4b1ee0c027
190 Commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
Greg Kroah-Hartman
|
3389e56d31 |
This is the 4.19.103 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl5Cn0wACgkQONu9yGCS aT584xAAtePSlzTxst/jukREoyrpAfTM1BeovMdsZEBpKh+/F3n1udqHeo+iNAAN qSOig012aW2qP7b5/4CrEU9ZRTvd0AM4fog7ABLJVahMYMqoJgod8TRaE4v0nVut eRans6w3NbZJCZwdw2aiu5gwFfjwJLSUckBNmj4XVYdyfh7q0BgnZV5OY0V+zhuG 1MWXaylbRqjguR/ZFk0UPAmRaqNKHbwfCJ1V0ygL9xQkJM0cUn7hX9/CqM4aYnm6 m1oux4ektLAmF1XK4NiQEuRBMeFO74XlKcsZqQHf/b4FZfcPergcPwIj8ugtCHzJ kx2QgURDjgH4Tnu+Q0ScPrjj2kjU8rWmjqlcv1PcUyOWm+MR0OK9bW7TLEntMSF8 HOEe9j6SsjQNIOoYh1YcMnuGjKNIZjl2L3VbDzpVN2GxZxwAutY6G68tV7sbA2pu wtsrAVOqdcjoo0ruRmwognBqQAdNdsbiBx7bgcNjVEXWL0N3Ddiv6CNYwnehA5Hq cvQwVQpFGP9ZGYUcCMbdwR+7kJzVy6V2S615M8GkE9FouOwTfV60zM/sZ1rFVt1J 70zxfRX5ys19aTAVkbi6pHHCUJ0ZAiTgWujp5Hp4kPt7gEz01Ur0s1kI3b7b6iWh cuycRFULvqeXCApQacs//lOVDoUV20uFcL/zqOFM33v/+YzkyjA= =3D8z -----END PGP SIGNATURE----- Merge 4.19.103 into android-4.19 Changes in 4.19.103 Revert "drm/sun4i: dsi: Change the start delay calculation" ovl: fix lseek overflow on 32bit kernel/module: Fix memleak in module_add_modinfo_attrs() media: iguanair: fix endpoint sanity check ocfs2: fix oops when writing cloned file x86/cpu: Update cached HLE state on write to TSX_CTRL_CPUID_CLEAR udf: Allow writing to 'Rewritable' partitions printk: fix exclusive_console replaying iwlwifi: mvm: fix NVM check for 3168 devices sparc32: fix struct ipc64_perm type definition cls_rsvp: fix rsvp_policy gtp: use __GFP_NOWARN to avoid memalloc warning l2tp: Allow duplicate session creation with UDP net: hsr: fix possible NULL deref in hsr_handle_frame() net_sched: fix an OOB access in cls_tcindex net: stmmac: Delete txtimer in suspend() bnxt_en: Fix TC queue mapping. tcp: clear tp->total_retrans in tcp_disconnect() tcp: clear tp->delivered in tcp_disconnect() tcp: clear tp->data_segs{in|out} in tcp_disconnect() tcp: clear tp->segs_{in|out} in tcp_disconnect() rxrpc: Fix use-after-free in rxrpc_put_local() rxrpc: Fix insufficient receive notification generation rxrpc: Fix missing active use pinning of rxrpc_local object rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect media: uvcvideo: Avoid cyclic entity chains due to malformed USB descriptors mfd: dln2: More sanity checking for endpoints ipc/msg.c: consolidate all xxxctl_down() functions tracing: Fix sched switch start/stop refcount racy updates rcu: Avoid data-race in rcu_gp_fqs_check_wake() brcmfmac: Fix memory leak in brcmf_usbdev_qinit usb: typec: tcpci: mask event interrupts when remove driver usb: gadget: legacy: set max_speed to super-speed usb: gadget: f_ncm: Use atomic_t to track in-flight request usb: gadget: f_ecm: Use atomic_t to track in-flight request ALSA: usb-audio: Fix endianess in descriptor validation ALSA: dummy: Fix PCM format loop in proc output mm/memory_hotplug: fix remove_memory() lockdep splat mm: move_pages: report the number of non-attempted pages media/v4l2-core: set pages dirty upon releasing DMA buffers media: v4l2-core: compat: ignore native command codes media: v4l2-rect.h: fix v4l2_rect_map_inside() top/left adjustments lib/test_kasan.c: fix memory leak in kmalloc_oob_krealloc_more() irqdomain: Fix a memory leak in irq_domain_push_irq() platform/x86: intel_scu_ipc: Fix interrupt support ALSA: hda: Add Clevo W65_67SB the power_save blacklist KVM: arm64: Correct PSTATE on exception entry KVM: arm/arm64: Correct CPSR on exception entry KVM: arm/arm64: Correct AArch32 SPSR on exception entry KVM: arm64: Only sign-extend MMIO up to register width MIPS: fix indentation of the 'RELOCS' message MIPS: boot: fix typo in 'vmlinux.lzma.its' target s390/mm: fix dynamic pagetable upgrade for hugetlbfs powerpc/xmon: don't access ASDR in VMs powerpc/pseries: Advance pfn if section is not present in lmb_is_removable() smb3: fix signing verification of large reads PCI: tegra: Fix return value check of pm_runtime_get_sync() mmc: spi: Toggle SPI polarity, do not hardcode it ACPI: video: Do not export a non working backlight interface on MSI MS-7721 boards ACPI / battery: Deal with design or full capacity being reported as -1 ACPI / battery: Use design-cap for capacity calculations if full-cap is not available ACPI / battery: Deal better with neither design nor full capacity not being reported alarmtimer: Unregister wakeup source when module get fails ubifs: Reject unsupported ioctl flags explicitly ubifs: don't trigger assertion on invalid no-key filename ubifs: Fix FS_IOC_SETFLAGS unexpectedly clearing encrypt flag ubifs: Fix deadlock in concurrent bulk-read and writepage crypto: geode-aes - convert to skcipher API and make thread-safe PCI: keystone: Fix link training retries initiation mmc: sdhci-of-at91: fix memleak on clk_get failure hv_balloon: Balloon up according to request page number mfd: axp20x: Mark AXP20X_VBUS_IPSOUT_MGMT as volatile crypto: api - Check spawn->alg under lock in crypto_drop_spawn crypto: ccree - fix backlog memory leak crypto: ccree - fix pm wrongful error reporting crypto: ccree - fix PM race condition scripts/find-unused-docs: Fix massive false positives scsi: qla2xxx: Fix mtcp dump collection failure power: supply: ltc2941-battery-gauge: fix use-after-free ovl: fix wrong WARN_ON() in ovl_cache_update_ino() f2fs: choose hardlimit when softlimit is larger than hardlimit in f2fs_statfs_project() f2fs: fix miscounted block limit in f2fs_statfs_project() f2fs: code cleanup for f2fs_statfs_project() PM: core: Fix handling of devices deleted during system-wide resume of: Add OF_DMA_DEFAULT_COHERENT & select it on powerpc dm zoned: support zone sizes smaller than 128MiB dm space map common: fix to ensure new block isn't already in use dm crypt: fix benbi IV constructor crash if used in authenticated mode dm: fix potential for q->make_request_fn NULL pointer dm writecache: fix incorrect flush sequence when doing SSD mode commit padata: Remove broken queue flushing tracing: Annotate ftrace_graph_hash pointer with __rcu tracing: Annotate ftrace_graph_notrace_hash pointer with __rcu ftrace: Add comment to why rcu_dereference_sched() is open coded ftrace: Protect ftrace_graph_hash with ftrace_sync samples/bpf: Don't try to remove user's homedir on clean crypto: ccp - set max RSA modulus size for v3 platform devices as well crypto: pcrypt - Do not clear MAY_SLEEP flag in original request crypto: atmel-aes - Fix counter overflow in CTR mode crypto: api - Fix race condition in crypto_spawn_alg crypto: picoxcell - adjust the position of tasklet_init and fix missed tasklet_kill scsi: qla2xxx: Fix unbound NVME response length NFS: Fix memory leaks and corruption in readdir NFS: Directory page cache pages need to be locked when read jbd2_seq_info_next should increase position index Btrfs: fix missing hole after hole punching and fsync when using NO_HOLES btrfs: set trans->drity in btrfs_commit_transaction Btrfs: fix race between adding and putting tree mod seq elements and nodes ARM: tegra: Enable PLLP bypass during Tegra124 LP1 iwlwifi: don't throw error when trying to remove IGTK mwifiex: fix unbalanced locking in mwifiex_process_country_ie() sunrpc: expiry_time should be seconds not timeval gfs2: move setting current->backing_dev_info gfs2: fix O_SYNC write handling drm/rect: Avoid division by zero media: rc: ensure lirc is initialized before registering input device tools/kvm_stat: Fix kvm_exit filter name xen/balloon: Support xend-based toolstack take two watchdog: fix UAF in reboot notifier handling in watchdog core code bcache: add readahead cache policy options via sysfs interface eventfd: track eventfd_signal() recursion depth aio: prevent potential eventfd recursion on poll KVM: x86: Refactor picdev_write() to prevent Spectre-v1/L1TF attacks KVM: x86: Refactor prefix decoding to prevent Spectre-v1/L1TF attacks KVM: x86: Protect pmu_intel.c from Spectre-v1/L1TF attacks KVM: x86: Protect DR-based index computations from Spectre-v1/L1TF attacks KVM: x86: Protect kvm_lapic_reg_write() from Spectre-v1/L1TF attacks KVM: x86: Protect kvm_hv_msr_[get|set]_crash_data() from Spectre-v1/L1TF attacks KVM: x86: Protect ioapic_write_indirect() from Spectre-v1/L1TF attacks KVM: x86: Protect MSR-based index computations in pmu.h from Spectre-v1/L1TF attacks KVM: x86: Protect ioapic_read_indirect() from Spectre-v1/L1TF attacks KVM: x86: Protect MSR-based index computations from Spectre-v1/L1TF attacks in x86.c KVM: x86: Protect x86_decode_insn from Spectre-v1/L1TF attacks KVM: x86: Protect MSR-based index computations in fixed_msr_to_seg_unit() from Spectre-v1/L1TF attacks KVM: x86: Fix potential put_fpu() w/o load_fpu() on MPX platform KVM: PPC: Book3S HV: Uninit vCPU if vcore creation fails KVM: PPC: Book3S PR: Free shared page if mmu initialization fails x86/kvm: Be careful not to clear KVM_VCPU_FLUSH_TLB bit KVM: x86: Don't let userspace set host-reserved cr4 bits KVM: x86: Free wbinvd_dirty_mask if vCPU creation fails KVM: s390: do not clobber registers during guest reset/store status clk: tegra: Mark fuse clock as critical drm/amd/dm/mst: Ignore payload update failures percpu: Separate decrypted varaibles anytime encryption can be enabled scsi: qla2xxx: Fix the endianness of the qla82xx_get_fw_size() return type scsi: csiostor: Adjust indentation in csio_device_reset scsi: qla4xxx: Adjust indentation in qla4xxx_mem_free scsi: ufs: Recheck bkops level if bkops is disabled phy: qualcomm: Adjust indentation in read_poll_timeout ext2: Adjust indentation in ext2_fill_super powerpc/44x: Adjust indentation in ibm4xx_denali_fixup_memsize drm: msm: mdp4: Adjust indentation in mdp4_dsi_encoder_enable NFC: pn544: Adjust indentation in pn544_hci_check_presence ppp: Adjust indentation into ppp_async_input net: smc911x: Adjust indentation in smc911x_phy_configure net: tulip: Adjust indentation in {dmfe, uli526x}_init_module IB/mlx5: Fix outstanding_pi index for GSI qps IB/core: Fix ODP get user pages flow nfsd: fix delay timer on 32-bit architectures nfsd: fix jiffies/time_t mixup in LRU list nfsd: Return the correct number of bytes written to the file ubi: fastmap: Fix inverted logic in seen selfcheck ubi: Fix an error pointer dereference in error handling code mfd: da9062: Fix watchdog compatible string mfd: rn5t618: Mark ADC control register volatile bonding/alb: properly access headers in bond_alb_xmit() net: dsa: bcm_sf2: Only 7278 supports 2Gb/sec IMP port net: mvneta: move rx_dropped and rx_errors in per-cpu stats net_sched: fix a resource leak in tcindex_set_parms() net: systemport: Avoid RBUF stuck in Wake-on-LAN mode net/mlx5: IPsec, Fix esp modify function attribute net/mlx5: IPsec, fix memory leak at mlx5_fpga_ipsec_delete_sa_ctx net: macb: Remove unnecessary alignment check for TSO net: macb: Limit maximum GEM TX length in TSO net: dsa: b53: Always use dev->vlan_enabled in b53_configure_vlan() ext4: fix deadlock allocating crypto bounce page from mempool btrfs: use bool argument in free_root_pointers() btrfs: free block groups after free'ing fs trees drm: atmel-hlcdc: enable clock before configuring timing engine drm/dp_mst: Remove VCPI while disabling topology mgr btrfs: flush write bio if we loop in extent_write_cache_pages KVM: x86/mmu: Apply max PA check for MMIO sptes to 32-bit KVM KVM: x86: Use gpa_t for cr2/gpa to fix TDP support on 32-bit KVM KVM: VMX: Add non-canonical check on writes to RTIT address MSRs KVM: nVMX: vmread should not set rflags to specify success in case of #PF KVM: Use vcpu-specific gva->hva translation when querying host page size KVM: Play nice with read-only memslots when querying host page size mm: zero remaining unavailable struct pages mm: return zero_resv_unavail optimization mm/page_alloc.c: fix uninitialized memmaps on a partially populated last section cifs: fail i/o on soft mounts if sessionsetup errors out x86/apic/msi: Plug non-maskable MSI affinity race clocksource: Prevent double add_timer_on() for watchdog_timer perf/core: Fix mlock accounting in perf_mmap() rxrpc: Fix service call disconnection Linux 4.19.103 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I0d7f09085c3541373e0fd6b2e3ffacc5e34f7d55 |
||
Nathan Chancellor
|
0bde33e0a5 |
ppp: Adjust indentation into ppp_async_input
commit 08cbc75f96029d3092664213a844a5e25523aa35 upstream.
