* refs/heads/tmp-583bdda
Linux 4.4.204
KVM: PPC: Book3S HV: Flush link stack on guest exit to host kernel
powerpc/book3s64: Fix link stack flush on context switch
powerpc/64s: support nospectre_v2 cmdline option
staging: comedi: usbduxfast: usbduxfast_ai_cmdtest rounding error
USB: serial: option: add support for Foxconn T77W968 LTE modules
USB: serial: option: add support for DW5821e with eSIM support
USB: serial: mos7840: fix remote wakeup
USB: serial: mos7720: fix remote wakeup
USB: serial: mos7840: add USB ID to support Moxa UPort 2210
appledisplay: fix error handling in the scheduled work
usb-serial: cp201x: support Mark-10 digital force gauge
virtio_console: move removal code
virtio_console: drop custom control queue cleanup
virtio_console: fix uninitialized variable use
virtio_console: allocate inbufs in add_port() only if it is needed
virtio_console: don't tie bufs to a vq
virtio_console: reset on out of memory
media: imon: invalid dereference in imon_touch_event
media: cxusb: detect cxusb_ctrl_msg error in query
media: b2c2-flexcop-usb: add sanity checking
cpufreq: Add NULL checks to show() and store() methods of cpufreq
media: vivid: Fix wrong locking that causes race conditions on streaming stop
media: vivid: Set vid_cap_streaming and vid_out_streaming to true
x86/speculation: Fix redundant MDS mitigation message
x86/speculation: Fix incorrect MDS/TAA mitigation status
x86/insn: Fix awk regexp warnings
ARC: perf: Accommodate big-endian CPU
mmc: block: Fix tag condition with packed writes
ocfs2: remove ocfs2_is_o2cb_active()
cpufreq: Skip cpufreq resume if it's not suspended
arm64: fix for bad_mode() handler to always result in panic
dm: use blk_set_queue_dying() in __dm_destroy()
ath9k_hw: fix uninitialized variable data
Bluetooth: Fix invalid-free in bcsp_close()
IB/hfi1: Ensure full Gen3 speed in a Gen4 system
spi: omap2-mcspi: Fix DMA and FIFO event trigger size mismatch
PCI: keystone: Use quirk to limit MRRS for K2G
pinctrl: zynq: Use define directive for PIN_CONFIG_IO_STANDARD
pinctrl: qcom: spmi-gpio: fix gpio-hog related boot issues
sock: Reset dst when changing sk_mark via setsockopt
net: bcmgenet: return correct value 'ret' from bcmgenet_power_down
dlm: don't leak kernel pointer to userspace
dlm: fix invalid free
scsi: lpfc: fcoe: Fix link down issue after 1000+ link bounces
scsi: megaraid_sas: Fix msleep granularity
scsi: mpt3sas: Fix driver modifying persistent data in Manufacturing page11
scsi: mpt3sas: Fix Sync cache command failure during driver unload
rtlwifi: rtl8192de: Fix misleading REG_MCUFWDL information
wireless: airo: potential buffer overflow in sprintf()
brcmsmac: never log "tid x is not agg'able" by default
rtl8xxxu: Fix missing break in switch
wlcore: Fix the return value in case of error in 'wlcore_vendor_cmd_smart_config_start()'
audit: print empty EXECVE args
sched/fair: Don't increase sd->balance_interval on newidle balance
net: do not abort bulk send on BQL status
ocfs2: fix clusters leak in ocfs2_defrag_extent()
ocfs2: don't put and assigning null to bh allocated outside
ntb: intel: fix return value for ndev_vec_mask()
ntb_netdev: fix sleep time mismatch
igb: shorten maximum PHC timecounter update interval
fs/hfs/extent.c: fix array out of bounds read of array extent
hfs: fix return value of hfs_get_block()
hfsplus: fix return value of hfsplus_get_block()
hfs: prevent btree data loss on ENOSPC
hfsplus: prevent btree data loss on ENOSPC
hfs: fix BUG on bnode parent update
hfsplus: fix BUG on bnode parent update
linux/bitmap.h: fix type of nbits in bitmap_shift_right()
linux/bitmap.h: handle constant zero-size bitmaps correctly
um: Make line/tty semantics use true write IRQ
mm/page-writeback.c: fix range_cyclic writeback vs writepages deadlock
fs/ocfs2/dlm/dlmdebug.c: fix a sleep-in-atomic-context bug in dlm_print_one_mle()
sparc64: Rework xchg() definition to avoid warnings.
thermal: rcar_thermal: Prevent hardware access during system suspend
selftests/ftrace: Fix to test kprobe $comm arg only if available
mfd: max8997: Enale irq-wakeup unconditionally
mfd: mc13xxx-core: Fix PMIC shutdown when reading ADC values
qlcnic: fix a return in qlcnic_dcb_get_capability()
mISDN: Fix type of switch control variable in ctrl_teimanager
rtc: s35390a: Change buf's type to u8 in s35390a_init
ceph: fix dentry leak in ceph_readdir_prepopulate
sparc: Fix parport build warnings.
spi: omap2-mcspi: Set FIFO DMA trigger level to word length
s390/perf: Return error when debug_register fails
atm: zatm: Fix empty body Clang warnings
SUNRPC: Fix a compile warning for cmpxchg64()
USB: misc: appledisplay: fix backlight update_status return code
macintosh/windfarm_smu_sat: Fix debug output
ALSA: i2c/cs8427: Fix int to char conversion
kprobes, x86/ptrace.h: Make regs_get_kernel_stack_nth() not fault on bad stack
net: fix warning in af_unix
scsi: dc395x: fix DMA API usage in sg_update_list
scsi: dc395x: fix dma API usage in srb_done
clk: mmp2: fix the clock id for sdh2_clk and sdh3_clk
scsi: iscsi_tcp: Explicitly cast param in iscsi_sw_tcp_host_get_param
scsi: isci: Change sci_controller_start_task's return type to sci_status
scsi: isci: Use proper enumerated type in atapi_d2h_reg_frame_handler
KVM/x86: Fix invvpid and invept register operand size in 64-bit mode
scsi: ips: fix missing break in switch
amiflop: clean up on errors during setup
misc: mic: fix a DMA pool free failure
gsmi: Fix bug in append_to_eventlog sysfs handler
btrfs: handle error of get_old_root
mmc: mediatek: fix cannot receive new request when msdc_cmd_is_ready fail
spi: sh-msiof: fix deferred probing
brcmsmac: AP mode: update beacon when TIM changes
powerpc/eeh: Fix use of EEH_PE_KEEP on wrong field
powerpc: Fix signedness bug in update_flash_db()
synclink_gt(): fix compat_ioctl()
gfs2: Fix marking bitmaps non-full
printk: fix integer overflow in setup_log_buf()
ALSA: isight: fix leak of reference to firewire unit in error path of .probe callback
mwifiex: Fix NL80211_TX_POWER_LIMITED
platform/x86: asus-wmi: add SERIO_I8042 dependency
platform/x86: asus-wmi: Only Tell EC the OS will handle display hotkeys from asus_nb_wmi
platform/x86: asus-nb-wmi: Support ALS on the Zenbook UX430UQ
platform/x86: asus-wmi: try to set als by default
asus-wmi: provide access to ALS control
platform/x86: asus-wmi: Set specified XUSB2PR value for X550LB
platform/x86: asus-wmi: fix asus ux303ub brightness issue
platform/x86: asus-wmi: Filter buggy scan codes on ASUS Q500A
asus-wmi: Add quirk_no_rfkill for the Asus Z550MA
asus-wmi: Add quirk_no_rfkill for the Asus U303LB
asus-wmi: Add quirk_no_rfkill for the Asus N552VW
asus-wmi: Add quirk_no_rfkill_wapf4 for the Asus X456UF
asus-wmi: Create quirk for airplane_mode LED
mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()
Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()"
net: rtnetlink: prevent underflows in do_setvfinfo()
net/sched: act_pedit: fix WARN() in the traffic path
sfc: Only cancel the PPS workqueue if it exists
net/mlx4_en: fix mlx4 ethtool -N insertion
Conflicts:
arch/arm64/kernel/traps.c
Change-Id: Ie8f88d491b2d80c031e81346687624d7b5a770f1
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
[ Upstream commit 33c4368ee2589c165aebd8d388cbd91e9adb9688 ]
This fixes the "'hash' may be used uninitialized in this function"
net/unix/af_unix.c:1041:20: warning: 'hash' may be used uninitialized in this function [-Wmaybe-uninitialized]
addr->hash = hash ^ sk->sk_type;
Signed-off-by: Kyeongdon Kim <kyeongdon.kim@lge.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
* refs/heads/tmp-0c3b8c4
Linux 4.4.177
KVM: X86: Fix residual mmio emulation request to userspace
KVM: nVMX: Ignore limit checks on VMX instructions using flat segments
KVM: nVMX: Sign extend displacements of VMX instr's mem operands
drm/radeon/evergreen_cs: fix missing break in switch statement
media: uvcvideo: Avoid NULL pointer dereference at the end of streaming
rcu: Do RCU GP kthread self-wakeup from softirq and interrupt
PM / wakeup: Rework wakeup source timer cancellation
nfsd: fix wrong check in write_v4_end_grace()
nfsd: fix memory corruption caused by readdir
NFS: Don't recoalesce on error in nfs_pageio_complete_mirror()
NFS: Fix an I/O request leakage in nfs_do_recoalesce
md: Fix failed allocation of md_register_thread
perf intel-pt: Fix overlap calculation for padding
perf auxtrace: Define auxtrace record alignment
perf intel-pt: Fix CYC timestamp calculation after OVF
NFS41: pop some layoutget errors to application
dm: fix to_sector() for 32bit
ARM: s3c24xx: Fix boolean expressions in osiris_dvs_notify
powerpc/83xx: Also save/restore SPRG4-7 during suspend
powerpc/powernv: Make opal log only readable by root
powerpc/wii: properly disable use of BATs when requested.
powerpc/32: Clear on-stack exception marker upon exception return
jbd2: fix compile warning when using JBUFFER_TRACE
jbd2: clear dirty flag when revoking a buffer from an older transaction
serial: 8250_pci: Have ACCES cards that use the four port Pericom PI7C9X7954 chip use the pci_pericom_setup()
serial: 8250_pci: Fix number of ports for ACCES serial cards
perf bench: Copy kernel files needed to build mem{cpy,set} x86_64 benchmarks
i2c: tegra: fix maximum transfer size
parport_pc: fix find_superio io compare code, should use equal test.
intel_th: Don't reference unassigned outputs
kernel/sysctl.c: add missing range check in do_proc_dointvec_minmax_conv
mm/vmalloc: fix size check for remap_vmalloc_range_partial()
dmaengine: usb-dmac: Make DMAC system sleep callbacks explicit
clk: ingenic: Fix round_rate misbehaving with non-integer dividers
ext2: Fix underflow in ext2_max_size()
ext4: fix crash during online resizing
cpufreq: pxa2xx: remove incorrect __init annotation
cpufreq: tegra124: add missing of_node_put()
crypto: pcbc - remove bogus memcpy()s with src == dest
Btrfs: fix corruption reading shared and compressed extents after hole punching
btrfs: ensure that a DUP or RAID1 block group has exactly two stripes
m68k: Add -ffreestanding to CFLAGS
scsi: target/iscsi: Avoid iscsit_release_commands_from_conn() deadlock
scsi: virtio_scsi: don't send sc payload with tmfs
s390/virtio: handle find on invalid queue gracefully
clocksource/drivers/exynos_mct: Clear timer interrupt when shutdown
clocksource/drivers/exynos_mct: Move one-shot check from tick clear to ISR
regulator: s2mpa01: Fix step values for some LDOs
regulator: s2mps11: Fix steps for buck7, buck8 and LDO35
ACPI / device_sysfs: Avoid OF modalias creation for removed device
tracing: Do not free iter->trace in fail path of tracing_open_pipe()
CIFS: Fix read after write for files with read caching
crypto: arm64/aes-ccm - fix logical bug in AAD MAC handling
stm class: Prevent division by zero
tmpfs: fix uninitialized return value in shmem_link
net: set static variable an initial value in atl2_probe()
mac80211_hwsim: propagate genlmsg_reply return code
phonet: fix building with clang
ARC: uacces: remove lp_start, lp_end from clobber list
tmpfs: fix link accounting when a tmpfile is linked in
arm64: Relax GIC version check during early boot
ASoC: topology: free created components in tplg load error
net: mv643xx_eth: disable clk on error path in mv643xx_eth_shared_probe()
pinctrl: meson: meson8b: fix the sdxc_a data 1..3 pins
net: systemport: Fix reception of BPDUs
scsi: libiscsi: Fix race between iscsi_xmit_task and iscsi_complete_task
assoc_array: Fix shortcut creation
ARM: 8824/1: fix a migrating irq bug when hotplug cpu
Input: st-keyscan - fix potential zalloc NULL dereference
i2c: cadence: Fix the hold bit setting
Input: matrix_keypad - use flush_delayed_work()
ARM: OMAP2+: Variable "reg" in function omap4_dsi_mux_pads() could be uninitialized
s390/dasd: fix using offset into zero size array error
gpu: ipu-v3: Fix CSI offsets for imx53
gpu: ipu-v3: Fix i.MX51 CSI control registers offset
crypto: ahash - fix another early termination in hash walk
crypto: caam - fixed handling of sg list
stm class: Fix an endless loop in channel allocation
ASoC: fsl_esai: fix register setting issue in RIGHT_J mode
9p/net: fix memory leak in p9_client_create
9p: use inode->i_lock to protect i_size_write() under 32-bit
media: videobuf2-v4l2: drop WARN_ON in vb2_warn_zero_bytesused()
It's wrong to add len to sector_nr in raid10 reshape twice
fs/9p: use fscache mutex rather than spinlock
ALSA: bebob: use more identical mod_alias for Saffire Pro 10 I/O against Liquid Saffire 56
tcp/dccp: remove reqsk_put() from inet_child_forget()
gro_cells: make sure device is up in gro_cells_receive()
net/hsr: fix possible crash in add_timer()
vxlan: Fix GRO cells race condition between receive and link delete
vxlan: test dev->flags & IFF_UP before calling gro_cells_receive()
ipvlan: disallow userns cap_net_admin to change global mode/flags
missing barriers in some of unix_sock ->addr and ->path accesses
net: Set rtm_table to RT_TABLE_COMPAT for ipv6 for tables > 255
mdio_bus: Fix use-after-free on device_register fails
net/x25: fix a race in x25_bind()
net/mlx4_core: Fix qp mtt size calculation
net/mlx4_core: Fix reset flow when in command polling mode
tcp: handle inet_csk_reqsk_queue_add() failures
route: set the deleted fnhe fnhe_daddr to 0 in ip_del_fnhe to fix a race
ravb: Decrease TxFIFO depth of Q3 and Q2 to one
pptp: dst_release sk_dst_cache in pptp_sock_destruct
net/x25: reset state in x25_connect()
net/x25: fix use-after-free in x25_device_event()
net: sit: fix UBSAN Undefined behaviour in check_6rd
net: hsr: fix memory leak in hsr_dev_finalize()
l2tp: fix infoleak in l2tp_ip6_recvmsg()
KEYS: restrict /proc/keys by credentials at open time
netfilter: nf_conntrack_tcp: Fix stack out of bounds when parsing TCP options
netfilter: nfnetlink_acct: validate NFACCT_FILTER parameters
netfilter: nfnetlink_log: just returns error for unknown command
netfilter: x_tables: enforce nul-terminated table name from getsockopt GET_ENTRIES
udplite: call proper backlog handlers
ARM: dts: exynos: Do not ignore real-world fuse values for thermal zone 0 on Exynos5420
Revert "x86/platform/UV: Use efi_runtime_lock to serialise BIOS calls"
ARM: dts: exynos: Add minimal clkout parameters to Exynos3250 PMU
futex,rt_mutex: Restructure rt_mutex_finish_proxy_lock()
iscsi_ibft: Fix missing break in switch statement
Input: elan_i2c - add id for touchpad found in Lenovo s21e-20
Input: wacom_serial4 - add support for Wacom ArtPad II tablet
MIPS: Remove function size check in get_frame_info()
perf symbols: Filter out hidden symbols from labels
s390/qeth: fix use-after-free in error path
dmaengine: dmatest: Abort test in case of mapping error
dmaengine: at_xdmac: Fix wrongfull report of a channel as in use
irqchip/mmp: Only touch the PJ4 IRQ & FIQ bits on enable/disable
ARM: pxa: ssp: unneeded to free devm_ allocated data
autofs: fix error return in autofs_fill_super()
autofs: drop dentry reference only when it is never used
fs/drop_caches.c: avoid softlockups in drop_pagecache_sb()
mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone
mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone
x86_64: increase stack size for KASAN_EXTRA
x86/kexec: Don't setup EFI info if EFI runtime is not enabled
cifs: fix computation for MAX_SMB2_HDR_SIZE
platform/x86: Fix unmet dependency warning for SAMSUNG_Q10
scsi: libfc: free skb when receiving invalid flogi resp
nfs: Fix NULL pointer dereference of dev_name
gpio: vf610: Mask all GPIO interrupts
net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup()
net: hns: Fix wrong read accesses via Clause 45 MDIO protocol
net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case
xtensa: SMP: limit number of possible CPUs by NR_CPUS
xtensa: SMP: mark each possible CPU as present
xtensa: smp_lx200_defconfig: fix vectors clash
xtensa: SMP: fix secondary CPU initialization
xtensa: SMP: fix ccount_timer_shutdown
iommu/amd: Fix IOMMU page flush when detach device from a domain
ipvs: Fix signed integer overflow when setsockopt timeout
IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM
perf tools: Handle TOPOLOGY headers with no CPU
vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel
media: uvcvideo: Fix 'type' check leading to overflow
ip6mr: Do not call __IP6_INC_STATS() from preemptible context
net: dsa: mv88e6xxx: Fix u64 statistics
netlabel: fix out-of-bounds memory accesses
hugetlbfs: fix races and page leaks during migration
MIPS: irq: Allocate accurate order pages for irq stack
applicom: Fix potential Spectre v1 vulnerabilities
x86/CPU/AMD: Set the CPB bit unconditionally on F17h
net: phy: Micrel KSZ8061: link failure after cable connect
net: avoid use IPCB in cipso_v4_error
net: Add __icmp_send helper.
xen-netback: fix occasional leak of grant ref mappings under memory pressure
net: nfc: Fix NULL dereference on nfc_llcp_build_tlv fails
bnxt_en: Drop oversize TX packets to prevent errors.
team: Free BPF filter when unregistering netdev
sky2: Disable MSI on Dell Inspiron 1545 and Gateway P-79
net-sysfs: Fix mem leak in netdev_register_kobject
staging: lustre: fix buffer overflow of string buffer
isdn: isdn_tty: fix build warning of strncpy
ncpfs: fix build warning of strncpy
sockfs: getxattr: Fail with -EOPNOTSUPP for invalid attribute names
cpufreq: Use struct kobj_attribute instead of struct global_attr
USB: serial: ftdi_sio: add ID for Hjelmslund Electronics USB485
USB: serial: cp210x: add ID for Ingenico 3070
USB: serial: option: add Telit ME910 ECM composition
x86/uaccess: Don't leak the AC flag into __put_user() value evaluation
mm: enforce min addr even if capable() in expand_downwards()
mmc: spi: Fix card detection during probe
powerpc: Always initialize input array when calling epapr_hypercall()
KVM: arm/arm64: Fix MMIO emulation data handling
arm/arm64: KVM: Feed initialized memory to MMIO accesses
KVM: nSVM: clear events pending from svm_complete_interrupts() when exiting to L1
cfg80211: extend range deviation for DMG
mac80211: don't initiate TDLS connection if station is not associated to AP
ibmveth: Do not process frames after calling napi_reschedule
net: altera_tse: fix connect_local_phy error path
scsi: csiostor: fix NULL pointer dereference in csio_vport_set_state()
serial: fsl_lpuart: fix maximum acceptable baud rate with over-sampling
mac80211: fix miscounting of ttl-dropped frames
ARC: fix __ffs return value to avoid build warnings
ASoC: imx-audmux: change snprintf to scnprintf for possible overflow
ASoC: dapm: change snprintf to scnprintf for possible overflow
usb: gadget: Potential NULL dereference on allocation error
usb: dwc3: gadget: Fix the uninitialized link_state when udc starts
thermal: int340x_thermal: Fix a NULL vs IS_ERR() check
ALSA: compress: prevent potential divide by zero bugs
ASoC: Intel: Haswell/Broadwell: fix setting for .dynamic field
drm/msm: Unblock writer if reader closes file
scsi: libsas: Fix rphy phy_identifier for PHYs with end devices attached
libceph: handle an empty authorize reply
Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
ARCv2: Enable unaligned access in early ASM code
net/mlx4_en: Force CHECKSUM_NONE for short ethernet frames
sit: check if IPv6 enabled before calling ip6_err_gen_icmpv6_unreach()
team: avoid complex list operations in team_nl_cmd_options_set()
net/packet: fix 4gb buffer limit due to overflow check
batman-adv: fix uninit-value in batadv_interface_tx()
KEYS: always initialize keyring_index_key::desc_len
KEYS: user: Align the payload buffer
RDMA/srp: Rework SCSI device reset handling
isdn: avm: Fix string plus integer warning from Clang
leds: lp5523: fix a missing check of return value of lp55xx_read
atm: he: fix sign-extension overflow on large shift
isdn: i4l: isdn_tty: Fix some concurrency double-free bugs
MIPS: jazz: fix 64bit build
scsi: isci: initialize shost fully before calling scsi_add_host()
scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
MIPS: ath79: Enable OF serial ports in the default config
net: hns: Fix use after free identified by SLUB debug
mfd: mc13xxx: Fix a missing check of a register-read failure
mfd: wm5110: Add missing ASRC rate register
mfd: qcom_rpm: write fw_version to CTRL_REG
mfd: ab8500-core: Return zero in get_register_interruptible()
mfd: db8500-prcmu: Fix some section annotations
mfd: twl-core: Fix section annotations on {,un}protect_pm_master
mfd: ti_am335x_tscadc: Use PLATFORM_DEVID_AUTO while registering mfd cells
KEYS: allow reaching the keys quotas exactly
numa: change get_mempolicy() to use nr_node_ids instead of MAX_NUMNODES
ceph: avoid repeatedly adding inode to mdsc->snap_flush_list
Revert "ANDROID: arm: process: Add display of memory around registers when displaying regs."
ANDROID: mnt: Propagate remount correctly
ANDROID: cuttlefish_defconfig: Add support for AC97 audio
ANDROID: overlayfs: override_creds=off option bypass creator_cred
FROMGIT: binder: create node flag to request sender's security context
Conflicts:
arch/arm/kernel/irq.c
drivers/media/v4l2-core/videobuf2-v4l2.c
sound/core/compress_offload.c
Change-Id: I998f8d53b0c5b8a7102816034452b1779a3b69a3
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
[ Upstream commit ae3b564179bfd06f32d051b9e5d72ce4b2a07c37 ]
Several u->addr and u->path users are not holding any locks in
common with unix_bind(). unix_state_lock() is useless for those
purposes.
u->addr is assign-once and *(u->addr) is fully set up by the time
we set u->addr (all under unix_table_lock). u->path is also
set in the same critical area, also before setting u->addr, and
any unix_sock with ->path filled will have non-NULL ->addr.
So setting ->addr with smp_store_release() is all we need for those
"lockless" users - just have them fetch ->addr with smp_load_acquire()
and don't even bother looking at ->path if they see NULL ->addr.
Users of ->addr and ->path fall into several classes now:
1) ones that do smp_load_acquire(u->addr) and access *(u->addr)
and u->path only if smp_load_acquire() has returned non-NULL.
2) places holding unix_table_lock. These are guaranteed that
*(u->addr) is seen fully initialized. If unix_sock is in one of the
"bound" chains, so's ->path.
3) unix_sock_destructor() using ->addr is safe. All places
that set u->addr are guaranteed to have seen all stores *(u->addr)
while holding a reference to u and unix_sock_destructor() is called
when (atomic) refcount hits zero.
4) unix_release_sock() using ->path is safe. unix_bind()
is serialized wrt unix_release() (normally - by struct file
refcount), and for the instances that had ->path set by unix_bind()
unix_release_sock() comes from unix_release(), so they are fine.
Instances that had it set in unix_stream_connect() either end up
attached to a socket (in unix_accept()), in which case the call
chain to unix_release_sock() and serialization are the same as in
the previous case, or they never get accept'ed and unix_release_sock()
is called when the listener is shut down and its queue gets purged.
In that case the listener's queue lock provides the barriers needed -
unix_stream_connect() shoves our unix_sock into listener's queue
under that lock right after having set ->path and eventual
unix_release_sock() caller picks them from that queue under the
same lock right before calling unix_release_sock().
5) unix_find_other() use of ->path is pointless, but safe -
it happens with successful lookup by (abstract) name, so ->path.dentry
is guaranteed to be NULL there.
earlier-variant-reviewed-by: "Paul E. McKenney" <paulmck@linux.ibm.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* refs/heads/tmp-0ca3fca
Linux 4.4.163
x86/time: Correct the attribute on jiffies' definition
l2tp: hold tunnel socket when handling control frames in l2tp_ip and l2tp_ip6
cpuidle: Do not access cpuidle_devices when !CONFIG_CPU_IDLE
x86/percpu: Fix this_cpu_read()
sched/fair: Fix throttle_list starvation with low CFS quota
Input: elan_i2c - add ACPI ID for Lenovo IdeaPad 330-15IGM
USB: fix the usbfs flag sanitization for control transfers
usb: gadget: storage: Fix Spectre v1 vulnerability
cdc-acm: correct counting of UART states in serial state notification
IB/ucm: Fix Spectre v1 vulnerability
RDMA/ucma: Fix Spectre v1 vulnerability
ptp: fix Spectre v1 vulnerability
cachefiles: fix the race between cachefiles_bury_object() and rmdir(2)
ahci: don't ignore result code of ahci_reset_controller()
crypto: shash - Fix a sleep-in-atomic bug in shash_setkey_unaligned
mremap: properly flush TLB before releasing the page
rtnetlink: Disallow FDB configuration for non-Ethernet device
vhost: Fix Spectre V1 vulnerability
net: drop skb on failure in ip_check_defrag()
sctp: fix race on sctp_id2asoc
r8169: fix NAPI handling under high load
net: stmmac: Fix stmmac_mdio_reset() when building stmmac as modules
net: socket: fix a missing-check bug
net: sched: gred: pass the right attribute to gred_change_table_def()
net/ipv6: Fix index counter for unicast addresses in in6_dump_addrs
ipv6/ndisc: Preserve IPv6 control buffer if protocol error handlers are called
ipv6: mcast: fix a use-after-free in inet6_mc_check
net: bridge: remove ipv6 zero address check in mcast queries
bridge: do not add port to router list when receives query with source 0.0.0.0
perf tools: Disable parallelism for 'make clean'
mtd: spi-nor: Add support for is25wp series chips
fs/fat/fatent.c: add cond_resched() to fat_count_free_clusters()
ARM: dts: imx53-qsb: disable 1.2GHz OPP
MIPS: DEC: Fix an int-handler.S CPU_DADDI_WORKAROUNDS regression
igb: Remove superfluous reset to PHY and page 0 selection
MIPS: microMIPS: Fix decoding of swsp16 instruction
scsi: aacraid: Fix typo in blink status
bonding: avoid defaulting hard_header_len to ETH_HLEN on slave removal
PM / devfreq: tegra: fix error return code in tegra_devfreq_probe()
ASoC: spear: fix error return code in spdif_in_probe()
spi: xlp: fix error return code in xlp_spi_probe()
spi/bcm63xx: fix error return code in bcm63xx_spi_probe()
MIPS: Handle non word sized instructions when examining frame
spi/bcm63xx-hspi: fix error return code in bcm63xx_hsspi_probe()
usb: dwc3: omap: fix error return code in dwc3_omap_probe()
usb: ehci-omap: fix error return code in ehci_hcd_omap_probe()
usb: imx21-hcd: fix error return code in imx21_probe()
gpio: msic: fix error return code in platform_msic_gpio_probe()
sparc64: Fix exception handling in UltraSPARC-III memcpy.
gpu: host1x: fix error return code in host1x_probe()
sparc64 mm: Fix more TSB sizing issues
video: fbdev: pxa3xx_gcu: fix error return code in pxa3xx_gcu_probe()
tty: serial: sprd: fix error return code in sprd_probe()
l2tp: hold socket before dropping lock in l2tp_ip{, 6}_recv()
brcmfmac: Fix glom_skb leak in brcmf_sdiod_recv_chain
gro: Allow tunnel stacking in the case of FOU/GUE
vti6: flush x-netns xfrm cache when vti interface is removed
ALSA: timer: Fix zero-division by continue of uninitialized instance
ixgbe: Correct X550EM_x revision check
ixgbe: fix RSS limit for X550
net/mlx5e: Correctly handle RSS indirection table when changing number of channels
net/mlx5e: Fix LRO modify
ixgbevf: Fix handling of NAPI budget when multiple queues are enabled per vector
fuse: Dont call set_page_dirty_lock() for ITER_BVEC pages for async_dio
drm/nouveau/fbcon: fix oops without fbdev emulation
bpf: generally move prog destruction to RCU deferral
usb-storage: fix bogus hardware error messages for ATA pass-thru devices
sch_red: update backlog as well
sparc/pci: Refactor dev_archdata initialization into pci_init_dev_archdata
scsi: Add STARGET_CREATED_REMOVE state to scsi_target_state
xfrm: Clear sk_dst_cache when applying per-socket policy.
arm64: Fix potential race with hardware DBM in ptep_set_access_flags()
CIFS: handle guest access errors to Windows shares
ASoC: wm8940: Enable cache usage to fix crashes on resume
ASoC: ak4613: Enable cache usage to fix crashes on resume
MIPS: Fix FCSR Cause bit handling for correct SIGFPE issue
usbvision: revert commit 588afcc1
perf/core: Don't leak event in the syscall error path
aacraid: Start adapter after updating number of MSIX vectors
x86/PCI: Mark Broadwell-EP Home Agent 1 as having non-compliant BARs
tpm: fix: return rc when devm_add_action() fails
thermal: allow u8500-thermal driver to be a module
thermal: allow spear-thermal driver to be a module
btrfs: don't create or leak aliased root while cleaning up orphans
sched/cgroup: Fix cgroup entity load tracking tear-down
um: Avoid longjmp/setjmp symbol clashes with libpthread.a
ipv6: orphan skbs in reassembly unit
net/mlx4_en: Resolve dividing by zero in 32-bit system
af_iucv: Move sockaddr length checks to before accessing sa_family in bind and connect handlers
radix-tree: fix radix_tree_iter_retry() for tagged iterators.
x86/mm/pat: Prevent hang during boot when mapping pages
ARM: dts: apq8064: add ahci ports-implemented mask
tracing: Skip more functions when doing stack tracing of events
ser_gigaset: use container_of() instead of detour
net: drop write-only stack variable
ipv6: suppress sparse warnings in IP6_ECN_set_ce()
KEYS: put keyring if install_session_keyring_to_cred() fails
net: cxgb3_main: fix a missing-check bug
perf/ring_buffer: Prevent concurent ring buffer access
smsc95xx: Check for Wake-on-LAN modes
smsc75xx: Check for Wake-on-LAN modes
r8152: Check for supported Wake-on-LAN Modes
sr9800: Check for supported Wake-on-LAN modes
lan78xx: Check for supported Wake-on-LAN modes
ax88179_178a: Check for supported Wake-on-LAN modes
asix: Check for supported Wake-on-LAN modes
pxa168fb: prepare the clock
Bluetooth: SMP: fix crash in unpairing
mac80211_hwsim: do not omit multicast announce of first added radio
xfrm: validate template mode
ARM: 8799/1: mm: fix pci_ioremap_io() offset check
cfg80211: reg: Init wiphy_idx in regulatory_hint_core()
mac80211: Always report TX status
xfrm6: call kfree_skb when skb is toobig
xfrm: Validate address prefix lengths in the xfrm selector.
BACKPORT: xfrm: Allow Output Mark to be Updated Using UPDSA
ANDROID: sdcardfs: Add option to drop unused dentries
f2fs: guarantee journalled quota data by checkpoint
f2fs: cleanup dirty pages if recover failed
f2fs: fix data corruption issue with hardware encryption
f2fs: fix to recover inode->i_flags of inode block during POR
f2fs: spread f2fs_set_inode_flags()
f2fs: fix to spread clear_cold_data()
Revert "f2fs: fix to clear PG_checked flag in set_page_dirty()"
f2fs: account read IOs and use IO counts for is_idle
f2fs: fix to account IO correctly for cgroup writeback
f2fs: fix to account IO correctly
f2fs: remove request_list check in is_idle()
f2fs: allow to mount, if quota is failed
f2fs: update REQ_TIME in f2fs_cross_rename()
f2fs: do not update REQ_TIME in case of error conditions
f2fs: remove unneeded disable_nat_bits()
f2fs: remove unused sbi->trigger_ssr_threshold
f2fs: shrink sbi->sb_lock coverage in set_file_temperature()
f2fs: fix to recover cold bit of inode block during POR
f2fs: submit cached bio to avoid endless PageWriteback
f2fs: checkpoint disabling
f2fs: clear PageError on the read path
f2fs: allow out-place-update for direct IO in LFS mode
f2fs: refactor ->page_mkwrite() flow
Revert: "f2fs: check last page index in cached bio to decide submission"
f2fs: support superblock checksum
f2fs: add to account skip count of background GC
f2fs: add to account meta IO
f2fs: keep lazytime on remount
f2fs: fix missing up_read
f2fs: return correct errno in f2fs_gc
f2fs: avoid f2fs_bug_on if f2fs_get_meta_page_nofail got EIO
f2fs: mark inode dirty explicitly in recover_inode()
f2fs: fix to recover inode's crtime during POR
f2fs: fix to recover inode's i_gc_failures during POR
f2fs: fix to recover inode's i_flags during POR
f2fs: fix to recover inode's project id during POR
f2fs: update i_size after DIO completion
f2fs: report ENOENT correctly in f2fs_rename
f2fs: fix remount problem of option io_bits
f2fs: fix to recover inode's uid/gid during POR
f2fs: avoid infinite loop in f2fs_alloc_nid
f2fs: add new idle interval timing for discard and gc paths
f2fs: split IO error injection according to RW
f2fs: add SPDX license identifiers
f2fs: surround fault_injection related option parsing using CONFIG_F2FS_FAULT_INJECTION
f2fs: avoid sleeping under spin_lock
f2fs: plug readahead IO in readdir()
f2fs: fix to do sanity check with current segment number
f2fs: fix memory leak of percpu counter in fill_super()
f2fs: fix memory leak of write_io in fill_super()
f2fs: cache NULL when both default_acl and acl are NULL
f2fs: fix to flush all dirty inodes recovered in readonly fs
f2fs: report error if quota off error during umount
f2fs: submit bio after shutdown
f2fs: avoid wrong decrypted data from disk
Revert "f2fs: use printk_ratelimited for f2fs_msg"
f2fs: fix unnecessary periodic wakeup of discard thread when dev is busy
f2fs: fix to avoid NULL pointer dereference on se->discard_map
f2fs: add additional sanity check in f2fs_acl_from_disk()
Revert "BACKPORT, FROMLIST: fscrypt: add Speck128/256 support"
Build fix for 076c36fce1.
Revert "BACKPORT, FROMGIT: crypto: speck - add support for the Speck block cipher"
Revert "FROMGIT: crypto: speck - export common helpers"
Revert "BACKPORT, FROMGIT: crypto: arm/speck - add NEON-accelerated implementation of Speck-XTS"
Revert "BACKPORT, FROMGIT: crypto: speck - add test vectors for Speck128-XTS"
Revert "BACKPORT, FROMGIT: crypto: speck - add test vectors for Speck64-XTS"
Revert "BACKPORT, FROMLIST: crypto: arm64/speck - add NEON-accelerated implementation of Speck-XTS"
Revert "fscrypt: add Speck128/256 support"
UPSTREAM: loop: Add LOOP_SET_BLOCK_SIZE in compat ioctl
BACKPORT: block/loop: set hw_sectors
UPSTREAM: loop: add ioctl for changing logical block size
Conflicts:
fs/ext4/crypto.c
fs/ext4/ext4.h
Change-Id: I8cb2f70b27906879f8e8fdd90e67f438e39701b8
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
[ Upstream commit 3575dbf2cbbc8e598f17ec441aed526dbea0e1bd ]
Remove a write-only stack variable from unix_attach_fds(). This is a
left-over from the security fix in:
commit 712f4aad406bb1ed67f3f98d04c044191f0ff593
Author: willy tarreau <w@1wt.eu>
Date: Sun Jan 10 07:54:56 2016 +0100
unix: properly account for FDs passed over unix sockets
Signed-off-by: David Herrmann <dh.herrmann@gmail.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
* refs/heads/tmp-7eab308
Linux 4.4.99
misc: panel: properly restore atomic counter on error path
target: Fix node_acl demo-mode + uncached dynamic shutdown regression
target/iscsi: Fix iSCSI task reassignment handling
brcmfmac: remove setting IBSS mode when stopping AP
tipc: fix link attribute propagation bug
security/keys: add CONFIG_KEYS_COMPAT to Kconfig
tcp/dccp: fix other lockdep splats accessing ireq_opt
tcp/dccp: fix lockdep splat in inet_csk_route_req()
tcp/dccp: fix ireq->opt races
ipip: only increase err_count for some certain type icmp in ipip_err
ppp: fix race in ppp device destruction
sctp: reset owner sk for data chunks on out queues when migrating a sock
tun: allow positive return values on dev_get_valid_name() call
ip6_gre: only increase err_count for some certain type icmpv6 in ip6gre_err
net/unix: don't show information about sockets from other namespaces
ipv6: flowlabel: do not leave opt->tot_len with garbage
packet: avoid panic in packet_getsockopt()
sctp: add the missing sock_owned_by_user check in sctp_icmp_redirect
tun: call dev_get_valid_name() before register_netdevice()
l2tp: check ps->sock before running pppol2tp_session_ioctl()
tcp: fix tcp_mtu_probe() vs highest_sack
tun/tap: sanitize TUNSETSNDBUF input
ALSA: seq: Cancel pending autoload work at unbinding device
Input: ims-psu - check if CDC union descriptor is sane
usb: usbtest: fix NULL pointer dereference
mac80211: don't compare TKIP TX MIC key in reinstall prevention
mac80211: use constant time comparison with keys
mac80211: accept key reinstall without changing anything
FROMLIST: binder: fix proc->files use-after-free
Change-Id: I9aaf4f803a5da1fc983879a214b2fddda7879f41
Signed-off-by: Srinivasarao P <spathi@codeaurora.org>
[ Upstream commit 0f5da659d8f1810f44de14acf2c80cd6499623a0 ]
socket_diag shows information only about sockets from a namespace where
a diag socket lives.
But if we request information about one unix socket, the kernel don't
check that its netns is matched with a diag socket namespace, so any
user can get information about any unix socket in a system. This looks
like a bug.
v2: add a Fixes tag
Fixes: 51d7cccf07 ("net: make sock diag per-namespace")
Signed-off-by: Andrei Vagin <avagin@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
* refs/heads/tmp-64a73ff:
Linux 4.4.76
KVM: nVMX: Fix exception injection
KVM: x86: zero base3 of unusable segments
KVM: x86/vPMU: fix undefined shift in intel_pmu_refresh()
KVM: x86: fix emulation of RSM and IRET instructions
cpufreq: s3c2416: double free on driver init error path
iommu/amd: Fix incorrect error handling in amd_iommu_bind_pasid()
iommu: Handle default domain attach failure
iommu/vt-d: Don't over-free page table directories
ocfs2: o2hb: revert hb threshold to keep compatible
x86/mm: Fix flush_tlb_page() on Xen
x86/mpx: Correctly report do_mpx_bt_fault() failures to user-space
ARM: 8685/1: ensure memblock-limit is pmd-aligned
ARM64/ACPI: Fix BAD_MADT_GICC_ENTRY() macro implementation
sched/loadavg: Avoid loadavg spikes caused by delayed NO_HZ accounting
watchdog: bcm281xx: Fix use of uninitialized spinlock.
xfrm: Oops on error in pfkey_msg2xfrm_state()
xfrm: NULL dereference on allocation failure
xfrm: fix stack access out of bounds with CONFIG_XFRM_SUB_POLICY
jump label: fix passing kbuild_cflags when checking for asm goto support
ravb: Fix use-after-free on `ifconfig eth0 down`
sctp: check af before verify address in sctp_addr_id2transport
net/mlx4_core: Eliminate warning messages for SRQ_LIMIT under SRIOV
perf probe: Fix to show correct locations for events on modules
be2net: fix status check in be_cmd_pmac_add()
s390/ctl_reg: make __ctl_load a full memory barrier
swiotlb: ensure that page-sized mappings are page-aligned
coredump: Ensure proper size of sparse core files
x86/mpx: Use compatible types in comparison to fix sparse error
mac80211: initialize SMPS field in HT capabilities
spi: davinci: use dma_mapping_error()
scsi: lpfc: avoid double free of resource identifiers
HID: i2c-hid: Add sleep between POWER ON and RESET
kernel/panic.c: add missing \n
ibmveth: Add a proper check for the availability of the checksum features
vxlan: do not age static remote mac entries
virtio_net: fix PAGE_SIZE > 64k
vfio/spapr: fail tce_iommu_attach_group() when iommu_data is null
drm/amdgpu: check ring being ready before using
net: dsa: Check return value of phy_connect_direct()
amd-xgbe: Check xgbe_init() return code
platform/x86: ideapad-laptop: handle ACPI event 1
scsi: virtio_scsi: Reject commands when virtqueue is broken
xen-netfront: Fix Rx stall during network stress and OOM
swiotlb-xen: update dev_addr after swapping pages
virtio_console: fix a crash in config_work_handler
Btrfs: fix truncate down when no_holes feature is enabled
gianfar: Do not reuse pages from emergency reserve
powerpc/eeh: Enable IO path on permanent error
net: bgmac: Remove superflous netif_carrier_on()
net: bgmac: Start transmit queue in bgmac_open
net: bgmac: Fix SOF bit checking
bgmac: Fix reversed test of build_skb() return value.
mtd: bcm47xxpart: don't fail because of bit-flips
bgmac: fix a missing check for build_skb
mtd: bcm47xxpart: limit scanned flash area on BCM47XX (MIPS) only
MIPS: ralink: fix MT7628 wled_an pinmux gpio
MIPS: ralink: fix MT7628 pinmux typos
MIPS: ralink: Fix invalid assignment of SoC type
MIPS: ralink: fix USB frequency scaling
MIPS: ralink: MT7688 pinmux fixes
net: korina: Fix NAPI versus resources freeing
MIPS: ath79: fix regression in PCI window initialization
net: mvneta: Fix for_each_present_cpu usage
ARM: dts: BCM5301X: Correct GIC_PPI interrupt flags
qla2xxx: Fix erroneous invalid handle message
scsi: lpfc: Set elsiocb contexts to NULL after freeing it
scsi: sd: Fix wrong DPOFUA disable in sd_read_cache_type
KVM: x86: fix fixing of hypercalls
mm: numa: avoid waiting on freed migrated pages
block: fix module reference leak on put_disk() call for cgroups throttle
sysctl: enable strict writes
usb: gadget: f_fs: Fix possibe deadlock
drm/vmwgfx: Free hash table allocated by cmdbuf managed res mgr
ALSA: hda - set input_path bitmap to zero after moving it to new place
ALSA: hda - Fix endless loop of codec configure
MIPS: Fix IRQ tracing & lockdep when rescheduling
MIPS: pm-cps: Drop manual cache-line alignment of ready_count
MIPS: Avoid accidental raw backtrace
mm, swap_cgroup: reschedule when neeed in swap_cgroup_swapoff()
drm/ast: Handle configuration without P2A bridge
NFSv4: fix a reference leak caused WARNING messages
netfilter: synproxy: fix conntrackd interaction
netfilter: xt_TCPMSS: add more sanity tests on tcph->doff
rtnetlink: add IFLA_GROUP to ifla_policy
ipv6: Do not leak throw route references
sfc: provide dummy definitions of vswitch functions
net: 8021q: Fix one possible panic caused by BUG_ON in free_netdev
decnet: always not take dst->__refcnt when inserting dst into hash table
net/mlx5: Wait for FW readiness before initializing command interface
ipv6: fix calling in6_ifa_hold incorrectly for dad work
igmp: add a missing spin_lock_init()
igmp: acquire pmc lock for ip_mc_clear_src()
net: caif: Fix a sleep-in-atomic bug in cfpkt_create_pfx
Fix an intermittent pr_emerg warning about lo becoming free.
af_unix: Add sockaddr length checks before accessing sa_family in bind and connect handlers
net: Zero ifla_vf_info in rtnl_fill_vfinfo()
decnet: dn_rtmsg: Improve input length sanitization in dnrmg_receive_user_skb
net: don't call strlen on non-terminated string in dev_set_alias()
ipv6: release dst on error in ip6_dst_lookup_tail
UPSTREAM: selinux: enable genfscon labeling for tracefs
Change-Id: I05ae1d6271769a99ea3817e5066f5ab6511f3254
Signed-off-by: Blagovest Kolenichev <bkolenichev@codeaurora.org>
[ Upstream commit defbcf2decc903a28d8398aa477b6881e711e3ea ]
Verify that the caller-provided sockaddr structure is large enough to
contain the sa_family field, before accessing it in bind() and connect()
handlers of the AF_UNIX socket. Since neither syscall enforces a minimum
size of the corresponding memory region, very short sockaddrs (zero or
one byte long) result in operating on uninitialized memory while
referencing .sa_family.
Signed-off-by: Mateusz Jurczyk <mjurczyk@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
These are all driver changes needed for disablement of
CONFIG_CC_OPTIMIZE_FOR_SIZE. CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE
is enabled by default once CONFIG_CC_OPTIMIZE_FOR_SIZE is disabled.
Change-Id: Ia46a1f24e8a082a29ea6151e41e6d3a85a05fd4f
Signed-off-by: Prasad Sodagudi <psodagud@codeaurora.org>
Signed-off-by: Sridhar Parasuram <sridhar@codeaurora.org>
[ Upstream commit 7df9c24625b9981779afb8fcdbe2bb4765e61147 ]
Dmitry has reported that a BUG_ON() condition in unix_notinflight()
may be triggered by a simple code that forwards unix socket in an
SCM_RIGHTS message.
That is caused by incorrect unix socket GC implementation in unix_gc().
The GC first collects list of candidates, then (a) decrements their
"children's" inflight counter, (b) checks which inflight counters are
now 0, and then (c) increments all inflight counters back.
(a) and (c) are done by calling scan_children() with inc_inflight or
dec_inflight as the second argument.
Commit 6209344f5a ("net: unix: fix inflight counting bug in garbage
collector") changed scan_children() such that it no longer considers
sockets that do not have UNIX_GC_CANDIDATE flag. It also added a block
of code that that unsets this flag _before_ invoking
scan_children(, dec_iflight, ). This may lead to incorrect inflight
counters for some sockets.
This change fixes this bug by changing order of operations:
UNIX_GC_CANDIDATE is now unset only after all inflight counters are
restored to the original state.
kernel BUG at net/unix/garbage.c:149!
RIP: 0010:[<ffffffff8717ebf4>] [<ffffffff8717ebf4>]
unix_notinflight+0x3b4/0x490 net/unix/garbage.c:149
Call Trace:
[<ffffffff8716cfbf>] unix_detach_fds.isra.19+0xff/0x170 net/unix/af_unix.c:1487
[<ffffffff8716f6a9>] unix_destruct_scm+0xf9/0x210 net/unix/af_unix.c:1496
[<ffffffff86a90a01>] skb_release_head_state+0x101/0x200 net/core/skbuff.c:655
[<ffffffff86a9808a>] skb_release_all+0x1a/0x60 net/core/skbuff.c:668
[<ffffffff86a980ea>] __kfree_skb+0x1a/0x30 net/core/skbuff.c:684
[<ffffffff86a98284>] kfree_skb+0x184/0x570 net/core/skbuff.c:705
[<ffffffff871789d5>] unix_release_sock+0x5b5/0xbd0 net/unix/af_unix.c:559
[<ffffffff87179039>] unix_release+0x49/0x90 net/unix/af_unix.c:836
[<ffffffff86a694b2>] sock_release+0x92/0x1f0 net/socket.c:570
[<ffffffff86a6962b>] sock_close+0x1b/0x20 net/socket.c:1017
[<ffffffff81a76b8e>] __fput+0x34e/0x910 fs/file_table.c:208
[<ffffffff81a771da>] ____fput+0x1a/0x20 fs/file_table.c:244
[<ffffffff81483ab0>] task_work_run+0x1a0/0x280 kernel/task_work.c:116
[< inline >] exit_task_work include/linux/task_work.h:21
[<ffffffff8141287a>] do_exit+0x183a/0x2640 kernel/exit.c:828
[<ffffffff8141383e>] do_group_exit+0x14e/0x420 kernel/exit.c:931
[<ffffffff814429d3>] get_signal+0x663/0x1880 kernel/signal.c:2307
[<ffffffff81239b45>] do_signal+0xc5/0x2190 arch/x86/kernel/signal.c:807
[<ffffffff8100666a>] exit_to_usermode_loop+0x1ea/0x2d0
arch/x86/entry/common.c:156
[< inline >] prepare_exit_to_usermode arch/x86/entry/common.c:190
[<ffffffff81009693>] syscall_return_slowpath+0x4d3/0x570
arch/x86/entry/common.c:259
[<ffffffff881478e6>] entry_SYSCALL_64_fastpath+0xc4/0xc6
Link: https://lkml.org/lkml/2017/3/6/252
Signed-off-by: Andrey Ulanov <andreyu@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Fixes: 6209344 ("net: unix: fix inflight counting bug in garbage collector")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 0fb44559ffd67de8517098b81f675fa0210f13f0 ]
Dmitry reported a deadlock scenario:
unix_bind() path:
u->bindlock ==> sb_writer
do_splice() path:
sb_writer ==> pipe->mutex ==> u->bindlock
In the unix_bind() code path, unix_mknod() does not have to
be done with u->bindlock held, since it is a pure fs operation,
so we can just move unix_mknod() out.
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 06a77b07e3b44aea2b3c0e64de420ea2cfdcbaa9 ]
Commit 2b15af6f95 ("af_unix: use freezable blocking calls in read")
converts schedule_timeout() to its freezable version, it was probably
correct at that time, but later, commit 2b514574f7
("net: af_unix: implement splice for stream af_unix sockets") breaks
the strong requirement for a freezable sleep, according to
commit 0f9548ca10:
We shouldn't try_to_freeze if locks are held. Holding a lock can cause a
deadlock if the lock is later acquired in the suspend or hibernate path
(e.g. by dpm). Holding a lock can also cause a deadlock in the case of
cgroup_freezer if a lock is held inside a frozen cgroup that is later
acquired by a process outside that group.
The pipe_lock is still held at that point.
So use freezable version only for the recvmsg call path, avoid impact for
Android.
Fixes: 2b514574f7 ("net: af_unix: implement splice for stream af_unix sockets")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Tejun Heo <tj@kernel.org>
Cc: Colin Cross <ccross@android.com>
Cc: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6e1ce3c3451291142a57c4f3f6f999a29fb5b3bc upstream.
Right now we use the 'readlock' both for protecting some of the af_unix
IO path and for making the bind be single-threaded.
The two are independent, but using the same lock makes for a nasty
deadlock due to ordering with regards to filesystem locking. The bind
locking would want to nest outside the VSF pathname locking, but the IO
locking wants to nest inside some of those same locks.
We tried to fix this earlier with commit c845acb324 ("af_unix: Fix
splice-bind deadlock") which moved the readlock inside the vfs locks,
but that caused problems with overlayfs that will then call back into
filesystem routines that take the lock in the wrong order anyway.
Splitting the locks means that we can go back to having the bind lock be
the outermost lock, and we don't have any deadlocks with lock ordering.
Acked-by: Rainer Weikusat <rweikusat@cyberadapt.com>
Acked-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 38f7bd94a97b542de86a2be9229289717e33a7a4 upstream.
This reverts commit c845acb324.
It turns out that it just replaces one deadlock with another one: we can
still get the wrong lock ordering with the readlock due to overlayfs
calling back into the filesystem layer and still taking the vfs locks
after the readlock.
The proper solution ends up being to just split the readlock into two
pieces: the bind lock (taken *outside* the vfs locks) and the IO lock
(taken *inside* the filesystem locks). The two locks are independent
anyway.
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Reviewed-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit eb0a4a47ae89aaa0674ab3180de6a162f3be2ddf upstream.
Overlayfs uses separate inodes even in the case of hard links on the
underlying filesystems. This is a problem for AF_UNIX socket
implementation which indexes sockets based on the inode. This resulted in
hard linked sockets not working.
The fix is to use the real, underlying inode.
Test case follows:
-- ovl-sock-test.c --
#include <unistd.h>
#include <err.h>
#include <sys/socket.h>
#include <sys/un.h>
#define SOCK "test-sock"
#define SOCK2 "test-sock2"
int main(void)
{
int fd, fd2;
struct sockaddr_un addr = {
.sun_family = AF_UNIX,
.sun_path = SOCK,
};
struct sockaddr_un addr2 = {
.sun_family = AF_UNIX,
.sun_path = SOCK2,
};
unlink(SOCK);
unlink(SOCK2);
if ((fd = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
err(1, "socket");
if (bind(fd, (struct sockaddr *) &addr, sizeof(addr)) == -1)
err(1, "bind");
if (listen(fd, 0) == -1)
err(1, "listen");
if (link(SOCK, SOCK2) == -1)
err(1, "link");
if ((fd2 = socket(AF_UNIX, SOCK_STREAM, 0)) == -1)
err(1, "socket");
if (connect(fd2, (struct sockaddr *) &addr2, sizeof(addr2)) == -1)
err (1, "connect");
return 0;
}
----
Reported-by: Alexander Morozov <alexandr.morozov@docker.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit b5f0549231ffb025337be5a625b0ff9f52b016f0 ]
The value passed by unix_diag_get_exact to unix_lookup_by_ino has type
__u32, but unix_lookup_by_ino's argument ino has type int, which is not
a problem yet.
However, when ino is compared with sock_i_ino return value of type
unsigned long, ino is sign extended to signed long, and this results
to incorrect comparison on 64-bit architectures for inode numbers
greater than INT_MAX.
This bug was found by strace test suite.
Fixes: 5d3cae8bc3 ("unix_diag: Dumping exact socket core")
Signed-off-by: Dmitry V. Levin <ldv@altlinux.org>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit a5527dda344fff0514b7989ef7a755729769daa1 ]
The unix_dgram_sendmsg routine use the following test
if (unlikely(unix_peer(other) != sk && unix_recvq_full(other))) {
to determine if sk and other are in an n:1 association (either
established via connect or by using sendto to send messages to an
unrelated socket identified by address). This isn't correct as the
specified address could have been bound to the sending socket itself or
because this socket could have been connected to itself by the time of
the unix_peer_get but disconnected before the unix_state_lock(other). In
both cases, the if-block would be entered despite other == sk which
might either block the sender unintentionally or lead to trying to unlock
the same spin lock twice for a non-blocking send. Add a other != sk
check to guard against this.
Fixes: 7d267278a9 ("unix: avoid use-after-free in ep_remove_wait_queue")
Reported-By: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Tested-by: Philipp Hahn <pmhahn@pmhahn.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 1b92ee3d03af6643df395300ba7748f19ecdb0c5 ]
The present unix_stream_read_generic contains various code sequences of
the form
err = -EDISASTER;
if (<test>)
goto out;
This has the unfortunate side effect of possibly causing the error code
to bleed through to the final
out:
return copied ? : err;
and then to be wrongly returned if no data was copied because the caller
didn't supply a data buffer, as demonstrated by the program available at
http://pad.lv/1540731
Change it such that err is only set if an error condition was detected.
Fixes: 3822b5c2fc ("af_unix: Revert 'lock_interruptible' in stream receive code")
Reported-by: Joseph Salisbury <joseph.salisbury@canonical.com>
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 415e3d3e90ce9e18727e8843ae343eda5a58fad6 ]
The commit referenced in the Fixes tag incorrectly accounted the number
of in-flight fds over a unix domain socket to the original opener
of the file-descriptor. This allows another process to arbitrary
deplete the original file-openers resource limit for the maximum of
open files. Instead the sending processes and its struct cred should
be credited.
To do so, we add a reference counted struct user_struct pointer to the
scm_fp_list and use it to account for the number of inflight unix fds.
Fixes: 712f4aad406bb1 ("unix: properly account for FDs passed over unix sockets")
Reported-by: David Herrmann <dh.herrmann@gmail.com>
Cc: David Herrmann <dh.herrmann@gmail.com>
Cc: Willy Tarreau <w@1wt.eu>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit fa0dc04df259ba2df3ce1920e9690c7842f8fa4b ]
Dmitry reported a struct pid leak detected by a syzkaller program.
Bug happens in unix_stream_recvmsg() when we break the loop when a
signal is pending, without properly releasing scm.
Fixes: b3ca9b02b0 ("net: fix multithreaded signal handling in unix recv routines")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
[ Upstream commit 712f4aad406bb1ed67f3f98d04c044191f0ff593 ]
It is possible for a process to allocate and accumulate far more FDs than
the process' limit by sending them over a unix socket then closing them
to keep the process' fd count low.
This change addresses this problem by keeping track of the number of FDs
in flight per user and preventing non-privileged processes from having
more FDs in flight than their configured FD limit.
Reported-by: socketpair@gmail.com
Reported-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Mitigates: CVE-2013-4312 (Linux 2.0+)
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
On 2015/11/06, Dmitry Vyukov reported a deadlock involving the splice
system call and AF_UNIX sockets,
http://lists.openwall.net/netdev/2015/11/06/24
The situation was analyzed as
(a while ago) A: socketpair()
B: splice() from a pipe to /mnt/regular_file
does sb_start_write() on /mnt
C: try to freeze /mnt
wait for B to finish with /mnt
A: bind() try to bind our socket to /mnt/new_socket_name
lock our socket, see it not bound yet
decide that it needs to create something in /mnt
try to do sb_start_write() on /mnt, block (it's
waiting for C).
D: splice() from the same pipe to our socket
lock the pipe, see that socket is connected
try to lock the socket, block waiting for A
B: get around to actually feeding a chunk from
pipe to file, try to lock the pipe. Deadlock.
on 2015/11/10 by Al Viro,
http://lists.openwall.net/netdev/2015/11/10/4
The patch fixes this by removing the kern_path_create related code from
unix_mknod and executing it as part of unix_bind prior acquiring the
readlock of the socket in question. This means that A (as used above)
will sb_start_write on /mnt before it acquires the readlock, hence, it
won't indirectly block B which first did a sb_start_write and then
waited for a thread trying to acquire the readlock. Consequently, A
being blocked by C waiting for B won't cause a deadlock anymore
(effectively, both A and B acquire two locks in opposite order in the
situation described above).
Dmitry Vyukov(<dvyukov@google.com>) tested the original patch.
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
With b3ca9b02b0, the AF_UNIX SOCK_STREAM
receive code was changed from using mutex_lock(&u->readlock) to
mutex_lock_interruptible(&u->readlock) to prevent signals from being
delayed for an indefinite time if a thread sleeping on the mutex
happened to be selected for handling the signal. But this was never a
problem with the stream receive code (as opposed to its datagram
counterpart) as that never went to sleep waiting for new messages with the
mutex held and thus, wouldn't cause secondary readers to block on the
mutex waiting for the sleeping primary reader. As the interruptible
locking makes the code more complicated in exchange for no benefit,
change it back to using mutex_lock.
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch is a cleanup to make following patch easier to
review.
Goal is to move SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA
from (struct socket)->flags to a (struct socket_wq)->flags
to benefit from RCU protection in sock_wake_async()
To ease backports, we rename both constants.
Two new helpers, sk_set_bit(int nr, struct sock *sk)
and sk_clear_bit(int net, struct sock *sk) are added so that
following patch can change their implementation.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
sendpage did not care about credentials at all. This could lead to
situations in which because of fd passing between processes we could
append data to skbs with different scm data. It is illegal to splice those
skbs together. Instead we have to allocate a new skb and if requested
fill out the scm details.
Fixes: 869e7c6248 ("net: af_unix: implement stream sendpage support")
Reported-by: Al Viro <viro@zeniv.linux.org.uk>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Rainer Weikusat <rweikusat@mobileactivedefense.com> writes:
An AF_UNIX datagram socket being the client in an n:1 association with
some server socket is only allowed to send messages to the server if the
receive queue of this socket contains at most sk_max_ack_backlog
datagrams. This implies that prospective writers might be forced to go
to sleep despite none of the message presently enqueued on the server
receive queue were sent by them. In order to ensure that these will be
woken up once space becomes again available, the present unix_dgram_poll
routine does a second sock_poll_wait call with the peer_wait wait queue
of the server socket as queue argument (unix_dgram_recvmsg does a wake
up on this queue after a datagram was received). This is inherently
problematic because the server socket is only guaranteed to remain alive
for as long as the client still holds a reference to it. In case the
connection is dissolved via connect or by the dead peer detection logic
in unix_dgram_sendmsg, the server socket may be freed despite "the
polling mechanism" (in particular, epoll) still has a pointer to the
corresponding peer_wait queue. There's no way to forcibly deregister a
wait queue with epoll.
Based on an idea by Jason Baron, the patch below changes the code such
that a wait_queue_t belonging to the client socket is enqueued on the
peer_wait queue of the server whenever the peer receive queue full
condition is detected by either a sendmsg or a poll. A wake up on the
peer queue is then relayed to the ordinary wait queue of the client
socket via wake function. The connection to the peer wait queue is again
dissolved if either a wake up is about to be relayed or the client
socket reconnects or a dead peer is detected or the client socket is
itself closed. This enables removing the second sock_poll_wait from
unix_dgram_poll, thus avoiding the use-after-free, while still ensuring
that no blocked writer sleeps forever.
Signed-off-by: Rainer Weikusat <rweikusat@mobileactivedefense.com>
Fixes: ec0d215f94 ("af_unix: fix 'poll for write'/connected DGRAM sockets")
Reviewed-by: Jason Baron <jbaron@akamai.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
While possibly in future we don't necessarily need to use
sk_buff_head.lock this is a rather larger change, as it affects the
af_unix fd garbage collector, diag and socket cleanups. This is too much
for a stable patch.
For the time being grab sk_buff_head.lock without disabling bh and irqs,
so don't use locked skb_queue_tail.
Fixes: 869e7c6248 ("net: af_unix: implement stream sendpage support")
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Reported-by: Eric Dumazet <edumazet@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In case multiple writes to a unix stream socket race we could end up in a
situation where we pre-allocate a new skb for use in unix_stream_sendpage
but have to free it again in the locked section because another skb
has been appended meanwhile, which we must use. Accidentally we didn't
clear the pointer after consuming it and so we touched freed memory
while appending it to the sk_receive_queue. So, clear the pointer after
consuming the skb.
This bug has been found with syzkaller
(http://github.com/google/syzkaller) by Dmitry Vyukov.
Fixes: 869e7c6248 ("net: af_unix: implement stream sendpage support")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
During splicing an af-unix socket to a pipe we have to drop all
af-unix socket locks. While doing so we allow another reader to enter
unix_stream_read_generic which can read, copy and finally free another
skb. If exactly this skb is just in process of being spliced we get a
use-after-free report by kasan.
First, we must make sure to not have a free while the skb is used during
the splice operation. We simply increment its use counter before unlocking
the reader lock.
Stream sockets have the nice characteristic that we don't care about
zero length writes and they never reach the peer socket's queue. That
said, we can take the UNIXCB.consumed field as the indicator if the
skb was already freed from the socket's receive queue. If the skb was
fully consumed after we locked the reader side again we know it has been
dropped by a second reader. We indicate a short read to user space and
abort the current splice operation.
This bug has been found with syzkaller
(http://github.com/google/syzkaller) by Dmitry Vyukov.
Fixes: 2b514574f7 ("net: af_unix: implement splice for stream af_unix sockets")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Dmitry Vyukov <dvyukov@google.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
poll(POLLOUT) on a listener should not report fd is ready for
a write().
This would break some applications using poll() and pfd.events = -1,
as they would not block in poll()
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Alan Burlison <Alan.Burlison@oracle.com>
Tested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Now send with MSG_PEEK can return data from multiple SKBs.
Unfortunately we take into account the peek offset for each skb,
that is wrong. We need to apply the peek offset only once.
In addition, the peek offset should be used only if MSG_PEEK is set.
Cc: "David S. Miller" <davem@davemloft.net> (maintainer:NETWORKING
Cc: Eric Dumazet <edumazet@google.com> (commit_signer:1/14=7%)
Cc: Aaron Conole <aconole@bytheb.org>
Fixes: 9f389e3567 ("af_unix: return data from multiple SKBs on recv() with MSG_PEEK flag")
Signed-off-by: Andrey Vagin <avagin@openvz.org>
Tested-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
AF_UNIX sockets now return multiple skbs from recv() when MSG_PEEK flag
is set.
This is referenced in kernel bugzilla #12323 @
https://bugzilla.kernel.org/show_bug.cgi?id=12323
As described both in the BZ and lkml thread @
http://lkml.org/lkml/2008/1/8/444 calling recv() with MSG_PEEK on an
AF_UNIX socket only reads a single skb, where the desired effect is
to return as much skb data has been queued, until hitting the recv
buffer size (whichever comes first).
The modified MSG_PEEK path will now move to the next skb in the tree
and jump to the again: label, rather than following the natural loop
structure. This requires duplicating some of the loop head actions.
This was tested using the python socketpair python code attached to
the bugzilla issue.
Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
SCM_SECURITY was originally only implemented for datagram sockets,
not for stream sockets. However, SCM_CREDENTIALS is supported on
Unix stream sockets. For consistency, implement Unix stream support
for SCM_SECURITY as well. Also clean up the existing code and get
rid of the superfluous UNIXSID macro.
Motivated by https://bugzilla.redhat.com/show_bug.cgi?id=1224211,
where systemd was using SCM_CREDENTIALS and assumed wrongly that
SCM_SECURITY was also supported on Unix stream sockets.
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Conflicts:
drivers/net/phy/amd-xgbe-phy.c
drivers/net/wireless/iwlwifi/Kconfig
include/net/mac80211.h
iwlwifi/Kconfig and mac80211.h were both trivial overlapping
changes.
The drivers/net/phy/amd-xgbe-phy.c file got removed in 'net-next' and
the bug fix that happened on the 'net' side is already integrated
into the rest of the amd-xgbe driver.
Signed-off-by: David S. Miller <davem@davemloft.net>
got a rare NULL pointer dereference in clear_bit
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
----
v2: switch to sock_flag(sk, SOCK_DEAD) and added net/caif/caif_socket.c
v3: return -ECONNRESET in upstream caller of wait function for SOCK_DEAD
Signed-off-by: David S. Miller <davem@davemloft.net>
unix_stream_recvmsg is refactored to unix_stream_read_generic in this
patch and enhanced to deal with pipe splicing. The refactoring is
inneglible, we mostly have to deal with a non-existing struct msghdr
argument.
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch implements sendpage support for AF_UNIX SOCK_STREAM
sockets. This is also required for a complete splice implementation.
The implementation is a bit tricky because we append to already existing
skbs and so have to hold unix_sk->readlock to protect the reading side
from either advancing UNIXCB.consumed or freeing the skb at the socket
receive tail.
Signed-off-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
In preparation for changing how struct net is refcounted
on kernel sockets pass the knowledge that we are creating
a kernel socket from sock_create_kern through to sk_alloc.
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull networking fixes from David Miller:
1) mlx4 doesn't check fully for supported valid RSS hash function, fix
from Amir Vadai
2) Off by one in ibmveth_change_mtu(), from David Gibson
3) Prevent altera chip from reporting false error interrupts in some
circumstances, from Chee Nouk Phoon
4) Get rid of that stupid endless loop trying to allocate a FIN packet
in TCP, and in the process kill deadlocks. From Eric Dumazet
5) Fix get_rps_cpus() crash due to wrong invalid-cpu value, also from
Eric Dumazet
6) Fix two bugs in async rhashtable resizing, from Thomas Graf
7) Fix topology server listener socket namespace bug in TIPC, from Ying
Xue
8) Add some missing HAS_DMA kconfig dependencies, from Geert
Uytterhoeven
9) bgmac driver intends to force re-polling but does so by returning
the wrong value from it's ->poll() handler. Fix from Rafał Miłecki
10) When the creater of an rhashtable configures a max size for it,
don't bark in the logs and drop insertions when that is exceeded.
Fix from Johannes Berg
11) Recover from out of order packets in ppp mppe properly, from Sylvain
Rochet
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (41 commits)
bnx2x: really disable TPA if 'disable_tpa' option is set
net:treewide: Fix typo in drivers/net
net/mlx4_en: Prevent setting invalid RSS hash function
mdio-mux-gpio: use new gpiod_get_array and gpiod_put_array functions
netfilter; Add some missing default cases to switch statements in nft_reject.
ppp: mppe: discard late packet in stateless mode
ppp: mppe: sanity error path rework
net/bonding: Make DRV macros private
net: rfs: fix crash in get_rps_cpus()
altera tse: add support for fixed-links.
pxa168: fix double deallocation of managed resources
net: fix crash in build_skb()
net: eth: altera: Resolve false errors from MSGDMA to TSE
ehea: Fix memory hook reference counting crashes
net/tg3: Release IRQs on permanent error
net: mdio-gpio: support access that may sleep
inet: fix possible panic in reqsk_queue_unlink()
rhashtable: don't attempt to grow when at max_size
bgmac: fix requests for extra polling calls from NAPI
tcp: avoid looping in tcp_send_fin()
...
fixed several comment and whitespace style issues
Signed-off-by: Jason Eastman <eastman.jason.linux@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
places where we are dealing with S_ISSOCK file creation/lookups.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
AF_UNIX sockets should call mknod on the top layer only and should not attempt
to modify the lower layer in a layered filesystem such as overlayfs.
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
After TIPC doesn't depend on iocb argument in its internal
implementations of sendmsg() and recvmsg() hooks defined in proto
structure, no any user is using iocb argument in them at all now.
Then we can drop the redundant iocb argument completely from kinds of
implementations of both sendmsg() and recvmsg() in the entire
networking stack.
Cc: Christoph Hellwig <hch@lst.de>
Suggested-by: Al Viro <viro@ZenIV.linux.org.uk>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The sock_iocb structure is allocate on stack for each read/write-like
operation on sockets, and contains various fields of which only the
embedded msghdr and sometimes a pointer to the scm_cookie is ever used.
Get rid of the sock_iocb and put a msghdr directly on the stack and pass
the scm_cookie explicitly to netlink_mmap_sendmsg.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Contrary to common expectations for an "int" return, these functions
return only a positive value -- if used correctly they cannot even
return 0 because the message header will necessarily be in the skb.
This makes the very common pattern of
if (genlmsg_end(...) < 0) { ... }
be a whole bunch of dead code. Many places also simply do
return nlmsg_end(...);
and the caller is expected to deal with it.
This also commonly (at least for me) causes errors, because it is very
common to write
if (my_function(...))
/* error condition */
and if my_function() does "return nlmsg_end()" this is of course wrong.
Additionally, there's not a single place in the kernel that actually
needs the message length returned, and if anyone needs it later then
it'll be very easy to just use skb->len there.
Remove this, and make the functions void. This removes a bunch of dead
code as described above. The patch adds lines because I did
- return nlmsg_end(...);
+ nlmsg_end(...);
+ return 0;
I could have preserved all the function's return values by returning
skb->len, but instead I've audited all the places calling the affected
functions and found that none cared. A few places actually compared
the return value with <= 0 in dump functionality, but that could just
be changed to < 0 with no change in behaviour, so I opted for the more
efficient version.
One instance of the error I've made numerous times now is also present
in net/phonet/pn_netlink.c in the route_dumpit() function - it didn't
check for <0 or <=0 and thus broke out of the loop every single time.
I've preserved this since it will (I think) have caused the messages to
userspace to be formatted differently with just a single message for
every SKB returned to userspace. It's possible that this isn't needed
for the tools that actually use this, but I don't even know what they
are so couldn't test that changing this behaviour would be acceptable.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Note that the code _using_ ->msg_iter at that point will be very
unhappy with anything other than unshifted iovec-backed iov_iter.
We still need to convert users to proper primitives.
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
This encapsulates all of the skb_copy_datagram_iovec() callers
with call argument signature "skb, offset, msghdr->msg_iov, length".
When we move to iov_iters in the networking, the iov_iter object will
sit in the msghdr.
Having a helper like this means there will be less places to touch
during that transformation.
Based upon descriptions and patch from Al Viro.
Signed-off-by: David S. Miller <davem@davemloft.net>
