Linux Kernel https://git.stealer.net/cgit.cgi/user/sven/linux.git/atom?h=v5.6.17 2020-06-07T11:16:49Z 2020-06-07T11:16:49Z Greg Kroah-Hartman gregkh@linuxfoundation.org 2020-06-07T11:16:49Z urn:sha1:5117c0a56aeeb3ab18fb91bd611e739fec3df9c0 2020-06-07T11:16:49Z Dan Carpenter dan.carpenter@oracle.com 2020-05-27T18:48:30Z urn:sha1:5438830ea8bc7e4d3bc606844d4f2f77d6e62ad7 commit 11e7a91994c29da96d847f676be023da6a2c1359 upstream. The problem is that we always copy a minimum of ETH_ZLEN (60) bytes from skb->data even when skb->len is less than ETH_ZLEN so it leads to a read overflow. The fix is to pad skb->data to at least ETH_ZLEN bytes. Cc: <stable@vger.kernel.org> Reported-by: Hu Jiahui <kirin.say@gmail.com> Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200527184830.GA1164846@mwanda Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-07T11:16:49Z DENG Qingfang dqfext@gmail.com 2020-05-13T15:37:17Z urn:sha1:897b7c720803aacf7c94a0054648210d7c737f06 commit 38152ea37d8bdaffa22603e0a5b5b86cfa8714c9 upstream. Currently, setting a bridge's self PVID to other value and deleting the default VID 1 renders untagged ports of that VLAN unable to talk to the CPU port: bridge vlan add dev br0 vid 2 pvid untagged self bridge vlan del dev br0 vid 1 self bridge vlan add dev sw0p0 vid 2 pvid untagged bridge vlan del dev sw0p0 vid 1 # br0 cannot send untagged frames out of sw0p0 anymore That is because the CPU port is set to security mode and its PVID is still 1, and untagged frames are dropped due to VLAN member violation. Set the CPU port to fallback mode so untagged frames can pass through. Fixes: 83163f7dca56 ("net: dsa: mediatek: add VLAN support for MT7530") Signed-off-by: DENG Qingfang <dqfext@gmail.com> Reviewed-by: Florian Fainelli <f.fainelli@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-07T11:16:49Z Sakari Ailus sakari.ailus@linux.intel.com 2020-04-15T15:40:09Z urn:sha1:f9e1486e320b831fa5501414d403dad06e97a68e commit 8c038effd893920facedf18c2c0976cec4a33408 upstream. Move the alignment attribute of struct ipu3_uapi_awb_fr_config_s to the field in struct ipu3_uapi_4a_config, the other location where the struct is used. Fixes: commit c9d52c114a9f ("media: staging: imgu: Address a compiler warning on alignment") Reported-by: Tomasz Figa <tfiga@chromium.org> Tested-by: Bingbu Cao <bingbu.cao@intel.com> Cc: stable@vger.kernel.org # for v5.3 and up Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-07T11:16:49Z Sakari Ailus sakari.ailus@linux.intel.com 2020-04-15T15:34:05Z urn:sha1:75d1f73c2dcc00685169acecebe20a62fb6364c8 commit 81d1adeb52c97fbe097e8c94e36c3eb702cdb110 upstream. This reverts commit c9d52c114a9fcc61c30512c7f810247a9f2812af. The patch being reverted changed the memory layout of struct ipu3_uapi_acc_param. Revert it, and address the compiler warning issues in further patches. Fixes: commit c9d52c114a9f ("media: staging: imgu: Address a compiler warning on alignment") Reported-by: Tomasz Figa <tfiga@chromium.org> Tested-by: Bingbu Cao <bingbu.cao@intel.com> Cc: stable@vger.kernel.org # for v5.3 and up Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com> Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-07T11:16:49Z Jérôme Pouiller jerome.pouiller@silabs.com 2020-05-11T16:19:02Z urn:sha1:5a8c9efd035ba8f1043de05cbdcc0bb79e516301 commit 83fc5dd57f86c3ec7d6d22565a6ff6c948853b64 upstream. The definitions of MMC_IOC_CMD and of MMC_IOC_MULTI_CMD rely on MMC_BLOCK_MAJOR: #define MMC_IOC_CMD _IOWR(MMC_BLOCK_MAJOR, 0, struct mmc_ioc_cmd) #define MMC_IOC_MULTI_CMD _IOWR(MMC_BLOCK_MAJOR, 1, struct mmc_ioc_multi_cmd) However, MMC_BLOCK_MAJOR is defined in linux/major.h and linux/mmc/ioctl.h did not include it. Signed-off-by: Jérôme Pouiller <jerome.pouiller@silabs.com> Cc: stable@vger.kernel.org Link: https://lore.kernel.org/r/20200511161902.191405-1-Jerome.Pouiller@silabs.com Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-07T11:16:49Z Daniel Axtens dja@axtens.net 2020-06-04T23:51:27Z urn:sha1:ea6fe1d79ad03792f6f62804274d9c5ca9fa8391 commit 54e200ab40fc14c863bcc80a51e20b7906608fce upstream. alloc_percpu() may return NULL, which means chan->buf may be set to NULL. In that case, when we do *per_cpu_ptr(chan->buf, ...), we dereference an invalid pointer: BUG: Unable to handle kernel data access at 0x7dae0000 Faulting instruction address: 0xc0000000003f3fec ... NIP relay_open+0x29c/0x600 LR relay_open+0x270/0x600 Call Trace: relay_open+0x264/0x600 (unreliable) __blk_trace_setup+0x254/0x600 blk_trace_setup+0x68/0xa0 sg_ioctl+0x7bc/0x2e80 do_vfs_ioctl+0x13c/0x1300 ksys_ioctl+0x94/0x130 sys_ioctl+0x48/0xb0 system_call+0x5c/0x68 Check if alloc_percpu returns NULL. This was found by syzkaller both on x86 and powerpc, and the reproducer it found on powerpc is capable of hitting the issue as an unprivileged user. Fixes: 017c59c042d0 ("relay: Use per CPU constructs for the relay channel buffer pointers") Reported-by: syzbot+1e925b4b836afe85a1c6@syzkaller-ppc64.appspotmail.com Reported-by: syzbot+587b2421926808309d21@syzkaller-ppc64.appspotmail.com Reported-by: syzbot+58320b7171734bf79d26@syzkaller.appspotmail.com Reported-by: syzbot+d6074fb08bdb2e010520@syzkaller.appspotmail.com Signed-off-by: Daniel Axtens <dja@axtens.net> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Reviewed-by: Michael Ellerman <mpe@ellerman.id.au> Reviewed-by: Andrew Donnellan <ajd@linux.ibm.com> Acked-by: David Rientjes <rientjes@google.com> Cc: Akash Goel <akash.goel@intel.com> Cc: Andrew Donnellan <ajd@linux.ibm.com> Cc: Guenter Roeck <linux@roeck-us.net> Cc: Salvatore Bonaccorso <carnil@debian.org> Cc: <stable@vger.kernel.org> [4.10+] Link: http://lkml.kernel.org/r/20191219121256.26480-1-dja@axtens.net Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-07T11:16:49Z Herbert Xu herbert@gondor.apana.org.au 2020-04-10T06:09:42Z urn:sha1:1b6cffbf78e56d165d5b0c46c364ba77e416978b commit 6603523bf5e432c7c8490fb500793bb15d4e5f61 upstream. There are two problems in crypto_spawn_alg. First of all it may return spawn->alg even if spawn->dead is set. This results in a double-free as detected by syzbot. Secondly the setting of the DYING flag is racy because we hold the read-lock instead of the write-lock. We should instead call crypto_shoot_alg in a safe manner by gaining a refcount, dropping the lock, and then releasing the refcount. This patch fixes both problems. Reported-by: syzbot+fc0674cde00b66844470@syzkaller.appspotmail.com Fixes: 4f87ee118d16 ("crypto: api - Do not zap spawn->alg") Fixes: 73669cc55646 ("crypto: api - Fix race condition in...") Cc: <stable@vger.kernel.org> Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-07T11:16:48Z Matthew Garrett matthewgarrett@google.com 2020-03-18T23:07:48Z urn:sha1:9a9a8a25f2071f8abe7f94842dd754f27a74953d commit b2934279c3e9719145ff4090d4ab951e340df17e upstream. The current version has a new USB ID and reports as an 0x7632 device. Adding the IDs results in it working out of the box. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: Felix Fietkau <nbd@nbd.name> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2020-06-07T11:16:48Z Giuseppe Marco Randazzo gmrandazzo@gmail.com 2020-04-05T22:06:59Z urn:sha1:a8f56c58a4285fff89795ae3dc8b1b831082d062 commit 63e49a9fdac1b4e97ac26cb3fe953f210d83bc53 upstream. This patch adds the AirVasT USB wireless devices 124a:4026 to the list of supported devices. It's using the ISL3886 usb firmware. Without this modification, the wiki adapter is not recognized. Cc: <stable@vger.kernel.org> Signed-off-by: Giuseppe Marco Randazzo <gmrandazzo@gmail.com> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> [formatted, reworded] Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Link: https://lore.kernel.org/r/20200405220659.45621-1-chunkeey@gmail.com Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>