1. 27 Jun, 2019 2 commits
    • Neil Horman's avatar
      af_packet: Block execution of tasks waiting for transmit to complete in AF_PACKET · 89ed5b51
      Neil Horman authored
      When an application is run that:
      a) Sets its scheduler to be SCHED_FIFO
      and
      b) Opens a memory mapped AF_PACKET socket, and sends frames with the
      MSG_DONTWAIT flag cleared, its possible for the application to hang
      forever in the kernel.  This occurs because when waiting, the code in
      tpacket_snd calls schedule, which under normal circumstances allows
      other tasks to run, including ksoftirqd, which in some cases is
      responsible for freeing the transmitted skb (which in AF_PACKET calls a
      destructor that flips the status bit of the transmitted frame back to
      available, allowing the transmitting task to complete).
      
      However, when the calling application is SCHED_FIFO, its priority is
      such that the schedule call immediately places the task back on the cpu,
      preventing ksoftirqd from freeing the skb, which in turn prevents the
      transmitting task from detecting that the transmission is complete.
      
      We can fix this by converting the schedule call to a completion
      mechanism.  By using a completion queue, we force the calling task, when
      it detects there are no more frames to send, to schedule itself off the
      cpu until such time as the last transmitted skb is freed, allowing
      forward progress to be made.
      
      Tested by myself and the reporter, with good results
      
      Change Notes:
      
      V1->V2:
      	Enhance the sleep logic to support being interruptible and
      allowing for honoring to SK_SNDTIMEO (Willem de Bruijn)
      
      V2->V3:
      	Rearrage the point at which we wait for the completion queue, to
      avoid needing to check for ph/skb being null at the end of the loop.
      Also move the complete call to the skb destructor to avoid needing to
      modify __packet_set_status.  Also gate calling complete on
      packet_read_pending returning zero to avoid multiple calls to complete.
      (Willem de Bruijn)
      
      	Move timeo computation within loop, to re-fetch the socket
      timeout since we also use the timeo variable to record the return code
      from the wait_for_complete call (Neil Horman)
      
      V3->V4:
      	Willem has requested that the control flow be restored to the
      previous state.  Doing so lets us eliminate the need for the
      po->wait_on_complete flag variable, and lets us get rid of the
      packet_next_frame function, but introduces another complexity.
      Specifically, but using the packet pending count, we can, if an
      applications calls sendmsg multiple times with MSG_DONTWAIT set, each
      set of transmitted frames, when complete, will cause
      tpacket_destruct_skb to issue a complete call, for which there will
      never be a wait_on_completion call.  This imbalance will lead to any
      future call to wait_for_completion here to return early, when the frames
      they sent may not have completed.  To correct this, we need to re-init
      the completion queue on every call to tpacket_snd before we enter the
      loop so as to ensure we wait properly for the frames we send in this
      iteration.
      
      	Change the timeout and interrupted gotos to out_put rather than
      out_status so that we don't try to free a non-existant skb
      	Clean up some extra newlines (Willem de Bruijn)
      Reviewed-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Reported-by: default avatarMatteo Croce <mcroce@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      89ed5b51
    • Xin Long's avatar
      sctp: change to hold sk after auth shkey is created successfully · 25bff6d5
      Xin Long authored
      Now in sctp_endpoint_init(), it holds the sk then creates auth
      shkey. But when the creation fails, it doesn't release the sk,
      which causes a sk defcnf leak,
      
      Here to fix it by only holding the sk when auth shkey is created
      successfully.
      
      Fixes: a29a5bd4 ("[SCTP]: Implement SCTP-AUTH initializations.")
      Reported-by: syzbot+afabda3890cc2f765041@syzkaller.appspotmail.com
      Reported-by: syzbot+276ca1c77a19977c0130@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      25bff6d5
  2. 26 Jun, 2019 11 commits
  3. 25 Jun, 2019 2 commits
  4. 24 Jun, 2019 5 commits
    • Bjørn Mork's avatar
      qmi_wwan: Fix out-of-bounds read · 904d88d7
      Bjørn Mork authored
      The syzbot reported
      
       Call Trace:
        __dump_stack lib/dump_stack.c:77 [inline]
        dump_stack+0xca/0x13e lib/dump_stack.c:113
        print_address_description+0x67/0x231 mm/kasan/report.c:188
        __kasan_report.cold+0x1a/0x32 mm/kasan/report.c:317
        kasan_report+0xe/0x20 mm/kasan/common.c:614
        qmi_wwan_probe+0x342/0x360 drivers/net/usb/qmi_wwan.c:1417
        usb_probe_interface+0x305/0x7a0 drivers/usb/core/driver.c:361
        really_probe+0x281/0x660 drivers/base/dd.c:509
        driver_probe_device+0x104/0x210 drivers/base/dd.c:670
        __device_attach_driver+0x1c2/0x220 drivers/base/dd.c:777
        bus_for_each_drv+0x15c/0x1e0 drivers/base/bus.c:454
      
      Caused by too many confusing indirections and casts.
      id->driver_info is a pointer stored in a long.  We want the
      pointer here, not the address of it.
      
      Thanks-to: Hillf Danton <hdanton@sina.com>
      Reported-by: syzbot+b68605d7fadd21510de1@syzkaller.appspotmail.com
      Cc: Kristian Evensen <kristian.evensen@gmail.com>
      Fixes: e4bf6348 ("qmi_wwan: Add quirk for Quectel dynamic config")
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      904d88d7
    • Xin Long's avatar
      tipc: check msg->req data len in tipc_nl_compat_bearer_disable · 4f07b80c
      Xin Long authored
      This patch is to fix an uninit-value issue, reported by syzbot:
      
        BUG: KMSAN: uninit-value in memchr+0xce/0x110 lib/string.c:981
        Call Trace:
          __dump_stack lib/dump_stack.c:77 [inline]
          dump_stack+0x191/0x1f0 lib/dump_stack.c:113
          kmsan_report+0x130/0x2a0 mm/kmsan/kmsan.c:622
          __msan_warning+0x75/0xe0 mm/kmsan/kmsan_instr.c:310
          memchr+0xce/0x110 lib/string.c:981
          string_is_valid net/tipc/netlink_compat.c:176 [inline]
          tipc_nl_compat_bearer_disable+0x2a1/0x480 net/tipc/netlink_compat.c:449
          __tipc_nl_compat_doit net/tipc/netlink_compat.c:327 [inline]
          tipc_nl_compat_doit+0x3ac/0xb00 net/tipc/netlink_compat.c:360
          tipc_nl_compat_handle net/tipc/netlink_compat.c:1178 [inline]
          tipc_nl_compat_recv+0x1b1b/0x27b0 net/tipc/netlink_compat.c:1281
      
      TLV_GET_DATA_LEN() may return a negtive int value, which will be
      used as size_t (becoming a big unsigned long) passed into memchr,
      cause this issue.
      
      Similar to what it does in tipc_nl_compat_bearer_enable(), this
      fix is to return -EINVAL when TLV_GET_DATA_LEN() is negtive in
      tipc_nl_compat_bearer_disable(), as well as in
      tipc_nl_compat_link_stat_dump() and tipc_nl_compat_link_reset_stats().
      
      v1->v2:
        - add the missing Fixes tags per Eric's request.
      
      Fixes: 0762216c ("tipc: fix uninit-value in tipc_nl_compat_bearer_enable")
      Fixes: 8b66fee7 ("tipc: fix uninit-value in tipc_nl_compat_link_reset_stats")
      Reported-by: syzbot+30eaa8bf392f7fafffaf@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4f07b80c
    • Antoine Tenart's avatar
      net: macb: do not copy the mac address if NULL · 2bf4ecbc
      Antoine Tenart authored
      This patch fixes the MAC address setup in the probe. The MAC address
      retrieved using of_get_mac_address was checked for not containing an
      error, but it may also be NULL which wasn't tested. Fix it by replacing
      IS_ERR with IS_ERR_OR_NULL.
      
      Fixes: 541ddc66 ("net: macb: support of_get_mac_address new ERR_PTR error")
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2bf4ecbc
    • Eric Dumazet's avatar
      net/packet: fix memory leak in packet_set_ring() · 55655e3d
      Eric Dumazet authored
      syzbot found we can leak memory in packet_set_ring(), if user application
      provides buggy parameters.
      
      Fixes: 7f953ab2 ("af_packet: TX_RING support for TPACKET_V3")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Sowmini Varadhan <sowmini.varadhan@oracle.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      55655e3d
    • Dirk van der Merwe's avatar
      net/tls: fix page double free on TX cleanup · 9354544c
      Dirk van der Merwe authored
      With commit 94850257 ("tls: Fix tls_device handling of partial records")
      a new path was introduced to cleanup partial records during sk_proto_close.
      This path does not handle the SW KTLS tx_list cleanup.
      
      This is unnecessary though since the free_resources calls for both
      SW and offload paths will cleanup a partial record.
      
      The visible effect is the following warning, but this bug also causes
      a page double free.
      
          WARNING: CPU: 7 PID: 4000 at net/core/stream.c:206 sk_stream_kill_queues+0x103/0x110
          RIP: 0010:sk_stream_kill_queues+0x103/0x110
          RSP: 0018:ffffb6df87e07bd0 EFLAGS: 00010206
          RAX: 0000000000000000 RBX: ffff8c21db4971c0 RCX: 0000000000000007
          RDX: ffffffffffffffa0 RSI: 000000000000001d RDI: ffff8c21db497270
          RBP: ffff8c21db497270 R08: ffff8c29f4748600 R09: 000000010020001a
          R10: ffffb6df87e07aa0 R11: ffffffff9a445600 R12: 0000000000000007
          R13: 0000000000000000 R14: ffff8c21f03f2900 R15: ffff8c21f03b8df0
          Call Trace:
           inet_csk_destroy_sock+0x55/0x100
           tcp_close+0x25d/0x400
           ? tcp_check_oom+0x120/0x120
           tls_sk_proto_close+0x127/0x1c0
           inet_release+0x3c/0x60
           __sock_release+0x3d/0xb0
           sock_close+0x11/0x20
           __fput+0xd8/0x210
           task_work_run+0x84/0xa0
           do_exit+0x2dc/0xb90
           ? release_sock+0x43/0x90
           do_group_exit+0x3a/0xa0
           get_signal+0x295/0x720
           do_signal+0x36/0x610
           ? SYSC_recvfrom+0x11d/0x130
           exit_to_usermode_loop+0x69/0xb0
           do_syscall_64+0x173/0x180
           entry_SYSCALL_64_after_hwframe+0x3d/0xa2
          RIP: 0033:0x7fe9b9abc10d
          RSP: 002b:00007fe9b19a1d48 EFLAGS: 00000246 ORIG_RAX: 00000000000000ca
          RAX: fffffffffffffe00 RBX: 0000000000000006 RCX: 00007fe9b9abc10d
          RDX: 0000000000000002 RSI: 0000000000000080 RDI: 00007fe948003430
          RBP: 00007fe948003410 R08: 00007fe948003430 R09: 0000000000000000
          R10: 0000000000000000 R11: 0000000000000246 R12: 00005603739d9080
          R13: 00007fe9b9ab9f90 R14: 00007fe948003430 R15: 0000000000000000
      
      Fixes: 94850257 ("tls: Fix tls_device handling of partial records")
      Signed-off-by: default avatarDirk van der Merwe <dirk.vandermerwe@netronome.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9354544c
  5. 23 Jun, 2019 1 commit
  6. 22 Jun, 2019 8 commits
    • Xin Long's avatar
      tipc: change to use register_pernet_device · c492d4c7
      Xin Long authored
      This patch is to fix a dst defcnt leak, which can be reproduced by doing:
      
        # ip net a c; ip net a s; modprobe tipc
        # ip net e s ip l a n eth1 type veth peer n eth1 netns c
        # ip net e c ip l s lo up; ip net e c ip l s eth1 up
        # ip net e s ip l s lo up; ip net e s ip l s eth1 up
        # ip net e c ip a a 1.1.1.2/8 dev eth1
        # ip net e s ip a a 1.1.1.1/8 dev eth1
        # ip net e c tipc b e m udp n u1 localip 1.1.1.2
        # ip net e s tipc b e m udp n u1 localip 1.1.1.1
        # ip net d c; ip net d s; rmmod tipc
      
      and it will get stuck and keep logging the error:
      
        unregister_netdevice: waiting for lo to become free. Usage count = 1
      
      The cause is that a dst is held by the udp sock's sk_rx_dst set on udp rx
      path with udp_early_demux == 1, and this dst (eventually holding lo dev)
      can't be released as bearer's removal in tipc pernet .exit happens after
      lo dev's removal, default_device pernet .exit.
      
       "There are two distinct types of pernet_operations recognized: subsys and
        device.  At creation all subsys init functions are called before device
        init functions, and at destruction all device exit functions are called
        before subsys exit function."
      
      So by calling register_pernet_device instead to register tipc_net_ops, the
      pernet .exit() will be invoked earlier than loopback dev's removal when a
      netns is being destroyed, as fou/gue does.
      
      Note that vxlan and geneve udp tunnels don't have this issue, as the udp
      sock is released in their device ndo_stop().
      
      This fix is also necessary for tipc dst_cache, which will hold dsts on tx
      path and I will introduce in my next patch.
      Reported-by: default avatarLi Shuang <shuali@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c492d4c7
    • Sergej Benilov's avatar
      sis900: fix TX completion · 8ac8a010
      Sergej Benilov authored
      Since commit 605ad7f1 "tcp: refine TSO autosizing",
      outbound throughput is dramatically reduced for some connections, as sis900
      is doing TX completion within idle states only.
      
      Make TX completion happen after every transmitted packet.
      
      Test:
      netperf
      
      before patch:
      > netperf -H remote -l -2000000 -- -s 1000000
      MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo
      Recv   Send    Send
      Socket Socket  Message  Elapsed
      Size   Size    Size     Time     Throughput
      bytes  bytes   bytes    secs.    10^6bits/sec
      
       87380 327680 327680    253.44      0.06
      
      after patch:
      > netperf -H remote -l -10000000 -- -s 1000000
      MIGRATED TCP STREAM TEST from 0.0.0.0 () port 0 AF_INET to 95.223.112.76 () port 0 AF_INET : demo
      Recv   Send    Send
      Socket Socket  Message  Elapsed
      Size   Size    Size     Time     Throughput
      bytes  bytes   bytes    secs.    10^6bits/sec
      
       87380 327680 327680    5.38       14.89
      
      Thx to Dave Miller and Eric Dumazet for helpful hints
      Signed-off-by: default avatarSergej Benilov <sergej.benilov@googlemail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8ac8a010
    • Roland Hii's avatar
      net: stmmac: set IC bit when transmitting frames with HW timestamp · d0bb82fd
      Roland Hii authored
      When transmitting certain PTP frames, e.g. SYNC and DELAY_REQ, the
      PTP daemon, e.g. ptp4l, is polling the driver for the frame transmit
      hardware timestamp. The polling will most likely timeout if the tx
      coalesce is enabled due to the Interrupt-on-Completion (IC) bit is
      not set in tx descriptor for those frames.
      
      This patch will ignore the tx coalesce parameter and set the IC bit
      when transmitting PTP frames which need to report out the frame
      transmit hardware timestamp to user space.
      
      Fixes: f748be53 ("net: stmmac: Rework coalesce timer and fix multi-queue races")
      Signed-off-by: default avatarRoland Hii <roland.king.guan.hii@intel.com>
      Signed-off-by: default avatarOng Boon Leong <boon.leong.ong@intel.com>
      Signed-off-by: default avatarVoon Weifeng <weifeng.voon@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0bb82fd
    • Roland Hii's avatar
      net: stmmac: fixed new system time seconds value calculation · a1e5388b
      Roland Hii authored
      When ADDSUB bit is set, the system time seconds field is calculated as
      the complement of the seconds part of the update value.
      
      For example, if 3.000000001 seconds need to be subtracted from the
      system time, this field is calculated as
      2^32 - 3 = 4294967296 - 3 = 0x100000000 - 3 = 0xFFFFFFFD
      
      Previously, the 0x100000000 is mistakenly written as 100000000.
      
      This is further simplified from
        sec = (0x100000000ULL - sec);
      to
        sec = -sec;
      
      Fixes: ba1ffd74 ("stmmac: fix PTP support for GMAC4")
      Signed-off-by: default avatarRoland Hii <roland.king.guan.hii@intel.com>
      Signed-off-by: default avatarOng Boon Leong <boon.leong.ong@intel.com>
      Signed-off-by: default avatarVoon Weifeng <weifeng.voon@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a1e5388b
    • Takashi Iwai's avatar
      ppp: mppe: Add softdep to arc4 · aad1dcc4
      Takashi Iwai authored
      The arc4 crypto is mandatory at ppp_mppe probe time, so let's put a
      softdep line, so that the corresponding module gets prepared
      gracefully.  Without this, a simple inclusion to initrd via dracut
      failed due to the missing dependency, for example.
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aad1dcc4
    • Petr Oros's avatar
      be2net: fix link failure after ethtool offline test · 2e5db6eb
      Petr Oros authored
      Certain cards in conjunction with certain switches need a little more
      time for link setup that results in ethtool link test failure after
      offline test. Patch adds a loop that waits for a link setup finish.
      
      Changes in v2:
      - added fixes header
      
      Fixes: 4276e47e ("be2net: Add link test to list of ethtool self tests.")
      Signed-off-by: default avatarPetr Oros <poros@redhat.com>
      Reviewed-by: default avatarIvan Vecera <ivecera@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2e5db6eb
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · c356dc4b
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix leak of unqueued fragments in ipv6 nf_defrag, from Guillaume
          Nault.
      
       2) Don't access the DDM interface unless the transceiver implements it
          in bnx2x, from Mauro S. M. Rodrigues.
      
       3) Don't double fetch 'len' from userspace in sock_getsockopt(), from
          JingYi Hou.
      
       4) Sign extension overflow in lio_core, from Colin Ian King.
      
       5) Various netem bug fixes wrt. corrupted packets from Jakub Kicinski.
      
       6) Fix epollout hang in hvsock, from Sunil Muthuswamy.
      
       7) Fix regression in default fib6_type, from David Ahern.
      
       8) Handle memory limits in tcp_fragment more appropriately, from Eric
          Dumazet.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (24 commits)
        tcp: refine memory limit test in tcp_fragment()
        inet: clear num_timeout reqsk_alloc()
        net: mvpp2: debugfs: Add pmap to fs dump
        ipv6: Default fib6_type to RTN_UNICAST when not set
        net: hns3: Fix inconsistent indenting
        net/af_iucv: always register net_device notifier
        net/af_iucv: build proper skbs for HiperTransport
        net/af_iucv: remove GFP_DMA restriction for HiperTransport
        net: dsa: mv88e6xxx: fix shift of FID bits in mv88e6185_g1_vtu_loadpurge()
        hvsock: fix epollout hang from race condition
        net/udp_gso: Allow TX timestamp with UDP GSO
        net: netem: fix use after free and double free with packet corruption
        net: netem: fix backlog accounting for corrupted GSO frames
        net: lio_core: fix potential sign-extension overflow on large shift
        tipc: pass tunnel dev as NULL to udp_tunnel(6)_xmit_skb
        ip6_tunnel: allow not to count pkts on tstats by passing dev as NULL
        ip_tunnel: allow not to count pkts on tstats by setting skb's dev to NULL
        tun: wake up waitqueues after IFF_UP is set
        net: remove duplicate fetch in sock_getsockopt
        tipc: fix issues with early FAILOVER_MSG from peer
        ...
      c356dc4b
    • Eric Dumazet's avatar
      tcp: refine memory limit test in tcp_fragment() · b6653b36
      Eric Dumazet authored
      tcp_fragment() might be called for skbs in the write queue.
      
      Memory limits might have been exceeded because tcp_sendmsg() only
      checks limits at full skb (64KB) boundaries.
      
      Therefore, we need to make sure tcp_fragment() wont punish applications
      that might have setup very low SO_SNDBUF values.
      
      Fixes: f070ef2a ("tcp: tcp_fragment() should apply sane memory limits")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Tested-by: default avatarChristoph Paasch <cpaasch@apple.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b6653b36
  7. 21 Jun, 2019 11 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 121bddf3
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
       "This is probably our last -rc pull request. We don't have anything
        else outstanding at the moment anyway, and with the summer months on
        us and people taking trips, I expect the next weeks leading up to the
        merge window to be pretty calm and sedate.
      
        This has two simple, no brainer fixes for the EFA driver.
      
        Then it has ten not quite so simple fixes for the hfi1 driver. The
        problem with them is that they aren't simply one liner typo fixes.
        They're still fixes, but they're more complex issues like livelock
        under heavy load where the answer was to change work queue usage and
        spinlock usage to resolve the problem, or issues with orphaned
        requests during certain types of failures like link down which
        required some more complex work to fix too. They all look like
        legitimate fixes to me, they just aren't small like I wish they were.
      
        Summary:
      
         - 2 minor EFA fixes
      
         - 10 hfi1 fixes related to scaling issues"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/efa: Handle mmap insertions overflow
        RDMA/efa: Fix success return value in case of error
        IB/hfi1: Handle port down properly in pio
        IB/hfi1: Handle wakeup of orphaned QPs for pio
        IB/hfi1: Wakeup QPs orphaned on wait list after flush
        IB/hfi1: Use aborts to trigger RC throttling
        IB/hfi1: Create inline to get extended headers
        IB/hfi1: Silence txreq allocation warnings
        IB/hfi1: Avoid hardlockup with flushlist_lock
        IB/hfi1: Correct tid qp rcd to match verbs context
        IB/hfi1: Close PSM sdma_progress sleep window
        IB/hfi1: Validate fault injection opcode user input
      121bddf3
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-5.2-3' of git://git.linux-nfs.org/projects/anna/linux-nfs · c036f7da
      Linus Torvalds authored
      Pull more NFS client fixes from Anna Schumaker:
       "These are mostly refcounting issues that people have found recently.
        The revert fixes a suspend recovery performance issue.
      
         - SUNRPC: Fix a credential refcount leak
      
         - Revert "SUNRPC: Declare RPC timers as TIMER_DEFERRABLE"
      
         - SUNRPC: Fix xps refcount imbalance on the error path
      
         - NFS4: Only set creation opendata if O_CREAT"
      
      * tag 'nfs-for-5.2-3' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        SUNRPC: Fix a credential refcount leak
        Revert "SUNRPC: Declare RPC timers as TIMER_DEFERRABLE"
        net :sunrpc :clnt :Fix xps refcount imbalance on the error path
        NFS4: Only set creation opendata if O_CREAT
      c036f7da
    • Andy Lutomirski's avatar
      x86/vdso: Prevent segfaults due to hoisted vclock reads · ff17bbe0
      Andy Lutomirski authored
      GCC 5.5.0 sometimes cleverly hoists reads of the pvclock and/or hvclock
      pages before the vclock mode checks.  This creates a path through
      vclock_gettime() in which no vclock is enabled at all (due to disabled
      TSC on old CPUs, for example) but the pvclock or hvclock page
      nevertheless read.  This will segfault on bare metal.
      
      This fixes commit 459e3a21 ("gcc-9: properly declare the
      {pv,hv}clock_page storage") in the sense that, before that commit, GCC
      didn't seem to generate the offending code.  There was nothing wrong
      with that commit per se, and -stable maintainers should backport this to
      all supported kernels regardless of whether the offending commit was
      present, since the same crash could just as easily be triggered by the
      phase of the moon.
      
      On GCC 9.1.1, this doesn't seem to affect the generated code at all, so
      I'm not too concerned about performance regressions from this fix.
      
      Cc: stable@vger.kernel.org
      Cc: x86@kernel.org
      Cc: Borislav Petkov <bp@alien8.de>
      Reported-by: default avatarDuncan Roe <duncan_roe@optusnet.com.au>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      ff17bbe0
    • Trond Myklebust's avatar
      SUNRPC: Fix a credential refcount leak · 19d55046
      Trond Myklebust authored
      All callers of __rpc_clone_client() pass in a value for args->cred,
      meaning that the credential gets assigned and referenced in
      the call to rpc_new_client().
      Reported-by: default avatarIdo Schimmel <idosch@idosch.org>
      Fixes: 79caa5fa ("SUNRPC: Cache cred of process creating the rpc_client")
      Signed-off-by: default avatarTrond Myklebust <trond.myklebust@hammerspace.com>
      Tested-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      19d55046
    • Anna Schumaker's avatar
      Revert "SUNRPC: Declare RPC timers as TIMER_DEFERRABLE" · 502980e8
      Anna Schumaker authored
      Jon Hunter reports:
        "I have been noticing intermittent failures with a system suspend test on
         some of our machines that have a NFS mounted root file-system. Bisecting
         this issue points to your commit 43123581 ("SUNRPC: Declare RPC
         timers as TIMER_DEFERRABLE") and reverting this on top of v5.2-rc3 does
         appear to resolve the problem.
      
         The cause of the suspend failure appears to be a long delay observed
         sometimes when resuming from suspend, and this is causing our test to
         timeout."
      
      This reverts commit 43123581.
      Reported-by: default avatarJon Hunter <jonathanh@nvidia.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      502980e8
    • Lin Yi's avatar
      net :sunrpc :clnt :Fix xps refcount imbalance on the error path · b9622614
      Lin Yi authored
      rpc_clnt_add_xprt take a reference to struct rpc_xprt_switch, but forget
      to release it before return, may lead to a memory leak.
      Signed-off-by: default avatarLin Yi <teroincn@163.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      b9622614
    • Benjamin Coddington's avatar
      NFS4: Only set creation opendata if O_CREAT · 90910519
      Benjamin Coddington authored
      We can end up in nfs4_opendata_alloc during task exit, in which case
      current->fs has already been cleaned up.  This leads to a crash in
      current_umask().
      
      Fix this by only setting creation opendata if we are actually doing an open
      with O_CREAT.  We can drop the check for NULL nfs4_open_createattrs, since
      O_CREAT will never be set for the recovery path.
      Suggested-by: default avatarTrond Myklebust <trondmy@hammerspace.com>
      Signed-off-by: default avatarBenjamin Coddington <bcodding@redhat.com>
      Signed-off-by: default avatarAnna Schumaker <Anna.Schumaker@Netapp.com>
      90910519
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · a4c33bbb
      Linus Torvalds authored
      Pull ARM fix from Russell King:
       "Just one ARM fix this time around for Jason Donenfeld, fixing a
        problem with the VDSO generation on big endian"
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8867/1: vdso: pass --be8 to linker if necessary
      a4c33bbb
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-06-21' of git://anongit.freedesktop.org/drm/drm · 0728f6c3
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Just catching up on the week since back from holidays, everything
        seems quite sane.
      
        core:
         - copy_to_user fix for really legacy codepaths.
      
        vmwgfx:
         - two dma fixes
         - one virt hw interaction fix
      
        i915:
         - modesetting fix
         - gvt fix
      
        panfrost:
         - BO unmapping fix
      
        imx:
         - image converter fixes"
      
      * tag 'drm-fixes-2019-06-21' of git://anongit.freedesktop.org/drm/drm:
        drm/i915: Don't clobber M/N values during fastset check
        drm: return -EFAULT if copy_to_user() fails
        drm/panfrost: Make sure a BO is only unmapped when appropriate
        drm/i915/gvt: ignore unexpected pvinfo write
        gpu: ipu-v3: image-convert: Fix image downsize coefficients
        gpu: ipu-v3: image-convert: Fix input bytesperline for packed formats
        gpu: ipu-v3: image-convert: Fix input bytesperline width/height align
        drm/vmwgfx: fix a warning due to missing dma_parms
        drm/vmwgfx: Honor the sg list segment size limitation
        drm/vmwgfx: Use the backdoor port if the HB port is not available
      0728f6c3
    • Linus Torvalds's avatar
      Merge tag 'staging-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging · db54615e
      Linus Torvalds authored
      Pull staging/IIO/counter fixes from Greg KH:
       "Here are some small driver bugfixes for some staging/iio/counter
        drivers.
      
        Staging and IIO have been lumped together for a while, as those
        subsystems cross the areas a log, and counter is used by IIO, so
        that's why they are all in one pull request here.
      
        These are small fixes for reported issues in some iio drivers, the
        erofs filesystem, and a build issue for counter code.
      
        All have been in linux-next with no reported issues"
      
      * tag 'staging-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/staging:
        staging: erofs: add requirements field in superblock
        counter/ftm-quaddec: Add missing dependencies in Kconfig
        staging: iio: adt7316: Fix build errors when GPIOLIB is not set
        iio: temperature: mlx90632 Relax the compatibility check
        iio: imu: st_lsm6dsx: fix PM support for st_lsm6dsx i2c controller
        staging:iio:ad7150: fix threshold mode config bit
      db54615e
    • Linus Torvalds's avatar
      Merge tag 'char-misc-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc · b7b8a44f
      Linus Torvalds authored
      Pull char/misc driver fixes from Greg KH:
       "Here are a number of small driver fixes for 5.2-rc6
      
        Nothing major, just fixes for reported issues:
         - soundwire fixes
         - thunderbolt fixes
         - MAINTAINERS update for fpga maintainer change
         - binder bugfix
         - habanalabs 64bit pointer fix
         - documentation updates
      
        All of these have been in linux-next with no reported issues"
      
      * tag 'char-misc-5.2-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/char-misc:
        habanalabs: use u64_to_user_ptr() for reading user pointers
        doc: fix documentation about UIO_MEM_LOGICAL using
        MAINTAINERS / Documentation: Thorsten Scherer is the successor of Gavin Schenk
        docs: fb: Add TER16x32 to the available font names
        MAINTAINERS: fpga: hand off maintainership to Moritz
        thunderbolt: Implement CIO reset correctly for Titan Ridge
        binder: fix possible UAF when freeing buffer
        thunderbolt: Make sure device runtime resume completes before taking domain lock
        soundwire: intel: set dai min and max channels correctly
        soundwire: stream: fix bad unlock balance
        soundwire: stream: fix out of boundary access on port properties
      b7b8a44f