[ Upstream commit 5bf325a53202b8728cf7013b72688c46071e212e ]
With many active TCP sockets, fat TCP sockets could fool
__sk_mem_raise_allocated() thanks to an overflow.
They would increase their share of the memory, instead
of decreasing it.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
Change-Id: I5904c40be0d5ccee1e961094d409050a35c5b2da
[ Upstream commit 355b98553789b646ed97ad801a619ff898471b92 ]
net_hash_mix() currently uses kernel address of a struct net,
and is used in many places that could be used to reveal this
address to a patient attacker, thus defeating KASLR, for
the typical case (initial net namespace, &init_net is
not dynamically allocated)
I believe the original implementation tried to avoid spending
too many cycles in this function, but security comes first.
Also provide entropy regardless of CONFIG_NET_NS.
Fixes: 0b4419162a ("netns: introduce the net_hash_mix "salt" for hashes")
Change-Id: If8819e29af0839bca9d1a5f16fb90ecb566a32b3
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Amit Klein <aksecurity@gmail.com>
Reported-by: Benny Pinkas <benny@pinkas.net>
Cc: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJZ/kCIAAoJEE44bZycYXAvRXwQAIZY4bXFnlvl8qJZLd8GV6gT
8FErDT14eHKBXZUe1a4TFFJ4FU/dVWfPEPJf2k/aotqjwEysxy5MhOApun12ZbF4
nL6ahNemhNxdIRQFVKBw6HCLyqNwbeBSD3ycLd6FNio4Xxz+3UHO1hoVEbTPSGOf
XD+100wsV3CHvoCnkmoGXH4PiD1zaNVPwJEh4Fu6yVJQPXDilszTNZgVv4oujhsZ
zp7Si3SpttfojkOcWgyqrV7jg2ALZxagf4SZ0KbbpwM/5fKEpYtC3sDDE3HyvcVm
CN0ApTIg7xnuaPsDMwHU9EGLVwlAZEAeiWtR2Byg1YoRQ7mEP9PfkP9xJv9YPxvP
Ovy7CqezRFjjscVsvrWScFaVtsdYbnT9e5uw2N3yLimHEKy+37x333gLCpbr+/0c
gsJMJMYTiq1MYUTpa+qf+rB0lQVo972+7FsjOs4ovdy+IJrpgMnKaL6U8drOns7t
Nmyf1cZTC6YPELnEA8LiRCRsi26HHA6Tknu8Nu2/uOEjeYD0y9iVivptwDB2W35Q
cECNGSJ85qCob73WDYB5ErGQCTwIm0PTdjzEvjCTxRooT164uhzfr0BdIWhIsdV5
uPNnkTYj3PkDlMGHhjVARI32In/VQyuf7hsugpVPn4/wKZV3jGJ/rMugAR2eSfTn
TFrKUsUdH0DYPZKgIhh8
=wa9B
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqfQ0ACgkQmXOSYMts
txZ98RAAjyab1BYfLJMVklDBqzIIWnBqniRPOCReTZ3f+4KDwFVPl5wVT89DHci/
ooIonHqI1BKKuYDIgTL7idK6vGTFo6bTpUT8FZvsjU0V3mFYySA4Yo9aC5G6nXW9
w/dkaOpX1jtkMTukiAqENryBDs7gYXZ0sbqxnq7pgrnnDepVUStZ7ncoWYdxOADG
E6Mirskj5fE/MHsVAenYtVmJVFDlvj6P04MT5bGL9e5EIz5CP3ekOqasdsBWj6rE
yg1JOaH6eOsgSCsP7M9dGxYglKH9nfkJHRnlU3HbXrRdSupTRvs8zC6u9W0DDI2g
XlrDTIM2UAM1hhRFMhly41o+8zpGHTi8puLJsNYL6bRM33V678dNrnEr/xnzNGpR
QwC38JWJYymGTkUtW7J1T/GVlWbsF17/fJ5EBG9hSHphrtSjP0nF1i1dAo/MI6hb
IY+MxVzO3CTZ22Bwjg9DNz56V+RUg56xy//sHSz3GoI6kuFt4tYzwNmLf0Fkj5VJ
lEI6vDYW/YTlWFFGdNaycvVwj+uETKepx0MIPx2Xt/mY3YNPwMUA2EBfjew+6709
cbTkn/XxcIZTzZmqKsZ/wZkDK7hKatdlxbcqI2tzidL03MfC3nK83L3YGrJnpbXd
TU/kR3CWWFVgG574B24ssutT4nrYeHUBp+xGDcQSnwbmihig6NU=
=pENk
-----END PGP SIGNATURE-----
Merge 3.10.108 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.108: (141 commits)
ipvs: SNAT packet replies only for NATed connections
net: reduce skb_warn_bad_offload() noise
net: skb_needs_check() accepts CHECKSUM_NONE for tx
Staging: comedi: comedi_fops: Avoid orphaned proc entry
udp: consistently apply ufo or fragmentation
Bluetooth: bnep: bnep_add_connection() should verify that it's dealing with l2cap socket
Bluetooth: cmtp: cmtp_add_connection() should verify that it's dealing with l2cap socket
tcp: introduce tcp_rto_delta_us() helper for xmit timer fix
tcp: enable xmit timer fix by having TLP use time when RTO should fire
tcp: fix xmit timer to only be reset if data ACKed/SACKed
mm/page_alloc: Remove kernel address exposure in free_reserved_area()
leak in O_DIRECT readv past the EOF
usb: renesas_usbhs: fix the behavior of some usbhs_pkt_handle
usb: renesas_usbhs: fix the sequence in xfer_work()
usb: renesas_usbhs: Fix DMAC sequence for receiving zero-length packet
fs/exec.c: account for argv/envp pointers
rxrpc: Fix several cases where a padded len isn't checked in ticket decode
xfrm: policy: check policy direction value
nl80211: check for the required netlink attributes presence
ALSA: seq: Fix use-after-free at creating a port
MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn'
serial: ifx6x60: fix use-after-free on module unload
KEYS: fix dereferencing NULL payload with nonzero length
usb: chipidea: debug: check before accessing ci_role
cpufreq: conservative: Allow down_threshold to take values from 1 to 10
powerpc/kprobes: Pause function_graph tracing during jprobes handling
staging: comedi: fix clean-up of comedi_class in comedi_init()
brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx()
vt: fix unchecked __put_user() in tioclinux ioctls
crypto: talitos - Extend max key length for SHA384/512-HMAC and AEAD
PM / Domains: Fix unsafe iteration over modified list of device links
powerpc/64: Fix atomic64_inc_not_zero() to return an int
powerpc: Fix emulation of mfocrf in emulate_step()
powerpc/asm: Mark cr0 as clobbered in mftb()
usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL
MIPS: Actually decode JALX in `__compute_return_epc_for_insn'
MIPS: Fix unaligned PC interpretation in `compute_return_epc'
MIPS: math-emu: Prevent wrong ISA mode instruction emulation
libata: array underflow in ata_find_dev()
workqueue: restore WQ_UNBOUND/max_active==1 to be ordered
ext4: fix SEEK_HOLE/SEEK_DATA for blocksize < pagesize
ext4: fix overflow caused by missing cast in ext4_resize_fs()
media: platform: davinci: return -EINVAL for VPFE_CMD_S_CCDC_RAW_PARAMS ioctl
target: Avoid mappedlun symlink creation during lun shutdown
fuse: initialize the flock flag in fuse_file on allocation
scsi: zfcp: fix queuecommand for scsi_eh commands when DIX enabled
scsi: zfcp: add handling for FCP_RESID_OVER to the fcp ingress path
scsi: zfcp: fix missing trace records for early returns in TMF eh handlers
scsi: zfcp: fix payload with full FCP_RSP IU in SCSI trace records
scsi: zfcp: trace HBA FSF response by default on dismiss or timedout late response
usb: renesas_usbhs: fix the BCLR setting condition for non-DCP pipe
usb: renesas_usbhs: fix usbhsf_fifo_clear() for RX direction
iommu/amd: Finish TLB flush in amd_iommu_unmap()
direct-io: Prevent NULL pointer access in submit_page_section
USB: serial: console: fix use-after-free after failed setup
KEYS: don't let add_key() update an uninstantiated key
FS-Cache: fix dereference of NULL user_key_payload
ext4: keep existing extra fields when inode expands
MIPS: Fix mips_atomic_set() retry condition
KEYS: prevent creating a different user's keyrings
KEYS: encrypted: fix dereference of NULL user_key_payload
md/bitmap: disable bitmap_resize for file-backed bitmaps.
lib/digsig: fix dereference of NULL user_key_payload
netfilter: invoke synchronize_rcu after set the _hook_ to NULL
md/raid10: submit bio directly to replacement disk
md: fix super_offset endianness in super_1_rdev_size_change
lib/cmdline.c: fix get_options() overflow while parsing ranges
ext4: fix SEEK_HOLE
net: prevent sign extension in dev_get_stats()
kernel/extable.c: mark core_kernel_text notrace
wext: handle NULL extra data in iwe_stream_add_point better
netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister
ext4: in ext4_seek_{hole,data}, return -ENXIO for negative offsets
ext4: avoid deadlock when expanding inode size
sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()
sctp: fix the check for _sctp_walk_params and _sctp_walk_errors
sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
sctp: potential read out of bounds in sctp_ulpevent_type_enabled()
tcp: disallow cwnd undo when switching congestion control
netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
tcp: reset sk_rx_dst in tcp_disconnect()
tcp: avoid setting cwnd to invalid ssthresh after cwnd reduction states
tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
net/packet: check length in getsockopt() called with PACKET_HDRLEN
net: Set sk_prot_creator when cloning sockets to the right proto
net/mlx4_core: Fix VF overwrite of module param which disables DMFS on new probed PFs
net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
x86/io: Add "memory" clobber to insb/insw/insl/outsb/outsw/outsl
kvm: async_pf: fix rcu_irq_enter() with irqs enabled
net: ping: do not abuse udp_poll()
scsi: qla2xxx: don't disable a not previously enabled PCI device
drm/vmwgfx: Handle vmalloc() failure in vmw_local_fifo_reserve()
net: xilinx_emaclite: fix receive buffer overflow
serial: efm32: Fix parity management in 'efm32_uart_console_get_options()'
x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init()
mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode
pvrusb2: reduce stack usage pvr2_eeprom_analyze()
usb: r8a66597-hcd: select a different endpoint on timeout
usb: r8a66597-hcd: decrease timeout
drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR()
net: phy: fix marvell phy status reading
net: korina: Fix NAPI versus resources freeing
xfrm: NULL dereference on allocation failure
xfrm: Oops on error in pfkey_msg2xfrm_state()
cpufreq: s3c2416: double free on driver init error path
KVM: x86: zero base3 of unusable segments
KEYS: Fix an error code in request_master_key()
ipv6: avoid unregistering inet6_dev for loopback
cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES
cfg80211: Check if PMKID attribute is of expected size
mm: fix overflow check in expand_upwards()
crypto: caam - fix signals handling
ir-core: fix gcc-7 warning on bool arithmetic
udf: Fix deadlock between writeback and udf_setsize()
perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target
net/mlx4: Remove BUG_ON from ICM allocation routine
ipv4: initialize fib_trie prior to register_netdev_notifier call.
workqueue: implicit ordered attribute should be overridable
packet: fix tp_reserve race in packet_set_ring
staging:iio:resolver:ad2s1210 fix negative IIO_ANGL_VEL read
ALSA: core: Fix unexpected error at replacing user TLV
ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
qlge: avoid memcpy buffer overflow
ipv6: fix memory leak with multiple tables during netns destruction
ipv6: fix typo in fib6_net_exit()
ip6_gre: fix endianness errors in ip6gre_err
crypto: AF_ALG - remove SGL terminator indicator when chaining
scsi: qla2xxx: Fix an integer overflow in sysfs code
tracing: Apply trace_clock changes to instance max buffer
tracing: Erase irqsoff trace with empty write
btrfs: prevent to set invalid default subvolid
IB/ipoib: rtnl_unlock can not come after free_netdev
team: fix memory leaks
IB/qib: fix false-postive maybe-uninitialized warning
KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
scsi: scsi_dh_emc: return success in clariion_std_inquiry()
can: esd_usb2: Fix can_dlc value for received RTR, frames
x86/apic: fix build breakage caused by incomplete backport to 3.10
Linux 3.10.108
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJZQspmAAoJEE44bZycYXAvLXMP/3Uqx7K7dGjHvvhGA4DhnzSp
bGLpjeP1sXXnnd932PN+qkGbl2j/NPjS74DobDqGWnrwxKRzQ21F4YkWJGtb4Pe2
JKcY7y2rbKGcwhpS9qDMkSWuaUKJWF5MAsH08LnCWqlGphGwAH/uPTdqS4iI/CJM
aQvaaITe5SVzvpvpyoCVdHqu8K+Ukraf91mvt7hlmrn9OnqO9us9MWulw5sSXQcd
pM8ZbRkBDE5OFeVnPKJDBY+cR2ML41wekMMwvJWt7uRyrX2i5c7oQVXYoeYE4MKx
Pueb7aG7LQwBUzNJCiZA6PAEFQPwNPCoxHZbAax0D6/JyDWOZukappquzjd6gLDM
+U7mxeFTeNZJ5v9tUcUIOb4GaaFcccS3wdDP23V2N8iM88hFVwJn0RSy/pksX37+
ZNDiEyDeJBjz3kh/Kf40zhFIIrABMozFeX3tpSRVVqXb+T6P9l8Y88O2LGY5FCXK
QBbAC+jC4X4YI+4v+QWImg9mkfTwzZyjyAlfyjPlHVSK9KDP9M6LXpr2+jKS7jOc
ievMOh9ku0HIVuSWGUKZSqjvcF01Bh99tFlX+KqipomwNTwa4hKCLmnOVflF1BPE
8sfD9hvenA0e949kXrURUmqpg6Ujkrbb/lXuD7e2CakCu+XjEMf317R11TyTsHNG
10hsmPsGDVcwbyFOFHS3
=mvzl
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqfEUACgkQmXOSYMts
txbJOQ/+Pce1eBSgjESWKuz0OP9BfAe9RpWFi7lBZ/EgRwJVYEx6jau9EYXAQ7YT
roCIsV6eufhMplYGHJz6EHxK2Hieb1zG9ooX9ss9GxiB6qmqeqC0Slm9EQE15yGT
px3fVz9r86edqjtj7UKK0/n8DJUaFh5LWOymLD3d3/115RYQsl/GowugH9F79PvN
pR+OyXq7srtfCmwdhZ65012Ef10RXqBRv0fCYBH6r+jkMqb7uSDFzdR39Z7k3QFk
AM4+3lTm6EEZ4xZkcMyX3GuQWslpPAlvFdEx43TjdCbseXAqURoppmxvz+Izum75
fy0oOdKl5OSpyZArRkUfZ0MnL6BHGcKxwYV4u1LupwvqPyaUT4yiT5VEUdy9EqJo
Syrr0oSR2lrXqQESdxKkmOZVXyul0nF3Fh1p5QlU1/Id9oskMLYqcXegFyhr2Wyp
+A4ZozljEQ4AGm4dYFdH3w8TcNDttjztYoKf8OXnaCOj3p/SEq84tk4Hm3vpoPvh
5OzsZC3UB9gJ1mXsKOVKLJFCPzmg61KOvwhopfAcC6cyiIIf/MPCneZeOzsavtQX
J+atSNcLVNE3jmrXvUrwxSpZ3KCc3Ti5Q8pD9ni6/B6st2+LO8EXPrS6n2+28nvu
hVpjyCXLbghdmn1mjOGW9lvMQEg/Dupj/ocpCPHJnXpbpM8Mcjo=
=3eAv
-----END PGP SIGNATURE-----
Merge 3.10.106 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.106: (252 commits)
packet: fix race condition in packet_set_ring
crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks
EVM: Use crypto_memneq() for digest comparisons
libceph: don't set weight to IN when OSD is destroyed
KVM: x86: fix emulation of "MOV SS, null selector"
KVM: x86: Introduce segmented_write_std
posix_acl: Clear SGID bit when setting file permissions
tmpfs: clear S_ISGID when setting posix ACLs
fbdev: color map copying bounds checking
selinux: fix off-by-one in setprocattr
tcp: avoid infinite loop in tcp_splice_read()
xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window
xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder
KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings
KEYS: Change the name of the dead type to ".dead" to prevent user access
KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings
ext4: fix data exposure after a crash
locking/rtmutex: Prevent dequeue vs. unlock race
m68k: Fix ndelay() macro
hotplug: Make register and unregister notifier API symmetric
Btrfs: fix tree search logic when replaying directory entry deletes
USB: serial: kl5kusb105: fix open error path
block_dev: don't test bdev->bd_contains when it is not stable
crypto: caam - fix AEAD givenc descriptors
ext4: fix mballoc breakage with 64k block size
ext4: fix stack memory corruption with 64k block size
ext4: reject inodes with negative size
ext4: return -ENOMEM instead of success
f2fs: set ->owner for debugfs status file's file_operations
block: protect iterate_bdevs() against concurrent close
scsi: zfcp: fix use-after-"free" in FC ingress path after TMF
scsi: zfcp: do not trace pure benign residual HBA responses at default level
scsi: zfcp: fix rport unblock race with LUN recovery
ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it
IB/mad: Fix an array index check
IB/multicast: Check ib_find_pkey() return value
powerpc: Convert cmp to cmpd in idle enter sequence
usb: gadget: composite: Test get_alt() presence instead of set_alt()
USB: serial: omninet: fix NULL-derefs at open and disconnect
USB: serial: quatech2: fix sleep-while-atomic in close
USB: serial: pl2303: fix NULL-deref at open
USB: serial: keyspan_pda: verify endpoints at probe
USB: serial: spcp8x5: fix NULL-deref at open
USB: serial: io_ti: fix NULL-deref at open
USB: serial: io_ti: fix another NULL-deref at open
USB: serial: iuu_phoenix: fix NULL-deref at open
USB: serial: garmin_gps: fix memory leak on failed URB submit
USB: serial: ti_usb_3410_5052: fix NULL-deref at open
USB: serial: io_edgeport: fix NULL-deref at open
USB: serial: oti6858: fix NULL-deref at open
USB: serial: cyberjack: fix NULL-deref at open
USB: serial: kobil_sct: fix NULL-deref in write
USB: serial: mos7840: fix NULL-deref at open
USB: serial: mos7720: fix NULL-deref at open
USB: serial: mos7720: fix use-after-free on probe errors
USB: serial: mos7720: fix parport use-after-free on probe errors
USB: serial: mos7720: fix parallel probe
usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL
usb: musb: Fix trying to free already-free IRQ 4
ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream()
USB: serial: kl5kusb105: abort on open exception path
staging: iio: ad7606: fix improper setting of oversampling pins
usb: dwc3: gadget: always unmap EP0 requests
cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected
hwmon: (ds620) Fix overflows seen when writing temperature limits
clk: clk-wm831x: fix a logic error
iommu/amd: Fix the left value check of cmd buffer
scsi: mvsas: fix command_active typo
target/iscsi: Fix double free in lio_target_tiqn_addtpg()
mmc: mmc_test: Uninitialized return value
powerpc/pci/rpadlpar: Fix device reference leaks
ser_gigaset: return -ENOMEM on error instead of success
net, sched: fix soft lockup in tc_classify
net: stmmac: Fix race between stmmac_drv_probe and stmmac_open
gro: Enter slow-path if there is no tailroom
gro: use min_t() in skb_gro_reset_offset()
gro: Disable frag0 optimization on IPv6 ext headers
powerpc: Fix build warning on 32-bit PPC
Input: i8042 - add Pegatron touchpad to noloop table
mm/hugetlb.c: fix reservation race when freeing surplus pages
USB: serial: kl5kusb105: fix line-state error handling
USB: serial: ch341: fix initial modem-control state
USB: serial: ch341: fix open error handling
USB: serial: ch341: fix control-message error handling
USB: serial: ch341: fix open and resume after B0
USB: serial: ch341: fix resume after reset
USB: serial: ch341: fix modem-control and B0 handling
x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option
NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success.
powerpc/ibmebus: Fix further device reference leaks
powerpc/ibmebus: Fix device reference leaks in sysfs interface
IB/mlx4: Set traffic class in AH
IB/mlx4: Fix port query for 56Gb Ethernet links
perf scripting: Avoid leaking the scripting_context variable
ARM: dts: imx31: fix clock control module interrupts description
svcrpc: don't leak contexts on PROC_DESTROY
mmc: mxs-mmc: Fix additional cycles after transmission stop
mtd: nand: xway: disable module support
ubifs: Fix journal replay wrt. xattr nodes
arm64/ptrace: Preserve previous registers for short regset write
arm64/ptrace: Avoid uninitialised struct padding in fpr_set()
arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields
ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation
ite-cir: initialize use_demodulator before using it
fuse: do not use iocb after it may have been freed
crypto: caam - fix non-hmac hashes
drm/i915: Don't leak edid in intel_crt_detect_ddc()
s5k4ecgx: select CRC32 helper
platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT
net: fix harmonize_features() vs NETIF_F_HIGHDMA
tcp: initialize max window for a new fastopen socket
svcrpc: fix oops in absence of krb5 module
ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
mac80211: Fix adding of mesh vendor IEs
scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send
drm/i915: fix use-after-free in page_flip_completed()
net: use a work queue to defer net_disable_timestamp() work
ipv4: keep skb->dst around in presence of IP options
netlabel: out of bound access in cipso_v4_validate()
ip6_gre: fix ip6gre_err() invalid reads
ping: fix a null pointer dereference
l2tp: do not use udp_ioctl()
packet: fix races in fanout_add()
packet: Do not call fanout_release from atomic contexts
net: socket: fix recvmmsg not returning error from sock_error
USB: serial: mos7840: fix another NULL-deref at open
USB: serial: ftdi_sio: fix modem-status error handling
USB: serial: ftdi_sio: fix extreme low-latency setting
USB: serial: ftdi_sio: fix line-status over-reporting
USB: serial: spcp8x5: fix modem-status handling
USB: serial: opticon: fix CTS retrieval at open
USB: serial: ark3116: fix register-accessor error handling
x86/platform/goldfish: Prevent unconditional loading
goldfish: Sanitize the broken interrupt handler
ocfs2: do not write error flag to user structure we cannot copy from/to
mfd: pm8921: Potential NULL dereference in pm8921_remove()
drm/nv50/disp: min/max are reversed in nv50_crtc_gamma_set()
net: 6lowpan: fix lowpan_header_create non-compression memcpy call
vti4: Don't count header length twice.
net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames
MIPS: OCTEON: Fix copy_from_user fault handling for large buffers
MIPS: Clear ISA bit correctly in get_frame_info()
MIPS: Prevent unaligned accesses during stack unwinding
MIPS: Fix get_frame_info() handling of microMIPS function size
MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions
MIPS: Calculate microMIPS ra properly when unwinding the stack
MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps
uvcvideo: Fix a wrong macro
scsi: aacraid: Reorder Adapter status check
ath9k: use correct OTP register offsets for the AR9340 and AR9550
fuse: add missing FR_FORCE
RDMA/core: Fix incorrect structure packing for booleans
NFSv4: fix getacl head length estimation
s390/qdio: clear DSCI prior to scanning multiple input queues
IB/ipoib: Fix deadlock between rmmod and set_mode
ktest: Fix child exit code processing
nlm: Ensure callback code also checks that the files match
dm: flush queued bios when process blocks to avoid deadlock
USB: serial: digi_acceleport: fix OOB data sanity check
USB: serial: digi_acceleport: fix OOB-event processing
MIPS: ip27: Disable qlge driver in defconfig
tracing: Add #undef to fix compile error
USB: serial: safe_serial: fix information leak in completion handler
USB: serial: omninet: fix reference leaks at open
USB: iowarrior: fix NULL-deref at probe
USB: iowarrior: fix NULL-deref in write
USB: serial: io_ti: fix NULL-deref in interrupt callback
USB: serial: io_ti: fix information leak in completion handler
vxlan: correctly validate VXLAN ID against VXLAN_N_VID
ipv4: mask tos for input route
locking/static_keys: Add static_key_{en,dis}able() helpers
net: net_enable_timestamp() can be called from irq contexts
dccp/tcp: fix routing redirect race
net sched actions: decrement module reference count after table flush.
perf/core: Fix event inheritance on fork()
isdn/gigaset: fix NULL-deref at probe
xen: do not re-use pirq number cached in pci device msi msg data
net: properly release sk_frag.page
net: unix: properly re-increment inflight counter of GC discarded candidates
Input: ims-pcu - validate number of endpoints before using them
Input: hanwang - validate number of endpoints before using them
Input: yealink - validate number of endpoints before using them
Input: cm109 - validate number of endpoints before using them
USB: uss720: fix NULL-deref at probe
USB: idmouse: fix NULL-deref at probe
USB: wusbcore: fix NULL-deref at probe
uwb: i1480-dfu: fix NULL-deref at probe
uwb: hwa-rc: fix NULL-deref at probe
mmc: ushc: fix NULL-deref at probe
ext4: mark inode dirty after converting inline directory
scsi: libsas: fix ata xfer length
ALSA: ctxfi: Fallback DMA mask to 32bit
ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
ACPI / PNP: Avoid conflicting resource reservations
ACPI / resources: free memory on error in add_region_before()
ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage
USB: OHCI: Fix race between ED unlink and URB submission
i2c: at91: manage unexpected RXRDY flag when starting a transfer
ipv4: igmp: Allow removing groups from a removed interface
ptrace: fix PTRACE_LISTEN race corrupting task->state
ring-buffer: Fix return value check in test_ringbuffer()
metag/usercopy: Fix alignment error checking
metag/usercopy: Add early abort to copy_to_user
metag/usercopy: Set flags before ADDZ
metag/usercopy: Fix src fixup in from user rapf loops
metag/usercopy: Add missing fixups
s390/decompressor: fix initrd corruption caused by bss clear
net/mlx4_en: Fix bad WQE issue
net/mlx4_core: Fix racy CQ (Completion Queue) free
char: Drop bogus dependency of DEVPORT on !M68K
powerpc: Disable HFSCR[TM] if TM is not supported
pegasus: Use heap buffers for all register access
rtl8150: Use heap buffers for all register access
tracing: Allocate the snapshot buffer before enabling probe
ring-buffer: Have ring_buffer_iter_empty() return true when empty
netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel
net: phy: handle state correctly in phy_stop_machine
l2tp: take reference on sessions being dumped
MIPS: KGDB: Use kernel context for sleeping threads
ARM: dts: imx31: move CCM device node to AIPS2 bus devices
ARM: dts: imx31: fix AVIC base address
tun: Fix TUN_PKT_STRIP setting
Staging: vt6655-6: potential NULL dereference in hostap_disable_hostapd()
net: sctp: rework multihoming retransmission path selection to rfc4960
perf trace: Use the syscall raw_syscalls:sys_enter timestamp
USB: usbtmc: add missing endpoint sanity check
ping: implement proper locking
USB: fix problems with duplicate endpoint addresses
USB: dummy-hcd: fix bug in stop_activity (handle ep0)
mm/init: fix zone boundary creation
can: Fix kernel panic at security_sock_rcv_skb
Drivers: hv: avoid vfree() on crash
xc2028: avoid use after free
xc2028: unlock on error in xc2028_set_config()
xc2028: Fix use-after-free bug properly
ipv6: fix ip6_tnl_parse_tlv_enc_lim()
ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim()
ipv6: fix the use of pcpu_tstats in ip6_tunnel
sctp: avoid BUG_ON on sctp_wait_for_sndbuf
sctp: deny peeloff operation on asocs with threads sleeping on it
KVM: x86: clear bus pointer when destroyed
kvm: exclude ioeventfd from counting kvm_io_range limit
KVM: kvm_io_bus_unregister_dev() should never fail
TTY: n_hdlc, fix lockdep false positive
tty: n_hdlc: get rid of racy n_hdlc.tbuf
ipv6: handle -EFAULT from skb_copy_bits
fs: exec: apply CLOEXEC before changing dumpable task flags
mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp
dccp/tcp: do not inherit mc_list from parent
char: lp: fix possible integer overflow in lp_setup()
dccp: fix freeing skb too early for IPV6_RECVPKTINFO
Linux 3.10.106
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
drivers/mfd/pm8921-core.c
include/linux/cpu.h
kernel/cpu.c
net/ipv4/inet_connection_sock.c
net/ipv4/ping.c
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJYnZNdAAoJEE44bZycYXAvJv0P/jpPc+jKb+D0FVUOiYDkY5Rw
jxsZ3oeruTIeSFAAIzusVMLm9moBJA6DThuTHU5Kt68mRaKB2lgmqwkkvQAPTSYh
tnDQwlrF7dOSVmPczJFHalpaLpRdXdQP9r8y+38PibaFZPssKdnZr3BBfdOdi5DT
lj029AGKfG7co6Hb/iAhsxuAFfPmvGHY4QNwJ2FRbU1m6MDtmCTbXzF0fc6X5AW1
qrtaWwPulJtZ/5MPk7aFyNpuCpNvIaTEqNaQsZbuz3bHfzDQVLerWze98vgHC0QM
2YOTP6TnEiHhxHGMb9SywUgSV1ylx0X542YDfxmcfyxBWRr0khlxQh1gpX+waqE3
pqdSlvN7AFzifw6kubbG2/XjkNvFtJcDTgrL3qco4utIezSijXmoOsDpKNnJuzk/
kSD5WYd+Q1CSHOkqZX29QPw1Dl/7Ftm7GPfxu7Pis1OBuPByqtRkEfmn9DpiKSs5
Aja0ljZYiQ3jy3fH+WlEzo6PVSxx0ZxKg0fOShlpgjj8KjMUdGfl9cB1OZxyWnNH
UiQ9iIWd3tJci7WbsBOfawsQpq3EIJxZKjyUmLYpBht5/YenYxOBDCr/CLJDQBGI
IQUPAs/E1JGDxGTUY3AmsaMVrcX2yOfhLzjrsVJGqSdote0um+2PdTLZHE4MMiz2
Dh6CbUVYWS1KNgmQ8T8L
=k5mW
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqeiwACgkQmXOSYMts
txaBAQ/+KqZh90YZI+gRHGdczbo3XnlryHMdpp+DTIFtN3zU+2LM352oP+haoJfr
YhNsixcMhW5TX0is5fg4SkIc0B3ooGKZLVKOPIRw+1NLBAVG5yVuYxW7I1faJgk6
F37+4rvq7KAOPCNMjAEXRt7GqZ4WZjgvgKy+u5wzKh3k5kUylqDwlP2qdgx2L5Rc
IxyxgOuaVGV6dZTyAyRlRMild5Tlz+SMY4pWoMe0sulDDXhd5/5PnGNVIgh+XqB6
m0AGkIIzPVe+wmg6n1iYs93dQO0Jmu6DL47Zv4f3ASZNL/XVSLvU9ie63FyWGZXG
e52qAPtztXInEOo15vPQSAAq7McZHDTzhHhsU/ZtkBT+LeSUU+rsxXddJ2EO5UgC
O3cVm11x1FWMzbBtFNFtkqeri2Y2OxvU4O81mfNP1oOUQBTMeSHTzQ8psbCdXeEr
ktSOtI+nakPmDE3aq4YSaz7BwSgt2tU/vZehkrTxtAQJxt0b88r2xFfThy5WScT1
v6muoqxlprjjvFld7v99P8cXxJq4QrxKUxXtEBTdB79Q5xtCC29OAcTelpPFDCED
/KpgZflubzH/Z872AW9Ru8OL9PYty6hBNDOP4aHLSFWfCu3KQxL6BMEeqi5qBjBX
mJ8JT0dCQYP6xONIWq6a3fICroNMazhNFxdpPSfsQFRhujhjGPg=
=zhKv
-----END PGP SIGNATURE-----
Merge 3.10.105 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.105: (315 commits)
sched/core: Fix a race between try_to_wake_up() and a woken up task
sched/core: Fix an SMP ordering race in try_to_wake_up() vs. schedule()
crypto: algif_skcipher - Require setkey before accept(2)
crypto: af_alg - Disallow bind/setkey/... after accept(2)
crypto: af_alg - Add nokey compatibility path
crypto: algif_skcipher - Add nokey compatibility path
crypto: hash - Add crypto_ahash_has_setkey
crypto: shash - Fix has_key setting
crypto: algif_hash - Require setkey before accept(2)
crypto: skcipher - Add crypto_skcipher_has_setkey
crypto: algif_skcipher - Add key check exception for cipher_null
crypto: af_alg - Allow af_af_alg_release_parent to be called on nokey path
crypto: algif_hash - Remove custom release parent function
crypto: algif_skcipher - Remove custom release parent function
crypto: af_alg - Forbid bind(2) when nokey child sockets are present
crypto: algif_hash - Fix race condition in hash_check_key
crypto: algif_skcipher - Fix race condition in skcipher_check_key
crypto: algif_skcipher - Load TX SG list after waiting
crypto: cryptd - initialize child shash_desc on import
crypto: skcipher - Fix blkcipher walk OOM crash
crypto: gcm - Fix IV buffer size in crypto_gcm_setkey
MIPS: KVM: Fix unused variable build warning
KVM: MIPS: Precalculate MMIO load resume PC
KVM: MIPS: Drop other CPU ASIDs on guest MMU changes
KVM: nVMX: postpone VMCS changes on MSR_IA32_APICBASE write
KVM: MIPS: Make ERET handle ERL before EXL
KVM: x86: fix wbinvd_dirty_mask use-after-free
KVM: x86: fix missed SRCU usage in kvm_lapic_set_vapic_addr
KVM: Disable irq while unregistering user notifier
PM / devfreq: Fix incorrect type issue.
ppp: defer netns reference release for ppp channel
x86/mm/xen: Suppress hugetlbfs in PV guests
xen: Add RING_COPY_REQUEST()
xen-netback: don't use last request to determine minimum Tx credit
xen-netback: use RING_COPY_REQUEST() throughout
xen-blkback: only read request operation from shared ring once
xen/pciback: Save xen_pci_op commands before processing it
xen/pciback: Save the number of MSI-X entries to be copied later.
xen/pciback: Return error on XEN_PCI_OP_enable_msi when device has MSI or MSI-X enabled
xen/pciback: Return error on XEN_PCI_OP_enable_msix when device has MSI or MSI-X enabled
xen/pciback: Do not install an IRQ handler for MSI interrupts.
xen/pciback: For XEN_PCI_OP_disable_msi[|x] only disable if device has MSI(X) enabled.
xen/pciback: Don't allow MSI-X ops if PCI_COMMAND_MEMORY is not set.
xen-pciback: Add name prefix to global 'permissive' variable
x86/xen: fix upper bound of pmd loop in xen_cleanhighmap()
x86/traps: Ignore high word of regs->cs in early_idt_handler_common
x86/mm: Disable preemption during CR3 read+write
x86/apic: Do not init irq remapping if ioapic is disabled
x86/mm/pat, /dev/mem: Remove superfluous error message
x86/paravirt: Do not trace _paravirt_ident_*() functions
x86/build: Build compressed x86 kernels as PIE
x86/um: reuse asm-generic/barrier.h
iommu/amd: Update Alias-DTE in update_device_table()
iommu/amd: Free domain id when free a domain of struct dma_ops_domain
ARM: 8616/1: dt: Respect property size when parsing CPUs
ARM: 8618/1: decompressor: reset ttbcr fields to use TTBR0 on ARMv7
ARM: sa1100: clear reset status prior to reboot
ARM: sa1111: fix pcmcia suspend/resume
arm64: avoid returning from bad_mode
arm64: Define AT_VECTOR_SIZE_ARCH for ARCH_DLINFO
arm64: spinlocks: implement smp_mb__before_spinlock() as smp_mb()
arm64: debug: avoid resetting stepping state machine when TIF_SINGLESTEP
MIPS: Malta: Fix IOCU disable switch read for MIPS64
MIPS: ptrace: Fix regs_return_value for kernel context
powerpc/mm: Don't alias user region to other regions below PAGE_OFFSET
powerpc/vdso64: Use double word compare on pointers
powerpc/powernv: Use CPU-endian PEST in pnv_pci_dump_p7ioc_diag_data()
powerpc/64: Fix incorrect return value from __copy_tofrom_user
powerpc/nvram: Fix an incorrect partition merge
avr32: fix copy_from_user()
avr32: fix 'undefined reference to `___copy_from_user'
avr32: off by one in at32_init_pio()
s390/dasd: fix hanging device after clear subchannel
parisc: Ensure consistent state when switching to kernel stack at syscall entry
microblaze: fix __get_user()
microblaze: fix copy_from_user()
mn10300: failing __get_user() and get_user() should zero
m32r: fix __get_user()
sh64: failing __get_user() should zero
score: fix __get_user/get_user
s390: get_user() should zero on failure
ARC: uaccess: get_user to zero out dest in cause of fault
asm-generic: make get_user() clear the destination on errors
frv: fix clear_user()
cris: buggered copy_from_user/copy_to_user/clear_user
blackfin: fix copy_from_user()
score: fix copy_from_user() and friends
sh: fix copy_from_user()
hexagon: fix strncpy_from_user() error return
mips: copy_from_user() must zero the destination on access_ok() failure
asm-generic: make copy_from_user() zero the destination properly
alpha: fix copy_from_user()
metag: copy_from_user() should zero the destination on access_ok() failure
parisc: fix copy_from_user()
openrisc: fix copy_from_user()
openrisc: fix the fix of copy_from_user()
mn10300: copy_from_user() should zero on access_ok() failure...
sparc32: fix copy_from_user()
ppc32: fix copy_from_user()
ia64: copy_from_user() should zero the destination on access_ok() failure
fix fault_in_multipages_...() on architectures with no-op access_ok()
fix memory leaks in tracing_buffers_splice_read()
arc: don't leak bits of kernel stack into coredump
Fix potential infoleak in older kernels
swapfile: fix memory corruption via malformed swapfile
coredump: fix unfreezable coredumping task
usb: dwc3: gadget: increment request->actual once
USB: validate wMaxPacketValue entries in endpoint descriptors
USB: fix typo in wMaxPacketSize validation
usb: xhci: Fix panic if disconnect
USB: serial: fix memleak in driver-registration error path
USB: kobil_sct: fix non-atomic allocation in write path
USB: serial: mos7720: fix non-atomic allocation in write path
USB: serial: mos7840: fix non-atomic allocation in write path
usb: renesas_usbhs: fix clearing the {BRDY,BEMP}STS condition
USB: change bInterval default to 10 ms
usb: gadget: fsl_qe_udc: signedness bug in qe_get_frame()
USB: serial: cp210x: fix hardware flow-control disable
usb: misc: legousbtower: Fix NULL pointer deference
usb: gadget: function: u_ether: don't starve tx request queue
USB: serial: cp210x: fix tiocmget error handling
usb: gadget: u_ether: remove interrupt throttling
usb: chipidea: move the lock initialization to core file
Fix USB CB/CBI storage devices with CONFIG_VMAP_STACK=y
ALSA: rawmidi: Fix possible deadlock with virmidi registration
ALSA: timer: fix NULL pointer dereference in read()/ioctl() race
ALSA: timer: fix division by zero after SNDRV_TIMER_IOCTL_CONTINUE
ALSA: timer: fix NULL pointer dereference on memory allocation failure
ALSA: ali5451: Fix out-of-bound position reporting
ALSA: pcm : Call kill_fasync() in stream lock
zfcp: fix fc_host port_type with NPIV
zfcp: fix ELS/GS request&response length for hardware data router
zfcp: close window with unblocked rport during rport gone
zfcp: retain trace level for SCSI and HBA FSF response records
zfcp: restore: Dont use 0 to indicate invalid LUN in rec trace
zfcp: trace on request for open and close of WKA port
zfcp: restore tracing of handle for port and LUN with HBA records
zfcp: fix D_ID field with actual value on tracing SAN responses
zfcp: fix payload trace length for SAN request&response
zfcp: trace full payload of all SAN records (req,resp,iels)
scsi: zfcp: spin_lock_irqsave() is not nestable
scsi: mpt3sas: Fix secure erase premature termination
scsi: mpt3sas: Unblock device after controller reset
scsi: mpt3sas: fix hang on ata passthrough commands
mpt2sas: Fix secure erase premature termination
scsi: megaraid_sas: Fix data integrity failure for JBOD (passthrough) devices
scsi: megaraid_sas: fix macro MEGASAS_IS_LOGICAL to avoid regression
scsi: ibmvfc: Fix I/O hang when port is not mapped
scsi: Fix use-after-free
scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer()
scsi: scsi_debug: Fix memory leak if LBP enabled and module is unloaded
scsi: arcmsr: Send SYNCHRONIZE_CACHE command to firmware
ext4: validate that metadata blocks do not overlap superblock
ext4: avoid modifying checksum fields directly during checksum verification
ext4: use __GFP_NOFAIL in ext4_free_blocks()
ext4: reinforce check of i_dtime when clearing high fields of uid and gid
ext4: allow DAX writeback for hole punch
ext4: sanity check the block and cluster size at mount time
reiserfs: fix "new_insert_key may be used uninitialized ..."
reiserfs: Unlock superblock before calling reiserfs_quota_on_mount()
xfs: fix superblock inprogress check
libxfs: clean up _calc_dquots_per_chunk
btrfs: ensure that file descriptor used with subvol ioctls is a dir
ocfs2/dlm: fix race between convert and migration
ocfs2: fix start offset to ocfs2_zero_range_for_truncate()
ubifs: Fix assertion in layout_in_gaps()
ubifs: Fix xattr_names length in exit paths
UBIFS: Fix possible memory leak in ubifs_readdir()
ubifs: Abort readdir upon error
ubifs: Fix regression in ubifs_readdir()
UBI: fastmap: scrub PEB when bitflips are detected in a free PEB EC header
NFSv4.x: Fix a refcount leak in nfs_callback_up_net
NFSD: Using free_conn free connection
NFS: Don't drop CB requests with invalid principals
NFSv4: Open state recovery must account for file permission changes
fs/seq_file: fix out-of-bounds read
fs/super.c: fix race between freeze_super() and thaw_super()
isofs: Do not return EACCES for unknown filesystems
hostfs: Freeing an ERR_PTR in hostfs_fill_sb_common()
driver core: Delete an unnecessary check before the function call "put_device"
driver core: fix race between creating/querying glue dir and its cleanup
drm/radeon: fix radeon_move_blit on 32bit systems
drm: Reject page_flip for !DRIVER_MODESET
drm/radeon: Ensure vblank interrupt is enabled on DPMS transition to on
qxl: check for kmap failures
Input: i8042 - break load dependency between atkbd/psmouse and i8042
Input: i8042 - set up shared ps2_cmd_mutex for AUX ports
Input: ili210x - fix permissions on "calibrate" attribute
hwrng: exynos - Disable runtime PM on probe failure
hwrng: omap - Fix assumption that runtime_get_sync will always succeed
hwrng: omap - Only fail if pm_runtime_get_sync returns < 0
i2c-eg20t: fix race between i2c init and interrupt enable
em28xx-i2c: rt_mutex_trylock() returns zero on failure
i2c: core: fix NULL pointer dereference under race condition
i2c: at91: fix write transfers by clearing pending interrupt first
iio: accel: kxsd9: Fix raw read return
iio: accel: kxsd9: Fix scaling bug
thermal: hwmon: Properly report critical temperature in sysfs
cdc-acm: fix wrong pipe type on rx interrupt xfers
timers: Use proper base migration in add_timer_on()
EDAC: Increment correct counter in edac_inc_ue_error()
IB/ipoib: Fix memory corruption in ipoib cm mode connect flow
IB/core: Fix use after free in send_leave function
IB/ipoib: Don't allow MC joins during light MC flush
IB/mlx4: Fix incorrect MC join state bit-masking on SR-IOV
IB/mlx4: Fix create CQ error flow
IB/uverbs: Fix leak of XRC target QPs
IB/cm: Mark stale CM id's whenever the mad agent was unregistered
mtd: blkdevs: fix potential deadlock + lockdep warnings
mtd: pmcmsp-flash: Allocating too much in init_msp_flash()
mtd: nand: davinci: Reinitialize the HW ECC engine in 4bit hwctl
perf symbols: Fixup symbol sizes before picking best ones
perf: Tighten (and fix) the grouping condition
tty: Prevent ldisc drivers from re-using stale tty fields
tty: limit terminal size to 4M chars
tty: vt, fix bogus division in csi_J
vt: clear selection before resizing
drivers/vfio: Rework offsetofend()
include/stddef.h: Move offsetofend() from vfio.h to a generic kernel header
stddef.h: move offsetofend inside #ifndef/#endif guard, neaten
ipv6: don't call fib6_run_gc() until routing is ready
ipv6: split duplicate address detection and router solicitation timer
ipv6: move DAD and addrconf_verify processing to workqueue
ipv6: addrconf: fix dev refcont leak when DAD failed
ipv6: fix rtnl locking in setsockopt for anycast and multicast
ip6_gre: fix flowi6_proto value in ip6gre_xmit_other()
ipv6: correctly add local routes when lo goes up
ipv6: dccp: fix out of bound access in dccp_v6_err()
ipv6: dccp: add missing bind_conflict to dccp_ipv6_mapped
ip6_tunnel: Clear IP6CB in ip6tunnel_xmit()
ip6_tunnel: disable caching when the traffic class is inherited
net/irda: handle iriap_register_lsap() allocation failure
tcp: fix use after free in tcp_xmit_retransmit_queue()
tcp: properly scale window in tcp_v[46]_reqsk_send_ack()
tcp: fix overflow in __tcp_retransmit_skb()
tcp: fix wrong checksum calculation on MTU probing
tcp: take care of truncations done by sk_filter()
bonding: Fix bonding crash
net: ratelimit warnings about dst entry refcount underflow or overflow
mISDN: Support DR6 indication in mISDNipac driver
mISDN: Fixing missing validation in base_sock_bind()
net: disable fragment reassembly if high_thresh is set to zero
ipvs: count pre-established TCP states as active
iwlwifi: pcie: fix access to scratch buffer
svc: Avoid garbage replies when pc_func() returns rpc_drop_reply
brcmsmac: Free packet if dma_mapping_error() fails in dma_rxfill
brcmsmac: Initialize power in brcms_c_stf_ss_algo_channel_get()
brcmfmac: avoid potential stack overflow in brcmf_cfg80211_start_ap()
pstore: Fix buffer overflow while write offset equal to buffer size
net/mlx4_core: Allow resetting VF admin mac to zero
firewire: net: guard against rx buffer overflows
firewire: net: fix fragmented datagram_size off-by-one
netfilter: fix namespace handling in nf_log_proc_dostring
can: bcm: fix warning in bcm_connect/proc_register
net: fix sk_mem_reclaim_partial()
net: avoid sk_forward_alloc overflows
ipmr, ip6mr: fix scheduling while atomic and a deadlock with ipmr_get_route
packet: call fanout_release, while UNREGISTERING a netdev
net: sctp, forbid negative length
sctp: validate chunk len before actually using it
net: clear sk_err_soft in sk_clone_lock()
net: mangle zero checksum in skb_checksum_help()
dccp: do not send reset to already closed sockets
dccp: fix out of bound access in dccp_v4_err()
sctp: assign assoc_id earlier in __sctp_connect
neigh: check error pointer instead of NULL for ipv4_neigh_lookup()
ipv4: use new_gw for redirect neigh lookup
mac80211: fix purging multicast PS buffer queue
mac80211: discard multicast and 4-addr A-MSDUs
cfg80211: limit scan results cache size
mwifiex: printk() overflow with 32-byte SSIDs
ipv4: Set skb->protocol properly for local output
net: sky2: Fix shutdown crash
kaweth: fix firmware download
tracing: Move mutex to protect against resetting of seq data
kernel/fork: fix CLONE_CHILD_CLEARTID regression in nscd
Revert "ipc/sem.c: optimize sem_lock()"
cfq: fix starvation of asynchronous writes
drbd: Fix kernel_sendmsg() usage - potential NULL deref
lib/genalloc.c: start search from start of chunk
tools/vm/slabinfo: fix an unintentional printf
rcu: Fix soft lockup for rcu_nocb_kthread
ratelimit: fix bug in time interval by resetting right begin time
mfd: core: Fix device reference leak in mfd_clone_cell
PM / sleep: fix device reference leak in test_suspend
mmc: mxs: Initialize the spinlock prior to using it
mmc: block: don't use CMD23 with very old MMC cards
pstore/core: drop cmpxchg based updates
pstore/ram: Use memcpy_toio instead of memcpy
pstore/ram: Use memcpy_fromio() to save old buffer
mb86a20s: fix the locking logic
mb86a20s: fix demod settings
cx231xx: don't return error on success
cx231xx: fix GPIOs for Pixelview SBTVD hybrid
gpio: mpc8xxx: Correct irq handler function
uio: fix dmem_region_start computation
KEYS: Fix short sprintf buffer in /proc/keys show function
hv: do not lose pending heartbeat vmbus packets
staging: iio: ad5933: avoid uninitialized variable in error case
mei: bus: fix received data size check in NFC fixup
ACPI / APEI: Fix incorrect return value of ghes_proc()
PCI: Handle read-only BARs on AMD CS553x devices
tile: avoid using clocksource_cyc2ns with absolute cycle count
dm flakey: fix reads to be issued if drop_writes configured
mm,ksm: fix endless looping in allocating memory when ksm enable
can: dev: fix deadlock reported after bus-off
hwmon: (adt7411) set bit 3 in CFG1 register
mpi: Fix NULL ptr dereference in mpi_powm() [ver #3]
mfd: 88pm80x: Double shifting bug in suspend/resume
ASoC: omap-mcpdm: Fix irq resource handling
regulator: tps65910: Work around silicon erratum SWCZ010
dm: mark request_queue dead before destroying the DM device
fbdev/efifb: Fix 16 color palette entry calculation
metag: Only define atomic_dec_if_positive conditionally
Linux 3.10.105
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
arch/arm/mach-sa1100/generic.c
arch/arm64/kernel/traps.c
crypto/blkcipher.c
drivers/devfreq/devfreq.c
drivers/usb/dwc3/gadget.c
drivers/usb/gadget/u_ether.c
fs/ubifs/dir.c
include/net/if_inet6.h
lib/genalloc.c
net/ipv6/addrconf.c
net/ipv6/tcp_ipv6.c
net/wireless/scan.c
sound/core/timer.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJW2MPMAAoJEDjbvchgkmk+xlkP/3pLYC8OxOPz11sBFOWDB6Jn
+/La3kW252TMcY7K8Z6R2UJC93HxXaCySAZTrLrwUL6mqpSStiHhX/1HQMI6If4c
jMtsbgWpU+HZzprPzY8IK6rdrZJKz+Nxu3LMuV0pYTAFKLnCa4d9bSYZ52UArVnC
w13KGpk/gnWTO7A6ZNx4dcRpMqYHWcG+eJsT9zdExmyk65qBCxhhUxXh+DijmSn7
QXrFJ4zjWr1kIdsk6Moat/HCTt/zvwMiWuHdnqYIzUSmvWZWbaQsqGw0cFvKM2hL
pOJ3zf3fgUY6fsV0vG+SFdrMmL6RtL/v0c2EGM5ZlYCIPbUZcK+XMlaEqOe6UAHz
hITIE+r03l2zqagWVb/2HOen8liHIxnfqUPYgHd6vmXz2qWXg9sWTsOhr3ZAQQLA
tf0JDjmx/KCyBmiA7ZyhRLeyhx0jD/csxxo14YME8N3tJCyw5gEIOgXlOLNxhWRu
uCqSN27FDnnf6ppbX1euMeWxzqi4DCZFMDJQT743V5sJIz10BsVR9HJS6mwyUioN
ia4qVc99JfSEsXuawlZhC44Ht+Z/tTSxQPcZjWMHvftGVfxS9AZVf85BM5zNa91t
52mtJivT25N7JxHE41iEQA9t4V1shCjGmEUKD4cVMKgC18cpXD/awDlJ1Or1YuAO
ro6ElZeHj+O3YETFp31/
=GlVi
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqdM8ACgkQmXOSYMts
txacfQ//SS35oIq6UFvp2viMaloy++Ec9fBNUqMI8GLbdJ25Fwt2lA0kuhOCR+dH
bHjwCsb/lo4uf0g+gYuQU4M9XqusWbmsQouTObILBidMt1K2MavKXLqzZsQ+bVD5
pDHLK9ZJwGqTpGgPLlRo1KLIPq+Byf2T+mWiAdoR873gJAJSDPns4PhjJIRvsv52
lnqnIDcjJ//7RzZkBv1hqlA294ttEKRfDqRk+WhLHAJVtnxwpbaiMyRjZgcXvxec
rvPgnppkkhIi/EyrJPU3GkZEce8bj3WQBVDLEw+4NxXNQGANwUEo14jgbBVZaQTg
/Wrx5QR8S+qqxCeKBN825oHcsgfRdLzmX28J13m6R3hW3RMTH0cTjjLTIW/Ms/LI
wiwBW8rYIwkSFUY6r2HYzi9goC9wm1bP/rAJ5n9OdcFkyHc7sVtqkejQEdfmHRfT
UQmIzxe8nH21j88xXXmZ2OiVv0AJqZDcc6rBwvhFdxXRqySdZDKzbl6l7tNXVDBM
amOzbk6pbv245Mbr9i6BvkhUsoWkAmNpX6ZZeo98RAiGsQs9cvUPllgzNZmW0+KW
uDRHreI1ZGBdr7tFYmUCP0JeJYNXv0K3I8bsKIbC97q9xGa/T73M9PFFpQ8r0Cot
hd+rsq+fGC6CuXsYg6xAcuVDwM4ljuHwKbAnQTYSEiXvGEd0dDM=
=iIAf
-----END PGP SIGNATURE-----
Merge 3.10.99 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.99: (80 commits)
tracepoints: Do not trace when cpu is offline
drm/ast: Initialized data needed to map fbdev memory
netfilter: nf_conntrack: fix RCU race in nf_conntrack_find_get
bcache: unregister reboot notifier if bcache fails to unregister device
tools: Add a "make all" rule
drm/radeon: fix hotplug race at startup
efi: Disable interrupts around EFI calls, not in the epilog/prolog calls
dm thin metadata: fix bug when taking a metadata snapshot
dm thin: fix race condition when destroying thin pool workqueue
can: ems_usb: Fix possible tx overflow
USB: cp210x: add IDs for GE B650V3 and B850V3 boards
USB: option: add support for SIM7100E
USB: option: add "4G LTE usb-modem U901"
proc: Fix ptrace-based permission checks for accessing task maps
iw_cxgb3: Fix incorrectly returning error on success
MIPS: KVM: Fix ASID restoration logic
MIPS: KVM: Fix CACHE immediate offset sign extension
MIPS: KVM: Uninit VCPU in vcpu_create error path
splice: sendfile() at once fails for big files
Failing to send a CLOSE if file is opened WRONLY and server reboots on a 4.x mount
unix: correctly track in-flight fds in sending process user_struct
genirq: Prevent chip buslock deadlock
clocksource/drivers/vt8500: Increase the minimum delta
lockd: create NSM handles per net namespace
devres: fix a for loop bounds check
wm831x_power: Use IRQF_ONESHOT to request threaded IRQs
megaraid_sas: Do not use PAGE_SIZE for max_sectors
megaraid_sas : SMAP restriction--do not access user memory from IOCTL code
mmc: remove bondage between REQ_META and reliable write
mac: validate mac_partition is within sector
ARC: dw2 unwind: Remove falllback linear search thru FDE entries
vfs: Avoid softlockups with sendfile(2)
ring-buffer: Update read stamp with first real commit on page
virtio: fix memory leak of virtio ida cache layers
mac80211: mesh: fix call_rcu() usage
RDS: fix race condition when sending a message on unbound socket
can: sja1000: clear interrupts on start
sched/core: Remove false-positive warning from wake_up_process()
sata_sil: disable trim
dm btree: fix bufio buffer leaks in dm_btree_del() error path
vgaarb: fix signal handling in vga_get()
rfkill: copy the name into the rfkill struct
ses: Fix problems with simple enclosures
ses: fix additional element traversal bug
scripts: recordmcount: break hardlinks
Btrfs: add missing brelse when superblock checksum fails
Btrfs: igrab inode in writepage
Btrfs: send, don't BUG_ON() when an empty symlink is found
Btrfs: fix number of transaction units required to create symlink
s390: fix normalization bug in exception table sorting
s390/dasd: prevent incorrect length error under z/VM after PAV changes
s390/dasd: fix refcount for PAV reassignment
uml: flush stdout before forking
uml: fix hostfs mknod()
media: dvb-core: Don't force CAN_INVERSION_AUTO in oneshot mode
gspca: ov534/topro: prevent a division by 0
tda1004x: only update the frontend properties if locked
dm snapshot: fix hung bios when copy error occurs
posix-clock: Fix return code on the poll method's error path
mmc: mmci: fix an ages old detection error
sparc64: fix incorrect sign extension in sys_sparc64_personality
drm/vmwgfx: respect 'nomodeset'
drm/radeon: clean up fujitsu quirks
drm/radeon: hold reference to fences in radeon_sa_bo_new
drm/radeon: use post-decrement in error handling
IB/qib: fix mcast detach when qp not attached
libceph: don't bail early from try_read() when skipping a message
cdc-acm:exclude Samsung phone 04e8:685d
rfkill: fix rfkill_fop_read wait_event usage
Revert "workqueue: make sure delayed work run in local cpu"
libata: fix sff host state machine locking while polling
PCI/AER: Flush workqueue on device remove to avoid use-after-free
nfs: fix nfs_size_to_loff_t
KVM: async_pf: do not warn on page allocation failures
tracing: Fix showing function event in available_events
sunrpc/cache: fix off-by-one in qword_get()
kernel/resource.c: fix muxed resource handling in __request_region()
do_last(): don't let a bogus return value from ->open() et.al. to confuse us
xen/pcifront: Fix mysterious crashes when NUMA locality information was extracted.
Linux 3.10.99
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWowK8AAoJEDjbvchgkmk+sFIP/3HvyY47jKTX7ykzRa78wJZK
0ihPIOzV1OjgjvfRQZ4d6olGDMDuP5YbSAc0gHlIy71FO/cP7uPYSKZI9IrJAwSB
ZEovaAS05nhbA1UuJFZo9V7JVYSc4IXNH/QoMvzJS+Zrpr0v0tlnxQSvP3kaeQpL
Z5dbSd27XyzPp7gYM87Bn+OMkI1tPl+addyhqe7YwJ3MM7OUluLsZYxf30exoPjH
bdckbaXVi1U+WUzA1OI7XboOuKQZh6NT+ZixheB7EQPvbN5kxZRDQKtNJWjnk24d
ycU0KfGC1VntMULWhwJnn+elTxrQf0aVWkJcZM6xBri+g0BmGIli1DAD1WyYj3c7
NSPDlTiNFcm95SUgDpB2PvT7Bue6T/0kRadpZJNgpjZgLtVMXo0r62Lo9Y11Y9Oa
jRqSf7f7BsUJ+X3SDylcXXL60uiz5DOLpAyMp8TmI9JBh1hTymUhiHcEHR9iSUz+
0QOw6P/XKfIXVe0qhzSeWXaRCKIFZIwWrNMztfj2U/SZtAmsoQ76Lpx2jCf/nqGz
3IFAQ/dVhcfLRvOrcYPKFsMDWiLKMJNVTeKe2a9ywh8WCWajROfZvozm856dY42F
gUTUn2MsAnm2T+wNnYcFZo0y2i8EaA4FfjEYfoUeEgyIDqc3w8+YjvgCFwDldLr4
oMm63KBsozCC09L5rRpU
=8AjQ
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqcIwACgkQmXOSYMts
txZYsA//V8o4K4DIOIKDba1XSfocbydB4MyS8+rfavpSyRlrRdSdsR4p29mCY97H
R3fem9CXUaRbW0gvQszYvZ7QgE/GgBeqAhuqIZzpX45F/o573XaPTFW7lSK1e4F/
zn+kn7sww21AlQVoc6EMHyTWXqNtrKwwAaItUD7M4j5ZSYZ6b6FCPABSnJWLoNdl
mkl2VmxcuOc48jgN3TV/K0igy4JxJlj94Uz3fomHcYdzCE2knHpkI2mP4ThOrmmn
VWVr3F+IuX11J5Y9iR5DEzMq8KL9K+0P7P/k8xzuriYXi58+LYtiLZ0KgPU6vkLD
1TvOlO/Katv2GOr2nHW4xo/NNtabkL0OaovuSHisbnqk1HXZHUMMvePDm45LY0Wl
h/AdFlCJbt/8lF4I9VrYHCLKMa7kRnKl15vJLiMic5IWm3GSprtg7bOWYx0koUff
ic5y/VduP6lJ6xfMDMKAO5yPFssCjxU+VBpVHF1zFe2ipeHnlCpG+q457Ic/PhRc
iMXicZtGDVQ+l3T0RvJqpB03bx9vVV5M+EOOVY/esMUXIN2zE5jBVW3D1LSdcNq3
cHeK0lILycbF0SfC3J72ASusbhu+tut4XIYXZEYWcbhxANTRhEudRqa+MwHQXBr/
VTbkaYoCXRJBVMOG7lVZPveMMzTrDhqzOklmHn3VdCcPkY+yrfE=
=SyC6
-----END PGP SIGNATURE-----
Merge 3.10.95 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.95: (36 commits)
unix: avoid use-after-free in ep_remove_wait_queue
sctp: translate host order to network order when setting a hmacid
snmp: Remove duplicate OUTMCAST stat increment
net: qmi_wwan: add XS Stick W100-2 from 4G Systems
tcp: md5: fix lockdep annotation
tcp: initialize tp->copied_seq in case of cross SYN connection
net, scm: fix PaX detected msg_controllen overflow in scm_detach_fds
net: ipmr: fix static mfc/dev leaks on table destruction
net: ip6mr: fix static mfc/dev leaks on table destruction
broadcom: fix PHY_ID_BCM5481 entry in the id table
ipv6: distinguish frag queues by device for multicast and link-local packets
ipv6: sctp: implement sctp_v6_destroy_sock()
Btrfs: fix race leading to BUG_ON when running delalloc for nodatacow
ext4, jbd2: ensure entering into panic after recording an error in superblock
firewire: ohci: fix JMicron JMB38x IT context discovery
nfs4: start callback_ident at idr 1
nfs: if we have no valid attrs, then don't declare the attribute cache valid
USB: cdc_acm: Ignore Infineon Flash Loader utility
USB: cp210x: Remove CP2110 ID from compatibility list
USB: add quirk for devices with broken LPM
USB: whci-hcd: add check for dma mapping error
usb: Use the USB_SS_MULT() macro to decode burst multiplier for log message
gre6: allow to update all parameters via rtnl
atl1c: Improve driver not to do order 4 GFP_ATOMIC allocation
sctp: update the netstamp_needed counter when copying sockets
ipv6: sctp: clone options to avoid use after free
net: add validation for the socket syscall protocol argument
sh_eth: fix kernel oops in skb_put()
pptp: verify sockaddr_len in pptp_bind() and pptp_connect()
bluetooth: Validate socket address length in sco_sock_bind().
af_unix: Revert 'lock_interruptible' in stream receive code
KEYS: Fix race between key destruction and finding a keyring by name
KEYS: Fix crash when attempt to garbage collect an uninstantiated keyring
KEYS: Fix race between read and revoke
KEYS: Fix keyring ref leak in join_session_keyring()
Linux 3.10.95
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
net/bluetooth/sco.c
net/unix/af_unix.c
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWLskYAAoJEDjbvchgkmk+SuwP/151KbisBhxbvKfGEjdpp/CJ
4SVg8zEgRPhnlUoJKEpnWBf67I7SSz9FOpdG7x6CpA3sKbv3hiR3QYsD+L9HUIIN
MNHJyGaHkKkMoLWYj+WJXixy4gE1JLESgpxZ2JE979vdpFNzgIL+8W3DqxNO9deF
HzWv+VVX4SUeyd4O9uuVHsq7+NKgKzR2gAniRfeiYqw4Co/IMXNwV91nlS/Tt7E1
sqUw17UGLP0Jx5avI4o2P6e3nZhEAkzcPt8YIwBVN4PheNuUK5AHu5seGArUObiP
DfzFCsSgh6OJUSLawZ6Qw/zoJqDgWF8fBfDRbm+5vUJA49pF7xYG0dZFXkqHrCa1
SSYOi0H0OPnz/a5/qyW3jN8e3TEmoz6d58NetDUs6ogAoxpoCtR3m+OgfjXlRuvU
hIpA4GFa+duvatpAvYN+XFVJ1gUke1JGjBU+CKrZZFtE7M/hOWIw1FLcVkNzGun5
i/o9R05cW8muNcovFpipyW/vCpvBuG4qIiuHgn1H7iL0IxYvLxAI4RTPiLtN73Pi
MJ5E4CRpMJOvNZq01v5FD/VV6L9tgVGrdTg8PYkWGxE+e85E0ZMnqqfJ05jgxw4W
iOthNYpoIu0BFogljKXwMUjR8EzSLoe6tJoPzXWTndnCbSVii2Zigj6nFtUdZBqw
JK05rEMDE6+QVYABlhUu
=gSSH
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqcFMACgkQmXOSYMts
txb2+hAAsUnK2xFlpIhAXoy9PdEfCmbcUDc6rfToTv7e4JehC81IEEDiAE3+vwJh
mMwCkI1DkBEm9ECqvZLo4YiT2RZ0mkiuKn4mHdqbOZgVrJX+CMAlunwuVfBpZIab
fKjI2sJ7xf29s+TJfFgYw53iydnOgnhrOHrRXmGOWsPQMNPqvs+Vsk3ICaXQwtlx
TzWAZBonrKME2zpBgFK89JK9oaw8pzMF6hkFDcL65ZIWfE5M9xfxqW9DZ3mDRkeD
oo/qM7W38Sp9CN5PVgeXL2s+YnwIOhV/QzN8W2DuoMkGLPzmn5HmN/iIxjVpKSqR
bGVgwToxXYMXbjLrVn7SnwnpqZGkGcnkRPDH+Zc/OOdSrJqgf4VlkwFvwx3CSyXX
nW6OGWyw2Nt6zGJxRuXZtPdCO2tg0SPliU1bMVv9S+cHLcFbV0AlZONqKAweWMIS
5HXirtajV/SwciqWoSPFyuKa60Insusq4AvG5kQ6GnD1WN2IWIhslfkfAn4nmqEi
zn891Q8HlHPVOwH8WskvZ6mzlgUZo02Ve4AnQF0dmGzW9B7vI6sivJj9MQd536P1
aTuRNwZh/epY7K10DpcY3wnj7+0RAMQGdrcYGUxu0fzN1O7m67F9h8kElOuB81U6
ZVz75nDl8cQuLsuyHS28gza/2qQZwrP8bEpdAgVI5q67wHr7ATE=
=wnEo
-----END PGP SIGNATURE-----
Merge 3.10.92 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.92: (18 commits)
l2tp: protect tunnel->del_work by ref_count
af_unix: Convert the unix_sk macro to an inline function for type safety
af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag
skbuff: Fix skb checksum flag on skb pull
skbuff: Fix skb checksum partial check.
