android11-5.4-ksunext
61337 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Nikolay Kuratov
|
067e6ec9f5 |
vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
[ Upstream commit 60316d7f10b17a7ebb1ead0642fee8710e1560e0 ]
We need to do signed arithmetic if we expect condition
`if (bytes < 0)` to be possible
Found by Linux Verification Center (linuxtesting.org) with SVACE
Fixes:
|
||
Dong Chenchen
|
510d45207a |
net: Remove acked SYN flag from packet in the transmit queue correctly
[ Upstream commit f99cd56230f56c8b6b33713c5be4da5d6766be1f ]
syzkaller report:
kernel BUG at net/core/skbuff.c:3452!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 6.7.0-rc4-00009-gbee0e7762ad2-dirty #135
RIP: 0010:skb_copy_and_csum_bits (net/core/skbuff.c:3452)
Call Trace:
icmp_glue_bits (net/ipv4/icmp.c:357)
__ip_append_data.isra.0 (net/ipv4/ip_output.c:1165)
ip_append_data (net/ipv4/ip_output.c:1362 net/ipv4/ip_output.c:1341)
icmp_push_reply (net/ipv4/icmp.c:370)
__icmp_send (./include/net/route.h:252 net/ipv4/icmp.c:772)
ip_fragment.constprop.0 (./include/linux/skbuff.h:1234 net/ipv4/ip_output.c:592 net/ipv4/ip_output.c:577)
__ip_finish_output (net/ipv4/ip_output.c:311 net/ipv4/ip_output.c:295)
ip_output (net/ipv4/ip_output.c:427)
__ip_queue_xmit (net/ipv4/ip_output.c:535)
__tcp_transmit_skb (net/ipv4/tcp_output.c:1462)
__tcp_retransmit_skb (net/ipv4/tcp_output.c:3387)
tcp_retransmit_skb (net/ipv4/tcp_output.c:3404)
tcp_retransmit_timer (net/ipv4/tcp_timer.c:604)
tcp_write_timer (./include/linux/spinlock.h:391 net/ipv4/tcp_timer.c:716)
The panic issue was trigered by tcp simultaneous initiation.
The initiation process is as follows:
TCP A TCP B
1. CLOSED CLOSED
2. SYN-SENT --> <SEQ=100><CTL=SYN> ...
3. SYN-RECEIVED <-- <SEQ=300><CTL=SYN> <-- SYN-SENT
4. ... <SEQ=100><CTL=SYN> --> SYN-RECEIVED
5. SYN-RECEIVED --> <SEQ=100><ACK=301><CTL=SYN,ACK> ...
// TCP B: not send challenge ack for ack limit or packet loss
// TCP A: close
tcp_close
tcp_send_fin
if (!tskb && tcp_under_memory_pressure(sk))
tskb = skb_rb_last(&sk->tcp_rtx_queue); //pick SYN_ACK packet
TCP_SKB_CB(tskb)->tcp_flags |= TCPHDR_FIN; // set FIN flag
6. FIN_WAIT_1 --> <SEQ=100><ACK=301><END_SEQ=102><CTL=SYN,FIN,ACK> ...
// TCP B: send challenge ack to SYN_FIN_ACK
7. ... <SEQ=301><ACK=101><CTL=ACK> <-- SYN-RECEIVED //challenge ack
// TCP A: <SND.UNA=101>
8. FIN_WAIT_1 --> <SEQ=101><ACK=301><END_SEQ=102><CTL=SYN,FIN,ACK> ... // retransmit panic
__tcp_retransmit_skb //skb->len=0
tcp_trim_head
len = tp->snd_una - TCP_SKB_CB(skb)->seq // len=101-100
__pskb_trim_head
skb->data_len -= len // skb->len=-1, wrap around
... ...
ip_fragment
icmp_glue_bits //BUG_ON
If we use tcp_trim_head() to remove acked SYN from packet that contains data
or other flags, skb->len will be incorrectly decremented. We can remove SYN
flag that has been acked from rtx_queue earlier than tcp_trim_head(), which
can fix the problem mentioned above.
Fixes:
|
||
Hyunwoo Kim
|
3df812627e |
net/rose: Fix Use-After-Free in rose_ioctl
[ Upstream commit 810c38a369a0a0ce625b5c12169abce1dd9ccd53 ]
Because rose_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with rose_accept().
A use-after-free for skb occurs with the following flow.
```
rose_ioctl() -> skb_peek()
rose_accept() -> skb_dequeue() -> kfree_skb()
```
Add sk->sk_receive_queue.lock to rose_ioctl() to fix this issue.
Fixes:
|
||
|
Hyunwoo Kim
|
b099c28847 |
atm: Fix Use-After-Free in do_vcc_ioctl
[ Upstream commit 24e90b9e34f9e039f56b5f25f6e6eb92cdd8f4b3 ]
Because do_vcc_ioctl() accesses sk->sk_receive_queue
without holding a sk->sk_receive_queue.lock, it can
cause a race with vcc_recvmsg().
A use-after-free for skb occurs with the following flow.
```
do_vcc_ioctl() -> skb_peek()
vcc_recvmsg() -> skb_recv_datagram() -> skb_free_datagram()
```
Add sk->sk_receive_queue.lock to do_vcc_ioctl() to fix this issue.
Fixes:
|
||
Maciej Żenczykowski
|
9354e0acdb |
net: ipv6: support reporting otherwise unknown prefix flags in RTM_NEWPREFIX
[ Upstream commit bd4a816752bab609dd6d65ae021387beb9e2ddbd ]
Lorenzo points out that we effectively clear all unknown
flags from PIO when copying them to userspace in the netlink
RTM_NEWPREFIX notification.
We could fix this one at a time as new flags are defined,
or in one fell swoop - I choose the latter.
We could either define 6 new reserved flags (reserved1..6) and handle
them individually (and rename them as new flags are defined), or we
could simply copy the entire unmodified byte over - I choose the latter.
This unfortunately requires some anonymous union/struct magic,
so we add a static assert on the struct size for a little extra safety.
Cc: David Ahern <dsahern@kernel.org>
Cc: Lorenzo Colitti <lorenzo@google.com>
Fixes:
|
||
Greg Kroah-Hartman
|
bc99f18e84 |
Revert "psample: Require 'CAP_NET_ADMIN' when joining "packets" group"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
ee9bfb84c7 |
Revert "genetlink: add CAP_NET_ADMIN test for multicast bind"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
4684391cef |
Revert "drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group"
This reverts commit
|
||
kamasali Satyanarayan
|
9110d2473d |
Merge android11-5.4.259+ (81334f2) into msm-5.4
* remotes/origin/tmp-81334f2: UPSTREAM: netfilter: nf_tables: remove busy mark and gc batch API UPSTREAM: netfilter: nft_set_hash: mark set element as dead when deleting from packet path UPSTREAM: netfilter: nf_tables: adapt set backend to use GC transaction API UPSTREAM: netfilter: nf_tables: GC transaction API to avoid race with control plane UPSTREAM: netfilter: nft_set_rbtree: fix overlap expiration walk UPSTREAM: netfilter: nft_set_rbtree: fix null deref on element insertion UPSTREAM: netfilter: nft_set_rbtree: Switch to node list walk for overlap detection UPSTREAM: netfilter: nf_tables: drop map element references from preparation phase UPSTREAM: netfilter: nftables: rename set element data activation/deactivation functions ANDROID: ABI: Update allowed list for QCOM BACKPORT: ALSA: compress: Allow pause and resume during draining UPSTREAM: netfilter: nf_tables: pass context to nft_set_destroy() UPSTREAM: netfilter: nf_tables: don't skip expired elements during walk ANDROID: GKI: db845c: Update symbols list and ABI on rpmsg_register_device_override ANDROID: Use GKI Dr. No OWNERS file ANDROID: Remove android/OWNERs file FROMGIT: Input: uinput - allow injecting event times ANDROID: fix up rpmsg_device ABI break ANDROID: fix up platform_device ABI break UPSTREAM: rpmsg: Fix possible refcount leak in rpmsg_register_device_override() UPSTREAM: rpmsg: glink: Release driver_override BACKPORT: rpmsg: Fix calling device_lock() on non-initialized device BACKPORT: rpmsg: Fix kfree() of static memory on setting driver_override UPSTREAM: rpmsg: Constify local variable in field store macro UPSTREAM: driver: platform: Add helper for safer setting of driver_override Revert "perf: Disallow mis-matched inherited group reads" Revert "xfrm: fix a data-race in xfrm_gen_index()" Revert "Bluetooth: hci_core: Fix build warnings" Revert "xfrm: interface: use DEV_STATS_INC()" Revert "netfilter: conntrack: allow sctp hearbeat after connection re-use" Revert "netfilter: conntrack: don't refresh sctp entries in closed state" Revert "netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp" Reapply "netfilter: conntrack: don't refresh sctp entries in closed state" Reapply "netfilter: conntrack: allow sctp hearbeat after connection re-use" Linux 5.4.259 xfrm6: fix inet6_dev refcount underflow problem Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name Bluetooth: hci_sock: fix slab oob read in create_monitor_event phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins phy: mapphone-mdm6600: Fix runtime PM for remove phy: mapphone-mdm6600: Fix runtime disable on probe ASoC: pxa: fix a memory leak in probe() gpio: vf610: set value before the direction to avoid a glitch s390/pci: fix iommu bitmap allocation perf: Disallow mis-matched inherited group reads USB: serial: option: add Fibocom to DELL custom modem FM101R-GL USB: serial: option: add entry for Sierra EM9191 with new firmware USB: serial: option: add Telit LE910C4-WWX 0x1035 composition ACPI: irq: Fix incorrect return value in acpi_register_gsi() Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" mmc: core: Capture correct oemid-bits for eMMC cards mmc: core: sdio: hold retuning if sdio in 1-bit mode mtd: physmap-core: Restore map_rom fallback mtd: spinand: micron: correct bitmask for ecc status mtd: rawnand: qcom: Unmap the right resource upon probe failure Bluetooth: hci_event: Fix using memcmp when comparing keys HID: multitouch: Add required quirk for Synaptics 0xcd7e device btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c drm: panel-orientation-quirks: Add quirk for One Mix 2S sky2: Make sure there is at least one frag_addr available regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()" wifi: cfg80211: avoid leaking stack data into trace wifi: mac80211: allow transmitting EAPOL frames with tainted key Bluetooth: hci_core: Fix build warnings Bluetooth: Avoid redundant authentication HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event tracing: relax trace_event_eval_update() execution with cond_resched() ata: libata-eh: Fix compilation warning in ata_eh_link_report() gpio: timberdale: Fix potential deadlock on &tgpio->lock overlayfs: set ctime when setting mtime and atime i2c: mux: Avoid potential false error message in i2c_mux_add_adapter btrfs: initialize start_slot in btrfs_log_prealloc_extents btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1 ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA ACPI: resource: Skip IRQ override on ASUS ExpertBook B1502CBA ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA ACPI: resource: Add ASUS model S5402ZA to quirks ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA ACPI: resources: Add DMI-based legacy IRQ override quirk ACPI: Drop acpi_dev_irqresource_disabled() resource: Add irqresource_disabled() net: pktgen: Fix interface flags printing netfilter: nft_set_rbtree: .deactivate fails if element has expired neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve i40e: prevent crash on probe if hw registers have invalid values net: usb: smsc95xx: Fix an error code in smsc95xx_reset() ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr tun: prevent negative ifindex tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb tcp: fix excessive TLP and RACK timeouts from HZ rounding net: rfkill: gpio: prevent value glitch during probe net: ipv6: fix return value check in esp_remove_trailer net: ipv4: fix return value check in esp_remove_trailer xfrm: interface: use DEV_STATS_INC() xfrm: fix a data-race in xfrm_gen_index() qed: fix LL2 RX buffer allocation netfilter: nft_payload: fix wrong mac header matching KVM: x86: Mask LVTPC when handling a PMI regmap: fix NULL deref on lookup nfc: nci: fix possible NULL pointer dereference in send_acknowledge() ice: fix over-shifted variable Bluetooth: avoid memcmp() out of bounds warning Bluetooth: hci_event: Fix coding style Bluetooth: vhci: Fix race when opening vhci device Bluetooth: Fix a refcnt underflow problem for hci_conn Bluetooth: Reject connection with the device which has same BD_ADDR Bluetooth: hci_event: Ignore NULL link key usb: hub: Guard against accesses to uninitialized BOS descriptors Documentation: sysctl: align cells in second content column dev_forward_skb: do not scrub skb mark within the same name space ravb: Fix use-after-free issue in ravb_tx_timeout_work() powerpc/64e: Fix wrong test in __ptep_test_and_clear_young() powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE dmaengine: mediatek: Fix deadlock caused by synchronize_irq() x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call usb: gadget: udc-xilinx: replace memcpy with memcpy_toio pinctrl: avoid unsafe code pattern in find_pinctrl() cgroup: Remove duplicates in cgroup v1 tasks file Input: xpad - add PXN V900 support Input: psmouse - fix fast_reconnect function for PS/2 mode Input: powermate - fix use-after-free in powermate_config_complete ceph: fix incorrect revoked caps assert in ceph_fill_file_size() libceph: use kernel_connect() mcb: remove is_added flag from mcb_device struct iio: pressure: ms5611: ms5611_prom_is_valid false negative bug iio: pressure: dps310: Adjust Timeout Settings iio: pressure: bmp280: Fix NULL pointer exception usb: musb: Modify the "HWVers" register address usb: musb: Get the musb_qh poniter after musb_giveback usb: dwc3: Soft reset phy on probe for host net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer dmaengine: stm32-mdma: abort resume if no ongoing transfer workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask() nfc: nci: assert requested protocol is valid net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() ixgbe: fix crash with empty VF macvlan list drm/vmwgfx: fix typo of sizeof argument xen-netback: use default TX queue size for vifs mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type ieee802154: ca8210: Fix a potential UAF in ca8210_probe ravb: Fix up dma_free_coherent() call in ravb_remove() drm/msm/dsi: skip the wait for video mode done if not applicable drm: etvnaviv: fix bad backport leading to warning net: prevent address rewrite in kernel_bind() quota: Fix slow quotaoff HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect pwm: hibvt: Explicitly set .polarity in .get_state() lib/test_meminit: fix off-by-one error in test_pages() RDMA/cxgb4: Check skb value for failure to allocate Reapply "ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark"" Revert "ring-buffer: Update "shortest_full" in polling" Revert "ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark"" Revert "net: bridge: use DEV_STATS_INC()" FROMLIST: lib/test_meminit: fix off-by-one error in test_pages() Linux 5.4.258 xen/events: replace evtchn_rwlock with RCU ima: rework CONFIG_IMA dependency block NFS: Fix a race in __nfs_list_for_each_server() parisc: Restore __ldcw_align for PA-RISC 2.0 processors RDMA/mlx5: Fix NULL string error RDMA/siw: Fix connection failure handling RDMA/uverbs: Fix typo of sizeof argument RDMA/cma: Fix truncation compilation warning in make_cma_ports gpio: pxa: disable pinctrl calls for MMP_GPIO gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() IB/mlx4: Fix the size of a buffer in add_port_entries() RDMA/core: Require admin capabilities to set system parameters cpupower: add Makefile dependencies for install targets sctp: update hb timer immediately after users change hb_interval sctp: update transport state when processing a dupcook packet tcp: fix delayed ACKs for MSS boundary condition tcp: fix quick-ack counting to count actual ACKs of new data net: stmmac: dwmac-stm32: fix resume on STM32 MCU netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp net: nfc: llcp: Add lock when modifying device list net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() net: fix possible store tearing in neigh_periodic_work() modpost: add missing else to the "of" check NFSv4: Fix a nfs4_state_manager() race NFS: Add a helper nfs_client_for_each_server() NFS4: Trace state recovery operation wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling wifi: mwifiex: Fix tlv_buf_left calculation scsi: target: core: Fix deadlock due to recursive locking drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close() qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet regmap: rbtree: Fix wrong register marked as in-cache when creating new node wifi: iwlwifi: dbg_ini: fix structure packing ubi: Refuse attaching if mtd's erasesize is 0 net: prevent rewrite of msg_name in sock_sendmsg() net: replace calls to sock->ops->connect() with kernel_connect() fs: binfmt_elf_efpic: fix personality for ELF-FDPIC scsi: zfcp: Fix a double put in zfcp_port_enqueue() ata: libata-sata: increase PMP SRST timeout to 10s Revert "PCI: qcom: Disable write access to read only registers for IP v2.3.3" ata: libata-core: Do not register PM operations for SAS ports rbd: take header_rwsem in rbd_dev_refresh() only when updating ata: libata-core: Fix port and device removal rbd: decouple parent info read-in from updating rbd_dev ata: libata-core: Fix ata_port_request_pm() locking rbd: decouple header read-in from updating rbd_dev->header rbd: move rbd_dev_refresh() definition ring-buffer: Update "shortest_full" in polling i2c: i801: unregister tco_pdev in i801_probe() error path net: thunderbolt: Fix TCPv6 GSO checksum calculation ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES btrfs: properly report 0 avail for very full file systems ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() serial: 8250_port: Check IRQ data before use Smack:- Use overlay inode label in smack_inode_copy_up() smack: Retrieve transmuting information in smack_inode_getsecurity() smack: Record transmuting in smk_transmuted i40e: fix return of uninitialized aq_ret in i40e_set_vsi_promisc i40e: always propagate error value in i40e_set_vsi_promisc() ring-buffer: Avoid softlockup in ring_buffer_resize() selftests/ftrace: Correctly enable event in instance-event.tc i40e: improve locking of mac_filter_hash watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running watchdog: iTCO_wdt: No need to stop the timer in probe nvme-pci: do not set the NUMA node of device if it has none fbdev/sh7760fb: Depend on FB=y ncsi: Propagate carrier gain/loss events to the NCSI controller powerpc/watchpoints: Annotate atomic context in more places bpf: Clarify error expectations from bpf_clone_redirect spi: nxp-fspi: reset the FLSHxCR1 registers ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset() parisc: irq: Make irq_stack_union static to avoid sparse warning parisc: drivers: Fix sparse warning parisc: iosapic.c: Fix sparse warnings parisc: sba: Fix compile warning wrt list of SBA devices gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip xtensa: boot/lib: fix function prototypes xtensa: boot: don't add include-dirs xtensa: iss/network: make functions static xtensa: add default definition for XCHAL_HAVE_DIV32 bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot clk: tegra: fix error return case for recalc_rate scsi: qla2xxx: Fix deletion race condition MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled scsi: qla2xxx: Fix update_fcport for current_topology ata: libata: disallow dev-initiated LPM transitions to unsupported states Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN drm/amd/display: prevent potential division by zero errors i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() drm/amd/display: Fix LFC multiplier changing erratically gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() drm/amd/display: Reinstate LFC optimization netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP net: rds: Fix possible NULL-pointer dereference team: fix null-ptr-deref when team device type is changed net: bridge: use DEV_STATS_INC() net: hns3: add 5ms delay before clear firmware reset irq source dccp: fix dccp_v4_err()/dccp_v6_err() again powerpc/perf/hv-24x7: Update domain value check ipv4: fix null-deref in ipv4_link_failure i40e: Fix VF VLAN offloading when port VLAN is configured i40e: Fix warning message and call stack during rmmod i40e driver i40e: Remove scheduling while atomic possibility i40e: Fix for persistent lldp support ASoC: imx-audmix: Fix return error with devm_clk_get() selftests: tls: swap the TX and RX sockets in some tests ASoC: meson: spdifin: start hw on dai probe selftests/tls: Add {} to avoid static checker warning ext4: do not let fstrim block system suspend bpf: Avoid deadlock when using queue and stack maps from NMI ext4: move setting of trimmed bit into ext4_try_to_trim_range() netfilter: nf_tables: disallow element removal on anonymous sets ext4: replace the traditional ternary conditional operator with with max()/min() ext4: mark group as trimmed only if it was fully scanned ext4: change s_last_trim_minblks type to unsigned long ext4: scope ret locally in ext4_try_to_trim_range() ext4: add new helper interface ext4_try_to_trim_range() ext4: remove the 'group' parameter of ext4_trim_extent ata: libahci: clear pending interrupt status tracing: Increase trace array ref count on enable and filter files SUNRPC: Mark the cred for revalidation if the server rejects it NFS/pNFS: Report EINVAL errors from connect() to the server Revert "drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01" Revert "usb: typec: bus: verify partner exists in typec_altmode_attention" Revert "fs/nls: make load_nls() take a const parameter" Revert "ip_tunnels: use DEV_STATS_INC()" Linux 5.4.257 net/sched: Retire rsvp classifier drm/amdgpu: fix amdgpu_cs_p1_user_fence mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller ext4: fix rec_len verify error scsi: megaraid_sas: Fix deadlock on firmware crashdump i2c: aspeed: Reset the i2c controller when timeout occurs tracefs: Add missing lockdown check to tracefs_create_dir() nfsd: fix change_info in NFSv4 RENAME replies tracing: Have option files inc the trace array ref count tracing: Have current_trace inc the trace array ref count btrfs: fix lockdep splat and potential deadlock after failure running delayed items attr: block mode changes of symlinks md/raid1: fix error: ISO C90 forbids mixed declarations selftests: tracing: Fix to unmount tracefs for recovering environment btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super btrfs: add a helper to read the superblock metadata_uuid btrfs: move btrfs_pinned_by_swapfile prototype into volumes.h perf tools: Add an option to build without libbfd perf jevents: Make build dependency on test JSONs tools features: Add feature test to check if libbfd has buildid support kobject: Add sanity check for kset->kobj.ktype in kset_register() media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning serial: cpm_uart: Avoid suspicious locking scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc media: pci: cx23885: replace BUG with error return media: tuners: qt1010: replace BUG_ON with a regular error media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() media: anysee: fix null-ptr-deref in anysee_master_xfer media: af9005: Fix null-ptr-deref in af9005_i2c_xfer media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer powerpc/pseries: fix possible memory leak in ibmebus_bus_init() jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() ext2: fix datatype of block number in ext2_xattr_set2() md: raid1: fix potential OOB in raid1_remove_disk() bus: ti-sysc: Configure uart quirks for k3 SoC drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable() wifi: mac80211_hwsim: drop short frames alx: fix OOB-read compiler warning mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450 tpm_tis: Resend command to recover from data transfer errors crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() wifi: mwifiex: fix fortify warning wifi: ath9k: fix printk specifier devlink: remove reload failed checks in params get/set callbacks hw_breakpoint: fix single-stepping when using bpf_overflow_handler perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09 ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470 kernel/fork: beware of __put_task_struct() calling context ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock btrfs: output extra debug info if we failed to find an inline backref autofs: fix memory leak of waitqueues in autofs_catatonic_mode parisc: Drop loops_per_jiffy from per_cpu struct drm/amd/display: Fix a bug when searching for insert_above_mpcc kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). ixgbe: fix timestamp configuration code net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() platform/mellanox: mlxbf-tmfifo: Drop jumbo frames mlxbf-tmfifo: sparse tags for config access platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors kcm: Fix memory leak in error path of kcm_sendmsg() r8152: check budget for r8152_poll() net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc() net: ipv4: fix one memleak in __inet_del_ifa() clk: imx8mm: Move 1443X/1416X PLL clock structure to common place ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2 usb: typec: bus: verify partner exists in typec_altmode_attention usb: typec: tcpm: Refactor tcpm_handle_vdm_request usb: typec: tcpm: Refactor tcpm_handle_vdm_request payload handling perf tools: Handle old data in PERF_RECORD_ATTR perf hists browser: Fix hierarchy mode header mtd: rawnand: brcmnand: Fix potential false time out warning mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write mtd: rawnand: brcmnand: Fix crash during the panic_write btrfs: use the correct superblock to compare fsid in btrfs_validate_super btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART fuse: nlookup missing decrement in fuse_direntplus_link ata: pata_ftide010: Add missing MODULE_DESCRIPTION ata: sata_gemini: Add missing MODULE_DESCRIPTION sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory() net: hns3: fix the port information display when sfp is absent netfilter: nfnetlink_osf: avoid OOB read ip_tunnels: use DEV_STATS_INC() idr: fix param name in idr_alloc_cyclic() doc s390/zcrypt: don't leak memory if dev_set_name() fails igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 kcm: Destroy mutex in kcm_exit_net() net: sched: sch_qfq: Fix UAF in qfq_dequeue() af_unix: Fix data race around sk->sk_err. af_unix: Fix data-races around sk->sk_shutdown. af_unix: Fix data-race around unix_tot_inflight. af_unix: Fix data-races around user->unix_inflight. net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr veth: Fixing transmit return status for dropped packets igb: disable virtualization features on 82580 net: read sk->sk_family once in sk_mc_loop() ipv4: annotate data-races around fi->fib_dead sctp: annotate data-races around sk->sk_wmem_queued pwm: lpc32xx: Remove handling of PWM channels watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load perf top: Don't pass an ERR_PTR() directly to perf_session__delete() x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm() perf annotate bpf: Don't enclose non-debug code with an assert() kconfig: fix possible buffer overflow NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info soc: qcom: qmi_encdec: Restrict string length in decode clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock parisc: led: Reduce CPU overhead for disk & lan LED computation parisc: led: Fix LAN receive and transmit LEDs lib/test_meminit: allocate pages up to order MAX_ORDER drm/ast: Fix DRAM init on AST2200 fbdev/ep93xx-fb: Do not assign to struct fb_info.dev scsi: qla2xxx: Remove unsupported ql2xenabledif option scsi: qla2xxx: Turn off noisy message log scsi: qla2xxx: Fix erroneous link up failure scsi: qla2xxx: fix inconsistent TMF timeout net/ipv6: SKB symmetric hash should incorporate transport ports drm: fix double free for gbo in drm_gem_vram_init and drm_gem_vram_create udf: initialize newblock to 0 usb: typec: tcpci: clear the fault status bit serial: sc16is7xx: fix broken port 0 uart init sc16is7xx: Set iobase to device index cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug crypto: stm32 - fix loop iterating through scatterlist for DMA s390/ipl: add missing secure/has_secure file to ipl type 'unknown' pstore/ram: Check start of empty przs during init fsverity: skip PKCS#7 parser when keyring is empty net: handle ARPHRD_PPP in dev_is_mac_header_xmit() X.509: if signature is unsupported skip validation dccp: Fix out of bounds access in DCCP error handler dlm: fix plock lookup when using multiple lockspaces parisc: Fix /proc/cpuinfo output for lscpu procfs: block chmod on /proc/thread-self/comm Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset" ntb: Fix calculation ntb_transport_tx_free_entry() ntb: Clean up tx tail index on link down ntb: Drop packets when qp link is down media: dvb: symbol fixup for dvb_attach() xtensa: PMU: fix base address for the newer hardware backlight/lv5207lp: Compare against struct fb_info.device backlight/bd6107: Compare against struct fb_info.device backlight/gpio_backlight: Compare against struct fb_info.device ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch() ipmi_si: fix a memleak in try_smi_init() ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl PM / devfreq: Fix leak in devfreq_dev_release() igb: set max size RX buffer when store bad packet is enabled skbuff: skb_segment, Call zero copy functions before using skbuff frags netfilter: xt_sctp: validate the flag_info count netfilter: xt_u32: validate user space input netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU virtio_ring: fix avail_wrap_counter in virtqueue_add_packed cpufreq: Fix the race condition while updating the transition_task of policy dmaengine: ste_dma40: Add missing IRQ check in d40_probe um: Fix hostaudio build errors mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume() rpmsg: glink: Add check for kstrdup phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328 tracing: Fix race issue between cpu buffer write and swap x86/speculation: Mark all Skylake CPUs as vulnerable to GDS HID: multitouch: Correct devm device reference for hidinput input_dev name HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode() RDMA/siw: Correct wrong debug message RDMA/siw: Balance the reference of cep->kref in the error path Revert "IB/isert: Fix incorrect release of isert connection" amba: bus: fix refcount leak serial: tegra: handle clk prepare error in tegra_uart_hw_init() scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock scsi: core: Use 32-bit hostnum in scsi_host_lookup() media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors media: ov2680: Fix vflip / hflip set functions media: ov2680: Fix ov2680_bayer_order() media: ov2680: Remove auto-gain and auto-exposure controls media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips media: ov5640: Enable MIPI interface in ov5640_set_power_mipi() media: i2c: ov5640: Configure HVP lines in s_power callback USB: gadget: f_mass_storage: Fix unused variable warning media: go7007: Remove redundant if statement iommu/vt-d: Fix to flush cache of PASID directory table IB/uverbs: Fix an potential error pointer dereference driver core: test_async: fix an error code dma-buf/sync_file: Fix docs syntax coresight: tmc: Explicit type conversions to prevent integer overflow scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly x86/APM: drop the duplicate APM_MINOR_DEV macro serial: sprd: Fix DMA buffer leak issue serial: sprd: Assign sprd_port after initialized to avoid wrong access serial: sprd: remove redundant sprd_port cleanup serial: sprd: getting port index via serial aliases only scsi: qla4xxx: Add length check when parsing nlattrs scsi: be2iscsi: Add length check when parsing nlattrs scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param() usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host() media: mediatek: vcodec: Return NULL if no vdec_fb is found media: cx24120: Add retval check for cx24120_message_send() media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer() media: dib7000p: Fix potential division by zero drivers: usb: smsusb: fix error handling code in smsusb_init_device media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link() media: v4l2-fwnode: simplify v4l2_fwnode_parse_link media: v4l2-fwnode: fix v4l2_fwnode_parse_link handling NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN NFSD: da_addr_body field missing in some GETDEVICEINFO replies fs: lockd: avoid possible wrong NULL parameter jfs: validate max amount of blocks before allocation. powerpc/iommu: Fix notifiers being shared by PCI and VIO buses nfs/blocklayout: Use the passed in gfp flags wifi: ath10k: Use RMW accessors for changing LNKCTL drm/radeon: Use RMW accessors for changing LNKCTL drm/radeon: Prefer pcie_capability_read_word() drm/radeon: Replace numbers with PCI_EXP_LNKCTL2 definitions drm/radeon: Correct Transmit Margin masks drm/amdgpu: Use RMW accessors for changing LNKCTL drm/amdgpu: Prefer pcie_capability_read_word() drm/amdgpu: Replace numbers with PCI_EXP_LNKCTL2 definitions drm/amdgpu: Correct Transmit Margin masks PCI: Add #defines for Enter Compliance, Transmit Margin powerpc/fadump: reset dump area size if fadump memory reserve fails clk: imx: composite-8m: fix clock pauses when set_rate would be a no-op PCI/ASPM: Use RMW accessors for changing LNKCTL PCI: pciehp: Use RMW accessors for changing LNKCTL PCI: Mark NVIDIA T4 GPUs to avoid bus reset clk: sunxi-ng: Modify mismatched function name drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init() ipmi:ssif: Fix a memory leak when scanning for an adapter ipmi:ssif: Add check for kstrdup ALSA: ac97: Fix possible error value of *rac97 of: unittest: Fix overlay type in apply/revert check drm/mediatek: Fix potential memory leak if vmap() fail audit: fix possible soft lockup in __audit_inode_child() smackfs: Prevent underflow in smk_set_cipso() drm/msm/mdp5: Don't leak some plane state ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01 drm/armada: Fix off-by-one error in armada_overlay_get_property() of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name() drm/tegra: dpaux: Fix incorrect return value of platform_get_irq drm/tegra: Remove superfluous error messages around platform_get_irq() md/md-bitmap: hold 'reconfig_mutex' in backlog_store() md/bitmap: don't set max_write_behind if there is no write mostly device drm/amdgpu: Update min() to min_t() in 'amdgpu_info_ioctl' arm64: dts: qcom: sdm845: Add missing RPMh power domain to GCC ARM: dts: BCM53573: Fix Ethernet info for Luxul devices drm: adv7511: Fix low refresh rate register for ADV7533/5 ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split) ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210 ARM: dts: s5pv210: correct ethernet unit address in SMDKV210 ARM: dts: s5pv210: use defines for IRQ flags in SMDKV210 ARM: dts: s5pv210: add RTC 32 KHz clock in SMDKV210 ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split) ARM: dts: s3c64xx: align pinctrl with dtschema ARM: dts: s3c6410: align node SROM bus node name with dtschema in Mini6410 ARM: dts: s3c6410: move fixed clocks under root node in Mini6410 drm/etnaviv: fix dumping of active MMU context ARM: dts: BCM53573: Use updated "spi-gpio" binding properties ARM: dts: BCM53573: Add cells sizes to PCIe node ARM: dts: BCM53573: Drop nonexistent "default-off" LED trigger drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar() quota: fix dqput() to follow the guarantees dquot_srcu should provide quota: add new helper dquot_active() quota: rename dquot_active() to inode_quota_active() quota: factor out dquot_write_dquot() quota: avoid increasing DQST_LOOKUPS when iterating over dirty/inuse list drm/bridge: tc358764: Fix debug print parameter order netrom: Deny concurrent connect(). net/sched: sch_hfsc: Ensure inner classes have fsc curve mlxsw: i2c: Limit single transaction buffer size mlxsw: i2c: Fix chunk size setting in output mailbox buffer net: arcnet: Do not call kfree_skb() under local_irq_disable() wifi: ath9k: use IS_ERR() with debugfs_create_dir() wifi: mwifiex: avoid possible NULL skb pointer dereference wifi: ath9k: protect WMI command response buffer replacement with a lock wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx wifi: mwifiex: Fix missed return in oob checks failed path wifi: mwifiex: fix memory leak in mwifiex_histogram_read() fs: ocfs2: namei: check return value of ocfs2_add_entry() lwt: Check LWTUNNEL_XMIT_CONTINUE strictly lwt: Fix return values of BPF xmit ops hwrng: iproc-rng200 - Implement suspend and resume calls hwrng: iproc-rng200 - use semicolons rather than commas to separate statements crypto: caam - fix unchecked return value error Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe() crypto: stm32 - Properly handle pm_runtime_get failing wifi: mwifiex: fix error recovery in PCIE buffer descriptor management mwifiex: switch from 'pci_' to 'dma_' API wifi: mwifiex: Fix OOB and integer underflow when rx packets can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe() regmap: rbtree: Use alloc_flags for memory allocations tcp: tcp_enter_quickack_mode() should be static bpf: Clear the probe_addr for uprobe cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit() perf/imx_ddr: don't enable counter0 if none of 4 counters are used x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved x86/boot: Annotate local functions x86/asm: Make more symbols local OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd() tmpfs: verify {g,u}id mount options correctly fs: Fix error checking for d_hash_and_lookup() new helper: lookup_positive_unlocked() eventfd: prevent underflow for eventfd semaphores eventfd: Export eventfd_ctx_do_read() reiserfs: Check the return value from __getblk() Revert "net: macsec: preserve ingress frame ordering" udf: Handle error when adding extent to a file udf: Check consistency of Space Bitmap Descriptor powerpc/32s: Fix assembler warning about r0 net: Avoid address overwrite in kernel_connect platform/mellanox: Fix mlxbf-tmfifo not handling all virtio CONSOLE notifications ALSA: seq: oss: Fix racy open/close of MIDI devices scsi: storvsc: Always set no_report_opcodes cifs: add a warning when the in-flight count goes negative sctp: handle invalid error codes without calling BUG() bnx2x: fix page fault following EEH recovery netlabel: fix shift wrapping bug in netlbl_catmap_setlong() scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM net: usb: qmi_wwan: add Quectel EM05GV2 clk: fixed-mmio: make COMMON_CLK_FIXED_MMIO depend on HAS_IOMEM security: keys: perform capable check only on privileged operations platform/x86: huawei-wmi: Silence ambient light sensor platform/x86: intel: hid: Always call BTNL ACPI method ASoC: atmel: Fix the 8K sample parameter in I2SC master ASoc: codecs: ES8316: Fix DMIC config fs/nls: make load_nls() take a const parameter s390/dasd: fix hanging device after request requeue s390/dasd: use correct number of retries for ERP requests m68k: Fix invalid .section syntax vxlan: generalize vxlan_parse_gpe_hdr and remove unused args ethernet: atheros: fix return value check in atl1c_tso_csum() ASoC: da7219: Check for failure reading AAD IRQ events ASoC: da7219: Flush pending AAD IRQ when suspending 9p: virtio: make sure 'offs' is initialized in zc_request pinctrl: amd: Don't show `Invalid config param` errors nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() fsi: master-ast-cf: Add MODULE_FIRMWARE macro firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe serial: sc16is7xx: fix bug when first setting GPIO direction Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition staging: rtl8712: fix race condition HID: wacom: remove the battery when the EKR is off USB: serial: option: add FOXCONN T99W368/T99W373 product USB: serial: option: add Quectel EM05G variant (0x030e) modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index mmc: au1xmmc: force non-modular build and remove symbol_get usage ARM: pxa: remove use of symbol_get() erofs: ensure that the post-EOF tails are all zeroed Linux 5.4.256 Revert "MIPS: Alchemy: fix dbdma2" powerpc/pmac/smp: Drop unnecessary volatile qualifier powerpc/pmac/smp: Avoid unused-variable warnings Revert "drm/display/dp: Fix the DP DSC Receiver cap size" Revert "macsec: Fix traffic counters/statistics" Revert "macsec: use DEV_STATS_INC()" ANDROID: GKI: add back pm_runtime_get_if_in_use() Revert "interconnect: Add helpers for enabling/disabling a path" Revert "interconnect: Do not skip aggregation for disabled paths" Revert "ALSA: pcm: Set per-card upper limit of PCM buffer allocations" Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available" Revert "ALSA: pcm: Fix potential data race at PCM memory allocation helpers" Revert "ALSA: pcm: Fix build error on m68k and others" Revert "Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available"" Revert "ALSA: pcm: Check for null pointer of pointer substream before dereferencing it" Linux 5.4.255 dma-buf/sw_sync: Avoid recursive lock during fence signal pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function} clk: Fix undefined reference to `clk_rate_exclusive_{get,put}' scsi: core: raid_class: Remove raid_component_add() scsi: snic: Fix double free in snic_tgt_create() irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable Documentation/sysctl: document page_lock_unfairness ALSA: pcm: Check for null pointer of pointer substream before dereferencing it interconnect: Do not skip aggregation for disabled paths Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available" ALSA: pcm: Fix build error on m68k and others rtnetlink: Reject negative ifindexes in RTM_NEWLINK mm: allow a controlled amount of unfairness in the page lock x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4 drm/display/dp: Fix the DP DSC Receiver cap size PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus media: vcodec: Fix potential array out-of-bounds in encoder queue_setup radix tree: remove unused variable lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels batman-adv: Hold rtnl lock during MTU update via netlink batman-adv: Fix batadv_v_ogm_aggr_send memory leak batman-adv: Fix TT global entry leak when client roamed back batman-adv: Do not get eth header before batadv_check_management_packet batman-adv: Don't increase MTU when set by user batman-adv: Trigger events for auto adjusted MTU nfsd: Fix race to FREE_STATEID and cl_revoked clk: Fix slab-out-of-bounds error in devm_clk_release() NFSv4: Fix dropped lock for racing OPEN and delegation return ibmveth: Use dcbf rather than dcbfl bonding: fix macvlan over alb bond support net: remove bond_slave_has_mac_rcu() net/sched: fix a qdisc modification with ambiguous command request igb: Avoid starting unnecessary workqueues net: validate veth and vxcan peer ifindexes net: bcmgenet: Fix return value check for fixed_phy_register() net: bgmac: Fix return value check for fixed_phy_register() ipvlan: Fix a reference count leak warning in ipvlan_ns_exit() dccp: annotate data-races in dccp_poll() sock: annotate data-races around prot->memory_pressure octeontx2-af: SDP: fix receive link config tracing: Fix memleak due to race between current_tracer and trace drm/amd/display: check TG is non-null before checking if enabled drm/amd/display: do not wait for mpc idle if tg is disabled ASoC: fsl_sai: Disable bit clock with transmitter ASoC: fsl_sai: Add new added registers and new bit definition ASoC: fsl_sai: Refine enable/disable TE/RE sequence in trigger() regmap: Account for register length in SMBus I/O limits ALSA: pcm: Fix potential data race at PCM memory allocation helpers ALSA: pcm: Use SG-buffer only when direct DMA is available ALSA: pcm: Set per-card upper limit of PCM buffer allocations dm integrity: reduce vmalloc space footprint on 32-bit architectures dm integrity: increase RECALC_SECTORS to improve recalculate speed fbdev: fix potential OOB read in fast_imageblit() fbdev: Fix sys_imageblit() for arbitrary image widths fbdev: Improve performance of sys_imageblit() MIPS: cpu-features: Use boot_cpu_type for CPU type based features MIPS: cpu-features: Enable octeon_cache by cpu_type fs: dlm: fix mismatch of plock results from userspace fs: dlm: use dlm_plock_info for do_unlock_close fs: dlm: change plock interrupted message to debug again fs: dlm: add pid to debug log dlm: replace usage of found with dedicated list iterator variable dlm: improve plock logging if interrupted PCI: acpiphp: Reassign resources on bridge if necessary net: phy: broadcom: stub c45 read/write for 54810 mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled virtio-net: set queues after driver_ok af_unix: Fix null-ptr-deref in unix_stream_sendpage(). netfilter: set default timeout to 3 secs for sctp shutdown send and recv state mmc: block: Fix in_flight[issue_type] value error mmc: wbsd: fix double mmc_free_host() in wbsd_init() cifs: Release folio lock on fscache read hit. ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces. serial: 8250: Fix oops for port->pm on uart_change_pm() ASoC: meson: axg-tdm-formatter: fix channel slot allocation ASoC: rt5665: add missed regulator_bulk_disable ARM: dts: imx: Set default tuning step for imx6sx usdhc ARM: dts: imx: Set default tuning step for imx7d usdhc ARM: dts: imx: Adjust dma-apbh node name ARM: dts: imx7s: Drop dma-apb interrupt-names bus: ti-sysc: Flush posted write on enable before reset bus: ti-sysc: Improve reset to work with modules with no sysconfig net: do not allow gso_size to be set to GSO_BY_FRAGS sock: Fix misuse of sk_under_memory_pressure() net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset i40e: fix misleading debug logs team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves netfilter: nft_dynset: disallow object maps ipvs: fix racy memcpy in proc_do_sync_threshold selftests: mirror_gre_changes: Tighten up the TTL test match xfrm: add NULL check in xfrm_update_ae_params ip_vti: fix potential slab-use-after-free in decode_session6 ip6_vti: fix slab-use-after-free in decode_session6 xfrm: fix slab-use-after-free in decode_session6 xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c net: af_key: fix sadb_x_filter validation net: xfrm: Fix xfrm_address_filter OOB read btrfs: fix BUG_ON condition in btrfs_cancel_balance tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms powerpc/rtas_flash: allow user copy to flash block cache objects fbdev: mmp: fix value check in mmphw_probe() i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue virtio-mmio: don't break lifecycle of vm_dev virtio-mmio: Use to_virtio_mmio_device() to simply code virtio-mmio: convert to devm_platform_ioremap_resource nfsd: Remove incorrect check in nfsd4_validate_stateid nfsd4: kill warnings on testing stateids with mismatched clientids net/ncsi: Fix gma flag setting after response tracing/probes: Fix to update dynamic data counter if fetcharg uses it tracing/probes: Have process_fetch_insn() take a void * instead of pt_regs leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename mmc: sunxi: fix deferred probing mmc: bcm2835: fix deferred probing USB: dwc3: qcom: fix NULL-deref on suspend usb: dwc3: qcom: Add helper functions to enable,disable wake irqs interconnect: Add helpers for enabling/disabling a path interconnect: Move internal structs into a separate file irqchip/mips-gic: Use raw spinlock for gic_lock irqchip/mips-gic: Get rid of the reliance on irq_cpu_online() ALSA: hda: Fix unhandled register update during auto-suspend period PM: runtime: Add pm_runtime_get_if_active() PM-runtime: add tracepoints for usage_count changes iommu/amd: Fix "Guest Virtual APIC Table Root Pointer" configuration in IRTE iio: addac: stx104: Fix race condition when converting analog-to-digital iio: addac: stx104: Fix race condition for stx104_write_raw() iio: stx104: Move to addac subdirectory iio: adc: stx104: Implement and utilize register structures iio: adc: stx104: Utilize iomap interface iio: add addac subdirectory IMA: allow/fix UML builds powerpc/kasan: Disable KCOV in KASAN code ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760 drm/amdgpu: Fix potential fence use-after-free v2 Bluetooth: L2CAP: Fix use-after-free pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() gfs2: Fix possible data races in gfs2_show_options() usb: chipidea: imx: don't request QoS for imx8ulp media: platform: mediatek: vpu: fix NULL ptr dereference media: v4l2-mem2mem: add lock to protect parameter num_rdy FS: JFS: Check for read-only mounted filesystem in txBegin FS: JFS: Fix null-ptr-deref Read in txBegin MIPS: dec: prom: Address -Warray-bounds warning fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev udf: Fix uninitialized array access for some pathnames ovl: check type and offset of struct vfsmount in ovl_entry HID: add quirk for 03f0:464a HP Elite Presenter Mouse quota: fix warning in dqgrab() quota: Properly disable quotas when add_dquot_ref() fails ALSA: emu10k1: roll up loops in DSP setup code for Audigy drm/radeon: Fix integer overflow in radeon_cs_parser_init macsec: use DEV_STATS_INC() macsec: Fix traffic counters/statistics selftests: forwarding: tc_flower: Relax success criterion mmc: sdhci-f-sdh30: Replace with sdhci_pltfm mmc: sdhci_f_sdh30: convert to devm_platform_ioremap_resource Conflict: drivers/devfreq/devfreq.c drivers/mmc/core/block.c drivers/rpmsg/qcom_glink_native.c include/net/tcp.h net/ipv4/tcp_input.c Change-Id: I9381be24d8fd353e56226698d20732fee74a03c3 Signed-off-by: kamasali Satyanarayan <quic_kamasali@quicinc.com> |
||
|
Greg Kroah-Hartman
|
af6deae771 |
This is the 5.4.264 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmV5528ACgkQONu9yGCS aT7+DxAAl/t4oGT1Di8mIhCfqsezTj/SQ6HAMaAFpKjGXdgTBX9QavwTHp35qLpv xZtibdl611oEDT2B3//cvJu9Qs8sJGlDWxpJF8fkF/NED2EHLRwUAOmhc4fyBCBq 01GfPRefU9G5E0Nw2g3o07dD0otKQzENh74iAzUr/cyju5TBgS4NC7CljiD6GXP8 DtCcbz2UMmHF5icyasjw7WoCqKaWUn7KLqU3RyQfmDgnh3z0vSXKs17CFoNk1+R6 EAkZJkrUsIDO3N6aRkJGvwtbEFDws4S7onpcthckXt6IF/OQ+h8LcHvyTpblVeWH qVBXmj1QZD+SwfP5qVtM+RwHHTE3GVJI3+MVTInu0vzgEz6lhNPILzWwso+AIhHM +SBZkx4/pO2LbrSgqn+NYWRcBTn4fXNURPd+zLXNJ1ZSnhamWm7kuFK8B36lz0s8 CB5ngLld1wg6m2NVPneqAeEcD54msGd18iNZvnxfx3c28sb27RgLqLJQKdSrtFMH tZj0+3KGkYHzWQmt07iLmg1DPAmZSNzMW7MDJRHlqDCKS2gBKO/LKxWiri2WPh+o IvgrfGzEJsyYXi5+JcGC9+RkoPcGaous4VA2kWFJSjXiXPrJC4jknQm3mtdMiTf3 V9DEOMvot9ELGI9RODaNsk59C2RhOuVimm2XWV9n88UcX38reAQ= =gOna -----END PGP SIGNATURE----- Merge 5.4.264 into android11-5.4-lts Changes in 5.4.264 hrtimers: Push pending hrtimers away from outgoing CPU earlier netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test tg3: Move the [rt]x_dropped counters to tg3_napi tg3: Increment tx_dropped in tg3_tso_bug() kconfig: fix memory leak from range properties drm/amdgpu: correct chunk_ptr to a pointer to chunk. of: base: Add of_get_cpu_state_node() to get idle states for a CPU node ACPI/IORT: Make iort_get_device_domain IRQ domain agnostic ACPI/IORT: Make iort_msi_map_rid() PCI agnostic of/iommu: Make of_map_rid() PCI agnostic of/irq: make of_msi_map_get_device_domain() bus agnostic of/irq: Make of_msi_map_rid() PCI bus agnostic of: base: Fix some formatting issues and provide missing descriptions of: Fix kerneldoc output formatting of: Add missing 'Return' section in kerneldoc comments of: dynamic: Fix of_reconfig_get_state_change() return value documentation ipv6: fix potential NULL deref in fib6_add() hv_netvsc: rndis_filter needs to select NLS net: arcnet: Fix RESET flag handling net: arcnet: com20020 fix error handling arcnet: restoring support for multiple Sohard Arcnet cards ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit() net: hns: fix fake link up on xge port netfilter: xt_owner: Fix for unsafe access of sk->sk_socket tcp: do not accept ACK of bytes we never sent bpf: sockmap, updating the sg structure should also update curr RDMA/bnxt_re: Correct module description string hwmon: (acpi_power_meter) Fix 4.29 MW bug ASoC: wm_adsp: fix memleak in wm_adsp_buffer_populate tracing: Fix a warning when allocating buffered events fails scsi: be2iscsi: Fix a memleak in beiscsi_init_wrb_handle() ARM: imx: Check return value of devm_kasprintf in imx_mmdc_perf_init ARM: dts: imx: make gpt node name generic ARM: dts: imx7: Declare timers compatible with fsl,imx6dl-gpt ALSA: pcm: fix out-of-bounds in snd_pcm_state_names nilfs2: prevent WARNING in nilfs_sufile_set_segment_usage() tracing: Always update snapshot buffer size tracing: Fix incomplete locking when disabling buffered events tracing: Fix a possible race when disabling buffered events packet: Move reference count in packet_sock to atomic_long_t arm64: dts: mediatek: mt7622: fix memory node warning check arm64: dts: mediatek: mt8173-evb: Fix regulator-fixed node names perf/core: Add a new read format to get a number of lost samples perf: Fix perf_event_validate_size() gpiolib: sysfs: Fix error handling on failed export mmc: core: add helpers mmc_regulator_enable/disable_vqmmc mmc: sdhci-sprd: Fix vqmmc not shutting down after the card was pulled usb: gadget: f_hid: fix report descriptor allocation parport: Add support for Brainboxes IX/UC/PX parallel cards usb: typec: class: fix typec_altmode_put_partner to put plugs ARM: PL011: Fix DMA support serial: sc16is7xx: address RX timeout interrupt errata serial: 8250_omap: Add earlycon support for the AM654 UART controller x86/CPU/AMD: Check vendor in the AMD microcode callback KVM: s390/mm: Properly reset no-dat nilfs2: fix missing error check for sb_set_blocksize call io_uring/af_unix: disable sending io_uring over sockets netlink: don't call ->netlink_bind with table lock held genetlink: add CAP_NET_ADMIN test for multicast bind psample: Require 'CAP_NET_ADMIN' when joining "packets" group drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group tools headers UAPI: Sync linux/perf_event.h with the kernel sources Revert "btrfs: add dmesg output for first mount and last unmount of a filesystem" cifs: Fix non-availability of dedup breaking generic/304 smb: client: fix potential NULL deref in parse_dfs_referrals() devcoredump : Serialize devcd_del work devcoredump: Send uevent once devcd is ready Linux 5.4.264 Change-Id: I32d19db2a0ff0cf6d061fa9c8ca527d0b61dd158 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Ido Schimmel
|
4a341627a1 |
drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group
commit e03781879a0d524ce3126678d50a80484a513c4b upstream.
The "NET_DM" generic netlink family notifies drop locations over the
"events" multicast group. This is problematic since by default generic
netlink allows non-root users to listen to these notifications.
Fix by adding a new field to the generic netlink multicast group
structure that when set prevents non-root users or root without the
'CAP_SYS_ADMIN' capability (in the user namespace owning the network
namespace) from joining the group. Set this field for the "events"
group. Use 'CAP_SYS_ADMIN' rather than 'CAP_NET_ADMIN' because of the
nature of the information that is shared over this group.
Note that the capability check in this case will always be performed
against the initial user namespace since the family is not netns aware
and only operates in the initial network namespace.
A new field is added to the structure rather than using the "flags"
field because the existing field uses uAPI flags and it is inappropriate
to add a new uAPI flag for an internal kernel check. In net-next we can
rework the "flags" field to use internal flags and fold the new field
into it. But for now, in order to reduce the amount of changes, add a
new field.
Since the information can only be consumed by root, mark the control
plane operations that start and stop the tracing as root-only using the
'GENL_ADMIN_PERM' flag.
Tested using [1].
Before:
# capsh -- -c ./dm_repo
# capsh --drop=cap_sys_admin -- -c ./dm_repo
After:
# capsh -- -c ./dm_repo
# capsh --drop=cap_sys_admin -- -c ./dm_repo
Failed to join "events" multicast group
[1]
$ cat dm.c
#include <stdio.h>
#include <netlink/genl/ctrl.h>
#include <netlink/genl/genl.h>
#include <netlink/socket.h>
int main(int argc, char **argv)
{
struct nl_sock *sk;
int grp, err;
sk = nl_socket_alloc();
if (!sk) {
fprintf(stderr, "Failed to allocate socket\n");
return -1;
}
err = genl_connect(sk);
if (err) {
fprintf(stderr, "Failed to connect socket\n");
return err;
}
grp = genl_ctrl_resolve_grp(sk, "NET_DM", "events");
if (grp < 0) {
fprintf(stderr,
"Failed to resolve \"events\" multicast group\n");
return grp;
}
err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE);
if (err) {
fprintf(stderr, "Failed to join \"events\" multicast group\n");
return err;
}
return 0;
}
$ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o dm_repo dm.c
Fixes:
|
||
|
Ido Schimmel
|
fe8402511e |
psample: Require 'CAP_NET_ADMIN' when joining "packets" group
commit 44ec98ea5ea9cfecd31a5c4cc124703cb5442832 upstream.
The "psample" generic netlink family notifies sampled packets over the
"packets" multicast group. This is problematic since by default generic
netlink allows non-root users to listen to these notifications.
Fix by marking the group with the 'GENL_UNS_ADMIN_PERM' flag. This will
prevent non-root users or root without the 'CAP_NET_ADMIN' capability
(in the user namespace owning the network namespace) from joining the
group.
Tested using [1].
Before:
# capsh -- -c ./psample_repo
# capsh --drop=cap_net_admin -- -c ./psample_repo
After:
# capsh -- -c ./psample_repo
# capsh --drop=cap_net_admin -- -c ./psample_repo
Failed to join "packets" multicast group
[1]
$ cat psample.c
#include <stdio.h>
#include <netlink/genl/ctrl.h>
#include <netlink/genl/genl.h>
#include <netlink/socket.h>
int join_grp(struct nl_sock *sk, const char *grp_name)
{
int grp, err;
grp = genl_ctrl_resolve_grp(sk, "psample", grp_name);
if (grp < 0) {
fprintf(stderr, "Failed to resolve \"%s\" multicast group\n",
grp_name);
return grp;
}
err = nl_socket_add_memberships(sk, grp, NFNLGRP_NONE);
if (err) {
fprintf(stderr, "Failed to join \"%s\" multicast group\n",
grp_name);
return err;
}
return 0;
}
int main(int argc, char **argv)
{
struct nl_sock *sk;
int err;
sk = nl_socket_alloc();
if (!sk) {
fprintf(stderr, "Failed to allocate socket\n");
return -1;
}
err = genl_connect(sk);
if (err) {
fprintf(stderr, "Failed to connect socket\n");
return err;
}
err = join_grp(sk, "config");
if (err)
return err;
err = join_grp(sk, "packets");
if (err)
return err;
return 0;
}
$ gcc -I/usr/include/libnl3 -lnl-3 -lnl-genl-3 -o psample_repo psample.c
Fixes:
|
||
|
Ido Schimmel
|
263bffd2b6 |
genetlink: add CAP_NET_ADMIN test for multicast bind
This is a partial backport of upstream commit 4d54cc32112d ("mptcp:
avoid lock_fast usage in accept path"). It is only a partial backport
because the patch in the link below was erroneously squash-merged into
upstream commit 4d54cc32112d ("mptcp: avoid lock_fast usage in accept
path"). Below is the original patch description from Florian Westphal:
"
genetlink sets NL_CFG_F_NONROOT_RECV for its netlink socket so anyone can
subscribe to multicast messages.
rtnetlink doesn't allow this unconditionally, rtnetlink_bind() restricts
bind requests to CAP_NET_ADMIN for a few groups.
This allows to set GENL_UNS_ADMIN_PERM flag on genl mcast groups to
mandate CAP_NET_ADMIN.
This will be used by the upcoming mptcp netlink event facility which
exposes the token (mptcp connection identifier) to userspace.
"
Link: https://lore.kernel.org/mptcp/20210213000001.379332-8-mathew.j.martineau@linux.intel.com/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Ido Schimmel
|
a149fbadb9 |
netlink: don't call ->netlink_bind with table lock held
From: Florian Westphal <fw@strlen.de>
commit f2764bd4f6a8dffaec3e220728385d9756b3c2cb upstream.
When I added support to allow generic netlink multicast groups to be
restricted to subscribers with CAP_NET_ADMIN I was unaware that a
genl_bind implementation already existed in the past.
It was reverted due to ABBA deadlock:
1. ->netlink_bind gets called with the table lock held.
2. genetlink bind callback is invoked, it grabs the genl lock.
But when a new genl subsystem is (un)registered, these two locks are
taken in reverse order.
One solution would be to revert again and add a comment in genl
referring 1e82a62fec613, "genetlink: remove genl_bind").
This would need a second change in mptcp to not expose the raw token
value anymore, e.g. by hashing the token with a secret key so userspace
can still associate subflow events with the correct mptcp connection.
However, Paolo Abeni reminded me to double-check why the netlink table is
locked in the first place.
I can't find one. netlink_bind() is already called without this lock
when userspace joins a group via NETLINK_ADD_MEMBERSHIP setsockopt.
Same holds for the netlink_unbind operation.
Digging through the history, commit
|
||
Pavel Begunkov
|
18824f592a |
io_uring/af_unix: disable sending io_uring over sockets
commit 705318a99a138c29a512a72c3e0043b3cd7f55f4 upstream.
File reference cycles have caused lots of problems for io_uring
in the past, and it still doesn't work exactly right and races with
unix_stream_read_generic(). The safest fix would be to completely
disallow sending io_uring files via sockets via SCM_RIGHT, so there
are no possible cycles invloving registered files and thus rendering
SCM accounting on the io_uring side unnecessary.
Cc: <stable@vger.kernel.org>
Fixes: 0091bfc81741b ("io_uring/af_unix: defer registered files gc to io_uring release")
Reported-and-suggested-by: Jann Horn <jannh@google.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/c716c88321939156909cfa1bd8b0faaf1c804103.1701868795.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Daniel Borkmann
|
148d8f0707 |
packet: Move reference count in packet_sock to atomic_long_t
commit db3fadacaf0c817b222090290d06ca2a338422d0 upstream. In some potential instances the reference count on struct packet_sock could be saturated and cause overflows which gets the kernel a bit confused. To prevent this, move to a 64-bit atomic reference count on 64-bit architectures to prevent the possibility of this type to overflow. Because we can not handle saturation, using refcount_t is not possible in this place. Maybe someday in the future if it changes it could be used. Also, instead of using plain atomic64_t, use atomic_long_t instead. 32-bit machines tend to be memory-limited (i.e. anything that increases a reference uses so much memory that you can't actually get to 2**32 references). 32-bit architectures also tend to have serious problems with 64-bit atomics. Hence, atomic_long_t is the more natural solution. Reported-by: "The UK's National Cyber Security Centre (NCSC)" <security@ncsc.gov.uk> Co-developed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Linus Torvalds <torvalds@linux-foundation.org> Cc: stable@kernel.org Reviewed-by: Willem de Bruijn <willemb@google.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Link: https://lore.kernel.org/r/20231201131021.19999-1-daniel@iogearbox.net Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
John Fastabend
|
b4b89b7b2d |
bpf: sockmap, updating the sg structure should also update curr
[ Upstream commit bb9aefde5bbaf6c168c77ba635c155b4980c2287 ]
Curr pointer should be updated when the sg structure is shifted.
Fixes:
|
||
Eric Dumazet
|
7ffff0cc92 |
tcp: do not accept ACK of bytes we never sent
[ Upstream commit 3d501dd326fb1c73f1b8206d4c6e1d7b15c07e27 ]
This patch is based on a detailed report and ideas from Yepeng Pan
and Christian Rossow.
ACK seq validation is currently following RFC 5961 5.2 guidelines:
The ACK value is considered acceptable only if
it is in the range of ((SND.UNA - MAX.SND.WND) <= SEG.ACK <=
SND.NXT). All incoming segments whose ACK value doesn't satisfy the
above condition MUST be discarded and an ACK sent back. It needs to
be noted that RFC 793 on page 72 (fifth check) says: "If the ACK is a
duplicate (SEG.ACK < SND.UNA), it can be ignored. If the ACK
acknowledges something not yet sent (SEG.ACK > SND.NXT) then send an
ACK, drop the segment, and return". The "ignored" above implies that
the processing of the incoming data segment continues, which means
the ACK value is treated as acceptable. This mitigation makes the
ACK check more stringent since any ACK < SND.UNA wouldn't be
accepted, instead only ACKs that are in the range ((SND.UNA -
MAX.SND.WND) <= SEG.ACK <= SND.NXT) get through.
This can be refined for new (and possibly spoofed) flows,
by not accepting ACK for bytes that were never sent.
This greatly improves TCP security at a little cost.
I added a Fixes: tag to make sure this patch will reach stable trees,
even if the 'blamed' patch was adhering to the RFC.
tp->bytes_acked was added in linux-4.2
Following packetdrill test (courtesy of Yepeng Pan) shows
the issue at hand:
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1024) = 0
// ---------------- Handshake ------------------- //
// when window scale is set to 14 the window size can be extended to
// 65535 * (2^14) = 1073725440. Linux would accept an ACK packet
// with ack number in (Server_ISN+1-1073725440. Server_ISN+1)
// ,though this ack number acknowledges some data never
// sent by the server.
+0 < S 0:0(0) win 65535 <mss 1400,nop,wscale 14>
+0 > S. 0:0(0) ack 1 <...>
+0 < . 1:1(0) ack 1 win 65535
+0 accept(3, ..., ...) = 4
// For the established connection, we send an ACK packet,
// the ack packet uses ack number 1 - 1073725300 + 2^32,
// where 2^32 is used to wrap around.
// Note: we used 1073725300 instead of 1073725440 to avoid possible
// edge cases.
// 1 - 1073725300 + 2^32 = 3221241997
// Oops, old kernels happily accept this packet.
+0 < . 1:1001(1000) ack 3221241997 win 65535
// After the kernel fix the following will be replaced by a challenge ACK,
// and prior malicious frame would be dropped.
+0 > . 1:1(0) ack 1001
Fixes:
|
||
Phil Sutter
|
69431f609b |
netfilter: xt_owner: Fix for unsafe access of sk->sk_socket
[ Upstream commit 7ae836a3d630e146b732fe8ef7d86b243748751f ]
A concurrently running sock_orphan() may NULL the sk_socket pointer in
between check and deref. Follow other users (like nft_meta.c for
instance) and acquire sk_callback_lock before dereferencing sk_socket.
Fixes:
|
||
Shigeru Yoshida
|
1ec21fde58 |
ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()
[ Upstream commit 80d875cfc9d3711a029f234ef7d680db79e8fa4b ]
In ipgre_xmit(), skb_pull() may fail even if pskb_inet_may_pull() returns
true. For example, applications can use PF_PACKET to create a malformed
packet with no IP header. This type of packet causes a problem such as
uninit-value access.
This patch ensures that skb_pull() can pull the required size by checking
the skb with pskb_network_may_pull() before skb_pull().
Fixes:
|
||
|
Eric Dumazet
|
be1ab8bf05 |
ipv6: fix potential NULL deref in fib6_add()
[ Upstream commit 75475bb51e78a3f54ad2f69380f2a1c985e85f2d ]
If fib6_find_prefix() returns NULL, we should silently fallback
using fib6_null_entry regardless of RT6_DEBUG value.
syzbot reported:
WARNING: CPU: 0 PID: 5477 at net/ipv6/ip6_fib.c:1516 fib6_add+0x310d/0x3fa0 net/ipv6/ip6_fib.c:1516
Modules linked in:
CPU: 0 PID: 5477 Comm: syz-executor.0 Not tainted 6.7.0-rc2-syzkaller-00029-g9b6de136b5f0 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 11/10/2023
RIP: 0010:fib6_add+0x310d/0x3fa0 net/ipv6/ip6_fib.c:1516
Code: 00 48 8b 54 24 68 e8 42 22 00 00 48 85 c0 74 14 49 89 c6 e8 d5 d3 c2 f7 eb 5d e8 ce d3 c2 f7 e9 ca 00 00 00 e8 c4 d3 c2 f7 90 <0f> 0b 90 48 b8 00 00 00 00 00 fc ff df 48 8b 4c 24 38 80 3c 01 00
RSP: 0018:ffffc90005067740 EFLAGS: 00010293
RAX: ffffffff89cba5bc RBX: ffffc90005067ab0 RCX: ffff88801a2e9dc0
RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
RBP: ffffc90005067980 R08: ffffffff89cbca85 R09: 1ffff110040d4b85
R10: dffffc0000000000 R11: ffffed10040d4b86 R12: 00000000ffffffff
R13: 1ffff110051c3904 R14: ffff8880206a5c00 R15: ffff888028e1c820
FS: 00007f763783c6c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f763783bff8 CR3: 000000007f74d000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
__ip6_ins_rt net/ipv6/route.c:1303 [inline]
ip6_route_add+0x88/0x120 net/ipv6/route.c:3847
ipv6_route_ioctl+0x525/0x7b0 net/ipv6/route.c:4467
inet6_ioctl+0x21a/0x270 net/ipv6/af_inet6.c:575
sock_do_ioctl+0x152/0x460 net/socket.c:1220
sock_ioctl+0x615/0x8c0 net/socket.c:1339
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl+0xf8/0x170 fs/ioctl.c:857
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x45/0x110 arch/x86/entry/common.c:82
Fixes:
|
||
Jozsef Kadlecsik
|
427deb5ba5 |
netfilter: ipset: fix race condition between swap/destroy and kernel side add/del/test
[ Upstream commit 28628fa952fefc7f2072ce6e8016968cc452b1ba ]
Linkui Xiao reported that there's a race condition when ipset swap and destroy is
called, which can lead to crash in add/del/test element operations. Swap then
destroy are usual operations to replace a set with another one in a production
system. The issue can in some cases be reproduced with the script:
ipset create hash_ip1 hash:net family inet hashsize 1024 maxelem 1048576
ipset add hash_ip1 172.20.0.0/16
ipset add hash_ip1 192.168.0.0/16
iptables -A INPUT -m set --match-set hash_ip1 src -j ACCEPT
while [ 1 ]
do
# ... Ongoing traffic...
ipset create hash_ip2 hash:net family inet hashsize 1024 maxelem 1048576
ipset add hash_ip2 172.20.0.0/16
ipset swap hash_ip1 hash_ip2
ipset destroy hash_ip2
sleep 0.05
done
In the race case the possible order of the operations are
CPU0 CPU1
ip_set_test
ipset swap hash_ip1 hash_ip2
ipset destroy hash_ip2
hash_net_kadt
Swap replaces hash_ip1 with hash_ip2 and then destroy removes hash_ip2 which
is the original hash_ip1. ip_set_test was called on hash_ip1 and because destroy
removed it, hash_net_kadt crashes.
The fix is to force ip_set_swap() to wait for all readers to finish accessing the
old set pointers by calling synchronize_rcu().
The first version of the patch was written by Linkui Xiao <xiaolinkui@kylinos.cn>.
v2: synchronize_rcu() is moved into ip_set_swap() in order not to burden
ip_set_destroy() unnecessarily when all sets are destroyed.
v3: Florian Westphal pointed out that all netfilter hooks run with rcu_read_lock() held
and em_ipset.c wraps the entire ip_set_test() in rcu read lock/unlock pair.
So there's no need to extend the rcu read locked area in ipset itself.
Closes: https://lore.kernel.org/all/69e7963b-e7f8-3ad0-210-7b86eebf7f78@netfilter.org/
Reported by: Linkui Xiao <xiaolinkui@kylinos.cn>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Michael Bestas
|
0013ddf520
|
Merge tag 'LA.UM.9.14.r1-23300-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4 into android13-5.4-lahaina
"LA.UM.9.14.r1-23300-LAHAINA.QSSI14.0" * tag 'LA.UM.9.14.r1-23300-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4: coresight: Fix duplicate and abnormal stop issues of PCIE sw path nl80211: fix beacon tx rate mask validation msm_ipa: Add flag to enable ipv6 option header soc:qcom: trivial fix soc: qcom: socinfo: Add sku sysfs support soc: qcom: socinfo: Add revision 16 support in socinfo structure mtd: msm_qpic_nand: Add mutex lock in system suspend/resume functions Conflicts: drivers/firmware/qcom_scm.c drivers/md/dm-verity-target.c drivers/usb/dwc3/core.c drivers/usb/dwc3/debugfs.c drivers/usb/gadget/function/f_fs.c Change-Id: If237dbcd440d72c0a56ed7ca57f1d55a777973a5 |
||
|
Michael Bestas
|
ffe9ce5b43
|
Merge tag 'ASB-2023-12-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2023-12-01 * tag 'ASB-2023-12-05_11-5.4' of https://android.googlesource.com/kernel/common: ANDROID: ABI: Update allowed list for QCOM BACKPORT: ALSA: compress: Allow pause and resume during draining UPSTREAM: netfilter: nf_tables: pass context to nft_set_destroy() UPSTREAM: netfilter: nf_tables: don't skip expired elements during walk ANDROID: GKI: db845c: Update symbols list and ABI on rpmsg_register_device_override ANDROID: Use GKI Dr. No OWNERS file ANDROID: Remove android/OWNERs file FROMGIT: Input: uinput - allow injecting event times ANDROID: fix up rpmsg_device ABI break ANDROID: fix up platform_device ABI break UPSTREAM: rpmsg: Fix possible refcount leak in rpmsg_register_device_override() UPSTREAM: rpmsg: glink: Release driver_override BACKPORT: rpmsg: Fix calling device_lock() on non-initialized device BACKPORT: rpmsg: Fix kfree() of static memory on setting driver_override UPSTREAM: rpmsg: Constify local variable in field store macro UPSTREAM: driver: platform: Add helper for safer setting of driver_override BACKPORT: firmware_loader: Abort all upcoming firmware load request once reboot triggered UPSTREAM: firmware_loader: Refactor kill_pending_fw_fallback_reqs() Revert "perf: Disallow mis-matched inherited group reads" Revert "xfrm: fix a data-race in xfrm_gen_index()" Revert "Bluetooth: hci_core: Fix build warnings" Revert "xfrm: interface: use DEV_STATS_INC()" Revert "netfilter: conntrack: allow sctp hearbeat after connection re-use" Revert "netfilter: conntrack: don't refresh sctp entries in closed state" Revert "netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp" Reapply "netfilter: conntrack: don't refresh sctp entries in closed state" Reapply "netfilter: conntrack: allow sctp hearbeat after connection re-use" Linux 5.4.259 xfrm6: fix inet6_dev refcount underflow problem Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name Bluetooth: hci_sock: fix slab oob read in create_monitor_event phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins phy: mapphone-mdm6600: Fix runtime PM for remove phy: mapphone-mdm6600: Fix runtime disable on probe ASoC: pxa: fix a memory leak in probe() gpio: vf610: set value before the direction to avoid a glitch s390/pci: fix iommu bitmap allocation perf: Disallow mis-matched inherited group reads USB: serial: option: add Fibocom to DELL custom modem FM101R-GL USB: serial: option: add entry for Sierra EM9191 with new firmware USB: serial: option: add Telit LE910C4-WWX 0x1035 composition ACPI: irq: Fix incorrect return value in acpi_register_gsi() Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" mmc: core: Capture correct oemid-bits for eMMC cards mmc: core: sdio: hold retuning if sdio in 1-bit mode mtd: physmap-core: Restore map_rom fallback mtd: spinand: micron: correct bitmask for ecc status mtd: rawnand: qcom: Unmap the right resource upon probe failure Bluetooth: hci_event: Fix using memcmp when comparing keys HID: multitouch: Add required quirk for Synaptics 0xcd7e device btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c drm: panel-orientation-quirks: Add quirk for One Mix 2S sky2: Make sure there is at least one frag_addr available regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()" wifi: cfg80211: avoid leaking stack data into trace wifi: mac80211: allow transmitting EAPOL frames with tainted key Bluetooth: hci_core: Fix build warnings Bluetooth: Avoid redundant authentication HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event tracing: relax trace_event_eval_update() execution with cond_resched() ata: libata-eh: Fix compilation warning in ata_eh_link_report() gpio: timberdale: Fix potential deadlock on &tgpio->lock overlayfs: set ctime when setting mtime and atime i2c: mux: Avoid potential false error message in i2c_mux_add_adapter btrfs: initialize start_slot in btrfs_log_prealloc_extents btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1 ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CBA ACPI: resource: Skip IRQ override on ASUS ExpertBook B1502CBA ACPI: resource: Skip IRQ override on Asus Expertbook B2402CBA ACPI: resource: Add Asus ExpertBook B2502 to Asus quirks ACPI: resource: Skip IRQ override on Asus Vivobook S5602ZA ACPI: resource: Add ASUS model S5402ZA to quirks ACPI: resource: Skip IRQ override on Asus Vivobook K3402ZA/K3502ZA ACPI: resources: Add DMI-based legacy IRQ override quirk ACPI: Drop acpi_dev_irqresource_disabled() resource: Add irqresource_disabled() net: pktgen: Fix interface flags printing netfilter: nft_set_rbtree: .deactivate fails if element has expired neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve i40e: prevent crash on probe if hw registers have invalid values net: usb: smsc95xx: Fix an error code in smsc95xx_reset() ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr tun: prevent negative ifindex tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb tcp: fix excessive TLP and RACK timeouts from HZ rounding net: rfkill: gpio: prevent value glitch during probe net: ipv6: fix return value check in esp_remove_trailer net: ipv4: fix return value check in esp_remove_trailer xfrm: interface: use DEV_STATS_INC() xfrm: fix a data-race in xfrm_gen_index() qed: fix LL2 RX buffer allocation netfilter: nft_payload: fix wrong mac header matching KVM: x86: Mask LVTPC when handling a PMI regmap: fix NULL deref on lookup nfc: nci: fix possible NULL pointer dereference in send_acknowledge() ice: fix over-shifted variable Bluetooth: avoid memcmp() out of bounds warning Bluetooth: hci_event: Fix coding style Bluetooth: vhci: Fix race when opening vhci device Bluetooth: Fix a refcnt underflow problem for hci_conn Bluetooth: Reject connection with the device which has same BD_ADDR Bluetooth: hci_event: Ignore NULL link key usb: hub: Guard against accesses to uninitialized BOS descriptors Documentation: sysctl: align cells in second content column dev_forward_skb: do not scrub skb mark within the same name space ravb: Fix use-after-free issue in ravb_tx_timeout_work() powerpc/64e: Fix wrong test in __ptep_test_and_clear_young() powerpc/8xx: Fix pte_access_permitted() for PAGE_NONE dmaengine: mediatek: Fix deadlock caused by synchronize_irq() x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call usb: gadget: udc-xilinx: replace memcpy with memcpy_toio pinctrl: avoid unsafe code pattern in find_pinctrl() cgroup: Remove duplicates in cgroup v1 tasks file Input: xpad - add PXN V900 support Input: psmouse - fix fast_reconnect function for PS/2 mode Input: powermate - fix use-after-free in powermate_config_complete ceph: fix incorrect revoked caps assert in ceph_fill_file_size() libceph: use kernel_connect() mcb: remove is_added flag from mcb_device struct iio: pressure: ms5611: ms5611_prom_is_valid false negative bug iio: pressure: dps310: Adjust Timeout Settings iio: pressure: bmp280: Fix NULL pointer exception usb: musb: Modify the "HWVers" register address usb: musb: Get the musb_qh poniter after musb_giveback usb: dwc3: Soft reset phy on probe for host net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer dmaengine: stm32-mdma: abort resume if no ongoing transfer workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask() nfc: nci: assert requested protocol is valid net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn() ixgbe: fix crash with empty VF macvlan list drm/vmwgfx: fix typo of sizeof argument xen-netback: use default TX queue size for vifs mlxsw: fix mlxsw_sp2_nve_vxlan_learning_set() return type ieee802154: ca8210: Fix a potential UAF in ca8210_probe ravb: Fix up dma_free_coherent() call in ravb_remove() drm/msm/dsi: skip the wait for video mode done if not applicable drm: etvnaviv: fix bad backport leading to warning net: prevent address rewrite in kernel_bind() quota: Fix slow quotaoff HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect pwm: hibvt: Explicitly set .polarity in .get_state() lib/test_meminit: fix off-by-one error in test_pages() RDMA/cxgb4: Check skb value for failure to allocate Reapply "ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark"" Revert "ring-buffer: Update "shortest_full" in polling" Revert "ANDROID: Revert "tracing/ring-buffer: Have polling block on watermark"" Revert "net: bridge: use DEV_STATS_INC()" FROMLIST: lib/test_meminit: fix off-by-one error in test_pages() Linux 5.4.258 xen/events: replace evtchn_rwlock with RCU ima: rework CONFIG_IMA dependency block NFS: Fix a race in __nfs_list_for_each_server() parisc: Restore __ldcw_align for PA-RISC 2.0 processors RDMA/mlx5: Fix NULL string error RDMA/siw: Fix connection failure handling RDMA/uverbs: Fix typo of sizeof argument RDMA/cma: Fix truncation compilation warning in