-----BEGIN PGP SIGNATURE-----
iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAl78APEACgkQ3qZv95d3
LNyt+w/+PkFP8++ZsiI6GegXraxVbGuY4ndXroXAiTYa0uZjdsIhqJpgyVsJ/pbq
jU/Hcfv8a0UGme7Hqy61KwN6aaCpM27zxE3aV/N9othtJWn59hiB51CyCcKMrjxK
Mj6PN+yHxLPzCNBszEvOsICsBQt9HtJB11gcbJQPJ2skriVxSER0QrZi2s5jJuoS
vVbxfRngXCnzTsxmpbYjMh1sE9/z/dNpCuyQ13f1MPAPpWFP1SxmMUfknXEO8gkF
ThRIhI6uHDucAQxhP42McBsuoP64KfB90fKzFEuWmlit4OCmqW9subTeaI8V1muK
CxkPqwRnyYmqbAM9auRwbJxtYfT0ONtDZj4zbLulq4qMTJF650968RQNIW+B1K3C
jika93Am0YbNPOyq3m9Ac96NaTFjjhpIzu13P6xUQNf3/ydPKY9PHif2CnWCHPsX
BO9fap7gsWHa88khjEGYXwcQCOC+UzQlcsT6CsWPTUTmcLObHiv863Rqm7LpXjit
9gjKlNHdP6U0q+bz5aiiEtoNJ/2ZDwoz1I+srbrk7QMdVzAn+uRRtLRQxmJtryw1
oTnJJu0iv9Zspn/PFXwlrpsYDDEBFfXFWvC+izfz8nm8CPFKgH9G96XNefcXlI9e
3qxjDpkFb74R6ovnWKtJY8pR1qX/5TRC0/+/WpbZBILqW4Z0k5w=
=YVa/
-----END PGP SIGNATURE-----
Merge 4.19.131 into android-4.19-stable
Changes in 4.19.131
net: be more gentle about silly gso requests coming from user
block/bio-integrity: don't free 'buf' if bio_integrity_add_page() failed
fanotify: fix ignore mask logic for events on child and on dir
mtd: rawnand: marvell: Fix the condition on a return code
net: bcmgenet: remove HFB_CTRL access
net: sched: export __netdev_watchdog_up()
EDAC/amd64: Add Family 17h Model 30h PCI IDs
i2c: tegra: Cleanup kerneldoc comments
i2c: tegra: Add missing kerneldoc for some fields
i2c: tegra: Fix Maximum transfer size
fix a braino in "sparc32: fix register window handling in genregs32_[gs]et()"
ALSA: hda/realtek - Enable the headset of ASUS B9450FA with ALC294
ALSA: hda/realtek: Enable mute LED on an HP system
ALSA: hda/realtek - Enable micmute LED on and HP system
apparmor: don't try to replace stale label in ptraceme check
ibmveth: Fix max MTU limit
mld: fix memory leak in ipv6_mc_destroy_dev()
net: bridge: enfore alignment for ethernet address
net: fix memleak in register_netdevice()
net: place xmit recursion in softnet data
net: use correct this_cpu primitive in dev_recursion_level
net: increment xmit_recursion level in dev_direct_xmit()
net: usb: ax88179_178a: fix packet alignment padding
rocker: fix incorrect error handling in dma_rings_init
rxrpc: Fix notification call on completion of discarded calls
sctp: Don't advertise IPv4 addresses if ipv6only is set on the socket
tcp: don't ignore ECN CWR on pure ACK
tcp: grow window for OOO packets only for SACK flows
tg3: driver sleeps indefinitely when EEH errors exceed eeh_max_freezes
ip6_gre: fix use-after-free in ip6gre_tunnel_lookup()
net: phy: Check harder for errors in get_phy_id()
ip_tunnel: fix use-after-free in ip_tunnel_lookup()
sch_cake: don't try to reallocate or unshare skb unconditionally
sch_cake: fix a few style nits
tcp_cubic: fix spurious HYSTART_DELAY exit upon drop in min RTT
sch_cake: don't call diffserv parsing code when it is not needed
net: Fix the arp error in some cases
net: Do not clear the sock TX queue in sk_set_socket()
net: core: reduce recursion limit value
USB: ohci-sm501: Add missed iounmap() in remove
usb: dwc2: Postponed gadget registration to the udc class driver
usb: add USB_QUIRK_DELAY_INIT for Logitech C922
USB: ehci: reopen solution for Synopsys HC bug
usb: host: xhci-mtk: avoid runtime suspend when removing hcd
xhci: Poll for U0 after disabling USB2 LPM
usb: host: ehci-exynos: Fix error check in exynos_ehci_probe()
usb: typec: tcpci_rt1711h: avoid screaming irq causing boot hangs
ALSA: usb-audio: add quirk for Denon DCD-1500RE
ALSA: usb-audio: add quirk for Samsung USBC Headset (AKG)
ALSA: usb-audio: Fix OOB access of mixer element list
scsi: zfcp: Fix panic on ERP timeout for previously dismissed ERP action
xhci: Fix incorrect EP_STATE_MASK
xhci: Fix enumeration issue when setting max packet size for FS devices.
xhci: Return if xHCI doesn't support LPM
cdc-acm: Add DISABLE_ECHO quirk for Microchip/SMSC chip
loop: replace kill_bdev with invalidate_bdev
IB/mad: Fix use after free when destroying MAD agent
cifs/smb3: Fix data inconsistent when punch hole
cifs/smb3: Fix data inconsistent when zero file range
xfrm: Fix double ESP trailer insertion in IPsec crypto offload.
ASoC: q6asm: handle EOS correctly
efi/esrt: Fix reference count leak in esre_create_sysfs_entry.
regualtor: pfuze100: correct sw1a/sw2 on pfuze3000
ASoC: fsl_ssi: Fix bclk calculation for mono channel
ARM: dts: Fix duovero smsc interrupt for suspend
x86/resctrl: Fix a NULL vs IS_ERR() static checker warning in rdt_cdp_peer_get()
regmap: Fix memory leak from regmap_register_patch
ARM: dts: NSP: Correct FA2 mailbox node
rxrpc: Fix handling of rwind from an ACK packet
RDMA/qedr: Fix KASAN: use-after-free in ucma_event_handler+0x532
RDMA/cma: Protect bind_list and listen_list while finding matching cm id
ASoC: rockchip: Fix a reference count leak.
RDMA/mad: Fix possible memory leak in ib_mad_post_receive_mads()
net: qed: fix left elements count calculation
net: qed: fix NVMe login fails over VFs
net: qed: fix excessive QM ILT lines consumption
cxgb4: move handling L2T ARP failures to caller
ARM: imx5: add missing put_device() call in imx_suspend_alloc_ocram()
usb: gadget: udc: Potential Oops in error handling code
netfilter: ipset: fix unaligned atomic access
net: bcmgenet: use hardware padding of runt frames
i2c: fsi: Fix the port number field in status register
i2c: core: check returned size of emulated smbus block read
sched/deadline: Initialize ->dl_boosted
sched/core: Fix PI boosting between RT and DEADLINE tasks
sata_rcar: handle pm_runtime_get_sync failure cases
ata/libata: Fix usage of page address by page_address in ata_scsi_mode_select_xlat function
drm/amd/display: Use kfree() to free rgb_user in calculate_user_regamma_ramp()
riscv/atomic: Fix sign extension for RV64I
hwrng: ks-sa - Fix runtime PM imbalance on error
ibmvnic: Harden device login requests
net: alx: fix race condition in alx_remove
s390/ptrace: fix setting syscall number
s390/vdso: fix vDSO clock_getres()
arm64: sve: Fix build failure when ARM64_SVE=y and SYSCTL=n
kbuild: improve cc-option to clean up all temporary files
blktrace: break out of blktrace setup on concurrent calls
RISC-V: Don't allow write+exec only page mapping request in mmap
ALSA: hda: Add NVIDIA codec IDs 9a & 9d through a0 to patch table
ALSA: hda/realtek - Add quirk for MSI GE63 laptop
ACPI: sysfs: Fix pm_profile_attr type
erofs: fix partially uninitialized misuse in z_erofs_onlinepage_fixup
KVM: X86: Fix MSR range of APIC registers in X2APIC mode
KVM: nVMX: Plumb L2 GPA through to PML emulation
x86/asm/64: Align start of __clear_user() loop to 16-bytes
btrfs: fix data block group relocation failure due to concurrent scrub
btrfs: fix failure of RWF_NOWAIT write into prealloc extent beyond eof
mm/slab: use memzero_explicit() in kzfree()
ocfs2: avoid inode removal while nfsd is accessing it
ocfs2: load global_inode_alloc
ocfs2: fix value of OCFS2_INVALID_SLOT
ocfs2: fix panic on nfs server over ocfs2
arm64: perf: Report the PC value in REGS_ABI_32 mode
tracing: Fix event trigger to accept redundant spaces
ring-buffer: Zero out time extend if it is nested and not absolute
drm: rcar-du: Fix build error
drm/radeon: fix fb_div check in ni_init_smc_spll_table()
Staging: rtl8723bs: prevent buffer overflow in update_sta_support_rate()
sunrpc: fixed rollback in rpc_gssd_dummy_populate()
SUNRPC: Properly set the @subbuf parameter of xdr_buf_subsegment()
pNFS/flexfiles: Fix list corruption if the mirror count changes
NFSv4 fix CLOSE not waiting for direct IO compeletion
dm writecache: correct uncommitted_block when discarding uncommitted entry
dm writecache: add cond_resched to loop in persistent_memory_claim()
xfs: add agf freeblocks verify in xfs_agf_verify
Revert "tty: hvc: Fix data abort due to race in hvc_open"
Linux 4.19.131
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I2c5abdfc2979e50d441bb0e0bcd499e03c61cefd
commit 89a3c9f5b9f0bcaa9aea3e8b2a616fcaea9aad78 upstream.
@subbuf is an output parameter of xdr_buf_subsegment(). A survey of
call sites shows that @subbuf is always uninitialized before
xdr_buf_segment() is invoked by callers.
There are some execution paths through xdr_buf_subsegment() that do
not set all of the fields in @subbuf, leaving some pointer fields
containing garbage addresses. Subsequent processing of that buffer
then results in a page fault.
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b7ade38165ca0001c5a3bd5314a314abbbfbb1b7 upstream.
__rpc_depopulate(gssd_dentry) was lost on error path
cc: stable@vger.kernel.org
Fixes: commit 4b9a445e3e ("sunrpc: create a new dummy pipe for gssd to hold open")
Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 715028460082d07a7ec6fcd87b14b46784346a72 ]
When using ip_set with counters and comment, traffic causes the kernel
to panic on 32-bit ARM:
Alignment trap: not handling instruction e1b82f9f at [<bf01b0dc>]
Unhandled fault: alignment exception (0x221) at 0xea08133c
PC is at ip_set_match_extensions+0xe0/0x224 [ip_set]
The problem occurs when we try to update the 64-bit counters - the
faulting address above is not 64-bit aligned. The problem occurs
due to the way elements are allocated, for example:
set->dsize = ip_set_elem_len(set, tb, 0, 0);
map = ip_set_alloc(sizeof(*map) + elements * set->dsize);
If the element has a requirement for a member to be 64-bit aligned,
and set->dsize is not a multiple of 8, but is a multiple of four,
then every odd numbered elements will be misaligned - and hitting
an atomic64_add() on that element will cause the kernel to panic.
ip_set_elem_len() must return a size that is rounded to the maximum
alignment of any extension field stored in the element. This change
ensures that is the case.
Fixes: 95ad1f4a93 ("netfilter: ipset: Fix extension alignment")
Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a2ad7c21ad8cf1ce4ad65e13df1c2a1c29b38ac5 ]
The handling of the receive window size (rwind) from a received ACK packet
is not correct. The rxrpc_input_ackinfo() function currently checks the
current Tx window size against the rwind from the ACK to see if it has
changed, but then limits the rwind size before storing it in the tx_winsize
member and, if it increased, wake up the transmitting process. This means
that if rwind > RXRPC_RXTX_BUFF_SIZE - 1, this path will always be
followed.
Fix this by limiting rwind before we compare it to tx_winsize.
The effect of this can be seen by enabling the rxrpc_rx_rwind_change
tracepoint.
Fixes: 702f2ac87a ("rxrpc: Wake up the transmitter if Rx window size increases on the peer")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 94579ac3f6d0820adc83b5dc5358ead0158101e9 ]
During IPsec performance testing, we see bad ICMP checksum. The error packet
has duplicated ESP trailer due to double validate_xmit_xfrm calls. The first call
is from ip_output, but the packet cannot be sent because
netif_xmit_frozen_or_stopped is true and the packet gets dev_requeue_skb. The second
call is from NET_TX softirq. However after the first call, the packet already
has the ESP trailer.
Fix by marking the skb with XFRM_XMIT bit after the packet is handled by
validate_xmit_xfrm to avoid duplicate ESP trailer insertion.
Fixes: f6e27114a6 ("net: Add a xfrm validate function to validate_xmit_skb")
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Reviewed-by: Raed Salem <raeds@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 41b14fb8724d5a4b382a63cb4a1a61880347ccb8 ]
Clearing the sock TX queue in sk_set_socket() might cause unexpected
out-of-order transmit when called from sock_orphan(), as outstanding
packets can pick a different TX queue and bypass the ones already queued.
This is undesired in general. More specifically, it breaks the in-order
scheduling property guarantee for device-offloaded TLS sockets.
Remove the call to sk_tx_queue_clear() in sk_set_socket(), and add it
explicitly only where needed.
Fixes: e022f0b4a0 ("net: Introduce sk_tx_queue_mapping")
Signed-off-by: Tariq Toukan <tariqt@mellanox.com>
Reviewed-by: Boris Pismenny <borisp@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 5eea3a63ff4aba6a26002e657a6d21934b7e2b96 ]
ie.,
$ ifconfig eth0 6.6.6.6 netmask 255.255.255.0
$ ip rule add from 6.6.6.6 table 6666
$ ip route add 9.9.9.9 via 6.6.6.6
$ ping -I 6.6.6.6 9.9.9.9
PING 9.9.9.9 (9.9.9.9) from 6.6.6.6 : 56(84) bytes of data.
3 packets transmitted, 0 received, 100% packet loss, time 2079ms
$ arp
Address HWtype HWaddress Flags Mask Iface
6.6.6.6 (incomplete) eth0
The arp request address is error, this is because fib_table_lookup in
fib_check_nh lookup the destnation 9.9.9.9 nexthop, the scope of
the fib result is RT_SCOPE_LINK,the correct scope is RT_SCOPE_HOST.
Here I add a check of whether this is RT_TABLE_MAIN to solve this problem.
Fixes: 3bfd847203 ("net: Use passed in table for nexthop lookups")
Signed-off-by: guodeqing <geffrey.guo@huawei.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 8c95eca0bb8c4bd2231a0d581f1ad0d50c90488c ]
As a further optimisation of the diffserv parsing codepath, we can skip it
entirely if CAKE is configured to neither use diffserv-based
classification, nor to zero out the diffserv bits.
Fixes: c87b4ecdbe8d ("sch_cake: Make sure we can write the IP header before changing DSCP bits")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit b344579ca8478598937215f7005d6c7b84d28aee ]
Mirja Kuehlewind reported a bug in Linux TCP CUBIC Hystart, where
Hystart HYSTART_DELAY mechanism can exit Slow Start spuriously on an
ACK when the minimum rtt of a connection goes down. From inspection it
is clear from the existing code that this could happen in an example
like the following:
o The first 8 RTT samples in a round trip are 150ms, resulting in a
curr_rtt of 150ms and a delay_min of 150ms.
o The 9th RTT sample is 100ms. The curr_rtt does not change after the
first 8 samples, so curr_rtt remains 150ms. But delay_min can be
lowered at any time, so delay_min falls to 100ms. The code executes
the HYSTART_DELAY comparison between curr_rtt of 150ms and delay_min
of 100ms, and the curr_rtt is declared far enough above delay_min to
force a (spurious) exit of Slow start.
The fix here is simple: allow every RTT sample in a round trip to
lower the curr_rtt.
Fixes: ae27e98a51 ("[TCP] CUBIC v2.3")
Reported-by: Mirja Kuehlewind <mirja.kuehlewind@ericsson.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 3f608f0c41360b11b04c763f348b712f651c8bac ]
I spotted a few nits when comparing the in-tree version of sch_cake with
the out-of-tree one: A redundant error variable declaration shadowing an
outer declaration, and an indentation alignment issue. Fix both of these.
Fixes: 046f6fd5da ("sched: Add Common Applications Kept Enhanced (cake) qdisc")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 9208d2863ac689a563b92f2161d8d1e7127d0add ]
cake_handle_diffserv() tries to linearize mac and network header parts of
skb and to make it writable unconditionally. In some cases it leads to full
skb reallocation, which reduces throughput and increases CPU load. Some
measurements of IPv4 forward + NAPT on MIPS router with 580 MHz single-core
CPU was conducted. It appears that on kernel 4.9 skb_try_make_writable()
reallocates skb, if skb was allocated in ethernet driver via so-called
'build skb' method from page cache (it was discovered by strange increase
of kmalloc-2048 slab at first).
Obtain DSCP value via read-only skb_header_pointer() call, and leave
linearization only for DSCP bleaching or ECN CE setting. And, as an
additional optimisation, skip diffserv parsing entirely if it is not needed
by the current configuration.
Fixes: c87b4ecdbe8d ("sch_cake: Make sure we can write the IP header before changing DSCP bits")
Signed-off-by: Ilya Ponetayev <i.ponetaev@ndmsystems.com>
[ fix a few style issues, reflow commit message ]
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit ba61539c6ae57f4146284a5cb4f7b7ed8d42bf45 ]
In the datapath, the ip_tunnel_lookup() is used and it internally uses
fallback tunnel device pointer, which is fb_tunnel_dev.
This pointer variable should be set to NULL when a fb interface is deleted.
But there is no routine to set fb_tunnel_dev pointer to NULL.
So, this pointer will be still used after interface is deleted and
it eventually results in the use-after-free problem.
Test commands:
ip netns add A
ip netns add B
ip link add eth0 type veth peer name eth1
ip link set eth0 netns A
ip link set eth1 netns B
ip netns exec A ip link set lo up
ip netns exec A ip link set eth0 up
ip netns exec A ip link add gre1 type gre local 10.0.0.1 \
remote 10.0.0.2
ip netns exec A ip link set gre1 up
ip netns exec A ip a a 10.0.100.1/24 dev gre1
ip netns exec A ip a a 10.0.0.1/24 dev eth0
ip netns exec B ip link set lo up
ip netns exec B ip link set eth1 up
ip netns exec B ip link add gre1 type gre local 10.0.0.2 \
remote 10.0.0.1
ip netns exec B ip link set gre1 up
ip netns exec B ip a a 10.0.100.2/24 dev gre1
ip netns exec B ip a a 10.0.0.2/24 dev eth1
ip netns exec A hping3 10.0.100.2 -2 --flood -d 60000 &
ip netns del B
Splat looks like:
[ 77.793450][ C3] ==================================================================
[ 77.794702][ C3] BUG: KASAN: use-after-free in ip_tunnel_lookup+0xcc4/0xf30
[ 77.795573][ C3] Read of size 4 at addr ffff888060bd9c84 by task hping3/2905
[ 77.796398][ C3]
[ 77.796664][ C3] CPU: 3 PID: 2905 Comm: hping3 Not tainted 5.8.0-rc1+ #616
[ 77.797474][ C3] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 77.798453][ C3] Call Trace:
[ 77.798815][ C3] <IRQ>
[ 77.799142][ C3] dump_stack+0x9d/0xdb
[ 77.799605][ C3] print_address_description.constprop.7+0x2cc/0x450
[ 77.800365][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.800908][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.801517][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.802145][ C3] kasan_report+0x154/0x190
[ 77.802821][ C3] ? ip_tunnel_lookup+0xcc4/0xf30
[ 77.803503][ C3] ip_tunnel_lookup+0xcc4/0xf30
[ 77.804165][ C3] __ipgre_rcv+0x1ab/0xaa0 [ip_gre]
[ 77.804862][ C3] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 77.805621][ C3] gre_rcv+0x304/0x1910 [ip_gre]
[ 77.806293][ C3] ? lock_acquire+0x1a9/0x870
[ 77.806925][ C3] ? gre_rcv+0xfe/0x354 [gre]
[ 77.807559][ C3] ? erspan_xmit+0x2e60/0x2e60 [ip_gre]
[ 77.808305][ C3] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 77.809032][ C3] ? rcu_read_lock_held+0x90/0xa0
[ 77.809713][ C3] gre_rcv+0x1b8/0x354 [gre]
[ ... ]
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: c544193214 ("GRE: Refactor GRE tunneling code.")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit dafabb6590cb15f300b77c095d50312e2c7c8e0f ]
In the datapath, the ip6gre_tunnel_lookup() is used and it internally uses
fallback tunnel device pointer, which is fb_tunnel_dev.
This pointer variable should be set to NULL when a fb interface is deleted.
But there is no routine to set fb_tunnel_dev pointer to NULL.
So, this pointer will be still used after interface is deleted and
it eventually results in the use-after-free problem.
Test commands:
ip netns add A
ip netns add B
ip link add eth0 type veth peer name eth1
ip link set eth0 netns A
ip link set eth1 netns B
ip netns exec A ip link set lo up
ip netns exec A ip link set eth0 up
ip netns exec A ip link add ip6gre1 type ip6gre local fc:0::1 \
remote fc:0::2
ip netns exec A ip -6 a a fc💯:1/64 dev ip6gre1
ip netns exec A ip link set ip6gre1 up
ip netns exec A ip -6 a a fc:0::1/64 dev eth0
ip netns exec A ip link set ip6gre0 up
ip netns exec B ip link set lo up
ip netns exec B ip link set eth1 up
ip netns exec B ip link add ip6gre1 type ip6gre local fc:0::2 \
remote fc:0::1
ip netns exec B ip -6 a a fc💯:2/64 dev ip6gre1
ip netns exec B ip link set ip6gre1 up
ip netns exec B ip -6 a a fc:0::2/64 dev eth1
ip netns exec B ip link set ip6gre0 up
ip netns exec A ping fc💯:2 -s 60000 &
ip netns del B
Splat looks like:
[ 73.087285][ C1] BUG: KASAN: use-after-free in ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.088361][ C1] Read of size 4 at addr ffff888040559218 by task ping/1429
[ 73.089317][ C1]
[ 73.089638][ C1] CPU: 1 PID: 1429 Comm: ping Not tainted 5.7.0+ #602
[ 73.090531][ C1] Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
[ 73.091725][ C1] Call Trace:
[ 73.092160][ C1] <IRQ>
[ 73.092556][ C1] dump_stack+0x96/0xdb
[ 73.093122][ C1] print_address_description.constprop.6+0x2cc/0x450
[ 73.094016][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.094894][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.095767][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.096619][ C1] kasan_report+0x154/0x190
[ 73.097209][ C1] ? ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.097989][ C1] ip6gre_tunnel_lookup+0x1064/0x13f0 [ip6_gre]
[ 73.098750][ C1] ? gre_del_protocol+0x60/0x60 [gre]
[ 73.099500][ C1] gre_rcv+0x1c5/0x1450 [ip6_gre]
[ 73.100199][ C1] ? ip6gre_header+0xf00/0xf00 [ip6_gre]
[ 73.100985][ C1] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 73.101830][ C1] ? ip6_input_finish+0x5/0xf0
[ 73.102483][ C1] ip6_protocol_deliver_rcu+0xcbb/0x1510
[ 73.103296][ C1] ip6_input_finish+0x5b/0xf0
[ 73.103920][ C1] ip6_input+0xcd/0x2c0
[ 73.104473][ C1] ? ip6_input_finish+0xf0/0xf0
[ 73.105115][ C1] ? rcu_read_lock_held+0x90/0xa0
[ 73.105783][ C1] ? rcu_read_lock_sched_held+0xc0/0xc0
[ 73.106548][ C1] ipv6_rcv+0x1f1/0x300
[ ... ]
Suggested-by: Eric Dumazet <eric.dumazet@gmail.com>
Fixes: c12b395a46 ("gre: Support GRE over IPv6")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 662051215c758ae8545451628816204ed6cd372d ]
Back in 2013, we made a change that broke fast retransmit
for non SACK flows.
Indeed, for these flows, a sender needs to receive three duplicate
ACK before starting fast retransmit. Sending ACK with different
receive window do not count.
Even if enabling SACK is strongly recommended these days,
there still are some cases where it has to be disabled.
Not increasing the window seems better than having to
rely on RTO.
After the fix, following packetdrill test gives :
// Initialize connection
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
+0 < S 0:0(0) win 32792 <mss 1000,nop,wscale 7>
+0 > S. 0:0(0) ack 1 <mss 1460,nop,wscale 8>
+0 < . 1:1(0) ack 1 win 514
+0 accept(3, ..., ...) = 4
+0 < . 1:1001(1000) ack 1 win 514
// Quick ack
+0 > . 1:1(0) ack 1001 win 264
+0 < . 2001:3001(1000) ack 1 win 514
// DUPACK : Normally we should not change the window
+0 > . 1:1(0) ack 1001 win 264
+0 < . 3001:4001(1000) ack 1 win 514
// DUPACK : Normally we should not change the window
+0 > . 1:1(0) ack 1001 win 264
+0 < . 4001:5001(1000) ack 1 win 514
// DUPACK : Normally we should not change the window
+0 > . 1:1(0) ack 1001 win 264
+0 < . 1001:2001(1000) ack 1 win 514
// Hole is repaired.
+0 > . 1:1(0) ack 5001 win 272
Fixes: 4e4f1fc226 ("tcp: properly increase rcv_ssthresh for ofo packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Venkat Venkatsubra <venkat.x.venkatsubra@oracle.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 2570284060b48f3f79d8f1a2698792f36c385e9a ]
there is a problem with the CWR flag set in an incoming ACK segment
and it leads to the situation when the ECE flag is latched forever
the following packetdrill script shows what happens:
// Stack receives incoming segments with CE set
+0.1 <[ect0] . 11001:12001(1000) ack 1001 win 65535
+0.0 <[ce] . 12001:13001(1000) ack 1001 win 65535
+0.0 <[ect0] P. 13001:14001(1000) ack 1001 win 65535
// Stack repsonds with ECN ECHO
+0.0 >[noecn] . 1001:1001(0) ack 12001
+0.0 >[noecn] E. 1001:1001(0) ack 13001
+0.0 >[noecn] E. 1001:1001(0) ack 14001
// Write a packet
+0.1 write(3, ..., 1000) = 1000
+0.0 >[ect0] PE. 1001:2001(1000) ack 14001
// Pure ACK received
+0.01 <[noecn] W. 14001:14001(0) ack 2001 win 65535
// Since CWR was sent, this packet should NOT have ECE set
+0.1 write(3, ..., 1000) = 1000
+0.0 >[ect0] P. 2001:3001(1000) ack 14001
// but Linux will still keep ECE latched here, with packetdrill
// flagging a missing ECE flag, expecting
// >[ect0] PE. 2001:3001(1000) ack 14001
// in the script
In the situation above we will continue to send ECN ECHO packets
and trigger the peer to reduce the congestion window. To avoid that
we can check CWR on pure ACKs received.
v3:
- Add a sequence check to avoid sending an ACK to an ACK
v2:
- Adjusted the comment
- move CWR check before checking for unacknowledged packets
Signed-off-by: Denis Kirjanov <denis.kirjanov@suse.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 471e39df96b9a4c4ba88a2da9e25a126624d7a9c ]
If a socket is set ipv6only, it will still send IPv4 addresses in the
INIT and INIT_ACK packets. This potentially misleads the peer into using
them, which then would cause association termination.
The fix is to not add IPv4 addresses to ipv6only sockets.
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Tested-by: Corey Minyard <cminyard@mvista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 97cdcf37b57e3f204be3000b9eab9686f38b4356 upstream.
This fills a hole in softnet data, so no change in structure size.
Also prepares for xmit_more placement in the same spot;
skb->xmit_more will be removed in followup patch.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit db7202dec92e6caa2706c21d6fc359af318bde2e ]
The eth_addr member is passed to ether_addr functions that require
2-byte alignment, therefore the member must be properly aligned
to avoid unaligned accesses.
The problem is in place since the initial merge of multicast to unicast:
commit 6db6f0eae6 bridge: multicast to unicast
Fixes: 6db6f0eae6 ("bridge: multicast to unicast")
Cc: Roopa Prabhu <roopa@cumulusnetworks.com>
Cc: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Felix Fietkau <nbd@nbd.name>
Cc: stable@vger.kernel.org
Signed-off-by: Thomas Martitz <t.martitz@avm.de>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1a3db27ad9a72d033235b9673653962c02e3486e ]
Since the quiesce/activate rework, __netdev_watchdog_up() is directly
called in the ucc_geth driver.
Unfortunately, this function is not available for modules and thus
ucc_geth cannot be built as a module anymore. Fix it by exporting
__netdev_watchdog_up().
Since the commit introducing the regression was backported to stable
branches, this one should ideally be as well.
Fixes: 79dde73cf9bc ("net/ethernet/freescale: rework quiesce/activate for ucc_geth")
Signed-off-by: Valentin Longchamp <valentin@longchamp.me>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl70p5sACgkQONu9yGCS
aT4nRg/9HAG5FdyJgH3OnUY5LtrjtlVpRsD+AgdUnnftpDprZ0m4dZsUuUSF4fJJ
hzEr98/vX41yYqi2ne9mZcPnm4uOw21dEJK9X/2Z5+654i4qOwcv9FfVQSAdSpXC
KEN0rRlZw0MdXwISmU9UbBTwSRqxi0qJNWfSR3rS9DZRiSPhhxElMwbdcYXjpgKR
GZ7Wd/pDb0q371mR2Ar7+13PVxsvBzoEwYUngbeTr3EXtCiWiavBqBzABpJQYH9L
xm5ZfFLwLMsnQSd/gdW7DZGq+6JdLgf6HaY4FOcpkoDo5gSSDc2RNTg8jbzu8dM0
o2Wge54q9aTbuu+sc6k9x5HAaTPdv7uFnORdBvNhYGZWfXv69SZjCFgqwjsmPiww
+wg6D4uYWeh+faIz4tNBHk/bjIIMACnSJifsd131aXUed1cm4GeeQEQgimT8ea99
uOZrKPSTd+tbY3tZJrX2TyixYKgtaegdYTh3GWLx0AmYS8dOTHKfezUMMtFj4F7F
XTbZ3IWyVTSynO/7LRLdEGwAZjA/vWCK3YQS95qVCY1ni7h2vZw4FQb2C9CHyHAq
BIqiu2rOvxAsmIgh6GFcLLYN6cAa+lgIifmOMn2DPYrfF2gcrrGt6iOm1fc0gr5t
QbNYK7OQ/1L70BgvnI1lDAl4qG6lhSKV28SB6Csbzrz5WYzbfnE=
=iU+4
-----END PGP SIGNATURE-----
Merge 4.19.130 into android-4.19-stable
Changes in 4.19.130
power: supply: bq24257_charger: Replace depends on REGMAP_I2C with select
clk: sunxi: Fix incorrect usage of round_down()
ASoC: tegra: tegra_wm8903: Support nvidia, headset property
i2c: piix4: Detect secondary SMBus controller on AMD AM4 chipsets
iio: pressure: bmp280: Tolerate IRQ before registering
remoteproc: Fix IDR initialisation in rproc_alloc()
clk: qcom: msm8916: Fix the address location of pll->config_reg
backlight: lp855x: Ensure regulators are disabled on probe failure
ASoC: davinci-mcasp: Fix dma_chan refcnt leak when getting dma type
ARM: integrator: Add some Kconfig selections
scsi: qedi: Check for buffer overflow in qedi_set_path()
ALSA: hda/realtek - Introduce polarity for micmute LED GPIO
ALSA: isa/wavefront: prevent out of bounds write in ioctl
PCI: Allow pci_resize_resource() for devices on root bus
scsi: qla2xxx: Fix issue with adapter's stopping state
iio: bmp280: fix compensation of humidity
f2fs: report delalloc reserve as non-free in statfs for project quota
i2c: pxa: clear all master action bits in i2c_pxa_stop_message()
clk: samsung: Mark top ISP and CAM clocks on Exynos542x as critical
usblp: poison URBs upon disconnect
serial: 8250: Fix max baud limit in generic 8250 port
dm mpath: switch paths in dm_blk_ioctl() code path
PCI: aardvark: Don't blindly enable ASPM L0s and don't write to read-only register
ps3disk: use the default segment boundary
vfio/pci: fix memory leaks in alloc_perm_bits()
RDMA/mlx5: Add init2init as a modify command
m68k/PCI: Fix a memory leak in an error handling path
gpio: dwapb: Call acpi_gpiochip_free_interrupts() on GPIO chip de-registration
mfd: wm8994: Fix driver operation if loaded as modules
scsi: lpfc: Fix lpfc_nodelist leak when processing unsolicited event
clk: clk-flexgen: fix clock-critical handling
powerpc/perf/hv-24x7: Fix inconsistent output values incase multiple hv-24x7 events run
nfsd: Fix svc_xprt refcnt leak when setup callback client failed
PCI: vmd: Filter resource type bits from shadow register
powerpc/crashkernel: Take "mem=" option into account
pwm: img: Call pm_runtime_put() in pm_runtime_get_sync() failed case
yam: fix possible memory leak in yam_init_driver
NTB: ntb_pingpong: Choose doorbells based on port number
NTB: Fix the default port and peer numbers for legacy drivers
mksysmap: Fix the mismatch of '.L' symbols in System.map
apparmor: fix introspection of of task mode for unconfined tasks
apparmor: check/put label on apparmor_sk_clone_security()
ASoC: meson: add missing free_irq() in error path
scsi: sr: Fix sr_probe() missing deallocate of device minor
scsi: ibmvscsi: Don't send host info in adapter info MAD after LPM
apparmor: fix nnp subset test for unconfined
x86/purgatory: Disable various profiling and sanitizing options
staging: greybus: fix a missing-check bug in gb_lights_light_config()
arm64: dts: mt8173: fix unit name warnings
scsi: qedi: Do not flush offload work if ARP not resolved
ARM: dts: sun8i-h2-plus-bananapi-m2-zero: Fix led polarity
gpio: dwapb: Append MODULE_ALIAS for platform driver
scsi: qedf: Fix crash when MFW calls for protocol stats while function is still probing
pinctrl: rza1: Fix wrong array assignment of rza1l_swio_entries
firmware: qcom_scm: fix bogous abuse of dma-direct internals
staging: gasket: Fix mapping refcnt leak when put attribute fails
staging: gasket: Fix mapping refcnt leak when register/store fails
ALSA: usb-audio: Improve frames size computation
ALSA: usb-audio: Fix racy list management in output queue
s390/qdio: put thinint indicator after early error
tty: hvc: Fix data abort due to race in hvc_open
slimbus: ngd: get drvdata from correct device
thermal/drivers/ti-soc-thermal: Avoid dereferencing ERR_PTR
usb: dwc3: gadget: Properly handle failed kick_transfer
staging: sm750fb: add missing case while setting FB_VISUAL
PCI: v3-semi: Fix a memory leak in v3_pci_probe() error handling paths
i2c: pxa: fix i2c_pxa_scream_blue_murder() debug output
serial: amba-pl011: Make sure we initialize the port.lock spinlock
drivers: base: Fix NULL pointer exception in __platform_driver_probe() if a driver developer is foolish
PCI: rcar: Fix incorrect programming of OB windows
PCI/ASPM: Allow ASPM on links to PCIe-to-PCI/PCI-X Bridges
scsi: qla2xxx: Fix warning after FC target reset
power: supply: lp8788: Fix an error handling path in 'lp8788_charger_probe()'
power: supply: smb347-charger: IRQSTAT_D is volatile
scsi: mpt3sas: Fix double free warnings
pinctrl: rockchip: fix memleak in rockchip_dt_node_to_map
dlm: remove BUG() before panic()
clk: ti: composite: fix memory leak
PCI: Fix pci_register_host_bridge() device_register() error handling
powerpc/64: Don't initialise init_task->thread.regs
tty: n_gsm: Fix SOF skipping
tty: n_gsm: Fix waking up upper tty layer when room available
HID: Add quirks for Trust Panora Graphic Tablet
ipmi: use vzalloc instead of kmalloc for user creation
powerpc/pseries/ras: Fix FWNMI_VALID off by one
powerpc/ps3: Fix kexec shutdown hang
vfio-pci: Mask cap zero
usb/ohci-platform: Fix a warning when hibernating
drm/msm/mdp5: Fix mdp5_init error path for failed mdp5_kms allocation
ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT8-A tablet
USB: host: ehci-mxc: Add error handling in ehci_mxc_drv_probe()
tty: n_gsm: Fix bogus i++ in gsm_data_kick
fpga: dfl: afu: Corrected error handling levels
clk: samsung: exynos5433: Add IGNORE_UNUSED flag to sclk_i2s1
scsi: target: tcmu: Userspace must not complete queued commands
arm64: tegra: Fix ethernet phy-mode for Jetson Xavier
powerpc/64s/pgtable: fix an undefined behaviour
dm zoned: return NULL if dmz_get_zone_for_reclaim() fails to find a zone
PCI/PTM: Inherit Switch Downstream Port PTM settings from Upstream Port
PCI: dwc: Fix inner MSI IRQ domain registration
IB/cma: Fix ports memory leak in cma_configfs
watchdog: da9062: No need to ping manually before setting timeout
usb: dwc2: gadget: move gadget resume after the core is in L0 state
USB: gadget: udc: s3c2410_udc: Remove pointless NULL check in s3c2410_udc_nuke
usb: gadget: lpc32xx_udc: don't dereference ep pointer before null check
usb: gadget: fix potential double-free in m66592_probe.
usb: gadget: Fix issue with config_ep_by_speed function
RDMA/iw_cxgb4: cleanup device debugfs entries on ULD remove
x86/apic: Make TSC deadline timer detection message visible
ASoC: fix incomplete error-handling in img_i2s_in_probe.
scsi: target: tcmu: Fix a use after free in tcmu_check_expired_queue_cmd()
clk: bcm2835: Fix return type of bcm2835_register_gate
scsi: ufs-qcom: Fix scheduling while atomic issue
KVM: PPC: Book3S HV: Ignore kmemleak false positives
clk: sprd: return correct type of value for _sprd_pll_recalc_rate
net: sunrpc: Fix off-by-one issues in 'rpc_ntop6'
NFSv4.1 fix rpc_call_done assignment for BIND_CONN_TO_SESSION
of: Fix a refcounting bug in __of_attach_node_sysfs()
powerpc/4xx: Don't unmap NULL mbase
extcon: adc-jack: Fix an error handling path in 'adc_jack_probe()'
ASoC: fsl_asrc_dma: Fix dma_chan leak when config DMA channel failed
vfio/mdev: Fix reference count leak in add_mdev_supported_type
rxrpc: Adjust /proc/net/rxrpc/calls to display call->debug_id not user_ID
openrisc: Fix issue with argument clobbering for clone/fork
gfs2: Allow lock_nolock mount to specify jid=X
scsi: iscsi: Fix reference count leak in iscsi_boot_create_kobj
scsi: ufs: Don't update urgent bkops level when toggling auto bkops
pinctrl: imxl: Fix an error handling path in 'imx1_pinctrl_core_probe()'
pinctrl: freescale: imx: Fix an error handling path in 'imx_pinctrl_probe()'
crypto: omap-sham - add proper load balancing support for multicore
geneve: change from tx_error to tx_dropped on missing metadata
lib/zlib: remove outdated and incorrect pre-increment optimization
include/linux/bitops.h: avoid clang shift-count-overflow warnings
elfnote: mark all .note sections SHF_ALLOC
selftests/vm/pkeys: fix alloc_random_pkey() to make it really random
blktrace: use errno instead of bi_status
blktrace: fix endianness in get_pdu_int()
blktrace: fix endianness for blk_log_remap()
gfs2: fix use-after-free on transaction ail lists
ntb_perf: pass correct struct device to dma_alloc_coherent
ntb_tool: pass correct struct device to dma_alloc_coherent
NTB: ntb_tool: reading the link file should not end in a NULL byte
NTB: Revert the change to use the NTB device dev for DMA allocations
NTB: perf: Don't require one more memory window than number of peers
NTB: perf: Fix support for hardware that doesn't have port numbers
NTB: perf: Fix race condition when run with ntb_test
NTB: ntb_test: Fix bug when counting remote files
drivers/perf: hisi: Fix wrong value for all counters enable
selftests/net: in timestamping, strncpy needs to preserve null byte
afs: Fix memory leak in afs_put_sysnames()
ASoC: core: only convert non DPCM link to DPCM link
ASoC: Intel: bytcr_rt5640: Add quirk for Toshiba Encore WT10-A tablet
ASoC: rt5645: Add platform-data for Asus T101HA
drm/sun4i: hdmi ddc clk: Fix size of m divider
scsi: acornscsi: Fix an error handling path in acornscsi_probe()
x86/idt: Keep spurious entries unset in system_vectors
net/filter: Permit reading NET in load_bytes_relative when MAC not set
xdp: Fix xsk_generic_xmit errno
usb/xhci-plat: Set PM runtime as active on resume
usb: host: ehci-platform: add a quirk to avoid stuck
usb/ehci-platform: Set PM runtime as active on resume
perf report: Fix NULL pointer dereference in hists__fprintf_nr_sample_events()
ext4: stop overwrite the errcode in ext4_setup_super
bcache: fix potential deadlock problem in btree_gc_coalesce
afs: Fix non-setting of mtime when writing into mmap
afs: afs_write_end() should change i_size under the right lock
block: Fix use-after-free in blkdev_get()
arm64: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints
libata: Use per port sync for detach
drm: encoder_slave: fix refcouting error for modules
drm/dp_mst: Reformat drm_dp_check_act_status() a bit
drm/qxl: Use correct notify port address when creating cursor ring
drm/amdgpu: Replace invalid device ID with a valid device ID
selinux: fix double free
ext4: fix partial cluster initialization when splitting extent
ext4: avoid race conditions when remounting with options that change dax
drm/dp_mst: Increase ACT retry timeout to 3s
x86/boot/compressed: Relax sed symbol type regex for LLVM ld.lld
block: nr_sects_write(): Disable preemption on seqcount write
mtd: rawnand: Pass a nand_chip object to nand_scan()
mtd: rawnand: Pass a nand_chip object to nand_release()
mtd: rawnand: diskonchip: Fix the probe error path
mtd: rawnand: sharpsl: Fix the probe error path
mtd: rawnand: xway: Fix the probe error path
mtd: rawnand: orion: Fix the probe error path
mtd: rawnand: oxnas: Add of_node_put()
mtd: rawnand: oxnas: Fix the probe error path
mtd: rawnand: socrates: Fix the probe error path
mtd: rawnand: plat_nand: Fix the probe error path
mtd: rawnand: mtk: Fix the probe error path
mtd: rawnand: tmio: Fix the probe error path
s390: fix syscall_get_error for compat processes
drm/i915: Whitelist context-local timestamp in the gen9 cmdparser
drm/i915/icl+: Fix hotplug interrupt disabling after storm detection
crypto: algif_skcipher - Cap recv SG list at ctx->used
crypto: algboss - don't wait during notifier callback
kprobes: Fix to protect kick_kprobe_optimizer() by kprobe_mutex
e1000e: Do not wake up the system via WOL if device wakeup is disabled
net: octeon: mgmt: Repair filling of RX ring
kretprobe: Prevent triggering kretprobe from within kprobe_flush_task
sched/rt, net: Use CONFIG_PREEMPTION.patch
net: core: device_rename: Use rwsem instead of a seqcount
Revert "dpaa_eth: fix usage as DSA master, try 3"
md: add feature flag MD_FEATURE_RAID0_LAYOUT
kvm: x86: Move kvm_set_mmio_spte_mask() from x86.c to mmu.c
kvm: x86: Fix reserved bits related calculation errors caused by MKTME
KVM: x86/mmu: Set mmio_value to '0' if reserved #PF can't be generated
Linux 4.19.130
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8fff23470852b747c3d75461b45f9d77460062d3
[ Upstream commit 11d6011c2cf29f7c8181ebde6c8bc0c4d83adcd7 ]
Sequence counters write paths are critical sections that must never be
preempted, and blocking, even for CONFIG_PREEMPTION=n, is not allowed.
Commit 5dbe7c178d ("net: fix kernel deadlock with interface rename and
netdev name retrieval.") handled a deadlock, observed with
CONFIG_PREEMPTION=n, where the devnet_rename seqcount read side was
infinitely spinning: it got scheduled after the seqcount write side
blocked inside its own critical section.
To fix that deadlock, among other issues, the commit added a
cond_resched() inside the read side section. While this will get the
non-preemptible kernel eventually unstuck, the seqcount reader is fully
exhausting its slice just spinning -- until TIF_NEED_RESCHED is set.
The fix is also still broken: if the seqcount reader belongs to a
real-time scheduling policy, it can spin forever and the kernel will
livelock.
Disabling preemption over the seqcount write side critical section will
not work: inside it are a number of GFP_KERNEL allocations and mutex
locking through the drivers/base/ :: device_rename() call chain.
>From all the above, replace the seqcount with a rwsem.
Fixes: 5dbe7c178d (net: fix kernel deadlock with interface rename and netdev name retrieval.)
Fixes: 30e6c9fa93 (net: devnet_rename_seq should be a seqcount)
Fixes: c91f6df2db (sockopt: Change getsockopt() of SO_BINDTODEVICE to return an interface name)
Cc: <stable@vger.kernel.org>
Reported-by: kbuild test robot <lkp@intel.com> [ v1 missing up_read() on error exit ]
Reported-by: Dan Carpenter <dan.carpenter@oracle.com> [ v1 missing up_read() on error exit ]
Signed-off-by: Ahmed S. Darwish <a.darwish@linutronix.de>
Reviewed-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2da2b32fd9346009e9acdb68c570ca8d3966aba7 ]
CONFIG_PREEMPTION is selected by CONFIG_PREEMPT and by CONFIG_PREEMPT_RT.
Both PREEMPT and PREEMPT_RT require the same functionality which today
depends on CONFIG_PREEMPT.
Update the comment to use CONFIG_PREEMPTION.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: David S. Miller <davem@davemloft.net>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: netdev@vger.kernel.org
Link: https://lore.kernel.org/r/20191015191821.11479-22-bigeasy@linutronix.de
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit aa2cad0600ed2ca6a0ab39948d4db1666b6c962b ]
Propagate sock_alloc_send_skb error code, not set it to
EAGAIN unconditionally, when fail to allocate skb, which
might cause that user space unnecessary loops.
Fixes: 35fcde7f8d ("xsk: support for Tx")
Signed-off-by: Li RongQing <lirongqing@baidu.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Björn Töpel <bjorn.topel@intel.com>
Link: https://lore.kernel.org/bpf/1591852266-24017-1-git-send-email-lirongqing@baidu.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0f5d82f187e1beda3fe7295dfc500af266a5bd80 ]
Added a check in the switch case on start_header that checks for
the existence of the header, and in the case that MAC is not set
and the caller requests for MAC, -EFAULT. If the caller requests
for NET then MAC's existence is completely ignored.
There is no function to check NET header's existence and as far
as cgroup_skb/egress is concerned it should always be set.
Removed for ptr >= the start of header, considering offset is
bounded unsigned and should always be true. len <= end - mac is
redundant to ptr + len <= end.
Fixes: 3eee1f75f2 ("bpf: fix bpf_skb_load_bytes_relative pkt length check")
Signed-off-by: YiFei Zhu <zhuyifei@google.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: Stanislav Fomichev <sdf@google.com>
Link: https://lore.kernel.org/bpf/76bb820ddb6a95f59a772ecbd8c8a336f646b362.1591812755.git.zhuyifei@google.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 32f71aa497cfb23d37149c2ef16ad71fce2e45e2 ]
The user ID value isn't actually much use - and leaks a kernel pointer or a
userspace value - so replace it with the call debug ID, which appears in trace
points.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 118917d696dc59fd3e1741012c2f9db2294bed6f ]
Fix off-by-one issues in 'rpc_ntop6':
- 'snprintf' returns the number of characters which would have been
written if enough space had been available, excluding the terminating
null byte. Thus, a return value of 'sizeof(scopebuf)' means that the
last character was dropped.
- 'strcat' adds a terminating null byte to the string, thus if len ==
buflen, the null byte is written past the end of the buffer.
Signed-off-by: Fedor Tokarev <ftokarev@gmail.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl7wXf4ACgkQONu9yGCS
aT6rDBAAg6jIYJhhb9lpK59hpMxNsaFnPfXdA3Z6qARqH7iIQa9TTP9JF5eFndS0
+2wV8t/8Nz/3BWq9NQAF525QJdqyY6Ahcj5QQXzIzEZyb/p5fRVCBOUcBP7uaBCu
gdORR7OhHI9+7aGLr05Svb7pVWPLi0Mk5vjvthEIkojEOIREGuGlERRZNlL1SN3y
cYDBCCJtD2XiuhyZNLNxtwE/2/d/1xuIG7T3VRDS6oBtqfOXdsy5xoU9lpbbmZQg
s1i3cjWgxEYjJOJqONwzfUSu9Zj4GUZfLTx3gtXG7iEiuUfEw3ljEvIrqSqtNxB5
aTysoOu4MSdJTALHkA7Szhk2Q8Pecmo+NdKLfgMCxAWwIEbn1X9seea7QC5M5/lr
Q1z150M2+Lcs6z9I/vR+vmPh9YKn1yGV4RbTeMXwiQLlWcRh7vh7jN+YJvrpmJSL
BGbsRLB02J4i58CLW7n2rgeq5ycO41bJeWdXSSZjJg7KiZMvuD7mnDv1nUoj3Ad0
lFxgfBRYYZzGCe53xLBXKnjua1lxp8rStUK4iotqkXyhaZqHo0J52okDxSqbP4VZ
DYMfgyiFDufITd7l7qK5H6OeWQJ2IPtaude0HiMQf00bdOIrIsl+xXCtFHo6kx6z
VxwFUAUZWIKZT9ZWo2DNmbbDSRmij3Pqm6ZiakDSPT+kZFqvkBo=
=u5pA
-----END PGP SIGNATURE-----
Merge 4.19.129 into android-4.19-stable
Changes in 4.19.129
ipv6: fix IPV6_ADDRFORM operation logic
net_failover: fixed rollback in net_failover_open()
bridge: Avoid infinite loop when suppressing NS messages with invalid options
vxlan: Avoid infinite loop when suppressing NS messages with invalid options
tun: correct header offsets in napi frags mode
selftests: bpf: fix use of undeclared RET_IF macro
make 'user_access_begin()' do 'access_ok()'
Fix 'acccess_ok()' on alpha and SH
arch/openrisc: Fix issues with access_ok()
x86: uaccess: Inhibit speculation past access_ok() in user_access_begin()
lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user()
btrfs: merge btrfs_find_device and find_device
btrfs: Detect unbalanced tree with empty leaf before crashing btree operations
crypto: talitos - fix ECB and CBC algs ivsize
Input: mms114 - fix handling of mms345l
ARM: 8977/1: ptrace: Fix mask for thumb breakpoint hook
sched/fair: Don't NUMA balance for kthreads
Input: synaptics - add a second working PNP_ID for Lenovo T470s
drivers/net/ibmvnic: Update VNIC protocol version reporting
powerpc/xive: Clear the page tables for the ESB IO mapping
ath9k_htc: Silence undersized packet warnings
RDMA/uverbs: Make the event_queue fds return POLLERR when disassociated
x86/cpu/amd: Make erratum #1054 a legacy erratum
perf probe: Accept the instance number of kretprobe event
mm: add kvfree_sensitive() for freeing sensitive data objects
aio: fix async fsync creds
btrfs: tree-checker: Check level for leaves and nodes
x86_64: Fix jiffies ODR violation
x86/PCI: Mark Intel C620 MROMs as having non-compliant BARs
x86/speculation: Prevent rogue cross-process SSBD shutdown
x86/reboot/quirks: Add MacBook6,1 reboot quirk
efi/efivars: Add missing kobject_put() in sysfs entry creation error path
ALSA: es1688: Add the missed snd_card_free()
ALSA: hda/realtek - add a pintbl quirk for several Lenovo machines
ALSA: usb-audio: Fix inconsistent card PM state after resume
ALSA: usb-audio: Add vendor, product and profile name for HP Thunderbolt Dock
ACPI: sysfs: Fix reference count leak in acpi_sysfs_add_hotplug_profile()
ACPI: CPPC: Fix reference count leak in acpi_cppc_processor_probe()
ACPI: GED: add support for _Exx / _Lxx handler methods
ACPI: PM: Avoid using power resources if there are none for D0
cgroup, blkcg: Prepare some symbols for module and !CONFIG_CGROUP usages
nilfs2: fix null pointer dereference at nilfs_segctor_do_construct()
spi: dw: Fix controller unregister order
spi: bcm2835aux: Fix controller unregister order
spi: bcm-qspi: when tx/rx buffer is NULL set to 0
PM: runtime: clk: Fix clk_pm_runtime_get() error path
crypto: cavium/nitrox - Fix 'nitrox_get_first_device()' when ndevlist is fully iterated
ALSA: pcm: disallow linking stream to itself
x86/{mce,mm}: Unmap the entire page if the whole page is affected and poisoned
KVM: x86: Fix APIC page invalidation race
kvm: x86: Fix L1TF mitigation for shadow MMU
KVM: x86/mmu: Consolidate "is MMIO SPTE" code
KVM: x86: only do L1TF workaround on affected processors
x86/speculation: Change misspelled STIPB to STIBP
x86/speculation: Add support for STIBP always-on preferred mode
x86/speculation: Avoid force-disabling IBPB based on STIBP and enhanced IBRS.
x86/speculation: PR_SPEC_FORCE_DISABLE enforcement for indirect branches.
spi: No need to assign dummy value in spi_unregister_controller()
spi: Fix controller unregister order
spi: pxa2xx: Fix controller unregister order
spi: bcm2835: Fix controller unregister order
spi: pxa2xx: Balance runtime PM enable/disable on error
spi: pxa2xx: Fix runtime PM ref imbalance on probe error
crypto: virtio: Fix use-after-free in virtio_crypto_skcipher_finalize_req()
crypto: virtio: Fix src/dst scatterlist calculation in __virtio_crypto_skcipher_do_req()
crypto: virtio: Fix dest length calculation in __virtio_crypto_skcipher_do_req()
selftests/net: in rxtimestamp getopt_long needs terminating null entry
ovl: initialize error in ovl_copy_xattr
proc: Use new_inode not new_inode_pseudo
video: fbdev: w100fb: Fix a potential double free.
KVM: nSVM: fix condition for filtering async PF
KVM: nSVM: leave ASID aside in copy_vmcb_control_area
KVM: nVMX: Consult only the "basic" exit reason when routing nested exit
KVM: MIPS: Define KVM_ENTRYHI_ASID to cpu_asid_mask(&boot_cpu_data)
KVM: MIPS: Fix VPN2_MASK definition for variable cpu_vmbits
KVM: arm64: Make vcpu_cp1x() work on Big Endian hosts
scsi: megaraid_sas: TM command refire leads to controller firmware crash
ath9k: Fix use-after-free Read in ath9k_wmi_ctrl_rx
ath9k: Fix use-after-free Write in ath9k_htc_rx_msg
ath9x: Fix stack-out-of-bounds Write in ath9k_hif_usb_rx_cb
ath9k: Fix general protection fault in ath9k_hif_usb_rx_cb
Smack: slab-out-of-bounds in vsscanf
drm/vkms: Hold gem object while still in-use
mm/slub: fix a memory leak in sysfs_slab_add()
fat: don't allow to mount if the FAT length == 0
perf: Add cond_resched() to task_function_call()
agp/intel: Reinforce the barrier after GTT updates
mmc: sdhci-msm: Clear tuning done flag while hs400 tuning
ARM: dts: at91: sama5d2_ptc_ek: fix sdmmc0 node description
mmc: sdio: Fix potential NULL pointer error in mmc_sdio_init_card()
xen/pvcalls-back: test for errors when calling backend_connect()
KVM: arm64: Synchronize sysreg state on injecting an AArch32 exception
ACPI: GED: use correct trigger type field in _Exx / _Lxx handling
drm: bridge: adv7511: Extend list of audio sample rates
crypto: ccp -- don't "select" CONFIG_DMADEVICES
media: si2157: Better check for running tuner in init
objtool: Ignore empty alternatives
spi: pxa2xx: Apply CS clk quirk to BXT
net: atlantic: make hw_get_regs optional
net: ena: fix error returning in ena_com_get_hash_function()
efi/libstub/x86: Work around LLVM ELF quirk build regression
arm64: cacheflush: Fix KGDB trap detection
spi: dw: Zero DMA Tx and Rx configurations on stack
arm64: insn: Fix two bugs in encoding 32-bit logical immediates
ixgbe: Fix XDP redirect on archs with PAGE_SIZE above 4K
MIPS: Loongson: Build ATI Radeon GPU driver as module
Bluetooth: Add SCO fallback for invalid LMP parameters error
kgdb: Disable WARN_CONSOLE_UNLOCKED for all kgdb
kgdb: Prevent infinite recursive entries to the debugger
spi: dw: Enable interrupts in accordance with DMA xfer mode
clocksource: dw_apb_timer: Make CPU-affiliation being optional
clocksource: dw_apb_timer_of: Fix missing clockevent timers
btrfs: do not ignore error from btrfs_next_leaf() when inserting checksums
ARM: 8978/1: mm: make act_mm() respect THREAD_SIZE
batman-adv: Revert "disable ethtool link speed detection when auto negotiation off"
mmc: meson-mx-sdio: trigger a soft reset after a timeout or CRC error
spi: dw: Fix Rx-only DMA transfers
x86/kvm/hyper-v: Explicitly align hcall param for kvm_hyperv_exit
net: vmxnet3: fix possible buffer overflow caused by bad DMA value in vmxnet3_get_rss()
staging: android: ion: use vmap instead of vm_map_ram
brcmfmac: fix wrong location to get firmware feature
tools api fs: Make xxx__mountpoint() more scalable
e1000: Distribute switch variables for initialization
dt-bindings: display: mediatek: control dpi pins mode to avoid leakage
audit: fix a net reference leak in audit_send_reply()
media: dvb: return -EREMOTEIO on i2c transfer failure.
media: platform: fcp: Set appropriate DMA parameters
MIPS: Make sparse_init() using top-down allocation
Bluetooth: btbcm: Add 2 missing models to subver tables
audit: fix a net reference leak in audit_list_rules_send()
netfilter: nft_nat: return EOPNOTSUPP if type or flags are not supported
selftests/bpf: Fix memory leak in extract_build_id()
net: bcmgenet: set Rx mode before starting netif
lib/mpi: Fix 64-bit MIPS build with Clang
exit: Move preemption fixup up, move blocking operations down
sched/core: Fix illegal RCU from offline CPUs
drivers/perf: hisi: Fix typo in events attribute array
net: lpc-enet: fix error return code in lpc_mii_init()
media: cec: silence shift wrapping warning in __cec_s_log_addrs()
net: allwinner: Fix use correct return type for ndo_start_xmit()
powerpc/spufs: fix copy_to_user while atomic
xfs: clean up the error handling in xfs_swap_extents
Crypto/chcr: fix for ccm(aes) failed test
MIPS: Truncate link address into 32bit for 32bit kernel
mips: cm: Fix an invalid error code of INTVN_*_ERR
kgdb: Fix spurious true from in_dbg_master()
xfs: reset buffer write failure state on successful completion
xfs: fix duplicate verification from xfs_qm_dqflush()
platform/x86: intel-vbtn: Use acpi_evaluate_integer()
platform/x86: intel-vbtn: Split keymap into buttons and switches parts
platform/x86: intel-vbtn: Do not advertise switches to userspace if they are not there
platform/x86: intel-vbtn: Also handle tablet-mode switch on "Detachable" and "Portable" chassis-types
nvme: refine the Qemu Identify CNS quirk
ath10k: Remove msdu from idr when management pkt send fails
wcn36xx: Fix error handling path in 'wcn36xx_probe()'
net: qed*: Reduce RX and TX default ring count when running inside kdump kernel
mt76: avoid rx reorder buffer overflow
md: don't flush workqueue unconditionally in md_open
veth: Adjust hard_start offset on redirect XDP frames
net/mlx5e: IPoIB, Drop multicast packets that this interface sent
rtlwifi: Fix a double free in _rtl_usb_tx_urb_setup()
mwifiex: Fix memory corruption in dump_station
x86/boot: Correct relocation destination on old linkers
mips: MAAR: Use more precise address mask
mips: Add udelay lpj numbers adjustment
crypto: stm32/crc32 - fix ext4 chksum BUG_ON()
crypto: stm32/crc32 - fix run-time self test issue.
crypto: stm32/crc32 - fix multi-instance
x86/mm: Stop printing BRK addresses
m68k: mac: Don't call via_flush_cache() on Mac IIfx
btrfs: qgroup: mark qgroup inconsistent if we're inherting snapshot to a new qgroup
macvlan: Skip loopback packets in RX handler
PCI: Don't disable decoding when mmio_always_on is set
MIPS: Fix IRQ tracing when call handle_fpe() and handle_msa_fpe()
bcache: fix refcount underflow in bcache_device_free()
mmc: sdhci-msm: Set SDHCI_QUIRK_MULTIBLOCK_READ_ACMD12 quirk
staging: greybus: sdio: Respect the cmd->busy_timeout from the mmc core
mmc: via-sdmmc: Respect the cmd->busy_timeout from the mmc core
ixgbe: fix signed-integer-overflow warning
mmc: sdhci-esdhc-imx: fix the mask for tuning start point
spi: dw: Return any value retrieved from the dma_transfer callback
cpuidle: Fix three reference count leaks
platform/x86: hp-wmi: Convert simple_strtoul() to kstrtou32()
platform/x86: intel-hid: Add a quirk to support HP Spectre X2 (2015)
platform/x86: intel-vbtn: Only blacklist SW_TABLET_MODE on the 9 / "Laptop" chasis-type
string.h: fix incompatibility between FORTIFY_SOURCE and KASAN
btrfs: include non-missing as a qualifier for the latest_bdev
btrfs: send: emit file capabilities after chown
mm: thp: make the THP mapcount atomic against __split_huge_pmd_locked()
mm: initialize deferred pages with interrupts enabled
ima: Fix ima digest hash table key calculation
ima: Directly assign the ima_default_policy pointer to ima_rules
evm: Fix possible memory leak in evm_calc_hmac_or_hash()
ext4: fix EXT_MAX_EXTENT/INDEX to check for zeroed eh_max
ext4: fix error pointer dereference
ext4: fix race between ext4_sync_parent() and rename()
PCI: Avoid Pericom USB controller OHCI/EHCI PME# defect
PCI: Avoid FLR for AMD Matisse HD Audio & USB 3.0
PCI: Avoid FLR for AMD Starship USB 3.0
PCI: Add ACS quirk for iProc PAXB
PCI: Add ACS quirk for Intel Root Complex Integrated Endpoints
PCI: Remove unused NFP32xx IDs
pci:ipmi: Move IPMI PCI class id defines to pci_ids.h
hwmon/k10temp, x86/amd_nb: Consolidate shared device IDs
x86/amd_nb: Add PCI device IDs for family 17h, model 30h
PCI: add USR vendor id and use it in r8169 and w6692 driver
PCI: Move Synopsys HAPS platform device IDs
PCI: Move Rohm Vendor ID to generic list
misc: pci_endpoint_test: Add the layerscape EP device support
misc: pci_endpoint_test: Add support to test PCI EP in AM654x
PCI: Add Synopsys endpoint EDDA Device ID
PCI: Add NVIDIA GPU multi-function power dependencies
PCI: Enable NVIDIA HDA controllers
PCI: mediatek: Add controller support for MT7629
x86/amd_nb: Add PCI device IDs for family 17h, model 70h
ALSA: lx6464es - add support for LX6464ESe pci express variant
PCI: Add Genesys Logic, Inc. Vendor ID
PCI: Add Amazon's Annapurna Labs vendor ID
PCI: vmd: Add device id for VMD device 8086:9A0B
x86/amd_nb: Add Family 19h PCI IDs
PCI: Add Loongson vendor ID
serial: 8250_pci: Move Pericom IDs to pci_ids.h
PCI: Make ACS quirk implementations more uniform
PCI: Unify ACS quirk desired vs provided checking
PCI: Generalize multi-function power dependency device links
btrfs: fix error handling when submitting direct I/O bio
btrfs: fix wrong file range cleanup after an error filling dealloc range
ima: Call ima_calc_boot_aggregate() in ima_eventdigest_init()
PCI: Program MPS for RCiEP devices
e1000e: Disable TSO for buffer overrun workaround
e1000e: Relax condition to trigger reset for ME workaround
carl9170: remove P2P_GO support
media: go7007: fix a miss of snd_card_free
Bluetooth: hci_bcm: fix freeing not-requested IRQ
b43legacy: Fix case where channel status is corrupted
b43: Fix connection problem with WPA3
b43_legacy: Fix connection problem with WPA3
media: ov5640: fix use of destroyed mutex
igb: Report speed and duplex as unknown when device is runtime suspended
power: vexpress: add suppress_bind_attrs to true
pinctrl: samsung: Correct setting of eint wakeup mask on s5pv210
pinctrl: samsung: Save/restore eint_mask over suspend for EINT_TYPE GPIOs
gnss: sirf: fix error return code in sirf_probe()
sparc32: fix register window handling in genregs32_[gs]et()
sparc64: fix misuses of access_process_vm() in genregs32_[sg]et()
dm crypt: avoid truncating the logical block size
alpha: fix memory barriers so that they conform to the specification
kernel/cpu_pm: Fix uninitted local in cpu_pm
ARM: tegra: Correct PL310 Auxiliary Control Register initialization
ARM: dts: exynos: Fix GPIO polarity for thr GalaxyS3 CM36651 sensor's bus
ARM: dts: at91: sama5d2_ptc_ek: fix vbus pin
ARM: dts: s5pv210: Set keep-power-in-suspend for SDHCI1 on Aries
drivers/macintosh: Fix memleak in windfarm_pm112 driver
powerpc/64s: Don't let DT CPU features set FSCR_DSCR
powerpc/64s: Save FSCR to init_task.thread.fscr after feature init
kbuild: force to build vmlinux if CONFIG_MODVERSION=y
sunrpc: svcauth_gss_register_pseudoflavor must reject duplicate registrations.
sunrpc: clean up properly in gss_mech_unregister()
mtd: rawnand: brcmnand: fix hamming oob layout
mtd: rawnand: pasemi: Fix the probe error path
w1: omap-hdq: cleanup to add missing newline for some dev_dbg
perf probe: Do not show the skipped events
perf probe: Fix to check blacklist address correctly
perf probe: Check address correctness by map instead of _etext
perf symbols: Fix debuginfo search for Ubuntu
Linux 4.19.129
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I7b1108d90ee1109a28fe488a4358b7a3e101d9c9
commit 24c5efe41c29ee3e55bcf5a1c9f61ca8709622e8 upstream.
gss_mech_register() calls svcauth_gss_register_pseudoflavor() for each
flavour, but gss_mech_unregister() does not call auth_domain_put().
This is unbalanced and makes it impossible to reload the module.
Change svcauth_gss_register_pseudoflavor() to return the registered
auth_domain, and save it for later release.
Cc: stable@vger.kernel.org (v2.6.12+)
Link: https://bugzilla.kernel.org/show_bug.cgi?id=206651
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d47a5dc2888fd1b94adf1553068b8dad76cec96c upstream.
There is no valid case for supporting duplicate pseudoflavor
registrations.
Currently the silent acceptance of such registrations is hiding a bug.
The rpcsec_gss_krb5 module registers 2 flavours but does not unregister
them, so if you load, unload, reload the module, it will happily
continue to use the old registration which now has pointers to the
memory were the module was originally loaded. This could lead to
unexpected results.
So disallow duplicate registrations.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=206651
Cc: stable@vger.kernel.org (v2.6.12+)
Signed-off-by: NeilBrown <neilb@suse.de>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 0d7c83463fdf7841350f37960a7abadd3e650b41 ]
Instead of EINVAL which should be used for malformed netlink messages.
Fixes: eb31628e37 ("netfilter: nf_tables: Add support for IPv6 NAT")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 9ad346c90509ebd983f60da7d082f261ad329507 ]
The commit 8c46fcd783 ("batman-adv: disable ethtool link speed detection
when auto negotiation off") disabled the usage of ethtool's link_ksetting
when auto negotation was enabled due to invalid values when used with
tun/tap virtual net_devices. According to the patch, automatic measurements
should be used for these kind of interfaces.
But there are major flaws with this argumentation:
* automatic measurements are not implemented
* auto negotiation has nothing to do with the validity of the retrieved
values
The first point has to be fixed by a longer patch series. The "validity"
part of the second point must be addressed in the same patch series by
dropping the usage of ethtool's link_ksetting (thus always doing automatic
measurements over ethernet).
Drop the patch again to have more default values for various net_device
types/configurations. The user can still overwrite them using the
batadv_hardif's BATADV_ATTR_THROUGHPUT_OVERRIDE.
Reported-by: Matthias Schiffer <mschiffer@universe-factory.net>
Signed-off-by: Sven Eckelmann <sven@narfation.org>
Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 56b5453a86203a44726f523b4133c1feca49ce7c ]
Bluetooth PTS test case HFP/AG/ACC/BI-12-I accepts SCO connection
with invalid parameter at the first SCO request expecting AG to
attempt another SCO request with the use of "safe settings" for
given codec, base on section 5.7.1.2 of HFP 1.7 specification.
This patch addresses it by adding "Invalid LMP Parameters" (0x1e)
to the SCO fallback case. Verified with below log:
< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
Handle: 256
Transmit bandwidth: 8000
Receive bandwidth: 8000
Max latency: 13
Setting: 0x0003
Input Coding: Linear
Input Data Format: 1's complement
Input Sample Size: 8-bit
# of bits padding at MSB: 0
Air Coding Format: Transparent Data
Retransmission effort: Optimize for link quality (0x02)
Packet type: 0x0380
3-EV3 may not be used
2-EV5 may not be used
3-EV5 may not be used
> HCI Event: Command Status (0x0f) plen 4
Setup Synchronous Connection (0x01|0x0028) ncmd 1
Status: Success (0x00)
> HCI Event: Number of Completed Packets (0x13) plen 5
Num handles: 1
Handle: 256
Count: 1
> HCI Event: Max Slots Change (0x1b) plen 3
Handle: 256
Max slots: 1
> HCI Event: Synchronous Connect Complete (0x2c) plen 17
Status: Invalid LMP Parameters / Invalid LL Parameters (0x1e)
Handle: 0
Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
Link type: eSCO (0x02)
Transmission interval: 0x00
Retransmission window: 0x02
RX packet length: 0
TX packet length: 0
Air mode: Transparent (0x03)
< HCI Command: Setup Synchronous Connection (0x01|0x0028) plen 17
Handle: 256
Transmit bandwidth: 8000
Receive bandwidth: 8000
Max latency: 8
Setting: 0x0003
Input Coding: Linear
Input Data Format: 1's complement
Input Sample Size: 8-bit
# of bits padding at MSB: 0
Air Coding Format: Transparent Data
Retransmission effort: Optimize for link quality (0x02)
Packet type: 0x03c8
EV3 may be used
2-EV3 may not be used
3-EV3 may not be used
2-EV5 may not be used
3-EV5 may not be used
> HCI Event: Command Status (0x0f) plen 4
Setup Synchronous Connection (0x01|0x0028) ncmd 1
Status: Success (0x00)
> HCI Event: Max Slots Change (0x1b) plen 3
Handle: 256
Max slots: 5
> HCI Event: Max Slots Change (0x1b) plen 3
Handle: 256
Max slots: 1
> HCI Event: Synchronous Connect Complete (0x2c) plen 17
Status: Success (0x00)
Handle: 257
Address: 00:1B:DC:F2:21:59 (OUI 00-1B-DC)
Link type: eSCO (0x02)
Transmission interval: 0x06
Retransmission window: 0x04
RX packet length: 30
TX packet length: 30
Air mode: Transparent (0x03)
Signed-off-by: Hsin-Yu Chao <hychao@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 53fc685243bd6fb90d90305cea54598b78d3cbfc ]
When neighbor suppression is enabled the bridge device might reply to
Neighbor Solicitation (NS) messages on behalf of remote hosts.
In case the NS message includes the "Source link-layer address" option
[1], the bridge device will use the specified address as the link-layer
destination address in its reply.
To avoid an infinite loop, break out of the options parsing loop when
encountering an option with length zero and disregard the NS message.
This is consistent with the IPv6 ndisc code and RFC 4886 which states
that "Nodes MUST silently discard an ND packet that contains an option
with length zero" [2].
[1] https://tools.ietf.org/html/rfc4861#section-4.3
[2] https://tools.ietf.org/html/rfc4861#section-4.6
Fixes: ed842faeb2 ("bridge: suppress nd pkts on BR_NEIGH_SUPPRESS ports")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Alla Segal <allas@mellanox.com>
Tested-by: Alla Segal <allas@mellanox.com>
Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 79a1f0ccdbb4ad700590f61b00525b390cb53905 ]
Socket option IPV6_ADDRFORM supports UDP/UDPLITE and TCP at present.
Previously the checking logic looks like:
if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
do_some_check;
else if (sk->sk_protocol != IPPROTO_TCP)
break;
After commit b6f6118901d1 ("ipv6: restrict IPV6_ADDRFORM operation"), TCP
was blocked as the logic changed to:
if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
do_some_check;
else if (sk->sk_protocol == IPPROTO_TCP)
do_some_check;
break;
else
break;
Then after commit 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation")
UDP/UDPLITE were blocked as the logic changed to:
if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
do_some_check;
if (sk->sk_protocol == IPPROTO_TCP)
do_some_check;
if (sk->sk_protocol != IPPROTO_TCP)
break;
Fix it by using Eric's code and simply remove the break in TCP check, which
looks like:
if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
do_some_check;
else if (sk->sk_protocol == IPPROTO_TCP)
do_some_check;
else
break;
Fixes: 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation")
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Commit 5ad6300524 ("genetlink: disallow subscribing to unknown
mcast groups") disallows userspace to subscribe to groups that don't
exist in kernel. As a result, communication between processes is
not possible unless they explicitly register a dummy group with the
kernel even if the communication is between userspace processes
only. NETLINK_USERSOCK cannot be used here since userspace processes
would require CAP_NET_ADMIN to receive multicast messages which
is available for priveleged processes only.
Fix this problem by reverting the change till a solution is
determined internally and upstream discussion.
Bug: 158311262
CRs-Fixed: 2086060
Change-Id: Id559d9ef9d1e0a25e3bbdc81503978f01c6ed85f
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
(cherry-picked from commit 047570fa7c)
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Change-Id: Id559d9ef9d1e0a25e3bbdc81503978f01c6ed85f
[ Upstream commit 7e0afbdfd13d1e708fe96e31c46c4897101a6a43 ]
The accept(2) is an "input" socket interface, so we should use
SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
So this patch replace sock_sndtimeo() with sock_rcvtimeo() to
use the right timeout in the vsock_accept().
Fixes: d021c34405 ("VSOCK: Introduce VM Sockets")
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Reviewed-by: Jorgen Hansen <jhansen@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit d9a81a225277686eb629938986d97629ea102633 ]
syzbot was able to trigger a crash after using an ISDN socket
and fool l2tp.
Fix this by making sure the UDP socket is of the proper family.
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
Write of size 1 at addr ffff88808ed0c590 by task syz-executor.5/3018
CPU: 0 PID: 3018 Comm: syz-executor.5 Not tainted 5.7.0-rc6-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x188/0x20d lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd3/0x413 mm/kasan/report.c:382
__kasan_report.cold+0x20/0x38 mm/kasan/report.c:511
kasan_report+0x33/0x50 mm/kasan/common.c:625
setup_udp_tunnel_sock+0x465/0x540 net/ipv4/udp_tunnel.c:78
l2tp_tunnel_register+0xb15/0xdd0 net/l2tp/l2tp_core.c:1523
l2tp_nl_cmd_tunnel_create+0x4b2/0xa60 net/l2tp/l2tp_netlink.c:249
genl_family_rcv_msg_doit net/netlink/genetlink.c:673 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:718 [inline]
genl_rcv_msg+0x627/0xdf0 net/netlink/genetlink.c:735
netlink_rcv_skb+0x15a/0x410 net/netlink/af_netlink.c:2469
genl_rcv+0x24/0x40 net/netlink/genetlink.c:746
netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
netlink_unicast+0x537/0x740 net/netlink/af_netlink.c:1329
netlink_sendmsg+0x882/0xe10 net/netlink/af_netlink.c:1918
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:672
____sys_sendmsg+0x6e6/0x810 net/socket.c:2352
___sys_sendmsg+0x100/0x170 net/socket.c:2406
__sys_sendmsg+0xe5/0x1b0 net/socket.c:2439
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
RIP: 0033:0x45ca29
Code: 0d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007effe76edc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004fe1c0 RCX: 000000000045ca29
RDX: 0000000000000000 RSI: 0000000020000240 RDI: 0000000000000005
RBP: 000000000078bf00 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000094e R14: 00000000004d5d00 R15: 00007effe76ee6d4
Allocated by task 3018:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
__kasan_kmalloc mm/kasan/common.c:495 [inline]
__kasan_kmalloc.constprop.0+0xbf/0xd0 mm/kasan/common.c:468
__do_kmalloc mm/slab.c:3656 [inline]
__kmalloc+0x161/0x7a0 mm/slab.c:3665
kmalloc include/linux/slab.h:560 [inline]
sk_prot_alloc+0x223/0x2f0 net/core/sock.c:1612
sk_alloc+0x36/0x1100 net/core/sock.c:1666
data_sock_create drivers/isdn/mISDN/socket.c:600 [inline]
mISDN_sock_create+0x272/0x400 drivers/isdn/mISDN/socket.c:796
__sock_create+0x3cb/0x730 net/socket.c:1428
sock_create net/socket.c:1479 [inline]
__sys_socket+0xef/0x200 net/socket.c:1521
__do_sys_socket net/socket.c:1530 [inline]
__se_sys_socket net/socket.c:1528 [inline]
__x64_sys_socket+0x6f/0xb0 net/socket.c:1528
do_syscall_64+0xf6/0x7d0 arch/x86/entry/common.c:295
entry_SYSCALL_64_after_hwframe+0x49/0xb3
Freed by task 2484:
save_stack+0x1b/0x40 mm/kasan/common.c:49
set_track mm/kasan/common.c:57 [inline]
kasan_set_free_info mm/kasan/common.c:317 [inline]
__kasan_slab_free+0xf7/0x140 mm/kasan/common.c:456
__cache_free mm/slab.c:3426 [inline]
kfree+0x109/0x2b0 mm/slab.c:3757
kvfree+0x42/0x50 mm/util.c:603
__free_fdtable+0x2d/0x70 fs/file.c:31
put_files_struct fs/file.c:420 [inline]
put_files_struct+0x248/0x2e0 fs/file.c:413
exit_files+0x7e/0xa0 fs/file.c:445
do_exit+0xb04/0x2dd0 kernel/exit.c:791
do_group_exit+0x125/0x340 kernel/exit.c:894
get_signal+0x47b/0x24e0 kernel/signal.c:2739
do_signal+0x81/0x2240 arch/x86/kernel/signal.c:784
exit_to_usermode_loop+0x26c/0x360 arch/x86/entry/common.c:161
prepare_exit_to_usermode arch/x86/entry/common.c:196 [inline]
syscall_return_slowpath arch/x86/entry/common.c:279 [inline]
do_syscall_64+0x6b1/0x7d0 arch/x86/entry/common.c:305
entry_SYSCALL_64_after_hwframe+0x49/0xb3
The buggy address belongs to the object at ffff88808ed0c000
which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 1424 bytes inside of
2048-byte region [ffff88808ed0c000, ffff88808ed0c800)
The buggy address belongs to the page:
page:ffffea00023b4300 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0
flags: 0xfffe0000000200(slab)
raw: 00fffe0000000200 ffffea0002838208 ffffea00015ba288 ffff8880aa000e00
raw: 0000000000000000 ffff88808ed0c000 0000000100000001 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88808ed0c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
ffff88808ed0c500: 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff88808ed0c580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
^
ffff88808ed0c600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff88808ed0c680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
Fixes: 6b9f34239b ("l2tp: fix races in tunnel creation")
Fixes: fd558d186d ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: James Chapman <jchapman@katalix.com>
Cc: Guillaume Nault <gnault@redhat.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1b49cd71b52403822731dc9f283185d1da355f97 ]
When devinet_sysctl_register() failed, the memory allocated
in neigh_parms_alloc() should be freed.
Fixes: 20e61da7ff ("ipv4: fail early when creating netdev named all or default")
Signed-off-by: Yang Yingliang <yangyingliang@huawei.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl7XQQYACgkQONu9yGCS
aT4vwQ/9EZxtWUPh/JSsl+eImHuZjCwa/gzdLh0kUvr4Tgqxv+3KkTZ+7/TyPvID
UgbxxY6qtIP3o4W3kysLAFbOJl+I4IWkEpfCn7vKLzV0BxHjx5Krodo38zT/Ll8S
Vqi62nRpiYiqD0qrr/dZSnlY1SUyMYnQ04NKKyZokyj392ErEE2TWNGhN4m3369A
2Dm46WDKckMudkUElXvu2rQkIpVMJACr/aUaFWmmGsfZt+TGQtjRozlKkkq1vokW
WJEdCVjQwmeWW5T/OZdfM5VmuqspgtU4BhAmzxTVHGGWw+MIEcNU7LIz3s7cpBdr
7ykY4NcXxvPO5Mn/P5usOZFT/TncZQ65ZqxAEgPoF089D0uXkVTOV9dCLqPzej+g
/druvsu6bJqsbi8sd5mftXi5KKH/VDPrxnkEEvhIcuc9GCAKCQjtYz8Vtmkek30U
Mz/UcqhtUTzOJU6yZg7zV/JQ6jrzrXm4VFDdiUHoNe3LuWtFsExMXhokV9TBsScY
LtDYfe9qIq345BHsKah46VKEIa0Sb53eJFKRrEUK+4EVNr8Rp13afdXPlweX41O+
ecBlHfpRsi6MB2/fY6lBlE0uHIYSIlV78wV0wHC4czbROCYY2XSCCS2MoEXu5kD4
KMqXE6nM4tYqgV3arc2nHzth7GaEnbyCPSMMOq+2on6XB4LCRQc=
=rO6H
-----END PGP SIGNATURE-----
Merge 4.19.126 into android-4.19-stable
Changes in 4.19.126
ax25: fix setsockopt(SO_BINDTODEVICE)
dpaa_eth: fix usage as DSA master, try 3
net: dsa: mt7530: fix roaming from DSA user ports
__netif_receive_skb_core: pass skb by reference
net: inet_csk: Fix so_reuseport bind-address cache in tb->fast*
net: ipip: fix wrong address family in init error path
net/mlx5: Add command entry handling completion
net: qrtr: Fix passing invalid reference to qrtr_local_enqueue()
net: revert "net: get rid of an signed integer overflow in ip_idents_reserve()"
net sched: fix reporting the first-time use timestamp
r8152: support additional Microsoft Surface Ethernet Adapter variant
sctp: Don't add the shutdown timer if its already been added
sctp: Start shutdown on association restart if in SHUTDOWN-SENT state and socket is closed
net/mlx5e: Update netdev txq on completions during closure
net/mlx5: Annotate mutex destroy for root ns
net: sun: fix missing release regions in cas_init_one().
net/mlx4_core: fix a memory leak bug.
mlxsw: spectrum: Fix use-after-free of split/unsplit/type_set in case reload fails
ARM: dts: rockchip: fix phy nodename for rk3228-evb
arm64: dts: rockchip: fix status for &gmac2phy in rk3328-evb.dts
arm64: dts: rockchip: swap interrupts interrupt-names rk3399 gpu node
ARM: dts: rockchip: swap clock-names of gpu nodes
ARM: dts: rockchip: fix pinctrl sub nodename for spi in rk322x.dtsi
gpio: tegra: mask GPIO IRQs during IRQ shutdown
ALSA: usb-audio: add mapping for ASRock TRX40 Creator
net: microchip: encx24j600: add missed kthread_stop
gfs2: move privileged user check to gfs2_quota_lock_check
cachefiles: Fix race between read_waiter and read_copier involving op->to_do
usb: dwc3: pci: Enable extcon driver for Intel Merrifield
usb: gadget: legacy: fix redundant initialization warnings
net: freescale: select CONFIG_FIXED_PHY where needed
IB/i40iw: Remove bogus call to netdev_master_upper_dev_get()
riscv: stacktrace: Fix undefined reference to `walk_stackframe'
cifs: Fix null pointer check in cifs_read
samples: bpf: Fix build error
Input: usbtouchscreen - add support for BonXeon TP
Input: evdev - call input_flush_device() on release(), not flush()
Input: xpad - add custom init packet for Xbox One S controllers
Input: dlink-dir685-touchkeys - fix a typo in driver name
Input: i8042 - add ThinkPad S230u to i8042 reset list
Input: synaptics-rmi4 - really fix attn_data use-after-free
Input: synaptics-rmi4 - fix error return code in rmi_driver_probe()
ARM: 8970/1: decompressor: increase tag size
ARM: 8843/1: use unified assembler in headers
ARM: uaccess: consolidate uaccess asm to asm/uaccess-asm.h
ARM: uaccess: integrate uaccess_save and uaccess_restore
ARM: uaccess: fix DACR mismatch with nested exceptions
gpio: exar: Fix bad handling for ida_simple_get error path
IB/qib: Call kobject_put() when kobject_init_and_add() fails
ARM: dts/imx6q-bx50v3: Set display interface clock parents
ARM: dts: bcm2835-rpi-zero-w: Fix led polarity
ARM: dts: bcm: HR2: Fix PPI interrupt types
mmc: block: Fix use-after-free issue for rpmb
RDMA/pvrdma: Fix missing pci disable in pvrdma_pci_probe()
ALSA: hwdep: fix a left shifting 1 by 31 UB bug
ALSA: hda/realtek - Add a model for Thinkpad T570 without DAC workaround
ALSA: usb-audio: mixer: volume quirk for ESS Technology Asus USB DAC
exec: Always set cap_ambient in cap_bprm_set_creds
ALSA: usb-audio: Quirks for Gigabyte TRX40 Aorus Master onboard audio
ALSA: hda/realtek - Add new codec supported for ALC287
libceph: ignore pool overlay and cache logic on redirects
IB/ipoib: Fix double free of skb in case of multicast traffic in CM mode
mm: remove VM_BUG_ON(PageSlab()) from page_mapcount()
fs/binfmt_elf.c: allocate initialized memory in fill_thread_core_info()
include/asm-generic/topology.h: guard cpumask_of_node() macro argument
iommu: Fix reference count leak in iommu_group_alloc.
parisc: Fix kernel panic in mem_init()
mmc: core: Fix recursive locking issue in CQE recovery path
RDMA/core: Fix double destruction of uobject
mac80211: mesh: fix discovery timer re-arming issue / crash
x86/dma: Fix max PFN arithmetic overflow on 32 bit systems
copy_xstate_to_kernel(): don't leave parts of destination uninitialized
xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
xfrm interface: fix oops when deleting a x-netns interface
xfrm: fix a warning in xfrm_policy_insert_list
xfrm: fix a NULL-ptr deref in xfrm_local_error
xfrm: fix error in comment
vti4: eliminated some duplicate code.
ip_vti: receive ipip packet by calling ip_tunnel_rcv
netfilter: nft_reject_bridge: enable reject with bridge vlan
netfilter: ipset: Fix subcounter update skip
netfilter: nfnetlink_cthelper: unbreak userspace helper support
netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
esp6: get the right proto for transport mode in esp6_gso_encap
bnxt_en: Fix accumulation of bp->net_stats_prev.
xsk: Add overflow check for u64 division, stored into u32
qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
crypto: chelsio/chtls: properly set tp->lsndtime
bonding: Fix reference count leak in bond_sysfs_slave_add.
netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build
mm/vmalloc.c: don't dereference possible NULL pointer in __vunmap()
Linux 4.19.126
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic7ffeb4cbc4d3f1b49c60d97a5d113fcad1d098a
commit b16a87d0aef7a6be766f6618976dc5ff2c689291 upstream.
The npgs member of struct xdp_umem is an u32 entity, and stores the
number of pages the UMEM consumes. The calculation of npgs
npgs = size / PAGE_SIZE
can overflow.
To avoid overflow scenarios, the division is now first stored in a
u64, and the result is verified to fit into 32b.
An alternative would be storing the npgs as a u64, however, this
wastes memory and is an unrealisticly large packet area.
Fixes: c0c77d8fb7 ("xsk: add user memory registration support sockopt")
Reported-by: "Minh Bùi Quang" <minhquangbui99@gmail.com>
Signed-off-by: Björn Töpel <bjorn.topel@intel.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Jonathan Lemon <jonathan.lemon@gmail.com>
Link: https://lore.kernel.org/bpf/CACtPs=GGvV-_Yj6rbpzTVnopgi5nhMoCcTkSkYrJHGQHJWFZMQ@mail.gmail.com/
Link: https://lore.kernel.org/bpf/20200525080400.13195-1-bjorn.topel@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3c96ec56828922e3fe5477f75eb3fc02f98f98b5 upstream.
For transport mode, when ipv6 nexthdr is set, the packet format might
be like:
----------------------------------------------------
| | dest | | | | ESP | ESP |
| IP6 hdr| opts.| ESP | TCP | Data | Trailer | ICV |
----------------------------------------------------
What it wants to get for x-proto in esp6_gso_encap() is the proto that
will be set in ESP nexthdr. So it should skip all ipv6 nexthdrs and
get the real transport protocol. Othersize, the wrong proto number
will be set into ESP nexthdr.
This patch is to skip all ipv6 nexthdrs by calling ipv6_skip_exthdr()
in esp6_gso_encap().
Fixes: 7862b4058b ("esp: Add gso handlers for esp4 and esp6")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Greg Kroah-Hartman
Chuck Lever
Vasily Averin
Russell King
David Howells
Huy Nguyen
Tariq Toukan
guodeqing
Toke Høiland-Jørgensen
Neal Cardwell
Ilya Ponetayev
Taehee Yoo
Eric Dumazet
Denis Kirjanov
Marcelo Ricardo Leitner
Florian Westphal
Yang Yingliang
Thomas Martitz
Wang Hai
Valentin Longchamp
Ahmed S. Darwish
Thomas Gleixner
Li RongQing
YiFei Zhu
Fedor Tokarev
NeilBrown
Pablo Neira Ayuso
Sven Eckelmann
Hsin-Yu Chao
Ido Schimmel
Hangbin Liu
Subash Abhinov Kasiviswanathan
Stefano Garzarella
Maciej Żenczykowski
Björn Töpel
Xin Long