Changes in 5.4.13
HID: hidraw, uhid: Always report EPOLLOUT
rtc: mt6397: fix alarm register overwrite
phy: mapphone-mdm6600: Fix uninitialized status value regression
RDMA/bnxt_re: Avoid freeing MR resources if dereg fails
RDMA/bnxt_re: Fix Send Work Entry state check while polling completions
IB/hfi1: Don't cancel unused work item
mtd: rawnand: stm32_fmc2: avoid to lock the CPU bus
i2c: bcm2835: Store pointer to bus clock
ASoC: SOF: imx8: fix memory allocation failure check on priv->pd_dev
ASoC: soc-core: Set dpcm_playback / dpcm_capture
ASoC: stm32: spdifrx: fix inconsistent lock state
ASoC: stm32: spdifrx: fix race condition in irq handler
ASoC: stm32: spdifrx: fix input pin state management
pinctrl: lochnagar: select GPIOLIB
netfilter: nft_flow_offload: fix underflow in flowtable reference counter
ASoC: SOF: imx8: Fix dsp_box offset
mtd: onenand: omap2: Pass correct flags for prep_dma_memcpy
gpio: zynq: Fix for bug in zynq_gpio_restore_context API
pinctrl: meson: Fix wrong shift value when get drive-strength
selftests: loopback.sh: skip this test if the driver does not support
iommu/vt-d: Unlink device if failed to add to group
iommu: Remove device link to group on failure
bpf: cgroup: prevent out-of-order release of cgroup bpf
fs: move guard_bio_eod() after bio_set_op_attrs
scsi: mpt3sas: Fix double free in attach error handling
gpio: Fix error message on out-of-range GPIO in lookup table
PM / devfreq: tegra: Add COMMON_CLK dependency
PCI: amlogic: Fix probed clock names
drm/tegra: Fix ordering of cleanup code
hsr: add hsr root debugfs directory
hsr: rename debugfs file when interface name is changed
hsr: reset network header when supervision frame is created
s390/qeth: fix qdio teardown after early init error
s390/qeth: fix false reporting of VNIC CHAR config failure
s390/qeth: Fix vnicc_is_in_use if rx_bcast not set
s390/qeth: vnicc Fix init to default
s390/qeth: fix initialization on old HW
cifs: Adjust indentation in smb2_open_file
scsi: smartpqi: Update attribute name to `driver_version`
MAINTAINERS: Append missed file to the database
ath9k: use iowrite32 over __raw_writel
can: j1939: fix address claim code example
dt-bindings: reset: Fix brcmstb-reset example
reset: brcmstb: Remove resource checks
afs: Fix missing cell comparison in afs_test_super()
perf vendor events s390: Remove name from L1D_RO_EXCL_WRITES description
syscalls/x86: Wire up COMPAT_SYSCALL_DEFINE0
syscalls/x86: Use COMPAT_SYSCALL_DEFINE0 for IA32 (rt_)sigreturn
syscalls/x86: Use the correct function type for sys_ni_syscall
syscalls/x86: Fix function types in COND_SYSCALL
hsr: fix slab-out-of-bounds Read in hsr_debugfs_rename()
btrfs: simplify inode locking for RWF_NOWAIT
netfilter: nf_tables_offload: release flow_rule on error from commit path
netfilter: nft_meta: use 64-bit time arithmetic
ASoC: dt-bindings: mt8183: add missing update
ASoC: simple_card_utils.h: Add missing include
ASoC: fsl_esai: Add spin lock to protect reset, stop and start
ASoC: SOF: Intel: Broadwell: clarify mutual exclusion with legacy driver
ASoC: core: Fix compile warning with CONFIG_DEBUG_FS=n
ASoC: rsnd: fix DALIGN register for SSIU
RDMA/hns: Prevent undefined behavior in hns_roce_set_user_sq_size()
RDMA/hns: remove a redundant le16_to_cpu
RDMA/hns: Modify return value of restrack functions
RDMA/counter: Prevent QP counter manual binding in auto mode
RDMA/siw: Fix port number endianness in a debug message
RDMA/hns: Fix build error again
RDMA/hns: Release qp resources when failed to destroy qp
xprtrdma: Add unique trace points for posting Local Invalidate WRs
xprtrdma: Connection becomes unstable after a reconnect
xprtrdma: Fix MR list handling
xprtrdma: Close window between waking RPC senders and posting Receives
RDMA/hns: Fix to support 64K page for srq
RDMA/hns: Bugfix for qpc/cqc timer configuration
rdma: Remove nes ABI header
RDMA/mlx5: Return proper error value
RDMA/srpt: Report the SCSI residual to the initiator
uaccess: Add non-pagefault user-space write function
bpf: Make use of probe_user_write in probe write helper
bpf: skmsg, fix potential psock NULL pointer dereference
bpf: Support pre-2.25-binutils objcopy for vmlinux BTF
libbpf: Fix Makefile' libbpf symbol mismatch diagnostic
afs: Fix use-after-loss-of-ref
afs: Fix afs_lookup() to not clobber the version on a new dentry
keys: Fix request_key() cache
scsi: enclosure: Fix stale device oops with hot replug
scsi: sd: Clear sdkp->protection_type if disk is reformatted without PI
platform/mellanox: fix potential deadlock in the tmfifo driver
platform/x86: asus-wmi: Fix keyboard brightness cannot be set to 0
platform/x86: GPD pocket fan: Use default values when wrong modparams are given
asm-generic/nds32: don't redefine cacheflush primitives
Documentation/ABI: Fix documentation inconsistency for mlxreg-io sysfs interfaces
Documentation/ABI: Add missed attribute for mlxreg-io sysfs interfaces
xprtrdma: Fix create_qp crash on device unload
xprtrdma: Fix completion wait during device removal
xprtrdma: Fix oops in Receive handler after device removal
dm: add dm-clone to the documentation index
scsi: ufs: Give an unique ID to each ufs-bsg
crypto: cavium/nitrox - fix firmware assignment to AE cores
crypto: hisilicon - select NEED_SG_DMA_LENGTH in qm Kconfig
crypto: arm64/aes-neonbs - add return value of skcipher_walk_done() in __xts_crypt()
crypto: virtio - implement missing support for output IVs
crypto: algif_skcipher - Use chunksize instead of blocksize
crypto: geode-aes - convert to skcipher API and make thread-safe
NFSv2: Fix a typo in encode_sattr()
nfsd: Fix cld_net->cn_tfm initialization
nfsd: v4 support requires CRYPTO_SHA256
NFSv4.x: Handle bad/dead sessions correctly in nfs41_sequence_process()
NFSv4.x: Drop the slot if nfs4_delegreturn_prepare waits for layoutreturn
iio: imu: st_lsm6dsx: fix gyro gain definitions for LSM9DS1
iio: imu: adis16480: assign bias value only if operation succeeded
mei: fix modalias documentation
clk: meson: axg-audio: fix regmap last register
clk: samsung: exynos5420: Preserve CPU clocks configuration during suspend/resume
clk: Fix memory leak in clk_unregister()
dmaengine: dw: platform: Mark 'hclk' clock optional
clk: imx: pll14xx: Fix quick switch of S/K parameter
rsi: fix potential null dereference in rsi_probe()
affs: fix a memory leak in affs_remount
pinctl: ti: iodelay: fix error checking on pinctrl_count_index_with_args call
pinctrl: sh-pfc: Fix PINMUX_IPSR_PHYS() to set GPSR
pinctrl: sh-pfc: Do not use platform_get_irq() to count interrupts
pinctrl: lewisburg: Update pin list according to v1.1v6
PCI: pciehp: Do not disable interrupt twice on suspend
Revert "drm/virtio: switch virtio_gpu_wait_ioctl() to gem helper."
drm/amdgpu: cleanup creating BOs at fixed location (v2)
drm/amdgpu/discovery: reserve discovery data at the top of VRAM
scsi: sd: enable compat ioctls for sed-opal
arm64: dts: apq8096-db820c: Increase load on l21 for SDCARD
gfs2: add compat_ioctl support
af_unix: add compat_ioctl support
compat_ioctl: handle SIOCOUTQNSD
PCI: aardvark: Use LTSSM state to build link training flag
PCI: aardvark: Fix PCI_EXP_RTCTL register configuration
PCI: dwc: Fix find_next_bit() usage
PCI: Fix missing bridge dma_ranges resource list cleanup
PCI/PM: Clear PCIe PME Status even for legacy power management
tools: PCI: Fix fd leakage
PCI/PTM: Remove spurious "d" from granularity message
powerpc/powernv: Disable native PCIe port management
MIPS: PCI: remember nasid changed by set interrupt affinity
MIPS: Loongson: Fix return value of loongson_hwmon_init
MIPS: SGI-IP27: Fix crash, when CPUs are disabled via nr_cpus parameter
tty: serial: imx: use the sg count from dma_map_sg
tty: serial: pch_uart: correct usage of dma_unmap_sg
ARM: 8943/1: Fix topology setup in case of CPU hotplug for CONFIG_SCHED_MC
media: ov6650: Fix incorrect use of JPEG colorspace
media: ov6650: Fix some format attributes not under control
media: ov6650: Fix .get_fmt() V4L2_SUBDEV_FORMAT_TRY support
media: ov6650: Fix default format not applied on device probe
media: rcar-vin: Fix incorrect return statement in rvin_try_format()
media: hantro: h264: Fix the frame_num wraparound case
media: v4l: cadence: Fix how unsued lanes are handled in 'csi2rx_start()'
media: exynos4-is: Fix recursive locking in isp_video_release()
media: coda: fix deadlock between decoder picture run and start command
media: cedrus: Use correct H264 8x8 scaling list
media: hantro: Do not reorder H264 scaling list
media: aspeed-video: Fix memory leaks in aspeed_video_probe
media: hantro: Set H264 FIELDPIC_FLAG_E flag correctly
iommu/mediatek: Correct the flush_iotlb_all callback
iommu/mediatek: Add a new tlb_lock for tlb_flush
memory: mtk-smi: Add PM suspend and resume ops
Revert "ubifs: Fix memory leak bug in alloc_ubifs_info() error path"
ubifs: Fixed missed le64_to_cpu() in journal
ubifs: do_kill_orphans: Fix a memory leak bug
spi: sprd: Fix the incorrect SPI register
mtd: spi-nor: fix silent truncation in spi_nor_read()
mtd: spi-nor: fix silent truncation in spi_nor_read_raw()
spi: pxa2xx: Set controller->max_transfer_size in dma mode
spi: atmel: fix handling of cs_change set on non-last xfer
spi: rspi: Use platform_get_irq_byname_optional() for optional irqs
spi: lpspi: fix memory leak in fsl_lpspi_probe
iwlwifi: mvm: consider ieee80211 station max amsdu value
rtlwifi: Remove unnecessary NULL check in rtl_regd_init
iwlwifi: mvm: fix support for single antenna diversity
sch_cake: Add missing NLA policy entry TCA_CAKE_SPLIT_GSO
f2fs: fix potential overflow
NFSD fixing possible null pointer derefering in copy offload
rtc: msm6242: Fix reading of 10-hour digit
rtc: brcmstb-waketimer: add missed clk_disable_unprepare
rtc: bd70528: Add MODULE ALIAS to autoload module
gpio: mpc8xxx: Add platform device to gpiochip->parent
scsi: libcxgbi: fix NULL pointer dereference in cxgbi_device_destroy()
scsi: target/iblock: Fix protection error with blocks greater than 512B
selftests: firmware: Fix it to do root uid check and skip
rseq/selftests: Turn off timeout setting
riscv: export flush_icache_all to modules
mips: cacheinfo: report shared CPU map
mips: Fix gettimeofday() in the vdso library
tomoyo: Suppress RCU warning at list_for_each_entry_rcu().
MIPS: Prevent link failure with kcov instrumentation
drm/arm/mali: make malidp_mw_connector_helper_funcs static
rxrpc: Unlock new call in rxrpc_new_incoming_call() rather than the caller
rxrpc: Don't take call->user_mutex in rxrpc_new_incoming_call()
rxrpc: Fix missing security check on incoming calls
dmaengine: k3dma: Avoid null pointer traversal
s390/qeth: lock the card while changing its hsuid
ioat: ioat_alloc_ring() failure handling.
drm/amdgpu: enable gfxoff for raven1 refresh
media: intel-ipu3: Align struct ipu3_uapi_awb_fr_config_s to 32 bytes
kbuild/deb-pkg: annotate libelf-dev dependency as :native
hexagon: parenthesize registers in asm predicates
hexagon: work around compiler crash
ocfs2: call journal flush to mark journal as empty after journal recovery when mount
Linux 5.4.13
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I90734cd9d80f000e05a8109a529916ae641cdede
Changes in 5.4.9
drm/mcde: dsi: Fix invalid pointer dereference if panel cannot be found
nvme_fc: add module to ops template to allow module references
nvme-fc: fix double-free scenarios on hw queues
drm/amdgpu: add check before enabling/disabling broadcast mode
drm/amdgpu: add header line for power profile on Arcturus
drm/amdgpu: add cache flush workaround to gfx8 emit_fence
drm/amd/display: Map DSC resources 1-to-1 if numbers of OPPs and DSCs are equal
drm/amd/display: Fixed kernel panic when booting with DP-to-HDMI dongle
drm/amd/display: Change the delay time before enabling FEC
drm/amd/display: Reset steer fifo before unblanking the stream
drm/amd/display: update dispclk and dppclk vco frequency
nvme/pci: Fix write and poll queue types
nvme/pci: Fix read queue count
iio: st_accel: Fix unused variable warning
iio: adc: max9611: Fix too short conversion time delay
PM / devfreq: Fix devfreq_notifier_call returning errno
PM / devfreq: Set scaling_max_freq to max on OPP notifier error
PM / devfreq: Don't fail devfreq_dev_release if not in list
afs: Fix afs_find_server lookups for ipv4 peers
afs: Fix SELinux setting security label on /afs
RDMA/cma: add missed unregister_pernet_subsys in init failure
rxe: correctly calculate iCRC for unaligned payloads
scsi: lpfc: Fix memory leak on lpfc_bsg_write_ebuf_set func
scsi: qla2xxx: Use explicit LOGO in target mode
scsi: qla2xxx: Drop superfluous INIT_WORK of del_work
scsi: qla2xxx: Don't call qlt_async_event twice
scsi: qla2xxx: Fix PLOGI payload and ELS IOCB dump length
scsi: qla2xxx: Configure local loop for N2N target
scsi: qla2xxx: Send Notify ACK after N2N PLOGI
scsi: qla2xxx: Don't defer relogin unconditonally
scsi: qla2xxx: Ignore PORT UPDATE after N2N PLOGI
scsi: iscsi: qla4xxx: fix double free in probe
scsi: libsas: stop discovering if oob mode is disconnected
scsi: iscsi: Avoid potential deadlock in iscsi_if_rx func
staging/wlan-ng: add CRC32 dependency in Kconfig
drm/nouveau: Move the declaration of struct nouveau_conn_atom up a bit
drm/nouveau: Fix drm-core using atomic code-paths on pre-nv50 hardware
drm/nouveau/kms/nv50-: fix panel scaling
usb: gadget: fix wrong endpoint desc
net: make socket read/write_iter() honor IOCB_NOWAIT
afs: Fix mountpoint parsing
afs: Fix creation calls in the dynamic root to fail with EOPNOTSUPP
raid5: need to set STRIPE_HANDLE for batch head
md: raid1: check rdev before reference in raid1_sync_request func
s390/cpum_sf: Adjust sampling interval to avoid hitting sample limits
s390/cpum_sf: Avoid SBD overflow condition in irq handler
RDMA/counter: Prevent auto-binding a QP which are not tracked with res
IB/mlx4: Follow mirror sequence of device add during device removal
IB/mlx5: Fix steering rule of drop and count
xen-blkback: prevent premature module unload
xen/balloon: fix ballooned page accounting without hotplug enabled
PM / hibernate: memory_bm_find_bit(): Tighten node optimisation
ALSA: hda/realtek - Add Bass Speaker and fixed dac for bass speaker
ALSA: hda/realtek - Enable the bass speaker of ASUS UX431FLC
PCI: Add a helper to check Power Resource Requirements _PR3 existence
ALSA: hda: Allow HDA to be runtime suspended when dGPU is not bound to a driver
PCI: Fix missing inline for pci_pr3_present()
ALSA: hda - fixup for the bass speaker on Lenovo Carbon X1 7th gen
tcp: fix data-race in tcp_recvmsg()
shmem: pin the file in shmem_fault() if mmap_sem is dropped
taskstats: fix data-race
ALSA: hda - Downgrade error message for single-cmd fallback
netfilter: nft_tproxy: Fix port selector on Big Endian
block: add bio_truncate to fix guard_bio_eod
mm: drop mmap_sem before calling balance_dirty_pages() in write fault
ALSA: ice1724: Fix sleep-in-atomic in Infrasonic Quartet support code
ALSA: usb-audio: fix set_format altsetting sanity check
ALSA: usb-audio: set the interface format after resume on Dell WD19
ALSA: hda - Apply sync-write workaround to old Intel platforms, too
ALSA: hda/realtek - Add headset Mic no shutup for ALC283
drm/sun4i: hdmi: Remove duplicate cleanup calls
drm/amdgpu/smu: add metrics table lock
drm/amdgpu/smu: add metrics table lock for arcturus (v2)
drm/amdgpu/smu: add metrics table lock for navi (v2)
drm/amdgpu/smu: add metrics table lock for vega20 (v2)
MIPS: BPF: Disable MIPS32 eBPF JIT
MIPS: BPF: eBPF JIT: check for MIPS ISA compliance in Kconfig
MIPS: Avoid VDSO ABI breakage due to global register variable
media: pulse8-cec: fix lost cec_transmit_attempt_done() call
media: cec: CEC 2.0-only bcast messages were ignored
media: cec: avoid decrementing transmit_queue_sz if it is 0
media: cec: check 'transmit_in_progress', not 'transmitting'
mm/memory_hotplug: shrink zones when offlining memory
mm/zsmalloc.c: fix the migrated zspage statistics.
memcg: account security cred as well to kmemcg
mm: move_pages: return valid node id in status if the page is already on the target node
mm/oom: fix pgtables units mismatch in Killed process message
ocfs2: fix the crash due to call ocfs2_get_dlm_debug once less
pstore/ram: Write new dumps to start of recycled zones
pstore/ram: Fix error-path memory leak in persistent_ram_new() callers
gcc-plugins: make it possible to disable CONFIG_GCC_PLUGINS again
locks: print unsigned ino in /proc/locks
selftests/seccomp: Zero out seccomp_notif
seccomp: Check that seccomp_notif is zeroed out by the user
samples/seccomp: Zero out members based on seccomp_notif_sizes
selftests/seccomp: Catch garbage on SECCOMP_IOCTL_NOTIF_RECV
dmaengine: Fix access to uninitialized dma_slave_caps
dmaengine: dma-jz4780: Also break descriptor chains on JZ4725B
Btrfs: fix infinite loop during nocow writeback due to race
compat_ioctl: block: handle Persistent Reservations
compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE
compat_ioctl: block: handle BLKGETZONESZ/BLKGETNRZONES
bpf: Fix precision tracking for unbounded scalars
ata: libahci_platform: Export again ahci_platform_<en/dis>able_phys()
ata: ahci_brcm: Fix AHCI resources management
ata: ahci_brcm: Add missing clock management during recovery
ata: ahci_brcm: BCM7425 AHCI requires AHCI_HFLAG_DELAY_ENGINE
libata: Fix retrieving of active qcs
gpio: xtensa: fix driver build
gpiolib: fix up emulated open drain outputs
clocksource: riscv: add notrace to riscv_sched_clock
riscv: ftrace: correct the condition logic in function graph tracer
rseq/selftests: Fix: Namespace gettid() for compatibility with glibc 2.30
tracing: Fix lock inversion in trace_event_enable_tgid_record()
tracing: Avoid memory leak in process_system_preds()
tracing: Have the histogram compare functions convert to u64 first
tracing: Fix endianness bug in histogram trigger
samples/trace_printk: Wait for IRQ work to finish
io_uring: use current task creds instead of allocating a new one
mm/gup: fix memory leak in __gup_benchmark_ioctl
apparmor: fix aa_xattrs_match() may sleep while holding a RCU lock
dmaengine: virt-dma: Fix access after free in vchan_complete()
gen_initramfs_list.sh: fix 'bad variable name' error
ALSA: cs4236: fix error return comparison of an unsigned integer
ALSA: pcm: Yet another missing check of non-cached buffer type
ALSA: firewire-motu: Correct a typo in the clock proc string
scsi: lpfc: Fix rpi release when deleting vport
exit: panic before exit_mm() on global init exit
arm64: Revert support for execute-only user mappings
ftrace: Avoid potential division by zero in function profiler
spi: spi-fsl-dspi: Fix 16-bit word order in 32-bit XSPI mode
drm/msm: include linux/sched/task.h
PM / devfreq: Check NULL governor in available_governors_show
sunrpc: fix crash when cache_head become valid before update
arm64: dts: qcom: msm8998-clamshell: Remove retention idle state
nfsd4: fix up replay_matches_cache()
powerpc: Chunk calls to flush_dcache_range in arch_*_memory
HID: i2c-hid: Reset ALPS touchpads on resume
net/sched: annotate lockless accesses to qdisc->empty
kernel/module.c: wakeup processes in module_wq on module unload
ACPI: sysfs: Change ACPI_MASKABLE_GPE_MAX to 0x100
perf callchain: Fix segfault in thread__resolve_callchain_sample()
iommu/vt-d: Remove incorrect PSI capability check
of: overlay: add_changeset_property() memory leak
cifs: Fix potential softlockups while refreshing DFS cache
firmware: arm_scmi: Avoid double free in error flow
xfs: don't check for AG deadlock for realtime files in bunmapi
platform/x86: pmc_atom: Add Siemens CONNECT X300 to critclk_systems DMI table
netfilter: nf_queue: enqueue skbs with NULL dst
net, sysctl: Fix compiler warning when only cBPF is present
watchdog: tqmx86_wdt: Fix build error
regulator: axp20x: Fix axp20x_set_ramp_delay
regulator: bd70528: Remove .set_ramp_delay for bd70528_ldo_ops
spi: uniphier: Fix FIFO threshold
regulator: axp20x: Fix AXP22x ELDO2 regulator enable bitmask
powerpc/mm: Mark get_slice_psize() & slice_addr_is_low() as notrace
Bluetooth: btusb: fix PM leak in error case of setup
Bluetooth: delete a stray unlock
Bluetooth: Fix memory leak in hci_connect_le_scan
arm64: dts: meson-gxl-s905x-khadas-vim: fix uart_A bluetooth node
arm64: dts: meson-gxm-khadas-vim2: fix uart_A bluetooth node
media: flexcop-usb: ensure -EIO is returned on error condition
regulator: ab8500: Remove AB8505 USB regulator
media: usb: fix memory leak in af9005_identify_state
dt-bindings: clock: renesas: rcar-usb2-clock-sel: Fix typo in example
arm64: dts: meson: odroid-c2: Disable usb_otg bus to avoid power failed warning
phy: renesas: rcar-gen3-usb2: Use platform_get_irq_optional() for optional irq
tty: serial: msm_serial: Fix lockup for sysrq and oops
cifs: Fix lookup of root ses in DFS referral cache
fs: cifs: Fix atime update check vs mtime
fix compat handling of FICLONERANGE, FIDEDUPERANGE and FS_IOC_FIEMAP
ath9k_htc: Modify byte order for an error message
ath9k_htc: Discard undersized packets
drm/i915/execlists: Fix annotation for decoupling virtual request
xfs: periodically yield scrub threads to the scheduler
net: add annotations on hh->hh_len lockless accesses
ubifs: ubifs_tnc_start_commit: Fix OOB in layout_in_gaps
btrfs: get rid of unique workqueue helper functions
Btrfs: only associate the locked page with one async_chunk struct
s390/smp: fix physical to logical CPU map for SMT
mm/sparse.c: mark populate_section_memmap as __meminit
xen/blkback: Avoid unmapping unmapped grant pages
lib/ubsan: don't serialize UBSAN report
efi: Don't attempt to map RCI2 config table if it doesn't exist
perf/x86/intel/bts: Fix the use of page_private()
net: annotate lockless accesses to sk->sk_pacing_shift
hsr: avoid debugfs warning message when module is remove
hsr: fix error handling routine in hsr_dev_finalize()
hsr: fix a race condition in node list insertion and deletion
mm/hugetlb: defer freeing of huge pages if in non-task context
Linux 5.4.9
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8eebcdac421faf74f70af8e8666abfdcdc45c86b
[ Upstream commit ebfcd8955c ]
The socket read/write helpers only look at the file O_NONBLOCK, not
the iocb IOCB_NOWAIT flag. This breaks users like preadv2/pwritev2
and io_uring that rely on not having the file itself marked nonblocking,
but rather the iocb itself.
Cc: netdev@vger.kernel.org
Acked-by: David Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Changes in 5.4.2
io_uring: async workers should inherit the user creds
net: separate out the msghdr copy from ___sys_{send,recv}msg()
net: disallow ancillary data for __sys_{send,recv}msg_file()
crypto: inside-secure - Fix stability issue with Macchiatobin
driver core: platform: use the correct callback type for bus_find_device
usb: dwc2: use a longer core rest timeout in dwc2_core_reset()
staging: wilc1000: fix illegal memory access in wilc_parse_join_bss_param()
staging: rtl8192e: fix potential use after free
staging: rtl8723bs: Drop ACPI device ids
staging: rtl8723bs: Add 024c:0525 to the list of SDIO device-ids
USB: serial: ftdi_sio: add device IDs for U-Blox C099-F9P
mei: bus: prefix device names on bus with the bus name
mei: me: add comet point V device id
thunderbolt: Power cycle the router if NVM authentication fails
x86/fpu: Don't cache access to fpu_fpregs_owner_ctx
gve: Fix the queue page list allocated pages count
macvlan: schedule bc_work even if error
mdio_bus: don't use managed reset-controller
net: dsa: sja1105: fix sja1105_parse_rgmii_delays()
net: macb: add missed tasklet_kill
net: psample: fix skb_over_panic
net: sched: fix `tc -s class show` no bstats on class with nolock subqueues
openvswitch: fix flow command message size
sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook
slip: Fix use-after-free Read in slip_open
sctp: cache netns in sctp_ep_common
openvswitch: drop unneeded BUG_ON() in ovs_flow_cmd_build_info()
openvswitch: remove another BUG_ON()
net/tls: take into account that bpf_exec_tx_verdict() may free the record
net/tls: free the record on encryption error
net: skmsg: fix TLS 1.3 crash with full sk_msg
selftests/tls: add a test for fragmented messages
net/tls: remove the dead inplace_crypto code
net/tls: use sg_next() to walk sg entries
selftests: bpf: test_sockmap: handle file creation failures gracefully
selftests: bpf: correct perror strings
tipc: fix link name length check
selftests: pmtu: use -oneline for ip route list cache
r8169: fix jumbo configuration for RTL8168evl
r8169: fix resume on cable plug-in
ext4: add more paranoia checking in ext4_expand_extra_isize handling
Revert "jffs2: Fix possible null-pointer dereferences in jffs2_add_frag_to_fragtree()"
crypto: talitos - Fix build error by selecting LIB_DES
HID: core: check whether Usage Page item is after Usage ID items
platform/x86: hp-wmi: Fix ACPI errors caused by too small buffer
platform/x86: hp-wmi: Fix ACPI errors caused by passing 0 as input size
Linux 5.4.2
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
Change-Id: I8d695c1db60112decd0939927ccb472eb6c5286c
[ Upstream commit d69e07793f ]
Only io_uring uses (and added) these, and we want to disallow the
use of sendmsg/recvmsg for anything but regular data transfers.
Use the newly added prep helper to split the msghdr copy out from
the core function, to check for msg_control and msg_controllen
settings. If either is set, we return -EINVAL.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
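Added example, not part of the commit above or of the kernel source: a user-space C model of the rule that commit message states (msg_control or msg_controllen set means -EINVAL), applied to a plain data message and to messages that carry ancillary data. The helper name reject_ancillary() and the sample payloads are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/uio.h>

/*
 * Hypothetical helper (name chosen for this example). It applies the rule
 * from the commit message to an already-copied msghdr: a control buffer
 * pointer or a non-zero control length means the request is refused.
 */
static int reject_ancillary(const struct msghdr *msg)
{
    if (msg->msg_control || msg->msg_controllen)
        return -EINVAL;
    return 0;
}

/* Regular data transfer: one iovec, no control buffer. Expected: accepted. */
static int check_plain_data(void)
{
    char payload[] = "hello";   /* constructed sample payload */
    struct iovec iov = { .iov_base = payload, .iov_len = sizeof(payload) };
    struct msghdr msg;

    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    return reject_ancillary(&msg);
}

/*
 * Same payload plus an SCM_RIGHTS control message describing one file
 * descriptor. This is what "ancillary data" looks like in a msghdr, and
 * it is the kind of request the check turns away. Expected: -EINVAL.
 */
static int check_fd_passing(int fd)
{
    char payload[] = "hello";
    struct iovec iov = { .iov_base = payload, .iov_len = sizeof(payload) };
    union {
        char buf[CMSG_SPACE(sizeof(int))];
        struct cmsghdr align;   /* forces correct alignment of buf */
    } u;
    struct msghdr msg;
    struct cmsghdr *cmsg;

    memset(&u, 0, sizeof(u));
    memset(&msg, 0, sizeof(msg));
    msg.msg_iov = &iov;
    msg.msg_iovlen = 1;
    msg.msg_control = u.buf;
    msg.msg_controllen = sizeof(u.buf);

    cmsg = CMSG_FIRSTHDR(&msg);
    cmsg->cmsg_level = SOL_SOCKET;
    cmsg->cmsg_type = SCM_RIGHTS;
    cmsg->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cmsg), &fd, sizeof(fd));

    return reject_ancillary(&msg);
}

/*
 * Edge case covered by "if either is set": a non-zero length with a NULL
 * control pointer is refused as well. Expected: -EINVAL.
 */
static int check_length_only(void)
{
    struct msghdr msg;

    memset(&msg, 0, sizeof(msg));
    msg.msg_controllen = 16;
    return reject_ancillary(&msg);
}

int main(void)
{
    printf("plain data      -> %d\n", check_plain_data());
    printf("SCM_RIGHTS cmsg -> %d\n", check_fd_passing(0));
    printf("length only     -> %d\n", check_length_only());
    return 0;
}
```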
[ Upstream commit 4257c8ca13 ]
This is in preparation for enabling the io_uring helpers for sendmsg
and recvmsg to first copy the header for validation before continuing
with the operation.
There should be no functional changes in this patch.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Add a flag option to get xattr method that could have a bit flag of
XATTR_NOSECURITY passed to it. XATTR_NOSECURITY is generally then
set in the __vfs_getxattr path when called by security
infrastructure.
This handles the case of a union filesystem driver that is being
requested by the security layer to report back the xattr data.
For the use case where access is to be blocked by the security layer.
The path then could be security(dentry) ->
__vfs_getxattr(dentry...XATTR_NOSECURITY) ->
handler->get(dentry...XATTR_NOSECURITY) ->
__vfs_getxattr(lower_dentry...XATTR_NOSECURITY) ->
lower_handler->get(lower_dentry...XATTR_NOSECURITY)
which would report back through the chain data and success as
expected, the logging security layer at the top would have the
data to determine the access permissions and report back the target
context that was blocked.
Without the get handler flag, the path on a union filesystem would be
the errant security(dentry) -> __vfs_getxattr(dentry) ->
handler->get(dentry) -> vfs_getxattr(lower_dentry) -> nested ->
security(lower_dentry, log off) -> lower_handler->get(lower_dentry)
which would report back through the chain no data, and -EACCES.
For selinux for both cases, this would translate to a correctly
determined blocked access. In the first case with this change a correct avc
log would be reported, in the second legacy case an incorrect avc log
would be reported against an uninitialized u:object_r:unlabeled:s0
context making the logs cosmetically useless for audit2allow.
This patch series is inert and is the wide-spread addition of the
flags option for xattr functions, and a replacement of __vfs_getxattr
with __vfs_getxattr(...XATTR_NOSECURITY).
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Acked-by: Jan Kara <jack@suse.cz>
Acked-by: Jeff Layton <jlayton@kernel.org>
Acked-by: David Sterba <dsterba@suse.com>
Acked-by: Darrick J. Wong <darrick.wong@oracle.com>
Acked-by: Mike Marshall <hubcap@omnibond.com>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: linux-kernel@vger.kernel.org
Cc: kernel-team@android.com
Cc: linux-security-module@vger.kernel.org
(cherry picked from (rejected from archive because of too many recipients))
Signed-off-by: Mark Salyzyn <salyzyn@google.com>
Bug: 133515582
Bug: 136124883
Bug: 129319403
Change-Id: Iabbb8771939d5f66667a26bb23ddf4c562c349a1
Pull vfs mount updates from Al Viro:
"The first part of mount updates.
Convert filesystems to use the new mount API"
* 'work.mount0' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (63 commits)
mnt_init(): call shmem_init() unconditionally
constify ksys_mount() string arguments
don't bother with registering rootfs
init_rootfs(): don't bother with init_ramfs_fs()
vfs: Convert smackfs to use the new mount API
vfs: Convert selinuxfs to use the new mount API
vfs: Convert securityfs to use the new mount API
vfs: Convert apparmorfs to use the new mount API
vfs: Convert openpromfs to use the new mount API
vfs: Convert xenfs to use the new mount API
vfs: Convert gadgetfs to use the new mount API
vfs: Convert oprofilefs to use the new mount API
vfs: Convert ibmasmfs to use the new mount API
vfs: Convert qib_fs/ipathfs to use the new mount API
vfs: Convert efivarfs to use the new mount API
vfs: Convert configfs to use the new mount API
vfs: Convert binfmt_misc to use the new mount API
convenience helper: get_tree_single()
convenience helper get_tree_nodev()
vfs: Kill sget_userns()
...
Pull io_uring updates from Jens Axboe:
"This contains:
- Support for recvmsg/sendmsg as first class opcodes.
I don't envision going much further down this path, as there are
plans in progress to support potentially any system call in an
async fashion through io_uring. But I think it does make sense to
have certain core ops available directly, especially those that can
support a "try this non-blocking" flag/mode. (me)
- Handle generic short reads automatically.
This can happen fairly easily if parts of the buffered read are
cached. Since the application needs to issue another request for
the remainder, just do this internally and save kernel/user
roundtrip while providing a nicer more robust API. (me)
- Support for linked SQEs.
This allows SQEs to depend on each other, enabling an application
to eg queue a read-from-this-file,write-to-that-file pair. (me)
- Fix race in stopping SQ thread (Jackie)"
* tag 'for-5.3/io_uring-20190711' of git://git.kernel.dk/linux-block:
io_uring: fix io_sq_thread_stop running in front of io_sq_thread
io_uring: add support for recvmsg()
io_uring: add support for sendmsg()
io_uring: add support for sqe links
io_uring: punt short reads to async context
uio: make import_iovec()/compat_import_iovec() return bytes on success
This is done through IORING_OP_RECVMSG. This opcode uses the same
sqe->msg_flags that IORING_OP_SENDMSG added, and we pass in the
msghdr struct in the sqe->addr field as well.
We use MSG_DONTWAIT to force an inline fast path if recvmsg() doesn't
block, and punt to async execution if it would have.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This is done through IORING_OP_SENDMSG. There's a new sqe->msg_flags
for the flags argument, and the msghdr struct is passed in the
sqe->addr field.
We use MSG_DONTWAIT to force an inline fast path if sendmsg() doesn't
block, and punt to async execution if it would have.
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
socket->wq is assign-once, set when we are initializing both
struct socket it's in and struct socket_wq it points to. As a
matter of fact, the only reason for separate allocation was the
ability to RCU-delay freeing of socket_wq. RCU-delaying the
freeing of socket itself gets rid of that need, so we can just
fold struct socket_wq into the end of struct socket and simplify
the life both for sock_alloc_inode() (one allocation instead of
two) and for tun/tap oddballs, where we used to embed struct socket
and struct socket_wq into the same structure (now - embedding just
the struct socket).
Note that reference to struct socket_wq in struct sock does remain
a reference - that's unchanged.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
we do have an RCU-delayed part there already (freeing the wq),
so it's not like the pipe situation; moreover, it might be
worth considering coallocating wq with the rest of struct sock_alloc.
->sk_wq in struct sock would remain a pointer as it is, but
the object it normally points to would be coallocated with
struct socket...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Daniel Borkmann says:
====================
pull-request: bpf-next 2019-07-03
The following pull-request contains BPF updates for your *net-next* tree.
There is a minor merge conflict in mlx5 due to 8960b38932 ("linux/dim:
Rename externally used net_dim members") which has been pulled into your
tree in the meantime, but resolution seems not that bad ... getting current
bpf-next out now before there's coming more on mlx5. ;) I'm Cc'ing Saeed
just so he's aware of the resolution below:
** First conflict in drivers/net/ethernet/mellanox/mlx5/core/en_main.c:
<<<<<<< HEAD
static int mlx5e_open_cq(struct mlx5e_channel *c,
struct dim_cq_moder moder,
struct mlx5e_cq_param *param,
struct mlx5e_cq *cq)
=======
int mlx5e_open_cq(struct mlx5e_channel *c, struct net_dim_cq_moder moder,
struct mlx5e_cq_param *param, struct mlx5e_cq *cq)
>>>>>>> e5a3e259ef
Resolution is to take the second chunk and rename net_dim_cq_moder into
dim_cq_moder. Also the signature for mlx5e_open_cq() in ...
drivers/net/ethernet/mellanox/mlx5/core/en.h +977
... and in mlx5e_open_xsk() ...
drivers/net/ethernet/mellanox/mlx5/core/en/xsk/setup.c +64
... needs the same rename from net_dim_cq_moder into dim_cq_moder.
** Second conflict in drivers/net/ethernet/mellanox/mlx5/core/en_main.c:
<<<<<<< HEAD
int cpu = cpumask_first(mlx5_comp_irq_get_affinity_mask(priv->mdev, ix));
struct dim_cq_moder icocq_moder = {0, 0};
struct net_device *netdev = priv->netdev;
struct mlx5e_channel *c;
unsigned int irq;
=======
struct net_dim_cq_moder icocq_moder = {0, 0};
>>>>>>> e5a3e259ef
Take the second chunk and rename net_dim_cq_moder into dim_cq_moder
as well.
Let me know if you run into any issues. Anyway, the main changes are:
1) Long-awaited AF_XDP support for mlx5e driver, from Maxim.
2) Addition of two new per-cgroup BPF hooks for getsockopt and
setsockopt along with a new sockopt program type which allows more
fine-grained pass/reject settings for containers. Also add a sock_ops
callback that can be selectively enabled on a per-socket basis and is
executed for every RTT to help tracking TCP statistics, both features
from Stanislav.
3) Follow-up fix from loops in precision tracking which was not propagating
precision marks and as a result verifier assumed that some branches were
not taken and therefore wrongly removed as dead code, from Alexei.
4) Fix BPF cgroup release synchronization race which could lead to a
double-free if a leaf's cgroup_bpf object is released and a new BPF
program is attached to the one of ancestor cgroups in parallel, from Roman.
5) Support for bulking XDP_TX on veth devices which improves performance
in some cases by around 9%, from Toshiaki.
6) Allow for lookups into BPF devmap and improve feedback when calling into
bpf_redirect_map() as lookup is now performed right away in the helper
itself, from Toke.
7) Add support for fq's Earliest Departure Time to the Host Bandwidth
Manager (HBM) sample BPF program, from Lawrence.
8) Various cleanups and minor fixes all over the place from many others.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
After the previous patch we have ipv{6,4} variants for {recv,send}msg,
we should use the generic _INET ICW variant to call into the proper
built-in.
This also allows dropping the now unused and rather ugly _INET4 ICW macro
v1 -> v2:
- use ICW macro to declare inet6_{recv,send}msg
- fix a couple of checkpatch offenders in the code context
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Implement new BPF_PROG_TYPE_CGROUP_SOCKOPT program type and
BPF_CGROUP_{G,S}ETSOCKOPT cgroup hooks.
BPF_CGROUP_SETSOCKOPT can modify user setsockopt arguments before
passing them down to the kernel or bypass kernel completely.
BPF_CGROUP_GETSOCKOPT can inspect/modify getsockopt arguments that
kernel returns.
Both hooks reuse existing PTR_TO_PACKET{,_END} infrastructure.
The buffer memory is pre-allocated (because I don't think there is
a precedent for working with __user memory from bpf). This might be
slow to do for each {s,g}etsockopt call, that's why I've added
__cgroup_bpf_prog_array_is_empty that exits early if there is nothing
attached to a cgroup. Note, however, that there is a race between
__cgroup_bpf_prog_array_is_empty and BPF_PROG_RUN_ARRAY where cgroup
program layout might have changed; this should not be a problem
because in general there is a race between multiple calls to
{s,g}etsockopt and user adding/removing bpf progs from a cgroup.
The return code of the BPF program is handled as follows:
* 0: EPERM
* 1: success, continue with next BPF program in the cgroup chain
v9:
* allow overwriting setsockopt arguments (Alexei Starovoitov):
* use set_fs (same as kernel_setsockopt)
* buffer is always kzalloc'd (no small on-stack buffer)
v8:
* use s32 for optlen (Andrii Nakryiko)
v7:
* return only 0 or 1 (Alexei Starovoitov)
* always run all progs (Alexei Starovoitov)
* use optval=0 as kernel bypass in setsockopt (Alexei Starovoitov)
(decided to use optval=-1 instead, optval=0 might be a valid input)
* call getsockopt hook after kernel handlers (Alexei Starovoitov)
v6:
* rework cgroup chaining; stop as soon as bpf program returns
0 or 2; see patch with the documentation for the details
* drop Andrii's and Martin's Acked-by (not sure they are comfortable
with the new state of things)
v5:
* skip copy_to_user() and put_user() when ret == 0 (Martin Lau)
v4:
* don't export bpf_sk_fullsock helper (Martin Lau)
* size != sizeof(__u64) for uapi pointers (Martin Lau)
* offsetof instead of bpf_ctx_range when checking ctx access (Martin Lau)
v3:
* typos in BPF_PROG_CGROUP_SOCKOPT_RUN_ARRAY comments (Andrii Nakryiko)
* reverse christmas tree in BPF_PROG_CGROUP_SOCKOPT_RUN_ARRAY (Andrii
Nakryiko)
* use __bpf_md_ptr instead of __u32 for optval{,_end} (Martin Lau)
* use BPF_FIELD_SIZEOF() for consistency (Martin Lau)
* new CG_SOCKOPT_ACCESS macro to wrap repeated parts
v2:
* moved bpf_sockopt_kern fields around to remove a hole (Martin Lau)
* aligned bpf_sockopt_kern->buf to 8 bytes (Martin Lau)
* bpf_prog_array_is_empty instead of bpf_prog_array_length (Martin Lau)
* added [0,2] return code check to verifier (Martin Lau)
* dropped unused buf[64] from the stack (Martin Lau)
* use PTR_TO_SOCKET for bpf_sockopt->sk (Martin Lau)
* dropped bpf_target_off from ctx rewrites (Martin Lau)
* use return code for kernel bypass (Martin Lau & Andrii Nakryiko)
Cc: Andrii Nakryiko <andriin@fb.com>
Cc: Martin Lau <kafai@fb.com>
Signed-off-by: Stanislav Fomichev <sdf@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Some ISDN files that got removed in net-next had some changes
done in mainline, take the removals.
Signed-off-by: David S. Miller <davem@davemloft.net>
IS_ERR() already calls unlikely(), so this extra likely() call
around the !IS_ERR() is not needed.
Signed-off-by: Enrico Weigelt <info@metux.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Currently these functions return < 0 on error, and 0 for success.
Change that so that we return < 0 on error, but number of bytes
for success.
Some callers already treat the return value that way, others need a
slight tweak.
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Based on 1 normalized pattern(s):
this program is free software you can redistribute it and or modify
it under the terms of the gnu general public license as published by
the free software foundation either version 2 of the license or at
your option any later version
extracted by the scancode license scanner the SPDX license identifier
GPL-2.0-or-later
has been chosen to replace the boilerplate/reference in 3029 file(s).
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Allison Randal <allison@lohutok.net>
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Convert the sockfs filesystem to the new internal mount API as the old
one will be obsoleted and removed. This allows greater flexibility in
communication of mount parameters between userspace, the VFS and the
filesystem.
See Documentation/filesystems/mount_api.txt for more information.
Signed-off-by: David Howells <dhowells@redhat.com>
cc: netdev@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Once upon a time we used to set ->d_name of e.g. pipefs root
so that d_path() on pipes would work. These days it's
completely pointless - dentries of pipes are not even connected
to pipefs root. However, mount_pseudo() had set the root
dentry name (passed as the second argument) and callers
kept inventing names to pass to it. Including those that
didn't *have* any non-root dentries to start with...
All of that had been pointless for about 8 years now; it's
time to get rid of that cargo-culting...
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Fix kernel-doc warnings by moving the kernel-doc notation to be
immediately above the functions that it describes.
Fixes these warnings for sock_sendmsg() and sock_recvmsg():
../net/socket.c:658: warning: Excess function parameter 'sock' description in 'INDIRECT_CALLABLE_DECLARE'
../net/socket.c:658: warning: Excess function parameter 'msg' description in 'INDIRECT_CALLABLE_DECLARE'
../net/socket.c:889: warning: Excess function parameter 'sock' description in 'INDIRECT_CALLABLE_DECLARE'
../net/socket.c:889: warning: Excess function parameter 'msg' description in 'INDIRECT_CALLABLE_DECLARE'
../net/socket.c:889: warning: Excess function parameter 'flags' description in 'INDIRECT_CALLABLE_DECLARE'
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This avoids an indirect call per {send,recv}msg syscall in
the common (IPv6 or IPv4 socket) case.
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Add missing break statement in order to prevent the code from falling
through to cases SIOCGSTAMP_NEW and SIOCGSTAMPNS_NEW.
This bug was found thanks to the ongoing efforts to enable
-Wimplicit-fallthrough.
Fixes: 0768e17073 ("net: socket: implement 64-bit timestamps")
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
The 'timeval' and 'timespec' data structures used for socket timestamps
are going to be redefined in user space based on 64-bit time_t in future
versions of the C library to deal with the y2038 overflow problem,
which breaks the ABI definition.
Unlike many modern ioctl commands, SIOCGSTAMP and SIOCGSTAMPNS do not
use the _IOR() macro to encode the size of the transferred data, so it
remains ambiguous whether the application uses the old or new layout.
The best workaround I could find is rather ugly: we redefine the command
code based on the size of the respective data structure with a ternary
operator. This lets it get evaluated as late as possible, hopefully after
that structure is visible to the caller. We cannot use an #ifdef here,
because linux/sockios.h might have been included before any libc header
that could determine the size of time_t.
The ioctl implementation now interprets the new command codes as always
referring to the 64-bit structure on all architectures, while the old
architecture specific command code still refers to the old architecture
specific layout. The new command number is only used when they are
actually different.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
The SIOCGSTAMP/SIOCGSTAMPNS ioctl commands are implemented by many
socket protocol handlers, and all of those end up calling the same
sock_get_timestamp()/sock_get_timestampns() helper functions, which
results in a lot of duplicate code.
With the introduction of 64-bit time_t on 32-bit architectures, this
gets worse, as we then need four different ioctl commands in each
socket protocol implementation.
To simplify that, let's add a new .gettstamp() operation in
struct proto_ops, and move ioctl implementation into the common
sock_ioctl()/compat_sock_ioctl_trans() functions that these all go
through.
We can reuse the sock_get_timestamp() implementation, but generalize
it so it can deal with both native and compat mode, as well as
timeval and timespec structures.
Acked-by: Stefan Schmidt <stefan@datenfreihafen.org>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marc Kleine-Budde <mkl@pengutronix.de>
Link: https://lore.kernel.org/lkml/CAK8P3a038aDQQotzua_QtKGhq8O9n+rdiz2=WDCp82ys8eUT+A@mail.gmail.com/
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Adds missing sphinx documentation to the
socket.c's functions. Also fixes some whitespaces.
I also changed the style of older documentation as an
effort to have a uniform documentation style.
Signed-off-by: Pedro Tammela <pctammela@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit 9060cb719e ("net: crypto set sk to NULL when af_alg_release.")
fixed a use-after-free in sockfs_setattr() when an AF_ALG socket is
closed concurrently with fchownat(). However, it ignored that many
other proto_ops::release() methods don't set sock->sk to NULL and
therefore allow the same use-after-free:
- base_sock_release
- bnep_sock_release
- cmtp_sock_release
- data_sock_release
- dn_release
- hci_sock_release
- hidp_sock_release
- iucv_sock_release
- l2cap_sock_release
- llcp_sock_release
- llc_ui_release
- rawsock_release
- rfcomm_sock_release
- sco_sock_release
- svc_release
- vcc_release
- x25_release
Rather than fixing all these and relying on every socket type to get
this right forever, just make __sock_release() set sock->sk to NULL
itself after calling proto_ops::release().
Reproducer that produces the KASAN splat when any of these socket types
are configured into the kernel:
#include <pthread.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <unistd.h>

pthread_t t;
volatile int fd;

void *close_thread(void *arg)
{
	for (;;) {
		usleep(rand() % 100);
		close(fd);
	}
}

int main()
{
	pthread_create(&t, NULL, close_thread, NULL);
	for (;;) {
		fd = socket(rand() % 50, rand() % 11, 0);
		fchownat(fd, "", 1000, 1000, 0x1000);
		close(fd);
	}
}
Fixes: 86741ec254 ("net: core: Add a UID field to struct sock.")
Signed-off-by: Eric Biggers <ebiggers@google.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
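The design point of the commit above, clearing sock->sk once in the common release path instead of in every protocol, shown as an added user-space model; it is not kernel code and not part of the original changelog. All type and function names here are hypothetical, an 'alive' flag stands in for freeing so no freed memory is ever touched, and the race is reduced to one interleaving (release completes, then the attribute update runs).

```c
#include <stddef.h>
#include <stdio.h>

/* Stand-in for struct sock. 'alive' replaces a real free so the model
 * can detect a stale access without ever touching freed memory. */
struct sk_model {
	int alive;
	unsigned int uid;
};

struct socket_model;
typedef void (*release_fn)(struct socket_model *sock);

struct socket_model {
	struct sk_model *sk;
	release_fn release; /* stand-in for proto_ops::release() */
};

enum setattr_outcome { SETATTR_UPDATED, SETATTR_SKIPPED, SETATTR_STALE };

/* Release method that tears down the sk and clears the back-pointer itself. */
void release_clears_sk(struct socket_model *sock)
{
	sock->sk->alive = 0;
	sock->sk = NULL;
}

/* Release method that tears down the sk but leaves sock->sk dangling. */
void release_leaves_sk(struct socket_model *sock)
{
	sock->sk->alive = 0;
}

/* Common path, 'before' shape: trusts every protocol to clear sock->sk. */
void sock_release_before(struct socket_model *sock)
{
	if (sock->release) {
		sock->release(sock);
		sock->release = NULL;
	}
}

/* Common path, 'after' shape: clears sock->sk once, for all protocols. */
void sock_release_after(struct socket_model *sock)
{
	if (sock->release) {
		sock->release(sock);
		sock->sk = NULL;
		sock->release = NULL;
	}
}

/* Stand-in for the attribute update that races with close. */
enum setattr_outcome setattr_model(struct socket_model *sock, unsigned int uid)
{
	if (!sock->sk)
		return SETATTR_SKIPPED;
	if (!sock->sk->alive)
		return SETATTR_STALE; /* the real kernel would write to freed memory here */
	sock->sk->uid = uid;
	return SETATTR_UPDATED;
}

/* One interleaving: release finishes first, then the attribute update runs. */
enum setattr_outcome run_case(release_fn proto_release,
			      void (*common_release)(struct socket_model *))
{
	struct sk_model sk = { 1, 0 };
	struct socket_model sock = { &sk, proto_release };

	common_release(&sock);
	return setattr_model(&sock, 1000);
}

int main(void)
{
	printf("before, sk left dangling: %d\n",
	       run_case(release_leaves_sk, sock_release_before));
	printf("after,  sk left dangling: %d\n",
	       run_case(release_leaves_sk, sock_release_after));
	return 0;
}
```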
An ipvlan bug fix in 'net' conflicted with the abstraction away
of the IPV6 specific support in 'net-next'.
Similarly, a bug fix for mlx5 in 'net' conflicted with the flow
action conversion in 'net-next'.
Signed-off-by: David S. Miller <davem@davemloft.net>
As part of y2038 solution, all internal uses of
struct timeval are replaced by struct __kernel_old_timeval
and struct compat_timeval by struct old_timeval32.
Make socket timestamps use these new types.
This is mainly to be able to verify that the kernel build
is y2038 safe when such non y2038 safe types are not
supported anymore.
Signed-off-by: Deepa Dinamani <deepa.kernel@gmail.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Cc: isdn@linux-pingi.de
Signed-off-by: David S. Miller <davem@davemloft.net>
This reverts commit 1cebf8f143 ("socket: fix struct ifreq
size in compat ioctl"), it's a bugfix for another commit that
I'll revert next.
This is not a 'perfect' revert, I'm keeping some coding style
intact rather than revert to the state with indentation errors.
Cc: stable@vger.kernel.org
Fixes: 1cebf8f143 ("socket: fix struct ifreq size in compat ioctl")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull y2038 updates from Arnd Bergmann:
"More syscalls and cleanups
This concludes the main part of the system call rework for 64-bit
time_t, which has spread over most of year 2018, the last six system
calls being
- ppoll
- pselect6
- io_pgetevents
- recvmmsg
- futex
- rt_sigtimedwait
As before, nothing changes for 64-bit architectures, while 32-bit
architectures gain another entry point that differs only in the layout
of the timespec structure. Hopefully in the next release we can wire
up all 22 of those system calls on all 32-bit architectures, which
gives us a baseline version for glibc to start using them.
This does not include the clock_adjtime, getrusage/waitid, and
getitimer/setitimer system calls. I still plan to have new versions of
those as well, but they are not required for correct operation of the
C library since they can be emulated using the old 32-bit time_t based
system calls.
Aside from the system calls, there are also a few cleanups here,
removing old kernel internal interfaces that have become unused after
all references got removed. The arch/sh cleanups are part of this,
these were posted several times over the past year without a reaction
from the maintainers, while the corresponding changes made it into all
other architectures"
* tag 'y2038-for-4.21' of ssh://gitolite.kernel.org:/pub/scm/linux/kernel/git/arnd/playground:
timekeeping: remove obsolete time accessors
vfs: replace current_kernel_time64 with ktime equivalent
timekeeping: remove timespec_add/timespec_del
timekeeping: remove unused {read,update}_persistent_clock
sh: remove board_time_init() callback
sh: remove unused rtc_sh_get/set_time infrastructure
sh: sh03: rtc: push down rtc class ops into driver
sh: dreamcast: rtc: push down rtc class ops into driver
y2038: signal: Add compat_sys_rt_sigtimedwait_time64
y2038: signal: Add sys_rt_sigtimedwait_time32
y2038: socket: Add compat_sys_recvmmsg_time64
y2038: futex: Add support for __kernel_timespec
y2038: futex: Move compat implementation into futex.c
io_pgetevents: use __kernel_timespec
pselect6: use __kernel_timespec
ppoll: use __kernel_timespec
signal: Add restore_user_sigmask()
signal: Add set_user_sigmask()
recvmmsg() takes two arguments to pointers of structures that differ
between 32-bit and 64-bit architectures: mmsghdr and timespec.
For y2038 compatibility, we are changing the native system call from
timespec to __kernel_timespec with a 64-bit time_t (in another patch),
and use the existing compat system call on both 32-bit and 64-bit
architectures for compatibility with traditional 32-bit user space.
As we now have two variants of recvmmsg() for 32-bit tasks that are both
different from the variant that we use on 64-bit tasks, this means we
also require two compat system calls!
The solution I picked is to flip things around: The existing
compat_sys_recvmmsg() call gets moved from net/compat.c into net/socket.c
and now handles the case for old user space on all architectures that
have set CONFIG_COMPAT_32BIT_TIME. A new compat_sys_recvmmsg_time64()
call gets added in the old place for 64-bit architectures only, this
one handles the case of a compat mmsghdr structure combined with
__kernel_timespec.
In the indirect sys_socketcall(), we now need to call either
do_sys_recvmmsg() or __compat_sys_recvmmsg(), depending on what kind of
architecture we are on. For compat_sys_socketcall(), no such change is
needed, we always call __compat_sys_recvmmsg().
I decided to not add a new SYS_RECVMMSG_TIME64 socketcall: Any libc
implementation for 64-bit time_t will need significant changes including
an updated asm/unistd.h, and it seems better to consistently use the
separate syscalls for that configuration, leaving the socketcall only for
backward compatibility with 32-bit time_t based libc.
The naming is asymmetric for the moment, so both existing syscalls
entry points keep their names, while the new ones are recvmmsg_time32
and compat_recvmmsg_time64 respectively. I expect that we will rename
the compat syscalls later as we start using generated syscall tables
everywhere and add these entry points.
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
splice(2) fails with -EINVAL when called reading on a socket with no splice_read
set in its proto_ops (such as vsock sockets). Switch this to fall back to
generic_file_splice_read instead.
Signed-off-by: Slavomir Kaslev <kaslevs@vmware.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull AFS updates from Al Viro:
"AFS series, with some iov_iter bits included"
* 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs: (26 commits)
missing bits of "iov_iter: Separate type from direction and use accessor functions"
afs: Probe multiple fileservers simultaneously
afs: Fix callback handling
afs: Eliminate the address pointer from the address list cursor
afs: Allow dumping of server cursor on operation failure
afs: Implement YFS support in the fs client
afs: Expand data structure fields to support YFS
afs: Get the target vnode in afs_rmdir() and get a callback on it
afs: Calc callback expiry in op reply delivery
afs: Fix FS.FetchStatus delivery from updating wrong vnode
afs: Implement the YFS cache manager service
afs: Remove callback details from afs_callback_break struct
afs: Commit the status on a new file/dir/symlink
afs: Increase to 64-bit volume ID and 96-bit vnode ID for YFS
afs: Don't invoke the server to read data beyond EOF
afs: Add a couple of tracepoints to log I/O errors
afs: Handle EIO from delivery function
afs: Fix TTL on VL server and address lists
afs: Implement VL server rotation
afs: Improve FS server rotation error handling
...
Pull timekeeping updates from Thomas Gleixner:
"The timers and timekeeping department provides:
- Another large y2038 update with further preparations for providing
the y2038 safe timespecs closer to the syscalls.
- An overhaul of the SHCMT clocksource driver
- SPDX license identifier updates
- Small cleanups and fixes all over the place"
* 'timers-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (31 commits)
tick/sched : Remove redundant cpu_online() check
clocksource/drivers/dw_apb: Add reset control
clocksource: Remove obsolete CLOCKSOURCE_OF_DECLARE
clocksource/drivers: Unify the names to timer-* format
clocksource/drivers/sh_cmt: Add R-Car gen3 support
dt-bindings: timer: renesas: cmt: document R-Car gen3 support
clocksource/drivers/sh_cmt: Properly line-wrap sh_cmt_of_table[] initializer
clocksource/drivers/sh_cmt: Fix clocksource width for 32-bit machines
clocksource/drivers/sh_cmt: Fixup for 64-bit machines
clocksource/drivers/sh_tmu: Convert to SPDX identifiers
clocksource/drivers/sh_mtu2: Convert to SPDX identifiers
clocksource/drivers/sh_cmt: Convert to SPDX identifiers
clocksource/drivers/renesas-ostm: Convert to SPDX identifiers
clocksource: Convert to using %pOFn instead of device_node.name
tick/broadcast: Remove redundant check
RISC-V: Request newstat syscalls
y2038: signal: Change rt_sigtimedwait to use __kernel_timespec
y2038: socket: Change recvmmsg to use __kernel_timespec
y2038: sched: Change sched_rr_get_interval to use __kernel_timespec
y2038: utimes: Rework #ifdef guards for compat syscalls
...
In the iov_iter struct, separate the iterator type from the iterator
direction and use accessor functions to access them in most places.
Convert a bunch of places to use switch-statements to access them rather
than chains of bitwise-AND statements. This makes it easier to add further
iterator types. Also, this can be more efficient as to implement a switch
of small contiguous integers, the compiler can use ~50% fewer compare
instructions than it has to use bitwise-and instructions.
Further, cease passing the iterator type into the iterator setup function.
The iterator function can set that itself. Only the direction is required.
Signed-off-by: David Howells <dhowells@redhat.com>
net/sched/cls_api.c has overlapping changes to a call to
nlmsg_parse(), one (from 'net') added rtm_tca_policy instead of NULL
to the 5th argument, and another (from 'net-next') added cb->extack
instead of NULL to the 6th argument.
net/ipv4/ipmr_base.c is a case of a bug fix in 'net' being done to
code which moved (to mr_table_dump) in 'net-next'. Thanks to David
Ahern for the heads up.
Signed-off-by: David S. Miller <davem@davemloft.net>
In ethtool_ioctl(), the ioctl command 'ethcmd' is checked through a switch
statement to see whether it is necessary to pre-process the ethtool
structure, because, as mentioned in the comment, the structure
ethtool_rxnfc is defined with padding. If yes, a user-space buffer 'rxnfc'
is allocated through compat_alloc_user_space(). One thing to note here is
that, if 'ethcmd' is ETHTOOL_GRXCLSRLALL, the size of the buffer 'rxnfc' is
partially determined by 'rule_cnt', which is actually acquired from the
user-space buffer 'compat_rxnfc', i.e., 'compat_rxnfc->rule_cnt', through
get_user(). After 'rxnfc' is allocated, the data in the original user-space
buffer 'compat_rxnfc' is then copied to 'rxnfc' through copy_in_user(),
including the 'rule_cnt' field. However, after this copy, no check is
re-enforced on 'rxnfc->rule_cnt'. So it is possible that a malicious user
races to change the value in 'compat_rxnfc->rule_cnt' between these two
copies. In this way, the attacker can bypass the previous check on
'rule_cnt' and inject malicious data. This can cause undefined behavior of
the kernel and introduce potential security risk.
This patch avoids the above issue via copying the value acquired by
get_user() to 'rxnfc->rule_cnt', if 'ethcmd' is ETHTOOL_GRXCLSRLALL.
Signed-off-by: Wenwen Wang <wang6495@umn.edu>
Signed-off-by: David S. Miller <davem@davemloft.net>
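The double fetch described in the ethtool_ioctl() commit above, reduced to an added user-space model that puts the 'before' shape beside the fixed one; it is not kernel code and not part of the original changelog. The struct layout, the bound MODEL_MAX_RULES, the hook that simulates the concurrent writer, and every function name are assumptions made for the sketch.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MODEL_MAX_RULES 16u /* constructed bound standing in for the size check */

/* Simplified stand-in for the user-space structure; only rule_cnt matters. */
struct rxnfc_model {
	uint32_t cmd;
	uint32_t rule_cnt;
};

/* Models a second thread rewriting the user buffer between two kernel reads. */
typedef void (*race_hook_t)(struct rxnfc_model *user);

struct convert_result {
	int err;               /* 0 on success, -1 if rule_cnt fails the bound */
	uint32_t sized_for;    /* rule count the new buffer was sized for */
	uint32_t seen_by_next; /* rule count the next stage reads from the copy */
};

/* get_user() stand-in: exactly one read of a user-controlled word. */
static uint32_t fetch_u32(const volatile uint32_t *p)
{
	return *p;
}

/* Shared body; 'pin' selects whether the checked value overrides the copy. */
static struct convert_result convert(struct rxnfc_model *user, race_hook_t hook, int pin)
{
	struct convert_result r = { 0, 0, 0 };
	struct rxnfc_model copy;
	uint32_t rule_cnt = fetch_u32(&user->rule_cnt); /* first fetch */

	if (rule_cnt > MODEL_MAX_RULES) {
		r.err = -1;
		return r;
	}
	r.sized_for = rule_cnt;
	if (hook)
		hook(user); /* window between the two reads */
	memcpy(&copy, user, sizeof(copy)); /* copy_in_user() stand-in: second fetch */
	if (pin)
		copy.rule_cnt = rule_cnt; /* keep the value that was actually checked */
	r.seen_by_next = copy.rule_cnt;
	return r;
}

/* 'Before' shape: the bulk copy re-reads rule_cnt and nothing re-checks it. */
struct convert_result convert_double_fetch(struct rxnfc_model *user, race_hook_t hook)
{
	return convert(user, hook, 0);
}

/* 'After' shape: the checked count is written over the copied field. */
struct convert_result convert_pinned(struct rxnfc_model *user, race_hook_t hook)
{
	return convert(user, hook, 1);
}

/* Constructed writer: changes the count after it has been checked. */
void late_writer(struct rxnfc_model *user)
{
	user->rule_cnt = 4096;
}

/* Invariant a reviewer wants: the count used later equals the count checked. */
int counts_agree(struct convert_result r)
{
	return r.err == 0 && r.sized_for == r.seen_by_next;
}

int main(void)
{
	struct rxnfc_model a = { 0, 4 }, b = { 0, 4 };

	printf("double fetch agrees: %d\n", counts_agree(convert_double_fetch(&a, late_writer)));
	printf("pinned agrees:       %d\n", counts_agree(convert_pinned(&b, late_writer)));
	return 0;
}
```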
move_addr_to_kernel() returns only negative values on error, or zero on
success. Rewrite the error check to an idiomatic form to avoid confusing
the reader.
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
As reported by Robert O'Callahan, since Viro's commit to kill
dev_ifsioc() we attempt to copy too much data in compat mode,
which may lead to EFAULT when the 32-bit version of struct ifreq
sits at/near the end of a page boundary, and the next page isn't
mapped.
Fix this by passing the appropriate compat/non-compat size to copy
and using that, as before the dev_ifsioc() removal. This works
because only the embedded "struct ifmap" has different size, and
this is only used in SIOCGIFMAP/SIOCSIFMAP which has a different
handler. All other parts of the union are naturally compatible.
This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199469.
Fixes: bf4405737f ("kill dev_ifsioc()")
Reported-by: Robert O'Callahan <robert@ocallahan.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>