55758 commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Greg Kroah-Hartman
|
c97f22d970 |
This is the 4.19.272 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPgoxsACgkQONu9yGCS aT7P4hAAiY1TIECbi0kriTeuRmi/cGkU1eo8ODV+5h0x31cEObCZnsvU6v2LeqOJ X0H8U3MwjxyVYoK1L1SUBClgPXqBq0jI4+CrjVSQcl8kWGKhUm/JXzjcOC6wAlB7 M2BRD2z7M+K4Mem1Q6eV7UEuEBPteLquP4xPlaXKkRAoeWKXcbiRM3ns5h20Acmi igDqhzLUAiAIhL429vPAOp34aNDmaZzLXiMt9p0mYkDFP7I904FrlBAsceJV8NZ9 6oxxQspkoCf8MjBGrV6JcFwNgHjCHM+zXHWhROCE9WL7rknCJidttQKsOtzNE6Gx pFF60qFRx6JVsvm0D2lJpEW+ExdlcQ/aacByy3fXajkdyrsl9sTajiw0+1f6P4Oq hX8U+HianG4G1HgpOAUeZZBcTn7k7+pdTcogLaQW5Csch2RHMmmnPMZlZqudGUxD yJiyd9dRIEPOa8CAdCzI4/xgjEgogS1snS9jRhJ0rwRtSqL3lLrSRdeFWbVjgA54 HAF9dR76Y4sbmWv4MbUPK+lvROvWv/NtLeiHXCJCGsxWdcOYQTw8ASenaK2IQRUF 1ows0gRXX3Xzm6R8CvpJqT80ta1rUfD3INycV4kUHeRUlVsrBtu48KX325+ZUXD9 Lvcbips57QvMMigROx6HpQHbmA1fe/42mZfhf36sgzycAmIzThA= =yuwn -----END PGP SIGNATURE----- Merge 4.19.272 into android-4.19-stable Changes in 4.19.272 ARM: dts: imx6qdl-gw560x: Remove incorrect 'uart-has-rtscts' HID: intel_ish-hid: Add check for ishtp_dma_tx_map EDAC/highbank: Fix memory leak in highbank_mc_probe() tomoyo: fix broken dependency on *.conf.default IB/hfi1: Reject a zero-length user expected buffer IB/hfi1: Reserve user expected TIDs IB/hfi1: Fix expected receive setup error exit issues affs: initialize fsdata in affs_truncate() amd-xgbe: TX Flow Ctrl Registers are h/w ver dependent amd-xgbe: Delay AN timeout during KR training bpf: Fix pointer-leak due to insufficient speculative store bypass mitigation phy: rockchip-inno-usb2: Fix missing clk_disable_unprepare() in rockchip_usb2phy_power_on() net: nfc: Fix use-after-free in local_cleanup() wifi: rndis_wlan: Prevent buffer overflow in rndis_query_oid net: usb: sr9700: Handle negative len net: mdio: validate parameter addr in mdiobus_get_phy() HID: check empty report_list in hid_validate_values() usb: gadget: f_fs: Prevent race during ffs_ep0_queue_wait usb: gadget: f_fs: Ensure ep0req is dequeued before free_request net: mlx5: eliminate anonymous module_init & module_exit dmaengine: Fix double increment of client_count in dma_chan_get() net: macb: fix PTP TX timestamp failure due to packet padding HID: betop: check shape of output reports dmaengine: xilinx_dma: commonize DMA copy size calculation dmaengine: xilinx_dma: program hardware supported buffer length dmaengine: xilinx_dma: Fix devm_platform_ioremap_resource error handling dmaengine: xilinx_dma: call of_node_put() when breaking out of for_each_child_of_node() tcp: avoid the lookup process failing to get sk in ehash table w1: fix deadloop in __w1_remove_master_device() w1: fix WARNING after calling w1_process() netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state block: fix and cleanup bio_check_ro perf env: Do not return pointers to local variables fs: reiserfs: remove useless new_opts in reiserfs_remount Bluetooth: hci_sync: cancel cmd_timer if hci_open failed scsi: hpsa: Fix allocation size for scsi_host_alloc() module: Don't wait for GOING modules tracing: Make sure trace_printk() can output as soon as it can be used trace_events_hist: add check for return value of 'create_hist_field' smbd: Make upper layer decide when to destroy the transport cifs: Fix oops due to uncleared server->smbd_conn in reconnect ARM: 9280/1: mm: fix warning on phys_addr_t to void pointer assignment EDAC/device: Respect any driver-supplied workqueue polling value net: fix UaF in netns ops registration error path netfilter: nft_set_rbtree: skip elements in transaction from garbage collection netlink: remove hash::nelems check in netlink_insert netlink: annotate data races around nlk->portid netlink: annotate data races around dst_portid and dst_group netlink: annotate data races around sk_state ipv4: prevent potential spectre v1 gadget in ip_metrics_convert() netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE netrom: Fix use-after-free of a listening socket. sctp: fail if no bound addresses can be used for a given scope net: ravb: Fix possible hang if RIS2_QFF1 happen net/tg3: resolve deadlock in tg3_reset_task() during EEH Revert "Input: synaptics - switch touchpad on HP Laptop 15-da3001TU to RMI mode" x86/i8259: Mark legacy PIC interrupts with IRQ_LEVEL drm/i915/display: fix compiler warning about array overrun x86/asm: Fix an assembler warning with current binutils x86/entry/64: Add instruction suffix to SYSRET ARM: dts: imx: Fix pca9547 i2c-mux node name dmaengine: imx-sdma: Fix a possible memory leak in sdma_transfer_init sysctl: add a new register_sysctl_init() interface panic: unset panic_on_warn inside panic() exit: Add and use make_task_dead. objtool: Add a missing comma to avoid string concatenation hexagon: Fix function name in die() h8300: Fix build errors from do_exit() to make_task_dead() transition ia64: make IA64_MCA_RECOVERY bool instead of tristate exit: Put an upper limit on how often we can oops exit: Expose "oops_count" to sysfs exit: Allow oops_limit to be disabled panic: Consolidate open-coded panic_on_warn checks panic: Introduce warn_limit panic: Expose "warn_count" to sysfs docs: Fix path paste-o for /sys/kernel/warn_count exit: Use READ_ONCE() for all oops/warn limit reads ipv6: ensure sane device mtu in tunnels usb: host: xhci-plat: add wakeup entry at sysfs Linux 4.19.272 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4f9ddce1e108e81409d47e00fdeef2bc0d34f793 |
||
Eric Dumazet
|
78297d5131 |
ipv6: ensure sane device mtu in tunnels
commit d89d7ff01235f218dad37de84457717f699dee79 upstream. Another syzbot report [1] with no reproducer hints at a bug in ip6_gre tunnel (dev:ip6gretap0) Since ipv6 mcast code makes sure to read dev->mtu once and applies a sanity check on it (see commit |
||
Marcelo Ricardo Leitner
|
26436553aa |
sctp: fail if no bound addresses can be used for a given scope
[ Upstream commit 458e279f861d3f61796894cd158b780765a1569f ]
Currently, if you bind the socket to something like:
servaddr.sin6_family = AF_INET6;
servaddr.sin6_port = htons(0);
servaddr.sin6_scope_id = 0;
inet_pton(AF_INET6, "::1", &servaddr.sin6_addr);
And then request a connect to:
connaddr.sin6_family = AF_INET6;
connaddr.sin6_port = htons(20000);
connaddr.sin6_scope_id = if_nametoindex("lo");
inet_pton(AF_INET6, "fe88::1", &connaddr.sin6_addr);
What the stack does is:
- bind the socket
- create a new asoc
- to handle the connect
- copy the addresses that can be used for the given scope
- try to connect
But the copy returns 0 addresses, and the effect is that it ends up
trying to connect as if the socket wasn't bound, which is not the
desired behavior. This unexpected behavior also allows KASLR leaks
through SCTP diag interface.
The fix here then is, if when trying to copy the addresses that can
be used for the scope used in connect() it returns 0 addresses, bail
out. This is what TCP does with a similar reproducer.
Reported-by: Pietro Borrello <borrello@diag.uniroma1.it>
Fixes:
|
||
Kuniyuki Iwashima
|
a31caf5779 |
netrom: Fix use-after-free of a listening socket.
[ Upstream commit 409db27e3a2eb5e8ef7226ca33be33361b3ed1c9 ] syzbot reported a use-after-free in do_accept(), precisely nr_accept() as sk_prot_alloc() allocated the memory and sock_put() frees it. [0] The issue could happen if the heartbeat timer is fired and nr_heartbeat_expiry() calls nr_destroy_socket(), where a socket has SOCK_DESTROY or a listening socket has SOCK_DEAD. In this case, the first condition cannot be true. SOCK_DESTROY is flagged in nr_release() only when the file descriptor is close()d, but accept() is being called for the listening socket, so the second condition must be true. Usually, the AF_NETROM listener neither starts timers nor sets SOCK_DEAD. However, the condition is met if connect() fails before listen(). connect() starts the t1 timer and heartbeat timer, and t1timer calls nr_disconnect() when timeout happens. Then, SOCK_DEAD is set, and if we call listen(), the heartbeat timer calls nr_destroy_socket(). nr_connect nr_establish_data_link(sk) nr_start_t1timer(sk) nr_start_heartbeat(sk) nr_t1timer_expiry nr_disconnect(sk, ETIMEDOUT) nr_sk(sk)->state = NR_STATE_0 sk->sk_state = TCP_CLOSE sock_set_flag(sk, SOCK_DEAD) nr_listen if (sk->sk_state != TCP_LISTEN) sk->sk_state = TCP_LISTEN nr_heartbeat_expiry switch (nr->state) case NR_STATE_0 if (sk->sk_state == TCP_LISTEN && sock_flag(sk, SOCK_DEAD)) nr_destroy_socket(sk) This path seems expected, and nr_destroy_socket() is called to clean up resources. Initially, there was sock_hold() before nr_destroy_socket() so that the socket would not be freed, but the commit 517a16b1a88b ("netrom: Decrease sock refcount when sock timers expire") accidentally removed it. To fix use-after-free, let's add sock_hold(). [0]: BUG: KASAN: use-after-free in do_accept+0x483/0x510 net/socket.c:1848 Read of size 8 at addr ffff88807978d398 by task syz-executor.3/5315 CPU: 0 PID: 5315 Comm: syz-executor.3 Not tainted 6.2.0-rc3-syzkaller-00165-gd9fc1511728c #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022 Call Trace: <TASK> __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:306 [inline] print_report+0x15e/0x461 mm/kasan/report.c:417 kasan_report+0xbf/0x1f0 mm/kasan/report.c:517 do_accept+0x483/0x510 net/socket.c:1848 __sys_accept4_file net/socket.c:1897 [inline] __sys_accept4+0x9a/0x120 net/socket.c:1927 __do_sys_accept net/socket.c:1944 [inline] __se_sys_accept net/socket.c:1941 [inline] __x64_sys_accept+0x75/0xb0 net/socket.c:1941 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fa436a8c0c9 Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fa437784168 EFLAGS: 00000246 ORIG_RAX: 000000000000002b RAX: ffffffffffffffda RBX: 00007fa436bac050 RCX: 00007fa436a8c0c9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000005 RBP: 00007fa436ae7ae9 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007ffebc6700df R14: 00007fa437784300 R15: 0000000000022000 </TASK> Allocated by task 5294: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 ____kasan_kmalloc mm/kasan/common.c:371 [inline] ____kasan_kmalloc mm/kasan/common.c:330 [inline] __kasan_kmalloc+0xa3/0xb0 mm/kasan/common.c:380 kasan_kmalloc include/linux/kasan.h:211 [inline] __do_kmalloc_node mm/slab_common.c:968 [inline] __kmalloc+0x5a/0xd0 mm/slab_common.c:981 kmalloc include/linux/slab.h:584 [inline] sk_prot_alloc+0x140/0x290 net/core/sock.c:2038 sk_alloc+0x3a/0x7a0 net/core/sock.c:2091 nr_create+0xb6/0x5f0 net/netrom/af_netrom.c:433 __sock_create+0x359/0x790 net/socket.c:1515 sock_create net/socket.c:1566 [inline] __sys_socket_create net/socket.c:1603 [inline] __sys_socket_create net/socket.c:1588 [inline] __sys_socket+0x133/0x250 net/socket.c:1636 __do_sys_socket net/socket.c:1649 [inline] __se_sys_socket net/socket.c:1647 [inline] __x64_sys_socket+0x73/0xb0 net/socket.c:1647 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd Freed by task 14: kasan_save_stack+0x22/0x40 mm/kasan/common.c:45 kasan_set_track+0x25/0x30 mm/kasan/common.c:52 kasan_save_free_info+0x2b/0x40 mm/kasan/generic.c:518 ____kasan_slab_free mm/kasan/common.c:236 [inline] ____kasan_slab_free+0x13b/0x1a0 mm/kasan/common.c:200 kasan_slab_free include/linux/kasan.h:177 [inline] __cache_free mm/slab.c:3394 [inline] __do_kmem_cache_free mm/slab.c:3580 [inline] __kmem_cache_free+0xcd/0x3b0 mm/slab.c:3587 sk_prot_free net/core/sock.c:2074 [inline] __sk_destruct+0x5df/0x750 net/core/sock.c:2166 sk_destruct net/core/sock.c:2181 [inline] __sk_free+0x175/0x460 net/core/sock.c:2192 sk_free+0x7c/0xa0 net/core/sock.c:2203 sock_put include/net/sock.h:1991 [inline] nr_heartbeat_expiry+0x1d7/0x460 net/netrom/nr_timer.c:148 call_timer_fn+0x1da/0x7c0 kernel/time/timer.c:1700 expire_timers+0x2c6/0x5c0 kernel/time/timer.c:1751 __run_timers kernel/time/timer.c:2022 [inline] __run_timers kernel/time/timer.c:1995 [inline] run_timer_softirq+0x326/0x910 kernel/time/timer.c:2035 __do_softirq+0x1fb/0xadc kernel/softirq.c:571 Fixes: 517a16b1a88b ("netrom: Decrease sock refcount when sock timers expire") Reported-by: syzbot+5fafd5cfe1fc91f6b352@syzkaller.appspotmail.com Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com> Link: https://lore.kernel.org/r/20230120231927.51711-1-kuniyu@amazon.com Signed-off-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Sriram Yagnaraman
|
2bcbc46e0f |
netfilter: conntrack: fix vtag checks for ABORT/SHUTDOWN_COMPLETE
[ Upstream commit a9993591fa94246b16b444eea55d84c54608282a ]
RFC 9260, Sec 8.5.1 states that for ABORT/SHUTDOWN_COMPLETE, the chunk
MUST be accepted if the vtag of the packet matches its own tag and the
T bit is not set OR if it is set to its peer's vtag and the T bit is set
in chunk flags. Otherwise the packet MUST be silently dropped.
Update vtag verification for ABORT/SHUTDOWN_COMPLETE based on the above
description.
Fixes:
|
||
Eric Dumazet
|
ef050cf5fb |
ipv4: prevent potential spectre v1 gadget in ip_metrics_convert()
[ Upstream commit 1d1d63b612801b3f0a39b7d4467cad0abd60e5c8 ]
if (!type)
continue;
if (type > RTAX_MAX)
return -EINVAL;
...
metrics[type - 1] = val;
@type being used as an array index, we need to prevent
cpu speculation or risk leaking kernel memory content.
Fixes:
|
||
Eric Dumazet
|
4988b4ad0f |
netlink: annotate data races around sk_state
[ Upstream commit 9b663b5cbb15b494ef132a3c937641c90646eb73 ]
netlink_getsockbyportid() reads sk_state while a concurrent
netlink_connect() can change its value.
Fixes:
|
||
Eric Dumazet
|
71bd90357e |
netlink: annotate data races around dst_portid and dst_group
[ Upstream commit 004db64d185a5f23dfb891d7701e23713b2420ee ]
netlink_getname(), netlink_sendmsg() and netlink_getsockbyportid()
can read nlk->dst_portid and nlk->dst_group while another
thread is changing them.
Fixes:
|
||
Eric Dumazet
|
a737d39273 |
netlink: annotate data races around nlk->portid
[ Upstream commit c1bb9484e3b05166880da8574504156ccbd0549e ]
syzbot reminds us netlink_getname() runs locklessly [1]
This first patch annotates the race against nlk->portid.
Following patches take care of the remaining races.
[1]
BUG: KCSAN: data-race in netlink_getname / netlink_insert
write to 0xffff88814176d310 of 4 bytes by task 2315 on cpu 1:
netlink_insert+0xf1/0x9a0 net/netlink/af_netlink.c:583
netlink_autobind+0xae/0x180 net/netlink/af_netlink.c:856
netlink_sendmsg+0x444/0x760 net/netlink/af_netlink.c:1895
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
____sys_sendmsg+0x38f/0x500 net/socket.c:2476
___sys_sendmsg net/socket.c:2530 [inline]
__sys_sendmsg+0x19a/0x230 net/socket.c:2559
__do_sys_sendmsg net/socket.c:2568 [inline]
__se_sys_sendmsg net/socket.c:2566 [inline]
__x64_sys_sendmsg+0x42/0x50 net/socket.c:2566
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffff88814176d310 of 4 bytes by task 2316 on cpu 0:
netlink_getname+0xcd/0x1a0 net/netlink/af_netlink.c:1144
__sys_getsockname+0x11d/0x1b0 net/socket.c:2026
__do_sys_getsockname net/socket.c:2041 [inline]
__se_sys_getsockname net/socket.c:2038 [inline]
__x64_sys_getsockname+0x3e/0x50 net/socket.c:2038
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x00000000 -> 0xc9a49780
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 2316 Comm: syz-executor.2 Not tainted 6.2.0-rc3-syzkaller-00030-ge8f60cd7db24-dirty #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Fixes:
|
||
Li RongQing
|
bc6199018f |
netlink: remove hash::nelems check in netlink_insert
[ Upstream commit 0041195d55bc38df6b574cc8c36dcf2266fbee39 ] The type of hash::nelems has been changed from size_t to atom_t which in fact is int, so not need to check if BITS_PER_LONG, that is bit number of size_t, is bigger than 32 and rht_grow_above_max() will be called to check if hashtable is too big, ensure it can not bigger than 1<<31 Signed-off-by: Zhang Yu <zhangyu31@baidu.com> Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: David S. Miller <davem@davemloft.net> Stable-dep-of: c1bb9484e3b0 ("netlink: annotate data races around nlk->portid") Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Pablo Neira Ayuso
|
25f42a59ee |
netfilter: nft_set_rbtree: skip elements in transaction from garbage collection
[ Upstream commit 5d235d6ce75c12a7fdee375eb211e4116f7ab01b ]
Skip interference with an ongoing transaction, do not perform garbage
collection on inactive elements. Reset annotated previous end interval
if the expired element is marked as busy (control plane removed the
element right before expiration).
Fixes:
|
||
Paolo Abeni
|
ad0dfe9bcf |
net: fix UaF in netns ops registration error path
[ Upstream commit 71ab9c3e2253619136c31c89dbb2c69305cc89b1 ] If net_assign_generic() fails, the current error path in ops_init() tries to clear the gen pointer slot. Anyway, in such error path, the gen pointer itself has not been modified yet, and the existing and accessed one is smaller than the accessed index, causing an out-of-bounds error: BUG: KASAN: slab-out-of-bounds in ops_init+0x2de/0x320 Write of size 8 at addr ffff888109124978 by task modprobe/1018 CPU: 2 PID: 1018 Comm: modprobe Not tainted 6.2.0-rc2.mptcp_ae5ac65fbed5+ #1641 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.1-2.fc37 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x6a/0x9f print_address_description.constprop.0+0x86/0x2b5 print_report+0x11b/0x1fb kasan_report+0x87/0xc0 ops_init+0x2de/0x320 register_pernet_operations+0x2e4/0x750 register_pernet_subsys+0x24/0x40 tcf_register_action+0x9f/0x560 do_one_initcall+0xf9/0x570 do_init_module+0x190/0x650 load_module+0x1fa5/0x23c0 __do_sys_finit_module+0x10d/0x1b0 do_syscall_64+0x58/0x80 entry_SYSCALL_64_after_hwframe+0x72/0xdc RIP: 0033:0x7f42518f778d Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d cb 56 2c 00 f7 d8 64 89 01 48 RSP: 002b:00007fff96869688 EFLAGS: 00000246 ORIG_RAX: 0000000000000139 RAX: ffffffffffffffda RBX: 00005568ef7f7c90 RCX: 00007f42518f778d RDX: 0000000000000000 RSI: 00005568ef41d796 RDI: 0000000000000003 RBP: 00005568ef41d796 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000000000 R13: 00005568ef7f7d30 R14: 0000000000040000 R15: 0000000000000000 </TASK> This change addresses the issue by skipping the gen pointer de-reference in the mentioned error-path. Found by code inspection and verified with explicit error injection on a kasan-enabled kernel. Fixes: d266935ac43d ("net: fix UAF issue in nfqnl_nf_hook_drop() when ops_init() failed") Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Simon Horman <simon.horman@corigine.com> Link: https://lore.kernel.org/r/cec4e0f3bb2c77ac03a6154a8508d3930beb5f0f.1674154348.git.pabeni@redhat.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Archie Pusaka
|
14b7058f0d |
Bluetooth: hci_sync: cancel cmd_timer if hci_open failed
commit 97dfaf073f5881c624856ef293be307b6166115c upstream. If a command is already sent, we take care of freeing it, but we also need to cancel the timeout as well. Signed-off-by: Archie Pusaka <apusaka@chromium.org> Reviewed-by: Abhishek Pandit-Subedi <abhishekpandit@google.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Fedor Pchelkin <pchelkin@ispras.ru> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Florian Westphal
|
01687e35df |
netfilter: conntrack: do not renew entry stuck in tcp SYN_SENT state
[ Upstream commit e15d4cdf27cb0c1e977270270b2cea12e0955edd ] Consider: client -----> conntrack ---> Host client sends a SYN, but $Host is unreachable/silent. Client eventually gives up and the conntrack entry will time out. However, if the client is restarted with same addr/port pair, it may prevent the conntrack entry from timing out. This is noticeable when the existing conntrack entry has no NAT transformation or an outdated one and port reuse happens either on client or due to a NAT middlebox. This change prevents refresh of the timeout for SYN retransmits, so entry is going away after nf_conntrack_tcp_timeout_syn_sent seconds (default: 60). Entry will be re-created on next connection attempt, but then nat rules will be evaluated again. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Jason Xing
|
48261e4654 |
tcp: avoid the lookup process failing to get sk in ehash table
[ Upstream commit 3f4ca5fafc08881d7a57daa20449d171f2887043 ]
While one cpu is working on looking up the right socket from ehash
table, another cpu is done deleting the request socket and is about
to add (or is adding) the big socket from the table. It means that
we could miss both of them, even though it has little chance.
Let me draw a call trace map of the server side.
CPU 0 CPU 1
----- -----
tcp_v4_rcv() syn_recv_sock()
inet_ehash_insert()
-> sk_nulls_del_node_init_rcu(osk)
__inet_lookup_established()
-> __sk_nulls_add_node_rcu(sk, list)
Notice that the CPU 0 is receiving the data after the final ack
during 3-way shakehands and CPU 1 is still handling the final ack.
Why could this be a real problem?
This case is happening only when the final ack and the first data
receiving by different CPUs. Then the server receiving data with
ACK flag tries to search one proper established socket from ehash
table, but apparently it fails as my map shows above. After that,
the server fetches a listener socket and then sends a RST because
it finds a ACK flag in the skb (data), which obeys RST definition
in RFC 793.
Besides, Eric pointed out there's one more race condition where it
handles tw socket hashdance. Only by adding to the tail of the list
before deleting the old one can we avoid the race if the reader has
already begun the bucket traversal and it would possibly miss the head.
Many thanks to Eric for great help from beginning to end.
Fixes:
|
||
Jisoo Jang
|
54f7be6158 |
net: nfc: Fix use-after-free in local_cleanup()
[ Upstream commit 4bb4db7f3187c6e3de6b229ffc87cdb30a2d22b6 ]
Fix a use-after-free that occurs in kfree_skb() called from
local_cleanup(). This could happen when killing nfc daemon (e.g. neard)
after detaching an nfc device.
When detaching an nfc device, local_cleanup() called from
nfc_llcp_unregister_device() frees local->rx_pending and decreases
local->ref by kref_put() in nfc_llcp_local_put().
In the terminating process, nfc daemon releases all sockets and it leads
to decreasing local->ref. After the last release of local->ref,
local_cleanup() called from local_release() frees local->rx_pending
again, which leads to the bug.
Setting local->rx_pending to NULL in local_cleanup() could prevent
use-after-free when local_cleanup() is called twice.
Found by a modified version of syzkaller.
BUG: KASAN: use-after-free in kfree_skb()
Call Trace:
dump_stack_lvl (lib/dump_stack.c:106)
print_address_description.constprop.0.cold (mm/kasan/report.c:306)
kasan_check_range (mm/kasan/generic.c:189)
kfree_skb (net/core/skbuff.c:955)
local_cleanup (net/nfc/llcp_core.c:159)
nfc_llcp_local_put.part.0 (net/nfc/llcp_core.c:172)
nfc_llcp_local_put (net/nfc/llcp_core.c:181)
llcp_sock_destruct (net/nfc/llcp_sock.c:959)
__sk_destruct (net/core/sock.c:2133)
sk_destruct (net/core/sock.c:2181)
__sk_free (net/core/sock.c:2192)
sk_free (net/core/sock.c:2203)
llcp_sock_release (net/nfc/llcp_sock.c:646)
__sock_release (net/socket.c:650)
sock_close (net/socket.c:1365)
__fput (fs/file_table.c:306)
task_work_run (kernel/task_work.c:179)
ptrace_notify (kernel/signal.c:2354)
syscall_exit_to_user_mode_prepare (kernel/entry/common.c:278)
syscall_exit_to_user_mode (kernel/entry/common.c:296)
do_syscall_64 (arch/x86/entry/common.c:86)
entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:106)
Allocated by task 4719:
kasan_save_stack (mm/kasan/common.c:45)
__kasan_slab_alloc (mm/kasan/common.c:325)
slab_post_alloc_hook (mm/slab.h:766)
kmem_cache_alloc_node (mm/slub.c:3497)
__alloc_skb (net/core/skbuff.c:552)
pn533_recv_response (drivers/nfc/pn533/usb.c:65)
__usb_hcd_giveback_urb (drivers/usb/core/hcd.c:1671)
usb_giveback_urb_bh (drivers/usb/core/hcd.c:1704)
tasklet_action_common.isra.0 (kernel/softirq.c:797)
__do_softirq (kernel/softirq.c:571)
Freed by task 1901:
kasan_save_stack (mm/kasan/common.c:45)
kasan_set_track (mm/kasan/common.c:52)
kasan_save_free_info (mm/kasan/genericdd.c:518)
__kasan_slab_free (mm/kasan/common.c:236)
kmem_cache_free (mm/slub.c:3809)
kfree_skbmem (net/core/skbuff.c:874)
kfree_skb (net/core/skbuff.c:931)
local_cleanup (net/nfc/llcp_core.c:159)
nfc_llcp_unregister_device (net/nfc/llcp_core.c:1617)
nfc_unregister_device (net/nfc/core.c:1179)
pn53x_unregister_nfc (drivers/nfc/pn533/pn533.c:2846)
pn533_usb_disconnect (drivers/nfc/pn533/usb.c:579)
usb_unbind_interface (drivers/usb/core/driver.c:458)
device_release_driver_internal (drivers/base/dd.c:1279)
bus_remove_device (drivers/base/bus.c:529)
device_del (drivers/base/core.c:3665)
usb_disable_device (drivers/usb/core/message.c:1420)
usb_disconnect (drivers/usb/core.c:2261)
hub_event (drivers/usb/core/hub.c:5833)
process_one_work (arch/x86/include/asm/jump_label.h:27 include/linux/jump_label.h:212 include/trace/events/workqueue.h:108 kernel/workqueue.c:2281)
worker_thread (include/linux/list.h:282 kernel/workqueue.c:2423)
kthread (kernel/kthread.c:319)
ret_from_fork (arch/x86/entry/entry_64.S:301)
Fixes:
|
||
Yu Kuai
|
3c7c6e08c9 |
BACKPORT: net: xfrm: fix memory leak in xfrm_user_policy()
if xfrm_get_translator() failed, xfrm_user_policy() return without freeing 'data', which is allocated in memdup_sockptr(). Bug: 254441685 Fixes: 96392ee5a13b ("xfrm/compat: Translate 32-bit user_policy from sockptr") Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: Yu Kuai <yukuai3@huawei.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> (cherry picked from commit 48f486e13ffdb49fbb9b38c21d0e108ed60ab1a2) Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I0744588549ae7ac9d11ffa6ceec4beb1962e6b4a |
||
Dmitry Safonov
|
63d464fe50 |
UPSTREAM: xfrm/compat: Don't allocate memory with __GFP_ZERO
32-bit to 64-bit messages translator zerofies needed paddings in the translation, the rest is the actual payload. Don't allocate zero pages as they are not needed. Bug: 254441685 Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator") Signed-off-by: Dmitry Safonov <dima@arista.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> (cherry picked from commit ad37f77fd3659e87fd9833a83692e0e4eba0f5cd) Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I0b9273973be61ac311676c5a72e5b3866b082a28 |
||
Dmitry Safonov
|
c4705515c9 |
UPSTREAM: xfrm/compat: memset(0) 64-bit padding at right place
32-bit messages translated by xfrm_compat can have attributes attached. For all, but XFRMA_SA, XFRMA_POLICY the size of payload is the same in 32-bit UABI and 64-bit UABI. For XFRMA_SA (struct xfrm_usersa_info) and XFRMA_POLICY (struct xfrm_userpolicy_info) it's only tail-padding that is present in 64-bit payload, but not in 32-bit. The proper size for destination nlattr is already calculated by xfrm_user_rcv_calculate_len64() and allocated with kvmalloc(). xfrm_attr_cpy32() copies 32-bit copy_len into 64-bit attribute translated payload, zero-filling possible padding for SA/POLICY. Due to a typo, *pos already has 64-bit payload size, in a result next memset(0) is called on the memory after the translated attribute, not on the tail-padding of it. Bug: 254441685 Fixes: 5106f4a8acff ("xfrm/compat: Add 32=>64-bit messages translator") Reported-by: syzbot+c43831072e7df506a646@syzkaller.appspotmail.com Signed-off-by: Dmitry Safonov <dima@arista.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> (cherry picked from commit d1949d045fd67eab8a32a579a8c1ab1681330854) Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: I07cef41b67832cf4728d7c3a890d16fbeafe9387 |
||
Dmitry Safonov
|
b572cc5203 |
UPSTREAM: xfrm/compat: Translate by copying XFRMA_UNSPEC attribute
xfrm_xlate32() translates 64-bit message provided by kernel to be sent for 32-bit listener (acknowledge or monitor). Translator code doesn't expect XFRMA_UNSPEC attribute as it doesn't know its payload. Kernel never attaches such attribute, but a user can. I've searched if any opensource does it and the answer is no. Nothing on github and google finds only tfcproject that has such code commented-out. What will happen if a user sends a netlink message with XFRMA_UNSPEC attribute? Ipsec code ignores this attribute. But if there is a monitor-process or 32-bit user requested ack - kernel will try to translate such message and will hit WARN_ONCE() in xfrm_xlate64_attr(). Deal with XFRMA_UNSPEC by copying the attribute payload with xfrm_nla_cpy(). In result, the default switch-case in xfrm_xlate64_attr() becomes an unused code. Leave those 3 lines in case a new xfrm attribute will be added. Bug: 254441685 Fixes: 5461fc0c8d9f ("xfrm/compat: Add 64=>32-bit messages translator") Reported-by: syzbot+a7e701c8385bd8543074@syzkaller.appspotmail.com Signed-off-by: Dmitry Safonov <dima@arista.com> Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com> (cherry picked from commit dbd7ae5154d5fff7e84a9f3010bb06499017ef29) Signed-off-by: Lee Jones <joneslee@google.com> Change-Id: Icf7dc66cd35cf653008d30e6d203ceced8756307 |
||
Greg Kroah-Hartman
|
9621487ff4 |
This is the 4.19.271 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPPdq4ACgkQONu9yGCS aT5hnA//fZ/v8ePI4NpgcbHlZjBiYJEpCRJrbKG9ruKJpGplGUGsPK5qupCooQSt a5akzjXfZBGgVYYuXc5GxS5Rnk2XXYyLzJWxgrq1ZU+tnZ/U2T5CJYULhw/J23JM RsixAuXdDoHmNSTouye5H8cuouIHZMgPo9r4JXF/CWjF3gHu65s3uY1WqmpxbL8d Bo1Krrq0HHtvQCKeSuSV6MlRSl7pjC5Ooqhb0cmMCk/ROt9lejSEKIrCOdjQtR/i nneiwSA267ZmihRD3tnWpT+5zkFWiH3LME5ANDbC+VIoUyYeKN6jd8o8Cz7t2v3F KLBhxNtjnjaNKaF9LztWt7qCRfsrs/Dhm1ZvCZWcaWmNoNyYbW+S+SGJy1wSLyx8 h9HCvYgXfK04A/CBXuNqV4XYJ2vTQ4bCDmJYalxbiibK+9Wv8XuemLFsLuERg7I6 pY9hdl24rumdlGpI6J27GwOzC8iInyjprs5SQRTYwOqGcQ8iiAf9lyEVegJ8WAyx Y2fCK9zt5lclT/fquHGv1+5dHcFLezCceBpndVwipVoIiu9o/Px0bMknScP1ptnn lvLida2R1yJ552Le+qSbAxQTfiby4uRzK0bupbmpg3/wLi8EhWi/inh4Hii0GxDI /TVST9OjvB8SVervqVXpndWKKjqy2McW8qXHLjd61Hp5SswWKZM= =W+3p -----END PGP SIGNATURE----- Merge 4.19.271 into android-4.19-stable Changes in 4.19.271 pNFS/filelayout: Fix coalescing test for single DS net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats RDMA/srp: Move large values to a new enum for gcc13 f2fs: let's avoid panic if extent_tree is not created Add exception protection processing for vd in axi_chan_handle_err function nilfs2: fix general protection fault in nilfs_btree_insert() xhci-pci: set the dma max_seg_size usb: xhci: Check endpoint is valid before dereferencing it xhci: Fix null pointer dereference when host dies xhci: Add a flag to disable USB3 lpm on a xhci root port level. prlimit: do_prlimit needs to have a speculation check USB: serial: option: add Quectel EM05-G (GR) modem USB: serial: option: add Quectel EM05-G (CS) modem USB: serial: option: add Quectel EM05-G (RS) modem USB: serial: option: add Quectel EC200U modem USB: serial: option: add Quectel EM05CN (SG) modem USB: serial: option: add Quectel EM05CN modem USB: misc: iowarrior: fix up header size for USB_DEVICE_ID_CODEMERCS_IOW100 usb: core: hub: disable autosuspend for TI TUSB8041 comedi: adv_pci1760: Fix PWM instruction handling mmc: sunxi-mmc: Fix clock refcount imbalance during unbind cifs: do not include page data when checking signature USB: serial: cp210x: add SCALANCE LPE-9000 device id usb: host: ehci-fsl: Fix module alias usb: typec: altmodes/displayport: Add pin assignment helper usb: typec: altmodes/displayport: Fix pin assignment calculation usb: gadget: g_webcam: Send color matching descriptor per frame usb: gadget: f_ncm: fix potential NULL ptr deref in ncm_bitrate() usb-storage: apply IGNORE_UAS only for HIKSEMI MD202 on RTL9210 serial: pch_uart: Pass correct sg to dma_unmap_sg() serial: atmel: fix incorrect baudrate setup gsmi: fix null-deref in gsmi_get_variable Revert "ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline" Revert "ext4: fix reserved cluster accounting at delayed write time" Revert "ext4: add new pending reservation mechanism" Revert "ext4: generalize extents status tree search functions" x86/fpu: Use _Alignof to avoid undefined behavior in TYPE_ALIGN Linux 4.19.271 Change-Id: I4671da1d3451f065227129f08352c71aea37c854 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Daniil Tatianin
|
2cf8dd4708 |
net/ethtool/ioctl: return -EOPNOTSUPP if we have no phy stats
[ Upstream commit 9deb1e9fb88b1120a908676fa33bdf9e2eeaefce ] It's not very useful to copy back an empty ethtool_stats struct and return 0 if we didn't actually have any stats. This also allows for further simplification of this function in the future commits. Signed-off-by: Daniil Tatianin <d-tatianin@yandex-team.ru> Reviewed-by: Andrew Lunn <andrew@lunn.ch> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
f66335a3cf |
This is the 4.19.270 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmPHynkACgkQONu9yGCS aT5AtBAAsdmYCYkmKZsRcS1EUTqdwKVN7FDILDcdMjfmrSp4ZDliaD1dUc0EmDRl yy+aNGCrhbuYACk9WdQsSUrUIh1dK0H5VsioB1m0cjCgifbNjsYqjYWK5ewXKUyX yjc+NmY1HVUFQDLnYHJxSbnB/o+nobWjts8nGuWHwQmoh7UmFe7lvMqZg753x6Bw wCiaC1DrU3aKHYK7IirdWgOiDiGia8DX1nX6PmLi6JTsXj+Io0i8PXKkFzANDf/p /rOyg7j8NOXIQPZGN0Zu88QiMWsNk7u2bOORZgtFbwo7r9BFbzXfWk/x8QxzDX1B iH1p02XQvBwm44xGJZKiWEY2nZdw4mpyzLXZNOL8V7vn9xhT6HDksVAPnyIkU8Dh wsij2r27x18VI9H7sstvAHvIyg6ihmq2E6WuC4W74tUcys7MXxCFc2DuJzMMocf0 7LMTmx3/oUHvuM1riJ9STo9mzXbTmfNd6hnqRnFgGKiGGhOE+pX//RHfupaXRieQ Rq51ODFKcJdDIM7hxeyPdACYF/kso8sNEODCgQ5/+3opel1mzLdBJ1T2bV12DpQe ZhTsESPCVSoUAjCnC9Jje3g0u3qztClYq1faHOXtnjykn9mHmmedVwvdfJL/sOsr ec7NgqzM9xvMQVe4CNf0mouugaLpn2m6uQDTu+GWswRfEKuCx2Q= =ksam -----END PGP SIGNATURE----- Merge 4.19.270 into android-4.19-stable Changes in 4.19.270 mm/khugepaged: fix GUP-fast interaction by sending IPI mm/khugepaged: invoke MMU notifiers in shmem/file collapse paths block: unhash blkdev part inode when the part is deleted nfp: fix use-after-free in area_cache_get() ASoC: ops: Check bounds for second channel in snd_soc_put_volsw_sx() pinctrl: meditatek: Startup with the IRQs disabled can: sja1000: fix size of OCR_MODE_MASK define can: mcba_usb: Fix termination command argument ASoC: ops: Correct bounds check for second channel on SX controls perf script python: Remove explicit shebang from tests/attr.c udf: Discard preallocation before extending file with a hole udf: Fix preallocation discarding at indirect extent boundary udf: Do not bother looking for prealloc extents if i_lenExtents matches i_size udf: Fix extending file within last block usb: gadget: uvc: Prevent buffer overflow in setup handler USB: serial: option: add Quectel EM05-G modem USB: serial: cp210x: add Kamstrup RF sniffer PIDs USB: serial: f81534: fix division by zero on line-speed change igb: Initialize mailbox message for VF reset Bluetooth: L2CAP: Fix u8 overflow net: loopback: use NET_NAME_PREDICTABLE for name_assign_type usb: musb: remove extra check in musb_gadget_vbus_draw ARM: dts: qcom: apq8064: fix coresight compatible drivers: soc: ti: knav_qmss_queue: Mark knav_acc_firmwares as static arm: dts: spear600: Fix clcd interrupt soc: ti: smartreflex: Fix PM disable depth imbalance in omap_sr_probe perf: arm_dsu: Fix hotplug callback leak in dsu_pmu_init() arm64: dts: mt2712e: Fix unit_address_vs_reg warning for oscillators arm64: dts: mt2712e: Fix unit address for pinctrl node arm64: dts: mt2712-evb: Fix vproc fixed regulators unit names arm64: dts: mediatek: mt6797: Fix 26M oscillator unit name ARM: dts: dove: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-370: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-xp: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-375: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-38x: Fix assigned-addresses for every PCIe Root Port ARM: dts: armada-39x: Fix assigned-addresses for every PCIe Root Port ARM: dts: turris-omnia: Add ethernet aliases ARM: dts: turris-omnia: Add switch port 6 node pstore/ram: Fix error return code in ramoops_probe() ARM: mmp: fix timer_read delay pstore: Avoid kcore oops by vmap()ing with VM_IOREMAP tpm/tpm_crb: Fix error message in __crb_relinquish_locality() cpuidle: dt: Return the correct numbers of parsed idle states alpha: fix syscall entry in !AUDUT_SYSCALL case fs: don't audit the capability check in simple_xattr_list() selftests/ftrace: event_triggers: wait longer for test_event_enable perf: Fix possible memleak in pmu_dev_alloc() timerqueue: Use rb_entry_safe() in timerqueue_getnext() proc: fixup uptime selftest ocfs2: fix memory leak in ocfs2_stack_glue_init() MIPS: vpe-mt: fix possible memory leak while module exiting MIPS: vpe-cmp: fix possible memory leak while module exiting PNP: fix name memory leak in pnp_alloc_dev() perf/x86/intel/uncore: Fix reference count leak in hswep_has_limit_sbox() irqchip: gic-pm: Use pm_runtime_resume_and_get() in gic_probe() cpufreq: amd_freq_sensitivity: Add missing pci_dev_put() libfs: add DEFINE_SIMPLE_ATTRIBUTE_SIGNED for signed value lib/notifier-error-inject: fix error when writing -errno to debugfs file debugfs: fix error when writing negative value to atomic_t debugfs file rapidio: fix possible name leaks when rio_add_device() fails rapidio: rio: fix possible name leak in rio_register_mport() clocksource/drivers/sh_cmt: Make sure channel clock supply is enabled ACPICA: Fix use-after-free in acpi_ut_copy_ipackage_to_ipackage() uprobes/x86: Allow to probe a NOP instruction with 0x66 prefix xen/events: only register debug interrupt for 2-level events x86/xen: Fix memory leak in xen_smp_intr_init{_pv}() x86/xen: Fix memory leak in xen_init_lock_cpu() xen/privcmd: Fix a possible warning in privcmd_ioctl_mmap_resource() PM: runtime: Improve path in rpm_idle() when no callback PM: runtime: Do not call __rpm_callback() from rpm_idle() platform/x86: mxm-wmi: fix memleak in mxm_wmi_call_mx[ds|mx]() MIPS: BCM63xx: Add check for NULL for clk in clk_enable fs: sysv: Fix sysv_nblocks() returns wrong value rapidio: fix possible UAF when kfifo_alloc() fails eventfd: change int to __u64 in eventfd_signal() ifndef CONFIG_EVENTFD relay: fix type mismatch when allocating memory in relay_create_buf() hfs: Fix OOB Write in hfs_asc2mac rapidio: devices: fix missing put_device in mport_cdev_open wifi: ath9k: hif_usb: fix memory leak of urbs in ath9k_hif_usb_dealloc_tx_urbs() wifi: ath9k: hif_usb: Fix use-after-free in ath9k_hif_usb_reg_in_cb() wifi: rtl8xxxu: Fix reading the vendor of combo chips pata_ipx4xx_cf: Fix unsigned comparison with less than zero media: i2c: ad5820: Fix error path can: kvaser_usb: do not increase tx statistics when sending error message frames can: kvaser_usb: kvaser_usb_leaf: Get capabilities from device can: kvaser_usb: kvaser_usb_leaf: Rename {leaf,usbcan}_cmd_error_event to {leaf,usbcan}_cmd_can_error_event can: kvaser_usb: kvaser_usb_leaf: Handle CMD_ERROR_EVENT can: kvaser_usb_leaf: Set Warning state even without bus errors can: kvaser_usb_leaf: Fix improved state not being reported can: kvaser_usb_leaf: Fix wrong CAN state after stopping can: kvaser_usb_leaf: Fix bogus restart events can: kvaser_usb: Add struct kvaser_usb_busparams can: kvaser_usb: Compare requested bittiming parameters with actual parameters in do_set_{,data}_bittiming spi: Update reference to struct spi_controller media: vivid: fix compose size exceed boundary mtd: Fix device name leak when register device failed in add_mtd_device() wifi: rsi: Fix handling of 802.3 EAPOL frames sent via control port media: camss: Clean up received buffers on failed start of streaming net, proc: Provide PROC_FS=n fallback for proc_create_net_single_write() drm/radeon: Add the missed acpi_put_table() to fix memory leak ASoC: pxa: fix null-pointer dereference in filter() regulator: core: fix unbalanced of node refcount in regulator_dev_lookup() ima: Fix misuse of dereference of pointer in template_desc_init_fields() wifi: ath10k: Fix return value in ath10k_pci_init() mtd: lpddr2_nvm: Fix possible null-ptr-deref Input: elants_i2c - properly handle the reset GPIO when power is off media: solo6x10: fix possible memory leak in solo_sysfs_init() media: platform: exynos4-is: Fix error handling in fimc_md_init() HID: hid-sensor-custom: set fixed size for custom attributes ALSA: seq: fix undefined behavior in bit shift for SNDRV_SEQ_FILTER_USE_EVENT clk: rockchip: Fix memory leak in rockchip_clk_register_pll() bonding: Export skip slave logic to function mtd: maps: pxa2xx-flash: fix memory leak in probe drbd: remove call to memset before free device/resource/connection media: imon: fix a race condition in send_packet() pinctrl: pinconf-generic: add missing of_node_put() media: dvb-core: Fix ignored return value in dvb_register_frontend() media: dvb-usb: az6027: fix null-ptr-deref in az6027_i2c_xfer() media: s5p-mfc: Add variant data for MFC v7 hardware for Exynos 3250 SoC drm/tegra: Add missing clk_disable_unprepare() in tegra_dc_probe() NFSv4.2: Fix a memory stomp in decode_attr_security_label NFSv4: Fix a deadlock between nfs4_open_recover_helper() and delegreturn ALSA: asihpi: fix missing pci_disable_device() drm/radeon: Fix PCI device refcount leak in radeon_atrm_get_bios() drm/amdgpu: Fix PCI device refcount leak in amdgpu_atrm_get_bios() ASoC: pcm512x: Fix PM disable depth imbalance in pcm512x_probe bonding: uninitialized variable in bond_miimon_inspect() wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails regulator: core: fix module refcount leak in set_supply() media: saa7164: fix missing pci_disable_device() ALSA: mts64: fix possible null-ptr-defer in snd_mts64_interrupt SUNRPC: Fix missing release socket in rpc_sockname() NFSv4.x: Fail client initialisation if state manager thread can't run mmc: moxart: fix return value check of mmc_add_host() mmc: mxcmmc: fix return value check of mmc_add_host() mmc: rtsx_usb_sdmmc: fix return value check of mmc_add_host() mmc: toshsd: fix return value check of mmc_add_host() mmc: vub300: fix return value check of mmc_add_host() mmc: wmt-sdmmc: fix return value check of mmc_add_host() mmc: atmel-mci: fix return value check of mmc_add_host() mmc: meson-gx: fix return value check of mmc_add_host() mmc: via-sdmmc: fix return value check of mmc_add_host() mmc: wbsd: fix return value check of mmc_add_host() mmc: mmci: fix return value check of mmc_add_host() media: c8sectpfe: Add of_node_put() when breaking out of loop media: coda: Add check for dcoda_iram_alloc media: coda: Add check for kmalloc clk: samsung: Fix memory leak in _samsung_clk_register_pll() wifi: rtl8xxxu: Add __packed to struct rtl8723bu_c2h rtl8xxxu: add enumeration for channel bandwidth wifi: brcmfmac: Fix error return code in brcmf_sdio_download_firmware() blktrace: Fix output non-blktrace event when blk_classic option enabled clk: socfpga: clk-pll: Remove unused variable 'rc' clk: socfpga: use clk_hw_register for a5/c5 net: vmw_vsock: vmci: Check memcpy_from_msg() net: defxx: Fix missing err handling in dfx_init() drivers: net: qlcnic: Fix potential memory leak in qlcnic_sriov_init() ethernet: s2io: don't call dev_kfree_skb() under spin_lock_irqsave() net: farsync: Fix kmemleak when rmmods farsync net/tunnel: wait until all sk_user_data reader finish before releasing the sock net: apple: mace: don't call dev_kfree_skb() under spin_lock_irqsave() net: apple: bmac: don't call dev_kfree_skb() under spin_lock_irqsave() net: emaclite: don't call dev_kfree_skb() under spin_lock_irqsave() net: ethernet: dnet: don't call dev_kfree_skb() under spin_lock_irqsave() hamradio: don't call dev_kfree_skb() under spin_lock_irqsave() net: amd: lance: don't call dev_kfree_skb() under spin_lock_irqsave() net: amd-xgbe: Fix logic around active and passive cables net: amd-xgbe: Check only the minimum speed for active/passive cables net: lan9303: Fix read error execution path ntb_netdev: Use dev_kfree_skb_any() in interrupt context Bluetooth: btusb: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_qca: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_h5: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_bcsp: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave() Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave() stmmac: fix potential division by 0 apparmor: fix a memleak in multi_transaction_new() apparmor: fix lockdep warning when removing a namespace apparmor: Fix abi check to include v8 abi f2fs: fix normal discard process RDMA/nldev: Return "-EAGAIN" if the cm_id isn't from expected port scsi: scsi_debug: Fix a warning in resp_write_scat() PCI: Check for alloc failure in pci_request_irq() RDMA/hfi: Decrease PCI device reference count in error path crypto: ccree - Make cc_debugfs_global_fini() available for module init function RDMA/rxe: Fix NULL-ptr-deref in rxe_qp_do_cleanup() when socket create failed scsi: hpsa: use local workqueues instead of system workqueues scsi: hpsa: Fix possible memory leak in hpsa_init_one() crypto: tcrypt - Fix multibuffer skcipher speed test mem leak scsi: hpsa: Fix error handling in hpsa_add_sas_host() scsi: hpsa: Fix possible memory leak in hpsa_add_sas_device() scsi: fcoe: Fix possible name leak when device_register() fails scsi: ipr: Fix WARNING in ipr_init() scsi: fcoe: Fix transport not deattached when fcoe_if_init() fails scsi: snic: Fix possible UAF in snic_tgt_create() RDMA/hfi1: Fix error return code in parse_platform_config() orangefs: Fix sysfs not cleanup when dev init failed crypto: img-hash - Fix variable dereferenced before check 'hdev->req' hwrng: amd - Fix PCI device refcount leak hwrng: geode - Fix PCI device refcount leak IB/IPoIB: Fix queue count inconsistency for PKEY child interfaces drivers: dio: fix possible memory leak in dio_init() serial: tegra: avoid reg access when clk disabled serial: tegra: check for FIFO mode enabled status serial: tegra: set maximum num of uart ports to 8 serial: tegra: add support to use 8 bytes trigger serial: tegra: add support to adjust baud rate serial: tegra: report clk rate errors serial: tegra: Add PIO mode support tty: serial: tegra: Activate RX DMA transfer by request serial: tegra: Read DMA status before terminating class: fix possible memory leak in __class_register() vfio: platform: Do not pass return buffer to ACPI _RST method uio: uio_dmem_genirq: Fix missing unlock in irq configuration uio: uio_dmem_genirq: Fix deadlock between irq config and handling usb: fotg210-udc: Fix ages old endianness issues staging: vme_user: Fix possible UAF in tsi148_dma_list_add usb: typec: Check for ops->exit instead of ops->enter in altmode_exit serial: amba-pl011: avoid SBSA UART accessing DMACR register serial: pl011: Do not clear RX FIFO & RX interrupt in unthrottle. serial: pch: Fix PCI device refcount leak in pch_request_dma() tty: serial: clean up stop-tx part in altera_uart_tx_chars() tty: serial: altera_uart_{r,t}x_chars() need only uart_port serial: altera_uart: fix locking in polling mode serial: sunsab: Fix error handling in sunsab_init() test_firmware: fix memory leak in test_firmware_init() misc: tifm: fix possible memory leak in tifm_7xx1_switch_media() misc: sgi-gru: fix use-after-free error in gru_set_context_option, gru_fault and gru_handle_user_call_os cxl: fix possible null-ptr-deref in cxl_guest_init_afu|adapter() cxl: fix possible null-ptr-deref in cxl_pci_init_afu|adapter() usb: gadget: f_hid: optional SETUP/SET_REPORT mode usb: gadget: f_hid: fix f_hidg lifetime vs cdev usb: gadget: f_hid: fix refcount leak on error path drivers: mcb: fix resource leak in mcb_probe() mcb: mcb-parse: fix error handing in chameleon_parse_gdd() chardev: fix error handling in cdev_device_add() i2c: pxa-pci: fix missing pci_disable_device() on error in ce4100_i2c_probe staging: rtl8192u: Fix use after free in ieee80211_rx() staging: rtl8192e: Fix potential use-after-free in rtllib_rx_Monitor() vme: Fix error not catched in fake_init() i2c: ismt: Fix an out-of-bounds bug in ismt_access() usb: storage: Add check for kcalloc tracing/hist: Fix issue of losting command info in error_log samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe() fbdev: ssd1307fb: Drop optional dependency fbdev: pm2fb: fix missing pci_disable_device() fbdev: via: Fix error in via_core_init() fbdev: vermilion: decrease reference count in error path fbdev: uvesafb: Fixes an error handling path in uvesafb_probe() HSI: omap_ssi_core: fix unbalanced pm_runtime_disable() HSI: omap_ssi_core: fix possible memory leak in ssi_probe() power: supply: fix residue sysfs file in error handle route of __power_supply_register() perf symbol: correction while adjusting symbol HSI: omap_ssi_core: Fix error handling in ssi_init() include/uapi/linux/swab: Fix potentially missing __always_inline rtc: snvs: Allow a time difference on clock register read iommu/amd: Fix pci device refcount leak in ppr_notifier() iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe() macintosh: fix possible memory leak in macio_add_one_device() macintosh/macio-adb: check the return value of ioremap() powerpc/52xx: Fix a resource leak in an error handling path cxl: Fix refcount leak in cxl_calc_capp_routing powerpc/xive: add missing iounmap() in error path in xive_spapr_populate_irq_data() powerpc/perf: callchain validate kernel stack pointer bounds powerpc/83xx/mpc832x_rdb: call platform_device_put() in error case in of_fsl_spi_probe() powerpc/hv-gpci: Fix hv_gpci event list selftests/powerpc: Fix resource leaks rtc: st-lpc: Add missing clk_disable_unprepare in st_rtc_probe() nfsd: under NFSv4.1, fix double svc_xprt_put on rpc_create failure mISDN: hfcsusb: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() mISDN: hfcpci: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() mISDN: hfcmulti: don't call dev_kfree_skb/kfree_skb() under spin_lock_irqsave() nfc: pn533: Clear nfc_target before being used r6040: Fix kmemleak in probe and remove rtc: mxc_v2: Add missing clk_disable_unprepare() openvswitch: Fix flow lookup to use unmasked key skbuff: Account for tail adjustment during pull operations net_sched: reject TCF_EM_SIMPLE case for complex ematch module rxrpc: Fix missing unlock in rxrpc_do_sendmsg() myri10ge: Fix an error handling path in myri10ge_probe() net: stream: purge sk_error_queue in sk_stream_kill_queues() binfmt_misc: fix shift-out-of-bounds in check_special_flags fs: jfs: fix shift-out-of-bounds in dbAllocAG udf: Avoid double brelse() in udf_rename() fs: jfs: fix shift-out-of-bounds in dbDiscardAG ACPICA: Fix error code path in acpi_ds_call_control_method() nilfs2: fix shift-out-of-bounds/overflow in nilfs_sb2_bad_offset() acct: fix potential integer overflow in encode_comp_t() hfs: fix OOB Read in __hfs_brec_find wifi: ath9k: verify the expected usb_endpoints are present wifi: ar5523: Fix use-after-free on ar5523_cmd() timed out ASoC: codecs: rt298: Add quirk for KBL-R RVP platform ipmi: fix memleak when unload ipmi driver bpf: make sure skb->len != 0 when redirecting to a tunneling device net: ethernet: ti: Fix return type of netcp_ndo_start_xmit() hamradio: baycom_epp: Fix return type of baycom_send_packet() wifi: brcmfmac: Fix potential shift-out-of-bounds in brcmf_fw_alloc_request() igb: Do not free q_vector unless new one was allocated drm/amdgpu: Fix type of second parameter in trans_msg() callback s390/ctcm: Fix return type of ctc{mp,}m_tx() s390/netiucv: Fix return type of netiucv_tx() s390/lcs: Fix return type of lcs_start_xmit() drm/sti: Use drm_mode_copy() drivers/md/md-bitmap: check the return value of md_bitmap_get_counter() md/raid1: stop mdx_raid1 thread when raid1 array run failed mrp: introduce active flags to prevent UAF when applicant uninit ppp: associate skb with a device at tx media: dvb-frontends: fix leak of memory fw media: dvbdev: adopts refcnt to avoid UAF media: dvb-usb: fix memory leak in dvb_usb_adapter_init() blk-mq: fix possible memleak when register 'hctx' failed regulator: core: fix use_count leakage when handling boot-on mmc: f-sdh30: Add quirks for broken timeout clock capability media: si470x: Fix use-after-free in si470x_int_in_callback() clk: st: Fix memory leak in st_of_quadfs_setup() drm/fsl-dcu: Fix return type of fsl_dcu_drm_connector_mode_valid() drm/sti: Fix return type of sti_{dvo,hda,hdmi}_connector_mode_valid() orangefs: Fix kmemleak in orangefs_prepare_debugfs_help_string() ASoC: mediatek: mt8173-rt5650-rt5514: fix refcount leak in mt8173_rt5650_rt5514_dev_probe() ASoC: rockchip: pdm: Add missing clk_disable_unprepare() in rockchip_pdm_runtime_resume() ASoC: wm8994: Fix potential deadlock ASoC: rockchip: spdif: Add missing clk_disable_unprepare() in rk_spdif_runtime_resume() ASoC: rt5670: Remove unbalanced pm_runtime_put() pstore: Switch pmsg_lock to an rt_mutex to avoid priority inversion pstore: Make sure CONFIG_PSTORE_PMSG selects CONFIG_RT_MUTEXES usb: dwc3: core: defer probe on ulpi_read_id timeout HID: wacom: Ensure bootloader PID is usable in hidraw mode reiserfs: Add missing calls to reiserfs_security_free() iio: adc: ad_sigma_delta: do not use internal iio_dev lock gcov: add support for checksum field media: dvbdev: fix build warning due to comments media: dvbdev: fix refcnt bug ata: ahci: Fix PCS quirk application for suspend powerpc/rtas: avoid device tree lookups in rtas_os_term() powerpc/rtas: avoid scheduling in rtas_os_term() HID: plantronics: Additional PIDs for double volume key presses quirk hfsplus: fix bug causing custom uid and gid being unable to be assigned with mount ovl: Use ovl mounter's fsuid and fsgid in ovl_link() ALSA: line6: correct midi status byte when receiving data from podxt ALSA: line6: fix stack overflow in line6_midi_transmit pnode: terminate at peers of source md: fix a crash in mempool_free mmc: vub300: fix warning - do not call blocking ops when !TASK_RUNNING tpm: tpm_crb: Add the missed acpi_put_table() to fix memory leak tpm: tpm_tis: Add the missed acpi_put_table() to fix memory leak SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails media: stv0288: use explicitly signed char soc: qcom: Select REMAP_MMIO for LLCC driver ktest.pl minconfig: Unset configs instead of just removing them ARM: ux500: do not directly dereference __iomem selftests: Use optional USERCFLAGS and USERLDFLAGS binfmt: Move install_exec_creds after setup_new_exec to match binfmt_elf binfmt: Fix error return code in load_elf_fdpic_binary() dm cache: Fix ABBA deadlock between shrink_slab and dm_cache_metadata_abort dm thin: Use last transaction's pmd->root when commit failed dm thin: Fix UAF in run_timer_softirq() dm cache: Fix UAF in destroy() dm cache: set needs_check flag after aborting metadata x86/microcode/intel: Do not retry microcode reloading on the APs tracing: Fix infinite loop in tracing_read_pipe on overflowed print_trace_line ARM: 9256/1: NWFPE: avoid compiler-generated __aeabi_uldivmod media: dvb-core: Fix double free in dvb_register_device() media: dvb-core: Fix UAF due to refcount races at releasing cifs: fix confusing debug message md/bitmap: Fix bitmap chunk size overflow issues ipmi: fix long wait in unload when IPMI disconnect ima: Fix a potential NULL pointer access in ima_restore_measurement_list ipmi: fix use after free in _ipmi_destroy_user() PCI: Fix pci_device_is_present() for VFs by checking PF PCI/sysfs: Fix double free in error path crypto: n2 - add missing hash statesize iommu/amd: Fix ivrs_acpihid cmdline parsing code parisc: led: Fix potential null-ptr-deref in start_task() device_cgroup: Roll back to original exceptions after copy failure drm/connector: send hotplug uevent on connector cleanup drm/vmwgfx: Validate the box size for the snooped cursor ext4: add inode table check in __ext4_get_inode_loc to aovid possible infinite loop ext4: fix undefined behavior in bit shift for ext4_check_flag_values ext4: add helper to check quota inums ext4: fix bug_on in __es_tree_search caused by bad boot loader inode ext4: init quota for 'old.inode' in 'ext4_rename' ext4: fix corruption when online resizing a 1K bigalloc fs ext4: fix error code return to user-space in ext4_get_branch() ext4: avoid BUG_ON when creating xattrs ext4: fix inode leak in ext4_xattr_inode_create() on an error path ext4: initialize quota before expanding inode in setproject ioctl ext4: avoid unaccounted block allocation when expanding inode ext4: allocate extended attribute value in vmalloc area btrfs: send: avoid unnecessary backref lookups when finding clone source btrfs: replace strncpy() with strscpy() media: s5p-mfc: Fix to handle reference queue during finishing media: s5p-mfc: Clear workbit to handle error condition media: s5p-mfc: Fix in register read and write for H264 dm thin: resume even if in FAIL mode perf probe: Use dwarf_attr_integrate as generic DWARF attr accessor perf probe: Fix to get the DW_AT_decl_file and DW_AT_call_file as unsinged data ravb: Fix "failed to switch device to config mode" message during unbind driver core: Set deferred_probe_timeout to a longer default if CONFIG_MODULES is set ext4: goto right label 'failed_mount3a' ext4: correct inconsistent error msg in nojournal mode ext4: use kmemdup() to replace kmalloc + memcpy mbcache: don't reclaim used entries mbcache: add functions to delete entry if unused ext4: remove EA inode entry from mbcache on inode eviction ext4: unindent codeblock in ext4_xattr_block_set() ext4: fix race when reusing xattr blocks mbcache: automatically delete entries from cache on freeing ext4: fix deadlock due to mbcache entry corruption SUNRPC: ensure the matching upcall is in-flight upon downcall bpf: pull before calling skb_postpull_rcsum() qlcnic: prevent ->dcb use-after-free on qlcnic_dcb_enable() failure nfc: Fix potential resource leaks net: amd-xgbe: add missed tasklet_kill net: phy: xgmiitorgmii: Fix refcount leak in xgmiitorgmii_probe RDMA/mlx5: Fix validation of max_rd_atomic caps for DC net: sched: atm: dont intepret cls results when asked to drop usb: rndis_host: Secure rndis_query check against int overflow caif: fix memory leak in cfctrl_linkup_request() udf: Fix extension of the last extent in the file ASoC: Intel: bytcr_rt5640: Add quirk for the Advantech MICA-071 tablet x86/bugs: Flush IBP in ib_prctl_set() nfsd: fix handling of readdir in v4root vs. mount upcall timeout riscv: uaccess: fix type of 0 variable on error in get_user() ext4: don't allow journal inode to have encrypt flag hfs/hfsplus: use WARN_ON for sanity check hfs/hfsplus: avoid WARN_ON() for sanity check, use proper error handling mbcache: Avoid nesting of cache->c_list_lock under bit locks parisc: Align parisc MADV_XXX constants with all other architectures driver core: Fix bus_type.match() error handling in __driver_attach() net: sched: disallow noqueue for qdisc classes docs: Fix the docs build with Sphinx 6.0 perf auxtrace: Fix address filter duplicate symbol selection s390/percpu: add READ_ONCE() to arch_this_cpu_to_op_simple() net/ulp: prevent ULP without clone op from entering the LISTEN status ALSA: pcm: Move rwsem lock inside snd_ctl_elem_read to prevent UAF cifs: Fix uninitialized memory read for smb311 posix symlink create platform/x86: sony-laptop: Don't turn off 0x153 keyboard backlight during probe ipv6: raw: Deduct extension header length in rawv6_push_pending_frames wifi: wilc1000: sdio: fix module autoloading ALSA: hda/hdmi: fix failures at PCM open on Intel ICL and later ktest: Add support for meta characters in GRUB_MENU ktest: introduce _get_grub_index ktest: cleanup get_grub_index ktest: introduce grub2bls REBOOT_TYPE option ktest.pl: Fix incorrect reboot for grub2bls kest.pl: Fix grub2 menu handling for rebooting usb: ulpi: defer ulpi_register on ulpi_read_id timeout quota: Factor out setup of quota inode ext4: fix bug_on in __es_tree_search caused by bad quota inode ext4: lost matching-pair of trace in ext4_truncate ext4: fix use-after-free in ext4_orphan_cleanup ext4: fix uninititialized value in 'ext4_evict_inode' ext4: generalize extents status tree search functions ext4: add new pending reservation mechanism ext4: fix reserved cluster accounting at delayed write time ext4: fix delayed allocation bug in ext4_clu_mapped for bigalloc + inline netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function. x86/boot: Avoid using Intel mnemonics in AT&T syntax asm EDAC/device: Fix period calculation in edac_device_reset_delay_period() regulator: da9211: Use irq handler when ready hvc/xen: lock console list traversal nfc: pn533: Wait for out_urb's completion in pn533_usb_send_frame() net/mlx5: Rename ptp clock info net/mlx5: Fix ptp max frequency adjustment range iommu/mediatek-v1: Add error handle for mtk_iommu_probe iommu/mediatek-v1: Fix an error handling path in mtk_iommu_v1_probe() x86/resctrl: Use task_curr() instead of task_struct->on_cpu to prevent unnecessary IPI x86/resctrl: Fix task CLOSID/RMID update race drm/virtio: Fix GEM handle creation UAF arm64: cmpxchg_double*: hazard against entire exchange variable efi: fix NULL-deref in init error path Revert "usb: ulpi: defer ulpi_register on ulpi_read_id timeout" tty: serial: tegra: Handle RX transfer in PIO mode if DMA wasn't started serial: tegra: Only print FIFO error message when an error occurs serial: tegra: Change lower tolerance baud rate limit for tegra20 and tegra30 Linux 4.19.270 Change-Id: Ieb5e7f318a7e06effcc51e5f93751ec02dbb50c4 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Gavrilov Ilia
|
dfd834ccc1 |
netfilter: ipset: Fix overflow before widen in the bitmap_ip_create() function.
commit 9ea4b476cea1b7d461d16dda25ca3c7e616e2d15 upstream.
When first_ip is 0, last_ip is 0xFFFFFFFF, and netmask is 31, the value of
an arithmetic expression 2 << (netmask - mask_bits - 1) is subject
to overflow due to a failure casting operands to a larger data type
before performing the arithmetic.
Note that it's harmless since the value will be checked at the next step.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes:
|
||
Herbert Xu
|
f487d636e4 |
ipv6: raw: Deduct extension header length in rawv6_push_pending_frames
commit cb3e9864cdbe35ff6378966660edbcbac955fe17 upstream.
The total cork length created by ip6_append_data includes extension
headers, so we must exclude them when comparing them against the
IPV6_CHECKSUM offset which does not include extension headers.
Reported-by: Kyle Zeng <zengyhkyle@gmail.com>
Fixes:
|
||
Paolo Abeni
|
755193f252 |
net/ulp: prevent ULP without clone op from entering the LISTEN status
commit 2c02d41d71f90a5168391b6a5f2954112ba2307c upstream.
When an ULP-enabled socket enters the LISTEN status, the listener ULP data
pointer is copied inside the child/accepted sockets by sk_clone_lock().
The relevant ULP can take care of de-duplicating the context pointer via
the clone() operation, but only MPTCP and SMC implement such op.
Other ULPs may end-up with a double-free at socket disposal time.
We can't simply clear the ULP data at clone time, as TLS replaces the
socket ops with custom ones assuming a valid TLS ULP context is
available.
Instead completely prevent clone-less ULP sockets from entering the
LISTEN status.
Fixes:
|
||
Frederick Lawler
|
0195d5ad53 |
net: sched: disallow noqueue for qdisc classes
commit 96398560f26aa07e8f2969d73c8197e6a6d10407 upstream. While experimenting with applying noqueue to a classful queue discipline, we discovered a NULL pointer dereference in the __dev_queue_xmit() path that generates a kernel OOPS: # dev=enp0s5 # tc qdisc replace dev $dev root handle 1: htb default 1 # tc class add dev $dev parent 1: classid 1:1 htb rate 10mbit # tc qdisc add dev $dev parent 1:1 handle 10: noqueue # ping -I $dev -w 1 -c 1 1.1.1.1 [ 2.172856] BUG: kernel NULL pointer dereference, address: 0000000000000000 [ 2.173217] #PF: supervisor instruction fetch in kernel mode ... [ 2.178451] Call Trace: [ 2.178577] <TASK> [ 2.178686] htb_enqueue+0x1c8/0x370 [ 2.178880] dev_qdisc_enqueue+0x15/0x90 [ 2.179093] __dev_queue_xmit+0x798/0xd00 [ 2.179305] ? _raw_write_lock_bh+0xe/0x30 [ 2.179522] ? __local_bh_enable_ip+0x32/0x70 [ 2.179759] ? ___neigh_create+0x610/0x840 [ 2.179968] ? eth_header+0x21/0xc0 [ 2.180144] ip_finish_output2+0x15e/0x4f0 [ 2.180348] ? dst_output+0x30/0x30 [ 2.180525] ip_push_pending_frames+0x9d/0xb0 [ 2.180739] raw_sendmsg+0x601/0xcb0 [ 2.180916] ? _raw_spin_trylock+0xe/0x50 [ 2.181112] ? _raw_spin_unlock_irqrestore+0x16/0x30 [ 2.181354] ? get_page_from_freelist+0xcd6/0xdf0 [ 2.181594] ? sock_sendmsg+0x56/0x60 [ 2.181781] sock_sendmsg+0x56/0x60 [ 2.181958] __sys_sendto+0xf7/0x160 [ 2.182139] ? handle_mm_fault+0x6e/0x1d0 [ 2.182366] ? do_user_addr_fault+0x1e1/0x660 [ 2.182627] __x64_sys_sendto+0x1b/0x30 [ 2.182881] do_syscall_64+0x38/0x90 [ 2.183085] entry_SYSCALL_64_after_hwframe+0x63/0xcd ... [ 2.187402] </TASK> Previously in commit |
||
Zhengchao Shao
|
3acf3783a8 |
caif: fix memory leak in cfctrl_linkup_request()
[ Upstream commit fe69230f05897b3de758427b574fc98025dfc907 ] When linktype is unknown or kzalloc failed in cfctrl_linkup_request(), pkt is not released. Add release process to error path. Fixes: |
||
Jamal Hadi Salim
|
5374c455eb |
net: sched: atm: dont intepret cls results when asked to drop
[ Upstream commit a2965c7be0522eaa18808684b7b82b248515511b ]
If asked to drop a packet via TC_ACT_SHOT it is unsafe to assume
res.class contains a valid pointer
Fixes:
|
||
Miaoqian Lin
|
d1d912e7f8 |
nfc: Fix potential resource leaks
[ Upstream commit df49908f3c52d211aea5e2a14a93bbe67a2cb3af ] nfc_get_device() take reference for the device, add missing nfc_put_device() to release it when not need anymore. Also fix the style warnning by use error EOPNOTSUPP instead of ENOTSUPP. Fixes: |
||
Jakub Kicinski
|
31f7a52168 |
bpf: pull before calling skb_postpull_rcsum()
[ Upstream commit 54c3f1a81421f85e60ae2eaae7be3727a09916ee ]
Anand hit a BUG() when pulling off headers on egress to a SW tunnel.
We get to skb_checksum_help() with an invalid checksum offset
(commit d7ea0d9df2a6 ("net: remove two BUG() from skb_checksum_help()")
converted those BUGs to WARN_ONs()).
He points out oddness in how skb_postpull_rcsum() gets used.
Indeed looks like we should pull before "postpull", otherwise
the CHECKSUM_PARTIAL fixup from skb_postpull_rcsum() will not
be able to do its job:
if (skb->ip_summed == CHECKSUM_PARTIAL &&
skb_checksum_start_offset(skb) < 0)
skb->ip_summed = CHECKSUM_NONE;
Reported-by: Anand Parthasarathy <anpartha@meta.com>
Fixes:
|
||
minoura makoto
|
4916a52341 |
SUNRPC: ensure the matching upcall is in-flight upon downcall
[ Upstream commit b18cba09e374637a0a3759d856a6bca94c133952 ] Commit |
||
Chuck Lever
|
76f2497a2f |
SUNRPC: Don't leak netobj memory when gss_read_proxy_verf() fails
commit da522b5fe1a5f8b7c20a0023e87b52a150e53bf5 upstream.
Fixes:
|
||
Schspa Shi
|
78d48bc41f |
mrp: introduce active flags to prevent UAF when applicant uninit
[ Upstream commit ab0377803dafc58f1e22296708c1c28e309414d6 ] The caller of del_timer_sync must prevent restarting of the timer, If we have no this synchronization, there is a small probability that the cancellation will not be successful. And syzbot report the fellowing crash: ================================================================== BUG: KASAN: use-after-free in hlist_add_head include/linux/list.h:929 [inline] BUG: KASAN: use-after-free in enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 Write at addr f9ff000024df6058 by task syz-fuzzer/2256 Pointer tag: [f9], memory tag: [fe] CPU: 1 PID: 2256 Comm: syz-fuzzer Not tainted 6.1.0-rc5-syzkaller-00008- ge01d50cbd6ee #0 Hardware name: linux,dummy-virt (DT) Call trace: dump_backtrace.part.0+0xe0/0xf0 arch/arm64/kernel/stacktrace.c:156 dump_backtrace arch/arm64/kernel/stacktrace.c:162 [inline] show_stack+0x18/0x40 arch/arm64/kernel/stacktrace.c:163 __dump_stack lib/dump_stack.c:88 [inline] dump_stack_lvl+0x68/0x84 lib/dump_stack.c:106 print_address_description mm/kasan/report.c:284 [inline] print_report+0x1a8/0x4a0 mm/kasan/report.c:395 kasan_report+0x94/0xb4 mm/kasan/report.c:495 __do_kernel_fault+0x164/0x1e0 arch/arm64/mm/fault.c:320 do_bad_area arch/arm64/mm/fault.c:473 [inline] do_tag_check_fault+0x78/0x8c arch/arm64/mm/fault.c:749 do_mem_abort+0x44/0x94 arch/arm64/mm/fault.c:825 el1_abort+0x40/0x60 arch/arm64/kernel/entry-common.c:367 el1h_64_sync_handler+0xd8/0xe4 arch/arm64/kernel/entry-common.c:427 el1h_64_sync+0x64/0x68 arch/arm64/kernel/entry.S:576 hlist_add_head include/linux/list.h:929 [inline] enqueue_timer+0x18/0xa4 kernel/time/timer.c:605 mod_timer+0x14/0x20 kernel/time/timer.c:1161 mrp_periodic_timer_arm net/802/mrp.c:614 [inline] mrp_periodic_timer+0xa0/0xc0 net/802/mrp.c:627 call_timer_fn.constprop.0+0x24/0x80 kernel/time/timer.c:1474 expire_timers+0x98/0xc4 kernel/time/timer.c:1519 To fix it, we can introduce a new active flags to make sure the timer will not restart. Reported-by: syzbot+6fd64001c20aa99e34a4@syzkaller.appspotmail.com Signed-off-by: Schspa Shi <schspa@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Stanislav Fomichev
|
e6a63203e5 |
bpf: make sure skb->len != 0 when redirecting to a tunneling device
[ Upstream commit 07ec7b502800ba9f7b8b15cb01dd6556bb41aaca ] syzkaller managed to trigger another case where skb->len == 0 when we enter __dev_queue_xmit: WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 skb_assert_len include/linux/skbuff.h:2576 [inline] WARNING: CPU: 0 PID: 2470 at include/linux/skbuff.h:2576 __dev_queue_xmit+0x2069/0x35e0 net/core/dev.c:4295 Call Trace: dev_queue_xmit+0x17/0x20 net/core/dev.c:4406 __bpf_tx_skb net/core/filter.c:2115 [inline] __bpf_redirect_no_mac net/core/filter.c:2140 [inline] __bpf_redirect+0x5fb/0xda0 net/core/filter.c:2163 ____bpf_clone_redirect net/core/filter.c:2447 [inline] bpf_clone_redirect+0x247/0x390 net/core/filter.c:2419 bpf_prog_48159a89cb4a9a16+0x59/0x5e bpf_dispatcher_nop_func include/linux/bpf.h:897 [inline] __bpf_prog_run include/linux/filter.h:596 [inline] bpf_prog_run include/linux/filter.h:603 [inline] bpf_test_run+0x46c/0x890 net/bpf/test_run.c:402 bpf_prog_test_run_skb+0xbdc/0x14c0 net/bpf/test_run.c:1170 bpf_prog_test_run+0x345/0x3c0 kernel/bpf/syscall.c:3648 __sys_bpf+0x43a/0x6c0 kernel/bpf/syscall.c:5005 __do_sys_bpf kernel/bpf/syscall.c:5091 [inline] __se_sys_bpf kernel/bpf/syscall.c:5089 [inline] __x64_sys_bpf+0x7c/0x90 kernel/bpf/syscall.c:5089 do_syscall_64+0x54/0x70 arch/x86/entry/common.c:48 entry_SYSCALL_64_after_hwframe+0x61/0xc6 The reproducer doesn't really reproduce outside of syzkaller environment, so I'm taking a guess here. It looks like we do generate correct ETH_HLEN-sized packet, but we redirect the packet to the tunneling device. Before we do so, we __skb_pull l2 header and arrive again at skb->len == 0. Doesn't seem like we can do anything better than having an explicit check after __skb_pull? Cc: Eric Dumazet <edumazet@google.com> Reported-by: syzbot+f635e86ec3fa0a37e019@syzkaller.appspotmail.com Signed-off-by: Stanislav Fomichev <sdf@google.com> Link: https://lore.kernel.org/r/20221027225537.353077-1-sdf@google.com Signed-off-by: Martin KaFai Lau <martin.lau@kernel.org> Signed-off-by: Alexei Starovoitov <ast@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eric Dumazet
|
6f00bd0402 |
net: stream: purge sk_error_queue in sk_stream_kill_queues()
[ Upstream commit e0c8bccd40fc1c19e1d246c39bcf79e357e1ada3 ] Changheon Lee reported TCP socket leaks, with a nice repro. It seems we leak TCP sockets with the following sequence: 1) SOF_TIMESTAMPING_TX_ACK is enabled on the socket. Each ACK will cook an skb put in error queue, from __skb_tstamp_tx(). __skb_tstamp_tx() is using skb_clone(), unless SOF_TIMESTAMPING_OPT_TSONLY was also requested. 2) If the application is also using MSG_ZEROCOPY, then we put in the error queue cloned skbs that had a struct ubuf_info attached to them. Whenever an struct ubuf_info is allocated, sock_zerocopy_alloc() does a sock_hold(). As long as the cloned skbs are still in sk_error_queue, socket refcount is kept elevated. 3) Application closes the socket, while error queue is not empty. Since tcp_close() no longer purges the socket error queue, we might end up with a TCP socket with at least one skb in error queue keeping the socket alive forever. This bug can be (ab)used to consume all kernel memory and freeze the host. We need to purge the error queue, with proper synchronization against concurrent writers. Fixes: 24bcbe1cc69f ("net: stream: don't purge sk_error_queue in sk_stream_kill_queues()") Reported-by: Changheon Lee <darklight2357@icloud.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
David Howells
|
72d778f688 |
rxrpc: Fix missing unlock in rxrpc_do_sendmsg()
[ Upstream commit 4feb2c44629e6f9b459b41a5a60491069d346a95 ]
One of the error paths in rxrpc_do_sendmsg() doesn't unlock the call mutex
before returning. Fix it to do this.
Note that this still doesn't get rid of the checker warning:
../net/rxrpc/sendmsg.c:617:5: warning: context imbalance in 'rxrpc_do_sendmsg' - wrong count at exit
I think the interplay between the socket lock and the call's user_mutex may
be too complicated for checker to analyse, especially as
rxrpc_new_client_call_for_sendmsg(), which it calls, returns with the
call's user_mutex if successful but unconditionally drops the socket lock.
Fixes:
|
||
Cong Wang
|
134b529db4 |
net_sched: reject TCF_EM_SIMPLE case for complex ematch module
[ Upstream commit 9cd3fd2054c3b3055163accbf2f31a4426f10317 ]
When TCF_EM_SIMPLE was introduced, it is supposed to be convenient
for ematch implementation:
https://lore.kernel.org/all/20050105110048.GO26856@postel.suug.ch/
"You don't have to, providing a 32bit data chunk without TCF_EM_SIMPLE
set will simply result in allocating & copy. It's an optimization,
nothing more."
So if an ematch module provides ops->datalen that means it wants a
complex data structure (saved in its em->data) instead of a simple u32
value. We should simply reject such a combination, otherwise this u32
could be misinterpreted as a pointer.
Fixes:
|
||
Subash Abhinov Kasiviswanathan
|
2d59f0ca15 |
skbuff: Account for tail adjustment during pull operations
[ Upstream commit 2d7afdcbc9d32423f177ee12b7c93783aea338fb ] Extending the tail can have some unexpected side effects if a program uses a helper like BPF_FUNC_skb_pull_data to read partial content beyond the head skb headlen when all the skbs in the gso frag_list are linear with no head_frag - kernel BUG at net/core/skbuff.c:4219! pc : skb_segment+0xcf4/0xd2c lr : skb_segment+0x63c/0xd2c Call trace: skb_segment+0xcf4/0xd2c __udp_gso_segment+0xa4/0x544 udp4_ufo_fragment+0x184/0x1c0 inet_gso_segment+0x16c/0x3a4 skb_mac_gso_segment+0xd4/0x1b0 __skb_gso_segment+0xcc/0x12c udp_rcv_segment+0x54/0x16c udp_queue_rcv_skb+0x78/0x144 udp_unicast_rcv_skb+0x8c/0xa4 __udp4_lib_rcv+0x490/0x68c udp_rcv+0x20/0x30 ip_protocol_deliver_rcu+0x1b0/0x33c ip_local_deliver+0xd8/0x1f0 ip_rcv+0x98/0x1a4 deliver_ptype_list_skb+0x98/0x1ec __netif_receive_skb_core+0x978/0xc60 Fix this by marking these skbs as GSO_DODGY so segmentation can handle the tail updates accordingly. Fixes: 3dcbdb134f32 ("net: gso: Fix skb_segment splat when splitting gso_size mangled skb having linear-headed frag_list") Signed-off-by: Sean Tranchetti <quic_stranche@quicinc.com> Signed-off-by: Subash Abhinov Kasiviswanathan <quic_subashab@quicinc.com> Reviewed-by: Alexander Duyck <alexanderduyck@fb.com> Link: https://lore.kernel.org/r/1671084718-24796-1-git-send-email-quic_subashab@quicinc.com Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Eelco Chaudron
|
ee27d70556 |
openvswitch: Fix flow lookup to use unmasked key
[ Upstream commit 68bb10101e6b0a6bb44e9c908ef795fc4af99eae ]
The commit mentioned below causes the ovs_flow_tbl_lookup() function
to be called with the masked key. However, it's supposed to be called
with the unmasked key. This due to the fact that the datapath supports
installing wider flows, and OVS relies on this behavior. For example
if ipv4(src=1.1.1.1/192.0.0.0, dst=1.1.1.2/192.0.0.0) exists, a wider
flow (smaller mask) of ipv4(src=192.1.1.1/128.0.0.0,dst=192.1.1.2/
128.0.0.0) is allowed to be added.
However, if we try to add a wildcard rule, the installation fails:
$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \
ipv4(src=1.1.1.1/192.0.0.0,dst=1.1.1.2/192.0.0.0,frag=no)" 2
$ ovs-appctl dpctl/add-flow system@myDP "in_port(1),eth_type(0x0800), \
ipv4(src=192.1.1.1/0.0.0.0,dst=49.1.1.2/0.0.0.0,frag=no)" 2
ovs-vswitchd: updating flow table (File exists)
The reason is that the key used to determine if the flow is already
present in the system uses the original key ANDed with the mask.
This results in the IP address not being part of the (miniflow) key,
i.e., being substituted with an all-zero value. When doing the actual
lookup, this results in the key wrongfully matching the first flow,
and therefore the flow does not get installed.
This change reverses the commit below, but rather than having the key
on the stack, it's allocated.
Fixes:
|
||
Yang Yingliang
|
edfce2c29f |
Bluetooth: RFCOMM: don't call kfree_skb() under spin_lock_irqsave()
[ Upstream commit 0ba18967d4544955b2eff2fbc4f2a8750c4df90a ] It is not allowed to call kfree_skb() from hardware interrupt context or with interrupts being disabled. So replace kfree_skb() with dev_kfree_skb_irq() under spin_lock_irqsave(). Fixes: 81be03e026dc ("Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg") Signed-off-by: Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Yang Yingliang
|
1d675a3177 |
Bluetooth: hci_core: don't call kfree_skb() under spin_lock_irqsave()
[ Upstream commit 39c1eb6fcbae8ce9bb71b2ac5cb609355a2b181b ]
It is not allowed to call kfree_skb() from hardware interrupt
context or with interrupts being disabled. So replace kfree_skb()
with dev_kfree_skb_irq() under spin_lock_irqsave().
Fixes:
|
||
Hangbin Liu
|
be34e79e0a |
net/tunnel: wait until all sk_user_data reader finish before releasing the sock
[ Upstream commit 3cf7203ca620682165706f70a1b12b5194607dce ]
There is a race condition in vxlan that when deleting a vxlan device
during receiving packets, there is a possibility that the sock is
released after getting vxlan_sock vs from sk_user_data. Then in
later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got
NULL pointer dereference. e.g.
#0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757
#1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d
#2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48
#3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b
#4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb
#5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542
#6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62
[exception RIP: vxlan_ecn_decapsulate+0x3b]
RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246
RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000
RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700
RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae
R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700
R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae
ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
#7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan]
#8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507
#9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45
#10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807
#11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951
#12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde
#13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b
#14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139
#15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a
#16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3
#17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca
#18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3
Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh
Fix this by waiting for all sk_user_data reader to finish before
releasing the sock.
Reported-by: Jianlin Shi <jishi@redhat.com>
Suggested-by: Jakub Sitnicki <jakub@cloudflare.com>
Fixes:
|
||
Artem Chernyshev
|
37ba9bef15 |
net: vmw_vsock: vmci: Check memcpy_from_msg()
[ Upstream commit 44aa5a6dba8283bfda28b1517af4de711c5652a4 ]
vmci_transport_dgram_enqueue() does not check the return value
of memcpy_from_msg(). If memcpy_from_msg() fails, it is possible that
uninitialized memory contents are sent unintentionally instead of user's
message in the datagram to the destination. Return with an error if
memcpy_from_msg() fails.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes:
|
||
Wang ShaoBo
|
1f356afe52 |
SUNRPC: Fix missing release socket in rpc_sockname()
[ Upstream commit 50fa355bc0d75911fe9d5072a5ba52cdb803aff7 ]
socket dynamically created is not released when getting an unintended
address family type in rpc_sockname(), direct to out_release for calling
sock_release().
Fixes:
|
||
Chen Zhongjin
|
39464007d0 |
wifi: cfg80211: Fix not unregister reg_pdev when load_builtin_regdb_keys() fails
[ Upstream commit 833a9fd28c9b7ccb39a334721379e992dc1c0c89 ]
In regulatory_init_db(), when it's going to return a error, reg_pdev
should be unregistered. When load_builtin_regdb_keys() fails it doesn't
do it and makes cfg80211 can't be reload with report:
sysfs: cannot create duplicate filename '/devices/platform/regulatory.0'
...
<TASK>
dump_stack_lvl+0x79/0x9b
sysfs_warn_dup.cold+0x1c/0x29
sysfs_create_dir_ns+0x22d/0x290
kobject_add_internal+0x247/0x800
kobject_add+0x135/0x1b0
device_add+0x389/0x1be0
platform_device_add+0x28f/0x790
platform_device_register_full+0x376/0x4b0
regulatory_init+0x9a/0x4b2 [cfg80211]
cfg80211_init+0x84/0x113 [cfg80211]
...
Fixes:
|
||
Sungwoo Kim
|
ad528fde07 |
Bluetooth: L2CAP: Fix u8 overflow
[ Upstream commit bcd70260ef56e0aee8a4fc6cd214a419900b0765 ] By keep sending L2CAP_CONF_REQ packets, chan->num_conf_rsp increases multiple times and eventually it will wrap around the maximum number (i.e., 255). This patch prevents this by adding a boundary check with L2CAP_MAX_CONF_RSP Btmon log: Bluetooth monitor ver 5.64 = Note: Linux version 6.1.0-rc2 (x86_64) 0.264594 = Note: Bluetooth subsystem version 2.22 0.264636 @ MGMT Open: btmon (privileged) version 1.22 {0x0001} 0.272191 = New Index: 00:00:00:00:00:00 (Primary,Virtual,hci0) [hci0] 13.877604 @ RAW Open: 9496 (privileged) version 2.22 {0x0002} 13.890741 = Open Index: 00:00:00:00:00:00 [hci0] 13.900426 (...) > ACL Data RX: Handle 200 flags 0x00 dlen 1033 #32 [hci0] 14.273106 invalid packet size (12 != 1033) 08 00 01 00 02 01 04 00 01 10 ff ff ............ > ACL Data RX: Handle 200 flags 0x00 dlen 1547 #33 [hci0] 14.273561 invalid packet size (14 != 1547) 0a 00 01 00 04 01 06 00 40 00 00 00 00 00 ........@..... > ACL Data RX: Handle 200 flags 0x00 dlen 2061 #34 [hci0] 14.274390 invalid packet size (16 != 2061) 0c 00 01 00 04 01 08 00 40 00 00 00 00 00 00 04 ........@....... > ACL Data RX: Handle 200 flags 0x00 dlen 2061 #35 [hci0] 14.274932 invalid packet size (16 != 2061) 0c 00 01 00 04 01 08 00 40 00 00 00 07 00 03 00 ........@....... = bluetoothd: Bluetooth daemon 5.43 14.401828 > ACL Data RX: Handle 200 flags 0x00 dlen 1033 #36 [hci0] 14.275753 invalid packet size (12 != 1033) 08 00 01 00 04 01 04 00 40 00 00 00 ........@... Signed-off-by: Sungwoo Kim <iam@sung-woo.kim> Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
6369256a83 |
This is the 4.19.269 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAmOZpXYACgkQONu9yGCS aT4m+Q/+M0SowWVPoh9LH0aATI1ozgQ55IlN2Cb4r+gre98khTqsIS3Me6vUs3r0 2SjMcIvgOa9bJHukn4VXdwsPK9EBFxY5DpLRyJ1rr0y71xCQ9msf9NcnINcDpL8s 8A8zOk+A+dSnsG+Ci+Rg86+ktkwXxx3jc6+xQiRt6Mh6cv7kptl8DKlSvPTts6ku GJo0oMzbmXJfa4vSYGUSAvTsnVQKt4+kpDBocBPowZhIh42mrlo4h4Ent/HWOXlh N9qNc2pXA40pB57lYkcbMANSE6DSVd2cvng2LR8634rom5jeDH66y12sL7y3qvYO 3ANs/j1SSVjd35b857gyNCAsAXrxyg/Dyo66eQt6qcWcWJhB48FIUyyhF0n3VsxX QTyr3R3NKx/4eXulumaZJK2U45wB+6z8JnMLmj2V/D+Gw0E2oLnYVRJLpFKquHWq SXqN7O+WC1VN5kIlJqk3UW3CzDR/jAwlQND/zizSHvrh1XQvyfE1NRuwpZNur973 zNB4zcawRTVGkfOr/9tqzDsccgOVEcrAdrXN8nF3UjuVGFXF0x6jTTRj3oDFq659 hj3/JGX4ZQKPs8/a5aOKRgNCoKyX6dp8/NvInHa9G8k98saJ3Cf2EhkLvNiOeSWr zVp6bJzchDonMkxM91PG2tzmXVDTxWR3BEi9Qx1I45GHCrJj2Wk= =VXRI -----END PGP SIGNATURE----- Merge 4.19.269 into android-4.19-stable Changes in 4.19.269 arm: dts: rockchip: fix node name for hym8563 rtc ARM: dts: rockchip: fix ir-receiver node names ARM: 9251/1: perf: Fix stacktraces for tracepoint events in THUMB2 kernels ARM: 9266/1: mm: fix no-MMU ZERO_PAGE() implementation ARM: dts: rockchip: disable arm_global_timer on rk3066 and rk3188 9p/fd: Use P9_HDRSZ for header size ALSA: seq: Fix function prototype mismatch in snd_seq_expand_var_event ASoC: soc-pcm: Add NULL check in BE reparenting regulator: twl6030: fix get status of twl6032 regulators fbcon: Use kzalloc() in fbcon_prepare_logo() 9p/xen: check logical size for buffer size net: usb: qmi_wwan: add u-blox 0x1342 composition xen/netback: Ensure protocol headers don't fall in the non-linear area xen/netback: do some code cleanup xen/netback: don't call kfree_skb() with interrupts disabled rcutorture: Automatically create initrd directory media: v4l2-dv-timings.c: fix too strict blanking sanity checks memcg: fix possible use-after-free in memcg_write_event_control() KVM: s390: vsie: Fix the initialization of the epoch extension (epdx) field HID: hid-lg4ff: Add check for empty lbuf HID: core: fix shift-out-of-bounds in hid_report_raw_event ieee802154: cc2520: Fix error return code in cc2520_hw_init() ca8210: Fix crash by zero initializing data gpio: amd8111: Fix PCI device reference count leak e1000e: Fix TX dispatch condition igb: Allocate MSI-X vector when testing Bluetooth: 6LoWPAN: add missing hci_dev_put() in get_l2cap_conn() Bluetooth: Fix not cleanup led when bt_init fails selftests: rtnetlink: correct xfrm policy rule in kci_test_ipsec_offload mac802154: fix missing INIT_LIST_HEAD in ieee802154_if_add() net: encx24j600: Add parentheses to fix precedence net: encx24j600: Fix invalid logic in reading of MISTAT register xen-netfront: Fix NULL sring after live migration net: mvneta: Prevent out of bounds read in mvneta_config_rss() i40e: Fix not setting default xps_cpus after reset i40e: Fix for VF MAC address 0 i40e: Disallow ip4 and ip6 l4_4_bytes NFC: nci: Bounds check struct nfc_target arrays nvme initialize core quirks before calling nvme_init_subsystem net: stmmac: fix "snps,axi-config" node property parsing net: hisilicon: Fix potential use-after-free in hisi_femac_rx() net: hisilicon: Fix potential use-after-free in hix5hd2_rx() tipc: Fix potential OOB in tipc_link_proto_rcv() ethernet: aeroflex: fix potential skb leak in greth_init_rings() xen/netback: fix build warning net: plip: don't call kfree_skb/dev_kfree_skb() under spin_lock_irq() ipv6: avoid use-after-free in ip6_fragment() net: mvneta: Fix an out of bounds check can: esd_usb: Allow REC and TEC to return to zero Linux 4.19.269 Change-Id: Ie79e55bad6376d2314d44479ef1ec3c546d24030 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Eric Dumazet
|
7e0dcd5f3a |
ipv6: avoid use-after-free in ip6_fragment()
[ Upstream commit 803e84867de59a1e5d126666d25eb4860cfd2ebe ]
Blamed commit claimed rcu_read_lock() was held by ip6_fragment() callers.
It seems to not be always true, at least for UDP stack.
syzbot reported:
BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:245 [inline]
BUG: KASAN: use-after-free in ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
Read of size 8 at addr ffff88801d403e80 by task syz-executor.3/7618
CPU: 1 PID: 7618 Comm: syz-executor.3 Not tainted 6.1.0-rc6-syzkaller-00012-g4312098baf37 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xd1/0x138 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:284 [inline]
print_report+0x15e/0x45d mm/kasan/report.c:395
kasan_report+0xbf/0x1f0 mm/kasan/report.c:495
ip6_dst_idev include/net/ip6_fib.h:245 [inline]
ip6_fragment+0x2724/0x2770 net/ipv6/ip6_output.c:951
__ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
dst_output include/net/dst.h:445 [inline]
ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
sock_write_iter+0x295/0x3d0 net/socket.c:1108
call_write_iter include/linux/fs.h:2191 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x9ed/0xdd0 fs/read_write.c:584
ksys_write+0x1ec/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7fde3588c0d9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 f1 19 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fde365b6168 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007fde359ac050 RCX: 00007fde3588c0d9
RDX: 000000000000ffdc RSI: 00000000200000c0 RDI: 000000000000000a
RBP: 00007fde358e7ae9 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fde35acfb1f R14: 00007fde365b6300 R15: 0000000000022000
</TASK>
Allocated by task 7618:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
__kasan_slab_alloc+0x82/0x90 mm/kasan/common.c:325
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x2b4/0x3d0 mm/slub.c:3422
dst_alloc+0x14a/0x1f0 net/core/dst.c:92
ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
ip6_rt_pcpu_alloc net/ipv6/route.c:1369 [inline]
rt6_make_pcpu_route net/ipv6/route.c:1417 [inline]
ip6_pol_route+0x901/0x1190 net/ipv6/route.c:2254
pol_lookup_func include/net/ip6_fib.h:582 [inline]
fib6_rule_lookup+0x52e/0x6f0 net/ipv6/fib6_rules.c:121
ip6_route_output_flags_noref+0x2e6/0x380 net/ipv6/route.c:2625
ip6_route_output_flags+0x76/0x320 net/ipv6/route.c:2638
ip6_route_output include/net/ip6_route.h:98 [inline]
ip6_dst_lookup_tail+0x5ab/0x1620 net/ipv6/ip6_output.c:1092
ip6_dst_lookup_flow+0x90/0x1d0 net/ipv6/ip6_output.c:1222
ip6_sk_dst_lookup_flow+0x553/0x980 net/ipv6/ip6_output.c:1260
udpv6_sendmsg+0x151d/0x2c80 net/ipv6/udp.c:1554
inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
__sys_sendto+0x23a/0x340 net/socket.c:2117
__do_sys_sendto net/socket.c:2129 [inline]
__se_sys_sendto net/socket.c:2125 [inline]
__x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Freed by task 7599:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
kasan_set_track+0x25/0x30 mm/kasan/common.c:52
kasan_save_free_info+0x2e/0x40 mm/kasan/generic.c:511
____kasan_slab_free mm/kasan/common.c:236 [inline]
____kasan_slab_free+0x160/0x1c0 mm/kasan/common.c:200
kasan_slab_free include/linux/kasan.h:177 [inline]
slab_free_hook mm/slub.c:1724 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1750
slab_free mm/slub.c:3661 [inline]
kmem_cache_free+0xee/0x5c0 mm/slub.c:3683
dst_destroy+0x2ea/0x400 net/core/dst.c:127
rcu_do_batch kernel/rcu/tree.c:2250 [inline]
rcu_core+0x81f/0x1980 kernel/rcu/tree.c:2510
__do_softirq+0x1fb/0xadc kernel/softirq.c:571
Last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
dst_release net/core/dst.c:177 [inline]
dst_release+0x7d/0xe0 net/core/dst.c:167
refdst_drop include/net/dst.h:256 [inline]
skb_dst_drop include/net/dst.h:268 [inline]
skb_release_head_state+0x250/0x2a0 net/core/skbuff.c:838
skb_release_all net/core/skbuff.c:852 [inline]
__kfree_skb net/core/skbuff.c:868 [inline]
kfree_skb_reason+0x151/0x4b0 net/core/skbuff.c:891
kfree_skb_list_reason+0x4b/0x70 net/core/skbuff.c:901
kfree_skb_list include/linux/skbuff.h:1227 [inline]
ip6_fragment+0x2026/0x2770 net/ipv6/ip6_output.c:949
__ip6_finish_output net/ipv6/ip6_output.c:193 [inline]
ip6_finish_output+0x9a3/0x1170 net/ipv6/ip6_output.c:206
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
dst_output include/net/dst.h:445 [inline]
ip6_local_out+0xb3/0x1a0 net/ipv6/output_core.c:161
ip6_send_skb+0xbb/0x340 net/ipv6/ip6_output.c:1966
udp_v6_send_skb+0x82a/0x18a0 net/ipv6/udp.c:1286
udp_v6_push_pending_frames+0x140/0x200 net/ipv6/udp.c:1313
udpv6_sendmsg+0x18da/0x2c80 net/ipv6/udp.c:1606
inet6_sendmsg+0x9d/0xe0 net/ipv6/af_inet6.c:665
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
sock_write_iter+0x295/0x3d0 net/socket.c:1108
call_write_iter include/linux/fs.h:2191 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x9ed/0xdd0 fs/read_write.c:584
ksys_write+0x1ec/0x250 fs/read_write.c:637
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Second to last potentially related work creation:
kasan_save_stack+0x22/0x40 mm/kasan/common.c:45
__kasan_record_aux_stack+0xbc/0xd0 mm/kasan/generic.c:481
call_rcu+0x9d/0x820 kernel/rcu/tree.c:2798
dst_release net/core/dst.c:177 [inline]
dst_release+0x7d/0xe0 net/core/dst.c:167
refdst_drop include/net/dst.h:256 [inline]
skb_dst_drop include/net/dst.h:268 [inline]
__dev_queue_xmit+0x1b9d/0x3ba0 net/core/dev.c:4211
dev_queue_xmit include/linux/netdevice.h:3008 [inline]
neigh_resolve_output net/core/neighbour.c:1552 [inline]
neigh_resolve_output+0x51b/0x840 net/core/neighbour.c:1532
neigh_output include/net/neighbour.h:546 [inline]
ip6_finish_output2+0x56c/0x1530 net/ipv6/ip6_output.c:134
__ip6_finish_output net/ipv6/ip6_output.c:195 [inline]
ip6_finish_output+0x694/0x1170 net/ipv6/ip6_output.c:206
NF_HOOK_COND include/linux/netfilter.h:291 [inline]
ip6_output+0x1f1/0x540 net/ipv6/ip6_output.c:227
dst_output include/net/dst.h:445 [inline]
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
mld_sendpack+0xa09/0xe70 net/ipv6/mcast.c:1820
mld_send_cr net/ipv6/mcast.c:2121 [inline]
mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
worker_thread+0x669/0x1090 kernel/workqueue.c:2436
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
The buggy address belongs to the object at ffff88801d403dc0
which belongs to the cache ip6_dst_cache of size 240
The buggy address is located 192 bytes inside of
240-byte region [ffff88801d403dc0, ffff88801d403eb0)
The buggy address belongs to the physical page:
page:ffffea00007500c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x1d403
memcg:ffff888022f49c81
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 ffffea0001ef6580 dead000000000002 ffff88814addf640
raw: 0000000000000000 00000000800c000c 00000001ffffffff ffff888022f49c81
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 3719, tgid 3719 (kworker/0:6), ts 136223432244, free_ts 136222971441
prep_new_page mm/page_alloc.c:2539 [inline]
get_page_from_freelist+0x10b5/0x2d50 mm/page_alloc.c:4288
__alloc_pages+0x1cb/0x5b0 mm/page_alloc.c:5555
alloc_pages+0x1aa/0x270 mm/mempolicy.c:2285
alloc_slab_page mm/slub.c:1794 [inline]
allocate_slab+0x213/0x300 mm/slub.c:1939
new_slab mm/slub.c:1992 [inline]
___slab_alloc+0xa91/0x1400 mm/slub.c:3180
__slab_alloc.constprop.0+0x56/0xa0 mm/slub.c:3279
slab_alloc_node mm/slub.c:3364 [inline]
slab_alloc mm/slub.c:3406 [inline]
__kmem_cache_alloc_lru mm/slub.c:3413 [inline]
kmem_cache_alloc+0x31a/0x3d0 mm/slub.c:3422
dst_alloc+0x14a/0x1f0 net/core/dst.c:92
ip6_dst_alloc+0x32/0xa0 net/ipv6/route.c:344
icmp6_dst_alloc+0x71/0x680 net/ipv6/route.c:3261
mld_sendpack+0x5de/0xe70 net/ipv6/mcast.c:1809
mld_send_cr net/ipv6/mcast.c:2121 [inline]
mld_ifc_work+0x720/0xdc0 net/ipv6/mcast.c:2653
process_one_work+0x9bf/0x1710 kernel/workqueue.c:2289
worker_thread+0x669/0x1090 kernel/workqueue.c:2436
kthread+0x2e8/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1459 [inline]
free_pcp_prepare+0x65c/0xd90 mm/page_alloc.c:1509
free_unref_page_prepare mm/page_alloc.c:3387 [inline]
free_unref_page+0x1d/0x4d0 mm/page_alloc.c:3483
__unfreeze_partials+0x17c/0x1a0 mm/slub.c:2586
qlink_free mm/kasan/quarantine.c:168 [inline]
qlist_free_all+0x6a/0x170 mm/kasan/quarantine.c:187
kasan_quarantine_reduce+0x184/0x210 mm/kasan/quarantine.c:294
__kasan_slab_alloc+0x66/0x90 mm/kasan/common.c:302
kasan_slab_alloc include/linux/kasan.h:201 [inline]
slab_post_alloc_hook mm/slab.h:737 [inline]
slab_alloc_node mm/slub.c:3398 [inline]
kmem_cache_alloc_node+0x304/0x410 mm/slub.c:3443
__alloc_skb+0x214/0x300 net/core/skbuff.c:497
alloc_skb include/linux/skbuff.h:1267 [inline]
netlink_alloc_large_skb net/netlink/af_netlink.c:1191 [inline]
netlink_sendmsg+0x9a6/0xe10 net/netlink/af_netlink.c:1896
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg+0xd3/0x120 net/socket.c:734
__sys_sendto+0x23a/0x340 net/socket.c:2117
__do_sys_sendto net/socket.c:2129 [inline]
__se_sys_sendto net/socket.c:2125 [inline]
__x64_sys_sendto+0xe1/0x1b0 net/socket.c:2125
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x39/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
Fixes:
|
||
YueHaibing
|
8abe4a2398 |
tipc: Fix potential OOB in tipc_link_proto_rcv()
[ Upstream commit 743117a997bbd4840e827295c07e59bcd7f7caa3 ]
Fix the potential risk of OOB if skb_linearize() fails in
tipc_link_proto_rcv().
Fixes:
|