4bd8a3c04c

4bd8a3c04c | This is the 5.4.190 stable release

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmJftBAACgkQONu9yGCS
aT4f7RAA1/eeQcfKsPYN7I2ToM1F6aB51wYt1Xj0ObYcHM/lm2JWzDu2UB+fTpem
rBKvoeA+/xb++vkxBXHpJTK6TIuYder0rGcgnTmbhQPpAb37T22n5P666STRoZV2
0AN0pzFVH+LjdZcPvfHCO/xmI3Z6ay3uWwp0G4tNUUdhpl/K/3dludP8yxX4EBaD
UJOKVRWp16rcSj4NtOKjrEADeKymqnsUnjEB5KU3gEfqaDhwEeZc9rw5zWZvRIZ7
9zJkQcHAMWi2oA/wPLbiNF+Be20K1hqT8UV8WgrRyLS8JJuACZodDBchftXYwuQq
IqKMbpj+8XS9Yqxujgc+NVDOi5l4vg9Kol4LiHfax/LtRuc+DyqxZimRzVHi/Joz
/+lx3urUKzhRPNPR0fUhxwpoOYxilmI0N+ahr40PT+nq0eVOXXwTd8balmhxCpc6
1ssG+g5R0Ij0CblpzEJXodNDkJ00pxRTGRYUmqBwjVMOHt0RTwHfK4qeluPoyC19
X8YdAdrmm4BT9KPUJvStzWIZfKBE+cuho5dCB56e/keg0T9Q98zL9mXPnli0UVOW
oD7DZxOQVaJZV6QqYpkxpeut0zN1Fnyih9lkvgY3Y5dlIGZ5PbIDK4sDmo/5RTZE
Y1xu87ujBcAbDVN6j8TQmj71iikd4qfGI9vvFiHyK5Zg0rSXyfY=
=dDvH
-----END PGP SIGNATURE-----

Merge 5.4.190 into android11-5.4-lts

Changes in 5.4.190
memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
net/sched: flower: fix parsing of ethertype following VLAN header
veth: Ensure eth header is in skb's linear part
gpiolib: acpi: use correct format characters
mlxsw: i2c: Fix initialization error flow
net/sched: fix initialization order when updating chain 0 head
net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
net/sched: taprio: Check if socket flags are valid
cfg80211: hold bss_lock while updating nontrans_list
drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init()
net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
sctp: Initialize daddr on peeled off socket
testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu set
nfc: nci: add flush_workqueue to prevent uaf
cifs: potential buffer overflow in handling symlinks
drm/amd: Add USBC connector ID
drm/amd/display: fix audio format not updated after edid updated
drm/amd/display: Update VTEM Infopacket definition
drm/amdkfd: Fix Incorrect VMIDs passed to HWS
drm/amdkfd: Check for potential null return of kmalloc_array()
Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
scsi: target: tcmu: Fix possible page UAF
scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
net: micrel: fix KS8851_MLL Kconfig
ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
gpu: ipu-v3: Fix dev_dbg frequency output
regulator: wm8994: Add an off-on delay for WM8994 variant
arm64: alternatives: mark patch_alternative() as `noinstr`
tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry
net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
drm/amd/display: Fix allocate_mst_payload assert on resume
powerpc: Fix virt_addr_valid() for 64-bit Book3E & 32-bit
scsi: mvsas: Add PCI ID of RocketRaid 2640
scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan
drivers: net: slip: fix NPD bug in sl_tx_timeout()
perf/imx_ddr: Fix undefined behavior due to shift overflowing the constant
mm, page_alloc: fix build_zonerefs_node()
mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
gcc-plugins: latent_entropy: use /dev/urandom
ath9k: Properly clear TX status area before reporting to mac80211
ath9k: Fix usage of driver-private space in tx_info
btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
btrfs: mark resumed async balance as writing
ALSA: hda/realtek: Add quirk for Clevo PD50PNT
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
ipv6: fix panic when forwarding a pkt with no in6 dev
drm/amd/display: don't ignore alpha property on pre-multiplied mode
genirq/affinity: Consider that CPUs on nodes can be unbalanced
tick/nohz: Use WARN_ON_ONCE() to prevent console saturation
ARM: davinci: da850-evm: Avoid NULL pointer dereference
dm integrity: fix memory corruption when tag_size is less than digest size
smp: Fix offline cpu check in flush_smp_call_function_queue()
i2c: pasemi: Wait for write xfers to finish
dma-direct: avoid redundant memory sync for swiotlb
ax25: add refcount in ax25_dev to avoid UAF bugs
ax25: fix reference count leaks of ax25_dev
ax25: fix UAF bugs of net_device caused by rebinding operation
ax25: Fix refcount leaks caused by ax25_cb_del()
ax25: fix UAF bug in ax25_send_control()
ax25: fix NPD bug in ax25_disconnect
ax25: Fix NULL pointer dereferences in ax25 timers
ax25: Fix UAF bugs in ax25 timers
Linux 5.4.190

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I375cb1d55a4a40c1c31b86c87ddb9235cefcb902

37e54d151e | sctp: Initialize daddr on peeled off socket

[ Upstream commit 8467dda0c26583547731e7f3ea73fc3856bae3bf ]

Function sctp_do_peeloff() wrongly initializes daddr of the original
socket instead of the peeled off socket, which makes getpeername()
return zeroes instead of the primary address. Initialize the new socket
instead.

Fixes:

f54aeabbaa | This is the 5.4.186 stable release

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmI1zzcACgkQONu9yGCS
aT5M/BAAlRumKfKfoizHPE+K5rKMJNkG+FeTEZMg1BHs94lkcVCkilaIpeAqAD8z
UwSH7fxI27x2CJo070o4DgNlWSuujvv+lzpLp3ffy8+SBi59MCsQGD/U+wc65GRB
PXhPyBYrkzmgT8eoY/6vsZaWIPt5KGOxcuG3epaO6Hoi3MpXBdsyQ7hPqMKN2HAQ
h3sNCfr6rpg8uFAN54PUzjamFHc1rpDmilQJyxDA7eTQQavVlldwC9Be0Vwcz/m8
KY8gBZ6E/SFnQL7W4tRi+sPL5lE7F4BvwuO3Xm+pERoBCejp+v1CLluaUJDjuer3
wi8gPzoG4+R3tNWlPhFFcht82DiaPG6u4BCYn1LpdRvYitHUl6mXNKV7c2SkyPoA
fO4MRhqWgAkrEF2mEXLQhrz2JZO5NZI88lRLQaonihmHOVlLF2qN9NKM3CzAmT3A
Bl+RA0AZeUfmJ3wpAP5g/PcrQqIYUdXcw6F4qTa+ejxB22qro8lk0QALBduY6OmO
VeCdTW995120V24mNZ3yp7tt9trSJS4nbzcD6ue1WRr8UqqJAbmUQF7nWkL5uaYM
ZeOqJnTlehPv6m+8I3L19MZEfnJy210PX2ANSyvTFwoOClETigEoLF2GVsw2xSZS
vcmZ3oe/I9z+o3zqhw2o6gN7dDaWeDVisr422fsFNz9XxvI6oK4=
=6fe8
-----END PGP SIGNATURE-----

Merge 5.4.186 into android11-5.4-lts

Changes in 5.4.186
Revert "xfrm: state and policy should fail if XFRMA_IF_ID 0"
sctp: fix the processing for INIT chunk
arm64: Add part number for Arm Cortex-A77
arm64: Add Neoverse-N2, Cortex-A710 CPU part definition
arm64: add ID_AA64ISAR2_EL1 sys register
arm64: Add Cortex-X2 CPU part definition
arm64: entry.S: Add ventry overflow sanity checks
arm64: entry: Make the trampoline cleanup optional
arm64: entry: Free up another register on kpti's tramp_exit path
arm64: entry: Move the trampoline data page before the text page
arm64: entry: Allow tramp_alias to access symbols after the 4K boundary
arm64: entry: Don't assume tramp_vectors is the start of the vectors
arm64: entry: Move trampoline macros out of ifdef'd section
arm64: entry: Make the kpti trampoline's kpti sequence optional
arm64: entry: Allow the trampoline text to occupy multiple pages
arm64: entry: Add non-kpti __bp_harden_el1_vectors for mitigations
arm64: entry: Add vectors that have the bhb mitigation sequences
arm64: entry: Add macro for reading symbol addresses from the trampoline
arm64: Add percpu vectors for EL1
arm64: proton-pack: Report Spectre-BHB vulnerabilities as part of Spectre-v2
KVM: arm64: Add templates for BHB mitigation sequences
arm64: Mitigate spectre style branch history side channels
KVM: arm64: Allow SMCCC_ARCH_WORKAROUND_3 to be discovered and migrated
arm64: Use the clearbhb instruction in mitigations
xfrm: Check if_id in xfrm_migrate
xfrm: Fix xfrm migrate issues when address family changes
arm64: dts: rockchip: fix rk3399-puma eMMC HS400 signal integrity
arm64: dts: rockchip: reorder rk3399 hdmi clocks
arm64: dts: agilex: use the compatible "intel,socfpga-agilex-hsotg"
ARM: dts: rockchip: reorder rk322x hmdi clocks
ARM: dts: rockchip: fix a typo on rk3288 crypto-controller
mac80211: refuse aggregations sessions before authorized
MIPS: smp: fill in sibling and core maps earlier
ARM: 9178/1: fix unmet dependency on BITREVERSE for HAVE_ARCH_BITREVERSE
can: rcar_canfd: rcar_canfd_channel_probe(): register the CAN device when fully ready
atm: firestream: check the return value of ioremap() in fs_init()
iwlwifi: don't advertise TWT support
drm/vrr: Set VRR capable prop only if it is attached to connector
nl80211: Update bss channel on channel switch for P2P_CLIENT
tcp: make tcp_read_sock() more robust
sfc: extend the locking on mcdi->seqno
kselftest/vm: fix tests build with old libc
fixup for "arm64 entry: Add macro for reading symbol address from the trampoline"
Linux 5.4.186

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic884f35fbfce5fb9cec1cb44bbc493f5942b2c83

0b84cfaefe | sctp: fix the processing for INIT chunk

commit eae5783908042a762c24e1bd11876edb91d314b1 upstream.

This patch fixes the problems below:

1. In non-shutdown_ack_sent states: in sctp_sf_do_5_1B_init() and
sctp_sf_do_5_2_2_dupinit():
the chunk length check should be done before any checks that may cause
an abort to be sent, as making the packet for the abort will access the
init_tag from init_hdr in sctp_ootb_pkt_new().

2. In shutdown_ack_sent state: in sctp_sf_do_9_2_reshutack():
the same checks as are done in sctp_sf_do_5_2_2_dupinit() are needed
for sctp_sf_do_9_2_reshutack().

Fixes:

80b62a22cd | This is the 5.4.185 stable release

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmIx2SQACgkQONu9yGCS
aT5DCRAAy0griTHuolGm0TX853F/4Xe2EHxif+f3iByyZpIecv/pCeZM9WO0Kusf
P53xFOlU1hv6xvrA/jyqzATo3LWCj+GvbEZxdJuMRE2nKcmhREICSbe7+FL9ZlNf
nFjQcmJNAouXqQ14U2Vhtrapt35PlC+cX6FhKiAbTVJSpCNWIxrCvOiKKS1PWqfd
RlG9cOSvf+Z8deJNdBQjwLGp4h5SnubslmKSYWVGM+TA97dkEpE7H4PnfmcUgPr6
Sy/DqBrNPnaT+AvlKcaSkkPBNrwYaMVB4M7ttkreq38yA/2oqIpQCWahexCnh4Il
LlWU/yUYqL5+Zw8EfjC6BzEqJxkGFQFokO0wg5+ZmB16FUdEJjYnVe+eOuI/owTC
ModNEJRSX0tjfS5zfqmGBeZT/K9ZlLholZlON8IUWS0HA/R2jjAJJbJvKntDimsS
V9XfsB3dkW6eIqVvNHaTri65z7j6x6kKz91C+6bHjtrbhImNHbcvCx2WEVsUGeT8
0I6iq1OK5QMHwpXU+oSUCR3rZwlpldiWdVvI4w7G3XE91xz6B8Ghi5bwsKMDMjbH
Tnh+oHwfNfoM6BwCbU0rRHGXOWBI+kfZUKLuwLZz27talIohze9JqWNcfKlX/b50
qIJNJLf1+HRYphNgjb4UPUa9FTA+zvtboAK9Auw/RU1n9xBEjGI=
=j2mc
-----END PGP SIGNATURE-----

Merge 5.4.185 into android11-5.4-lts

Changes in 5.4.185
clk: qcom: gdsc: Add support to update GDSC transition delay
arm64: dts: armada-3720-turris-mox: Add missing ethernet0 alias
virtio-blk: Don't use MAX_DISCARD_SEGMENTS if max_discard_seg is zero
net: qlogic: check the return value of dma_alloc_coherent() in qed_vf_hw_prepare()
qed: return status of qed_iov_get_link
drm/sun4i: mixer: Fix P010 and P210 format numbers
ARM: dts: aspeed: Fix AST2600 quad spi group
ethernet: Fix error handling in xemaclite_of_probe
net: ethernet: ti: cpts: Handle error for clk_enable
net: ethernet: lpc_eth: Handle error for clk_enable
ax25: Fix NULL pointer dereference in ax25_kill_by_device
net/mlx5: Fix size field in bufferx_reg struct
net/mlx5: Fix a race on command flush flow
NFC: port100: fix use-after-free in port100_send_complete
selftests: pmtu.sh: Kill tcpdump processes launched by subshell.
gpio: ts4900: Do not set DAT and OE together
gianfar: ethtool: Fix refcount leak in gfar_get_ts_info
net: phy: DP83822: clear MISR2 register to disable interrupts
sctp: fix kernel-infoleak for SCTP sockets
net: bcmgenet: Don't claim WOL when its not available
selftests/bpf: Add test for bpf_timer overwriting crash
net-sysfs: add check for netdevice being present to speed_show
Revert "xen-netback: remove 'hotplug-status' once it has served its purpose"
Revert "xen-netback: Check for hotplug-status existence before watching"
ipv6: prevent a possible race condition with lifetimes
tracing: Ensure trace buffer is at least 4096 bytes large
selftest/vm: fix map_fixed_noreplace test failure
selftests/memfd: clean up mapping in mfd_fail_write
ARM: Spectre-BHB: provide empty stub for non-config
fuse: fix pipe buffer lifetime for direct_io
staging: gdm724x: fix use after free in gdm_lte_rx()
net: macb: Fix lost RX packet wakeup race in NAPI receive
mmc: meson: Fix usage of meson_mmc_post_req()
riscv: Fix auipc+jalr relocation range checks
arm64: dts: marvell: armada-37xx: Remap IO space to bus address 0x0
virtio: unexport virtio_finalize_features
virtio: acknowledge all features before access
ARM: fix Thumb2 regression with Spectre BHB
ext4: add check to prevent attempting to resize an fs with sparse_super2
x86/cpufeatures: Mark two free bits in word 3
x86/cpu: Add hardware-enforced cache coherency as a CPUID feature
x86/mm/pat: Don't flush cache if hardware enforces cache coherency across encryption domnains
KVM: SVM: Don't flush cache if hardware enforces cache coherency across encryption domains
Linux 5.4.185

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I35a63fb952ac7b80888f54bbef02dbf6d11f2e93

bbf59d7ae5 | sctp: fix kernel-infoleak for SCTP sockets

[ Upstream commit 633593a808980f82d251d0ca89730d8bb8b0220c ]

syzbot reported a kernel infoleak [1] of 4 bytes.

After analysis, it turned out r->idiag_expires is not initialized
if inet_sctp_diag_fill() calls inet_diag_msg_common_fill().

Make sure to clear idiag_timer/idiag_retrans/idiag_expires
and let inet_diag_msg_sctpasoc_fill() fill them again if needed.

[1]
BUG: KMSAN: kernel-infoleak in instrument_copy_to_user include/linux/instrumented.h:121 [inline]
BUG: KMSAN: kernel-infoleak in copyout lib/iov_iter.c:154 [inline]
BUG: KMSAN: kernel-infoleak in _copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
instrument_copy_to_user include/linux/instrumented.h:121 [inline]
copyout lib/iov_iter.c:154 [inline]
_copy_to_iter+0x6ef/0x25a0 lib/iov_iter.c:668
copy_to_iter include/linux/uio.h:162 [inline]
simple_copy_to_iter+0xf3/0x140 net/core/datagram.c:519
__skb_datagram_iter+0x2d5/0x11b0 net/core/datagram.c:425
skb_copy_datagram_iter+0xdc/0x270 net/core/datagram.c:533
skb_copy_datagram_msg include/linux/skbuff.h:3696 [inline]
netlink_recvmsg+0x669/0x1c80 net/netlink/af_netlink.c:1977
sock_recvmsg_nosec net/socket.c:948 [inline]
sock_recvmsg net/socket.c:966 [inline]
__sys_recvfrom+0x795/0xa10 net/socket.c:2097
__do_sys_recvfrom net/socket.c:2115 [inline]
__se_sys_recvfrom net/socket.c:2111 [inline]
__x64_sys_recvfrom+0x19d/0x210 net/socket.c:2111
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
Uninit was created at:
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3247 [inline]
__kmalloc_node_track_caller+0xe0c/0x1510 mm/slub.c:4975
kmalloc_reserve net/core/skbuff.c:354 [inline]
__alloc_skb+0x545/0xf90 net/core/skbuff.c:426
alloc_skb include/linux/skbuff.h:1158 [inline]
netlink_dump+0x3e5/0x16c0 net/netlink/af_netlink.c:2248
__netlink_dump_start+0xcf8/0xe90 net/netlink/af_netlink.c:2373
netlink_dump_start include/linux/netlink.h:254 [inline]
inet_diag_handler_cmd+0x2e7/0x400 net/ipv4/inet_diag.c:1341
sock_diag_rcv_msg+0x24a/0x620
netlink_rcv_skb+0x40c/0x7e0 net/netlink/af_netlink.c:2494
sock_diag_rcv+0x63/0x80 net/core/sock_diag.c:277
netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
netlink_unicast+0x1093/0x1360 net/netlink/af_netlink.c:1343
netlink_sendmsg+0x14d9/0x1720 net/netlink/af_netlink.c:1919
sock_sendmsg_nosec net/socket.c:705 [inline]
sock_sendmsg net/socket.c:725 [inline]
sock_write_iter+0x594/0x690 net/socket.c:1061
do_iter_readv_writev+0xa7f/0xc70
do_iter_write+0x52c/0x1500 fs/read_write.c:851
vfs_writev fs/read_write.c:924 [inline]
do_writev+0x645/0xe00 fs/read_write.c:967
__do_sys_writev fs/read_write.c:1040 [inline]
__se_sys_writev fs/read_write.c:1037 [inline]
__x64_sys_writev+0xe5/0x120 fs/read_write.c:1037
do_syscall_x64 arch/x86/entry/common.c:51 [inline]
do_syscall_64+0x54/0xd0 arch/x86/entry/common.c:82
entry_SYSCALL_64_after_hwframe+0x44/0xae
Bytes 68-71 of 2508 are uninitialized
Memory access of size 2508 starts at ffff888114f9b000
Data copied to user address 00007f7fe09ff2e0
CPU: 1 PID: 3478 Comm: syz-executor306 Not tainted 5.17.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes:

7ada083540 | This is the 5.4.170 stable release

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmHVgw8ACgkQONu9yGCS
aT71vhAAgVauEQ0nyXBUsH7vqKS6tYdcjoOor8FdNYSfoZ7iY6MptIdtHMVA0MxZ
793CRZDc7cyNtNVhGIomSzLPI4Nb/U5g57xfGrIQZ9Yzv1vcDsC8iEU1GLELWVAO
1gX6oyVJMXQb4JrbGGdP3QPqLPa6ekZ07c3/Dt2p32e+yqm3JvrcaDqklR7qSzBi
Nx6VWp2ZxbvDqmzhzzVX+wWoB1darxp1I08ZgPMqsAbn78MelxrOxp8asNVuJQip
KusrhdA4xSrXHfzYj1oxSAWctA0mlHJVie+/x+DPDKDP7/zIop+58fEbSEPLcDHA
d+19gkNuNR0CtmEPACm/DAPU/iKiuK1YhmfGvPWQHdQCGQxxMKAdS0sH7BqQ2NU6
c7QiRA0Q3JNc+D2TGO5e2u1D5jqsVnBRaEAOnrHwnX6Dx27I8vwIsSKF1Si6TCdU
S7whO8n1r7are5Ahaak25qR83wIpn/2fL4Q0AzP7Ox9kue7ceDQ42RfPzNoYh3LS
ITJxRbxZYsnOHjlDS4dc5Hih+WioclSALmYhzSbWsjepzyv0EVEup6vzBffY5A4k
ENlXQOCV7jZdfZ+ZdMI+kR9cTGO1F7Le5UKp4H+a0qpY/MWIlUI1C7qWDp5YZTsi
2iYwzrOpKCgqrMBhAR2jHeqmqItkal1dsTvrh2Lwc+3FPYRjNoo=
=Lkh+
-----END PGP SIGNATURE-----

Merge 5.4.170 into android11-5.4-lts

Changes in 5.4.170
HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option
tee: handle lookup of shm with reference count 0
Input: i8042 - add deferred probe support
Input: i8042 - enable deferred probe quirk for ASUS UM325UA
tomoyo: Check exceeded quota early in tomoyo_domain_quota_is_ok().
platform/x86: apple-gmux: use resource_size() with res
memblock: fix memblock_phys_alloc() section mismatch error
recordmcount.pl: fix typo in s390 mcount regex
selinux: initialize proto variable in selinux_ip_postroute_compat()
scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write()
net/mlx5: DR, Fix NULL vs IS_ERR checking in dr_domain_init_resources
udp: using datalen to cap ipv6 udp max gso segments
selftests: Calculate udpgso segment count without header adjustment
sctp: use call_rcu to free endpoint
net: usb: pegasus: Do not drop long Ethernet frames
net: lantiq_xrx200: fix statistics of received bytes
NFC: st21nfca: Fix memory leak in device probe and remove
ionic: Initialize the 'lif->dbid_inuse' bitmap
net/mlx5e: Fix wrong features assignment in case of error
selftests/net: udpgso_bench_tx: fix dst ip argument
net/ncsi: check for error return from call to nla_put_u32
fsl/fman: Fix missing put_device() call in fman_port_probe
i2c: validate user data in compat ioctl
nfc: uapi: use kernel size_t to fix user-space builds
uapi: fix linux/nfc.h userspace compilation errors
xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set.
usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear.
usb: mtu3: add memory barrier before set GPD's HWO
usb: mtu3: fix list_head check warning
usb: mtu3: set interval of FS intr and isoc endpoint
binder: fix async_free_space accounting for empty parcels
scsi: vmw_pvscsi: Set residual data length conditionally
Input: appletouch - initialize work before device registration
Input: spaceball - fix parsing of movement data packets
net: fix use-after-free in tw_timer_handler
perf script: Fix CPU filtering of a script's switch events
Linux 5.4.170

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic66d754505081f001b420af0ee4c8da1edf5c27f

831de27145 | sctp: use call_rcu to free endpoint

[ Upstream commit 5ec7d18d1813a5bead0b495045606c93873aecbb ]

This patch is to delay the endpoint free by calling call_rcu() to fix
another use-after-free issue in sctp_sock_dump():

BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
Call Trace:
__lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
spin_lock_bh include/linux/spinlock.h:334 [inline]
__lock_sock+0x203/0x350 net/core/sock.c:2253
lock_sock_nested+0xfe/0x120 net/core/sock.c:2774
lock_sock include/net/sock.h:1492 [inline]
sctp_sock_dump+0x122/0xb20 net/sctp/diag.c:324
sctp_for_each_transport+0x2b5/0x370 net/sctp/socket.c:5091
sctp_diag_dump+0x3ac/0x660 net/sctp/diag.c:527
__inet_diag_dump+0xa8/0x140 net/ipv4/inet_diag.c:1049
inet_diag_dump+0x9b/0x110 net/ipv4/inet_diag.c:1065
netlink_dump+0x606/0x1080 net/netlink/af_netlink.c:2244
__netlink_dump_start+0x59a/0x7c0 net/netlink/af_netlink.c:2352
netlink_dump_start include/linux/netlink.h:216 [inline]
inet_diag_handler_cmd+0x2ce/0x3f0 net/ipv4/inet_diag.c:1170
__sock_diag_cmd net/core/sock_diag.c:232 [inline]
sock_diag_rcv_msg+0x31d/0x410 net/core/sock_diag.c:263
netlink_rcv_skb+0x172/0x440 net/netlink/af_netlink.c:2477
sock_diag_rcv+0x2a/0x40 net/core/sock_diag.c:274

This issue occurs when asoc is peeled off and the old sk is freed after
getting it by asoc->base.sk and before calling lock_sock(sk).

To prevent the sk free, as a holder of the sk, ep should be alive when
calling lock_sock(). This patch uses call_rcu() and moves sock_put and
ep free into sctp_endpoint_destroy_rcu(), so that it's safe to try to
hold the ep under rcu_read_lock in sctp_transport_traverse_process().

If sctp_endpoint_hold() returns true, it means this ep is still alive
and we have held it and can continue to dump it; if it returns false,
it means this ep is dead and can be freed after rcu_read_unlock, and
we should skip it.

In sctp_sock_dump(), after locking the sk, if this ep is different from
tsp->asoc->ep, it means during this dumping, this asoc was peeled off
before calling lock_sock(), and the sk should be skipped; if this ep is
the same as tsp->asoc->ep, it means no peeloff happens on this asoc,
and due to lock_sock, no peeloff will happen either until release_sock.

Note that delaying endpoint free won't delay the port release, as the
port release happens in sctp_endpoint_destroy() before calling call_rcu().
Also, freeing endpoint by call_rcu() makes it safe to access the sk by
asoc->base.sk in sctp_assocs_seq_show() and sctp_rcv().

Thanks to Jones for bringing this issue up.

v1->v2:
- improve the changelog.
- add kfree(ep) into sctp_endpoint_destroy_rcu(), as Jakub noticed.

Reported-by: syzbot+9276d76e83e3bcde6c99@syzkaller.appspotmail.com
Reported-by: Lee Jones <lee.jones@linaro.org>
Fixes:

553d3c4173 | This is the 5.4.157 stable release

-----BEGIN PGP SIGNATURE-----

iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGBh6EACgkQONu9yGCS
aT4J7A//f9Hx5zW04Y1HOqF4Cd3zDTjSVLzgArYwHRsO22+jin+SqgxgjeXhW0d8
3VkZeSaSvEuwWMB8HCuayl88nzDudFNHm/XReCTnt4uKiP8VOFoDMHQGDeGGl6Rr
U2212K8Q3xIkA5OYa5Oma1/IbnL7XDUnte4iHTvIYiBvNwFFd3rDiCUi9sdFti0P
SWZI0jFtkZVztohayTdb9y5dcIMiLbvtJEB0aX1XAmHiFWqgD0maVym2fdX2L+5c
p6O+eZxRH0LEVham6URh61YnD9b1by+bcIUdWlgnmZkPAf3AXskmWBo1bIcISSXC
M/8RlBqlNgKVXD0Y7890ytkTQF+EQgILj0lR5plaeYIp47YyOTYLFg/Ues7dRhn6
XeP3sP/viqguYNzE54dX3t5HfYTbW3h/xzEXMoVZPuPRcM2f/YGAiOjxVyjv5hgv
/4bQ1E9gfkNprXiDAad0VUfokxcqzFQR6s9asqmXaaNbvZ1a0Mk8UeR0qcl0FTvw
dC6tQZgW2+d0Yi5kAG8pv/RCbZzgJwJa/tJ+I67XYdMUvISXkaGF5hMx6WG7wZBF
NSW5JsBh0m8b2hKyypA3sktK0DJfx01y3/wZSXgAv+8by66hvQQuDN1mftChQnZH
SAmQovITD85QXZ3LPiAZPtd2fRKAOWJhSQk7bP4cEmjBGPb4HoU=
=q1OB
-----END PGP SIGNATURE-----

Merge 5.4.157 into android11-5.4-lts

Changes in 5.4.157
ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned
ARM: 9134/1: remove duplicate memcpy() definition
ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype
ARM: 9141/1: only warn about XIP address when not compile testing
powerpc/bpf: Fix BPF_MOD when imm == 1
ipv6: use siphash in rt6_exception_hash()
ipv4: use siphash instead of Jenkins in fnhe_hashfun()
usbnet: sanity check for maxpacket
usbnet: fix error return code in usbnet_probe()
Revert "pinctrl: bcm: ns: support updated DT binding as syscon subnode"
ata: sata_mv: Fix the error handling of mv_chip_id()
nfc: port100: fix using -ERRNO as command type mask
Revert "net: mdiobus: Fix memory leak in __mdiobus_register"
net/tls: Fix flipped sign in tls_err_abort() calls
mmc: vub300: fix control-message timeouts
mmc: cqhci: clear HALT state after CQE enable
mmc: dw_mmc: exynos: fix the finding clock sample value
mmc: sdhci: Map more voltage level to SDHCI_POWER_330
mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit
cfg80211: scan: fix RCU in cfg80211_add_nontrans_list()
net: lan78xx: fix division by zero in send path
drm/ttm: fix memleak in ttm_transfered_destroy
tcp_bpf: Fix one concurrency problem in the tcp_bpf_send_verdict function
IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields
IB/hfi1: Fix abba locking issue with sc_disable()
nvmet-tcp: fix data digest pointer calculation
nvme-tcp: fix data digest pointer calculation
RDMA/mlx5: Set user priority for DCT
arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node
regmap: Fix possible double-free in regcache_rbtree_exit()
net: batman-adv: fix error handling
net: Prevent infinite while loop in skb_tx_hash()
RDMA/sa_query: Use strscpy_pad instead of memcpy to copy a string
nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST
net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails
net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent
net: nxp: lpc_eth.c: avoid hang when bringing interface down
net/tls: Fix flipped sign in async_wait.err assignment
phy: phy_ethtool_ksettings_get: Lock the phy for consistency
phy: phy_start_aneg: Add an unlocked version
sctp: use init_tag from inithdr for ABORT chunk
sctp: fix the processing for INIT_ACK chunk
sctp: fix the processing for COOKIE_ECHO chunk
sctp: add vtag check in sctp_sf_violation
sctp: add vtag check in sctp_sf_do_8_5_1_E_sa
sctp: add vtag check in sctp_sf_ootb
net: use netif_is_bridge_port() to check for IFF_BRIDGE_PORT
cfg80211: correct bridge/4addr mode check
KVM: s390: clear kicked_mask before sleeping again
KVM: s390: preserve deliverable_mask in __airqs_kick_single_vcpu
perf script: Check session->header.env.arch before using it
Linux 5.4.157

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8dd3b408b22bc98c06b6a941260157df2a40de00

0f5b4c57dc | sctp: add vtag check in sctp_sf_ootb

[ Upstream commit 9d02831e517aa36ee6bdb453a0eb47bd49923fe3 ]

sctp_sf_ootb() is called when processing a DATA chunk in closed state,
and many other places are also using it.

The vtag in the chunk's sctphdr should be verified, otherwise, as
later in the chunk length check, it may send an abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.

When it fails to verify the vtag from the chunk, this patch sets asoc
to NULL, so that the abort will be made with the vtag from the
received chunk later.

Fixes:

df52776407 | sctp: add vtag check in sctp_sf_do_8_5_1_E_sa

[ Upstream commit ef16b1734f0a176277b7bb9c71a6d977a6ef3998 ]

sctp_sf_do_8_5_1_E_sa() is called when processing a SHUTDOWN_ACK chunk
in cookie_wait and cookie_echoed state.

The vtag in the chunk's sctphdr should be verified, otherwise, as
later in the chunk length check, it may send an abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.

Note that when it fails to verify the vtag from the SHUTDOWN-ACK chunk,
a SHUTDOWN COMPLETE message will still be sent back to the peer, but
with the vtag from the SHUTDOWN-ACK chunk, as said in 5) of
rfc4960#section-8.4.

While at it, also remove the unnecessary chunk length check from
sctp_sf_shut_8_4_5(), as it's already done in both places where
it calls sctp_sf_shut_8_4_5().

Fixes:

0aa322b5fe | sctp: add vtag check in sctp_sf_violation

[ Upstream commit aa0f697e45286a6b5f0ceca9418acf54b9099d99 ]

sctp_sf_violation() is called when processing a HEARTBEAT_ACK chunk
in cookie_wait state, and some other places are also using it.

The vtag in the chunk's sctphdr should be verified, otherwise, as
later in the chunk length check, it may send an abort with the existent
asoc's vtag, which can be exploited by one to cook a malicious
chunk to terminate a SCTP asoc.

Fixes:

d6470c2200 | sctp: fix the processing for COOKIE_ECHO chunk

[ Upstream commit a64b341b8695e1c744dd972b39868371b4f68f83 ]

1. In closed state: in sctp_sf_do_5_1D_ce():
When asoc is NULL, making the packet for the abort will use the chunk's
vtag in sctp_ootb_pkt_new(). But when asoc exists, the vtag from the
chunk should be verified before using peer.i.init_tag to make the packet
for the abort in sctp_ootb_pkt_new(), and just discard it if the vtag is
not correct.

2. In the other states: in sctp_sf_do_5_2_4_dupcook():
asoc always exists, but the duplicate cookie_echo's vtag will be
handled by sctp_tietags_compare(), which then takes actions, so before
that we only verify the vtag for the abort sent for an invalid chunk
length.

Fixes:

5fe74d5e4d | sctp: fix the processing for INIT_ACK chunk

[ Upstream commit 438b95a7c98f77d51cbf4db021f41b602d750a3f ]

Currently an INIT_ACK chunk in non-cookie_echoed state is processed in
sctp_sf_discard_chunk() to send an abort with the existent asoc's
vtag if the chunk length is not valid. But the vtag in the chunk's
sctphdr is not verified, which may be exploited by one to cook a
malicious chunk to terminate a SCTP asoc.

sctp_sf_discard_chunk() is also called in many other places to send
an abort, and most of those have this problem. This patch is to fix
it by sending the abort with the existent asoc's vtag only if the vtag
from the chunk's sctphdr is verified in sctp_sf_discard_chunk().

Note on sctp_sf_do_9_1_abort() and sctp_sf_shutdown_pending_abort(),
the chunk length has been verified before sctp_sf_discard_chunk(),
so replace it with sctp_sf_discard(). On sctp_sf_do_asconf_ack() and
sctp_sf_do_asconf(), move the sctp_chunk_length_valid check ahead of
sctp_sf_discard_chunk(), then replace it with sctp_sf_discard().

Fixes:

5953ee99ba | sctp: use init_tag from inithdr for ABORT chunk

[ Upstream commit 4f7019c7eb33967eb87766e0e4602b5576873680 ]

Currently Linux SCTP uses the verification tag of the existing SCTP
asoc when failing to process and sending the packet with the ABORT
chunk. This will result in the peer accepting the ABORT chunk and
removing the SCTP asoc. One could exploit this to terminate a SCTP
asoc.

This patch is to fix it by always using the initiate tag of the
received INIT chunk for the ABORT chunk to be sent.

Fixes:
|
fa6db42758 |
This is the 5.4.155 stable release
Merge 5.4.155 into android11-5.4-lts
Changes in 5.4.155
ovl: simplify file splice
ALSA: usb-audio: Add quirk for VF0770
ALSA: seq: Fix a potential UAF by wrong private_free call order
ALSA: hda/realtek: Complete partial device name to avoid ambiguity
ALSA: hda/realtek: Add quirk for Clevo X170KM-G
ALSA: hda/realtek - ALC236 headset MIC recording issue
ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW
nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^'
s390: fix strrchr() implementation
csky: don't let sigreturn play with priveleged bits of status register
csky: Fixup regs.sr broken in ptrace
btrfs: unlock newly allocated extent buffer after error
btrfs: deal with errors when replaying dir entry during log replay
btrfs: deal with errors when adding inode reference during log replay
btrfs: check for error when looking up inode during dir entry replay
watchdog: orion: use 0 for unset heartbeat
x86/resctrl: Free the ctrlval arrays when domain_setup_mon_state() fails
mei: me: add Ice Lake-N device id.
xhci: guard accesses to ep_state in xhci_endpoint_reset()
xhci: Fix command ring pointer corruption while aborting a command
xhci: Enable trust tx length quirk for Fresco FL11 USB controller
cb710: avoid NULL pointer subtraction
efi/cper: use stack buffer for error record decoding
efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock()
usb: musb: dsps: Fix the probe error path
Input: xpad - add support for another USB ID of Nacon GC-100
USB: serial: qcserial: add EM9191 QDL support
USB: serial: option: add Quectel EC200S-CN module support
USB: serial: option: add Telit LE910Cx composition 0x1204
USB: serial: option: add prod. id for Quectel EG91
virtio: write back F_VERSION_1 before validate
EDAC/armada-xp: Fix output of uncorrectable error counter
nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically
powerpc/xive: Discard disabled interrupts in get_irqchip_state()
iio: adc: aspeed: set driver data when adc probe.
iio: adc128s052: Fix the error handling path of 'adc128_probe()'
iio: mtk-auxadc: fix case IIO_CHAN_INFO_PROCESSED
iio: light: opt3001: Fixed timeout error when 0 lux
iio: ssp_sensors: add more range checking in ssp_parse_dataframe()
iio: ssp_sensors: fix error code in ssp_print_mcu_debug()
iio: dac: ti-dac5571: fix an error code in probe()
sctp: account stream padding length for reconf chunk
gpio: pca953x: Improve bias setting
net: arc: select CRC32
net: korina: select CRC32
net/mlx5e: Mutually exclude RX-FCS and RX-port-timestamp
net: stmmac: fix get_hw_feature() on old hardware
net: encx24j600: check error in devm_regmap_init_encx24j600
ethernet: s2io: fix setting mac address during resume
nfc: fix error handling of nfc_proto_register()
NFC: digital: fix possible memory leak in digital_tg_listen_mdaa()
NFC: digital: fix possible memory leak in digital_in_send_sdd_req()
pata_legacy: fix a couple uninitialized variable bugs
ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators()
mlxsw: thermal: Fix out-of-bounds memory accesses
platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call
drm/panel: olimex-lcd-olinuxino: select CRC32
drm/msm: Fix null pointer dereference on pointer edp
drm/msm/dsi: Fix an error code in msm_dsi_modeset_init()
drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling
acpi/arm64: fix next_platform_timer() section mismatch error
mqprio: Correct stats in mqprio_dump_class_stats().
qed: Fix missing error code in qed_slowpath_start()
r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256
ionic: don't remove netdev->dev_addr when syncing uc list
Linux 5.4.155
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I3c3ff41bd6f37e8d58d22a60f00017e72d5c0876
d887745395
sctp: account stream padding length for reconf chunk
commit a2d859e3fc97e79d907761550dbc03ff1b36479c upstream.
sctp_make_strreset_req() makes repeated calls to sctp_addto_chunk()
which will automatically account for padding on each call. inreq and
outreq are already 4 bytes aligned, but the payload is not and doing
SCTP_PAD4(a + b) (which _sctp_make_chunk() did implicitly here) is
different from SCTP_PAD4(a) + SCTP_PAD4(b) and not enough. It led to a
possible attempt to use more buffer than was allocated and triggered
a BUG_ON.
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Cc: Greg KH <gregkh@linuxfoundation.org>
Fixes:
0454b0c925
This is the 5.4.151 stable release
Merge 5.4.151 into android11-5.4-lts
Changes in 5.4.151
tty: Fix out-of-bound vmalloc access in imageblit
cpufreq: schedutil: Use kobject release() method to free sugov_tunables
cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory
usb: cdns3: fix race condition before setting doorbell
fs-verity: fix signed integer overflow with i_size near S64_MAX
hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field
hwmon: (w83792d) Fix NULL pointer dereference by removing unnecessary structure field
hwmon: (w83791d) Fix NULL pointer dereference by removing unnecessary structure field
scsi: ufs: Fix illegal offset in UPIU event trace
mac80211: fix use-after-free in CCMP/GCMP RX
x86/kvmclock: Move this_cpu_pvti into kvmclock.h
drm/amd/display: Pass PCI deviceid into DC
ipvs: check that ip_vs_conn_tab_bits is between 8 and 20
hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs
mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug
mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap
mac80211: mesh: fix potentially unaligned access
mac80211-hwsim: fix late beacon hrtimer handling
sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
hwmon: (tmp421) report /PVLD condition as fault
hwmon: (tmp421) fix rounding for negative values
net: ipv4: Fix rtnexthop len when RTA_FLOW is present
e100: fix length calculation in e100_get_regs_len
e100: fix buffer overrun in e100_get_regs
selftests, bpf: test_lwt_ip_encap: Really disable rp_filter
Revert "block, bfq: honor already-setup queue merges"
scsi: csiostor: Add module softdep on cxgb4
net: hns3: do not allow call hns3_nic_net_open repeatedly
net: sched: flower: protect fl_walk() with rcu
af_unix: fix races in sk_peer_pid and sk_peer_cred accesses
perf/x86/intel: Update event constraints for ICX
elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings
debugfs: debugfs_create_file_size(): use IS_ERR to check for error
ipack: ipoctal: fix stack information leak
ipack: ipoctal: fix tty registration race
ipack: ipoctal: fix tty-registration error handling
ipack: ipoctal: fix missing allocation-failure check
ipack: ipoctal: fix module reference leak
ext4: fix loff_t overflow in ext4_max_bitmap_size()
ext4: fix reserved space counter leakage
ext4: fix potential infinite loop in ext4_dx_readdir()
HID: u2fzero: ignore incomplete packets without data
net: udp: annotate data race around udp_sk(sk)->corkflag
net: stmmac: don't attach interface until resume finishes
PCI: Fix pci_host_bridge struct device release/free handling
libnvdimm/pmem: Fix crash triggered when I/O in-flight during unbind
hso: fix bailout in error case of probe
usb: hso: fix error handling code of hso_create_net_device
usb: hso: remove the bailout parameter
crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
HID: betop: fix slab-out-of-bounds Write in betop_probe
netfilter: ipset: Fix oversized kvmalloc() calls
HID: usbhid: free raw_report buffers in usbhid_stop
Linux 5.4.151
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ia17e8c3652557ea19539a107c146bf74f17902b9
ec018021cf
sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb
[ Upstream commit f7e745f8e94492a8ac0b0a26e25f2b19d342918f ]
We should always check if skb_header_pointer's return is NULL before
using it, otherwise it may cause null-ptr-deref, as syzbot reported:
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:sctp_rcv_ootb net/sctp/input.c:705 [inline]
RIP: 0010:sctp_rcv+0x1d84/0x3220 net/sctp/input.c:196
Call Trace:
<IRQ>
sctp6_rcv+0x38/0x60 net/sctp/ipv6.c:1109
ip6_protocol_deliver_rcu+0x2e9/0x1ca0 net/ipv6/ip6_input.c:422
ip6_input_finish+0x62/0x170 net/ipv6/ip6_input.c:463
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:472
dst_input include/net/dst.h:460 [inline]
ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline]
NF_HOOK include/linux/netfilter.h:307 [inline]
NF_HOOK include/linux/netfilter.h:301 [inline]
ipv6_rcv+0x28c/0x3c0 net/ipv6/ip6_input.c:297
Fixes:
2abce4ec2a
Merge 5.4.149 into android11-5.4-lts
Changes in 5.4.149
PCI: pci-bridge-emul: Fix big-endian support
PCI: aardvark: Indicate error in 'val' when config read fails
PCI: pci-bridge-emul: Add PCIe Root Capabilities Register
PCI: aardvark: Fix reporting CRS value
PCI/ACPI: Add Ampere Altra SOC MCFG quirk
KVM: remember position in kvm->vcpus array
console: consume APC, DM, DCS
s390/pci_mmio: fully validate the VMA before calling follow_pte()
ARM: Qualify enabling of swiotlb_init()
apparmor: remove duplicate macro list_entry_is_head()
ARM: 9077/1: PLT: Move struct plt_entries definition to header
ARM: 9078/1: Add warn suppress parameter to arm_gen_branch_link()
ARM: 9079/1: ftrace: Add MODULE_PLTS support
ARM: 9098/1: ftrace: MODULE_PLT: Fix build problem without DYNAMIC_FTRACE
sctp: validate chunk size in __rcv_asconf_lookup
sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
staging: rtl8192u: Fix bitwise vs logical operator in TranslateRxSignalStuff819xUsb()
um: virtio_uml: fix memory leak on init failures
dmaengine: acpi: Avoid comparison GSI with Linux vIRQ
thermal/drivers/exynos: Fix an error code in exynos_tmu_probe()
9p/trans_virtio: Remove sysfs file on probe failure
prctl: allow to setup brk for et_dyn executables
nilfs2: use refcount_dec_and_lock() to fix potential UAF
profiling: fix shift-out-of-bounds bugs
pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered
phy: avoid unnecessary link-up delay in polling mode
net: stmmac: reset Tx desc base address before restarting Tx
Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH
thermal/core: Fix thermal_cooling_device_register() prototype
drivers: base: cacheinfo: Get rid of DEFINE_SMP_CALL_CACHE_FUNCTION()
parisc: Move pci_dev_is_behind_card_dino to where it is used
dmaengine: sprd: Add missing MODULE_DEVICE_TABLE
dmaengine: ioat: depends on !UML
dmaengine: xilinx_dma: Set DMA mask for coherent APIs
ceph: request Fw caps before updating the mtime in ceph_write_iter
ceph: lockdep annotations for try_nonblocking_invalidate
btrfs: fix lockdep warning while mounting sprout fs
nilfs2: fix memory leak in nilfs_sysfs_create_device_group
nilfs2: fix NULL pointer in nilfs_##name##_attr_release
nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group
nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group
nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group
nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group
pwm: img: Don't modify HW state in .remove() callback
pwm: rockchip: Don't modify HW state in .remove() callback
pwm: stm32-lp: Don't modify HW state in .remove() callback
blk-throttle: fix UAF by deleteing timer in blk_throtl_exit()
rtc: rx8010: select REGMAP_I2C
drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV
Linux 5.4.149
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ic55297fb43e33c9ff518898479a7313aafeb9375
2f4b67bceb
sctp: add param size validation for SCTP_PARAM_SET_PRIMARY
commit ef6c8d6ccf0c1dccdda092ebe8782777cd7803c9 upstream.
When SCTP handles an INIT chunk, it calls for example:
sctp_sf_do_5_1B_init
  sctp_verify_init
    sctp_verify_param
  sctp_process_init
    sctp_process_param
      handling of SCTP_PARAM_SET_PRIMARY
sctp_verify_init() wasn't doing proper size validation and neither the
later handling, allowing it to work over the chunk itself, possibly being
uninitialized memory.
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
cbd10b1189
sctp: validate chunk size in __rcv_asconf_lookup
commit b6ffe7671b24689c09faa5675dd58f93758a97ae upstream.
In one of the fallbacks that SCTP has for identifying an association for
an incoming packet, it looks for an AddIp chunk (from ASCONF) and takes a
peek. Thing is, at this stage nothing was validating that the chunk
actually had enough content for that, allowing the peek to happen over
uninitialized memory.
A similar check already exists in the actual asconf handling in
sctp_verify_asconf().
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
c33130b10f
This is the 5.4.140 stable release
Merge 5.4.140 into android11-5.4-lts
Changes in 5.4.140
Revert "ACPICA: Fix memory leak caused by _CID repair function"
ALSA: seq: Fix racy deletion of subscriber
arm64: dts: ls1028a: fix node name for the sysclk
ARM: imx: add missing iounmap()
ARM: imx: add missing clk_disable_unprepare()
ARM: dts: imx6qdl-sr-som: Increase the PHY reset duration to 10ms
ARM: dts: colibri-imx6ull: limit SDIO clock to 25MHz
ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init
ARM: dts: imx: Swap M53Menlo pinctrl_power_button/pinctrl_power_out pins
arm64: dts: armada-3720-turris-mox: remove mrvl,i2c-fast-mode
ALSA: usb-audio: fix incorrect clock source setting
clk: stm32f4: fix post divisor setup for I2S/SAI PLLs
ARM: dts: am437x-l4: fix typo in can@0 node
omap5-board-common: remove not physically existing vdds_1v8_main fixed-regulator
spi: imx: mx51-ecspi: Reinstate low-speed CONFIGREG delay
spi: imx: mx51-ecspi: Fix low-speed CONFIGREG delay calculation
scsi: sr: Return correct event when media event code is 3
media: videobuf2-core: dequeue if start_streaming fails
dmaengine: imx-dma: configure the generic DMA type to make it work
net, gro: Set inner transport header offset in tcp/udp GRO hook
net: dsa: sja1105: overwrite dynamic FDB entries with static ones in .port_fdb_add
net: dsa: sja1105: invalidate dynamic FDB entries learned concurrently with statically added ones
net: phy: micrel: Fix detection of ksz87xx switch
net: natsemi: Fix missing pci_disable_device() in probe and remove
gpio: tqmx86: really make IRQ optional
sctp: move the active_key update after sh_keys is added
nfp: update ethtool reporting of pauseframe control
net: ipv6: fix returned variable type in ip6_skb_dst_mtu
mips: Fix non-POSIX regexp
bnx2x: fix an error code in bnx2x_nic_load()
net: pegasus: fix uninit-value in get_interrupt_interval
net: fec: fix use-after-free in fec_drv_remove
net: vxge: fix use-after-free in vxge_device_unregister
blk-iolatency: error out if blk_get_queue() failed in iolatency_set_limit()
Bluetooth: defer cleanup of resources in hci_unregister_dev()
USB: usbtmc: Fix RCU stall warning
USB: serial: option: add Telit FD980 composition 0x1056
USB: serial: ch341: fix character loss at high transfer rates
USB: serial: ftdi_sio: add device ID for Auto-M3 OP-COM v2
firmware_loader: use -ETIMEDOUT instead of -EAGAIN in fw_load_sysfs_fallback
firmware_loader: fix use-after-free in firmware_fallback_sysfs
ALSA: hda/realtek: add mic quirk for Acer SF314-42
ALSA: usb-audio: Add registration quirk for JBL Quantum 600
usb: cdns3: Fixed incorrect gadget state
usb: gadget: f_hid: added GET_IDLE and SET_IDLE handlers
usb: gadget: f_hid: fixed NULL pointer dereference
usb: gadget: f_hid: idle uses the highest byte for duration
usb: otg-fsm: Fix hrtimer list corruption
clk: fix leak on devm_clk_bulk_get_all() unwind
scripts/tracing: fix the bug that can't parse raw_trace_func
tracing / histogram: Give calculation hist_fields a size
optee: Clear stale cache entries during initialization
tee: add tee_shm_alloc_kernel_buf()
optee: Fix memory leak when failing to register shm pages
tpm_ftpm_tee: Free and unregister TEE shared memory during kexec
staging: rtl8723bs: Fix a resource leak in sd_int_dpc
staging: rtl8712: get rid of flush_scheduled_work
media: rtl28xxu: fix zero-length control request
pipe: increase minimum default pipe size to 2 pages
ext4: fix potential htree corruption when growing large_dir directories
serial: tegra: Only print FIFO error message when an error occurs
serial: 8250_mtk: fix uart corruption issue when rx power off
serial: 8250: Mask out floating 16/32-bit bus bits
MIPS: Malta: Do not byte-swap accesses to the CBUS UART
serial: 8250_pci: Enumerate Elkhart Lake UARTs via dedicated driver
serial: 8250_pci: Avoid irq sharing for MSI(-X) interrupts.
timers: Move clearing of base::timer_running under base:: Lock
pcmcia: i82092: fix a null pointer dereference bug
md/raid10: properly indicate failure when ending a failed write request
KVM: x86: accept userspace interrupt only if no event is injected
KVM: Do not leak memory for duplicate debugfs directories
KVM: x86/mmu: Fix per-cpu counter corruption on 32-bit builds
arm64: vdso: Avoid ISB after reading from cntvct_el0
soc: ixp4xx: fix printing resources
spi: meson-spicc: fix memory leak in meson_spicc_remove
soc: ixp4xx/qmgr: fix invalid __iomem access
perf/x86/amd: Don't touch the AMD64_EVENTSEL_HOSTONLY bit inside the guest
bpf, selftests: Adjust few selftest result_unpriv outcomes
libata: fix ata_pio_sector for CONFIG_HIGHMEM
reiserfs: add check for root_inode in reiserfs_fill_super
reiserfs: check directory items on read from disk
virt_wifi: fix error on connect
alpha: Send stop IPI to send to online CPUs
net/qla3xxx: fix schedule while atomic in ql_wait_for_drvr_lock and ql_adapter_reset
arm64: fix compat syscall return truncation
Linux 5.4.140
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ife156cbbbcc40156b39f4401a1bb7fb500fb035c
d333503de1
sctp: move the active_key update after sh_keys is added
[ Upstream commit ae954bbc451d267f7d60d7b49db811d5a68ebd7b ]
In commit 58acd1009226 ("sctp: update active_key for asoc when old key is
being replaced"), sctp_auth_asoc_init_active_key() is called to update
the active_key right after the old key is deleted and before the new key
is added, and it caused that the active_key could be found with the
key_id.
In Ying Xu's testing, the BUG_ON in sctp_auth_asoc_init_active_key() was
triggered:
[ ] kernel BUG at net/sctp/auth.c:416!
[ ] RIP: 0010:sctp_auth_asoc_init_active_key.part.8+0xe7/0xf0 [sctp]
[ ] Call Trace:
[ ] sctp_auth_set_key+0x16d/0x1b0 [sctp]
[ ] sctp_setsockopt.part.33+0x1ba9/0x2bd0 [sctp]
[ ] __sys_setsockopt+0xd6/0x1d0
[ ] __x64_sys_setsockopt+0x20/0x30
[ ] do_syscall_64+0x5b/0x1a0
So fix it by moving the active_key update after sh_keys is added.
Fixes: 58acd1009226 ("sctp: update active_key for asoc when old key is being replaced")
Reported-by: Ying Xu <yinxu@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
ae7ff75631
This is the 5.4.138 stable release
Merge 5.4.138 into android11-5.4-lts
Changes in 5.4.138
net_sched: check error pointer in tcf_dump_walker()
x86/asm: Ensure asm/proto.h can be included stand-alone
btrfs: fix rw device counting in __btrfs_free_extra_devids
btrfs: mark compressed range uptodate only if all bio succeed
Revert "ACPI: resources: Add checks for ACPI IRQ override"
x86/kvm: fix vcpu-id indexed array sizes
KVM: add missing compat KVM_CLEAR_DIRTY_LOG
ocfs2: fix zero out valid data
ocfs2: issue zeroout to EOF blocks
can: j1939: j1939_xtp_rx_dat_one(): fix rxtimer value between consecutive TP.DT to 750ms
can: raw: raw_setsockopt(): fix raw_rcv panic for sock UAF
can: mcba_usb_start(): add missing urb->transfer_dma initialization
can: usb_8dev: fix memory leak
can: ems_usb: fix memory leak
can: esd_usb2: fix memory leak
HID: wacom: Re-enable touch by default for Cintiq 24HDT / 27QHDT
NIU: fix incorrect error return, missed in previous revert
nfc: nfcsim: fix use after free during module unload
cfg80211: Fix possible memory leak in function cfg80211_bss_update
netfilter: conntrack: adjust stop timestamp to real expiry value
netfilter: nft_nat: allow to specify layer 4 protocol NAT only
i40e: Fix logic of disabling queues
i40e: Fix firmware LLDP agent related warning
i40e: Fix queue-to-TC mapping on Tx
i40e: Fix log TC creation failure when max num of queues is exceeded
tipc: fix sleeping in tipc accept routine
net: Set true network header for ECN decapsulation
mlx4: Fix missing error code in mlx4_load_one()
net: llc: fix skb_over_panic
net/mlx5: Fix flow table chaining
net/mlx5e: Fix nullptr in mlx5e_hairpin_get_mdev()
sctp: fix return value check in __sctp_rcv_asconf_lookup
tulip: windbond-840: Fix missing pci_disable_device() in probe and remove
sis900: Fix missing pci_disable_device() in probe and remove
can: hi311x: fix a signedness bug in hi3110_cmd()
PCI: mvebu: Setup BAR0 in order to fix MSI
powerpc/pseries: Fix regression while building external modules
Revert "perf map: Fix dso->nsinfo refcounting"
i40e: Add additional info to PHY type error
can: j1939: j1939_session_deactivate(): clarify lifetime of session object
Linux 5.4.138
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I6dc3dcde6ce71425f82f38b01fb5e36b7653de97
e0310bbeaa
sctp: fix return value check in __sctp_rcv_asconf_lookup
[ Upstream commit 557fb5862c9272ad9b21407afe1da8acfd9b53eb ]
As Ben Hutchings noticed, this check should have been inverted: the call
returns true in case of success.
Reported-by: Ben Hutchings <ben@decadent.org.uk>
Fixes: 0c5dc070ff3d ("sctp: validate from_addr_param return")
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
758a7acf8b
This is the 5.4.137 stable release
Merge 5.4.137 into android11-5.4-lts
Changes in 5.4.137
selftest: fix build error in tools/testing/selftests/vm/userfaultfd.c
tools: Allow proper CC/CXX/... override with LLVM=1 in Makefile.include
KVM: x86: determine if an exception has an error code only when injecting it.
af_unix: fix garbage collect vs MSG_PEEK
workqueue: fix UAF in pwq_unbound_release_workfn()
cgroup1: fix leaked context root causing sporadic NULL deref in LTP
net/802/mrp: fix memleak in mrp_request_join()
net/802/garp: fix memleak in garp_request_join()
net: annotate data race around sk_ll_usec
sctp: move 198 addresses from unusable to private scope
ipv6: allocate enough headroom in ip6_finish_output2()
hfs: add missing clean-up in hfs_fill_super
hfs: fix high memory mapping in hfs_bnode_read
hfs: add lock nesting notation to hfs_find_init
firmware: arm_scmi: Fix possible scmi_linux_errmap buffer overflow
firmware: arm_scmi: Fix range check for the maximum number of pending messages
cifs: fix the out of range assignment to bit fields in parse_server_interfaces
iomap: remove the length variable in iomap_seek_data
iomap: remove the length variable in iomap_seek_hole
ARM: dts: versatile: Fix up interrupt controller node names
ipv6: ip6_finish_output2: set sk into newly allocated nskb
Linux 5.4.137
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I441d065c6fd79c96c67172137806f71dbcd41753
f65b7f377c
sctp: move 198 addresses from unusable to private scope
[ Upstream commit 1d11fa231cabeae09a95cb3e4cf1d9dd34e00f08 ]
The doc draft-stewart-tsvwg-sctp-ipv4-00 that restricts 198 addresses was
never published. These addresses as private addresses should be allowed
to use in SCTP.
As Michael Tuexen suggested, this patch is to move 198 addresses from
unusable to private scope.
Reported-by: Sérgio <surkamp@gmail.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
ccc19b14a1
This is the 5.4.136 stable release
Merge 5.4.136 into android11-5.4-lts
Changes in 5.4.136
igc: Fix use-after-free error during reset
igb: Fix use-after-free error during reset
igc: change default return of igc_read_phy_reg()
ixgbe: Fix an error handling path in 'ixgbe_probe()'
igc: Prefer to use the pci_release_mem_regions method
igc: Fix an error handling path in 'igc_probe()'
igb: Fix an error handling path in 'igb_probe()'
fm10k: Fix an error handling path in 'fm10k_probe()'
e1000e: Fix an error handling path in 'e1000_probe()'
iavf: Fix an error handling path in 'iavf_probe()'
igb: Check if num of q_vectors is smaller than max before array access
igb: Fix position of assignment to *ring
gve: Fix an error handling path in 'gve_probe()'
ipv6: fix 'disable_policy' for fwd packets
selftests: icmp_redirect: remove from checking for IPv6 route get
selftests: icmp_redirect: IPv6 PMTU info should be cleared after redirect
pwm: sprd: Ensure configuring period and duty_cycle isn't wrongly skipped
cxgb4: fix IRQ free race during driver unload
nvme-pci: do not call nvme_dev_remove_admin from nvme_remove
perf map: Fix dso->nsinfo refcounting
perf probe: Fix dso->nsinfo refcounting
perf env: Fix sibling_dies memory leak
perf test session_topology: Delete session->evlist
perf test event_update: Fix memory leak of evlist
perf dso: Fix memory leak in dso__new_map()
perf script: Fix memory 'threads' and 'cpus' leaks on exit
perf lzma: Close lzma stream on exit
perf probe-file: Delete namelist in del_events() on the error path
perf data: Close all files in close_dir()
spi: imx: add a check for speed_hz before calculating the clock
spi: stm32: Use dma_request_chan() instead dma_request_slave_channel()
spi: stm32: fixes pm_runtime calls in probe/remove
regulator: hi6421: Use correct variable type for regmap api val argument
regulator: hi6421: Fix getting wrong drvdata
spi: mediatek: fix fifo rx mode
ASoC: rt5631: Fix regcache sync errors on resume
liquidio: Fix unintentional sign extension issue on left shift of u16
s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1]
bpf, sockmap, tcp: sk_prot needs inuse_idx set for proc stats
bpftool: Check malloc return value in mount_bpffs_for_pin
net: fix uninit-value in caif_seqpkt_sendmsg
efi/tpm: Differentiate missing and invalid final event log table.
net: decnet: Fix sleeping inside in af_decnet
KVM: PPC: Book3S: Fix CONFIG_TRANSACTIONAL_MEM=n crash
KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak
net: sched: fix memory leak in tcindex_partial_destroy_work
netrom: Decrease sock refcount when sock timers expire
scsi: iscsi: Fix iface sysfs attr detection
scsi: target: Fix protect handling in WRITE SAME(32)
spi: cadence: Correct initialisation of runtime PM again
bnxt_en: Improve bnxt_ulp_stop()/bnxt_ulp_start() call sequence.
bnxt_en: Refresh RoCE capabilities in bnxt_ulp_probe()
bnxt_en: Add missing check for BNXT_STATE_ABORT_ERR in bnxt_fw_rset_task()
bnxt_en: Check abort error state in bnxt_half_open_nic()
net: hisilicon: rename CACHE_LINE_MASK to avoid redefinition
net/tcp_fastopen: fix data races around tfo_active_disable_stamp
net: hns3: fix rx VLAN offload state inconsistent issue
net/sched: act_skbmod: Skip non-Ethernet packets
ipv6: fix another slab-out-of-bounds in fib6_nh_flush_exceptions
nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not RESETTING
Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem"
afs: Fix tracepoint string placement with built-in AFS
r8169: Avoid duplicate sysfs entry creation error
nvme: set the PRACT bit when using Write Zeroes with T10 PI
sctp: update active_key for asoc when old key is being replaced
net: sched: cls_api: Fix the the wrong parameter
drm/panel: raspberrypi-touchscreen: Prevent double-free
proc: Avoid mixing integer types in mem_rw()
Revert "MIPS: add PMD table accounting into MIPS'pmd_alloc_one"
s390/ftrace: fix ftrace_update_ftrace_func implementation
s390/boot: fix use of expolines in the DMA code
ALSA: usb-audio: Add missing proc text entry for BESPOKEN type
ALSA: usb-audio: Add registration quirk for JBL Quantum headsets
ALSA: sb: Fix potential ABBA deadlock in CSP driver
ALSA: hdmi: Expose all pins on MSI MS-7C94 board
xhci: Fix lost USB 2 remote wake
KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow
KVM: PPC: Book3S HV Nested: Sanitise H_ENTER_NESTED TM state
usb: hub: Disable USB 3 device initiated lpm if exit latency is too high
usb: hub: Fix link power management max exit latency (MEL) calculations
USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS
usb: max-3421: Prevent corruption of freed memory
usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop()
USB: serial: option: add support for u-blox LARA-R6 family
USB: serial: cp210x: fix comments for GE CS1000
USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick
usb: dwc2: gadget: Fix sending zero length packet in DDMA mode.
firmware/efi: Tell memblock about EFI iomem reservations
tracing/histogram: Rename "cpu" to "common_cpu"
tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop.
btrfs: check for missing device in btrfs_trim_fs
media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf()
ixgbe: Fix packet corruption due to missing DMA sync
selftest: use mmap instead of posix_memalign to allocate memory
userfaultfd: do not untag user pointers
hugetlbfs: fix mount mode command line processing
rbd: don't hold lock_rwsem while running_list is being drained
rbd: always kick acquire on "acquired" and "released" notifications
nds32: fix up stack guard gap
drm: Return -ENOTTY for non-drm ioctls
net: dsa: mv88e6xxx: use correct .stats_set_histogram() on Topaz
net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear
iio: accel: bma180: Use explicit member assignment
iio: accel: bma180: Fix BMA25x bandwidth register values
btrfs: compression: don't try to compress if we don't have enough pages
PCI: Mark AMD Navi14 GPU ATS as broken
perf inject: Close inject.output on exit
xhci: add xhci_get_virt_ep() helper
Linux 5.4.136
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8b7e344b3dd2ee557364f9be285ed9925038a497
b60461696a
sctp: update active_key for asoc when old key is being replaced
[ Upstream commit 58acd10092268831e49de279446c314727101292 ]
syzbot reported a call trace:
BUG: KASAN: use-after-free in sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
Call Trace:
sctp_auth_shkey_hold+0x22/0xa0 net/sctp/auth.c:112
sctp_set_owner_w net/sctp/socket.c:131 [inline]
sctp_sendmsg_to_asoc+0x152e/0x2180 net/sctp/socket.c:1865
sctp_sendmsg+0x103b/0x1d30 net/sctp/socket.c:2027
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:821
sock_sendmsg_nosec net/socket.c:703 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:723
This is a use-after-free issue caused by not updating asoc->shkey after
it was replaced in the key list asoc->endpoint_shared_keys, and the old
key was freed.
This patch is to fix by also updating active_key for asoc when old key is
being replaced with a new one. Note that this issue doesn't exist in
sctp_auth_del_key_id(), as it's not allowed to delete the active_key
from the asoc.
Fixes:
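The report above is a cached pointer outliving the list entry it was taken from. The C program below is an added example written for this page, not kernel code: it models an endpoint key list, an association that caches its active key both by id and by pointer, and the replace branch of a key install, run with and without the re-resolution step this commit adds. The names (`auth_set_key`, `asoc_init_active_key`, `replace_active_key_scenario`) and the ownership model (the list holds the only reference, the association's pointer is borrowed, and a `freed` flag stands in for free() so a stale pointer can be detected rather than dereferenced) are this example's simplifications, not the kernel's refcounting.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

#define MAX_KEYS  8
#define SHKEY_LEN 16

/* A shared key on the endpoint's key list. The list owns the object; `freed`
 * stands in for kfree() so a stale pointer can be detected, not dereferenced. */
struct shkey {
    uint16_t key_id;
    bool     in_list;           /* still linked on the endpoint's key list */
    bool     freed;             /* released; any pointer to it is now dangling */
    uint8_t  key[SHKEY_LEN];
};

/* Fixed pool standing in for the kernel's linked list; slots are never reused. */
struct endpoint { struct shkey pool[MAX_KEYS]; int used; };

/* An association caches its authentication key by id and by pointer
 * (asoc->active_key_id and asoc->shkey in the report above). */
struct assoc { struct endpoint *ep; uint16_t active_key_id; struct shkey *shkey; };

static struct shkey *shkey_find(struct endpoint *ep, uint16_t id)
{
    for (int i = 0; i < ep->used; i++)
        if (ep->pool[i].in_list && ep->pool[i].key_id == id)
            return &ep->pool[i];
    return NULL;
}

/* Stand-in for sctp_auth_asoc_init_active_key(): resolve the cached pointer
 * from the list by id, so it never outlives the entry it was taken from. */
static void asoc_init_active_key(struct assoc *a)
{
    a->shkey = shkey_find(a->ep, a->active_key_id);
}

/* Install key `id`, unlinking and freeing an existing key with the same id
 * (the replace branch of sctp_auth_set_key). With `fixed` the association's
 * cached pointer is re-resolved when its active id is the one replaced; without
 * it the cache keeps pointing at the freed object. Returns 0 on success. */
static int auth_set_key(struct endpoint *ep, struct assoc *a, uint16_t id,
                        const uint8_t *key, size_t n, bool fixed)
{
    if (ep->used == MAX_KEYS || n > SHKEY_LEN)
        return -1;
    struct shkey *old = shkey_find(ep, id);
    struct shkey *fresh = &ep->pool[ep->used++];
    memset(fresh, 0, sizeof *fresh);
    fresh->key_id = id;
    fresh->in_list = true;
    memcpy(fresh->key, key, n);
    if (old) {
        old->in_list = false;
        old->freed = true;               /* list_del_init() + final release */
        if (fixed && a && a->active_key_id == id)
            asoc_init_active_key(a);     /* the step added by 58acd1009226 */
    }
    return 0;
}

/* What the next sendmsg() would do: pick up the cached key for the chunk.
 * Returns true when that pointer refers to a freed object. */
static bool active_key_is_dangling(const struct assoc *a)
{
    return a->shkey != NULL && a->shkey->freed;
}

/* Reproduce the report: install key 1, make it the association's active key,
 * replace key 1 with a new key of the same keynumber, then check whether the
 * cached pointer still refers to live memory. Constructed inputs, not a capture. */
bool replace_active_key_scenario(bool fixed)
{
    static const uint8_t k1[] = "first-secret", k2[] = "second-secret";
    struct endpoint ep;
    memset(&ep, 0, sizeof ep);
    struct assoc a = { &ep, 1, NULL };
    auth_set_key(&ep, &a, 1, k1, sizeof k1, fixed);
    asoc_init_active_key(&a);                  /* association now caches key 1 */
    auth_set_key(&ep, &a, 1, k2, sizeof k2, fixed);
    return active_key_is_dangling(&a);
}

int main(void)
{
    printf("without fix: cached key dangling = %d\n", replace_active_key_scenario(false));
    printf("with fix:    cached key dangling = %d\n", replace_active_key_scenario(true));
    return 0;
}
```

The general lesson is the one the commit states for the deletion path as well: a cached pointer into a mutable list is safe only while the owner either re-resolves it on every mutation of that entry or holds its own reference to the object.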
a7e747c026
Merge 5.4.133 into android11-5.4-lts
Changes in 5.4.133
drm/mxsfb: Don't select DRM_KMS_FB_HELPER
drm/zte: Don't select DRM_KMS_FB_HELPER
drm/amd/amdgpu/sriov disable all ip hw status by default
drm/vc4: fix argument ordering in vc4_crtc_get_margins()
net: pch_gbe: Use proper accessors to BE data in pch_ptp_match()
drm/amd/display: fix use_max_lb flag for 420 pixel formats
hugetlb: clear huge pte during flush function on mips platform
atm: iphase: fix possible use-after-free in ia_module_exit()
mISDN: fix possible use-after-free in HFC_cleanup()
atm: nicstar: Fix possible use-after-free in nicstar_cleanup()
net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT
drm/mediatek: Fix PM reference leak in mtk_crtc_ddp_hw_init()
reiserfs: add check for invalid 1st journal block
drm/virtio: Fix double free on probe failure
drm/sched: Avoid data corruptions
udf: Fix NULL pointer dereference in udf_symlink function
e100: handle eeprom as little endian
igb: handle vlan types with checker enabled
drm/bridge: cdns: Fix PM reference leak in cdns_dsi_transfer()
clk: renesas: r8a77995: Add ZA2 clock
clk: tegra: Ensure that PLLU configuration is applied properly
ipv6: use prandom_u32() for ID generation
RDMA/cxgb4: Fix missing error code in create_qp()
dm space maps: don't reset space map allocation cursor when committing
pinctrl: mcp23s08: fix race condition in irq handler
ice: set the value of global config lock timeout longer
virtio_net: Remove BUG() to avoid machine dead
net: bcmgenet: check return value after calling platform_get_resource()
net: mvpp2: check return value after calling platform_get_resource()
net: micrel: check return value after calling platform_get_resource()
drm/amd/display: Update scaling settings on modeset
drm/amd/display: Release MST resources on switch from MST to SST
drm/amd/display: Set DISPCLK_MAX_ERRDET_CYCLES to 7
drm/amdkfd: use allowed domain for vmbo validation
fjes: check return value after calling platform_get_resource()
selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC
r8169: avoid link-up interrupt issue on RTL8106e if user enables ASPM
drm/amd/display: Verify Gamma & Degamma LUT sizes in amdgpu_dm_atomic_check
xfrm: Fix error reporting in xfrm_state_construct.
wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP
wl1251: Fix possible buffer overflow in wl1251_cmd_scan
cw1200: add missing MODULE_DEVICE_TABLE
bpf: Fix up register-based shifts in interpreter to silence KUBSAN
mt76: mt7615: fix fixed-rate tx status reporting
net: fix mistake path for netdev_features_strings
net: sched: fix error return code in tcf_del_walker()
drm/amdkfd: Walk through list with dqm lock hold
rtl8xxxu: Fix device info for RTL8192EU devices
MIPS: add PMD table accounting into MIPS'pmd_alloc_one
atm: nicstar: use 'dma_free_coherent' instead of 'kfree'
atm: nicstar: register the interrupt handler in the right place
vsock: notify server to shutdown when client has pending signal
RDMA/rxe: Don't overwrite errno from ib_umem_get()
iwlwifi: mvm: don't change band on bound PHY contexts
iwlwifi: pcie: free IML DMA memory allocation
iwlwifi: pcie: fix context info freeing
sfc: avoid double pci_remove of VFs
sfc: error code if SRIOV cannot be disabled
wireless: wext-spy: Fix out-of-bounds warning
media, bpf: Do not copy more entries than user space requested
net: ip: avoid OOM kills with large UDP sends over loopback
RDMA/cma: Fix rdma_resolve_route() memory leak
Bluetooth: btusb: Fixed too many in-token issue for Mediatek Chip.
Bluetooth: Fix the HCI to MGMT status conversion table
Bluetooth: Shutdown controller after workqueues are flushed or cancelled
Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc.
sctp: validate from_addr_param return
sctp: add size validation when walking chunks
MIPS: loongsoon64: Reserve memory below starting pfn to prevent Oops
MIPS: set mips32r5 for virt extensions
fscrypt: don't ignore minor_hash when hash is 0
crypto: ccp - Annotate SEV Firmware file names
perf bench: Fix 2 memory sanitizer warnings
powerpc/mm: Fix lockup on kernel exec fault
powerpc/barrier: Avoid collision with clang's __lwsync macro
drm/amdgpu: Update NV SIMD-per-CU to 2
drm/radeon: Add the missed drm_gem_object_put() in radeon_user_framebuffer_create()
drm/rockchip: dsi: remove extra component_del() call
drm/amd/display: fix incorrrect valid irq check
pinctrl/amd: Add device HID for new AMD GPIO controller
drm/amd/display: Reject non-zero src_y and src_x for video planes
drm/tegra: Don't set allow_fb_modifiers explicitly
drm/msm/mdp4: Fix modifier support enabling
drm/arm/malidp: Always list modifiers
mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode
mmc: core: clear flags before allowing to retune
mmc: core: Allow UHS-I voltage switch for SDSC cards if supported
ata: ahci_sunxi: Disable DIPM
cpu/hotplug: Cure the cpusets trainwreck
clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround
fpga: stratix10-soc: Add missing fpga_mgr_free() call
MIPS: fix "mipsel-linux-ld: decompress.c:undefined reference to `memmove'"
ASoC: tegra: Set driver_name=tegra for all machine drivers
qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute
ipmi/watchdog: Stop watchdog timer when the current action is 'none'
thermal/drivers/int340x/processor_thermal: Fix tcc setting
ubifs: Fix races between xattr_{set|get} and listxattr operations
power: supply: ab8500: Fix an old bug
nvmem: core: add a missing of_node_put
extcon: intel-mrfld: Sync hardware and software state on init
seq_buf: Fix overflow in seq_buf_putmem_hex()
rq-qos: fix missed wake-ups in rq_qos_throttle try two
tracing: Simplify & fix saved_tgids logic
tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT
ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe
coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer()
dm btree remove: assign new_root only when removal succeeds
PCI: Leave Apple Thunderbolt controllers on for s2idle or standby
PCI: aardvark: Fix checking for PIO Non-posted Request
PCI: aardvark: Implement workaround for the readback value of VEND_ID
media: subdev: disallow ioctl for saa6588/davinci
media: dtv5100: fix control-request directions
media: zr364xx: fix memory leak in zr364xx_start_readpipe
media: gspca/sq905: fix control-request direction
media: gspca/sunplus: fix zero-length control requests
media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K
pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq()
jfs: fix GPF in diFree
smackfs: restrict bytes count in smk_set_cipso()
Linux 5.4.133
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I4daf813e30444755db3a7d587f8be81ccd2f748b
a01745edc1
sctp: add size validation when walking chunks
[ Upstream commit 50619dbf8db77e98d821d615af4f634d08e22698 ]
The first chunk in a packet is ensured to be present at the beginning of
sctp_rcv(), as a packet needs to have at least 1 chunk. But the second
one may not be completely available and ch->length can be over
uninitialized memory.
Fix here is by only trying to walk on the next chunk if there is enough
to hold at least the header, and then proceed with the ch->length
validation that is already there.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
03a5e45461
sctp: validate from_addr_param return
[ Upstream commit 0c5dc070ff3d6246d22ddd931f23a6266249e3db ]
Ilja reported that, simply putting it, nothing was validating that
from_addr_param functions were operating on initialized memory. That is,
the parameter itself was being validated by sctp_walk_params, but it
doesn't check for types and their specific sizes and it could be a
0-length one, causing from_addr_param to potentially work over the next
parameter or even uninitialized memory.
The fix here is to, in all calls to from_addr_param, check if enough
space is there for the wanted IP address type.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
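The two sctp fixes in this merge (the chunk walk in 50619dbf8db7 and the address parameter check in 0c5dc070ff3d) are instances of one rule: a TLV's header must lie fully inside the buffer before its length field is read, and its body must be as long as the type it claims before the body is parsed. The C program below is an added example written for this page, not kernel code; it walks the chunk and parameter layout of RFC 4960 in user space with both checks in place and runs over two constructed packets, one well formed and one carrying a too-short IPv6 parameter followed by a 2-byte tail. `walk_chunks`, `build_sample`, `run_sample` and the `walk_stats` record are this example's own names; its `from_addr_param` mirrors only the contract of the kernel function, not its code.

```c
#include <stdint.h>
#include <string.h>
/* Wire sizes from RFC 4960 section 3; every chunk and parameter is a TLV whose
 * length field covers its own 4-byte header. */
#define SCTP_COMMON_HDR 12    /* ports, verification tag, checksum */
#define TLV_HDR         4
#define INIT_FIXED      16    /* init tag, a_rwnd, out/in streams, initial TSN */
#define CHUNK_INIT      1
#define PARAM_IPV4      5
#define PARAM_IPV6      6
#define WORD_ROUND(n)   (((n) + 3u) & ~3u)

/* Chunks that fit, address params accepted/rejected by size, bytes of a tail
 * too short for a chunk header, and any length field that did not fit. */
struct walk_stats { int chunks, addr_params, short_params, truncated_tail, bad_length; };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Contract of the fixed from_addr_param() (0c5dc070ff3d): copy an address only
 * if the parameter is at least as long as the family it claims. */
static int from_addr_param(const uint8_t *p, size_t plen, uint8_t out[16])
{
    size_t need = rd16(p) == PARAM_IPV4 ? TLV_HDR + 4 : rd16(p) == PARAM_IPV6 ? TLV_HDR + 16 : 0;
    if (need == 0 || plen < need) return 0;
    memcpy(out, p + TLV_HDR, need - TLV_HDR);
    return 1;
}

/* Variable parameters that follow the fixed INIT fields. */
static void walk_params(const uint8_t *p, size_t len, struct walk_stats *st)
{
    for (size_t off = 0; off + TLV_HDR <= len; ) {
        uint16_t type = rd16(p + off), plen = rd16(p + off + 2);
        uint8_t addr[16];
        if (plen < TLV_HDR || plen > len - off) { st->bad_length++; return; }
        if (type == PARAM_IPV4 || type == PARAM_IPV6) {
            if (from_addr_param(p + off, plen, addr)) st->addr_params++;
            else st->short_params++;
        }
        off += WORD_ROUND(plen);
    }
}

/* Every chunk of an SCTP packet of `len` bytes. */
void walk_chunks(const uint8_t *pkt, size_t len, struct walk_stats *st)
{
    memset(st, 0, sizeof *st);
    if (len < SCTP_COMMON_HDR) { st->bad_length++; return; }
    for (size_t off = SCTP_COMMON_HDR; off < len; ) {
        /* The 50619dbf8db7 check: the old loop only required the chunk pointer to be
         * inside the packet before reading ch->length, so a 1..3 byte tail made it
         * read the length field from beyond the buffer. */
        if (len - off < TLV_HDR) { st->truncated_tail = (int)(len - off); return; }
        uint8_t type = pkt[off];
        uint16_t clen = rd16(pkt + off + 2);
        if (clen < TLV_HDR || clen > len - off) { st->bad_length++; return; }
        st->chunks++;
        if (type == CHUNK_INIT) {
            if (clen < TLV_HDR + INIT_FIXED) { st->bad_length++; return; }
            walk_params(pkt + off + TLV_HDR + INIT_FIXED, clen - TLV_HDR - INIT_FIXED, st);
        }
        off += WORD_ROUND(clen);
    }
}

/* Constructed sample pieces, not captures. */
static const uint8_t init_fixed[INIT_FIXED] = { 0xde,0xad,0xbe,0xef, 0,1,0,0, 0,10,0,10, 0,0,0,1 };
static const uint8_t v4_param[8]    = { 0,5, 0,8, 192,0,2,1 };
static const uint8_t v6_param[20]   = { 0,6, 0,20, 0x20,0x01,0x0d,0xb8, 0,0,0,0, 0,0,0,0, 0,0,0,1 };
static const uint8_t v6_short[8]    = { 0,6, 0,8, 0x20,0x01,0x0d,0xb8 };  /* IPv6 type, 4 bytes */
static const uint8_t cookie_echo[8] = { 11,0, 0,8, 0xca,0xfe,0xf0,0x0d };

static size_t put_init(uint8_t *out, const uint8_t *params, size_t plen)
{
    size_t clen = TLV_HDR + INIT_FIXED + plen;
    out[0] = CHUNK_INIT; out[1] = 0; out[2] = (uint8_t)(clen >> 8); out[3] = (uint8_t)clen;
    memcpy(out + TLV_HDR, init_fixed, INIT_FIXED);
    memcpy(out + TLV_HDR + INIT_FIXED, params, plen);
    return clen;
}

/* Build sample `which` into buf and return its length. */
size_t build_sample(int which, uint8_t *buf)
{
    uint8_t params[28];
    size_t n = SCTP_COMMON_HDR;
    memset(buf, 0, n);
    buf[0] = buf[2] = 0x1f; buf[1] = buf[3] = 0x90;       /* ports 8080 -> 8080 */
    memcpy(params, v4_param, 8);
    if (which == 0) {                                     /* IPv4 + IPv6 params, then COOKIE ECHO */
        memcpy(params + 8, v6_param, 20);
        n += put_init(buf + n, params, 28);
        memcpy(buf + n, cookie_echo, 8); n += 8;
    } else {                                              /* short IPv6 param, then a 2-byte tail */
        memcpy(params + 8, v6_short, 8);
        n += put_init(buf + n, params, 16);
        buf[n++] = 11; buf[n++] = 0;
    }
    return n;
}

/* Build sample `which`, walk it and return what the walker recorded. */
struct walk_stats run_sample(int which)
{
    uint8_t buf[96];
    struct walk_stats st;
    walk_chunks(buf, build_sample(which, buf), &st);
    return st;
}
```

Sample 1 is the shape of packet the first commit describes: the second chunk is present but shorter than its own header, and a loop that only tests `off < len` before reading the length field reads two bytes past the packet. The walker reports it as a 2-byte truncated tail and stops; the IPv6 parameter that claims 8 bytes is counted as short rather than copied.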
5317188981
This is the 5.4.120 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmCkyEcACgkQONu9yGCS
aT70Qg//Rv09McvLQ+8E0OilJ7TdT0UthXQFP+uPTu+/HPeHQkCO168cn1hbwD9K
i0YfFYB7PqPe/wccHNsmWHSUYCzA9NnwExA84/jofjswkEMMc95x/bow5/xmLe/5
ImkjODPVHuQWewgMfbSmNu7Br4wmQC5U/K4r7hp/Aa0FdTjcHMI6Zw40FGbJrWmq
kiqhW9CeagKbxWrihQNLrSB4E5CdpNNkug/zVus2n9jlFT4tltNGSd7bPsxrp7LN
EdTfayyPUVZeCoysTNA0WZgz47f+z47vAdIlDHzWCIOZcM1RnJXKA5kFXRf8Fnfa
+hyvaHSDqYGdRgZxYMcXLL+/cS4foQ/8iQxZBCMomABM0MNUuoJ5tYR6GVetlRcR
46ZC/5OAvNoKY2Kj4Ky4ROF7aMR3NkYCY6wHUVRcw8778bmuReeLJJPsWojAI+4F
pWT08+7OUJYb3hRnGxxzKot6CPztdkpQXfXMy+wyNlNbRZ/ivs9/f/GhdblXy/6T
j12LKIh1IOxpB/wi7GRfeABUuC4MU8xqx6FuPDrBgCTMfVig/wcwF27AUr//a0F5
xrrzCrDFNAvuyD1WyYilaxWDHAe2o9ROT0JZ4VB3zu40w2VlTT77aqA174xfQa6b
418Eykw3O11dmsY8AQPTt1HhkDCiewEe4K58CJcmCNEf/inFbvI=
=kNQc
-----END PGP SIGNATURE-----
Merge 5.4.120 into android11-5.4-lts
Changes in 5.4.120
tpm: fix error return code in tpm2_get_cc_attrs_tbl()
tpm, tpm_tis: Extend locality handling to TPM2 in tpm_tis_gen_interrupt()
tpm, tpm_tis: Reserve locality in tpm_tis_resume()
KVM: x86/mmu: Remove the defunct update_pte() paging hook
PM: runtime: Fix unpaired parent child_count for force_resume
fs: dlm: fix debugfs dump
tipc: convert dest node's address to network order
ASoC: Intel: bytcr_rt5640: Enable jack-detect support on Asus T100TAF
net: stmmac: Set FIFO sizes for ipq806x
ASoC: rsnd: core: Check convert rate in rsnd_hw_params
i2c: bail out early when RDWR parameters are wrong
ALSA: hdsp: don't disable if not enabled
ALSA: hdspm: don't disable if not enabled
ALSA: rme9652: don't disable if not enabled
ALSA: bebob: enable to deliver MIDI messages for multiple ports
Bluetooth: Set CONF_NOT_COMPLETE as l2cap_chan default
Bluetooth: initialize skb_queue_head at l2cap_chan_create()
net: bridge: when suppression is enabled exclude RARP packets
Bluetooth: check for zapped sk before connecting
ip6_vti: proper dev_{hold|put} in ndo_[un]init methods
ASoC: Intel: bytcr_rt5640: Add quirk for the Chuwi Hi8 tablet
i2c: Add I2C_AQ_NO_REP_START adapter quirk
mac80211: clear the beacon's CRC after channel switch
pinctrl: samsung: use 'int' for register masks in Exynos
mt76: mt76x0: disable GTK offloading
cuse: prevent clone
ASoC: rsnd: call rsnd_ssi_master_clk_start() from rsnd_ssi_init()
Revert "iommu/amd: Fix performance counter initialization"
iommu/amd: Remove performance counter pre-initialization test
drm/amd/display: Force vsync flip when reconfiguring MPCC
selftests: Set CC to clang in lib.mk if LLVM is set
kconfig: nconf: stop endless search loops
ALSA: hda/hdmi: fix race in handling acomp ELD notification at resume
sctp: Fix out-of-bounds warning in sctp_process_asconf_param()
flow_dissector: Fix out-of-bounds warning in __skb_flow_bpf_to_target()
powerpc/smp: Set numa node before updating mask
ASoC: rt286: Generalize support for ALC3263 codec
ethtool: ioctl: Fix out-of-bounds warning in store_link_ksettings_for_user()
net: sched: tapr: prevent cycle_time == 0 in parse_taprio_schedule
samples/bpf: Fix broken tracex1 due to kprobe argument change
powerpc/pseries: Stop calling printk in rtas_stop_self()
drm/amd/display: fixed divide by zero kernel crash during dsc enablement
wl3501_cs: Fix out-of-bounds warnings in wl3501_send_pkt
wl3501_cs: Fix out-of-bounds warnings in wl3501_mgmt_join
qtnfmac: Fix possible buffer overflow in qtnf_event_handle_external_auth
powerpc/iommu: Annotate nested lock for lockdep
iavf: remove duplicate free resources calls
net: ethernet: mtk_eth_soc: fix RX VLAN offload
bnxt_en: Add PCI IDs for Hyper-V VF devices.
ia64: module: fix symbolizer crash on fdescr
ASoC: rt286: Make RT286_SET_GPIO_* readable and writable
thermal: thermal_of: Fix error return code of thermal_of_populate_bind_params()
f2fs: fix a redundant call to f2fs_balance_fs if an error occurs
PCI: iproc: Fix return value of iproc_msi_irq_domain_alloc()
PCI: Release OF node in pci_scan_device()'s error path
ARM: 9064/1: hw_breakpoint: Do not directly check the event's overflow_handler hook
rpmsg: qcom_glink_native: fix error return code of qcom_glink_rx_data()
NFSv4.2: Always flush out writes in nfs42_proc_fallocate()
NFS: Deal correctly with attribute generation counter overflow
PCI: endpoint: Fix missing destroy_workqueue()
pNFS/flexfiles: fix incorrect size check in decode_nfs_fh()
NFSv4.2 fix handling of sr_eof in SEEK's reply
rtc: fsl-ftm-alarm: add MODULE_TABLE()
ceph: fix inode leak on getattr error in __fh_to_dentry
rtc: ds1307: Fix wday settings for rx8130
net: hns3: fix incorrect configuration for igu_egu_hw_err
net: hns3: initialize the message content in hclge_get_link_mode()
net: hns3: add check for HNS3_NIC_STATE_INITED in hns3_reset_notify_up_enet()
net: hns3: fix for vxlan gpe tx checksum bug
net: hns3: use netif_tx_disable to stop the transmit queue
net: hns3: disable phy loopback setting in hclge_mac_start_phy
sctp: do asoc update earlier in sctp_sf_do_dupcook_a
RISC-V: Fix error code returned by riscv_hartid_to_cpuid()
sunrpc: Fix misplaced barrier in call_decode
ethernet:enic: Fix a use after free bug in enic_hard_start_xmit
sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b
netfilter: xt_SECMARK: add new revision to fix structure layout
drm/radeon: Fix off-by-one power_state index heap overwrite
drm/radeon: Avoid power table parsing memory leaks
khugepaged: fix wrong result value for trace_mm_collapse_huge_page_isolate()
mm/hugeltb: handle the error case in hugetlb_fix_reserve_counts()
mm/migrate.c: fix potential indeterminate pte entry in migrate_vma_insert_page()
ksm: fix potential missing rmap_item for stable_node
net: fix nla_strcmp to handle more then one trailing null character
smc: disallow TCP_ULP in smc_setsockopt()
netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check
can: m_can: m_can_tx_work_queue(): fix tx_skb race condition
sched: Fix out-of-bound access in uclamp
sched/fair: Fix unfairness caused by missing load decay
kernel: kexec_file: fix error return code of kexec_calculate_store_digests()
netfilter: nftables: avoid overflows in nft_hash_buckets()
i40e: Fix use-after-free in i40e_client_subtask()
i40e: fix the restart auto-negotiation after FEC modified
i40e: Fix PHY type identifiers for 2.5G and 5G adapters
ARC: entry: fix off-by-one error in syscall number validation
ARC: mm: PAE: use 40-bit physical page mask
powerpc/64s: Fix crashes when toggling stf barrier
powerpc/64s: Fix crashes when toggling entry flush barrier
hfsplus: prevent corruption in shrinking truncate
squashfs: fix divide error in calculate_skip()
userfaultfd: release page in error path to avoid BUG_ON
mm/hugetlb: fix F_SEAL_FUTURE_WRITE
drm/radeon/dpm: Disable sclk switching on Oland when two 4K 60Hz monitors are connected
drm/i915: Avoid div-by-zero on gen2
iio: proximity: pulsedlight: Fix rumtime PM imbalance on error
usb: fotg210-hcd: Fix an error message
hwmon: (occ) Fix poll rate limiting
ACPI: scan: Fix a memory leak in an error handling path
kyber: fix out of bounds access when preempted
nbd: Fix NULL pointer in flush_workqueue
blk-mq: Swap two calls in blk_mq_exit_queue()
iomap: fix sub-page uptodate handling
usb: dwc3: omap: improve extcon initialization
usb: dwc3: pci: Enable usb2-gadget-lpm-disable for Intel Merrifield
usb: xhci: Increase timeout for HC halt
usb: dwc2: Fix gadget DMA unmap direction
usb: core: hub: fix race condition about TRSMRCY of resume
usb: dwc3: gadget: Return success always for kick transfer in ep queue
xhci: Do not use GFP_KERNEL in (potentially) atomic context
xhci: Add reset resume quirk for AMD xhci controller.
iio: gyro: mpu3050: Fix reported temperature value
iio: tsl2583: Fix division by a zero lux_val
cdc-wdm: untangle a circular dependency between callback and softint
KVM: x86: Cancel pvclock_gtod_work on module removal
mm: fix struct page layout on 32-bit systems
FDDI: defxx: Make MMIO the configuration default except for EISA
MIPS: Reinstate platform `__div64_32' handler
MIPS: Avoid DIVU in `__div64_32' is result would be zero
MIPS: Avoid handcoded DIVU in `__div64_32' altogether
thermal/core/fair share: Lock the thermal zone while looping over instances
f2fs: fix error handling in f2fs_end_enable_verity()
ARM: 9011/1: centralize phys-to-virt conversion of DT/ATAGS address
ARM: 9012/1: move device tree mapping out of linear region
ARM: 9020/1: mm: use correct section size macro to describe the FDT virtual address
ARM: 9027/1: head.S: explicitly map DT even if it lives in the first physical section
usb: typec: tcpm: Fix error while calculating PPS out values
kobject_uevent: remove warning in init_uevent_argv()
netfilter: conntrack: Make global sysctls readonly in non-init netns
clk: exynos7: Mark aclk_fsys1_200 as critical
nvme: do not try to reconfigure APST when the controller is not live
ASoC: rsnd: check all BUSIF status when error
Linux 5.4.120
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iab57c5f8164542fa2a5bdc2c9a8f516ccfd67b5a
7a0a9f5cf8
sctp: fix a SCTP_MIB_CURRESTAB leak in sctp_sf_do_dupcook_b
[ Upstream commit f282df0391267fb2b263da1cc3233aa6fb81defc ]
Normally SCTP_MIB_CURRESTAB is always incremented once asoc enter into
ESTABLISHED from the state < ESTABLISHED and decremented when the asoc
is being deleted.
However, in sctp_sf_do_dupcook_b(), the asoc's state can be changed to
ESTABLISHED from the state >= ESTABLISHED where it shouldn't increment
SCTP_MIB_CURRESTAB. Otherwise, one asoc may increment MIB_CURRESTAB
multiple times but only decrement once at the end.
I was able to reproduce it by using scapy to do the 4-way handshake,
after that I replayed the COOKIE-ECHO chunk with 'peer_vtag' field
changed to different values, and SCTP_MIB_CURRESTAB was incremented
multiple times and never went back to 0 even when the asoc was freed.
This patch is to fix it by only incrementing SCTP_MIB_CURRESTAB when
the state < ESTABLISHED in sctp_sf_do_dupcook_b().
Fixes:
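The C program below is an added example written for this page, not kernel code. It models the gauge described above: SCTP_MIB_CURRESTAB goes up when an association first reaches ESTABLISHED and down once when the association is freed. It replays the reported scenario (complete the handshake, deliver repeated COOKIE-ECHO chunks that take the dupcook_b path, then tear down) with the counter update both unconditional and guarded by `state < ESTABLISHED`, and returns the value left behind. The state enum, the `do_dupcook_b` and `assoc_free` models and the function names are this example's own; only the ordering of the states and the rule in the fix come from the commit.

```c
#include <stdbool.h>
#include <stdio.h>

/* Association states in the order the SCTP state machine ranks them; the
 * comparison `state < ESTABLISHED` in the fix relies on this ordering. */
enum sctp_state { CLOSED, COOKIE_WAIT, COOKIE_ECHOED, ESTABLISHED,
                  SHUTDOWN_PENDING, SHUTDOWN_SENT, SHUTDOWN_RECEIVED,
                  SHUTDOWN_ACK_SENT };

struct net_mib { long cur_estab; };                   /* SCTP_MIB_CURRESTAB */
struct assoc   { enum sctp_state state; struct net_mib *mib; };

/* Normal path: the COOKIE-ACK moves COOKIE_ECHOED to ESTABLISHED and the
 * gauge goes up by one. A model of the handshake, not kernel code. */
static void establish_from_handshake(struct assoc *a)
{
    if (a->state < ESTABLISHED)
        a->mib->cur_estab++;
    a->state = ESTABLISHED;
}

/* Duplicate COOKIE-ECHO, case B: the association is set to ESTABLISHED
 * whatever state it was in. Before the fix the gauge was bumped every time;
 * after it, only when the state was still below ESTABLISHED. */
static void do_dupcook_b(struct assoc *a, bool fixed)
{
    if (!fixed || a->state < ESTABLISHED)
        a->mib->cur_estab++;
    a->state = ESTABLISHED;
}

/* Teardown decrements the gauge once for an association that reached
 * ESTABLISHED (model of the single decrement the commit describes). */
static void assoc_free(struct assoc *a)
{
    if (a->state >= ESTABLISHED)
        a->mib->cur_estab--;
    a->state = CLOSED;
}

/* Replay the reported scenario and return the gauge value left behind after
 * the association is freed; 0 is the correct value. */
long cur_estab_after_replays(int replays, bool fixed)
{
    struct net_mib mib = { 0 };
    struct assoc a = { COOKIE_ECHOED, &mib };
    establish_from_handshake(&a);
    for (int i = 0; i < replays; i++)
        do_dupcook_b(&a, fixed);          /* COOKIE-ECHO replayed with a changed peer_vtag */
    assoc_free(&a);
    return mib.cur_estab;
}

int main(void)
{
    printf("3 replays, unfixed: CURRESTAB left at %ld\n", cur_estab_after_replays(3, false));
    printf("3 replays, fixed:   CURRESTAB left at %ld\n", cur_estab_after_replays(3, true));
    return 0;
}
```

The unfixed variant leaves the gauge equal to the number of replays, which is the drift the commit observed: an attacker who can replay a COOKIE-ECHO against an established association can push the MIB value up without bound, while the fixed variant returns it to zero.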
b1b31948c0
sctp: do asoc update earlier in sctp_sf_do_dupcook_a
[ Upstream commit 35b4f24415c854cd718ccdf38dbea6297f010aae ]
There's a panic that occurs in a few envs, the call trace is as below:
[] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI
[] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp]
[] sctp_assoc_control_transport+0x1b9/0x210 [sctp]
[] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp]
[] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp]
[] sctp_do_sm+0xc3/0x2a0 [sctp]
[] sctp_generate_timeout_event+0x81/0xf0 [sctp]
This is caused by a transport use-after-free issue. When processing a
duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK
and SHUTDOWN chunks are allocated with the transport from the new asoc.
However, later in the sideeffect machine, the old asoc is used to send
them out and old asoc's shutdown_last_sent_to is set to the transport
that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually
belongs to the new asoc. After the new_asoc is freed and the old asoc
T2 timeout, the old asoc's shutdown_last_sent_to that is already freed
would be accessed in sctp_sf_t2_timer_expire().
Thanks Alexander and Jere for helping dig into this issue.
To fix it, this patch is to do the asoc update first, then allocate
the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This
would make more sense, as a chunk from an asoc shouldn't be sent out
with another asoc. We had fixed quite a few issues caused by this.
Fixes: 145cb2f7177d ("sctp: Fix bundling of SHUTDOWN with COOKIE-ACK")
Reported-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Reported-by: syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com
Reported-by: Michal Tesar <mtesar@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
5f24807c3c
sctp: Fix out-of-bounds warning in sctp_process_asconf_param()
[ Upstream commit e5272ad4aab347dde5610c0aedb786219e3ff793 ]
Fix the following out-of-bounds warning:
net/sctp/sm_make_chunk.c:3150:4: warning: 'memcpy' offset [17, 28] from the object at 'addr' is out of the bounds of referenced subobject 'v4' with type 'struct sockaddr_in' at offset 0 [-Warray-bounds]
This helps with the ongoing efforts to globally enable -Warray-bounds
and get us closer to being able to tighten the FORTIFY_SOURCE routines
on memcpy().
Link: https://github.com/KSPP/linux/issues/109
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
279b3b1a2b
This is the 5.4.119 stable release
Merge 5.4.119 into android11-5.4-lts
Changes in 5.4.119
Bluetooth: verify AMP hci_chan before amp_destroy
hsr: use netdev_err() instead of WARN_ONCE()
bluetooth: eliminate the potential race condition when removing the HCI controller
net/nfc: fix use-after-free llcp_sock_bind/connect
Revert "USB: cdc-acm: fix rounding error in TIOCSSERIAL"
tty: moxa: fix TIOCSSERIAL jiffies conversions
tty: amiserial: fix TIOCSSERIAL permission check
USB: serial: usb_wwan: fix TIOCSSERIAL jiffies conversions
staging: greybus: uart: fix TIOCSSERIAL jiffies conversions
USB: serial: ti_usb_3410_5052: fix TIOCSSERIAL permission check
staging: fwserial: fix TIOCSSERIAL jiffies conversions
tty: moxa: fix TIOCSSERIAL permission check
staging: fwserial: fix TIOCSSERIAL permission check
usb: typec: tcpm: Address incorrect values of tcpm psy for fixed supply
usb: typec: tcpm: Address incorrect values of tcpm psy for pps supply
usb: typec: tcpm: update power supply once partner accepts
usb: xhci-mtk: remove or operator for setting schedule parameters
usb: xhci-mtk: improve bandwidth scheduling with TT
ASoC: samsung: tm2_wm5110: check of of_parse return value
ASoC: Intel: kbl_da7219_max98927: Fix kabylake_ssp_fixup function
MIPS: pci-mt7620: fix PLL lock check
MIPS: pci-rt2880: fix slot 0 configuration
FDDI: defxx: Bail out gracefully with unassigned PCI resource for CSR
PCI: Allow VPD access for QLogic ISP2722
iio:accel:adis16201: Fix wrong axis assignment that prevents loading
misc: lis3lv02d: Fix false-positive WARN on various HP models
misc: vmw_vmci: explicitly initialize vmci_notify_bm_set_msg struct
misc: vmw_vmci: explicitly initialize vmci_datagram payload
md/bitmap: wait for external bitmap writes to complete during tear down
md-cluster: fix use-after-free issue when removing rdev
md: split mddev_find
md: factor out a mddev_find_locked helper from mddev_find
md: md_open returns -EBUSY when entering racing area
md: Fix missing unused status line of /proc/mdstat
ipw2x00: potential buffer overflow in libipw_wx_set_encodeext()
cfg80211: scan: drop entry from hidden_list on overflow
rtw88: Fix array overrun in rtw_get_tx_power_params()
drm/panfrost: Clear MMU irqs before handling the fault
drm/panfrost: Don't try to map pages that are already mapped
drm/radeon: fix copy of uninitialized variable back to userspace
drm/amd/display: Reject non-zero src_y and src_x for video planes
ALSA: hda/realtek: Re-order ALC882 Acer quirk table entries
ALSA: hda/realtek: Re-order ALC882 Sony quirk table entries
ALSA: hda/realtek: Re-order ALC882 Clevo quirk table entries
ALSA: hda/realtek: Re-order ALC269 HP quirk table entries
ALSA: hda/realtek: Re-order ALC269 Acer quirk table entries
ALSA: hda/realtek: Re-order ALC269 Dell quirk table entries
ALSA: hda/realtek: Re-order ALC269 ASUS quirk table entries
ALSA: hda/realtek: Re-order ALC269 Sony quirk table entries
ALSA: hda/realtek: Re-order ALC269 Lenovo quirk table entries
ALSA: hda/realtek: Re-order remaining ALC269 quirk table entries
ALSA: hda/realtek: Re-order ALC662 quirk table entries
ALSA: hda/realtek: Remove redundant entry for ALC861 Haier/Uniwill devices
ALSA: hda/realtek: ALC285 Thinkpad jack pin quirk is unreachable
KVM: s390: split kvm_s390_logical_to_effective
KVM: s390: fix guarded storage control register handling
s390: fix detection of vector enhancements facility 1 vs. vector packed decimal facility
KVM: s390: split kvm_s390_real_to_abs
KVM: nVMX: Truncate bits 63:32 of VMCS field on nested check in !64-bit
KVM: Stop looking for coalesced MMIO zones if the bus is destroyed
Revert "i3c master: fix missing destroy_workqueue() on error in i3c_master_register"
ovl: fix missing revert_creds() on error path
usb: gadget: pch_udc: Revert
3fe9ee040f
sctp: delay auto_asconf init until binding the first addr
commit 34e5b01186858b36c4d7c87e1a025071e8e2401f upstream.
As Or Cohen described:
If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock
held and sp->do_auto_asconf is true, then an element is removed
from the auto_asconf_splist without any proper locking.
This can happen in the following functions:
1. In sctp_accept, if sctp_sock_migrate fails.
2. In inet_create or inet6_create, if there is a bpf program
attached to BPF_CGROUP_INET_SOCK_CREATE which denies
creation of the sctp socket.
This patch is to fix it by moving the auto_asconf init out of
sctp_init_sock(), by which inet_create()/inet6_create() won't
need to operate it in sctp_destroy_sock() when calling
sk_common_release().
It also makes more sense to do auto_asconf init while binding the
first addr, as auto_asconf actually requires an ANY addr bind,
see it in sctp_addr_wq_timeout_handler().
This addresses CVE-2021-23133.
Fixes:
e1bf000709
Revert "net/sctp: fix race condition in sctp_destroy_sock"
commit 01bfe5e8e428b475982a98a46cca5755726f3f7f upstream.
This reverts commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b.
This one has to be reverted as it introduced a deadlock, as syzbot
reported:
       CPU0                    CPU1
       ----                    ----
  lock(&net->sctp.addr_wq_lock);
                               lock(slock-AF_INET6);
                               lock(&net->sctp.addr_wq_lock);
  lock(slock-AF_INET6);
CPU0 is the thread of sctp_addr_wq_timeout_handler(), and CPU1 is that
of sctp_close().
The original issue this commit fixed will be fixed in the next patch.
Reported-by: syzbot+959223586843e69a2674@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
8fd4b0daa5
This is the 5.4.114 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmCABPYACgkQONu9yGCS
aT610xAAuFVE0FEaisv42yiS/jNtZk8NpPuBSaB1vP9TOyn1PyrO4p2klUdrFrLX
2d7ssYKZimDS4HB0lmr6tPXjQCuI3E2qB3s9mJntEZuxjweLR22uLC7DtWo4VDYt
87oM+jaWMao+3YOXpvbd2S8tA/WkvaBbYmXAGsO2XFoyUPhzxBXi+Mzoj5WeGPtc
bQd+Odt1n00HJSyuSlXaBeuwzVHLq43Kxm2kKt7lBH3W1IKElRnw84XJAHAylDZ4
EwIkgncGm7EN25Nk9EESC0cvCBM6PK61S7CggOtcvyrPGRBqFlmbDKFxLT2BxIdP
MuyXLvHRm6/oQb1brvWdeHw0++KwJ884HJF2/bB9ZXU8wCR317BA3dYMdSMvv7V3
3zickdfoPW8c5H/8t+BobGJoHFQ895xrwxAcQGR8oBtfjqo4JGd+9QnoEdaXb/7o
0t36qJLFYVKfkaeTxOTyQeImw79KVv4T/hXlwPBkdBu/yC8kfVL6ckJ+MfL1LH4B
BkDMT5K/Fyp3HIyNakiB9c0s9ZgdvCI0hpZvEXX69VmEVnoEokxcQXc0YHvqMpz6
neH8snkuWc2fQhsSa4hkhcmx50ohTd5MQPJ7Fp8sx4NrLJ1aJNvG1YhWqJCNkRBx
TRWSB7ipf+mesMHn4RIXINHmgvxpHHP/B6O3DvtSJPjZBtpImWw=
=Xqnx
-----END PGP SIGNATURE-----
Merge 5.4.114 into android11-5.4-lts
Changes in 5.4.114
Revert "scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure"
Revert "scsi: qla2xxx: Fix stuck login session using prli_pend_timer"
scsi: qla2xxx: Dual FCP-NVMe target port support
scsi: qla2xxx: Fix device connect issues in P2P configuration
scsi: qla2xxx: Retry PLOGI on FC-NVMe PRLI failure
scsi: qla2xxx: Add a shadow variable to hold disc_state history of fcport
scsi: qla2xxx: Fix stuck login session using prli_pend_timer
scsi: qla2xxx: Fix fabric scan hang
net/sctp: fix race condition in sctp_destroy_sock
Input: nspire-keypad - enable interrupts only when opened
gpio: sysfs: Obey valid_mask
dmaengine: dw: Make it dependent to HAS_IOMEM
ARM: dts: Drop duplicate sha2md5_fck to fix clk_disable race
ARM: dts: Fix moving mmc devices with aliases for omap4 & 5
lockdep: Add a missing initialization hint to the "INFO: Trying to register non-static key" message
arc: kernel: Return -EFAULT if copy_to_user() fails
ASoC: max98373: Added 30ms turn on/off time delay
neighbour: Disregard DEAD dst in neigh_update
ARM: keystone: fix integer overflow warning
ARM: omap1: fix building with clang IAS
drm/msm: Fix a5xx/a6xx timestamps
ASoC: fsl_esai: Fix TDM slot setup for I2S mode
scsi: scsi_transport_srp: Don't block target in SRP_PORT_LOST state
net: ieee802154: stop dump llsec keys for monitors
net: ieee802154: forbid monitor for add llsec key
net: ieee802154: forbid monitor for del llsec key
net: ieee802154: stop dump llsec devs for monitors
net: ieee802154: forbid monitor for add llsec dev
net: ieee802154: forbid monitor for del llsec dev
net: ieee802154: stop dump llsec devkeys for monitors
net: ieee802154: forbid monitor for add llsec devkey
net: ieee802154: forbid monitor for del llsec devkey
net: ieee802154: stop dump llsec seclevels for monitors
net: ieee802154: forbid monitor for add llsec seclevel
pcnet32: Use pci_resource_len to validate PCI resource
mac80211: clear sta->fast_rx when STA removed from 4-addr VLAN
virt_wifi: Return micros for BSS TSF values
Input: s6sy761 - fix coordinate read bit shift
Input: i8042 - fix Pegatron C15B ID entry
HID: wacom: set EV_KEY and EV_ABS only for non-HID_GENERIC type of devices
dm verity fec: fix misaligned RS roots IO
readdir: make sure to verify directory entry for legacy interfaces too
arm64: fix inline asm in load_unaligned_zeropad()
arm64: alternatives: Move length validation in alternative_{insn, endif}
vfio/pci: Add missing range check in vfio_pci_mmap
riscv: Fix spelling mistake "SPARSEMEM" to "SPARSMEM"
scsi: libsas: Reset num_scatter if libata marks qc as NODATA
netfilter: conntrack: do not print icmpv6 as unknown via /proc
libnvdimm/region: Fix nvdimm_has_flush() to handle ND_REGION_ASYNC
netfilter: bridge: add pre_exit hooks for ebtable unregistration
netfilter: arp_tables: add pre_exit hook for table unregister
net: macb: fix the restore of cmp registers
netfilter: nft_limit: avoid possible divide error in nft_limit_init
net: davicom: Fix regulator not turned off on failed probe
net: sit: Unregister catch-all devices
net: ip6_tunnel: Unregister catch-all devices
i40e: fix the panic when running bpf in xdpdrv mode
ibmvnic: avoid calling napi_disable() twice
ibmvnic: remove duplicate napi_schedule call in do_reset function
ibmvnic: remove duplicate napi_schedule call in open function
gro: ensure frag0 meets IP header alignment
ARM: footbridge: fix PCI interrupt mapping
arm64: dts: allwinner: Fix SD card CD GPIO for SOPine systems
r8169: remove fiddling with the PCIe max read request size
r8169: simplify setting PCI_EXP_DEVCTL_NOSNOOP_EN
r8169: fix performance regression related to PCIe max read request size
r8169: improve rtl_jumbo_config
r8169: tweak max read request size for newer chips also in jumbo mtu mode
r8169: don't advertise pause in jumbo mode
ARM: 9071/1: uprobes: Don't hook on thumb instructions
net: phy: marvell: fix detection of PHY on Topaz switches
Linux 5.4.114
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I6de0e60e2781e020d93ea5dfaea2c1b6049b120c
6180d2274b
net/sctp: fix race condition in sctp_destroy_sock
commit b166a20b07382b8bc1dcee2a448715c9c2c81b5b upstream.
If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock
held and sp->do_auto_asconf is true, then an element is removed
from the auto_asconf_splist without any proper locking.
This can happen in the following functions:
1. In sctp_accept, if sctp_sock_migrate fails.
2. In inet_create or inet6_create, if there is a bpf program
attached to BPF_CGROUP_INET_SOCK_CREATE which denies
creation of the sctp socket.
The bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock
instead of sctp_close.
This addresses CVE-2021-23133.
Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Fixes:
f6865f9c47
This is the 5.4.112 stable release
Merge 5.4.112 into android11-5.4-lts
Changes in 5.4.112
counter: stm32-timer-cnt: fix ceiling miss-alignment with reload register
ALSA: aloop: Fix initialization of controls
ALSA: hda/realtek: Fix speaker amp setup on Acer Aspire E1
ASoC: intel: atom: Stop advertising non working S24LE support
nfc: fix refcount leak in llcp_sock_bind()
nfc: fix refcount leak in llcp_sock_connect()
nfc: fix memory leak in llcp_sock_connect()
nfc: Avoid endless loops caused by repeated llcp_sock_connect()
xen/evtchn: Change irq_info lock to raw_spinlock_t
net: ipv6: check for validity before dereferencing cfg->fc_nlinfo.nlh
net: dsa: lantiq_gswip: Let GSWIP automatically set the xMII clock
drm/i915: Fix invalid access to ACPI _DSM objects
gcov: re-fix clang-11+ support
ia64: fix user_stack_pointer() for ptrace()
nds32: flush_dcache_page: use page_mapping_file to avoid races with swapoff
ocfs2: fix deadlock between setattr and dio_end_io_write
fs: direct-io: fix missing sdio->boundary
parisc: parisc-agp requires SBA IOMMU driver
parisc: avoid a warning on u8 cast for cmpxchg on u8 pointers
ARM: dts: turris-omnia: configure LED[2]/INTn pin as interrupt pin
batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field
ice: Increase control queue timeout
ice: Fix for dereference of NULL pointer
ice: Cleanup fltr list in case of allocation issues
net: hso: fix null-ptr-deref during tty device unregistration
ethernet/netronome/nfp: Fix a use after free in nfp_bpf_ctrl_msg_rx
bpf, sockmap: Fix sk->prot unhash op reset
net: ensure mac header is set in virtio_net_hdr_to_skb()
i40e: Fix sparse warning: missing error code 'err'
i40e: Fix sparse error: 'vsi->netdev' could be null
net: sched: sch_teql: fix null-pointer dereference
mac80211: fix TXQ AC confusion
net: hsr: Reset MAC header for Tx path
net-ipv6: bugfix - raw & sctp - switch to ipv6_can_nonlocal_bind()
net: let skb_orphan_partial wake-up waiters.
usbip: add sysfs_lock to synchronize sysfs code paths
usbip: stub-dev synchronize sysfs code paths
usbip: vudc synchronize sysfs code paths
usbip: synchronize event handler with sysfs code paths
i2c: turn recovery error on init to debug
virtio_net: Add XDP meta data support
net: dsa: lantiq_gswip: Don't use PHY auto polling
net: dsa: lantiq_gswip: Configure all remaining GSWIP_MII_CFG bits
xfrm: interface: fix ipv4 pmtu check to honor ip header df
regulator: bd9571mwv: Fix AVS and DVFS voltage range
net: xfrm: Localize sequence counter per network namespace
esp: delete NETIF_F_SCTP_CRC bit from features for esp offload
ASoC: SOF: Intel: hda: remove unnecessary parentheses
ASoC: SOF: Intel: HDA: fix core status verification
ASoC: wm8960: Fix wrong bclk and lrclk with pll enabled for some chips
xfrm: Fix NULL pointer dereference on policy lookup
i40e: Added Asym_Pause to supported link modes
i40e: Fix kernel oops when i40e driver removes VF's
hostfs: Use kasprintf() instead of fixed buffer formatting
hostfs: fix memory handling in follow_link()
amd-xgbe: Update DMA coherency values
sch_red: fix off-by-one checks in red_check_params()
arm64: dts: imx8mm/q: Fix pad control of SD1_DATA0
can: bcm/raw: fix msg_namelen values depending on CAN_REQUIRED_SIZE
gianfar: Handle error code at MAC address change
cxgb4: avoid collecting SGE_QBASE regs during traffic
net:tipc: Fix a double free in tipc_sk_mcast_rcv
ARM: dts: imx6: pbab01: Set vmmc supply for both SD interfaces
net/ncsi: Avoid channel_monitor hrtimer deadlock
nfp: flower: ignore duplicate merge hints from FW
net: phy: broadcom: Only advertise EEE for supported modes
ASoC: sunxi: sun4i-codec: fill ASoC card owner
net/mlx5e: Fix ethtool indication of connector type
net/mlx5: Don't request more than supported EQs
net/rds: Fix a use after free in rds_message_map_pages
soc/fsl: qbman: fix conflicting alignment attributes
i40e: Fix display statistics for veb_tc
drm/msm: Set drvdata to NULL when msm_drm_init() fails
net: udp: Add support for getsockopt(..., ..., UDP_GRO, ..., ...);
scsi: ufs: Fix irq return code
scsi: ufs: Avoid busy-waiting by eliminating tag conflicts
scsi: ufs: Use blk_{get,put}_request() to allocate and free TMFs
scsi: ufs: core: Fix task management request completion timeout
scsi: ufs: core: Fix wrong Task Tag used in task management request UPIUs
net: macb: restore cmp registers on resume path
clk: fix invalid usage of list cursor in register
clk: fix invalid usage of list cursor in unregister
workqueue: Move the position of debug_work_activate() in __queue_work()
s390/cpcmd: fix inline assembly register clobbering
perf inject: Fix repipe usage
net: openvswitch: conntrack: simplify the return expression of ovs_ct_limit_get_default_limit()
openvswitch: fix send of uninitialized stack memory in ct limit reply
net: hns3: clear VF down state bit before request link status
net/mlx5: Fix placement of log_max_flow_counter
net/mlx5: Fix PBMC register mapping
RDMA/cxgb4: check for ipv6 address properly while destroying listener
RDMA/addr: Be strict with gid size
RAS/CEC: Correct ce_add_elem()'s returned values
clk: socfpga: fix iomem pointer cast on 64-bit
dt-bindings: net: ethernet-controller: fix typo in NVMEM
net: sched: bump refcount for new action in ACT replace mode
cfg80211: remove WARN_ON() in cfg80211_sme_connect
net: tun: set tun->dev->addr_len during TUNSETLINK processing
drivers: net: fix memory leak in atusb_probe
drivers: net: fix memory leak in peak_usb_create_dev
net: mac802154: Fix general protection fault
net: ieee802154: nl-mac: fix check on panid
net: ieee802154: fix nl802154 del llsec key
net: ieee802154: fix nl802154 del llsec dev
net: ieee802154: fix nl802154 add llsec key
net: ieee802154: fix nl802154 del llsec devkey
net: ieee802154: forbid monitor for set llsec params
net: ieee802154: forbid monitor for del llsec seclevel
net: ieee802154: stop dump llsec params for monitors
Revert "cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath."
Linux 5.4.112
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I6849a183d86323395041645f332c33bd4f3a7e8c
fd8a95d560
net-ipv6: bugfix - raw & sctp - switch to ipv6_can_nonlocal_bind()
commit 630e4576f83accf90366686f39808d665d8dbecc upstream.
Found by virtue of ipv6 raw sockets not honouring the per-socket
IP{,V6}_FREEBIND setting.
Based on hits found via:
git grep '[.]ip_nonlocal_bind'
We fix both raw ipv6 sockets to honour IP{,V6}_FREEBIND and IP{,V6}_TRANSPARENT,
and we fix sctp sockets to honour IP{,V6}_TRANSPARENT (they already honoured
FREEBIND), and not just the ipv6 'ip_nonlocal_bind' sysctl.
The helper is defined as:
static inline bool ipv6_can_nonlocal_bind(struct net *net, struct inet_sock *inet) {
return net->ipv6.sysctl.ip_nonlocal_bind || inet->freebind || inet->transparent;
}
so this change only widens the accepted opt-outs and is thus a clean bugfix.
I'm not entirely sure what 'fixes' tag to add, since this is AFAICT an ancient bug,
but IMHO this should be applied to stable kernels as far back as possible.
As such I'm adding a 'fixes' tag with the commit that originally added the helper,
which happened in 4.19. Backporting to older LTS kernels (at least 4.9 and 4.14)
would presumably require open-coding it or backporting the helper as well.
Other possibly relevant commits:
v4.18-rc6-1502-g83ba4645152d net: add helpers checking if socket can be bound to nonlocal address
v4.18-rc6-1431-gd0c1f01138c4 net/ipv6: allow any source address for sendmsg pktinfo with ip_nonlocal_bind
v4.14-rc5-271-gb71d21c274ef sctp: full support for ipv6 ip_nonlocal_bind & IP_FREEBIND
v4.7-rc7-1883-g9b9742022888 sctp: support ipv6 nonlocal bind
v4.1-12247-g35a256fee52c ipv6: Nonlocal bind
Cc: Lorenzo Colitti <lorenzo@google.com>
Fixes:
7834d8fef1
This is the 5.4.99 stable release
Merge 5.4.99 into android11-5.4-lts
Changes in 5.4.99
gpio: ep93xx: fix BUG_ON port F usage
gpio: ep93xx: Fix single irqchip with multi gpiochips
tracing: Do not count ftrace events in top level enable output
tracing: Check length before giving out the filter buffer
arm/xen: Don't probe xenbus as part of an early initcall
cgroup: fix psi monitor for root cgroup
arm64: dts: rockchip: Fix PCIe DT properties on rk3399
arm64: dts: qcom: sdm845: Reserve LPASS clocks in gcc
ARM: OMAP2+: Fix suspcious RCU usage splats for omap_enter_idle_coupled
platform/x86: hp-wmi: Disable tablet-mode reporting by default
ovl: perform vfs_getxattr() with mounter creds
cap: fix conversions on getxattr
ovl: skip getxattr of security labels
nvme-pci: ignore the subsysem NQN on Phison E16
drm/amd/display: Add more Clock Sources to DCN2.1
drm/amd/display: Fix dc_sink kref count in emulated_link_detect
drm/amd/display: Free atomic state after drm_atomic_commit
drm/amd/display: Decrement refcount of dc_sink before reassignment
riscv: virt_addr_valid must check the address belongs to linear mapping
bfq-iosched: Revert "bfq: Fix computation of shallow depth"
ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL
ARM: ensure the signal page contains defined contents
ARM: kexec: fix oops after TLB are invalidated
vmlinux.lds.h: Create section for protection against instrumentation
lkdtm: don't move ctors to .rodata
mt76: dma: fix a possible memory leak in mt76_add_fragment()
drm/vc4: hvs: Fix buffer overflow with the dlist handling
bpf: Check for integer overflow when using roundup_pow_of_two()
netfilter: xt_recent: Fix attempt to update deleted entry
netfilter: nftables: fix possible UAF over chains from packet path in netns
netfilter: flowtable: fix tcp and udp header checksum update
xen/netback: avoid race in xenvif_rx_ring_slots_available()
net: enetc: initialize the RFS and RSS memories
selftests: txtimestamp: fix compilation issue
net: stmmac: set TxQ mode back to DCB after disabling CBS
ibmvnic: Clear failover_pending if unable to schedule
netfilter: conntrack: skip identical origin tuple in same zone only
x86/build: Disable CET instrumentation in the kernel for 32-bit too
net: hns3: add a check for queue_id in hclge_reset_vf_queue()
firmware_loader: align .builtin_fw to 8
drm/sun4i: tcon: set sync polarity for tcon1 channel
drm/sun4i: Fix H6 HDMI PHY configuration
drm/sun4i: dw-hdmi: Fix max. frequency for H6
clk: sunxi-ng: mp: fix parent rate change flag check
i2c: stm32f7: fix configuration of the digital filter
h8300: fix PREEMPTION build, TI_PRE_COUNT undefined
usb: dwc3: ulpi: fix checkpatch warning
usb: dwc3: ulpi: Replace CPU-based busyloop with Protocol-based one
rxrpc: Fix clearance of Tx/Rx ring when releasing a call
udp: fix skb_copy_and_csum_datagram with odd segment sizes
net: dsa: call teardown method on probe failure
net: gro: do not keep too many GRO packets in napi->rx_list
net: fix iteration for sctp transport seq_files
net/vmw_vsock: improve locking in vsock_connect_timeout()
net: watchdog: hold device global xmit lock during tx disable
vsock/virtio: update credit only if socket is not closed
vsock: fix locking in vsock_shutdown()
net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
net/qrtr: restrict user-controlled length in qrtr_tun_write_iter()
ovl: expand warning in ovl_d_real()
Linux 5.4.99
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I28713d7ddd79d24b3007872877e51063df21a01e
611d93fbea
net: fix iteration for sctp transport seq_files
commit af8085f3a4712c57d0dd415ad543bac85780375c upstream.
The sctp transport seq_file iterators take a reference to the transport
in the ->start and ->next functions and release the reference in the
->show function. The preferred handling for such resources is to release
them in the subsequent ->next or ->stop function call.
Since Commit
e62a15d252
This is the 5.4.92 stable release
Merge 5.4.92 into android11-5.4-lts
Changes in 5.4.92
usb: ohci: Make distrust_firmware param default to false
compiler.h: Raise minimum version of GCC to 5.1 for arm64
xen/privcmd: allow fetching resource sizes
elfcore: fix building with clang
scsi: lpfc: Make function lpfc_defer_pt2pt_acc static
scsi: lpfc: Make lpfc_defer_acc_rsp static
spi: npcm-fiu: simplify the return expression of npcm_fiu_probe()
spi: npcm-fiu: Disable clock in probe error path
nfsd4: readdirplus shouldn't return parent of export
bpf: Don't leak memory in bpf getsockopt when optlen == 0
bpf: Fix helper bpf_map_peek_elem_proto pointing to wrong callback
udp: Prevent reuseport_select_sock from reading uninitialized socks
netxen_nic: fix MSI/MSI-x interrupts
net: introduce skb_list_walk_safe for skb segment walking
net: skbuff: disambiguate argument and member for skb_list_walk_safe helper
net: ipv6: Validate GSO SKB before finish IPv6 processing
mlxsw: core: Add validation of transceiver temperature thresholds
mlxsw: core: Increase critical threshold for ASIC thermal zone
net: mvpp2: Remove Pause and Asym_Pause support
rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request
esp: avoid unneeded kmap_atomic call
net: dcb: Validate netlink message in DCB handler
net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands
rxrpc: Call state should be read with READ_ONCE() under some circumstances
net: stmmac: Fixed mtu channged by cache aligned
net: sit: unregister_netdevice on newlink's error path
net: avoid 32 x truesize under-estimation for tiny skbs
rxrpc: Fix handling of an unsupported token type in rxrpc_read()
net, sctp, filter: remap copy_from_user failure error
tipc: fix NULL deref in tipc_link_xmit()
mac80211: do not drop tx nulldata packets on encrypted links
mac80211: check if atf has been disabled in __ieee80211_schedule_txq
spi: cadence: cache reference clock rate during probe
Linux 5.4.92
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Iba977ff2184a57b57dbd56e1273f94d3ec3467ce
55bac51762
net, sctp, filter: remap copy_from_user failure error
[ no upstream commit ]
Fix a potential kernel address leakage for the prerequisite where there is
a BPF program attached to the cgroup/setsockopt hook. The latter can only
be attached under root, however, if the attached program returns 1 to then
run the related kernel handler, an unprivileged program could probe for
kernel addresses that way. The reason this is possible is that we're under
set_fs(KERNEL_DS) when running the kernel setsockopt handler. Aside from
old cBPF there is also SCTP's struct sctp_getaddrs_old which contains
pointers in the uapi struct that further need copy_from_user() inside the
handler. In the normal case this would just return -EFAULT, but under a
temporary KERNEL_DS setting the memory would be copied and we'd end up at
a different error code, that is, -EINVAL, for both cases given subsequent
validations fail, which then allows the app to distinguish and make use of
this fact for probing the address space. In case of later kernel versions
this issue won't work anymore thanks to Christoph Hellwig's work that got
rid of the various temporary set_fs() address space overrides altogether.
One potential option for 5.4 as the only affected stable kernel with the
least complexity would be to remap those affected -EFAULT copy_from_user()
error codes with -EINVAL such that they cannot be probed anymore. Risk of
breakage should be rather low for this particular error case.
Fixes:
34098f9cce
This is the 5.4.80 stable release
Merge 5.4.80 into android11-5.4-lts
Changes in 5.4.80
ah6: fix error return code in ah6_input()
atm: nicstar: Unmap DMA on send error
bnxt_en: read EEPROM A2h address using page 0
devlink: Add missing genlmsg_cancel() in devlink_nl_sb_port_pool_fill()
Exempt multicast addresses from five-second neighbor lifetime
inet_diag: Fix error path to cancel the meseage in inet_req_diag_fill()
ipv6: Fix error path to cancel the meseage
lan743x: fix issue causing intermittent kernel log warnings
lan743x: prevent entire kernel HANG on open, for some platforms
mlxsw: core: Use variable timeout for EMAD retries
net: b44: fix error return code in b44_init_one()
net: bridge: add missing counters to ndo_get_stats64 callback
net: dsa: mv88e6xxx: Avoid VTU corruption on 6097
net: ethernet: ti: cpsw: fix error return code in cpsw_probe()
net: Have netpoll bring-up DSA management interface
netlabel: fix our progress tracking in netlbl_unlabel_staticlist()
netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist()
net: lantiq: Wait for the GPHY firmware to be ready
net/mlx4_core: Fix init_hca fields offset
net: qualcomm: rmnet: Fix incorrect receive packet handling during cleanup
net/smc: fix direct access to ib_gid_addr->ndev in smc_ib_determine_gid()
net/tls: fix corrupted data in recvmsg
net: x25: Increase refcnt of "struct x25_neigh" in x25_rx_call_request
page_frag: Recover from memory pressure
qed: fix error return code in qed_iwarp_ll2_start()
qlcnic: fix error return code in qlcnic_83xx_restart_hw()
sctp: change to hold/put transport for proto_unreach_timer
tcp: only postpone PROBE_RTT if RTT is < current min_rtt estimate
net/mlx5: Add handling of port type in rule deletion
net/mlx5: Disable QoS when min_rates on all VFs are zero
net: usb: qmi_wwan: Set DTR quirk for MR400
net/ncsi: Fix netlink registration
net: ftgmac100: Fix crash when removing driver
pinctrl: rockchip: enable gpio pclk for rockchip_gpio_to_irq
scsi: ufs: Fix unbalanced scsi_block_reqs_cnt caused by ufshcd_hold()
selftests: kvm: Fix the segment descriptor layout to match the actual layout
ACPI: button: Add DMI quirk for Medion Akoya E2228T
arm64: errata: Fix handling of
04b7fd7609
sctp: change to hold/put transport for proto_unreach_timer
[ Upstream commit 057a10fa1f73d745c8e69aa54ab147715f5630ae ]
A call trace was found in Hangbin's Codenomicon testing with debug kernel:
[ 2615.981988] ODEBUG: free active (active state 0) object type: timer_list hint: sctp_generate_proto_unreach_event+0x0/0x3a0 [sctp]
[ 2615.995050] WARNING: CPU: 17 PID: 0 at lib/debugobjects.c:328 debug_print_object+0x199/0x2b0
[ 2616.095934] RIP: 0010:debug_print_object+0x199/0x2b0
[ 2616.191533] Call Trace:
[ 2616.194265] <IRQ>
[ 2616.202068] debug_check_no_obj_freed+0x25e/0x3f0
[ 2616.207336] slab_free_freelist_hook+0xeb/0x140
[ 2616.220971] kfree+0xd6/0x2c0
[ 2616.224293] rcu_do_batch+0x3bd/0xc70
[ 2616.243096] rcu_core+0x8b9/0xd00
[ 2616.256065] __do_softirq+0x23d/0xacd
[ 2616.260166] irq_exit+0x236/0x2a0
[ 2616.263879] smp_apic_timer_interrupt+0x18d/0x620
[ 2616.269138] apic_timer_interrupt+0xf/0x20
[ 2616.273711] </IRQ>
This is because it holds asoc when transport->proto_unreach_timer starts
and puts asoc when the timer stops, and without holding transport the
transport could be freed when the timer is still running.
So fix it by holding/putting transport instead for proto_unreach_timer
in transport, just like other timers in transport.
v1->v2:
- Also use sctp_transport_put() for the "out_unlock:" path in
sctp_generate_proto_unreach_event(), as Marcelo noticed.
Fixes: