[ Upstream commit b03faa1fafc8018295401dc558bdc76362d860a4 ]
According to RFC7609 (http://www.rfc-editor.org/info/rfc7609)
first the SMC-R connection is shut down and then the normal TCP
connection FIN processing drives cleanup of the internal TCP connection.
The unconditional release of the clcsock during active socket closing
has to be postponed if the peer has not yet signalled socket closing.
Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 5211c9729484 ("net/smc: fix dangling sock under state SMC_APPFINCLOSEWAIT")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ]
Initially, commit 4237c75c0a ("[MLSXFRM]: Auto-labeling of child
sockets") introduced security_inet_conn_request() in some functions
where reqsk is allocated. The hook is added just after the allocation,
so reqsk's IPv6 remote address was not initialised then.
However, SELinux/Smack started to read it in netlbl_req_setattr()
after commit e1adea9270 ("calipso: Allow request sockets to be
relabelled by the lsm.").
Commit 284904aa79 ("lsm: Relocate the IPv4 security_inet_conn_request()
hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
not supported at that time. Finally, the same issue was introduced again
in IPv6.
Let's apply the same fix on DCCPv6 and TCPv6.
Fixes: e1adea9270 ("calipso: Allow request sockets to be relabelled by the lsm.")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit fa2df45af13091f76b89adb84a28f13818d5d631 ]
Initially, commit 4237c75c0a ("[MLSXFRM]: Auto-labeling of child
sockets") introduced security_inet_conn_request() in some functions
where reqsk is allocated. The hook is added just after the allocation,
so reqsk's IPv4 remote address was not initialised then.
However, SELinux/Smack started to read it in netlbl_req_setattr()
after the cited commits.
This bug was partially fixed by commit 284904aa79 ("lsm: Relocate
the IPv4 security_inet_conn_request() hooks").
This patch fixes the last bug in DCCPv4.
Fixes: 389fb800ac ("netlabel: Label incoming TCP connections correctly in SELinux")
Fixes: 07feee8f81 ("netlabel: Cleanup the Smack/NetLabel code to fix incoming TCP connections")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 19b3f72a41a8751e26bffc093bb7e1cef29ad579 ]
syzbot reported the following uninit-value access issue [1]:
=====================================================
BUG: KMSAN: uninit-value in strlen lib/string.c:418 [inline]
BUG: KMSAN: uninit-value in strstr+0xb8/0x2f0 lib/string.c:756
strlen lib/string.c:418 [inline]
strstr+0xb8/0x2f0 lib/string.c:756
tipc_nl_node_reset_link_stats+0x3ea/0xb50 net/tipc/node.c:2595
genl_family_rcv_msg_doit net/netlink/genetlink.c:971 [inline]
genl_family_rcv_msg net/netlink/genetlink.c:1051 [inline]
genl_rcv_msg+0x11ec/0x1290 net/netlink/genetlink.c:1066
netlink_rcv_skb+0x371/0x650 net/netlink/af_netlink.c:2545
genl_rcv+0x40/0x60 net/netlink/genetlink.c:1075
netlink_unicast_kernel net/netlink/af_netlink.c:1342 [inline]
netlink_unicast+0xf47/0x1250 net/netlink/af_netlink.c:1368
netlink_sendmsg+0x1238/0x13d0 net/netlink/af_netlink.c:1910
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
__sys_sendmsg net/socket.c:2624 [inline]
__do_sys_sendmsg net/socket.c:2633 [inline]
__se_sys_sendmsg net/socket.c:2631 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Uninit was created at:
slab_post_alloc_hook+0x12f/0xb70 mm/slab.h:767
slab_alloc_node mm/slub.c:3478 [inline]
kmem_cache_alloc_node+0x577/0xa80 mm/slub.c:3523
kmalloc_reserve+0x13d/0x4a0 net/core/skbuff.c:559
__alloc_skb+0x318/0x740 net/core/skbuff.c:650
alloc_skb include/linux/skbuff.h:1286 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1214 [inline]
netlink_sendmsg+0xb34/0x13d0 net/netlink/af_netlink.c:1885
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x9c2/0xd60 net/socket.c:2541
___sys_sendmsg+0x28d/0x3c0 net/socket.c:2595
__sys_sendmsg net/socket.c:2624 [inline]
__do_sys_sendmsg net/socket.c:2633 [inline]
__se_sys_sendmsg net/socket.c:2631 [inline]
__x64_sys_sendmsg+0x307/0x490 net/socket.c:2631
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
TIPC bearer-related names including link names must be null-terminated
strings. If a link name which is not null-terminated is passed through
netlink, strstr() and similar functions can cause buffer overrun. This
causes the above issue.
This patch changes the nla_policy for bearer-related names from NLA_STRING
to NLA_NUL_STRING. This resolves the issue by ensuring that only
null-terminated strings are accepted as bearer-related names.
syzbot reported similar uninit-value issue related to bearer names [2]. The
root cause of this issue is that a non-null-terminated bearer name was
passed. This patch also resolved this issue.
Fixes: 7be57fc691 ("tipc: add link get/dump to new netlink api")
Fixes: 0655f6a863 ("tipc: add bearer disable/enable to new netlink api")
Reported-and-tested-by: syzbot+5138ca807af9d2b42574@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5138ca807af9d2b42574 [1]
Reported-and-tested-by: syzbot+9425c47dccbcb4c17d51@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=9425c47dccbcb4c17d51 [2]
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://lore.kernel.org/r/20231030075540.3784537-1-syoshida@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 7b3ba18703a63f6fd487183b9262b08e5632da1b ]
LLC reads the mac header with eth_hdr without verifying that the skb
has an Ethernet header.
Syzbot was able to enter llc_rcv on a tun device. Tun can insert
packets without mac len and with user configurable skb->protocol
(passing a tun_pi header when not configuring IFF_NO_PI).
BUG: KMSAN: uninit-value in llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
BUG: KMSAN: uninit-value in llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
llc_station_ac_send_test_r net/llc/llc_station.c:81 [inline]
llc_station_rcv+0x6fb/0x1290 net/llc/llc_station.c:111
llc_rcv+0xc5d/0x14a0 net/llc/llc_input.c:218
__netif_receive_skb_one_core net/core/dev.c:5523 [inline]
__netif_receive_skb+0x1a6/0x5a0 net/core/dev.c:5637
netif_receive_skb_internal net/core/dev.c:5723 [inline]
netif_receive_skb+0x58/0x660 net/core/dev.c:5782
tun_rx_batched+0x3ee/0x980 drivers/net/tun.c:1555
tun_get_user+0x54c5/0x69c0 drivers/net/tun.c:2002
Add a mac_len test before all three eth_hdr(skb) calls under net/llc.
There are further uses in include/net/llc_pdu.h. All these are
protected by a test skb->protocol == ETH_P_802_2. Which does not
protect against this tun scenario.
But the mac_len test added in this patch in llc_fixup_skb will
indirectly protect those too. That is called from llc_rcv before any
other LLC code.
It is tempting to just add a blanket mac_len check in llc_rcv, but
not sure whether that could break valid LLC paths that do not assume
an Ethernet header. 802.2 LLC may be used on top of non-802.3
protocols in principle. The below referenced commit shows that used
to, on top of Token Ring.
At least one of the three eth_hdr uses goes back to before the start
of git history. But the one that syzbot exercises is introduced in
this commit. That commit is old enough (2008), that effectively all
stable kernels should receive this.
Fixes: f83f1768f8 ("[LLC]: skb allocation size for responses")
Reported-by: syzbot+a8c7be6dee0de1b669cc@syzkaller.appspotmail.com
Signed-off-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20231025234251.3796495-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 03d6c848bfb406e9ef6d9846d759e97beaeea113 ]
When the ipv6 stack output a GSO packet, if its gso_size is larger than
dst MTU, then all segments would be fragmented. However, it is possible
for a GSO packet to have a trailing segment with smaller actual size
than both gso_size as well as the MTU, which leads to an "atomic
fragment". Atomic fragments are considered harmful in RFC-8021. An
Existing report from APNIC also shows that atomic fragments are more
likely to be dropped even it is equivalent to a no-op [1].
Add an extra check in the GSO slow output path. For each segment from
the original over-sized packet, if it fits with the path MTU, then avoid
generating an atomic fragment.
Link: https://www.potaroo.net/presentations/2022-03-01-ipv6-frag.pdf [1]
Fixes: b210de4f8c97 ("net: ipv6: Validate GSO SKB before finish IPv6 processing")
Reported-by: David Wragg <dwragg@cloudflare.com>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Link: https://lore.kernel.org/r/90912e3503a242dca0bc36958b11ed03a2696e5e.1698156966.git.yan@cloudflare.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a135798e6e200ecb2f864cecca6d257ba278370c ]
tcp_init_metrics() only wants to get metrics if they were
previously stored in the cache. Creating an entry is adding
useless costs, especially when tcp_no_metrics_save is set.
Fixes: 51c5d0c4b1 ("tcp: Maintain dynamic metrics in local cache.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 081480014a64a69d901f8ef1ffdd56d6085cf87e ]
We need to set tp->snd_ssthresh to TCP_INFINITE_SSTHRESH
in the case tcp_get_metrics() fails for some reason.
Fixes: 9ad7c049f0 ("tcp: RFC2988bis + taking RTT sample from 3WHS for the passive open side")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit cbc3a153222805d65f821e10f4f78b6afce06f86 ]
When removing an item from RCU protected list, we must prevent
store-tearing, using rcu_assign_pointer() or WRITE_ONCE().
Fixes: 04f721c671 ("tcp_metrics: Rewrite tcp_metrics_flush_all")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Acked-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
* sm8250/lineage-20:
techpack: video: hfi_iris2: Fix -Wpointer-to-int-cast
Reapply "perf: Disallow mis-matched inherited group reads"
ANDROID: fs: fuse: Freeze client on suspend when request sent to userspace
ANDROID: fs/fuse: Keep FUSE file times consistent with lower file
ANDROID: fuse: Allocate zeroed memory for canonical path
UPSTREAM: fuse: fix matching of FUSE_DEV_IOC_CLONE command
ANDROID: fuse/passthrough: API V2 with __u32 open argument
FROMLIST: fuse: Fix crediantials leak in passthrough read_iter
FROMLIST: fuse: Introduce passthrough for mmap
FROMLIST: fuse: Use daemon creds in passthrough mode
FROMLIST: fuse: Handle asynchronous read and write in passthrough
FROMLIST: fuse: Introduce synchronous read and write for passthrough
FROMLIST: fuse: Passthrough initialization and release
FROMLIST: fuse: Definitions and ioctl for passthrough
FROMLIST: fuse: 32-bit user space ioctl compat for fuse device
FROMLIST: fs: Generic function to convert iocb to rw flags
BACKPORT: fs: align IOCB_* flags with RWF_* flags
Revert "perf: Disallow mis-matched inherited group reads"
Revert "xfrm: fix a data-race in xfrm_gen_index()"
Revert "Bluetooth: hci_core: Fix build warnings"
Revert "xfrm: interface: use DEV_STATS_INC()"
Linux 4.19.297
xfrm6: fix inet6_dev refcount underflow problem
Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
Bluetooth: hci_sock: fix slab oob read in create_monitor_event
phy: mapphone-mdm6600: Fix runtime PM for remove
ASoC: pxa: fix a memory leak in probe()
gpio: vf610: set value before the direction to avoid a glitch
s390/pci: fix iommu bitmap allocation
perf: Disallow mis-matched inherited group reads
USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
USB: serial: option: add entry for Sierra EM9191 with new firmware
USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
ACPI: irq: Fix incorrect return value in acpi_register_gsi()
Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
mmc: core: Capture correct oemid-bits for eMMC cards
mtd: spinand: micron: correct bitmask for ecc status
mtd: rawnand: qcom: Unmap the right resource upon probe failure
Bluetooth: hci_event: Fix using memcmp when comparing keys
btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
drm: panel-orientation-quirks: Add quirk for One Mix 2S
sky2: Make sure there is at least one frag_addr available
wifi: cfg80211: avoid leaking stack data into trace
wifi: mac80211: allow transmitting EAPOL frames with tainted key
Bluetooth: hci_core: Fix build warnings
Bluetooth: Avoid redundant authentication
HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
tracing: relax trace_event_eval_update() execution with cond_resched()
ata: libata-eh: Fix compilation warning in ata_eh_link_report()
gpio: timberdale: Fix potential deadlock on &tgpio->lock
overlayfs: set ctime when setting mtime and atime
i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
btrfs: initialize start_slot in btrfs_log_prealloc_extents
btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
libceph: use kernel_connect()
libceph: fix unaligned accesses in ceph_entity_addr handling
net: pktgen: Fix interface flags printing
netfilter: nft_set_rbtree: .deactivate fails if element has expired
net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
i40e: prevent crash on probe if hw registers have invalid values
net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
tcp: fix excessive TLP and RACK timeouts from HZ rounding
net: rfkill: gpio: prevent value glitch during probe
net: ipv6: fix return value check in esp_remove_trailer
net: ipv4: fix return value check in esp_remove_trailer
xfrm: interface: use DEV_STATS_INC()
xfrm: fix a data-race in xfrm_gen_index()
netfilter: nft_payload: fix wrong mac header matching
KVM: x86: Mask LVTPC when handling a PMI
regmap: fix NULL deref on lookup
nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
Bluetooth: avoid memcmp() out of bounds warning
Bluetooth: hci_event: Fix coding style
Bluetooth: vhci: Fix race when opening vhci device
Bluetooth: Fix a refcnt underflow problem for hci_conn
Bluetooth: Reject connection with the device which has same BD_ADDR
Bluetooth: hci_event: Ignore NULL link key
usb: hub: Guard against accesses to uninitialized BOS descriptors
dev_forward_skb: do not scrub skb mark within the same name space
x86/alternatives: Disable KASAN in apply_alternatives()
powerpc/64e: Fix wrong test in __ptep_test_and_clear_young()
usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call
usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
pinctrl: avoid unsafe code pattern in find_pinctrl()
cgroup: Remove duplicates in cgroup v1 tasks file
Input: xpad - add PXN V900 support
Input: psmouse - fix fast_reconnect function for PS/2 mode
Input: powermate - fix use-after-free in powermate_config_complete
ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
mcb: remove is_added flag from mcb_device struct
iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
iio: pressure: bmp280: Fix NULL pointer exception
usb: musb: Modify the "HWVers" register address
usb: musb: Get the musb_qh poniter after musb_giveback
usb: dwc3: Soft reset phy on probe for host
net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read
usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
dmaengine: stm32-mdma: abort resume if no ongoing transfer
sched,idle,rcu: Push rcu_idle deeper into the idle path
workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask()
nfc: nci: assert requested protocol is valid
net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
ixgbe: fix crash with empty VF macvlan list
drm/vmwgfx: fix typo of sizeof argument
xen-netback: use default TX queue size for vifs
ieee802154: ca8210: Fix a potential UAF in ca8210_probe
drm/msm/dsi: skip the wait for video mode done if not applicable
drm: etvnaviv: fix bad backport leading to warning
net: prevent address rewrite in kernel_bind()
quota: Fix slow quotaoff
HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
RDMA/cxgb4: Check skb value for failure to allocate
net: prevent rewrite of msg_name in sock_sendmsg()
net: fix kernel-doc warnings for socket.c
net: use indirect calls helpers at the socket layer
indirect call wrappers: helpers to speed-up indirect calls of builtin
dwc3-msm-core: Remove usage of DWC31_LINK_GDBGLTSSM with POR
defconfig: kona: Fix for SonyDualSenseEdge cts failures
defconfig: kona: Fix for SonyDualSenseEdge cts failures
Revert "net: add atomic_long_t to net_device_stats fields"
Revert "net: Fix unwanted sign extension in netdev_stats_to_stats64()"
Revert "net: bridge: use DEV_STATS_INC()"
Linux 4.19.296
xen/events: replace evtchn_rwlock with RCU
rtnetlink: Reject negative ifindexes in RTM_NEWLINK
Revert "rtnetlink: Reject negative ifindexes in RTM_NEWLINK"
dccp: fix dccp_v4_err()/dccp_v6_err() again
parisc: Restore __ldcw_align for PA-RISC 2.0 processors
RDMA/mlx5: Fix NULL string error
RDMA/cma: Fix truncation compilation warning in make_cma_ports
gpio: pxa: disable pinctrl calls for MMP_GPIO
gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
IB/mlx4: Fix the size of a buffer in add_port_entries()
cpupower: add Makefile dependencies for install targets
sctp: update hb timer immediately after users change hb_interval
sctp: update transport state when processing a dupcook packet
tcp: fix delayed ACKs for MSS boundary condition
tcp: fix quick-ack counting to count actual ACKs of new data
net: stmmac: dwmac-stm32: fix resume on STM32 MCU
net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
modpost: add missing else to the "of" check
scsi: target: core: Fix deadlock due to recursive locking
regmap: rbtree: Fix wrong register marked as in-cache when creating new node
drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
ubi: Refuse attaching if mtd's erasesize is 0
net: replace calls to sock->ops->connect() with kernel_connect()
wifi: mwifiex: Fix tlv_buf_left calculation
qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
scsi: zfcp: Fix a double put in zfcp_port_enqueue()
Revert "PCI: qcom: Disable write access to read only registers for IP v2.3.3"
media: dvb: symbol fixup for dvb_attach() - again
Revert "drivers core: Use sysfs_emit and sysfs_emit_at for show(device *...) functions"
ata: libata: disallow dev-initiated LPM transitions to unsupported states
ext4: fix rec_len verify error
fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
ata: libata-sata: increase PMP SRST timeout to 10s
ata: libata-core: Do not register PM operations for SAS ports
ata: libata-core: Fix port and device removal
ata: libata-core: Fix ata_port_request_pm() locking
net: thunderbolt: Fix TCPv6 GSO checksum calculation
btrfs: properly report 0 avail for very full file systems
i2c: i801: unregister tco_pdev in i801_probe() error path
ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES
ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
serial: 8250_port: Check IRQ data before use
smack: Record transmuting in smk_transmuted
smack: Retrieve transmuting information in smack_inode_getsecurity()
Smack:- Use overlay inode label in smack_inode_copy_up()
scsi: megaraid_sas: Enable msix_load_balance for Invader and later controllers
net: Fix unwanted sign extension in netdev_stats_to_stats64()
watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running
watchdog: iTCO_wdt: No need to stop the timer in probe
nvme-pci: do not set the NUMA node of device if it has none
fbdev/sh7760fb: Depend on FB=y
bpf: Clarify error expectations from bpf_clone_redirect
ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
ring-buffer: Avoid softlockup in ring_buffer_resize()
selftests/ftrace: Correctly enable event in instance-event.tc
parisc: irq: Make irq_stack_union static to avoid sparse warning
parisc: drivers: Fix sparse warning
parisc: iosapic.c: Fix sparse warnings
parisc: sba: Fix compile warning wrt list of SBA devices
gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot
clk: tegra: fix error return case for recalc_rate
MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
ext4: do not let fstrim block system suspend
ext4: move setting of trimmed bit into ext4_try_to_trim_range()
ext4: replace the traditional ternary conditional operator with with max()/min()
ext4: mark group as trimmed only if it was fully scanned
ext4: change s_last_trim_minblks type to unsigned long
ext4: scope ret locally in ext4_try_to_trim_range()
ext4: add new helper interface ext4_try_to_trim_range()
ext4: remove the 'group' parameter of ext4_trim_extent
scsi: megaraid_sas: Fix deadlock on firmware crashdump
scsi: megaraid_sas: Load balance completions across all MSI-X
scsi: qla2xxx: Remove unsupported ql2xenabledif option
scsi: qla2xxx: Add protection mask module parameters
Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN
i2c: mux: demux-pinctrl: check the return value of devm_kstrdup()
gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
team: fix null-ptr-deref when team device type is changed
net: bridge: use DEV_STATS_INC()
net: add atomic_long_t to net_device_stats fields
net: hns3: add 5ms delay before clear firmware reset irq source
powerpc/perf/hv-24x7: Update domain value check
ipv4: fix null-deref in ipv4_link_failure
selftests: tls: swap the TX and RX sockets in some tests
selftests/tls: Add {} to avoid static checker warning
netfilter: nf_tables: disallow element removal on anonymous sets
ata: libahci: clear pending interrupt status
ata: ahci: Drop pointless VPRINTK() calls and convert the remaining ones
NFS/pNFS: Report EINVAL errors from connect() to the server
msm : Cap framerate for all Intra setting
ANDROID: ALSA: jack: Revert mismerge done in v4.19.291
usb: dwc3-msm-core: Set pipectl susphy in conndone interrupt
msm : Cap framerate for all Intra setting
BACKPORT: bpf: add bpf_ktime_get_boot_ns()
bus: mhi: fix potential out-of-bound access
usb: dwc3: gadget: Bail out in pullup if soft reset timeout happens
msm: kgsl: Limit the syncpoint count for AUX commands
msm: kgsl: Prevent wrap around during user address mapping
bt: Unset multi channel bit for 44.1/88.2Khz A2DP Rx
fw-api: CL 24698636 - update fw common interface files
BACKPORT: bpf: add bpf_ktime_get_boot_ns()
iommu: Fix missing return check of arm_lpae_init_pte
fw-api: CL 24632751 - update fw common interface files
fw-api: CL 24632749 - update fw common interface files
fw-api: CL 24610273 - update fw common interface files
fw-api: CL 24620909 - update fw common interface files
fw-api: CL 24602439 - update fw common interface files
fw-api: Fix E3.0: E3R44: WCSS_VERSION 2544
fw-api: peach: E3.0: E3R44: WCSS_VERSION 2544 Add peach hw header files
dsp: q6asm: Add check for ADSP payload size
ASoC: msm-audio-effects-q6-v2: Add BPF order check
dsp: q6afe: Add check for fbsp state
ASoC: msm-lsm-client: Integer overflow check
fw-api: CL 24551836 - update fw common interface files
fw-api: CL 24528979 - update fw common interface files
fw-api: CL 24448911 - update fw common interface files
fw-api: CL 24431840 - update fw common interface files
fw-api: CL 24431228 - update fw common interface files
fw-api: CL 24417305 - update fw common interface files
fw-api: CL 24374793 - update fw common interface files
fw-api: CL 24331558 - update fw common interface files
fw-api: CL 24317964 - update fw common interface files
fw-api: CL 24309540 - update fw common interface files
fw-api: CL 24285962 - update fw common interface files
block: ratelimit handle_bad_sector() message
securemsm-kernel: Fix multiple listener registration on same fd
dsp: Correct copyright info
fw-api: CL 24269688 - update fw common interface files
fw-api: CL 24263101 - update fw common interface files
fw-api: CL 24263097 - update fw common interface files
fw-api: CL 24258897 - update fw common interface files
fw-api: CL 24245865 - update fw common interface files
fw-api: CL 24229660 - update fw common interface files
fw-api: CL 24140579 - update fw common interface files
fw-api: CL 24056101 - update fw common interface files
fw-api: CL 24006951 - update fw common interface files
fw-api: CL 23998194 - update fw common interface files
fw-api: CL 23995783 - update fw common interface files
fw-api: CL 23981895 - update fw common interface files
fw-api: CL 23981866 - update fw common interface files
fw-api: CL 23966557 - update fw common interface files
fw-api: CL 23935730 - update fw common interface files
fw-api: CL 23935724 - update fw common interface files
fw-api: CL 23933290 - update fw common interface files
fw-api: CL 23915932 - update fw common interface files
fw-api: CL 23911002 - update fw common interface files
fw-api: CL 23907437 - update fw common interface files
fw-api: CL 23894107 - update fw common interface files
fw-api: CL 23887001 - update fw common interface files
fw-api: CL 23874450 - update fw common interface files
fw-api: CL 23872196 - update fw common interface files
fw-api: CL 23852898 - update fw common interface files
fw-api: CL 23810815 - update fw common interface files
fw-api: CL 23799210 - update fw common interface files
fw-api: CL 23782068 - update fw common interface files
fw-api: CL 23772256 - update fw common interface files
fw-api: CL 23772239 - update fw common interface files
fw-api: CL 23675183 - update fw common interface files
fw-api: CL 23639466 - update fw common interface files
fw-api: CL 23638576 - update fw common interface files
fw-api: CL 23631091 - update fw common interface files
fw-api: CL 23629843 - update fw common interface files
fw-api: CL 23627777 - update fw common interface files
fw-api: CL 23606322 - update fw common interface files
fw-api: CL 23606285 - update fw common interface files
fw-api: CL 23581168 - update fw common interface files
video: driver: Return proper error code
video: driver: Return proper error code
Change-Id: Iff47e9f74b8912786908e3568926bf02787cee48
https://source.android.com/docs/security/bulletin/2023-11-01
* tag 'ASB-2023-11-05_4.19-stable' of https://android.googlesource.com/kernel/common:
Reapply "perf: Disallow mis-matched inherited group reads"
Revert "perf: Disallow mis-matched inherited group reads"
Revert "xfrm: fix a data-race in xfrm_gen_index()"
Revert "Bluetooth: hci_core: Fix build warnings"
Revert "xfrm: interface: use DEV_STATS_INC()"
Linux 4.19.297
xfrm6: fix inet6_dev refcount underflow problem
Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
Bluetooth: hci_sock: fix slab oob read in create_monitor_event
phy: mapphone-mdm6600: Fix runtime PM for remove
ASoC: pxa: fix a memory leak in probe()
gpio: vf610: set value before the direction to avoid a glitch
s390/pci: fix iommu bitmap allocation
perf: Disallow mis-matched inherited group reads
USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
USB: serial: option: add entry for Sierra EM9191 with new firmware
USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
ACPI: irq: Fix incorrect return value in acpi_register_gsi()
Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
mmc: core: Capture correct oemid-bits for eMMC cards
mtd: spinand: micron: correct bitmask for ecc status
mtd: rawnand: qcom: Unmap the right resource upon probe failure
Bluetooth: hci_event: Fix using memcmp when comparing keys
btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
drm: panel-orientation-quirks: Add quirk for One Mix 2S
sky2: Make sure there is at least one frag_addr available
wifi: cfg80211: avoid leaking stack data into trace
wifi: mac80211: allow transmitting EAPOL frames with tainted key
Bluetooth: hci_core: Fix build warnings
Bluetooth: Avoid redundant authentication
HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
tracing: relax trace_event_eval_update() execution with cond_resched()
ata: libata-eh: Fix compilation warning in ata_eh_link_report()
gpio: timberdale: Fix potential deadlock on &tgpio->lock
overlayfs: set ctime when setting mtime and atime
i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
btrfs: initialize start_slot in btrfs_log_prealloc_extents
btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
libceph: use kernel_connect()
libceph: fix unaligned accesses in ceph_entity_addr handling
net: pktgen: Fix interface flags printing
netfilter: nft_set_rbtree: .deactivate fails if element has expired
net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
i40e: prevent crash on probe if hw registers have invalid values
net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
tcp: fix excessive TLP and RACK timeouts from HZ rounding
net: rfkill: gpio: prevent value glitch during probe
net: ipv6: fix return value check in esp_remove_trailer
net: ipv4: fix return value check in esp_remove_trailer
xfrm: interface: use DEV_STATS_INC()
xfrm: fix a data-race in xfrm_gen_index()
netfilter: nft_payload: fix wrong mac header matching
KVM: x86: Mask LVTPC when handling a PMI
regmap: fix NULL deref on lookup
nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
Bluetooth: avoid memcmp() out of bounds warning
Bluetooth: hci_event: Fix coding style
Bluetooth: vhci: Fix race when opening vhci device
Bluetooth: Fix a refcnt underflow problem for hci_conn
Bluetooth: Reject connection with the device which has same BD_ADDR
Bluetooth: hci_event: Ignore NULL link key
usb: hub: Guard against accesses to uninitialized BOS descriptors
dev_forward_skb: do not scrub skb mark within the same name space
x86/alternatives: Disable KASAN in apply_alternatives()
powerpc/64e: Fix wrong test in __ptep_test_and_clear_young()
usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call
usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
pinctrl: avoid unsafe code pattern in find_pinctrl()
cgroup: Remove duplicates in cgroup v1 tasks file
Input: xpad - add PXN V900 support
Input: psmouse - fix fast_reconnect function for PS/2 mode
Input: powermate - fix use-after-free in powermate_config_complete
ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
mcb: remove is_added flag from mcb_device struct
iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
iio: pressure: bmp280: Fix NULL pointer exception
usb: musb: Modify the "HWVers" register address
usb: musb: Get the musb_qh poniter after musb_giveback
usb: dwc3: Soft reset phy on probe for host
net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read
usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
dmaengine: stm32-mdma: abort resume if no ongoing transfer
sched,idle,rcu: Push rcu_idle deeper into the idle path
workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask()
nfc: nci: assert requested protocol is valid
net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
ixgbe: fix crash with empty VF macvlan list
drm/vmwgfx: fix typo of sizeof argument
xen-netback: use default TX queue size for vifs
ieee802154: ca8210: Fix a potential UAF in ca8210_probe
drm/msm/dsi: skip the wait for video mode done if not applicable
drm: etvnaviv: fix bad backport leading to warning
net: prevent address rewrite in kernel_bind()
quota: Fix slow quotaoff
HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
RDMA/cxgb4: Check skb value for failure to allocate
net: prevent rewrite of msg_name in sock_sendmsg()
net: fix kernel-doc warnings for socket.c
net: use indirect calls helpers at the socket layer
indirect call wrappers: helpers to speed-up indirect calls of builtin
Revert "net: add atomic_long_t to net_device_stats fields"
Revert "net: Fix unwanted sign extension in netdev_stats_to_stats64()"
Revert "net: bridge: use DEV_STATS_INC()"
Linux 4.19.296
xen/events: replace evtchn_rwlock with RCU
rtnetlink: Reject negative ifindexes in RTM_NEWLINK
Revert "rtnetlink: Reject negative ifindexes in RTM_NEWLINK"
dccp: fix dccp_v4_err()/dccp_v6_err() again
parisc: Restore __ldcw_align for PA-RISC 2.0 processors
RDMA/mlx5: Fix NULL string error
RDMA/cma: Fix truncation compilation warning in make_cma_ports
gpio: pxa: disable pinctrl calls for MMP_GPIO
gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
IB/mlx4: Fix the size of a buffer in add_port_entries()
cpupower: add Makefile dependencies for install targets
sctp: update hb timer immediately after users change hb_interval
sctp: update transport state when processing a dupcook packet
tcp: fix delayed ACKs for MSS boundary condition
tcp: fix quick-ack counting to count actual ACKs of new data
net: stmmac: dwmac-stm32: fix resume on STM32 MCU
net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
modpost: add missing else to the "of" check
scsi: target: core: Fix deadlock due to recursive locking
regmap: rbtree: Fix wrong register marked as in-cache when creating new node
drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
ubi: Refuse attaching if mtd's erasesize is 0
net: replace calls to sock->ops->connect() with kernel_connect()
wifi: mwifiex: Fix tlv_buf_left calculation
qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
scsi: zfcp: Fix a double put in zfcp_port_enqueue()
Revert "PCI: qcom: Disable write access to read only registers for IP v2.3.3"
media: dvb: symbol fixup for dvb_attach() - again
Revert "drivers core: Use sysfs_emit and sysfs_emit_at for show(device *...) functions"
ata: libata: disallow dev-initiated LPM transitions to unsupported states
ext4: fix rec_len verify error
fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
ata: libata-sata: increase PMP SRST timeout to 10s
ata: libata-core: Do not register PM operations for SAS ports
ata: libata-core: Fix port and device removal
ata: libata-core: Fix ata_port_request_pm() locking
net: thunderbolt: Fix TCPv6 GSO checksum calculation
btrfs: properly report 0 avail for very full file systems
i2c: i801: unregister tco_pdev in i801_probe() error path
ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES
ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
serial: 8250_port: Check IRQ data before use
smack: Record transmuting in smk_transmuted
smack: Retrieve transmuting information in smack_inode_getsecurity()
Smack:- Use overlay inode label in smack_inode_copy_up()
scsi: megaraid_sas: Enable msix_load_balance for Invader and later controllers
net: Fix unwanted sign extension in netdev_stats_to_stats64()
watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running
watchdog: iTCO_wdt: No need to stop the timer in probe
nvme-pci: do not set the NUMA node of device if it has none
fbdev/sh7760fb: Depend on FB=y
bpf: Clarify error expectations from bpf_clone_redirect
ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
ring-buffer: Avoid softlockup in ring_buffer_resize()
selftests/ftrace: Correctly enable event in instance-event.tc
parisc: irq: Make irq_stack_union static to avoid sparse warning
parisc: drivers: Fix sparse warning
parisc: iosapic.c: Fix sparse warnings
parisc: sba: Fix compile warning wrt list of SBA devices
gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot
clk: tegra: fix error return case for recalc_rate
MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
ext4: do not let fstrim block system suspend
ext4: move setting of trimmed bit into ext4_try_to_trim_range()
ext4: replace the traditional ternary conditional operator with with max()/min()
ext4: mark group as trimmed only if it was fully scanned
ext4: change s_last_trim_minblks type to unsigned long
ext4: scope ret locally in ext4_try_to_trim_range()
ext4: add new helper interface ext4_try_to_trim_range()
ext4: remove the 'group' parameter of ext4_trim_extent
scsi: megaraid_sas: Fix deadlock on firmware crashdump
scsi: megaraid_sas: Load balance completions across all MSI-X
scsi: qla2xxx: Remove unsupported ql2xenabledif option
scsi: qla2xxx: Add protection mask module parameters
Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN
i2c: mux: demux-pinctrl: check the return value of devm_kstrdup()
gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
team: fix null-ptr-deref when team device type is changed
net: bridge: use DEV_STATS_INC()
net: add atomic_long_t to net_device_stats fields
net: hns3: add 5ms delay before clear firmware reset irq source
powerpc/perf/hv-24x7: Update domain value check
ipv4: fix null-deref in ipv4_link_failure
selftests: tls: swap the TX and RX sockets in some tests
selftests/tls: Add {} to avoid static checker warning
netfilter: nf_tables: disallow element removal on anonymous sets
ata: libahci: clear pending interrupt status
ata: ahci: Drop pointless VPRINTK() calls and convert the remaining ones
NFS/pNFS: Report EINVAL errors from connect() to the server
ANDROID: ALSA: jack: Revert mismerge done in v4.19.291
Conflicts:
include/net/tcp.h
kernel/events/core.c
kernel/sched/idle.c
Change-Id: I141cc494dcfda5fbd11f8bd2f7166bf3bf157084
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmVLYWMACgkQONu9yGCS
aT7TWxAArWfLx5B55f2sGj/cDvs2xil315t1p/uhXCtgcstc/E+lxRipw3Bi3B0g
IwoBHoxteAhHVzscTJUypzi/lzNdKuIoNvtD/IxpIt/vcP2T/JMBVzrMTsClGkDI
xnaMq51lWT6Kpc3zt0k4EeAA9ifAeM45kIbZlPooJ15D6zuCLLMGdKiai8eYbOkM
X65dzw2FxtCvIP3FfBxr4opRsWmkXSxD7diRVe4XPE/RyLFePPMitFg/NvpK/QLW
+3aR6n0hhafvsYBE3T2+mb2A408uK7nT4aup25k9JF/RKhSzU2ZKTTZEtp92pZBr
pHiUGa2bitYryBvSt69wRRamqctonrwXcW0FCAX+JxxujcfBmSR/z1GudQEbKBm8
ALY2vgoDHeilbVxUCVGqnBpvu8NgwBw7J3z5S5m913X2CtMpeotvGzgksEE+gzdV
Dw+l6bhj0vxAveYEgA5WVritymrh9NFNPQh32zeMG6FCcQCzuUd3gZPDECjcgFji
keK3e71vjVemvgsvwAyx1WPpD0KDwjqZCAUL39Zmc7gQUzLZx8E2ujTIabefwJIA
L3RQHFsVE141FojccKFpHhF/5ne6qAv74ZlXz0DBxstgx/acUCxqN7XJSVZw7OHN
bpF3F3KNv1xOpN28rh+4Qjzds4TKQ+de9OEVJA3ZG2QuUqoFWXE=
=013M
-----END PGP SIGNATURE-----
Merge 4.19.298 into android-4.19-stable
Changes in 4.19.298
mmc: sdio: Don't re-initialize powered-on removable SDIO cards at resume
mmc: core: sdio: hold retuning if sdio in 1-bit mode
selftests/ftrace: Add new test case which checks non unique symbol
mcb: Return actual parsed size when reading chameleon table
mcb-lpc: Reallocate memory region to avoid memory overlapping
virtio_balloon: Fix endless deflation and inflation on arm64
virtio-mmio: fix memory leak of vm_dev
r8169: rename r8169.c to r8169_main.c
r8169: fix the KCSAN reported data-race in rtl_tx while reading TxDescArray[entry].opts1
r8169: fix the KCSAN reported data race in rtl_rx while reading desc->opts1
treewide: Spelling fix in comment
igb: Fix potential memory leak in igb_add_ethtool_nfc_entry
gtp: fix fragmentation needed check with gso
i40e: Fix wrong check for I40E_TXR_FLAGS_WB_ON_ITR
i2c: muxes: i2c-mux-pinctrl: Use of_get_i2c_adapter_by_node()
i2c: muxes: i2c-mux-gpmux: Use of_get_i2c_adapter_by_node()
i2c: muxes: i2c-demux-pinctrl: Use of_get_i2c_adapter_by_node()
i2c: stm32f7: Fix PEC handling in case of SMBUS transfers
nvmem: imx: correct nregs for i.MX6SLL
nvmem: imx: correct nregs for i.MX6UL
perf/core: Fix potential NULL deref
iio: exynos-adc: request second interupt only when touchscreen mode is used
x86/i8259: Skip probing when ACPI/MADT advertises PCAT compatibility
NFS: Don't call generic_error_remove_page() while holding locks
ARM: 8933/1: replace Sun/Solaris style flag on section directive
drm/dp_mst: Fix NULL deref in get_mst_branch_device_by_guid_helper()
arm64: fix a concurrency issue in emulation_proc_handler()
kobject: Fix slab-out-of-bounds in fill_kobj_path()
smbdirect: missing rc checks while waiting for rdma events
f2fs: fix to do sanity check on inode type during garbage collection
nfsd: lock_rename() needs both directories to live on the same fs
x86/mm: Simplify RESERVE_BRK()
x86/mm: Fix RESERVE_BRK() for older binutils
driver: platform: Add helper for safer setting of driver_override
rpmsg: Constify local variable in field store macro
rpmsg: Fix kfree() of static memory on setting driver_override
rpmsg: Fix calling device_lock() on non-initialized device
rpmsg: glink: Release driver_override
rpmsg: Fix possible refcount leak in rpmsg_register_device_override()
x86: Fix .brk attribute in linker script
MAINTAINERS: r8169: Update path to the driver
ASoC: simple-card: fixup asoc_simple_probe() error handling
Input: i8042 - add Fujitsu Lifebook E5411 to i8042 quirk table
irqchip/stm32-exti: add missing DT IRQ flag translation
dmaengine: ste_dma40: Fix PM disable depth imbalance in d40_probe
Input: synaptics-rmi4 - handle reset delay when using SMBus trsnsport
fbdev: atyfb: only use ioremap_uc() on i386 and ia64
netfilter: nfnetlink_log: silence bogus compiler warning
ASoC: rt5650: fix the wrong result of key button
fbdev: uvesafb: Call cn_del_callback() at the end of uvesafb_exit()
scsi: mpt3sas: Fix in error path
platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
net: chelsio: cxgb4: add an error code check in t4_load_phy_fw
ata: ahci: fix enum constants for gcc-13
remove the sx8 block driver
PCI: Prevent xHCI driver from claiming AMD VanGogh USB3 DRD device
usb: storage: set 1.50 as the lower bcdDevice for older "Super Top" compatibility
tty: 8250: Remove UC-257 and UC-431
tty: 8250: Add support for additional Brainboxes UC cards
tty: 8250: Add support for Brainboxes UP cards
tty: 8250: Add support for Intashield IS-100
Linux 4.19.298
Change-Id: Ifb32a27a5d614f8234d0fb282c57304fdd2ce5de
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit 2e1d175410972285333193837a4250a74cd472e6 ]
net/netfilter/nfnetlink_log.c:800:18: warning: variable 'ctinfo' is uninitialized
The warning is bogus, the variable is only used if ct is non-NULL and
always initialised in that case. Init to 0 too to silence this.
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202309100514.ndBFebXN-lkp@intel.com/
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
This reverts commit 17c75411e2 which is
commit 3e4bc23926b83c3c67e5f61ae8571602754131a6 upstream.
It breaks the android ABI and if this is needed in the future, can be
brought back in an abi-safe way.
Bug: 161946584
Change-Id: I6af8ce540570c756ea9f16526c36f8815971e216
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 194ab82c1e which is
commit dcda165706b9fbfd685898d46a6749d7d397e0c0 upstream.
It breaks the android ABI and if this is needed in the future, can be
brought back in an abi-safe way.
Bug: 161946584
Change-Id: I4a64dca20bcdfe9cbe33fc23c7d3d1b252f4b873
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit d4d40dc75d which is
commit f7c4e3e5d4f6609b4725a97451948ca2e425379a upstream.
It breaks the build due to a previous abi-breaking change being dropped
from the tree. If this is needed in the future, it can come back in an
abi-safe way.
Change-Id: I5fab397dfff850ab54026e62930bec9b0655cf62
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmU43RMACgkQONu9yGCS
aT6DURAAlNjp1I2Hi2sO/hvlYcY6vkZHAIDof1SXqJkthU4Chd8fvinjxbHTcuRd
vYGBB/u+fTjKiyRYFYiK2vLVQsD2YBIuP+bQtK3v1s+62qarGf+ahbFqRRlHIoRR
dE3rglx7SMITaZPdq4KFuC1etM206+JR0yU7lTcdLocNQRmZv9DEnVTq6SGLebUB
C0l+CaHy7F1yn1uuBVJi/gJH1+obTHyAViJzKY38E2Nevq8a0rUZd6V0xfGHUFue
x41NX+pjUkaAyH8qKahFxdIuabE/oNBjt6ZqEmceu2bOrjFI36a3r2/XYfqNxkD8
HT9qEz+jY0ig2Zj4TdGcjrm58Ck3ZjTS9RBodeaYBYlqz/EnlR8Qk7kspfXGACF9
iy5WcL0iSMbC3o5dy17k2Dhh6G9ZmhLlpzXuHlLvfM3U1dlO0aa48LhAO7MTNu6N
Abdyfqv1q4tSqsixUyVe2MQqAoZ7Px1FJRq5l24xvqKljNKFOgBnw9sjKfcRfG1K
O2F1dvEzLjFNxn7P+iZMfdoyg2Hf+GQ0gtLmq9fK04uAGW8UQRu51efJmujLZ42b
XVeAI4iw+uR1bFt9YI+WeAx3vg/lzP768+2YPf0zWUDf2k7RORvnP4XUZbddajet
fhqakuVIORwc53IM5m2XtMs7N88sWFrprbqjyoUPJYcgpzQyyOo=
=0+07
-----END PGP SIGNATURE-----
Merge 4.19.297 into android-4.19-stable
Changes in 4.19.297
indirect call wrappers: helpers to speed-up indirect calls of builtin
net: use indirect calls helpers at the socket layer
net: fix kernel-doc warnings for socket.c
net: prevent rewrite of msg_name in sock_sendmsg()
RDMA/cxgb4: Check skb value for failure to allocate
HID: logitech-hidpp: Fix kernel crash on receiver USB disconnect
quota: Fix slow quotaoff
net: prevent address rewrite in kernel_bind()
drm: etvnaviv: fix bad backport leading to warning
drm/msm/dsi: skip the wait for video mode done if not applicable
ieee802154: ca8210: Fix a potential UAF in ca8210_probe
xen-netback: use default TX queue size for vifs
drm/vmwgfx: fix typo of sizeof argument
ixgbe: fix crash with empty VF macvlan list
net: nfc: fix races in nfc_llcp_sock_get() and nfc_llcp_sock_get_sn()
nfc: nci: assert requested protocol is valid
workqueue: Override implicit ordered attribute in workqueue_apply_unbound_cpumask()
sched,idle,rcu: Push rcu_idle deeper into the idle path
dmaengine: stm32-mdma: abort resume if no ongoing transfer
usb: xhci: xhci-ring: Use sysdev for mapping bounce buffer
net: usb: dm9601: fix uninitialized variable use in dm9601_mdio_read
usb: dwc3: Soft reset phy on probe for host
usb: musb: Get the musb_qh poniter after musb_giveback
usb: musb: Modify the "HWVers" register address
iio: pressure: bmp280: Fix NULL pointer exception
iio: pressure: ms5611: ms5611_prom_is_valid false negative bug
mcb: remove is_added flag from mcb_device struct
ceph: fix incorrect revoked caps assert in ceph_fill_file_size()
Input: powermate - fix use-after-free in powermate_config_complete
Input: psmouse - fix fast_reconnect function for PS/2 mode
Input: xpad - add PXN V900 support
cgroup: Remove duplicates in cgroup v1 tasks file
pinctrl: avoid unsafe code pattern in find_pinctrl()
x86/cpu: Fix AMD erratum #1485 on Zen4-based CPUs
usb: gadget: udc-xilinx: replace memcpy with memcpy_toio
usb: gadget: ncm: Handle decoding of multiple NTB's in unwrap call
powerpc/64e: Fix wrong test in __ptep_test_and_clear_young()
x86/alternatives: Disable KASAN in apply_alternatives()
dev_forward_skb: do not scrub skb mark within the same name space
usb: hub: Guard against accesses to uninitialized BOS descriptors
Bluetooth: hci_event: Ignore NULL link key
Bluetooth: Reject connection with the device which has same BD_ADDR
Bluetooth: Fix a refcnt underflow problem for hci_conn
Bluetooth: vhci: Fix race when opening vhci device
Bluetooth: hci_event: Fix coding style
Bluetooth: avoid memcmp() out of bounds warning
nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
regmap: fix NULL deref on lookup
KVM: x86: Mask LVTPC when handling a PMI
netfilter: nft_payload: fix wrong mac header matching
xfrm: fix a data-race in xfrm_gen_index()
xfrm: interface: use DEV_STATS_INC()
net: ipv4: fix return value check in esp_remove_trailer
net: ipv6: fix return value check in esp_remove_trailer
net: rfkill: gpio: prevent value glitch during probe
tcp: fix excessive TLP and RACK timeouts from HZ rounding
tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
i40e: prevent crash on probe if hw registers have invalid values
net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
netfilter: nft_set_rbtree: .deactivate fails if element has expired
net: pktgen: Fix interface flags printing
libceph: fix unaligned accesses in ceph_entity_addr handling
libceph: use kernel_connect()
ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
btrfs: initialize start_slot in btrfs_log_prealloc_extents
i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
overlayfs: set ctime when setting mtime and atime
gpio: timberdale: Fix potential deadlock on &tgpio->lock
ata: libata-eh: Fix compilation warning in ata_eh_link_report()
tracing: relax trace_event_eval_update() execution with cond_resched()
HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
Bluetooth: Avoid redundant authentication
Bluetooth: hci_core: Fix build warnings
wifi: mac80211: allow transmitting EAPOL frames with tainted key
wifi: cfg80211: avoid leaking stack data into trace
sky2: Make sure there is at least one frag_addr available
drm: panel-orientation-quirks: Add quirk for One Mix 2S
btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
Bluetooth: hci_event: Fix using memcmp when comparing keys
mtd: rawnand: qcom: Unmap the right resource upon probe failure
mtd: spinand: micron: correct bitmask for ecc status
mmc: core: Capture correct oemid-bits for eMMC cards
Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
ACPI: irq: Fix incorrect return value in acpi_register_gsi()
USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
USB: serial: option: add entry for Sierra EM9191 with new firmware
USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
perf: Disallow mis-matched inherited group reads
s390/pci: fix iommu bitmap allocation
gpio: vf610: set value before the direction to avoid a glitch
ASoC: pxa: fix a memory leak in probe()
phy: mapphone-mdm6600: Fix runtime PM for remove
Bluetooth: hci_sock: fix slab oob read in create_monitor_event
Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
xfrm6: fix inet6_dev refcount underflow problem
Linux 4.19.297
Change-Id: I495e8b8fbb6416ec3f94094fa905bdde364618b4
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit cc9b364bb1d58d3dae270c7a931a8cc717dc2b3b ]
There are race conditions that may lead to inet6_dev refcount underflow
in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().
One of the refcount underflow bugs is shown below:
(cpu 1) | (cpu 2)
xfrm6_dst_destroy() |
... |
in6_dev_put() |
| rt6_uncached_list_flush_dev()
... | ...
| in6_dev_put()
rt6_uncached_list_del() | ...
... |
xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
again for the same inet6_dev.
Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
xfrm6_dst_destroy().
Fixes: 510c321b55 ("xfrm: reuse uncached_list to track xdsts")
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cb3871b1cd135a6662b732fbc6b3db4afcdb4a64 upstream.
The code pattern of memcpy(dst, src, strlen(src)) is almost always
wrong. In this case it is wrong because it leaves memory uninitialized
if it is less than sizeof(ni->name), and overflows ni->name when longer.
Normally strtomem_pad() could be used here, but since ni->name is a
trailing array in struct hci_mon_new_index, compilers that don't support
-fstrict-flex-arrays=3 can't tell how large this array is via
__builtin_object_size(). Instead, open-code the helper and use sizeof()
since it will work correctly.
Additionally mark ni->name as __nonstring since it appears to not be a
%NUL terminated C string.
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Cc: Edward AD <twuufnxlz@gmail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Fixes: 18f547f3fc07 ("Bluetooth: hci_sock: fix slab oob read in create_monitor_event")
Link: https://lore.kernel.org/lkml/202310110908.F2639D3276@keescook/
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 18f547f3fc074500ab5d419cf482240324e73a7e upstream.
When accessing hdev->name, the actual string length should prevail
Reported-by: syzbot+c90849c50ed209d77689@syzkaller.appspotmail.com
Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
Signed-off-by: Edward AD <twuufnxlz@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit b541260615f601ae1b5d6d0cc54e790de706303b ]
memcmp is not consider safe to use with cryptographic secrets:
'Do not use memcmp() to compare security critical data, such as
cryptographic secrets, because the required CPU time depends on the
number of equal bytes.'
While usage of memcmp for ZERO_KEY may not be considered a security
critical data, it can lead to more usage of memcmp with pairing keys
which could introduce more security problems.
Fixes: 455c2ff0a5 ("Bluetooth: Fix BR/EDR out-of-band pairing with only initiator data")
Fixes: 33155c4aae52 ("Bluetooth: hci_event: Ignore NULL link key")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 334bf33eec5701a1e4e967bcb7cc8611a998334b ]
If the structure is not initialized then boolean types might be copied
into the tracing data without being initialised. This causes data from
the stack to leak into the trace and also triggers a UBSAN failure which
can easily be avoided here.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Link: https://lore.kernel.org/r/20230925171855.a9271ef53b05.I8180bae663984c91a3e036b87f36a640ba409817@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 61304336c67358d49a989e5e0060d8c99bad6ca8 ]
Lower layer device driver stop/wake TX by calling ieee80211_stop_queue()/
ieee80211_wake_queue() while hw scan. Sometimes hw scan and PTK rekey are
running in parallel, when M4 sent from wpa_supplicant arrive while the TX
queue is stopped, then the M4 will pending send, and then new key install
from wpa_supplicant. After TX queue wake up by lower layer device driver,
the M4 will be dropped by below call stack.
When key install started, the current key flag is set KEY_FLAG_TAINTED in
ieee80211_pairwise_rekey(), and then mac80211 wait key install complete by
lower layer device driver. Meanwhile ieee80211_tx_h_select_key() will return
TX_DROP for the M4 in step 12 below, and then ieee80211_free_txskb() called
by ieee80211_tx_dequeue(), so the M4 will not send and free, then the rekey
process failed becaue AP not receive M4. Please see details in steps below.
There are a interval between KEY_FLAG_TAINTED set for current key flag and
install key complete by lower layer device driver, the KEY_FLAG_TAINTED is
set in this interval, all packet including M4 will be dropped in this
interval, the interval is step 8~13 as below.
issue steps:
TX thread install key thread
1. stop_queue -idle-
2. sending M4 -idle-
3. M4 pending -idle-
4. -idle- starting install key from wpa_supplicant
5. -idle- =>ieee80211_key_replace()
6. -idle- =>ieee80211_pairwise_rekey() and set
currently key->flags |= KEY_FLAG_TAINTED
7. -idle- =>ieee80211_key_enable_hw_accel()
8. -idle- =>drv_set_key() and waiting key install
complete from lower layer device driver
9. wake_queue -waiting state-
10. re-sending M4 -waiting state-
11. =>ieee80211_tx_h_select_key() -waiting state-
12. drop M4 by KEY_FLAG_TAINTED -waiting state-
13. -idle- install key complete with success/fail
success: clear flag KEY_FLAG_TAINTED
fail: start disconnect
Hence add check in step 11 above to allow the EAPOL send out in the
interval. If lower layer device driver use the old key/cipher to encrypt
the M4, then AP received/decrypt M4 correctly, after M4 send out, lower
layer device driver install the new key/cipher to hardware and return
success.
If lower layer device driver use new key/cipher to send the M4, then AP
will/should drop the M4, then it is same result with this issue, AP will/
should kick out station as well as this issue.
issue log:
kworker/u16:4-5238 [000] 6456.108926: stop_queue: phy1 queue:0, reason:0
wpa_supplicant-961 [003] 6456.119737: rdev_tx_control_port: wiphy_name=phy1 name=wlan0 ifindex=6 dest=ARRAY[9e, 05, 31, 20, 9b, d0] proto=36488 unencrypted=0
wpa_supplicant-961 [003] 6456.119839: rdev_return_int_cookie: phy1, returned 0, cookie: 504
wpa_supplicant-961 [003] 6456.120287: rdev_add_key: phy1, netdev:wlan0(6), key_index: 0, mode: 0, pairwise: true, mac addr: 9e:05:31:20:9b:d0
wpa_supplicant-961 [003] 6456.120453: drv_set_key: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 cipher:0xfac04, flags=0x9, keyidx=0, hw_key_idx=0
kworker/u16:9-3829 [001] 6456.168240: wake_queue: phy1 queue:0, reason:0
kworker/u16:9-3829 [001] 6456.168255: drv_wake_tx_queue: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 ac:0 tid:7
kworker/u16:9-3829 [001] 6456.168305: cfg80211_control_port_tx_status: wdev(1), cookie: 504, ack: false
wpa_supplicant-961 [003] 6459.167982: drv_return_int: phy1 - -110
issue call stack:
nl80211_frame_tx_status+0x230/0x340 [cfg80211]
cfg80211_control_port_tx_status+0x1c/0x28 [cfg80211]
ieee80211_report_used_skb+0x374/0x3e8 [mac80211]
ieee80211_free_txskb+0x24/0x40 [mac80211]
ieee80211_tx_dequeue+0x644/0x954 [mac80211]
ath10k_mac_tx_push_txq+0xac/0x238 [ath10k_core]
ath10k_mac_op_wake_tx_queue+0xac/0xe0 [ath10k_core]
drv_wake_tx_queue+0x80/0x168 [mac80211]
__ieee80211_wake_txqs+0xe8/0x1c8 [mac80211]
_ieee80211_wake_txqs+0xb4/0x120 [mac80211]
ieee80211_wake_txqs+0x48/0x80 [mac80211]
tasklet_action_common+0xa8/0x254
tasklet_action+0x2c/0x38
__do_softirq+0xdc/0x384
Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Link: https://lore.kernel.org/r/20230801064751.25803-1-quic_wgong@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit dcda165706b9fbfd685898d46a6749d7d397e0c0 ]
This fixes the following warnings:
net/bluetooth/hci_core.c: In function ‘hci_register_dev’:
net/bluetooth/hci_core.c:2620:54: warning: ‘%d’ directive output may
be truncated writing between 1 and 10 bytes into a region of size 5
[-Wformat-truncation=]
2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
| ^~
net/bluetooth/hci_core.c:2620:50: note: directive argument in the range
[0, 2147483647]
2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
| ^~~~~~~
net/bluetooth/hci_core.c:2620:9: note: ‘snprintf’ output between 5 and
14 bytes into a destination of size 8
2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 1d8e801422d66e4b8c7b187c52196bef94eed887 ]
While executing the Android 13 CTS Verifier Secure Server test on a
ChromeOS device, it was observed that the Bluetooth host initiates
authentication for an RFCOMM connection after SSP completes.
When this happens, some Intel Bluetooth controllers, like AC9560, would
disconnect with "Connection Rejected due to Security Reasons (0x0e)".
Historically, BlueZ did not mandate this authentication while an
authenticated combination key was already in use for the connection.
This behavior was changed since commit 7b5a9241b7
("Bluetooth: Introduce requirements for security level 4").
So, this patch addresses the aforementioned disconnection issue by
restoring the previous behavior.
Signed-off-by: Ying Hsu <yinghsu@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 7563cf17dce0a875ba3d872acdc63a78ea344019 ]
Direct calls to ops->connect() can overwrite the address parameter when
used in conjunction with BPF SOCK_ADDR hooks. Recent changes to
kernel_connect() ensure that callers are insulated from such side
effects. This patch wraps the direct call to ops->connect() with
kernel_connect() to prevent unexpected changes to the address passed to
ceph_tcp_connect().
This change was originally part of a larger patch targeting the net tree
addressing all instances of unprotected calls to ops->connect()
throughout the kernel, but this change was split up into several patches
targeting various trees.
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/netdev/20230821100007.559638-1-jrife@google.com/
Link: https://lore.kernel.org/netdev/9944248dba1bce861375fcce9de663934d933ba9.camel@redhat.com/
Fixes: d74bad4e74 ("bpf: Hooks for sys_connect")
Signed-off-by: Jordan Rife <jrife@google.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit cede185b1ba3118e1912385db4812a37d9e9b205 ]
GCC9 is throwing a lot of warnings about unaligned access. This patch
fixes some of them by changing most of the sockaddr handling functions
to take a pointer to struct ceph_entity_addr instead of struct
sockaddr_storage. The lower functions can then make copies or do
unaligned accesses as needed.
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Stable-dep-of: 7563cf17dce0 ("libceph: use kernel_connect()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 1d30162f35c7a73fc2f8cdcdcdbd690bedb99d1a upstream.
Device flags are displayed incorrectly:
1) The comparison (i == F_FLOW_SEQ) is always false, because F_FLOW_SEQ
is equal to (1 << FLOW_SEQ_SHIFT) == 2048, and the maximum value
of the 'i' variable is (NR_PKT_FLAG - 1) == 17. It should be compared
with FLOW_SEQ_SHIFT.
2) Similarly to the F_IPSEC flag.
3) Also add spaces to the print end of the string literal "spi:%u"
to prevent the output from merging with the flag that follows.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: 99c6d3d20d ("pktgen: Remove brute-force printing of flags")
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d111692a59c1470ae530cbb39bcf0346c950ecc7 upstream.
This allows to remove an expired element which is not possible in other
existing set backends, this is more noticeable if gc-interval is high so
expired elements remain in the tree. On-demand gc also does not help in
this case, because this is delete element path. Return NULL if element
has expired.
Fixes: 8d8540c4f5 ("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit a13b67c9a015c4e21601ef9aa4ec9c5d972df1b4 upstream.
Christian Theune says:
I upgraded from 6.1.38 to 6.1.55 this morning and it broke my traffic shaping script,
leaving me with a non-functional uplink on a remote router.
A 'rt' curve cannot be used as a inner curve (parent class), but we were
allowing such configurations since the qdisc was introduced. Such
configurations would trigger a UAF as Budimir explains:
The parent will have vttree_insert() called on it in init_vf(),
but will not have vttree_remove() called on it in update_vf()
because it does not have the HFSC_FSC flag set.
The qdisc always assumes that inner classes have the HFSC_FSC flag set.
This is by design as it doesn't make sense 'qdisc wise' for an 'rt'
curve to be an inner curve.
Budimir's original patch disallows users to add classes with a 'rt'
parent, but this is too strict as it breaks users that have been using
'rt' as a inner class. Another approach, taken by this patch, is to
upgrade the inner 'rt' into a 'sc', warning the user in the process.
It avoids the UAF reported by Budimir while also being more permissive
to bad scripts/users/code using 'rt' as a inner class.
Users checking the `tc class ls [...]` or `tc class get [...]` dumps would
observe the curve change and are potentially breaking with this change.
v1->v2: https://lore.kernel.org/all/20231013151057.2611860-1-pctammela@mojatatu.com/
- Correct 'Fixes' tag and merge with revert (Jakub)
Cc: Christian Theune <ct@flyingcircus.io>
Cc: Budimir Markovic <markovicbudimir@gmail.com>
Fixes: b3d26c5702c7 ("net/sched: sch_hfsc: Ensure inner classes have fsc curve")
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20231017143602.3191556-1-pctammela@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f921a4a5bffa8a0005b190fb9421a7fc1fd716b6 upstream.
In commit 75eefc6c59 ("tcp: tsq: add a shortcut in tcp_small_queue_check()")
we allowed to send an skb regardless of TSQ limits being hit if rtx queue
was empty or had a single skb, in order to better fill the pipe
when/if TX completions were slow.
Then later, commit 75c119afe1 ("tcp: implement rb-tree based
retransmit queue") accidentally removed the special case for
one skb in rtx queue.
Stefan Wahren reported a regression in single TCP flow throughput
using a 100Mbit fec link, starting from commit 65466904b015 ("tcp: adjust
TSO packet sizes based on min_rtt"). This last commit only made the
regression more visible, because it locked the TCP flow on a particular
behavior where TSQ prevented two skbs being pushed downstream,
adding silences on the wire between each TSO packet.
Many thanks to Stefan for his invaluable help !
Fixes: 75c119afe1 ("tcp: implement rb-tree based retransmit queue")
Link: https://lore.kernel.org/netdev/7f31ddc8-9971-495e-a1f6-819df542e0af@gmx.net/
Reported-by: Stefan Wahren <wahrenst@gmx.net>
Tested-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Link: https://lore.kernel.org/r/20231017124526.4060202-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1c2709cfff1dedbb9591e989e2f001484208d914 upstream.
We discovered from packet traces of slow loss recovery on kernels with
the default HZ=250 setting (and min_rtt < 1ms) that after reordering,
when receiving a SACKed sequence range, the RACK reordering timer was
firing after about 16ms rather than the desired value of roughly
min_rtt/4 + 2ms. The problem is largely due to the RACK reorder timer
calculation adding in TCP_TIMEOUT_MIN, which is 2 jiffies. On kernels
with HZ=250, this is 2*4ms = 8ms. The TLP timer calculation has the
exact same issue.
This commit fixes the TLP transmit timer and RACK reordering timer
floor calculation to more closely match the intended 2ms floor even on
kernels with HZ=250. It does this by adding in a new
TCP_TIMEOUT_MIN_US floor of 2000 us and then converting to jiffies,
instead of the current approach of converting to jiffies and then
adding th TCP_TIMEOUT_MIN value of 2 jiffies.
Our testing has verified that on kernels with HZ=1000, as expected,
this does not produce significant changes in behavior, but on kernels
with the default HZ=250 the latency improvement can be large. For
example, our tests show that for HZ=250 kernels at low RTTs this fix
roughly halves the latency for the RACK reorder timer: instead of
mostly firing at 16ms it mostly fires at 8ms.
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Fixes: bb4d991a28 ("tcp: adjust tail loss probe timeout")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20231015174700.2206872-1-ncardwell.sw@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b2f750c3a80b285cd60c9346f8c96bd0a2a66cde upstream.
When either reset- or shutdown-gpio have are initially deasserted,
e.g. after a reboot - or when the hardware does not include pull-down,
there will be a short toggle of both IOs to logical 0 and back to 1.
It seems that the rfkill default is unblocked, so the driver should not
glitch to output low during probe.
It can lead e.g. to unexpected lte modem reconnect:
[1] root@localhost:~# dmesg | grep "usb 2-1"
[ 2.136124] usb 2-1: new SuperSpeed USB device number 2 using xhci-hcd
[ 21.215278] usb 2-1: USB disconnect, device number 2
[ 28.833977] usb 2-1: new SuperSpeed USB device number 3 using xhci-hcd
The glitch has been discovered on an arm64 board, now that device-tree
support for the rfkill-gpio driver has finally appeared :).
Change the flags for devm_gpiod_get_optional from GPIOD_OUT_LOW to
GPIOD_ASIS to avoid any glitches.
The rfkill driver will set the intended value during rfkill_sync_work.
Fixes: 7176ba23f8 ("net: rfkill: add generic gpio rfkill driver")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Link: https://lore.kernel.org/r/20231004163928.14609-1-josua@solid-run.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit dad4e491e30b20f4dc615c9da65d2142d703b5c2 upstream.
In esp_remove_trailer(), to avoid an unexpected result returned by
pskb_trim, we should check the return value of pskb_trim().
Signed-off-by: Ma Ke <make_ruc2021@163.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 513f61e2193350c7a345da98559b80f61aec4fa6 upstream.
In esp_remove_trailer(), to avoid an unexpected result returned by
pskb_trim, we should check the return value of pskb_trim().
Signed-off-by: Ma Ke <make_ruc2021@163.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d351c1ea2de3e36e608fc355d8ae7d0cc80e6cd6 upstream.
mcast packets get looped back to the local machine.
Such packets have a 0-length mac header, we should treat
this like "mac header not set" and abort rule evaluation.
As-is, we just copy data from the network header instead.
Fixes: 96518518cc ("netfilter: add nftables")
Reported-by: Blažej Krajňák <krajnak@levonet.sk>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 9d1a3c74746428102d55371fbf74b484733937d9 upstream.
bacmp() is a wrapper around memcpy(), which contain compile-time
checks for buffer overflow. Since the hci_conn_request_evt() also calls
bt_dev_dbg() with an implicit NULL pointer check, the compiler is now
aware of a case where 'hdev' is NULL and treats this as meaning that
zero bytes are available:
In file included from net/bluetooth/hci_event.c:32:
In function 'bacmp',
inlined from 'hci_conn_request_evt' at net/bluetooth/hci_event.c:3276:7:
include/net/bluetooth/bluetooth.h:364:16: error: 'memcmp' specified bound 6 exceeds source size 0 [-Werror=stringop-overread]
364 | return memcmp(ba1, ba2, sizeof(bdaddr_t));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Add another NULL pointer check before the bacmp() to ensure the compiler
understands the code flow enough to not warn about it. Since the patch
that introduced the warning is marked for stable backports, this one
should also go that way to avoid introducing build regressions.
Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
Cc: Kees Cook <keescook@chromium.org>
Cc: "Lee, Chun-Yi" <jlee@suse.com>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 35d91d95a0cd61ebb90e0246dc917fd25e519b8c upstream.
This fixes the following code style problem:
ERROR: that open brace { should be on the previous line
+ if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+ {
Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c7f59461f5a78994613afc112cdd73688aef9076 upstream.
Syzbot reports a warning as follows:
WARNING: CPU: 1 PID: 26946 at net/bluetooth/hci_conn.c:619
hci_conn_timeout+0x122/0x210 net/bluetooth/hci_conn.c:619
...
Call Trace:
<TASK>
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
It is because the HCI_EV_SIMPLE_PAIR_COMPLETE event handler drops
hci_conn directly without check Simple Pairing whether be enabled. But
the Simple Pairing process can only be used if both sides have the
support enabled in the host stack.
Add hci_conn_ssp_enabled() for hci_conn in HCI_EV_IO_CAPA_REQUEST and
HCI_EV_SIMPLE_PAIR_COMPLETE event handlers to fix the problem.
Fixes: 0493684ed2 ("[Bluetooth] Disable disconnect timer during Simple Pairing")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1ffc6f8cc33268731fcf9629fc4438f6db1191fc upstream.
This change is used to relieve CVE-2020-26555. The description of
the CVE:
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]
The detail of this attack is in IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]
It's a reflection attack. The paper mentioned that attacker can induce
the attacked target to generate null link key (zero key) without PIN
code. In BR/EDR, the key generation is actually handled in the controller
which is below HCI.
A condition of this attack is that attacker should change the
BR_ADDR of his hacking device (Host B) to equal to the BR_ADDR with
the target device being attacked (Host A).
Thus, we reject the connection with device which has same BD_ADDR
both on HCI_Create_Connection and HCI_Connection_Request to prevent
the attack. A similar implementation also shows in btstack project.
[3][4]
Cc: stable@vger.kernel.org
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [3]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [4]
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 33155c4aae5260475def6f7438e4e35564f4f3ba upstream.
This change is used to relieve CVE-2020-26555. The description of the
CVE:
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]
The detail of this attack is in IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]
It's a reflection attack. The paper mentioned that attacker can induce
the attacked target to generate null link key (zero key) without PIN
code. In BR/EDR, the key generation is actually handled in the controller
which is below HCI.
Thus, we can ignore null link key in the handler of "Link Key Notification
event" to relieve the attack. A similar implementation also shows in
btstack project. [3]
v3: Drop the connection when null link key be detected.
v2:
- Used Link: tag instead of Closes:
- Used bt_dev_dbg instead of BT_DBG
- Added Fixes: tag
Cc: stable@vger.kernel.org
Fixes: 55ed8ca10f ("Bluetooth: Implement link key handling for the management interface")
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 354a6e707e29cb0c007176ee5b8db8be7bd2dee0 ]
The protocol is used in a bit mask to determine if the protocol is
supported. Assert the provided protocol is less than the maximum
defined so it doesn't potentially perform a shift-out-of-bounds and
provide a clearer error for undefined protocols vs unsupported ones.
Fixes: 6a2968aaf5 ("NFC: basic NCI protocol implementation")
Reported-and-tested-by: syzbot+0839b78e119aae1fec78@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=0839b78e119aae1fec78
Signed-off-by: Jeremy Cline <jeremy@jcline.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20231009200054.82557-1-jeremy@jcline.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 31c07dffafce914c1d1543c135382a11ff058d93 ]
Sili Luo reported a race in nfc_llcp_sock_get(), leading to UAF.
Getting a reference on the socket found in a lookup while
holding a lock should happen before releasing the lock.
nfc_llcp_sock_get_sn() has a similar problem.
Finally nfc_llcp_recv_snl() needs to make sure the socket
found by nfc_llcp_sock_from_sn() does not disappear.
Fixes: 8f50020ed9 ("NFC: LLCP late binding")
Reported-by: Sili Luo <rootlab@huawei.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willy Tarreau <w@1wt.eu>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20231009123110.3735515-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit c889a99a21bf124c3db08d09df919f0eccc5ea4c upstream.
Similar to the change in commit 0bdf399342c5("net: Avoid address
overwrite in kernel_connect"), BPF hooks run on bind may rewrite the
address passed to kernel_bind(). This change
1) Makes a copy of the bind address in kernel_bind() to insulate
callers.
2) Replaces direct calls to sock->ops->bind() in net with kernel_bind()
Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/
Fixes: 4fbac77d2d ("bpf: Hooks for sys_bind")
Cc: stable@vger.kernel.org
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jordan Rife <jrife@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 86a7e0b69bd5b812e48a20c66c2161744f3caa16 ]
Callers of sock_sendmsg(), and similarly kernel_sendmsg(), in kernel
space may observe their value of msg_name change in cases where BPF
sendmsg hooks rewrite the send address. This has been confirmed to break
NFS mounts running in UDP mode and has the potential to break other
systems.
This patch:
1) Creates a new function called __sock_sendmsg() with same logic as the
old sock_sendmsg() function.
2) Replaces calls to sock_sendmsg() made by __sys_sendto() and
__sys_sendmsg() with __sock_sendmsg() to avoid an unnecessary copy,
as these system calls are already protected.
3) Modifies sock_sendmsg() so that it makes a copy of msg_name if
present before passing it down the stack to insulate callers from
changes to the send address.
Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/
Fixes: 1cedee13d2 ("bpf: Hooks for sys_sendmsg")
Cc: stable@vger.kernel.org
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jordan Rife <jrife@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 85806af0c6bac0feb777e255a25fd5d0cf6ad38e ]
Fix kernel-doc warnings by moving the kernel-doc notation to be
immediately above the functions that it describes.
Fixes these warnings for sock_sendmsg() and sock_recvmsg():
../net/socket.c:658: warning: Excess function parameter 'sock' description in 'INDIRECT_CALLABLE_DECLARE'
../net/socket.c:658: warning: Excess function parameter 'msg' description in 'INDIRECT_CALLABLE_DECLARE'
../net/socket.c:889: warning: Excess function parameter 'sock' description in 'INDIRECT_CALLABLE_DECLARE'
../net/socket.c:889: warning: Excess function parameter 'msg' description in 'INDIRECT_CALLABLE_DECLARE'
../net/socket.c:889: warning: Excess function parameter 'flags' description in 'INDIRECT_CALLABLE_DECLARE'
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 8c3c447b3cec27cf6f77080f4d157d53b64e9555 ]
This avoids an indirect call per {send,recv}msg syscall in
the common (IPv6 or IPv4 socket) case.
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 86a7e0b69bd5 ("net: prevent rewrite of msg_name in sock_sendmsg()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
* sm8250/lineage-20:
UPSTREAM: net/sched: sch_hfsc: Ensure inner classes have fsc curve
UPSTREAM: net: sched: sch_qfq: Fix UAF in qfq_dequeue()
Linux 4.19.295
net/sched: Retire rsvp classifier
net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
nfsd: fix change_info in NFSv4 RENAME replies
btrfs: fix lockdep splat and potential deadlock after failure running delayed items
attr: block mode changes of symlinks
md/raid1: fix error: ISO C90 forbids mixed declarations
kobject: Add sanity check for kset->kobj.ktype in kset_register()
media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning
serial: cpm_uart: Avoid suspicious locking
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
media: pci: cx23885: replace BUG with error return
media: tuners: qt1010: replace BUG_ON with a regular error
iio: core: Use min() instead of min_t() to make code more robust
media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
media: anysee: fix null-ptr-deref in anysee_master_xfer
media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
ext2: fix datatype of block number in ext2_xattr_set2()
md: raid1: fix potential OOB in raid1_remove_disk()
drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
alx: fix OOB-read compiler warning
tpm_tis: Resend command to recover from data transfer errors
crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
wifi: mwifiex: fix fortify warning
wifi: ath9k: fix printk specifier
hw_breakpoint: fix single-stepping when using bpf_overflow_handler
ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
btrfs: output extra debug info if we failed to find an inline backref
autofs: fix memory leak of waitqueues in autofs_catatonic_mode
parisc: Drop loops_per_jiffy from per_cpu struct
drm/amd/display: Fix a bug when searching for insert_above_mpcc
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
ixgbe: fix timestamp configuration code
kcm: Fix memory leak in error path of kcm_sendmsg()
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
perf hists browser: Fix hierarchy mode header
mtd: rawnand: brcmnand: Fix potential false time out warning
mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
mtd: rawnand: brcmnand: Fix crash during the panic_write
btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
ata: pata_ftide010: Add missing MODULE_DESCRIPTION
ata: sata_gemini: Add missing MODULE_DESCRIPTION
netfilter: nfnetlink_osf: avoid OOB read
idr: fix param name in idr_alloc_cyclic() doc
igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
kcm: Destroy mutex in kcm_exit_net()
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
af_unix: Fix data race around sk->sk_err.
af_unix: Fix data-races around sk->sk_shutdown.
af_unix: Fix data-race around unix_tot_inflight.
af_unix: Fix data-races around user->unix_inflight.
net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
veth: Fixing transmit return status for dropped packets
igb: disable virtualization features on 82580
net: read sk->sk_family once in sk_mc_loop()
pwm: lpc32xx: Remove handling of PWM channels
watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
kconfig: fix possible buffer overflow
NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
soc: qcom: qmi_encdec: Restrict string length in decode
clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
parisc: led: Reduce CPU overhead for disk & lan LED computation
parisc: led: Fix LAN receive and transmit LEDs
drm/ast: Fix DRAM init on AST2200
fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
scsi: qla2xxx: Turn off noisy message log
scsi: qla2xxx: fix inconsistent TMF timeout
udf: initialize newblock to 0
usb: typec: tcpci: clear the fault status bit
serial: sc16is7xx: fix broken port 0 uart init
sc16is7xx: Set iobase to device index
PCI/ATS: Add inline to pci_prg_resp_pasid_required()
pstore/ram: Check start of empty przs during init
net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
X.509: if signature is unsupported skip validation
cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug
crypto: stm32 - fix loop iterating through scatterlist for DMA
dccp: Fix out of bounds access in DCCP error handler
dlm: fix plock lookup when using multiple lockspaces
parisc: Fix /proc/cpuinfo output for lscpu
procfs: block chmod on /proc/thread-self/comm
Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
ntb: Fix calculation ntb_transport_tx_free_entry()
ntb: Clean up tx tail index on link down
ntb: Drop packets when qp link is down
media: dvb: symbol fixup for dvb_attach()
backlight/lv5207lp: Compare against struct fb_info.device
backlight/bd6107: Compare against struct fb_info.device
backlight/gpio_backlight: Compare against struct fb_info.device
ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
ipmi_si: fix a memleak in try_smi_init()
ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
PM / devfreq: Fix leak in devfreq_dev_release()
igb: set max size RX buffer when store bad packet is enabled
skbuff: skb_segment, Call zero copy functions before using skbuff frags
netfilter: xt_sctp: validate the flag_info count
netfilter: xt_u32: validate user space input
netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
dmaengine: ste_dma40: Add missing IRQ check in d40_probe
um: Fix hostaudio build errors
arch: um: drivers: Kconfig: pedantic formatting
rpmsg: glink: Add check for kstrdup
HID: multitouch: Correct devm device reference for hidinput input_dev name
Revert "IB/isert: Fix incorrect release of isert connection"
amba: bus: fix refcount leak
serial: tegra: handle clk prepare error in tegra_uart_hw_init()
scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
scsi: core: Use 32-bit hostnum in scsi_host_lookup()
cgroup:namespace: Remove unused cgroup_namespaces_init()
media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors
media: ov2680: Fix vflip / hflip set functions
media: ov2680: Fix ov2680_bayer_order()
media: ov2680: Remove auto-gain and auto-exposure controls
media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips
USB: gadget: f_mass_storage: Fix unused variable warning
media: go7007: Remove redundant if statement
IB/uverbs: Fix an potential error pointer dereference
dma-buf/sync_file: Fix docs syntax
scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
x86/APM: drop the duplicate APM_MINOR_DEV macro
scsi: qla4xxx: Add length check when parsing nlattrs
scsi: be2iscsi: Add length check when parsing nlattrs
scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()
media: mediatek: vcodec: Return NULL if no vdec_fb is found
media: cx24120: Add retval check for cx24120_message_send()
media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
media: dib7000p: Fix potential division by zero
drivers: usb: smsusb: fix error handling code in smsusb_init_device
media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()
media: v4l2-fwnode: simplify v4l2_fwnode_parse_link
media: v4l2-fwnode: fix v4l2_fwnode_parse_link handling
media: Use of_node_name_eq for node name comparisons
NFSD: da_addr_body field missing in some GETDEVICEINFO replies
fs: lockd: avoid possible wrong NULL parameter
jfs: validate max amount of blocks before allocation.
powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
nfs/blocklayout: Use the passed in gfp flags
wifi: ath10k: Use RMW accessors for changing LNKCTL
drm/radeon: Use RMW accessors for changing LNKCTL
drm/radeon: Prefer pcie_capability_read_word()
drm/radeon: Replace numbers with PCI_EXP_LNKCTL2 definitions
drm/radeon: Correct Transmit Margin masks
drm/amdgpu: Use RMW accessors for changing LNKCTL
drm/amdgpu: Prefer pcie_capability_read_word()
drm/amdgpu: Replace numbers with PCI_EXP_LNKCTL2 definitions
drm/amdgpu: Correct Transmit Margin masks
PCI: Add #defines for Enter Compliance, Transmit Margin
PCI: Decode PCIe 32 GT/s link speed
PCI: Cleanup register definition width and whitespace
PCI/ATS: Add pci_prg_resp_pasid_required() interface.
PCI/ASPM: Use RMW accessors for changing LNKCTL
PCI: pciehp: Use RMW accessors for changing LNKCTL
PCI: Mark NVIDIA T4 GPUs to avoid bus reset
clk: sunxi-ng: Modify mismatched function name
drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init()
ALSA: ac97: Fix possible error value of *rac97
of: unittest: Fix overlay type in apply/revert check
audit: fix possible soft lockup in __audit_inode_child()
smackfs: Prevent underflow in smk_set_cipso()
drm/msm/mdp5: Don't leak some plane state
drm/msm: Replace drm_framebuffer_{un/reference} with put, get functions
of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
drm/tegra: dpaux: Fix incorrect return value of platform_get_irq
drm/tegra: Remove superfluous error messages around platform_get_irq()
ARM: dts: BCM53573: Fix Ethernet info for Luxul devices
drm: adv7511: Fix low refresh rate register for ADV7533/5
ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)
ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210
ARM: dts: s5pv210: correct ethernet unit address in SMDKV210
ARM: dts: s5pv210: use defines for IRQ flags in SMDKV210
ARM: dts: s5pv210: add RTC 32 KHz clock in SMDKV210
ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)
ARM: dts: s3c64xx: align pinctrl with dtschema
ARM: dts: s3c6410: align node SROM bus node name with dtschema in Mini6410
ARM: dts: s3c6410: move fixed clocks under root node in Mini6410
ARM: dts: BCM53573: Use updated "spi-gpio" binding properties
ARM: dts: BCM53573: Add cells sizes to PCIe node
ARM: dts: BCM53573: Drop nonexistent #usb-cells
ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch
ARM: dts: BCM5301X: Harmonize EHCI/OHCI DT nodes name
drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar()
arm64: dts: qcom: msm8996: Add missing interrupt to the USB2 controller
arm64: dts: msm8996: thermal: Add interrupt support
quota: fix dqput() to follow the guarantees dquot_srcu should provide
quota: add new helper dquot_active()
quota: rename dquot_active() to inode_quota_active()
quota: factor out dquot_write_dquot()
quota: avoid increasing DQST_LOOKUPS when iterating over dirty/inuse list
quota: add dqi_dirty_list description to comment of Dquot List Management
netrom: Deny concurrent connect().
net/sched: sch_hfsc: Ensure inner classes have fsc curve
net: arcnet: Do not call kfree_skb() under local_irq_disable()
wifi: ath9k: use IS_ERR() with debugfs_create_dir()
wifi: mwifiex: avoid possible NULL skb pointer dereference
wifi: ath9k: protect WMI command response buffer replacement with a lock
wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
wifi: mwifiex: Fix missed return in oob checks failed path
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
fs: ocfs2: namei: check return value of ocfs2_add_entry()
lwt: Check LWTUNNEL_XMIT_CONTINUE strictly
crypto: caam - fix unchecked return value error
Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe()
wifi: mwifiex: fix error recovery in PCIE buffer descriptor management
mwifiex: switch from 'pci_' to 'dma_' API
mwifiex: drop 'set_consistent_dma_mask' log message
wifi: mwifiex: Fix OOB and integer underflow when rx packets
can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM
spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe()
regmap: rbtree: Use alloc_flags for memory allocations
tcp: tcp_enter_quickack_mode() should be static
bpf: Clear the probe_addr for uprobe
cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit()
fs: Fix error checking for d_hash_and_lookup()
netfilter: nf_tables: missing NFT_TRANS_PREPARE_ERROR in flowtable deactivatation
netfilter: nft_flow_offload: fix underflow in flowtable reference counter
new helper: lookup_positive_unlocked()
eventfd: prevent underflow for eventfd semaphores
eventfd: Export eventfd_ctx_do_read()
reiserfs: Check the return value from __getblk()
Revert "net: macsec: preserve ingress frame ordering"
udf: Handle error when adding extent to a file
udf: Check consistency of Space Bitmap Descriptor
powerpc/32s: Fix assembler warning about r0
powerpc/32: Include .branch_lt in data section
net: Avoid address overwrite in kernel_connect
ALSA: seq: oss: Fix racy open/close of MIDI devices
cifs: add a warning when the in-flight count goes negative
sctp: handle invalid error codes without calling BUG()
bnx2x: fix page fault following EEH recovery
netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM
net: usb: qmi_wwan: add Quectel EM05GV2
security: keys: perform capable check only on privileged operations
platform/x86: intel: hid: Always call BTNL ACPI method
ASoC: atmel: Fix the 8K sample parameter in I2SC master
ASoc: codecs: ES8316: Fix DMIC config
fs/nls: make load_nls() take a const parameter
s390/dasd: fix hanging device after request requeue
s390/dasd: use correct number of retries for ERP requests
m68k: Fix invalid .section syntax
vxlan: generalize vxlan_parse_gpe_hdr and remove unused args
ethernet: atheros: fix return value check in atl1c_tso_csum()
ASoC: da7219: Check for failure reading AAD IRQ events
ASoC: da7219: Flush pending AAD IRQ when suspending
9p: virtio: make sure 'offs' is initialized in zc_request
pinctrl: amd: Don't show `Invalid config param` errors
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
fsi: master-ast-cf: Add MODULE_FIRMWARE macro
serial: sc16is7xx: fix bug when first setting GPIO direction
Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
HID: wacom: remove the battery when the EKR is off
USB: serial: option: add FOXCONN T99W368/T99W373 product
USB: serial: option: add Quectel EM05G variant (0x030e)
modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules
rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff
mmc: au1xmmc: force non-modular build and remove symbol_get usage
ARM: pxa: remove use of symbol_get()
erofs: ensure that the post-EOF tails are all zeroed
dsp: add lock in ion free to avoid use after free
mdm: dataipa: increase the size of prefetch buffer
exec: Force single empty string when argv is empty
BACKPORT: FROMLIST: mm: protect free_pgtables with mmap_lock write lock in exit_mmap
ASoC: Resolve use after free in listen sound client
qseecom: Release ion buffer in case of keymaster TA
msm: camera: cci: Optimize the processing of CCI timeout
Change-Id: I76a47c3c280485aeb05172abf54bab87a424ae80
https://source.android.com/docs/security/bulletin/2023-10-01
* tag 'ASB-2023-10-06_4.19-stable' of https://android.googlesource.com/kernel/common:
UPSTREAM: net/sched: sch_hfsc: Ensure inner classes have fsc curve
UPSTREAM: net: sched: sch_qfq: Fix UAF in qfq_dequeue()
Linux 4.19.295
net/sched: Retire rsvp classifier
net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
nfsd: fix change_info in NFSv4 RENAME replies
btrfs: fix lockdep splat and potential deadlock after failure running delayed items
attr: block mode changes of symlinks
md/raid1: fix error: ISO C90 forbids mixed declarations
kobject: Add sanity check for kset->kobj.ktype in kset_register()
media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning
serial: cpm_uart: Avoid suspicious locking
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
media: pci: cx23885: replace BUG with error return
media: tuners: qt1010: replace BUG_ON with a regular error
iio: core: Use min() instead of min_t() to make code more robust
media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
media: anysee: fix null-ptr-deref in anysee_master_xfer
media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
ext2: fix datatype of block number in ext2_xattr_set2()
md: raid1: fix potential OOB in raid1_remove_disk()
drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
alx: fix OOB-read compiler warning
tpm_tis: Resend command to recover from data transfer errors
crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
wifi: mwifiex: fix fortify warning
wifi: ath9k: fix printk specifier
hw_breakpoint: fix single-stepping when using bpf_overflow_handler
ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
btrfs: output extra debug info if we failed to find an inline backref
autofs: fix memory leak of waitqueues in autofs_catatonic_mode
parisc: Drop loops_per_jiffy from per_cpu struct
drm/amd/display: Fix a bug when searching for insert_above_mpcc
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
ixgbe: fix timestamp configuration code
kcm: Fix memory leak in error path of kcm_sendmsg()
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
perf hists browser: Fix hierarchy mode header
mtd: rawnand: brcmnand: Fix potential false time out warning
mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
mtd: rawnand: brcmnand: Fix crash during the panic_write
btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
ata: pata_ftide010: Add missing MODULE_DESCRIPTION
ata: sata_gemini: Add missing MODULE_DESCRIPTION
netfilter: nfnetlink_osf: avoid OOB read
idr: fix param name in idr_alloc_cyclic() doc
igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
kcm: Destroy mutex in kcm_exit_net()
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
af_unix: Fix data race around sk->sk_err.
af_unix: Fix data-races around sk->sk_shutdown.
af_unix: Fix data-race around unix_tot_inflight.
af_unix: Fix data-races around user->unix_inflight.
net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
veth: Fixing transmit return status for dropped packets
igb: disable virtualization features on 82580
net: read sk->sk_family once in sk_mc_loop()
pwm: lpc32xx: Remove handling of PWM channels
watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
kconfig: fix possible buffer overflow
NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
soc: qcom: qmi_encdec: Restrict string length in decode
clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
parisc: led: Reduce CPU overhead for disk & lan LED computation
parisc: led: Fix LAN receive and transmit LEDs
drm/ast: Fix DRAM init on AST2200
fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
scsi: qla2xxx: Turn off noisy message log
scsi: qla2xxx: fix inconsistent TMF timeout
udf: initialize newblock to 0
usb: typec: tcpci: clear the fault status bit
serial: sc16is7xx: fix broken port 0 uart init
sc16is7xx: Set iobase to device index
PCI/ATS: Add inline to pci_prg_resp_pasid_required()
pstore/ram: Check start of empty przs during init
net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
X.509: if signature is unsupported skip validation
cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug
crypto: stm32 - fix loop iterating through scatterlist for DMA
dccp: Fix out of bounds access in DCCP error handler
dlm: fix plock lookup when using multiple lockspaces
parisc: Fix /proc/cpuinfo output for lscpu
procfs: block chmod on /proc/thread-self/comm
Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
ntb: Fix calculation ntb_transport_tx_free_entry()
ntb: Clean up tx tail index on link down
ntb: Drop packets when qp link is down
media: dvb: symbol fixup for dvb_attach()
backlight/lv5207lp: Compare against struct fb_info.device
backlight/bd6107: Compare against struct fb_info.device
backlight/gpio_backlight: Compare against struct fb_info.device
ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
ipmi_si: fix a memleak in try_smi_init()
ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
PM / devfreq: Fix leak in devfreq_dev_release()
igb: set max size RX buffer when store bad packet is enabled
skbuff: skb_segment, Call zero copy functions before using skbuff frags
netfilter: xt_sctp: validate the flag_info count
netfilter: xt_u32: validate user space input
netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
dmaengine: ste_dma40: Add missing IRQ check in d40_probe
um: Fix hostaudio build errors
arch: um: drivers: Kconfig: pedantic formatting
rpmsg: glink: Add check for kstrdup
HID: multitouch: Correct devm device reference for hidinput input_dev name
Revert "IB/isert: Fix incorrect release of isert connection"
amba: bus: fix refcount leak
serial: tegra: handle clk prepare error in tegra_uart_hw_init()
scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
scsi: core: Use 32-bit hostnum in scsi_host_lookup()
cgroup:namespace: Remove unused cgroup_namespaces_init()
media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors
media: ov2680: Fix vflip / hflip set functions
media: ov2680: Fix ov2680_bayer_order()
media: ov2680: Remove auto-gain and auto-exposure controls
media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips
USB: gadget: f_mass_storage: Fix unused variable warning
media: go7007: Remove redundant if statement
IB/uverbs: Fix an potential error pointer dereference
dma-buf/sync_file: Fix docs syntax
scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
x86/APM: drop the duplicate APM_MINOR_DEV macro
scsi: qla4xxx: Add length check when parsing nlattrs
scsi: be2iscsi: Add length check when parsing nlattrs
scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()
media: mediatek: vcodec: Return NULL if no vdec_fb is found
media: cx24120: Add retval check for cx24120_message_send()
media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
media: dib7000p: Fix potential division by zero
drivers: usb: smsusb: fix error handling code in smsusb_init_device
media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()
media: v4l2-fwnode: simplify v4l2_fwnode_parse_link
media: v4l2-fwnode: fix v4l2_fwnode_parse_link handling
media: Use of_node_name_eq for node name comparisons
NFSD: da_addr_body field missing in some GETDEVICEINFO replies
fs: lockd: avoid possible wrong NULL parameter
jfs: validate max amount of blocks before allocation.
powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
nfs/blocklayout: Use the passed in gfp flags
wifi: ath10k: Use RMW accessors for changing LNKCTL
drm/radeon: Use RMW accessors for changing LNKCTL
drm/radeon: Prefer pcie_capability_read_word()
drm/radeon: Replace numbers with PCI_EXP_LNKCTL2 definitions
drm/radeon: Correct Transmit Margin masks
drm/amdgpu: Use RMW accessors for changing LNKCTL
drm/amdgpu: Prefer pcie_capability_read_word()
drm/amdgpu: Replace numbers with PCI_EXP_LNKCTL2 definitions
drm/amdgpu: Correct Transmit Margin masks
PCI: Add #defines for Enter Compliance, Transmit Margin
PCI: Decode PCIe 32 GT/s link speed
PCI: Cleanup register definition width and whitespace
PCI/ATS: Add pci_prg_resp_pasid_required() interface.
PCI/ASPM: Use RMW accessors for changing LNKCTL
PCI: pciehp: Use RMW accessors for changing LNKCTL
PCI: Mark NVIDIA T4 GPUs to avoid bus reset
clk: sunxi-ng: Modify mismatched function name
drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init()
ALSA: ac97: Fix possible error value of *rac97
of: unittest: Fix overlay type in apply/revert check
audit: fix possible soft lockup in __audit_inode_child()
smackfs: Prevent underflow in smk_set_cipso()
drm/msm/mdp5: Don't leak some plane state
drm/msm: Replace drm_framebuffer_{un/reference} with put, get functions
of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
drm/tegra: dpaux: Fix incorrect return value of platform_get_irq
drm/tegra: Remove superfluous error messages around platform_get_irq()
ARM: dts: BCM53573: Fix Ethernet info for Luxul devices
drm: adv7511: Fix low refresh rate register for ADV7533/5
ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)
ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210
ARM: dts: s5pv210: correct ethernet unit address in SMDKV210
ARM: dts: s5pv210: use defines for IRQ flags in SMDKV210
ARM: dts: s5pv210: add RTC 32 KHz clock in SMDKV210
ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)
ARM: dts: s3c64xx: align pinctrl with dtschema
ARM: dts: s3c6410: align node SROM bus node name with dtschema in Mini6410
ARM: dts: s3c6410: move fixed clocks under root node in Mini6410
ARM: dts: BCM53573: Use updated "spi-gpio" binding properties
ARM: dts: BCM53573: Add cells sizes to PCIe node
ARM: dts: BCM53573: Drop nonexistent #usb-cells
ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch
ARM: dts: BCM5301X: Harmonize EHCI/OHCI DT nodes name
drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar()
arm64: dts: qcom: msm8996: Add missing interrupt to the USB2 controller
arm64: dts: msm8996: thermal: Add interrupt support
quota: fix dqput() to follow the guarantees dquot_srcu should provide
quota: add new helper dquot_active()
quota: rename dquot_active() to inode_quota_active()
quota: factor out dquot_write_dquot()
quota: avoid increasing DQST_LOOKUPS when iterating over dirty/inuse list
quota: add dqi_dirty_list description to comment of Dquot List Management
netrom: Deny concurrent connect().
net/sched: sch_hfsc: Ensure inner classes have fsc curve
net: arcnet: Do not call kfree_skb() under local_irq_disable()
wifi: ath9k: use IS_ERR() with debugfs_create_dir()
wifi: mwifiex: avoid possible NULL skb pointer dereference
wifi: ath9k: protect WMI command response buffer replacement with a lock
wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
wifi: mwifiex: Fix missed return in oob checks failed path
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
fs: ocfs2: namei: check return value of ocfs2_add_entry()
lwt: Check LWTUNNEL_XMIT_CONTINUE strictly
crypto: caam - fix unchecked return value error
Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe()
wifi: mwifiex: fix error recovery in PCIE buffer descriptor management
mwifiex: switch from 'pci_' to 'dma_' API
mwifiex: drop 'set_consistent_dma_mask' log message
wifi: mwifiex: Fix OOB and integer underflow when rx packets
can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM
spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe()
regmap: rbtree: Use alloc_flags for memory allocations
tcp: tcp_enter_quickack_mode() should be static
bpf: Clear the probe_addr for uprobe
cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit()
fs: Fix error checking for d_hash_and_lookup()
netfilter: nf_tables: missing NFT_TRANS_PREPARE_ERROR in flowtable deactivatation
netfilter: nft_flow_offload: fix underflow in flowtable reference counter
new helper: lookup_positive_unlocked()
eventfd: prevent underflow for eventfd semaphores
eventfd: Export eventfd_ctx_do_read()
reiserfs: Check the return value from __getblk()
Revert "net: macsec: preserve ingress frame ordering"
udf: Handle error when adding extent to a file
udf: Check consistency of Space Bitmap Descriptor
powerpc/32s: Fix assembler warning about r0
powerpc/32: Include .branch_lt in data section
net: Avoid address overwrite in kernel_connect
ALSA: seq: oss: Fix racy open/close of MIDI devices
cifs: add a warning when the in-flight count goes negative
sctp: handle invalid error codes without calling BUG()
bnx2x: fix page fault following EEH recovery
netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM
net: usb: qmi_wwan: add Quectel EM05GV2
security: keys: perform capable check only on privileged operations
platform/x86: intel: hid: Always call BTNL ACPI method
ASoC: atmel: Fix the 8K sample parameter in I2SC master
ASoc: codecs: ES8316: Fix DMIC config
fs/nls: make load_nls() take a const parameter
s390/dasd: fix hanging device after request requeue
s390/dasd: use correct number of retries for ERP requests
m68k: Fix invalid .section syntax
vxlan: generalize vxlan_parse_gpe_hdr and remove unused args
ethernet: atheros: fix return value check in atl1c_tso_csum()
ASoC: da7219: Check for failure reading AAD IRQ events
ASoC: da7219: Flush pending AAD IRQ when suspending
9p: virtio: make sure 'offs' is initialized in zc_request
pinctrl: amd: Don't show `Invalid config param` errors
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
fsi: master-ast-cf: Add MODULE_FIRMWARE macro
serial: sc16is7xx: fix bug when first setting GPIO direction
Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
HID: wacom: remove the battery when the EKR is off
USB: serial: option: add FOXCONN T99W368/T99W373 product
USB: serial: option: add Quectel EM05G variant (0x030e)
modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules
rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff
mmc: au1xmmc: force non-modular build and remove symbol_get usage
ARM: pxa: remove use of symbol_get()
erofs: ensure that the post-EOF tails are all zeroed
Conflicts:
include/net/tcp.h
Change-Id: Ia73d7be3d6cae8d4fd38da7c6d85a977840872d3
This reverts commit 2b601fcacd which is
commit 6c1c5097781f563b70a81683ea6fdac21637573b upstream.
It breaks the CRC checking for the Android KABI (doesn't really break
any actual ABI, but it isn't nice.) As this isn't needed for Android
systems at this point in time, just revert it to keep the CRC abi
stable.
If it is needed to come back, it can be reworked to be a CRC-abi neutral
change if so desired.
Bug: 161946584
Fixes: 2b601fcacd ("net: add atomic_long_t to net_device_stats fields")
Cc: Eric Dumazet <edumazet@google.com>
Change-Id: I9d3d9fb55ab5482a4ea92fcc4a2fb70c4471edec
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit b17d81b94d which is
commit 9b55d3f0a69af649c62cbc2633e6d695bb3cc583 upstream.
It is needed to be reverted as it relies on an abi-breaking change that
also must be reverted. It's not really needed for Android systems, but
if it is needed to come back, it can be reworked to be a CRC-abi neutral
change if so desired.
Bug: 161946584
Change-Id: I375a29e01f3758f89f74bea69183e3990e01043c
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit d2346e6beb which is
commit 44bdb313da57322c9b3c108eb66981c6ec6509f4 upstream.
It is needed to be reverted as it relies on an abi-breaking change that
also must be reverted. It's not really needed for Android systems, but
if it is needed to come back, it can be reworked to be a CRC-abi neutral
change if so desired.
Bug: 161946584
Change-Id: I8a9f35972d5ade06a3bafd6a965ac2430ad0e63d
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUlqccACgkQONu9yGCS
aT4gqQ/+MgTjBf9wQ4KfZI5RZaQJhRVuubL58TmHD0HMkGhaQhPgsswQ7Sil5nQ2
889+PhxTJ6p9tNFYdYz/urv0qM197vWFOpWvkKqBlLLkHEIU14e7OiLdZuydYPVV
iyFXNrEr5xVerYo7tTsmuOYNzgArwVxmEa/GNlpy/AJl7uP/wxt5g8sbChziM1k2
erSmRrBp0tCG2xVjLWx1LEIWqmB11rTuP0Kl5j86THnS5czzCmdQyvWypMDB+M1o
UX6SF1bFMdvh59ultJQN+SYfq+HSo66xxKNDCRRiqvBi2BvBOYKwnDZYwLuf9H8/
ELOQ//RbWv42wrhosoj637748CwWlgJQCNYR1RiV09CA/bHqlKDwfZM7sUbzeebM
5/Z+ODM/WtJ1/jdbvu1KkkurVLFaKGOmDKefiosZt+4KMXPbyy6jg6J6/moLZqJ8
hbym4x8n6KWYMBrvxQt9Ukyo/SBkcoFAJfCdks1hqtkEL7L+VAxaC1mfUqcNzhlY
RXopvFhEoMlBQ2pOQzK1lDy2m3rZS+md5UUO8G+DZ0keerK7oKVLKVstBTBzx++k
d2SZ7ijRHqqvSfCYbtNrzgBdc06Ou9zT5vOK9KuWR5CQxIwW3NTu23umg7AmMcdT
WkdxqcpO1YZCCbH9oK40ynbP4Ap0fYzZ0SGIoNuclknGX+NJ1E0=
=LBDu
-----END PGP SIGNATURE-----
Merge 4.19.296 into android-4.19-stable
Changes in 4.19.296
NFS/pNFS: Report EINVAL errors from connect() to the server
ata: ahci: Drop pointless VPRINTK() calls and convert the remaining ones
ata: libahci: clear pending interrupt status
netfilter: nf_tables: disallow element removal on anonymous sets
selftests/tls: Add {} to avoid static checker warning
selftests: tls: swap the TX and RX sockets in some tests
ipv4: fix null-deref in ipv4_link_failure
powerpc/perf/hv-24x7: Update domain value check
net: hns3: add 5ms delay before clear firmware reset irq source
net: add atomic_long_t to net_device_stats fields
net: bridge: use DEV_STATS_INC()
team: fix null-ptr-deref when team device type is changed
gpio: tb10x: Fix an error handling path in tb10x_gpio_probe()
i2c: mux: demux-pinctrl: check the return value of devm_kstrdup()
Input: i8042 - add quirk for TUXEDO Gemini 17 Gen1/Clevo PD70PN
scsi: qla2xxx: Add protection mask module parameters
scsi: qla2xxx: Remove unsupported ql2xenabledif option
scsi: megaraid_sas: Load balance completions across all MSI-X
scsi: megaraid_sas: Fix deadlock on firmware crashdump
ext4: remove the 'group' parameter of ext4_trim_extent
ext4: add new helper interface ext4_try_to_trim_range()
ext4: scope ret locally in ext4_try_to_trim_range()
ext4: change s_last_trim_minblks type to unsigned long
ext4: mark group as trimmed only if it was fully scanned
ext4: replace the traditional ternary conditional operator with with max()/min()
ext4: move setting of trimmed bit into ext4_try_to_trim_range()
ext4: do not let fstrim block system suspend
MIPS: Alchemy: only build mmc support helpers if au1xmmc is enabled
clk: tegra: fix error return case for recalc_rate
ARM: dts: ti: omap: motorola-mapphone: Fix abe_clkctrl warning on boot
gpio: pmic-eic-sprd: Add can_sleep flag for PMIC EIC chip
parisc: sba: Fix compile warning wrt list of SBA devices
parisc: iosapic.c: Fix sparse warnings
parisc: drivers: Fix sparse warning
parisc: irq: Make irq_stack_union static to avoid sparse warning
selftests/ftrace: Correctly enable event in instance-event.tc
ring-buffer: Avoid softlockup in ring_buffer_resize()
ata: libata-eh: do not clear ATA_PFLAG_EH_PENDING in ata_eh_reset()
bpf: Clarify error expectations from bpf_clone_redirect
fbdev/sh7760fb: Depend on FB=y
nvme-pci: do not set the NUMA node of device if it has none
watchdog: iTCO_wdt: No need to stop the timer in probe
watchdog: iTCO_wdt: Set NO_REBOOT if the watchdog is not already running
net: Fix unwanted sign extension in netdev_stats_to_stats64()
scsi: megaraid_sas: Enable msix_load_balance for Invader and later controllers
Smack:- Use overlay inode label in smack_inode_copy_up()
smack: Retrieve transmuting information in smack_inode_getsecurity()
smack: Record transmuting in smk_transmuted
serial: 8250_port: Check IRQ data before use
nilfs2: fix potential use after free in nilfs_gccache_submit_read_data()
ALSA: hda: Disable power save for solving pop issue on Lenovo ThinkCentre M70q
ata: libata-scsi: ignore reserved bits for REPORT SUPPORTED OPERATION CODES
i2c: i801: unregister tco_pdev in i801_probe() error path
btrfs: properly report 0 avail for very full file systems
net: thunderbolt: Fix TCPv6 GSO checksum calculation
ata: libata-core: Fix ata_port_request_pm() locking
ata: libata-core: Fix port and device removal
ata: libata-core: Do not register PM operations for SAS ports
ata: libata-sata: increase PMP SRST timeout to 10s
fs: binfmt_elf_efpic: fix personality for ELF-FDPIC
ext4: fix rec_len verify error
ata: libata: disallow dev-initiated LPM transitions to unsupported states
Revert "drivers core: Use sysfs_emit and sysfs_emit_at for show(device *...) functions"
media: dvb: symbol fixup for dvb_attach() - again
Revert "PCI: qcom: Disable write access to read only registers for IP v2.3.3"
scsi: zfcp: Fix a double put in zfcp_port_enqueue()
qed/red_ll2: Fix undefined behavior bug in struct qed_ll2_info
wifi: mwifiex: Fix tlv_buf_left calculation
net: replace calls to sock->ops->connect() with kernel_connect()
ubi: Refuse attaching if mtd's erasesize is 0
wifi: mwifiex: Fix oob check condition in mwifiex_process_rx_packet
drivers/net: process the result of hdlc_open() and add call of hdlc_close() in uhdlc_close()
regmap: rbtree: Fix wrong register marked as in-cache when creating new node
scsi: target: core: Fix deadlock due to recursive locking
modpost: add missing else to the "of" check
ipv4, ipv6: Fix handling of transhdrlen in __ip{,6}_append_data()
net: usb: smsc75xx: Fix uninit-value access in __smsc75xx_read_reg
net: stmmac: dwmac-stm32: fix resume on STM32 MCU
tcp: fix quick-ack counting to count actual ACKs of new data
tcp: fix delayed ACKs for MSS boundary condition
sctp: update transport state when processing a dupcook packet
sctp: update hb timer immediately after users change hb_interval
cpupower: add Makefile dependencies for install targets
IB/mlx4: Fix the size of a buffer in add_port_entries()
gpio: aspeed: fix the GPIO number passed to pinctrl_gpio_set_config()
gpio: pxa: disable pinctrl calls for MMP_GPIO
RDMA/cma: Fix truncation compilation warning in make_cma_ports
RDMA/mlx5: Fix NULL string error
parisc: Restore __ldcw_align for PA-RISC 2.0 processors
dccp: fix dccp_v4_err()/dccp_v6_err() again
Revert "rtnetlink: Reject negative ifindexes in RTM_NEWLINK"
rtnetlink: Reject negative ifindexes in RTM_NEWLINK
xen/events: replace evtchn_rwlock with RCU
Linux 4.19.296
Change-Id: I4f76959ead91691fe9a242cb5b158fc8dc67bf39
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
This reverts commit 42c8406432 which is
commit 30188bd7838c16a98a520db1fe9df01ffc6ed368 upstream.
It was improperly backported to 4.19.y, and applied to the wrong
function, which obviously causes problems. A fixed version will be
applied as a separate commit later.
Reported-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Link: https://lore.kernel.org/r/ZSQeA8fhUT++iZvz@ostr-mac
Cc: Ido Schimmel <idosch@nvidia.com>
Cc: Jiri Pirko <jiri@nvidia.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1f4e803cd9c9166eb8b6c8b0b8e4124f7499fc07 ]
Currently, when hb_interval is changed by users, it won't take effect
until the next expiry of hb timer. As the default value is 30s, users
have to wait up to 30s to wait its hb_interval update to work.
This becomes pretty bad in containers where a much smaller value is
usually set on hb_interval. This patch improves it by resetting the
hb timer immediately once the value of hb_interval is updated by users.
Note that we don't address the already existing 'problem' when sending
a heartbeat 'on demand' if one hb has just been sent(from the timer)
mentioned in:
https://www.mail-archive.com/linux-kernel@vger.kernel.org/msg590224.html
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Link: https://lore.kernel.org/r/75465785f8ee5df2fb3acdca9b8fafdc18984098.1696172660.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 2222a78075f0c19ca18db53fd6623afb4aff602d ]
During the 4-way handshake, the transport's state is set to ACTIVE in
sctp_process_init() when processing INIT_ACK chunk on client or
COOKIE_ECHO chunk on server.
In the collision scenario below:
192.168.1.2 > 192.168.1.1: sctp (1) [INIT] [init tag: 3922216408]
192.168.1.1 > 192.168.1.2: sctp (1) [INIT] [init tag: 144230885]
192.168.1.2 > 192.168.1.1: sctp (1) [INIT ACK] [init tag: 3922216408]
192.168.1.1 > 192.168.1.2: sctp (1) [COOKIE ECHO]
192.168.1.2 > 192.168.1.1: sctp (1) [COOKIE ACK]
192.168.1.1 > 192.168.1.2: sctp (1) [INIT ACK] [init tag: 3914796021]
when processing COOKIE_ECHO on 192.168.1.2, as it's in COOKIE_WAIT state,
sctp_sf_do_dupcook_b() is called by sctp_sf_do_5_2_4_dupcook() where it
creates a new association and sets its transport to ACTIVE then updates
to the old association in sctp_assoc_update().
However, in sctp_assoc_update(), it will skip the transport update if it
finds a transport with the same ipaddr already existing in the old asoc,
and this causes the old asoc's transport state not to move to ACTIVE
after the handshake.
This means if DATA retransmission happens at this moment, it won't be able
to enter PF state because of the check 'transport->state == SCTP_ACTIVE'
in sctp_do_8_2_transport_strike().
This patch fixes it by updating the transport in sctp_assoc_update() with
sctp_assoc_add_peer() where it updates the transport state if there is
already a transport with the same ipaddr exists in the old asoc.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Link: https://lore.kernel.org/r/fd17356abe49713ded425250cc1ae51e9f5846c6.1696172325.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 4720852ed9afb1c5ab84e96135cb5b73d5afde6f ]
This commit fixes poor delayed ACK behavior that can cause poor TCP
latency in a particular boundary condition: when an application makes
a TCP socket write that is an exact multiple of the MSS size.
The problem is that there is painful boundary discontinuity in the
current delayed ACK behavior. With the current delayed ACK behavior,
we have:
(1) If an app reads data when > 1*MSS is unacknowledged, then
tcp_cleanup_rbuf() ACKs immediately because of:
tp->rcv_nxt - tp->rcv_wup > icsk->icsk_ack.rcv_mss ||
(2) If an app reads all received data, and the packets were < 1*MSS,
and either (a) the app is not ping-pong or (b) we received two
packets < 1*MSS, then tcp_cleanup_rbuf() ACKs immediately beecause
of:
((icsk->icsk_ack.pending & ICSK_ACK_PUSHED2) ||
((icsk->icsk_ack.pending & ICSK_ACK_PUSHED) &&
!inet_csk_in_pingpong_mode(sk))) &&
(3) *However*: if an app reads exactly 1*MSS of data,
tcp_cleanup_rbuf() does not send an immediate ACK. This is true
even if the app is not ping-pong and the 1*MSS of data had the PSH
bit set, suggesting the sending application completed an
application write.
Thus if the app is not ping-pong, we have this painful case where
>1*MSS gets an immediate ACK, and <1*MSS gets an immediate ACK, but a
write whose last skb is an exact multiple of 1*MSS can get a 40ms
delayed ACK. This means that any app that transfers data in one
direction and takes care to align write size or packet size with MSS
can suffer this problem. With receive zero copy making 4KB MSS values
more common, it is becoming more common to have application writes
naturally align with MSS, and more applications are likely to
encounter this delayed ACK problem.
The fix in this commit is to refine the delayed ACK heuristics with a
simple check: immediately ACK a received 1*MSS skb with PSH bit set if
the app reads all data. Why? If an skb has a len of exactly 1*MSS and
has the PSH bit set then it is likely the end of an application
write. So more data may not be arriving soon, and yet the data sender
may be waiting for an ACK if cwnd-bound or using TX zero copy. Thus we
set ICSK_ACK_PUSHED in this case so that tcp_cleanup_rbuf() will send
an ACK immediately if the app reads all of the data and is not
ping-pong. Note that this logic is also executed for the case where
len > MSS, but in that case this logic does not matter (and does not
hurt) because tcp_cleanup_rbuf() will always ACK immediately if the
app reads data and there is more than an MSS of unACKed data.
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Cc: Xin Guo <guoxin0309@gmail.com>
Link: https://lore.kernel.org/r/20231001151239.1866845-2-ncardwell.sw@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 059217c18be6757b95bfd77ba53fb50b48b8a816 ]
This commit fixes quick-ack counting so that it only considers that a
quick-ack has been provided if we are sending an ACK that newly
acknowledges data.
The code was erroneously using the number of data segments in outgoing
skbs when deciding how many quick-ack credits to remove. This logic
does not make sense, and could cause poor performance in
request-response workloads, like RPC traffic, where requests or
responses can be multi-segment skbs.
When a TCP connection decides to send N quick-acks, that is to
accelerate the cwnd growth of the congestion control module
controlling the remote endpoint of the TCP connection. That quick-ack
decision is purely about the incoming data and outgoing ACKs. It has
nothing to do with the outgoing data or the size of outgoing data.
And in particular, an ACK only serves the intended purpose of allowing
the remote congestion control to grow the congestion window quickly if
the ACK is ACKing or SACKing new data.
The fix is simple: only count packets as serving the goal of the
quickack mechanism if they are ACKing/SACKing new data. We can tell
whether this is the case by checking inet_csk_ack_scheduled(), since
we schedule an ACK exactly when we are ACKing/SACKing new data.
Fixes: fc6415bcb0 ("[TCP]: Fix quick-ack decrementing with TSO.")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20231001151239.1866845-1-ncardwell.sw@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 9d4c75800f61e5d75c1659ba201b6c0c7ead3070 ]
Including the transhdrlen in length is a problem when the packet is
partially filled (e.g. something like send(MSG_MORE) happened previously)
when appending to an IPv4 or IPv6 packet as we don't want to repeat the
transport header or account for it twice. This can happen under some
circumstances, such as splicing into an L2TP socket.
The symptom observed is a warning in __ip6_append_data():
WARNING: CPU: 1 PID: 5042 at net/ipv6/ip6_output.c:1800 __ip6_append_data.isra.0+0x1be8/0x47f0 net/ipv6/ip6_output.c:1800
that occurs when MSG_SPLICE_PAGES is used to append more data to an already
partially occupied skbuff. The warning occurs when 'copy' is larger than
the amount of data in the message iterator. This is because the requested
length includes the transport header length when it shouldn't. This can be
triggered by, for example:
sfd = socket(AF_INET6, SOCK_DGRAM, IPPROTO_L2TP);
bind(sfd, ...); // ::1
connect(sfd, ...); // ::1 port 7
send(sfd, buffer, 4100, MSG_MORE);
sendfile(sfd, dfd, NULL, 1024);
Fix this by only adding transhdrlen into the length if the write queue is
empty in l2tp_ip6_sendmsg(), analogously to how UDP does things.
l2tp_ip_sendmsg() looks like it won't suffer from this problem as it builds
the UDP packet itself.
Fixes: a32e0eec70 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
Reported-by: syzbot+62cbf263225ae13ff153@syzkaller.appspotmail.com
Link: https://lore.kernel.org/r/0000000000001c12b30605378ce8@google.com/
Suggested-by: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Eric Dumazet <edumazet@google.com>
cc: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: David Ahern <dsahern@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: netdev@vger.kernel.org
cc: bpf@vger.kernel.org
cc: syzkaller-bugs@googlegroups.com
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 26297b4ce1ce4ea40bc9a48ec99f45da3f64d2e2 upstream.
commit 0bdf399342c5 ("net: Avoid address overwrite in kernel_connect")
ensured that kernel_connect() will not overwrite the address parameter
in cases where BPF connect hooks perform an address rewrite. This change
replaces direct calls to sock->ops->connect() in net with kernel_connect()
to make these call safe.
Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@google.com/
Fixes: d74bad4e74 ("bpf: Hooks for sys_connect")
Cc: stable@vger.kernel.org
Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Jordan Rife <jrife@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 9b55d3f0a69af649c62cbc2633e6d695bb3cc583 ]
When converting net_device_stats to rtnl_link_stats64 sign extension
is triggered on ILP32 machines as 6c1c509778 changed the previous
"ulong -> u64" conversion to "long -> u64" by accessing the
net_device_stats fields through a (signed) atomic_long_t.
This causes for example the received bytes counter to jump to 16EiB after
having received 2^31 bytes. Casting the atomic value to "unsigned long"
beforehand converting it into u64 avoids this.
Fixes: 6c1c5097781f ("net: add atomic_long_t to net_device_stats fields")
Signed-off-by: Felix Riemann <felix.riemann@sma.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 6c1c5097781f563b70a81683ea6fdac21637573b ]
Long standing KCSAN issues are caused by data-race around
some dev->stats changes.
Most performance critical paths already use per-cpu
variables, or per-queue ones.
It is reasonable (and more correct) to use atomic operations
for the slow paths.
This patch adds an union for each field of net_device_stats,
so that we can convert paths that are not yet protected
by a spinlock or a mutex.
netdev_stats_to_stats64() no longer has an #if BITS_PER_LONG==64
Note that the memcpy() we were using on 64bit arches
had no provision to avoid load-tearing,
while atomic_long_read() is providing the needed protection
at no cost.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 44bdb313da57 ("net: bridge: use DEV_STATS_INC()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 0113d9c9d1ccc07f5a3710dac4aa24b6d711278c ]
Currently, we assume the skb is associated with a device before calling
__ip_options_compile, which is not always the case if it is re-routed by
ipvs.
When skb->dev is NULL, dev_net(skb->dev) will become null-dereference.
This patch adds a check for the edge case and switch to use the net_device
from the rtable when skb->dev is NULL.
Fixes: ed0de45a1008 ("ipv4: recompile ip options in ipv4_link_failure")
Suggested-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
Cc: Vadim Fedorenko <vfedorenko@novek.ru>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 23a3bfd4ba7acd36abf52b78605f61b21bdac216 ]
Anonymous sets need to be populated once at creation and then they are
bound to rule since 938154b93be8 ("netfilter: nf_tables: reject unbound
anonymous set before commit phase"), otherwise transaction reports
EINVAL.
Userspace does not need to delete elements of anonymous sets that are
not yet bound, reject this with EOPNOTSUPP.
From flush command path, skip anonymous sets, they are expected to be
bound already. Otherwise, EINVAL is hit at the end of this transaction
for unbound sets.
Fixes: 96518518cc ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmUOpmEACgkQONu9yGCS
aT6vSQ/8D3yjJUYiUnHkiSzTMZHAtwR5qk0jCsqw1Xlr+XVouGCG/wpk8z7ckT6W
4gsG5+QvuB4SfWXmbIn/rPApqQdQSiTicOfHrev705v0U+ib+kw1vgBKv38qkOlI
EZKuo7Ir1vZUnqghw9uIGperU3kEAt2EvWK37EBryukDoxbzDGIctOvAN7KMMbAJ
jPQciVOOAJrNNdgPOSrxs1OCdAkEYlDaNuBZ+9j/HjNQLB9KtdtsJ50gerCPA4rS
oKpZhnx9VJYXI9szor3T7q71iNfpJeL+mOrnpCSFVAFCPkesXQ+MG/GdgJJQDCMJ
9VF12W6rpqVcKfYFdPX9WevkqMfHRpE4brotDQx36rpUwVFcP7HClJ2zE3p36QWV
Mfu4O31ZNkLUF8SmFXc3JXVyrwe/ARiha9nLH9VKZ7cSHoYUKlO4NeSGyHjz5J99
RErBGpea7SgHTSLk30+sHaB3zhdUZyv8ej++zjTG9QA8bRbMp97I9psQ7FWhWDng
l6f87mdta1X76OJJPkL3yZfbiB/M58e514ptbDNhu4cnH/S6aB6I3K5IYVtfZI/9
zESuavKEUks+Ng1vBUGsPGN/eHDaPWUkl7HewP7WXRDOQUjaIX/0saeaSiUFYNI7
UYa72hD9fKMblkwxIl75ybI/WZRgw9fyrQeGG0DfX3t6kt6BhHM=
=bQT4
-----END PGP SIGNATURE-----
Merge 4.19.295 into android-4.19-stable
Changes in 4.19.295
erofs: ensure that the post-EOF tails are all zeroed
ARM: pxa: remove use of symbol_get()
mmc: au1xmmc: force non-modular build and remove symbol_get usage
rtc: ds1685: use EXPORT_SYMBOL_GPL for ds1685_rtc_poweroff
modules: only allow symbol_get of EXPORT_SYMBOL_GPL modules
USB: serial: option: add Quectel EM05G variant (0x030e)
USB: serial: option: add FOXCONN T99W368/T99W373 product
HID: wacom: remove the battery when the EKR is off
Bluetooth: btsdio: fix use after free bug in btsdio_remove due to race condition
serial: sc16is7xx: fix bug when first setting GPIO direction
fsi: master-ast-cf: Add MODULE_FIRMWARE macro
nilfs2: fix general protection fault in nilfs_lookup_dirty_data_buffers()
nilfs2: fix WARNING in mark_buffer_dirty due to discarded buffer reuse
pinctrl: amd: Don't show `Invalid config param` errors
9p: virtio: make sure 'offs' is initialized in zc_request
ASoC: da7219: Flush pending AAD IRQ when suspending
ASoC: da7219: Check for failure reading AAD IRQ events
ethernet: atheros: fix return value check in atl1c_tso_csum()
vxlan: generalize vxlan_parse_gpe_hdr and remove unused args
m68k: Fix invalid .section syntax
s390/dasd: use correct number of retries for ERP requests
s390/dasd: fix hanging device after request requeue
fs/nls: make load_nls() take a const parameter
ASoc: codecs: ES8316: Fix DMIC config
ASoC: atmel: Fix the 8K sample parameter in I2SC master
platform/x86: intel: hid: Always call BTNL ACPI method
security: keys: perform capable check only on privileged operations
net: usb: qmi_wwan: add Quectel EM05GV2
idmaengine: make FSL_EDMA and INTEL_IDMA64 depends on HAS_IOMEM
scsi: qedi: Fix potential deadlock on &qedi_percpu->p_work_lock
netlabel: fix shift wrapping bug in netlbl_catmap_setlong()
bnx2x: fix page fault following EEH recovery
sctp: handle invalid error codes without calling BUG()
cifs: add a warning when the in-flight count goes negative
ALSA: seq: oss: Fix racy open/close of MIDI devices
net: Avoid address overwrite in kernel_connect
powerpc/32: Include .branch_lt in data section
powerpc/32s: Fix assembler warning about r0
udf: Check consistency of Space Bitmap Descriptor
udf: Handle error when adding extent to a file
Revert "net: macsec: preserve ingress frame ordering"
reiserfs: Check the return value from __getblk()
eventfd: Export eventfd_ctx_do_read()
eventfd: prevent underflow for eventfd semaphores
new helper: lookup_positive_unlocked()
netfilter: nft_flow_offload: fix underflow in flowtable reference counter
netfilter: nf_tables: missing NFT_TRANS_PREPARE_ERROR in flowtable deactivatation
fs: Fix error checking for d_hash_and_lookup()
cpufreq: powernow-k8: Use related_cpus instead of cpus in driver.exit()
bpf: Clear the probe_addr for uprobe
tcp: tcp_enter_quickack_mode() should be static
regmap: rbtree: Use alloc_flags for memory allocations
spi: tegra20-sflash: fix to check return value of platform_get_irq() in tegra_sflash_probe()
can: gs_usb: gs_usb_receive_bulk_callback(): count RX overflow errors also in case of OOM
wifi: mwifiex: Fix OOB and integer underflow when rx packets
mwifiex: drop 'set_consistent_dma_mask' log message
mwifiex: switch from 'pci_' to 'dma_' API
wifi: mwifiex: fix error recovery in PCIE buffer descriptor management
Bluetooth: nokia: fix value check in nokia_bluetooth_serdev_probe()
crypto: caam - fix unchecked return value error
lwt: Check LWTUNNEL_XMIT_CONTINUE strictly
fs: ocfs2: namei: check return value of ocfs2_add_entry()
wifi: mwifiex: fix memory leak in mwifiex_histogram_read()
wifi: mwifiex: Fix missed return in oob checks failed path
wifi: ath9k: fix races between ath9k_wmi_cmd and ath9k_wmi_ctrl_rx
wifi: ath9k: protect WMI command response buffer replacement with a lock
wifi: mwifiex: avoid possible NULL skb pointer dereference
wifi: ath9k: use IS_ERR() with debugfs_create_dir()
net: arcnet: Do not call kfree_skb() under local_irq_disable()
net/sched: sch_hfsc: Ensure inner classes have fsc curve
netrom: Deny concurrent connect().
quota: add dqi_dirty_list description to comment of Dquot List Management
quota: avoid increasing DQST_LOOKUPS when iterating over dirty/inuse list
quota: factor out dquot_write_dquot()
quota: rename dquot_active() to inode_quota_active()
quota: add new helper dquot_active()
quota: fix dqput() to follow the guarantees dquot_srcu should provide
arm64: dts: msm8996: thermal: Add interrupt support
arm64: dts: qcom: msm8996: Add missing interrupt to the USB2 controller
drm/amdgpu: avoid integer overflow warning in amdgpu_device_resize_fb_bar()
ARM: dts: BCM5301X: Harmonize EHCI/OHCI DT nodes name
ARM: dts: BCM53573: Describe on-SoC BCM53125 rev 4 switch
ARM: dts: BCM53573: Drop nonexistent #usb-cells
ARM: dts: BCM53573: Add cells sizes to PCIe node
ARM: dts: BCM53573: Use updated "spi-gpio" binding properties
ARM: dts: s3c6410: move fixed clocks under root node in Mini6410
ARM: dts: s3c6410: align node SROM bus node name with dtschema in Mini6410
ARM: dts: s3c64xx: align pinctrl with dtschema
ARM: dts: samsung: s3c6410-mini6410: correct ethernet reg addresses (split)
ARM: dts: s5pv210: add RTC 32 KHz clock in SMDKV210
ARM: dts: s5pv210: use defines for IRQ flags in SMDKV210
ARM: dts: s5pv210: correct ethernet unit address in SMDKV210
ARM: dts: s5pv210: add dummy 5V regulator for backlight on SMDKv210
ARM: dts: samsung: s5pv210-smdkv210: correct ethernet reg addresses (split)
drm: adv7511: Fix low refresh rate register for ADV7533/5
ARM: dts: BCM53573: Fix Ethernet info for Luxul devices
drm/tegra: Remove superfluous error messages around platform_get_irq()
drm/tegra: dpaux: Fix incorrect return value of platform_get_irq
of: unittest: fix null pointer dereferencing in of_unittest_find_node_by_name()
drm/msm: Replace drm_framebuffer_{un/reference} with put, get functions
drm/msm/mdp5: Don't leak some plane state
smackfs: Prevent underflow in smk_set_cipso()
audit: fix possible soft lockup in __audit_inode_child()
of: unittest: Fix overlay type in apply/revert check
ALSA: ac97: Fix possible error value of *rac97
drivers: clk: keystone: Fix parameter judgment in _of_pll_clk_init()
clk: sunxi-ng: Modify mismatched function name
PCI: Mark NVIDIA T4 GPUs to avoid bus reset
PCI: pciehp: Use RMW accessors for changing LNKCTL
PCI/ASPM: Use RMW accessors for changing LNKCTL
PCI/ATS: Add pci_prg_resp_pasid_required() interface.
PCI: Cleanup register definition width and whitespace
PCI: Decode PCIe 32 GT/s link speed
PCI: Add #defines for Enter Compliance, Transmit Margin
drm/amdgpu: Correct Transmit Margin masks
drm/amdgpu: Replace numbers with PCI_EXP_LNKCTL2 definitions
drm/amdgpu: Prefer pcie_capability_read_word()
drm/amdgpu: Use RMW accessors for changing LNKCTL
drm/radeon: Correct Transmit Margin masks
drm/radeon: Replace numbers with PCI_EXP_LNKCTL2 definitions
drm/radeon: Prefer pcie_capability_read_word()
drm/radeon: Use RMW accessors for changing LNKCTL
wifi: ath10k: Use RMW accessors for changing LNKCTL
nfs/blocklayout: Use the passed in gfp flags
powerpc/iommu: Fix notifiers being shared by PCI and VIO buses
jfs: validate max amount of blocks before allocation.
fs: lockd: avoid possible wrong NULL parameter
NFSD: da_addr_body field missing in some GETDEVICEINFO replies
media: Use of_node_name_eq for node name comparisons
media: v4l2-fwnode: fix v4l2_fwnode_parse_link handling
media: v4l2-fwnode: simplify v4l2_fwnode_parse_link
media: v4l2-core: Fix a potential resource leak in v4l2_fwnode_parse_link()
drivers: usb: smsusb: fix error handling code in smsusb_init_device
media: dib7000p: Fix potential division by zero
media: dvb-usb: m920x: Fix a potential memory leak in m920x_i2c_xfer()
media: cx24120: Add retval check for cx24120_message_send()
media: mediatek: vcodec: Return NULL if no vdec_fb is found
usb: phy: mxs: fix getting wrong state with mxs_phy_is_otg_host()
scsi: iscsi: Add strlen() check in iscsi_if_set{_host}_param()
scsi: be2iscsi: Add length check when parsing nlattrs
scsi: qla4xxx: Add length check when parsing nlattrs
x86/APM: drop the duplicate APM_MINOR_DEV macro
scsi: qedf: Do not touch __user pointer in qedf_dbg_stop_io_on_error_cmd_read() directly
scsi: qedf: Do not touch __user pointer in qedf_dbg_fp_int_cmd_read() directly
dma-buf/sync_file: Fix docs syntax
IB/uverbs: Fix an potential error pointer dereference
media: go7007: Remove redundant if statement
USB: gadget: f_mass_storage: Fix unused variable warning
media: i2c: ov2680: Set V4L2_CTRL_FLAG_MODIFY_LAYOUT on flips
media: ov2680: Remove auto-gain and auto-exposure controls
media: ov2680: Fix ov2680_bayer_order()
media: ov2680: Fix vflip / hflip set functions
media: ov2680: Fix regulators being left enabled on ov2680_power_on() errors
cgroup:namespace: Remove unused cgroup_namespaces_init()
scsi: core: Use 32-bit hostnum in scsi_host_lookup()
scsi: fcoe: Fix potential deadlock on &fip->ctlr_lock
serial: tegra: handle clk prepare error in tegra_uart_hw_init()
amba: bus: fix refcount leak
Revert "IB/isert: Fix incorrect release of isert connection"
HID: multitouch: Correct devm device reference for hidinput input_dev name
rpmsg: glink: Add check for kstrdup
arch: um: drivers: Kconfig: pedantic formatting
um: Fix hostaudio build errors
dmaengine: ste_dma40: Add missing IRQ check in d40_probe
igmp: limit igmpv3_newpack() packet size to IP_MAX_MTU
netfilter: ipset: add the missing IP_SET_HASH_WITH_NET0 macro for ip_set_hash_netportnet.c
netfilter: xt_u32: validate user space input
netfilter: xt_sctp: validate the flag_info count
skbuff: skb_segment, Call zero copy functions before using skbuff frags
igb: set max size RX buffer when store bad packet is enabled
PM / devfreq: Fix leak in devfreq_dev_release()
ALSA: pcm: Fix missing fixup call in compat hw_refine ioctl
ipmi_si: fix a memleak in try_smi_init()
ARM: OMAP2+: Fix -Warray-bounds warning in _pwrdm_state_switch()
backlight/gpio_backlight: Compare against struct fb_info.device
backlight/bd6107: Compare against struct fb_info.device
backlight/lv5207lp: Compare against struct fb_info.device
media: dvb: symbol fixup for dvb_attach()
ntb: Drop packets when qp link is down
ntb: Clean up tx tail index on link down
ntb: Fix calculation ntb_transport_tx_free_entry()
Revert "PCI: Mark NVIDIA T4 GPUs to avoid bus reset"
procfs: block chmod on /proc/thread-self/comm
parisc: Fix /proc/cpuinfo output for lscpu
dlm: fix plock lookup when using multiple lockspaces
dccp: Fix out of bounds access in DCCP error handler
crypto: stm32 - fix loop iterating through scatterlist for DMA
cpufreq: brcmstb-avs-cpufreq: Fix -Warray-bounds bug
X.509: if signature is unsupported skip validation
net: handle ARPHRD_PPP in dev_is_mac_header_xmit()
pstore/ram: Check start of empty przs during init
PCI/ATS: Add inline to pci_prg_resp_pasid_required()
sc16is7xx: Set iobase to device index
serial: sc16is7xx: fix broken port 0 uart init
usb: typec: tcpci: clear the fault status bit
udf: initialize newblock to 0
scsi: qla2xxx: fix inconsistent TMF timeout
scsi: qla2xxx: Turn off noisy message log
fbdev/ep93xx-fb: Do not assign to struct fb_info.dev
drm/ast: Fix DRAM init on AST2200
parisc: led: Fix LAN receive and transmit LEDs
parisc: led: Reduce CPU overhead for disk & lan LED computation
clk: qcom: gcc-mdm9615: use proper parent for pll0_vote clock
soc: qcom: qmi_encdec: Restrict string length in decode
NFSv4/pnfs: minor fix for cleanup path in nfs4_get_device_info
kconfig: fix possible buffer overflow
x86/virt: Drop unnecessary check on extended CPUID level in cpu_has_svm()
watchdog: intel-mid_wdt: add MODULE_ALIAS() to allow auto-load
pwm: lpc32xx: Remove handling of PWM channels
net: read sk->sk_family once in sk_mc_loop()
igb: disable virtualization features on 82580
veth: Fixing transmit return status for dropped packets
net: ipv6/addrconf: avoid integer underflow in ipv6_create_tempaddr
af_unix: Fix data-races around user->unix_inflight.
af_unix: Fix data-race around unix_tot_inflight.
af_unix: Fix data-races around sk->sk_shutdown.
af_unix: Fix data race around sk->sk_err.
net: sched: sch_qfq: Fix UAF in qfq_dequeue()
kcm: Destroy mutex in kcm_exit_net()
igbvf: Change IGBVF_MIN to allow set rx/tx value between 64 and 80
igb: Change IGB_MIN to allow set rx/tx value between 64 and 80
idr: fix param name in idr_alloc_cyclic() doc
netfilter: nfnetlink_osf: avoid OOB read
ata: sata_gemini: Add missing MODULE_DESCRIPTION
ata: pata_ftide010: Add missing MODULE_DESCRIPTION
btrfs: don't start transaction when joining with TRANS_JOIN_NOSTART
mtd: rawnand: brcmnand: Fix crash during the panic_write
mtd: rawnand: brcmnand: Fix potential out-of-bounds access in oob write
mtd: rawnand: brcmnand: Fix potential false time out warning
perf hists browser: Fix hierarchy mode header
net: ethernet: mtk_eth_soc: fix possible NULL pointer dereference in mtk_hwlro_get_fdir_all()
kcm: Fix memory leak in error path of kcm_sendmsg()
ixgbe: fix timestamp configuration code
kcm: Fix error handling for SOCK_DGRAM in kcm_sendmsg().
drm/amd/display: Fix a bug when searching for insert_above_mpcc
parisc: Drop loops_per_jiffy from per_cpu struct
autofs: fix memory leak of waitqueues in autofs_catatonic_mode
btrfs: output extra debug info if we failed to find an inline backref
ACPICA: Add AML_NO_OPERAND_RESOLVE flag to Timer
ACPI: video: Add backlight=native DMI quirk for Lenovo Ideapad Z470
hw_breakpoint: fix single-stepping when using bpf_overflow_handler
wifi: ath9k: fix printk specifier
wifi: mwifiex: fix fortify warning
crypto: lib/mpi - avoid null pointer deref in mpi_cmp_ui()
tpm_tis: Resend command to recover from data transfer errors
alx: fix OOB-read compiler warning
drm/exynos: fix a possible null-pointer dereference due to data race in exynos_drm_crtc_atomic_disable()
md: raid1: fix potential OOB in raid1_remove_disk()
ext2: fix datatype of block number in ext2_xattr_set2()
fs/jfs: prevent double-free in dbUnmount() after failed jfs_remount()
jfs: fix invalid free of JFS_IP(ipimap)->i_imap in diUnmount
powerpc/pseries: fix possible memory leak in ibmebus_bus_init()
media: dvb-usb-v2: af9035: Fix null-ptr-deref in af9035_i2c_master_xfer
media: dw2102: Fix null-ptr-deref in dw2102_i2c_transfer()
media: af9005: Fix null-ptr-deref in af9005_i2c_xfer
media: anysee: fix null-ptr-deref in anysee_master_xfer
media: az6007: Fix null-ptr-deref in az6007_i2c_xfer()
iio: core: Use min() instead of min_t() to make code more robust
media: tuners: qt1010: replace BUG_ON with a regular error
media: pci: cx23885: replace BUG with error return
usb: gadget: fsl_qe_udc: validate endpoint index for ch9 udc
scsi: target: iscsi: Fix buffer overflow in lio_target_nacl_info_show()
serial: cpm_uart: Avoid suspicious locking
media: pci: ipu3-cio2: Initialise timing struct to avoid a compiler warning
kobject: Add sanity check for kset->kobj.ktype in kset_register()
md/raid1: fix error: ISO C90 forbids mixed declarations
attr: block mode changes of symlinks
btrfs: fix lockdep splat and potential deadlock after failure running delayed items
nfsd: fix change_info in NFSv4 RENAME replies
mtd: rawnand: brcmnand: Fix ECC level field setting for v7.2 controller
net/sched: cls_fw: No longer copy tcf_result on update to avoid use-after-free
net/sched: Retire rsvp classifier
Linux 4.19.295
Change-Id: I5de88dc1e8cebe5736df3023205233cb40c4aa35
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f ]
HFSC assumes that inner classes have an fsc curve, but it is currently
possible for classes without an fsc curve to become parents. This leads
to bugs including a use-after-free.
Don't allow non-root classes without HFSC_FSC to become parents.
Bug: 299921101
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
(cherry picked from commit 4cf994d3f4ff42d604fae2b461bdd5195a7dfabd)
Signed-off-by: Lee Jones <joneslee@google.com>
Change-Id: I5b44ae6bb340b978372ed9657ba2e23f75b850e5
commit 265b4da82dbf5df04bee5a5d46b7474b1aaf326a upstream.
The rsvp classifier has served us well for about a quarter of a century but has
has not been getting much maintenance attention due to lack of known users.
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Acked-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 76e42ae831991c828cffa8c37736ebfb831ad5ec upstream.
When fw_change() is called on an existing filter, the whole
tcf_result struct is always copied into the new instance of the filter.
This causes a problem when updating a filter bound to a class,
as tcf_unbind_filter() is always called on the old instance in the
success path, decreasing filter_cnt of the still referenced class
and allowing it to be deleted, leading to a use-after-free.
Fix this by no longer copying the tcf_result struct from the old filter.
Fixes: e35a8ee599 ("net: sched: fw use RCU")
Reported-by: valis <sec@valis.email>
Reported-by: Bing-Jhong Billy Jheng <billy@starlabs.sg>
Signed-off-by: valis <sec@valis.email>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
Reviewed-by: Victor Nogueira <victor@mojatatu.com>
Reviewed-by: Pedro Tammela <pctammela@mojatatu.com>
Reviewed-by: M A Ramdhan <ramdhan@starlabs.sg>
Link: https://lore.kernel.org/r/20230729123202.72406-3-jhs@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[ Fixed small conflict as 'fnew->ifindex' assignment is not protected by
CONFIG_NET_CLS_IND on upstream since a51486266c3 ]
Signed-off-by: Luiz Capitulino <luizcap@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit a22730b1b4bf437c6bbfdeff5feddf54be4aeada ]
syzkaller found a memory leak in kcm_sendmsg(), and commit c821a88bd720
("kcm: Fix memory leak in error path of kcm_sendmsg()") suppressed it by
updating kcm_tx_msg(head)->last_skb if partial data is copied so that the
following sendmsg() will resume from the skb.
However, we cannot know how many bytes were copied when we get the error.
Thus, we could mess up the MSG_MORE queue.
When kcm_sendmsg() fails for SOCK_DGRAM, we should purge the queue as we
do so for UDP by udp_flush_pending_frames().
Even without this change, when the error occurred, the following sendmsg()
resumed from a wrong skb and the queue was messed up. However, we have
yet to get such a report, and only syzkaller stumbled on it. So, this
can be changed safely.
Note this does not change SOCK_SEQPACKET behaviour.
Fixes: c821a88bd720 ("kcm: Fix memory leak in error path of kcm_sendmsg()")
Fixes: ab7ac4eb98 ("kcm: Kernel Connection Multiplexor module")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230912022753.33327-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f4f8a7803119005e87b716874bec07c751efafec ]
The opt_num field is controlled by user mode and is not currently
validated inside the kernel. An attacker can take advantage of this to
trigger an OOB read and potentially leak information.
BUG: KASAN: slab-out-of-bounds in nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
Read of size 2 at addr ffff88804bc64272 by task poc/6431
CPU: 1 PID: 6431 Comm: poc Not tainted 6.0.0-rc4 #1
Call Trace:
nf_osf_match_one+0xbed/0xd10 net/netfilter/nfnetlink_osf.c:88
nf_osf_find+0x186/0x2f0 net/netfilter/nfnetlink_osf.c:281
nft_osf_eval+0x37f/0x590 net/netfilter/nft_osf.c:47
expr_call_ops_eval net/netfilter/nf_tables_core.c:214
nft_do_chain+0x2b0/0x1490 net/netfilter/nf_tables_core.c:264
nft_do_chain_ipv4+0x17c/0x1f0 net/netfilter/nft_chain_filter.c:23
[..]
Also add validation to genre, subtype and version fields.
Fixes: 11eeef41d5 ("netfilter: passive OS fingerprint xtables match")
Reported-by: Lucas Leong <wmliang@infosec.exchange>
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 6ad40b36cd3b04209e2d6c89d252c873d8082a59 ]
kcm_exit_net() should call mutex_destroy() on knet->mutex. This is especially
needed if CONFIG_DEBUG_MUTEXES is enabled.
Fixes: ab7ac4eb98 ("kcm: Kernel Connection Multiplexor module")
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Link: https://lore.kernel.org/r/20230902170708.1727999-1-syoshida@redhat.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b192812905e4b134f7b7994b079eb647e9d2d37e ]
As with sk->sk_shutdown shown in the previous patch, sk->sk_err can be
read locklessly by unix_dgram_sendmsg().
Let's use READ_ONCE() for sk_err as well.
Note that the writer side is marked by commit cc04410af7de ("af_unix:
annotate lockless accesses to sk->sk_err").
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit f31867d0d9d82af757c1e0178b659438f4c1ea3c ]
The existing code incorrectly casted a negative value (the result of a
subtraction) to an unsigned value without checking. For example, if
/proc/sys/net/ipv6/conf/*/temp_prefered_lft was set to 1, the preferred
lifetime would jump to 4 billion seconds. On my machine and network the
shortest lifetime that avoided underflow was 3 seconds.
Fixes: 76506a986d ("IPv6: fix DESYNC_FACTOR")
Signed-off-by: Alex Henrie <alexhenrie24@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 977ad86c2a1bcaf58f01ab98df5cc145083c489c upstream.
There was a previous attempt to fix an out-of-bounds access in the DCCP
error handlers, but that fix assumed that the error handlers only want
to access the first 8 bytes of the DCCP header. Actually, they also look
at the DCCP sequence number, which is stored beyond 8 bytes, so an
explicit pskb_may_pull() is required.
Fixes: 6706a97fec ("dccp: fix out of bound access in dccp_v4_err()")
Fixes: 1aa9d1a0e7 ("ipv6: dccp: fix out of bound access in dccp_v6_err()")
Cc: stable@vger.kernel.org
Signed-off-by: Jann Horn <jannh@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2ea35288c83b3d501a88bc17f2df8f176b5cc96f upstream.
Commit bf5c25d608 ("skbuff: in skb_segment, call zerocopy functions
once per nskb") added the call to zero copy functions in skb_segment().
The change introduced a bug in skb_segment() because skb_orphan_frags()
may possibly change the number of fragments or allocate new fragments
altogether leaving nrfrags and frag to point to the old values. This can
cause a panic with stacktrace like the one below.
[ 193.894380] BUG: kernel NULL pointer dereference, address: 00000000000000bc
[ 193.895273] CPU: 13 PID: 18164 Comm: vh-net-17428 Kdump: loaded Tainted: G O 5.15.123+ #26
[ 193.903919] RIP: 0010:skb_segment+0xb0e/0x12f0
[ 194.021892] Call Trace:
[ 194.027422] <TASK>
[ 194.072861] tcp_gso_segment+0x107/0x540
[ 194.082031] inet_gso_segment+0x15c/0x3d0
[ 194.090783] skb_mac_gso_segment+0x9f/0x110
[ 194.095016] __skb_gso_segment+0xc1/0x190
[ 194.103131] netem_enqueue+0x290/0xb10 [sch_netem]
[ 194.107071] dev_qdisc_enqueue+0x16/0x70
[ 194.110884] __dev_queue_xmit+0x63b/0xb30
[ 194.121670] bond_start_xmit+0x159/0x380 [bonding]
[ 194.128506] dev_hard_start_xmit+0xc3/0x1e0
[ 194.131787] __dev_queue_xmit+0x8a0/0xb30
[ 194.138225] macvlan_start_xmit+0x4f/0x100 [macvlan]
[ 194.141477] dev_hard_start_xmit+0xc3/0x1e0
[ 194.144622] sch_direct_xmit+0xe3/0x280
[ 194.147748] __dev_queue_xmit+0x54a/0xb30
[ 194.154131] tap_get_user+0x2a8/0x9c0 [tap]
[ 194.157358] tap_sendmsg+0x52/0x8e0 [tap]
[ 194.167049] handle_tx_zerocopy+0x14e/0x4c0 [vhost_net]
[ 194.173631] handle_tx+0xcd/0xe0 [vhost_net]
[ 194.176959] vhost_worker+0x76/0xb0 [vhost]
[ 194.183667] kthread+0x118/0x140
[ 194.190358] ret_from_fork+0x1f/0x30
[ 194.193670] </TASK>
In this case calling skb_orphan_frags() updated nr_frags leaving nrfrags
local variable in skb_segment() stale. This resulted in the code hitting
i >= nrfrags prematurely and trying to move to next frag_skb using
list_skb pointer, which was NULL, and caused kernel panic. Move the call
to zero copy functions before using frags and nr_frags.
Fixes: bf5c25d608 ("skbuff: in skb_segment, call zerocopy functions once per nskb")
Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
Reported-by: Amit Goyal <agoyal@purestorage.com>
Cc: stable@vger.kernel.org
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit e99476497687ef9e850748fe6d232264f30bc8f9 upstream.
sctp_mt_check doesn't validate the flag_count field. An attacker can
take advantage of that to trigger a OOB read and leak memory
information.
Add the field validation in the checkentry function.
Fixes: 2e4e6a17af ("[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables")
Cc: stable@vger.kernel.org
Reported-by: Lucas Leong <wmliang@infosec.exchange>
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 69c5d284f67089b4750d28ff6ac6f52ec224b330 upstream.
The xt_u32 module doesn't validate the fields in the xt_u32 structure.
An attacker may take advantage of this to trigger an OOB read by setting
the size fields with a value beyond the arrays boundaries.
Add a checkentry function to validate the structure.
This was originally reported by the ZDI project (ZDI-CAN-18408).
Fixes: 1b50b8a371 ("[NETFILTER]: Add u32 match")
Cc: stable@vger.kernel.org
Signed-off-by: Wander Lairson Costa <wander@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 050d91c03b28ca479df13dfb02bcd2c60dd6a878 upstream.
The missing IP_SET_HASH_WITH_NET0 macro in ip_set_hash_netportnet can
lead to the use of wrong `CIDR_POS(c)` for calculating array offsets,
which can lead to integer underflow. As a result, it leads to slab
out-of-bound access.
This patch adds back the IP_SET_HASH_WITH_NET0 macro to
ip_set_hash_netportnet to address the issue.
Fixes: 886503f34d63 ("netfilter: ipset: actually allow allowable CIDR 0 in hash:net,port,net")
Suggested-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Kyle Zeng <zengyhkyle@gmail.com>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit c3b704d4a4a265660e665df51b129e8425216ed1 upstream.
This is a follow up of commit 915d975b2ffa ("net: deal with integer
overflows in kmalloc_reserve()") based on David Laight feedback.
Back in 2010, I failed to realize malicious users could set dev->mtu
to arbitrary values. This mtu has been since limited to 0x7fffffff but
regardless of how big dev->mtu is, it makes no sense for igmpv3_newpack()
to allocate more than IP_MAX_MTU and risk various skb fields overflows.
Fixes: 57e1ab6ead ("igmp: refine skb allocations")
Link: https://lore.kernel.org/netdev/d273628df80f45428e739274ab9ecb72@AcuMS.aculab.com/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: David Laight <David.Laight@ACULAB.COM>
Cc: Kyle Zeng <zengyhkyle@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit b3d26c5702c7d6c45456326e56d2ccf3f103e60f ]
HFSC assumes that inner classes have an fsc curve, but it is currently
possible for classes without an fsc curve to become parents. This leads
to bugs including a use-after-free.
Don't allow non-root classes without HFSC_FSC to become parents.
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Budimir Markovic <markovicbudimir@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20230824084905.422-1-markovicbudimir@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit a171fbec88a2c730b108c7147ac5e7b2f5a02b47 ]
LWTUNNEL_XMIT_CONTINUE is implicitly assumed in ip(6)_finish_output2,
such that any positive return value from a xmit hook could cause
unexpected continue behavior, despite that related skb may have been
freed. This could be error-prone for future xmit hook ops. One of the
possible errors is to return statuses of dst_output directly.
To make the code safer, redefine LWTUNNEL_XMIT_CONTINUE value to
distinguish from dst_output statuses and check the continue
condition explicitly.
Fixes: 3a0af8fd61 ("bpf: BPF for lightweight tunnel infrastructure")
Suggested-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Yan Zhai <yan@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/96b939b85eda00e8df4f7c080f770970a4c5f698.1692326837.git.yan@cloudflare.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
commit 26b5a5712eb85e253724e56a54c17f8519bd8e4e upstream.
Missing NFT_TRANS_PREPARE_ERROR in 1df28fde1270 ("netfilter: nf_tables: add
NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") in 4.19.
Fixes: 1df28fde1270 ("netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain") in 4.19
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 0bdf399342c5acbd817c9098b6c7ed21f1974312 upstream.
BPF programs that run on connect can rewrite the connect address. For
the connect system call this isn't a problem, because a copy of the address
is made when it is moved into kernel space. However, kernel_connect
simply passes through the address it is given, so the caller may observe
its address value unexpectedly change.
A practical example where this is problematic is where NFS is combined
with a system such as Cilium which implements BPF-based load balancing.
A common pattern in software-defined storage systems is to have an NFS
mount that connects to a persistent virtual IP which in turn maps to an
ephemeral server IP. This is usually done to achieve high availability:
if your server goes down you can quickly spin up a replacement and remap
the virtual IP to that endpoint. With BPF-based load balancing, mounts
will forget the virtual IP address when the address rewrite occurs
because a pointer to the only copy of that address is passed down the
stack. Server failover then breaks, because clients have forgotten the
virtual IP address. Reconnects fail and mounts remain broken. This patch
was tested by setting up a scenario like this and ensuring that NFS
reconnects worked after applying the patch.
Signed-off-by: Jordan Rife <jrife@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit a0067dfcd9418fd3b0632bc59210d120d038a9c6 ]
The sctp_sf_eat_auth() function is supposed to return enum sctp_disposition
values but if the call to sctp_ulpevent_make_authkey() fails, it returns
-ENOMEM.
This results in calling BUG() inside the sctp_side_effects() function.
Calling BUG() is an over reaction and not helpful. Call WARN_ON_ONCE()
instead.
This code predates git.
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Ursula Braun
Kuniyuki Iwashima
Shigeru Yoshida
Willem de Bruijn
Yan Zhai
Eric Dumazet
Michael Bestas
Greg Kroah-Hartman
Florian Westphal
Zhang Changzhong
Kees Cook
Edward AD
Luiz Augusto von Dentz
Benjamin Berg
Wen Gong
Ying Hsu
Jordan Rife
Jeff Layton
Gavrilov Ilia
Pablo Neira Ayuso
Pedro Tammela
Neal Cardwell
Josua Mayer
Ma Ke
Krzysztof Kozlowski
Arnd Bergmann
Ziyang Xuan
Lee, Chun-Yi
Jeremy Cline
Randy Dunlap
Paolo Abeni
Ido Schimmel
Greg Kroah-Hartman
Xin Long
David Howells
Felix Riemann
Kyle Zeng
Budimir Markovic
valis
Jamal Hadi Salim
Wander Lairson Costa
Alex Henrie
Jann Horn
Mohamed Khalfella
wenxu
Dan Carpenter