1. 14 Jul, 2017 17 commits
    • Xin Long's avatar
      sctp: fix an array overflow when all ext chunks are set · 10b3bf54
      Xin Long authored
      Marcelo noticed an array overflow caused by commit c28445c3
      ("sctp: add reconf_enable in asoc ep and netns"), in which sctp
      would add SCTP_CID_RECONF into extensions when reconf_enable is
      set in sctp_make_init and sctp_make_init_ack.
      
      Then now when all ext chunks are set, 4 ext chunk ids can be put
      into extensions array while extensions array size is 3. It would
      cause a kernel panic because of this overflow.
      
      This patch is to fix it by defining extensions array size is 4 in
      both sctp_make_init and sctp_make_init_ack.
      
      Fixes: c28445c3 ("sctp: add reconf_enable in asoc ep and netns")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      10b3bf54
    • Arnd Bergmann's avatar
      liquidio: fix possible eeprom format string overflow · 56c0da49
      Arnd Bergmann authored
      gcc reports that the temporary buffer for computing the
      string length may be too small here:
      
      drivers/net/ethernet/cavium/liquidio/lio_ethtool.c: In function 'lio_get_eeprom_len':
      /drivers/net/ethernet/cavium/liquidio/lio_ethtool.c:345:21: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=]
        len = sprintf(buf, "boardname:%s serialnum:%s maj:%lld min:%lld\n",
                           ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/cavium/liquidio/lio_ethtool.c:345:6: note: 'sprintf' output between 35 and 167 bytes into a destination of size 128
        len = sprintf(buf, "boardname:%s serialnum:%s maj:%lld min:%lld\n",
      
      This extends it to 192 bytes, which is certainly enough. As far
      as I could tell, there are no other constraints that require a specific
      maximum size.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      56c0da49
    • Arnd Bergmann's avatar
      vmxnet3: avoid format strint overflow warning · c7673e4d
      Arnd Bergmann authored
      gcc-7 notices that "-event-%d" could be more than 11 characters long
      if we had larger 'vector' numbers:
      
      drivers/net/vmxnet3/vmxnet3_drv.c: In function 'vmxnet3_activate_dev':
      drivers/net/vmxnet3/vmxnet3_drv.c:2095:40: error: 'sprintf' may write a terminating nul past the end of the destination [-Werror=format-overflow=]
      sprintf(intr->event_msi_vector_name, "%s-event-%d",
                                           ^~~~~~~~~~~~~
      drivers/net/vmxnet3/vmxnet3_drv.c:2095:3: note: 'sprintf' output between 9 and 33 bytes into a destination of size 32
      
      The current code is safe, but making the string a little longer
      is harmless and lets gcc see that it's ok.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7673e4d
    • Arnd Bergmann's avatar
      net: thunder_bgx: avoid format string overflow warning · c41626ce
      Arnd Bergmann authored
      gcc warns that the temporary buffer might be too small here:
      
      drivers/net/ethernet/cavium/thunder/thunder_bgx.c: In function 'bgx_probe':
      drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1020:16: error: '%d' directive writing between 1 and 10 bytes into a region of size between 9 and 11 [-Werror=format-overflow=]
      sprintf(str, "BGX%d LMAC%d mode", bgx->bgx_id, lmacid);
                   ^~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1020:16: note: directive argument in the range [0, 2147483647]
      drivers/net/ethernet/cavium/thunder/thunder_bgx.c:1020:3: note: 'sprintf' output between 16 and 27 bytes into a destination of size 20
      
      This probably can't happen, but it can't hurt to make it long
      enough for the theoretical limit.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c41626ce
    • Arnd Bergmann's avatar
      bnx2x: fix format overflow warning · be9cdf1b
      Arnd Bergmann authored
      gcc notices that large queue numbers would overflow the queue name
      string:
      
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c: In function 'bnx2x_get_strings':
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c:3165:25: error: '%d' directive writing between 1 and 10 bytes into a region of size 5 [-Werror=format-overflow=]
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c:3165:25: note: directive argument in the range [0, 2147483647]
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_ethtool.c:3165:5: note: 'sprintf' output between 2 and 11 bytes into a destination of size 5
      
