Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 204dd19a authored by Greg Kroah-Hartman's avatar Greg Kroah-Hartman
Browse files

Merge 4.19.136 into android-4.19-stable 



Changes in 4.19.136
	AX.25: Fix out-of-bounds read in ax25_connect()
	AX.25: Prevent out-of-bounds read in ax25_sendmsg()
	dev: Defer free of skbs in flush_backlog
	drivers/net/wan/x25_asy: Fix to make it work
	ip6_gre: fix null-ptr-deref in ip6gre_init_net()
	net-sysfs: add a newline when printing 'tx_timeout' by sysfs
	net: udp: Fix wrong clean up for IS_UDPLITE macro
	qrtr: orphan socket in qrtr_release()
	rxrpc: Fix sendmsg() returning EPIPE due to recvmsg() returning ENODATA
	tcp: allow at most one TLP probe per flight
	AX.25: Prevent integer overflows in connect and sendmsg
	sctp: shrink stream outq only when new outcnt < old outcnt
	sctp: shrink stream outq when fails to do addstream reconf
	udp: Copy has_conns in reuseport_grow().
	udp: Improve load balancing for SO_REUSEPORT.
	rtnetlink: Fix memory(net_device) leak when ->newlink fails
	regmap: debugfs: check count when read regmap file
	Linux 4.19.136

Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@google.com>
Change-Id: I642a68276dffc3521d8809024f457c1049012348
parents bcf95174 13af6c74

Makefile

+1 −1
Original line number Diff line number Diff line 
# SPDX-License-Identifier: GPL-2.0

VERSION = 4

PATCHLEVEL = 19

SUBLEVEL = 135

SUBLEVEL = 136

EXTRAVERSION =

NAME = "People's Front"

drivers/base/regmap/regmap-debugfs.c

+6 −0
Original line number Diff line number Diff line
@@ -209,6 +209,9 @@ static ssize_t regmap_read_debugfs(struct regmap *map, unsigned int from, 
	if (*ppos < 0 || !count)

		return -EINVAL;



	if (count > (PAGE_SIZE << (MAX_ORDER - 1)))

		count = PAGE_SIZE << (MAX_ORDER - 1);



	buf = kmalloc(count, GFP_KERNEL);

	if (!buf)

		return -ENOMEM;
@@ -357,6 +360,9 @@ static ssize_t regmap_reg_ranges_read_file(struct file *file, 
	if (*ppos < 0 || !count)

		return -EINVAL;



	if (count > (PAGE_SIZE << (MAX_ORDER - 1)))

		count = PAGE_SIZE << (MAX_ORDER - 1);



	buf = kmalloc(count, GFP_KERNEL);

	if (!buf)

		return -ENOMEM;

drivers/net/wan/x25_asy.c

+14 −7
Original line number Diff line number Diff line
@@ -183,7 +183,7 @@ static inline void x25_asy_unlock(struct x25_asy *sl) 
	netif_wake_queue(sl->dev);

}



/* Send one completely decapsulated IP datagram to the IP layer. */

/* Send an LAPB frame to the LAPB module to process. */



static void x25_asy_bump(struct x25_asy *sl)

{
@@ -195,13 +195,12 @@ static void x25_asy_bump(struct x25_asy *sl) 
	count = sl->rcount;

	dev->stats.rx_bytes += count;



	skb = dev_alloc_skb(count+1);

	skb = dev_alloc_skb(count);

	if (skb == NULL) {

		netdev_warn(sl->dev, "memory squeeze, dropping packet\n");

		dev->stats.rx_dropped++;

		return;

	}

	skb_push(skb, 1);	/* LAPB internal control */

	skb_put_data(skb, sl->rbuff, count);

	skb->protocol = x25_type_trans(skb, sl->dev);

	err = lapb_data_received(skb->dev, skb);
@@ -209,7 +208,6 @@ static void x25_asy_bump(struct x25_asy *sl) 
		kfree_skb(skb);

		printk(KERN_DEBUG "x25_asy: data received err - %d\n", err);

	} else {

		netif_rx(skb);

		dev->stats.rx_packets++;

	}

}
@@ -356,12 +354,21 @@ static netdev_tx_t x25_asy_xmit(struct sk_buff *skb, 
 */



/*

 *	Called when I frame data arrives. We did the work above - throw it

 *	at the net layer.

 *	Called when I frame data arrive. We add a pseudo header for upper

 *	layers and pass it to upper layers.

 */



static int x25_asy_data_indication(struct net_device *dev, struct sk_buff *skb)

{

	if (skb_cow(skb, 1)) {

		kfree_skb(skb);

		return NET_RX_DROP;

	}

	skb_push(skb, 1);

	skb->data[0] = X25_IFACE_DATA;



	skb->protocol = x25_type_trans(skb, dev);



	return netif_rx(skb);

}
@@ -657,7 +664,7 @@ static void x25_asy_unesc(struct x25_asy *sl, unsigned char s) 
	switch (s) {

	case X25_END:

		if (!test_and_clear_bit(SLF_ERROR, &sl->flags) &&

		    sl->rcount > 2)

		    sl->rcount >= 2)

			x25_asy_bump(sl);

		clear_bit(SLF_ESCAPE, &sl->flags);

		sl->rcount = 0;

include/linux/tcp.h

+3 −1
Original line number Diff line number Diff line
@@ -225,6 +225,8 @@ struct tcp_sock { 
	} rack;

	u16	advmss;		/* Advertised MSS			*/

	u8	compressed_ack;

	u8	tlp_retrans:1,	/* TLP is a retransmission */

		unused_1:7;

	u32	chrono_start;	/* Start time in jiffies of a TCP chrono */

	u32	chrono_stat[3];	/* Time in jiffies for chrono_stat stats */

	u8	chrono_type:2,	/* current chronograph type */
@@ -247,7 +249,7 @@ struct tcp_sock { 
		save_syn:1,	/* Save headers of SYN packet */

		is_cwnd_limited:1,/* forward progress limited by snd_cwnd? */

		syn_smc:1;	/* SYN includes SMC */

	u32	tlp_high_seq;	/* snd_nxt at the time of TLP retransmit. */

	u32	tlp_high_seq;	/* snd_nxt at the time of TLP */



/* RTT measurement */

	u64	tcp_mstamp;	/* most recent packet received/sent */

net/ax25/af_ax25.c

+8 −2
Original line number Diff line number Diff line
@@ -1190,7 +1190,10 @@ static int __must_check ax25_connect(struct socket *sock, 
	if (addr_len > sizeof(struct sockaddr_ax25) &&

	    fsa->fsa_ax25.sax25_ndigis != 0) {

		/* Valid number of digipeaters ? */

		if (fsa->fsa_ax25.sax25_ndigis < 1 || fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS) {

		if (fsa->fsa_ax25.sax25_ndigis < 1 ||

		    fsa->fsa_ax25.sax25_ndigis > AX25_MAX_DIGIS ||

		    addr_len < sizeof(struct sockaddr_ax25) +

		    sizeof(ax25_address) * fsa->fsa_ax25.sax25_ndigis) {

			err = -EINVAL;

			goto out_release;

		}
@@ -1510,7 +1513,10 @@ static int ax25_sendmsg(struct socket *sock, struct msghdr *msg, size_t len) 
			struct full_sockaddr_ax25 *fsa = (struct full_sockaddr_ax25 *)usax;



			/* Valid number of digipeaters ? */

			if (usax->sax25_ndigis < 1 || usax->sax25_ndigis > AX25_MAX_DIGIS) {

			if (usax->sax25_ndigis < 1 ||

			    usax->sax25_ndigis > AX25_MAX_DIGIS ||

			    addr_len < sizeof(struct sockaddr_ax25) +

			    sizeof(ax25_address) * usax->sax25_ndigis) {

				err = -EINVAL;

				goto out;

			}