree, then .._next_id is cleared. Before the patch, is remained unmodified. There is no change of the behavior after a successful ..get() call: It always clears .._next_id, there is no impact to non checkpoint/restore code as that code does not use .._next_id. 2) The patch correctly documents that after a call to ipc_idr_alloc(), the full tear-down sequence must be used. The callers of ipc_addid() do not fullfill that, i.e. more bugfixes are required. The patch is a squash of a patch from Dmitry and my own changes. Link: http://lkml.kernel.org/r/20180712185241.4017-3-manfred@colorfullife.com Reported-by: syzbot+2827ef6b3385deb07eaf@syzkaller.appspotmail.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Davidlohr Bueso <dbueso@suse.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
Manfred Spraul
|
615c999cd8 |
ipc: compute kern_ipc_perm.id under the ipc lock
ipc_addid() initializes kern_ipc_perm.id after having called ipc_idr_alloc(). Thus a parallel semctl() or msgctl() that uses e.g. MSG_STAT may use this unitialized value as the return code. The patch moves all accesses to kern_ipc_perm.id under the spin_lock(). The issues is related to the finding of syzbot+2827ef6b3385deb07eaf@syzkaller.appspotmail.com: syzbot found an issue with kern_ipc_perm.seq Link: http://lkml.kernel.org/r/20180712185241.4017-2-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reviewed-by: Davidlohr Bueso <dbueso@suse.de> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
|
Linus Torvalds
|
9a76aba02a |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
Pull networking updates from David Miller:
"Highlights:
- Gustavo A. R. Silva keeps working on the implicit switch fallthru
changes.
- Support 802.11ax High-Efficiency wireless in cfg80211 et al, From
Luca Coelho.
- Re-enable ASPM in r8169, from Kai-Heng Feng.
- Add virtual XFRM interfaces, which avoids all of the limitations of
existing IPSEC tunnels. From Steffen Klassert.
- Convert GRO over to use a hash table, so that when we have many
flows active we don't traverse a long list during accumluation.
- Many new self tests for routing, TC, tunnels, etc. Too many
contributors to mention them all, but I'm really happy to keep
seeing this stuff.
- Hardware timestamping support for dpaa_eth/fsl-fman from Yangbo Lu.
- Lots of cleanups and fixes in L2TP code from Guillaume Nault.
- Add IPSEC offload support to netdevsim, from Shannon Nelson.
- Add support for slotting with non-uniform distribution to netem
packet scheduler, from Yousuk Seung.
- Add UDP GSO support to mlx5e, from Boris Pismenny.
- Support offloading of Team LAG in NFP, from John Hurley.
- Allow to configure TX queue selection based upon RX queue, from
Amritha Nambiar.
- Support ethtool ring size configuration in aquantia, from Anton
Mikaev.
- Support DSCP and flowlabel per-transport in SCTP, from Xin Long.
- Support list based batching and stack traversal of SKBs, this is
very exciting work. From Edward Cree.
- Busyloop optimizations in vhost_net, from Toshiaki Makita.
- Introduce the ETF qdisc, which allows time based transmissions. IGB
can offload this in hardware. From Vinicius Costa Gomes.
- Add parameter support to devlink, from Moshe Shemesh.
- Several multiplication and division optimizations for BPF JIT in
nfp driver, from Jiong Wang.
- Lots of prepatory work to make more of the packet scheduler layer
lockless, when possible, from Vlad Buslov.
- Add ACK filter and NAT awareness to sch_cake packet scheduler, from
Toke Høiland-Jørgensen.
- Support regions and region snapshots in devlink, from Alex Vesker.
- Allow to attach XDP programs to both HW and SW at the same time on
a given device, with initial support in nfp. From Jakub Kicinski.
- Add TLS RX offload and support in mlx5, from Ilya Lesokhin.
- Use PHYLIB in r8169 driver, from Heiner Kallweit.
- All sorts of changes to support Spectrum 2 in mlxsw driver, from
Ido Schimmel.
- PTP support in mv88e6xxx DSA driver, from Andrew Lunn.
- Make TCP_USER_TIMEOUT socket option more accurate, from Jon
Maxwell.
- Support for templates in packet scheduler classifier, from Jiri
Pirko.
- IPV6 support in RDS, from Ka-Cheong Poon.
