Commit Graph

708230 Commits

Author SHA1 Message Date
David S. Miller
5be9541a09 Merge tag 'mlx5-fixes-2017-10-26' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux
Saeed Mahameed says:

====================
Mellanox, mlx5 fixes 2017-10-26

The series includes some misc fixes for mlx5 core and etherent driver.
Please pull and let me know if there's any problem.

For -Stable:
net/mlx5e: Properly deal with encap flows add/del under neigh update (kernels >= 4.12)
net/mlx5: Fix health work queue spin lock to IRQ safe  (kernels >= 4.13)
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 22:23:41 +09:00
Ingo Molnar
90edaac627 Revert "x86/mm: Limit mmap() of /dev/mem to valid physical addresses"
This reverts commit ce56a86e2a.

There's unanticipated interaction with some boot parameters like 'mem=',
which now cause the new checks via valid_mmap_phys_addr_range() to be too
restrictive, crashing a Qemu bootup in fact, as reported by Fengguang Wu.

So while the motivation of the change is still entirely valid, we
need a few more rounds of testing to get it right - it's way too late
after -rc6, so revert it for now.

Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: Craig Bergstrom <craigb@google.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Andy Lutomirski <luto@kernel.org>
Cc: Borislav Petkov <bp@alien8.de>
Cc: Brian Gerst <brgerst@gmail.com>
Cc: Denys Vlasenko <dvlasenk@redhat.com>
Cc: H. Peter Anvin <hpa@zytor.com>
Cc: Josh Poimboeuf <jpoimboe@redhat.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Luis R. Rodriguez <mcgrof@suse.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Toshi Kani <toshi.kani@hp.com>
Cc: dsafonov@virtuozzo.com
Cc: kirill.shutemov@linux.intel.com
Cc: mhocko@suse.com
Cc: oleg@redhat.com
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-10-27 10:06:49 +02:00
Juergen Gross
8fc669ea16 maintainers: drop Chris Wright from pvops
Mails to chrisw@sous-sol.org are not deliverable since several months.
Drop him as PARAVIRT_OPS maintainer.

Signed-off-by: Juergen Gross <jgross@suse.com>
Acked-by: Chris Wright <chrisw@redhat.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
2017-10-27 08:46:41 +02:00
David S. Miller
9618aec334 Here are:
* follow-up fixes for the WoWLAN security issue, to fix a
    partial TKIP key material problem and to use crypto_memneq()
  * a change for better enforcement of FQ's memory limit
  * a disconnect/connect handling fix, and
  * a user rate mask validation fix
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEH1e1rEeCd0AIMq6MB8qZga/fl8QFAlnwmYYACgkQB8qZga/f
 l8RsaA/+JmY4UM3mf/W7PDNDxDyhXOHEboJJzQ4lDZPzouTD0AJPSRrYOw1OqUmw
 LRnHizz2P75YT0WT7Esqa68eU1y2akiA8uzEIhgczwMDGO2w9M6Ca74UPw2+GGsV
 KQGKHY/GRZ4uAD+8K+mUvHUtIpomFyt3mrM0qvxu4Sw3UAe5bS3StLwJ+jJ34cp/
 A9odYOUnCgzN7ZilPqfn5aApYI60nBtsAgbqFxoVp2rDCJXMuXA2d9q00HErCFzj
 NT4r9JfaXTMgbywxd5QJaS4b4/Xdq2sEFXBNN/ElKgA3bOGGfmW0BGIx64+D2wMi
 gPv0a7MeX45keyA0uIljxzyxMmNsI37MDCg2Px153BblI4zuxUBD/Dd9ankzW34r
 PZ1FX6txVDgE1xTshPUar2hn33Ju6rL1/+H4eQqB8vRiN73j/ri4JT+SWTtrJgXE
 yAx9AXzfOwVUV3FlmpXIuIlqgV1iOcCTR9UoramUNoqZSJmd0lX2M0I55DGjfaJe
 JYjGYofP1Cbqsw8TdI2QsRanPt9/kFgTnAkGbse3o+/X+CMAzOiIPFawR8PwbdaZ
 aH35+HQJz432IKu5i3csh3f3qV2Vgj4i1ogV2CEDBLjKDCMNZ6py0NATNMAkkjWS
 ULlHLV96YEEyh2Lv5s7pZ7HMbBc+3IQ7xmsukkczfv1cUIHnS8E=
 =6b1o
 -----END PGP SIGNATURE-----

Merge tag 'mac80211-for-davem-2017-10-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
pull-request: mac80211 2017-10-25

Here are:
 * follow-up fixes for the WoWLAN security issue, to fix a
   partial TKIP key material problem and to use crypto_memneq()
 * a change for better enforcement of FQ's memory limit
 * a disconnect/connect handling fix, and
 * a user rate mask validation fix
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-27 13:50:06 +09:00
Dave Airlie
ce485df43d Merge tag 'drm-intel-fixes-2017-10-26' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
One fix for stable:

- fix perf enable/disable ioctls for 32bits (Lionel)

Plus GVT fixes:

- Fix per_ctx_bb check (Zhenyu)
- Fix GPU hang of Linux guest (Xion)
- Refine MMIO_RING_F to check for presence of VCS2 ring (Zhi)

* tag 'drm-intel-fixes-2017-10-26' of git://anongit.freedesktop.org/drm/drm-intel:
  drm/i915/gvt: Adding ACTHD mmio read handler
  drm/i915/gvt: Extract mmio_read_from_hw() common function
  drm/i915/gvt: Refine MMIO_RING_F()
  drm/i915/gvt: properly check per_ctx bb valid state
2017-10-27 11:43:17 +10:00
Linus Torvalds
15f859ae5c Fourth -rc update for 4.14 kernel
- Fix an oops issue in the new RDMA netlink code
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJZ8N4VAAoJELgmozMOVy/dy5QP/jQFbwq8TOU5yJdYUAsI7dEy
 uNXAe/A4WvaqOslXIBJ+pU+BiH53XAUSkpB6A1LdobT51DVCxuOrvilhp0YOQHGF
 qisscMTLJHsATkI7jKo3MxZ/XJ8yl7X+85NlAsNjzD4ZOEoajhqwz/I5eQve0X6Y
 TX3tUSqM1i/hEPwsiIG5HrQwVNrESTgMO3Zhg94lY0MSEgtfpJswsf+TaunfbhXC
 +SqUDIPeKo9hNlJdptB5RYbu6zSnhByHTmTdx0xRAoQ0fUDGA/V8szxDeW/znejx
 DSXyGN5k1+aBT9vAyGpDKIPLaVOFHk5PSzxr/vQPQ901m8WKlp/HGmDwqb1ognv3
 cOWoBlE6K5Z+JMdKduuiOB9/ncIHs6zjLFsXt9d6Eojc7yCX16XN+cCovzh3EEBj
 sa/GUoU3LlOrs0rfLEkEvH48kLtRtfH9i1yb4pDkQ9JNh2slOqtLwHJOSMAX2a9Z
 nULpMh4DywbQ579weQRgykA+D1GsOV71YR3zjFS7eNovn6iBRtn1X/Ym+lho3Pmk
 a001b4RXjDyez0BAjSzrnxr7KqJAUCh3qo6P4WvnAydfOnVj8HXvJypd+m5MdR4/
 T1OzfubQ6Gf1E156mMutJD/cK0Pmudxb8GnufGZf5om3L6xhWH3QKKm+ZiKYqAYv
 apXhCB2ok6FYYCzIb5E7
 =IiYe
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma

Pull rdma fix from Doug Ledford:
 "Fix an oops issue in the new RDMA netlink code"

* tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
  RDMA/netlink: OOPs in rdma_nl_rcv_msg() from misinterpreted flag
2017-10-26 23:04:14 +02:00
Sebastian Andrzej Siewior
a494ee6cfd arm/xen: don't inclide rwlock.h directly.
rwlock.h should not be included directly. Instead linux/splinlock.h
should be included. One thing it does is to break the RT build.

Cc: Stefano Stabellini <sstabellini@kernel.org>
Cc: xen-devel@lists.xenproject.org
Cc: linux-arm-kernel@lists.infradead.org
Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Reviewed-by: Stefano Stabellini <sstabellini@kernel.org>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
2017-10-26 16:58:17 -04:00
Xiong Zhang
894e287b3d drm/i915/gvt: Adding ACTHD mmio read handler
When a workload is too heavy to finish it in gpu hang check timer
intervals(1.5), gpu hang check function will check ACTHD register
value to decide whether gpu is real dead or not. On real hw,
ACTHD is updated by HW when workload is running, then host kernel
won't think it is gpu hang. while guest kernel always read a constant
ACTHD value as GVT doesn't supply ACTHD emulate handler, then
guest kernel detects a fake gpu hang.

To remove such guest fake gpu hang, this patch supply ACTHD
mmio read handler which read real HW ACTHD register directly.

Signed-off-by: Xiong Zhang <xiong.y.zhang@intel.com>
Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/b4c9a097-3e62-124e-6856-b0c37764df7b@intel.com
2017-10-26 11:29:44 -07:00
Xiong Zhang
20a2bcdec5 drm/i915/gvt: Extract mmio_read_from_hw() common function
The mmio read handler for ring timestmap / instdone register are same
as reading hw value directly.

Extract it as common function to reduce code duplications.

Signed-off-by: Xiong Zhang <xiong.y.zhang@intel.com>
Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
2017-10-27 01:39:00 +08:00
Zhi Wang
edee7ecdb4 drm/i915/gvt: Refine MMIO_RING_F()
Inspect if the host has VCS2 ring by host i915 macro in MMIO_RING_F().
Also this helps on reducing some LOCs.

Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
2017-10-27 01:38:56 +08:00
Zhenyu Wang
8f63fc2bc6 drm/i915/gvt: properly check per_ctx bb valid state
Need to check valid state for per_ctx bb and bypass batch buffer
combine for scan if necessary. Otherwise adding invalid MI batch
buffer start cmd for per_ctx bb will cause scan failure, which is
taken as -EFAULT now so vGPU would be put in failsafe. This trys
to fix that by checking per_ctx bb valid state. Also remove old
invalid WARNING that indirect ctx bb shouldn't depend on valid
per_ctx bb.

Signed-off-by: Zhenyu Wang <zhenyuw@linux.intel.com>
Signed-off-by: Zhi Wang <zhi.a.wang@intel.com>
2017-10-27 01:37:13 +08:00
Linus Torvalds
80c094a47d Revert "apparmor: add base infastructure for socket mediation"
This reverts commit 651e28c553.

This caused a regression:
 "The specific problem is that dnsmasq refuses to start on openSUSE Leap
  42.2.  The specific cause is that and attempt to open a PF_LOCAL socket
  gets EACCES.  This means that networking doesn't function on a system
  with a 4.14-rc2 system."

Sadly, the developers involved seemed to be in denial for several weeks
about this, delaying the revert.  This has not been a good release for
the security subsystem, and this area needs to change development
practices.

Reported-and-bisected-by: James Bottomley <James.Bottomley@hansenpartnership.com>
Tracked-by: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-26 19:35:35 +02:00
Steve French
4587eee04e SMB3: Validate negotiate request must always be signed
According to MS-SMB2 3.2.55 validate_negotiate request must
always be signed. Some Windows can fail the request if you send it unsigned

See kernel bugzilla bug 197311

CC: Stable <stable@vger.kernel.org>
Acked-by: Ronnie Sahlberg <lsahlber.redhat.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2017-10-26 12:20:59 -05:00
Linus Torvalds
5678255027 Power management fix for v4.14-rc7
This fixes a device power management quality of service (PM QoS)
 framework implementation issue causing "no restriction" requests
 for device resume latency, including "no restriction" set by user
 space, to effectively override requests with specific device
 resume latency requirements.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJZ8bk1AAoJEILEb/54YlRx1BYP/1l7SG1e9fZZYWR38luZMWu4
 fsfr5h6Iwk0zmuHL3gOiH7KNhkMzJyFf6VMCjv0+B1XPrzWVTIFCJnmyUb1vs7fP
 TkUs66q/O3sOlxUq/oqTZrj/qnoKNgaDeJgqtPPOgJdJXoZdpiOyXJZg22lZEwuR
 07Vu49oCXgVf2b2Vr8e4L12onDytj51pzIlfh45mk2J/Qbc7tAZvgaKPIJ3HomoP
 1sEBpWvN0PCLvGw877r8barWE1plWHupo4jKv9XyM/RY+avgT9Bz4KFNXGgaLlm7
 V36ek0kZOTCKNPTs0wIEwT1dRRr01rb9YgYjvv40ncmJ9CCpWZKHsFiqUH+o84Ac
 gXQrvNrB0LdOYm0Ox7dgG/Tn6lMvPZgrJ64ukLpBX8Kv/josKaV275vBp+tneBTs
 GUqGdotc8SQIs8wPIiA1hYnAFSy6D9ZuuvIPPBqe2qyZHzRSbnacRKdCDEAW1Dql
 EEkC9NrqPsA1YxOIMbHrBnLSQTdXmJq3+aiG1AJ23ZM27gFbJ0qlSsuBChyNSfaa
 z6c2QQ3f2trcAsOX6TaKZzYSvI4H77CJkcIQh76aC88GJaxq+E5ZH3eTfyCuxc9H
 k4bgfWj5tsqWys0uZjFsxDPGuxX3oFq2nG31fVyqn9ZLY5soJ5v1yZLfNWfDatnG
 EoIzWIHTojWsV95M0TLQ
 =rWEH
 -----END PGP SIGNATURE-----

Merge tag 'pm-4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fix from Rafael Wysocki:
 "This fixes a device power management quality of service (PM QoS)
  framework implementation issue causing 'no restriction' requests for
  device resume latency, including 'no restriction' set by user space,
  to effectively override requests with specific device resume latency
  requirements.

  It is late in the cycle, but the bug in question is in the 'user space
  can trigger unexpected behavior' category and the fix is
  stable-candidate, so here it goes"

* tag 'pm-4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  PM / QoS: Fix device resume latency PM QoS
2017-10-26 19:10:39 +02:00
Lorenzo Pieralisi
814eae5982 alpha/PCI: Move pci_map_irq()/pci_swizzle() out of initdata
The introduction of {map/swizzle}_irq() hooks in the struct pci_host_bridge
allowed to replace the pci_fixup_irqs() PCI IRQ allocation in alpha arch
PCI code with per-bridge map/swizzle functions with commit 0e4c2eeb75
("alpha/PCI: Replace pci_fixup_irqs() call with host bridge IRQ mapping
hooks").

