18 Commits
Author | SHA1 | Message | Date |
---|---|---|---|
![]() |
8ca93b4c05 |
This is the 3.10.106 stable release
Merge 3.10.106 into android-msm-bullhead-3.10-oreo-m5 Changes in 3.10.106: (252 commits) packet: fix race condition in packet_set_ring crypto: crypto_memneq - add equality testing of memory regions w/o timing leaks EVM: Use crypto_memneq() for digest comparisons libceph: don't set weight to IN when OSD is destroyed KVM: x86: fix emulation of "MOV SS, null 
selector" KVM: x86: Introduce segmented_write_std posix_acl: Clear SGID bit when setting file permissions tmpfs: clear S_ISGID when setting posix ACLs fbdev: color map copying bounds checking selinux: fix off-by-one in setprocattr tcp: avoid infinite loop in tcp_splice_read() xfrm_user: validate XFRM_MSG_NEWAE XFRMA_REPLAY_ESN_VAL replay_window xfrm_user: validate XFRM_MSG_NEWAE incoming ESN size harder KEYS: Disallow keyrings beginning with '.' to be joined as session keyrings KEYS: Change the name of the dead type to ".dead" to prevent user access KEYS: fix keyctl_set_reqkey_keyring() to not leak thread keyrings ext4: fix data exposure after a crash locking/rtmutex: Prevent dequeue vs. unlock race m68k: Fix ndelay() macro hotplug: Make register and unregister notifier API symmetric Btrfs: fix tree search logic when replaying directory entry deletes USB: serial: kl5kusb105: fix open error path block_dev: don't test bdev->bd_contains when it is not stable crypto: caam - fix AEAD givenc descriptors ext4: fix mballoc breakage with 64k block size ext4: fix stack memory corruption with 64k block size ext4: reject inodes with negative size ext4: return -ENOMEM instead of success f2fs: set ->owner for debugfs status file's file_operations block: protect iterate_bdevs() against concurrent close scsi: zfcp: fix use-after-"free" in FC ingress path after TMF scsi: zfcp: do not trace pure benign residual HBA responses at default level scsi: zfcp: fix rport unblock race with LUN recovery ftrace/x86_32: Set ftrace_stub to weak to prevent gcc from using short jumps to it IB/mad: Fix an array index check IB/multicast: Check ib_find_pkey() return value powerpc: Convert cmp to cmpd in idle enter sequence usb: gadget: composite: Test get_alt() presence instead of set_alt() USB: serial: omninet: fix NULL-derefs at open and disconnect USB: serial: quatech2: fix sleep-while-atomic in close USB: serial: pl2303: fix NULL-deref at open USB: serial: keyspan_pda: verify endpoints at probe 
USB: serial: spcp8x5: fix NULL-deref at open USB: serial: io_ti: fix NULL-deref at open USB: serial: io_ti: fix another NULL-deref at open USB: serial: iuu_phoenix: fix NULL-deref at open USB: serial: garmin_gps: fix memory leak on failed URB submit USB: serial: ti_usb_3410_5052: fix NULL-deref at open USB: serial: io_edgeport: fix NULL-deref at open USB: serial: oti6858: fix NULL-deref at open USB: serial: cyberjack: fix NULL-deref at open USB: serial: kobil_sct: fix NULL-deref in write USB: serial: mos7840: fix NULL-deref at open USB: serial: mos7720: fix NULL-deref at open USB: serial: mos7720: fix use-after-free on probe errors USB: serial: mos7720: fix parport use-after-free on probe errors USB: serial: mos7720: fix parallel probe usb: xhci-mem: use passed in GFP flags instead of GFP_KERNEL usb: musb: Fix trying to free already-free IRQ 4 ALSA: usb-audio: Fix bogus error return in snd_usb_create_stream() USB: serial: kl5kusb105: abort on open exception path staging: iio: ad7606: fix improper setting of oversampling pins usb: dwc3: gadget: always unmap EP0 requests cris: Only build flash rescue image if CONFIG_ETRAX_AXISFLASHMAP is selected hwmon: (ds620) Fix overflows seen when writing temperature limits clk: clk-wm831x: fix a logic error iommu/amd: Fix the left value check of cmd buffer scsi: mvsas: fix command_active typo target/iscsi: Fix double free in lio_target_tiqn_addtpg() mmc: mmc_test: Uninitialized return value powerpc/pci/rpadlpar: Fix device reference leaks ser_gigaset: return -ENOMEM on error instead of success net, sched: fix soft lockup in tc_classify net: stmmac: Fix race between stmmac_drv_probe and stmmac_open gro: Enter slow-path if there is no tailroom gro: use min_t() in skb_gro_reset_offset() gro: Disable frag0 optimization on IPv6 ext headers powerpc: Fix build warning on 32-bit PPC Input: i8042 - add Pegatron touchpad to noloop table mm/hugetlb.c: fix reservation race when freeing surplus pages USB: serial: kl5kusb105: fix line-state 
error handling USB: serial: ch341: fix initial modem-control state USB: serial: ch341: fix open error handling USB: serial: ch341: fix control-message error handling USB: serial: ch341: fix open and resume after B0 USB: serial: ch341: fix resume after reset USB: serial: ch341: fix modem-control and B0 handling x86/cpu: Fix bootup crashes by sanitizing the argument of the 'clearcpuid=' command-line option NFSv4.1: nfs4_fl_prepare_ds must be careful about reporting success. powerpc/ibmebus: Fix further device reference leaks powerpc/ibmebus: Fix device reference leaks in sysfs interface IB/mlx4: Set traffic class in AH IB/mlx4: Fix port query for 56Gb Ethernet links perf scripting: Avoid leaking the scripting_context variable ARM: dts: imx31: fix clock control module interrupts description svcrpc: don't leak contexts on PROC_DESTROY mmc: mxs-mmc: Fix additional cycles after transmission stop mtd: nand: xway: disable module support ubifs: Fix journal replay wrt. xattr nodes arm64/ptrace: Preserve previous registers for short regset write arm64/ptrace: Avoid uninitialised struct padding in fpr_set() arm64/ptrace: Reject attempts to set incomplete hardware breakpoint fields ARM: ux500: fix prcmu_is_cpu_in_wfi() calculation ite-cir: initialize use_demodulator before using it fuse: do not use iocb after it may have been freed crypto: caam - fix non-hmac hashes drm/i915: Don't leak edid in intel_crt_detect_ddc() s5k4ecgx: select CRC32 helper platform/x86: intel_mid_powerbtn: Set IRQ_ONESHOT net: fix harmonize_features() vs NETIF_F_HIGHDMA tcp: initialize max window for a new fastopen socket svcrpc: fix oops in absence of krb5 module ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write mac80211: Fix adding of mesh vendor IEs scsi: zfcp: fix use-after-free by not tracing WKA port open/close on failed send drm/i915: fix use-after-free in page_flip_completed() net: use a work queue to defer net_disable_timestamp() work ipv4: keep skb->dst around in 
presence of IP options netlabel: out of bound access in cipso_v4_validate() ip6_gre: fix ip6gre_err() invalid reads ping: fix a null pointer dereference l2tp: do not use udp_ioctl() packet: fix races in fanout_add() packet: Do not call fanout_release from atomic contexts net: socket: fix recvmmsg not returning error from sock_error USB: serial: mos7840: fix another NULL-deref at open USB: serial: ftdi_sio: fix modem-status error handling USB: serial: ftdi_sio: fix extreme low-latency setting USB: serial: ftdi_sio: fix line-status over-reporting USB: serial: spcp8x5: fix modem-status handling USB: serial: opticon: fix CTS retrieval at open USB: serial: ark3116: fix register-accessor error handling x86/platform/goldfish: Prevent unconditional loading goldfish: Sanitize the broken interrupt handler ocfs2: do not write error flag to user structure we cannot copy from/to mfd: pm8921: Potential NULL dereference in pm8921_remove() drm/nv50/disp: min/max are reversed in nv50_crtc_gamma_set() net: 6lowpan: fix lowpan_header_create non-compression memcpy call vti4: Don't count header length twice. 
net/sched: em_meta: Fix 'meta vlan' to correctly recognize zero VID frames MIPS: OCTEON: Fix copy_from_user fault handling for large buffers MIPS: Clear ISA bit correctly in get_frame_info() MIPS: Prevent unaligned accesses during stack unwinding MIPS: Fix get_frame_info() handling of microMIPS function size MIPS: Fix is_jump_ins() handling of 16b microMIPS instructions MIPS: Calculate microMIPS ra properly when unwinding the stack MIPS: Handle microMIPS jumps in the same way as MIPS32/MIPS64 jumps uvcvideo: Fix a wrong macro scsi: aacraid: Reorder Adapter status check ath9k: use correct OTP register offsets for the AR9340 and AR9550 fuse: add missing FR_FORCE RDMA/core: Fix incorrect structure packing for booleans NFSv4: fix getacl head length estimation s390/qdio: clear DSCI prior to scanning multiple input queues IB/ipoib: Fix deadlock between rmmod and set_mode ktest: Fix child exit code processing nlm: Ensure callback code also checks that the files match dm: flush queued bios when process blocks to avoid deadlock USB: serial: digi_acceleport: fix OOB data sanity check USB: serial: digi_acceleport: fix OOB-event processing MIPS: ip27: Disable qlge driver in defconfig tracing: Add #undef to fix compile error USB: serial: safe_serial: fix information leak in completion handler USB: serial: omninet: fix reference leaks at open USB: iowarrior: fix NULL-deref at probe USB: iowarrior: fix NULL-deref in write USB: serial: io_ti: fix NULL-deref in interrupt callback USB: serial: io_ti: fix information leak in completion handler vxlan: correctly validate VXLAN ID against VXLAN_N_VID ipv4: mask tos for input route locking/static_keys: Add static_key_{en,dis}able() helpers net: net_enable_timestamp() can be called from irq contexts dccp/tcp: fix routing redirect race net sched actions: decrement module reference count after table flush. 
perf/core: Fix event inheritance on fork() isdn/gigaset: fix NULL-deref at probe xen: do not re-use pirq number cached in pci device msi msg data net: properly release sk_frag.page net: unix: properly re-increment inflight counter of GC discarded candidates Input: ims-pcu - validate number of endpoints before using them Input: hanwang - validate number of endpoints before using them Input: yealink - validate number of endpoints before using them Input: cm109 - validate number of endpoints before using them USB: uss720: fix NULL-deref at probe USB: idmouse: fix NULL-deref at probe USB: wusbcore: fix NULL-deref at probe uwb: i1480-dfu: fix NULL-deref at probe uwb: hwa-rc: fix NULL-deref at probe mmc: ushc: fix NULL-deref at probe ext4: mark inode dirty after converting inline directory scsi: libsas: fix ata xfer length ALSA: ctxfi: Fallback DMA mask to 32bit ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call ACPI / PNP: Avoid conflicting resource reservations ACPI / resources: free memory on error in add_region_before() ACPI / PNP: Reserve ACPI resources at the fs_initcall_sync stage USB: OHCI: Fix race between ED unlink and URB submission i2c: at91: manage unexpected RXRDY flag when starting a transfer ipv4: igmp: Allow removing groups from a removed interface ptrace: fix PTRACE_LISTEN race corrupting task->state ring-buffer: Fix return value check in test_ringbuffer() metag/usercopy: Fix alignment error checking metag/usercopy: Add early abort to copy_to_user metag/usercopy: Set flags before ADDZ metag/usercopy: Fix src fixup in from user rapf loops metag/usercopy: Add missing fixups s390/decompressor: fix initrd corruption caused by bss clear net/mlx4_en: Fix bad WQE issue net/mlx4_core: Fix racy CQ (Completion Queue) free char: Drop bogus dependency of DEVPORT on !M68K powerpc: Disable HFSCR[TM] if TM is not supported pegasus: Use heap buffers for all register access rtl8150: Use heap buffers for all register access tracing: Allocate the snapshot buffer 
before enabling probe ring-buffer: Have ring_buffer_iter_empty() return true when empty netfilter: arp_tables: fix invoking 32bit "iptable -P INPUT ACCEPT" failed in 64bit kernel net: phy: handle state correctly in phy_stop_machine l2tp: take reference on sessions being dumped MIPS: KGDB: Use kernel context for sleeping threads ARM: dts: imx31: move CCM device node to AIPS2 bus devices ARM: dts: imx31: fix AVIC base address tun: Fix TUN_PKT_STRIP setting Staging: vt6655-6: potential NULL dereference in hostap_disable_hostapd() net: sctp: rework multihoming retransmission path selection to rfc4960 perf trace: Use the syscall raw_syscalls:sys_enter timestamp USB: usbtmc: add missing endpoint sanity check ping: implement proper locking USB: fix problems with duplicate endpoint addresses USB: dummy-hcd: fix bug in stop_activity (handle ep0) mm/init: fix zone boundary creation can: Fix kernel panic at security_sock_rcv_skb Drivers: hv: avoid vfree() on crash xc2028: avoid use after free xc2028: unlock on error in xc2028_set_config() xc2028: Fix use-after-free bug properly ipv6: fix ip6_tnl_parse_tlv_enc_lim() ipv6: pointer math error in ip6_tnl_parse_tlv_enc_lim() ipv6: fix the use of pcpu_tstats in ip6_tunnel sctp: avoid BUG_ON on sctp_wait_for_sndbuf sctp: deny peeloff operation on asocs with threads sleeping on it KVM: x86: clear bus pointer when destroyed kvm: exclude ioeventfd from counting kvm_io_range limit KVM: kvm_io_bus_unregister_dev() should never fail TTY: n_hdlc, fix lockdep false positive tty: n_hdlc: get rid of racy n_hdlc.tbuf ipv6: handle -EFAULT from skb_copy_bits fs: exec: apply CLOEXEC before changing dumpable task flags mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp dccp/tcp: do not inherit mc_list from parent char: lp: fix possible integer overflow in lp_setup() dccp: fix freeing skb too early for IPV6_RECVPKTINFO Linux 3.10.106 Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Conflicts: drivers/mfd/pm8921-core.c 
include/linux/cpu.h kernel/cpu.c net/ipv4/inet_connection_sock.c net/ipv4/ping.c |
|
![]() |
459f05e480 |
This is the 3.10.102 stable release
Merge 3.10.102 into android-msm-bullhead-3.10-oreo-m5 Changes in 3.10.102: (144 commits) pipe: Fix buffer offset after partially failed read x86/iopl/64: Properly context-switch IOPL on Xen PV ext4: fix NULL pointer dereference in ext4_mark_inode_dirty() compiler-gcc: integrate the various compiler-gcc[345].h files x86: LLVMLinux: Fix 
"incomplete type const struct x86cpu_device_id" KVM: i8254: change PIT discard tick policy KVM: fix spin_lock_init order on x86 EDAC, amd64_edac: Shift wrapping issue in f1x_get_norm_dct_addr() PCI: Disable IO/MEM decoding for devices with non-compliant BARs linux/const.h: Add _BITUL() and _BITULL() x86: Rename X86_CR4_RDWRGSFS to X86_CR4_FSGSBASE x86, processor-flags: Fix the datatypes and add bit number defines x86/iopl: Fix iopl capability check on Xen PV sg: fix dxferp in from_to case aacraid: Fix memory leak in aac_fib_map_free be2iscsi: set the boot_kset pointer to NULL in case of failure usb: retry reset if a device times out USB: cdc-acm: more sanity checking USB: iowarrior: fix oops with malicious USB descriptors USB: usb_driver_claim_interface: add sanity checking USB: mct_u232: add sanity checking in probe USB: digi_acceleport: do sanity checking for the number of ports USB: cypress_m8: add endpoint sanity check USB: serial: cp210x: Adding GE Healthcare Device ID USB: option: add "D-Link DWM-221 B1" device id pwc: Add USB id for Philips Spc880nc webcam Input: powermate - fix oops with malicious USB descriptors net: irda: Fix use-after-free in irtty_open() 8250: use callbacks to access UART_DLL/UART_DLM bttv: Width must be a multiple of 16 when capturing planar formats media: v4l2-compat-ioctl32: fix missing length copy in put_v4l2_buffer32 ALSA: intel8x0: Add clock quirk entry for AD1981B on IBM ThinkPad X41. 
jbd2: fix FS corruption possibility in jbd2_journal_destroy() on umount path bcache: fix cache_set_flush() NULL pointer dereference on OOM watchdog: rc32434_wdt: fix ioctl error handling splice: handle zero nr_pages in splice_to_pipe() xtensa: ISS: don't hang if stdin EOF is reached xtensa: clear all DBREAKC registers on start md/raid5: Compare apples to apples (or sectors to sectors) rapidio/rionet: fix deadlock on SMP ipr: Fix out-of-bounds null overwrite ipr: Fix regression when loading firmware drm/radeon: Don't drop DP 2.7 Ghz link setup on some cards. tracing: Have preempt(irqs)off trace preempt disabled functions tracing: Fix crash from reading trace_pipe with sendfile tracing: Fix trace_printk() to print when not using bprintk() scripts/coccinelle: modernize & Input: ims-pcu - sanity check against missing interfaces Input: ati_remote2 - fix crashes on detecting device with invalid descriptor ocfs2/dlm: fix race between convert and recovery ocfs2/dlm: fix BUG in dlm_move_lockres_to_recovery_list mtd: onenand: fix deadlock in onenand_block_markbad sched/cputime: Fix steal time accounting vs. CPU hotplug perf/x86/intel: Fix PEBS data source interpretation on Nehalem/Westmere hwmon: (max1111) Return -ENODEV from max1111_read_channel if not instantiated parisc: Avoid function pointers for kernel exception routines parisc: Fix kernel crash with reversed copy_from_user() ALSA: timer: Use mod_timer() for rearming the system timer net: jme: fix suspend/resume on JMC260 sctp: lack the check for ports in sctp_v6_cmp_addr ipv6: re-enable fragment header matching in ipv6_find_hdr cdc_ncm: toggle altsetting to force reset before setup usbnet: cleanup after bind() in probe() udp6: fix UDP/IPv6 encap resubmit path sh_eth: fix NULL pointer dereference in sh_eth_ring_format() net: Fix use after free in the recvmmsg exit path farsync: fix off-by-one bug in fst_add_one ath9k: fix buffer overrun for ar9287 qlge: Fix receive packets drop. 
ppp: take reference on channels netns qmi_wwan: add "D-Link DWM-221 B1" device id ipv4: l2tp: fix a potential issue in l2tp_ip_recv ipv6: l2tp: fix a potential issue in l2tp_ip6_recv ip6_tunnel: set rtnl_link_ops before calling register_netdevice usb: renesas_usbhs: avoid NULL pointer derefernce in usbhsf_pkt_handler() usb: renesas_usbhs: disable TX IRQ before starting TX DMAC transfer ext4: add lockdep annotations for i_data_sem HID: usbhid: fix inconsistent reset/resume/reset-resume behavior drm/radeon: hold reference to fences in radeon_sa_bo_new (3.17 and older) usbvision-video: fix memory leak of alt_max_pkt_size usbvision: fix leak of usb_dev on failure paths in usbvision_probe() usbvision: fix crash on detecting device with invalid configuration usb: xhci: fix wild pointers in xhci_mem_cleanup usb: hcd: out of bounds access in for_each_companion crypto: gcm - Fix rfc4543 decryption crash nl80211: check netlink protocol in socket release notification Input: gtco - fix crash on detecting device without endpoints i2c: cpm: Fix build break due to incompatible pointer types EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback ASoC: s3c24xx: use const snd_soc_component_driver pointer efi: Fix out-of-bounds read in variable_matches() workqueue: fix ghost PENDING flag while doing MQ IO USB: usbip: fix potential out-of-bounds write paride: make 'verbose' parameter an 'int' again fbdev: da8xx-fb: fix videomodes of lcd panels misc/bmp085: Enable building as a module rtc: vr41xx: Wire up alarm_irq_enable drivers/misc/ad525x_dpot: AD5274 fix RDAC read back errors include/linux/poison.h: fix LIST_POISON{1,2} offset Drivers: hv: vmbus: prevent cpu offlining on newer hypervisors perf stat: Document --detailed option ARM: OMAP3: Add cpuidle parameters table for omap3430 compiler-gcc: disable -ftracer for __noclone functions ipvs: correct initial offset of Call-ID header search in SIP persistence engine nbd: ratelimit error msgs after socket close clk: 
versatile: sp810: support reentrance lpfc: fix misleading indentation ARM: SoCFPGA: Fix secondary CPU startup in thumb2 kernel proc: prevent accessing /proc/<PID>/environ until it's ready batman-adv: Fix broadcast/ogm queue limit on a removed interface MAINTAINERS: Remove asterisk from EFI directory names ACPICA: Dispatcher: Update thread ID for recursive method calls USB: serial: cp210x: add ID for Link ECU USB: serial: cp210x: add Straizona Focusers device ids Input: ads7846 - correct the value got from SPI powerpc: scan_features() updates incorrect bits for REAL_LE crypto: hash - Fix page length clamping in hash walk get_rock_ridge_filename(): handle malformed NM entries Input: max8997-haptic - fix NULL pointer dereference asmlinkage, pnp: Make variables used from assembler code visible ARM: OMAP3: Fix booting with thumb2 kernel decnet: Do not build routes to devices without decnet private data. route: do not cache fib route info on local routes with oif packet: fix heap info leak in PACKET_DIAG_MCLIST sock_diag interface atl2: Disable unimplemented scatter/gather feature net: fix infoleak in llc net: fix infoleak in rtnetlink VSOCK: do not disconnect socket when peer has shutdown SEND only net: bridge: fix old ioctl unlocked net device walk net: fix a kernel infoleak in x25 module fs/cifs: correctly to anonymous authentication via NTLMSSP ring-buffer: Use long for nr_pages to avoid overflow failures ring-buffer: Prevent overflow of size in ring_buffer_resize() mfd: omap-usb-tll: Fix scheduling while atomic BUG mmc: mmc: Fix partition switch timeout for some eMMCs mmc: longer timeout for long read time quirk Bluetooth: vhci: purge unhandled skbs USB: serial: keyspan: fix use-after-free in probe error path USB: serial: quatech2: fix use-after-free in probe error path USB: serial: io_edgeport: fix memory leaks in probe error path USB: serial: option: add support for Cinterion PH8 and AHxx tty: vt, return error when con_startup fails serial: samsung: Reorder the 
sequence of clock control when call s3c24xx_serial_set_termios() Linux 3.10.102 Signed-off-by: Nathan Chancellor <natechancellor@gmail.com> Conflicts: drivers/media/v4l2-core/v4l2-compat-ioctl32.c fs/pipe.c kernel/trace/trace_printk.c net/core/rtnetlink.c net/socket.c |
|
![]() |
3d753377d2 |
l2tp: do not use udp_ioctl()
commit 72fb96e7bdbbdd4421b0726992496531060f3636 upstream.
udp_ioctl(), as its name suggests, is used by UDP protocols,
but is also used by L2TP :(
L2TP should use its own handler, because it really does not
look the same.
SIOCINQ for instance should not assume UDP checksum or headers.
Thanks to Andrey and syzkaller team for providing the report
and a nice reproducer.
While crashes only happen on recent kernels (after commit
7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue")), this
probably needs to be backported to older kernels.
Fixes: 7c13f97ffde6 ("udp: do fwd memory scheduling on dequeue")
Fixes:
|
|
![]() |
415ccacc9e |
Merge branch 'android-msm-bullhead-3.10-nyc-mr2' into android-msm-bullhead-3.10
March 2017.1 Bug: 34128678 |
|
![]() |
caa816092d |
UPSTREAM: l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()
(cherry picked from commit 32c231164b762dddefa13af5a0101032c70b50ef)
Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
Without lock, a concurrent call could modify the socket flags between
the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
would then leave a stale pointer there, generating use-after-free
errors when walking through the list or modifying adjacent entries.
BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
Write of size 8 by task syz-executor/10987
CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
Call Trace:
[<ffffffff829f835b>] dump_stack+0xb3/0x118 lib/dump_stack.c:15
[<ffffffff8174d3cc>] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
[< inline >] print_address_description mm/kasan/report.c:194
[<ffffffff8174d666>] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
[< inline >] kasan_report mm/kasan/report.c:303
[<ffffffff8174db7e>] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
[< inline >] __write_once_size ./include/linux/compiler.h:249
[< inline >] __hlist_del ./include/linux/list.h:622
[< inline >] hlist_del_init ./include/linux/list.h:637
[<ffffffff8579047e>] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
[<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
[<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
[<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
[<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
[<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
[<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
[<ffffffff813774f9>] task_work_run+0xf9/0x170
[<ffffffff81324aae>] do_exit+0x85e/0x2a00
[<ffffffff81326dc8>] do_group_exit+0x108/0x330
[<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
[<ffffffff811b49af>] do_signal+0x7f/0x18f0
[<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
[< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
[<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
[<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 10987
[ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
[ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
[ 1116.897025] [<ffffffff8174c9ad>] kasan_kmalloc+0xad/0xe0
[ 1116.897025] [<ffffffff8174cee2>] kasan_slab_alloc+0x12/0x20
[ 1116.897025] [< inline >] slab_post_alloc_hook mm/slab.h:417
[ 1116.897025] [< inline >] slab_alloc_node mm/slub.c:2708
[ 1116.897025] [< inline >] slab_alloc mm/slub.c:2716
[ 1116.897025] [<ffffffff817476a8>] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
[ 1116.897025] [<ffffffff84c4f6a9>] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
[ 1116.897025] [<ffffffff84c58ac8>] sk_alloc+0x38/0xae0 net/core/sock.c:1388
[ 1116.897025] [<ffffffff851ddf67>] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
[ 1116.897025] [<ffffffff84c4af7b>] __sock_create+0x37b/0x640 net/socket.c:1153
[ 1116.897025] [< inline >] sock_create net/socket.c:1193
[ 1116.897025] [< inline >] SYSC_socket net/socket.c:1223
[ 1116.897025] [<ffffffff84c4b46f>] SyS_socket+0xef/0x1b0 net/socket.c:1203
[ 1116.897025] [<ffffffff85e4d685>] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10987
[ 1116.897025] [<ffffffff811ddcb6>] save_stack_trace+0x16/0x20
[ 1116.897025] [<ffffffff8174c736>] save_stack+0x46/0xd0
[ 1116.897025] [<ffffffff8174cf61>] kasan_slab_free+0x71/0xb0
[ 1116.897025] [< inline >] slab_free_hook mm/slub.c:1352
[ 1116.897025] [< inline >] slab_free_freelist_hook mm/slub.c:1374
[ 1116.897025] [< inline >] slab_free mm/slub.c:2951
[ 1116.897025] [<ffffffff81748b28>] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
[ 1116.897025] [< inline >] sk_prot_free net/core/sock.c:1369
[ 1116.897025] [<ffffffff84c541eb>] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
[ 1116.897025] [<ffffffff84c5aca4>] sk_destruct+0x44/0x80 net/core/sock.c:1452
[ 1116.897025] [<ffffffff84c5ad33>] __sk_free+0x53/0x220 net/core/sock.c:1460
[ 1116.897025] [<ffffffff84c5af23>] sk_free+0x23/0x30 net/core/sock.c:1471
[ 1116.897025] [<ffffffff84c5cb6c>] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
[ 1116.897025] [<ffffffff8579044e>] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
[ 1116.897025] [<ffffffff850b2dfd>] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
[ 1116.897025] [<ffffffff851dc5a0>] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
[ 1116.897025] [<ffffffff84c4581d>] sock_release+0x8d/0x1d0 net/socket.c:570
[ 1116.897025] [<ffffffff84c45976>] sock_close+0x16/0x20 net/socket.c:1017
[ 1116.897025] [<ffffffff817a108c>] __fput+0x28c/0x780 fs/file_table.c:208
[ 1116.897025] [<ffffffff817a1605>] ____fput+0x15/0x20 fs/file_table.c:244
[ 1116.897025] [<ffffffff813774f9>] task_work_run+0xf9/0x170
[ 1116.897025] [<ffffffff81324aae>] do_exit+0x85e/0x2a00
[ 1116.897025] [<ffffffff81326dc8>] do_group_exit+0x108/0x330
[ 1116.897025] [<ffffffff81348cf7>] get_signal+0x617/0x17a0 kernel/signal.c:2307
[ 1116.897025] [<ffffffff811b49af>] do_signal+0x7f/0x18f0
[ 1116.897025] [<ffffffff810039bf>] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
[ 1116.897025] [< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
[ 1116.897025] [<ffffffff81006060>] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
[ 1116.897025] [<ffffffff85e4d726>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
>ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
^
ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.
Bug: 33753815
Change-Id: I3313e481d3cdc4bc2c5f898f5ef933dbaf85374b
Fixes:
|
|
![]() |
807911df1c |
net: inet: Support UID-based routing in IP protocols.
- Use the UID in routing lookups made by protocol connect() and sendmsg() functions. - Make sure that routing lookups triggered by incoming packets (e.g., Path MTU discovery) take the UID of the socket into account. - For packets not associated with a userspace socket, (e.g., ping replies) use UID 0 inside the user namespace corresponding to the network namespace the socket belongs to. This allows all namespaces to apply routing and iptables rules to kernel-originated traffic in that namespace by matching UID 0. This is better than using the UID of the kernel socket that is sending the traffic, because the UID of kernel sockets created at namespace creation time (e.g., the per-processor ICMP and TCP sockets) is the UID of the user that created the socket, which might not be mapped in the namespace. [Backport of net-next e2d118a1cb5e60d077131a09db1d81b90a5295fe] Bug: 16355602 Change-Id: I126f8359887b5b5bbac68daf0ded89e899cb7cb0 Tested: compiles allnoconfig, allyesconfig, allmodconfig Tested: https://android-review.googlesource.com/253302 Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
|
![]() |
07bd7f369c |
ipv6: add complete rcu protection around np->opt
[ Upstream commit 45f6fad84cc305103b28d73482b344d7f5b76f39 ] This patch addresses multiple problems: UDP/RAW sendmsg() need to get a stable struct ipv6_txoptions while socket is not locked: Other threads can change np->opt concurrently. Dmitry posted a syzkaller (http://github.com/google/syzkaller) program demonstrating use-after-free. Starting with TCP/DCCP lockless listeners, tcp_v6_syn_recv_sock() and dccp_v6_request_recv_sock() also need to use RCU protection to dereference np->opt once (before calling ipv6_dup_options()). This patch adds full RCU protection to np->opt. BUG: 28746669 Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Jiri Slaby <jslaby@suse.cz> |
|
![]() |
0ad91c67ea |
ipv6: l2tp: fix a potential issue in l2tp_ip6_recv
commit be447f305494e019dfc37ea4cdf3b0e4200b4eba upstream. pskb_may_pull() can change skb->data, so we have to load ptr/optr at the right place. Signed-off-by: Haishuang Yan <yanhaishuang@cmss.chinamobile.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu> |
|
![]() |
08c62a109e |
inet: fix addr_len/msg->msg_namelen assignment in recv_error and rxpmtu functions
[ Upstream commit 85fbaa75037d0b6b786ff18658ddf0b4014ce2a4 ] Commit bceaa90240b6019ed73b49965eac7d167610be69 ("inet: prevent leakage of uninitialized memory to user in recv syscalls") conditionally updated addr_len if the msg_name is written to. The recv_error and rxpmtu functions relied on the recvmsg functions to set up addr_len before. As this does not happen any more we have to pass addr_len to those functions as well and set it to the size of the corresponding sockaddr length. This broke traceroute and such. Fixes: bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls") Reported-by: Brad Spengler <spender@grsecurity.net> Reported-by: Tom Labanowski Cc: mpb <mpb.mail@gmail.com> Cc: David S. Miller <davem@davemloft.net> Cc: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
|
![]() |
b860d3cc62 |
l2tp: fix info leak in l2tp_ip6_recvmsg()
The L2TP code for IPv6 fails to initialize the l2tp_conn_id member of struct sockaddr_l2tpip6 and therefore leaks four bytes kernel stack in l2tp_ip6_recvmsg() in case msg_name is set. Initialize l2tp_conn_id with 0 to avoid the info leak. Signed-off-by: Mathias Krause <minipli@googlemail.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
|
![]() |
936063175a |
l2tp: close sessions in ip socket destroy callback
l2tp_core hooks UDP's .destroy handler to gain advance warning of a tunnel socket being closed from userspace. We need to do the same thing for IP-encapsulation sockets. Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
|
![]() |
b67bfe0d42 |
hlist: drop the node parameter from iterators
I'm not sure why, but the hlist for each entry iterators were conceived list_for_each_entry(pos, head, member) The hlist ones were greedy and wanted an extra parameter: hlist_for_each_entry(tpos, pos, head, member) Why did they need an extra pos parameter? I'm not quite sure. Not only they don't really need it, it also prevents the iterator from looking exactly like the list iterator, which is unfortunate. Besides the semantic patch, there was some manual work required: - Fix up the actual hlist iterators in linux/list.h - Fix up the declaration of other iterators based on the hlist ones. - A very small amount of places were using the 'node' parameter, this was modified to use 'obj->member' instead. - Coccinelle didn't handle the hlist_for_each_entry_safe iterator properly, so those had to be fixed up manually. The semantic patch which is mostly the work of Peter Senna Tschudin is here: @@ iterator name hlist_for_each_entry, hlist_for_each_entry_continue, hlist_for_each_entry_from, hlist_for_each_entry_rcu, hlist_for_each_entry_rcu_bh, hlist_for_each_entry_continue_rcu_bh, for_each_busy_worker, ax25_uid_for_each, ax25_for_each, inet_bind_bucket_for_each, sctp_for_each_hentry, sk_for_each, sk_for_each_rcu, sk_for_each_from, sk_for_each_safe, sk_for_each_bound, hlist_for_each_entry_safe, hlist_for_each_entry_continue_rcu, nr_neigh_for_each, nr_neigh_for_each_safe, nr_node_for_each, nr_node_for_each_safe, for_each_gfn_indirect_valid_sp, for_each_gfn_sp, for_each_host; type T; expression a,c,d,e; identifier b; statement S; @@ -T b; <+... 
when != b ( hlist_for_each_entry(a, - b, c, d) S | hlist_for_each_entry_continue(a, - b, c) S | hlist_for_each_entry_from(a, - b, c) S | hlist_for_each_entry_rcu(a, - b, c, d) S | hlist_for_each_entry_rcu_bh(a, - b, c, d) S | hlist_for_each_entry_continue_rcu_bh(a, - b, c) S | for_each_busy_worker(a, c, - b, d) S | ax25_uid_for_each(a, - b, c) S | ax25_for_each(a, - b, c) S | inet_bind_bucket_for_each(a, - b, c) S | sctp_for_each_hentry(a, - b, c) S | sk_for_each(a, - b, c) S | sk_for_each_rcu(a, - b, c) S | sk_for_each_from -(a, b) +(a) S + sk_for_each_from(a) S | sk_for_each_safe(a, - b, c, d) S | sk_for_each_bound(a, - b, c) S | hlist_for_each_entry_safe(a, - b, c, d, e) S | hlist_for_each_entry_continue_rcu(a, - b, c) S | nr_neigh_for_each(a, - b, c) S | nr_neigh_for_each_safe(a, - b, c, d) S | nr_node_for_each(a, - b, c) S | nr_node_for_each_safe(a, - b, c, d) S | - for_each_gfn_sp(a, c, d, b) S + for_each_gfn_sp(a, c, d) S | - for_each_gfn_indirect_valid_sp(a, c, d, b) S + for_each_gfn_indirect_valid_sp(a, c, d) S | for_each_host(a, - b, c) S | for_each_host_safe(a, - b, c, d) S | for_each_mesh_entry(a, - b, c, d) S ) ...+> [akpm@linux-foundation.org: drop bogus change from net/ipv4/raw.c] [akpm@linux-foundation.org: drop bogus hunk from net/ipv6/raw.c] [akpm@linux-foundation.org: checkpatch fixes] [akpm@linux-foundation.org: fix warnings] [akpm@linux-foudnation.org: redo intrusive kvm changes] Tested-by: Peter Senna Tschudin <peter.senna@gmail.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Cc: Wu Fengguang <fengguang.wu@intel.com> Cc: Marcelo Tosatti <mtosatti@redhat.com> Cc: Gleb Natapov <gleb@redhat.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> |
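Review bot: The rule body has branches for for_each_host_safe(a, - b, c, d) and for_each_mesh_entry(a, - b, c, d), but the iterator name declaration at the top of the semantic patch ends at for_each_host and names neither of them. Add both to the declaration list so that the script, as recorded in this commit message, declares every iterator it rewrites.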
|
![]() |
700163db3d |
l2tp: correctly handle ancillary data in the ip6 recv path
l2tp_ip6 is incorrectly using the IPv4-specific ip_cmsg_recv to handle ancillary data. This means that socket options such as IPV6_RECVPKTINFO are not honoured in userspace. Convert l2tp_ip6 to use the IPv6-specific handler. Ref: net/ipv6/udp.c Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: Chris Elston <celston@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
|
![]() |
73df66f8b1 |
ipv6: rename datagram_send_ctl and datagram_recv_ctl
The datagram_*_ctl functions in net/ipv6/datagram.c are IPv6-specific. Since datagram_send_ctl is publicly exported it should be appropriately named to reflect the fact that it's for IPv6 only. Signed-off-by: Tom Parkin <tparkin@katalix.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
|
![]() |
04d4fbca10 |
l2tp: fix info leak via getsockname()
The L2TP code for IPv6 fails to initialize the l2tp_unused member of struct sockaddr_l2tpip6 and therefore leaks two bytes kernel stack via the getsockname() syscall. Initialize l2tp_unused with 0 to avoid the info leak. Signed-off-by: Mathias Krause <minipli@googlemail.com> Cc: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
|
![]() |
c51ce49735 |
l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case
An application may call connect() to disconnect a socket using an address with family AF_UNSPEC. The L2TP IP sockets were not handling this case when the socket is not bound and an attempt to connect() using AF_UNSPEC in such cases would result in an oops. This patch addresses the problem by protecting the sk_prot->disconnect() call against trying to unhash the socket before it is bound. The L2TP IPv4 and IPv6 sockets have the same problem. Both are fixed by this patch. The patch also adds more checks that the sockaddr supplied to bind() and connect() calls is valid. RIP: 0010:[<ffffffff82e133b0>] [<ffffffff82e133b0>] inet_unhash+0x50/0xd0 RSP: 0018:ffff88001989be28 EFLAGS: 00010293 Stack: ffff8800407a8000 0000000000000000 ffff88001989be78 ffffffff82e3a249 ffffffff82e3a050 ffff88001989bec8 ffff88001989be88 ffff8800407a8000 0000000000000010 ffff88001989bec8 ffff88001989bea8 ffffffff82e42639 Call Trace: [<ffffffff82e3a249>] udp_disconnect+0x1f9/0x290 [<ffffffff82e42639>] inet_dgram_connect+0x29/0x80 [<ffffffff82d012fc>] sys_connect+0x9c/0x100 Reported-by: Sasha Levin <levinsasha928@gmail.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
|
![]() |
a4ca44fa57 |
net: l2tp: Standardize logging styles
Use more current logging styles. Add pr_fmt to prefix output appropriately. Convert printks to pr_<level>. Convert PRINTK macros to new l2tp_<level> macros. Neaten some <foo>_refcount debugging macros. Use print_hex_dump_bytes instead of hand-coded loops. Coalesce formats and align arguments. Some KERN_DEBUG output is not now emitted unless dynamic_debugging is enabled. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
|
![]() |
a32e0eec70 |
l2tp: introduce L2TPv3 IP encapsulation support for IPv6
L2TPv3 defines an IP encapsulation packet format where data is carried directly over IP (no UDP). The kernel already has support for L2TP IP encapsulation over IPv4 (l2tp_ip). This patch introduces support for L2TP IP encapsulation over IPv6. The implementation is derived from ipv6/raw and ipv4/l2tp_ip. Signed-off-by: Chris Elston <celston@katalix.com> Signed-off-by: James Chapman <jchapman@katalix.com> Signed-off-by: David S. Miller <davem@davemloft.net> |