- Native tproxy support in nf_tables, from Máté Eckl.
- Maintain IP fragment queue in an rbtree, but optimize properly for
in-order frags. From Peter Oskolkov.
- Improvde handling of ACKs on hole repairs, from Yuchung Cheng"
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1996 commits)
bpf: test: fix spelling mistake "REUSEEPORT" -> "REUSEPORT"
hv/netvsc: Fix NULL dereference at single queue mode fallback
net: filter: mark expected switch fall-through
xen-netfront: fix warn message as irq device name has '/'
cxgb4: Add new T5 PCI device ids 0x50af and 0x50b0
net: dsa: mv88e6xxx: missing unlock on error path
rds: fix building with IPV6=m
inet/connection_sock: prefer _THIS_IP_ to current_text_addr
net: dsa: mv88e6xxx: bitwise vs logical bug
net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd()
ieee802154: hwsim: using right kind of iteration
net: hns3: Add vlan filter setting by ethtool command -K
net: hns3: Set tx ring' tc info when netdev is up
net: hns3: Remove tx ring BD len register in hns3_enet
net: hns3: Fix desc num set to default when setting channel
net: hns3: Fix for phy link issue when using marvell phy driver
net: hns3: Fix for information of phydev lost problem when down/up
net: hns3: Fix for command format parsing error in hclge_is_all_function_id_zero
net: hns3: Add support for serdes loopback selftest
bnxt_en: take coredump_record structure off stack
...
|
||
|
Linus Torvalds
|
a66b4cd1e7 |
Merge branch 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs open-related updates from Al Viro:
- "do we need fput() or put_filp()" rules are gone - it's always fput()
now. We keep track of that state where it belongs - in ->f_mode.
- int *opened mess killed - in finish_open(), in ->atomic_open()
instances and in fs/namei.c code around do_last()/lookup_open()/atomic_open().
- alloc_file() wrappers with saner calling conventions are introduced
(alloc_file_clone() and alloc_file_pseudo()); callers converted, with
much simplification.
- while we are at it, saner calling conventions for path_init() and
link_path_walk(), simplifying things inside fs/namei.c (both on
open-related paths and elsewhere).
* 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (40 commits)
few more cleanups of link_path_walk() callers
allow link_path_walk() to take ERR_PTR()
make path_init() unconditionally paired with terminate_walk()
document alloc_file() changes
make alloc_file() static
do_shmat(): grab shp->shm_file earlier, switch to alloc_file_clone()
new helper: alloc_file_clone()
create_pipe_files(): switch the first allocation to alloc_file_pseudo()
anon_inode_getfile(): switch to alloc_file_pseudo()
hugetlb_file_setup(): switch to alloc_file_pseudo()
ocxlflash_getfile(): switch to alloc_file_pseudo()
cxl_getfile(): switch to alloc_file_pseudo()
... and switch shmem_file_setup() to alloc_file_pseudo()
__shmem_file_setup(): reorder allocations
new wrapper: alloc_file_pseudo()
kill FILE_{CREATED,OPENED}
switch atomic_open() and lookup_open() to returning 0 in all success cases
document ->atomic_open() changes
->atomic_open(): return 0 in all success cases
get rid of 'opened' in path_openat() and the helpers downstream
...
|
||
|
David S. Miller
|
c1c8626fce |
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
Lots of overlapping changes, mostly trivial in nature. The mlxsw conflict was resolving using the example resolution at: https://github.com/jpirko/linux_mlxsw/blob/combined_queue/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Jane Chu
|
eec3636ad1 |
ipc/shm.c add ->pagesize function to shm_vm_ops
Commit |
||
|
David S. Miller
|
89b1698c93 |
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
The BTF conflicts were simple overlapping changes. The virtio_net conflict was an overlap of a fix of statistics counter, happening alongisde a move over to a bonafide statistics structure rather than counting value on the stack. Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Davidlohr Bueso
|
f075faa300 |
ipc/sem.c: prevent queue.status tearing in semop
In order for load/store tearing prevention to work, _all_ accesses to the variable in question need to be done around READ and WRITE_ONCE() macros. Ensure everyone does so for q->status variable for semtimedop(). Link: http://lkml.kernel.org/r/20180717052654.676-1-dave@stgolabs.net Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Cc: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |