-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAluitjwACgkQONu9yGCS
aT7iuA/9FDL/m4yOFPh6lFP6b5JnpDoKniJM3R6eg8am9TYaCe0mwJImEy8yP8sH
BOK/LECOJqV8Waw0ANQieJYZj/GsRXk9TOwUwvOCbhNwfu+e2x4/31dRIpxSQaCs
dYROb4ISGd9wyLMKqgh0zqMxKKfb/Ija4oBjfz7xUJYoHFuc8hlfic6HUr8i/J76
kz5LJ5uPWyrBOKzQT15o0bz05LmnKBX8TyhpzzPBf/+eQ1jzh7uvpawcOz03u8iV
6VpNXCbTTUf863nmOxcEfuClI1GnCHstAHTKaEc6u5MUhkJKKqxWDTsO92qhnUne
FXB7/UeVwsGA69Oy4nInJMGI7hHlJ6LR1CBA9SmfjzUvBY9P6nT2vrU6NYg0n3Bd
tP7S69xXQUdkkvDNjphsOuexuResITJ48obg+Lx2ijCAHNosafKyN1It8t/euOAD
xCeTxfLtXMCO+3z+UvOwFnKwgLImt1Bh8fGynjpk7fvIycrm+FP0iZ+2cw4NUiMU
jKtjvQCWbfK64fZ5eIdxo/rKyX7hK3PRMw6r6rEvaW/z6Cm33Dvy+1Rn3fiXJpIS
oEt7knHsoBraHtrUvbPXMc5S0ZNvoNLD3omWm1Ot+NlP3ogIi/ZFwvwUU537FZmL
2g8V16o0IliBOqNr3vkDyInv/5+LDVI22noc3bjEoi/LsoYe4j4=
=2RHb
-----END PGP SIGNATURE-----
Merge 4.4.157 into android-4.4
Changes in 4.4.157
i2c: xiic: Make the start and the byte count write atomic
i2c: i801: fix DNV's SMBCTRL register offset
ALSA: hda - Fix cancel_work_sync() stall from jackpoll work
cfq: Give a chance for arming slice idle timer in case of group_idle
kthread: Fix use-after-free if kthread fork fails
kthread: fix boot hang (regression) on MIPS/OpenRISC
staging: rt5208: Fix a sleep-in-atomic bug in xd_copy_page
staging/rts5208: Fix read overflow in memcpy
block,blkcg: use __GFP_NOWARN for best-effort allocations in blkcg
locking/rwsem-xadd: Fix missed wakeup due to reordering of load
selinux: use GFP_NOWAIT in the AVC kmem_caches
locking/osq_lock: Fix osq_lock queue corruption
ARC: [plat-axs*]: Enable SWAP
misc: mic: SCIF Fix scif_get_new_port() error handling
ethtool: Remove trailing semicolon for static inline
Bluetooth: h5: Fix missing dependency on BT_HCIUART_SERDEV
gpio: tegra: Move driver registration to subsys_init level
scsi: target: fix __transport_register_session locking
md/raid5: fix data corruption of replacements after originals dropped
misc: ti-st: Fix memory leak in the error path of probe()
uio: potential double frees if __uio_register_device() fails
tty: rocket: Fix possible buffer overwrite on register_PCI
f2fs: do not set free of current section
perf tools: Allow overriding MAX_NR_CPUS at compile time
NFSv4.0 fix client reference leak in callback
macintosh/via-pmu: Add missing mmio accessors
ath10k: prevent active scans on potential unusable channels
MIPS: Fix ISA virt/bus conversion for non-zero PHYS_OFFSET
ata: libahci: Correct setting of DEVSLP register
scsi: 3ware: fix return 0 on the error path of probe
ath10k: disable bundle mgmt tx completion event support
Bluetooth: hidp: Fix handling of strncpy for hid->name information
x86/mm: Remove in_nmi() warning from vmalloc_fault()
gpio: ml-ioh: Fix buffer underwrite on probe error path
net: mvneta: fix mtu change on port without link
MIPS: Octeon: add missing of_node_put()
net: dcb: For wild-card lookups, use priority -1, not 0
Input: atmel_mxt_ts - only use first T9 instance
partitions/aix: append null character to print data from disk
partitions/aix: fix usage of uninitialized lv_info and lvname structures
iommu/ipmmu-vmsa: Fix allocation in atomic context
mfd: ti_am335x_tscadc: Fix struct clk memory leak
f2fs: fix to do sanity check with {sit,nat}_ver_bitmap_bytesize
MIPS: WARN_ON invalid DMA cache maintenance, not BUG_ON
RDMA/cma: Do not ignore net namespace for unbound cm_id
xhci: Fix use-after-free in xhci_free_virt_device
vmw_balloon: include asm/io.h
netfilter: x_tables: avoid stack-out-of-bounds read in xt_copy_counters_from_user
drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config
net: ethernet: ti: cpsw: fix mdio device reference leak
ethernet: ti: davinci_emac: add missing of_node_put after calling of_parse_phandle
crypto: vmx - Fix sleep-in-atomic bugs
mtd: ubi: wl: Fix error return code in ubi_wl_init()
autofs: fix autofs_sbi() does not check super block type
x86/speculation/l1tf: Increase l1tf memory limit for Nehalem+
mm: get rid of vmacache_flush_all() entirely
Linux 4.4.157
Change-Id: I30fc9e099e9065aff5e53c648d822c405525bb07
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
[ Upstream commit b3cadaa485f0c20add1644a5c877b0765b285c0c ]
This fixes two issues with setting hid->name information.
CC net/bluetooth/hidp/core.o
In function ‘hidp_setup_hid’,
inlined from ‘hidp_session_dev_init’ at net/bluetooth/hidp/core.c:815:9,
inlined from ‘hidp_session_new’ at net/bluetooth/hidp/core.c:953:8,
inlined from ‘hidp_connection_add’ at net/bluetooth/hidp/core.c:1366:8:
net/bluetooth/hidp/core.c:778:2: warning: ‘strncpy’ output may be truncated copying 127 bytes from a string of length 127 [-Wstringop-truncation]
strncpy(hid->name, req->name, sizeof(req->name) - 1);
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
CC net/bluetooth/hidp/core.o
net/bluetooth/hidp/core.c: In function ‘hidp_setup_hid’:
net/bluetooth/hidp/core.c:778:38: warning: argument to ‘sizeof’ in ‘strncpy’ call is the same expression as the source; did you mean to use the size of the destination? [-Wsizeof-pointer-memaccess]
strncpy(hid->name, req->name, sizeof(req->name));
^
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 7992c18810e568b95c869b227137a2215702a805 upstream.
CVE-2018-9363
The buffer length is unsigned at all layers, but gets cast to int and
checked in hidp_process_report and can lead to a buffer overflow.
Switch len parameter to unsigned int to resolve issue.
This affects 3.18 and newer kernels.
Signed-off-by: Mark Salyzyn <salyzyn@android.com>
Fixes: a4b1b5877b ("HID: Bluetooth: hidp: make sure input buffers are big enough")
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Kees Cook <keescook@chromium.org>
Cc: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Cc: security@kernel.org
Cc: kernel-team@android.com
Acked-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAls7QB8ACgkQONu9yGCS
aT6trQ/9EO1dgc0lZO0zGCxFFiikPzzMp1auSKd99FhSaqlrCPutT5K0gBVc1rug
EvggbqWj2MBX2HZvxQR8LbGNvp7+kkM3apIdYOqyTQPvs7x03YNeuvXZUF3EFyPO
eDZ71nLuwgnEeySceJ+Z9HcVBcWR/0dEkwjhjpIJ2IO25tcecWzbqOOdzNypBIKK
EG4dGhO5JY6jLqxbEFZ9d302bGZQozOQHiDfEZz6NueI0yYVJIjQQvuLp/V0ChDg
TN+PgTOdzxIPCpZw9y4XzN4nhdsOial1xeX7agzAkZDjdbprNpbZrxjfY0NLdpQ0
4ZV3vLqIZ5rs8xuCRgNJ7yTVt6X7miw/h7TQp30qpeDuRf1SHZa4ITqMzdXJUahW
BT+XkjrrCjKxXkCH+rWy0txtouUaVwM+sKHIW0bvrOJwHM0UJXNAUppt4NrBtgtD
7Zt/FDKAHCJk1GuW3U5zXOHmgn+QkRNEndpwbUjwRowvHcE5jVSLLkH4XZkA0+SL
ucQCxOqGKrbHjhyXT+e2Kpx4Z5sqJIUHhc4iw6gi7xyaoJ55kHZ2S+sCwo3cjreq
B43SrwkQ0EJXwHzcrmvDfnvEFf7ylDVWH597lQsIQMNI7Gg04fXixYpvr6DYOBSN
AKHvoqd7VztHnX/ZogyLXp4jWiU5dU6qYXdj/zEs+tB8DYPZ4+c=
=Mli0
-----END PGP SIGNATURE-----
Merge 4.4.139 into android-4.4
Changes in 4.4.139
xfrm6: avoid potential infinite loop in _decode_session6()
netfilter: ebtables: handle string from userspace with care
ipvs: fix buffer overflow with sync daemon and service
atm: zatm: fix memcmp casting
net: qmi_wwan: Add Netgear Aircard 779S
net/sonic: Use dma_mapping_error()
Revert "Btrfs: fix scrub to repair raid6 corruption"
tcp: do not overshoot window_clamp in tcp_rcv_space_adjust()
Btrfs: make raid6 rebuild retry more
usb: musb: fix remote wakeup racing with suspend
bonding: re-evaluate force_primary when the primary slave name changes
tcp: verify the checksum of the first data segment in a new connection
ext4: update mtime in ext4_punch_hole even if no blocks are released
ext4: fix fencepost error in check for inode count overflow during resize
driver core: Don't ignore class_dir_create_and_add() failure.
btrfs: scrub: Don't use inode pages for device replace
ALSA: hda - Handle kzalloc() failure in snd_hda_attach_pcm_stream()
ALSA: hda: add dock and led support for HP EliteBook 830 G5
ALSA: hda: add dock and led support for HP ProBook 640 G4
cpufreq: Fix new policy initialization during limits updates via sysfs
libata: zpodd: make arrays cdb static, reduces object code size
libata: zpodd: small read overflow in eject_tray()
libata: Drop SanDisk SD7UB3Q*G1001 NOLPM quirk
w1: mxc_w1: Enable clock before calling clk_get_rate() on it
fs/binfmt_misc.c: do not allow offset overflow
x86/spectre_v1: Disable compiler optimizations over array_index_mask_nospec()
m68k/mm: Adjust VM area to be unmapped by gap size for __iounmap()
serial: sh-sci: Use spin_{try}lock_irqsave instead of open coding version
signal/xtensa: Consistenly use SIGBUS in do_unaligned_user
usb: do not reset if a low-speed or full-speed device timed out
1wire: family module autoload fails because of upper/lower case mismatch.
ASoC: dapm: delete dapm_kcontrol_data paths list before freeing it
ASoC: cirrus: i2s: Fix LRCLK configuration
ASoC: cirrus: i2s: Fix {TX|RX}LinCtrlData setup
lib/vsprintf: Remove atomic-unsafe support for %pCr
mips: ftrace: fix static function graph tracing
branch-check: fix long->int truncation when profiling branches
ipmi:bt: Set the timeout before doing a capabilities check
Bluetooth: hci_qca: Avoid missing rampatch failure with userspace fw loader
fuse: atomic_o_trunc should truncate pagecache
fuse: don't keep dead fuse_conn at fuse_fill_super().
fuse: fix control dir setup and teardown
powerpc/mm/hash: Add missing isync prior to kernel stack SLB switch
powerpc/ptrace: Fix setting 512B aligned breakpoints with PTRACE_SET_DEBUGREG
powerpc/ptrace: Fix enforcement of DAWR constraints
cpuidle: powernv: Fix promotion from snooze if next state disabled
powerpc/fadump: Unregister fadump on kexec down path.
ARM: 8764/1: kgdb: fix NUMREGBYTES so that gdb_regs[] is the correct size
of: unittest: for strings, account for trailing \0 in property length field
IB/qib: Fix DMA api warning with debug kernel
RDMA/mlx4: Discard unknown SQP work requests
mtd: cfi_cmdset_0002: Change write buffer to check correct value
mtd: cfi_cmdset_0002: Use right chip in do_ppb_xxlock()
mtd: cfi_cmdset_0002: fix SEGV unlocking multiple chips
mtd: cfi_cmdset_0002: Fix unlocking requests crossing a chip boudary
mtd: cfi_cmdset_0002: Avoid walking all chips when unlocking.
MIPS: BCM47XX: Enable 74K Core ExternalSync for PCIe erratum
PCI: pciehp: Clear Presence Detect and Data Link Layer Status Changed on resume
MIPS: io: Add barrier after register read in inX()
time: Make sure jiffies_to_msecs() preserves non-zero time periods
Btrfs: fix clone vs chattr NODATASUM race
iio:buffer: make length types match kfifo types
scsi: qla2xxx: Fix setting lower transfer speed if GPSC fails
scsi: zfcp: fix missing SCSI trace for result of eh_host_reset_handler
scsi: zfcp: fix missing SCSI trace for retry of abort / scsi_eh TMF
scsi: zfcp: fix misleading REC trigger trace where erp_action setup failed
scsi: zfcp: fix missing REC trigger trace on terminate_rport_io early return
scsi: zfcp: fix missing REC trigger trace on terminate_rport_io for ERP_FAILED
scsi: zfcp: fix missing REC trigger trace for all objects in ERP_FAILED
scsi: zfcp: fix missing REC trigger trace on enqueue without ERP thread
linvdimm, pmem: Preserve read-only setting for pmem devices
md: fix two problems with setting the "re-add" device state.
ubi: fastmap: Cancel work upon detach
UBIFS: Fix potential integer overflow in allocation
xfrm: Ignore socket policies when rebuilding hash tables
xfrm: skip policies marked as dead while rehashing
backlight: as3711_bl: Fix Device Tree node lookup
backlight: max8925_bl: Fix Device Tree node lookup
backlight: tps65217_bl: Fix Device Tree node lookup
mfd: intel-lpss: Program REMAP register in PIO mode
perf tools: Fix symbol and object code resolution for vdso32 and vdsox32
perf intel-pt: Fix sync_switch INTEL_PT_SS_NOT_TRACING
perf intel-pt: Fix decoding to accept CBR between FUP and corresponding TIP
perf intel-pt: Fix MTC timing after overflow
perf intel-pt: Fix "Unexpected indirect branch" error
perf intel-pt: Fix packet decoding of CYC packets
media: v4l2-compat-ioctl32: prevent go past max size
media: cx231xx: Add support for AverMedia DVD EZMaker 7
media: dvb_frontend: fix locking issues at dvb_frontend_get_event()
nfsd: restrict rd_maxcount to svc_max_payload in nfsd_encode_readdir
NFSv4: Fix possible 1-byte stack overflow in nfs_idmap_read_and_verify_message
video: uvesafb: Fix integer overflow in allocation
Input: elan_i2c - add ELAN0618 (Lenovo v330 15IKB) ACPI ID
xen: Remove unnecessary BUG_ON from __unbind_from_irq()
udf: Detect incorrect directory size
Input: elan_i2c_smbus - fix more potential stack buffer overflows
Input: elantech - enable middle button of touchpads on ThinkPad P52
Input: elantech - fix V4 report decoding for module with middle key
ALSA: hda/realtek - Add a quirk for FSC ESPRIMO U9210
Btrfs: fix unexpected cow in run_delalloc_nocow
spi: Fix scatterlist elements size in spi_map_buf
block: Fix transfer when chunk sectors exceeds max
dm thin: handle running out of data space vs concurrent discard
cdc_ncm: avoid padding beyond end of skb
Bluetooth: Fix connection if directed advertising and privacy is used
Linux 4.4.139
Change-Id: I93013bedf2ebe3e6a8718972d8854723609963cc
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlrQ7ekACgkQONu9yGCS
aT6Znw//VtAP82BGP/+H6X6gt0rBRIYseEJkHOpKRu5PK+Vpx7mMQFIfBId95P6R
buq1QyzY9yz8ixbByg/w60WA2jK/I9i0tDGBnSlZzNmUvbk01oBN+cc/weZDynF7
rFbSvD3aTmPB4nm9VE+n7V/tgGeuu/bwi04zulAm/B0/zA+w9GZv/aAto3WlLdjF
ogZPSo5y6ifm6Qryq9sTR42LyDBXOy1klRSIK5EXY1OnIvPL1HSYR3ea2yj3AMXB
RPvpCCY8j7zC9yVifX1c+Gfv2tXVHb9kjgheJixP2J4M3fFlR5tjLQXtTP2S2I8G
cuMcdT6MiQw31rMoLcpej66dMtkL3k6sEpzcnSPPNenTuDIolz7BLEyaO/hhgi9J
6vIXAd4Xm9D8HkH3iG/L3GtD3JXpVPtHyli/X1M3hz/VNUSOUPENIjMmGoxfBOtQ
d7c8VGxDjnqmafri3fBAm4c603qW7O1wqJ7vLs9z7vgOIxlOLoJ/uiazoJKgW6O0
z0S/BABWqpAUAI9jgm2GvRDR2keM2mhQIgIrY0+ZpnaLSGe3MugB+GbK6xdBCuYA
anOv9VTEAPlTc8gb+GlusbUVjQyacEDwXoT6f9mELCW8cqpMgh+3TiKFihbYkUTN
ly/DxZH3jpva0dq94Mgjv1u/nlg9ac3zqGeo9buQQFC7MSoZKEM=
=LiZa
-----END PGP SIGNATURE-----
Merge 4.4.128 into android-4.4
Changes in 4.4.128
cfg80211: make RATE_INFO_BW_20 the default
md/raid5: make use of spin_lock_irq over local_irq_disable + spin_lock
rtc: snvs: fix an incorrect check of return value
x86/asm: Don't use RBP as a temporary register in csum_partial_copy_generic()
NFSv4.1: RECLAIM_COMPLETE must handle NFS4ERR_CONN_NOT_BOUND_TO_SESSION
IB/srpt: Fix abort handling
af_key: Fix slab-out-of-bounds in pfkey_compile_policy.
mac80211: bail out from prep_connection() if a reconfig is ongoing
bna: Avoid reading past end of buffer
qlge: Avoid reading past end of buffer
ipmi_ssif: unlock on allocation failure
net: cdc_ncm: Fix TX zero padding
net: ethernet: ti: cpsw: adjust cpsw fifos depth for fullduplex flow control
lockd: fix lockd shutdown race
drivers/misc/vmw_vmci/vmci_queue_pair.c: fix a couple integer overflow tests
pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid()
s390: move _text symbol to address higher than zero
net/mlx4_en: Avoid adding steering rules with invalid ring
NFSv4.1: Work around a Linux server bug...
CIFS: silence lockdep splat in cifs_relock_file()
blk-mq: NVMe 512B/4K+T10 DIF/DIX format returns I/O error on dd with split op
net: qca_spi: Fix alignment issues in rx path
netxen_nic: set rcode to the return status from the call to netxen_issue_cmd
Input: elan_i2c - check if device is there before really probing
Input: elantech - force relative mode on a certain module
KVM: PPC: Book3S PR: Check copy_to/from_user return values
vmxnet3: ensure that adapter is in proper state during force_close
SMB2: Fix share type handling
bus: brcmstb_gisb: Use register offsets with writes too
bus: brcmstb_gisb: correct support for 64-bit address output
PowerCap: Fix an error code in powercap_register_zone()
ARM: dts: imx53-qsrb: Pulldown PMIC IRQ pin
staging: wlan-ng: prism2mgmt.c: fixed a double endian conversion before calling hfa384x_drvr_setconfig16, also fixes relative sparse warning
x86/tsc: Provide 'tsc=unstable' boot parameter
ARM: dts: imx6qdl-wandboard: Fix audio channel swap
ipv6: avoid dad-failures for addresses with NODAD
async_tx: Fix DMA_PREP_FENCE usage in do_async_gen_syndrome()
usb: dwc3: keystone: check return value
btrfs: fix incorrect error return ret being passed to mapping_set_error
ata: libahci: properly propagate return value of platform_get_irq()
neighbour: update neigh timestamps iff update is effective
arp: honour gratuitous ARP _replies_
usb: chipidea: properly handle host or gadget initialization failure
USB: ene_usb6250: fix first command execution
net: x25: fix one potential use-after-free issue
USB: ene_usb6250: fix SCSI residue overwriting
serial: 8250: omap: Disable DMA for console UART
serial: sh-sci: Fix race condition causing garbage during shutdown
sh_eth: Use platform device for printing before register_netdev()
scsi: csiostor: fix use after free in csio_hw_use_fwconfig()
powerpc/mm: Fix virt_addr_valid() etc. on 64-bit hash
ath5k: fix memory leak on buf on failed eeprom read
selftests/powerpc: Fix TM resched DSCR test with some compilers
xfrm: fix state migration copy replay sequence numbers
iio: hi8435: avoid garbage event at first enable
iio: hi8435: cleanup reset gpio
ext4: handle the rest of ext4_mb_load_buddy() ENOMEM errors
md-cluster: fix potential lock issue in add_new_disk
ARM: davinci: da8xx: Create DSP device only when assigned memory
ray_cs: Avoid reading past end of buffer
leds: pca955x: Correct I2C Functionality
sched/numa: Use down_read_trylock() for the mmap_sem
net/mlx5: Tolerate irq_set_affinity_hint() failures
selinux: do not check open permission on sockets
block: fix an error code in add_partition()
mlx5: fix bug reading rss_hash_type from CQE
net: ieee802154: fix net_device reference release too early
libceph: NULL deref on crush_decode() error path
netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
pNFS/flexfiles: missing error code in ff_layout_alloc_lseg()
ASoC: rsnd: SSI PIO adjust to 24bit mode
scsi: bnx2fc: fix race condition in bnx2fc_get_host_stats()
fix race in drivers/char/random.c:get_reg()
ext4: fix off-by-one on max nr_pages in ext4_find_unwritten_pgoff()
tcp: better validation of received ack sequences
net: move somaxconn init from sysctl code
Input: elan_i2c - clear INT before resetting controller
bonding: Don't update slave->link until ready to commit
KVM: nVMX: Fix handling of lmsw instruction
net: llc: add lock_sock in llc_ui_bind to avoid a race condition
ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node
thermal: power_allocator: fix one race condition issue for thermal_instances list
perf probe: Add warning message if there is unexpected event name
l2tp: fix missing print session offset info
rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
hwmon: (ina2xx) Make calibration register value fixed
media: videobuf2-core: don't go out of the buffer range
ASoC: Intel: cht_bsw_rt5645: Analog Mic support
scsi: libiscsi: Allow sd_shutdown on bad transport
scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag.
vfb: fix video mode and line_length being set when loaded
gpio: label descriptors using the device name
ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()'
wl1251: check return from call to wl1251_acx_arp_ip_filter
hdlcdrv: Fix divide by zero in hdlcdrv_ioctl
ovl: filter trusted xattr for non-admin
powerpc/[booke|4xx]: Don't clobber TCR[WP] when setting TCR[DIE]
dmaengine: imx-sdma: Handle return value of clk_prepare_enable
arm64: futex: Fix undefined behaviour with FUTEX_OP_OPARG_SHIFT usage
net/mlx5: avoid build warning for uniprocessor
cxgb4: FW upgrade fixes
rtc: opal: Handle disabled TPO in opal_get_tpo_time()
rtc: interface: Validate alarm-time before handling rollover
SUNRPC: ensure correct error is reported by xs_tcp_setup_socket()
net: freescale: fix potential null pointer dereference
KVM: SVM: do not zero out segment attributes if segment is unusable or not present
clk: scpi: fix return type of __scpi_dvfs_round_rate
clk: Fix __set_clk_rates error print-string
powerpc/spufs: Fix coredump of SPU contexts
perf trace: Add mmap alias for s390
qlcnic: Fix a sleep-in-atomic bug in qlcnic_82xx_hw_write_wx_2M and qlcnic_82xx_hw_read_wx_2M
mISDN: Fix a sleep-in-atomic bug
drm/omap: fix tiled buffer stride calculations
cxgb4: fix incorrect cim_la output for T6
Fix serial console on SNI RM400 machines
bio-integrity: Do not allocate integrity context for bio w/o data
skbuff: return -EMSGSIZE in skb_to_sgvec to prevent overflow
sit: reload iphdr in ipip6_rcv
net/mlx4: Fix the check in attaching steering rules
net/mlx4: Check if Granular QoS per VF has been enabled before updating QP qos_vport
perf header: Set proper module name when build-id event found
perf report: Ensure the perf DSO mapping matches what libdw sees
tags: honor COMPILED_SOURCE with apart output directory
e1000e: fix race condition around skb_tstamp_tx()
cx25840: fix unchecked return values
mceusb: sporadic RX truncation corruption fix
net: phy: avoid genphy_aneg_done() for PHYs without clause 22 support
ARM: imx: Add MXC_CPU_IMX6ULL and cpu_is_imx6ull
e1000e: Undo e1000e_pm_freeze if __e1000_shutdown fails
perf/core: Correct event creation with PERF_FORMAT_GROUP
MIPS: mm: fixed mappings: correct initialisation
MIPS: mm: adjust PKMAP location
MIPS: kprobes: flush_insn_slot should flush only if probe initialised
Fix loop device flush before configure v3
net: emac: fix reset timeout with AR8035 phy
perf tests: Decompress kernel module before objdump
skbuff: only inherit relevant tx_flags
xen: avoid type warning in xchg_xen_ulong
bnx2x: Allow vfs to disable txvlan offload
sctp: fix recursive locking warning in sctp_do_peeloff
sparc64: ldc abort during vds iso boot
iio: magnetometer: st_magn_spi: fix spi_device_id table
Bluetooth: Send HCI Set Event Mask Page 2 command only when needed
cpuidle: dt: Add missing 'of_node_put()'
ACPICA: Events: Add runtime stub support for event APIs
ACPICA: Disassembler: Abort on an invalid/unknown AML opcode
s390/dasd: fix hanging safe offline
vxlan: dont migrate permanent fdb entries during learn
bcache: stop writeback thread after detaching
bcache: segregate flash only volume write streams
scsi: libsas: fix memory leak in sas_smp_get_phy_events()
scsi: libsas: fix error when getting phy events
scsi: libsas: initialize sas_phy status according to response of DISCOVER
blk-mq: fix kernel oops in blk_mq_tag_idle()
tty: n_gsm: Allow ADM response in addition to UA for control dlci
EDAC, mv64x60: Fix an error handling path
cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages
perf tools: Fix copyfile_offset update of output offset
ipsec: check return value of skb_to_sgvec always
rxrpc: check return value of skb_to_sgvec always
virtio_net: check return value of skb_to_sgvec always
virtio_net: check return value of skb_to_sgvec in one more location
random: use lockless method of accessing and updating f->reg_idx
futex: Remove requirement for lock_page() in get_futex_key()
Kbuild: provide a __UNIQUE_ID for clang
arp: fix arp_filter on l3slave devices
net: fix possible out-of-bound read in skb_network_protocol()
net/ipv6: Fix route leaking between VRFs
netlink: make sure nladdr has correct size in netlink_connect()
net/sched: fix NULL dereference in the error path of tcf_bpf_init()
pptp: remove a buggy dst release in pptp_connect()
sctp: do not leak kernel memory to user space
sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
sky2: Increase D3 delay to sky2 stops working after suspend
vhost: correctly remove wait queue during poll failure
vlan: also check phy_driver ts_info for vlan's real device
bonding: fix the err path for dev hwaddr sync in bond_enslave
bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
bonding: process the err returned by dev_set_allmulti properly in bond_enslave
net: fool proof dev_valid_name()
ip_tunnel: better validate user provided tunnel names
ipv6: sit: better validate user provided tunnel names
ip6_gre: better validate user provided tunnel names
ip6_tunnel: better validate user provided tunnel names
vti6: better validate user provided tunnel names
r8169: fix setting driver_data after register_netdev
net sched actions: fix dumping which requires several messages to user space
net/ipv6: Increment OUTxxx counters after netfilter hook
ipv6: the entire IPv6 header chain must fit the first fragment
vrf: Fix use after free and double free in vrf_finish_output
Revert "xhci: plat: Register shutdown for xhci_plat"
Linux 4.4.128
Change-Id: I9c1e58f634cc18f15a840c9d192c892dfcc5ff73
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlrJ5kIACgkQONu9yGCS
aT5KzBAAngMB1SWSsr5BFdDMJ+hr8pWpmNiZYOrAUgc+DqTxCqI4DSc1xVroeZf3
HeL2p/hqQfrBeKGsff3a67o3iJi3irCIkZY9wR1x1o7hssPPpvKMfjh2Grde/Heo
TrxdtpZam2yt8A2WHFkbqfdWoo19Rmb4L7rNcthk4U2Ya+UxiI5oW2E6VNPd0pcM
p+tvneRuh7zZmJffI9IYz6eaSHWXe6txr/5lPf6i4wsWyK5IdWNnGegtXqNkyN5O
OumvKJZTYp6+2YS7ORGrDBtZO2oLnJSCc1XMjQNfc6VkQ94moMFMMSC6o5dWjxJ4
OtRvZ85N+NeetszDp0Koqe4DsXzdiI4O8skVaS3H7AsC9IyG7u89+RBCjYRYgERm
yUclnLiZysU1foCH6jP+fO2Tg0uGdV5Xv1eK9IyHfdxxfMUWeXtKnn3pkD9RgxP0
XdOEaG2cH3AJTvBzsagYQ9woWr/yIluN2BtMDhd7L80JiVZzDatDUJLoeGVZNj3Z
dw3O/vKmZEDAB/rbtiiNZDSpxRtAjuC23yDRzoUuc0s76HfeRK344qrQcChNofsQ
3QYpY+HoSmPbdqvbnP+o3otWS01rY4nOlw3Dd0gFAnYgVPahVDN1I9PUVe47vbKX
vph82ZUrUJpAGm2JmHUTLOZMAEgHRH26gG5lsXsRG+TvFV1bUuA=
=nbr3
-----END PGP SIGNATURE-----
Merge 4.4.127 into android-4.4
Changes in 4.4.127
mtd: jedec_probe: Fix crash in jedec_read_mfr()
ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
ALSA: pcm: potential uninitialized return values
perf/hwbp: Simplify the perf-hwbp code, fix documentation
partitions/msdos: Unable to mount UFS 44bsd partitions
usb: gadget: define free_ep_req as universal function
usb: gadget: change len to size_t on alloc_ep_req()
usb: gadget: fix usb_ep_align_maybe endianness and new usb_ep_align
usb: gadget: align buffer size when allocating for OUT endpoint
usb: gadget: f_hid: fix: Prevent accessing released memory
kprobes/x86: Fix to set RWX bits correctly before releasing trampoline
ACPI, PCI, irq: remove redundant check for null string pointer
writeback: fix the wrong congested state variable definition
PCI: Make PCI_ROM_ADDRESS_MASK a 32-bit constant
dm ioctl: remove double parentheses
Input: mousedev - fix implicit conversion warning
netfilter: nf_nat_h323: fix logical-not-parentheses warning
genirq: Use cpumask_available() for check of cpumask variable
cpumask: Add helper cpumask_available()
selinux: Remove unnecessary check of array base in selinux_set_mapping()
fs: compat: Remove warning from COMPATIBLE_IOCTL
jiffies.h: declare jiffies and jiffies_64 with ____cacheline_aligned_in_smp
frv: declare jiffies to be located in the .data section
audit: add tty field to LOGIN event
tty: provide tty_name() even without CONFIG_TTY
netfilter: ctnetlink: Make some parameters integer to avoid enum mismatch
selinux: Remove redundant check for unknown labeling behavior
arm64: avoid overflow in VA_START and PAGE_OFFSET
xfrm_user: uncoditionally validate esn replay attribute struct
RDMA/ucma: Check AF family prior resolving address
RDMA/ucma: Fix use-after-free access in ucma_close
RDMA/ucma: Ensure that CM_ID exists prior to access it
RDMA/ucma: Check that device is connected prior to access it
RDMA/ucma: Check that device exists prior to accessing it
RDMA/ucma: Don't allow join attempts for unsupported AF family
RDMA/ucma: Introduce safer rdma_addr_size() variants
net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()
xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
netfilter: bridge: ebt_among: add more missing match size checks
netfilter: x_tables: add and use xt_check_proc_name
Bluetooth: Fix missing encryption refresh on Security Request
llist: clang: introduce member_address_is_nonnull()
scsi: virtio_scsi: always read VPD pages for multiqueue too
usb: dwc2: Improve gadget state disconnection handling
USB: serial: ftdi_sio: add RT Systems VX-8 cable
USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator
USB: serial: cp210x: add ELDAT Easywave RX09 id
mei: remove dev_err message on an unsupported ioctl
media: usbtv: prevent double free in error case
parport_pc: Add support for WCH CH382L PCI-E single parallel port card.
crypto: ahash - Fix early termination in hash walk
crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one
fs/proc: Stop trying to report thread stacks
staging: comedi: ni_mio_common: ack ai fifo error interrupts.
Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list
Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad
vt: change SGR 21 to follow the standards
Documentation: pinctrl: palmas: Add ti,palmas-powerhold-override property definition
ARM: dts: dra7: Add power hold and power controller properties to palmas
ARM: dts: am57xx-beagle-x15-common: Add overide powerhold property
md/raid10: reset the 'first' at the end of loop
net: hns: Fix ethtool private flags
nospec: Move array_index_nospec() parameter checking into separate macro
nospec: Kill array_index_nospec_mask_check()
Revert "PCI/MSI: Stop disabling MSI/MSI-X in pci_device_shutdown()"
Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin"
Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin"
Revert "cpufreq: Fix governor module removal race"
Revert "mtip32xx: use runtime tag to initialize command header"
spi: davinci: fix up dma_mapping_error() incorrect patch
net: cavium: liquidio: fix up "Avoid dma_unmap_single on uninitialized ndata"
Revert "ip6_vti: adjust vti mtu according to mtu of lower device"
Linux 4.4.127
Change-Id: Ia3b9ed0a5b2ea6c682386dbee5337ed8413d1a53
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlpfCtUACgkQONu9yGCS
aT6ZvBAAqxRZ9H5LCEVboN5KE4cvTDS7pYhJPk518ZxnSJslwUl7SZ+AOzxivV9w
YouBOEHbufSmbVJgPgsxuhlFsw+TMOYATUBVWIBrWjuD+nD+ooba0j5nb4FW2SOc
XTWv5X8t+Ho19uWcq7w9W+3Ang5f8ySNZUZIG4F/HTeRGU3//J29wfEP2nM9cVOJ
ZsOze9aK88KbLwgJRr2uCa/eyARvUeqOFomIlUhLNHgtU8xfEEKVX72r68RJ/bbU
xhoceKJHXLDnA29ZFG6hEi/EIgG6Zr9Iwp/QBe2JtcGtpXCNTR1f+VuW//rcqzka
OBXctQlObRuZ361jl+WcWg3aycK8DgSJPgC1+QTEcOULa64smu3n//ICqdPNHWSS
MIG1iVH5zKhtRyDkVZKnk66jqi04GWZ370FpmUvrmaOLFftSM7FHk/U4GDR5eOFJ
8vxARTrUF4ls2weLBwNiR7zFLiI7iaN8LYmGnjLeBvgVy4u8zZgqfrhwDrMX7dh6
mEAjNNufLTrsGo7O8tNhwI3KIn7s4gJp5u3c28I0LmB+G3OH+jIopy0o/NXXjAkm
5gYGsf5mkf0I2SbDT/wkRSAFwuhCfgWKfQiTZmdukLuRo5VaL+SP148hZBcTol0z
Jsqpy8SeAkWkPcegoMUwGQLRVU3QM1NL0NpT1TAT1Ng4lw5igxU=
=7usw
-----END PGP SIGNATURE-----
Merge 4.4.112 into android-4.4
Changes in 4.4.112
dm bufio: fix shrinker scans when (nr_to_scan < retain_target)
KVM: Fix stack-out-of-bounds read in write_mmio
can: gs_usb: fix return value of the "set_bittiming" callback
IB/srpt: Disable RDMA access by the initiator
MIPS: Validate PR_SET_FP_MODE prctl(2) requests against the ABI of the task
MIPS: Factor out NT_PRFPREG regset access helpers
MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
MIPS: Consistently handle buffer counter with PTRACE_SETREGSET
MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET
MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
net/mac80211/debugfs.c: prevent build failure with CONFIG_UBSAN=y
kvm: vmx: Scrub hardware GPRs at VM-exit
x86/vsdo: Fix build on PARAVIRT_CLOCK=y, KVM_GUEST=n
x86/acpi: Handle SCI interrupts above legacy space gracefully
iommu/arm-smmu-v3: Don't free page table ops twice
ALSA: pcm: Remove incorrect snd_BUG_ON() usages
ALSA: pcm: Add missing error checks in OSS emulation plugin builder
ALSA: pcm: Abort properly at pending signal in OSS read/write loops
ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
ALSA: aloop: Release cable upon open error path
ALSA: aloop: Fix inconsistent format due to incomplete rule
ALSA: aloop: Fix racy hw constraints adjustment
x86/acpi: Reduce code duplication in mp_override_legacy_irq()
mm/compaction: fix invalid free_pfn and compact_cached_free_pfn
mm/compaction: pass only pageblock aligned range to pageblock_pfn_to_page
mm/page-writeback: fix dirty_ratelimit calculation
mm/zswap: use workqueue to destroy pool
zswap: don't param_set_charp while holding spinlock
locks: don't check for race with close when setting OFD lock
futex: Replace barrier() in unqueue_me() with READ_ONCE()
locking/mutex: Allow next waiter lockless wakeup
usbvision fix overflow of interfaces array
usb: musb: ux500: Fix NULL pointer dereference at system PM
r8152: fix the wake event
r8152: use test_and_clear_bit
r8152: adjust ALDPS function
lan78xx: use skb_cow_head() to deal with cloned skbs
sr9700: use skb_cow_head() to deal with cloned skbs
smsc75xx: use skb_cow_head() to deal with cloned skbs
cx82310_eth: use skb_cow_head() to deal with cloned skbs
x86/mm/pat, /dev/mem: Remove superfluous error message
hwrng: core - sleep interruptible in read
sysrq: Fix warning in sysrq generated crash.
xhci: Fix ring leak in failure path of xhci_alloc_virt_device()
Revert "userfaultfd: selftest: vm: allow to build in vm/ directory"
x86/pti/efi: broken conversion from efi to kernel page table
8021q: fix a memory leak for VLAN 0 device
ip6_tunnel: disable dst caching if tunnel is dual-stack
net: core: fix module type in sock_diag_bind
RDS: Heap OOB write in rds_message_alloc_sgs()
RDS: null pointer dereference in rds_atomic_free_op
sh_eth: fix TSU resource handling
sh_eth: fix SH7757 GEther initialization
net: stmmac: enable EEE in MII, GMII or RGMII only
ipv6: fix possible mem leaks in ipv6_make_skb()
crypto: algapi - fix NULL dereference in crypto_remove_spawns()
rbd: set max_segments to USHRT_MAX
x86/microcode/intel: Extend BDW late-loading with a revision check
KVM: x86: Add memory barrier on vmcs field lookup
drm/vmwgfx: Potential off by one in vmw_view_add()
kaiser: Set _PAGE_NX only if supported
bpf: add bpf_patch_insn_single helper
bpf: don't (ab)use instructions to store state
bpf: move fixup_bpf_calls() function
bpf: refactor fixup_bpf_calls()
bpf: adjust insn_aux_data when patching insns
bpf: prevent out-of-bounds speculation
bpf, array: fix overflow in max_entries and undefined behavior in index_mask
iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
USB: serial: cp210x: add new device ID ELV ALC 8xxx
usb: misc: usb3503: make sure reset is low for at least 100us
USB: fix usbmon BUG trigger
usbip: remove kernel addresses from usb device and urb debug msgs
staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
Bluetooth: Prevent stack info leak from the EFS element.
uas: ignore UAS for Norelsys NS1068(X) chips
e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
x86/Documentation: Add PTI description
x86/cpu: Factor out application of forced CPU caps
x86/cpufeatures: Make CPU bugs sticky
x86/cpufeatures: Add X86_BUG_CPU_INSECURE
x86/pti: Rename BUG_CPU_INSECURE to BUG_CPU_MELTDOWN
x86/cpufeatures: Add X86_BUG_SPECTRE_V[12]
x86/cpu: Merge bugs.c and bugs_64.c
sysfs/cpu: Add vulnerability folder
x86/cpu: Implement CPU vulnerabilites sysfs functions
sysfs/cpu: Fix typos in vulnerability documentation
x86/alternatives: Fix optimize_nops() checking
x86/alternatives: Add missing '\n' at end of ALTERNATIVE inline asm
selftests/x86: Add test_vsyscall
Linux 4.4.112
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 06e7e776ca4d36547e503279aeff996cbb292c16 upstream.
In the function l2cap_parse_conf_rsp and in the function
l2cap_parse_conf_req the following variable is declared without
initialization:
struct l2cap_conf_efs efs;
In addition, when parsing input configuration parameters in both of
these functions, the switch case for handling EFS elements may skip the
memcpy call that will write to the efs variable:
...
case L2CAP_CONF_EFS:
if (olen == sizeof(efs))
memcpy(&efs, (void *)val, olen);
...
The olen in the above if is attacker controlled, and regardless of that
if, in both of these functions the efs variable would eventually be
added to the outgoing configuration request that is being built:
l2cap_add_conf_opt(&ptr, L2CAP_CONF_EFS, sizeof(efs), (unsigned long) &efs);
So by sending a configuration request, or response, that contains an
L2CAP_CONF_EFS element, but with an element length that is not
sizeof(efs) - the memcpy to the uninitialized efs variable can be
avoided, and the uninitialized variable would be returned to the
attacker (16 bytes).
This issue has been assigned CVE-2017-1000410
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Gustavo Padovan <gustavo@padovan.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlm5nrQACgkQONu9yGCS
aT7YkBAAuOKsiNi1UcZQY7MTr9BYM8hDi6wpLYrOltGlRGyJnlkkP5of0ukpulO6
Cfp3RlLjhJ8a/ZPm+bEudnqISR7GsIyW40QiNOHLCoLUwbz0qImSCBCP1OREg5B8
+KTsJ6UVJ5VXuqFaHAZLFtJlqmZVo9PpH0CPmL8bZylOx56dOZ8f/KkhXexBOZR3
/CCrcCqiRs/bqJ3PAcEGcMcZYKh20SlmdNgj/GxSotvJ+xKFgBaqtHI2e9ftoMWZ
RC1+h0plq7onjz2WMNe+hSbyODITGmJuti3TeJaZGtRpYRHv7S0Yuqs0QTvJCyjV
iUcT0Z5tC2a1xIhiIhABZ9sveVRiop24d7qBdxqZhqLDn/jmCETZpsUaxkHs0Nk2
bKPMT7guopS/e5xxJb0Acl8StPfv/EAogWw5XNeBlwtG1ZxsvHg2/g8jUV6k3yEc
QH+vZUtGRp/aGBmxlTHyiI3gUSUOyqBD+kG8yCq1ySfHWFFT03D6qIsZThh2GB6B
eiq4kHzhXsOI3IL8BjXmAWRa0KJydELMr+ofgQWNkFiIVnNRedS39a8t9Aulnxoc
1T6vz9+laYiHdXkaIxsWNM2WPKzvdJfiEf2MKLyxQ5jWgqh6jSemx5b3BH6z2c9J
0RZMMVNm9BH5JBTiL01/PE6m+e+EaeuB21HgmkzHENWiFlQnphE=
=SSJQ
-----END PGP SIGNATURE-----
Merge 4.4.88 into android-4.4
Changes in 4.4.88
usb: quirks: add delay init quirk for Corsair Strafe RGB keyboard
USB: serial: option: add support for D-Link DWM-157 C1
usb: Add device quirk for Logitech HD Pro Webcam C920-C
usb:xhci:Fix regression when ATI chipsets detected
USB: core: Avoid race of async_completed() w/ usbdev_release()
staging/rts5208: fix incorrect shift to extract upper nybble
driver core: bus: Fix a potential double free
intel_th: pci: Add Cannon Lake PCH-H support
intel_th: pci: Add Cannon Lake PCH-LP support
ath10k: fix memory leak in rx ring buffer allocation
Input: trackpoint - assume 3 buttons when buttons detection fails
rtlwifi: rtl_pci_probe: Fix fail path of _rtl_pci_find_adapter
Bluetooth: Add support of 13d3:3494 RTL8723BE device
dlm: avoid double-free on error path in dlm_device_{register,unregister}
mwifiex: correct channel stat buffer overflows
drm/nouveau/pci/msi: disable MSI on big-endian platforms by default
workqueue: Fix flag collision
cs5536: add support for IDE controller variant
scsi: sg: protect against races between mmap() and SG_SET_RESERVED_SIZE
scsi: sg: recheck MMAP_IO request length with lock held
drm: adv7511: really enable interrupts for EDID detection
drm/bridge: adv7511: Fix mutex deadlock when interrupts are disabled
drm/bridge: adv7511: Use work_struct to defer hotplug handing to out of irq context
drm/bridge: adv7511: Switch to using drm_kms_helper_hotplug_event()
drm/bridge: adv7511: Re-write the i2c address before EDID probing
btrfs: resume qgroup rescan on rw remount
locktorture: Fix potential memory leak with rw lock test
ALSA: msnd: Optimize / harden DSP and MIDI loops
Bluetooth: Properly check L2CAP config option output buffer length
ARM: 8692/1: mm: abort uaccess retries upon fatal signal
NFS: Fix 2 use after free issues in the I/O code
xfs: XFS_IS_REALTIME_INODE() should be false if no rt device present
Linux 4.4.88
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit e860d2c904d1a9f38a24eb44c9f34b8f915a6ea3 upstream.
Validate the output buffer length for L2CAP config requests and responses
to avoid overflowing the stack buffer used for building the option blocks.
Signed-off-by: Ben Seri <ben@armis.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlmmdSUACgkQONu9yGCS
aT4lHg/7BJMLfX+Cu7XVaZgxNFym3gdh6+AnsSvqGqenbjRirCeh+bdK4u6iNM8v
h8rGYyp92rYJ168piFxdsRoAl2u4dZBpczOqhpEkwFDx8tI+/B+icWeILI4SX0N2
QWhim6tTTWy2Thw862M7lh5aJl2GxwJtxi/RXXzHq4u4w0NKPFUb+AfXEmUHDoXB
Q6Hz8mo6dcjsW5gyNsBvsYQwvqHpB935Ok2Juz7dwarHx7CWJ+v2fqk9cIf3Nll8
Ia04sg1HCRTePyWD0yld6jCpL51X2ZMVLa37RZCw/9WEDotFdVQO5NUg2ryCQQzN
hNmoiJ47QLBXbZR2rQn5XEtSfWZtplOnm0tB+UYRvxJxtxJGzGTdwUNFdu4iBG4+
xDSXbchTfyH7x93TxsvSZ+PS1NfFblYX8HETvoI2MO8PrGDdeHBZllVfF32xcK3L
VyU+wA1L3quPk0h3MvaFXwoOW8gUAIUyQZEXGXOWTMFDCz88UeBbvPkRAfkyIeYs
UhN8mlnM5cHhC3pPyQKFJ3kTFdQ6pZ79KLNqhvmordvfXBjTZwPt0zNYOlZKWTQR
49WFvxEGH4B68TVc2D4mHGbciqtb+GoTQx4w3HsmyS6FF3hzPqR0L4UOvhiMaDVe
kumziwhF9C6viis7dRlgXyJ5iydUJIcD5mJydfuPT2XIkG85eiU=
=SWxy
-----END PGP SIGNATURE-----
Merge 4.4.85 into android-4.4
Changes in 4.4.85
af_key: do not use GFP_KERNEL in atomic contexts
dccp: purge write queue in dccp_destroy_sock()
dccp: defer ccid_hc_tx_delete() at dismantle time
ipv4: fix NULL dereference in free_fib_info_rcu()
net_sched/sfq: update hierarchical backlog when drop packet
ipv4: better IP_MAX_MTU enforcement
sctp: fully initialize the IPv6 address in sctp_v6_to_addr()
tipc: fix use-after-free
ipv6: reset fn->rr_ptr when replacing route
ipv6: repair fib6 tree in failure case
tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP
irda: do not leak initialized list.dev to userspace
net: sched: fix NULL pointer dereference when action calls some targets
net_sched: fix order of queue length updates in qdisc_replace()
mei: me: add broxton pci device ids
mei: me: add lewisburg device ids
Input: trackpoint - add new trackpoint firmware ID
Input: elan_i2c - add ELAN0602 ACPI ID to support Lenovo Yoga310
ALSA: core: Fix unexpected error at replacing user TLV
ALSA: hda - Add stereo mic quirk for Lenovo G50-70 (17aa:3978)
ARCv2: PAE40: Explicitly set MSB counterpart of SLC region ops addresses
i2c: designware: Fix system suspend
drm: Release driver tracking before making the object available again
drm/atomic: If the atomic check fails, return its value first
drm: rcar-du: lvds: Fix PLL frequency-related configuration
drm: rcar-du: lvds: Rename PLLEN bit to PLLON
drm: rcar-du: Fix crash in encoder failure error path
drm: rcar-du: Fix display timing controller parameter
drm: rcar-du: Fix H/V sync signal polarity configuration
tracing: Fix freeing of filter in create_filter() when set_str is false
cifs: Fix df output for users with quota limits
cifs: return ENAMETOOLONG for overlong names in cifs_open()/cifs_lookup()
nfsd: Limit end of page list when decoding NFSv4 WRITE
perf/core: Fix group {cpu,task} validation
Bluetooth: hidp: fix possible might sleep error in hidp_session_thread
Bluetooth: cmtp: fix possible might sleep error in cmtp_session
Bluetooth: bnep: fix possible might sleep error in bnep_session
binder: use group leader instead of open thread
binder: Use wake up hint for synchronous transactions.
ANDROID: binder: fix proc->tsk check.
iio: imu: adis16480: Fix acceleration scale factor for adis16480
iio: hid-sensor-trigger: Fix the race with user space powering up sensors
staging: rtl8188eu: add RNX-N150NUB support
ASoC: simple-card: don't fail if sysclk setting is not supported
ASoC: rsnd: disable SRC.out only when stop timing
ASoC: rsnd: avoid pointless loop in rsnd_mod_interrupt()
ASoC: rsnd: Add missing initialization of ADG req_rate
ASoC: rsnd: ssi: 24bit data needs right-aligned settings
ASoC: rsnd: don't call update callback if it was NULL
ntb_transport: fix qp count bug
ntb_transport: fix bug calculating num_qps_mw
ACPI: ioapic: Clear on-stack resource before using it
ACPI / APEI: Add missing synchronize_rcu() on NOTIFY_SCI removal
Linux 4.4.85
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 25717382c1dd0ddced2059053e3ca5088665f7a5 upstream.
It looks like bnep_session has same pattern as the issue reported in
old rfcomm:
while (1) {
set_current_state(TASK_INTERRUPTIBLE);
if (condition)
break;
// may call might_sleep here
schedule();
}
__set_current_state(TASK_RUNNING);
Which fixed at:
dfb2fae Bluetooth: Fix nested sleeps
So let's fix it at the same way, also follow the suggestion of:
https://lwn.net/Articles/628628/
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: AL Yu-Chen Cho <acho@suse.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit f06d977309d09253c744e54e75c5295ecc52b7b4 upstream.
It looks like cmtp_session has same pattern as the issue reported in
old rfcomm:
while (1) {
set_current_state(TASK_INTERRUPTIBLE);
if (condition)
break;
// may call might_sleep here
schedule();
}
__set_current_state(TASK_RUNNING);
Which fixed at:
dfb2fae Bluetooth: Fix nested sleeps
So let's fix it at the same way, also follow the suggestion of:
https://lwn.net/Articles/628628/
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
Reviewed-by: Brian Norris <briannorris@chromium.org>
Reviewed-by: AL Yu-Chen Cho <acho@suse.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 5da8e47d849d3d37b14129f038782a095b9ad049 upstream.
It looks like hidp_session_thread has same pattern as the issue reported in
old rfcomm:
while (1) {
set_current_state(TASK_INTERRUPTIBLE);
if (condition)
break;
// may call might_sleep here
schedule();
}
__set_current_state(TASK_RUNNING);
Which fixed at:
dfb2fae Bluetooth: Fix nested sleeps
So let's fix it at the same way, also follow the suggestion of:
https://lwn.net/Articles/628628/
Signed-off-by: Jeffy Chen <jeffy.chen@rock-chips.com>
Tested-by: AL Yu-Chen Cho <acho@suse.com>
Tested-by: Rohit Vaswani <rvaswani@nvidia.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAll6Y+kACgkQONu9yGCS
aT6XSA//fPel+8RFTgJhnfVqd66wCfmzquoHrYSCsQbP0FjSnzbn420pwuDJRRO4
CJZeJwl2Rl11X6cv09kQyoOfZD2yEBSKGkwg0XuDpAIUti5rr5NSROkOfVOuz5lK
YCMbc7ezNYBSQAo9ucKqcC3+7CIy29vodku77zs/ZJd9ZnrEoJrRPs3lbXuNIaRi
YJAqaS1yxRMDgBz6NCkraQC+HwzEdejac7ivRe9xD0fuC/NwvPCgVILDrte7Ce7V
/L4DPCp4V12QOCxniQS05S/HWQPPKpznm+rN0uw2+7wDLmVNHFA6UED5T3nz0vNb
JH6KY23Z49+24CIGIFxTG8DMn5JOgzzEO72+jIxeSB4HuxiUIvSsj11DjQ/P/iQb
XWBw2oyo5Vepzolnw+I6yQ9ggALjwLuLQMt6gBQ4o9qLbXMhLn7BOcfYlDHUlY8K
ZcYIXTK+6CgxZ4Lca6kZCR6r/SptM9USQ3rjO6EZv1deET0QmkyoSSPRHEZ3J3/a
VUXWPg7rTyShB+8cLUviI5wOwiGVvVwnQe/Ra/kW3IzyQD6NZ5XA2+mQSBLNY+cq
i9uX79UoZU6EZFBZBJkIHNM+doLbrnm/U1lIApj7n++3tPeaz4/v+YVyZTml9Zvj
paBTDmwTaC00Ub8W5xtQiXFWAw1S5jQG0g0nrUUSmFd5NcyWSpM=
=C1VH
-----END PGP SIGNATURE-----
Merge 4.4.79 into android-4.4
Changes in 4.4.79
disable new gcc-7.1.1 warnings for now
ir-core: fix gcc-7 warning on bool arithmetic
s5p-jpeg: don't return a random width/height
thermal: cpu_cooling: Avoid accessing potentially freed structures
ath9k: fix tx99 use after free
ath9k: fix tx99 bus error
NFC: fix broken device allocation
NFC: nfcmrvl_uart: add missing tty-device sanity check
NFC: nfcmrvl: do not use device-managed resources
NFC: nfcmrvl: use nfc-device for firmware download
NFC: nfcmrvl: fix firmware-management initialisation
nfc: Ensure presence of required attributes in the activate_target handler
nfc: Fix the sockaddr length sanitization in llcp_sock_connect
NFC: Add sockaddr length checks before accessing sa_family in bind handlers
perf intel-pt: Move decoder error setting into one condition
perf intel-pt: Improve sample timestamp
perf intel-pt: Fix missing stack clear
perf intel-pt: Ensure IP is zero when state is INTEL_PT_STATE_NO_IP
perf intel-pt: Clear FUP flag on error
Bluetooth: use constant time memory comparison for secret values
wlcore: fix 64K page support
ASoC: compress: Derive substream from stream based on direction
PM / Domains: Fix unsafe iteration over modified list of device links
PM / Domains: Fix unsafe iteration over modified list of domain providers
scsi: ses: do not add a device to an enclosure if enclosure_add_links() fails.
iscsi-target: Add login_keys_workaround attribute for non RFC initiators
powerpc/64: Fix atomic64_inc_not_zero() to return an int
powerpc: Fix emulation of mcrf in emulate_step()
powerpc: Fix emulation of mfocrf in emulate_step()
powerpc/asm: Mark cr0 as clobbered in mftb()
af_key: Fix sadb_x_ipsecrequest parsing
PCI/PM: Restore the status of PCI devices across hibernation
ipvs: SNAT packet replies only for NATed connections
xhci: fix 20000ms port resume timeout
xhci: Fix NULL pointer dereference when cleaning up streams for removed host
usb: storage: return on error to avoid a null pointer dereference
USB: cdc-acm: add device-id for quirky printer
usb: renesas_usbhs: fix usbhsc_resume() for !USBHSF_RUNTIME_PWCTRL
usb: renesas_usbhs: gadget: disable all eps when the driver stops
md: don't use flush_signals in userspace processes
x86/xen: allow userspace access during hypercalls
cx88: Fix regression in initial video standard setting
Raid5 should update rdev->sectors after reshape
s390/syscalls: Fix out of bounds arguments access
drm/amd/amdgpu: Return error if initiating read out of range on vram
drm/radeon/ci: disable mclk switching for high refresh rates (v2)
drm/radeon: Fix eDP for single-display iMac10,1 (v2)
ipmi: use rcu lock around call to intf->handlers->sender()
ipmi:ssif: Add missing unlock in error branch
f2fs: Don't clear SGID when inheriting ACLs
vfio: Fix group release deadlock
vfio: New external user group/file match
ftrace: Fix uninitialized variable in match_records()
MIPS: Fix mips_atomic_set() retry condition
MIPS: Fix mips_atomic_set() with EVA
MIPS: Negate error syscall return in trace
x86/acpi: Prevent out of bound access caused by broken ACPI tables
x86/ioapic: Pass the correct data to unmask_ioapic_irq()
MIPS: Fix MIPS I ISA /proc/cpuinfo reporting
MIPS: Save static registers before sysmips
MIPS: Actually decode JALX in `__compute_return_epc_for_insn'
MIPS: Fix unaligned PC interpretation in `compute_return_epc'
MIPS: math-emu: Prevent wrong ISA mode instruction emulation
MIPS: Send SIGILL for BPOSGE32 in `__compute_return_epc_for_insn'
MIPS: Rename `sigill_r6' to `sigill_r2r6' in `__compute_return_epc_for_insn'
MIPS: Send SIGILL for linked branches in `__compute_return_epc_for_insn'
MIPS: Fix a typo: s/preset/present/ in r2-to-r6 emulation error message
Input: i8042 - fix crash at boot time
NFS: only invalidate dentrys that are clearly invalid.
udf: Fix deadlock between writeback and udf_setsize()
target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce
perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target
Revert "perf/core: Drop kernel samples even though :u is specified"
staging: rtl8188eu: add TL-WN722N v2 support
ceph: fix race in concurrent readdir
RDMA/core: Initialize port_num in qp_attr
drm/mst: Fix error handling during MST sideband message reception
drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req()
drm/mst: Avoid processing partially received up/down message transactions
of: device: Export of_device_{get_modalias, uvent_modalias} to modules
spmi: Include OF based modalias in device uevent
tracing: Fix kmemleak in instance_rmdir
alarmtimer: don't rate limit one-shot timers
Linux 4.4.79
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit 329d82309824ff1082dc4a91a5bbed8c3bec1580 upstream.
This file is filled with complex cryptography. Thus, the comparisons of
MACs and secret keys and curve points and so forth should not add timing
attacks, which could either result in a direct forgery, or, given the
complexity, some other type of attack.
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlkgNjAACgkQONu9yGCS
aT5BNhAAvs5FwuKjmq+KLXs2ofB7REnq1xBjcm8Y7gnFo+7+slrgOyrGH4fpWArP
55pU9YelY/DZzSjZ/hYkp/fI/TCZskgV+T/IIRhPlpAHIDRCnFfVqNpY6Oijo1jw
ZcuggPUjo6OqV3yB6FRm8OKnaux4bZBi63TGom+0UpGEEzTW0LfwA8mK2yAmlgWm
huVPuHRxBSHjxaie2s/8wwmbFfJZ+MwtaRFDNFiPayVuRb2zZBfDVUVEoVNlkGNL
wfnTJ4UpjyBkMiOEoNao7DtmlLttuysAZ4LKqL2VsfcDZ7RzuwZ7okM1rxW1W7F8
TTHKz9NXfqNEPTYhHHfwnHGhpzuZEYqeXRzCoddfQMuDdTkdbpscLd4gobosQJR7
NL25MKL4wcI/7366qnq0Fa0J4pmNDd6LO1knOz4OR7sNFJ4C1TUVmzUryJuSA3UO
8OGJ0qMJzJHUgoNByHdrs9cbxiQmTRcACA9MnizBPtz+ciiyvUUfY4dTEnlQIFOl
PZhtux5wC/UdhZjfUzwBt2fD/kUHg4OHdPoEWVp0E0U/H7SbSllyeX+qKFZomfzm
UUqSU823sGe/VQtoiLtH9fSqUmfARmU64pthgOuvGk8qBLyl6mkGApj+XtkBcozG
lNE0AgWs+NnZyEPfMJIAyxxyko5Dy9I4TpX9/fjCWkQH7NrHqwM=
=eKGw
-----END PGP SIGNATURE-----
Merge 4.4.69 into android-4.4
Changes in 4.4.69
xen: adjust early dom0 p2m handling to xen hypervisor behavior
target: Fix compare_and_write_callback handling for non GOOD status
target/fileio: Fix zero-length READ and WRITE handling
target: Convert ACL change queue_depth se_session reference usage
iscsi-target: Set session_fall_back_to_erl0 when forcing reinstatement
usb: host: xhci: print correct command ring address
USB: serial: ftdi_sio: add device ID for Microsemi/Arrow SF2PLUS Dev Kit
USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously
staging: vt6656: use off stack for in buffer USB transfers.
staging: vt6656: use off stack for out buffer USB transfers.
staging: gdm724x: gdm_mux: fix use-after-free on module unload
staging: comedi: jr3_pci: fix possible null pointer dereference
staging: comedi: jr3_pci: cope with jiffies wraparound
usb: misc: add missing continue in switch
usb: Make sure usb/phy/of gets built-in
usb: hub: Fix error loop seen after hub communication errors
usb: hub: Do not attempt to autosuspend disconnected devices
x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup
selftests/x86/ldt_gdt_32: Work around a glibc sigaction() bug
x86, pmem: Fix cache flushing for iovec write < 8 bytes
um: Fix PTRACE_POKEUSER on x86_64
KVM: x86: fix user triggerable warning in kvm_apic_accept_events()
KVM: arm/arm64: fix races in kvm_psci_vcpu_on
block: fix blk_integrity_register to use template's interval_exp if not 0
crypto: algif_aead - Require setkey before accept(2)
dm era: save spacemap metadata root after the pre-commit
vfio/type1: Remove locked page accounting workqueue
IB/core: Fix sysfs registration error flow
IB/IPoIB: ibX: failed to create mcg debug file
IB/mlx4: Fix ib device initialization error flow
IB/mlx4: Reduce SRIOV multicast cleanup warning message to debug level
ext4: evict inline data when writing to memory map
fs/xattr.c: zero out memory copied to userspace in getxattr
ceph: fix memory leak in __ceph_setxattr()
fs/block_dev: always invalidate cleancache in invalidate_bdev()
Set unicode flag on cifs echo request to avoid Mac error
SMB3: Work around mount failure when using SMB3 dialect to Macs
CIFS: fix mapping of SFM_SPACE and SFM_PERIOD
cifs: fix CIFS_IOC_GET_MNT_INFO oops
CIFS: add misssing SFM mapping for doublequote
padata: free correct variable
arm64: KVM: Fix decoding of Rt/Rt2 when trapping AArch32 CP accesses
serial: samsung: Use right device for DMA-mapping calls
serial: omap: fix runtime-pm handling on unbind
serial: omap: suspend device on probe errors
tty: pty: Fix ldisc flush after userspace become aware of the data already
Bluetooth: Fix user channel for 32bit userspace on 64bit kernel
Bluetooth: hci_bcm: add missing tty-device sanity check
Bluetooth: hci_intel: add missing tty-device sanity check
mac80211: pass RX aggregation window size to driver
mac80211: pass block ack session timeout to to driver
mac80211: RX BA support for sta max_rx_aggregation_subframes
wlcore: Pass win_size taken from ieee80211_sta to FW
wlcore: Add RX_BA_WIN_SIZE_CHANGE_EVENT event
ipmi: Fix kernel panic at ipmi_ssif_thread()
Linux 4.4.69
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
commit ab89f0bdd63a3721f7cd3f064f39fc4ac7ca14d4 upstream.
Running 32bit userspace on 64bit kernel results in MSG_CMSG_COMPAT being
defined as 0x80000000. This results in sendmsg failure if used from 32bit
userspace running on 64bit kernel. Fix this by accounting for MSG_CMSG_COMPAT
in flags check in hci_sock_sendmsg.
Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
Signed-off-by: Marko Kiiskila <marko@runtime.io>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 23bc6ab0a0912146fd674a0becc758c3162baabc upstream.
When we retrieve imtu value from userspace we should use 16 bit pointer
cast instead of 32 as it's defined that way in headers. Fixes setsockopt
calls on big-endian platforms.
Signed-off-by: Amadeusz Sławiński <amadeusz.slawinski@tieto.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 6a0e78072c2ae7b20b14e0249d8108441ea928d2 upstream.
The Add Advertising command handler does the appropriate checks for
the AD and Scan Response data, however fails to take into account the
general length of the mgmt command itself, which could lead to
potential buffer overflows. This patch adds the necessary check that
the mgmt command length is consistent with the given ad and scan_rsp
lengths.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 87f5fedb3bebbbb566f847dd0c567fcea49a36a6 upstream.
This patch fixes incorrect handling of the 6lowpan packets that contain
uncompressed IPv6 header.
RFC4944 specifies a special dispatch for 6lowpan to carry uncompressed
IPv6 header. This dispatch (1 byte long) has to be removed during
reception and skb data pointer has to be moved. To correctly point in
the beginning of the IPv6 header the dispatch byte has to be pulled off
before packet can be processed by netif_rx_in().
Test scenario: IPv6 packets are not correctly interpreted by the network
layer when IPv6 header is not compressed (e.g. ICMPv6 Echo Reply is not
propagated correctly to the ICMPv6 layer because the extra byte will make
the header look corrupted).
Similar approach is done for IEEE 802.15.4.
Signed-off-by: Lukasz Duda <lukasz.duda@nordicsemi.no>
Signed-off-by: Glenn Ruben Bakke <glenn.ruben.bakke@nordicsemi.no>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 4c58f3282e3de43d34f8955f8eca676294380bf9 upstream.
The fixes provided in this patch assigns a valid net_device structure to
skb before dispatching it for further processing.
Scenario #1:
============
Bluetooth 6lowpan receives an uncompressed IPv6 header, and dispatches it
to netif. The following error occurs:
Null pointer dereference error #1 crash log:
[ 845.854013] BUG: unable to handle kernel NULL pointer dereference at
0000000000000048
[ 845.855785] IP: [<ffffffff816e3d36>] enqueue_to_backlog+0x56/0x240
...
[ 845.909459] Call Trace:
[ 845.911678] [<ffffffff816e3f64>] netif_rx_internal+0x44/0xf0
The first modification fixes the NULL pointer dereference error by
assigning dev to the local_skb in order to set a valid net_device before
processing the skb by netif_rx_ni().
Scenario #2:
============
Bluetooth 6lowpan receives an UDP compressed message which needs further
decompression by nhc_udp. The following error occurs:
Null pointer dereference error #2 crash log:
[ 63.295149] BUG: unable to handle kernel NULL pointer dereference at
0000000000000840
[ 63.295931] IP: [<ffffffffc0559540>] udp_uncompress+0x320/0x626
[nhc_udp]
The second modification fixes the NULL pointer dereference error by
assigning dev to the local_skb in the case of a udp compressed packet.
The 6lowpan udp_uncompress function expects that the net_device is set in
the skb when checking lltype.
Signed-off-by: Glenn Ruben Bakke <glenn.ruben.bakke@nordicsemi.no>
Signed-off-by: Lukasz Duda <lukasz.duda@nordicsemi.no>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit cff10ce7b4f02718ffd25e3914e60559f5ef6ca0 upstream.
The commit cad20c2780 was supposed to
fix handling of devices first using public addresses and then
switching to RPAs after pairing. Unfortunately it missed a couple of
key places in the code.
1. When evaluating which devices should be removed from the existing
white list we also need to consider whether we have an IRK for them or
not, i.e. a call to hci_find_irk_by_addr() is needed.
2. In smp_notify_keys() we should not be requiring the knowledge of
the RPA, but should simply keep the IRK around if the other conditions
require it.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit 2f99536a5b34d5b0f54723067d68f6cef3f0fdc6 upstream.
All LE connections are now triggered through a preceding passive scan
and waiting for a connectable advertising report. This means we've got
the best possible guarantee that the device is within range and should
be able to request the controller to perform continuous scanning. This
way we minimize the risk that we miss out on any advertising packets.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
With CONFIG_ANDROID_PARANOID_NETWORK, require specific uids/gids to instantiate
network sockets.
Signed-off-by: Robert Love <rlove@google.com>
paranoid networking: Use in_egroup_p() to check group membership
The previous group_search() caused trouble for partners with module builds.
in_egroup_p() is also cleaner.
Signed-off-by: Nick Pelly <npelly@google.com>
Fix 2.6.29 build.
Signed-off-by: Arve Hjønnevåg <arve@android.com>
net: Fix compilation of the IPv6 module
Fix compilation of the IPv6 module -- current->euid does not exist anymore,
current_euid() is what needs to be used.
Signed-off-by: Steinar H. Gunderson <sesse@google.com>
net: bluetooth: Remove the AID_NET_BT* gid numbers
Removed bluetooth checks for AID_NET_BT and AID_NET_BT_ADMIN
which are not useful anymore.
This is in preparation for getting rid of all the AID_* gids.
Signed-off-by: JP Abgrall <jpa@google.com>
Johan Hedberg says:
====================
pull request: bluetooth 2015-12-01
Here's a Bluetooth fix for the 4.4-rc series that fixes a memory leak of
the Security Manager L2CAP channel that'll happen for every LE
connection.
Please let me know if there are any issues pulling. Thanks.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This patch is a cleanup to make following patch easier to
review.
Goal is to move SOCK_ASYNC_NOSPACE and SOCK_ASYNC_WAITDATA
from (struct socket)->flags to a (struct socket_wq)->flags
to benefit from RCU protection in sock_wake_async()
To ease backports, we rename both constants.
Two new helpers, sk_set_bit(int nr, struct sock *sk)
and sk_clear_bit(int net, struct sock *sk) are added so that
following patch can change their implementation.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The L2CAP core expects channel implementations to manage the reference
returned by the new_connection callback. With sockets this is already
handled with each channel being tied to the corresponding socket. With
SMP however there's no context to tie the pointer to in the
smp_new_conn_cb function. The function can also not just drop the
reference since it's the only one at that point.
For fixed channels (like SMP) the code path inside the L2CAP core from
new_connection() to ready() is short and straight-forwards. The
crucial difference is that in ready() the implementation has access to
the l2cap_conn that SMP needs associate its l2cap_chan. Instead of
taking a new reference in smp_ready_cb() we can simply assume to
already own the reference created in smp_new_conn_cb(), i.e. there is
no need to call l2cap_chan_hold().
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org # 3.19+
When receiving a connect response we should make sure that the DCID is
within the valid range and that we don't already have another channel
allocated for the same DCID.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The 'dyn_end' value is also a valid CID so it should be included in
the range of values checked.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The core spec defines specific response codes for situations when the
received CID is incorrect. Add the defines for these and return them
as appropriate from the LE Connect Request handler function.
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
The white list commands might not be implemented if the controller does
not actually support the white list. So check the supported commands
first before issuing these commands. Not supporting the white list is
the same as supporting a white list with zero size.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Jukka reported about the following warning:
"NOHZ: local_softirq_pending 08"
I remember this warning and we had a similar issue when using workqueues
and calling netif_rx. See commit 5ff3fec ("mac802154: fix NOHZ
local_softirq_pending 08 warning").
This warning occurs when calling "netif_rx" inside the wrong context
(non softirq context). The net core api offers "netif_rx_ni" to call
netif_rx inside the correct softirq context.
Reported-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Alexander Aring <alex.aring@gmail.com>
Acked-by: Jukka Rissanen <jukka.rissanen@linux.intel.com>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Lets fix this obvious coding style issues in the SCO module and bring it
in line with the rest of the Bluetooth subsystem.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
There is no point in wrapping hci_sock_dev_event around hci_notify. It
is an empty wrapper which adds no value. So remove it.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
The SKB context buffer for HCI request is really not just for requests,
information in their are preserved for the whole HCI layer. So it makes
more sense to actually rename it into bt_cb()->hci and also call it then
struct hci_ctrl.
In addition that allows moving the decoded opcode for outgoing packets
into that struct. So far it was just consuming valuable space from the
main shared items. And opcode are not valid for L2CAP packets.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
There are two checks that are still using (MSG_OOB) instead of just
MSG_OOB and so lets just fix them.
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Johan Hedberg <johan.hedberg@intel.com>
Greg Kroah-Hartman
Marcel Holtmann
Sudip Mukherjee
Mark Salyzyn
Szymon Janc
Ben Seri
Jeffy Chen
Jason A. Donenfeld
Dmitry Shmidt
Amadeusz Sławiński
Johan Hedberg
Lukasz Duda
Glenn Ruben Bakke
Robert Love
David S. Miller
Eric Dumazet
Alexander Aring
Kuba Pawlak