Clang warns:
../drivers/net/ppp/ppp_async.c:877:6: warning: misleading indentation;
statement is not part of the previous 'if' [-Wmisleading-indentation]
ap->rpkt = skb;
^
../drivers/net/ppp/ppp_async.c:875:5: note: previous statement is here
if (!skb)
^
1 warning generated.
This warning occurs because there is a space before the tab on this
line. Clean up this entire block's indentation so that it is consistent
with the Linux kernel coding style and clang no longer warns.
Fixes:
|
||
Greg Kroah-Hartman
|
7f1f24fed2 |
This is the 4.19.77 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl2YehoACgkQONu9yGCS aT536hAA0w6XF1ogPi23xS5BQ386c3BjWaOJddu0PFkR9utguuZaDG5AKjnkHtm2 foxKeCGyChCc1h6qFD2wLavsQMephzLWXkMw1/uXfwAPXGWY1hquD46zrFO0IYOc dsmKh5V8ZT70lmPTBHCDVowp1xUczNFhuNRHz1KzVQ3lsKMAhsRiy6vpsXWzIeOM VCrayI4jxTVZvoA9Odm9fTXpau0Qb9k4pqGGU84dz/xWfGzrz/AOmp+kWuZRGepS fQi+46HK3idmGGNBVGkJYkDdpkefdrYdjlVHkkoAZHlaB+QaOrre0trNArK+knRu jJIl8R/M50yYbkn97vVIpwoh19rV0BI7KUFKO4C4NCByOOV+9vjJ5g1FuZ7c3pmj XKZiBmFBJVqbI1uwgqEn+/Tv6DyEz4gUzo5GHOe2i/Bh2nSguHZzO+Yhat1U+J+Y 3QVfrIS10jICWBAqm147FepGtNxbCPP3plyqbJdrMwgM6GOMd83v+rY/5okB2YK4 SHhzuevQoxujjeoOgHKjIqTiCIaJMt5ZvlCFqODg8NgpjTNDAbCA/UUQWs7MlrqX 6uwH2QLwk3h+bEXUfGzsbsk5isTDpHr1ch6SI9T675JHRZCE461RoR82XpjLOyHD 90tBJk9pfKlLqSEyiaWPPpXErhoS5WCVKM5yuT/rSS/i2Ve4VH4= =Q+c9 -----END PGP SIGNATURE----- Merge 4.19.77 into android-4.19 Changes in 4.19.77 arcnet: provide a buffer big enough to actually receive packets cdc_ncm: fix divide-by-zero caused by invalid wMaxPacketSize macsec: drop skb sk before calling gro_cells_receive net/phy: fix DP83865 10 Mbps HDX loopback disable function net: qrtr: Stop rx_worker before freeing node net/sched: act_sample: don't push mac header on ip6gre ingress net_sched: add max len check for TCA_KIND nfp: flower: fix memory leak in nfp_flower_spawn_vnic_reprs openvswitch: change type of UPCALL_PID attribute to NLA_UNSPEC ppp: Fix memory leak in ppp_write sch_netem: fix a divide by zero in tabledist() skge: fix checksum byte order usbnet: ignore endpoints with invalid wMaxPacketSize usbnet: sanity checking of packet sizes and device mtu net: sched: fix possible crash in tcf_action_destroy() tcp: better handle TCP_USER_TIMEOUT in SYN_SENT state net/mlx5: Add device ID of upcoming BlueField-2 mISDN: enforce CAP_NET_RAW for raw sockets appletalk: enforce CAP_NET_RAW for raw sockets ax25: enforce CAP_NET_RAW for raw sockets ieee802154: enforce CAP_NET_RAW for raw sockets nfc: enforce CAP_NET_RAW for raw sockets nfp: flower: prevent memory leak in nfp_flower_spawn_phy_reprs ALSA: hda: Flush interrupts on disabling regulator: lm363x: Fix off-by-one n_voltages for lm3632 ldo_vpos/ldo_vneg ASoC: tlv320aic31xx: suppress error message for EPROBE_DEFER ASoC: sgtl5000: Fix of unmute outputs on probe ASoC: sgtl5000: Fix charge pump source assignment firmware: qcom_scm: Use proper types for dma mappings dmaengine: bcm2835: Print error in case setting DMA mask fails leds: leds-lp5562 allow firmware files up to the maximum length media: dib0700: fix link error for dibx000_i2c_set_speed media: mtk-cir: lower de-glitch counter for rc-mm protocol media: exynos4-is: fix leaked of_node references media: hdpvr: Add device num check and handling media: i2c: ov5640: Check for devm_gpiod_get_optional() error time/tick-broadcast: Fix tick_broadcast_offline() lockdep complaint sched/fair: Fix imbalance due to CPU affinity sched/core: Fix CPU controller for !RT_GROUP_SCHED x86/apic: Make apic_pending_intr_clear() more robust sched/deadline: Fix bandwidth accounting at all levels after offline migration x86/reboot: Always use NMI fallback when shutdown via reboot vector IPI fails x86/apic: Soft disable APIC before initializing it ALSA: hda - Show the fatal CORB/RIRB error more clearly ALSA: i2c: ak4xxx-adda: Fix a possible null pointer dereference in build_adc_controls() EDAC/mc: Fix grain_bits calculation media: iguanair: add sanity checks base: soc: Export soc_device_register/unregister APIs ALSA: usb-audio: Skip bSynchAddress endpoint check if it is invalid ia64:unwind: fix double free for mod->arch.init_unw_table EDAC/altera: Use the proper type for the IRQ status bits ASoC: rsnd: don't call clk_get_rate() under atomic context arm64/prefetch: fix a -Wtype-limits warning md/raid1: end bio when the device faulty md: don't call spare_active in md_reap_sync_thread if all member devices can't work md: don't set In_sync if array is frozen media: media/platform: fsl-viu.c: fix build for MICROBLAZE ACPI / processor: don't print errors for processorIDs == 0xff loop: Add LOOP_SET_DIRECT_IO to compat ioctl EDAC, pnd2: Fix ioremap() size in dnv_rd_reg() efi: cper: print AER info of PCIe fatal error firmware: arm_scmi: Check if platform has released shmem before using sched/fair: Use rq_lock/unlock in online_fair_sched_group idle: Prevent late-arriving interrupts from disrupting offline media: gspca: zero usb_buf on error perf config: Honour $PERF_CONFIG env var to specify alternate .perfconfig perf test vfs_getname: Disable ~/.perfconfig to get default output media: mtk-mdp: fix reference count on old device tree media: fdp1: Reduce FCP not found message level to debug media: em28xx: modules workqueue not inited for 2nd device media: rc: imon: Allow iMON RC protocol for ffdc 7e device dmaengine: iop-adma: use correct printk format strings perf record: Support aarch64 random socket_id assignment media: vsp1: fix memory leak of dl on error return path media: i2c: ov5645: Fix power sequence media: omap3isp: Don't set streaming state on random subdevs media: imx: mipi csi-2: Don't fail if initial state times-out net: lpc-enet: fix printk format strings m68k: Prevent some compiler warnings in Coldfire builds ARM: dts: imx7d: cl-som-imx7: make ethernet work again ARM: dts: imx7-colibri: disable HS400 media: radio/si470x: kill urb on error media: hdpvr: add terminating 0 at end of string ASoC: uniphier: Fix double reset assersion when transitioning to suspend state tools headers: Fixup bitsperlong per arch includes ASoC: sun4i-i2s: Don't use the oversample to calculate BCLK led: triggers: Fix a memory leak bug nbd: add missing config put media: mceusb: fix (eliminate) TX IR signal length limit media: dvb-frontends: use ida for pll number posix-cpu-timers: Sanitize bogus WARNONS media: dvb-core: fix a memory leak bug libperf: Fix alignment trap with xyarray contents in 'perf stat' EDAC/amd64: Recognize DRAM device type ECC capability EDAC/amd64: Decode syndrome before translating address PM / devfreq: passive: Use non-devm notifiers PM / devfreq: exynos-bus: Correct clock enable sequence media: cec-notifier: clear cec_adap in cec_notifier_unregister media: saa7146: add cleanup in hexium_attach() media: cpia2_usb: fix memory leaks media: saa7134: fix terminology around saa7134_i2c_eeprom_md7134_gate() perf trace beauty ioctl: Fix off-by-one error in cmd->string table media: ov9650: add a sanity check ASoC: es8316: fix headphone mixer volume table ACPI / CPPC: do not require the _PSD method sched/cpufreq: Align trace event behavior of fast switching x86/apic/vector: Warn when vector space exhaustion breaks affinity arm64: kpti: ensure patched kernel text is fetched from PoU x86/mm/pti: Do not invoke PTI functions when PTI is disabled ASoC: fsl_ssi: Fix clock control issue in master mode x86/mm/pti: Handle unaligned address gracefully in pti_clone_pagetable() nvmet: fix data units read and written counters in SMART log nvme-multipath: fix ana log nsid lookup when nsid is not found ALSA: firewire-motu: add support for MOTU 4pre iommu/amd: Silence warnings under memory pressure libata/ahci: Drop PCS quirk for Denverton and beyond iommu/iova: Avoid false sharing on fq_timer_on libtraceevent: Change users plugin directory ARM: dts: exynos: Mark LDO10 as always-on on Peach Pit/Pi Chromebooks ACPI: custom_method: fix memory leaks ACPI / PCI: fix acpi_pci_irq_enable() memory leak closures: fix a race on wakeup from closure_sync hwmon: (acpi_power_meter) Change log level for 'unsafe software power cap' md/raid1: fail run raid1 array when active disk less than one dmaengine: ti: edma: Do not reset reserved paRAM slots kprobes: Prohibit probing on BUG() and WARN() address s390/crypto: xts-aes-s390 fix extra run-time crypto self tests finding x86/cpu: Add Tiger Lake to Intel family platform/x86: intel_pmc_core: Do not ioremap RAM ASoC: dmaengine: Make the pcm->name equal to pcm->id if the name is not set raid5: don't set STRIPE_HANDLE to stripe which is in batch list mmc: core: Clarify sdio_irq_pending flag for MMC_CAP2_SDIO_IRQ_NOTHREAD mmc: sdhci: Fix incorrect switch to HS mode mmc: core: Add helper function to indicate if SDIO IRQs is enabled mmc: dw_mmc: Re-store SDIO IRQs mask at system resume raid5: don't increment read_errors on EILSEQ return libertas: Add missing sentinel at end of if_usb.c fw_table e1000e: add workaround for possible stalled packet ALSA: hda - Drop unsol event handler for Intel HDMI codecs drm/amd/powerplay/smu7: enforce minimal VBITimeout (v2) media: ttusb-dec: Fix info-leak in ttusb_dec_send_command() ALSA: hda/realtek - Blacklist PC beep for Lenovo ThinkCentre M73/93 iommu/amd: Override wrong IVRS IOAPIC on Raven Ridge systems btrfs: extent-tree: Make sure we only allocate extents from block groups with the same type media: omap3isp: Set device on omap3isp subdevs PM / devfreq: passive: fix compiler warning iwlwifi: fw: don't send GEO_TX_POWER_LIMIT command to FW version 36 ALSA: firewire-tascam: handle error code when getting current source of clock ALSA: firewire-tascam: check intermediate state of clock status and retry scsi: scsi_dh_rdac: zero cdb in send_mode_select() scsi: qla2xxx: Fix Relogin to prevent modifying scan_state flag printk: Do not lose last line in kmsg buffer dump IB/mlx5: Free mpi in mp_slave mode IB/hfi1: Define variables as unsigned long to fix KASAN warning randstruct: Check member structs in is_pure_ops_struct() Revert "ceph: use ceph_evict_inode to cleanup inode's resource" ceph: use ceph_evict_inode to cleanup inode's resource ALSA: hda/realtek - PCI quirk for Medion E4254 blk-mq: add callback of .cleanup_rq scsi: implement .cleanup_rq callback powerpc/imc: Dont create debugfs files for cpu-less nodes fuse: fix missing unlock_page in fuse_writepage() parisc: Disable HP HSC-PCI Cards to prevent kernel crash KVM: x86: always stop emulation on page fault KVM: x86: set ctxt->have_exception in x86_decode_insn() KVM: x86: Manually calculate reserved bits when loading PDPTRS media: sn9c20x: Add MSI MS-1039 laptop to flip_dmi_table media: don't drop front-end reference count for ->detach binfmt_elf: Do not move brk for INTERP-less ET_EXEC ASoC: Intel: NHLT: Fix debug print format ASoC: Intel: Skylake: Use correct function to access iomem space ASoC: Intel: Fix use of potentially uninitialized variable ARM: samsung: Fix system restart on S3C6410 ARM: zynq: Use memcpy_toio instead of memcpy on smp bring-up Revert "arm64: Remove unnecessary ISBs from set_{pte,pmd,pud}" arm64: tlb: Ensure we execute an ISB following walk cache invalidation arm64: dts: rockchip: limit clock rate of MMC controllers for RK3328 alarmtimer: Use EOPNOTSUPP instead of ENOTSUPP regulator: Defer init completion for a while after late_initcall efifb: BGRT: Improve efifb_bgrt_sanity_check gfs2: clear buf_in_tr when ending a transaction in sweep_bh_for_rgrps memcg, oom: don't require __GFP_FS when invoking memcg OOM killer memcg, kmem: do not fail __GFP_NOFAIL charges i40e: check __I40E_VF_DISABLE bit in i40e_sync_filters_subtask block: fix null pointer dereference in blk_mq_rq_timed_out() smb3: allow disabling requesting leases ovl: Fix dereferencing possible ERR_PTR() ovl: filter of trusted xattr results in audit btrfs: fix allocation of free space cache v1 bitmap pages Btrfs: fix use-after-free when using the tree modification log btrfs: Relinquish CPUs in btrfs_compare_trees btrfs: qgroup: Fix the wrong target io_tree when freeing reserved data space btrfs: qgroup: Fix reserved data space leak if we have multiple reserve calls Btrfs: fix race setting up and completing qgroup rescan workers md/raid6: Set R5_ReadError when there is read failure on parity disk md: don't report active array_state until after revalidate_disk() completes. md: only call set_in_sync() when it is expected to succeed. cfg80211: Purge frame registrations on iftype change /dev/mem: Bail out upon SIGKILL. ext4: fix warning inside ext4_convert_unwritten_extents_endio ext4: fix punch hole for inline_data file systems quota: fix wrong condition in is_quota_modification() hwrng: core - don't wait on add_early_randomness() i2c: riic: Clear NACK in tend isr CIFS: fix max ea value size CIFS: Fix oplock handling for SMB 2.1+ protocols md/raid0: avoid RAID0 data corruption due to layout confusion. fuse: fix deadlock with aio poll and fuse_iqueue::waitq.lock mm/compaction.c: clear total_{migrate,free}_scanned before scanning a new zone drm/amd/display: Restore backlight brightness after system resume Linux 4.19.77 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I2c74f09f497a4b45b244a7dd263c5116533dfccb |
||
Takeshi Misawa
|
1cd663adce |
ppp: Fix memory leak in ppp_write
[ Upstream commit 4c247de564f1ff614d11b3bb5313fb70d7b9598b ]
When ppp is closing, __ppp_xmit_process() failed to enqueue skb
and skb allocated in ppp_write() is leaked.
