-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAl78APEACgkQ3qZv95d3
LNyt+w/+PkFP8++ZsiI6GegXraxVbGuY4ndXroXAiTYa0uZjdsIhqJpgyVsJ/pbq
jU/Hcfv8a0UGme7Hqy61KwN6aaCpM27zxE3aV/N9othtJWn59hiB51CyCcKMrjxK
Mj6PN+yHxLPzCNBszEvOsICsBQt9HtJB11gcbJQPJ2skriVxSER0QrZi2s5jJuoS
vVbxfRngXCnzTsxmpbYjMh1sE9/z/dNpCuyQ13f1MPAPpWFP1SxmMUfknXEO8gkF
ThRIhI6uHDucAQxhP42McBsuoP64KfB90fKzFEuWmlit4OCmqW9subTeaI8V1muK
CxkPqwRnyYmqbAM9auRwbJxtYfT0ONtDZj4zbLulq4qMTJF650968RQNIW+B1K3C
jika93Am0YbNPOyq3m9Ac96NaTFjjhpIzu13P6xUQNf3/ydPKY9PHif2CnWCHPsX
BO9fap7gsWHa88khjEGYXwcQCOC+UzQlcsT6CsWPTUTmcLObHiv863Rqm7LpXjit
9gjKlNHdP6U0q+bz5aiiEtoNJ/2ZDwoz1I+srbrk7QMdVzAn+uRRtLRQxmJtryw1
oTnJJu0iv9Zspn/PFXwlrpsYDDEBFfXFWvC+izfz8nm8CPFKgH9G96XNefcXlI9e
3qxjDpkFb74R6ovnWKtJY8pR1qX/5TRC0/+/WpbZBILqW4Z0k5w=
=YVa/
-----END PGP SIGNATURE-----
Merge 4.19.131 into android-4.19-stable
Changes in 4.19.131
net: be more gentle about silly gso requests coming from user
block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed
fanotify: fix ignore mask logic for events on child and on dir
mtd: rawnand: marvell: Fix the condition on a return code
net: bcmgenet: remove HFB_CTRL access
net: sched: export __netdev_watchdog_up()
EDAC/amd64: Add Family 17h Model 30h PCI IDs
i2c: tegra: Cleanup kerneldoc comments
i2c: tegra: Add missing kerneldoc for some fields
i2c: tegra: Fix Maximum transfer size
fix a braino in "sparc32: fix register window handling in genregs32_[gs]et()"
ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
ALSA: hda/realtek: Enable mute LED on an HP system
ALSA: hda/realtek - Enable micmute LED on and HP system
apparmor: don't try to replace stale label in ptraceme check
ibmveth: Fix max MTU limit
mld: fix memory leak in ipv6_mc_destroy_dev()
net: bridge: enfore alignment for ethernet address
net: fix memleak in register_netdevice()
net: place xmit recursion in softnet data
net: use correct this_cpu primitive in dev_recursion_level
net: increment xmit_recursion level in dev_direct_xmit()
net: usb: ax88179_178a: fix packet alignment padding
rocker: fix incorrect error handling in dma_rings_init
rxrpc: Fix notification call on completion of discarded calls
sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
tcp: don't ignore ECN CWR on pure ACK
tcp: grow window for OOO packets only for SACK flows
tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes
ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()
net: phy: Check harder for errors in get_phy_id()
ip_tunnel: fix use-after-free in ip_tunnel_lookup()
sch_cake: don't try to reallocate or unshare skb unconditionally
sch_cake: fix a few style nits
tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
sch_cake: don't call diffserv parsing code when it is not needed
net: Fix the arp error in some cases
net: Do not clear the sock TX queue in sk_set_socket()
net: core: reduce recursion limit value
USB: ohci-sm501: Add missed iounmap() in remove
usb: dwc2: Postponed gadget registration to the udc class driver
usb: add USB_QUIRK_DELAY_INIT for Logitech C922
USB: ehci: reopen solution for Synopsys HC bug
usb: host: xhci-mtk: avoid runtime suspend when removing hcd
xhci: Poll for U0 after disabling USB2 LPM
usb: host: ehci-exynos: Fix error check in exynos_ehci_probe()
usb: typec: tcpci_rt1711h: avoid screaming irq causing boot hangs
ALSA: usb-audio: add quirk for Denon DCD-1500RE
ALSA: usb-audio: add quirk for Samsung USBC Headset (AKG)
ALSA: usb-audio: Fix OOB access of mixer element list
scsi: zfcp: Fix panic on ERP timeout for previously dismissed ERP action
xhci: Fix incorrect EP_STATE_MASK
xhci: Fix enumeration issue when setting max packet size for FS devices.
xhci: Return if xHCI doesn't support LPM
cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip
loop: replace kill_bdev with invalidate_bdev
IB/mad: Fix use after free when destroying MAD agent
cifs/smb3: Fix data inconsistent when punch hole
cifs/smb3: Fix data inconsistent when zero file range
xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
ASoC: q6asm: handle EOS correctly
efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
regualtor: pfuze100: correct sw1a/sw2 on pfuze3000
ASoC: fsl_ssi: Fix bclk calculation for mono channel
ARM: dts: Fix duovero smsc interrupt for suspend
x86/resctrl: Fix a NULL vs IS_ERR() static checker warning in rdt_cdp_peer_get()
regmap: Fix memory leak from regmap_register_patch
ARM: dts: NSP: Correct FA2 mailbox node
rxrpc: Fix handling of rwind from an ACK packet
RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
RDMA/cma: Protect bind_list and listen_list while finding matching cm id
ASoC: rockchip: Fix a reference count leak.
RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads()
net: qed: fix left elements count calculation
net: qed: fix NVMe login fails over VFs
net: qed: fix excessive QM ILT lines consumption
cxgb4: move handling L2T ARP failures to caller
ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
usb: gadget: udc: Potential Oops in error handling code
netfilter: ipset: fix unaligned atomic access
net: bcmgenet: use hardware padding of runt frames
i2c: fsi: Fix the port number field in status register
i2c: core: check returned size of emulated smbus block read
sched/deadline: Initialize ->dl_boosted
sched/core: Fix PI boosting between RT and DEADLINE tasks
sata_rcar: handle pm_runtime_get_sync failure cases
ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function
drm/amd/display: Use kfree() to free rgb_user in calculate_user_regamma_ramp()
riscv/atomic: Fix sign extension for RV64I
hwrng: ks-sa - Fix runtime PM imbalance on error
ibmvnic: Harden device login requests
net: alx: fix race condition in alx_remove
s390/ptrace: fix setting syscall number
s390/vdso: fix vDSO clock_getres()
arm64: sve: Fix build failure when ARM64_SVE=y and SYSCTL=n
kbuild: improve cc-option to clean up all temporary files
blktrace: break out of blktrace setup on concurrent calls
RISC-V: Don't allow write+exec only page mapping request in mmap
ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table
ALSA: hda/realtek - Add quirk for MSI GE63 laptop
ACPI: sysfs: Fix pm_profile_attr type
erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup
KVM: X86: Fix MSR range of APIC registers in X2APIC mode
KVM: nVMX: Plumb L2 GPA through to PML emulation
x86/asm/64: Align start of __clear_user() loop to 16-bytes
btrfs: fix data block group relocation failure due to concurrent scrub
btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof
mm/slab: use memzero_explicit() in kzfree()
ocfs2: avoid inode removal while nfsd is accessing it
ocfs2: load global_inode_alloc
ocfs2: fix value of OCFS2_INVALID_SLOT
ocfs2: fix panic on nfs server over ocfs2
arm64: perf: Report the PC value in REGS_ABI_32 mode
tracing: Fix event trigger to accept redundant spaces
ring-buffer: Zero out time extend if it is nested and not absolute
drm: rcar-du: Fix build error
drm/radeon: fix fb_div check in ni_init_smc_spll_table()
Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate()
sunrpc: fixed rollback in rpc_gssd_dummy_populate()
SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
pNFS/flexfiles: Fix list corruption if the mirror count changes
NFSv4 fix CLOSE not waiting for direct IO compeletion
dm writecache: correct uncommitted_block when discarding uncommitted entry
dm writecache: add cond_resched to loop in persistent_memory_claim()
xfs: add agf freeblocks verify in xfs_agf_verify
Revert "tty: hvc: Fix data abort due to race in hvc_open"
Linux 4.19.131
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I2c5abdfc2979e50d441bb0e0bcd499e03c61cefd
[ Upstream commit 94579ac3f6d0820adc83b5dc5358ead0158101e9 ]
During IPsec performance testing, we see bad ICMP checksum. The error packet
has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call
is from ip_output, but the packet cannot be sent because
netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second
call is from NET_TX softirq. However after the first call, the packet already
has the ESP trailer.
Fix by marking the skb with XFRM_XMIT bit after the packet is handled by
validate_xmit_xfrm to avoid duplicate ESP trailer insertion.
Fixes: f6e27114a6 ("net: Add a xfrm validate function to validate_xmit_skb")
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Raed Salem <raeds@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl7XQQYACgkQONu9yGCS
aT4vwQ/9EZxtWUPh/JSsl+eImHuZjCwa/gzdLh0kUvr4Tgqxv+3KkTZ+7/TyPvID
UgbxxY6qtIP3o4W3kysLAFbOJl+I4IWkEpfCn7vKLzV0BxHjx5Krodo38zT/Ll8S
Vqi62nRpiYiqD0qrr/dZSnlY1SUyMYnQ04NKKyZokyj392ErEE2TWNGhN4m3369A
2Dm46WDKckMudkUElXvu2rQkIpVMJACr/aUaFWmmGsfZt+TGQtjRozlKkkq1vokW
WJEdCVjQwmeWW5T/OZdfM5VmuqspgtU4BhAmzxTVHGGWw+MIEcNU7LIz3s7cpBdr
7ykY4NcXxvPO5Mn/P5usOZFT/TncZQ65ZqxAEgPoF089D0uXkVTOV9dCLqPzej+g
/druvsu6bJqsbi8sd5mftXi5KKH/VDPrxnkEEvhIcuc9GCAKCQjtYz8Vtmkek30U
Mz/UcqhtUTzOJU6yZg7zV/JQ6jrzrXm4VFDdiUHoNe3LuWtFsExMXhokV9TBsScY
LtDYfe9qIq345BHsKah46VKEIa0Sb53eJFKRrEUK+4EVNr8Rp13afdXPlweX41O+
ecBlHfpRsi6MB2/fY6lBlE0uHIYSIlV78wV0wHC4czbROCYY2XSCCS2MoEXu5kD4
KMqXE6nM4tYqgV3arc2nHzth7GaEnbyCPSMMOq+2on6XB4LCRQc=
=rO6H
-----END PGP SIGNATURE-----
Merge 4.19.126 into android-4.19-stable
Changes in 4.19.126
ax25: fix setsockopt(SO_BINDTODEVICE)
dpaa_eth: fix usage as DSA master, try 3
net: dsa: mt7530: fix roaming from DSA user ports
__netif_receive_skb_core: pass skb by reference
net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
net: ipip: fix wrong address family in init error path
net/mlx5: Add command entry handling completion
net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()"
net sched: fix reporting the first-time use timestamp
r8152: support additional Microsoft Surface Ethernet Adapter variant
sctp: Don't add the shutdown timer if its already been added
sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
net/mlx5e: Update netdev txq on completions during closure
net/mlx5: Annotate mutex destroy for root ns
net: sun: fix missing release regions in cas_init_one().
net/mlx4_core: fix a memory leak bug.
mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
ARM: dts: rockchip: fix phy nodename for rk3228-evb
arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts
arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
ARM: dts: rockchip: swap clock-names of gpu nodes
ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
gpio: tegra: mask GPIO IRQs during IRQ shutdown
ALSA: usb-audio: add mapping for ASRock TRX40 Creator
net: microchip: encx24j600: add missed kthread_stop
gfs2: move privileged user check to gfs2_quota_lock_check
cachefiles: Fix race between read_waiter and read_copier involving op->to_do
usb: dwc3: pci: Enable extcon driver for Intel Merrifield
usb: gadget: legacy: fix redundant initialization warnings
net: freescale: select CONFIG_FIXED_PHY where needed
IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
riscv: stacktrace: Fix undefined reference to `walk_stackframe'
cifs: Fix null pointer check in cifs_read
samples: bpf: Fix build error
Input: usbtouchscreen - add support for BonXeon TP
Input: evdev - call input_flush_device() on release(), not flush()
Input: xpad - add custom init packet for Xbox One S controllers
Input: dlink-dir685-touchkeys - fix a typo in driver name
Input: i8042 - add ThinkPad S230u to i8042 reset list
Input: synaptics-rmi4 - really fix attn_data use-after-free
Input: synaptics-rmi4 - fix error return code in rmi_driver_probe()
ARM: 8970/1: decompressor: increase tag size
ARM: 8843/1: use unified assembler in headers
ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h
ARM: uaccess: integrate uaccess_save and uaccess_restore
ARM: uaccess: fix DACR mismatch with nested exceptions
gpio: exar: Fix bad handling for ida_simple_get error path
IB/qib: Call kobject_put() when kobject_init_and_add() fails
ARM: dts/imx6q-bx50v3: Set display interface clock parents
ARM: dts: bcm2835-rpi-zero-w: Fix led polarity
ARM: dts: bcm: HR2: Fix PPI interrupt types
mmc: block: Fix use-after-free issue for rpmb
RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
ALSA: hwdep: fix a left shifting 1 by 31 UB bug
ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround
ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC
exec: Always set cap_ambient in cap_bprm_set_creds
ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio
ALSA: hda/realtek - Add new codec supported for ALC287
libceph: ignore pool overlay and cache logic on redirects
IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
include/asm-generic/topology.h: guard cpumask_of_node() macro argument
iommu: Fix reference count leak in iommu_group_alloc.
parisc: Fix kernel panic in mem_init()
mmc: core: Fix recursive locking issue in CQE recovery path
RDMA/core: Fix double destruction of uobject
mac80211: mesh: fix discovery timer re-arming issue / crash
x86/dma: Fix max PFN arithmetic overflow on 32 bit systems
copy_xstate_to_kernel(): don't leave parts of destination uninitialized
xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
xfrm interface: fix oops when deleting a x-netns interface
xfrm: fix a warning in xfrm_policy_insert_list
xfrm: fix a NULL-ptr deref in xfrm_local_error
xfrm: fix error in comment
vti4: eliminated some duplicate code.
ip_vti: receive ipip packet by calling ip_tunnel_rcv
netfilter: nft_reject_bridge: enable reject with bridge vlan
netfilter: ipset: Fix subcounter update skip
netfilter: nfnetlink_cthelper: unbreak userspace helper support
netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
esp6: get the right proto for transport mode in esp6_gso_encap
bnxt_en: Fix accumulation of bp->net_stats_prev.
xsk: Add overflow check for u64 division, stored into u32
qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
crypto: chelsio/chtls: properly set tp->lsndtime
bonding: Fix reference count leak in bond_sysfs_slave_add.
netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
mm/vmalloc.c: don't dereference possible NULL pointer in __vunmap()
Linux 4.19.126
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic7ffeb4cbc4d3f1b49c60d97a5d113fcad1d098a
commit f6a23d85d078c2ffde79c66ca81d0a1dde451649 upstream.
This patch is to fix a crash:
[ ] kasan: GPF could be caused by NULL-ptr deref or user memory access
[ ] general protection fault: 0000 [#1] SMP KASAN PTI
[ ] RIP: 0010:ipv6_local_error+0xac/0x7a0
[ ] Call Trace:
[ ] xfrm6_local_error+0x1eb/0x300
[ ] xfrm_local_error+0x95/0x130
[ ] __xfrm6_output+0x65f/0xb50
[ ] xfrm6_output+0x106/0x46f
[ ] udp_tunnel6_xmit_skb+0x618/0xbf0 [ip6_udp_tunnel]
[ ] vxlan_xmit_one+0xbc6/0x2c60 [vxlan]
[ ] vxlan_xmit+0x6a0/0x4276 [vxlan]
[ ] dev_hard_start_xmit+0x165/0x820
[ ] __dev_queue_xmit+0x1ff0/0x2b90
[ ] ip_finish_output2+0xd3e/0x1480
[ ] ip_do_fragment+0x182d/0x2210
[ ] ip_output+0x1d0/0x510
[ ] ip_send_skb+0x37/0xa0
[ ] raw_sendmsg+0x1b4c/0x2b80
[ ] sock_sendmsg+0xc0/0x110
This occurred when sending a v4 skb over vxlan6 over ipsec, in which case
skb->protocol == htons(ETH_P_IPV6) while skb->sk->sk_family == AF_INET in
xfrm_local_error(). Then it will go to xfrm6_local_error() where it tries
to get ipv6 info from a ipv4 sk.
This issue was actually fixed by Commit 628e341f31 ("xfrm: make local
error reporting more robust"), but brought back by Commit 844d48746e
("xfrm: choose protocol family by skb protocol").
So to fix it, we should call xfrm6_local_error() only when skb->protocol
is htons(ETH_P_IPV6) and skb->sk->sk_family is AF_INET6.
Fixes: 844d48746e ("xfrm: choose protocol family by skb protocol")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ed17b8d377eaf6b4a01d46942b4c647378a79bdd upstream.
This waring can be triggered simply by:
# ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
priority 1 mark 0 mask 0x10 #[1]
# ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
priority 2 mark 0 mask 0x1 #[2]
# ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
priority 2 mark 0 mask 0x10 #[3]
Then dmesg shows:
[ ] WARNING: CPU: 1 PID: 7265 at net/xfrm/xfrm_policy.c:1548
[ ] RIP: 0010:xfrm_policy_insert_list+0x2f2/0x1030
[ ] Call Trace:
[ ] xfrm_policy_inexact_insert+0x85/0xe50
[ ] xfrm_policy_insert+0x4ba/0x680
[ ] xfrm_add_policy+0x246/0x4d0
[ ] xfrm_user_rcv_msg+0x331/0x5c0
[ ] netlink_rcv_skb+0x121/0x350
[ ] xfrm_netlink_rcv+0x66/0x80
[ ] netlink_unicast+0x439/0x630
[ ] netlink_sendmsg+0x714/0xbf0
[ ] sock_sendmsg+0xe2/0x110
The issue was introduced by Commit 7cb8a93968 ("xfrm: Allow inserting
policies with matching mark and different priorities"). After that, the
policies [1] and [2] would be able to be added with different priorities.
However, policy [3] will actually match both [1] and [2]. Policy [1]
was matched due to the 1st 'return true' in xfrm_policy_mark_match(),
and policy [2] was matched due to the 2nd 'return true' in there. It
caused WARN_ON() in xfrm_policy_insert_list().
This patch is to fix it by only (the same value and priority) as the
same policy in xfrm_policy_mark_match().
Thanks to Yuehaibing, we could make this fix better.
v1->v2:
- check policy->mark.v == pol->mark.v only without mask.
Fixes: 7cb8a93968 ("xfrm: Allow inserting policies with matching mark and different priorities")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a204aef9fd77dce1efd9066ca4e44eede99cd858 upstream.
An use-after-free crash can be triggered when sending big packets over
vxlan over esp with esp offload enabled:
[] BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
[] Call Trace:
[] dump_stack+0x75/0xa0
[] kasan_report+0x37/0x50
[] ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
[] ipv6_gso_segment+0x2c8/0x13c0
[] skb_mac_gso_segment+0x1cb/0x420
[] skb_udp_tunnel_segment+0x6b5/0x1c90
[] inet_gso_segment+0x440/0x1380
[] skb_mac_gso_segment+0x1cb/0x420
[] esp4_gso_segment+0xae8/0x1709 [esp4_offload]
[] inet_gso_segment+0x440/0x1380
[] skb_mac_gso_segment+0x1cb/0x420
[] __skb_gso_segment+0x2d7/0x5f0
[] validate_xmit_skb+0x527/0xb10
[] __dev_queue_xmit+0x10f8/0x2320 <---
[] ip_finish_output2+0xa2e/0x1b50
[] ip_output+0x1a8/0x2f0
[] xfrm_output_resume+0x110e/0x15f0
[] __xfrm4_output+0xe1/0x1b0
[] xfrm4_output+0xa0/0x200
[] iptunnel_xmit+0x5a7/0x920
[] vxlan_xmit_one+0x1658/0x37a0 [vxlan]
[] vxlan_xmit+0x5e4/0x3ec8 [vxlan]
[] dev_hard_start_xmit+0x125/0x540
[] __dev_queue_xmit+0x17bd/0x2320 <---
[] ip6_finish_output2+0xb20/0x1b80
[] ip6_output+0x1b3/0x390
[] ip6_xmit+0xb82/0x17e0
[] inet6_csk_xmit+0x225/0x3d0
[] __tcp_transmit_skb+0x1763/0x3520
[] tcp_write_xmit+0xd64/0x5fe0
[] __tcp_push_pending_frames+0x8c/0x320
[] tcp_sendmsg_locked+0x2245/0x3500
[] tcp_sendmsg+0x27/0x40
As on the tx path of vxlan over esp, skb->inner_network_header would be
set on vxlan_xmit() and xfrm4_tunnel_encap_add(), and the later one can
overwrite the former one. It causes skb_udp_tunnel_segment() to use a
wrong skb->inner_network_header, then the issue occurs.
This patch is to fix it by calling xfrm_output_gso() instead when the
inner_protocol is set, in which gso_segment of inner_protocol will be
done first.
While at it, also improve some code around.
Fixes: 7862b4058b ("esp: Add gso handlers for esp4 and esp6")
Reported-by: Xiumei Mu <xmu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit afcaf61be9d1dbdee5ec186d1dcc67b6b692180f upstream.
For beet mode, when it's ipv6 inner address with nexthdrs set,
the packet format might be:
----------------------------------------------------
| outer | | dest | | | ESP | ESP |
| IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |
----------------------------------------------------
The nexthdr from ESP could be NEXTHDR_HOP(0), so it should
continue processing the packet when nexthdr returns 0 in
xfrm_input(). Otherwise, when ipv6 nexthdr is set, the
packet will be dropped.
I don't see any error cases that nexthdr may return 0. So
fix it by removing the check for nexthdr == 0.
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl6F6HkACgkQONu9yGCS
aT7FkxAAgZOwRDVRkqjfSE+MBAqbE41sO3iAWmv9gQazdK+APGdQaasQ73gBdcuQ
wliG5W9k9J0qkcnUIAnEgooAWXB9+7p4NF1BZHmpmYleXZckmXtaDK3cKgFWAOVD
KMQgiEYHgdm6otlNf328uOmoaggN1wRqmMsW/PZys0AvQ183oTsidhQwfOofCt3k
LwJiu5o+gJCIePrqKuHtkteKmjFR1KQ2RZHPmJ2ApoxVymBreJWKMl8ZVCRyteDx
JoWZfprPnZZaqb83ylkpE/lXyut0etT2zmI+W/Bg4LFDZTVfqw+HPB7opvITfP0p
6H0YwH9Qn/BiOcP6JncVUPLe8/bEiOJ/jsJwPRCcl0C7PmDrn6uhBNVfrY4CreAL
h38/vKSwK8iduyPpne6zq6hQDYBTdEpBDtXFsnElNBmyIE7yIH3ta8qDYsW13Fr7
x9U7F9KagIR1AH2b/uMzjlTDv85hvzGP8vS06S1gJn6RJP0WSDtpE7RNT6MkfMIw
Ti16a9nEJ3H+Zn76vdvlLirmziETsIVpxHSDRu/X9QfxJmXHnXg7581bu8aGZ1zN
6xwWP9mWA8KJzbX5mxXChHoZ9qQ/o4D10MxS+7DXFYiya4prHWphyTS2MYbzMzIl
TIOJ54FVg01QiQbh29X05hvd3RMOkdzJ9Tggq8oTSLvgTIUSmi0=
=jtGQ
-----END PGP SIGNATURE-----
Merge 4.19.114 into android-4.19
Changes in 4.19.114
mmc: core: Allow host controllers to require R1B for CMD6
mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for erase/trim/discard
mmc: core: Respect MMC_CAP_NEED_RSP_BUSY for eMMC sleep command
mmc: sdhci-omap: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY
mmc: sdhci-tegra: Fix busy detection by enabling MMC_CAP_NEED_RSP_BUSY
Revert "drm/dp_mst: Skip validating ports during destruction, just ref"
geneve: move debug check after netdev unregister
hsr: fix general protection fault in hsr_addr_is_self()
macsec: restrict to ethernet devices
mlxsw: spectrum_mr: Fix list iteration in error path
net: cbs: Fix software cbs to consider packet sending time
net: dsa: Fix duplicate frames flooded by learning
net: mvneta: Fix the case where the last poll did not process all rx
net/packet: tpacket_rcv: avoid a producer race condition
net: qmi_wwan: add support for ASKEY WWHC050
net_sched: cls_route: remove the right filter from hashtable
net_sched: keep alloc_hash updated after hash allocation
net: stmmac: dwmac-rk: fix error path in rk_gmac_probe
NFC: fdp: Fix a signedness bug in fdp_nci_send_patch()
slcan: not call free_netdev before rtnl_unlock in slcan_open
bnxt_en: fix memory leaks in bnxt_dcbnl_ieee_getets()
bnxt_en: Reset rings if ring reservation fails during open()
net: ip_gre: Separate ERSPAN newlink / changelink callbacks
net: ip_gre: Accept IFLA_INFO_DATA-less configuration
net: dsa: mt7530: Change the LINK bit to reflect the link status
net: phy: mdio-mux-bcm-iproc: check clk_prepare_enable() return value
r8169: re-enable MSI on RTL8168c
tcp: repair: fix TCP_QUEUE_SEQ implementation
vxlan: check return value of gro_cells_init()
hsr: use rcu_read_lock() in hsr_get_node_{list/status}()
hsr: add restart routine into hsr_get_node_list()
hsr: set .netnsok flag
cgroup-v1: cgroup_pidlist_next should update position index
nfs: add minor version to nfs_server_key for fscache
cpupower: avoid multiple definition with gcc -fno-common
drivers/of/of_mdio.c:fix of_mdiobus_register()
cgroup1: don't call release_agent when it is ""
dt-bindings: net: FMan erratum A050385
arm64: dts: ls1043a: FMan erratum A050385
fsl/fman: detect FMan erratum A050385
s390/qeth: handle error when backing RX buffer
scsi: ipr: Fix softlockup when rescanning devices in petitboot
mac80211: Do not send mesh HWMP PREQ if HWMP is disabled
dpaa_eth: Remove unnecessary boolean expression in dpaa_get_headroom
sxgbe: Fix off by one in samsung driver strncpy size arg
ftrace/x86: Anotate text_mutex split between ftrace_arch_code_modify_post_process() and ftrace_arch_code_modify_prepare()
i2c: hix5hd2: add missed clk_disable_unprepare in remove
Input: raydium_i2c_ts - fix error codes in raydium_i2c_boot_trigger()
Input: synaptics - enable RMI on HP Envy 13-ad105ng
Input: avoid BIT() macro usage in the serio.h UAPI header
ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL
ARM: dts: dra7: Add bus_dma_limit for L3 bus
ARM: dts: omap5: Add bus_dma_limit for L3 bus
perf probe: Do not depend on dwfl_module_addrsym()
tools: Let O= makes handle a relative path with -C option
scripts/dtc: Remove redundant YYLOC global declaration
scsi: sd: Fix optimal I/O size for devices that change reported values
nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type
mac80211: mark station unauthorized before key removal
gpiolib: acpi: Correct comment for HP x2 10 honor_wakeup quirk
gpiolib: acpi: Rework honor_wakeup option into an ignore_wake option
gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 BYT + AXP288 model
RDMA/core: Ensure security pkey modify is not lost
genirq: Fix reference leaks on irq affinity notifiers
xfrm: handle NETDEV_UNREGISTER for xfrm device
vti[6]: fix packet tx through bpf_redirect() in XinY cases
RDMA/mlx5: Block delay drop to unprivileged users
xfrm: fix uctx len check in verify_sec_ctx_len
xfrm: add the missing verify_sec_ctx_len check in xfrm_add_acquire
xfrm: policy: Fix doulbe free in xfrm_policy_timer
afs: Fix some tracing details
netfilter: flowtable: reload ip{v6}h in nf_flow_tuple_ip{v6}
netfilter: nft_fwd_netdev: validate family and chain type
bpf/btf: Fix BTF verification of enum members in struct/union
vti6: Fix memory leak of skb if input policy check fails
Revert "r8169: check that Realtek PHY driver module is loaded"
mac80211: add option for setting control flags
mac80211: set IEEE80211_TX_CTRL_PORT_CTRL_PROTO for nl80211 TX
USB: serial: option: add support for ASKEY WWHC050
USB: serial: option: add BroadMobi BM806U
USB: serial: option: add Wistron Neweb D19Q1
USB: cdc-acm: restore capability check order
USB: serial: io_edgeport: fix slab-out-of-bounds read in edge_interrupt_callback
usb: musb: fix crash with highmen PIO and usbmon
media: flexcop-usb: fix endpoint sanity check
media: usbtv: fix control-message timeouts
staging: rtl8188eu: Add ASUS USB-N10 Nano B1 to device table
staging: wlan-ng: fix ODEBUG bug in prism2sta_disconnect_usb
staging: wlan-ng: fix use-after-free Read in hfa384x_usbin_callback
ahci: Add Intel Comet Lake H RAID PCI ID
libfs: fix infoleak in simple_attr_read()
media: ov519: add missing endpoint sanity checks
media: dib0700: fix rc endpoint lookup
media: stv06xx: add missing descriptor sanity checks
media: xirlink_cit: add missing descriptor sanity checks
mac80211: Check port authorization in the ieee80211_tx_dequeue() case
mac80211: fix authentication with iwlwifi/mvm
vt: selection, introduce vc_is_sel
vt: ioctl, switch VT_IS_IN_USE and VT_BUSY to inlines
vt: switch vt_dont_switch to bool
vt: vt_ioctl: remove unnecessary console allocation checks
vt: vt_ioctl: fix VT_DISALLOCATE freeing in-use virtual console
vt: vt_ioctl: fix use-after-free in vt_in_use()
platform/x86: pmc_atom: Add Lex 2I385SW to critclk_systems DMI table
bpf: Explicitly memset the bpf_attr structure
bpf: Explicitly memset some bpf info structures declared on the stack
gpiolib: acpi: Add quirk to ignore EC wakeups on HP x2 10 CHT + AXP288 model
net: ks8851-ml: Fix IO operations, again
arm64: alternative: fix build with clang integrated assembler
perf map: Fix off by one in strncpy() size argument
ARM: dts: oxnas: Fix clear-mask property
ARM: bcm2835-rpi-zero-w: Add missing pinctrl name
ARM: dts: imx6: phycore-som: fix arm and soc minimum voltage
ARM: dts: N900: fix onenand timings
arm64: dts: ls1043a-rdb: correct RGMII delay mode to rgmii-id
arm64: dts: ls1046ardb: set RGMII interfaces to RGMII_ID mode
Linux 4.19.114
Change-Id: Icc165d2e49aba750e1b5a8856d9774c149e59ce7
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 4c59406ed00379c8663f8663d82b2537467ce9d7 upstream.
After xfrm_add_policy add a policy, its ref is 2, then
xfrm_policy_timer
read_lock
xp->walk.dead is 0
....
mod_timer()
xfrm_policy_kill
policy->walk.dead = 1
....
del_timer(&policy->timer)
xfrm_pol_put //ref is 1
xfrm_pol_put //ref is 0
xfrm_policy_destroy
call_rcu
xfrm_pol_hold //ref is 1
read_unlock
xfrm_pol_put //ref is 0
xfrm_policy_destroy
call_rcu
xfrm_policy_destroy is called twice, which may leads to
double free.
Call Trace:
RIP: 0010:refcount_warn_saturate+0x161/0x210
...
xfrm_policy_timer+0x522/0x600
call_timer_fn+0x1b3/0x5e0
? __xfrm_decode_session+0x2990/0x2990
? msleep+0xb0/0xb0
? _raw_spin_unlock_irq+0x24/0x40
? __xfrm_decode_session+0x2990/0x2990
? __xfrm_decode_session+0x2990/0x2990
run_timer_softirq+0x5c5/0x10e0
Fix this by use write_lock_bh in xfrm_policy_kill.
Fixes: ea2dea9dac ("xfrm: remove policy lock when accessing policy->walk.dead")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Timo Teräs <timo.teras@iki.fi>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a1a7e3a36e01ca6e67014f8cf673cb8e47be5550 upstream.
Without doing verify_sec_ctx_len() check in xfrm_add_acquire(), it may be
out-of-bounds to access uctx->ctx_str with uctx->ctx_len, as noticed by
syz:
BUG: KASAN: slab-out-of-bounds in selinux_xfrm_alloc_user+0x237/0x430
Read of size 768 at addr ffff8880123be9b4 by task syz-executor.1/11650
Call Trace:
dump_stack+0xe8/0x16e
print_address_description.cold.3+0x9/0x23b
kasan_report.cold.4+0x64/0x95
memcpy+0x1f/0x50
selinux_xfrm_alloc_user+0x237/0x430
security_xfrm_policy_alloc+0x5c/0xb0
xfrm_policy_construct+0x2b1/0x650
xfrm_add_acquire+0x21d/0xa10
xfrm_user_rcv_msg+0x431/0x6f0
netlink_rcv_skb+0x15a/0x410
xfrm_netlink_rcv+0x6d/0x90
netlink_unicast+0x50e/0x6a0
netlink_sendmsg+0x8ae/0xd40
sock_sendmsg+0x133/0x170
___sys_sendmsg+0x834/0x9a0
__sys_sendmsg+0x100/0x1e0
do_syscall_64+0xe5/0x660
entry_SYSCALL_64_after_hwframe+0x6a/0xdf
So fix it by adding the missing verify_sec_ctx_len check there.
Fixes: 980ebd2579 ("[IPSEC]: Sync series - acquire insert")
Reported-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 171d449a028573b2f0acdc7f31ecbb045391b320 upstream.
It's not sufficient to do 'uctx->len != (sizeof(struct xfrm_user_sec_ctx) +
uctx->ctx_len)' check only, as uctx->len may be greater than nla_len(rt),
in which case it will cause slab-out-of-bounds when accessing uctx->ctx_str
later.
This patch is to fix it by return -EINVAL when uctx->len > nla_len(rt).
Fixes: df71837d50 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl461NIACgkQONu9yGCS
aT6Mqw//W5xIIcs0Ut+P+QYNN6lCTRJ0AvFUolz79M3pyK/rHUluwTvYJbDAeGE3
sckv96rE1pxj5ZSf6LegXIoALrA4RlYHS8xXkYnRrt6xfrb7UwpqsJtt4Mx+IrJ3
9uFfaWRSvuDfRCraZxLiE2Bl9xVYvaPfFJYBmH383VB+deYNfpwORFsqNDQT+gR6
PZLuV0x//Kerwmd4OvaaHR/fIl8YVKmIz5lu3+3WIuVKxTK6Bbd3YzVu13dhVaX2
mETflLEAO/sYsUQiS4SO22ejLAiWyD8LyMV8s9KeTFQXzML3JpibKnt3ySDfzsFE
m8VRlaLcQwB0Ca2AVGHA5QV0+V+2+6qh/IcZl630feBueGQX59qLQkOurD4e/9lm
Na6ZkLPTh9UipIfTu9fvA5HY5lPt2VcSWwG2nLluckfJIpKNFVQEB7vuk9zd7468
qkXmj/J1YDdJzt2YgD0WZuKu3f1/No7rXbNmT2Oj0+HNWWvIU9xFNFlIPAxo7pJy
kwekd9+gHI0n1OhLRjzYUyf0pD+j0o75ZHsYYsUW0y6cGoWX/LmQ8JPFi+waHiov
FOe8FJz/uDtfQnJ4+izAM5Jjbu1LE+L8uGoIExYAv4DuXgPZtI2wtHvP4HHM3Aov
mDWLesMgizsroViv57aXC0C1ZPksPpGeHT+HcH7RnDQ0kQmpe3E=
=2XGW
-----END PGP SIGNATURE-----
Merge 4.19.102 into android-4.19
Changes in 4.19.102
vfs: fix do_last() regression
x86/resctrl: Fix use-after-free when deleting resource groups
x86/resctrl: Fix use-after-free due to inaccurate refcount of rdtgroup
x86/resctrl: Fix a deadlock due to inaccurate reference
crypto: pcrypt - Fix user-after-free on module unload
rsi: add hci detach for hibernation and poweroff
rsi: fix use-after-free on failed probe and unbind
perf c2c: Fix return type for histogram sorting comparision functions
PM / devfreq: Add new name attribute for sysfs
tools lib: Fix builds when glibc contains strlcpy()
arm64: kbuild: remove compressed images on 'make ARCH=arm64 (dist)clean'
ext4: validate the debug_want_extra_isize mount option at parse time
mm/mempolicy.c: fix out of bounds write in mpol_parse_str()
reiserfs: Fix memory leak of journal device string
media: digitv: don't continue if remote control state can't be read
media: af9005: uninitialized variable printked
media: vp7045: do not read uninitialized values if usb transfer fails
media: gspca: zero usb_buf
media: dvb-usb/dvb-usb-urb.c: initialize actlen to 0
tomoyo: Use atomic_t for statistics counter
ttyprintk: fix a potential deadlock in interrupt context issue
Bluetooth: Fix race condition in hci_release_sock()
cgroup: Prevent double killing of css when enabling threaded cgroup
media: si470x-i2c: Move free() past last use of 'radio'
ARM: dts: sun8i: a83t: Correct USB3503 GPIOs polarity
ARM: dts: am57xx-beagle-x15/am57xx-idk: Remove "gpios" for endpoint dt nodes
ARM: dts: beagle-x15-common: Model 5V0 regulator
soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot
tools lib traceevent: Fix memory leakage in filter_event
rseq: Unregister rseq for clone CLONE_VM
clk: sunxi-ng: h6-r: Fix AR100/R_APB2 parent order
mac80211: mesh: restrict airtime metric to peered established plinks
clk: mmp2: Fix the order of timer mux parents
ASoC: rt5640: Fix NULL dereference on module unload
ixgbevf: Remove limit of 10 entries for unicast filter list
ixgbe: Fix calculation of queue with VFs and flow director on interface flap
igb: Fix SGMII SFP module discovery for 100FX/LX.
platform/x86: GPD pocket fan: Allow somewhat lower/higher temperature limits
ASoC: sti: fix possible sleep-in-atomic
qmi_wwan: Add support for Quectel RM500Q
parisc: Use proper printk format for resource_size_t
wireless: fix enabling channel 12 for custom regulatory domain
cfg80211: Fix radar event during another phy CAC
mac80211: Fix TKIP replay protection immediately after key setup
wireless: wext: avoid gcc -O3 warning
netfilter: nft_tunnel: ERSPAN_VERSION must not be null
net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec
bnxt_en: Fix ipv6 RFS filter matching logic.
riscv: delete temporary files
iwlwifi: Don't ignore the cap field upon mcc update
ARM: dts: am335x-boneblack-common: fix memory size
vti[6]: fix packet tx through bpf_redirect()
xfrm interface: fix packet tx through bpf_redirect()
xfrm: interface: do not confirm neighbor when do pmtu update
scsi: fnic: do not queue commands during fwreset
ARM: 8955/1: virt: Relax arch timer version check during early boot
tee: optee: Fix compilation issue with nommu
airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE
airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE
r8152: get default setting of WOL before initializing
ARM: dts: am43x-epos-evm: set data pin directions for spi0 and spi1
qlcnic: Fix CPU soft lockup while collecting firmware dump
powerpc/fsl/dts: add fsl,erratum-a011043
net/fsl: treat fsl,erratum-a011043
net: fsl/fman: rename IF_MODE_XGMII to IF_MODE_10G
seq_tab_next() should increase position index
l2t_seq_next should increase position index
net: Fix skb->csum update in inet_proto_csum_replace16().
btrfs: do not zero f_bavail if we have available space
perf report: Fix no libunwind compiled warning break s390 issue
mm/migrate.c: also overwrite error when it is bigger than zero
Linux 4.19.102
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ia9b63c7932b66f469ab0e88467e1e07741408f0b
[ Upstream commit 8aaea2b0428b6aad7c7e22d3fddc31a78bb1d724 ]
When do IPv6 tunnel PMTU update and calls __ip6_rt_update_pmtu() in the end,
we should not call dst_confirm_neigh() as there is no two-way communication.
Signed-off-by: Xu Wang <vulab@iscas.ac.cn>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f042365dbffea98fb8148c98c700402e8d099f02 ]
With an ebpf program that redirects packets through a xfrm interface,
packets are dropped because no dst is attached to skb.
This could also be reproduced with an AF_PACKET socket, with the following
python script (xfrm1 is a xfrm interface):
import socket
send_s = socket.socket(socket.AF_PACKET, socket.SOCK_RAW, 0)
# scapy
# p = IP(src='10.100.0.2', dst='10.200.0.1')/ICMP(type='echo-request')
# raw(p)
req = b'E\x00\x00\x1c\x00\x01\x00\x00@\x01e\xb2\nd\x00\x02\n\xc8\x00\x01\x08\x00\xf7\xff\x00\x00\x00\x00'
send_s.sendto(req, ('xfrm1', 0x800, 0, 0))
It was also not possible to send an ip packet through an AF_PACKET socket
because a LL header was expected. Let's remove those LL header constraints.
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4u6tsACgkQONu9yGCS
aT693A//TExeDRnNnf+2v4TJorylyRr17BMxk/Ie2L5E6d2n/RWodsrOThAPU9tx
5alNUkXCT8Jd31BUVnUoPoAQ4zSymSVi++XEf05wDeO0tQ982IESGaLmu9EC1uMF
nnM5y4IdRYmFI1Zji4h5vRJckoYUlB6Mdg4BgMr4Q1KX7RkZYfe6bjs7DwM/uyMx
jVXdFaQBD1H6F5W6A+GmgUZ36g9uNqzcBxxWwv5URj+q816NdI4bsxIJMF0v0WC+
S54fmpS07QWIYKKsQBUepeSgEF4ECESOE2VoF1ICcnfakdPnDBmNgyPJPSrLmVf+
itRUxoH1MewaOvoJrv+xsGBPmM29LcKH2oBmj5DR2Xstp7ACPs+OtXJEU9dUTDN4
NhaSts5fIp0f4Y5mMn508pDUwYDAWDt99ZJWdx6aK/TRyUsHBgpxBQDt37BE3U5W
PCBnObNe2b2KDAsVXLjX5iDYoA0+usFreveMo8uEP+ohfh0ANvJlRkzedYw7NquI
ZCcT+I1P9q8aa0528tR332VLrQeYg+kG6LVi2kAabmRA/VtEsT0w90MY/eo2vuTU
WlPmbs2yerv2HTm050e6MOgBZfPh7wP/FpbjsSXufj7EDywlfxF+1hXdwfrpPJeN
fN3g0kepeUp7+kLzO40FLam/z5ndjAUhyN2SBaPzGsXjMkZdETk=
=zvlh
-----END PGP SIGNATURE-----
Merge 4.19.99 into android-4.19
Changes in 4.19.99
Revert "efi: Fix debugobjects warning on 'efi_rts_work'"
xfs: Sanity check flags of Q_XQUOTARM call
i2c: stm32f7: rework slave_id allocation
i2c: i2c-stm32f7: fix 10-bits check in slave free id search loop
mfd: intel-lpss: Add default I2C device properties for Gemini Lake
SUNRPC: Fix svcauth_gss_proxy_init()
powerpc/pseries: Enable support for ibm,drc-info property
powerpc/archrandom: fix arch_get_random_seed_int()
tipc: update mon's self addr when node addr generated
tipc: fix wrong timeout input for tipc_wait_for_cond()
mt7601u: fix bbp version check in mt7601u_wait_bbp_ready
crypto: sun4i-ss - fix big endian issues
perf map: No need to adjust the long name of modules
soc: aspeed: Fix snoop_file_poll()'s return type
watchdog: sprd: Fix the incorrect pointer getting from driver data
ipmi: Fix memory leak in __ipmi_bmc_register
drm/sti: do not remove the drm_bridge that was never added
ARM: dts: at91: nattis: set the PRLUD and HIPOW signals low
ARM: dts: at91: nattis: make the SD-card slot work
ixgbe: don't clear IPsec sa counters on HW clearing
drm/virtio: fix bounds check in virtio_gpu_cmd_get_capset()
iio: fix position relative kernel version
apparmor: Fix network performance issue in aa_label_sk_perm
ALSA: hda: fix unused variable warning
apparmor: don't try to replace stale label in ptrace access check
ARM: qcom_defconfig: Enable MAILBOX
firmware: coreboot: Let OF core populate platform device
PCI: iproc: Remove PAXC slot check to allow VF support
bridge: br_arp_nd_proxy: set icmp6_router if neigh has NTF_ROUTER
drm/hisilicon: hibmc: Don't overwrite fb helper surface depth
signal/ia64: Use the generic force_sigsegv in setup_frame
signal/ia64: Use the force_sig(SIGSEGV,...) in ia64_rt_sigreturn
ASoC: wm9712: fix unused variable warning
mailbox: mediatek: Add check for possible failure of kzalloc
IB/rxe: replace kvfree with vfree
IB/hfi1: Add mtu check for operational data VLs
genirq/debugfs: Reinstate full OF path for domain name
usb: dwc3: add EXTCON dependency for qcom
usb: gadget: fsl_udc_core: check allocation return value and cleanup on failure
cfg80211: regulatory: make initialization more robust
mei: replace POLL* with EPOLL* for write queues.
drm/msm: fix unsigned comparison with less than zero
of: Fix property name in of_node_get_device_type
ALSA: usb-audio: update quirk for B&W PX to remove microphone
iwlwifi: nvm: get num of hw addresses from firmware
staging: comedi: ni_mio_common: protect register write overflow
netfilter: nft_osf: usage from output path is not valid
pwm: lpss: Release runtime-pm reference from the driver's remove callback
powerpc/pseries/memory-hotplug: Fix return value type of find_aa_index
rtlwifi: rtl8821ae: replace _rtl8821ae_mrate_idx_to_arfr_id with generic version
RDMA/bnxt_re: Add missing spin lock initialization
netfilter: nf_flow_table: do not remove offload when other netns's interface is down
powerpc/kgdb: add kgdb_arch_set/remove_breakpoint()
tipc: eliminate message disordering during binding table update
net: socionext: Add dummy PHY register read in phy_write()
drm/sun4i: hdmi: Fix double flag assignation
net: hns3: add error handler for hns3_nic_init_vector_data()
mlxsw: reg: QEEC: Add minimum shaper fields
mlxsw: spectrum: Set minimum shaper on MC TCs
NTB: ntb_hw_idt: replace IS_ERR_OR_NULL with regular NULL checks
ASoC: wm97xx: fix uninitialized regmap pointer problem
ARM: dts: bcm283x: Correct mailbox register sizes
pcrypt: use format specifier in kobject_add
ASoC: sun8i-codec: add missing route for ADC
pinctrl: meson-gxl: remove invalid GPIOX tsin_a pins
bus: ti-sysc: Add mcasp optional clocks flag
exportfs: fix 'passing zero to ERR_PTR()' warning
drm: rcar-du: Fix the return value in case of error in 'rcar_du_crtc_set_crc_source()'
drm: rcar-du: Fix vblank initialization
net: always initialize pagedlen
drm/dp_mst: Skip validating ports during destruction, just ref
arm64: dts: meson-gx: Add hdmi_5v regulator as hdmi tx supply
arm64: dts: renesas: r8a7795-es1: Add missing power domains to IPMMU nodes
net: phy: Fix not to call phy_resume() if PHY is not attached
IB/hfi1: Correctly process FECN and BECN in packets
OPP: Fix missing debugfs supply directory for OPPs
IB/rxe: Fix incorrect cache cleanup in error flow
mailbox: ti-msgmgr: Off by one in ti_msgmgr_of_xlate()
staging: bcm2835-camera: Abort probe if there is no camera
staging: bcm2835-camera: fix module autoloading
switchtec: Remove immediate status check after submitting MRPC command
ipv6: add missing tx timestamping on IPPROTO_RAW
pinctrl: sh-pfc: r8a7740: Add missing REF125CK pin to gether_gmii group
pinctrl: sh-pfc: r8a7740: Add missing LCD0 marks to lcd0_data24_1 group
pinctrl: sh-pfc: r8a7791: Remove bogus ctrl marks from qspi_data4_b group
pinctrl: sh-pfc: r8a7791: Remove bogus marks from vin1_b_data18 group
pinctrl: sh-pfc: sh73a0: Add missing TO pin to tpu4_to3 group
pinctrl: sh-pfc: r8a7794: Remove bogus IPSR9 field
pinctrl: sh-pfc: r8a77970: Add missing MOD_SEL0 field
pinctrl: sh-pfc: r8a77980: Add missing MOD_SEL0 field
pinctrl: sh-pfc: sh7734: Add missing IPSR11 field
pinctrl: sh-pfc: r8a77995: Remove bogus SEL_PWM[0-3]_3 configurations
pinctrl: sh-pfc: sh7269: Add missing PCIOR0 field
pinctrl: sh-pfc: sh7734: Remove bogus IPSR10 value
net: hns3: fix error handling int the hns3_get_vector_ring_chain
vxlan: changelink: Fix handling of default remotes
Input: nomadik-ske-keypad - fix a loop timeout test
fork,memcg: fix crash in free_thread_stack on memcg charge fail
clk: highbank: fix refcount leak in hb_clk_init()
clk: qoriq: fix refcount leak in clockgen_init()
clk: ti: fix refcount leak in ti_dt_clocks_register()
clk: socfpga: fix refcount leak
clk: samsung: exynos4: fix refcount leak in exynos4_get_xom()
clk: imx6q: fix refcount leak in imx6q_clocks_init()
clk: imx6sx: fix refcount leak in imx6sx_clocks_init()
clk: imx7d: fix refcount leak in imx7d_clocks_init()
clk: vf610: fix refcount leak in vf610_clocks_init()
clk: armada-370: fix refcount leak in a370_clk_init()
clk: kirkwood: fix refcount leak in kirkwood_clk_init()
clk: armada-xp: fix refcount leak in axp_clk_init()
clk: mv98dx3236: fix refcount leak in mv98dx3236_clk_init()
clk: dove: fix refcount leak in dove_clk_init()
MIPS: BCM63XX: drop unused and broken DSP platform device
arm64: defconfig: Re-enable bcm2835-thermal driver
remoteproc: qcom: q6v5-mss: Add missing clocks for MSM8996
remoteproc: qcom: q6v5-mss: Add missing regulator for MSM8996
drm: Fix error handling in drm_legacy_addctx
ARM: dts: r8a7743: Remove generic compatible string from iic3
drm/etnaviv: fix some off by one bugs
drm/fb-helper: generic: Fix setup error path
fork, memcg: fix cached_stacks case
IB/usnic: Fix out of bounds index check in query pkey
RDMA/ocrdma: Fix out of bounds index check in query pkey
RDMA/qedr: Fix out of bounds index check in query pkey
drm/shmob: Fix return value check in shmob_drm_probe
arm64: dts: apq8016-sbc: Increase load on l11 for SDCARD
spi: cadence: Correct initialisation of runtime PM
RDMA/iw_cxgb4: Fix the unchecked ep dereference
net: phy: micrel: set soft_reset callback to genphy_soft_reset for KSZ9031
memory: tegra: Don't invoke Tegra30+ specific memory timing setup on Tegra20
drm/etnaviv: NULL vs IS_ERR() buf in etnaviv_core_dump()
media: s5p-jpeg: Correct step and max values for V4L2_CID_JPEG_RESTART_INTERVAL
kbuild: mark prepare0 as PHONY to fix external module build
crypto: brcm - Fix some set-but-not-used warning
crypto: tgr192 - fix unaligned memory access
ASoC: imx-sgtl5000: put of nodes if finding codec fails
IB/iser: Pass the correct number of entries for dma mapped SGL
net: hns3: fix wrong combined count returned by ethtool -l
media: tw9910: Unregister subdevice with v4l2-async
IB/mlx5: Don't override existing ip_protocol
rtc: cmos: ignore bogus century byte
spi/topcliff_pch: Fix potential NULL dereference on allocation error
net: hns3: fix bug of ethtool_ops.get_channels for VF
ARM: dts: sun8i-a23-a33: Move NAND controller device node to sort by address
clk: sunxi-ng: sun8i-a23: Enable PLL-MIPI LDOs when ungating it
iwlwifi: mvm: avoid possible access out of array.
net/mlx5: Take lock with IRQs disabled to avoid deadlock
ip_tunnel: Fix route fl4 init in ip_md_tunnel_xmit
arm64: dts: allwinner: h6: Move GIC device node fix base address ordering
iwlwifi: mvm: fix A-MPDU reference assignment
bus: ti-sysc: Fix timer handling with drop pm_runtime_irq_safe()
tty: ipwireless: Fix potential NULL pointer dereference
driver: uio: fix possible memory leak in __uio_register_device
driver: uio: fix possible use-after-free in __uio_register_device
crypto: crypto4xx - Fix wrong ppc4xx_trng_probe()/ppc4xx_trng_remove() arguments
driver core: Fix DL_FLAG_AUTOREMOVE_SUPPLIER device link flag handling
driver core: Avoid careless re-use of existing device links
driver core: Do not resume suppliers under device_links_write_lock()
driver core: Fix handling of runtime PM flags in device_link_add()
driver core: Do not call rpm_put_suppliers() in pm_runtime_drop_link()
ARM: dts: lpc32xx: add required clocks property to keypad device node
ARM: dts: lpc32xx: reparent keypad controller to SIC1
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller variant
ARM: dts: lpc32xx: fix ARM PrimeCell LCD controller clocks property
ARM: dts: lpc32xx: phy3250: fix SD card regulator voltage
drm/xen-front: Fix mmap attributes for display buffers
iwlwifi: mvm: fix RSS config command
staging: most: cdev: add missing check for cdev_add failure
clk: ingenic: jz4740: Fix gating of UDC clock
rtc: ds1672: fix unintended sign extension
thermal: mediatek: fix register index error
arm64: dts: msm8916: remove bogus argument to the cpu clock
ath10k: fix dma unmap direction for management frames
net: phy: fixed_phy: Fix fixed_phy not checking GPIO
rtc: ds1307: rx8130: Fix alarm handling
net/smc: original socket family in inet_sock_diag
rtc: 88pm860x: fix unintended sign extension
rtc: 88pm80x: fix unintended sign extension
rtc: pm8xxx: fix unintended sign extension
fbdev: chipsfb: remove set but not used variable 'size'
iw_cxgb4: use tos when importing the endpoint
iw_cxgb4: use tos when finding ipv6 routes
ipmi: kcs_bmc: handle devm_kasprintf() failure case
xsk: add missing smp_rmb() in xsk_mmap
drm/etnaviv: potential NULL dereference
ntb_hw_switchtec: debug print 64bit aligned crosslink BAR Numbers
ntb_hw_switchtec: NT req id mapping table register entry number should be 512
pinctrl: sh-pfc: emev2: Add missing pinmux functions
pinctrl: sh-pfc: r8a7791: Fix scifb2_data_c pin group
pinctrl: sh-pfc: r8a7792: Fix vin1_data18_b pin group
pinctrl: sh-pfc: sh73a0: Fix fsic_spdif pin groups
RDMA/mlx5: Fix memory leak in case we fail to add an IB device
driver core: Fix possible supplier PM-usage counter imbalance
PCI: endpoint: functions: Use memcpy_fromio()/memcpy_toio()
usb: phy: twl6030-usb: fix possible use-after-free on remove
block: don't use bio->bi_vcnt to figure out segment number
keys: Timestamp new keys
net: dsa: b53: Fix default VLAN ID
net: dsa: b53: Properly account for VLAN filtering
net: dsa: b53: Do not program CPU port's PVID
mt76: usb: fix possible memory leak in mt76u_buf_free
media: sh: migor: Include missing dma-mapping header
vfio_pci: Enable memory accesses before calling pci_map_rom
hwmon: (pmbus/tps53679) Fix driver info initialization in probe routine
mdio_bus: Fix PTR_ERR() usage after initialization to constant
KVM: PPC: Release all hardware TCE tables attached to a group
staging: r8822be: check kzalloc return or bail
dmaengine: mv_xor: Use correct device for DMA API
cdc-wdm: pass return value of recover_from_urb_loss
brcmfmac: create debugfs files for bus-specific layer
regulator: pv88060: Fix array out-of-bounds access
regulator: pv88080: Fix array out-of-bounds access
regulator: pv88090: Fix array out-of-bounds access
net: dsa: qca8k: Enable delay for RGMII_ID mode
net/mlx5: Delete unused FPGA QPN variable
drm/nouveau/bios/ramcfg: fix missing parentheses when calculating RON
drm/nouveau/pmu: don't print reply values if exec is false
drm/nouveau: fix missing break in switch statement
driver core: Fix PM-runtime for links added during consumer probe
ASoC: qcom: Fix of-node refcount unbalance in apq8016_sbc_parse_of()
net: dsa: fix unintended change of bridge interface STP state
fs/nfs: Fix nfs_parse_devname to not modify it's argument
staging: rtlwifi: Use proper enum for return in halmac_parse_psd_data_88xx
powerpc/64s: Fix logic when handling unknown CPU features
NFS: Fix a soft lockup in the delegation recovery code
perf: Copy parent's address filter offsets on clone
perf, pt, coresight: Fix address filters for vmas with non-zero offset
clocksource/drivers/sun5i: Fail gracefully when clock rate is unavailable
clocksource/drivers/exynos_mct: Fix error path in timer resources initialization
platform/x86: wmi: fix potential null pointer dereference
NFS/pnfs: Bulk destroy of layouts needs to be safe w.r.t. umount
mmc: sdhci-brcmstb: handle mmc_of_parse() errors during probe
iommu: Fix IOMMU debugfs fallout
ARM: 8847/1: pm: fix HYP/SVC mode mismatch when MCPM is used
ARM: 8848/1: virt: Align GIC version check with arm64 counterpart
ARM: 8849/1: NOMMU: Fix encodings for PMSAv8's PRBAR4/PRLAR4
regulator: wm831x-dcdc: Fix list of wm831x_dcdc_ilim from mA to uA
ath10k: Fix length of wmi tlv command for protected mgmt frames
netfilter: nft_set_hash: fix lookups with fixed size hash on big endian
netfilter: nft_set_hash: bogus element self comparison from deactivation path
net: sched: act_csum: Fix csum calc for tagged packets
hwrng: bcm2835 - fix probe as platform device
iommu/vt-d: Fix NULL pointer reference in intel_svm_bind_mm()
NFS: Add missing encode / decode sequence_maxsz to v4.2 operations
NFSv4/flexfiles: Fix invalid deref in FF_LAYOUT_DEVID_NODE()
net: aquantia: fixed instack structure overflow
powerpc/mm: Check secondary hash page table
media: dvb/earth-pt1: fix wrong initialization for demod blocks
rbd: clear ->xferred on error from rbd_obj_issue_copyup()
PCI: Fix "try" semantics of bus and slot reset
nios2: ksyms: Add missing symbol exports
x86/mm: Remove unused variable 'cpu'
scsi: megaraid_sas: reduce module load time
nfp: fix simple vNIC mailbox length
drivers/rapidio/rio_cm.c: fix potential oops in riocm_ch_listen()
xen, cpu_hotplug: Prevent an out of bounds access
net/mlx5: Fix multiple updates of steering rules in parallel
net/mlx5e: IPoIB, Fix RX checksum statistics update
net: sh_eth: fix a missing check of of_get_phy_mode
regulator: lp87565: Fix missing register for LP87565_BUCK_0
soc: amlogic: gx-socinfo: Add mask for each SoC packages
media: ivtv: update *pos correctly in ivtv_read_pos()
media: cx18: update *pos correctly in cx18_read_pos()
media: wl128x: Fix an error code in fm_download_firmware()
media: cx23885: check allocation return
regulator: tps65086: Fix tps65086_ldoa1_ranges for selector 0xB
crypto: ccree - reduce kernel stack usage with clang
jfs: fix bogus variable self-initialization
tipc: tipc clang warning
m68k: mac: Fix VIA timer counter accesses
ARM: dts: sun8i: a33: Reintroduce default pinctrl muxing
arm64: dts: allwinner: a64: Add missing PIO clocks
ARM: dts: sun9i: optimus: Fix fixed-regulators
net: phy: don't clear BMCR in genphy_soft_reset
ARM: OMAP2+: Fix potentially uninitialized return value for _setup_reset()
net: dsa: Avoid null pointer when failing to connect to PHY
soc: qcom: cmd-db: Fix an error code in cmd_db_dev_probe()
media: davinci-isif: avoid uninitialized variable use
media: tw5864: Fix possible NULL pointer dereference in tw5864_handle_frame
spi: tegra114: clear packed bit for unpacked mode
spi: tegra114: fix for unpacked mode transfers
spi: tegra114: terminate dma and reset on transfer timeout
spi: tegra114: flush fifos
spi: tegra114: configure dma burst size to fifo trig level
bus: ti-sysc: Fix sysc_unprepare() when no clocks have been allocated
soc/fsl/qe: Fix an error code in qe_pin_request()
spi: bcm2835aux: fix driver to not allow 65535 (=-1) cs-gpios
drm/fb-helper: generic: Call drm_client_add() after setup is done
arm64/vdso: don't leak kernel addresses
rtc: Fix timestamp value for RTC_TIMESTAMP_BEGIN_1900
rtc: mt6397: Don't call irq_dispose_mapping.
ehea: Fix a copy-paste err in ehea_init_port_res
bpf: Add missed newline in verifier verbose log
drm/vmwgfx: Remove set but not used variable 'restart'
scsi: qla2xxx: Unregister chrdev if module initialization fails
of: use correct function prototype for of_overlay_fdt_apply()
net/sched: cbs: fix port_rate miscalculation
clk: qcom: Skip halt checks on gcc_pcie_0_pipe_clk for 8998
ACPI: button: reinitialize button state upon resume
firmware: arm_scmi: fix of_node leak in scmi_mailbox_check
rxrpc: Fix detection of out of order acks
scsi: target/core: Fix a race condition in the LUN lookup code
brcmfmac: fix leak of mypkt on error return path
ARM: pxa: ssp: Fix "WARNING: invalid free of devm_ allocated data"
PCI: rockchip: Fix rockchip_pcie_ep_assert_intx() bitwise operations
net: hns3: fix for vport->bw_limit overflow problem
hwmon: (w83627hf) Use request_muxed_region for Super-IO accesses
perf/core: Fix the address filtering fix
staging: android: vsoc: fix copy_from_user overrun
PCI: dwc: Fix dw_pcie_ep_find_capability() to return correct capability offset
soc: amlogic: meson-gx-pwrc-vpu: Fix power on/off register bitmask
platform/x86: alienware-wmi: fix kfree on potentially uninitialized pointer
tipc: set sysctl_tipc_rmem and named_timeout right range
usb: typec: tcpm: Notify the tcpc to start connection-detection for SRPs
selftests/ipc: Fix msgque compiler warnings
net: hns3: fix loop condition of hns3_get_tx_timeo_queue_info()
powerpc: vdso: Make vdso32 installation conditional in vdso_install
ARM: dts: ls1021: Fix SGMII PCS link remaining down after PHY disconnect
media: ov2659: fix unbalanced mutex_lock/unlock
6lowpan: Off by one handling ->nexthdr
dmaengine: axi-dmac: Don't check the number of frames for alignment
ALSA: usb-audio: Handle the error from snd_usb_mixer_apply_create_quirk()
afs: Fix AFS file locking to allow fine grained locks
afs: Further fix file locking
NFS: Don't interrupt file writeout due to fatal errors
coresight: catu: fix clang build warning
s390/kexec_file: Fix potential segment overlap in ELF loader
irqchip/gic-v3-its: fix some definitions of inner cacheability attributes
scsi: qla2xxx: Fix a format specifier
scsi: qla2xxx: Fix error handling in qlt_alloc_qfull_cmd()
scsi: qla2xxx: Avoid that qlt_send_resp_ctio() corrupts memory
KVM: PPC: Book3S HV: Fix lockdep warning when entering the guest
netfilter: nft_flow_offload: add entry to flowtable after confirmation
PCI: iproc: Enable iProc config read for PAXBv2
ARM: dts: logicpd-som-lv: Fix MMC1 card detect
packet: in recvmsg msg_name return at least sizeof sockaddr_ll
ASoC: fix valid stream condition
usb: gadget: fsl: fix link error against usb-gadget module
dwc2: gadget: Fix completed transfer size calculation in DDMA
IB/mlx5: Add missing XRC options to QP optional params mask
RDMA/rxe: Consider skb reserve space based on netdev of GID
iommu/vt-d: Make kernel parameter igfx_off work with vIOMMU
net: ena: fix swapped parameters when calling ena_com_indirect_table_fill_entry
net: ena: fix: Free napi resources when ena_up() fails
net: ena: fix incorrect test of supported hash function
net: ena: fix ena_com_fill_hash_function() implementation
dmaengine: tegra210-adma: restore channel status
watchdog: rtd119x_wdt: Fix remove function
mmc: core: fix possible use after free of host
lightnvm: pblk: fix lock order in pblk_rb_tear_down_check
ath10k: Fix encoding for protected management frames
afs: Fix the afs.cell and afs.volume xattr handlers
vfio/mdev: Avoid release parent reference during error path
vfio/mdev: Follow correct remove sequence
vfio/mdev: Fix aborting mdev child device removal if one fails
l2tp: Fix possible NULL pointer dereference
ALSA: aica: Fix a long-time build breakage
media: omap_vout: potential buffer overflow in vidioc_dqbuf()
media: davinci/vpbe: array underflow in vpbe_enum_outputs()
platform/x86: alienware-wmi: printing the wrong error code
crypto: caam - fix caam_dump_sg that iterates through scatterlist
netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule
pwm: meson: Consider 128 a valid pre-divider
pwm: meson: Don't disable PWM when setting duty repeatedly
ARM: riscpc: fix lack of keyboard interrupts after irq conversion
nfp: bpf: fix static check error through tightening shift amount adjustment
kdb: do a sanity check on the cpu in kdb_per_cpu()
netfilter: nf_tables: correct NFT_LOGLEVEL_MAX value
backlight: lm3630a: Return 0 on success in update_status functions
thermal: rcar_gen3_thermal: fix interrupt type
thermal: cpu_cooling: Actually trace CPU load in thermal_power_cpu_get_power
EDAC/mc: Fix edac_mc_find() in case no device is found
afs: Fix key leak in afs_release() and afs_evict_inode()
afs: Don't invalidate callback if AFS_VNODE_DIR_VALID not set
afs: Fix lock-wait/callback-break double locking
afs: Fix double inc of vnode->cb_break
ARM: dts: sun8i-h3: Fix wifi in Beelink X2 DT
clk: meson: gxbb: no spread spectrum on mpll0
clk: meson: axg: spread spectrum is on mpll2
dmaengine: tegra210-adma: Fix crash during probe
arm64: dts: meson: libretech-cc: set eMMC as removable
RDMA/qedr: Fix incorrect device rate.
spi: spi-fsl-spi: call spi_finalize_current_message() at the end
crypto: ccp - fix AES CFB error exposed by new test vectors
crypto: ccp - Fix 3DES complaint from ccp-crypto module
serial: stm32: fix word length configuration
serial: stm32: fix rx error handling
serial: stm32: fix rx data length when parity enabled
serial: stm32: fix transmit_chars when tx is stopped
serial: stm32: Add support of TC bit status check
serial: stm32: fix wakeup source initialization
misc: sgi-xp: Properly initialize buf in xpc_get_rsvd_page_pa
iommu: Add missing new line for dma type
iommu: Use right function to get group for device
signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig
signal/cifs: Fix cifs_put_tcp_session to call send_sig instead of force_sig
inet: frags: call inet_frags_fini() after unregister_pernet_subsys()
net: hns3: fix a memory leak issue for hclge_map_unmap_ring_to_vf_vector
crypto: talitos - fix AEAD processing.
netvsc: unshare skb in VF rx handler
net: core: support XDP generic on stacked devices.
RDMA/uverbs: check for allocation failure in uapi_add_elm()
net: don't clear sock->sk early to avoid trouble in strparser
phy: qcom-qusb2: fix missing assignment of ret when calling clk_prepare_enable
cpufreq: brcmstb-avs-cpufreq: Fix initial command check
cpufreq: brcmstb-avs-cpufreq: Fix types for voltage/frequency
clk: sunxi-ng: sun50i-h6-r: Fix incorrect W1 clock gate register
media: vivid: fix incorrect assignment operation when setting video mode
crypto: inside-secure - fix zeroing of the request in ahash_exit_inv
crypto: inside-secure - fix queued len computation
arm64: dts: renesas: ebisu: Remove renesas, no-ether-link property
mpls: fix warning with multi-label encap
serial: stm32: fix a recursive locking in stm32_config_rs485
arm64: dts: meson-gxm-khadas-vim2: fix gpio-keys-polled node
arm64: dts: meson-gxm-khadas-vim2: fix Bluetooth support
iommu/vt-d: Duplicate iommu_resv_region objects per device list
phy: usb: phy-brcm-usb: Remove sysfs attributes upon driver removal
firmware: arm_scmi: fix bitfield definitions for SENSOR_DESC attributes
firmware: arm_scmi: update rate_discrete in clock_describe_rates_get
ntb_hw_switchtec: potential shift wrapping bug in switchtec_ntb_init_sndev()
ASoC: meson: axg-tdmin: right_j is not supported
ASoC: meson: axg-tdmout: right_j is not supported
qed: iWARP - Use READ_ONCE and smp_store_release to access ep->state
qed: iWARP - fix uninitialized callback
powerpc/cacheinfo: add cacheinfo_teardown, cacheinfo_rebuild
powerpc/pseries/mobility: rebuild cacheinfo hierarchy post-migration
bpf: fix the check that forwarding is enabled in bpf_ipv6_fib_lookup
IB/hfi1: Handle port down properly in pio
drm/msm/mdp5: Fix mdp5_cfg_init error return
net: netem: fix backlog accounting for corrupted GSO frames
net/udp_gso: Allow TX timestamp with UDP GSO
net/af_iucv: build proper skbs for HiperTransport
net/af_iucv: always register net_device notifier
ASoC: ti: davinci-mcasp: Fix slot mask settings when using multiple AXRs
rtc: pcf8563: Fix interrupt trigger method
rtc: pcf8563: Clear event flags and disable interrupts before requesting irq
ARM: dts: iwg20d-q7-common: Fix SDHI1 VccQ regularor
net/sched: cbs: Fix error path of cbs_module_init
arm64: dts: allwinner: h6: Pine H64: Add interrupt line for RTC
drm/msm/a3xx: remove TPL1 regs from snapshot
ip6_fib: Don't discard nodes with valid routing information in fib6_locate_1()
perf/ioctl: Add check for the sample_period value
dmaengine: hsu: Revert "set HSU_CH_MTSR to memory width"
clk: qcom: Fix -Wunused-const-variable
nvmem: imx-ocotp: Ensure WAIT bits are preserved when setting timing
nvmem: imx-ocotp: Change TIMING calculation to u-boot algorithm
tools: bpftool: use correct argument in cgroup errors
backlight: pwm_bl: Fix heuristic to determine number of brightness levels
fork,memcg: alloc_thread_stack_node needs to set tsk->stack
bnxt_en: Fix ethtool selftest crash under error conditions.
bnxt_en: Suppress error messages when querying DSCP DCB capabilities.
iommu/amd: Make iommu_disable safer
mfd: intel-lpss: Release IDA resources
rxrpc: Fix uninitialized error code in rxrpc_send_data_packet()
xprtrdma: Fix use-after-free in rpcrdma_post_recvs
um: Fix IRQ controller regression on console read
PM: ACPI/PCI: Resume all devices during hibernation
ACPI: PM: Simplify and fix PM domain hibernation callbacks
ACPI: PM: Introduce "poweroff" callbacks for ACPI PM domain and LPSS
fsi/core: Fix error paths on CFAM init
devres: allow const resource arguments
fsi: sbefifo: Don't fail operations when in SBE IPL state
RDMA/hns: Fixs hw access invalid dma memory error
PCI: mobiveil: Remove the flag MSI_FLAG_MULTI_PCI_MSI
PCI: mobiveil: Fix devfn check in mobiveil_pcie_valid_device()
PCI: mobiveil: Fix the valid check for inbound and outbound windows
ceph: fix "ceph.dir.rctime" vxattr value
net: pasemi: fix an use-after-free in pasemi_mac_phy_init()
net/tls: fix socket wmem accounting on fallback with netem
x86/pgtable/32: Fix LOWMEM_PAGES constant
xdp: fix possible cq entry leak
ARM: stm32: use "depends on" instead of "if" after prompt
scsi: libfc: fix null pointer dereference on a null lport
xfrm interface: ifname may be wrong in logs
drm/panel: make drm_panel.h self-contained
clk: sunxi-ng: v3s: add the missing PLL_DDR1
PM: sleep: Fix possible overflow in pm_system_cancel_wakeup()
libertas_tf: Use correct channel range in lbtf_geo_init
qed: reduce maximum stack frame size
usb: host: xhci-hub: fix extra endianness conversion
media: rcar-vin: Clean up correct notifier in error path
mic: avoid statically declaring a 'struct device'.
x86/kgbd: Use NMI_VECTOR not APIC_DM_NMI
crypto: ccp - Reduce maximum stack usage
ALSA: aoa: onyx: always initialize register read value
arm64: dts: renesas: r8a77995: Fix register range of display node
tipc: reduce risk of wakeup queue starvation
ARM: dts: stm32: add missing vdda-supply to adc on stm32h743i-eval
net/mlx5: Fix mlx5_ifc_query_lag_out_bits
cifs: fix rmmod regression in cifs.ko caused by force_sig changes
iio: tsl2772: Use devm_add_action_or_reset for tsl2772_chip_off
net: fix bpf_xdp_adjust_head regression for generic-XDP
spi: bcm-qspi: Fix BSPI QUAD and DUAL mode support when using flex mode
cxgb4: smt: Add lock for atomic_dec_and_test
crypto: caam - free resources in case caam_rng registration failed
ext4: set error return correctly when ext4_htree_store_dirent fails
RDMA/hns: Bugfix for slab-out-of-bounds when unloading hip08 driver
RDMA/hns: bugfix for slab-out-of-bounds when loading hip08 driver
ASoC: es8328: Fix copy-paste error in es8328_right_line_controls
ASoC: cs4349: Use PM ops 'cs4349_runtime_pm'
ASoC: wm8737: Fix copy-paste error in wm8737_snd_controls
net/rds: Add a few missing rds_stat_names entries
tools: bpftool: fix arguments for p_err() in do_event_pipe()
tools: bpftool: fix format strings and arguments for jsonw_printf()
drm: rcar-du: lvds: Fix bridge_to_rcar_lvds
bnxt_en: Fix handling FRAG_ERR when NVM_INSTALL_UPDATE cmd fails
signal: Allow cifs and drbd to receive their terminating signals
powerpc/64s/radix: Fix memory hot-unplug page table split
ASoC: sun4i-i2s: RX and TX counter registers are swapped
dmaengine: dw: platform: Switch to acpi_dma_controller_register()
rtc: rv3029: revert error handling patch to rv3029_eeprom_write()
mac80211: minstrel_ht: fix per-group max throughput rate initialization
i40e: reduce stack usage in i40e_set_fc
media: atmel: atmel-isi: fix timeout value for stop streaming
ARM: 8896/1: VDSO: Don't leak kernel addresses
rtc: pcf2127: bugfix: read rtc disables watchdog
mips: avoid explicit UB in assignment of mips_io_port_base
media: em28xx: Fix exception handling in em28xx_alloc_urbs()
iommu/mediatek: Fix iova_to_phys PA start for 4GB mode
ahci: Do not export local variable ahci_em_messages
rxrpc: Fix lack of conn cleanup when local endpoint is cleaned up [ver #2]
Partially revert "kfifo: fix kfifo_alloc() and kfifo_init()"
hwmon: (lm75) Fix write operations for negative temperatures
net/sched: cbs: Set default link speed to 10 Mbps in cbs_set_port_rate
power: supply: Init device wakeup after device_add()
x86, perf: Fix the dependency of the x86 insn decoder selftest
staging: greybus: light: fix a couple double frees
irqdomain: Add the missing assignment of domain->fwnode for named fwnode
bcma: fix incorrect update of BCMA_CORE_PCI_MDIO_DATA
usb: typec: tps6598x: Fix build error without CONFIG_REGMAP_I2C
bcache: Fix an error code in bch_dump_read()
iio: dac: ad5380: fix incorrect assignment to val
netfilter: ctnetlink: honor IPS_OFFLOAD flag
ath9k: dynack: fix possible deadlock in ath_dynack_node_{de}init
wcn36xx: use dynamic allocation for large variables
tty: serial: fsl_lpuart: Use appropriate lpuart32_* I/O funcs
ARM: dts: aspeed-g5: Fixe gpio-ranges upper limit
xsk: avoid store-tearing when assigning queues
xsk: avoid store-tearing when assigning umem
led: triggers: Fix dereferencing of null pointer
net: sonic: return NETDEV_TX_OK if failed to map buffer
net: hns3: fix error VF index when setting VLAN offload
rtlwifi: Fix file release memory leak
ARM: dts: logicpd-som-lv: Fix i2c2 and i2c3 Pin mux
f2fs: fix wrong error injection path in inc_valid_block_count()
f2fs: fix error path of f2fs_convert_inline_page()
scsi: fnic: fix msix interrupt allocation
Btrfs: fix hang when loading existing inode cache off disk
Btrfs: fix inode cache waiters hanging on failure to start caching thread
Btrfs: fix inode cache waiters hanging on path allocation failure
btrfs: use correct count in btrfs_file_write_iter()
ixgbe: sync the first fragment unconditionally
hwmon: (shtc1) fix shtc1 and shtw1 id mask
net: sonic: replace dev_kfree_skb in sonic_send_packet
pinctrl: iproc-gpio: Fix incorrect pinconf configurations
gpio/aspeed: Fix incorrect number of banks
ath10k: adjust skb length in ath10k_sdio_mbox_rx_packet
RDMA/cma: Fix false error message
net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names'
um: Fix off by one error in IRQ enumeration
bnxt_en: Increase timeout for HWRM_DBG_COREDUMP_XX commands
f2fs: fix to avoid accessing uninitialized field of inode page in is_alive()
mailbox: qcom-apcs: fix max_register value
clk: actions: Fix factor clk struct member access
powerpc/mm/mce: Keep irqs disabled during lockless page table walk
bpf: fix BTF limits
crypto: hisilicon - Matching the dma address for dma_pool_free()
iommu/amd: Wait for completion of IOTLB flush in attach_device
net: aquantia: Fix aq_vec_isr_legacy() return value
cxgb4: Signedness bug in init_one()
net: hisilicon: Fix signedness bug in hix5hd2_dev_probe()
net: broadcom/bcmsysport: Fix signedness in bcm_sysport_probe()
net: netsec: Fix signedness bug in netsec_probe()
net: socionext: Fix a signedness bug in ave_probe()
net: stmmac: dwmac-meson8b: Fix signedness bug in probe
net: axienet: fix a signedness bug in probe
of: mdio: Fix a signedness bug in of_phy_get_and_connect()
net: nixge: Fix a signedness bug in nixge_probe()
net: ethernet: stmmac: Fix signedness bug in ipq806x_gmac_of_parse()
net: sched: cbs: Avoid division by zero when calculating the port rate
nvme: retain split access workaround for capability reads
net: stmmac: gmac4+: Not all Unicast addresses may be available
rxrpc: Fix trace-after-put looking at the put connection record
mac80211: accept deauth frames in IBSS mode
llc: fix another potential sk_buff leak in llc_ui_sendmsg()
llc: fix sk_buff refcounting in llc_conn_state_process()
ip6erspan: remove the incorrect mtu limit for ip6erspan
net: stmmac: fix length of PTP clock's name string
net: stmmac: fix disabling flexible PPS output
sctp: add chunks to sk_backlog when the newsk sk_socket is not set
s390/qeth: Fix error handling during VNICC initialization
s390/qeth: Fix initialization of vnicc cmd masks during set online
act_mirred: Fix mirred_init_module error handling
net: avoid possible false sharing in sk_leave_memory_pressure()
net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head
tcp: annotate lockless access to tcp_memory_pressure
net/smc: receive returns without data
net/smc: receive pending data after RCV_SHUTDOWN
drm/msm/dsi: Implement reset correctly
vhost/test: stop device before reset
dmaengine: imx-sdma: fix size check for sdma script_number
firmware: dmi: Fix unlikely out-of-bounds read in save_mem_devices
arm64: hibernate: check pgd table allocation
net: netem: fix error path for corrupted GSO frames
net: netem: correct the parent's backlog when corrupted packet was dropped
xsk: Fix registration of Rx-only sockets
bpf, offload: Unlock on error in bpf_offload_dev_create()
afs: Fix missing timeout reset
net: qca_spi: Move reset_count to struct qcaspi
hv_netvsc: Fix offset usage in netvsc_send_table()
hv_netvsc: Fix send_table offset in case of a host bug
afs: Fix large file support
drm: panel-lvds: Potential Oops in probe error handling
hwrng: omap3-rom - Fix missing clock by probing with device tree
dpaa_eth: perform DMA unmapping before read
dpaa_eth: avoid timestamp read on error paths
MIPS: Loongson: Fix return value of loongson_hwmon_init
hv_netvsc: flag software created hash value
net: neigh: use long type to store jiffies delta
packet: fix data-race in fanout_flow_is_huge()
i2c: stm32f7: report dma error during probe
mmc: sdio: fix wl1251 vendor id
mmc: core: fix wl1251 sdio quirks
affs: fix a memory leak in affs_remount
afs: Remove set but not used variables 'before', 'after'
dmaengine: ti: edma: fix missed failure handling
drm/radeon: fix bad DMA from INTERRUPT_CNTL2
arm64: dts: juno: Fix UART frequency
samples/bpf: Fix broken xdp_rxq_info due to map order assumptions
usb: dwc3: Allow building USB_DWC3_QCOM without EXTCON
IB/iser: Fix dma_nents type definition
serial: stm32: fix clearing interrupt error flags
arm64: dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node
m68k: Call timer_interrupt() with interrupts disabled
Linux 4.19.99
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ieabeab79ea5c8cb4b6b1552702fa5d6100cea5db
[ Upstream commit e0aaa332e6a97dae57ad59cdb19e21f83c3d081c ]
The ifname is copied when the interface is created, but is never updated
later. In fact, this property is used only in one error message, where the
netdevice pointer is available, thus let's use it.
Fixes: f203b76d78 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3zQ1wACgkQONu9yGCS
aT6ZDA/+JQyM+mgrU2t5mkq9lXCwL87Jiooy0kKT9b/2EWmW5Gdxp/On9PXfqtfs
uZ+v0A1g1H+582uwuqG1wB2jr3I2AhNnRNbvSypGtk1Kitx9HqVJD/wWRRVCULww
cr3uA/ZOX+deRjOVYP3dhFp7ycn6u5+GxgmFQTLmKAYN8uUqq4/dpWy01iB0nr2A
GcoLm9P96o8P/wIWaykqOvshDrocbFcBL4VuxLeZCbFsAMTiX+jJnyIL8W7gfBJl
M2626S/hESk5DvGcMN3zwOw/nTJlvySUtfqXSvPk0sT90UMx/YZ9QdpS9GkvRb9t
OA1G+iHguEU+Fq/DawUyxwk/kt3nA6cg0q7RSxHo7QP6SGo7OaHHS1myzGDhL8oc
LDKXO2iSSzvXJDlqrU45N+1YhpeiIHCxmDctbUIM9dP4u6wWmQIyYXLrcpupTsm9
StiDBguXFHWSBFhG0+MlTUU5cypVNoN+56wBAUTR6+qoDASTzGvjNbrBsQihODV0
RMFJF17Zvn+UoEohe860EMswUBsJ+F+VSZO5yGuZgsaC/2Ih6M1dxsiNU7RF02gX
fRis6huj1+642ZsEbd2tueYGUaDN1HpMsVkN3AAkD3pJF5lX7AJRwhvRyC8N1jhc
G90KMSk2pR/ItjmUpkKaAhAKhN+oKSzuCPpHj2iGotfWdd4slXQ=
=Ekyt
-----END PGP SIGNATURE-----
Merge 4.19.89 into android-4.19
Changes in 4.19.89
rsi: release skb if rsi_prepare_beacon fails
arm64: tegra: Fix 'active-low' warning for Jetson TX1 regulator
sparc64: implement ioremap_uc
lp: fix sparc64 LPSETTIMEOUT ioctl
usb: gadget: u_serial: add missing port entry locking
tty: serial: fsl_lpuart: use the sg count from dma_map_sg
tty: serial: msm_serial: Fix flow control
serial: pl011: Fix DMA ->flush_buffer()
serial: serial_core: Perform NULL checks for break_ctl ops
serial: ifx6x60: add missed pm_runtime_disable
autofs: fix a leak in autofs_expire_indirect()
RDMA/hns: Correct the value of HNS_ROCE_HEM_CHUNK_LEN
iwlwifi: pcie: don't consider IV len in A-MSDU
exportfs_decode_fh(): negative pinned may become positive without the parent locked
audit_get_nd(): don't unlock parent too early
NFC: nxp-nci: Fix NULL pointer dereference after I2C communication error
xfrm: release device reference for invalid state
Input: cyttsp4_core - fix use after free bug
sched/core: Avoid spurious lock dependencies
perf/core: Consistently fail fork on allocation failures
ALSA: pcm: Fix stream lock usage in snd_pcm_period_elapsed()
drm/sun4i: tcon: Set min division of TCON0_DCLK to 1.
selftests: kvm: fix build with glibc >= 2.30
rsxx: add missed destroy_workqueue calls in remove
net: ep93xx_eth: fix mismatch of request_mem_region in remove
i2c: core: fix use after free in of_i2c_notify
serial: core: Allow processing sysrq at port unlock time
cxgb4vf: fix memleak in mac_hlist initialization
iwlwifi: mvm: synchronize TID queue removal
iwlwifi: trans: Clear persistence bit when starting the FW
iwlwifi: mvm: Send non offchannel traffic via AP sta
ARM: 8813/1: Make aligned 2-byte getuser()/putuser() atomic on ARMv6+
audit: Embed key into chunk
netfilter: nf_tables: don't use position attribute on rule replacement
ARC: IOC: panic if kernel was started with previously enabled IOC
net/mlx5: Release resource on error flow
clk: sunxi-ng: a64: Fix gate bit of DSI DPHY
ice: Fix NVM mask defines
dlm: fix possible call to kfree() for non-initialized pointer
ARM: dts: exynos: Fix LDO13 min values on Odroid XU3/XU4/HC1
extcon: max8997: Fix lack of path setting in USB device mode
net: ethernet: ti: cpts: correct debug for expired txq skb
rtc: s3c-rtc: Avoid using broken ALMYEAR register
rtc: max77686: Fix the returned value in case of error in 'max77686_rtc_read_time()'
i40e: don't restart nway if autoneg not supported
virtchnl: Fix off by one error
clk: rockchip: fix rk3188 sclk_smc gate data
clk: rockchip: fix rk3188 sclk_mac_lbtest parameter ordering
ARM: dts: rockchip: Fix rk3288-rock2 vcc_flash name
dlm: fix missing idr_destroy for recover_idr
MIPS: SiByte: Enable ZONE_DMA32 for LittleSur
net: dsa: mv88e6xxx: Work around mv886e6161 SERDES missing MII_PHYSID2
scsi: zfcp: update kernel message for invalid FCP_CMND length, it's not the CDB
scsi: zfcp: drop default switch case which might paper over missing case
drivers: soc: Allow building the amlogic drivers without ARCH_MESON
bus: ti-sysc: Fix getting optional clocks in clock_roles
ARM: dts: imx6: RDU2: fix eGalax touchscreen node
crypto: ecc - check for invalid values in the key verification test
crypto: bcm - fix normal/non key hash algorithm failure
arm64: dts: zynqmp: Fix node names which contain "_"
pinctrl: qcom: ssbi-gpio: fix gpio-hog related boot issues
Staging: iio: adt7316: Fix i2c data reading, set the data field
firmware: raspberrypi: Fix firmware calls with large buffers
mm/vmstat.c: fix NUMA statistics updates
clk: rockchip: fix I2S1 clock gate register for rk3328
clk: rockchip: fix ID of 8ch clock of I2S1 for rk3328
sctp: count sk_wmem_alloc by skb truesize in sctp_packet_transmit
regulator: Fix return value of _set_load() stub
USB: serial: f81534: fix reading old/new IC config
xfs: extent shifting doesn't fully invalidate page cache
net-next/hinic:fix a bug in set mac address
net-next/hinic: fix a bug in rx data flow
ice: Fix return value from NAPI poll
ice: Fix possible NULL pointer de-reference
iomap: FUA is wrong for DIO O_DSYNC writes into unwritten extents
iomap: sub-block dio needs to zeroout beyond EOF
iomap: dio data corruption and spurious errors when pipes fill
iomap: readpages doesn't zero page tail beyond EOF
iw_cxgb4: only reconnect with MPAv1 if the peer aborts
MIPS: OCTEON: octeon-platform: fix typing
net/smc: use after free fix in smc_wr_tx_put_slot()
math-emu/soft-fp.h: (_FP_ROUND_ZERO) cast 0 to void to fix warning
nds32: Fix the items of hwcap_str ordering issue.
rtc: max8997: Fix the returned value in case of error in 'max8997_rtc_read_alarm()'
rtc: dt-binding: abx80x: fix resistance scale
ARM: dts: exynos: Use Samsung SoC specific compatible for DWC2 module
media: coda: fix memory corruption in case more than 32 instances are opened
media: pulse8-cec: return 0 when invalidating the logical address
media: cec: report Vendor ID after initialization
iwlwifi: fix cfg structs for 22000 with different RF modules
ravb: Clean up duplex handling
net/ipv6: re-do dad when interface has IFF_NOARP flag change
dmaengine: coh901318: Fix a double-lock bug
dmaengine: coh901318: Remove unused variable
dmaengine: dw-dmac: implement dma protection control setting
net: qualcomm: rmnet: move null check on dev before dereferecing it
selftests/powerpc: Allocate base registers
selftests/powerpc: Skip test instead of failing
usb: dwc3: debugfs: Properly print/set link state for HS
usb: dwc3: don't log probe deferrals; but do log other error codes
ACPI: fix acpi_find_child_device() invocation in acpi_preset_companion()
f2fs: fix to account preflush command for noflush_merge mode
f2fs: fix count of seg_freed to make sec_freed correct
f2fs: change segment to section in f2fs_ioc_gc_range
ARM: dts: rockchip: Fix the PMU interrupt number for rv1108
ARM: dts: rockchip: Assign the proper GPIO clocks for rv1108
f2fs: fix to allow node segment for GC by ioctl path
sparc: Fix JIT fused branch convergance.
sparc: Correct ctx->saw_frame_pointer logic.
nvme: Free ctrl device name on init failure
dma-mapping: fix return type of dma_set_max_seg_size()
slimbus: ngd: Fix build error on x86
altera-stapl: check for a null key before strcasecmp'ing it
serial: imx: fix error handling in console_setup
i2c: imx: don't print error message on probe defer
clk: meson: Fix GXL HDMI PLL fractional bits width
gpu: host1x: Fix syncpoint ID field size on Tegra186
lockd: fix decoding of TEST results
sctp: increase sk_wmem_alloc when head->truesize is increased
iommu/amd: Fix line-break in error log reporting
ASoC: rsnd: tidyup registering method for rsnd_kctrl_new()
ARM: dts: sun4i: Fix gpio-keys warning
ARM: dts: sun4i: Fix HDMI output DTC warning
ARM: dts: sun5i: a10s: Fix HDMI output DTC warning
ARM: dts: r8a779[01]: Disable unconnected LVDS encoders
ARM: dts: sun7i: Fix HDMI output DTC warning
ARM: dts: sun8i: a23/a33: Fix OPP DTC warnings
ARM: dts: sun8i: v3s: Change pinctrl nodes to avoid warning
dlm: NULL check before kmem_cache_destroy is not needed
ARM: debug: enable UART1 for socfpga Cyclone5
can: xilinx: fix return type of ndo_start_xmit function
nfsd: fix a warning in __cld_pipe_upcall()
bpf: btf: implement btf_name_valid_identifier()
bpf: btf: check name validity for various types
tools: bpftool: fix a bitfield pretty print issue
ASoC: au8540: use 64-bit arithmetic instead of 32-bit
ARM: OMAP1/2: fix SoC name printing
arm64: dts: meson-gxl-libretech-cc: fix GPIO lines names
arm64: dts: meson-gxbb-nanopi-k2: fix GPIO lines names
arm64: dts: meson-gxbb-odroidc2: fix GPIO lines names
arm64: dts: meson-gxl-khadas-vim: fix GPIO lines names
net/x25: fix called/calling length calculation in x25_parse_address_block
net/x25: fix null_x25_address handling
tools/bpf: make libbpf _GNU_SOURCE friendly
clk: mediatek: Drop __init from mtk_clk_register_cpumuxes()
clk: mediatek: Drop more __init markings for driver probe
soc: renesas: r8a77970-sysc: Correct names of A2DP/A2CN power domains
soc: renesas: r8a77980-sysc: Correct names of A2DP[01] power domains
soc: renesas: r8a77980-sysc: Correct A3VIP[012] power domain hierarchy
kbuild: disable dtc simple_bus_reg warnings by default
tcp: make tcp_space() aware of socket backlog
ARM: dts: mmp2: fix the gpio interrupt cell number
ARM: dts: realview-pbx: Fix duplicate regulator nodes
tcp: fix off-by-one bug on aborting window-probing socket
tcp: fix SNMP under-estimation on failed retransmission
tcp: fix SNMP TCP timeout under-estimation
modpost: skip ELF local symbols during section mismatch check
kbuild: fix single target build for external module
mtd: fix mtd_oobavail() incoherent returned value
ARM: dts: pxa: clean up USB controller nodes
clk: meson: meson8b: fix the offset of vid_pll_dco's N value
clk: sunxi-ng: h3/h5: Fix CSI_MCLK parent
clk: qcom: Fix MSM8998 resets
media: cxd2880-spi: fix probe when dvb_attach fails
ARM: dts: realview: Fix some more duplicate regulator nodes
dlm: fix invalid cluster name warning
net/mlx4_core: Fix return codes of unsupported operations
pstore/ram: Avoid NULL deref in ftrace merging failure path
powerpc/math-emu: Update macros from GCC
clk: renesas: r8a77990: Correct parent clock of DU
clk: renesas: r8a77995: Correct parent clock of DU
MIPS: OCTEON: cvmx_pko_mem_debug8: use oldest forward compatible definition
nfsd: Return EPERM, not EACCES, in some SETATTR cases
media: uvcvideo: Abstract streaming object lifetime
tty: serial: qcom_geni_serial: Fix softlock
ARM: dts: sun8i: h3: Fix the system-control register range
tty: Don't block on IO when ldisc change is pending
media: stkwebcam: Bugfix for wrong return values
firmware: qcom: scm: fix compilation error when disabled
clk: qcom: gcc-msm8998: Disable halt check of UFS clocks
sctp: frag_point sanity check
soc: renesas: r8a77990-sysc: Fix initialization order of 3DG-{A,B}
mlxsw: spectrum_router: Relax GRE decap matching check
IB/hfi1: Ignore LNI errors before DC8051 transitions to Polling state
IB/hfi1: Close VNIC sdma_progress sleep window
mlx4: Use snprintf instead of complicated strcpy
usb: mtu3: fix dbginfo in qmu_tx_zlp_error_handler
clk: renesas: rcar-gen3: Set state when registering SD clocks
ASoC: max9867: Fix power management
ARM: dts: sunxi: Fix PMU compatible strings
ARM: dts: am335x-pdu001: Fix polarity of card detection input
media: vimc: fix start stream when link is disabled
net: aquantia: fix RSS table and key sizes
sched/fair: Scale bandwidth quota and period without losing quota/period ratio precision
fuse: verify nlink
fuse: verify attributes
ALSA: hda/realtek - Enable internal speaker of ASUS UX431FLC
ALSA: hda/realtek - Enable the headset-mic on a Xiaomi's laptop
ALSA: hda/realtek - Dell headphone has noise on unmute for ALC236
ALSA: pcm: oss: Avoid potential buffer overflows
ALSA: hda - Add mute led support for HP ProBook 645 G4
Input: synaptics - switch another X1 Carbon 6 to RMI/SMbus
Input: synaptics-rmi4 - re-enable IRQs in f34v7_do_reflash
Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers
Input: goodix - add upside-down quirk for Teclast X89 tablet
coresight: etm4x: Fix input validation for sysfs.
Input: Fix memory leak in psxpad_spi_probe
x86/mm/32: Sync only to VMALLOC_END in vmalloc_sync_all()
x86/PCI: Avoid AMD FCH XHCI USB PME# from D0 defect
xfrm interface: fix memory leak on creation
xfrm interface: avoid corruption on changelink
xfrm interface: fix list corruption for x-netns
xfrm interface: fix management of phydev
CIFS: Fix NULL-pointer dereference in smb2_push_mandatory_locks
CIFS: Fix SMB2 oplock break processing
tty: vt: keyboard: reject invalid keycodes
can: slcan: Fix use-after-free Read in slcan_open
kernfs: fix ino wrap-around detection
jbd2: Fix possible overflow in jbd2_log_space_left()
drm/msm: fix memleak on release
drm/i810: Prevent underflow in ioctl
arm64: dts: exynos: Revert "Remove unneeded address space mapping for soc node"
KVM: arm/arm64: vgic: Don't rely on the wrong pending table
KVM: x86: do not modify masked bits of shared MSRs
KVM: x86: fix presentation of TSX feature in ARCH_CAPABILITIES
KVM: x86: Grab KVM's srcu lock when setting nested state
crypto: crypto4xx - fix double-free in crypto4xx_destroy_sdr
crypto: atmel-aes - Fix IV handling when req->nbytes < ivsize
crypto: af_alg - cast ki_complete ternary op to int
crypto: ccp - fix uninitialized list head
crypto: ecdh - fix big endian bug in ECC library
crypto: user - fix memory leak in crypto_report
spi: atmel: Fix CS high support
mwifiex: update set_mac_address logic
can: ucan: fix non-atomic allocation in completion handler
RDMA/qib: Validate ->show()/store() callbacks before calling them
iomap: Fix pipe page leakage during splicing
thermal: Fix deadlock in thermal thermal_zone_device_check
vcs: prevent write access to vcsu devices
binder: Fix race between mmap() and binder_alloc_print_pages()
binder: Handle start==NULL in binder_update_page_range()
ALSA: hda - Fix pending unsol events at shutdown
md/raid0: Fix an error message in raid0_make_request()
watchdog: aspeed: Fix clock behaviour for ast2600
perf script: Fix invalid LBR/binary mismatch error
splice: don't read more than available pipe space
iomap: partially revert 4721a601099 (simulated directio short read on EFAULT)
xfs: add missing error check in xfs_prepare_shift()
ASoC: rsnd: fixup MIX kctrl registration
KVM: x86: fix out-of-bounds write in KVM_GET_EMULATED_CPUID (CVE-2019-19332)
net: qrtr: fix memort leak in qrtr_tun_write_iter
appletalk: Fix potential NULL pointer dereference in unregister_snap_client
appletalk: Set error code if register_snap_client failed
Linux 4.19.89
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie3fa59adde9a7e9a6d4684de0e95de14a8b83d0b
commit 22d6552f827ef76ade3edf6bbb3f05048a0a7d8b upstream.
With the current implementation, phydev cannot be removed:
$ ip link add dummy type dummy
$ ip link add xfrm1 type xfrm dev dummy if_id 1
$ ip l d dummy
kernel:[77938.465445] unregister_netdevice: waiting for dummy to become free. Usage count = 1
Manage it like in ip tunnels, ie just keep the ifindex. Not that the side
effect, is that the phydev is now optional.
Fixes: f203b76d78 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Tested-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c5d1030f23002430c2a336b2b629b9d6f72b3564 upstream.
dev_net(dev) is the netns of the device and xi->net is the link netns,
where the device has been linked.
changelink() must operate in the link netns to avoid a corruption of
the xfrm lists.
Note that xi->net and dev_net(xi->physdev) are always the same.
Before the patch, the xfrmi lists may be corrupted and can later trigger a
kernel panic.
Fixes: f203b76d78 ("xfrm: Add virtual xfrm interfaces")
Reported-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Tested-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e9e7e85d75f3731079ffd77c1a66f037aef04fe7 upstream.
The new parameters must not be stored in the netdev_priv() before
validation, it may corrupt the interface. Note also that if data is NULL,
only a memset() is done.
$ ip link add xfrm1 type xfrm dev lo if_id 1
$ ip link add xfrm2 type xfrm dev lo if_id 2
$ ip link set xfrm1 type xfrm dev lo if_id 2
RTNETLINK answers: File exists
$ ip -d link list dev xfrm1
5: xfrm1@lo: <NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/none 00:00:00:00:00:00 brd 00:00:00:00:00:00 promiscuity 0 minmtu 68 maxmtu 1500
xfrm if_id 0x2 addrgenmode eui64 numtxqueues 1 numrxqueues 1 gso_max_size 65536 gso_max_segs 65535
=> "if_id 0x2"
Fixes: f203b76d78 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Tested-by: Julien Floret <julien.floret@6wind.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 4944a4b1077f74d89073624bd286219d2fcbfce3 ]
An ESP packet could be decrypted in async mode if the input handler for
this packet returns -EINPROGRESS in xfrm_input(). At this moment the device
reference in skb is held. Later xfrm_input() will be invoked again to
resume the processing.
If the transform state is still valid it would continue to release the
device reference and there won't be a problem; however if the transform
state is not valid when async resumption happens, the packet will be
dropped while the device reference is still being held.
When the device is deleted for some reason and the reference to this
device is not properly released, the kernel will keep logging like:
unregister_netdevice: waiting for ppp2 to become free. Usage count = 1
The issue is observed when running IPsec traffic over a PPPoE device based
on a bridge interface. By terminating the PPPoE connection on the server
end for multiple times, the PPPoE device on the client side will eventually
get stuck on the above warning message.
This patch will check the async mode first and continue to release device
reference in async resumption, before it is dropped due to invalid state.
v2: Do not assign address family from outer_mode in the transform if the
state is invalid
v3: Release device reference in the error path instead of jumping to resume
Fixes: 4ce3dbe397 ("xfrm: Fix xfrm_input() to verify state is valid when (encap_type < 0)")
Signed-off-by: Xiaodong Xu <stid.smth@gmail.com>
Reported-by: Bo Chen <chenborfc@163.com>
Tested-by: Bo Chen <chenborfc@163.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3owgEACgkQONu9yGCS
aT43zw//SS1As83XXuHr4mdWIVDjXo6RMJ6Ib7YbRi/uhBmQuUuGVFcqGxUIA9Kl
eSXu5Kt8TNmInzHq9AMYgegrELAEwPD2XfptALGDwiUHonQuiFaqOQn/bltJOm1L
PsG15A7+/gFhuhPJDp2ZfNBmZGdpXdIwD27oUDqF1XD64dMa/HPbFUVgxWn3HHkd
sm0J6Ez0eNA+BmLnHXYDiSaEYIiwvy1nN6XpyIfOyb2Tz6kPoe0vVWU00Cmy8KAU
EIWB+TBRunspgMsShL5Cl1MSFOxf9QOmgnZxcrODAQfb1TbLMACB1FGMjK4nLm+3
wPlSnC7L49ARl/pvmN5NOUrjHi8S8qq/Od9QW+UIckRI6KzOU832h99v4gFuHjSC
KFiLi5K9+uTIMgNOETmINBiKKUcUzYXYVajvm4tuAUq3HO8wy6jeALtt34OiJZQZ
DV8wyBdL9NDUFqBymFaMFA4Us/fGIREzvPgI0E0jth2ANuLFLtScrnStuWv8buwJ
JT3V9xCxHZtZ3Ctevx/Jp6OaQtnbSnWjMjrO0UDzZ6N7+g5UKmh9/R3xL6sBpFVU
Vu49J+qWU3VmbY3EIulel+yARNe7xS4ExK185JmNzpYFyOpXum14FHhhtQ6xNSeu
dRqyITI0KYP7jWtBDKCgVAWF5jC9gHP1ksrHSZMhyGrv1dC1XZM=
=KnJW
-----END PGP SIGNATURE-----
Merge 4.19.88 into android-4.19
Changes in 4.19.88
clk: meson: gxbb: let sar_adc_clk_div set the parent clock rate
clocksource/drivers/mediatek: Fix error handling
ASoC: msm8916-wcd-analog: Fix RX1 selection in RDAC2 MUX
ASoC: compress: fix unsigned integer overflow check
reset: Fix memory leak in reset_control_array_put()
clk: samsung: exynos5433: Fix error paths
ASoC: kirkwood: fix external clock probe defer
ASoC: kirkwood: fix device remove ordering
clk: samsung: exynos5420: Preserve PLL configuration during suspend/resume
pinctrl: cherryview: Allocate IRQ chip dynamic
ARM: dts: imx6qdl-sabreauto: Fix storm of accelerometer interrupts
reset: fix reset_control_ops kerneldoc comment
clk: at91: avoid sleeping early
clk: sunxi: Fix operator precedence in sunxi_divs_clk_setup
clk: sunxi-ng: a80: fix the zero'ing of bits 16 and 18
ARM: dts: sun8i-a83t-tbs-a711: Fix WiFi resume from suspend
samples/bpf: fix build by setting HAVE_ATTR_TEST to zero
powerpc/bpf: Fix tail call implementation
idr: Fix integer overflow in idr_for_each_entry
idr: Fix idr_alloc_u32 on 32-bit systems
x86/resctrl: Prevent NULL pointer dereference when reading mondata
clk: ti: dra7-atl-clock: Remove ti_clk_add_alias call
clk: ti: clkctrl: Fix failed to enable error with double udelay timeout
net: fec: add missed clk_disable_unprepare in remove
bridge: ebtables: don't crash when using dnat target in output chains
can: peak_usb: report bus recovery as well
can: c_can: D_CAN: c_can_chip_config(): perform a sofware reset on open
can: rx-offload: can_rx_offload_queue_tail(): fix error handling, avoid skb mem leak
can: rx-offload: can_rx_offload_offload_one(): do not increase the skb_queue beyond skb_queue_len_max
can: rx-offload: can_rx_offload_offload_one(): increment rx_fifo_errors on queue overflow or OOM
can: rx-offload: can_rx_offload_offload_one(): use ERR_PTR() to propagate error value in case of errors
can: rx-offload: can_rx_offload_irq_offload_timestamp(): continue on error
can: rx-offload: can_rx_offload_irq_offload_fifo(): continue on error
can: flexcan: increase error counters if skb enqueueing via can_rx_offload_queue_sorted() fails
can: mcp251x: mcp251x_restart_work_handler(): Fix potential force_quit race condition
watchdog: meson: Fix the wrong value of left time
ASoC: stm32: sai: add restriction on mmap support
scripts/gdb: fix debugging modules compiled with hot/cold partitioning
net: bcmgenet: use RGMII loopback for MAC reset
net: bcmgenet: reapply manual settings to the PHY
net: mscc: ocelot: fix __ocelot_rmw_ix prototype
ceph: return -EINVAL if given fsc mount option on kernel w/o support
net/fq_impl: Switch to kvmalloc() for memory allocation
mac80211: fix station inactive_time shortly after boot
block: drbd: remove a stray unlock in __drbd_send_protocol()
pwm: bcm-iproc: Prevent unloading the driver module while in use
scsi: target/tcmu: Fix queue_cmd_ring() declaration
scsi: lpfc: Fix kernel Oops due to null pring pointers
scsi: lpfc: Fix dif and first burst use in write commands
ARM: dts: Fix up SQ201 flash access
tracing: Lock event_mutex before synth_event_mutex
ARM: debug-imx: only define DEBUG_IMX_UART_PORT if needed
ARM: dts: imx51: Fix memory node duplication
ARM: dts: imx53: Fix memory node duplication
ARM: dts: imx31: Fix memory node duplication
ARM: dts: imx35: Fix memory node duplication
ARM: dts: imx7: Fix memory node duplication
ARM: dts: imx6ul: Fix memory node duplication
ARM: dts: imx6sx: Fix memory node duplication
ARM: dts: imx6sl: Fix memory node duplication
ARM: dts: imx50: Fix memory node duplication
ARM: dts: imx23: Fix memory node duplication
ARM: dts: imx1: Fix memory node duplication
ARM: dts: imx27: Fix memory node duplication
ARM: dts: imx25: Fix memory node duplication
ARM: dts: imx53-voipac-dmm-668: Fix memory node duplication
parisc: Fix serio address output
parisc: Fix HP SDC hpa address output
ARM: dts: Fix hsi gdd range for omap4
arm64: mm: Prevent mismatched 52-bit VA support
arm64: smp: Handle errors reported by the firmware
bus: ti-sysc: Check for no-reset and no-idle flags at the child level
platform/x86: mlx-platform: Fix LED configuration
ARM: OMAP1: fix USB configuration for device-only setups
RDMA/hns: Fix the bug while use multi-hop of pbl
arm64: preempt: Fix big-endian when checking preempt count in assembly
RDMA/vmw_pvrdma: Use atomic memory allocation in create AH
PM / AVS: SmartReflex: NULL check before some freeing functions is not needed
xfs: zero length symlinks are not valid
ARM: ks8695: fix section mismatch warning
ACPI / LPSS: Ignore acpi_device_fix_up_power() return value
scsi: lpfc: Enable Management features for IF_TYPE=6
scsi: qla2xxx: Fix NPIV handling for FC-NVMe
scsi: qla2xxx: Fix for FC-NVMe discovery for NPIV port
nvme: provide fallback for discard alloc failure
s390/zcrypt: make sysfs reset attribute trigger queue reset
crypto: user - support incremental algorithm dumps
arm64: dts: renesas: draak: Fix CVBS input
mwifiex: fix potential NULL dereference and use after free
mwifiex: debugfs: correct histogram spacing, formatting
brcmfmac: set F2 watermark to 256 for 4373
brcmfmac: set SDIO F1 MesBusyCtrl for CYW4373
rtl818x: fix potential use after free
bcache: do not check if debug dentry is ERR or NULL explicitly on remove
bcache: do not mark writeback_running too early
xfs: require both realtime inodes to mount
nvme: fix kernel paging oops
ubifs: Fix default compression selection in ubifs
ubi: Put MTD device after it is not used
ubi: Do not drop UBI device reference before using
microblaze: adjust the help to the real behavior
microblaze: move "... is ready" messages to arch/microblaze/Makefile
microblaze: fix multiple bugs in arch/microblaze/boot/Makefile
iwlwifi: move iwl_nvm_check_version() into dvm
iwlwifi: mvm: force TCM re-evaluation on TCM resume
iwlwifi: pcie: fix erroneous print
iwlwifi: pcie: set cmd_len in the correct place
gpio: pca953x: Fix AI overflow on PCAL6524
gpiolib: Fix return value of gpio_to_desc() stub if !GPIOLIB
kvm: vmx: Set IA32_TSC_AUX for legacy mode guests
Revert "KVM: nVMX: reset cache/shadows when switching loaded VMCS"
Revert "KVM: nVMX: move check_vmentry_postreqs() call to nested_vmx_enter_non_root_mode()"
crypto/chelsio/chtls: listen fails with multiadapt
VSOCK: bind to random port for VMADDR_PORT_ANY
mmc: meson-gx: make sure the descriptor is stopped on errors
mtd: rawnand: sunxi: Write pageprog related opcodes to WCMD_SET
usb: ehci-omap: Fix deferred probe for phy handling
btrfs: Check for missing device before bio submission in btrfs_map_bio
btrfs: fix ncopies raid_attr for RAID56
btrfs: dev-replace: set result code of cancel by status of scrub
Btrfs: allow clear_extent_dirty() to receive a cached extent state record
btrfs: only track ref_heads in delayed_ref_updates
serial: sh-sci: Fix crash in rx_timer_fn() on PIO fallback
HID: intel-ish-hid: fixes incorrect error handling
gpio: raspberrypi-exp: decrease refcount on firmware dt node
serial: 8250: Rate limit serial port rx interrupts during input overruns
kprobes/x86/xen: blacklist non-attachable xen interrupt functions
xen/pciback: Check dev_data before using it
kprobes: Blacklist symbols in arch-defined prohibited area
kprobes/x86: Show x86-64 specific blacklisted symbols correctly
vfio-mdev/samples: Use u8 instead of char for handle functions
memory: omap-gpmc: Get the header of the enum
pinctrl: xway: fix gpio-hog related boot issues
net/mlx5: Continue driver initialization despite debugfs failure
netfilter: nf_nat_sip: fix RTP/RTCP source port translations
exofs_mount(): fix leaks on failure exits
bnxt_en: Return linux standard errors in bnxt_ethtool.c
bnxt_en: Save ring statistics before reset.
bnxt_en: query force speeds before disabling autoneg mode.
KVM: s390: unregister debug feature on failing arch init
pinctrl: sh-pfc: r8a77990: Fix MOD_SEL0 SEL_I2C1 field width
pinctrl: sh-pfc: sh7264: Fix PFCR3 and PFCR0 register configuration
pinctrl: sh-pfc: sh7734: Fix shifted values in IPSR10
HID: doc: fix wrong data structure reference for UHID_OUTPUT
dm flakey: Properly corrupt multi-page bios.
gfs2: take jdata unstuff into account in do_grow
dm raid: fix false -EBUSY when handling check/repair message
xfs: Align compat attrlist_by_handle with native implementation.
xfs: Fix bulkstat compat ioctls on x32 userspace.
IB/qib: Fix an error code in qib_sdma_verbs_send()
clocksource/drivers/fttmr010: Fix invalid interrupt register access
vxlan: Fix error path in __vxlan_dev_create()
powerpc/book3s/32: fix number of bats in p/v_block_mapped()
powerpc/xmon: fix dump_segments()
drivers/regulator: fix a missing check of return value
Bluetooth: hci_bcm: Handle specific unknown packets after firmware loading
serial: max310x: Fix tx_empty() callback
openrisc: Fix broken paths to arch/or32
RDMA/srp: Propagate ib_post_send() failures to the SCSI mid-layer
scsi: qla2xxx: deadlock by configfs_depend_item
scsi: csiostor: fix incorrect dma device in case of vport
brcmfmac: Fix access point mode
ath6kl: Only use match sets when firmware supports it
ath6kl: Fix off by one error in scan completion
powerpc/perf: Fix unit_sel/cache_sel checks
powerpc/32: Avoid unsupported flags with clang
powerpc/prom: fix early DEBUG messages
powerpc/mm: Make NULL pointer deferences explicit on bad page faults.
powerpc/44x/bamboo: Fix PCI range
vfio/spapr_tce: Get rid of possible infinite loop
powerpc/powernv/eeh/npu: Fix uninitialized variables in opal_pci_eeh_freeze_status
drbd: ignore "all zero" peer volume sizes in handshake
drbd: reject attach of unsuitable uuids even if connected
drbd: do not block when adjusting "disk-options" while IO is frozen
drbd: fix print_st_err()'s prototype to match the definition
IB/rxe: Make counters thread safe
bpf/cpumap: make sure frame_size for build_skb is aligned if headroom isn't
regulator: tps65910: fix a missing check of return value
powerpc/83xx: handle machine check caused by watchdog timer
powerpc/pseries: Fix node leak in update_lmb_associativity_index()
powerpc: Fix HMIs on big-endian with CONFIG_RELOCATABLE=y
crypto: mxc-scc - fix build warnings on ARM64
pwm: clps711x: Fix period calculation
net/netlink_compat: Fix a missing check of nla_parse_nested
net/net_namespace: Check the return value of register_pernet_subsys()
f2fs: fix block address for __check_sit_bitmap
f2fs: fix to dirty inode synchronously
um: Include sys/uio.h to have writev()
um: Make GCOV depend on !KCOV
net: (cpts) fix a missing check of clk_prepare
net: stmicro: fix a missing check of clk_prepare
net: dsa: bcm_sf2: Propagate error value from mdio_write
atl1e: checking the status of atl1e_write_phy_reg
tipc: fix a missing check of genlmsg_put
net: marvell: fix a missing check of acpi_match_device
net/wan/fsl_ucc_hdlc: Avoid double free in ucc_hdlc_probe()
ocfs2: clear journal dirty flag after shutdown journal
vmscan: return NODE_RECLAIM_NOSCAN in node_reclaim() when CONFIG_NUMA is n
mm/page_alloc.c: free order-0 pages through PCP in page_frag_free()
mm/page_alloc.c: use a single function to free page
mm/page_alloc.c: deduplicate __memblock_free_early() and memblock_free()
tools/vm/page-types.c: fix "kpagecount returned fewer pages than expected" failures
netfilter: nf_tables: fix a missing check of nla_put_failure
xprtrdma: Prevent leak of rpcrdma_rep objects
infiniband: bnxt_re: qplib: Check the return value of send_message
infiniband/qedr: Potential null ptr dereference of qp
firmware: arm_sdei: fix wrong of_node_put() in init function
firmware: arm_sdei: Fix DT platform device creation
lib/genalloc.c: fix allocation of aligned buffer from non-aligned chunk
lib/genalloc.c: use vzalloc_node() to allocate the bitmap
fork: fix some -Wmissing-prototypes warnings
drivers/base/platform.c: kmemleak ignore a known leak
lib/genalloc.c: include vmalloc.h
mtd: Check add_mtd_device() ret code
tipc: fix memory leak in tipc_nl_compat_publ_dump
net/core/neighbour: tell kmemleak about hash tables
ata: ahci: mvebu: do Armada 38x configuration only on relevant SoCs
PCI/MSI: Return -ENOSPC from pci_alloc_irq_vectors_affinity()
net/core/neighbour: fix kmemleak minimal reference count for hash tables
serial: 8250: Fix serial8250 initialization crash
gpu: ipu-v3: pre: don't trigger update if buffer address doesn't change
sfc: suppress duplicate nvmem partition types in efx_ef10_mtd_probe
ip_tunnel: Make none-tunnel-dst tunnel port work with lwtunnel
decnet: fix DN_IFREQ_SIZE
net/smc: prevent races between smc_lgr_terminate() and smc_conn_free()
net/smc: don't wait for send buffer space when data was already sent
mm/hotplug: invalid PFNs from pfn_to_online_page()
xfs: end sync buffer I/O properly on shutdown error
net/smc: fix sender_free computation
blktrace: Show requests without sector
net/smc: fix byte_order for rx_curs_confirmed
tipc: fix skb may be leaky in tipc_link_input
ASoC: samsung: i2s: Fix prescaler setting for the secondary DAI
sfc: initialise found bitmap in efx_ef10_mtd_probe
geneve: change NET_UDP_TUNNEL dependency to select
net: fix possible overflow in __sk_mem_raise_allocated()
net: ip_gre: do not report erspan_ver for gre or gretap
net: ip6_gre: do not report erspan_ver for ip6gre or ip6gretap
sctp: don't compare hb_timer expire date before starting it
bpf: decrease usercnt if bpf_map_new_fd() fails in bpf_map_get_fd_by_id()
mmc: core: align max segment size with logical block size
net: dev: Use unsigned integer as an argument to left-shift
kvm: properly check debugfs dentry before using it
bpf: drop refcount if bpf_map_new_fd() fails in map_create()
net: hns3: Change fw error code NOT_EXEC to NOT_SUPPORTED
net: hns3: fix PFC not setting problem for DCB module
net: hns3: fix an issue for hclgevf_ae_get_hdev
net: hns3: fix an issue for hns3_update_new_int_gl
iommu/amd: Fix NULL dereference bug in match_hid_uid
apparmor: delete the dentry in aafs_remove() to avoid a leak
scsi: libsas: Support SATA PHY connection rate unmatch fixing during discovery
ACPI / APEI: Don't wait to serialise with oops messages when panic()ing
ACPI / APEI: Switch estatus pool to use vmalloc memory
scsi: hisi_sas: shutdown axi bus to avoid exception CQ returned
scsi: libsas: Check SMP PHY control function result
RDMA/hns: Fix the bug with updating rq head pointer when flush cqe
RDMA/hns: Bugfix for the scene without receiver queue
RDMA/hns: Fix the state of rereg mr
RDMA/hns: Use GFP_ATOMIC in hns_roce_v2_modify_qp
ASoC: rt5645: Headphone Jack sense inverts on the LattePanda board
powerpc/pseries/dlpar: Fix a missing check in dlpar_parse_cc_property()
xdp: fix cpumap redirect SKB creation bug
mtd: Remove a debug trace in mtdpart.c
mm, gup: add missing refcount overflow checks on s390
clk: at91: fix update bit maps on CFG_MOR write
clk: at91: generated: set audio_pll_allowed in at91_clk_register_generated()
usb: dwc2: use a longer core rest timeout in dwc2_core_reset()
staging: rtl8192e: fix potential use after free
staging: rtl8723bs: Drop ACPI device ids
staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids
USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
mei: bus: prefix device names on bus with the bus name
mei: me: add comet point V device id
thunderbolt: Power cycle the router if NVM authentication fails
xfrm: Fix memleak on xfrm state destroy
media: v4l2-ctrl: fix flags for DO_WHITE_BALANCE
net: macb: fix error format in dev_err()
pwm: Clear chip_data in pwm_put()
media: atmel: atmel-isc: fix asd memory allocation
media: atmel: atmel-isc: fix INIT_WORK misplacement
macvlan: schedule bc_work even if error
net: psample: fix skb_over_panic
openvswitch: fix flow command message size
sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook
slip: Fix use-after-free Read in slip_open
openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
openvswitch: remove another BUG_ON()
selftests: bpf: test_sockmap: handle file creation failures gracefully
tipc: fix link name length check
sctp: cache netns in sctp_ep_common
net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
net: macb: add missed tasklet_kill
ext4: add more paranoia checking in ext4_expand_extra_isize handling
watchdog: sama5d4: fix WDD value to be always set to max
net: macb: Fix SUBNS increment and increase resolution
net: macb driver, check for SKBTX_HW_TSTAMP
mtd: rawnand: atmel: Fix spelling mistake in error message
mtd: rawnand: atmel: fix possible object reference leak
mtd: spi-nor: cast to u64 to avoid uint overflows
drm/atmel-hlcdc: revert shift by 8
mailbox: stm32_ipcc: add spinlock to fix channels concurrent access
tcp: exit if nothing to retransmit on RTO timeout
HID: core: check whether Usage Page item is after Usage ID items
crypto: stm32/hash - Fix hmac issue more than 256 bytes
media: stm32-dcmi: fix DMA corruption when stopping streaming
media: stm32-dcmi: fix check of pm_runtime_get_sync return value
hwrng: stm32 - fix unbalanced pm_runtime_enable
clk: stm32mp1: fix HSI divider flag
clk: stm32mp1: fix mcu divider table
clk: stm32mp1: add CLK_SET_RATE_NO_REPARENT to Kernel clocks
clk: stm32mp1: parent clocks update
mailbox: mailbox-test: fix null pointer if no mmio
pinctrl: stm32: fix memory leak issue
ASoC: stm32: i2s: fix dma configuration
ASoC: stm32: i2s: fix 16 bit format support
ASoC: stm32: i2s: fix IRQ clearing
ASoC: stm32: sai: add missing put_device()
dmaengine: stm32-dma: check whether length is aligned on FIFO threshold
platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
net: fec: fix clock count mis-match
Linux 4.19.88
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ifd3801a77cb551be72788031e7fcfc8a1d4fd197
commit 86c6739eda7d2a03f2db30cbee67a5fb81afa8ba upstream.
We leak the page that we use to create skb page fragments
when destroying the xfrm_state. Fix this by dropping a
page reference if a page was assigned to the xfrm_state.
Fixes: cac2661c53 ("esp4: Avoid skb_cow_data whenever possible")
Reported-by: JD <jdtxs00@gmail.com>
Reported-by: Paul Wouters <paul@nohats.ca>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl3aL2UACgkQONu9yGCS
aT73GA//VSRJjGzdohy0+NVK3Dk7tCb2GfXFyLfRasyCbpCVGudaN9IltPU20pmj
U67BRp3jJg6AFRFDxJn4uyAxqcYF6VFp77BiBLiF6lZEv3+0xxOqdyFL2IY9Cyew
5XGNWcjXAR/bZ0r/rRXw8GUBMmW/8oewW7Iay4YhriUWv/afucbMVK7cNgyj/qvP
jSbHh4mp15BGg1aIanM7YSlJgXX2MimXwEceyHPQJgKpSx1CApI2uRMSNZw/RXeP
hFox3Ord5o/K+dowtKW+eTXUMkbm+7Htsi0p+WvE69y6KjyBzh3CEXrQqJsLtd0Y
1myphKOX42z0/hbysUZQV8AvY5jrZu/SPoH8quXD/MNxPvNe0OjO3UiMruAdohQh
I3SjKZB+HprtsCGn4X6/PiHUxq8PCLwtMaa9IIRmtFOXeuxPPeQLdEoM8m2eCEiL
DnwkDXVVtQhKymmYgWUxcAsFpXl+s3k5ZRFmWEDDTuwlyZRWMPuRaWEOH8YuIHzz
QETCyodrOis90TFgG1XJDijzPpZtxZKuJ8HdGmO7J8BMDXi6r0aoTzBk8cPAAe3A
TUqRnHoMKLLYC+9vxA90aThXsibL6DuD06beJy3H1XCSj2vKvkM/iLaL8R95JjAW
XZaEv/SH9zoEynypd+b8tOHHdPSaZcTe3pd3SDmOPLpejOuSTJU=
=VtIx
-----END PGP SIGNATURE-----
Merge 4.19.86 into android-4.19
Changes in 4.19.86
spi: mediatek: use correct mata->xfer_len when in fifo transfer
i2c: mediatek: modify threshold passed to i2c_get_dma_safe_msg_buf()
tee: optee: add missing of_node_put after of_device_is_available
Revert "OPP: Protect dev_list with opp_table lock"
net: cdc_ncm: Signedness bug in cdc_ncm_set_dgram_size()
idr: Fix idr_get_next race with idr_remove
mm/memory_hotplug: don't access uninitialized memmaps in shrink_pgdat_span()
mm/memory_hotplug: fix updating the node span
arm64: uaccess: Ensure PAN is re-enabled after unhandled uaccess fault
fbdev: Ditch fb_edid_add_monspecs
bpf, x32: Fix bug for BPF_ALU64 | BPF_NEG
bpf, x32: Fix bug with ALU64 {LSH, RSH, ARSH} BPF_X shift by 0
bpf, x32: Fix bug with ALU64 {LSH, RSH, ARSH} BPF_K shift by 0
bpf, x32: Fix bug for BPF_JMP | {BPF_JSGT, BPF_JSLE, BPF_JSLT, BPF_JSGE}
net: ovs: fix return type of ndo_start_xmit function
net: xen-netback: fix return type of ndo_start_xmit function
ARM: dts: dra7: Enable workaround for errata i870 in PCIe host mode
ARM: dts: omap5: enable OTG role for DWC3 controller
net: hns3: Fix for netdev not up problem when setting mtu
net: hns3: Fix loss of coal configuration while doing reset
f2fs: return correct errno in f2fs_gc
ARM: dts: sun8i: h3-h5: ir register size should be the whole memory block
ARM: dts: sun8i: h3: bpi-m2-plus: Fix address for external RGMII Ethernet PHY
tcp: up initial rmem to 128KB and SYN rwin to around 64KB
SUNRPC: Fix priority queue fairness
ACPI / LPSS: Make acpi_lpss_find_device() also find PCI devices
ACPI / LPSS: Resume BYT/CHT I2C controllers from resume_noirq
f2fs: keep lazytime on remount
IB/hfi1: Error path MAD response size is incorrect
IB/hfi1: Ensure ucast_dlid access doesnt exceed bounds
mt76x2: fix tx power configuration for VHT mcs 9
mt76x2: disable WLAN core before probe
mt76: fix handling ps-poll frames
iommu/io-pgtable-arm: Fix race handling in split_blk_unmap()
iommu/arm-smmu-v3: Fix unexpected CMD_SYNC timeout
kvm: arm/arm64: Fix stage2_flush_memslot for 4 level page table
arm64/numa: Report correct memblock range for the dummy node
ath10k: fix vdev-start timeout on error
rtlwifi: btcoex: Use proper enumerated types for Wi-Fi only interface
ata: ahci_brcm: Allow using driver or DSL SoCs
PM / devfreq: Fix devfreq_add_device() when drivers are built as modules.
PM / devfreq: Fix handling of min/max_freq == 0
PM / devfreq: stopping the governor before device_unregister()
ath9k: fix reporting calculated new FFT upper max
selftests/tls: Fix recv(MSG_PEEK) & splice() test cases
usb: gadget: udc: fotg210-udc: Fix a sleep-in-atomic-context bug in fotg210_get_status()
usb: dwc3: gadget: Check ENBLSLPM before sending ep command
nl80211: Fix a GET_KEY reply attribute
irqchip/irq-mvebu-icu: Fix wrong private data retrieval
watchdog: core: fix null pointer dereference when releasing cdev
watchdog: renesas_wdt: stop when unregistering
watchdog: sama5d4: fix timeout-sec usage
watchdog: w83627hf_wdt: Support NCT6796D, NCT6797D, NCT6798D
KVM: PPC: Inform the userspace about TCE update failures
printk: Do not miss new messages when replaying the log
printk: CON_PRINTBUFFER console registration is a bit racy
dmaengine: ep93xx: Return proper enum in ep93xx_dma_chan_direction
dmaengine: timb_dma: Use proper enum in td_prep_slave_sg
ALSA: hda: Fix mismatch for register mask and value in ext controller.
ext4: fix build error when DX_DEBUG is defined
clk: keystone: Enable TISCI clocks if K3_ARCH
sunrpc: Fix connect metrics
x86/PCI: Apply VMD's AERSID fixup generically
mei: samples: fix a signedness bug in amt_host_if_call()
cxgb4: Use proper enum in cxgb4_dcb_handle_fw_update
cxgb4: Use proper enum in IEEE_FAUX_SYNC
powerpc/pseries: Fix DTL buffer registration
powerpc/pseries: Fix how we iterate over the DTL entries
powerpc/xive: Move a dereference below a NULL test
ARM: dts: at91: sama5d4_xplained: fix addressable nand flash size
ARM: dts: at91: at91sam9x5cm: fix addressable nand flash size
ARM: dts: at91: sama5d2_ptc_ek: fix bootloader env offsets
mtd: rawnand: sh_flctl: Use proper enum for flctl_dma_fifo0_transfer
PM / hibernate: Check the success of generating md5 digest before hibernation
tools: PCI: Fix compilation warnings
clocksource/drivers/sh_cmt: Fixup for 64-bit machines
clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines
ice: Fix forward to queue group logic
md: allow metadata updates while suspending an array - fix
ixgbe: Fix ixgbe TX hangs with XDP_TX beyond queue limit
i40e: Use proper enum in i40e_ndo_set_vf_link_state
ixgbe: Fix crash with VFs and flow director on interface flap
IB/mthca: Fix error return code in __mthca_init_one()
IB/rxe: avoid srq memory leak
RDMA/hns: Bugfix for reserved qp number
RDMA/hns: Submit bad wr when post send wr exception
RDMA/hns: Bugfix for CM test
RDMA/hns: Limit the size of extend sge of sq
IB/mlx4: Avoid implicit enumerated type conversion
rpmsg: glink: smem: Support rx peak for size less than 4 bytes
msm/gpu/a6xx: Force of_dma_configure to setup DMA for GMU
OPP: Return error on error from dev_pm_opp_get_opp_count()
ACPICA: Never run _REG on system_memory and system_IO
cpuidle: menu: Fix wakeup statistics updates for polling state
ASoC: qdsp6: q6asm-dai: checking NULL vs IS_ERR()
powerpc/time: Use clockevents_register_device(), fixing an issue with large decrementer
powerpc/64s/radix: Explicitly flush ERAT with local LPID invalidation
ata: ep93xx: Use proper enums for directions
qed: Avoid implicit enum conversion in qed_ooo_submit_tx_buffers
media: rc: ir-rc6-decoder: enable toggle bit for Kathrein RCU-676 remote
media: pxa_camera: Fix check for pdev->dev.of_node
media: rcar-vin: fix redeclaration of symbol
media: i2c: adv748x: Support probing a single output
ALSA: hda/sigmatel - Disable automute for Elo VuPoint
bnxt_en: return proper error when FW returns HWRM_ERR_CODE_RESOURCE_ACCESS_DENIED
KVM: PPC: Book3S PR: Exiting split hack mode needs to fixup both PC and LR
USB: serial: cypress_m8: fix interrupt-out transfer length
usb: dwc2: disable power_down on rockchip devices
mtd: physmap_of: Release resources on error
cpu/SMT: State SMT is disabled even with nosmt and without "=force"
brcmfmac: reduce timeout for action frame scan
brcmfmac: fix full timeout waiting for action frame on-channel tx
qtnfmac: request userspace to do OBSS scanning if FW can not
qtnfmac: pass sgi rate info flag to wireless core
qtnfmac: inform wireless core about supported extended capabilities
qtnfmac: drop error reports for out-of-bounds key indexes
clk: samsung: Use NOIRQ stage for Exynos5433 clocks suspend/resume
clk: samsung: exynos5420: Define CLK_SECKEY gate clock only or Exynos5420
clk: samsung: Use clk_hw API for calling clk framework from clk notifiers
i2c: brcmstb: Allow enabling the driver on DSL SoCs
printk: Correct wrong casting
NFSv4.x: fix lock recovery during delegation recall
dmaengine: ioat: fix prototype of ioat_enumerate_channels
media: ov5640: fix framerate update
media: cec-gpio: select correct Signal Free Time
gfs2: slow the deluge of io error messages
i2c: omap: use core to detect 'no zero length' quirk
i2c: qup: use core to detect 'no zero length' quirk
i2c: tegra: use core to detect 'no zero length' quirk
i2c: zx2967: use core to detect 'no zero length' quirk
Input: st1232 - set INPUT_PROP_DIRECT property
Input: silead - try firmware reload after unsuccessful resume
soc: fsl: bman_portals: defer probe after bman's probe
net: hns3: Fix for rx vlan id handle to support Rev 0x21 hardware
tc-testing: fix build of eBPF programs
remoteproc: Check for NULL firmwares in sysfs interface
remoteproc: qcom: q6v5: Fix a race condition on fatal crash
kexec: Allocate decrypted control pages for kdump if SME is enabled
x86/olpc: Fix build error with CONFIG_MFD_CS5535=m
dmaengine: rcar-dmac: set scatter/gather max segment size
crypto: mxs-dcp - Fix SHA null hashes and output length
crypto: mxs-dcp - Fix AES issues
xfrm: use correct size to initialise sp->ovec
ACPI / SBS: Fix rare oops when removing modules
iwlwifi: mvm: don't send keys when entering D3
xsk: proper AF_XDP socket teardown ordering
x86/fsgsbase/64: Fix ptrace() to read the FS/GS base accurately
mmc: renesas_sdhi_internal_dmac: Whitelist r8a774a1
mmc: tmio: Fix SCC error detection
mmc: renesas_sdhi_internal_dmac: set scatter/gather max segment size
atmel_lcdfb: support native-mode display-timings
fbdev: sbuslib: use checked version of put_user()
fbdev: sbuslib: integer overflow in sbusfb_ioctl_helper()
fbdev: fix broken menu dependencies
reset: Fix potential use-after-free in __of_reset_control_get()
bcache: account size of buckets used in uuid write to ca->meta_sectors_written
bcache: recal cached_dev_sectors on detach
platform/x86: mlx-platform: Properly use mlxplat_mlxcpld_msn201x_items
media: dw9714: Fix error handling in probe function
media: dw9807-vcm: Fix probe error handling
media: cx18: Don't check for address of video_dev
mtd: spi-nor: cadence-quadspi: Use proper enum for dma_[un]map_single
mtd: devices: m25p80: Make sure WRITE_EN is issued before each write
x86/intel_rdt: Introduce utility to obtain CDP peer
x86/intel_rdt: CBM overlap should also check for overlap with CDP peer
mmc: mmci: expand startbiterr to irqmask and error check
s390/kasan: avoid vdso instrumentation
s390/kasan: avoid instrumentation of early C code
s390/kasan: avoid user access code instrumentation
proc/vmcore: Fix i386 build error of missing copy_oldmem_page_encrypted()
backlight: lm3639: Unconditionally call led_classdev_unregister
mfd: ti_am335x_tscadc: Keep ADC interface on if child is wakeup capable
printk: Give error on attempt to set log buffer length to over 2G
media: isif: fix a NULL pointer dereference bug
GFS2: Flush the GFS2 delete workqueue before stopping the kernel threads
media: cx231xx: fix potential sign-extension overflow on large shift
media: venus: vdec: fix decoded data size
ALSA: hda/ca0132 - Fix input effect controls for desktop cards
lightnvm: pblk: fix rqd.error return value in pblk_blk_erase_sync
lightnvm: pblk: fix incorrect min_write_pgs
lightnvm: pblk: guarantee emeta on line close
lightnvm: pblk: fix write amplificiation calculation
lightnvm: pblk: guarantee mw_cunits on read buffer
lightnvm: do no update csecs and sos on 1.2
lightnvm: pblk: fix error handling of pblk_lines_init()
lightnvm: pblk: consider max hw sectors supported for max_write_pgs
x86/kexec: Correct KEXEC_BACKUP_SRC_END off-by-one error
bpf: btf: Fix a missing check bug
net: fix generic XDP to handle if eth header was mangled
gpio: syscon: Fix possible NULL ptr usage
spi: fsl-lpspi: Prevent FIFO under/overrun by default
pinctrl: gemini: Mask and set properly
spi: spidev: Fix OF tree warning logic
ARM: 8802/1: Call syscall_trace_exit even when system call skipped
x86/mm: Do not warn about PCI BIOS W+X mappings
orangefs: rate limit the client not running info message
pinctrl: gemini: Fix up TVC clock group
scsi: arcmsr: clean up clang warning on extraneous parentheses
hwmon: (k10temp) Support all Family 15h Model 6xh and Model 7xh processors
hwmon: (nct6775) Fix names of DIMM temperature sources
hwmon: (pwm-fan) Silence error on probe deferral
hwmon: (ina3221) Fix INA3221_CONFIG_MODE macros
hwmon: (npcm-750-pwm-fan) Change initial pwm target to 255
selftests: forwarding: Have lldpad_app_wait_set() wait for unknown, too
net: sched: avoid writing on noop_qdisc
netfilter: nft_compat: do not dump private area
misc: cxl: Fix possible null pointer dereference
mac80211: minstrel: fix using short preamble CCK rates on HT clients
mac80211: minstrel: fix CCK rate group streams value
mac80211: minstrel: fix sampling/reporting of CCK rates in HT mode
spi: rockchip: initialize dma_slave_config properly
mlxsw: spectrum_switchdev: Check notification relevance based on upper device
ARM: dts: omap5: Fix dual-role mode on Super-Speed port
tcp: start receiver buffer autotuning sooner
ACPI / LPSS: Use acpi_lpss_* instead of acpi_subsys_* functions for hibernate
PM / devfreq: Fix static checker warning in try_then_request_governor
tools: PCI: Fix broken pcitest compilation
powerpc/time: Fix clockevent_decrementer initalisation for PR KVM
mmc: tmio: fix SCC error handling to avoid false positive CRC error
x86/resctrl: Fix rdt_find_domain() return value and checks
Linux 4.19.86
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ib9de820e5026cadf4fab89e69d1324302cdae9c3
[ Upstream commit f1193e915748291fb205a908db33bd3debece6e2 ]
This place should want to initialize array, not a element,
so it should be sizeof(array) instead of sizeof(element)
but now this array only has one element, so no error in
this condition that XFRM_MAX_OFFLOAD_DEPTH is 1
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This hack is needed to run 32-bit userspace on 64-bit kernel.
Bug: 138147164
Test: kernel_net_tests
Signed-off-by: Tri Vo <trong@google.com>
Change-Id: I083d32b45ca985cfadfe3ce57d253b63202befde
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl06qFcACgkQONu9yGCS
aT6O9A/+JZqoVYnItpOnT8Hu//0mYEKvREWqsoTJNpZJhLWtGjPTT9ospHNpVgfC
GUkFqngWzXHpzCgTYHUV3Mm+SIiVXCM3nkCU1+2YOsPzrKo/lJSfFt3wOYGpKO5V
qratAQLra5TqR0teR00aQblqKqfmrux05uL9dNcVIwve813m00jFALcpjrXnanpP
tx5cqCo3uHOou5XLraHx/CMPnfJI/mLegBUTM4DxAmN2vG4gQck2gnrU7s1eg4cy
1Fqh0Oo2Ycj5p9yoGss02JqR3wGZHOEmF55j2JcTZAPvW6/c55iPd52Trn8kPOHB
Awq/VwJmP4p10a4TWoZpv7VqpL3PzO8/AW7QWOER8QnDzfOTHGae7YT8LVp5Xqj5
1NqowuP/Tm0yaZSaDLqkdvhVqTi0oGL8OCYLErpeR9PQ3P+p3paaswopsPqnXURj
Q4Pahe1vm9WG2NpKh2bHVmmVkQmvwuxxxnaa31HI/IyLd5bYFV1/LbEa/XrSK36W
VJtO+0AjERO9uTVP/YDloDkQ4R3+3W+m520jYsgf1OwY7v/Kc6iLb7cDwci/ZWMy
YSMm8hrO0nzuT0SI25TKLDvxjGbANKvxytzOQMOTb8NsIWwaoEKWh+4r9XkdUXNa
+dx72I5J2Be+3hk+eaDNzCdEae5pgVTxBpwJbzI4RfnK1Doa4uE=
=hJdd
-----END PGP SIGNATURE-----
Merge 4.19.61 into android-4.19
Changes in 4.19.61
MIPS: ath79: fix ar933x uart parity mode
MIPS: fix build on non-linux hosts
arm64/efi: Mark __efistub_stext_offset as an absolute symbol explicitly
scsi: iscsi: set auth_protocol back to NULL if CHAP_A value is not supported
dmaengine: imx-sdma: fix use-after-free on probe error path
wil6210: fix potential out-of-bounds read
ath10k: Do not send probe response template for mesh
ath9k: Check for errors when reading SREV register
ath6kl: add some bounds checking
ath10k: add peer id check in ath10k_peer_find_by_id
wil6210: fix spurious interrupts in 3-msi
ath: DFS JP domain W56 fixed pulse type 3 RADAR detection
regmap: debugfs: Fix memory leak in regmap_debugfs_init
batman-adv: fix for leaked TVLV handler.
media: dvb: usb: fix use after free in dvb_usb_device_exit
media: spi: IR LED: add missing of table registration
crypto: talitos - fix skcipher failure due to wrong output IV
media: ov7740: avoid invalid framesize setting
media: marvell-ccic: fix DMA s/g desc number calculation
media: vpss: fix a potential NULL pointer dereference
media: media_device_enum_links32: clean a reserved field
net: stmmac: dwmac1000: Clear unused address entries
net: stmmac: dwmac4/5: Clear unused address entries
qed: Set the doorbell address correctly
signal/pid_namespace: Fix reboot_pid_ns to use send_sig not force_sig
af_key: fix leaks in key_pol_get_resp and dump_sp.
xfrm: Fix xfrm sel prefix length validation
fscrypt: clean up some BUG_ON()s in block encryption/decryption
perf annotate TUI browser: Do not use member from variable within its own initialization
media: mc-device.c: don't memset __user pointer contents
media: saa7164: fix remove_proc_entry warning
media: staging: media: davinci_vpfe: - Fix for memory leak if decoder initialization fails.
net: phy: Check against net_device being NULL
crypto: talitos - properly handle split ICV.
crypto: talitos - Align SEC1 accesses to 32 bits boundaries.
tua6100: Avoid build warnings.
batman-adv: Fix duplicated OGMs on NETDEV_UP
locking/lockdep: Fix merging of hlocks with non-zero references
media: wl128x: Fix some error handling in fm_v4l2_init_video_device()
net: hns3: set ops to null when unregister ad_dev
cpupower : frequency-set -r option misses the last cpu in related cpu list
arm64: mm: make CONFIG_ZONE_DMA32 configurable
perf jvmti: Address gcc string overflow warning for strncpy()
net: stmmac: dwmac4: fix flow control issue
net: stmmac: modify default value of tx-frames
crypto: inside-secure - do not rely on the hardware last bit for result descriptors
net: fec: Do not use netdev messages too early
net: axienet: Fix race condition causing TX hang
s390/qdio: handle PENDING state for QEBSM devices
RAS/CEC: Fix pfn insertion
net: sfp: add mutex to prevent concurrent state checks
ipset: Fix memory accounting for hash types on resize
perf cs-etm: Properly set the value of 'old' and 'head' in snapshot mode
perf test 6: Fix missing kvm module load for s390
perf report: Fix OOM error in TUI mode on s390
irqchip/meson-gpio: Add support for Meson-G12A SoC
media: uvcvideo: Fix access to uninitialized fields on probe error
media: fdp1: Support M3N and E3 platforms
iommu: Fix a leak in iommu_insert_resv_region
gpio: omap: fix lack of irqstatus_raw0 for OMAP4
gpio: omap: ensure irq is enabled before wakeup
regmap: fix bulk writes on paged registers
bpf: silence warning messages in core
media: s5p-mfc: fix reading min scratch buffer size on MFC v6/v7
selinux: fix empty write to keycreate file
x86/cpu: Add Ice Lake NNPI to Intel family
ASoC: meson: axg-tdm: fix sample clock inversion
rcu: Force inlining of rcu_read_lock()
x86/cpufeatures: Add FDP_EXCPTN_ONLY and ZERO_FCS_FDS
qed: iWARP - Fix tc for MPA ll2 connection
net: hns3: fix for skb leak when doing selftest
block: null_blk: fix race condition for null_del_dev
blkcg, writeback: dead memcgs shouldn't contribute to writeback ownership arbitration
xfrm: fix sa selector validation
sched/core: Add __sched tag for io_schedule()
sched/fair: Fix "runnable_avg_yN_inv" not used warnings
perf/x86/intel/uncore: Handle invalid event coding for free-running counter
x86/atomic: Fix smp_mb__{before,after}_atomic()
perf evsel: Make perf_evsel__name() accept a NULL argument
vhost_net: disable zerocopy by default
ipoib: correcly show a VF hardware address
x86/cacheinfo: Fix a -Wtype-limits warning
blk-iolatency: only account submitted bios
ACPICA: Clear status of GPEs on first direct enable
EDAC/sysfs: Fix memory leak when creating a csrow object
nvme: fix possible io failures when removing multipathed ns
nvme-pci: properly report state change failure in nvme_reset_work
nvme-pci: set the errno on ctrl state change error
lightnvm: pblk: fix freeing of merged pages
arm64: Do not enable IRQs for ct_user_exit
ipsec: select crypto ciphers for xfrm_algo
ipvs: defer hook registration to avoid leaks
media: s5p-mfc: Make additional clocks optional
media: i2c: fix warning same module names
ntp: Limit TAI-UTC offset
timer_list: Guard procfs specific code
acpi/arm64: ignore 5.1 FADTs that are reported as 5.0
media: coda: fix mpeg2 sequence number handling
media: coda: fix last buffer handling in V4L2_ENC_CMD_STOP
media: coda: increment sequence offset for the last returned frame
media: vimc: cap: check v4l2_fill_pixfmt return value
media: hdpvr: fix locking and a missing msleep
net: stmmac: sun8i: force select external PHY when no internal one
rtlwifi: rtl8192cu: fix error handle when usb probe failed
mt7601u: do not schedule rx_tasklet when the device has been disconnected
x86/build: Add 'set -e' to mkcapflags.sh to delete broken capflags.c
mt7601u: fix possible memory leak when the device is disconnected
ipvs: fix tinfo memory leak in start_sync_thread
ath10k: add missing error handling
ath10k: fix PCIE device wake up failed
perf tools: Increase MAX_NR_CPUS and MAX_CACHES
ASoC: Intel: hdac_hdmi: Set ops to NULL on remove
libata: don't request sense data on !ZAC ATA devices
clocksource/drivers/exynos_mct: Increase priority over ARM arch timer
xsk: Properly terminate assignment in xskq_produce_flush_desc
rslib: Fix decoding of shortened codes
rslib: Fix handling of of caller provided syndrome
ixgbe: Check DDM existence in transceiver before access
crypto: serpent - mark __serpent_setkey_sbox noinline
crypto: asymmetric_keys - select CRYPTO_HASH where needed
wil6210: drop old event after wmi_call timeout
EDAC: Fix global-out-of-bounds write when setting edac_mc_poll_msec
bcache: check CACHE_SET_IO_DISABLE in allocator code
bcache: check CACHE_SET_IO_DISABLE bit in bch_journal()
bcache: acquire bch_register_lock later in cached_dev_free()
bcache: check c->gc_thread by IS_ERR_OR_NULL in cache_set_flush()
bcache: fix potential deadlock in cached_def_free()
net: hns3: fix a -Wformat-nonliteral compile warning
net: hns3: add some error checking in hclge_tm module
ath10k: destroy sdio workqueue while remove sdio module
net: mvpp2: prs: Don't override the sign bit in SRAM parser shift
igb: clear out skb->tstamp after reading the txtime
iwlwifi: mvm: Drop large non sta frames
bpf: fix uapi bpf_prog_info fields alignment
perf stat: Make metric event lookup more robust
perf stat: Fix group lookup for metric group
bnx2x: Prevent ptp_task to be rescheduled indefinitely
net: usb: asix: init MAC address buffers
rxrpc: Fix oops in tracepoint
bpf, libbpf, smatch: Fix potential NULL pointer dereference
selftests: bpf: fix inlines in test_lwt_seg6local
bonding: validate ip header before check IPPROTO_IGMP
gpiolib: Fix references to gpiod_[gs]et_*value_cansleep() variants
tools: bpftool: Fix json dump crash on powerpc
Bluetooth: hci_bcsp: Fix memory leak in rx_skb
Bluetooth: Add new 13d3:3491 QCA_ROME device
Bluetooth: Add new 13d3:3501 QCA_ROME device
Bluetooth: 6lowpan: search for destination address in all peers
perf tests: Fix record+probe_libc_inet_pton.sh for powerpc64
Bluetooth: Check state in l2cap_disconnect_rsp
gtp: add missing gtp_encap_disable_sock() in gtp_encap_enable()
Bluetooth: validate BLE connection interval updates
gtp: fix suspicious RCU usage
gtp: fix Illegal context switch in RCU read-side critical section.
gtp: fix use-after-free in gtp_encap_destroy()
gtp: fix use-after-free in gtp_newlink()
net: mvmdio: defer probe of orion-mdio if a clock is not ready
iavf: fix dereference of null rx_buffer pointer
floppy: fix div-by-zero in setup_format_params
floppy: fix out-of-bounds read in next_valid_format
floppy: fix invalid pointer dereference in drive_name
floppy: fix out-of-bounds read in copy_buffer
xen: let alloc_xenballooned_pages() fail if not enough memory free
scsi: NCR5380: Reduce goto statements in NCR5380_select()
scsi: NCR5380: Always re-enable reselection interrupt
Revert "scsi: ncr5380: Increase register polling limit"
scsi: core: Fix race on creating sense cache
scsi: megaraid_sas: Fix calculation of target ID
scsi: mac_scsi: Increase PIO/PDMA transfer length threshold
scsi: mac_scsi: Fix pseudo DMA implementation, take 2
crypto: ghash - fix unaligned memory access in ghash_setkey()
crypto: ccp - Validate the the error value used to index error messages
crypto: arm64/sha1-ce - correct digest for empty data in finup
crypto: arm64/sha2-ce - correct digest for empty data in finup
crypto: chacha20poly1305 - fix atomic sleep when using async algorithm
crypto: crypto4xx - fix AES CTR blocksize value
crypto: crypto4xx - fix blocksize for cfb and ofb
crypto: crypto4xx - block ciphers should only accept complete blocks
crypto: ccp - memset structure fields to zero before reuse
crypto: ccp/gcm - use const time tag comparison.
crypto: crypto4xx - fix a potential double free in ppc4xx_trng_probe
Revert "bcache: set CACHE_SET_IO_DISABLE in bch_cached_dev_error()"
bcache: Revert "bcache: fix high CPU occupancy during journal"
bcache: Revert "bcache: free heap cache_set->flush_btree in bch_journal_free"
bcache: ignore read-ahead request failure on backing device
bcache: fix mistaken sysfs entry for io_error counter
bcache: destroy dc->writeback_write_wq if failed to create dc->writeback_thread
Input: gtco - bounds check collection indent level
Input: alps - don't handle ALPS cs19 trackpoint-only device
Input: synaptics - whitelist Lenovo T580 SMBus intertouch
Input: alps - fix a mismatch between a condition check and its comment
regulator: s2mps11: Fix buck7 and buck8 wrong voltages
arm64: tegra: Update Jetson TX1 GPU regulator timings
iwlwifi: pcie: don't service an interrupt that was masked
iwlwifi: pcie: fix ALIVE interrupt handling for gen2 devices w/o MSI-X
iwlwifi: don't WARN when calling iwl_get_shared_mem_conf with RF-Kill
iwlwifi: fix RF-Kill interrupt while FW load for gen2 devices
NFSv4: Handle the special Linux file open access mode
pnfs/flexfiles: Fix PTR_ERR() dereferences in ff_layout_track_ds_error
pNFS: Fix a typo in pnfs_update_layout
pnfs: Fix a problem where we gratuitously start doing I/O through the MDS
lib/scatterlist: Fix mapping iterator when sg->offset is greater than PAGE_SIZE
ASoC: dapm: Adapt for debugfs API change
raid5-cache: Need to do start() part job after adding journal device
ALSA: seq: Break too long mutex context in the write loop
ALSA: hda/realtek - Fixed Headphone Mic can't record on Dell platform
ALSA: hda/realtek: apply ALC891 headset fixup to one Dell machine
media: v4l2: Test type instead of cfg->type in v4l2_ctrl_new_custom()
media: coda: Remove unbalanced and unneeded mutex unlock
media: videobuf2-core: Prevent size alignment wrapping buffer size to 0
media: videobuf2-dma-sg: Prevent size from overflowing
KVM: x86/vPMU: refine kvm_pmu err msg when event creation failed
arm64: tegra: Fix AGIC register range
fs/proc/proc_sysctl.c: fix the default values of i_uid/i_gid on /proc/sys inodes.
kconfig: fix missing choice values in auto.conf
drm/nouveau/i2c: Enable i2c pads & busses during preinit
padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
dm zoned: fix zone state management race
xen/events: fix binding user event channels to cpus
9p/xen: Add cleanup path in p9_trans_xen_init
9p/virtio: Add cleanup path in p9_virtio_init
x86/boot: Fix memory leak in default_get_smp_config()
perf/x86/intel: Fix spurious NMI on fixed counter
perf/x86/amd/uncore: Do not set 'ThreadMask' and 'SliceMask' for non-L3 PMCs
perf/x86/amd/uncore: Set the thread mask for F17h L3 PMCs
drm/edid: parse CEA blocks embedded in DisplayID
intel_th: pci: Add Ice Lake NNPI support
PCI: hv: Fix a use-after-free bug in hv_eject_device_work()
PCI: Do not poll for PME if the device is in D3cold
PCI: qcom: Ensure that PERST is asserted for at least 100 ms
Btrfs: fix data loss after inode eviction, renaming it, and fsync it
Btrfs: fix fsync not persisting dentry deletions due to inode evictions
Btrfs: add missing inode version, ctime and mtime updates when punching hole
IB/mlx5: Report correctly tag matching rendezvous capability
HID: wacom: generic: only switch the mode on devices with LEDs
HID: wacom: generic: Correct pad syncing
HID: wacom: correct touch resolution x/y typo
libnvdimm/pfn: fix fsdax-mode namespace info-block zero-fields
coda: pass the host file in vma->vm_file on mmap
include/asm-generic/bug.h: fix "cut here" for WARN_ON for __WARN_TAINT architectures
xfs: fix pagecache truncation prior to reflink
xfs: flush removing page cache in xfs_reflink_remap_prep
xfs: don't overflow xattr listent buffer
xfs: rename m_inotbt_nores to m_finobt_nores
xfs: don't ever put nlink > 0 inodes on the unlinked list
xfs: reserve blocks for ifree transaction during log recovery
xfs: fix reporting supported extra file attributes for statx()
xfs: serialize unaligned dio writes against all other dio writes
xfs: abort unaligned nowait directio early
gpu: ipu-v3: ipu-ic: Fix saturation bit offset in TPMEM
crypto: caam - limit output IV to CBC to work around CTR mode DMA issue
parisc: Ensure userspace privilege for ptraced processes in regset functions
parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
powerpc/32s: fix suspend/resume when IBATs 4-7 are used
powerpc/watchpoint: Restore NV GPRs while returning from exception
powerpc/powernv/npu: Fix reference leak
powerpc/pseries: Fix oops in hotplug memory notifier
mmc: sdhci-msm: fix mutex while in spinlock
eCryptfs: fix a couple type promotion bugs
mtd: rawnand: mtk: Correct low level time calculation of r/w cycle
mtd: spinand: read returns badly if the last page has bitflips
intel_th: msu: Fix single mode with disabled IOMMU
Bluetooth: Add SMP workaround Microsoft Surface Precision Mouse bug
usb: Handle USB3 remote wakeup for LPM enabled devices correctly
blk-throttle: fix zero wait time for iops throttled group
blk-iolatency: clear use_delay when io.latency is set to zero
blkcg: update blkcg_print_stat() to handle larger outputs
net: mvmdio: allow up to four clocks to be specified for orion-mdio
dt-bindings: allow up to four clocks for orion-mdio
dm bufio: fix deadlock with loop device
Linux 4.19.61
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I2f565111b1c16f369fa86e0481527fcc6357fe1b
[ Upstream commit 597179b0ba550bd83fab1a9d57c42a9343c58514 ]
kernelci.org reports failed builds on arc because of what looks
like an old missed 'select' statement:
net/xfrm/xfrm_algo.o: In function `xfrm_probe_algs':
xfrm_algo.c:(.text+0x1e8): undefined reference to `crypto_has_ahash'
I don't see this in randconfig builds on other architectures, but
it's fairly clear we want to select the hash code for it, like we
do for all its other users. As Herbert points out, CRYPTO_BLKCIPHER
is also required even though it has not popped up in build tests.
Fixes: 17bc197022 ("ipsec: Use skcipher and ahash when probing algorithms")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b8d6d0079757cbd1b69724cfd1c08e2171c68cee ]
After commit b38ff4075a80, the following command does not work anymore:
$ ip xfrm state add src 10.125.0.2 dst 10.125.0.1 proto esp spi 34 reqid 1 \
mode tunnel enc 'cbc(aes)' 0xb0abdba8b782ad9d364ec81e3a7d82a1 auth-trunc \
'hmac(sha1)' 0xe26609ebd00acb6a4d51fca13e49ea78a72c73e6 96 flag align4
In fact, the selector is not mandatory, allow the user to provide an empty
selector.
Fixes: b38ff4075a80 ("xfrm: Fix xfrm sel prefix length validation")
CC: Anirudh Gupta <anirudh.gupta@sophos.com>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b38ff4075a80b4da5cb2202d7965332ca0efb213 ]
Family of src/dst can be different from family of selector src/dst.
Use xfrm selector family to validate address prefix length,
while verifying new sa from userspace.
Validated patch with this command:
ip xfrm state add src 1.1.6.1 dst 1.1.6.2 proto esp spi 4260196 \
reqid 20004 mode tunnel aead "rfc4106(gcm(aes))" \
0x1111016400000000000000000000000044440001 128 \
sel src 1011:1:4::2/128 sel dst 1021:1:4::2/128 dev Port5
Fixes: 07bf790895 ("xfrm: Validate address prefix lengths in the xfrm selector.")
Signed-off-by: Anirudh Gupta <anirudh.gupta@sophos.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlzpbCYACgkQONu9yGCS
aT6aJhAAjh1h5q6oRAWZ7k3CTbx7abpi3FwqlGsrinxRkwdDvy6TXTo8gBn0emS0
8TEiQXLm/6M3IGyR8m7w2TGxThyk5xtUqEbxldHwzU/wsZzJ8KegnQUbpmdmJtrh
BnvPygwOSldm8fqNZsFNWNCwt0m9LqPm5m57lHOj4PsxRFkr6jVYjtrynTbyDBus
fT4Dec/jD/0hZbP2aeS5YWNee1ElgiiRewU5q5+Dn8yIDlaX81hkiu+J/EUS/97n
8Irn7Zs7wgjEwVe9xz1SEqAO0TtDH7wgxV2JMcXMRCbj45vmiUPh9IrSqqhvjqbf
Gr36rGyuA2AIlMlzppEgP8ZiL6b5/2+e0mZFVfV4Ck3zThWq/pi8xrNk/AGVbXSA
yE7j7PMVC0Pr9zFOBEsdb6HEOkwy4drGlSWiGkN5jZ5/yexGT4LhEpoMwqSd6tZ8
p12OdVmrEYZyasKOEGyOLFvUWKDT+aClFXcnB0Vi3GNtw6K4aHJU1dtPcpeD+PvO
qMY2ePAj3GXKcg+r4dQPcbO+xEer8JZS/clTXNVwArGMQ/KII6hz2XCeSXe+aVnA
5SJZQnyimgaEev1Y1C7VVYBa4T+S54O+tjvKhv4fuX4vL622rLkUmMJyb2XWNSIC
HagZOcEN7PY9KWqaMiP5GtcumfAUQCtNfXY0QMYhR+9B2Sl2zGg=
=P21c
-----END PGP SIGNATURE-----
Merge 4.19.46 into android-4.19
Changes in 4.19.46
ipv6: fix src addr routing with the exception table
ipv6: prevent possible fib6 leaks
net: Always descend into dsa/
net: avoid weird emergency message
net/mlx4_core: Change the error print to info print
net: test nouarg before dereferencing zerocopy pointers
net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions
nfp: flower: add rcu locks when accessing netdev for tunnels
ppp: deflate: Fix possible crash in deflate_init
rtnetlink: always put IFLA_LINK for links with a link-netnsid
tipc: switch order of device registration to fix a crash
vsock/virtio: free packets during the socket release
tipc: fix modprobe tipc failed after switch order of device registration
vsock/virtio: Initialize core virtio vsock before registering the driver
net/mlx5: Imply MLXFW in mlx5_core
net/mlx5e: Fix ethtool rxfh commands when CONFIG_MLX5_EN_RXNFC is disabled
parisc: Export running_on_qemu symbol for modules
parisc: Skip registering LED when running in QEMU
parisc: Use PA_ASM_LEVEL in boot code
parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code
stm class: Fix channel free in stm output free path
stm class: Fix channel bitmap on 32-bit systems
brd: re-enable __GFP_HIGHMEM in brd_insert_page()
proc: prevent changes to overridden credentials
Revert "MD: fix lock contention for flush bios"
md: batch flush requests.
md: add mddev->pers to avoid potential NULL pointer dereference
dcache: sort the freeing-without-RCU-delay mess for good.
intel_th: msu: Fix single mode with IOMMU
p54: drop device reference count if fails to enable device
of: fix clang -Wunsequenced for be32_to_cpu()
cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level()
phy: ti-pipe3: fix missing bit-wise or operator when assigning val
media: ov6650: Fix sensor possibly not detected on probe
media: imx: csi: Allow unknown nearest upstream entities
media: imx: Clear fwnode link struct for each endpoint iteration
NFS4: Fix v4.0 client state corruption when mount
PNFS fallback to MDS if no deviceid found
clk: hi3660: Mark clk_gate_ufs_subsys as critical
clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider
clk: mediatek: Disable tuner_en before change PLL rate
clk: rockchip: fix wrong clock definitions for rk3328
udlfb: delete the unused parameter for dlfb_handle_damage
udlfb: fix sleeping inside spinlock
udlfb: introduce a rendering mutex
fuse: fix writepages on 32bit
fuse: honor RLIMIT_FSIZE in fuse_file_fallocate
ovl: fix missing upper fs freeze protection on copy up for ioctl
iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114
ceph: flush dirty inodes before proceeding with remount
x86_64: Add gap to int3 to allow for call emulation
x86_64: Allow breakpoints to emulate call instructions
ftrace/x86_64: Emulate call function while updating in breakpoint handler
tracing: Fix partial reading of trace event's id file
memory: tegra: Fix integer overflow on tick value calculation
perf intel-pt: Fix instructions sampling rate
perf intel-pt: Fix improved sample timestamp
perf intel-pt: Fix sample timestamp wrt non-taken branches
MIPS: perf: Fix build with CONFIG_CPU_BMIPS5000 enabled
objtool: Allow AR to be overridden with HOSTAR
fbdev/efifb: Ignore framebuffer memmap entries that lack any memory types
fbdev: sm712fb: fix brightness control on reboot, don't set SR30
fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75
fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F
fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA
fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM
fbdev: sm712fb: fix support for 1024x768-16 mode
fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display
fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting
PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken
PCI: Mark Atheros AR9462 to avoid bus reset
PCI: Init PCIe feature bits for managed host bridge alloc
PCI/AER: Change pci_aer_init() stub to return void
PCI: rcar: Add the initialization of PCIe link in resume_noirq()
PCI: Factor out pcie_retrain_link() function
PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum
dm cache metadata: Fix loading discard bitset
dm zoned: Fix zone report handling
dm delay: fix a crash when invalid device is specified
dm integrity: correctly calculate the size of metadata area
dm mpath: always free attached_handler_name in parse_path()
fuse: Add FOPEN_STREAM to use stream_open()
xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink
xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module
vti4: ipip tunnel deregistration fixes.
xfrm: clean up xfrm protocol checks
esp4: add length check for UDP encapsulation
xfrm: Honor original L3 slave device in xfrmi policy lookup
xfrm4: Fix uninitialized memory read in _decode_session4
clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0)
power: supply: cpcap-battery: Fix division by zero
securityfs: fix use-after-free on symlink traversal
apparmorfs: fix use-after-free on symlink traversal
PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored
x86: kvm: hyper-v: deal with buggy TLB flush requests from WS2012
mac80211: Fix kernel panic due to use of txq after free
net: ieee802154: fix missing checks for regmap_update_bits
KVM: arm/arm64: Ensure vcpu target is unset on reset failure
power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG
bpf: Fix preempt_enable_no_resched() abuse
qmi_wwan: new Wistron, ZTE and D-Link devices
iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb()
sched/cpufreq: Fix kobject memleak
x86/mm/mem_encrypt: Disable all instrumentation for early SME setup
ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour
perf bench numa: Add define for RUSAGE_THREAD if not present
perf/x86/intel: Fix race in intel_pmu_disable_event()
Revert "Don't jump to compute_result state from check_result state"
md/raid: raid5 preserve the writeback action after the parity check
driver core: Postpone DMA tear-down until after devres release for probe failure
Revert "selftests/bpf: skip verifier tests for unsupported program types"
bpf: relax inode permission check for retrieving bpf program
bpf: add map_lookup_elem_sys_only for lookups from syscall side
bpf, lru: avoid messing with eviction heuristics upon syscall lookup
fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough
Linux 4.19.46
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 025c65e119bf58b610549ca359c9ecc5dee6a8d2 ]
If an xfrmi is associated to a vrf layer 3 master device,
xfrm_policy_check() fails after traffic decapsulation. The input
interface is replaced by the layer 3 master device, and hence
xfrmi_decode_session() can't match the xfrmi anymore to satisfy
policy checking.
Extend ingress xfrmi lookup to honor the original layer 3 slave
device, allowing xfrm interfaces to operate within a vrf domain.
Fixes: f203b76d78 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit dbb2483b2a46fbaf833cfb5deb5ed9cace9c7399 ]
In commit 6a53b75932 ("xfrm: check id proto in validate_tmpl()")
I introduced a check for xfrm protocol, but according to Herbert
IPSEC_PROTO_ANY should only be used as a wildcard for lookup, so
it should be removed from validate_tmpl().
And, IPSEC_PROTO_ANY is expected to only match 3 IPSec-specific
protocols, this is why xfrm_state_flush() could still miss
IPPROTO_ROUTING, which leads that those entries are left in
net->xfrm.state_all before exit net. Fix this by replacing
IPSEC_PROTO_ANY with zero.
This patch also extracts the check from validate_tmpl() to
xfrm_id_proto_valid() and uses it in parse_ipsecrequest().
With this, no other protocols should be added into xfrm.
