052619d9e1
64381 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Luiz Augusto von Dentz
|
784cc16aed |
BACKPORT: Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
commit d0be8347c623e0ac4202a1d4e0373882821f56b0 upstream. This fixes the following trace which is caused by hci_rx_work starting up *after* the final channel reference has been put() during sock_close() but *before* the references to the channel have been destroyed, so instead the code now rely on kref_get_unless_zero/l2cap_chan_hold_unless_zero to prevent referencing a channel that is about to be destroyed. refcount_t: increment on 0; use-after-free. BUG: KASAN: use-after-free in refcount_dec_and_test+0x20/0xd0 Read of size 4 at addr ffffffc114f5bf18 by task kworker/u17:14/705 CPU: 4 PID: 705 Comm: kworker/u17:14 Tainted: G S W 4.14.234-00003-g1fb6d0bd49a4-dirty #28 Hardware name: Qualcomm Technologies, Inc. SM8150 V2 PM8150 Google Inc. MSM sm8150 Flame DVT (DT) Workqueue: hci0 hci_rx_work Call trace: dump_backtrace+0x0/0x378 show_stack+0x20/0x2c dump_stack+0x124/0x148 print_address_description+0x80/0x2e8 __kasan_report+0x168/0x188 kasan_report+0x10/0x18 __asan_load4+0x84/0x8c refcount_dec_and_test+0x20/0xd0 l2cap_chan_put+0x48/0x12c l2cap_recv_frame+0x4770/0x6550 l2cap_recv_acldata+0x44c/0x7a4 hci_acldata_packet+0x100/0x188 hci_rx_work+0x178/0x23c process_one_work+0x35c/0x95c worker_thread+0x4cc/0x960 kthread+0x1a8/0x1c4 ret_from_fork+0x10/0x18 Bug: 165329981 Cc: stable@kernel.org Reported-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Tested-by: Lee Jones <lee.jones@linaro.org> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I6efae55d8014740aebc8c3534846c2d249068b29 |
||
Greg Kroah-Hartman
|
0974b8411a |
This is the 5.10.117 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmKErRkACgkQONu9yGCS aT72JRAAh2kFubIgH2IrQ+A8wjObsU8me3qgv7lyli51yzWIBwMlGttSA8f4z1w9 XW4J9kWzZh+r6Tfu67VXYwNcst9fYsQ3RTVo01agin4XMKi84QhIVrUpllk2fJoO 28SoxzQP/SDolLtURD6yFxdeaodCEv8tGj8WPkjRMZnyDPcmvjjTb/fSgpnPdLap uAN57k0HXcWh3nIadLayuBOQTOYbMupuuB+4vWwTy4xsdZZYTICofVnFTjBYoIMk cSs9b3fDjMVq2Zm2z4S7QI+bV+i3sZ+QTrRRGmv//R10I280a19r4sOLZHoAb8Al TaJRZhor7WDWmPDF83QuJ2CDZnDFPvEHHtUSNsYJN3SpZmcYJbB3THL+4CGKwz6b DwOqAx3g28uQSgMeTIB5fd1A4OHvHnGgdGLqnLCyfvQVPh9bAnrEHo1U22D0ehzf 6GKatGdQGaPXjOqnYBY3r3c6tyTwaGmnle1CRR5zljuRMpemlu3+IiF926t19pJ8 +VGhTzJLZqgkwyPuJ04tUXHRasPIS4zxyXCuTmvJBb8CWFkkRe/dqsOpuoblX0jw kl6u24r2KxsCuqQ4ekUP1d8K+AhCk8OOu0G/wThuTcT0IeS5eaoatPKYHT/QhxNu c6F9tppO/YD5gYRXoqf950hLdV2XIetswupkwTcoL0Ws313xPAU= =qIBX -----END PGP SIGNATURE----- Merge 5.10.117 into android12-5.10-lts Changes in 5.10.117 batman-adv: Don't skb_split skbuffs with frag_list iwlwifi: iwl-dbg: Use del_timer_sync() before freeing hwmon: (tmp401) Add OF device ID table mac80211: Reset MBSSID parameters upon connection net: Fix features skip in for_each_netdev_feature() net: mscc: ocelot: fix last VCAP IS1/IS2 filter persisting in hardware when deleted net: mscc: ocelot: fix VCAP IS2 filters matching on both lookups net: mscc: ocelot: restrict tc-trap actions to VCAP IS2 lookup 0 net: mscc: ocelot: avoid corrupting hardware counters when moving VCAP filters ipv4: drop dst in multicast routing path drm/nouveau: Fix a potential theorical leak in nouveau_get_backlight_name() netlink: do not reset transport header in netlink_recvmsg() sfc: Use swap() instead of open coding it net: sfc: fix memory leak due to ptp channel mac80211_hwsim: call ieee80211_tx_prepare_skb under RCU protection nfs: fix broken handling of the softreval mount option ionic: fix missing pci_release_regions() on error in ionic_probe() dim: initialize all struct fields hwmon: (ltq-cputemp) restrict it to SOC_XWAY selftests: vm: Makefile: rename TARGETS to VMTARGETS s390/ctcm: fix variable dereferenced before check s390/ctcm: fix potential memory leak s390/lcs: fix variable dereferenced before check net/sched: act_pedit: really ensure the skb is writable net: bcmgenet: Check for Wake-on-LAN interrupt probe deferral net: dsa: bcm_sf2: Fix Wake-on-LAN with mac_link_down() net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending net: sfc: ef10: fix memory leak in efx_ef10_mtd_probe() tls: Fix context leak on tls_device_down gfs2: Fix filesystem block deallocation for short writes hwmon: (f71882fg) Fix negative temperature ASoC: max98090: Reject invalid values in custom control put() ASoC: max98090: Generate notifications on changes for custom control ASoC: ops: Validate input values in snd_soc_put_volsw_range() s390: disable -Warray-bounds net: emaclite: Don't advertise 1000BASE-T and do auto negotiation net: sfp: Add tx-fault workaround for Huawei MA5671A SFP ONT tcp: resalt the secret every 10 seconds firmware_loader: use kernel credentials when reading firmware tty/serial: digicolor: fix possible null-ptr-deref in digicolor_uart_probe() tty: n_gsm: fix mux activation issues in gsm_config() usb: cdc-wdm: fix reading stuck on device close usb: typec: tcpci: Don't skip cleanup in .remove() on error usb: typec: tcpci_mt6360: Update for BMC PHY setting USB: serial: pl2303: add device id for HP LM930 Display USB: serial: qcserial: add support for Sierra Wireless EM7590 USB: serial: option: add Fibocom L610 modem USB: serial: option: add Fibocom MA510 modem slimbus: qcom: Fix IRQ check in qcom_slim_probe serial: 8250_mtk: Fix UART_EFR register address serial: 8250_mtk: Fix register address for XON/XOFF character ceph: fix setting of xattrs on async created inodes drm/nouveau/tegra: Stop using iommu_present() i40e: i40e_main: fix a missing check on list iterator net: atlantic: always deep reset on pm op, fixing up my null deref regression cgroup/cpuset: Remove cpus_allowed/mems_allowed setup in cpuset_init_smp() drm/vmwgfx: Initialize drm_mode_fb_cmd2 SUNRPC: Clean up scheduling of autoclose SUNRPC: Prevent immediate close+reconnect SUNRPC: Don't call connect() more than once on a TCP socket SUNRPC: Ensure we flush any closed sockets before xs_xprt_free() net: phy: Fix race condition on link status change arm[64]/memremap: don't abuse pfn_valid() to ensure presence of linear map ping: fix address binding wrt vrf usb: gadget: uvc: rename function to be more consistent usb: gadget: uvc: allow for application to cleanly shutdown io_uring: always use original task when preparing req identity SUNRPC: Fix fall-through warnings for Clang Linux 5.10.117 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I677e4d4d12cbccaffce43327f7ae09f8f3521497 |
||
Gustavo A. R. Silva
|
937c6b0e3e |
SUNRPC: Fix fall-through warnings for Clang
commit 93f479d3ad05497f29f2bed58e4a6c6a4f0a548c upstream. In preparation to enable -Wimplicit-fallthrough for Clang, fix multiple warnings by explicitly adding multiple break statements instead of letting the code fall through to the next case. Link: https://github.com/KSPP/linux/issues/115 Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Nicolas Dichtel
|
002e7223dc |
ping: fix address binding wrt vrf
commit e1a7ac6f3ba6e157adcd0ca94d92a401f1943f56 upstream.
When ping_group_range is updated, 'ping' uses the DGRAM ICMP socket,
instead of an IP raw socket. In this case, 'ping' is unable to bind its
socket to a local address owned by a vrflite.
Before the patch:
$ sysctl -w net.ipv4.ping_group_range='0 2147483647'
$ ip link add blue type vrf table 10
$ ip link add foo type dummy
$ ip link set foo master blue
$ ip link set foo up
$ ip addr add 192.168.1.1/24 dev foo
$ ip addr add 2001::1/64 dev foo
$ ip vrf exec blue ping -c1 -I 192.168.1.1 192.168.1.2
ping: bind: Cannot assign requested address
$ ip vrf exec blue ping6 -c1 -I 2001::1 2001::2
ping6: bind icmp socket: Cannot assign requested address
CC: stable@vger.kernel.org
Fixes:
|
||
Trond Myklebust
|
e68b60ae29 |
SUNRPC: Ensure we flush any closed sockets before xs_xprt_free()
commit f00432063db1a0db484e85193eccc6845435b80e upstream.
We must ensure that all sockets are closed before we call xprt_free()
and release the reference to the net namespace. The problem is that
calling fput() will defer closing the socket until delayed_fput() gets
called.
Let's fix the situation by allowing rpciod and the transport teardown
code (which runs on the system wq) to call __fput_sync(), and directly
close the socket.
Reported-by: Felix Fu <foyjog@gmail.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Fixes:
|
||
|
Trond Myklebust
|
dbe6974a39 |
SUNRPC: Don't call connect() more than once on a TCP socket
commit 89f42494f92f448747bd8a7ab1ae8b5d5520577d upstream.
Avoid socket state races due to repeated calls to ->connect() using the
same socket. If connect() returns 0 due to the connection having
completed, but we are in fact in a closing state, then we may leave the
XPRT_CONNECTING flag set on the transport.
Reported-by: Enrico Scholz <enrico.scholz@sigma-chemnitz.de>
Fixes: 3be232f11a3c ("SUNRPC: Prevent immediate close+reconnect")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
[meenashanmugam: Backported to 5.10: Fixed merge conflict in xs_tcp_setup_socket]
Signed-off-by: Meena Shanmugam <meenashanmugam@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
|
||
|
Trond Myklebust
|
47541ed4d4 |
SUNRPC: Prevent immediate close+reconnect
commit 3be232f11a3cc9b0ef0795e39fa11bdb8e422a06 upstream. If we have already set up the socket and are waiting for it to connect, then don't immediately close and retry. Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Meena Shanmugam <meenashanmugam@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Trond Myklebust
|
2ab569edd8 |
SUNRPC: Clean up scheduling of autoclose
commit e26d9972720e2484f44cdd94ca4e31cc372ed2ed upstream. Consolidate duplicated code in xprt_force_disconnect() and xprt_conditional_disconnect(). Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com> Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com> Signed-off-by: Meena Shanmugam <meenashanmugam@google.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Eric Dumazet
|
d254309aab |
tcp: resalt the secret every 10 seconds
[ Upstream commit 4dfa9b438ee34caca4e6a4e5e961641807367f6f ] In order to limit the ability for an observer to recognize the source ports sequence used to contact a set of destinations, we should periodically shuffle the secret. 10 seconds looks effective enough without causing particular issues. Cc: Moshe Kol <moshe.kol@mail.huji.ac.il> Cc: Yossi Gilad <yossi.gilad@mail.huji.ac.il> Cc: Amit Klein <aksecurity@gmail.com> Cc: Jason A. Donenfeld <Jason@zx2c4.com> Tested-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Maxim Mikityanskiy
|
fccf4bf3f2 |
tls: Fix context leak on tls_device_down
[ Upstream commit 3740651bf7e200109dd42d5b2fb22226b26f960a ]
The commit cited below claims to fix a use-after-free condition after
tls_device_down. Apparently, the description wasn't fully accurate. The
context stayed alive, but ctx->netdev became NULL, and the offload was
torn down without a proper fallback, so a bug was present, but a
different kind of bug.
Due to misunderstanding of the issue, the original patch dropped the
refcount_dec_and_test line for the context to avoid the alleged
premature deallocation. That line has to be restored, because it matches
the refcount_inc_not_zero from the same function, otherwise the contexts
that survived tls_device_down are leaked.
This patch fixes the described issue by restoring refcount_dec_and_test.
After this change, there is no leak anymore, and the fallback to
software kTLS still works.
Fixes: c55dcdd435aa ("net/tls: Fix use-after-free after the TLS device goes down and up")
Signed-off-by: Maxim Mikityanskiy <maximmi@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Link: https://lore.kernel.org/r/20220512091830.678684-1-maximmi@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
|
||
Guangguan Wang
|
d5e1b41bf7 |
net/smc: non blocking recvmsg() return -EAGAIN when no data and signal_pending
[ Upstream commit f3c46e41b32b6266cf60b0985c61748f53bf1c61 ]
Non blocking sendmsg will return -EAGAIN when any signal pending
and no send space left, while non blocking recvmsg return -EINTR
when signal pending and no data received. This may makes confused.
As TCP returns -EAGAIN in the conditions described above. Align the
behavior of smc with TCP.
Fixes:
|
||
Paolo Abeni
|
abe35bf3be |
net/sched: act_pedit: really ensure the skb is writable
[ Upstream commit 8b796475fd7882663a870456466a4fb315cc1bd6 ]
Currently pedit tries to ensure that the accessed skb offset
is writable via skb_unclone(). The action potentially allows
touching any skb bytes, so it may end-up modifying shared data.
The above causes some sporadic MPTCP self-test failures, due to
this code:
tc -n $ns2 filter add dev ns2eth$i egress \
protocol ip prio 1000 \
handle 42 fw \
action pedit munge offset 148 u8 invert \
pipe csum tcp \
index 100
The above modifies a data byte outside the skb head and the skb is
a cloned one, carrying a TCP output packet.
This change addresses the issue by keeping track of a rough
over-estimate highest skb offset accessed by the action and ensuring
such offset is really writable.
Note that this may cause performance regressions in some scenarios,
but hopefully pedit is not in the critical path.
Fixes:
|
||
|
Eric Dumazet
|
33c93f6e55 |
netlink: do not reset transport header in netlink_recvmsg()
[ Upstream commit d5076fe4049cadef1f040eda4aaa001bb5424225 ]
netlink_recvmsg() does not need to change transport header.
If transport header was needed, it should have been reset
by the producer (netlink_dump()), not the consumer(s).
The following trace probably happened when multiple threads
were using MSG_PEEK.
BUG: KCSAN: data-race in netlink_recvmsg / netlink_recvmsg
write to 0xffff88811e9f15b2 of 2 bytes by task 32012 on cpu 1:
skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
sock_recvmsg_nosec net/socket.c:948 [inline]
sock_recvmsg net/socket.c:966 [inline]
__sys_recvfrom+0x204/0x2c0 net/socket.c:2097
__do_sys_recvfrom net/socket.c:2115 [inline]
__se_sys_recvfrom net/socket.c:2111 [inline]
__x64_sys_recvfrom+0x74/0x90 net/socket.c:2111
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
write to 0xffff88811e9f15b2 of 2 bytes by task 32005 on cpu 0:
skb_reset_transport_header include/linux/skbuff.h:2760 [inline]
netlink_recvmsg+0x1de/0x790 net/netlink/af_netlink.c:1978
____sys_recvmsg+0x162/0x2f0
___sys_recvmsg net/socket.c:2674 [inline]
__sys_recvmsg+0x209/0x3f0 net/socket.c:2704
__do_sys_recvmsg net/socket.c:2714 [inline]
__se_sys_recvmsg net/socket.c:2711 [inline]
__x64_sys_recvmsg+0x42/0x50 net/socket.c:2711
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0xffff -> 0x0000
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 32005 Comm: syz-executor.4 Not tainted 5.18.0-rc1-syzkaller-00328-ge1f700ebd6be-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes:
|
||
Lokesh Dhoundiyal
|
54f26fc07e |
ipv4: drop dst in multicast routing path
[ Upstream commit 9e6c6d17d1d6a3f1515ce399f9a011629ec79aa0 ]
kmemleak reports the following when routing multicast traffic over an
ipsec tunnel.
Kmemleak output:
unreferenced object 0x8000000044bebb00 (size 256):
comm "softirq", pid 0, jiffies 4294985356 (age 126.810s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 80 00 00 00 05 13 74 80 ..............t.
80 00 00 00 04 9b bf f9 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000f83947e0>] __kmalloc+0x1e8/0x300
[<00000000b7ed8dca>] metadata_dst_alloc+0x24/0x58
[<0000000081d32c20>] __ipgre_rcv+0x100/0x2b8
[<00000000824f6cf1>] gre_rcv+0x178/0x540
[<00000000ccd4e162>] gre_rcv+0x7c/0xd8
[<00000000c024b148>] ip_protocol_deliver_rcu+0x124/0x350
[<000000006a483377>] ip_local_deliver_finish+0x54/0x68
[<00000000d9271b3a>] ip_local_deliver+0x128/0x168
[<00000000bd4968ae>] xfrm_trans_reinject+0xb8/0xf8
[<0000000071672a19>] tasklet_action_common.isra.16+0xc4/0x1b0
[<0000000062e9c336>] __do_softirq+0x1fc/0x3e0
[<00000000013d7914>] irq_exit+0xc4/0xe0
[<00000000a4d73e90>] plat_irq_dispatch+0x7c/0x108
[<000000000751eb8e>] handle_int+0x16c/0x178
[<000000001668023b>] _raw_spin_unlock_irqrestore+0x1c/0x28
The metadata dst is leaked when ip_route_input_mc() updates the dst for
the skb. Commit
|
||
Manikanta Pubbisetty
|
c420d66047 |
mac80211: Reset MBSSID parameters upon connection
[ Upstream commit 86af062f40a73bf63321694e6bf637144f0383fe ]
Currently MBSSID parameters in struct ieee80211_bss_conf
are not reset upon connection. This could be problematic
with some drivers in a scenario where the device first
connects to a non-transmit BSS and then connects to a
transmit BSS of a Multi BSS AP. The MBSSID parameters
which are set after connecting to a non-transmit BSS will
not be reset and the same parameters will be passed on to
the driver during the subsequent connection to a transmit
BSS of a Multi BSS AP.
For example, firmware running on the ath11k device uses the
Multi BSS data for tracking the beacon of a non-transmit BSS
and reports the driver when there is a beacon miss. If we do
not reset the MBSSID parameters during the subsequent
connection to a transmit BSS, then the driver would have
wrong MBSSID data and FW would be looking for an incorrect
BSSID in the MBSSID beacon of a Multi BSS AP and reports
beacon loss leading to an unstable connection.
Reset the MBSSID parameters upon every connection to solve this
problem.
Fixes:
|
||
Sven Eckelmann
|
a6a73781b4 |
batman-adv: Don't skb_split skbuffs with frag_list
[ Upstream commit a063f2fba3fa633a599253b62561051ac185fa99 ]
The receiving interface might have used GRO to receive more fragments than
MAX_SKB_FRAGS fragments. In this case, these will not be stored in
skb_shinfo(skb)->frags but merged into the frag list.
batman-adv relies on the function skb_split to split packets up into
multiple smaller packets which are not larger than the MTU on the outgoing
interface. But this function cannot handle frag_list entries and is only
operating on skb_shinfo(skb)->frags. If it is still trying to split such an
skb and xmit'ing it on an interface without support for NETIF_F_FRAGLIST,
then validate_xmit_skb() will try to linearize it. But this fails due to
inconsistent information. And __pskb_pull_tail will trigger a BUG_ON after
skb_copy_bits() returns an error.
In case of entries in frag_list, just linearize the skb before operating on
it with skb_split().
Reported-by: Felix Kaechele <felix@kaechele.ca>
Fixes:
|
||
|
Greg Kroah-Hartman
|
0577ff1c69 |
This is the 5.10.116 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmKBP7IACgkQONu9yGCS
aT5VzQ/9Ed75mD3HMc++efYdqclRotN80MMLRypmcw+hIXBe8nbUvHaRmFkFtatV
IiDTDVHNDPvhU+CGHKYgNnCEmZqZUjtHalG+pH05wTY3Kc01emJ6bcnAzBWaHsbc
/083tEGnq3LT71YpqaMP0OL6xihqKaNquH8dN6ZlKUeIQHcnuEgm+TaIPKRBQkVt
DTmUlcOsLFk9xN/lR8iXV5vnzMPVIBlzGBk4eBhZeOo8k/fHCqMLqa5ndwn6ZN1i
V3MhopG1ZR7X3N38rpvFGn+yGWGSz8w1c+WeFRqEI82+gMrbeKNfNDF5QHAYC3B1
HlaqhGPWzM6bB+sHZUNA5FaCeybjwSjvA/76idPKHi65N1Z/qJKqO9fRyHXPJpjK
CA7Q0wsLb8Ui/T6eEqxCtaj0zN7F4TpKyZXkGpRMMCJ+FFObCsoU+RqJifr0kznl
0bI9x+O17DMwYT95vQaM5lsIO+Nme3s+H5zTFiE4tVCHk3+C6H2lu99dDudMUpLM
vitjrHkbVovXmnV4iyRFIUafhtCFxu3leJNwKxNUbofFgQ+/PQkEMfDzVTxsYe2F
8Z8ZRBMw0YEq+3qTvTiBw614jNqr9NMJ697E84rL9kc6oAucXfeaE9lnB1R5zYeT
a5Tt0kLtuPmd8RB6euUWsnTfh+EWIFkfDXfkK8L9r5Nc10aML4o=
=3OVe
-----END PGP SIGNATURE-----
Merge 5.10.116 into android12-5.10-lts
Changes in 5.10.116
MIPS: Use address-of operator on section symbols
regulator: consumer: Add missing stubs to regulator/consumer.h
block: drbd: drbd_nl: Make conversion to 'enum drbd_ret_code' explicit
drm/amd/display/dc/gpio/gpio_service: Pass around correct dce_{version, environment} types
nfp: bpf: silence bitwise vs. logical OR warning
arm: remove CONFIG_ARCH_HAS_HOLES_MEMORYMODEL
Bluetooth: Fix the creation of hdev->name
mm: fix missing cache flush for all tail pages of compound page
mm: hugetlb: fix missing cache flush in copy_huge_page_from_user()
mm: userfaultfd: fix missing cache flush in mcopy_atomic_pte() and __mcopy_atomic()
Linux 5.10.116
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie56f60d172ca37af63c180390007d6b65d0618a5
|
||
|
Greg Kroah-Hartman
|
3f70116e5f |
This is the 5.10.115 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmJ84ScACgkQONu9yGCS aT7E9hAAhsDVk1xE/vaWbEiMy5H+dWR6zoP57lHf2G/lKvkQ0dByZZTOyxlKSf+y 6tZyysI3iXk8bGNDsRzHh0N4CpnjnRPug6JJlmeLTPTwY94xqKvspJhGubATjLSE QX11CRqFFE4gsJnlnGRh6LLnX0pTbqnvJ49TUf1uUbQ1qJE9l3eY+Jzac2m4N/k7 f13075u8iZS3Qe6l4CcED07L+5Dg4ZvtzF68JFrT27jt25kk8kjZ+rXqP+AeHUd7 THGTLvW5PH0GPG5oalb1ySDsuBcQJaCkteoAuHJ2HJN/HhFEyRLHfbSOwgmFzlny 0uMkn2STJ/WlQzYjZ3RgmVvskkIEys2g0/WNS313Z5XHQo+Beb6TossMI8Ti/fBt W0c27iOxBHtK5PMm6G8/fznQmSOmBggWQE+VKCaPAWWxbKkghxa9FxeXd9QoLJgk V8VxlipblQzg7TZzhxXcBeXLRvltUVkUxWJZCuRGWcPy8jpTu1s9QmIT/EHPpcA8 53uvkZGGFP7sQCL0h0c49cpMgFSQ6dLkEPDQ6C0A/Du1vy0b4cgdlEfwxY0nLHiL 9s7gP215waUY37p+vp1aq/D+Dh1ayPObmERrkyU6/t0nmaqJZdg+Cr3CP0NFzITe KpHpcCwBxOj+PRQNlK7su3eCwEl5bbzusqrdt6NTbNQ9VmQHatY= =Rf1h -----END PGP SIGNATURE----- Merge 5.10.115 into android12-5.10-lts Changes in 5.10.115 MIPS: Fix CP0 counter erratum detection for R4k CPUs parisc: Merge model and model name into one line in /proc/cpuinfo ALSA: hda/realtek: Add quirk for Yoga Duet 7 13ITL6 speakers ALSA: fireworks: fix wrong return count shorter than expected by 4 bytes mmc: sdhci-msm: Reset GCC_SDCC_BCR register for SDHC mmc: core: Set HS clock speed before sending HS CMD13 gpiolib: of: fix bounds check for 'gpio-reserved-ranges' KVM: x86/svm: Account for family 17h event renumberings in amd_pmc_perf_hw_id iommu/vt-d: Calculate mask for non-aligned flushes drm/amd/display: Avoid reading audio pattern past AUDIO_CHANNELS_COUNT Revert "SUNRPC: attempt AF_LOCAL connect on setup" firewire: fix potential uaf in outbound_phy_packet_callback() firewire: remove check of list iterator against head past the loop body firewire: core: extend card->lock in fw_core_handle_bus_reset net: stmmac: disable Split Header (SPH) for Intel platforms genirq: Synchronize interrupt thread startup ASoC: da7219: Fix change notifications for tone generator frequency ASoC: wm8958: Fix change notifications for DSP controls ASoC: meson: Fix event generation for AUI ACODEC mux ASoC: meson: Fix event generation for G12A tohdmi mux ASoC: meson: Fix event generation for AUI CODEC mux s390/dasd: fix data corruption for ESE devices s390/dasd: prevent double format of tracks for ESE devices s390/dasd: Fix read for ESE with blksize < 4k s390/dasd: Fix read inconsistency for ESE DASD devices can: grcan: grcan_close(): fix deadlock can: isotp: remove re-binding of bound socket can: grcan: use ofdev->dev when allocating DMA memory can: grcan: grcan_probe(): fix broken system id check for errata workaround needs can: grcan: only use the NAPI poll budget for RX nfc: replace improper check device_is_registered() in netlink related functions nfc: nfcmrvl: main: reorder destructive operations in nfcmrvl_nci_unregister_dev to avoid bugs NFC: netlink: fix sleep in atomic bug when firmware download timeout gpio: pca953x: fix irq_stat not updated when irq is disabled (irq_mask not set) hwmon: (adt7470) Fix warning on module removal ASoC: dmaengine: Restore NULL prepare_slave_config() callback net/mlx5e: Fix trust state reset in reload net/mlx5e: Don't match double-vlan packets if cvlan is not set net/mlx5e: CT: Fix queued up restore put() executing after relevant ft release net/mlx5e: Fix the calling of update_buffer_lossy() API net/mlx5: Avoid double clear or set of sync reset requested selftests/seccomp: Don't call read() on TTY from background pgrp RDMA/siw: Fix a condition race issue in MPA request processing NFSv4: Don't invalidate inode attributes on delegation return net: ethernet: mediatek: add missing of_node_put() in mtk_sgmii_init() net: dsa: mt7530: add missing of_node_put() in mt7530_setup() net: stmmac: dwmac-sun8i: add missing of_node_put() in sun8i_dwmac_register_mdio_mux() net: cpsw: add missing of_node_put() in cpsw_probe_dt() net: emaclite: Add error handling for of_address_to_resource() hinic: fix bug of wq out of bound access selftests: mirror_gre_bridge_1q: Avoid changing PVID while interface is operational bnxt_en: Fix possible bnxt_open() failure caused by wrong RFS flag bnxt_en: Fix unnecessary dropping of RX packets selftests: ocelot: tc_flower_chains: specify conform-exceed action for policer smsc911x: allow using IRQ0 btrfs: always log symlinks in full mode net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter() kvm: x86/cpuid: Only provide CPUID leaf 0xA if host has architectural PMU net/mlx5: Fix slab-out-of-bounds while reading resource dump menu x86/kvm: Preserve BSP MSR_KVM_POLL_CONTROL across suspend/resume KVM: x86: Do not change ICR on write to APIC_SELF_IPI KVM: x86/mmu: avoid NULL-pointer dereference on page freeing bugs KVM: LAPIC: Enable timer posted-interrupt only when mwait/hlt is advertised rcu: Fix callbacks processing time limit retaining cond_resched() rcu: Apply callbacks processing time limit only on softirq block-map: add __GFP_ZERO flag for alloc_page in function bio_copy_kern dm: interlock pending dm_io and dm_wait_for_bios_completion PCI: aardvark: Clear all MSIs at setup PCI: aardvark: Fix reading MSI interrupt number mmc: rtsx: add 74 Clocks in power on flow Linux 5.10.115 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I7fb58d6de4b0d2c26f4d83f4e59d4915993571a5 |
||
Itay Iellin
|
185fa5984d |
Bluetooth: Fix the creation of hdev->name
commit 103a2f3255a95991252f8f13375c3a96a75011cd upstream. Set a size limit of 8 bytes of the written buffer to "hdev->name" including the terminating null byte, as the size of "hdev->name" is 8 bytes. If an id value which is greater than 9999 is allocated, then the "snprintf(hdev->name, sizeof(hdev->name), "hci%d", id)" function call would lead to a truncation of the id value in decimal notation. Set an explicit maximum id parameter in the id allocation function call. The id allocation function defines the maximum allocated id value as the maximum id parameter value minus one. Therefore, HCI_MAX_ID is defined as 10000. Signed-off-by: Itay Iellin <ieitayie@gmail.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
|
Greg Kroah-Hartman
|
ee8877df71 |
Revert "tcp: ensure to use the most recently sent skb when filling the rate sample"
This reverts commit
|
||
|
Greg Kroah-Hartman
|
6273d79c86 |
This is the 5.10.114 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmJ4vqgACgkQONu9yGCS aT6QRRAA1w5DvnVDBc87zfegqoYAffgWJAmifSraMlb9gQIorKziH3UA/Z1AIn3D AB/ogqmpWacj5FFxOZtaC46224zCMV20dTsLx8tdigR5V04n4ZYXwoAvZB2FycFa uPq4ak3myPKYPofysq6iBExOxnVOtJicklMFwPu25Nf7O8/On0XyqGaHx4rTSlBx pgM3PLdBUlFJmkWsRtiQ6fIPZ8td38Dffk6E1oPW0ZZqDHEjZTE+rfeeGJv6FCdO CIR542BxgS/mlyfmLdaFkm4pO5Spminb9kEbU173R9RGUop0QSxkGn8AQbqD22Ts 74UChzqCEkhoY/qFCxE1rX1mYHYp3XwNuvbD389ocEw5M7ZqVNxf7oDjoqlY81rI t1U6I3S6ET3T18i9UmF4GGJHr1kpT+TYMi1n1moNwft4twlrSVsNgKJ8pH51P9+M MIQJE+mxj50aE5PZNc3LUzIs3E3+/5fyOEahmLBaXR/3117uklc3XQwuWr+UzGwJ 7sI383AAU0RHHM1IOTba4A8gd4z5DbFeRd9Fhl/drZ/gVYVpfkscqfUCBlWIdZ/A wj2DKc4jRFXzflKTHuce2mxuJAOpjjpTz3yBw1qs9gcbB+xIFfei9kZXaXEUzKuu wwCGW7cuGuXWJr3rFkMqY00ioLxjUZ6e3Kha5kyzwoHZ1r5ARcA= =ihPO -----END PGP SIGNATURE----- Merge 5.10.114 into android12-5.10-lts Changes in 5.10.114 floppy: disable FDRAWCMD by default lightnvm: disable the subsystem usb: mtu3: fix USB 3.0 dual-role-switch from device to host USB: quirks: add a Realtek card reader USB: quirks: add STRING quirk for VCOM device USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader USB: serial: option: add support for Cinterion MV32-WA/MV32-WB USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions xhci: Enable runtime PM on second Alderlake controller xhci: stop polling roothubs after shutdown xhci: increase usb U3 -> U0 link resume timeout from 100ms to 500ms iio: dac: ad5592r: Fix the missing return value. iio: dac: ad5446: Fix read_raw not returning set value iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on() iio: imu: inv_icm42600: Fix I2C init possible nack usb: misc: fix improper handling of refcount in uss720_probe() usb: typec: ucsi: Fix reuse of completion structure usb: typec: ucsi: Fix role swapping usb: gadget: uvc: Fix crash when encoding data for usb request usb: gadget: configfs: clear deactivation flag in configfs_composite_unbind() usb: dwc3: Try usb-role-switch first in dwc3_drd_init usb: dwc3: core: Fix tx/rx threshold settings usb: dwc3: core: Only handle soft-reset in DCTL usb: dwc3: gadget: Return proper request status usb: cdns3: Fix issue for clear halt endpoint usb: phy: generic: Get the vbus supply serial: imx: fix overrun interrupts in DMA mode serial: 8250: Also set sticky MCR bits in console restoration serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device arch_topology: Do not set llc_sibling if llc_id is invalid pinctrl: samsung: fix missing GPIOLIB on ARM64 Exynos config hex2bin: make the function hex_to_bin constant-time hex2bin: fix access beyond string end riscv: patch_text: Fixup last cpu should be master x86/pci/xen: Disable PCI/MSI[-X] masking for XEN_HVM guests iocost: don't reset the inuse weight of under-weighted debtors video: fbdev: udlfb: properly check endpoint type arm64: dts: meson: remove CPU opps below 1GHz for G12B boards arm64: dts: meson: remove CPU opps below 1GHz for SM1 boards iio:imu:bmi160: disable regulator in error path mtd: rawnand: fix ecc parameters for mt7622 USB: Fix xhci event ring dequeue pointer ERDP update issue ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe phy: samsung: exynos5250-sata: fix missing device put in probe error paths ARM: OMAP2+: Fix refcount leak in omap_gic_of_init bus: ti-sysc: Make omap3 gpt12 quirk handling SoC specific phy: ti: omap-usb2: Fix error handling in omap_usb2_enable_clocks ARM: dts: at91: Map MCLK for wm8731 on at91sam9g20ek ARM: dts: at91: sama5d4_xplained: fix pinctrl phandle name phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe phy: ti: Add missing pm_runtime_disable() in serdes_am654_probe ARM: dts: Fix mmc order for omap3-gta04 ARM: dts: am3517-evm: Fix misc pinmuxing ARM: dts: logicpd-som-lv: Fix wrong pinmuxing on OMAP35 ipvs: correctly print the memory size of ip_vs_conn_tab pinctrl: mediatek: moore: Fix build error mtd: rawnand: Fix return value check of wait_for_completion_timeout mtd: fix 'part' field data corruption in mtd_info pinctrl: stm32: Do not call stm32_gpio_get() for edge triggered IRQs in EOI memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode net: dsa: Add missing of_node_put() in dsa_port_link_register_of netfilter: nft_set_rbtree: overlap detection with element re-addition after deletion bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook pinctrl: rockchip: fix RK3308 pinmux bits tcp: md5: incorrect tcp_header_len for incoming connections pinctrl: stm32: Keep pinctrl block clock enabled when LEVEL IRQ requested tcp: ensure to use the most recently sent skb when filling the rate sample wireguard: device: check for metadata_dst with skb_valid_dst() sctp: check asoc strreset_chunk in sctp_generate_reconf_event ARM: dts: imx6ull-colibri: fix vqmmc regulator arm64: dts: imx8mn-ddr4-evk: Describe the 32.768 kHz PMIC clock pinctrl: pistachio: fix use of irq_of_parse_and_map() cpufreq: fix memory leak in sun50i_cpufreq_nvmem_probe net: hns3: modify the return code of hclge_get_ring_chain_from_mbx net: hns3: add validity check for message data length net: hns3: add return value for mailbox handling in PF net/smc: sync err code when tcp connection was refused ip_gre: Make o_seqno start from 0 in native mode ip6_gre: Make o_seqno start from 0 in native mode ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT tcp: make sure treq->af_specific is initialized bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create() clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource() net: bcmgenet: hide status block before TX timestamping net: phy: marvell10g: fix return value on error net: dsa: lantiq_gswip: Don't set GSWIP_MII_CFG_RMII_CLK drm/amdkfd: Fix GWS queue count drm/amd/display: Fix memory leak in dcn21_clock_source_create tls: Skip tls_append_frag on zero copy size bnx2x: fix napi API usage sequence net: fec: add missing of_node_put() in fec_enet_init_stop_mode() ixgbe: ensure IPsec VF<->PF compatibility ibmvnic: fix miscellaneous checks Revert "ibmvnic: Add ethtool private flag for driver-defined queue limits" tcp: fix F-RTO may not work correctly when receiving DSACK ASoC: Intel: soc-acpi: correct device endpoints for max98373 ASoC: wm8731: Disable the regulator when probing fails ext4: fix bug_on in start_this_handle during umount filesystem x86: __memcpy_flushcache: fix wrong alignment if size > 2^32 cifs: destage any unwritten data to the server before calling copychunk_write drivers: net: hippi: Fix deadlock in rr_close() powerpc/perf: Fix 32bit compile zonefs: Fix management of open zones zonefs: Clear inode information flags on inode creation kasan: prevent cpu_quarantine corruption when CPU offline and cache shrink occur at same time drm/i915: Fix SEL_FETCH_PLANE_*(PIPE_B+) register addresses net: ethernet: stmmac: fix write to sgmii_adapter_base thermal: int340x: Fix attr.show callback prototype x86/cpu: Load microcode during restore_processor_state() perf symbol: Pass is_kallsyms to symbols__fixup_end() perf symbol: Update symbols__fixup_end() tty: n_gsm: fix restart handling via CLD command tty: n_gsm: fix decoupled mux resource tty: n_gsm: fix mux cleanup after unregister tty device tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2 tty: n_gsm: fix malformed counter for out of frame data netfilter: nft_socket: only do sk lookups when indev is available tty: n_gsm: fix insufficient txframe size tty: n_gsm: fix wrong DLCI release order tty: n_gsm: fix missing explicit ldisc flush tty: n_gsm: fix wrong command retry handling tty: n_gsm: fix wrong command frame length field encoding tty: n_gsm: fix reset fifo race condition tty: n_gsm: fix incorrect UA handling tty: n_gsm: fix software flow control handling perf symbol: Remove arch__symbols__fixup_end() Linux 5.10.114 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I5bae5ef7c58046213b62c82599707f569a955337 |
||
|
Eric Dumazet
|
0a960a3672 |
net: igmp: respect RCU rules in ip_mc_source() and ip_mc_msfilter()
commit dba5bdd57bea587ea4f0b79b03c71135f84a7e8b upstream. syzbot reported an UAF in ip_mc_sf_allow() [1] Whenever RCU protected list replaces an object, the pointer to the new object needs to be updated _before_ the call to kfree_rcu() or call_rcu() Because kfree_rcu(ptr, rcu) got support for NULL ptr only recently in commit |
||
Duoming Zhou
|
879b075a9a |
NFC: netlink: fix sleep in atomic bug when firmware download timeout
commit 4071bf121d59944d5cd2238de0642f3d7995a997 upstream. There are sleep in atomic bug that could cause kernel panic during firmware download process. The root cause is that nlmsg_new with GFP_KERNEL parameter is called in fw_dnld_timeout which is a timer handler. The call trace is shown below: BUG: sleeping function called from invalid context at include/linux/sched/mm.h:265 Call Trace: kmem_cache_alloc_node __alloc_skb nfc_genl_fw_download_done call_timer_fn __run_timers.part.0 run_timer_softirq __do_softirq ... The nlmsg_new with GFP_KERNEL parameter may sleep during memory allocation process, and the timer handler is run as the result of a "software interrupt" that should not call any other function that could sleep. This patch changes allocation mode of netlink message from GFP_KERNEL to GFP_ATOMIC in order to prevent sleep in atomic bug. The GFP_ATOMIC flag makes memory allocation operation could be used in atomic context. Fixes: |
||
|
Duoming Zhou
|
8a9e7c64f4 |
nfc: replace improper check device_is_registered() in netlink related functions
commit da5c0f119203ad9728920456a0f52a6d850c01cd upstream.
The device_is_registered() in nfc core is used to check whether
nfc device is registered in netlink related functions such as
nfc_fw_download(), nfc_dev_up() and so on. Although device_is_registered()
is protected by device_lock, there is still a race condition between
device_del() and device_is_registered(). The root cause is that
kobject_del() in device_del() is not protected by device_lock.
(cleanup task) | (netlink task)
|
nfc_unregister_device | nfc_fw_download
device_del | device_lock
... | if (!device_is_registered)//(1)
kobject_del//(2) | ...
... | device_unlock
The device_is_registered() returns the value of state_in_sysfs and
the state_in_sysfs is set to zero in kobject_del(). If we pass check in
position (1), then set zero in position (2). As a result, the check
in position (1) is useless.
This patch uses bool variable instead of device_is_registered() to judge
whether the nfc device is registered, which is well synchronized.
Fixes:
|
||
Oliver Hartkopp
|
45bdcb5ca4 |
can: isotp: remove re-binding of bound socket
commit 72ed3ee9fa0b461ad086403a8b5336154bd82234 upstream.
As a carry over from the CAN_RAW socket (which allows to change the CAN
interface while mantaining the filter setup) the re-binding of the
CAN_ISOTP socket needs to take care about CAN ID address information and
subscriptions. It turned out that this feature is so limited (e.g. the
sockopts remain fix) that it finally has never been needed/used.
In opposite to the stateless CAN_RAW socket the switching of the CAN ID
subscriptions might additionally lead to an interrupted ongoing PDU
reception. So better remove this unneeded complexity.
Fixes:
|
||
|
Trond Myklebust
|
70d25d4fba |
Revert "SUNRPC: attempt AF_LOCAL connect on setup"
commit a3d0562d4dc039bca39445e1cddde7951662e17d upstream.
This reverts commit
|
||
|
Greg Kroah-Hartman
|
681997eca1 |
Revert "ipv6: make ip6_rt_gc_expire an atomic_t"
This reverts commit |
||
|
Greg Kroah-Hartman
|
ca9b002a16 |
This is the 5.10.113 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmJpLt4ACgkQONu9yGCS aT5Wjg//dzSnqQoqXgMjLwSoMx15rfs/HjC8vgRUpdKctpzITabLc7ywdbcxuyQt it+tlQAFMIq2caH20M+u91zm1kre9f8ap5KnVEt+snkJK+mxWZ8u0uxgzGqRJV7w 1SX4lRCdbfT82T2qjlPFlLQ3bFlxy1nbYHJI1lOltl8JXgHEHuFDGH0oWr6QwdOu wAayeL5MmIpUqtLE7G5Jb9Yc1Hg+dCPHGjJNHbtR6URnVGNY664Moz/ij0qWA8RE Gaxxud677xEVoc3OVRS3r9CzEmhZGBeI0xwc9Gc8vGWaVkJGlS2/p/+M8mk75yKu gUpGZE2DNZ+8G0rs/9hs74nV01KpcOCJokLTqka+0MqKHalNVibkw8RPLThn30Ct JyK43veFQigd3WJULwvOaoM4YBzCishYQc2jvyftZRqb5rxRfTk62UoQoqNgmhyr 1MDUS8w741jF0qdH/v8Wgv7H64d4iilZV6VqVtWiyowPphHbd76qGpRSe42Xg/gY gL/xfjS17Uwid5es+wzIP4J9D3yxwwh3KZjgfAuaOVnMVCn2RqEjZyqQJSCAc8sF kCPMbXjAN9/5sGwidGGDf7ML67MIcIF6928pel95RU3lmz7X5cEzN2FCeAZg28rn W2iiSeWEh6XD7Pzbd+TYYftG3M2kGN6qzaKM2wOGNc6cK/dDROs= =NhyD -----END PGP SIGNATURE----- Merge 5.10.113 into android12-5.10-lts Changes in 5.10.113 etherdevice: Adjust ether_addr* prototypes to silence -Wstringop-overead mm: page_alloc: fix building error on -Werror=array-compare tracing: Dump stacktrace trigger to the corresponding instance perf tools: Fix segfault accessing sample_id xyarray gfs2: assign rgrp glock before compute_bitstructs net/sched: cls_u32: fix netns refcount changes in u32_change() ALSA: usb-audio: Clear MIDI port active flag after draining ALSA: hda/realtek: Add quirk for Clevo NP70PNP dm: fix mempool NULL pointer race when completing IO ASoC: atmel: Remove system clock tree configuration for at91sam9g20ek ASoC: msm8916-wcd-digital: Check failure for devm_snd_soc_register_component ASoC: codecs: wcd934x: do not switch off SIDO Buck when codec is in use dmaengine: imx-sdma: Fix error checking in sdma_event_remap dmaengine: mediatek:Fix PM usage reference leak of mtk_uart_apdma_alloc_chan_resources spi: spi-mtk-nor: initialize spi controller after resume esp: limit skb_page_frag_refill use to a single page igc: Fix infinite loop in release_swfw_sync igc: Fix BUG: scheduling while atomic rxrpc: Restore removed timer deletion net/smc: Fix sock leak when release after smc_shutdown() net/packet: fix packet_sock xmit return value checking ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit() ip6_gre: Fix skb_under_panic in __gre6_xmit() net/sched: cls_u32: fix possible leak in u32_init_knode() l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu ipv6: make ip6_rt_gc_expire an atomic_t netlink: reset network and mac headers in netlink_dump() net: stmmac: Use readl_poll_timeout_atomic() in atomic state dmaengine: idxd: add RO check for wq max_batch_size write dmaengine: idxd: add RO check for wq max_transfer_size write selftests: mlxsw: vxlan_flooding: Prevent flooding of unwanted packets arm64/mm: Remove [PUD|PMD]_TABLE_BIT from [pud|pmd]_bad() arm64: mm: fix p?d_leaf() ARM: vexpress/spc: Avoid negative array index when !SMP reset: tegra-bpmp: Restore Handle errors in BPMP response platform/x86: samsung-laptop: Fix an unsigned comparison which can never be negative ALSA: usb-audio: Fix undefined behavior due to shift overflowing the constant arm64: dts: imx: Fix imx8*-var-som touchscreen property sizes vxlan: fix error return code in vxlan_fdb_append cifs: Check the IOCB_DIRECT flag, not O_DIRECT net: atlantic: Avoid out-of-bounds indexing mt76: Fix undefined behavior due to shift overflowing the constant brcmfmac: sdio: Fix undefined behavior due to shift overflowing the constant dpaa_eth: Fix missing of_node_put in dpaa_get_ts_info() drm/msm/mdp5: check the return of kzalloc() net: macb: Restart tx only if queue pointer is lagging scsi: qedi: Fix failed disconnect handling stat: fix inconsistency between struct stat and struct compat_stat nvme: add a quirk to disable namespace identifiers nvme-pci: disable namespace identifiers for Qemu controllers EDAC/synopsys: Read the error count from the correct register mm, hugetlb: allow for "high" userspace addresses oom_kill.c: futex: delay the OOM reaper to allow time for proper futex cleanup mm/mmu_notifier.c: fix race in mmu_interval_notifier_remove() ata: pata_marvell: Check the 'bmdma_addr' beforing reading dma: at_xdmac: fix a missing check on list iterator net: atlantic: invert deep par in pm functions, preventing null derefs xtensa: patch_text: Fixup last cpu should be master xtensa: fix a7 clobbering in coprocessor context load/store openvswitch: fix OOB access in reserve_sfa_size() gpio: Request interrupts after IRQ is initialized ASoC: soc-dapm: fix two incorrect uses of list iterator e1000e: Fix possible overflow in LTR decoding ARC: entry: fix syscall_trace_exit argument arm_pmu: Validate single/group leader events sched/pelt: Fix attach_entity_load_avg() corner case perf/core: Fix perf_mmap fail when CONFIG_PERF_USE_VMALLOC enabled drm/panel/raspberrypi-touchscreen: Avoid NULL deref if not initialised drm/panel/raspberrypi-touchscreen: Initialise the bridge in prepare KVM: PPC: Fix TCE handling for VFIO drm/vc4: Use pm_runtime_resume_and_get to fix pm_runtime_get_sync() usage powerpc/perf: Fix power9 event alternatives perf report: Set PERF_SAMPLE_DATA_SRC bit for Arm SPE event ext4: fix fallocate to use file_modified to update permissions consistently ext4: fix symlink file size not match to file content ext4: fix use-after-free in ext4_search_dir ext4: limit length to bitmap_maxbytes - blocksize in punch_hole ext4, doc: fix incorrect h_reserved size ext4: fix overhead calculation to account for the reserved gdt blocks ext4: force overhead calculation if the s_overhead_cluster makes no sense can: isotp: stop timeout monitoring when no first frame was sent jbd2: fix a potential race while discarding reserved buffers after an abort spi: atmel-quadspi: Fix the buswidth adjustment between spi-mem and controller staging: ion: Prevent incorrect reference counting behavour block/compat_ioctl: fix range check in BLKGETSIZE Revert "net: micrel: fix KS8851_MLL Kconfig" Linux 5.10.113 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4ed10699cbb32b89caf79b8b4a2a35b3d8824115 |
||
|
Greg Kroah-Hartman
|
f64cd19a00 |
Merge branch 'android12-5.10' into android12-5.10-lts
Sync up with android12-5.10 for the following commits: |
||
Lina Wang
|
1e037dd790 |
FROMGIT: net: fix wrong network header length
When clatd starts with ebpf offloaing, and NETIF_F_GRO_FRAGLIST is enable, several skbs are gathered in skb_shinfo(skb)->frag_list. The first skb's ipv6 header will be changed to ipv4 after bpf_skb_proto_6_to_4, network_header\transport_header\mac_header have been updated as ipv4 acts, but other skbs in frag_list didnot update anything, just ipv6 packets. udp_queue_rcv_skb will call skb_segment_list to traverse other skbs in frag_list and make sure right udp payload is delivered to user space. Unfortunately, other skbs in frag_list who are still ipv6 packets are updated like the first skb and will have wrong transport header length. e.g.before bpf_skb_proto_6_to_4,the first skb and other skbs in frag_list has the same network_header(24)& transport_header(64), after bpf_skb_proto_6_to_4, ipv6 protocol has been changed to ipv4, the first skb's network_header is 44,transport_header is 64, other skbs in frag_list didnot change.After skb_segment_list, the other skbs in frag_list has different network_header(24) and transport_header(44), so there will be 20 bytes different from original,that is difference between ipv6 header and ipv4 header. Just change transport_header to be the same with original. Actually, there are two solutions to fix it, one is traversing all skbs and changing every skb header in bpf_skb_proto_6_to_4, the other is modifying frag_list skb's header in skb_segment_list. Considering efficiency, adopt the second one--- when the first skb and other skbs in frag_list has different network_header length, restore them to make sure right udp payload is delivered to user space. Signed-off-by: Lina Wang <lina.wang@mediatek.com> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit cf3ab8d4a797960b4be20565abb3bcd227b18a68 https://git.kernel.org/pub/scm/linux/kernel/git/netdev/net.git master) Bug: 218157620 Test: TreeHugger Signed-off-by: Maciej Żenczykowski <maze@google.com> Change-Id: I36f2f329ec1a56bb0742141a7fa482cafa183ad3 |
||
Florian Westphal
|
842a9bbbef |
netfilter: nft_socket: only do sk lookups when indev is available
commit 743b83f15d4069ea57c3e40996bf4a1077e0cdc1 upstream.
Check if the incoming interface is available and NFT_BREAK
in case neither skb->sk nor input device are set.
Because nf_sk_lookup_slow*() assume packet headers are in the
'in' direction, use in postrouting is not going to yield a meaningful
result. Same is true for the forward chain, so restrict the use
to prerouting, input and output.
Use in output work if a socket is already attached to the skb.
Fixes:
|
||
Pengcheng Yang
|
aa138efd2b |
tcp: fix F-RTO may not work correctly when receiving DSACK
[ Upstream commit d9157f6806d1499e173770df1f1b234763de5c79 ]
Currently DSACK is regarded as a dupack, which may cause
F-RTO to incorrectly enter "loss was real" when receiving
DSACK.
Packetdrill to demonstrate:
// Enable F-RTO and TLP
0 `sysctl -q net.ipv4.tcp_frto=2`
0 `sysctl -q net.ipv4.tcp_early_retrans=3`
0 `sysctl -q net.ipv4.tcp_congestion_control=cubic`
// Establish a connection
+0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
// RTT 10ms, RTO 210ms
+.1 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
+0 > S. 0:0(0) ack 1 <...>
+.01 < . 1:1(0) ack 1 win 257
+0 accept(3, ..., ...) = 4
// Send 2 data segments
+0 write(4, ..., 2000) = 2000
+0 > P. 1:2001(2000) ack 1
// TLP
+.022 > P. 1001:2001(1000) ack 1
// Continue to send 8 data segments
+0 write(4, ..., 10000) = 10000
+0 > P. 2001:10001(8000) ack 1
// RTO
+.188 > . 1:1001(1000) ack 1
// The original data is acked and new data is sent(F-RTO step 2.b)
+0 < . 1:1(0) ack 2001 win 257
+0 > P. 10001:12001(2000) ack 1
// D-SACK caused by TLP is regarded as a dupack, this results in
// the incorrect judgment of "loss was real"(F-RTO step 3.a)
+.022 < . 1:1(0) ack 2001 win 257 <sack 1001:2001,nop,nop>
// Never-retransmitted data(3001:4001) are acked and
// expect to switch to open state(F-RTO step 3.b)
+0 < . 1:1(0) ack 4001 win 257
+0 %{ assert tcpi_ca_state == 0, tcpi_ca_state }%
Fixes:
|
||
|
Maxim Mikityanskiy
|
1781beb879 |
tls: Skip tls_append_frag on zero copy size
[ Upstream commit a0df71948e9548de819a6f1da68f5f1742258a52 ]
Calling tls_append_frag when max_open_record_len == record->len might
add an empty fragment to the TLS record if the call happens to be on the
page boundary. Normally tls_append_frag coalesces the zero-sized
fragment to the previous one, but not if it's on page boundary.
If a resync happens then, the mlx5 driver posts dump WQEs in
tx_post_resync_dump, and the empty fragment may become a data segment
with byte_count == 0, which will confuse the NIC and lead to a CQE
error.
This commit fixes the described issue by skipping tls_append_frag on
zero size to avoid adding empty fragments. The fix is not in the driver,
because an empty fragment is hardly the desired behavior.
Fixes:
|
||
|
Eric Dumazet
|
9f29f6f8da |
tcp: make sure treq->af_specific is initialized
[ Upstream commit ba5a4fdd63ae0c575707030db0b634b160baddd7 ] syzbot complained about a recent change in TCP stack, hitting a NULL pointer [1] tcp request sockets have an af_specific pointer, which was used before the blamed change only for SYNACK generation in non SYNCOOKIE mode. tcp requests sockets momentarily created when third packet coming from client in SYNCOOKIE mode were not using treq->af_specific. Make sure this field is populated, in the same way normal TCP requests sockets do in tcp_conn_request(). [1] TCP: request_sock_TCPv6: Possible SYN flooding on port 20002. Sending cookies. Check SNMP counters. general protection fault, probably for non-canonical address 0xdffffc0000000001: 0000 [#1] PREEMPT SMP KASAN KASAN: null-ptr-deref in range [0x0000000000000008-0x000000000000000f] CPU: 1 PID: 3695 Comm: syz-executor864 Not tainted 5.18.0-rc3-syzkaller-00224-g5fd1fe4807f9 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 RIP: 0010:tcp_create_openreq_child+0xe16/0x16b0 net/ipv4/tcp_minisocks.c:534 Code: 48 c1 ea 03 80 3c 02 00 0f 85 e5 07 00 00 4c 8b b3 28 01 00 00 48 b8 00 00 00 00 00 fc ff df 49 8d 7e 08 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 c9 07 00 00 48 8b 3c 24 48 89 de 41 ff 56 08 48 RSP: 0018:ffffc90000de0588 EFLAGS: 00010202 RAX: dffffc0000000000 RBX: ffff888076490330 RCX: 0000000000000100 RDX: 0000000000000001 RSI: ffffffff87d67ff0 RDI: 0000000000000008 RBP: ffff88806ee1c7f8 R08: 0000000000000000 R09: 0000000000000000 R10: ffffffff87d67f00 R11: 0000000000000000 R12: ffff88806ee1bfc0 R13: ffff88801b0e0368 R14: 0000000000000000 R15: 0000000000000000 FS: 00007f517fe58700(0000) GS:ffff8880b9d00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 00007ffcead76960 CR3: 000000006f97b000 CR4: 00000000003506e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: <IRQ> tcp_v6_syn_recv_sock+0x199/0x23b0 net/ipv6/tcp_ipv6.c:1267 tcp_get_cookie_sock+0xc9/0x850 net/ipv4/syncookies.c:207 cookie_v6_check+0x15c3/0x2340 net/ipv6/syncookies.c:258 tcp_v6_cookie_check net/ipv6/tcp_ipv6.c:1131 [inline] tcp_v6_do_rcv+0x1148/0x13b0 net/ipv6/tcp_ipv6.c:1486 tcp_v6_rcv+0x3305/0x3840 net/ipv6/tcp_ipv6.c:1725 ip6_protocol_deliver_rcu+0x2e9/0x1900 net/ipv6/ip6_input.c:422 ip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:464 NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ip6_input+0x9c/0xd0 net/ipv6/ip6_input.c:473 dst_input include/net/dst.h:461 [inline] ip6_rcv_finish net/ipv6/ip6_input.c:76 [inline] NF_HOOK include/linux/netfilter.h:307 [inline] NF_HOOK include/linux/netfilter.h:301 [inline] ipv6_rcv+0x27f/0x3b0 net/ipv6/ip6_input.c:297 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5405 __netif_receive_skb+0x24/0x1b0 net/core/dev.c:5519 process_backlog+0x3a0/0x7c0 net/core/dev.c:5847 __napi_poll+0xb3/0x6e0 net/core/dev.c:6413 napi_poll net/core/dev.c:6480 [inline] net_rx_action+0x8ec/0xc60 net/core/dev.c:6567 __do_softirq+0x29b/0x9c2 kernel/softirq.c:558 invoke_softirq kernel/softirq.c:432 [inline] __irq_exit_rcu+0x123/0x180 kernel/softirq.c:637 irq_exit_rcu+0x5/0x20 kernel/softirq.c:649 sysvec_apic_timer_interrupt+0x93/0xc0 arch/x86/kernel/apic/apic.c:1097 Fixes: 5b0b9e4c2c89 ("tcp: md5: incorrect tcp_header_len for incoming connections") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Francesco Ruggeri <fruggeri@arista.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
|
Eric Dumazet
|
8a9d6ca360 |
tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
[ Upstream commit 4bfe744ff1644fbc0a991a2677dc874475dd6776 ] I had this bug sitting for too long in my pile, it is time to fix it. Thanks to Doug Porter for reminding me of it! We had various attempts in the past, including commit |
||
Peilin Ye
|
720b6ced85 |
ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode
[ Upstream commit 31c417c948d7f6909cb63f0ac3298f3c38f8ce20 ] As pointed out by Jakub Kicinski, currently using TUNNEL_SEQ in collect_md mode is racy for [IP6]GRE[TAP] devices. Consider the following sequence of events: 1. An [IP6]GRE[TAP] device is created in collect_md mode using "ip link add ... external". "ip" ignores "[o]seq" if "external" is specified, so TUNNEL_SEQ is off, and the device is marked as NETIF_F_LLTX (i.e. it uses lockless TX); 2. Someone sets TUNNEL_SEQ on outgoing skb's, using e.g. bpf_skb_set_tunnel_key() in an eBPF program attached to this device; 3. gre_fb_xmit() or __gre6_xmit() processes these skb's: gre_build_header(skb, tun_hlen, flags, protocol, tunnel_id_to_key32(tun_info->key.tun_id), (flags & TUNNEL_SEQ) ? htonl(tunnel->o_seqno++) : 0); ^^^^^^^^^^^^^^^^^ Since we are not using the TX lock (&txq->_xmit_lock), multiple CPUs may try to do this tunnel->o_seqno++ in parallel, which is racy. Fix it by making o_seqno atomic_t. As mentioned by Eric Dumazet in commit |
||
|
Peilin Ye
|
41661b4c1a |
ip6_gre: Make o_seqno start from 0 in native mode
[ Upstream commit fde98ae91f79cab4e020f40c35ed23cbdc59661c ]
For IP6GRE and IP6GRETAP devices, currently o_seqno starts from 1 in
native mode. According to RFC 2890 2.2., "The first datagram is sent
with a sequence number of 0." Fix it.
It is worth mentioning that o_seqno already starts from 0 in collect_md
mode, see the "if (tunnel->parms.collect_md)" clause in __gre6_xmit(),
where tunnel->o_seqno is passed to gre_build_header() before getting
incremented.
Fixes:
|
||
|
Peilin Ye
|
7b187fbd7e |
ip_gre: Make o_seqno start from 0 in native mode
[ Upstream commit ff827beb706ed719c766acf36449801ded0c17fc ]
For GRE and GRETAP devices, currently o_seqno starts from 1 in native
mode. According to RFC 2890 2.2., "The first datagram is sent with a
sequence number of 0." Fix it.
It is worth mentioning that o_seqno already starts from 0 in collect_md
mode, see gre_fb_xmit(), where tunnel->o_seqno is passed to
gre_build_header() before getting incremented.