syzbot reported :
BUG: memory leak
unreferenced object 0xffff88812a17bc00 (size 224):
comm "syz-executor673", pid 6952, jiffies 4294942888 (age 13.040s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<00000000d110fff9>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
[<00000000d110fff9>] slab_post_alloc_hook mm/slab.h:522 [inline]
[<00000000d110fff9>] slab_alloc_node mm/slab.c:3262 [inline]
[<00000000d110fff9>] kmem_cache_alloc_node+0x163/0x2f0 mm/slab.c:3574
[<000000002d616113>] __alloc_skb+0x6e/0x210 net/core/skbuff.c:197
[<000000000167fc45>] alloc_skb include/linux/skbuff.h:1055 [inline]
[<000000000167fc45>] ppp_write+0x48/0x120 drivers/net/ppp/ppp_generic.c:502
[<000000009ab42c0b>] __vfs_write+0x43/0xa0 fs/read_write.c:494
[<00000000086b2e22>] vfs_write fs/read_write.c:558 [inline]
[<00000000086b2e22>] vfs_write+0xee/0x210 fs/read_write.c:542
[<00000000a2b70ef9>] ksys_write+0x7c/0x130 fs/read_write.c:611
[<00000000ce5e0fdd>] __do_sys_write fs/read_write.c:623 [inline]
[<00000000ce5e0fdd>] __se_sys_write fs/read_write.c:620 [inline]
[<00000000ce5e0fdd>] __x64_sys_write+0x1e/0x30 fs/read_write.c:620
[<00000000d9d7b370>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296
[<0000000006e6d506>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
Fix this by freeing skb, if ppp is closing.
Fixes:
|
||
Greg Kroah-Hartman
|
487e61785a |
This is the 4.19.66 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl1NlswACgkQONu9yGCS aT6bJBAAhlElptL5xPWWrkZdYBVyfcat3VaeEmtO7ilHxyvhFMFOE8zIYEg/NU5s ySM1yqdYvZY1ANawzIEH3es7eXy++GBBIVcRUPBuEVG/yv4/XyeX6MQYlDn3LuzI KsTAkkkqy4LLieqZTF5cqavu1EuUkQWkPxKW1ps9O5Dv24FRmKhj+EiIoEGt43Ln 6d8vChzS+ZWNhWMJd4zP8x5ZXjUUTYlBxveRQQ9yatTbzrQdfkxyD7k6+1K8se8T m9koOVJC9LtbR7W2WbVVq4L6ik3l3LQTr592kZVKiwyVgJtlul3LvqS0hNXcQxSj pwfbz+4b8UP4aRgRbMxzSRLOkb+hUOvYR+CuGLKx827b9FQcLNAbseRsA0MlPENF jJJUQSDollhx4knbYU+8Y2V1WtDi7Dnjt5gRvCvQ6rdrJMp1mFdqRGxfsdBaR10N kU+LaSfIheEvuRoTv535NpxvPQhmEqY6NTGwMYDP1xlvu4vQbWF+HAMhCLmTWrif i5ITtxYxSZOHNy7lvR7dNTMWsLoYg0KvG/oqJo8kSLmlBPcga+VK1YlPsc6JrfEG d4ft7rMz/Cx2oeUQfiURqi/XPwyIBaU6MbovLuQkVx9CJcwgYcmdFD0HRHZIEwgk z0q965POxm3DUoJF8HjBFNUOmlaYn9JZBmrwg5aFgwCy5Kot8g0= =aeth -----END PGP SIGNATURE----- Merge 4.19.66 into android-4.19 Changes in 4.19.66 scsi: fcoe: Embed fc_rport_priv in fcoe_rport structure gcc-9: don't warn about uninitialized variable driver core: Establish order of operations for device_add and device_del via bitflag drivers/base: Introduce kill_device() libnvdimm/bus: Prevent duplicate device_unregister() calls libnvdimm/region: Register badblocks before namespaces libnvdimm/bus: Prepare the nd_ioctl() path to be re-entrant libnvdimm/bus: Fix wait_nvdimm_bus_probe_idle() ABBA deadlock HID: wacom: fix bit shift for Cintiq Companion 2 HID: Add quirk for HP X1200 PIXART OEM mouse IB: directly cast the sockaddr union to aockaddr atm: iphase: Fix Spectre v1 vulnerability bnx2x: Disable multi-cos feature. ife: error out when nla attributes are empty ip6_gre: reload ipv6h in prepare_ip6gre_xmit_ipv6 ip6_tunnel: fix possible use-after-free on xmit ipip: validate header length in ipip_tunnel_xmit mlxsw: spectrum: Fix error path in mlxsw_sp_module_init() mvpp2: fix panic on module removal mvpp2: refactor MTU change code net: bridge: delete local fdb on device init failure net: bridge: mcast: don't delete permanent entries when fast leave is enabled net: fix ifindex collision during namespace removal net/mlx5e: always initialize frag->last_in_page net/mlx5: Use reversed order when unregister devices net: phylink: Fix flow control for fixed-link net: qualcomm: rmnet: Fix incorrect UL checksum offload logic net: sched: Fix a possible null-pointer dereference in dequeue_func() net sched: update vlan action for batched events operations net: sched: use temporary variable for actions indexes net/smc: do not schedule tx_work in SMC_CLOSED state NFC: nfcmrvl: fix gpio-handling regression ocelot: Cancel delayed work before wq destruction tipc: compat: allow tipc commands without arguments tun: mark small packets as owned by the tap sock net/mlx5: Fix modify_cq_in alignment net/mlx5e: Prevent encap flow counter update async to user query r8169: don't use MSI before RTL8168d compat_ioctl: pppoe: fix PPPOEIOCSFWD handling cgroup: Call cgroup_release() before __exit_signal() cgroup: Implement css_task_iter_skip() cgroup: Include dying leaders with live threads in PROCS iterations cgroup: css_task_iter_skip()'d iterators must be advanced before accessed cgroup: Fix css_task_iter_advance_css_set() cset skip condition spi: bcm2835: Fix 3-wire mode if DMA is enabled Linux 4.19.66 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Id33ce169af8bf14a3791040b4cf923832ce84f6c |
||
Arnd Bergmann
|
e6e9bcef12 |
compat_ioctl: pppoe: fix PPPOEIOCSFWD handling
[ Upstream commit 055d88242a6046a1ceac3167290f054c72571cd9 ]
Support for handling the PPPOEIOCSFWD ioctl in compat mode was added in
linux-2.5.69 along with hundreds of other commands, but was always broken
sincen only the structure is compatible, but the command number is not,
due to the size being sizeof(size_t), or at first sizeof(sizeof((struct
sockaddr_pppox)), which is different on 64-bit architectures.
Guillaume Nault adds:
And the implementation was broken until 2016 (see
|
||
Greg Kroah-Hartman
|
bafa20fa20 |
This is the 4.19.60 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAl00DjYACgkQONu9yGCS aT7O6hAAqqs1jm+vztbAJTyZPR+Vu7yGO1BukoyoqA3iUm7JPW0/Xamp+e/nOjq3 UrRKcn6WvIdDv22ikrR1qfFTFZYYCZfe4LWvzuUNsscr0dixW6iYoiSr5RDypH0C VIYZfEMaZ5G1R07jO7u8HWXAjAm+xqvxZRgARu9H0tk9As1+yW1kYFnQubdpIyoA 3zsTTQ+Dsyzc5mQQXBi88VnNpnI2PZGDAyaYmqfe7iuiIZ6qvjYZ245GygVb5Qlo 9yGKuxqRc7Lrd34f6t/0w2CwZuj8lbpt7twcdLXOjg/EjcouwBnX5smoq8oo5UIK kNSRsV0pfxhLt7EXViuRFduJIinViaYJY7guzWon3O9HXjO6OlUIhM65WRvwuxhz NuM1ctOfDqiyDzJ0NEp7tROsmkV3Un/DFHrePWGvcQ25lFxJMLtXUQDf/39cNkP2 iiWDSDOAXzgskfzpxmfRYyXO2/u2cjnmdUil27+/B54vYYM4XemBn07uc6zJZhJ/ spq2Hg/i/7gaAaoqRgoHvYLajlUytvetJMhdAZYhEpHL2/1gxE6SXI9LypV3096a FgdEfAghf0yY6FzaOXVb1PlqgbkigWtf8vo7Wmr25mNrg01678UTqGi2soCMhLXz OAGtOvPKcmD6wTY3gZlEzzVxoX0eCXUUVgK6TZFsMbmJb3+Y9yA= =Uqvz -----END PGP SIGNATURE----- Merge 4.19.60 into android-4.19 Changes in 4.19.60 Revert "e1000e: fix cyclic resets at link up with active tx" e1000e: start network tx queue only when link is up Input: synaptics - enable SMBUS on T480 thinkpad trackpad nilfs2: do not use unexported cpu_to_le32()/le32_to_cpu() in uapi header drivers: base: cacheinfo: Ensure cpu hotplug work is done before Intel RDT firmware: improve LSM/IMA security behaviour irqchip/gic-v3-its: Fix command queue pointer comparison bug clk: ti: clkctrl: Fix returning uninitialized data efi/bgrt: Drop BGRT status field reserved bits check perf/core: Fix perf_sample_regs_user() mm check ARM: dts: gemini Fix up DNS-313 compatible string ARM: omap2: remove incorrect __init annotation afs: Fix uninitialised spinlock afs_volume::cb_break_lock x86/apic: Fix integer overflow on 10 bit left shift of cpu_khz be2net: fix link failure after ethtool offline test ppp: mppe: Add softdep to arc4 sis900: fix TX completion ARM: dts: imx6ul: fix PWM[1-4] interrupts pinctrl: mcp23s08: Fix add_data and irqchip_add_nested call order dm table: don't copy from a NULL pointer in realloc_argv() dm verity: use message limit for data block corruption message x86/boot/64: Fix crash if kernel image crosses page table boundary x86/boot/64: Add missing fixup_pointer() for next_early_pgt access HID: chicony: add another quirk for PixArt mouse HID: multitouch: Add pointstick support for ALPS Touchpad pinctrl: mediatek: Ignore interrupts that are wake only during resume cpu/hotplug: Fix out-of-bounds read when setting fail state pinctrl: mediatek: Update cur_mask in mask/mask ops linux/kernel.h: fix overflow for DIV_ROUND_UP_ULL genirq: Delay deactivation in free_irq() genirq: Fix misleading synchronize_irq() documentation genirq: Add optional hardware synchronization for shutdown x86/ioapic: Implement irq_get_irqchip_state() callback x86/irq: Handle spurious interrupt after shutdown gracefully x86/irq: Seperate unused system vectors from spurious entry again ARC: hide unused function unw_hdr_alloc s390: fix stfle zero padding s390/qdio: (re-)initialize tiqdio list entries s390/qdio: don't touch the dsci in tiqdio_add_input_queues() crypto: talitos - move struct talitos_edesc into talitos.h crypto: talitos - fix hash on SEC1. crypto/NX: Set receive window credits to max number of CRBs in RxFIFO regmap-irq: do not write mask register if mask_base is zero drm/udl: introduce a macro to convert dev to udl. drm/udl: Replace drm_dev_unref with drm_dev_put drm/udl: move to embedding drm device inside udl device. x86/entry/32: Fix ENDPROC of common_spurious Linux 4.19.60 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I283306f8640e06b3ffe8bcdca1478a0fd3af77db |
||
Takashi Iwai
|
3232bccdde |
ppp: mppe: Add softdep to arc4
[ Upstream commit aad1dcc4f011ea409850e040363dff1e59aa4175 ] The arc4 crypto is mandatory at ppp_mppe probe time, so let's put a softdep line, so that the corresponding module gets prepared gracefully. Without this, a simple inclusion to initrd via dracut failed due to the missing dependency, for example. Signed-off-by: Takashi Iwai <tiwai@suse.de> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org> |
||
Greg Kroah-Hartman
|
aa07ecba6f |
This is the 4.19.46 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlzpbCYACgkQONu9yGCS aT6aJhAAjh1h5q6oRAWZ7k3CTbx7abpi3FwqlGsrinxRkwdDvy6TXTo8gBn0emS0 8TEiQXLm/6M3IGyR8m7w2TGxThyk5xtUqEbxldHwzU/wsZzJ8KegnQUbpmdmJtrh BnvPygwOSldm8fqNZsFNWNCwt0m9LqPm5m57lHOj4PsxRFkr6jVYjtrynTbyDBus fT4Dec/jD/0hZbP2aeS5YWNee1ElgiiRewU5q5+Dn8yIDlaX81hkiu+J/EUS/97n 8Irn7Zs7wgjEwVe9xz1SEqAO0TtDH7wgxV2JMcXMRCbj45vmiUPh9IrSqqhvjqbf Gr36rGyuA2AIlMlzppEgP8ZiL6b5/2+e0mZFVfV4Ck3zThWq/pi8xrNk/AGVbXSA yE7j7PMVC0Pr9zFOBEsdb6HEOkwy4drGlSWiGkN5jZ5/yexGT4LhEpoMwqSd6tZ8 p12OdVmrEYZyasKOEGyOLFvUWKDT+aClFXcnB0Vi3GNtw6K4aHJU1dtPcpeD+PvO qMY2ePAj3GXKcg+r4dQPcbO+xEer8JZS/clTXNVwArGMQ/KII6hz2XCeSXe+aVnA 5SJZQnyimgaEev1Y1C7VVYBa4T+S54O+tjvKhv4fuX4vL622rLkUmMJyb2XWNSIC HagZOcEN7PY9KWqaMiP5GtcumfAUQCtNfXY0QMYhR+9B2Sl2zGg= =P21c -----END PGP SIGNATURE----- Merge 4.19.46 into android-4.19 Changes in 4.19.46 ipv6: fix src addr routing with the exception table ipv6: prevent possible fib6 leaks net: Always descend into dsa/ net: avoid weird emergency message net/mlx4_core: Change the error print to info print net: test nouarg before dereferencing zerocopy pointers net: usb: qmi_wwan: add Telit 0x1260 and 0x1261 compositions nfp: flower: add rcu locks when accessing netdev for tunnels ppp: deflate: Fix possible crash in deflate_init rtnetlink: always put IFLA_LINK for links with a link-netnsid tipc: switch order of device registration to fix a crash vsock/virtio: free packets during the socket release tipc: fix modprobe tipc failed after switch order of device registration vsock/virtio: Initialize core virtio vsock before registering the driver net/mlx5: Imply MLXFW in mlx5_core net/mlx5e: Fix ethtool rxfh commands when CONFIG_MLX5_EN_RXNFC is disabled parisc: Export running_on_qemu symbol for modules parisc: Skip registering LED when running in QEMU parisc: Use PA_ASM_LEVEL in boot code parisc: Rename LEVEL to PA_ASM_LEVEL to avoid name clash with DRBD code stm class: Fix channel free in stm output free path stm class: Fix channel bitmap on 32-bit systems brd: re-enable __GFP_HIGHMEM in brd_insert_page() proc: prevent changes to overridden credentials Revert "MD: fix lock contention for flush bios" md: batch flush requests. md: add mddev->pers to avoid potential NULL pointer dereference dcache: sort the freeing-without-RCU-delay mess for good. intel_th: msu: Fix single mode with IOMMU p54: drop device reference count if fails to enable device of: fix clang -Wunsequenced for be32_to_cpu() cifs: fix strcat buffer overflow and reduce raciness in smb21_set_oplock_level() phy: ti-pipe3: fix missing bit-wise or operator when assigning val media: ov6650: Fix sensor possibly not detected on probe media: imx: csi: Allow unknown nearest upstream entities media: imx: Clear fwnode link struct for each endpoint iteration NFS4: Fix v4.0 client state corruption when mount PNFS fallback to MDS if no deviceid found clk: hi3660: Mark clk_gate_ufs_subsys as critical clk: tegra: Fix PLLM programming on Tegra124+ when PMC overrides divider clk: mediatek: Disable tuner_en before change PLL rate clk: rockchip: fix wrong clock definitions for rk3328 udlfb: delete the unused parameter for dlfb_handle_damage udlfb: fix sleeping inside spinlock udlfb: introduce a rendering mutex fuse: fix writepages on 32bit fuse: honor RLIMIT_FSIZE in fuse_file_fallocate ovl: fix missing upper fs freeze protection on copy up for ioctl iommu/tegra-smmu: Fix invalid ASID bits on Tegra30/114 ceph: flush dirty inodes before proceeding with remount x86_64: Add gap to int3 to allow for call emulation x86_64: Allow breakpoints to emulate call instructions ftrace/x86_64: Emulate call function while updating in breakpoint handler tracing: Fix partial reading of trace event's id file memory: tegra: Fix integer overflow on tick value calculation perf intel-pt: Fix instructions sampling rate perf intel-pt: Fix improved sample timestamp perf intel-pt: Fix sample timestamp wrt non-taken branches MIPS: perf: Fix build with CONFIG_CPU_BMIPS5000 enabled objtool: Allow AR to be overridden with HOSTAR fbdev/efifb: Ignore framebuffer memmap entries that lack any memory types fbdev: sm712fb: fix brightness control on reboot, don't set SR30 fbdev: sm712fb: fix VRAM detection, don't set SR70/71/74/75 fbdev: sm712fb: fix white screen of death on reboot, don't set CR3B-CR3F fbdev: sm712fb: fix boot screen glitch when sm712fb replaces VGA fbdev: sm712fb: fix crashes during framebuffer writes by correctly mapping VRAM fbdev: sm712fb: fix support for 1024x768-16 mode fbdev: sm712fb: use 1024x768 by default on non-MIPS, fix garbled display fbdev: sm712fb: fix crashes and garbled display during DPMS modesetting PCI: Mark AMD Stoney Radeon R7 GPU ATS as broken PCI: Mark Atheros AR9462 to avoid bus reset PCI: Init PCIe feature bits for managed host bridge alloc PCI/AER: Change pci_aer_init() stub to return void PCI: rcar: Add the initialization of PCIe link in resume_noirq() PCI: Factor out pcie_retrain_link() function PCI: Work around Pericom PCIe-to-PCI bridge Retrain Link erratum dm cache metadata: Fix loading discard bitset dm zoned: Fix zone report handling dm delay: fix a crash when invalid device is specified dm integrity: correctly calculate the size of metadata area dm mpath: always free attached_handler_name in parse_path() fuse: Add FOPEN_STREAM to use stream_open() xfrm: policy: Fix out-of-bound array accesses in __xfrm_policy_unlink xfrm6_tunnel: Fix potential panic when unloading xfrm6_tunnel module vti4: ipip tunnel deregistration fixes. xfrm: clean up xfrm protocol checks esp4: add length check for UDP encapsulation xfrm: Honor original L3 slave device in xfrmi policy lookup xfrm4: Fix uninitialized memory read in _decode_session4 clk: sunxi-ng: nkmp: Avoid GENMASK(-1, 0) power: supply: cpcap-battery: Fix division by zero securityfs: fix use-after-free on symlink traversal apparmorfs: fix use-after-free on symlink traversal PCI: Fix issue with "pci=disable_acs_redir" parameter being ignored x86: kvm: hyper-v: deal with buggy TLB flush requests from WS2012 mac80211: Fix kernel panic due to use of txq after free net: ieee802154: fix missing checks for regmap_update_bits KVM: arm/arm64: Ensure vcpu target is unset on reset failure power: supply: sysfs: prevent endless uevent loop with CONFIG_POWER_SUPPLY_DEBUG bpf: Fix preempt_enable_no_resched() abuse qmi_wwan: new Wistron, ZTE and D-Link devices iwlwifi: mvm: check for length correctness in iwl_mvm_create_skb() sched/cpufreq: Fix kobject memleak x86/mm/mem_encrypt: Disable all instrumentation for early SME setup ufs: fix braino in ufs_get_inode_gid() for solaris UFS flavour perf bench numa: Add define for RUSAGE_THREAD if not present perf/x86/intel: Fix race in intel_pmu_disable_event() Revert "Don't jump to compute_result state from check_result state" md/raid: raid5 preserve the writeback action after the parity check driver core: Postpone DMA tear-down until after devres release for probe failure Revert "selftests/bpf: skip verifier tests for unsupported program types" bpf: relax inode permission check for retrieving bpf program bpf: add map_lookup_elem_sys_only for lookups from syscall side bpf, lru: avoid messing with eviction heuristics upon syscall lookup fbdev: sm712fb: fix memory frequency by avoiding a switch/case fallthrough Linux 4.19.46 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
YueHaibing
|
c73ed24c38 |
ppp: deflate: Fix possible crash in deflate_init
[ Upstream commit 3ebe1bca58c85325c97a22d4fc3f5b5420752e6f ] BUG: unable to handle kernel paging request at ffffffffa018f000 PGD 3270067 P4D 3270067 PUD 3271063 PMD 2307eb067 PTE 0 Oops: 0000 [#1] PREEMPT SMP CPU: 0 PID: 4138 Comm: modprobe Not tainted 5.1.0-rc7+ #1 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.9.3-0-ge2fc41e-prebuilt.qemu-project.org 04/01/2014 RIP: 0010:ppp_register_compressor+0x3e/0xd0 [ppp_generic] Code: 98 4a 3f e2 48 8b 15 c1 67 00 00 41 8b 0c 24 48 81 fa 40 f0 19 a0 75 0e eb 35 48 8b 12 48 81 fa 40 f0 19 a0 74 RSP: 0018:ffffc90000d93c68 EFLAGS: 00010287 RAX: ffffffffa018f000 RBX: ffffffffa01a3000 RCX: 000000000000001a RDX: ffff888230c750a0 RSI: 0000000000000000 RDI: ffffffffa019f000 RBP: ffffc90000d93c80 R08: 0000000000000001 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa0194080 R13: ffff88822ee1a700 R14: 0000000000000000 R15: ffffc90000d93e78 FS: 00007f2339557540(0000) GS:ffff888237a00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: ffffffffa018f000 CR3: 000000022bde4000 CR4: 00000000000006f0 Call Trace: ? 0xffffffffa01a3000 deflate_init+0x11/0x1000 [ppp_deflate] ? 0xffffffffa01a3000 do_one_initcall+0x6c/0x3cc ? kmem_cache_alloc_trace+0x248/0x3b0 do_init_module+0x5b/0x1f1 load_module+0x1db1/0x2690 ? m_show+0x1d0/0x1d0 __do_sys_finit_module+0xc5/0xd0 __x64_sys_finit_module+0x15/0x20 do_syscall_64+0x6b/0x1d0 entry_SYSCALL_64_after_hwframe+0x49/0xbe If ppp_deflate fails to register in deflate_init, module initialization failed out, however ppp_deflate_draft may has been regiestred and not unregistered before return. Then the seconed modprobe will trigger crash like this. Reported-by: Hulk Robot <hulkci@huawei.com> Signed-off-by: YueHaibing <yuehaibing@huawei.com> Acked-by: Guillaume Nault <gnault@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Greg Kroah-Hartman
|
4afd597192 |
This is the 4.19.30 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlyQ3LoACgkQONu9yGCS aT5Y5g/+N1arp6Uk2IsKLVnNlKeKHZpZjAtKao/XET9ZiG1f69C2C/kIQXA4++w9 tdp5giX6FfOEVOLWZx1yNWR1HjSshAGgRgantpzRVJjlobhvKqLi8m7S32+2t/wn bxXelQb3tg/xshUVKesH1Po/y0M7776rpZACJQcqPRoft4a6PULnMn8ou3D8KQ4q j0bexgW8nM/Gf2t6+dLBpITiW+v4dOc8t/9vko5Dg7/RlNpHRzo9a/JCmuZeujJZ EECisCBPOx/DY2CTshC6r4T9IeVQn8TT7845H/yuwrPrAuignrvflN800S06AfGr 2n0m2fyarXMGAVTWomxXVMYIUr+rAco+vYAgf9TRNELOYgvT0Qw2qesQSSNTvjdE C1H3i8UMlyg0L4/vn+s+2ZPR72uxgZegFEV7YBKmX8nph3lGABX1uw58mv+rAwEh ZKMyiWnNhx06iue8Tl+73qRYpV9JdxiJ1MoJXP7KWHLvSa9eXZ1G0G3RCyXeZrgn 6AczWAmLv1qX3FeiHxECXmCJZwQssSZLHq+k6F/CFjlfIVo3jQzVprA8UNdEIHZA TOImur2fWuIU4Yqn4SHspZSxPX1W+tGq797841aaqhX4T3PZSQwd6493DoMiZDbM auDrIcFhBzoRJscSkyAbj3Vdo5AzSOcAoveAJNJrsUQUzGFOdQ8= =0Uqy -----END PGP SIGNATURE----- Merge 4.19.30 into android-4.19 Changes in 4.19.30 connector: fix unsafe usage of ->real_parent gro_cells: make sure device is up in gro_cells_receive() ipv4/route: fail early when inet dev is missing l2tp: fix infoleak in l2tp_ip6_recvmsg() lan743x: Fix RX Kernel Panic lan743x: Fix TX Stall Issue net: hsr: fix memory leak in hsr_dev_finalize() net/hsr: fix possible crash in add_timer() net: sit: fix UBSAN Undefined behaviour in check_6rd net/x25: fix use-after-free in x25_device_event() net/x25: reset state in x25_connect() pptp: dst_release sk_dst_cache in pptp_sock_destruct ravb: Decrease TxFIFO depth of Q3 and Q2 to one route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race rxrpc: Fix client call queueing, waiting for channel sctp: remove sched init from sctp_stream_init tcp: do not report TCP_CM_INQ of 0 for closed connections tcp: Don't access TCP_SKB_CB before initializing it tcp: handle inet_csk_reqsk_queue_add() failures vxlan: Fix GRO cells race condition between receive and link delete vxlan: test dev->flags & IFF_UP before calling gro_cells_receive() net/mlx4_core: Fix reset flow when in command polling mode net/mlx4_core: Fix locking in SRIOV mode when switching between events and polling net/mlx4_core: Fix qp mtt size calculation net/x25: fix a race in x25_bind() mdio_bus: Fix use-after-free on device_register fails net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255 ipv6: route: purge exception on removal team: use operstate consistently for linkup ipvlan: disallow userns cap_net_admin to change global mode/flags ipv6: route: enforce RCU protection in rt6_update_exception_stamp_rt() ipv6: route: enforce RCU protection in ip6_route_check_nh_onlink() bonding: fix PACKET_ORIGDEV regression net/smc: fix smc_poll in SMC_INIT state missing barriers in some of unix_sock ->addr and ->path accesses net: sched: flower: insert new filter to idr after setting its mask f2fs: wait on atomic writes to count F2FS_CP_WB_DATA perf/x86: Fixup typo in stub functions ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56 ALSA: firewire-motu: fix construction of PCM frame for capture direction ALSA: hda: Extend i915 component bind timeout ALSA: hda - add more quirks for HP Z2 G4 and HP Z240 ALSA: hda/realtek: Enable audio jacks of ASUS UX362FA with ALC294 ALSA: hda/realtek - Reduce click noise on Dell Precision 5820 headphone ALSA: hda/realtek: Enable headset MIC of Acer TravelMate X514-51T with ALC255 perf/x86/intel: Fix memory corruption perf/x86/intel: Make dev_attr_allow_tsx_force_abort static It's wrong to add len to sector_nr in raid10 reshape twice drm: Block fb changes for async plane updates staging: erofs: fix race when the managed cache is enabled i40e: report correct statistics when XDP is enabled vhost/vsock: fix vhost vsock cid hashing inconsistent Linux 4.19.30 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Xin Long
|
34dc08b9e9 |
pptp: dst_release sk_dst_cache in pptp_sock_destruct
[ Upstream commit 9417d81f4f8adfe20a12dd1fadf73a618cbd945d ]
sk_setup_caps() is called to set sk->sk_dst_cache in pptp_connect,
so we have to dst_release(sk->sk_dst_cache) in pptp_sock_destruct,
otherwise, the dst refcnt will leak.
It can be reproduced by this syz log:
r1 = socket$pptp(0x18, 0x1, 0x2)
bind$pptp(r1, &(0x7f0000000100)={0x18, 0x2, {0x0, @local}}, 0x1e)
connect$pptp(r1, &(0x7f0000000000)={0x18, 0x2, {0x3, @remote}}, 0x1e)
Consecutive dmesg warnings will occur:
unregister_netdevice: waiting for lo to become free. Usage count = 1
v1->v2:
- use rcu_dereference_protected() instead of rcu_dereference_check(),
as suggested by Eric.
Fixes:
|
||
Greg Kroah-Hartman
|
18ba00a34e |
This is the 4.19.19 stable release
-----BEGIN PGP SIGNATURE----- iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlxSoGgACgkQONu9yGCS aT5IShAAmr4efAHaepYtsEM5q7hpYwdIXauhfmVzYS1KITQ0L+FSO6b6r18/X/Xu ZnGr87x9s7rzTwbgW9EK+cPBE7tVI3Tlem1prTSAQLneiv2zN/iTvJigWGUmifB/ +xldQxiM1S8j6dlVTu0lFl9P8voJ/zFA1II1DV4KJYiPX2lfVis77Tolcd/3TUJ4 V67abXHeAsLc+bU8kcMxamVievyQndwVlMT4XjStJyl6xy1zDozgiNwphyLqT7yc GY0H4jCbFNLfhZlMQgpHanvXzHshbJ4VtMNnjmUApplftzrVf864rgi+sRcoHWK/ Q6ER8LtgFYoqwG1ZjLUIEMChjhs/Xv+FLHWsCvCIkINyzo0PSgubnbYQVccXkBmB XSZ62YTh9sdQtdihWUly0Gr53yMvSn9+ndwJjvBDEErjC9b/D9jOLMcY1L/cCDaQ J34dp6ES+6YdQjAu0TEwuuJHMdGR+BvtKgGIL7V6ujxZhuU39eaJ0QLZktsmIO12 qWQyUKaLA450Qqiqza7foTWAVM6nFu9fd9xsZUKZV6lNnFjKYy/vWjhHsMCR8eKi aojGiRVRNnrlIwgk9h7H4EiuRkK3CJFc9jyZhA6u05NLMdIjD9YuLaMLHuSN0R+m lSgdmM3dVC4gyosKZHGdwzX/ytHTQiA8QRb4SWEnck7piKyWplg= =/rR0 -----END PGP SIGNATURE----- Merge 4.19.19 into android-4.19 Changes in 4.19.19 amd-xgbe: Fix mdio access for non-zero ports and clause 45 PHYs net: bridge: Fix ethernet header pointer before check skb forwardable net: Fix usage of pskb_trim_rcsum net: phy: marvell: Errata for mv88e6390 internal PHYs net: phy: mdio_bus: add missing device_del() in mdiobus_register() error handling net/sched: act_tunnel_key: fix memory leak in case of action replace net_sched: refetch skb protocol for each filter openvswitch: Avoid OOB read when parsing flow nlattrs vhost: log dirty page correctly mlxsw: pci: Increase PCI SW reset timeout net: ipv4: Fix memory leak in network namespace dismantle mlxsw: spectrum_fid: Update dummy FID index mlxsw: pci: Ring CQ's doorbell before RDQ's net/sched: cls_flower: allocate mask dynamically in fl_change() udp: with udp_segment release on error path ip6_gre: fix tunnel list corruption for x-netns erspan: build the header with the right proto according to erspan_ver net: phy: marvell: Fix deadlock from wrong locking ip6_gre: update version related info when changing link tcp: allow MSG_ZEROCOPY transmission also in CLOSE_WAIT state mei: me: mark LBG devices as having dma support mei: me: add denverton innovation engine device IDs USB: leds: fix regression in usbport led trigger USB: serial: simple: add Motorola Tetra TPG2200 device id USB: serial: pl2303: add new PID to support PL2303TB ceph: clear inode pointer when snap realm gets dropped by its inode ASoC: atom: fix a missing check of snd_pcm_lib_malloc_pages ASoC: rt5514-spi: Fix potential NULL pointer dereference ASoC: tlv320aic32x4: Kernel OOPS while entering DAPM standby mode clk: socfpga: stratix10: fix rate calculation for pll clocks clk: socfpga: stratix10: fix naming convention for the fixed-clocks inotify: Fix fd refcount leak in inotify_add_watch(). ALSA: hda/realtek - Fix typo for ALC225 model ALSA: hda - Add mute LED support for HP ProBook 470 G5 ARCv2: lib: memeset: fix doing prefetchw outside of buffer ARC: adjust memblock_reserve of kernel memory ARC: perf: map generic branches to correct hardware condition s390/mm: always force a load of the primary ASCE on context switch s390/early: improve machine detection s390/smp: fix CPU hotplug deadlock with CPU rescan misc: ibmvsm: Fix potential NULL pointer dereference char/mwave: fix potential Spectre v1 vulnerability mmc: dw_mmc-bluefield: : Fix the license information mmc: meson-gx: Free irq in release() callback staging: rtl8188eu: Add device code for D-Link DWA-121 rev B1 tty: Handle problem if line discipline does not have receive_buf uart: Fix crash in uart_write and uart_put_char tty/n_hdlc: fix __might_sleep warning hv_balloon: avoid touching uninitialized struct page during tail onlining Drivers: hv: vmbus: Check for ring when getting debug info vgacon: unconfuse vc_origin when using soft scrollback CIFS: Fix possible hang during async MTU reads and writes CIFS: Fix credits calculations for reads with errors CIFS: Fix credit calculation for encrypted reads with errors CIFS: Do not reconnect TCP session in add_credits() smb3: add credits we receive from oplock/break PDUs Input: xpad - add support for SteelSeries Stratus Duo Input: input_event - provide override for sparc64 Input: uinput - fix undefined behavior in uinput_validate_absinfo() acpi/nfit: Block function zero DSMs acpi/nfit: Fix command-supported detection scsi: ufs: Use explicit access size in ufshcd_dump_regs dm thin: fix passdown_double_checking_shared_status() dm crypt: fix parsing of extended IV arguments drm/amdgpu: Add APTX quirk for Lenovo laptop KVM: x86: Fix single-step debugging KVM: x86: Fix PV IPIs for 32-bit KVM host KVM: x86: WARN_ONCE if sending a PV IPI returns a fatal error kvm: x86/vmx: Use kzalloc for cached_vmcs12 KVM/nVMX: Do not validate that posted_intr_desc_addr is page aligned x86/pkeys: Properly copy pkey state at fork() x86/selftests/pkeys: Fork() to check for state being preserved x86/kaslr: Fix incorrect i8254 outb() parameters x86/entry/64/compat: Fix stack switching for XEN PV posix-cpu-timers: Unbreak timer rearming net: sun: cassini: Cleanup license conflict irqchip/gic-v3-its: Align PCI Multi-MSI allocation on their size can: dev: __can_get_echo_skb(): fix bogous check for non-existing skb by removing it can: bcm: check timer values before ktime conversion can: flexcan: fix NULL pointer exception during bringup vt: make vt_console_print() compatible with the unicode screen buffer vt: always call notifier with the console lock held vt: invoke notifier on screen size change drm/meson: Fix atomic mode switching regression bpf: improve verifier branch analysis bpf: add per-insn complexity limit bpf: move {prev_,}insn_idx into verifier env bpf: move tmp variable into ax register in interpreter bpf: enable access to ax register also from verifier rewrite bpf: restrict map value pointer arithmetic for unprivileged bpf: restrict stack pointer arithmetic for unprivileged bpf: restrict unknown scalars of mixed signed bounds for unprivileged bpf: fix check_map_access smin_value test when pointer contains offset bpf: prevent out of bounds speculation on pointer arithmetic bpf: fix sanitation of alu op with pointer / scalar type from different paths bpf: fix inner map masking to prevent oob under speculation s390/smp: Fix calling smp_call_ipl_cpu() from ipl CPU nvmet-rdma: Add unlikely for response allocated check nvmet-rdma: fix null dereference under heavy load Revert "mm, memory_hotplug: initialize struct pages for the full memory section" usb: dwc3: gadget: Clear req->needs_extra_trb flag on cleanup ide: fix a typo in the settings proc file name Input: input_event - fix the CONFIG_SPARC64 mixup Linux 4.19.19 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> |
||
Ross Lagerwall
|
40f2f08030 |
net: Fix usage of pskb_trim_rcsum
[ Upstream commit 6c57f0458022298e4da1729c67bd33ce41c14e7a ] In certain cases, pskb_trim_rcsum() may change skb pointers. Reinitialize header pointers afterwards to avoid potential use-after-frees. Add a note in the documentation of pskb_trim_rcsum(). Found by KASAN. Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Sam Protsenko
|
c29a889a73 |
UPSTREAM: ppp: Move PFC decompression to PPP generic layer
Extract "Protocol" field decompression code from transport protocols to PPP generic layer, where it actually belongs. As a consequence, this patch fixes incorrect place of PFC decompression in L2TP driver (when it's not PPPOX_BOUND) and also enables this decompression for other protocols, like PPPoE. Protocol field decompression also happens in PPP Multilink Protocol code and in PPP compression protocols implementations (bsd, deflate, mppe). It looks like there is no easy way to get rid of that, so it was decided to leave it as is, but provide those cases with appropriate comments instead. Changes in v2: - Fix the order of checking skb data room and proto decompression - Remove "inline" keyword from ppp_decompress_proto() - Don't split line before function name - Prefix ppp_decompress_proto() function with "__" - Add ppp_decompress_proto() function with skb data room checks - Add description for introduced functions - Fix comments (as per review on mailing list) Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org> Reviewed-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net> (cherry picked from commit 7fb1b8ca8fa1ee34ffc328f17f78da68c7cc04e6) Bug: 116424816 Change-Id: Iece88d4104e9a7acc9bfe098a20ba4efcedecad6 Signed-off-by: Sam Protsenko <semen.protsenko@linaro.org> |
||
Guillaume Nault
|
8540827eba |
pppoe: fix reception of frames with no mac header
pppoe_rcv() needs to look back at the Ethernet header in order to
lookup the PPPoE session. Therefore we need to ensure that the mac
header is big enough to contain an Ethernet header. Otherwise
eth_hdr(skb)->h_source might access invalid data.
==================================================================
BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline]
BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline]
BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:17 [inline]
dump_stack+0x185/0x1d0 lib/dump_stack.c:53
kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
__msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
__get_item drivers/net/ppp/pppoe.c:172 [inline]
get_item drivers/net/ppp/pppoe.c:236 [inline]
pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
__netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562
__netif_receive_skb net/core/dev.c:4627 [inline]
netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
netif_receive_skb+0x230/0x240 net/core/dev.c:4725
tun_rx_batched drivers/net/tun.c:1555 [inline]
tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962
tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
call_write_iter include/linux/fs.h:1782 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x7fb/0x9f0 fs/read_write.c:482
vfs_write+0x463/0x8d0 fs/read_write.c:544
SYSC_write+0x172/0x360 fs/read_write.c:589
SyS_write+0x55/0x80 fs/read_write.c:581
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4447c9
RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9
RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004
RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda
R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0
R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
Uninit was created at:
kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
slab_post_alloc_hook mm/slab.h:445 [inline]
slab_alloc_node mm/slub.c:2737 [inline]
__kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
__kmalloc_reserve net/core/skbuff.c:138 [inline]
__alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
alloc_skb include/linux/skbuff.h:984 [inline]
alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
tun_alloc_skb drivers/net/tun.c:1532 [inline]
tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829
tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
call_write_iter include/linux/fs.h:1782 [inline]
new_sync_write fs/read_write.c:469 [inline]
__vfs_write+0x7fb/0x9f0 fs/read_write.c:482
vfs_write+0x463/0x8d0 fs/read_write.c:544
SYSC_write+0x172/0x360 fs/read_write.c:589
SyS_write+0x55/0x80 fs/read_write.c:581
do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
entry_SYSCALL_64_after_hwframe+0x3d/0xa2
==================================================================
Fixes:
|
||
Kees Cook
|
a394b3af20 |
ppp: mppe: Remove VLA usage
In the quest to remove all stack VLA usage from the kernel[1], this removes the discouraged use of AHASH_REQUEST_ON_STACK (and associated VLA) by switching to shash directly and keeping the associated descriptor allocated with the regular state on the heap. [1] https://lkml.kernel.org/r/CA+55aFzCG-zNmZwX4A2FQpadafLfEzK6CC=qPXydAacU1RqZWA@mail.gmail.com Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Arnd Bergmann <arnd@arndb.de> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Linus Torvalds
|
a11e1d432b |
Revert changes to convert to ->poll_mask() and aio IOCB_CMD_POLL
The poll() changes were not well thought out, and completely unexplained. They also caused a huge performance regression, because "->poll()" was no longer a trivial file operation that just called down to the underlying file operations, but instead did at least two indirect calls. Indirect calls are sadly slow now with the Spectre mitigation, but the performance problem could at least be largely mitigated by changing the "->get_poll_head()" operation to just have a per-file-descriptor pointer to the poll head instead. That gets rid of one of the new indirections. But that doesn't fix the new complexity that is completely unwarranted for the regular case. The (undocumented) reason for the poll() changes was some alleged AIO poll race fixing, but we don't make the common case slower and more complex for some uncommon special case, so this all really needs way more explanations and most likely a fundamental redesign. [ This revert is a revert of about 30 different commits, not reverted individually because that would just be unnecessarily messy - Linus ] Cc: Al Viro <viro@zeniv.linux.org.uk> Cc: Christoph Hellwig <hch@lst.de> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Kees Cook
|
fad953ce0b |
treewide: Use array_size() in vzalloc()
The vzalloc() function has no 2-factor argument form, so multiplication factors need to be wrapped in array_size(). This patch replaces cases of: vzalloc(a * b) with: vzalloc(array_size(a, b)) as well as handling cases of: vzalloc(a * b * c) with: vzalloc(array3_size(a, b, c)) This does, however, attempt to ignore constant size factors like: vzalloc(4 * 1024) though any constants defined via macros get caught up in the conversion. Any factors with a sizeof() of "unsigned char", "char", and "u8" were dropped, since they're redundant. The Coccinelle script used for this was: // Fix redundant parens around sizeof(). @@ type TYPE; expression THING, E; @@ ( vzalloc( - (sizeof(TYPE)) * E + sizeof(TYPE) * E , ...) | vzalloc( - (sizeof(THING)) * E + sizeof(THING) * E , ...) ) // Drop single-byte sizes and redundant parens. @@ expression COUNT; typedef u8; typedef __u8; @@ ( vzalloc( - sizeof(u8) * (COUNT) + COUNT , ...) | vzalloc( - sizeof(__u8) * (COUNT) + COUNT , ...) | vzalloc( - sizeof(char) * (COUNT) + COUNT , ...) | vzalloc( - sizeof(unsigned char) * (COUNT) + COUNT , ...) | vzalloc( - sizeof(u8) * COUNT + COUNT , ...) | vzalloc( - sizeof(__u8) * COUNT + COUNT , ...) | vzalloc( - sizeof(char) * COUNT + COUNT , ...) | vzalloc( - sizeof(unsigned char) * COUNT + COUNT , ...) ) // 2-factor product with sizeof(type/expression) and identifier or constant. @@ type TYPE; expression THING; identifier COUNT_ID; constant COUNT_CONST; @@ ( vzalloc( - sizeof(TYPE) * (COUNT_ID) + array_size(COUNT_ID, sizeof(TYPE)) , ...) | vzalloc( - sizeof(TYPE) * COUNT_ID + array_size(COUNT_ID, sizeof(TYPE)) , ...) | vzalloc( - sizeof(TYPE) * (COUNT_CONST) + array_size(COUNT_CONST, sizeof(TYPE)) , ...) | vzalloc( - sizeof(TYPE) * COUNT_CONST + array_size(COUNT_CONST, sizeof(TYPE)) , ...) | vzalloc( - sizeof(THING) * (COUNT_ID) + array_size(COUNT_ID, sizeof(THING)) , ...) | vzalloc( - sizeof(THING) * COUNT_ID + array_size(COUNT_ID, sizeof(THING)) , ...) | vzalloc( - sizeof(THING) * (COUNT_CONST) + array_size(COUNT_CONST, sizeof(THING)) , ...) | vzalloc( - sizeof(THING) * COUNT_CONST + array_size(COUNT_CONST, sizeof(THING)) , ...) ) // 2-factor product, only identifiers. @@ identifier SIZE, COUNT; @@ vzalloc( - SIZE * COUNT + array_size(COUNT, SIZE) , ...) // 3-factor product with 1 sizeof(type) or sizeof(expression), with // redundant parens removed. @@ expression THING; identifier STRIDE, COUNT; type TYPE; @@ ( vzalloc( - sizeof(TYPE) * (COUNT) * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | vzalloc( - sizeof(TYPE) * (COUNT) * STRIDE + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | vzalloc( - sizeof(TYPE) * COUNT * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | vzalloc( - sizeof(TYPE) * COUNT * STRIDE + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | vzalloc( - sizeof(THING) * (COUNT) * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | vzalloc( - sizeof(THING) * (COUNT) * STRIDE + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | vzalloc( - sizeof(THING) * COUNT * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | vzalloc( - sizeof(THING) * COUNT * STRIDE + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) ) // 3-factor product with 2 sizeof(variable), with redundant parens removed. @@ expression THING1, THING2; identifier COUNT; type TYPE1, TYPE2; @@ ( vzalloc( - sizeof(TYPE1) * sizeof(TYPE2) * COUNT + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2)) , ...) | vzalloc( - sizeof(TYPE1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2)) , ...) | vzalloc( - sizeof(THING1) * sizeof(THING2) * COUNT + array3_size(COUNT, sizeof(THING1), sizeof(THING2)) , ...) | vzalloc( - sizeof(THING1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(THING1), sizeof(THING2)) , ...) | vzalloc( - sizeof(TYPE1) * sizeof(THING2) * COUNT + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2)) , ...) | vzalloc( - sizeof(TYPE1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2)) , ...) ) // 3-factor product, only identifiers, with redundant parens removed. @@ identifier STRIDE, SIZE, COUNT; @@ ( vzalloc( - (COUNT) * STRIDE * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | vzalloc( - COUNT * (STRIDE) * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | vzalloc( - COUNT * STRIDE * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | vzalloc( - (COUNT) * (STRIDE) * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | vzalloc( - COUNT * (STRIDE) * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | vzalloc( - (COUNT) * STRIDE * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | vzalloc( - (COUNT) * (STRIDE) * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | vzalloc( - COUNT * STRIDE * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) ) // Any remaining multi-factor products, first at least 3-factor products // when they're not all constants... @@ expression E1, E2, E3; constant C1, C2, C3; @@ ( vzalloc(C1 * C2 * C3, ...) | vzalloc( - E1 * E2 * E3 + array3_size(E1, E2, E3) , ...) ) // And then all remaining 2 factors products when they're not all constants. @@ expression E1, E2; constant C1, C2; @@ ( vzalloc(C1 * C2, ...) | vzalloc( - E1 * E2 + array_size(E1, E2) , ...) ) Signed-off-by: Kees Cook <keescook@chromium.org> |
||
Kees Cook
|
42bc47b353 |
treewide: Use array_size() in vmalloc()
The vmalloc() function has no 2-factor argument form, so multiplication factors need to be wrapped in array_size(). This patch replaces cases of: vmalloc(a * b) with: vmalloc(array_size(a, b)) as well as handling cases of: vmalloc(a * b * c) with: vmalloc(array3_size(a, b, c)) This does, however, attempt to ignore constant size factors like: vmalloc(4 * 1024) though any constants defined via macros get caught up in the conversion. Any factors with a sizeof() of "unsigned char", "char", and "u8" were dropped, since they're redundant. The Coccinelle script used for this was: // Fix redundant parens around sizeof(). @@ type TYPE; expression THING, E; @@ ( vmalloc( - (sizeof(TYPE)) * E + sizeof(TYPE) * E , ...) | vmalloc( - (sizeof(THING)) * E + sizeof(THING) * E , ...) ) // Drop single-byte sizes and redundant parens. @@ expression COUNT; typedef u8; typedef __u8; @@ ( vmalloc( - sizeof(u8) * (COUNT) + COUNT , ...) | vmalloc( - sizeof(__u8) * (COUNT) + COUNT , ...) | vmalloc( - sizeof(char) * (COUNT) + COUNT , ...) | vmalloc( - sizeof(unsigned char) * (COUNT) + COUNT , ...) | vmalloc( - sizeof(u8) * COUNT + COUNT , ...) | vmalloc( - sizeof(__u8) * COUNT + COUNT , ...) | vmalloc( - sizeof(char) * COUNT + COUNT , ...) | vmalloc( - sizeof(unsigned char) * COUNT + COUNT , ...) ) // 2-factor product with sizeof(type/expression) and identifier or constant. @@ type TYPE; expression THING; identifier COUNT_ID; constant COUNT_CONST; @@ ( vmalloc( - sizeof(TYPE) * (COUNT_ID) + array_size(COUNT_ID, sizeof(TYPE)) , ...) | vmalloc( - sizeof(TYPE) * COUNT_ID + array_size(COUNT_ID, sizeof(TYPE)) , ...) | vmalloc( - sizeof(TYPE) * (COUNT_CONST) + array_size(COUNT_CONST, sizeof(TYPE)) , ...) | vmalloc( - sizeof(TYPE) * COUNT_CONST + array_size(COUNT_CONST, sizeof(TYPE)) , ...) | vmalloc( - sizeof(THING) * (COUNT_ID) + array_size(COUNT_ID, sizeof(THING)) , ...) | vmalloc( - sizeof(THING) * COUNT_ID + array_size(COUNT_ID, sizeof(THING)) , ...) | vmalloc( - sizeof(THING) * (COUNT_CONST) + array_size(COUNT_CONST, sizeof(THING)) , ...) | vmalloc( - sizeof(THING) * COUNT_CONST + array_size(COUNT_CONST, sizeof(THING)) , ...) ) // 2-factor product, only identifiers. @@ identifier SIZE, COUNT; @@ vmalloc( - SIZE * COUNT + array_size(COUNT, SIZE) , ...) // 3-factor product with 1 sizeof(type) or sizeof(expression), with // redundant parens removed. @@ expression THING; identifier STRIDE, COUNT; type TYPE; @@ ( vmalloc( - sizeof(TYPE) * (COUNT) * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | vmalloc( - sizeof(TYPE) * (COUNT) * STRIDE + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | vmalloc( - sizeof(TYPE) * COUNT * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | vmalloc( - sizeof(TYPE) * COUNT * STRIDE + array3_size(COUNT, STRIDE, sizeof(TYPE)) , ...) | vmalloc( - sizeof(THING) * (COUNT) * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | vmalloc( - sizeof(THING) * (COUNT) * STRIDE + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | vmalloc( - sizeof(THING) * COUNT * (STRIDE) + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) | vmalloc( - sizeof(THING) * COUNT * STRIDE + array3_size(COUNT, STRIDE, sizeof(THING)) , ...) ) // 3-factor product with 2 sizeof(variable), with redundant parens removed. @@ expression THING1, THING2; identifier COUNT; type TYPE1, TYPE2; @@ ( vmalloc( - sizeof(TYPE1) * sizeof(TYPE2) * COUNT + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2)) , ...) | vmalloc( - sizeof(TYPE1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(TYPE1), sizeof(TYPE2)) , ...) | vmalloc( - sizeof(THING1) * sizeof(THING2) * COUNT + array3_size(COUNT, sizeof(THING1), sizeof(THING2)) , ...) | vmalloc( - sizeof(THING1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(THING1), sizeof(THING2)) , ...) | vmalloc( - sizeof(TYPE1) * sizeof(THING2) * COUNT + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2)) , ...) | vmalloc( - sizeof(TYPE1) * sizeof(THING2) * (COUNT) + array3_size(COUNT, sizeof(TYPE1), sizeof(THING2)) , ...) ) // 3-factor product, only identifiers, with redundant parens removed. @@ identifier STRIDE, SIZE, COUNT; @@ ( vmalloc( - (COUNT) * STRIDE * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | vmalloc( - COUNT * (STRIDE) * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | vmalloc( - COUNT * STRIDE * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | vmalloc( - (COUNT) * (STRIDE) * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) | vmalloc( - COUNT * (STRIDE) * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | vmalloc( - (COUNT) * STRIDE * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | vmalloc( - (COUNT) * (STRIDE) * (SIZE) + array3_size(COUNT, STRIDE, SIZE) , ...) | vmalloc( - COUNT * STRIDE * SIZE + array3_size(COUNT, STRIDE, SIZE) , ...) ) // Any remaining multi-factor products, first at least 3-factor products // when they're not all constants... @@ expression E1, E2, E3; constant C1, C2, C3; @@ ( vmalloc(C1 * C2 * C3, ...) | vmalloc( - E1 * E2 * E3 + array3_size(E1, E2, E3) , ...) ) // And then all remaining 2 factors products when they're not all constants. @@ expression E1, E2; constant C1, C2; @@ ( vmalloc(C1 * C2, ...) | vmalloc( - E1 * E2 + array_size(E1, E2) , ...) ) Signed-off-by: Kees Cook <keescook@chromium.org> |
||
Linus Torvalds
|
408afb8d78 |
Merge branch 'work.aio-1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull aio updates from Al Viro: "Majority of AIO stuff this cycle. aio-fsync and aio-poll, mostly. The only thing I'm holding back for a day or so is Adam's aio ioprio - his last-minute fixup is trivial (missing stub in !CONFIG_BLOCK case), but let it sit in -next for decency sake..." * 'work.aio-1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (46 commits) aio: sanitize the limit checking in io_submit(2) aio: fold do_io_submit() into callers aio: shift copyin of iocb into io_submit_one() aio_read_events_ring(): make a bit more readable aio: all callers of aio_{read,write,fsync,poll} treat 0 and -EIOCBQUEUED the same way aio: take list removal to (some) callers of aio_complete() aio: add missing break for the IOCB_CMD_FDSYNC case random: convert to ->poll_mask timerfd: convert to ->poll_mask eventfd: switch to ->poll_mask pipe: convert to ->poll_mask crypto: af_alg: convert to ->poll_mask net/rxrpc: convert to ->poll_mask net/iucv: convert to ->poll_mask net/phonet: convert to ->poll_mask net/nfc: convert to ->poll_mask net/caif: convert to ->poll_mask net/bluetooth: convert to ->poll_mask net/sctp: convert to ->poll_mask net/tipc: convert to ->poll_mask ... |
||
Linus Torvalds
|
cf626b0da7 |
Merge branch 'hch.procfs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull procfs updates from Al Viro: "Christoph's proc_create_... cleanups series" * 'hch.procfs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (44 commits) xfs, proc: hide unused xfs procfs helpers isdn/gigaset: add back gigaset_procinfo assignment proc: update SIZEOF_PDE_INLINE_NAME for the new pde fields tty: replace ->proc_fops with ->proc_show ide: replace ->proc_fops with ->proc_show ide: remove ide_driver_proc_write isdn: replace ->proc_fops with ->proc_show atm: switch to proc_create_seq_private atm: simplify procfs code bluetooth: switch to proc_create_seq_data netfilter/x_tables: switch to proc_create_seq_private netfilter/xt_hashlimit: switch to proc_create_{seq,single}_data neigh: switch to proc_create_seq_data hostap: switch to proc_create_{seq,single}_data bonding: switch to proc_create_seq_data rtc/proc: switch to proc_create_single_data drbd: switch to proc_create_single resource: switch to proc_create_seq_data staging/rtl8192u: simplify procfs code jfs: simplify procfs code ... |
||
Christoph Hellwig
|
db5051ead6 |
net: convert datagram_poll users tp ->poll_mask
Signed-off-by: Christoph Hellwig <hch@lst.de> Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Christoph Hellwig
|
984652dd8b |
net: remove sock_no_poll
Now that sock_poll handles a NULL ->poll or ->poll_mask there is no need for a stub. Signed-off-by: Christoph Hellwig <hch@lst.de> |
||
Eric Biggers
|
af8d3c7c00 |
ppp: remove the PPPIOCDETACH ioctl
The PPPIOCDETACH ioctl effectively tries to "close" the given ppp file
before f_count has reached 0, which is fundamentally a bad idea. It
does check 'f_count < 2', which excludes concurrent operations on the
file since they would only be possible with a shared fd table, in which
case each fdget() would take a file reference. However, it fails to
account for the fact that even with 'f_count == 1' the file can still be
linked into epoll instances. As reported by syzbot, this can trivially
be used to cause a use-after-free.
Yet, the only known user of PPPIOCDETACH is pppd versions older than
ppp-2.4.2, which was released almost 15 years ago (November 2003).
Also, PPPIOCDETACH apparently stopped working reliably at around the
same time, when the f_count check was added to the kernel, e.g. see
https://lkml.org/lkml/2002/12/31/83. Also, the current 'f_count < 2'
check makes PPPIOCDETACH only work in single-threaded applications; it
always fails if called from a multithreaded application.
All pppd versions released in the last 15 years just close() the file
descriptor instead.
Therefore, instead of hacking around this bug by exporting epoll
internals to modules, and probably missing other related bugs, just
remove the PPPIOCDETACH ioctl and see if anyone actually notices. Leave
a stub in place that prints a one-time warning and returns EINVAL.
Reported-by: syzbot+16363c99d4134717c05b@syzkaller.appspotmail.com
Fixes:
|
||
Christoph Hellwig
|
c350637227 |
proc: introduce proc_create_net{,_data}
Variants of proc_create{,_data} that directly take a struct seq_operations and deal with network namespaces in ->open and ->release. All callers of proc_create + seq_open_net converted over, and seq_{open,release}_net are removed entirely. Signed-off-by: Christoph Hellwig <hch@lst.de> |
||
Guillaume Nault
|
a49e2f5d5f |
pppoe: check sockaddr length in pppoe_connect()
We must validate sockaddr_len, otherwise userspace can pass fewer data
than we expect and we end up accessing invalid data.
Fixes:
|
||
Eric Dumazet
|
bfacfb457b |
pptp: remove a buggy dst release in pptp_connect()
Once dst has been cached in socket via sk_setup_caps(), it is illegal to call ip_rt_put() (or dst_release()), since sk_setup_caps() did not change dst refcount. We can still dereference it since we hold socket lock. Caugth by syzbot : BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline] BUG: KASAN: use-after-free in dst_release+0x27/0xa0 net/core/dst.c:185 Write of size 4 at addr ffff8801c54dc040 by task syz-executor4/20088 CPU: 1 PID: 20088 Comm: syz-executor4 Not tainted 4.16.0+ #376 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:17 [inline] dump_stack+0x1a7/0x27d lib/dump_stack.c:53 print_address_description+0x73/0x250 mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report+0x23c/0x360 mm/kasan/report.c:412 check_memory_region_inline mm/kasan/kasan.c:260 [inline] check_memory_region+0x137/0x190 mm/kasan/kasan.c:267 kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278 atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline] dst_release+0x27/0xa0 net/core/dst.c:185 sk_dst_set include/net/sock.h:1812 [inline] sk_dst_reset include/net/sock.h:1824 [inline] sock_setbindtodevice net/core/sock.c:610 [inline] sock_setsockopt+0x431/0x1b20 net/core/sock.c:707 SYSC_setsockopt net/socket.c:1845 [inline] SyS_setsockopt+0x2ff/0x360 net/socket.c:1828 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 RIP: 0033:0x4552d9 RSP: 002b:00007f4878126c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036 RAX: ffffffffffffffda RBX: 00007f48781276d4 RCX: 00000000004552d9 RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000013 RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000 R10: 00000000200010c0 R11: 0000000000000246 R12: 00000000ffffffff R13: 0000000000000526 R14: 00000000006fac30 R15: 0000000000000000 Allocated by task 20088: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552 kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489 kmem_cache_alloc+0x12e/0x760 mm/slab.c:3542 dst_alloc+0x11f/0x1a0 net/core/dst.c:104 rt_dst_alloc+0xe9/0x540 net/ipv4/route.c:1520 __mkroute_output net/ipv4/route.c:2265 [inline] ip_route_output_key_hash_rcu+0xa49/0x2c60 net/ipv4/route.c:2493 ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2322 __ip_route_output_key include/net/route.h:126 [inline] ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2577 ip_route_output_ports include/net/route.h:163 [inline] pptp_connect+0xa84/0x1170 drivers/net/ppp/pptp.c:453 SYSC_connect+0x213/0x4a0 net/socket.c:1639 SyS_connect+0x24/0x30 net/socket.c:1620 do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287 entry_SYSCALL_64_after_hwframe+0x42/0xb7 Freed by task 20082: save_stack+0x43/0xd0 mm/kasan/kasan.c:447 set_track mm/kasan/kasan.c:459 [inline] __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520 kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527 __cache_free mm/slab.c:3486 [inline] kmem_cache_free+0x83/0x2a0 mm/slab.c:3744 dst_destroy+0x266/0x380 net/core/dst.c:140 dst_destroy_rcu+0x16/0x20 net/core/dst.c:153 __rcu_reclaim kernel/rcu/rcu.h:178 [inline] rcu_do_batch kernel/rcu/tree.c:2675 [inline] invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline] __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline] rcu_process_callbacks+0xd6c/0x17b0 kernel/rcu/tree.c:2914 __do_softirq+0x2d7/0xb85 kernel/softirq.c:285 The buggy address belongs to the object at ffff8801c54dc000 which belongs to the cache ip_dst_cache of size 168 The buggy address is located 64 bytes inside of 168-byte region [ffff8801c54dc000, ffff8801c54dc0a8) The buggy address belongs to the page: page:ffffea0007153700 count:1 mapcount:0 mapping:ffff8801c54dc000 index:0x0 flags: 0x2fffc0000000100(slab) raw: 02fffc0000000100 ffff8801c54dc000 0000000000000000 0000000100000010 raw: ffffea0006b34b20 ffffea0006b6c1e0 ffff8801d674a1c0 0000000000000000 page dumped because: kasan: bad access detected Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Kirill Tkhai
|
2f635ceeb2 |
net: Drop pernet_operations::async
Synchronous pernet_operations are not allowed anymore. All are asynchronous. So, drop the structure member. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Joe Perches
|
d61e403856 |
drivers/net: Use octal not symbolic permissions
Prefer the direct use of octal for permissions. Done with checkpatch -f --types=SYMBOLIC_PERMS --fix-inplace and some typing. Miscellanea: o Whitespace neatening around these conversions. Signed-off-by: Joe Perches <joe@perches.com> Reviewed-by: Wei Liu <wei.liu2@citrix.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
David S. Miller
|
03fe2debbb |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Fun set of conflict resolutions here... For the mac80211 stuff, these were fortunately just parallel adds. Trivially resolved. In drivers/net/phy/phy.c we had a bug fix in 'net' that moved the function phy_disable_interrupts() earlier in the file, whilst in 'net-next' the phy_error() call from this function was removed. In net/ipv4/xfrm4_policy.c, David Ahern's changes to remove the 'rt_table_id' member of rtable collided with a bug fix in 'net' that added a new struct member "rt_mtu_locked" which needs to be copied over here. The mlxsw driver conflict consisted of net-next separating the span code and definitions into separate files, whilst a 'net' bug fix made some changes to that moved code. The mlx5 infiniband conflict resolution was quite non-trivial, the RDMA tree's merge commit was used as a guide here, and here are their notes: ==================== Due to bug fixes found by the syzkaller bot and taken into the for-rc branch after development for the 4.17 merge window had already started being taken into the for-next branch, there were fairly non-trivial merge issues that would need to be resolved between the for-rc branch and the for-next branch. This merge resolves those conflicts and provides a unified base upon which ongoing development for 4.17 can be based. Conflicts: drivers/infiniband/hw/mlx5/main.c - Commit |
||
Guillaume Nault
|
6d066734e9 |
ppp: avoid loop in xmit recursion detection code
We already detect situations where a PPP channel sends packets back to
its upper PPP device. While this is enough to avoid deadlocking on xmit
locks, this doesn't prevent packets from looping between the channel
and the unit.
The problem is that ppp_start_xmit() enqueues packets in ppp->file.xq
before checking for xmit recursion. Therefore, __ppp_xmit_process()
might dequeue a packet from ppp->file.xq and send it on the channel
which, in turn, loops it back on the unit. Then ppp_start_xmit()
queues the packet back to ppp->file.xq and __ppp_xmit_process() picks
it up and sends it again through the channel. Therefore, the packet
will loop between __ppp_xmit_process() and ppp_start_xmit() until some
other part of the xmit path drops it.
For L2TP, we rapidly fill the skb's headroom and pppol2tp_xmit() drops
the packet after a few iterations. But PPTP reallocates the headroom
if necessary, letting the loop run and exhaust the machine resources
(as reported in https://bugzilla.kernel.org/show_bug.cgi?id=199109).
Fix this by letting __ppp_xmit_process() enqueue the skb to
ppp->file.xq, so that we can check for recursion before adding it to
the queue. Now ppp_xmit_process() can drop the packet when recursion is
detected.
__ppp_channel_push() is a bit special. It calls __ppp_xmit_process()
without having any actual packet to send. This is used by
ppp_output_wakeup() to re-enable transmission on the parent unit (for
implementations like ppp_async.c, where the .start_xmit() function
might not consume the skb, leaving it in ppp->xmit_pending and
disabling transmission).
Therefore, __ppp_xmit_process() needs to handle the case where skb is
NULL, dequeuing as many packets as possible from ppp->file.xq.
Reported-by: xu heng <xuheng333@zoho.com>
Fixes:
|
||
David S. Miller
|
0f3e9c97eb |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
All of the conflicts were cases of overlapping changes. In net/core/devlink.c, we have to make care that the resouce size_params have become a struct member rather than a pointer to such an object. Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Guillaume Nault
|
77f840e3e5 |
ppp: prevent unregistered channels from connecting to PPP units
PPP units don't hold any reference on the channels connected to it. It is the channel's responsibility to ensure that it disconnects from its unit before being destroyed. In practice, this is ensured by ppp_unregister_channel() disconnecting the channel from the unit before dropping a reference on the channel. However, it is possible for an unregistered channel to connect to a PPP unit: register a channel with ppp_register_net_channel(), attach a /dev/ppp file to it with ioctl(PPPIOCATTCHAN), unregister the channel with ppp_unregister_channel() and finally connect the /dev/ppp file to a PPP unit with ioctl(PPPIOCCONNECT). Once in this situation, the channel is only held by the /dev/ppp file, which can be released at anytime and free the channel without letting the parent PPP unit know. Then the ppp structure ends up with dangling pointers in its ->channels list. Prevent this scenario by forbidding unregistered channels from connecting to PPP units. This maintains the code logic by keeping ppp_unregister_channel() responsible from disconnecting the channel if necessary and avoids modification on the reference counting mechanism. This issue seems to predate git history (successfully reproduced on Linux 2.6.26 and earlier PPP commits are unrelated). Signed-off-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Kirill Tkhai
|
cd59b28ce9 |
net: Convert ppp_net_ops
These pernet_operations are similar to bond_net_ops. Exit method unregisters all net ppp devices, and it looks like another pernet_operations are not interested in foreign net ppp list. So, it's possible to mark them async. Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Kirill Tkhai
|
c80afa026a |
net: Convert /proc creating and destroying pernet_operations
These pernet_operations just create and destroy /proc entries, and they can safely marked as async: pppoe_net_ops vlan_net_ops canbcm_pernet_ops kcm_net_ops pfkey_net_ops pppol2tp_net_ops phonet_net_ops Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Denys Vlasenko
|
9b2c45d479 |
net: make getname() functions return length rather than use int* parameter
Changes since v1: Added changes in these files: drivers/infiniband/hw/usnic/usnic_transport.c drivers/staging/lustre/lnet/lnet/lib-socket.c drivers/target/iscsi/iscsi_target_login.c drivers/vhost/net.c fs/dlm/lowcomms.c fs/ocfs2/cluster/tcp.c security/tomoyo/network.c Before: All these functions either return a negative error indicator, or store length of sockaddr into "int *socklen" parameter and return zero on success. "int *socklen" parameter is awkward. For example, if caller does not care, it still needs to provide on-stack storage for the value it does not need. None of the many FOO_getname() functions of various protocols ever used old value of *socklen. They always just overwrite it. This change drops this parameter, and makes all these functions, on success, return length of sockaddr. It's always >= 0 and can be differentiated from an error. Tests in callers are changed from "if (err)" to "if (err < 0)", where needed. rpc_sockname() lost "int buflen" parameter, since its only use was to be passed to kernel_getsockname() as &buflen and subsequently not used in any way. Userspace API is not changed. text data bss dec hex filename 30108430 2633624 873672 33615726 200ef6e vmlinux.before.o 30108109 2633612 873672 33615393 200ee21 vmlinux.o Signed-off-by: Denys Vlasenko <dvlasenk@redhat.com> CC: David S. Miller <davem@davemloft.net> CC: linux-kernel@vger.kernel.org CC: netdev@vger.kernel.org CC: linux-bluetooth@vger.kernel.org CC: linux-decnet-user@lists.sourceforge.net CC: linux-wireless@vger.kernel.org CC: linux-rdma@vger.kernel.org CC: linux-sctp@vger.kernel.org CC: linux-nfs@vger.kernel.org CC: linux-x25@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Linus Torvalds
|
a9a08845e9 |
vfs: do bulk POLL* -> EPOLL* replacement
This is the mindless scripted replacement of kernel use of POLL* variables as described by Al, done by this script: for V in IN OUT PRI ERR RDNORM RDBAND WRNORM WRBAND HUP RDHUP NVAL MSG; do L=`git grep -l -w POLL$V | grep -v '^t' | grep -v /um/ | grep -v '^sa' | grep -v '/poll.h$'|grep -v '^D'` for f in $L; do sed -i "-es/^\([^\"]*\)\(\<POLL$V\>\)/\\1E\\2/" $f; done done with de-mangling cleanups yet to come. NOTE! On almost all architectures, the EPOLL* constants have the same values as the POLL* constants do. But they keyword here is "almost". For various bad reasons they aren't the same, and epoll() doesn't actually work quite correctly in some cases due to this on Sparc et al. The next patch from Al will sort out the final differences, and we should be all done. Scripted-by: Al Viro <viro@zeniv.linux.org.uk> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
||
Linus Torvalds
|
168fe32a07 |
Merge branch 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs
Pull poll annotations from Al Viro: "This introduces a __bitwise type for POLL### bitmap, and propagates the annotations through the tree. Most of that stuff is as simple as 'make ->poll() instances return __poll_t and do the same to local variables used to hold the future return value'. Some of the obvious brainos found in process are fixed (e.g. POLLIN misspelled as POLL_IN). At that point the amount of sparse warnings is low and most of them are for genuine bugs - e.g. ->poll() instance deciding to return -EINVAL instead of a bitmap. I hadn't touched those in this series - it's large enough as it is. Another problem it has caught was eventpoll() ABI mess; select.c and eventpoll.c assumed that corresponding POLL### and EPOLL### were equal. That's true for some, but not all of them - EPOLL### are arch-independent, but POLL### are not. The last commit in this series separates userland POLL### values from the (now arch-independent) kernel-side ones, converting between them in the few places where they are copied to/from userland. AFAICS, this is the least disruptive fix preserving poll(2) ABI and making epoll() work on all architectures. As it is, it's simply broken on sparc - try to give it EPOLLWRNORM and it will trigger only on what would've triggered EPOLLWRBAND on other architectures. EPOLLWRBAND and EPOLLRDHUP, OTOH, are never triggered at all on sparc. With this patch they should work consistently on all architectures" * 'misc.poll' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (37 commits) make kernel-side POLL... arch-independent eventpoll: no need to mask the result of epi_item_poll() again eventpoll: constify struct epoll_event pointers debugging printk in sg_poll() uses %x to print POLL... bitmap annotate poll(2) guts 9p: untangle ->poll() mess ->si_band gets POLL... bitmap stored into a user-visible long field ring_buffer_poll_wait() return value used as return value of ->poll() the rest of drivers/*: annotate ->poll() instances media: annotate ->poll() instances fs: annotate ->poll() instances ipc, kernel, mm: annotate ->poll() instances net: annotate ->poll() instances apparmor: annotate ->poll() instances tomoyo: annotate ->poll() instances sound: annotate ->poll() instances acpi: annotate ->poll() instances crypto: annotate ->poll() instances block: annotate ->poll() instances x86: annotate ->poll() instances ... |
||
Guillaume Nault
|
02612bb05e |
pppoe: take ->needed_headroom of lower device into account on xmit
In pppoe_sendmsg(), reserving dev->hard_header_len bytes of headroom was probably fine before the introduction of ->needed_headroom in commit |
||
Guillaume Nault
|
0171c41835 |
ppp: unlock all_ppp_mutex before registering device
ppp_dev_uninit(), which is the .ndo_uninit() handler of PPP devices,
needs to lock pn->all_ppp_mutex. Therefore we mustn't call
register_netdevice() with pn->all_ppp_mutex already locked, or we'd
deadlock in case register_netdevice() fails and calls .ndo_uninit().
Fortunately, we can unlock pn->all_ppp_mutex before calling
register_netdevice(). This lock protects pn->units_idr, which isn't
used in the device registration process.
However, keeping pn->all_ppp_mutex locked during device registration
did ensure that no device in transient state would be published in
pn->units_idr. In practice, unlocking it before calling
register_netdevice() doesn't change this property: ppp_unit_register()
is called with 'ppp_mutex' locked and all searches done in
pn->units_idr hold this lock too.
Fixes:
|
||
Al Viro
|
afc9a42b74 |
the rest of drivers/*: annotate ->poll() instances
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> |
||
Vasily Averin
|
e6675000f9 |
ppp: exit_net cleanup checks added
Be sure that lists initialized in net_init hook were return to initial state. Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
David S. Miller
|
2a171788ba |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Files removed in 'net-next' had their license header updated in 'net'. We take the remove from 'net-next'. Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Greg Kroah-Hartman
|
b24413180f |
License cleanup: add SPDX GPL-2.0 license identifier to files with no license
Many source files in the tree are missing licensing information, which makes it harder for compliance tools to determine the correct license. By default all files without license information are under the default license of the kernel, which is GPL version 2. Update the files which contain no license information with the 'GPL-2.0' SPDX license identifier. The SPDX identifier is a legally binding shorthand, which can be used instead of the full boiler plate text. This patch is based on work done by Thomas Gleixner and Kate Stewart and Philippe Ombredanne. How this work was done: Patches were generated and checked against linux-4.14-rc6 for a subset of the use cases: - file had no licensing information it it. - file was a */uapi/* one with no licensing information in it, - file was a */uapi/* one with existing licensing information, Further patches will be generated in subsequent months to fix up cases where non-standard license headers were used, and references to license had to be inferred by heuristics based on keywords. The analysis to determine which SPDX License Identifier to be applied to a file was done in a spreadsheet of side by side results from of the output of two independent scanners (ScanCode & Windriver) producing SPDX tag:value files created by Philippe Ombredanne. Philippe prepared the base worksheet, and did an initial spot review of a few 1000 files. The 4.13 kernel was the starting point of the analysis with 60,537 files assessed. Kate Stewart did a file by file comparison of the scanner results in the spreadsheet to determine which SPDX license identifier(s) to be applied to the file. She confirmed any determination that was not immediately clear with lawyers working with the Linux Foundation. Criteria used to select files for SPDX license identifier tagging was: - Files considered eligible had to be source code files. - Make and config files were included as candidates if they contained >5 lines of source - File already had some variant of a license header in it (even if <5 lines). All documentation files were explicitly excluded. The following heuristics were used to determine which SPDX license identifiers to apply. - when both scanners couldn't find any license traces, file was considered to have no license information in it, and the top level COPYING file license applied. For non */uapi/* files that summary was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 11139 and resulted in the first patch in this series. If that file was a */uapi/* path one, it was "GPL-2.0 WITH Linux-syscall-note" otherwise it was "GPL-2.0". Results of that was: SPDX license identifier # files ---------------------------------------------------|------- GPL-2.0 WITH Linux-syscall-note 930 and resulted in the second patch in this series. - if a file had some form of licensing information in it, and was one of the */uapi/* ones, it was denoted with the Linux-syscall-note if any GPL family license was found in the file or had no licensing in it (per prior point). Results summary: SPDX license identifier # files ---------------------------------------------------|------ GPL-2.0 WITH Linux-syscall-note 270 GPL-2.0+ WITH Linux-syscall-note 169 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-2-Clause) 21 ((GPL-2.0 WITH Linux-syscall-note) OR BSD-3-Clause) 17 LGPL-2.1+ WITH Linux-syscall-note 15 GPL-1.0+ WITH Linux-syscall-note 14 ((GPL-2.0+ WITH Linux-syscall-note) OR BSD-3-Clause) 5 LGPL-2.0+ WITH Linux-syscall-note 4 LGPL-2.1 WITH Linux-syscall-note 3 ((GPL-2.0 WITH Linux-syscall-note) OR MIT) 3 ((GPL-2.0 WITH Linux-syscall-note) AND MIT) 1 and that resulted in the third patch in this series. - when the two scanners agreed on the detected license(s), that became the concluded license(s). - when there was disagreement between the two scanners (one detected a license but the other didn't, or they both detected different licenses) a manual inspection of the file occurred. - In most cases a manual inspection of the information in the file resulted in a clear resolution of the license that should apply (and which scanner probably needed to revisit its heuristics). - When it was not immediately clear, the license identifier was confirmed with lawyers working with the Linux Foundation. - If there was any question as to the appropriate license identifier, the file was flagged for further research and to be revisited later in time. In total, over 70 hours of logged manual review was done on the spreadsheet to determine the SPDX license identifiers to apply to the source files by Kate, Philippe, Thomas and, in some cases, confirmation by lawyers working with the Linux Foundation. Kate also obtained a third independent scan of the 4.13 code base from FOSSology, and compared selected files where the other two scanners disagreed against that SPDX file, to see if there was new insights. The Windriver scanner is based on an older version of FOSSology in part, so they are related. Thomas did random spot checks in about 500 files from the spreadsheets for the uapi headers and agreed with SPDX license identifier in the files he inspected. For the non-uapi files Thomas did random spot checks in about 15000 files. In initial set of patches against 4.14-rc6, 3 files were found to have copy/paste license identifier errors, and have been fixed to reflect the correct identifier. Additionally Philippe spent 10 hours this week doing a detailed manual inspection and review of the 12,461 patched files from the initial patch version early this week with: - a full scancode scan run, collecting the matched texts, detected license ids and scores - reviewing anything where there was a license detected (about 500+ files) to ensure that the applied SPDX license was correct - reviewing anything where there was no detection but the patch license was not GPL-2.0 WITH Linux-syscall-note to ensure that the applied SPDX license was correct This produced a worksheet with 20 files needing minor correction. This worksheet was then exported into 3 different .csv files for the different types of files to be modified. These .csv files were then reviewed by Greg. Thomas wrote a script to parse the csv files and add the proper SPDX tag to the file, in the format that the file expected. This script was further refined by Greg based on the output to detect more types of files automatically and to distinguish between header and source .c files (which need different comment types.) Finally Greg ran the script using the .csv files to generate the patches. Reviewed-by: Kate Stewart <kstewart@linuxfoundation.org> Reviewed-by: Philippe Ombredanne <pombredanne@nexb.com> Reviewed-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
||
Gao Feng
|
f02b2320b2 |
ppp: Destroy the mutex when cleanup
The mutex_destroy only makes sense when enable DEBUG_MUTEX. For the good readbility, it's better to invoke it in exit func when the init func invokes mutex_init. Signed-off-by: Gao Feng <gfree.wind@vip.163.com> Acked-by: Guillaume Nault <g.nault@alphalink.fr> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Matteo Croce
|
90e229ef61 |
ppp: allow usage in namespaces
Check for CAP_NET_ADMIN with ns_capable() instead of capable() to allow usage of ppp in user namespace other than the init one. Signed-off-by: Matteo Croce <mcroce@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Elena Reshetova
|
709c89b45b |
drivers, net, ppp: convert syncppp.refcnt from atomic_t to refcount_t
atomic_t variables are currently used to implement reference counters with the following properties: - counter is initialized to 1 using atomic_set() - a resource is freed upon counter reaching zero - once counter reaches zero, its further increments aren't allowed - counter schema uses basic atomic operations (set, inc, inc_not_zero, dec_and_test, etc.) Such atomic variables should be converted to a newly provided refcount_t type and API that prevents accidental counter overflows and underflows. This is important since overflows and underflows can lead to use-after-free situation and be exploitable. The variable syncppp.refcnt is used as pure reference counter. Convert it to refcount_t and fix up the operations. Suggested-by: Kees Cook <keescook@chromium.org> Reviewed-by: David Windsor <dwindsor@gmail.com> Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Elena Reshetova
|
d780cd44e3 |
drivers, net, ppp: convert ppp_file.refcnt from atomic_t to refcount_t
atomic_t variables are currently used to implement reference counters with the following properties: - counter is initialized to 1 using atomic_set() - a resource is freed upon counter reaching zero - once counter reaches zero, its further increments aren't allowed - counter schema uses basic atomic operations (set, inc, inc_not_zero, dec_and_test, etc.) Such atomic variables should be converted to a newly provided refcount_t type and API that prevents accidental counter overflows and underflows. This is important since overflows and underflows can lead to use-after-free situation and be exploitable. The variable ppp_file.refcnt is used as pure reference counter. Convert it to refcount_t and fix up the operations. Suggested-by: Kees Cook <keescook@chromium.org> Reviewed-by: David Windsor <dwindsor@gmail.com> Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Elena Reshetova
|
313a912155 |
drivers, net, ppp: convert asyncppp.refcnt from atomic_t to refcount_t
atomic_t variables are currently used to implement reference counters with the following properties: - counter is initialized to 1 using atomic_set() - a resource is freed upon counter reaching zero - once counter reaches zero, its further increments aren't allowed - counter schema uses basic atomic operations (set, inc, inc_not_zero, dec_and_test, etc.) Such atomic variables should be converted to a newly provided refcount_t type and API that prevents accidental counter overflows and underflows. This is important since overflows and underflows can lead to use-after-free situation and be exploitable. The variable asyncppp.refcnt is used as pure reference counter. Convert it to refcount_t and fix up the operations. Suggested-by: Kees Cook <keescook@chromium.org> Reviewed-by: David Windsor <dwindsor@gmail.com> Reviewed-by: Hans Liljestrand <ishkamiel@gmail.com> Signed-off-by: Elena Reshetova <elena.reshetova@intel.com> Signed-off-by: David S. Miller <davem@davemloft.net> |