2081b666d5
58206 Commits
SHA1 | Message
cac5f79018 | This is the 5.4.16 stable release

-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl4xqJ4ACgkQONu9yGCS
aT5BdxAAwpqN58x/Y9hfA57/jOyjmB/slYHOnZ+JsGMF3HTaPAjztu/8KpTixbd2
+ypoysWhXlBCeSdhndEQBbzXflabi748lxRBVzAnYjjYsQsCRuPgEVgcw7CAyEdW
3/pbYN5XvQvN7SjDICMdkaCOj5zOJ/mIvZi+koLrq+mBVMs+qSOPxulobDD8tUl5
JbetuWegVwe6wuADI0fsGOzIbiPMK0UoqgRzV5Y7KMbBNL5OGAdzCAFL0IudyTaD
EH6ED/jcLqgULravhYQ3U4k+HxeADDL0/wf8Ki0XzVENXYTRwh/R1KMDbIH6nQm1
scgIAB0d8Gt18eKDavd+cckCVBKV9sJZtfGywL61Q234SvT8aK19aKJS643M21Ey
td1c7wvOXWrCdtNJT15uFTa0fRz7YZnT49dwFzdeKXMrYS+BnJQen3IzC+7nSp8Q
4176BkbmpQdJ7a4twkBgJYPuNCpKyVMLFB+OIVO+dnzlqMMApH8StYhx51m21B7r
8r/7e2TsCWqfmsiZ1I+WuFPoTvXGn7nm03H7mvfuo6d7MfvvJLXLTiIfMv+VjL1Q
sh/NCaVAXz9aaLE5WYHa8FzUHnK6v/twZBA2AffpgkwNBRbfIQxHKBl3QMDpwpft
92yAh3bHQXNfc17jpuFCIEgjD5haG7d5kwD6BvlBCfSjbIBE1B0=
=ApNn
-----END PGP SIGNATURE-----

Merge 5.4.16 into android-5.4

Changes in 5.4.16
can, slip: Protect tty->disc_data in write_wakeup and close with RCU
firestream: fix memory leaks
gtp: make sure only SOCK_DGRAM UDP sockets are accepted
ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions
net: bcmgenet: Use netif_tx_napi_add() for TX NAPI
net: cxgb3_main: Add CAP_NET_ADMIN check to CHELSIO_GET_MEM
net: ip6_gre: fix moving ip6gre between namespaces
net, ip6_tunnel: fix namespaces move
net, ip_tunnel: fix namespaces move
net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()
net_sched: fix datalen for ematch
net_sched: use validated TCA_KIND attribute in tc_new_tfilter()
net-sysfs: Fix reference count leak
net: usb: lan78xx: Add .ndo_features_check
Revert "udp: do rmem bulk free even if the rx sk queue is empty"
tcp_bbr: improve arithmetic division in bbr_update_bw()
tcp: do not leave dangling pointers in tp->highest_sack
tun: add mutex_unlock() call and napi.skb clearing in tun_get_user()
airo: Fix possible info leak in AIROOLDIOCTL/SIOCDEVPRIVATE
airo: Add missing CAP_NET_ADMIN check in AIROOLDIOCTL/SIOCDEVPRIVATE
mlxsw: spectrum_acl: Fix use-after-free during reload
fou: Fix IPv6 netlink policy
net: Fix packet reordering caused by GRO and listified RX cooperation
net/mlx5: Fix lowest FDB pool size
net/mlx5: Update the list of the PCI supported devices
net/mlx5: DR, Enable counter on non-fwd-dest objects
net/mlx5: E-Switch, Prevent ingress rate configuration of uplink rep
net/mlx5: DR, use non preemptible call to get the current cpu number
net/mlx5e: kTLS, Fix corner-case checks in TX resync flow
net/mlx5e: kTLS, Remove redundant posts in TX resync flow
net/mlx5e: kTLS, Do not send decrypted-marked SKBs via non-accel path
ipv4: Detect rollover in specific fib table dump
Revert "io_uring: only allow submit from owning task"
afs: Fix characters allowed into cell names
hwmon: (adt7475) Make volt2reg return same reg as reg2volt input
hwmon: (core) Do not use device managed functions for memory allocations
ceph: hold extra reference to r_parent over life of request
PCI: Mark AMD Navi14 GPU rev 0xc5 ATS as broken
drm/panfrost: Add the panfrost_gem_mapping concept
drm/i915: Align engine->uabi_class/instance with i915_drm.h
PM: hibernate: fix crashes with init_on_free=1
tracing: trigger: Replace unneeded RCU-list traversals
tracing/uprobe: Fix double perf_event linking on multiprobe uprobe
tracing: Do not set trace clock if tracefs lockdown is in effect
tracing: Fix histogram code when expression has same var as value
powerpc/mm/hash: Fix sharing context ids between kernel & userspace
powerpc/xive: Discard ESB load value when interrupt is invalid
Revert "iwlwifi: mvm: fix scan config command size"
iwlwifi: mvm: don't send the IWL_MVM_RXQ_NSSN_SYNC notif to Rx queues
XArray: Fix infinite loop with entry at ULONG_MAX
XArray: Fix xa_find_after with multi-index entries
XArray: Fix xas_find returning too many entries
pinctrl: sunrisepoint: Add missing Interrupt Status register offset
iommu/vt-d: Call __dmar_remove_one_dev_info with valid pointer
Input: keyspan-remote - fix control-message timeouts
Revert "Input: synaptics-rmi4 - don't increment rmiaddr for SMBus transfers"
ARM: 8950/1: ftrace/recordmcount: filter relocation types
mmc: tegra: fix SDR50 tuning override
mmc: sdhci: fix minimum clock rate for v3 controller
mmc: sdhci_am654: Remove Inverted Write Protect flag
mmc: sdhci_am654: Reset Command and Data line after tuning
mlxsw: switchx2: Do not modify cloned SKBs during xmit
net/tls: fix async operation
Input: pm8xxx-vib - fix handling of separate enable register
Input: sur40 - fix interface sanity checks
Input: gtco - fix endpoint sanity check
Input: aiptek - fix endpoint sanity check
Input: pegasus_notetaker - fix endpoint sanity check
Input: sun4i-ts - add a check for devm_thermal_zone_of_sensor_register
netfilter: nft_osf: add missing check for DREG attribute
lib: Reduce user_access_begin() boundaries in strncpy_from_user() and strnlen_user()
iommu/amd: Fix IOMMU perf counter clobbering during init
readdir: make user_access_begin() use the real access range
leds: gpio: Fix uninitialized gpio label for fwnode based probe
hsr: Fix a compilation error
hwmon: (nct7802) Fix voltage limits to wrong registers
hwmon: (nct7802) Fix non-working alarm on voltages
scsi: RDMA/isert: Fix a recently introduced regression related to logout
tracing: xen: Ordered comparison of function pointers
iwlwifi: mvm: fix SKB leak on invalid queue
iwlwifi: mvm: fix potential SKB leak on TXQ TX
drm/i915/userptr: fix size calculation
xfrm: support output_mark for offload ESP packets
net, sk_msg: Don't check if sock is locked when tearing down psock
do_last(): fetch directory ->i_mode and ->i_uid before it's too late
readdir: be more conservative with directory entry names
net/sonic: Add mutual exclusion for accessing shared state
net/sonic: Clear interrupt flags immediately
net/sonic: Use MMIO accessors
net/sonic: Fix interface error stats collection
net/sonic: Fix receive buffer handling
net/sonic: Avoid needless receive descriptor EOL flag updates
net/sonic: Improve receive descriptor status flag check
net/sonic: Fix receive buffer replenishment
net/sonic: Quiesce SONIC before re-initializing descriptor memory
net/sonic: Fix command register usage
net/sonic: Fix CAM initialization
net/sonic: Prevent tx watchdog timeout
libertas: Fix two buffer overflows at parsing bss descriptor
media: v4l2-ioctl.c: zero reserved fields for S/TRY_FMT
netfilter: ipset: use bitmap infrastructure completely
netfilter: nf_tables: add __nft_chain_type_get()
netfilter: nf_tables: autoload modules from the abort path
net/x25: fix nonblocking connect
Linux 5.4.16

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I9e45fa24244d45c31254748eb2ce698084ca06ac

d8a11e0f4e | net/x25: fix nonblocking connect

commit e21dba7a4df4d93da237da65a096084b4f2e87b4 upstream.

This patch fixes 2 issues in x25_connect():

1. It makes absolutely no sense to reset the neighbour and the connection state after a (successful) nonblocking call of x25_connect. This prevents any connection from being established, since the response (call accept) cannot be processed.

2. Any further calls to x25_connect() while a call is pending should simply return, instead of creating new Call Request (on different logical channels).

This patch should also fix the "KASAN: null-ptr-deref Write in x25_connect" and "BUG: unable to handle kernel NULL pointer dereference in x25_connect" bugs reported by syzbot.

Signed-off-by: Martin Schiller <ms@dev.tdt.de>
Reported-by: syzbot+429c200ffc8772bfe070@syzkaller.appspotmail.com
Reported-by: syzbot+eec0c87f31a7c3b66f7b@syzkaller.appspotmail.com
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

ce75dd3abb | netfilter: nf_tables: autoload modules from the abort path

commit eb014de4fd418de1a277913cba244e47274fe392 upstream.

This patch introduces a list of pending module requests. This new module list is composed of nft_module_request objects that contain the module name and one status field that tells if the module has been already loaded (the 'done' field).

In the first pass, from the preparation phase, the netlink command finds that a module is missing on this list. Then, a module request is allocated and added to this list and nft_request_module() returns -EAGAIN. This triggers the abort path with the autoload parameter set on from nfnetlink, request_module() is called and the module request enters the 'done' state. Since the mutex is released when loading modules from the abort phase, the module list is zapped so this iteration occurs over a local list. Therefore, the request_module() calls happen when object lists are in consistent state (after fully aborting the transaction) and the commit list is empty.

On the second pass, the netlink command will find that it already tried to load the module, so it does not request it again and nft_request_module() returns 0. Then, there is a look up to find the object that the command was missing. If the module was successfully loaded, the command proceeds normally since it finds the missing object in place, otherwise -ENOENT is reported to userspace.

This patch also updates nfnetlink to include the reason to enter the abort phase, which is required for this new autoload module rationale.

Fixes: ec7470b834fe ("netfilter: nf_tables: store transaction list locally while requesting module")
Reported-by: syzbot+29125d208b3dae9a7019@syzkaller.appspotmail.com
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

07ac418120 | netfilter: nf_tables: add __nft_chain_type_get()

commit 826035498ec14b77b62a44f0cb6b94d45530db6f upstream.

This new helper function validates that unknown family and chain type
coming from userspace do not trigger an out-of-bound array access. Bail
out in case __nft_chain_type_get() returns NULL from
nft_chain_parse_hook().

Fixes:

ea52197c9c | netfilter: ipset: use bitmap infrastructure completely

commit 32c72165dbd0e246e69d16a3ad348a4851afd415 upstream.

The bitmap allocation did not use full unsigned long sizes when calculating the required size and that was triggered by KASAN as slab-out-of-bounds read in several places. The patch fixes all of them.

Reported-by: syzbot+fabca5cbf5e54f3fe2de@syzkaller.appspotmail.com
Reported-by: syzbot+827ced406c9a1d9570ed@syzkaller.appspotmail.com
Reported-by: syzbot+190d63957b22ef673ea5@syzkaller.appspotmail.com
Reported-by: syzbot+dfccdb2bdb4a12ad425e@syzkaller.appspotmail.com
Reported-by: syzbot+df0d0f5895ef1f41a65b@syzkaller.appspotmail.com
Reported-by: syzbot+b08bd19bb37513357fd4@syzkaller.appspotmail.com
Reported-by: syzbot+53cdd0ec0bbabd53370a@syzkaller.appspotmail.com
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

5d001c4f74 | net, sk_msg: Don't check if sock is locked when tearing down psock

commit 58c8db929db1c1d785a6f5d8f8692e5dbcc35e84 upstream.

As John Fastabend reports [0], psock state tear-down can happen on receive path *after* unlocking the socket, if the only other psock user, that is sockmap or sockhash, releases its psock reference before tcp_bpf_recvmsg does so:

    tcp_bpf_recvmsg()
     psock = sk_psock_get(sk)         <- refcnt 2
     lock_sock(sk);
     ...
                                      sock_map_free() <- refcnt 1
     release_sock(sk)
     sk_psock_put()                   <- refcnt 0

Remove the lockdep check for socket lock in psock tear-down that got introduced in 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during tear down").

[0] https://lore.kernel.org/netdev/5e25dc995d7d_74082aaee6e465b441@john-XPS-13-9370.notmuch/

Fixes: 7e81a3530206 ("bpf: Sockmap, ensure sock lock held during tear down")
Reported-by: syzbot+d73682fcf7fee6982fe3@syzkaller.appspotmail.com
Suggested-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

b2e061912c | xfrm: support output_mark for offload ESP packets

commit 4e4362d2bf2a49ff44dbbc9585207977ca3d71d0 upstream.

Commit

54b818246b | hsr: Fix a compilation error

commit 80892772c4edac88c538165d26a0105f19b61c1c upstream.

A compilation error happens when building branch 5.5-rc7:

In file included from net/hsr/hsr_main.c:12:0:
net/hsr/hsr_main.h:194:20: error: two or more data types in declaration specifiers
 static inline void void hsr_debugfs_rename(struct net_device *dev)

So removed one void.

Fixes: 4c2d5e33dcd3 ("hsr: rename debugfs file when interface name is changed")
Signed-off-by: xiaofeng.yan <yanxiaofeng7@jd.com>
Acked-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

9e2e1a5abc | netfilter: nft_osf: add missing check for DREG attribute

commit 7eaecf7963c1c8f62d62c6a8e7c439b0e7f2d365 upstream.

syzbot reports just another NULL deref crash because of missing test
for presence of the attribute.

Reported-by: syzbot+cf23983d697c26c34f60@syzkaller.appspotmail.com
Fixes:

c3f6abfe2f | net/tls: fix async operation

commit db885e66d268884dc72967279b7e84f522556abc upstream.

Mallesham reports the TLS with async accelerator was broken by
commit d10523d0b3d7 ("net/tls: free the record on encryption error")
because encryption can return -EINPROGRESS in such setups, which
should not be treated as an error.

The error is also present in the BPF path (likely copied from there).

Reported-by: Mallesham Jatharakonda <mallesham.jatharakonda@oneconvergence.com>
Fixes:

29ce06b6b6 | ipv4: Detect rollover in specific fib table dump

[ Upstream commit 9827c0634e461703abf81e8cc8b7adf5da5886d0 ]

Sven-Haegar reported looping on fib dumps when 255.255.255.255 route has
been added to a table. The looping is caused by the key rolling over from
FFFFFFFF to 0. When dumping a specific table only, we need a means to detect
when the table dump is done. The key and count saved to cb args are both 0
only at the start of the table dump. If key is 0 and count > 0, then we are
in the rollover case. Detect and return to avoid looping.

This only affects dumps of a specific table; for dumps of all tables
(the case prior to the change in the Fixes tag) inet_dump_fib moved
the entry counter to the next table and reset the cb args used by
fib_table_dump and fn_trie_dump_leaf, so the rollover ffffffff back
to 0 did not cause looping with the dumps.

Fixes:

d18d22ce8f | net: Fix packet reordering caused by GRO and listified RX cooperation

[ Upstream commit c80794323e82ac6ab45052ebba5757ce47b4b588 ]

Commit

8bc3025206 | fou: Fix IPv6 netlink policy

[ Upstream commit bb48eb9b12a95db9d679025927269d4adda6dbd1 ]

When submitting v2 of "fou: Support binding FoU socket" (

69486bfa06 | tcp: do not leave dangling pointers in tp->highest_sack

[ Upstream commit 2bec445f9bf35e52e395b971df48d3e1e5dc704a ]

Latest commit 853697504de0 ("tcp: Fix highest_sack and highest_sack_seq") apparently allowed syzbot to trigger various crashes in TCP stack [1]

I believe this commit only made things easier for syzbot to find its way into triggering use-after-frees.

But really the bugs could lead to bad TCP behavior or even plain crashes even for non malicious peers.

I have audited all calls to tcp_rtx_queue_unlink() and tcp_rtx_queue_unlink_and_free() and made sure tp->highest_sack would be updated if we are removing from rtx queue the skb that tp->highest_sack points to.

These updates were missing in three locations :

1) tcp_clean_rtx_queue() [This one seems quite serious, I have no idea why this was not caught earlier]

2) tcp_rtx_queue_purge() [Probably not a big deal for normal operations]

3) tcp_send_synack() [Probably not a big deal for normal operations]

[1]

BUG: KASAN: use-after-free in tcp_highest_sack_seq include/net/tcp.h:1864 [inline]
BUG: KASAN: use-after-free in tcp_highest_sack_seq include/net/tcp.h:1856 [inline]
BUG: KASAN: use-after-free in tcp_check_sack_reordering+0x33c/0x3a0 net/ipv4/tcp_input.c:891
Read of size 4 at addr ffff8880a488d068 by task ksoftirqd/1/16
CPU: 1 PID: 16 Comm: ksoftirqd/1 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
__asan_report_load4_noabort+0x14/0x20 mm/kasan/generic_report.c:134
tcp_highest_sack_seq include/net/tcp.h:1864 [inline]
tcp_highest_sack_seq include/net/tcp.h:1856 [inline]
tcp_check_sack_reordering+0x33c/0x3a0 net/ipv4/tcp_input.c:891
tcp_try_undo_partial net/ipv4/tcp_input.c:2730 [inline]
tcp_fastretrans_alert+0xf74/0x23f0 net/ipv4/tcp_input.c:2847
tcp_ack+0x2577/0x5bf0 net/ipv4/tcp_input.c:3710
tcp_rcv_established+0x6dd/0x1e90 net/ipv4/tcp_input.c:5706
tcp_v4_do_rcv+0x619/0x8d0 net/ipv4/tcp_ipv4.c:1619
tcp_v4_rcv+0x307f/0x3b40 net/ipv4/tcp_ipv4.c:2001
ip_protocol_deliver_rcu+0x5a/0x880 net/ipv4/ip_input.c:204
ip_local_deliver_finish+0x23b/0x380 net/ipv4/ip_input.c:231
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:252
dst_input include/net/dst.h:442 [inline]
ip_rcv_finish+0x1db/0x2f0 net/ipv4/ip_input.c:428
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:538
__netif_receive_skb_one_core+0x113/0x1a0 net/core/dev.c:5148
__netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5262
process_backlog+0x206/0x750 net/core/dev.c:6093
napi_poll net/core/dev.c:6530 [inline]
net_rx_action+0x508/0x1120 net/core/dev.c:6598
__do_softirq+0x262/0x98c kernel/softirq.c:292
run_ksoftirqd kernel/softirq.c:603 [inline]
run_ksoftirqd+0x8e/0x110 kernel/softirq.c:595
smpboot_thread_fn+0x6a3/0xa40 kernel/smpboot.c:165
kthread+0x361/0x430 kernel/kthread.c:255
ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352
Allocated by task 10091:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
__kasan_kmalloc mm/kasan/common.c:513 [inline]
__kasan_kmalloc.constprop.0+0xcf/0xe0 mm/kasan/common.c:486
kasan_slab_alloc+0xf/0x20 mm/kasan/common.c:521
slab_post_alloc_hook mm/slab.h:584 [inline]
slab_alloc_node mm/slab.c:3263 [inline]
kmem_cache_alloc_node+0x138/0x740 mm/slab.c:3575
__alloc_skb+0xd5/0x5e0 net/core/skbuff.c:198
alloc_skb_fclone include/linux/skbuff.h:1099 [inline]
sk_stream_alloc_skb net/ipv4/tcp.c:875 [inline]
sk_stream_alloc_skb+0x113/0xc90 net/ipv4/tcp.c:852
tcp_sendmsg_locked+0xcf9/0x3470 net/ipv4/tcp.c:1282
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1432
inet_sendmsg+0x9e/0xe0 net/ipv4/af_inet.c:807
sock_sendmsg_nosec net/socket.c:652 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:672
__sys_sendto+0x262/0x380 net/socket.c:1998
__do_sys_sendto net/socket.c:2010 [inline]
__se_sys_sendto net/socket.c:2006 [inline]
__x64_sys_sendto+0xe1/0x1a0 net/socket.c:2006
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Freed by task 10095:
save_stack+0x23/0x90 mm/kasan/common.c:72
set_track mm/kasan/common.c:80 [inline]
kasan_set_free_info mm/kasan/common.c:335 [inline]
__kasan_slab_free+0x102/0x150 mm/kasan/common.c:474
kasan_slab_free+0xe/0x10 mm/kasan/common.c:483
__cache_free mm/slab.c:3426 [inline]
kmem_cache_free+0x86/0x320 mm/slab.c:3694
kfree_skbmem+0x178/0x1c0 net/core/skbuff.c:645
__kfree_skb+0x1e/0x30 net/core/skbuff.c:681
sk_eat_skb include/net/sock.h:2453 [inline]
tcp_recvmsg+0x1252/0x2930 net/ipv4/tcp.c:2166
inet_recvmsg+0x136/0x610 net/ipv4/af_inet.c:838
sock_recvmsg_nosec net/socket.c:886 [inline]
sock_recvmsg net/socket.c:904 [inline]
sock_recvmsg+0xce/0x110 net/socket.c:900
__sys_recvfrom+0x1ff/0x350 net/socket.c:2055
__do_sys_recvfrom net/socket.c:2073 [inline]
__se_sys_recvfrom net/socket.c:2069 [inline]
__x64_sys_recvfrom+0xe1/0x1a0 net/socket.c:2069
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
The buggy address belongs to the object at ffff8880a488d040
which belongs to the cache skbuff_fclone_cache of size 456
The buggy address is located 40 bytes inside of
456-byte region [ffff8880a488d040, ffff8880a488d208)
The buggy address belongs to the page:
page:ffffea0002922340 refcount:1 mapcount:0 mapping:ffff88821b057000 index:0x0
raw: 00fffe0000000200 ffffea00022a5788 ffffea0002624a48 ffff88821b057000
raw: 0000000000000000 ffff8880a488d040 0000000100000006 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff8880a488cf00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8880a488cf80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8880a488d000: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8880a488d080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880a488d100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

Fixes: 853697504de0 ("tcp: Fix highest_sack and highest_sack_seq")
Fixes:

562a7c3504 | tcp_bbr: improve arithmetic division in bbr_update_bw()

[ Upstream commit 5b2f1f3070b6447b76174ea8bfb7390dc6253ebd ]

do_div() does a 64-by-32 division. Use div64_long() instead of it if the divisor is long, to avoid truncation to 32-bit. And as a nice side effect also cleans up the function a bit.

Signed-off-by: Wen Yang <wenyang@linux.alibaba.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

41c230ae2a | Revert "udp: do rmem bulk free even if the rx sk queue is empty"

[ Upstream commit d39ca2590d10712f412add7a88e1dd467a7246f4 ]

This reverts commit

d6f7ed61fa | net-sysfs: Fix reference count leak

[ Upstream commit cb626bf566eb4433318d35681286c494f04fedcc ]

Netdev_register_kobject is calling device_initialize. In case of error the reference taken by device_initialize is not given up.

Drivers are supposed to call free_netdev in case of error. In the non-error case the last reference is given up there and the device release sequence is triggered. In the error case this reference is kept and the release sequence is never started.

Fix this by setting reg_state as NETREG_UNREGISTERED if registering fails.

This is the root cause for a couple of memory leaks reported by Syzkaller:

BUG: memory leak
unreferenced object 0xffff8880675ca008 (size 256):
  comm "netdev_register", pid 281, jiffies 4294696663 (age 6.808s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [<0000000058ca4711>] kmem_cache_alloc_trace+0x167/0x280
    [<000000002340019b>] device_add+0x882/0x1750
    [<000000001d588c3a>] netdev_register_kobject+0x128/0x380
    [<0000000011ef5535>] register_netdevice+0xa1b/0xf00
    [<000000007fcf1c99>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000006a5b7b2b>] tun_chr_ioctl+0x2f/0x40
    [<00000000f30f834a>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000fba062ea>] ksys_ioctl+0x99/0xb0
    [<00000000b1c1b8d2>] __x64_sys_ioctl+0x78/0xb0
    [<00000000984cabb9>] do_syscall_64+0x16f/0x580
    [<000000000bde033d>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000e6ca2d9f>] 0xffffffffffffffff

BUG: memory leak
unreferenced object 0xffff8880668ba588 (size 8):
  comm "kobject_set_nam", pid 286, jiffies 4294725297 (age 9.871s)
  hex dump (first 8 bytes):
    6e 72 30 00 cc be df 2b  nr0....+
  backtrace:
    [<00000000a322332a>] __kmalloc_track_caller+0x16e/0x290
    [<00000000236fd26b>] kstrdup+0x3e/0x70
    [<00000000dd4a2815>] kstrdup_const+0x3e/0x50
    [<0000000049a377fc>] kvasprintf_const+0x10e/0x160
    [<00000000627fc711>] kobject_set_name_vargs+0x5b/0x140
    [<0000000019eeab06>] dev_set_name+0xc0/0xf0
    [<0000000069cb12bc>] netdev_register_kobject+0xc8/0x320
    [<00000000f2e83732>] register_netdevice+0xa1b/0xf00
    [<000000009e1f57cc>] __tun_chr_ioctl+0x20d5/0x3dd0
    [<000000009c560784>] tun_chr_ioctl+0x2f/0x40
    [<000000000d759e02>] do_vfs_ioctl+0x1c7/0x1510
    [<00000000351d7c31>] ksys_ioctl+0x99/0xb0
    [<000000008390040a>] __x64_sys_ioctl+0x78/0xb0
    [<0000000052d196b7>] do_syscall_64+0x16f/0x580
    [<0000000019af9236>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
    [<00000000bc384531>] 0xffffffffffffffff

v3 -> v4: Set reg_state to NETREG_UNREGISTERED if registering fails
v2 -> v3: * Replaced BUG_ON with WARN_ON in free_netdev and netdev_release
v1 -> v2: * Relying on driver calling free_netdev rather than calling put_device directly in error path

Reported-by: syzbot+ad8ca40ecd77896d51e2@syzkaller.appspotmail.com
Cc: David Miller <davem@davemloft.net>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
Signed-off-by: Jouni Hogander <jouni.hogander@unikie.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

9b60a32108 | net_sched: use validated TCA_KIND attribute in tc_new_tfilter()

[ Upstream commit 36d79af7fb59d6d9106feb9c1855eb93d6d53fe6 ]
syzbot found another issue in tc_new_tfilter().
We probably should use @name which contains the sanitized
version of TCA_KIND.
BUG: KMSAN: uninit-value in string_nocheck lib/vsprintf.c:608 [inline]
BUG: KMSAN: uninit-value in string+0x522/0x690 lib/vsprintf.c:689
CPU: 1 PID: 10753 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x1c9/0x220 lib/dump_stack.c:118
kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
__msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
string_nocheck lib/vsprintf.c:608 [inline]
string+0x522/0x690 lib/vsprintf.c:689
vsnprintf+0x207d/0x31b0 lib/vsprintf.c:2574
__request_module+0x2ad/0x11c0 kernel/kmod.c:143
tcf_proto_lookup_ops+0x241/0x720 net/sched/cls_api.c:139
tcf_proto_create net/sched/cls_api.c:262 [inline]
tc_new_tfilter+0x2a4e/0x5010 net/sched/cls_api.c:2058
rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg net/socket.c:659 [inline]
____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
___sys_sendmsg net/socket.c:2384 [inline]
__sys_sendmsg+0x451/0x5f0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x44/0xa9
RIP: 0033:0x45b349
Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f88b3948c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f88b39496d4 RCX: 000000000045b349
RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 000000000000099f R14: 00000000004cb163 R15: 000000000075bfd4
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
slab_alloc_node mm/slub.c:2774 [inline]
__kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
__kmalloc_reserve net/core/skbuff.c:141 [inline]
__alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
alloc_skb include/linux/skbuff.h:1049 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg net/socket.c:659 [inline]
____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
___sys_sendmsg net/socket.c:2384 [inline]
__sys_sendmsg+0x451/0x5f0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
__x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fixes:
b6a9a954b3 | net_sched: fix datalen for ematch

[ Upstream commit 61678d28d4a45ef376f5d02a839cc37509ae9281 ]
syzbot reported an out-of-bound access in em_nbyte. As initially
analyzed by Eric, this is because em_nbyte sets its own em->datalen
in em_nbyte_change() other than the one specified by user, but this
value gets overwritten later by its caller tcf_em_validate().
We should leave em->datalen untouched to respect their choices.
I audited all the in-tree ematch users; all of those implementing
->change() set em->datalen, so we can just avoid setting it twice
in this case.
Reported-and-tested-by: syzbot+5af9a90dad568aa9f611@syzkaller.appspotmail.com
Reported-by: syzbot+2f07903a5b05e7f36410@syzkaller.appspotmail.com
Fixes:
888934af18 | net: rtnetlink: validate IFLA_MTU attribute in rtnl_create_link()

[ Upstream commit d836f5c69d87473ff65c06a6123e5b2cf5e56f5b ]
rtnl_create_link() needs to apply dev->min_mtu and dev->max_mtu
checks that we apply in do_setlink()
Otherwise malicious users can crash the kernel, for example after
an integer overflow :
BUG: KASAN: use-after-free in memset include/linux/string.h:365 [inline]
BUG: KASAN: use-after-free in __alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
Write of size 32 at addr ffff88819f20b9c0 by task swapper/0/0
CPU: 0 PID: 0 Comm: swapper/0 Not tainted 5.5.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<IRQ>
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
__kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
kasan_report+0x12/0x20 mm/kasan/common.c:639
check_memory_region_inline mm/kasan/generic.c:185 [inline]
check_memory_region+0x134/0x1a0 mm/kasan/generic.c:192
memset+0x24/0x40 mm/kasan/common.c:108
memset include/linux/string.h:365 [inline]
__alloc_skb+0x37b/0x5e0 net/core/skbuff.c:238
alloc_skb include/linux/skbuff.h:1049 [inline]
alloc_skb_with_frags+0x93/0x590 net/core/skbuff.c:5664
sock_alloc_send_pskb+0x7ad/0x920 net/core/sock.c:2242
sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2259
mld_newpack+0x1d7/0x7f0 net/ipv6/mcast.c:1609
add_grhead.isra.0+0x299/0x370 net/ipv6/mcast.c:1713
add_grec+0x7db/0x10b0 net/ipv6/mcast.c:1844
mld_send_cr net/ipv6/mcast.c:1970 [inline]
mld_ifc_timer_expire+0x3d3/0x950 net/ipv6/mcast.c:2477
call_timer_fn+0x1ac/0x780 kernel/time/timer.c:1404
expire_timers kernel/time/timer.c:1449 [inline]
__run_timers kernel/time/timer.c:1773 [inline]
__run_timers kernel/time/timer.c:1740 [inline]
run_timer_softirq+0x6c3/0x1790 kernel/time/timer.c:1786
__do_softirq+0x262/0x98c kernel/softirq.c:292
invoke_softirq kernel/softirq.c:373 [inline]
irq_exit+0x19b/0x1e0 kernel/softirq.c:413
exiting_irq arch/x86/include/asm/apic.h:536 [inline]
smp_apic_timer_interrupt+0x1a3/0x610 arch/x86/kernel/apic/apic.c:1137
apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:829
</IRQ>
RIP: 0010:native_safe_halt+0xe/0x10 arch/x86/include/asm/irqflags.h:61
Code: 98 6b ea f9 eb 8a cc cc cc cc cc cc e9 07 00 00 00 0f 00 2d 44 1c 60 00 f4 c3 66 90 e9 07 00 00 00 0f 00 2d 34 1c 60 00 fb f4 <c3> cc 55 48 89 e5 41 57 41 56 41 55 41 54 53 e8 4e 5d 9a f9 e8 79
RSP: 0018:ffffffff89807ce8 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
RAX: 1ffffffff13266ae RBX: ffffffff8987a1c0 RCX: 0000000000000000
RDX: dffffc0000000000 RSI: 0000000000000006 RDI: ffffffff8987aa54
RBP: ffffffff89807d18 R08: ffffffff8987a1c0 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: dffffc0000000000
R13: ffffffff8a799980 R14: 0000000000000000 R15: 0000000000000000
arch_cpu_idle+0xa/0x10 arch/x86/kernel/process.c:690
default_idle_call+0x84/0xb0 kernel/sched/idle.c:94
cpuidle_idle_call kernel/sched/idle.c:154 [inline]
do_idle+0x3c8/0x6e0 kernel/sched/idle.c:269
cpu_startup_entry+0x1b/0x20 kernel/sched/idle.c:361
rest_init+0x23b/0x371 init/main.c:451
arch_call_rest_init+0xe/0x1b
start_kernel+0x904/0x943 init/main.c:784
x86_64_start_reservations+0x29/0x2b arch/x86/kernel/head64.c:490
x86_64_start_kernel+0x77/0x7b arch/x86/kernel/head64.c:471
secondary_startup_64+0xa4/0xb0 arch/x86/kernel/head_64.S:242
The buggy address belongs to the page:
page:ffffea00067c82c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0
raw: 057ffe0000000000 ffffea00067c82c8 ffffea00067c82c8 0000000000000000
raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88819f20b880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88819f20b900: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>ffff88819f20b980: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
^
ffff88819f20ba00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
ffff88819f20ba80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Fixes:
500869d718
net, ip_tunnel: fix namespaces move
[ Upstream commit d0f418516022c32ecceaf4275423e5bd3f8743a9 ]
In the same manner as commit 690afc165bb3 ("net: ip6_gre: fix moving ip6gre between namespaces"), fix namespace moving as it was broken since commit
ead0377f60
net, ip6_tunnel: fix namespaces move
[ Upstream commit 5311a69aaca30fa849c3cc46fb25f75727fb72d0 ]
In the same manner as commit d0f418516022 ("net, ip_tunnel: fix namespaces move"), fix namespace moving as it was broken since commit
7943bb0f06
net: ip6_gre: fix moving ip6gre between namespaces
[ Upstream commit 690afc165bb314354667f67157c1a1aea7dc797a ]
Support for moving IPv4 GRE tunnels between namespaces was added in commit
e2bd33937c
ipv6: sr: remove SKB_GSO_IPXIP6 on End.D* actions
[ Upstream commit 62ebaeaedee7591c257543d040677a60e35c7aec ]
After LRO/GRO is applied, SRv6 encapsulated packets have the
SKB_GSO_IPXIP6 feature flag, and this flag must be removed right after
the decapsulation procedure.
Currently, the SKB_GSO_IPXIP6 flag is not removed on End.D* actions, which
creates an inconsistent packet state, that is, normal TCP/IP packets
have the SKB_GSO_IPXIP6 flag. This behavior can cause an unexpected
fallback to GSO on routing to netdevices that do not support
SKB_GSO_IPXIP6. For example, on inter-VRF forwarding, decapsulated
packets are separated into small packets by GSO because VRF devices do not
support TSO for packets with the SKB_GSO_IPXIP6 flag, and this degrades
forwarding performance.
This patch removes the encapsulation related GSO flags from the skb right
after the End.D* action is applied.
Fixes:
33c8a1b2d0
This is the 5.4.15 stable release
Merge 5.4.15 into android-5.4
Changes in 5.4.15: drm/i915: Fix pid leak with banned clients libbpf: Fix compatibility for kernels without need_wakeup libbpf: Fix memory leak/double free issue libbpf: Fix potential overflow issue libbpf: Fix another potential overflow issue in bpf_prog_linfo libbpf: Make btf__resolve_size logic always check size error condition bpf: Force .BTF section start to zero when dumping from vmlinux samples: bpf: update map definition to new syntax BTF-defined map samples/bpf: Fix broken xdp_rxq_info due to map order assumptions ARM: dts: logicpd-torpedo-37xx-devkit-28: Reference new DRM panel ARM: OMAP2+: Add missing put_device() call in omapdss_init_of() xfs: Sanity check flags of Q_XQUOTARM call i2c: stm32f7: rework slave_id allocation i2c: i2c-stm32f7: fix 10-bits check in slave free id search loop mfd: intel-lpss: Add default I2C device properties for Gemini Lake SUNRPC: Fix svcauth_gss_proxy_init() SUNRPC: Fix backchannel latency metrics powerpc/security: Fix debugfs data leak on 32-bit powerpc/pseries: Enable support for ibm,drc-info property powerpc/kasan: Fix boot failure with RELOCATABLE && FSL_BOOKE
powerpc/archrandom: fix arch_get_random_seed_int() tipc: reduce sensitive to retransmit failures tipc: update mon's self addr when node addr generated tipc: fix potential memory leak in __tipc_sendmsg() tipc: fix wrong socket reference counter after tipc_sk_timeout() returns tipc: fix wrong timeout input for tipc_wait_for_cond() net/mlx5e: Fix free peer_flow when refcount is 0 phy: lantiq: vrx200-pcie: fix error return code in ltq_vrx200_pcie_phy_power_on() net: phy: broadcom: Fix RGMII delays configuration for BCM54210E phy: ti: gmii-sel: fix mac tx internal delay for rgmii-rxid mt76: mt76u: fix endpoint definition order mt7601u: fix bbp version check in mt7601u_wait_bbp_ready ice: fix stack leakage s390/pkey: fix memory leak within _copy_apqns_from_user() nfsd: depend on CRYPTO_MD5 for legacy client tracking crypto: amcc - restore CRYPTO_AES dependency crypto: sun4i-ss - fix big endian issues perf map: No need to adjust the long name of modules leds: tlc591xx: update the maximum brightness soc/tegra: pmc: Fix crashes for hierarchical interrupts soc: qcom: llcc: Name regmaps to avoid collisions soc: renesas: Add missing check for non-zero product register address soc: aspeed: Fix snoop_file_poll()'s return type watchdog: sprd: Fix the incorrect pointer getting from driver data ipmi: Fix memory leak in __ipmi_bmc_register sched/core: Further clarify sched_class::set_next_task() gpiolib: No need to call gpiochip_remove_pin_ranges() twice rtw88: fix beaconing mode rsvd_page memory violation issue rtw88: fix error handling when setup efuse info drm/panfrost: Add missing check for pfdev->regulator drm: panel-lvds: Potential Oops in probe error handling drm/amdgpu: remove excess function parameter description hwrng: omap3-rom - Fix missing clock by probing with device tree dpaa2-eth: Fix minor bug in ethtool stats reporting drm/rockchip: Round up _before_ giving to the clock framework software node: Get reference to parent swnode in get_parent op PCI: mobiveil: Fix
csr_read()/write() build issue drm: rcar_lvds: Fix color mismatches on R-Car H2 ES2.0 and later net: netsec: Correct dma sync for XDP_TX frames ACPI: platform: Unregister stale platform devices pwm: sun4i: Fix incorrect calculation of duty_cycle/period regulator: bd70528: Add MODULE_ALIAS to allow module auto loading drm/amdgpu/vi: silence an uninitialized variable warning power: supply: bd70528: Add MODULE_ALIAS to allow module auto loading firmware: imx: Remove call to devm_of_platform_populate libbpf: Don't use kernel-side u32 type in xsk.c rcu: Fix uninitialized variable in nocb_gp_wait() dpaa_eth: perform DMA unmapping before read dpaa_eth: avoid timestamp read on error paths scsi: ufs: delete redundant function ufshcd_def_desc_sizes() net: openvswitch: don't unlock mutex when changing the user_features fails hv_netvsc: flag software created hash value rt2800: remove errornous duplicate condition net: neigh: use long type to store jiffies delta net: axienet: Fix error return code in axienet_probe() selftests: gen_kselftest_tar.sh: Do not clobber kselftest/ rtc: bd70528: fix module alias to autoload module packet: fix data-race in fanout_flow_is_huge() i2c: stm32f7: report dma error during probe kselftests: cgroup: Avoid the reuse of fd after it is deallocated firmware: arm_scmi: Fix doorbell ring logic for !CONFIG_64BIT mmc: sdio: fix wl1251 vendor id mmc: core: fix wl1251 sdio quirks tee: optee: Fix dynamic shm pool allocations tee: optee: fix device enumeration error handling workqueue: Add RCU annotation for pwq list walk SUNRPC: Fix another issue with MIC buffer space sched/cpufreq: Move the cfs_rq_util_change() call to cpufreq_update_util() mt76: mt76u: rely on usb_interface instead of usb_dev dma-direct: don't check swiotlb=force in dma_direct_map_resource afs: Remove set but not used variables 'before', 'after' dmaengine: ti: edma: fix missed failure handling drm/radeon: fix bad DMA from INTERRUPT_CNTL2 xdp: Fix cleanup on map free for devmap_hash map
type platform/chrome: wilco_ec: fix use after free issue block: fix memleak of bio integrity data s390/qeth: fix dangling IO buffers after halt/clear net-sysfs: Call dev_hold always in netdev_queue_add_kobject gpio: aspeed: avoid return type warning phy/rockchip: inno-hdmi: round clock rate down to closest 1000 Hz optee: Fix multi page dynamic shm pool alloc Linux 5.4.15
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I28b2a19657d40804406dc0e7c266296ce8768eb7
60d671da2f
net-sysfs: Call dev_hold always in netdev_queue_add_kobject
[ Upstream commit e0b60903b434a7ee21ba8d8659f207ed84101e89 ]
dev_hold() has to always be called in netdev_queue_add_kobject().
Otherwise the usage count drops below 0 in case of a failure in
kobject_init_and_add().
Fixes:
e0e2379bfc
SUNRPC: Fix another issue with MIC buffer space
[ Upstream commit e8d70b321ecc9b23d09b8df63e38a2f73160c209 ]
xdr_shrink_pagelen() BUGs when @len is larger than buf->page_len.
This can happen when xdr_buf_read_mic() is given an xdr_buf with
a small page array (like, only a few bytes).
Instead, just cap the number of bytes that xdr_shrink_pagelen()
will move.
Fixes:
f6d362634e
packet: fix data-race in fanout_flow_is_huge()
[ Upstream commit b756ad928d98e5ef0b74af7546a6a31a8dadde00 ]
KCSAN reported the following data-race [1]
Adding a couple of READ_ONCE()/WRITE_ONCE() should silence it.
Since the report hinted about multiple cpus using the history
concurrently, I added a test avoiding writing on it if the
victim slot already contains the desired value.
[1]
BUG: KCSAN: data-race in fanout_demux_rollover / fanout_demux_rollover
read to 0xffff8880b01786cc of 4 bytes by task 18921 on cpu 1:
fanout_flow_is_huge net/packet/af_packet.c:1303 [inline]
fanout_demux_rollover+0x33e/0x3f0 net/packet/af_packet.c:1353
packet_rcv_fanout+0x34e/0x490 net/packet/af_packet.c:1453
deliver_skb net/core/dev.c:1888 [inline]
dev_queue_xmit_nit+0x15b/0x540 net/core/dev.c:1958
xmit_one net/core/dev.c:3195 [inline]
dev_hard_start_xmit+0x3f5/0x430 net/core/dev.c:3215
__dev_queue_xmit+0x14ab/0x1b40 net/core/dev.c:3792
dev_queue_xmit+0x21/0x30 net/core/dev.c:3825
neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
neigh_output include/net/neighbour.h:511 [inline]
ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116
__ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
__ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
dst_output include/net/dst.h:436 [inline]
ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
ip6_send_skb+0x53/0x110 net/ipv6/ip6_output.c:1795
udp_v6_send_skb.isra.0+0x3ec/0xa70 net/ipv6/udp.c:1173
udpv6_sendmsg+0x1906/0x1c20 net/ipv6/udp.c:1471
inet6_sendmsg+0x6d/0x90 net/ipv6/af_inet6.c:576
sock_sendmsg_nosec net/socket.c:637 [inline]
sock_sendmsg+0x9f/0xc0 net/socket.c:657
___sys_sendmsg+0x2b7/0x5d0 net/socket.c:2311
__sys_sendmmsg+0x123/0x350 net/socket.c:2413
__do_sys_sendmmsg net/socket.c:2442 [inline]
__se_sys_sendmmsg net/socket.c:2439 [inline]
__x64_sys_sendmmsg+0x64/0x80 net/socket.c:2439
do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
write to 0xffff8880b01786cc of 4 bytes by task 18922 on cpu 0:
fanout_flow_is_huge net/packet/af_packet.c:1306 [inline]
fanout_demux_rollover+0x3a4/0x3f0 net/packet/af_packet.c:1353
packet_rcv_fanout+0x34e/0x490 net/packet/af_packet.c:1453
deliver_skb net/core/dev.c:1888 [inline]
dev_queue_xmit_nit+0x15b/0x540 net/core/dev.c:1958
xmit_one net/core/dev.c:3195 [inline]
dev_hard_start_xmit+0x3f5/0x430 net/core/dev.c:3215
__dev_queue_xmit+0x14ab/0x1b40 net/core/dev.c:3792
dev_queue_xmit+0x21/0x30 net/core/dev.c:3825
neigh_direct_output+0x1f/0x30 net/core/neighbour.c:1530
neigh_output include/net/neighbour.h:511 [inline]
ip6_finish_output2+0x7a2/0xec0 net/ipv6/ip6_output.c:116
__ip6_finish_output net/ipv6/ip6_output.c:142 [inline]
__ip6_finish_output+0x2d7/0x330 net/ipv6/ip6_output.c:127
ip6_finish_output+0x41/0x160 net/ipv6/ip6_output.c:152
NF_HOOK_COND include/linux/netfilter.h:294 [inline]
ip6_output+0xf2/0x280 net/ipv6/ip6_output.c:175
dst_output include/net/dst.h:436 [inline]
ip6_local_out+0x74/0x90 net/ipv6/output_core.c:179
ip6_send_skb+0x53/0x110 net/ipv6/ip6_output.c:1795
udp_v6_send_skb.isra.0+0x3ec/0xa70 net/ipv6/udp.c:1173
udpv6_sendmsg+0x1906/0x1c20 net/ipv6/udp.c:1471
inet6_sendmsg+0x6d/0x90 net/ipv6/af_inet6.c:576
sock_sendmsg_nosec net/socket.c:637 [inline]
sock_sendmsg+0x9f/0xc0 net/socket.c:657
___sys_sendmsg+0x2b7/0x5d0 net/socket.c:2311
__sys_sendmmsg+0x123/0x350 net/socket.c:2413
__do_sys_sendmmsg net/socket.c:2442 [inline]
__se_sys_sendmmsg net/socket.c:2439 [inline]
__x64_sys_sendmmsg+0x64/0x80 net/socket.c:2439
do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
entry_SYSCALL_64_after_hwframe+0x44/0xa9
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 18922 Comm: syz-executor.3 Not tainted 5.4.0-rc6+ #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes:
e9a6f09fc2
net: neigh: use long type to store jiffies delta
[ Upstream commit 9d027e3a83f39b819e908e4e09084277a2e45e95 ]
A difference of two unsigned long needs long storage.
Fixes:
79310c41b0
net: openvswitch: don't unlock mutex when changing the user_features fails
[ Upstream commit 4c76bf696a608ea5cc555fe97ec59a9033236604 ]
Unlocking a mutex that is not locked is not allowed.
Another kernel thread may be in the critical section while
we unlock it because setting user_features failed.
Fixes:
9bc7663b71
tipc: fix wrong timeout input for tipc_wait_for_cond()
commit 12db3c8083fcab4270866a88191933f2d9f24f89 upstream.
In function __tipc_shutdown(), the timeout value passed to
tipc_wait_for_cond() is not jiffies.
This commit fixes it by converting that value from milliseconds
to jiffies.
Fixes:
58e007884a
tipc: fix wrong socket reference counter after tipc_sk_timeout() returns
commit 91a4a3eb433e4d786420c41f3c08d1d16c605962 upstream.
When tipc_sk_timeout() is executed but user space is grabbing
ownership, this function rearms itself and returns. However, the
socket reference counter is not reduced. This causes potential
unexpected behavior.
This commit fixes it by calling sock_put() before tipc_sk_timeout()
returns in the above-mentioned case.
Fixes:
55a0b2c95f
tipc: fix potential memory leak in __tipc_sendmsg()
commit 2fe97a578d7bad3116a89dc8a6692a51e6fc1d9c upstream.
When initiating a connection message to a server side, the connection
message is cloned and added to the socket write queue. However, if the
cloning fails, only the socket write queue is purged. This causes a
memory leak because the original connection message is not freed.
This commit fixes it by purging the list of connection messages when
it cannot be cloned.
Fixes:
28845c28f8
tipc: update mon's self addr when node addr generated
commit 46cb01eeeb86fca6afe24dda1167b0cb95424e29 upstream.
In commit
b3182a666a
tipc: reduce sensitive to retransmit failures
commit 426071f1f3995d7e9603246bffdcbf344cd31719 upstream.
With a huge cluster (e.g. >200 nodes), the flow
gap -> retransmit packet -> acked will take time in case STATE_MSG is
dropped/delayed because of a lot of traffic. This leads to the 1.5 sec
tolerance value criterion making link failure easy around the 2nd or 3rd
failed retransmission attempt.
Instead of re-introducing the criterion of 99 failed retransmissions to fix the
issue, we increase the failure detection timer to ten times the tolerance value.
Fixes:
46fabfd623
SUNRPC: Fix backchannel latency metrics
commit 8729aaba74626c4ebce3abf1b9e96bb62d2958ca upstream.
I noticed that for callback requests, the reported backlog latency
is always zero, and the rtt value is crazy big. The problem was that
rqst->rq_xtime is never set for backchannel requests.
Fixes:
7be8c165dc
SUNRPC: Fix svcauth_gss_proxy_init()
commit 5866efa8cbfbadf3905072798e96652faf02dbe8 upstream.
gss_read_proxy_verf() assumes things about the XDR buffer containing
the RPC Call that are not true for buffers generated by
svc_rdma_recv().
RDMA's buffers look more like what the upper layer generates for
sending: head is a kmalloc'd buffer; it does not point to a page
whose contents are contiguous with the first page in the buffers'
page array. The result is that ACCEPT_SEC_CONTEXT via RPC/RDMA has
stopped working on Linux NFS servers that use gssproxy.
This does not affect clients that use only TCP to send their
ACCEPT_SEC_CONTEXT operation (that's all Linux clients). Other
clients, like Solaris NFS clients, send ACCEPT_SEC_CONTEXT on the
same transport as they send all other NFS operations. Such clients
can send ACCEPT_SEC_CONTEXT via RPC/RDMA.
I thought I had found every direct reference in the server RPC code
to the rqstp->rq_pages field.
Bug found at the 2019 Westford NFS bake-a-thon.
Fixes:
ea962facf5
This is the 5.4.14 stable release
Merge 5.4.14 into android-5.4
Changes in 5.4.14: ARM: dts: meson8: fix the size of the PMU registers clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs soc: amlogic: meson-ee-pwrc: propagate PD provider registration errors soc: amlogic: meson-ee-pwrc: propagate errors from pm_genpd_init() dt-bindings: reset: meson8b: fix duplicate reset IDs ARM: dts: imx6q-dhcom: fix rtc compatible arm64: dts: ls1028a: fix endian setting for dcfg arm64: dts: imx8mm: Change SDMA1 ahb clock for imx8mm bus: ti-sysc: Fix iterating over clocks clk: Don't try to enable critical clocks if prepare failed Revert "gpio: thunderx: Switch to GPIOLIB_IRQCHIP" arm64: dts: imx8mq-librem5-devkit: use correct interrupt for the magnetometer ASoC: msm8916-wcd-digital: Reset RX interpolation path after use ASoC: stm32: sai: fix possible circular locking ASoC: stm32: dfsdm: fix 16 bits record ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1 ARM: OMAP2+: Fix ti_sysc_find_one_clockdomain to check for to_clk_hw_omap ARM: dts: imx7ulp: fix reg of cpu node ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection
ASoC: Intel: bytcht_es8316: Fix Irbis NB41 netbook quirk ALSA: dice: fix fallback from protocol extension into limited functionality ALSA: seq: Fix racy access for queue timer in proc read ALSA: firewire-tascam: fix corruption due to spin lock without restoration in SoftIRQ context ALSA: usb-audio: fix sync-ep altsetting sanity check arm64: dts: allwinner: a64: olinuxino: Fix SDIO supply regulator arm64: dts: allwinner: a64: olinuxino: Fix eMMC supply regulator arm64: dts: agilex/stratix10: fix pmu interrupt numbers Fix built-in early-load Intel microcode alignment clk: sunxi-ng: r40: Allow setting parent rate for external clock outputs block: fix an integer overflow in logical block size fuse: fix fuse_send_readpages() in the syncronous read case io_uring: only allow submit from owning task cpuidle: teo: Fix intervals[] array indexing bug ARM: dts: am571x-idk: Fix gpios property to have the correct gpio number ARM: davinci: select CONFIG_RESET_CONTROLLER perf: Correctly handle failed perf_get_aux_event() iio: adc: ad7124: Fix DT channel configuration iio: imu: st_lsm6dsx: Fix selection of ST_LSM6DS3_ID iio: light: vcnl4000: Fix scale for vcnl4040 iio: chemical: pms7003: fix unmet triggered buffer dependency iio: buffer: align the size of scan bytes to size of the largest element USB: serial: simple: Add Motorola Solutions TETRA MTP3xxx and MTP85xx USB: serial: option: Add support for Quectel RM500Q USB: serial: opticon: fix control-message timeouts USB: serial: option: add support for Quectel RM500Q in QDL mode USB: serial: suppress driver bind attributes USB: serial: ch341: handle unbound port at reset_resume USB: serial: io_edgeport: handle unbound ports on URB completion USB: serial: io_edgeport: add missing active-port sanity check USB: serial: keyspan: handle unbound ports USB: serial: quatech2: handle unbound ports staging: comedi: ni_routes: fix null dereference in ni_find_route_source() staging: comedi: ni_routes: allow partial routing information scsi:
fnic: fix invalid stack access scsi: mptfusion: Fix double fetch bug in ioctl ptrace: reintroduce usage of subjective credentials in ptrace_has_cap() mtd: rawnand: gpmi: Fix suspend/resume problem mtd: rawnand: gpmi: Restore nfc timing setup after suspend/resume usb: core: hub: Improved device recognition on remote wakeup cpu/SMT: Fix x86 link error without CONFIG_SYSFS x86/resctrl: Fix an imbalance in domain_remove_cpu() x86/CPU/AMD: Ensure clearing of SME/SEV features is maintained locking/rwsem: Fix kernel crash when spinning on RWSEM_OWNER_UNKNOWN perf/x86/intel/uncore: Fix missing marker for snr_uncore_imc_freerunning_events x86/efistub: Disable paging at mixed mode entry s390/zcrypt: Fix CCA cipher key gen with clear key value function scsi: storvsc: Correctly set number of hardware queues for IDE disk mtd: spi-nor: Fix selection of 4-byte addressing opcodes on Spansion drm/i915: Add missing include file <linux/math64.h> x86/resctrl: Fix potential memory leak efi/earlycon: Fix write-combine mapping on x86 s390/setup: Fix secure ipl message clk: samsung: exynos5420: Keep top G3D clocks enabled perf hists: Fix variable name's inconsistency in hists__for_each() macro locking/lockdep: Fix buffer overrun problem in stack_trace[] perf report: Fix incorrectly added dimensions as switch perf data file mm/shmem.c: thp, shmem: fix conflict of above-47bit hint address and PMD alignment mm/huge_memory.c: thp: fix conflict of above-47bit hint address and PMD alignment mm: memcg/slab: fix percpu slab vmstats flushing mm: memcg/slab: call flush_memcg_workqueue() only if memcg workqueue is valid mm, debug_pagealloc: don't rely on static keys too early btrfs: rework arguments of btrfs_unlink_subvol btrfs: fix invalid removal of root ref btrfs: do not delete mismatched root refs btrfs: relocation: fix reloc_root lifespan and access btrfs: fix memory leak in qgroup accounting btrfs: check rw_devices, not num_devices for balance Btrfs: always copy scrub arguments back to user
space mm/memory_hotplug: don't free usage map when removing a re-added early section mm/page-writeback.c: avoid potential division by zero in wb_min_max_ratio() mm: khugepaged: add trace status description for SCAN_PAGE_HAS_PRIVATE ARM: dts: imx6qdl-sabresd: Remove incorrect power supply assignment ARM: dts: imx6sx-sdb: Remove incorrect power supply assignment ARM: dts: imx6sl-evk: Remove incorrect power supply assignment ARM: dts: imx6sll-evk: Remove incorrect power supply assignment ARM: dts: imx6q-icore-mipi: Use 1.5 version of i.Core MX6DL ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support net: stmmac: 16KB buffer must be 16 byte aligned net: stmmac: Enable 16KB buffer size reset: Fix {of,devm}_reset_control_array_get kerneldoc return types tipc: fix potential hanging after b/rcast changing tipc: fix retrans failure due to wrong destination net: fix kernel-doc warning in <linux/netdevice.h> block: Fix the type of 'sts' in bsg_queue_rq() drm/amd/display: Reorder detect_edp_sink_caps before link settings read.
bpf: Fix incorrect verifier simulation of ARSH under ALU32 bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop bpf: Sockmap, ensure sock lock held during tear down bpf: Sockmap/tls, push write_space updates through ulp updates bpf: Sockmap, skmsg helper overestimates push, pull, and pop bounds bpf: Sockmap/tls, msg_push_data may leave end mark in place bpf: Sockmap/tls, tls_sw can create a plaintext buf > encrypt buf bpf: Sockmap/tls, skmsg can have wrapped skmsg that needs extra chaining bpf: Sockmap/tls, fix pop data with SK_DROP return code i2c: tegra: Fix suspending in active runtime PM state i2c: tegra: Properly disable runtime PM on driver's probe error cfg80211: fix deadlocks in autodisconnect work cfg80211: fix memory leak in nl80211_probe_mesh_link cfg80211: fix memory leak in cfg80211_cqm_rssi_update cfg80211: fix page refcount issue in A-MSDU decap bpf/sockmap: Read psock ingress_msg before sk_receive_queue i2c: iop3xx: Fix memory leak in probe error path netfilter: fix a use-after-free in mtype_destroy() netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct netfilter: nat: fix ICMP header corruption on ICMP errors netfilter: nft_tunnel: fix null-attribute check netfilter: nft_tunnel: ERSPAN_VERSION must not be null netfilter: nf_tables: remove WARN and add NLA_STRING upper limits netfilter: nf_tables: store transaction list locally while requesting module netfilter: nf_tables: fix flowtable list del corruption NFC: pn533: fix bulk-message timeout net: bpf: Don't leak time wait and request sockets bpftool: Fix printing incorrect pointer in btf_dump_ptr batman-adv: Fix DAT candidate selection on little endian systems macvlan: use skb_reset_mac_header() in macvlan_queue_xmit() hv_netvsc: Fix memory leak when removing rndis device net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key() net: dsa: tag_qca: fix doubled Tx statistics net: hns3: pad the short frame before sending to the hardware net: hns: fix soft
lockup when there is not enough memory net: phy: dp83867: Set FORCE_LINK_GOOD to default after reset net/sched: act_ife: initalize ife->metalist earlier net: usb: lan78xx: limit size of local TSO packets net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info ptp: free ptp device pin descriptors properly r8152: add missing endpoint sanity check tcp: fix marked lost packets not being retransmitted bnxt_en: Fix NTUPLE firmware command failures. bnxt_en: Fix ipv6 RFS filter matching logic. bnxt_en: Do not treat DSN (Digital Serial Number) read failure as fatal. net: ethernet: ave: Avoid lockdep warning net: systemport: Fixed queue mapping in internal ring map net: dsa: sja1105: Don't error out on disabled ports with no phy-mode net: dsa: tag_gswip: fix typo in tagger name net: sched: act_ctinfo: fix memory leak net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec i40e: prevent memory leak in i40e_setup_macvlans drm/amdgpu: allow direct upload save restore list for raven2 sh_eth: check sh_eth_cpu_data::dual_port when dumping registers mlxsw: spectrum: Do not modify cloned SKBs during xmit mlxsw: spectrum: Wipe xstats.backlog of down ports mlxsw: spectrum_qdisc: Include MC TCs in Qdisc counters net: stmmac: selftests: Make it work in Synopsys AXS101 boards net: stmmac: selftests: Mark as fail when received VLAN ID != expected selftests: mlxsw: qos_mc_aware: Fix mausezahn invocation net: stmmac: selftests: Update status when disabling RSS net: stmmac: tc: Do not setup flower filtering if RSS is enabled devlink: Wait longer before warning about unset port type xen/blkfront: Adjust indentation in xlvbd_alloc_gendisk dt-bindings: Add missing 'properties' keyword enclosing 'snps,tso' tcp: refine rule to allow EPOLLOUT generation under mem pressure irqchip: Place CONFIG_SIFIVE_PLIC into the menu arm64: dts: qcom: msm8998: Disable coresight by default cw1200: Fix a signedness bug in cw1200_load_firmware() arm64: dts: meson: axg: fix audio fifo reg size arm64: dts: meson:
g12: fix audio fifo reg size arm64: dts: meson-gxl-s905x-khadas-vim: fix gpio-keys-polled node arm64: dts: renesas: r8a77970: Fix PWM3 arm64: dts: marvell: Add AP806-dual missing CPU clocks cfg80211: check for set_wiphy_params tick/sched: Annotate lockless access to last_jiffies_update arm64: dts: marvell: Fix CP110 NAND controller node multi-line comment alignment arm64: dts: renesas: r8a774a1: Remove audio port node arm64: dts: imx8mm-evk: Assigned clocks for audio plls arm64: dts: qcom: sdm845-cheza: delete zap-shader ARM: dts: imx6ul-kontron-n6310-s: Disable the snvs-poweroff driver arm64: dts: allwinner: a64: Re-add PMU node ARM: dts: dra7: fix cpsw mdio fck clock arm64: dts: juno: Fix UART frequency ARM: dts: Fix sgx sysconfig register for omap4 Revert "arm64: dts: juno: add dma-ranges property" mtd: devices: fix mchp23k256 read and write mtd: cfi_cmdset_0002: only check errors when ready in cfi_check_err_status() mtd: cfi_cmdset_0002: fix delayed error detection on HyperFlash um: Don't trace irqflags during shutdown um: virtio_uml: Disallow modular build reiserfs: fix handling of -EOPNOTSUPP in reiserfs_for_each_xattr scsi: esas2r: unlock on error in esas2r_nvram_read_direct() scsi: hisi_sas: Don't create debugfs dump folder twice scsi: hisi_sas: Set the BIST init value before enabling BIST scsi: qla4xxx: fix double free bug scsi: bnx2i: fix potential use after free scsi: target: core: Fix a pr_debug() argument scsi: lpfc: fix: Coverity: lpfc_get_scsi_buf_s3(): Null pointer dereferences scsi: hisi_sas: Return directly if init hardware failed scsi: scsi_transport_sas: Fix memory leak when removing devices scsi: qla2xxx: Fix qla2x00_request_irqs() for MSI scsi: qla2xxx: fix rports not being mark as lost in sync fabric scan scsi: core: scsi_trace: Use get_unaligned_be*() scsi: lpfc: Fix list corruption detected in lpfc_put_sgl_per_hdwq scsi: lpfc: Fix hdwq sgl locks and irq handling scsi: lpfc: Fix a kernel warning triggered by lpfc_get_sgl_per_hdwq() rtw88:
fix potential read outside array boundary perf probe: Fix wrong address verification perf script: Allow --time with --reltime clk: sprd: Use IS_ERR() to validate the return value of syscon_regmap_lookup_by_phandle() clk: imx7ulp: Correct system clock source option #7 clk: imx7ulp: Correct DDR clock mux options regulator: ab8500: Remove SYSCLKREQ from enum ab8505_regulator_id hwmon: (pmbus/ibm-cffps) Switch LEDs to blocking brightness call hwmon: (pmbus/ibm-cffps) Fix LED blink behavior perf script: Fix --reltime with --time scsi: lpfc: use hdwq assigned cpu for allocation Linux 5.4.14
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I400bdf3be682df698c2477fbf869d5ad8ce300b5
9d4ad8a20a |
cfg80211: check for set_wiphy_params
commit 24953de0a5e31dcca7e82c8a3c79abc2dfe8fb6e upstream.
Check if set_wiphy_params is assigned and return an error if not, some
drivers (e.g. virt_wifi where syzbot reported it) don't have it.
Reported-by: syzbot+e8a797964a4180eb57d5@syzkaller.appspotmail.com
Reported-by: syzbot+34b582cf32c1db008f8e@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Link: https://lore.kernel.org/r/20200113125358.ac07f276efff.Ibd85ee1b12e47b9efb00a2adc5cd3fac50da791a@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
1e67e245ce |
tcp: refine rule to allow EPOLLOUT generation under mem pressure
commit 216808c6ba6d00169fd2aa928ec3c0e63bef254f upstream.
At the time commit
e256f8d845 |
devlink: Wait longer before warning about unset port type
commit 4c582234ab3948d08a24c82eb1e00436aabacbc6 upstream.
The commit cited below causes devlink to emit a warning if a type was
not set on a devlink port for longer than 30 seconds to "prevent
misbehavior of drivers". This proved to be problematic when
unregistering the backing netdev. The flow is always:
devlink_port_type_clear() // schedules the warning
unregister_netdev() // blocking
devlink_port_unregister() // cancels the warning
The call to unregister_netdev() can block for long periods of time for
various reasons: RTNL lock is contended, large amounts of configuration
to unroll following dismantle of the netdev, etc. This results in
devlink emitting a warning despite the driver behaving correctly.
In emulated environments (of future hardware) which are usually very
slow, the warning can also be emitted during port creation as more than
30 seconds can pass between the time the devlink port is registered and
when its type is set.
In addition, syzbot has hit this warning [1] 1974 times since 07/11/19
without being able to produce a reproducer. Probably because
reproduction depends on the load or other bugs (e.g., RTNL not being
released).
To prevent bogus warnings, increase the timeout to 1 hour.
[1] https://syzkaller.appspot.com/bug?id=e99b59e9c024a666c9f7450dc162a4b74d09d9cb
Fixes:
8c2e822305 |
net: sched: act_ctinfo: fix memory leak
[ Upstream commit 09d4f10a5e78d76a53e3e584f1e6a701b6d24108 ]
Implement a cleanup method to properly free ci->params
BUG: memory leak
unreferenced object 0xffff88811746e2c0 (size 64):
comm "syz-executor617", pid 7106, jiffies 4294943055 (age 14.250s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
c0 34 60 84 ff ff ff ff 00 00 00 00 00 00 00 00 .4`.............
backtrace:
[<0000000015aa236f>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
[<0000000015aa236f>] slab_post_alloc_hook mm/slab.h:586 [inline]
[<0000000015aa236f>] slab_alloc mm/slab.c:3320 [inline]
[<0000000015aa236f>] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3549
[<000000002c946bd1>] kmalloc include/linux/slab.h:556 [inline]
[<000000002c946bd1>] kzalloc include/linux/slab.h:670 [inline]
[<000000002c946bd1>] tcf_ctinfo_init+0x21a/0x530 net/sched/act_ctinfo.c:236
[<0000000086952cca>] tcf_action_init_1+0x400/0x5b0 net/sched/act_api.c:944
[<000000005ab29bf8>] tcf_action_init+0x135/0x1c0 net/sched/act_api.c:1000
[<00000000392f56f9>] tcf_action_add+0x9a/0x200 net/sched/act_api.c:1410
[<0000000088f3c5dd>] tc_ctl_action+0x14d/0x1bb net/sched/act_api.c:1465
[<000000006b39d986>] rtnetlink_rcv_msg+0x178/0x4b0 net/core/rtnetlink.c:5424
[<00000000fd6ecace>] netlink_rcv_skb+0x61/0x170 net/netlink/af_netlink.c:2477
[<0000000047493d02>] rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
[<00000000bdcf8286>] netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
[<00000000bdcf8286>] netlink_unicast+0x223/0x310 net/netlink/af_netlink.c:1328
[<00000000fc5b92d9>] netlink_sendmsg+0x2c0/0x570 net/netlink/af_netlink.c:1917
[<00000000da84d076>] sock_sendmsg_nosec net/socket.c:639 [inline]
[<00000000da84d076>] sock_sendmsg+0x54/0x70 net/socket.c:659
[<0000000042fb2eee>] ____sys_sendmsg+0x2d0/0x300 net/socket.c:2330
[<000000008f23f67e>] ___sys_sendmsg+0x8a/0xd0 net/socket.c:2384
[<00000000d838e4f6>] __sys_sendmsg+0x80/0xf0 net/socket.c:2417
[<00000000289a9cb1>] __do_sys_sendmsg net/socket.c:2426 [inline]
[<00000000289a9cb1>] __se_sys_sendmsg net/socket.c:2424 [inline]
[<00000000289a9cb1>] __x64_sys_sendmsg+0x23/0x30 net/socket.c:2424
Fixes:
e3bccc22e7 |
net: dsa: tag_gswip: fix typo in tagger name
[ Upstream commit ad32205470919c8e04cdd33e0613bdba50c2376d ]
The correct name is GSWIP (Gigabit Switch IP). Typo was introduced in
07667c9475 |
tcp: fix marked lost packets not being retransmitted
[ Upstream commit e176b1ba476cf36f723cfcc7a9e57f3cb47dec70 ]
When the packet pointed to by retransmit_skb_hint is unlinked by ACK,
retransmit_skb_hint will be set to NULL in tcp_clean_rtx_queue().
If packet loss is detected at this time, retransmit_skb_hint will be set
to point to the current packet loss in tcp_verify_retransmit_hint(),
then the packets that were previously marked lost but not retransmitted
due to the restriction of cwnd will be skipped and cannot be
retransmitted.
To fix this, when retransmit_skb_hint is NULL, retransmit_skb_hint can
be reset only after all marked lost packets are retransmitted
(retrans_out >= lost_out), otherwise we need to traverse from
tcp_rtx_queue_head in tcp_xmit_retransmit_queue().
Packetdrill to demonstrate:
// Disable RACK and set max_reordering to keep things simple
0 `sysctl -q net.ipv4.tcp_recovery=0`
+0 `sysctl -q net.ipv4.tcp_max_reordering=3`
// Establish a connection
+0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
+.1 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
+0 > S. 0:0(0) ack 1 <...>
+.01 < . 1:1(0) ack 1 win 257
+0 accept(3, ..., ...) = 4
// Send 8 data segments
+0 write(4, ..., 8000) = 8000
+0 > P. 1:8001(8000) ack 1
// Enter recovery and 1:3001 is marked lost
+.01 < . 1:1(0) ack 1 win 257 <sack 3001:4001,nop,nop>
+0 < . 1:1(0) ack 1 win 257 <sack 5001:6001 3001:4001,nop,nop>
+0 < . 1:1(0) ack 1 win 257 <sack 5001:7001 3001:4001,nop,nop>
// Retransmit 1:1001, now retransmit_skb_hint points to 1001:2001
+0 > . 1:1001(1000) ack 1
// 1001:2001 was ACKed causing retransmit_skb_hint to be set to NULL
+.01 < . 1:1(0) ack 2001 win 257 <sack 5001:8001 3001:4001,nop,nop>
// Now retransmit_skb_hint points to 4001:5001 which is now marked lost
// BUG: 2001:3001 was not retransmitted
+0 > . 2001:3001(1000) ack 1
Signed-off-by: Pengcheng Yang <yangpc@wangsu.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Tested-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
332967b62e |
net/sched: act_ife: initalize ife->metalist earlier
[ Upstream commit 44c23d71599f81a1c7fe8389e0319822dd50c37c ]
It seems better to init ife->metalist earlier in tcf_ife_init()
to avoid the following crash :
kasan: CONFIG_KASAN_INLINE enabled
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 10483 Comm: syz-executor216 Not tainted 5.5.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:_tcf_ife_cleanup net/sched/act_ife.c:412 [inline]
RIP: 0010:tcf_ife_cleanup+0x6e/0x400 net/sched/act_ife.c:431
Code: 48 c1 ea 03 80 3c 02 00 0f 85 94 03 00 00 49 8b bd f8 00 00 00 48 b8 00 00 00 00 00 fc ff df 4c 8d 67 e8 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 5c 03 00 00 48 bb 00 00 00 00 00 fc ff df 48 8b
RSP: 0018:ffffc90001dc6d00 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffffffff864619c0 RCX: ffffffff815bfa09
RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000000
RBP: ffffc90001dc6d50 R08: 0000000000000004 R09: fffff520003b8d8e
R10: fffff520003b8d8d R11: 0000000000000003 R12: ffffffffffffffe8
R13: ffff8880a79fc000 R14: ffff88809aba0e00 R15: 0000000000000000
FS: 0000000001b51880(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563f52cce140 CR3: 0000000093541000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
tcf_action_cleanup+0x62/0x1b0 net/sched/act_api.c:119
__tcf_action_put+0xfa/0x130 net/sched/act_api.c:135
__tcf_idr_release net/sched/act_api.c:165 [inline]
__tcf_idr_release+0x59/0xf0 net/sched/act_api.c:145
tcf_idr_release include/net/act_api.h:171 [inline]
tcf_ife_init+0x97c/0x1870 net/sched/act_ife.c:616
tcf_action_init_1+0x6b6/0xa40 net/sched/act_api.c:944
tcf_action_init+0x21a/0x330 net/sched/act_api.c:1000
tcf_action_add+0xf5/0x3b0 net/sched/act_api.c:1410
tc_ctl_action+0x390/0x488 net/sched/act_api.c:1465
rtnetlink_rcv_msg+0x45e/0xaf0 net/core/rtnetlink.c:5424
netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477
rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5442
netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
netlink_unicast+0x58c/0x7d0 net/netlink/af_netlink.c:1328
netlink_sendmsg+0x91c/0xea0 net/netlink/af_netlink.c:1917
sock_sendmsg_nosec net/socket.c:639 [inline]
sock_sendmsg+0xd7/0x130 net/socket.c:659
____sys_sendmsg+0x753/0x880 net/socket.c:2330
___sys_sendmsg+0x100/0x170 net/socket.c:2384
__sys_sendmsg+0x105/0x1d0 net/socket.c:2417
__do_sys_sendmsg net/socket.c:2426 [inline]
__se_sys_sendmsg net/socket.c:2424 [inline]
__x64_sys_sendmsg+0x78/0xb0 net/socket.c:2424
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
Fixes:
42667f36bc |
net: dsa: tag_qca: fix doubled Tx statistics
[ Upstream commit bd5874da57edd001b35cf28ae737779498c16a56 ]
DSA subsystem takes care of netdev statistics since commit
0e892fd84a |
net: avoid updating qdisc_xmit_lock_key in netdev_update_lockdep_key()
[ Upstream commit 53d374979ef147ab51f5d632dfe20b14aebeccd0 ]
syzbot reported some bogus lockdep warnings, for example bad unlock
balance in sch_direct_xmit(). They are due to a race condition between
slow path and fast path, that is qdisc_xmit_lock_key gets re-registered
in netdev_update_lockdep_key() on slow path, while we could still
acquire the queue->_xmit_lock on fast path in this small window:
CPU A                                  CPU B
__netif_tx_lock();
                                       lockdep_unregister_key(qdisc_xmit_lock_key);
__netif_tx_unlock();
                                       lockdep_register_key(qdisc_xmit_lock_key);
In fact, unlike the addr_list_lock which has to be reordered when
the master/slave device relationship changes, queue->_xmit_lock is
only acquired on fast path and only when NETIF_F_LLTX is not set,
so there is likely no nested locking for it.
Therefore, we can just get rid of re-registration of
qdisc_xmit_lock_key.
Reported-by: syzbot+4ec99438ed7450da6272@syzkaller.appspotmail.com
Fixes:
|
7c69f6a227 |
batman-adv: Fix DAT candidate selection on little endian systems
commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream.
The distributed arp table is using a DHT to store and retrieve MAC address
information for an IP address. This is done using unicast messages to
selected peers. The potential peers are looked up using the IP address and
the VID.
While the IP address is always stored in big endian byte order, this is not
the case of the VID. It can (depending on the host system) either be big
endian or little endian. The host must therefore always convert it to big
endian to ensure that all devices calculate the same peers for the same
lookup data.
Fixes:
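The candidate-selection problem described above, shown in C as an added example (not batman-adv code): the DHT lookup key is {IP, VID}, and the example lays that key out as a little-endian and a big-endian host would hash it, with and without converting the VID to network order. The key layout, the FNV-1a stand-in for batadv_hash_dat(), the DAT_ADDR_MAX value and the sample address 10.0.0.5 / VID 0x0123 are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define DAT_KEY_LEN  6        /* 4 bytes IPv4 + 2 bytes VID (assumed layout) */
#define DAT_ADDR_MAX 0xffffu  /* stand-in for BATADV_DAT_ADDR_MAX */

/* Constructed sample lookup: 10.0.0.5 on VLAN 0x0123. */
const uint8_t  SAMPLE_IP[4] = { 10, 0, 0, 5 };
const uint16_t SAMPLE_VID   = 0x0123;

/* Stand-in for batadv_hash_dat(): FNV-1a over the key bytes. The real hash
 * differs, but any byte-oriented hash exposes the same layout dependence. */
static uint32_t hash_key(const uint8_t *key, size_t len)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) {
        h ^= key[i];
        h *= 16777619u;
    }
    return h;
}

/* Lay out the {ip, vid} key as it sits in memory on a host of the given byte
 * order. The IP is already network order, so its bytes never move; the VID is
 * a host-order u16 unless convert_vid applies htons() first (the fix). */
void build_dat_key(uint8_t key[DAT_KEY_LEN], const uint8_t ip[4], uint16_t vid,
                   bool host_little_endian, bool convert_vid)
{
    memcpy(key, ip, 4);
    if (convert_vid || !host_little_endian) {  /* big-endian byte order */
        key[4] = (uint8_t)(vid >> 8);
        key[5] = (uint8_t)(vid & 0xff);
    } else {                                   /* native little-endian order */
        key[4] = (uint8_t)(vid & 0xff);
        key[5] = (uint8_t)(vid >> 8);
    }
}

/* The DHT slot the candidate search starts from for this (ip, vid). */
uint32_t dat_candidate_slot(const uint8_t ip[4], uint16_t vid,
                            bool host_little_endian, bool convert_vid)
{
    uint8_t key[DAT_KEY_LEN];
    build_dat_key(key, ip, vid, host_little_endian, convert_vid);
    return hash_key(key, DAT_KEY_LEN) % DAT_ADDR_MAX;
}

/* true when a little-endian and a big-endian host start from the same slot,
 * i.e. they will ask the same peers for this address. */
bool slots_agree_across_hosts(const uint8_t ip[4], uint16_t vid, bool convert_vid)
{
    return dat_candidate_slot(ip, vid, true, convert_vid) ==
           dat_candidate_slot(ip, vid, false, convert_vid);
}

/* true when the unconverted keys the two hosts would hash differ in bytes. */
bool raw_keys_differ_across_hosts(const uint8_t ip[4], uint16_t vid)
{
    uint8_t le[DAT_KEY_LEN], be[DAT_KEY_LEN];
    build_dat_key(le, ip, vid, true, false);
    build_dat_key(be, ip, vid, false, false);
    return memcmp(le, be, DAT_KEY_LEN) != 0;
}
```

Without the conversion the two hosts hash different byte strings for the same lookup and will almost always start from different slots, so a little-endian node queries a different set of peers than a big-endian one stored the entry with; with htons() applied the key bytes are identical on both and the slots agree.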
4921b2b1ca |
net: bpf: Don't leak time wait and request sockets
commit 2e012c74823629d9db27963c79caa3f5b2010746 upstream.
It's possible to leak time wait and request sockets via the following
BPF pseudo code:
sk = bpf_skc_lookup_tcp(...)
if (sk)
  bpf_sk_release(sk)
If sk->sk_state is TCP_NEW_SYN_RECV or TCP_TIME_WAIT the refcount taken
by bpf_skc_lookup_tcp is not undone by bpf_sk_release. This is because
sk_flags is re-used for other data in both kinds of sockets. The check
!sock_flag(sk, SOCK_RCU_FREE) therefore returns a bogus result.
Check that sk_flags is valid by calling sk_fullsock. Skip checking
SOCK_RCU_FREE if we already know that sk is not a full socket.
Fixes:
8f4dc50b5c |
netfilter: nf_tables: fix flowtable list del corruption
commit 335178d5429c4cee61b58f4ac80688f556630818 upstream.
syzbot reported following crash:
list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122)
[..]
Call Trace:
__list_del_entry include/linux/list.h:131 [inline]
list_del_rcu include/linux/rculist.h:148 [inline]
nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183
[..]
The commit transaction list has:
NFT_MSG_NEWTABLE
NFT_MSG_NEWFLOWTABLE
NFT_MSG_DELFLOWTABLE
NFT_MSG_DELTABLE
A missing generation check during DELTABLE processing causes it to queue
the DELFLOWTABLE operation a second time, so we corrupt the list here:
case NFT_MSG_DELFLOWTABLE:
list_del_rcu(&nft_trans_flowtable(trans)->list);
nf_tables_flowtable_notify(&trans->ctx,
because we have two different DELFLOWTABLE transactions for the same
flowtable. We then call list_del_rcu() twice for the same flowtable->list.
The object handling seems to suffer from the same bug so add a generation
check too and only queue delete transactions for flowtables/objects that
are still active in the next generation.
Reported-by: syzbot+37a6804945a3a13b1572@syzkaller.appspotmail.com
Fixes:
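The double-queued DELFLOWTABLE described above, modelled in C as an added example (not nf_tables code): it replays the four-message batch from the report through a small transaction log, once with the pre-patch DELTABLE that flushes every flowtable unconditionally and once with the generation check that skips flowtables no longer active in the next generation. The two-bit genmask convention is modelled after nf_tables' genmask helpers, but the structures, the `linked` flag standing in for list membership and the commit loop are assumptions of the model.

```c
#include <stdbool.h>
#include <stddef.h>

#define MAX_FT    4
#define MAX_TRANS 16

enum trans_type { NFT_MSG_NEWTABLE, NFT_MSG_NEWFLOWTABLE,
                  NFT_MSG_DELFLOWTABLE, NFT_MSG_DELTABLE };

/* A flowtable with an nf_tables-style two-bit genmask: a set bit means
 * "inactive in that generation". linked models membership in the table's
 * flowtable list (assumption of the model). */
struct flowtable { unsigned genmask; bool linked; };
struct table     { struct flowtable ft[MAX_FT]; int nft; };
struct trans     { enum trans_type type; struct flowtable *ft; };

struct net {
    unsigned base_seq;          /* generation counter */
    struct trans log[MAX_TRANS];
    int nlog;
    bool check_generation;      /* false: pre-patch DELTABLE, true: patched */
};

static unsigned genmask_cur(const struct net *net)  { return 1u << (net->base_seq & 1); }
static unsigned genmask_next(const struct net *net) { return 1u << ((net->base_seq + 1) & 1); }
static bool is_active_next(const struct net *net, const struct flowtable *ft)
{
    return !(ft->genmask & genmask_next(net));
}
static void deactivate_next(struct net *net, struct flowtable *ft)
{
    ft->genmask |= genmask_next(net);
}

static void queue_trans(struct net *net, enum trans_type type, struct flowtable *ft)
{
    if (net->nlog < MAX_TRANS)
        net->log[net->nlog++] = (struct trans){ type, ft };
}

/* NEWFLOWTABLE: the object exists but is active only from the next generation. */
static struct flowtable *new_flowtable(struct net *net, struct table *t)
{
    struct flowtable *ft = &t->ft[t->nft++];
    *ft = (struct flowtable){ .genmask = genmask_cur(net), .linked = true };
    queue_trans(net, NFT_MSG_NEWFLOWTABLE, ft);
    return ft;
}

/* DELFLOWTABLE: retire it from the next generation and queue the deletion. */
static void del_flowtable(struct net *net, struct flowtable *ft)
{
    deactivate_next(net, ft);
    queue_trans(net, NFT_MSG_DELFLOWTABLE, ft);
}

/* DELTABLE flushes the table's flowtables. Pre-patch it queues a DELFLOWTABLE
 * for every one of them, including one already deleted earlier in the batch;
 * the patched version only touches flowtables still active in the next gen. */
static void del_table(struct net *net, struct table *t)
{
    for (int i = 0; i < t->nft; i++) {
        if (net->check_generation && !is_active_next(net, &t->ft[i]))
            continue;
        del_flowtable(net, &t->ft[i]);
    }
    queue_trans(net, NFT_MSG_DELTABLE, NULL);
}

struct commit_result { int delflowtable_trans; int double_unlinks; };

/* Commit phase: each DELFLOWTABLE unlinks its flowtable once. Unlinking an
 * already unlinked entry is what list_del_rcu() reported as list corruption. */
static struct commit_result commit(struct net *net)
{
    struct commit_result r = { 0, 0 };
    for (int i = 0; i < net->nlog; i++) {
        struct trans *tr = &net->log[i];
        if (tr->type != NFT_MSG_DELFLOWTABLE)
            continue;
        r.delflowtable_trans++;
        if (!tr->ft->linked)
            r.double_unlinks++;
        tr->ft->linked = false;
    }
    net->base_seq++;
    return r;
}

/* Replays the batch from the report: NEWTABLE, NEWFLOWTABLE, DELFLOWTABLE,
 * DELTABLE, with or without the generation check in DELTABLE. */
struct commit_result replay_batch(bool check_generation)
{
    struct net net = { .base_seq = 1, .check_generation = check_generation };
    struct table t = { .nft = 0 };

    queue_trans(&net, NFT_MSG_NEWTABLE, NULL);
    struct flowtable *ft = new_flowtable(&net, &t);
    del_flowtable(&net, ft);
    del_table(&net, &t);
    return commit(&net);
}
```

Pre-patch the batch commits two DELFLOWTABLE transactions for the one flowtable and the second unlink hits an entry that is already gone; with the check, DELTABLE sees the flowtable is inactive in the next generation and queues nothing for it.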