Commit Graph

782789 Commits

Author SHA1 Message Date
Linus Torvalds 4624d6ea1b MMC host:
- meson-mx-sdio: Fix OF child-node lookup
  - omap_hsmmc: Fix wakeirq handling on removal
 -----BEGIN PGP SIGNATURE-----
 
 iQJLBAABCgA1FiEEugLDXPmKSktSkQsV/iaEJXNYjCkFAluae48XHHVsZi5oYW5z
 c29uQGxpbmFyby5vcmcACgkQ/iaEJXNYjCn6uhAAg2pv2tvr0+9YqikncIzIu/OE
 64PPKjC99tyjC20MPurPPMEvdIDU+XmPUPp1BSarIdd796LBgKOu28hD89zxtip9
 8F/hQrF3e1J4Q4wp0i3r36w5rzsTUiN9Zf+x9mX0sC1Ph2vRl96HwJQfyl9j9i7j
 1AC5cpwjv/id8EbdFwQeqlz3pVHkGrg/Iu/J/Uxlon5TzDvFOlHsYqx9eQX5RTdW
 3jXubNc6cXdISiNCoLEb19NFHf58AFITjEqkm2e4l5wDQYIkQq7kp1n0xIuYJzjT
 O0mbWLsrz9Gdvw4E89PXb+QGNIlqPEZGdcBgm/M3RzbawH/RW21G2Yrv4WIzvV2I
 Fnw6rrbP8n6W33MgBnYOCSISRpq8wFm2QsFAfdxBjemUnVod/o3Bcgq4VlQOhqr5
 AR9aJtTttj/EyVqvngXKbyG4ANXBi3/c4z2VMioLb7f4wbCtnL07yZCanDkIcy2B
 W2x0vO+b2FUvVXgNOg2IU09FcbFDUhxCv5a9OS/NAKxkVPmcTg2G7KLbLW7Om6si
 VEKj6ti75yf3DFJ0atcPTnVcv7vae5ghXKXYyZd5KyhU85LLA9huctMMWPSg18ZP
 slkvyFXayykI5Xh6lJ/xbl0kembEf2+QyxNjR73WY5g7s1m2Zm4XcYPWPvYmn6G7
 aSZ3duOZvjGyow2hl8o=
 =wopj
 -----END PGP SIGNATURE-----

Merge tag 'mmc-v4.19-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc

Pull MMC host fixes from Ulf Hansson:

 - meson-mx-sdio: Fix OF child-node lookup

 - omap_hsmmc: Fix wakeirq handling on removal

* tag 'mmc-v4.19-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
  mmc: meson-mx-sdio: fix OF child-node lookup
  mmc: omap_hsmmc: fix wakeirq handling on removal
2018-09-13 18:49:23 -10:00
Linus Torvalds bd5bca1381 Pin control fixes for the v4.19 kernel cycle:
- A complicated IRQ fix for the MSM driver (see commit).
 
 - Fix the group/function check in the Ingenic driver.
 
 - Deal with a possible NULL pointer dereference in the Madera
   driver.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbmlOCAAoJEEEQszewGV1zXTAP+gLLyF9Txaa4t65wGYnbafoi
 6DgGHOCvgxvro8M1vlWViDLmGdHGvMqSA0kHdpur5H+91tHIsHFTvZwiUtOQrwiG
 nNJVK+ijNPLnVQNALqFbxasDCLs3FPQU+8KsQfQ/L4K3hz848+B/3Rqb/zxur/rY
 miGPgivvXqdKr//o+lh9ekK+xrc9Je1PMUoRbXaZWBVMNqRB38NnRpkcFmTnfYUS
 VGn6gXhJ33pajQCQOJLXppRP0z7hN5L1g8W2JOmZucZdRZjTVRxv99dUiFLxneEX
 r9mvAS4W0pQLZOSsmOFCc/R64W3Znr8sQaJjlH6La76zazNCE8wGYhOgFnfQgHoH
 z08WRSdd34xXGjzI0ipOHS0NdvM2V8tQQTSAzlE8qc5ItNSbyAmmHCrj9iodAQ7F
 B1N4/YQTfly8vlnO8jRWF1E3AJ6zcwLu8Irh4MiBqUPxSF9SsQvDJIoQsD0HpsT3
 bWl6dUmr96NhVwzuatITIfX8NHhR3YPTWgSir4ri4ybRuLTrA0iOH8UBfdegL0gM
 xLfAAQt1VjU4ZN2s9b+IzXjsB0N/TPCbxDFlLOGgxn1/hdU4e8+2oD6R9Ba98jLx
 e2DQ9D8raJo76069yQ0wzu92zFj5oEY71praWA3hDBa+HOzgx9xeryb9WHEzuYkR
 iCjRSnCUO3Mbf6EukIy3
 =g3Rc
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fixes from Linus Walleij:

 - A complicated IRQ fix for the MSM driver (see commit)

 - Fix the group/function check in the Ingenic driver

 - Deal with a possible NULL pointer dereference in the Madera driver

* tag 'pinctrl-v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: madera: Fix possible NULL pointer with pdata config
  pinctrl: ingenic: Fix group & function error checking
  pinctrl: msm: Really mask level interrupts to prevent latching
2018-09-13 18:47:45 -10:00
Linus Torvalds f1c03a4651 Merge branch 'for-4.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu
Pull percpu maintainership update from Tejun Heo:
 "This updates the MAINTAINERS file to transfer the percpu tree
  maintainership to Dennis Zhou.

  Dennis rewrote a good portion of the percpu allocator, knows most of
  percpu related code, is already listed as a co-maintainer, has been
  reliable, and now sits right behind me. I'll keep reviewing and
  involved with percpu stuff and am sure that Dennis will soon make a
  better maintainer than I ever was"

* 'for-4.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/percpu:
  MAINTAINERS: Make Dennis the percpu tree maintainer
2018-09-13 16:35:25 -10:00
Linus Torvalds 72d4c6e589 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rkuo/linux-hexagon-kernel
Pull hexagon fixes from Richard Kuo:
 "Some fixes for compile warnings"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rkuo/linux-hexagon-kernel:
  hexagon: modify ffs() and fls() to return int
  arch/hexagon: fix kernel/dma.c build warning
2018-09-13 16:33:26 -10:00
Linus Torvalds 1d176582c7 s390 fixes for 4.19-rc4
One fix for the zcrypt driver to correctly handle incomplete
 encryption/decryption operations.
 
 A cleanup for the aqmask/apmask parsing to avoid variable
 length arrays on the stack.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQEcBAABCAAGBQJbmkYUAAoJEDjwexyKj9rgrugH/21Uf1S0mkkRfDeYxD6lJva6
 zNmEZ3V+GXc8L/0CisFWQOcIU1fO+jozp9HPGkQxeTvAuqIfVhBRVoMMxiTRaZb3
 xdSBel8EvAGxlZq/6eq6fU59HPWGm+N53rC9J5MMQQqgpSmq8F2QeO5CoidflRh8
 bdio9cliLsjPu+3P2JU3noolhb/f577J3dgP4gKARRpOfh8vUI7NLU3Mham+7886
 ASjG8s/zr9spPnrErJusloOLDJt4M94J8KrIbB/WAT1wZv7GxClaGsCoyCuk4cDt
 TV8zIgMK9TChedwMOO0T8WMaxq+XJV+iI0dC1eZ7xNUlaIBw+UbifxCG335L3E0=
 =dHq1
 -----END PGP SIGNATURE-----

Merge tag 's390-4.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux

Pull s390 fixes from Martin Schwidefsky:

 - One fix for the zcrypt driver to correctly handle incomplete
   encryption/decryption operations.

 - A cleanup for the aqmask/apmask parsing to avoid variable length
   arrays on the stack.

* tag 's390-4.19-3' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
  s390/zcrypt: remove VLA usage from the AP bus
  s390/crypto: Fix return code checking in cbc_paes_crypt()
2018-09-13 16:22:24 -10:00
Linus Torvalds 7a9cdebdcc mm: get rid of vmacache_flush_all() entirely
Jann Horn points out that the vmacache_flush_all() function is not only
potentially expensive, it's buggy too.  It also happens to be entirely
unnecessary, because the sequence number overflow case can be avoided by
simply making the sequence number be 64-bit.  That doesn't even grow the
data structures in question, because the other adjacent fields are
already 64-bit.

So simplify the whole thing by just making the sequence number overflow
case go away entirely, which gets rid of all the complications and makes
the code faster too.  Win-win.

[ Oleg Nesterov points out that the VMACACHE_FULL_FLUSHES statistics
  also just goes away entirely with this ]

Reported-by: Jann Horn <jannh@google.com>
Suggested-by: Will Deacon <will.deacon@arm.com>
Acked-by: Davidlohr Bueso <dave@stgolabs.net>
Cc: Oleg Nesterov <oleg@redhat.com>
Cc: stable@kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2018-09-13 15:18:04 -10:00
Dave Airlie 2b6318a09f Merge branch 'linux-4.19' of git://github.com/skeggsb/linux into drm-fixes
One more nouveau fix to remove some debug warnings.

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Ben Skeggs <bskeggs@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/CABDvA==GF63dy8a9j611=-0x8G6FRu7uC-ZQypsLO_hqV4OAcA@mail.gmail.com
2018-09-14 09:38:42 +10:00
Dave Airlie 25824ca38e Merge branch 'drm-fixes-4.19' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
A few fixes for 4.19:
- Fix a small memory leak
- SR-IOV reset fix
- Fix locking in MMU-notifier error path
- Updated SDMA golden settings to fix a PRT hang

Signed-off-by: Dave Airlie <airlied@redhat.com>
From: Alex Deucher <alexdeucher@gmail.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180912154735.2683-1-alexander.deucher@amd.com
2018-09-14 09:36:35 +10:00
Dave Airlie db7f06d490 This contains a regression fix for video playbacks on gen 2 hardware,
a IPS timeout error suppression on Broadwell and GVT bucked with
 "Most critical one is to fix KVM's mm reference when we access guest memory,
 issue was raised by Linus [1], and another one with virtual opregion fix."
 
 [1] - https://lists.freedesktop.org/archives/intel-gvt-dev/2018-August/004130.html
 -----BEGIN PGP SIGNATURE-----
 
 iQEcBAABAgAGBQJbmEJvAAoJEPpiX2QO6xPKNNMIAItkqjJpqsGZq0Ii1/ph3D9U
 gX3Jj4H7ZoAoE/c+wx2nNADjmn8RhV7PnKrGFuXmLkRJaNJllXA8U7h7YfWqRBT9
 jQ0RIuFdbfiRrwHmqtEZ2q3XP4HCWbdSIigimO/Lk/A2l+sCY8oA+9bGB7IRxeRV
 e162GARNsxN0a8D+5i+KR0mrTezSoKOvYFtUFp76UKUDAKrK85XNQsn1TR8ZMXGC
 fIi03y6ZM66I+bzIsq15HEj/jrRcaXm7xjd94/HetqeVJaEOEs2ztfaex+v3yDnC
 meWZKWCJ5x9noqHTO3XdHJGlKnfFQxopZsINNiqpqwOKpH7oaHWyAnnUrafJfhA=
 =/IQQ
 -----END PGP SIGNATURE-----

Merge tag 'drm-intel-fixes-2018-09-11' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes

This contains a regression fix for video playbacks on gen 2 hardware,
a IPS timeout error suppression on Broadwell and GVT bucked with
"Most critical one is to fix KVM's mm reference when we access guest memory,
issue was raised by Linus [1], and another one with virtual opregion fix."

[1] - https://lists.freedesktop.org/archives/intel-gvt-dev/2018-August/004130.html

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20180911223229.GA30328@intel.com
2018-09-14 09:33:16 +10:00
Johannes Berg 1cebf8f143 socket: fix struct ifreq size in compat ioctl
As reported by Reobert O'Callahan, since Viro's commit to kill
dev_ifsioc() we attempt to copy too much data in compat mode,
which may lead to EFAULT when the 32-bit version of struct ifreq
sits at/near the end of a page boundary, and the next page isn't
mapped.

Fix this by passing the approprate compat/non-compat size to copy
and using that, as before the dev_ifsioc() removal. This works
because only the embedded "struct ifmap" has different size, and
this is only used in SIOCGIFMAP/SIOCSIFMAP which has a different
handler. All other parts of the union are naturally compatible.

This fixes https://bugzilla.kernel.org/show_bug.cgi?id=199469.

Fixes: bf4405737f ("kill dev_ifsioc()")
Reported-by: Robert O'Callahan <robert@ocallahan.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 16:01:06 -07:00
Tejun Heo 1194c41546 MAINTAINERS: Make Dennis the percpu tree maintainer
Dennis rewrote a significant portion of the percpu allocator and has
shown that he can respond in a timely and helpful manner when issues
are reported against percpu allocator.

Let's make Dennis the percpu tree maintainer.

Signed-off-by: Tejun Heo <tj@kernel.org>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Christoph Lameter <cl@linux.com>
2018-09-13 12:16:36 -07:00
Toke Høiland-Jørgensen c56cae23c6 gso_segment: Reset skb->mac_len after modifying network header
When splitting a GSO segment that consists of encapsulated packets, the
skb->mac_len of the segments can end up being set wrong, causing packet
drops in particular when using act_mirred and ifb interfaces in
combination with a qdisc that splits GSO packets.

This happens because at the time skb_segment() is called, network_header
will point to the inner header, throwing off the calculation in
skb_reset_mac_len(). The network_header is subsequently adjust by the
outer IP gso_segment handlers, but they don't set the mac_len.

Fix this by adding skb_reset_mac_len() calls to both the IPv4 and IPv6
gso_segment handlers, after they modify the network_header.

Many thanks to Eric Dumazet for his help in identifying the cause of
the bug.

Acked-by: Dave Taht <dave.taht@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 12:09:32 -07:00
David S. Miller bffb9b51a2 Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth
Johan Hedberg says:

====================
pull request: bluetooth 2018-09-13

A few Bluetooth fixes for the 4.19-rc series:

 - Fixed rw_semaphore leak in hci_ldisc
 - Fixed local Out-of-Band pairing data handling

Let me know if there are any issues pulling. Thanks.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 12:06:12 -07:00
David S. Miller 79140335ac Merge branch 'tls-don-t-leave-keys-in-kernel-memory'
Sabrina Dubroca says:

====================
tls: don't leave keys in kernel memory

There are a few places where the RX/TX key for a TLS socket is copied
to kernel memory. This series clears those memory areas when they're no
longer needed.

v2: add union tls_crypto_context, following Vakul Garg's comment
    swap patch 2 and 3, using new union in patch 3
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 12:03:47 -07:00
Sabrina Dubroca c844eb46b7 tls: clear key material from kernel memory when do_tls_setsockopt_conf fails
Fixes: 3c4d755915 ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 12:03:47 -07:00
Sabrina Dubroca 86029d10af tls: zero the crypto information from tls_context before freeing
This contains key material in crypto_send_aes_gcm_128 and
crypto_recv_aes_gcm_128.

Introduce union tls_crypto_context, and replace the two identical
unions directly embedded in struct tls_context with it. We can then
use this union to clean up the memory in the new tls_ctx_free()
function.

Fixes: 3c4d755915 ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 12:03:47 -07:00
Sabrina Dubroca 7cba09c6d5 tls: don't copy the key out of tls12_crypto_info_aes_gcm_128
There's no need to copy the key to an on-stack buffer before calling
crypto_aead_setkey().

Fixes: 3c4d755915 ("tls: kernel TLS support")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 12:03:47 -07:00
Vasily Khoruzhick f0e0d04413 neighbour: confirm neigh entries when ARP packet is received
Update 'confirmed' timestamp when ARP packet is received. It shouldn't
affect locktime logic and anyway entry can be confirmed by any higher-layer
protocol. Thus it makes sense to confirm it when ARP packet is received.

Fixes: 77d7123342 ("neighbour: update neigh timestamps iff update is effective")
Signed-off-by: Vasily Khoruzhick <vasilykh@arista.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 12:01:29 -07:00
Roopa Prabhu 56a49d7048 net: rtnl_configure_link: fix dev flags changes arg to __dev_notify_flags
This fix addresses https://bugzilla.kernel.org/show_bug.cgi?id=201071

Commit 5025f7f7d5 wrongly relied on __dev_change_flags to notify users of
dev flag changes in the case when dev->rtnl_link_state = RTNL_LINK_INITIALIZED.
Fix it by indicating flag changes explicitly to __dev_notify_flags.

Fixes: 5025f7f7d5 ("rtnetlink: add rtnl_link_state check in rtnl_configure_link")
Reported-By: Liam mcbirnie <liam.mcbirnie@boeing.com>
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 11:01:32 -07:00
Willy Tarreau 9824dfae57 net/appletalk: fix minor pointer leak to userspace in SIOCFINDIPDDPRT
Fields ->dev and ->next of struct ipddp_route may be copied to
userspace on the SIOCFINDIPDDPRT ioctl. This is only accessible
to CAP_NET_ADMIN though. Let's manually copy the relevant fields
instead of using memcpy().

BugLink: http://blog.infosectcbr.com.au/2018/09/linux-kernel-infoleaks.html
Cc: Jann Horn <jannh@google.com>
Signed-off-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 10:35:57 -07:00
Stephen Hemminger 018349d70f hv_netvsc: fix schedule in RCU context
When netvsc device is removed it can call reschedule in RCU context.
This happens because canceling the subchannel setup work could (in theory)
cause a reschedule when manipulating the timer.

To reproduce, run with lockdep enabled kernel and unbind
a network device from hv_netvsc (via sysfs).

[  160.682011] WARNING: suspicious RCU usage
[  160.707466] 4.19.0-rc3-uio+ #2 Not tainted
[  160.709937] -----------------------------
[  160.712352] ./include/linux/rcupdate.h:302 Illegal context switch in RCU read-side critical section!
[  160.723691]
[  160.723691] other info that might help us debug this:
[  160.723691]
[  160.730955]
[  160.730955] rcu_scheduler_active = 2, debug_locks = 1
[  160.762813] 5 locks held by rebind-eth.sh/1812:
[  160.766851]  #0: 000000008befa37a (sb_writers#6){.+.+}, at: vfs_write+0x184/0x1b0
[  160.773416]  #1: 00000000b097f236 (&of->mutex){+.+.}, at: kernfs_fop_write+0xe2/0x1a0
[  160.783766]  #2: 0000000041ee6889 (kn->count#3){++++}, at: kernfs_fop_write+0xeb/0x1a0
[  160.787465]  #3: 0000000056d92a74 (&dev->mutex){....}, at: device_release_driver_internal+0x39/0x250
[  160.816987]  #4: 0000000030f6031e (rcu_read_lock){....}, at: netvsc_remove+0x1e/0x250 [hv_netvsc]
[  160.828629]
[  160.828629] stack backtrace:
[  160.831966] CPU: 1 PID: 1812 Comm: rebind-eth.sh Not tainted 4.19.0-rc3-uio+ #2
[  160.832952] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v1.0 11/26/2012
[  160.832952] Call Trace:
[  160.832952]  dump_stack+0x85/0xcb
[  160.832952]  ___might_sleep+0x1a3/0x240
[  160.832952]  __flush_work+0x57/0x2e0
[  160.832952]  ? __mutex_lock+0x83/0x990
[  160.832952]  ? __kernfs_remove+0x24f/0x2e0
[  160.832952]  ? __kernfs_remove+0x1b2/0x2e0
[  160.832952]  ? mark_held_locks+0x50/0x80
[  160.832952]  ? get_work_pool+0x90/0x90
[  160.832952]  __cancel_work_timer+0x13c/0x1e0
[  160.832952]  ? netvsc_remove+0x1e/0x250 [hv_netvsc]
[  160.832952]  ? __lock_is_held+0x55/0x90
[  160.832952]  netvsc_remove+0x9a/0x250 [hv_netvsc]
[  160.832952]  vmbus_remove+0x26/0x30
[  160.832952]  device_release_driver_internal+0x18a/0x250
[  160.832952]  unbind_store+0xb4/0x180
[  160.832952]  kernfs_fop_write+0x113/0x1a0
[  160.832952]  __vfs_write+0x36/0x1a0
[  160.832952]  ? rcu_read_lock_sched_held+0x6b/0x80
[  160.832952]  ? rcu_sync_lockdep_assert+0x2e/0x60
[  160.832952]  ? __sb_start_write+0x141/0x1a0
[  160.832952]  ? vfs_write+0x184/0x1b0
[  160.832952]  vfs_write+0xbe/0x1b0
[  160.832952]  ksys_write+0x55/0xc0
[  160.832952]  do_syscall_64+0x60/0x1b0
[  160.832952]  entry_SYSCALL_64_after_hwframe+0x49/0xbe
[  160.832952] RIP: 0033:0x7fe48f4c8154

Resolve this by getting RTNL earlier. This is safe because the subchannel
work queue does trylock on RTNL and will detect the race.

Fixes: 7b2ee50c0c ("hv_netvsc: common detach logic")
Signed-off-by: Stephen Hemminger <sthemmin@microsoft.com>
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 10:30:26 -07:00
Bin Yang 831b624df1 pstore: Fix incorrect persistent ram buffer mapping
persistent_ram_vmap() returns the page start vaddr.
persistent_ram_iomap() supports non-page-aligned mapping.

persistent_ram_buffer_map() always adds offset-in-page to the vaddr
returned from these two functions, which causes incorrect mapping of
non-page-aligned persistent ram buffer.

By default ftrace_size is 4096 and max_ftrace_cnt is nr_cpu_ids. Without
this patch, the zone_sz in ramoops_init_przs() is 4096/nr_cpu_ids which
might not be page aligned. If the offset-in-page > 2048, the vaddr will be
in next page. If the next page is not mapped, it will cause kernel panic:

[    0.074231] BUG: unable to handle kernel paging request at ffffa19e0081b000
...
[    0.075000] RIP: 0010:persistent_ram_new+0x1f8/0x39f
...
[    0.075000] Call Trace:
[    0.075000]  ramoops_init_przs.part.10.constprop.15+0x105/0x260
[    0.075000]  ramoops_probe+0x232/0x3a0
[    0.075000]  platform_drv_probe+0x3e/0xa0
[    0.075000]  driver_probe_device+0x2cd/0x400
[    0.075000]  __driver_attach+0xe4/0x110
[    0.075000]  ? driver_probe_device+0x400/0x400
[    0.075000]  bus_for_each_dev+0x70/0xa0
[    0.075000]  driver_attach+0x1e/0x20
[    0.075000]  bus_add_driver+0x159/0x230
[    0.075000]  ? do_early_param+0x95/0x95
[    0.075000]  driver_register+0x70/0xc0
[    0.075000]  ? init_pstore_fs+0x4d/0x4d
[    0.075000]  __platform_driver_register+0x36/0x40
[    0.075000]  ramoops_init+0x12f/0x131
[    0.075000]  do_one_initcall+0x4d/0x12c
[    0.075000]  ? do_early_param+0x95/0x95
[    0.075000]  kernel_init_freeable+0x19b/0x222
[    0.075000]  ? rest_init+0xbb/0xbb
[    0.075000]  kernel_init+0xe/0xfc
[    0.075000]  ret_from_fork+0x3a/0x50

Signed-off-by: Bin Yang <bin.yang@intel.com>
[kees: add comments describing the mapping differences, updated commit log]
Fixes: 24c3d2f342 ("staging: android: persistent_ram: Make it possible to use memory outside of bootmem")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
2018-09-13 09:14:57 -07:00
Cong Wang f5b9bac745 net_sched: notify filter deletion when deleting a chain
When we delete a chain of filters, we need to notify
user-space we are deleting each filters in this chain
too.

Fixes: 32a4f5ecd7 ("net: sched: introduce chain object to uapi")
Cc: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 09:07:40 -07:00
Takashi Iwai 37a3a98ef6 ALSA: hda - Enable runtime PM only for discrete GPU
The recent change of vga_switcheroo allowed the runtime PM for
HD-audio on AMD GPUs, but this also resulted in a regression.  When
the HD-audio controller driver gets runtime-suspended, HD-audio link
is turned off, and the hotplug notification is ignored.  This leads to
the inconsistent audio state (the connection isn't notified and ELD is
ignored).

The best fix would be to implement the proper ELD notification via the
audio component, but it's still not ready.  As a quick workaround,
this patch adds the check of runtime_idle and allows the runtime
suspend only when the vga_switcheroo is bound with discrete GPU.
That is, a system with a single GPU and APU would be again without
runtime PM to keep the HD-audio link for the hotplug notification and
ELD read out.

Also, the codec->auto_runtime_pm flag is set only for the discrete GPU
at the time GPU gets bound via vga_switcheroo (i.e. only dGPU is
forcibly runtime-PM enabled), so that APU can still get the ELD
notification.

For identifying which GPU is bound, a new vga_switcheroo client
callback, gpu_bound, is implemented.  The vga_switcheroo simply calls
this when GPU is bound, and tells whether it's dGPU or APU.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=200945
Fixes: 07f4f97d7b ("vga_switcheroo: Use device link for HDA controller")
Reported-by: Jian-Hong Pan <jian-hong@endlessm.com>
Tested-by: Jian-Hong Pan <jian-hong@endlessm.com>
Acked-by: Lukas Wunner <lukas@wunner.de>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-09-13 17:58:30 +02:00
Juergen Gross ad4f15dc2c xen/netfront: don't bug in case of too many frags
Commit 57f230ab04 ("xen/netfront: raise max number of slots in
xennet_get_responses()") raised the max number of allowed slots by one.
This seems to be problematic in some configurations with netback using
a larger MAX_SKB_FRAGS value (e.g. old Linux kernel with MAX_SKB_FRAGS
defined as 18 instead of nowadays 17).

Instead of BUG_ON() in this case just fall back to retransmission.

Fixes: 57f230ab04 ("xen/netfront: raise max number of slots in xennet_get_responses()")
Cc: stable@vger.kernel.org
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 08:22:15 -07:00
Xin Long 22d0bd82cc ipv6: use rt6_info members when dst is set in rt6_fill_node
In inet6_rtm_getroute, since Commit 93531c6743 ("net/ipv6: separate
handling of FIB entries from dst based routes"), it has used rt->from
to dump route info instead of rt.

However for some route like cache, some of its information like flags
or gateway is not the same as that of the 'from' one. It caused 'ip
route get' to dump the wrong route information.

In Jianlin's testing, the output information even lost the expiration
time for a pmtu route cache due to the wrong fib6_flags.

So change to use rt6_info members for dst addr, src addr, flags and
gateway when it tries to dump a route entry without fibmatch set.

v1->v2:
  - not use rt6i_prefsrc.
  - also fix the gw dump issue.

Fixes: 93531c6743 ("net/ipv6: separate handling of FIB entries from dst based routes")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-13 08:20:37 -07:00
Takashi Sakamoto 498fe23aad ALSA: oxfw: fix memory leak of private data
Although private data of sound card instance is usually allocated in the
tail of the instance, drivers in ALSA firewire stack allocate the private
data before allocating the instance. In this case, the private data
should be released explicitly at .private_free callback of the instance.

This commit fixes memory leak following to the above design.

Fixes: 6c29230e2a ('ALSA: oxfw: delayed registration of sound card')
Cc: <stable@vger.kernel.org> # v4.7+
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-09-13 15:15:39 +02:00
Takashi Sakamoto 8d28277c06 ALSA: firewire-tascam: fix memory leak of private data
Although private data of sound card instance is usually allocated in the
tail of the instance, drivers in ALSA firewire stack allocate the private
data before allocating the instance. In this case, the private data
should be released explicitly at .private_free callback of the instance.

This commit fixes memory leak following to the above design.

Fixes: b610386c8a ('ALSA: firewire-tascam: deleyed registration of sound card')
Cc: <stable@vger.kernel.org> # v4.7+
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-09-13 15:14:39 +02:00
Takashi Sakamoto a49a83ab05 ALSA: firewire-digi00x: fix memory leak of private data
Although private data of sound card instance is usually allocated in the
tail of the instance, drivers in ALSA firewire stack allocate the private
data before allocating the instance. In this case, the private data
should be released explicitly at .private_free callback of the instance.

This commit fixes memory leak following to the above design.

Fixes: 86c8dd7f4d ('ALSA: firewire-digi00x: delayed registration of sound card')
Cc: <stable@vger.kernel.org> # v4.7+
Signed-off-by: Takashi Sakamoto <o-takashi@sakamocchi.jp>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
2018-09-13 15:12:57 +02:00
Linus Torvalds 54eda9df17 pci-v4.19-fixes-1
-----BEGIN PGP SIGNATURE-----
 
 iQJIBAABCgAyFiEEgMe7l+5h9hnxdsnuWYigwDrT+vwFAluZ1pkUHGJoZWxnYWFz
 QGdvb2dsZS5jb20ACgkQWYigwDrT+vxllw//R9UVckBvd7AUseb/8EMUt3GIqvhy
 xy9thJy9cygQF+6Ti9K9TA4aTTriyW7Ur4/lvlSnciffYiZhydaR6MJEgO9+C3wa
 v/Ev9dUHYANVT8z3Q7KVwu1KaNXcb3RBIs0rg0BAqJUzhMNZo4i5NJzxTC5DvnzB
 P8brxz8Oa+IiAdBkJyDDuJ7QK+yIiApcbYWdcnAEwuSxTh3vBSEFjr9hks6TPZUd
 Vp5k2kYOdaslBBKg2yRqK3NcUaWNVpoqXJkVnFpfd6OA3aDPQ79t20se5lkMbpK+
 CbbXWgE2LXnh0wfTDx1nexD9/PbkGHO+NxKX0LRHnedBbWGlOoQVoaXIe/7x79cX
 EWyDG+r0SC5QD5Paj/OtD+Is98PsP5AUiddxnZRUnyIZlJHe9Ja8vV0SuAus8Pjt
 E5AarnLVLrCZGU3XIqj4vy1Kh12TZp2ZaBdFnNkdW+cL7XcRHm9wTEtn4COJKKy5
 MvW2VnEMbIy+JmXZ16R67Ggc9/yU6W/qjzauw0+BkdJSHnrKWRDkfVcuSYf7LquD
 INcTpRekBEPyrgsc5IRvJc+UE7AXUYPpkJ6VkNNwXuB+AVB/3s7LjTEoboWYEp1Y
 QSC4BYClEaUVStgQQ7mTRzvIacIIoYQcEhTJOLVZ2R2o4bWJxZ8Aio2sT2MssZfL
 S6/6csccKXNLS+E=
 =oXm8
 -----END PGP SIGNATURE-----

Merge tag 'pci-v4.19-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:

 - Add Tyrel Datwyler as maintainer for PPC64 RPA hotplug (Tyrel
   Datwyler)

 - Add Gustavo Pimentel as DesignWare PCI maintainer (Joao Pinto)

 - Fix a Switchtec Spectre v1 vulnerability (Gustavo A. R. Silva)

 - Revert an unnecessary Intel 300 ACS quirk (Mika Westerberg)

 - Fix pciehp hot-add/powerfault detection that left indicators in wrong
   state (Keith Busch)

 - Fix pci_reset_bus() logic error (Dennis Dalessandro)

 - Revert IB/hfi1 PCI reset change that caused a deadlock (Dennis
   Dalessandro)

 - Allow enabling PASID on Root Complex Integrated Endpoints (Felix
   Kuehling)

* tag 'pci-v4.19-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  PCI: Fix enabling of PASID on RC integrated endpoints
  IB/hfi1,PCI: Allow bus reset while probing
  PCI: Fix faulty logic in pci_reset_bus()
  PCI: pciehp: Fix hot-add vs powerfault detection order
  switchtec: Fix Spectre v1 vulnerability
  Revert "PCI: Add ACS quirk for Intel 300 series"
  MAINTAINERS: Add Gustavo Pimentel as DesignWare PCI maintainer
  MAINTAINERS: Add entries for PPC64 RPA PCI hotplug drivers
2018-09-12 19:39:56 -10:00
Linus Torvalds d3bd5973c7 A few fixes that came around or after the merge window, except
for cd2315d "ipmi: kcs_bmc: don't change device name" which is for a
 driver that very few people use, and those people need the change.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJbmb2pAAoJEGHzjJCRm/+B73kP/j+dbKDEYJoBzHl+ni7yJNnv
 gfmmJ8mmjB0ia7Y8rAcd3VkyzUnTtRliHs8j78VLmMHHOfQYR55xWbJmV53qJnTA
 umq4SaDpmLAxnCxRlmaB6/s2HvMFVXWzgs4Ke8xVqA8cL37i/JDyHBe1wc+xkZcB
 6rj5Sg8WgJTsbybTOCDvSAN99tdo5o8TjfTLk94isVuEbFz/3qcsIxdofJQvYwJ8
 c/TC5zVY6pvUmTZEl6bIBT1GzLRnrCpijM4GBsmKCrL/ZRb+UW/vryWUcKMxs6oY
 IhCfXAM6rl83cgfH6SHZjjruDMnUFZxpyQvR+bqEnZpp3RJ5D5SQQkLNMwrR9cCV
 wdIz/n+LYATbiSOUJgJOlFsjUv1xQ4V1F92Krln8Kir/+rDkkb/75mBS7edNl606
 iPQDdrg193Rz8xEqmuf9CcmRsft+9QxcdzsSOt8ZZQSHIS1TAyQc1pwtkFeyExXP
 n1CVbx3+toX2J9LGfUq0h4ntcEcfW9qZRz8gAhZ4Gj5S4N3ih2KU2xo8lRQ+HRAk
 8XGnSy/6IidnPn/r7onvC37RoDNltSPELm1CZxt510dZWX0GQw6G5e/TParjbvqY
 3HsJZ3fGsWyzCDcblfBS010Rdz4K4vb2KFZ1da4Xrt568g1ciLY/BJrrn6ltSif/
 hmxDJ/KY4iMfwiPz/E20
 =nuBB
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-4.19' of git://github.com/cminyard/linux-ipmi

Pull IPMI bugfixes from Corey Minyard:
 "A few fixes that came around or after the merge window, except for
  commit cd2315d471 ("ipmi: kcs_bmc: don't change device name") which
  is for a driver that very few people use, and those people need the
  change"

* tag 'for-linus-4.19' of git://github.com/cminyard/linux-ipmi:
  ipmi: Fix NULL pointer dereference in ssif_probe
  ipmi: Fix I2C client removal in the SSIF driver
  ipmi: Move BT capabilities detection to the detect call
  ipmi: Rework SMI registration failure
  ipmi: kcs_bmc: don't change device name
2018-09-12 19:33:56 -10:00
Brijesh Singh 3702a0585e crypto: ccp - add timeout support in the SEV command
Currently, the CCP driver assumes that the SEV command issued to the PSP
will always return (i.e. it will never hang).  But recently, firmware bugs
have shown that a command can hang.  Since of the SEV commands are used
in probe routines, this can cause boot hangs and/or loss of virtualization
capabilities.

To protect against firmware bugs, add a timeout in the SEV command
execution flow.  If a command does not complete within the specified
timeout then return -ETIMEOUT and stop the driver from executing any
further commands since the state of the SEV firmware is unknown.

Cc: Tom Lendacky <thomas.lendacky@amd.com>
Cc: Gary Hook <Gary.Hook@amd.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Brijesh Singh <brijesh.singh@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2018-09-13 13:27:43 +08:00
Linus Torvalds 7428b2e5d0 nouveau runpm and MST race fixes.
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJbmLg2AAoJEAx081l5xIa+794QAJeBd7XnrQtMS+BWMet0G4Dh
 yY1t3LAsP75GiyI73Zbf1mWIdNk1hxli9+9+XVSrK9Yt2oh/AD+Q8BBGW7V3b17S
 BvpAhKdQNJut8NskfTKvFE5lz/oMrJCKYFYh/vwigfOXo9ELg9imUcKMQJqHLzPP
 SEiS4EgQ00h97FSodqYLj8E8sSIGx61xKkCBgczcpXq6SrxQAIZGW0Ut7cKUebl+
 VON1sccI6xKCqVHqv/mqkm/Cugc5c6bj+AUII9NvXljAKptNjb8c813XbjwCCfzC
 5OMX084ZXl94jAbqZjJXDYu640tkUpx1+o3eJZOfWz4dM7oTWU59+AHxytQWmF8P
 T73o9+r93cQSP0YUb070LkSPr/YSBldb3PFk22mzRX1kHeHPuLzMGGr37Xj/3RI9
 Uilddus6n2S7JzLdPl3RNLnDfVwRopc/E7VUbUCMDKrbHjV2tvsyZvBDDgPXCU68
 cxG/VXKQsa4yicMbXUCjl+vGwaXZLve1wGGx/ee9Ooaqa7b7L297NWpxqhl3PjhL
 G2gySbwa7gItRPw34fhNlzmEoNFk+JyAp3EOYOZQM78+IBKRSwhDVJOrbAjY+H1F
 c+sUOdBk+yLQ15MVbhFeq+1puJETnV3ZmJgHjNDUUhRcJamilqfLBNiNUfGm4Pqp
 9E8QZTq8BgZqWJE9ep0m
 =GbIW
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-2018-09-12' of git://anongit.freedesktop.org/drm/drm

Pull drm nouveau fixes from Dave Airlie:
 "I'm sending this separately as it's a bit larger than I generally like
  for one driver, but it does contain a bunch of make my nvidia laptop
  not die (runpm) and a bunch to make my docking station and monitor
  display stuff (mst) fixes.

  Lyude has spent a lot of time on these, and we are putting the fixes
  into distro kernels as well asap, as it helps a bunch of standard
  Lenovo laptops, so I'm fairly happy things are better than they were
  before these patches, but I decided to split them out just for
  clarification"

* tag 'drm-fixes-2018-09-12' of git://anongit.freedesktop.org/drm/drm:
  drm/nouveau/disp/gm200-: enforce identity-mapped SOR assignment for LVDS/eDP panels
  drm/nouveau/disp: fix DP disable race
  drm/nouveau/disp: move eDP panel power handling
  drm/nouveau/disp: remove unused struct member
  drm/nouveau/TBDdevinit: don't fail when PMU/PRE_OS is missing from VBIOS
  drm/nouveau/mmu: don't attempt to dereference vmm without valid instance pointer
  drm/nouveau: fix oops in client init failure path
  drm/nouveau: Fix nouveau_connector_ddc_detect()
  drm/nouveau/drm/nouveau: Don't forget to cancel hpd_work on suspend/unload
  drm/nouveau/drm/nouveau: Prevent handling ACPI HPD events too early
  drm/nouveau: Reset MST branching unit before enabling
  drm/nouveau: Only write DP_MSTM_CTRL when needed
  drm/nouveau: Remove useless poll_enable() call in drm_load()
  drm/nouveau: Remove useless poll_disable() call in switcheroo_set_state()
  drm/nouveau: Remove useless poll_enable() call in switcheroo_set_state()
  drm/nouveau: Fix deadlocks in nouveau_connector_detect()
  drm/nouveau/drm/nouveau: Use pm_runtime_get_noresume() in connector_detect()
  drm/nouveau/drm/nouveau: Fix deadlock with fb_helper with async RPM requests
  drm/nouveau: Remove duplicate poll_enable() in pmops_runtime_suspend()
  drm/nouveau/drm/nouveau: Fix bogus drm_kms_helper_poll_enable() placement
2018-09-12 17:36:47 -10:00
Linus Torvalds 67b076095d Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Fix up several Kconfig dependencies in netfilter, from Martin Willi
    and Florian Westphal.

 2) Memory leak in be2net driver, from Petr Oros.

 3) Memory leak in E-Switch handling of mlx5 driver, from Raed Salem.

 4) mlx5_attach_interface needs to check for errors, from Huy Nguyen.

 5) tipc_release() needs to orphan the sock, from Cong Wang.

 6) Need to program TxConfig register after TX/RX is enabled in r8169
    driver, not beforehand, from Maciej S. Szmigiero.

 7) Handle 64K PAGE_SIZE properly in ena driver, from Netanel Belgazal.

 8) Fix crash regression in ip_do_fragment(), from Taehee Yoo.

 9) syzbot can create conditions where kernel log is flooded with
    synflood warnings due to creation of many listening sockets, fix
    that. From Willem de Bruijn.

10) Fix RCU issues in rds socket layer, from Cong Wang.

11) Fix vlan matching in nfp driver, from Pieter Jansen van Vuuren.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (59 commits)
  nfp: flower: reject tunnel encap with ipv6 outer headers for offloading
  nfp: flower: fix vlan match by checking both vlan id and vlan pcp
  tipc: check return value of __tipc_dump_start()
  s390/qeth: don't dump past end of unknown HW header
  s390/qeth: use vzalloc for QUERY OAT buffer
  s390/qeth: switch on SG by default for IQD devices
  s390/qeth: indicate error when netdev allocation fails
  rds: fix two RCU related problems
  r8169: Clear RTL_FLAG_TASK_*_PENDING when clearing RTL_FLAG_TASK_ENABLED
  erspan: fix error handling for erspan tunnel
  erspan: return PACKET_REJECT when the appropriate tunnel is not found
  tcp: rate limit synflood warnings further
  MIPS: lantiq: dma: add dev pointer
  netfilter: xt_hashlimit: use s->file instead of s->private
  netfilter: nfnetlink_queue: Solve the NFQUEUE/conntrack clash for NF_REPEAT
  netfilter: cttimeout: ctnl_timeout_find_get() returns incorrect pointer to type
  netfilter: conntrack: timeout interface depend on CONFIG_NF_CONNTRACK_TIMEOUT
  netfilter: conntrack: reset tcp maxwin on re-register
  qmi_wwan: Support dynamic config on Quectel EP06
  ethernet: renesas: convert to SPDX identifiers
  ...
2018-09-12 17:32:50 -10:00
Ben Skeggs 3483f08106 drm/nouveau/devinit: fix warning when PMU/PRE_OS is missing
Messed up when sending pull request and sent an outdated version of
previous patch, this fixes it up to remove warnings.

Signed-off-by: Ben Skeggs <bskeggs@redhat.com>
2018-09-13 10:56:58 +10:00
Jens Axboe b228ba1cb9 null_blk: fix zoned support for non-rq based operation
The supported added for zones in null_blk seem to assume that only rq
based operation is possible. But this depends on the queue_mode setting,
if this is set to 0, then cmd->bio is what we need to be operating on.
Right now any attempt to load null_blk with queue_mode=0 will
insta-crash, since cmd->rq is NULL and null_handle_cmd() assumes it to
always be set.

Make the zoned code deal with bio's instead, or pass in the
appropriate sector/nr_sectors instead.

Fixes: ca4b2a0119 ("null_blk: add zone support")
Tested-by: Omar Sandoval <osandov@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2018-09-12 18:21:11 -06:00
Dan Carpenter 097f5863b1 cifs: read overflow in is_valid_oplock_break()
We need to verify that the "data_offset" is within bounds.

Reported-by: Dr Silvio Cesare of InfoSect <silvio.cesare@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
2018-09-12 17:13:34 -05:00
Tushar Dave 4c3d795cb0 bpf: use __GFP_COMP while allocating page
Helper bpg_msg_pull_data() can allocate multiple pages while
linearizing multiple scatterlist elements into one shared page.
However, if the shared page has size > PAGE_SIZE, using
copy_page_to_iter() causes below warning.

e.g.
[ 6367.019832] WARNING: CPU: 2 PID: 7410 at lib/iov_iter.c:825
page_copy_sane.part.8+0x0/0x8

To avoid above warning, use __GFP_COMP while allocating multiple
contiguous pages.

Fixes: 015632bb30 ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
Signed-off-by: Tushar Dave <tushar.n.dave@oracle.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2018-09-12 23:47:28 +02:00
Alexei Starovoitov dd066823db bpf/verifier: disallow pointer subtraction
Subtraction of pointers was accidentally allowed for unpriv programs
by commit 82abbf8d2f. Revert that part of commit.

Fixes: 82abbf8d2f ("bpf: do not allow root to mangle valid pointers")
Reported-by: Jann Horn <jannh@google.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2018-09-12 23:30:02 +02:00
David S. Miller 4851bfd64d Merge branch 'nfp-flower-fixes'
Jakub Kicinski says:

====================
nfp: flower: fixes for flower offload

Two fixes for flower matching and tunnel encap.  Pieter fixes
VLAN matching if the entire VLAN id is masked out and match
is only performed on the PCP field.  Louis adds validation of
tunnel flags for encap, most importantly we should not offload
actions on IPv6 tunnels if it's not supported.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-12 13:18:30 -07:00
Louis Peens 224de549f0 nfp: flower: reject tunnel encap with ipv6 outer headers for offloading
This fixes a bug where ipv6 tunnels would report that it is
getting offloaded to hardware but would actually be rejected
by hardware.

Fixes: b27d6a95a7 ("nfp: compile flower vxlan tunnel set actions")
Signed-off-by: Louis Peens <louis.peens@netronome.com>
Reviewed-by: John Hurley <john.hurley@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-12 13:18:30 -07:00
Pieter Jansen van Vuuren db191db813 nfp: flower: fix vlan match by checking both vlan id and vlan pcp
Previously we only checked if the vlan id field is present when trying
to match a vlan tag. The vlan id and vlan pcp field should be treated
independently.

Fixes: 5571e8c9f2 ("nfp: extend flower matching capabilities")
Signed-off-by: Pieter Jansen van Vuuren <pieter.jansenvanvuuren@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-12 13:18:30 -07:00
Cong Wang 12a78b026f tipc: check return value of __tipc_dump_start()
When __tipc_dump_start() fails with running out of memory,
we have no reason to continue, especially we should avoid
calling tipc_dump_done().

Fixes: 8f5c5fcf35 ("tipc: call start and done ops directly in __tipc_nl_compat_dumpit()")
Reported-and-tested-by: syzbot+3f8324abccfbf8c74a9f@syzkaller.appspotmail.com
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-12 13:15:04 -07:00
David S. Miller 6b4d24de29 Merge branch 'qeth-fixes'
Julian Wiedmann says:

====================
s390/qeth: fixes 2018-09-12

please apply the following qeth fixes for -net.

Patch 1 resolves a regression in an error path, while patch 2 enables
the SG support by default that was newly introduced with 4.19.
Patch 3 takes care of a longstanding problem with large-order
allocations, and patch 4 fixes a potential out-of-bounds access.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-12 13:12:52 -07:00
Julian Wiedmann 0ac1487c4b s390/qeth: don't dump past end of unknown HW header
For inbound data with an unsupported HW header format, only dump the
actual HW header. We have no idea how much payload follows it, and what
it contains. Worst case, we dump past the end of the Inbound Buffer and
access whatever is located next in memory.

Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-12 13:12:51 -07:00
Wenjia Zhang aec45e857c s390/qeth: use vzalloc for QUERY OAT buffer
qeth_query_oat_command() currently allocates the kernel buffer for
the SIOC_QETH_QUERY_OAT ioctl with kzalloc. So on systems with
fragmented memory, large allocations may fail (eg. the qethqoat tool by
default uses 132KB).

Solve this issue by using vzalloc, backing the allocation with
non-contiguous memory.

Signed-off-by: Wenjia Zhang <wenjia@linux.ibm.com>
Reviewed-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-12 13:12:51 -07:00
Julian Wiedmann 04db741d0d s390/qeth: switch on SG by default for IQD devices
Scatter-gather transmit brings a nice performance boost. Considering the
rather large MTU sizes at play, it's also totally the Right Thing To Do.

Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-12 13:12:51 -07:00
Julian Wiedmann 778b1ac737 s390/qeth: indicate error when netdev allocation fails
Bailing out on allocation error is nice, but we also need to tell the
ccwgroup core that creating the qeth groupdev failed.

Fixes: d3d1b205e8 ("s390/qeth: allocate netdevice early")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-09-12 13:12:51 -07:00
Martin KaFai Lau 4b1c5d917d bpf: btf: Fix end boundary calculation for type section
The end boundary math for type section is incorrect in
btf_check_all_metas().  It just happens that hdr->type_off
is always 0 for now because there are only two sections
(type and string) and string section must be at the end (ensured
in btf_parse_str_sec).

However, type_off may not be 0 if a new section would be added later.
This patch fixes it.

Fixes: f80442a4cd ("bpf: btf: Change how section is supported in btf_header")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Martin KaFai Lau <kafai@fb.com>
Acked-by: Yonghong Song <yhs@fb.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2018-09-12 22:00:23 +02:00
Guenter Roeck cf40361ede x86/efi: Load fixmap GDT in efi_call_phys_epilog() before setting %cr3
Commit eeb89e2bb1 ("x86/efi: Load fixmap GDT in efi_call_phys_epilog()")
moved loading the fixmap in efi_call_phys_epilog() after load_cr3() since
it was assumed to be more logical.

Turns out this is incorrect: In efi_call_phys_prolog(), the gdt with its
physical address is loaded first, and when the %cr3 is reloaded in _epilog
from initial_page_table to swapper_pg_dir again the gdt is no longer
mapped.  This results in a triple fault if an interrupt occurs after
load_cr3() and before load_fixmap_gdt(0). Calling load_fixmap_gdt(0) first
restores the execution order prior to commit eeb89e2bb1 and fixes the
problem.

Fixes: eeb89e2bb1 ("x86/efi: Load fixmap GDT in efi_call_phys_epilog()")
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Acked-by: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Ard Biesheuvel <ard.biesheuvel@linaro.org>
Cc: linux-efi@vger.kernel.org
Cc: Andy Lutomirski <luto@amacapital.net>
Cc: Joerg Roedel <jroedel@suse.de>
Link: https://lkml.kernel.org/r/1536689892-21538-1-git-send-email-linux@roeck-us.net
2018-09-12 21:53:34 +02:00