1. 09 Jun, 2017 2 commits
    • Dave Young's avatar
      efi: Fix boot panic because of invalid BGRT image address · 792ef14d
      Dave Young authored
      Maniaxx reported a kernel boot crash in the EFI code, which I emulated
      by using same invalid phys addr in code:
      
        BUG: unable to handle kernel paging request at ffffffffff280001
        IP: efi_bgrt_init+0xfb/0x153
        ...
        Call Trace:
         ? bgrt_init+0xbc/0xbc
         acpi_parse_bgrt+0xe/0x12
         acpi_table_parse+0x89/0xb8
         acpi_boot_init+0x445/0x4e2
         ? acpi_parse_x2apic+0x79/0x79
         ? dmi_ignore_irq0_timer_override+0x33/0x33
         setup_arch+0xb63/0xc82
         ? early_idt_handler_array+0x120/0x120
         start_kernel+0xb7/0x443
         ? early_idt_handler_array+0x120/0x120
         x86_64_start_reservations+0x29/0x2b
         x86_64_start_kernel+0x154/0x177
         secondary_startup_64+0x9f/0x9f
      
      There is also a similar bug filed in bugzilla.kernel.org:
      
        https://bugzilla.kernel.org/show_bug.cgi?id=195633
      
      The crash is caused by this commit:
      
        7b0a9114 efi/x86: Move the EFI BGRT init code to early init code
      
      The root cause is the firmware on those machines provides invalid BGRT
      image addresses.
      
      In a kernel before above commit BGRT initializes late and uses ioremap()
      to map the image address. Ioremap validates the address, if it is not a
      valid physical address ioremap() just fails and returns. However in current
      kernel EFI BGRT initializes early and uses early_memremap() which does not
      validate the image address, and kernel panic happens.
      
      According to ACPI spec the BGRT image address should fall into
      EFI_BOOT_SERVICES_DATA, see the section 5.2.22.4 of below document:
      
        http://www.uefi.org/sites/default/files/resources/ACPI_6_1.pdf
      
      Fix this issue by validating the image address in efi_bgrt_init(). If the
      image address does not fall into any EFI_BOOT_SERVICES_DATA areas we just
      bail out with a warning message.
      Reported-by: default avatarManiaxx <tripleshiftone@gmail.com>
      Signed-off-by: default avatarDave Young <dyoung@redhat.com>
      Signed-off-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Matt Fleming <matt@codeblueprint.co.uk>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: linux-efi@vger.kernel.org
      Fixes: 7b0a9114 ("efi/x86: Move the EFI BGRT init code to early init code")
      Link: http://lkml.kernel.org/r/20170609084558.26766-2-ard.biesheuvel@linaro.orgSigned-off-by: default avatarIngo Molnar <mingo@kernel.org>
      792ef14d
    • Linus Torvalds's avatar
      Merge tag 'pm-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 0d22df90
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These revert one problematic commit related to system sleep and fix
        one recent intel_pstate regression.
      
        Specifics:
      
         - Revert a recent commit that attempted to avoid spurious wakeups
           from suspend-to-idle via ACPI SCI, but introduced regressions on
           some systems (Rafael Wysocki).
      
           We will get back to the problem it tried to address in the next
           cycle.
      
         - Fix a possible division by 0 during intel_pstate initialization
           due to a missing check (Rafael Wysocki)"
      
      * tag 'pm-4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        Revert "ACPI / sleep: Ignore spurious SCI wakeups from suspend-to-idle"
        cpufreq: intel_pstate: Avoid division by 0 in min_perf_pct_min()
      0d22df90
  2. 08 Jun, 2017 6 commits
    • Linus Torvalds's avatar
      Merge tag 'modules-for-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux · aea4156c
      Linus Torvalds authored
      Pull module maintainer address change from Jessica Yu:
       "A single patch that advertises my email address change"
      
      * tag 'modules-for-v4.12-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/jeyu/linux:
        MAINTAINERS: update email address for Jessica Yu
      aea4156c
    • Rafael J. Wysocki's avatar
      Merge branches 'intel_pstate' and 'pm-sleep' · fbd78afe
      Rafael J. Wysocki authored
      * intel_pstate:
        cpufreq: intel_pstate: Avoid division by 0 in min_perf_pct_min()
      
      * pm-sleep:
        Revert "ACPI / sleep: Ignore spurious SCI wakeups from suspend-to-idle"
      fbd78afe
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk · dc0cf5a7
      Linus Torvalds authored
      Pull printk fix from Petr Mladek:
       "This reverts a fix added into 4.12-rc1. It caused the kernel log to be
        printed on another console when two consoles of the same type were
        defined, e.g. console=ttyS0 console=ttyS1.
      
