Backmerge v4.9-rc8 to get at
commit e94bd1736f
Author: Michel Dänzer <michel.daenzer@amd.com>
Date: Wed Nov 30 17:30:01 2016 +0900
drm: Don't call drm_for_each_crtc with a non-KMS driver
so I can apply Michel's follow-up patch.
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Since commit 8a357d1004 ("drm: Nerf DRM_CONTROL nodes"), a
struct drm_device's ->control member is always NULL.
In the case of CONFIG_DEBUG_FS=y, amdgpu_debugfs_add_files() accesses
->control->debugfs_root though. This results in a NULL pointer
dereference.
Fix this by omitting the drm_debugfs_create_files() call for the
control minor debugfs directory which is now non-existent anyway.
Fixes: 8a357d1004 ("drm: Nerf DRM_CONTROL nodes")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=98915
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Tested-by: Mike Lothian <mike@fireburn.co.uk>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20161205203022.11671-1-nicstange@gmail.com
The drm_atomic_helper_connector_dpms
will set the connector back the old DPMS state
before returning. This makes it impossible to change
DPMS state of the connector.
Fixes: 0853695c3b
v2: edit of commit message
Cc: Chris Wilson <chris@chris-wilson.co.uk>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Eric Engestrom <eric.engestrom@imgtec.com>
Cc: Sean Paul <seanpaul@chromium.org>
Cc: dri-devel@lists.freedesktop.org
Cc: <drm-intel-fixes@lists.freedesktop.org>
Signed-off-by: Marta Lofstedt <marta.lofstedt@intel.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20161205120408.13056-1-marta.lofstedt@intel.com
Just refactoring HDMI driver by using infoframe helper
function, fixing GSC Kconfig dependency issue and including trivial
cleanups.
* 'exynos-drm-next' of git://git.kernel.org/pub/scm/linux/kernel/git/daeinki/drm-exynos:
drm/exynos: Use VIDEO_SAMSUNG_EXYNOS_GSC=n as GSC Kconfig dependency
drm/exynos: gsc: fix spelling mistakes
exynos-drm: Fix error messages to print flags and size
drm/exynos/hdmi: refactor infoframe code
- lots of code cleanup
- lots of bug fixes
- expose rpm based fan info via hwmon
- lots of clock and powergating fixes
- SI register header cleanup and conversion to common format used by newer asics
* 'drm-next-4.10' of git://people.freedesktop.org/~agd5f/linux: (54 commits)
drm/amdgpu: drop is_display_hung from display funcs
drm/amdgpu/uvd: reduce IB parsing overhead on UVD5+ (v2)
drm/amdgpu/uvd: consolidate code for fetching addr from ctx
drm/amdgpu: Disable DPM in virtualization
drm/amdgpu: use AMDGPU_GEM_CREATE_VRAM_CLEARED for VM PD/PTs (v2)
drm/amdgpu: improve AMDGPU_GEM_CREATE_VRAM_CLEARED handling (v2)
drm/amdgpu: fix error handling in amdgpu_bo_create_restricted
drm/amdgpu: fix amdgpu_fill_buffer (v2)
drm/amdgpu: remove amdgpu_irq_get_delayed
amdgpu: Wrap dev_err() calls on vm faults with printk_ratelimit()
amdgpu: Use dev_err() over vanilla printk() in vm_decode_fault()
drm/amd/amdgpu: port of DCE v6 to new headers (v3)
drm/amdgpu: cleanup unused iterator members for sdma v2.4
drm/amdgpu: cleanup unused iterator members for sdma v3
drm/amdgpu:impl vgt_flush for VI(V5)
drm/amdgpu: enable uvd mgcg for Fiji.
drm/amdgpu: refine cz uvd clock gate logic.
drm/amdgpu: change log level to KERN_INFO in ci_dpm.c
drm/amdgpu: always un-gate UVD REGS path.
drm/amdgpu/sdma: fix typo in packet setup
...
- fix dma-buf export path to return correct SG table
- trivially implement direct dma-buf mapping
- allow DRAW_INSTANCED commands in validator
- make the driver work on i.MX6SX, yielding a working 2D/3D stack
together with Mareks MXS DRM driver
* 'drm-etnaviv-next' of git://git.pengutronix.de/lst/linux:
MAINTAINERS: add etnaviv mailinglist
drm/etnaviv: move linear window on MC1.0 parts if necessary
drm/etnaviv: don't invoke OOM killer from dump code
drm/etnaviv: fix gem_prime_get_sg_table to return new SG table
drm/etnaviv: Allow DRAW_INSTANCED commands
drm/etnaviv: implement dma-buf mmap
- BIT_PERF_PTRS uses 32-bit pointers to its subtables, we were parsing
them as 16-bit, causing various issues on newer boards.
- Support for MXM on GM20x and up.
- More display-related fixes.
* 'linux-4.10' of git://github.com/skeggsb/linux:
drm/nouveau/mxm: warn more loudly on unsupported DCB version
drm/nouveau/mxm: handle DCB 4.1 modification
drm/nouveau/bios/mxm: handle digital connector table 1.1
drm/nouveau: Queue hpd_work on (runtime) resume
drm/nouveau: Rename acpi_work to hpd_work
drm/nouveau/kms/nv50: Fix atomic pageflip events.
drm/nouveau/fb/ram/gp100-: fix memory detection where FBP_NUM != FBPA_NUM
drm/nouveau/bios/volt: pointers are 32-bit
drm/nouveau/bios/vmap: pointers are 32-bit
drm/nouveau/bios/timing: pointers are 32-bit
drm/nouveau/bios/therm: pointers are 32-bit
drm/nouveau/bios/perf: pointers are 32-bit
drm/nouveau/bios/iccsense: pointers are 32-bit
drm/nouveau/bios/fan: pointers are 32-bit
drm/nouveau/bios/cstep: pointers are 32-bit
drm/nouveau/bios/boost: pointers are 32-bit
I suspect the version bump is just to signify that the table now specifies
pad macro/links instead of SOR/sublinks.
For our usage of the table, just recognising the new version is enough.
Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
In function qxl_release_alloc(), when kmalloc() returns a NULL pointer,
it returns value 0 and parameter *ret is uninitialized. 0 means no error
to the callers of qxl_release_alloc(). The callers keep going and will
try to reference the uninitialized variable. This patch fixes the bug,
returning "-ENOMEM" when kmalloc() fails.
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=188911
Signed-off-by: Pan Bian <bianpan2016@163.com>
[seanpaul fixed up subject prefix]
Signed-off-by: Sean Paul <seanpaul@chromium.org>
Link: http://patchwork.freedesktop.org/patch/msgid/1480777902-7648-1-git-send-email-bianpan2016@163.com
Commit aeefb36832 ("drm/exynos: gsc: add device tree support and remove
usage of static mappings") made the DRM_EXYNOS_GSC Kconfig symbol to only
be selectable if the exynos-gsc V4L2 driver isn't enabled, since both use
the same HW IP block.
But added the dependency as depends on !VIDEO_SAMSUNG_EXYNOS_GSC which is
not correct since Kconfig expressions are not boolean but tristate. So it
will only evaluate to 'n' if VIDEO_SAMSUNG_EXYNOS_GSC=y but will evaluate
to 'm' if VIDEO_SAMSUNG_EXYNOS_GSC=m.
This means that both the V4L2 and DRM drivers can be enabled if the former
is enabled as a module, which isn't what we want since otherwise 2 drivers
could attempt to use the hardware at the same time.
Signed-off-by: Javier Martinez Canillas <javier@osg.samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Trivial fixes to spelling mistakes "precalser" to "prescaler"
in dev_err messages
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Javier Martinez Canillas <javier@osg.samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Fix exynos_drm_gem_create() error messages to include flags and size when
flags and size are invalid.
Signed-off-by: Shuah Khan <shuahkh@osg.samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Use core helpers to generate infoframes and generate vendor frame if necessary.
Changelog:
- changed 'ret >= 0' checks to '!ret'
Signed-off-by: Andrzej Hajda <a.hajda@samsung.com>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
They're gone since 8a357d1004 ("drm: Nerf DRM_CONTROL nodes").
Spotted while doing a full audit when revieng a similar patch from
Nicolai for radeon.
v2: Drink coffee first aka don't forget the unregister side.
Cc: Dave Airlie <airlied@redhat.com>
Fixes: 8a357d1004 ("drm: Nerf DRM_CONTROL nodes")
Cc: Nicolai Stange <nicstange@gmail.com>
Acked-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Daniel Vetter <daniel.vetter@intel.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20161205072926.12546-1-daniel.vetter@ffwll.ch
Since commit 8a357d1004 ("drm: Nerf DRM_CONTROL nodes"), a
struct drm_device's ->control member is always NULL.
In the case of CONFIG_DEBUG_FS=y, radeon_debugfs_add_files() accesses
->control->debugfs_root though. This results in the following Oops:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000018
IP: radeon_debugfs_add_files+0x90/0x100 [radeon]
PGD 0
Oops: 0000 [#1] SMP
[...]
Call Trace:
? work_on_cpu+0xb0/0xb0
radeon_fence_driver_init+0x120/0x150 [radeon]
si_init+0x122/0xd50 [radeon]
? _raw_spin_unlock_irq+0x2c/0x40
? device_pm_check_callbacks+0xb3/0xc0
radeon_device_init+0x958/0xda0 [radeon]
radeon_driver_load_kms+0x9a/0x210 [radeon]
drm_dev_register+0xa9/0xd0 [drm]
drm_get_pci_dev+0x9c/0x1e0 [drm]
radeon_pci_probe+0xb8/0xe0 [radeon]
[...]
Fix this by omitting the drm_debugfs_create_files() call for the
control minor debugfs directory which is now non-existent anyway.
Fixes: 8a357d1004 ("drm: Nerf DRM_CONTROL nodes")
Signed-off-by: Nicolai Stange <nicstange@gmail.com>
Acked-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: http://patchwork.freedesktop.org/patch/msgid/20161203144700.2307-1-nicstange@gmail.com
-----BEGIN PGP SIGNATURE-----
iQEcBAABAgAGBQJYRIGyAAoJEHm+PkMAQRiG2ksH/jwMUT9j6glbwESxbn1YTqTM
QcBT5AMc7D0wNuidQe0hWZMtG4RbC+4ZhxzZl2wPgA2gueJ+rBnyX7bgtA7ka8ka
Fdc3u/Q1v38HPzf8iBnxcdCs40VgsoMLjFYCXrpOxuGDNKYzRd+Q8aI2TeGvzbyi
X8+6oAWifBwo2oA06jfcuUncEWbyDDyK9aQksmfKOpjHdb26yELPEhsPOlds1g7E
jYLnvUVnU2CoFaumta+rZQ0kzLdc4Ntu0wEao6WzJuQKsgoID+tS/6iudi8cUhDp
YowGAVoOfr6rAJB0mwrDVfugpamaT3386XKyocdNsK0/jR60UIJ8x+WzvvSU+lY=
=JTBj
-----END PGP SIGNATURE-----
Backmerge tag 'v4.9-rc8' into drm-next
Linux 4.9-rc8
Daniel requested this so we could apply some follow on fixes cleanly to -next.
Pull drm fixes from Dave Airlie:
"A pretty small pull request: a couple of AMD powerxpress regression
fixes and a power management fix, a couple of i915 fixes and one hdlcd
fix, along with one core don't oops because of incorrect API usage fix"
* tag 'drm-fixes-for-v4.9-rc8' of git://people.freedesktop.org/~airlied/linux:
drm/i915: drop the struct_mutex when wedged or trying to reset
drm/i915: Don't touch NULL sg on i915_gem_object_get_pages_gtt() error
drm: Don't call drm_for_each_crtc with a non-KMS driver
drm/radeon: fix check for port PM availability
drm/amdgpu: fix check for port PM availability
drm/amd/powerplay: initialize the soft_regs offset in struct smu7_hwmgr
drm: hdlcd: Fix cleanup order
2 intel fixes.
* tag 'drm-intel-fixes-2016-12-01' of git://anongit.freedesktop.org/git/drm-intel:
drm/i915: drop the struct_mutex when wedged or trying to reset
drm/i915: Don't touch NULL sg on i915_gem_object_get_pages_gtt() error
Merge more fixes from Andrew Morton:
"2 fixes"
* emailed patches from Andrew Morton <akpm@linux-foundation.org>:
mm, vmscan: add cond_resched() into shrink_node_memcg()
mm: workingset: fix NULL ptr in count_shadow_nodes
Boris Zhmurov has reported RCU stalls during the kswapd reclaim:
INFO: rcu_sched detected stalls on CPUs/tasks:
23-...: (22 ticks this GP) idle=92f/140000000000000/0 softirq=2638404/2638404 fqs=23
(detected by 4, t=6389 jiffies, g=786259, c=786258, q=42115)
Task dump for CPU 23:
kswapd1 R running task 0 148 2 0x00000008
Call Trace:
shrink_node+0xd2/0x2f0
kswapd+0x2cb/0x6a0
mem_cgroup_shrink_node+0x160/0x160
kthread+0xbd/0xe0
__switch_to+0x1fa/0x5c0
ret_from_fork+0x1f/0x40
kthread_create_on_node+0x180/0x180
a closer code inspection has shown that we might indeed miss all the
scheduling points in the reclaim path if no pages can be isolated from
the LRU list. This is a pathological case but other reports from Donald
Buczek have shown that we might indeed hit such a path:
clusterd-989 [009] .... 118023.654491: mm_vmscan_direct_reclaim_end: nr_reclaimed=193
kswapd1-86 [001] dN.. 118023.987475: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239830 nr_taken=0 file=1
kswapd1-86 [001] dN.. 118024.320968: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239844 nr_taken=0 file=1
kswapd1-86 [001] dN.. 118024.654375: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239858 nr_taken=0 file=1
kswapd1-86 [001] dN.. 118024.987036: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239872 nr_taken=0 file=1
kswapd1-86 [001] dN.. 118025.319651: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239886 nr_taken=0 file=1
kswapd1-86 [001] dN.. 118025.652248: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239900 nr_taken=0 file=1
kswapd1-86 [001] dN.. 118025.984870: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4239914 nr_taken=0 file=1
[...]
kswapd1-86 [001] dN.. 118084.274403: mm_vmscan_lru_isolate: isolate_mode=0 classzone=0 order=0 nr_requested=32 nr_scanned=4241133 nr_taken=0 file=1
this is minute long snapshot which didn't take a single page from the
LRU. It is not entirely clear why only 1303 pages have been scanned
during that time (maybe there was a heavy IRQ activity interfering).
In any case it looks like we can really hit long periods without
scheduling on non preemptive kernels so an explicit cond_resched() in
shrink_node_memcg which is independent on the reclaim operation is due.
Link: http://lkml.kernel.org/r/20161202095841.16648-1-mhocko@kernel.org
Signed-off-by: Michal Hocko <mhocko@suse.com>
Reported-by: Boris Zhmurov <bb@kernelpanic.ru>
Tested-by: Boris Zhmurov <bb@kernelpanic.ru>
Reported-by: Donald Buczek <buczek@molgen.mpg.de>
Reported-by: "Christopher S. Aker" <caker@theshore.net>
Reported-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
When building a specific target such as bzImage, modules aren't normally
built. However if CONFIG_TRIM_UNUSED_KSYMS is enabled, no built modules
means none of the exported symbols are used and therefore they will all
be trimmed away from the final kernel. A subsequent "make modules" will
fail because modpost cannot find the needed symbols for those modules in
the kernel binary.
Let's make sure modules are also built whenever CONFIG_TRIM_UNUSED_KSYMS
is enabled and that the kernel binary is properly rebuilt accordingly.
Signed-off-by: Nicolas Pitre <nico@linaro.org>
Tested-by: Jarod Wilson <jarod@redhat.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This should be the last set of bugfixes for arm-soc in v4.9.
None of these are critical regressions, but it would be nice
to still get them merged.
- On the Juno platform, the idle latency was described wrong,
leading to suboptimal cpuidle tuning.
- Also on the same platform, PCI I/O space was set up incorrectly
and could not work.
- On the sti platform, a syntactically incorrect DT entry caused
warnings.
- The newly added 'gr8' platform has somewhat confusing file
names, which we rename for consistency.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIVAwUAWEHbGWCrR//JCVInAQKDbg//RRY2HqrkaRhEk9ZKFlWA4TiOqp61vuB9
FheAld7gwtY7fnqsfiWrXWQz6oIa/MGq0BYvvcemrUaVAjDA8PP3M8LoeC797bnP
pPsmlVgjq86wWBAgHyTTEQsmuIMAZaaVoSCrrk9GFpNstNrPBVLm/yDs0A5/Ft87
se9Mvm/X8SErDB7GcOjyaH3rYk+pFr9irDvJzup0A/JeESohdLQOsWFi+WUg9sSr
9fiAkSIHyivHoNwvNGXgg2+PV9EyAtStEvzTe60zElRVtwKeVX+CwBt56neHMzIE
yqKrayJ0ZAeTeobtYZtV+jgqFnv9h8anXostty3nlsqOxlZ/wxrQRLkly5UJFiuF
yXP0850ocIzsiBtInbbv1w4+08YP84i7CMIU1GGrPfUBguarAJrWWhfhPnMLiy0F
PZABUqeKgA+nEuM1gwTnC+pR+73CBPPn4B0Li2pRedA42rCXJIzFkEMuxEupyrcL
LZMxwK5C5iUkJMFPIM/q9par4gkIjbLoYLC1yMPY0OziaT5WHG5qpfSmbXBsLo2S
yezdNS9BKts3stOXfcH9ZeuqeaiZyZ3hi4Ry+cXoVmVs26zE0QHv4uVm5h0gc2J8
BcgovfCJd/sTPL+FwZQB8BjCGOrkZW95Lg+79kSmxZyV6hvMglu6kJ1K2M3KTO7l
7J+g5f790+k=
=0ZGG
-----END PGP SIGNATURE-----
Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc
Pull ARM SoC fixes from Arnd Bergmann:
"This should be the last set of bugfixes for arm-soc in v4.9. None of
these are critical regressions, but it would be nice to still get them
merged.
- On the Juno platform, the idle latency was described wrong, leading
to suboptimal cpuidle tuning.
- Also on the same platform, PCI I/O space was set up incorrectly and
could not work.
- On the sti platform, a syntactically incorrect DT entry caused
warnings.
- The newly added 'gr8' platform has somewhat confusing file names,
which we rename for consistency"
* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
arm64: dts: juno: fix cluster sleep state entry latency on all SoC versions
arm64: dts: juno: Correct PCI IO window
ARM: dts: STiH407-family: fix i2c nodes
ARM: gr8: Rename the DTSI and relevant DTS
Pull networking fixes from David Miller:
1) Lots more phydev and probe error path leaks in various drivers by
Johan Hovold.
2) Fix race in packet_set_ring(), from Philip Pettersson.
3) Use after free in dccp_invalid_packet(), from Eric Dumazet.
4) Signnedness overflow in SO_{SND,RCV}BUFFORCE, also from Eric
Dumazet.
5) When tunneling between ipv4 and ipv6 we can be left with the wrong
skb->protocol value as we enter the IPSEC engine and this causes all
kinds of problems. Set it before the output path does any
dst_output() calls, from Eli Cooper.
6) bcmgenet uses wrong device struct pointer in DMA API calls, fix from
Florian Fainelli.
7) Various netfilter nat bug fixes from FLorian Westphal.
8) Fix memory leak in ipvlan_link_new(), from Gao Feng.
9) Locking fixes, particularly wrt. socket lookups, in l2tp from
Guillaume Nault.
10) Avoid invoking rhash teardowns in atomic context by moving netlink
cb->done() dump completion from a worker thread. Fix from Herbert
Xu.
11) Buffer refcount problems in tun and macvtap on errors, from Jason
Wang.
12) We don't set Kconfig symbol DEFAULT_TCP_CONG properly when the user
selects BBR. Fix from Julian Wollrath.
13) Fix deadlock in transmit path on altera TSE driver, from Lino
Sanfilippo.
14) Fix unbalanced reference counting in dsa_switch_tree, from Nikita
Yushchenko.
15) tc_tunnel_key needs to be properly exported to userspace via uapi,
fix from Roi Dayan.
16) rds_tcp_init_net() doesn't unregister notifier in error path, fix
from Sowmini Varadhan.
17) Stale packet header pointer access after pskb_expand_head() in
genenve driver, fix from Sabrina Dubroca.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (103 commits)
net: avoid signed overflows for SO_{SND|RCV}BUFFORCE
geneve: avoid use-after-free of skb->data
tipc: check minimum bearer MTU
net: renesas: ravb: unintialized return value
sh_eth: remove unchecked interrupts for RZ/A1
net: bcmgenet: Utilize correct struct device for all DMA operations
NET: usb: qmi_wwan: add support for Telit LE922A PID 0x1040
cdc_ether: Fix handling connection notification
ip6_offload: check segs for NULL in ipv6_gso_segment.
RDS: TCP: unregister_netdevice_notifier() in error path of rds_tcp_init_net
Revert: "ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()"
ipv6: Set skb->protocol properly for local output
ipv4: Set skb->protocol properly for local output
packet: fix race condition in packet_set_ring
net: ethernet: altera: TSE: do not use tx queue lock in tx completion handler
net: ethernet: altera: TSE: Remove unneeded dma sync for tx buffers
net: ethernet: stmmac: fix of-node and fixed-link-phydev leaks
net: ethernet: stmmac: platform: fix outdated function header
net: ethernet: stmmac: dwmac-meson8b: fix probe error path
net: ethernet: stmmac: dwmac-generic: fix probe error path
...
CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...
Note that before commit 8298193012 ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.
This needs to be backported to all known linux kernels.
Again, many thanks to syzkaller team for discovering this gem.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
geneve{,6}_build_skb can end up doing a pskb_expand_head(), which
makes the ip_hdr(skb) reference we stashed earlier stale. Since it's
only needed as an argument to ip_tunnel_ecn_encap(), move this
directly in the function call.
Fixes: 08399efc63 ("geneve: ensure ECN info is handled properly in all tx/rx paths")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: John W. Linville <linville@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Qian Zhang (张谦) reported a potential socket buffer overflow in
tipc_msg_build() which is also known as CVE-2016-8632: due to
insufficient checks, a buffer overflow can occur if MTU is too short for
even tipc headers. As anyone can set device MTU in a user/net namespace,
this issue can be abused by a regular user.
As agreed in the discussion on Ben Hutchings' original patch, we should
check the MTU at the moment a bearer is attached rather than for each
processed packet. We also need to repeat the check when bearer MTU is
adjusted to new device MTU. UDP case also needs a check to avoid
overflow when calculating bearer MTU.
Fixes: b97bf3fd8f ("[TIPC] Initial merge")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Reported-by: Qian Zhang (张谦) <zhangqian-c@360.cn>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-----BEGIN PGP SIGNATURE-----
iQFHBAABCgAxFiEES2FAuYbJvAGobdVQPTuqJaypJWoFAlhAkJ0THG1rbEBwZW5n
dXRyb25peC5kZQAKCRA9O6olrKklarJlCACp3d7A2H/xNs+9mz0KNW/r1Dn+gwjh
ZMvcHEs0FvYjzdpgstd7I7My1iNGbNsjm4MNwyfsGoLAEivPl+tmDcvVR+rpBJRE
k5jtHUGAwkKEUubVT199Oj4YY5YVUTi7YmqedArXMdHP4kRx+efhrjtmjI2CoL/j
XS2W0YA8MmaKgyTS/UTElZ8/SlX6o1ZJp5JrEFUexyURw7qlTThKJ+jDdhrL7pUx
zxamj3umv6F5N21ZIGZTBIMEzVOSfU3nPZGC5M/K4rNNznM/X7sYM8ALjY/bSPNU
zykf/Ut5BcLaLXm/tyNZvNfv7Y8LCCImO05U8BY9yDDgigmgF62YhT8w
=iiHQ
-----END PGP SIGNATURE-----
Merge tag 'linux-can-fixes-for-4.9-20161201' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
Marc Kleine-Budde says:
====================
pull-request: can 2016-12-02
this is a pull request for net/master.
There are two patches by Stephane Grosjean, who adds support for the new
PCAN-USB X6 USB interface to the pcan_usb driver.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
We want to set the other "err" variable here so that we can return it
later. My version of GCC misses this issue but I caught it with a
static checker.
Fixes: 9f70eb339f ("net: ethernet: renesas: ravb: fix fixed-link phydev leaks")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
When streaming a lot of data and the RZ/A1 can't keep up, some status bits
will get set that are not being checked or cleared which cause the
following messages and the Ethernet driver to stop working. This
patch fixes that issue.
irq 21: nobody cared (try booting with the "irqpoll" option)
handlers:
[<c036b71c>] sh_eth_interrupt
Disabling IRQ #21
Fixes: db893473d3 ("sh_eth: Add support for r7s72100")
Signed-off-by: Chris Brandt <chris.brandt@renesas.com>
Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
__bcmgenet_tx_reclaim() and bcmgenet_free_rx_buffers() are not using the
same struct device during unmap that was used for the map operation,
which makes DMA-API debugging warn about it. Fix this by always using
&priv->pdev->dev throughout the driver, using an identical device
reference for all map/unmap calls.
Fixes: 1c1008c793 ("net: bcmgenet: add main driver file")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Ozgur Karatas reported that the very first entry in the CREDITS file had
the wrong tag for name (M: instead of N: - it happened when moving the
entry from the MAINTAINERS file, where 'M:' stands for "Maintainer").
And when I went looking, I found a couple of other cases of wrong
tagging too.
Reported-by: Ozgur Karatas <mueddib@yandex.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
This patch adds support for PID 0x1040 of Telit LE922A.
The qmi adapter requires to have DTR set for proper working,
so QMI_WWAN_QUIRK_DTR has been enabled.
Signed-off-by: Daniele Palmas <dnlplm@gmail.com>
Acked-by: Bjørn Mork <bjorn@mork.no>
Signed-off-by: David S. Miller <davem@davemloft.net>
Commit bfe9b9d2df ("cdc_ether: Improve ZTE MF823/831/910 handling")
introduced a work-around in usbnet_cdc_status() for devices that exported
cdc carrier on twice on connect. Before the commit, this behavior caused
the link state to be incorrect. It was assumed that all CDC Ethernet
devices would either export this behavior, or send one off and then one on
notification (which seems to be the default behavior).
Unfortunately, it turns out multiple devices sends a connection
notification multiple times per second (via an interrupt), even when
connection state does not change. This has been observed with several
different USB LAN dongles (at least), for example 13b1:0041 (Linksys).
After bfe9b9d2df, the link state has been set as down and then up for
each notification. This has caused a flood of Netlink NEWLINK messages and
syslog to be flooded with messages similar to:
cdc_ether 2-1:2.0 eth1: kevent 12 may have been dropped
This commit fixes the behavior by reverting usbnet_cdc_status() to how it
was before bfe9b9d2df. The work-around has been moved to a separate
status-function which is only called when a known, affect device is
detected.
v1->v2:
* Do not open-code netif_carrier_ok() (thanks Henning Schild).
* Call netif_carrier_off() instead of usb_link_change(). This prevents
calling schedule_work() twice without giving the work queue a chance to be
processed (thanks Bjørn Mork).
Fixes: bfe9b9d2df ("cdc_ether: Improve ZTE MF823/831/910 handling")
Reported-by: Henning Schild <henning.schild@siemens.com>
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The etnaviv project now has its own mailinglist, add it to the
MAINTAINERS file, so kernel patches get CC'ed to it.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
On i.MX6SX the physical memory is placed above the 2GB mark, so the GPU
linear window has to be moved for the GPU to work at all. This doesn't
mix with the FAST_CLEAR feature, as the TS unit doesn't take the linear
window offset into account and will corrupt memory when used with a
non-zero offset.
Move the linear window if it's necessary for the GPU to work, but avoid
announcing FAST_CLEAR support to userspace in this case.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Tested-by: Marek Vasut <marex@denx.de>
The dumper is only a debugging aid so we don't want to invoke the OOM
killer if buffer for the potentially large GPU state can't be vmalloced.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
The object internal SG table must not be returned, as the caller
will take ownership of the returned table.
Construct a new table from the object pages and return this one
instead.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Vivante GPUs with HALTI0 feature support a DRAW_INSTANCED command in the
command stream to draw a number of instances of the same geometry.
The information that has been figured out about the command can be found
here: https://github.com/etnaviv/etna_viv/blob/master/rnndb/cmdstream.xml#L270
This command is not allowed currently by the DRM driver because it
was not known before. This patch enables parsing it in command
streams and allows using it by userspace drivers.
Signed-off-by: Wladimir J. van der Laan <laanwj@gmail.com>
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
This adds the required boilerplate to allow direct mmap of exported
etnaviv BOs.
Signed-off-by: Lucas Stach <l.stach@pengutronix.de>
Tested-by: Philipp Zabel <p.zabel@pengutronix.de>
If some error is encountered in rds_tcp_init_net, make sure to
unregister_netdevice_notifier(), else we could trigger a panic
later on, when the modprobe from a netns fails.
Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This reverts commit ae148b0858
("ip6_tunnel: Update skb->protocol to ETH_P_IPV6 in ip6_tnl_xmit()").
skb->protocol is now set in __ip_local_out() and __ip6_local_out() before
dst_output() is called. It is no longer necessary to do it for each tunnel.
Cc: stable@vger.kernel.org
Signed-off-by: Eli Cooper <elicooper@gmx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When xfrm is applied to TSO/GSO packets, it follows this path:
xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
where skb_gso_segment() relies on skb->protocol to function properly.
This patch sets skb->protocol to ETH_P_IPV6 before dst_output() is called,
fixing a bug where GSO packets sent through an ipip6 tunnel are dropped
when xfrm is involved.
Cc: stable@vger.kernel.org
Signed-off-by: Eli Cooper <elicooper@gmx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When xfrm is applied to TSO/GSO packets, it follows this path:
xfrm_output() -> xfrm_output_gso() -> skb_gso_segment()
where skb_gso_segment() relies on skb->protocol to function properly.
This patch sets skb->protocol to ETH_P_IP before dst_output() is called,
fixing a bug where GSO packets sent through a sit tunnel are dropped
when xfrm is involved.
Cc: stable@vger.kernel.org
Signed-off-by: Eli Cooper <elicooper@gmx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.
This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.
The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.
Fixes: f6fb8f100b ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson <philip.pettersson@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
All architectures avoid memory corruption in an error path.
ARM prevents bogus acknowledgement of interrupts.
-----BEGIN PGP SIGNATURE-----
iQEcBAABCAAGBQJYQaDPAAoJEED/6hsPKofoq8gH/iJR/fcYg1ovboEaDIDdm/PI
XzbNgrYZID8Nk04chU2Dh1eD8k3DG64txuOEs+jf3XBPYNnU8TAlw6qHVMG6kzGJ
zA0CLGgH62DKXLuvnDJ75mpiJmzioGd4hdk0G8CIb9W2ySSUgrcmXMI3AoVP44lY
LKTCITKq6ePfQ7AIbd3a6YXaR0ZTNP52e1Y4vx+Hsl9WcrMUGKyCmd9IcDI9DrZr
ahMn+wx3Wzvb/NzH25OYkMAC9X5C7+b6O0IZm0ie8F8iU+JLlgGNiAHxQ5yAbu28
hzINTTUnwIxgoi/ZN0M8i+fo0RLKq5OCzPMTnUUgdloBL786XREW2t3Ca0kqavg=
=XdK2
-----END PGP SIGNATURE-----
Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm
Pull KVM fixes from Radim Krčmář:
"All architectures avoid memory corruption in an error path. ARM
prevents bogus acknowledgement of interrupts"
* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
KVM: use after free in kvm_ioctl_create_device()
KVM: arm/arm64: vgic: Don't notify EOI for non-SPIs