Commit Graph

665158 Commits

Author SHA1 Message Date
Linus Torvalds
ea839b4174 Last minute fixes for ARC
- Build error in Mellanox nps platform
 
  - addressing lack of saving FPU regs in releavnt configs
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIbBAABAgAGBQJY/7Y9AAoJEGnX8d3iisJerOIP+OIw4iInJEycs2A1lQxMTUAa
 DFny0uv1EuWD5cC7g1O3m/SGIeN14zt6WBo40VHgxiOw/VFDsk4fze/QyfA+FFj0
 Qr7c5UDQKsWCNUNwkAfUYqp5/HWM9cO+WlUr3JbKL5sThh0SOBhb09T+Z9BEh+Ns
 jMu4VKa1Jh8RuXPd0Wb86CEhkRalTySTbY3og6g4F+HYRPvvqHvigdJ3yPI/mh0E
 ToPbZcqCNqgpJ0vyHak+QXb1gSbMjlevmjmokJR9O49Ypb8jEvQjwkZE0I81N793
 ayEftdCL9zVQ3WCcGVrhviXOMuxvDcimNUrAQiDJBqBSGEjq9AVaejEi1DIOyT3X
 InN1SmZPKno64OuZSFVDF2IuwTAumNXjp886of7LNy76lnznov2VvTXiiJSG/2ZE
 QEyhIq++DWFns+1IerJfU7QjzHEmx3StibBgPYur6K1dN49iHsFBTgRGgKzEhd0L
 iUOQQajg0RoYBhrcS/HQXBQgJhu0Fpkx6csDTtmW66hgw95I6ZoPJshk8SvouRTg
 Lif/U/qOd86Bghwj0V5pw/504LQ9i8xfSZzidM+St8XvhEa/DwuTggVuoIzOB8AH
 6qOExsN75jwExjAR71JsI33jNNTdTQ7HaHaqB1DQJ+2y12QmttNXaPy/iLYqQNsN
 iLeZ6MKdCrXKr73t2Js=
 =wA0V
 -----END PGP SIGNATURE-----

Merge tag 'arc-4.11-final' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc

Pull ARC fix from Vineet Gupta:
 "Last minute fixes for ARC:

   - build error in Mellanox nps platform

   - addressing lack of saving FPU regs in releavnt configs"

* tag 'arc-4.11-final' of git://git.kernel.org/pub/scm/linux/kernel/git/vgupta/arc:
  ARCv2: entry: save Accumulator register pair (r58:59) if present
  ARC: [plat-eznps] Fix build error
2017-04-25 14:07:24 -07:00
J. Bruce Fields
13bf9fbff0 nfsd: stricter decoding of write-like NFSv2/v3 ops
The NFSv2/v3 code does not systematically check whether we decode past
the end of the buffer.  This generally appears to be harmless, but there
are a few places where we do arithmetic on the pointers involved and
don't account for the possibility that a length could be negative.  Add
checks to catch these.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Reviewed-by: NeilBrown <neilb@suse.com>
Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2017-04-25 16:36:23 -04:00
J. Bruce Fields
db44bac41b nfsd4: minor NFSv2/v3 write decoding cleanup
Use a couple shortcuts that will simplify a following bugfix.

Cc: stable@vger.kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2017-04-25 16:36:16 -04:00
J. Bruce Fields
e6838a29ec nfsd: check for oversized NFSv2/v3 arguments
A client can append random data to the end of an NFSv2 or NFSv3 RPC call
without our complaining; we'll just stop parsing at the end of the
expected data and ignore the rest.

Encoded arguments and replies are stored together in an array of pages,
and if a call is too large it could leave inadequate space for the
reply.  This is normally OK because NFS RPC's typically have either
short arguments and long replies (like READ) or long arguments and short
replies (like WRITE).  But a client that sends an incorrectly long reply
can violate those assumptions.  This was observed to cause crashes.

Also, several operations increment rq_next_page in the decode routine
before checking the argument size, which can leave rq_next_page pointing
well past the end of the page array, causing trouble later in
svc_free_pages.

So, following a suggestion from Neil Brown, add a central check to
enforce our expectation that no NFSv2/v3 call has both a large call and
a large reply.

As followup we may also want to rewrite the encoding routines to check
more carefully that they aren't running off the end of the page array.

We may also consider rejecting calls that have any extra garbage
appended.  That would be safer, and within our rights by spec, but given
the age of our server and the NFS protocol, and the fact that we've
never enforced this before, we may need to balance that against the
possibility of breaking some oddball client.

Reported-by: Tuomas Haanpää <thaan@synopsys.com>
Reported-by: Ari Kauppi <ari@synopsys.com>
Cc: stable@vger.kernel.org
Reviewed-by: NeilBrown <neilb@suse.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
2017-04-25 16:34:37 -04:00
Yan, Zheng
8179a101eb ceph: fix recursion between ceph_set_acl() and __ceph_setattr()
ceph_set_acl() calls __ceph_setattr() if the setacl operation needs
to modify inode's i_mode. __ceph_setattr() updates inode's i_mode,
then calls posix_acl_chmod().

The problem is that __ceph_setattr() calls posix_acl_chmod() before
sending the setattr request. The get_acl() call in posix_acl_chmod()
can trigger a getxattr request. The reply of the getxattr request
can restore inode's i_mode to its old value. The set_acl() call in
posix_acl_chmod() sees old value of inode's i_mode, so it calls
__ceph_setattr() again.

Cc: stable@vger.kernel.org # needs backporting for < 4.9
Link: http://tracker.ceph.com/issues/19688
Reported-by: Jerry Lee <leisurelysw24@gmail.com>
Signed-off-by: "Yan, Zheng" <zyan@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Tested-by: Luis Henriques <lhenriques@suse.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2017-04-25 21:08:26 +02:00
Alexander Potapenko
fd2c83b357 net/packet: check length in getsockopt() called with PACKET_HDRLEN
In the case getsockopt() is called with PACKET_HDRLEN and optlen < 4
|val| remains uninitialized and the syscall may behave differently
depending on its value, and even copy garbage to userspace on certain
architectures. To fix this we now return -EINVAL if optlen is too small.

This bug has been detected with KMSAN.

Signed-off-by: Alexander Potapenko <glider@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 14:05:52 -04:00
David Ahern
8048ced9be net: ipv6: regenerate host route if moved to gc list
Taking down the loopback device wreaks havoc on IPv6 routing. By
extension, taking down a VRF device wreaks havoc on its table.

Dmitry and Andrey both reported heap out-of-bounds reports in the IPv6
FIB code while running syzkaller fuzzer. The root cause is a dead dst
that is on the garbage list gets reinserted into the IPv6 FIB. While on
the gc (or perhaps when it gets added to the gc list) the dst->next is
set to an IPv4 dst. A subsequent walk of the ipv6 tables causes the
out-of-bounds access.

Andrey's reproducer was the key to getting to the bottom of this.

With IPv6, host routes for an address have the dst->dev set to the
loopback device. When the 'lo' device is taken down, rt6_ifdown initiates
a walk of the fib evicting routes with the 'lo' device which means all
host routes are removed. That process moves the dst which is attached to
an inet6_ifaddr to the gc list and marks it as dead.

The recent change to keep global IPv6 addresses added a new function,
fixup_permanent_addr, that is called on admin up. That function restarts
dad for an inet6_ifaddr and when it completes the host route attached
to it is inserted into the fib. Since the route was marked dead and
moved to the gc list, re-inserting the route causes the reported
out-of-bounds accesses. If the device with the address is taken down
or the address is removed, the WARN_ON in fib6_del is triggered.

All of those faults are fixed by regenerating the host route if the
existing one has been moved to the gc list, something that can be
determined by checking if the rt6i_ref counter is 0.

Fixes: f1705ec197 ("net: ipv6: Make address flushing on ifdown optional")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 14:04:44 -04:00
Xin Long
b1b9d36602 bridge: move bridge multicast cleanup to ndo_uninit
During removing a bridge device, if the bridge is still up, a new mdb entry
still can be added in br_multicast_add_group() after all mdb entries are
removed in br_multicast_dev_del(). Like the path:

  mld_ifc_timer_expire ->
    mld_sendpack -> ...
      br_multicast_rcv ->
        br_multicast_add_group

The new mp's timer will be set up. If the timer expires after the bridge
is freed, it may cause use-after-free panic in br_multicast_group_expired.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
IP: [<ffffffffa07ed2c8>] br_multicast_group_expired+0x28/0xb0 [bridge]
Call Trace:
 <IRQ>
 [<ffffffff81094536>] call_timer_fn+0x36/0x110
 [<ffffffffa07ed2a0>] ? br_mdb_free+0x30/0x30 [bridge]
 [<ffffffff81096967>] run_timer_softirq+0x237/0x340
 [<ffffffff8108dcbf>] __do_softirq+0xef/0x280
 [<ffffffff8169889c>] call_softirq+0x1c/0x30
 [<ffffffff8102c275>] do_softirq+0x65/0xa0
 [<ffffffff8108e055>] irq_exit+0x115/0x120
 [<ffffffff81699515>] smp_apic_timer_interrupt+0x45/0x60
 [<ffffffff81697a5d>] apic_timer_interrupt+0x6d/0x80

Nikolay also found it would cause a memory leak - the mdb hash is
reallocated and not freed due to the mdb rehash.

unreferenced object 0xffff8800540ba800 (size 2048):
  backtrace:
    [<ffffffff816e2287>] kmemleak_alloc+0x67/0xc0
    [<ffffffff81260bea>] __kmalloc+0x1ba/0x3e0
    [<ffffffffa05c60ee>] br_mdb_rehash+0x5e/0x340 [bridge]
    [<ffffffffa05c74af>] br_multicast_new_group+0x43f/0x6e0 [bridge]
    [<ffffffffa05c7aa3>] br_multicast_add_group+0x203/0x260 [bridge]
    [<ffffffffa05ca4b5>] br_multicast_rcv+0x945/0x11d0 [bridge]
    [<ffffffffa05b6b10>] br_dev_xmit+0x180/0x470 [bridge]
    [<ffffffff815c781b>] dev_hard_start_xmit+0xbb/0x3d0
    [<ffffffff815c8743>] __dev_queue_xmit+0xb13/0xc10
    [<ffffffff815c8850>] dev_queue_xmit+0x10/0x20
    [<ffffffffa02f8d7a>] ip6_finish_output2+0x5ca/0xac0 [ipv6]
    [<ffffffffa02fbfc6>] ip6_finish_output+0x126/0x2c0 [ipv6]
    [<ffffffffa02fc245>] ip6_output+0xe5/0x390 [ipv6]
    [<ffffffffa032b92c>] NF_HOOK.constprop.44+0x6c/0x240 [ipv6]
    [<ffffffffa032bd16>] mld_sendpack+0x216/0x3e0 [ipv6]
    [<ffffffffa032d5eb>] mld_ifc_timer_expire+0x18b/0x2b0 [ipv6]

This could happen when ip link remove a bridge or destroy a netns with a
bridge device inside.

With Nikolay's suggestion, this patch is to clean up bridge multicast in
ndo_uninit after bridge dev is shutdown, instead of br_dev_delete, so
that netif_running check in br_multicast_add_group can avoid this issue.

v1->v2:
  - fix this issue by moving br_multicast_dev_del to ndo_uninit, instead
    of calling dev_close in br_dev_delete.

(NOTE: Depends upon b6fe0440c6 ("bridge: implement missing ndo_uninit()"))

Fixes: e10177abf8 ("bridge: multicast: fix handling of temp and perm entries")
Reported-by: Jianwen Ji <jiji@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 14:02:39 -04:00
Christoph Hellwig
25d9baa475 nvme-lightnvm: add missing endianess conversion in nvme_nvm_end_io
Found by sparse.

Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Matias Bjørling <matias@cnexlabs.com>
2017-04-25 20:01:15 +02:00
Jon Derrick
7fad1fd46c nvme-scsi: Consider LBA format in IO splitting calculation
The current command submission code uses a sector-based value when
considering the maximum number of blocks per command. With a
4k-formatted namespace and a command exceeding max hardware limits, this
calculation doesn't split IOs which should be split and fails in the
nvme layer. This patch fixes that calculation and enables IO splitting
in these circumstances.

Signed-off-by: Jon Derrick <jonathan.derrick@intel.com>
Reviewed-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
2017-04-25 20:01:00 +02:00
Ewan D. Milne
de41447aac nvme-fc: avoid memory corruption caused by calling nvmf_free_options() twice
Do not call nvmf_free_options() from the nvme_fc_ctlr destructor if
nvme_fc_create_ctrl() returns an error, because nvmf_create_ctrl()
frees the options when an error is returned.

Signed-off-by: Ewan D. Milne <emilne@redhat.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
2017-04-25 20:00:59 +02:00
James Smart
bbe3012b73 lpfc: Fix memory corruption of the lpfc_ncmd->list pointers
lpfc was changing the private pointer that is set/maintained by
the nvme_fc transport. This caused two issues: a) the transport, on
teardown may erroneous attempt to free whatever address was set;
and b) lfpc uses any value set in lpfc_nvme_fcp_abort() and
assumes its a valid io request.

Correct issue by properly defining a context structure for lpfc.
Lpfc also updated to clear the private context structure on io
completion.

Since this bug caused scrutiny of the way lpfc moves local request
structures between lists, also cleaned up list_del()'s to
list_del_inits()'s.

This is a nvme-specific bug. The patch was cut against the
linux-block tree, for-4.12/block tree. It should be pulled in through
that tree.

Signed-off-by: Dick Kennedy <dick.kennedy@broadcom.com>
Signed-off-by: James Smart <james.smart@broadcom.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
2017-04-25 20:00:58 +02:00
Sabrina Dubroca
ec9c4215fe ipv6: fix source routing
Commit a149e7c7ce ("ipv6: sr: add support for SRH injection through
setsockopt") introduced handling of IPV6_SRCRT_TYPE_4, but at the same
time restricted it to only IPV6_SRCRT_TYPE_0 and
IPV6_SRCRT_TYPE_4. Previously, ipv6_push_exthdr() and fl6_update_dst()
would also handle other values (ie STRICT and TYPE_2).

Restore previous source routing behavior, by handling IPV6_SRCRT_STRICT
and IPV6_SRCRT_TYPE_2 the same way as IPV6_SRCRT_TYPE_0 in
ipv6_push_exthdr() and fl6_update_dst().

Fixes: a149e7c7ce ("ipv6: sr: add support for SRH injection through setsockopt")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 13:59:24 -04:00
Wei Yongjun
5136a4fd58 lightnvm: fix possible memory leak in pblk_bb_discovery()
'blks' is malloced in pblk_bb_discovery() and should be freed
before leaving from the nvm_get_tgt_bb_tbl() error handling cases,
otherwise it will cause memory leak. Also skip assign blks to
rlun->bb_list when error.

Fixes: a4bd217b43 ("lightnvm: physical block device (pblk) target")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Reviewed-by: Javier González <javier@cnexlabs.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-04-25 10:44:29 -06:00
sudarsana.kalluru@cavium.com
c8fcd133ea qed: Fix error in the dcbx app meta data initialization.
DCBX app_data array is initialized with the incorrect values for
personality field. This would  prevent offloaded protocols from
honoring the PFC.

Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 11:58:36 -04:00
stephen hemminger
fdfb70d275 netvsc: fix calculation of available send sections
My change (introduced in 4.11) to use find_first_clear_bit
incorrectly assumed that the size argument was words, not bits.
The effect was only a small limited number of the available send
sections were being actually used. This can cause performance loss
with some workloads.

Since map_words is now used only during initialization, it can
be on stack instead of in per-device data.

Fixes: b58a185801 ("netvsc: simplify get next send section")
Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 11:56:59 -04:00
Andreas Kemnade
a23f6ce6d9 net: hso: fix module unloading
keep tty driver until usb driver is unregistered
rmmod hso
produces traces like this without that:

[40261.645904] usb 2-2: new high-speed USB device number 2 using ehci-omap
[40261.854644] usb 2-2: New USB device found, idVendor=0af0, idProduct=8800
[40261.862609] usb 2-2: New USB device strings: Mfr=3, Product=2, SerialNumber=0
[40261.872772] usb 2-2: Product: Globetrotter HSUPA Modem
[40261.880279] usb 2-2: Manufacturer: Option N.V.
[40262.021270] hso 2-2:1.5: Not our interface
[40265.556945] hso: unloaded
[40265.559875] usbcore: deregistering interface driver hso
[40265.595947] Unable to handle kernel NULL pointer dereference at virtual address 00000033
[40265.604522] pgd = ecb14000
[40265.611877] [00000033] *pgd=00000000
[40265.617034] Internal error: Oops: 5 [#1] PREEMPT SMP ARM
[40265.622650] Modules linked in: hso(-) bnep bluetooth ipv6 arc4 twl4030_madc_hwmon wl18xx wlcore mac80211 cfg80211 snd_soc_simple_card snd_soc_simple_card_utils snd_soc_omap_twl4030 snd_soc_gtm601 generic_adc_battery extcon_gpio omap3_isp videobuf2_dma_contig videobuf2_memops wlcore_sdio videobuf2_v4l2 videobuf2_core ov9650 bmp280_i2c v4l2_common bmp280 bmg160_i2c bmg160_core at24 nvmem_core videodev bmc150_accel_i2c bmc150_magn_i2c media bmc150_accel_core tsc2007 bmc150_magn leds_tca6507 bno055 snd_soc_omap_mcbsp industrialio_triggered_buffer snd_soc_omap kfifo_buf snd_pcm_dmaengine gpio_twl4030 snd_soc_twl4030 twl4030_vibra twl4030_madc wwan_on_off ehci_omap pwm_bl pwm_omap_dmtimer panel_tpo_td028ttec1 encoder_opa362 connector_analog_tv omapdrm drm_kms_helper cfbfillrect syscopyarea cfbimgblt sysfillrect
[40265.698211]  sysimgblt fb_sys_fops cfbcopyarea drm omapdss usb_f_ecm g_ether usb_f_rndis u_ether libcomposite configfs omap2430 phy_twl4030_usb musb_hdrc twl4030_charger industrialio w2sg0004 twl4030_pwrbutton bq27xxx_battery w1_bq27000 omap_hdq [last unloaded: hso]
[40265.723175] CPU: 0 PID: 2701 Comm: rmmod Not tainted 4.11.0-rc6-letux+ #6
[40265.730346] Hardware name: Generic OMAP36xx (Flattened Device Tree)
[40265.736938] task: ecb81100 task.stack: ecb82000
[40265.741729] PC is at cdev_del+0xc/0x2c
[40265.745666] LR is at tty_unregister_device+0x40/0x50
[40265.750915] pc : [<c027472c>]    lr : [<c04b3ecc>]    psr: 600b0113
sp : ecb83ea8  ip : eca4f898  fp : 00000000
[40265.763000] r10: 00000000  r9 : 00000000  r8 : 00000001
[40265.768493] r7 : eca4f800  r6 : 00000003  r5 : 00000000  r4 : ffffffff
[40265.775360] r3 : c1458d54  r2 : 00000000  r1 : 00000004  r0 : ffffffff
[40265.782257] Flags: nZCv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment none
[40265.789764] Control: 10c5387d  Table: acb14019  DAC: 00000051
[40265.795806] Process rmmod (pid: 2701, stack limit = 0xecb82218)
[40265.802062] Stack: (0xecb83ea8 to 0xecb84000)
[40265.806640] 3ea0:                   ec9e8100 c04b3ecc bf737378 ed5b7c00 00000003 bf7327ec
[40265.815277] 3ec0: eca4f800 00000000 ec9fd800 eca4f800 bf737070 bf7328bc eca4f820 c05a9a04
[40265.823883] 3ee0: eca4f820 00000000 00000001 eca4f820 ec9fd870 bf737070 eca4f854 ec9fd8a4
[40265.832519] 3f00: ecb82000 00000000 00000000 c04e6960 eca4f820 bf737070 bf737048 00000081
[40265.841125] 3f20: c01071e4 c04e6a60 ecb81100 bf737070 bf737070 c04e5d94 bf737020 c05a8f88
[40265.849731] 3f40: bf737100 00000800 7f5fa254 00000081 c01071e4 c01c4afc 00000000 006f7368
[40265.858367] 3f60: ecb815f4 00000000 c0cac9c4 c01071e4 ecb82000 00000000 00000000 c01512f4
[40265.866973] 3f80: ed5b3200 c01071e4 7f5fa220 7f5fa220 bea78ec9 0010711c 7f5fa220 7f5fa220
[40265.875579] 3fa0: bea78ec9 c0107040 7f5fa220 7f5fa220 7f5fa254 00000800 dd35b800 dd35b800
[40265.884216] 3fc0: 7f5fa220 7f5fa220 bea78ec9 00000081 bea78dcc 00000000 bea78bd8 00000000
[40265.892822] 3fe0: b6f70521 bea78b6c 7f5dd613 b6f70526 80070030 7f5fa254 ffffffff ffffffff
[40265.901458] [<c027472c>] (cdev_del) from [<c04b3ecc>] (tty_unregister_device+0x40/0x50)
[40265.909942] [<c04b3ecc>] (tty_unregister_device) from [<bf7327ec>] (hso_free_interface+0x80/0x144 [hso])
[40265.919982] [<bf7327ec>] (hso_free_interface [hso]) from [<bf7328bc>] (hso_disconnect+0xc/0x18 [hso])
[40265.929718] [<bf7328bc>] (hso_disconnect [hso]) from [<c05a9a04>] (usb_unbind_interface+0x84/0x200)
[40265.939239] [<c05a9a04>] (usb_unbind_interface) from [<c04e6960>] (device_release_driver_internal+0x138/0x1cc)
[40265.949798] [<c04e6960>] (device_release_driver_internal) from [<c04e6a60>] (driver_detach+0x60/0x6c)
[40265.959503] [<c04e6a60>] (driver_detach) from [<c04e5d94>] (bus_remove_driver+0x64/0x8c)
[40265.968017] [<c04e5d94>] (bus_remove_driver) from [<c05a8f88>] (usb_deregister+0x5c/0xb8)
[40265.976654] [<c05a8f88>] (usb_deregister) from [<c01c4afc>] (SyS_delete_module+0x160/0x1dc)
[40265.985443] [<c01c4afc>] (SyS_delete_module) from [<c0107040>] (ret_fast_syscall+0x0/0x1c)
[40265.994171] Code: c1458d54 e59f3020 e92d4010 e1a04000 (e5941034)
[40266.016693] ---[ end trace 9d5ac43c7e41075c ]---

Signed-off-by: Andreas Kemnade <andreas@kemnade.info>
Reviewed-by: Johan Hovold <johan@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 11:52:07 -04:00
Parthasarathy Bhuvaragan
05ff837897 tipc: fix socket flow control accounting error at tipc_recv_stream
Until now in tipc_recv_stream(), we update the received
unacknowledged bytes based on a stack variable and not based on the
actual message size.
If the user buffer passed at tipc_recv_stream() is smaller than the
received skb, the size variable in stack differs from the actual
message size in the skb. This leads to a flow control accounting
error causing permanent congestion.

In this commit, we fix this accounting error by always using the
size of the incoming message.

Fixes: 10724cc7bb ("tipc: redesign connection-level flow control")
Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 11:45:38 -04:00
Parthasarathy Bhuvaragan
3364d61c92 tipc: fix socket flow control accounting error at tipc_send_stream
Until now in tipc_send_stream(), we return -1 when the socket
encounters link congestion even if the socket had successfully
sent partial data. This is incorrect as the application resends
the same the partial data leading to data corruption at
receiver's end.

In this commit, we return the partially sent bytes as the return
value at link congestion.

Fixes: 10724cc7bb ("tipc: redesign connection-level flow control")
Signed-off-by: Parthasarathy Bhuvaragan <parthasarathy.bhuvaragan@ericsson.com>
Reviewed-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 11:45:37 -04:00
Takashi Iwai
d4a2fbcee0 ASoC: Fixes for v4.11
A few last minute fixes for v4.11, the STI fix is relatively large but
 driver specific and has been cooking in -next for a little while now:
 
  - A fix from Takashi for some suspend/resume related crashes in the
    Intel drivers.
  - A fix from Mousumi Jana for issues with incorrectly created
    enumeration controls generated from topology files which could cause
    problems for userspace.
  - Fixes from Arnaud Pouliquen for some crashes due to races with the
    interrupt handler in the STI driver.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCAAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlj/auUTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0JEJB/9fZoEPm2Flfp9d4tXDmNihyv/STARr
 UbIIBxJUsDG2U6nMxv1kTKRk/9puuzDfNjt4giiLyMNDMbh4G5QRbgMF53ryeTuM
 8Nqq6PEvhZ4/YftOnh4uD4PmsVKTV8OauQDzZquLPB9/lRF6wLvSskSfZXTsYbv9
 Oem4Sop1XzXt68cUIcMHQlwXrhxIaQUHiOS8QfhQXNw1y5xgGB5Rj0ak5fWdn+KY
 6j10ldQgrwYSCx4zbqLsS6Fjlo2zdUj/Rn7fQrarzsjQtrZq+k6iYvAWAblkMhWi
 7hL/RK4U0konSeo12ftIESDpZFjW2Yi9Q74+4i6soEYbOVTzMam+XMo+
 =qmpO
 -----END PGP SIGNATURE-----

Merge tag 'asoc-fix-v4.11-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus

ASoC: Fixes for v4.11

A few last minute fixes for v4.11, the STI fix is relatively large but
driver specific and has been cooking in -next for a little while now:

 - A fix from Takashi for some suspend/resume related crashes in the
   Intel drivers.
 - A fix from Mousumi Jana for issues with incorrectly created
   enumeration controls generated from topology files which could cause
   problems for userspace.
 - Fixes from Arnaud Pouliquen for some crashes due to races with the
   interrupt handler in the STI driver.
2017-04-25 17:43:56 +02:00
Paolo Abeni
b7d6df5751 ipv6: move stub initialization after ipv6 setup completion
The ipv6 stub pointer is currently initialized before the ipv6
routing subsystem: a 3rd party can access and use such stub
before the routing data is ready.
Moreover, such pointer is not cleared in case of initialization
error, possibly leading to dangling pointers usage.

This change addresses the above moving the stub initialization
at the end of ipv6 init code.

Fixes: 5f81bd2e5d ("ipv6: export a stub for IPv6 symbols used by vxlan")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 11:43:16 -04:00
Pan Bian
72ec0bc64b team: fix memory leaks
In functions team_nl_send_port_list_get() and
team_nl_send_options_get(), pointer skb keeps the return value of
nlmsg_new(). When the call to genlmsg_put() fails, the memory is not
freed(). This will result in memory leak bugs.

Fixes: 9b00cf2d10 ("team: implement multipart netlink messages for options transfers")
Signed-off-by: Pan Bian <bianpan2016@163.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 11:35:01 -04:00
Mark Brown
dc9617cb81 Merge remote-tracking branches 'asoc/fix/intel', 'asoc/fix/topology' and 'asoc/fix/sti' into asoc-linus 2017-04-25 16:25:07 +01:00
David S. Miller
fccb4422d0 linux-can-fixes-for-4.11-20170425
-----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEE4bay/IylYqM/npjQHv7KIOw4HPYFAlj/PI0THG1rbEBwZW5n
 dXRyb25peC5kZQAKCRAe/sog7Dgc9ntrCADToD6OAE2/vEPgxrLFSEqEPS4vzXkL
 6RObZRDYj0FrOo+Xkq9G8V+AKKJHH04CasQ0+XV0mCeVsx9GZTByllU8Sbej+sjO
 SXlU9ZuhJGJEBCpFPqfjwGIxpCcRUF7BFxcBQgzOVY68m4fLHPMXSS0FS14r0B6M
 GLk7nEGBUteYDDVCoWMNBt5VkIP6DXLfdvhTtj9R+BJmEwKZrXU3F6/Z5K686zf9
 xAL01tn4rgLHhtWyxDTlVQ8CREZ+4YQAasi6usgLhNWTEpfCQaD22cyClM1pCV2s
 HloB4DpOF507saJrmEz9n1BlnYXV1jqRkRHOB9UO0OvJR3Ta1XP5DOgp
 =mnla
 -----END PGP SIGNATURE-----

Merge tag 'linux-can-fixes-for-4.11-20170425' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can

Marc Kleine-Budde says:

====================
pull-request: can 2017-04-25

this is a pull request of three patches for net/master.

There are two patches by Stephane Grosjean for that add a new variant to the
PCAN-Chip USB driver. The other patch is by Maksim Salau, which swtiches the
memory for USB transfers from heap to stack.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 11:20:30 -04:00
Bert Kenward
a53d26eb88 sfc: tx ring can only have 2048 entries for all EF10 NICs
Fixes: dd248f1bc6 ("sfc: Add PCI ID for Solarflare 8000 series 10/40G NIC")
Reported-by: Patrick Talbert <ptalbert@redhat.com>
Signed-off-by: Bert Kenward <bkenward@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 11:19:21 -04:00
Takashi Iwai
6e4cac23c5 ASoC: intel: Fix PM and non-atomic crash in bytcr drivers
The FE setups of Intel SST bytcr_rt5640 and bytcr_rt5651 drivers carry
the ignore_suspend flag, and this prevents the suspend/resume working
properly while the stream is running, since SST core code has the
check of the running streams and returns -EBUSY.  Drop these
superfluous flags for fixing the behavior.

Also, the bytcr_rt5640 driver lacks of nonatomic flag in some FE
definitions, which leads to the kernel Oops at suspend/resume like:

  BUG: scheduling while atomic: systemd-sleep/3144/0x00000003
  Call Trace:
   dump_stack+0x5c/0x7a
   __schedule_bug+0x55/0x70
   __schedule+0x63c/0x8c0
   schedule+0x3d/0x90
   schedule_timeout+0x16b/0x320
   ? del_timer_sync+0x50/0x50
   ? sst_wait_timeout+0xa9/0x170 [snd_intel_sst_core]
   ? sst_wait_timeout+0xa9/0x170 [snd_intel_sst_core]
   ? remove_wait_queue+0x60/0x60
   ? sst_prepare_and_post_msg+0x275/0x960 [snd_intel_sst_core]
   ? sst_pause_stream+0x9b/0x110 [snd_intel_sst_core]
   ....

This patch addresses these appropriately, too.

Signed-off-by: Takashi Iwai <tiwai@suse.de>
Acked-by: Vinod Koul <vinod.koul@intel.com>
Signed-off-by: Mark Brown <broonie@kernel.org>
Cc: <stable@vger.kernel.org> # v4.1+
2017-04-25 15:54:30 +01:00
Herbert Xu
f6478218e6 macvlan: Fix device ref leak when purging bc_queue
When a parent macvlan device is destroyed we end up purging its
broadcast queue without dropping the device reference count on
the packet source device.  This causes the source device to linger.