Fixes: 6a53b75932 ("xfrm: check id proto in validate_tmpl()")
Reported-by: syzbot+0bf0519d6e0de15914fe@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b805d78d300bcf2c83d6df7da0c818b0fee41427 ]
UBSAN report this:
UBSAN: Undefined behaviour in net/xfrm/xfrm_policy.c:1289:24
index 6 is out of range for type 'unsigned int [6]'
CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.4.162-514.55.6.9.x86_64+ #13
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014
0000000000000000 1466cf39b41b23c9 ffff8801f6b07a58 ffffffff81cb35f4
0000000041b58ab3 ffffffff83230f9c ffffffff81cb34e0 ffff8801f6b07a80
ffff8801f6b07a20 1466cf39b41b23c9 ffffffff851706e0 ffff8801f6b07ae8
Call Trace:
<IRQ> [<ffffffff81cb35f4>] __dump_stack lib/dump_stack.c:15 [inline]
<IRQ> [<ffffffff81cb35f4>] dump_stack+0x114/0x1a0 lib/dump_stack.c:51
[<ffffffff81d94225>] ubsan_epilogue+0x12/0x8f lib/ubsan.c:164
[<ffffffff81d954db>] __ubsan_handle_out_of_bounds+0x16e/0x1b2 lib/ubsan.c:382
[<ffffffff82a25acd>] __xfrm_policy_unlink+0x3dd/0x5b0 net/xfrm/xfrm_policy.c:1289
[<ffffffff82a2e572>] xfrm_policy_delete+0x52/0xb0 net/xfrm/xfrm_policy.c:1309
[<ffffffff82a3319b>] xfrm_policy_timer+0x30b/0x590 net/xfrm/xfrm_policy.c:243
[<ffffffff813d3927>] call_timer_fn+0x237/0x990 kernel/time/timer.c:1144
[<ffffffff813d8e7e>] __run_timers kernel/time/timer.c:1218 [inline]
[<ffffffff813d8e7e>] run_timer_softirq+0x6ce/0xb80 kernel/time/timer.c:1401
[<ffffffff8120d6f9>] __do_softirq+0x299/0xe10 kernel/softirq.c:273
[<ffffffff8120e676>] invoke_softirq kernel/softirq.c:350 [inline]
[<ffffffff8120e676>] irq_exit+0x216/0x2c0 kernel/softirq.c:391
[<ffffffff82c5edab>] exiting_irq arch/x86/include/asm/apic.h:652 [inline]
[<ffffffff82c5edab>] smp_apic_timer_interrupt+0x8b/0xc0 arch/x86/kernel/apic/apic.c:926
[<ffffffff82c5c985>] apic_timer_interrupt+0xa5/0xb0 arch/x86/entry/entry_64.S:735
<EOI> [<ffffffff81188096>] ? native_safe_halt+0x6/0x10 arch/x86/include/asm/irqflags.h:52
[<ffffffff810834d7>] arch_safe_halt arch/x86/include/asm/paravirt.h:111 [inline]
[<ffffffff810834d7>] default_idle+0x27/0x430 arch/x86/kernel/process.c:446
[<ffffffff81085f05>] arch_cpu_idle+0x15/0x20 arch/x86/kernel/process.c:437
[<ffffffff8132abc3>] default_idle_call+0x53/0x90 kernel/sched/idle.c:92
[<ffffffff8132b32d>] cpuidle_idle_call kernel/sched/idle.c:156 [inline]
[<ffffffff8132b32d>] cpu_idle_loop kernel/sched/idle.c:251 [inline]
[<ffffffff8132b32d>] cpu_startup_entry+0x60d/0x9a0 kernel/sched/idle.c:299
[<ffffffff8113e119>] start_secondary+0x3c9/0x560 arch/x86/kernel/smpboot.c:245
The issue is triggered as this:
xfrm_add_policy
-->verify_newpolicy_info //check the index provided by user with XFRM_POLICY_MAX
//In my case, the index is 0x6E6BB6, so it pass the check.
-->xfrm_policy_construct //copy the user's policy and set xfrm_policy_timer
-->xfrm_policy_insert
--> __xfrm_policy_link //use the orgin dir, in my case is 2
--> xfrm_gen_index //generate policy index, there is 0x6E6BB6
then xfrm_policy_timer be fired
xfrm_policy_timer
--> xfrm_policy_id2dir //get dir from (policy index & 7), in my case is 6
--> xfrm_policy_delete
--> __xfrm_policy_unlink //access policy_count[dir], trigger out of range access
Add xfrm_policy_id2dir check in verify_newpolicy_info, make sure the computed dir is
valid, to fix the issue.
Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: e682adf021 ("xfrm: Try to honor policy index if it's supplied by user")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAly6xzUACgkQONu9yGCS
aT5sIA//b7nAk2zuhmbkonsBfzFq5uBJmqXcCrOgy3XHMs4fE+Q11kLd1wMAV7dx
U7FNHe4PIJ8Rczxgqr2VP3VmFbV6UuTK+UTclJKfbV3ouIAQiQBuutABBmbDUj2p
FInc/yAYyhVc9n7gX78czTiUxKnKi4+sisUYDCZPr3hr6jDPcLvm/WVWdyrcXJje
rYFNmE/2MBH1NofG+MOpq+ILhKHXlf2APN2/spl+I42a8bwodiSl9g+dhuWr7wgT
Ln2Ocf7BZ6BPCQKoveZdD1Gd56NNR/lJh4ulqpuhaZw4Yp+B/C7GmrBtdPzVSGka
IwPWoSc9/9VSUl+ooSZHms78VLbqq0rNNclskL2bN6m962u04Eu7sB2Tg/bwUs52
Wkcw0DY4J/oMJtj/CMHcQOUPsk6vwHxqnjsj+LYJ1ZjHO68tUshnENxXrbAoDc45
2fuY3TCA+XqFvqNt5HbkLPtFR78u8QmZ1lP/Pkri6xoG/GA6O0EAxhS0Z9hncGK7
8wJNuxLMd2UX94wlajQ+DF7yyCU4HOFEdeSEOwlHHBid/fckXsGzL2tKJUAbbUPP
ux3An8kJHni8nQrmUkyy1Nx29ROyAFxBLOQshWGpXgJrV3qRMYLyB2Icv0WYCGFk
zZCTupPgvb46u81VzqxrLH4RZdy4Ar4uB3BQGPKs596rlYmvnSo=
=CArs
-----END PGP SIGNATURE-----
Merge 4.19.36 into android-4.19
Changes in 4.19.36
ARC: u-boot args: check that magic number is correct
arc: hsdk_defconfig: Enable CONFIG_BLK_DEV_RAM
inotify: Fix fsnotify_mark refcount leak in inotify_update_existing_watch()
perf/core: Restore mmap record type correctly
ext4: avoid panic during forced reboot
ext4: add missing brelse() in add_new_gdb_meta_bg()
ext4: report real fs size after failed resize
ALSA: echoaudio: add a check for ioremap_nocache
ALSA: sb8: add a check for request_region
auxdisplay: hd44780: Fix memory leak on ->remove()
drm/udl: use drm_gem_object_put_unlocked.
IB/mlx4: Fix race condition between catas error reset and aliasguid flows
i40iw: Avoid panic when handling the inetdev event
mmc: davinci: remove extraneous __init annotation
ALSA: opl3: fix mismatch between snd_opl3_drum_switch definition and declaration
thermal/intel_powerclamp: fix __percpu declaration of worker_data
thermal: samsung: Fix incorrect check after code merge
thermal: bcm2835: Fix crash in bcm2835_thermal_debugfs
thermal/int340x_thermal: Add additional UUIDs
thermal/int340x_thermal: fix mode setting
thermal/intel_powerclamp: fix truncated kthread name
scsi: iscsi: flush running unbind operations when removing a session
sched/cpufreq: Fix 32-bit math overflow
sched/core: Fix buffer overflow in cgroup2 property cpu.max
x86/mm: Don't leak kernel addresses
tools/power turbostat: return the exit status of a command
perf list: Don't forget to drop the reference to the allocated thread_map
perf config: Fix an error in the config template documentation
perf config: Fix a memory leak in collect_config()
perf build-id: Fix memory leak in print_sdt_events()
perf top: Fix error handling in cmd_top()
perf hist: Add missing map__put() in error case
perf evsel: Free evsel->counts in perf_evsel__exit()
perf tests: Fix a memory leak of cpu_map object in the openat_syscall_event_on_all_cpus test
perf tests: Fix memory leak by expr__find_other() in test__expr()
perf tests: Fix a memory leak in test__perf_evsel__tp_sched_test()
ACPI / utils: Drop reference in test for device presence
PM / Domains: Avoid a potential deadlock
blk-iolatency: #include "blk.h"
drm/exynos/mixer: fix MIXER shadow registry synchronisation code
irqchip/stm32: Don't clear rising/falling config registers at init
irqchip/mbigen: Don't clear eventid when freeing an MSI
x86/hpet: Prevent potential NULL pointer dereference
x86/hyperv: Prevent potential NULL pointer dereference
x86/cpu/cyrix: Use correct macros for Cyrix calls on Geode processors
drm/nouveau/debugfs: Fix check of pm_runtime_get_sync failure
iommu/vt-d: Check capability before disabling protected memory
x86/hw_breakpoints: Make default case in hw_breakpoint_arch_parse() return an error
fix incorrect error code mapping for OBJECTID_NOT_FOUND
x86/gart: Exclude GART aperture from kcore
ext4: prohibit fstrim in norecovery mode
drm/cirrus: Use drm_framebuffer_put to avoid kernel oops in clean-up
gpio: pxa: handle corner case of unprobed device
rsi: improve kernel thread handling to fix kernel panic
f2fs: fix to avoid NULL pointer dereference on se->discard_map
9p: do not trust pdu content for stat item size
9p locks: add mount option for lock retry interval
ASoC: Fix UBSAN warning at snd_soc_get/put_volsw_sx()
f2fs: fix to do sanity check with current segment number
netfilter: xt_cgroup: shrink size of v2 path
serial: uartps: console_setup() can't be placed to init section
powerpc/pseries: Remove prrn_work workqueue
media: au0828: cannot kfree dev before usb disconnect
Bluetooth: Fix debugfs NULL pointer dereference
HID: i2c-hid: override HID descriptors for certain devices
pinctrl: core: make sure strcmp() doesn't get a null parameter
ARM: samsung: Limit SAMSUNG_PM_CHECK config option to non-Exynos platforms
usbip: fix vhci_hcd controller counting
ACPI / SBS: Fix GPE storm on recent MacBookPro's
HID: usbhid: Add quirk for Redragon/Dragonrise Seymur 2
KVM: nVMX: restore host state in nested_vmx_vmexit for VMFail
compiler.h: update definition of unreachable()
netfilter: nf_flow_table: remove flowtable hook flush routine in netns exit routine
f2fs: cleanup dirty pages if recover failed
net: stmmac: Set OWN bit for jumbo frames
cifs: fallback to older infolevels on findfirst queryinfo retry
kernel: hung_task.c: disable on suspend
platform/x86: Add Intel AtomISP2 dummy / power-management driver
drm/ttm: Fix bo_global and mem_global kfree error
ALSA: hda: fix front speakers on Huawei MBXP
ACPI: EC / PM: Disable non-wakeup GPEs for suspend-to-idle
net/rds: fix warn in rds_message_alloc_sgs
xfrm: destroy xfrm_state synchronously on net exit path
crypto: sha256/arm - fix crash bug in Thumb2 build
crypto: sha512/arm - fix crash bug in Thumb2 build
net: ip6_gre: fix possible NULL pointer dereference in ip6erspan_set_version
iommu/dmar: Fix buffer overflow during PCI bus notification
scsi: core: Avoid that system resume triggers a kernel warning
soc/tegra: pmc: Drop locking from tegra_powergate_is_powered()
lkdtm: Print real addresses
lkdtm: Add tests for NULL pointer dereference
drm/panel: panel-innolux: set display off in innolux_panel_unprepare
crypto: axis - fix for recursive locking from bottom half
Revert "ACPI / EC: Remove old CLEAR_ON_RESUME quirk"
coresight: cpu-debug: Support for CA73 CPUs
PCI: Blacklist power management of Gigabyte X299 DESIGNARE EX PCIe ports
drm/nouveau/volt/gf117: fix speedo readout register
ARM: 8839/1: kprobe: make patch_lock a raw_spinlock_t
drm/amdkfd: use init_mqd function to allocate object for hid_mqd (CI)
appletalk: Fix use-after-free in atalk_proc_exit
lib/div64.c: off by one in shift
rxrpc: Fix client call connect/disconnect race
f2fs: fix to dirty inode for i_mode recovery
include/linux/swap.h: use offsetof() instead of custom __swapoffset macro
bpf: fix use after free in bpf_evict_inode
IB/hfi1: Failed to drain send queue when QP is put into error state
mm: hide incomplete nr_indirectly_reclaimable in /proc/zoneinfo
mm: hide incomplete nr_indirectly_reclaimable in sysfs
appletalk: Fix compile regression
Linux 4.19.36
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit f75a2804da391571563c4b6b29e7797787332673 ]
xfrm_state_put() moves struct xfrm_state to the GC list
and schedules the GC work to clean it up. On net exit call
path, xfrm_state_flush() is called to clean up and
xfrm_flush_gc() is called to wait for the GC work to complete
before exit.
However, this doesn't work because one of the ->destructor(),
ipcomp_destroy(), schedules the same GC work again inside
the GC work. It is hard to wait for such a nested async
callback. This is also why syzbot still reports the following
warning:
WARNING: CPU: 1 PID: 33 at net/ipv6/xfrm6_tunnel.c:351 xfrm6_tunnel_net_exit+0x2cb/0x500 net/ipv6/xfrm6_tunnel.c:351
...
ops_exit_list.isra.0+0xb0/0x160 net/core/net_namespace.c:153
cleanup_net+0x51d/0xb10 net/core/net_namespace.c:551
process_one_work+0xd0c/0x1ce0 kernel/workqueue.c:2153
worker_thread+0x143/0x14a0 kernel/workqueue.c:2296
kthread+0x357/0x430 kernel/kthread.c:246
ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
In fact, it is perfectly fine to bypass GC and destroy xfrm_state
synchronously on net exit call path, because it is in process context
and doesn't need a work struct to do any blocking work.
This patch introduces xfrm_state_put_sync() which simply bypasses
GC, and lets its callers to decide whether to use this synchronous
version. On net exit path, xfrm_state_fini() and
xfrm6_tunnel_net_exit() use it. And, as ipcomp_destroy() itself is
blocking, it can use xfrm_state_put_sync() directly too.
Also rename xfrm_state_gc_destroy() to ___xfrm_state_destroy() to
reflect this change.
Fixes: b48c05ab5d ("xfrm: Fix warning in xfrm6_tunnel_net_exit.")
Reported-and-tested-by: syzbot+e9aebef558e3ed673934@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlyWhJcACgkQONu9yGCS
aT6XzxAAzP2QGzC4SVPgcFH1woF/d8Cz0zQ81mLXzjXtEPm39fZCM2hbBnxkXLu1
peFyrKNk6/c9541D9gsQCQT6Fu+H6u1bJKcIezlKJ2xyB/MsU1hXkjZrTJYW3RRs
gimy1EGdood2el1ubEBZiaspazoeRzBqtg1Nsmr4V0l+RT8HwtKKw+0+Nxixfp59
NoVkqTpPI5mL0FiH2R9ogcfg3SvgMZOsOhOBjdPvSjiJJsbvIWcW48MCs95XSUpF
R+l/fWn+oiFCcIqBaFheujuqZMvVrUHZHaWAPMuoR/c3Cdf0lTBokdv6UM9c0nv3
61jX5r5ImRI/dfQANN5mbB1YKcs5xOI+I7QZHQ2q4clsWrWyLapXW4clrAZJ6z5t
UVeVbuLV2y5PL9GJyBcXpyY0BOf4e2gZURaPY3C5McNwgybNoiR0ZePqKb8ZhZyh
jYOYRoBjJJpZoVTSt6MNX95NTvGaSAtqKMu1s3IeMfpwCfQKBPMOuBHr/dUqSC6I
U0xxjk/71C15dSPVcTVJT/lmcKc6TXgoagnfbn8GBtDOAjBNsYyUJLQI+db1ERCe
9MEB9k1Z87ROQ5jQCQmWsewOVAtFZBEvSszFmpKv3zTe8M2oFpXG56zckdiumwHU
nSfeZTTeWzsFJd30MioEnGYm3ZwKwZx7wi0x4B4WWvBfSpp20Us=
=xtLx
-----END PGP SIGNATURE-----
Merge 4.19.31 into android-4.19
Changes in 4.19.31
media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused()
9p: use inode->i_lock to protect i_size_write() under 32-bit
9p/net: fix memory leak in p9_client_create
ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
ASoC: codecs: pcm186x: fix wrong usage of DECLARE_TLV_DB_SCALE()
ASoC: codecs: pcm186x: Fix energysense SLEEP bit
iio: adc: exynos-adc: Fix NULL pointer exception on unbind
mei: hbm: clean the feature flags on link reset
mei: bus: move hw module get/put to probe/release
stm class: Fix an endless loop in channel allocation
crypto: caam - fix hash context DMA unmap size
crypto: ccree - fix missing break in switch statement
crypto: caam - fixed handling of sg list
crypto: caam - fix DMA mapping of stack memory
crypto: ccree - fix free of unallocated mlli buffer
crypto: ccree - unmap buffer before copying IV
crypto: ccree - don't copy zero size ciphertext
crypto: cfb - add missing 'chunksize' property
crypto: cfb - remove bogus memcpy() with src == dest
crypto: ahash - fix another early termination in hash walk
crypto: rockchip - fix scatterlist nents error
crypto: rockchip - update new iv to device in multiple operations
drm/imx: ignore plane updates on disabled crtcs
gpu: ipu-v3: Fix i.MX51 CSI control registers offset
drm/imx: imx-ldb: add missing of_node_puts
gpu: ipu-v3: Fix CSI offsets for imx53
ASoC: rt5682: Correct the setting while select ASRC clk for AD/DA filter
clocksource: timer-ti-dm: Fix pwm dmtimer usage of fck reparenting
KVM: arm/arm64: vgic: Make vgic_dist->lpi_list_lock a raw_spinlock
arm64: dts: rockchip: fix graph_port warning on rk3399 bob kevin and excavator
s390/dasd: fix using offset into zero size array error
Input: pwm-vibra - prevent unbalanced regulator
Input: pwm-vibra - stop regulator after disabling pwm, not before
ARM: dts: Configure clock parent for pwm vibra
ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
ASoC: dapm: fix out-of-bounds accesses to DAPM lookup tables
ASoC: rsnd: fixup rsnd_ssi_master_clk_start() user count check
KVM: arm/arm64: Reset the VCPU without preemption and vcpu state loaded
arm/arm64: KVM: Allow a VCPU to fully reset itself
arm/arm64: KVM: Don't panic on failure to properly reset system registers
KVM: arm/arm64: vgic: Always initialize the group of private IRQs
KVM: arm64: Forbid kprobing of the VHE world-switch code
ASoC: samsung: Prevent clk_get_rate() calls in atomic context
ARM: OMAP2+: fix lack of timer interrupts on CPU1 after hotplug
Input: cap11xx - switch to using set_brightness_blocking()
Input: ps2-gpio - flush TX work when closing port
Input: matrix_keypad - use flush_delayed_work()
mac80211: call drv_ibss_join() on restart
mac80211: Fix Tx aggregation session tear down with ITXQs
netfilter: compat: initialize all fields in xt_init
blk-mq: insert rq with DONTPREP to hctx dispatch list when requeue
ipvs: fix dependency on nf_defrag_ipv6
floppy: check_events callback should not return a negative number
xprtrdma: Make sure Send CQ is allocated on an existing compvec
NFS: Don't use page_file_mapping after removing the page
mm/gup: fix gup_pmd_range() for dax
Revert "mm: use early_pfn_to_nid in page_ext_init"
scsi: qla2xxx: Fix panic from use after free in qla2x00_async_tm_cmd
net: dsa: bcm_sf2: potential array overflow in bcm_sf2_sw_suspend()
x86/CPU: Add Icelake model number
mm: page_alloc: fix ref bias in page_frag_alloc() for 1-byte allocs
net: hns: Fix object reference leaks in hns_dsaf_roce_reset()
i2c: cadence: Fix the hold bit setting
i2c: bcm2835: Clear current buffer pointers and counts after a transfer
auxdisplay: ht16k33: fix potential user-after-free on module unload
Input: st-keyscan - fix potential zalloc NULL dereference
clk: sunxi-ng: v3s: Fix TCON reset de-assert bit
kallsyms: Handle too long symbols in kallsyms.c
clk: sunxi: A31: Fix wrong AHB gate number
esp: Skip TX bytes accounting when sending from a request socket
ARM: 8824/1: fix a migrating irq bug when hotplug cpu
bpf: only adjust gso_size on bytestream protocols
bpf: fix lockdep false positive in stackmap
af_key: unconditionally clone on broadcast
ARM: 8835/1: dma-mapping: Clear DMA ops on teardown
assoc_array: Fix shortcut creation
keys: Fix dependency loop between construction record and auth key
scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task
net: systemport: Fix reception of BPDUs
net: dsa: bcm_sf2: Do not assume DSA master supports WoL
pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
qmi_wwan: apply SET_DTR quirk to Sierra WP7607
net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()
xfrm: Fix inbound traffic via XFRM interfaces across network namespaces
mailbox: bcm-flexrm-mailbox: Fix FlexRM ring flush timeout issue
ASoC: topology: free created components in tplg load error
qed: Fix iWARP buffer size provided for syn packet processing.
qed: Fix iWARP syn packet mac address validation.
ARM: dts: armada-xp: fix Armada XP boards NAND description
arm64: Relax GIC version check during early boot
ARM: tegra: Restore DT ABI on Tegra124 Chromebooks
net: marvell: mvneta: fix DMA debug warning
mm: handle lru_add_drain_all for UP properly
tmpfs: fix link accounting when a tmpfile is linked in
ixgbe: fix older devices that do not support IXGBE_MRQC_L3L4TXSWEN
ARCv2: lib: memcpy: fix doing prefetchw outside of buffer
ARC: uacces: remove lp_start, lp_end from clobber list
ARCv2: support manual regfile save on interrupts
ARCv2: don't assume core 0x54 has dual issue
phonet: fix building with clang
mac80211_hwsim: propagate genlmsg_reply return code
bpf, lpm: fix lookup bug in map_delete_elem
net: thunderx: make CFG_DONE message to run through generic send-ack sequence
net: thunderx: add nicvf_send_msg_to_pf result check for set_rx_mode_task
nfp: bpf: fix code-gen bug on BPF_ALU | BPF_XOR | BPF_K
nfp: bpf: fix ALU32 high bits clearance bug
bnxt_en: Fix typo in firmware message timeout logic.
bnxt_en: Wait longer for the firmware message response to complete.
net: set static variable an initial value in atl2_probe()
selftests: fib_tests: sleep after changing carrier. again.
tmpfs: fix uninitialized return value in shmem_link
stm class: Prevent division by zero
nfit: acpi_nfit_ctl(): Check out_obj->type in the right place
acpi/nfit: Fix bus command validation
nfit/ars: Attempt a short-ARS whenever the ARS state is idle at boot
nfit/ars: Attempt short-ARS even in the no_init_ars case
libnvdimm/label: Clear 'updating' flag after label-set update
libnvdimm, pfn: Fix over-trim in trim_pfn_device()
libnvdimm/pmem: Honor force_raw for legacy pmem regions
libnvdimm: Fix altmap reservation size calculation
fix cgroup_do_mount() handling of failure exits
crypto: aead - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
crypto: aegis - fix handling chunked inputs
crypto: arm/crct10dif - revert to C code for short inputs
crypto: arm64/aes-neonbs - fix returning final keystream block
crypto: arm64/crct10dif - revert to C code for short inputs
crypto: hash - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
crypto: morus - fix handling chunked inputs
crypto: pcbc - remove bogus memcpy()s with src == dest
crypto: skcipher - set CRYPTO_TFM_NEED_KEY if ->setkey() fails
crypto: testmgr - skip crc32c context test for ahash algorithms
crypto: x86/aegis - fix handling chunked inputs and MAY_SLEEP
crypto: x86/aesni-gcm - fix crash on empty plaintext
crypto: x86/morus - fix handling chunked inputs and MAY_SLEEP
crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
crypto: arm64/aes-ccm - fix bugs in non-NEON fallback routine
CIFS: Do not reset lease state to NONE on lease break
CIFS: Do not skip SMB2 message IDs on send failures
CIFS: Fix read after write for files with read caching
tracing: Use strncpy instead of memcpy for string keys in hist triggers
tracing: Do not free iter->trace in fail path of tracing_open_pipe()
tracing/perf: Use strndup_user() instead of buggy open-coded version
xen: fix dom0 boot on huge systems
ACPI / device_sysfs: Avoid OF modalias creation for removed device
mmc: sdhci-esdhc-imx: fix HS400 timing issue
mmc:fix a bug when max_discard is 0
netfilter: ipt_CLUSTERIP: fix warning unused variable cn
spi: ti-qspi: Fix mmap read when more than one CS in use
spi: pxa2xx: Setup maximum supported DMA transfer length
regulator: s2mps11: Fix steps for buck7, buck8 and LDO35
regulator: max77620: Initialize values for DT properties
regulator: s2mpa01: Fix step values for some LDOs
clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR
clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown
clocksource/drivers/arch_timer: Workaround for Allwinner A64 timer instability
s390/setup: fix early warning messages
s390/virtio: handle find on invalid queue gracefully
scsi: virtio_scsi: don't send sc payload with tmfs
scsi: aacraid: Fix performance issue on logical drives
scsi: sd: Optimal I/O size should be a multiple of physical block size
scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
scsi: qla2xxx: Fix LUN discovery if loop id is not assigned yet by firmware
fs/devpts: always delete dcache dentry-s in dput()
splice: don't merge into linked buffers
ovl: During copy up, first copy up data and then xattrs
ovl: Do not lose security.capability xattr over metadata file copy-up
m68k: Add -ffreestanding to CFLAGS
Btrfs: setup a nofs context for memory allocation at btrfs_create_tree()
Btrfs: setup a nofs context for memory allocation at __btrfs_set_acl
btrfs: ensure that a DUP or RAID1 block group has exactly two stripes
Btrfs: fix corruption reading shared and compressed extents after hole punching
soc: qcom: rpmh: Avoid accessing freed memory from batch API
libertas_tf: don't set URB_ZERO_PACKET on IN USB transfer
irqchip/gic-v3-its: Avoid parsing _indirect_ twice for Device table
irqchip/brcmstb-l2: Use _irqsave locking variants in non-interrupt code
x86/kprobes: Prohibit probing on optprobe template code
cpufreq: kryo: Release OPP tables on module removal
cpufreq: tegra124: add missing of_node_put()
cpufreq: pxa2xx: remove incorrect __init annotation
ext4: fix check of inode in swap_inode_boot_loader
ext4: cleanup pagecache before swap i_data
ext4: update quota information while swapping boot loader inode
ext4: add mask of ext4 flags to swap
ext4: fix crash during online resizing
PCI/ASPM: Use LTR if already enabled by platform
PCI/DPC: Fix print AER status in DPC event handling
PCI: dwc: skip MSI init if MSIs have been explicitly disabled
IB/hfi1: Close race condition on user context disable and close
cxl: Wrap iterations over afu slices inside 'afu_list_lock'
ext2: Fix underflow in ext2_max_size()
clk: uniphier: Fix update register for CPU-gear
clk: clk-twl6040: Fix imprecise external abort for pdmclk
clk: samsung: exynos5: Fix possible NULL pointer exception on platform_device_alloc() failure
clk: samsung: exynos5: Fix kfree() of const memory on setting driver_override
clk: ingenic: Fix round_rate misbehaving with non-integer dividers
clk: ingenic: Fix doc of ingenic_cgu_div_info
usb: chipidea: tegra: Fix missed ci_hdrc_remove_device()
usb: typec: tps6598x: handle block writes separately with plain-I2C adapters
dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit
mm: hwpoison: fix thp split handing in soft_offline_in_use_page()
mm/vmalloc: fix size check for remap_vmalloc_range_partial()
mm/memory.c: do_fault: avoid usage of stale vm_area_struct
kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
device property: Fix the length used in PROPERTY_ENTRY_STRING()
intel_th: Don't reference unassigned outputs
parport_pc: fix find_superio io compare code, should use equal test.
i2c: tegra: fix maximum transfer size
media: i2c: ov5640: Fix post-reset delay
gpio: pca953x: Fix dereference of irq data in shutdown
can: flexcan: FLEXCAN_IFLAG_MB: add () around macro argument
drm/i915: Relax mmap VMA check
bpf: only test gso type on gso packets
serial: uartps: Fix stuck ISR if RX disabled with non-empty FIFO
serial: 8250_of: assume reg-shift of 2 for mrvl,mmp-uart
serial: 8250_pci: Fix number of ports for ACCES serial cards
serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
jbd2: clear dirty flag when revoking a buffer from an older transaction
jbd2: fix compile warning when using JBUFFER_TRACE
selinux: add the missing walk_size + len check in selinux_sctp_bind_connect
security/selinux: fix SECURITY_LSM_NATIVE_LABELS on reused superblock
powerpc/32: Clear on-stack exception marker upon exception return
powerpc/wii: properly disable use of BATs when requested.
powerpc/powernv: Make opal log only readable by root
powerpc/83xx: Also save/restore SPRG4-7 during suspend
powerpc/powernv: Don't reprogram SLW image on every KVM guest entry/exit
powerpc: Fix 32-bit KVM-PR lockup and host crash with MacOS guest
powerpc/ptrace: Simplify vr_get/set() to avoid GCC warning
powerpc/hugetlb: Don't do runtime allocation of 16G pages in LPAR configuration
powerpc/traps: fix recoverability of machine check handling on book3s/32
powerpc/traps: Fix the message printed when stack overflows
ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
arm64: Fix HCR.TGE status for NMI contexts
arm64: debug: Ensure debug handlers check triggering exception level
arm64: KVM: Fix architecturally invalid reset value for FPEXC32_EL2
ipmi_si: fix use-after-free of resource->name
dm: fix to_sector() for 32bit
dm integrity: limit the rate of error messages
mfd: sm501: Fix potential NULL pointer dereference
cpcap-charger: generate events for userspace
NFS: Fix I/O request leakages
NFS: Fix an I/O request leakage in nfs_do_recoalesce
NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
nfsd: fix performance-limiting session calculation
nfsd: fix memory corruption caused by readdir
nfsd: fix wrong check in write_v4_end_grace()
NFSv4.1: Reinitialise sequence results before retransmitting a request
svcrpc: fix UDP on servers with lots of threads
PM / wakeup: Rework wakeup source timer cancellation
bcache: never writeback a discard operation
stable-kernel-rules.rst: add link to networking patch queue
vt: perform safe console erase in the right order
x86/unwind/orc: Fix ORC unwind table alignment
perf intel-pt: Fix CYC timestamp calculation after OVF
perf tools: Fix split_kallsyms_for_kcore() for trampoline symbols
perf auxtrace: Define auxtrace record alignment
perf intel-pt: Fix overlap calculation for padding
perf/x86/intel/uncore: Fix client IMC events return huge result
perf intel-pt: Fix divide by zero when TSC is not available
md: Fix failed allocation of md_register_thread
tpm/tpm_crb: Avoid unaligned reads in crb_recv()
tpm: Unify the send callback behaviour
rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
media: imx: prpencvf: Stop upstream before disabling IDMA channel
media: lgdt330x: fix lock status reporting
media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
media: vimc: Add vimc-streamer for stream control
media: imx: csi: Disable CSI immediately after last EOF
media: imx: csi: Stop upstream before disabling IDMA channel
drm/fb-helper: generic: Fix drm_fbdev_client_restore()
drm/radeon/evergreen_cs: fix missing break in switch statement
drm/amd/powerplay: correct power reading on fiji
drm/amd/display: don't call dm_pp_ function from an fpu block
KVM: Call kvm_arch_memslots_updated() before updating memslots
KVM: x86/mmu: Detect MMIO generation wrap in any address space
KVM: x86/mmu: Do not cache MMIO accesses while memslots are in flux
KVM: nVMX: Sign extend displacements of VMX instr's mem operands
KVM: nVMX: Apply addr size mask to effective address for VMX instructions
KVM: nVMX: Ignore limit checks on VMX instructions using flat segments
bcache: use (REQ_META|REQ_PRIO) to indicate bio for metadata
s390/setup: fix boot crash for machine without EDAT-1
Linux 4.19.31
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 660899ddf06ae8bb5bbbd0a19418b739375430c5 ]
After moving an XFRM interface to another namespace it stays associated
with the original namespace (net in `struct xfrm_if` and the list keyed
with `xfrmi_net_id`), allowing processes in the new namespace to use
SAs/policies that were created in the original namespace. For instance,
this allows a keying daemon in one namespace to establish IPsec SAs for
other namespaces without processes there having access to the keys or IKE
credentials.
This worked fine for outbound traffic, however, for inbound traffic the
lookup for the interfaces and the policies used the incorrect namespace
(the one the XFRM interface was moved to).
Fixes: f203b76d78 ("xfrm: Add virtual xfrm interfaces")
Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlxmZdUACgkQONu9yGCS
aT7dtg/9G+mhds8xaPiFxqd+0np4NJ01neNeAvF5Mosf5OMC9yDgNe8iZqrfjXCG
aJ/1mmnT+VXLihEZnjTrLuIOLF9iO83820lOwafPJWina8r6a0I2Uly+52Znv8Vz
+Y860MQO4JncWcqBKR2En2690HgNLVv3zg3iDtYx/fzrDaq0gvtFHQFUJzjWp0yT
vxmWMmEkEPVJfRLaRIb5Mgtmo5y4lpLeCZNj67Q/FKR0qPdTvnmqS8yS9O/CK1kR
cdckosanno/HtbR2dhMrqyYuWmqj7JGAb4cCsvD2Y5X25ooFY/NRUSzxb6xSH1o8
+xk7daqXZ75cnIA5DlJZJJFq5i8iUvltCQGTquk+nRXlDINwOvWxOuxNhWcEzR7Y
pmp8A/mC/w5vat96rvpA3HmIrLLZC5ZLSYtSB1kuTDRKm7NZW1sT6u4kwPKvXJci
S42QK4hJDmKzt+rWegu4K8kBQ8ihrOyERxtXA8xKG2VSaWvwSxrTFa/gInWrlB5W
vswYWmul/8f6bpBIj+L+rYvJdaYFnSXhOobliCoUFK4ZQpQK8Vr/uAwPU7yamHh+
3r40NzSpULfLHSEcSKYu4EII8hppaSosP37dHjGKET6bs4sOS2rTQVik/NfOHs3u
fBIDIxklkBAcgOvue23KuD7xbAXONZI966qYoHExZOS5nDLlzVo=
=tekf
-----END PGP SIGNATURE-----
Merge 4.19.22 into android-4.19
Changes in 4.19.22
mtd: Make sure mtd->erasesize is valid even if the partition is of size 0
mtd: spinand: Handle the case where PROGRAM LOAD does not reset the cache
mtd: spinand: Fix the error/cleanup path in spinand_init()
mtd: rawnand: gpmi: fix MX28 bus master lockup problem
libata: Add NOLPM quirk for SAMSUNG MZ7TE512HMHP-000L1 SSD
tools: iio: iio_generic_buffer: make num_loops signed
iio: adc: axp288: Fix TS-pin handling
iio: chemical: atlas-ph-sensor: correct IIO_TEMP values to millicelsius
iio: ti-ads8688: Update buffer allocation for timestamps
signal: Always notice exiting tasks
signal: Better detection of synchronous signals
misc: vexpress: Off by one in vexpress_syscfg_exec()
mei: me: add ice lake point device id.
samples: mei: use /dev/mei0 instead of /dev/mei
debugfs: fix debugfs_rename parameter checking
pinctrl: sunxi: Correct number of IRQ banks on H6 main pin controller
pinctrl: cherryview: fix Strago DMI workaround
tracing: uprobes: Fix typo in pr_fmt string
mips: cm: reprime error cause
MIPS: OCTEON: don't set octeon_dma_bar_type if PCI is disabled
MIPS: VDSO: Use same -m%-float cflag as the kernel proper
mips: loongson64: remove unreachable(), fix loongson_poweroff().
MIPS: VDSO: Include $(ccflags-vdso) in o32,n32 .lds builds
ARM: iop32x/n2100: fix PCI IRQ mapping
ARM: tango: Improve ARCH_MULTIPLATFORM compatibility
ARM: dts: da850: fix interrupt numbers for clocksource
firmware: arm_scmi: provide the mandatory device release callback
powerpc/radix: Fix kernel crash with mremap()
mic: vop: Fix use-after-free on remove
mac80211: ensure that mgmt tx skbs have tailroom for encryption
drm/modes: Prevent division by zero htotal
drm/amd/powerplay: Fix missing break in switch
drm/i915: always return something on DDI clock selection
drm/vmwgfx: Fix setting of dma masks
drm/vmwgfx: Return error code from vmw_execbuf_copy_fence_user
SUNRPC: Always drop the XPRT_LOCK on XPRT_CLOSE_WAIT
xfrm: Make set-mark default behavior backward compatible
Revert "ext4: use ext4_write_inode() when fsyncing w/o a journal"
libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive()
xfrm: refine validation of template and selector families
batman-adv: Avoid WARN on net_device without parent in netns
batman-adv: Force mac header to start of data on xmit
svcrdma: Reduce max_send_sges
svcrdma: Remove max_sge check at connect time
Linux 4.19.22
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 35e6103861a3a970de6c84688c6e7a1f65b164ca upstream.
The check assumes that in transport mode, the first templates family
must match the address family of the policy selector.
Syzkaller managed to build a template using MODE_ROUTEOPTIMIZATION,
with ipv4-in-ipv6 chain, leading to following splat:
BUG: KASAN: stack-out-of-bounds in xfrm_state_find+0x1db/0x1854
Read of size 4 at addr ffff888063e57aa0 by task a.out/2050
xfrm_state_find+0x1db/0x1854
xfrm_tmpl_resolve+0x100/0x1d0
xfrm_resolve_and_create_bundle+0x108/0x1000 [..]
Problem is that addresses point into flowi4 struct, but xfrm_state_find
treats them as being ipv6 because it uses templ->encap_family is used
(AF_INET6 in case of reproducer) rather than family (AF_INET).
This patch inverts the logic: Enforce 'template family must match
selector' EXCEPT for tunnel and BEET mode.
In BEET and Tunnel mode, xfrm_tmpl_resolve_one will have remote/local
address pointers changed to point at the addresses found in the template,
rather than the flowi ones, so no oob read will occur.
Reported-by: 3ntr0py1337@gmail.com
Reported-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e2612cd496e7b465711d219ea6118893d7253f52 upstream.
Fixes 9b42c1f179, which changed the default route lookup behavior for
tunnel mode SAs in the outbound direction to use the skb mark, whereas
previously mark=0 was used if the output mark was unspecified. In
mark-based routing schemes such as Android’s, this change in default
behavior causes routing loops or lookup failures.
This patch restores the default behavior of using a 0 mark while still
incorporating the skb mark if the SET_MARK (and SET_MARK_MASK) is
specified.
Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/860150
Fixes: 9b42c1f179 ("xfrm: Extend the output_mark to support input direction and masking")
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fixes 9b42c1f, which changed the default route lookup behavior for
tunnel mode SAs in the outbound direction to use the skb mark, whereas
previously mark=0 was used if the output mark was unspecified. In
mark-based routing schemes such as Android’s, this change in default
behavior causes routing loops or lookup failures.
This patch restores the default behavior of using a 0 mark while still
incorporating the skb mark if the SET_MARK (and SET_MARK_MASK) is
specified.
Tested with additions to Android's kernel unit test suite:
https://android-review.googlesource.com/c/kernel/tests/+/860150
Fixes: 9b42c1f ("xfrm: Extend the output_mark to support input direction and masking")
Signed-off-by: Benedict Wong <benedictwong@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
(cherry picked from commit e2612cd496e7b465711d219ea6118893d7253f52)
Bug: 122236988
Test: Passes kernel tests
Change-Id: I1289b5b7b1eb93c6d99a0ba7d28e24c3eb25883d
Signed-off-by: Benedict Wong <benedictwong@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlw6+/8ACgkQONu9yGCS
aT6VKw/9FUsbfy4MzFMH4XmTn/k9AHhcYdQ+gSEIcJbt/JLT13fU64e/O8QlQ3PF
5GWNY5ObA+HKlReCufSuW+AuAw5s/FLVaGLn8HZQ/FU27ZgTrGpFjb3vcnYSjsU0
vurXjstzndiRmpSahNufU6t2X7fkgyd41M94572pyidcT5NcP+ngVICwXtQOsXjH
QkIaMZHTmr4le0Z1oNvDraNkESJnxo7+D2eJebx5yDReD/Mdm3gAl2q0UkDXpZzk
qb3tH1oronm7ZfiEBCZYrewxMfz78ugJW3hpOu//JCbrVI2Ja0sBSh3VB6EFceoY
WI9z8JkZ3xQeLQnCdiabdQ66mGQa9XiLUwj7+sR//P7OduwJEv8HTYpDi8iqA6Vj
SigQmjEunjSHccqBWaPy1ZMAIXoNWQBC4EJ2erv3pAPyJr2FBw9o2Bmu6JAV18ow
iX94YnQtllZp8cJsEKEUWEmXZPLcTy6mXLMLoQ922P4p4KRJVQUhde4EeZZLFn27
6sPwASnrfEW9RS/i1XuxdDPbnMYg6uE0UoRfxp1tAUBKaVArjMglyIAj7t9GA07W
4480c3AegmDFZ+GxX+w5+duKRZnxBi+sHw8aBbZRi5m9mlxeFCSWSe0hPPRR2LIQ
fZrFySHmgbl1NtTP4cvZOb7bTxoyfjcIQfiqu7cwNsYGXtbfOuk=
=A6Ro
-----END PGP SIGNATURE-----
Merge 4.19.15 into android-4.19
Changes in 4.19.15
ARM: dts: sun8i: a83t: bananapi-m3: increase vcc-pd voltage to 3.3V
pinctrl: meson: fix pull enable register calculation
arm64: dts: mt7622: fix no more console output on rfb1
powerpc: Fix COFF zImage booting on old powermacs
powerpc/mm: Fix linux page tables build with some configs
HID: ite: Add USB id match for another ITE based keyboard rfkill key quirk
ARM: dts: imx7d-pico: Describe the Wifi clock
ARM: imx: update the cpu power up timing setting on i.mx6sx
ARM: dts: imx7d-nitrogen7: Fix the description of the Wifi clock
IB/mlx5: Block DEVX umem from the non applicable cases
Input: restore EV_ABS ABS_RESERVED
powerpc/mm: Fallback to RAM if the altmap is unusable
drm/amdgpu: Fix DEBUG_LOCKS_WARN_ON(depth <= 0) in amdgpu_ctx.lock
IB/core: Fix oops in netdev_next_upper_dev_rcu()
checkstack.pl: fix for aarch64
xfrm: Fix error return code in xfrm_output_one()
xfrm: Fix bucket count reported to userspace
xfrm: Fix NULL pointer dereference in xfrm_input when skb_dst_force clears the dst_entry.
ieee802154: hwsim: fix off-by-one in parse nested
netfilter: nf_tables: fix suspicious RCU usage in nft_chain_stats_replace()
netfilter: seqadj: re-load tcp header pointer after possible head reallocation
Revert "scsi: qla2xxx: Fix NVMe Target discovery"
scsi: bnx2fc: Fix NULL dereference in error handling
Input: omap-keypad - fix idle configuration to not block SoC idle states
Input: synaptics - enable RMI on ThinkPad T560
ibmvnic: Convert reset work item mutex to spin lock
ibmvnic: Fix non-atomic memory allocation in IRQ context
ieee802154: ca8210: fix possible u8 overflow in ca8210_rx_done
x86/mm: Fix guard hole handling
x86/dump_pagetables: Fix LDT remap address marker
i40e: fix mac filter delete when setting mac address
ixgbe: Fix race when the VF driver does a reset
netfilter: ipset: do not call ipset_nest_end after nla_nest_cancel
netfilter: nat: can't use dst_hold on noref dst
netfilter: nf_conncount: use rb_link_node_rcu() instead of rb_link_node()
bnx2x: Clear fip MAC when fcoe offload support is disabled
bnx2x: Remove configured vlans as part of unload sequence.
bnx2x: Send update-svid ramrod with retry/poll flags enabled
scsi: target: iscsi: cxgbit: fix csk leak
scsi: target: iscsi: cxgbit: add missing spin_lock_init()
mt76: fix potential NULL pointer dereference in mt76_stop_tx_queues
x86, hyperv: remove PCI dependency
drivers: net: xgene: Remove unnecessary forward declarations
net/tls: Init routines in create_ctx
w90p910_ether: remove incorrect __init annotation
net: hns: Incorrect offset address used for some registers.
net: hns: All ports can not work when insmod hns ko after rmmod.
net: hns: Some registers use wrong address according to the datasheet.
net: hns: Fixed bug that netdev was opened twice
net: hns: Clean rx fbd when ae stopped.
net: hns: Free irq when exit from abnormal branch
net: hns: Avoid net reset caused by pause frames storm
net: hns: Fix ntuple-filters status error.
net: hns: Add mac pcs config when enable|disable mac
net: hns: Fix ping failed when use net bridge and send multicast
mac80211: fix a kernel panic when TXing after TXQ teardown
SUNRPC: Fix a race with XPRT_CONNECTING
qed: Fix an error code qed_ll2_start_xmit()
net: macb: fix random memory corruption on RX with 64-bit DMA
net: macb: fix dropped RX frames due to a race
net: macb: add missing barriers when reading descriptors
lan743x: Expand phy search for LAN7431
lan78xx: Resolve issue with changing MAC address
vxge: ensure data0 is initialized in when fetching firmware version information
nl80211: fix memory leak if validate_pae_over_nl80211() fails
mac80211: free skb fraglist before freeing the skb
kbuild: fix false positive warning/error about missing libelf
m68k: Fix memblock-related crashes
virtio: fix test build after uio.h change
lan743x: Remove MAC Reset from initialization
gpio: mvebu: only fail on missing clk if pwm is actually to be used
Input: synaptics - enable SMBus for HP EliteBook 840 G4
net: netxen: fix a missing check and an uninitialized use
qmi_wwan: Fix qmap header retrieval in qmimux_rx_fixup
serial/sunsu: fix refcount leak
auxdisplay: charlcd: fix x/y command parsing
scsi: zfcp: fix posting too many status read buffers leading to adapter shutdown
scsi: lpfc: do not set queue->page_count to 0 if pc_sli4_params.wqpcnt is invalid
fork: record start_time late
zram: fix double free backing device
hwpoison, memory_hotplug: allow hwpoisoned pages to be offlined
mm, devm_memremap_pages: mark devm_memremap_pages() EXPORT_SYMBOL_GPL
mm, devm_memremap_pages: kill mapping "System RAM" support
mm, devm_memremap_pages: fix shutdown handling
mm, devm_memremap_pages: add MEMORY_DEVICE_PRIVATE support
mm, hmm: use devm semantics for hmm_devmem_{add, remove}
mm, hmm: mark hmm_devmem_{add, add_resource} EXPORT_SYMBOL_GPL
mm, swap: fix swapoff with KSM pages
memcg, oom: notify on oom killer invocation from the charge path
sunrpc: fix cache_head leak due to queued request
sunrpc: use SVC_NET() in svcauth_gss_* functions
powerpc: remove old GCC version checks
powerpc: consolidate -mno-sched-epilog into FTRACE flags
powerpc: avoid -mno-sched-epilog on GCC 4.9 and newer
powerpc: Disable -Wbuiltin-requires-header when setjmp is used
kbuild: add -no-integrated-as Clang option unconditionally
kbuild: consolidate Clang compiler flags
Makefile: Export clang toolchain variables
powerpc/boot: Set target when cross-compiling for clang
raid6/ppc: Fix build for clang
dma-direct: do not include SME mask in the DMA supported check
mt76x0: init hw capabilities
media: cx23885: only reset DMA on problematic CPUs
ALSA: cs46xx: Potential NULL dereference in probe
ALSA: usb-audio: Avoid access before bLength check in build_audio_procunit()
ALSA: usb-audio: Check mixer unit descriptors more strictly
ALSA: usb-audio: Fix an out-of-bound read in create_composite_quirks
ALSA: usb-audio: Always check descriptor sizes in parser code
srcu: Lock srcu_data structure in srcu_gp_start()
driver core: Add missing dev->bus->need_parent_lock checks
Fix failure path in alloc_pid()
block: deactivate blk_stat timer in wbt_disable_default()
block: mq-deadline: Fix write completion handling
dlm: fixed memory leaks after failed ls_remove_names allocation
dlm: possible memory leak on error path in create_lkb()
dlm: lost put_lkb on error path in receive_convert() and receive_unlock()
dlm: memory leaks on error path in dlm_user_request()
gfs2: Get rid of potential double-freeing in gfs2_create_inode
gfs2: Fix loop in gfs2_rbm_find
b43: Fix error in cordic routine
selinux: policydb - fix byte order and alignment issues
PCI / PM: Allow runtime PM without callback functions
lockd: Show pid of lockd for remote locks
nfsd4: zero-length WRITE should succeed
arm64: drop linker script hack to hide __efistub_ symbols
arm64: relocatable: fix inconsistencies in linker script and options
leds: pwm: silently error out on EPROBE_DEFER
Revert "powerpc/tm: Unset MSR[TS] if not recheckpointing"
powerpc/tm: Set MSR[TS] just prior to recheckpoint
iio: dac: ad5686: fix bit shift read register
9p/net: put a lower bound on msize
rxe: fix error completion wr_id and qp_num
RDMA/srpt: Fix a use-after-free in the channel release code
iommu/vt-d: Handle domain agaw being less than iommu agaw
sched/fair: Fix infinite loop in update_blocked_averages() by reverting a9e7f6544b
ceph: don't update importing cap's mseq when handing cap export
video: fbdev: pxafb: Fix "WARNING: invalid free of devm_ allocated data"
drivers/perf: hisi: Fixup one DDRC PMU register offset
genwqe: Fix size check
intel_th: msu: Fix an off-by-one in attribute store
power: supply: olpc_battery: correct the temperature units
of: of_node_get()/of_node_put() nodes held in phandle cache
of: __of_detach_node() - remove node from phandle cache
lib: fix build failure in CONFIG_DEBUG_VIRTUAL test
drm/nouveau/drm/nouveau: Check rc from drm_dp_mst_topology_mgr_resume()
drm/vc4: Set ->is_yuv to false when num_planes == 1
drm/rockchip: psr: do not dereference encoder before it is null checked.
drm/amd/display: Fix unintialized max_bpc state values
bnx2x: Fix NULL pointer dereference in bnx2x_del_all_vlans() on some hw
Linux 4.19.15
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 0152eee6fc3b84298bb6a79961961734e8afa5b8 ]
Since commit 222d7dbd25 ("net: prevent dst uses after free")
skb_dst_force() might clear the dst_entry attached to the skb.
The xfrm code doesn't expect this to happen, so we crash with
a NULL pointer dereference in this case.
Fix it by checking skb_dst(skb) for NULL after skb_dst_force()
and drop the packet in case the dst_entry was cleared. We also
move the skb_dst_force() to a codepath that is not used when
the transformation was offloaded, because in this case we
don't have a dst_entry attached to the skb.
The output and forwarding path was already fixed by
commit 9e14379378 ("xfrm: Fix NULL pointer dereference when
skb_dst_force clears the dst_entry.")
Fixes: 222d7dbd25 ("net: prevent dst uses after free")
Reported-by: Jean-Philippe Menil <jpmenil@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ca92e173ab34a4f7fc4128bd372bd96f1af6f507 ]
sadhcnt is reported by `ip -s xfrm state count` as "buckets count", not the
hash mask.
Fixes: 28d8909bc7 ("[XFRM]: Export SAD info.")
Signed-off-by: Benjamin Poirier <bpoirier@suse.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 533555e5cbb6aa2d77598917871ae5b579fe724b ]
xfrm_output_one() does not return a error code when there is
no dst_entry attached to the skb, it is still possible crash
with a NULL pointer dereference in xfrm_output_resume(). Fix
it by return error code -EHOSTUNREACH.
Fixes: 9e14379378 ("xfrm: Fix NULL pointer dereference when skb_dst_force clears the dst_entry.")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlwnaqgACgkQONu9yGCS
aT5BPA//TXG7P4K4Nor0eu6CLJ8KaO3wZSneHUp+cV3/zZsPe/6K4pgwz5Kmho7R
ii82FuXKTwqr+CLegkGlwF01q/HFT7u487Yz1eqdrf3oqvjQjC9+ut/qO//9JePd
OLZCCrPtFqWT8ClpHhxWA3skYx9UsnBxseUFE+cMCuTVin1/YGQc/xV6CQBgZfs3
V3dfmv9D1lCZ1nlvgEHh+VMvqlvnBEgUufLYZZEb6yK9GVQuRk+piXMf2rxm1RuN
aBZHVI4tdHhYkEbhQ46ADaPLBghNeSoa2bIBnHu0G1YO+oRewQlVM/rEvMv+XOdX
GoRSX1fNYZUjI0u6EsDw0WPBILoJaLmXF8bIH3hTmTkTev4Vslyiuz0SJNwLwrkx
0Zzg2D+AF9MdvO4EBwoAnqwzO2lM6WkIsHp85NMymggp5+VL1yuuo0kr7OMw51Rl
U5ReIwcq+7TZp3WtqUQHEGO5TOfPoAdW8sINcQeWTjod6c3EHPxmvrS8EE6KgPI1
o+jE2j+uxUbgzzeq4ovJvsJj28WKqZ0jCLyMozCN6hpzki+S5qzNHYMYz3quZGQH
GN82w5cZGrtPFHAm1Ft5hVB+uS9vj6+84jIprFVYwPnBN6f5tK8Rjsz5cJ5Oh7UW
q5EAuLxcLt+5v2TMYlZRNLg/fzZBS3FnZy0KLx8XSJ+jm6E4LM0=
=GR64
-----END PGP SIGNATURE-----
Merge 4.19.13 into android-4.19
Changes in 4.19.13
iomap: Revert "fs/iomap.c: get/put the page in iomap_page_create/release()"
Revert "vfs: Allow userns root to call mknod on owned filesystems."
USB: hso: Fix OOB memory access in hso_probe/hso_get_config_data
xhci: Don't prevent USB2 bus suspend in state check intended for USB3 only
USB: xhci: fix 'broken_suspend' placement in struct xchi_hcd
USB: serial: option: add GosunCn ZTE WeLink ME3630
USB: serial: option: add HP lt4132
USB: serial: option: add Simcom SIM7500/SIM7600 (MBIM mode)
USB: serial: option: add Fibocom NL668 series
USB: serial: option: add Telit LN940 series
ubifs: Handle re-linking of inodes correctly while recovery
scsi: t10-pi: Return correct ref tag when queue has no integrity profile
scsi: sd: use mempool for discard special page
mmc: core: Reset HPI enabled state during re-init and in case of errors
mmc: core: Allow BKOPS and CACHE ctrl even if no HPI support
mmc: core: Use a minimum 1600ms timeout when enabling CACHE ctrl
mmc: omap_hsmmc: fix DMA API warning
gpio: max7301: fix driver for use with CONFIG_VMAP_STACK
gpiolib-acpi: Only defer request_irq for GpioInt ACPI event handlers
posix-timers: Fix division by zero bug
KVM: X86: Fix NULL deref in vcpu_scan_ioapic
kvm: x86: Add AMD's EX_CFG to the list of ignored MSRs
KVM: Fix UAF in nested posted interrupt processing
Drivers: hv: vmbus: Return -EINVAL for the sys files for unopened channels
futex: Cure exit race
x86/mtrr: Don't copy uninitialized gentry fields back to userspace
x86/mm: Fix decoy address handling vs 32-bit builds
x86/vdso: Pass --eh-frame-hdr to the linker
x86/intel_rdt: Ensure a CPU remains online for the region's pseudo-locking sequence
panic: avoid deadlocks in re-entrant console drivers
mm: add mm_pxd_folded checks to pgtable_bytes accounting functions
mm: make the __PAGETABLE_PxD_FOLDED defines non-empty
mm: introduce mm_[p4d|pud|pmd]_folded
xfrm_user: fix freeing of xfrm states on acquire
rtlwifi: Fix leak of skb when processing C2H_BT_INFO
iwlwifi: mvm: don't send GEO_TX_POWER_LIMIT to old firmwares
Revert "mwifiex: restructure rx_reorder_tbl_lock usage"
iwlwifi: add new cards for 9560, 9462, 9461 and killer series
media: ov5640: Fix set format regression
mm, memory_hotplug: initialize struct pages for the full memory section
mm: thp: fix flags for pmd migration when split
mm, page_alloc: fix has_unmovable_pages for HugePages
mm: don't miss the last page because of round-off error
Input: elantech - disable elan-i2c for P52 and P72
proc/sysctl: don't return ENOMEM on lookup when a table is unregistering
drm/ioctl: Fix Spectre v1 vulnerabilities
Linux 4.19.13
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Greg Kroah-Hartman
Huy Nguyen
Xin Long
Nicolas Dichtel
YueHaibing
Raed Salem
Xu Wang
Xiaodong Xu
Steffen Klassert
Li RongQing
Tri Vo
Arnd Bergmann
Anirudh Gupta
Martin Willi
Cong Wang
Tobias Brunner
Florian Westphal
Benedict Wong
Benjamin Poirier
Wei Yongjun