As a side effect of converting PCI IRQ allocation to the struct
pci_host_bridge {map/swizzle}_irq() hooks mechanism, the actual PCI IRQ
allocation function (ie pci_assign_irq()) is carried out per-device in
pci_device_probe() that is called when a PCI device driver is about to be
probed.

This means that, for drivers compiled as loadable modules, the actual PCI
device IRQ allocation can now happen after the system has booted so the
struct pci_host_bridge {map/swizzle}_irq() hooks pci_assign_irq() relies on
must stay valid after the system has booted so that PCI core can carry out
PCI IRQ allocation correctly.

Most of the alpha board structures pci_map_irq() and pci_swizzle() hooks
(that are used to initialize their struct pci_host_bridge equivalent
through the alpha_mv global variable - that represents the struct
alpha_machine_vector of the running kernel) are marked as
__init/__initdata; this causes freed memory dereferences when PCI IRQ
allocation is carried out after the kernel has booted (ie when loading PCI
drivers as loadable module) because when the kernel tries to bind the PCI
device to its (module) driver, the function pci_assign_irq() is called,
that in turn retrieves the struct pci_host_bridge {map/swizzle}_irq() hooks
to carry out PCI IRQ allocation; if those hooks are marked as __init
code/__initdata they point at freed/invalid memory.

Fix the issue by removing the __init/__initdata markers from all subarch
struct alpha_machine_vector.pci_map_irq()/pci_swizzle() functions (and
data).

Fixes: 0e4c2eeb75 ("alpha/PCI: Replace pci_fixup_irqs() call with host bridge IRQ mapping hooks")
Link: http://lkml.kernel.org/r/alpine.LRH.2.21.1710251043170.7098@math.ut.ee
Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: Richard Henderson <rth@twiddle.net>
Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru>
Cc: Meelis Roos <mroos@linux.ee>
Cc: Matt Turner <mattst88@gmail.com>
2017-10-26 11:53:38 -05:00
Yan Markman
cda80a82ac ARM: dts: mvebu: pl310-cache disable double-linefill
Under heavy system stress mvebu SoC using Cortex A9 sporadically
encountered instability issues.

The "double linefill" feature of L2 cache was identified as causing
dependency between read and write which lead to the deadlock.

Especially, it was the cause of deadlock seen under heavy PCIe traffic,
as this dependency violates PCIE overtaking rule.

Fixes: c8f5a878e5 ("ARM: mvebu: use DT properties to fine-tune the L2 configuration")
Cc: stable@vger.kernel.org
Signed-off-by: Yan Markman <ymarkman@marvell.com>
Signed-off-by: Igal Liberman <igall@marvell.com>
Signed-off-by: Nadav Haklai <nadavh@marvell.com>
[gregory.clement@free-electrons.com: reformulate commit log, add Armada
375 and add Fixes tag]
Signed-off-by: Gregory CLEMENT <gregory.clement@free-electrons.com>
2017-10-26 17:41:26 +02:00
Linus Torvalds
3b5a9a8e65 Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
 "A few select fixes that should go into this series. Mainly for NVMe,
  but also a single stable fix for nbd from Josef"

* 'for-linus' of git://git.kernel.dk/linux-block:
  nbd: handle interrupted sendmsg with a sndtimeo set
  nvme-rdma: Fix error status return in tagset allocation failure
  nvme-rdma: Fix possible double free in reconnect flow
  nvmet: synchronize sqhd update
  nvme-fc: retry initial controller connections 3 times
  nvme-fc: fix iowait hang
2017-10-26 17:08:48 +02:00
Linus Torvalds
832c6b18f9 spi: Fixes for v4.14
There are a bunch of device specific fixes (more than I'd like, I've
 been lax sending these) plus one important core fix for the conversion
 to use an IDR for bus number allocation which avoids issues with
 collisions when some but not all of the buses in the system have a fixed
 bus number specified.
 
 The Armada changes are rather large, specificially "spi: armada-3700:
 Fix padding when sending not 4-byte aligned data", but it's a storage
 corruption issue and there's things like indentation changes which make
 it look bigger than it really is.  It's been cooking in -next for quite
 a while now and is part of the reason for the delay.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlnxrd0THGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0BAyB/4mb+sFzmPMeFsXPc+e90SriBSjPOUx
 sNg4F5gZtC4n+I2EiUUucSyTTosxcXGlteVb87hhBp6aa5vqs5Ja6XCjljqVutys
 mz0+l8U5jHoRVKcIosywn2TgJPAIMBXzuMlPD3EQBywBbvXGbAktgY/04xaqQPwz
 5+20OyHW1/IPAR+mLYtAov/MYpd7HjsQphBBz9PJefsRqySk9yWcFEWKFvuNVhEr
 WDGRRsIWfyDJvjDqhKeQGOvNeukTPaNxZRvT2+k9hVq1Vw05PYBpVDjP1Z3ina7G
 CY3rIh/G/FQd9xEkGSIRrkAGFG02BkoJho0KgwlUlgr16BVaFVHLi8Nm
 =yd2a
 -----END PGP SIGNATURE-----

Merge tag 'spi-fix-v4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "There are a bunch of device specific fixes (more than I'd like, I've
  been lax sending these) plus one important core fix for the conversion
  to use an IDR for bus number allocation which avoids issues with
  collisions when some but not all of the buses in the system have a
  fixed bus number specified.

  The Armada changes are rather large, specificially "spi: armada-3700:
  Fix padding when sending not 4-byte aligned data", but it's a storage
  corruption issue and there's things like indentation changes which
  make it look bigger than it really is. It's been cooking in -next for
  quite a while now and is part of the reason for the delay"

* tag 'spi-fix-v4.14-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: fix IDR collision on systems with both fixed and dynamic SPI bus numbers
  spi: bcm-qspi: Fix use after free in bcm_qspi_probe() in error path
  spi: a3700: Return correct value on timeout detection
  spi: uapi: spidev: add missing ioctl header
  spi: stm32: Fix logical error in stm32_spi_prepare_mbr()
  spi: armada-3700: Fix padding when sending not 4-byte aligned data
  spi: armada-3700: Fix failing commands with quad-SPI
2017-10-26 17:06:35 +02:00
Linus Torvalds
601c5c2ee9 A small lock imbalance fix, marked for stable.
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJZ8ZbOAAoJEEp/3jgCEfOLZHIIAIKTozqoCggLvSDCBO8ZNFsf
 HyvgHoZ5VkxIrznIOji602h8eNimVysBSQZG8I723fWIQg+4wknIZnM8VpDlN3BA
 R9QabSWWtiTuU45iDzBE81ehObonEWBXsmcyNEl1kI8rJVbYDnKojSWJgidLP2hV
 mr3Rdabim8aFNqpkWbgNRi9S4fr1up8OT+Rzjdf6ojzcWeArIac+zo1lp3sLrH2P
 /NqjRUW1PyAFlL+pBeP8cGhGdyhZtbSSBzH+y+28L5mql0B8+GGeCJTZ8SjZA8UP
 wL1HWltMg6Tv+XoXv1AOHUQJ/0VIdSx1jmffyvHXxAUkPg1eofGtLwui+qsLJEg=
 =T3kg
 -----END PGP SIGNATURE-----

Merge tag 'ceph-for-4.14-rc7' of git://github.com/ceph/ceph-client

Pull ceph fix from Ilya Dryomov:
 "A small lock imbalance fix, marked for stable"

* tag 'ceph-for-4.14-rc7' of git://github.com/ceph/ceph-client:
  ceph: unlock dangling spinlock in try_flush_caps()
2017-10-26 17:04:20 +02:00
Alexander Duyck
62b4c6694d i40e: Add programming descriptors to cleaned_count
This patch updates the i40e driver to include programming descriptors in
the cleaned_count. Without this change it becomes possible for us to leak
memory as we don't trigger a large enough allocation when the time comes to
allocate new buffers and we end up overwriting a number of rx_buffers equal
to the number of programming descriptors we encountered.

Fixes: 0e626ff7cc ("i40e: Fix support for flow director programming status")
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Anders K. Pedersen <akp@cohaesio.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2017-10-26 07:42:58 -07:00
Alexander Duyck
10781348ca i40e: Fix incorrect use of tx_itr_setting when checking for Rx ITR setup
It looks like there was either a copy/paste error or just a typo that
resulted in the Tx ITR setting being used to determine if we were using
adaptive Rx interrupt moderation or not.

This patch fixes the typo.

Fixes: 65e87c0398 ("i40evf: support queue-specific settings for interrupt moderation")
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2017-10-26 07:42:58 -07:00
Alexander Duyck
069db9cd0b ixgbe: Fix Tx map failure path
This patch is a partial revert of "ixgbe: Don't bother clearing buffer
memory for descriptor rings". Specifically I messed up the exception
handling path a bit and this resulted in us incorrectly adding the count
back in when we didn't need to.

In order to make this simpler I am reverting most of the exception handling
path change and instead just replacing the bit that was handled by the
unmap_and_free call.

Fixes: ffed21bcee ("ixgbe: Don't bother clearing buffer memory for descriptor rings")
Signed-off-by: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2017-10-26 07:42:58 -07:00
Jean-Philippe Brucker
104ba83363 igb: Fix TX map failure path
When the driver cannot map a TX buffer, instead of rolling back
gracefully and retrying later, we currently get a panic:

[  159.885994] igb 0000:00:00.0: TX DMA map failed
[  159.886588] Unable to handle kernel paging request at virtual address ffff00000a08c7a8
               ...
[  159.897031] PC is at igb_xmit_frame_ring+0x9c8/0xcb8

Fix the erroneous test that leads to this situation.

Signed-off-by: Jean-Philippe Brucker <jean-philippe.brucker@arm.com>
Tested-by: Andrew Bowers <andrewx.bowers@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2017-10-26 07:42:58 -07:00
Colin Ian King
5983587c8c e1000: avoid null pointer dereference on invalid stat type
Currently if the stat type is invalid then data[i] is being set
either by dereferencing a null pointer p, or it is reading from
an incorrect previous location if we had a valid stat type
previously.  Fix this by skipping over the read of p on an invalid
stat type.

Detected by CoverityScan, CID#113385 ("Explicit null dereferenced")

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Reviewed-by: Alexander Duyck <alexander.h.duyck@intel.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2017-10-26 07:42:57 -07:00
Vincenzo Maffione
44c445c3d1 e1000: fix race condition between e1000_down() and e1000_watchdog
This patch fixes a race condition that can result into the interface being
up and carrier on, but with transmits disabled in the hardware.
The bug may show up by repeatedly IFF_DOWN+IFF_UP the interface, which
allows e1000_watchdog() interleave with e1000_down().

    CPU x                           CPU y
    --------------------------------------------------------------------
    e1000_down():
        netif_carrier_off()
                                    e1000_watchdog():
                                        if (carrier == off) {
                                            netif_carrier_on();
                                            enable_hw_transmit();
                                        }
        disable_hw_transmit();
                                    e1000_watchdog():
                                        /* carrier on, do nothing */

Signed-off-by: Vincenzo Maffione <v.maffione@gmail.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
2017-10-26 07:42:57 -07:00
Juergen Gross
5266b8e444 xen: fix booting ballooned down hvm guest
Commit 96edd61dcf ("xen/balloon: don't
online new memory initially") introduced a regression when booting a
HVM domain with memory less than mem-max: instead of ballooning down
immediately the system would try to use the memory up to mem-max
resulting in Xen crashing the domain.

For HVM domains the current size will be reflected in Xenstore node
memory/static-max instead of memory/target.

Additionally we have to trigger the ballooning process at once.

Cc: <stable@vger.kernel.org> # 4.13
Fixes: 96edd61dcf ("xen/balloon: don't
       online new memory initially")

Reported-by: Simon Gaiser <hw42@ipsumj.de>
Suggested-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Juergen Gross <jgross@suse.com>
Reviewed-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
Signed-off-by: Boris Ostrovsky <boris.ostrovsky@oracle.com>
2017-10-26 08:11:44 -04:00
Girish Moodalbail
78e0ea6791 tap: double-free in error path in tap_open()
Double free of skb_array in tap module is causing kernel panic. When
tap_set_queue() fails we free skb_array right away by calling
skb_array_cleanup(). However, later on skb_array_cleanup() is called
again by tap_sock_destruct through sock_put(). This patch fixes that
issue.

Fixes: 362899b872 (macvtap: switch to use skb array)
Signed-off-by: Girish Moodalbail <girish.moodalbail@oracle.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 17:57:39 +09:00
Yousuk Seung
5889e2c0e4 tcp: call tcp_rate_skb_sent() when retransmit with unaligned skb->data
Current implementation calls tcp_rate_skb_sent() when tcp_transmit_skb()
is called when it clones skb only. Not calling tcp_rate_skb_sent() is OK
for all such code paths except from __tcp_retransmit_skb() which happens
when skb->data address is not aligned. This may rarely happen e.g. when
small amount of data is sent initially and the receiver partially acks
odd number of bytes for some reason, possibly malicious.

Signed-off-by: Yousuk Seung <ysseung@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 17:47:55 +09:00
Eric Dumazet
06f877d613 tcp/dccp: fix other lockdep splats accessing ireq_opt
In my first attempt to fix the lockdep splat, I forgot we could
enter inet_csk_route_req() with a freshly allocated request socket,
for which refcount has not yet been elevated, due to complex
SLAB_TYPESAFE_BY_RCU rules.

We either are in rcu_read_lock() section _or_ we own a refcount on the
request.

Correct RCU verb to use here is rcu_dereference_check(), although it is
not possible to prove we actually own a reference on a shared
refcount :/

In v2, I added ireq_opt_deref() helper and use in three places, to fix other
possible splats.

[   49.844590]  lockdep_rcu_suspicious+0xea/0xf3
[   49.846487]  inet_csk_route_req+0x53/0x14d
[   49.848334]  tcp_v4_route_req+0xe/0x10
[   49.850174]  tcp_conn_request+0x31c/0x6a0
[   49.851992]  ? __lock_acquire+0x614/0x822
[   49.854015]  tcp_v4_conn_request+0x5a/0x79
[   49.855957]  ? tcp_v4_conn_request+0x5a/0x79
[   49.858052]  tcp_rcv_state_process+0x98/0xdcc
[   49.859990]  ? sk_filter_trim_cap+0x2f6/0x307
[   49.862085]  tcp_v4_do_rcv+0xfc/0x145
[   49.864055]  ? tcp_v4_do_rcv+0xfc/0x145
[   49.866173]  tcp_v4_rcv+0x5ab/0xaf9
[   49.868029]  ip_local_deliver_finish+0x1af/0x2e7
[   49.870064]  ip_local_deliver+0x1b2/0x1c5
[   49.871775]  ? inet_del_offload+0x45/0x45
[   49.873916]  ip_rcv_finish+0x3f7/0x471
[   49.875476]  ip_rcv+0x3f1/0x42f
[   49.876991]  ? ip_local_deliver_finish+0x2e7/0x2e7
[   49.878791]  __netif_receive_skb_core+0x6d3/0x950
[   49.880701]  ? process_backlog+0x7e/0x216
[   49.882589]  __netif_receive_skb+0x1d/0x5e
[   49.884122]  process_backlog+0x10c/0x216
[   49.885812]  net_rx_action+0x147/0x3df

Fixes: a6ca7abe53 ("tcp/dccp: fix lockdep splat in inet_csk_route_req()")
Fixes: c92e8c02fe ("tcp/dccp: fix ireq->opt races")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: kernel test robot <fengguang.wu@intel.com>
Reported-by: Maciej Żenczykowski <maze@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 17:41:32 +09:00
Håkon Bugge
a0c0865fa0 rds: Fix inaccurate accounting of unsignaled wrs
The number of unsignaled work-requests posted to the IB send queue is
tracked by a counter in the rds_ib_connection struct. When it reaches
zero, or the caller explicitly asks for it, the send-signaled bit is
set in send_flags and the counter is reset. This is performed by the
rds_ib_set_wr_signal_state() function.

However, this function is not always used which yields inaccurate
accounting. This commit fixes this, re-factors a code bloat related to
the matter, and makes the actual parameter type to the function
consistent.

Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 17:35:57 +09:00
Håkon Bugge
e9a0b99804 rds: ib: Fix uninitialized variable
send_flags needs to be initialized before calling
rds_ib_set_wr_signal_state().

Signed-off-by: Håkon Bugge <haakon.bugge@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 17:34:38 +09:00
David S. Miller
d2c2490e7e linux-can-fixes-for-4.14-20171024
-----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEE4bay/IylYqM/npjQHv7KIOw4HPYFAlnvHlATHG1rbEBwZW5n
 dXRyb25peC5kZQAKCRAe/sog7Dgc9tBJB/9sLLdYdtrp0L1KlJ+PNVjNcq993ai4
 6wlh0ay+JKiMZzepkEEYjI8lFdFVxmvB9czOL3FgV6Cb2tW7/vTs3gtv1LuvA92o
 9QsOXQtH/KO+bbuPiHPRvuSMO56OMZtxrJSK0prdkodOimDWwnkLZ4jHStNjvmIt
 wuE4fYH8K9jp80qtyQ9Al0COvR+ePZtfaDWn3YhO0swEUfcClALl2OqUd2MRl3Ut
 dkfbCoGCR7PNnFDNxPACoOu0FLUl01iLDf5fWx43SLKwFhnjf6eomkukyBTzrBT4
 bHsPT4hYMkkA+YCQ5TmTDlK6IRwXfvIkgSimFItFE+t+0Rfr2XFIrnps
 =IxfN
 -----END PGP SIGNATURE-----

Merge tag 'linux-can-fixes-for-4.14-20171024' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2017-10-24

here's another pull request for net/master.

The patch by Gerhard Bertelsmann fixes the CAN_CTRLMODE_LOOPBACK in the
sun4i driver. Two patches by Jimmy Assarsson for the kvaser_usb driver
fix a print in the error path of the kvaser_usb_close() and remove a
wrong warning message with the Leaf v2 firmware version v4.1.844.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 17:17:45 +09:00
Antoine Tenart
239dd4ee48 net: mvpp2: do not sleep in set_rx_mode
This patch replaces GFP_KERNEL by GFP_ATOMIC to avoid sleeping in the
ndo_set_rx_mode() call which is called with BH disabled.

Fixes: 3f518509de ("ethernet: Add new driver for Marvell Armada 375 network unit")
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 17:07:52 +09:00
Antoine Tenart
20746d717e net: mvpp2: fix invalid parameters order when calling the tcam init
When calling mvpp2_prs_mac_multi_set() from mvpp2_prs_mac_init(), two
parameters (the port index and the table index) are inverted. Fixes
this.

Fixes: 3f518509de ("ethernet: Add new driver for Marvell Armada 375 network unit")
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 17:07:52 +09:00
Antoine Tenart
ef4816f0ee net: mvpp2: fix typo in the tcam setup
This patch fixes a typo in the mvpp2_prs_tcam_data_cmp() function, as
the shift value is inverted with the data.

Fixes: 3f518509de ("ethernet: Add new driver for Marvell Armada 375 network unit")
Signed-off-by: Antoine Tenart <antoine.tenart@free-electrons.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 17:07:52 +09:00
Huy Nguyen
be0f161ef1 net/mlx5e: DCBNL, Implement tc with ets type and zero bandwidth
Previously, tc with ets type and zero bandwidth is not accepted
by driver. This behavior does not follow the IEEE802.1qaz spec.

If there are tcs with ets type and zero bandwidth, these tcs are
assigned to the lowest priority tc_group #0. We equally distribute
100% bw of the tc_group #0 to these zero bandwidth ets tcs.
Also, the non zero bandwidth ets tcs are assigned to tc_group #1.

If there is no zero bandwidth ets tc, the non zero bandwidth ets tcs
are assigned to tc_group #0.

Fixes: cdcf11212b ("net/mlx5e: Validate BW weight values of ETS")
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Parav Pandit <parav@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
2017-10-26 00:47:27 -07:00
Or Gerlitz
3c37745ec6 net/mlx5e: Properly deal with encap flows add/del under neigh update
Currently, the encap action offload is handled in the actions parse
function and not in mlx5e_tc_add_fdb_flow() where we deal with all
the other aspects of offloading actions (vlan, modify header) and
the rule itself.

When the neigh update code (mlx5e_tc_encap_flows_add()) recreates the
encap entry and offloads the related flows, we wrongly call again into
mlx5e_tc_add_fdb_flow(), this for itself would cause us to handle
again the offloading of vlans and header re-write which puts things
in non consistent state and step on freed memory (e.g the modify
header parse buffer which is already freed).

Since on error, mlx5e_tc_add_fdb_flow() detaches and may release the
encap entry, it causes a corruption at the neigh update code which goes
over the list of flows associated with this encap entry, or double free
when the tc flow is later deleted by user-space.

When neigh update (mlx5e_tc_encap_flows_del()) unoffloads the flows related
to an encap entry which is now invalid, we do a partial repeat of the eswitch
flow removal code which is wrong too.

To fix things up we do the following:

(1) handle the encap action offload in the eswitch flow add function
    mlx5e_tc_add_fdb_flow() as done for the other actions and the rule itself.

