lineage-20.0
800 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Dmitry Safonov
|
533031e688 |
vm_ops: rename .split() callback to .may_split()
Rename the callback to reflect that it's not called *on* or *after* split, but rather some time before the splitting to check if it's possible. Link: https://lkml.kernel.org/r/20201013013416.390574-5-dima@arista.com Signed-off-by: Dmitry Safonov <dima@arista.com> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Andy Lutomirski <luto@kernel.org> Cc: Brian Geffon <bgeffon@google.com> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Dan Carpenter <dan.carpenter@oracle.com> Cc: Dan Williams <dan.j.williams@intel.com> Cc: Dave Jiang <dave.jiang@intel.com> Cc: Hugh Dickins <hughd@google.com> Cc: Ingo Molnar <mingo@redhat.com> Cc: Jason Gunthorpe <jgg@ziepe.ca> Cc: John Hubbard <jhubbard@nvidia.com> Cc: "Kirill A. Shutemov" <kirill.shutemov@linux.intel.com> Cc: Mike Kravetz <mike.kravetz@oracle.com> Cc: Minchan Kim <minchan@kernel.org> Cc: Ralph Campbell <rcampbell@nvidia.com> Cc: Russell King <linux@armlinux.org.uk> Cc: Thomas Bogendoerfer <tsbogend@alpha.franken.de> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Vishal Verma <vishal.l.verma@intel.com> Cc: Vlastimil Babka <vbabka@suse.cz> Cc: Will Deacon <will@kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Juhyung Park <qkrwngud825@gmail.com> Signed-off-by: UtsavBalar1231 <utsavbalar1231@gmail.com> |
||
Peter Collingbourne
|
46d7a6624f |
mm: remove unnecessary wrapper function do_mmap_pgoff()
The current split between do_mmap() and do_mmap_pgoff() was introduced in
commit
|
||
UtsavBalar1231
|
e89cfa51e1 |
Merge tag 'ASB-2022-01-05_4.19-stable' of https://github.com/aosp-mirror/kernel_common into android12-base
https://source.android.com/security/bulletin/2022-01-01 CVE-2020-14305 CVE-2020-29368 CVE-2021-39633 CVE-2021-39634 * tag 'ASB-2022-01-05_4.19-stable' of https://github.com/aosp-mirror/kernel_common: Linux 4.19.224 net: fix use-after-free in tw_timer_handler Input: spaceball - fix parsing of movement data packets Input: appletouch - initialize work before device registration scsi: vmw_pvscsi: Set residual data length conditionally binder: fix async_free_space accounting for empty parcels usb: mtu3: set interval of FS intr and isoc endpoint usb: gadget: f_fs: Clear ffs_eventfd in ffs_data_clear. xhci: Fresco FL1100 controller should not have BROKEN_MSI quirk set. uapi: fix linux/nfc.h userspace compilation errors nfc: uapi: use kernel size_t to fix user-space builds i2c: validate user data in compat ioctl fsl/fman: Fix missing put_device() call in fman_port_probe selftests/net: udpgso_bench_tx: fix dst ip argument net/mlx5e: Fix wrong features assignment in case of error NFC: st21nfca: Fix memory leak in device probe and remove net: usb: pegasus: Do not drop long Ethernet frames sctp: use call_rcu to free endpoint selftests: Calculate udpgso segment count without header adjustment udp: using datalen to cap ipv6 udp max gso segments scsi: lpfc: Terminate string in lpfc_debugfs_nvmeio_trc_write() selinux: initialize proto variable in selinux_ip_postroute_compat() recordmcount.pl: fix typo in s390 mcount regex platform/x86: apple-gmux: use resource_size() with res Input: i8042 - enable deferred probe quirk for ASUS UM325UA Input: i8042 - add deferred probe support tee: handle lookup of shm with reference count 0 HID: asus: Add depends on USB_HID to HID_ASUS Kconfig option Linux 4.19.223 phonet/pep: refuse to enable an unbound pipe hamradio: improve the incomplete fix to avoid NPD hamradio: defer ax25 kfree after unregister_netdev ax25: NPD bug when detaching AX25 device hwmon: (lm90) Do not report 'busy' status bit as alarm KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state usb: gadget: u_ether: fix race in setting MAC address in setup phase f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr() ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines x86/pkey: Fix undefined behaviour with PKRU_WD_BIT parisc: Correct completer in lws start ipmi: fix initialization when workqueue allocation fails ipmi: bail out if init_srcu_struct fails Input: atmel_mxt_ts - fix double free in mxt_read_info_block ALSA: drivers: opl3: Fix incorrect use of vp->state ALSA: jack: Check the return value of kstrdup() hwmon: (lm90) Fix usage of CONFIG2 register in detect function sfc: falcon: Check null pointer of rx_queue->page_ring drivers: net: smc911x: Check for error irq fjes: Check for error irq bonding: fix ad_actor_system option setting to default ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module net: skip virtio_net_hdr_set_proto if protocol already set net: accept UFOv6 packages in virtio_net_hdr_to_skb qlcnic: potential dereference null pointer of rx_queue->page_ring netfilter: fix regression in looped (broad|multi)cast's MAC handling IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() spi: change clk_disable_unprepare to clk_unprepare arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode HID: holtek: fix mouse probing block, bfq: fix use after free in bfq_bfqq_expire block, bfq: fix queue removal from weights tree block, bfq: fix decrement of num_active_groups block, bfq: fix asymmetric scenarios detection block, bfq: improve asymmetric scenarios detection net: usb: lan78xx: add Allied Telesis AT29M2-AF Revert "ARM: 8800/1: use choice for kernel unwinders" Linux 4.19.222 xen/netback: don't queue unlimited number of packages xen/netback: fix rx queue stall detection xen/console: harden hvc_xen against event channel storms xen/netfront: harden netfront against event channel storms xen/blkfront: harden blkfront against event channel storms scsi: scsi_debug: Sanity check block descriptor length in resp_mode_select() ovl: fix warning in ovl_create_real() fuse: annotate lock in fuse_reverse_inval_entry() media: mxl111sf: change mutex_init() location ARM: dts: imx6ull-pinfunc: Fix CSI_DATA07__ESAI_TX0 pad name firmware: arm_scpi: Fix string overflow in SCPI genpd driver Input: touchscreen - avoid bitwise vs logical OR warning ARM: 8800/1: use choice for kernel unwinders mwifiex: Remove unnecessary braces from HostCmd_SET_SEQ_NO_BSS_INFO ARM: 8805/2: remove unneeded naked function usage net: lan78xx: Avoid unnecessary self assignment mac80211: validate extended element ID is present net: systemport: Add global locking for descriptor lifecycle drm/amdgpu: correct register access for RLC_JUMP_TABLE_RESTORE libata: if T_LENGTH is zero, dma direction should be DMA_NONE timekeeping: Really make sure wall_to_monotonic isn't positive USB: serial: option: add Telit FN990 compositions USB: serial: cp210x: fix CP2105 GPIO registration PCI/MSI: Mask MSI-X vectors only on success PCI/MSI: Clear PCI_MSIX_FLAGS_MASKALL on error USB: NO_LPM quirk Lenovo USB-C to Ethernet Adapher(RTL8153-04) USB: gadget: bRequestType is a bitfield, not a enum sit: do not call ipip6_dev_free() from sit_init_net() net/packet: rx_owner_map depends on pg_vec netdevsim: Zero-initialize memory for new map's value in function nsim_bpf_map_alloc ixgbe: set X550 MDIO speed before talking to PHY igbvf: fix double free in `igbvf_probe` igb: Fix removal of unicast MAC filters of VFs soc/tegra: fuse: Fix bitwise vs. logical OR warning rds: memory leak in __rds_conn_create() dmaengine: st_fdma: fix MODULE_ALIAS sch_cake: do not call cake_destroy() from cake_init() ARM: socfpga: dts: fix qspi node compatible mac80211: track only QoS data frames for admission control x86/sme: Explicitly map new EFI memmap table as encrypted x86: Make ARCH_USE_MEMREMAP_PROT a generic Kconfig symbol nfsd: fix use-after-free due to delegation race audit: improve robustness of the audit queue handling dm btree remove: fix use after free in rebalance_children() recordmcount.pl: look for jgnop instruction as well as bcrl on s390 mac80211: send ADDBA requests using the tid/queue of the aggregation session hwmon: (dell-smm) Fix warning on /proc/i8k creation error tracing: Fix a kmemleak false positive in tracing_map net: netlink: af_netlink: Prevent empty skb by adding a check on len. i2c: rk3x: Handle a spurious start completion interrupt flag parisc/agp: Annotate parisc agp init functions with __init net/mlx4_en: Update reported link modes for 1/10G drm/msm/dsi: set default num_data_lanes nfc: fix segfault in nfc_genl_dump_devices_done stable: clamp SUBLEVEL in 4.19 FROMGIT: USB: gadget: bRequestType is a bitfield, not a enum ANDROID: GKI: abi workaround for 4.19.221 Linux 4.19.221 net: sched: make function qdisc_free_cb() static net_sched: fix a crash in tc_new_tfilter() irqchip: nvic: Fix offset for Interrupt Priority Offsets irqchip/irq-gic-v3-its.c: Force synchronisation when issuing INVALL irqchip/armada-370-xp: Fix support for Multi-MSI interrupts irqchip/armada-370-xp: Fix return value of armada_370_xp_msi_alloc() iio: accel: kxcjk-1013: Fix possible memory leak in probe and remove iio: adc: axp20x_adc: fix charging current reporting on AXP22x iio: at91-sama5d2: Fix incorrect sign extension iio: dln2: Check return value of devm_iio_trigger_register() iio: dln2-adc: Fix lockdep complaint iio: itg3200: Call iio_trigger_notify_done() on error iio: kxsd9: Don't return error code in trigger handler iio: ltr501: Don't return error code in trigger handler iio: mma8452: Fix trigger reference couting iio: stk3310: Don't return error code in interrupt handler iio: trigger: stm32-timer: fix MODULE_ALIAS iio: trigger: Fix reference counting xhci: avoid race between disable slot command and host runtime suspend usb: core: config: using bit mask instead of individual bits xhci: Remove CONFIG_USB_DEFAULT_PERSIST to prevent xHCI from runtime suspending usb: core: config: fix validation of wMaxPacketValue entries USB: gadget: zero allocate endpoint 0 buffers USB: gadget: detect too-big endpoint 0 requests net/qla3xxx: fix an error code in ql_adapter_up() net, neigh: clear whole pneigh_entry at alloc time net: fec: only clear interrupt of handling queue in fec_enet_rx_queue() net: altera: set a couple error code in probe() net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero tools build: Remove needless libpython-version feature check that breaks test-all fast path mtd: rawnand: fsmc: Take instruction delay into account i40e: Fix pre-set max number of queues for VF ASoC: qdsp6: q6routing: Fix return value from msm_routing_put_audio_mixer qede: validate non LSO skb length block: fix ioprio_get(IOPRIO_WHO_PGRP) vs setuid(2) tracefs: Set all files to the same group ownership as the mount option aio: fix use-after-free due to missing POLLFREE handling aio: keep poll requests on waitqueue until completed signalfd: use wake_up_pollfree() binder: use wake_up_pollfree() wait: add wake_up_pollfree() libata: add horkage for ASMedia 1092 can: m_can: Disable and ignore ELO interrupt can: pch_can: pch_can_rx_normal: fix use after free clk: qcom: regmap-mux: fix parent clock lookup tracefs: Have new files inherit the ownership of their parent ALSA: pcm: oss: Handle missing errors in snd_pcm_oss_change_params*() ALSA: pcm: oss: Limit the period size to 16MB ALSA: pcm: oss: Fix negative period/buffer sizes ALSA: ctl: Fix copy of updated id with element read/write mm: bdi: initialize bdi_min_ratio when bdi is unregistered IB/hfi1: Correct guard on eager buffer deallocation udp: using datalen to cap max gso segments seg6: fix the iif in the IPv6 socket control block nfp: Fix memory leak in nfp_cpp_area_cache_add() bonding: make tx_rebalance_counter an atomic ice: ignore dropped packets during init bpf: Fix the off-by-two error in range markings nfc: fix potential NULL pointer deref in nfc_genl_dump_ses_done net: sched: use Qdisc rcu API instead of relying on rtnl lock net: sched: add helper function to take reference to Qdisc net: sched: extend Qdisc with rcu net: sched: rename qdisc_destroy() to qdisc_put() net: core: netlink: add helper refcount dec and lock function can: sja1000: fix use after free in ems_pcmcia_add_card() can: kvaser_usb: get CAN clock frequency from device HID: check for valid USB device for many HID drivers HID: wacom: fix problems when device is not a valid USB device HID: add USB_HID dependancy on some USB HID drivers HID: add USB_HID dependancy to hid-chicony HID: add USB_HID dependancy to hid-prodikeys HID: add hid_is_usb() function to make it simpler for USB detection HID: google: add eel USB id UPSTREAM: USB: gadget: zero allocate endpoint 0 buffers UPSTREAM: USB: gadget: detect too-big endpoint 0 requests Linux 4.19.220 ipmi: msghandler: Make symbol 'remove_work_wq' static parisc: Mark cr16 CPU clocksource unstable on all SMP machines serial: core: fix transmit-buffer reset and memleak serial: pl011: Add ACPI SBSA UART match id tty: serial: msm_serial: Deactivate RX DMA for polling support x86/64/mm: Map all kernel memory into trampoline_pgd usb: typec: tcpm: Wait in SNK_DEBOUNCED until disconnect USB: NO_LPM quirk Lenovo Powered USB-C Travel Hub xhci: Fix commad ring abort, write all 64 bits to CRCR register. vgacon: Propagate console boot parameters before calling `vc_resize' parisc: Fix "make install" on newer debian releases parisc: Fix KBUILD_IMAGE for self-extracting kernel drm/msm: Do hw_init() before capturing GPU state net/smc: Keep smc_close_final rc during active close net/rds: correct socket tunable error in rds_tcp_tune() net: annotate data-races on txq->xmit_lock_owner net: usb: lan78xx: lan78xx_phy_init(): use PHY_POLL instead of "0" if no IRQ is available rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() net/mlx4_en: Fix an use-after-free bug in mlx4_en_try_alloc_resources() siphash: use _unaligned version by default net: mpls: Fix notifications when deleting a device net: qlogic: qlcnic: Fix a NULL pointer dereference in qlcnic_83xx_add_rings() natsemi: xtensa: fix section mismatch warnings i2c: stm32f7: stop dma transfer in case of NACK i2c: stm32f7: recover the bus on access timeout fget: check that the fd still exists after getting a ref to it fs: add fget_many() and fput_many() sata_fsl: fix warning in remove_proc_entry when rmmod sata_fsl sata_fsl: fix UAF in sata_fsl_port_stop when rmmod sata_fsl ipmi: Move remove_work to dedicated workqueue kprobes: Limit max data_size of the kretprobe instances vrf: Reset IPCB/IP6CB when processing outbound pkts in vrf dev xmit perf hist: Fix memory leak of a perf_hpp_fmt net: ethernet: dec: tulip: de4x5: fix possible array overflows in type3_infoblock() net: tulip: de4x5: fix the problem that the array 'lp->phy[8]' may be out of bound ethernet: hisilicon: hns: hns_dsaf_misc: fix a possible array overflow in hns_dsaf_ge_srst_by_port() ata: ahci: Add Green Sardine vendor ID as board_ahci_mobile scsi: iscsi: Unblock session then wake up error handler thermal: core: Reset previous low and high trip during thermal zone init btrfs: check-integrity: fix a warning on write caching disabled disk s390/setup: avoid using memblock_enforce_memory_limit platform/x86: thinkpad_acpi: Fix WWAN device disabled issue after S3 deep net: return correct error code atlantic: Fix OOB read and write in hw_atl_utils_fw_rpc_wait gfs2: Fix length of holes reported at end-of-file of: clk: Make <linux/of_clk.h> self-contained NFSv42: Fix pagecache invalidation after COPY/CLONE shm: extend forced shm destroy to support objects from several IPC nses Change-Id: Ib3edd8f66275790a09e0b5fd3c485679119cfaa4 Signed-off-by: UtsavBalar1231 <utsavbalar1231@gmail.com> Conflicts: arch/Kconfig drivers/usb/gadget/composite.c fs/file_table.c |
||
UtsavBalar1231
|
0ac5096a10 |
Merge tag 'ASB-2021-12-05_4.19-stable' of https://github.com/aosp-mirror/kernel_common into android12-base
https://source.android.com/security/bulletin/2021-12-01 CVE-2021-33909 CVE-2021-38204 CVE-2021-0961 * tag 'ASB-2021-12-05_4.19-stable' of https://github.com/aosp-mirror/kernel_common: BACKPORT: arm64: vdso32: suppress error message for 'make mrproper' Linux 4.19.219 tty: hvc: replace BUG_ON() with negative return value xen/netfront: don't trust the backend response data blindly xen/netfront: disentangle tx_skb_freelist xen/netfront: don't read data from request on the ring page xen/netfront: read response from backend only once xen/blkfront: don't trust the backend response data blindly xen/blkfront: don't take local copy of a request from the ring page xen/blkfront: read response from backend only once xen: sync include/xen/interface/io/ring.h with Xen's newest version fuse: release pipe buf after last use NFC: add NCI_UNREG flag to eliminate the race hugetlbfs: flush TLBs correctly after huge_pmd_unshare s390/mm: validate VMA in PGSTE manipulation functions tracing: Check pid filtering when creating events vhost/vsock: fix incorrect used length reported to the guest net: hns3: fix VF RSS failed problem after PF enable multi-TCs net/smc: Don't call clcsock shutdown twice when smc shutdown MIPS: use 3-level pgtable for 64KB page size on MIPS_VA_BITS_48 tcp_cubic: fix spurious Hystart ACK train detections for not-cwnd-limited flows PM: hibernate: use correct mode for swsusp_close() net/smc: Ensure the active closing peer first closes clcsock ipv6: fix typos in __ip6_finish_output() drm/vc4: fix error code in vc4_create_object() scsi: mpt3sas: Fix kernel panic during drive powercycle test ARM: socfpga: Fix crash with CONFIG_FORTIRY_SOURCE NFSv42: Don't fail clone() unless the OP_CLONE operation failed firmware: arm_scmi: pm: Propagate return value to caller net: ieee802154: handle iftypes as u32 ASoC: topology: Add missing rwsem around snd_ctl_remove() calls ASoC: qdsp6: q6routing: Conditionally reset FrontEnd Mixer ARM: dts: BCM5301X: Add interrupt properties to GPIO node ARM: dts: BCM5301X: Fix I2C controller interrupt netfilter: ipvs: Fix reuse connection if RS weight is 0 arm64: dts: marvell: armada-37xx: Set pcie_reset_pin to gpio function arm64: dts: marvell: armada-37xx: declare PCIe reset pin pinctrl: armada-37xx: Correct PWM pins definitions pinctrl: armada-37xx: add missing pin: PCIe1 Wakeup pinctrl: armada-37xx: Correct mpp definitions PCI: aardvark: Fix checking for link up via LTSSM state PCI: aardvark: Fix link training PCI: aardvark: Fix PCIe Max Payload Size setting PCI: aardvark: Configure PCIe resources from 'ranges' DT property PCI: aardvark: Update comment about disabling link training PCI: aardvark: Move PCIe reset card code to advk_pcie_train_link() PCI: aardvark: Fix compilation on s390 PCI: aardvark: Don't touch PCIe registers if no card connected PCI: aardvark: Indicate error in 'val' when config read fails PCI: aardvark: Replace custom macros by standard linux/pci_regs.h macros PCI: aardvark: Issue PERST via GPIO PCI: aardvark: Improve link training PCI: aardvark: Train link immediately after enabling training PCI: aardvark: Wait for endpoint to be ready before training link PCI: aardvark: Fix a leaked reference by adding missing of_node_put() proc/vmcore: fix clearing user buffer by properly using clear_user() xtensa: use CONFIG_USE_OF instead of CONFIG_OF tracing: Fix pid filtering when triggers are attached xen: detect uninitialized xenbus in xenbus_init xen: don't continue xenstore initialization in case of errors fuse: fix page stealing staging: rtl8192e: Fix use after free in _rtl92e_pci_disconnect() HID: wacom: Use "Confidence" flag to prevent reporting invalid contacts media: cec: copy sequence field for the reply ALSA: ctxfi: Fix out-of-range access binder: fix test regression due to sender_euid change usb: hub: Fix locking issues with address0_mutex usb: hub: Fix usb enumeration issue due to address0 race usb: dwc2: hcd_queue: Fix use of floating point literal USB: serial: option: add Fibocom FM101-GL variants USB: serial: option: add Telit LE910S1 0x9200 composition Revert "net: sched: update default qdisc visibility after Tx queue cnt changes" Revert "serial: core: Fix initializing and restoring termios speed" ANDROID: GKI: disable CONFIG_FORTIFY_SOURCE Linux 4.19.218 soc/tegra: pmc: Fix imbalanced clock disabling in error code path usb: max-3421: Use driver data instead of maintaining a list of bound devices ASoC: DAPM: Cover regression by kctl change notification fix RDMA/netlink: Add __maybe_unused to static inline in C file batman-adv: Don't always reallocate the fragmentation skb head batman-adv: Reserve needed_*room for fragments batman-adv: Consider fragmentation for needed_headroom batman-adv: mcast: fix duplicate mcast packets in BLA backbone from LAN perf/core: Avoid put_page() when GUP fails drm/amdgpu: fix set scaling mode Full/Full aspect/Center not works on vga and dvi connectors drm/udl: fix control-message timeout cfg80211: call cfg80211_stop_ap when switch from P2P_GO type parisc/sticon: fix reverse colors btrfs: fix memory ordering between normal and ordered work functions udf: Fix crash after seekdir x86/hyperv: Fix NULL deref in set_hv_tscchange_cb() if Hyper-V setup fails mm: kmemleak: slob: respect SLAB_NOLEAKTRACE flag ipc: WARN if trying to remove ipc object which is absent hexagon: export raw I/O routines for modules tun: fix bonding active backup with arp monitoring perf/x86/intel/uncore: Fix IIO event constraints for Skylake Server perf/x86/intel/uncore: Fix filter_tid mask for CHA events on Skylake Server NFC: reorder the logic in nfc_{un,}register_device NFC: reorganize the functions in nci_request i40e: Fix display error code in dmesg i40e: Fix changing previously set num_queue_pairs for PFs i40e: Fix NULL ptr dereference on VSI filter sync i40e: Fix correct max_pkt_size on VF RX queue net: virtio_net_hdr_to_skb: count transport header in UFO platform/x86: hp_accel: Fix an error handling path in 'lis3lv02d_probe()' mips: lantiq: add support for clk_get_parent() mips: bcm63xx: add support for clk_get_parent() MIPS: generic/yamon-dt: fix uninitialized variable error iavf: Fix for the false positive ASQ/ARQ errors while issuing VF reset iavf: check for null in iavf_fix_features net: bnx2x: fix variable dereferenced before check drm/nouveau: hdmigv100.c: fix corrupted HDMI Vendor InfoFrame sched/core: Mitigate race cpus_share_cache()/update_top_cache_domain() mips: BCM63XX: ensure that CPU_SUPPORTS_32BIT_KERNEL is set sh: define __BIG_ENDIAN for math-emu sh: fix kconfig unmet dependency warning for FRAME_POINTER f2fs: fix up f2fs_lookup tracepoints maple: fix wrong return value of maple_bus_init(). sh: check return code of request_irq powerpc/dcr: Use cmplwi instead of 3-argument cmpli ALSA: gus: fix null pointer dereference on pointer block powerpc/5200: dts: fix memory node unit name scsi: target: Fix alua_tg_pt_gps_count tracking scsi: target: Fix ordered tag handling MIPS: sni: Fix the build tty: tty_buffer: Fix the softlockup issue in flush_to_ldisc ALSA: ISA: not for M68K usb: host: ohci-tmio: check return value after calling platform_get_resource() ARM: dts: omap: fix gpmc,mux-add-data type firmware_loader: fix pre-allocated buf built-in firmware use scsi: advansys: Fix kernel pointer leak ASoC: nau8824: Add DMI quirk mechanism for active-high jack-detect arm64: dts: freescale: fix arm,sp805 compatible string usb: typec: tipd: Remove WARN_ON in tps6598x_block_read usb: musb: tusb6010: check return value after calling platform_get_resource() arm64: dts: hisilicon: fix arm,sp805 compatible string scsi: lpfc: Fix list_add() corruption in lpfc_drain_txq() arm64: zynqmp: Fix serial compatible string arm64: zynqmp: Do not duplicate flash partition label property erofs: fix unsafe pagevec reuse of hooked pclusters erofs: remove the occupied parameter from z_erofs_pagevec_enqueue() PCI: Add MSI masking quirk for Nvidia ION AHCI PCI/MSI: Deal with devices lying about their MSI mask capability PCI/MSI: Destroy sysfs before freeing entries parisc/entry: fix trace test in syscall exit path fortify: Explicitly disable Clang support ext4: fix lazy initialization next schedule time computation in more granular unit x86/cpu: Fix migration safety with X86_BUG_NULL_SEL fuse: truncate pagecache on atomic_o_trunc PCI: Add PCI_EXP_DEVCTL_PAYLOAD_* macros s390/tape: fix timer initialization in tape_std_assign() s390/cio: check the subchannel validity for dev_busid video: backlight: Drop maximum brightness override for brightness zero backlight: gpio-backlight: Correct initial power state handling mm, oom: do not trigger out_of_memory from the #PF mm, oom: pagefault_out_of_memory: don't force global OOM for dying tasks powerpc/bpf: Emit stf barrier instruction sequences for BPF_NOSPEC powerpc/security: Add a helper to query stf_barrier type powerpc/bpf: Fix BPF_SUB when imm == 0x80000000 powerpc/bpf: Validate branch ranges powerpc/lib: Add helper to check if offset is within conditional branch range 9p/net: fix missing error check in p9_check_errors f2fs: should use GFP_NOFS for directory inodes ARM: 9156/1: drop cc-option fallbacks for architecture selection ARM: 9155/1: fix early early_iounmap() USB: chipidea: fix interrupt deadlock cxgb4: fix eeprom len when diagnostics not implemented vsock: prevent unnecessary refcnt inc for nonblocking connect arm64: pgtable: make __pte_to_phys/__phys_to_pte_val inline functions nfc: pn533: Fix double free when pn533_fill_fragment_skbs() fails llc: fix out-of-bound array index in llc_sk_dev_hash() zram: off by one in read_block_state() mm/zsmalloc.c: close race window between zs_pool_dec_isolated() and zs_unregister_migration() bonding: Fix a use-after-free problem when bond_sysfs_slave_add() failed ACPI: PMIC: Fix intel_pmic_regs_handler() read accesses net: davinci_emac: Fix interrupt pacing disable xen-pciback: Fix return in pm_ctrl_init() i2c: xlr: Fix a resource leak in the error handling path of 'xlr_i2c_probe()' scsi: qla2xxx: Turn off target reset during issue_lip scsi: qla2xxx: Fix gnl list corruption ar7: fix kernel builds for compiler test watchdog: f71808e_wdt: fix inaccurate report in WDIOC_GETTIMEOUT m68k: set a default value for MEMORY_RESERVE dmaengine: dmaengine_desc_callback_valid(): Check for `callback_result` netfilter: nfnetlink_queue: fix OOB when mac header was cleared auxdisplay: ht16k33: Fix frame buffer device blanking auxdisplay: ht16k33: Connect backlight to fbdev auxdisplay: img-ascii-lcd: Fix lock-up when displaying empty string dmaengine: at_xdmac: fix AT_XDMAC_CC_PERID() macro mtd: spi-nor: hisi-sfc: Remove excessive clk_disable_unprepare() fs: orangefs: fix error return code of orangefs_revalidate_lookup() NFS: Fix deadlocks in nfs_scan_commit_list() PCI: aardvark: Don't spam about PIO Response Status drm/plane-helper: fix uninitialized variable reference pnfs/flexfiles: Fix misplaced barrier in nfs4_ff_layout_prepare_ds rpmsg: Fix rpmsg_create_ept return when RPMSG config is not defined apparmor: fix error check power: supply: bq27xxx: Fix kernel crash on IRQ handler register error mips: cm: Convert to bitfield API to fix out-of-bounds access serial: xilinx_uartps: Fix race condition causing stuck TX phy: qcom-qusb2: Fix a memory leak on probe ASoC: cs42l42: Defer probe if request_threaded_irq() returns EPROBE_DEFER ASoC: cs42l42: Correct some register default values RDMA/mlx4: Return missed an error if device doesn't support steering scsi: csiostor: Uninitialized data in csio_ln_vnp_read_cbfn() power: supply: rt5033_battery: Change voltage values to µV usb: gadget: hid: fix error code in do_config() serial: 8250_dw: Drop wrong use of ACPI_PTR() video: fbdev: chipsfb: use memset_io() instead of memset() memory: fsl_ifc: fix leak of irq and nand_irq in fsl_ifc_ctrl_probe soc/tegra: Fix an error handling path in tegra_powergate_power_up() arm: dts: omap3-gta04a4: accelerometer irq fix ALSA: hda: Reduce udelay() at SKL+ position reporting JFS: fix memleak in jfs_mount MIPS: loongson64: make CPU_LOONGSON64 depends on MIPS_FP_SUPPORT scsi: dc395: Fix error case unwinding ARM: dts: at91: tse850: the emac<->phy interface is rmii RDMA/bnxt_re: Fix query SRQ failure arm64: dts: rockchip: Fix GPU register width for RK3328 ARM: s3c: irq-s3c24xx: Fix return value check for s3c24xx_init_intc() RDMA/rxe: Fix wrong port_cap_flags ibmvnic: Process crqs after enabling interrupts selftests/bpf: Fix fclose/pclose mismatch in test_progs crypto: pcrypt - Delay write to padata->info net: phylink: avoid mvneta warning when setting pause parameters net: amd-xgbe: Toggle PLL settings during rate change wcn36xx: add proper DMA memory barriers in rx path libertas: Fix possible memory leak in probe and disconnect libertas_tf: Fix possible memory leak in probe and disconnect KVM: s390: Fix handle_sske page fault handling samples/kretprobes: Fix return value if register_kretprobe() failed tcp: don't free a FIN sk_buff in tcp_remove_empty_skb() irq: mips: avoid nested irq_enter() s390/gmap: don't unconditionally call pte_unmap_unlock() in __gmap_zap() smackfs: use netlbl_cfg_cipsov4_del() for deleting cipso_v4_doi drm/msm: Fix potential NULL dereference in DPU SSPP clocksource/drivers/timer-ti-dm: Select TIMER_OF PM: hibernate: fix sparse warnings nvme-rdma: fix error code in nvme_rdma_setup_ctrl phy: micrel: ksz8041nl: do not use power down mode mwifiex: Send DELBA requests according to spec rsi: stop thread firstly in rsi_91x_init() error handling platform/x86: thinkpad_acpi: Fix bitwise vs. logical warning mmc: mxs-mmc: disable regulator on error and in the remove function net: stream: don't purge sk_error_queue in sk_stream_kill_queues() drm/msm: uninitialized variable in msm_gem_import() ath10k: fix max antenna gain unit hwmon: (pmbus/lm25066) Let compiler determine outer dimension of lm25066_coeff hwmon: Fix possible memleak in __hwmon_device_register() memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() memstick: avoid out-of-range warning mmc: sdhci-omap: Fix NULL pointer exception if regulator is not configured b43: fix a lower bounds test b43legacy: fix a lower bounds test hwrng: mtk - Force runtime pm ops for sleep ops crypto: qat - disregard spurious PFVF interrupts crypto: qat - detect PFVF collision after ACK media: dvb-frontends: mn88443x: Handle errors of clk_prepare_enable() ath9k: Fix potential interrupt storm on queue reset media: em28xx: Don't use ops->suspend if it is NULL cpuidle: Fix kobject memory leaks in error paths media: cx23885: Fix snd_card_free call on null card pointer media: si470x: Avoid card name truncation media: mtk-vpu: Fix a resource leak in the error handling path of 'mtk_vpu_probe()' media: dvb-usb: fix ununit-value in az6027_rc_query media: em28xx: add missing em28xx_close_extension drm/amdgpu: fix warning for overflow check net: dsa: rtl8366rb: Fix off-by-one bug cgroup: Make rebind_subsystems() disable v2 controllers all at once Bluetooth: fix init and cleanup of sco_conn.timeout_work parisc/kgdb: add kgdb_roundup() to make kgdb work with idle polling parisc/unwind: fix unwinder when CONFIG_64BIT is enabled task_stack: Fix end_of_stack() for architectures with upwards-growing stack parisc: fix warning in flush_tlb_all x86/hyperv: Protect set_hv_tscchange_cb() against getting preempted spi: bcm-qspi: Fix missing clk_disable_unprepare() on error in bcm_qspi_probe() ARM: 9136/1: ARMv7-M uses BE-8, not BE-32 gre/sit: Don't generate link-local addr if addr_gen_mode is IN6_ADDR_GEN_MODE_NONE ARM: clang: Do not rely on lr register for stacktrace smackfs: use __GFP_NOFAIL for smk_cipso_doi() iwlwifi: mvm: disable RX-diversity in powersave PM: hibernate: Get block device exclusively in swsusp_check() mwl8k: Fix use-after-free in mwl8k_fw_state_machine() tracing/cfi: Fix cmp_entries_* functions signature mismatch workqueue: make sysfs of unbound kworker cpumask more clever lib/xz: Validate the value before assigning it to an enum variable lib/xz: Avoid overlapping memcpy() with invalid input with in-place decompression memstick: r592: Fix a UAF bug when removing the driver leaking_addresses: Always print a trailing newline ACPI: battery: Accept charges over the design capacity as full ath: dfs_pattern_detector: Fix possible null-pointer dereference in channel_detector_create() tracefs: Have tracefs directories not set OTH permission bits by default media: usb: dvd-usb: fix uninit-value bug in dibusb_read_eeprom_byte() ACPICA: Avoid evaluating methods too early during system resume media: rcar-csi2: Add checking to rcsi2_start_receiver() ia64: don't do IA64_CMPXCHG_DEBUG without CONFIG_PRINTK media: mceusb: return without resubmitting URB in case of -EPROTO error. media: s5p-mfc: Add checking to s5p_mfc_probe(). media: s5p-mfc: fix possible null-pointer dereference in s5p_mfc_probe() media: uvcvideo: Return -EIO for control errors media: uvcvideo: Set capability in s_param media: netup_unidvb: handle interrupt properly according to the firmware media: mt9p031: Fix corrupted frame after restarting stream mwifiex: Properly initialize private structure on interface type changes mwifiex: Run SET_BSS_MODE when changing from P2P to STATION vif-type x86: Increase exception stack sizes smackfs: Fix use-after-free in netlbl_catmap_walk() net: sched: update default qdisc visibility after Tx queue cnt changes locking/lockdep: Avoid RCU-induced noinstr fail MIPS: lantiq: dma: reset correct number of channel MIPS: lantiq: dma: add small delay after reset platform/x86: wmi: do not fail if disabling fails Bluetooth: fix use-after-free error in lock_sock_nested() Bluetooth: sco: Fix lock_sock() blockage by memcpy_from_msg() drm: panel-orientation-quirks: Add quirk for KD Kurio Smart C15200 2-in-1 USB: iowarrior: fix control-message timeouts USB: serial: keyspan: fix memleak on probe errors iio: dac: ad5446: Fix ad5622_write() return value pinctrl: core: fix possible memory leak in pinctrl_enable() quota: correct error number in free_dqentry() quota: check block number when reading the block in quota file PCI: aardvark: Read all 16-bits from PCIE_MSI_PAYLOAD_REG PCI: aardvark: Fix return value of MSI domain .alloc() method PCI: aardvark: Do not unmask unused interrupts PCI: aardvark: Do not clear status bits of masked interrupts xen/balloon: add late_initcall_sync() for initial ballooning done ALSA: mixer: fix deadlock in snd_mixer_oss_set_volume ALSA: mixer: oss: Fix racy access to slots serial: core: Fix initializing and restoring termios speed powerpc/85xx: Fix oops when mpc85xx_smp_guts_ids node cannot be found power: supply: max17042_battery: use VFSOC for capacity when no rsns power: supply: max17042_battery: Prevent int underflow in set_soc_threshold signal/mips: Update (_save|_restore)_fp_context to fail with -EFAULT signal: Remove the bogus sigkill_pending in ptrace_stop RDMA/qedr: Fix NULL deref for query_qp on the GSI QP rsi: Fix module dev_oper_mode parameter description rsi: fix rate mask set leading to P2P failure rsi: fix key enabled check causing unwanted encryption for vap_id > 0 rsi: fix occasional initialisation failure with BT coex wcn36xx: handle connection loss indication libata: fix checking of DMA state mwifiex: Read a PCI register after writing the TX ring write pointer wcn36xx: Fix HT40 capability for 2Ghz band evm: mark evm_fixmode as __ro_after_init rtl8187: fix control-message timeouts PCI: Mark Atheros QCA6174 to avoid bus reset ath10k: fix division by zero in send path ath10k: fix control-message timeout ath6kl: fix control-message timeout ath6kl: fix division by zero in send path mwifiex: fix division by zero in fw download path EDAC/sb_edac: Fix top-of-high-memory value for Broadwell/Haswell regulator: dt-bindings: samsung,s5m8767: correct s5m8767,pmic-buck-default-dvs-idx property regulator: s5m8767: do not use reset value as DVS voltage if GPIO DVS is disabled hwmon: (pmbus/lm25066) Add offset coefficients ia64: kprobes: Fix to pass correct trampoline address to the handler btrfs: call btrfs_check_rw_degradable only if there is a missing device btrfs: fix lost error handling when replaying directory deletes btrfs: clear MISSING device status bit in btrfs_close_one_device vmxnet3: do not stop tx queues after netif_device_detach() watchdog: Fix OMAP watchdog early handling spi: spl022: fix Microwire full duplex mode xen/netfront: stop tx queues during live migration bpf: Prevent increasing bpf_jit_limit above max drm: panel-orientation-quirks: Add quirk for Aya Neo 2021 mmc: winbond: don't build on M68K hyperv/vmbus: include linux/bitops.h sfc: Don't use netif_info before net_device setup cavium: Fix return values of the probe function scsi: qla2xxx: Fix unmap of already freed sgl cavium: Return negative value when pci_alloc_irq_vectors() fails x86/irq: Ensure PI wakeup handler is unregistered before module unload x86/sme: Use #define USE_EARLY_PGTABLE_L5 in mem_encrypt_identity.c ALSA: timer: Unconditionally unlink slave instances, too ALSA: timer: Fix use-after-free problem ALSA: synth: missing check for possible NULL after the call to kstrdup ALSA: usb-audio: Add registration quirk for JBL Quantum 400 ALSA: line6: fix control and interrupt message timeouts ALSA: 6fire: fix control and bulk message timeouts ALSA: ua101: fix division by zero at probe ALSA: hda/realtek: Add quirk for Clevo PC70HS media: ir-kbd-i2c: improve responsiveness of hauppauge zilog receivers media: ite-cir: IR receiver stop working after receive overflow crypto: s5p-sss - Add error handling in s5p_aes_probe() firmware/psci: fix application of sizeof to pointer tpm: Check for integer overflow in tpm2_map_response_body() parisc: Fix ptrace check on syscall return mmc: dw_mmc: Dont wait for DRTO on Write RSP error ocfs2: fix data corruption on truncate libata: fix read log timeout value Input: i8042 - Add quirk for Fujitsu Lifebook T725 Input: elantench - fix misreporting trackpoint coordinates binder: use cred instead of task for selinux checks binder: use euid from cred instead of using task xhci: Fix USB 3.1 enumeration issues by increasing roothub power-on-good delay ANDROID: usb: gadget: f_accessory: Mitgate handling of non-existent USB request UPSTREAM: binder: use cred instead of task for getsecid FROMGIT: binder: fix test regression due to sender_euid change BACKPORT: binder: use cred instead of task for selinux checks UPSTREAM: binder: use euid from cred instead of using task ANDROID: setlocalversion: make KMI_GENERATION optional Linux 4.19.217 rsi: fix control-message timeout staging: rtl8192u: fix control-message timeouts staging: r8712u: fix control-message timeout comedi: vmk80xx: fix bulk and interrupt message timeouts comedi: vmk80xx: fix bulk-buffer overflow comedi: vmk80xx: fix transfer-buffer overflows comedi: ni_usb6501: fix NULL-deref in command paths comedi: dt9812: fix DMA buffers on stack isofs: Fix out of bound access for corrupted isofs image printk/console: Allow to disable console output by using console="" or console=null usb-storage: Add compatibility quirk flags for iODD 2531/2541 usb: musb: Balance list entry in musb_gadget_queue usb: gadget: Mark USB_FSL_QE broken on 64-bit usb: ehci: handshake CMD_RUN instead of STS_HALT Revert "x86/kvm: fix vcpu-id indexed array sizes" Linux 4.19.216 ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" arch: pgtable: define MAX_POSSIBLE_PHYSMEM_BITS where needed sfc: Fix reading non-legacy supported link modes IB/qib: Protect from buffer overflow in struct qib_user_sdma_pkt fields IB/qib: Use struct_size() helper media: firewire: firedtv-avc: fix a buffer overflow in avc_ca_pmt() scsi: core: Put LLD module refcnt after SCSI device is released UPSTREAM: security: selinux: allow per-file labeling for bpffs Linux 4.19.215 sctp: add vtag check in sctp_sf_ootb sctp: add vtag check in sctp_sf_do_8_5_1_E_sa sctp: add vtag check in sctp_sf_violation sctp: fix the processing for COOKIE_ECHO chunk sctp: use init_tag from inithdr for ABORT chunk net: nxp: lpc_eth.c: avoid hang when bringing interface down net: ethernet: microchip: lan743x: Fix dma allocation failure by using dma_set_mask_and_coherent net: ethernet: microchip: lan743x: Fix driver crash when lan743x_pm_resume fails nios2: Make NIOS2_DTB_SOURCE_BOOL depend on !COMPILE_TEST net: Prevent infinite while loop in skb_tx_hash() net: batman-adv: fix error handling regmap: Fix possible double-free in regcache_rbtree_exit() arm64: dts: allwinner: h5: NanoPI Neo 2: Fix ethernet node RDMA/mlx5: Set user priority for DCT net: lan78xx: fix division by zero in send path mmc: sdhci-esdhc-imx: clear the buffer_read_ready to reset standard tuning circuit mmc: sdhci: Map more voltage level to SDHCI_POWER_330 mmc: dw_mmc: exynos: fix the finding clock sample value mmc: cqhci: clear HALT state after CQE enable mmc: vub300: fix control-message timeouts ipv6: make exception cache less predictible ipv6: use siphash in rt6_exception_hash() ipv4: use siphash instead of Jenkins in fnhe_hashfun() Revert "net: mdiobus: Fix memory leak in __mdiobus_register" nfc: port100: fix using -ERRNO as command type mask ata: sata_mv: Fix the error handling of mv_chip_id() usbnet: fix error return code in usbnet_probe() usbnet: sanity check for maxpacket ARM: 8819/1: Remove '-p' from LDFLAGS arm64: Avoid premature usercopy failure powerpc/bpf: Fix BPF_MOD when imm == 1 ARM: 9141/1: only warn about XIP address when not compile testing ARM: 9139/1: kprobes: fix arch_init_kprobes() prototype ARM: 9134/1: remove duplicate memcpy() definition ARM: 9133/1: mm: proc-macros: ensure *_tlb_fns are 4B aligned ANDROID: Incremental fs: Fix dentry get/put imbalance on vfs_mkdir() failure Linux 4.19.214 ARM: 9122/1: select HAVE_FUTEX_CMPXCHG tracing: Have all levels of checks prevent recursion net: mdiobus: Fix memory leak in __mdiobus_register scsi: core: Fix shost->cmd_per_lun calculation in scsi_add_host_with_dma() ALSA: hda: avoid write to STATESTS if controller is in reset platform/x86: intel_scu_ipc: Update timeout value in comment isdn: mISDN: Fix sleeping function called from invalid context ARM: dts: spear3xx: Fix gmac node net: stmmac: add support for dwmac 3.40a btrfs: deal with errors when checking if a dir entry exists during log replay gcc-plugins/structleak: add makefile var for disabling structleak netfilter: Kconfig: use 'default y' instead of 'm' for bool config option isdn: cpai: check ctr->cnr to avoid array index out of bound nfc: nci: fix the UAF of rf_conn_info object mm, slub: fix mismatch between reconstructed freelist depth and cnt ASoC: DAPM: Fix missing kctl change notifications ALSA: hda/realtek: Add quirk for Clevo PC50HS ALSA: usb-audio: Provide quirk for Sennheiser GSP670 Headset vfs: check fd has read access in kernel_read_file_from_fd() elfcore: correct reference to CONFIG_UML ocfs2: mount fails with buffer overflow in strlen ocfs2: fix data corruption after conversion from inline format can: peak_pci: peak_pci_remove(): fix UAF can: peak_usb: pcan_usb_fd_decode_status(): fix back to ERROR_ACTIVE state notification can: rcar_can: fix suspend/resume net: hns3: disable sriov before unload hclge layer net: hns3: add limit ets dwrr bandwidth cannot be 0 NIOS2: irqflags: rename a redefined register name lan78xx: select CRC32 netfilter: ipvs: make global sysctl readonly in non-init netns ASoC: wm8960: Fix clock configuration on slave mode dma-debug: fix sg checks in debug_dma_map_sg() NFSD: Keep existing listeners on portlist error xtensa: xtfpga: Try software restart before simulating CPU reset xtensa: xtfpga: use CONFIG_USE_OF instead of CONFIG_OF ARM: dts: at91: sama5d2_som1_ek: disable ISC node by default UPSTREAM: crypto: arm/blake2s - fix for big endian ANDROID: gki_defconfig: enable BLAKE2b support BACKPORT: crypto: arm/blake2b - add NEON-accelerated BLAKE2b BACKPORT: crypto: blake2b - update file comment BACKPORT: crypto: blake2b - sync with blake2s implementation UPSTREAM: wireguard: Kconfig: select CRYPTO_BLAKE2S_ARM UPSTREAM: crypto: arm/blake2s - add ARM scalar optimized BLAKE2s UPSTREAM: crypto: blake2s - include <linux/bug.h> instead of <asm/bug.h> UPSTREAM: crypto: blake2s - adjust include guard naming UPSTREAM: crypto: blake2s - add comment for blake2s_state fields UPSTREAM: crypto: blake2s - optimize blake2s initialization BACKPORT: crypto: blake2s - share the "shash" API boilerplate code UPSTREAM: crypto: blake2s - move update and final logic to internal/blake2s.h UPSTREAM: crypto: blake2s - remove unneeded includes UPSTREAM: crypto: x86/blake2s - define shash_alg structs using macros UPSTREAM: crypto: blake2s - define shash_alg structs using macros UPSTREAM: crypto: lib/blake2s - Move selftest prototype into header file UPSTREAM: crypto: blake2b - Fix clang optimization for ARMv7-M UPSTREAM: crypto: blake2b - rename tfm context and _setkey callback UPSTREAM: crypto: blake2b - merge _update to api callback UPSTREAM: crypto: blake2b - open code set last block helper UPSTREAM: crypto: blake2b - delete unused structs or members UPSTREAM: crypto: blake2b - simplify key init UPSTREAM: crypto: blake2b - merge blake2 init to api callback UPSTREAM: crypto: blake2b - merge _final implementation to callback BACKPORT: crypto: testmgr - add test vectors for blake2b BACKPORT: crypto: blake2b - add blake2b generic implementation Linux 4.19.213 r8152: select CRC32 and CRYPTO/CRYPTO_HASH/CRYPTO_SHA256 qed: Fix missing error code in qed_slowpath_start() mqprio: Correct stats in mqprio_dump_class_stats(). acpi/arm64: fix next_platform_timer() section mismatch error drm/msm/dsi: fix off by one in dsi_bus_clk_enable error handling drm/msm/dsi: Fix an error code in msm_dsi_modeset_init() drm/msm: Fix null pointer dereference on pointer edp platform/mellanox: mlxreg-io: Fix argument base in kstrtou32() call pata_legacy: fix a couple uninitialized variable bugs NFC: digital: fix possible memory leak in digital_in_send_sdd_req() NFC: digital: fix possible memory leak in digital_tg_listen_mdaa() nfc: fix error handling of nfc_proto_register() ethernet: s2io: fix setting mac address during resume net: encx24j600: check error in devm_regmap_init_encx24j600 net: korina: select CRC32 net: arc: select CRC32 sctp: account stream padding length for reconf chunk iio: dac: ti-dac5571: fix an error code in probe() iio: ssp_sensors: fix error code in ssp_print_mcu_debug() iio: ssp_sensors: add more range checking in ssp_parse_dataframe() iio: light: opt3001: Fixed timeout error when 0 lux iio: adc128s052: Fix the error handling path of 'adc128_probe()' iio: adc: aspeed: set driver data when adc probe. x86/Kconfig: Do not enable AMD_MEM_ENCRYPT_ACTIVE_BY_DEFAULT automatically nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells virtio: write back F_VERSION_1 before validate USB: serial: option: add prod. id for Quectel EG91 USB: serial: option: add Telit LE910Cx composition 0x1204 USB: serial: option: add Quectel EC200S-CN module support USB: serial: qcserial: add EM9191 QDL support Input: xpad - add support for another USB ID of Nacon GC-100 usb: musb: dsps: Fix the probe error path efi: Change down_interruptible() in virt_efi_reset_system() to down_trylock() efi/cper: use stack buffer for error record decoding cb710: avoid NULL pointer subtraction xhci: Enable trust tx length quirk for Fresco FL11 USB controller xhci: Fix command ring pointer corruption while aborting a command xhci: guard accesses to ep_state in xhci_endpoint_reset() mei: me: add Ice Lake-N device id. x86/resctrl: Free the ctrlval arrays when domain_setup_mon_state() fails btrfs: check for error when looking up inode during dir entry replay btrfs: deal with errors when adding inode reference during log replay btrfs: deal with errors when replaying dir entry during log replay s390: fix strrchr() implementation nds32/ftrace: Fix Error: invalid operands (*UND* and *UND* sections) for `^' ALSA: hda/realtek - ALC236 headset MIC recording issue ALSA: hda/realtek: Add quirk for Clevo X170KM-G ALSA: hda/realtek: Complete partial device name to avoid ambiguity ALSA: seq: Fix a potential UAF by wrong private_free call order Linux 4.19.212 sched: Always inline is_percpu_thread() perf/x86: Reset destroy callback on event init failure scsi: virtio_scsi: Fix spelling mistake "Unsupport" -> "Unsupported" scsi: ses: Fix unsigned comparison with less than zero net: sun: SUNVNET_COMMON should depend on INET mac80211: check return value of rhashtable_init net: prevent user from passing illegal stab size m68k: Handle arrivals of multiple signals correctly mac80211: Drop frames from invalid MAC address in ad-hoc mode netfilter: ip6_tables: zero-initialize fragment offset HID: apple: Fix logical maximum and usage maximum of Magic Keyboard JIS net: phy: bcm7xxx: Fixed indirect MMD operations Revert "lib/timerqueue: Rely on rbtree semantics for next timer" Linux 4.19.211 x86/Kconfig: Correct reference to MWINCHIP3D i2c: acpi: fix resource leak in reconfiguration device addition i40e: Fix freeing of uninitialized misc IRQ vector i40e: fix endless loop under rtnl rtnetlink: fix if_nlmsg_stats_size() under estimation drm/nouveau/debugfs: fix file release memory leak netlink: annotate data races around nlk->bound net: sfp: Fix typo in state machine debug string net: bridge: use nla_total_size_64bit() in br_get_linkxstats_size() ARM: imx6: disable the GIC CPU interface before calling stby-poweroff sequence ptp_pch: Load module automatically if ID matches powerpc/fsl/dts: Fix phy-connection-type for fm1mac3 net_sched: fix NULL deref in fifo_set_limit() phy: mdio: fix memory leak bpf: Fix integer overflow in prealloc_elems_and_freelist() bpf, arm: Fix register clobbering in div/mod implementation xtensa: call irqchip_init only when CONFIG_USE_OF is selected bpf, mips: Validate conditional branch offsets ARM: dts: qcom: apq8064: use compatible which contains chipid ARM: dts: omap3430-sdp: Fix NAND device node xen/balloon: fix cancelled balloon action nfsd4: Handle the NFSv4 READDIR 'dircount' hint being zero ovl: fix missing negative dentry check in ovl_rename() xen/privcmd: fix error handling in mmap-resource processing USB: cdc-acm: fix break reporting USB: cdc-acm: fix racy tty buffer accesses Partially revert "usb: Kconfig: using select for USB_COMMON dependency" ANDROID: Different fix for KABI breakage in 4.19.209 in struct sock ANDROID: GKI: update .xml file for struct sock change Linux 4.19.210 lib/timerqueue: Rely on rbtree semantics for next timer libata: Add ATA_HORKAGE_NO_NCQ_ON_ATI for Samsung 860 and 870 SSD. tools/vm/page-types: remove dependency on opt_file for idle page tracking scsi: ses: Retry failed Send/Receive Diagnostic commands selftests: be sure to make khdr before other targets usb: dwc2: check return value after calling platform_get_resource() usb: testusb: Fix for showing the connection speed scsi: sd: Free scsi_disk device via put_device() ext2: fix sleeping in atomic bugs on error sparc64: fix pci_iounmap() when CONFIG_PCI is not set xen-netback: correct success/error reporting for the SKB-with-fraglist case net: mdio: introduce a shutdown method to mdio device drivers ANDROID: Fix up KABI breakage in 4.19.209 in struct sock FROMLIST: dm-verity: skip verity_handle_error on I/O errors Linux 4.19.209 cred: allow get_cred() and put_cred() to be given NULL. HID: usbhid: free raw_report buffers in usbhid_stop netfilter: ipset: Fix oversized kvmalloc() calls HID: betop: fix slab-out-of-bounds Write in betop_probe crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd() usb: hso: remove the bailout parameter usb: hso: fix error handling code of hso_create_net_device hso: fix bailout in error case of probe ARM: 9098/1: ftrace: MODULE_PLT: Fix build problem without DYNAMIC_FTRACE ARM: 9079/1: ftrace: Add MODULE_PLTS support ARM: 9078/1: Add warn suppress parameter to arm_gen_branch_link() ARM: 9077/1: PLT: Move struct plt_entries definition to header EDAC/synopsys: Fix wrong value type assignment for edac_mode net: udp: annotate data race around udp_sk(sk)->corkflag ext4: fix potential infinite loop in ext4_dx_readdir() ipack: ipoctal: fix module reference leak ipack: ipoctal: fix missing allocation-failure check ipack: ipoctal: fix tty-registration error handling ipack: ipoctal: fix tty registration race ipack: ipoctal: fix stack information leak elf: don't use MAP_FIXED_NOREPLACE for elf interpreter mappings af_unix: fix races in sk_peer_pid and sk_peer_cred accesses scsi: csiostor: Add module softdep on cxgb4 Revert "block, bfq: honor already-setup queue merges" e100: fix buffer overrun in e100_get_regs e100: fix length calculation in e100_get_regs_len hwmon: (tmp421) fix rounding for negative values hwmon: (tmp421) report /PVLD condition as fault hwmon: (tmp421) Replace S_<PERMS> with octal values sctp: break out if skb_header_pointer returns NULL in sctp_rcv_ootb mac80211: limit injected vht mcs/nss in ieee80211_parse_tx_radiotap mac80211: Fix ieee80211_amsdu_aggregate frag_tail bug hwmon: (mlxreg-fan) Return non-zero value when fan current state is enforced from sysfs ipvs: check that ip_vs_conn_tab_bits is between 8 and 20 drm/amd/display: Pass PCI deviceid into DC x86/kvmclock: Move this_cpu_pvti into kvmclock.h mac80211: fix use-after-free in CCMP/GCMP RX cpufreq: schedutil: Destroy mutex before kobject_put() frees the memory cpufreq: schedutil: Use kobject release() method to free sugov_tunables tty: Fix out-of-bound vmalloc access in imageblit qnx4: work around gcc false positive warning bug xen/balloon: fix balloon kthread freezing tcp: adjust rto_base in retransmits_timed_out() tcp: create a helper to model exponential backoff tcp: always set retrans_stamp on recovery tcp: address problems caused by EDT misshaps PCI: aardvark: Fix checking for PIO status arm64: dts: marvell: armada-37xx: Extend PCIe MEM space erofs: fix up erofs_lookup tracepoint spi: Fix tegra20 build with CONFIG_PM=n net: 6pack: Fix tx timeout and slot time alpha: Declare virt_to_phys and virt_to_bus parameter as pointer to volatile arm64: Mark __stack_chk_guard as __ro_after_init parisc: Use absolute_pointer() to define PAGE0 qnx4: avoid stringop-overread errors sparc: avoid stringop-overread errors net: i825xx: Use absolute_pointer for memcpy from fixed memory location compiler.h: Introduce absolute_pointer macro nvme-multipath: fix ANA state updates when a namespace is not present xen/balloon: use a kernel thread instead a workqueue m68k: Double cast io functions to unsigned long net: stmmac: allow CSR clock of 300MHz net: macb: fix use after free on rmmod blktrace: Fix uaf in blk_trace access after removing by sysfs md: fix a lock order reversal in md_alloc irqchip/gic-v3-its: Fix potential VPE leak on error irqchip/goldfish-pic: Select GENERIC_IRQ_CHIP to fix build thermal/core: Potential buffer overflow in thermal_build_list_of_policies() fpga: machxo2-spi: Fix missing error code in machxo2_write_complete() fpga: machxo2-spi: Return an error on failure tty: synclink_gt: rename a conflicting function name tty: synclink_gt, drop unneeded forward declarations scsi: iscsi: Adjust iface sysfs attr detection net/mlx4_en: Don't allow aRFS for encapsulated packets gpio: uniphier: Fix void functions to remove return value net/smc: add missing error check in smc_clc_prfx_set() bnxt_en: Fix TX timeout when TX ring size is set to the smallest net: hso: fix muxed tty registration serial: mvebu-uart: fix driver's tx_empty callback mcb: fix error handling in mcb_alloc_bus() USB: serial: option: add device id for Foxconn T99W265 USB: serial: option: remove duplicate USB device ID USB: serial: option: add Telit LN920 compositions USB: serial: mos7840: remove duplicated 0xac24 device ID Re-enable UAS for LaCie Rugged USB3-FW with fk quirk staging: greybus: uart: fix tty use after free USB: cdc-acm: fix minor-number release USB: serial: cp210x: add ID for GW Instek GDM-834x Digital Multimeter usb-storage: Add quirk for ScanLogic SL11R-IDE older than 2.6c xen/x86: fix PV trap handling on secondary processors cifs: fix incorrect check for null pointer in header_assemble usb: musb: tusb6010: uninitialized data in tusb_fifo_write_unaligned() usb: dwc2: gadget: Fix ISOC transfer complete handling for DDMA usb: gadget: r8a66597: fix a loop in set_feature() ocfs2: drop acl cache for directories too ANDROID: GKI: update ABI xml ANDROID: GKI: Update aarch64 cuttlefish symbol list ANDROID: GKI: rework the ANDROID_KABI_USE() macro to not use __UNIQUE() BACKPORT: loop: Set correct device size when using LOOP_CONFIGURE Linux 4.19.208 drm/nouveau/nvkm: Replace -ENOSYS with -ENODEV blk-throttle: fix UAF by deleteing timer in blk_throtl_exit() pwm: stm32-lp: Don't modify HW state in .remove() callback pwm: rockchip: Don't modify HW state in .remove() callback pwm: img: Don't modify HW state in .remove() callback nilfs2: fix memory leak in nilfs_sysfs_delete_snapshot_group nilfs2: fix memory leak in nilfs_sysfs_create_snapshot_group nilfs2: fix memory leak in nilfs_sysfs_delete_##name##_group nilfs2: fix memory leak in nilfs_sysfs_create_##name##_group nilfs2: fix NULL pointer in nilfs_##name##_attr_release nilfs2: fix memory leak in nilfs_sysfs_create_device_group ceph: lockdep annotations for try_nonblocking_invalidate dmaengine: xilinx_dma: Set DMA mask for coherent APIs dmaengine: ioat: depends on !UML dmaengine: sprd: Add missing MODULE_DEVICE_TABLE parisc: Move pci_dev_is_behind_card_dino to where it is used drivers: base: cacheinfo: Get rid of DEFINE_SMP_CALL_CACHE_FUNCTION() Kconfig.debug: drop selecting non-existing HARDLOCKUP_DETECTOR_ARCH pwm: lpc32xx: Don't modify HW state in .probe() after the PWM chip was registered profiling: fix shift-out-of-bounds bugs nilfs2: use refcount_dec_and_lock() to fix potential UAF prctl: allow to setup brk for et_dyn executables 9p/trans_virtio: Remove sysfs file on probe failure thermal/drivers/exynos: Fix an error code in exynos_tmu_probe() dmaengine: acpi: Avoid comparison GSI with Linux vIRQ sctp: add param size validation for SCTP_PARAM_SET_PRIMARY sctp: validate chunk size in __rcv_asconf_lookup tracing/kprobe: Fix kprobe_on_func_entry() modification crypto: talitos - fix max key size for sha384 and sha512 apparmor: remove duplicate macro list_entry_is_head() rcu: Fix missed wakeup of exp_wq waiters KVM: remember position in kvm->vcpus array s390/bpf: Fix optimizing out zero-extensions Linux 4.19.207 s390/bpf: Fix 64-bit subtraction of the -0x80000000 constant net: renesas: sh_eth: Fix freeing wrong tx descriptor ip_gre: validate csum_start only on pull qlcnic: Remove redundant unlock in qlcnic_pinit_from_rom fq_codel: reject silly quantum parameters netfilter: socket: icmp6: fix use-after-scope net: dsa: b53: Fix calculating number of switch ports ARC: export clear_user_page() for modules mtd: rawnand: cafe: Fix a resource leak in the error handling path of 'cafe_nand_probe()' PCI: Sync __pci_register_driver() stub for CONFIG_PCI=n KVM: arm64: Handle PSCI resets before userspace touches vCPU state PCI: Fix pci_dev_str_match_path() alloc while atomic bug mfd: axp20x: Update AXP288 volatile ranges NTB: perf: Fix an error code in perf_setup_inbuf() ethtool: Fix an error code in cxgb2.c block, bfq: honor already-setup queue merges net: usb: cdc_mbim: avoid altsetting toggling for Telit LN920 PCI: Add ACS quirks for Cavium multi-function devices mfd: Don't use irq_create_mapping() to resolve a mapping dt-bindings: mtd: gpmc: Fix the ECC bytes vs. OOB bytes equation KVM: s390: index kvm->arch.idle_mask by vcpu_idx mm/memory_hotplug: use "unsigned long" for PFN in zone_for_pfn_range() net: hns3: pad the short tunnel frame before sending to hardware ibmvnic: check failover_pending in login response qed: Handle management FW error tcp: fix tp->undo_retrans accounting in tcp_sacktag_one() net: dsa: destroy the phylink instance on any error in dsa_slave_phy_setup net/af_unix: fix a data-race in unix_dgram_poll events: Reuse value read using READ_ONCE instead of re-reading it net/mlx5: Fix potential sleeping in atomic context perf machine: Initialize srcline string member in add_location struct tipc: increase timeout in tipc_sk_enqueue() r6040: Restore MDIO clock frequency after MAC reset net/l2tp: Fix reference count leak in l2tp_udp_recv_core dccp: don't duplicate ccid when cloning dccp sock ptp: dp83640: don't define PAGE0 net-caif: avoid user-triggerable WARN_ON(1) tipc: fix an use-after-free issue in tipc_recvmsg x86/mm: Fix kern_addr_valid() to cope with existing but not present entries PCI: Add AMD GPU multi-function power dependencies PM: base: power: don't try to use non-existing RTC for storing data arm64/sve: Use correct size when reinitialising SVE state bnx2x: Fix enabling network interfaces without VFs xen: reset legacy rtc flag for PV domU dm thin metadata: Fix use-after-free in dm_bm_set_read_only drm/amdgpu: Fix BUG_ON assert platform/chrome: cros_ec_proto: Send command again when timeout occurs memcg: enable accounting for pids in nested pid namespaces mm/hugetlb: initialize hugetlb_usage in mm_init cpufreq: powernv: Fix init_chip_info initialization in numa=off scsi: qla2xxx: Sync queue idx with queue_pair_map idx scsi: BusLogic: Fix missing pr_cont() use ovl: fix BUG_ON() in may_delete() when called from ovl_cleanup() parisc: fix crash with signals and alloca net: w5100: check return value after calling platform_get_resource() net: fix NULL pointer reference in cipso_v4_doi_free ath9k: fix sleeping in atomic context ath9k: fix OOB read ar9300_eeprom_restore_internal parport: remove non-zero check on count ASoC: rockchip: i2s: Fixup config for DAIFMT_DSP_A/B ASoC: rockchip: i2s: Fix regmap_ops hang usbip:vhci_hcd USB port can get stuck in the disabled state usbip: give back URBs for unsent unlink requests during cleanup usb: musb: musb_dsps: request_irq() after initializing musb Revert "USB: xhci: fix U1/U2 handling for hardware with XHCI_INTEL_HOST quirk set" cifs: fix wrong release in sess_alloc_buffer() failed path mmc: core: Return correct emmc response in case of ioctl error selftests/bpf: Enlarge select() timeout for test_maps mmc: rtsx_pci: Fix long reads when clock is prescaled mmc: sdhci-of-arasan: Check return value of non-void funtions of: Don't allow __of_attached_node_sysfs() without CONFIG_SYSFS gfs2: Don't call dlm after protocol is unmounted staging: rts5208: Fix get_ms_information() heap buffer size rpc: fix gss_svc_init cleanup on failure tcp: enable data-less, empty-cookie SYN with TFO_SERVER_COOKIE_NOT_REQD serial: sh-sci: fix break handling for sysrq Bluetooth: Fix handling of LE Enhanced Connection Complete ARM: tegra: tamonten: Fix UART pad setting gpu: drm: amd: amdgpu: amdgpu_i2c: fix possible uninitialized-variable access in amdgpu_i2c_router_select_ddc_port() Bluetooth: avoid circular locks in sco_sock_connect Bluetooth: schedule SCO timeouts with delayed_work net: ethernet: stmmac: Do not use unreachable() in ipq806x_gmac_probe() arm64: dts: qcom: sdm660: use reg value for memory node ARM: dts: imx53-ppd: Fix ACHC entry media: tegra-cec: Handle errors of clk_prepare_enable() media: TDA1997x: fix tda1997x_query_dv_timings() return value media: v4l2-dv-timings.c: fix wrong condition in two for-loops media: imx258: Limit the max analogue gain to 480 media: imx258: Rectify mismatch of VTS value ASoC: Intel: bytcr_rt5640: Move "Platform Clock" routes to the maps for the matching in-/output bonding: 3ad: fix the concurrency between __bond_release_one() and bond_3ad_state_machine_handler() Bluetooth: skip invalid hci_sync_conn_complete_evt ata: sata_dwc_460ex: No need to call phy_exit() befre phy_init() samples: bpf: Fix tracex7 error raised on the missing argument staging: ks7010: Fix the initialization of the 'sleep_status' structure serial: 8250_pci: make setup_port() parameters explicitly unsigned hvsi: don't panic on tty_register_driver failure xtensa: ISS: don't panic in rs_init serial: 8250: Define RX trigger levels for OxSemi 950 devices s390/jump_label: print real address in a case of a jump label bug flow_dissector: Fix out-of-bounds warnings ipv4: ip_output.c: Fix out-of-bounds warning in ip_copy_addrs() video: fbdev: riva: Error out if 'pixclock' equals zero video: fbdev: kyro: Error out if 'pixclock' equals zero video: fbdev: asiliantfb: Error out if 'pixclock' equals zero bpf/tests: Do not PASS tests without actually testing the result bpf/tests: Fix copy-and-paste error in double word test drm/amd/amdgpu: Update debugfs link_settings output link_rate field in hex tty: serial: jsm: hold port lock when reporting modem line changes staging: board: Fix uninitialized spinlock when attaching genpd usb: gadget: composite: Allow bMaxPower=0 if self-powered usb: gadget: u_ether: fix a potential null pointer dereference usb: host: fotg210: fix the actual_length of an iso packet usb: host: fotg210: fix the endpoint's transactional opportunities calculation Smack: Fix wrong semantics in smk_access_entry() netlink: Deal with ESRCH error in nlmsg_notify() video: fbdev: kyro: fix a DoS bug by restricting user input ARM: dts: qcom: apq8064: correct clock names iio: dac: ad5624r: Fix incorrect handling of an optional regulator. tipc: keep the skb in rcv queue until the whole data is read PCI: Use pci_update_current_state() in pci_enable_device_flags() crypto: mxs-dcp - Use sg_mapping_iter to copy data media: dib8000: rewrite the init prbs logic userfaultfd: prevent concurrent API initialization MIPS: Malta: fix alignment of the devicetree buffer f2fs: fix to unmap pages from userspace process in punch_hole() f2fs: fix to account missing .skipped_gc_rwsem fscache: Fix cookie key hashing platform/x86: dell-smbios-wmi: Add missing kfree in error-exit from run_smbios_call scsi: qedi: Fix error codes in qedi_alloc_global_queues() pinctrl: single: Fix error return code in pcs_parse_bits_in_pinctrl_entry() openrisc: don't printk() unconditionally powerpc/stacktrace: Include linux/delay.h vfio: Use config not menuconfig for VFIO_NOIOMMU pinctrl: samsung: Fix pinctrl bank pin count docs: Fix infiniband uverbs minor number RDMA/iwcm: Release resources if iw_cm module initialization fails HID: input: do not report stylus battery state as "full" PCI: aardvark: Fix masking and unmasking legacy INTx interrupts PCI: aardvark: Increase polling delay to 1.5s while waiting for PIO response PCI: xilinx-nwl: Enable the clock through CCF PCI: Return ~0 data on pciconfig_read() CAP_SYS_ADMIN failure PCI: Restrict ASMedia ASM1062 SATA Max Payload Size Supported ARM: 9105/1: atags_to_fdt: don't warn about stack size libata: add ATA_HORKAGE_NO_NCQ_TRIM for Samsung 860 and 870 SSDs media: rc-loopback: return number of emitters rather than error media: uvc: don't do DMA on stack VMCI: fix NULL pointer dereference when unmapping queue pair dm crypt: Avoid percpu_counter spinlock contention in crypt_page_alloc() power: supply: max17042: handle fails of reading status register block: bfq: fix bfq_set_next_ioprio_data() crypto: public_key: fix overflow during implicit conversion arm64: head: avoid over-mapping in map_memory soc: aspeed: lpc-ctrl: Fix boundary check for mmap tools/thermal/tmon: Add cross compiling support bpf: Fix pointer arithmetic mask tightening under state pruning bpf: verifier: Allocate idmap scratch in verifier env bpf: Fix leakage due to insufficient speculative store bypass mitigation bpf: Introduce BPF nospec instruction for mitigating Spectre v4 selftests/bpf: fix tests due to const spill/fill bpf: track spill/fill of constants selftests/bpf: Test variable offset stack access bpf: Sanity check max value for var_off stack access bpf: Reject indirect var_off stack access in unpriv mode bpf: Reject indirect var_off stack access in raw mode bpf: Support variable offset stack access from helpers bpf: correct slot_type marking logic to allow more stack slot sharing bpf/verifier: per-register parent pointers 9p/xen: Fix end of loop tests for list_for_each_entry include/linux/list.h: add a macro to test if entry is pointing to the head xen: fix setting of max_pfn in shared_info powerpc/perf/hv-gpci: Fix counter value parsing PCI/MSI: Skip masking MSI-X on Xen PV blk-zoned: allow BLKREPORTZONE without CAP_SYS_ADMIN blk-zoned: allow zone management send operations without CAP_SYS_ADMIN btrfs: reset replace target device to allocation state on close rtc: tps65910: Correct driver module alias clk: kirkwood: Fix a clocking boot regression backlight: pwm_bl: Improve bootloader/kernel device handover fbmem: don't allow too huge resolutions IMA: remove the dependency on CRYPTO_MD5 IMA: remove -Wmissing-prototypes warning KVM: x86: Update vCPU's hv_clock before back to guest when tsc_offset is adjusted x86/resctrl: Fix a maybe-uninitialized build warning treated as error tty: Fix data race between tiocsti() and flush_to_ldisc() ubifs: report correct st_size for encrypted symlinks f2fs: report correct st_size for encrypted symlinks ext4: report correct st_size for encrypted symlinks fscrypt: add fscrypt_symlink_getattr() for computing st_size netns: protect netns ID lookups with RCU ipv4: fix endianness issue in inet_rtm_getroute_build_skb() net: qualcomm: fix QCA7000 checksum handling net: sched: Fix qdisc_rate_table refcount leak when get tcf_block failed ipv4: make exception cache less predictible bcma: Fix memory leak for internally-handled cores ath6kl: wmi: fix an error code in ath6kl_wmi_sync_point() tty: serial: fsl_lpuart: fix the wrong mapbase value usb: bdc: Fix an error handling path in 'bdc_probe()' when no suitable DMA config is available usb: ehci-orion: Handle errors of clk_prepare_enable() in probe i2c: mt65xx: fix IRQ check CIFS: Fix a potencially linear read overflow mmc: moxart: Fix issue with uninitialized dma_slave_config mmc: dw_mmc: Fix issue with uninitialized dma_slave_config i2c: s3c2410: fix IRQ check i2c: iop3xx: fix deferred probing Bluetooth: add timeout sanity check to hci_inquiry usb: gadget: mv_u3d: request_irq() after initializing UDC mac80211: Fix insufficient headroom issue for AMSDU usb: phy: tahvo: add IRQ check usb: host: ohci-tmio: add IRQ check Bluetooth: Move shutdown callback before flushing tx and rx queue usb: phy: twl6030: add IRQ checks usb: phy: fsl-usb: add IRQ check usb: gadget: udc: at91: add IRQ check drm/msm/dsi: Fix some reference counted resource leaks Bluetooth: fix repeated calls to sco_sock_kill arm64: dts: exynos: correct GIC CPU interfaces address range on Exynos7 drm/msm/dpu: make dpu_hw_ctl_clear_all_blendstages clear necessary LMs Bluetooth: increase BTNAMSIZ to 21 chars to fix potential buffer overflow soc: qcom: smsm: Fix missed interrupts if state changes while masked PCI: PM: Enable PME if it can be signaled from D3cold PCI: PM: Avoid forcing PCI_D0 for wakeup reasons inconsistently media: venus: venc: Fix potential null pointer dereference on pointer fmt media: em28xx-input: fix refcount bug in em28xx_usb_disconnect i2c: highlander: add IRQ check net: cipso: fix warnings in netlbl_cipsov4_add_std tcp: seq_file: Avoid skipping sk during tcp_seek_last_pos Bluetooth: sco: prevent information leak in sco_conn_defer_accept() media: go7007: remove redundant initialization media: dvb-usb: fix uninit-value in vp702x_read_mac_addr media: dvb-usb: fix uninit-value in dvb_usb_adapter_dvb_init soc: rockchip: ROCKCHIP_GRF should not default to y, unconditionally media: TDA1997x: enable EDID support spi: sprd: Fix the wrong WDG_LOAD_VAL certs: Trigger creation of RSA module signing key if it's not an RSA key crypto: qat - use proper type for vf_mask clocksource/drivers/sh_cmt: Fix wrong setting if don't request IRQ for clock source channel lib/mpi: use kcalloc in mpi_resize spi: spi-pic32: Fix issue with uninitialized dma_slave_config spi: spi-fsl-dspi: Fix issue with uninitialized dma_slave_config m68k: emu: Fix invalid free in nfeth_cleanup() udf_get_extendedattr() had no boundary checks. fcntl: fix potential deadlock for &fasync_struct.fa_lock crypto: qat - do not export adf_iov_putmsg() crypto: qat - fix naming for init/shutdown VF to PF notifications crypto: qat - fix reuse of completion variable crypto: qat - handle both source of interrupt in VF ISR crypto: qat - do not ignore errors from enable_vf2pf_comms() libata: fix ata_host_start() s390/cio: add dev_busid sysfs entry for each subchannel power: supply: max17042_battery: fix typo in MAx17042_TOFF nvme-rdma: don't update queue count when failing to set io queues bcache: add proper error unwinding in bcache_device_init isofs: joliet: Fix iocharset=utf8 mount option udf: Check LVID earlier hrtimer: Avoid double reprogramming in __hrtimer_start_range_ns() sched/deadline: Fix missing clock update in migrate_task_rq_dl() crypto: omap-sham - clear dma flags only after omap_sham_update_dma_stop() power: supply: axp288_fuel_gauge: Report register-address on readb / writeb errors sched/deadline: Fix reset_on_fork reporting of DL tasks crypto: mxs-dcp - Check for DMA mapping errors regmap: fix the offset of register error log locking/mutex: Fix HANDOFF condition PCI: Call Max Payload Size-related fixup quirks early x86/reboot: Limit Dell Optiplex 990 quirk to early BIOS versions usb: mtu3: fix the wrong HS mult value usb: mtu3: use @mult for HS isoc or intr usb: host: xhci-rcar: Don't reload firmware after the completion ALSA: usb-audio: Add registration quirk for JBL Quantum 800 Revert "btrfs: compression: don't try to compress if we don't have enough pages" mm/page_alloc: speed up the iteration of max_order net: ll_temac: Remove left-over debug message powerpc/boot: Delete unneeded .globl _zimage_start powerpc/module64: Fix comment in R_PPC64_ENTRY handling crypto: talitos - reduce max key size for SEC1 SUNRPC/nfs: Fix return value for nfs4_callback_compound() ipv4/icmp: l3mdev: Perform icmp error route lookup on source device routing table (v2) USB: serial: mos7720: improve OOM-handling in read_mos_reg() igmp: Add ip_mc_list lock in ip_check_mc_rcu ARM: imx: fix missing 3rd argument in macro imx_mmdc_perf_init ARM: imx: add missing clk_disable_unprepare() media: stkwebcam: fix memory leak in stk_camera_probe clk: fix build warning for orphan_list ALSA: pcm: fix divide error in snd_pcm_lib_ioctl ARM: 8918/2: only build return_address() if needed cryptoloop: add a deprecation warning perf/x86/amd/ibs: Work around erratum #1197 perf/x86/intel/pt: Fix mask of num_address_ranges qede: Fix memset corruption net: macb: Add a NULL check on desc_ptp qed: Fix the VF msix vectors flow gpu: ipu-v3: Fix i.MX IPU-v3 offset calculations for (semi)planar U/V formats xtensa: fix kconfig unmet dependency warning for HAVE_FUTEX_CMPXCHG ext4: fix race writing to an inline_data file while its xattrs are changing Change-Id: I08884d5bddbf0379ea1fa1b8adea086f4fd5a87d Signed-off-by: UtsavBalar1231 <utsavbalar1231@gmail.com> Conflicts: arch/arm/Makefile drivers/clk/clk.c drivers/nvmem/core.c include/trace/events/f2fs.h kernel/sched/cpufreq_schedutil.c kernel/time/hrtimer.c mm/page_alloc.c net/ipv4/tcp_timer.c |
||
Alexander Mikhalitsyn
|
4e91adc737 |
shm: extend forced shm destroy to support objects from several IPC nses
commit 85b6d24646e4125c591639841169baa98a2da503 upstream.
Currently, the exit_shm() function not designed to work properly when
task->sysvshm.shm_clist holds shm objects from different IPC namespaces.
This is a real pain when sysctl kernel.shm_rmid_forced = 1, because it
leads to use-after-free (reproducer exists).
This is an attempt to fix the problem by extending exit_shm mechanism to
handle shm's destroy from several IPC ns'es.
To achieve that we do several things:
1. add a namespace (non-refcounted) pointer to the struct shmid_kernel
2. during new shm object creation (newseg()/shmget syscall) we
initialize this pointer by current task IPC ns
3. exit_shm() fully reworked such that it traverses over all shp's in
task->sysvshm.shm_clist and gets IPC namespace not from current task
as it was before but from shp's object itself, then call
shm_destroy(shp, ns).
Note: We need to be really careful here, because as it was said before
(1), our pointer to IPC ns non-refcnt'ed. To be on the safe side we
using special helper get_ipc_ns_not_zero() which allows to get IPC ns
refcounter only if IPC ns not in the "state of destruction".
Q/A
Q: Why can we access shp->ns memory using non-refcounted pointer?
A: Because shp object lifetime is always shorther than IPC namespace
lifetime, so, if we get shp object from the task->sysvshm.shm_clist
while holding task_lock(task) nobody can steal our namespace.
Q: Does this patch change semantics of unshare/setns/clone syscalls?
A: No. It's just fixes non-covered case when process may leave IPC
namespace without getting task->sysvshm.shm_clist list cleaned up.
Link: https://lkml.kernel.org/r/67bb03e5-f79c-1815-e2bf-949c67047418@colorfullife.com
Link: https://lkml.kernel.org/r/20211109151501.4921-1-manfred@colorfullife.com
Fixes:
|
||
Alexander Mikhalitsyn
|
766e08a7af |
ipc: WARN if trying to remove ipc object which is absent
commit 126e8bee943e9926238c891e2df5b5573aee76bc upstream. Patch series "shm: shm_rmid_forced feature fixes". Some time ago I met kernel crash after CRIU restore procedure, fortunately, it was CRIU restore, so, I had dump files and could do restore many times and crash reproduced easily. After some investigation I've constructed the minimal reproducer. It was found that it's use-after-free and it happens only if sysctl kernel.shm_rmid_forced = 1. The key of the problem is that the exit_shm() function not handles shp's object destroy when task->sysvshm.shm_clist contains items from different IPC namespaces. In most cases this list will contain only items from one IPC namespace. How can this list contain object from different namespaces? The exit_shm() function is designed to clean up this list always when process leaves IPC namespace. But we made a mistake a long time ago and did not add a exit_shm() call into the setns() syscall procedures. The first idea was just to add this call to setns() syscall but it obviously changes semantics of setns() syscall and that's userspace-visible change. So, I gave up on this idea. The first real attempt to address the issue was just to omit forced destroy if we meet shp object not from current task IPC namespace [1]. But that was not the best idea because task->sysvshm.shm_clist was protected by rwsem which belongs to current task IPC namespace. It means that list corruption may occur. Second approach is just extend exit_shm() to properly handle shp's from different IPC namespaces [2]. This is really non-trivial thing, I've put a lot of effort into that but not believed that it's possible to make it fully safe, clean and clear. Thanks to the efforts of Manfred Spraul working an elegant solution was designed. Thanks a lot, Manfred! Eric also suggested the way to address the issue in ("[RFC][PATCH] shm: In shm_exit destroy all created and never attached segments") Eric's idea was to maintain a list of shm_clists one per IPC namespace, use lock-less lists. But there is some extra memory consumption-related concerns. An alternative solution which was suggested by me was implemented in ("shm: reset shm_clist on setns but omit forced shm destroy"). The idea is pretty simple, we add exit_shm() syscall to setns() but DO NOT destroy shm segments even if sysctl kernel.shm_rmid_forced = 1, we just clean up the task->sysvshm.shm_clist list. This chages semantics of setns() syscall a little bit but in comparision to the "naive" solution when we just add exit_shm() without any special exclusions this looks like a safer option. [1] https://lkml.org/lkml/2021/7/6/1108 [2] https://lkml.org/lkml/2021/7/14/736 This patch (of 2): Let's produce a warning if we trying to remove non-existing IPC object from IPC namespace kht/idr structures. This allows us to catch possible bugs when the ipc_rmid() function was called with inconsistent struct ipc_ids*, struct kern_ipc_perm* arguments. Link: https://lkml.kernel.org/r/20211027224348.611025-1-alexander.mikhalitsyn@virtuozzo.com Link: https://lkml.kernel.org/r/20211027224348.611025-2-alexander.mikhalitsyn@virtuozzo.com Co-developed-by: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Alexander Mikhalitsyn <alexander.mikhalitsyn@virtuozzo.com> Cc: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Greg KH <gregkh@linuxfoundation.org> Cc: Andrei Vagin <avagin@gmail.com> Cc: Pavel Tikhomirov <ptikhomirov@virtuozzo.com> Cc: Vasily Averin <vvs@virtuozzo.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
91d4544b24 |
This is the 4.19.124 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl7Ey84ACgkQONu9yGCS aT4enA/+JsigMJOLeEtEZ4Gf97S0HnxOIqvuz7759s07vTzwPV1BfQm2eafcS8Cl 8//BO73tDe+m5shH0mFCeFsy0p1qC4+ewIyLPnjulxls1BCZ86xK44/WD6N0DgX9 Fi0HACcObuNZD7814yIyrWaI9QHZO+OwJlmjCXBiZGC4gZwAnGcgY2+ffYf/hRv2 wgEyJF2Td0rORCOM3qp8Ipdt1S8inm2yZodGC5htSPajfBLPe8narmkOXxcN+tuB BvOwdTJoplmhNwpimWacytL+jQJYKHS/izPX0JYkFDfQ/bgOYXz3CWwa2DMOVsGd CQOHp4rK/Rl/caAANe3nD87jstRbaRKp7HZELCJ+KZrHpGfefAZs6g5j+LNC7KQt 6YloSnTQsnRC6nqu+b2ieI5KoZAfwWoyHrQf7obJi6PJF4Ge4XUbaLEDH9TuxZTN tZX5ZOGZ8/i32VgYqBA4mDAbV+n5TyEYl722XxXzgim73VUDl67F7JqtDxMMb4Ic KW98luDDXgoq+kM2FqWgXtjxoP4TpjRREjwCpNDEa03ydKW+dwM21D7IoQNtXUgT uE6aFPVuhRt5MAhOdSHtkSsbOjiJZjKuPKvYyUFvAQT5JMaYZg9pabnH89E6URQ9 x7M2JOvR/GMOmPRykQoewqV0027K37TYxBfRAzLbNFv8Iol/a7I= =pHmd -----END PGP SIGNATURE----- Merge 4.19.124 into android-4.19-stable Changes in 4.19.124 net: dsa: Do not make user port errors fatal shmem: fix possible deadlocks on shmlock_user_lock net/sonic: Fix a resource leak in an error handling path in 'jazz_sonic_probe()' net: moxa: Fix a potential double 'free_irq()' drop_monitor: work around gcc-10 stringop-overflow warning virtio-blk: handle block_device_operations callbacks after hot unplug scsi: sg: add sg_remove_request in sg_write mmc: sdhci-acpi: Add SDHCI_QUIRK2_BROKEN_64_BIT_DMA for AMDI0040 net: fix a potential recursive NETDEV_FEAT_CHANGE netlabel: cope with NULL catmap net: phy: fix aneg restart in phy_ethtool_set_eee pppoe: only process PADT targeted at local interfaces Revert "ipv6: add mtu lock check in __ip6_rt_update_pmtu" tcp: fix error recovery in tcp_zerocopy_receive() virtio_net: fix lockdep warning on 32 bit hinic: fix a bug of ndo_stop net: dsa: loop: Add module soft dependency net: ipv4: really enforce backoff for redirects netprio_cgroup: Fix unlimited memory leak of v2 cgroups net: tcp: fix rx timestamp behavior for tcp_recvmsg tcp: fix SO_RCVLOWAT hangs with fat skbs riscv: fix vdso build with lld dmaengine: pch_dma.c: Avoid data race between probe and irq handler dmaengine: mmp_tdma: Reset channel error on release cpufreq: intel_pstate: Only mention the BIOS disabling turbo mode once ALSA: hda/hdmi: fix race in monitor detection during probe drm/qxl: lost qxl_bo_kunmap_atomic_page in qxl_image_init_helper() ipc/util.c: sysvipc_find_ipc() incorrectly updates position index ALSA: hda/realtek - Fix S3 pop noise on Dell Wyse gfs2: Another gfs2_walk_metadata fix pinctrl: baytrail: Enable pin configuration setting for GPIO chip pinctrl: cherryview: Add missing spinlock usage in chv_gpio_irq_handler i40iw: Fix error handling in i40iw_manage_arp_cache() mmc: core: Check request type before completing the request mmc: block: Fix request completion in the CQE timeout path NFS: Fix fscache super_cookie index_key from changing after umount nfs: fscache: use timespec64 in inode auxdata NFSv4: Fix fscache cookie aux_data to ensure change_attr is included netfilter: conntrack: avoid gcc-10 zero-length-bounds warning arm64: fix the flush_icache_range arguments in machine_kexec netfilter: nft_set_rbtree: Introduce and use nft_rbtree_interval_start() IB/mlx4: Test return value of calls to ib_get_cached_pkey hwmon: (da9052) Synchronize access with mfd pnp: Use list_for_each_entry() instead of open coding gcc-10 warnings: fix low-hanging fruit kbuild: compute false-positive -Wmaybe-uninitialized cases in Kconfig Stop the ad-hoc games with -Wno-maybe-initialized gcc-10: disable 'zero-length-bounds' warning for now gcc-10: disable 'array-bounds' warning for now gcc-10: disable 'stringop-overflow' warning for now gcc-10: disable 'restrict' warning for now gcc-10: avoid shadowing standard library 'free()' in crypto ALSA: hda/realtek - Limit int mic boost for Thinkpad T530 ALSA: rawmidi: Fix racy buffer resize under concurrent accesses ALSA: usb-audio: Add control message quirk delay for Kingston HyperX headset usb: core: hub: limit HUB_QUIRK_DISABLE_AUTOSUSPEND to USB5534B usb: host: xhci-plat: keep runtime active when removing host USB: gadget: fix illegal array access in binding with UDC usb: xhci: Fix NULL pointer dereference when enqueuing trbs from urb sg list ARM: dts: dra7: Fix bus_dma_limit for PCIe ARM: dts: imx27-phytec-phycard-s-rdk: Fix the I2C1 pinctrl entries cifs: fix leaked reference on requeued write x86: Fix early boot crash on gcc-10, third try x86/unwind/orc: Fix error handling in __unwind_start() exec: Move would_dump into flush_old_exec clk: rockchip: fix incorrect configuration of rk3228 aclk_gpu* clocks dwc3: Remove check for HWO flag in dwc3_gadget_ep_reclaim_trb_sg() usb: gadget: net2272: Fix a memory leak in an error handling path in 'net2272_plat_probe()' usb: gadget: audio: Fix a missing error return value in audio_bind() usb: gadget: legacy: fix error return code in gncm_bind() usb: gadget: legacy: fix error return code in cdc_bind() Revert "ALSA: hda/realtek: Fix pop noise on ALC225" clk: Unlink clock if failed to prepare or enable arm64: dts: rockchip: Replace RK805 PMIC node name with "pmic" on rk3328 boards arm64: dts: rockchip: Rename dwc3 device nodes on rk3399 to make dtc happy ARM: dts: r8a73a4: Add missing CMT1 interrupts arm64: dts: renesas: r8a77980: Fix IPMMU VIP[01] nodes ARM: dts: r8a7740: Add missing extal2 to CPG node KVM: x86: Fix off-by-one error in kvm_vcpu_ioctl_x86_setup_mce Makefile: disallow data races on gcc-10 as well Linux 4.19.124 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I3d253f677cc08337e64d316005a0ec0c33717940 |
||
Vasily Averin
|
15e0db6e61 |
ipc/util.c: sysvipc_find_ipc() incorrectly updates position index
[ Upstream commit 5e698222c70257d13ae0816720dde57c56f81e15 ] Commit 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") is causing this bug (seen on 5.6.8): # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages # ipcmk -Q Message queue id: 0 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x82db8127 0 root 644 0 0 # ipcmk -Q Message queue id: 1 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x82db8127 0 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcrm -q 0 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x76d1fb2a 1 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcmk -Q Message queue id: 2 # ipcrm -q 2 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x76d1fb2a 1 root 644 0 0 0x76d1fb2a 1 root 644 0 0 # ipcmk -Q Message queue id: 3 # ipcrm -q 1 # ipcs -q ------ Message Queues -------- key msqid owner perms used-bytes messages 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 0x7c982867 3 root 644 0 0 Whenever an IPC item with a low id is deleted, the items with higher ids are duplicated, as if filling a hole. new_pos should jump through hole of unused ids, pos can be updated inside "for" cycle. Fixes: 89163f93c6f9 ("ipc/util.c: sysvipc_find_ipc() should increase position index") Reported-by: Andreas Schwab <schwab@suse.de> Reported-by: Randy Dunlap <rdunlap@infradead.org> Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Waiman Long <longman@redhat.com> Cc: NeilBrown <neilb@suse.com> Cc: Steven Rostedt <rostedt@goodmis.org> Cc: Ingo Molnar <mingo@redhat.com> Cc: Peter Oberparleiter <oberpar@linux.ibm.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: <stable@vger.kernel.org> Link: http://lkml.kernel.org/r/4921fe9b-9385-a2b4-1dc4-1099be6d2e39@virtuozzo.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
bedd88210d |
This is the 4.19.123 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl683cUACgkQONu9yGCS aT5x4w//UnAlC9sNBtBJwPEYwVlt5pS1+RvCbhS8MBmBvJ0f7noquOqMQ07c0lRI Ku9XUUHRYu9/EjvM7hQ319qxX5iwnfJLRnmhYuCQN1gI6w9zJNBEzQrBfr+qvvpI 2l8/io4uqqI8Yq7y9X59Vx3g+8IHiXyte6zBGpj3sdxUm5crxDyUfNnQhVDQ2Gx9 JpGre1Gf8uhlcLdzX5HwS4zeGIIpAF+P+OR4xOp2BXWdxH9BoGKCcmebaIoM5phP bfWvk/z6i4WFFqfueJS8nY4cjchPhDH6U+O/TSCw82QWRd9WXt9N/m+pg0WVRMyd MVWhyVLZbJNFL6b/xHSf810jeglmLgv/diZ/YY73qBVrAyzNHv5NvpQyJcpkxKHR UyXWcaNEOgzXogtwm5diZ6KDicHmrDADC5DsnoD7XmxzLytMcvSD/e707a3NFvBp 7oC96SI7u8tWyxnqVB7POE0DG1+daOhwvZdixe/7onoKZAuCCp/TyzAIbBn06uy4 +qOKbZqVbGbLZC7HsVtXP8jx/uC/+DCsEc+9d896uy2uIiA84QAmD94TOvYqapXV G5CfR+SuQYKAUZdFPyGJW6pyJCxULhbBJIMWgMjlaaOIEJfYP40EUM56qlN9eW4k JNBLEVpLjjf53JDUfSB5ErPb0GhLTYxvDSLc4vZBkkbiiDDd5CI= =GpM7 -----END PGP SIGNATURE----- Merge 4.19.123 into android-4.19 Changes in 4.19.123 USB: serial: qcserial: Add DW5816e support tracing/kprobes: Fix a double initialization typo vt: fix unicode console freeing with a common interface dp83640: reverse arguments to list_add_tail fq_codel: fix TCA_FQ_CODEL_DROP_BATCH_SIZE sanity checks net: macsec: preserve ingress frame ordering net/mlx4_core: Fix use of ENOSPC around mlx4_counter_alloc() net_sched: sch_skbprio: add message validation to skbprio_change() net: usb: qmi_wwan: add support for DW5816e sch_choke: avoid potential panic in choke_reset() sch_sfq: validate silly quantum values tipc: fix partial topology connection closure bnxt_en: Fix VLAN acceleration handling in bnxt_fix_features(). net/mlx5: Fix forced completion access non initialized command entry net/mlx5: Fix command entry leak in Internal Error State bnxt_en: Improve AER slot reset. bnxt_en: Fix VF anti-spoof filter setup. net: stricter validation of untrusted gso packets HID: wacom: Read HID_DG_CONTACTMAX directly for non-generic devices sctp: Fix bundling of SHUTDOWN with COOKIE-ACK HID: usbhid: Fix race between usbhid_close() and usbhid_stop() USB: uas: add quirk for LaCie 2Big Quadra USB: serial: garmin_gps: add sanity checking for data length tracing: Add a vmalloc_sync_mappings() for safe measure KVM: arm: vgic: Fix limit condition when writing to GICD_I[CS]ACTIVER KVM: arm64: Fix 32bit PC wrap-around arm64: hugetlb: avoid potential NULL dereference mm/page_alloc: fix watchdog soft lockups during set_zone_contiguous() staging: gasket: Check the return value of gasket_get_bar_index() coredump: fix crash when umh is disabled KVM: VMX: Explicitly reference RCX as the vmx_vcpu pointer in asm blobs KVM: VMX: Mark RCX, RDX and RSI as clobbered in vmx_vcpu_run()'s asm blob batman-adv: fix batadv_nc_random_weight_tq batman-adv: Fix refcnt leak in batadv_show_throughput_override batman-adv: Fix refcnt leak in batadv_store_throughput_override batman-adv: Fix refcnt leak in batadv_v_ogm_process x86/entry/64: Fix unwind hints in register clearing code x86/entry/64: Fix unwind hints in kernel exit path x86/entry/64: Fix unwind hints in rewind_stack_do_exit() x86/unwind/orc: Don't skip the first frame for inactive tasks x86/unwind/orc: Prevent unwinding before ORC initialization x86/unwind/orc: Fix error path for bad ORC entry type x86/unwind/orc: Fix premature unwind stoppage due to IRET frames netfilter: nat: never update the UDP checksum when it's 0 netfilter: nf_osf: avoid passing pointer to local var objtool: Fix stack offset tracking for indirect CFAs scripts/decodecode: fix trapping instruction formatting ipc/mqueue.c: change __do_notify() to bypass check_kill_permission() Linux 4.19.123 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ib87d493c94816aa0a0754530669a8bd688964987 |
||
Oleg Nesterov
|
c7eb87c8ba |
ipc/mqueue.c: change __do_notify() to bypass check_kill_permission()
[ Upstream commit b5f2006144c6ae941726037120fa1001ddede784 ] Commit |
||
Greg Kroah-Hartman
|
be3bb0daac |
This is the 4.19.119 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl6pj8gACgkQONu9yGCS aT5mKxAAvzC4s4XHwDDckvvu57/sED2oEtp7MgmLuyK4Ih55GyyLGx9zg1A2z+rs wQSsVW+/WeurCj4CuVciakkCvgBeY494cbnghr2lohhJZ918/XnYmPODLJhlvtcV gZ4vxk5euNqpWGsmu+X+DRBG6QuU5GYf4ox39NZdtKm5I+kt5Lw44AHSNlFP0q3y drRFc49cqSxa4WkVRixJJOTQbSHARNWiayOG4uLb4zoZFvJOTDAp7+yX5LYD7lxY 3FsQLVMSp7c/whppeGySVX0oJF/12weR9OQJZVxxhlMNggmGREwDxayBaPYqA4pa 0OO83rO1aP9j2VK3HFiK4OwatKHcu0GvGV9I4rP3u8hWvJyUzTAfdcVUXHl6of12 6hXG7F3f0TVY/OP6J2WepcQG5IbkiiAY1J0wlqbqo5MvOqESJZ/J0pGuFD1qzQ8n zaMnj2zhJHkJEfyP7Dvjo4y72eM9tWnFxKfm/PtuHWGovpP15rrsuHcs343U92Z7 zQ/Ak10tA8FpSM7dXaTd98/3FkVdQbkImkEUOpWzPjiJFGyuk8j6/ZE9rCWtlNR1 HP9cLgKB/PF/a3+kwtgGAhAHBVIA8trhSm1jRqEU7ki9sBQnV/2iR5b7UJ8xn4uA dl9HlxpiDYvIjRhHfMh6GXIhdO2T8coFzxKRztjxrM0dbaQeVKQ= =31Y5 -----END PGP SIGNATURE----- Merge 4.19.119 into android-4.19 Changes in 4.19.119 ext4: fix extent_status fragmentation for plain files drm/msm: Use the correct dma_sync calls harder bpftool: Fix printing incorrect pointer in btf_dump_ptr crypto: mxs-dcp - make symbols 'sha1_null_hash' and 'sha256_null_hash' static vti4: removed duplicate log message. arm64: Add part number for Neoverse N1 arm64: errata: Hide CTR_EL0.DIC on systems affected by Neoverse-N1 #1542419 arm64: Fake the IminLine size on systems affected by Neoverse-N1 #1542419 arm64: compat: Workaround Neoverse-N1 #1542419 for compat user-space arm64: Silence clang warning on mismatched value/register sizes watchdog: reset last_hw_keepalive time at start scsi: lpfc: Fix kasan slab-out-of-bounds error in lpfc_unreg_login scsi: lpfc: Fix crash in target side cable pulls hitting WAIT_FOR_UNREG ceph: return ceph_mdsc_do_request() errors from __get_parent() ceph: don't skip updating wanted caps when cap is stale pwm: rcar: Fix late Runtime PM enablement scsi: iscsi: Report unbind session event when the target has been removed ASoC: Intel: atom: Take the drv->lock mutex before calling sst_send_slot_map() nvme: fix deadlock caused by ANA update wrong locking kernel/gcov/fs.c: gcov_seq_next() should increase position index selftests: kmod: fix handling test numbers above 9 ipc/util.c: sysvipc_find_ipc() should increase position index kconfig: qconf: Fix a few alignment issues s390/cio: avoid duplicated 'ADD' uevents loop: Better discard support for block devices Revert "powerpc/64: irq_work avoid interrupt when called with hardware irqs enabled" pwm: renesas-tpu: Fix late Runtime PM enablement pwm: bcm2835: Dynamically allocate base perf/core: Disable page faults when getting phys address ASoC: Intel: bytcr_rt5640: Add quirk for MPMAN MPWIN895CL tablet xhci: Ensure link state is U3 after setting USB_SS_PORT_LS_U3 drm/amd/display: Not doing optimize bandwidth if flip pending. tracing/selftests: Turn off timeout setting virtio-blk: improve virtqueue error to BLK_STS scsi: smartpqi: fix call trace in device discovery PCI/ASPM: Allow re-enabling Clock PM net: ipv6: add net argument to ip6_dst_lookup_flow net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup blktrace: Protect q->blk_trace with RCU blktrace: fix dereference after null check f2fs: fix to avoid memory leakage in f2fs_listxattr KVM: VMX: Zero out *all* general purpose registers after VM-Exit KVM: nVMX: Always sync GUEST_BNDCFGS when it comes from vmcs01 KVM: Introduce a new guest mapping API kvm: fix compilation on aarch64 kvm: fix compilation on s390 kvm: fix compile on s390 part 2 KVM: Properly check if "page" is valid in kvm_vcpu_unmap x86/kvm: Introduce kvm_(un)map_gfn() x86/kvm: Cache gfn to pfn translation x86/KVM: Make sure KVM_VCPU_FLUSH_TLB flag is not missed x86/KVM: Clean up host's steal time structure cxgb4: fix adapter crash due to wrong MC size cxgb4: fix large delays in PTP synchronization ipv6: fix restrict IPV6_ADDRFORM operation macsec: avoid to set wrong mtu macvlan: fix null dereference in macvlan_device_event() net: bcmgenet: correct per TX/RX ring statistics net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node net: stmmac: dwmac-meson8b: Add missing boundary to RGMII TX clock array net/x25: Fix x25_neigh refcnt leak when receiving frame sched: etf: do not assume all sockets are full blown tcp: cache line align MAX_TCP_HEADER team: fix hang in team_mode_get() vrf: Fix IPv6 with qdisc and xfrm net: dsa: b53: Lookup VID in ARL searches when VLAN is enabled net: dsa: b53: Fix ARL register definitions net: dsa: b53: Rework ARL bin logic net: dsa: b53: b53_arl_rw_op() needs to select IVL or SVL xfrm: Always set XFRM_TRANSFORMED in xfrm{4,6}_output_finish vrf: Check skb for XFRM_TRANSFORMED flag mlxsw: Fix some IS_ERR() vs NULL bugs KEYS: Avoid false positive ENOMEM error on key read ALSA: hda: Remove ASUS ROG Zenith from the blacklist ALSA: usb-audio: Add static mapping table for ALC1220-VB-based mobos ALSA: usb-audio: Add connector notifier delegation iio: core: remove extra semi-colon from devm_iio_device_register() macro iio: st_sensors: rely on odr mask to know if odr can be set iio: adc: stm32-adc: fix sleep in atomic context iio: xilinx-xadc: Fix ADC-B powerdown iio: xilinx-xadc: Fix clearing interrupt when enabling trigger iio: xilinx-xadc: Fix sequencer configuration for aux channels in simultaneous mode iio: xilinx-xadc: Make sure not exceed maximum samplerate fs/namespace.c: fix mountpoint reference counter race USB: sisusbvga: Change port variable from signed to unsigned USB: Add USB_QUIRK_DELAY_CTRL_MSG and USB_QUIRK_DELAY_INIT for Corsair K70 RGB RAPIDFIRE USB: early: Handle AMD's spec-compliant identifiers, too USB: core: Fix free-while-in-use bug in the USB S-Glibrary USB: hub: Fix handling of connect changes during sleep vmalloc: fix remap_vmalloc_range() bounds checks mm/hugetlb: fix a addressing exception caused by huge_pte_offset mm/ksm: fix NULL pointer dereference when KSM zero page is enabled tools/vm: fix cross-compile build ALSA: usx2y: Fix potential NULL dereference ALSA: hda/realtek - Fix unexpected init_amp override ALSA: hda/realtek - Add new codec supported for ALC245 ALSA: usb-audio: Fix usb audio refcnt leak when getting spdif ALSA: usb-audio: Filter out unsupported sample rates on Focusrite devices tpm/tpm_tis: Free IRQ if probing fails tpm: ibmvtpm: retry on H_CLOSED in tpm_ibmvtpm_send() KVM: s390: Return last valid slot if approx index is out-of-bounds KVM: Check validity of resolved slot when searching memslots KVM: VMX: Enable machine check support for 32bit targets tty: hvc: fix buffer overflow during hvc_alloc(). tty: rocket, avoid OOB access usb-storage: Add unusual_devs entry for JMicron JMS566 audit: check the length of userspace generated audit records ASoC: dapm: fixup dapm kcontrol widget iwlwifi: pcie: actually release queue memory in TVQM iwlwifi: mvm: beacon statistics shouldn't go backwards ARM: imx: provide v7_cpu_resume() only on ARM_CPU_SUSPEND=y powerpc/setup_64: Set cache-line-size based on cache-block-size staging: comedi: dt2815: fix writing hi byte of analog output staging: comedi: Fix comedi_device refcnt leak in comedi_open vt: don't hardcode the mem allocation upper bound vt: don't use kmalloc() for the unicode screen buffer staging: vt6656: Don't set RCR_MULTICAST or RCR_BROADCAST by default. staging: vt6656: Fix calling conditions of vnt_set_bss_mode staging: vt6656: Fix drivers TBTT timing counter. staging: vt6656: Fix pairwise key entry save. staging: vt6656: Power save stop wake_up_count wrap around. cdc-acm: close race betrween suspend() and acm_softint cdc-acm: introduce a cool down UAS: no use logging any details in case of ENODEV UAS: fix deadlock in error handling and PM flushing work usb: dwc3: gadget: Fix request completion check usb: f_fs: Clear OS Extended descriptor counts to zero in ffs_data_reset() xhci: prevent bus suspend if a roothub port detected a over-current condition serial: sh-sci: Make sure status register SCxSR is read in correct sequence xfs: Fix deadlock between AGI and AGF with RENAME_WHITEOUT s390/mm: fix page table upgrade vs 2ndary address mode accesses Linux 4.19.119 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I4b16db8472367d135a4ff68d2863c634bf093ef5 |
||
Vasily Averin
|
cb0ab2beb9 |
ipc/util.c: sysvipc_find_ipc() should increase position index
[ Upstream commit 89163f93c6f969da5811af5377cc10173583123b ] If seq_file .next function does not change position index, read after some lseek can generate unexpected output. https://bugzilla.kernel.org/show_bug.cgi?id=206283 Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Acked-by: Waiman Long <longman@redhat.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Ingo Molnar <mingo@redhat.com> Cc: NeilBrown <neilb@suse.com> Cc: Peter Oberparleiter <oberpar@linux.ibm.com> Cc: Steven Rostedt <rostedt@goodmis.org> Link: http://lkml.kernel.org/r/b7a20945-e315-8bb0-21e6-3875c14a8494@virtuozzo.com Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
7cd2c86c50 |
This is the 4.19.107 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5ZNBUACgkQONu9yGCS aT6vMhAAoNfLw1JEqsOgplIUKuLJnIBOldyJeZ8HCrR9yhIEDgevHQzaWutyD6H4 2AzImhL8YBwAw+9UHq5Z1PT3PluKt78vRr1ZxDyNniHGJdDsoWTed9h+QjyRkDFl KZSV30GraO8/P6e9Ep5CgKLiCID7m2U9jYZkb6QL21wawprEi6dgSOb21prPyN1d SKCtcrhUQFqDPOgqU3Cyv9t/vxzrgBKSZRKOXZON5gBlwmFHuPk7lcSB80DKd+7S Um7oatwFBhQwKyuhJARXbrhIw2z6Y+xf1wJF+yNW9v/VpR4NE+SkzX2SaX7lercF JigVmtpth1KBa2wGw3N0XOdNG6NYrLtzeBW+o7mlZk4D2OKCeUoZEdM5RiVJNLCK Ze1soQtHoRFViqPx5Or06pOsMagKRNxzjkFPd1cfA7vpRw2KRNKCFXec/Ms8coUd /WslTHkyfryRfzFDtyyCATVXHPizkZqJyrR/3pes4sGITIpFczWVHiQ3mqUIrdXN d08CwsYS0ivQwvl5hZzxyqUlUWVhGccT1PpO6+SZp2IuGT3YWZzpQKDh0+IlIsv0 TUvEtz3xjzL5EDUmUFsRUy5hBINdzjE/iKb3KOHw0y8xik5Rp0LkHtMRPmro5+TT A4JqVfxTGdTprRXPeCS/7X1jOoOxnxm06QZ+HqbHCL5CUi6nZFk= =XhCO -----END PGP SIGNATURE----- Merge 4.19.107 into android-4.19 Changes in 4.19.107 iommu/qcom: Fix bogus detach logic ALSA: hda: Use scnprintf() for printing texts for sysfs/procfs ALSA: hda/realtek - Apply quirk for MSI GP63, too ALSA: hda/realtek - Apply quirk for yet another MSI laptop ASoC: sun8i-codec: Fix setting DAI data format ecryptfs: fix a memory leak bug in parse_tag_1_packet() ecryptfs: fix a memory leak bug in ecryptfs_init_messaging() thunderbolt: Prevent crash if non-active NVMem file is read USB: misc: iowarrior: add support for 2 OEMed devices USB: misc: iowarrior: add support for the 28 and 28L devices USB: misc: iowarrior: add support for the 100 device floppy: check FDC index for errors before assigning it vt: fix scrollback flushing on background consoles vt: selection, handle pending signals in paste_selection vt: vt_ioctl: fix race in VT_RESIZEX staging: android: ashmem: Disallow ashmem memory from being remapped staging: vt6656: fix sign of rx_dbm to bb_pre_ed_rssi. xhci: Force Maximum Packet size for Full-speed bulk devices to valid range. xhci: fix runtime pm enabling for quirky Intel hosts xhci: Fix memory leak when caching protocol extended capability PSI tables - take 2 usb: host: xhci: update event ring dequeue pointer on purpose USB: core: add endpoint-blacklist quirk USB: quirks: blacklist duplicate ep on Sound Devices USBPre2 usb: uas: fix a plug & unplug racing USB: Fix novation SourceControl XL after suspend USB: hub: Don't record a connect-change event during reset-resume USB: hub: Fix the broken detection of USB3 device in SMSC hub usb: dwc2: Fix SET/CLEAR_FEATURE and GET_STATUS flows usb: dwc3: gadget: Check for IOC/LST bit in TRB->ctrl fields staging: rtl8188eu: Fix potential security hole staging: rtl8188eu: Fix potential overuse of kernel memory staging: rtl8723bs: Fix potential security hole staging: rtl8723bs: Fix potential overuse of kernel memory powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal delivery jbd2: fix ocfs2 corrupt when clearing block group bits x86/mce/amd: Publish the bank pointer only after setup has succeeded x86/mce/amd: Fix kobject lifetime x86/cpu/amd: Enable the fixed Instructions Retired counter IRPERF serial: 8250: Check UPF_IRQ_SHARED in advance tty/serial: atmel: manage shutdown in case of RS485 or ISO7816 mode tty: serial: imx: setup the correct sg entry for tx dma serdev: ttyport: restore client ops on deregistration MAINTAINERS: Update drm/i915 bug filing URL Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()" mm/memcontrol.c: lost css_put in memcg_expand_shrinker_maps() nvme-multipath: Fix memory leak with ana_log_buf genirq/irqdomain: Make sure all irq domain flags are distinct mm/vmscan.c: don't round up scan size for online memory cgroup drm/amdgpu/soc15: fix xclk for raven xhci: apply XHCI_PME_STUCK_QUIRK to Intel Comet Lake platforms KVM: nVMX: Don't emulate instructions in guest mode KVM: x86: don't notify userspace IOAPIC on edge-triggered interrupt EOI tty: serial: qcom_geni_serial: Fix UART hang tty: serial: qcom_geni_serial: Remove interrupt storm tty: serial: qcom_geni_serial: Remove use of *_relaxed() and mb() tty: serial: qcom_geni_serial: Remove set_rfr_wm() and related variables tty: serial: qcom_geni_serial: Remove xfer_mode variable tty: serial: qcom_geni_serial: Fix RX cancel command failure lib/stackdepot.c: fix global out-of-bounds in stack_slabs drm/nouveau/kms/gv100-: Re-set LUT after clearing for modesets ext4: fix a data race in EXT4_I(inode)->i_disksize ext4: add cond_resched() to __ext4_find_entry() ext4: fix potential race between online resizing and write operations ext4: fix potential race between s_group_info online resizing and access ext4: fix potential race between s_flex_groups online resizing and access ext4: fix mount failure with quota configured as module ext4: rename s_journal_flag_rwsem to s_writepages_rwsem ext4: fix race between writepages and enabling EXT4_EXTENTS_FL KVM: nVMX: Refactor IO bitmap checks into helper function KVM: nVMX: Check IO instruction VM-exit conditions KVM: nVMX: handle nested posted interrupts when apicv is disabled for L1 KVM: apic: avoid calculating pending eoi from an uninitialized val btrfs: fix bytes_may_use underflow in prealloc error condtition btrfs: reset fs_root to NULL on error in open_ctree btrfs: do not check delayed items are empty for single transaction cleanup Btrfs: fix btrfs_wait_ordered_range() so that it waits for all ordered extents Revert "dmaengine: imx-sdma: Fix memory leak" scsi: Revert "RDMA/isert: Fix a recently introduced regression related to logout" scsi: Revert "target: iscsi: Wait for all commands to finish before freeing a session" usb: gadget: composite: Fix bMaxPower for SuperSpeedPlus usb: dwc2: Fix in ISOC request length checking staging: rtl8723bs: fix copy of overlapping memory staging: greybus: use after free in gb_audio_manager_remove_all() ecryptfs: replace BUG_ON with error handling code iommu/vt-d: Fix compile warning from intel-svm.h genirq/proc: Reject invalid affinity masks (again) bpf, offload: Replace bitwise AND by logical AND in bpf_prog_offload_info_fill ALSA: rawmidi: Avoid bit fields for state flags ALSA: seq: Avoid concurrent access to queue flags ALSA: seq: Fix concurrent access to queue current tick/time netfilter: xt_hashlimit: limit the max size of hashtable rxrpc: Fix call RCU cleanup using non-bh-safe locks ata: ahci: Add shutdown to freeze hardware resources of ahci xen: Enable interrupts when calling _cond_resched() s390/mm: Explicitly compare PAGE_DEFAULT_KEY against zero in storage_key_init_range Revert "char/random: silence a lockdep splat with printk()" Linux 4.19.107 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I74e3d49c54d4afcfa4049042163cb879c3de3100 |
||
Ioanna Alifieraki
|
cf85f00f87 |
Revert "ipc,sem: remove uneeded sem_undo_list lock usage in exit_sem()"
commit edf28f4061afe4c2d9eb1c3323d90e882c1d6800 upstream. This reverts commit |
||
Greg Kroah-Hartman
|
3389e56d31 |
This is the 4.19.103 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5Cn0wACgkQONu9yGCS aT584xAAtePSlzTxst/jukREoyrpAfTM1BeovMdsZEBpKh+/F3n1udqHeo+iNAAN qSOig012aW2qP7b5/4CrEU9ZRTvd0AM4fog7ABLJVahMYMqoJgod8TRaE4v0nVut eRans6w3NbZJCZwdw2aiu5gwFfjwJLSUckBNmj4XVYdyfh7q0BgnZV5OY0V+zhuG 1MWXaylbRqjguR/ZFk0UPAmRaqNKHbwfCJ1V0ygL9xQkJM0cUn7hX9/CqM4aYnm6 m1oux4ektLAmF1XK4NiQEuRBMeFO74XlKcsZqQHf/b4FZfcPergcPwIj8ugtCHzJ kx2QgURDjgH4Tnu+Q0ScPrjj2kjU8rWmjqlcv1PcUyOWm+MR0OK9bW7TLEntMSF8 HOEe9j6SsjQNIOoYh1YcMnuGjKNIZjl2L3VbDzpVN2GxZxwAutY6G68tV7sbA2pu wtsrAVOqdcjoo0ruRmwognBqQAdNdsbiBx7bgcNjVEXWL0N3Ddiv6CNYwnehA5Hq cvQwVQpFGP9ZGYUcCMbdwR+7kJzVy6V2S615M8GkE9FouOwTfV60zM/sZ1rFVt1J 70zxfRX5ys19aTAVkbi6pHHCUJ0ZAiTgWujp5Hp4kPt7gEz01Ur0s1kI3b7b6iWh cuycRFULvqeXCApQacs//lOVDoUV20uFcL/zqOFM33v/+YzkyjA= =3D8z -----END PGP SIGNATURE----- Merge 4.19.103 into android-4.19 Changes in 4.19.103 Revert "drm/sun4i: dsi: Change the start delay calculation" ovl: fix lseek overflow on 32bit kernel/module: Fix memleak in module_add_modinfo_attrs() media: iguanair: fix endpoint sanity check ocfs2: fix oops when writing cloned file x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR udf: Allow writing to 'Rewritable' partitions printk: fix exclusive_console replaying iwlwifi: mvm: fix NVM check for 3168 devices sparc32: fix struct ipc64_perm type definition cls_rsvp: fix rsvp_policy gtp: use __GFP_NOWARN to avoid memalloc warning l2tp: Allow duplicate session creation with UDP net: hsr: fix possible NULL deref in hsr_handle_frame() net_sched: fix an OOB access in cls_tcindex net: stmmac: Delete txtimer in suspend() bnxt_en: Fix TC queue mapping. tcp: clear tp->total_retrans in tcp_disconnect() tcp: clear tp->delivered in tcp_disconnect() tcp: clear tp->data_segs{in|out} in tcp_disconnect() tcp: clear tp->segs_{in|out} in tcp_disconnect() rxrpc: Fix use-after-free in rxrpc_put_local() rxrpc: Fix insufficient receive notification generation rxrpc: Fix missing active use pinning of rxrpc_local object rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors mfd: dln2: More sanity checking for endpoints ipc/msg.c: consolidate all xxxctl_down() functions tracing: Fix sched switch start/stop refcount racy updates rcu: Avoid data-race in rcu_gp_fqs_check_wake() brcmfmac: Fix memory leak in brcmf_usbdev_qinit usb: typec: tcpci: mask event interrupts when remove driver usb: gadget: legacy: set max_speed to super-speed usb: gadget: f_ncm: Use atomic_t to track in-flight request usb: gadget: f_ecm: Use atomic_t to track in-flight request ALSA: usb-audio: Fix endianess in descriptor validation ALSA: dummy: Fix PCM format loop in proc output mm/memory_hotplug: fix remove_memory() lockdep splat mm: move_pages: report the number of non-attempted pages media/v4l2-core: set pages dirty upon releasing DMA buffers media: v4l2-core: compat: ignore native command codes media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() irqdomain: Fix a memory leak in irq_domain_push_irq() platform/x86: intel_scu_ipc: Fix interrupt support ALSA: hda: Add Clevo W65_67SB the power_save blacklist KVM: arm64: Correct PSTATE on exception entry KVM: arm/arm64: Correct CPSR on exception entry KVM: arm/arm64: Correct AArch32 SPSR on exception entry KVM: arm64: Only sign-extend MMIO up to register width MIPS: fix indentation of the 'RELOCS' message MIPS: boot: fix typo in 'vmlinux.lzma.its' target s390/mm: fix dynamic pagetable upgrade for hugetlbfs powerpc/xmon: don't access ASDR in VMs powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() smb3: fix signing verification of large reads PCI: tegra: Fix return value check of pm_runtime_get_sync() mmc: spi: Toggle SPI polarity, do not hardcode it ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards ACPI / battery: Deal with design or full capacity being reported as -1 ACPI / battery: Use design-cap for capacity calculations if full-cap is not available ACPI / battery: Deal better with neither design nor full capacity not being reported alarmtimer: Unregister wakeup source when module get fails ubifs: Reject unsupported ioctl flags explicitly ubifs: don't trigger assertion on invalid no-key filename ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag ubifs: Fix deadlock in concurrent bulk-read and writepage crypto: geode-aes - convert to skcipher API and make thread-safe PCI: keystone: Fix link training retries initiation mmc: sdhci-of-at91: fix memleak on clk_get failure hv_balloon: Balloon up according to request page number mfd: axp20x: Mark AXP20X_VBUS_IPSOUT_MGMT as volatile crypto: api - Check spawn->alg under lock in crypto_drop_spawn crypto: ccree - fix backlog memory leak crypto: ccree - fix pm wrongful error reporting crypto: ccree - fix PM race condition scripts/find-unused-docs: Fix massive false positives scsi: qla2xxx: Fix mtcp dump collection failure power: supply: ltc2941-battery-gauge: fix use-after-free ovl: fix wrong WARN_ON() in ovl_cache_update_ino() f2fs: choose hardlimit when softlimit is larger than hardlimit in f2fs_statfs_project() f2fs: fix miscounted block limit in f2fs_statfs_project() f2fs: code cleanup for f2fs_statfs_project() PM: core: Fix handling of devices deleted during system-wide resume of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc dm zoned: support zone sizes smaller than 128MiB dm space map common: fix to ensure new block isn't already in use dm crypt: fix benbi IV constructor crash if used in authenticated mode dm: fix potential for q->make_request_fn NULL pointer dm writecache: fix incorrect flush sequence when doing SSD mode commit padata: Remove broken queue flushing tracing: Annotate ftrace_graph_hash pointer with __rcu tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu ftrace: Add comment to why rcu_dereference_sched() is open coded ftrace: Protect ftrace_graph_hash with ftrace_sync samples/bpf: Don't try to remove user's homedir on clean crypto: ccp - set max RSA modulus size for v3 platform devices as well crypto: pcrypt - Do not clear MAY_SLEEP flag in original request crypto: atmel-aes - Fix counter overflow in CTR mode crypto: api - Fix race condition in crypto_spawn_alg crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill scsi: qla2xxx: Fix unbound NVME response length NFS: Fix memory leaks and corruption in readdir NFS: Directory page cache pages need to be locked when read jbd2_seq_info_next should increase position index Btrfs: fix missing hole after hole punching and fsync when using NO_HOLES btrfs: set trans->drity in btrfs_commit_transaction Btrfs: fix race between adding and putting tree mod seq elements and nodes ARM: tegra: Enable PLLP bypass during Tegra124 LP1 iwlwifi: don't throw error when trying to remove IGTK mwifiex: fix unbalanced locking in mwifiex_process_country_ie() sunrpc: expiry_time should be seconds not timeval gfs2: move setting current->backing_dev_info gfs2: fix O_SYNC write handling drm/rect: Avoid division by zero media: rc: ensure lirc is initialized before registering input device tools/kvm_stat: Fix kvm_exit filter name xen/balloon: Support xend-based toolstack take two watchdog: fix UAF in reboot notifier handling in watchdog core code bcache: add readahead cache policy options via sysfs interface eventfd: track eventfd_signal() recursion depth aio: prevent potential eventfd recursion on poll KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks KVM: x86: Fix potential put_fpu() w/o load_fpu() on MPX platform KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails KVM: PPC: Book3S PR: Free shared page if mmu initialization fails x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit KVM: x86: Don't let userspace set host-reserved cr4 bits KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails KVM: s390: do not clobber registers during guest reset/store status clk: tegra: Mark fuse clock as critical drm/amd/dm/mst: Ignore payload update failures percpu: Separate decrypted varaibles anytime encryption can be enabled scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type scsi: csiostor: Adjust indentation in csio_device_reset scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free scsi: ufs: Recheck bkops level if bkops is disabled phy: qualcomm: Adjust indentation in read_poll_timeout ext2: Adjust indentation in ext2_fill_super powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable NFC: pn544: Adjust indentation in pn544_hci_check_presence ppp: Adjust indentation into ppp_async_input net: smc911x: Adjust indentation in smc911x_phy_configure net: tulip: Adjust indentation in {dmfe, uli526x}_init_module IB/mlx5: Fix outstanding_pi index for GSI qps IB/core: Fix ODP get user pages flow nfsd: fix delay timer on 32-bit architectures nfsd: fix jiffies/time_t mixup in LRU list nfsd: Return the correct number of bytes written to the file ubi: fastmap: Fix inverted logic in seen selfcheck ubi: Fix an error pointer dereference in error handling code mfd: da9062: Fix watchdog compatible string mfd: rn5t618: Mark ADC control register volatile bonding/alb: properly access headers in bond_alb_xmit() net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port net: mvneta: move rx_dropped and rx_errors in per-cpu stats net_sched: fix a resource leak in tcindex_set_parms() net: systemport: Avoid RBUF stuck in Wake-on-LAN mode net/mlx5: IPsec, Fix esp modify function attribute net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx net: macb: Remove unnecessary alignment check for TSO net: macb: Limit maximum GEM TX length in TSO net: dsa: b53: Always use dev->vlan_enabled in b53_configure_vlan() ext4: fix deadlock allocating crypto bounce page from mempool btrfs: use bool argument in free_root_pointers() btrfs: free block groups after free'ing fs trees drm: atmel-hlcdc: enable clock before configuring timing engine drm/dp_mst: Remove VCPI while disabling topology mgr btrfs: flush write bio if we loop in extent_write_cache_pages KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM KVM: x86: Use gpa_t for cr2/gpa to fix TDP support on 32-bit KVM KVM: VMX: Add non-canonical check on writes to RTIT address MSRs KVM: nVMX: vmread should not set rflags to specify success in case of #PF KVM: Use vcpu-specific gva->hva translation when querying host page size KVM: Play nice with read-only memslots when querying host page size mm: zero remaining unavailable struct pages mm: return zero_resv_unavail optimization mm/page_alloc.c: fix uninitialized memmaps on a partially populated last section cifs: fail i/o on soft mounts if sessionsetup errors out x86/apic/msi: Plug non-maskable MSI affinity race clocksource: Prevent double add_timer_on() for watchdog_timer perf/core: Fix mlock accounting in perf_mmap() rxrpc: Fix service call disconnection Linux 4.19.103 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0d7f09085c3541373e0fd6b2e3ffacc5e34f7d55 |
||
Lu Shuaibing
|
078dd7328e |
ipc/msg.c: consolidate all xxxctl_down() functions
commit 889b331724c82c11e15ba0a60979cf7bded0a26c upstream. A use of uninitialized memory in msgctl_down() because msqid64 in ksys_msgctl hasn't been initialized. The local | msqid64 | is created in ksys_msgctl() and then passed into msgctl_down(). Along the way msqid64 is never initialized before msgctl_down() checks msqid64->msg_qbytes. KUMSAN(KernelUninitializedMemorySantizer, a new error detection tool) reports: ================================================================== BUG: KUMSAN: use of uninitialized memory in msgctl_down+0x94/0x300 Read of size 8 at addr ffff88806bb97eb8 by task syz-executor707/2022 CPU: 0 PID: 2022 Comm: syz-executor707 Not tainted 5.2.0-rc4+ #63 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 Call Trace: dump_stack+0x75/0xae __kumsan_report+0x17c/0x3e6 kumsan_report+0xe/0x20 msgctl_down+0x94/0x300 ksys_msgctl.constprop.14+0xef/0x260 do_syscall_64+0x7e/0x1f0 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4400e9 Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007ffd869e0598 EFLAGS: 00000246 ORIG_RAX: 0000000000000047 RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004400e9 RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 RBP: 00000000006ca018 R08: 0000000000000000 R09: 0000000000000000 R10: 00000000ffffffff R11: 0000000000000246 R12: 0000000000401970 R13: 0000000000401a00 R14: 0000000000000000 R15: 0000000000000000 The buggy address belongs to the page: page:ffffea0001aee5c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 flags: 0x100000000000000() raw: 0100000000000000 0000000000000000 ffffffff01ae0101 0000000000000000 raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 page dumped because: kumsan: bad access detected ================================================================== Syzkaller reproducer: msgctl$IPC_RMID(0x0, 0x0) C reproducer: // autogenerated by syzkaller (https://github.com/google/syzkaller) int main(void) { syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); syscall(__NR_msgctl, 0, 0, 0); return 0; } [natechancellor@gmail.com: adjust indentation in ksys_msgctl] Link: https://github.com/ClangBuiltLinux/linux/issues/829 Link: http://lkml.kernel.org/r/20191218032932.37479-1-natechancellor@gmail.com Link: http://lkml.kernel.org/r/20190613014044.24234-1-shuaibinglu@126.com Signed-off-by: Lu Shuaibing <shuaibinglu@126.com> Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Suggested-by: Arnd Bergmann <arnd@arndb.de> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: NeilBrown <neilb@suse.com> From: Andrew Morton <akpm@linux-foundation.org> Subject: ipc/msg.c: consolidate all xxxctl_down() functions Each line here overflows 80 cols by exactly one character. Delete one tab per line to fix. Cc: Shaohua Li <shli@fb.com> Cc: Jens Axboe <axboe@kernel.dk> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
de4c70d6a9 |
This is the 4.19.65 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1Js7MACgkQONu9yGCS aT4PQxAAo7xa4kYvDxc1RjUY/yIlp6lQ3rpYAAfZB0t8vN+dqivnJZ7m6JHeWX1Y CMcxg85zxLVFeuiXdP821Zj68AB5zqlWMhX0bXm2lhw/Eo9+XHzXtnrLZHhz0/Xd M5cmfIPmoyPCUQQfzSfUMvch+ZpwzEt5op5pUfSjckSpjHQZ0HFj1WJ4D8Hn9jAJ y4+DAKDZgtqhb3GvpS6MoVnBJgcPk9+mBiDkSb12L392+FvHqfeBi3tDRhvyiZAO iJrk747SPds7NlNmuRnj7YyUSDhBzaceRCz0Jsv9FT5EKXoPErXdsL3Bkfa9TREM pH0OaMgNr6WSXLO9qIMcfxMeaKVIvIbotqBTkBTzhEAGPkHA75dhi0lpixXXFExg MaqhLfmHO0dOEr9FrvYGe7f2wUA1Rdw/qRTM3KPEKmHxMqBS7eufIWMHwie1n9Oe cYoP6UkxUIvhUyFV2BlMRFdMfaDbtR0iqy8Dqh36NISD6PAYaUGSoVeSO1fEg4Jy 5GgrKPg6rcz2XNY2cVbsm2zLpqY4dY58SFK9ORfuULdKUQvScvFGrdSSW0CgX+uc F/5NmPutUoboHVxFraDPx7yo46pHf1RW0Me4xZ0aJ3e9ituLAN4fmJ9u46nofb5M thPelQlMVt30O41uViJ0ADkOjCsiBr3AxOFvc76Ct9Q/BJVxhLk= =JVBv -----END PGP SIGNATURE----- Merge 4.19.65 into android-4.19 Changes in 4.19.65 ARM: riscpc: fix DMA ARM: dts: rockchip: Make rk3288-veyron-minnie run at hs200 ARM: dts: rockchip: Make rk3288-veyron-mickey's emmc work again ARM: dts: rockchip: Mark that the rk3288 timer might stop in suspend ftrace: Enable trampoline when rec count returns back to one dmaengine: tegra-apb: Error out if DMA_PREP_INTERRUPT flag is unset arm64: dts: rockchip: fix isp iommu clocks and power domain kernel/module.c: Only return -EEXIST for modules that have finished loading firmware/psci: psci_checker: Park kthreads before stopping them MIPS: lantiq: Fix bitfield masking dmaengine: rcar-dmac: Reject zero-length slave DMA requests clk: tegra210: fix PLLU and PLLU_OUT1 fs/adfs: super: fix use-after-free bug clk: sprd: Add check for return value of sprd_clk_regmap_init() btrfs: fix minimum number of chunk errors for DUP btrfs: qgroup: Don't hold qgroup_ioctl_lock in btrfs_qgroup_inherit() cifs: Fix a race condition with cifs_echo_request ceph: fix improper use of smp_mb__before_atomic() ceph: return -ERANGE if virtual xattr value didn't fit in buffer ACPI: blacklist: fix clang warning for unused DMI table scsi: zfcp: fix GCC compiler warning emitted with -Wmaybe-uninitialized perf version: Fix segfault due to missing OPT_END() x86: kvm: avoid constant-conversion warning ACPI: fix false-positive -Wuninitialized warning be2net: Signal that the device cannot transmit during reconfiguration x86/apic: Silence -Wtype-limits compiler warnings x86: math-emu: Hide clang warnings for 16-bit overflow mm/cma.c: fail if fixed declaration can't be honored lib/test_overflow.c: avoid tainting the kernel and fix wrap size lib/test_string.c: avoid masking memset16/32/64 failures coda: add error handling for fget coda: fix build using bare-metal toolchain uapi linux/coda_psdev.h: move upc_req definition from uapi to kernel side headers drivers/rapidio/devices/rio_mport_cdev.c: NUL terminate some strings ipc/mqueue.c: only perform resource calculation if user valid mlxsw: spectrum_dcb: Configure DSCP map as the last rule is removed xen/pv: Fix a boot up hang revealed by int3 self test x86/kvm: Don't call kvm_spurious_fault() from .fixup x86/paravirt: Fix callee-saved function ELF sizes x86, boot: Remove multiple copy of static function sanitize_boot_params() drm/nouveau: fix memory leak in nouveau_conn_reset() kconfig: Clear "written" flag to avoid data loss kbuild: initialize CLANG_FLAGS correctly in the top Makefile Btrfs: fix incremental send failure after deduplication Btrfs: fix race leading to fs corruption after transaction abort mmc: dw_mmc: Fix occasional hang after tuning on eMMC mmc: meson-mx-sdio: Fix misuse of GENMASK macro gpiolib: fix incorrect IRQ requesting of an active-low lineevent IB/hfi1: Fix Spectre v1 vulnerability mtd: rawnand: micron: handle on-die "ECC-off" devices correctly selinux: fix memory leak in policydb_init() ALSA: hda: Fix 1-minute detection delay when i915 module is not available mm: vmscan: check if mem cgroup is disabled or not before calling memcg slab shrinker s390/dasd: fix endless loop after read unit address configuration cgroup: kselftest: relax fs_spec checks parisc: Fix build of compressed kernel even with debug enabled drivers/perf: arm_pmu: Fix failure path in PM notifier arm64: compat: Allow single-byte watchpoints on all addresses arm64: cpufeature: Fix feature comparison for CTR_EL0.{CWG,ERG} nbd: replace kill_bdev() with __invalidate_device() again xen/swiotlb: fix condition for calling xen_destroy_contiguous_region() IB/mlx5: Fix unreg_umr to ignore the mkey state IB/mlx5: Use direct mkey destroy command upon UMR unreg failure IB/mlx5: Move MRs to a kernel PD when freeing them to the MR cache IB/mlx5: Fix clean_mr() to work in the expected order IB/mlx5: Fix RSS Toeplitz setup to be aligned with the HW specification IB/hfi1: Check for error on call to alloc_rsm_map_table drm/i915/gvt: fix incorrect cache entry for guest page mapping eeprom: at24: make spd world-readable again ARC: enable uboot support unconditionally objtool: Support GCC 9 cold subfunction naming scheme gcc-9: properly declare the {pv,hv}clock_page storage x86/vdso: Prevent segfaults due to hoisted vclock reads scsi: mpt3sas: Use 63-bit DMA addressing on SAS35 HBA x86/cpufeatures: Carve out CQM features retrieval x86/cpufeatures: Combine word 11 and 12 into a new scattered features word x86/speculation: Prepare entry code for Spectre v1 swapgs mitigations x86/speculation: Enable Spectre v1 swapgs mitigations x86/entry/64: Use JMP instead of JMPQ x86/speculation/swapgs: Exclude ATOMs from speculation through SWAPGS Documentation: Add swapgs description to the Spectre v1 documentation Linux 4.19.65 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Iceeabdb164657e0a616db618e6aa8445d56b0dc1 |
||
Kees Cook
|
48c5c4f0a4 |
ipc/mqueue.c: only perform resource calculation if user valid
[ Upstream commit a318f12ed8843cfac53198390c74a565c632f417 ] Andreas Christoforou reported: UBSAN: Undefined behaviour in ipc/mqueue.c:414:49 signed integer overflow: 9 * 2305843009213693951 cannot be represented in type 'long int' ... Call Trace: mqueue_evict_inode+0x8e7/0xa10 ipc/mqueue.c:414 evict+0x472/0x8c0 fs/inode.c:558 iput_final fs/inode.c:1547 [inline] iput+0x51d/0x8c0 fs/inode.c:1573 mqueue_get_inode+0x8eb/0x1070 ipc/mqueue.c:320 mqueue_create_attr+0x198/0x440 ipc/mqueue.c:459 vfs_mkobj+0x39e/0x580 fs/namei.c:2892 prepare_open ipc/mqueue.c:731 [inline] do_mq_open+0x6da/0x8e0 ipc/mqueue.c:771 Which could be triggered by: struct mq_attr attr = { .mq_flags = 0, .mq_maxmsg = 9, .mq_msgsize = 0x1fffffffffffffff, .mq_curmsgs = 0, }; if (mq_open("/testing", 0x40, 3, &attr) == (mqd_t) -1) perror("mq_open"); mqueue_get_inode() was correctly rejecting the giant mq_msgsize, and preparing to return -EINVAL. During the cleanup, it calls mqueue_evict_inode() which performed resource usage tracking math for updating "user", before checking if there was a valid "user" at all (which would indicate that the calculations would be sane). Instead, delay this check to after seeing a valid "user". The overflow was real, but the results went unused, so while the flaw is harmless, it's noisy for kernel fuzzers, so just fix it by moving the calculation under the non-NULL "user" where it actually gets used. Link: http://lkml.kernel.org/r/201906072207.ECB65450@keescook Signed-off-by: Kees Cook <keescook@chromium.org> Reported-by: Andreas Christoforou <andreaschristofo@gmail.com> Acked-by: "Eric W. Biederman" <ebiederm@xmission.com> Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Arnd Bergmann <arnd@arndb.de> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
d1f7f3be99 |
This is the 4.19.51 stable release
-----BEGIN PGP SIGNATURE----- iQIyBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl0EwEMACgkQONu9yGCS aT4UpA/3UqmMAaHH4g20cic8YDoBkYXoQUyj/kbf1w6bXqCuLTHOFS/qXa6QtPK3 WfwNWChIob+EbfAMjreQZjT6pwBbxyCNUvsvpB0k8YhJ3v/sIZL/Wc+1ZDu+jBC9 xfqwT9+JGzgu8P4PUTr1BsGMhgiH9qoJAeq7RCuDcicMIJ4/aJVr4Cvrs+18PVUe 95T5vSn6G62QyOrUExmuuztvNM2P/kos6yJTkN80l3uPLMUjsnWCsMKu+9utd5ea ew332Z/BQs+ff4oljH1uRwsM/Z7+AKXlXatXD0sHQ8CTEqh44SgUSU96vB/h9W8I 6a0t4M2atsdaGjMHmiiPA+gIgd1rW0lsHk6ob6qgfzuRBFGN9BTUfZgQwhOW7uXt e4o5RrWELkbk/TlJzrG1dFjhfyeb7q3LHOOg8kOVU0KdPD44ekJW9qoI8tlMPI+5 mafCCS/oS6TaW20ZKmjjkIbfTndzdO3dy5EWLy3elCEyLF2gDZ6WCAL+SMngdApC /dbuBigF/+RBaEU1e56DkcYUYXjt6UO84O3dYAx69s6EhHS5CP4yCySuYpdxyg/G MWdFDhtbnFyMXqoK1ROS0hNnxpydkh+R1Ns0TeSYibJI2J2enMGIa0thu4aVLD3v +GLqHV2PsPTRQmF5ChnvNV7O53i4j4WBQQjL+80PQulJwRFb/A== =bIqz -----END PGP SIGNATURE----- Merge 4.19.51 into android-4.19 Changes in 4.19.51 rapidio: fix a NULL pointer dereference when create_workqueue() fails fs/fat/file.c: issue flush after the writeback of FAT sysctl: return -EINVAL if val violates minmax ipc: prevent lockup on alloc_msg and free_msg drm/pl111: Initialize clock spinlock early ARM: prevent tracing IPI_CPU_BACKTRACE mm/hmm: select mmu notifier when selecting HMM hugetlbfs: on restore reserve error path retain subpool reservation mem-hotplug: fix node spanned pages when we have a node with only ZONE_MOVABLE mm/cma.c: fix crash on CMA allocation if bitmap allocation fails initramfs: free initrd memory if opening /initrd.image fails mm/cma.c: fix the bitmap status to show failed allocation reason mm: page_mkclean vs MADV_DONTNEED race mm/cma_debug.c: fix the break condition in cma_maxchunk_get() mm/slab.c: fix an infinite loop in leaks_show() kernel/sys.c: prctl: fix false positive in validate_prctl_map() thermal: rcar_gen3_thermal: disable interrupt in .remove drivers: thermal: tsens: Don't print error message on -EPROBE_DEFER mfd: tps65912-spi: Add missing of table registration mfd: intel-lpss: Set the device in reset state when init drm/nouveau/disp/dp: respect sink limits when selecting failsafe link configuration mfd: twl6040: Fix device init errors for ACCCTL register perf/x86/intel: Allow PEBS multi-entry in watermark mode drm/nouveau/kms/gf119-gp10x: push HeadSetControlOutputResource() mthd when encoders change drm/bridge: adv7511: Fix low refresh rate selection objtool: Don't use ignore flag for fake jumps drm/nouveau/kms/gv100-: fix spurious window immediate interlocks bpf: fix undefined behavior in narrow load handling EDAC/mpc85xx: Prevent building as a module pwm: meson: Use the spin-lock only to protect register modifications mailbox: stm32-ipcc: check invalid irq ntp: Allow TAI-UTC offset to be set to zero f2fs: fix to avoid panic in do_recover_data() f2fs: fix to avoid panic in f2fs_inplace_write_data() f2fs: fix to avoid panic in f2fs_remove_inode_page() f2fs: fix to do sanity check on free nid f2fs: fix to clear dirty inode in error path of f2fs_iget() f2fs: fix to avoid panic in dec_valid_block_count() f2fs: fix to use inline space only if inline_xattr is enable f2fs: fix to do sanity check on valid block count of segment f2fs: fix to do checksum even if inode page is uptodate percpu: remove spurious lock dependency between percpu and sched configfs: fix possible use-after-free in configfs_register_group uml: fix a boot splat wrt use of cpu_all_mask PCI: dwc: Free MSI in dw_pcie_host_init() error path PCI: dwc: Free MSI IRQ page in dw_pcie_free_msi() ovl: do not generate duplicate fsnotify events for "fake" path mmc: mmci: Prevent polling for busy detection in IRQ context netfilter: nf_flow_table: fix missing error check for rhashtable_insert_fast netfilter: nf_conntrack_h323: restore boundary check correctness mips: Make sure dt memory regions are valid netfilter: nf_tables: fix base chain stat rcu_dereference usage watchdog: imx2_wdt: Fix set_timeout for big timeout values watchdog: fix compile time error of pretimeout governors blk-mq: move cancel of requeue_work into blk_mq_release iommu/vt-d: Set intel_iommu_gfx_mapped correctly misc: pci_endpoint_test: Fix test_reg_bar to be updated in pci_endpoint_test PCI: designware-ep: Use aligned ATU window for raising MSI interrupts nvme-pci: unquiesce admin queue on shutdown nvme-pci: shutdown on timeout during deletion netfilter: nf_flow_table: check ttl value in flow offload data path netfilter: nf_flow_table: fix netdev refcnt leak ALSA: hda - Register irq handler after the chip initialization nvmem: core: fix read buffer in place nvmem: sunxi_sid: Support SID on A83T and H5 fuse: retrieve: cap requested size to negotiated max_write nfsd: allow fh_want_write to be called twice nfsd: avoid uninitialized variable warning vfio: Fix WARNING "do not call blocking ops when !TASK_RUNNING" iommu/arm-smmu-v3: Don't disable SMMU in kdump kernel switchtec: Fix unintended mask of MRPC event net: thunderbolt: Unregister ThunderboltIP protocol handler when suspending x86/PCI: Fix PCI IRQ routing table memory leak i40e: Queues are reserved despite "Invalid argument" error platform/chrome: cros_ec_proto: check for NULL transfer function PCI: keystone: Prevent ARM32 specific code to be compiled for ARM64 soc: mediatek: pwrap: Zero initialize rdata in pwrap_init_cipher clk: rockchip: Turn on "aclk_dmac1" for suspend on rk3288 soc: rockchip: Set the proper PWM for rk3288 ARM: dts: imx51: Specify IMX5_CLK_IPG as "ahb" clock to SDMA ARM: dts: imx50: Specify IMX5_CLK_IPG as "ahb" clock to SDMA ARM: dts: imx53: Specify IMX5_CLK_IPG as "ahb" clock to SDMA ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ahb" clock to SDMA ARM: dts: imx6sll: Specify IMX6SLL_CLK_IPG as "ipg" clock to SDMA ARM: dts: imx7d: Specify IMX7D_CLK_IPG as "ipg" clock to SDMA ARM: dts: imx6ul: Specify IMX6UL_CLK_IPG as "ipg" clock to SDMA ARM: dts: imx6sx: Specify IMX6SX_CLK_IPG as "ipg" clock to SDMA ARM: dts: imx6qdl: Specify IMX6QDL_CLK_IPG as "ipg" clock to SDMA PCI: rpadlpar: Fix leaked device_node references in add/remove paths drm/amd/display: Use plane->color_space for dpp if specified ARM: OMAP2+: pm33xx-core: Do not Turn OFF CEFUSE as PPA may be using it platform/x86: intel_pmc_ipc: adding error handling power: supply: max14656: fix potential use-before-alloc net: hns3: return 0 and print warning when hit duplicate MAC PCI: rcar: Fix a potential NULL pointer dereference PCI: rcar: Fix 64bit MSI message address handling scsi: qla2xxx: Reset the FCF_ASYNC_{SENT|ACTIVE} flags video: hgafb: fix potential NULL pointer dereference video: imsttfb: fix potential NULL pointer dereferences block, bfq: increase idling for weight-raised queues PCI: xilinx: Check for __get_free_pages() failure gpio: gpio-omap: add check for off wake capable gpios ice: Add missing case in print_link_msg for printing flow control dmaengine: idma64: Use actual device for DMA transfers pwm: tiehrpwm: Update shadow register for disabling PWMs ARM: dts: exynos: Always enable necessary APIO_1V8 and ABB_1V8 regulators on Arndale Octa pwm: Fix deadlock warning when removing PWM device ARM: exynos: Fix undefined instruction during Exynos5422 resume usb: typec: fusb302: Check vconn is off when we start toggling soc: renesas: Identify R-Car M3-W ES1.3 gpio: vf610: Do not share irq_chip percpu: do not search past bitmap when allocating an area Revert "Bluetooth: Align minimum encryption key size for LE and BR/EDR connections" Revert "drm/nouveau: add kconfig option to turn off nouveau legacy contexts. (v3)" ovl: check the capability before cred overridden ovl: support stacked SEEK_HOLE/SEEK_DATA drm/vc4: fix fb references in async update ALSA: seq: Cover unsubscribe_port() in list_mutex Linux 4.19.51 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Li Rongqing
|
20de754a7d |
ipc: prevent lockup on alloc_msg and free_msg
[ Upstream commit d6a2946a88f524a47cc9b79279667137899db807 ] msgctl10 of ltp triggers the following lockup When CONFIG_KASAN is enabled on large memory SMP systems, the pages initialization can take a long time, if msgctl10 requests a huge block memory, and it will block rcu scheduler, so release cpu actively. After adding schedule() in free_msg, free_msg can not be called when holding spinlock, so adding msg to a tmp list, and free it out of spinlock rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-1 rcu_node (CPUs 16-31): P32505 rcu: Tasks blocked on level-1 rcu_node (CPUs 48-63): P34978 rcu: (detected by 11, t=35024 jiffies, g=44237529, q=16542267) msgctl10 R running task 21608 32505 2794 0x00000082 Call Trace: preempt_schedule_irq+0x4c/0xb0 retint_kernel+0x1b/0x2d RIP: 0010:__is_insn_slot_addr+0xfb/0x250 Code: 82 1d 00 48 8b 9b 90 00 00 00 4c 89 f7 49 c1 ee 03 e8 59 83 1d 00 48 b8 00 00 00 00 00 fc ff df 4c 39 eb 48 89 9d 58 ff ff ff <41> c6 04 06 f8 74 66 4c 8d 75 98 4c 89 f1 48 c1 e9 03 48 01 c8 48 RSP: 0018:ffff88bce041f758 EFLAGS: 00000246 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: ffffffff8471bc50 RCX: ffffffff828a2a57 RDX: dffffc0000000000 RSI: dffffc0000000000 RDI: ffff88bce041f780 RBP: ffff88bce041f828 R08: ffffed15f3f4c5b3 R09: ffffed15f3f4c5b3 R10: 0000000000000001 R11: ffffed15f3f4c5b2 R12: 000000318aee9b73 R13: ffffffff8471bc50 R14: 1ffff1179c083ef0 R15: 1ffff1179c083eec kernel_text_address+0xc1/0x100 __kernel_text_address+0xe/0x30 unwind_get_return_address+0x2f/0x50 __save_stack_trace+0x92/0x100 create_object+0x380/0x650 __kmalloc+0x14c/0x2b0 load_msg+0x38/0x1a0 do_msgsnd+0x19e/0xcf0 do_syscall_64+0x117/0x400 entry_SYSCALL_64_after_hwframe+0x49/0xbe rcu: INFO: rcu_preempt detected stalls on CPUs/tasks: rcu: Tasks blocked on level-1 rcu_node (CPUs 0-15): P32170 rcu: (detected by 14, t=35016 jiffies, g=44237525, q=12423063) msgctl10 R running task 21608 32170 32155 0x00000082 Call Trace: preempt_schedule_irq+0x4c/0xb0 retint_kernel+0x1b/0x2d RIP: 0010:lock_acquire+0x4d/0x340 Code: 48 81 ec c0 00 00 00 45 89 c6 4d 89 cf 48 8d 6c 24 20 48 89 3c 24 48 8d bb e4 0c 00 00 89 74 24 0c 48 c7 44 24 20 b3 8a b5 41 <48> c1 ed 03 48 c7 44 24 28 b4 25 18 84 48 c7 44 24 30 d0 54 7a 82 RSP: 0018:ffff88af83417738 EFLAGS: 00000282 ORIG_RAX: ffffffffffffff13 RAX: dffffc0000000000 RBX: ffff88bd335f3080 RCX: 0000000000000002 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff88bd335f3d64 RBP: ffff88af83417758 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000001 R11: ffffed13f3f745b2 R12: 0000000000000000 R13: 0000000000000002 R14: 0000000000000000 R15: 0000000000000000 is_bpf_text_address+0x32/0xe0 kernel_text_address+0xec/0x100 __kernel_text_address+0xe/0x30 unwind_get_return_address+0x2f/0x50 __save_stack_trace+0x92/0x100 save_stack+0x32/0xb0 __kasan_slab_free+0x130/0x180 kfree+0xfa/0x2d0 free_msg+0x24/0x50 do_msgrcv+0x508/0xe60 do_syscall_64+0x117/0x400 entry_SYSCALL_64_after_hwframe+0x49/0xbe Davidlohr said: "So after releasing the lock, the msg rbtree/list is empty and new calls will not see those in the newly populated tmp_msg list, and therefore they cannot access the delayed msg freeing pointers, which is good. Also the fact that the node_cache is now freed before the actual messages seems to be harmless as this is wanted for msg_insert() avoiding GFP_ATOMIC allocations, and after releasing the info->lock the thing is freed anyway so it should not change things" Link: http://lkml.kernel.org/r/1552029161-4957-1-git-send-email-lirongqing@baidu.com Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: Zhang Yu <zhangyu31@baidu.com> Reviewed-by: Davidlohr Bueso <dbueso@suse.de> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: Arnd Bergmann <arnd@arndb.de> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Daniel Rosenberg
|
e81cea2a6f |
ANDROID: vfs: Add permission2 for filesystems with per mount permissions
This allows filesystems to use their mount private data to influence the permssions they return in permission2. It has been separated into a new call to avoid disrupting current permission users. Bug: 35848445 Bug: 120446149 Change-Id: I9d416e3b8b6eca84ef3e336bd2af89ddd51df6ca Signed-off-by: Daniel Rosenberg <drosen@google.com> [AmitP: Minor refactoring of original patch to align with changes from the following upstream commit |
||
Kees Cook
|
59cf0a9339 |
ipc/shm.c: use ERR_CAST() for shm_lock() error return
This uses ERR_CAST() instead of an open-coded cast, as it is casting
across structure pointers, which upsets __randomize_layout:
ipc/shm.c: In function `shm_lock':
ipc/shm.c:209:9: note: randstruct: casting between randomized structure pointer types (ssa): `struct shmid_kernel' and `struct kern_ipc_perm'
return (void *)ipcp;
^~~~~~~~~~~~
Link: http://lkml.kernel.org/r/20180919180722.GA15073@beast
Fixes:
|
||
Davidlohr Bueso
|
9c21dae291 |
ipc/shm: properly return EIDRM in shm_lock()
When getting rid of the general ipc_lock(), this was missed furthermore,
making the comment around the ipc object validity check bogus. Under
EIDRM conditions, callers will in turn not see the error and continue
with the operation.
Link: http://lkml.kernel.org/r/20180824030920.GD3677@linux-r8p5
Link: http://lkml.kernel.org/r/20180823024051.GC13343@shao2-debian
Fixes:
|
||
Manfred Spraul
|
2a9d648100 |
ipc/util.c: update return value of ipc_getref from int to bool
ipc_getref has still a return value of type "int", matching the atomic_t interface of atomic_inc_not_zero()/atomic_add_unless(). ipc_getref now uses refcount_inc_not_zero, which has a return value of type "bool". Therefore, update the return code to avoid implicit conversions. Link: http://lkml.kernel.org/r/20180712185241.4017-13-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Davidlohr Bueso <dbueso@suse.de> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Manfred Spraul
|
27c331a174 |
ipc/util.c: further variable name cleanups
The varable names got a mess, thus standardize them again: id: user space id. Called semid, shmid, msgid if the type is known. Most functions use "id" already. idx: "index" for the idr lookup Right now, some functions use lid, ipc_addid() already uses idx as the variable name. seq: sequence number, to avoid quick collisions of the user space id key: user space key, used for the rhash tree Link: http://lkml.kernel.org/r/20180712185241.4017-12-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Davidlohr Bueso <dbueso@suse.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Davidlohr Bueso
|
eae04d25a7 |
ipc: simplify ipc initialization
Now that we know that rhashtable_init() will not fail, we can get rid of a lot of the unnecessary cleanup paths when the call errored out. [manfred@colorfullife.com: variable name added to util.h to resolve checkpatch warning] Link: http://lkml.kernel.org/r/20180712185241.4017-11-manfred@colorfullife.com Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Davidlohr Bueso
|
dc2c8c84de |
ipc: get rid of ids->tables_initialized hack
In sysvipc we have an ids->tables_initialized regarding the rhashtable,
introduced in
|
||
Davidlohr Bueso
|
82061c57ce |
ipc: drop ipc_lock()
ipc/util.c contains multiple functions to get the ipc object pointer given an id number. There are two sets of function: One set verifies the sequence counter part of the id number, other functions do not check the sequence counter. The standard for function names in ipc/util.c is - ..._check() functions verify the sequence counter - ..._idr() functions do not verify the sequence counter ipc_lock() is an exception: It does not verify the sequence counter value, but this is not obvious from the function name. Furthermore, shm.c is the only user of this helper. Thus, we can simply move the logic into shm_lock() and get rid of the function altogether. [manfred@colorfullife.com: most of changelog] Link: http://lkml.kernel.org/r/20180712185241.4017-7-manfred@colorfullife.com Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Manfred Spraul
|
2e5ceb452c |
ipc/util.c: correct comment in ipc_obtain_object_check
The comment that explains ipc_obtain_object_check is wrong: The function checks the sequence number, not the reference counter. Note that checking the reference counter would be meaningless: The reference counter is decreased without holding any locks, thus an object with kern_ipc_perm.deleted=true may disappear at the end of the next rcu grace period. Link: http://lkml.kernel.org/r/20180712185241.4017-6-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reviewed-by: Davidlohr Bueso <dbueso@suse.de> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Manfred Spraul
|
4241c1a304 |
ipc: rename ipcctl_pre_down_nolock()
Both the comment and the name of ipcctl_pre_down_nolock() are misleading: The function must be called while holdling the rw semaphore. Therefore the patch renames the function to ipcctl_obtain_check(): This name matches the other names used in util.c: - "obtain" function look up a pointer in the idr, without acquiring the object lock. - The caller is responsible for locking. - _check means that the sequence number is checked. Link: http://lkml.kernel.org/r/20180712185241.4017-5-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reviewed-by: Davidlohr Bueso <dbueso@suse.de> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Kees Cook <keescook@chromium.org> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Manfred Spraul
|
39cfffd774 |
ipc/util.c: use ipc_rcu_putref() for failues in ipc_addid()
ipc_addid() is impossible to use: - for certain failures, the caller must not use ipc_rcu_putref(), because the reference counter is not yet initialized. - for other failures, the caller must use ipc_rcu_putref(), because parallel operations could be ongoing already. The patch cleans that up, by initializing the refcount early, and by modifying all callers. The issues is related to the finding of syzbot+2827ef6b3385deb07eaf@syzkaller.appspotmail.com: syzbot found an issue with reading kern_ipc_perm.seq, here both read and write to already released memory could happen. Link: http://lkml.kernel.org/r/20180712185241.4017-4-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Davidlohr Bueso <dbueso@suse.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Manfred Spraul
|
e2652ae6bd |
ipc: reorganize initialization of kern_ipc_perm.seq
ipc_addid() initializes kern_ipc_perm.seq after having called idr_alloc() (within ipc_idr_alloc()). Thus a parallel semop() or msgrcv() that uses ipc_obtain_object_check() may see an uninitialized value. The patch moves the initialization of kern_ipc_perm.seq before the calls of idr_alloc(). Notes: 1) This patch has a user space visible side effect: If /proc/sys/kernel/*_next_id is used (i.e.: checkpoint/restore) and if semget()/msgget()/shmget() fails in the final step of adding the id to the rhash tree, then .._next_id is cleared. Before the patch, is remained unmodified. There is no change of the behavior after a successful ..get() call: It always clears .._next_id, there is no impact to non checkpoint/restore code as that code does not use .._next_id. 2) The patch correctly documents that after a call to ipc_idr_alloc(), the full tear-down sequence must be used. The callers of ipc_addid() do not fullfill that, i.e. more bugfixes are required. The patch is a squash of a patch from Dmitry and my own changes. Link: http://lkml.kernel.org/r/20180712185241.4017-3-manfred@colorfullife.com Reported-by: syzbot+2827ef6b3385deb07eaf@syzkaller.appspotmail.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Davidlohr Bueso <dbueso@suse.de> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Manfred Spraul
|
615c999cd8 |
ipc: compute kern_ipc_perm.id under the ipc lock
ipc_addid() initializes kern_ipc_perm.id after having called ipc_idr_alloc(). Thus a parallel semctl() or msgctl() that uses e.g. MSG_STAT may use this unitialized value as the return code. The patch moves all accesses to kern_ipc_perm.id under the spin_lock(). The issues is related to the finding of syzbot+2827ef6b3385deb07eaf@syzkaller.appspotmail.com: syzbot found an issue with kern_ipc_perm.seq Link: http://lkml.kernel.org/r/20180712185241.4017-2-manfred@colorfullife.com Signed-off-by: Manfred Spraul <manfred@colorfullife.com> Reviewed-by: Davidlohr Bueso <dbueso@suse.de> Cc: Dmitry Vyukov <dvyukov@google.com> Cc: Kees Cook <keescook@chromium.org> Cc: Davidlohr Bueso <dave@stgolabs.net> Cc: Herbert Xu <herbert@gondor.apana.org.au> Cc: Michael Kerrisk <mtk.manpages@gmail.com> Cc: Michal Hocko <mhocko@suse.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Linus Torvalds
|
9a76aba02a |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next
Pull networking updates from David Miller: "Highlights: - Gustavo A. R. Silva keeps working on the implicit switch fallthru changes. - Support 802.11ax High-Efficiency wireless in cfg80211 et al, From Luca Coelho. - Re-enable ASPM in r8169, from Kai-Heng Feng. - Add virtual XFRM interfaces, which avoids all of the limitations of existing IPSEC tunnels. From Steffen Klassert. - Convert GRO over to use a hash table, so that when we have many flows active we don't traverse a long list during accumluation. - Many new self tests for routing, TC, tunnels, etc. Too many contributors to mention them all, but I'm really happy to keep seeing this stuff. - Hardware timestamping support for dpaa_eth/fsl-fman from Yangbo Lu. - Lots of cleanups and fixes in L2TP code from Guillaume Nault. - Add IPSEC offload support to netdevsim, from Shannon Nelson. - Add support for slotting with non-uniform distribution to netem packet scheduler, from Yousuk Seung. - Add UDP GSO support to mlx5e, from Boris Pismenny. - Support offloading of Team LAG in NFP, from John Hurley. - Allow to configure TX queue selection based upon RX queue, from Amritha Nambiar. - Support ethtool ring size configuration in aquantia, from Anton Mikaev. - Support DSCP and flowlabel per-transport in SCTP, from Xin Long. - Support list based batching and stack traversal of SKBs, this is very exciting work. From Edward Cree. - Busyloop optimizations in vhost_net, from Toshiaki Makita. - Introduce the ETF qdisc, which allows time based transmissions. IGB can offload this in hardware. From Vinicius Costa Gomes. - Add parameter support to devlink, from Moshe Shemesh. - Several multiplication and division optimizations for BPF JIT in nfp driver, from Jiong Wang. - Lots of prepatory work to make more of the packet scheduler layer lockless, when possible, from Vlad Buslov. - Add ACK filter and NAT awareness to sch_cake packet scheduler, from Toke Høiland-Jørgensen. - Support regions and region snapshots in devlink, from Alex Vesker. - Allow to attach XDP programs to both HW and SW at the same time on a given device, with initial support in nfp. From Jakub Kicinski. - Add TLS RX offload and support in mlx5, from Ilya Lesokhin. - Use PHYLIB in r8169 driver, from Heiner Kallweit. - All sorts of changes to support Spectrum 2 in mlxsw driver, from Ido Schimmel. - PTP support in mv88e6xxx DSA driver, from Andrew Lunn. - Make TCP_USER_TIMEOUT socket option more accurate, from Jon Maxwell. - Support for templates in packet scheduler classifier, from Jiri Pirko. - IPV6 support in RDS, from Ka-Cheong Poon. - Native tproxy support in nf_tables, from Máté Eckl. - Maintain IP fragment queue in an rbtree, but optimize properly for in-order frags. From Peter Oskolkov. - Improvde handling of ACKs on hole repairs, from Yuchung Cheng" * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next: (1996 commits) bpf: test: fix spelling mistake "REUSEEPORT" -> "REUSEPORT" hv/netvsc: Fix NULL dereference at single queue mode fallback net: filter: mark expected switch fall-through xen-netfront: fix warn message as irq device name has '/' cxgb4: Add new T5 PCI device ids 0x50af and 0x50b0 net: dsa: mv88e6xxx: missing unlock on error path rds: fix building with IPV6=m inet/connection_sock: prefer _THIS_IP_ to current_text_addr net: dsa: mv88e6xxx: bitwise vs logical bug net: sock_diag: Fix spectre v1 gadget in __sock_diag_cmd() ieee802154: hwsim: using right kind of iteration net: hns3: Add vlan filter setting by ethtool command -K net: hns3: Set tx ring' tc info when netdev is up net: hns3: Remove tx ring BD len register in hns3_enet net: hns3: Fix desc num set to default when setting channel net: hns3: Fix for phy link issue when using marvell phy driver net: hns3: Fix for information of phydev lost problem when down/up net: hns3: Fix for command format parsing error in hclge_is_all_function_id_zero net: hns3: Add support for serdes loopback selftest bnxt_en: take coredump_record structure off stack ... |
||
Linus Torvalds
|
a66b4cd1e7 |
Merge branch 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull vfs open-related updates from Al Viro: - "do we need fput() or put_filp()" rules are gone - it's always fput() now. We keep track of that state where it belongs - in ->f_mode. - int *opened mess killed - in finish_open(), in ->atomic_open() instances and in fs/namei.c code around do_last()/lookup_open()/atomic_open(). - alloc_file() wrappers with saner calling conventions are introduced (alloc_file_clone() and alloc_file_pseudo()); callers converted, with much simplification. - while we are at it, saner calling conventions for path_init() and link_path_walk(), simplifying things inside fs/namei.c (both on open-related paths and elsewhere). * 'work.open3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (40 commits) few more cleanups of link_path_walk() callers allow link_path_walk() to take ERR_PTR() make path_init() unconditionally paired with terminate_walk() document alloc_file() changes make alloc_file() static do_shmat(): grab shp->shm_file earlier, switch to alloc_file_clone() new helper: alloc_file_clone() create_pipe_files(): switch the first allocation to alloc_file_pseudo() anon_inode_getfile(): switch to alloc_file_pseudo() hugetlb_file_setup(): switch to alloc_file_pseudo() ocxlflash_getfile(): switch to alloc_file_pseudo() cxl_getfile(): switch to alloc_file_pseudo() ... and switch shmem_file_setup() to alloc_file_pseudo() __shmem_file_setup(): reorder allocations new wrapper: alloc_file_pseudo() kill FILE_{CREATED,OPENED} switch atomic_open() and lookup_open() to returning 0 in all success cases document ->atomic_open() changes ->atomic_open(): return 0 in all success cases get rid of 'opened' in path_openat() and the helpers downstream ... |
||
David S. Miller
|
c1c8626fce |
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
Lots of overlapping changes, mostly trivial in nature. The mlxsw conflict was resolving using the example resolution at: https://github.com/jpirko/linux_mlxsw/blob/combined_queue/drivers/net/ethernet/mellanox/mlxsw/core_acl_flex_actions.c Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Jane Chu
|
eec3636ad1 |
ipc/shm.c add ->pagesize function to shm_vm_ops
Commit |
||
David S. Miller
|
89b1698c93 |
Merge ra.kernel.org:/pub/scm/linux/kernel/git/davem/net
The BTF conflicts were simple overlapping changes. The virtio_net conflict was an overlap of a fix of statistics counter, happening alongisde a move over to a bonafide statistics structure rather than counting value on the stack. Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Davidlohr Bueso
|
f075faa300 |
ipc/sem.c: prevent queue.status tearing in semop
In order for load/store tearing prevention to work, _all_ accesses to the variable in question need to be done around READ and WRITE_ONCE() macros. Ensure everyone does so for q->status variable for semtimedop(). Link: http://lkml.kernel.org/r/20180717052654.676-1-dave@stgolabs.net Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Cc: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Al Viro
|
4f089acc5f |
do_shmat(): grab shp->shm_file earlier, switch to alloc_file_clone()
Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
||
Al Viro
|
c9c554f214 |
alloc_file(): switch to passing O_... flags instead of FMODE_... mode
... so that it could set both ->f_flags and ->f_mode, without callers having to set ->f_flags manually. Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
||
NeilBrown
|
0eb71a9da5 |
rhashtable: split rhashtable.h
Due to the use of rhashtables in net namespaces, rhashtable.h is included in lots of the kernel, so a small changes can required a large recompilation. This makes development painful. This patch splits out rhashtable-types.h which just includes the major type declarations, and does not include (non-trivial) inline code. rhashtable.h is no longer included by anything in the include/ directory. Common include files only include rhashtable-types.h so a large recompilation is only triggered when that changes. Acked-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: NeilBrown <neilb@suse.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Souptick Joarder
|
14f28f5776 |
ipc: use new return type vm_fault_t
Use new return type vm_fault_t for fault handler. For now, this is just
documenting that the function returns a VM_FAULT value rather than an
errno. Once all instances are converted, vm_fault_t will become a
distinct type.
Commit
|
||
Davidlohr Bueso
|
ec67aaa46d |
sysvipc/sem: mitigate semnum index against spectre v1
Both smatch and coverity are reporting potential issues with spectre variant 1 with the 'semnum' index within the sma->sems array, ie: ipc/sem.c:388 sem_lock() warn: potential spectre issue 'sma->sems' ipc/sem.c:641 perform_atomic_semop_slow() warn: potential spectre issue 'sma->sems' ipc/sem.c:721 perform_atomic_semop() warn: potential spectre issue 'sma->sems' Avoid any possible speculation by using array_index_nospec() thus ensuring the semnum value is bounded to [0, sma->sem_nsems). With the exception of sem_lock() all of these are slowpaths. Link: http://lkml.kernel.org/r/20180423171131.njs4rfm2yzyeg6do@linux-n805 Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Reported-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Peter Zijlstra <peterz@infradead.org> Cc: "Gustavo A. R. Silva" <gustavo@embeddedor.com> Cc: Manfred Spraul <manfred@colorfullife.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Kees Cook
|
344476e16a |
treewide: kvmalloc() -> kvmalloc_array()
The kvmalloc() function has a 2-factor argument form, kvmalloc_array(). This patch replaces cases of: kvmalloc(a * b, gfp) with: kvmalloc_array(a * b, gfp) as well as handling cases of: kvmalloc(a * b * c, gfp) with: kvmalloc(array3_size(a, b, c), gfp) as it's slightly less ugly than: kvmalloc_array(array_size(a, b), c, gfp) This does, however, attempt to ignore constant size factors like: kvmalloc(4 * 1024, gfp) though any constants defined via macros get caught up in the conversion. Any factors with a sizeof() of "unsigned char", "char", and "u8" were dropped, since they're redundant. The Coccinelle script used for this was: // Fix redundant parens around sizeof(). @@ type TYPE; expression THING, E; @@ ( kvmalloc( - (sizeof(TYPE)) * E + sizeof(TYPE) * E , ...) | kvmalloc( - (sizeof(THING)) * E + sizeof(THING) * E , ...) ) // Drop single-byte sizes and redundant parens. @@ expression COUNT; typedef u8; typedef __u8; @@ ( kvmalloc( - sizeof(u8) * (COUNT) + COUNT , ...) | kvmalloc( - sizeof(__u8) * (COUNT) + COUNT , ...) | kvmalloc( - sizeof(char) * (COUNT) + COUNT , ...) | kvmalloc( - sizeof(unsigned char) * (COUNT) + COUNT , ...) | kvmalloc( - sizeof(u8) * COUNT + COUNT , ...) | kvmalloc( - sizeof(__u8) * COUNT + COUNT , ...) | kvmalloc( - sizeof(char) * COUNT + COUNT , ...) | kvmalloc( - sizeof(unsigned char) * COUNT + COUNT , ...) ) // 2-factor product with sizeof(type/expression) and identifier or constant. @@ type TYPE; expression THING; identifier COUNT_ID; constant COUNT_CONST; @@ ( - kvmalloc + kvmalloc_array ( - sizeof(TYPE) * (COUNT_ID) + COUNT_ID, sizeof(TYPE) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(TYPE) * COUNT_ID + COUNT_ID, sizeof(TYPE) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(TYPE) * (COUNT_CONST) + COUNT_CONST, sizeof(TYPE) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(TYPE) * COUNT_CONST + COUNT_CONST, sizeof(TYPE) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(THING) * (COUNT_ID) + COUNT_ID, sizeof(THING) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(THING) * COUNT_ID + COUNT_ID, sizeof(THING) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(THING) * (COUNT_CONST) + COUNT_CONST, sizeof(THING) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(THING) * COUNT_CONST + COUNT_CONST, sizeof(THING) , ...) ) // 2-factor product, only identifiers. @@ identifier SIZE, COUNT; @@ - kvmalloc + kvmalloc_array ( - SIZE * COUNT + COUNT, SIZE , ...) // 3-factor product with 1 sizeof(type) or sizeof(expression), with // redundant parens removed. @@ expression THING; identifier STRIDE, COUNT; type TYPE; @@ ( kvmalloc( - sizeof(TYPE) * (COUNT) * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | kvmalloc( - sizeof(TYPE) * (COUNT) * STRIDE + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | kvmalloc( - sizeof(TYPE) * COUNT * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | kvmalloc( - sizeof(TYPE) * COUNT * STRIDE + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | kvmalloc( - sizeof(THING) * (COUNT) * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | kvmalloc( - sizeof(THING) * (COUNT) * STRIDE + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | kvmalloc( - sizeof(THING) * COUNT * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | kvmalloc( - sizeof(THING) * COUNT * STRIDE + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) ) // 3-factor product with 2 sizeof(variable), with redundant parens removed. @@ expression THING1, THING2; identifier COUNT; type TYPE1, TYPE2; @@ ( kvmalloc( - sizeof(TYPE1) * sizeof(TYPE2) * COUNT + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2)) , ...) | kvmalloc( - sizeof(TYPE1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2)) , ...) | kvmalloc( - sizeof(THING1) * sizeof(THING2) * COUNT + array3_size(COUNT, sizeof(THING1), sizeof(THING2)) , ...) | kvmalloc( - sizeof(THING1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(THING1), sizeof(THING2)) , ...) | kvmalloc( - sizeof(TYPE1) * sizeof(THING2) * COUNT + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2)) , ...) | kvmalloc( - sizeof(TYPE1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2)) , ...) ) // 3-factor product, only identifiers, with redundant parens removed. @@ identifier STRIDE, SIZE, COUNT; @@ ( kvmalloc( - (COUNT) * STRIDE * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | kvmalloc( - COUNT * (STRIDE) * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | kvmalloc( - COUNT * STRIDE * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | kvmalloc( - (COUNT) * (STRIDE) * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | kvmalloc( - COUNT * (STRIDE) * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | kvmalloc( - (COUNT) * STRIDE * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | kvmalloc( - (COUNT) * (STRIDE) * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | kvmalloc( - COUNT * STRIDE * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) ) // Any remaining multi-factor products, first at least 3-factor products, // when they're not all constants... @@ expression E1, E2, E3; constant C1, C2, C3; @@ ( kvmalloc(C1 * C2 * C3, ...) | kvmalloc( - (E1) * E2 * E3 + array3_size(E1, E2, E3) , ...) | kvmalloc( - (E1) * (E2) * E3 + array3_size(E1, E2, E3) , ...) | kvmalloc( - (E1) * (E2) * (E3) + array3_size(E1, E2, E3) , ...) | kvmalloc( - E1 * E2 * E3 + array3_size(E1, E2, E3) , ...) ) // And then all remaining 2 factors products when they're not all constants, // keeping sizeof() as the second factor argument. @@ expression THING, E1, E2; type TYPE; constant C1, C2, C3; @@ ( kvmalloc(sizeof(THING) * C2, ...) | kvmalloc(sizeof(TYPE) * C2, ...) | kvmalloc(C1 * C2 * C3, ...) | kvmalloc(C1 * C2, ...) | - kvmalloc + kvmalloc_array ( - sizeof(TYPE) * (E2) + E2, sizeof(TYPE) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(TYPE) * E2 + E2, sizeof(TYPE) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(THING) * (E2) + E2, sizeof(THING) , ...) | - kvmalloc + kvmalloc_array ( - sizeof(THING) * E2 + E2, sizeof(THING) , ...) | - kvmalloc + kvmalloc_array ( - (E1) * E2 + E1, E2 , ...) | - kvmalloc + kvmalloc_array ( - (E1) * (E2) + E1, E2 , ...) | - kvmalloc + kvmalloc_array ( - E1 * E2 + E1, E2 , ...) ) Signed-off-by: Kees Cook <keescook@chromium.org> |
||
Linus Torvalds
|
ba252f16e4 |
Merge branch 'timers-2038-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip
Pull time/Y2038 updates from Thomas Gleixner: - Consolidate SySV IPC UAPI headers - Convert SySV IPC to the new COMPAT_32BIT_TIME mechanism - Cleanup the core interfaces and standardize on the ktime_get_* naming convention. - Convert the X86 platform ops to timespec64 - Remove the ugly temporary timespec64 hack * 'timers-2038-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (22 commits) x86: Convert x86_platform_ops to timespec64 timekeeping: Add more coarse clocktai/boottime interfaces timekeeping: Add ktime_get_coarse_with_offset timekeeping: Standardize on ktime_get_*() naming timekeeping: Clean up ktime_get_real_ts64 timekeeping: Remove timespec64 hack y2038: ipc: Redirect ipc(SEMTIMEDOP, ...) to compat_ksys_semtimedop y2038: ipc: Enable COMPAT_32BIT_TIME y2038: ipc: Use __kernel_timespec y2038: ipc: Report long times to user space y2038: ipc: Use ktime_get_real_seconds consistently y2038: xtensa: Extend sysvipc data structures y2038: powerpc: Extend sysvipc data structures y2038: sparc: Extend sysvipc data structures y2038: parisc: Extend sysvipc data structures y2038: mips: Extend sysvipc data structures y2038: arm64: Extend sysvipc compat data structures y2038: s390: Remove unneeded ipc uapi header files y2038: ia64: Remove unneeded ipc uapi header files y2038: alpha: Remove unneeded ipc uapi header files ... |
||
Davidlohr Bueso
|
8f89c007b6 |
ipc/shm: fix shmat() nil address after round-down when remapping
shmat()'s SHM_REMAP option forbids passing a nil address for; this is in fact the very first thing we check for. Andrea reported that for SHM_RND|SHM_REMAP cases we can end up bypassing the initial addr check, but we need to check again if the address was rounded down to nil. As of this patch, such cases will return -EINVAL. Link: http://lkml.kernel.org/r/20180503204934.kk63josdu6u53fbd@linux-n805 Signed-off-by: Davidlohr Bueso <dbueso@suse.de> Reported-by: Andrea Arcangeli <aarcange@redhat.com> Cc: Joe Lawrence <joe.lawrence@redhat.com> Cc: Manfred Spraul <manfred@colorfullife.com> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Davidlohr Bueso
|
a73ab244f0 |
Revert "ipc/shm: Fix shmat mmap nil-page protection"
Patch series "ipc/shm: shmat() fixes around nil-page". These patches fix two issues reported[1] a while back by Joe and Andrea around how shmat(2) behaves with nil-page. The first reverts a commit that it was incorrectly thought that mapping nil-page (address=0) was a no no with MAP_FIXED. This is not the case, with the exception of SHM_REMAP; which is address in the second patch. I chose two patches because it is easier to backport and it explicitly reverts bogus behaviour. Both patches ought to be in -stable and ltp testcases need updated (the added testcase around the cve can be modified to just test for SHM_RND|SHM_REMAP). [1] lkml.kernel.org/r/20180430172152.nfa564pvgpk3ut7p@linux-n805 This patch (of 2): Commit |
||
Arnd Bergmann
|
5dc0b1529d |
y2038: ipc: Redirect ipc(SEMTIMEDOP, ...) to compat_ksys_semtimedop
32-bit architectures implementing 64BIT_TIME and COMPAT_32BIT_TIME need to have the traditional semtimedop() behavior with 32-bit timestamps for sys_ipc() by calling compat_ksys_semtimedop(), while those that are not yet converted need to keep using ksys_semtimedop() like 64-bit architectures do. Note that I chose to not implement a new SEMTIMEDOP64 function that corresponds to the new sys_semtimedop() with 64-bit timeouts. The reason here is that sys_ipc() should no longer be used for new system calls, and libc should just call the semtimedop syscall directly. One open question remain to whether we want to completely avoid the sys_ipc() system call for architectures that do not yet have all the individual calls as they get converted to 64-bit time_t. Doing that would require adding several extra system calls on m68k, mips, powerpc, s390, sh, sparc, and x86-32. Signed-off-by: Arnd Bergmann <arnd@arndb.de> |
||
Arnd Bergmann
|
b0d175781a |
y2038: ipc: Enable COMPAT_32BIT_TIME
Three ipc syscalls (mq_timedsend, mq_timedreceive and and semtimedop) take a timespec argument. After we move 32-bit architectures over to useing 64-bit time_t based syscalls, we need seperate entry points for the old 32-bit based interfaces. This changes the #ifdef guards for the existing 32-bit compat syscalls to check for CONFIG_COMPAT_32BIT_TIME instead, which will then be enabled on all existing 32-bit architectures. Signed-off-by: Arnd Bergmann <arnd@arndb.de> |