Commit Graph

722660 Commits

Author SHA1 Message Date
Daniel Borkmann
283ca526a9 bpf: fix corruption on concurrent perf_event_output calls
When tracing and networking programs are both attached in the
system and both use event-output helpers that eventually call
into perf_event_output(), then we could end up in a situation
where the tracing attached program runs in user context while
a cls_bpf program is triggered on that same CPU out of softirq
context.

Since both rely on the same per-cpu perf_sample_data, we could
potentially corrupt it. This can only ever happen in a combination
of the two types; all tracing programs use a bpf_prog_active
counter to bail out in case a program is already running on
that CPU out of a different context. XDP and cls_bpf programs
by themselves don't have this issue as they run in the same
context only. Therefore, split both perf_sample_data so they
cannot be accessed from each other.

Fixes: 20b9d7ac48 ("bpf: avoid excessive stack usage for perf_sample_data")
Reported-by: Alexei Starovoitov <ast@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: Song Liu <songliubraving@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2017-12-12 09:51:12 -08:00
Christoph Paasch
30791ac419 tcp md5sig: Use skb's saddr when replying to an incoming segment
The MD5-key that belongs to a connection is identified by the peer's
IP-address. When we are in tcp_v4(6)_reqsk_send_ack(), we are replying
to an incoming segment from tcp_check_req() that failed the seq-number
checks.

Thus, to find the correct key, we need to use the skb's saddr and not
the daddr.

This bug seems to have been there since quite a while, but probably got
unnoticed because the consequences are not catastrophic. We will call
tcp_v4_reqsk_send_ack only to send a challenge-ACK back to the peer,
thus the connection doesn't really fail.

Fixes: 9501f97229 ("tcp md5sig: Let the caller pass appropriate key for tcp_v{4,6}_do_calc_md5_hash().")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-12 11:15:42 -05:00
Xin Long
200809716a fou: fix some member types in guehdr
guehdr struct is used to build or parse gue packets, which
are always in big endian. It's better to define all guehdr
members as __beXX types.

Also, in validate_gue_flags it's not good to use a __be32
variable for both Standard flags(__be16) and Private flags
(__be32), and pass it to other funcions.

This patch could fix a bunch of sparse warnings from fou.

Fixes: 5024c33ac3 ("gue: Add infrastructure for flags and options")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-11 14:10:06 -05:00
Xin Long
2342b8d95b sctp: make sure stream nums can match optlen in sctp_setsockopt_reset_streams
Now in sctp_setsockopt_reset_streams, it only does the check
optlen < sizeof(*params) for optlen. But it's not enough, as
params->srs_number_streams should also match optlen.

If the streams in params->srs_stream_list are less than stream
nums in params->srs_number_streams, later when dereferencing
the stream list, it could cause a slab-out-of-bounds crash, as
reported by syzbot.

This patch is to fix it by also checking the stream numbers in
sctp_setsockopt_reset_streams to make sure at least it's not
greater than the streams in the list.

Fixes: 7f9d68ac94 ("sctp: implement sender-side procedures for SSN Reset Request Parameter")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-11 14:08:21 -05:00
Mohamed Ghannam
8f659a03a0 net: ipv4: fix for a race condition in raw_sendmsg
inet->hdrincl is racy, and could lead to uninitialized stack pointer
usage, so its value should be read only once.

Fixes: c008ba5bdc ("ipv4: Avoid reading user iov twice after raw_probe_proto_opt")
Signed-off-by: Mohamed Ghannam <simo.ghannam@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-11 14:05:31 -05:00
Kevin Cernekee
93c647643b netlink: Add netns check on taps
Currently, a nlmon link inside a child namespace can observe systemwide
netlink activity.  Filter the traffic so that nlmon can only sniff
netlink messages from its own netns.

Test case:

    vpnns -- bash -c "ip link add nlmon0 type nlmon; \
                      ip link set nlmon0 up; \
                      tcpdump -i nlmon0 -q -w /tmp/nlmon.pcap -U" &
    sudo ip xfrm state add src 10.1.1.1 dst 10.1.1.2 proto esp \
        spi 0x1 mode transport \
        auth sha1 0x6162633132330000000000000000000000000000 \
        enc aes 0x00000000000000000000000000000000
    grep --binary abc123 /tmp/nlmon.pcap

Signed-off-by: Kevin Cernekee <cernekee@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-11 11:58:18 -05:00
Thomas Petazzoni
2aab6b40b0 net: sh_eth: do not advertise Gigabit capabilities when not available
Not all variants of the sh_eth hardware have Gigabit
support. Unfortunately, the current driver doesn't tell the PHY about
the limited MAC capabilities. Due to this, if you have a Gigabit
capable PHY, the PHY will advertise its Gigabit capability and
establish a link at 1Gbit/s, even though the MAC doesn't support it.

In order to avoid this, we use the recently introduced
phy_set_max_speed() to tell the PHY to not advertise speed higher than
100 MBit/s.

Tested on a SH7786 platform, with a Gigabit PHY.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-11 11:53:55 -05:00
Jerome Brunet
f1e2400a80 net: phy: meson-gxl: detect LPA corruption
The purpose of this change is to fix the incorrect detection of the link
partner (LP) advertised capabilities which sometimes happens with this PHY
(roughly 1 time in a dozen)

This issue may cause the link to be negotiated at 10Mbps/Full or
10Mbps/Half when 100MBps/Full is actually possible. In some case, the link
is even completely broken and no communication is possible.

To detect the corruption, we must look for a magic undocumented bit in the
WOL bank (hint given by the SoC vendor kernel) but this is not enough to
cover all cases. We also have to look at the LPA ack. If the LP supports
Aneg but did not ack our base code when aneg is completed, we assume
something went wrong.

The detection of a corrupted LPA triggers a restart of the aneg process.
This solves the problem but may take up to 6 retries to complete.

Fixes: 7334b3e47a ("net: phy: Add Meson GXL Internal PHY driver")
Signed-off-by: Jerome Brunet <jbrunet@baylibre.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-11 11:18:33 -05:00
Michael S. Tsirkin
a8ceb5dbfd ptr_ring: add barriers
Users of ptr_ring expect that it's safe to give the
data structure a pointer and have it be available
to consumers, but that actually requires an smb_wmb
or a stronger barrier.

In absence of such barriers and on architectures that reorder writes,
consumer might read an un=initialized value from an skb pointer stored
in the skb array.  This was observed causing crashes.

To fix, add memory barriers.  The barrier we use is a wmb, the
assumption being that producers do not need to read the value so we do
not need to order these reads.

Reported-by: George Cherian <george.cherian@cavium.com>
Suggested-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-11 10:52:23 -05:00
David S. Miller
f0f1d0166b Three fixes:
* for certificate C file generation, don't use hexdump as it's
    not always installed by default, use pure posix instead (od/sed)
  * for certificate C file generation, don't write the file if
    anything fails, so the build abort will not cause a bad build
    upon a second attempt
  * fix locking in ieee80211_sta_tear_down_BA_sessions() which had
    been causing lots of locking warnings
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEH1e1rEeCd0AIMq6MB8qZga/fl8QFAlouVRAACgkQB8qZga/f
 l8RRdg/+J6dq+Y5WmdRVniKh+XR+6wu1nMLh5LcTKhhh3e1yv2No8T3V8CxT4eGC
 YEsqjoJT4MF8WMN/qx6DqqKi8jRPuUEUIoFsM0Joz8EBXkkS3lC0Rnzp1ZlMXHwD
 aJ+aY5SrQL9isVN50traO6DPbr0fXiy4af8XLty49lmFdAO0OdxwMFu6WhkS24ej
 g7bMMW8MqHgytolhWrpaiAEcj1wa2kTyzGXmAvv0IztxLrJyRNljnJwnme3vN1b7
 E5niCdTbnHkifxHIZqgX2u5Vhn26c+kkhom6WJGv3TTsVQGeERbT3qQHksCN2sNf
 /mgiLgEQp9XW8PejYgTrGlalIX5dr2E5mU0kXYIiG1xf8Q0BwZzDRiSqZD9p5dYW
 NSbnK+ZmHc+5WyvdNZqv09rTKRFeq8QUwy53MOFeD2MMHqjn1KfUaqm+d2AGbPn0
 Trm1Vpk0NFvBvEhpfZrauye7iZkXWYdasaZDRdmRkkiWTW9tgtSH3BTUQIaRbbxh
 sgE+oY1yZxle/1atLQV70Kku7yFChjPc6qEfFEobygWzl+wbyu0ipBvCD7gyEJKy
 yPQ4kEJLqY4Vh4A/riprrjyD/06QTVUF5PgBeTfLgTI5NJ1Z4Dfw51Y65fr3stb6
 QvUj+eJiVebBRNP4C4CjLA4n65QlYFTJWQnNyreLqkjlB8tob64=
 =Mgd9
 -----END PGP SIGNATURE-----

Merge tag 'mac80211-for-davem-2017-12-11' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
Three fixes:
 * for certificate C file generation, don't use hexdump as it's
   not always installed by default, use pure posix instead (od/sed)
 * for certificate C file generation, don't write the file if
   anything fails, so the build abort will not cause a bad build
   upon a second attempt
 * fix locking in ieee80211_sta_tear_down_BA_sessions() which had
   been causing lots of locking warnings
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-11 09:39:14 -05:00
Johannes Berg
0afe9d4ab9 mac80211: fix locking in ieee80211_sta_tear_down_BA_sessions
Due to overlap between
commit 1281103770 ("mac80211: Simplify locking in ieee80211_sta_tear_down_BA_sessions()")
and the way that Luca modified
commit 72e2c3438b ("mac80211: tear down RX aggregations first")
when sending it upstream from Intel's internal tree, we get
the following warning:

WARNING: CPU: 0 PID: 5472 at net/mac80211/agg-tx.c:315 ___ieee80211_stop_tx_ba_session+0x158/0x1f0

since there's no appropriate locking around the call to
___ieee80211_stop_tx_ba_session; Sara's original just had
a call to the locked __ieee80211_stop_tx_ba_session (one
less underscore) but it looks like Luca modified both of
the calls when fixing it up for upstream, leading to the
problem at hand.

Move the locking appropriately to fix this problem.

Reported-by: Kalle Valo <kvalo@codeaurora.org>
Reported-by: Pavel Machek <pavel@ucw.cz>
Tested-by: Pavel Machek <pavel@ucw.cz>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2017-12-11 10:50:00 +01:00
Michal Hocko
f335195adf kmemcheck: rip it out for real
Commit 4675ff05de ("kmemcheck: rip it out") has removed the code but
for some reason SPDX header stayed in place.  This looks like a rebase
mistake in the mmotm tree or the merge mistake.  Let's drop those
leftovers as well.

Signed-off-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-12-08 13:40:17 -08:00
Linus Torvalds
e9ef1fe312 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) CAN fixes from Martin Kelly (cancel URBs properly in all the CAN usb
    drivers).

 2) Revert returning -EEXIST from __dev_alloc_name() as this propagates
    to userspace and broke some apps. From Johannes Berg.

 3) Fix conn memory leaks and crashes in TIPC, from Jon Malloc and Cong
    Wang.

 4) Gianfar MAC can't do EEE so don't advertise it by default, from
    Claudiu Manoil.

 5) Relax strict netlink attribute validation, but emit a warning. From
    David Ahern.

 6) Fix regression in checksum offload of thunderx driver, from Florian
    Westphal.

 7) Fix UAPI bpf issues on s390, from Hendrik Brueckner.

 8) New card support in iwlwifi, from Ihab Zhaika.

 9) BBR congestion control bug fixes from Neal Cardwell.

10) Fix port stats in nfp driver, from Pieter Jansen van Vuuren.

11) Fix leaks in qualcomm rmnet, from Subash Abhinov Kasiviswanathan.

12) Fix DMA API handling in sh_eth driver, from Thomas Petazzoni.

13) Fix spurious netpoll warnings in bnxt_en, from Calvin Owens.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (67 commits)
  net: mvpp2: fix the RSS table entry offset
  tcp: evaluate packet losses upon RTT change
  tcp: fix off-by-one bug in RACK
  tcp: always evaluate losses in RACK upon undo
  tcp: correctly test congestion state in RACK
  bnxt_en: Fix sources of spurious netpoll warnings
  tcp_bbr: reset long-term bandwidth sampling on loss recovery undo
  tcp_bbr: reset full pipe detection on loss recovery undo
  tcp_bbr: record "full bw reached" decision in new full_bw_reached bit
  sfc: pass valid pointers from efx_enqueue_unwind
  gianfar: Disable EEE autoneg by default
  tcp: invalidate rate samples during SACK reneging
  can: peak/pcie_fd: fix potential bug in restarting tx queue
  can: usb_8dev: cancel urb on -EPIPE and -EPROTO
  can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
  can: esd_usb2: cancel urb on -EPIPE and -EPROTO
  can: ems_usb: cancel urb on -EPIPE and -EPROTO
  can: mcba_usb: cancel urb on -EPROTO
  usbnet: fix alignment for frames with no ethernet header
  tcp: use current time in tcp_rcv_space_adjust()
  ...
2017-12-08 13:32:44 -08:00
Linus Torvalds
77071bc6c4 media fixes for v4.15-rc3
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJaKrOpAAoJEAhfPr2O5OEVK5sP/iHWDJtRw/WWBYOqF9cGFl0o
 ssh1iXJAsOmLjaARMOkxQBPLwTvVMreux2fHow/mukrXB8BIR7OmflBaQRLM3lbW
 xm9G4yarXf7xgkxngisemQrJiweNyaNDX9P0BqJLV55Xhp+rO2Q6rutspho3xzoo
 Pmz7bgnt0FjBKz+0LWnKnzozdNinj2uhTdBOTgm9rUuUUGiAVTAQSNUq2e5Gzw3m
 DhO4UPOJDRmnZ6Rqldq2pD2wzmRfbVonirz7IEh7j2opcAoCM2TnmM+Z9C5zjlUj
 XVFagiR+XG8lsh2zvHdweter4X9DqLBlMbBDVAQ+vH+xhBuz63Yqq1pSIvXA342U
 rs1X182FSyE+pOxipuae94csHkyzlb9tmzoiUoItU+QXi8Wlg8pLH6GFQe/72t/g
 HpcXMBq2lflc2KDstx+QGs/G+1EYtz64vUXZ4pvuIitrhdbd5ulLh7Y7nb7qfEym
 WEHpaJwxh4MZh6RzB2tq+Tvy0/sD1krNjPTXtf2CuTdFNUuvk8QenRW1q2YVA06L
 UOTxRpfPYUPwhGKOoKb2IJ5g1xoztoqMaafdsUJ16H7fcuVtE9xQayVCVhaBuo08
 4g7SFCb7MhNLFG1Su291u9PKYlvGhCJaDPKE/6E+IM6szxt7h/kveYsdb05yWOoB
 di+cIWZkCRUzbO7fxz4J
 =xoHW
 -----END PGP SIGNATURE-----

Merge tag 'media/v4.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media

Pull media fixes from Mauro Carvalho Chehab:

 "A series of fixes for the media subsytem:

   - The largest amount of fixes in this series is with regards to
     comments that aren't kernel-doc, but start with "/**".

     A new check added for 4.15 makes it to produce a *huge* amount of
     new warnings (I'm compiling here with W=1). Most of the patches in
     this series fix those.

     No code changes - just comment changes at the source files

   - rc: some fixed in order to better handle RC repetition codes

   - v4l-async: use the v4l2_dev from the root notifier when matching
     sub-devices

   - v4l2-fwnode: Check subdev count after checking port

   - ov 13858 and et8ek8: compilation fix with randconfigs

   - usbtv: a trivial new USB ID addition

   - dibusb-common: don't do DMA on stack on firmware load

   - imx274: Fix error handling, add MAINTAINERS entry

   - sir_ir: detect presence of port"

* tag 'media/v4.15-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media: (50 commits)
  media: imx274: Fix error handling, add MAINTAINERS entry
  media: v4l: async: use the v4l2_dev from the root notifier when matching sub-devices
  media: v4l2-fwnode: Check subdev count after checking port
  media: et8ek8: select V4L2_FWNODE
  media: ov13858: Select V4L2_FWNODE
  media: rc: partial revert of "media: rc: per-protocol repeat period"
  media: dvb: i2c transfers over usb cannot be done from stack
  media: dvb-frontends: complete kernel-doc markups
  media: docs: add documentation for frontend attach info
  media: dvb_frontends: fix kernel-doc macros
  media: drivers: remove "/**" from non-kernel-doc comments
  media: lm3560: add a missing kernel-doc parameter
  media: rcar_jpu: fix two kernel-doc markups
  media: vsp1: add a missing kernel-doc parameter
  media: soc_camera: fix a kernel-doc markup
  media: mt2063: fix some kernel-doc warnings
  media: radio-wl1273: fix a parameter name at kernel-doc macro
  media: s3c-camif: add missing description at s3c_camif_find_format()
  media: mtk-vpu: add description for wdt fields at struct mtk_vpu
  media: vdec: fix some kernel-doc warnings
  ...
2017-12-08 13:18:47 -08:00
Linus Torvalds
4066aa72f9 i915, amdgpu + misc fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJaKedrAAoJEAx081l5xIa+CLkP/AkLTMW17WT/aktLfq4/+NQV
 WGcLxQw+SB9iYMffFUNdQdMqv3pKsDzeatifxNuoRnjvK6rNZDUFK11SoTEFCdA+
 opI3zBPiyMVv71LtLF/r2kj3Vw5rnARdCg24FIzptGg/4j+G0EOb9uzd9qjmjof1
 r2XD1f0mjIG6SREMYCZPJj/Q/ZGfWFKXxcatmf87sAoq4o2nfoQ1Sl0T4cnMV7yp
 FzzFKA/j6OaiVa0Tb1KiJOl8VnW5f9STanUynFcPtKd2mhDcVaEP4lAfBhHgccd8
 ufmsyPJDadGQDT0iQY5E8n+ht124wg4gW8TKGqyxDfxuzTFj2k62WOUMH4eSjGSt
 x7SHEewTQLoV5kIPp0y00T2NWuA4/jmjjgllQZgqSFwnsv8fQ9/GwLNPWrUGM0+z
 6sqzj7QRyn8GGuYblqVghVYj0bX3ovmYlLzOaKZ+pNSM34hLBFRenZQ5mKJ6WrcE
 SIKzuQm3HEC8KwNw72zZ6+zz5fc7x9KuURztwEPt6vOMnxz1PtjWSdHzfvja4cH2
 6D2t0lZSqkM244FFG4ImFP6CDF+8vaY7i9YybjYteycWH7o9haVa869vCxUdNUWo
 DDghWKPRjbl7LJLJ14BxMrg0+sk+XWYcoZXjUAM0rYFFOWoFkVAlF8Sy3kgb5Pky
 wMLalQohWFbkZY60q02h
 =2f34
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "This pull is a bit larger than I'd like but a large bunch of it is
  license fixes, AMD wanted to fix the licenses for a bunch of files
  that were missing them,

 Otherwise a bunch of TTM regression fix since the hugepage support,
 some i915 and gvt fixes, a core connector free in a safe context fix,
 and one bridge fix"

* tag 'drm-fixes-for-v4.15-rc3' of git://people.freedesktop.org/~airlied/linux: (26 commits)
  drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
  Revert "drm/i915: Display WA #1133 WaFbcSkipSegments:cnl, glk"
  drm/vc4: Fix false positive WARN() backtrace on refcount_inc() usage
  drm/i915: Call i915_gem_init_userptr() before taking struct_mutex
  drm/exynos: remove unnecessary function declaration
  drm/exynos: remove unnecessary descrptions
  drm/exynos: gem: Drop NONCONTIG flag for buffers allocated without IOMMU
  drm/exynos: Fix dma-buf import
  drm/ttm: swap consecutive allocated pooled pages v4
  drm: safely free connectors from connector_iter
  drm/i915/gvt: set max priority for gvt context
  drm/i915/gvt: Don't mark vgpu context as inactive when preempted
  drm/i915/gvt: Limit read hw reg to active vgpu
  drm/i915/gvt: Export intel_gvt_render_mmio_to_ring_id()
  drm/i915/gvt: Emulate PCI expansion ROM base address register
  drm/ttm: swap consecutive allocated cached pages v3
  drm/ttm: roundup the shrink request to prevent skip huge pool
  drm/ttm: add page order support in ttm_pages_put
  drm/ttm: add set_pages_wb for handling page order more than zero
  drm/ttm: add page order in page pool
  ...
2017-12-08 13:11:57 -08:00
Linus Torvalds
7267212c80 Merge tag 'md/4.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md
Pull md fixes from Shaohua Li:
 "Some MD fixes.

  The notable one is a raid5-cache deadlock bug with dm-raid, others are
  not significant"

* tag 'md/4.15-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
  md/raid1/10: add missed blk plug
  md: limit mdstat resync progress to max_sectors
  md/r5cache: move mddev_lock() out of r5c_journal_mode_set()
  md/raid5: correct degraded calculation in raid5_error
2017-12-08 13:03:02 -08:00
Linus Torvalds
78d9b04844 DeviceTree fixes for v4.15 (part2):
- Fixes from overlay code rework. A trifecta of fixes to the locking,
   an out of bounds access, and a memory leak in of_overlay_apply().
 
 - Clean-up at25 eeprom binding document
 
 - Remove leading '0x' in unit-addresses from binding docs
 -----BEGIN PGP SIGNATURE-----
 
 iQItBAABCAAXBQJaKrC8EBxyb2JoQGtlcm5lbC5vcmcACgkQ+vtdtY28YcPY7Q/9
 GOZDOhajewVoYo+LkKl8+1wtdih7QHOvziKY8Jn1Nd/o6ASXU5ltOxvk5iF/q4tz
 x7JFKMkUo8eyOy5p5XnkqAzOnQ+rP+aRvHxjeAiMtQZRtMcDJ6bv4FRMI4/hq610
 QocAcxzblXJayy/Ad2sbuMr34O6QBkvnicMiLHZNb2IhCgk0nxBbyiNJDr868XE6
 CwlkKgo+y0fFJKkW3y4v4jaMdMlmcxTPTY+4jOJoGnnD1LgNwNRgkTFCzRQLebBk
 E5D6XweMS7G0IOO8wLYEn70JYsNk4wRGjIvlZGR1e5REQNgT9H+1J8rXLxlWc5rk
 l2o4V3+nrBj3BpVCG5oQWBrwVsMZS8ExdnRnrGmZJ25C1EFzlRHGYtsvo6fvXsLs
 T2VfYPEDhN5IHZiUU/rcHfz1VpHjuBrtFStPQkFTSTfO52n22Q5KWBxHUqUjXbBZ
 phcPoHcDm+FfO4swkLuIP0wDAiNj8SJpJJNnHLrgIuy52UvXe/VD5BlY5RgXIZbg
 XhxAcsNKrqfH8ggfbM7ndXkUoFrDyl/dOupfwbtwzNqDQiPGvpjkr9hmE7XIL2aJ
 tyGahgkpZ3n49oGJPe5rTHKJacZBkl6rNI2CFQfERXyGYUmQSEU6AViSSyRG6ljK
 kXLmIzNPgJJF/I9YC3q8Wr6FUoOAapE7Zww/Cc83xJ8=
 =vBBN
 -----END PGP SIGNATURE-----

Merge tag 'devicetree-fixes-for-4.15-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux

Pull DeviceTree fixes from Rob Herring:
 "Another set of DT fixes:

   - Fixes from overlay code rework. A trifecta of fixes to the locking,
     an out of bounds access, and a memory leak in of_overlay_apply()

   - Clean-up at25 eeprom binding document

   - Remove leading '0x' in unit-addresses from binding docs"

* tag 'devicetree-fixes-for-4.15-part2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
  of: overlay: Make node skipping in init_overlay_changeset() clearer
  of: overlay: Fix out-of-bounds write in init_overlay_changeset()
  of: overlay: Fix (un)locking in of_overlay_apply()
  of: overlay: Fix memory leak in of_overlay_apply() error path
  dt-bindings: eeprom: at25: Document device-specific compatible values
  dt-bindings: eeprom: at25: Grammar s/are can/can/
  dt-bindings: Remove leading 0x from bindings notation
  of: overlay: Remove else after goto
  of: Spelling s/changset/changeset/
  of: unittest: Remove bogus overlay mutex release from overlay_data_add()
2017-12-08 13:00:51 -08:00
Linus Torvalds
900add27f5 virtio: bugfixes
A couple of minor bugfixes.
 
 Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJaKW26AAoJECgfDbjSjVRpDwIH/1tq1vcjd5i00nh+gQD7jWm2
 qWrpcKbsS0ANTvhm9UNFY24BVoPuNpNrApQpuBxmgxE/XGqx7A+8xXhwPAM5lLiG
 uDSPB2nsfjvEUOde7bgeR+t6ay+Ki2UWKzY46lSoCTcIN7BSVFWQZonsGu2xLDzz
 kKpCtlobXRnXzeWm+fh1oOZu/cn/TuAF0mbb+6TUQqSsHAt6PQ3Hwsly2EmQV5xR
 of6Si/TnxFOkhZUKpezbuTU/g/20ZkHUSzgfrOuZLGonaIvZIE6BUm8m21/IgCbw
 WnwSqe66WsWF2vd0RDLFq4L3qaRyGn+W7iYo3KPbwIPEEotSRFMUgixBWBB3IgU=
 =Pf4w
 -----END PGP SIGNATURE-----

Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost

Pull virtio bugfixes from Michael Tsirkin:
 "A couple of minor bugfixes"

* tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
  virtio_net: fix return value check in receive_mergeable()
  virtio_mmio: add cleanup for virtio_mmio_remove
  virtio_mmio: add cleanup for virtio_mmio_probe
2017-12-08 12:58:51 -08:00
Linus Torvalds
32abeb09ab xen: fixes for 4.15-rc3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABAgAGBQJaKlu/AAoJELDendYovxMvaqoH/i7gN9xry7QkUM6RkwddGwYY
 v0rqaUo4WCW27yFOE7Bzej9Y+W92/eFPJnVUhc/quTVfV+uEjbs4PiAwuxSr+lIU
 X+BhBNbEi9C5RlRL1z75J0ZySyu6WXL2hsmPbc0wrrqdQikfiZ7bnRjdGAHh5C5C
 TijKQKGZTt6ccjIPUEZTIqeajOt/p7uxkCXPWhHQA1mudf9PVhsKyYnGdYp5gp8X
 KID+8XmKtAcSwPUz+eG9vGlGwmP28mH0BfCT0suC2uUI4o+PJFPqBTlfsco2kfHO
 NqVCgnMZs31Js8mdEVz8h2ZO8m2T5m1oml1zOeyDbgTJ8yjqgADy8K6Lm38clko=
 =ZHtb
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-4.15-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip

Pull xen fixes from Juergen Gross:
 "Just two small fixes for the new pvcalls frontend driver"

* tag 'for-linus-4.15-rc3-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
  xen/pvcalls: Fix a check in pvcalls_front_remove()
  xen/pvcalls: check for xenbus_read() errors
2017-12-08 12:53:43 -08:00
Linus Torvalds
d90696ed61 powerpc fixes for 4.15 #4
One notable fix for kexec on Power9, where we were not clearing MMU PID properly
 which sometimes leads to hangs. Finally debugged to a root cause by Nick.
 
 A revert of a patch which tried to rework our panic handling to get more output
 on the console, but inadvertently broke reporting the panic to the hypervisor,
 which apparently people care about.
 
 Then a fix for an oops in the PMU code, and finally some s/%p/%px/ in xmon.
 
 Thanks to:
   David Gibson, Nicholas Piggin, Ravi Bangoria.
 -----BEGIN PGP SIGNATURE-----
 
 iQIwBAABCAAaBQJaKoWXExxtcGVAZWxsZXJtYW4uaWQuYXUACgkQUevqPMjhpYAp
 Rw/+KRvwt1jt3vFKrWlcXQ4Mx4UTseSaBO7FsGwyANqNGUNvkIEIAZYu6M9x0LLh
 tfVowZdJ2vQrgdZy4Rd5zhIjzVaybyENMAMZFmGCxQUidORdibP2qT+3612FmQl0
 rczQB4Ra1Jymw+42iwe4WQfyta9cvVgfk7D+1KVWaCXQ0lx8DynZ75yK+U0fensz
 FPQNdtkfC2D37IFrqtgGBS5YLkeQpfftm8C/eBG0n2tv8PO1KM5xwVU8Ovf5LoIm
 8NbWL//H+zUOoU2jCGHDMfg1qLv9owScTMRtquQSmrE1i21mE2lLOSDSM105+AP2
 7CVRMMkth8V9w/nauPq0a5OGyzJWtClI9qj2ZPWS2wPF331g58GUNJsEy7OQAJgO
 QZoqcCkpT5qarmxkcKJlYZGF6AZ/4mIBL9mucfQc/afEgRUqksaUKck0qD5SW28j
 fm3pPjlMyf2vMRKGgaE9/+by5N/Bmxy2VCoFSuhm1ZrQsIpZXtp/Mfylqz0msdhU
 VCt4T229S7rdCQTn2TyMNW+iVmjlgvR4OUXvba/eBz67gzGk4huLNB4EnEwHA/SK
 qhkTJqYbP9B/MBD9GrNLFzG5yZTTv+3OA/aehL0PEGouV7cgMEqyGtYw2afwggRC
 sf+veK/2apPMnlA5WItEa7JPWaTLsxljZ65acskb7S/4W8g=
 =wU60
 -----END PGP SIGNATURE-----

Merge tag 'powerpc-4.15-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux

Pull powerpc fixes from Michael Ellerman:

 "One notable fix for kexec on Power9, where we were not clearing MMU
  PID properly which sometimes leads to hangs. Finally debugged to a
  root cause by Nick.

  A revert of a patch which tried to rework our panic handling to get
  more output on the console, but inadvertently broke reporting the
  panic to the hypervisor, which apparently people care about.

  Then a fix for an oops in the PMU code, and finally some s/%p/%px/ in
  xmon.

  Thanks to: David Gibson, Nicholas Piggin, Ravi Bangoria"

* tag 'powerpc-4.15-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
  powerpc/xmon: Don't print hashed pointers in xmon
  powerpc/64s: Initialize ISAv3 MMU registers before setting partition table
  Revert "powerpc: Do not call ppc_md.panic in fadump panic notifier"
  powerpc/perf: Fix oops when grouping different pmu events
2017-12-08 12:52:09 -08:00
David S. Miller
fd29117aeb linux-can-fixes-for-4.15-20171208
-----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEE4bay/IylYqM/npjQHv7KIOw4HPYFAloqeVYTHG1rbEBwZW5n
 dXRyb25peC5kZQAKCRAe/sog7Dgc9tiqCADK4f/QYW5q5jC93A6JZSItI8vAK2+h
 0s4MRTj9x+thBIGIhJ59uYBSTd374bvsWmrGdV7CBoGX4TnEJfGiMV77lpGnGRVG
 jpzk9cSFoAnE5UW2qZlF+JM8SNEFlU18MCQQlnMzKbSGerUAlveK+mcF5sJrqrQh
 CGZ9MH1Bp4Fz3WMRQ9hHzKWjTOhhM54qjPceCVTZM6I0RJam6I2lpVZPQeom9uVa
 r+F5Lv2ZOpNZc+8Pbu+L95YyivKKaQOPzeP4btFLNEHUyFDygHcv2iKRIn9MdEu2
 2XfaDVKk2Ey/qWc782SLBxLOihnhWltwC7Kg1ZnrLhNZ6V5UbYQ5FzF4
 =OMZE
 -----END PGP SIGNATURE-----

Merge tag 'linux-can-fixes-for-4.15-20171208' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2017-12-08

this is a pull request of 6 patches for net/master.

Martin Kelly provides 5 patches for various USB based CAN drivers, that
properly cancel the URBs on adapter unplug, so that the driver doesn't
end up in an endless loop. Stephane Grosjean provides a patch to restart
the tx queue if zero length packages are transmitted.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:53:54 -05:00
David S. Miller
03afb6e43a wireless-drivers fixes for 4.15
Second set of fixes for 4.15. This time a lot of iwlwifi patches and
 two brcmfmac patches. Most important here are the MIC and IVC fixes
 for iwlwifi to unbreak 9000 series.
 
 iwlwifi
 
 * fix rate-scaling to not start lowest possible rate
 
 * fix the TX queue hang detection for AP/GO modes
 
 * fix the TX queue hang timeout in monitor interfaces
 
 * fix packet injection
 
 * remove a wrong error message when dumping PCI registers
 
 * fix race condition with RF-kill
 
 * tell mac80211 when the MIC has been stripped (9000 series)
 
 * tell mac80211 when the IVC has been stripped (9000 series)
 
 * add 2 new PCI IDs, one for 9000 and one for 22000
 
 * fix a queue hang due during a P2P Remain-on-Channel operation
 
 brcmfmac
 
 * fix a race which sometimes caused a crash during sdio unbind
 
 * fix a kernel-doc related build error
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJaKp9UAAoJEG4XJFUm622bhXgH+wTtTVEH0lAOTtK+PyBkxkRH
 Q+55Yf1XZ9lNYxmfXhYgObusSbmeL8tClMuISCcQS9gX0um1Vuuud4CLemgO2V7R
 V1xuWTKjanaKf8PouKx9SUt1Fx6CsFdwlivJX+eZTfKlKYtwNbNX4onWl9GN2jVZ
 5/2l+m3MJbTMMzarZTGLkBJqpTk8DGTNINtKeRd+VF+717SlbqpRlw1TTlbVJcR2
 nHcJ3p5JGbU/+hOTroOWUr7kGdpdYlWLfcyOL8iT3rZXtAzH/POjPAmQv9VVRaC+
 anm5zn+gZ5GH9XF+pc3nrGOEZ2Ei4LtszMQjdo4Zo9V3ngCj/0OoEnkto6VLbkw=
 =lzG8
 -----END PGP SIGNATURE-----

Merge tag 'wireless-drivers-for-davem-2017-12-08' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers

Kalle Valo says:

====================
wireless-drivers fixes for 4.15

Second set of fixes for 4.15. This time a lot of iwlwifi patches and
two brcmfmac patches. Most important here are the MIC and IVC fixes
for iwlwifi to unbreak 9000 series.

iwlwifi

* fix rate-scaling to not start lowest possible rate

* fix the TX queue hang detection for AP/GO modes

* fix the TX queue hang timeout in monitor interfaces

* fix packet injection

* remove a wrong error message when dumping PCI registers

* fix race condition with RF-kill

* tell mac80211 when the MIC has been stripped (9000 series)

* tell mac80211 when the IVC has been stripped (9000 series)

* add 2 new PCI IDs, one for 9000 and one for 22000

* fix a queue hang due during a P2P Remain-on-Channel operation

brcmfmac

* fix a race which sometimes caused a crash during sdio unbind

* fix a kernel-doc related build error
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:48:49 -05:00
Antoine Tenart
8a7b741e76 net: mvpp2: fix the RSS table entry offset
The macro used to access or set an RSS table entry was using an offset
of 8, while it should use an offset of 0. This lead to wrongly configure
the RSS table, not accessing the right entries.

Fixes: 1d7d15d79f ("net: mvpp2: initialize the RSS tables")
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:35:15 -05:00
David S. Miller
b7e445a1c8 Merge branch 'tcp-RACK-loss-recovery-bug-fixes'
Yuchung Cheng says:

====================
tcp: RACK loss recovery bug fixes

This patch set has four minor bug fixes in TCP RACK loss recovery.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:12 -05:00
Yuchung Cheng
6065fd0d17 tcp: evaluate packet losses upon RTT change
RACK skips an ACK unless it advances the most recently delivered
TX timestamp (rack.mstamp). Since RACK also uses the most recent
RTT to decide if a packet is lost, RACK should still run the
loss detection whenever the most recent RTT changes. For example,
an ACK that does not advance the timestamp but triggers the cwnd
undo due to reordering, would then use the most recent (higher)
RTT measurement to detect further losses.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Priyaranjan Jha <priyarjha@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:11 -05:00
Yuchung Cheng
428aec5e69 tcp: fix off-by-one bug in RACK
RACK should mark a packet lost when remaining wait time is zero.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Priyaranjan Jha <priyarjha@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:11 -05:00
Yuchung Cheng
cd1fc85b43 tcp: always evaluate losses in RACK upon undo
When sender detects spurious retransmission, all packets
marked lost are remarked to be in-flight. However some may
be considered lost based on its timestamps in RACK. This patch
forces RACK to re-evaluate, which may be skipped previously if
the ACK does not advance RACK timestamp.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Priyaranjan Jha <priyarjha@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:11 -05:00
Yuchung Cheng
0ce294d884 tcp: correctly test congestion state in RACK
RACK does not test the loss recovery state correctly to compute
the reordering window. It assumes if lost_out is zero then TCP is
not in loss recovery. But it can be zero during recovery before
calling tcp_rack_detect_loss(): when an ACK acknowledges all
packets marked lost before receiving this ACK, but has not yet
to discover new ones by tcp_rack_detect_loss(). The fix is to
simply test the congestion state directly.

Signed-off-by: Yuchung Cheng <ycheng@google.com>
Reviewed-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Priyaranjan Jha <priyarjha@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:14:11 -05:00
Calvin Owens
2edbdb3159 bnxt_en: Fix sources of spurious netpoll warnings
After applying 2270bc5da3 ("bnxt_en: Fix netpoll handling") and
903649e718 ("bnxt_en: Improve -ENOMEM logic in NAPI poll loop."),
we still see the following WARN fire:

  ------------[ cut here ]------------
  WARNING: CPU: 0 PID: 1875170 at net/core/netpoll.c:165 netpoll_poll_dev+0x15a/0x160
  bnxt_poll+0x0/0xd0 exceeded budget in poll
  <snip>
  Call Trace:
   [<ffffffff814be5cd>] dump_stack+0x4d/0x70
   [<ffffffff8107e013>] __warn+0xd3/0xf0
   [<ffffffff8107e07f>] warn_slowpath_fmt+0x4f/0x60
   [<ffffffff8179519a>] netpoll_poll_dev+0x15a/0x160
   [<ffffffff81795f38>] netpoll_send_skb_on_dev+0x168/0x250
   [<ffffffff817962fc>] netpoll_send_udp+0x2dc/0x440
   [<ffffffff815fa9be>] write_ext_msg+0x20e/0x250
   [<ffffffff810c8125>] call_console_drivers.constprop.23+0xa5/0x110
   [<ffffffff810c9549>] console_unlock+0x339/0x5b0
   [<ffffffff810c9a88>] vprintk_emit+0x2c8/0x450
   [<ffffffff810c9d5f>] vprintk_default+0x1f/0x30
   [<ffffffff81173df5>] printk+0x48/0x50
   [<ffffffffa0197713>] edac_raw_mc_handle_error+0x563/0x5c0 [edac_core]
   [<ffffffffa0197b9b>] edac_mc_handle_error+0x42b/0x6e0 [edac_core]
   [<ffffffffa01c3a60>] sbridge_mce_output_error+0x410/0x10d0 [sb_edac]
   [<ffffffffa01c47cc>] sbridge_check_error+0xac/0x130 [sb_edac]
   [<ffffffffa0197f3c>] edac_mc_workq_function+0x3c/0x90 [edac_core]
   [<ffffffff81095f8b>] process_one_work+0x19b/0x480
   [<ffffffff810967ca>] worker_thread+0x6a/0x520
   [<ffffffff8109c7c4>] kthread+0xe4/0x100
   [<ffffffff81884c52>] ret_from_fork+0x22/0x40

This happens because we increment rx_pkts on -ENOMEM and -EIO, resulting
in rx_pkts > 0. Fix this by only bumping rx_pkts if we were actually
given a non-zero budget.

Signed-off-by: Calvin Owens <calvinowens@fb.com>
Acked-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 14:07:19 -05:00
David S. Miller
b25b3e2fd9 Merge branch 'tcp-bbr-sampling-fixes'
Neal Cardwell says:

====================
TCP BBR sampling fixes for loss recovery undo

This patch series has a few minor bug fixes for cases where spurious
loss recoveries can trick BBR estimators into estimating that the
available bandwidth is much lower than the true available bandwidth.
In both cases the fix here is to just reset the estimator upon loss
recovery undo.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:27:44 -05:00
Neal Cardwell
600647d467 tcp_bbr: reset long-term bandwidth sampling on loss recovery undo
Fix BBR so that upon notification of a loss recovery undo BBR resets
long-term bandwidth sampling.

Under high reordering, reordering events can be interpreted as loss.
If the reordering and spurious loss estimates are high enough, this
can cause BBR to spuriously estimate that we are seeing loss rates
high enough to trigger long-term bandwidth estimation. To avoid that
problem, this commit resets long-term bandwidth sampling on loss
recovery undo events.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:27:43 -05:00
Neal Cardwell
2f6c498e4f tcp_bbr: reset full pipe detection on loss recovery undo
Fix BBR so that upon notification of a loss recovery undo BBR resets
the full pipe detection (STARTUP exit) state machine.

Under high reordering, reordering events can be interpreted as loss.
If the reordering and spurious loss estimates are high enough, this
could previously cause BBR to spuriously estimate that the pipe is
full.

Since spurious loss recovery means that our overall sending will have
slowed down spuriously, this commit gives a flow more time to probe
robustly for bandwidth and decide the pipe is really full.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:27:43 -05:00
Neal Cardwell
c589e69b50 tcp_bbr: record "full bw reached" decision in new full_bw_reached bit
This commit records the "full bw reached" decision in a new
full_bw_reached bit. This is a pure refactor that does not change the
current behavior, but enables subsequent fixes and improvements.

In particular, this enables simple and clean fixes because the full_bw
and full_bw_cnt can be unconditionally zeroed without worrying about
forgetting that we estimated we filled the pipe in Startup. And it
enables future improvements because multiple code paths can be used
for estimating that we filled the pipe in Startup; any new code paths
only need to set this bit when they think the pipe is full.

Note that this fix intentionally reduces the width of the full_bw_cnt
counter, since we have never used the most significant bit.

Signed-off-by: Neal Cardwell <ncardwell@google.com>
Reviewed-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:27:43 -05:00
Bert Kenward
d4a7a8893d sfc: pass valid pointers from efx_enqueue_unwind
The bytes_compl and pkts_compl pointers passed to efx_dequeue_buffers
cannot be NULL. Add a paranoid warning to check this condition and fix
the one case where they were NULL.

efx_enqueue_unwind() is called very rarely, during error handling.
Without this fix it would fail with a NULL pointer dereference in
efx_dequeue_buffer, with efx_enqueue_skb in the call stack.

Fixes: e9117e5099 ("sfc: Firmware-Assisted TSO version 2")
Reported-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Bert Kenward <bkenward@solarflare.com>
Tested-by: Jarod Wilson <jarod@redhat.com>
Acked-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:25:39 -05:00
Claudiu Manoil
b6b5e8a691 gianfar: Disable EEE autoneg by default
This controller does not support EEE, but it may connect to a PHY
which supports EEE and advertises EEE by default, while its link
partner also advertises EEE. If this happens, the PHY enters low
power mode when the traffic rate is low and causes packet loss.
This patch disables EEE advertisement by default for any PHY that
gianfar connects to, to prevent the above unwanted outcome.

Signed-off-by: Shaohui Xie <Shaohui.Xie@nxp.com>
Tested-by: Yangbo Lu <Yangbo.lu@nxp.com>
Signed-off-by: Claudiu Manoil <claudiu.manoil@nxp.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 13:23:01 -05:00
Linus Torvalds
c6b3e9693f Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux
Pull s390 fixes from Martin Schwidefsky:

 - three more patches in regard to the SPDX license tags. The missing
   tags for the files in arch/s390/kvm will be merged via the KVM tree.
   With that all s390 related files should have their SPDX tags.

 - a patch to get rid of 'struct timespec' in the DASD driver.

 - bug fixes

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390: fix compat system call table
  s390/mm: fix off-by-one bug in 5-level page table handling
  s390: Remove redudant license text
  s390: add a few more SPDX identifiers
  s390/dasd: prevent prefix I/O error
  s390: always save and restore all registers on context switch
  s390/dasd: remove 'struct timespec' usage
  s390/qdio: restrict target-full handling to IQDIO
  s390/qdio: consider ERROR buffers for inbound-full condition
  s390/virtio: add BSD license to virtio-ccw
2017-12-08 10:10:17 -08:00
Linus Torvalds
6e7e7f4ddc arm64 fixes:
- Fix SW PAN pgd shadowing for kernel threads, EFI and exiting user tasks
 
 - Fix FP register leak when a task_struct is re-allocated
 
 - Fix potential use-after-free in FP state tracking used by KVM
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABCgAGBQJaKUT9AAoJELescNyEwWM0AdIH/RmM1E3LIbOga+9DyqeQ4i8/
 +8AVV0wFEyIYZY3APrFEnasrjuunWvCUZMOT5HwkfcWpBUmxKHmgG/Jy0dgvZ9at
 xC5WAgYZuN2Z1U9smrCWVBiUlojrxbaEPS/RR4QqB0ViHg2xBL8TW6Dolm8Rt4ei
 UMXyhLAzUPgTIzN+xiW10dg5VqwLv2y1HvbbaF3bUhidrccMeyz+7bpwYfk26n+c
 2N7XJqc9t7DxqBpr1ZSwUzAz89wVDI7cCll+9nTS0/UBDeYXSHwTqO8MbmoRVPo9
 Mlf0NdFwTqKE0YS/4q2QBfMog4fzJQmQrcrsoHUy/ZA2IBuUxKsBVn4SCG0Y9Q8=
 =Esv9
 -----END PGP SIGNATURE-----

Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux

Pull arm64 fixes from Will Deacon:
 "Fix some more FP register fallout from the SVE patches and also some
  problems with the PGD tracking in our software PAN emulation code,
  after we received a crash report from a 3.18 kernel running a
  backport.

  Summary:

   - fix SW PAN pgd shadowing for kernel threads, EFI and exiting user
     tasks

   - fix FP register leak when a task_struct is re-allocated

   - fix potential use-after-free in FP state tracking used by KVM"

* tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
  arm64/sve: Avoid dereference of dead task_struct in KVM guest entry
  arm64: SW PAN: Update saved ttbr0 value on enter_lazy_tlb
  arm64: SW PAN: Point saved ttbr0 at the zero page when switching to init_mm
  arm64: fpsimd: Abstract out binding of task's fpsimd context to the cpu.
  arm64: fpsimd: Prevent registers leaking from dead tasks
2017-12-08 10:08:23 -08:00
Linus Torvalds
3625de4b28 ACPI fix for v4.15-rc3
This fixes an out of bounds warning from KASAN in the ACPI
 CPPC driver.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJaKXLtAAoJEILEb/54YlRxEmUQAJ1MnvVoCIpB/NC/gcp8wBwZ
 Y9rOJhnsgTiAA8Or7YJCOhPAHCa2S16m/nCkgrZfSjNgYJ/nHT8SB5vw8Fkc/PIz
 Jmc3E/yVvn446c9ozSa3NALth5Ov90ys4HFsF3jjetTr7aDwmwjaC2pIGRBd6pUK
 nk1MBMdu4wsGYssCV3dMjH4B1TmnU3rLyCl95yFFI8jgjA4slVk+I3EtxrlSOOHy
 9wnbHOWch2UbJBDQLIhhgXKcUXDxnwfBJ8aoEGQ2LokTU1pdXMJG2RFPKG1Dtuqh
 JBhSRXe7jA7jkdGda6sXFOWc7hXMscf0FMOvf3+x7q91OIumtNqxIm45nTEdMOBl
 vT5eFsAUOD8HzaA9BYt/QVIFR9jG0leofVpgK+xGVzISWrLSavaEcuX1gblJ120I
 iJMd0zuPnrktjYRn6VWxVKXpGKr4/EqCuVRE3EHG9aERJtKsfN9vIh66m97JfI2D
 Eb8ifaL7nVIALoWPlq53Lhjllf/cCwvoUNMLhnnoqZU5HWOfolTyGQHeI0DjhQv2
 UCxjuKFCtBKQyMNNyWXF1MWOGcgky3v/4HdkYjfly1h0eO6l5owilj+OW4cxss9l
 NtUCuT2IsQ6dO5oooz+fHzvz0AkgtB+pYLZie28+b3Y5CgvnKTYsnxeMVchkcmo1
 XnL6KGvGgX68z/0AVrMt
 =35fs
 -----END PGP SIGNATURE-----

Merge tag 'acpi-4.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fix from Rafael Wysocki:
 "This fixes an out of bounds warning from KASAN in the ACPI CPPC
  driver"

* tag 'acpi-4.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI / CPPC: Fix KASAN global out of bounds warning
2017-12-08 10:05:53 -08:00
Linus Torvalds
7ed9fd2e29 Power management fix for v4.15-rc3
This fixes an issue in the device runtime PM framework that prevents
 customer devices from resuming if runtime PM is disabled for one or
 more of their supplier devices (as reflected by device links between
 those devices).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIbBAABCAAGBQJaKXG3AAoJEILEb/54YlRxBjQP90QAzPd1hg8bTmn9OQc3aB1q
 IRR6AZDx/ZQ4ORn1P5IVcjxB9hrnsRbfOi1saeiFrkNZfdr7i0X+ViF/4hjcQfuK
 mc//rKxGhUCqlT9mX4i0wY7quxglZWjFh3ld+qlQNNCip0D4JZEo8mYF4BFbjkg4
 s3940XvXxgx1RRB5b1PsfWrlnAc/LgE4o4+1HvVVPKQdZZPsDHWJkDGuhI4in+fS
 lIoiAzx8dkh6O1JRAQQoaurygtfCd4/ni552DhaiKPxXmoLK5dKl1RJqku2PxMk9
 4GdU2k/JFyQZOx1EMWWiINjqivUBq+dIbK2wo4kike5mAh7v71/PT5lIC2mNG8td
 xd/o9zFG8qZ9USZHFKQmQk7kftCebipYlEZkJiUueUQa3uXDt6BGUhZ/YUoEL/dv
 Svy3fx4iCz3eX98aoJIL9ng0O98BJdV0m9cxBm10qXVlBnsrP1gBp43OaNoxNUDz
 duh4/kJJ3EC0lnYdIOyP3Wl1pzQKO8ZLBr5iA+3Fnm6XWfx2/nKaUijIFu73oHJq
 0ZJaApH52yh00uL4Rwy0CKx2cZi67G7HVMoiZ/DpZFA6XEKrnfvBb/tHrZ/Z61rC
 BLSdBDgZZ2ZyitZgHrttKJV5cBgC8EIcewTGYDwU+s17KgtWsXermktYYWXigBFq
 fgcz+26Gzrv8mnpWk+M=
 =/T0U
 -----END PGP SIGNATURE-----

Merge tag 'pm-4.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fix from Rafael Wysocki:
 "This fixes an issue in the device runtime PM framework that prevents
  customer devices from resuming if runtime PM is disabled for one or
  more of their supplier devices (as reflected by device links between
  those devices)"

* tag 'pm-4.15-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM / runtime: Fix handling of suppliers with disabled runtime PM
2017-12-08 09:58:10 -08:00
Geert Uytterhoeven
589b754df3 of: overlay: Make node skipping in init_overlay_changeset() clearer
Make it more clear that nodes without "__overlay__" subnodes are
skipped, by reverting the logic and using continue.
This also reduces indentation level.

Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-12-08 09:32:18 -06:00
Geert Uytterhoeven
35e691eddc of: overlay: Fix out-of-bounds write in init_overlay_changeset()
If an overlay has no "__symbols__" node, but it has nodes without
"__overlay__" subnodes at the end (e.g. a "__fixups__" node), after
filling in all fragments for nodes with "__overlay__" subnodes,
"fragment = &fragments[cnt]" will point beyond the end of the allocated
array.

Hence writing to "fragment->overlay" will overwrite unallocated memory,
which may lead to a crash later.

Fix this by deferring both the assignment to "fragment" and the
offending write afterwards until we know for sure the node has an
"__overlay__" subnode, and thus a valid entry in "fragments[]".

Fixes: 61b4de4e0b ("of: overlay: minor restructuring")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Rob Herring <robh@kernel.org>
2017-12-08 09:32:10 -06:00
Yousuk Seung
d4761754b4 tcp: invalidate rate samples during SACK reneging
Mark tcp_sock during a SACK reneging event and invalidate rate samples
while marked. Such rate samples may overestimate bw by including packets
that were SACKed before reneging.

< ack 6001 win 10000 sack 7001:38001
< ack 7001 win 0 sack 8001:38001 // Reneg detected
> seq 7001:8001 // RTO, SACK cleared.
< ack 38001 win 10000

In above example the rate sample taken after the last ack will count
7001-38001 as delivered while the actual delivery rate likely could
be much lower i.e. 7001-8001.

This patch adds a new field tcp_sock.sack_reneg and marks it when we
declare SACK reneging and entering TCP_CA_Loss, and unmarks it after
the last rate sample was taken before moving back to TCP_CA_Open. This
patch also invalidates rate samples taken while tcp_sock.is_sack_reneg
is set.

Fixes: b9f64820fb ("tcp: track data delivery rate for a TCP connection")
Signed-off-by: Yousuk Seung <ysseung@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Priyaranjan Jha <priyarjha@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-08 10:07:02 -05:00
Stephane Grosjean
91785de6f9 can: peak/pcie_fd: fix potential bug in restarting tx queue
Don't rely on can_get_echo_skb() return value to wake the network tx
queue up: can_get_echo_skb() returns 0 if the echo array slot was not
occupied, but also when the DLC of the released echo frame was 0.

Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2017-12-08 10:51:53 +01:00
Martin Kelly
12147edc43 can: usb_8dev: cancel urb on -EPIPE and -EPROTO
In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2017-12-08 10:45:11 +01:00
Martin Kelly
6aa8d59455 can: kvaser_usb: cancel urb on -EPIPE and -EPROTO
In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2017-12-08 10:45:11 +01:00
Martin Kelly
7a31ced3de can: esd_usb2: cancel urb on -EPIPE and -EPROTO
In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2017-12-08 10:45:11 +01:00
Martin Kelly
bd352e1adf can: ems_usb: cancel urb on -EPIPE and -EPROTO
In mcba_usb, we have observed that when you unplug the device, the driver will
endlessly resubmit failing URBs, which can cause CPU stalls. This issue
is fixed in mcba_usb by catching the codes seen on device disconnect
(-EPIPE and -EPROTO).

This driver also resubmits in the case of -EPIPE and -EPROTO, so fix it
in the same way.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2017-12-08 10:45:11 +01:00
Martin Kelly
c7f3302330 can: mcba_usb: cancel urb on -EPROTO
When we unplug the device, we can see both -EPIPE and -EPROTO depending
on exact timing and what system we run on. If we continue to resubmit
URBs, they will immediately fail, and they can cause stalls, especially
on slower CPUs.

Fix this by not resubmitting on -EPROTO, as we already do on -EPIPE.

Signed-off-by: Martin Kelly <mkelly@xevo.com>
Cc: linux-stable <stable@vger.kernel.org>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2017-12-08 10:45:11 +01:00
Dave Airlie
90eeb3aa34 Merge tag 'drm-misc-fixes-2017-12-07' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes
regression fix for vc4 + rpm stable fix for analogix bridge

* tag 'drm-misc-fixes-2017-12-07' of git://anongit.freedesktop.org/drm/drm-misc:
  drm/bridge: analogix dp: Fix runtime PM state in get_modes() callback
  drm/vc4: Fix false positive WARN() backtrace on refcount_inc() usage
2017-12-08 08:17:53 +10:00
Dave Airlie
96980844bb Merge tag 'drm-intel-fixes-2017-12-07' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
- Fix for fd.o bug #103997 CNL eDP + HDMI causing a machine hard hang (James)
- Fix to allow suspending with a wedged GPU to hopefully unwedge it (Chris)
- Fix for Gen2 vblank timestap/frame counter jumps (Ville)
- Revert of a W/A for enabling FBC on CNL/GLK for certain images
  and sizes (Rodrigo)
- Lockdep fix for i915 userptr code (Chris)

gvt-fixes-2017-12-06

- Fix invalid hw reg read value for vGPU (Xiong)
- Fix qemu warning on PCI ROM bar missing (Changbin)
- Workaround preemption regression (Zhenyu)

* tag 'drm-intel-fixes-2017-12-07' of git://anongit.freedesktop.org/drm/drm-intel:
  Revert "drm/i915: Display WA #1133 WaFbcSkipSegments:cnl, glk"
  drm/i915: Call i915_gem_init_userptr() before taking struct_mutex
  drm/i915/gvt: set max priority for gvt context
  drm/i915/gvt: Don't mark vgpu context as inactive when preempted
  drm/i915/gvt: Limit read hw reg to active vgpu
  drm/i915/gvt: Export intel_gvt_render_mmio_to_ring_id()
  drm/i915/gvt: Emulate PCI expansion ROM base address register
  drm/i915/cnl: Mask previous DDI - PLL mapping
  drm/i915: Fix vblank timestamp/frame counter jumps on gen2
  drm/i915: Skip switch-to-kernel-context on suspend when wedged
2017-12-08 08:17:09 +10:00