make_cma_ports gpio: pxa: disable pinctrl calls for MMP_GPIO gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config() IB/mlx4: Fix the size of a buffer in add_port_entries() RDMA/core: Require admin capabilities to set system parameters cpupower: add Makefile dependencies for install targets sctp: update hb timer immediately after users change hb_interval sctp: update transport state when processing a dupcook packet tcp: fix delayed ACKs for MSS boundary condition tcp: fix quick-ack counting to count actual ACKs of new data net: stmmac: dwmac-stm32: fix resume on STM32 MCU netfilter: handle the connecting collision properly in nf_conntrack_proto_sctp net: nfc: llcp: Add lock when modifying device list net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg net: dsa: mv88e6xxx: Avoid EEPROM timeout when EEPROM is absent ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data() net: fix possible store tearing in neigh_periodic_work() modpost: add missing else to the "of" check NFSv4: Fix a nfs4_state_manager() race NFS: Add a helper nfs_client_for_each_server() NFS4: Trace state recovery operation wifi: mt76: mt76x02: fix MT76x0 external LNA gain handling wifi: mwifiex: Fix tlv_buf_left calculation scsi: target: core: Fix deadlock due to recursive locking drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close() qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info ima: Finish deprecation of IMA_TRUSTED_KEYRING Kconfig wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet regmap: rbtree: Fix wrong register marked as in-cache when creating new node wifi: iwlwifi: dbg_ini: fix structure packing ubi: Refuse attaching if mtd's erasesize is 0 net: prevent rewrite of msg_name in sock_sendmsg() net: replace calls to sock->ops->connect() with kernel_connect() fs: binfmt_elf_efpic: fix personality for ELF-FDPIC scsi: zfcp: Fix a double put in zfcp_port_enqueue() ata: libata-sata: increase PMP SRST timeout to 10s Revert "PCI: qcom: Disable write access to read only registers for IP v2.3.3" ata: libata-core: Do not register PM operations for SAS ports rbd: take header_rwsem in rbd_dev_refresh() only when updating ata: libata-core: Fix port and device removal rbd: decouple parent info read-in from updating rbd_dev ata: libata-core: Fix ata_port_request_pm() locking rbd: decouple header read-in from updating rbd_dev->header rbd: move rbd_dev_refresh() definition ring-buffer: Update "shortest_full" in polling i2c: i801: unregister tco_pdev in i801_probe() error path net: thunderbolt: Fix TCPv6 GSO checksum calculation ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES btrfs: properly report 0 avail for very full file systems ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() serial: 8250_port: Check IRQ data before use Smack:- Use overlay inode label in smack_inode_copy_up() smack: Retrieve transmuting information in smack_inode_getsecurity() smack: Record transmuting in smk_transmuted i40e: fix return of uninitialized aq_ret in i40e_set_vsi_promisc i40e: always propagate error value in i40e_set_vsi_promisc() ring-buffer: Avoid softlockup in ring_buffer_resize() selftests/ftrace: Correctly enable event in instance-event.tc i40e: improve locking of mac_filter_hash watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running watchdog: iTCO_wdt: No need to stop the timer in probe nvme-pci: do not set the NUMA node of device if it has none fbdev/sh7760fb: Depend on FB=y ncsi: Propagate carrier gain/loss events to the NCSI controller powerpc/watchpoints: Annotate atomic context in more places bpf: Clarify error expectations from bpf_clone_redirect spi: nxp-fspi: reset the FLSHxCR1 registers ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset() parisc: irq: Make irq_stack_union static to avoid sparse warning parisc: drivers: Fix sparse warning parisc: iosapic.c: Fix sparse warnings parisc: sba: Fix compile warning wrt list of SBA devices gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip xtensa: boot/lib: fix function prototypes xtensa: boot: don't add include-dirs xtensa: iss/network: make functions static xtensa: add default definition for XCHAL_HAVE_DIV32 bus: ti-sysc: Fix SYSC_QUIRK_SWSUP_SIDLE_ACT handling for uart wake-up ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot clk: tegra: fix error return case for recalc_rate scsi: qla2xxx: Fix deletion race condition MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled scsi: qla2xxx: Fix update_fcport for current_topology ata: libata: disallow dev-initiated LPM transitions to unsupported states Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN drm/amd/display: prevent potential division by zero errors i2c: mux: demux-pinctrl: check the return value of devm_kstrdup() drm/amd/display: Fix LFC multiplier changing erratically gpio: tb10x: Fix an error handling path in tb10x_gpio_probe() drm/amd/display: Reinstate LFC optimization netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP net: rds: Fix possible NULL-pointer dereference team: fix null-ptr-deref when team device type is changed net: bridge: use DEV_STATS_INC() net: hns3: add 5ms delay before clear firmware reset irq source dccp: fix dccp_v4_err()/dccp_v6_err() again powerpc/perf/hv-24x7: Update domain value check ipv4: fix null-deref in ipv4_link_failure i40e: Fix VF VLAN offloading when port VLAN is configured i40e: Fix warning message and call stack during rmmod i40e driver i40e: Remove scheduling while atomic possibility i40e: Fix for persistent lldp support ASoC: imx-audmix: Fix return error with devm_clk_get() selftests: tls: swap the TX and RX sockets in some tests ASoC: meson: spdifin: start hw on dai probe selftests/tls: Add {} to avoid static checker warning ext4: do not let fstrim block system suspend bpf: Avoid deadlock when using queue and stack maps from NMI ext4: move setting of trimmed bit into ext4_try_to_trim_range() netfilter: nf_tables: disallow element removal on anonymous sets ext4: replace the traditional ternary conditional operator with with max()/min() ext4: mark group as trimmed only if it was fully scanned ext4: change s_last_trim_minblks type to unsigned long ext4: scope ret locally in ext4_try_to_trim_range() ext4: add new helper interface ext4_try_to_trim_range() ext4: remove the 'group' parameter of ext4_trim_extent ata: libahci: clear pending interrupt status tracing: Increase trace array ref count on enable and filter files SUNRPC: Mark the cred for revalidation if the server rejects it NFS/pNFS: Report EINVAL errors from connect() to the server Revert "drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01" Revert "usb: typec: bus: verify partner exists in typec_altmode_attention" Revert "fs/nls: make load_nls() take a const parameter" Revert "ip_tunnels: use DEV_STATS_INC()" Linux 5.4.257 net/sched: Retire rsvp classifier drm/amdgpu: fix amdgpu_cs_p1_user_fence mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller ext4: fix rec_len verify error scsi: megaraid_sas: Fix deadlock on firmware crashdump i2c: aspeed: Reset the i2c controller when timeout occurs tracefs: Add missing lockdown check to tracefs_create_dir() nfsd: fix change_info in NFSv4 RENAME replies tracing: Have option files inc the trace array ref count tracing: Have current_trace inc the trace array ref count btrfs: fix lockdep splat and potential deadlock after failure running delayed items attr: block mode changes of symlinks md/raid1: fix error: ISO C90 forbids mixed declarations selftests: tracing: Fix to unmount tracefs for recovering environment btrfs: compare the correct fsid/metadata_uuid in btrfs_validate_super btrfs: add a helper to read the superblock metadata_uuid btrfs: move btrfs_pinned_by_swapfile prototype into volumes.h perf tools: Add an option to build without libbfd perf jevents: Make build dependency on test JSONs tools features: Add feature test to check if libbfd has buildid support kobject: Add sanity check for kset->kobj.ktype in kset_register() media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning serial: cpm_uart: Avoid suspicious locking scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show() usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc media: pci: cx23885: replace BUG with error return media: tuners: qt1010: replace BUG_ON with a regular error media: az6007: Fix null-ptr-deref in az6007_i2c_xfer() media: anysee: fix null-ptr-deref in anysee_master_xfer media: af9005: Fix null-ptr-deref in af9005_i2c_xfer media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer() media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer powerpc/pseries: fix possible memory leak in ibmebus_bus_init() jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount() ext2: fix datatype of block number in ext2_xattr_set2() md: raid1: fix potential OOB in raid1_remove_disk() bus: ti-sysc: Configure uart quirks for k3 SoC drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable() wifi: mac80211_hwsim: drop short frames alx: fix OOB-read compiler warning mmc: sdhci-esdhc-imx: improve ESDHC_FLAG_ERR010450 tpm_tis: Resend command to recover from data transfer errors crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui() wifi: mwifiex: fix fortify warning wifi: ath9k: fix printk specifier devlink: remove reload failed checks in params get/set callbacks hw_breakpoint: fix single-stepping when using bpf_overflow_handler perf/smmuv3: Enable HiSilicon Erratum 162001900 quirk for HIP08/09 ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470 kernel/fork: beware of __put_task_struct() calling context ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock btrfs: output extra debug info if we failed to find an inline backref autofs: fix memory leak of waitqueues in autofs_catatonic_mode parisc: Drop loops_per_jiffy from per_cpu struct drm/amd/display: Fix a bug when searching for insert_above_mpcc kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg(). ixgbe: fix timestamp configuration code net/tls: do not free tls_rec on async operation in bpf_exec_tx_verdict() platform/mellanox: mlxbf-tmfifo: Drop jumbo frames mlxbf-tmfifo: sparse tags for config access platform/mellanox: mlxbf-tmfifo: Drop the Rx packet if no more descriptors kcm: Fix memory leak in error path of kcm_sendmsg() r8152: check budget for r8152_poll() net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all() net: ethernet: mvpp2_main: fix possible OOB write in mvpp2_ethtool_get_rxnfc() net: ipv4: fix one memleak in __inet_del_ifa() clk: imx8mm: Move 1443X/1416X PLL clock structure to common place ARM: dts: BCM5301X: Extend RAM to full 256MB for Linksys EA6500 V2 usb: typec: bus: verify partner exists in typec_altmode_attention usb: typec: tcpm: Refactor tcpm_handle_vdm_request usb: typec: tcpm: Refactor tcpm_handle_vdm_request payload handling perf tools: Handle old data in PERF_RECORD_ATTR perf hists browser: Fix hierarchy mode header mtd: rawnand: brcmnand: Fix potential false time out warning mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write mtd: rawnand: brcmnand: Fix crash during the panic_write btrfs: use the correct superblock to compare fsid in btrfs_validate_super btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART fuse: nlookup missing decrement in fuse_direntplus_link ata: pata_ftide010: Add missing MODULE_DESCRIPTION ata: sata_gemini: Add missing MODULE_DESCRIPTION sh: boards: Fix CEU buffer size passed to dma_declare_coherent_memory() net: hns3: fix the port information display when sfp is absent netfilter: nfnetlink_osf: avoid OOB read ip_tunnels: use DEV_STATS_INC() idr: fix param name in idr_alloc_cyclic() doc s390/zcrypt: don't leak memory if dev_set_name() fails igb: Change IGB_MIN to allow set rx/tx value between 64 and 80 igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80 igc: Change IGC_MIN to allow set rx/tx value between 64 and 80 kcm: Destroy mutex in kcm_exit_net() net: sched: sch_qfq: Fix UAF in qfq_dequeue() af_unix: Fix data race around sk->sk_err. af_unix: Fix data-races around sk->sk_shutdown. af_unix: Fix data-race around unix_tot_inflight. af_unix: Fix data-races around user->unix_inflight. net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr veth: Fixing transmit return status for dropped packets igb: disable virtualization features on 82580 net: read sk->sk_family once in sk_mc_loop() ipv4: annotate data-races around fi->fib_dead sctp: annotate data-races around sk->sk_wmem_queued pwm: lpc32xx: Remove handling of PWM channels watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load perf top: Don't pass an ERR_PTR() directly to perf_session__delete() x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm() perf annotate bpf: Don't enclose non-debug code with an assert() kconfig: fix possible buffer overflow NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info soc: qcom: qmi_encdec: Restrict string length in decode clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock parisc: led: Reduce CPU overhead for disk & lan LED computation parisc: led: Fix LAN receive and transmit LEDs lib/test_meminit: allocate pages up to order MAX_ORDER drm/ast: Fix DRAM init on AST2200 fbdev/ep93xx-fb: Do not assign to struct fb_info.dev scsi: qla2xxx: Remove unsupported ql2xenabledif option scsi: qla2xxx: Turn off noisy message log scsi: qla2xxx: Fix erroneous link up failure scsi: qla2xxx: fix inconsistent TMF timeout net/ipv6: SKB symmetric hash should incorporate transport ports drm: fix double free for gbo in drm_gem_vram_init and drm_gem_vram_create udf: initialize newblock to 0 usb: typec: tcpci: clear the fault status bit serial: sc16is7xx: fix broken port 0 uart init sc16is7xx: Set iobase to device index cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug crypto: stm32 - fix loop iterating through scatterlist for DMA s390/ipl: add missing secure/has_secure file to ipl type 'unknown' pstore/ram: Check start of empty przs during init fsverity: skip PKCS#7 parser when keyring is empty net: handle ARPHRD_PPP in dev_is_mac_header_xmit() X.509: if signature is unsupported skip validation dccp: Fix out of bounds access in DCCP error handler dlm: fix plock lookup when using multiple lockspaces parisc: Fix /proc/cpuinfo output for lscpu procfs: block chmod on /proc/thread-self/comm Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset" ntb: Fix calculation ntb_transport_tx_free_entry() ntb: Clean up tx tail index on link down ntb: Drop packets when qp link is down media: dvb: symbol fixup for dvb_attach() xtensa: PMU: fix base address for the newer hardware backlight/lv5207lp: Compare against struct fb_info.device backlight/bd6107: Compare against struct fb_info.device backlight/gpio_backlight: Compare against struct fb_info.device ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch() ipmi_si: fix a memleak in try_smi_init() ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl PM / devfreq: Fix leak in devfreq_dev_release() igb: set max size RX buffer when store bad packet is enabled skbuff: skb_segment, Call zero copy functions before using skbuff frags netfilter: xt_sctp: validate the flag_info count netfilter: xt_u32: validate user space input netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU virtio_ring: fix avail_wrap_counter in virtqueue_add_packed cpufreq: Fix the race condition while updating the transition_task of policy dmaengine: ste_dma40: Add missing IRQ check in d40_probe um: Fix hostaudio build errors mtd: rawnand: fsmc: handle clk prepare error in fsmc_nand_resume() rpmsg: glink: Add check for kstrdup phy/rockchip: inno-hdmi: do not power on rk3328 post pll on reg write phy/rockchip: inno-hdmi: round fractal pixclock in rk3328 recalc_rate phy/rockchip: inno-hdmi: use correct vco_div_5 macro on rk3328 tracing: Fix race issue between cpu buffer write and swap x86/speculation: Mark all Skylake CPUs as vulnerable to GDS HID: multitouch: Correct devm device reference for hidinput input_dev name HID: logitech-dj: Fix error handling in logi_dj_recv_switch_to_dj_mode() RDMA/siw: Correct wrong debug message RDMA/siw: Balance the reference of cep->kref in the error path Revert "IB/isert: Fix incorrect release of isert connection" amba: bus: fix refcount leak serial: tegra: handle clk prepare error in tegra_uart_hw_init() scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock scsi: core: Use 32-bit hostnum in scsi_host_lookup() media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors media: ov2680: Fix vflip / hflip set functions media: ov2680: Fix ov2680_bayer_order() media: ov2680: Remove auto-gain and auto-exposure controls media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips media: ov5640: Enable MIPI interface in ov5640_set_power_mipi() media: i2c: ov5640: Configure HVP lines in s_power callback USB: gadget: f_mass_storage: Fix unused variable warning media: go7007: Remove redundant if statement iommu/vt-d: Fix to flush cache of PASID directory table IB/uverbs: Fix an potential error pointer dereference driver core: test_async: fix an error code dma-buf/sync_file: Fix docs syntax coresight: tmc: Explicit type conversions to prevent integer overflow scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly scsi: qedf: Do not touch __user pointer in qedf_dbg_debug_cmd_read() directly scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly x86/APM: drop the duplicate APM_MINOR_DEV macro serial: sprd: Fix DMA buffer leak issue serial: sprd: Assign sprd_port after initialized to avoid wrong access serial: sprd: remove redundant sprd_port cleanup serial: sprd: getting port index via serial aliases only scsi: qla4xxx: Add length check when parsing nlattrs scsi: be2iscsi: Add length check when parsing nlattrs scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param() usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host() media: mediatek: vcodec: Return NULL if no vdec_fb is found media: cx24120: Add retval check for cx24120_message_send() media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer() media: dib7000p: Fix potential division by zero drivers: usb: smsusb: fix error handling code in smsusb_init_device media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link() media: v4l2-fwnode: simplify v4l2_fwnode_parse_link media: v4l2-fwnode: fix v4l2_fwnode_parse_link handling NFS: Guard against READDIR loop when entry names exceed MAXNAMELEN NFSD: da_addr_body field missing in some GETDEVICEINFO replies fs: lockd: avoid possible wrong NULL parameter jfs: validate max amount of blocks before allocation. powerpc/iommu: Fix notifiers being shared by PCI and VIO buses nfs/blocklayout: Use the passed in gfp flags wifi: ath10k: Use RMW accessors for changing LNKCTL drm/radeon: Use RMW accessors for changing LNKCTL drm/radeon: Prefer pcie_capability_read_word() drm/radeon: Replace numbers with PCI_EXP_LNKCTL2 definitions drm/radeon: Correct Transmit Margin masks drm/amdgpu: Use RMW accessors for changing LNKCTL drm/amdgpu: Prefer pcie_capability_read_word() drm/amdgpu: Replace numbers with PCI_EXP_LNKCTL2 definitions drm/amdgpu: Correct Transmit Margin masks PCI: Add #defines for Enter Compliance, Transmit Margin powerpc/fadump: reset dump area size if fadump memory reserve fails clk: imx: composite-8m: fix clock pauses when set_rate would be a no-op PCI/ASPM: Use RMW accessors for changing LNKCTL PCI: pciehp: Use RMW accessors for changing LNKCTL PCI: Mark NVIDIA T4 GPUs to avoid bus reset clk: sunxi-ng: Modify mismatched function name drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init() ipmi:ssif: Fix a memory leak when scanning for an adapter ipmi:ssif: Add check for kstrdup ALSA: ac97: Fix possible error value of *rac97 of: unittest: Fix overlay type in apply/revert check drm/mediatek: Fix potential memory leak if vmap() fail audit: fix possible soft lockup in __audit_inode_child() smackfs: Prevent underflow in smk_set_cipso() drm/msm/mdp5: Don't leak some plane state ima: Remove deprecated IMA_TRUSTED_KEYRING Kconfig drm/panel: simple: Add missing connector type and pixel format for AUO T215HVN01 drm/armada: Fix off-by-one error in armada_overlay_get_property() of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name() drm/tegra: dpaux: Fix incorrect return value of platform_get_irq drm/tegra: Remove superfluous error messages around platform_get_irq() md/md-bitmap: hold 'reconfig_mutex' in backlog_store() md/bitmap: don't set max_write_behind if there is no write mostly device drm/amdgpu: Update min() to min_t() in 'amdgpu_info_ioctl' arm64: dts: qcom: sdm845: Add missing RPMh power domain to GCC ARM: dts: BCM53573: Fix Ethernet info for Luxul devices drm: adv7511: Fix low refresh rate register for ADV7533/5 ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split) ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210 ARM: dts: s5pv210: correct ethernet unit address in SMDKV210 ARM: dts: s5pv210: use defines for IRQ flags in SMDKV210 ARM: dts: s5pv210: add RTC 32 KHz clock in SMDKV210 ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split) ARM: dts: s3c64xx: align pinctrl with dtschema ARM: dts: s3c6410: align node SROM bus node name with dtschema in Mini6410 ARM: dts: s3c6410: move fixed clocks under root node in Mini6410 drm/etnaviv: fix dumping of active MMU context ARM: dts: BCM53573: Use updated "spi-gpio" binding properties ARM: dts: BCM53573: Add cells sizes to PCIe node ARM: dts: BCM53573: Drop nonexistent "default-off" LED trigger drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar() quota: fix dqput() to follow the guarantees dquot_srcu should provide quota: add new helper dquot_active() quota: rename dquot_active() to inode_quota_active() quota: factor out dquot_write_dquot() quota: avoid increasing DQST_LOOKUPS when iterating over dirty/inuse list drm/bridge: tc358764: Fix debug print parameter order netrom: Deny concurrent connect(). net/sched: sch_hfsc: Ensure inner classes have fsc curve mlxsw: i2c: Limit single transaction buffer size mlxsw: i2c: Fix chunk size setting in output mailbox buffer net: arcnet: Do not call kfree_skb() under local_irq_disable() wifi: ath9k: use IS_ERR() with debugfs_create_dir() wifi: mwifiex: avoid possible NULL skb pointer dereference wifi: ath9k: protect WMI command response buffer replacement with a lock wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx wifi: mwifiex: Fix missed return in oob checks failed path wifi: mwifiex: fix memory leak in mwifiex_histogram_read() fs: ocfs2: namei: check return value of ocfs2_add_entry() lwt: Check LWTUNNEL_XMIT_CONTINUE strictly lwt: Fix return values of BPF xmit ops hwrng: iproc-rng200 - Implement suspend and resume calls hwrng: iproc-rng200 - use semicolons rather than commas to separate statements crypto: caam - fix unchecked return value error Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe() crypto: stm32 - Properly handle pm_runtime_get failing wifi: mwifiex: fix error recovery in PCIE buffer descriptor management mwifiex: switch from 'pci_' to 'dma_' API wifi: mwifiex: Fix OOB and integer underflow when rx packets can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe() regmap: rbtree: Use alloc_flags for memory allocations tcp: tcp_enter_quickack_mode() should be static bpf: Clear the probe_addr for uprobe cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit() perf/imx_ddr: don't enable counter0 if none of 4 counters are used x86/decompressor: Don't rely on upper 32 bits of GPRs being preserved x86/boot: Annotate local functions x86/asm: Make more symbols local OPP: Fix passing 0 to PTR_ERR in _opp_attach_genpd() tmpfs: verify {g,u}id mount options correctly fs: Fix error checking for d_hash_and_lookup() new helper: lookup_positive_unlocked() eventfd: prevent underflow for eventfd semaphores eventfd: Export eventfd_ctx_do_read() reiserfs: Check the return value from __getblk() Revert "net: macsec: preserve ingress frame ordering" udf: Handle error when adding extent to a file udf: Check consistency of Space Bitmap Descriptor powerpc/32s: Fix assembler warning about r0 net: Avoid address overwrite in kernel_connect platform/mellanox: Fix mlxbf-tmfifo not handling all virtio CONSOLE notifications ALSA: seq: oss: Fix racy open/close of MIDI devices scsi: storvsc: Always set no_report_opcodes cifs: add a warning when the in-flight count goes negative sctp: handle invalid error codes without calling BUG() bnx2x: fix page fault following EEH recovery netlabel: fix shift wrapping bug in netlbl_catmap_setlong() scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM net: usb: qmi_wwan: add Quectel EM05GV2 clk: fixed-mmio: make COMMON_CLK_FIXED_MMIO depend on HAS_IOMEM security: keys: perform capable check only on privileged operations platform/x86: huawei-wmi: Silence ambient light sensor platform/x86: intel: hid: Always call BTNL ACPI method ASoC: atmel: Fix the 8K sample parameter in I2SC master ASoc: codecs: ES8316: Fix DMIC config fs/nls: make load_nls() take a const parameter s390/dasd: fix hanging device after request requeue s390/dasd: use correct number of retries for ERP requests m68k: Fix invalid .section syntax vxlan: generalize vxlan_parse_gpe_hdr and remove unused args ethernet: atheros: fix return value check in atl1c_tso_csum() ASoC: da7219: Check for failure reading AAD IRQ events ASoC: da7219: Flush pending AAD IRQ when suspending 9p: virtio: make sure 'offs' is initialized in zc_request pinctrl: amd: Don't show `Invalid config param` errors nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers() fsi: master-ast-cf: Add MODULE_FIRMWARE macro firmware: stratix10-svc: Fix an NULL vs IS_ERR() bug in probe serial: sc16is7xx: fix bug when first setting GPIO direction Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition staging: rtl8712: fix race condition HID: wacom: remove the battery when the EKR is off USB: serial: option: add FOXCONN T99W368/T99W373 product USB: serial: option: add Quectel EM05G variant (0x030e) modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff net: enetc: use EXPORT_SYMBOL_GPL for enetc_phc_index mmc: au1xmmc: force non-modular build and remove symbol_get usage ARM: pxa: remove use of symbol_get() erofs: ensure that the post-EOF tails are all zeroed Linux 5.4.256 Revert "MIPS: Alchemy: fix dbdma2" powerpc/pmac/smp: Drop unnecessary volatile qualifier powerpc/pmac/smp: Avoid unused-variable warnings Revert "drm/display/dp: Fix the DP DSC Receiver cap size" Revert "macsec: Fix traffic counters/statistics" Revert "macsec: use DEV_STATS_INC()" ANDROID: GKI: add back pm_runtime_get_if_in_use() Revert "interconnect: Add helpers for enabling/disabling a path" Revert "interconnect: Do not skip aggregation for disabled paths" Revert "ALSA: pcm: Set per-card upper limit of PCM buffer allocations" Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available" Revert "ALSA: pcm: Fix potential data race at PCM memory allocation helpers" Revert "ALSA: pcm: Fix build error on m68k and others" Revert "Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available"" Revert "ALSA: pcm: Check for null pointer of pointer substream before dereferencing it" Linux 5.4.255 dma-buf/sw_sync: Avoid recursive lock during fence signal pinctrl: renesas: rza2: Add lock around pinctrl_generic{{add,remove}_group,{add,remove}_function} clk: Fix undefined reference to `clk_rate_exclusive_{get,put}' scsi: core: raid_class: Remove raid_component_add() scsi: snic: Fix double free in snic_tgt_create() irqchip/mips-gic: Don't touch vl_map if a local interrupt is not routable Documentation/sysctl: document page_lock_unfairness ALSA: pcm: Check for null pointer of pointer substream before dereferencing it interconnect: Do not skip aggregation for disabled paths Revert "ALSA: pcm: Use SG-buffer only when direct DMA is available" ALSA: pcm: Fix build error on m68k and others rtnetlink: Reject negative ifindexes in RTM_NEWLINK mm: allow a controlled amount of unfairness in the page lock x86/fpu: Set X86_FEATURE_OSXSAVE feature after enabling OSXSAVE in CR4 drm/display/dp: Fix the DP DSC Receiver cap size PCI: acpiphp: Use pci_assign_unassigned_bridge_resources() only for non-root bus media: vcodec: Fix potential array out-of-bounds in encoder queue_setup radix tree: remove unused variable lib/clz_ctz.c: Fix __clzdi2() and __ctzdi2() for 32-bit kernels batman-adv: Hold rtnl lock during MTU update via netlink batman-adv: Fix batadv_v_ogm_aggr_send memory leak batman-adv: Fix TT global entry leak when client roamed back batman-adv: Do not get eth header before batadv_check_management_packet batman-adv: Don't increase MTU when set by user batman-adv: Trigger events for auto adjusted MTU nfsd: Fix race to FREE_STATEID and cl_revoked clk: Fix slab-out-of-bounds error in devm_clk_release() NFSv4: Fix dropped lock for racing OPEN and delegation return ibmveth: Use dcbf rather than dcbfl bonding: fix macvlan over alb bond support net: remove bond_slave_has_mac_rcu() net/sched: fix a qdisc modification with ambiguous command request igb: Avoid starting unnecessary workqueues net: validate veth and vxcan peer ifindexes net: bcmgenet: Fix return value check for fixed_phy_register() net: bgmac: Fix return value check for fixed_phy_register() ipvlan: Fix a reference count leak warning in ipvlan_ns_exit() dccp: annotate data-races in dccp_poll() sock: annotate data-races around prot->memory_pressure octeontx2-af: SDP: fix receive link config tracing: Fix memleak due to race between current_tracer and trace drm/amd/display: check TG is non-null before checking if enabled drm/amd/display: do not wait for mpc idle if tg is disabled ASoC: fsl_sai: Disable bit clock with transmitter ASoC: fsl_sai: Add new added registers and new bit definition ASoC: fsl_sai: Refine enable/disable TE/RE sequence in trigger() regmap: Account for register length in SMBus I/O limits ALSA: pcm: Fix potential data race at PCM memory allocation helpers ALSA: pcm: Use SG-buffer only when direct DMA is available ALSA: pcm: Set per-card upper limit of PCM buffer allocations dm integrity: reduce vmalloc space footprint on 32-bit architectures dm integrity: increase RECALC_SECTORS to improve recalculate speed fbdev: fix potential OOB read in fast_imageblit() fbdev: Fix sys_imageblit() for arbitrary image widths fbdev: Improve performance of sys_imageblit() MIPS: cpu-features: Use boot_cpu_type for CPU type based features MIPS: cpu-features: Enable octeon_cache by cpu_type fs: dlm: fix mismatch of plock results from userspace fs: dlm: use dlm_plock_info for do_unlock_close fs: dlm: change plock interrupted message to debug again fs: dlm: add pid to debug log dlm: replace usage of found with dedicated list iterator variable dlm: improve plock logging if interrupted PCI: acpiphp: Reassign resources on bridge if necessary net: phy: broadcom: stub c45 read/write for 54810 mmc: f-sdh30: fix order of function calls in sdhci_f_sdh30_remove net: xfrm: Amend XFRMA_SEC_CTX nla_policy structure net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled virtio-net: set queues after driver_ok af_unix: Fix null-ptr-deref in unix_stream_sendpage(). netfilter: set default timeout to 3 secs for sctp shutdown send and recv state mmc: block: Fix in_flight[issue_type] value error mmc: wbsd: fix double mmc_free_host() in wbsd_init() cifs: Release folio lock on fscache read hit. ALSA: usb-audio: Add support for Mythware XA001AU capture and playback interfaces. serial: 8250: Fix oops for port->pm on uart_change_pm() ASoC: meson: axg-tdm-formatter: fix channel slot allocation ASoC: rt5665: add missed regulator_bulk_disable ARM: dts: imx: Set default tuning step for imx6sx usdhc ARM: dts: imx: Set default tuning step for imx7d usdhc ARM: dts: imx: Adjust dma-apbh node name ARM: dts: imx7s: Drop dma-apb interrupt-names bus: ti-sysc: Flush posted write on enable before reset bus: ti-sysc: Improve reset to work with modules with no sysconfig net: do not allow gso_size to be set to GSO_BY_FRAGS sock: Fix misuse of sk_under_memory_pressure() net: dsa: mv88e6xxx: Wait for EEPROM done before HW reset i40e: fix misleading debug logs team: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves netfilter: nft_dynset: disallow object maps ipvs: fix racy memcpy in proc_do_sync_threshold selftests: mirror_gre_changes: Tighten up the TTL test match xfrm: add NULL check in xfrm_update_ae_params ip_vti: fix potential slab-use-after-free in decode_session6 ip6_vti: fix slab-use-after-free in decode_session6 xfrm: fix slab-use-after-free in decode_session6 xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c net: af_key: fix sadb_x_filter validation net: xfrm: Fix xfrm_address_filter OOB read btrfs: fix BUG_ON condition in btrfs_cancel_balance tty: serial: fsl_lpuart: Clear the error flags by writing 1 for lpuart32 platforms powerpc/rtas_flash: allow user copy to flash block cache objects fbdev: mmp: fix value check in mmphw_probe() i2c: bcm-iproc: Fix bcm_iproc_i2c_isr deadlock issue virtio-mmio: don't break lifecycle of vm_dev virtio-mmio: Use to_virtio_mmio_device() to simply code virtio-mmio: convert to devm_platform_ioremap_resource nfsd: Remove incorrect check in nfsd4_validate_stateid nfsd4: kill warnings on testing stateids with mismatched clientids net/ncsi: Fix gma flag setting after response tracing/probes: Fix to update dynamic data counter if fetcharg uses it tracing/probes: Have process_fetch_insn() take a void * instead of pt_regs leds: trigger: netdev: Recheck NETDEV_LED_MODE_LINKUP on dev rename mmc: sunxi: fix deferred probing mmc: bcm2835: fix deferred probing USB: dwc3: qcom: fix NULL-deref on suspend usb: dwc3: qcom: Add helper functions to enable,disable wake irqs interconnect: Add helpers for enabling/disabling a path interconnect: Move internal structs into a separate file irqchip/mips-gic: Use raw spinlock for gic_lock irqchip/mips-gic: Get rid of the reliance on irq_cpu_online() ALSA: hda: Fix unhandled register update during auto-suspend period PM: runtime: Add pm_runtime_get_if_active() PM-runtime: add tracepoints for usage_count changes iommu/amd: Fix "Guest Virtual APIC Table Root Pointer" configuration in IRTE iio: addac: stx104: Fix race condition when converting analog-to-digital iio: addac: stx104: Fix race condition for stx104_write_raw() iio: stx104: Move to addac subdirectory iio: adc: stx104: Implement and utilize register structures iio: adc: stx104: Utilize iomap interface iio: add addac subdirectory IMA: allow/fix UML builds powerpc/kasan: Disable KCOV in KASAN code ALSA: hda: fix a possible null-pointer dereference due to data race in snd_hdac_regmap_sync() ALSA: hda/realtek: Add quirks for Unis H3C Desktop B760 & Q760 drm/amdgpu: Fix potential fence use-after-free v2 Bluetooth: L2CAP: Fix use-after-free pcmcia: rsrc_nonstatic: Fix memory leak in nonstatic_release_resource_db() gfs2: Fix possible data races in gfs2_show_options() usb: chipidea: imx: don't request QoS for imx8ulp media: platform: mediatek: vpu: fix NULL ptr dereference media: v4l2-mem2mem: add lock to protect parameter num_rdy FS: JFS: Check for read-only mounted filesystem in txBegin FS: JFS: Fix null-ptr-deref Read in txBegin MIPS: dec: prom: Address -Warray-bounds warning fs: jfs: Fix UBSAN: array-index-out-of-bounds in dbAllocDmapLev udf: Fix uninitialized array access for some pathnames ovl: check type and offset of struct vfsmount in ovl_entry HID: add quirk for 03f0:464a HP Elite Presenter Mouse quota: fix warning in dqgrab() quota: Properly disable quotas when add_dquot_ref() fails ALSA: emu10k1: roll up loops in DSP setup code for Audigy drm/radeon: Fix integer overflow in radeon_cs_parser_init macsec: use DEV_STATS_INC() macsec: Fix traffic counters/statistics selftests: forwarding: tc_flower: Relax success criterion mmc: sdhci-f-sdh30: Replace with sdhci_pltfm mmc: sdhci_f_sdh30: convert to devm_platform_ioremap_resource Conflicts: drivers/devfreq/devfreq.c drivers/mmc/core/block.c drivers/rpmsg/qcom_glink_native.c include/net/tcp.h Change-Id: Ic33d13451796752e101ed9f9bdb8c80a580af8b5 |
||
|
Greg Kroah-Hartman
|
0780b1ab09 |
This is the 5.4.263 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVyyWIACgkQONu9yGCS
aT6Y8A//QJPg7pguCawsJGrem3a5dvhi9scNMmfuhKZOKS73JEmt4yudB9IOUjIX
1c1aBcJo5yYMZq5L9mhXnlgkgqENxE9fI45FtMdwoKiriEQ0w9OBLlfZuKN9lwzC
tyIigaGE5DD3SqL8e/04LNmMPPdolM38lJ368fYaD3T4d7LfwK0qHJFL8dSg4OFQ
VaePViMFgbodjtSXoERNjVLaNtSlQDQytiWHMiQX2uf6CIIRbm+zFHn2Se1mUgh3
WGT9JfXZ+achPw6OLhSIjwL+7vowhn3eRETq4zGkkNSK+rmB6W7zjPhou4SYsmc+
FAYXvalmhQWWjlmIyZzO7GIVtgx19VuEYB8h5KLvp6DXQ0h0wCBOGgsfIT4icbgW
wO0R+toWYY3Y79OLRGiMjiL9b60njJYnrm7JrheRD+BIm2jva+Tb7UxhC6QDMfH6
a8fya8iJDNZWggwpx67JUANdMO8e+2rS4ttNxW0gTZSHhyEjo1HXctKBEmmtXk4s
HGNV5xUniPnzrP8rduNqePG5B6c3wqOHUwj45L4scGmeC0DzW7E8EBgkHfRcU6CG
ik9z5nQeDikREfK7cp8OSFtLaEBWSIX57XwHWDTMVPDGTN8EQ6eI7vTnQH3xOhA8
VWFfwcU6avROM/ih7eJ+X4JvuDKcAGTPeD6oF3II0MLPK2m7ZmE=
=p/ty
-----END PGP SIGNATURE-----
Merge 5.4.263 into android11-5.4-lts
Changes in 5.4.263
driver core: Release all resources during unbind before updating device links
RDMA/irdma: Prevent zero-length STAG registration
PCI: keystone: Drop __init from ks_pcie_add_pcie_{ep,port}()
afs: Make error on cell lookup failure consistent with OpenAFS
drm/panel: simple: Fix Innolux G101ICE-L01 bus flags
drm/panel: simple: Fix Innolux G101ICE-L01 timings
ata: pata_isapnp: Add missing error check for devm_ioport_map()
drm/rockchip: vop: Fix color for RGB888/BGR888 format on VOP full
HID: core: store the unique system identifier in hid_device
HID: fix HID device resource race between HID core and debugging support
ipv4: Correct/silence an endian warning in __ip_do_redirect
net: usb: ax88179_178a: fix failed operations during ax88179_reset
arm/xen: fix xen_vcpu_info allocation alignment
amd-xgbe: handle corner-case during sfp hotplug
amd-xgbe: handle the corner-case during tx completion
amd-xgbe: propagate the correct speed and duplex status
net: axienet: Fix check for partial TX checksum
afs: Return ENOENT if no cell DNS record can be found
afs: Fix file locking on R/O volumes to operate in local mode
nvmet: remove unnecessary ctrl parameter
nvmet: nul-terminate the NQNs passed in the connect command
MIPS: KVM: Fix a build warning about variable set but not used
ext4: add a new helper to check if es must be kept
ext4: factor out __es_alloc_extent() and __es_free_extent()
ext4: use pre-allocated es in __es_insert_extent()
ext4: use pre-allocated es in __es_remove_extent()
ext4: using nofail preallocation in ext4_es_remove_extent()
ext4: using nofail preallocation in ext4_es_insert_delayed_block()
ext4: using nofail preallocation in ext4_es_insert_extent()
ext4: fix slab-use-after-free in ext4_es_insert_extent()
ext4: make sure allocate pending entry not fail
arm64: cpufeature: Extract capped perfmon fields
KVM: arm64: limit PMU version to PMUv3 for ARMv8.1
ACPI: resource: Skip IRQ override on ASUS ExpertBook B1402CVA
bcache: replace a mistaken IS_ERR() by IS_ERR_OR_NULL() in btree_gc_coalesce()
s390/dasd: protect device queue against concurrent access
USB: serial: option: add Luat Air72*U series products
hv_netvsc: Fix race of register_netdevice_notifier and VF register
hv_netvsc: Mark VF as slave before exposing it to user-mode
dm-delay: fix a race between delay_presuspend and delay_bio
bcache: check return value from btree_node_alloc_replacement()
bcache: prevent potential division by zero error
USB: serial: option: add Fibocom L7xx modules
USB: serial: option: fix FM101R-GL defines
USB: serial: option: don't claim interface 4 for ZTE MF290
USB: dwc2: write HCINT with INTMASK applied
usb: dwc3: set the dma max_seg_size
USB: dwc3: qcom: fix resource leaks on probe deferral
USB: dwc3: qcom: fix wakeup after probe deferral
io_uring: fix off-by one bvec index
pinctrl: avoid reload of p state in list iteration
firewire: core: fix possible memory leak in create_units()
mmc: block: Do not lose cache flush during CQE error recovery
ALSA: hda: Disable power-save on KONTRON SinglePC
ALSA: hda/realtek: Headset Mic VREF to 100%
ALSA: hda/realtek: Add supported ALC257 for ChromeOS
dm-verity: align struct dm_verity_fec_io properly
dm verity: don't perform FEC for failed readahead IO
bcache: revert replacing IS_ERR_OR_NULL with IS_ERR
powerpc: Don't clobber f0/vs0 during fp|altivec register save
btrfs: add dmesg output for first mount and last unmount of a filesystem
btrfs: fix off-by-one when checking chunk map includes logical address
btrfs: send: ensure send_fd is writable
btrfs: make error messages more clear when getting a chunk map
Input: xpad - add HyperX Clutch Gladiate Support
ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
net: stmmac: xgmac: Disable FPE MMC interrupts
ravb: Fix races between ravb_tx_timeout_work() and net related ops
net: ravb: Use pm_runtime_resume_and_get()
net: ravb: Start TX queues after HW initialization succeeded
smb3: fix touch -h of symlink
s390/mm: fix phys vs virt confusion in mark_kernel_pXd() functions family
s390/cmma: fix detection of DAT pages
mtd: cfi_cmdset_0001: Support the absence of protection registers
mtd: cfi_cmdset_0001: Byte swap OTP info
fbdev: stifb: Make the STI next font pointer a 32-bit signed offset
ima: annotate iint mutex to avoid lockdep false positive warnings
ovl: skip overlayfs superblocks at global sync
ima: detect changes to the backing overlay file
scsi: qla2xxx: Simplify the code for aborting SCSI commands
scsi: core: Introduce the scsi_cmd_to_rq() function
scsi: qla2xxx: Use scsi_cmd_to_rq() instead of scsi_cmnd.request
scsi: qla2xxx: Fix system crash due to bad pointer access
cpufreq: imx6q: don't warn for disabling a non-existing frequency
cpufreq: imx6q: Don't disable 792 Mhz OPP unnecessarily
mmc: cqhci: Increase recovery halt timeout
mmc: cqhci: Warn of halt or task clear failure
mmc: cqhci: Fix task clearing in CQE error recovery
mmc: core: convert comma to semicolon
mmc: block: Retry commands in CQE error recovery
Linux 5.4.263
Change-Id: I5187b50207d7ed37d7448664448409ed75106ea1
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
|
||
Zhengchao Shao
|
7ccf772a8b |
ipv4: igmp: fix refcnt uaf issue when receiving igmp query packet
[ Upstream commit e2b706c691905fe78468c361aaabc719d0a496f1 ]
When I perform the following test operations:
1.ip link add br0 type bridge
2.brctl addif br0 eth0
3.ip addr add 239.0.0.1/32 dev eth0
4.ip addr add 239.0.0.1/32 dev br0
5.ip addr add 224.0.0.1/32 dev br0
6.while ((1))
do
ifconfig br0 up
ifconfig br0 down
done
7.send IGMPv2 query packets to port eth0 continuously. For example,
./mausezahn ethX -c 0 "01 00 5e 00 00 01 00 72 19 88 aa 02 08 00 45 00 00
1c 00 01 00 00 01 02 0e 7f c0 a8 0a b7 e0 00 00 01 11 64 ee 9b 00 00 00 00"
The preceding tests may trigger the refcnt uaf issue of the mc list. The
stack is as follows:
refcount_t: addition on 0; use-after-free.
WARNING: CPU: 21 PID: 144 at lib/refcount.c:25 refcount_warn_saturate (lib/refcount.c:25)
CPU: 21 PID: 144 Comm: ksoftirqd/21 Kdump: loaded Not tainted 6.7.0-rc1-next-20231117-dirty #80
Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
RIP: 0010:refcount_warn_saturate (lib/refcount.c:25)
RSP: 0018:ffffb68f00657910 EFLAGS: 00010286
RAX: 0000000000000000 RBX: ffff8a00c3bf96c0 RCX: ffff8a07b6160908
RDX: 00000000ffffffd8 RSI: 0000000000000027 RDI: ffff8a07b6160900
RBP: ffff8a00cba36862 R08: 0000000000000000 R09: 00000000ffff7fff
R10: ffffb68f006577c0 R11: ffffffffb0fdcdc8 R12: ffff8a00c3bf9680
R13: ffff8a00c3bf96f0 R14: 0000000000000000 R15: ffff8a00d8766e00
FS: 0000000000000000(0000) GS:ffff8a07b6140000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000055f10b520b28 CR3: 000000039741a000 CR4: 00000000000006f0
Call Trace:
<TASK>
igmp_heard_query (net/ipv4/igmp.c:1068)
igmp_rcv (net/ipv4/igmp.c:1132)
ip_protocol_deliver_rcu (net/ipv4/ip_input.c:205)
ip_local_deliver_finish (net/ipv4/ip_input.c:234)
__netif_receive_skb_one_core (net/core/dev.c:5529)
netif_receive_skb_internal (net/core/dev.c:5729)
netif_receive_skb (net/core/dev.c:5788)
br_handle_frame_finish (net/bridge/br_input.c:216)
nf_hook_bridge_pre (net/bridge/br_input.c:294)
__netif_receive_skb_core (net/core/dev.c:5423)
__netif_receive_skb_list_core (net/core/dev.c:5606)
__netif_receive_skb_list (net/core/dev.c:5674)
netif_receive_skb_list_internal (net/core/dev.c:5764)
napi_gro_receive (net/core/gro.c:609)
e1000_clean_rx_irq (drivers/net/ethernet/intel/e1000/e1000_main.c:4467)
e1000_clean (drivers/net/ethernet/intel/e1000/e1000_main.c:3805)
__napi_poll (net/core/dev.c:6533)
net_rx_action (net/core/dev.c:6735)
__do_softirq (kernel/softirq.c:554)
run_ksoftirqd (kernel/softirq.c:913)
smpboot_thread_fn (kernel/smpboot.c:164)
kthread (kernel/kthread.c:388)
ret_from_fork (arch/x86/kernel/process.c:153)
ret_from_fork_asm (arch/x86/entry/entry_64.S:250)
</TASK>
The root causes are as follows:
Thread A Thread B
... netif_receive_skb
br_dev_stop ...
br_multicast_leave_snoopers ...
__ip_mc_dec_group ...
__igmp_group_dropped igmp_rcv
igmp_stop_timer igmp_heard_query //ref = 1
ip_ma_put igmp_mod_timer
refcount_dec_and_test igmp_start_timer //ref = 0
... refcount_inc //ref increases from 0
When the device receives an IGMPv2 Query message, it starts the timer
immediately, regardless of whether the device is running. If the device is
down and has left the multicast group, it will cause the mc list refcount
uaf issue.
Fixes:
|
||
Kunwu Chan
|
fc23517c87 |
ipv4: Correct/silence an endian warning in __ip_do_redirect
[ Upstream commit c0e2926266af3b5acf28df0a8fc6e4d90effe0bb ]
net/ipv4/route.c:783:46: warning: incorrect type in argument 2 (different base types)
net/ipv4/route.c:783:46: expected unsigned int [usertype] key
net/ipv4/route.c:783:46: got restricted __be32 [usertype] new_gw
Fixes:
|
||
Pablo Neira Ayuso
|
81334f26ac |
UPSTREAM: netfilter: nf_tables: remove busy mark and gc batch API
commit a2dd0233cbc4d8a0abb5f64487487ffc9265beb5 upstream.
Ditch it, it has been replace it by the GC transaction API and it has no
clients anymore.
Bug: 299922216
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Pablo Neira Ayuso
|
bdb31e6ebb |
UPSTREAM: netfilter: nft_set_hash: mark set element as dead when deleting from packet path
commit c92db3030492b8ad1d0faace7a93bbcf53850d0c upstream. Set on the NFT_SET_ELEM_DEAD_BIT flag on this element, instead of performing element removal which might race with an ongoing transaction. Enable gc when dynamic flag is set on since dynset deletion requires garbage collection after this patch. Bug: 299922216 Fixes: |
||
|
Pablo Neira Ayuso
|
a65e87c130 |
UPSTREAM: netfilter: nf_tables: adapt set backend to use GC transaction API
commit f6c383b8c31a93752a52697f8430a71dcbc46adf upstream.
Use the GC transaction API to replace the old and buggy gc API and the
busy mark approach.
No set elements are removed from async garbage collection anymore,
instead the _DEAD bit is set on so the set element is not visible from
lookup path anymore. Async GC enqueues transaction work that might be
aborted and retried later.
rbtree and pipapo set backends does not set on the _DEAD bit from the
sync GC path since this runs in control plane path where mutex is held.
In this case, set elements are deactivated, removed and then released
via RCU callback, sync GC never fails.
Bug: 299922216
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Fixes:
|
||
|
Pablo Neira Ayuso
|
adc9cb0683 |
UPSTREAM: netfilter: nf_tables: GC transaction API to avoid race with control plane
commit 5f68718b34a531a556f2f50300ead2862278da26 upstream.
The set types rhashtable and rbtree use a GC worker to reclaim memory.
>From system work queue, in periodic intervals, a scan of the table is
done.
The major caveat here is that the nft transaction mutex is not held.
This causes a race between control plane and GC when they attempt to
delete the same element.
We cannot grab the netlink mutex from the work queue, because the
control plane has to wait for the GC work queue in case the set is to be
removed, so we get following deadlock:
cpu 1 cpu2
GC work transaction comes in , lock nft mutex
`acquire nft mutex // BLOCKS
transaction asks to remove the set
set destruction calls cancel_work_sync()
cancel_work_sync will now block forever, because it is waiting for the
mutex the caller already owns.
This patch adds a new API that deals with garbage collection in two
steps:
1) Lockless GC of expired elements sets on the NFT_SET_ELEM_DEAD_BIT
so they are not visible via lookup. Annotate current GC sequence in
the GC transaction. Enqueue GC transaction work as soon as it is
full. If ruleset is updated, then GC transaction is aborted and
retried later.
2) GC work grabs the mutex. If GC sequence has changed then this GC
transaction lost race with control plane, abort it as it contains
stale references to objects and let GC try again later. If the
ruleset is intact, then this GC transaction deactivates and removes
the elements and it uses call_rcu() to destroy elements.
Note that no elements are removed from GC lockless path, the _DEAD bit
is set and pointers are collected. GC catchall does not remove the
elements anymore too. There is a new set->dead flag that is set on to
abort the GC transaction to deal with set->ops->destroy() path which
removes the remaining elements in the set from commit_release, where no
mutex is held.
To deal with GC when mutex is held, which allows safe deactivate and
removal, add sync GC API which releases the set element object via
call_rcu(). This is used by rbtree and pipapo backends which also
perform garbage collection from control plane path.
Since element removal from sets can happen from control plane and
element garbage collection/timeout, it is necessary to keep the set
structure alive until all elements have been deactivated and destroyed.
We cannot do a cancel_work_sync or flush_work in nft_set_destroy because
its called with the transaction mutex held, but the aforementioned async
work queue might be blocked on the very mutex that nft_set_destroy()
callchain is sitting on.
This gives us the choice of ABBA deadlock or UaF.
To avoid both, add set->refs refcount_t member. The GC API can then
increment the set refcount and release it once the elements have been
free'd.
Set backends are adapted to use the GC transaction API in a follow up
patch entitled:
("netfilter: nf_tables: use gc transaction API in set backends")
This is joint work with Florian Westphal.
Bug: 299922216
Fixes:
|
||
Florian Westphal
|
4ce6a73326 |
UPSTREAM: netfilter: nft_set_rbtree: fix overlap expiration walk
commit f718863aca469a109895cb855e6b81fff4827d71 upstream.
The lazy gc on insert that should remove timed-out entries fails to release
the other half of the interval, if any.
Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0
in nftables.git and kmemleak enabled kernel.
Second bug is the use of rbe_prev vs. prev pointer.
If rbe_prev() returns NULL after at least one iteration, rbe_prev points
to element that is not an end interval, hence it should not be removed.
Lastly, check the genmask of the end interval if this is active in the
current generation.