      There is a hard limit in place that makes the number at most two
      digits, so the code is fine. This changes it to use snprintf()
      to truncate instead of overflowing, which shuts up that warning.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      be9cdf1b
    • Arnd Bergmann's avatar
      net: niu: fix format string overflow warning: · 73066f6c
      Arnd Bergmann authored
      We get a warning for the port_name string that might be longer than
      six characters if we had more than 10 ports:
      
      drivers/net/ethernet/sun/niu.c: In function 'niu_put_parent':
      drivers/net/ethernet/sun/niu.c:9563:21: error: '%d' directive writing between 1 and 3 bytes into a region of size 2 [-Werror=format-overflow=]
        sprintf(port_name, "port%d", port);
                           ^~~~~~~~
      drivers/net/ethernet/sun/niu.c:9563:21: note: directive argument in the range [0, 255]
      drivers/net/ethernet/sun/niu.c:9563:2: note: 'sprintf' output between 6 and 8 bytes into a destination of size 6
        sprintf(port_name, "port%d", port);
        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/sun/niu.c: In function 'niu_pci_init_one':
      drivers/net/ethernet/sun/niu.c:9538:22: error: '%d' directive writing between 1 and 3 bytes into a region of size 2 [-Werror=format-overflow=]
         sprintf(port_name, "port%d", port);
                            ^~~~~~~~
      drivers/net/ethernet/sun/niu.c:9538:22: note: directive argument in the range [0, 255]
      drivers/net/ethernet/sun/niu.c:9538:3: note: 'sprintf' output between 6 and 8 bytes into a destination of size 6
      
      While we know that the port number is small, there is no harm in
      making the format string two bytes longer to avoid the warning.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      73066f6c
    • Arnd Bergmann's avatar
      isdn: divert: fix sprintf buffer overflow warning · 45e0b4b3
      Arnd Bergmann authored
      One string we pass into the cs->info buffer might be too long,
      as pointed out by gcc:
      
      drivers/isdn/divert/isdn_divert.c: In function 'll_callback':
      drivers/isdn/divert/isdn_divert.c:488:22: error: '%d' directive writing between 1 and 3 bytes into a region of size between 1 and 69 [-Werror=format-overflow=]
       sprintf(cs->info, "%d 0x%lx %s %s %s %s 0x%x 0x%x %d %d %s\n",
                         ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
      drivers/isdn/divert/isdn_divert.c:488:22: note: directive argument in the range [0, 255]
      drivers/isdn/divert/isdn_divert.c:488:4: note: 'sprintf' output 25 or more bytes (assuming 129) into a destination of size 90
      
      This is unlikely to actually cause problems, so let's use snprintf
      as a simple workaround to shut  up the warning and truncate the
      buffer instead.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      45e0b4b3
    • Timur Tabi's avatar
      net: qcom/emac: fix double free of SGMII IRQ during shutdown · c98b0537
      Timur Tabi authored
      If the interface is not up, then don't try to close it during a
      shutdown.  This avoids possible double free of the IRQ, which
      can happen during a shutdown.
      
      Fixes: 03eb3eb4 ("net: qcom/emac: add shutdown function")
      Signed-off-by: default avatarTimur Tabi <timur@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c98b0537
    • Petr Kulhavy's avatar
      smsc95xx: use ethtool_op_get_ts_info() · a8f5cb9e
      Petr Kulhavy authored
      This change enables the use of SW timestamping on Raspberry PI.
      
      smsc95xx uses the usbnet transmit function usbnet_start_xmit(), which
      implements software timestamping. However the SOF_TIMESTAMPING_TX_SOFTWARE
      capability was missing and only SOF_TIMESTAMPING_RX_SOFTWARE was announced.
      By using ethtool_op_get_ts_info() as get_ts_info() also the
      SOF_TIMESTAMPING_TX_SOFTWARE is announced.
      Signed-off-by: default avatarPetr Kulhavy <brain@jikos.cz>
      Reviewed-by: default avatarWoojung Huh <Woojung.Huh@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a8f5cb9e
    • Roman Mashak's avatar
      net sched actions: rename act_get_notify() to tcf_get_notify() · c4c4290c
      Roman Mashak authored
      Make name consistent with other TC event notification routines, such as
      tcf_add_notify() and tcf_del_notify()
      Signed-off-by: default avatarRoman Mashak <mrv@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4c4290c
    • Iván Briano's avatar
      net/packet: Fix Tx queue selection for AF_PACKET · ccd4eb49
      Iván Briano authored
      When PACKET_QDISC_BYPASS is not used, Tx queue selection will be done
      before the packet is enqueued, taking into account any mappings set by
      a queuing discipline such as mqprio without hardware offloading. This
      selection may be affected by a previously saved queue_mapping, either on
      the Rx path, or done before the packet reaches the device, as it's
      currently the case for AF_PACKET.
      
      In order for queue selection to work as expected when using traffic
      control, there can't be another selection done before that point is
      reached, so move the call to packet_pick_tx_queue to
      packet_direct_xmit, leaving the default xmit path as it was before
      PACKET_QDISC_BYPASS was introduced.
      
      A forward declaration of packet_pick_tx_queue() is introduced to avoid
      the need to reorder the functions within the file.
      
      Fixes: d346a3fa ("packet: introduce PACKET_QDISC_BYPASS socket option")
      Signed-off-by: default avatarIván Briano <ivan.briano@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ccd4eb49
    • Nikolay Aleksandrov's avatar
      net: bridge: fix dest lookup when vlan proto doesn't match · 31a4562d
      Nikolay Aleksandrov authored
      With 802.1ad support the vlan_ingress code started checking for vlan
      protocol mismatch which causes the current tag to be inserted and the
      bridge vlan protocol & pvid to be set. The vlan tag insertion changes
      the skb mac_header and thus the lookup mac dest pointer which was loaded
      prior to calling br_allowed_ingress in br_handle_frame_finish is VLAN_HLEN
      bytes off now, pointing to the last two bytes of the destination mac and
      the first four of the source mac causing lookups to always fail and
      broadcasting all such packets to all ports. Same thing happens for locally
      originated packets when passing via br_dev_xmit. So load the dest pointer
      after the vlan checks and possible skb change.
      
      Fixes: 8580e211 ("bridge: Prepare for 802.1ad vlan filtering support")
      Reported-by: default avatarAnitha Narasimha Murthy <anitha@cumulusnetworks.com>
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Acked-by: default avatarToshiaki Makita <makita.toshiaki@lab.ntt.co.jp>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      31a4562d
    • Ganesh Goudar's avatar
      cxgb4: ptp_clock_register() returns error pointers · 40fbbce0
      Ganesh Goudar authored
      Check ptp_clock_register() return not only for NULL but
      also for error pointers, and also nullify adapter->ptp_clock
      if ptp_clock_register() fails.
      
      Fixes: 9c33e420 ("cxgb4: Add PTP Hardware Clock (PHC) support")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Cc: Richard Cochran <richardcochran@gmail.com>
      Signed-off-by: default avatarGanesh Goudar <ganeshgr@chelsio.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40fbbce0
    • LiuJian's avatar
      net: hns: add acpi function of xge led control · 1e4babee
      LiuJian authored
      The current code only support DT method to control xge led.
      This patch is the implementation of acpi method to control xge led.
      Signed-off-by: default avatarLiuJian <liujian56@huawei.com>
      Reviewed-by: default avatarJohn Garry <john.garry@huawei.com>
      Reviewed-by: default avatarYunsheng Lin <linyunsheng@huawei.com>
      Reviewed-by: default avatarDaode Huang <huangdaode@hisilicon.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1e4babee
    • WANG Cong's avatar
      netpoll: shut up a kernel warning on refcount · 230cd127
      WANG Cong authored
      When we convert atomic_t to refcount_t, a new kernel warning
      on "increment on 0" is introduced in the netpoll code,
      zap_completion_queue(). In fact for this special case, we know
      the refcount is 0 and we just have to set it to 1 to satisfy
      the following dev_kfree_skb_any(), so we can just use
      refcount_set(..., 1) instead.
      
      Fixes: 63354797 ("net: convert sk_buff.users from atomic_t to refcount_t")
      Reported-by: default avatarDave Jones <davej@codemonkey.org.uk>
      Cc: Reshetova, Elena <elena.reshetova@intel.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      230cd127
    • Enrico Mioso's avatar
      cdc_ncm: Set NTB format again after altsetting switch for Huawei devices · 2b02c20c
      Enrico Mioso authored
      Some firmwares in Huawei E3372H devices have been observed to switch back
      to NTB 32-bit format after altsetting switch.
      This patch implements a driver flag to check for the device settings and
      set NTB format to 16-bit again if needed.
      The flag has been activated for devices controlled by the huawei_cdc_ncm.c
      driver.
      
      V1->V2:
      - fixed broken error checks
      - some corrections to the commit message
      V2->V3:
      - variable name changes, to clarify what's happening
      - check (and possibly set) the NTB format later in the common bind code path
      Signed-off-by: default avatarEnrico Mioso <mrkiko.rs@gmail.com>
      Reported-and-tested-by: default avatarChristian Panton <christian@panton.org>
      Reviewed-by: default avatarBjørn Mork <bjorn@mork.no>
      CC: Bjørn Mork <bjorn@mork.no>
      CC: Christian Panton <christian@panton.org>
      CC: linux-usb@vger.kernel.org
      CC: netdev@vger.kernel.org
      CC: Oliver Neukum <oliver@neukum.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2b02c20c
    • Martin Blumenstingl's avatar
      mdio: mux: fix parsing mux registers outside of the PHY address range · 457839ed
      Martin Blumenstingl authored
      mdio_mux_init parses the child nodes of the MDIO mux. When using
      "mdio-mux-mmioreg" the child nodes are describing the register value
      that is written to switch between the MDIO busses.
      
      The change which makes the error messages more verbose changed the
      parsing of the "reg" property from a simple of_property_read_u32 call
      to of_mdio_parse_addr. On a Khadas VIM (based on the Meson GXL SoC,
      which uses mdio-mux-mmioreg) this prevents registering the MDIO mux
      (because the "reg" values on the MDIO mux child nodes are 0x2009087f
      and 0xe40908ff) and leads to the following errors:
        mdio-mux-mmioreg c883455c.eth-phy-mux: /soc/periphs@c8834000/eth-phy-mux/mdio@e40908ff PHY address -469169921 is too large
        mdio-mux-mmioreg c883455c.eth-phy-mux: Error: Failed to find reg for child /soc/periphs@c8834000/eth-phy-mux/mdio@e40908ff
        mdio-mux-mmioreg c883455c.eth-phy-mux: /soc/periphs@c8834000/eth-phy-mux/mdio@2009087f PHY address 537462911 is too large
        mdio-mux-mmioreg c883455c.eth-phy-mux: Error: Failed to find reg for child /soc/periphs@c8834000/eth-phy-mux/mdio@2009087f
        mdio-mux-mmioreg c883455c.eth-phy-mux: Error: No acceptable child buses found
        mdio-mux-mmioreg c883455c.eth-phy-mux: failed to register mdio-mux bus /soc/periphs@c8834000/eth-phy-mux
      (as a result of that ethernet is not working, because the PHY which is
      connected through the mux' child MDIO bus, which is not being
      registered).
      
      Fix this by reverting the change from of_mdio_parse_addr to
      of_mdio_parse_addr.
      
      Fixes: 342fa196 ("mdio: mux: make child bus walking more permissive and errors more verbose")
      Signed-off-by: default avatarMartin Blumenstingl <martin.blumenstingl@googlemail.com>
      Acked-by: default avatarNeil Armstrong <narmstrong@baylibre.com>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      457839ed
  2. 13 Jul, 2017 12 commits
  3. 12 Jul, 2017 11 commits
    • LABBE Corentin's avatar
      net: stmmac: revert "support future possible different internal phy mode" · d93b07f8
      LABBE Corentin authored
      Since internal phy-mode is reserved for non-xMII protocol we cannot use
      it with dwmac-sun8i.
      Furthermore, all DT patchs which comes with this patch were cleaned, so
      the current state is broken.
      This reverts commit 1c2fa5f8 ("net: stmmac: support future possible different internal phy mode")
      
      Fixes: 1c2fa5f8 ("net: stmmac: support future possible different internal phy mode")
      Signed-off-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d93b07f8
    • Bert Kenward's avatar
      sfc: don't read beyond unicast address list · c70d6815
      Bert Kenward authored
      If we have more than 32 unicast MAC addresses assigned to an interface
      we will read beyond the end of the address table in the driver when
      adding filters. The next 256 entries store multicast addresses, so we
      will end up attempting to insert duplicate filters, which is mostly
      harmless. If we add more than 288 unicast addresses we will then read
      past the multicast address table, which is likely to be more exciting.
      
      Fixes: 12fb0da4 ("sfc: clean fallbacks between promisc/normal in efx_ef10_filter_sync_rx_mode")
      Signed-off-by: default avatarBert Kenward <bkenward@solarflare.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c70d6815
    • David S. Miller's avatar
      Merge branch 'net-doc-fixes' · 07b8a7cf
      David S. Miller authored
      Stephen Hemminger says:
      
      ====================
      minor net kernel-doc fixes
      
      Fix a couple of small errors in kernel-doc for networking
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      07b8a7cf
    • stephen hemminger's avatar
      datagram: fix kernel-doc comments · d3f6cd9e
      stephen hemminger authored
      An underscore in the kernel-doc comment section has special meaning
      and mis-use generates an errors.
      
      ./net/core/datagram.c:207: ERROR: Unknown target name: "msg".
      ./net/core/datagram.c:379: ERROR: Unknown target name: "msg".
      ./net/core/datagram.c:816: ERROR: Unknown target name: "t".
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d3f6cd9e
    • stephen hemminger's avatar
      socket: add documentation for missing elements · 771edcaf
      stephen hemminger authored
      Fill in missing kernel-doc for missing elements in struct sock.
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      771edcaf
    • Alexey Khoroshilov's avatar
      smsc911x: Add check for ioremap_nocache() return code · 57fe1479
      Alexey Khoroshilov authored
      There is no check for return code of smsc911x_drv_probe()
      in smsc911x_drv_probe(). The patch adds one.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      57fe1479
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 235b84fc
      Linus Torvalds authored
      Pull i2c updates from Wolfram Sang:
       "This pull request contains:
      
         - i2c core reorganization. One source file became too monolithic. It
           is now split up, yet we still have the same named object as the
           final output. This should ease maintenance.
      
         - new drivers: ZTE ZX2967 family, ASPEED 24XX/25XX
      
         - designware driver gained slave mode support
      
         - xgene-slimpro driver gained ACPI support
      
         - bigger overhaul for pca-platform driver
      
         - the algo-bit module now supports messages with enforced STOP
      
         - slightly bigger than usual set of driver updates and improvements
      
        and with much appreciated quality assurance from Andy Shevchenko"
      
      * 'i2c/for-4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux: (51 commits)
        i2c: Provide a stub for i2c_detect_slave_mode()
        i2c: designware: Let slave adapter support be optional
        i2c: designware: Make HW init functions static
        i2c: designware: fix spelling mistakes
        i2c: pca-platform: propagate error from i2c_pca_add_numbered_bus
        i2c: pca-platform: correctly set algo_data.reset_chip
        i2c: acpi: Do not create i2c-clients for LNXVIDEO ACPI devices
        i2c: designware: enable SLAVE in platform module
        i2c: designware: add SLAVE mode functions
        i2c: zx2967: drop COMPILE_TEST dependency
        i2c: zx2967: always use the same device when printing errors
        i2c: pca-platform: use dev_warn/dev_info instead of printk
        i2c: pca-platform: use device managed allocations
        i2c: pca-platform: add devicetree awareness
        i2c: pca-platform: switch to struct gpio_desc
        dt-bindings: add bindings for i2c-pca-platform
        i2c: cadance: fix ctrl/addr reg write order
        i2c: zx2967: add i2c controller driver for ZTE's zx2967 family
        dt: bindings: add documentation for zx2967 family i2c controller
        i2c: algo-bit: add support for I2C_M_STOP
        ...
      235b84fc
    • Linus Torvalds's avatar
      Merge tag 'iommu-updates-v4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · fb4e3bee
      Linus Torvalds authored
      Pull IOMMU updates from Joerg Roedel:
       "This update comes with:
      
         - Support for lockless operation in the ARM io-pgtable code.
      
           This is an important step to solve the scalability problems in the
           common dma-iommu code for ARM
      
         - Some Errata workarounds for ARM SMMU implemenations
      
         - Rewrite of the deferred IO/TLB flush code in the AMD IOMMU driver.
      
           The code suffered from very high flush rates, with the new
           implementation the flush rate is down to ~1% of what it was before
      
         - Support for amd_iommu=off when booting with kexec.
      
           The problem here was that the IOMMU driver bailed out early without
           disabling the iommu hardware, if it was enabled in the old kernel
      
         - The Rockchip IOMMU driver is now available on ARM64
      
         - Align the return value of the iommu_ops->device_group call-backs to
           not miss error values
      
         - Preempt-disable optimizations in the Intel VT-d and common IOVA
           code to help Linux-RT
      
         - Various other small cleanups and fixes"
      
      * tag 'iommu-updates-v4.13' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu: (60 commits)
        iommu/vt-d: Constify intel_dma_ops
        iommu: Warn once when device_group callback returns NULL
        iommu/omap: Return ERR_PTR in device_group call-back
        iommu: Return ERR_PTR() values from device_group call-backs
        iommu/s390: Use iommu_group_get_for_dev() in s390_iommu_add_device()
        iommu/vt-d: Don't disable preemption while accessing deferred_flush()
        iommu/iova: Don't disable preempt around this_cpu_ptr()
        iommu/arm-smmu-v3: Add workaround for Cavium ThunderX2 erratum #126
        iommu/arm-smmu-v3: Enable ACPI based HiSilicon CMD_PREFETCH quirk(erratum 161010701)
        iommu/arm-smmu-v3: Add workaround for Cavium ThunderX2 erratum #74
        ACPI/IORT: Fixup SMMUv3 resource size for Cavium ThunderX2 SMMUv3 model
        iommu/arm-smmu-v3, acpi: Add temporary Cavium SMMU-V3 IORT model number definitions
        iommu/io-pgtable-arm: Use dma_wmb() instead of wmb() when publishing table
        iommu/io-pgtable: depend on !GENERIC_ATOMIC64 when using COMPILE_TEST with LPAE
        iommu/arm-smmu-v3: Remove io-pgtable spinlock
        iommu/arm-smmu: Remove io-pgtable spinlock
        iommu/io-pgtable-arm-v7s: Support lockless operation
        iommu/io-pgtable-arm: Support lockless operation
        iommu/io-pgtable: Introduce explicit coherency
        iommu/io-pgtable-arm-v7s: Refactor split_blk_unmap
        ...
      fb4e3bee
    • Linus Torvalds's avatar
      Merge branch 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs · 6b1c776d
      Linus Torvalds authored
      Pull overlayfs updates from Miklos Szeredi:
       "This work from Amir introduces the inodes index feature, which
        provides:
      
         - hardlinks are not broken on copy up
      
         - infrastructure for overlayfs NFS export
      
        This also fixes constant st_ino for samefs case for lower hardlinks"
      
      * 'overlayfs-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs: (33 commits)
        ovl: mark parent impure and restore timestamp on ovl_link_up()
        ovl: document copying layers restrictions with inodes index
        ovl: cleanup orphan index entries
        ovl: persistent overlay inode nlink for indexed inodes
        ovl: implement index dir copy up
        ovl: move copy up lock out
        ovl: rearrange copy up
        ovl: add flag for upper in ovl_entry
        ovl: use struct copy_up_ctx as function argument
        ovl: base tmpfile in workdir too
        ovl: factor out ovl_copy_up_inode() helper
        ovl: extract helper to get temp file in copy up
        ovl: defer upper dir lock to tempfile link
        ovl: hash overlay non-dir inodes by copy up origin
        ovl: cleanup bad and stale index entries on mount
        ovl: lookup index entry for copy up origin
        ovl: verify index dir matches upper dir
        ovl: verify upper root dir matches lower root dir
        ovl: introduce the inodes index dir feature
        ovl: generalize ovl_create_workdir()
        ...
      6b1c776d
    • Al Viro's avatar
      fix a braino in compat_sys_getrlimit() · 58c7ffc0
      Al Viro authored
      Reported-and-tested-by: default avatarMeelis Roos <mroos@linux.ee>
      Fixes: commit d9e968cb "getrlimit()/setrlimit(): move compat to native"
      Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Acked-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      58c7ffc0
    • Arend van Spriel's avatar
      brcmfmac: fix possible buffer overflow in brcmf_cfg80211_mgmt_tx() · 8f44c9a4
      Arend van Spriel authored
      The lower level nl80211 code in cfg80211 ensures that "len" is between
      25 and NL80211_ATTR_FRAME (2304).  We subtract DOT11_MGMT_HDR_LEN (24) from
      "len" so thats's max of 2280.  However, the action_frame->data[] buffer is
      only BRCMF_FIL_ACTION_FRAME_SIZE (1800) bytes long so this memcpy() can
      overflow.
      
      	memcpy(action_frame->data, &buf[DOT11_MGMT_HDR_LEN],
      	       le16_to_cpu(action_frame->len));
      
      Cc: stable@vger.kernel.org # 3.9.x
      Fixes: 18e2f61d ("brcmfmac: P2P action frame tx.")
      Reported-by: default avatar"freenerguo(郭大兴)" <freenerguo@tencent.com>
      Signed-off-by: default avatarArend van Spriel <arend.vanspriel@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8f44c9a4