(2) modify the neigh update code (mlx5e_tc_encap_flows_add/del) to only
    deal with the encap entry and rules delete/add and not with any of
    the other offloaded actions.

Fixes: 232c001398 ('net/mlx5e: Add support to neighbour update flow')
Signed-off-by: Or Gerlitz <ogerlitz@mellanox.com>
Reviewed-by: Paul Blakey <paulb@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
2017-10-26 00:47:27 -07:00
Huy Nguyen
4ca637a20a net/mlx5: Delay events till mlx5 interface's add complete for pci resume
mlx5_ib_add is called during mlx5_pci_resume after a pci error.
Before mlx5_ib_add completes, there are multiple events which trigger
function mlx5_ib_event. This cause kernel panic because mlx5_ib_event
accesses unitialized resources.

The fix is to extend Erez Shitrit's patch <97834eba7c19>
("net/mlx5: Delay events till ib registration ends") to cover
the pci resume code path.

Trace:
mlx5_core 0001:01:00.6: mlx5_pci_resume was called
mlx5_core 0001:01:00.6: firmware version: 16.20.1011
mlx5_core 0001:01:00.6: mlx5_attach_interface:164:(pid 779):
mlx5_ib_event:2996:(pid 34777): warning: event on port 1
mlx5_ib_event:2996:(pid 34782): warning: event on port 1
Unable to handle kernel paging request for data at address 0x0001c104
Faulting instruction address: 0xd000000008f411fc
Oops: Kernel access of bad area, sig: 11 [#1]
...
...
Call Trace:
[c000000fff77bb70] [d000000008f4119c] mlx5_ib_event+0x64/0x470 [mlx5_ib] (unreliable)
[c000000fff77bc60] [d000000008e67130] mlx5_core_event+0xb8/0x210 [mlx5_core]
[c000000fff77bd10] [d000000008e4bd00] mlx5_eq_int+0x528/0x860[mlx5_core]

Fixes: 97834eba7c ("net/mlx5: Delay events till ib registration ends")
Signed-off-by: Huy Nguyen <huyn@mellanox.com>
Reviewed-by: Saeed Mahameed <saeedm@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
2017-10-26 00:47:27 -07:00
Moshe Shemesh
6377ed0bba net/mlx5: Fix health work queue spin lock to IRQ safe
spin_lock/unlock of health->wq_lock should be IRQ safe.
It was changed to spin_lock_irqsave since adding commit 0179720d6b
("net/mlx5: Introduce trigger_health_work function") which uses
spin_lock from asynchronous event (IRQ) context.
Thus, all spin_lock/unlock of health->wq_lock should have been moved
to IRQ safe mode.
However, one occurrence on new code using this lock missed that
change, resulting in possible deadlock:
  kernel: Possible unsafe locking scenario:
  kernel:       CPU0
  kernel:       ----
  kernel:  lock(&(&health->wq_lock)->rlock);
  kernel:  <Interrupt>
  kernel:    lock(&(&health->wq_lock)->rlock);
  kernel: #012 *** DEADLOCK ***

Fixes: 2a0165a034 ("net/mlx5: Cancel delayed recovery work when unloading the driver")
Signed-off-by: Moshe Shemesh <moshe@mellanox.com>
Signed-off-by: Saeed Mahameed <saeedm@mellanox.com>
2017-10-26 00:47:27 -07:00
Linus Torvalds
4ed590271a Changes since last time:
- Rework nowait locking code to reduce locking overhead penalty
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABCgAGBQJZ7pgxAAoJEPh/dxk0SrTrDtcQAKPBwD1xaAS78/JtJ5cmE/ug
 sC98CzPu8tUCyx2NxUZh3I54C+Ww85UZ2RjGPdDuapLcl2mE415l9ztEoom1H4Xt
 RpHd/R0GczdHSylV8AI1sBDoSjhUyG7Wpb4OMr+8e+Tv3RvACvQw91BzyHsDOKx5
 u03ggEQzKTfkl1p+UKFkZYTd+RxZQhBZYlRakQBqWRJe0s63U+nePkEPFgq/zteN
 /20JO/ILoGS36FZ00Rf+vWim5fIIZDpDWYSZqM+LBDjgeajaka6lQrXZCQDXxMb+
 khC3OAS8fe36xX+SdmN6qAz8bSWHy7Ql/erB7go+obCrsS4Bkbf8g83Nbn7njIYK
 7U0tLXYzU/9JAG7Q/HbHgN3nGwGyIBdBt5/XJjNiHgeKR4ItmEwNDvw9RnMqqfCC
 I0EFvjizOlL5rRW5MUph52+gg+SfY8qZ8k7N4DhJPVEzYwB3f9xjiJDI6QsQM8Ne
 cVkKbqogLH3sA10iKRwdXGftPXegunjWrx/MYEY2YxTyd4Q7C6DS9o/tLjk9I3TX
 XZmCaP24DhQrat1yz31T/aeAWUMk5441+cVn5lGVPs0pQuhth3zm3UP+gHx8Vl1y
 O2o2w77Zv5P9hafiXcrw3ppq9zLMdHcXgLlkJozk8g+PuJbOhKiSO0g3YYjvPeYV
 DtSQds69R+gn08WRVV8m
 =EnkX
 -----END PGP SIGNATURE-----

Merge tag 'xfs-4.14-fixes-7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux

Pull xfs fix from Darrick Wong:
 "Here's (hopefully) the last bugfix for 4.14:

   - Rework nowait locking code to reduce locking overhead penalty"

* tag 'xfs-4.14-fixes-7' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
  xfs: fix AIM7 regression
2017-10-26 08:45:40 +02:00
Jonathan Basseri
2b06cdf3e6 xfrm: Clear sk_dst_cache when applying per-socket policy.
If a socket has a valid dst cache, then xfrm_lookup_route will get
skipped. However, the cache is not invalidated when applying policy to a
socket (i.e. IPV6_XFRM_POLICY). The result is that new policies are
sometimes ignored on those sockets. (Note: This was broken for IPv4 and
IPv6 at different times.)

This can be demonstrated like so,
1. Create UDP socket.
2. connect() the socket.
3. Apply an outbound XFRM policy to the socket. (setsockopt)
4. send() data on the socket.

Packets will continue to be sent in the clear instead of matching an
xfrm or returning a no-match error (EAGAIN). This affects calls to
send() and not sendto().

Invalidating the sk_dst_cache is necessary to correctly apply xfrm
policies. Since we do this in xfrm_user_policy(), the sk_lock was
already acquired in either do_ip_setsockopt() or do_ipv6_setsockopt(),
and we may call __sk_dst_reset().

Performance impact should be negligible, since this code is only called
when changing xfrm policy, and only affects the socket in question.

Fixes: 00bc0ef588 ("ipv6: Skip XFRM lookup if dst_entry in socket cache is valid")
Tested: https://android-review.googlesource.com/517555
Tested: https://android-review.googlesource.com/418659
Signed-off-by: Jonathan Basseri <misterikkit@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
2017-10-26 08:19:03 +02:00
Linus Torvalds
035bcf88d5 hwmon fixes for v4.14-rc7
- Fix initial temperature readings for TMP102
 - Fix timeouts in DA9052 driver by increasing its sampling rate
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJZ8UcSAAoJEMsfJm/On5mBSHUQAIHtZzl7m5H1aFhPFQIU1VTk
 SsT2Cu3nYmBQ05gExJRSAm+cKVhZcOJSX0iR5vBQbz+E6yDFY3v0m/2ZUUN1lEY8
 JYKWUJj8gXMTxSCHYEDJ2i4VezjFbXg7GWdSgY1KVMK6zCkJPM6XtfJTYhj8/hGF
 cLUgPipgwMYkFi19fser4ulcH2wF3A8FwDstYhQlDBnhM927sVqVNv6qstgSFW6F
 6F0YCD0MzhTg3d1mxzZIfXF5Z9iL5Wygvy2s6oe4jrGgKT9+dzzI2rJh9RSenxIQ
 7JJUUurCjazRsERVBJNqYQdRxzLhwN6zHekAQ1ul/0e19InMij2HBFXYmko6FyXs
 RK2nWotebI43UH0WBIoHhEWKWtPdoW4Ye9SDX0q9PAUbCGbF87Iu73c1sWVLGLsT
 MMdo1TCUkAW9qzyb7vV6KV3NaV+kQ99y03BoN26vwN6glVtmm4yyL4eky31tQhrk
 TpRPWx28IOALA0mvfG2H9qNO6Hsd16fkswam7TItuKmiqKWpAeEMmTYH/iZtx8fJ
 OBDxRLdi1aW626kESyqtjirO+/HyUtpqFYR1TeMXgmeS1A6Ut/y8qV56T9BOpwQt
 3HCntJs+Kuid3tpViV6IROnMdhbgnKyhe5IkK5ybZOct8FxcSqhagw6ArAxJfBKo
 HI/PswOiS9IejE0IDRIh
 =E7Dv
 -----END PGP SIGNATURE-----

Merge tag 'hwmon-for-linus-v4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging

Pull hwmon fixes from Guenter Roeck:

 - Fix initial temperature readings for TMP102

 - Fix timeouts in DA9052 driver by increasing its sampling rate

* tag 'hwmon-for-linus-v4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/groeck/linux-staging:
  hwmon: (tmp102) Fix first temperature reading
  hwmon: (da9052) Increase sample rate when using TSI
2017-10-26 08:11:44 +02:00
Linus Torvalds
ecda3d95ec sound fixes for 4.14-rc7
Just two HD-audio fixups for a recent Realtek codec model.
 It's pretty safe to apply (and unsurprisingly boring).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJZ8PZOAAoJEGwxgFQ9KSmkHhsQAI1akd7kucJYqMtbLfnVly+k
 GjcOWNCVFDkgWgHoivICKYn5qgciLhE68ldoXecq0waicWpk0vuvtfC1b9loTWxn
 W8ZX3QdXM9oAWfoGRA21yHXA3Db7GcoDNVqAyp4Sd5EVtxoiNbr8QygvBoYFvlF1
 7WtElf8awYKw5CsnlCtMWp3KQ3LAME3qNAONvuDOWuX9AbpTRQ+thfksfK7lUvNs
 12AvA2SZXe1C81kbMZDNetaKmv7DqwBx2F1vwaC65aCVJ3Sxcf9k2GXjijq6gVV9
 yChaqbHw8/+XMhddWeluO0/E9hyY/L6Gs61JQ3ohILPQ8mp1iHDAbWlmvQwztYOJ
 8E3029f22r8lEhGCGbdc9Wl8XK1/73ZgX7WnjKixGvZktHxqR/YoJpLVXSTz0Fvt
 7R7Bi2ZZEn30X5FDwNrUo4opSZolsn1NwgJmPcLWi1eZQv6RgJ5I4JRcbJ2dXRFq
 RuBOdaRgknqX3UM3m0aWFC5PCcPgAeu5zxkjXs7Cyy2klTjtbxu4kEYAjR4sH8Et
 FF+DER5XEONZLdo0TPFBjm5diY+ZuDcpwNwrv413fV4R/ySjC2mAkUa9snR5ICqN
 MmLHXTextquDJY6OEyl0q5qNDkpVYFCwlZo74PXSrZL1JSIWtBdVzPp0tVUMf/zz
 lanZlysgFWvpzzCqUEp4
 =EtI1
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "Just two HD-audio fixups for a recent Realtek codec model. It's pretty
  safe to apply (and unsurprisingly boring)"

* tag 'sound-4.14-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: hda - fix headset mic problem for Dell machines with alc236
  ALSA: hda/realtek - Add support for ALC236/ALC3204
2017-10-26 08:02:42 +02:00
Julien Gomes
5c25f65fd1 tun: allow positive return values on dev_get_valid_name() call
If the name argument of dev_get_valid_name() contains "%d", it will try
to assign it a unit number in __dev__alloc_name() and return either the
unit number (>= 0) or an error code (< 0).
Considering positive values as error values prevent tun device creations
relying this mechanism, therefor we should only consider negative values
as errors here.

Signed-off-by: Julien Gomes <julien@arista.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 10:10:03 +09:00
Pieter Jansen van Vuuren
d309ae5c6a nfp: refuse offloading filters that redirects to upper devices
Previously we did not ensure that a netdev is a representative netdev
before dereferencing its private data. This can occur when an upper netdev
is created on a representative netdev. This patch corrects this by first
ensuring that the netdev is a representative netdev before using it.
Checking only switchdev_port_same_parent_id is not sufficient to ensure
that we can safely use the netdev. Failing to check that the netdev is also
a representative netdev would result in incorrect dereferencing.

Fixes: 1a1e586f54 ("nfp: add basic action capabilities to flower offloads")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 10:07:14 +09:00
Andrei Vagin
0f5da659d8 net/unix: don't show information about sockets from other namespaces
socket_diag shows information only about sockets from a namespace where
a diag socket lives.

But if we request information about one unix socket, the kernel don't
check that its netns is matched with a diag socket namespace, so any
user can get information about any unix socket in a system. This looks
like a bug.

v2: add a Fixes tag

Fixes: 51d7cccf07 ("net: make sock diag per-namespace")
Signed-off-by: Andrei Vagin <avagin@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-26 10:05:59 +09:00
Dave Airlie
522dbb354e Merge tag 'drm-intel-fixes-2017-10-25' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
drm-intel-fixes-2017-10-25:

only 1 fix for stable:

- fix perf enable/disable ioctls for 32bits (lionel)

* tag 'drm-intel-fixes-2017-10-25' of git://anongit.freedesktop.org/drm/drm-intel:
  drm/i915/perf: fix perf enable/disable ioctls with 32bits userspace
2017-10-26 10:25:31 +10:00
Dave Airlie
5a28747b4a Merge branch 'drm-fixes-4.14' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
two suspend/resume regression fixes.

* 'drm-fixes-4.14' of git://people.freedesktop.org/~agd5f/linux:
  drm/amd/amdgpu: Remove workaround check for UVD6 on APUs
  drm/amd/powerplay: fix uninitialized variable
2017-10-26 05:30:39 +10:00
Michael J. Ruhl
b4d91aeb6e RDMA/netlink: OOPs in rdma_nl_rcv_msg() from misinterpreted flag
rdma_nl_rcv_msg() checks to see if it should use the .dump() callback
or the .doit() callback.  The check is done with this check:

if (flags & NLM_F_DUMP) ...

The NLM_F_DUMP flag is two bits (NLM_F_ROOT | NLM_F_MATCH).

When an RDMA_NL_LS message (response) is received, the bit used for
indicating an error is the same bit as NLM_F_ROOT.

NLM_F_ROOT == (0x100) == RDMA_NL_LS_F_ERR.

ibacm sends a response with the RDMA_NL_LS_F_ERR bit set if an error
occurs in the service.  The current code then misinterprets the
NLM_F_DUMP bit and trys to call the .dump() callback.

If the .dump() callback for the specified request is not available
(which is true for the RDMA_NL_LS messages) the following Oops occurs:

[ 4555.960256] BUG: unable to handle kernel NULL pointer dereference at
   (null)
[ 4555.969046] IP:           (null)
[ 4555.972664] PGD 10543f1067 P4D 10543f1067 PUD 1033f93067 PMD 0
[ 4555.979287] Oops: 0010 [#1] SMP
[ 4555.982809] Modules linked in: rpcrdma ib_isert iscsi_target_mod
target_core_mod ib_iser libiscsi scsi_transport_iscsi ib_ipoib rdma_ucm ib_ucm
ib_uverbs ib_umad rdma_cm ib_cm iw_cm dm_mirror dm_region_hash dm_log dm_mod
dax sb_edac x86_pkg_temp_thermal intel_powerclamp coretemp kvm irqbypass
crct10dif_pclmul crc32_pclmul ghash_clmulni_intel pcbc aesni_intel crypto_simd
glue_helper cryptd hfi1 rdmavt iTCO_wdt iTCO_vendor_support ib_core mei_me
lpc_ich pcspkr mei ioatdma sg shpchp i2c_i801 mfd_core wmi ipmi_si ipmi_devintf
ipmi_msghandler acpi_power_meter acpi_pad nfsd auth_rpcgss nfs_acl lockd grace
sunrpc ip_tables ext4 mbcache jbd2 sd_mod mgag200 drm_kms_helper syscopyarea
sysfillrect sysimgblt fb_sys_fops ttm igb ahci crc32c_intel ptp libahci
pps_core drm dca libata i2c_algo_bit i2c_core
[ 4556.061190] CPU: 54 PID: 9841 Comm: ibacm Tainted: G          I
4.14.0-rc2+ #6
[ 4556.069667] Hardware name: Intel Corporation S2600WT2/S2600WT2, BIOS
SE5C610.86B.01.01.0008.021120151325 02/11/2015
[ 4556.081339] task: ffff880855f42d00 task.stack: ffffc900246b4000
[ 4556.087967] RIP: 0010:          (null)
[ 4556.092166] RSP: 0018:ffffc900246b7bc8 EFLAGS: 00010246
[ 4556.098018] RAX: ffffffff81dbe9e0 RBX: ffff881058bb1000 RCX:
0000000000000000
[ 4556.105997] RDX: 0000000000001100 RSI: ffff881058bb1320 RDI:
ffff881056362000
[ 4556.113984] RBP: ffffc900246b7bf8 R08: 0000000000000ec0 R09:
0000000000001100
[ 4556.121971] R10: ffff8810573a5000 R11: 0000000000000000 R12:
ffff881056362000
[ 4556.129957] R13: 0000000000000ec0 R14: ffff881058bb1320 R15:
0000000000000ec0
[ 4556.137945] FS:  00007fe0ba5a38c0(0000) GS:ffff88105f080000(0000)
knlGS:0000000000000000
[ 4556.147000] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 4556.153433] CR2: 0000000000000000 CR3: 0000001056f5d003 CR4:
00000000001606e0
[ 4556.161419] Call Trace:
[ 4556.164167]  ? netlink_dump+0x12c/0x290
[ 4556.168468]  __netlink_dump_start+0x186/0x1f0
[ 4556.173357]  rdma_nl_rcv_msg+0x193/0x1b0 [ib_core]
[ 4556.178724]  rdma_nl_rcv+0xdc/0x130 [ib_core]
[ 4556.183604]  netlink_unicast+0x181/0x240
[ 4556.187998]  netlink_sendmsg+0x2c2/0x3b0
[ 4556.192392]  sock_sendmsg+0x38/0x50
[ 4556.196299]  SYSC_sendto+0x102/0x190
[ 4556.200308]  ? __audit_syscall_entry+0xaf/0x100
[ 4556.205387]  ? syscall_trace_enter+0x1d0/0x2b0
[ 4556.210366]  ? __audit_syscall_exit+0x209/0x290
[ 4556.215442]  SyS_sendto+0xe/0x10
[ 4556.219060]  do_syscall_64+0x67/0x1b0
[ 4556.223165]  entry_SYSCALL64_slow_path+0x25/0x25
[ 4556.228328] RIP: 0033:0x7fe0b9db2a63
[ 4556.232333] RSP: 002b:00007ffc55edc260 EFLAGS: 00000293 ORIG_RAX:
000000000000002c
[ 4556.240808] RAX: ffffffffffffffda RBX: 0000000000000010 RCX:
00007fe0b9db2a63
[ 4556.248796] RDX: 0000000000000010 RSI: 00007ffc55edc280 RDI:
000000000000000d
[ 4556.256782] RBP: 00007ffc55edc670 R08: 00007ffc55edc270 R09:
000000000000000c
[ 4556.265321] R10: 0000000000000000 R11: 0000000000000293 R12:
00007ffc55edc280
[ 4556.273846] R13: 000000000260b400 R14: 000000000000000d R15:
0000000000000001
[ 4556.282368] Code:  Bad RIP value.
[ 4556.286629] RIP:           (null) RSP: ffffc900246b7bc8
[ 4556.293013] CR2: 0000000000000000
[ 4556.297292] ---[ end trace 8d67abcfd10ec209 ]---
[ 4556.305465] Kernel panic - not syncing: Fatal exception
[ 4556.313786] Kernel Offset: disabled
[ 4556.321563] ---[ end Kernel panic - not syncing: Fatal exception
[ 4556.328960] ------------[ cut here ]------------

Special case RDMA_NL_LS response messages to call the appropriate
callback.

Additionally, make sure that the .dump() callback is not NULL
before calling it.

Fixes: 647c75ac59 ("RDMA/netlink: Convert LS to doit callback")
Reviewed-by: Mike Marciniszyn <mike.marciniszyn@intel.com>
Reviewed-by: Kaike Wan <kaike.wan@intel.com>
Reviewed-by: Alex Estrin <alex.estrin@intel.com>
Signed-off-by: Michael J. Ruhl <michael.j.ruhl@intel.com>
Reviewed-by: Shiraz Saleem <shiraz.saleem@intel.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-10-25 14:54:43 -04:00
David Disseldorp
a2d9daad1d SMB: fix validate negotiate info uninitialised memory use
An undersize validate negotiate info server response causes the client
to use uninitialised memory for struct validate_negotiate_info_rsp
comparisons of Dialect, SecurityMode and/or Capabilities members.

Link: https://bugzilla.samba.org/show_bug.cgi?id=13092
Fixes: 7db0a6efdc ("SMB3: Work around mount failure when using SMB3 dialect to Macs")
Signed-off-by: David Disseldorp <ddiss@suse.de>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Signed-off-by: Steve French <smfrench@gmail.com>
2017-10-25 13:04:25 -05:00