Andrea Arcangeli [Tue, 25 Jul 2017 20:22:45 +0000 (22:22 +0200)]
fs/exec: fix use after free in execve
"file" can be already freed if bprm->file is NULL after
search_binary_handler() return. binfmt_script will do exactly that for
example. If the VM reuses the file after fput run(), this will result in
a use ater free.
So obtain d_is_su before search_binary_handler() runs.
This should explain this crash:
[25333.009554] Unable to handle kernel NULL pointer dereference at virtual address
00000185
[..]
[25333.009918] [2: am:21861] PC is at do_execve+0x354/0x474
Change-Id: I2a8a814d1c0aa75625be83cb30432cf13f1a0681
Signed-off-by: Kevin F. Haggerty <haggertk@lineageos.org>
Alberto97 [Tue, 23 May 2017 19:47:00 +0000 (21:47 +0200)]
fs: readdir: Fix su hide patch for non-iterate filesystems
* 3.10 doesn't normally use iterate for filesystems,
but it was backported in hopes of removing vfs_readdir()
* Because the romnt variable was only set for filesystems
using iterate, the su hide patches were broken for many
filesytems like ext4, which still use vfs_readdir()
instead of iterate_dir() like their mainline counterparts
* Remove the iterate check around setting romnt to fix this
Change-Id: I26426683df0fd199a80f053294f352e31754bec5
Tom Marshall [Fri, 19 May 2017 18:24:04 +0000 (18:24 +0000)]
kernel: Fix potential refcount leak in su check
Change-Id: I7e1ecb78bfc951bf645a1462988dcd93c4247a9b
Tom Marshall [Wed, 25 Jan 2017 17:01:03 +0000 (18:01 +0100)]
kernel: Only expose su when daemon is running
It has been claimed that the PG implementation of 'su' has security
vulnerabilities even when disabled. Unfortunately, the people that
find these vulnerabilities often like to keep them private so they
can profit from exploits while leaving users exposed to malicious
hackers.
In order to reduce the attack surface for vulnerabilites, it is
therefore necessary to make 'su' completely inaccessible when it
is not in use (except by the root and system users).
Change-Id: I79716c72f74d0b7af34ec3a8054896c6559a181d
Al Viro [Sun, 14 May 2017 09:17:29 +0000 (09:17 +0000)]
introduce ->iterate(), ctx->pos, dir_emit()
New method - ->iterate(file, ctx). That's the replacement for ->readdir();
it takes callback from ctx->actor, uses ctx->pos instead of file->f_pos and
calls dir_emit(ctx, ...) instead of filldir(data, ...). It does *not*
update file->f_pos (or look at it, for that matter); iterate_dir() does the
update.
Note that dir_emit() takes the offset from ctx->pos (and eventually
filldir_t will lose that argument).
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Al Viro [Wed, 15 May 2013 17:52:59 +0000 (13:52 -0400)]
introduce iterate_dir() and dir_context
iterate_dir(): new helper, replacing vfs_readdir().
struct dir_context: contains the readdir callback (and will get more stuff
in it), embedded into whatever data that callback wants to deal with;
eventually, we'll be passing it to ->readdir() replacement instead of
(data,filldir) pair.
Change-Id: Idb3843e77b97d52490b297b1f9e7d7efab18eaef
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Stricted [Fri, 20 Apr 2018 17:32:32 +0000 (19:32 +0200)]
security: update selinux
Jeff Vander Stoep [Fri, 10 Jul 2015 21:19:55 +0000 (17:19 -0400)]
security: add ioctl specific auditing to lsm_audit
(cherry pick from commit
671a2781ff01abf4fdc8904881fc3abd3a8279af)
Add information about ioctl calls to the LSM audit data. Log the
file path and command number.
Signed-off-by: Jeff Vander Stoep <jeffv@google.com>
Acked-by: Nick Kralevich <nnk@google.com>
[PM: subject line tweak]
Signed-off-by: Paul Moore <pmoore@redhat.com>
Bug:
22846070
Change-Id: I88a6ecdd59297a315a6fb9c82c0a798bdb6bafaa
Stricted [Wed, 18 Apr 2018 17:17:45 +0000 (19:17 +0200)]
set CONFIG_LOCALVERSION_AUTO
Stricted [Wed, 18 Apr 2018 17:16:43 +0000 (19:16 +0200)]
remove is_data_mounted crap entirely
Stricted [Wed, 18 Apr 2018 13:47:34 +0000 (15:47 +0200)]
store gtp_ref.bin and gtp_clk.bin on /cache
this is safe as the files are getting generated when they dont exist
Stricted [Wed, 18 Apr 2018 12:13:11 +0000 (14:13 +0200)]
work around silly sysfs node requirement for working touch
Stricted [Thu, 22 Mar 2018 15:44:48 +0000 (16:44 +0100)]
fix mali API_VERSION grep
Stricted [Thu, 22 Mar 2018 15:29:10 +0000 (16:29 +0100)]
fix section mismatch warnings
mttkrb [Thu, 22 Mar 2018 08:13:35 +0000 (09:13 +0100)]
Update tpd_debug.c
change include statement to prevent compiler-error because header file not found
Stricted [Tue, 20 Mar 2018 15:52:11 +0000 (16:52 +0100)]
get rid of drvgen
Stricted [Wed, 21 Mar 2018 22:40:26 +0000 (23:40 +0100)]
fix compilation after merge
Stricted [Wed, 21 Mar 2018 22:07:40 +0000 (23:07 +0100)]
Merge tag 'v3.10.108' into update
This is the 3.10.108 stable release
Stricted [Wed, 21 Mar 2018 22:07:35 +0000 (23:07 +0100)]
Merge tag 'v3.10.107' into update
This is the 3.10.107 stable release
Stricted [Wed, 21 Mar 2018 22:06:23 +0000 (23:06 +0100)]
Merge tag 'v3.10.106' into update
This is the 3.10.106 stable release
Stricted [Wed, 21 Mar 2018 22:00:38 +0000 (23:00 +0100)]
Merge tag 'v3.10.105' into update
This is the 3.10.105 stable release
Stricted [Wed, 21 Mar 2018 21:58:25 +0000 (22:58 +0100)]
Merge tag 'v3.10.104' into update
This is the 3.10.104 stable release
Stricted [Wed, 21 Mar 2018 21:58:21 +0000 (22:58 +0100)]
Merge tag 'v3.10.103' into update
This is the 3.10.103 stable release
Stricted [Wed, 21 Mar 2018 21:54:09 +0000 (22:54 +0100)]
Merge tag 'v3.10.102' into update
This is the 3.10.102 stable release
Stricted [Wed, 21 Mar 2018 21:52:41 +0000 (22:52 +0100)]
Merge tag 'v3.10.101' into update
This is the 3.10.101 stable release
Stricted [Wed, 21 Mar 2018 21:52:38 +0000 (22:52 +0100)]
Merge tag 'v3.10.100' into update
This is the 3.10.100 stable release
Stricted [Wed, 21 Mar 2018 21:51:42 +0000 (22:51 +0100)]
Merge tag 'v3.10.99' into update
This is the 3.10.99 stable release
Stricted [Wed, 21 Mar 2018 21:51:37 +0000 (22:51 +0100)]
Merge tag 'v3.10.98' into update
This is the 3.10.98 stable release
Stricted [Wed, 21 Mar 2018 21:51:04 +0000 (22:51 +0100)]
Merge tag 'v3.10.97' into update
This is the 3.10.97 stable release
Stricted [Wed, 21 Mar 2018 21:51:00 +0000 (22:51 +0100)]
Merge tag 'v3.10.96' into update
This is the 3.10.96 stable release
Stricted [Wed, 21 Mar 2018 21:50:56 +0000 (22:50 +0100)]
Merge tag 'v3.10.95' into update
This is the 3.10.95 stable release
Stricted [Wed, 21 Mar 2018 21:49:45 +0000 (22:49 +0100)]
Merge tag 'v3.10.94' into update
This is the 3.10.94 stable release
Stricted [Wed, 21 Mar 2018 21:49:39 +0000 (22:49 +0100)]
Merge tag 'v3.10.93' into update
This is the 3.10.93 stable release
Stricted [Wed, 21 Mar 2018 21:49:35 +0000 (22:49 +0100)]
Merge tag 'v3.10.92' into update
This is the 3.10.92 stable release
Stricted [Wed, 21 Mar 2018 21:48:36 +0000 (22:48 +0100)]
Merge tag 'v3.10.91' into update
This is the 3.10.91 stable release
Stricted [Wed, 21 Mar 2018 21:47:31 +0000 (22:47 +0100)]
Merge tag 'v3.10.90' into update
This is the 3.10.90 stable release
Stricted [Wed, 21 Mar 2018 21:47:28 +0000 (22:47 +0100)]
Merge tag 'v3.10.89' into update
This is the 3.10.89 stable release
Stricted [Wed, 21 Mar 2018 21:47:25 +0000 (22:47 +0100)]
Merge tag 'v3.10.88' into update
This is the 3.10.88 stable release
Stricted [Wed, 21 Mar 2018 21:47:22 +0000 (22:47 +0100)]
Merge tag 'v3.10.87' into update
This is the 3.10.87 stable release
Stricted [Wed, 21 Mar 2018 21:47:17 +0000 (22:47 +0100)]
Merge tag 'v3.10.86' into update
This is the 3.10.86 stable release
Stricted [Wed, 21 Mar 2018 21:46:39 +0000 (22:46 +0100)]
Merge tag 'v3.10.85' into update
This is the 3.10.85 stable release
Stricted [Wed, 21 Mar 2018 21:46:36 +0000 (22:46 +0100)]
Merge tag 'v3.10.84' into update
This is the 3.10.84 stable release
Stricted [Wed, 21 Mar 2018 21:46:32 +0000 (22:46 +0100)]
Merge tag 'v3.10.83' into update
This is the 3.10.83 stable release
Stricted [Wed, 21 Mar 2018 21:45:38 +0000 (22:45 +0100)]
Merge tag 'v3.10.82' into update
This is the 3.10.82 stable release
Stricted [Wed, 21 Mar 2018 21:45:35 +0000 (22:45 +0100)]
Merge tag 'v3.10.81' into update
This is the 3.10.81 stable release
Stricted [Wed, 21 Mar 2018 21:45:22 +0000 (22:45 +0100)]
Merge tag 'v3.10.80' into update
This is the 3.10.80 stable release
Stricted [Wed, 21 Mar 2018 21:44:42 +0000 (22:44 +0100)]
Merge tag 'v3.10.79' into update
This is the 3.10.79 stable release
Stricted [Wed, 21 Mar 2018 21:44:38 +0000 (22:44 +0100)]
Merge tag 'v3.10.78' into update
This is the 3.10.78 stable release
Stricted [Wed, 21 Mar 2018 21:44:34 +0000 (22:44 +0100)]
Merge tag 'v3.10.77' into update
This is the 3.10.77 stable release
Stricted [Wed, 21 Mar 2018 21:42:30 +0000 (22:42 +0100)]
Merge tag 'v3.10.76' into update
This is the 3.10.76 stable release
Stricted [Wed, 21 Mar 2018 21:41:10 +0000 (22:41 +0100)]
Merge tag 'v3.10.75' into update
This is the 3.10.75 stable release
Stricted [Wed, 21 Mar 2018 21:41:07 +0000 (22:41 +0100)]
Merge tag 'v3.10.74' into update
This is the 3.10.74 stable release
Stricted [Wed, 21 Mar 2018 21:41:03 +0000 (22:41 +0100)]
Merge tag 'v3.10.73' into update
This is the 3.10.73 stable release
Stricted [Wed, 21 Mar 2018 21:40:54 +0000 (22:40 +0100)]
Merge tag 'v3.10.72' into update
This is the 3.10.72 stable release
Stricted [Wed, 21 Mar 2018 21:40:50 +0000 (22:40 +0100)]
Merge tag 'v3.10.71' into update
This is the 3.10.71 stable release
Stricted [Wed, 21 Mar 2018 21:40:47 +0000 (22:40 +0100)]
Merge tag 'v3.10.70' into update
This is the 3.10.70 stable release
Stricted [Wed, 21 Mar 2018 21:39:46 +0000 (22:39 +0100)]
Merge tag 'v3.10.69' into update
This is the 3.10.69 stable release
Stricted [Wed, 21 Mar 2018 21:38:24 +0000 (22:38 +0100)]
Merge tag 'v3.10.68' into update
This is the 3.10.68 stable release
Stricted [Wed, 21 Mar 2018 21:36:30 +0000 (22:36 +0100)]
Merge tag 'v3.10.67' into update
This is the 3.10.67 stable release
Stricted [Wed, 21 Mar 2018 21:36:27 +0000 (22:36 +0100)]
Merge tag 'v3.10.66' into update
This is the 3.10.66 stable release
Stricted [Wed, 21 Mar 2018 21:36:23 +0000 (22:36 +0100)]
Merge tag 'v3.10.65' into update
This is the 3.10.65 stable release
Stricted [Wed, 21 Mar 2018 21:33:51 +0000 (22:33 +0100)]
Merge tag 'v3.10.64' into update
This is the 3.10.64 stable release
Stricted [Wed, 21 Mar 2018 21:33:47 +0000 (22:33 +0100)]
Merge tag 'v3.10.63' into update
This is the 3.10.63 stable release
Stricted [Wed, 21 Mar 2018 21:31:45 +0000 (22:31 +0100)]
Merge tag 'v3.10.62' into update
This is the 3.10.62 stable release
Stricted [Wed, 21 Mar 2018 21:31:40 +0000 (22:31 +0100)]
Merge tag 'v3.10.61' into update
This is the 3.10.61 stable release
Stricted [Wed, 21 Mar 2018 21:31:34 +0000 (22:31 +0100)]
Merge tag 'v3.10.60' into update
This is the 3.10.60 stable release
Stricted [Wed, 21 Mar 2018 21:31:29 +0000 (22:31 +0100)]
Merge tag 'v3.10.59' into update
This is the 3.10.59 stable release
Stricted [Wed, 21 Mar 2018 21:31:25 +0000 (22:31 +0100)]
Merge tag 'v3.10.58' into update
This is the 3.10.58 stable release
Stricted [Wed, 21 Mar 2018 21:28:46 +0000 (22:28 +0100)]
Merge tag 'v3.10.57' into update
This is the 3.10.57 stable release
Stricted [Wed, 21 Mar 2018 21:22:19 +0000 (22:22 +0100)]
Merge tag 'v3.10.56' into update
This is the 3.10.56 stable release
Stricted [Wed, 21 Mar 2018 21:13:57 +0000 (22:13 +0100)]
Merge tag 'v3.10.55' into update
This is the 3.10.55 stable release
Stricted [Wed, 21 Mar 2018 14:41:24 +0000 (15:41 +0100)]
disable some mediatekl custom warnings
Stricted [Fri, 16 Mar 2018 11:36:42 +0000 (12:36 +0100)]
scripts: kconfig: fix jump initialization
Stricted [Fri, 16 Mar 2018 11:43:09 +0000 (12:43 +0100)]
scripts: sortextable: fix relocs_size initialization
Stricted [Mon, 19 Mar 2018 16:45:11 +0000 (17:45 +0100)]
cleanup Makefile
Stricted [Mon, 19 Mar 2018 16:33:56 +0000 (17:33 +0100)]
remove useless makefiles and build script
Diogo Ferreira [Fri, 15 Apr 2016 17:34:08 +0000 (18:34 +0100)]
Add an option to multiplex AP and STA on wlan0
This adds CONFIG_MTK_COMBO_AOSP_TETHERING_SUPPORT which, when enabled,
allows ap and wlan to co-exist in the same interface, as Android
expects.
Most of this functionality is also available (albeit not compilable broken)
under CFG_TC1_FEATURE but that has larger implications around the radio
and usb stack that we do not want to adopt.
Change-Id: Ib1d1be40566f1bb9ccc7be45b49ec8d1f3b3ba58
Ticket: PORRIDGE-30
Stricted [Mon, 19 Mar 2018 13:51:56 +0000 (14:51 +0100)]
ignore all warning
i dont really want fix this mess that mediatek did here to get a clean build log
so lets disable the warning for now instead
Kees Cook [Tue, 10 Jun 2014 22:40:23 +0000 (15:40 -0700)]
ARM: add seccomp syscall
Wires up the new seccomp syscall.
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Oleg Nesterov <oleg@redhat.com>
Change-Id: I31a2d38b892e2cd81bf3998a916c7bb539a37767
Stricted [Fri, 16 Mar 2018 11:30:43 +0000 (12:30 +0100)]
replace lcm_mdelay with mdelay
Stricted [Tue, 13 Mar 2018 19:30:12 +0000 (20:30 +0100)]
import PULS_20180308
Stricted [Tue, 13 Mar 2018 19:29:02 +0000 (20:29 +0100)]
import PULS_20160108
Willy Tarreau [Sat, 4 Nov 2017 22:34:48 +0000 (23:34 +0100)]
Linux 3.10.108
Willy Tarreau [Thu, 2 Nov 2017 22:22:31 +0000 (23:22 +0100)]
x86/apic: fix build breakage caused by incomplete backport to 3.10
Commit
928a277 ("x86/apic: Do not init irq remapping if ioapic is
disabled") introduced in 3.10.105 introduced an implicit dependency of
CONFIG_X86_LOCAL_APIC to CONFIG_X86_IO_APIC which was later solved as
part of simplifications on the config dependencies in more recent kernels.
This dependency results in build failure when CONFIG_X86_LOCAL_APIC is
set without CONFIG_X86_IO_APIC (this setup requires CONFIG_SMP=n). The
reason is that skip_ioapic_setup is declared in apic.c and that the
backported code was picked from a context where the #ifdef surrounding
the function used to cover this condition.
Let's just add the appropriate #ifdef to fix the 3.10 backport.
Thanks to Christoph Biedl for reporting and diagnosing this one.
Reported-by: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
Cc: Christoph Biedl <linux-kernel.bfrz@manchmal.in-ulm.de>
Cc: Jan Beulich <JBeulich@suse.com>
Cc: Wanpeng Li <wanpeng.li@hotmail.com>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Stefan Mätje [Wed, 18 Oct 2017 11:25:17 +0000 (13:25 +0200)]
can: esd_usb2: Fix can_dlc value for received RTR, frames
commit
72d92e865d1560723e1957ee3f393688c49ca5bf upstream.
The dlc member of the struct rx_msg contains also the ESD_RTR flag to
mark received RTR frames. Without the fix the can_dlc value for received
RTR frames would always be set to 8 by get_can_dlc() instead of the
received value.
Fixes:
96d8e90382dc ("can: Add driver for esd CAN-USB/2 device")
Signed-off-by: Stefan Mätje <stefan.maetje@esd.eu>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Dan Carpenter [Tue, 21 Feb 2017 18:46:37 +0000 (21:46 +0300)]
scsi: scsi_dh_emc: return success in clariion_std_inquiry()
commit
4d7d39a18b8b81511f0b893b7d2203790bf8a58b upstream.
We accidentally return an uninitialized variable on success.
Fixes:
b6ff1b14cdf4 ("[SCSI] scsi_dh: Update EMC handler")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Andrew Gabbasov [Sat, 30 Sep 2017 15:55:55 +0000 (08:55 -0700)]
usb: gadget: composite: Fix use-after-free in usb_composite_overwrite_options
commit
aec17e1e249567e82b26dafbb86de7d07fde8729 upstream.
KASAN enabled configuration reports an error
BUG: KASAN: use-after-free in usb_composite_overwrite_options+...
[libcomposite] at addr ...
Read of size 1 by task ...
when some driver is un-bound and then bound again.
For example, this happens with FunctionFS driver when "ffs-test"
test application is run several times in a row.
If the driver has empty manufacturer ID string in initial static data,
it is then replaced with generated string. After driver unbinding
the generated string is freed, but the driver data still keep that
pointer. And if the driver is then bound again, that pointer
is re-used for string emptiness check.
The fix is to clean up the driver string data upon its unbinding
to drop the pointer to freed memory.
Fixes:
cc2683c318a5 ("usb: gadget: Provide a default implementation of default manufacturer string")
Cc: stable@vger.kernel.org
Signed-off-by: Andrew Gabbasov <andrew_gabbasov@mentor.com>
Signed-off-by: Felipe Balbi <felipe.balbi@linux.intel.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Haozhong Zhang [Tue, 10 Oct 2017 07:01:22 +0000 (15:01 +0800)]
KVM: nVMX: fix guest CR4 loading when emulating L2 to L1 exit
commit
8eb3f87d903168bdbd1222776a6b1e281f50513e upstream.
When KVM emulates an exit from L2 to L1, it loads L1 CR4 into the
guest CR4. Before this CR4 loading, the guest CR4 refers to L2
CR4. Because these two CR4's are in different levels of guest, we
should vmx_set_cr4() rather than kvm_set_cr4() here. The latter, which
is used to handle guest writes to its CR4, checks the guest change to
CR4 and may fail if the change is invalid.
The failure may cause trouble. Consider we start
a L1 guest with non-zero L1 PCID in use,
(i.e. L1 CR4.PCIDE == 1 && L1 CR3.PCID != 0)
and
a L2 guest with L2 PCID disabled,
(i.e. L2 CR4.PCIDE == 0)
and following events may happen:
1. If kvm_set_cr4() is used in load_vmcs12_host_state() to load L1 CR4
into guest CR4 (in VMCS01) for L2 to L1 exit, it will fail because
of PCID check. As a result, the guest CR4 recorded in L0 KVM (i.e.
vcpu->arch.cr4) is left to the value of L2 CR4.
2. Later, if L1 attempts to change its CR4, e.g., clearing VMXE bit,
kvm_set_cr4() in L0 KVM will think L1 also wants to enable PCID,
because the wrong L2 CR4 is used by L0 KVM as L1 CR4. As L1
CR3.PCID != 0, L0 KVM will inject GP to L1 guest.
Fixes:
4704d0befb072 ("KVM: nVMX: Exiting from L2 to L1")
Cc: qemu-stable@nongnu.org
Signed-off-by: Haozhong Zhang <haozhong.zhang@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Arnd Bergmann [Tue, 14 Mar 2017 12:18:45 +0000 (13:18 +0100)]
IB/qib: fix false-postive maybe-uninitialized warning
commit
f6aafac184a3e46e919769dd4faa8bf0dc436534 upstream.
aarch64-linux-gcc-7 complains about code it doesn't fully understand:
drivers/infiniband/hw/qib/qib_iba7322.c: In function 'qib_7322_txchk_change':
include/asm-generic/bitops/non-atomic.h:105:35: error: 'shadow' may be used uninitialized in this function [-Werror=maybe-uninitialized]
The code is right, and despite trying hard, I could not come up with a version
that I liked better than just adding a fake initialization here to shut up the
warning.
Fixes:
f931551bafe1 ("IB/qib: Add new qib driver for QLogic PCIe InfiniBand adapters")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Ira Weiny <ira.weiny@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Pan Bian [Mon, 24 Apr 2017 10:29:16 +0000 (18:29 +0800)]
team: fix memory leaks
commit
72ec0bc64b9a5d8e0efcb717abfc757746b101b7 upstream.
In functions team_nl_send_port_list_get() and
team_nl_send_options_get(), pointer skb keeps the return value of
nlmsg_new(). When the call to genlmsg_put() fails, the memory is not
freed(). This will result in memory leak bugs.
Fixes:
9b00cf2d1024 ("team: implement multipart netlink messages for options transfers")
Signed-off-by: Pan Bian <bianpan2016@163.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Feras Daoud [Wed, 28 Dec 2016 12:47:24 +0000 (14:47 +0200)]
IB/ipoib: rtnl_unlock can not come after free_netdev
commit
89a3987ab7a923c047c6dec008e60ad6f41fac22 upstream.
The ipoib_vlan_add function calls rtnl_unlock after free_netdev,
rtnl_unlock not only releases the lock, but also calls netdev_run_todo.
The latter function browses the net_todo_list array and completes the
unregistration of all its net_device instances. If we call free_netdev
before rtnl_unlock, then netdev_run_todo call over the freed device causes
panic.
To fix, move rtnl_unlock call before free_netdev call.
Fixes:
9baa0b036410 ("IB/ipoib: Add rtnl_link_ops support")
Cc: Or Gerlitz <ogerlitz@mellanox.com>
Signed-off-by: Feras Daoud <ferasda@mellanox.com>
Signed-off-by: Erez Shitrit <erezsh@mellanox.com>
Reviewed-by: Yuval Shaia <yuval.shaia@oracle.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
satoru takeuchi [Tue, 12 Sep 2017 13:42:52 +0000 (22:42 +0900)]
btrfs: prevent to set invalid default subvolid
commit
6d6d282932d1a609e60dc4467677e0e863682f57 upstream.
`btrfs sub set-default` succeeds to set an ID which isn't corresponding to any
fs/file tree. If such the bad ID is set to a filesystem, we can't mount this
filesystem without specifying `subvol` or `subvolid` mount options.
Fixes:
6ef5ed0d386b ("Btrfs: add ioctl and incompat flag to set the default mount subvol")
Cc: <stable@vger.kernel.org>
Signed-off-by: Satoru Takeuchi <satoru.takeuchi@gmail.com>
Reviewed-by: Qu Wenruo <quwenruo.btrfs@gmx.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Bo Yan [Mon, 18 Sep 2017 17:03:35 +0000 (10:03 -0700)]
tracing: Erase irqsoff trace with empty write
commit
8dd33bcb7050dd6f8c1432732f930932c9d3a33e upstream.
One convenient way to erase trace is "echo > trace". However, this
is currently broken if the current tracer is irqsoff tracer. This
is because irqsoff tracer use max_buffer as the default trace
buffer.
Set the max_buffer as the one to be cleared when it's the trace
buffer currently in use.
Link: http://lkml.kernel.org/r/1505754215-29411-1-git-send-email-byan@nvidia.com
Cc: <mingo@redhat.com>
Cc: stable@vger.kernel.org
Fixes:
4acd4d00f ("tracing: give easy way to clear trace buffer")
Signed-off-by: Bo Yan <byan@nvidia.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Baohong Liu [Tue, 5 Sep 2017 21:57:19 +0000 (16:57 -0500)]
tracing: Apply trace_clock changes to instance max buffer
commit
170b3b1050e28d1ba0700e262f0899ffa4fccc52 upstream.
Currently trace_clock timestamps are applied to both regular and max
buffers only for global trace. For instance trace, trace_clock
timestamps are applied only to regular buffer. But, regular and max
buffers can be swapped, for example, following a snapshot. So, for
instance trace, bad timestamps can be seen following a snapshot.
Let's apply trace_clock timestamps to instance max buffer as well.
Link: http://lkml.kernel.org/r/ebdb168d0be042dcdf51f81e696b17fabe3609c1.1504642143.git.tom.zanussi@linux.intel.com
Cc: stable@vger.kernel.org
Fixes:
277ba0446 ("tracing: Add interface to allow multiple trace buffers")
Signed-off-by: Baohong Liu <baohong.liu@intel.com>
Signed-off-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Dan Carpenter [Wed, 30 Aug 2017 13:30:35 +0000 (16:30 +0300)]
scsi: qla2xxx: Fix an integer overflow in sysfs code
commit
e6f77540c067b48dee10f1e33678415bfcc89017 upstream.
The value of "size" comes from the user. When we add "start + size" it
could lead to an integer overflow bug.
It means we vmalloc() a lot more memory than we had intended. I believe
that on 64 bit systems vmalloc() can succeed even if we ask it to
allocate huge 4GB buffers. So we would get memory corruption and likely
a crash when we call ha->isp_ops->write_optrom() and ->read_optrom().
Only root can trigger this bug.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=194061
Cc: <stable@vger.kernel.org>
Fixes:
b7cc176c9eb3 ("[SCSI] qla2xxx: Allow region-based flash-part accesses.")
Reported-by: shqking <shqking@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Stephan Mueller [Thu, 21 Sep 2017 08:16:53 +0000 (10:16 +0200)]
crypto: AF_ALG - remove SGL terminator indicator when chaining
commit
1d4ba7f963a93a2207fd103d4a36df1b5aeefea2 upstream.
Fixed differently upstream as commit
2d97591ef43d ("crypto: af_alg - consolidation of duplicate code")
The SGL is MAX_SGL_ENTS + 1 in size. The last SG entry is used for the
chaining and is properly updated with the sg_chain invocation. During
the filling-in of the initial SG entries, sg_mark_end is called for each
SG entry. This is appropriate as long as no additional SGL is chained
with the current SGL. However, when a new SGL is chained and the last
SG entry is updated with sg_chain, the last but one entry still contains
the end marker from the sg_mark_end. This end marker must be removed as
otherwise a walk of the chained SGLs will cause a NULL pointer
dereference at the last but one SG entry, because sg_next will return
NULL.
The patch only applies to all kernels up to and including 4.13. The
patch
2d97591ef43d0587be22ad1b0d758d6df4999a0b added to 4.14-rc1
introduced a complete new code base which addresses this bug in
a different way. Yet, that patch is too invasive for stable kernels
and was therefore not marked for stable.
Fixes:
8ff590903d5fc ("crypto: algif_skcipher - User-space interface for skcipher operations")
Signed-off-by: Stephan Mueller <smueller@chronox.de>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Sabrina Dubroca [Wed, 4 Feb 2015 14:25:09 +0000 (15:25 +0100)]
ip6_gre: fix endianness errors in ip6gre_err
commit
d1e158e2d7a0a91110b206653f0e02376e809150 upstream.
info is in network byte order, change it back to host byte order
before use. In particular, the current code sets the MTU of the tunnel
to a wrong (too big) value.
Fixes:
c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Eric Dumazet [Fri, 8 Sep 2017 22:48:47 +0000 (15:48 -0700)]
ipv6: fix typo in fib6_net_exit()
commit
32a805baf0fb70b6dbedefcd7249ac7f580f9e3b upstream.
IPv6 FIB should use FIB6_TABLE_HASHSZ, not FIB_TABLE_HASHSZ.
Fixes:
ba1cc08d9488 ("ipv6: fix memory leak with multiple tables during netns destruction")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Sabrina Dubroca [Fri, 8 Sep 2017 08:26:19 +0000 (10:26 +0200)]
ipv6: fix memory leak with multiple tables during netns destruction
commit
ba1cc08d9488c94cb8d94f545305688b72a2a300 upstream.
fib6_net_exit only frees the main and local tables. If another table was
created with fib6_alloc_table, we leak it when the netns is destroyed.
Fix this in the same way ip_fib_net_exit cleans up tables, by walking
through the whole hashtable of fib6_table's. We can get rid of the
special cases for local and main, since they're also part of the
hashtable.
Reproducer:
ip netns add x
ip -net x -6 rule add from 6003:1::/64 table 100
ip netns del x
Reported-by: Jianlin Shi <jishi@redhat.com>
Fixes:
58f09b78b730 ("[NETNS][IPV6] ip6_fib - make it per network namespace")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Arnd Bergmann [Wed, 23 Aug 2017 13:59:49 +0000 (15:59 +0200)]
qlge: avoid memcpy buffer overflow
commit
e58f95831e7468d25eb6e41f234842ecfe6f014f upstream.
gcc-8.0.0 (snapshot) points out that we copy a variable-length string
into a fixed length field using memcpy() with the destination length,
and that ends up copying whatever follows the string:
inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region of size 14 [-Werror=stringop-overflow=]
memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
Changing it to use strncpy() will instead zero-pad the destination,
which seems to be the right thing to do here.
The bug is probably harmless, but it seems like a good idea to address
it in stable kernels as well, if only for the purpose of building with
gcc-8 without warnings.
Fixes:
a61f80261306 ("qlge: Add ethtool register dump function.")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Willy Tarreau <w@1wt.eu>
projects / GitHub / mt8127 / android_kernel_alcatel_ttab.git / log