046ce7a74ee94e17bcfd957aee5d1fd6a18e1b6a
1124 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Greg Kroah-Hartman
|
046ce7a74e |
Merge 5.15.59 into android14-5.15
Changes in 5.15.59
Bluetooth: L2CAP: Fix use-after-free caused by l2cap_chan_put
Revert "ocfs2: mount shared volume without ha stack"
ntfs: fix use-after-free in ntfs_ucsncmp()
fs: sendfile handles O_NONBLOCK of out_fd
secretmem: fix unhandled fault in truncate
mm: fix page leak with multiple threads mapping the same page
hugetlb: fix memoryleak in hugetlb_mcopy_atomic_pte
asm-generic: remove a broken and needless ifdef conditional
s390/archrandom: prevent CPACF trng invocations in interrupt context
nouveau/svm: Fix to migrate all requested pages
drm/simpledrm: Fix return type of simpledrm_simple_display_pipe_mode_valid()
watch_queue: Fix missing rcu annotation
watch_queue: Fix missing locking in add_watch_to_object()
tcp: Fix data-races around sysctl_tcp_dsack.
tcp: Fix a data-race around sysctl_tcp_app_win.
tcp: Fix a data-race around sysctl_tcp_adv_win_scale.
tcp: Fix a data-race around sysctl_tcp_frto.
tcp: Fix a data-race around sysctl_tcp_nometrics_save.
tcp: Fix data-races around sysctl_tcp_no_ssthresh_metrics_save.
ice: check (DD | EOF) bits on Rx descriptor rather than (EOP | RS)
ice: do not setup vlan for loopback VSI
scsi: ufs: host: Hold reference returned by of_parse_phandle()
Revert "tcp: change pingpong threshold to 3"
octeontx2-pf: Fix UDP/TCP src and dst port tc filters
tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf.
tcp: Fix a data-race around sysctl_tcp_limit_output_bytes.
tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
scsi: core: Fix warning in scsi_alloc_sgtables()
scsi: mpt3sas: Stop fw fault watchdog work item during system shutdown
net: ping6: Fix memleak in ipv6_renew_options().
ipv6/addrconf: fix a null-ptr-deref bug for ip6_ptr
net/tls: Remove the context from the list in tls_device_down
igmp: Fix data-races around sysctl_igmp_qrv.
net: pcs: xpcs: propagate xpcs_read error to xpcs_get_state_c37_sgmii
net: sungem_phy: Add of_node_put() for reference returned by of_get_parent()
tcp: Fix a data-race around sysctl_tcp_min_tso_segs.
tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
tcp: Fix a data-race around sysctl_tcp_autocorking.
tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
Documentation: fix sctp_wmem in ip-sysctl.rst
macsec: fix NULL deref in macsec_add_rxsa
macsec: fix error message in macsec_add_rxsa and _txsa
macsec: limit replay window size with XPN
macsec: always read MACSEC_SA_ATTR_PN as a u64
net: macsec: fix potential resource leak in macsec_add_rxsa() and macsec_add_txsa()
net: mld: fix reference count leak in mld_{query | report}_work()
tcp: Fix data-races around sk_pacing_rate.
net: Fix data-races around sysctl_[rw]mem(_offset)?.
tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns.
tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns.
tcp: Fix a data-race around sysctl_tcp_comp_sack_nr.
tcp: Fix data-races around sysctl_tcp_reflect_tos.
ipv4: Fix data-races around sysctl_fib_notify_on_flag_change.
i40e: Fix interface init with MSI interrupts (no MSI-X)
sctp: fix sleep in atomic context bug in timer handlers
octeontx2-pf: cn10k: Fix egress ratelimit configuration
netfilter: nf_queue: do not allow packet truncation below transport header offset
virtio-net: fix the race between refill work and close
perf symbol: Correct address for bss symbols
sfc: disable softirqs for ptp TX
sctp: leave the err path free in sctp_stream_init to sctp_stream_free
ARM: crypto: comment out gcc warning that breaks clang builds
mm/hmm: fault non-owner device private entries
page_alloc: fix invalid watermark check on a negative value
ARM: 9216/1: Fix MAX_DMA_ADDRESS overflow
EDAC/ghes: Set the DIMM label unconditionally
docs/kernel-parameters: Update descriptions for "mitigations=" param with retbleed
locking/rwsem: Allow slowpath writer to ignore handoff bit if not set by first waiter
x86/bugs: Do not enable IBPB at firmware entry when IBPB is not available
Linux 5.15.59
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I4f2002d38aea467e150a912f50d456c41b23de89
|
||
Kuniyuki Iwashima
|
4cc070e0ef |
tcp: Fix a data-race around sysctl_tcp_comp_sack_nr.
[ Upstream commit 79f55473bfc8ac51bd6572929a679eeb4da22251 ]
While reading sysctl_tcp_comp_sack_nr, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.
Fixes:
|
||
|
Kuniyuki Iwashima
|
34c9977b4d |
tcp: Fix a data-race around sysctl_tcp_comp_sack_slack_ns.
[ Upstream commit 22396941a7f343d704738360f9ef0e6576489d43 ]
While reading sysctl_tcp_comp_sack_slack_ns, it can be changed
concurrently. Thus, we need to add READ_ONCE() to its reader.
Fixes:
|
||
|
Kuniyuki Iwashima
|
6842c94de9 |
tcp: Fix a data-race around sysctl_tcp_comp_sack_delay_ns.
[ Upstream commit 4866b2b0f7672b6d760c4b8ece6fb56f965dcc8a ]
While reading sysctl_tcp_comp_sack_delay_ns, it can be changed
concurrently. Thus, we need to add READ_ONCE() to its reader.
Fixes:
|
||
|
Kuniyuki Iwashima
|
618116a273 |
net: Fix data-races around sysctl_[rw]mem(_offset)?.
[ Upstream commit 02739545951ad4c1215160db7fbf9b7a918d3c0b ]
While reading these sysctl variables, they can be changed concurrently.
Thus, we need to add READ_ONCE() to their readers.
- .sysctl_rmem
- .sysctl_rwmem
- .sysctl_rmem_offset
- .sysctl_wmem_offset
- sysctl_tcp_rmem[1, 2]
- sysctl_tcp_wmem[1, 2]
- sysctl_decnet_rmem[1]
- sysctl_decnet_wmem[1]
- sysctl_tipc_rmem[1]
Fixes:
|
||
|
Kuniyuki Iwashima
|
a610feb170 |
tcp: Fix data-races around sk_pacing_rate.
[ Upstream commit 59bf6c65a09fff74215517aecffbbdcd67df76e3 ]
While reading sysctl_tcp_pacing_(ss|ca)_ratio, they can be changed
concurrently. Thus, we need to add READ_ONCE() to their readers.
Fixes:
|
||
|
Kuniyuki Iwashima
|
dac5644a82 |
tcp: Fix a data-race around sysctl_tcp_invalid_ratelimit.
[ Upstream commit 2afdbe7b8de84c28e219073a6661080e1b3ded48 ]
While reading sysctl_tcp_invalid_ratelimit, it can be changed
concurrently. Thus, we need to add READ_ONCE() to its reader.
Fixes:
|
||
|
Kuniyuki Iwashima
|
bd07f2e70a |
tcp: Fix a data-race around sysctl_tcp_min_rtt_wlen.
[ Upstream commit 1330ffacd05fc9ac4159d19286ce119e22450ed2 ]
While reading sysctl_tcp_min_rtt_wlen, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.
Fixes:
|
||
|
Kuniyuki Iwashima
|
ff2932ac8e |
tcp: Fix a data-race around sysctl_tcp_challenge_ack_limit.
commit db3815a2fa691da145cfbe834584f31ad75df9ff upstream.
While reading sysctl_tcp_challenge_ack_limit, it can be changed
concurrently. Thus, we need to add READ_ONCE() to its reader.
Fixes:
|
||
|
Kuniyuki Iwashima
|
664a3311e6 |
tcp: Fix data-races around sysctl_tcp_moderate_rcvbuf.
commit 780476488844e070580bfc9e3bc7832ec1cea883 upstream.
While reading sysctl_tcp_moderate_rcvbuf, it can be changed
concurrently. Thus, we need to add READ_ONCE() to its readers.
Fixes:
|
||
|
Kuniyuki Iwashima
|
6e167ed689 |
tcp: Fix a data-race around sysctl_tcp_frto.
commit 706c6202a3589f290e1ef9be0584a8f4a3cc0507 upstream.
While reading sysctl_tcp_frto, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.
Fixes:
|
||
|
Kuniyuki Iwashima
|
74753ec663 |
tcp: Fix a data-race around sysctl_tcp_app_win.
commit 02ca527ac5581cf56749db9fd03d854e842253dd upstream.
While reading sysctl_tcp_app_win, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.
Fixes:
|
||
|
Kuniyuki Iwashima
|
807b028115 |
tcp: Fix data-races around sysctl_tcp_dsack.
commit 58ebb1c8b35a8ef38cd6927431e0fa7b173a632d upstream.
While reading sysctl_tcp_dsack, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Fixes:
|
||
|
Greg Kroah-Hartman
|
6d2ac8a0a4 |
Merge 5.15.58 into android14-5.15
Changes in 5.15.58 pinctrl: stm32: fix optional IRQ support to gpios riscv: add as-options for modules with assembly compontents mlxsw: spectrum_router: Fix IPv4 nexthop gateway indication lockdown: Fix kexec lockdown bypass with ima policy drm/ttm: fix locking in vmap/vunmap TTM GEM helpers bus: mhi: host: pci_generic: add Telit FN980 v1 hardware revision bus: mhi: host: pci_generic: add Telit FN990 Revert "selftest/vm: verify remap destination address in mremap_test" Revert "selftest/vm: verify mmap addr in mremap_test" PCI: hv: Fix multi-MSI to allow more than one MSI vector PCI: hv: Fix hv_arch_irq_unmask() for multi-MSI PCI: hv: Reuse existing IRTE allocation in compose_msi_msg() PCI: hv: Fix interrupt mapping for multi-MSI serial: mvebu-uart: correctly report configured baudrate value batman-adv: Use netif_rx_any_context() any. Revert "mt76: mt7921: Fix the error handling path of mt7921_pci_probe()" Revert "mt76: mt7921e: fix possible probe failure after reboot" mt76: mt7921: use physical addr to unify register access mt76: mt7921e: fix possible probe failure after reboot mt76: mt7921: Fix the error handling path of mt7921_pci_probe() xfs: fix maxlevels comparisons in the btree staging code xfs: fold perag loop iteration logic into helper function xfs: rename the next_agno perag iteration variable xfs: terminate perag iteration reliably on agcount xfs: fix perag reference leak on iteration race with growfs xfs: prevent a WARN_ONCE() in xfs_ioc_attr_list() r8152: fix a WOL issue ip: Fix data-races around sysctl_ip_default_ttl. xfrm: xfrm_policy: fix a possible double xfrm_pols_put() in xfrm_bundle_lookup() power/reset: arm-versatile: Fix refcount leak in versatile_reboot_probe RDMA/irdma: Do not advertise 1GB page size for x722 RDMA/irdma: Fix sleep from invalid context BUG pinctrl: ralink: rename MT7628(an) functions to MT76X8 pinctrl: ralink: rename pinctrl-rt2880 to pinctrl-ralink pinctrl: ralink: Check for null return of devm_kcalloc perf/core: Fix data race between perf_event_set_output() and perf_mmap_close() ipv4/tcp: do not use per netns ctl sockets net: tun: split run_ebpf_filter() and pskb_trim() into different "if statement" mm/pagealloc: sysctl: change watermark_scale_factor max limit to 30% sysctl: move some boundary constants from sysctl.c to sysctl_vals tcp: Fix data-races around sysctl_tcp_ecn. drm/amd/display: Support for DMUB HPD interrupt handling drm/amd/display: Add option to defer works of hpd_rx_irq drm/amd/display: Fork thread to offload work of hpd_rx_irq drm/amdgpu/display: add quirk handling for stutter mode drm/amd/display: Ignore First MST Sideband Message Return Error scsi: megaraid: Clear READ queue map's nr_queues scsi: ufs: core: Drop loglevel of WriteBoost message nvme: check for duplicate identifiers earlier nvme: fix block device naming collision e1000e: Enable GPT clock before sending message to CSME Revert "e1000e: Fix possible HW unit hang after an s0ix exit" igc: Reinstate IGC_REMOVED logic and implement it properly ip: Fix data-races around sysctl_ip_no_pmtu_disc. ip: Fix data-races around sysctl_ip_fwd_use_pmtu. ip: Fix data-races around sysctl_ip_fwd_update_priority. ip: Fix data-races around sysctl_ip_nonlocal_bind. ip: Fix a data-race around sysctl_ip_autobind_reuse. ip: Fix a data-race around sysctl_fwmark_reflect. tcp/dccp: Fix a data-race around sysctl_tcp_fwmark_accept. tcp: sk->sk_bound_dev_if once in inet_request_bound_dev_if() tcp: Fix data-races around sysctl_tcp_l3mdev_accept. tcp: Fix data-races around sysctl_tcp_mtu_probing. tcp: Fix data-races around sysctl_tcp_base_mss. tcp: Fix data-races around sysctl_tcp_min_snd_mss. tcp: Fix a data-race around sysctl_tcp_mtu_probe_floor. tcp: Fix a data-race around sysctl_tcp_probe_threshold. tcp: Fix a data-race around sysctl_tcp_probe_interval. net: stmmac: fix pm runtime issue in stmmac_dvr_remove() net: stmmac: fix unbalanced ptp clock issue in suspend/resume flow mtd: rawnand: gpmi: validate controller clock rate mtd: rawnand: gpmi: Set WAIT_FOR_READY timeout based on program/erase times net: dsa: microchip: ksz_common: Fix refcount leak bug net: skb: introduce kfree_skb_reason() net: skb: use kfree_skb_reason() in tcp_v4_rcv() net: skb: use kfree_skb_reason() in __udp4_lib_rcv() net: socket: rename SKB_DROP_REASON_SOCKET_FILTER net: skb_drop_reason: add document for drop reasons net: netfilter: use kfree_drop_reason() for NF_DROP net: ipv4: use kfree_skb_reason() in ip_rcv_core() net: ipv4: use kfree_skb_reason() in ip_rcv_finish_core() i2c: mlxcpld: Fix register setting for 400KHz frequency i2c: cadence: Change large transfer count reset logic to be unconditional perf tests: Fix Convert perf time to TSC test for hybrid net: stmmac: fix dma queue left shift overflow issue net/tls: Fix race in TLS device down flow igmp: Fix data-races around sysctl_igmp_llm_reports. igmp: Fix a data-race around sysctl_igmp_max_memberships. igmp: Fix data-races around sysctl_igmp_max_msf. tcp: Fix data-races around keepalive sysctl knobs. tcp: Fix data-races around sysctl_tcp_syn(ack)?_retries. tcp: Fix data-races around sysctl_tcp_syncookies. tcp: Fix data-races around sysctl_tcp_migrate_req. tcp: Fix data-races around sysctl_tcp_reordering. tcp: Fix data-races around some timeout sysctl knobs. tcp: Fix a data-race around sysctl_tcp_notsent_lowat. tcp: Fix a data-race around sysctl_tcp_tw_reuse. tcp: Fix data-races around sysctl_max_syn_backlog. tcp: Fix data-races around sysctl_tcp_fastopen. tcp: Fix data-races around sysctl_tcp_fastopen_blackhole_timeout. iavf: Fix handling of dummy receive descriptors pinctrl: armada-37xx: Use temporary variable for struct device pinctrl: armada-37xx: Make use of the devm_platform_ioremap_resource() pinctrl: armada-37xx: Convert to use dev_err_probe() pinctrl: armada-37xx: use raw spinlocks for regmap to avoid invalid wait context i40e: Fix erroneous adapter reinitialization during recovery process ixgbe: Add locking to prevent panic when setting sriov_numvfs to zero net: stmmac: remove redunctant disable xPCS EEE call gpio: pca953x: only use single read/write for No AI mode gpio: pca953x: use the correct range when do regmap sync gpio: pca953x: use the correct register address when regcache sync during init be2net: Fix buffer overflow in be_get_module_eeprom net: dsa: sja1105: silent spi_device_id warnings net: dsa: vitesse-vsc73xx: silent spi_device_id warnings drm/imx/dcss: Add missing of_node_put() in fail path ipv4: Fix a data-race around sysctl_fib_multipath_use_neigh. ipv4: Fix data-races around sysctl_fib_multipath_hash_policy. ipv4: Fix data-races around sysctl_fib_multipath_hash_fields. ip: Fix data-races around sysctl_ip_prot_sock. udp: Fix a data-race around sysctl_udp_l3mdev_accept. tcp: Fix data-races around sysctl knobs related to SYN option. tcp: Fix a data-race around sysctl_tcp_early_retrans. tcp: Fix data-races around sysctl_tcp_recovery. tcp: Fix a data-race around sysctl_tcp_thin_linear_timeouts. tcp: Fix data-races around sysctl_tcp_slow_start_after_idle. tcp: Fix a data-race around sysctl_tcp_retrans_collapse. tcp: Fix a data-race around sysctl_tcp_stdurg. tcp: Fix a data-race around sysctl_tcp_rfc1337. tcp: Fix a data-race around sysctl_tcp_abort_on_overflow. tcp: Fix data-races around sysctl_tcp_max_reordering. gpio: gpio-xilinx: Fix integer overflow KVM: selftests: Fix target thread to be migrated in rseq_test spi: bcm2835: bcm2835_spi_handle_err(): fix NULL pointer deref for non DMA transfers KVM: Don't null dereference ops->destroy mm/mempolicy: fix uninit-value in mpol_rebind_policy() bpf: Make sure mac_header was set before using it sched/deadline: Fix BUG_ON condition for deboosted tasks x86/bugs: Warn when "ibrs" mitigation is selected on Enhanced IBRS parts dlm: fix pending remove if msg allocation fails x86/uaccess: Implement macros for CMPXCHG on user addresses x86/extable: Tidy up redundant handler functions x86/extable: Get rid of redundant macros x86/mce: Deduplicate exception handling x86/extable: Rework the exception table mechanics x86/extable: Provide EX_TYPE_DEFAULT_MCE_SAFE and EX_TYPE_FAULT_MCE_SAFE bitfield.h: Fix "type of reg too small for mask" test x86/entry_32: Remove .fixup usage x86/extable: Extend extable functionality x86/msr: Remove .fixup usage x86/futex: Remove .fixup usage KVM: x86: Use __try_cmpxchg_user() to emulate atomic accesses xhci: dbc: refactor xhci_dbc_init() xhci: dbc: create and remove dbc structure in dbgtty driver. xhci: dbc: Rename xhci_dbc_init and xhci_dbc_exit xhci: Set HCD flag to defer primary roothub registration mt76: fix use-after-free by removing a non-RCU wcid pointer iwlwifi: fw: uefi: add missing include guards crypto: qat - set to zero DH parameters before free crypto: qat - use pre-allocated buffers in datapath crypto: qat - refactor submission logic crypto: qat - add backlog mechanism crypto: qat - fix memory leak in RSA crypto: qat - remove dma_free_coherent() for RSA crypto: qat - remove dma_free_coherent() for DH crypto: qat - add param check for RSA crypto: qat - add param check for DH crypto: qat - re-enable registration of algorithms exfat: fix referencing wrong parent directory information after renaming tracing: Have event format check not flag %p* on __get_dynamic_array() tracing: Place trace_pid_list logic into abstract functions tracing: Fix return value of trace_pid_write() um: virtio_uml: Allow probing from devicetree um: virtio_uml: Fix broken device handling in time-travel Bluetooth: Add bt_skb_sendmsg helper Bluetooth: Add bt_skb_sendmmsg helper Bluetooth: SCO: Replace use of memcpy_from_msg with bt_skb_sendmsg Bluetooth: RFCOMM: Replace use of memcpy_from_msg with bt_skb_sendmmsg Bluetooth: Fix passing NULL to PTR_ERR Bluetooth: SCO: Fix sco_send_frame returning skb->len Bluetooth: Fix bt_skb_sendmmsg not allocating partial chunks exfat: use updated exfat_chain directly during renaming drm/amd/display: Reset DMCUB before HW init drm/amd/display: Optimize bandwidth on following fast update drm/amd/display: Fix surface optimization regression on Carrizo x86/amd: Use IBPB for firmware calls x86/alternative: Report missing return thunk details watchqueue: make sure to serialize 'wqueue->defunct' properly tty: drivers/tty/, stop using tty_schedule_flip() tty: the rest, stop using tty_schedule_flip() tty: drop tty_schedule_flip() tty: extract tty_flip_buffer_commit() from tty_flip_buffer_push() tty: use new tty_insert_flip_string_and_push_buffer() in pty_write() net: usb: ax88179_178a needs FLAG_SEND_ZLP watch-queue: remove spurious double semicolon drm/amd/display: Don't lock connection_mutex for DMUB HPD drm/amd/display: invalid parameter check in dmub_hpd_callback x86/extable: Prefer local labels in .set directives KVM: x86: fix typo in __try_cmpxchg_user causing non-atomicness x86: drop bogus "cc" clobber from __try_cmpxchg_user_asm() drm/amdgpu: Off by one in dm_dmub_outbox1_low_irq() x86/entry_32: Fix segment exceptions drm/amd/display: Fix wrong format specifier in amdgpu_dm.c Linux 5.15.58 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I6655a937b4226d3011278d13df84b25e5ab4b9ef |
||
|
Kuniyuki Iwashima
|
ce3731c615 |
tcp: Fix data-races around sysctl_tcp_max_reordering.
[ Upstream commit a11e5b3e7a59fde1a90b0eaeaa82320495cf8cae ]
While reading sysctl_tcp_max_reordering, it can be changed
concurrently. Thus, we need to add READ_ONCE() to its readers.
Fixes:
|
||
|
Kuniyuki Iwashima
|
d46d55e3f9 |
tcp: Fix a data-race around sysctl_tcp_stdurg.
[ Upstream commit 4e08ed41cb1194009fc1a916a59ce3ed4afd77cd ]
While reading sysctl_tcp_stdurg, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its reader.
Fixes:
|
||
|
Kuniyuki Iwashima
|
a31e2d0cb5 |
tcp: Fix data-races around sysctl_tcp_recovery.
[ Upstream commit e7d2ef837e14a971a05f60ea08c47f3fed1a36e4 ]
While reading sysctl_tcp_recovery, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Fixes:
|
||
|
Kuniyuki Iwashima
|
329de75b9e |
tcp: Fix data-races around sysctl knobs related to SYN option.
[ Upstream commit 3666f666e99600518ab20982af04a078bbdad277 ]
While reading these knobs, they can be changed concurrently.
Thus, we need to add READ_ONCE() to their readers.
- tcp_sack
- tcp_window_scaling
- tcp_timestamps
Fixes:
|
||
|
Kuniyuki Iwashima
|
3ae85dc62a |
tcp: Fix data-races around sysctl_max_syn_backlog.
[ Upstream commit 79539f34743d3e14cc1fa6577d326a82cc64d62f ]
While reading sysctl_max_syn_backlog, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Fixes:
|
||
|
Kuniyuki Iwashima
|
f6ce655695 |
tcp: Fix data-races around sysctl_tcp_reordering.
[ Upstream commit 46778cd16e6a5ad1b2e3a91f6c057c907379418e ]
While reading sysctl_tcp_reordering, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Fixes:
|
||
|
Kuniyuki Iwashima
|
10a9ba97a4 |
tcp: Fix data-races around sysctl_tcp_syncookies.
[ Upstream commit f2e383b5bb6bbc60a0b94b87b3e49a2b1aefd11e ]
While reading sysctl_tcp_syncookies, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Fixes:
|
||
|
Kuniyuki Iwashima
|
d1e0bbe081 |
tcp: Fix data-races around sysctl_tcp_ecn.
[ Upstream commit 4785a66702f086cf2ea84bdbe6ec921f274bd9f2 ]
While reading sysctl_tcp_ecn, it can be changed concurrently.
Thus, we need to add READ_ONCE() to its readers.
Fixes:
|
||
|
Greg Kroah-Hartman
|
7abddb6445 |
Merge 5.15.47 into android14-5.15
Changes in 5.15.47
pcmcia: db1xxx_ss: restrict to MIPS_DB1XXX boards
staging: greybus: codecs: fix type confusion of list iterator variable
iio: adc: ad7124: Remove shift from scan_type
lkdtm/bugs: Check for the NULL pointer after calling kmalloc
lkdtm/bugs: Don't expect thread termination without CONFIG_UBSAN_TRAP
tty: goldfish: Use tty_port_destroy() to destroy port
tty: serial: owl: Fix missing clk_disable_unprepare() in owl_uart_probe
tty: n_tty: Restore EOF push handling behavior
serial: 8250_aspeed_vuart: Fix potential NULL dereference in aspeed_vuart_probe
tty: serial: fsl_lpuart: fix potential bug when using both of_alias_get_id and ida_simple_get
remoteproc: imx_rproc: Ignore create mem entry for resource table
usb: usbip: fix a refcount leak in stub_probe()
usb: usbip: add missing device lock on tweak configuration cmd
USB: storage: karma: fix rio_karma_init return
usb: musb: Fix missing of_node_put() in omap2430_probe
staging: fieldbus: Fix the error handling path in anybuss_host_common_probe()
pwm: lp3943: Fix duty calculation in case period was clamped
pwm: raspberrypi-poe: Fix endianness in firmware struct
rpmsg: qcom_smd: Fix irq_of_parse_and_map() return value
usb: dwc3: gadget: Replace list_for_each_entry_safe() if using giveback
usb: dwc3: pci: Fix pm_runtime_get_sync() error checking
misc: fastrpc: fix an incorrect NULL check on list iterator
firmware: stratix10-svc: fix a missing check on list iterator
usb: typec: mux: Check dev_set_name() return value
rpmsg: virtio: Fix possible double free in rpmsg_probe()
rpmsg: virtio: Fix possible double free in rpmsg_virtio_add_ctrl_dev()
rpmsg: virtio: Fix the unregistration of the device rpmsg_ctrl
iio: adc: stmpe-adc: Fix wait_for_completion_timeout return value check
iio: proximity: vl53l0x: Fix return value check of wait_for_completion_timeout
iio: adc: sc27xx: fix read big scale voltage not right
iio: adc: sc27xx: Fine tune the scale calibration values
rpmsg: qcom_smd: Fix returning 0 if irq_of_parse_and_map() fails
pvpanic: Fix typos in the comments
misc/pvpanic: Convert regular spinlock into trylock on panic path
phy: qcom-qmp: fix pipe-clock imbalance on power-on failure
power: supply: axp288_fuel_gauge: Drop BIOS version check from "T3 MRD" DMI quirk
serial: sifive: Report actual baud base rather than fixed 115200
export: fix string handling of namespace in EXPORT_SYMBOL_NS
soundwire: intel: prevent pm_runtime resume prior to system suspend
coresight: cpu-debug: Replace mutex with mutex_trylock on panic notifier
ksmbd: fix reference count leak in smb_check_perm_dacl()
extcon: ptn5150: Add queue work sync before driver release
soc: rockchip: Fix refcount leak in rockchip_grf_init
clocksource/drivers/riscv: Events are stopped during CPU suspend
ARM: dts: aspeed: ast2600-evb: Enable RX delay for MAC0/MAC1
rtc: mt6397: check return value after calling platform_get_resource()
rtc: ftrtc010: Use platform_get_irq() to get the interrupt
rtc: ftrtc010: Fix error handling in ftrtc010_rtc_probe
staging: r8188eu: add check for kzalloc
tty: n_gsm: Don't ignore write return value in gsmld_output()
tty: n_gsm: Fix packet data hex dump output
serial: meson: acquire port->lock in startup()
serial: 8250_fintek: Check SER_RS485_RTS_* only with RS485
serial: cpm_uart: Fix build error without CONFIG_SERIAL_CPM_CONSOLE
serial: digicolor-usart: Don't allow CS5-6
serial: rda-uart: Don't allow CS5-6
serial: txx9: Don't allow CS5-6
serial: sh-sci: Don't allow CS5-6
serial: sifive: Sanitize CSIZE and c_iflag
serial: st-asc: Sanitize CSIZE and correct PARENB for CS7
serial: stm32-usart: Correct CSIZE, bits, and parity
firmware: dmi-sysfs: Fix memory leak in dmi_sysfs_register_handle
bus: ti-sysc: Fix warnings for unbind for serial
driver: base: fix UAF when driver_attach failed
driver core: fix deadlock in __device_attach
watchdog: rti-wdt: Fix pm_runtime_get_sync() error checking
watchdog: ts4800_wdt: Fix refcount leak in ts4800_wdt_probe
blk-mq: don't touch ->tagset in blk_mq_get_sq_hctx
ASoC: fsl_sai: Fix FSL_SAI_xDR/xFR definition
clocksource/drivers/oxnas-rps: Fix irq_of_parse_and_map() return value
s390/crypto: fix scatterwalk_unmap() callers in AES-GCM
net: sched: fixed barrier to prevent skbuff sticking in qdisc backlog
net: ethernet: mtk_eth_soc: out of bounds read in mtk_hwlro_get_fdir_entry()
net: ethernet: ti: am65-cpsw-nuss: Fix some refcount leaks
net: dsa: mv88e6xxx: Fix refcount leak in mv88e6xxx_mdios_register
modpost: fix removing numeric suffixes
jffs2: fix memory leak in jffs2_do_fill_super
ubi: fastmap: Fix high cpu usage of ubi_bgt by making sure wl_pool not empty
ubi: ubi_create_volume: Fix use-after-free when volume creation failed
selftests/bpf: fix selftest after random: Urandom_read tracepoint removal
selftests/bpf: fix stacktrace_build_id with missing kprobe/urandom_read
bpf: Fix probe read error in ___bpf_prog_run()
block: take destination bvec offsets into account in bio_copy_data_iter
riscv: read-only pages should not be writable
net/smc: fixes for converting from "struct smc_cdc_tx_pend **" to "struct smc_wr_tx_pend_priv *"
tcp: add accessors to read/set tp->snd_cwnd
nfp: only report pause frame configuration for physical device
sfc: fix considering that all channels have TX queues
sfc: fix wrong tx channel offset with efx_separate_tx_channels
block: make bioset_exit() fully resilient against being called twice
vdpa: Fix error logic in vdpa_nl_cmd_dev_get_doit
virtio: pci: Fix an error handling path in vp_modern_probe()
net/mlx5: Don't use already freed action pointer
net/mlx5e: TC NIC mode, fix tc chains miss table
net/mlx5: CT: Fix header-rewrite re-use for tupels
net/mlx5: correct ECE offset in query qp output
net/mlx5e: Update netdev features after changing XDP state
net: sched: add barrier to fix packet stuck problem for lockless qdisc
tcp: tcp_rtx_synack() can be called from process context
vdpa: ifcvf: set pci driver data in probe
octeontx2-af: fix error code in is_valid_offset()
s390/mcck: isolate SIE instruction when setting CIF_MCCK_GUEST flag
regulator: mt6315-regulator: fix invalid allowed mode
gpio: pca953x: use the correct register address to do regcache sync
afs: Fix infinite loop found by xfstest generic/676
scsi: sd: Fix potential NULL pointer dereference
tipc: check attribute length for bearer name
driver core: Fix wait_for_device_probe() & deferred_probe_timeout interaction
perf c2c: Fix sorting in percent_rmt_hitm_cmp()
dmaengine: idxd: set DMA_INTERRUPT cap bit
mips: cpc: Fix refcount leak in mips_cpc_default_phys_base
bootconfig: Make the bootconfig.o as a normal object file
tracing: Make tp_printk work on syscall tracepoints
tracing: Fix sleeping function called from invalid context on RT kernel
tracing: Avoid adding tracer option before update_tracer_options
iommu/arm-smmu: fix possible null-ptr-deref in arm_smmu_device_probe()
iommu/arm-smmu-v3: check return value after calling platform_get_resource()
f2fs: remove WARN_ON in f2fs_is_valid_blkaddr
i2c: cadence: Increase timeout per message if necessary
m68knommu: set ZERO_PAGE() to the allocated zeroed page
m68knommu: fix undefined reference to `_init_sp'
dmaengine: zynqmp_dma: In struct zynqmp_dma_chan fix desc_size data type
NFSv4: Don't hold the layoutget locks across multiple RPC calls
video: fbdev: hyperv_fb: Allow resolutions with size > 64 MB for Gen1
video: fbdev: pxa3xx-gcu: release the resources correctly in pxa3xx_gcu_probe/remove()
RISC-V: use memcpy for kexec_file mode
m68knommu: fix undefined reference to `mach_get_rtc_pll'
f2fs: fix to tag gcing flag on page during file defragment
xprtrdma: treat all calls not a bcall when bc_serv is NULL
drm/bridge: sn65dsi83: Fix an error handling path in sn65dsi83_probe()
drm/bridge: ti-sn65dsi83: Handle dsi_lanes == 0 as invalid
netfilter: nat: really support inet nat without l3 address
netfilter: nf_tables: use kfree_rcu(ptr, rcu) to release hooks in clean_net path
netfilter: nf_tables: delete flowtable hooks via transaction list
powerpc/kasan: Force thread size increase with KASAN
SUNRPC: Trap RDMA segment overflows
netfilter: nf_tables: always initialize flowtable hook list in transaction
ata: pata_octeon_cf: Fix refcount leak in octeon_cf_probe
netfilter: nf_tables: release new hooks on unsupported flowtable flags
netfilter: nf_tables: memleak flow rule from commit path
netfilter: nf_tables: bail out early if hardware offload is not supported
xen: unexport __init-annotated xen_xlate_map_ballooned_pages()
stmmac: intel: Fix an error handling path in intel_eth_pci_probe()
af_unix: Fix a data-race in unix_dgram_peer_wake_me().
bpf, arm64: Clear prog->jited_len along prog->jited
net: dsa: lantiq_gswip: Fix refcount leak in gswip_gphy_fw_list
net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure
i40e: xsk: Move tmp desc array from driver to pool
xsk: Fix handling of invalid descriptors in XSK TX batching API
SUNRPC: Fix the calculation of xdr->end in xdr_get_next_encode_buffer()
net: mdio: unexport __init-annotated mdio_bus_init()
net: xfrm: unexport __init-annotated xfrm4_protocol_init()
net: ipv6: unexport __init-annotated seg6_hmac_init()
net/mlx5: Lag, filter non compatible devices
net/mlx5: Fix mlx5_get_next_dev() peer device matching
net/mlx5: Rearm the FW tracer after each tracer event
net/mlx5: fs, fail conflicting actions
ip_gre: test csum_start instead of transport header
net: altera: Fix refcount leak in altera_tse_mdio_create
net: dsa: mv88e6xxx: use BMSR_ANEGCOMPLETE bit for filling an_complete
tcp: use alloc_large_system_hash() to allocate table_perturb
drm: imx: fix compiler warning with gcc-12
nfp: flower: restructure flow-key for gre+vlan combination
iov_iter: Fix iter_xarray_get_pages{,_alloc}()
iio: dummy: iio_simple_dummy: check the return value of kstrdup()
staging: rtl8712: fix a potential memory leak in r871xu_drv_init()
iio: st_sensors: Add a local lock for protecting odr
lkdtm/usercopy: Expand size of "out of frame" object
drivers: staging: rtl8723bs: Fix deadlock in rtw_surveydone_event_callback()
drivers: staging: rtl8192bs: Fix deadlock in rtw_joinbss_event_prehandle()
tty: synclink_gt: Fix null-pointer-dereference in slgt_clean()
tty: Fix a possible resource leak in icom_probe
thunderbolt: Use different lane for second DisplayPort tunnel
drivers: staging: rtl8192u: Fix deadlock in ieee80211_beacons_stop()
drivers: staging: rtl8192e: Fix deadlock in rtllib_beacons_stop()
USB: host: isp116x: check return value after calling platform_get_resource()
drivers: tty: serial: Fix deadlock in sa1100_set_termios()
drivers: usb: host: Fix deadlock in oxu_bus_suspend()
USB: hcd-pci: Fully suspend across freeze/thaw cycle
char: xillybus: fix a refcount leak in cleanup_dev()
sysrq: do not omit current cpu when showing backtrace of all active CPUs
usb: dwc2: gadget: don't reset gadget's driver->bus
soundwire: qcom: adjust autoenumeration timeout
misc: rtsx: set NULL intfdata when probe fails
extcon: Fix extcon_get_extcon_dev() error handling
extcon: Modify extcon device to be created after driver data is set
clocksource/drivers/sp804: Avoid error on multiple instances
staging: rtl8712: fix uninit-value in usb_read8() and friends
staging: rtl8712: fix uninit-value in r871xu_drv_init()
serial: msm_serial: disable interrupts in __msm_console_write()
kernfs: Separate kernfs_pr_cont_buf and rename_lock.
watchdog: wdat_wdt: Stop watchdog when rebooting the system
md: protect md_unregister_thread from reentrancy
scsi: myrb: Fix up null pointer access on myrb_cleanup()
Revert "net: af_key: add check for pfkey_broadcast in function pfkey_process"
ceph: allow ceph.dir.rctime xattr to be updatable
ceph: flush the mdlog for filesystem sync
drm/amd/display: Check if modulo is 0 before dividing.
drm/radeon: fix a possible null pointer dereference
drm/amd/pm: Fix missing thermal throttler status
um: line: Use separate IRQs per line
modpost: fix undefined behavior of is_arm_mapping_symbol()
x86/cpu: Elide KCSAN for cpu_has() and friends
jump_label,noinstr: Avoid instrumentation for JUMP_LABEL=n builds
nbd: call genl_unregister_family() first in nbd_cleanup()
nbd: fix race between nbd_alloc_config() and module removal
nbd: fix io hung while disconnecting device
s390/gmap: voluntarily schedule during key setting
cifs: version operations for smb20 unneeded when legacy support disabled
drm/amd/pm: use bitmap_{from,to}_arr32 where appropriate
nodemask: Fix return values to be unsigned
vringh: Fix loop descriptors check in the indirect cases
scripts/gdb: change kernel config dumping method
ALSA: usb-audio: Skip generic sync EP parse for secondary EP
ALSA: usb-audio: Set up (implicit) sync for Saffire 6
ALSA: hda/conexant - Fix loopback issue with CX20632
ALSA: hda/realtek: Fix for quirk to enable speaker output on the Lenovo Yoga DuetITL 2021
ALSA: hda/realtek: Add quirk for HP Dev One
cifs: return errors during session setup during reconnects
cifs: fix reconnect on smb3 mount types
KEYS: trusted: tpm2: Fix migratable logic
ata: libata-transport: fix {dma|pio|xfer}_mode sysfs files
mmc: block: Fix CQE recovery reset success
net: phy: dp83867: retrigger SGMII AN when link change
net: openvswitch: fix misuse of the cached connection on tuple changes
writeback: Fix inode->i_io_list not be protected by inode->i_lock error
nfc: st21nfca: fix incorrect validating logic in EVT_TRANSACTION
nfc: st21nfca: fix memory leaks in EVT_TRANSACTION handling
nfc: st21nfca: fix incorrect sizing calculations in EVT_TRANSACTION
ixgbe: fix bcast packets Rx on VF after promisc removal
ixgbe: fix unexpected VLAN Rx in promisc mode on VF
Input: bcm5974 - set missing URB_NO_TRANSFER_DMA_MAP urb flag
vduse: Fix NULL pointer dereference on sysfs access
powerpc: Don't select HAVE_IRQ_EXIT_ON_IRQ_STACK
drm/bridge: analogix_dp: Support PSR-exit to disable transition
drm/atomic: Force bridge self-refresh-exit on CRTC switch
drm/amdgpu: update VCN codec support for Yellow Carp
powerpc/32: Fix overread/overwrite of thread_struct via ptrace
powerpc/mm: Switch obsolete dssall to .long
drm/ast: Create threshold values for AST2600
random: avoid checking crng_ready() twice in random_init()
random: mark bootloader randomness code as __init
random: account for arch randomness in bits
md/raid0: Ignore RAID0 layout if the second zone has only one device
net/sched: act_police: more accurate MTU policing
PCI: qcom: Fix pipe clock imbalance
zonefs: fix handling of explicit_open option on mount
iov_iter: fix build issue due to possible type mis-match
dmaengine: idxd: add missing callback function to support DMA_INTERRUPT
tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd
xsk: Fix possible crash when multiple sockets are created
Linux 5.15.47
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I40e7672edf2bd713fee775919d062e2934d9103d
|
||
Eric Dumazet
|
90385f2b65 |
tcp: fix tcp_mtup_probe_success vs wrong snd_cwnd
commit 11825765291a93d8e7f44230da67b9f607c777bf upstream.
syzbot got a new report [1] finally pointing to a very old bug,
added in initial support for MTU probing.
tcp_mtu_probe() has checks about starting an MTU probe if
tcp_snd_cwnd(tp) >= 11.
But nothing prevents tcp_snd_cwnd(tp) to be reduced later
and before the MTU probe succeeds.
This bug would lead to potential zero-divides.
Debugging added in commit 40570375356c ("tcp: add accessors
to read/set tp->snd_cwnd") has paid off :)
While we are at it, address potential overflows in this code.
[1]
WARNING: CPU: 1 PID: 14132 at include/net/tcp.h:1219 tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
Modules linked in:
CPU: 1 PID: 14132 Comm: syz-executor.2 Not tainted 5.18.0-syzkaller-07857-gbabf0bb978e3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
RIP: 0010:tcp_snd_cwnd_set include/net/tcp.h:1219 [inline]
RIP: 0010:tcp_mtup_probe_success+0x366/0x570 net/ipv4/tcp_input.c:2712
Code: 74 08 48 89 ef e8 da 80 17 f9 48 8b 45 00 65 48 ff 80 80 03 00 00 48 83 c4 30 5b 41 5c 41 5d 41 5e 41 5f 5d c3 e8 aa b0 c5 f8 <0f> 0b e9 16 fe ff ff 48 8b 4c 24 08 80 e1 07 38 c1 0f 8c c7 fc ff
RSP: 0018:ffffc900079e70f8 EFLAGS: 00010287
RAX: ffffffff88c0f7f6 RBX: ffff8880756e7a80 RCX: 0000000000040000
RDX: ffffc9000c6c4000 RSI: 0000000000031f9e RDI: 0000000000031f9f
RBP: 0000000000000000 R08: ffffffff88c0f606 R09: ffffc900079e7520
R10: ffffed101011226d R11: 1ffff1101011226c R12: 1ffff1100eadcf50
R13: ffff8880756e72c0 R14: 1ffff1100eadcf89 R15: dffffc0000000000
FS: 00007f643236e700(0000) GS:ffff8880b9b00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f1ab3f1e2a0 CR3: 0000000064fe7000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tcp_clean_rtx_queue+0x223a/0x2da0 net/ipv4/tcp_input.c:3356
tcp_ack+0x1962/0x3c90 net/ipv4/tcp_input.c:3861
tcp_rcv_established+0x7c8/0x1ac0 net/ipv4/tcp_input.c:5973
tcp_v6_do_rcv+0x57b/0x1210 net/ipv6/tcp_ipv6.c:1476
sk_backlog_rcv include/net/sock.h:1061 [inline]
__release_sock+0x1d8/0x4c0 net/core/sock.c:2849
release_sock+0x5d/0x1c0 net/core/sock.c:3404
sk_stream_wait_memory+0x700/0xdc0 net/core/stream.c:145
tcp_sendmsg_locked+0x111d/0x3fc0 net/ipv4/tcp.c:1410
tcp_sendmsg+0x2c/0x40 net/ipv4/tcp.c:1448
sock_sendmsg_nosec net/socket.c:714 [inline]
sock_sendmsg net/socket.c:734 [inline]
__sys_sendto+0x439/0x5c0 net/socket.c:2119
__do_sys_sendto net/socket.c:2131 [inline]
__se_sys_sendto net/socket.c:2127 [inline]
__x64_sys_sendto+0xda/0xf0 net/socket.c:2127
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x2b/0x70 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f6431289109
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f643236e168 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00007f643139c100 RCX: 00007f6431289109
RDX: 00000000d0d0c2ac RSI: 0000000020000080 RDI: 000000000000000a
RBP: 00007f64312e308d R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fff372533af R14: 00007f643236e300 R15: 0000000000022000
Fixes:
|
||
|
Eric Dumazet
|
3308676ec5 |
tcp: add accessors to read/set tp->snd_cwnd
[ Upstream commit 40570375356c874b1578e05c1dcc3ff7c1322dbe ]
We had various bugs over the years with code
breaking the assumption that tp->snd_cwnd is greater
than zero.
Lately, syzbot reported the WARN_ON_ONCE(!tp->prior_cwnd) added
in commit
|
||
|
Greg Kroah-Hartman
|
790563bee2 |
Merge 5.15.38 into android14-5.15
Changes in 5.15.38
usb: mtu3: fix USB 3.0 dual-role-switch from device to host
USB: quirks: add a Realtek card reader
USB: quirks: add STRING quirk for VCOM device
USB: serial: whiteheat: fix heap overflow in WHITEHEAT_GET_DTR_RTS
USB: serial: cp210x: add PIDs for Kamstrup USB Meter Reader
USB: serial: option: add support for Cinterion MV32-WA/MV32-WB
USB: serial: option: add Telit 0x1057, 0x1058, 0x1075 compositions
usb: xhci: tegra:Fix PM usage reference leak of tegra_xusb_unpowergate_partitions
xhci: Enable runtime PM on second Alderlake controller
xhci: stop polling roothubs after shutdown
xhci: increase usb U3 -> U0 link resume timeout from 100ms to 500ms
iio: dac: ad5592r: Fix the missing return value.
iio: dac: ad5446: Fix read_raw not returning set value
iio: magnetometer: ak8975: Fix the error handling in ak8975_power_on()
iio: imu: inv_icm42600: Fix I2C init possible nack
usb: misc: fix improper handling of refcount in uss720_probe()
usb: core: Don't hold the device lock while sleeping in do_proc_control()
usb: typec: ucsi: Fix reuse of completion structure
usb: typec: ucsi: Fix role swapping
usb: gadget: uvc: Fix crash when encoding data for usb request
usb: gadget: configfs: clear deactivation flag in configfs_composite_unbind()
usb: dwc3: Try usb-role-switch first in dwc3_drd_init
usb: dwc3: core: Fix tx/rx threshold settings
usb: dwc3: core: Only handle soft-reset in DCTL
usb: dwc3: gadget: Return proper request status
usb: dwc3: pci: add support for the Intel Meteor Lake-P
usb: cdns3: Fix issue for clear halt endpoint
usb: phy: generic: Get the vbus supply
serial: imx: fix overrun interrupts in DMA mode
serial: amba-pl011: do not time out prematurely when draining tx fifo
serial: 8250: Also set sticky MCR bits in console restoration
serial: 8250: Correct the clock for EndRun PTP/1588 PCIe device
arch_topology: Do not set llc_sibling if llc_id is invalid
ceph: fix possible NULL pointer dereference for req->r_session
bus: mhi: host: pci_generic: Add missing poweroff() PM callback
bus: mhi: host: pci_generic: Flush recovery worker during freeze
arm64: dts: imx8mm-venice: fix spi2 pin configuration
pinctrl: samsung: fix missing GPIOLIB on ARM64 Exynos config
hex2bin: make the function hex_to_bin constant-time
hex2bin: fix access beyond string end
riscv: patch_text: Fixup last cpu should be master
x86/pci/xen: Disable PCI/MSI[-X] masking for XEN_HVM guests
iocost: don't reset the inuse weight of under-weighted debtors
virtio_net: fix wrong buf address calculation when using xdp
cpufreq: qcom-hw: fix the race between LMH worker and cpuhp
cpufreq: qcom-cpufreq-hw: Fix throttle frequency value on EPSS platforms
video: fbdev: udlfb: properly check endpoint type
arm64: dts: meson: remove CPU opps below 1GHz for G12B boards
arm64: dts: meson: remove CPU opps below 1GHz for SM1 boards
iio:imu:bmi160: disable regulator in error path
mtd: rawnand: fix ecc parameters for mt7622
xsk: Fix l2fwd for copy mode + busy poll combo
arm64: dts: imx8qm: Correct SCU clock controller's compatible property
USB: Fix xhci event ring dequeue pointer ERDP update issue
ARM: dts: imx6qdl-apalis: Fix sgtl5000 detection issue
arm64: dts: imx8mn: Fix SAI nodes
arm64: dts: meson-sm1-bananapi-m5: fix wrong GPIO pin labeling for CON1
phy: samsung: Fix missing of_node_put() in exynos_sata_phy_probe
phy: samsung: exynos5250-sata: fix missing device put in probe error paths
ARM: OMAP2+: Fix refcount leak in omap_gic_of_init
bus: ti-sysc: Make omap3 gpt12 quirk handling SoC specific
ARM: dts: dra7: Fix suspend warning for vpe powerdomain
phy: ti: omap-usb2: Fix error handling in omap_usb2_enable_clocks
ARM: dts: at91: Map MCLK for wm8731 on at91sam9g20ek
ARM: dts: at91: sama5d4_xplained: fix pinctrl phandle name
ARM: dts: at91: fix pinctrl phandles
phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe
phy: ti: Add missing pm_runtime_disable() in serdes_am654_probe
interconnect: qcom: sdx55: Drop IP0 interconnects
ARM: dts: Fix mmc order for omap3-gta04
ARM: dts: am3517-evm: Fix misc pinmuxing
ARM: dts: logicpd-som-lv: Fix wrong pinmuxing on OMAP35
ipvs: correctly print the memory size of ip_vs_conn_tab
phy: amlogic: fix error path in phy_g12a_usb3_pcie_probe()
pinctrl: mediatek: moore: Fix build error
mtd: rawnand: Fix return value check of wait_for_completion_timeout
mtd: fix 'part' field data corruption in mtd_info
pinctrl: stm32: Do not call stm32_gpio_get() for edge triggered IRQs in EOI
memory: renesas-rpc-if: Fix HF/OSPI data transfer in Manual Mode
net: dsa: Add missing of_node_put() in dsa_port_link_register_of
netfilter: nft_set_rbtree: overlap detection with element re-addition after deletion
bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook
pinctrl: rockchip: fix RK3308 pinmux bits
tcp: md5: incorrect tcp_header_len for incoming connections
pinctrl: stm32: Keep pinctrl block clock enabled when LEVEL IRQ requested
tcp: ensure to use the most recently sent skb when filling the rate sample
wireguard: device: check for metadata_dst with skb_valid_dst()
sctp: check asoc strreset_chunk in sctp_generate_reconf_event
ARM: dts: imx6ull-colibri: fix vqmmc regulator
arm64: dts: imx8mn-ddr4-evk: Describe the 32.768 kHz PMIC clock
pinctrl: pistachio: fix use of irq_of_parse_and_map()
cpufreq: fix memory leak in sun50i_cpufreq_nvmem_probe
net: hns3: clear inited state and stop client after failed to register netdev
net: hns3: modify the return code of hclge_get_ring_chain_from_mbx
net: hns3: add validity check for message data length
net: hns3: add return value for mailbox handling in PF
net/smc: sync err code when tcp connection was refused
ip_gre: Make o_seqno start from 0 in native mode
ip6_gre: Make o_seqno start from 0 in native mode
ip_gre, ip6_gre: Fix race condition on o_seqno in collect_md mode
tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
tcp: make sure treq->af_specific is initialized
bus: sunxi-rsb: Fix the return value of sunxi_rsb_device_create()
clk: sunxi: sun9i-mmc: check return value after calling platform_get_resource()
cpufreq: qcom-cpufreq-hw: Clear dcvs interrupts
net: bcmgenet: hide status block before TX timestamping
net: phy: marvell10g: fix return value on error
net: dsa: mv88e6xxx: Fix port_hidden_wait to account for port_base_addr
drm/sun4i: Remove obsolete references to PHYS_OFFSET
net: dsa: lantiq_gswip: Don't set GSWIP_MII_CFG_RMII_CLK
io_uring: check reserved fields for send/sendmsg
io_uring: check reserved fields for recv/recvmsg
netfilter: conntrack: fix udp offload timeout sysctl
drm/amdkfd: Fix GWS queue count
drm/amd/display: Fix memory leak in dcn21_clock_source_create
tls: Skip tls_append_frag on zero copy size
bnx2x: fix napi API usage sequence
net: fec: add missing of_node_put() in fec_enet_init_stop_mode()
gfs2: Prevent endless loops in gfs2_file_buffered_write
gfs2: Minor retry logic cleanup
gfs2: Make sure not to return short direct writes
gfs2: No short reads or writes upon glock contention
perf arm-spe: Fix addresses of synthesized SPE events
ixgbe: ensure IPsec VF<->PF compatibility
Revert "ibmvnic: Add ethtool private flag for driver-defined queue limits"
tcp: fix F-RTO may not work correctly when receiving DSACK
ASoC: Intel: soc-acpi: correct device endpoints for max98373
ASoC: wm8731: Disable the regulator when probing fails
ext4: fix bug_on in start_this_handle during umount filesystem
arch: xtensa: platforms: Fix deadlock in rs_close()
ksmbd: increment reference count of parent fp
ksmbd: set fixed sector size to FS_SECTOR_SIZE_INFORMATION
bonding: do not discard lowest hash bit for non layer3+4 hashing
x86: __memcpy_flushcache: fix wrong alignment if size > 2^32
cifs: destage any unwritten data to the server before calling copychunk_write
drivers: net: hippi: Fix deadlock in rr_close()
powerpc/perf: Fix 32bit compile
selftest/vm: verify mmap addr in mremap_test
selftest/vm: verify remap destination address in mremap_test
Revert "ACPI: processor: idle: fix lockup regression on 32-bit ThinkPad T40"
zonefs: Fix management of open zones
zonefs: Clear inode information flags on inode creation
kasan: prevent cpu_quarantine corruption when CPU offline and cache shrink occur at same time
mtd: rawnand: qcom: fix memory corruption that causes panic
netfilter: Update ip6_route_me_harder to consider L3 domain
drm/i915: Check EDID for HDR static metadata when choosing blc
drm/i915: Fix SEL_FETCH_PLANE_*(PIPE_B+) register addresses
net: ethernet: stmmac: fix write to sgmii_adapter_base
ACPI: processor: idle: Avoid falling back to C3 type C-states
thermal: int340x: Fix attr.show callback prototype
btrfs: fix leaked plug after failure syncing log on zoned filesystems
ARM: dts: at91: sama7g5ek: enable pull-up on flexcom3 console lines
ARM: dts: imx8mm-venice-gw{71xx,72xx,73xx}: fix OTG controller OC mode
x86/cpu: Load microcode during restore_processor_state()
perf symbol: Pass is_kallsyms to symbols__fixup_end()
perf symbol: Update symbols__fixup_end()
tty: n_gsm: fix restart handling via CLD command
tty: n_gsm: fix decoupled mux resource
tty: n_gsm: fix mux cleanup after unregister tty device
tty: n_gsm: fix wrong signal octet encoding in convergence layer type 2
tty: n_gsm: fix malformed counter for out of frame data
netfilter: nft_socket: only do sk lookups when indev is available
tty: n_gsm: fix insufficient txframe size
tty: n_gsm: fix wrong DLCI release order
tty: n_gsm: fix missing explicit ldisc flush
tty: n_gsm: fix wrong command retry handling
tty: n_gsm: fix wrong command frame length field encoding
tty: n_gsm: fix wrong signal octets encoding in MSC
tty: n_gsm: fix missing tty wakeup in convergence layer type 2
tty: n_gsm: fix reset fifo race condition
tty: n_gsm: fix incorrect UA handling
tty: n_gsm: fix software flow control handling
perf symbol: Remove arch__symbols__fixup_end()
eeprom: at25: Use DMA safe buffers
objtool: Fix code relocs vs weak symbols
objtool: Fix type of reloc::addend
powerpc/64: Add UADDR64 relocation support
Linux 5.15.38
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: Icb44a1f2d2d6f7b0f10ccc59521353c6ac836b5c
|
||
Pengcheng Yang
|
27e724bf7c |
tcp: fix F-RTO may not work correctly when receiving DSACK
[ Upstream commit d9157f6806d1499e173770df1f1b234763de5c79 ]
Currently DSACK is regarded as a dupack, which may cause
F-RTO to incorrectly enter "loss was real" when receiving
DSACK.
Packetdrill to demonstrate:
// Enable F-RTO and TLP
0 `sysctl -q net.ipv4.tcp_frto=2`
0 `sysctl -q net.ipv4.tcp_early_retrans=3`
0 `sysctl -q net.ipv4.tcp_congestion_control=cubic`
// Establish a connection
+0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0
// RTT 10ms, RTO 210ms
+.1 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
+0 > S. 0:0(0) ack 1 <...>
+.01 < . 1:1(0) ack 1 win 257
+0 accept(3, ..., ...) = 4
// Send 2 data segments
+0 write(4, ..., 2000) = 2000
+0 > P. 1:2001(2000) ack 1
// TLP
+.022 > P. 1001:2001(1000) ack 1
// Continue to send 8 data segments
+0 write(4, ..., 10000) = 10000
+0 > P. 2001:10001(8000) ack 1
// RTO
+.188 > . 1:1001(1000) ack 1
// The original data is acked and new data is sent(F-RTO step 2.b)
+0 < . 1:1(0) ack 2001 win 257
+0 > P. 10001:12001(2000) ack 1
// D-SACK caused by TLP is regarded as a dupack, this results in
// the incorrect judgment of "loss was real"(F-RTO step 3.a)
+.022 < . 1:1(0) ack 2001 win 257 <sack 1001:2001,nop,nop>
// Never-retransmitted data(3001:4001) are acked and
// expect to switch to open state(F-RTO step 3.b)
+0 < . 1:1(0) ack 4001 win 257
+0 %{ assert tcpi_ca_state == 0, tcpi_ca_state }%
Fixes:
|
||
|
Eric Dumazet
|
6c4d4334e5 |
tcp: fix potential xmit stalls caused by TCP_NOTSENT_LOWAT
[ Upstream commit 4bfe744ff1644fbc0a991a2677dc874475dd6776 ] I had this bug sitting for too long in my pile, it is time to fix it. Thanks to Doug Porter for reminding me of it! We had various attempts in the past, including commit |
||
|
Greg Kroah-Hartman
|
344a3ff87c |
Merge 5.15.20 into android13-5.15
Changes in 5.15.20 PCI: pciehp: Fix infinite loop in IRQ handler upon power fault selftests: mptcp: fix ipv6 routing setup net: ipa: use a bitmap for endpoint replenish_enabled net: ipa: prevent concurrent replenish drm/vc4: hdmi: Make sure the device is powered with CEC cgroup-v1: Require capabilities to set release_agent Revert "mm/gup: small refactoring: simplify try_grab_page()" ovl: don't fail copy up if no fileattr support on upper lockd: fix server crash on reboot of client holding lock lockd: fix failure to cleanup client locks net/mlx5e: IPsec: Fix tunnel mode crypto offload for non TCP/UDP traffic net/mlx5: Bridge, take rtnl lock in init error handler net/mlx5: Bridge, ensure dev_name is null-terminated net/mlx5e: Fix handling of wrong devices during bond netevent net/mlx5: Use del_timer_sync in fw reset flow of halting poll net/mlx5e: Fix module EEPROM query net/mlx5: Fix offloading with ESWITCH_IPV4_TTL_MODIFY_ENABLE net/mlx5e: Don't treat small ceil values as unlimited in HTB offload net/mlx5: Bridge, Fix devlink deadlock on net namespace deletion net/mlx5: E-Switch, Fix uninitialized variable modact ipheth: fix EOVERFLOW in ipheth_rcvbulk_callback i40e: Fix reset bw limit when DCB enabled with 1 TC i40e: Fix reset path while removing the driver net: amd-xgbe: ensure to reset the tx_timer_active flag net: amd-xgbe: Fix skb data length underflow fanotify: Fix stale file descriptor in copy_event_to_user() net: sched: fix use-after-free in tc_new_tfilter() rtnetlink: make sure to refresh master_dev/m_ops in __rtnl_newlink() cpuset: Fix the bug that subpart_cpus updated wrongly in update_cpumask() e1000e: Handshake with CSME starts from ADL platforms af_packet: fix data-race in packet_setsockopt / packet_setsockopt tcp: add missing tcp_skb_can_collapse() test in tcp_shift_skb_data() ovl: fix NULL pointer dereference in copy up warning Linux 5.15.20 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Ia50333eff81881fac62eb52455b502e6c46ff3d9 |
||
|
Eric Dumazet
|
c3d81231ab |
tcp: add missing tcp_skb_can_collapse() test in tcp_shift_skb_data()
commit b67985be400969578d4d4b17299714c0e5d2c07b upstream. tcp_shift_skb_data() might collapse three packets into a larger one. P_A, P_B, P_C -> P_ABC Historically, it used a single tcp_skb_can_collapse_to(P_A) call, because it was enough. In commit |
||
|
Greg Kroah-Hartman
|
37039d2a38 |
Merge 5.15.12 into android13-5.15
Changes in 5.15.12 arm64: vdso32: require CROSS_COMPILE_COMPAT for gcc+bfd net: usb: lan78xx: add Allied Telesis AT29M2-AF ext4: prevent partial update of the extent blocks ext4: check for out-of-order index extents in ext4_valid_extent_entries() ext4: check for inconsistent extents between index and leaf block selftests: KVM: Fix non-x86 compiling HID: holtek: fix mouse probing HID: potential dereference of null pointer NFSD: Fix READDIR buffer overflow PM: sleep: Fix error handling in dpm_prepare() arm64: dts: allwinner: orangepi-zero-plus: fix PHY mode bus: sunxi-rsb: Fix shutdown spi: change clk_disable_unprepare to clk_unprepare ucounts: Fix rlimit max values check drm/mediatek: hdmi: Perform NULL pointer check for mtk_hdmi_conf ASoC: meson: aiu: fifo: Add missing dma_coerce_mask_and_coherent() RDMA/hns: Fix RNR retransmission issue for HIP08 IB/qib: Fix memory leak in qib_user_sdma_queue_pkts() RDMA/hns: Replace kfree() with kvfree() netfilter: nf_tables: fix use-after-free in nft_set_catchall_destroy() netfilter: fix regression in looped (broad|multi)cast's MAC handling ARM: dts: imx6qdl-wandboard: Fix Ethernet support ice: Use xdp_buf instead of rx_buf for xsk zero-copy ice: xsk: return xsk buffers back to pool when cleaning the ring net: marvell: prestera: fix incorrect return of port_find net: marvell: prestera: fix incorrect structure access qlcnic: potential dereference null pointer of rx_queue->page_ring tcp: move inet->rx_dst_ifindex to sk->sk_rx_dst_ifindex ipv6: move inet6_sk(sk)->rx_dst_cookie to sk->sk_rx_dst_cookie inet: fully convert sk->sk_rx_dst to RCU rules net: accept UFOv6 packages in virtio_net_hdr_to_skb net: skip virtio_net_hdr_set_proto if protocol already set igb: fix deadlock caused by taking RTNL in RPM resume path ipmi: Fix UAF when uninstall ipmi_si and ipmi_msghandler module gpio: virtio: remove timeout bonding: fix ad_actor_system option setting to default fjes: Check for error irq drivers: net: smc911x: Check for error irq net: ks8851: Check for error irq sfc: Check null pointer of rx_queue->page_ring sfc: falcon: Check null pointer of rx_queue->page_ring asix: fix uninit-value in asix_mdio_read() asix: fix wrong return value in asix_check_host_enable() io_uring: zero iocb->ki_pos for stream file types veth: ensure skb entering GRO are not cloned. net: stmmac: ptp: fix potentially overflowing expression net: bridge: Use array_size() helper in copy_to_user() net: bridge: fix ioctl old_deviceless bridge argument r8152: fix the force speed doesn't work for RTL8156 net: stmmac: dwmac-visconti: Fix value of ETHER_CLK_SEL_FREQ_SEL_2P5M Input: elantech - fix stack out of bound access in elantech_change_report_id() pinctrl: bcm2835: Change init order for gpio hogs hwmon: (lm90) Fix usage of CONFIG2 register in detect function hwmon: (lm90) Prevent integer overflow/underflow in hysteresis calculations hwmon: (lm90) Introduce flag indicating extended temperature support hwmon: (lm90) Add basic support for TI TMP461 hwmon: (lm90) Drop critical attribute support for MAX6654 ARM: 9160/1: NOMMU: Reload __secondary_data after PROCINFO_INITFUNC uapi: Fix undefined __always_inline on non-glibc systems compiler.h: Fix annotation macro misplacement with Clang platform/x86/intel: Remove X86_PLATFORM_DRIVERS_INTEL kernel/crash_core: suppress unknown crashkernel parameter warning Revert "x86/boot: Pull up cmdline preparation and early param parsing" x86/boot: Move EFI range reservation after cmdline parsing ALSA: jack: Check the return value of kstrdup() ALSA: drivers: opl3: Fix incorrect use of vp->state ALSA: rawmidi - fix the uninitalized user_pversion ALSA: hda/hdmi: Disable silent stream on GLK ALSA: hda/realtek: Amp init fixup for HP ZBook 15 G6 ALSA: hda/realtek: Add new alc285-hp-amp-init model ALSA: hda/realtek: fix mute/micmute LEDs for a HP ProBook ALSA: hda/realtek: Fix quirk for Clevo NJ51CU ASoC: meson: aiu: Move AIU_I2S_MISC hold setting to aiu-fifo-i2s ASoC: tegra: Add DAPM switches for headphones and mic jack ASoC: tegra: Restore headphones jack name on Nyan Big Input: atmel_mxt_ts - fix double free in mxt_read_info_block ipmi: bail out if init_srcu_struct fails ipmi: ssif: initialize ssif_info->client early ipmi: fix initialization when workqueue allocation fails parisc: Correct completer in lws start parisc: Fix mask used to select futex spinlock tee: handle lookup of shm with reference count 0 x86/pkey: Fix undefined behaviour with PKRU_WD_BIT platform/x86: amd-pmc: only use callbacks for suspend platform/x86: intel_pmc_core: fix memleak on registration failure KVM: x86: Always set kvm_run->if_flag KVM: x86/mmu: Don't advance iterator after restart due to yielding KVM: nVMX: Synthesize TRIPLE_FAULT for L2 if emulation is required KVM: VMX: Always clear vmx->fail on emulation_required KVM: VMX: Wake vCPU when delivering posted IRQ even if vCPU == this vCPU pinctrl: stm32: consider the GPIO offset to expose all the GPIO lines gpio: dln2: Fix interrupts when replugging the device mmc: sdhci-tegra: Fix switch to HS400ES mode mmc: meson-mx-sdhc: Set MANUAL_STOP for multi-block SDIO commands mmc: core: Disable card detect during shutdown mmc: mmci: stm32: clear DLYB_CR after sending tuning command ARM: 9169/1: entry: fix Thumb2 bug in iWMMXt exception handling ksmbd: fix error code in ndr_read_int32() ksmbd: fix uninitialized symbol 'pntsd_size' ksmbd: disable SMB2_GLOBAL_CAP_ENCRYPTION for SMB 3.1.1 mac80211: fix locking in ieee80211_start_ap error path mm: mempolicy: fix THP allocations escaping mempolicy restrictions mm, hwpoison: fix condition in free hugetlb page path mm/hwpoison: clear MF_COUNT_INCREASED before retrying get_any_page() mm/damon/dbgfs: protect targets destructions with kdamond_lock tee: optee: Fix incorrect page free bug f2fs: fix to do sanity check on last xattr entry in __f2fs_setxattr() netfs: fix parameter of cleanup() KVM: VMX: Fix stale docs for kvm-intel.emulate_invalid_guest_state arm64: dts: lx2160a: fix scl-gpios property name kfence: fix memory leak when cat kfence objects Input: iqs626a - prohibit inlining of channel parsing functions Input: elants_i2c - do not check Remark ID on eKTH3900/eKTH5312 Input: goodix - add id->model mapping for the "9111" model ASoC: tas2770: Fix setting of high sample rates ASoC: SOF: Intel: pci-tgl: add new ADL-P variant ASoC: SOF: Intel: pci-tgl: add ADL-N support ASoC: rt5682: fix the wrong jack type detected pinctrl: mediatek: fix global-out-of-bounds issue hwmom: (lm90) Fix citical alarm status for MAX6680/MAX6681 hwmon: (lm90) Do not report 'busy' status bit as alarm r8152: sync ocp base ax25: NPD bug when detaching AX25 device hamradio: defer ax25 kfree after unregister_netdev hamradio: improve the incomplete fix to avoid NPD tun: avoid double free in tun_free_netdev phonet/pep: refuse to enable an unbound pipe Linux 5.15.12 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I5e3abccc5e4dc038ebf84e8efee6083b2c7f39d5 |
||
|
Eric Dumazet
|
0249a4b8a5 |
inet: fully convert sk->sk_rx_dst to RCU rules
[ Upstream commit 8f905c0e7354ef261360fb7535ea079b1082c105 ]
syzbot reported various issues around early demux,
one being included in this changelog [1]
sk->sk_rx_dst is using RCU protection without clearly
documenting it.
And following sequences in tcp_v4_do_rcv()/tcp_v6_do_rcv()
are not following standard RCU rules.
[a] dst_release(dst);
[b] sk->sk_rx_dst = NULL;
They look wrong because a delete operation of RCU protected
pointer is supposed to clear the pointer before
the call_rcu()/synchronize_rcu() guarding actual memory freeing.
In some cases indeed, dst could be freed before [b] is done.
We could cheat by clearing sk_rx_dst before calling
dst_release(), but this seems the right time to stick
to standard RCU annotations and debugging facilities.
[1]
BUG: KASAN: use-after-free in dst_check include/net/dst.h:470 [inline]
BUG: KASAN: use-after-free in tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792
Read of size 2 at addr ffff88807f1cb73a by task syz-executor.5/9204
CPU: 0 PID: 9204 Comm: syz-executor.5 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description.constprop.0.cold+0x8d/0x320 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
kasan_report.cold+0x83/0xdf mm/kasan/report.c:450
dst_check include/net/dst.h:470 [inline]
tcp_v4_early_demux+0x95b/0x960 net/ipv4/tcp_ipv4.c:1792
ip_rcv_finish_core.constprop.0+0x15de/0x1e80 net/ipv4/ip_input.c:340
ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583
ip_sublist_rcv net/ipv4/ip_input.c:609 [inline]
ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644
__netif_receive_skb_list_ptype net/core/dev.c:5508 [inline]
__netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556
__netif_receive_skb_list net/core/dev.c:5608 [inline]
netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699
gro_normal_list net/core/dev.c:5853 [inline]
gro_normal_list net/core/dev.c:5849 [inline]
napi_complete_done+0x1f1/0x880 net/core/dev.c:6590
virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]
virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557
__napi_poll+0xaf/0x440 net/core/dev.c:7023
napi_poll net/core/dev.c:7090 [inline]
net_rx_action+0x801/0xb40 net/core/dev.c:7177
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
invoke_softirq kernel/softirq.c:432 [inline]
__irq_exit_rcu+0x123/0x180 kernel/softirq.c:637
irq_exit_rcu+0x5/0x20 kernel/softirq.c:649
common_interrupt+0x52/0xc0 arch/x86/kernel/irq.c:240
asm_common_interrupt+0x1e/0x40 arch/x86/include/asm/idtentry.h:629
RIP: 0033:0x7f5e972bfd57
Code: 39 d1 73 14 0f 1f 80 00 00 00 00 48 8b 50 f8 48 83 e8 08 48 39 ca 77 f3 48 39 c3 73 3e 48 89 13 48 8b 50 f8 48 89 38 49 8b 0e <48> 8b 3e 48 83 c3 08 48 83 c6 08 eb bc 48 39 d1 72 9e 48 39 d0 73
RSP: 002b:00007fff8a413210 EFLAGS: 00000283
RAX: 00007f5e97108990 RBX: 00007f5e97108338 RCX: ffffffff81d3aa45
RDX: ffffffff81d3aa45 RSI: 00007f5e97108340 RDI: ffffffff81d3aa45
RBP: 00007f5e97107eb8 R08: 00007f5e97108d88 R09: 0000000093c2e8d9
R10: 0000000000000000 R11: 0000000000000000 R12: 00007f5e97107eb0
R13: 00007f5e97108338 R14: 00007f5e97107ea8 R15: 0000000000000019
</TASK>
Allocated by task 13:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:46 [inline]
set_alloc_info mm/kasan/common.c:434 [inline]
__kasan_slab_alloc+0x90/0xc0 mm/kasan/common.c:467
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3234 [inline]
slab_alloc mm/slub.c:3242 [inline]
kmem_cache_alloc+0x202/0x3a0 mm/slub.c:3247
dst_alloc+0x146/0x1f0 net/core/dst.c:92
rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613
ip_route_input_slow+0x1817/0x3a20 net/ipv4/route.c:2340
ip_route_input_rcu net/ipv4/route.c:2470 [inline]
ip_route_input_noref+0x116/0x2a0 net/ipv4/route.c:2415
ip_rcv_finish_core.constprop.0+0x288/0x1e80 net/ipv4/ip_input.c:354
ip_list_rcv_finish.constprop.0+0x1b2/0x6e0 net/ipv4/ip_input.c:583
ip_sublist_rcv net/ipv4/ip_input.c:609 [inline]
ip_list_rcv+0x34e/0x490 net/ipv4/ip_input.c:644
__netif_receive_skb_list_ptype net/core/dev.c:5508 [inline]
__netif_receive_skb_list_core+0x549/0x8e0 net/core/dev.c:5556
__netif_receive_skb_list net/core/dev.c:5608 [inline]
netif_receive_skb_list_internal+0x75e/0xd80 net/core/dev.c:5699
gro_normal_list net/core/dev.c:5853 [inline]
gro_normal_list net/core/dev.c:5849 [inline]
napi_complete_done+0x1f1/0x880 net/core/dev.c:6590
virtqueue_napi_complete drivers/net/virtio_net.c:339 [inline]
virtnet_poll+0xca2/0x11b0 drivers/net/virtio_net.c:1557
__napi_poll+0xaf/0x440 net/core/dev.c:7023
napi_poll net/core/dev.c:7090 [inline]
net_rx_action+0x801/0xb40 net/core/dev.c:7177
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
Freed by task 13:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:46
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:366 [inline]
____kasan_slab_free mm/kasan/common.c:328 [inline]
__kasan_slab_free+0xff/0x130 mm/kasan/common.c:374
kasan_slab_free include/linux/kasan.h:235 [inline]
slab_free_hook mm/slub.c:1723 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1749
slab_free mm/slub.c:3513 [inline]
kmem_cache_free+0xbd/0x5d0 mm/slub.c:3530
dst_destroy+0x2d6/0x3f0 net/core/dst.c:127
rcu_do_batch kernel/rcu/tree.c:2506 [inline]
rcu_core+0x7ab/0x1470 kernel/rcu/tree.c:2741
__do_softirq+0x29b/0x9c2 kernel/softirq.c:558
Last potentially related work creation:
kasan_save_stack+0x1e/0x50 mm/kasan/common.c:38
__kasan_record_aux_stack+0xf5/0x120 mm/kasan/generic.c:348
__call_rcu kernel/rcu/tree.c:2985 [inline]
call_rcu+0xb1/0x740 kernel/rcu/tree.c:3065
dst_release net/core/dst.c:177 [inline]
dst_release+0x79/0xe0 net/core/dst.c:167
tcp_v4_do_rcv+0x612/0x8d0 net/ipv4/tcp_ipv4.c:1712
sk_backlog_rcv include/net/sock.h:1030 [inline]
__release_sock+0x134/0x3b0 net/core/sock.c:2768
release_sock+0x54/0x1b0 net/core/sock.c:3300
tcp_sendmsg+0x36/0x40 net/ipv4/tcp.c:1441
inet_sendmsg+0x99/0xe0 net/ipv4/af_inet.c:819
sock_sendmsg_nosec net/socket.c:704 [inline]
sock_sendmsg+0xcf/0x120 net/socket.c:724
sock_write_iter+0x289/0x3c0 net/socket.c:1057
call_write_iter include/linux/fs.h:2162 [inline]
new_sync_write+0x429/0x660 fs/read_write.c:503
vfs_write+0x7cd/0xae0 fs/read_write.c:590
ksys_write+0x1ee/0x250 fs/read_write.c:643
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88807f1cb700
which belongs to the cache ip_dst_cache of size 176
The buggy address is located 58 bytes inside of
176-byte region [ffff88807f1cb700, ffff88807f1cb7b0)
The buggy address belongs to the page:
page:ffffea0001fc72c0 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x7f1cb
flags: 0xfff00000000200(slab|node=0|zone=1|lastcpupid=0x7ff)
raw: 00fff00000000200 dead000000000100 dead000000000122 ffff8881413bb780
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 0, migratetype Unmovable, gfp_mask 0x112a20(GFP_ATOMIC|__GFP_NOWARN|__GFP_NORETRY|__GFP_HARDWALL), pid 5, ts 108466983062, free_ts 108048976062
prep_new_page mm/page_alloc.c:2418 [inline]
get_page_from_freelist+0xa72/0x2f50 mm/page_alloc.c:4149
__alloc_pages+0x1b2/0x500 mm/page_alloc.c:5369
alloc_pages+0x1a7/0x300 mm/mempolicy.c:2191
alloc_slab_page mm/slub.c:1793 [inline]
allocate_slab mm/slub.c:1930 [inline]
new_slab+0x32d/0x4a0 mm/slub.c:1993
___slab_alloc+0x918/0xfe0 mm/slub.c:3022
__slab_alloc.constprop.0+0x4d/0xa0 mm/slub.c:3109
slab_alloc_node mm/slub.c:3200 [inline]
slab_alloc mm/slub.c:3242 [inline]
kmem_cache_alloc+0x35c/0x3a0 mm/slub.c:3247
dst_alloc+0x146/0x1f0 net/core/dst.c:92
rt_dst_alloc+0x73/0x430 net/ipv4/route.c:1613
__mkroute_output net/ipv4/route.c:2564 [inline]
ip_route_output_key_hash_rcu+0x921/0x2d00 net/ipv4/route.c:2791
ip_route_output_key_hash+0x18b/0x300 net/ipv4/route.c:2619
__ip_route_output_key include/net/route.h:126 [inline]
ip_route_output_flow+0x23/0x150 net/ipv4/route.c:2850
ip_route_output_key include/net/route.h:142 [inline]
geneve_get_v4_rt+0x3a6/0x830 drivers/net/geneve.c:809
geneve_xmit_skb drivers/net/geneve.c:899 [inline]
geneve_xmit+0xc4a/0x3540 drivers/net/geneve.c:1082
__netdev_start_xmit include/linux/netdevice.h:4994 [inline]
netdev_start_xmit include/linux/netdevice.h:5008 [inline]
xmit_one net/core/dev.c:3590 [inline]
dev_hard_start_xmit+0x1eb/0x920 net/core/dev.c:3606
__dev_queue_xmit+0x299a/0x3650 net/core/dev.c:4229
page last free stack trace:
reset_page_owner include/linux/page_owner.h:24 [inline]
free_pages_prepare mm/page_alloc.c:1338 [inline]
free_pcp_prepare+0x374/0x870 mm/page_alloc.c:1389
free_unref_page_prepare mm/page_alloc.c:3309 [inline]
free_unref_page+0x19/0x690 mm/page_alloc.c:3388
qlink_free mm/kasan/quarantine.c:146 [inline]
qlist_free_all+0x5a/0xc0 mm/kasan/quarantine.c:165
kasan_quarantine_reduce+0x180/0x200 mm/kasan/quarantine.c:272
__kasan_slab_alloc+0xa2/0xc0 mm/kasan/common.c:444
kasan_slab_alloc include/linux/kasan.h:259 [inline]
slab_post_alloc_hook mm/slab.h:519 [inline]
slab_alloc_node mm/slub.c:3234 [inline]
kmem_cache_alloc_node+0x255/0x3f0 mm/slub.c:3270
__alloc_skb+0x215/0x340 net/core/skbuff.c:414
alloc_skb include/linux/skbuff.h:1126 [inline]
alloc_skb_with_frags+0x93/0x620 net/core/skbuff.c:6078
sock_alloc_send_pskb+0x783/0x910 net/core/sock.c:2575
mld_newpack+0x1df/0x770 net/ipv6/mcast.c:1754
add_grhead+0x265/0x330 net/ipv6/mcast.c:1857
add_grec+0x1053/0x14e0 net/ipv6/mcast.c:1995
mld_send_initial_cr.part.0+0xf6/0x230 net/ipv6/mcast.c:2242
mld_send_initial_cr net/ipv6/mcast.c:1232 [inline]
mld_dad_work+0x1d3/0x690 net/ipv6/mcast.c:2268
process_one_work+0x9b2/0x1690 kernel/workqueue.c:2298
worker_thread+0x658/0x11f0 kernel/workqueue.c:2445
Memory state around the buggy address:
ffff88807f1cb600: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88807f1cb680: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
>ffff88807f1cb700: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88807f1cb780: fb fb fb fb fb fb fc fc fc fc fc fc fc fc fc fc
ffff88807f1cb800: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
Fixes:
|
||
|
Greg Kroah-Hartman
|
d47c37b3c1 |
Merge bdb575f872 ("Merge tag 'drm-fixes-2021-09-17' of git://anongit.freedesktop.org/drm/drm") into android-mainline
Steps on the way to 5.15-rc2 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: Id7ae8fe00ef75a10c28b62553ee8cf42a6db5729 |
||
zhenggy
|
4f884f3962 |
tcp: fix tp->undo_retrans accounting in tcp_sacktag_one()
Commit |
||
|
Greg Kroah-Hartman
|
bc2f6edebd |
Merge 9e9fb7655e ("Merge tag 'net-next-5.15' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next") into android-mainline
Steps on the way to 5.15-rc1 Signed-off-by: Greg Kroah-Hartman <gregkh@google.com> Change-Id: I49577d606b2710975407eae3fee60bc331397810 |
||
Neal Cardwell
|
a657db0350 |
tcp: more accurately check DSACKs to grow RACK reordering window
Previously, a DSACK could expand the RACK reordering window when no reordering has been seen, and/or when the DSACK was due to an unnecessary TLP retransmit (rather than a spurious fast recovery due to reordering). This could result in unnecessarily growing the RACK reordering window and thus unnecessarily delaying RACK-based fast recovery episodes. To avoid these issues, this commit tightens the conditions under which a DSACK triggers the RACK reordering window to grow, so that a connection only expands its RACK reordering window if: (a) reordering has been seen in the connection (b) a DSACKed range does not match the most recent TLP retransmit Signed-off-by: Neal Cardwell <ncardwell@google.com> Acked-by: Yuchung Cheng <ycheng@google.com> Acked-by: Priyaranjan Jha <priyarjha@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Yuchung Cheng
|
63f367d9de |
tcp: more accurately detect spurious TLP probes
Previously TLP is considered spurious if the sender receives any DSACK during a TLP episode. This patch further checks the DSACK sequences match the TLP's to improve accuracy. Signed-off-by: Yuchung Cheng <ycheng@google.com> Acked-by: Neal Cardwell <ncardwell@google.com> Acked-by: Priyaranjan Jha <priyarjha@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Lee Jones
|
946e465c81 |
Merge tag 'v5.14-rc2' into android-mainline
Linux 5.14-rc2 Signed-off-by: Lee Jones <lee.jones@linaro.org> Change-Id: Ia2131de59daa96610741f5a0ff267b0d08697023 |
||
|
Eric Dumazet
|
240bfd134c |
tcp: tweak len/truesize ratio for coalesce candidates
tcp_grow_window() is using skb->len/skb->truesize to increase tp->rcv_ssthresh which has a direct impact on advertized window sizes. We added TCP coalescing in linux-3.4 & linux-3.5: Instead of storing skbs with one or two MSS in receive queue (or OFO queue), we try to append segments together to reduce memory overhead. High performance network drivers tend to cook skb with 3 parts : 1) sk_buff structure (256 bytes) 2) skb->head contains room to copy headers as needed, and skb_shared_info 3) page fragment(s) containing the ~1514 bytes frame (or more depending on MTU) Once coalesced into a previous skb, 1) and 2) are freed. We can therefore tweak the way we compute len/truesize ratio knowing that skb->truesize is inflated by 1) and 2) soon to be freed. This is done only for in-order skb, or skb coalesced into OFO queue. The result is that low rate flows no longer pay the memory price of having low GRO aggregation factor. Same result for drivers not using GRO. This is critical to allow a big enough receiver window, typically tcp_rmem[2] / 2. We have been using this at Google for about 5 years, it is due time to make it upstream. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Soheil Hassas Yeganeh <soheil@google.com> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Acked-by: Soheil Hassas Yeganeh <soheil@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Eric Dumazet
|
739b2adf99 |
tcp: avoid indirect call in tcp_new_space()
For tcp sockets, sk->sk_write_space is most probably sk_stream_write_space(). Other sk->sk_write_space() calls in TCP are slow path and do not deserve any change. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Lee Jones
|
8e658623d4 |
Merge commit c288d9cd71 ("Merge tag 'for-5.14/io_uring-2021-06-30' of git://git.kernel.dk/linux-block") into android-mainline
Another small step en route to v5.14-rc1 Change-Id: I24899ab78da7d367574ed69ceaa82ab0837d9556 Signed-off-by: Lee Jones <lee.jones@linaro.org> |
||
Jianguo Wu
|
6787b7e350 |
mptcp: avoid processing packet if a subflow reset
If check_fully_established() causes a subflow reset, it should not
continue to process the packet in tcp_data_queue().
Add a return value to mptcp_incoming_options(), and return false if a
subflow has been reset, else return true. Then drop the packet in
tcp_data_queue()/tcp_rcv_state_process() if mptcp_incoming_options()
return false.
Fixes:
|
||
Bae Soukjin
|
1da7910c1d |
ANDROID: vendor_hooks: Add vendor hook to the net
android_vh_ptype_head:
To add a debugging chain to ptype list
android_vh_kfree_skb
To sniff the dropped packet at kernel network
Bug: 163716381
Signed-off-by: Bae Soukjin <soukjin.bae@samsung.com>
Change-Id: Ide80bf0a129da31a1824d4a33026ac42be327361
(cherry picked from commit
|
||
Nguyen Dinh Phi
|
be5d1b61a2 |
tcp: fix tcp_init_transfer() to not reset icsk_ca_initialized
This commit fixes a bug (found by syzkaller) that could cause spurious
double-initializations for congestion control modules, which could cause
memory leaks or other problems for congestion control modules (like CDG)
that allocate memory in their init functions.
The buggy scenario constructed by syzkaller was something like:
(1) create a TCP socket
(2) initiate a TFO connect via sendto()
(3) while socket is in TCP_SYN_SENT, call setsockopt(TCP_CONGESTION),
which calls:
tcp_set_congestion_control() ->
tcp_reinit_congestion_control() ->
tcp_init_congestion_control()
(4) receive ACK, connection is established, call tcp_init_transfer(),
set icsk_ca_initialized=0 (without first calling cc->release()),
call tcp_init_congestion_control() again.
Note that in this sequence tcp_init_congestion_control() is called
twice without a cc->release() call in between. Thus, for CC modules
that allocate memory in their init() function, e.g, CDG, a memory leak
may occur. The syzkaller tool managed to find a reproducer that
triggered such a leak in CDG.
The bug was introduced when that commit
|
||
Alexander Aring
|
e3ae2365ef |
net: sock: introduce sk_error_report
This patch introduces a function wrapper to call the sk_error_report callback. That will prepare to add additional handling whenever sk_error_report is called, for example to trace socket errors. Signed-off-by: Alexander Aring <aahringo@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Yuchung Cheng
|
a29cb69146 |
net: tcp better handling of reordering then loss cases
This patch aims to improve the situation when reordering and loss are ocurring in the same flight of packets. Previously the reordering would first induce a spurious recovery, then the subsequent ACK may undo the cwnd (based on the timestamps e.g.). However the current loss recovery does not proceed to invoke RACK to install a reordering timer. If some packets are also lost, this may lead to a long RTO-based recovery. An example is https://groups.google.com/g/bbr-dev/c/OFHADvJbTEI The solution is to after reverting the recovery, always invoke RACK to either mount the RACK timer to fast retransmit after the reordering window, or restarts the recovery if new loss is identified. Hence it is possible the sender may go from Recovery to Disorder/Open to Recovery again in one ACK. Reported-by: mingkun bian <bianmingkun@gmail.com> Signed-off-by: Yuchung Cheng <ycheng@google.com> Signed-off-by: Neal Cardwell <ncardwell@google.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
Jakub Kicinski
|
709c031423 |
tcp: add tracepoint for checksum errors
Add a tracepoint for capturing TCP segments with a bad checksum. This makes it easy to identify sources of bad frames in the fleet (e.g. machines with faulty NICs). It should also help tools like IOvisor's tcpdrop.py which are used today to get detailed information about such packets. We don't have a socket in many cases so we must open code the address extraction based just on the skb. v2: add missing export for ipv6=m Signed-off-by: Jakub Kicinski <kuba@kernel.org> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Eric Dumazet
|
a7abf3cd76 |
tcp: consider using standard rtx logic in tcp_rcv_fastopen_synack()
Jakub reported Data included in a Fastopen SYN that had to be retransmit would have to wait for an RTO if TX completions are slow, even with prior fix. This is because tcp_rcv_fastopen_synack() does not use standard rtx logic, meaning TSQ handler exits early in tcp_tsq_write() because tp->lost_out == tp->retrans_out Lets make tcp_rcv_fastopen_synack() use standard rtx logic, by using tcp_mark_skb_lost() on the skb thats needs to be sent again. Not this raised a warning in tcp_fastretrans_alert() during my tests since we consider the data not being aknowledged by the receiver does not mean packet was lost on the network. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Jakub Kicinski <kuba@kernel.org> Cc: Neal Cardwell <ncardwell@google.com> Cc: Yuchung Cheng <ycheng@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|
Eric Dumazet
|
39354eb29f |
tcp: tcp_data_ready() must look at SOCK_DONE
My prior cleanup missed that tcp_data_ready() has to look at SOCK_DONE.
Otherwise, an application using SO_RCVLOWAT will not get EPOLLIN event
if a FIN is received in the middle of expected payload.
The reason SOCK_DONE is not examined in tcp_epollin_ready()
is that tcp_poll() catches the FIN because tcp_fin()
is also setting RCV_SHUTDOWN into sk->sk_shutdown
Fixes:
|
||
|
Eric Dumazet
|
05dc72aba3 |
tcp: factorize logic into tcp_epollin_ready()
Both tcp_data_ready() and tcp_stream_is_readable() share the same logic. Add tcp_epollin_ready() helper to avoid duplication. Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Arjun Roy <arjunroy@google.com> Cc: Wei Wang <weiwan@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |