9533 commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Greg Kroah-Hartman
|
79bd4cbaf9 |
This is the 4.19.199 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmEBH+4ACgkQONu9yGCS aT7yuQ//egce5FzvmQ5PHmXL6idX4qjFlXQHGvoQaeZY30BkpnrmvfGy88i16am/ T/4btxgFaFZCW2nkU2TDuAc1eHcorfkWEoFSWiao2I+UbyHsY5k1seafjKHKtdPZ CIq3e1iK4BdUoqdqM/a3w6r1xNj38t/EJuf7uXc8EkH5V37qm2ruzw1DUKB4EIvB ScM3bpFDBxlJDdXg1uls2OnVvivnlHyVPsbVcuskh3yTqzNhQQi58h6Az/Ed2Glq ajWnZ/lB2GQXOAz+S/ugquEbU5RZBH2+v3gyUEgP7ECwVaBzq6Mv7LcwcCBlN9Dh tzJRNgA9/Om4eaBp4oL9n6bIeVTwajpbZu+lMsI81AjJqkk8/69l7u+Yh4ST8y73 /O8DCfE2YZGPOAdDCtvDtzRcimpf3uGdAQNWpQ9JKyTNb1Q0L8OTe5BEYLHbeH1c bARR/sKBJTogHBNbiRaRbIJlmyEXD5vu9/HwE8UTd7H+NyQwhSY5mxKMx4QJiooC fbXS/ATyNO0SZek1oR8DqrozQ3iieBaIMEdlD4bHHkgtIr4ZLoxFqSRoyjM2G2sX yh2V5wrxfqJRA1o8N+9/M8itkL8/TGOqkB7aBc+IKE8Et28s7/sUUcbAZWhp1ldf 304V61wqedfZIW/jAyCP8ARGTIkDHSRZcKVHRYcE+N3tQoQhgX0= =3t6U -----END PGP SIGNATURE----- Merge 4.19.199 into android-4.19-stable Changes in 4.19.199 ARM: dts: gemini: rename mdio to the right name ARM: dts: gemini: add device_type on pci ARM: dts: rockchip: fix pinctrl sleep nodename for rk3036-kylin and rk3288 arm64: dts: rockchip: fix pinctrl sleep nodename for rk3399.dtsi ARM: dts: rockchip: Fix the timer clocks order ARM: dts: rockchip: Fix IOMMU nodes properties on rk322x ARM: dts: rockchip: Fix power-controller node names for rk3288 arm64: dts: rockchip: Fix power-controller node names for rk3328 reset: ti-syscon: fix to_ti_syscon_reset_data macro ARM: brcmstb: dts: fix NAND nodes names ARM: Cygnus: dts: fix NAND nodes names ARM: NSP: dts: fix NAND nodes names ARM: dts: BCM63xx: Fix NAND nodes names ARM: dts: Hurricane 2: Fix NAND nodes names ARM: dts: imx6: phyFLEX: Fix UART hardware flow control ARM: imx: pm-imx5: Fix references to imx5_cpu_suspend_info rtc: mxc_v2: add missing MODULE_DEVICE_TABLE ARM: dts: stm32: fix gpio-keys node on STM32 MCU boards ARM: dts: stm32: fix RCC node name on stm32f429 MCU ARM: dts: stm32: fix timer nodes on STM32 MCU to prevent warnings arm64: dts: juno: Update SCPI nodes as per the YAML schema ARM: dts: rockchip: fix supply properties in io-domains nodes ARM: dts: stm32: fix i2c node name on stm32f746 to prevent warnings ARM: dts: stm32: move stmmac axi config in ethernet node on stm32mp15 soc/tegra: fuse: Fix Tegra234-only builds arm64: dts: ls208xa: remove bus-num from dspi node thermal/core: Correct function name thermal_zone_device_unregister() kbuild: mkcompile_h: consider timestamp if KBUILD_BUILD_TIMESTAMP is set rtc: max77686: Do not enforce (incorrect) interrupt trigger type scsi: aic7xxx: Fix unintentional sign extension issue on left shift of u8 scsi: libsas: Add LUN number check in .slave_alloc callback scsi: libfc: Fix array index out of bound exception sched/fair: Fix CFS bandwidth hrtimer expiry type mm: slab: fix kmem_cache_create failed when sysfs node not destroyed dm writecache: return the exact table values that were set dm writecache: fix writing beyond end of underlying device when shrinking net: dsa: mv88e6xxx: enable .rmu_disable() on Topaz net: ipv6: fix return value of ip6_skb_dst_mtu netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo net: bridge: sync fdb to new unicast-filtering ports net: bcmgenet: Ensure all TX/RX queues DMAs are disabled net: moxa: fix UAF in moxart_mac_probe net: qcom/emac: fix UAF in emac_remove net: ti: fix UAF in tlan_remove_one net: send SYNACK packet with accepted fwmark net: validate lwtstate->data before returning from skb_tunnel_info() dma-buf/sync_file: Don't leak fences on merge failure tcp: annotate data races around tp->mtu_info ipv6: tcp: drop silly ICMPv6 packet too big messages bpftool: Properly close va_list 'ap' by va_end() on error udp: annotate data races around unix_sk(sk)->gso_size net: ip_tunnel: fix mtu calculation for ETHER tunnel devices igb: Fix use-after-free error during reset ixgbe: Fix an error handling path in 'ixgbe_probe()' igb: Fix an error handling path in 'igb_probe()' fm10k: Fix an error handling path in 'fm10k_probe()' e1000e: Fix an error handling path in 'e1000_probe()' iavf: Fix an error handling path in 'iavf_probe()' igb: Check if num of q_vectors is smaller than max before array access igb: Fix position of assignment to *ring ipv6: fix 'disable_policy' for fwd packets nvme-pci: do not call nvme_dev_remove_admin from nvme_remove perf map: Fix dso->nsinfo refcounting perf probe: Fix dso->nsinfo refcounting perf dso: Fix memory leak in dso__new_map() perf lzma: Close lzma stream on exit perf test bpf: Free obj_buf perf probe-file: Delete namelist in del_events() on the error path spi: mediatek: fix fifo rx mode liquidio: Fix unintentional sign extension issue on left shift of u16 s390/bpf: Perform r1 range checking before accessing jit->seen_reg[r1] bpftool: Check malloc return value in mount_bpffs_for_pin net: fix uninit-value in caif_seqpkt_sendmsg net: decnet: Fix sleeping inside in af_decnet KVM: PPC: Fix kvm_arch_vcpu_ioctl vcpu_load leak netrom: Decrease sock refcount when sock timers expire scsi: iscsi: Fix iface sysfs attr detection scsi: target: Fix protect handling in WRITE SAME(32) spi: cadence: Correct initialisation of runtime PM again net/tcp_fastopen: fix data races around tfo_active_disable_stamp net/sched: act_skbmod: Skip non-Ethernet packets nvme-pci: don't WARN_ON in nvme_reset_work if ctrl.state is not RESETTING Revert "USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem" sctp: update active_key for asoc when old key is being replaced net: sched: cls_api: Fix the the wrong parameter drm/panel: raspberrypi-touchscreen: Prevent double-free proc: Avoid mixing integer types in mem_rw() Revert "MIPS: add PMD table accounting into MIPS'pmd_alloc_one" s390/ftrace: fix ftrace_update_ftrace_func implementation ALSA: usb-audio: Add registration quirk for JBL Quantum headsets ALSA: sb: Fix potential ABBA deadlock in CSP driver xhci: Fix lost USB 2 remote wake KVM: PPC: Book3S: Fix H_RTAS rets buffer overflow usb: hub: Disable USB 3 device initiated lpm if exit latency is too high usb: hub: Fix link power management max exit latency (MEL) calculations USB: usb-storage: Add LaCie Rugged USB3-FW to IGNORE_UAS usb: max-3421: Prevent corruption of freed memory usb: renesas_usbhs: Fix superfluous irqs happen after usb_pkt_pop() USB: serial: option: add support for u-blox LARA-R6 family USB: serial: cp210x: fix comments for GE CS1000 USB: serial: cp210x: add ID for CEL EM3588 USB ZigBee stick usb: dwc2: gadget: Fix sending zero length packet in DDMA mode. tracing: Fix bug in rb_per_cpu_empty() that might cause deadloop. media: ngene: Fix out-of-bounds bug in ngene_command_config_free_buf() ixgbe: Fix packet corruption due to missing DMA sync selftest: use mmap instead of posix_memalign to allocate memory nds32: fix up stack guard gap drm: Return -ENOTTY for non-drm ioctls KVM: do not assume PTE is writable after follow_pfn KVM: do not allow mapping valid but non-reference-counted pages KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped() net: dsa: mv88e6xxx: use correct .stats_set_histogram() on Topaz net: bcmgenet: ensure EXT_ENERGY_DET_MASK is clear iio: accel: bma180: Use explicit member assignment iio: accel: bma180: Fix BMA25x bandwidth register values btrfs: compression: don't try to compress if we don't have enough pages PCI: Mark AMD Navi14 GPU ATS as broken spi: spi-fsl-dspi: Fix a resource leak in an error handling path xhci: add xhci_get_virt_ep() helper Linux 4.19.199 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I64b971750ef2532ef201367d980a3519b8c8a591 |
||
Eric Dumazet
|
86aef177e0 |
net/tcp_fastopen: fix data races around tfo_active_disable_stamp
[ Upstream commit 6f20c8adb1813467ea52c1296d52c4e95978cb2f ]
tfo_active_disable_stamp is read and written locklessly.
We need to annotate these accesses appropriately.
Then, we need to perform the atomic_inc(tfo_active_disable_times)
after the timestamp has been updated, and thus add barriers
to make sure tcp_fastopen_active_should_disable() wont read
a stale timestamp.
Fixes:
|
||
Hangbin Liu
|
be680f4bf7 |
net: ip_tunnel: fix mtu calculation for ETHER tunnel devices
commit 9992a078b1771da354ac1f9737e1e639b687caa2 upstream. Commit 28e104d00281 ("net: ip_tunnel: fix mtu calculation") removed dev->hard_header_len subtraction when calculate MTU for tunnel devices as there is an overhead for device that has header_ops. But there are ETHER tunnel devices, like gre_tap or erspan, which don't have header_ops but set dev->hard_header_len during setup. This makes pkts greater than (MTU - ETH_HLEN) could not be xmited. Fix it by subtracting the ETHER tunnel devices' dev->hard_header_len for MTU calculation. Fixes: 28e104d00281 ("net: ip_tunnel: fix mtu calculation") Reported-by: Jianlin Shi <jishi@redhat.com> Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Eric Dumazet
|
dd1f607cad |
udp: annotate data races around unix_sk(sk)->gso_size
commit 18a419bad63b7f68a1979e28459782518e7b6bbe upstream.
Accesses to unix_sk(sk)->gso_size are lockless.
Add READ_ONCE()/WRITE_ONCE() around them.
BUG: KCSAN: data-race in udp_lib_setsockopt / udpv6_sendmsg
write to 0xffff88812d78f47c of 2 bytes by task 10849 on cpu 1:
udp_lib_setsockopt+0x3b3/0x710 net/ipv4/udp.c:2696
udpv6_setsockopt+0x63/0x90 net/ipv6/udp.c:1630
sock_common_setsockopt+0x5d/0x70 net/core/sock.c:3265
__sys_setsockopt+0x18f/0x200 net/socket.c:2104
__do_sys_setsockopt net/socket.c:2115 [inline]
__se_sys_setsockopt net/socket.c:2112 [inline]
__x64_sys_setsockopt+0x62/0x70 net/socket.c:2112
do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0x44/0xae
read to 0xffff88812d78f47c of 2 bytes by task 10852 on cpu 0:
udpv6_sendmsg+0x161/0x16b0 net/ipv6/udp.c:1299
inet6_sendmsg+0x5f/0x80 net/ipv6/af_inet6.c:642
sock_sendmsg_nosec net/socket.c:654 [inline]
sock_sendmsg net/socket.c:674 [inline]
____sys_sendmsg+0x360/0x4d0 net/socket.c:2337
___sys_sendmsg net/socket.c:2391 [inline]
__sys_sendmmsg+0x315/0x4b0 net/socket.c:2477
__do_sys_sendmmsg net/socket.c:2506 [inline]
__se_sys_sendmmsg net/socket.c:2503 [inline]
__x64_sys_sendmmsg+0x53/0x60 net/socket.c:2503
do_syscall_64+0x4a/0x90 arch/x86/entry/common.c:47
entry_SYSCALL_64_after_hwframe+0x44/0xae
value changed: 0x0000 -> 0x0005
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 10852 Comm: syz-executor.0 Not tainted 5.13.0-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Fixes:
|
||
Eric Dumazet
|
4818f18704 |
ipv6: tcp: drop silly ICMPv6 packet too big messages
commit c7bb4b89033b764eb07db4e060548a6311d801ee upstream.
While TCP stack scales reasonably well, there is still one part that
can be used to DDOS it.
IPv6 Packet too big messages have to lookup/insert a new route,
and if abused by attackers, can easily put hosts under high stress,
with many cpus contending on a spinlock while one is stuck in fib6_run_gc()
ip6_protocol_deliver_rcu()
icmpv6_rcv()
icmpv6_notify()
tcp_v6_err()
tcp_v6_mtu_reduced()
inet6_csk_update_pmtu()
ip6_rt_update_pmtu()
__ip6_rt_update_pmtu()
ip6_rt_cache_alloc()
ip6_dst_alloc()
dst_alloc()
ip6_dst_gc()
fib6_run_gc()
spin_lock_bh() ...
Some of our servers have been hit by malicious ICMPv6 packets
trying to _increase_ the MTU/MSS of TCP flows.
We believe these ICMPv6 packets are a result of a bug in one ISP stack,
since they were blindly sent back for _every_ (small) packet sent to them.
These packets are for one TCP flow:
09:24:36.266491 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.266509 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.316688 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.316704 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
09:24:36.608151 IP6 Addr1 > Victim ICMP6, packet too big, mtu 1460, length 1240
TCP stack can filter some silly requests :
1) MTU below IPV6_MIN_MTU can be filtered early in tcp_v6_err()
2) tcp_v6_mtu_reduced() can drop requests trying to increase current MSS.
This tests happen before the IPv6 routing stack is entered, thus
removing the potential contention and route exhaustion.
Note that IPv6 stack was performing these checks, but too late
(ie : after the route has been added, and after the potential
garbage collect war)
v2: fix typo caught by Martin, thanks !
v3: exports tcp_mtu_to_mss(), caught by David, thanks !
Fixes:
|
||
Eric Dumazet
|
d694db2f90 |
tcp: annotate data races around tp->mtu_info
commit 561022acb1ce62e50f7a8258687a21b84282a4cb upstream.
While tp->mtu_info is read while socket is owned, the write
sides happen from err handlers (tcp_v[46]_mtu_reduced)
which only own the socket spinlock.
Fixes:
|
||
Greg Kroah-Hartman
|
97fd50773c |
This is the 4.19.198 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmD22r0ACgkQONu9yGCS aT7QGBAAjVxynXPmbTuTPEXe4JXpIypErZCbUt8hUdtUcGkR3C7Kpv4zfz2Sqejc W2NOGNrU6OtUR+pWR+GwwqfFzop4LZl5jj46CiMZ9mY81LVVh7dNxXx6huIXkgy5 rI8oQAPNn5QaWHNANgdjCgdXRbA7FxBHDfaiGvwQbTW92wLV/w4ZH1coFxkkVdV1 eL3wZnVf0SNw0WTDiRDfCEH9Wx7RvVZ9KI/TqVOxYKv3LPl3faJVbjbQ8aP0lBxQ Vx+SB0w6C8f/P1KVIgU+1VluWsiQzHSxrliK2JCFqCoUFvZ02l3c6G4W2bQUcPw/ HqkozAywWftEXYFuXAGKnRQjX97vKABF/A7FZG3FrmP3zuzeRnFWrlheFSAccGww K/QH4avlk/ZO0XPghnVJhlOaYvNU90cimFVfillnuMdGrUdElsZuEIGLj/7KaQOB GryuTyB8ZTVFCiHQlGKUY+3DMC5SJ4aHb1lpQd/+OGqgkUXMWXc9ZFshcLcsBZUE 88ruExWq8fTmLXI6d4u/WZDi7e4pMtnP2N0ahMWC/EzpiLYQWpmVCDzQm09SnpiB T4NdBP5vR96M9EF68xNNgrIIwn3aw/yKm3VQzy6eQLtQ7zFVxIpa8jdUDR5pYYJv rAtawF7cgT0BkTaOE6LUDFNdR8feYvE87nuyL5pVN5ZLOefpgMM= =ijbU -----END PGP SIGNATURE----- Merge 4.19.198 into android-4.19-stable Changes in 4.19.198 scsi: core: Retry I/O for Notify (Enable Spinup) Required error ALSA: usb-audio: fix rate on Ozone Z90 USB headset ALSA: usb-audio: Fix OOB access at proc output media: dvb-usb: fix wrong definition Input: usbtouchscreen - fix control-request directions net: can: ems_usb: fix use-after-free in ems_usb_disconnect() usb: gadget: eem: fix echo command packet response issue USB: cdc-acm: blacklist Heimann USB Appset device usb: dwc3: Fix debugfs creation flow usb: typec: Add the missed altmode_id_remove() in typec_register_altmode() xhci: solve a double free problem while doing s4 ntfs: fix validity check for file name attribute iov_iter_fault_in_readable() should do nothing in xarray case Input: joydev - prevent use of not validated data in JSIOCSBTNMAP ioctl arm_pmu: Fix write counter incorrect in ARMv7 big-endian mode ARM: dts: at91: sama5d4: fix pinctrl muxing btrfs: send: fix invalid path for unlink operations after parent orphanization btrfs: clear defrag status of a root if starting transaction fails ext4: cleanup in-core orphan list if ext4_truncate() failed to get a transaction handle ext4: fix kernel infoleak via ext4_extent_header ext4: return error code when ext4_fill_flex_info() fails ext4: correct the cache_nr in tracepoint ext4_es_shrink_exit ext4: remove check for zero nr_to_scan in ext4_es_scan() ext4: fix avefreec in find_group_orlov ext4: use ext4_grp_locked_error in mb_find_extent can: bcm: delay release of struct bcm_op after synchronize_rcu() can: gw: synchronize rcu operations before removing gw job entry can: peak_pciefd: pucan_handle_status(): fix a potential starvation issue in TX path SUNRPC: Fix the batch tasks count wraparound. SUNRPC: Should wake up the privileged task firstly. s390/cio: dont call css_wait_for_slow_path() inside a lock rtc: stm32: Fix unbalanced clk_disable_unprepare() on probe error path iio: light: tcs3472: do not free unallocated IRQ iio: ltr501: mark register holding upper 8 bits of ALS_DATA{0,1} and PS_DATA as volatile, too iio: ltr501: ltr559: fix initialization of LTR501_ALS_CONTR iio: ltr501: ltr501_read_ps(): add missing endianness conversion serial: sh-sci: Stop dmaengine transfer in sci_stop_tx() serial_cs: Add Option International GSM-Ready 56K/ISDN modem serial_cs: remove wrong GLOBETROTTER.cis entry ath9k: Fix kernel NULL pointer dereference during ath_reset_internal() ssb: sdio: Don't overwrite const buffer if block_write fails rsi: Assign beacon rate settings to the correct rate_info descriptor field rsi: fix AP mode with WPA failure due to encrypted EAPOL tracing/histograms: Fix parsing of "sym-offset" modifier tracepoint: Add tracepoint_probe_register_may_exist() for BPF tracing seq_buf: Make trace_seq_putmem_hex() support data longer than 8 powerpc/stacktrace: Fix spurious "stale" traces in raise_backtrace_ipi() evm: Execute evm_inode_init_security() only when an HMAC key is loaded evm: Refuse EVM_ALLOW_METADATA_WRITES only if an HMAC key is loaded fuse: check connected before queueing on fpq->io spi: Make of_register_spi_device also set the fwnode spi: spi-loopback-test: Fix 'tx_buf' might be 'rx_buf' spi: spi-topcliff-pch: Fix potential double free in pch_spi_process_messages() spi: omap-100k: Fix the length judgment problem regulator: uniphier: Add missing MODULE_DEVICE_TABLE crypto: nx - add missing MODULE_DEVICE_TABLE media: cpia2: fix memory leak in cpia2_usb_probe media: cobalt: fix race condition in setting HPD media: pvrusb2: fix warning in pvr2_i2c_core_done crypto: qat - check return code of qat_hal_rd_rel_reg() crypto: qat - remove unused macro in FW loader sched/fair: Fix ascii art by relpacing tabs media: em28xx: Fix possible memory leak of em28xx struct media: v4l2-core: Avoid the dangling pointer in v4l2_fh_release media: bt8xx: Fix a missing check bug in bt878_probe media: st-hva: Fix potential NULL pointer dereferences media: dvd_usb: memory leak in cinergyt2_fe_attach mmc: via-sdmmc: add a check against NULL pointer dereference crypto: shash - avoid comparing pointers to exported functions under CFI media: dvb_net: avoid speculation from net slot media: siano: fix device register error path media: imx-csi: Skip first few frames from a BT.656 source btrfs: fix error handling in __btrfs_update_delayed_inode btrfs: abort transaction if we fail to update the delayed inode btrfs: disable build on platforms having page size 256K regulator: da9052: Ensure enough delay time for .set_voltage_time_sel HID: do not use down_interruptible() when unbinding devices EDAC/ti: Add missing MODULE_DEVICE_TABLE ACPI: processor idle: Fix up C-state latency if not ordered hv_utils: Fix passing zero to 'PTR_ERR' warning lib: vsprintf: Fix handling of number field widths in vsscanf ACPI: EC: Make more Asus laptops use ECDT _GPE block_dump: remove block_dump feature in mark_inode_dirty() fs: dlm: cancel work sync othercon random32: Fix implicit truncation warning in prandom_seed_state() fs: dlm: fix memory leak when fenced ACPICA: Fix memory leak caused by _CID repair function ACPI: bus: Call kobject_put() in acpi_init() error path platform/x86: toshiba_acpi: Fix missing error code in toshiba_acpi_setup_keyboard() clocksource: Retry clock read if long delays detected ACPI: tables: Add custom DSDT file as makefile prerequisite HID: wacom: Correct base usage for capacitive ExpressKey status bits ia64: mca_drv: fix incorrect array size calculation media: s5p_cec: decrement usage count if disabled crypto: ixp4xx - dma_unmap the correct address crypto: ux500 - Fix error return code in hash_hw_final() sata_highbank: fix deferred probing pata_rb532_cf: fix deferred probing media: I2C: change 'RST' to "RSET" to fix multiple build errors pata_octeon_cf: avoid WARN_ON() in ata_host_activate() evm: fix writing <securityfs>/evm overflow crypto: ccp - Fix a resource leak in an error handling path media: rc: i2c: Fix an error message pata_ep93xx: fix deferred probing media: exynos4-is: Fix a use after free in isp_video_release media: tc358743: Fix error return code in tc358743_probe_of() media: gspca/gl860: fix zero-length control requests media: siano: Fix out-of-bounds warnings in smscore_load_firmware_family2() mmc: usdhi6rol0: fix error return code in usdhi6_probe() media: s5p-g2d: Fix a memory leak on ctx->fh.m2m_ctx hwmon: (max31722) Remove non-standard ACPI device IDs hwmon: (max31790) Fix fan speed reporting for fan7..12 btrfs: clear log tree recovering status if starting transaction fails spi: spi-sun6i: Fix chipselect/clock bug crypto: nx - Fix RCU warning in nx842_OF_upd_status ACPI: sysfs: Fix a buffer overrun problem with description_show() blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() blk-wbt: make sure throttle is enabled properly ocfs2: fix snprintf() checking net: mvpp2: Put fwnode in error case during ->probe() net: pch_gbe: Propagate error from devm_gpio_request_one() drm/rockchip: cdn-dp-core: add missing clk_disable_unprepare() on error in cdn_dp_grf_write() ehea: fix error return code in ehea_restart_qps() RDMA/rxe: Fix failure during driver load drm: qxl: ensure surf.data is ininitialized tools/bpftool: Fix error return code in do_batch() wireless: carl9170: fix LEDS build errors & warnings ieee802154: hwsim: Fix possible memory leak in hwsim_subscribe_all_others wcn36xx: Move hal_buf allocation to devm_kmalloc in probe ssb: Fix error return code in ssb_bus_scan() brcmfmac: fix setting of station info chains bitmask brcmfmac: correctly report average RSSI in station info brcmsmac: mac80211_if: Fix a resource leak in an error handling path ath10k: Fix an error code in ath10k_add_interface() netlabel: Fix memory leak in netlbl_mgmt_add_common RDMA/mlx5: Don't add slave port to unaffiliated list netfilter: nft_exthdr: check for IPv6 packet before further processing netfilter: nft_osf: check for TCP packet before further processing netfilter: nft_tproxy: restrict support to TCP and UDP transport protocols RDMA/rxe: Fix qp reference counting for atomic ops samples/bpf: Fix the error return code of xdp_redirect's main() net: ethernet: aeroflex: fix UAF in greth_of_remove net: ethernet: ezchip: fix UAF in nps_enet_remove net: ethernet: ezchip: fix error handling pkt_sched: sch_qfq: fix qfq_change_class() error path vxlan: add missing rcu_read_lock() in neigh_reduce() net/ipv4: swap flow ports when validating source ieee802154: hwsim: Fix memory leak in hwsim_add_one ieee802154: hwsim: avoid possible crash in hwsim_del_edge_nl() mac80211: remove iwlwifi specific workaround NDPs of null_response net: bcmgenet: Fix attaching to PYH failed on RPi 4B ipv6: exthdrs: do not blindly use init_net bpf: Do not change gso_size during bpf_skb_change_proto() i40e: Fix error handling in i40e_vsi_open i40e: Fix autoneg disabling for non-10GBaseT links Revert "ibmvnic: remove duplicate napi_schedule call in open function" ibmvnic: free tx_pool if tso_pool alloc fails ipv6: fix out-of-bound access in ip6_parse_tlv() Bluetooth: mgmt: Fix slab-out-of-bounds in tlv_data_is_valid Bluetooth: Fix handling of HCI_LE_Advertising_Set_Terminated event writeback: fix obtain a reference to a freeing memcg css net: lwtunnel: handle MTU calculation in forwading net: sched: fix warning in tcindex_alloc_perfect_hash RDMA/mlx5: Don't access NULL-cleared mpi pointer tty: nozomi: Fix a resource leak in an error handling function mwifiex: re-fix for unaligned accesses iio: adis_buffer: do not return ints in irq handlers iio: accel: bma180: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: bma220: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: hid: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: kxcjk-1013: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: stk8312: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: accel: stk8ba50: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: adc: ti-ads1015: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: adc: vf610: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: gyro: bmg160: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: humidity: am2315: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: prox: srf08: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: prox: pulsed-light: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: prox: as3935: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: light: isl29125: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: light: tcs3414: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: light: tcs3472: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: potentiostat: lmp91000: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() ASoC: hisilicon: fix missing clk_disable_unprepare() on error in hi6210_i2s_startup() ASoC: rsnd: tidyup loop on rsnd_adg_clk_query() Input: hil_kbd - fix error return code in hil_dev_connect() char: pcmcia: error out if 'num_bytes_read' is greater than 4 in set_protocol() tty: nozomi: Fix the error handling path of 'nozomi_card_init()' scsi: FlashPoint: Rename si_flags field fsi: core: Fix return of error values on failures fsi: scom: Reset the FSI2PIB engine for any error fsi/sbefifo: Clean up correct FIFO when receiving reset request from SBE fsi/sbefifo: Fix reset timeout visorbus: fix error return code in visorchipset_init() s390: appldata depends on PROC_SYSCTL eeprom: idt_89hpesx: Put fwnode in matching case during ->probe() eeprom: idt_89hpesx: Restore printing the unsupported fwnode name iio: adc: hx711: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: adc: mxs-lradc: Fix buffer alignment in iio_push_to_buffers_with_timestamp() iio: adc: ti-ads8688: Fix alignment of buffer in iio_push_to_buffers_with_timestamp() staging: gdm724x: check for buffer overflow in gdm_lte_multi_sdu_pkt() staging: gdm724x: check for overflow in gdm_lte_netif_rx() staging: mt7621-dts: fix pci address for PCI memory range serial: 8250: Actually allow UPF_MAGIC_MULTIPLIER baud rates iio: prox: isl29501: Fix buffer alignment in iio_push_to_buffers_with_timestamp() ASoC: cs42l42: Correct definition of CS42L42_ADC_PDN_MASK of: Fix truncation of memory sizes on 32-bit platforms mtd: rawnand: marvell: add missing clk_disable_unprepare() on error in marvell_nfc_resume() scsi: mpt3sas: Fix error return value in _scsih_expander_add() phy: ti: dm816x: Fix the error handling path in 'dm816x_usb_phy_probe() extcon: sm5502: Drop invalid register write in sm5502_reg_data extcon: max8997: Add missing modalias string ASoC: atmel-i2s: Fix usage of capture and playback at the same time configfs: fix memleak in configfs_release_bin_file leds: as3645a: Fix error return code in as3645a_parse_node() leds: ktd2692: Fix an error handling path powerpc: Offline CPU in stop_this_cpu() serial: mvebu-uart: correctly calculate minimal possible baudrate arm64: dts: marvell: armada-37xx: Fix reg for standard variant of UART vfio/pci: Handle concurrent vma faults mm/huge_memory.c: don't discard hugepage if other processes are mapping it selftests/vm/pkeys: fix alloc_random_pkey() to make it really, really random perf llvm: Return -ENOMEM when asprintf() fails mmc: block: Disable CMDQ on the ioctl path mmc: vub3000: fix control-request direction drm/mxsfb: Don't select DRM_KMS_FB_HELPER drm/zte: Don't select DRM_KMS_FB_HELPER drm/amd/amdgpu/sriov disable all ip hw status by default net: pch_gbe: Use proper accessors to BE data in pch_ptp_match() drm/amd/display: fix use_max_lb flag for 420 pixel formats hugetlb: clear huge pte during flush function on mips platform atm: iphase: fix possible use-after-free in ia_module_exit() mISDN: fix possible use-after-free in HFC_cleanup() atm: nicstar: Fix possible use-after-free in nicstar_cleanup() net: Treat __napi_schedule_irqoff() as __napi_schedule() on PREEMPT_RT reiserfs: add check for invalid 1st journal block drm/virtio: Fix double free on probe failure udf: Fix NULL pointer dereference in udf_symlink function e100: handle eeprom as little endian clk: renesas: r8a77995: Add ZA2 clock clk: tegra: Ensure that PLLU configuration is applied properly ipv6: use prandom_u32() for ID generation RDMA/cxgb4: Fix missing error code in create_qp() dm space maps: don't reset space map allocation cursor when committing pinctrl: mcp23s08: fix race condition in irq handler ice: set the value of global config lock timeout longer virtio_net: Remove BUG() to avoid machine dead net: bcmgenet: check return value after calling platform_get_resource() net: mvpp2: check return value after calling platform_get_resource() net: micrel: check return value after calling platform_get_resource() fjes: check return value after calling platform_get_resource() selinux: use __GFP_NOWARN with GFP_NOWAIT in the AVC xfrm: Fix error reporting in xfrm_state_construct. wlcore/wl12xx: Fix wl12xx get_mac error if device is in ELP wl1251: Fix possible buffer overflow in wl1251_cmd_scan cw1200: add missing MODULE_DEVICE_TABLE net: fix mistake path for netdev_features_strings rtl8xxxu: Fix device info for RTL8192EU devices MIPS: add PMD table accounting into MIPS'pmd_alloc_one atm: nicstar: use 'dma_free_coherent' instead of 'kfree' atm: nicstar: register the interrupt handler in the right place vsock: notify server to shutdown when client has pending signal RDMA/rxe: Don't overwrite errno from ib_umem_get() iwlwifi: mvm: don't change band on bound PHY contexts iwlwifi: pcie: free IML DMA memory allocation sfc: avoid double pci_remove of VFs sfc: error code if SRIOV cannot be disabled wireless: wext-spy: Fix out-of-bounds warning media, bpf: Do not copy more entries than user space requested net: ip: avoid OOM kills with large UDP sends over loopback RDMA/cma: Fix rdma_resolve_route() memory leak Bluetooth: Fix the HCI to MGMT status conversion table Bluetooth: Shutdown controller after workqueues are flushed or cancelled Bluetooth: btusb: fix bt fiwmare downloading failure issue for qca btsoc. sctp: validate from_addr_param return sctp: add size validation when walking chunks MIPS: set mips32r5 for virt extensions fscrypt: don't ignore minor_hash when hash is 0 bdi: Do not use freezable workqueue serial: mvebu-uart: clarify the baud rate derivation serial: mvebu-uart: fix calculation of clock divisor fuse: reject internal errno powerpc/barrier: Avoid collision with clang's __lwsync macro usb: gadget: f_fs: Fix setting of device and driver data cross-references drm/radeon: Add the missed drm_gem_object_put() in radeon_user_framebuffer_create() drm/amd/display: fix incorrrect valid irq check pinctrl/amd: Add device HID for new AMD GPIO controller drm/msm/mdp4: Fix modifier support enabling mmc: sdhci: Fix warning message when accessing RPMB in HS400 mode mmc: core: clear flags before allowing to retune mmc: core: Allow UHS-I voltage switch for SDSC cards if supported ata: ahci_sunxi: Disable DIPM cpu/hotplug: Cure the cpusets trainwreck clocksource/arm_arch_timer: Improve Allwinner A64 timer workaround ASoC: tegra: Set driver_name=tegra for all machine drivers qemu_fw_cfg: Make fw_cfg_rev_attr a proper kobj_attribute ipmi/watchdog: Stop watchdog timer when the current action is 'none' power: supply: ab8500: Fix an old bug seq_buf: Fix overflow in seq_buf_putmem_hex() tracing: Simplify & fix saved_tgids logic tracing: Resize tgid_map to pid_max, not PID_MAX_DEFAULT ipack/carriers/tpci200: Fix a double free in tpci200_pci_probe coresight: tmc-etf: Fix global-out-of-bounds in tmc_update_etf_buffer() dm btree remove: assign new_root only when removal succeeds PCI: Leave Apple Thunderbolt controllers on for s2idle or standby PCI: aardvark: Fix checking for PIO Non-posted Request media: subdev: disallow ioctl for saa6588/davinci media: dtv5100: fix control-request directions media: zr364xx: fix memory leak in zr364xx_start_readpipe media: gspca/sq905: fix control-request direction media: gspca/sunplus: fix zero-length control requests media: uvcvideo: Fix pixel format change for Elgato Cam Link 4K pinctrl: mcp23s08: Fix missing unlock on error in mcp23s08_irq() jfs: fix GPF in diFree smackfs: restrict bytes count in smk_set_cipso() KVM: x86: Use guest MAXPHYADDR from CPUID.0x8000_0008 iff TDP is enabled KVM: X86: Disable hardware breakpoints unconditionally before kvm_x86->run() scsi: core: Fix bad pointer dereference when ehandler kthread is invalid tracing: Do not reference char * as a string in histograms PCI: aardvark: Don't rely on jiffies while holding spinlock PCI: aardvark: Fix kernel panic during PIO transfer tty: serial: fsl_lpuart: fix the potential risk of division or modulo by zero misc/libmasm/module: Fix two use after free in ibmasm_init_one Revert "ALSA: bebob/oxfw: fix Kconfig entry for Mackie d.2 Pro" w1: ds2438: fixing bug that would always get page0 scsi: lpfc: Fix "Unexpected timeout" error in direct attach topology scsi: lpfc: Fix crash when lpfc_sli4_hba_setup() fails to initialize the SGLs scsi: core: Cap scsi_host cmd_per_lun at can_queue ALSA: ac97: fix PM reference leak in ac97_bus_remove() tty: serial: 8250: serial_cs: Fix a memory leak in error handling path scsi: scsi_dh_alua: Check for negative result value fs/jfs: Fix missing error code in lmLogInit() scsi: iscsi: Add iscsi_cls_conn refcount helpers scsi: iscsi: Fix conn use after free during resets scsi: iscsi: Fix shost->max_id use scsi: qedi: Fix null ref during abort handling mfd: da9052/stmpe: Add and modify MODULE_DEVICE_TABLE s390/sclp_vt220: fix console name to match device selftests: timers: rtcpie: skip test if default RTC device does not exist ALSA: sb: Fix potential double-free of CSP mixer elements powerpc/ps3: Add dma_mask to ps3_dma_region gpio: zynq: Check return value of pm_runtime_get_sync ALSA: ppc: fix error return code in snd_pmac_probe() selftests/powerpc: Fix "no_handler" EBB selftest gpio: pca953x: Add support for the On Semi pca9655 ASoC: soc-core: Fix the error return code in snd_soc_of_parse_audio_routing() Input: hideep - fix the uninitialized use in hideep_nvm_unlock() ALSA: bebob: add support for ToneWeal FW66 usb: gadget: f_hid: fix endianness issue with descriptors usb: gadget: hid: fix error return code in hid_bind() powerpc/boot: Fixup device-tree on little endian backlight: lm3630a: Fix return code of .update_status() callback ALSA: hda: Add IRQ check for platform_get_irq() staging: rtl8723bs: fix macro value for 2.4Ghz only device intel_th: Wait until port is in reset before programming it i2c: core: Disable client irq on reboot/shutdown lib/decompress_unlz4.c: correctly handle zero-padding around initrds. pwm: spear: Don't modify HW state in .remove callback power: supply: ab8500: Avoid NULL pointers power: supply: max17042: Do not enforce (incorrect) interrupt trigger type power: reset: gpio-poweroff: add missing MODULE_DEVICE_TABLE ARM: 9087/1: kprobes: test-thumb: fix for LLVM_IAS=1 watchdog: Fix possible use-after-free in wdt_startup() watchdog: sc520_wdt: Fix possible use-after-free in wdt_turnoff() watchdog: Fix possible use-after-free by calling del_timer_sync() watchdog: iTCO_wdt: Account for rebooting on second timeout x86/fpu: Return proper error codes from user access functions PCI: tegra: Add missing MODULE_DEVICE_TABLE orangefs: fix orangefs df output. ceph: remove bogus checks and WARN_ONs from ceph_set_page_dirty NFS: nfs_find_open_context() may only select open files power: supply: charger-manager: add missing MODULE_DEVICE_TABLE power: supply: ab8500: add missing MODULE_DEVICE_TABLE pwm: tegra: Don't modify HW state in .remove callback ACPI: AMBA: Fix resource name in /proc/iomem ACPI: video: Add quirk for the Dell Vostro 3350 virtio-blk: Fix memory leak among suspend/resume procedure virtio_net: Fix error handling in virtnet_restore() virtio_console: Assure used length from device is limited f2fs: add MODULE_SOFTDEP to ensure crc32 is included in the initramfs PCI/sysfs: Fix dsm_label_utf16s_to_utf8s() buffer overrun power: supply: rt5033_battery: Fix device tree enumeration NFSv4: Initialise connection to the server in nfs4_alloc_client() um: fix error return code in slip_open() um: fix error return code in winch_tramp() watchdog: aspeed: fix hardware timeout calculation nfs: fix acl memory leak of posix_acl_create() ubifs: Set/Clear I_LINKABLE under i_lock for whiteout inode PCI: iproc: Fix multi-MSI base vector number allocation PCI: iproc: Support multi-MSI only on uniprocessor kernel x86/fpu: Limit xstate copy size in xstateregs_set() virtio_net: move tx vq operation under tx queue lock ALSA: isa: Fix error return code in snd_cmi8330_probe() NFSv4/pNFS: Don't call _nfs4_pnfs_v3_ds_connect multiple times hexagon: use common DISCARDS macro reset: a10sr: add missing of_match_table reference ARM: dts: exynos: fix PWM LED max brightness on Odroid XU/XU3 ARM: dts: exynos: fix PWM LED max brightness on Odroid HC1 ARM: dts: exynos: fix PWM LED max brightness on Odroid XU4 memory: atmel-ebi: add missing of_node_put for loop iteration rtc: fix snprintf() checking in is_rtc_hctosys() arm64: dts: renesas: v3msk: Fix memory size ARM: dts: r8a7779, marzen: Fix DU clock names ARM: dts: BCM5301X: Fixup SPI binding reset: bail if try_module_get() fails memory: fsl_ifc: fix leak of IO mapping on probe failure memory: fsl_ifc: fix leak of private memory on probe failure ARM: dts: am335x: align ti,pindir-d0-out-d1-in property with dt-shema ARM: dts: am437x: align ti,pindir-d0-out-d1-in property with dt-shema ARM: dts: imx6q-dhcom: Fix ethernet reset time properties ARM: dts: imx6q-dhcom: Fix ethernet plugin detection problems ARM: dts: imx6q-dhcom: Add gpios pinctrl for i2c bus recovery scsi: be2iscsi: Fix an error handling path in beiscsi_dev_probe() mips: always link byteswap helpers into decompressor mips: disable branch profiling in boot/decompress.o MIPS: vdso: Invalid GIC access through VDSO net: bridge: multicast: fix PIM hello router port marking race scsi: scsi_dh_alua: Fix signedness bug in alua_rtpg() seq_file: disallow extremely large seq buffer allocations Linux 4.19.198 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iaa8a95c4d30ca85021bae6c60b4818038797e04e |
||
Jakub Kicinski
|
a847a5e256 |
net: ip: avoid OOM kills with large UDP sends over loopback
[ Upstream commit 6d123b81ac615072a8525c13c6c41b695270a15d ] Dave observed number of machines hitting OOM on the UDP send path. The workload seems to be sending large UDP packets over loopback. Since loopback has MTU of 64k kernel will try to allocate an skb with up to 64k of head space. This has a good chance of failing under memory pressure. What's worse if the message length is <32k the allocation may trigger an OOM killer. This is entirely avoidable, we can use an skb with page frags. af_unix solves a similar problem by limiting the head length to SKB_MAX_ALLOC. This seems like a good and simple approach. It means that UDP messages > 16kB will now use fragments if underlying device supports SG, if extra allocator pressure causes regressions in real workloads we can switch to trying the large allocation first and falling back. v4: pre-calculate all the additions to alloclen so we can be sure it won't go over order-2 Reported-by: Dave Jones <dsj@fb.com> Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Vadim Fedorenko
|
d76613a914 |
net: lwtunnel: handle MTU calculation in forwading
[ Upstream commit fade56410c22cacafb1be9f911a0afd3701d8366 ] Commit |
||
Miao Wang
|
0cb6b100b8 |
net/ipv4: swap flow ports when validating source
[ Upstream commit c69f114d09891adfa3e301a35d9e872b8b7b5a50 ]
When doing source address validation, the flowi4 struct used for
fib_lookup should be in the reverse direction to the given skb.