        This configuration was never supported by kernel itself, but it
        started to make sense with systemd. In other words, the commit broke
        userspace"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/pmladek/printk:
        Revert "printk: fix double printing with earlycon"
      dc0cf5a7
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · d0aab7d4
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes a couple of places in the crypto code that were doing
        interruptible sleeps dangerously. They have been converted to use
        non-interruptible sleeps.
      
        This also fixes a bug in asymmetric_keys where it would trigger a
        use-after-free if a request returned EBUSY due to a full device queue"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: gcm - wait for crypto op not signal safe
        crypto: drbg - wait for crypto op not signal safe
        crypto: asymmetric_keys - handle EBUSY due to backlog correctly
      d0aab7d4
    • Petr Mladek's avatar
      Revert "printk: fix double printing with earlycon" · dac8bbba
      Petr Mladek authored
      This reverts commit cf39bf58.
      
      The commit regression to users that define both console=ttyS1
      and console=ttyS0 on the command line, see
      https://lkml.kernel.org/r/20170509082915.GA13236@bistromath.localdomain
      
      The kernel log messages always appeared only on one serial port. It is
      even documented in Documentation/admin-guide/serial-console.rst:
      
      "Note that you can only define one console per device type (serial,
      video)."
      
      The above mentioned commit changed the order in which the command line
      parameters are searched. As a result, the kernel log messages go to
      the last mentioned ttyS* instead of the first one.
      
      We long thought that using two console=ttyS* on the command line
      did not make sense. But then we realized that console= parameters
      were handled also by systemd, see
      http://0pointer.de/blog/projects/serial-console.html
      
      "By default systemd will instantiate one serial-getty@.service on
      the main kernel console, if it is not a virtual terminal."
      
      where
      
      "[4] If multiple kernel consoles are used simultaneously, the main
      console is the one listed first in /sys/class/tty/console/active,
      which is the last one listed on the kernel command line."
      
      This puts the original report into another light. The system is running
      in qemu. The first serial port is used to store the messages into a file.
      The second one is used to login to the system via a socket. It depends
      on systemd and the historic kernel behavior.
      
      By other words, systemd causes that it makes sense to define both
      console=ttyS1 console=ttyS0 on the command line. The kernel fix
      caused regression related to userspace (systemd) and need to be
      reverted.
      
      In addition, it went out that the fix helped only partially.
      The messages still were duplicated when the boot console was
      removed early by late_initcall(printk_late_init). Then the entire
      log was replayed when the same console was registered as a normal one.
      
      Link: 20170606160339.GC7604@pathway.suse.cz
      Cc: Aleksey Makarov <aleksey.makarov@linaro.org>
      Cc: Sabrina Dubroca <sd@queasysnail.net>
      Cc: Sudeep Holla <sudeep.holla@arm.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Peter Hurley <peter@hurleysoftware.com>
      Cc: Jiri Slaby <jslaby@suse.com>
      Cc: Robin Murphy <robin.murphy@arm.com>,
      Cc: Steven Rostedt <rostedt@goodmis.org>
      Cc: "Nair, Jayachandran" <Jayachandran.Nair@cavium.com>
      Cc: linux-serial@vger.kernel.org
      Cc: linux-kernel@vger.kernel.org
      Reported-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Acked-by: default avatarSergey Senozhatsky <sergey.senozhatsky@gmail.com>
      Signed-off-by: default avatarPetr Mladek <pmladek@suse.com>
      dac8bbba
    • Jessica Yu's avatar
      MAINTAINERS: update email address for Jessica Yu · 462c5a82
      Jessica Yu authored
      I will be traveling in the upcoming months and it'll be much easier for me
      to access my kernel.org email rather than my work one. Change my email
      address in the MAINTAINERS file from jeyu@redhat.com to jeyu@kernel.org.
      Signed-off-by: default avatarJessica Yu <jeyu@redhat.com>
      462c5a82
  3. 06 Jun, 2017 28 commits
    • Rafael J. Wysocki's avatar
      Revert "ACPI / sleep: Ignore spurious SCI wakeups from suspend-to-idle" · f3b7eaae
      Rafael J. Wysocki authored
      Revert commit eed4d47e (ACPI / sleep: Ignore spurious SCI wakeups
      from suspend-to-idle) as it turned out to be premature and triggered
      a number of different issues on various systems.
      
      That includes, but is not limited to, premature suspend-to-RAM aborts
      on Dell XPS 13 (9343) reported by Dominik.
      
      The issue the commit in question attempted to address is real and
      will need to be taken care of going forward, but evidently more work
      is needed for this purpose.
      Reported-by: default avatarDominik Brodowski <linux@dominikbrodowski.net>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      f3b7eaae
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · b29794ec
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Made TCP congestion control documentation match current reality,
          from Anmol Sarma.
      
       2) Various build warning and failure fixes from Arnd Bergmann.
      
       3) Fix SKB list leak in ipv6_gso_segment().
      
       4) Use after free in ravb driver, from Eugeniu Rosca.
      
       5) Don't use udp_poll() in ping protocol driver, from Eric Dumazet.
      
       6) Don't crash in PCI error recovery of cxgb4 driver, from Guilherme
          Piccoli.
      
       7) _SRC_NAT_DONE_BIT needs to be cleared using atomics, from Liping
          Zhang.
      
       8) Use after free in vxlan deletion, from Mark Bloch.
      
       9) Fix ordering of NAPI poll enabled in ethoc driver, from Max
          Filippov.
      
      10) Fix stmmac hangs with TSO, from Niklas Cassel.
      
      11) Fix crash in CALIPSO ipv6, from Richard Haines.
      
      12) Clear nh_flags properly on mpls link up. From Roopa Prabhu.
      
      13) Fix regression in sk_err socket error queue handling, noticed by
          ping applications. From Soheil Hassas Yeganeh.
      
      14) Update mlx4/mlx5 MAINTAINERS information.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (78 commits)
        net: stmmac: fix a broken u32 less than zero check
        net: stmmac: fix completely hung TX when using TSO
        net: ethoc: enable NAPI before poll may be scheduled
        net: bridge: fix a null pointer dereference in br_afspec
        ravb: Fix use-after-free on `ifconfig eth0 down`
        net/ipv6: Fix CALIPSO causing GPF with datagram support
        net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value
        Revert "sit: reload iphdr in ipip6_rcv"
        i40e/i40evf: proper update of the page_offset field
        i40e: Fix state flags for bit set and clean operations of PF
        iwlwifi: fix host command memory leaks
        iwlwifi: fix min API version for 7265D, 3168, 8000 and 8265
        iwlwifi: mvm: clear new beacon command template struct
        iwlwifi: mvm: don't fail when removing a key from an inexisting sta
        iwlwifi: pcie: only use d0i3 in suspend/resume if system_pm is set to d0i3
        iwlwifi: mvm: fix firmware debug restart recording
        iwlwifi: tt: move ucode_loaded check under mutex
        iwlwifi: mvm: support ibss in dqa mode
        iwlwifi: mvm: Fix command queue number on d0i3 flow
        iwlwifi: mvm: rs: start using LQ command color
        ...
      b29794ec
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · e87f327e
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
      
       1) Fix TLB context wrap races, from Pavel Tatashin.
      
       2) Cure some gcc-7 build issues.
      
       3) Handle invalid setup_hugepagesz command line values properly, from
          Liam R Howlett.
      
       4) Copy TSB using the correct address shift for the huge TSB, from Mike
          Kravetz.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: delete old wrap code
        sparc64: new context wrap
        sparc64: add per-cpu mm of secondary contexts
        sparc64: redefine first version
        sparc64: combine activate_mm and switch_mm
        sparc64: reset mm cpumask after wrap
        sparc/mm/hugepages: Fix setup_hugepagesz for invalid values.
        sparc: Machine description indices can vary
        sparc64: mm: fix copy_tsb to correctly copy huge page TSBs
        arch/sparc: support NR_CPUS = 4096
        sparc64: Add __multi3 for gcc 7.x and later.
        sparc64: Fix build warnings with gcc 7.
        arch/sparc: increase CONFIG_NODES_SHIFT on SPARC64 to 5
      e87f327e
    • David Rientjes's avatar
      compiler, clang: suppress warning for unused static inline functions · abb2ea7d
      David Rientjes authored
      GCC explicitly does not warn for unused static inline functions for
      -Wunused-function.  The manual states:
      
      	Warn whenever a static function is declared but not defined or
      	a non-inline static function is unused.
      
      Clang does warn for static inline functions that are unused.
      
      It turns out that suppressing the warnings avoids potentially complex
      #ifdef directives, which also reduces LOC.
      
