157 commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Greg Kroah-Hartman
|
db2162fa05 |
This is the 4.19.303 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmWC/FIACgkQONu9yGCS aT4PGBAAmX42BpkC8qqWMrV0bmHf7KtjUyPBeMybVKBXaFkhUSbtwraAI0QWkIUM mEqzUehaTxFhy+QFGRvA9982ChamygDZsWK+2EOigqTXFmVWrIESC5GJAHrCdc06 /b+6oNoTFuRcbVIAxyEL9S+K1pJ11/6Da6tvUKiWizczpZnA3IXLT4nbTFr3Q7cS wPv6ggk6rdyXlmMSiYrRJA4HjN/0akrUNcwoW00LCgKc8892Y7Q1YfnFiJVC75Fa U2+97SSvboM6pJ28mvm3yR4dV02Q8Cs9hI9M1rzIV6ftU8KzEUP3ZCZGaUh4Bwqi MOH8T5DaE+Velbp7ECyzQRHOzhu1dGjFOda1ZR9YpbcE/PBzZ4fOSIUf1glP3K6o U9FpIJHMn+MQk1j4AA+GYJfhOAeaiBjs5y7z3hhNLV1lvshuZGxRKONUtBtOMhwS HfYBW3/7Af7a2q2ITS27RRBCFv6Gqkza0vLzte0Om0XvCn6JFzzIsymFa0cjjg2B G++HZDBQqHWF8EEYRA1XsoJQDEk9o2F7IaX+hOar24mAEsqXBYNzOFvqn2uf/a5c 9mGBpbDGrq0P5EkwIQjgSovbvmplmmAGB74fBrCSrQVKuXjzloAjUbHQqFVVu49q lAMTCtfLxQyioSlTXrYKX1ANKjlR1kqBIF2GP2oHE74MwR3hYSo= =V5/I -----END PGP SIGNATURE----- Merge 4.19.303 into android-4.19-stable Changes in 4.19.303 qca_debug: Prevent crash on TX ring changes qca_debug: Fix ethtool -G iface tx behavior qca_spi: Fix reset behavior atm: solos-pci: Fix potential deadlock on &cli_queue_lock atm: solos-pci: Fix potential deadlock on &tx_queue_lock atm: Fix Use-After-Free in do_vcc_ioctl net/rose: Fix Use-After-Free in rose_ioctl qed: Fix a potential use-after-free in qed_cxt_tables_alloc net: Remove acked SYN flag from packet in the transmit queue correctly sign-file: Fix incorrect return values check vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space() net: stmmac: Handle disabled MDIO busses from devicetree appletalk: Fix Use-After-Free in atalk_ioctl Revert "PCI: acpiphp: Reassign resources on bridge if necessary" cred: switch to using atomic_long_t blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" bcache: avoid oversize memory allocation by small stripe_size bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() bcache: avoid NULL checking to c->root in run_cache_set() platform/x86: intel_telemetry: Fix kernel doc descriptions HID: add ALWAYS_POLL quirk for Apple kb HID: hid-asus: reset the backlight brightness level on resume HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation net: usb: qmi_wwan: claim interface 4 for ZTE MF290 HID: hid-asus: add const to read-only outgoing usb buffer perf: Fix perf_event_validate_size() lockdep splat ext4: prevent the normalized size from exceeding EXT_MAX_BLOCKS arm64: mm: Always make sw-dirty PTEs hw-dirty in pte_modify team: Fix use-after-free when an option instance allocation fails ring-buffer: Fix memory leak of free page mmc: block: Be sure to wait while busy in CQE error recovery powerpc/ftrace: Create a dummy stackframe to fix stack unwind powerpc/ftrace: Fix stack teardown in ftrace_no_trace Linux 4.19.303 Change-Id: I209240976b6ff49ae89b0a77e777041e376416d9 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Nikolay Kuratov
|
2698050cff |
vsock/virtio: Fix unsigned integer wrap around in virtio_transport_has_space()
[ Upstream commit 60316d7f10b17a7ebb1ead0642fee8710e1560e0 ]
We need to do signed arithmetic if we expect condition
`if (bytes < 0)` to be possible
Found by Linux Verification Center (linuxtesting.org) with SVACE
Fixes:
|
||
Greg Kroah-Hartman
|
4e2cad2c2a |
This is the 4.19.284 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmR14SUACgkQONu9yGCS aT5twA/9FzPtWeYCa9WdaW3YrlwXAwUSX+Q749XupcGbrXS1cljiB7XzvSQ48Ce9 FrI+b4UNRmq1sjBq39GMVTCpVcis1PhI5uthvP/eNIazFvAb8Ksidsv10cGKtmi6 dhe8+z6InAut46npKt+YHLTrgu+rkQ7nWk5thT52JLD2VsTf/AwNvy2wDVrtpwND XldYW/jP6GErmPXVdy2nBzP5kFKWpd6DIVrnKrP0g+G1UF6mV1mg2Bt9aoMyWenK TU9cv+FwAr40EmPSn6ooJbo0oOgJrkOidaoJEIgzOw4MWv/lNd6dijuKlkfKg56s elIa+TAlQBkkfXWNDSg8RCT0Im6iw+qVMmuIUvn4Y6zyFhQS2kBPZHavOHrIdYK3 HKkEjl1l24z/k7HSkPVS+FR7YxF9EeQunJBJjA3NGLx4woFVoqCgCp5C5cAyC1D1 lVE8lAPq/R5oIPgsL7WwYCdwvlnoA4R8HFmS/53ySRxQ839A0Ea1vQB96ISPdoGk AxU1DarM+BxLQbYVaW+HmDctox0wlhV9pmlSmRNzGDno0OsME9e7grUSxBC96ogf GFFYs2zTKE8y9/1LzBQSrJdXHjofOrupIEVHHcb8Bit6tuQ/hAIYl4erzIrJUc1e c0OuIcevfYbyUFYzYnWFkPWo0akRWcAIUKba5rzQV4lPpCGOfJc= =0ViV -----END PGP SIGNATURE----- Merge 4.19.284 into android-4.19-stable Changes in 4.19.284 net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs(). netlink: annotate accesses to nlk->cb_running net: annotate sk->sk_err write from do_recvmmsg() tcp: reduce POLLOUT events caused by TCP_NOTSENT_LOWAT tcp: return EPOLLOUT from tcp_poll only when notsent_bytes is half the limit tcp: factor out __tcp_close() helper tcp: add annotations around sk->sk_shutdown accesses ipvlan:Fix out-of-bounds caused by unclear skb->cb net: datagram: fix data-races in datagram_poll() af_unix: Fix a data race of sk->sk_receive_queue->qlen. af_unix: Fix data races around sk->sk_shutdown. fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() drm/amd/display: Use DC_LOG_DC in the trasform pixel function regmap: cache: Return error in cache sync operations for REGCACHE_NONE memstick: r592: Fix UAF bug in r592_remove due to race condition firmware: arm_sdei: Fix sleep from invalid context BUG ACPI: EC: Fix oops when removing custom query handlers drm/tegra: Avoid potential 32-bit integer overflow ACPICA: Avoid undefined behavior: applying zero offset to null pointer ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex ext2: Check block size validity during mount net: pasemi: Fix return type of pasemi_mac_start_tx() net: Catch invalid index in XPS mapping lib: cpu_rmap: Avoid use after free on rmap->obj array entries scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition gfs2: Fix inode height consistency check ext4: set goal start correctly in ext4_mb_normalize_request ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() f2fs: fix to drop all dirty pages during umount() if cp_error is set wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE HID: logitech-hidpp: Don't use the USB serial for USB devices HID: logitech-hidpp: Reconcile USB and Unifying serials spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 HID: wacom: generic: Set battery quirk only when we see battery data usb: typec: tcpm: fix multiple times discover svids error serial: 8250: Reinit port->pm on port specific driver unbind mcb-pci: Reallocate memory region to avoid memory overlapping sched: Fix KCSAN noinstr violation recordmcount: Fix memory leaks in the uwrite function clk: tegra20: fix gcc-7 constant overflow warning Input: xpad - add constants for GIP interface numbers phy: st: miphy28lp: use _poll_timeout functions for waits mfd: dln2: Fix memory leak in dln2_probe() btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid btrfs: fix space cache inconsistency after error loading it from disk cpupower: Make TSC read per CPU for Mperf monitor af_key: Reject optional tunnel/BEET mode templates in outbound policies net: fec: Better handle pm_runtime_get() failing in .remove() vsock: avoid to close connected socket after the timeout drivers: provide devm_platform_ioremap_resource() serial: arc_uart: fix of_iomap leak in `arc_serial_probe` ip6_gre: Fix skb_under_panic in __gre6_xmit() ip6_gre: Make o_seqno start from 0 in native mode ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode erspan: get the proto with the md version for collect_md media: netup_unidvb: fix use-after-free at del_timer() drm/exynos: fix g2d_open/close helper function definitions net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop() net: bcmgenet: Restore phy_stop() depending upon suspend/close cassini: Fix a memory leak in the error handling path of cas_init_one() igb: fix bit_shift to be in [1..8] range vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() usb-storage: fix deadlock when a scsi command timeouts more than once usb: typec: altmodes/displayport: fix pin_assignment_show ALSA: hda: Fix Oops by 9.1 surround channel names ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table statfs: enforce statfs[64] structure initialization serial: Add support for Advantech PCI-1611U card ceph: force updating the msg pointer in non-split case tpm/tpm_tis: Disable interrupts for more Lenovo devices nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() netfilter: nftables: add nft_parse_register_load() and use it netfilter: nftables: add nft_parse_register_store() and use it netfilter: nftables: statify nft_parse_register() netfilter: nf_tables: validate registers coming from userspace. netfilter: nf_tables: add nft_setelem_parse_key() netfilter: nf_tables: allow up to 64 bytes in the set element data area netfilter: nf_tables: stricter validation of element data netfilter: nf_tables: validate NFTA_SET_ELEM_OBJREF based on NFT_SET_OBJECT flag netfilter: nf_tables: do not allow RULE_ID to refer to another chain HID: wacom: Force pen out of prox if no events have been received in a while Add Acer Aspire Ethos 8951G model quirk ALSA: hda/realtek - More constifications ALSA: hda/realtek - Add Headset Mic supported for HP cPC ALSA: hda/realtek - Enable headset mic of Acer X2660G with ALC662 ALSA: hda/realtek - Enable the headset of Acer N50-600 with ALC662 ALSA: hda/realtek - The front Mic on a HP machine doesn't work ALSA: hda/realtek: Fix the mic type detection issue for ASUS G551JW ALSA: hda/realtek - Add headset Mic support for Lenovo ALC897 platform ALSA: hda/realtek - ALC897 headset MIC no sound ALSA: hda/realtek: Add a quirk for HP EliteDesk 805 lib/string_helpers: Introduce string_upper() and string_lower() helpers usb: gadget: u_ether: Convert prints to device prints usb: gadget: u_ether: Fix host MAC address case vc_screen: rewrite vcs_size to accept vc, not inode vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF s390/qdio: get rid of register asm s390/qdio: fix do_sqbs() inline assembly constraint spi: spi-fsl-spi: automatically adapt bits-per-word in cpu mode spi: fsl-spi: Re-organise transfer bits_per_word adaptation spi: fsl-cpm: Use 16 bit mode for large transfers with even size ALSA: hda/ca0132: add quirk for EVGA X299 DARK m68k: Move signal frame following exception on 68020/030 parisc: Allow to reboot machine after system halt btrfs: use nofs when cleaning up aborted transactions x86/mm: Avoid incomplete Global INVLPG flushes selftests/memfd: Fix unknown type name build failure parisc: Fix flush_dcache_page() for usage from irq context ALSA: hda/realtek - Fixed one of HP ALC671 platform Headset Mic supported ALSA: hda/realtek - Fix inverted bass GPIO pin on Acer 8951G udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated(). USB: core: Add routines for endpoint checks in old drivers USB: sisusbvga: Add endpoint checks media: radio-shark: Add endpoint checks net: fix skb leak in __skb_tstamp_tx() bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields ipv6: Fix out-of-bounds access in ipv6_find_tlv() power: supply: leds: Fix blink to LED on transition power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition power: supply: bq27xxx: Fix I2C IRQ race on remove power: supply: bq27xxx: Fix poll_interval handling and races on remove power: supply: sbs-charger: Fix INHIBITED bit for Status reg coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet() xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() x86/show_trace_log_lvl: Ensure stack pointer is aligned, again ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg forcedeth: Fix an error handling path in nv_probe() 3c589_cs: Fix an error handling path in tc589_probe() drivers: depend on HAS_IOMEM for devm_platform_ioremap_resource() Linux 4.19.284 Change-Id: I88843be551e748e295ea608158a2db7ab4486a65 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Zhuang Shengen
|
440cee971b |
vsock: avoid to close connected socket after the timeout
[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ]
When client and server establish a connection through vsock,
the client send a request to the server to initiate the connection,
then start a timer to wait for the server's response. When the server's
RESPONSE message arrives, the timer also times out and exits. The
server's RESPONSE message is processed first, and the connection is
established. However, the client's timer also times out, the original
processing logic of the client is to directly set the state of this vsock
to CLOSE and return ETIMEDOUT. It will not notify the server when the port
is released, causing the server port remain.
when client's vsock_connect timeout,it should check sk state is
ESTABLISHED or not. if sk state is ESTABLISHED, it means the connection
is established, the client should not set the sk state to CLOSE
Note: I encountered this issue on kernel-4.18, which can be fixed by
this patch. Then I checked the latest code in the community
and found similar issue.
Fixes:
|
||
Greg Kroah-Hartman
|
f66335a3cf |
This is the 4.19.270 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPHynkACgkQONu9yGCS aT5AtBAAsdmYCYkmKZsRcS1EUTqdwKVN7FDILDcdMjfmrSp4ZDliaD1dUc0EmDRl yy+aNGCrhbuYACk9WdQsSUrUIh1dK0H5VsioB1m0cjCgifbNjsYqjYWK5ewXKUyX yjc+NmY1HVUFQDLnYHJxSbnB/o+nobWjts8nGuWHwQmoh7UmFe7lvMqZg753x6Bw wCiaC1DrU3aKHYK7IirdWgOiDiGia8DX1nX6PmLi6JTsXj+Io0i8PXKkFzANDf/p /rOyg7j8NOXIQPZGN0Zu88QiMWsNk7u2bOORZgtFbwo7r9BFbzXfWk/x8QxzDX1B iH1p02XQvBwm44xGJZKiWEY2nZdw4mpyzLXZNOL8V7vn9xhT6HDksVAPnyIkU8Dh wsij2r27x18VI9H7sstvAHvIyg6ihmq2E6WuC4W74tUcys7MXxCFc2DuJzMMocf0 7LMTmx3/oUHvuM1riJ9STo9mzXbTmfNd6hnqRnFgGKiGGhOE+pX//RHfupaXRieQ Rq51ODFKcJdDIM7hxeyPdACYF/kso8sNEODCgQ5/+3opel1mzLdBJ1T2bV12DpQe ZhTsESPCVSoUAjCnC9Jje3g0u3qztClYq1faHOXtnjykn9mHmmedVwvdfJL/sOsr ec7NgqzM9xvMQVe4CNf0mouugaLpn2m6uQDTu+GWswRfEKuCx2Q= =ksam -----END PGP SIGNATURE----- Merge 4.19.270 into android-4.19-stable Changes in 4.19.270 mm/khugepaged: fix GUP-fast interaction by sending IPI mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths block: unhash blkdev part inode when the part is deleted nfp: fix use-after-free in area_cache_get() ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() pinctrl: meditatek: Startup with the IRQs disabled can: sja1000: fix size of OCR_MODE_MASK define can: mcba_usb: Fix termination command argument ASoC: ops: Correct bounds check for second channel on SX controls perf script python: Remove explicit shebang from tests/attr.c udf: Discard preallocation before extending file with a hole udf: Fix preallocation discarding at indirect extent boundary udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size udf: Fix extending file within last block usb: gadget: uvc: Prevent buffer overflow in setup handler USB: serial: option: add Quectel EM05-G modem USB: serial: cp210x: add Kamstrup RF sniffer PIDs USB: serial: f81534: fix division by zero on line-speed change igb: Initialize mailbox message for VF reset Bluetooth: L2CAP: Fix u8 overflow net: loopback: use NET_NAME_PREDICTABLE for name_assign_type usb: musb: remove extra check in musb_gadget_vbus_draw ARM: dts: qcom: apq8064: fix coresight compatible drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static arm: dts: spear600: Fix clcd interrupt soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init() arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators arm64: dts: mt2712e: Fix unit address for pinctrl node arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port ARM: dts: turris-omnia: Add ethernet aliases ARM: dts: turris-omnia: Add switch port 6 node pstore/ram: Fix error return code in ramoops_probe() ARM: mmp: fix timer_read delay pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP tpm/tpm_crb: Fix error message in __crb_relinquish_locality() cpuidle: dt: Return the correct numbers of parsed idle states alpha: fix syscall entry in !AUDUT_SYSCALL case fs: don't audit the capability check in simple_xattr_list() selftests/ftrace: event_triggers: wait longer for test_event_enable perf: Fix possible memleak in pmu_dev_alloc() timerqueue: Use rb_entry_safe() in timerqueue_getnext() proc: fixup uptime selftest ocfs2: fix memory leak in ocfs2_stack_glue_init() MIPS: vpe-mt: fix possible memory leak while module exiting MIPS: vpe-cmp: fix possible memory leak while module exiting PNP: fix name memory leak in pnp_alloc_dev() perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox() irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value lib/notifier-error-inject: fix error when writing -errno to debugfs file debugfs: fix error when writing negative value to atomic_t debugfs file rapidio: fix possible name leaks when rio_add_device() fails rapidio: rio: fix possible name leak in rio_register_mport() clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix xen/events: only register debug interrupt for 2-level events x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() x86/xen: Fix memory leak in xen_init_lock_cpu() xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() PM: runtime: Improve path in rpm_idle() when no callback PM: runtime: Do not call __rpm_callback() from rpm_idle() platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() MIPS: BCM63xx: Add check for NULL for clk in clk_enable fs: sysv: Fix sysv_nblocks() returns wrong value rapidio: fix possible UAF when kfifo_alloc() fails eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD relay: fix type mismatch when allocating memory in relay_create_buf() hfs: Fix OOB Write in hfs_asc2mac rapidio: devices: fix missing put_device in mport_cdev_open wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() wifi: rtl8xxxu: Fix reading the vendor of combo chips pata_ipx4xx_cf: Fix unsigned comparison with less than zero media: i2c: ad5820: Fix error path can: kvaser_usb: do not increase tx statistics when sending error message frames can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT can: kvaser_usb_leaf: Set Warning state even without bus errors can: kvaser_usb_leaf: Fix improved state not being reported can: kvaser_usb_leaf: Fix wrong CAN state after stopping can: kvaser_usb_leaf: Fix bogus restart events can: kvaser_usb: Add struct kvaser_usb_busparams can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming spi: Update reference to struct spi_controller media: vivid: fix compose size exceed boundary mtd: Fix device name leak when register device failed in add_mtd_device() wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port media: camss: Clean up received buffers on failed start of streaming net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write() drm/radeon: Add the missed acpi_put_table() to fix memory leak ASoC: pxa: fix null-pointer dereference in filter() regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() ima: Fix misuse of dereference of pointer in template_desc_init_fields() wifi: ath10k: Fix return value in ath10k_pci_init() mtd: lpddr2_nvm: Fix possible null-ptr-deref Input: elants_i2c - properly handle the reset GPIO when power is off media: solo6x10: fix possible memory leak in solo_sysfs_init() media: platform: exynos4-is: Fix error handling in fimc_md_init() HID: hid-sensor-custom: set fixed size for custom attributes ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT clk: rockchip: Fix memory leak in rockchip_clk_register_pll() bonding: Export skip slave logic to function mtd: maps: pxa2xx-flash: fix memory leak in probe drbd: remove call to memset before free device/resource/connection media: imon: fix a race condition in send_packet() pinctrl: pinconf-generic: add missing of_node_put() media: dvb-core: Fix ignored return value in dvb_register_frontend() media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() NFSv4.2: Fix a memory stomp in decode_attr_security_label NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn ALSA: asihpi: fix missing pci_disable_device() drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe bonding: uninitialized variable in bond_miimon_inspect() wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails regulator: core: fix module refcount leak in set_supply() media: saa7164: fix missing pci_disable_device() ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt SUNRPC: Fix missing release socket in rpc_sockname() NFSv4.x: Fail client initialisation if state manager thread can't run mmc: moxart: fix return value check of mmc_add_host() mmc: mxcmmc: fix return value check of mmc_add_host() mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() mmc: toshsd: fix return value check of mmc_add_host() mmc: vub300: fix return value check of mmc_add_host() mmc: wmt-sdmmc: fix return value check of mmc_add_host() mmc: atmel-mci: fix return value check of mmc_add_host() mmc: meson-gx: fix return value check of mmc_add_host() mmc: via-sdmmc: fix return value check of mmc_add_host() mmc: wbsd: fix return value check of mmc_add_host() mmc: mmci: fix return value check of mmc_add_host() media: c8sectpfe: Add of_node_put() when breaking out of loop media: coda: Add check for dcoda_iram_alloc media: coda: Add check for kmalloc clk: samsung: Fix memory leak in _samsung_clk_register_pll() wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h rtl8xxxu: add enumeration for channel bandwidth wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() blktrace: Fix output non-blktrace event when blk_classic option enabled clk: socfpga: clk-pll: Remove unused variable 'rc' clk: socfpga: use clk_hw_register for a5/c5 net: vmw_vsock: vmci: Check memcpy_from_msg() net: defxx: Fix missing err handling in dfx_init() drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() net: farsync: Fix kmemleak when rmmods farsync net/tunnel: wait until all sk_user_data reader finish before releasing the sock net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave() net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave() net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave() net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave() hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave() net: amd-xgbe: Fix logic around active and passive cables net: amd-xgbe: Check only the minimum speed for active/passive cables net: lan9303: Fix read error execution path ntb_netdev: Use dev_kfree_skb_any() in interrupt context Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave() stmmac: fix potential division by 0 apparmor: fix a memleak in multi_transaction_new() apparmor: fix lockdep warning when removing a namespace apparmor: Fix abi check to include v8 abi f2fs: fix normal discard process RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port scsi: scsi_debug: Fix a warning in resp_write_scat() PCI: Check for alloc failure in pci_request_irq() RDMA/hfi: Decrease PCI device reference count in error path crypto: ccree - Make cc_debugfs_global_fini() available for module init function RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed scsi: hpsa: use local workqueues instead of system workqueues scsi: hpsa: Fix possible memory leak in hpsa_init_one() crypto: tcrypt - Fix multibuffer skcipher speed test mem leak scsi: hpsa: Fix error handling in hpsa_add_sas_host() scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() scsi: fcoe: Fix possible name leak when device_register() fails scsi: ipr: Fix WARNING in ipr_init() scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails scsi: snic: Fix possible UAF in snic_tgt_create() RDMA/hfi1: Fix error return code in parse_platform_config() orangefs: Fix sysfs not cleanup when dev init failed crypto: img-hash - Fix variable dereferenced before check 'hdev->req' hwrng: amd - Fix PCI device refcount leak hwrng: geode - Fix PCI device refcount leak IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces drivers: dio: fix possible memory leak in dio_init() serial: tegra: avoid reg access when clk disabled serial: tegra: check for FIFO mode enabled status serial: tegra: set maximum num of uart ports to 8 serial: tegra: add support to use 8 bytes trigger serial: tegra: add support to adjust baud rate serial: tegra: report clk rate errors serial: tegra: Add PIO mode support tty: serial: tegra: Activate RX DMA transfer by request serial: tegra: Read DMA status before terminating class: fix possible memory leak in __class_register() vfio: platform: Do not pass return buffer to ACPI _RST method uio: uio_dmem_genirq: Fix missing unlock in irq configuration uio: uio_dmem_genirq: Fix deadlock between irq config and handling usb: fotg210-udc: Fix ages old endianness issues staging: vme_user: Fix possible UAF in tsi148_dma_list_add usb: typec: Check for ops->exit instead of ops->enter in altmode_exit serial: amba-pl011: avoid SBSA UART accessing DMACR register serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle. serial: pch: Fix PCI device refcount leak in pch_request_dma() tty: serial: clean up stop-tx part in altera_uart_tx_chars() tty: serial: altera_uart_{r,t}x_chars() need only uart_port serial: altera_uart: fix locking in polling mode serial: sunsab: Fix error handling in sunsab_init() test_firmware: fix memory leak in test_firmware_init() misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() usb: gadget: f_hid: optional SETUP/SET_REPORT mode usb: gadget: f_hid: fix f_hidg lifetime vs cdev usb: gadget: f_hid: fix refcount leak on error path drivers: mcb: fix resource leak in mcb_probe() mcb: mcb-parse: fix error handing in chameleon_parse_gdd() chardev: fix error handling in cdev_device_add() i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe staging: rtl8192u: Fix use after free in ieee80211_rx() staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor() vme: Fix error not catched in fake_init() i2c: ismt: Fix an out-of-bounds bug in ismt_access() usb: storage: Add check for kcalloc tracing/hist: Fix issue of losting command info in error_log samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe() fbdev: ssd1307fb: Drop optional dependency fbdev: pm2fb: fix missing pci_disable_device() fbdev: via: Fix error in via_core_init() fbdev: vermilion: decrease reference count in error path fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() HSI: omap_ssi_core: fix possible memory leak in ssi_probe() power: supply: fix residue sysfs file in error handle route of __power_supply_register() perf symbol: correction while adjusting symbol HSI: omap_ssi_core: Fix error handling in ssi_init() include/uapi/linux/swab: Fix potentially missing __always_inline rtc: snvs: Allow a time difference on clock register read iommu/amd: Fix pci device refcount leak in ppr_notifier() iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() macintosh: fix possible memory leak in macio_add_one_device() macintosh/macio-adb: check the return value of ioremap() powerpc/52xx: Fix a resource leak in an error handling path cxl: Fix refcount leak in cxl_calc_capp_routing powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data() powerpc/perf: callchain validate kernel stack pointer bounds powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe() powerpc/hv-gpci: Fix hv_gpci event list selftests/powerpc: Fix resource leaks rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() nfc: pn533: Clear nfc_target before being used r6040: Fix kmemleak in probe and remove rtc: mxc_v2: Add missing clk_disable_unprepare() openvswitch: Fix flow lookup to use unmasked key skbuff: Account for tail adjustment during pull operations net_sched: reject TCF_EM_SIMPLE case for complex ematch module rxrpc: Fix missing unlock in rxrpc_do_sendmsg() myri10ge: Fix an error handling path in myri10ge_probe() net: stream: purge sk_error_queue in sk_stream_kill_queues() binfmt_misc: fix shift-out-of-bounds in check_special_flags fs: jfs: fix shift-out-of-bounds in dbAllocAG udf: Avoid double brelse() in udf_rename() fs: jfs: fix shift-out-of-bounds in dbDiscardAG ACPICA: Fix error code path in acpi_ds_call_control_method() nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() acct: fix potential integer overflow in encode_comp_t() hfs: fix OOB Read in __hfs_brec_find wifi: ath9k: verify the expected usb_endpoints are present wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out ASoC: codecs: rt298: Add quirk for KBL-R RVP platform ipmi: fix memleak when unload ipmi driver bpf: make sure skb->len != 0 when redirecting to a tunneling device net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() hamradio: baycom_epp: Fix return type of baycom_send_packet() wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() igb: Do not free q_vector unless new one was allocated drm/amdgpu: Fix type of second parameter in trans_msg() callback s390/ctcm: Fix return type of ctc{mp,}m_tx() s390/netiucv: Fix return type of netiucv_tx() s390/lcs: Fix return type of lcs_start_xmit() drm/sti: Use drm_mode_copy() drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() md/raid1: stop mdx_raid1 thread when raid1 array run failed mrp: introduce active flags to prevent UAF when applicant uninit ppp: associate skb with a device at tx media: dvb-frontends: fix leak of memory fw media: dvbdev: adopts refcnt to avoid UAF media: dvb-usb: fix memory leak in dvb_usb_adapter_init() blk-mq: fix possible memleak when register 'hctx' failed regulator: core: fix use_count leakage when handling boot-on mmc: f-sdh30: Add quirks for broken timeout clock capability media: si470x: Fix use-after-free in si470x_int_in_callback() clk: st: Fix memory leak in st_of_quadfs_setup() drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume() ASoC: wm8994: Fix potential deadlock ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() ASoC: rt5670: Remove unbalanced pm_runtime_put() pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES usb: dwc3: core: defer probe on ulpi_read_id timeout HID: wacom: Ensure bootloader PID is usable in hidraw mode reiserfs: Add missing calls to reiserfs_security_free() iio: adc: ad_sigma_delta: do not use internal iio_dev lock gcov: add support for checksum field media: dvbdev: fix build warning due to comments media: dvbdev: fix refcnt bug ata: ahci: Fix PCS quirk application for suspend powerpc/rtas: avoid device tree lookups in rtas_os_term() powerpc/rtas: avoid scheduling in rtas_os_term() HID: plantronics: Additional PIDs for double volume key presses quirk hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount ovl: Use ovl mounter's fsuid and fsgid in ovl_link() ALSA: line6: correct midi status byte when receiving data from podxt ALSA: line6: fix stack overflow in line6_midi_transmit pnode: terminate at peers of source md: fix a crash in mempool_free mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails media: stv0288: use explicitly signed char soc: qcom: Select REMAP_MMIO for LLCC driver ktest.pl minconfig: Unset configs instead of just removing them ARM: ux500: do not directly dereference __iomem selftests: Use optional USERCFLAGS and USERLDFLAGS binfmt: Move install_exec_creds after setup_new_exec to match binfmt_elf binfmt: Fix error return code in load_elf_fdpic_binary() dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort dm thin: Use last transaction's pmd->root when commit failed dm thin: Fix UAF in run_timer_softirq() dm cache: Fix UAF in destroy() dm cache: set needs_check flag after aborting metadata x86/microcode/intel: Do not retry microcode reloading on the APs tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod media: dvb-core: Fix double free in dvb_register_device() media: dvb-core: Fix UAF due to refcount races at releasing cifs: fix confusing debug message md/bitmap: Fix bitmap chunk size overflow issues ipmi: fix long wait in unload when IPMI disconnect ima: Fix a potential NULL pointer access in ima_restore_measurement_list ipmi: fix use after free in _ipmi_destroy_user() PCI: Fix pci_device_is_present() for VFs by checking PF PCI/sysfs: Fix double free in error path crypto: n2 - add missing hash statesize iommu/amd: Fix ivrs_acpihid cmdline parsing code parisc: led: Fix potential null-ptr-deref in start_task() device_cgroup: Roll back to original exceptions after copy failure drm/connector: send hotplug uevent on connector cleanup drm/vmwgfx: Validate the box size for the snooped cursor ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop ext4: fix undefined behavior in bit shift for ext4_check_flag_values ext4: add helper to check quota inums ext4: fix bug_on in __es_tree_search caused by bad boot loader inode ext4: init quota for 'old.inode' in 'ext4_rename' ext4: fix corruption when online resizing a 1K bigalloc fs ext4: fix error code return to user-space in ext4_get_branch() ext4: avoid BUG_ON when creating xattrs ext4: fix inode leak in ext4_xattr_inode_create() on an error path ext4: initialize quota before expanding inode in setproject ioctl ext4: avoid unaccounted block allocation when expanding inode ext4: allocate extended attribute value in vmalloc area btrfs: send: avoid unnecessary backref lookups when finding clone source btrfs: replace strncpy() with strscpy() media: s5p-mfc: Fix to handle reference queue during finishing media: s5p-mfc: Clear workbit to handle error condition media: s5p-mfc: Fix in register read and write for H264 dm thin: resume even if in FAIL mode perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data ravb: Fix "failed to switch device to config mode" message during unbind driver core: Set deferred_probe_timeout to a longer default if CONFIG_MODULES is set ext4: goto right label 'failed_mount3a' ext4: correct inconsistent error msg in nojournal mode ext4: use kmemdup() to replace kmalloc + memcpy mbcache: don't reclaim used entries mbcache: add functions to delete entry if unused ext4: remove EA inode entry from mbcache on inode eviction ext4: unindent codeblock in ext4_xattr_block_set() ext4: fix race when reusing xattr blocks mbcache: automatically delete entries from cache on freeing ext4: fix deadlock due to mbcache entry corruption SUNRPC: ensure the matching upcall is in-flight upon downcall bpf: pull before calling skb_postpull_rcsum() qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure nfc: Fix potential resource leaks net: amd-xgbe: add missed tasklet_kill net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe RDMA/mlx5: Fix validation of max_rd_atomic caps for DC net: sched: atm: dont intepret cls results when asked to drop usb: rndis_host: Secure rndis_query check against int overflow caif: fix memory leak in cfctrl_linkup_request() udf: Fix extension of the last extent in the file ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet x86/bugs: Flush IBP in ib_prctl_set() nfsd: fix handling of readdir in v4root vs. mount upcall timeout riscv: uaccess: fix type of 0 variable on error in get_user() ext4: don't allow journal inode to have encrypt flag hfs/hfsplus: use WARN_ON for sanity check hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling mbcache: Avoid nesting of cache->c_list_lock under bit locks parisc: Align parisc MADV_XXX constants with all other architectures driver core: Fix bus_type.match() error handling in __driver_attach() net: sched: disallow noqueue for qdisc classes docs: Fix the docs build with Sphinx 6.0 perf auxtrace: Fix address filter duplicate symbol selection s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() net/ulp: prevent ULP without clone op from entering the LISTEN status ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF cifs: Fix uninitialized memory read for smb311 posix symlink create platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe ipv6: raw: Deduct extension header length in rawv6_push_pending_frames wifi: wilc1000: sdio: fix module autoloading ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later ktest: Add support for meta characters in GRUB_MENU ktest: introduce _get_grub_index ktest: cleanup get_grub_index ktest: introduce grub2bls REBOOT_TYPE option ktest.pl: Fix incorrect reboot for grub2bls kest.pl: Fix grub2 menu handling for rebooting usb: ulpi: defer ulpi_register on ulpi_read_id timeout quota: Factor out setup of quota inode ext4: fix bug_on in __es_tree_search caused by bad quota inode ext4: lost matching-pair of trace in ext4_truncate ext4: fix use-after-free in ext4_orphan_cleanup ext4: fix uninititialized value in 'ext4_evict_inode' ext4: generalize extents status tree search functions ext4: add new pending reservation mechanism ext4: fix reserved cluster accounting at delayed write time ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. x86/boot: Avoid using Intel mnemonics in AT&T syntax asm EDAC/device: Fix period calculation in edac_device_reset_delay_period() regulator: da9211: Use irq handler when ready hvc/xen: lock console list traversal nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() net/mlx5: Rename ptp clock info net/mlx5: Fix ptp max frequency adjustment range iommu/mediatek-v1: Add error handle for mtk_iommu_probe iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe() x86/resctrl: Use task_curr() instead of task_struct->on_cpu to prevent unnecessary IPI x86/resctrl: Fix task CLOSID/RMID update race drm/virtio: Fix GEM handle creation UAF arm64: cmpxchg_double*: hazard against entire exchange variable efi: fix NULL-deref in init error path Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout" tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't started serial: tegra: Only print FIFO error message when an error occurs serial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30 Linux 4.19.270 Change-Id: Ieb5e7f318a7e06effcc51e5f93751ec02dbb50c4 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Artem Chernyshev
|
37ba9bef15 |
net: vmw_vsock: vmci: Check memcpy_from_msg()
[ Upstream commit 44aa5a6dba8283bfda28b1517af4de711c5652a4 ]
vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg(). If memcpy_from_msg() fails, it is possible that
uninitialized memory contents are sent unintentionally instead of user's
message in the datagram to the destination. Return with an error if
memcpy_from_msg() fails.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes:
|
||
Greg Kroah-Hartman
|
27e286f3db |
This is the 4.19.262 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmNZGCIACgkQONu9yGCS aT5dEQ//Q2YBvqn1WGhMJRRtIYeczfwvLh3b5duyt1nbf7KOA7yrjpmaQvszunLj FanBKsf9QrekTxMUJ9++RlFQy/pxkexy39P3ddlE+QQnKeY+lBr5fc/XSBOmmvm+ f1CInT4C6nRRn/r/vCumGfuhZ6o+BLwPPgkTCOs9ima6iaq7nLqgFquznVQ2XFJG SCtS+OPjnoH7HMOw9vXefd53KJJj5kpE+2fMnEBjdW7x4mPM6nwY3ZxB8sIUdLXe dtfDku6W1I8qnGSnI0B+I8/4psNYr/7j4UVTgEKSGmlKKzc78qypdX8YiOGExa84 MWQrEcIGBOzOaMt5F5RWbGbQmwDtlZC2yuTc5YeJ1eSZ6WfZ42rRu+SkMgloRpjO bCzKI8bZ6jmRFNeAPSuR9sF/fRrXlgPsszWYALwy9TTPMvG33jrJaiGwYCOuRxP/ Fn9C1AshGI+Yy7pX5PR+yOWeII4fgwFBo3Oxritm0RG31KZoXKsrVdyb5CwAD0Sf VMb4SNapWwjWKOqi39jAzxgmvkFAwv99HC77dLZhTzwsW+c0+8CH0ccpX/V9997v i2IfCLEoOODlpjjoEgeoZ1lwOSX4/cSrlO4L7qcw+vkmXplEkOnD5Lj5Sdw+m9Hp 1uwQGVZyngK/eMxInDLlrOFY9SOASCIs+XjJpzqimXp1cTLLEHM= =2I2l -----END PGP SIGNATURE----- Merge 4.19.262 into android-4.19-stable Changes in 4.19.262 Makefile.extrawarn: Move -Wcast-function-type-strict to W=1 docs: update mediator information in CoC docs ARM: fix function graph tracer and unwinder dependencies fs: fix UAF/GPF bug in nilfs_mdt_destroy firmware: arm_scmi: Add SCMI PM driver remove routine dmaengine: xilinx_dma: cleanup for fetching xlnx,num-fstores property dmaengine: xilinx_dma: Report error in case of dma_set_mask_and_coherent API failure ARM: dts: fix Moxa SDIO 'compatible', remove 'sdhci' misnomer scsi: qedf: Fix a UAF bug in __qedf_probe() net/ieee802154: fix uninit value bug in dgram_sendmsg um: Cleanup syscall_handler_t cast in syscalls_32.h um: Cleanup compiler warning in arch/x86/um/tls_32.c usb: mon: make mmapped memory read only USB: serial: ftdi_sio: fix 300 bps rate for SIO mmc: core: Replace with already defined values for readability mmc: core: Terminate infinite loop in SD-UHS voltage switch rpmsg: qcom: glink: replace strncpy() with strscpy_pad() nilfs2: fix NULL pointer dereference at nilfs_bmap_lookup_at_level() nilfs2: fix leak of nilfs_root in case of writer thread creation failure nilfs2: replace WARN_ONs by nilfs_error for checkpoint acquisition failure ceph: don't truncate file in atomic_open random: clamp credited irq bits to maximum mixed ALSA: hda: Fix position reporting on Poulsbo scsi: stex: Properly zero out the passthrough command structure USB: serial: qcserial: add new usb-id for Dell branded EM7455 random: restore O_NONBLOCK support random: avoid reading two cache lines on irq randomness random: use expired timer rather than wq for mixing fast pool wifi: mac80211_hwsim: avoid mac80211 warning on bad rate Input: xpad - add supported devices as contributed on github Input: xpad - fix wireless 360 controller breaking after suspend ALSA: oss: Fix potential deadlock at unregistration ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() ALSA: usb-audio: Fix potential memory leaks ALSA: usb-audio: Fix NULL dererence at error path ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530 mtd: rawnand: atmel: Unmap streaming DMA mappings iio: dac: ad5593r: Fix i2c read protocol requirements usb: add quirks for Lenovo OneLink+ Dock can: kvaser_usb: Fix use of uninitialized completion can: kvaser_usb_leaf: Fix overread with an invalid command can: kvaser_usb_leaf: Fix TX queue out of sync after restart can: kvaser_usb_leaf: Fix CAN state after restart fs: dlm: fix race between test_bit() and queue_work() fs: dlm: handle -EBUSY first in lock arg validation HID: multitouch: Add memory barriers quota: Check next/prev free block number after reading from quota file regulator: qcom_rpm: Fix circular deferral regression Revert "fs: check FMODE_LSEEK to control internal pipe splicing" parisc: fbdev/stifb: Align graphics memory size to 4MB riscv: Allow PROT_WRITE-only mmap() UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge fbdev: smscufx: Fix use-after-free in ufx_ops_open() btrfs: fix race between quota enable and quota rescan ioctl riscv: fix build with binutils 2.38 nilfs2: fix use-after-free bug of struct nilfs_root ext4: avoid crash when inline data creation follows DIO write ext4: fix null-ptr-deref in ext4_write_info ext4: make ext4_lazyinit_thread freezable ext4: place buffer head allocation before handle start livepatch: fix race between fork and KLP transition ftrace: Properly unset FTRACE_HASH_FL_MOD ring-buffer: Allow splice to read previous partially read pages ring-buffer: Check pending waiters when doing wake ups as well ring-buffer: Fix race between reset page and reading page KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility KVM: nVMX: Unconditionally purge queued/injected events on nested "exit" selinux: use "grep -E" instead of "egrep" sh: machvec: Use char[] for section boundaries wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state() wifi: mac80211: allow bw change during channel switch in mesh bpftool: Fix a wrong type cast in btf_dumper_int spi: mt7621: Fix an error message in mt7621_spi_probe() wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse() spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume() spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime() wifi: rtl8xxxu: Fix skb misuse in TX queue selection bpf: btf: fix truncated last_member_type_id in btf_struct_resolve wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration net: fs_enet: Fix wrong check in do_pd_setup bpf: Ensure correct locking around vulnerable function find_vpid() spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe netfilter: nft_fib: Fix for rpath check with VRF devices spi: s3c64xx: Fix large transfers with DMA vhost/vsock: Use kvmalloc/kvfree for larger packets. mISDN: fix use-after-free bugs in l1oip timer handlers sctp: handle the error returned from sctp_auth_asoc_init_active_key tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks() bnx2x: fix potential memory leak in bnx2x_tpa_stop() once: add DO_ONCE_SLOW() for sleepable contexts net: mvpp2: fix mvpp2 debugfs leak drm: bridge: adv7511: fix CEC power down control register offset drm/mipi-dsi: Detach devices when removing the host platform/chrome: fix double-free in chromeos_laptop_prepare() platform/x86: msi-laptop: Fix old-ec check for backlight registering platform/x86: msi-laptop: Fix resource cleanup drm/bridge: megachips: Fix a null pointer dereference bug mmc: au1xmmc: Fix an error handling path in au1xmmc_probe() ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx ALSA: dmaengine: increment buffer pointer atomically mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe() ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe memory: of: Fix refcount leak bug in of_get_ddr_timings() soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe() soc: qcom: smem_state: Add refcounting for the 'state->of_node' ARM: dts: turris-omnia: Fix mpp26 pin name and comment ARM: dts: kirkwood: lsxl: fix serial line ARM: dts: kirkwood: lsxl: remove first ethernet port ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family ARM: Drop CMDLINE_* dependency on ATAGS ARM: dts: exynos: fix polarity of VBUS GPIO of Origen iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX iio: adc: at91-sama5d2_adc: check return status for pressure and touch iio: inkern: only release the device node when done with it iio: ABI: Fix wrong format of differential capacitance channel ABI. clk: oxnas: Hold reference returned by of_get_parent() clk: berlin: Add of_node_put() for of_get_parent() clk: tegra: Fix refcount leak in tegra210_clock_init clk: tegra: Fix refcount leak in tegra114_clock_init clk: tegra20: Fix refcount leak in tegra20_clock_init HSI: omap_ssi: Fix refcount leak in ssi_probe HSI: omap_ssi_port: Fix dma_map_sg error check media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop tty: xilinx_uartps: Fix the ignore_status media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init RDMA/rxe: Fix "kernel NULL pointer dereference" error RDMA/rxe: Fix the error caused by qp->sk dyndbg: fix module.dyndbg handling dyndbg: let query-modname override actual module name mtd: devices: docg3: check the return value of devm_ioremap() in the probe ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting() ata: fix ata_id_has_devslp() ata: fix ata_id_has_ncq_autosense() ata: fix ata_id_has_dipm() md/raid5: Ensure stripe_fill happens on non-read IO with journal xhci: Don't show warning for reinit on known broken suspend usb: gadget: function: fix dangling pnp_string in f_printer.c drivers: serial: jsm: fix some leaks in probe phy: qualcomm: call clk_disable_unprepare in the error handling staging: vt6655: fix some erroneous memory clean-up loops firmware: google: Test spinlock on panic path to avoid lockups serial: 8250: Fix restoring termios speed after suspend fsi: core: Check error number after calling ida_simple_get mfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe() mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq() mfd: lp8788: Fix an error handling path in lp8788_probe() mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init() mfd: sm501: Add check for platform_driver_register() dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup() spmi: pmic-arb: correct duplicate APID to PPID mapping logic clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg powerpc/math_emu/efp: Include module.h powerpc/sysdev/fsl_msi: Add missing of_node_put() powerpc/pci_dn: Add missing of_node_put() powerpc/powernv: add missing of_node_put() in opal_export_attrs() x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5 powerpc: Fix SPE Power ISA properties for e500v1 platforms iommu/omap: Fix buffer overflow in debugfs iommu/iova: Fix module config properly crypto: cavium - prevent integer overflow loading firmware f2fs: fix race condition on setting FI_NO_EXTENT flag ACPI: video: Add Toshiba Satellite/Portege Z830 quirk MIPS: BCM47XX: Cast memcmp() of function to (void *) powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data wifi: brcmfmac: fix invalid address access when enabling SCAN log level openvswitch: Fix double reporting of drops in dropwatch openvswitch: Fix overreporting of drops in dropwatch tcp: annotate data-race around tcp_md5sig_pool_populated wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg() xfrm: Update ipcomp_scratches with NULL when freed wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit() Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create() Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times can: bcm: check the result of can_send() in bcm_can_tx() wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620 wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620 wifi: rt2x00: set SoC wmac clock register wifi: rt2x00: correctly set BBP register 86 for MT7620 net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory Bluetooth: L2CAP: Fix user-after-free r8152: Rate limit overflow messages drm: Use size_t type for len variable in drm_copy_field() drm: Prevent drm_copy_field() to attempt copying a NULL pointer drm/amd/display: fix overflow on MIN_I64 definition drm/vc4: vec: Fix timings for VEC modes drm: panel-orientation-quirks: Add quirk for Anbernic Win600 platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading drm/amdgpu: fix initial connector audio value ARM: dts: imx7d-sdb: config the max pressure for tsc2046 ARM: dts: imx6q: add missing properties for sram ARM: dts: imx6dl: add missing properties for sram ARM: dts: imx6qp: add missing properties for sram ARM: dts: imx6sl: add missing properties for sram ARM: dts: imx6sll: add missing properties for sram ARM: dts: imx6sx: add missing properties for sram media: cx88: Fix a null-ptr-deref bug in buffer_prepare() scsi: 3w-9xxx: Avoid disabling device if failing to enable it nbd: Fix hung when signal interrupts nbd_start_device_ioctl() power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type() staging: vt6655: fix potential memory leak ata: libahci_platform: Sanity check the DT child nodes number HID: roccat: Fix use-after-free in roccat_read() md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info() usb: musb: Fix musb_gadget.c rxstate overflow bug Revert "usb: storage: Add quirk for Samsung Fit flash" nvme: copy firmware_rev on each init usb: idmouse: fix an uninit-value in idmouse_open clk: bcm2835: Make peripheral PLLC critical perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc net: ieee802154: return -EINVAL for unknown addr type net/ieee802154: don't warn zero-sized raw_sendmsg() ext4: continue to expand file system when the target size doesn't reach md: Replace snprintf with scnprintf efi: libstub: drop pointless get_memory_map() call inet: fully convert sk->sk_rx_dst to RCU rules thermal: intel_powerclamp: Use first online CPU as control_cpu gcov: support GCC 12.1 and newer compilers Linux 4.19.262 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If70223b939e3710c4fbc4f7cc522f07d4b4ffd45 |
||
Junichi Uekawa
|
7aac8c63f6 |
vhost/vsock: Use kvmalloc/kvfree for larger packets.
[ Upstream commit 0e3f72931fc47bb81686020cc643cde5d9cd0bb8 ]
When copying a large file over sftp over vsock, data size is usually 32kB,
and kmalloc seems to fail to try to allocate 32 32kB regions.
vhost-5837: page allocation failure: order:4, mode:0x24040c0
Call Trace:
[<ffffffffb6a0df64>] dump_stack+0x97/0xdb
[<ffffffffb68d6aed>] warn_alloc_failed+0x10f/0x138
[<ffffffffb68d868a>] ? __alloc_pages_direct_compact+0x38/0xc8
[<ffffffffb664619f>] __alloc_pages_nodemask+0x84c/0x90d
[<ffffffffb6646e56>] alloc_kmem_pages+0x17/0x19
[<ffffffffb6653a26>] kmalloc_order_trace+0x2b/0xdb
[<ffffffffb66682f3>] __kmalloc+0x177/0x1f7
[<ffffffffb66e0d94>] ? copy_from_iter+0x8d/0x31d
[<ffffffffc0689ab7>] vhost_vsock_handle_tx_kick+0x1fa/0x301 [vhost_vsock]
[<ffffffffc06828d9>] vhost_worker+0xf7/0x157 [vhost]
[<ffffffffb683ddce>] kthread+0xfd/0x105
[<ffffffffc06827e2>] ? vhost_dev_set_owner+0x22e/0x22e [vhost]
[<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3
[<ffffffffb6eb332e>] ret_from_fork+0x4e/0x80
[<ffffffffb683dcd1>] ? flush_kthread_worker+0xf3/0xf3
Work around by doing kvmalloc instead.
Fixes:
|
||
Greg Kroah-Hartman
|
80792f5eeb |
This is the 4.19.256 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmMHPc8ACgkQONu9yGCS aT7dvBAAtey5V7VviCe9tFUEkjDg9oB0YHu5I7J16ODhNgMV25xCoEmGD1fEZ4mr BWheee+8z7OmO/be0k+f95Sprd10zr6aFdvhkjRqvKcvm7gSR3hBryzDH65GVuM7 jWTa5RfJ2TWSAtJwjdMiRDnLbwsj51QXWaddnTcMtEBXvvU3aTNYkMLSBdz+xtjB 7S0DgTQNEaevz4GGw81zzmRWMoqlff/+rqyQitcFSr2teprGjSoRQbKzjlIU1D71 31jt1z0wEdeqDRu3S/VCPNQUd6oH+B2d+q7qjnuQkCt/GbhfW91Sw4fUCDFiKvYU KoZvVIo7fIhig9N4uLqqpP5vv23HMkAAPKMB12dt3ue1ozueEGiQ5fVdyFNcli6u M4b7woAooe0n/eL3jjPyk9U7Otg9Zj9+6LbOmnCZabkPPnYW3ik5s+kgrKBQYGhU hyd+ejnKdyqPzKK1JaJe0dk9ZhpwTPvd/4Hodiz+5wZqTXkB5nwBJHxXEeGv5O4R GfxkxN+kvLQkliADDXhohXQJfN3o4YplPNksHeDuh6PqMTHiqFJOnrVTS8Mkx4Y1 JVUsSVq3NsIzTIFOUMr6x8s3VTcSBWCMhWJpm3Afin39Zd9ZSenat4KNSN1IDYdR pkCYF/U051fKSqc9iq9bBilEQrdONG/x0GrTVTXTV1NCIVHMAh0= =U309 -----END PGP SIGNATURE----- Merge 4.19.256 into android-4.19-stable Changes in 4.19.256 Makefile: link with -z noexecstack --no-warn-rwx-segments x86: link vdso and boot with -z noexecstack --no-warn-rwx-segments ALSA: bcd2000: Fix a UAF bug on the error path of probing wifi: mac80211_hwsim: fix race condition in pending packet wifi: mac80211_hwsim: add back erroneously removed cast wifi: mac80211_hwsim: use 32-bit skb cookie add barriers to buffer_uptodate and set_buffer_uptodate HID: wacom: Don't register pad_input for touch switch KVM: SVM: Don't BUG if userspace injects an interrupt with GIF=0 KVM: x86: Mark TSS busy during LTR emulation _after_ all fault checks KVM: x86: Set error code to segment selector on LLDT/LTR non-canonical #GP ALSA: hda/conexant: Add quirk for LENOVO 20149 Notebook model ALSA: hda/cirrus - support for iMac 12,1 model tty: vt: initialize unicode screen buffer vfs: Check the truncate maximum size in inode_newsize_ok() fs: Add missing umask strip in vfs_tmpfile thermal: sysfs: Fix cooling_device_stats_setup() error code path fbcon: Fix boundary checks for fbcon=vc:n1-n2 parameters usbnet: Fix linkwatch use-after-free on disconnect ovl: drop WARN_ON() dentry is NULL in ovl_encode_fh() parisc: Fix device names in /proc/iomem drm/nouveau: fix another off-by-one in nvbios_addr drm/amdgpu: Check BO's requested pinning domains against its preferred_domains bpf: Verifer, adjust_scalar_min_max_vals to always call update_reg_bounds() iio: light: isl29028: Fix the warning in isl29028_remove() fuse: limit nsec serial: mvebu-uart: uart2 error bits clearing md-raid10: fix KASAN warning ia64, processor: fix -Wincompatible-pointer-types in ia64_get_irr() PCI: Add defines for normal and subtractive PCI bridges powerpc/fsl-pci: Fix Class Code of PCIe Root Port powerpc/powernv: Avoid crashing if rng is NULL MIPS: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK USB: HCD: Fix URB giveback issue in tasklet function netfilter: nf_tables: do not allow SET_ID to refer to another table netfilter: nf_tables: fix null deref due to zeroed list head arm64: Do not forget syscall when starting a new thread. arm64: fix oops in concurrently setting insn_emulation sysctls ext2: Add more validity checks for inode counts ARM: dts: imx6ul: add missing properties for sram ARM: dts: imx6ul: change operating-points to uint32-matrix ARM: dts: imx6ul: fix lcdif node compatible ARM: dts: imx6ul: fix qspi node compatible ARM: OMAP2+: display: Fix refcount leak bug ACPI: EC: Remove duplicate ThinkPad X1 Carbon 6th entry from DMI quirks ACPI: PM: save NVS memory for Lenovo G40-45 ACPI: LPSS: Fix missing check in register_device_clock() arm64: dts: qcom: ipq8074: fix NAND node name PM: hibernate: defer device probing when resuming from hibernation selinux: Add boundary check in put_entry() ARM: findbit: fix overflowing offset meson-mx-socinfo: Fix refcount leak in meson_mx_socinfo_init ARM: bcm: Fix refcount leak in bcm_kona_smc_init x86/pmem: Fix platform-device leak in error path ARM: dts: ast2500-evb: fix board compatible soc: fsl: guts: machine variable might be unset ARM: OMAP2+: Fix refcount leak in omap3xxx_prm_late_init cpufreq: zynq: Fix refcount leak in zynq_get_revision ARM: dts: qcom: pm8841: add required thermal-sensor-cells bus: hisi_lpc: fix missing platform_device_put() in hisi_lpc_acpi_probe() arm64: dts: qcom: msm8916: Fix typo in pronto remoteproc node regulator: of: Fix refcount leak bug in of_get_regulation_constraints() nohz/full, sched/rt: Fix missed tick-reenabling bug in dequeue_task_rt() thermal/tools/tmon: Include pthread and time headers in tmon.h dm: return early from dm_pr_call() if DM device is suspended ath10k: do not enforce interrupt trigger type wifi: rtlwifi: fix error codes in rtl_debugfs_set_write_h2c() drm/radeon: fix potential buffer overflow in ni_set_mc_special_registers() drm/mediatek: Add pull-down MIPI operation in mtk_dsi_poweroff function i2c: Fix a potential use after free media: tw686x: Register the irq at the end of probe ath9k: fix use-after-free in ath9k_hif_usb_rx_cb wifi: iwlegacy: 4965: fix potential off-by-one overflow in il4965_rs_fill_link_cmd() drm: bridge: adv7511: Add check for mipi_dsi_driver_register media: hdpvr: fix error value returns in hdpvr_read drm/vc4: dsi: Correct DSI divider calculations drm/rockchip: vop: Don't crash for invalid duplicate_state() drm/mediatek: dpi: Remove output format of YUV drm: bridge: sii8620: fix possible off-by-one drm/msm/mdp5: Fix global state lock backoff crypto: hisilicon - Kunpeng916 crypto driver don't sleep when in softirq media: platform: mtk-mdp: Fix mdp_ipi_comm structure alignment mediatek: mt76: mac80211: Fix missing of_node_put() in mt76_led_init() tcp: make retransmitted SKB fit into the send window libbpf: Fix the name of a reused map selftests: timers: valid-adjtimex: build fix for newer toolchains selftests: timers: clocksource-switch: fix passing errors from child fs: check FMODE_LSEEK to control internal pipe splicing wifi: wil6210: debugfs: fix info leak in wil_write_file_wmi() wifi: p54: Fix an error handling path in p54spi_probe() wifi: p54: add missing parentheses in p54_flush() can: pch_can: do not report txerr and rxerr during bus-off can: rcar_can: do not report txerr and rxerr during bus-off can: sja1000: do not report txerr and rxerr during bus-off can: hi311x: do not report txerr and rxerr during bus-off can: sun4i_can: do not report txerr and rxerr during bus-off can: kvaser_usb_hydra: do not report txerr and rxerr during bus-off can: kvaser_usb_leaf: do not report txerr and rxerr during bus-off can: usb_8dev: do not report txerr and rxerr during bus-off can: error: specify the values of data[5..7] of CAN error frames can: pch_can: pch_can_error(): initialize errc before using it Bluetooth: hci_intel: Add check for platform_driver_register i2c: cadence: Support PEC for SMBus block read i2c: mux-gpmux: Add of_node_put() when breaking out of loop wifi: wil6210: debugfs: fix uninitialized variable use in `wil_write_file_wmi()` wifi: libertas: Fix possible refcount leak in if_usb_probe() net/mlx5e: Fix the value of MLX5E_MAX_RQ_NUM_MTTS netdevsim: Avoid allocation warnings triggered from user space net: rose: fix netdev reference changes dccp: put dccp_qpolicy_full() and dccp_qpolicy_push() in the same lock clk: renesas: r9a06g032: Fix UART clkgrp bitsel mtd: maps: Fix refcount leak in of_flash_probe_versatile mtd: maps: Fix refcount leak in ap_flash_init HID: cp2112: prevent a buffer overflow in cp2112_xfer() mtd: sm_ftl: Fix deadlock caused by cancel_work_sync in sm_release mtd: st_spi_fsm: Add a clk_disable_unprepare() in .probe()'s error path fpga: altera-pr-ip: fix unsigned comparison with less than zero usb: host: Fix refcount leak in ehci_hcd_ppc_of_probe usb: ohci-nxp: Fix refcount leak in ohci_hcd_nxp_probe misc: rtsx: Fix an error handling path in rtsx_pci_probe() clk: qcom: ipq8074: fix NSS port frequency tables clk: qcom: ipq8074: set BRANCH_HALT_DELAY flag for UBI clocks soundwire: bus_type: fix remove and shutdown support staging: rtl8192u: Fix sleep in atomic context bug in dm_fsync_timer_callback mmc: sdhci-of-esdhc: Fix refcount leak in esdhc_signal_voltage_switch memstick/ms_block: Fix some incorrect memory allocation memstick/ms_block: Fix a memory leak mmc: sdhci-of-at91: fix set_uhs_signaling rewriting of MC1R scsi: smartpqi: Fix DMA direction for RAID requests usb: gadget: udc: amd5536 depends on HAS_DMA RDMA/hfi1: fix potential memory leak in setup_base_ctxt() gpio: gpiolib-of: Fix refcount bugs in of_mm_gpiochip_add_data() mmc: cavium-octeon: Add of_node_put() when breaking out of loop mmc: cavium-thunderx: Add of_node_put() when breaking out of loop HID: alps: Declare U1_UNICORN_LEGACY support USB: serial: fix tty-port initialized comments platform/olpc: Fix uninitialized data in debugfs write mm/mmap.c: fix missing call to vm_unacct_memory in mmap_region RDMA/rxe: Fix error unwind in rxe_create_qp() null_blk: fix ida error handling in null_add_dev() ext4: recover csum seed of tmp_inode after migrating to extents jbd2: fix assertion 'jh->b_frozen_data == NULL' failure when journal aborted ASoC: mediatek: mt8173: Fix refcount leak in mt8173_rt5650_rt5676_dev_probe ASoC: mt6797-mt6351: Fix refcount leak in mt6797_mt6351_dev_probe ASoC: codecs: da7210: add check for i2c_add_driver ASoC: mediatek: mt8173-rt5650: Fix refcount leak in mt8173_rt5650_dev_probe serial: 8250_dw: Store LSR into lsr_saved_flags in dw8250_tx_wait_empty() profiling: fix shift too large makes kernel panic tty: n_gsm: fix non flow control frames during mux flow off tty: n_gsm: fix packet re-transmission without open control channel tty: n_gsm: fix race condition in gsmld_write() remoteproc: qcom: wcnss: Fix handling of IRQs vfio/ccw: Do not change FSM state in subchannel event tty: n_gsm: fix wrong T1 retry count handling tty: n_gsm: fix DM command tty: n_gsm: fix missing corner cases in gsmld_poll() iommu/exynos: Handle failed IOMMU device registration properly rpmsg: qcom_smd: Fix refcount leak in qcom_smd_parse_edge kfifo: fix kfifo_to_user() return type mfd: t7l66xb: Drop platform disable callback iommu/arm-smmu: qcom_iommu: Add of_node_put() when breaking out of loop s390/zcore: fix race when reading from hardware system area ASoC: qcom: q6dsp: Fix an off-by-one in q6adm_alloc_copp() video: fbdev: amba-clcd: Fix refcount leak bugs video: fbdev: sis: fix typos in SiS_GetModeID() powerpc/32: Do not allow selection of e5500 or e6500 CPUs on PPC32 powerpc/pci: Prefer PCI domain assignment via DT 'linux,pci-domain' and alias powerpc/spufs: Fix refcount leak in spufs_init_isolated_loader powerpc/xive: Fix refcount leak in xive_get_max_prio powerpc/cell/axon_msi: Fix refcount leak in setup_msi_msg_address kprobes: Forbid probing on trampoline and BPF code areas powerpc/pci: Fix PHB numbering when using opal-phbid genelf: Use HAVE_LIBCRYPTO_SUPPORT, not the never defined HAVE_LIBCRYPTO scripts/faddr2line: Fix vmlinux detection on arm64 x86/numa: Use cpumask_available instead of hardcoded NULL check video: fbdev: arkfb: Fix a divide-by-zero bug in ark_set_pixclock() tools/thermal: Fix possible path truncations video: fbdev: vt8623fb: Check the size of screen before memset_io() video: fbdev: arkfb: Check the size of screen before memset_io() video: fbdev: s3fb: Check the size of screen before memset_io() scsi: zfcp: Fix missing auto port scan and thus missing target ports x86/olpc: fix 'logical not is only applied to the left hand side' spmi: trace: fix stack-out-of-bound access in SPMI tracing functions ext4: add EXT4_INODE_HAS_XATTR_SPACE macro in xattr.h ext4: make sure ext4_append() always allocates new block ext4: fix use-after-free in ext4_xattr_set_entry ext4: update s_overhead_clusters in the superblock during an on-line resize ext4: fix extent status tree race in writeback error recovery path ext4: correct max_inline_xattr_value_size computing ext4: correct the misjudgment in ext4_iget_extra_inode intel_th: pci: Add Raptor Lake-S CPU support intel_th: pci: Add Raptor Lake-S PCH support intel_th: pci: Add Meteor Lake-P support dm raid: fix address sanitizer warning in raid_resume dm raid: fix address sanitizer warning in raid_status dm writecache: set a default MAX_WRITEBACK_JOBS ACPI: CPPC: Do not prevent CPPC from working in the future net_sched: cls_route: remove from list when handle is 0 btrfs: reject log replay if there is unsupported RO compat flag KVM: Add infrastructure and macro to mark VM as bugged KVM: x86: Check lapic_in_kernel() before attempting to set a SynIC irq KVM: x86: Avoid theoretical NULL pointer dereference in kvm_irq_delivery_to_apic_fast() tcp: fix over estimation in sk_forced_mem_schedule() scsi: sg: Allow waiting for commands to complete on removed device Revert "net: usb: ax88179_178a needs FLAG_SEND_ZLP" Bluetooth: L2CAP: Fix l2cap_global_chan_by_psm regression net/9p: Initialize the iounit field during fid creation net_sched: cls_route: disallow handle of 0 firmware: arm_scpi: Ensure scpi_info is not assigned if the probe fails powerpc/mm: Split dump_pagelinuxtables flag_array table powerpc/ptdump: Fix display of RW pages on FSL_BOOK3E ALSA: info: Fix llseek return value when using callback rds: add missing barrier to release_refill ata: libata-eh: Add missing command name mmc: pxamci: Fix another error handling path in pxamci_probe() mmc: pxamci: Fix an error handling path in pxamci_probe() btrfs: fix lost error handling when looking up extended ref on log replay tracing: Have filter accept "common_cpu" to be consistent can: ems_usb: fix clang's -Wunaligned-access warning apparmor: fix quiet_denied for file rules apparmor: fix absroot causing audited secids to begin with = apparmor: Fix failed mount permission check error message apparmor: fix aa_label_asxprint return check apparmor: fix overlapping attachment computation apparmor: fix reference count leak in aa_pivotroot() apparmor: Fix memleak in aa_simple_write_to_buffer() NFSv4: Fix races in the legacy idmapper upcall NFSv4.1: RECLAIM_COMPLETE must handle EACCES NFSv4/pnfs: Fix a use-after-free bug in open SUNRPC: Reinitialise the backchannel request buffers before reuse pinctrl: nomadik: Fix refcount leak in nmk_pinctrl_dt_subnode_to_map pinctrl: qcom: msm8916: Allow CAMSS GP clocks to be muxed ACPI: property: Return type of acpi_add_nondev_subnodes() should be bool geneve: do not use RT_TOS for IPv6 flowlabel vsock: Fix memory leak in vsock_connect() vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout() tools build: Switch to new openssl API for test-libcrypto NTB: ntb_tool: uninitialized heap data in tool_fn_write() xen/xenbus: fix return type in xenbus_file_read() atm: idt77252: fix use-after-free bugs caused by tst_timer nios2: page fault et.al. are *not* restartable syscalls... nios2: don't leave NULLs in sys_call_table[] nios2: traced syscall does need to check the syscall number nios2: fix syscall restart checks nios2: restarts apply only to the first sigframe we build... nios2: add force_successful_syscall_return() netfilter: nf_tables: really skip inactive sets when allocating name powerpc/pci: Fix get_phb_number() locking i40e: Fix to stop tx_timeout recovery if GLOBR fails fec: Fix timer capture timing in `fec_ptp_enable_pps()` igb: Add lock to avoid data race gcc-plugins: Undefine LATENT_ENTROPY_PLUGIN when plugin disabled for a file locking/atomic: Make test_and_*_bit() ordered on failure drm/meson: Fix refcount bugs in meson_vpu_has_available_connectors() PCI: Add ACS quirk for Broadcom BCM5750x NICs irqchip/tegra: Fix overflow implicit truncation warnings usb: host: ohci-ppc-of: Fix refcount leak bug usb: renesas: Fix refcount leak bug vboxguest: Do not use devm for irq clk: qcom: ipq8074: dont disable gcc_sleep_clk_src gadgetfs: ep_io - wait until IRQ finishes cxl: Fix a memory leak in an error handling path dmaengine: sprd: Cleanup in .remove() after pm_runtime_get_sync() failed drivers:md:fix a potential use-after-free bug ext4: avoid remove directory when directory is corrupted ext4: avoid resizing to a partial cluster size lib/list_debug.c: Detect uninitialized lists tty: serial: Fix refcount leak bug in ucc_uart.c vfio: Clear the caps->buf to NULL after free mips: cavium-octeon: Fix missing of_node_put() in octeon2_usb_clocks_start riscv: mmap with PROT_WRITE but no PROT_READ is invalid RISC-V: Add fast call path of crash_kexec() watchdog: export lockup_detector_reconfigure ALSA: core: Add async signal helpers ALSA: timer: Use deferred fasync helper f2fs: fix to avoid use f2fs_bug_on() in f2fs_new_node_page() smb3: check xattr value length earlier powerpc/64: Init jump labels before parse_early_param() video: fbdev: i740fb: Check the argument of i740_calc_vclk() MIPS: tlbex: Explicitly compare _PAGE_NO_EXEC against 0 tee: add overflow check in register_shm_helper() tracing/probes: Have kprobes and uprobes use $COMM too btrfs: only write the sectors in the vertical stripe which has data stripes btrfs: raid56: don't trust any cached sector in __raid56_parity_recover() Linux 4.19.256 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Icc0d54b54bbf59d4f46e021d161581f330e9dea6 |
||
Peilin Ye
|
4c814f5567 |
vsock: Set socket state back to SS_UNCONNECTED in vsock_connect_timeout()
commit a3e7b29e30854ed67be0d17687e744ad0c769c4b upstream.
Imagine two non-blocking vsock_connect() requests on the same socket.
The first request schedules @connect_work, and after it times out,
vsock_connect_timeout() sets *sock* state back to TCP_CLOSE, but keeps
*socket* state as SS_CONNECTING.
Later, the second request returns -EALREADY, meaning the socket "already
has a pending connection in progress", even though the first request has
already timed out.
As suggested by Stefano, fix it by setting *socket* state back to
SS_UNCONNECTED, so that the second request will return -ETIMEDOUT.
Suggested-by: Stefano Garzarella <sgarzare@redhat.com>
Fixes:
|
||
Peilin Ye
|
2fc2a7767f |
vsock: Fix memory leak in vsock_connect()
commit 7e97cfed9929eaabc41829c395eb0d1350fccb9d upstream.
An O_NONBLOCK vsock_connect() request may try to reschedule
@connect_work. Imagine the following sequence of vsock_connect()
requests:
1. The 1st, non-blocking request schedules @connect_work, which will
expire after 200 jiffies. Socket state is now SS_CONNECTING;
2. Later, the 2nd, blocking request gets interrupted by a signal after
a few jiffies while waiting for the connection to be established.
Socket state is back to SS_UNCONNECTED, but @connect_work is still
pending, and will expire after 100 jiffies.
3. Now, the 3rd, non-blocking request tries to schedule @connect_work
again. Since @connect_work is already scheduled,
schedule_delayed_work() silently returns. sock_hold() is called
twice, but sock_put() will only be called once in
vsock_connect_timeout(), causing a memory leak reported by syzbot:
BUG: memory leak
unreferenced object 0xffff88810ea56a40 (size 1232):
comm "syz-executor756", pid 3604, jiffies 4294947681 (age 12.350s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
28 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00 (..@............
backtrace:
[<ffffffff837c830e>] sk_prot_alloc+0x3e/0x1b0 net/core/sock.c:1930
[<ffffffff837cbe22>] sk_alloc+0x32/0x2e0 net/core/sock.c:1989
[<ffffffff842ccf68>] __vsock_create.constprop.0+0x38/0x320 net/vmw_vsock/af_vsock.c:734
[<ffffffff842ce8f1>] vsock_create+0xc1/0x2d0 net/vmw_vsock/af_vsock.c:2203
[<ffffffff837c0cbb>] __sock_create+0x1ab/0x2b0 net/socket.c:1468
[<ffffffff837c3acf>] sock_create net/socket.c:1519 [inline]
[<ffffffff837c3acf>] __sys_socket+0x6f/0x140 net/socket.c:1561
[<ffffffff837c3bba>] __do_sys_socket net/socket.c:1570 [inline]
[<ffffffff837c3bba>] __se_sys_socket net/socket.c:1568 [inline]
[<ffffffff837c3bba>] __x64_sys_socket+0x1a/0x20 net/socket.c:1568
[<ffffffff84512815>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff84512815>] do_syscall_64+0x35/0x80 arch/x86/entry/common.c:80
[<ffffffff84600068>] entry_SYSCALL_64_after_hwframe+0x44/0xae
<...>
Use mod_delayed_work() instead: if @connect_work is already scheduled,
reschedule it, and undo sock_hold() to keep the reference count
balanced.
Reported-and-tested-by: syzbot+b03f55bf128f9a38f064@syzkaller.appspotmail.com
Fixes:
|
||
Greg Kroah-Hartman
|
930ed74bde |
This is the 4.19.231 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmIWE2YACgkQONu9yGCS aT5fYw/7BtQ5qXubJFiyzRLgqVQ3uh5M5VqtBVyPEP+StMjc9PZ1eaWjw4Fu/yh8 Ti+WAjZWaFu1tPFp73brkC+8BQp/ttxf1YZQLYiBE4MIf3OdkSWy9ksWEQ6Ro4hw XiALghK1M4GFjiheB4MsIf1gUt7dZAhM3mHyKPcMW6mNp458/hDMAjwsSbByOYC9 t4eMrz/CSdbkRzF2wwQkpCJcr8WV9YGP55rbbXBHjLhcd/aDsKwNskq2HcbNBR1h gRVb1X8nSHUtuNr/SQx8aWBAuKkT03dygcxNHbIet4bD5iEq+L/4qydN2wTXhuyb LulH/U3M9hp93ZfAV8/RF5ivjlmVqTZ/hRlnUUHCP1ih5YLV5Ur/lx2LUwlE6wHS hVMvutw/l6WYydW2ihFytErscQfLq+IXUKRH1lj+OeuONpNxxJwyRfc26LElKh0e 6pSSQdEl3fb+o+vFNTOYqf+H6c3KZmE/Y5dD7o21yJfD1O8uvB0HgoJYtGO/dGjt D3QgxQZUOhlz0na8pbI0XaKm3JluS3vnM0piQ0sBZtCEVrkL75Jga9NYPHVDHaXO 5PSC9lN7z/OKCScXJLgKKmzp9y8fpYsrSpmWrS+I7RwdXvQK7T5UMHDbBlErO1nX NJn4W0LhYNC0yBUbvnvUIRmVn3b4/W0h+7k0QNbWKrsejy0eLuY= =SjdS -----END PGP SIGNATURE----- Merge 4.19.231 into android-4.19-stable Changes in 4.19.231 Makefile.extrawarn: Move -Wunaligned-access to W=1 net: usb: ax88179_178a: Fix out-of-bounds accesses in RX fixup serial: parisc: GSC: fix build when IOSAPIC is not set parisc: Fix data TLB miss in sba_unmap_sg parisc: Fix sglist access in ccio-dma.c btrfs: send: in case of IO error log it net: ieee802154: at86rf230: Stop leaking skb's selftests/zram: Skip max_comp_streams interface on newer kernel selftests/zram01.sh: Fix compression ratio calculation selftests/zram: Adapt the situation that /dev/zram0 is being used ax25: improve the incomplete fix to avoid UAF and NPD bugs vfs: make freeze_super abort when sync_filesystem returns error quota: make dquot_quota_sync return errors from ->sync_fs nvme: fix a possible use-after-free in controller reset during load nvme-rdma: fix possible use-after-free in transport error_recovery work Revert "module, async: async_synchronize_full() on module init iff async is used" iwlwifi: fix use-after-free drm/radeon: Fix backlight control on iMac 12,1 xfrm: Don't accidentally set RTO_ONLINK in decode_session4() taskstats: Cleanup the use of task->exit_code mmc: block: fix read single on recovery logic vsock: remove vsock from connected table when connect is interrupted by a signal iwlwifi: pcie: fix locking when "HW not ready" iwlwifi: pcie: gen2: fix locking when "HW not ready" net: dsa: lan9303: fix reset on probe net: ieee802154: ca8210: Fix lifs/sifs periods ping: fix the dif and sdif check in ping_lookup drop_monitor: fix data-race in dropmon_net_event / trace_napi_poll_hit bonding: fix data-races around agg_select_timer libsubcmd: Fix use-after-free for realloc(..., 0) ALSA: hda: Fix regression on forced probe mask option ALSA: hda: Fix missing codec probe on Shenker Dock 15 ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw() ASoC: ops: Fix stereo change notifications in snd_soc_put_volsw_range() powerpc/lib/sstep: fix 'ptesync' build error ext4: check for out-of-order index extents in ext4_valid_extent_entries() block/wbt: fix negative inflight counter when remove scsi device NFS: LOOKUP_DIRECTORY is also ok with symlinks NFS: Do not report writeback errors in nfs_getattr() mtd: rawnand: qcom: Fix clock sequencing in qcom_nandc_probe() EDAC: Fix calculation of returned address and next offset in edac_align_ptr() net: sched: limit TC_ACT_REPEAT loops dmaengine: sh: rcar-dmac: Check for error num after setting mask i2c: brcmstb: fix support for DSL and CM variants lib/iov_iter: initialize "flags" in new pipe_buffer mtd: rawnand: brcmnand: Refactored code to introduce helper functions mtd: rawnand: brcmnand: Fixed incorrect sub-page ECC status Drivers: hv: vmbus: Expose monitor data only when monitor pages are used Drivers: hv: vmbus: Fix memory leak in vmbus_add_channel_kobj KVM: x86/pmu: Use AMD64_RAW_EVENT_MASK for PERF_TYPE_RAW ARM: OMAP2+: hwmod: Add of_node_put() before break irqchip/sifive-plic: Add missing thead,c900-plic match string netfilter: conntrack: don't refresh sctp entries in closed state arm64: dts: meson-gx: add ATF BL32 reserved-memory region kconfig: let 'shell' return enough output for deep path names ata: libata-core: Disable TRIM on M88V29 tracing: Fix tp_printk option related with tp_printk_stop_on_boot net: usb: qmi_wwan: Add support for Dell DW5829e net: macb: Align the dma and coherent dma masks Linux 4.19.231 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ifea29f81ea3bbfcc6f305c258aa0527711d128d1 |
||
Seth Forshee
|
2910bcb9f6 |
vsock: remove vsock from connected table when connect is interrupted by a signal
commit b9208492fcaecff8f43915529ae34b3bcb03877c upstream.
vsock_connect() expects that the socket could already be in the
TCP_ESTABLISHED state when the connecting task wakes up with a signal
pending. If this happens the socket will be in the connected table, and
it is not removed when the socket state is reset. In this situation it's
common for the process to retry connect(), and if the connection is
successful the socket will be added to the connected table a second
time, corrupting the list.
Prevent this by calling vsock_remove_connected() if a signal is received
while waiting for a connection. This is harmless if the socket is not in
the connected table, and if it is in the table then removing it will
prevent list corruption from a double add.
Note for backporting: this patch requires d5afa82c977e ("vsock: correct
removal of socket from the list"), which is in all current stable trees
except 4.9.y.
Fixes:
|
||
Greg Kroah-Hartman
|
47e51a7a22 |
This is the 4.19.218 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmGguLAACgkQONu9yGCS aT4wZQ/+OSbZuEs53pK9aEgBhXBlJtI0uIXsywUgsFZzeTfXuutrSeYs33EGTI3T q7JB2mixxZnUoHFajVNtmKKDhN/KySRvmqEoDX+adHd2Pyx3m42kAC7odVBdSk/1 5mgcaAQmMKa/+DgMGAJmMDDoa7zzPOykPhzbgT8rIVvaLyqtBMcqVV+Wo3HsUFBe nR4vMmb1noZhRT8Bphf/m+BnjSkh8FMVCY47W++D1fNFgZXD6jm/4qdJar0nE+si 4ymdyehKdMQ3xeuhdxzurFalM8TDMY2Yz720ST9EV2VhrJZ3STLz1pOuOonxVk1D Y9xB4yG357Dx+zjmkPt/aNeQ7Mt3sAEUBI37y27wRi6wBa2xlie0/nGjTp2r7tEs h34ZiKrpom7goH+FZRQndkJUqqMo4COASD9AXzJEgpZtqVH6SRA0Cw6nV1KydLSQ zMz0IsdvUR4i6xhw6tr17FXtgnX3MjLqRh2lBLedw4e4ydi+CJU/c4sFIeMIJnjl CMHp2mt7VyTf5jufJ0o4BY4UCDBBKt3uqEB0g58AXSMEEGUoQcpFBFd8ZJ0inYFH JtuL8IbtBPWEt20HR411tQkhIdgPFDzAHm2q9X8YGc4DnAO+/p9xGpXy+xPrRm7p VRKwQRFb9MOVA4bswQ4uCU+wpIsq5NaXhkjSC27U49kzDdKZbAg= =xzh+ -----END PGP SIGNATURE----- Merge 4.19.218 into android-4.19-stable Changes in 4.19.218 xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay binder: use euid from cred instead of using task binder: use cred instead of task for selinux checks Input: elantench - fix misreporting trackpoint coordinates Input: i8042 - Add quirk for Fujitsu Lifebook T725 libata: fix read log timeout value ocfs2: fix data corruption on truncate mmc: dw_mmc: Dont wait for DRTO on Write RSP error parisc: Fix ptrace check on syscall return tpm: Check for integer overflow in tpm2_map_response_body() firmware/psci: fix application of sizeof to pointer crypto: s5p-sss - Add error handling in s5p_aes_probe() media: ite-cir: IR receiver stop working after receive overflow media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers ALSA: hda/realtek: Add quirk for Clevo PC70HS ALSA: ua101: fix division by zero at probe ALSA: 6fire: fix control and bulk message timeouts ALSA: line6: fix control and interrupt message timeouts ALSA: usb-audio: Add registration quirk for JBL Quantum 400 ALSA: synth: missing check for possible NULL after the call to kstrdup ALSA: timer: Fix use-after-free problem ALSA: timer: Unconditionally unlink slave instances, too x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c x86/irq: Ensure PI wakeup handler is unregistered before module unload cavium: Return negative value when pci_alloc_irq_vectors() fails scsi: qla2xxx: Fix unmap of already freed sgl cavium: Fix return values of the probe function sfc: Don't use netif_info before net_device setup hyperv/vmbus: include linux/bitops.h mmc: winbond: don't build on M68K drm: panel-orientation-quirks: Add quirk for Aya Neo 2021 bpf: Prevent increasing bpf_jit_limit above max xen/netfront: stop tx queues during live migration spi: spl022: fix Microwire full duplex mode watchdog: Fix OMAP watchdog early handling vmxnet3: do not stop tx queues after netif_device_detach() btrfs: clear MISSING device status bit in btrfs_close_one_device btrfs: fix lost error handling when replaying directory deletes btrfs: call btrfs_check_rw_degradable only if there is a missing device ia64: kprobes: Fix to pass correct trampoline address to the handler hwmon: (pmbus/lm25066) Add offset coefficients regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell mwifiex: fix division by zero in fw download path ath6kl: fix division by zero in send path ath6kl: fix control-message timeout ath10k: fix control-message timeout ath10k: fix division by zero in send path PCI: Mark Atheros QCA6174 to avoid bus reset rtl8187: fix control-message timeouts evm: mark evm_fixmode as __ro_after_init wcn36xx: Fix HT40 capability for 2Ghz band mwifiex: Read a PCI register after writing the TX ring write pointer libata: fix checking of DMA state wcn36xx: handle connection loss indication rsi: fix occasional initialisation failure with BT coex rsi: fix key enabled check causing unwanted encryption for vap_id > 0 rsi: fix rate mask set leading to P2P failure rsi: Fix module dev_oper_mode parameter description RDMA/qedr: Fix NULL deref for query_qp on the GSI QP signal: Remove the bogus sigkill_pending in ptrace_stop signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT power: supply: max17042_battery: Prevent int underflow in set_soc_threshold power: supply: max17042_battery: use VFSOC for capacity when no rsns powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found serial: core: Fix initializing and restoring termios speed ALSA: mixer: oss: Fix racy access to slots ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume xen/balloon: add late_initcall_sync() for initial ballooning done PCI: aardvark: Do not clear status bits of masked interrupts PCI: aardvark: Do not unmask unused interrupts PCI: aardvark: Fix return value of MSI domain .alloc() method PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG quota: check block number when reading the block in quota file quota: correct error number in free_dqentry() pinctrl: core: fix possible memory leak in pinctrl_enable() iio: dac: ad5446: Fix ad5622_write() return value USB: serial: keyspan: fix memleak on probe errors USB: iowarrior: fix control-message timeouts drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1 Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() Bluetooth: fix use-after-free error in lock_sock_nested() platform/x86: wmi: do not fail if disabling fails MIPS: lantiq: dma: add small delay after reset MIPS: lantiq: dma: reset correct number of channel locking/lockdep: Avoid RCU-induced noinstr fail net: sched: update default qdisc visibility after Tx queue cnt changes smackfs: Fix use-after-free in netlbl_catmap_walk() x86: Increase exception stack sizes mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type mwifiex: Properly initialize private structure on interface type changes media: mt9p031: Fix corrupted frame after restarting stream media: netup_unidvb: handle interrupt properly according to the firmware media: uvcvideo: Set capability in s_param media: uvcvideo: Return -EIO for control errors media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe() media: s5p-mfc: Add checking to s5p_mfc_probe(). media: mceusb: return without resubmitting URB in case of -EPROTO error. ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK media: rcar-csi2: Add checking to rcsi2_start_receiver() ACPICA: Avoid evaluating methods too early during system resume media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte() tracefs: Have tracefs directories not set OTH permission bits by default ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create() ACPI: battery: Accept charges over the design capacity as full leaking_addresses: Always print a trailing newline memstick: r592: Fix a UAF bug when removing the driver lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression lib/xz: Validate the value before assigning it to an enum variable workqueue: make sysfs of unbound kworker cpumask more clever tracing/cfi: Fix cmp_entries_* functions signature mismatch mwl8k: Fix use-after-free in mwl8k_fw_state_machine() PM: hibernate: Get block device exclusively in swsusp_check() iwlwifi: mvm: disable RX-diversity in powersave smackfs: use __GFP_NOFAIL for smk_cipso_doi() ARM: clang: Do not rely on lr register for stacktrace gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE ARM: 9136/1: ARMv7-M uses BE-8, not BE-32 spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe() x86/hyperv: Protect set_hv_tscchange_cb() against getting preempted parisc: fix warning in flush_tlb_all task_stack: Fix end_of_stack() for architectures with upwards-growing stack parisc/unwind: fix unwinder when CONFIG_64BIT is enabled parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling Bluetooth: fix init and cleanup of sco_conn.timeout_work cgroup: Make rebind_subsystems() disable v2 controllers all at once net: dsa: rtl8366rb: Fix off-by-one bug drm/amdgpu: fix warning for overflow check media: em28xx: add missing em28xx_close_extension media: dvb-usb: fix ununit-value in az6027_rc_query media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()' media: si470x: Avoid card name truncation media: cx23885: Fix snd_card_free call on null card pointer cpuidle: Fix kobject memory leaks in error paths media: em28xx: Don't use ops->suspend if it is NULL ath9k: Fix potential interrupt storm on queue reset media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable() crypto: qat - detect PFVF collision after ACK crypto: qat - disregard spurious PFVF interrupts hwrng: mtk - Force runtime pm ops for sleep ops b43legacy: fix a lower bounds test b43: fix a lower bounds test mmc: sdhci-omap: Fix NULL pointer exception if regulator is not configured memstick: avoid out-of-range warning memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() hwmon: Fix possible memleak in __hwmon_device_register() hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff ath10k: fix max antenna gain unit drm/msm: uninitialized variable in msm_gem_import() net: stream: don't purge sk_error_queue in sk_stream_kill_queues() mmc: mxs-mmc: disable regulator on error and in the remove function platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning rsi: stop thread firstly in rsi_91x_init() error handling mwifiex: Send DELBA requests according to spec phy: micrel: ksz8041nl: do not use power down mode nvme-rdma: fix error code in nvme_rdma_setup_ctrl PM: hibernate: fix sparse warnings clocksource/drivers/timer-ti-dm: Select TIMER_OF drm/msm: Fix potential NULL dereference in DPU SSPP smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap() irq: mips: avoid nested irq_enter() tcp: don't free a FIN sk_buff in tcp_remove_empty_skb() samples/kretprobes: Fix return value if register_kretprobe() failed KVM: s390: Fix handle_sske page fault handling libertas_tf: Fix possible memory leak in probe and disconnect libertas: Fix possible memory leak in probe and disconnect wcn36xx: add proper DMA memory barriers in rx path net: amd-xgbe: Toggle PLL settings during rate change net: phylink: avoid mvneta warning when setting pause parameters crypto: pcrypt - Delay write to padata->info selftests/bpf: Fix fclose/pclose mismatch in test_progs ibmvnic: Process crqs after enabling interrupts RDMA/rxe: Fix wrong port_cap_flags ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc() arm64: dts: rockchip: Fix GPU register width for RK3328 RDMA/bnxt_re: Fix query SRQ failure ARM: dts: at91: tse850: the emac<->phy interface is rmii scsi: dc395: Fix error case unwinding MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT JFS: fix memleak in jfs_mount ALSA: hda: Reduce udelay() at SKL+ position reporting arm: dts: omap3-gta04a4: accelerometer irq fix soc/tegra: Fix an error handling path in tegra_powergate_power_up() memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe video: fbdev: chipsfb: use memset_io() instead of memset() serial: 8250_dw: Drop wrong use of ACPI_PTR() usb: gadget: hid: fix error code in do_config() power: supply: rt5033_battery: Change voltage values to µV scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() RDMA/mlx4: Return missed an error if device doesn't support steering ASoC: cs42l42: Correct some register default values ASoC: cs42l42: Defer probe if request_threaded_irq() returns EPROBE_DEFER phy: qcom-qusb2: Fix a memory leak on probe serial: xilinx_uartps: Fix race condition causing stuck TX mips: cm: Convert to bitfield API to fix out-of-bounds access power: supply: bq27xxx: Fix kernel crash on IRQ handler register error apparmor: fix error check rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds drm/plane-helper: fix uninitialized variable reference PCI: aardvark: Don't spam about PIO Response Status NFS: Fix deadlocks in nfs_scan_commit_list() fs: orangefs: fix error return code of orangefs_revalidate_lookup() mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare() dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string auxdisplay: ht16k33: Connect backlight to fbdev auxdisplay: ht16k33: Fix frame buffer device blanking netfilter: nfnetlink_queue: fix OOB when mac header was cleared dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result` m68k: set a default value for MEMORY_RESERVE watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT ar7: fix kernel builds for compiler test scsi: qla2xxx: Fix gnl list corruption scsi: qla2xxx: Turn off target reset during issue_lip i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()' xen-pciback: Fix return in pm_ctrl_init() net: davinci_emac: Fix interrupt pacing disable ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration() zram: off by one in read_block_state() llc: fix out-of-bound array index in llc_sk_dev_hash() nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions vsock: prevent unnecessary refcnt inc for nonblocking connect cxgb4: fix eeprom len when diagnostics not implemented USB: chipidea: fix interrupt deadlock ARM: 9155/1: fix early early_iounmap() ARM: 9156/1: drop cc-option fallbacks for architecture selection f2fs: should use GFP_NOFS for directory inodes 9p/net: fix missing error check in p9_check_errors powerpc/lib: Add helper to check if offset is within conditional branch range powerpc/bpf: Validate branch ranges powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 powerpc/security: Add a helper to query stf_barrier type powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks mm, oom: do not trigger out_of_memory from the #PF backlight: gpio-backlight: Correct initial power state handling video: backlight: Drop maximum brightness override for brightness zero s390/cio: check the subchannel validity for dev_busid s390/tape: fix timer initialization in tape_std_assign() PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros fuse: truncate pagecache on atomic_o_trunc x86/cpu: Fix migration safety with X86_BUG_NULL_SEL ext4: fix lazy initialization next schedule time computation in more granular unit fortify: Explicitly disable Clang support parisc/entry: fix trace test in syscall exit path PCI/MSI: Destroy sysfs before freeing entries PCI/MSI: Deal with devices lying about their MSI mask capability PCI: Add MSI masking quirk for Nvidia ION AHCI erofs: remove the occupied parameter from z_erofs_pagevec_enqueue() erofs: fix unsafe pagevec reuse of hooked pclusters arm64: zynqmp: Do not duplicate flash partition label property arm64: zynqmp: Fix serial compatible string scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() arm64: dts: hisilicon: fix arm,sp805 compatible string usb: musb: tusb6010: check return value after calling platform_get_resource() usb: typec: tipd: Remove WARN_ON in tps6598x_block_read arm64: dts: freescale: fix arm,sp805 compatible string ASoC: nau8824: Add DMI quirk mechanism for active-high jack-detect scsi: advansys: Fix kernel pointer leak firmware_loader: fix pre-allocated buf built-in firmware use ARM: dts: omap: fix gpmc,mux-add-data type usb: host: ohci-tmio: check return value after calling platform_get_resource() ALSA: ISA: not for M68K tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc MIPS: sni: Fix the build scsi: target: Fix ordered tag handling scsi: target: Fix alua_tg_pt_gps_count tracking powerpc/5200: dts: fix memory node unit name ALSA: gus: fix null pointer dereference on pointer block powerpc/dcr: Use cmplwi instead of 3-argument cmpli sh: check return code of request_irq maple: fix wrong return value of maple_bus_init(). f2fs: fix up f2fs_lookup tracepoints sh: fix kconfig unmet dependency warning for FRAME_POINTER sh: define __BIG_ENDIAN for math-emu mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain() drm/nouveau: hdmigv100.c: fix corrupted HDMI Vendor InfoFrame net: bnx2x: fix variable dereferenced before check iavf: check for null in iavf_fix_features iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset MIPS: generic/yamon-dt: fix uninitialized variable error mips: bcm63xx: add support for clk_get_parent() mips: lantiq: add support for clk_get_parent() platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()' net: virtio_net_hdr_to_skb: count transport header in UFO i40e: Fix correct max_pkt_size on VF RX queue i40e: Fix NULL ptr dereference on VSI filter sync i40e: Fix changing previously set num_queue_pairs for PFs i40e: Fix display error code in dmesg NFC: reorganize the functions in nci_request NFC: reorder the logic in nfc_{un,}register_device perf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server tun: fix bonding active backup with arp monitoring hexagon: export raw I/O routines for modules ipc: WARN if trying to remove ipc object which is absent mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails udf: Fix crash after seekdir btrfs: fix memory ordering between normal and ordered work functions parisc/sticon: fix reverse colors cfg80211: call cfg80211_stop_ap when switch from P2P_GO type drm/udl: fix control-message timeout drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors perf/core: Avoid put_page() when GUP fails batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN batman-adv: Consider fragmentation for needed_headroom batman-adv: Reserve needed_*room for fragments batman-adv: Don't always reallocate the fragmentation skb head RDMA/netlink: Add __maybe_unused to static inline in C file ASoC: DAPM: Cover regression by kctl change notification fix usb: max-3421: Use driver data instead of maintaining a list of bound devices soc/tegra: pmc: Fix imbalanced clock disabling in error code path Linux 4.19.218 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3f87fc92fe2a7a19ddddb522916f74dba7929583 |
||
Eiichi Tsukata
|
0608664fb5 |
vsock: prevent unnecessary refcnt inc for nonblocking connect
[ Upstream commit c7cd82b90599fa10915f41e3dd9098a77d0aa7b6 ]
Currently vosck_connect() increments sock refcount for nonblocking
socket each time it's called, which can lead to memory leak if
it's called multiple times because connect timeout function decrements
sock refcount only once.
Fixes it by making vsock_connect() return -EALREADY immediately when
sock state is already SS_CONNECTING.
Fixes:
|
||
Greg Kroah-Hartman
|
bc6ea49ddc |
Merge 4.19.205 into android-4.19-stable
Changes in 4.19.205 iio: humidity: hdc100x: Add margin to the conversion time iio: adc: Fix incorrect exit of for-loop ASoC: intel: atom: Fix reference to PCM buffer address i2c: dev: zero out array used for i2c reads from userspace ACPI: NFIT: Fix support for virtual SPA ranges ieee802154: hwsim: fix GPF in hwsim_set_edge_lqi ieee802154: hwsim: fix GPF in hwsim_new_edge_nl ASoC: cs42l42: Correct definition of ADC Volume control ASoC: cs42l42: Don't allow SND_SOC_DAIFMT_LEFT_J ASoC: cs42l42: Fix inversion of ADC Notch Switch control ASoC: cs42l42: Remove duplicate control for WNF filter frequency ASoC: cs42l42: Fix LRCLK frame start edge net: dsa: mt7530: add the missing RxUnicast MIB counter ppp: Fix generating ifname when empty IFLA_IFNAME is specified psample: Add a fwd declaration for skbuff net: Fix memory leak in ieee802154_raw_deliver net: igmp: fix data-race in igmp_ifc_timer_expire() net: dsa: lan9303: fix broken backpressure in .port_fdb_dump net: bridge: fix memleak in br_add_if() tcp_bbr: fix u32 wrap bug in round logic if bbr_init() called after 2B packets net: igmp: increase size of mr_ifc_count xen/events: Fix race in set_evtchn_to_irq vsock/virtio: avoid potential deadlock when vsock device remove powerpc/kprobes: Fix kprobe Oops happens in booke x86/tools: Fix objdump version check again genirq: Provide IRQCHIP_AFFINITY_PRE_STARTUP x86/msi: Force affinity setup before startup x86/ioapic: Force affinity setup before startup x86/resctrl: Fix default monitoring groups reporting genirq/msi: Ensure deactivation on teardown PCI/MSI: Enable and mask MSI-X early PCI/MSI: Do not set invalid bits in MSI mask PCI/MSI: Correct misleading comments PCI/MSI: Use msi_mask_irq() in pci_msi_shutdown() PCI/MSI: Protect msi_desc::masked for multi-MSI PCI/MSI: Mask all unused MSI-X entries PCI/MSI: Enforce that MSI-X table entry is masked for update PCI/MSI: Enforce MSI[X] entry updates to be visible vmlinux.lds.h: Handle clang's module.{c,d}tor sections iommu/vt-d: Fix agaw for a supported 48 bit guest address width mac80211: drop data frames without key on encrypted links KVM: nSVM: always intercept VMLOAD/VMSAVE when nested (CVE-2021-3656) KVM: nSVM: avoid picking up unsupported bits from L2 in int_ctl (CVE-2021-3653) x86/fpu: Make init_fpstate correct with optimized XSAVE ath: Use safer key clearing with key cache entries ath9k: Clear key cache explicitly on disabling hardware ath: Export ath_hw_keysetmac() ath: Modify ath_key_delete() to not need full key entry ath9k: Postpone key cache entry deletion for TXQ frames reference it dmaengine: xilinx_dma: Fix read-after-free bug when terminating transfers dmaengine: usb-dmac: Fix PM reference leak in usb_dmac_probe() ARM: dts: am43x-epos-evm: Reduce i2c0 bus speed for tps65218 dmaengine: of-dma: router_xlate to return -EPROBE_DEFER if controller is not yet available scsi: megaraid_mm: Fix end of loop tests for list_for_each_entry() scsi: scsi_dh_rdac: Avoid crash during rdac_bus_attach() scsi: core: Avoid printing an error if target_alloc() returns -ENXIO ARM: dts: nomadik: Fix up interrupt controller node names net: usb: lan78xx: don't modify phy_device state concurrently Bluetooth: hidp: use correct wait queue when removing ctrl_wait cpufreq: armada-37xx: forbid cpufreq for 1.2 GHz variant dccp: add do-while-0 stubs for dccp_pr_debug macros vhost: Fix the calculation in vhost_overflow() bnxt: don't lock the tx queue from napi poll bnxt: disable napi before canceling DIM net: 6pack: fix slab-out-of-bounds in decode_data ptp_pch: Restore dependency on PCI net: qlcnic: add missed unlock in qlcnic_83xx_flash_read32 net: mdio-mux: Don't ignore memory allocation errors net: mdio-mux: Handle -EPROBE_DEFER correctly mmc: dw_mmc: Fix hang on data CRC error ALSA: hda - fix the 'Capture Switch' value change notifications tracing / histogram: Fix NULL pointer dereference on strcmp() on NULL event name slimbus: messaging: start transaction ids from 1 instead of zero slimbus: messaging: check for valid transaction id slimbus: ngd: reset dma setup during runtime pm ipack: tpci200: fix many double free issues in tpci200_pci_probe ipack: tpci200: fix memory leak in the tpci200_register btrfs: prevent rename2 from exchanging a subvol with a directory from different parents PCI: Increase D3 delay for AMD Renoir/Cezanne XHCI ASoC: intel: atom: Fix breakage for PCM buffer address setup locks: print a warning when mount fails due to lack of "mand" support fs: warn about impending deprecation of mandatory locks netfilter: nft_exthdr: fix endianness of tcp option cast Linux 4.19.205 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I710e9719923984fdc85b2979aa916f78f57dc387 |
||
Longpeng(Mike)
|
a6013d42d2 |
vsock/virtio: avoid potential deadlock when vsock device remove
[ Upstream commit 49b0b6ffe20c5344f4173f3436298782a08da4f2 ]
There's a potential deadlock case when remove the vsock device or
process the RESET event:
vsock_for_each_connected_socket:
spin_lock_bh(&vsock_table_lock) ----------- (1)
...
virtio_vsock_reset_sock:
lock_sock(sk) --------------------- (2)
...
spin_unlock_bh(&vsock_table_lock)
lock_sock() may do initiative schedule when the 'sk' is owned by
other thread at the same time, we would receivce a warning message
that "scheduling while atomic".
Even worse, if the next task (selected by the scheduler) try to
release a 'sk', it need to request vsock_table_lock and the deadlock
occur, cause the system into softlockup state.
Call trace:
queued_spin_lock_slowpath
vsock_remove_bound
vsock_remove_sock
virtio_transport_release
__vsock_release
vsock_release
__sock_release
sock_close
__fput
____fput
So we should not require sk_lock in this case, just like the behavior
in vhost_vsock or vmci.
Fixes:
|
||
Greg Kroah-Hartman
|
97fd50773c |
This is the 4.19.198 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmD22r0ACgkQONu9yGCS aT7QGBAAjVxynXPmbTuTPEXe4JXpIypErZCbUt8hUdtUcGkR3C7Kpv4zfz2Sqejc W2NOGNrU6OtUR+pWR+GwwqfFzop4LZl5jj46CiMZ9mY81LVVh7dNxXx6huIXkgy5 rI8oQAPNn5QaWHNANgdjCgdXRbA7FxBHDfaiGvwQbTW92wLV/w4ZH1coFxkkVdV1 eL3wZnVf0SNw0WTDiRDfCEH9Wx7RvVZ9KI/TqVOxYKv3LPl3faJVbjbQ8aP0lBxQ Vx+SB0w6C8f/P1KVIgU+1VluWsiQzHSxrliK2JCFqCoUFvZ02l3c6G4W2bQUcPw/ HqkozAywWftEXYFuXAGKnRQjX97vKABF/A7FZG3FrmP3zuzeRnFWrlheFSAccGww K/QH4avlk/ZO0XPghnVJhlOaYvNU90cimFVfillnuMdGrUdElsZuEIGLj/7KaQOB GryuTyB8ZTVFCiHQlGKUY+3DMC5SJ4aHb1lpQd/+OGqgkUXMWXc9ZFshcLcsBZUE 88ruExWq8fTmLXI6d4u/WZDi7e4pMtnP2N0ahMWC/EzpiLYQWpmVCDzQm09SnpiB T4NdBP5vR96M9EF68xNNgrIIwn3aw/yKm3VQzy6eQLtQ7zFVxIpa8jdUDR5pYYJv rAtawF7cgT0BkTaOE6LUDFNdR8feYvE87nuyL5pVN5ZLOefpgMM= =ijbU -----END PGP SIGNATURE----- Merge 4.19.198 into android-4.19-stable Changes in 4.19.198 scsi: core: Retry I/O for Notify (Enable Spinup) Required error ALSA: usb-audio: fix rate on Ozone Z90 USB headset ALSA: usb-audio: Fix OOB access at proc output media: dvb-usb: fix wrong definition Input: usbtouchscreen - fix control-request directions net: can: ems_usb: fix use-after-free in ems_usb_disconnect() usb: gadget: eem: fix echo command packet response issue USB: cdc-acm: blacklist Heimann USB Appset device usb: dwc3: Fix debugfs creation flow usb: typec: Add the missed altmode_id_remove() in typec_register_altmode() xhci: solve a double free problem while doing s4 ntfs: fix validity check for file name attribute iov_iter_fault_in_readable() should do nothing in xarray case Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode ARM: dts: at91: sama5d4: fix pinctrl muxing btrfs: send: fix invalid path for unlink operations after parent orphanization btrfs: clear defrag status of a root if starting transaction fails ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle ext4: fix kernel infoleak via ext4_extent_header ext4: return error code when ext4_fill_flex_info() fails ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit ext4: remove check for zero nr_to_scan in ext4_es_scan() ext4: fix avefreec in find_group_orlov ext4: use ext4_grp_locked_error in mb_find_extent can: bcm: delay release of struct bcm_op after synchronize_rcu() can: gw: synchronize rcu operations before removing gw job entry can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path SUNRPC: Fix the batch tasks count wraparound. SUNRPC: Should wake up the privileged task firstly. s390/cio: dont call css_wait_for_slow_path() inside a lock rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path iio: light: tcs3472: do not free unallocated IRQ iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR iio: ltr501: ltr501_read_ps(): add missing endianness conversion serial: sh-sci: Stop dmaengine transfer in sci_stop_tx() serial_cs: Add Option International GSM-Ready 56K/ISDN modem serial_cs: remove wrong GLOBETROTTER.cis entry ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() ssb: sdio: Don't overwrite const buffer if block_write fails rsi: Assign beacon rate settings to the correct rate_info descriptor field rsi: fix AP mode with WPA failure due to encrypted EAPOL tracing/histograms: Fix parsing of "sym-offset" modifier tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing seq_buf: Make trace_seq_putmem_hex() support data longer than 8 powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi() evm: Execute evm_inode_init_security() only when an HMAC key is loaded evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded fuse: check connected before queueing on fpq->io spi: Make of_register_spi_device also set the fwnode spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf' spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages() spi: omap-100k: Fix the length judgment problem regulator: uniphier: Add missing MODULE_DEVICE_TABLE crypto: nx - add missing MODULE_DEVICE_TABLE media: cpia2: fix memory leak in cpia2_usb_probe media: cobalt: fix race condition in setting HPD media: pvrusb2: fix warning in pvr2_i2c_core_done crypto: qat - check return code of qat_hal_rd_rel_reg() crypto: qat - remove unused macro in FW loader sched/fair: Fix ascii art by relpacing tabs media: em28xx: Fix possible memory leak of em28xx struct media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release media: bt8xx: Fix a missing check bug in bt878_probe media: st-hva: Fix potential NULL pointer dereferences media: dvd_usb: memory leak in cinergyt2_fe_attach mmc: via-sdmmc: add a check against NULL pointer dereference crypto: shash - avoid comparing pointers to exported functions under CFI media: dvb_net: avoid speculation from net slot media: siano: fix device register error path media: imx-csi: Skip first few frames from a BT.656 source btrfs: fix error handling in __btrfs_update_delayed_inode btrfs: abort transaction if we fail to update the delayed inode btrfs: disable build on platforms having page size 256K regulator: da9052: Ensure enough delay time for .set_voltage_time_sel HID: do not use down_interruptible() when unbinding devices EDAC/ti: Add missing MODULE_DEVICE_TABLE ACPI: processor idle: Fix up C-state latency if not ordered hv_utils: Fix passing zero to 'PTR_ERR' warning lib: vsprintf: Fix handling of number field widths in vsscanf ACPI: EC: Make more Asus laptops use ECDT _GPE block_dump: remove block_dump feature in mark_inode_dirty() fs: dlm: cancel work sync othercon random32: Fix implicit truncation warning in prandom_seed_state() fs: dlm: fix memory leak when fenced ACPICA: Fix memory leak caused by _CID repair function ACPI: bus: Call kobject_put() in acpi_init() error path platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() clocksource: Retry clock read if long delays detected ACPI: tables: Add custom DSDT file as makefile prerequisite HID: wacom: Correct base usage for capacitive ExpressKey status bits ia64: mca_drv: fix incorrect array size calculation media: s5p_cec: decrement usage count if disabled crypto: ixp4xx - dma_unmap the correct address crypto: ux500 - Fix error return code in hash_hw_final() sata_highbank: fix deferred probing pata_rb532_cf: fix deferred probing media: I2C: change 'RST' to "RSET" to fix multiple build errors pata_octeon_cf: avoid WARN_ON() in ata_host_activate() evm: fix writing <securityfs>/evm overflow crypto: ccp - Fix a resource leak in an error handling path media: rc: i2c: Fix an error message pata_ep93xx: fix deferred probing media: exynos4-is: Fix a use after free in isp_video_release media: tc358743: Fix error return code in tc358743_probe_of() media: gspca/gl860: fix zero-length control requests media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2() mmc: usdhi6rol0: fix error return code in usdhi6_probe() media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx hwmon: (max31722) Remove non-standard ACPI device IDs hwmon: (max31790) Fix fan speed reporting for fan7..12 btrfs: clear log tree recovering status if starting transaction fails spi: spi-sun6i: Fix chipselect/clock bug crypto: nx - Fix RCU warning in nx842_OF_upd_status ACPI: sysfs: Fix a buffer overrun problem with description_show() blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() blk-wbt: make sure throttle is enabled properly ocfs2: fix snprintf() checking net: mvpp2: Put fwnode in error case during ->probe() net: pch_gbe: Propagate error from devm_gpio_request_one() drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on error in cdn_dp_grf_write() ehea: fix error return code in ehea_restart_qps() RDMA/rxe: Fix failure during driver load drm: qxl: ensure surf.data is ininitialized tools/bpftool: Fix error return code in do_batch() wireless: carl9170: fix LEDS build errors & warnings ieee802154: hwsim: Fix possible memory leak in hwsim_subscribe_all_others wcn36xx: Move hal_buf allocation to devm_kmalloc in probe ssb: Fix error return code in ssb_bus_scan() brcmfmac: fix setting of station info chains bitmask brcmfmac: correctly report average RSSI in station info brcmsmac: mac80211_if: Fix a resource leak in an error handling path ath10k: Fix an error code in ath10k_add_interface() netlabel: Fix memory leak in netlbl_mgmt_add_common RDMA/mlx5: Don't add slave port to unaffiliated list netfilter: nft_exthdr: check for IPv6 packet before further processing netfilter: nft_osf: check for TCP packet before further processing netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols RDMA/rxe: Fix qp reference counting for atomic ops samples/bpf: Fix the error return code of xdp_redirect's main() net: ethernet: aeroflex: fix UAF in greth_of_remove net: ethernet: ezchip: fix UAF in nps_enet_remove net: ethernet: ezchip: fix error handling pkt_sched: sch_qfq: fix qfq_change_class() error path vxlan: add missing rcu_read_lock() in neigh_reduce() net/ipv4: swap flow ports when validating source ieee802154: hwsim: Fix memory leak in hwsim_add_one ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl() mac80211: remove iwlwifi specific workaround NDPs of null_response net: bcmgenet: Fix attaching to PYH failed on RPi 4B ipv6: exthdrs: do not blindly use init_net bpf: Do not change gso_size during bpf_skb_change_proto() i40e: Fix error handling in i40e_vsi_open i40e: Fix autoneg disabling for non-10GBaseT links Revert "ibmvnic: remove duplicate napi_schedule call in open function" ibmvnic: free tx_pool if tso_pool alloc fails ipv6: fix out-of-bound access in ip6_parse_tlv() Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event writeback: fix obtain a reference to a freeing memcg css net: lwtunnel: handle MTU calculation in forwading net: sched: fix warning in tcindex_alloc_perfect_hash RDMA/mlx5: Don't access NULL-cleared mpi pointer tty: nozomi: Fix a resource leak in an error handling function mwifiex: re-fix for unaligned accesses iio: adis_buffer: do not return ints in irq handlers iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: bma220: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: hid: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: kxcjk-1013: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: adc: ti-ads1015: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: adc: vf610: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: gyro: bmg160: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: humidity: am2315: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: prox: srf08: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: prox: pulsed-light: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: prox: as3935: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: light: isl29125: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: light: tcs3414: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: light: tcs3472: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: potentiostat: lmp91000: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() ASoC: hisilicon: fix missing clk_disable_unprepare() on error in hi6210_i2s_startup() ASoC: rsnd: tidyup loop on rsnd_adg_clk_query() Input: hil_kbd - fix error return code in hil_dev_connect() char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol() tty: nozomi: Fix the error handling path of 'nozomi_card_init()' scsi: FlashPoint: Rename si_flags field fsi: core: Fix return of error values on failures fsi: scom: Reset the FSI2PIB engine for any error fsi/sbefifo: Clean up correct FIFO when receiving reset request from SBE fsi/sbefifo: Fix reset timeout visorbus: fix error return code in visorchipset_init() s390: appldata depends on PROC_SYSCTL eeprom: idt_89hpesx: Put fwnode in matching case during ->probe() eeprom: idt_89hpesx: Restore printing the unsupported fwnode name iio: adc: hx711: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: adc: mxs-lradc: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt() staging: gdm724x: check for overflow in gdm_lte_netif_rx() staging: mt7621-dts: fix pci address for PCI memory range serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates iio: prox: isl29501: Fix buffer alignment in iio_push_to_buffers_with_timestamp() ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK of: Fix truncation of memory sizes on 32-bit platforms mtd: rawnand: marvell: add missing clk_disable_unprepare() on error in marvell_nfc_resume() scsi: mpt3sas: Fix error return value in _scsih_expander_add() phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe() extcon: sm5502: Drop invalid register write in sm5502_reg_data extcon: max8997: Add missing modalias string ASoC: atmel-i2s: Fix usage of capture and playback at the same time configfs: fix memleak in configfs_release_bin_file leds: as3645a: Fix error return code in as3645a_parse_node() leds: ktd2692: Fix an error handling path powerpc: Offline CPU in stop_this_cpu() serial: mvebu-uart: correctly calculate minimal possible baudrate arm64: dts: marvell: armada-37xx: Fix reg for standard variant of UART vfio/pci: Handle concurrent vma faults mm/huge_memory.c: don't discard hugepage if other processes are mapping it selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really random perf llvm: Return -ENOMEM when asprintf() fails mmc: block: Disable CMDQ on the ioctl path mmc: vub3000: fix control-request direction drm/mxsfb: Don't select DRM_KMS_FB_HELPER drm/zte: Don't select DRM_KMS_FB_HELPER drm/amd/amdgpu/sriov disable all ip hw status by default net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() drm/amd/display: fix use_max_lb flag for 420 pixel formats hugetlb: clear huge pte during flush function on mips platform atm: iphase: fix possible use-after-free in ia_module_exit() mISDN: fix possible use-after-free in HFC_cleanup() atm: nicstar: Fix possible use-after-free in nicstar_cleanup() net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT reiserfs: add check for invalid 1st journal block drm/virtio: Fix double free on probe failure udf: Fix NULL pointer dereference in udf_symlink function e100: handle eeprom as little endian clk: renesas: r8a77995: Add ZA2 clock clk: tegra: Ensure that PLLU configuration is applied properly ipv6: use prandom_u32() for ID generation RDMA/cxgb4: Fix missing error code in create_qp() dm space maps: don't reset space map allocation cursor when committing pinctrl: mcp23s08: fix race condition in irq handler ice: set the value of global config lock timeout longer virtio_net: Remove BUG() to avoid machine dead net: bcmgenet: check return value after calling platform_get_resource() net: mvpp2: check return value after calling platform_get_resource() net: micrel: check return value after calling platform_get_resource() fjes: check return value after calling platform_get_resource() selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC xfrm: Fix error reporting in xfrm_state_construct. wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP wl1251: Fix possible buffer overflow in wl1251_cmd_scan cw1200: add missing MODULE_DEVICE_TABLE net: fix mistake path for netdev_features_strings rtl8xxxu: Fix device info for RTL8192EU devices MIPS: add PMD table accounting into MIPS'pmd_alloc_one atm: nicstar: use 'dma_free_coherent' instead of 'kfree' atm: nicstar: register the interrupt handler in the right place vsock: notify server to shutdown when client has pending signal RDMA/rxe: Don't overwrite errno from ib_umem_get() iwlwifi: mvm: don't change band on bound PHY contexts iwlwifi: pcie: free IML DMA memory allocation sfc: avoid double pci_remove of VFs sfc: error code if SRIOV cannot be disabled wireless: wext-spy: Fix out-of-bounds warning media, bpf: Do not copy more entries than user space requested net: ip: avoid OOM kills with large UDP sends over loopback RDMA/cma: Fix rdma_resolve_route() memory leak Bluetooth: Fix the HCI to MGMT status conversion table Bluetooth: Shutdown controller after workqueues are flushed or cancelled Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc. sctp: validate from_addr_param return sctp: add size validation when walking chunks MIPS: set mips32r5 for virt extensions fscrypt: don't ignore minor_hash when hash is 0 bdi: Do not use freezable workqueue serial: mvebu-uart: clarify the baud rate derivation serial: mvebu-uart: fix calculation of clock divisor fuse: reject internal errno powerpc/barrier: Avoid collision with clang's __lwsync macro usb: gadget: f_fs: Fix setting of device and driver data cross-references drm/radeon: Add the missed drm_gem_object_put() in radeon_user_framebuffer_create() drm/amd/display: fix incorrrect valid irq check pinctrl/amd: Add device HID for new AMD GPIO controller drm/msm/mdp4: Fix modifier support enabling mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode mmc: core: clear flags before allowing to retune mmc: core: Allow UHS-I voltage switch for SDSC cards if supported ata: ahci_sunxi: Disable DIPM cpu/hotplug: Cure the cpusets trainwreck clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround ASoC: tegra: Set driver_name=tegra for all machine drivers qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute ipmi/watchdog: Stop watchdog timer when the current action is 'none' power: supply: ab8500: Fix an old bug seq_buf: Fix overflow in seq_buf_putmem_hex() tracing: Simplify & fix saved_tgids logic tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer() dm btree remove: assign new_root only when removal succeeds PCI: Leave Apple Thunderbolt controllers on for s2idle or standby PCI: aardvark: Fix checking for PIO Non-posted Request media: subdev: disallow ioctl for saa6588/davinci media: dtv5100: fix control-request directions media: zr364xx: fix memory leak in zr364xx_start_readpipe media: gspca/sq905: fix control-request direction media: gspca/sunplus: fix zero-length control requests media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq() jfs: fix GPF in diFree smackfs: restrict bytes count in smk_set_cipso() KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run() scsi: core: Fix bad pointer dereference when ehandler kthread is invalid tracing: Do not reference char * as a string in histograms PCI: aardvark: Don't rely on jiffies while holding spinlock PCI: aardvark: Fix kernel panic during PIO transfer tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero misc/libmasm/module: Fix two use after free in ibmasm_init_one Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" w1: ds2438: fixing bug that would always get page0 scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs scsi: core: Cap scsi_host cmd_per_lun at can_queue ALSA: ac97: fix PM reference leak in ac97_bus_remove() tty: serial: 8250: serial_cs: Fix a memory leak in error handling path scsi: scsi_dh_alua: Check for negative result value fs/jfs: Fix missing error code in lmLogInit() scsi: iscsi: Add iscsi_cls_conn refcount helpers scsi: iscsi: Fix conn use after free during resets scsi: iscsi: Fix shost->max_id use scsi: qedi: Fix null ref during abort handling mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE s390/sclp_vt220: fix console name to match device selftests: timers: rtcpie: skip test if default RTC device does not exist ALSA: sb: Fix potential double-free of CSP mixer elements powerpc/ps3: Add dma_mask to ps3_dma_region gpio: zynq: Check return value of pm_runtime_get_sync ALSA: ppc: fix error return code in snd_pmac_probe() selftests/powerpc: Fix "no_handler" EBB selftest gpio: pca953x: Add support for the On Semi pca9655 ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing() Input: hideep - fix the uninitialized use in hideep_nvm_unlock() ALSA: bebob: add support for ToneWeal FW66 usb: gadget: f_hid: fix endianness issue with descriptors usb: gadget: hid: fix error return code in hid_bind() powerpc/boot: Fixup device-tree on little endian backlight: lm3630a: Fix return code of .update_status() callback ALSA: hda: Add IRQ check for platform_get_irq() staging: rtl8723bs: fix macro value for 2.4Ghz only device intel_th: Wait until port is in reset before programming it i2c: core: Disable client irq on reboot/shutdown lib/decompress_unlz4.c: correctly handle zero-padding around initrds. pwm: spear: Don't modify HW state in .remove callback power: supply: ab8500: Avoid NULL pointers power: supply: max17042: Do not enforce (incorrect) interrupt trigger type power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1 watchdog: Fix possible use-after-free in wdt_startup() watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() watchdog: Fix possible use-after-free by calling del_timer_sync() watchdog: iTCO_wdt: Account for rebooting on second timeout x86/fpu: Return proper error codes from user access functions PCI: tegra: Add missing MODULE_DEVICE_TABLE orangefs: fix orangefs df output. ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty NFS: nfs_find_open_context() may only select open files power: supply: charger-manager: add missing MODULE_DEVICE_TABLE power: supply: ab8500: add missing MODULE_DEVICE_TABLE pwm: tegra: Don't modify HW state in .remove callback ACPI: AMBA: Fix resource name in /proc/iomem ACPI: video: Add quirk for the Dell Vostro 3350 virtio-blk: Fix memory leak among suspend/resume procedure virtio_net: Fix error handling in virtnet_restore() virtio_console: Assure used length from device is limited f2fs: add MODULE_SOFTDEP to ensure crc32 is included in the initramfs PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun power: supply: rt5033_battery: Fix device tree enumeration NFSv4: Initialise connection to the server in nfs4_alloc_client() um: fix error return code in slip_open() um: fix error return code in winch_tramp() watchdog: aspeed: fix hardware timeout calculation nfs: fix acl memory leak of posix_acl_create() ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode PCI: iproc: Fix multi-MSI base vector number allocation PCI: iproc: Support multi-MSI only on uniprocessor kernel x86/fpu: Limit xstate copy size in xstateregs_set() virtio_net: move tx vq operation under tx queue lock ALSA: isa: Fix error return code in snd_cmi8330_probe() NFSv4/pNFS: Don't call _nfs4_pnfs_v3_ds_connect multiple times hexagon: use common DISCARDS macro reset: a10sr: add missing of_match_table reference ARM: dts: exynos: fix PWM LED max brightness on Odroid XU/XU3 ARM: dts: exynos: fix PWM LED max brightness on Odroid HC1 ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 memory: atmel-ebi: add missing of_node_put for loop iteration rtc: fix snprintf() checking in is_rtc_hctosys() arm64: dts: renesas: v3msk: Fix memory size ARM: dts: r8a7779, marzen: Fix DU clock names ARM: dts: BCM5301X: Fixup SPI binding reset: bail if try_module_get() fails memory: fsl_ifc: fix leak of IO mapping on probe failure memory: fsl_ifc: fix leak of private memory on probe failure ARM: dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema ARM: dts: am437x: align ti,pindir-d0-out-d1-in property with dt-shema ARM: dts: imx6q-dhcom: Fix ethernet reset time properties ARM: dts: imx6q-dhcom: Fix ethernet plugin detection problems ARM: dts: imx6q-dhcom: Add gpios pinctrl for i2c bus recovery scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() mips: always link byteswap helpers into decompressor mips: disable branch profiling in boot/decompress.o MIPS: vdso: Invalid GIC access through VDSO net: bridge: multicast: fix PIM hello router port marking race scsi: scsi_dh_alua: Fix signedness bug in alua_rtpg() seq_file: disallow extremely large seq buffer allocations Linux 4.19.198 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iaa8a95c4d30ca85021bae6c60b4818038797e04e |
||
Longpeng(Mike)
|
0ea3919ffd |
vsock: notify server to shutdown when client has pending signal
[ Upstream commit c7ff9cff70601ea19245d997bb977344663434c7 ] The client's sk_state will be set to TCP_ESTABLISHED if the server replay the client's connect request. However, if the client has pending signal, its sk_state will be set to TCP_CLOSE without notify the server, so the server will hold the corrupt connection. client server 1. sk_state=TCP_SYN_SENT | 2. call ->connect() | 3. wait reply | | 4. sk_state=TCP_ESTABLISHED | 5. insert to connected list | 6. reply to the client 7. sk_state=TCP_ESTABLISHED | 8. insert to connected list | 9. *signal pending* <--------------------- the user kill client 10. sk_state=TCP_CLOSE | client is exiting... | 11. call ->release() | virtio_transport_close if (!(sk->sk_state == TCP_ESTABLISHED || sk->sk_state == TCP_CLOSING)) return true; *return at here, the server cannot notice the connection is corrupt* So the client should notify the peer in this case. Cc: David S. Miller <davem@davemloft.net> Cc: Jakub Kicinski <kuba@kernel.org> Cc: Jorgen Hansen <jhansen@vmware.com> Cc: Norbert Slusarek <nslusarek@gmx.net> Cc: Andra Paraschiv <andraprs@amazon.com> Cc: Colin Ian King <colin.king@canonical.com> Cc: David Brazdil <dbrazdil@google.com> Cc: Alexander Popov <alex.popov@linux.com> Suggested-by: Stefano Garzarella <sgarzare@redhat.com> Link: https://lkml.org/lkml/2021/5/17/418 Signed-off-by: lixianming <lixianming5@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
011b73c995 |
This is the 4.19.191 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmCoybcACgkQONu9yGCS aT7dBQ//ZniOtxGdujpsPI6Fs7ET0E9K9Pa6hfxneiffPEgEtfA3ab9g7Y88fb9m vzXCpghzPmqk5Fd/+qDeIFxTaEQ1OoUWdx8uXF56XXh5NqTPLJ/gqmgcIqAnPrVq HefKZg3RiOLC4dT0LqALeqDF0dFrXEw+iOnlctXcjOjX6CSUtiLeyTIS5pytv1Ap rMlAkwfYuyBXs8almb6gb+JbemljgvLB9uB0RNG1YxXN5b/y6LqfDdpJIQCaWGxZ p+EYIbCp1NporUTpbWUJWaMD7krMpNhdeOMlkP4fUYmCYkFXqn1CSWVEYZjTDuah HFr57qshm7EMpjBofDCBhjCsphmcFnzkIKON8kH3HXYCb3HNYVo7rWkXg4KRS5XH kUFPmvgSmLi8Ad4dMc/xBBShB/fYaT1Ij1UB0iyKl4R/MDJ+gf6tjKQsFfK5Losr pyXEPyOWmXyWCgMUilWd2nnhkxfrBtXkxlbR1XlXfZ3Sn6GJANN7/Of2mmXFQB1E YBnL+H3bQSkdoZnoGQCktxs+hj74cG167/zSRNC/dFmBhuAmmDZXiR0ai020iyNw Grzv55owpby0HBpJXSWMBYUvV+2PfhZ69JjHc/bfoPUkeMgtW+oeDY2R5rk/enmW 0aNOycvMQujU7IzBdg8TaqHH6rIRSoFowcUXLLAwzoMt0AcE1c4= =V0VA -----END PGP SIGNATURE----- Merge 4.19.191 into android-4.19-stable Changes in 4.19.191 s390/disassembler: increase ebpf disasm buffer size ACPI: custom_method: fix potential use-after-free issue ACPI: custom_method: fix a possible memory leak ftrace: Handle commands when closing set_ftrace_filter file ARM: 9056/1: decompressor: fix BSS size calculation for LLVM ld.lld arm64: dts: marvell: armada-37xx: add syscon compatible to NB clk node arm64: dts: mt8173: fix property typo of 'phys' in dsi node ecryptfs: fix kernel panic with null dev_name mtd: spinand: core: add missing MODULE_DEVICE_TABLE() mtd: rawnand: atmel: Update ecc_stats.corrected counter spi: spi-ti-qspi: Free DMA resources scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers mmc: block: Update ext_csd.cache_ctrl if it was written mmc: block: Issue a cache flush only when it's enabled mmc: core: Do a power cycle when the CMD11 fails mmc: core: Set read only for SD cards with permanent write protect bit erofs: add unsupported inode i_format check cifs: Return correct error code from smb2_get_enc_key btrfs: fix metadata extent leak after failure to create subvolume intel_th: pci: Add Rocket Lake CPU support fbdev: zero-fill colormap in fbcmap.c staging: wimax/i2400m: fix byte-order issue crypto: api - check for ERR pointers in crypto_destroy_tfm() usb: gadget: uvc: add bInterval checking for HS mode genirq/matrix: Prevent allocation counter corruption usb: gadget: f_uac1: validate input parameters usb: dwc3: gadget: Ignore EP queue requests during bus reset usb: xhci: Fix port minor revision PCI: PM: Do not read power state in pci_enable_device_flags() x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS) tee: optee: do not check memref size on return from Secure World perf/arm_pmu_platform: Fix error handling usb: xhci-mtk: support quirk to disable usb2 lpm xhci: check control context is valid before dereferencing it. xhci: fix potential array out of bounds with several interrupters spi: dln2: Fix reference leak to master spi: omap-100k: Fix reference leak to master intel_th: Consistency and off-by-one fix phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe scsi: lpfc: Fix pt2pt connection does not recover after LOGO scsi: target: pscsi: Fix warning in pscsi_complete_cmd() media: ite-cir: check for receive overflow media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB power: supply: bq27xxx: fix power_avg for newer ICs extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged media: media/saa7164: fix saa7164_encoder_register() memory leak bugs media: gspca/sq905.c: fix uninitialized variable power: supply: Use IRQF_ONESHOT drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() scsi: qla2xxx: Fix use after free in bsg scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg() media: em28xx: fix memory leak media: vivid: update EDID clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() media: tc358743: fix possible use-after-free in tc358743_remove() media: adv7604: fix possible use-after-free in adv76xx_remove() media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() media: i2c: adv7842: fix possible use-after-free in adv7842_remove() media: dvb-usb: fix memory leak in dvb_usb_adapter_init media: gscpa/stv06xx: fix memory leak drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal amdgpu: avoid incorrect %hu format string drm/amdgpu: fix NULL pointer dereference scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic scsi: libfc: Fix a format specifier s390/archrandom: add parameter check for s390_arch_random_generate ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer ALSA: hda/conexant: Re-order CX5066 quirk table entries ALSA: sb: Fix two use after free in snd_sb_qsound_build ALSA: usb-audio: Explicitly set up the clock selector ALSA: usb-audio: More constifications ALSA: usb-audio: Add dB range mapping for Sennheiser Communications Headset PC 8 ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx btrfs: fix race when picking most recent mod log operation for an old root arm64/vdso: Discard .note.gnu.property sections in vDSO ubifs: Only check replay with inode type to judge if inode linked f2fs: fix to avoid out-of-bounds memory access mlxsw: spectrum_mr: Update egress RIF list before route's action openvswitch: fix stack OOB read while fragmenting IPv4 packets ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure NFS: Don't discard pNFS layout segments that are marked for return NFSv4: Don't discard segments marked for return in _pnfs_return_layout() jffs2: Fix kasan slab-out-of-bounds problem powerpc/eeh: Fix EEH handling for hugepages in ioremap space. powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h intel_th: pci: Add Alder Lake-M support tpm: vtpm_proxy: Avoid reading host log when using a virtual device md/raid1: properly indicate failure when ending a failed write request dm raid: fix inconclusive reshape layout on fast raid4/5/6 table reload sequences security: commoncap: fix -Wstringop-overread warning Fix misc new gcc warnings jffs2: check the validity of dstlen in jffs2_zlib_compress() Revert |
||
Stefano Garzarella
|
dae0929f31 |
vsock/vmci: log once the failed queue pair allocation
[ Upstream commit e16edc99d658cd41c60a44cc14d170697aa3271f ]
VMCI feature is not supported in conjunction with the vSphere Fault
Tolerance (FT) feature.
VMware Tools can repeatedly try to create a vsock connection. If FT is
enabled the kernel logs is flooded with the following messages:
qp_alloc_hypercall result = -20
Could not attach to queue pair with -20
"qp_alloc_hypercall result = -20" was hidden by commit e8266c4c3307
("VMCI: Stop log spew when qp allocation isn't possible"), but "Could
not attach to queue pair with -20" is still there flooding the log.
Since the error message can be useful in some cases, print it only once.
Fixes:
|
||
Greg Kroah-Hartman
|
8c62f42548 |
This is the 4.19.185 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBtjk0ACgkQONu9yGCS aT67fA//b+kjELShGiGxLBK+dWFXnYn8tLJJ6G1Bq2WvBiMxSkbXgG5tCqJKAk0t yhva5Ljo7eAJ9GEQnv/UL3qnsrW4r6ThT3u0Ort2YxBi3pw2U8PyU7pRTFSnGj/C QxtGvXfh5DIsxOWppbUz5X8jWABTrYXmMEe7WCONVFTLWwHuhV4RRPycvis8wY4w 1NtGx5KVJR1EYANXHrhKsI4J9dCAXg+K9I6PyWkHDEzCgXrwdticMNOVYgZ5ByTN ofkmBX+j/AL2veXTV8sAOA/H9SQ0pJStzy99IoZQ/IzFAKqCuh+JhkMvnDQYhfx1 eDwTFG7Dl6pCbyCsb2iGXzJioTuk5LGXw7+uqVXO1YRUNpekl7x97rhn/q6PoEof OImU1+MOBPhVZVA0yYYQf6URCxh7F/s7MsbenmxZbIF9tstZC7HoezqzdFg4YF/I pKqlIBxSes+fJCZb1LiQI2KkaNtD0i/KJljGduCkPF4Axgb2/KEmePDyIeB8hr12 nT++9BIkIFM4d19IgtBnWrOIuALx15WeEQKXzbUxl9nt2peh7K6HvjcXJUOxJz2W qsdHnjGE1v6atKHD4DiDRAnliD9cJ41ImP3S8WHH1UxWNOMQ/dTlBAY7Z+XC/4eo 8+6gqAE8MHKvP62yd4zsuWXkhnUeryRtL8AGBvVxkTFa/mtaKAU= =rqGc -----END PGP SIGNATURE----- Merge 4.19.185 into android-4.19-stable Changes in 4.19.185 selinux: vsock: Set SID for socket returned by accept() tcp: relookup sock for RST+ACK packets handled by obsolete req sock ipv6: weaken the v4mapped source check ext4: fix bh ref count on error paths rpc: fix NULL dereference on kmalloc failure ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe ASoC: es8316: Simplify adc_pga_gain_tlv table ASoC: cs42l42: Fix Bitclock polarity inversion ASoC: cs42l42: Fix channel width support ASoC: cs42l42: Fix mixer volume control ASoC: cs42l42: Always wait at least 3ms after reset vhost: Fix vhost_vq_reset() scsi: st: Fix a use after free in st_open() scsi: qla2xxx: Fix broken #endif placement staging: comedi: cb_pcidas: fix request_irq() warn staging: comedi: cb_pcidas64: fix request_irq() warn ASoC: rt5659: Update MCLK rate in set_sysclk() thermal/core: Add NULL pointer check before using cooling device stats locking/ww_mutex: Simplify use_ww_ctx & ww_ctx handling ext4: do not iput inode under running transaction in ext4_rename() brcmfmac: clear EAP/association status bits on linkdown events ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() net: ethernet: aquantia: Handle error cleanup of start on open appletalk: Fix skb allocation size in loopback case net: wan/lmc: unregister device when no matching device is found bpf: Remove MTU check in __bpf_skb_max_len ALSA: usb-audio: Apply sample rate quirk to Logitech Connect ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook PM: runtime: Fix race getting/putting suppliers at probe PM: runtime: Fix ordering in pm_runtime_get_suppliers() tracing: Fix stack trace event size mm: fix race by making init_zero_pfn() early_initcall drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() drm/amdgpu: check alignment on CPU page for bo map reiserfs: update reiserfs_xattrs_initialized() condition pinctrl: rockchip: fix restore error in resume extcon: Add stubs for extcon_register_notifier_all() functions extcon: Fix error handling in extcon_dev_register firewire: nosy: Fix a use-after-free bug in nosy_ioctl() usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem usb: musb: Fix suspend with devices connected for a64 usb: xhci-mtk: fix broken streams issue on 0.96 xHCI cdc-acm: fix BREAK rx code path adding necessary calls USB: cdc-acm: untangle a circular dependency between callback and softint USB: cdc-acm: downgrade message to debug USB: cdc-acm: fix double free on probe failure USB: cdc-acm: fix use-after-free after probe failure usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board. staging: rtl8192e: Fix incorrect source in memcpy() staging: rtl8192e: Change state information from u16 to u8 drivers: video: fbcon: fix NULL dereference in fbcon_cursor() Linux 4.19.185 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I65f4fd7d1b60193895371093882ab33943d22e7c |
||
David Brazdil
|
9539977384 |
selinux: vsock: Set SID for socket returned by accept()
[ Upstream commit 1f935e8e72ec28dddb2dc0650b3b6626a293d94b ]
For AF_VSOCK, accept() currently returns sockets that are unlabelled.
Other socket families derive the child's SID from the SID of the parent
and the SID of the incoming packet. This is typically done as the
connected socket is placed in the queue that accept() removes from.
Reuse the existing 'security_sk_clone' hook to copy the SID from the
parent (server) socket to the child. There is no packet SID in this
case.
Fixes:
|
||
Ram Muthiah
|
ec2be24ab7 |
ANDROID: Make vsock virtio packet buff size configurable
When the android virtual device stays up for long periods of time, the SLAB sustains everincreasing fragmentation. Contributing to this fragmentation are the virtio packet buffer allocations which are a drain on 64Kb compound pages. Eventually these can't be allocated due to fragmentation. To enable successful allocations for this packet buffer, the packet buffer's size needs to be reduced. To enable a reduction without impacting other partners, this var is being exposed as a command line param. Bug: 149494272 Test: atest ManagedProfileLifecycleStressTest#testCreateStartDelete on local cuttlefish device Signed-off-by: Ram Muthiah <rammuthiah@google.com> Change-Id: Ia4f9180025b64d61d9e2b882daa84460b8f08fd2 |
||
Stefano Garzarella
|
b3c91763e2 |
vsock: fix locking in vsock_shutdown()
commit 1c5fae9c9a092574398a17facc31c533791ef232 upstream.
In vsock_shutdown() we touched some socket fields without holding the
socket lock, such as 'state' and 'sk_flags'.
Also, after the introduction of multi-transport, we are accessing
'vsk->transport' in vsock_send_shutdown() without holding the lock
and this call can be made while the connection is in progress, so
the transport can change in the meantime.
To avoid issues, we hold the socket lock when we enter in
vsock_shutdown() and release it when we leave.
Among the transports that implement the 'shutdown' callback, only
hyperv_transport acquired the lock. Since the caller now holds it,
we no longer take it.
Fixes:
|
||
Stefano Garzarella
|
afb1f8a1ea |
vsock/virtio: update credit only if socket is not closed
commit ce7536bc7398e2ae552d2fabb7e0e371a9f1fe46 upstream.
If the socket is closed or is being released, some resources used by
virtio_transport_space_update() such as 'vsk->trans' may be released.
To avoid a use after free bug we should only update the available credit
when we are sure the socket is still open and we have the lock held.
Fixes:
|
||
Norbert Slusarek
|
52862c2fe8 |
net/vmw_vsock: improve locking in vsock_connect_timeout()
commit 3d0bc44d39bca615b72637e340317b7899b7f911 upstream.
A possible locking issue in vsock_connect_timeout() was recognized by
Eric Dumazet which might cause a null pointer dereference in
vsock_transport_cancel_pkt(). This patch assures that
vsock_transport_cancel_pkt() will be called within the lock, so a race
condition won't occur which could result in vsk->transport to be set to NULL.
Fixes:
|
||
Jeff Vander Stoep
|
1aa82721dd |
vsock: use ns_capable_noaudit() on socket create
[ Upstream commit af545bb5ee53f5261db631db2ac4cde54038bdaf ] During __vsock_create() CAP_NET_ADMIN is used to determine if the vsock_sock->trusted should be set to true. This value is used later for determing if a remote connection should be allowed to connect to a restricted VM. Unfortunately, if the caller doesn't have CAP_NET_ADMIN, an audit message such as an selinux denial is generated even if the caller does not want a trusted socket. Logging errors on success is confusing. To avoid this, switch the capable(CAP_NET_ADMIN) check to the noaudit version. Reported-by: Roman Kiryanov <rkir@google.com> https://android-review.googlesource.com/c/device/generic/goldfish/+/1468545/ Signed-off-by: Jeff Vander Stoep <jeffv@google.com> Reviewed-by: James Morris <jamorris@linux.microsoft.com> Link: https://lore.kernel.org/r/20201023143757.377574-1-jeffv@google.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Sebastien Boeuf
|
7f2acd64ac |
net: virtio_vsock: Enhance connection semantics
[ Upstream commit df12eb6d6cd920ab2f0e0a43cd6e1c23a05cea91 ] Whenever the vsock backend on the host sends a packet through the RX queue, it expects an answer on the TX queue. Unfortunately, there is one case where the host side will hang waiting for the answer and might effectively never recover if no timeout mechanism was implemented. This issue happens when the guest side starts binding to the socket, which insert a new bound socket into the list of already bound sockets. At this time, we expect the guest to also start listening, which will trigger the sk_state to move from TCP_CLOSE to TCP_LISTEN. The problem occurs if the host side queued a RX packet and triggered an interrupt right between the end of the binding process and the beginning of the listening process. In this specific case, the function processing the packet virtio_transport_recv_pkt() will find a bound socket, which means it will hit the switch statement checking for the sk_state, but the state won't be changed into TCP_LISTEN yet, which leads the code to pick the default statement. This default statement will only free the buffer, while it should also respond to the host side, by sending a packet on its TX queue. In order to simply fix this unfortunate chain of events, it is important that in case the default statement is entered, and because at this stage we know the host side is waiting for an answer, we must send back a packet containing the operation VIRTIO_VSOCK_OP_RST. One could say that a proper timeout mechanism on the host side will be enough to avoid the backend to hang. But the point of this patch is to ensure the normal use case will be provided with proper responsiveness when it comes to establishing the connection. Signed-off-by: Sebastien Boeuf <sebastien.boeuf@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stefano Garzarella
|
7c20b974aa |
vsock/virtio: add transport parameter to the virtio_transport_reset_no_sock()
[ Upstream commit 4c7246dc45e2706770d5233f7ce1597a07e069ba ] We are going to add 'struct vsock_sock *' parameter to virtio_transport_get_ops(). In some cases, like in the virtio_transport_reset_no_sock(), we don't have any socket assigned to the packet received, so we can't use the virtio_transport_get_ops(). In order to allow virtio_transport_reset_no_sock() to use the '.send_pkt' callback from the 'vhost_transport' or 'virtio_transport', we add the 'struct virtio_transport *' to it and to its caller: virtio_transport_recv_pkt(). We moved the 'vhost_transport' and 'virtio_transport' definition, to pass their address to the virtio_transport_recv_pkt(). Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stefano Garzarella
|
6a5a7a88cc |
vsock/virtio: stop workers during the .remove()
[ Upstream commit 17dd1367389cfe7f150790c83247b68e0c19d106 ] Before to call vdev->config->reset(vdev) we need to be sure that no one is accessing the device, for this reason, we add new variables in the struct virtio_vsock to stop the workers during the .remove(). This patch also add few comments before vdev->config->reset(vdev) and vdev->config->del_vqs(vdev). Suggested-by: Stefan Hajnoczi <stefanha@redhat.com> Suggested-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stefano Garzarella
|
1fa81b7cad |
vsock/virtio: use RCU to avoid use-after-free on the_virtio_vsock
[ Upstream commit 9c7a5582f5d720dc35cfcc42ccaded69f0642e4a ] Some callbacks used by the upper layers can run while we are in the .remove(). A potential use-after-free can happen, because we free the_virtio_vsock without knowing if the callbacks are over or not. To solve this issue we move the assignment of the_virtio_vsock at the end of .probe(), when we finished all the initialization, and at the beginning of .remove(), before to release resources. For the same reason, we do the same also for the vdev->priv. We use RCU to be sure that all callbacks that use the_virtio_vsock ended before freeing it. This is not required for callbacks that use vdev->priv, because after the vdev->config->del_vqs() we are sure that they are ended and will no longer be invoked. We also take the mutex during the .remove() to avoid that .probe() can run while we are resetting the device. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stefano Garzarella
|
630be67afc |
vsock: fix timeout in vsock_accept()
[ Upstream commit 7e0afbdfd13d1e708fe96e31c46c4897101a6a43 ]
The accept(2) is an "input" socket interface, so we should use
SO_RCVTIMEO instead of SO_SNDTIMEO to set the timeout.
So this patch replace sock_sndtimeo() with sock_rcvtimeo() to
use the right timeout in the vsock_accept().
Fixes:
|
||
Sunil Muthuswamy
|
9a7f8a176a |
hv_sock: Remove the accept port restriction
[ Upstream commit c742c59e1fbd022b64d91aa9a0092b3a699d653c ] Currently, hv_sock restricts the port the guest socket can accept connections on. hv_sock divides the socket port namespace into two parts for server side (listening socket), 0-0x7FFFFFFF & 0x80000000-0xFFFFFFFF (there are no restrictions on client port namespace). The first part (0-0x7FFFFFFF) is reserved for sockets where connections can be accepted. The second part (0x80000000-0xFFFFFFFF) is reserved for allocating ports for the peer (host) socket, once a connection is accepted. This reservation of the port namespace is specific to hv_sock and not known by the generic vsock library (ex: af_vsock). This is problematic because auto-binds/ephemeral ports are handled by the generic vsock library and it has no knowledge of this port reservation and could allocate a port that is not compatible with hv_sock (and legitimately so). The issue hasn't surfaced so far because the auto-bind code of vsock (__vsock_bind_stream) prior to the change 'VSOCK: bind to random port for VMADDR_PORT_ANY' would start walking up from LAST_RESERVED_PORT (1023) and start assigning ports. That will take a large number of iterations to hit 0x7FFFFFFF. But, after the above change to randomize port selection, the issue has started coming up more frequently. There has really been no good reason to have this port reservation logic in hv_sock from the get go. Reserving a local port for peer ports is not how things are handled generally. Peer ports should reflect the peer port. This fixes the issue by lifting the port reservation, and also returns the right peer port. Since the code converts the GUID to the peer port (by using the first 4 bytes), there is a possibility of conflicts, but that seems like a reasonable risk to take, given this is limited to vsock and that only applies to all local sockets. Signed-off-by: Sunil Muthuswamy <sunilmut@microsoft.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Lepton Wu
|
7e976ccc4f |
VSOCK: bind to random port for VMADDR_PORT_ANY
[ Upstream commit 8236b08cf50f85bbfaf48910a0b3ee68318b7c4b ] The old code always starts from fixed port for VMADDR_PORT_ANY. Sometimes when VMM crashed, there is still orphaned vsock which is waiting for close timer, then it could cause connection time out for new started VM if they are trying to connect to same port with same guest cid since the new packets could hit that orphaned vsock. We could also fix this by doing more in vhost_vsock_reset_orphans, but any way, it should be better to start from a random local port instead of a fixed one. Signed-off-by: Lepton Wu <ytht.net@gmail.com> Reviewed-by: Jorgen Hansen <jhansen@vmware.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stefano Garzarella
|
70d594d17e |
vhost/vsock: split packets to send using multiple buffers
commit 6dbd3e66e7785a2f055bf84d98de9b8fd31ff3f5 upstream. If the packets to sent to the guest are bigger than the buffer available, we can split them, using multiple buffers and fixing the length in the packet header. This is safe since virtio-vsock supports only stream sockets. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Acked-by: Michael S. Tsirkin <mst@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Stefano Garzarella
|
e238e05ec2 |
vsock/virtio: fix sock refcnt holding during the shutdown
[ Upstream commit ad8a7220355d39cddce8eac1cea9677333e8b821 ] The "42f5cda5eaf4" commit rightly set SOCK_DONE on peer shutdown, but there is an issue if we receive the SHUTDOWN(RDWR) while the virtio_transport_close_timeout() is scheduled. In this case, when the timeout fires, the SOCK_DONE is already set and the virtio_transport_close_timeout() will not call virtio_transport_reset() and virtio_transport_do_close(). This causes that both sockets remain open and will never be released, preventing the unloading of [virtio|vhost]_transport modules. This patch fixes this issue, calling virtio_transport_reset() and virtio_transport_do_close() when we receive the SHUTDOWN(RDWR) and there is nothing left to read. Fixes: 42f5cda5eaf4 ("vsock/virtio: set SOCK_DONE on peer shutdown") Cc: Stephen Barber <smbarber@chromium.org> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
eaf548feaa |
net: use skb_queue_empty_lockless() in poll() handlers
[ Upstream commit 3ef7cf57c72f32f61e97f8fa401bc39ea1f1a5d4 ] Many poll() handlers are lockless. Using skb_queue_empty_lockless() instead of skb_queue_empty() is more appropriate. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Dexuan Cui
|
3c1f070440 |
vsock: Fix a lockdep warning in __vsock_release()
[ Upstream commit 0d9138ffac24cf8b75366ede3a68c951e6dcc575 ] Lockdep is unhappy if two locks from the same class are held. Fix the below warning for hyperv and virtio sockets (vmci socket code doesn't have the issue) by using lock_sock_nested() when __vsock_release() is called recursively: ============================================ WARNING: possible recursive locking detected 5.3.0+ #1 Not tainted -------------------------------------------- server/1795 is trying to acquire lock: ffff8880c5158990 (sk_lock-AF_VSOCK){+.+.}, at: hvs_release+0x10/0x120 [hv_sock] but task is already holding lock: ffff8880c5158150 (sk_lock-AF_VSOCK){+.+.}, at: __vsock_release+0x2e/0xf0 [vsock] other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(sk_lock-AF_VSOCK); lock(sk_lock-AF_VSOCK); *** DEADLOCK *** May be due to missing lock nesting notation 2 locks held by server/1795: #0: ffff8880c5d05ff8 (&sb->s_type->i_mutex_key#10){+.+.}, at: __sock_release+0x2d/0xa0 #1: ffff8880c5158150 (sk_lock-AF_VSOCK){+.+.}, at: __vsock_release+0x2e/0xf0 [vsock] stack backtrace: CPU: 5 PID: 1795 Comm: server Not tainted 5.3.0+ #1 Call Trace: dump_stack+0x67/0x90 __lock_acquire.cold.67+0xd2/0x20b lock_acquire+0xb5/0x1c0 lock_sock_nested+0x6d/0x90 hvs_release+0x10/0x120 [hv_sock] __vsock_release+0x24/0xf0 [vsock] __vsock_release+0xa0/0xf0 [vsock] vsock_release+0x12/0x30 [vsock] __sock_release+0x37/0xa0 sock_close+0x14/0x20 __fput+0xc1/0x250 task_work_run+0x98/0xc0 do_exit+0x344/0xc60 do_group_exit+0x47/0xb0 get_signal+0x15c/0xc50 do_signal+0x30/0x720 exit_to_usermode_loop+0x50/0xa0 do_syscall_64+0x24e/0x270 entry_SYSCALL_64_after_hwframe+0x49/0xbe RIP: 0033:0x7f4184e85f31 Tested-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: Dexuan Cui <decui@microsoft.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Dexuan Cui
|
91a71a61da |
hv_sock: Fix hang when a connection is closed
[ Upstream commit 685703b497bacea8765bb409d6b73455b73c540e ] There is a race condition for an established connection that is being closed by the guest: the refcnt is 4 at the end of hvs_release() (Note: here the 'remove_sock' is false): 1 for the initial value; 1 for the sk being in the bound list; 1 for the sk being in the connected list; 1 for the delayed close_work. After hvs_release() finishes, __vsock_release() -> sock_put(sk) *may* decrease the refcnt to 3. Concurrently, hvs_close_connection() runs in another thread: calls vsock_remove_sock() to decrease the refcnt by 2; call sock_put() to decrease the refcnt to 0, and free the sk; next, the "release_sock(sk)" may hang due to use-after-free. In the above, after hvs_release() finishes, if hvs_close_connection() runs faster than "__vsock_release() -> sock_put(sk)", then there is not any issue, because at the beginning of hvs_close_connection(), the refcnt is still 4. The issue can be resolved if an extra reference is taken when the connection is established. Fixes: a9eeb998c28d ("hv_sock: Add support for delayed close") Signed-off-by: Dexuan Cui <decui@microsoft.com> Reviewed-by: Sunil Muthuswamy <sunilmut@microsoft.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Sunil Muthuswamy
|
8a474bc4e6 |
vsock: correct removal of socket from the list
commit d5afa82c977ea06f7119058fa0eb8519ea501031 upstream. The current vsock code for removal of socket from the list is both subject to race and inefficient. It takes the lock, checks whether the socket is in the list, drops the lock and if the socket was on the list, deletes it from the list. This is subject to race because as soon as the lock is dropped once it is checked for presence, that condition cannot be relied upon for any decision. It is also inefficient because if the socket is present in the list, it takes the lock twice. Signed-off-by: Sunil Muthuswamy <sunilmut@microsoft.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Sunil Muthuswamy
|
9d3586bcda |
hv_sock: Add support for delayed close
commit a9eeb998c28d5506616426bd3a216bd5735a18b8 upstream. Currently, hvsock does not implement any delayed or background close logic. Whenever the hvsock socket is closed, a FIN is sent to the peer, and the last reference to the socket is dropped, which leads to a call to .destruct where the socket can hang indefinitely waiting for the peer to close it's side. The can cause the user application to hang in the close() call. This change implements proper STREAM(TCP) closing handshake mechanism by sending the FIN to the peer and the waiting for the peer's FIN to arrive for a given timeout. On timeout, it will try to terminate the connection (i.e. a RST). This is in-line with other socket providers such as virtio. This change does not address the hang in the vmbus_hvsock_device_unregister where it waits indefinitely for the host to rescind the channel. That should be taken up as a separate fix. Signed-off-by: Sunil Muthuswamy <sunilmut@microsoft.com> Reviewed-by: Dexuan Cui <decui@microsoft.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Sunil Muthuswamy
|
49fb03de36 |
hvsock: fix epollout hang from race condition
[ Upstream commit cb359b60416701c8bed82fec79de25a144beb893 ] Currently, hvsock can enter into a state where epoll_wait on EPOLLOUT will not return even when the hvsock socket is writable, under some race condition. This can happen under the following sequence: - fd = socket(hvsocket) - fd_out = dup(fd) - fd_in = dup(fd) - start a writer thread that writes data to fd_out with a combination of epoll_wait(fd_out, EPOLLOUT) and - start a reader thread that reads data from fd_in with a combination of epoll_wait(fd_in, EPOLLIN) - On the host, there are two threads that are reading/writing data to the hvsocket stack: hvs_stream_has_space hvs_notify_poll_out vsock_poll sock_poll ep_poll Race condition: check for epollout from ep_poll(): assume no writable space in the socket hvs_stream_has_space() returns 0 check for epollin from ep_poll(): assume socket has some free space < HVS_PKT_LEN(HVS_SEND_BUF_SIZE) hvs_stream_has_space() will clear the channel pending send size host will not notify the guest because the pending send size has been cleared and so the hvsocket will never mark the socket writable Now, the EPOLLOUT will never return even if the socket write buffer is empty. The fix is to set the pending size to the default size and never change it. This way the host will always notify the guest whenever the writable space is bigger than the pending size. The host is already optimized to *only* notify the guest when the pending size threshold boundary is crossed and not everytime. This change also reduces the cpu usage somewhat since hv_stream_has_space() is in the hotpath of send: vsock_stream_sendmsg()->hv_stream_has_space() Earlier hv_stream_has_space was setting/clearing the pending size on every call. Signed-off-by: Sunil Muthuswamy <sunilmut@microsoft.com> Reviewed-by: Dexuan Cui <decui@microsoft.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stephen Barber
|
1b201b63b6 |
vsock/virtio: set SOCK_DONE on peer shutdown
[ Upstream commit 42f5cda5eaf4396a939ae9bb43bb8d1d09c1b15c ] Set the SOCK_DONE flag to match the TCP_CLOSING state when a peer has shut down and there is nothing left to read. This fixes the following bug: 1) Peer sends SHUTDOWN(RDWR). 2) Socket enters TCP_CLOSING but SOCK_DONE is not set. 3) read() returns -ENOTCONN until close() is called, then returns 0. Signed-off-by: Stephen Barber <smbarber@chromium.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Jorge E. Moreira
|
9f12f4c922 |
vsock/virtio: Initialize core virtio vsock before registering the driver
[ Upstream commit ba95e5dfd36647622d8897a2a0470dde60e59ffd ] Avoid a race in which static variables in net/vmw_vsock/af_vsock.c are accessed (while handling interrupts) before they are initialized. [ 4.201410] BUG: unable to handle kernel paging request at ffffffffffffffe8 [ 4.207829] IP: vsock_addr_equals_addr+0x3/0x20 [ 4.211379] PGD 28210067 P4D 28210067 PUD 28212067 PMD 0 [ 4.211379] Oops: 0000 [#1] PREEMPT SMP PTI [ 4.211379] Modules linked in: [ 4.211379] CPU: 1 PID: 30 Comm: kworker/1:1 Not tainted 4.14.106-419297-gd7e28cc1f241 #1 [ 4.211379] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014 [ 4.211379] Workqueue: virtio_vsock virtio_transport_rx_work [ 4.211379] task: ffffa3273d175280 task.stack: ffffaea1800e8000 [ 4.211379] RIP: 0010:vsock_addr_equals_addr+0x3/0x20 [ 4.211379] RSP: 0000:ffffaea1800ebd28 EFLAGS: 00010286 [ 4.211379] RAX: 0000000000000002 RBX: 0000000000000000 RCX: ffffffffb94e42f0 [ 4.211379] RDX: 0000000000000400 RSI: ffffffffffffffe0 RDI: ffffaea1800ebdd0 [ 4.211379] RBP: ffffaea1800ebd58 R08: 0000000000000001 R09: 0000000000000001 [ 4.211379] R10: 0000000000000000 R11: ffffffffb89d5d60 R12: ffffaea1800ebdd0 [ 4.211379] R13: 00000000828cbfbf R14: 0000000000000000 R15: ffffaea1800ebdc0 [ 4.211379] FS: 0000000000000000(0000) GS:ffffa3273fd00000(0000) knlGS:0000000000000000 [ 4.211379] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 4.211379] CR2: ffffffffffffffe8 CR3: 000000002820e001 CR4: 00000000001606e0 [ 4.211379] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 4.211379] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 4.211379] Call Trace: [ 4.211379] ? vsock_find_connected_socket+0x6c/0xe0 [ 4.211379] virtio_transport_recv_pkt+0x15f/0x740 [ 4.211379] ? detach_buf+0x1b5/0x210 [ 4.211379] virtio_transport_rx_work+0xb7/0x140 [ 4.211379] process_one_work+0x1ef/0x480 [ 4.211379] worker_thread+0x312/0x460 [ 4.211379] kthread+0x132/0x140 [ 4.211379] ? process_one_work+0x480/0x480 [ 4.211379] ? kthread_destroy_worker+0xd0/0xd0 [ 4.211379] ret_from_fork+0x35/0x40 [ 4.211379] Code: c7 47 08 00 00 00 00 66 c7 07 28 00 c7 47 08 ff ff ff ff c7 47 04 ff ff ff ff c3 0f 1f 00 66 2e 0f 1f 84 00 00 00 00 00 8b 47 08 <3b> 46 08 75 0a 8b 47 04 3b 46 04 0f 94 c0 c3 31 c0 c3 90 66 2e [ 4.211379] RIP: vsock_addr_equals_addr+0x3/0x20 RSP: ffffaea1800ebd28 [ 4.211379] CR2: ffffffffffffffe8 [ 4.211379] ---[ end trace f31cc4a2e6df3689 ]--- [ 4.211379] Kernel panic - not syncing: Fatal exception in interrupt [ 4.211379] Kernel Offset: 0x37000000 from 0xffffffff81000000 (relocation range: 0xffffffff80000000-0xffffffffbfffffff) [ 4.211379] Rebooting in 5 seconds.. Fixes: 22b5c0b63f32 ("vsock/virtio: fix kernel panic after device hot-unplug") Cc: Stefan Hajnoczi <stefanha@redhat.com> Cc: Stefano Garzarella <sgarzare@redhat.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: kvm@vger.kernel.org Cc: virtualization@lists.linux-foundation.org Cc: netdev@vger.kernel.org Cc: kernel-team@android.com Cc: stable@vger.kernel.org [4.9+] Signed-off-by: Jorge E. Moreira <jemoreira@google.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Acked-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Stefano Garzarella
|
4af8a327ae |
vsock/virtio: free packets during the socket release
[ Upstream commit ac03046ece2b158ebd204dfc4896fd9f39f0e6c8 ] When the socket is released, we should free all packets queued in the per-socket list in order to avoid a memory leak. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Adalbert Lazăr
|
8e59639791 |
vsock/virtio: fix kernel panic from virtio_transport_reset_no_sock
[ Upstream commit 4c404ce23358d5d8fbdeb7a6021a9b33d3c3c167 ] Previous to commit 22b5c0b63f32 ("vsock/virtio: fix kernel panic after device hot-unplug"), vsock_core_init() was called from virtio_vsock_probe(). Now, virtio_transport_reset_no_sock() can be called before vsock_core_init() has the chance to run. [Wed Feb 27 14:17:09 2019] BUG: unable to handle kernel NULL pointer dereference at 0000000000000110 [Wed Feb 27 14:17:09 2019] #PF error: [normal kernel read fault] [Wed Feb 27 14:17:09 2019] PGD 0 P4D 0 [Wed Feb 27 14:17:09 2019] Oops: 0000 [#1] SMP PTI [Wed Feb 27 14:17:09 2019] CPU: 3 PID: 59 Comm: kworker/3:1 Not tainted 5.0.0-rc7-390-generic-hvi #390 [Wed Feb 27 14:17:09 2019] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 [Wed Feb 27 14:17:09 2019] Workqueue: virtio_vsock virtio_transport_rx_work [vmw_vsock_virtio_transport] [Wed Feb 27 14:17:09 2019] RIP: 0010:virtio_transport_reset_no_sock+0x8c/0xc0 [vmw_vsock_virtio_transport_common] [Wed Feb 27 14:17:09 2019] Code: 35 8b 4f 14 48 8b 57 08 31 f6 44 8b 4f 10 44 8b 07 48 8d 7d c8 e8 84 f8 ff ff 48 85 c0 48 89 c3 74 2a e8 f7 31 03 00 48 89 df <48> 8b 80 10 01 00 00 e8 68 fb 69 ed 48 8b 75 f0 65 48 33 34 25 28 [Wed Feb 27 14:17:09 2019] RSP: 0018:ffffb42701ab7d40 EFLAGS: 00010282 [Wed Feb 27 14:17:09 2019] RAX: 0000000000000000 RBX: ffff9d79637ee080 RCX: 0000000000000003 [Wed Feb 27 14:17:09 2019] RDX: 0000000000000001 RSI: 0000000000000002 RDI: ffff9d79637ee080 [Wed Feb 27 14:17:09 2019] RBP: ffffb42701ab7d78 R08: ffff9d796fae70e0 R09: ffff9d796f403500 [Wed Feb 27 14:17:09 2019] R10: ffffb42701ab7d90 R11: 0000000000000000 R12: ffff9d7969d09240 [Wed Feb 27 14:17:09 2019] R13: ffff9d79624e6840 R14: ffff9d7969d09318 R15: ffff9d796d48ff80 [Wed Feb 27 14:17:09 2019] FS: 0000000000000000(0000) GS:ffff9d796fac0000(0000) knlGS:0000000000000000 [Wed Feb 27 14:17:09 2019] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [Wed Feb 27 14:17:09 2019] CR2: 0000000000000110 CR3: 0000000427f22000 CR4: 00000000000006e0 [Wed Feb 27 14:17:09 2019] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [Wed Feb 27 14:17:09 2019] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [Wed Feb 27 14:17:09 2019] Call Trace: [Wed Feb 27 14:17:09 2019] virtio_transport_recv_pkt+0x63/0x820 [vmw_vsock_virtio_transport_common] [Wed Feb 27 14:17:09 2019] ? kfree+0x17e/0x190 [Wed Feb 27 14:17:09 2019] ? detach_buf_split+0x145/0x160 [Wed Feb 27 14:17:09 2019] ? __switch_to_asm+0x40/0x70 [Wed Feb 27 14:17:09 2019] virtio_transport_rx_work+0xa0/0x106 [vmw_vsock_virtio_transport] [Wed Feb 27 14:17:09 2019] NET: Registered protocol family 40 [Wed Feb 27 14:17:09 2019] process_one_work+0x167/0x410 [Wed Feb 27 14:17:09 2019] worker_thread+0x4d/0x460 [Wed Feb 27 14:17:09 2019] kthread+0x105/0x140 [Wed Feb 27 14:17:09 2019] ? rescuer_thread+0x360/0x360 [Wed Feb 27 14:17:09 2019] ? kthread_destroy_worker+0x50/0x50 [Wed Feb 27 14:17:09 2019] ret_from_fork+0x35/0x40 [Wed Feb 27 14:17:09 2019] Modules linked in: vmw_vsock_virtio_transport vmw_vsock_virtio_transport_common input_leds vsock serio_raw i2c_piix4 mac_hid qemu_fw_cfg autofs4 cirrus ttm drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops virtio_net psmouse drm net_failover pata_acpi virtio_blk failover floppy Fixes: 22b5c0b63f32 ("vsock/virtio: fix kernel panic after device hot-unplug") Reported-by: Alexandru Herghelegiu <aherghelegiu@bitdefender.com> Signed-off-by: Adalbert Lazăr <alazar@bitdefender.com> Co-developed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Reviewed-by: Stefano Garzarella <sgarzare@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stefano Garzarella
|
5eae58996b |
vsock/virtio: reset connected sockets on device removal
[ Upstream commit 85965487abc540368393a15491e6e7fcd230039d ] When the virtio transport device disappear, we should reset all connected sockets in order to inform the users. Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stefano Garzarella
|
cd2013568d |
vsock/virtio: fix kernel panic after device hot-unplug
[ Upstream commit 22b5c0b63f32568e130fa2df4ba23efce3eb495b ] virtio_vsock_remove() invokes the vsock_core_exit() also if there are opened sockets for the AF_VSOCK protocol family. In this way the vsock "transport" pointer is set to NULL, triggering the kernel panic at the first socket activity. This patch move the vsock_core_init()/vsock_core_exit() in the virtio_vsock respectively in module_init and module_exit functions, that cannot be invoked until there are open sockets. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1609699 Reported-by: Yan Fu <yafu@redhat.com> Signed-off-by: Stefano Garzarella <sgarzare@redhat.com> Acked-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Paolo Abeni
|
03a6fc5712 |
vsock: cope with memory allocation failure at socket creation time
[ Upstream commit 225d9464268599a5b4d094d02ec17808e44c7553 ]
In the unlikely event that the kmalloc call in vmci_transport_socket_init()
fails, we end-up calling vmci_transport_destruct() with a NULL vmci_trans()
and oopsing.
This change addresses the above explicitly checking for zero vmci_trans()
at destruction time.
Reported-by: Xiumei Mu <xmu@redhat.com>
Fixes:
|