fl4_dport and fl4_sport returned by fib4_rules_early_flow_dissect
should thus be swapped.
Fixes:
|
||
Greg Kroah-Hartman
|
2215bae0d4 |
Linux 4.19.196
-----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE4n5dijQDou9mhzu83qZv95d3LNwFAmDcbzwACgkQ3qZv95d3 LNzv2hAAnwREyEjpd090vAeoekREYEnXoB4VIegr6X5Tp6Tyam2hn/Mcun09F07f rT5wWLi0iSgHHc8G071abaHvM1ZlGQlA+2YaswOcwn51Bh2ufQZRGx6OgNiT1wqz H/nBaYZhicXeD+EARxyaS2pnEJDMhtvV3x134pUvhLzusVWiLVGBM/esx8Xq6c+b vkTb7qforXDEoTF7OswQK9bfkAlASm9F74QCw88T6pug7gDz4tFTG//6qZ4Pu7kr 2FX3Str+FlTldhQIYABxvce4ahEhenj0rmMW2/ag+Ms+UJHmFzbxfyny9ugmQ8O8 ITks6l2cthcGXvWA9vAdu8SOHYsOIGhwyT3GyZR3SnakMe8rMorgTk3dfBfVHRj1 u4lVND/uPdE7GMySR6sxD3N+I6GPhnR++E5III9ON+gvwFG+7NZGfxOPciy16w25 7RZdalK/4nk+JmRof2vmpWcVVsOuLR5FdPs7dntnVW7RXEej4wl4Y4S6MQJ4gJ4s rGawLLcGl0EYa4XAWezlnjeLbynw6PaUdi5oj7Z1c0fQ2lR4kSCykaVSVy55huyv GS0c6BusIMek9h23NOJGIBz8Kf7/Zobj7cX1wIDizM+TwoXjl8dt00LiMl0PI6+C wn1cZWI5ONlZF+TUbFiPZgKa5N3V9gTIQ/dexKHsh1MJVgEWGtE= =6+7C -----END PGP SIGNATURE----- Merge 4.19.196 into android-4.19-stable Changes in 4.19.196 net: ieee802154: fix null deref in parse dev addr HID: quirks: Set INCREMENT_USAGE_ON_DUPLICATE for Saitek X65 HID: hid-sensor-hub: Return error for hid_set_field() failure HID: Add BUS_VIRTUAL to hid_connect logging HID: usbhid: fix info leak in hid_submit_ctrl ARM: OMAP2+: Fix build warning when mmc_omap is not built gfs2: Prevent direct-I/O write fallback errors from getting lost HID: gt683r: add missing MODULE_DEVICE_TABLE gfs2: Fix use-after-free in gfs2_glock_shrink_scan scsi: target: core: Fix warning on realtime kernels ethernet: myri10ge: Fix missing error code in myri10ge_probe() scsi: scsi_devinfo: Add blacklist entry for HPE OPEN-V nvme-loop: reset queue count to 1 in nvme_loop_destroy_io_queues() nvme-loop: clear NVME_LOOP_Q_LIVE when nvme_loop_configure_admin_queue() fails nvme-loop: check for NVME_LOOP_Q_LIVE in nvme_loop_destroy_admin_queue() net: ipconfig: Don't override command-line hostnames or domains rtnetlink: Fix missing error code in rtnl_bridge_notify() net/x25: Return the correct errno code net: Return the correct errno code fib: Return the correct errno code dmaengine: ALTERA_MSGDMA depends on HAS_IOMEM dmaengine: QCOM_HIDMA_MGMT depends on HAS_IOMEM dmaengine: stedma40: add missing iounmap() on error in d40_probe() afs: Fix an IS_ERR() vs NULL check mm/memory-failure: make sure wait for page writeback in memory_failure batman-adv: Avoid WARN_ON timing related checks net: ipv4: fix memory leak in netlbl_cipsov4_add_std net: rds: fix memory leak in rds_recvmsg udp: fix race between close() and udp_abort() rtnetlink: Fix regression in bridge VLAN configuration net/mlx5e: Remove dependency in IPsec initialization flows net/mlx5e: Block offload of outer header csum for UDP tunnels netfilter: synproxy: Fix out of bounds when parsing TCP options sch_cake: Fix out of bounds when parsing TCP options and header alx: Fix an error handling path in 'alx_probe()' net: stmmac: dwmac1000: Fix extended MAC address registers definition net: add documentation to socket.c net: make get_net_ns return error if NET_NS is disabled qlcnic: Fix an error handling path in 'qlcnic_probe()' netxen_nic: Fix an error handling path in 'netxen_nic_probe()' net: qrtr: fix OOB Read in qrtr_endpoint_post ptp: ptp_clock: Publish scaled_ppm_to_ppb ptp: improve max_adj check against unreasonable values net: cdc_ncm: switch to eth%d interface naming net: usb: fix possible use-after-free in smsc75xx_bind net: fec_ptp: fix issue caused by refactor the fec_devtype net: ipv4: fix memory leak in ip_mc_add1_src net/af_unix: fix a data-race in unix_dgram_sendmsg / unix_release_sock be2net: Fix an error handling path in 'be_probe()' net: hamradio: fix memory leak in mkiss_close net: cdc_eem: fix tx fixup skb leak icmp: don't send out ICMP messages with a source address of 0.0.0.0 net: ethernet: fix potential use-after-free in ec_bhf_remove ASoC: rt5659: Fix the lost powers for the HDA header pinctrl: ralink: rt2880: avoid to error in calls is pin is already enabled radeon: use memcpy_to/fromio for UVD fw upload hwmon: (scpi-hwmon) shows the negative temperature properly can: bcm: fix infoleak in struct bcm_msg_head can: mcba_usb: fix memory leak in mcba_usb usb: core: hub: Disable autosuspend for Cypress CY7C65632 tracing: Do not stop recording cmdlines when tracing is off tracing: Do not stop recording comms if the trace file is being read tracing: Do no increment trace_clock_global() by one PCI: Mark TI C667X to avoid bus reset PCI: Mark some NVIDIA GPUs to avoid bus reset PCI: Add ACS quirk for Broadcom BCM57414 NIC PCI: Work around Huawei Intelligent NIC VF FLR erratum ARCv2: save ABI registers across signal handling dmaengine: pl330: fix wrong usage of spinlock flags in dma_cyclc cfg80211: make certificate generation more robust net: bridge: fix vlan tunnel dst null pointer dereference net: bridge: fix vlan tunnel dst refcnt when egressing mm/slub: clarify verification reporting mm/slub.c: include swab.h net: fec_ptp: add clock rate zero check tools headers UAPI: Sync linux/in.h copy with the kernel sources KVM: arm/arm64: Fix KVM_VGIC_V3_ADDR_TYPE_REDIST read can: bcm/raw/isotp: use per module netdevice notifier inet: use bigger hash table for IP ID generation usb: dwc3: debugfs: Add and remove endpoint dirs dynamically usb: dwc3: core: fix kernel panic when do reboot x86/fpu: Reset state for all signal restore failures module: limit enabling module.sig_enforce drm/nouveau: wait for moving fence after pinning v2 drm/radeon: wait for moving fence after pinning ARM: 9081/1: fix gcc-10 thumb2-kernel regression Makefile: Move -Wno-unused-but-set-variable out of GCC only block MIPS: generic: Update node names to avoid unit addresses Revert "PCI: PM: Do not read power state in pci_enable_device_flags()" mac80211: remove warning in ieee80211_get_sband() cfg80211: call cfg80211_leave_ocb when switching away from OCB mac80211: drop multicast fragments net: ethtool: clear heap allocations for ethtool function ping: Check return value of function 'ping_queue_rcv_skb' inet: annotate date races around sk->sk_txhash net: caif: fix memory leak in ldisc_open net/packet: annotate accesses to po->bind net/packet: annotate accesses to po->ifindex r8152: Avoid memcpy() over-reading of ETH_SS_STATS sh_eth: Avoid memcpy() over-reading of ETH_SS_STATS r8169: Avoid memcpy() over-reading of ETH_SS_STATS KVM: selftests: Fix kvm_check_cap() assertion net: qed: Fix memcpy() overflow of qed_dcbx_params() PCI: Add AMD RS690 quirk to enable 64-bit DMA net: ll_temac: Avoid ndo_start_xmit returning NETDEV_TX_BUSY pinctrl: stm32: fix the reported number of GPIO lines per bank nilfs2: fix memory leak in nilfs_sysfs_delete_device_group i2c: robotfuzz-osif: fix control-request directions Linux 4.19.196 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I50d641505bc18d2dc4b4131643de3bfd8e8a8e6e |
||
Zheng Yongjun
|
1d86498c25 |
ping: Check return value of function 'ping_queue_rcv_skb'
[ Upstream commit 9d44fa3e50cc91691896934d106c86e4027e61ca ] Function 'ping_queue_rcv_skb' not always return success, which will also return fail. If not check the wrong return value of it, lead to function `ping_rcv` return success. Signed-off-by: Zheng Yongjun <zhengyongjun3@huawei.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
7f7e23df85 |
inet: use bigger hash table for IP ID generation
commit aa6dd211e4b1dde9d5dc25d699d35f789ae7eeba upstream. In commit |
||
Toke Høiland-Jørgensen
|
3bf50dc858 |
icmp: don't send out ICMP messages with a source address of 0.0.0.0
[ Upstream commit 321827477360934dc040e9d3c626bf1de6c3ab3c ]
When constructing ICMP response messages, the kernel will try to pick a
suitable source address for the outgoing packet. However, if no IPv4
addresses are configured on the system at all, this will fail and we end up
producing an ICMP message with a source address of 0.0.0.0. This can happen
on a box routing IPv4 traffic via v6 nexthops, for instance.
Since 0.0.0.0 is not generally routable on the internet, there's a good
chance that such ICMP messages will never make it back to the sender of the
original packet that the ICMP message was sent in response to. This, in
turn, can create connectivity and PMTUd problems for senders. Fortunately,
RFC7600 reserves a dummy address to be used as a source for ICMP
messages (192.0.0.8/32), so let's teach the kernel to substitute that
address as a last resort if the regular source address selection procedure
fails.
Below is a quick example reproducing this issue with network namespaces:
ip netns add ns0
ip l add type veth peer netns ns0
ip l set dev veth0 up
ip a add 10.0.0.1/24 dev veth0
ip a add fc00:dead:cafe:42::1/64 dev veth0
ip r add 10.1.0.0/24 via inet6 fc00:dead:cafe:42::2
ip -n ns0 l set dev veth0 up
ip -n ns0 a add fc00:dead:cafe:42::2/64 dev veth0
ip -n ns0 r add 10.0.0.0/24 via inet6 fc00:dead:cafe:42::1
ip netns exec ns0 sysctl -w net.ipv4.icmp_ratelimit=0
ip netns exec ns0 sysctl -w net.ipv4.ip_forward=1
tcpdump -tpni veth0 -c 2 icmp &
ping -w 1 10.1.0.1 > /dev/null
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on veth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 29, seq 1, length 64
IP 0.0.0.0 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
2 packets captured
2 packets received by filter
0 packets dropped by kernel
With this patch the above capture changes to:
IP 10.0.0.1 > 10.1.0.1: ICMP echo request, id 31127, seq 1, length 64
IP 192.0.0.8 > 10.0.0.1: ICMP net 10.1.0.1 unreachable, length 92
Fixes:
|
||
Chengyang Fan
|
1e28018b5c |
net: ipv4: fix memory leak in ip_mc_add1_src
[ Upstream commit d8e2973029b8b2ce477b564824431f3385c77083 ] BUG: memory leak unreferenced object 0xffff888101bc4c00 (size 32): comm "syz-executor527", pid 360, jiffies 4294807421 (age 19.329s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 01 00 00 00 00 00 00 00 ac 14 14 bb 00 00 02 00 ................ backtrace: [<00000000f17c5244>] kmalloc include/linux/slab.h:558 [inline] [<00000000f17c5244>] kzalloc include/linux/slab.h:688 [inline] [<00000000f17c5244>] ip_mc_add1_src net/ipv4/igmp.c:1971 [inline] [<00000000f17c5244>] ip_mc_add_src+0x95f/0xdb0 net/ipv4/igmp.c:2095 [<000000001cb99709>] ip_mc_source+0x84c/0xea0 net/ipv4/igmp.c:2416 [<0000000052cf19ed>] do_ip_setsockopt net/ipv4/ip_sockglue.c:1294 [inline] [<0000000052cf19ed>] ip_setsockopt+0x114b/0x30c0 net/ipv4/ip_sockglue.c:1423 [<00000000477edfbc>] raw_setsockopt+0x13d/0x170 net/ipv4/raw.c:857 [<00000000e75ca9bb>] __sys_setsockopt+0x158/0x270 net/socket.c:2117 [<00000000bdb993a8>] __do_sys_setsockopt net/socket.c:2128 [inline] [<00000000bdb993a8>] __se_sys_setsockopt net/socket.c:2125 [inline] [<00000000bdb993a8>] __x64_sys_setsockopt+0xba/0x150 net/socket.c:2125 [<000000006a1ffdbd>] do_syscall_64+0x40/0x80 arch/x86/entry/common.c:47 [<00000000b11467c4>] entry_SYSCALL_64_after_hwframe+0x44/0xae In commit |
||
Paolo Abeni
|
2f73448041 |
udp: fix race between close() and udp_abort()
[ Upstream commit a8b897c7bcd47f4147d066e22cc01d1026d7640e ]
Kaustubh reported and diagnosed a panic in udp_lib_lookup().