Bug: 299922216
Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Florian Westphal
|
1b7330db23 |
UPSTREAM: netfilter: nft_set_rbtree: fix null deref on element insertion
commit 61ae320a29b0540c16931816299eb86bf2b66c08 upstream.
There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():
general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
nft_add_set_elem+0x14b0/0x2990
nf_tables_newsetelem+0x528/0xb30
Furthermore, there is a possible use-after-free while iterating,
'node' can be free'd so we need to cache the next value to use.
Bug: 299922216
Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Pablo Neira Ayuso
|
f896aebc91 |
UPSTREAM: netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
commit c9e6978e2725a7d4b6cd23b2facd3f11422c0643 upstream.
...instead of a tree descent, which became overly complicated in an
attempt to cover cases where expired or inactive elements would affect
comparisons with the new element being inserted.
Further, it turned out that it's probably impossible to cover all those
cases, as inactive nodes might entirely hide subtrees consisting of a
complete interval plus a node that makes the current insertion not
overlap.
To speed up the overlap check, descent the tree to find a greater
element that is closer to the key value to insert. Then walk down the
node list for overlap detection. Starting the overlap check from
rb_first() unconditionally is slow, it takes 10 times longer due to the
full linear traversal of the list.
Moreover, perform garbage collection of expired elements when walking
down the node list to avoid bogus overlap reports.
For the insertion operation itself, this essentially reverts back to the
implementation before commit 7c84d41416d8 ("netfilter: nft_set_rbtree:
Detect partial overlaps on insertion"), except that cases of complete
overlap are already handled in the overlap detection phase itself, which
slightly simplifies the loop to find the insertion point.
Based on initial patch from Stefano Brivio, including text from the
original patch description too.
Bug: 299922216
Fixes: 7c84d41416d8 ("netfilter: nft_set_rbtree: Detect partial overlaps on insertion")
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Pablo Neira Ayuso
|
3a298023c9 |
UPSTREAM: netfilter: nf_tables: drop map element references from preparation phase
commit 628bd3e49cba1c066228e23d71a852c23e26da73 upstream. set .destroy callback releases the references to other objects in maps. This is very late and it results in spurious EBUSY errors. Drop refcount from the preparation phase instead, update set backend not to drop reference counter from set .destroy path. Exceptions: NFT_TRANS_PREPARE_ERROR does not require to drop the reference counter because the transaction abort path releases the map references for each element since the set is unbound. The abort path also deals with releasing reference counter for new elements added to unbound sets. Bug: 299922216 Fixes: |
||
|
Pablo Neira Ayuso
|
28ca053314 |
UPSTREAM: netfilter: nftables: rename set element data activation/deactivation functions
commit f8bb7889af58d8e74d2d61c76b1418230f1610fa upstream.
Rename:
- nft_set_elem_activate() to nft_set_elem_data_activate().
- nft_set_elem_deactivate() to nft_set_elem_data_deactivate().
To prepare for updates in the set element infrastructure to add support
for the special catch-all element.
Bug: 299922216
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Pablo Neira Ayuso
|
a8427caea3 |
UPSTREAM: netfilter: nf_tables: pass context to nft_set_destroy()
commit 0c2a85edd143162b3a698f31e94bf8cdc041da87 upstream.
The patch that adds support for stateful expressions in set definitions
require this.
Bug: 299922216
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
(cherry picked from commit
|
||
|
Florian Westphal
|
1ab45006d5 |
UPSTREAM: netfilter: nf_tables: don't skip expired elements during walk
commit 24138933b97b055d486e8064b4a1721702442a9b upstream.
There is an asymmetry between commit/abort and preparation phase if the
following conditions are met:
1. set is a verdict map ("1.2.3.4 : jump foo")
2. timeouts are enabled
In this case, following sequence is problematic:
1. element E in set S refers to chain C
2. userspace requests removal of set S
3. kernel does a set walk to decrement chain->use count for all elements
from preparation phase
4. kernel does another set walk to remove elements from the commit phase
(or another walk to do a chain->use increment for all elements from
abort phase)
If E has already expired in 1), it will be ignored during list walk, so its use count
won't have been changed.
Then, when set is culled, ->destroy callback will zap the element via
nf_tables_set_elem_destroy(), but this function is only safe for
elements that have been deactivated earlier from the preparation phase:
lack of earlier deactivate removes the element but leaks the chain use
count, which results in a WARN splat when the chain gets removed later,
plus a leak of the nft_chain structure.
Update pipapo_get() not to skip expired elements, otherwise flush
command reports bogus ENOENT errors.
Bug: 299922216
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Fixes:
|
||
|
Greg Kroah-Hartman
|
a3aeec7ab8 |
This is the 5.4.262 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVmGmUACgkQONu9yGCS aT4V7A//YzFdP4ANGVpZ7tBob7OxpgGgvEu32zCDx51LQ8n2uJRJ8WBWW6kVOBUZ YyUEXzjPPaS7JRS1O7TpCGYFWrH0ue9c/xzyvUQyyHEBZvZVj0P3O1iHlAk2FWSG pOTEfW1cFp8vtHwGn82rmIDETu56LMWd+aeVhg6psb2L6ho2LPipCkxN79kbBGSB DLfD71O2Pb3mw8ZYHVC5KKIlfODLqjq9N6T+3VsG4uQCEMHTVAHjjoIvYFeSi1cR MqPXS4/3GUyYUDTe2tjYznkSfPbdARfD1aKKPEXLuq1+q6WqvHCAG7nwgtPT/gd9 JPCxm+9DPN9+YhmEsCJpMSq3pD2eTrD5ZXhYFNc5sOsNw0L4oFRLtrB782snerw+ ogQ8DED4qATn1+x7jfRD7hwMzHih4nAL7zqy32s8knKHfp1+rOOkXfIohfc9qrUI svUjb1B+guuGHwFq6YDzxpUxmhdGqOo262cnU4jfH8lxH+w03vyNxxyQn0ZUUe2I gkvJ5wNpq4QhD/++B/DaCptw0l5AzfjOO+0xlp20xMzn5qW/BS8W26zUXhGeLOAd MHu+fv9DU0mzs3V1MxRvbBQ5gI9TngRWXJSIBCJx5YhZ8gGIhfrzoIzY+IeF6l3F idjruirbfujAQv0vQHuz7JmhHrTG+T90slQ/R8pPud73WGz5BMI= =A+DX -----END PGP SIGNATURE----- Merge 5.4.262 into android11-5.4-lts Changes in 5.4.262 locking/ww_mutex/test: Fix potential workqueue corruption perf/core: Bail out early if the request AUX area is out of bound clocksource/drivers/timer-imx-gpt: Fix potential memory leak clocksource/drivers/timer-atmel-tcb: Fix initialization on SAM9 hardware x86/mm: Drop the 4 MB restriction on minimal NUMA node memory size wifi: mac80211_hwsim: fix clang-specific fortify warning wifi: mac80211: don't return unset power in ieee80211_get_tx_power() wifi: ath9k: fix clang-specific fortify warnings wifi: ath10k: fix clang-specific fortify warning net: annotate data-races around sk->sk_tx_queue_mapping net: annotate data-races around sk->sk_dst_pending_confirm wifi: ath10k: Don't touch the CE interrupt registers after power up Bluetooth: Fix double free in hci_conn_cleanup platform/x86: thinkpad_acpi: Add battery quirk for Thinkpad X120e drm/komeda: drop all currently held locks if deadlock happens drm/amd: Fix UBSAN array-index-out-of-bounds for SMU7 drm/amd: Fix UBSAN array-index-out-of-bounds for Polaris and Tonga drm/amdgpu: Fix a null pointer access when the smc_rreg pointer is NULL selftests/efivarfs: create-read: fix a resource leak crypto: pcrypt - Fix hungtask for PADATA_RESET RDMA/hfi1: Use FIELD_GET() to extract Link Width fs/jfs: Add check for negative db_l2nbperpage fs/jfs: Add validity check for db_maxag and db_agpref jfs: fix array-index-out-of-bounds in dbFindLeaf jfs: fix array-index-out-of-bounds in diAlloc ARM: 9320/1: fix stack depot IRQ stack filter ALSA: hda: Fix possible null-ptr-deref when assigning a stream PCI: tegra194: Use FIELD_GET()/FIELD_PREP() with Link Width fields atm: iphase: Do PCI error checks on own line scsi: libfc: Fix potential NULL pointer dereference in fc_lport_ptp_setup() HID: Add quirk for Dell Pro Wireless Keyboard and Mouse KM5221W tty: vcc: Add check for kstrdup() in vcc_probe() usb: gadget: f_ncm: Always set current gadget in ncm_bind() i2c: sun6i-p2wi: Prevent potential division by zero media: gspca: cpia1: shift-out-of-bounds in set_flicker media: vivid: avoid integer overflow gfs2: ignore negated quota changes media: cobalt: Use FIELD_GET() to extract Link Width drm/amd/display: Avoid NULL dereference of timing generator kgdb: Flush console before entering kgdb on panic ASoC: ti: omap-mcbsp: Fix runtime PM underflow warnings pwm: Fix double shift bug wifi: iwlwifi: Use FW rate for non-data frames NFSv4.1: fix SP4_MACH_CRED protection for pnfs IO ipvlan: add ipvlan_route_v6_outbound() helper tty: Fix uninit-value access in ppp_sync_receive() net: hns3: fix variable may not initialized problem in hns3_init_mac_addr() tipc: Fix kernel-infoleak due to uninitialized TLV value ppp: limit MRU to 64K xen/events: fix delayed eoi list handling ptp: annotate data-race around q->head and q->tail bonding: stop the device in bond_setup_by_slave() net: ethernet: cortina: Fix max RX frame define net: ethernet: cortina: Handle large frames net: ethernet: cortina: Fix MTU max setting netfilter: nf_conntrack_bridge: initialize err to 0 net: stmmac: Rework stmmac_rx() net: stmmac: fix rx budget limit check net/mlx5e: fix double free of encap_header net/mlx5_core: Clean driver version and name net/mlx5e: Check return value of snprintf writing to fw_version buffer for representors macvlan: Don't propagate promisc change to lower dev in passthru tools/power/turbostat: Fix a knl bug cifs: spnego: add ';' in HOST_KEY_LEN media: venus: hfi: add checks to perform sanity on queue pointers randstruct: Fix gcc-plugin performance mode to stay in group bpf: Fix precision tracking for BPF_ALU | BPF_TO_BE | BPF_END scsi: megaraid_sas: Increase register read retry rount from 3 to 30 for selected registers x86/cpu/hygon: Fix the CPU topology evaluation for real KVM: x86: hyper-v: Don't auto-enable stimer on write from user-space KVM: x86: Ignore MSR_AMD64_TW_CFG access audit: don't take task_lock() in audit_exe_compare() code path audit: don't WARN_ON_ONCE(!current->mm) in audit_exe_compare() hvc/xen: fix error path in xen_hvc_init() to always register frontend driver PCI/sysfs: Protect driver's D3cold preference from user space ACPI: resource: Do IRQ override on TongFang GMxXGxx mmc: meson-gx: Remove setting of CMD_CFG_ERROR genirq/generic_chip: Make irq_remove_generic_chip() irqdomain aware PCI: keystone: Don't discard .remove() callback PCI: keystone: Don't discard .probe() callback parisc/pdc: Add width field to struct pdc_model clk: qcom: ipq8074: drop the CLK_SET_RATE_PARENT flag from PLL clocks mmc: vub300: fix an error code PM: hibernate: Use __get_safe_page() rather than touching the list PM: hibernate: Clean up sync_read handling in snapshot_write_next() btrfs: don't arbitrarily slow down delalloc if we're committing jbd2: fix potential data lost in recovering journal raced with synchronizing fs bdev quota: explicitly forbid quota files from being encrypted kernel/reboot: emergency_restart: Set correct system_state i2c: core: Run atomic i2c xfer when !preemptible mcb: fix error handling for different scenarios when parsing dmaengine: stm32-mdma: correct desc prep when channel running mm/cma: use nth_page() in place of direct struct page manipulation i3c: master: cdns: Fix reading status register parisc: Prevent booting 64-bit kernels on PA1.x machines parisc/pgtable: Do not drop upper 5 address bits of physical address ALSA: info: Fix potential deadlock at disconnection ALSA: hda/realtek - Enable internal speaker of ASUS K6500ZC serial: meson: remove redundant initialization of variable id tty: serial: meson: retrieve port FIFO size from DT serial: meson: Use platform_get_irq() to get the interrupt tty: serial: meson: fix hard LOCKUP on crtscts mode Bluetooth: btusb: Add flag to define wideband speech capability Bluetooth: btusb: add Realtek 8822CE to usb_device_id table Bluetooth: btusb: Add Realtek RTL8852BE support ID 0x0cb8:0xc559 bluetooth: Add device 0bda:887b to device tables bluetooth: Add device 13d3:3571 to device tables Bluetooth: btusb: Add RTW8852BE device 13d3:3570 to device tables Bluetooth: btusb: Add 0bda:b85b for Fn-Link RTL8852BE Revert ncsi: Propagate carrier gain/loss events to the NCSI controller net: dsa: lan9303: consequently nested-lock physical MDIO i2c: i801: fix potential race in i801_block_transaction_byte_by_byte media: lirc: drop trailing space from scancode transmit media: sharp: fix sharp encoding media: venus: hfi_parser: Add check to keep the number of codecs within range media: venus: hfi: fix the check to handle session buffer requirement media: venus: hfi: add checks to handle capabilities from firmware nfsd: fix file memleak on client_opens_release Revert "net: r8169: Disable multicast filter for RTL8168H and RTL8107E" ext4: apply umask if ACL support is disabled ext4: correct offset of gdb backup in non meta_bg group to update_backups ext4: correct return value of ext4_convert_meta_bg ext4: correct the start block of counting reserved clusters ext4: remove gdb backup copy for meta bg in setup_new_flex_group_blocks drm/amdgpu: fix error handling in amdgpu_bo_list_get() tracing: Have trace_event_file have ref counters netfilter: nf_tables: pass context to nft_set_destroy() netfilter: nftables: rename set element data activation/deactivation functions netfilter: nf_tables: drop map element references from preparation phase netfilter: nft_set_rbtree: Switch to node list walk for overlap detection netfilter: nft_set_rbtree: fix null deref on element insertion netfilter: nft_set_rbtree: fix overlap expiration walk netfilter: nf_tables: don't skip expired elements during walk netfilter: nf_tables: GC transaction API to avoid race with control plane netfilter: nf_tables: adapt set backend to use GC transaction API netfilter: nft_set_hash: mark set element as dead when deleting from packet path netfilter: nf_tables: remove busy mark and gc batch API netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path netfilter: nf_tables: GC transaction race with netns dismantle netfilter: nf_tables: GC transaction race with abort path netfilter: nf_tables: use correct lock to protect gc_list netfilter: nf_tables: defer gc run if previous batch is still pending netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration netfilter: nf_tables: fix memleak when more than 255 elements expired netfilter: nf_tables: unregister flowtable hooks on netns exit netfilter: nf_tables: double hook unregistration in netns path netfilter: nftables: update table flags from the commit phase netfilter: nf_tables: fix table flag updates netfilter: nf_tables: disable toggling dormant table state more than once netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 5.4) Linux 5.4.262 Change-Id: I93e0070751c904fd8a44800ce1756e6e93c1a95b Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Pablo Neira Ayuso
|
b053223b7c |
netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 5.4)
3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per
net_device in flowtables") reworks flowtable support to allow for
dynamic allocation of hooks, which implicitly fixes the following
bogus EBUSY in transaction:
delete flowtable
add flowtable # same flowtable with same devices, it hits EBUSY
This patch does not exist in any tree, but it fixes this issue for
-stable Linux kernel 5.4
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
c35df8b8c5 |
netfilter: nf_tables: disable toggling dormant table state more than once
commit c9bd26513b3a11b3adb3c2ed8a31a01a87173ff1 upstream.
nft -f -<<EOF
add table ip t
add table ip t { flags dormant; }
add chain ip t c { type filter hook input priority 0; }
add table ip t
EOF
Triggers a splat from nf core on next table delete because we lose
track of right hook register state:
WARNING: CPU: 2 PID: 1597 at net/netfilter/core.c:501 __nf_unregister_net_hook
RIP: 0010:__nf_unregister_net_hook+0x41b/0x570
nf_unregister_net_hook+0xb4/0xf0
__nf_tables_unregister_hook+0x160/0x1d0
[..]
The above should have table in *active* state, but in fact no
hooks were registered.
Reject on/off/on games rather than attempting to fix this.
Fixes: 179d9ba5559a ("netfilter: nf_tables: fix table flag updates")
Reported-by: "Lee, Cherie-Anne" <cherie.lee@starlabs.sg>
Cc: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Cc: info@starlabs.sg
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
e10f661adc |
netfilter: nf_tables: fix table flag updates
commit 179d9ba5559a756f4322583388b3213fe4e391b0 upstream. The dormant flag need to be updated from the preparation phase, otherwise, two consecutive requests to dorm a table in the same batch might try to remove the same hooks twice, resulting in the following warning: hook not found, pf 3 num 0 WARNING: CPU: 0 PID: 334 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480 Modules linked in: CPU: 0 PID: 334 Comm: kworker/u4:5 Not tainted 5.12.0-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Workqueue: netns cleanup_net RIP: 0010:__nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480 This patch is a partial revert of 0ce7cf4127f1 ("netfilter: nftables: update table flags from the commit phase") to restore the previous behaviour. However, there is still another problem: A batch containing a series of dorm-wakeup-dorm table and vice-versa also trigger the warning above since hook unregistration happens from the preparation phase, while hook registration occurs from the commit phase. To fix this problem, this patch adds two internal flags to annotate the original dormant flag status which are __NFT_TABLE_F_WAS_DORMANT and __NFT_TABLE_F_WAS_AWAKEN, to restore it from the abort path. The __NFT_TABLE_F_UPDATE bitmask allows to handle the dormant flag update with one single transaction. Reported-by: syzbot+7ad5cd1615f2d89c6e7e@syzkaller.appspotmail.com Fixes: 0ce7cf4127f1 ("netfilter: nftables: update table flags from the commit phase") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Pablo Neira Ayuso
|
46c2947fcd |
netfilter: nftables: update table flags from the commit phase
commit 0ce7cf4127f14078ca598ba9700d813178a59409 upstream. Do not update table flags from the preparation phase. Store the flags update into the transaction, then update the flags from the commit phase. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Pablo Neira Ayuso
|
b09e6ccf0d |
netfilter: nf_tables: double hook unregistration in netns path
commit f9a43007d3f7ba76d5e7f9421094f00f2ef202f8 upstream. __nft_release_hooks() is called from pre_netns exit path which unregisters the hooks, then the NETDEV_UNREGISTER event is triggered which unregisters the hooks again. [ 565.221461] WARNING: CPU: 18 PID: 193 at net/netfilter/core.c:495 __nf_unregister_net_hook+0x247/0x270 [...] [ 565.246890] CPU: 18 PID: 193 Comm: kworker/u64:1 Tainted: G E 5.18.0-rc7+ #27 [ 565.253682] Workqueue: netns cleanup_net [ 565.257059] RIP: 0010:__nf_unregister_net_hook+0x247/0x270 [...] [ 565.297120] Call Trace: [ 565.300900] <TASK> [ 565.304683] nf_tables_flowtable_event+0x16a/0x220 [nf_tables] [ 565.308518] raw_notifier_call_chain+0x63/0x80 [ 565.312386] unregister_netdevice_many+0x54f/0xb50 Unregister and destroy netdev hook from netns pre_exit via kfree_rcu so the NETDEV_UNREGISTER path see unregistered hooks. Fixes: 767d1216bff8 ("netfilter: nftables: fix possible UAF over chains from packet path in netns") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Pablo Neira Ayuso
|
b05a24cc45 |
netfilter: nf_tables: unregister flowtable hooks on netns exit
commit 6069da443bf65f513bb507bb21e2f87cfb1ad0b6 upstream. Unregister flowtable hooks before they are releases via nf_tables_flowtable_destroy() otherwise hook core reports UAF. BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666 CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] __dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106 dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106 print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247 __kasan_report mm/kasan/report.c:433 [inline] __kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450 kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450 nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142 __nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429 nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571 nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232 nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430 nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652 nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652 __nft_release_hook() calls nft_unregister_flowtable_net_hooks() which only unregisters the hooks, then after RCU grace period, it is guaranteed that no packets add new entries to the flowtable (no flow offload rules and flowtable hooks are reachable from packet path), so it is safe to call nf_flow_table_free() which cleans up the remaining entries from the flowtable (both software and hardware) and it unbinds the flow_block. Fixes: ff4bf2f42a40 ("netfilter: nf_tables: add nft_unregister_flowtable_hook()") Reported-by: syzbot+e918523f77e62790d6d9@syzkaller.appspotmail.com Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Pablo Neira Ayuso
|
a995a68e8a |
netfilter: nf_tables: fix memleak when more than 255 elements expired
commit cf5000a7787cbc10341091d37245a42c119d26c5 upstream.
When more than 255 elements expired we're supposed to switch to a new gc
container structure.
This never happens: u8 type will wrap before reaching the boundary
and nft_trans_gc_space() always returns true.
This means we recycle the initial gc container structure and
lose track of the elements that came before.
While at it, don't deref 'gc' after we've passed it to call_rcu.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Reported-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
b95d7af657 |
netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration
commit b079155faae94e9b3ab9337e82100a914ebb4e8d upstream.
Skip GC run if iterator rewinds to the beginning with EAGAIN, otherwise GC
might collect the same element more than once.
Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
61a7b3de20 |
netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention
commit 96b33300fba880ec0eafcf3d82486f3463b4b6da upstream.
rbtree GC does not modify the datastructure, instead it collects expired
elements and it enqueues a GC transaction. Use a read spinlock instead
to avoid data contention while GC worker is running.
Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
03caf75da1 |
netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction
commit 2ee52ae94baabf7ee09cf2a8d854b990dac5d0e4 upstream.
New elements in this transaction might expired before such transaction
ends. Skip sync GC for such elements otherwise commit path might walk
over an already released object. Once transaction is finished, async GC
will collect such expired element.
Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Florian Westphal
|
021d734c7e |
netfilter: nf_tables: defer gc run if previous batch is still pending
commit 8e51830e29e12670b4c10df070a4ea4c9593e961 upstream.
Don't queue more gc work, else we may queue the same elements multiple
times.
If an element is flagged as dead, this can mean that either the previous
gc request was invalidated/discarded by a transaction or that the previous
request is still pending in the system work queue.
The latter will happen if the gc interval is set to a very low value,
e.g. 1ms, and system work queue is backlogged.
The sets refcount is 1 if no previous gc requeusts are queued, so add
a helper for this and skip gc run if old requests are pending.
Add a helper for this and skip the gc run in this case.
Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
38ed6a5f83 |
netfilter: nf_tables: use correct lock to protect gc_list
commit 8357bc946a2abc2a10ca40e5a2105d2b4c57515e upstream.
Use nf_tables_gc_list_lock spinlock, not nf_tables_destroy_list_lock to
protect the gc_list.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
4b6346dc1e |
netfilter: nf_tables: GC transaction race with abort path
commit 720344340fb9be2765bbaab7b292ece0a4570eae upstream.
Abort path is missing a synchronization point with GC transactions. Add
GC sequence number hence any GC transaction losing race will be
discarded.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
b76dcf4662 |
netfilter: nf_tables: GC transaction race with netns dismantle
commit 02c6c24402bf1c1e986899c14ba22a10b510916b upstream.
Use maybe_get_net() since GC workqueue might race with netns exit path.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
29ff9b8efb |
netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
commit 6a33d8b73dfac0a41f3877894b38082bd0c9a5bc upstream.
Netlink event path is missing a synchronization point with GC
transactions. Add GC sequence number update to netns release path and
netlink event path, any GC transaction losing race will be discarded.
Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
1398a0eee2 |
netfilter: nf_tables: remove busy mark and gc batch API
commit a2dd0233cbc4d8a0abb5f64487487ffc9265beb5 upstream. Ditch it, it has been replace it by the GC transaction API and it has no clients anymore. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Pablo Neira Ayuso
|
85520a1f1d |
netfilter: nft_set_hash: mark set element as dead when deleting from packet path
commit c92db3030492b8ad1d0faace7a93bbcf53850d0c upstream.
Set on the NFT_SET_ELEM_DEAD_BIT flag on this element, instead of
performing element removal which might race with an ongoing transaction.
Enable gc when dynamic flag is set on since dynset deletion requires
garbage collection after this patch.
Fixes:
|
||
|
Pablo Neira Ayuso
|
c357648929 |
netfilter: nf_tables: adapt set backend to use GC transaction API
commit f6c383b8c31a93752a52697f8430a71dcbc46adf upstream.
Use the GC transaction API to replace the old and buggy gc API and the
busy mark approach.
No set elements are removed from async garbage collection anymore,
instead the _DEAD bit is set on so the set element is not visible from
lookup path anymore. Async GC enqueues transaction work that might be
aborted and retried later.
rbtree and pipapo set backends does not set on the _DEAD bit from the
sync GC path since this runs in control plane path where mutex is held.
In this case, set elements are deactivated, removed and then released
via RCU callback, sync GC never fails.
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Fixes:
|
||
|
Pablo Neira Ayuso
|
bbdb3b65aa |
netfilter: nf_tables: GC transaction API to avoid race with control plane
commit 5f68718b34a531a556f2f50300ead2862278da26 upstream.
The set types rhashtable and rbtree use a GC worker to reclaim memory.
>From system work queue, in periodic intervals, a scan of the table is
done.
The major caveat here is that the nft transaction mutex is not held.
This causes a race between control plane and GC when they attempt to
delete the same element.
We cannot grab the netlink mutex from the work queue, because the
control plane has to wait for the GC work queue in case the set is to be
removed, so we get following deadlock:
cpu 1 cpu2
GC work transaction comes in , lock nft mutex
`acquire nft mutex // BLOCKS
transaction asks to remove the set
set destruction calls cancel_work_sync()
cancel_work_sync will now block forever, because it is waiting for the
mutex the caller already owns.
This patch adds a new API that deals with garbage collection in two
steps:
1) Lockless GC of expired elements sets on the NFT_SET_ELEM_DEAD_BIT
so they are not visible via lookup. Annotate current GC sequence in
the GC transaction. Enqueue GC transaction work as soon as it is
full. If ruleset is updated, then GC transaction is aborted and
retried later.
2) GC work grabs the mutex. If GC sequence has changed then this GC
transaction lost race with control plane, abort it as it contains
stale references to objects and let GC try again later. If the
ruleset is intact, then this GC transaction deactivates and removes
the elements and it uses call_rcu() to destroy elements.
Note that no elements are removed from GC lockless path, the _DEAD bit
is set and pointers are collected. GC catchall does not remove the
elements anymore too. There is a new set->dead flag that is set on to
abort the GC transaction to deal with set->ops->destroy() path which
removes the remaining elements in the set from commit_release, where no
mutex is held.
To deal with GC when mutex is held, which allows safe deactivate and
removal, add sync GC API which releases the set element object via
call_rcu(). This is used by rbtree and pipapo backends which also
perform garbage collection from control plane path.
Since element removal from sets can happen from control plane and
element garbage collection/timeout, it is necessary to keep the set
structure alive until all elements have been deactivated and destroyed.
We cannot do a cancel_work_sync or flush_work in nft_set_destroy because
its called with the transaction mutex held, but the aforementioned async
work queue might be blocked on the very mutex that nft_set_destroy()
callchain is sitting on.
This gives us the choice of ABBA deadlock or UaF.
To avoid both, add set->refs refcount_t member. The GC API can then
increment the set refcount and release it once the elements have been
free'd.
Set backends are adapted to use the GC transaction API in a follow up
patch entitled:
("netfilter: nf_tables: use gc transaction API in set backends")
This is joint work with Florian Westphal.
Fixes:
|
||
|
Florian Westphal
|
1da4874d05 |
netfilter: nf_tables: don't skip expired elements during walk
commit 24138933b97b055d486e8064b4a1721702442a9b upstream.
There is an asymmetry between commit/abort and preparation phase if the
following conditions are met:
1. set is a verdict map ("1.2.3.4 : jump foo")
2. timeouts are enabled
In this case, following sequence is problematic:
1. element E in set S refers to chain C
2. userspace requests removal of set S
3. kernel does a set walk to decrement chain->use count for all elements
from preparation phase
4. kernel does another set walk to remove elements from the commit phase
(or another walk to do a chain->use increment for all elements from
abort phase)
If E has already expired in 1), it will be ignored during list walk, so its use count
won't have been changed.
Then, when set is culled, ->destroy callback will zap the element via
nf_tables_set_elem_destroy(), but this function is only safe for
elements that have been deactivated earlier from the preparation phase:
lack of earlier deactivate removes the element but leaks the chain use
count, which results in a WARN splat when the chain gets removed later,
plus a leak of the nft_chain structure.
Update pipapo_get() not to skip expired elements, otherwise flush
command reports bogus ENOENT errors.
Fixes: 3c4287f62044 ("nf_tables: Add set type for arbitrary concatenation of ranges")
Fixes:
|
||
|
Florian Westphal
|
acaee227cf |
netfilter: nft_set_rbtree: fix overlap expiration walk
commit f718863aca469a109895cb855e6b81fff4827d71 upstream.
The lazy gc on insert that should remove timed-out entries fails to release
the other half of the interval, if any.
Can be reproduced with tests/shell/testcases/sets/0044interval_overlap_0
in nftables.git and kmemleak enabled kernel.
Second bug is the use of rbe_prev vs. prev pointer.
If rbe_prev() returns NULL after at least one iteration, rbe_prev points
to element that is not an end interval, hence it should not be removed.
Lastly, check the genmask of the end interval if this is active in the
current generation.
Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Florian Westphal
|
899aa56385 |
netfilter: nft_set_rbtree: fix null deref on element insertion
commit 61ae320a29b0540c16931816299eb86bf2b66c08 upstream. There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem(): general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f] nft_add_set_elem+0x14b0/0x2990 nf_tables_newsetelem+0x528/0xb30 Furthermore, there is a possible use-after-free while iterating, 'node' can be free'd so we need to cache the next value to use. Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Pablo Neira Ayuso
|
181859bdfb |
netfilter: nft_set_rbtree: Switch to node list walk for overlap detection
commit c9e6978e2725a7d4b6cd23b2facd3f11422c0643 upstream.
...instead of a tree descent, which became overly complicated in an
attempt to cover cases where expired or inactive elements would affect
comparisons with the new element being inserted.
Further, it turned out that it's probably impossible to cover all those
cases, as inactive nodes might entirely hide subtrees consisting of a
complete interval plus a node that makes the current insertion not
overlap.
To speed up the overlap check, descent the tree to find a greater
element that is closer to the key value to insert. Then walk down the
node list for overlap detection. Starting the overlap check from
rb_first() unconditionally is slow, it takes 10 times longer due to the
full linear traversal of the list.
Moreover, perform garbage collection of expired elements when walking
down the node list to avoid bogus overlap reports.
For the insertion operation itself, this essentially reverts back to the
implementation before commit 7c84d41416d8 ("netfilter: nft_set_rbtree:
Detect partial overlaps on insertion"), except that cases of complete
overlap are already handled in the overlap detection phase itself, which
slightly simplifies the loop to find the insertion point.
Based on initial patch from Stefano Brivio, including text from the
original patch description too.
Fixes: 7c84d41416d8 ("netfilter: nft_set_rbtree: Detect partial overlaps on insertion")
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Pablo Neira Ayuso
|
3c7ec098e3 |
netfilter: nf_tables: drop map element references from preparation phase
commit 628bd3e49cba1c066228e23d71a852c23e26da73 upstream.
set .destroy callback releases the references to other objects in maps.
This is very late and it results in spurious EBUSY errors. Drop refcount
from the preparation phase instead, update set backend not to drop
reference counter from set .destroy path.
Exceptions: NFT_TRANS_PREPARE_ERROR does not require to drop the
reference counter because the transaction abort path releases the map
references for each element since the set is unbound. The abort path
also deals with releasing reference counter for new elements added to
unbound sets.
Fixes:
|
||
|
Pablo Neira Ayuso
|
6b880f3b2c |
netfilter: nftables: rename set element data activation/deactivation functions
commit f8bb7889af58d8e74d2d61c76b1418230f1610fa upstream. Rename: - nft_set_elem_activate() to nft_set_elem_data_activate(). - nft_set_elem_deactivate() to nft_set_elem_data_deactivate(). To prepare for updates in the set element infrastructure to add support for the special catch-all element. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Pablo Neira Ayuso
|
e1eed9e0b5 |
netfilter: nf_tables: pass context to nft_set_destroy()
commit 0c2a85edd143162b3a698f31e94bf8cdc041da87 upstream. The patch that adds support for stateful expressions in set definitions require this. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Johnathan Mantey
|
229738d717 |
Revert ncsi: Propagate carrier gain/loss events to the NCSI controller
commit 9e2e7efbbbff69d8340abb56d375dd79d1f5770f upstream.
This reverts commit 3780bb29311eccb7a1c9641032a112eed237f7e3.
The cited commit introduced unwanted behavior.
The intent for the commit was to be able to detect carrier loss/gain
for just the NIC connected to the BMC. The unwanted effect is a
carrier loss for auxiliary paths also causes the BMC to lose
carrier. The BMC never regains carrier despite the secondary NIC
regaining a link.
This change, when merged, needs to be backported to stable kernels.
5.4-stable, 5.10-stable, 5.15-stable, 6.1-stable, 6.5-stable
Fixes: 3780bb29311e ("ncsi: Propagate carrier gain/loss events to the NCSI controller")
CC: stable@vger.kernel.org
Signed-off-by: Johnathan Mantey <johnathanx.mantey@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
Linkui Xiao
|
b2762d13df |
netfilter: nf_conntrack_bridge: initialize err to 0
[ Upstream commit a44af08e3d4d7566eeea98d7a29fe06e7b9de944 ]
K2CI reported a problem:
consume_skb(skb);
return err;
[nf_br_ip_fragment() error] uninitialized symbol 'err'.
err is not initialized, because returning 0 is expected, initialize err
to 0.
Fixes:
|
||
|
Shigeru Yoshida
|
f3b250d919 |
tipc: Fix kernel-infoleak due to uninitialized TLV value
[ Upstream commit fb317eb23b5ee4c37b0656a9a52a3db58d9dd072 ]
KMSAN reported the following kernel-infoleak issue:
=====================================================
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:114 [inline]
BUG: KMSAN: kernel-infoleak in copy_to_user_iter lib/iov_iter.c:24 [inline]
BUG: KMSAN: kernel-infoleak in iterate_ubuf include/linux/iov_iter.h:29 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
BUG: KMSAN: kernel-infoleak in iterate_and_advance include/linux/iov_iter.h:271 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
instrument_copy_to_user include/linux/instrumented.h:114 [inline]
copy_to_user_iter lib/iov_iter.c:24 [inline]
iterate_ubuf include/linux/iov_iter.h:29 [inline]
iterate_and_advance2 include/linux/iov_iter.h:245 [inline]
iterate_and_advance include/linux/iov_iter.h:271 [inline]
_copy_to_iter+0x4ec/0x2bc0 lib/iov_iter.c:186
copy_to_iter include/linux/uio.h:197 [inline]
simple_copy_to_iter net/core/datagram.c:532 [inline]
__skb_datagram_iter.5+0x148/0xe30 net/core/datagram.c:420
skb_copy_datagram_iter+0x52/0x210 net/core/datagram.c:546
skb_copy_datagram_msg include/linux/skbuff.h:3960 [inline]
netlink_recvmsg+0x43d/0x1630 net/netlink/af_netlink.c:1967
sock_recvmsg_nosec net/socket.c:1044 [inline]
sock_recvmsg net/socket.c:1066 [inline]
__sys_recvfrom+0x476/0x860 net/socket.c:2246
__do_sys_recvfrom net/socket.c:2264 [inline]
__se_sys_recvfrom net/socket.c:2260 [inline]
__x64_sys_recvfrom+0x130/0x200 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Uninit was created at:
slab_post_alloc_hook+0x103/0x9e0 mm/slab.h:768
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x5f7/0xb50 mm/slub.c:3523
kmalloc_reserve+0x13c/0x4a0 net/core/skbuff.c:560
__alloc_skb+0x2fd/0x770 net/core/skbuff.c:651
alloc_skb include/linux/skbuff.h:1286 [inline]
tipc_tlv_alloc net/tipc/netlink_compat.c:156 [inline]
tipc_get_err_tlv+0x90/0x5d0 net/tipc/netlink_compat.c:170
tipc_nl_compat_recv+0x1042/0x15d0 net/tipc/netlink_compat.c:1324
genl_family_rcv_msg_doit net/netlink/genetlink.c:972 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1052 [inline]
genl_rcv_msg+0x1220/0x12c0 net/netlink/genetlink.c:1067
netlink_rcv_skb+0x4a4/0x6a0 net/netlink/af_netlink.c:2545
genl_rcv+0x41/0x60 net/netlink/genetlink.c:1076
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0xf4b/0x1230 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x1242/0x1420 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
____sys_sendmsg+0x997/0xd60 net/socket.c:2588
___sys_sendmsg+0x271/0x3b0 net/socket.c:2642
__sys_sendmsg net/socket.c:2671 [inline]
__do_sys_sendmsg net/socket.c:2680 [inline]
__se_sys_sendmsg net/socket.c:2678 [inline]
__x64_sys_sendmsg+0x2fa/0x4a0 net/socket.c:2678
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x44/0x110 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x63/0x6b
Bytes 34-35 of 36 are uninitialized
Memory access of size 36 starts at ffff88802d464a00
Data copied to user address 00007ff55033c0a0
CPU: 0 PID: 30322 Comm: syz-executor.0 Not tainted 6.6.0-14500-g1c41041124bd #10
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-1.fc38 04/01/2014
=====================================================
tipc_add_tlv() puts TLV descriptor and value onto `skb`. This size is
calculated with TLV_SPACE() macro. It adds the size of struct tlv_desc and
the length of TLV value passed as an argument, and aligns the result to a
multiple of TLV_ALIGNTO, i.e., a multiple of 4 bytes.
If the size of struct tlv_desc plus the length of TLV value is not aligned,
the current implementation leaves the remaining bytes uninitialized. This
is the cause of the above kernel-infoleak issue.
This patch resolves this issue by clearing data up to an aligned size.
Fixes:
|
||
ZhengHan Wang
|
3c4236f1b2 |
Bluetooth: Fix double free in hci_conn_cleanup
[ Upstream commit a85fb91e3d728bdfc80833167e8162cce8bc7004 ]
syzbot reports a slab use-after-free in hci_conn_hash_flush [1].
After releasing an object using hci_conn_del_sysfs in the
hci_conn_cleanup function, releasing the same object again
using the hci_dev_put and hci_conn_put functions causes a double free.
Here's a simplified flow:
hci_conn_del_sysfs:
hci_dev_put
put_device
kobject_put
kref_put
kobject_release
kobject_cleanup
kfree_const
kfree(name)
hci_dev_put:
...
kfree(name)
hci_conn_put:
put_device
...
kfree(name)
This patch drop the hci_dev_put and hci_conn_put function
call in hci_conn_cleanup function, because the object is
freed in hci_conn_del_sysfs function.
This patch also fixes the refcounting in hci_conn_add_sysfs() and
hci_conn_del_sysfs() to take into account device_add() failures.
This fixes CVE-2023-28464.
Link: https://syzkaller.appspot.com/bug?id=1bb51491ca5df96a5f724899d1dbb87afda61419 [1]
Signed-off-by: ZhengHan Wang <wzhmmmmm@gmail.com>
Co-developed-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Eric Dumazet
|
252bde6b17 |
net: annotate data-races around sk->sk_dst_pending_confirm
[ Upstream commit eb44ad4e635132754bfbcb18103f1dcb7058aedd ] This field can be read or written without socket lock being held. Add annotations to avoid load-store tearing. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Ping-Ke Shih
|
efeae5f497 |
wifi: mac80211: don't return unset power in ieee80211_get_tx_power()
[ Upstream commit e160ab85166e77347d0cbe5149045cb25e83937f ] We can get a UBSAN warning if ieee80211_get_tx_power() returns the INT_MIN value mac80211 internally uses for "unset power level". UBSAN: signed-integer-overflow in net/wireless/nl80211.c:3816:5 -2147483648 * 100 cannot be represented in type 'int' CPU: 0 PID: 20433 Comm: insmod Tainted: G WC OE Call Trace: dump_stack+0x74/0x92 ubsan_epilogue+0x9/0x50 handle_overflow+0x8d/0xd0 __ubsan_handle_mul_overflow+0xe/0x10 nl80211_send_iface+0x688/0x6b0 [cfg80211] [...] cfg80211_register_wdev+0x78/0xb0 [cfg80211] cfg80211_netdev_notifier_call+0x200/0x620 [cfg80211] [...] ieee80211_if_add+0x60e/0x8f0 [mac80211] ieee80211_register_hw+0xda5/0x1170 [mac80211] In this case, simply return an error instead, to indicate that no data is available. Cc: Zong-Zhe Yang <kevin_yang@realtek.com> Signed-off-by: Ping-Ke Shih <pkshih@realtek.com> Link: https://lore.kernel.org/r/20230203023636.4418-1-pkshih@realtek.com Signed-off-by: Johannes Berg <johannes.berg@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Greg Kroah-Hartman
|
0e07b7bd3c |
Merge 5.4.261 into android11-5.4-lts
Changes in 5.4.261 vfs: fix readahead(2) on block devices genirq/matrix: Exclude managed interrupts in irq_matrix_allocated() i40e: fix potential memory leaks in i40e_remove() tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed wifi: rtw88: debug: Fix the NULL vs IS_ERR() bug for debugfs_create_file() wifi: mt76: mt7603: rework/fix rx pse hang check tcp_metrics: add missing barriers on delete tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics() tcp_metrics: do not create an entry from tcp_init_metrics() wifi: rtlwifi: fix EDCA limit set by BT coexistence can: dev: can_restart(): don't crash kernel if carrier is OK can: dev: can_restart(): fix race condition between controller restart and netif_carrier_on() thermal: core: prevent potential string overflow r8169: use tp_to_dev instead of open code r8169: fix rare issue with broken rx after link-down on RTL8125 chtls: fix tp->rcv_tstamp initialization tcp: Remove one extra ktime_get_ns() from cookie_init_timestamp tcp: fix cookie_init_timestamp() overflows ACPI: sysfs: Fix create_pnp_modalias() and create_of_modalias() ipv6: avoid atomic fragment on GSO packets net: add DEV_STATS_READ() helper ipvlan: properly track tx_errors regmap: debugfs: Fix a erroneous check after snprintf() clk: qcom: clk-rcg2: Fix clock rate overflow for high parent frequencies clk: qcom: gcc-sm8150: use ARRAY_SIZE instead of specifying num_parents clk: qcom: gcc-sm8150: Fix gcc_sdcc2_apps_clk_src clk: imx: Select MXC_CLK for CLK_IMX8QXP clk: keystone: pll: fix a couple NULL vs IS_ERR() checks clk: npcm7xx: Fix incorrect kfree clk: mediatek: clk-mt6779: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt6797: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt7629-eth: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt7629: Add check for mtk_alloc_clk_data clk: mediatek: clk-mt2701: Add check for mtk_alloc_clk_data platform/x86: wmi: Fix probe failure when failing to register WMI devices platform/x86: wmi: remove unnecessary initializations platform/x86: wmi: Fix opening of char device hwmon: (coretemp) Fix potentially truncated sysfs attribute name drm/rockchip: vop: Fix reset of state in duplicate state crtc funcs drm/rockchip: vop: Fix call to crtc reset helper drm/radeon: possible buffer overflow drm/rockchip: cdn-dp: Fix some error handling paths in cdn_dp_probe() arm64: dts: qcom: sdm845-mtp: fix WiFi configuration ARM: dts: qcom: mdm9615: populate vsdcc fixed regulator soc: qcom: llcc cleanup to get rid of sdm845 specific driver file soc: qcom: Rename llcc-slice to llcc-qcom soc: qcom: llcc: Handle a second device without data corruption firmware: ti_sci: Replace HTTP links with HTTPS ones firmware: ti_sci: Mark driver as non removable clk: scmi: Free scmi_clk allocated when the clocks with invalid info are skipped hwrng: geode - fix accessing registers libnvdimm/of_pmem: Use devm_kstrdup instead of kstrdup and check its return value sched/rt: Provide migrate_disable/enable() inlines nd_btt: Make BTT lanes preemptible crypto: caam/qi2 - fix Chacha20 + Poly1305 self test failure crypto: caam/jr - fix Chacha20 + Poly1305 self test failure HID: cp2112: Use irqchip template hid: cp2112: Fix duplicate workqueue initialization ARM: 9321/1: memset: cast the constant byte to unsigned char ext4: move 'ix' sanity check to corrent position scsi: ufs: core: Leave space for '\0' in utf8 desc string RDMA/hfi1: Workaround truncation compilation error sh: bios: Revive earlyprintk support ASoC: Intel: Skylake: Fix mem leak when parsing UUIDs fails ASoC: ams-delta.c: use component after check mfd: dln2: Fix double put in dln2_probe leds: pwm: simplify if condition leds: pwm: convert to atomic PWM API leds: pwm: Don't disable the PWM when the LED should be off ledtrig-cpu: Limit to 8 CPUs leds: trigger: ledtrig-cpu:: Fix 'output may be truncated' issue for 'cpu' tty: tty_jobctrl: fix pid memleak in disassociate_ctty() usb: dwc2: fix possible NULL pointer dereference caused by driver concurrency dmaengine: ti: edma: handle irq_of_parse_and_map() errors misc: st_core: Do not call kfree_skb() under spin_lock_irqsave() tools: iio: privatize globals and functions in iio_generic_buffer.c file tools: iio: iio_generic_buffer: Fix some integer type and calculation tools: iio: iio_generic_buffer ensure alignment USB: usbip: fix stub_dev hub disconnect dmaengine: pxa_dma: Remove an erroneous BUG_ON() in pxad_free_desc() f2fs: fix to initialize map.m_pblk in f2fs_precache_extents() modpost: fix tee MODULE_DEVICE_TABLE built on big-endian host powerpc/xive: Fix endian conversion size powerpc/imc-pmu: Use the correct spinlock initializer. powerpc/pseries: fix potential memory leak in init_cpu_associativity() i3c: Fix potential refcount leak in i3c_master_register_new_i3c_devs rtc: pcf85363: fix wrong mask/val parameters in regmap_update_bits call pcmcia: cs: fix possible hung task and memory leak pccardd() pcmcia: ds: fix refcount leak in pcmcia_device_add() pcmcia: ds: fix possible name leak in error path in pcmcia_device_add() media: bttv: fix use after free error due to btv->timeout timer media: s3c-camif: Avoid inappropriate kfree() media: dvb-usb-v2: af9035: fix missing unlock regmap: prevent noinc writes from clobbering cache pwm: sti: Avoid conditional gotos pwm: sti: Reduce number of allocations and drop usage of chip_data pwm: brcmstb: Utilize appropriate clock APIs in suspend/resume Input: synaptics-rmi4 - fix use after free in rmi_unregister_function() llc: verify mac len before reading mac header tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING inet: shrink struct flowi_common dccp: Call security_inet_conn_request() after setting IPv4 addresses. dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses. net: r8169: Disable multicast filter for RTL8168H and RTL8107E Fix termination state for idr_for_each_entry_ul() net: stmmac: xgmac: Enable support for multiple Flexible PPS outputs net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT tg3: power down device only on SYSTEM_POWER_OFF r8169: respect userspace disabling IFF_MULTICAST netfilter: xt_recent: fix (increase) ipv6 literal buffer length netfilter: nft_redir: use `struct nf_nat_range2` throughout and deduplicate eval call-backs netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses drm/syncobj: fix DRM_SYNCOBJ_WAIT_FLAGS_WAIT_AVAILABLE spi: spi-zynq-qspi: add spi-mem to driver kconfig dependencies fbdev: imsttfb: Fix error path of imsttfb_probe() fbdev: imsttfb: fix a resource leak in probe fbdev: fsl-diu-fb: mark wr_reg_wa() static Revert "mmc: core: Capture correct oemid-bits for eMMC cards" btrfs: use u64 for buffer sizes in the tree search ioctls Linux 5.4.261 Change-Id: Iee65ff18889e15022b25cf33662c0f835825af9d Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
kamasali Satyanarayan
|
1445b6d63a |
Merge android11-5.4.254+ (d43ac48) into msm-5.4
* remotes/origin/tmp-d43ac48: BACKPORT: firmware_loader: Abort all upcoming firmware load request once reboot triggered UPSTREAM: firmware_loader: Refactor kill_pending_fw_fallback_reqs() UPSTREAM: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c BACKPORT: ravb: Fix use-after-free issue in ravb_tx_timeout_work() UPSTREAM: ravb: Fix up dma_free_coherent() call in ravb_remove() UPSTREAM: netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP UPSTREAM: net: xfrm: Fix xfrm_address_filter OOB read UPSTREAM: igb: set max size RX buffer when store bad packet is enabled UPSTREAM: netfilter: xt_sctp: validate the flag_info count UPSTREAM: netfilter: xt_u32: validate user space input UPSTREAM: netfilter: nfnetlink_osf: avoid OOB read UPSTREAM: net/sched: Retire rsvp classifier UPSTREAM: ipv4: fix null-deref in ipv4_link_failure. Change-Id: I21ca4b4f9681c29854917bd0b717e1f1c1d5071d Signed-off-by: kamasali Satyanarayan <quic_kamasali@quicinc.com> |
||
|
Florian Westphal
|
21858a75dc |
netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses
[ Upstream commit 80abbe8a8263106fe45a4f293b92b5c74cc9cc8a ]
The ipv6 redirect target was derived from the ipv4 one, i.e. its
identical to a 'dnat' with the first (primary) address assigned to the
network interface. The code has been moved around to make it usable
from nf_tables too, but its still the same as it was back when this
was added in 2012.
IPv6, however, has different types of addresses, if the 'wrong' address
comes first the redirection does not work.
In Daniels case, the addresses are:
inet6 ::ffff:192 ...
inet6 2a01: ...
... so the function attempts to redirect to the mapped address.
Add more checks before the address is deemed correct:
1. If the packets' daddr is scoped, search for a scoped address too
2. skip tentative addresses
3. skip mapped addresses
Use the first address that appears to match our needs.
Reported-by: Daniel Huhardeaux <tech@tootai.net>
Closes: https://lore.kernel.org/netfilter/71be06b8-6aa0-4cf9-9e0b-e2839b01b22f@tootai.net/
Fixes:
|
||
Jeremy Sowden
|
ae99c5e16a |
netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs
[ Upstream commit 6f56ad1b92328997e1b1792047099df6f8d7acb5 ]
`nf_nat_redirect_ipv4` takes a `struct nf_nat_ipv4_multi_range_compat`,
but converts it internally to a `struct nf_nat_range2`. Change the
function to take the latter, factor out the code now shared with
`nf_nat_redirect_ipv6`, move the conversion to the xt_REDIRECT module,
and update the ipv4 range initialization in the nft_redir module.
Replace a bare hex constant for 127.0.0.1 with a macro.
Remove `WARN_ON`. `nf_nat_setup_info` calls `nf_ct_is_confirmed`:
/* Can't setup nat info for confirmed ct. */
if (nf_ct_is_confirmed(ct))
return NF_ACCEPT;
This means that `ct` cannot be null or the kernel will crash, and
implies that `ctinfo` is `IP_CT_NEW` or `IP_CT_RELATED`.
nft_redir has separate ipv4 and ipv6 call-backs which share much of
their code, and an inet one switch containing a switch that calls one of
the others based on the family of the packet. Merge the ipv4 and ipv6
ones into the inet one in order to get rid of the duplicate code.
Const-qualify the `priv` pointer since we don't need to write through
it.
Assign `priv->flags` to the range instead of OR-ing it in.
Set the `NF_NAT_RANGE_PROTO_SPECIFIED` flag once during init, rather
than on every eval.
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Florian Westphal <fw@strlen.de>
Stable-dep-of: 80abbe8a8263 ("netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Maciej Żenczykowski
|
11380557c2 |
netfilter: xt_recent: fix (increase) ipv6 literal buffer length
[ Upstream commit 7b308feb4fd2d1c06919445c65c8fbf8e9fd1781 ]
in6_pton() supports 'low-32-bit dot-decimal representation'
(this is useful with DNS64/NAT64 networks for example):
# echo +aaaa:bbbb:cccc:dddd:eeee:ffff:1.2.3.4 > /proc/self/net/xt_recent/DEFAULT
# cat /proc/self/net/xt_recent/DEFAULT
src=aaaa:bbbb:cccc:dddd:eeee:ffff:0102:0304 ttl: 0 last_seen: 9733848829 oldest_pkt: 1 9733848829
but the provided buffer is too short:
# echo +aaaa:bbbb:cccc:dddd:eeee:ffff:255.255.255.255 > /proc/self/net/xt_recent/DEFAULT
-bash: echo: write error: Invalid argument
Fixes:
|
||
D. Wythe
|
f8065cde49 |
net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT
[ Upstream commit 5211c9729484c923f8d2e06bd29f9322cc42bb8f ]
Considering scenario:
smc_cdc_rx_handler
__smc_release
sock_set_flag
smc_close_active()
sock_set_flag
__set_bit(DEAD) __set_bit(DONE)
Dues to __set_bit is not atomic, the DEAD or DONE might be lost.
if the DEAD flag lost, the state SMC_CLOSED will be never be reached
in smc_close_passive_work:
if (sock_flag(sk, SOCK_DEAD) &&
smc_close_sent_any_close(conn)) {
sk->sk_state = SMC_CLOSED;
} else {
/* just shutdown, but not yet closed locally */
sk->sk_state = SMC_APPFINCLOSEWAIT;
}
Replace sock_set_flags or __set_bit to set_bit will fix this problem.
Since set_bit is atomic.
Fixes:
|
||
Kuniyuki Iwashima
|
e5a664ef49 |
dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
[ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ] Initially, commit |
||
|
Kuniyuki Iwashima
|
3af0af2f98 |
dccp: Call security_inet_conn_request() after setting IPv4 addresses.
[ Upstream commit fa2df45af13091f76b89adb84a28f13818d5d631 ] Initially, commit |
||
|
Shigeru Yoshida
|
2199260c42 |
tipc: Change nla_policy for bearer-related names to NLA_NUL_STRING
[ Upstream commit 19b3f72a41a8751e26bffc093bb7e1cef29ad579 ] syzbot reported the following uninit-value access issue [1]: ===================================================== BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline] BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756 strlen lib/string.c:418 [inline] strstr+0xb8/0x2f0 lib/string.c:756 tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595 genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline] genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline] genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066 netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545 genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075 netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline] netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368 netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Uninit was created at: slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767 slab_alloc_node mm/slub.c:3478 [inline] kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523 kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559 __alloc_skb+0x318/0x740 net/core/skbuff.c:650 alloc_skb include/linux/skbuff.h:1286 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline] netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885 sock_sendmsg_nosec net/socket.c:730 [inline] sock_sendmsg net/socket.c:753 [inline] ____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541 ___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595 __sys_sendmsg net/socket.c:2624 [inline] __do_sys_sendmsg net/socket.c:2633 [inline] __se_sys_sendmsg net/socket.c:2631 [inline] __x64_sys_sendmsg+0x307/0x490 net/socket.c:2631 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd TIPC bearer-related names including link names must be null-terminated strings. If a link name which is not null-terminated is passed through netlink, strstr() and similar functions can cause buffer overrun. This causes the above issue. This patch changes the nla_policy for bearer-related names from NLA_STRING to NLA_NUL_STRING. This resolves the issue by ensuring that only null-terminated strings are accepted as bearer-related names. syzbot reported similar uninit-value issue related to bearer names [2]. The root cause of this issue is that a non-null-terminated bearer name was passed. This patch also resolved this issue. Fixes: |
||
Willem de Bruijn
|
cbdcdf42d1 |
llc: verify mac len before reading mac header
[ Upstream commit 7b3ba18703a63f6fd487183b9262b08e5632da1b ]
LLC reads the mac header with eth_hdr without verifying that the skb
has an Ethernet header.
Syzbot was able to enter llc_rcv on a tun device. Tun can insert
packets without mac len and with user configurable skb->protocol
(passing a tun_pi header when not configuring IFF_NO_PI).
BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
__netif_receive_skb_one_core net/core/dev.c:5523 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
netif_receive_skb_internal net/core/dev.c:5723 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5782
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002
Add a mac_len test before all three eth_hdr(skb) calls under net/llc.
There are further uses in include/net/llc_pdu.h. All these are
protected by a test skb->protocol == ETH_P_802_2. Which does not
protect against this tun scenario.
But the mac_len test added in this patch in llc_fixup_skb will
indirectly protect those too. That is called from llc_rcv before any
other LLC code.
It is tempting to just add a blanket mac_len check in llc_rcv, but
not sure whether that could break valid LLC paths that do not assume
an Ethernet header. 802.2 LLC may be used on top of non-802.3
protocols in principle. The below referenced commit shows that used
to, on top of Token Ring.
At least one of the three eth_hdr uses goes back to before the start
of git history. But the one that syzbot exercises is introduced in
this commit. That commit is old enough (2008), that effectively all
stable kernels should receive this.
Fixes:
|
||
Yan Zhai
|
4482b250c8 |
ipv6: avoid atomic fragment on GSO packets
[ Upstream commit 03d6c848bfb406e9ef6d9846d759e97beaeea113 ] When the ipv6 stack output a GSO packet, if its gso_size is larger than dst MTU, then all segments would be fragmented. However, it is possible for a GSO packet to have a trailing segment with smaller actual size than both gso_size as well as the MTU, which leads to an "atomic fragment". Atomic fragments are considered harmful in RFC-8021. An Existing report from APNIC also shows that atomic fragments are more likely to be dropped even it is equivalent to a no-op [1]. Add an extra check in the GSO slow output path. For each segment from the original over-sized packet, if it fits with the path MTU, then avoid generating an atomic fragment. Link: https://www.potaroo.net/presentations/2022-03-01-ipv6-frag.pdf [1] Fixes: b210de4f8c97 ("net: ipv6: Validate GSO SKB before finish IPv6 processing") Reported-by: David Wragg <dwragg@cloudflare.com> Signed-off-by: Yan Zhai <yan@cloudflare.com> Link: https://lore.kernel.org/r/90912e3503a242dca0bc36958b11ed03a2696e5e.1698156966.git.yan@cloudflare.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
5105d46146 |
tcp: fix cookie_init_timestamp() overflows
[ Upstream commit 73ed8e03388d16c12fc577e5c700b58a29045a15 ]
cookie_init_timestamp() is supposed to return a 64bit timestamp
suitable for both TSval determination and setting of skb->tstamp.
Unfortunately it uses 32bit fields and overflows after
2^32 * 10^6 nsec (~49 days) of uptime.
Generated TSval are still correct, but skb->tstamp might be set
far away in the past, potentially confusing other layers.
tcp_ns_to_ts() is changed to return a full 64bit value,
ts and ts_now variables are changed to u64 type,
and TSMASK is removed in favor of shifts operations.
While we are at it, change this sequence:
ts >>= TSBITS;
ts--;
ts <<= TSBITS;
ts |= options;
to:
ts -= (1UL << TSBITS);
Fixes:
|
||
|
Eric Dumazet
|
e4e819bdc8 |
tcp: Remove one extra ktime_get_ns() from cookie_init_timestamp
[ Upstream commit 200ecef67b8d09d16ec55f91c92751dcc7a38d40 ]
tcp_make_synack() already uses tcp_clock_ns(), and can pass
the value to cookie_init_timestamp() to avoid another call
to ktime_get_ns() helper.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 73ed8e03388d ("tcp: fix cookie_init_timestamp() overflows")
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Eric Dumazet
|
bed72a332f |
tcp_metrics: do not create an entry from tcp_init_metrics()
[ Upstream commit a135798e6e200ecb2f864cecca6d257ba278370c ]
tcp_init_metrics() only wants to get metrics if they were
previously stored in the cache. Creating an entry is adding
useless costs, especially when tcp_no_metrics_save is set.
Fixes:
|
||
|
Eric Dumazet
|
f3902c0e6f |
tcp_metrics: properly set tp->snd_ssthresh in tcp_init_metrics()
[ Upstream commit 081480014a64a69d901f8ef1ffdd56d6085cf87e ]
We need to set tp->snd_ssthresh to TCP_INFINITE_SSTHRESH
in the case tcp_get_metrics() fails for some reason.
Fixes:
|
||
|
Eric Dumazet
|
b78f2b7774 |
tcp_metrics: add missing barriers on delete
[ Upstream commit cbc3a153222805d65f821e10f4f78b6afce06f86 ]
When removing an item from RCU protected list, we must prevent
store-tearing, using rcu_assign_pointer() or WRITE_ONCE().
Fixes:
|
||
Aananth V
|
c9b929f793 |
tcp: call tcp_try_undo_recovery when an RTOd TFO SYNACK is ACKed
[ Upstream commit e326578a21414738de45f77badd332fb00bd0f58 ]
For passive TCP Fast Open sockets that had SYN/ACK timeout and did not
send more data in SYN_RECV, upon receiving the final ACK in 3WHS, the
congestion state may awkwardly stay in CA_Loss mode unless the CA state
was undone due to TCP timestamp checks. However, if
tcp_rcv_synrecv_state_fastopen() decides not to undo, then we should
enter CA_Open, because at that point we have received an ACK covering
the retransmitted SYNACKs. Currently, the icsk_ca_state is only set to
CA_Open after we receive an ACK for a data-packet. This is because
tcp_ack does not call tcp_fastretrans_alert (and tcp_process_loss) if
!prior_packets
Note that tcp_process_loss() calls tcp_try_undo_recovery(), so having
tcp_rcv_synrecv_state_fastopen() decide that if we're in CA_Loss we
should call tcp_try_undo_recovery() is consistent with that, and
low risk.
Fixes: dad8cea7add9 ("tcp: fix TFO SYNACK undo to avoid double-timestamp-undo")
Signed-off-by: Aananth V <aananthv@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Dheeraj Kumar
|
253ff03050 |
MobileAP: CVE-2022-2663 fix revert kernel change
Added CVE-2022-2663 fix revert kernel change Change-Id: I0230a6bc4fd3903c918bce86a5e5728c044b3e3b Signed-off-by: Dheeraj Kumar <quic_dhekum@quicinc.com> |
||
|
Michael Bestas
|
9c472cc1bb
|
Merge tag 'ASB-2023-11-05_11-5.4' of https://android.googlesource.com/kernel/common into android13-5.4-lahaina
https://source.android.com/docs/security/bulletin/2023-11-01 * tag 'ASB-2023-11-05_11-5.4' of https://android.googlesource.com/kernel/common: UPSTREAM: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c BACKPORT: ravb: Fix use-after-free issue in ravb_tx_timeout_work() UPSTREAM: ravb: Fix up dma_free_coherent() call in ravb_remove() UPSTREAM: netfilter: ipset: Fix race between IPSET_CMD_CREATE and IPSET_CMD_SWAP UPSTREAM: net: xfrm: Fix xfrm_address_filter OOB read UPSTREAM: igb: set max size RX buffer when store bad packet is enabled UPSTREAM: netfilter: xt_sctp: validate the flag_info count UPSTREAM: netfilter: xt_u32: validate user space input UPSTREAM: netfilter: nfnetlink_osf: avoid OOB read UPSTREAM: net/sched: Retire rsvp classifier UPSTREAM: ipv4: fix null-deref in ipv4_link_failure Change-Id: I26b182a8dd67864a2a4421feb25b878e98478a62 |
||
|
Michael Bestas
|
9272f3a35c
|
Merge tag 'LA.UM.9.14.r1-23100-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4 into android13-5.4-lahaina
"LA.UM.9.14.r1-23100-LAHAINA.QSSI14.0" * tag 'LA.UM.9.14.r1-23100-LAHAINA.QSSI14.0' of https://git.codelinaro.org/clo/la/kernel/msm-5.4: Revert "ALSA: compress: Allow pause and resume during draining" ALSA: compress: Allow pause and resume during draining msm: kgsl: Prevent wrap around during user address mapping msm: kgsl: Limit the syncpoint count for AUX commands msm: kgsl: Prevent wrap around during user address mapping Configured process_madvise with upstream syscall number iommu: Fix missing return check of arm_lpae_init_pte usb: gadget: cdev: Don't use spinlock with sleeping functions securemsm-kernel: Fix multiple listener registration on same fd msm: kgsl: Limit the syncpoint count for AUX commands net: qrtr: use new update_marker api char: virtio_eavb: use new update_marker api usb: kpi: update_marker api for USB suspend resume Change-Id: Id82b63ff555fbc7101b41a10c1ffbef3762627bd |
||
|
Greg Kroah-Hartman
|
7b96d6414a |
This is the 5.4.260 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVLYbYACgkQONu9yGCS aT4NCQ//dUTZz1mLxyB81yVaTKkQ1mjqXmAXHcMzYtQxLAIxwz0vb57dMX6YLZxO YKdb5X1vxreYsCRRRAxf5jIMbHxLLqhG4Joaq1hyxGUripbWLpu5tmmPvuv8bSOp wXr35/SUm6W8V/fKPEmPC28j8jdUZKBULKgGf5O35zECHnVlcnTOCAHjfaZJ/0Ck xSOTabAVPxJ2Lnrvt4azxvsG1lqVmPA6sYbLR2c2WyV29VQ4VBY+GzrukQVCSedR haEaMmbUux6aOO3LX+UXq4zqO/pPYzF85GkhXO1DWPDhcmrIr/szbsT3yxMWl07T sZg8CUQl14HfoF5eHHMAnrj/zO6WI+o2CcTcjn8Z1fvcXSgf6UbvmJbJrRACOyAv c6CEjHlHOxACiHYUQATiMpuuEk+ALu05clpBexvzHfVV9S+KKcN3VosycCEeNgOk CEFZFYHbRwoKqd/1GwwBlP/B80Shms50Mj5YlD980wdI00hdMOPowyFE07Owfz4+ Xw+Nhygqtb6Q/IuzE0r0PjX0sfpDo1PlCP3HOfPZ0U0S9ASotlAnOgBFeNUMO3Fc /by7COcthjE6vxSp/1Xi2Ia5L0yD6nMWWmyeTzFJFVIJQ5CAzEbeLinZCthc5fy0 PggOKqWiZ6je59ca/TPM5Es5uJoiRaA7hefKTUVF+vZbRoU2VHI= =+ILk -----END PGP SIGNATURE----- Merge 5.4.260 into android11-5.4-lts Changes in 5.4.260 mtd: rawnand: marvell: Ensure program page operations are successful selftests/ftrace: Add new test case which checks non unique symbol mcb: Return actual parsed size when reading chameleon table mcb-lpc: Reallocate memory region to avoid memory overlapping virtio_balloon: Fix endless deflation and inflation on arm64 virtio-mmio: fix memory leak of vm_dev r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1 r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1 treewide: Spelling fix in comment igb: Fix potential memory leak in igb_add_ethtool_nfc_entry neighbour: fix various data-races igc: Fix ambiguity in the ethtool advertising net: ieee802154: adf7242: Fix some potential buffer overflow in adf7242_stats_show() r8152: Increase USB control msg timeout to 5000ms as per spec r8152: Run the unload routine if we have errors during probe r8152: Cancel hw_phy_work if we have an error in probe tcp: fix wrong RTO timeout when received SACK reneging gtp: uapi: fix GTPA_MAX gtp: fix fragmentation needed check with gso iio: exynos-adc: request second interupt only when touchscreen mode is used i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node() i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node() i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node() i2c: stm32f7: Fix PEC handling in case of SMBUS transfers i2c: aspeed: Fix i2c bus hang in slave read nvmem: imx: correct nregs for i.MX6ULL nvmem: imx: correct nregs for i.MX6SLL nvmem: imx: correct nregs for i.MX6UL perf/core: Fix potential NULL deref clk: Sanitize possible_parent_show to Handle Return Value of of_clk_get_parent_name i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper() arm64: fix a concurrency issue in emulation_proc_handler() kobject: Fix slab-out-of-bounds in fill_kobj_path() smbdirect: missing rc checks while waiting for rdma events f2fs: fix to do sanity check on inode type during garbage collection nfsd: lock_rename() needs both directories to live on the same fs x86/mm: Simplify RESERVE_BRK() x86/mm: Fix RESERVE_BRK() for older binutils ext4: add two helper functions extent_logical_end() and pa_logical_end() ext4: avoid overlapping preallocations due to overflow ext4: fix BUG in ext4_mb_new_inode_pa() due to overflow driver: platform: Add helper for safer setting of driver_override rpmsg: Constify local variable in field store macro rpmsg: Fix kfree() of static memory on setting driver_override rpmsg: Fix calling device_lock() on non-initialized device rpmsg: glink: Release driver_override rpmsg: Fix possible refcount leak in rpmsg_register_device_override() x86: Fix .brk attribute in linker script Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table irqchip/stm32-exti: add missing DT IRQ flag translation dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport fbdev: atyfb: only use ioremap_uc() on i386 and ia64 spi: npcm-fiu: Fix UMA reads when dummy.nbytes == 0 netfilter: nfnetlink_log: silence bogus compiler warning ASoC: rt5650: fix the wrong result of key button fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit() scsi: mpt3sas: Fix in error path platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e platform/mellanox: mlxbf-tmfifo: Fix a warning message net: chelsio: cxgb4: add an error code check in t4_load_phy_fw ata: ahci: fix enum constants for gcc-13 remove the sx8 block driver nvmet-tcp: move send/recv error handling in the send/recv methods instead of call-sites nvmet-tcp: Fix a possible UAF in queue intialization setup Revert "ARM: dts: Move am33xx and am43xx mmc nodes to sdhci-omap driver" PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility tty: 8250: Remove UC-257 and UC-431 tty: 8250: Add support for additional Brainboxes UC cards tty: 8250: Add support for Brainboxes UP cards tty: 8250: Add support for Intashield IS-100 Linux 5.4.260 Change-Id: I723ce192f509587c74523519038f1ad6441938fe Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
|
Florian Westphal
|
b6c09ff5ea |
netfilter: nfnetlink_log: silence bogus compiler warning
[ Upstream commit 2e1d175410972285333193837a4250a74cd472e6 ] net/netfilter/nfnetlink_log.c:800:18: warning: variable 'ctinfo' is uninitialized The warning is bogus, the variable is only used if ct is non-NULL and always initialised in that case. Init to 0 too to silence this. Reported-by: kernel test robot <lkp@intel.com> Closes: https://lore.kernel.org/oe-kbuild-all/202309100514.ndBFebXN-lkp@intel.com/ Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Fred Chen
|
54ba3b8267 |
tcp: fix wrong RTO timeout when received SACK reneging
[ Upstream commit d2a0fc372aca561556e765d0a9ec365c7c12f0ad ]
This commit fix wrong RTO timeout when received SACK reneging.
When an ACK arrived pointing to a SACK reneging, tcp_check_sack_reneging()
will rearm the RTO timer for min(1/2*srtt, 10ms) into to the future.
But since the commit 62d9f1a6945b ("tcp: fix TLP timer not set when
CA_STATE changes from DISORDER to OPEN") merged, the tcp_set_xmit_timer()
is moved after tcp_fastretrans_alert()(which do the SACK reneging check),
so the RTO timeout will be overwrited by tcp_set_xmit_timer() with
icsk_rto instead of 1/2*srtt.
Here is a packetdrill script to check this bug:
0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
// simulate srtt to 100ms
+0 < S 0:0(0) win 32792 <mss 1000, sackOK,nop,nop,nop,wscale 7>
+0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
+.1 < . 1:1(0) ack 1 win 1024
+0 accept(3, ..., ...) = 4
+0 write(4, ..., 10000) = 10000
+0 > P. 1:10001(10000) ack 1
// inject sack
+.1 < . 1:1(0) ack 1 win 257 <sack 1001:10001,nop,nop>
+0 > . 1:1001(1000) ack 1
// inject sack reneging
+.1 < . 1:1(0) ack 1001 win 257 <sack 9001:10001,nop,nop>
// we expect rto fired in 1/2*srtt (50ms)
+.05 > . 1001:2001(1000) ack 1
This fix remove the FLAG_SET_XMIT_TIMER from ack_flag when
tcp_check_sack_reneging() set RTO timer with 1/2*srtt to avoid
being overwrited later.
Fixes: 62d9f1a6945b ("tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN")
Signed-off-by: Fred Chen <fred.chenchen03@gmail.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Tested-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
|
Eric Dumazet
|
3b098edafe |
neighbour: fix various data-races
[ Upstream commit a9beb7e81bcb876615e1fbb3c07f3f9dba69831f ]
1) tbl->gc_thresh1, tbl->gc_thresh2, tbl->gc_thresh3 and tbl->gc_interval
can be written from sysfs.
2) tbl->last_flush is read locklessly from neigh_alloc()
3) tbl->proxy_queue.qlen is read locklessly from neightbl_fill_info()
4) neightbl_fill_info() reads cpu stats that can be changed concurrently.
Fixes:
|
||
qctecmdr
|
63ba6ae867 | Merge "nl80211: fix beacon tx rate mask validation" | ||
Xin Deng
|
bf0f28818c |
nl80211: fix beacon tx rate mask validation
While adding HE MCS beacon tx rate support, it is observed that legacy beacon tx rate in VHT hwsim test suite is failed. Whenever the application doesn't explicitly set VHT/MCS rate attribute in fixed rate command, by default all HE MCS masks are enabled in cfg80211. In beacon fixed rate, more than one rate mask is not allowed. Fix that by not setting all rate mask by default in case of beacon tx rate. Signed-off-by: Rajkumar Manoharan <rmanohar@codeaurora.org> Link: https://lore.kernel.org/r/1602879327-29488-1-git-send-email-rmanohar@codeaurora.org Signed-off-by: Johannes Berg <johannes.berg@intel.com> Git-repo: https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless-next.git Git-commit: 857b34c4fb104cecc95cd5c5fea5052628758a0f [quic_deng@quicinc.com: Make appropriate modifications to adapt kernel-5.4.] Change-Id: I85c5bd502b88ca2157fdc74e4c39de6e75580652 Signed-off-by: Xin Deng <quic_deng@quicinc.com> |
||
Kyle Zeng
|
49de253fb4 |
UPSTREAM: netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
commit 050d91c03b28ca479df13dfb02bcd2c60dd6a878 upstream.
The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can
lead to the use of wrong `CIDR_POS(c)` for calculating array offsets,
which can lead to integer underflow. As a result, it leads to slab
out-of-bound access.
This patch adds back the IP_SET_HASH_WITH_NET0 macro to
ip_set_hash_netportnet to address the issue.
Bug: 302199939
Fixes:
|
||
|
kamasali Satyanarayan
|
36579e50d8 |
Merge android11-5.4.254+ (91f7025) into msm-5.4
* remotes/origin/tmp-91f7025:
UPSTREAM: arm64: efi: Make efi_rt_lock a raw_spinlock
UPSTREAM: net: sched: sch_qfq: Fix UAF in qfq_dequeue()
UPSTREAM: net/sched: sch_hfsc: Ensure inner classes have fsc curve
UPSTREAM: net/sched: sch_qfq: account for stab overhead in qfq_enqueue
UPSTREAM: netfilter: nf_tables: prevent OOB access in nft_byteorder_eval
UPSTREAM: af_unix: Fix null-ptr-deref in unix_stream_sendpage().
BACKPORT: net: nfc: Fix use-after-free caused by nfc_llcp_find_local
Linux 5.4.254
sch_netem: fix issues in netem_change() vs get_dist_table()
alpha: remove __init annotation from exported page_is_ram()
scsi: core: Fix possible memory leak if device_add() fails
scsi: snic: Fix possible memory leak if device_add() fails
scsi: 53c700: Check that command slot is not NULL
scsi: storvsc: Fix handling of virtual Fibre Channel timeouts
scsi: core: Fix legacy /proc parsing buffer overflow
netfilter: nf_tables: report use refcount overflow
nvme-rdma: fix potential unbalanced freeze & unfreeze
nvme-tcp: fix potential unbalanced freeze & unfreeze
btrfs: set cache_block_group_error if we find an error
btrfs: don't stop integrity writeback too early
ibmvnic: Handle DMA unmapping of login buffs in release functions
net/mlx5: Allow 0 for total host VFs
dmaengine: mcf-edma: Fix a potential un-allocated memory access
wifi: cfg80211: fix sband iftype data lookup for AP_VLAN
IB/hfi1: Fix possible panic during hotplug remove
drivers: net: prevent tun_build_skb() to exceed the packet size limit
dccp: fix data-race around dp->dccps_mss_cache
bonding: Fix incorrect deletion of ETH_P_8021AD protocol vid from slaves
net/packet: annotate data-races around tp->status
mISDN: Update parameter type of dsp_cmx_send()
selftests/rseq: Fix build with undefined __weak
drm/nouveau/disp: Revert a NULL check inside nouveau_connector_get_modes
x86: Move gds_ucode_mitigated() declaration to header
x86/mm: Fix VDSO and VVAR placement on 5-level paging machines
x86/cpu/amd: Enable Zenbleed fix for AMD Custom APU 0405
usb: common: usb-conn-gpio: Prevent bailing out if initial role is none
usb: dwc3: Properly handle processing of pending events
usb-storage: alauda: Fix uninit-value in alauda_check_media()
binder: fix memory leak in binder_init()
iio: cros_ec: Fix the allocation size for cros_ec_command
nilfs2: fix use-after-free of nilfs_root in dirtying inodes via iput
x86/pkeys: Revert
|
||
|
Greg Kroah-Hartman
|
231c81bbc8 |
Revert "xfrm: fix a data-race in xfrm_gen_index()"
This reverts commit
|