      Suppress the warning for clang.
      Signed-off-by: default avatarDavid Rientjes <rientjes@google.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      abb2ea7d
    • David S. Miller's avatar
      Merge branch 'sparc64-context-wrap-fixes' · b3aefc2f
      David S. Miller authored
      Pavel Tatashin says:
      
      ====================
      sparc64: context wrap fixes
      
      This patch series contains fixes for context wrap: when we are out of
      context ids, and need to get a new version.
      
      It fixes memory corruption issues which happen when more than number of
      context ids (currently set to 8K) number of processes are started
      simultaneously, and processes can get a wrong context.
      
      sparc64: new context wrap:
      - contains explanation of new wrap method, and also explanation of races
        that it solves
      sparc64: reset mm cpumask after wrap
      - explains issue of not reseting cpu mask on a wrap
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b3aefc2f
    • Pavel Tatashin's avatar
      sparc64: delete old wrap code · 0197e41c
      Pavel Tatashin authored
      The old method that is using xcall and softint to get new context id is
      deleted, as it is replaced by a method of using per_cpu_secondary_mm
      without xcall to perform the context wrap.
      Signed-off-by: default avatarPavel Tatashin <pasha.tatashin@oracle.com>
      Reviewed-by: default avatarBob Picco <bob.picco@oracle.com>
      Reviewed-by: default avatarSteven Sistare <steven.sistare@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0197e41c
    • Pavel Tatashin's avatar
      sparc64: new context wrap · a0582f26
      Pavel Tatashin authored
      The current wrap implementation has a race issue: it is called outside of
      the ctx_alloc_lock, and also does not wait for all CPUs to complete the
      wrap.  This means that a thread can get a new context with a new version
      and another thread might still be running with the same context. The
      problem is especially severe on CPUs with shared TLBs, like sun4v. I used
      the following test to very quickly reproduce the problem:
      - start over 8K processes (must be more than context IDs)
      - write and read values at a  memory location in every process.
      
      Very quickly memory corruptions start happening, and what we read back
      does not equal what we wrote.
      
      Several approaches were explored before settling on this one:
      
      Approach 1:
      Move smp_new_mmu_context_version() inside ctx_alloc_lock, and wait for
      every process to complete the wrap. (Note: every CPU must WAIT before
      leaving smp_new_mmu_context_version_client() until every one arrives).
      
      This approach ends up with deadlocks, as some threads own locks which other
      threads are waiting for, and they never receive softint until these threads
      exit smp_new_mmu_context_version_client(). Since we do not allow the exit,
      deadlock happens.
      
      Approach 2:
      Handle wrap right during mondo interrupt. Use etrap/rtrap to enter into
      into C code, and issue new versions to every CPU.
      This approach adds some overhead to runtime: in switch_mm() we must add
      some checks to make sure that versions have not changed due to wrap while
      we were loading the new secondary context. (could be protected by PSTATE_IE
      but that degrades performance as on M7 and older CPUs as it takes 50 cycles
      for each access). Also, we still need a global per-cpu array of MMs to know
      where we need to load new contexts, otherwise we can change context to a
      thread that is going way (if we received mondo between switch_mm() and
      switch_to() time). Finally, there are some issues with window registers in
      rtrap() when context IDs are changed during CPU mondo time.
      
      The approach in this patch is the simplest and has almost no impact on
      runtime.  We use the array with mm's where last secondary contexts were
      loaded onto CPUs and bump their versions to the new generation without
      changing context IDs. If a new process comes in to get a context ID, it
      will go through get_new_mmu_context() because of version mismatch. But the
      running processes do not need to be interrupted. And wrap is quicker as we
      do not need to xcall and wait for everyone to receive and complete wrap.
      Signed-off-by: default avatarPavel Tatashin <pasha.tatashin@oracle.com>
      Reviewed-by: default avatarBob Picco <bob.picco@oracle.com>
      Reviewed-by: default avatarSteven Sistare <steven.sistare@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a0582f26
    • Pavel Tatashin's avatar
      sparc64: add per-cpu mm of secondary contexts · 7a5b4bbf
      Pavel Tatashin authored
      The new wrap is going to use information from this array to figure out
      mm's that currently have valid secondary contexts setup.
      Signed-off-by: default avatarPavel Tatashin <pasha.tatashin@oracle.com>
      Reviewed-by: default avatarBob Picco <bob.picco@oracle.com>
      Reviewed-by: default avatarSteven Sistare <steven.sistare@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7a5b4bbf
    • Pavel Tatashin's avatar
      sparc64: redefine first version · c4415235
      Pavel Tatashin authored
      CTX_FIRST_VERSION defines the first context version, but also it defines
      first context. This patch redefines it to only include the first context
      version.
      Signed-off-by: default avatarPavel Tatashin <pasha.tatashin@oracle.com>
      Reviewed-by: default avatarBob Picco <bob.picco@oracle.com>
      Reviewed-by: default avatarSteven Sistare <steven.sistare@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4415235
    • Pavel Tatashin's avatar
      sparc64: combine activate_mm and switch_mm · 14d0334c
      Pavel Tatashin authored
      The only difference between these two functions is that in activate_mm we
      unconditionally flush context. However, there is no need to keep this
      difference after fixing a bug where cpumask was not reset on a wrap. So, in
      this patch we combine these.
      Signed-off-by: default avatarPavel Tatashin <pasha.tatashin@oracle.com>
      Reviewed-by: default avatarBob Picco <bob.picco@oracle.com>
      Reviewed-by: default avatarSteven Sistare <steven.sistare@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      14d0334c
    • Pavel Tatashin's avatar
      sparc64: reset mm cpumask after wrap · 58897485
      Pavel Tatashin authored
      After a wrap (getting a new context version) a process must get a new
      context id, which means that we would need to flush the context id from
      the TLB before running for the first time with this ID on every CPU. But,
      we use mm_cpumask to determine if this process has been running on this CPU
      before, and this mask is not reset after a wrap. So, there are two possible
      fixes for this issue:
      
      1. Clear mm cpumask whenever mm gets a new context id
      2. Unconditionally flush context every time process is running on a CPU
      
      This patch implements the first solution
      Signed-off-by: default avatarPavel Tatashin <pasha.tatashin@oracle.com>
      Reviewed-by: default avatarBob Picco <bob.picco@oracle.com>
      Reviewed-by: default avatarSteven Sistare <steven.sistare@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      58897485
    • Liam R. Howlett's avatar
      sparc/mm/hugepages: Fix setup_hugepagesz for invalid values. · f322980b
      Liam R. Howlett authored
      hugetlb_bad_size needs to be called on invalid values.  Also change the
      pr_warn to a pr_err to better align with other platforms.
      Signed-off-by: default avatarLiam R. Howlett <Liam.Howlett@Oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f322980b
    • James Clarke's avatar
      sparc: Machine description indices can vary · c982aa9c
      James Clarke authored
      VIO devices were being looked up by their index in the machine
      description node block, but this often varies over time as devices are
      added and removed. Instead, store the ID and look up using the type,
      config handle and ID.
      Signed-off-by: default avatarJames Clarke <jrtc27@jrtc27.com>
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=112541Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c982aa9c
    • Mike Kravetz's avatar
      sparc64: mm: fix copy_tsb to correctly copy huge page TSBs · 654f4807
      Mike Kravetz authored
      When a TSB grows beyond its current capacity, a new TSB is allocated
      and copy_tsb is called to copy entries from the old TSB to the new.
      A hash shift based on page size is used to calculate the index of an
      entry in the TSB.  copy_tsb has hard coded PAGE_SHIFT in these
      calculations.  However, for huge page TSBs the value REAL_HPAGE_SHIFT
      should be used.  As a result, when copy_tsb is called for a huge page
      TSB the entries are placed at the incorrect index in the newly
      allocated TSB.  When doing hardware table walk, the MMU does not
      match these entries and we end up in the TSB miss handling code.
      This code will then create and write an entry to the correct index
      in the TSB.  We take a performance hit for the table walk miss and
      recreation of these entries.
      
      Pass a new parameter to copy_tsb that is the page size shift to be
      used when copying the TSB.
      Suggested-by: default avatarAnthony Yznaga <anthony.yznaga@oracle.com>
      Signed-off-by: default avatarMike Kravetz <mike.kravetz@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      654f4807
    • Jane Chu's avatar
      arch/sparc: support NR_CPUS = 4096 · c79a1373
      Jane Chu authored
      Linux SPARC64 limits NR_CPUS to 4064 because init_cpu_send_mondo_info()
      only allocates a single page for NR_CPUS mondo entries. Thus we cannot
      use all 4096 CPUs on some SPARC platforms.
      
      To fix, allocate (2^order) pages where order is set according to the size
      of cpu_list for possible cpus. Since cpu_list_pa and cpu_mondo_block_pa
      are not used in asm code, there are no imm13 offsets from the base PA
      that will break because they can only reach one page.
      
      Orabug: 25505750
      Signed-off-by: default avatarJane Chu <jane.chu@oracle.com>
      Reviewed-by: default avatarBob Picco <bob.picco@oracle.com>
      Reviewed-by: default avatarAtish Patra <atish.patra@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c79a1373
    • Colin Ian King's avatar
      net: stmmac: fix a broken u32 less than zero check · 1d3028f4
      Colin Ian King authored
      The check that queue is less or equal to zero is always true
      because queue is a u32; queue is decremented and will wrap around
      and never go -ve. Fix this by making queue an int.
      
      Detected by CoverityScan, CID#1428988 ("Unsigned compared against 0")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1d3028f4
    • Niklas Cassel's avatar
      net: stmmac: fix completely hung TX when using TSO · 426849e6
      Niklas Cassel authored
      stmmac_tso_allocator can fail to set the Last Descriptor bit
      on a descriptor that actually was the last descriptor.
      
      This happens when the buffer of the last descriptor ends
      up having a size of exactly TSO_MAX_BUFF_SIZE.
      
      When the IP eventually reaches the next last descriptor,
      which actually has the bit set, the DMA will hang.
      
      When the DMA hangs, we get a tx timeout, however,
      since stmmac does not do a complete reset of the IP
      in stmmac_tx_timeout, we end up in a state with
      completely hung TX.
      Signed-off-by: default avatarNiklas Cassel <niklas.cassel@axis.com>
      Acked-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Acked-by: default avatarAlexandre TORGUE <alexandre.torgue@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      426849e6
    • Max Filippov's avatar
      net: ethoc: enable NAPI before poll may be scheduled · d220b942
      Max Filippov authored
      ethoc_reset enables device interrupts, ethoc_interrupt may schedule a
      NAPI poll before NAPI is enabled in the ethoc_open, which results in
      device being unable to send or receive anything until it's closed and
      reopened. In case the device is flooded with ingress packets it may be
      unable to recover at all.
      Move napi_enable above ethoc_reset in the ethoc_open to fix that.
      
      Fixes: a1702857 ("net: Add support for the OpenCores 10/100 Mbps Ethernet MAC.")
      Signed-off-by: default avatarMax Filippov <jcmvbkbc@gmail.com>
      Reviewed-by: default avatarTobias Klauser <tklauser@distanz.ch>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d220b942
    • Nikolay Aleksandrov's avatar
      net: bridge: fix a null pointer dereference in br_afspec · 1020ce31
      Nikolay Aleksandrov authored
      We might call br_afspec() with p == NULL which is a valid use case if
      the action is on the bridge device itself, but the bridge tunnel code
      dereferences the p pointer without checking, so check if p is null
      first.
      Reported-by: default avatarGustavo A. R. Silva <garsilva@embeddedor.com>
      Fixes: efa5356b ("bridge: per vlan dst_metadata netlink support")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Acked-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1020ce31
    • Eugeniu Rosca's avatar
      ravb: Fix use-after-free on `ifconfig eth0 down` · 79514ef6
      Eugeniu Rosca authored
      Commit a47b70ea ("ravb: unmap descriptors when freeing rings") has
      introduced the issue seen in [1] reproduced on H3ULCB board.
      
      Fix this by relocating the RX skb ringbuffer free operation, so that
      swiotlb page unmapping can be done first. Freeing of aligned TX buffers
      is not relevant to the issue seen in [1]. Still, reposition TX free
      calls as well, to have all kfree() operations performed consistently
      _after_ dma_unmap_*()/dma_free_*().
      
      [1] Console screenshot with the problem reproduced:
      
      salvator-x login: root
      root@salvator-x:~# ifconfig eth0 up
      Micrel KSZ9031 Gigabit PHY e6800000.ethernet-ffffffff:00: \
             attached PHY driver [Micrel KSZ9031 Gigabit PHY]   \
             (mii_bus:phy_addr=e6800000.ethernet-ffffffff:00, irq=235)
      IPv6: ADDRCONF(NETDEV_UP): eth0: link is not ready
      root@salvator-x:~#
      root@salvator-x:~# ifconfig eth0 down
      
      ==================================================================
      BUG: KASAN: use-after-free in swiotlb_tbl_unmap_single+0xc4/0x35c
      Write of size 1538 at addr ffff8006d884f780 by task ifconfig/1649
      
      CPU: 0 PID: 1649 Comm: ifconfig Not tainted 4.12.0-rc4-00004-g112eb072 #32
      Hardware name: Renesas H3ULCB board based on r8a7795 (DT)
      Call trace:
      [<ffff20000808f11c>] dump_backtrace+0x0/0x3a4
      [<ffff20000808f4d4>] show_stack+0x14/0x1c
      [<ffff20000865970c>] dump_stack+0xf8/0x150
      [<ffff20000831f8b0>] print_address_description+0x7c/0x330
      [<ffff200008320010>] kasan_report+0x2e0/0x2f4
      [<ffff20000831eac0>] check_memory_region+0x20/0x14c
      [<ffff20000831f054>] memcpy+0x48/0x68
      [<ffff20000869ed50>] swiotlb_tbl_unmap_single+0xc4/0x35c
      [<ffff20000869fcf4>] unmap_single+0x90/0xa4
      [<ffff20000869fd14>] swiotlb_unmap_page+0xc/0x14
      [<ffff2000080a2974>] __swiotlb_unmap_page+0xcc/0xe4
      [<ffff2000088acdb8>] ravb_ring_free+0x514/0x870
      [<ffff2000088b25dc>] ravb_close+0x288/0x36c
      [<ffff200008aaf8c4>] __dev_close_many+0x14c/0x174
      [<ffff200008aaf9b4>] __dev_close+0xc8/0x144
      [<ffff200008ac2100>] __dev_change_flags+0xd8/0x194
      [<ffff200008ac221c>] dev_change_flags+0x60/0xb0
      [<ffff200008ba2dec>] devinet_ioctl+0x484/0x9d4
      [<ffff200008ba7b78>] inet_ioctl+0x190/0x194
      [<ffff200008a78c44>] sock_do_ioctl+0x78/0xa8
      [<ffff200008a7a128>] sock_ioctl+0x110/0x3c4
      [<ffff200008365a70>] vfs_ioctl+0x90/0xa0
      [<ffff200008365dbc>] do_vfs_ioctl+0x148/0xc38
      [<ffff2000083668f0>] SyS_ioctl+0x44/0x74
      [<ffff200008083770>] el0_svc_naked+0x24/0x28
      
      The buggy address belongs to the page:
      page:ffff7e001b6213c0 count:0 mapcount:0 mapping:          (null) index:0x0
      flags: 0x4000000000000000()
      raw: 4000000000000000 0000000000000000 0000000000000000 00000000ffffffff
      raw: 0000000000000000 ffff7e001b6213e0 0000000000000000 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff8006d884f680: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff8006d884f700: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      >ffff8006d884f780: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
                         ^
       ffff8006d884f800: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
       ffff8006d884f880: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
      ==================================================================
      Disabling lock debugging due to kernel taint
      root@salvator-x:~#
      
      Fixes: a47b70ea ("ravb: unmap descriptors when freeing rings")
      Signed-off-by: default avatarEugeniu Rosca <erosca@de.adit-jv.com>
      Acked-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      79514ef6
    • Richard Haines's avatar
      net/ipv6: Fix CALIPSO causing GPF with datagram support · e3ebdb20
      Richard Haines authored
      When using CALIPSO with IPPROTO_UDP it is possible to trigger a GPF as the
      IP header may have moved.
      
      Also update the payload length after adding the CALIPSO option.
      Signed-off-by: default avatarRichard Haines <richard_c_haines@btinternet.com>
      Acked-by: default avatarPaul Moore <paul@paul-moore.com>
      Signed-off-by: default avatarHuw Davies <huw@codeweavers.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e3ebdb20
    • Colin Ian King's avatar
      net: stmmac: ensure jumbo_frm error return is correctly checked for -ve value · 59423815
      Colin Ian King authored
      The current comparison of entry < 0 will never be true since entry is an
      unsigned integer. Make entry an int to ensure -ve error return values
      from the call to jumbo_frm are correctly being caught.
      
      Detected by CoverityScan, CID#1238760 ("Macro compares unsigned to 0")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      59423815
    • David S. Miller's avatar
      Merge tag 'wireless-drivers-for-davem-2017-06-06' of... · 7b868fed
      David S. Miller authored
      Merge tag 'wireless-drivers-for-davem-2017-06-06' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
      
      Kalle Valo says:
      
      ====================
      wireless-drivers fixes for 4.12
      
      It has been a slow start of cycle and this the first set of fixes for
      4.12. Nothing really major here.
      
      wcn36xx
      
      * fix an issue with module reload
      
      brcmfmac
      
      * fix aligment regression on 64 bit systems
      
      iwlwifi
      
      * fixes for memory leaks, runtime PM, memory initialisation and other
        smaller problems
      
      * fix IBSS on devices using DQA mode (7260 and up)
      
      * fix the minimum firmware API requirement for 7265D, 3168, 8000 and
        8265
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7b868fed
    • Linus Torvalds's avatar
      Merge tag 'media/v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media · 84c6c303
      Linus Torvalds authored
      Pull media fixes from Mauro Carvalho Chehab:
       "Some bug fixes:
      
         - Don't fail build if atomisp has warnings
      
         - Some CEC Kconfig changes to allow it to be used by DRM without
           media dependencies
      
         - A race fix at RC initialization code
      
         - A driver fix at rainshadow-cec
      
        IMHO, the one that affects most people in this series is a build fix:
        if you try to build the Kernel with W=1 or using gcc7 and
        all[yes|mod]config, build will fail due to -Werror at atomisp
        makefiles"
      
      * tag 'media/v4.12-2' of git://git.kernel.org/pub/scm/linux/kernel/git/mchehab/linux-media:
        [media] rc-core: race condition during ir_raw_event_register()
        [media] cec: drop MEDIA_CEC_DEBUG
        [media] cec: rename MEDIA_CEC_NOTIFIER to CEC_NOTIFIER
        [media] cec: select CEC_CORE instead of depend on it
        [media] rainshadow-cec: ensure exit_loop is intialized
        [media] atomisp: don't treat warnings as errors
      84c6c303
    • David S. Miller's avatar
      Merge branch '40GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · 80971dfb
      David S. Miller authored
      Jeff Kirsher says:
      
      ====================
      Intel Wired LAN Driver Updates 2017-06-06
      
      This series contains fixes to i40e and i40evf only.
      
      Mauro S. M. Rodrigues fixes a flood in the kernel log which was introduced
      in a previous commit because of a mistaken substitution of __I40E_VSI_DOWN
      instead of __I40E_DOWN when testing the state of the PF.
      
      Björn Töpel fixes an issue introduced in a previous commit where the
      offset was incorrect and could lead to data corruption for architectures
      using PAGE_SIZE larger than 8191.  Fixed the issue by updating the
      page_offset correctly using the proper setting for truesize.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      80971dfb
    • David S. Miller's avatar
      Revert "sit: reload iphdr in ipip6_rcv" · f4eb17e1
      David S. Miller authored
      This reverts commit b699d003.
      
      As per Eric Dumazet, the pskb_may_pull() is a NOP in this
      particular case, so the 'iph' reload is unnecessary.
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f4eb17e1
    • Björn Töpel's avatar
      i40e/i40evf: proper update of the page_offset field · 2aae918c
      Björn Töpel authored
      In f8b45b74 ("i40e/i40evf: Use build_skb to build frames")
      i40e_build_skb updates the page_offset field with an incorrect offset,
      which can lead to data corruption. This patch updates page_offset
      correctly, by properly setting truesize.
      
      Note that the bug only appears on architectures where PAGE_SIZE is
      8192 or larger.
      
      Fixes: f8b45b74 ("i40e/i40evf: Use build_skb to build frames")
      Signed-off-by: default avatarBjörn Töpel <bjorn.topel@intel.com>
      Acked-by: default avatarAlexander Duyck <alexander.h.duyck@intel.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      2aae918c
    • Mauro S. M. Rodrigues's avatar
      i40e: Fix state flags for bit set and clean operations of PF · 9e6c9c0f
      Mauro S. M. Rodrigues authored
      Commit 0da36b97 ("i40e: use DECLARE_BITMAP for state fields")
      introduced changes in the way i40e works with state flags converting
      them to bitmaps using kernel bitmap API. This change introduced a
      regression due to a mistaken substitution using __I40E_VSI_DOWN instead
      of __I40E_DOWN when testing state of a PF at i40e_reset_subtask()
      function. This caused a flood in the kernel log with the follow message:
      
      [49.013] i40e 0002:01:00.0: bad reset request 0x00000020
      
      Commit d19cb64b ("i40e: separate PF and VSI state flags")
      also introduced some misuse of the VSI and PF flags, so both could be
      considered as the offenders.
      
      This patch simply fixes the flags where it makes sense by changing
      __I40E_VSI_DOWN to __I40E_DOWN.
      
      Fixes: 0da36b97 ("i40e: use DECLARE_BITMAP for state fields")
      Fixes: d19cb64b ("i40e: separate PF and VSI state flags")
      Reviewed-by: default avatar"Guilherme G. Piccoli" <gpiccoli@linux.vnet.ibm.com>
      Signed-off-by: default avatar"Mauro S. M. Rodrigues" <maurosr@linux.vnet.ibm.com>
      Tested-by: default avatarAndrew Bowers <andrewx.bowers@intel.com>
      Signed-off-by: default avatarJeff Kirsher <jeffrey.t.kirsher@intel.com>
      9e6c9c0f
  4. 05 Jun, 2017 4 commits