android_vh_do_wake_up_sync:
To modify the mode value of __wake_up_sync_key
android_vh_set_wake_flags:
To modify the wake flag from a module
Bug: 181743516
Signed-off-by: Namkyu Kim <namkyu78.kim@samsung.com>
Change-Id: I972e2469c3f139373d21f1e8c85974763388a693
Merge 5.10.19 into android-5.10
Changes in 5.10.19
bpf: Fix truncation handling for mod32 dst reg wrt zero
HID: make arrays usage and value to be the same
RDMA: Lift ibdev_to_node from rds to common code
nvme-rdma: Use ibdev_to_node instead of dereferencing ->dma_device
USB: quirks: sort quirk entries
usb: quirks: add quirk to start video capture on ELMO L-12F document camera reliable
ceph: downgrade warning from mdsmap decode to debug
ntfs: check for valid standard information attribute
Bluetooth: btusb: Some Qualcomm Bluetooth adapters stop working
arm64: tegra: Add power-domain for Tegra210 HDA
hwmon: (dell-smm) Add XPS 15 L502X to fan control blacklist
KVM: x86: Zap the oldest MMU pages, not the newest
mm: unexport follow_pte_pmd
mm: simplify follow_pte{,pmd}
KVM: do not assume PTE is writable after follow_pfn
mm: provide a saner PTE walking API for modules
KVM: Use kvm_pfn_t for local PFN variable in hva_to_pfn_remapped()
drm/xlnx: fix kmemleak by sending vblank_event in atomic_disable
NET: usb: qmi_wwan: Adding support for Cinterion MV31
cxgb4: Add new T6 PCI device id 0x6092
cifs: Set CIFS_MOUNT_USE_PREFIX_PATH flag on setting cifs_sb->prepath.
kbuild: fix CONFIG_TRIM_UNUSED_KSYMS build for ppc64
scripts/recordmcount.pl: support big endian for ARCH sh
Linux 5.10.19
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie460e26abc91311bcdd6b8484f5b42a7ffe1058f
commit 8ecfca68dc upstream.
Lift the ibdev_to_node from rds to common code and document it.
Link: https://lore.kernel.org/r/20201106181941.1878556-4-hch@lst.de
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Cc: Krishnamraju Eraparaju <krishna2@chelsio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
https://source.android.com/security/bulletin/2021-02-01
CVE-2017-18509
CVE-2020-10767
* tag 'ASB-2021-02-05_4.19-stable': (809 commits)
ANDROID: GKI: fix up abi issues with 4.19.172
Linux 4.19.172
fs: fix lazytime expiration handling in __writeback_single_inode()
writeback: Drop I_DIRTY_TIME_EXPIRE
dm integrity: conditionally disable "recalculate" feature
tools: Factor HOSTCC, HOSTLD, HOSTAR definitions
tracing: Fix race in trace_open and buffer resize call
HID: wacom: Correct NULL dereference on AES pen proximity
futex: Handle faults correctly for PI futexes
futex: Simplify fixup_pi_state_owner()
futex: Use pi_state_update_owner() in put_pi_state()
rtmutex: Remove unused argument from rt_mutex_proxy_unlock()
futex: Provide and use pi_state_update_owner()
futex: Replace pointless printk in fixup_owner()
futex: Ensure the correct return value from futex_lock_pi()
futex: Prevent exit livelock
futex: Provide distinct return value when owner is exiting
futex: Add mutex around futex exit
futex: Provide state handling for exec() as well
futex: Sanitize exit state handling
...
Change-Id: Ieba6ee3a91a05d504e1f829a84e7d364e7d983f2
Conflicts:
arch/arm64/boot/dts/rockchip/rk3328.dtsi
drivers/md/Kconfig
drivers/usb/gadget/function/f_uac2.c
Changes in 5.10.18
vdpa_sim: remove hard-coded virtq count
vdpa_sim: add struct vdpasim_dev_attr for device attributes
vdpa_sim: store parsed MAC address in a buffer
vdpa_sim: make 'config' generic and usable for any device type
vdpa_sim: add get_config callback in vdpasim_dev_attr
IB/isert: add module param to set sg_tablesize for IO cmd
net: qrtr: Fix port ID for control messages
mptcp: skip to next candidate if subflow has unacked data
net/sched: fix miss init the mru in qdisc_skb_cb
mt76: mt7915: fix endian issues
mt76: mt7615: fix rdd mcu cmd endianness
net: sched: incorrect Kconfig dependencies on Netfilter modules
net: openvswitch: fix TTL decrement exception action execution
net: bridge: Fix a warning when del bridge sysfs
net: fix proc_fs init handling in af_packet and tls
Xen/x86: don't bail early from clear_foreign_p2m_mapping()
Xen/x86: also check kernel mapping in set_foreign_p2m_mapping()
Xen/gntdev: correct dev_bus_addr handling in gntdev_map_grant_pages()
Xen/gntdev: correct error checking in gntdev_map_grant_pages()
xen/arm: don't ignore return errors from set_phys_to_machine
xen-blkback: don't "handle" error by BUG()
xen-netback: don't "handle" error by BUG()
xen-scsiback: don't "handle" error by BUG()
xen-blkback: fix error handling in xen_blkbk_map()
tty: protect tty_write from odd low-level tty disciplines
Bluetooth: btusb: Always fallback to alt 1 for WBS
btrfs: fix backport of 2175bf57dc in 5.10.13
btrfs: fix crash after non-aligned direct IO write with O_DSYNC
media: pwc: Use correct device for DMA
Linux 5.10.18
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I7ef79a45f7dc711800fb62419bee1cabfad277a7
[ Upstream commit a268e0f245 ]
proc_fs was used, in af_packet, without a surrounding #ifdef,
although there is no hard dependency on proc_fs.
That caused the initialization of the af_packet module to fail
when CONFIG_PROC_FS=n.
Specifically, proc_create_net() was used in af_packet.c,
and when it fails, packet_net_init() returns -ENOMEM.
It will always fail when the kernel is compiled without proc_fs,
because, proc_create_net() for example always returns NULL.
The calling order that starts in af_packet.c is as follows:
packet_init()
 register_pernet_subsys()
  register_pernet_operations()
   __register_pernet_operations()
    ops_init()
     ops->init() (packet_net_ops.init=packet_net_init())
      proc_create_net()
It worked in the past because register_pernet_subsys()'s return value
wasn't checked before this Commit 36096f2f4f ("packet: Fix error path in
packet_init.").
It always returned an error, but was not checked before, so everything
was working even when CONFIG_PROC_FS=n.
The fix here is simply to add the necessary #ifdef.
This also fixes a similar error in tls_proc.c, that was found by Jakub
Kicinski.
Fixes: d26b698dd3 ("net/tls: add skeleton of MIB statistics")
Fixes: 36096f2f4f ("packet: Fix error path in packet_init")
Signed-off-by: Yonatan Linik <yonatanlinik@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 09d6217254 ]
Currently, the exception actions are not processed correctly as the wrong
dataset is passed. This change fixes this, including the misleading
comment.
In addition, a check was added to make sure we work on an IPv4 packet,
and not just assume if it's not IPv6 it's IPv4.
This was all tested using OVS with patch,
https://patchwork.ozlabs.org/project/openvswitch/list/?series=21639,
applied and sending packets with a TTL of 1 (and 0), both with IPv4
and IPv6.
Fixes: 69929d4c49 ("net: openvswitch: fix TTL decrement action netlink message format")
Signed-off-by: Eelco Chaudron <echaudro@redhat.com>
Link: https://lore.kernel.org/r/160733569860.3007.12938188180387116741.stgit@wsfd-netdev64.ntdv.lab.eng.bos.redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit aadaca9e7c ]
The mru in the qdisc_skb_cb should be init as 0. Only defrag packets in the
act_ct will set the value.
Fixes: 038ebb1a71 ("net/sched: act_ct: fix miss set mru for ovs after defrag in act_ct")
Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 860975c6f8 ]
In case a subflow path is blocked, MPTCP-level retransmit may not take
place anymore because such subflow is likely to have unacked data left
in its write queue.
Ignore subflows that have experienced loss and test next candidate.
Fixes: 3b1d6210a9 ("mptcp: implement and use MPTCP-level retransmission")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit ae068f561b ]
The port ID for control messages was incorrectly set with broadcast
node ID value, causing message to be dropped on remote side since
not passing packet filtering (cb->dst_port != QRTR_PORT_CTRL).
Fixes: d27e77a3de ("net: qrtr: Reset the node and port ID of broadcast messages")
Signed-off-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Changes in 5.10.17
objtool: Fix seg fault with Clang non-section symbols
Revert "dts: phy: add GPIO number and active state used for phy reset"
gpio: mxs: GPIO_MXS should not default to y unconditionally
gpio: ep93xx: fix BUG_ON port F usage
gpio: ep93xx: Fix single irqchip with multi gpiochips
tracing: Do not count ftrace events in top level enable output
tracing: Check length before giving out the filter buffer
drm/i915: Fix overlay frontbuffer tracking
arm/xen: Don't probe xenbus as part of an early initcall
cgroup: fix psi monitor for root cgroup
Revert "drm/amd/display: Update NV1x SR latency values"
drm/i915/tgl+: Make sure TypeC FIA is powered up when initializing it
drm/dp_mst: Don't report ports connected if nothing is attached to them
dmaengine: move channel device_node deletion to driver
tmpfs: disallow CONFIG_TMPFS_INODE64 on s390
tmpfs: disallow CONFIG_TMPFS_INODE64 on alpha
soc: ti: omap-prm: Fix boot time errors for rst_map_012 bits 0 and 1
arm64: dts: rockchip: Fix PCIe DT properties on rk3399
arm64: dts: qcom: sdm845: Reserve LPASS clocks in gcc
ARM: OMAP2+: Fix suspcious RCU usage splats for omap_enter_idle_coupled
arm64: dts: rockchip: remove interrupt-names property from rk3399 vdec node
platform/x86: hp-wmi: Disable tablet-mode reporting by default
arm64: dts: rockchip: Disable display for NanoPi R2S
ovl: perform vfs_getxattr() with mounter creds
cap: fix conversions on getxattr
ovl: skip getxattr of security labels
scsi: lpfc: Fix EEH encountering oops with NVMe traffic
x86/split_lock: Enable the split lock feature on another Alder Lake CPU
nvme-pci: ignore the subsysem NQN on Phison E16
drm/amd/display: Fix DPCD translation for LTTPR AUX_RD_INTERVAL
drm/amd/display: Add more Clock Sources to DCN2.1
drm/amd/display: Release DSC before acquiring
drm/amd/display: Fix dc_sink kref count in emulated_link_detect
drm/amd/display: Free atomic state after drm_atomic_commit
drm/amd/display: Decrement refcount of dc_sink before reassignment
riscv: virt_addr_valid must check the address belongs to linear mapping
bfq-iosched: Revert "bfq: Fix computation of shallow depth"
ARM: dts: lpc32xx: Revert set default clock rate of HCLK PLL
kallsyms: fix nonconverging kallsyms table with lld
ARM: ensure the signal page contains defined contents
ARM: kexec: fix oops after TLB are invalidated
ubsan: implement __ubsan_handle_alignment_assumption
Revert "lib: Restrict cpumask_local_spread to houskeeping CPUs"
x86/efi: Remove EFI PGD build time checks
lkdtm: don't move ctors to .rodata
KVM: x86: cleanup CR3 reserved bits checks
cgroup-v1: add disabled controller check in cgroup1_parse_param()
dmaengine: idxd: fix misc interrupt completion
ath9k: fix build error with LEDS_CLASS=m
mt76: dma: fix a possible memory leak in mt76_add_fragment()
drm/vc4: hvs: Fix buffer overflow with the dlist handling
dmaengine: idxd: check device state before issue command
bpf: Unbreak BPF_PROG_TYPE_KPROBE when kprobe is called via do_int3
bpf: Check for integer overflow when using roundup_pow_of_two()
netfilter: xt_recent: Fix attempt to update deleted entry
selftests: netfilter: fix current year
netfilter: nftables: fix possible UAF over chains from packet path in netns
netfilter: flowtable: fix tcp and udp header checksum update
xen/netback: avoid race in xenvif_rx_ring_slots_available()
net: hdlc_x25: Return meaningful error code in x25_open
net: ipa: set error code in gsi_channel_setup()
hv_netvsc: Reset the RSC count if NVSP_STAT_FAIL in netvsc_receive()
net: enetc: initialize the RFS and RSS memories
selftests: txtimestamp: fix compilation issue
net: stmmac: set TxQ mode back to DCB after disabling CBS
ibmvnic: Clear failover_pending if unable to schedule
netfilter: conntrack: skip identical origin tuple in same zone only
scsi: scsi_debug: Fix a memory leak
x86/build: Disable CET instrumentation in the kernel for 32-bit too
net: dsa: felix: implement port flushing on .phylink_mac_link_down
net: hns3: add a check for queue_id in hclge_reset_vf_queue()
net: hns3: add a check for tqp_index in hclge_get_ring_chain_from_mbx()
net: hns3: add a check for index in hclge_get_rss_key()
firmware_loader: align .builtin_fw to 8
drm/sun4i: tcon: set sync polarity for tcon1 channel
drm/sun4i: dw-hdmi: always set clock rate
drm/sun4i: Fix H6 HDMI PHY configuration
drm/sun4i: dw-hdmi: Fix max. frequency for H6
clk: sunxi-ng: mp: fix parent rate change flag check
i2c: stm32f7: fix configuration of the digital filter
h8300: fix PREEMPTION build, TI_PRE_COUNT undefined
scripts: set proper OpenSSL include dir also for sign-file
x86/pci: Create PCI/MSI irqdomain after x86_init.pci.arch_init()
arm64: mte: Allow PTRACE_PEEKMTETAGS access to the zero page
rxrpc: Fix clearance of Tx/Rx ring when releasing a call
udp: fix skb_copy_and_csum_datagram with odd segment sizes
net: dsa: call teardown method on probe failure
cpufreq: ACPI: Extend frequency tables to cover boost frequencies
cpufreq: ACPI: Update arch scale-invariance max perf ratio if CPPC is not there
net: gro: do not keep too many GRO packets in napi->rx_list
net: fix iteration for sctp transport seq_files
net/vmw_vsock: fix NULL pointer dereference
net/vmw_vsock: improve locking in vsock_connect_timeout()
net: watchdog: hold device global xmit lock during tx disable
bridge: mrp: Fix the usage of br_mrp_port_switchdev_set_state
switchdev: mrp: Remove SWITCHDEV_ATTR_ID_MRP_PORT_STAT
vsock/virtio: update credit only if socket is not closed
vsock: fix locking in vsock_shutdown()
net/rds: restrict iovecs length for RDS_CMSG_RDMA_ARGS
net/qrtr: restrict user-controlled length in qrtr_tun_write_iter()
ovl: expand warning in ovl_d_real()
kcov, usb: only collect coverage from __usb_hcd_giveback_urb in softirq
Linux 5.10.17
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Id0300681f52b51d3f466f1e66ec3a6c25f65f4d3
commit a11148e6fc upstream.
syzbot found WARNING in rds_rdma_extra_size [1] when RDS_CMSG_RDMA_ARGS
control message is passed with user-controlled
0x40001 bytes of args->nr_local, causing order >= MAX_ORDER condition.
The exact value 0x40001 can be checked with UIO_MAXIOV which is 0x400.
So for kcalloc() 0x400 iovecs with sizeof(struct rds_iovec) = 0x10
is the closest limit, with 0x10 leftover.
Same condition is currently done in rds_cmsg_rdma_args().
[1] WARNING: mm/page_alloc.c:5011
[..]
Call Trace:
alloc_pages_current+0x18c/0x2a0 mm/mempolicy.c:2267
alloc_pages include/linux/gfp.h:547 [inline]
kmalloc_order+0x2e/0xb0 mm/slab_common.c:837
kmalloc_order_trace+0x14/0x120 mm/slab_common.c:853
kmalloc_array include/linux/slab.h:592 [inline]
kcalloc include/linux/slab.h:621 [inline]
rds_rdma_extra_size+0xb2/0x3b0 net/rds/rdma.c:568
rds_rm_size net/rds/send.c:928 [inline]
Reported-by: syzbot+1bd2b07f93745fa38425@syzkaller.appspotmail.com
Signed-off-by: Sabyrzhan Tasbolatov <snovitoll@gmail.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Link: https://lore.kernel.org/r/20210201203233.1324704-1-snovitoll@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 1c5fae9c9a upstream.
In vsock_shutdown() we touched some socket fields without holding the
socket lock, such as 'state' and 'sk_flags'.
Also, after the introduction of multi-transport, we are accessing
'vsk->transport' in vsock_send_shutdown() without holding the lock
and this call can be made while the connection is in progress, so
the transport can change in the meantime.
To avoid issues, we hold the socket lock when we enter in
vsock_shutdown() and release it when we leave.
Among the transports that implement the 'shutdown' callback, only
hyperv_transport acquired the lock. Since the caller now holds it,
we no longer take it.
Fixes: d021c34405 ("VSOCK: Introduce VM Sockets")
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit ce7536bc73 upstream.
If the socket is closed or is being released, some resources used by
virtio_transport_space_update() such as 'vsk->trans' may be released.
To avoid a use after free bug we should only update the available credit
when we are sure the socket is still open and we have the lock held.
Fixes: 06a8fc7836 ("VSOCK: Introduce virtio_vsock_common.ko")
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Link: https://lore.kernel.org/r/20210208144454.84438-1-sgarzare@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit b2bdba1cbc upstream.
The function br_mrp_port_switchdev_set_state was called both with MRP
port state and STP port state, which is an issue because they don't
match exactly.
Therefore, update the function to be used only with STP port state and
use the id SWITCHDEV_ATTR_ID_PORT_STP_STATE.
The choice of using STP over MRP is that the drivers already implement
SWITCHDEV_ATTR_ID_PORT_STP_STATE and already in SW we update the port
STP state.
Fixes: 9a9f26e8f7 ("bridge: mrp: Connect MRP API with the switchdev API")
Fixes: fadd409136 ("bridge: switchdev: mrp: Implement MRP API for switchdev")
Fixes: 2f1a11ae11 ("bridge: mrp: Add MRP interface.")
Reported-by: Rasmus Villemoes <rasmus.villemoes@prevas.dk>
Signed-off-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 3d0bc44d39 upstream.
A possible locking issue in vsock_connect_timeout() was recognized by
Eric Dumazet which might cause a null pointer dereference in
vsock_transport_cancel_pkt(). This patch assures that
vsock_transport_cancel_pkt() will be called within the lock, so a race
condition won't occur which could result in vsk->transport to be set to NULL.
Fixes: 380feae0de ("vsock: cancel packets when failing to connect")
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://lore.kernel.org/r/trinity-f8e0937a-cf0e-4d80-a76e-d9a958ba3ef1-1612535522360@3c-app-gmx-bap12
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5d1cbcc990 upstream.
In vsock_stream_connect(), a thread will enter schedule_timeout().
While being scheduled out, another thread can enter vsock_stream_connect()
as well and set vsk->transport to NULL. In case a signal was sent, the
first thread can leave schedule_timeout() and vsock_transport_cancel_pkt()
will be called right after. Inside vsock_transport_cancel_pkt(), a null
dereference will happen on transport->cancel_pkt.
Fixes: c0cfa2d8a7 ("vsock: add multi-transports support")
Signed-off-by: Norbert Slusarek <nslusarek@gmx.net>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Link: https://lore.kernel.org/r/trinity-c2d6cede-bfb1-44e2-85af-1fbc7f541715-1612535117028@3c-app-gmx-bap12
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit af8085f3a4 upstream.
The sctp transport seq_file iterators take a reference to the transport
in the ->start and ->next functions and releases the reference in the
->show function. The preferred handling for such resources is to
release them in the subsequent ->next or ->stop function call.
Since Commit 1f4aace60b ("fs/seq_file.c: simplify seq_file iteration
code and interface") there is no guarantee that ->show will be called
after ->next, so this function can now leak references.
So move the sctp_transport_put() call to ->next and ->stop.
Fixes: 1f4aace60b ("fs/seq_file.c: simplify seq_file iteration code and interface")
Reported-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: NeilBrown <neilb@suse.de>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
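The reference leak described in the sctp seq_file commit above, as an added user-space model that is not part of the commit or the kernel source. The names `struct transport`, `iter_ops` and `leaked_refs` are hypothetical stand-ins; the driver loop models a read that stops after `nshow` records, so the last object returned by ->next is never passed to ->show.

```c
#include <stddef.h>
#include <stdio.h>

#define NOBJ 3

struct transport { int refcnt; };   /* hypothetical stand-in for the sctp transport */
static struct transport table[NOBJ];

static struct transport *transport_get(size_t idx)
{
    if (idx >= NOBJ)
        return NULL;
    table[idx].refcnt++;
    return &table[idx];
}

static void transport_put(struct transport *t)
{
    if (t)
        t->refcnt--;
}

/* Simplified shape of the seq_file callbacks (model, not the kernel API). */
struct iter_ops {
    struct transport *(*start)(size_t *pos);
    struct transport *(*next)(struct transport *v, size_t *pos);
    void (*show)(struct transport *v);
    void (*stop)(struct transport *v);
};

static struct transport *it_start(size_t *pos) { return transport_get(*pos); }

/* Before the fix: reference taken in start/next, released in show. */
static struct transport *old_next(struct transport *v, size_t *pos)
{
    (void)v;
    return transport_get(++*pos);
}
static void old_show(struct transport *v) { transport_put(v); }
static void old_stop(struct transport *v) { (void)v; }

/* After the fix: reference released in the subsequent next or stop. */
static struct transport *new_next(struct transport *v, size_t *pos)
{
    transport_put(v);
    return transport_get(++*pos);
}
static void new_show(struct transport *v) { (void)v; }
static void new_stop(struct transport *v) { transport_put(v); }

static const struct iter_ops put_in_show = { it_start, old_next, old_show, old_stop };
static const struct iter_ops put_in_next_stop = { it_start, new_next, new_show, new_stop };

/*
 * Drive one read that shows at most nshow records, then stops.
 * Returns the number of references still held afterwards.
 */
static int leaked_refs(const struct iter_ops *ops, int nshow)
{
    size_t pos = 0, i;
    int leaked = 0;
    struct transport *v;

    for (i = 0; i < NOBJ; i++)
        table[i].refcnt = 0;

    v = ops->start(&pos);
    while (v && nshow-- > 0) {
        ops->show(v);
        v = ops->next(v, &pos);   /* may return an object that is never shown */
    }
    ops->stop(v);

    for (i = 0; i < NOBJ; i++)
        leaked += table[i].refcnt;
    return leaked;
}

int main(void)
{
    printf("put in show, full walk:        %d leaked\n", leaked_refs(&put_in_show, 3));
    printf("put in show, stop after 1:     %d leaked\n", leaked_refs(&put_in_show, 1));
    printf("put in next/stop, stop after 1: %d leaked\n", leaked_refs(&put_in_next_stop, 1));
    return 0;
}
```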
commit 8dc1c444df upstream.
Commit c80794323e ("net: Fix packet reordering caused by GRO and
listified RX cooperation") had the unfortunate effect of adding
latencies in common workloads.
Before the patch, GRO packets were immediately passed to
upper stacks.
After the patch, we can accumulate quite a lot of GRO
packets (depending on NAPI budget).
My fix is counting in napi->rx_count number of segments
instead of number of logical packets.
Fixes: c80794323e ("net: Fix packet reordering caused by GRO and listified RX cooperation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Bisected-by: John Sperbeck <jsperbeck@google.com>
Tested-by: Jian Yang <jianyang@google.com>
Cc: Maxim Mikityanskiy <maximmi@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
Reviewed-by: Alexander Lobakin <alobakin@pm.me>
Link: https://lore.kernel.org/r/20210204213146.4192368-1-eric.dumazet@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 8fd54a73b7 upstream.
Since teardown is supposed to undo the effects of the setup method, it
should be called in the error path for dsa_switch_setup, not just in
dsa_switch_teardown.
Fixes: 5e3f847a02 ("net: dsa: Add teardown callback for drivers")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Link: https://lore.kernel.org/r/20210204163351.2929670-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 52cbd23a11 upstream.
When iteratively computing a checksum with csum_block_add, track the
offset "pos" to correctly rotate in csum_block_add when offset is odd.
The open coded implementation of skb_copy_and_csum_datagram did this.
With the switch to __skb_datagram_iter calling csum_and_copy_to_iter,
pos was reinitialized to 0 on each call.
Bring back the pos by passing it along with the csum to the callback.
Changes v1->v2
- pass csum value, instead of csump pointer (Alexander Duyck)
Link: https://lore.kernel.org/netdev/20210128152353.GB27281@optiplex/
Fixes: 950fcaecd5 ("datagram: consolidate datagram copy to iter helpers")
Reported-by: Oliver Graute <oliver.graute@gmail.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Alexander Duyck <alexanderduyck@fb.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20210203192952.1849843-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
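The odd-offset rotation described in the udp checksum commit above, as an added user-space model that is not part of the commit or the kernel source. The 16-bit helpers `fold16`, `csum_partial16`, `csum_block_add16` and `csum_over_segments` are hypothetical simplifications of the kernel's 32-bit routines, each segment stands for one callback invocation, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample datagram and two ways of splitting it into segments. */
static const uint8_t sample[8] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08 };
static const size_t odd_split[2] = { 3, 5 };   /* second segment starts at odd offset 3 */
static const size_t even_split[2] = { 4, 4 };  /* every segment starts at an even offset */

/* Fold a 32-bit accumulator into 16 bits with end-around carry. */
static uint16_t fold16(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffffu) + (sum >> 16);
    return (uint16_t)sum;
}

/*
 * Ones-complement sum of buf, with buf[0] taken as the high byte of the
 * first 16-bit word. A trailing odd byte is padded with a zero low byte.
 */
static uint16_t csum_partial16(const uint8_t *buf, size_t len)
{
    uint32_t sum = 0;
    size_t i;

    for (i = 0; i + 1 < len; i += 2)
        sum = fold16(sum + (((uint32_t)buf[i] << 8) | buf[i + 1]));
    if (len & 1)
        sum = fold16(sum + ((uint32_t)buf[len - 1] << 8));
    return (uint16_t)sum;
}

/*
 * Add the checksum of a block that starts at byte `offset` of the whole
 * buffer. A block at an odd offset was summed with its bytes in the
 * opposite halves of each word, so its sum is byte-swapped first.
 */
static uint16_t csum_block_add16(uint16_t csum, uint16_t csum2, size_t offset)
{
    if (offset & 1)
        csum2 = (uint16_t)((csum2 << 8) | (csum2 >> 8));
    return fold16((uint32_t)csum + csum2);
}

/*
 * Checksum a buffer segment by segment. With keep_pos != 0 the running
 * offset is carried between segments (the fixed behaviour). With
 * keep_pos == 0 it is reset to 0 before every segment, which models the
 * regression the commit message describes.
 */
static uint16_t csum_over_segments(const uint8_t *buf, const size_t *seg_len,
                                   size_t nseg, int keep_pos)
{
    uint16_t csum = 0;
    size_t pos = 0, off = 0, i;

    for (i = 0; i < nseg; i++) {
        uint16_t part = csum_partial16(buf + off, seg_len[i]);

        if (!keep_pos)
            pos = 0;
        csum = csum_block_add16(csum, part, pos);
        pos += seg_len[i];
        off += seg_len[i];
    }
    return csum;
}

int main(void)
{
    printf("whole buffer:          0x%04x\n", (unsigned)csum_partial16(sample, sizeof(sample)));
    printf("3+5 split, pos kept:   0x%04x\n", (unsigned)csum_over_segments(sample, odd_split, 2, 1));
    printf("3+5 split, pos reset:  0x%04x\n", (unsigned)csum_over_segments(sample, odd_split, 2, 0));
    printf("4+4 split, pos reset:  0x%04x\n", (unsigned)csum_over_segments(sample, even_split, 2, 0));
    return 0;
}
```

The 4+4 split gives the right sum even with the offset reset, which is why only odd segment sizes expose the problem.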
commit 7b5eab57ca upstream.
At the end of rxrpc_release_call(), rxrpc_cleanup_ring() is called to clear
the Rx/Tx skbuff ring, but this doesn't lock the ring whilst it's accessing
it. Unfortunately, rxrpc_resend() might be trying to retransmit a packet
concurrently with this - and whilst it does lock the ring, this isn't
protection against rxrpc_cleanup_call().
Fix this by removing the call to rxrpc_cleanup_ring() from
rxrpc_release_call(). rxrpc_cleanup_ring() will be called again anyway
from rxrpc_cleanup_call(). The earlier call is just an optimisation to
recycle skbuffs more quickly.
Alternative solutions include rxrpc_release_call() could try to cancel the
work item or wait for it to complete or rxrpc_cleanup_ring() could lock
when accessing the ring (which would require a bh lock).
This can produce a report like the following:
BUG: KASAN: use-after-free in rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
Read of size 4 at addr ffff888011606e04 by task kworker/0:0/5
...
Workqueue: krxrpcd rxrpc_process_call
Call Trace:
...
kasan_report.cold+0x79/0xd5 mm/kasan/report.c:413
rxrpc_send_data_packet+0x19b4/0x1e70 net/rxrpc/output.c:372
rxrpc_resend net/rxrpc/call_event.c:266 [inline]
rxrpc_process_call+0x1634/0x1f60 net/rxrpc/call_event.c:412
process_one_work+0x98d/0x15f0 kernel/workqueue.c:2275
...
Allocated by task 2318:
...
sock_alloc_send_pskb+0x793/0x920 net/core/sock.c:2348
rxrpc_send_data+0xb51/0x2bf0 net/rxrpc/sendmsg.c:358
rxrpc_do_sendmsg+0xc03/0x1350 net/rxrpc/sendmsg.c:744
rxrpc_sendmsg+0x420/0x630 net/rxrpc/af_rxrpc.c:560
...
Freed by task 2318:
...
kfree_skb+0x140/0x3f0 net/core/skbuff.c:704
rxrpc_free_skb+0x11d/0x150 net/rxrpc/skbuff.c:78
rxrpc_cleanup_ring net/rxrpc/call_object.c:485 [inline]
rxrpc_release_call+0x5dd/0x860 net/rxrpc/call_object.c:552
rxrpc_release_calls_on_socket+0x21c/0x300 net/rxrpc/call_object.c:579
rxrpc_release_sock net/rxrpc/af_rxrpc.c:885 [inline]
rxrpc_release+0x263/0x5a0 net/rxrpc/af_rxrpc.c:916
__sock_release+0xcd/0x280 net/socket.c:597
...
The buggy address belongs to the object at ffff888011606dc0
which belongs to the cache skbuff_head_cache of size 232
Fixes: 248f219cb8 ("rxrpc: Rewrite the data and ack handling code")
Reported-by: syzbot+174de899852504e4a74a@syzkaller.appspotmail.com
Reported-by: syzbot+3d1c772efafd3c38d007@syzkaller.appspotmail.com
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Hillf Danton <hdanton@sina.com>
Link: https://lore.kernel.org/r/161234207610.653119.5287360098400436976.stgit@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 07998281c2 ]
The origin skip check needs to re-test the zone. Else, we might skip
a colliding tuple in the reply direction.
This only occurs when using 'directional zones' where origin tuples
reside in different zones but the reply tuples share the same zone.
This causes the new conntrack entry to be dropped at confirmation time
because NAT clash resolution was elided.
Fixes: 4e35c1cb94 ("netfilter: nf_nat: skip nat clash resolution for same-origin entries")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 8d6bca156e ]
When updating the tcp or udp header checksum on port nat the function
inet_proto_csum_replace2 with the last parameter pseudohdr as true.
This leads to an error in the case that GRO is used and packets are
split up in GSO. The tcp or udp checksum of all packets is incorrect.
The error is probably masked due to the fact that most network drivers
implement tcp/udp checksum offloading. It also only happens when GRO is
applied and not on single packets.
The error is most visible when using a pppoe connection which is not
triggering the tcp/udp checksum offload.
Fixes: ac2a66665e ("netfilter: add generic flow table infrastructure")
Signed-off-by: Sven Auhagen <sven.auhagen@voleatech.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 767d1216bf ]
Although hooks are released via call_rcu(), chain and rule objects are
immediately released while packets are still walking over these bits.
This patch adds the .pre_exit callback which is invoked before
synchronize_rcu() in the netns framework to stay safe.
Remove a comment which is not valid anymore since the core does not use
synchronize_net() anymore since 8c873e2199 ("netfilter: core: free
hooks with call_rcu").
Suggested-by: Florian Westphal <fw@strlen.de>
Fixes: df05ef874b ("netfilter: nf_tables: release objects on netns destruction")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b1bdde33b7 ]
When both --reap and --update flag are specified, there's a code
path at which the entry to be updated is reaped beforehand,
which then leads to kernel crash. Reap only entries which won't be
updated.
Fixes kernel bugzilla #207773.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=207773
Reported-by: Reindl Harald <h.reindl@thelounge.net>
Fixes: 0079c5aee3 ("netfilter: xt_recent: add an entry reaper")
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit b64acb28da ]
When CONFIG_ATH9K is built-in but LED support is in a loadable
module, both ath9k drivers fail to link:
x86_64-linux-ld: drivers/net/wireless/ath/ath9k/gpio.o: in function `ath_deinit_leds':
gpio.c:(.text+0x36): undefined reference to `led_classdev_unregister'
x86_64-linux-ld: drivers/net/wireless/ath/ath9k/gpio.o: in function `ath_init_leds':
gpio.c:(.text+0x179): undefined reference to `led_classdev_register_ext'
The problem is that the 'imply' keyword does not enforce any dependency
but is only a weak hint to Kconfig to enable another symbol from a
defconfig file.
Change imply to a 'depends on LEDS_CLASS' that prevents the incorrect
configuration but still allows building the driver without LED support.
The 'select MAC80211_LEDS' now ensures that the LED support is
actually used if it is present, and the added Kconfig dependency
on MAC80211_LEDS ensures that it cannot be enabled manually when it
has no effect.
Fixes: 197f466e93 ("ath9k_htc: Do not select MAC80211_LEDS by default")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
Link: https://lore.kernel.org/r/20210125113654.2408057-1-arnd@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
Merge 5.10.16 into android12-5.10
Changes in 5.10.16
io_uring: simplify io_task_match()
io_uring: add a {task,files} pair matching helper
io_uring: don't iterate io_uring_cancel_files()
io_uring: pass files into kill timeouts/poll
io_uring: always batch cancel in *cancel_files()
io_uring: fix files cancellation
io_uring: account io_uring internal files as REQ_F_INFLIGHT
io_uring: if we see flush on exit, cancel related tasks
io_uring: fix __io_uring_files_cancel() with TASK_UNINTERRUPTIBLE
io_uring: replace inflight_wait with tctx->wait
io_uring: fix cancellation taking mutex while TASK_UNINTERRUPTIBLE
io_uring: fix flush cqring overflow list while TASK_INTERRUPTIBLE
io_uring: fix list corruption for splice file_get
io_uring: fix sqo ownership false positive warning
io_uring: reinforce cancel on flush during exit
io_uring: drop mm/files between task_work_submit
gpiolib: cdev: clear debounce period if line set to output
powerpc/64/signal: Fix regression in __kernel_sigtramp_rt64() semantics
af_key: relax availability checks for skb size calculation
regulator: core: avoid regulator_resolve_supply() race condition
ASoC: wm_adsp: Fix control name parsing for multi-fw
drm/nouveau/nvif: fix method count when pushing an array
mac80211: 160MHz with extended NSS BW in CSA
ASoC: Intel: Skylake: Zero snd_ctl_elem_value
chtls: Fix potential resource leak
pNFS/NFSv4: Try to return invalid layout in pnfs_layout_process()
pNFS/NFSv4: Improve rejection of out-of-order layouts
ALSA: hda: intel-dsp-config: add PCI id for TGL-H
ASoC: ak4458: correct reset polarity
ASoC: Intel: sof_sdw: set proper flags for Dell TGL-H SKU 0A5E
iwlwifi: mvm: skip power command when unbinding vif during CSA
iwlwifi: mvm: take mutex for calling iwl_mvm_get_sync_time()
iwlwifi: pcie: add a NULL check in iwl_pcie_txq_unmap
iwlwifi: pcie: fix context info memory leak
iwlwifi: mvm: invalidate IDs of internal stations at mvm start
iwlwifi: pcie: add rules to match Qu with Hr2
iwlwifi: mvm: guard against device removal in reprobe
iwlwifi: queue: bail out on invalid freeing
SUNRPC: Move simple_get_bytes and simple_get_netobj into private header
SUNRPC: Handle 0 length opaque XDR object data properly
i2c: mediatek: Move suspend and resume handling to NOIRQ phase
blk-cgroup: Use cond_resched() when destroy blkgs
regulator: Fix lockdep warning resolving supplies
bpf: Fix verifier jmp32 pruning decision logic
bpf: Fix 32 bit src register truncation on div/mod
bpf: Fix verifier jsgt branch analysis on max bound
drm/i915: Fix ICL MG PHY vswing handling
drm/i915: Skip vswing programming for TBT
nilfs2: make splice write available again
Revert "mm: memcontrol: avoid workload stalls when lowering memory.high"
squashfs: avoid out of bounds writes in decompressors
squashfs: add more sanity checks in id lookup
squashfs: add more sanity checks in inode lookup
squashfs: add more sanity checks in xattr id lookup
Linux 5.10.16
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Ie3d667eb0c90288b118c756a33c70c8ceb097405
[ Upstream commit ba6dfce47c ]
Remove duplicated helper functions to parse opaque XDR objects
and place inside new file net/sunrpc/auth_gss/auth_gss_internal.h.
In the new file carry the license and copyright from the source file
net/sunrpc/auth_gss/auth_gss.c. Finally, update the comment inside
include/linux/sunrpc/xdr.h since lockd is not the only user of
struct xdr_netobj.
Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit dcf3c8fb32 ]
Upon receiving CSA with 160MHz extended NSS BW from associated AP,
STA should set the HT operation_mode based on new_center_freq_seg1
because it is later used as ccfs2 in ieee80211_chandef_vht_oper().
Signed-off-by: Aviad Brikman <aviad.brikman@celeno.com>
Signed-off-by: Shay Bar <shay.bar@celeno.com>
Link: https://lore.kernel.org/r/20201222064714.24888-1-shay.bar@celeno.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit afbc293add ]
xfrm_probe_algs() probes kernel crypto modules and changes the
availability of struct xfrm_algo_desc. But there is a small window
where ealg->available and aalg->available get changed between
count_ah_combs()/count_esp_combs() and dump_ah_combs()/dump_esp_combs(),
in this case we may allocate a smaller skb but later put a larger
amount of data and trigger the panic in skb_put().
Fix this by relaxing the checks when counting the size, that is,
skipping the test of ->available. We may waste some memory for a few
of sizeof(struct sadb_comb), but it is still much better than a panic.
Reported-by: syzbot+b2bf2652983d23734c5c@syzkaller.appspotmail.com
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
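The count-then-fill window described in the af_key commit above, as an added userspace model (not the kernel patch itself; every type and function name here is illustrative). The buffer is sized in one pass and filled in a second, and availability flips in between, which is the role the commit message gives to xfrm_probe_algs():

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Userspace model only: illustrative names, not the kernel's structures. */
struct algo { int id; int available; };
struct comb { int alg_id; char pad[60]; };      /* stands in for struct sadb_comb */
struct buf  { unsigned char *data; size_t cap; size_t len; };

/* Like skb_put(), but reports an overflow instead of panicking. */
static void *buf_put(struct buf *b, size_t n)
{
    if (n > b->cap - b->len)
        return NULL;
    void *p = b->data + b->len;
    b->len += n;
    return p;
}

/* Sizing pass: strict=1 tests ->available (old behaviour),
 * strict=0 skips the test (the relaxed count the fix describes). */
static size_t count_combs(const struct algo *t, size_t n, int strict)
{
    size_t sz = 0;
    for (size_t i = 0; i < n; i++)
        if (!strict || t[i].available)
            sz += sizeof(struct comb);
    return sz;
}

/* Fill pass: still honours ->available, so it can never write more
 * than the relaxed count reserved. */
static int dump_combs(struct buf *b, const struct algo *t, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (!t[i].available)
            continue;
        struct comb *c = buf_put(b, sizeof(*c));
        if (!c)
            return -1;                          /* the kernel would panic here */
        memset(c, 0, sizeof(*c));
        c->alg_id = t[i].id;
    }
    return 0;
}

/* count -> availability changes -> dump. Returns 0 if the data fit,
 * -1 on overflow, -2 if the allocation failed. */
static int run_scenario(int strict)
{
    struct algo table[3] = { {1, 1}, {2, 0}, {3, 1} };  /* constructed sample */
    struct buf b = {0};

    b.cap = count_combs(table, 3, strict);
    b.data = malloc(b.cap);
    if (!b.data)
        return -2;
    table[1].available = 1;     /* a probe completes inside the window */
    int rc = dump_combs(&b, table, 3);
    free(b.data);
    return rc;
}

int main(void)
{
    printf("strict count:  %d\n", run_scenario(1));
    printf("relaxed count: %d\n", run_scenario(0));
    return 0;
}
```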
Merge 5.10.15 into android12-5.10
Changes in 5.10.15
USB: serial: cp210x: add pid/vid for WSDA-200-USB
USB: serial: cp210x: add new VID/PID for supporting Teraoka AD2000
USB: serial: option: Adding support for Cinterion MV31
usb: host: xhci: mvebu: make USB 3.0 PHY optional for Armada 3720
USB: gadget: legacy: fix an error code in eth_bind()
usb: gadget: aspeed: add missing of_node_put
USB: usblp: don't call usb_set_interface if there's a single alt
usb: renesas_usbhs: Clear pipe running flag in usbhs_pkt_pop()
usb: dwc2: Fix endpoint direction check in ep_from_windex
usb: dwc3: fix clock issue during resume in OTG mode
usb: xhci-mtk: fix unreleased bandwidth data
usb: xhci-mtk: skip dropping bandwidth of unchecked endpoints
usb: xhci-mtk: break loop when find the endpoint to drop
ARM: OMAP1: OSK: fix ohci-omap breakage
arm64: dts: qcom: c630: keep both touchpad devices enabled
Input: i8042 - unbreak Pegatron C15B
arm64: dts: amlogic: meson-g12: Set FL-adj property value
arm64: dts: rockchip: fix vopl iommu irq on px30
arm64: dts: rockchip: Use only supported PCIe link speed on Pinebook Pro
ARM: dts: stm32: Fix polarity of the DH DRC02 uSD card detect
ARM: dts: stm32: Connect card-detect signal on DHCOM
ARM: dts: stm32: Disable WP on DHCOM uSD slot
ARM: dts: stm32: Disable optional TSC2004 on DRC02 board
ARM: dts: stm32: Fix GPIO hog flags on DHCOM DRC02
vdpa/mlx5: Fix memory key MTT population
bpf, cgroup: Fix optlen WARN_ON_ONCE toctou
bpf, cgroup: Fix problematic bounds check
bpf, inode_storage: Put file handler if no storage was found
um: virtio: free vu_dev only with the contained struct device
bpf, preload: Fix build when $(O) points to a relative path
arm64: dts: meson: switch TFLASH_VDD_EN pin to open drain on Odroid-C4
r8169: work around RTL8125 UDP hw bug
rxrpc: Fix deadlock around release of dst cached on udp tunnel
arm64: dts: ls1046a: fix dcfg address range
SUNRPC: Fix NFS READs that start at non-page-aligned offsets
igc: set the default return value to -IGC_ERR_NVM in igc_write_nvm_srwr
igc: check return value of ret_val in igc_config_fc_after_link_up
i40e: Revert "i40e: don't report link up for a VF who hasn't enabled queues"
ibmvnic: device remove has higher precedence over reset
net/mlx5: Fix function calculation for page trees
net/mlx5: Fix leak upon failure of rule creation
net/mlx5e: Update max_opened_tc also when channels are closed
net/mlx5e: Release skb in case of failure in tc update skb
net: lapb: Copy the skb before sending a packet
net: mvpp2: TCAM entry enable should be written after SRAM data
r8169: fix WoL on shutdown if CONFIG_DEBUG_SHIRQ is set
net: ipa: pass correct dma_handle to dma_free_coherent()
ARM: dts: sun7i: a20: bananapro: Fix ethernet phy-mode
nvmet-tcp: fix out-of-bounds access when receiving multiple h2cdata PDUs
vdpa/mlx5: Restore the hardware used index after change map
memblock: do not start bottom-up allocations with kernel_end
kbuild: fix duplicated flags in DEBUG_CFLAGS
thunderbolt: Fix possible NULL pointer dereference in tb_acpi_add_link()
ovl: fix dentry leak in ovl_get_redirect
ovl: avoid deadlock on directory ioctl
ovl: implement volatile-specific fsync error behaviour
mac80211: fix station rate table updates on assoc
gpiolib: free device name on error path to fix kmemleak
fgraph: Initialize tracing_graph_pause at task creation
tracing/kprobe: Fix to support kretprobe events on unloaded modules
kretprobe: Avoid re-registration of the same kretprobe earlier
tracing: Use pause-on-trace with the latency tracers
tracepoint: Fix race between tracing and removing tracepoint
libnvdimm/namespace: Fix visibility of namespace resource attribute
libnvdimm/dimm: Avoid race between probe and available_slots_show()
genirq: Prevent [devm_]irq_alloc_desc from returning irq 0
genirq/msi: Activate Multi-MSI early when MSI_FLAG_ACTIVATE_EARLY is set
scripts: use pkg-config to locate libcrypto
xhci: fix bounce buffer usage for non-sg list case
RISC-V: Define MAXPHYSMEM_1GB only for RV32
cifs: report error instead of invalid when revalidating a dentry fails
iommu: Check dev->iommu in dev_iommu_priv_get() before dereferencing it
smb3: Fix out-of-bounds bug in SMB2_negotiate()
smb3: fix crediting for compounding when only one request in flight
mmc: sdhci-pltfm: Fix linking err for sdhci-brcmstb
mmc: core: Limit retries when analyse of SDIO tuples fails
Fix unsynchronized access to sev members through svm_register_enc_region
drm/dp/mst: Export drm_dp_get_vc_payload_bw()
drm/i915: Fix the MST PBN divider calculation
drm/i915/gem: Drop lru bumping on display unpinning
drm/i915/gt: Close race between enable_breadcrumbs and cancel_breadcrumbs
drm/i915/display: Prevent double YUV range correction on HDR planes
drm/i915: Extract intel_ddi_power_up_lanes()
drm/i915: Power up combo PHY lanes for for HDMI as well
drm/amd/display: Revert "Fix EDID parsing after resume from suspend"
io_uring: don't modify identity's files uncess identity is cowed
nvme-pci: avoid the deepest sleep state on Kingston A2000 SSDs
KVM: SVM: Treat SVM as unsupported when running as an SEV guest
KVM: x86/mmu: Fix TDP MMU zap collapsible SPTEs
KVM: x86: Allow guests to see MSR_IA32_TSX_CTRL even if tsx=off
KVM: x86: fix CPUID entries returned by KVM_GET_CPUID2 ioctl
KVM: x86: Update emulator context mode if SYSENTER xfers to 64-bit mode
KVM: x86: Set so called 'reserved CR3 bits in LM mask' at vCPU reset
DTS: ARM: gta04: remove legacy spi-cs-high to make display work again
ARM: dts; gta04: SPI panel chip select is active low
ARM: footbridge: fix dc21285 PCI configuration accessors
ARM: 9043/1: tegra: Fix misplaced tegra_uart_config in decompressor
mm: hugetlbfs: fix cannot migrate the fallocated HugeTLB page
mm: hugetlb: fix a race between freeing and dissolving the page
mm: hugetlb: fix a race between isolating and freeing page
mm: hugetlb: remove VM_BUG_ON_PAGE from page_huge_active
mm, compaction: move high_pfn to the for loop scope
mm/vmalloc: separate put pages and flush VM flags
mm: thp: fix MADV_REMOVE deadlock on shmem THP
mm/filemap: add missing mem_cgroup_uncharge() to __add_to_page_cache_locked()
x86/build: Disable CET instrumentation in the kernel
x86/debug: Fix DR6 handling
x86/debug: Prevent data breakpoints on __per_cpu_offset
x86/debug: Prevent data breakpoints on cpu_dr7
x86/apic: Add extra serialization for non-serializing MSRs
Input: goodix - add support for Goodix GT9286 chip
Input: xpad - sync supported devices with fork on GitHub
Input: ili210x - implement pressure reporting for ILI251x
md: Set prev_flush_start and flush_bio in an atomic way
igc: Report speed and duplex as unknown when device is runtime suspended
neighbour: Prevent a dead entry from updating gc_list
net: ip_tunnel: fix mtu calculation
udp: ipv4: manipulate network header of NATed UDP GRO fraglist
net: dsa: mv88e6xxx: override existent unicast portvec in port_fdb_add
net: sched: replaced invalid qdisc tree flush helper in qdisc_replace
Linux 5.10.15
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I15750357b4c30739515fdc0bbbd0e04b7c986171
commit c3df39ac9b upstream.
UDP/IP header of UDP GROed frag_skbs are not updated even after NAT
forwarding. Only the header of head_skb from ip_finish_output_gso ->
skb_gso_segment is updated but following frag_skbs are not updated.
A call path skb_mac_gso_segment -> inet_gso_segment ->
udp4_ufo_fragment -> __udp_gso_segment -> __udp_gso_segment_list
does not try to update UDP/IP header of the segment list but copy
only the MAC header.
Update port, addr and check of each skb of the segment list in
__udp_gso_segment_list. It covers both SNAT and DNAT.
Fixes: 9fd1ff5d2a (udp: Support UDP fraglist GRO/GSO.)
Signed-off-by: Dongseok Yi <dseok.yi@samsung.com>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Link: https://lore.kernel.org/r/1611962007-80092-1-git-send-email-dseok.yi@samsung.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 28e104d002 upstream.
dev->hard_header_len for tunnel interface is set only when header_ops
are set too and already contains full overhead of any tunnel encapsulation.
That's why there is no need to use this overhead twice in mtu calc.
Fixes: fdafed4599 ("ip_gre: set dev->hard_header_len and dev->needed_headroom properly")
Reported-by: Slava Bacherikov <mail@slava.cc>
Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
Link: https://lore.kernel.org/r/1611959267-20536-1-git-send-email-vfedorenko@novek.ru
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit eb4e8fac00 upstream.
The following race condition was detected:
<CPU A, t0> - neigh_flush_dev() is under execution and calls
neigh_mark_dead(n) marking the neighbour entry 'n' as dead.
<CPU B, t1> - Executing: __netif_receive_skb() ->
__netif_receive_skb_core() -> arp_rcv() -> arp_process(). arp_process()
calls __neigh_lookup() which takes a reference on neighbour entry 'n'.
<CPU A, t2> - Moves further along neigh_flush_dev() and calls
neigh_cleanup_and_release(n), but since reference count increased in t2,
'n' couldn't be destroyed.
<CPU B, t3> - Moves further along, arp_process() and calls
neigh_update()-> __neigh_update() -> neigh_update_gc_list(), which adds
the neighbour entry back in gc_list (neigh_mark_dead() removed it
earlier in t0 from gc_list).
<CPU B, t4> - arp_process() finally calls neigh_release(n), destroying
the neighbour entry.
This leads to 'n' still being part of gc_list, but the actual
neighbour structure has been freed.
The situation can be prevented from happening if we disallow a dead
entry to have any possibility of updating gc_list. This is what the
patch intends to achieve.
Fixes: 9c29a2f55e ("neighbor: Fix locking order for gc_list changes")
Signed-off-by: Chinmay Agarwal <chinagar@codeaurora.org>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20210127165453.GA20514@chinagar-linux.qualcomm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
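The t0..t4 interleaving from the neighbour commit above, replayed single-threaded in an added userspace model (not the kernel patch; struct and function names are illustrative). With the guard off, the entry ends up freed while still linked on the GC list; with the guard on, a dead entry can no longer be put back:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Userspace model only: illustrative names, not the kernel's structures. */
struct neigh {
    int  refcnt;
    bool dead;
    bool on_gc_list;
    bool freed;     /* set instead of calling free(), so the model can inspect it */
};

static void neigh_hold(struct neigh *n) { n->refcnt++; }

static void neigh_put(struct neigh *n)
{
    if (--n->refcnt == 0)
        n->freed = true;        /* the kernel would free the structure here */
}

/* t0: the flush marks the entry dead and unlinks it from the GC list. */
static void mark_dead(struct neigh *n)
{
    n->dead = true;
    n->on_gc_list = false;
}

/* Update path. guard=true models refusing to touch the GC list
 * on behalf of an entry that is already dead. */
static void update_gc_list(struct neigh *n, bool guard)
{
    if (guard && n->dead)
        return;
    n->on_gc_list = true;
}

/* Replays the steps in the order given in the commit message.
 * Returns true when the GC list still references a freed entry. */
static bool replay(bool guard)
{
    struct neigh n = { .refcnt = 1, .on_gc_list = true };  /* table's reference */

    mark_dead(&n);              /* CPU A, t0 */
    neigh_hold(&n);             /* CPU B, t1: lookup takes a reference */
    neigh_put(&n);              /* CPU A, t2: release, entry survives */
    update_gc_list(&n, guard);  /* CPU B, t3: update re-adds to gc_list */
    neigh_put(&n);              /* CPU B, t4: last reference dropped */
    return n.freed && n.on_gc_list;
}

int main(void)
{
    printf("without guard, dangling list entry: %d\n", replay(false));
    printf("with guard, dangling list entry:    %d\n", replay(true));
    return 0;
}
```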
commit 18fe0fae61 upstream.
If the driver uses .sta_add, station entries are only uploaded after the sta
is in assoc state. Fix early station rate table updates by deferring them
until the sta has been uploaded.
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20210201083324.3134-1-nbd@nbd.name
[use rcu_access_pointer() instead since we won't dereference here]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 88c7a9fd9b ]
When sending a packet, we will prepend it with an LAPB header.
This modifies the shared parts of a cloned skb, so we should copy the
skb rather than just clone it, before we prepend the header.
In "Documentation/networking/driver.rst" (the 2nd point), it states
that drivers shouldn't modify the shared parts of a cloned skb when
transmitting.
The "dev_queue_xmit_nit" function in "net/core/dev.c", which is called
when an skb is being sent, clones the skb and sends the clone to
AF_PACKET sockets. Because the LAPB drivers first remove a 1-byte
pseudo-header before handing over the skb to us, if we don't copy the
skb before prepending the LAPB header, the first byte of the packets
received on AF_PACKET sockets can be corrupted.
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Xie He <xie.he.0141@gmail.com>
Acked-by: Martin Schiller <ms@dev.tdt.de>
Link: https://lore.kernel.org/r/20210201055706.415842-1-xie.he.0141@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit bad4c6eb5e ]
Anj Duvnjak reports that the Kodi.tv NFS client is not able to read
video files from a v5.10.11 Linux NFS server.
The new sendpage-based TCP sendto logic was not attentive to non-
zero page_base values. nfsd_splice_read() sets that field when a
READ payload starts in the middle of a page.
The Linux NFS client rarely emits an NFS READ that is not page-
aligned. All of my testing so far has been with Linux clients, so I
missed this one.
Reported-by: A. Duvnjak <avian@extremenerds.net>
BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=211471
Fixes: 4a85a6a332 ("SUNRPC: Handle TCP socket sends with kernel_sendpage() again")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Tested-by: A. Duvnjak <avian@extremenerds.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 5399d52233 ]
AF_RXRPC sockets use UDP ports in encap mode. This causes socket and dst
from an incoming packet to get stolen and attached to the UDP socket from
whence it is leaked when that socket is closed.
When a network namespace is removed, the wait for dst records to be cleaned
up happens before the cleanup of the rxrpc and UDP socket, meaning that the
wait never finishes.
Fix this by moving the rxrpc (and, by dependence, the afs) private
per-network namespace registrations to the device group rather than subsys
group. This allows cached rxrpc local endpoints to be cleared and their
UDP sockets closed before we try waiting for the dst records.
The symptom is that lines looking like the following:
unregister_netdevice: waiting for lo to become free
get emitted at regular intervals after running something like the
referenced syzbot test.
Thanks to Vadim for tracking this down and working out the fix.
Reported-by: syzbot+df400f2f24a1677cd7e0@syzkaller.appspotmail.com
Reported-by: Vadim Fedorenko <vfedorenko@novek.ru>
Fixes: 5271953cad ("rxrpc: Use the UDP encap_rcv hook")
Signed-off-by: David Howells <dhowells@redhat.com>
Acked-by: Vadim Fedorenko <vfedorenko@novek.ru>
Link: https://lore.kernel.org/r/161196443016.3868642.5577440140646403533.stgit@warthog.procyon.org.uk
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
and associated inet_is_local_unbindable_port() helper function:
use it to make explicitly binding to an unbindable port return
-EPERM 'Operation not permitted'.
Autobind doesn't honour this new sysctl since:
(a) you can simply set both if that's the behaviour you desire
(b) there could be a use for preventing explicit while allowing auto
(c) it's faster in the relatively critical path of doing port selection
during connect() to only check one bitmap instead of both
Various ports may have special use cases which are not suitable for
use by general userspace applications. Currently, ports specified in
ip_local_reserved_ports sysctl will not be returned only in case of
automatic port assignment, but nothing prevents you from explicitly
binding to them - even from an entirely unprivileged process.
In certain cases it is desirable to prevent the host from assigning the
ports even in case of explicit binds, even from superuser processes.
Example use cases might be:
- a port being stolen by the nic for remote serial console, remote
power management or some other sort of debugging functionality
(crash collection, gdb, direct access to some other microcontroller
on the nic or motherboard, remote management of the nic itself).
- a transparent proxy where packets are being redirected: in case
a socket matches this connection, packets from this application
would be incorrectly sent to one of the endpoints.
Initially I wanted to solve this problem via the simple one line:
static inline bool inet_port_requires_bind_service(struct net *net, unsigned short port) {
- return port < net->ipv4.sysctl_ip_prot_sock;
+ return port < net->ipv4.sysctl_ip_prot_sock || inet_is_local_reserved_port(net, port);
}
However, this doesn't work for two reasons:
(a) it changes userspace visible behaviour of the existing local
reserved ports sysctl, and there appears to be enough documentation
on the internet talking about setting it to make this a bad idea
(b) it doesn't prevent privileged apps from using these ports,
CAP_BIND_SERVICE is relatively likely to be available to, for example,
a recursive DNS server so it can listen on port 53, which also needs
to do src port randomization for outgoing queries due to security
reasons (and it thus does manual port binding).
If we *know* that certain ports are simply unusable, then it's better
nothing even gets the opportunity to try to use them. This way we at
least get a quick failure, instead of some sort of timeout (or possibly
even corruption of the data stream of the non-kernel based use case).
Test:
vm:~# cat /proc/sys/net/ipv4/ip_local_unbindable_ports
vm:~# python -c 'import socket; s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0); s.bind(("::", 3967))'
vm:~# python -c 'import socket; s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, 0); s.bind(("::", 3967))'
vm:~# echo 3967 > /proc/sys/net/ipv4/ip_local_unbindable_ports
vm:~# cat /proc/sys/net/ipv4/ip_local_unbindable_ports
3967
vm:~# python -c 'import socket; s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM, 0); s.bind(("::", 3967))'
socket.error: (1, 'Operation not permitted')
vm:~# python -c 'import socket; s = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM, 0); s.bind(("::", 3967))'
socket.error: (1, 'Operation not permitted')
Cc: Sean Tranchetti <stranche@codeaurora.org>
Cc: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Linux SCTP <linux-sctp@vger.kernel.org>
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Bug: 140404597
Change-Id: Ie96207bea90ae1345adf7b45724d0caf4d6e52c2
Signed-off-by: Todd Kjos <tkjos@google.com>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Changes in 5.10.14
net: dsa: microchip: Adjust reset release timing to match reference reset circuit
net: stmmac: dwmac-intel-plat: remove config data on error
net: fec: put child node on error path
net: octeontx2: Make sure the buffer is 128 byte aligned
stmmac: intel: Configure EHL PSE0 GbE and PSE1 GbE to 32 bits DMA addressing
mlxsw: spectrum_span: Do not overwrite policer configuration
net: dsa: bcm_sf2: put device node before return
net: switchdev: don't set port_obj_info->handled true when -EOPNOTSUPP
ibmvnic: Ensure that CRQ entry read are correctly ordered
iommu/io-pgtable-arm: Support coherency for Mali LPAE
drm/panfrost: Support cache-coherent integrations
arm64: dts: meson: Describe G12b GPU as coherent
arm64: Fix kernel address detection of __is_lm_address()
arm64: Do not pass tagged addresses to __is_lm_address()
Revert "x86/setup: don't remove E820_TYPE_RAM for pfn 0"
ARM: 9025/1: Kconfig: CPU_BIG_ENDIAN depends on !LD_IS_LLD
iommu/vt-d: Do not use flush-queue when caching-mode is on
phy: cpcap-usb: Fix warning for missing regulator_disable
tools/power/x86/intel-speed-select: Set scaling_max_freq to base_frequency
tools/power/x86/intel-speed-select: Set higher of cpuinfo_max_freq or base_frequency
platform/x86: touchscreen_dmi: Add swap-x-y quirk for Goodix touchscreen on Estar Beauty HD tablet
platform/x86: intel-vbtn: Support for tablet mode on Dell Inspiron 7352
habanalabs: fix dma_addr passed to dma_mmap_coherent
locking/lockdep: Avoid noinstr warning for DEBUG_LOCKDEP
x86: __always_inline __{rd,wr}msr()
scsi: scsi_transport_srp: Don't block target in failfast state
scsi: libfc: Avoid invoking response handler twice if ep is already completed
scsi: fnic: Fix memleak in vnic_dev_init_devcmd2
ASoC: SOF: Intel: hda: Resume codec to do jack detection
ALSA: hda: Add AlderLake-P PCI ID and HDMI codec vid
objtool: Don't add empty symbols to the rbtree
mac80211: fix incorrect strlen of .write in debugfs
mac80211: fix fast-rx encryption check
mac80211: fix encryption key selection for 802.3 xmit
scsi: ibmvfc: Set default timeout to avoid crash during migration
ALSA: hda: Add Cometlake-R PCI ID
i2c: tegra: Create i2c_writesl_vi() to use with VI I2C for filling TX FIFO
udf: fix the problem that the disc content is not displayed
nvme: check the PRINFO bit before deciding the host buffer length
nvme-rdma: avoid request double completion for concurrent nvme_rdma_timeout
nvme-tcp: avoid request double completion for concurrent nvme_tcp_timeout
nvme-pci: allow use of cmb on v1.4 controllers
nvmet: set right status on error in id-ns handler
platform/x86: thinkpad_acpi: Add P53/73 firmware to fan_quirk_table for dual fan control
selftests/powerpc: Only test lwm/stmw on big endian
drm/amd/display: Update dram_clock_change_latency for DCN2.1
drm/amd/display: Allow PSTATE chnage when no displays are enabled
drm/amd/display: Change function decide_dp_link_settings to avoid infinite looping
drm/amd/display: Use hardware sequencer functions for PG control
drm/amd/display: Fixed corruptions on HPDRX link loss restore
habanalabs: zero pci counters packet before submit to FW
habanalabs: fix backward compatibility of idle check
habanalabs: disable FW events on device removal
objtool: Don't fail the kernel build on fatal errors
x86/cpu: Add another Alder Lake CPU to the Intel family
kthread: Extract KTHREAD_IS_PER_CPU
workqueue: Restrict affinity change to rescuer
Linux 5.10.14
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I14bb472e4128e97ea84e91547b9223d1157b93c8
[ Upstream commit b101dd2d22 ]
When using WEP, the default unicast key needs to be selected, instead of
the STA PTK.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20201218184718.93650-4-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
[ Upstream commit 622d3b4e39 ]
When using WEP, the default unicast key needs to be selected, instead of
the STA PTK.
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Link: https://lore.kernel.org/r/20201218184718.93650-5-nbd@nbd.name
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>