Fixes:
|
||
liuyacan
|
83d128daff |
net/smc: sync err code when tcp connection was refused
[ Upstream commit 4e2e65e2e56c6ceb4ea1719360080c0af083229e ]
In the current implementation, when TCP initiates a connection
to an unavailable [ip,port], ECONNREFUSED will be stored in the
TCP socket, but SMC will not. However, some apps (like curl) use
getsockopt(,,SO_ERROR,,) to get the error information, which makes
them miss the error message and behave strangely.
Fixes:
|
||
Xin Long
|
61a89d0a5b |
sctp: check asoc strreset_chunk in sctp_generate_reconf_event
[ Upstream commit 165e3e17fe8fe6a8aab319bc6e631a2e23b9a857 ]
A null pointer reference issue can be triggered when the response of a
stream reconf request arrives after the timer is triggered, such as:
send Incoming SSN Reset Request --->
CPU0:
reconf timer is triggered,
go to the handler code before hold sk lock
<--- reply with Outgoing SSN Reset Request
CPU1:
process Outgoing SSN Reset Request,
and set asoc->strreset_chunk to NULL
CPU0:
continue the handler code, hold sk lock,
and try to hold asoc->strreset_chunk, crash!
In Ying Xu's testing, the call trace is:
[ ] BUG: kernel NULL pointer dereference, address: 0000000000000010
[ ] RIP: 0010:sctp_chunk_hold+0xe/0x40 [sctp]
[ ] Call Trace:
[ ] <IRQ>
[ ] sctp_sf_send_reconf+0x2c/0x100 [sctp]
[ ] sctp_do_sm+0xa4/0x220 [sctp]
[ ] sctp_generate_reconf_event+0xbd/0xe0 [sctp]
[ ] call_timer_fn+0x26/0x130
This patch is to fix it by returning from the timer handler if asoc
strreset_chunk is already set to NULL.
Fixes:
|
||
|
Pengcheng Yang
|
3c464db03c |
tcp: ensure to use the most recently sent skb when filling the rate sample
[ Upstream commit b253a0680ceadc5d7b4acca7aa2d870326cad8ad ]
If an ACK (s)acks multiple skbs, we favor the information
from the most recently sent skb by choosing the skb with
the highest prior_delivered count. But in the interval
between receiving ACKs, we send multiple skbs with the same
prior_delivered, because the tp->delivered only changes
when we receive an ACK.
We used RACK's solution, copying tcp_rack_sent_after() as
tcp_skb_sent_after() helper to determine "which packet was
sent last?". Later, we will use tcp_skb_sent_after() instead
in RACK.
Fixes:
|
||
Francesco Ruggeri
|
0c60271df0 |
tcp: md5: incorrect tcp_header_len for incoming connections
[ Upstream commit 5b0b9e4c2c895227c8852488b3f09839233bba54 ]
In tcp_create_openreq_child we adjust tcp_header_len for md5 using the
remote address in newsk. But that address is still 0 in newsk at this
point, and it is only set later by the callers (tcp_v[46]_syn_recv_sock).
Use the address from the request socket instead.
Fixes:
|
||
Eyal Birger
|
9ef33d23f8 |
bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook
[ Upstream commit b02d196c44ead1a5949729be9ff08fe781c3e48a ]
xmit_check_hhlen() observes the dst for getting the device hard header
length to make sure a modified packet can fit. When a helper which changes
the dst - such as bpf_skb_set_tunnel_key() - is called as part of the
xmit program the accessed dst is no longer valid.
This leads to the following splat:
BUG: kernel NULL pointer dereference, address: 00000000000000de
#PF: supervisor read access in kernel mode
#PF: error_code(0x0000) - not-present page
PGD 0 P4D 0
Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 0 PID: 798 Comm: ping Not tainted 5.18.0-rc2+ #103
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
RIP: 0010:bpf_xmit+0xfb/0x17f
Code: c6 c0 4d cd 8e 48 c7 c7 7d 33 f0 8e e8 42 09 fb ff 48 8b 45 58 48 8b 95 c8 00 00 00 48 2b 95 c0 00 00 00 48 83 e0 fe 48 8b 00 <0f> b7 80 de 00 00 00 39 c2 73 22 29 d0 b9 20 0a 00 00 31 d2 48 89
RSP: 0018:ffffb148c0bc7b98 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000240008 RCX: 0000000000000000
RDX: 0000000000000010 RSI: 00000000ffffffea RDI: 00000000ffffffff
RBP: ffff922a828a4e00 R08: ffffffff8f1350e8 R09: 00000000ffffdfff
R10: ffffffff8f055100 R11: ffffffff8f105100 R12: 0000000000000000
R13: ffff922a828a4e00 R14: 0000000000000040 R15: 0000000000000000
FS: 00007f414e8f0080(0000) GS:ffff922afdc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000000000de CR3: 0000000002d80006 CR4: 0000000000370ef0
Call Trace:
<TASK>
lwtunnel_xmit.cold+0x71/0xc8
ip_finish_output2+0x279/0x520
? __ip_finish_output.part.0+0x21/0x130
Fix by fetching the device hard header length before running the BPF code.
Fixes:
|
||
Pablo Neira Ayuso
|
6ac03e6ddd |
netfilter: nft_set_rbtree: overlap detection with element re-addition after deletion
[ Upstream commit babc3dc9524f0bcb5a0ec61f3c3639b11508fad6 ] This patch fixes spurious EEXIST errors. Extend |
||
Miaoqian Lin
|
72ae15d5ce |
net: dsa: Add missing of_node_put() in dsa_port_link_register_of
[ Upstream commit fc06b2867f4cea543505acfb194c2be4ebf0c7d3 ]
The device_node pointer is returned by of_parse_phandle() with refcount
incremented. We should use of_node_put() on it when done.
of_node_put() will check for NULL value.
Fixes:
|
||
|
Pengcheng Yang
|
123b7e0388 |
ipvs: correctly print the memory size of ip_vs_conn_tab
[ Upstream commit eba1a872cb73314280d5448d934935b23e30b7ca ]
The memory size of ip_vs_conn_tab changed after we use hlist
instead of list.
Fixes:
|
||
|
Greg Kroah-Hartman
|
de64d941a7 |
This is the 5.10.112 stable release
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmJftPsACgkQONu9yGCS
aT6y3w//Vmd+BesdtAOmPS333kwZb1d4o7GginMjLof6TYh4T+uYovySJVU21PvY
fQtTjEa0VI3kidrwbW/zCG5IGskWYynz/lJNWeTQ57zEtOJTXhETgUmeT5WG+rr7
oxMZV7zXunZariXk9FVdxjQywSdV82brcSoEbK+CpWhaJW4H3UrWbM0HDF/en/9T
9AcnIJ3o5t3O+BDWd7VTqNhptLk3/PHS8W3vEFOo6ptFJYUzXgiZdc5YYmuNlDy+
+84PC19DDE0sd9mX7Pl0eFB0lc6nkpEciq/nFUtygLsJihZajIaIeK6Sa+iewfgc
6U+zBRAwocv8wq2lbzrXJXg5TpPhQ6pJbOlcdwU7MfmsuzTk3m3TXLo4x1SH21wW
aztNPNrAVly/DphyvvU1QpqyoMiF+al5zbCifDOpEgi4tenakQD3QDDcn5FfvYjw
5IPCtsZQ9fAAgwtpQMzyCmHc9Y4LAhPBDFC7thh2iW9kO5RlWxSBuedgeoIMne6p
Zf8iKKcVE47y/c5Q8MB4h+qOZU6k5VQSjK6A+AtdCcHhNQOWAz8kOsK4Fe0jADqP
okdjvV8qtga0/O7PsKMYvxce4eqKgAN3f3mFT4nF+fQNTBLiML+UblRTyi8CVYdi
/MK6ulzBIk6Ch4qewwTsHlbeHGd882sS9pLakpFyqW3RywMnOBA=
=2Ugm
-----END PGP SIGNATURE-----
Merge 5.10.112 into android12-5.10-lts
Changes in 5.10.112
drm/amdkfd: Use drm_priv to pass VM from KFD to amdgpu
hamradio: defer 6pack kfree after unregister_netdev
hamradio: remove needs_free_netdev to avoid UAF
cpuidle: PSCI: Move the `has_lpi` check to the beginning of the function
ACPI: processor idle: Check for architectural support for LPI
btrfs: remove unused variable in btrfs_{start,write}_dirty_block_groups()
drm/msm: Add missing put_task_struct() in debugfs path
memory: atmel-ebi: Fix missing of_node_put in atmel_ebi_probe
firmware: arm_scmi: Fix sorting of retrieved clock rates
media: rockchip/rga: do proper error checking in probe
SUNRPC: Fix the svc_deferred_event trace class
net/sched: flower: fix parsing of ethertype following VLAN header
veth: Ensure eth header is in skb's linear part
gpiolib: acpi: use correct format characters
net: mdio: Alphabetically sort header inclusion
mlxsw: i2c: Fix initialization error flow
net/sched: fix initialization order when updating chain 0 head
net: dsa: felix: suppress -EPROBE_DEFER errors
net: ethernet: stmmac: fix altr_tse_pcs function when using a fixed-link
net/sched: taprio: Check if socket flags are valid
cfg80211: hold bss_lock while updating nontrans_list
drm/msm: Fix range size vs end confusion
drm/msm/dsi: Use connector directly in msm_dsi_manager_connector_init()
net/smc: Fix NULL pointer dereference in smc_pnet_find_ib()
scsi: pm80xx: Mask and unmask upper interrupt vectors 32-63
scsi: pm80xx: Enable upper inbound, outbound queues
scsi: iscsi: Stop queueing during ep_disconnect
scsi: iscsi: Force immediate failure during shutdown
scsi: iscsi: Use system_unbound_wq for destroy_work
scsi: iscsi: Rel ref after iscsi_lookup_endpoint()
scsi: iscsi: Fix in-kernel conn failure handling
scsi: iscsi: Move iscsi_ep_disconnect()
scsi: iscsi: Fix offload conn cleanup when iscsid restarts
scsi: iscsi: Fix conn cleanup and stop race during iscsid restart
sctp: Initialize daddr on peeled off socket
testing/selftests/mqueue: Fix mq_perf_tests to free the allocated cpu set
perf tools: Fix misleading add event PMU debug message
nfc: nci: add flush_workqueue to prevent uaf
cifs: potential buffer overflow in handling symlinks
dm mpath: only use ktime_get_ns() in historical selector
net: bcmgenet: Revert "Use stronger register read/writes to assure ordering"
drm/amd: Add USBC connector ID
btrfs: fix fallocate to use file_modified to update permissions consistently
btrfs: do not warn for free space inode in cow_file_range
drm/amd/display: fix audio format not updated after edid updated
drm/amd/display: FEC check in timing validation
drm/amd/display: Update VTEM Infopacket definition
drm/amdkfd: Fix Incorrect VMIDs passed to HWS
drm/amdgpu/vcn: improve vcn dpg stop procedure
drm/amdkfd: Check for potential null return of kmalloc_array()
Drivers: hv: vmbus: Prevent load re-ordering when reading ring buffer
scsi: target: tcmu: Fix possible page UAF
scsi: lpfc: Fix queue failures when recovering from PCI parity error
scsi: ibmvscsis: Increase INITIAL_SRP_LIMIT to 1024
net: micrel: fix KS8851_MLL Kconfig
ata: libata-core: Disable READ LOG DMA EXT for Samsung 840 EVOs
gpu: ipu-v3: Fix dev_dbg frequency output
regulator: wm8994: Add an off-on delay for WM8994 variant
arm64: alternatives: mark patch_alternative() as `noinstr`
tlb: hugetlb: Add more sizes to tlb_remove_huge_tlb_entry
net: axienet: setup mdio unconditionally
net: usb: aqc111: Fix out-of-bounds accesses in RX fixup
myri10ge: fix an incorrect free for skb in myri10ge_sw_tso
drm/amd/display: Revert FEC check in validation
drm/amd/display: Fix allocate_mst_payload assert on resume
scsi: mvsas: Add PCI ID of RocketRaid 2640
scsi: megaraid_sas: Target with invalid LUN ID is deleted during scan
drivers: net: slip: fix NPD bug in sl_tx_timeout()
perf/imx_ddr: Fix undefined behavior due to shift overflowing the constant
mm, page_alloc: fix build_zonerefs_node()
mm: fix unexpected zeroed page mapping with zram swap
mm: kmemleak: take a full lowmem check in kmemleak_*_phys()
KVM: x86/mmu: Resolve nx_huge_pages when kvm.ko is loaded
memory: renesas-rpc-if: fix platform-device leak in error path
gcc-plugins: latent_entropy: use /dev/urandom
ath9k: Properly clear TX status area before reporting to mac80211
ath9k: Fix usage of driver-private space in tx_info
btrfs: fix root ref counts in error handling in btrfs_get_root_ref
btrfs: mark resumed async balance as writing
ALSA: hda/realtek: Add quirk for Clevo PD50PNT
ALSA: hda/realtek: add quirk for Lenovo Thinkpad X12 speakers
ALSA: pcm: Test for "silence" field in struct "pcm_format_data"
nl80211: correctly check NL80211_ATTR_REG_ALPHA2 size
ipv6: fix panic when forwarding a pkt with no in6 dev
drm/amd/display: don't ignore alpha property on pre-multiplied mode
drm/amdgpu: Enable gfxoff quirk on MacBook Pro
genirq/affinity: Consider that CPUs on nodes can be unbalanced
tick/nohz: Use WARN_ON_ONCE() to prevent console saturation
ARM: davinci: da850-evm: Avoid NULL pointer dereference
dm integrity: fix memory corruption when tag_size is less than digest size
smp: Fix offline cpu check in flush_smp_call_function_queue()
i2c: pasemi: Wait for write xfers to finish
timers: Fix warning condition in __run_timers()
dma-direct: avoid redundant memory sync for swiotlb
scsi: iscsi: Fix endpoint reuse regression
scsi: iscsi: Fix unbound endpoint error handling
ax25: add refcount in ax25_dev to avoid UAF bugs
ax25: fix reference count leaks of ax25_dev
ax25: fix UAF bugs of net_device caused by rebinding operation
ax25: Fix refcount leaks caused by ax25_cb_del()
ax25: fix UAF bug in ax25_send_control()
ax25: fix NPD bug in ax25_disconnect
ax25: Fix NULL pointer dereferences in ax25 timers
ax25: Fix UAF bugs in ax25 timers
Linux 5.10.112
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I9ce7b432f335445dbfb4a67a34a8a1c279011954
|
||
|
Eric Dumazet
|
35a697cab4 |
BACKPORT: net/packet: fix slab-out-of-bounds access in packet_recvmsg()
[ Upstream commit c700525fcc06b05adfea78039de02628af79e07a ]
syzbot found that when an AF_PACKET socket is using PACKET_COPY_THRESH
and mmap operations, tpacket_rcv() is queueing skbs with
garbage in skb->cb[], triggering a too big copy [1]
Presumably, users of af_packet using mmap() already gets correct
metadata from the mapped buffer, we can simply make sure
to clear 12 bytes that might be copied to user space later.
BUG: KASAN: stack-out-of-bounds in memcpy include/linux/fortify-string.h:225 [inline]
BUG: KASAN: stack-out-of-bounds in packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
Write of size 165 at addr ffffc9000385fb78 by task syz-executor233/3631
CPU: 0 PID: 3631 Comm: syz-executor233 Not tainted 5.17.0-rc7-syzkaller-02396-g0b3660695e80 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0xf/0x336 mm/kasan/report.c:255
__kasan_report mm/kasan/report.c:442 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:459
check_region_inline mm/kasan/generic.c:183 [inline]
kasan_check_range+0x13d/0x180 mm/kasan/generic.c:189
memcpy+0x39/0x60 mm/kasan/shadow.c:66
memcpy include/linux/fortify-string.h:225 [inline]
packet_recvmsg+0x56c/0x1150 net/packet/af_packet.c:3489
sock_recvmsg_nosec net/socket.c:948 [inline]
sock_recvmsg net/socket.c:966 [inline]
sock_recvmsg net/socket.c:962 [inline]
____sys_recvmsg+0x2c4/0x600 net/socket.c:2632
___sys_recvmsg+0x127/0x200 net/socket.c:2674
__sys_recvmsg+0xe2/0x1a0 net/socket.c:2704
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fdfd5954c29
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 41 15 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 c0 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcf8e71e48 EFLAGS: 00000246 ORIG_RAX: 000000000000002f
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 00007fdfd5954c29
RDX: 0000000000000000 RSI: 0000000020000500 RDI: 0000000000000005
RBP: 0000000000000000 R08: 000000000000000d R09: 000000000000000d
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ffcf8e71e60
R13: 00000000000f4240 R14: 000000000000c1ff R15: 00007ffcf8e71e54
</TASK>
addr ffffc9000385fb78 is located in stack of task syz-executor233/3631 at offset 32 in frame:
____sys_recvmsg+0x0/0x600 include/linux/uio.h:246
this frame has 1 object:
[32, 160) 'addr'
Memory state around the buggy address:
ffffc9000385fa80: 00 04 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00
ffffc9000385fb00: 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00
>ffffc9000385fb80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f3
^
ffffc9000385fc00: f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1
ffffc9000385fc80: f1 f1 f1 00 f2 f2 f2 00 f2 f2 f2 00 00 00 00 00
==================================================================
Bug: 224546354
Fixes:
|
||
|
Oliver Hartkopp
|
50aac44273 |
can: isotp: stop timeout monitoring when no first frame was sent
commit d73497081710c876c3c61444445512989e102152 upstream.
The first attempt to fix a the 'impossible' WARN_ON_ONCE(1) in
isotp_tx_timer_handler() focussed on the identical CAN IDs created by
the syzbot reproducer and lead to upstream fix/commit 3ea566422cbd
("can: isotp: sanitize CAN ID checks in isotp_bind()"). But this did
not catch the root cause of the wrong tx.state in the tx_timer handler.
In the isotp 'first frame' case a timeout monitoring needs to be started
before the 'first frame' is send. But when this sending failed the timeout
monitoring for this specific frame has to be disabled too.
Otherwise the tx_timer is fired with the 'warn me' tx.state of ISOTP_IDLE.
Fixes:
|
||
Paolo Valerio
|
0837ff17d0 |
openvswitch: fix OOB access in reserve_sfa_size()
commit cefa91b2332d7009bc0be5d951d6cbbf349f90f8 upstream.
Given a sufficiently large number of actions, while copying and
reserving memory for a new action of a new flow, if next_offset is
greater than MAX_ACTIONS_BUFSIZE, the function reserve_sfa_size() does
not return -EMSGSIZE as expected, but it allocates MAX_ACTIONS_BUFSIZE
bytes increasing actions_len by req_size. This can then lead to an OOB
write access, especially when further actions need to be copied.
Fix it by rearranging the flow action size check.
KASAN splat below:
==================================================================
BUG: KASAN: slab-out-of-bounds in reserve_sfa_size+0x1ba/0x380 [openvswitch]
Write of size 65360 at addr ffff888147e4001c by task handler15/836
CPU: 1 PID: 836 Comm: handler15 Not tainted 5.18.0-rc1+ #27
...
Call Trace:
<TASK>
dump_stack_lvl+0x45/0x5a
print_report.cold+0x5e/0x5db
? __lock_text_start+0x8/0x8
? reserve_sfa_size+0x1ba/0x380 [openvswitch]
kasan_report+0xb5/0x130
? reserve_sfa_size+0x1ba/0x380 [openvswitch]
kasan_check_range+0xf5/0x1d0
memcpy+0x39/0x60
reserve_sfa_size+0x1ba/0x380 [openvswitch]
__add_action+0x24/0x120 [openvswitch]
ovs_nla_add_action+0xe/0x20 [openvswitch]
ovs_ct_copy_action+0x29d/0x1130 [openvswitch]
? __kernel_text_address+0xe/0x30
? unwind_get_return_address+0x56/0xa0
? create_prof_cpu_mask+0x20/0x20
? ovs_ct_verify+0xf0/0xf0 [openvswitch]
? prep_compound_page+0x198/0x2a0
? __kasan_check_byte+0x10/0x40
? kasan_unpoison+0x40/0x70
? ksize+0x44/0x60
? reserve_sfa_size+0x75/0x380 [openvswitch]
__ovs_nla_copy_actions+0xc26/0x2070 [openvswitch]
? __zone_watermark_ok+0x420/0x420
? validate_set.constprop.0+0xc90/0xc90 [openvswitch]
? __alloc_pages+0x1a9/0x3e0
? __alloc_pages_slowpath.constprop.0+0x1da0/0x1da0
? unwind_next_frame+0x991/0x1e40
? __mod_node_page_state+0x99/0x120
? __mod_lruvec_page_state+0x2e3/0x470
? __kasan_kmalloc_large+0x90/0xe0
ovs_nla_copy_actions+0x1b4/0x2c0 [openvswitch]
ovs_flow_cmd_new+0x3cd/0xb10 [openvswitch]
...
Cc: stable@vger.kernel.org
Fixes:
|