The root cause is udp_abort() racing with close(). Both
racing functions acquire the socket lock, but udp{v6}_destroy_sock()
release it before performing destructive actions.
We can't easily extend the socket lock scope to avoid the race,
instead use the SOCK_DEAD flag to prevent udp_abort from doing
any action when the critical race happens.
Diagnosed-and-tested-by: Kaustubh Pandey <kapandey@codeaurora.org>
Fixes:
|
||
Nanyong Sun
|
5340858147 |
net: ipv4: fix memory leak in netlbl_cipsov4_add_std
[ Upstream commit d612c3f3fae221e7ea736d196581c2217304bbbc ]
Reported by syzkaller:
BUG: memory leak
unreferenced object 0xffff888105df7000 (size 64):
comm "syz-executor842", pid 360, jiffies 4294824824 (age 22.546s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000e67ed558>] kmalloc include/linux/slab.h:590 [inline]
[<00000000e67ed558>] kzalloc include/linux/slab.h:720 [inline]
[<00000000e67ed558>] netlbl_cipsov4_add_std net/netlabel/netlabel_cipso_v4.c:145 [inline]
[<00000000e67ed558>] netlbl_cipsov4_add+0x390/0x2340 net/netlabel/netlabel_cipso_v4.c:416
[<0000000006040154>] genl_family_rcv_msg_doit.isra.0+0x20e/0x320 net/netlink/genetlink.c:739
[<00000000204d7a1c>] genl_family_rcv_msg net/netlink/genetlink.c:783 [inline]
[<00000000204d7a1c>] genl_rcv_msg+0x2bf/0x4f0 net/netlink/genetlink.c:800
[<00000000c0d6a995>] netlink_rcv_skb+0x134/0x3d0 net/netlink/af_netlink.c:2504
[<00000000d78b9d2c>] genl_rcv+0x24/0x40 net/netlink/genetlink.c:811
[<000000009733081b>] netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
[<000000009733081b>] netlink_unicast+0x4a0/0x6a0 net/netlink/af_netlink.c:1340
[<00000000d5fd43b8>] netlink_sendmsg+0x789/0xc70 net/netlink/af_netlink.c:1929
[<000000000a2d1e40>] sock_sendmsg_nosec net/socket.c:654 [inline]
[<000000000a2d1e40>] sock_sendmsg+0x139/0x170 net/socket.c:674
[<00000000321d1969>] ____sys_sendmsg+0x658/0x7d0 net/socket.c:2350
[<00000000964e16bc>] ___sys_sendmsg+0xf8/0x170 net/socket.c:2404
[<000000001615e288>] __sys_sendmsg+0xd3/0x190 net/socket.c:2433
[<000000004ee8b6a5>] do_syscall_64+0x37/0x90 arch/x86/entry/common.c:47
[<00000000171c7cee>] entry_SYSCALL_64_after_hwframe+0x44/0xae
The memory of doi_def->map.std pointing is allocated in
netlbl_cipsov4_add_std, but no place has freed it. It should be
freed in cipso_v4_doi_free which frees the cipso DOI resource.
Fixes:
|
||
Josh Triplett
|
51c0007f4c |
net: ipconfig: Don't override command-line hostnames or domains
[ Upstream commit b508d5fb69c2211a1b860fc058aafbefc3b3c3cd ] If the user specifies a hostname or domain name as part of the ip= command-line option, preserve it and don't overwrite it with one supplied by DHCP/BOOTP. For instance, ip=::::myhostname::dhcp will use "myhostname" rather than ignoring and overwriting it. Fix the comment on ic_bootp_string that suggests it only copies a string "if not already set"; it doesn't have any such logic. Signed-off-by: Josh Triplett <josh@joshtriplett.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
011b73c995 |
This is the 4.19.191 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmCoybcACgkQONu9yGCS aT7dBQ//ZniOtxGdujpsPI6Fs7ET0E9K9Pa6hfxneiffPEgEtfA3ab9g7Y88fb9m vzXCpghzPmqk5Fd/+qDeIFxTaEQ1OoUWdx8uXF56XXh5NqTPLJ/gqmgcIqAnPrVq HefKZg3RiOLC4dT0LqALeqDF0dFrXEw+iOnlctXcjOjX6CSUtiLeyTIS5pytv1Ap rMlAkwfYuyBXs8almb6gb+JbemljgvLB9uB0RNG1YxXN5b/y6LqfDdpJIQCaWGxZ p+EYIbCp1NporUTpbWUJWaMD7krMpNhdeOMlkP4fUYmCYkFXqn1CSWVEYZjTDuah HFr57qshm7EMpjBofDCBhjCsphmcFnzkIKON8kH3HXYCb3HNYVo7rWkXg4KRS5XH kUFPmvgSmLi8Ad4dMc/xBBShB/fYaT1Ij1UB0iyKl4R/MDJ+gf6tjKQsFfK5Losr pyXEPyOWmXyWCgMUilWd2nnhkxfrBtXkxlbR1XlXfZ3Sn6GJANN7/Of2mmXFQB1E YBnL+H3bQSkdoZnoGQCktxs+hj74cG167/zSRNC/dFmBhuAmmDZXiR0ai020iyNw Grzv55owpby0HBpJXSWMBYUvV+2PfhZ69JjHc/bfoPUkeMgtW+oeDY2R5rk/enmW 0aNOycvMQujU7IzBdg8TaqHH6rIRSoFowcUXLLAwzoMt0AcE1c4= =V0VA -----END PGP SIGNATURE----- Merge 4.19.191 into android-4.19-stable Changes in 4.19.191 s390/disassembler: increase ebpf disasm buffer size ACPI: custom_method: fix potential use-after-free issue ACPI: custom_method: fix a possible memory leak ftrace: Handle commands when closing set_ftrace_filter file ARM: 9056/1: decompressor: fix BSS size calculation for LLVM ld.lld arm64: dts: marvell: armada-37xx: add syscon compatible to NB clk node arm64: dts: mt8173: fix property typo of 'phys' in dsi node ecryptfs: fix kernel panic with null dev_name mtd: spinand: core: add missing MODULE_DEVICE_TABLE() mtd: rawnand: atmel: Update ecc_stats.corrected counter spi: spi-ti-qspi: Free DMA resources scsi: qla2xxx: Fix crash in qla2xxx_mqueuecommand() mmc: sdhci-pci: Fix initialization of some SD cards for Intel BYT-based controllers mmc: block: Update ext_csd.cache_ctrl if it was written mmc: block: Issue a cache flush only when it's enabled mmc: core: Do a power cycle when the CMD11 fails mmc: core: Set read only for SD cards with permanent write protect bit erofs: add unsupported inode i_format check cifs: Return correct error code from smb2_get_enc_key btrfs: fix metadata extent leak after failure to create subvolume intel_th: pci: Add Rocket Lake CPU support fbdev: zero-fill colormap in fbcmap.c staging: wimax/i2400m: fix byte-order issue crypto: api - check for ERR pointers in crypto_destroy_tfm() usb: gadget: uvc: add bInterval checking for HS mode genirq/matrix: Prevent allocation counter corruption usb: gadget: f_uac1: validate input parameters usb: dwc3: gadget: Ignore EP queue requests during bus reset usb: xhci: Fix port minor revision PCI: PM: Do not read power state in pci_enable_device_flags() x86/build: Propagate $(CLANG_FLAGS) to $(REALMODE_FLAGS) tee: optee: do not check memref size on return from Secure World perf/arm_pmu_platform: Fix error handling usb: xhci-mtk: support quirk to disable usb2 lpm xhci: check control context is valid before dereferencing it. xhci: fix potential array out of bounds with several interrupters spi: dln2: Fix reference leak to master spi: omap-100k: Fix reference leak to master intel_th: Consistency and off-by-one fix phy: phy-twl4030-usb: Fix possible use-after-free in twl4030_usb_remove() btrfs: convert logic BUG_ON()'s in replace_path to ASSERT()'s scsi: lpfc: Fix incorrect dbde assignment when building target abts wqe scsi: lpfc: Fix pt2pt connection does not recover after LOGO scsi: target: pscsi: Fix warning in pscsi_complete_cmd() media: ite-cir: check for receive overflow media: drivers: media: pci: sta2x11: fix Kconfig dependency on GPIOLIB power: supply: bq27xxx: fix power_avg for newer ICs extcon: arizona: Fix some issues when HPDET IRQ fires after the jack has been unplugged media: media/saa7164: fix saa7164_encoder_register() memory leak bugs media: gspca/sq905.c: fix uninitialized variable power: supply: Use IRQF_ONESHOT drm/amdgpu : Fix asic reset regression issue introduce by 8f211fe8ac7c4f scsi: qla2xxx: Always check the return value of qla24xx_get_isp_stats() scsi: qla2xxx: Fix use after free in bsg scsi: scsi_dh_alua: Remove check for ASC 24h in alua_rtpg() media: em28xx: fix memory leak media: vivid: update EDID clk: socfpga: arria10: Fix memory leak of socfpga_clk on error return power: supply: generic-adc-battery: fix possible use-after-free in gab_remove() power: supply: s3c_adc_battery: fix possible use-after-free in s3c_adc_bat_remove() media: tc358743: fix possible use-after-free in tc358743_remove() media: adv7604: fix possible use-after-free in adv76xx_remove() media: i2c: adv7511-v4l2: fix possible use-after-free in adv7511_remove() media: i2c: adv7842: fix possible use-after-free in adv7842_remove() media: dvb-usb: fix memory leak in dvb_usb_adapter_init media: gscpa/stv06xx: fix memory leak drm/msm/mdp5: Configure PP_SYNC_HEIGHT to double the vtotal amdgpu: avoid incorrect %hu format string drm/amdgpu: fix NULL pointer dereference scsi: lpfc: Fix crash when a REG_RPI mailbox fails triggering a LOGO response scsi: lpfc: Remove unsupported mbox PORT_CAPABILITIES logic scsi: libfc: Fix a format specifier s390/archrandom: add parameter check for s390_arch_random_generate ALSA: emu8000: Fix a use after free in snd_emu8000_create_mixer ALSA: hda/conexant: Re-order CX5066 quirk table entries ALSA: sb: Fix two use after free in snd_sb_qsound_build ALSA: usb-audio: Explicitly set up the clock selector ALSA: usb-audio: More constifications ALSA: usb-audio: Add dB range mapping for Sennheiser Communications Headset PC 8 ALSA: hda/realtek: Add quirk for Intel Clevo PCx0Dx btrfs: fix race when picking most recent mod log operation for an old root arm64/vdso: Discard .note.gnu.property sections in vDSO ubifs: Only check replay with inode type to judge if inode linked f2fs: fix to avoid out-of-bounds memory access mlxsw: spectrum_mr: Update egress RIF list before route's action openvswitch: fix stack OOB read while fragmenting IPv4 packets ACPI: GTDT: Don't corrupt interrupt mappings on watchdow probe failure NFS: Don't discard pNFS layout segments that are marked for return NFSv4: Don't discard segments marked for return in _pnfs_return_layout() jffs2: Fix kasan slab-out-of-bounds problem powerpc/eeh: Fix EEH handling for hugepages in ioremap space. powerpc: fix EDEADLOCK redefinition error in uapi/asm/errno.h intel_th: pci: Add Alder Lake-M support tpm: vtpm_proxy: Avoid reading host log when using a virtual device md/raid1: properly indicate failure when ending a failed write request dm raid: fix inconclusive reshape layout on fast raid4/5/6 table reload sequences security: commoncap: fix -Wstringop-overread warning Fix misc new gcc warnings jffs2: check the validity of dstlen in jffs2_zlib_compress() Revert |
||
Jonathon Reinhart
|
992de06308 |
net: Only allow init netns to set default tcp cong to a restricted algo
commit 8d432592f30fcc34ef5a10aac4887b4897884493 upstream.
tcp_set_default_congestion_control() is netns-safe in that it writes
to &net->ipv4.tcp_congestion_control, but it also sets
ca->flags |= TCP_CONG_NON_RESTRICTED which is not namespaced.
This has the unintended side-effect of changing the global
net.ipv4.tcp_allowed_congestion_control sysctl, despite the fact that it
is read-only: 97684f0970f6 ("net: Make tcp_allowed_congestion_control
readonly in non-init netns")
Resolve this netns "leak" by only allowing the init netns to set the
default algorithm to one that is restricted. This restriction could be
removed if tcp_allowed_congestion_control were namespace-ified in the
future.
This bug was uncovered with
https://github.com/JonathonReinhart/linux-netns-sysctl-verify
Fixes:
|
||
Greg Kroah-Hartman
|
6b79701b0a |
This is the 4.19.188 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmB5XeQACgkQONu9yGCS aT75oQ/+KfnsxqpM1VNWt4S6iX1nthN7X/yrY9UxrCZh8zExS0GYJe8FlPimVadB yIkURRm62Caesh5MwQUFdeNisAN3Ns+YeCV9SDTfSQCdfXAsTsUpm91+Q0PlmEqc lfj33yzPdLysP52CQUT8J6oGTJk18kMVRbBnwuDXbUTaShPfjwLN9ZtNyvSLF9TS Frtj69yJuCYlX/8K4tm26h+WFQDZ7mUAAToB8hDux3+Hit4t4v2y9Fx1tFDe34qd ZFWs2HX9D95cTg4Qq6dMv4HmIwiUwe3S3wMBcZSwu/nQfRgabxe/bFutU3QZw4QP EP3afVdDt9f/L5AMpuhCVIXB2mhUd1VPl78JSyZNCzaW4PSIFPJin9QaC8RfyC/F 2JVQP8Imi25x4TPWfEC4WIqyWyegiDP9qb8lTQB1VB2VKQbLksqx9J4FFm1jEc0P iGfE0CbpP6+OfGppPejAQxeVpFv76jGEkvweSbfqvtggivh6Q+yk7+AqiUbP5xO9 /xQFxb5xJ152JFMqeJ3Wly1XW4eVQ+UOo6N6419nTWo9GoEOPtjgRbavdc7ft5VL 9U4kRXO8+q3XNOcATrMod1vaExsd2CvIDiPvRHs1183tqPBxrEHBOXCDE6PY23pi 6vn3WgLts+HMcvqGCClvga8h60gYuKZ5wVBhNejlLJydhZdvPW4= =Z0cT -----END PGP SIGNATURE----- Merge 4.19.188 into android-4.19-stable Changes in 4.19.188 KVM: arm64: Hide system instruction access to Trace registers KVM: arm64: Disable guest access to trace filter controls drm/imx: imx-ldb: fix out of bounds array access warning gfs2: report "already frozen/thawed" errors drm/tegra: dc: Don't set PLL clock to 0Hz block: only update parent bi_status when bio fail riscv,entry: fix misaligned base for excp_vect_table net: phy: broadcom: Only advertise EEE for supported modes staging: m57621-mmc: delete driver from the tree. netfilter: x_tables: fix compat match/target pad out-of-bound write driver core: Fix locking bug in deferred_probe_timeout_work_func() perf map: Tighten snprintf() string precision to pass gcc check on some 32-bit arches xen/events: fix setting irq affinity Linux 4.19.188 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I7cc3b26cb1f8929e20fbdb1e6585f888da31d1e6 |
||
Florian Westphal
|
12ec80252e |
netfilter: x_tables: fix compat match/target pad out-of-bound write
commit b29c457a6511435960115c0f548c4360d5f4801d upstream.
xt_compat_match/target_from_user doesn't check that zeroing the area
to start of next rule won't write past end of allocated ruleset blob.
Remove this code and zero the entire blob beforehand.
Reported-by: syzbot+cfc0247ac173f597aaaa@syzkaller.appspotmail.com
Reported-by: Andy Nguyen <theflow@google.com>
Fixes:
|
||
Greg Kroah-Hartman
|
8c62f42548 |
This is the 4.19.185 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBtjk0ACgkQONu9yGCS aT67fA//b+kjELShGiGxLBK+dWFXnYn8tLJJ6G1Bq2WvBiMxSkbXgG5tCqJKAk0t yhva5Ljo7eAJ9GEQnv/UL3qnsrW4r6ThT3u0Ort2YxBi3pw2U8PyU7pRTFSnGj/C QxtGvXfh5DIsxOWppbUz5X8jWABTrYXmMEe7WCONVFTLWwHuhV4RRPycvis8wY4w 1NtGx5KVJR1EYANXHrhKsI4J9dCAXg+K9I6PyWkHDEzCgXrwdticMNOVYgZ5ByTN ofkmBX+j/AL2veXTV8sAOA/H9SQ0pJStzy99IoZQ/IzFAKqCuh+JhkMvnDQYhfx1 eDwTFG7Dl6pCbyCsb2iGXzJioTuk5LGXw7+uqVXO1YRUNpekl7x97rhn/q6PoEof OImU1+MOBPhVZVA0yYYQf6URCxh7F/s7MsbenmxZbIF9tstZC7HoezqzdFg4YF/I pKqlIBxSes+fJCZb1LiQI2KkaNtD0i/KJljGduCkPF4Axgb2/KEmePDyIeB8hr12 nT++9BIkIFM4d19IgtBnWrOIuALx15WeEQKXzbUxl9nt2peh7K6HvjcXJUOxJz2W qsdHnjGE1v6atKHD4DiDRAnliD9cJ41ImP3S8WHH1UxWNOMQ/dTlBAY7Z+XC/4eo 8+6gqAE8MHKvP62yd4zsuWXkhnUeryRtL8AGBvVxkTFa/mtaKAU= =rqGc -----END PGP SIGNATURE----- Merge 4.19.185 into android-4.19-stable Changes in 4.19.185 selinux: vsock: Set SID for socket returned by accept() tcp: relookup sock for RST+ACK packets handled by obsolete req sock ipv6: weaken the v4mapped source check ext4: fix bh ref count on error paths rpc: fix NULL dereference on kmalloc failure ASoC: rt5640: Fix dac- and adc- vol-tlv values being off by a factor of 10 ASoC: rt5651: Fix dac- and adc- vol-tlv values being off by a factor of 10 ASoC: sgtl5000: set DAP_AVC_CTRL register to correct default value on probe ASoC: es8316: Simplify adc_pga_gain_tlv table ASoC: cs42l42: Fix Bitclock polarity inversion ASoC: cs42l42: Fix channel width support ASoC: cs42l42: Fix mixer volume control ASoC: cs42l42: Always wait at least 3ms after reset vhost: Fix vhost_vq_reset() scsi: st: Fix a use after free in st_open() scsi: qla2xxx: Fix broken #endif placement staging: comedi: cb_pcidas: fix request_irq() warn staging: comedi: cb_pcidas64: fix request_irq() warn ASoC: rt5659: Update MCLK rate in set_sysclk() thermal/core: Add NULL pointer check before using cooling device stats locking/ww_mutex: Simplify use_ww_ctx & ww_ctx handling ext4: do not iput inode under running transaction in ext4_rename() brcmfmac: clear EAP/association status bits on linkdown events ath10k: hold RCU lock when calling ieee80211_find_sta_by_ifaddr() net: ethernet: aquantia: Handle error cleanup of start on open appletalk: Fix skb allocation size in loopback case net: wan/lmc: unregister device when no matching device is found bpf: Remove MTU check in __bpf_skb_max_len ALSA: usb-audio: Apply sample rate quirk to Logitech Connect ALSA: hda/realtek: fix a determine_headset_type issue for a Dell AIO ALSA: hda/realtek: call alc_update_headset_mode() in hp_automute_hook PM: runtime: Fix race getting/putting suppliers at probe PM: runtime: Fix ordering in pm_runtime_get_suppliers() tracing: Fix stack trace event size mm: fix race by making init_zero_pfn() early_initcall drm/amdgpu: fix offset calculation in amdgpu_vm_bo_clear_mappings() drm/amdgpu: check alignment on CPU page for bo map reiserfs: update reiserfs_xattrs_initialized() condition pinctrl: rockchip: fix restore error in resume extcon: Add stubs for extcon_register_notifier_all() functions extcon: Fix error handling in extcon_dev_register firewire: nosy: Fix a use-after-free bug in nosy_ioctl() usbip: vhci_hcd fix shift out-of-bounds in vhci_hub_control() USB: quirks: ignore remote wake-up on Fibocom L850-GL LTE modem usb: musb: Fix suspend with devices connected for a64 usb: xhci-mtk: fix broken streams issue on 0.96 xHCI cdc-acm: fix BREAK rx code path adding necessary calls USB: cdc-acm: untangle a circular dependency between callback and softint USB: cdc-acm: downgrade message to debug USB: cdc-acm: fix double free on probe failure USB: cdc-acm: fix use-after-free after probe failure usb: gadget: udc: amd5536udc_pci fix null-ptr-dereference usb: dwc2: Fix HPRT0.PrtSusp bit setting for HiKey 960 board. staging: rtl8192e: Fix incorrect source in memcpy() staging: rtl8192e: Change state information from u16 to u8 drivers: video: fbcon: fix NULL dereference in fbcon_cursor() Linux 4.19.185 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I65f4fd7d1b60193895371093882ab33943d22e7c |
||
Alexander Ovechkin
|
f9501b8da4 |
tcp: relookup sock for RST+ACK packets handled by obsolete req sock
commit 7233da86697efef41288f8b713c10c2499cffe85 upstream. Currently tcp_check_req can be called with obsolete req socket for which big socket have been already created (because of CPU race or early demux assigning req socket to multiple packets in gro batch). Commit |
||
Greg Kroah-Hartman
|
f411297402 |
Merge 4.19.184 into android-4.19-stable
Changes in 4.19.184 net: fec: ptp: avoid register access when ipg clock is disabled powerpc/4xx: Fix build errors from mfdcr() atm: eni: dont release is never initialized atm: lanai: dont run lanai_dev_close if not open Revert "r8152: adjust the settings about MAC clock speed down for RTL8153" ixgbe: Fix memleak in ixgbe_configure_clsu32 net: tehuti: fix error return code in bdx_probe() sun/niu: fix wrong RXMAC_BC_FRM_CNT_COUNT count gianfar: fix jumbo packets+napi+rx overrun crash gpiolib: acpi: Add missing IRQF_ONESHOT nfs: fix PNFS_FLEXFILE_LAYOUT Kconfig default NFS: Correct size calculation for create reply length net: hisilicon: hns: fix error return code of hns_nic_clear_all_rx_fetch() net: wan: fix error return code of uhdlc_init() atm: uPD98402: fix incorrect allocation atm: idt77252: fix null-ptr-dereference sparc64: Fix opcode filtering in handling of no fault loads u64_stats,lockdep: Fix u64_stats_init() vs lockdep drm/radeon: fix AGP dependency nfs: we don't support removing system.nfs4_acl block: Suppress uevent for hidden device when removed ia64: fix ia64_syscall_get_set_arguments() for break-based syscalls ia64: fix ptrace(PTRACE_SYSCALL_INFO_EXIT) sign netsec: restore phy power state after controller reset platform/x86: intel-vbtn: Stop reporting SW_DOCK events squashfs: fix inode lookup sanity checks squashfs: fix xattr id and id lookup sanity checks arm64: dts: ls1046a: mark crypto engine dma coherent arm64: dts: ls1012a: mark crypto engine dma coherent arm64: dts: ls1043a: mark crypto engine dma coherent ARM: dts: at91-sama5d27_som1: fix phy address to 7 dm ioctl: fix out of bounds array access when no devices bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD veth: Store queue_mapping independently of XDP prog presence libbpf: Fix INSTALL flag order macvlan: macvlan_count_rx() needs to be aware of preemption net: dsa: bcm_sf2: Qualify phydev->dev_flags based on port e1000e: add rtnl_lock() to e1000_reset_task e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template ftgmac100: Restart MAC HW once netfilter: ctnetlink: fix dump of the expect mask attribute can: peak_usb: add forgotten supported devices can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate can: c_can_pci: c_can_pci_remove(): fix use-after-free can: c_can: move runtime PM enable/disable to c_can_platform can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning mac80211: fix rate mask reset net: cdc-phonet: fix data-interface release on probe failure net: stmmac: dwmac-sun8i: Provide TX and RX fifo sizes drm/msm: fix shutdown hook in case GPU components failed to bind arm64: kdump: update ppos when reading elfcorehdr net/mlx5e: Fix error path for ethtool set-priv-flag RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server bpf: Don't do bpf_cgroup_storage_set() for kuprobe/tp programs Revert "netfilter: x_tables: Switch synchronization to RCU" netfilter: x_tables: Use correct memory barriers. Revert "netfilter: x_tables: Update remaining dereference to RCU" ACPI: scan: Rearrange memory allocation in acpi_device_add() ACPI: scan: Use unique number for instance_no dm verity: add root hash pkcs#7 signature verification perf auxtrace: Fix auxtrace queue conflict scsi: qedi: Fix error return code of qedi_alloc_global_queues() scsi: mpt3sas: Fix error return code of mpt3sas_base_attach() locking/mutex: Fix non debug version of mutex_lock_io_nested() x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() can: dev: Move device back to init netns on owning netns delete net: sched: validate stab values net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() mac80211: fix double free in ibss_leave ext4: add reclaim checks to xattr code can: peak_usb: Revert "can: peak_usb: add forgotten supported devices" xen-blkback: don't leak persistent grants from xen_blkbk_map() Linux 4.19.184 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I6126263d1365fef1ba4112b47b6c3013334f390a |
||
Mark Tomlinson
|
74bc0e5132 |
Revert "netfilter: x_tables: Update remaining dereference to RCU"
[ Upstream commit abe7034b9a8d57737e80cc16d60ed3666990bdbf ]
This reverts commit 443d6e86f821a165fae3fc3fc13086d27ac140b1.
This (and the following) patch basically re-implemented the RCU
mechanisms of patch
|
||
Mark Tomlinson
|
0abcfaf058 |
Revert "netfilter: x_tables: Switch synchronization to RCU"
[ Upstream commit d3d40f237480abf3268956daf18cdc56edd32834 ]
This reverts commit cc00bcaa589914096edef7fb87ca5cee4a166b5c.
This (and the preceding) patch basically re-implemented the RCU
mechanisms of patch
|
||
Greg Kroah-Hartman
|
04fd6558af |
This is the 4.19.181 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmBSI8oACgkQONu9yGCS aT7NwhAAsXPkFGT0ZgUX0t3HZUL4RB1e9j8xD2qr4CTspGiK/cF2ykd1RXWtfaY2 o5uc7wRmBBVQV33vS7djyJJMI5NgO588r0TT2DrlzIskfl+aWvTxKggh4A+DPKsu QCRX5fOOd4EFYiKyLNtPxg5z6R8yg0Ejqgjzzvc03wYn8AL5SLWH8bgPb1FCNEfm 8YzYrRIu7rTUC3PrXPq81gWWHR77eojME7K9NUKSkUnh7mbdu6CVdrYb+wRvoAnf qwlhV5Mf0GWzf/z3v9TKgKSuMjmlcoQnZD72rYClEiLBIleN/VzWhfKK/E+ODidr WImeQGLJPfDDKiiU9tNypvmWdKjuqcNcVkIWAVzEkEIhaAOI8LPFWgc/iH0+9fWk o5s/hcs1FZ9dSbEHotR5ENUFmy85/XMl+wgkOmfUwvWufqsqkS3mYipbszJ9MMBH d7dYL4CTa/+KQ/uPbFJSnnxO9KgjLNO14IAiMY9lPshT8gkTy4eP2WtmsF6MyGEs Y/p2KP0Ga4ib1b9lkmeVq3MK5vqaHQnI9BF4tyHI6RFwH29phapKzbC/AYpA69fd Jn3y7uywt/f7++V1JUDiQ0QD6jV9/xgRbFBjSj59zjrD2xzZYLQ5kWoocNnUhq+g TH5zTlyeODZTA58Ut623T30Rw5YYXpJtnGZGuOKqVAyWQHBd7Ls= =wNgO -----END PGP SIGNATURE----- Merge 4.19.181 into android-4.19-stable Changes in 4.19.181 uapi: nfnetlink_cthelper.h: fix userspace compilation error ethernet: alx: fix order of calls on resume ath9k: fix transmitting to stations in dynamic SMPS mode net: Fix gro aggregation for udp encaps with zero csum net: Introduce parse_protocol header_ops callback can: skb: can_skb_set_owner(): fix ref counting if socket was closed before setting skb ownership can: flexcan: assert FRZ bit in flexcan_chip_freeze() can: flexcan: enable RX FIFO after FRZ/HALT valid netfilter: x_tables: gpf inside xt_find_revision() mt76: dma: do not report truncated frames to mac80211 tcp: annotate tp->copied_seq lockless reads tcp: annotate tp->write_seq lockless reads tcp: add sanity tests to TCP_QUEUE_SEQ cifs: return proper error code in statfs(2) scripts/recordmcount.{c,pl}: support -ffunction-sections .text.* section names Revert "mm, slub: consider rest of partial list if acquire_slab() fails" sh_eth: fix TRSCER mask for SH771x net: check if protocol extracted by virtio_net_hdr_set_proto is correct net: avoid infinite loop in mpls_gso_segment when mpls_hlen == 0 net/mlx4_en: update moderation when config reset net: stmmac: fix incorrect DMA channel intr enable setting of EQoS v4.10 net: sched: avoid duplicates in classes dump net: usb: qmi_wwan: allow qmimux add/del with master up cipso,calipso: resolve a number of problems with the DOI refcounts net: lapbether: Remove netif_start_queue / netif_stop_queue net: davicom: Fix regulator not turned off on failed probe net: davicom: Fix regulator not turned off on driver removal net: qrtr: fix error return code of qrtr_sendmsg() net: stmmac: stop each tx channel independently net: stmmac: fix watchdog timeout during suspend/resume stress test selftests: forwarding: Fix race condition in mirror installation perf traceevent: Ensure read cmdlines are null terminated. s390/cio: return -EFAULT if copy_to_user() fails again drm/compat: Clear bounce structures drm: meson_drv add shutdown function s390/cio: return -EFAULT if copy_to_user() fails sh_eth: fix TRSCER mask for R7S9210 media: usbtv: Fix deadlock on suspend media: v4l: vsp1: Fix uif null pointer access media: v4l: vsp1: Fix bru null pointer access net: phy: fix save wrong speed and duplex problem if autoneg is on i2c: rcar: optimize cacheline to minimize HW race condition udf: fix silent AED tagLocation corruption mmc: mxs-mmc: Fix a resource leak in an error handling path in 'mxs_mmc_probe()' mmc: mediatek: fix race condition between msdc_request_timeout and irq powerpc/pci: Add ppc_md.discover_phbs() powerpc: improve handling of unrecoverable system reset powerpc/perf: Record counter overflow always if SAMPLE_IP is unset sparc32: Limit memblock allocation to low memory sparc64: Use arch_validate_flags() to validate ADI flag PCI: xgene-msi: Fix race in installing chained irq handler PCI: mediatek: Add missing of_node_put() to fix reference leak PCI: Fix pci_register_io_range() memory leak i40e: Fix memory leak in i40e_probe s390/smp: __smp_rescan_cpus() - move cpumask away from stack scsi: libiscsi: Fix iscsi_prep_scsi_cmd_pdu() error handling scsi: target: core: Add cmd length set before cmd complete scsi: target: core: Prevent underflow for service actions ALSA: usb: Add Plantronics C320-M USB ctrl msg delay quirk ALSA: hda/hdmi: Cancel pending works before suspend ALSA: hda: Drop the BATCH workaround for AMD controllers ALSA: hda: Avoid spurious unsol event handling during S3/S4 ALSA: usb-audio: Fix "cannot get freq eq" errors on Dell AE515 sound bar ALSA: usb-audio: Apply the control quirk to Plantronics headsets Revert 95ebabde382c ("capabilities: Don't allow writing ambiguous v3 file capabilities") s390/dasd: fix hanging DASD driver unbind s390/dasd: fix hanging IO request during DASD driver unbind mmc: core: Fix partition switch time for eMMC mmc: cqhci: Fix random crash when remove mmc module/card Goodix Fingerprint device is not a modem USB: gadget: u_ether: Fix a configfs return code usb: gadget: f_uac2: always increase endpoint max_packet_size by one audio slot usb: gadget: f_uac1: stop playback on function disable usb: dwc3: qcom: Honor wakeup enabled/disabled state USB: usblp: fix a hang in poll() if disconnected usb: renesas_usbhs: Clear PIPECFG for re-enabling pipe with other EPNUM xhci: Improve detection of device initiated wake signal. usb: xhci: Fix ASMedia ASM1042A and ASM3242 DMA addressing USB: serial: io_edgeport: fix memory leak in edge_startup USB: serial: ch341: add new Product ID USB: serial: cp210x: add ID for Acuity Brands nLight Air Adapter USB: serial: cp210x: add some more GE USB IDs usbip: fix stub_dev to check for stream socket usbip: fix vhci_hcd to check for stream socket usbip: fix vudc to check for stream socket usbip: fix stub_dev usbip_sockfd_store() races leading to gpf usbip: fix vhci_hcd attach_store() races leading to gpf usbip: fix vudc usbip_sockfd_store races leading to gpf staging: rtl8192u: fix ->ssid overflow in r8192_wx_set_scan() staging: rtl8188eu: prevent ->ssid overflow in rtw_wx_set_scan() staging: rtl8712: unterminated string leads to read overflow staging: rtl8188eu: fix potential memory corruption in rtw_check_beacon_data() staging: ks7010: prevent buffer overflow in ks_wlan_set_scan() staging: rtl8712: Fix possible buffer overflow in r8712_sitesurvey_cmd staging: rtl8192e: Fix possible buffer overflow in _rtl92e_wx_set_scan staging: comedi: addi_apci_1032: Fix endian problem for COS sample staging: comedi: addi_apci_1500: Fix endian problem for command sample staging: comedi: adv_pci1710: Fix endian problem for AI command data staging: comedi: das6402: Fix endian problem for AI command data staging: comedi: das800: Fix endian problem for AI command data staging: comedi: dmm32at: Fix endian problem for AI command data staging: comedi: me4000: Fix endian problem for AI command data staging: comedi: pcl711: Fix endian problem for AI command data staging: comedi: pcl818: Fix endian problem for AI command data sh_eth: fix TRSCER mask for R7S72100 NFSv4.2: fix return value of _nfs4_get_security_label() block: rsxx: fix error return code of rsxx_pci_probe() configfs: fix a use-after-free in __configfs_open_file hrtimer: Update softirq_expires_next correctly after __hrtimer_get_next_event() stop_machine: mark helpers __always_inline include/linux/sched/mm.h: use rcu_dereference in in_vfork() powerpc/64s: Fix instruction encoding for lis in ppc_function_entry() binfmt_misc: fix possible deadlock in bm_register_write x86/unwind/orc: Disable KASAN checking in the ORC unwinder, part 2 hwmon: (lm90) Fix max6658 sporadic wrong temperature reading KVM: arm64: Fix exclusive limit for IPA size xen/events: reset affinity of 2-level event when tearing it down xen/events: don't unmask an event channel when an eoi is pending xen/events: avoid handling the same event on two cpus at the same time Linux 4.19.181 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia622d8e9146f5ff0e1542780a39f83a7b6fed8d1 |
||
Paul Moore
|
a44af1c697 |
cipso,calipso: resolve a number of problems with the DOI refcounts
commit ad5d07f4a9cd671233ae20983848874731102c08 upstream. The current CIPSO and CALIPSO refcounting scheme for the DOI definitions is a bit flawed in that we: 1. Don't correctly match gets/puts in netlbl_cipsov4_list(). 2. Decrement the refcount on each attempt to remove the DOI from the DOI list, only removing it from the list once the refcount drops to zero. This patch fixes these problems by adding the missing "puts" to netlbl_cipsov4_list() and introduces a more conventional, i.e. not-buggy, refcounting mechanism to the DOI definitions. Upon the addition of a DOI to the DOI list, it is initialized with a refcount of one, removing a DOI from the list removes it from the list and drops the refcount by one; "gets" and "puts" behave as expected with respect to refcounts, increasing and decreasing the DOI's refcount by one. Fixes: |
||
Eric Dumazet
|
319f460237 |
tcp: add sanity tests to TCP_QUEUE_SEQ
[ Upstream commit 8811f4a9836e31c14ecdf79d9f3cb7c5d463265d ]
Qingyu Li reported a syzkaller bug where the repro
changes RCV SEQ _after_ restoring data in the receive queue.
mprotect(0x4aa000, 12288, PROT_READ) = 0
mmap(0x1ffff000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x1ffff000
mmap(0x20000000, 16777216, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x20000000
mmap(0x21000000, 4096, PROT_NONE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x21000000
socket(AF_INET6, SOCK_STREAM, IPPROTO_IP) = 3
setsockopt(3, SOL_TCP, TCP_REPAIR, [1], 4) = 0
connect(3, {sa_family=AF_INET6, sin6_port=htons(0), sin6_flowinfo=htonl(0), inet_pton(AF_INET6, "::1", &sin6_addr), sin6_scope_id=0}, 28) = 0
setsockopt(3, SOL_TCP, TCP_REPAIR_QUEUE, [1], 4) = 0
sendmsg(3, {msg_name=NULL, msg_namelen=0, msg_iov=[{iov_base="0x0000000000000003\0\0", iov_len=20}], msg_iovlen=1, msg_controllen=0, msg_flags=0}, 0) = 20
setsockopt(3, SOL_TCP, TCP_REPAIR, [0], 4) = 0
setsockopt(3, SOL_TCP, TCP_QUEUE_SEQ, [128], 4) = 0
recvfrom(3, NULL, 20, 0, NULL, NULL) = -1 ECONNRESET (Connection reset by peer)
syslog shows:
[ 111.205099] TCP recvmsg seq # bug 2: copied 80, seq 0, rcvnxt 80, fl 0
[ 111.207894] WARNING: CPU: 1 PID: 356 at net/ipv4/tcp.c:2343 tcp_recvmsg_locked+0x90e/0x29a0
This should not be allowed. TCP_QUEUE_SEQ should only be used
when queues are empty.