net: add pfmemalloc check in sk_add_backlog()
ppp: don't override sk->sk_state in pppoe_flush_dev()
ethtool: Use kcalloc instead of kmalloc for ethtool_get_strings
asix: Don't reset PHY on if_up for ASIX 88772
asix: Do full reset during ax88772_bind
m68k/uaccess: Fix asm constraints for userspace access
crypto: sparc - initialize blkcipher.ivsize
crypto: ahash - ensure statesize is non-zero
i2c: rcar: enable RuntimePM before registering to the core
workqueue: make sure delayed work run in local cpu
dm thin: fix missing pool reference count decrement in pool_ctr error path
rbd: fix double free on rbd_dev->header_name
Linux 3.10.92
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJWDQYBAAoJEDjbvchgkmk+PrcQAICXm5q6InTIv16/Q2PKdny6
iydBdhM8sBUYt2fFv0hOJgEXgzQ1HeNQ4JLNrfUHocoSw6gTq4e7pFN4AsyhoZzy
DB2ZQ6cpxK6C3QPUa0C+zevoY/LsJac5TkNKT5RCxGRRolPgtTgtFw9RIXZdGPYo
3Fpt8xrwBp+SS6cXUH7j7hJEeSCpcDN3P8xq1DcAmLX1fm8At9MLOujyaILQis4U
oSaAinjg7rfTYbIpZFYix6B9F8PGqWe6/+bKLljhQhH7V7oR7aAyGKfKM53Gr1/h
Y0j+FbLxa9GNeYlR/Kw79fiX8fMpW88qGQ26rSAVIN7JtMReu7CBRHY7/hvTsyrR
wYywcHs9+zDUDlDMbp/v5ecTBkXVNRecEJpKtd7wQ7P4M79K3lR3Ar8sNxRvnP77
IHLBBNQTzOagZLQXWAYfTdmsWXjf1J4Ij673Ae1DZf2/mkSp/3wXslDYwHbrLIP4
WIYDlqc8B4+TxyJWNPXflfI6c2/nWU0ASYP/bMGGA9Kg+hReMW2DrGY0MTYCsfPg
uhu9hq8AW9JIEwA5t8sj4iebq2U1Nl1QgdpuwmgolmROwmie7zf6+yuK6e7XKpwe
A5vC7fDNTNmZOOo2tcNIH5QdHjrF/S19Re3dd1J44eBtkYiR4KM7vuBTMCrYf7r8
cknJgSXzT1VMvcpM84Zq
=w0iE
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqcAwACgkQmXOSYMts
txZtmA/+IzGuQW8ZtcxJgkca+QNgod6AW32WiH5btVRwRe0SiifT1vFSqIouKSWI
rwIG0E2qDpYMitydli5zooSF5pUGW+zzyKiNElBQhbBQvZuS2VxUBlaqRvWXIk6e
heDueAC/0OfXTuDRNf4Omj9BcI78881LTz/VUd3NKkOrf4qA6Xjjj8HGIlGgYO0h
UtkbsGP2QzWo51X1Ad2TqZbs0rFP0kO2dOHIohVd4QQKIxNctLOj2+5oYpgxyNnA
uxGOGQp5JnBOolclT2yVTuKLSHLRIzdqX+fB/swxoUjmeFMEsj8KEEtfZEIP+vP3
b0rhNReA/v0j5Z6r/0oKtwqWm4p2aBjjhmmloMNu8xmpyxCnS5o9zits3HEzJ8EL
MJ/NbRIhIGi2eLtGHn54+yS9MeX5AWurzLI+iNw8SBnDRKdbAMy0iki+puLtNP1f
OaNmH67mHXNTt5juowHAMmbqb7UAHSIpHR1AthpahRZ+nSob9Z1I8b7aTvjB96n0
sYBoe2eDIIFS6hqvkFh5pfv4uH9Ut171yu0G5fI7J9mfRsPuPhwmk0ZhBTby2a2n
u8XuJe5oOwMphYCAZELdkfU6Y8ZpNWGySV7nIxKIc7bnYsDP/PukzbGqoITgtxU8
W6CDDk8TVH0aCtnodpgiIvihYoPUc2FpodRD2aQRgcPVomO//wc=
=qmSH
-----END PGP SIGNATURE-----
Merge 3.10.90 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.90: (55 commits)
unshare: Unsharing a thread does not require unsharing a vm
rtlwifi: rtl8192cu: Add new device ID
tg3: Fix temperature reporting
mac80211: enable assoc check for mesh interfaces
arm64: kconfig: Move LIST_POISON to a safe value
arm64: compat: fix vfp save/restore across signal handlers in big-endian
arm64: head.S: initialise mdcr_el2 in el2_setup
ALSA: hda - Enable headphone jack detect on old Fujitsu laptops
ALSA: hda - Use ALC880_FIXUP_FUJITSU for FSC Amilo M1437
powerpc/mm: Fix pte_pagesize_index() crash on 4K w/64K hash
powerpc/rtas: Introduce rtas_get_sensor_fast() for IRQ handlers
Add radeon suspend/resume quirk for HP Compaq dc5750.
x86/mm: Initialize pmd_idx in page_table_range_init_count()
rc-core: fix remove uevent generation
NFSv4: don't set SETATTR for O_RDONLY|O_EXCL
NFS: nfs_set_pgio_error sometimes misses errors
parisc: Filter out spurious interrupts in PA-RISC irq handler
vmscan: fix increasing nr_isolated incurred by putback unevictable pages
fs: if a coredump already exists, unlink and recreate with O_EXCL
mmc: core: fix race condition in mmc_wait_data_done
md/raid10: always set reshape_safe when initializing reshape_position.
xen/gntdev: convert priv->lock to a mutex
hfs: fix B-tree corruption after insertion at position 0
IB/uverbs: reject invalid or unknown opcodes
IB/uverbs: Fix race between ib_uverbs_open and remove_one
IB/mlx4: Forbid using sysfs to change RoCE pkeys
IB/mlx4: Use correct SL on AH query under RoCE
hfs,hfsplus: cache pages correctly between bnode_create and bnode_free
sctp: fix ASCONF list handling
vhost/scsi: potential memory corruption
x86: bpf_jit: fix compilation of large bpf programs
ipv6: Make MLD packets to only be processed locally
net/tipc: initialize security state for new connection socket
bridge: mdb: zero out the local br_ip variable before use
net: pktgen: fix race between pktgen_thread_worker() and kthread_stop()
net: call rcu_read_lock early in process_backlog
net: Clone skb before setting peeked flag
net: Fix skb csum races when peeking
net: Fix skb_set_peeked use-after-free bug
bridge: mdb: fix double add notification
isdn/gigaset: reset tty->receive_room when attaching ser_gigaset
ipv6: lock socket in ip6_datagram_connect()
bonding: fix destruction of bond with devices different from arphrd_ether
inet: frags: fix defragmented packet's IP header for af_packet
netlink: don't hold mutex in rcu callback when releasing mmapd ring
rds: fix an integer overflow test in rds_info_getsockopt()
ip6_gre: release cached dst on tunnel removal
usbnet: Get EVENT_NO_RUNTIME_PM bit before it is cleared
ipv6: fix exthdrs offload registration in out_rt path
net/ipv6: Correct PIM6 mrt_lock handling
sctp: fix race on protocol/netns initialization
fib_rules: fix fib rule dumps across multiple skbs
vfs: Remove incorrect debugging WARN in prepend_path
Revert "iio: bmg160: IIO_BUFFER and IIO_TRIGGERED_BUFFER are required"
Linux 3.10.90
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJVl0l6AAoJEDjbvchgkmk+zxsP/inK1pJeQd3q7k8/e8vg60yi
vtyuLZwcgZ5LqBeMBRYwXM5TRVgMsKYltIzLmZj/foK5cH+SrpANrFXZrjl6T32x
k1UMd/xY5yoylGmNdIUnLjgxMCQ0XCBVhASA7Xvh6OEdMinVmcgsoB8OJSrcQZy+
5HL30uBDO2QtBWLaioZikLie77JoDLQmCM83otlSsWd6f0A0eCRRJzJ7zS9UUxR1
wA1eNmhwvbGVQE1FNmBMhAdh7kSRkaR6wrOcn2qDoNXiZ87wVnKUSrKXxrXo1E3z
fFtui6dJUYlyjskfkFM+KJ8FaGkjShVWh9VJGQs3x3WGlQMZTrDhoOsKbwl8iFyl
58cJ/vojCe76pbxcL1g+koPRAe917C6yV7nR+yRi7Epsv5NwWwQfsR7OmMwIAulj
QIxqPos1a33DdNdesPYrZfUG1vcZ1JhNko4G8CIr5OmrPcZPe6QI1X3qwaM52ML0
nTDwjHxZGiruNl4OkDHfwX+aOXWKqJivqzWA239XDePz/peNL0DZJFCFc9Ado1h5
2bt1gNxn1Oiy0TPlDr3wLwjBjcYXIwICxGj0Hqh9hUv+IRL4JkfBUhG68koCgc2i
KbKZZioPamF7MvMukahF87f/SMOXYPhqs7pSKR9zzkzwLFBNpZ6h+rYvii8xB4LX
LztDlieyin8YFXI9MbM2
=YwGL
-----END PGP SIGNATURE-----
gpgsig -----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEJDfLduVEy2qz2d/TmXOSYMtstxYFAlpqbKIACgkQmXOSYMts
txZZPg//fMdsCYndbngE1i784SkIo80ilvQkEfIvIXA6YlT+BSW0DedZ4yE1nMED
cf3NIaIYxtId6MyTqA7HUBZnq/j2Xoa4f3Nq9cY0S3X0NJjLRD8fd9LxGy0iUWkn
BiODFt/lXB8OiMCpAsV8u7/71oTeRC3RyKOHGjkyMT1+sGzWDzdq688R4/ZmajoF
nKjL6tBwSFmWY7yyCoJB+5me4UTHmM5hh0dq8JoOUTYdhoJtN8nBK79yOd5VJazZ
B2MmSPNgnGD0ieFY6yTa0WbpbM2vZGzJSAnRFdb9WpOh5LGcQ2Tbz/+kD5uRzQNQ
lykb+jhPaNYo3v60ufVK3Jhfy1si2O36V2GibZgDiJFcN3tgi5666Ho6PnB6dFs2
V9NxBChAdeRHd5eLfDvO5mZxZtnnO45zvoVT4BVjqBFXA66RIVENw2bYvS7NFSUw
K1e6YyUjV3WAd7Rmo4/tYPVfvwecEmC/vqMyXIugl5rOZ/5i8mol9qCU8tR6+JOQ
cWKWsJIPZebSUGZ6ByTR7v22UxwRwL8vAir5UwX5Qxa6HnfcefXjrcxgn854ORr8
nVSjRsJ8Q4cdC73Uja3gXmzcQkk67INWHfGqJBfS4nKSJrxD1WE1iPXTev9wlG7a
h7m3j0XudE2dNN/8EFat8GBuedekIu0K1AYx6ESTAWMvXIzOSX4=
=8vm4
-----END PGP SIGNATURE-----
Merge 3.10.83 into android-msm-bullhead-3.10-oreo-m5
Changes in 3.10.83: (23 commits)
fput: turn "list_head delayed_fput_list" into llist_head
get rid of s_files and files_lock
config: Enable NEED_DMA_MAP_STATE by default when SWIOTLB is selected
netfilter: nfnetlink_cthelper: Remove 'const' and '&' to avoid warnings
netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
include/linux/sched.h: don't use task->pid/tgid in same_thread_group/has_group_leader_pid
__ptrace_may_access() should not deny sub-threads
ACPICA: Utilities: Cleanup to convert physical address printing formats.
ACPICA: Utilities: Cleanup to remove useless ACPI_PRINTF/FORMAT_xxx helpers.
sb_edac: Fix erroneous bytes->gigabytes conversion
hpsa: refine the pci enable/disable handling
hpsa: add missing pci_set_master in kdump path
fs: take i_mutex during prepare_binprm for set[ug]id executables
x86/microcode/intel: Guard against stack overflow in the loader
Btrfs: make xattr replace operations atomic
xfrm: Increase the garbage collector threshold
ipv6: prevent fib6_run_gc() contention
ipv6: update ip6_rt_last_gc every time GC is run
d_walk() might skip too much
ARM: clk-imx6q: refine sata's parent
KVM: nSVM: Check for NRIPS support before updating control field
bus: mvebu: pass the coherency availability information at init time
Linux 3.10.83
Signed-off-by: Nathan Chancellor <natechancellor@gmail.com>
Conflicts:
fs/exec.c
fs/super.c
commit 77d4b1d36926a9b8387c6b53eeba42bcaaffcea3 upstream.
Alexander reported various KASAN messages triggered in recent kernels
The problem is that ping sockets should not use udp_poll() in the first
place, and recent changes in UDP stack finally exposed this old bug.
Fixes: c319b4d76b ("net: ipv4: add IPPROTO_ICMP socket kind")
Fixes: 6d0bfe226116 ("net: ipv6: Add IPv6 support to the ping socket.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Sasha Levin <alexander.levin@verizon.com>
Cc: Solar Designer <solar@openwall.com>
Cc: Vasiliy Kulikov <segoon@openwall.com>
Cc: Lorenzo Colitti <lorenzo@google.com>
Acked-By: Lorenzo Colitti <lorenzo@google.com>
Tested-By: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[wt: removed the parts related to ping6 as 6d0bfe226116 is not in 3.10]
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit fa5f7b51fc3080c2b195fa87c7eca7c05e56f673 upstream.
This code causes a static checker warning because Smatch doesn't trust
anything that comes from skb->data. I've reviewed this code and I do
think skb->data can be controlled by the user here.
The sctp_event_subscribe struct has 13 __u8 fields and we want to see
if ours is non-zero. sn_type can be any value in the 0-USHRT_MAX range.
We're subtracting SCTP_SN_TYPE_BASE which is 1 << 15 so we could read
either before the start of the struct or after the end.
This is a very old bug and it's surprising that it would go undetected
for so long but my theory is that it just doesn't have a big impact so
it would be hard to notice.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 6b84202c946cd3da3a8daa92c682510e9ed80321 upstream.
Commit b1f5bfc27a19 ("sctp: don't dereference ptr before leaving
_sctp_walk_{params, errors}()") tried to fix the issue that it
may overstep the chunk end for _sctp_walk_{params, errors} with
'chunk_end > offset(length) + sizeof(length)'.
But it introduced a side effect: When processing INIT, it verifies
the chunks with 'param.v == chunk_end' after iterating all params
by sctp_walk_params(). With the check 'chunk_end > offset(length)
+ sizeof(length)', it would return when the last param is not yet
accessed. Because the last param usually is fwdtsn supported param
whose size is 4 and 'chunk_end == offset(length) + sizeof(length)'
This is a badly issue even causing sctp couldn't process 4-shakes.
Client would always get abort when connecting to server, due to
the failure of INIT chunk verification on server.
The patch is to use 'chunk_end <= offset(length) + sizeof(length)'
instead of 'chunk_end < offset(length) + sizeof(length)' for both
_sctp_walk_params and _sctp_walk_errors.
Fixes: b1f5bfc27a19 ("sctp: don't dereference ptr before leaving _sctp_walk_{params, errors}()")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 93be2b74279c15c2844684b1a027fdc71dd5d9bf upstream.
gcc-7 complains that wl3501_cs passes NULL into a function that
then uses the argument as the input for memcpy:
drivers/net/wireless/wl3501_cs.c: In function 'wl3501_get_scan':
include/net/iw_handler.h:559:3: error: argument 2 null where non-null expected [-Werror=nonnull]
memcpy(stream + point_len, extra, iwe->u.data.length);
This works fine here because iwe->u.data.length is guaranteed to be 0
and the memcpy doesn't actually have an effect.
Making the length check explicit avoids the warning and should have
no other effect here.
Also check the pointer itself, since otherwise we get warnings
elsewhere in the code.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit e1a10ef7fa876f8510aaec36ea5c0cf34baba410 upstream.
Pure refactor. This helper will be required in the xmit timer fix
later in the patch series. (Because the TLP logic will want to make
this calculation.)
[This version of the commit was compiled and briefly tested
based on top of v3.10.107.]
Change-Id: I1ccfba0b00465454bf5ce22e6fef5f7b5dd94d15
Fixes: 6ba8a3b19e ("tcp: Tail loss probe (TLP)")
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Nandita Dukkipati <nanditad@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit d71b7896886345c53ef1d84bda2bc758554f5d61 upstream.
syzkaller found another out of bound access in ip_options_compile(),
or more exactly in cipso_v4_validate()
Fixes: 20e2a86485 ("cipso: handle CIPSO options correctly when NetLabel is disabled")
Fixes: 446fda4f26 ("[NetLabel]: CIPSOv4 engine")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Paul Moore <paul@paul-moore.com>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
This implements:
https://tools.ietf.org/html/rfc7559
Backoff is performed according to RFC3315 section 14:
https://tools.ietf.org/html/rfc3315#section-14
We allow setting /proc/sys/net/ipv6/conf/*/router_solicitations
to a negative value meaning an unlimited number of retransmits,
and we make this the new default (inline with the RFC).
We also add a new setting:
/proc/sys/net/ipv6/conf/*/router_solicitation_max_interval
defaulting to 1 hour (per RFC recommendation).
Signed-off-by: Maciej Żenczykowski <maze@google.com>
Acked-by: Erik Kline <ek@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit bd11f0741fa5a2c296629898ad07759dd12b35bb in
DaveM's net-next/master, should make Linus' tree in 4.9-rc1)
Change-Id: Ia32cdc5c61481893ef8040734e014bf2229fc39e
Create cnss_genl driver to create a netlink family cld80211
and make it available to cld driver and applications when
they query for it.
This driver creates multicast groups to facilitate communication
from cld driver to userspace and allows cld driver to register
for different commands from user space.
Resolve compilation errors and tweak netlink family creation
Change-Id: I0795dd08b6429fad60187fee724b3fd3ccfa5603
CRs-Fixed: 1100401
Bug: 32775496
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Define macro to indicate backport support for using random MAC
addresses for scan while unassociated.
Change-Id: I2b7318ca8f6af29a9eb13d14e8c1e55bd41ae654
CRs-Fixed: 1082480
Bug: 35436707
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add the necessary feature flags and a scan flag to support using
random MAC addresses for scan while unassociated.
The configuration for this supports an arbitrary MAC address
value and mask, so that any kind of configuration (e.g. fixed
OUI or full 46-bit random) can be requested. Full 46-bit random
is the default when no other configuration is passed.
Also add a small helper function to use the addr/mask correctly.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: ad2b26abc157460ca6fac1a53a2bfeade283adfa
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211-next.git
[dasaris@codeaurora.org: backport to 3.18 excluding the changes in
nl80211_parse_wowlan_nd]
Change-Id: Id30d201358654c77a99f46500178ebf975d609d5
CRs-Fixed: 1082480
Bug: 35436707
Signed-off-by: Srinivas Dasari <dasaris@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
commit 20c64d5cd5a2bdcdc8982a06cb05e5e1bd851a3d upstream.
A malicious TCP receiver, sending SACK, can force the sender to split
skbs in write queue and increase its memory usage.
Then, when socket is closed and its write queue purged, we might
overflow sk_forward_alloc (It becomes negative)
sk_mem_reclaim() does nothing in this case, and more than 2GB
are leaked from TCP perspective (tcp_memory_allocated is not changed)
Then warnings trigger from inet_sock_destruct() and
sk_stream_kill_queues() seeing a not zero sk_forward_alloc
All TCP stack can be stuck because TCP is under memory pressure.
A simple fix is to preemptively reclaim from sk_mem_uncharge().
This makes sure a socket wont have more than 2 MB forward allocated,
after burst and idle period.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 1a24e04e4b50939daa3041682b38b82c896ca438 upstream.
sk_mem_reclaim_partial() goal is to ensure each socket has
one SK_MEM_QUANTUM forward allocation. This is needed both for
performance and better handling of memory pressure situations in
follow up patches.
SK_MEM_QUANTUM is currently a page, but might be reduced to 4096 bytes
as some arches have 64KB pages.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit ac6e780070e30e4c35bd395acfe9191e6268bdd3 upstream.
With syzkaller help, Marco Grassi found a bug in TCP stack,
crashing in tcp_collapse()
Root cause is that sk_filter() can truncate the incoming skb,
but TCP stack was not really expecting this to happen.
It probably was expecting a simple DROP or ACCEPT behavior.
We first need to make sure no part of TCP header could be removed.
Then we need to adjust TCP_SKB_CB(skb)->end_seq
Many thanks to syzkaller team and Marco for giving us a reproducer.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Marco Grassi <marco.gra@gmail.com>
Reported-by: Vladis Dronov <vdronov@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit bb1fceca22492109be12640d49f5ea5a544c6bb4 upstream.
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Fixes: 6859d49475 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 23f4ffedb7d751c7e298732ba91ca75d224bc1a6 upstream.
skb->cb may contain data from previous layers. In the observed scenario,
the garbage data were misinterpreted as IP6CB(skb)->frag_max_size, so
that small packets sent through the tunnel are mistakenly fragmented.
This patch unconditionally clears the control buffer in ip6tunnel_xmit(),
which affects ip6_tunnel, ip6_udp_tunnel and ip6_gre. Currently none of
these tunnels set IP6CB(skb)->flags, otherwise it needs to be done earlier.
Cc: stable@vger.kernel.org
Signed-off-by: Eli Cooper <elicooper@gmx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit c15b1ccadb323ea50023e8f1cca2954129a62b51 upstream.
addrconf_join_solict and addrconf_join_anycast may cause actions which
need rtnl locked, especially on first address creation.
A new DAD state is introduced which defers processing of the initial
DAD processing into a workqueue.
To get rtnl lock we need to push the code paths which depend on those
calls up to workqueues, specifically addrconf_verify and the DAD
processing.
(v2)
addrconf_dad_failure needs to be queued up to the workqueue, too. This
patch introduces a new DAD state and stop the DAD processing in the
workqueue (this is because of the possible ipv6_del_addr processing
which removes the solicited multicast address from the device).
addrconf_verify_lock is removed, too. After the transition it is not
needed any more.
As we are not processing in bottom half anymore we need to be a bit more
careful about disabling bottom half out when we lock spin_locks which are also
used in bh.
Relevant backtrace:
[ 541.030090] RTNL: assertion failed at net/core/dev.c (4496)
[ 541.031143] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G O 3.10.33-1-amd64-vyatta #1
[ 541.031145] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[ 541.031146] ffffffff8148a9f0 000000000000002f ffffffff813c98c1 ffff88007c4451f8
[ 541.031148] 0000000000000000 0000000000000000 ffffffff813d3540 ffff88007fc03d18
[ 541.031150] 0000880000000006 ffff88007c445000 ffffffffa0194160 0000000000000000
[ 541.031152] Call Trace:
[ 541.031153] <IRQ> [<ffffffff8148a9f0>] ? dump_stack+0xd/0x17
[ 541.031180] [<ffffffff813c98c1>] ? __dev_set_promiscuity+0x101/0x180
[ 541.031183] [<ffffffff813d3540>] ? __hw_addr_create_ex+0x60/0xc0
[ 541.031185] [<ffffffff813cfe1a>] ? __dev_set_rx_mode+0xaa/0xc0
[ 541.031189] [<ffffffff813d3a81>] ? __dev_mc_add+0x61/0x90
[ 541.031198] [<ffffffffa01dcf9c>] ? igmp6_group_added+0xfc/0x1a0 [ipv6]
[ 541.031208] [<ffffffff8111237b>] ? kmem_cache_alloc+0xcb/0xd0
[ 541.031212] [<ffffffffa01ddcd7>] ? ipv6_dev_mc_inc+0x267/0x300 [ipv6]
[ 541.031216] [<ffffffffa01c2fae>] ? addrconf_join_solict+0x2e/0x40 [ipv6]
[ 541.031219] [<ffffffffa01ba2e9>] ? ipv6_dev_ac_inc+0x159/0x1f0 [ipv6]
[ 541.031223] [<ffffffffa01c0772>] ? addrconf_join_anycast+0x92/0xa0 [ipv6]
[ 541.031226] [<ffffffffa01c311e>] ? __ipv6_ifa_notify+0x11e/0x1e0 [ipv6]
[ 541.031229] [<ffffffffa01c3213>] ? ipv6_ifa_notify+0x33/0x50 [ipv6]
[ 541.031233] [<ffffffffa01c36c8>] ? addrconf_dad_completed+0x28/0x100 [ipv6]
[ 541.031241] [<ffffffff81075c1d>] ? task_cputime+0x2d/0x50
[ 541.031244] [<ffffffffa01c38d6>] ? addrconf_dad_timer+0x136/0x150 [ipv6]
[ 541.031247] [<ffffffffa01c37a0>] ? addrconf_dad_completed+0x100/0x100 [ipv6]
[ 541.031255] [<ffffffff8105313a>] ? call_timer_fn.isra.22+0x2a/0x90
[ 541.031258] [<ffffffffa01c37a0>] ? addrconf_dad_completed+0x100/0x100 [ipv6]
Hunks and backtrace stolen from a patch by Stephen Hemminger.
Reported-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org> # 3.10.y: b7b1bfce: ipv6: split dad and rs timers
Cc: <stable@vger.kernel.org> # 3.10.y
[Mike Manning <mmanning@brocade.com>: resolved minor conflicts in addrconf.c]
Signed-off-by: Mike Manning <mmanning@brocade.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit b7b1bfce0bb68bd8f6e62a28295922785cc63781 upstream.
This patch splits the timers for duplicate address detection and router
solicitations apart. The router solicitations timer goes into inet6_dev
and the dad timer stays in inet6_ifaddr.
The reason behind this patch is to reduce the number of unneeded router
solicitations send out by the host if additional link-local addresses
are created. Currently we send out RS for every link-local address on
an interface.
If the RS timer fires we pick a source address with ipv6_get_lladdr. This
change could hurt people adding additional link-local addresses and
specifying these addresses in the radvd clients section because we
no longer guarantee that we use every ll address as source address in
router solicitations.
Cc: Flavio Leitner <fleitner@redhat.com>
Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
Cc: David Stevens <dlstevens@us.ibm.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Reviewed-by: Flavio Leitner <fbl@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org> # 3.10.y
[Mike Manning <mmanning@brocade.com>: resolved conflicts with 36bddb]
Signed-off-by: Mike Manning <mmanning@brocade.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
commit 2c861cc65ef4604011a0082e4dcdba2819aa191a upstream.
When loading the ipv6 module, ndisc_init() is called before
ip6_route_init(). As the former registers a handler calling
fib6_run_gc(), this opens a window to run the garbage collector
before necessary data structures are initialized. If a network
device is initialized in this window, adding MAC address to it
triggers a NETDEV_CHANGEADDR event, leading to a crash in
fib6_clean_all().
Take the event handler registration out of ndisc_init() into a
separate function ndisc_late_init() and move it after
ip6_route_init().
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cc: <stable@vger.kernel.org> # 3.10.y
Signed-off-by: Mike Manning <mmanning@brocade.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
- Use the UID in routing lookups made by protocol connect() and
sendmsg() functions.
- Make sure that routing lookups triggered by incoming packets
(e.g., Path MTU discovery) take the UID of the socket into
account.
- For packets not associated with a userspace socket, (e.g., ping
replies) use UID 0 inside the user namespace corresponding to
the network namespace the socket belongs to. This allows
all namespaces to apply routing and iptables rules to
kernel-originated traffic in that namespaces by matching UID 0.
This is better than using the UID of the kernel socket that is
sending the traffic, because the UID of kernel sockets created
at namespace creation time (e.g., the per-processor ICMP and
TCP sockets) is the UID of the user that created the socket,
which might not be mapped in the namespace.
[Backport of net-next e2d118a1cb5e60d077131a09db1d81b90a5295fe]
Bug: 16355602
Change-Id: I126f8359887b5b5bbac68daf0ded89e899cb7cb0
Tested: compiles allnoconfig, allyesconfig, allmodconfig
Tested: https://android-review.googlesource.com/253302
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- Define a new FIB rule attributes, FRA_UID_RANGE, to describe a
range of UIDs.
- Define a RTA_UID attribute for per-UID route lookups and dumps.
- Support passing these attributes to and from userspace via
rtnetlink. The value INVALID_UID indicates no UID was
specified.
- Add a UID field to the flow structures.
[Backport of net-next 622ec2c9d52405973c9f1ca5116eb1c393adfc7d]
Bug: 16355602
Change-Id: I7e3ab388ed862c4b7e39dc8b0209d977cb1129ac
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Protocol sockets (struct sock) don't have UIDs, but most of the
time, they map 1:1 to userspace sockets (struct socket) which do.
Various operations such as the iptables xt_owner match need
access to the "UID of a socket", and do so by following the
backpointer to the struct socket. This involves taking
sk_callback_lock and doesn't work when there is no socket
because userspace has already called close().
Simplify this by adding a sk_uid field to struct sock whose value
matches the UID of the corresponding struct socket. The semantics
are as follows:
1. Whenever sk_socket is non-null: sk_uid is the same as the UID
in sk_socket, i.e., matches the return value of sock_i_uid.
Specifically, the UID is set when userspace calls socket(),
fchown(), or accept().
2. When sk_socket is NULL, sk_uid is defined as follows:
- For a socket that no longer has a sk_socket because
userspace has called close(): the previous UID.
- For a cloned socket (e.g., an incoming connection that is
established but on which userspace has not yet called
accept): the UID of the socket it was cloned from.
- For a socket that has never had an sk_socket: UID 0 inside
the user namespace corresponding to the network namespace
the socket belongs to.
Kernel sockets created by sock_create_kern are a special case
of #1 and sk_uid is the user that created them. For kernel
sockets created at network namespace creation time, such as the
per-processor ICMP and TCP sockets, this is the user that created
the network namespace.
[Backport of net-next 86741ec25462e4c8cdce6df2f41ead05568c7d5e]
Bug: 16355602
Change-Id: I73e1a57dfeedf672f4c2dfc9ce6867838b55974b
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This implements SOCK_DESTROY for UDP sockets similar to what was done
for TCP with commit c1e64e298b8ca ("net: diag: Support destroying TCP
sockets.") A process with a UDP socket targeted for destroy is awakened
and recvmsg fails with ECONNABORTED.
[backport of net-next 5d77dca82839ef016a93ad7acd7058b14d967752]
Change-Id: I84e71e774c859002f98dcdb5e0ca01f35227a44c
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
(cherry picked from commit bb1fceca22492109be12640d49f5ea5a544c6bb4)
When tcp_sendmsg() allocates a fresh and empty skb, it puts it at the
tail of the write queue using tcp_add_write_queue_tail()
Then it attempts to copy user data into this fresh skb.
If the copy fails, we undo the work and remove the fresh skb.
Unfortunately, this undo lacks the change done to tp->highest_sack and
we can leave a dangling pointer (to a freed skb)
Later, tcp_xmit_retransmit_queue() can dereference this pointer and
access freed memory. For regular kernels where memory is not unmapped,
this might cause SACK bugs because tcp_highest_sack_seq() is buggy,
returning garbage instead of tp->snd_nxt, but with various debug
features like CONFIG_DEBUG_PAGEALLOC, this can crash the kernel.
This bug was found by Marco Grassi thanks to syzkaller.
Fixes: 6859d49475 ("[TCP]: Abstract tp->highest_sack accessing & point to next skb")
Reported-by: Marco Grassi <marco.gra@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Change-Id: I58bb02d6e4e399612e8580b9e02d11e661df82f5
Bug: 31183296
Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
An AF_UNIX datagram socket being the client in an n:1 association with
some server socket is only allowed to send messages to the server if the
receive queue of this socket contains at most sk_max_ack_backlog
datagrams. This implies that prospective writers might be forced to go
to sleep despite none of the message presently enqueued on the server
receive queue were sent by them. In order to ensure that these will be
woken up once space becomes again available, the present unix_dgram_poll
routine does a second sock_poll_wait call with the peer_wait wait queue
of the server socket as queue argument (unix_dgram_recvmsg does a wake
up on this queue after a datagram was received). This is inherently
problematic because the server socket is only guaranteed to remain alive
for as long as the client still holds a reference to it. In case the
connection is dissolved via connect or by the dead peer detection logic
in unix_dgram_sendmsg, the server socket may be freed despite "the
polling mechanism" (in particular, epoll) still has a pointer to the
corresponding peer_wait queue. There's no way to forcibly deregister a
wait queue with epoll.
Based on an idea by Jason Baron, the patch below changes the code such
that a wait_queue_t belonging to the client socket is enqueued on the
peer_wait queue of the server whenever the peer receive queue full
condition is detected by either a sendmsg or a poll. A wake up on the
peer queue is then relayed to the ordinary wait queue of the client
socket via wake function. The connection to the peer wait queue is again
dissolved if either a wake up is about to be relayed or the client
socket reconnects or a dead peer is detected or the client socket is
itself closed. This enables removing the second sock_poll_wait from
unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
that no blocked writer sleeps forever.
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Fixes: ec0d215f94 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
Reviewed-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Bug: 29119002
(cherry picked from commit 7d267278a9ece963d77eefec61630223fce08c6c)
Signed-off-by: Aarthi Thiruvengadam <athiru@google.com>
Change-Id: Ia374ee061195088f8c777940baa75cedbe897f4e
[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ]
This patch addresses multiple problems :
UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions
while socket is not locked : Other threads can change np->opt
concurrently. Dmitry posted a syzkaller
(http://github.com/google/syzkaller) program desmonstrating
use-after-free.
Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock()
and dccp_v6_request_recv_sock() also need to use RCU protection
to dereference np->opt once (before calling ipv6_dup_options())
This patch adds full RCU protection to np->opt
BUG: 28746669
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Add common api support of subsystem restart and bus
bandwidth for dual wifi. This feature redirect the cnss
export api according to the bus type SDIO/PCI.
CRs-Fixed: 986275
Change-Id: Iaf13d6c6d68ef62b7e4f6581899ec8325c5e9696
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Subsystem device add support for subsystem restart
recovery and ramdump device for cnss firmware dump
collection before the subsystem restart.
Refactor subsystem restart wrapper APIs to avoid the name
space collision in cnss platform driver compilation in dual
WiFi mode.
CRs-Fixed: 983677
Change-Id: Ib4a8d1a6d0ce8f1faa43ce0aa8312823b1ca3c15
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
PM QoS adds support to improve the wlan throughput.
The cnss platform driver export PM QoS API to wlan
host driver.
Refactor PM QoS wrapper APIs to avoid the name space
collision in cnss platform driver compilation in dual WiFi
mode.
CRs-Fixed: 983653
Change-Id: Id7a486f2f111476e73d5707eba36611a3530e9cf
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
WLAN Functional Drivers Queries cnss platform driver to get the
MAC Address. If the OEM doesn't provide the valid MAC address, the
WLAN Driver fallbacks to use other approaches to get MAC address.
This works under CONFIG_CNSS_MAC feature flag, which will be enabled
only on the OEM platforms. For internal platforms, CNSS driver doesn't
hold any valid mac addresses.
CRs-Fixed: 985585
Change-Id: I1e8a030a32a640cec84cadd6b36b37938d5fe6be
Signed-off-by: Komal Kumar <kseelam@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Make PM QoS request API generic to pass the type of latency
requirement needed by the client instead of hard coding
latency type. Add latency type as a function parameter.
CRs-Fixed: 972761
Change-Id: Ic912148d2068fe8a758b6a4b3be570ccf870f03a
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Add changes to expose dump stack functionality which can be used
by driver to dump stack information when it requires.
CRs-Fixed: 979886
Change-Id: Ib929ad0a510b996ac54d17afd2957ea487c62851
Signed-off-by: Abhishek Singh <absingh@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Define macro to indicate backport support for bssid hint connect
parameter which can be used by driver if the kernel version is
less than 3.15.
Change-Id: Ic8d2f29ca1287df8dedb7927cd444242c6ca1c27
CRs-Fixed: 919601
Signed-off-by: Edhar, Mahesh Kumar <MAHESH@codeaurora.org>
Signed-off-by: Komal Seelam <kseelam@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
commit 415e3d3e90ce9e18727e8843ae343eda5a58fad6 upstream.
The commit referenced in the Fixes tag incorrectly accounted the number
of in-flight fds over a unix domain socket to the original opener
of the file-descriptor. This allows another process to arbitrary
deplete the original file-openers resource limit for the maximum of
open files. Instead the sending processes and its struct cred should
be credited.
To do so, we add a reference counted struct user_struct pointer to the
scm_fp_list and use it to account for the number of inflight unix fds.
Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
Reported-by: David Herrmann <dh.herrmann@gmail.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Separate the WLAN CNSS platform driver according to
the bus interface PCIe and SDIO. Add separate Kernel
Config file for the WLAN CNSS platform Driver and its
necessary module which has support for the CNSS
connectivity Subsystem.
Add Kernel Config flag to refactoring the CNSS platform Driver:
CONFIG_CNSS Kernel Config add support to CNSS Core
driver compilation and export Generic GPL wrappers.
CONFIG_CNSS_SDIO Kernel Config add support to CNSS
Platform Driver compilation for SDIO based WiFi Devices
and export platform driver API's based on the SDIO bus.
CONFIG_CNSS_PCI Kernel Config add support to CNSS
Platform Driver compilation for PCIe based WiFi Devices
and export platform driver API's based on the PCIe bus.
CRs-fixed: 939171
Change-Id: I8cce5bbc87e6742179a7967ccba295f55c444b28
Signed-off-by: Kai Liu <kaliu@codeaurora.org>
Signed-off-by: Sarada Prasanna Garnayak <sgarna@codeaurora.org>
Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Since there are frequency bands (e.g. 5.9GHz) allowing channels
with only 10 or 5 MHz bandwidth, this patch adds attributes that
allow keeping track about this information.
When channel attributes are reported to user-space, make sure to
not break old tools, i.e. if the 'split wiphy dump' is enabled,
report the extra attributes (if present) describing the bandwidth
restrictions. If the 'split wiphy dump' is not enabled,
completely omit those channels that have flags set to either
IEEE80211_CHAN_NO_10MHZ or IEEE80211_CHAN_NO_20MHZ.
Add the check for new bandwidth restriction flags in
cfg80211_chandef_usable() to comply with the restrictions.
Signed-off-by: Rostislav Lisovy <rostislav.lisovy@fel.cvut.cz>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Git-commit: ea077c1cea36a6b5ded1256dcd56c72ff2a22c62
Git-repo: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
Change-Id: I8610e5a7594099a99a28b699c42c40a2a62ab397
CRs-Fixed: 754373
Signed-off-by: Samuel Ahn <sahn@codeaurora.org>
Signed-off-by: Sunil Dutt <usdutt@codeaurora.org>
Signed-off-by: Amarnath Hullur Subramanyam <amarnath@codeaurora.org>
Signed-off-by: Srinivas Girigowda <sgirigow@codeaurora.org>
Eric Dumazet