Commit Graph

841811 Commits

Author SHA1 Message Date
David S. Miller 22506f488e Merge branch 'bnxt_en-Bug-fixes'
Michael Chan says:

====================
bnxt_en: Bug fixes.

Miscellaneous bug fix patches, including two resource handling fixes for
the RDMA driver, a PCI shutdown patch to add pci_disable_device(), a patch
to fix ethtool selftest crash, and the last one suppresses an unnecessry
error message.

Please also queue patches 1, 2, and 3 for -stable.  Thanks.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-30 16:00:26 -07:00
Michael Chan 4ca5fa39e1 bnxt_en: Suppress error messages when querying DSCP DCB capabilities.
Some firmware versions do not support this so use the silent variant
to send the message to firmware to suppress the harmless error.  This
error message is unnecessarily alarming the user.

Fixes: afdc8a8484 ("bnxt_en: Add DCBNL DSCP application protocol support.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-30 16:00:26 -07:00
Michael Chan 1dbc59fa4b bnxt_en: Cap the returned MSIX vectors to the RDMA driver.
In an earlier commit to improve NQ reservations on 57500 chips, we
set the resv_irqs on the 57500 VFs to the fixed value assigned by
the PF regardless of how many are actually used.  The current
code assumes that resv_irqs minus the ones used by the network driver
must be the ones for the RDMA driver.  This is no longer true and
we may return more MSIX vectors than requested, causing inconsistency.
Fix it by capping the value.

Fixes: 01989c6b69 ("bnxt_en: Improve NQ reservations.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-30 16:00:26 -07:00
Michael Chan d77b1ad8e8 bnxt_en: Fix statistics context reservation logic for RDMA driver.
The current logic assumes that the RDMA driver uses one statistics
context adjacent to the ones used by the network driver.  This
assumption is not true and the statistics context used by the
RDMA driver is tied to its MSIX base vector.  This wrong assumption
can cause RDMA driver failure after changing ethtool rings on the
network side.  Fix the statistics reservation logic accordingly.

Fixes: 780baad44f ("bnxt_en: Reserve 1 stat_ctx for RDMA driver.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-30 16:00:26 -07:00
Michael Chan d27e2ca116 bnxt_en: Fix ethtool selftest crash under error conditions.
After ethtool loopback packet tests, we re-open the nic for the next
IRQ test.  If the open fails, we must not proceed with the IRQ test
or we will crash with NULL pointer dereference.  Fix it by checking
the bnxt_open_nic() return code before proceeding.

Reported-by: Somasundaram Krishnasamy <somasundaram.krishnasamy@oracle.com>
Fixes: 67fea463fd ("bnxt_en: Add interrupt test to ethtool -t selftest.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-30 16:00:26 -07:00
Michael Chan c20dc142dd bnxt_en: Disable bus master during PCI shutdown and driver unload.
Some chips with older firmware can continue to perform DMA read from
context memory even after the memory has been freed.  In the PCI shutdown
method, we need to call pci_disable_device() to shutdown DMA to prevent
this DMA before we put the device into D3hot.  DMA memory request in
D3hot state will generate PCI fatal error.  Similarly, in the driver
remove method, the context memory should only be freed after DMA has
been shutdown for correctness.

Fixes: 98f04cf0f1 ("bnxt_en: Check context memory requirements from firmware.")
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-30 16:00:25 -07:00
Baruch Siach 7b75e49de4 net: dsa: mv88e6xxx: wait after reset deactivation
Add a 1ms delay after reset deactivation. Otherwise the chip returns
bogus ID value. This is observed with 88E6390 (Peridot) chip.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-29 12:21:18 -07:00
Guilherme G. Piccoli 3c91f25c2f bnx2x: Prevent ptp_task to be rescheduled indefinitely
Currently bnx2x ptp worker tries to read a register with timestamp
information in case of TX packet timestamping and in case it fails,
the routine reschedules itself indefinitely. This was reported as a
kworker always at 100% of CPU usage, which was narrowed down to be
bnx2x ptp_task.

By following the ioctl handler, we could narrow down the problem to
an NTP tool (chrony) requesting HW timestamping from bnx2x NIC with
RX filter zeroed; this isn't reproducible for example with ptp4l
(from linuxptp) since this tool requests a supported RX filter.
It seems NIC FW timestamp mechanism cannot work well with
RX_FILTER_NONE - driver's PTP filter init routine skips a register
write to the adapter if there's not a supported filter request.

This patch addresses the problem of bnx2x ptp thread's everlasting
reschedule by retrying the register read 10 times; between the read
attempts the thread sleeps for an increasing amount of time starting
in 1ms to give FW some time to perform the timestamping. If it still
fails after all retries, we bail out in order to prevent an unbound
resource consumption from bnx2x.

The patch also adds an ethtool statistic for accounting the skipped
TX timestamp packets and it reduces the priority of timestamping
error messages to prevent log flooding. The code was tested using
both linuxptp and chrony.

Reported-and-tested-by: Przemyslaw Hausman <przemyslaw.hausman@canonical.com>
Suggested-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
Signed-off-by: Guilherme G. Piccoli <gpiccoli@canonical.com>
Acked-by: Sudarsana Reddy Kalluru <skalluru@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-29 12:19:42 -07:00
Eric Dumazet e5b1c6c627 igmp: fix memory leak in igmpv3_del_delrec()
im->tomb and/or im->sources might not be NULL, but we
currently overwrite their values blindly.

Using swap() will make sure the following call to kfree_pmc(pmc)
will properly free the psf structures.

Tested with the C repro provided by syzbot, which basically does :

 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
 setsockopt(3, SOL_IP, IP_ADD_MEMBERSHIP, "\340\0\0\2\177\0\0\1\0\0\0\0", 12) = 0
 ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=0}) = 0
 setsockopt(3, SOL_IP, IP_MSFILTER, "\340\0\0\2\177\0\0\1\1\0\0\0\1\0\0\0\377\377\377\377", 20) = 0
 ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=IFF_UP}) = 0
 exit_group(0)                    = ?

BUG: memory leak
unreferenced object 0xffff88811450f140 (size 64):
  comm "softirq", pid 0, jiffies 4294942448 (age 32.070s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00  ................
    00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
  backtrace:
    [<00000000c7bad083>] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [<00000000c7bad083>] slab_post_alloc_hook mm/slab.h:439 [inline]
    [<00000000c7bad083>] slab_alloc mm/slab.c:3326 [inline]
    [<00000000c7bad083>] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [<000000009acc4151>] kmalloc include/linux/slab.h:547 [inline]
    [<000000009acc4151>] kzalloc include/linux/slab.h:742 [inline]
    [<000000009acc4151>] ip_mc_add1_src net/ipv4/igmp.c:1976 [inline]
    [<000000009acc4151>] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2100
    [<000000004ac14566>] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2484
    [<0000000052d8f995>] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:959
    [<000000004ee1e21f>] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1248
    [<0000000066cdfe74>] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2618
    [<000000009383a786>] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3126
    [<00000000d8ac0c94>] __sys_setsockopt+0x98/0x120 net/socket.c:2072
    [<000000001b1e9666>] __do_sys_setsockopt net/socket.c:2083 [inline]
    [<000000001b1e9666>] __se_sys_setsockopt net/socket.c:2080 [inline]
    [<000000001b1e9666>] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080
    [<00000000420d395e>] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [<000000007fd83a4b>] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 24803f38a5 ("igmp: do not remove igmp souce list info when set link down")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Hangbin Liu <liuhangbin@gmail.com>
Reported-by: syzbot+6ca1abd0db68b5173a4f@syzkaller.appspotmail.com
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-29 11:16:28 -07:00
David S. Miller c09fedd6ad Merge branch 'Sub-ns-increment-fixes-in-Macb-PTP'
Harini Katakam says:

====================
Sub ns increment fixes in Macb PTP

The subns increment register fields are not captured correctly in the
driver. Fix the same and also increase the subns incr resolution.

Sub ns resolution was increased to 24 bits in r1p06f2 version. To my
knowledge, this PTP driver, with its current BD time stamp
implementation, is only useful to that version or above. So, I have
increased the resolution unconditionally. Please let me know if there
is any IP versions incompatible with this - there is no register to
obtain this information from.

Changes from RFC:
None
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-29 11:09:18 -07:00
Harini Katakam 7ad342bc58 net: macb: Fix SUBNS increment and increase resolution
The subns increment register has 24 bits as follows:
RegBit[15:0] = Subns[23:8]; RegBit[31:24] = Subns[7:0]

Fix the same in the driver and increase sub ns resolution to the
best capable, 24 bits. This should be the case on all GEM versions
that this PTP driver supports.

Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-29 11:09:18 -07:00
Harini Katakam a8ee4dc1b5 net: macb: Add separate definition for PPM fraction
The scaled ppm parameter passed to _adjfine() contains a 16 bit
fraction. This just happens to be the same as SUBNSINCR_SIZE now.
Hence define this separately.

Signed-off-by: Harini Katakam <harini.katakam@xilinx.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-29 11:09:18 -07:00
Jiunn Chang 79293f4967 packet: Fix undefined behavior in bit shift
Shifting signed 32-bit value by 31 bits is undefined.  Changing most
significant bit to unsigned.

Changes included in v2:
  - use subsystem specific subject lines
  - CC required mailing lists

Signed-off-by: Jiunn Chang <c0d1n61at3@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-29 11:06:17 -07:00
Florian Westphal b60a77386b net: make skb_dst_force return true when dst is refcounted
netfilter did not expect that skb_dst_force() can cause skb to lose its
dst entry.

I got a bug report with a skb->dst NULL dereference in netfilter
output path.  The backtrace contains nf_reinject(), so the dst might have
been cleared when skb got queued to userspace.

Other users were fixed via
if (skb_dst(skb)) {
	skb_dst_force(skb);
	if (!skb_dst(skb))
		goto handle_err;
}

But I think its preferable to make the 'dst might be cleared' part
of the function explicit.

In netfilter case, skb with a null dst is expected when queueing in
prerouting hook, so drop skb for the other hooks.

v2:
 v1 of this patch returned true in case skb had no dst entry.
 Eric said:
   Say if we have two skb_dst_force() calls for some reason
   on the same skb, only the first one will return false.

 This now returns false even when skb had no dst, as per Erics
 suggestion, so callers might need to check skb_dst() first before
 skb_dst_force().

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-29 11:01:35 -07:00
Xin Long 9b6c08878e sctp: not bind the socket in sctp_connect
Now when sctp_connect() is called with a wrong sa_family, it binds
to a port but doesn't set bp->port, then sctp_get_af_specific will
return NULL and sctp_connect() returns -EINVAL.

Then if sctp_bind() is called to bind to another port, the last
port it has bound will leak due to bp->port is NULL by then.

sctp_connect() doesn't need to bind ports, as later __sctp_connect
will do it if bp->port is NULL. So remove it from sctp_connect().
While at it, remove the unnecessary sockaddr.sa_family len check
as it's already done in sctp_inet_connect.

Fixes: 644fbdeacf ("sctp: fix the issue that flags are ignored when using kernel_connect")
Reported-by: syzbot+079bf326b38072f849d9@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-29 10:48:45 -07:00
Baruch Siach 0472301a28 bpf: fix uapi bpf_prog_info fields alignment
Merge commit 1c8c5a9d38 ("Merge
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next") undid the
fix from commit 36f9814a49 ("bpf: fix uapi hole for 32 bit compat
applications") by taking the gpl_compatible 1-bit field definition from
commit b85fab0e67 ("bpf: Add gpl_compatible flag to struct
bpf_prog_info") as is. That breaks architectures with 16-bit alignment
like m68k. Add 31-bit pad after gpl_compatible to restore alignment of
following fields.

Thanks to Dmitry V. Levin his analysis of this bug history.

Signed-off-by: Baruch Siach <baruch@tkos.co.il>
Acked-by: Song Liu <songliubraving@fb.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: Geert Uytterhoeven <geert@linux-m68k.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2019-06-29 01:35:46 +02:00
Maxime Chevallier 8ec3ede559 net: mvpp2: prs: Don't override the sign bit in SRAM parser shift
The Header Parser allows identifying various fields in the packet
headers, used for various kind of filtering and classification
steps.

This is a re-entrant process, where the offset in the packet header
depends on the previous lookup results. This offset is represented in
the SRAM results of the TCAM, as a shift to be operated.

This shift can be negative in some cases, such as in IPv6 parsing.

This commit prevents overriding the sign bit when setting the shift
value, which could cause instabilities when parsing IPv6 flows.

Fixes: 3f518509de ("ethernet: Add new driver for Marvell Armada 375 network unit")
Suggested-by: Alan Winkowski <walan@marvell.com>
Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-28 14:44:03 -07:00
Russell King 32e454efbb net: phylink: further documentation clarifications
Clarify the validate() behaviour in a few cases which weren't mentioned
in the documentation, but which are necessary for users to get the
correct behaviour.

Signed-off-by: Russell King <rmk+kernel@armlinux.org.uk>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-28 14:42:19 -07:00
Marek Vasut 337d1727a3 net: ethernet: ti: cpsw: Assign OF node to slave devices
Assign OF node to CPSW slave devices, otherwise it is not possible to
bind e.g. DSA switch to them. Without this patch, the DSA code tries
to find the ethernet device by OF match, but fails to do so because
the slave device has NULL OF node.

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: David S. Miller <davem@davemloft.net>
Cc: Ivan Khoronzhuk <ivan.khoronzhuk@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-28 14:32:51 -07:00
David S. Miller 7c3d310d8f Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter fixes for net:

1) Fix memleak reported by syzkaller when registering IPVS hooks,
   patch from Julian Anastasov.

2) Fix memory leak in start_sync_thread, also from Julian.

3) Fix conntrack deletion via ctnetlink, from Felix Kaechele.

4) Fix reject for ICMP due to incorrect checksum handling, from
   He Zhe.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-28 13:36:43 -07:00
Benedikt Spranger 75dad2520f net: dsa: b53: Disable all ports on setup
A b53 device may configured through an external EEPROM like the switch
device on the Lamobo R1 router board. The configuration of a port may
therefore differ from the reset configuration of the switch.

The switch configuration reported by the DSA subsystem is different until
the port is configured by DSA i.e. a port can be active, while the DSA
subsystem reports the port is inactive. Disable all ports and not only
the unused ones to put all ports into a well defined state.

Signed-off-by: Benedikt Spranger <b.spranger@linutronix.de>
Reviewed-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-28 13:34:13 -07:00
He Zhe 5d1549847c netfilter: Fix remainder of pseudo-header protocol 0
Since v5.1-rc1, some types of packets do not get unreachable reply with the
following iptables setting. Fox example,

$ iptables -A INPUT -p icmp --icmp-type 8 -j REJECT
$ ping 127.0.0.1 -c 1
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
— 127.0.0.1 ping statistics —
1 packets transmitted, 0 received, 100% packet loss, time 0ms

We should have got the following reply from command line, but we did not.
From 127.0.0.1 icmp_seq=1 Destination Port Unreachable

Yi Zhao reported it and narrowed it down to:
7fc3822536 ("netfilter: reject: skip csum verification for protocols that don't support it"),

This is because nf_ip_checksum still expects pseudo-header protocol type 0 for
packets that are of neither TCP or UDP, and thus ICMP packets are mistakenly
treated as TCP/UDP.

This patch corrects the conditions in nf_ip_checksum and all other places that
still call it with protocol 0.

Fixes: 7fc3822536 ("netfilter: reject: skip csum verification for protocols that don't support it")
Reported-by: Yi Zhao <yi.zhao@windriver.com>
Signed-off-by: He Zhe <zhe.he@windriver.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2019-06-28 19:30:50 +02:00
David S. Miller e7792df831 Just a single patch:
* 1<<31 is undefined, use 1U<<31 in nl80211.h UAPI
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEH1e1rEeCd0AIMq6MB8qZga/fl8QFAl0WJ5wACgkQB8qZga/f
 l8SsmA//dY+edYitYYgvd+y0dS5eoS0XUfOeI8aR6qhiM1niha2XnTN+uoEEAM+k
 x6FTXJuEg00PZFHgaosDbBb04X3D16cpS4A+LJ6NoO8xHURSUnWa6pArzfAD64wq
 SPu3mifevB789cN3sddXeTIoVoZosPHOuyx/oExeYb9KrngIhjrBXbPxwhbvQE7a
 4T5J9hnltot4OwtXNDsEW0cTTfK3PEtDSOAtRQUgUA5uOX8U0UpzIrbbvhY3nWie
 cigprQEZCaBgTNq4cmF4eJJyoPU69jvKou935VTHJqBMVUemsGebJ+rrD7mMzVJF
 jvncq/NTwBCxyCd4tev2wJYscenPN92oYwHlXbjufXcR2b14RJhKVItOzWEgXt2r
 wM74/C2iZK+XKSNioI6g7IjKevtxglR9cox4cb9nq7l/4PvE8zkOs0qPrptZQ/L0
 p/gumYetObXIA7Kg7Z09j7GqJgcP3MUq71VQCfp60BY8ZAH+Vagtc+HpmIuQ6sVl
 rf57kI5WK4+ldVj+XxA5RV6BEYSLkd8moVDrbie3lUWK6ca5CFuzf7ugoXeA419a
 POj0y6LECDeMIAhKCwVO9SCAvRzieAvYohyOettGDbNG/mYac5/PwKvMo2mpbNm1
 8Yod5J15Vil0j86iQ6xDAc/MCJ1v+se7CM4qzj7lx+uKa6v8N8s=
 =D1WG
 -----END PGP SIGNATURE-----

Merge tag 'mac80211-for-davem-2019-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211

Johannes Berg says:

====================
Just a single patch:
 * 1<<31 is undefined, use 1U<<31 in nl80211.h UAPI
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-28 09:49:56 -07:00
David S. Miller 2c377b5abc Here are some batman-adv bugfixes:
- fix a leaked TVLV handler which wasn't unregistered, by Jeremy Sowden
 
  - fix duplicated OGMs when interfaces are set UP, by Sven Eckelmann
 -----BEGIN PGP SIGNATURE-----
 
 iQJKBAABCgA0FiEE1ilQI7G+y+fdhnrfoSvjmEKSnqEFAl0Ump8WHHN3QHNpbW9u
 d3VuZGVybGljaC5kZQAKCRChK+OYQpKeoWGED/4gixPn7YQnMn16FNwYYhCPe8b0
 fy87LWDmavx3k9qfWQ7ay65e2RUjXaZcHMIjnk7cFzFE+a/2vAsqSXwqtIEiEmb5
 8RAWTBL8MVokKAg9KP3PJPCzp10nxoViT5Hm5OXgW/yvWEy1TW8Jr3PYK6zlxhiM
 bFssDG4Hep8NErwVw4qtOEAvC3m068Y8dxRDn2IXYXI5ceWplBiTlOPcQy/m8y3r
 i7GWvJlHuyOpgYA4d8F7LJ38fo0JrdXEQE1ecFk/vRVZ0uqCv10+kDNislfEjSMO
 u7aNRkGj5nI3MfvPOc4a8BUKqieMmCeJUf0KitSEKB63FjjbITRSVHwVIU3u5xQr
 J8lt9M9gBQMiuly7jemIxJyzSsiak8L4gd4QKcYLaSzH4yoiU9BPmWlSsHZF6MxG
 AYvwE7ae/OA4RaUriiNfEQhFeJt+2mgzrqH7WEW279rdBo08M5EXbEtlHomZAPFT
 3/VGgL3SezM/fMaq8pIx2NQRBXbFhPMOGObODqaY0FOLXIsX9hAQN+/6QXyYaPCx
 mGXzrlo3VUhwjHbe0gc7uEn+oApKc0kCVTrFOu35rzlDd9e6+DsrFwaqoF2e4aEV
 DXXkyEcWKmeGqymHH8NkczNkl0maPxBxCqRvOG1+2lWqw17ipqTpNySLuXI1SaTS
 hqZne1JkcQ7Yx7OrcA==
 =TqkI
 -----END PGP SIGNATURE-----

Merge tag 'batadv-net-for-davem-20190627' of git://git.open-mesh.org/linux-merge

Simon Wunderlich says:

====================
Here are some batman-adv bugfixes:

 - fix a leaked TVLV handler which wasn't unregistered, by Jeremy Sowden

 - fix duplicated OGMs when interfaces are set UP, by Sven Eckelmann
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-28 09:45:27 -07:00
David S. Miller e78557baa6 wireless-drivers fixes for 5.2
Hopefully the last set of fixes for 5.2. Nothing special this around,
 only small fixes and support for new cards.
 
 iwlwifi
 
 * add new cards for 22000 series and smaller fixes
 
 wl18xx
 
 * fix a clang warning about unused variables
 
 mwifiex
 
 * properly handle small vendor IEs (a regression from the recent
   security fix)
 
 ath
 
 * fix few SPDX tags
 
 mt76
 
 * fix A-MSDU aggregation which got broken in v5.2-rc1
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEcBAABAgAGBQJdFb43AAoJEG4XJFUm622bQyUH+wbr8/3mo1IQdz5Vm/UoK0P6
 SyG0I94sNPRfvPBQF9CNV8/958Yg+OMLJ8pHpqsvx6qdjyCy6C0G8Oi9qlqbmcQ6
 vT5XY2FODm/+AkmSpdjPnG9Ye77luwJ66Egkk5uTUwDHirMhiD4IaoszRwoTHce8
 o8Wu5UZ2SXwkUDnrRJmQxR/l8Bqr5QeC/xgxxS1aZEVF9uH+wDECGFCXNrFBRQcI
 2W5UZz+1gp4OoV9SemgFrBXdhS/l/shje4svAjLk4rZr+CSU1oQZCgjbkjVBHaiL
 R9iLVKq//p+LOiA9Hd5kwQwkTiILRy+mmPvhSAy4eesZEjF+le9vaitpERRfoBQ=
 =5q2s
 -----END PGP SIGNATURE-----

Merge tag 'wireless-drivers-for-davem-2019-06-28' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers

Kalle Valo says:

====================
wireless-drivers fixes for 5.2

Hopefully the last set of fixes for 5.2. Nothing special this around,
only small fixes and support for new cards.

iwlwifi

* add new cards for 22000 series and smaller fixes

wl18xx

* fix a clang warning about unused variables

mwifiex

* properly handle small vendor IEs (a regression from the recent
  security fix)

ath

* fix few SPDX tags

mt76

* fix A-MSDU aggregation which got broken in v5.2-rc1
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-28 09:15:02 -07:00
Jiunn Chang d2ce8d6bfc nl80211: Fix undefined behavior in bit shift
Shifting signed 32-bit value by 31 bits is undefined.  Changing most
significant bit to unsigned.

Signed-off-by: Jiunn Chang <c0d1n61at3@gmail.com>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
2019-06-28 16:07:54 +02:00
Linus Torvalds 556e2f6020 A handful of clk driver fixes and one core framework fix
- Do a DT/firmware lookup in clk_core_get() even when the DT index is a
    nonsensical value
 
  - Fix some clk data typos in the Amlogic DT headers/code
 
  - Avoid returning junk in the TI clk driver when an invalid clk is
    looked for
 
  - Fix dividers for the emac clks on Stratix10 SoCs
 
  - Fix default HDA rates on Tegra210 to correct distorted audio
 -----BEGIN PGP SIGNATURE-----
 
 iQJFBAABCAAvFiEE9L57QeeUxqYDyoaDrQKIl8bklSUFAl0VIHcRHHNib3lkQGtl
 cm5lbC5vcmcACgkQrQKIl8bklSU0Ww//XVDS0JqiWcEopLc8dLrjxn2n7W3qlbB9
 8RqkrvFK/yv9Hrd1OqTSJLnrDQKb0zYnzjzU0g7Isdk81uecRQDJksjWQ/laR5i4
 ut5QOwV8IBSRl6Mu4XoMHvt9apysXX9od8B6Iu1fhbgmQeKlVkX/PYuT+mcQtMjc
 2Zg6ILQpkFaXhB9vQxVZwwmGZyR4/pfNCltl8A1Zg9ZkWgpOvv+7wHo/5AYNIBYM
 JbynlCdOii9gNXwoXPnayNvqwKNi0NEEfzOX/RuSarwrRVKdbqbWKhKlHTRv3LwC
 myo+dh/7l1l+1ANhBedzbnSa5YHSUyZXjkO+pKBctJEOGMV9+fbGEOvxt1LPBr7X
 IrSevXYwPfgHdxxnoMM+S5OTWYyv9jOTTXEwIc3rAoDnAJWcLsg6V8MEGL/CGQ7T
 yrSRARGCowU73rJXwfTayMKSqQgaTGmB00x4lewQK29DA0uMunQTzRU7qjOAe919
 ECgdYV6WJcRCThrAfknARD/FS+J07fMqyLD9IFd2bFQuGWCq8EFT7Ky2t89bXULG
 SMvLUe9CUpURtfdrDjz8h+VzmAStoAWck63EffgymPILRhRI4xY+Mr/YyfQ07rMu
 BTSsj9wd8AywhmOgi42TVOFZS39bDCAytJ9LMaxDyNXsDVi/REC3O43z9kyHoUQB
 JIyQyHFSRD0=
 =3QYB
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fixes from Stephen Boyd:
 "A handful of clk driver fixes and one core framework fix

   - Do a DT/firmware lookup in clk_core_get() even when the DT index is
     a nonsensical value

   - Fix some clk data typos in the Amlogic DT headers/code

   - Avoid returning junk in the TI clk driver when an invalid clk is
     looked for

   - Fix dividers for the emac clks on Stratix10 SoCs

   - Fix default HDA rates on Tegra210 to correct distorted audio"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: socfpga: stratix10: fix divider entry for the emac clocks
  clk: Do a DT parent lookup even when index < 0
  clk: tegra210: Fix default rates for HDA clocks
  clk: ti: clkctrl: Fix returning uninitialized data
  clk: meson: meson8b: fix a typo in the VPU parent names array variable
  clk: meson: fix MPLL 50M binding id typo
2019-06-28 08:50:09 +08:00
Linus Torvalds 65ee21eb63 - Fix incorrect uses of kstrndup and DM logging macros in DM's early
init code.
 
 - Fix DM log-writes target's handling of super block sectors so updates
   are made in order through use of completion.
 
 - Fix DM core's argument splitting code to avoid undefined behaviour
   reported as a side-effect of UBSAN analysis on ppc64le.
 
 - Fix DM verity target to limit the amount of error messages that can
   result from a corrupt block being found.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCAAxFiEEJfWUX4UqZ4x1O2wixSPxCi2dA1oFAl0VBp4THHNuaXR6ZXJA
 cmVkaGF0LmNvbQAKCRDFI/EKLZ0DWlLKB/9wnB1FWhVIwt5j0e3YpqToThptT22N
 sWO/vBKtIR8nbbohXeam7mgh15+D61SpY+8jdkgAlIQonPzCwFrgSWdtpbbveYw6
 gFWAdd013R+piGX40l0EztwAQ9IawwFl7JP+fBevxFQdGAVT6SpaJfBWH0XcIBbb
 udEtoeW0dVp06SFsokGq6TPSRCdxwMh9JpRplgtLmz0yhfsWeFivjw2AMIen5QqB
 Z0zcJnL8UMRdJq0EEqjQ3z9CH/Th8Nryxibo8YLnADPBfv7RyR2+wCjrbode8LAj
 LZHjHikxzt39F9PpJIPvVuvNMzrBdQPDF61O5MK7dOMl49GfIoz2ybvH
 =oEWd
 -----END PGP SIGNATURE-----

Merge tag 'for-5.2/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Fix incorrect uses of kstrndup and DM logging macros in DM's early
   init code.

 - Fix DM log-writes target's handling of super block sectors so updates
   are made in order through use of completion.

 - Fix DM core's argument splitting code to avoid undefined behaviour
   reported as a side-effect of UBSAN analysis on ppc64le.

 - Fix DM verity target to limit the amount of error messages that can
   result from a corrupt block being found.

* tag 'for-5.2/dm-fixes-2' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm verity: use message limit for data block corruption message
  dm table: don't copy from a NULL pointer in realloc_argv()
  dm log writes: make sure super sector log updates are written in order
  dm init: remove trailing newline from calls to DMERR() and DMINFO()
  dm init: fix incorrect uses of kstrndup()
2019-06-28 08:48:21 +08:00
Linus Torvalds 7a702b4e82 for-linus-20190627
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEE7btrcuORLb1XUhEwjrBW1T7ssS0FAl0UnRoACgkQjrBW1T7s
 sS1T0w/+PFooDZNaKJkhJCGm0XyRDYmmuivEX9ydUR1x9/doRbDZTqfjsQBJLoVK
 PulxDiuFbQWXzhBJFEMuU6YBR2fjFqUGsXz5qAXPB0zaahWcSY/0Y8VCU/PKq7A6
 3oJPl/lYwYkLTYUKsnN08hByosUA7WeRQRAxbSFWdCTlUfIw72mDhprMGjJIVAlu
 snLA5lUoy7hyoFdXR5qNhYAcX8sASmi01hXhdnsKMOv4z2Vb5NoQsgqL1W8tAnsf
 BdJKL82Qd7vWQahlbOtur46aeJAL2ukGSTskuA2jOQqsKxmpos+hWq36gToq7usa
 XgPii0Rz7/2s6ZvhmxV5kmzqHylT9giU1DxWybSVo9IZBsU2i1o9DV+yBY50tr45
 s0bmpSA/u4DP2uT8oRvh47LbDqiQFA8dyVWQKE25smSdjekuZHTO0tgXf8mwC2CW
 hDci4z+ONOyqIQyFrhP7UaKuSK6tAAUbYKtXUIN6rnuq1FjuTA2+wtIlOPZuDZQ2
 yrsSUefh4/sFMBSAgoGTg9f+PiCejBMKcxoqhU2/27mvkiInAyDPfoc4oGQcinOy
 OVX3B0A8B88l26sDkWdv15d92E1GKzZLj8h66TlYwDpN+seevftKtpblZ9fJWsSf
 0NejoMV/GcA/KsAp1sxqWwouRob8H6pbGXWb97DYRA2IVyjK3q4=
 =APjA
 -----END PGP SIGNATURE-----

Merge tag 'for-linus-20190627' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux

Pull pidfd fixes from Christian Brauner:
 "Userspace tools and libraries such as strace or glibc need a cheap and
  reliable way to tell whether CLONE_PIDFD is supported. The easiest way
  is to pass an invalid fd value in the return argument, perform the
  syscall and verify the value in the return argument has been changed
  to a valid fd.

  However, if CLONE_PIDFD is specified we currently check if pidfd == 0
  and return EINVAL if not.

  The check for pidfd == 0 was originally added to enable us to abuse
  the return argument for passing additional flags along with
  CLONE_PIDFD in the future.

  However, extending legacy clone this way would be a terrible idea and
  with clone3 on the horizon and the ability to reuse CLONE_DETACHED
  with CLONE_PIDFD there's no real need for this clutch. So remove the
  pidfd == 0 check and help userspace out.

  Also, accordig to Al, anon_inode_getfd() should only be used past the
  point of no failure and ksys_close() should not be used at all since
  it is far too easy to get wrong. Al's motto being "basically, once
  it's in descriptor table, it's out of your control". So Al's patch
  switches back to what we already had in v1 of the original patchset
  and uses a anon_inode_getfile() + put_user() + fd_install() sequence
  in the success path and a fput() + put_unused_fd() in the failure
  path.

  The other two changes should be trivial"

* tag 'for-linus-20190627' of gitolite.kernel.org:pub/scm/linux/kernel/git/brauner/linux:
  proc: remove useless d_is_dir() check
  copy_process(): don't use ksys_close() on cleanups
  samples: make pidfd-metadata fail gracefully on older kernels
  fork: don't check parent_tidptr with CLONE_PIDFD
2019-06-28 08:41:18 +08:00
Linus Torvalds 763cf1f2d9 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid
Pull HID fixes from Jiri Kosina:

 - fix for one corner case in HID++ protocol with respect to handling
   very long reports, from Hans de Goede

 - power management fix in Intel-ISH driver, from Hyungwoo Yang

 - use-after-free fix in Intel-ISH driver, from Dan Carpenter

 - a couple of new device IDs/quirks from Kai-Heng Feng, Kyle Godbey and
   Oleksandr Natalenko

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/hid/hid:
  HID: intel-ish-hid: fix wrong driver_data usage
  HID: multitouch: Add pointstick support for ALPS Touchpad
  HID: logitech-dj: Fix forwarding of very long HID++ reports
  HID: uclogic: Add support for Huion HS64 tablet
  HID: chicony: add another quirk for PixArt mouse
  HID: intel-ish-hid: Fix a use after free in load_fw_from_host()
2019-06-28 08:39:18 +08:00
Linus Torvalds fe2da896fd ARM: SoC fixes
A smaller batch of fixes, nothing that stands out as risky or scary.
 
 Mostly DTS tweaks for a few issues:
  - GPU fixlets for Meson
  - CPU idle fix for LS1028A
  - PWM interrupt fixes for i.MX6UL
 
 Also, enable a driver (FSL_EDMA) on arm64 defconfig, and a warning and
 two MAINTAINER tweaks.
 -----BEGIN PGP SIGNATURE-----
 
 iQJDBAABCAAtFiEElf+HevZ4QCAJmMQ+jBrnPN6EHHcFAl0ULP8PHG9sb2ZAbGl4
 b20ubmV0AAoJEIwa5zzehBx3h3sP/AkPQ+18tw5r6eY01k7a+JtDIbzKUizc6qh5
 /IBOpynFVv28+VRVrmu1xqek+5iJ7pVkQrJO5Nf0ChbFjo6Hqdk/84tivccyozrY
 4eO/7BALoV57g6inDTLWvhYL3V8bwLYT/1XCP4cN1Di9WBqBhZoe+h8BQr3ztrep
 p3QDjs3WDSzsJ8Oy8NBDUFXtWnZznXaSRzXFKGaUEVIpnlV4OHNW5XbXkLFFHygO
 SmoJdJRPIoKki6Gq0GvZH4U/0U53sa927uwT/02DaxIzlPFfhQtyNw8ZCo//6adg
 tyUTJn7zzOTxFSJZ512EJ4OG6MG9T/3wDGPlT+KJ4Bgv19jSeksdnvCfZrtAuPfu
 j1APenXGRNImSDJOeDrxeKAbW29RpxQjYzvMvGT3iYqH93sD/lz6uIoObCcGzwXQ
 BGIvMKOs3luw6Bk3pJpfBmzMPBkrDWerDgL3qdHnQEYenmbeTCyKFQVOM7f+PQqg
 jKT7gitFq1bT4JXImcInEdY/2nFlBJUgdIwwK273uS0RmeOHmF8TNJpKeaYbO7ds
 fcG177RaLqPoIfx6GbT7kZRVSgBHJrUh6gRmuQcoJaaP4zXdX0+N3S1WYQkGMkos
 t0SU9YPsqDyCpmtCN7TTY5MwhR/jTGLmxArCGBf1+IrfFx1cdmaFPjnJvEI8fCJM
 CJRPfzKQ
 =Jr9u
 -----END PGP SIGNATURE-----

Merge tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc

Pull ARM SoC fixes from Olof Johansson:
 "A smaller batch of fixes, nothing that stands out as risky or scary.

  Mostly DTS tweaks for a few issues:

   - GPU fixlets for Meson

   - CPU idle fix for LS1028A

   - PWM interrupt fixes for i.MX6UL

  Also, enable a driver (FSL_EDMA) on arm64 defconfig, and a warning and
  two MAINTAINER tweaks"

* tag 'armsoc-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc:
  ARM: dts: imx6ul: fix PWM[1-4] interrupts
  ARM: omap2: remove incorrect __init annotation
  ARM: dts: gemini Fix up DNS-313 compatible string
  ARM: dts: Blank D-Link DIR-685 console
  arm64: defconfig: Enable FSL_EDMA driver
  arm64: dts: ls1028a: Fix CPU idle fail.
  MAINTAINERS: BCM53573: Add internal Broadcom mailing list
  MAINTAINERS: BCM2835: Add internal Broadcom mailing list
  ARM: dts: meson8b: fix the operating voltage of the Mali GPU
  ARM: dts: meson8b: drop undocumented property from the Mali GPU node
  ARM: dts: meson8: fix GPU interrupts and drop an undocumented property
2019-06-28 08:37:04 +08:00
Linus Torvalds cd0f3aaebc AFS fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIVAwUAXRMn5vu3V2unywtrAQICpA/+IIINk6MJVQDzGhOnvWrbGdPnOdJEUyLN
 B9U4bLZJRg/j+Sqodn+fXIfsEO4FQflkSJD+xoBi4pzBZcr0xkLUVOog/1S7dv4J
 bPVT9p2f3ITNiatmisOrUe1InuHa6Wb/cUnQaLLRhd7NqbawKGRQG4tv4CGwKn67
 dJIOOm/iTCs1ACES4C5QOpU7/DWK38Pn3BbnN21bFzDgfbtbdDTaFFkhFtXy78oB
 Gcj5g+ULpkKBcuJThFuJUPZ9E4qICNZR4kJXEULSvykDDRzluhJmQ+v8btm6NJsq
 hMqTrT9M2y114V1OqXj3me7tA6wOEAfTQ0WzpzF2SmyFQKnSly/EkWc4HZXFD/8O
 BczCcABUbuKNE/pJSELx6k1M0+00QfeLcjHPc6joZFCni3lMdYWOncn/syyHw5P+
 rc9JQsy3+dLcFsaVQ5eGmX6NDc70dCrAlS6MllIzSBcwAVCctTKwm0meaSW6B2y6
 VymPy+cqi1RxMKyiQ0hAeU7Xe6yqFcl6rtonfCQqRLxkfzrCXkDp6/ELOXBzDft1
 ey6+N3WsmWW7YSPuM/SIZKV66rshlflj0w+FRluZEEAF1NYeYqXUDvK/S8KC9kPG
 AXUDvhI+tBpxg1AVz94JN714VmkbY23xV0g44eQsdqSQm2YvsxiFCSWZZ6L/KEWe
 kWQc6BGDCB0=
 =YTdG
 -----END PGP SIGNATURE-----

Merge tag 'afs-fixes-20190620' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs

Pull AFS fixes from David Howells:
 "The in-kernel AFS client has been undergoing testing on opendev.org on
  one of their mirror machines. They are using AFS to hold data that is
  then served via apache, and Ian Wienand had reported seeing oopses,
  spontaneous machine reboots and updates to volumes going missing. This
  patch series appears to have fixed the problem, very probably due to
  patch (2), but it's not 100% certain.

  (1) Fix the printing of the "vnode modified" warning to exclude checks
      on files for which we don't have a callback promise from the
      server (and so don't expect the server to tell us when it
      changes).

      Without this, for every file or directory for which we still have
      an in-core inode that gets changed on the server, we may get a
      message logged when we next look at it. This can happen in bulk
      if, for instance, someone does "vos release" to update a R/O
      volume from a R/W volume and a whole set of files are all changed
      together.

      We only really want to log a message if the file changed and the
      server didn't tell us about it or we failed to track the state
      internally.

  (2) Fix accidental corruption of either afs_vlserver struct objects or
      the the following memory locations (which could hold anything).
      The issue is caused by a union that points to two different
      structs in struct afs_call (to save space in the struct). The call
      cleanup code assumes that it can simply call the cleanup for one
      of those structs if not NULL - when it might be actually pointing
      to the other struct.

      This means that every Volume Location RPC op is going to corrupt
      something.

  (3) Fix an uninitialised spinlock. This isn't too bad, it just causes
      a one-off warning if lockdep is enabled when "vos release" is
      called, but the spinlock still behaves correctly.

  (4) Fix the setting of i_block in the inode. This causes du, for
      example, to produce incorrect results, but otherwise should not be
      dangerous to the kernel"

* tag 'afs-fixes-20190620' of git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs:
  afs: Fix setting of i_blocks
  afs: Fix uninitialised spinlock afs_volume::cb_break_lock
  afs: Fix vlserver record corruption
  afs: Fix over zealous "vnode modified" warnings
2019-06-28 08:34:12 +08:00
Linus Torvalds 139ca25805 arch/csky fixup for 5.2
Only 1 fixup patch for rt_sigframe in signal.c
 -----BEGIN PGP SIGNATURE-----
 
 iQJGBAABCAAwFiEE2KAv+isbWR/viAKHAXH1GYaIxXsFAl0TCP4SHHJlbl9ndW9A
 Yy1za3kuY29tAAoJEAFx9RmGiMV7XRYP/izEKH5Uyb5fGt62ZW+QvEQwEsXL0Az/
 YWxCFF6DjOGsO3OVh45PTTGg+2W0nGrpm8aTqfn91qA5Ak9mr/lDlbnk/9ZQ6yRz
 MI5Uzy+kTjyWA4tDHRQlohedjzFy9gNhpMjY6LWuXqUruvf1enyBezIrKUiJhdW6
 7ztTFsSZ6rVI5CSIOhXePmN3pO80YPC+6giqcqv3Yaed4oL6NLrs6yKXmZ3JMi1X
 fpa2EwR/STmPPA3mejDTezD4lriJJUAL39KBjCHT0Ej4y69PIl/wNIdFmri7cXHk
 iPcocR4SapaJNqmwnz+rvWxAoEFpPvJbZsV7ah6ZrpT6LMMoBX5y6h3XA4NXQu9t
 yLU5TCHE4osy4uUHeYMu6AUjTnAzhoUrNNP2h57I0ZNsTSYJiH3eqxAuHM6rrwot
 YMGeiXGtyF+rI0jOroF1giFDzUy7RlDbtLR3B2gV5tP4VXI9b2Gcia/GR25QBrSV
 utEcdE96Td38bPeMhvkOMhG9CHQD32s4o1rYLNndbWoqSCCFdwiC89mvSfthHP2c
 Bx3EJs1vhuIdErN+pPEvX1sAuzmfx8q41Fg93kTYfoUQyflDdNswoRV1weRgHUu3
 CmeJDpPEQH89Ddzb7HJrPCcC+diqclxNqraEcQyoX6KesLHciTB/x2arxjEJQa3c
 tTTGreAq4/+g
 =0p/x
 -----END PGP SIGNATURE-----

Merge tag 'csky-for-linus-5.2-fixup-gcc-unwind' of git://github.com/c-sky/csky-linux

Pull arch/csky fixup from Guo Ren:
 "A fixup patch for rt_sigframe in signal.c"

* tag 'csky-for-linus-5.2-fixup-gcc-unwind' of git://github.com/c-sky/csky-linux:
  csky: Fixup libgcc unwind error
2019-06-28 08:31:57 +08:00
Linus Torvalds c84afab02c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller:

 1) Fix ppp_mppe crypto soft dependencies, from Takashi Iawi.

 2) Fix TX completion to be finite, from Sergej Benilov.

 3) Use register_pernet_device to avoid a dst leak in tipc, from Xin
    Long.

 4) Double free of TX cleanup in Dirk van der Merwe.

 5) Memory leak in packet_set_ring(), from Eric Dumazet.

 6) Out of bounds read in qmi_wwan, from Bjørn Mork.

 7) Fix iif used in mcast/bcast looped back packets, from Stephen
    Suryaputra.

 8) Fix neighbour resolution on raw ipv6 sockets, from Nicolas Dichtel.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (25 commits)
  af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET
  sctp: change to hold sk after auth shkey is created successfully
  ipv6: fix neighbour resolution with raw socket
  ipv6: constify rt6_nexthop()
  net: dsa: microchip: Use gpiod_set_value_cansleep()
  net: aquantia: fix vlans not working over bridged network
  ipv4: reset rt_iif for recirculated mcast/bcast out pkts
  team: Always enable vlan tx offload
  net/smc: Fix error path in smc_init
  net/smc: hold conns_lock before calling smc_lgr_register_conn()
  bonding: Always enable vlan tx offload
  net/ipv6: Fix misuse of proc_dointvec "skip_notify_on_dev_down"
  ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop
  qmi_wwan: Fix out-of-bounds read
  tipc: check msg->req data len in tipc_nl_compat_bearer_disable
  net: macb: do not copy the mac address if NULL
  net/packet: fix memory leak in packet_set_ring()
  net/tls: fix page double free on TX cleanup
  net/sched: cbs: Fix error path of cbs_module_init
  tipc: change to use register_pernet_device
  ...
2019-06-28 08:24:37 +08:00
Lorenzo Bianconi 2a92b08b18 mt76: usb: fix rx A-MSDU support
Commit f8f527b16d ("mt76: usb: use EP max packet aligned buffer sizes
for rx") breaks A-MSDU support. When A-MSDU is enable the device can
receive frames up to q->buf_size but they will be discarded in
mt76u_process_rx_entry since there is no enough room for
skb_shared_info. Fix the issue reallocating the skb and copying in the
linear area the first 128B of the received frames and in the frag_list
the remaining part

Fixes: f8f527b16d ("mt76: usb: use EP max packet aligned buffer sizes for rx")
Signed-off-by: Lorenzo Bianconi <lorenzo@kernel.org>
Signed-off-by: Kalle Valo <kvalo@codeaurora.org>
2019-06-27 19:48:36 +03:00
Christian Brauner 30d158b143
proc: remove useless d_is_dir() check
Remove the d_is_dir() check from tgid_pidfd_to_pid().

It is pointless since you should never get &proc_tgid_base_operations
for f_op on a non-directory.

Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Christian Brauner <christian@brauner.io>
2019-06-27 12:25:09 +02:00
Al Viro 6fd2fe494b
copy_process(): don't use ksys_close() on cleanups
anon_inode_getfd() should be used *ONLY* in situations when we are
guaranteed to be past the last failure point (including copying the
descriptor number to userland, at that).  And ksys_close() should
not be used for cleanups at all.

anon_inode_getfile() is there for all nontrivial cases like that.
Just use that...

Fixes: b3e5838252 ("clone: add CLONE_PIDFD")
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reviewed-by: Jann Horn <jannh@google.com>
Signed-off-by: Christian Brauner <christian@brauner.io>
2019-06-27 12:24:03 +02:00
Neil Horman 89ed5b5190 af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET
When an application is run that:
a) Sets its scheduler to be SCHED_FIFO
and
b) Opens a memory mapped AF_PACKET socket, and sends frames with the
MSG_DONTWAIT flag cleared, its possible for the application to hang
forever in the kernel.  This occurs because when waiting, the code in
tpacket_snd calls schedule, which under normal circumstances allows
other tasks to run, including ksoftirqd, which in some cases is
responsible for freeing the transmitted skb (which in AF_PACKET calls a
destructor that flips the status bit of the transmitted frame back to
available, allowing the transmitting task to complete).

However, when the calling application is SCHED_FIFO, its priority is
such that the schedule call immediately places the task back on the cpu,
preventing ksoftirqd from freeing the skb, which in turn prevents the
transmitting task from detecting that the transmission is complete.

We can fix this by converting the schedule call to a completion
mechanism.  By using a completion queue, we force the calling task, when
it detects there are no more frames to send, to schedule itself off the
cpu until such time as the last transmitted skb is freed, allowing
forward progress to be made.

Tested by myself and the reporter, with good results

Change Notes:

V1->V2:
	Enhance the sleep logic to support being interruptible and
allowing for honoring to SK_SNDTIMEO (Willem de Bruijn)

V2->V3:
	Rearrage the point at which we wait for the completion queue, to
avoid needing to check for ph/skb being null at the end of the loop.
Also move the complete call to the skb destructor to avoid needing to
modify __packet_set_status.  Also gate calling complete on
packet_read_pending returning zero to avoid multiple calls to complete.
(Willem de Bruijn)

	Move timeo computation within loop, to re-fetch the socket
timeout since we also use the timeo variable to record the return code
from the wait_for_complete call (Neil Horman)

V3->V4:
	Willem has requested that the control flow be restored to the
previous state.  Doing so lets us eliminate the need for the
po->wait_on_complete flag variable, and lets us get rid of the
packet_next_frame function, but introduces another complexity.
Specifically, but using the packet pending count, we can, if an
applications calls sendmsg multiple times with MSG_DONTWAIT set, each
set of transmitted frames, when complete, will cause
tpacket_destruct_skb to issue a complete call, for which there will
never be a wait_on_completion call.  This imbalance will lead to any
future call to wait_for_completion here to return early, when the frames
they sent may not have completed.  To correct this, we need to re-init
the completion queue on every call to tpacket_snd before we enter the
loop so as to ensure we wait properly for the frames we send in this
iteration.

	Change the timeout and interrupted gotos to out_put rather than
out_status so that we don't try to free a non-existant skb
	Clean up some extra newlines (Willem de Bruijn)

Reviewed-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: Matteo Croce <mcroce@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 19:38:29 -07:00
Xin Long 25bff6d547 sctp: change to hold sk after auth shkey is created successfully
Now in sctp_endpoint_init(), it holds the sk then creates auth
shkey. But when the creation fails, it doesn't release the sk,
which causes a sk defcnf leak,

Here to fix it by only holding the sk when auth shkey is created
successfully.

Fixes: a29a5bd4f5 ("[SCTP]: Implement SCTP-AUTH initializations.")
Reported-by: syzbot+afabda3890cc2f765041@syzkaller.appspotmail.com
Reported-by: syzbot+276ca1c77a19977c0130@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 19:29:23 -07:00
David S. Miller 13696531dc Merge branch 'ipv6-fix-neighbour-resolution-with-raw-socket'
Nicolas Dichtel says:

====================
ipv6: fix neighbour resolution with raw socket

The first patch prepares the fix, it constify rt6_nexthop().
The detail of the bug is explained in the second patch.

v1 -> v2:
 - fix compilation warnings
 - split the initial patch
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 13:26:08 -07:00
Nicolas Dichtel 2c6b55f45d ipv6: fix neighbour resolution with raw socket
The scenario is the following: the user uses a raw socket to send an ipv6
packet, destinated to a not-connected network, and specify a connected nh.
Here is the corresponding python script to reproduce this scenario:

 import socket
 IPPROTO_RAW = 255
 send_s = socket.socket(socket.AF_INET6, socket.SOCK_RAW, IPPROTO_RAW)
 # scapy
 # p = IPv6(src='fd00💯:1', dst='fd00:200::fa')/ICMPv6EchoRequest()
 # str(p)
 req = b'`\x00\x00\x00\x00\x08:@\xfd\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xfd\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xfa\x80\x00\x81\xc0\x00\x00\x00\x00'
 send_s.sendto(req, ('fd00:175::2', 0, 0, 0))

fd00:175::/64 is a connected route and fd00:200::fa is not a connected
host.

With this scenario, the kernel starts by sending a NS to resolve
fd00:175::2. When it receives the NA, it flushes its queue and try to send
the initial packet. But instead of sending it, it sends another NS to
resolve fd00:200::fa, which obvioulsy fails, thus the packet is dropped. If
the user sends again the packet, it now uses the right nh (fd00:175::2).

The problem is that ip6_dst_lookup_neigh() uses the rt6i_gateway, which is
:: because the associated route is a connected route, thus it uses the dst
addr of the packet. Let's use rt6_nexthop() to choose the right nh.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 13:26:08 -07:00
Nicolas Dichtel 9b1c1ef13b ipv6: constify rt6_nexthop()
There is no functional change in this patch, it only prepares the next one.

rt6_nexthop() will be used by ip6_dst_lookup_neigh(), which uses const
variables.

Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reported-by: kbuild test robot <lkp@intel.com>
Acked-by: Nick Desaulniers <ndesaulniers@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 13:26:08 -07:00
Marek Vasut 22e72b5e04 net: dsa: microchip: Use gpiod_set_value_cansleep()
Replace gpiod_set_value() with gpiod_set_value_cansleep(), as the switch
reset GPIO can be connected to e.g. I2C GPIO expander and it is perfectly
fine for the kernel to sleep for a bit in ksz_switch_register().

Signed-off-by: Marek Vasut <marex@denx.de>
Cc: Andrew Lunn <andrew@lunn.ch>
Cc: Florian Fainelli <f.fainelli@gmail.com>
Cc: Linus Walleij <linus.walleij@linaro.org>
Cc: Tristram Ha <Tristram.Ha@microchip.com>
Cc: Woojung Huh <Woojung.Huh@microchip.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 13:22:29 -07:00
Dmitry Bogdanov 48dd73d08d net: aquantia: fix vlans not working over bridged network
In configuration of vlan over bridge over aquantia device
it was found that vlan tagged traffic is dropped on chip.

The reason is that bridge device enables promisc mode,
but in atlantic chip vlan filters will still apply.
So we have to corellate promisc settings with vlan configuration.

The solution is to track in a separate state variable the
need of vlan forced promisc. And also consider generic
promisc configuration when doing vlan filter config.

Fixes: 7975d2aff5 ("net: aquantia: add support of rx-vlan-filter offload")
Signed-off-by: Dmitry Bogdanov <dmitry.bogdanov@aquantia.com>
Signed-off-by: Igor Russkikh <igor.russkikh@aquantia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 13:16:45 -07:00
Stephen Suryaputra 5b18f12898 ipv4: reset rt_iif for recirculated mcast/bcast out pkts
Multicast or broadcast egress packets have rt_iif set to the oif. These
packets might be recirculated back as input and lookup to the raw
sockets may fail because they are bound to the incoming interface
(skb_iif). If rt_iif is not zero, during the lookup, inet_iif() function
returns rt_iif instead of skb_iif. Hence, the lookup fails.

v2: Make it non vrf specific (David Ahern). Reword the changelog to
    reflect it.
Signed-off-by: Stephen Suryaputra <ssuryaextr@gmail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 12:40:10 -07:00
YueHaibing ee4297420d team: Always enable vlan tx offload
We should rather have vlan_tci filled all the way down
to the transmitting netdevice and let it do the hw/sw
vlan implementation.

Suggested-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 10:14:08 -07:00
David S. Miller 8a53058bd9 Merge branch 'smc-fixes'
Ursula Braun says:

====================
net/smc: fixes 2019-06-26

here are 2 small smc fixes for the net tree.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 10:10:16 -07:00
YueHaibing 8c33bf1b0a net/smc: Fix error path in smc_init
If register_pernet_subsys success in smc_init,
we should cleanup it in case any other error.

Fixes: 64e28b52c7 (net/smc: add pnet table namespace support")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 10:10:16 -07:00
Huaping Zhou 4480879251 net/smc: hold conns_lock before calling smc_lgr_register_conn()
After smc_lgr_create(), the newly created link group is added
to smc_lgr_list, thus is accessible from other context.
Although link group creation is serialized by
smc_create_lgr_pending, the new link group may still be accessed
concurrently. For example, if ib_device is no longer active,
smc_ib_port_event_work() will call smc_port_terminate(), which
in turn will call __smc_lgr_terminate() on every link group of
this device. So conns_lock is required here.

Signed-off-by: Huaping Zhou <zhp@smail.nju.edu.cn>
Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 10:10:16 -07:00
YueHaibing 30d8177e8a bonding: Always enable vlan tx offload
We build vlan on top of bonding interface, which vlan offload
is off, bond mode is 802.3ad (LACP) and xmit_hash_policy is
BOND_XMIT_POLICY_ENCAP34.

Because vlan tx offload is off, vlan tci is cleared and skb push
the vlan header in validate_xmit_vlan() while sending from vlan
devices. Then in bond_xmit_hash, __skb_flow_dissect() fails to
get information from protocol headers encapsulated within vlan,
because 'nhoff' is points to IP header, so bond hashing is based
on layer 2 info, which fails to distribute packets across slaves.

This patch always enable bonding's vlan tx offload, pass the vlan
packets to the slave devices with vlan tci, let them to handle
vlan implementation.

Fixes: 278339a42a ("bonding: propogate vlan_features to bonding master")
Suggested-by: Jiri Pirko <jiri@resnulli.us>
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-06-26 08:56:35 -07:00