This patch drops that reference count.

Fixes: 260916dfb4 ("macvlan: Fix potential use-after free for...")
Reported-by: Joe Ghalam <Joe.Ghalam@dell.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 10:42:10 -04:00
Roman Spychała
6f2aee0c0d usb: plusb: Add support for PL-27A1
This patch adds support for the PL-27A1 by adding the appropriate
USB ID's. This chip is used in the goobay Active USB 3.0 Data Link
and Unitek Y-3501 cables.

Signed-off-by: Roman Spychała <roed@onet.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-25 10:08:16 -04:00
Maksim Salau
b05c73bd1e net: can: usb: gs_usb: Fix buffer on stack
Allocate buffers on HEAP instead of STACK for local structures
that are to be sent using usb_control_msg().

Signed-off-by: Maksim Salau <maksim.salau@gmail.com>
Cc: linux-stable <stable@vger.kernel.org> # >= v4.8
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2017-04-25 14:08:35 +02:00
Stephane Grosjean
71b611562f can: usb: Kconfig: Add PCAN-USB X6 device in help text
This patch adds a text line in the help section of the CAN_PEAK_USB
config item describing the support of the PCAN-USB X6 adapter, which is
already included in the Kernel since 4.9.

Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2017-04-25 10:50:11 +02:00
Stephane Grosjean
ea8b65b596 can: usb: Add support of PCAN-Chip USB stamp module
This patch adds the support of the PCAN-Chip USB, a stamp module for
customer hardware designs, which communicates via USB 2.0 with the
hardware. The integrated CAN controller supports the protocols CAN 2.0 A/B
as well as CAN FD. The physical CAN connection is determined by external
wiring. The Stamp module with its single-sided mounting and plated
half-holes is suitable for automatic assembly.

Note that the chip is equipped with the same logic than the PCAN-USB FD.

Signed-off-by: Stephane Grosjean <s.grosjean@peak-system.com>
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
2017-04-25 10:50:11 +02:00
Jean Delvare
543b334d14 virtio_blk: Fix English description of VIRTIO_BLK_SCSI
Signed-off-by: Jean Delvare <jdelvare@suse.de>
Fixes: 97b50a654d ("virtio_blk: make SCSI passthrough support configurable")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-04-24 22:07:10 -06:00
Andy Lutomirski
c35e30b472 nvme: Add nvme_core.force_apst to ignore the NO_APST quirk
We're probably going to be stuck quirking APST off on an over-broad
range of devices for 4.11.  Let's make it easy to override the quirk
for testing.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-04-24 22:03:46 -06:00
Andy Lutomirski
fb0dc3993b nvme: Display raw APST configuration via DYNAMIC_DEBUG
Debugging APST is currently a bit of a pain.  This gives optional
simple log messages that describe the APST state.

The easiest way to use this is probably with the nvme_core.dyndbg=+p
module parameter.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-04-24 22:03:46 -06:00
Andy Lutomirski
76e4ad09a3 nvme: Fix APST comment
There was a typo in the description of the timeout heuristic.

Signed-off-by: Andy Lutomirski <luto@kernel.org>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@fb.com>
2017-04-24 22:03:46 -06:00
Jens Axboe
d9fd363a6c Merge branch 'master' into for-4.12/post-merge 2017-04-24 22:03:14 -06:00
Al Viro
ac4691fac8 hexagon: switch to RAW_COPY_USER
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2017-04-24 20:28:29 -04:00
Dmitry Torokhov
7c5bb4ac2b Input: i8042 - add Clevo P650RS to the i8042 reset list
Clevo P650RS and other similar devices require i8042 to be reset in order
to detect Synaptics touchpad.

Reported-by: Paweł Bylica <chfast@gmail.com>
Tested-by: Ed Bordin <edbordin@gmail.com>
Cc: stable@vger.kernel.org
Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=190301
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
2017-04-24 16:15:58 -07:00
David S. Miller
38a98bceaf Merge branch 'dsa-b53-58xx-fixes'
Florian Fainelli says:

====================
net: dsa: b53: BCM58xx devices fixes

This patch series contains fixes for the 58xx devices (Broadcom Northstar
Plus), which were identified thanks to the help of Eric Anholt.
====================

Tested-by: Eric Anholt <eric@anholt.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 18:29:11 -04:00
Florian Fainelli
bfcda65c9b net: dsa: b53: Fix CPU port for 58xx devices
The 58xx devices (Northstar Plus) do actually have their CPU port wired
at port 8, it was unfortunately set to port 5 (B53_CPU_PORT_25) which is
incorrect, since that is the second possible management port.

Fixes: 991a36bb46 ("net: dsa: b53: Add support for BCM585xx/586xx/88312 integrated switch")
Reported-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 18:28:56 -04:00
Florian Fainelli
3fb22b0534 net: dsa: b53: Implement software reset for 58xx devices
Implement the correct software reset sequence for 58xx devices by
setting all 3 reset bits and polling for the SW_RST bit to clear itself
without a given timeout. We cannot use is58xx() here because that would
also include the 7445/7278 Starfighter 2 which have their own driver
doing the reset earlier on due to the HW specific integration.

Fixes: 991a36bb46 ("net: dsa: b53: Add support for BCM585xx/586xx/88312 integrated switch")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 18:28:56 -04:00
Florian Fainelli
a424f0de61 net: dsa: b53: Include IMP/CPU port in dumb forwarding mode
Since Broadcom tags are not enabled in b53 (DSA_PROTO_TAG_NONE), we need
to make sure that the IMP/CPU port is included in the forwarding
decision.

Without this change, switching between non-management ports would work,
but not between management ports and non-management ports thus breaking
the default state in which DSA switch are brought up.

Fixes: 967dd82ffc ("net: dsa: b53: Add support for Broadcom RoboSwitch")
Reported-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 18:28:56 -04:00
Ingo Molnar
fd7647979a perf/core improvements and fixes:
User visible:
 
 - Fix display of data source snoop indication in 'perf mem' (Andi Kleen)
 
 - Fix the code to strip command name from /proc/PID/stat (Jiri Olsa)
 
 Infrastructure:
 
 - Continue the disentanglement of headers, specially util.h (Arnaldo Carvalho de Melo)
 
 - Synchronize some header files with the kernel (Arnaldo Carvalho de Melo)
 
 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJY/lbGAAoJENZQFvNTUqpAbfcQALIS/jQTYHq0FxYs5btEBZ32
 l3o7ZQipOR7zcKIjubSMWb+rrffk7bdjCN/3Tbe/oVVrKUVpdM1jxG4vN2/7g69Q
 z1I0fSigItZduZeXrMICC5jVDQkaUGz8V7xAprA7kryxVgTpSXxLffRYriWeuLl3
 4J7Lco33Tk+OLTN1maT+TWxUNcMBkWcZZeGivn9oCBsfsyUDQpsR6C4HQOhqJqCd
 HHWmKENYE+K6u2zMWQ4jOYByv8MXesBAGUB5CxBKzMFJIWFm5ROBc0HTWPiHTCX6
 FJFEQKxIurJvWpGJncN45cgdUuwYBftv1JbK1W0ProqT7DJ1EdotkxsnrI8/MxNU
 NfYsepMOzLgizRgxYUf3+QeVFxCCXRbjsMP4TNBPeR+Bn7KByQbycDQbNH2eBr+Y
 EGGmXtOW7ZeFkIygczPJLVI73x5S2kLCMAS+2u1zlskwopf5BgwrwX21AFfseR9L
 S8V+JicFGhp6zK3kDeTM7r8atWeSeIQdRli764KDyz+AEgeygKn9yTXdylAS1MCn
 ArefzqGmjWPwH5hsDIoDZIHcIIGNewVSXvgyyyJp4bolLEH/ZyA8Ck4hcwH0jXh6
 1F21yBEh9WtUfsHt1uwiDOhxhYp6Gb5YtX8fTjUgKtsEUoq1MJmtsaHbx7et2ltx
 vrTyuRzJVwQjsA7tsvWf
 =MY6n
 -----END PGP SIGNATURE-----

Merge tag 'perf-core-for-mingo-4.12-20170424' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/core

Pull perf/core improvements and fixes from Arnaldo Carvalho de Melo:

User visible changes:

 - Fix display of data source snoop indication in 'perf mem' (Andi Kleen)

 - Fix the code to strip command name from /proc/PID/stat (Jiri Olsa)

Infrastructure changes:

 - Continue the disentanglement of headers, specially util.h (Arnaldo Carvalho de Melo)

 - Synchronize some header files with the kernel (Arnaldo Carvalho de Melo)

Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-04-24 23:31:35 +02:00
Linus Torvalds
8f9cedc76f SCSI fixes on 20170424
Our final fix before the 4.12 release (hopefully).  It's an error leg
 again: the fix to not bug on empty DMA transfers is returning the
 wrong code and confusing the block layer.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJY/gx3AAoJEAVr7HOZEZN4ai0P/i7xr9kaKtH2trTE5d51fG1y
 Jk1ec5Ri6mqjiJY4r1u6wbEu5y1bcUlsyz71QsRbOOBiC951dpAbQwKeWa2rmQWd
 YLevigg3Jh2sM1WghYSgRGPZ9uz2+j5jHpHz55jTTr6WQKUixY/Ms6DG4Ya9tWVO
 Tuzip4Vsga/91g27Z7HDGxxg6y0n7eEAPEYZJcmpwUl2F+zscZh3RX1YDHTU+BP9
 Z7inla293PWUf4kXNP6KUT63vO5w5C0fCvqoFU5p59JyPY+nB5O0povZ9XlHw7Ez
 ug0YHVOvX+1wLc7fzrhFoV0mUEutKQnLF4sBtNFrfZFkYgbYYfmNmAAVTc7CpkNS
 tBVWCzq8v053HXIx2a8bP6wnztVeQhpXkmLfBSgXgTP6+ae1dH/F+3v9lA5RUwgx
 FJ5XgfxAtdpiJ5tao8Deb0D9KJ5NKymy0cfY8oA5nB0Oto5RrqesO8hVmF7zoaXV
 TWrPOTuFX6Zin70AwhLtZRiNirGplcEnSOU+EsBi6OBZ629pvUHNguMbR6IQRsTz
 hso15Ve++UnaG/fwWBzZPqFc1fI5PlI0YtgM8dngqkc54VKIA0MmkcI2b+Fw8C4w
 Ugir0rHlL+od36NI2J0vZIMqzwNwsJQ9fOGxuuKGy8fKB4JYiYnFTJWa7YjAmfle
 BLfWA+xZ84jcFwvNpYMj
 =tuno
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fix from James Bottomley:
 "Our final fix before the 4.12 release (hopefully).

  It's an error leg again: the fix to not bug on empty DMA transfers is
  returning the wrong code and confusing the block layer"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: return correct blkprep status code in case scsi_init_io() fails.
2017-04-24 13:31:08 -07:00
Linus Torvalds
3d339d3370 Merge branch 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus
Pull MIPS fixes from Ralf Baechle:
 "Another round of 4.11 for the MIPS architecture. This time around it's
  mostly arch but little platforms-specific code.

   - PCI: Register controllers in the right order to aoid a PCI error
   - KGDB: Use kernel context for sleeping threads
   - smp-cps: Fix potentially uninitialised value of core
   - KASLR: Fix build
   - ELF: Fix BUG() warning in arch_check_elf
   - Fix modversioning of _mcount symbol
   - fix out-of-tree defconfig target builds
   - cevt-r4k: Fix out-of-bounds array access
   - perf: fix deadlock
   - Malta: Fix i8259 irqchip setup"

* 'upstream' of git://git.linux-mips.org/pub/scm/ralf/upstream-linus:
  MIPS: PCI: add controllers before the specified head
  MIPS: KGDB: Use kernel context for sleeping threads
  MIPS: smp-cps: Fix potentially uninitialised value of core
  MIPS: KASLR: Add missing header files
  MIPS: Avoid BUG warning in arch_check_elf
  MIPS: Fix modversioning of _mcount symbol
  MIPS: generic: fix out-of-tree defconfig target builds
  MIPS: cevt-r4k: Fix out-of-bounds array access
  MIPS: perf: fix deadlock
  MIPS: Malta: Fix i8259 irqchip setup
2017-04-24 13:20:33 -07:00
David S. Miller
38baf3a68b mlx5-fixes-2017-04-22
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJY+9NgAAoJEEg/ir3gV/o+/RIH/2Ua/FvxWtnaXhLj9GPELdGx
 4Q2+ub43Q/F2cU2rIP0S/Ki3fEeOfk+IR87bvKBc+KTcLwUcBQloLjiLTxVOXSNY
 +NmE7T1gl7Sb4NzJ9lDVYbmUlDzWZixbFkQdZ6nZJTKecXuN+xooL7EWosyZKuFd
 FlDpIMacWlH2bMb/1U4lClg9MMPz8e37B9kJ0Vy/lert7NkVdXgYbPI2pKxweF9i
 7yH0pNLKYvIQOubZZ9A7gPhk+OGp6xLAo9pJF6xG8tQuXI59Fz6tcKGbNb8GdzZu
 g12EY2c75BxWJofPtvsDDM5i8ypwF3tfCqxDjw4h9F0wHGJv6tlh51vyuYA8ceg=
 =KnUF
 -----END PGP SIGNATURE-----

Merge tag 'mlx5-fixes-2017-04-22' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux

Saeed Mahameed says:

====================
Mellanox, mlx5 fixes 2017-04-22

This series contains some mlx5 fixes for net.

For your convenience, the series doesn't introduce any conflict with
the ongoing net-next pull request.

Please pull and let me know if there's any problem.

For -stable:
("net/mlx5: E-Switch, Correctly deal with inline mode on ConnectX-5") kernels >= 4.10
("net/mlx5e: Fix ETHTOOL_GRXCLSRLALL handling") kernels >= 4.8
("net/mlx5e: Fix small packet threshold")       kernels >= 4.7
("net/mlx5: Fix driver load bad flow when having fw initializing timeout") kernels >= 4.4
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 15:58:03 -04:00
David Ahern
fc1f8f4f31 net: ipv6: send unsolicited NA if enabled for all interfaces
When arp_notify is set to 1 for either a specific interface or for 'all'
interfaces, gratuitous arp requests are sent. Since ndisc_notify is the
ipv6 equivalent to arp_notify, it should follow the same semantics.
Commit 4a6e3c5def ("net: ipv6: send unsolicited NA on admin up") sends
the NA on admin up. The final piece is checking devconf_all->ndisc_notify
in addition to the per device setting. Add it.

Fixes: 5cb04436ee ("ipv6: add knob to send unsolicited ND on link-layer address change")
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 14:07:18 -04:00
Dan Carpenter
9199cb7677 ravb: Double free on error in ravb_start_xmit()
If skb_put_padto() fails then it frees the skb.  I shifted that code
up a bit to make my error handling a little simpler.

Fixes: a0d2f20650 ("Renesas Ethernet AVB PTP clock driver")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Acked-by: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 13:58:49 -04:00
Ansis Atteka
b40c5f4fde udp: disable inner UDP checksum offloads in IPsec case
Otherwise, UDP checksum offloads could corrupt ESP packets by attempting
to calculate UDP checksum when this inner UDP packet is already protected
by IPsec.

One way to reproduce this bug is to have a VM with virtio_net driver (UFO
set to ON in the guest VM); and then encapsulate all guest's Ethernet
frames in Geneve; and then further encrypt Geneve with IPsec.  In this
case following symptoms are observed:
1. If using ixgbe NIC, then it will complain with following error message:
   ixgbe 0000:01:00.1: partial checksum but l4 proto=32!
2. Receiving IPsec stack will drop all the corrupted ESP packets and
   increase XfrmInStateProtoError counter in /proc/net/xfrm_stat.
3. iperf UDP test from the VM with packet sizes above MTU will not work at
   all.
4. iperf TCP test from the VM will get ridiculously low performance because.

Signed-off-by: Ansis Atteka <aatteka@ovn.org>
Co-authored-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 13:48:54 -04:00
Jason A. Donenfeld
4d6fa57b4d macsec: avoid heap overflow in skb_to_sgvec
While this may appear as a humdrum one line change, it's actually quite
important. An sk_buff stores data in three places:

1. A linear chunk of allocated memory in skb->data. This is the easiest
   one to work with, but it precludes using scatterdata since the memory
   must be linear.
2. The array skb_shinfo(skb)->frags, which is of maximum length
   MAX_SKB_FRAGS. This is nice for scattergather, since these fragments
   can point to different pages.
3. skb_shinfo(skb)->frag_list, which is a pointer to another sk_buff,
   which in turn can have data in either (1) or (2).

The first two are rather easy to deal with, since they're of a fixed
maximum length, while the third one is not, since there can be
potentially limitless chains of fragments. Fortunately dealing with
frag_list is opt-in for drivers, so drivers don't actually have to deal
with this mess. For whatever reason, macsec decided it wanted pain, and
so it explicitly specified NETIF_F_FRAGLIST.

Because dealing with (1), (2), and (3) is insane, most users of sk_buff
doing any sort of crypto or paging operation calls a convenient function
called skb_to_sgvec (which happens to be recursive if (3) is in use!).
This takes a sk_buff as input, and writes into its output pointer an
array of scattergather list items. Sometimes people like to declare a
fixed size scattergather list on the stack; othertimes people like to
allocate a fixed size scattergather list on the heap. However, if you're
doing it in a fixed-size fashion, you really shouldn't be using
NETIF_F_FRAGLIST too (unless you're also ensuring the sk_buff and its
frag_list children arent't shared and then you check the number of
fragments in total required.)

Macsec specifically does this:

        size += sizeof(struct scatterlist) * (MAX_SKB_FRAGS + 1);
        tmp = kmalloc(size, GFP_ATOMIC);
        *sg = (struct scatterlist *)(tmp + sg_offset);
	...
        sg_init_table(sg, MAX_SKB_FRAGS + 1);
        skb_to_sgvec(skb, sg, 0, skb->len);

Specifying MAX_SKB_FRAGS + 1 is the right answer usually, but not if you're
using NETIF_F_FRAGLIST, in which case the call to skb_to_sgvec will
overflow the heap, and disaster ensues.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Cc: stable@vger.kernel.org
Cc: security@kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-04-24 13:46:58 -04:00