This patch fixes this case, and the tx path as well.
Fixes:
|
||
Eric Dumazet
|
92ba49b27e |
tcp: annotate tp->write_seq lockless reads
[ Upstream commit 0f31746452e6793ad6271337438af8f4defb8940 ] There are few places where we fetch tp->write_seq while this field can change from IRQ or other cpu. We need to add READ_ONCE() annotations, and also make sure write sides use corresponding WRITE_ONCE() to avoid store-tearing. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Eric Dumazet
|
7209e12096 |
tcp: annotate tp->copied_seq lockless reads
[ Upstream commit 7db48e983930285b765743ebd665aecf9850582b ] There are few places where we fetch tp->copied_seq while this field can change from IRQ or other cpu. We need to add READ_ONCE() annotations, and also make sure write sides use corresponding WRITE_ONCE() to avoid store-tearing. Note that tcp_inq_hint() was already using READ_ONCE(tp->copied_seq) Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Daniel Borkmann
|
e5008f2e91 |
net: Fix gro aggregation for udp encaps with zero csum
commit 89e5c58fc1e2857ccdaae506fb8bc5fed57ee063 upstream. We noticed a GRO issue for UDP-based encaps such as vxlan/geneve when the csum for the UDP header itself is 0. In that case, GRO aggregation does not take place on the phys dev, but instead is deferred to the vxlan/geneve driver (see trace below). The reason is essentially that GRO aggregation bails out in udp_gro_receive() for such case when drivers marked the skb with CHECKSUM_UNNECESSARY (ice, i40e, others) where for non-zero csums |
||
Greg Kroah-Hartman
|
6455a150fa |
Merge 4.19.178 into android-4.19-stable
Changes in 4.19.178 HID: make arrays usage and value to be the same USB: quirks: sort quirk entries usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable ntfs: check for valid standard information attribute arm64: tegra: Add power-domain for Tegra210 HDA scripts: use pkg-config to locate libcrypto scripts: set proper OpenSSL include dir also for sign-file block: add helper for checking if queue is registered block: split .sysfs_lock into two locks block: fix race between switching elevator and removing queues block: don't release queue's sysfs lock during switching elevator NET: usb: qmi_wwan: Adding support for Cinterion MV31 cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath. scripts/recordmcount.pl: support big endian for ARCH sh jump_label/lockdep: Assert we hold the hotplug lock for _cpuslocked() operations locking/static_key: Fix false positive warnings on concurrent dec/inc vmlinux.lds.h: add DWARF v5 sections kdb: Make memory allocations more robust PCI: qcom: Use PHY_REFCLK_USE_PAD only for ipq8064 bfq: Avoid false bfq queue merging ALSA: usb-audio: Fix PCM buffer allocation in non-vmalloc mode MIPS: vmlinux.lds.S: add missing PAGE_ALIGNED_DATA() section random: fix the RNDRESEEDCRNG ioctl ath10k: Fix error handling in case of CE pipe init failure Bluetooth: btqcomsmd: Fix a resource leak in error handling paths in the probe function Bluetooth: Fix initializing response id after clearing struct ARM: dts: exynos: correct PMIC interrupt trigger level on Artik 5 ARM: dts: exynos: correct PMIC interrupt trigger level on Monk ARM: dts: exynos: correct PMIC interrupt trigger level on Rinato ARM: dts: exynos: correct PMIC interrupt trigger level on Spring ARM: dts: exynos: correct PMIC interrupt trigger level on Arndale Octa ARM: dts: exynos: correct PMIC interrupt trigger level on Odroid XU3 family arm64: dts: exynos: correct PMIC interrupt trigger level on TM2 arm64: dts: exynos: correct PMIC interrupt trigger level on Espresso bpf: Avoid warning when re-casting __bpf_call_base into __bpf_call_base_args arm64: dts: allwinner: A64: properly connect USB PHY to port 0 arm64: dts: allwinner: Drop non-removable from SoPine/LTS SD card arm64: dts: allwinner: A64: Limit MMC2 bus frequency to 150 MHz cpufreq: brcmstb-avs-cpufreq: Free resources in error path cpufreq: brcmstb-avs-cpufreq: Fix resource leaks in ->remove() ACPICA: Fix exception code class checks usb: gadget: u_audio: Free requests only after callback Bluetooth: drop HCI device reference before return Bluetooth: Put HCI device if inquiry procedure interrupts memory: ti-aemif: Drop child node when jumping out loop ARM: dts: Configure missing thermal interrupt for 4430 usb: dwc2: Do not update data length if it is 0 on inbound transfers usb: dwc2: Abort transaction after errors with unknown reason usb: dwc2: Make "trimming xfer length" a debug message staging: rtl8723bs: wifi_regd.c: Fix incorrect number of regulatory rules ARM: dts: armada388-helios4: assign pinctrl to LEDs ARM: dts: armada388-helios4: assign pinctrl to each fan arm64: dts: msm8916: Fix reserved and rfsa nodes unit address ARM: s3c: fix fiq for clang IAS soc: aspeed: snoop: Add clock control logic bpf_lru_list: Read double-checked variable once without lock ath9k: fix data bus crash when setting nf_override via debugfs ibmvnic: Set to CLOSED state even on error bnxt_en: reverse order of TX disable and carrier off xen/netback: fix spurious event detection for common event case mac80211: fix potential overflow when multiplying to u32 integers bpf: Fix bpf_fib_lookup helper MTU check for SKB ctx tcp: fix SO_RCVLOWAT related hangs under mem pressure cxgb4/chtls/cxgbit: Keeping the max ofld immediate data size same in cxgb4 and ulds b43: N-PHY: Fix the update of coef for the PHY revision >= 3case ibmvnic: add memory barrier to protect long term buffer ibmvnic: skip send_request_unmap for timeout reset net: amd-xgbe: Reset the PHY rx data path when mailbox command timeout net: amd-xgbe: Fix NETDEV WATCHDOG transmit queue timeout warning net: amd-xgbe: Reset link when the link never comes back net: amd-xgbe: Fix network fluctuations when using 1G BELFUSE SFP net: mvneta: Remove per-cpu queue mapping for Armada 3700 fbdev: aty: SPARC64 requires FB_ATY_CT drm/gma500: Fix error return code in psb_driver_load() gma500: clean up error handling in init crypto: sun4i-ss - fix kmap usage drm/amdgpu: Fix macro name _AMDGPU_TRACE_H_ in preprocessor if condition MIPS: c-r4k: Fix section mismatch for loongson2_sc_init MIPS: lantiq: Explicitly compare LTQ_EBU_PCC_ISTAT against 0 media: i2c: ov5670: Fix PIXEL_RATE minimum value media: camss: missing error code in msm_video_register() media: vsp1: Fix an error handling path in the probe function media: em28xx: Fix use-after-free in em28xx_alloc_urbs media: media/pci: Fix memleak in empress_init media: tm6000: Fix memleak in tm6000_start_stream ASoC: cs42l56: fix up error handling in probe crypto: bcm - Rename struct device_private to bcm_device_private drm/amd/display: Fix 10/12 bpc setup in DCE output bit depth reduction. media: lmedm04: Fix misuse of comma media: qm1d1c0042: fix error return code in qm1d1c0042_init() media: cx25821: Fix a bug when reallocating some dma memory media: pxa_camera: declare variable when DEBUG is defined media: uvcvideo: Accept invalid bFormatIndex and bFrameIndex values crypto: talitos - Work around SEC6 ERRATA (AES-CTR mode data size error) ata: ahci_brcm: Add back regulators management ASoC: cpcap: fix microphone timeslot mask f2fs: fix to avoid inconsistent quota data drm/amdgpu: Prevent shift wrapping in amdgpu_read_mask() Drivers: hv: vmbus: Avoid use-after-free in vmbus_onoffer_rescind() btrfs: clarify error returns values in __load_free_space_cache hwrng: timeriomem - Fix cooldown period calculation crypto: ecdh_helper - Ensure 'len >= secret.len' in decode_key() ima: Free IMA measurement buffer on error ima: Free IMA measurement buffer after kexec syscall fs/jfs: fix potential integer overflow on shift of a int jffs2: fix use after free in jffs2_sum_write_data() capabilities: Don't allow writing ambiguous v3 file capabilities clk: meson: clk-pll: fix initializing the old rate (fallback) for a PLL quota: Fix memory leak when handling corrupted quota file spi: cadence-quadspi: Abort read if dummy cycles required are too many clk: sunxi-ng: h6: Fix CEC clock HID: core: detect and skip invalid inputs to snto32() dmaengine: fsldma: Fix a resource leak in the remove function dmaengine: fsldma: Fix a resource leak in an error handling path of the probe function dmaengine: owl-dma: Fix a resource leak in the remove function dmaengine: hsu: disable spurious interrupt mfd: bd9571mwv: Use devm_mfd_add_devices() fdt: Properly handle "no-map" field in the memory region of/fdt: Make sure no-map does not remove already reserved regions power: reset: at91-sama5d2_shdwc: fix wkupdbc mask rtc: s5m: select REGMAP_I2C clocksource/drivers/mxs_timer: Add missing semicolon when DEBUG is defined RDMA/mlx5: Use the correct obj_id upon DEVX TIR creation clk: sunxi-ng: h6: Fix clock divider range on some clocks regulator: axp20x: Fix reference cout leak certs: Fix blacklist flag type confusion spi: atmel: Put allocated master before return regulator: s5m8767: Drop regulators OF node reference isofs: release buffer head before return auxdisplay: ht16k33: Fix refresh rate handling IB/umad: Return EIO in case of when device disassociated IB/umad: Return EPOLLERR in case of when device disassociated KVM: PPC: Make the VMX instruction emulation routines static powerpc/47x: Disable 256k page size mmc: usdhi6rol0: Fix a resource leak in the error handling path of the probe mmc: renesas_sdhi_internal_dmac: Fix DMA buffer alignment from 8 to 128-bytes ARM: 9046/1: decompressor: Do not clear SCTLR.nTLSMD for ARMv7+ cores amba: Fix resource leak for drivers without .remove tracepoint: Do not fail unregistering a probe due to memory failure perf tools: Fix DSO filtering when not finding a map for a sampled address RDMA/rxe: Fix coding error in rxe_recv.c RDMA/rxe: Correct skb on loopback path spi: stm32: properly handle 0 byte transfer mfd: wm831x-auxadc: Prevent use after free in wm831x_auxadc_read_irq() powerpc/pseries/dlpar: handle ibm, configure-connector delay status powerpc/8xx: Fix software emulation interrupt clk: qcom: gcc-msm8998: Fix Alpha PLL type for all GPLLs spi: pxa2xx: Fix the controller numbering for Wildcat Point Input: sur40 - fix an error code in sur40_probe() perf intel-pt: Fix missing CYC processing in PSB perf test: Fix unaligned access in sample parsing test Input: elo - fix an error code in elo_connect() sparc64: only select COMPAT_BINFMT_ELF if BINFMT_ELF is set misc: eeprom_93xx46: Fix module alias to enable module autoprobe misc: eeprom_93xx46: Add module alias to avoid breaking support for non device tree users pwm: rockchip: rockchip_pwm_probe(): Remove superfluous clk_unprepare() VMCI: Use set_page_dirty_lock() when unregistering guest memory PCI: Align checking of syscall user config accessors drm/msm/dsi: Correct io_start for MSM8994 (20nm PHY) ext4: fix potential htree index checksum corruption regmap: sdw: use _no_pm functions in regmap_read/write i40e: Fix flow for IPv6 next header (extension header) i40e: Add zero-initialization of AQ command structures i40e: Fix overwriting flow control settings during driver loading i40e: Fix VFs not created i40e: Fix add TC filter for IPv6 net/mlx4_core: Add missed mlx4_free_cmd_mailbox() vxlan: move debug check after netdev unregister ocfs2: fix a use after free on error mm/memory.c: fix potential pte_unmap_unlock pte error mm/hugetlb: fix potential double free in hugetlb_register_node() error path r8169: fix jumbo packet handling on RTL8168e arm64: Add missing ISB after invalidating TLB in __primary_switch i2c: brcmstb: Fix brcmstd_send_i2c_cmd condition mm/rmap: fix potential pte_unmap on an not mapped pte scsi: bnx2fc: Fix Kconfig warning & CNIC build errors blk-settings: align max_sectors on "logical_block_size" boundary ACPI: property: Fix fwnode string properties matching ACPI: configfs: add missing check after configfs_register_default_group() HID: wacom: Ignore attempts to overwrite the touch_max value from HID Input: raydium_ts_i2c - do not send zero length Input: xpad - add support for PowerA Enhanced Wired Controller for Xbox Series X|S Input: joydev - prevent potential read overflow in ioctl Input: i8042 - add ASUS Zenbook Flip to noselftest list USB: serial: option: update interface mapping for ZTE P685M usb: musb: Fix runtime PM race in musb_queue_resume_work usb: dwc3: gadget: Fix setting of DEPCFG.bInterval_m1 usb: dwc3: gadget: Fix dep->interval for fullspeed interrupt USB: serial: ftdi_sio: fix FTX sub-integer prescaler USB: serial: mos7840: fix error code in mos7840_write() USB: serial: mos7720: fix error code in mos7720_write() ALSA: hda/realtek: modify EAPD in the ALC886 tpm_tis: Fix check_locality for correct locality acquisition tpm_tis: Clean up locality release KEYS: trusted: Fix migratable=1 failing btrfs: abort the transaction if we fail to inc ref in btrfs_copy_root btrfs: fix reloc root leak with 0 ref reloc roots on recovery btrfs: fix extent buffer leak on failure to copy root crypto: arm64/sha - add missing module aliases crypto: sun4i-ss - checking sg length is not sufficient crypto: sun4i-ss - handle BigEndian for cipher seccomp: Add missing return in non-void function misc: rtsx: init of rts522a add OCP power off when no card is present drivers/misc/vmw_vmci: restrict too big queue size in qp_host_alloc_queue pstore: Fix typo in compression option name dts64: mt7622: fix slow sd card access staging/mt7621-dma: mtk-hsdma.c->hsdma-mt7621.c staging: gdm724x: Fix DMA from stack staging: rtl8188eu: Add Edimax EW-7811UN V2 to device table media: ipu3-cio2: Fix mbus_code processing in cio2_subdev_set_fmt() x86/reboot: Force all cpus to exit VMX root if VMX is supported floppy: reintroduce O_NDELAY fix arm64: uprobe: Return EOPNOTSUPP for AARCH32 instruction probing watchdog: mei_wdt: request stop on unregister mtd: spi-nor: hisi-sfc: Put child node np on error path fs/affs: release old buffer head on error path seq_file: document how per-entry resources are managed. x86: fix seq_file iteration for pat/memtype.c hugetlb: fix copy_huge_page_from_user contig page struct assumption libnvdimm/dimm: Avoid race between probe and available_slots_show() arm64: Extend workaround for erratum 1024718 to all versions of Cortex-A55 module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols mmc: sdhci-esdhc-imx: fix kernel panic when remove module gpio: pcf857x: Fix missing first interrupt printk: fix deadlock when kernel panic cpufreq: intel_pstate: Get per-CPU max freq via MSR_HWP_CAPABILITIES if available f2fs: fix out-of-repair __setattr_copy() sparc32: fix a user-triggerable oops in clear_user() gfs2: Don't skip dlm unlock if glock has an lvb dm: fix deadlock when swapping to encrypted device dm era: Recover committed writeset after crash dm era: Verify the data block size hasn't changed dm era: Fix bitset memory leaks dm era: Use correct value size in equality function of writeset tree dm era: Reinitialize bitset cache before digesting a new writeset dm era: only resize metadata in preresume icmp: introduce helper for nat'd source address in network device context icmp: allow icmpv6_ndo_send to work with CONFIG_IPV6=n gtp: use icmp_ndo_send helper sunvnet: use icmp_ndo_send helper xfrm: interface: use icmp_ndo_send helper ipv6: icmp6: avoid indirect call for icmpv6_send() ipv6: silence compilation warning for non-IPV6 builds net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending dm era: Update in-core bitset after committing the metadata net: qrtr: Fix memory leak in qrtr_tun_open ARM: dts: aspeed: Add LCLK to lpc-snoop Linux 4.19.178 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I8c07c10dd29a1233f238b533622d7b32bd22bdb0 |
||
Jason A. Donenfeld
|
9efa1af186 |
net: icmp: pass zeroed opts from icmp{,v6}_ndo_send before sending
commit ee576c47db60432c37e54b1e2b43a8ca6d3a8dca upstream.
The icmp{,v6}_send functions make all sorts of use of skb->cb, casting
it with IPCB or IP6CB, assuming the skb to have come directly from the
inet layer. But when the packet comes from the ndo layer, especially
when forwarded, there's no telling what might be in skb->cb at that
point. As a result, the icmp sending code risks reading bogus memory
contents, which can result in nasty stack overflows such as this one
reported by a user:
panic+0x108/0x2ea
__stack_chk_fail+0x14/0x20
__icmp_send+0x5bd/0x5c0
icmp_ndo_send+0x148/0x160
In icmp_send, skb->cb is cast with IPCB and an ip_options struct is read
from it. The optlen parameter there is of particular note, as it can
induce writes beyond bounds. There are quite a few ways that can happen
in __ip_options_echo. For example:
// sptr/skb are attacker-controlled skb bytes
sptr = skb_network_header(skb);
// dptr/dopt points to stack memory allocated by __icmp_send
dptr = dopt->__data;
// sopt is the corrupt skb->cb in question
if (sopt->rr) {
optlen = sptr[sopt->rr+1]; // corrupt skb->cb + skb->data
soffset = sptr[sopt->rr+2]; // corrupt skb->cb + skb->data
// this now writes potentially attacker-controlled data, over
// flowing the stack:
memcpy(dptr, sptr+sopt->rr, optlen);
}
In the icmpv6_send case, the story is similar, but not as dire, as only
IP6CB(skb)->iif and IP6CB(skb)->dsthao are used. The dsthao case is
worse than the iif case, but it is passed to ipv6_find_tlv, which does
a bit of bounds checking on the value.
This is easy to simulate by doing a `memset(skb->cb, 0x41,
sizeof(skb->cb));` before calling icmp{,v6}_ndo_send, and it's only by
good fortune and the rarity of icmp sending from that context that we've
avoided reports like this until now. For example, in KASAN:
BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0xa0e/0x12b0
Write of size 38 at addr ffff888006f1f80e by task ping/89
CPU: 2 PID: 89 Comm: ping Not tainted 5.10.0-rc7-debug+ #5
Call Trace:
dump_stack+0x9a/0xcc
print_address_description.constprop.0+0x1a/0x160
__kasan_report.cold+0x20/0x38
kasan_report+0x32/0x40
check_memory_region+0x145/0x1a0
memcpy+0x39/0x60
__ip_options_echo+0xa0e/0x12b0
__icmp_send+0x744/0x1700
Actually, out of the 4 drivers that do this, only gtp zeroed the cb for
the v4 case, while the rest did not. So this commit actually removes the
gtp-specific zeroing, while putting the code where it belongs in the
shared infrastructure of icmp{,v6}_ndo_send.
This commit fixes the issue by passing an empty IPCB or IP6CB along to
the functions that actually do the work. For the icmp_send, this was
already trivial, thanks to __icmp_send providing the plumbing function.
For icmpv6_send, this required a tiny bit of refactoring to make it
behave like the v4 case, after which it was straight forward.
Fixes:
|
||
Jason A. Donenfeld
|
3efde1864a |
icmp: introduce helper for nat'd source address in network device context
commit 0b41713b606694257b90d61ba7e2712d8457648b upstream. This introduces a helper function to be called only by network drivers that wraps calls to icmp[v6]_send in a conntrack transformation, in case NAT has been used. We don't want to pollute the non-driver path, though, so we introduce this as a helper to be called by places that actually make use of this, as suggested by Florian. Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com> Cc: Florian Westphal <fw@strlen.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
19d4991aa6 |
This is the 4.19.175 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAjmCsACgkQONu9yGCS aT6zjw//T/sN/vtlHmZZUD/iUcbYHUJiM82izt8yu6SsgcjiUkjwXKH373zX0EsN O7iQIWXMWxXCWc73esvJ1L8uOLmYto3fJq4bb+emsd8R6M/NQuQqSX7fvvlnpLo/ wkTkctk1l+EyVjk67M2izCK35Zz2rVvLHGYXYMj+bJZxxCrnhG06pXcV+0udX53j Nl0ejBoYLhKZW3wyfkLbORQToFATM1IxSaBqUESQj1Wkie989c4ARcJ1mUuOOW6T XMhdxazbV5I4kQzcBWmhVbGX5hv28FIeeugu2aW4bxX4up8zcq+S0Z1I5c0Q0MWL 1AI+4HDS+9/USXuQc4kqgqF893Y25hXwk3tck7boRu0OznLC3j9RTXMrDVl08ZOv 3Y9fkyEoRwwbsik5+8Sf3H0OamNaL6qcWYbJczlz50BltaVH2k960itCGlnfnJjT 9FZQMmWzx3JnZbDHD6iCYuVCnPdZn2AUK5ZwF5kjME7CcJVDWGH23uFpTw5MDXMO 1arKj615PPTKzZ+gODM4Q0H2+ek3uclKpNqDNlR4sZgRxcr+bimw7tke3Pv4L+4p iU5W9o9TBXqoeNwKCO37eoRHySpU/mJ8OslHTrf/YzXH/q9uHNnVo9sM9/SEyqr1 94OrfbKTE8InON0/jgu482i7SHODdNUoD4wDXyZDQ1jb5J/+H3k= =uSwA -----END PGP SIGNATURE----- Merge 4.19.175 into android-4.19-stable Changes in 4.19.175 USB: serial: cp210x: add pid/vid for WSDA-200-USB USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000 USB: serial: option: Adding support for Cinterion MV31 elfcore: fix building with clang Input: i8042 - unbreak Pegatron C15B rxrpc: Fix deadlock around release of dst cached on udp tunnel arm64: dts: ls1046a: fix dcfg address range net: lapb: Copy the skb before sending a packet net: mvpp2: TCAM entry enable should be written after SRAM data memblock: do not start bottom-up allocations with kernel_end USB: gadget: legacy: fix an error code in eth_bind() USB: usblp: don't call usb_set_interface if there's a single alt usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop() usb: dwc2: Fix endpoint direction check in ep_from_windex usb: dwc3: fix clock issue during resume in OTG mode ovl: fix dentry leak in ovl_get_redirect mac80211: fix station rate table updates on assoc kretprobe: Avoid re-registration of the same kretprobe earlier genirq/msi: Activate Multi-MSI early when MSI_FLAG_ACTIVATE_EARLY is set xhci: fix bounce buffer usage for non-sg list case cifs: report error instead of invalid when revalidating a dentry fails smb3: Fix out-of-bounds bug in SMB2_negotiate() mmc: core: Limit retries when analyse of SDIO tuples fails nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs KVM: SVM: Treat SVM as unsupported when running as an SEV guest ARM: footbridge: fix dc21285 PCI configuration accessors mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page mm: hugetlb: fix a race between freeing and dissolving the page mm: hugetlb: fix a race between isolating and freeing page mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active mm: thp: fix MADV_REMOVE deadlock on shmem THP x86/build: Disable CET instrumentation in the kernel x86/apic: Add extra serialization for non-serializing MSRs Input: xpad - sync supported devices with fork on GitHub iommu/vt-d: Do not use flush-queue when caching-mode is on md: Set prev_flush_start and flush_bio in an atomic way net: ip_tunnel: fix mtu calculation net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add Linux 4.19.175 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iac6d5c4ad079946ef1c032791e8e583b9264917b |
||
Vadim Fedorenko
|
9c7b01fc3e |
net: ip_tunnel: fix mtu calculation
commit 28e104d00281ade30250b24e098bf50887671ea4 upstream. dev->hard_header_len for tunnel interface is set only when header_ops are set too and already contains full overhead of any tunnel encapsulation. That's why there is not need to use this overhead twice in mtu calc. Fixes: fdafed459998 ("ip_gre: set dev->hard_header_len and dev->needed_headroom properly") Reported-by: Slava Bacherikov <mail@slava.cc> Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru> Link: https://lore.kernel.org/r/1611959267-20536-1-git-send-email-vfedorenko@novek.ru Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
ba65a97a3b |
This is the 4.19.173 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAbIscACgkQONu9yGCS aT7PvhAAt5DPifFfFpsdbdQ5/H3tuQvgnl/WUu2bXEId0WJ3k9onw3sXbFbG0JvE Ar+xB8ODKlsutHGx9+CzfowQSOdHqrtvSpyaKJ9fy6+shEUJaFEKXqLICic/N2t+ 5ngkj29mhqCqeG7VuSQ5aJyg9zabzUiXwETuZxcJY43oA7zK1/ajNoSLM/TQUkMF HoK1LXd1fcOQrO0Rf4ZsRqPI9tHNho+7rtIFyJscO24JJRqi9f+qWCOZFHA0+NQG 2aQr/nECkaF1kWZEzz8zIUt6e7edjY+47I0tiIwg3uR2ZDo5tJUUU94y4DAahBwZ 41hkS6gWw6/c38KtircKtACfe8qsSLFrUKF+2MDv9i5Ao1g5+EDINqi2fKbE0xpn avs+r0gnyyW29LcyAfEu3foIHAi4pCppnNjmLjmAG1HZK9w6KcjrcBDO6o2GWbur eD6VcvndDJGreOXtS1eLG6Y6JhmCBsZtUKZUp7yV5oDL+lSIIAH00hu3aGpjTG7K DP9364bqJIHVLgBkoMqmocnWBuraMFs65SAr3//UDwbXBky6oX9YC5ytmsRKSmyQ BePmrzHxCM+2GNXhZ9BTAnvKngmnRVWSVH7WlQzlVugliuKdvUYokhtba/TmjIUw 1R5vo3Y1NM2LpmD1xRaeSm7QD1dgYrkfNdv/I8M2UY9/a8dzngU= =w3Q7 -----END PGP SIGNATURE----- Merge 4.19.173 into android-4.19-stable Changes in 4.19.173 nbd: freeze the queue while we're adding connections ACPI: sysfs: Prefer "compatible" modalias kernel: kexec: remove the lock operation of system_transition_mutex xen/privcmd: allow fetching resource sizes ALSA: hda/via: Apply the workaround generically for Clevo machines media: rc: ensure that uevent can be read directly after rc device register ARM: dts: imx6qdl-gw52xx: fix duplicate regulator naming wext: fix NULL-ptr-dereference with cfg80211's lack of commit() net: usb: qmi_wwan: added support for Thales Cinterion PLSx3 modem family PM: hibernate: flush swap writer after marking drivers: soc: atmel: Avoid calling at91_soc_init on non AT91 SoCs drivers: soc: atmel: add null entry at the end of at91_soc_allowed_list[] KVM: x86/pmu: Fix HW_REF_CPU_CYCLES event pseudo-encoding in intel_arch_events[] KVM: x86: get smi pending status correctly xen: Fix XenStore initialisation for XS_LOCAL leds: trigger: fix potential deadlock with libata mt7601u: fix kernel crash unplugging the device mt7601u: fix rx buffer refcounting xen-blkfront: allow discard-* nodes to be optional ARM: imx: build suspend-imx6.S with arm instruction set netfilter: nft_dynset: add timeout extension to template xfrm: Fix oops in xfrm_replay_advance_bmp xfrm: fix disable_xfrm sysctl when used on xfrm interfaces RDMA/cxgb4: Fix the reported max_recv_sge value pNFS/NFSv4: Fix a layout segment leak in pnfs_layout_process() iwlwifi: pcie: use jiffies for memory read spin time limit iwlwifi: pcie: reschedule in long-running memory reads mac80211: pause TX while changing interface type net/mlx5: Fix memory leak on flow table creation error flow can: dev: prevent potential information leak in can_fill_info() iommu/vt-d: Gracefully handle DMAR units with no supported address widths iommu/vt-d: Don't dereference iommu_device if IOMMU_API is not built rxrpc: Fix memory leak in rxrpc_lookup_local NFC: fix resource leak when target index is invalid NFC: fix possible resource leak team: protect features update by RCU to avoid deadlock tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN Linux 4.19.173 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: If4b2010c599fb95520fd0c28f9f389f35ac196cd |
||
Pengcheng Yang
|
dc7bc439a8 |
tcp: fix TLP timer not set when CA_STATE changes from DISORDER to OPEN
commit 62d9f1a6945ba69c125e548e72a36d203b30596e upstream.
Upon receiving a cumulative ACK that changes the congestion state from
Disorder to Open, the TLP timer is not set. If the sender is app-limited,
it can only wait for the RTO timer to expire and retransmit.
The reason for this is that the TLP timer is set before the congestion
state changes in tcp_ack(), so we delay the time point of calling
tcp_set_xmit_timer() until after tcp_fastretrans_alert() returns and
remove the FLAG_SET_XMIT_TIMER from ack_flag when the RACK reorder timer
is set.
This commit has two additional benefits:
1) Make sure to reset RTO according to RFC6298 when receiving ACK, to
avoid spurious RTO caused by RTO timer early expires.
2) Reduce the xmit timer reschedule once per ACK when the RACK reorder
timer is set.
Fixes:
|
||
Greg Kroah-Hartman
|
709f9b702e |
This is the 4.19.171 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAROwsACgkQONu9yGCS aT4T5w//XnQz3KLe6G/Gu641fwHbOmNmYg/Ob43DRj0JtMRDFsGm7wl5KVYXgf3l eI4/K8vMevO0XlSly8Xo8MkYoKiVbv8BX/owsZ9SUTbcGguJ79xKjJ++cXnezsFf knwiHKQRg+3KM/PZdT29mgkcYo2T6ndcmeq1Q2Q49Xn7vDdCCJuzLYccKRRaR5zm RoWn9AKtobUaFhuhkMm4gi0mkpH9viD4Su62k3EjQW8ysE5l4OPmlMcy6M+dpt5A Nh0DMsMnjuqPp1Bm5bSSY5gJ7foHZ9iNAC7UxoD+EIXPMN1jVOoCnqmfSKy+dE65 ROgex14HP1Zmrn5Zj7spc4zX2zWMbIyJgLQDpp+0dK+4wpINw97yXXoyYW+V5iyY ouf5BKXfudv4Du/PiKkAqf/s0Q5Lh19XSns0hygb+WG67h0CLJxQcH3o2wFWKzl3 JniD5BohTYpqsu5V/zSANqJuugHVxyx2N2SSWtpsYZoFX7GRCtNBOV2NSgH65jW7 S+N4Md8Hfx6rlp+BOkhKfBtDePev6orrSt4wxZ4JSRH++/ztFKo/1CY23NkLsdGN 9PIC6dawYIPTNGtrczwvmebEdBUbEYDBLyeKTcCeRLB1yP4sbb4a2yOoCmjdmAeD AKUMnx2+20Tl5k67HdrUKxA17KJ1qD5IkurfQkRpUo2uUkSEqpY= =Ao4u -----END PGP SIGNATURE----- Merge 4.19.171 into android-4.19-stable Changes in 4.19.171 i2c: bpmp-tegra: Ignore unknown I2C_M flags ALSA: seq: oss: Fix missing error check in snd_seq_oss_synth_make_info() ALSA: hda/via: Add minimum mute flag ACPI: scan: Make acpi_bus_get_device() clear return pointer on error btrfs: fix lockdep splat in btrfs_recover_relocation mmc: core: don't initialize block size from ext_csd if not present mmc: sdhci-xenon: fix 1.8v regulator stabilization dm: avoid filesystem lookup in dm_get_dev_t() dm integrity: fix a crash if "recalculate" used without "internal_hash" drm/atomic: put state on error path ASoC: Intel: haswell: Add missing pm_ops scsi: ufs: Correct the LUN used in eh_device_reset_handler() callback scsi: qedi: Correct max length of CHAP secret riscv: Fix kernel time_init() HID: Ignore battery for Elan touchscreen on ASUS UX550 clk: tegra30: Add hda clock default rates to clock driver xen: Fix event channel callback via INTX/GSI drm/nouveau/bios: fix issue shadowing expansion ROMs drm/nouveau/privring: ack interrupts the same way as RM drm/nouveau/i2c/gm200: increase width of aux semaphore owner fields drm/nouveau/mmu: fix vram heap sizing drm/nouveau/kms/nv50-: fix case where notifier buffer is at offset 0 scsi: megaraid_sas: Fix MEGASAS_IOC_FIRMWARE regression i2c: octeon: check correct size of maximum RECV_LEN packet platform/x86: intel-vbtn: Drop HP Stream x360 Convertible PC 11 from allow-list selftests: net: fib_tests: remove duplicate log test can: dev: can_restart: fix use after free bug can: vxcan: vxcan_xmit: fix use after free bug can: peak_usb: fix use after free bugs iio: ad5504: Fix setting power-down state irqchip/mips-cpu: Set IPI domain parent chip intel_th: pci: Add Alder Lake-P support stm class: Fix module init return on allocation failure serial: mvebu-uart: fix tx lost characters at power off ehci: fix EHCI host controller initialization sequence USB: ehci: fix an interrupt calltrace error usb: gadget: aspeed: fix stop dma register setting. usb: udc: core: Use lock when write to soft_connect usb: bdc: Make bdc pci driver depend on BROKEN xhci: make sure TRB is fully written before giving it to the controller xhci: tegra: Delay for disabling LFPS detector driver core: Extend device_is_dependent() netfilter: rpfilter: mask ecn bits before fib lookup sh: dma: fix kconfig dependency for G2_DMA sh_eth: Fix power down vs. is_opened flag ordering skbuff: back tiny skbs with kmalloc() in __netdev_alloc_skb() too kasan: fix unaligned address is unhandled in kasan_remove_zero_shadow kasan: fix incorrect arguments passing in kasan_add_zero_shadow udp: mask TOS bits in udp_v4_early_demux() ipv6: create multicast route with RTPROT_KERNEL net_sched: avoid shift-out-of-bounds in tcindex_set_parms() net_sched: reject silly cell_log in qdisc_get_rtab() ipv6: set multicast flag on the multicast route net: mscc: ocelot: allow offloading of bridge on top of LAG net: Disable NETIF_F_HW_TLS_RX when RXCSUM is disabled net: dsa: b53: fix an off by one in checking "vlan->vid" Linux 4.19.171 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I2be7d084a443bfc87e6a3d5753d9c233f54788ac |
||
Guillaume Nault
|
372d963821 |
udp: mask TOS bits in udp_v4_early_demux()
commit 8d2b51b008c25240914984208b2ced57d1dd25a5 upstream.
udp_v4_early_demux() is the only function that calls
ip_mc_validate_source() with a TOS that hasn't been masked with
IPTOS_RT_MASK.
This results in different behaviours for incoming multicast UDPv4
packets, depending on if ip_mc_validate_source() is called from the
early-demux path (udp_v4_early_demux) or from the regular input path
(ip_route_input_noref).
ECN would normally not be used with UDP multicast packets, so the
practical consequences should be limited on that side. However,
IPTOS_RT_MASK is used to also masks the TOS' high order bits, to align
with the non-early-demux path behaviour.
Reproducer:
Setup two netns, connected with veth:
$ ip netns add ns0
$ ip netns add ns1
$ ip -netns ns0 link set dev lo up
$ ip -netns ns1 link set dev lo up
$ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1
$ ip -netns ns0 link set dev veth01 up
$ ip -netns ns1 link set dev veth10 up
$ ip -netns ns0 address add 192.0.2.10 peer 192.0.2.11/32 dev veth01
$ ip -netns ns1 address add 192.0.2.11 peer 192.0.2.10/32 dev veth10
In ns0, add route to multicast address 224.0.2.0/24 using source
address 198.51.100.10:
$ ip -netns ns0 address add 198.51.100.10/32 dev lo
$ ip -netns ns0 route add 224.0.2.0/24 dev veth01 src 198.51.100.10
In ns1, define route to 198.51.100.10, only for packets with TOS 4:
$ ip -netns ns1 route add 198.51.100.10/32 tos 4 dev veth10
Also activate rp_filter in ns1, so that incoming packets not matching
the above route get dropped:
$ ip netns exec ns1 sysctl -wq net.ipv4.conf.veth10.rp_filter=1
Now try to receive packets on 224.0.2.11:
$ ip netns exec ns1 socat UDP-RECVFROM:1111,ip-add-membership=224.0.2.11:veth10,ignoreeof -
In ns0, send packet to 224.0.2.11 with TOS 4 and ECT(0) (that is,
tos 6 for socat):
$ echo test0 | ip netns exec ns0 socat - UDP-DATAGRAM:224.0.2.11:1111,bind=:1111,tos=6
The "test0" message is properly received by socat in ns1, because
early-demux has no cached dst to use, so source address validation
is done by ip_route_input_mc(), which receives a TOS that has the
ECN bits masked.
Now send another packet to 224.0.2.11, still with TOS 4 and ECT(0):
$ echo test1 | ip netns exec ns0 socat - UDP-DATAGRAM:224.0.2.11:1111,bind=:1111,tos=6
The "test1" message isn't received by socat in ns1, because, now,
early-demux has a cached dst to use and calls ip_mc_validate_source()
immediately, without masking the ECN bits.
Fixes:
|
||
Guillaume Nault
|
c9d1f70298 |
netfilter: rpfilter: mask ecn bits before fib lookup
commit 2e5a6266fbb11ae93c468dfecab169aca9c27b43 upstream.
RT_TOS() only masks one of the two ECN bits. Therefore rpfilter_mt()
treats Not-ECT or ECT(1) packets in a different way than those with
ECT(0) or CE.
Reproducer:
Create two netns, connected with a veth:
$ ip netns add ns0
$ ip netns add ns1
$ ip link add name veth01 netns ns0 type veth peer name veth10 netns ns1
$ ip -netns ns0 link set dev veth01 up
$ ip -netns ns1 link set dev veth10 up
$ ip -netns ns0 address add 192.0.2.10/32 dev veth01
$ ip -netns ns1 address add 192.0.2.11/32 dev veth10
Add a route to ns1 in ns0:
$ ip -netns ns0 route add 192.0.2.11/32 dev veth01
In ns1, only packets with TOS 4 can be routed to ns0:
$ ip -netns ns1 route add 192.0.2.10/32 tos 4 dev veth10
Ping from ns0 to ns1 works regardless of the ECN bits, as long as TOS
is 4:
$ ip netns exec ns0 ping -Q 4 192.0.2.11 # TOS 4, Not-ECT
... 0% packet loss ...
$ ip netns exec ns0 ping -Q 5 192.0.2.11 # TOS 4, ECT(1)
... 0% packet loss ...
$ ip netns exec ns0 ping -Q 6 192.0.2.11 # TOS 4, ECT(0)
... 0% packet loss ...
$ ip netns exec ns0 ping -Q 7 192.0.2.11 # TOS 4, CE
... 0% packet loss ...
Now use iptable's rpfilter module in ns1:
$ ip netns exec ns1 iptables-legacy -t raw -A PREROUTING -m rpfilter --invert -j DROP
Not-ECT and ECT(1) packets still pass:
$ ip netns exec ns0 ping -Q 4 192.0.2.11 # TOS 4, Not-ECT
... 0% packet loss ...
$ ip netns exec ns0 ping -Q 5 192.0.2.11 # TOS 4, ECT(1)
... 0% packet loss ...
But ECT(0) and ECN packets are dropped:
$ ip netns exec ns0 ping -Q 6 192.0.2.11 # TOS 4, ECT(0)
... 100% packet loss ...
$ ip netns exec ns0 ping -Q 7 192.0.2.11 # TOS 4, CE
... 100% packet loss ...
After this patch, rpfilter doesn't drop ECT(0) and CE packets anymore.
Fixes:
|
||
Greg Kroah-Hartman
|
d084fe8b5d |
This is the 4.19.170 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAMODkACgkQONu9yGCS aT5y5w/+IcTYjUeozem90e811yy0V17All0NvJyYovwvs8Jr4aapV2/P4hTAFKjl VbmUGHTsRq0yygv0Sqz7SqOw0C9F+pxZmCmG5SZzmfXV4IGSv9sT94cX1PI/Sqhn 1zes2C3AYOAmypBGV27XVMFgQNH3JkqwaFmvfyYTH+YSdCPncI3mkNsQbL3J4luT XdZ8mlg1uiHYwTm2aeM/8eFhgK01qXpUDCJXCoxx2gm4xQjX8pnqq5xJdh8iOlpH 6VPcuiPAFYlTaYyW2U8/tnQE9XmL+nrQh3QSFP638sSMdkCGEuTM3upUk+1QjC56 GQSnERDR7zt4B8l414MSZOmGHMKqwXJ585Bwx6ZZW+RWlp/vDAgxUhfjoh4Ep7CM Zb0Ydzv/AB3zuMDxudcUBuNf1xTGd8YR39ODjWCkk2qmJORgiDNLtMcacJQmjQRo SjUa4BooaeOYpJ/N8L0BXkWl32AOP04VKldO0jczhtPLwZZWRHPnw+IWVRL6W91Y H9eElJxDQvymGRJ6H4+7Q6l7qtP3QjGHyX4gTq7Ucbn/cIJvdZmH5ooIsiOGTchn GWOx2lStW7fgUd+IY3Hr+LVIa9yvnXra4RIZAD9v5X8aIJ6ol6b8F9GAmrZMyP2O SU+z4UIs9/XG2GHenQFZDeZ9wj8p7o1PaT+D9u5z9xteje2Bqfk= =ptN/ -----END PGP SIGNATURE----- Merge 4.19.170 into android-4.19-stable Changes in 4.19.170 usb: ohci: Make distrust_firmware param default to false compiler.h: Raise minimum version of GCC to 5.1 for arm64 dm integrity: fix flush with external metadata device crypto: x86/crc32c - fix building with clang ias nfsd4: readdirplus shouldn't return parent of export udp: Prevent reuseport_select_sock from reading uninitialized socks netxen_nic: fix MSI/MSI-x interrupts net: mvpp2: Remove Pause and Asym_Pause support rndis_host: set proper input size for OID_GEN_PHYSICAL_MEDIUM request esp: avoid unneeded kmap_atomic call net: dcb: Validate netlink message in DCB handler net: dcb: Accept RTM_GETDCB messages carrying set-like DCB commands rxrpc: Call state should be read with READ_ONCE() under some circumstances net: stmmac: Fixed mtu channged by cache aligned net: sit: unregister_netdevice on newlink's error path net: avoid 32 x truesize under-estimation for tiny skbs rxrpc: Fix handling of an unsupported token type in rxrpc_read() tipc: fix NULL deref in tipc_link_xmit() net: introduce skb_list_walk_safe for skb segment walking net: skbuff: disambiguate argument and member for skb_list_walk_safe helper net: ipv6: Validate GSO SKB before finish IPv6 processing spi: cadence: cache reference clock rate during probe Linux 4.19.170 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4a12e49eae7097a468161952228c57c974a1b0ac |
||
Willem de Bruijn
|
d4ede0a453 |
esp: avoid unneeded kmap_atomic call
[ Upstream commit 9bd6b629c39e3fa9e14243a6d8820492be1a5b2e ] esp(6)_output_head uses skb_page_frag_refill to allocate a buffer for the esp trailer. It accesses the page with kmap_atomic to handle highmem. But skb_page_frag_refill can return compound pages, of which kmap_atomic only maps the first underlying page. skb_page_frag_refill does not return highmem, because flag __GFP_HIGHMEM is not set. ESP uses it in the same manner as TCP. That also does not call kmap_atomic, but directly uses page_address, in skb_copy_to_page_nocache. Do the same for ESP. This issue has become easier to trigger with recent kmap local debugging feature CONFIG_DEBUG_KMAP_LOCAL_FORCE_MAP. Fixes: |
||
Greg Kroah-Hartman
|
5905c14687 |
This is the 4.19.168 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmAENesACgkQONu9yGCS aT7VQg//Sr2GXQqTswXLMTMFCALNh7jSzYthMwvok9RqEeNg4bZlaXNFyylZxAgr q3WSPCtmJWlQ2L5mjae5qYnIvgrvf5uKRhVoiZ+piDPIaz1HLixO+oNosxsBVFc8 Mx0OZpTP5TPRRLEyprOyQBo0fI3v4NHKQ3PYbJPzqA5jRSU+i5r1opKh8y+6pZjN PXdpZSinHpzs7qXWpPU3xEvmqy7TbNicD/SzJm12yoyVM3e1eB12rPDvaNMqGdLZ lgGhvcIunDS+rtNWrjnG4hXpKPfrpNFmH/QUK1v+/5oZDwFNn9tf1hIar5fu6T9U 4gHhEiKlrRfJhZwgjppUTpMvt14q/XyOV3Bty3ekl6kjWalSAbffOrWongmAs5fG Xz/hPrhl2bO/WtXmyvuV8oQcuSc+7Ufu5lPAVALOtQcVqurOS/6KmylOWTuYaSqv oLzlHgHfBUf6ES1HRNb7Rn+li7c7DNzydtlr3jGxagn1ZTj6/I8GfI+UxyVPVCie Rq9C5ul6tE9bWnDCJEuTvEIKu11GysZqFk8nWKomXidc0pgWtr2nEtVzrsLXY+rp mrfmXwtHOlNmgW+kl9DFqgLUbo2kzefn62zVekbG3R7Oni3xs+YwbxZHJVkkFkXz G5ggw96v7M/kVRMzg/kuRaF3oYVJn6iQOueP+haX+YwoAUPjD0c= =zbAi -----END PGP SIGNATURE----- Merge 4.19.168 into android-4.19-stable Changes in 4.19.168 net: cdc_ncm: correct overhead in delayed_ndp_size net: hns3: fix the number of queues actually used by ARQ net: stmmac: dwmac-sun8i: Balance internal PHY resource references net: stmmac: dwmac-sun8i: Balance internal PHY power net: vlan: avoid leaks on register_vlan_dev() failures net/sonic: Fix some resource leaks in error handling paths net: ip: always refragment ip defragmented packets net: fix pmtu check in nopmtudisc mode net: ipv6: fib: flush exceptions when purging route chtls: Fix hardware tid leak chtls: Remove invalid set_tcb call chtls: Fix panic when route to peer not configured chtls: Replace skb_dequeue with skb_peek chtls: Added a check to avoid NULL pointer dereference chtls: Fix chtls resources release sequence x86/resctrl: Use an IPI instead of task_work_add() to update PQR_ASSOC MSR x86/resctrl: Don't move a task to the same resource group vmlinux.lds.h: Add PGO and AutoFDO input sections drm/i915: Fix mismatch between misplaced vma check and vma insert spi: pxa2xx: Fix use-after-free on unbind iio: imu: st_lsm6dsx: flip irq return logic iio: imu: st_lsm6dsx: fix edge-trigger interrupts HID: wacom: Fix memory leakage caused by kfifo_alloc ARM: OMAP2+: omap_device: fix idling of devices during probe i2c: sprd: use a specific timeout to avoid system hang up issue cpufreq: powernow-k8: pass policy rather than use cpufreq_cpu_get() spi: stm32: FIFO threshold level - fix align packet size dmaengine: mediatek: mtk-hsdma: Fix a resource leak in the error handling path of the probe function dmaengine: xilinx_dma: check dma_async_device_register return value dmaengine: xilinx_dma: fix incompatible param warning in _child_probe() dmaengine: xilinx_dma: fix mixed_enum_type coverity warning wil6210: select CONFIG_CRC32 block: rsxx: select CONFIG_CRC32 lightnvm: select CONFIG_CRC32 iommu/intel: Fix memleak in intel_irq_remapping_alloc net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups net/mlx5e: Fix two double free cases regmap: debugfs: Fix a memory leak when calling regmap_attach_dev wan: ds26522: select CONFIG_BITREVERSE KVM: arm64: Don't access PMCR_EL0 when no PMU is available block: fix use-after-free in disk_part_iter_next net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of trimmed packet regmap: debugfs: Fix a reversed if statement in regmap_debugfs_init() Linux 4.19.168 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia39a78431db8bf624b3d0c0940be36c514b79a77 |
||
Florian Westphal
|
8593ed480c |
net: fix pmtu check in nopmtudisc mode
[ Upstream commit 50c661670f6a3908c273503dfa206dfc7aa54c07 ]
For some reason ip_tunnel insist on setting the DF bit anyway when the
inner header has the DF bit set, EVEN if the tunnel was configured with
'nopmtudisc'.
This means that the script added in the previous commit
cannot be made to work by adding the 'nopmtudisc' flag to the
ip tunnel configuration. Doing so breaks connectivity even for the
without-conntrack/netfilter scenario.
When nopmtudisc is set, the tunnel will skip the mtu check, so no
icmp error is sent to client. Then, because inner header has DF set,
the outer header gets added with DF bit set as well.
IP stack then sends an error to itself because the packet exceeds
the device MTU.
Fixes:
|
||
Florian Westphal
|
c147585c97 |
net: ip: always refragment ip defragmented packets
[ Upstream commit bb4cc1a18856a73f0ff5137df0c2a31f4c50f6cf ]
Conntrack reassembly records the largest fragment size seen in IPCB.
However, when this gets forwarded/transmitted, fragmentation will only
be forced if one of the fragmented packets had the DF bit set.
In that case, a flag in IPCB will force fragmentation even if the
MTU is large enough.
This should work fine, but this breaks with ip tunnels.
Consider client that sends a UDP datagram of size X to another host.
The client fragments the datagram, so two packets, of size y and z, are
sent. DF bit is not set on any of these packets.
Middlebox netfilter reassembles those packets back to single size-X
packet, before routing decision.
packet-size-vs-mtu checks in ip_forward are irrelevant, because DF bit
isn't set. At output time, ip refragmentation is skipped as well
because x is still smaller than the mtu of the output device.
If ttransmit device is an ip tunnel, the packet size increases to
x+overhead.
Also, tunnel might be configured to force DF bit on outer header.
In this case, packet will be dropped (exceeds MTU) and an ICMP error is
generated back to sender.
But sender already respects the announced MTU, all the packets that
it sent did fit the announced mtu.
Force refragmentation as per original sizes unconditionally so ip tunnel
will encapsulate the fragments instead.
The only other solution I see is to place ip refragmentation in
the ip_tunnel code to handle this case.
Fixes:
|
||
Greg Kroah-Hartman
|
8ca2f0230e |
Merge 4.19.167 into android-4.19-stable
Changes in 4.19.167 kbuild: don't hardcode depmod path workqueue: Kick a worker based on the actual activation of delayed works scsi: ufs: Fix wrong print message in dev_err() scsi: ufs-pci: Ensure UFS device is in PowerDown mode for suspend-to-disk ->poweroff() scsi: ide: Do not set the RQF_PREEMPT flag for sense requests scsi: scsi_transport_spi: Set RQF_PM for domain validation commands lib/genalloc: fix the overflow when size is too big depmod: handle the case of /sbin/depmod without /sbin in PATH proc: change ->nlink under proc_subdir_lock proc: fix lookup in /proc/net subdirectories after setns(2) i40e: Fix Error I40E_AQ_RC_EINVAL when removing VFs net: mvpp2: Add TCAM entry to drop flow control pause frames net: mvpp2: prs: fix PPPoE with ipv6 packet parse ethernet: ucc_geth: fix use-after-free in ucc_geth_remove() ethernet: ucc_geth: set dev->max_mtu to 1518 atm: idt77252: call pci_disable_device() on error path net: mvpp2: Fix GoP port 3 Networking Complex Control configurations qede: fix offload for IPIP tunnel packets virtio_net: Fix recursive call to cpus_read_lock() net/ncsi: Use real net-device for response handler net: ethernet: Fix memleak in ethoc_probe net-sysfs: take the rtnl lock when storing xps_cpus net-sysfs: take the rtnl lock when accessing xps_cpus_map and num_tc net: ethernet: ti: cpts: fix ethtool output when no ptp_clock registered tun: fix return value when the number of iovs exceeds MAX_SKB_FRAGS ipv4: Ignore ECN bits for fib lookups in fib_compute_spec_dst() net: hns: fix return value check in __lb_other_process() erspan: fix version 1 check in gre_parse_header() net: hdlc_ppp: Fix issues when mod_timer is called while timer is running CDC-NCM: remove "connected" log message net: usb: qmi_wwan: add Quectel EM160R-GL r8169: work around power-saving bug on some chip versions vhost_net: fix ubuf refcount incorrectly when sendmsg fails net: sched: prevent invalid Scell_log shift count net-sysfs: take the rtnl lock when storing xps_rxqs net-sysfs: take the rtnl lock when accessing xps_rxqs_map and num_tc net: systemport: set dev->max_mtu to UMAC_MAX_MTU_SIZE Bluetooth: revert: hci_h5: close serdev device and free hu in h5_close video: hyperv_fb: Fix the mmap() regression for v5.4.y and older crypto: ecdh - avoid buffer overflow in ecdh_set_secret() staging: mt7621-dma: Fix a resource leak in an error handling path usb: gadget: enable super speed plus USB: cdc-acm: blacklist another IR Droid device USB: cdc-wdm: Fix use after free in service_outstanding_interrupt(). usb: dwc3: ulpi: Use VStsDone to detect PHY regs access completion usb: chipidea: ci_hdrc_imx: add missing put_device() call in usbmisc_get_init_data() USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set usb: usbip: vhci_hcd: protect shift size usb: uas: Add PNY USB Portable SSD to unusual_uas USB: serial: iuu_phoenix: fix DMA from stack USB: serial: option: add LongSung M5710 module support USB: serial: option: add Quectel EM160R-GL USB: yurex: fix control-URB timeout handling USB: usblp: fix DMA to stack ALSA: usb-audio: Fix UBSAN warnings for MIDI jacks usb: gadget: select CONFIG_CRC32 usb: gadget: f_uac2: reset wMaxPacketSize usb: gadget: function: printer: Fix a memory leak for interface descriptor usb: gadget: u_ether: Fix MTU size mismatch with RX packet size USB: gadget: legacy: fix return error code in acm_ms_bind() usb: gadget: Fix spinlock lockup on usb_function_deactivate usb: gadget: configfs: Preserve function ordering after bind failure usb: gadget: configfs: Fix use-after-free issue with udc_name USB: serial: keyspan_pda: remove unused variable x86/mm: Fix leak of pmd ptlock ALSA: hda/via: Fix runtime PM for Clevo W35xSS ALSA: hda/conexant: add a new hda codec CX11970 ALSA: hda/realtek - Fix speaker volume control on Lenovo C940 btrfs: send: fix wrong file path when there is an inode with a pending rmdir Revert "device property: Keep secondary firmware node secondary by type" xen/pvh: correctly setup the PV EFI interface for dom0 netfilter: x_tables: Update remaining dereference to RCU netfilter: ipset: fix shift-out-of-bounds in htable_bits() netfilter: xt_RATEEST: reject non-null terminated string from userspace x86/mtrr: Correct the range check before performing MTRR type lookups KVM: x86: fix shift out of bounds reported by UBSAN scsi: target: Fix XCOPY NAA identifier lookup Linux 4.19.167 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Id204bcc705c98d3344f33de84431cc7ca0868246 |
||
Subash Abhinov Kasiviswanathan
|
954cc63f5d |
netfilter: x_tables: Update remaining dereference to RCU
commit 443d6e86f821a165fae3fc3fc13086d27ac140b1 upstream. This fixes the dereference to fetch the RCU pointer when holding the appropriate xtables lock. Reported-by: kernel test robot <lkp@intel.com> Fixes: cc00bcaa5899 ("netfilter: x_tables: Switch synchronization to RCU") Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org> Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |