Commit graph

42083 commits

Author SHA1 Message Date
Srinivasarao P
392854fb08 Merge android-4.4.162 (3eb8e73) into msm-4.4
* refs/heads/tmp-3eb8e73
  Linux 4.4.162
  HV: properly delay KVP packets when negotiation is in progress
  Drivers: hv: kvp: fix IP Failover
  Drivers: hv: util: Pass the channel information during the init call
  Drivers: hv: utils: Invoke the poll function after handshake
  usb: gadget: serial: fix oops when data rx'd after close
  ARC: build: Get rid of toolchain check
  powerpc/tm: Avoid possible userspace r1 corruption on reclaim
  powerpc/tm: Fix userspace r13 corruption
  net/mlx4: Use cpumask_available for eq->affinity_mask
  Input: atakbd - fix Atari CapsLock behaviour
  Input: atakbd - fix Atari keymap
  clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs
  media: af9035: prevent buffer overflow on write
  x86/fpu: Finish excising 'eagerfpu'
  x86/fpu: Remove struct fpu::counter
  x86/fpu: Remove use_eager_fpu()
  KVM: x86: remove eager_fpu field of struct kvm_vcpu_arch
  rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
  net: systemport: Fix wake-up interrupt race during resume
  net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
  team: Forbid enslaving team device to itself
  qlcnic: fix Tx descriptor corruption on 82xx devices
  net/usb: cancel pending work when unbinding smsc75xx
  netlabel: check for IPV4MASK in addrinfo_get
  net/ipv6: Display all addresses in output of /proc/net/if_inet6
  net: ipv4: update fnhe_pmtu when first hop's MTU changes
  ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
  ip_tunnel: be careful when accessing the inner header
  ip6_tunnel: be careful when accessing the inner header
  bonding: avoid possible dead-lock
  bnxt_en: Fix TX timeout during netpoll.
  jffs2: return -ERANGE when xattr buffer is too small
  xhci: Don't print a warning when setting link state for disabled ports
  i2c: i2c-scmi: fix for i2c_smbus_write_block_data
  perf script python: Fix export-to-postgresql.py occasional failure
  mach64: detect the dot clock divider correctly on sparc
  mm/vmstat.c: fix outdated vmstat_text
  ext4: add corruption check in ext4_xattr_set_entry()
  drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7
  ARM: dts: at91: add new compatibility string for macb on sama5d3
  net: macb: disable scatter-gather for macb on sama5d3
  stmmac: fix valid numbers of unicast filter entries
  sound: enable interrupt after dma buffer initialization
  mfd: omap-usb-host: Fix dts probe of children
  selftests/efivarfs: add required kernel configs
  ASoC: sigmadsp: safeload should not have lower byte limit
  ASoC: wm8804: Add ACPI support
  ANDROID: usb: gadget: f_mtp: Return error if count is negative
  ANDROID: x86_64_cuttlefish_defconfig: disable CONFIG_MEMORY_STATE_TIME

Change-Id: Ie69fd3f90302d1ebe0c1217b46d8033fec4180a5
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2018-10-22 14:00:26 +05:30
Greg Kroah-Hartman
3eb8e73519 This is the 4.4.162 stable release

Merge 4.4.162 into android-4.4

Changes in 4.4.162
	ASoC: wm8804: Add ACPI support
	ASoC: sigmadsp: safeload should not have lower byte limit
	selftests/efivarfs: add required kernel configs
	mfd: omap-usb-host: Fix dts probe of children
	sound: enable interrupt after dma buffer initialization
	stmmac: fix valid numbers of unicast filter entries
	net: macb: disable scatter-gather for macb on sama5d3
	ARM: dts: at91: add new compatibility string for macb on sama5d3
	drm/amdgpu: Fix SDMA HQD destroy error on gfx_v7
	ext4: add corruption check in ext4_xattr_set_entry()
	mm/vmstat.c: fix outdated vmstat_text
	mach64: detect the dot clock divider correctly on sparc
	perf script python: Fix export-to-postgresql.py occasional failure
	i2c: i2c-scmi: fix for i2c_smbus_write_block_data
	xhci: Don't print a warning when setting link state for disabled ports
	jffs2: return -ERANGE when xattr buffer is too small
	bnxt_en: Fix TX timeout during netpoll.
	bonding: avoid possible dead-lock
	ip6_tunnel: be careful when accessing the inner header
	ip_tunnel: be careful when accessing the inner header
	ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
	net: ipv4: update fnhe_pmtu when first hop's MTU changes
	net/ipv6: Display all addresses in output of /proc/net/if_inet6
	netlabel: check for IPV4MASK in addrinfo_get
	net/usb: cancel pending work when unbinding smsc75xx
	qlcnic: fix Tx descriptor corruption on 82xx devices
	team: Forbid enslaving team device to itself
	net: mvpp2: Extract the correct ethtype from the skb for tx csum offload
	net: systemport: Fix wake-up interrupt race during resume
	rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
	KVM: x86: remove eager_fpu field of struct kvm_vcpu_arch
	x86/fpu: Remove use_eager_fpu()
	x86/fpu: Remove struct fpu::counter
	x86/fpu: Finish excising 'eagerfpu'
	media: af9035: prevent buffer overflow on write
	clocksource/drivers/ti-32k: Add CLOCK_SOURCE_SUSPEND_NONSTOP flag for non-am43 SoCs
	Input: atakbd - fix Atari keymap
	Input: atakbd - fix Atari CapsLock behaviour
	net/mlx4: Use cpumask_available for eq->affinity_mask
	powerpc/tm: Fix userspace r13 corruption
	powerpc/tm: Avoid possible userspace r1 corruption on reclaim
	ARC: build: Get rid of toolchain check
	usb: gadget: serial: fix oops when data rx'd after close
	Drivers: hv: utils: Invoke the poll function after handshake
	Drivers: hv: util: Pass the channel information during the init call
	Drivers: hv: kvp: fix IP Failover
	HV: properly delay KVP packets when negotiation is in progress
	Linux 4.4.162

Change-Id: Ib44f3b764a6005a2891b28315b3dbfa3f6cedcb5
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-10-20 16:32:57 +02:00
Eric Dumazet
dcea9310ef rtnl: limit IFLA_NUM_TX_QUEUES and IFLA_NUM_RX_QUEUES to 4096
[ Upstream commit 0e1d6eca5113858ed2caea61a5adc03c595f6096 ]

We have an impressive number of syzkaller bugs that are linked
to the fact that syzbot was able to create a networking device
with millions of TX (or RX) queues.

Let's limit the number of RX/TX queues to 4096; this really should
cover all known cases.

A separate patch will add various cond_resched() in the loops
handling sysfs entries at device creation and dismantle.

Tested:

lpaa6:~# ip link add gre-4097 numtxqueues 4097 numrxqueues 4097 type ip6gretap
RTNETLINK answers: Invalid argument

lpaa6:~# time ip link add gre-4096 numtxqueues 4096 numrxqueues 4096 type ip6gretap

real	0m0.180s
user	0m0.000s
sys	0m0.107s

Fixes: 76ff5cc919 ("rtnl: allow to specify number of rx and tx queues on device creation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-20 09:52:37 +02:00
Sean Tranchetti
1f3a236692 netlabel: check for IPV4MASK in addrinfo_get
[ Upstream commit f88b4c01b97e09535505cf3c327fdbce55c27f00 ]

netlbl_unlabel_addrinfo_get() assumes that if it finds the
NLBL_UNLABEL_A_IPV4ADDR attribute, it must also have the
NLBL_UNLABEL_A_IPV4MASK attribute as well. However, this is
not necessarily the case as the current checks in
netlbl_unlabel_staticadd() and friends are not sufficient to
enforce this.

If passed a netlink message with NLBL_UNLABEL_A_IPV4ADDR,
NLBL_UNLABEL_A_IPV6ADDR, and NLBL_UNLABEL_A_IPV6MASK attributes,
these functions will all call netlbl_unlabel_addrinfo_get(), which
will then attempt to dereference NULL when fetching the non-existent
NLBL_UNLABEL_A_IPV4MASK attribute:

Unable to handle kernel NULL pointer dereference at virtual address 0
Process unlab (pid: 31762, stack limit = 0xffffff80502d8000)
Call trace:
	netlbl_unlabel_addrinfo_get+0x44/0xd8
	netlbl_unlabel_staticremovedef+0x98/0xe0
	genl_rcv_msg+0x354/0x388
	netlink_rcv_skb+0xac/0x118
	genl_rcv+0x34/0x48
	netlink_unicast+0x158/0x1f0
	netlink_sendmsg+0x32c/0x338
	sock_sendmsg+0x44/0x60
	___sys_sendmsg+0x1d0/0x2a8
	__sys_sendmsg+0x64/0xb4
	SyS_sendmsg+0x34/0x4c
	el0_svc_naked+0x34/0x38
Code: 51001149 7100113f 540000a0 f9401508 (79400108)
---[ end trace f6438a488e737143 ]---
Kernel panic - not syncing: Fatal exception

Signed-off-by: Sean Tranchetti <stranche@codeaurora.org>

Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-20 09:52:36 +02:00
Jeff Barnhill
9ee4a60d61 net/ipv6: Display all addresses in output of /proc/net/if_inet6
[ Upstream commit 86f9bd1ff61c413a2a251fa736463295e4e24733 ]

The backend handling for /proc/net/if_inet6 in addrconf.c doesn't properly
handle starting/stopping the iteration.  The problem is that at some point
during the iteration, an overflow is detected and the process is
subsequently stopped.  The item being shown via seq_printf() when the
overflow occurs is not actually shown, though.  When start() is
subsequently called to resume iterating, it returns the next item, and
thus the item that was being processed when the overflow occurred never
gets printed.

Alter the meaning of the private data member "offset".  Currently, when it
is not 0 (which only happens at the very beginning), "offset" represents
the next hlist item to be printed.  After this change, "offset" always
represents the current item.

This is also consistent with the private data member "bucket", which
represents the current bucket, and also the use of "pos" as defined in
seq_file.txt:
    The pos passed to start() will always be either zero, or the most
    recent pos used in the previous session.

Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-20 09:52:36 +02:00
Sabrina Dubroca
2b7e4c7359 net: ipv4: update fnhe_pmtu when first hop's MTU changes
[ Upstream commit af7d6cce53694a88d6a1bb60c9a239a6a5144459 ]

Since commit 5aad1de5ea ("ipv4: use separate genid for next hop
exceptions"), exceptions get deprecated separately from cached
routes. In particular, administrative changes don't clear PMTU anymore.

As Stefano described in commit e9fa1495d738 ("ipv6: Reflect MTU changes
on PMTU of exceptions for MTU-less routes"), the PMTU discovered before
the local MTU change can become stale:
 - if the local MTU is now lower than the PMTU, that PMTU is now
   incorrect
 - if the local MTU was the lowest value in the path, and is increased,
   we might discover a higher PMTU

Similarly to what commit e9fa1495d738 did for IPv6, update PMTU in those
cases.

If the exception was locked, the discovered PMTU was smaller than the
minimal accepted PMTU. In that case, if the new local MTU is smaller
than the current PMTU, let PMTU discovery figure out if locking of the
exception is still needed.

To do this, we need to know the old link MTU in the NETDEV_CHANGEMTU
notifier. By the time the notifier is called, dev->mtu has been
changed. This patch adds the old MTU as additional information in the
notifier structure, and a new call_netdevice_notifiers_u32() function.

Fixes: 5aad1de5ea ("ipv4: use separate genid for next hop exceptions")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-20 09:52:36 +02:00
Eric Dumazet
d7148eeb64 ipv4: fix use-after-free in ip_cmsg_recv_dstaddr()
[ Upstream commit 64199fc0a46ba211362472f7f942f900af9492fd ]

Caching ip_hdr(skb) before a call to pskb_may_pull() is buggy,
do not do it.

Fixes: 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-20 09:52:36 +02:00
Paolo Abeni
f9d3572816 ip_tunnel: be careful when accessing the inner header
[ Upstream commit ccfec9e5cb2d48df5a955b7bf47f7782157d3bc2 ]

Cong noted that we need the same checks introduced by commit 76c0ddd8c3a6
("ip6_tunnel: be careful when accessing the inner header")
even for ipv4 tunnels.

Fixes: c544193214 ("GRE: Refactor GRE tunneling code.")
Suggested-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-20 09:52:36 +02:00
Paolo Abeni
20f16d1a38 ip6_tunnel: be careful when accessing the inner header
[ Upstream commit 76c0ddd8c3a683f6e2c6e60e11dc1a1558caf4bc ]

The ip6 tunnel xmit ndo assumes that the processed skb always
contains an ip[v6] header, but syzbot has found a way to send
frames that fall short of this assumption, leading to the following splat:

BUG: KMSAN: uninit-value in ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1307 [inline]
BUG: KMSAN: uninit-value in ip6_tnl_start_xmit+0x7d2/0x1ef0 net/ipv6/ip6_tunnel.c:1390
CPU: 0 PID: 4504 Comm: syz-executor558 Not tainted 4.16.0+ #87
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x185/0x1d0 lib/dump_stack.c:53
  kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
  __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
  ip6ip6_tnl_xmit net/ipv6/ip6_tunnel.c:1307 [inline]
  ip6_tnl_start_xmit+0x7d2/0x1ef0 net/ipv6/ip6_tunnel.c:1390
  __netdev_start_xmit include/linux/netdevice.h:4066 [inline]
  netdev_start_xmit include/linux/netdevice.h:4075 [inline]
  xmit_one net/core/dev.c:3026 [inline]
  dev_hard_start_xmit+0x5f1/0xc70 net/core/dev.c:3042
  __dev_queue_xmit+0x27ee/0x3520 net/core/dev.c:3557
  dev_queue_xmit+0x4b/0x60 net/core/dev.c:3590
  packet_snd net/packet/af_packet.c:2944 [inline]
  packet_sendmsg+0x7c70/0x8a30 net/packet/af_packet.c:2969
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg net/socket.c:640 [inline]
  ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
  __sys_sendmmsg+0x42d/0x800 net/socket.c:2136
  SYSC_sendmmsg+0xc4/0x110 net/socket.c:2167
  SyS_sendmmsg+0x63/0x90 net/socket.c:2162
  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x441819
RSP: 002b:00007ffe58ee8268 EFLAGS: 00000213 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000441819
RDX: 0000000000000002 RSI: 0000000020000100 RDI: 0000000000000003
RBP: 00000000006cd018 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000402510
R13: 00000000004025a0 R14: 0000000000000000 R15: 0000000000000000

Uninit was created at:
  kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
  kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
  kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
  kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
  slab_post_alloc_hook mm/slab.h:445 [inline]
  slab_alloc_node mm/slub.c:2737 [inline]
  __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
  __kmalloc_reserve net/core/skbuff.c:138 [inline]
  __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
  alloc_skb include/linux/skbuff.h:984 [inline]
  alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
  sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
  packet_alloc_skb net/packet/af_packet.c:2803 [inline]
  packet_snd net/packet/af_packet.c:2894 [inline]
  packet_sendmsg+0x6454/0x8a30 net/packet/af_packet.c:2969
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg net/socket.c:640 [inline]
  ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
  __sys_sendmmsg+0x42d/0x800 net/socket.c:2136
  SYSC_sendmmsg+0xc4/0x110 net/socket.c:2167
  SyS_sendmmsg+0x63/0x90 net/socket.c:2162
  do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2

This change addresses the issue by adding the needed check before
accessing the inner header.

The ipv4 side of the issue is apparently there since the ipv4 over ipv6
initial support, and the ipv6 side predates git history.

Fixes: c4d3efafcc ("[IPV6] IP6TUNNEL: Add support to IPv4 over IPv6 tunnel.")
Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Reported-by: syzbot+3fde91d4d394747d6db4@syzkaller.appspotmail.com
Tested-by: Alexander Potapenko <glider@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-20 09:52:36 +02:00
Srinivasarao P
02d722f11f Merge android-4.4.161 (8e7f196) into msm-4.4
* refs/heads/tmp-8e7f196
  Linux 4.4.161
  ebtables: arpreply: Add the standard target sanity check
  ath10k: fix scan crash due to incorrect length calculation
  tcp: add tcp_ooo_try_coalesce() helper
  tcp: call tcp_drop() from tcp_data_queue_ofo()
  tcp: free batches of packets in tcp_prune_ofo_queue()
  tcp: fix a stale ooo_last_skb after a replace
  tcp: use an RB tree for ooo receive queue
  tcp: increment sk_drops for dropped rx packets
  ubifs: Check for name being NULL while mounting
  ucma: fix a use-after-free in ucma_resolve_ip()
  ARC: clone syscall to setp r25 as thread pointer
  powerpc/fadump: Return error when fadump registration fails
  ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
  cgroup: Fix deadlock in cpu hotplug path
  ext4: always verify the magic number in xattr blocks
  of: unittest: Disable interrupt node tests for old world MAC systems
  USB: serial: simple: add Motorola Tetra MTP6550 id
  xhci: Add missing CAS workaround for Intel Sunrise Point xHCI
  dm cache: fix resize crash if user doesn't reload cache table
  PM / core: Clear the direct_complete flag on errors
  mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
  PCI: Reprogram bridge prefetch registers on resume
  x86/vdso: Fix vDSO syscall fallback asm constraint regression
  x86/vdso: Fix asm constraints on vDSO syscall fallbacks
  fbdev/omapfb: fix omapfb_memory_read infoleak
  mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly

Change-Id: If31f9e57679a3b1deb1049c86aeaead5ccbd64a6
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2018-10-15 14:35:31 +05:30
Srinivasarao P
f25fed2710 Merge android-4.4.160 (a94efb1) into msm-4.4
* refs/heads/tmp-a94efb1
  Linux 4.4.160
  dm thin metadata: fix __udivdi3 undefined on 32-bit
  ocfs2: fix locking for res->tracking and dlm->tracking_list
  proc: restrict kernel stack dumps to root
  crypto: mxs-dcp - Fix wait logic on chan threads
  ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760
  smb2: fix missing files in root share directory listing
  xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage
  xen: avoid crash in disable_hotplug_cpu
  xen/manage: don't complain about an empty value in control/sysrq node
  cifs: read overflow in is_valid_oplock_break()
  s390/qeth: don't dump past end of unknown HW header
  r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
  arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto"
  hexagon: modify ffs() and fls() to return int
  arch/hexagon: fix kernel/dma.c build warning
  dm thin metadata: try to avoid ever aborting transactions
  fs/cifs: suppress a string overflow warning
  drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
  USB: yurex: Check for truncation in yurex_read()
  RDMA/ucma: check fd type in ucma_migrate_id()
  perf probe powerpc: Ignore SyS symbols irrespective of endianness
  usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]
  mm: madvise(MADV_DODUMP): allow hugetlbfs pages
  tools/vm/page-types.c: fix "defined but not used" warning
  tools/vm/slabinfo.c: fix sign-compare warning
  mac80211: shorten the IBSS debug messages
  mac80211: Fix station bandwidth setting after channel switch
  mac80211: fix a race between restart and CSA flows
  cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
  fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
  net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx()
  i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
  i2c: uniphier: issue STOP only for last message or I2C_M_STOP
  RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
  cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
  mac80211: mesh: fix HWMP sequence numbering to follow standard
  gpio: adp5588: Fix sleep-in-atomic-context bug
  mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
  mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
  KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function
  media: v4l: event: Prevent freeing event subscriptions while accessed
  arm64: KVM: Sanitize PSTATE.M when being set from userspace
  arm64: cpufeature: Track 32bit EL0 support
  i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
  hwmon: (adt7475) Make adt7475_read_word() return errors
  hwmon: (ina2xx) fix sysfs shunt resistor read access
  e1000: ensure to free old tx/rx rings in set_ringparam()
  e1000: check on netif_running() before calling e1000_up()
  net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
  thermal: of-thermal: disable passive polling when thermal zone is disabled
  ext4: never move the system.data xattr out of the inode body
  arm64: KVM: Tighten guest core register access from userspace
  serial: imx: restore handshaking irq for imx1
  scsi: target: iscsi: Use bin2hex instead of a re-implementation
  IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
  Input: elantech - enable middle button of touchpad on ThinkPad P72
  USB: remove LPM management from usb_driver_claim_interface()
  Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()"
  USB: usbdevfs: restore warning for nonsensical flags
  USB: usbdevfs: sanitize flags more
  media: uvcvideo: Support realtek's UVC 1.5 device
  slub: make ->cpu_partial unsigned int
  USB: handle NULL config in usb_find_alt_setting()
  USB: fix error handling in usb_driver_claim_interface()
  spi: rspi: Fix interrupted DMA transfers
  spi: rspi: Fix invalid SPI use during system suspend
  spi: sh-msiof: Fix handling of write value for SISTR register
  spi: sh-msiof: Fix invalid SPI use during system suspend
  spi: tegra20-slink: explicitly enable/disable clock
  serial: cpm_uart: return immediately from console poll
  floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
  ARM: dts: dra7: fix DCAN node addresses
  nfsd: fix corrupted reply to badly ordered compound
  module: exclude SHN_UNDEF symbols from kallsyms api
  ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
  EDAC, i7core: Fix memleaks and use-after-free on probe and remove
  scsi: bnx2i: add error handling for ioremap_nocache
  HID: hid-ntrig: add error handling for sysfs_create_group
  ARM: mvebu: declare asm symbols as character arrays in pmsu.c
  wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
  rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
  ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
  ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
  media: tm6000: add error handling for dvb_register_adapter
  drivers/tty: add error handling for pcmcia_loop_config
  staging: android: ashmem: Fix mmap size validation
  media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
  media: soc_camera: ov772x: correct setting of banding filter
  media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
  ALSA: snd-aoa: add of_node_put() in error path
  s390/extmem: fix gcc 8 stringop-overflow warning
  alarmtimer: Prevent overflow for relative nanosleep
  powerpc/powernv/ioda2: Reduce upper limit for DMA window size
  usb: wusbcore: security: cast sizeof to int for comparison
  scsi: ibmvscsi: Improve strings handling
  scsi: klist: Make it safe to use klists in atomic context
  scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size
  x86/entry/64: Add two more instruction suffixes
  x86/tsc: Add missing header to tsc_msr.c
  media: fsl-viu: fix error handling in viu_of_probe()
  powerpc/kdump: Handle crashkernel memory reservation failure
  media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
  md-cluster: clear another node's suspend_area after the copy is finished
  6lowpan: iphc: reset mac_header after decompress to fix panic
  USB: serial: kobil_sct: fix modem-status error handling
  Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
  power: vexpress: fix corruption in notifier registration
  uwb: hwa-rc: fix memory leak at probe
  staging: rts5208: fix missing error check on call to rtsx_write_register
  x86/numa_emulation: Fix emulated-to-physical node mapping
  vmci: type promotion bug in qp_host_get_user_memory()
  tsl2550: fix lux1_input error in low light
  crypto: skcipher - Fix -Wstringop-truncation warnings
  ANDROID: sdcardfs: Change current->fs under lock
  ANDROID: sdcardfs: Don't use OVERRIDE_CRED macro
  Revert "f2fs: use timespec64 for inode timestamps"

Conflicts:
	arch/arm64/include/asm/cpufeature.h

Change-Id: I661204f2419f634173846d03ed4078b93aa006a1
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2018-10-15 14:30:20 +05:30
Greg Kroah-Hartman
8e7f196597 This is the 4.4.161 stable release

Merge 4.4.161 into android-4.4

Changes in 4.4.161
	mm/vmstat.c: skip NR_TLB_REMOTE_FLUSH* properly
	fbdev/omapfb: fix omapfb_memory_read infoleak
	x86/vdso: Fix asm constraints on vDSO syscall fallbacks
	x86/vdso: Fix vDSO syscall fallback asm constraint regression
	PCI: Reprogram bridge prefetch registers on resume
	mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
	PM / core: Clear the direct_complete flag on errors
	dm cache: fix resize crash if user doesn't reload cache table
	xhci: Add missing CAS workaround for Intel Sunrise Point xHCI
	USB: serial: simple: add Motorola Tetra MTP6550 id
	of: unittest: Disable interrupt node tests for old world MAC systems
	ext4: always verify the magic number in xattr blocks
	cgroup: Fix deadlock in cpu hotplug path
	ath10k: fix use-after-free in ath10k_wmi_cmd_send_nowait
	powerpc/fadump: Return error when fadump registration fails
	ARC: clone syscall to setp r25 as thread pointer
	ucma: fix a use-after-free in ucma_resolve_ip()
	ubifs: Check for name being NULL while mounting
	tcp: increment sk_drops for dropped rx packets
	tcp: use an RB tree for ooo receive queue
	tcp: fix a stale ooo_last_skb after a replace
	tcp: free batches of packets in tcp_prune_ofo_queue()
	tcp: call tcp_drop() from tcp_data_queue_ofo()
	tcp: add tcp_ooo_try_coalesce() helper
	ath10k: fix scan crash due to incorrect length calculation
	ebtables: arpreply: Add the standard target sanity check
	Linux 4.4.161

Change-Id: I4c6607d0be0977857f966b048279590470c854c2
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-10-13 10:39:05 +02:00
Gao Feng
3a07d58f20 ebtables: arpreply: Add the standard target sanity check
commit c953d63548207a085abcb12a15fefc8a11ffdf0a upstream.

The info->target comes from userspace and it would be used directly.
So we need to add the sanity check to make sure it is a valid standard
target, although the ebtables tool has already checked it. Kernel needs
to validate anything coming from userspace.

If the target is set to an evil value, it would break the ebtables
and cause a panic, because the non-standard target is treated as one
offset.

Now add one helper function ebt_invalid_target, and we would replace
the macro INVALID_TARGET later.

Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Loic <hackurx@opensec.fr>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:35 +02:00
Eric Dumazet
eee1af4e26 tcp: add tcp_ooo_try_coalesce() helper
[ Upstream commit 58152ecbbcc6a0ce7fddd5bf5f6ee535834ece0c ]

In case skb in out_of_order_queue is the result of
multiple skbs coalescing, we would like to get a proper gso_segs
counter tracking, so that future tcp_drop() can report an accurate
number.

I chose to not implement this tracking for skbs in receive queue,
since they are not dropped, unless socket is disconnected.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:35 +02:00
Eric Dumazet
be28848147 tcp: call tcp_drop() from tcp_data_queue_ofo()
[ Upstream commit 8541b21e781a22dce52a74fef0b9bed00404a1cd ]

In order to be able to give better diagnostics and detect
malicious traffic, we need to have better sk->sk_drops tracking.

Fixes: 9f5afeae5152 ("tcp: use an RB tree for ooo receive queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:35 +02:00
Eric Dumazet
352b66932a tcp: free batches of packets in tcp_prune_ofo_queue()
[ Upstream commit 72cd43ba64fc172a443410ce01645895850844c8 ]

Juha-Matti Tilli reported that malicious peers could inject tiny
packets in out_of_order_queue, forcing very expensive calls
to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() for
every incoming packet. out_of_order_queue rb-tree can contain
thousands of nodes, iterating over all of them is not nice.

Before linux-4.9, we would have pruned all packets in ofo_queue
in one go, every XXXX packets. XXXX depends on sk_rcvbuf and skbs
truesize, but is about 7000 packets with tcp_rmem[2] default of 6 MB.

Since we plan to increase tcp_rmem[2] in the future to cope with
modern BDP, we cannot revert to the old behavior without great pain.

Strategy taken in this patch is to purge ~12.5 % of the queue capacity.

Fixes: 36a6503fedda ("tcp: refine tcp_prune_ofo_queue() to not drop all packets")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Juha-Matti Tilli <juha-matti.tilli@iki.fi>
Acked-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:35 +02:00
Eric Dumazet
e747775172 tcp: fix a stale ooo_last_skb after a replace
[ Upstream commit 76f0dcbb5ae1a7c3dbeec13dd98233b8e6b0b32a ]

When an skb replaces another one in the ooo queue, I forgot to also
update tp->ooo_last_skb if the replaced skb was the last one
in the queue.

To fix this, we can simply re-use the code that runs after an insertion,
trying to merge skbs at the right of the current skb.

This not only fixes the bug, but also removes all small skbs that might
be a subset of the new one.

Example:

We receive segments 2001:3001,  4001:5001

Then we receive 2001:8001 : We should replace 2001:3001 with the big
skb, but also remove 4001:5001 from the queue to save space.

packetdrill test demonstrating the bug

0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3
+0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0
+0 bind(3, ..., ...) = 0
+0 listen(3, 1) = 0

+0 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 7>
+0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 7>
+0.100 < . 1:1(0) ack 1 win 1024
+0 accept(3, ..., ...) = 4

+0.01 < . 1001:2001(1000) ack 1 win 1024
+0    > . 1:1(0) ack 1 <nop,nop, sack 1001:2001>

+0.01 < . 1001:3001(2000) ack 1 win 1024
+0    > . 1:1(0) ack 1 <nop,nop, sack 1001:2001 1001:3001>

Fixes: 9f5afeae5152 ("tcp: use an RB tree for ooo receive queue")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Yuchung Cheng <ycheng@google.com>
Cc: Yaogong Wang <wygivan@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:34 +02:00
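The replace case described in the commit above, with its stale ooo_last_skb and the 4001:5001 segment left behind, is easier to follow on a small model. The C program below is an added example, not code from this commit or from the kernel: it keeps the out-of-order segments in a sorted array instead of the rb-tree, leaves out coalescing and SACK/DSACK bookkeeping, and exposes the pre-fix path behind a `fixed` flag so both behaviours can be compared. ooo_insert(), ooo_merge_right() and the demo_*() functions are the example's own names; the segment numbers are the ones from the commit message and its packetdrill test.

```c
#include <stdbool.h>
#include <string.h>

#define OOO_MAX  64    /* toy queue capacity */
#define POOL_MAX 256   /* toy "heap"; slots are never reused */

/* An out-of-order segment [seq, end_seq); stands in for an skb. */
struct seg { unsigned int seq, end_seq; };

struct ooo_queue {
    struct seg pool[POOL_MAX];  /* no reuse, so a dangling pointer stays comparable */
    struct seg *segs[OOO_MAX];  /* sorted by seq: the rb-tree, in order */
    int pool_used, n;
    struct seg *last;           /* models tp->ooo_last_skb */
    unsigned int drops;         /* models sk->sk_drops, bumped by tcp_drop() */
};

/* Wraparound-safe sequence comparisons, as before()/after() in tcp.h. */
static bool before(unsigned int a, unsigned int b) { return (int)(a - b) < 0; }
#define after(a, b) before(b, a)

/* "Allocate" an skb from the pool. */
static struct seg *seg_alloc(struct ooo_queue *q, unsigned int seq, unsigned int end_seq)
{
    struct seg *s = &q->pool[q->pool_used++];
    *s = (struct seg){ seq, end_seq };
    return s;
}

/* Unlink and "free" segs[i]; every freed skb is counted, as tcp_drop() does. */
static void ooo_remove_at(struct ooo_queue *q, int i)
{
    memmove(&q->segs[i], &q->segs[i + 1], (size_t)(q->n - i - 1) * sizeof q->segs[0]);
    q->n--;
    q->drops++;
}

/* merge_right: drop every following segment fully covered by segs[idx],
 * then refresh the cached tail pointer. */
static void ooo_merge_right(struct ooo_queue *q, int idx)
{
    unsigned int end_seq = q->segs[idx]->end_seq;
    while (idx + 1 < q->n) {
        struct seg *next = q->segs[idx + 1];
        if (!after(end_seq, next->seq) || before(end_seq, next->end_seq))
            break;              /* no overlap, or only a partial one: keep it */
        ooo_remove_at(q, idx + 1);
    }
    if (idx + 1 == q->n)
        q->last = q->segs[idx]; /* nothing after us: we are the last skb */
}

/* Queue [seq, end_seq); coalescing is left out. fixed == false reproduces the
 * pre-fix replace path: return right after freeing the old skb, with no
 * right-merge and ooo_last_skb possibly still pointing at the freed skb. */
static void ooo_insert(struct ooo_queue *q, unsigned int seq, unsigned int end_seq, bool fixed)
{
    int i = 0;
    if (q->n == OOO_MAX || q->pool_used == POOL_MAX) { q->drops++; return; } /* toy limit */
    while (i < q->n && !before(seq, q->segs[i]->seq))
        i++;                    /* first segment that starts after seq */
    if (i > 0 && before(seq, q->segs[i - 1]->end_seq)) {
        struct seg *prev = q->segs[i - 1];
        if (!after(end_seq, prev->end_seq)) { q->drops++; return; } /* already queued: drop */
        if (seq == prev->seq) { /* same start, longer: replace prev */
            q->segs[i - 1] = seg_alloc(q, seq, end_seq);
            q->drops++;         /* the replaced skb is freed */
            if (fixed)
                ooo_merge_right(q, i - 1);
            return;
        }                       /* partial overlap on the left: insert after prev */
    }
    memmove(&q->segs[i + 1], &q->segs[i], (size_t)(q->n - i) * sizeof q->segs[0]);
    q->segs[i] = seg_alloc(q, seq, end_seq);
    q->n++;
    ooo_merge_right(q, i);
}

/* The commit's example: 2001:3001 and 4001:5001 queued, then 2001:8001.
 * Returns the segments left: 2 pre-fix (the covered 4001:5001 survives), 1 fixed. */
static int demo_replace_keeps_subset(bool fixed)
{
    struct ooo_queue q = { .n = 0 };
    ooo_insert(&q, 2001, 3001, fixed);
    ooo_insert(&q, 4001, 5001, fixed);
    ooo_insert(&q, 2001, 8001, fixed);
    return q.n;
}

/* The packetdrill case: 1001:2001, then 1001:3001. True when ooo_last_skb
 * no longer points at the real tail, i.e. the dangling-pointer bug. */
static bool demo_last_skb_stale(bool fixed)
{
    struct ooo_queue q = { .n = 0 };
    ooo_insert(&q, 1001, 2001, fixed);
    ooo_insert(&q, 1001, 3001, fixed);
    return q.last != q.segs[q.n - 1];
}
```

In the fixed path the replace case falls into the same right-merge loop as a fresh insertion, which is the whole fix: the loop both prunes anything the larger skb now covers and re-derives the tail pointer from the queue instead of trusting a cached one that may already have been freed.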
Yaogong Wang
4666b6e2b2 tcp: use an RB tree for ooo receive queue
[ Upstream commit 9f5afeae51526b3ad7b7cb21ee8b145ce6ea7a7a ]

Over the years, TCP BDP has increased by several orders of magnitude,
and some people are considering reaching the 2 Gbytes limit.

Even with the current window scale limit of 14, ~1 Gbytes maps to ~740,000
MSS.

In the presence of packet losses (or reorders), TCP stores incoming packets
into an out of order queue, and the number of skbs sitting there waiting for
the missing packets to be received can be in the 10^5 range.

Most packets are appended to the tail of this queue, and when
packets can finally be transferred to receive queue, we scan the queue
from its head.

However, in presence of heavy losses, we might have to find an arbitrary
point in this queue, involving a linear scan for every incoming packet,
throwing away cpu caches.

This patch converts it to a RB tree, to get bounded latencies.

Yaogong wrote a preliminary patch about 2 years ago.
Eric did the rebase, added ofo_last_skb cache, polishing and tests.

Tested with network dropping between 1 and 10 % packets, with good
success (about 30 % increase of throughput in stress tests)

Next step would be to also use an RB tree for the write queue at sender
side ;)

Signed-off-by: Yaogong Wang <wygivan@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Acked-By: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:34 +02:00
Eric Dumazet
ec7055c627 tcp: increment sk_drops for dropped rx packets
[ Upstream commit 532182cd610782db8c18230c2747626562032205 ]

Now that ss can report sk_drops, we can instruct TCP to increment
this per socket counter when it drops an incoming frame, to refine
monitoring and debugging.

Following patch takes care of listeners drops.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Mao Wenan <maowenan@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:34 +02:00
Felix Fietkau
24479b9d2d mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys
commit 211710ca74adf790b46ab3867fcce8047b573cd1 upstream.

key->sta is only valid after ieee80211_key_link, which is called later
in this function. Because of that, the IEEE80211_KEY_FLAG_RX_MGMT is
never set when management frame protection is enabled.

Fixes: e548c49e6d ("mac80211: add key flag for management keys")
Cc: stable@vger.kernel.org
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-13 09:11:32 +02:00
Greg Kroah-Hartman
a94efb1c27 This is the 4.4.160 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlu9oZ4ACgkQONu9yGCS
 aT5wmw/6As7cB5ufEFIVzCU3xJdf2yrD/+iaAY4fJUFWrgsqvImvwTeGyGm05AK2
 /7VHaIW3ATmfLbgE4Qsq+eP/rfNPqkfDd7rVCIfrP3r51XhmP/e6/Mnfd3NN9K+O
 FbRDc5U9kirzItAUsm1z9ntCuZDRfMdbazDAHB7eFlO2DgmV+u+o5KbzoeGM4mRk
 IIDbdROW3sRmoPhubHBYZmGKFL+WNMxG/V1x+3iVnM1TNeGFgfR0NXaQ4s2lqdz8
 tiJ0SNxcfEy/rAa1BgyuaKCcIXrD3OjaWOLYTB8Lr2PDn3WIyvpTw3sD2puCYWB9
 zKLzKL/zPo4VK4wFAXZwbEhJuYrxRv4EsqyKKIdVzHeKtyMfHzMZg2uhnT1luLd8
 yFiagE66H/Nn4SUznkD/bZNn1Zvyz7ME1AXq/L5go8HfuF2qVxaq/tczTJSCKsmH
 M195RmR6JJ9ZF63mvyfopdyErcPXmBjnOgVb7TNXRa3yNyjZBFXvAUQQg/ZPkidl
 81WsNVRyOr2LKpHmhceEcrXICqLmederLW/ZYc3+Ti8GnCf0AVL1bcnwAFygqvfp
 Liq1YTWfqZl3/LHTCn1Jp3PduCgUAIREjP4g/YaHHJs+HfnZuvZcSa5maf1TieVk
 IYbVtzkeKW8nTMGQnDazMl/LVmjV0bsA8tLakDW4ClUKRxX4nNI=
 =99U3
 -----END PGP SIGNATURE-----

Merge 4.4.160 into android-4.4

Changes in 4.4.160
	crypto: skcipher - Fix -Wstringop-truncation warnings
	tsl2550: fix lux1_input error in low light
	vmci: type promotion bug in qp_host_get_user_memory()
	x86/numa_emulation: Fix emulated-to-physical node mapping
	staging: rts5208: fix missing error check on call to rtsx_write_register
	uwb: hwa-rc: fix memory leak at probe
	power: vexpress: fix corruption in notifier registration
	Bluetooth: Add a new Realtek 8723DE ID 0bda:b009
	USB: serial: kobil_sct: fix modem-status error handling
	6lowpan: iphc: reset mac_header after decompress to fix panic
	md-cluster: clear another node's suspend_area after the copy is finished
	media: exynos4-is: Prevent NULL pointer dereference in __isp_video_try_fmt()
	powerpc/kdump: Handle crashkernel memory reservation failure
	media: fsl-viu: fix error handling in viu_of_probe()
	x86/tsc: Add missing header to tsc_msr.c
	x86/entry/64: Add two more instruction suffixes
	scsi: target/iscsi: Make iscsit_ta_authentication() respect the output buffer size
	scsi: klist: Make it safe to use klists in atomic context
	scsi: ibmvscsi: Improve strings handling
	usb: wusbcore: security: cast sizeof to int for comparison
	powerpc/powernv/ioda2: Reduce upper limit for DMA window size
	alarmtimer: Prevent overflow for relative nanosleep
	s390/extmem: fix gcc 8 stringop-overflow warning
	ALSA: snd-aoa: add of_node_put() in error path
	media: s3c-camif: ignore -ENOIOCTLCMD from v4l2_subdev_call for s_power
	media: soc_camera: ov772x: correct setting of banding filter
	media: omap3isp: zero-initialize the isp cam_xclk{a,b} initial data
	staging: android: ashmem: Fix mmap size validation
	drivers/tty: add error handling for pcmcia_loop_config
	media: tm6000: add error handling for dvb_register_adapter
	ALSA: hda: Add AZX_DCAPS_PM_RUNTIME for AMD Raven Ridge
	ath10k: protect ath10k_htt_rx_ring_free with rx_ring.lock
	rndis_wlan: potential buffer overflow in rndis_wlan_auth_indication()
	wlcore: Add missing PM call for wlcore_cmd_wait_for_event_or_timeout()
	ARM: mvebu: declare asm symbols as character arrays in pmsu.c
	HID: hid-ntrig: add error handling for sysfs_create_group
	scsi: bnx2i: add error handling for ioremap_nocache
	EDAC, i7core: Fix memleaks and use-after-free on probe and remove
	ASoC: dapm: Fix potential DAI widget pointer deref when linking DAIs
	module: exclude SHN_UNDEF symbols from kallsyms api
	nfsd: fix corrupted reply to badly ordered compound
	ARM: dts: dra7: fix DCAN node addresses
	floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl
	serial: cpm_uart: return immediately from console poll
	spi: tegra20-slink: explicitly enable/disable clock
	spi: sh-msiof: Fix invalid SPI use during system suspend
	spi: sh-msiof: Fix handling of write value for SISTR register
	spi: rspi: Fix invalid SPI use during system suspend
	spi: rspi: Fix interrupted DMA transfers
	USB: fix error handling in usb_driver_claim_interface()
	USB: handle NULL config in usb_find_alt_setting()
	slub: make ->cpu_partial unsigned int
	media: uvcvideo: Support realtek's UVC 1.5 device
	USB: usbdevfs: sanitize flags more
	USB: usbdevfs: restore warning for nonsensical flags
	Revert "usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()"
	USB: remove LPM management from usb_driver_claim_interface()
	Input: elantech - enable middle button of touchpad on ThinkPad P72
	IB/srp: Avoid that sg_reset -d ${srp_device} triggers an infinite loop
	scsi: target: iscsi: Use bin2hex instead of a re-implementation
	serial: imx: restore handshaking irq for imx1
	arm64: KVM: Tighten guest core register access from userspace
	ext4: never move the system.data xattr out of the inode body
	thermal: of-thermal: disable passive polling when thermal zone is disabled
	net: hns: fix length and page_offset overflow when CONFIG_ARM64_64K_PAGES
	e1000: check on netif_running() before calling e1000_up()
	e1000: ensure to free old tx/rx rings in set_ringparam()
	hwmon: (ina2xx) fix sysfs shunt resistor read access
	hwmon: (adt7475) Make adt7475_read_word() return errors
	i2c: i801: Allow ACPI AML access I/O ports not reserved for SMBus
	arm64: cpufeature: Track 32bit EL0 support
	arm64: KVM: Sanitize PSTATE.M when being set from userspace
	media: v4l: event: Prevent freeing event subscriptions while accessed
	KVM: PPC: Book3S HV: Don't truncate HPTE index in xlate function
	mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
	mac80211_hwsim: correct use of IEEE80211_VHT_CAP_RXSTBC_X
	gpio: adp5588: Fix sleep-in-atomic-context bug
	mac80211: mesh: fix HWMP sequence numbering to follow standard
	cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
	RAID10 BUG_ON in raise_barrier when force is true and conf->barrier is 0
	i2c: uniphier: issue STOP only for last message or I2C_M_STOP
	i2c: uniphier-f: issue STOP only for last message or I2C_M_STOP
	net: cadence: Fix a sleep-in-atomic-context bug in macb_halt_tx()
	fs/cifs: don't translate SFM_SLASH (U+F026) to backslash
	cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
	mac80211: fix a race between restart and CSA flows
	mac80211: Fix station bandwidth setting after channel switch
	mac80211: shorten the IBSS debug messages
	tools/vm/slabinfo.c: fix sign-compare warning
	tools/vm/page-types.c: fix "defined but not used" warning
	mm: madvise(MADV_DODUMP): allow hugetlbfs pages
	usb: gadget: fotg210-udc: Fix memory leak of fotg210->ep[i]
	perf probe powerpc: Ignore SyS symbols irrespective of endianness
	RDMA/ucma: check fd type in ucma_migrate_id()
	USB: yurex: Check for truncation in yurex_read()
	drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
	fs/cifs: suppress a string overflow warning
	dm thin metadata: try to avoid ever aborting transactions
	arch/hexagon: fix kernel/dma.c build warning
	hexagon: modify ffs() and fls() to return int
	arm64: jump_label.h: use asm_volatile_goto macro instead of "asm goto"
	r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
	s390/qeth: don't dump past end of unknown HW header
	cifs: read overflow in is_valid_oplock_break()
	xen/manage: don't complain about an empty value in control/sysrq node
	xen: avoid crash in disable_hotplug_cpu
	xen: fix GCC warning and remove duplicate EVTCHN_ROW/EVTCHN_COL usage
	smb2: fix missing files in root share directory listing
	ALSA: hda/realtek - Cannot adjust speaker's volume on Dell XPS 27 7760
	crypto: mxs-dcp - Fix wait logic on chan threads
	proc: restrict kernel stack dumps to root
	ocfs2: fix locking for res->tracking and dlm->tracking_list
	dm thin metadata: fix __udivdi3 undefined on 32-bit
	Linux 4.4.160

Change-Id: I54d72945f741d6b4442adcd7bc18cb5417accb0f
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-10-10 20:12:41 +02:00
Emmanuel Grumbach
e712dfc228 mac80211: shorten the IBSS debug messages
[ Upstream commit c6e57b3896fc76299913b8cfd82d853bee8a2c84 ]

When tracing is enabled, all the debug messages are recorded and must
not exceed MAX_MSG_LEN (100) columns. Longer debug messages grant the
user with:

WARNING: CPU: 3 PID: 32642 at /tmp/wifi-core-20180806094828/src/iwlwifi-stack-dev/net/mac80211/./trace_msg.h:32 trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211]
Workqueue: phy1 ieee80211_iface_work [mac80211]
 RIP: 0010:trace_event_raw_event_mac80211_msg_event+0xab/0xc0 [mac80211]
 Call Trace:
  __sdata_dbg+0xbd/0x120 [mac80211]
  ieee80211_ibss_rx_queued_mgmt+0x15f/0x510 [mac80211]
  ieee80211_iface_work+0x21d/0x320 [mac80211]

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-10 08:52:11 +02:00
Ilan Peer
8ac8c00f26 mac80211: Fix station bandwidth setting after channel switch
[ Upstream commit 0007e94355fdb71a1cf5dba0754155cba08f0666 ]

When performing a channel switch flow for a managed interface, the
flow did not update the bandwidth of the AP station and the rate
scale algorithm. In case of a channel width downgrade, this would
result with the rate scale algorithm using a bandwidth that does not
match the interface channel configuration.

Fix this by updating the AP station bandwidth and rate scaling algorithm
before the actual channel change in case of a bandwidth downgrade, or
after the actual channel change in case of a bandwidth upgrade.

Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-10 08:52:11 +02:00
Emmanuel Grumbach
1d9e59cbd3 mac80211: fix a race between restart and CSA flows
[ Upstream commit f3ffb6c3a28963657eb8b02a795d75f2ebbd5ef4 ]

We hit a problem with iwlwifi that was caused by a bug in
mac80211. A bug in iwlwifi caused the firmware to crash in
certain cases in channel switch. Because of that bug,
drv_pre_channel_switch would fail and trigger the restart
flow.
Now we had the hw restart worker which runs on the system's
workqueue and the csa_connection_drop_work worker that runs
on mac80211's workqueue that can run together. This is
obviously problematic since the restart work wants to
reconfigure the connection, while the csa_connection_drop_work
worker does the exact opposite: it tries to disconnect.

Fix this by cancelling the csa_connection_drop_work worker
in the restart worker.

Note that this can sound racy: we could have:

driver   iface_work   CSA_work   restart_work
+++++++++++++++++++++++++++++++++++++++++++++
              |
 <--drv_cs ---|
<FW CRASH!>
-CS FAILED-->
              |                       |
              |                 cancel_work(CSA)
           schedule                   |
           CSA work                   |
                         |            |
                        Race between those 2

But this is not possible because we flush the workqueue
in the restart worker before we cancel the CSA worker.
That would be bullet proof if we could guarantee that
we schedule the CSA worker only from the iface_work
which runs on the workqueue (and not on the system's
workqueue), but unfortunately we do have an instance
in which we schedule the CSA work outside the context
of the workqueue (ieee80211_chswitch_done).

Note also that we should probably cancel other workers
like beacon_connection_loss_work and possibly others
for different types of interfaces, at the very least,
IBSS should suffer from the exact same problem, but for
now, do the minimum to fix the actual bug that was actually
experienced and reproduced.

Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-10 08:52:11 +02:00
Dan Carpenter
2c81860b8e cfg80211: fix a type issue in ieee80211_chandef_to_operating_class()
[ Upstream commit 8442938c3a2177ba16043b3a935f2c78266ad399 ]

The "chandef->center_freq1" variable is a u32 but "freq" is a u16 so we
are truncating away the high bits.  I noticed this bug because in commit
9cf0a0b4b64a ("cfg80211: Add support for 60GHz band channels 5 and 6")
we made "freq <= 56160 + 2160 * 6" a valid frequency when before it was
only "freq <= 56160 + 2160 * 4" that was valid.  It introduces a static
checker warning:

    net/wireless/util.c:1571 ieee80211_chandef_to_operating_class()
    warn: always true condition '(freq <= 56160 + 2160 * 6) => (0-u16max <= 69120)'

But really we probably shouldn't have been truncating the high bits
away to begin with.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-10 08:52:11 +02:00
Arunk Khandavalli
7445b71128 cfg80211: nl80211_update_ft_ies() to validate NL80211_ATTR_IE
[ Upstream commit 4f0223bfe9c3e62d8f45a85f1ef1b18a8a263ef9 ]

nl80211_update_ft_ies() tried to validate NL80211_ATTR_IE with
is_valid_ie_attr() before dereferencing it, but that helper function
returns true in case of NULL pointer (i.e., attribute not included).
This can result in dereferencing a NULL pointer. Fix that by explicitly
checking that NL80211_ATTR_IE is included.

Fixes: 355199e02b ("cfg80211: Extend support for IEEE 802.11r Fast BSS Transition")
Signed-off-by: Arunk Khandavalli <akhandav@codeaurora.org>
Signed-off-by: Jouni Malinen <jouni@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-10 08:52:11 +02:00
Yuan-Chi Pang
dd23c326d6 mac80211: mesh: fix HWMP sequence numbering to follow standard
[ Upstream commit 1f631c3201fe5491808df143d8fcba81b3197ffd ]

IEEE 802.11-2016 14.10.8.3 HWMP sequence numbering says:
If it is a target mesh STA, it shall update its own HWMP SN to
maximum (current HWMP SN, target HWMP SN in the PREQ element) + 1
immediately before it generates a PREP element in response to a
PREQ element.

Signed-off-by: Yuan-Chi Pang <fu3mo6goo@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-10 08:52:10 +02:00
Danek Duvall
3ba72689c8 mac80211: correct use of IEEE80211_VHT_CAP_RXSTBC_X
[ Upstream commit 67d1ba8a6dc83d90cd58b89fa6cbf9ae35a0cf7f ]

The mod mask for VHT capabilities intends to say that you can override
the number of STBC receive streams, and it does, but only by accident.
The IEEE80211_VHT_CAP_RXSTBC_X aren't bits to be set, but values (albeit
left-shifted).  ORing the bits together gets the right answer, but we
should use the _MASK macro here instead.

Signed-off-by: Danek Duvall <duvall@comfychair.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-10 08:52:10 +02:00
Michael Scott
35af729cae 6lowpan: iphc: reset mac_header after decompress to fix panic
[ Upstream commit 03bc05e1a4972f73b4eb8907aa373369e825c252 ]

After decompression of 6lowpan socket data, an IPv6 header is inserted
before the existing socket payload.  After this, we reset the
network_header value of the skb to account for the difference in payload
size from prior to decompression + the addition of the IPv6 header.

However, we fail to reset the mac_header value.

Leaving the mac_header value untouched here can cause a calculation
error in net/packet/af_packet.c packet_rcv() function when an
AF_PACKET socket is opened in SOCK_RAW mode for use on a 6lowpan
interface.

On line 2088, the data pointer is moved backward by the value returned
from skb_mac_header().  If skb->data is adjusted so that it is before
the skb->head pointer (which can happen when an old value of mac_header
is left in place) the kernel generates a panic in net/core/skbuff.c
line 1717.

This panic can be generated by BLE 6lowpan interfaces (such as bt0) and
802.15.4 interfaces (such as lowpan0) as they both use the same 6lowpan
sources for compression and decompression.

Signed-off-by: Michael Scott <michael@opensourcefoundries.com>
Acked-by: Alexander Aring <aring@mojatatu.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-10-10 08:52:04 +02:00
Srinivasarao P
1065e41df3 Merge android-4.4.159 (624c095) into msm-4.4
* refs/heads/tmp-624c095
  Linux 4.4.159
  iw_cxgb4: only allow 1 flush on user qps
  HID: sony: Support DS4 dongle
  HID: sony: Update device ids
  arm64: Add trace_hardirqs_off annotation in ret_to_user
  ext4: don't mark mmp buffer head dirty
  ext4: fix online resizing for bigalloc file systems with a 1k block size
  ext4: fix online resize's handling of a too-small final block group
  ext4: recalucate superblock checksum after updating free blocks/inodes
  ext4: avoid divide by zero fault when deleting corrupted inline directories
  tty: vt_ioctl: fix potential Spectre v1
  drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect()
  ocfs2: fix ocfs2 read block panic
  scsi: target: iscsi: Use hex2bin instead of a re-implementation
  neighbour: confirm neigh entries when ARP packet is received
  net: hp100: fix always-true check for link up state
  net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
  ipv6: fix possible use-after-free in ip6_xmit()
  gso_segment: Reset skb->mac_len after modifying network header
  mm: shmem.c: Correctly annotate new inodes for lockdep
  ring-buffer: Allow for rescheduling when removing pages
  xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code
  xen/netfront: don't bug in case of too many frags
  platform/x86: alienware-wmi: Correct a memory leak
  ALSA: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO
  ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping
  ASoC: cs4265: fix MMTLR Data switch control
  NFC: Fix the number of pipes
  NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
  ANDROID: restrict store of prefer_idle as boolean
  f2fs: readahead encrypted block during GC
  f2fs: avoid fi->i_gc_rwsem[WRITE] lock in f2fs_gc
  f2fs: fix performance issue observed with multi-thread sequential read
  f2fs: fix to skip verifying block address for non-regular inode
  f2fs: rework fault injection handling to avoid a warning
  f2fs: support fault_type mount option
  f2fs: fix to return success when trimming meta area
  f2fs: fix use-after-free of dicard command entry
  f2fs: support discard submission error injection
  f2fs: split discard command in prior to block layer
  f2fs: wake up gc thread immediately when gc_urgent is set
  f2fs: fix incorrect range->len in f2fs_trim_fs()
  f2fs: refresh recent accessed nat entry in lru list
  f2fs: fix avoid race between truncate and background GC
  f2fs: avoid race between zero_range and background GC
  f2fs: fix to do sanity check with block address in main area v2
  f2fs: fix to do sanity check with inline flags
  f2fs: fix to reset i_gc_failures correctly
  f2fs: fix invalid memory access
  f2fs: fix to avoid broken of dnode block list
  f2fs: use true and false for boolean values
  f2fs: fix to do sanity check with cp_pack_start_sum
  f2fs: avoid f2fs_bug_on() in cp_error case
  f2fs: fix to clear PG_checked flag in set_page_dirty()
  f2fs: fix to active page in lru list for read path
  f2fs: don't keep meta pages used for block migration
  f2fs: fix to restrict mount condition when without CONFIG_QUOTA
  f2fs: quota: do not mount as RDWR without QUOTA if quota feature enabled
  f2fs: quota: fix incorrect comments
  f2fs: add proc entry to show victim_secmap bitmap
  f2fs: let checkpoint flush dnode page of regular
  f2fs: issue discard align to section in LFS mode
  f2fs: don't allow any writes on aborted atomic writes
  f2fs: restrict setting up inode.i_advise
  f2fs: fix wrong kernel message when recover fsync data on ro fs
  f2fs: clean up ioctl interface naming
  f2fs: clean up with f2fs_is_{atomic,volatile}_file()
  f2fs: clean up with f2fs_encrypted_inode()
  f2fs: clean up with get_current_nat_page
  f2fs: kill EXT_TREE_VEC_SIZE
  f2fs: avoid duplicated permission check for "trusted." xattrs
  f2fs: fix to propagate error from __get_meta_page()
  f2fs: fix to do sanity check with i_extra_isize
  f2fs: blk_finish_plug of submit_bio in lfs mode
  f2fs: do not set free of current section
  f2fs: Keep alloc_valid_block_count in sync
  f2fs: issue small discard by LBA order
  f2fs: stop issuing discard immediately if there is queued IO
  f2fs: clean up with IS_INODE()
  f2fs: detect bug_on in f2fs_wait_discard_bios
  f2fs: fix defined but not used build warnings
  f2fs: enable real-time discard by default
  f2fs: fix to detect looped node chain correctly
  f2fs: fix to do sanity check with block address in main area
  f2fs: fix to skip GC if type in SSA and SIT is inconsistent
  f2fs: try grabbing node page lock aggressively in sync scenario
  f2fs: show the fsync_mode=nobarrier mount option
  f2fs: check the right return value of memory alloc function
  f2fs: Replace strncpy with memcpy
  f2fs: avoid the global name 'fault_name'
  f2fs: fix to do sanity check with reserved blkaddr of inline inode
  f2fs: fix to do sanity check with node footer and iblocks
  f2fs: Allocate and stat mem used by free nid bitmap more accurately
  f2fs: fix to do sanity check with user_block_count
  f2fs: fix to do sanity check with extra_attr feature
  f2fs: fix to correct return value of f2fs_trim_fs
  f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
  f2fs: fix to do sanity check with secs_per_zone
  f2fs: disable f2fs_check_rb_tree_consistence
  f2fs: introduce and spread verify_blkaddr
  f2fs: use timespec64 for inode timestamps
  f2fs: fix to wait on page writeback before updating page
  f2fs: assign REQ_RAHEAD to bio for ->readpages
  f2fs: fix a hungtask problem caused by congestion_wait
  f2fs: Fix uninitialized return in f2fs_ioc_shutdown()
  f2fs: don't issue discard commands in online discard is on
  f2fs: fix to propagate return value of scan_nat_page()
  f2fs: support in-memory inode checksum when checking consistency
  f2fs: fix error path of fill_super
  f2fs: relocate readdir_ra configure initialization
  f2fs: move s_res{u,g}id initialization to default_options()
  f2fs: don't acquire orphan ino during recovery
  f2fs: avoid potential deadlock in f2fs_sbi_store
  f2fs: indicate shutdown f2fs to allow unmount successfully
  f2fs: keep meta pages in cp_error state
  f2fs: do checkpoint in kill_sb
  f2fs: allow wrong configured dio to buffered write
  f2fs: flush journal nat entries for nat_bits during unmount

Conflicts:
	drivers/hid/hid-core.c

Change-Id: Idc486f778059ca65307ab08678f3b1e23c4ec15f
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2018-10-08 10:55:01 +05:30
Greg Kroah-Hartman
624c095947 This is the 4.4.159 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAluvTzgACgkQONu9yGCS
 aT4cDBAAt3nIMdRL1imwklktUpNu+O8GlhoHi3Py3B5EijuaWMCrKHaONHCundtq
 rZ5fSVtZkdTE6wOEJygY/w8foTmlC0iqpeOUzLXB/rPXaAwIC1EUx4/eaU3SBv3m
 XN2XqKNnlF7lVoetIrS/RV2jGDM+h5p+oV0FOAMQb69/ozlpac0yIXABwiWXp7xe
 v8ccCyqdc3b+nCB0x6/jMmKocPAVDfRl4oWYXKBi7qmD7n3dLXPyHNaxvfoKoZY/
 Zfepjx3uaL+r7Z2nPwl3/5uiEqEDahIBCHoc/EpIHS7EnwVXD4G9lBRQPCdtZfjG
 9qKz5pVgjv/c713UIbvuigxZgL39iuyMQvJn9kySoLjuBJ6auKIBJdVkzpYmUSaY
 qMWVPW0l7j/VntF3hCTYYNXDU1xqI0d8BESkrA4dTQsLW8HbkNNmIPEwCZ0Fn60Y
 HIzkXX+wv3N+G2uIs4aTVXYuvJ+ukiTYW5vc4a16cP62ZSyafRUn/0aiiuyaWg/q
 lHI4jNnxEEkiOyH7EznBmxApWWfc8e9fVTsWva0p7ghFJ9dTbmE+eCEUzTIbE6I7
 HITq7uu0VfB8WZWmL59HtZ+dI3CMN0oAzwHM0s5dbi/o0oPtiXGRkCAxjtq/+ikA
 91+V3AAWkdADzKp+NQ0oV0GMe1M5lN61m19U93UCspE/Kn6UfX4=
 =0NRm
 -----END PGP SIGNATURE-----

Merge 4.4.159 into android-4.4

Changes in 4.4.159
	NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
	NFC: Fix the number of pipes
	ASoC: cs4265: fix MMTLR Data switch control
	ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping
	ALSA: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO
	platform/x86: alienware-wmi: Correct a memory leak
	xen/netfront: don't bug in case of too many frags
	xen/x86/vpmu: Zero struct pt_regs before calling into sample handling code
	ring-buffer: Allow for rescheduling when removing pages
	mm: shmem.c: Correctly annotate new inodes for lockdep
	gso_segment: Reset skb->mac_len after modifying network header
	ipv6: fix possible use-after-free in ip6_xmit()
	net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
	net: hp100: fix always-true check for link up state
	neighbour: confirm neigh entries when ARP packet is received
	scsi: target: iscsi: Use hex2bin instead of a re-implementation
	ocfs2: fix ocfs2 read block panic
	drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect()
	tty: vt_ioctl: fix potential Spectre v1
	ext4: avoid divide by zero fault when deleting corrupted inline directories
	ext4: recalucate superblock checksum after updating free blocks/inodes
	ext4: fix online resize's handling of a too-small final block group
	ext4: fix online resizing for bigalloc file systems with a 1k block size
	ext4: don't mark mmp buffer head dirty
	arm64: Add trace_hardirqs_off annotation in ret_to_user
	HID: sony: Update device ids
	HID: sony: Support DS4 dongle
	iw_cxgb4: only allow 1 flush on user qps
	Linux 4.4.159

Change-Id: I98239ca60783ca69147f2f11034138fc22e2af65
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-09-29 07:51:37 -07:00
Vasily Khoruzhick
c6e3864253 neighbour: confirm neigh entries when ARP packet is received
[ Upstream commit f0e0d04413fcce9bc76388839099aee93cd0d33b ]

Update 'confirmed' timestamp when ARP packet is received. It shouldn't
affect locktime logic and anyway the entry can be confirmed by any higher-layer
protocol. Thus it makes sense to confirm it when ARP packet is received.

Fixes: 77d7123342dc ("neighbour: update neigh timestamps iff update is effective")
Signed-off-by: Vasily Khoruzhick <vasilykh@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-29 03:08:52 -07:00
Eric Dumazet
2ec3b47a78 ipv6: fix possible use-after-free in ip6_xmit()
[ Upstream commit bbd6528d28c1b8e80832b3b018ec402b6f5c3215 ]

In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
we need to call skb_set_owner_w() before consuming original skb,
otherwise we risk a use-after-free.

Bring IPv6 in line with what we do in IPv4 to fix this.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-29 03:08:52 -07:00
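The ordering problem this commit describes, as an added illustration that is not the kernel's code: a minimal C model of a socket with a reference count and an skb that owns it. The struct and function names mirror the kernel's, but the bodies are this example's simplifications (assumption), and a `freed` flag stands in for the memory actually being released. The buggy variant consumes the original skb before the new skb takes ownership, so when that skb held the last socket reference the transfer touches a freed socket; the fixed variant transfers ownership first, which is what the commit does.

```c
#include <stdio.h>
#include <stdlib.h>

/* Simplified models (assumption) of the kernel objects involved. */
struct sock {
	int refcnt;
	int freed;		/* set when the last reference is dropped */
};

struct sk_buff {
	struct sock *sk;	/* non-NULL when this skb holds a socket reference */
	int headroom;
};

static void sock_hold(struct sock *sk)
{
	sk->refcnt++;
}

static void sock_put(struct sock *sk)
{
	if (--sk->refcnt == 0)
		sk->freed = 1;	/* a real kernel frees the object here */
}

/* Make skb the owner of sk, taking a socket reference. Returns -1 if sk was
 * already freed: that is the use-after-free the fix prevents. */
static int skb_set_owner_w(struct sk_buff *skb, struct sock *sk)
{
	if (sk->freed)
		return -1;
	skb->sk = sk;
	sock_hold(sk);
	return 0;
}

/* Free skb; if it owned a socket, release that reference. */
static void consume_skb(struct sk_buff *skb)
{
	if (skb->sk)
		sock_put(skb->sk);
	free(skb);
}

/* Allocate a copy with hlen more bytes of headroom. The copy starts unowned. */
static struct sk_buff *skb_realloc_headroom(const struct sk_buff *skb, int hlen)
{
	struct sk_buff *skb2 = calloc(1, sizeof(*skb2));

	if (skb2)
		skb2->headroom = skb->headroom + hlen;
	return skb2;
}

/* Buggy order: the original skb is consumed, possibly dropping the last
 * socket reference, before the new skb takes ownership. On the
 * use-after-free path this returns NULL and sets *uaf. */
static struct sk_buff *grow_headroom_buggy(struct sk_buff *skb, int hlen, int *uaf)
{
	struct sock *sk = skb->sk;
	struct sk_buff *skb2 = skb_realloc_headroom(skb, hlen);

	*uaf = 0;
	if (!skb2)
		return NULL;
	consume_skb(skb);
	if (sk && skb_set_owner_w(skb2, sk) < 0) {
		*uaf = 1;
		free(skb2);
		return NULL;
	}
	return skb2;
}

/* Fixed order: transfer ownership to the new skb first, then consume the
 * original; the socket's reference count never reaches zero in between. */
static struct sk_buff *grow_headroom_fixed(struct sk_buff *skb, int hlen, int *uaf)
{
	struct sk_buff *skb2 = skb_realloc_headroom(skb, hlen);

	*uaf = 0;
	if (!skb2)
		return NULL;
	if (skb->sk && skb_set_owner_w(skb2, skb->sk) < 0)
		*uaf = 1;
	consume_skb(skb);
	return skb2;
}

int main(void)
{
	struct sock sk = { 0, 0 };
	struct sk_buff *skb = calloc(1, sizeof(*skb));
	int uaf;

	skb_set_owner_w(skb, &sk);	/* this skb holds the only reference */
	printf("buggy order: %s\n", grow_headroom_buggy(skb, 40, &uaf) ? "ok" : "failed");
	printf("use-after-free hit: %d\n", uaf);
	return 0;
}
```

The model makes the failure visible because `skb_set_owner_w()` refuses a freed socket; in the kernel the same step would silently increment a reference count inside freed memory.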
Toke Høiland-Jørgensen
cb66016b7b gso_segment: Reset skb->mac_len after modifying network header
[ Upstream commit c56cae23c6b167acc68043c683c4573b80cbcc2c ]

When splitting a GSO segment that consists of encapsulated packets, the
skb->mac_len of the segments can end up being set wrong, causing packet
drops in particular when using act_mirred and ifb interfaces in
combination with a qdisc that splits GSO packets.

This happens because at the time skb_segment() is called, network_header
will point to the inner header, throwing off the calculation in
skb_reset_mac_len(). The network_header is subsequently adjusted by the
outer IP gso_segment handlers, but they don't set the mac_len.

Fix this by adding skb_reset_mac_len() calls to both the IPv4 and IPv6
gso_segment handlers, after they modify the network_header.

Many thanks to Eric Dumazet for his help in identifying the cause of
the bug.

Acked-by: Dave Taht <dave.taht@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-29 03:08:52 -07:00
Suren Baghdasaryan
ec56e98f80 NFC: Fix possible memory corruption when handling SHDLC I-Frame commands
commit 674d9de02aa7d521ebdf66c3958758bdd9c64e11 upstream.

When handling SHDLC I-Frame commands, the "pipe" field used for indexing
into an array should be checked before usage. If left unchecked it
might access memory outside of the array of size NFC_HCI_MAX_PIPES (127).

Malformed NFC HCI frames could be injected by a malicious NFC device
communicating with the device being attacked (remote attack vector),
or even by an attacker with physical access to the I2C bus such that
they could influence the data transfers on that bus (local attack vector).
skb->data is controlled by the attacker and has only been sanitized in
the most trivial ways (CRC check), therefore we can consider the
create_info struct and all of its members to be tainted. 'create_info->pipe',
with a max value of 255 (uint8), is used to take an offset into the
hdev->pipes array of 127 elements, which can lead to an OOB write.

Cc: Samuel Ortiz <sameo@linux.intel.com>
Cc: Allen Pais <allen.pais@oracle.com>
Cc: "David S. Miller" <davem@davemloft.net>
Suggested-by: Kevin Deus <kdeus@google.com>
Signed-off-by: Suren Baghdasaryan <surenb@google.com>
Acked-by: Kees Cook <keescook@chromium.org>
Cc: stable <stable@vger.kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-29 03:08:51 -07:00
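The bound the commit adds, as an added example in C that is not the driver's code. The array size is the kernel's NFC_HCI_MAX_PIPES; the pipe table, the wire layout of the create-pipe parameter block and the -EPROTO return value are this example's own simplifications (assumption). The unchecked variant indexes the 127-entry table with a byte the peer chose, so any value from 127 to 255 writes past the end; the checked variant rejects a short payload and an out-of-range pipe before touching the table.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NFC_HCI_MAX_PIPES	127	/* the kernel's table size */
#define NFC_HCI_INVALID_GATE	0xff

/* Simplified stand-in (assumption) for one entry of hdev->pipes. */
struct hci_pipe {
	uint8_t gate;
	uint8_t dest_host;
};

/* Parameter block of the create-pipe response carried in the I-Frame.
 * Every byte comes from the peer; "pipe" can be anything from 0 to 255. */
struct hci_create_pipe_resp {
	uint8_t src_host;
	uint8_t src_gate;
	uint8_t dest_host;
	uint8_t dest_gate;
	uint8_t pipe;
};

struct hci_dev {
	struct hci_pipe pipes[NFC_HCI_MAX_PIPES];
};

void hci_dev_init(struct hci_dev *hdev)
{
	size_t i;

	for (i = 0; i < NFC_HCI_MAX_PIPES; i++) {
		hdev->pipes[i].gate = NFC_HCI_INVALID_GATE;
		hdev->pipes[i].dest_host = 0;
	}
}

/* Before the fix: the attacker-controlled index is used as-is. A pipe value
 * of 127..255 writes 2 bytes beyond the table. Shown for comparison only;
 * never call it with a pipe that has not been validated. */
void create_pipe_unchecked(struct hci_dev *hdev,
			   const struct hci_create_pipe_resp *ci)
{
	hdev->pipes[ci->pipe].gate = ci->dest_gate;
	hdev->pipes[ci->pipe].dest_host = ci->src_host;
}

/* After the fix: check the payload length and the pipe index before any
 * table access. Returns 0 on success, -EPROTO on a malformed frame. */
int create_pipe_checked(struct hci_dev *hdev, const uint8_t *payload, size_t len)
{
	struct hci_create_pipe_resp ci;

	if (len < sizeof(ci))
		return -EPROTO;
	memcpy(&ci, payload, sizeof(ci));
	if (ci.pipe >= NFC_HCI_MAX_PIPES)
		return -EPROTO;

	hdev->pipes[ci.pipe].gate = ci.dest_gate;
	hdev->pipes[ci.pipe].dest_host = ci.src_host;
	return 0;
}

int main(void)
{
	struct hci_dev dev;
	/* Constructed frames: identical except for the trailing pipe byte. */
	const uint8_t good[5] = { 0x01, 0x10, 0x02, 0x30, 0x05 };
	const uint8_t evil[5] = { 0x01, 0x10, 0x02, 0x30, 0xff };

	hci_dev_init(&dev);
	printf("pipe 5:   %d\n", create_pipe_checked(&dev, good, sizeof(good)));
	printf("pipe 255: %d (rejected)\n", create_pipe_checked(&dev, evil, sizeof(evil)));
	return 0;
}
```

The length check matters as much as the index check: the real handler reads the parameter block out of skb->data, so a truncated frame would otherwise let the index byte come from whatever follows the payload.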
Srinivasarao P
d9a879450e Merge android-4.4.158 (f9e4134) into msm-4.4
* refs/heads/tmp-f9e4134
  Linux 4.4.158
  MIPS: VDSO: Match data page cache colouring when D$ aliases
  drivers: net: cpsw: fix segfault in case of bad phy-handle
  mei: bus: type promotion bug in mei_nfc_if_version()
  USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
  pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant
  drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
  selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress
  ALSA: pcm: Fix snd_interval_refine first/last with open min/max
  rtc: bq4802: add error handling for devm_ioremap
  drm/amdkfd: Fix error codes in kfd_get_process
  gpiolib: Mark gpio_suffixes array with __maybe_unused
  coresight: tpiu: Fix disabling timeouts
  coresight: Handle errors in finding input/output ports
  parport: sunbpp: fix error return code
  drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping
  ARM: hisi: check of_iomap and fix missing of_node_put
  ARM: hisi: fix error handling and missing of_node_put
  ARM: hisi: handle of_iomap and fix missing of_node_put
  MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
  mtdchar: fix overflows in adjustment of `count`
  audit: fix use-after-free in audit_add_watch
  binfmt_elf: Respect error return from `regset->active'
  CIFS: fix wrapping bugs in num_entries()
  cifs: prevent integer overflow in nxt_dir_entry()
  usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()
  USB: yurex: Fix buffer over-read in yurex_write()
  usb: misc: uss720: Fix two sleep-in-atomic-context bugs
  USB: serial: io_ti: fix array underflow in completion handler
  USB: net2280: Fix erroneous synchronization change
  USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller
  usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()
  usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
  USB: Add quirk to support DJI CineSSD
  usb: Don't die twice if PCI xhci host is not responding in resume
  misc: hmc6352: fix potential Spectre v1
  Tools: hv: Fix a bug in the key delete code
  IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
  xen/netfront: fix waiting for xenbus state change
  pstore: Fix incorrect persistent ram buffer mapping
  RDMA/cma: Protect cma dev list with lock
  xen-netfront: fix warn message as irq device name has '/'
  crypto: sharah - Unregister correct algorithms for SAHARA 3
  platform/x86: toshiba_acpi: Fix defined but not used build warnings
  s390/qeth: reset layer2 attribute on layer switch
  s390/qeth: fix race in used-buffer accounting
  arm64: dts: qcom: db410c: Fix Bluetooth LED trigger
  xen-netfront: fix queue name setting
  mac80211: restrict delayed tailroom needed decrement
  MIPS: jz4740: Bump zload address
  powerpc/powernv: opal_put_chars partial write fix
  perf powerpc: Fix callchain ip filtering
  ARM: exynos: Clear global variable on init error path
  fbdev: Distinguish between interlaced and progressive modes
  perf powerpc: Fix callchain ip filtering when return address is in a register
  fbdev/via: fix defined but not used warning
  video: goldfishfb: fix memory leak on driver remove
  fbdev: omapfb: off by one in omapfb_register_client()
  mtd/maps: fix solutionengine.c printk format warnings
  media: videobuf2-core: check for q->error in vb2_core_qbuf()
  MIPS: ath79: fix system restart
  dmaengine: pl330: fix irq race with terminate_all
  kbuild: add .DELETE_ON_ERROR special target
  clk: imx6ul: fix missing of_node_put()
  gfs2: Special-case rindex for gfs2_grow
  xfrm: fix 'passing zero to ERR_PTR()' warning
  ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
  ALSA: msnd: Fix the default sample sizes
  iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
  BACKPORT: arm/syscalls: Optimize address limit check
  UPSTREAM: syscalls: Use CHECK_DATA_CORRUPTION for addr_limit_user_check
  BACKPORT: arm64/syscalls: Check address limit on user-mode return
  BACKPORT: x86/syscalls: Check address limit on user-mode return
  BACKPORT: lkdtm: add bad USER_DS test
  UPSTREAM: bug: switch data corruption check to __must_check
  BACKPORT: lkdtm: Add tests for struct list corruption
  UPSTREAM: bug: Provide toggle for BUG on data corruption
  UPSTREAM: list: Split list_del() debug checking into separate function
  UPSTREAM: rculist: Consolidate DEBUG_LIST for list_add_rcu()
  BACKPORT: list: Split list_add() debug checking into separate function
  FROMLIST: ANDROID: binder: Add BINDER_GET_NODE_INFO_FOR_REF ioctl.

Conflicts:
	include/linux/bug.h
	lib/Kconfig.debug
	lib/list_debug.c

Change-Id: I9d87b6b133cac5b642e5e0c928e0bcd0eda6fbdb
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2018-09-28 12:18:14 +05:30
Srinivasarao P
9637304250 Merge android-4.4.157 (c139ea66) into msm-4.4
* refs/heads/tmp-c139ea66
  Linux 4.4.157
  mm: get rid of vmacache_flush_all() entirely
  x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
  autofs: fix autofs_sbi() does not check super block type
  mtd: ubi: wl: Fix error return code in ubi_wl_init()
  crypto: vmx - Fix sleep-in-atomic bugs
  ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle
  net: ethernet: ti: cpsw: fix mdio device reference leak
  drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config
  netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
  vmw_balloon: include asm/io.h
  xhci: Fix use-after-free in xhci_free_virt_device
  RDMA/cma: Do not ignore net namespace for unbound cm_id
  MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
  f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
  mfd: ti_am335x_tscadc: Fix struct clk memory leak
  iommu/ipmmu-vmsa: Fix allocation in atomic context
  partitions/aix: fix usage of uninitialized lv_info and lvname structures
  partitions/aix: append null character to print data from disk
  Input: atmel_mxt_ts - only use first T9 instance
  net: dcb: For wild-card lookups, use priority -1, not 0
  MIPS: Octeon: add missing of_node_put()
  net: mvneta: fix mtu change on port without link
  gpio: ml-ioh: Fix buffer underwrite on probe error path
  x86/mm: Remove in_nmi() warning from vmalloc_fault()
  Bluetooth: hidp: Fix handling of strncpy for hid->name information
  ath10k: disable bundle mgmt tx completion event support
  scsi: 3ware: fix return 0 on the error path of probe
  ata: libahci: Correct setting of DEVSLP register
  MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
  ath10k: prevent active scans on potential unusable channels
  macintosh/via-pmu: Add missing mmio accessors
  NFSv4.0 fix client reference leak in callback
  perf tools: Allow overriding MAX_NR_CPUS at compile time
  f2fs: do not set free of current section
  tty: rocket: Fix possible buffer overwrite on register_PCI
  uio: potential double frees if __uio_register_device() fails
  misc: ti-st: Fix memory leak in the error path of probe()
  md/raid5: fix data corruption of replacements after originals dropped
  scsi: target: fix __transport_register_session locking
  gpio: tegra: Move driver registration to subsys_init level
  Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
  ethtool: Remove trailing semicolon for static inline
  misc: mic: SCIF Fix scif_get_new_port() error handling
  ARC: [plat-axs*]: Enable SWAP
  locking/osq_lock: Fix osq_lock queue corruption
  selinux: use GFP_NOWAIT in the AVC kmem_caches
  locking/rwsem-xadd: Fix missed wakeup due to reordering of load
  block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg
  staging/rts5208: Fix read overflow in memcpy
  staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
  kthread: fix boot hang (regression) on MIPS/OpenRISC
  kthread: Fix use-after-free if kthread fork fails
  cfq: Give a chance for arming slice idle timer in case of group_idle
  ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
  i2c: i801: fix DNV's SMBCTRL register offset
  i2c: xiic: Make the start and the byte count write atomic

Conflicts:
	block/blk-cgroup.c
	drivers/net/wireless/ath/ath10k/wmi-tlv.c
	kernel/locking/rwsem-xadd.c

Change-Id: If6c24e0c16e173dc2a22e047200bbd7a4f11f713
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2018-09-28 12:12:40 +05:30
Srinivasarao P
0280dd7aee Merge android-4.4.156 (7eb7037) into msm-4.4
* refs/heads/tmp-7eb7037
  Linux 4.4.156
  btrfs: use correct compare function of dirty_metadata_bytes
  ASoC: wm8994: Fix missing break in switch
  s390/lib: use expoline for all bcr instructions
  mei: me: allow runtime pm for platform with D0i3
  sch_tbf: fix two null pointer dereferences on init failure
  sch_netem: avoid null pointer deref on init failure
  sch_hhf: fix null pointer dereference on init failure
  sch_multiq: fix double free on init failure
  sch_htb: fix crash on init failure
  ovl: proper cleanup of workdir
  ovl: override creds with the ones from the superblock mounter
  ovl: rename is_merge to is_lowest
  irqchip/gic: Make interrupt ID 1020 invalid
  irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar()
  irqchip/gicv3-its: Avoid cache flush beyond ITS_BASERn memory size
  irqchip/gicv3-its: Fix memory leak in its_free_tables()
  irqchip/gic-v3-its: Recompute the number of pages on page size change
  genirq: Delay incrementing interrupt count if it's disabled/pending
  Fixes: Commit cdbf92675f ("mm: numa: avoid waiting on freed migrated pages")
  enic: do not call enic_change_mtu in enic_probe
  Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
  irda: Only insert new objects into the global database via setsockopt
  irda: Fix memory leak caused by repeated binds of irda socket
  kbuild: make missing $DEPMOD a Warning instead of an Error
  x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
  debugobjects: Make stack check warning more informative
  btrfs: Don't remove block group that still has pinned down bytes
  btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
  btrfs: replace: Reset on-disk dev stats value after replace
  powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
  SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
  smb3: fix reset of bytes read and written stats
  selftests/powerpc: Kill child processes on SIGINT
  staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
  dm kcopyd: avoid softlockup in run_complete_job
  PCI: mvebu: Fix I/O space end address calculation
  scsi: aic94xx: fix an error code in aic94xx_init()
  s390/dasd: fix hanging offline processing due to canceled worker
  powerpc: Fix size calculation using resource_size()
  net/9p: fix error path of p9_virtio_probe
  irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
  platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
  mfd: sm501: Set coherent_dma_mask when creating subdevices
  ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
  fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
  mm/fadvise.c: fix signed overflow UBSAN complaint
  scripts: modpost: check memory allocation results
  fat: validate ->i_start before using
  hfsplus: fix NULL dereference in hfsplus_lookup()
  reiserfs: change j_timestamp type to time64_t
  fork: don't copy inconsistent signal handler state to child
  hfs: prevent crash on exit from failed search
  hfsplus: don't return 0 when fill_super() failed
  cifs: check if SMB2 PDU size has been padded and suppress the warning
  vti6: remove !skb->ignore_df check from vti6_xmit()
  tcp: do not restart timewait timer on rst reception
  qlge: Fix netdev features configuration.
  net: bcmgenet: use MAC link status for fixed phy
  staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
  x86/speculation/l1tf: Fix up pte->pfn conversion for PAE

Conflicts:
	drivers/staging/android/ion/ion.c

Change-Id: I7153f61c3a676a788f64eeb8bab13e840bbbf985
[readded the function ion_handle_get_by_id() which got deleted with
commit 'staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free'
since it is used in msm/msm_ion.c]
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
2018-09-28 12:05:58 +05:30
Greg Kroah-Hartman
f9e413438f This is the 4.4.158 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlurKKAACgkQONu9yGCS
 aT56cg/9F4REUye5lO2uuxSnNOH56YXrZNiM77W+JzS/gog37m35W9zf1o5ggkSE
 4Ow3jZIQYPRkKx9pCoHTzWUycdIWNXcntYXr4S+mKnL+YgHqApqNVtkAWCY6CyzX
 sr8S/ZbgRrNHmEcltfiTIyxFIv++8tjOMJxNxEHasCa4WMH1nVk9bmDc+8hk7GEB
 j6SCdlSvk/HeJDWuRnSQZjzW8X0Ua2HtPSEnrBhshP6WW4MlnsR91UdFJD5nJ5e4
 +79GsxEjhNGccoPauqkuvgkAe9iUmLhuWxHU4bO987UK07f+c3GYyKg3AdryThaD
 WAOoNvnNex/meke4ANEim6RxeO1Bi6UCnXMH4oeg/KGP/rzmXzb4H/5vjCrWJipH
 vMMiNYXte1KdHapcXA+oe6d2Q40vH/ZjZionLC7uCjYMDZMf7gNQpHdthqlTxfh6
 560XS9GchSKmJp83xfkqvwma6FqE9C5hl7JdIq6jZJPqDUIVzCL7lbLMy7kkFyoO
 8yM8/1c/yIPUcwfWqe5OnRsVPVeJUEW9attEe9J767VOtsCzTec10m4Sv/vG7Wlr
 UQOnXUrDSrIOJMPTl+0yjMIfRoYUAciCNUngytqH0il752FdZiEPR4TtG9jlejGA
 1cTRB3A9sbHbpWBbZ1MPIS3jOK+0kspwzzdYtTwxpsd522CMCUY=
 =PLD6
 -----END PGP SIGNATURE-----

Merge 4.4.158 into android-4.4

Changes in 4.4.158
	iommu/arm-smmu-v3: sync the OVACKFLG to PRIQ consumer register
	ALSA: msnd: Fix the default sample sizes
	ALSA: usb-audio: Fix multiple definitions in AU0828_DEVICE() macro
	xfrm: fix 'passing zero to ERR_PTR()' warning
	gfs2: Special-case rindex for gfs2_grow
	clk: imx6ul: fix missing of_node_put()
	kbuild: add .DELETE_ON_ERROR special target
	dmaengine: pl330: fix irq race with terminate_all
	MIPS: ath79: fix system restart
	media: videobuf2-core: check for q->error in vb2_core_qbuf()
	mtd/maps: fix solutionengine.c printk format warnings
	fbdev: omapfb: off by one in omapfb_register_client()
	video: goldfishfb: fix memory leak on driver remove
	fbdev/via: fix defined but not used warning
	perf powerpc: Fix callchain ip filtering when return address is in a register
	fbdev: Distinguish between interlaced and progressive modes
	ARM: exynos: Clear global variable on init error path
	perf powerpc: Fix callchain ip filtering
	powerpc/powernv: opal_put_chars partial write fix
	MIPS: jz4740: Bump zload address
	mac80211: restrict delayed tailroom needed decrement
	xen-netfront: fix queue name setting
	arm64: dts: qcom: db410c: Fix Bluetooth LED trigger
	s390/qeth: fix race in used-buffer accounting
	s390/qeth: reset layer2 attribute on layer switch
	platform/x86: toshiba_acpi: Fix defined but not used build warnings
	crypto: sharah - Unregister correct algorithms for SAHARA 3
	xen-netfront: fix warn message as irq device name has '/'
	RDMA/cma: Protect cma dev list with lock
	pstore: Fix incorrect persistent ram buffer mapping
	xen/netfront: fix waiting for xenbus state change
	IB/ipoib: Avoid a race condition between start_xmit and cm_rep_handler
	Tools: hv: Fix a bug in the key delete code
	misc: hmc6352: fix potential Spectre v1
	usb: Don't die twice if PCI xhci host is not responding in resume
	USB: Add quirk to support DJI CineSSD
	usb: Avoid use-after-free by flushing endpoints early in usb_set_interface()
	usb: host: u132-hcd: Fix a sleep-in-atomic-context bug in u132_get_frame()
	USB: add quirk for WORLDE Controller KS49 or Prodipe MIDI 49C USB controller
	USB: net2280: Fix erroneous synchronization change
	USB: serial: io_ti: fix array underflow in completion handler
	usb: misc: uss720: Fix two sleep-in-atomic-context bugs
	USB: yurex: Fix buffer over-read in yurex_write()
	usb: cdc-wdm: Fix a sleep-in-atomic-context bug in service_outstanding_interrupt()
	cifs: prevent integer overflow in nxt_dir_entry()
	CIFS: fix wrapping bugs in num_entries()
	binfmt_elf: Respect error return from `regset->active'
	audit: fix use-after-free in audit_add_watch
	mtdchar: fix overflows in adjustment of `count`
	MIPS: loongson64: cs5536: Fix PCI_OHCI_INT_REG reads
	ARM: hisi: handle of_iomap and fix missing of_node_put
	ARM: hisi: fix error handling and missing of_node_put
	ARM: hisi: check of_iomap and fix missing of_node_put
	drm/nouveau: tegra: Detach from ARM DMA/IOMMU mapping
	parport: sunbpp: fix error return code
	coresight: Handle errors in finding input/output ports
	coresight: tpiu: Fix disabling timeouts
	gpiolib: Mark gpio_suffixes array with __maybe_unused
	drm/amdkfd: Fix error codes in kfd_get_process
	rtc: bq4802: add error handling for devm_ioremap
	ALSA: pcm: Fix snd_interval_refine first/last with open min/max
	selftest: timers: Tweak raw_skew to SKIP when ADJ_OFFSET/other clock adjustments are in progress
	drm/panel: type promotion bug in s6e8aa0_read_mtp_id()
	pinctrl: qcom: spmi-gpio: Fix pmic_gpio_config_get() to be compliant
	USB: serial: ti_usb_3410_5052: fix array underflow in completion handler
	mei: bus: type promotion bug in mei_nfc_if_version()
	drivers: net: cpsw: fix segfault in case of bad phy-handle
	MIPS: VDSO: Match data page cache colouring when D$ aliases
	Linux 4.4.158

Change-Id: I1e31454733d69774fbb97398fd7756438fb8fa17
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-09-26 08:44:52 +02:00
Manikanta Pubbisetty
773320786c mac80211: restrict delayed tailroom needed decrement
[ Upstream commit 133bf90dbb8b873286f8ec2e81ba26e863114b8c ]

As explained in ieee80211_delayed_tailroom_dec(), during roam,
keys of the old AP will be destroyed and new keys will be
installed. Deletion of the old key causes
crypto_tx_tailroom_needed_cnt to go from 1 to 0 and the new key
installation causes a transition from 0 to 1.

Whenever crypto_tx_tailroom_needed_cnt transitions from 0 to 1,
we invoke synchronize_net(); the reason for doing this is to avoid
a race in the TX path as explained in increment_tailroom_need_count().
This synchronize_net() operation can be slow and can affect the station
roam time. To avoid this, decrementing the crypto_tx_tailroom_needed_cnt
is delayed for a while so that upon installation of new key the
transition would be from 1 to 2 instead of 0 to 1 and thereby
improving the roam time.

This is all correct for a STA iftype, but deferring the tailroom_needed
decrement for other iftypes may be unnecessary.

For example, let's consider the case of a 4-addr client connecting to
an AP for which AP_VLAN interface is also created, let the initial
value for tailroom_needed on the AP be 1.

* 4-addr client connects to the AP (AP: tailroom_needed = 1)
* AP will clear old keys, delay decrement of tailroom_needed count
* AP_VLAN is created, it takes the tailroom count from master
  (AP_VLAN: tailroom_needed = 1, AP: tailroom_needed = 1)
* Install new key for the station, assume key is plumbed in the HW,
  there won't be any change in tailroom_needed count on AP iface
* Delayed decrement of tailroom_needed count on AP
  (AP: tailroom_needed = 0, AP_VLAN: tailroom_needed = 1)

Because of the delayed decrement on the AP iface, the tailroom_needed count goes
out of sync between AP (master iface) and AP_VLAN (slave iface), and
there would be unnecessary tailroom created for the packets going
through the AP_VLAN iface.

Also, WARN_ONs were observed while trying to bring down the AP_VLAN
interface:
(warn_slowpath_common) (warn_slowpath_null+0x18/0x20)
(warn_slowpath_null) (ieee80211_free_keys+0x114/0x1e4)
(ieee80211_free_keys) (ieee80211_del_virtual_monitor+0x51c/0x850)
(ieee80211_del_virtual_monitor) (ieee80211_stop+0x30/0x3c)
(ieee80211_stop) (__dev_close_many+0x94/0xb8)
(__dev_close_many) (dev_close_many+0x5c/0xc8)

Restricting delayed decrement to station interface alone fixes the problem
and it makes sense to do so because delayed decrement is done to improve
roam time which is applicable only for client devices.

Signed-off-by: Manikanta Pubbisetty <mpubbise@codeaurora.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-26 08:35:06 +02:00
YueHaibing
1e89472ff0 xfrm: fix 'passing zero to ERR_PTR()' warning
[ Upstream commit 934ffce1343f22ed5e2d0bd6da4440f4848074de ]

Fix a static code checker warning:

  net/xfrm/xfrm_policy.c:1836 xfrm_resolve_and_create_bundle() warn: passing zero to 'ERR_PTR'

xfrm_tmpl_resolve returning 0 just means no xdst was found; return NULL
instead of passing zero to ERR_PTR.

Fixes: d809ec8955 ("xfrm: do not assume that template resolving always returns xfrms")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-26 08:35:04 +02:00
Greg Kroah-Hartman
c139ea660b This is the 4.4.157 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAluitjwACgkQONu9yGCS
 aT7iuA/9FDL/m4yOFPh6lFP6b5JnpDoKniJM3R6eg8am9TYaCe0mwJImEy8yP8sH
 BOK/LECOJqV8Waw0ANQieJYZj/GsRXk9TOwUwvOCbhNwfu+e2x4/31dRIpxSQaCs
 dYROb4ISGd9wyLMKqgh0zqMxKKfb/Ija4oBjfz7xUJYoHFuc8hlfic6HUr8i/J76
 kz5LJ5uPWyrBOKzQT15o0bz05LmnKBX8TyhpzzPBf/+eQ1jzh7uvpawcOz03u8iV
 6VpNXCbTTUf863nmOxcEfuClI1GnCHstAHTKaEc6u5MUhkJKKqxWDTsO92qhnUne
 FXB7/UeVwsGA69Oy4nInJMGI7hHlJ6LR1CBA9SmfjzUvBY9P6nT2vrU6NYg0n3Bd
 tP7S69xXQUdkkvDNjphsOuexuResITJ48obg+Lx2ijCAHNosafKyN1It8t/euOAD
 xCeTxfLtXMCO+3z+UvOwFnKwgLImt1Bh8fGynjpk7fvIycrm+FP0iZ+2cw4NUiMU
 jKtjvQCWbfK64fZ5eIdxo/rKyX7hK3PRMw6r6rEvaW/z6Cm33Dvy+1Rn3fiXJpIS
 oEt7knHsoBraHtrUvbPXMc5S0ZNvoNLD3omWm1Ot+NlP3ogIi/ZFwvwUU537FZmL
 2g8V16o0IliBOqNr3vkDyInv/5+LDVI22noc3bjEoi/LsoYe4j4=
 =2RHb
 -----END PGP SIGNATURE-----

Merge 4.4.157 into android-4.4

Changes in 4.4.157
	i2c: xiic: Make the start and the byte count write atomic
	i2c: i801: fix DNV's SMBCTRL register offset
	ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
	cfq: Give a chance for arming slice idle timer in case of group_idle
	kthread: Fix use-after-free if kthread fork fails
	kthread: fix boot hang (regression) on MIPS/OpenRISC
	staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
	staging/rts5208: Fix read overflow in memcpy
	block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg
	locking/rwsem-xadd: Fix missed wakeup due to reordering of load
	selinux: use GFP_NOWAIT in the AVC kmem_caches
	locking/osq_lock: Fix osq_lock queue corruption
	ARC: [plat-axs*]: Enable SWAP
	misc: mic: SCIF Fix scif_get_new_port() error handling
	ethtool: Remove trailing semicolon for static inline
	Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
	gpio: tegra: Move driver registration to subsys_init level
	scsi: target: fix __transport_register_session locking
	md/raid5: fix data corruption of replacements after originals dropped
	misc: ti-st: Fix memory leak in the error path of probe()
	uio: potential double frees if __uio_register_device() fails
	tty: rocket: Fix possible buffer overwrite on register_PCI
	f2fs: do not set free of current section
	perf tools: Allow overriding MAX_NR_CPUS at compile time
	NFSv4.0 fix client reference leak in callback
	macintosh/via-pmu: Add missing mmio accessors
	ath10k: prevent active scans on potential unusable channels
	MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
	ata: libahci: Correct setting of DEVSLP register
	scsi: 3ware: fix return 0 on the error path of probe
	ath10k: disable bundle mgmt tx completion event support
	Bluetooth: hidp: Fix handling of strncpy for hid->name information
	x86/mm: Remove in_nmi() warning from vmalloc_fault()
	gpio: ml-ioh: Fix buffer underwrite on probe error path
	net: mvneta: fix mtu change on port without link
	MIPS: Octeon: add missing of_node_put()
	net: dcb: For wild-card lookups, use priority -1, not 0
	Input: atmel_mxt_ts - only use first T9 instance
	partitions/aix: append null character to print data from disk
	partitions/aix: fix usage of uninitialized lv_info and lvname structures
	iommu/ipmmu-vmsa: Fix allocation in atomic context
	mfd: ti_am335x_tscadc: Fix struct clk memory leak
	f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
	MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
	RDMA/cma: Do not ignore net namespace for unbound cm_id
	xhci: Fix use-after-free in xhci_free_virt_device
	vmw_balloon: include asm/io.h
	netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
	drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config
	net: ethernet: ti: cpsw: fix mdio device reference leak
	ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle
	crypto: vmx - Fix sleep-in-atomic bugs
	mtd: ubi: wl: Fix error return code in ubi_wl_init()
	autofs: fix autofs_sbi() does not check super block type
	x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
	mm: get rid of vmacache_flush_all() entirely
	Linux 4.4.157

Change-Id: I30fc9e099e9065aff5e53c648d822c405525bb07
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-09-20 11:14:55 +02:00
Eric Dumazet
f9845426f4 netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
commit e466af75c074e76107ae1cd5a2823e9c61894ffb upstream.

syzkaller reports an out-of-bounds read in strlcpy(), triggered
by xt_copy_counters_from_user().

Fix this by using memcpy(), then forcing a zero byte at the last position
of the destination, as Florian did for the non COMPAT code.

Fixes: d7591f0c41ce ("netfilter: x_tables: introduce and use xt_copy_counters_from_user")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-19 22:48:59 +02:00
Petr Machata
bde99d93a6 net: dcb: For wild-card lookups, use priority -1, not 0
[ Upstream commit 08193d1a893c802c4b807e4d522865061f4e9f4f ]

The function dcb_app_lookup walks the list of specified DCB APP entries,
looking for one that matches a given criteria: ifindex, selector,
protocol ID and optionally also priority. The "don't care" value for
priority is set to 0, because that priority has not been allowed under
CEE regime, which predates the IEEE standardization.

Under IEEE, 0 is a valid priority number. But because dcb_app_lookup
considers zero a wild card, attempts to add an APP entry with priority 0
fail when other entries exist for a given ifindex / selector / PID
triplet.

Fix by changing the wild-card value to -1.

Signed-off-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-19 22:48:58 +02:00
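The sentinel collision this commit fixes, as an added example in C that is not the kernel's dcbnl code. The app entry, table and add routine are this example's simplifications (assumption); what is faithful to the commit is the lookup rule: with 0 as the "don't care" priority, an entry with a genuine priority of 0 can never be added once any entry exists for the same ifindex / selector / protocol triplet, while -1 is a value no entry can hold.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_APPS		16
#define DCB_PRIO_WILDCARD	(-1)	/* the fixed wild card: not a valid priority */

/* Simplified stand-ins (assumption) for the kernel's APP entry and list. */
struct dcb_app {
	uint8_t selector;
	uint8_t priority;	/* 0..7 are all valid under IEEE 802.1Qaz */
	uint16_t protocol;
};

struct app_entry {
	int ifindex;
	struct dcb_app app;
};

struct app_table {
	struct app_entry entries[MAX_APPS];
	int count;
};

/* Find an entry matching ifindex, selector and protocol, and also priority
 * unless prio is the wild card. legacy=1 reproduces the pre-fix wild card
 * of 0, which collides with the valid priority 0; legacy=0 uses -1. */
const struct dcb_app *app_lookup(const struct app_table *t, int ifindex,
				 const struct dcb_app *key, int prio, int legacy)
{
	int prio_any = legacy ? (prio == 0) : (prio == DCB_PRIO_WILDCARD);
	int i;

	for (i = 0; i < t->count; i++) {
		const struct app_entry *e = &t->entries[i];

		if (e->ifindex == ifindex &&
		    e->app.selector == key->selector &&
		    e->app.protocol == key->protocol &&
		    (prio_any || e->app.priority == prio))
			return &e->app;
	}
	return NULL;
}

/* setapp: refuse an exact duplicate (same triplet and same priority),
 * otherwise append. The duplicate check passes the entry's own priority,
 * which is exactly where a priority of 0 used to turn into "match anything". */
int app_add(struct app_table *t, int ifindex, const struct dcb_app *app, int legacy)
{
	if (app_lookup(t, ifindex, app, app->priority, legacy))
		return -EEXIST;
	if (t->count == MAX_APPS)
		return -ENOSPC;
	t->entries[t->count].ifindex = ifindex;
	t->entries[t->count].app = *app;
	t->count++;
	return 0;
}

int main(void)
{
	struct app_table t;
	/* Constructed entries: same selector and protocol, priorities 3 and 0. */
	struct dcb_app prio3 = { 1, 3, 0x8906 };
	struct dcb_app prio0 = { 1, 0, 0x8906 };

	memset(&t, 0, sizeof(t));
	app_add(&t, 2, &prio3, 1);
	printf("legacy add of priority 0: %d\n", app_add(&t, 2, &prio0, 1));
	printf("fixed  add of priority 0: %d\n", app_add(&t, 2, &prio0, 0));
	return 0;
}
```

The general lesson is the one a reviewer applies to any lookup helper: a "don't care" sentinel must lie outside the domain of the field it stands in for, which is why the kernel widened the parameter to a signed int rather than picking another 8-bit value.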
Marcel Holtmann
362990d8aa Bluetooth: hidp: Fix handling of strncpy for hid->name information
[ Upstream commit b3cadaa485f0c20add1644a5c877b0765b285c0c ]

This fixes two issues with setting hid->name information.

  CC      net/bluetooth/hidp/core.o
In function ‘hidp_setup_hid’,
    inlined from ‘hidp_session_dev_init’ at net/bluetooth/hidp/core.c:815:9,
    inlined from ‘hidp_session_new’ at net/bluetooth/hidp/core.c:953:8,
    inlined from ‘hidp_connection_add’ at net/bluetooth/hidp/core.c:1366:8:
net/bluetooth/hidp/core.c:778:2: warning: ‘strncpy’ output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation]
  strncpy(hid->name, req->name, sizeof(req->name) - 1);
  ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

  CC      net/bluetooth/hidp/core.o
net/bluetooth/hidp/core.c: In function ‘hidp_setup_hid’:
net/bluetooth/hidp/core.c:778:38: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same expression as the source; did you mean to use the size of the destination? [-Wsizeof-pointer-memaccess]
  strncpy(hid->name, req->name, sizeof(req->name));
                                      ^

Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-19 22:48:58 +02:00
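The two string-copy mistakes above, the strlcpy() over-read fixed in xt_copy_counters_from_user() and the strncpy() sized by its source in hidp_setup_hid(), share one worked example here. It is added for this page and is not the kernel's code: the buffer sizes are this example's own (assumption), and the strncpy-based helper is the example's choice of a destination-bounded copy, not necessarily the form the hidp commit settled on. The point is that a fixed-width name field that came from user space or a peer need not contain a terminator, so anything that scans for NUL (strlen, strlcpy) can read past it; copying a bounded number of bytes and forcing the terminator never reads or writes out of bounds.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Example's own sizes (assumption), chosen so the two fields differ. */
#define SRC_NAME_LEN	32	/* fixed-width field copied in from the outside */
#define DST_NAME_LEN	16	/* destination field in the kernel-side structure */

/* Is there a terminator within the first n bytes? strlcpy() and strlen()
 * scan until they find one, so they must not be pointed at src unless
 * this returns true; memchr() stops at n regardless. */
int name_is_terminated(const char *src, size_t n)
{
	return memchr(src, '\0', n) != NULL;
}

/* The pattern the x_tables fix uses: memcpy() a bounded number of bytes,
 * then force a terminator. Reads at most src_len bytes, writes at most
 * dst_len bytes, and always leaves a C string. Returns its length. */
size_t copy_name_bounded(char *dst, size_t dst_len,
			 const char *src, size_t src_len)
{
	size_t n = dst_len - 1;

	if (src_len < n)
		n = src_len;
	memcpy(dst, src, n);
	dst[n] = '\0';
	return strlen(dst);
}

/* Destination-bounded strncpy(): the size argument is the destination's,
 * not the source's, and the terminator is written explicitly because
 * strncpy() leaves none when src fills the buffer. strncpy() reads at most
 * dst_len - 1 bytes of src, so src need not be terminated either. */
size_t copy_name_strncpy(char *dst, size_t dst_len, const char *src)
{
	strncpy(dst, src, dst_len - 1);
	dst[dst_len - 1] = '\0';
	return strlen(dst);
}

int main(void)
{
	char src[SRC_NAME_LEN];
	char dst[DST_NAME_LEN];

	memset(src, 'A', sizeof(src));	/* constructed: no NUL anywhere in the field */
	printf("terminated: %d\n", name_is_terminated(src, sizeof(src)));
	printf("bounded copy length: %zu\n",
	       copy_name_bounded(dst, sizeof(dst), src, sizeof(src)));
	printf("strncpy copy length: %zu\n",
	       copy_name_strncpy(dst, sizeof(dst), src));
	return 0;
}
```

The check that catches both bugs in review is the same: for every copy out of a field that the other side fills, ask which argument bounds the read and which bounds the write, and whether either of them is the size of the wrong buffer.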
Greg Kroah-Hartman
7eb7037bb3 This is the 4.4.156 stable release
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAluct34ACgkQONu9yGCS
 aT70pA/7BywAtLPUPyLTGsWGJLzM++Kfn/Z2HFL3aEA+F7pmhjbC+49tpk07hCyV
 LRczYt0GFUWX8bqr80EdojbwQHKLi68VYJLskgzA3YtCDFtUMBsoVSaUS8dK4lTs
 xBWfyccndk4RQffY8zSP50z3cQCTYPb/cmwDqUiXdQ2hinpoxPZJy/v4o4JFnkug
 gHS9U01dH5xlfY5YhI+r+KTvoc9+lvTc+NneK4RkE1CUv4hVO9cdRS/SMLF04L2s
 2ffBOEOtvgT9SvR7WspzGFf6TdZkM9/+nolomoPdmH6ZLbTY+30tks3COWUn0vEI
 l6Ut86aDnjukNz2l7Bdf05lo2vkYcP5YxdFiWypFjLRufb5QXVm1h7Jp8J5WP9Ub
 VM3sNZpE/GTX+y8AqGJaPmnxaSKAhPsc8qxKJ+wyYjMhjgiLNmMiYnCi9mc2VtGp
 xW62OtKu8HuBnM3hlaLtgmb/TUQE7pNZqBn6rb+SJlgrYrz+qjpl9xR9xwGHnmFU
 Ll8u+Ytn01eGvkqElOYzoGJh48iC/SOLPwPMoYC0hr2ReSAnQHWFlUFarFVmHzoA
 CCSSRQLFR0otb5jlHlCmKDnzsEOUQqg5IIu3IfpX/eLMSbgrpc8BdvY98yzeAbcM
 uTKK6a/TUPma05G9mcxZTKSxUQqixeoM4BOtrE1thqeqNa4dJZ0=
 =7Z2j
 -----END PGP SIGNATURE-----

Merge 4.4.156 into android-4.4

Changes in 4.4.156
	x86/speculation/l1tf: Fix up pte->pfn conversion for PAE
	staging: android: ion: fix ION_IOC_{MAP,SHARE} use-after-free
	net: bcmgenet: use MAC link status for fixed phy
	qlge: Fix netdev features configuration.
	tcp: do not restart timewait timer on rst reception
	vti6: remove !skb->ignore_df check from vti6_xmit()
	cifs: check if SMB2 PDU size has been padded and suppress the warning
	hfsplus: don't return 0 when fill_super() failed
	hfs: prevent crash on exit from failed search
	fork: don't copy inconsistent signal handler state to child
	reiserfs: change j_timestamp type to time64_t
	hfsplus: fix NULL dereference in hfsplus_lookup()
	fat: validate ->i_start before using
	scripts: modpost: check memory allocation results
	mm/fadvise.c: fix signed overflow UBSAN complaint
	fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot()
	ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()
	mfd: sm501: Set coherent_dma_mask when creating subdevices
	platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360
	irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
	net/9p: fix error path of p9_virtio_probe
	powerpc: Fix size calculation using resource_size()
	s390/dasd: fix hanging offline processing due to canceled worker
	scsi: aic94xx: fix an error code in aic94xx_init()
	PCI: mvebu: Fix I/O space end address calculation
	dm kcopyd: avoid softlockup in run_complete_job
	staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice
	selftests/powerpc: Kill child processes on SIGINT
	smb3: fix reset of bytes read and written stats
	SMB3: Number of requests sent should be displayed for SMB3 not just CIFS
	powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX.
	btrfs: replace: Reset on-disk dev stats value after replace
	btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized
	btrfs: Don't remove block group that still has pinned down bytes
	debugobjects: Make stack check warning more informative
	x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear
	kbuild: make missing $DEPMOD a Warning instead of an Error
	irda: Fix memory leak caused by repeated binds of irda socket
	irda: Only insert new objects into the global database via setsockopt
	Revert "ARM: imx_v6_v7_defconfig: Select ULPI support"
	enic: do not call enic_change_mtu in enic_probe
	Fixes: Commit cdbf92675f ("mm: numa: avoid waiting on freed migrated pages")
	genirq: Delay incrementing interrupt count if it's disabled/pending
	irqchip/gic-v3-its: Recompute the number of pages on page size change
	irqchip/gicv3-its: Fix memory leak in its_free_tables()
	irqchip/gicv3-its: Avoid cache flush beyond ITS_BASERn memory size
	irqchip/gic-v3: Add missing barrier to 32bit version of gic_read_iar()
	irqchip/gic: Make interrupt ID 1020 invalid
	ovl: rename is_merge to is_lowest
	ovl: override creds with the ones from the superblock mounter
	ovl: proper cleanup of workdir
	sch_htb: fix crash on init failure
	sch_multiq: fix double free on init failure
	sch_hhf: fix null pointer dereference on init failure
	sch_netem: avoid null pointer deref on init failure
	sch_tbf: fix two null pointer dereferences on init failure
	mei: me: allow runtime pm for platform with D0i3
	s390/lib: use expoline for all bcr instructions
	ASoC: wm8994: Fix missing break in switch
	btrfs: use correct compare function of dirty_metadata_bytes
	Linux 4.4.156

Change-Id: Ia12d5f0a8ae43215e26b67f5db492738496635b7
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
2018-09-15 12:08:41 +02:00
Nikolay Aleksandrov
aa5d149531 sch_tbf: fix two null pointer dereferences on init failure
commit c2d6511e6a4f1f3673d711569c00c3849549e9b0 upstream.

sch_tbf calls qdisc_watchdog_cancel() in both its ->reset and ->destroy
callbacks but it may fail before the timer is initialized due to missing
options (either not supplied by user-space or set as a default qdisc),
also q->qdisc is used by ->reset and ->destroy so we need it initialized.

Reproduce:
$ sysctl net.core.default_qdisc=tbf
$ ip l set ethX up

Crash log:
[  959.160172] BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
[  959.160323] IP: qdisc_reset+0xa/0x5c
[  959.160400] PGD 59cdb067
[  959.160401] P4D 59cdb067
[  959.160466] PUD 59ccb067
[  959.160532] PMD 0
[  959.160597]
[  959.160706] Oops: 0000 [#1] SMP
[  959.160778] Modules linked in: sch_tbf sch_sfb sch_prio sch_netem
[  959.160891] CPU: 2 PID: 1562 Comm: ip Not tainted 4.13.0-rc6+ #62
[  959.160998] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[  959.161157] task: ffff880059c9a700 task.stack: ffff8800376d0000
[  959.161263] RIP: 0010:qdisc_reset+0xa/0x5c
[  959.161347] RSP: 0018:ffff8800376d3610 EFLAGS: 00010286
[  959.161531] RAX: ffffffffa001b1dd RBX: ffff8800373a2800 RCX: 0000000000000000
[  959.161733] RDX: ffffffff8215f160 RSI: ffffffff8215f160 RDI: 0000000000000000
[  959.161939] RBP: ffff8800376d3618 R08: 00000000014080c0 R09: 00000000ffffffff
[  959.162141] R10: ffff8800376d3578 R11: 0000000000000020 R12: ffffffffa001d2c0
[  959.162343] R13: ffff880037538000 R14: 00000000ffffffff R15: 0000000000000001
[  959.162546] FS:  00007fcc5126b740(0000) GS:ffff88005d900000(0000) knlGS:0000000000000000
[  959.162844] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  959.163030] CR2: 0000000000000018 CR3: 000000005abc4000 CR4: 00000000000406e0
[  959.163233] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  959.163436] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  959.163638] Call Trace:
[  959.163788]  tbf_reset+0x19/0x64 [sch_tbf]
[  959.163957]  qdisc_destroy+0x8b/0xe5
[  959.164119]  qdisc_create_dflt+0x86/0x94
[  959.164284]  ? dev_activate+0x129/0x129
[  959.164449]  attach_one_default_qdisc+0x36/0x63
[  959.164623]  netdev_for_each_tx_queue+0x3d/0x48
[  959.164795]  dev_activate+0x4b/0x129
[  959.164957]  __dev_open+0xe7/0x104
[  959.165118]  __dev_change_flags+0xc6/0x15c
[  959.165287]  dev_change_flags+0x25/0x59
[  959.165451]  do_setlink+0x30c/0xb3f
[  959.165613]  ? check_chain_key+0xb0/0xfd
[  959.165782]  rtnl_newlink+0x3a4/0x729
[  959.165947]  ? rtnl_newlink+0x117/0x729
[  959.166121]  ? ns_capable_common+0xd/0xb1
[  959.166288]  ? ns_capable+0x13/0x15
[  959.166450]  rtnetlink_rcv_msg+0x188/0x197
[  959.166617]  ? rcu_read_unlock+0x3e/0x5f
[  959.166783]  ? rtnl_newlink+0x729/0x729
[  959.166948]  netlink_rcv_skb+0x6c/0xce
[  959.167113]  rtnetlink_rcv+0x23/0x2a
[  959.167273]  netlink_unicast+0x103/0x181
[  959.167439]  netlink_sendmsg+0x326/0x337
[  959.167607]  sock_sendmsg_nosec+0x14/0x3f
[  959.167772]  sock_sendmsg+0x29/0x2e
[  959.167932]  ___sys_sendmsg+0x209/0x28b
[  959.168098]  ? do_raw_spin_unlock+0xcd/0xf8
[  959.168267]  ? _raw_spin_unlock+0x27/0x31
[  959.168432]  ? __handle_mm_fault+0x651/0xdb1
[  959.168602]  ? check_chain_key+0xb0/0xfd
[  959.168773]  __sys_sendmsg+0x45/0x63
[  959.168934]  ? __sys_sendmsg+0x45/0x63
[  959.169100]  SyS_sendmsg+0x19/0x1b
[  959.169260]  entry_SYSCALL_64_fastpath+0x23/0xc2
[  959.169432] RIP: 0033:0x7fcc5097e690
[  959.169592] RSP: 002b:00007ffd0d5c7b48 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  959.169887] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007fcc5097e690
[  959.170089] RDX: 0000000000000000 RSI: 00007ffd0d5c7b90 RDI: 0000000000000003
[  959.170292] RBP: ffff8800376d3f98 R08: 0000000000000001 R09: 0000000000000003
[  959.170494] R10: 00007ffd0d5c7910 R11: 0000000000000246 R12: 0000000000000006
[  959.170697] R13: 000000000066f1a0 R14: 00007ffd0d5cfc40 R15: 0000000000000000
[  959.170900]  ? trace_hardirqs_off_caller+0xa7/0xcf
[  959.171076] Code: 00 41 c7 84 24 14 01 00 00 00 00 00 00 41 c7 84 24
98 00 00 00 00 00 00 00 41 5c 41 5d 41 5e 5d c3 66 66 66 66 90 55 48 89
e5 53 <48> 8b 47 18 48 89 fb 48 8b 40 48 48 85 c0 74 02 ff d0 48 8b bb
[  959.171637] RIP: qdisc_reset+0xa/0x5c RSP: ffff8800376d3610
[  959.171821] CR2: 0000000000000018

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba4 ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-15 09:40:42 +02:00
Nikolay Aleksandrov
7a4eae7ae6 sch_netem: avoid null pointer deref on init failure
commit 634576a1844dba15bc5e6fc61d72f37e13a21615 upstream.

netem can fail in ->init due to missing options (either not supplied by
user-space or used as a default qdisc) causing a timer->base null
pointer deref in its ->destroy() and ->reset() callbacks.

Reproduce:
$ sysctl net.core.default_qdisc=netem
$ ip l set ethX up

Crash log:
[ 1814.846943] BUG: unable to handle kernel NULL pointer dereference at (null)
[ 1814.847181] IP: hrtimer_active+0x17/0x8a
[ 1814.847270] PGD 59c34067
[ 1814.847271] P4D 59c34067
[ 1814.847337] PUD 37374067
[ 1814.847403] PMD 0
[ 1814.847468]
[ 1814.847582] Oops: 0000 [#1] SMP
[ 1814.847655] Modules linked in: sch_netem(O) sch_fq_codel(O)
[ 1814.847761] CPU: 3 PID: 1573 Comm: ip Tainted: G           O 4.13.0-rc6+ #62
[ 1814.847884] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 1814.848043] task: ffff88003723a700 task.stack: ffff88005adc8000
[ 1814.848235] RIP: 0010:hrtimer_active+0x17/0x8a
[ 1814.848407] RSP: 0018:ffff88005adcb590 EFLAGS: 00010246
[ 1814.848590] RAX: 0000000000000000 RBX: ffff880058e359d8 RCX: 0000000000000000
[ 1814.848793] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880058e359d8
[ 1814.848998] RBP: ffff88005adcb5b0 R08: 00000000014080c0 R09: 00000000ffffffff
[ 1814.849204] R10: ffff88005adcb660 R11: 0000000000000020 R12: 0000000000000000
[ 1814.849410] R13: ffff880058e359d8 R14: 00000000ffffffff R15: 0000000000000001
[ 1814.849616] FS:  00007f733bbca740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[ 1814.849919] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1814.850107] CR2: 0000000000000000 CR3: 0000000059f0d000 CR4: 00000000000406e0
[ 1814.850313] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1814.850518] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1814.850723] Call Trace:
[ 1814.850875]  hrtimer_try_to_cancel+0x1a/0x93
[ 1814.851047]  hrtimer_cancel+0x15/0x20
[ 1814.851211]  qdisc_watchdog_cancel+0x12/0x14
[ 1814.851383]  netem_reset+0xe6/0xed [sch_netem]
[ 1814.851561]  qdisc_destroy+0x8b/0xe5
[ 1814.851723]  qdisc_create_dflt+0x86/0x94
[ 1814.851890]  ? dev_activate+0x129/0x129
[ 1814.852057]  attach_one_default_qdisc+0x36/0x63
[ 1814.852232]  netdev_for_each_tx_queue+0x3d/0x48
[ 1814.852406]  dev_activate+0x4b/0x129
[ 1814.852569]  __dev_open+0xe7/0x104
[ 1814.852730]  __dev_change_flags+0xc6/0x15c
[ 1814.852899]  dev_change_flags+0x25/0x59
[ 1814.853064]  do_setlink+0x30c/0xb3f
[ 1814.853228]  ? check_chain_key+0xb0/0xfd
[ 1814.853396]  ? check_chain_key+0xb0/0xfd
[ 1814.853565]  rtnl_newlink+0x3a4/0x729
[ 1814.853728]  ? rtnl_newlink+0x117/0x729
[ 1814.853905]  ? ns_capable_common+0xd/0xb1
[ 1814.854072]  ? ns_capable+0x13/0x15
[ 1814.854234]  rtnetlink_rcv_msg+0x188/0x197
[ 1814.854404]  ? rcu_read_unlock+0x3e/0x5f
[ 1814.854572]  ? rtnl_newlink+0x729/0x729
[ 1814.854737]  netlink_rcv_skb+0x6c/0xce
[ 1814.854902]  rtnetlink_rcv+0x23/0x2a
[ 1814.855064]  netlink_unicast+0x103/0x181
[ 1814.855230]  netlink_sendmsg+0x326/0x337
[ 1814.855398]  sock_sendmsg_nosec+0x14/0x3f
[ 1814.855584]  sock_sendmsg+0x29/0x2e
[ 1814.855747]  ___sys_sendmsg+0x209/0x28b
[ 1814.855912]  ? do_raw_spin_unlock+0xcd/0xf8
[ 1814.856082]  ? _raw_spin_unlock+0x27/0x31
[ 1814.856251]  ? __handle_mm_fault+0x651/0xdb1
[ 1814.856421]  ? check_chain_key+0xb0/0xfd
[ 1814.856592]  __sys_sendmsg+0x45/0x63
[ 1814.856755]  ? __sys_sendmsg+0x45/0x63
[ 1814.856923]  SyS_sendmsg+0x19/0x1b
[ 1814.857083]  entry_SYSCALL_64_fastpath+0x23/0xc2
[ 1814.857256] RIP: 0033:0x7f733b2dd690
[ 1814.857419] RSP: 002b:00007ffe1d3387d8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 1814.858238] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f733b2dd690
[ 1814.858445] RDX: 0000000000000000 RSI: 00007ffe1d338820 RDI: 0000000000000003
[ 1814.858651] RBP: ffff88005adcbf98 R08: 0000000000000001 R09: 0000000000000003
[ 1814.858856] R10: 00007ffe1d3385a0 R11: 0000000000000246 R12: 0000000000000002
[ 1814.859060] R13: 000000000066f1a0 R14: 00007ffe1d3408d0 R15: 0000000000000000
[ 1814.859267]  ? trace_hardirqs_off_caller+0xa7/0xcf
[ 1814.859446] Code: 10 55 48 89 c7 48 89 e5 e8 45 a1 fb ff 31 c0 5d c3
31 c0 c3 66 66 66 66 90 55 48 89 e5 41 56 41 55 41 54 53 49 89 fd 49 8b
45 30 <4c> 8b 20 41 8b 5c 24 38 31 c9 31 d2 48 c7 c7 50 8e 1d 82 41 89
[ 1814.860022] RIP: hrtimer_active+0x17/0x8a RSP: ffff88005adcb590
[ 1814.860214] CR2: 0000000000000000

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 0fbbeb1ba4 ("[PKT_SCHED]: Fix missing qdisc_destroy() in qdisc_create_dflt()")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-15 09:40:42 +02:00
Nikolay Aleksandrov
9dafa62c87 sch_hhf: fix null pointer dereference on init failure
commit 32db864d33c21fd70a217ba53cb7224889354ffb upstream.

If sch_hhf fails in its ->init() function (either due to wrong
user-space arguments as below or memory alloc failure of hh_flows) it
will do a null pointer deref of q->hh_flows in its ->destroy() function.

To reproduce the crash:
$ tc qdisc add dev eth0 root hhf quantum 2000000 non_hh_weight 10000000

Crash log:
[  690.654882] BUG: unable to handle kernel NULL pointer dereference at (null)
[  690.655565] IP: hhf_destroy+0x48/0xbc
[  690.655944] PGD 37345067
[  690.655948] P4D 37345067
[  690.656252] PUD 58402067
[  690.656554] PMD 0
[  690.656857]
[  690.657362] Oops: 0000 [#1] SMP
[  690.657696] Modules linked in:
[  690.658032] CPU: 3 PID: 920 Comm: tc Not tainted 4.13.0-rc6+ #57
[  690.658525] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[  690.659255] task: ffff880058578000 task.stack: ffff88005acbc000
[  690.659747] RIP: 0010:hhf_destroy+0x48/0xbc
[  690.660146] RSP: 0018:ffff88005acbf9e0 EFLAGS: 00010246
[  690.660601] RAX: 0000000000000000 RBX: 0000000000000020 RCX: 0000000000000000
[  690.661155] RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffffffff821f63f0
[  690.661710] RBP: ffff88005acbfa08 R08: ffffffff81b10a90 R09: 0000000000000000
[  690.662267] R10: 00000000f42b7019 R11: ffff880058578000 R12: 00000000ffffffea
[  690.662820] R13: ffff8800372f6400 R14: 0000000000000000 R15: 0000000000000000
[  690.663769] FS:  00007f8ae5e8b740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[  690.667069] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  690.667965] CR2: 0000000000000000 CR3: 0000000058523000 CR4: 00000000000406e0
[  690.668918] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[  690.669945] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[  690.671003] Call Trace:
[  690.671743]  qdisc_create+0x377/0x3fd
[  690.672534]  tc_modify_qdisc+0x4d2/0x4fd
[  690.673324]  rtnetlink_rcv_msg+0x188/0x197
[  690.674204]  ? rcu_read_unlock+0x3e/0x5f
[  690.675091]  ? rtnl_newlink+0x729/0x729
[  690.675877]  netlink_rcv_skb+0x6c/0xce
[  690.676648]  rtnetlink_rcv+0x23/0x2a
[  690.677405]  netlink_unicast+0x103/0x181
[  690.678179]  netlink_sendmsg+0x326/0x337
[  690.678958]  sock_sendmsg_nosec+0x14/0x3f
[  690.679743]  sock_sendmsg+0x29/0x2e
[  690.680506]  ___sys_sendmsg+0x209/0x28b
[  690.681283]  ? __handle_mm_fault+0xc7d/0xdb1
[  690.681915]  ? check_chain_key+0xb0/0xfd
[  690.682449]  __sys_sendmsg+0x45/0x63
[  690.682954]  ? __sys_sendmsg+0x45/0x63
[  690.683471]  SyS_sendmsg+0x19/0x1b
[  690.683974]  entry_SYSCALL_64_fastpath+0x23/0xc2
[  690.684516] RIP: 0033:0x7f8ae529d690
[  690.685016] RSP: 002b:00007fff26d2d6b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[  690.685931] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f8ae529d690
[  690.686573] RDX: 0000000000000000 RSI: 00007fff26d2d700 RDI: 0000000000000003
[  690.687047] RBP: ffff88005acbff98 R08: 0000000000000001 R09: 0000000000000000
[  690.687519] R10: 00007fff26d2d480 R11: 0000000000000246 R12: 0000000000000002
[  690.687996] R13: 0000000001258070 R14: 0000000000000001 R15: 0000000000000000
[  690.688475]  ? trace_hardirqs_off_caller+0xa7/0xcf
[  690.688887] Code: 00 00 e8 2a 02 ae ff 49 8b bc 1d 60 02 00 00 48 83
c3 08 e8 19 02 ae ff 48 83 fb 20 75 dc 45 31 f6 4d 89 f7 4d 03 bd 20 02
00 00 <49> 8b 07 49 39 c7 75 24 49 83 c6 10 49 81 fe 00 40 00 00 75 e1
[  690.690200] RIP: hhf_destroy+0x48/0xbc RSP: ffff88005acbf9e0
[  690.690636] CR2: 0000000000000000

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: 10239edf86 ("net-qdisc-hhf: Heavy-Hitter Filter (HHF) qdisc")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-15 09:40:41 +02:00
Nikolay Aleksandrov
68858be0c1 sch_multiq: fix double free on init failure
commit e89d469e3be3ed3d7124a803211a463ff83d0964 upstream.

The below commit added a call to ->destroy() on init failure, but multiq
still frees ->queues on error in init, but ->queues is also freed by
->destroy() thus we get double free and corrupted memory.

Very easy to reproduce (eth0 not multiqueue):
$ tc qdisc add dev eth0 root multiq
RTNETLINK answers: Operation not supported
$ ip l add dumdum type dummy
(crash)

Trace log:
[ 3929.467747] general protection fault: 0000 [#1] SMP
[ 3929.468083] Modules linked in:
[ 3929.468302] CPU: 3 PID: 967 Comm: ip Not tainted 4.13.0-rc6+ #56
[ 3929.468625] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
[ 3929.469124] task: ffff88003716a700 task.stack: ffff88005872c000
[ 3929.469449] RIP: 0010:__kmalloc_track_caller+0x117/0x1be
[ 3929.469746] RSP: 0018:ffff88005872f6a0 EFLAGS: 00010246
[ 3929.470042] RAX: 00000000000002de RBX: 0000000058a59000 RCX: 00000000000002df
[ 3929.470406] RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffff821f7020
[ 3929.470770] RBP: ffff88005872f6e8 R08: 000000000001f010 R09: 0000000000000000
[ 3929.471133] R10: ffff88005872f730 R11: 0000000000008cdd R12: ff006d75646d7564
[ 3929.471496] R13: 00000000014000c0 R14: ffff88005b403c00 R15: ffff88005b403c00
[ 3929.471869] FS:  00007f0b70480740(0000) GS:ffff88005d980000(0000) knlGS:0000000000000000
[ 3929.472286] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 3929.472677] CR2: 00007ffcee4f3000 CR3: 0000000059d45000 CR4: 00000000000406e0
[ 3929.473209] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 3929.474109] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 3929.474873] Call Trace:
[ 3929.475337]  ? kstrdup_const+0x23/0x25
[ 3929.475863]  kstrdup+0x2e/0x4b
[ 3929.476338]  kstrdup_const+0x23/0x25
[ 3929.478084]  __kernfs_new_node+0x28/0xbc
[ 3929.478478]  kernfs_new_node+0x35/0x55
[ 3929.478929]  kernfs_create_link+0x23/0x76
[ 3929.479478]  sysfs_do_create_link_sd.isra.2+0x85/0xd7
[ 3929.480096]  sysfs_create_link+0x33/0x35
[ 3929.480649]  device_add+0x200/0x589
[ 3929.481184]  netdev_register_kobject+0x7c/0x12f
[ 3929.481711]  register_netdevice+0x373/0x471
[ 3929.482174]  rtnl_newlink+0x614/0x729
[ 3929.482610]  ? rtnl_newlink+0x17f/0x729
[ 3929.483080]  rtnetlink_rcv_msg+0x188/0x197
[ 3929.483533]  ? rcu_read_unlock+0x3e/0x5f
[ 3929.483984]  ? rtnl_newlink+0x729/0x729
[ 3929.484420]  netlink_rcv_skb+0x6c/0xce
[ 3929.484858]  rtnetlink_rcv+0x23/0x2a
[ 3929.485291]  netlink_unicast+0x103/0x181
[ 3929.485735]  netlink_sendmsg+0x326/0x337
[ 3929.486181]  sock_sendmsg_nosec+0x14/0x3f
[ 3929.486614]  sock_sendmsg+0x29/0x2e
[ 3929.486973]  ___sys_sendmsg+0x209/0x28b
[ 3929.487340]  ? do_raw_spin_unlock+0xcd/0xf8
[ 3929.487719]  ? _raw_spin_unlock+0x27/0x31
[ 3929.488092]  ? __handle_mm_fault+0x651/0xdb1
[ 3929.488471]  ? check_chain_key+0xb0/0xfd
[ 3929.488847]  __sys_sendmsg+0x45/0x63
[ 3929.489206]  ? __sys_sendmsg+0x45/0x63
[ 3929.489576]  SyS_sendmsg+0x19/0x1b
[ 3929.489901]  entry_SYSCALL_64_fastpath+0x23/0xc2
[ 3929.490172] RIP: 0033:0x7f0b6fb93690
[ 3929.490423] RSP: 002b:00007ffcee4ed588 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
[ 3929.490881] RAX: ffffffffffffffda RBX: ffffffff810d278c RCX: 00007f0b6fb93690
[ 3929.491198] RDX: 0000000000000000 RSI: 00007ffcee4ed5d0 RDI: 0000000000000003
[ 3929.491521] RBP: ffff88005872ff98 R08: 0000000000000001 R09: 0000000000000000
[ 3929.491801] R10: 00007ffcee4ed350 R11: 0000000000000246 R12: 0000000000000002
[ 3929.492075] R13: 000000000066f1a0 R14: 00007ffcee4f5680 R15: 0000000000000000
[ 3929.492352]  ? trace_hardirqs_off_caller+0xa7/0xcf
[ 3929.492590] Code: 8b 45 c0 48 8b 45 b8 74 17 48 8b 4d c8 83 ca ff 44
89 ee 4c 89 f7 e8 83 ca ff ff 49 89 c4 eb 49 49 63 56 20 48 8d 48 01 4d
8b 06 <49> 8b 1c 14 48 89 c2 4c 89 e0 65 49 0f c7 08 0f 94 c0 83 f0 01
[ 3929.493335] RIP: __kmalloc_track_caller+0x117/0x1be RSP: ffff88005872f6a0

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Fixes: f07d150129 ("multiq: Further multiqueue cleanup")
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[AmitP: Removed unused variable 'err' in multiq_init()]
Signed-off-by: Amit Pundir <amit.pundir@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2018-09-15 09:40:41 +02:00
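The four sch_* fixes above (tbf, netem, hhf, multiq) share one root cause: since qdisc creation started calling ->destroy() when ->init() fails, an init routine must leave every field that ->reset()/->destroy() touches in a valid state before its first early return, and must not free on its own what destroy will free again. The following is an added example, not kernel code: a toy qdisc private area with a watchdog-style timer and a per-band array, a `toy_create()` that mirrors the destroy-on-init-failure error recovery, and a pre-fix `init_fragile()` beside a fixed `init_safe()`. The counters and the `MAX_BANDS` option limit are instrumentation assumptions so the NULL dereference and the double free show up as numbers rather than a crash.

```c
#include <errno.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not kernel code. Counters stand in for the oops and the
 * allocator corruption the real bugs produce (instrumentation assumption). */
#define MAX_BANDS 16

struct toy_timer { void *base; };      /* hrtimer-like: cancel dereferences base */
static int timer_base_storage;         /* stands in for the clock base */

struct toy_qdisc {
    struct toy_timer watchdog;
    void **queues;
    size_t nbands;
    int null_cancel;   /* cancel on a never-initialised timer: the kernel oopses here */
    int free_calls;    /* times the band array was handed to free(): 2 is a double free */
};

static void watchdog_init(struct toy_qdisc *q)
{
    q->watchdog.base = &timer_base_storage;
}

static void watchdog_cancel(struct toy_qdisc *q)
{
    if (q->watchdog.base == NULL)
        q->null_cancel++;              /* hrtimer_active() would read through NULL */
}

static void release_queues(struct toy_qdisc *q)
{
    q->free_calls++;                   /* counted so a second call is visible, not UB */
    free(q->queues);
    q->queues = NULL;
}

/* ->destroy(): assumes ->init() left every field it touches valid. */
static void toy_destroy(struct toy_qdisc *q)
{
    watchdog_cancel(q);
    release_queues(q);
}

/* Pre-fix shape: bails before the timer exists, and on a late failure frees
 * the band array itself even though destroy() will free it again. */
static int init_fragile(struct toy_qdisc *q, size_t nbands)
{
    if (nbands == 0)                   /* option missing, e.g. installed as default qdisc */
        return -EINVAL;
    watchdog_init(q);
    q->queues = calloc(nbands, sizeof(*q->queues));
    if (!q->queues)
        return -ENOMEM;
    q->nbands = nbands;
    if (nbands > MAX_BANDS) {
        release_queues(q);             /* first free; destroy() performs the second */
        return -EINVAL;
    }
    return 0;
}

/* Fixed shape: everything destroy() touches is initialised before the first
 * early return, and nothing is freed here because destroy() owns teardown. */
static int init_safe(struct toy_qdisc *q, size_t nbands)
{
    watchdog_init(q);
    q->queues = NULL;
    q->nbands = 0;
    if (nbands == 0 || nbands > MAX_BANDS)
        return -EINVAL;
    q->queues = calloc(nbands, sizeof(*q->queues));
    if (!q->queues)
        return -ENOMEM;
    q->nbands = nbands;
    return 0;
}

/* Mirrors the error recovery that calls ->destroy() when ->init() fails. */
static int toy_create(struct toy_qdisc *q,
                      int (*init)(struct toy_qdisc *, size_t), size_t nbands)
{
    int err;

    memset(q, 0, sizeof(*q));          /* private area starts zeroed, like kzalloc */
    err = init(q, nbands);
    if (err)
        toy_destroy(q);
    return err;
}

/* Scenario runners; each returns the counter that exposes (or clears) a bug. */
int fragile_missing_option_null_cancels(void)
{
    struct toy_qdisc q;
    toy_create(&q, init_fragile, 0);
    return q.null_cancel;              /* 1: the tbf/netem shape */
}

int fragile_bad_option_free_calls(void)
{
    struct toy_qdisc q;
    toy_create(&q, init_fragile, MAX_BANDS + 1);
    return q.free_calls;               /* 2: the multiq shape */
}

int safe_missing_option_problems(void)
{
    struct toy_qdisc q;
    toy_create(&q, init_safe, 0);
    return q.null_cancel * 10 + q.free_calls;   /* 1: one orderly free, no bare cancel */
}

int safe_create_bands(void)
{
    struct toy_qdisc q;
    int n;

    if (toy_create(&q, init_safe, 4) != 0)
        return -1;
    n = (int)q.nbands;
    toy_destroy(&q);
    return n;
}
```

The reproducers in the messages above (`sysctl net.core.default_qdisc=tbf` followed by bringing a link up, or `tc qdisc add ... hhf` with out-of-range options) are exactly the "option missing" and "option invalid" paths exercised by the two fragile scenarios; the review question for any new qdisc, or for any object whose creation path calls a teardown hook on failure, is whether every early return in init leaves the teardown hook with valid state and single ownership of each allocation.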