1. 29 Aug, 2018 4 commits
    • Daniel Borkmann's avatar
      bpf: fix sg shift repair start offset in bpf_msg_pull_data · a8cf76a9
      Daniel Borkmann authored
      When we perform the sg shift repair for the scatterlist ring, we
      currently start out at i = first_sg + 1. However, this is not
      correct since the first_sg could point to the sge sitting at slot
      MAX_SKB_FRAGS - 1, and a subsequent i = MAX_SKB_FRAGS will access
      the scatterlist ring (sg) out of bounds. Add the sk_msg_iter_var()
      helper for iterating through the ring, and apply the same rule
      for advancing to the next ring element as we do elsewhere. Later
      work will use this helper also in other places.
      
      Fixes: 015632bb ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      a8cf76a9
    • Daniel Borkmann's avatar
      bpf: fix shift upon scatterlist ring wrap-around in bpf_msg_pull_data · 2e43f95d
      Daniel Borkmann authored
      If first_sg and last_sg wraps around in the scatterlist ring, then we
      need to account for that in the shift as well. E.g. crafting such msgs
      where this is the case leads to a hang as shift becomes negative. E.g.
      consider the following scenario:
      
        first_sg := 14     |=>    shift := -12     msg->sg_start := 10
        last_sg  :=  3     |                       msg->sg_end   :=  5
      
      round  1:  i := 15, move_from :=   3, sg[15] := sg[  3]
      round  2:  i :=  0, move_from := -12, sg[ 0] := sg[-12]
      round  3:  i :=  1, move_from := -11, sg[ 1] := sg[-11]
      round  4:  i :=  2, move_from := -10, sg[ 2] := sg[-10]
      [...]
      round 13:  i := 11, move_from :=  -1, sg[ 2] := sg[ -1]
      round 14:  i := 12, move_from :=   0, sg[ 2] := sg[  0]
      round 15:  i := 13, move_from :=   1, sg[ 2] := sg[  1]
      round 16:  i := 14, move_from :=   2, sg[ 2] := sg[  2]
      round 17:  i := 15, move_from :=   3, sg[ 2] := sg[  3]
      [...]
      
      This means we will loop forever and never hit the msg->sg_end condition
      to break out of the loop. When we see that the ring wraps around, then
      the shift should be MAX_SKB_FRAGS - first_sg + last_sg - 1. Meaning,
      the remainder slots from the tail of the ring and the head until last_sg
      combined.
      
      Fixes: 015632bb ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      2e43f95d
    • Daniel Borkmann's avatar
      bpf: fix msg->data/data_end after sg shift repair in bpf_msg_pull_data · 0e06b227
      Daniel Borkmann authored
      In the current code, msg->data is set as sg_virt(&sg[i]) + start - offset
      and msg->data_end relative to it as msg->data + bytes. Using iterator i
      to point to the updated starting scatterlist element holds true for some
      cases, however not for all where we'd end up pointing out of bounds. It
      is /correct/ for these ones:
      
      1) When first finding the starting scatterlist element (sge) where we
         find that the page is already privately owned by the msg and where
         the requested bytes and headroom fit into the sge's length.
      
      However, it's /incorrect/ for the following ones:
      
      2) After we made the requested area private and updated the newly allocated
         page into first_sg slot of the scatterlist ring; when we find that no
         shift repair of the ring is needed where we bail out updating msg->data
         and msg->data_end. At that point i will point to last_sg, which in this
         case is the next elem of first_sg in the ring. The sge at that point
         might as well be invalid (e.g. i == msg->sg_end), which we use for
         setting the range of sg_virt(&sg[i]). The correct one would have been
         first_sg.
      
      3) Similar as in 2) but when we find that a shift repair of the ring is
         needed. In this case we fix up all sges and stop once we've reached the
         end. In this case i will point to will point to the new msg->sg_end,
         and the sge at that point will be invalid. Again here the requested
         range sits in first_sg.
      
      Fixes: 015632bb ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      0e06b227
    • Daniel Borkmann's avatar
      bpf: fix several offset tests in bpf_msg_pull_data · 5b24109b
      Daniel Borkmann authored
      While recently going over bpf_msg_pull_data(), I noticed three
      issues which are fixed in here:
      
      1) When we attempt to find the first scatterlist element (sge)
         for the start offset, we add len to the offset before we check
         for start < offset + len, whereas it should come after when
         we iterate to the next sge to accumulate the offsets. For
         example, given a start offset of 12 with a sge length of 8
         for the first sge in the list would lead us to determine this
         sge as the first sge thinking it covers first 16 bytes where
         start is located, whereas start sits in subsequent sges so
         we would end up pulling in the wrong data.
      
      2) After figuring out the starting sge, we have a short-cut test
         in !msg->sg_copy[i] && bytes <= len. This checks whether it's
         not needed to make the page at the sge private where we can
         just exit by updating msg->data and msg->data_end. However,
         the length test is not fully correct. bytes <= len checks
         whether the requested bytes (end - start offsets) fit into the
         sge's length. The part that is missing is that start must not
         be sge length aligned. Meaning, the start offset into the sge
         needs to be accounted as well on top of the requested bytes
         as otherwise we can access the sge out of bounds. For example
         the sge could have length of 8, our requested bytes could have
         length of 8, but at a start offset of 4, so we also would need
         to pull in 4 bytes of the next sge, when we jump to the out
         label we do set msg->data to sg_virt(&sg[i]) + start - offset
         and msg->data_end to msg->data + bytes which would be oob.
      
      3) The subsequent bytes < copy test for finding the last sge has
         the same issue as in point 2) but also it tests for less than
         rather than less or equal to. Meaning if the sge length is of
         8 and requested bytes of 8 while having the start aligned with
         the sge, we would unnecessarily go and pull in the next sge as
         well to make it private.
      
      Fixes: 015632bb ("bpf: sk_msg program helper bpf_sk_msg_pull_data")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      5b24109b
  2. 28 Aug, 2018 4 commits
    • John Fastabend's avatar
      bpf: sockmap, decrement copied count correctly in redirect error case · 501ca817
      John Fastabend authored
      Currently, when a redirect occurs in sockmap and an error occurs in
      the redirect call we unwind the scatterlist once in the error path
      of bpf_tcp_sendmsg_do_redirect() and then again in sendmsg(). Then
      in the error path of sendmsg we decrement the copied count by the
      send size.
      
      However, its possible we partially sent data before the error was
      generated. This can happen if do_tcp_sendpages() partially sends the
      scatterlist before encountering a memory pressure error. If this
      happens we need to decrement the copied value (the value tracking
      how many bytes were actually sent to TCP stack) by the number of
      remaining bytes _not_ the entire send size. Otherwise we risk
      confusing userspace.
      
      Also we don't need two calls to free the scatterlist one is
      good enough. So remove the one in bpf_tcp_sendmsg_do_redirect() and
      then properly reduce copied by the number of remaining bytes which
      may in fact be the entire send size if no bytes were sent.
      
      To do this use bool to indicate if free_start_sg() should do mem
      accounting or not.
      Signed-off-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      501ca817
    • Stefan Agner's avatar
      bpf: fix build error with clang · 3f6e138d
      Stefan Agner authored
      Building the newly introduced BPF_PROG_TYPE_SK_REUSEPORT leads to
      a compile time error when building with clang:
      net/core/filter.o: In function `sk_reuseport_convert_ctx_access':
        ../net/core/filter.c:7284: undefined reference to `__compiletime_assert_7284'
      
      It seems that clang has issues resolving hweight_long at compile
      time. Since SK_FL_PROTO_MASK is a constant, we can use the interface
      for known constant arguments which works fine with clang.
      
      Fixes: 2dbb9b9e ("bpf: Introduce BPF_PROG_TYPE_SK_REUSEPORT")
      Signed-off-by: default avatarStefan Agner <stefan@agner.ch>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      3f6e138d
    • Daniel Borkmann's avatar
      bpf, sockmap: fix psock refcount leak in bpf_tcp_recvmsg · 15c480ef
      Daniel Borkmann authored
      In bpf_tcp_recvmsg() we first took a reference on the psock, however
      once we find that there are skbs in the normal socket's receive queue
      we return with processing them through tcp_recvmsg(). Problem is that
      we leak the taken reference on the psock in that path. Given we don't
      really do anything with the psock at this point, move the skb_queue_empty()
      test before we fetch the psock to fix this case.
      
      Fixes: 8934ce2f ("bpf: sockmap redirect ingress support")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      15c480ef
    • Daniel Borkmann's avatar
      bpf, sockmap: fix potential use after free in bpf_tcp_close · e06fa9c1
      Daniel Borkmann authored
      bpf_tcp_close() we pop the psock linkage to a map via psock_map_pop().
      A parallel update on the sock hash map can happen between psock_map_pop()
      and lookup_elem_raw() where we override the element under link->hash /
      link->key. In bpf_tcp_close()'s lookup_elem_raw() we subsequently only
      test whether an element is present, but we do not test whether the
      element is infact the element we were looking for.
      
      We lock the sock in bpf_tcp_close() during that time, so do we hold
      the lock in sock_hash_update_elem(). However, the latter locks the
      sock which is newly updated, not the one we're purging from the hash
      table. This means that while one CPU is doing the lookup from bpf_tcp_close(),
      another CPU is doing the map update in parallel, dropped our sock from
      the hlist and released the psock.
      
      Subsequently the first CPU will find the new sock and attempts to drop
      and release the old sock yet another time. Fix is that we need to check
      the elements for a match after lookup, similar as we do in the sock map.
      Note that the hash tab elems are freed via RCU, so access to their
      link->hash / link->key is fine since we're under RCU read side there.
      
      Fixes: e9db4ef6 ("bpf: sockhash fix omitted bucket lock in sock_close")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarAlexei Starovoitov <ast@kernel.org>
      e06fa9c1
  3. 27 Aug, 2018 11 commits
  4. 26 Aug, 2018 17 commits
    • Kees Cook's avatar
      net: sched: Fix memory exposure from short TCA_U32_SEL · 98c8f125
      Kees Cook authored
      Via u32_change(), TCA_U32_SEL has an unspecified type in the netlink
      policy, so max length isn't enforced, only minimum. This means nkeys
      (from userspace) was being trusted without checking the actual size of
      nla_len(), which could lead to a memory over-read, and ultimately an
      exposure via a call to u32_dump(). Reachability is CAP_NET_ADMIN within
      a namespace.
      Reported-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
      Cc: Jamal Hadi Salim <jhs@mojatatu.com>
      Cc: Cong Wang <xiyou.wangcong@gmail.com>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      Acked-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      98c8f125
    • Linus Torvalds's avatar
      Linux 4.19-rc1 · 5b394b2d
      Linus Torvalds authored
      5b394b2d
    • Linus Torvalds's avatar
      Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · b933d6eb
      Linus Torvalds authored
      Pull timer update from Thomas Gleixner:
       "New defines for the compat time* types so they can be shared between
        32bit and 64bit builds. Not used yet, but merging them now allows the
        actual conversions to be merged through different maintainer trees
        without dependencies
      
        We still have compat interfaces for 32bit on 64bit even with the new
        2038 safe timespec/val variants because pointer size is different. And
        for the old style timespec/val interfaces we need yet another 'compat'
        interface for both 32bit native and 32bit on 64bit"
      
      * 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        y2038: Provide aliases for compat helpers
      b933d6eb
    • Linus Torvalds's avatar
      Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax · aba16dc5
      Linus Torvalds authored
      Pull IDA updates from Matthew Wilcox:
       "A better IDA API:
      
            id = ida_alloc(ida, GFP_xxx);
            ida_free(ida, id);
      
        rather than the cumbersome ida_simple_get(), ida_simple_remove().
      
        The new IDA API is similar to ida_simple_get() but better named.  The
        internal restructuring of the IDA code removes the bitmap
        preallocation nonsense.
      
        I hope the net -200 lines of code is convincing"
      
      * 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax: (29 commits)
        ida: Change ida_get_new_above to return the id
        ida: Remove old API
        test_ida: check_ida_destroy and check_ida_alloc
        test_ida: Convert check_ida_conv to new API
        test_ida: Move ida_check_max
        test_ida: Move ida_check_leaf
        idr-test: Convert ida_check_nomem to new API
        ida: Start new test_ida module
        target/iscsi: Allocate session IDs from an IDA
        iscsi target: fix session creation failure handling
        drm/vmwgfx: Convert to new IDA API
        dmaengine: Convert to new IDA API
        ppc: Convert vas ID allocation to new IDA API
        media: Convert entity ID allocation to new IDA API
        ppc: Convert mmu context allocation to new IDA API
        Convert net_namespace to new IDA API
        cb710: Convert to new IDA API
        rsxx: Convert to new IDA API
        osd: Convert to new IDA API
        sd: Convert to new IDA API
        ...
      aba16dc5
    • Linus Torvalds's avatar
      Merge tag 'gcc-plugins-v4.19-rc1-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · c4726e77
      Linus Torvalds authored
      Pull gcc plugin fix from Kees Cook:
       "Lift gcc test into Kconfig. This is for better behavior when the
        kernel is built with Clang, reported by Stefan Agner"
      
      * tag 'gcc-plugins-v4.19-rc1-fix' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        gcc-plugins: Disable when building under Clang
      c4726e77
    • Linus Torvalds's avatar
      Merge branch 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · d207ea8e
      Linus Torvalds authored
      Pull perf updates from Thomas Gleixner:
       "Kernel:
         - Improve kallsyms coverage
         - Add x86 entry trampolines to kcore
         - Fix ARM SPE handling
         - Correct PPC event post processing
      
        Tools:
         - Make the build system more robust
         - Small fixes and enhancements all over the place
         - Update kernel ABI header copies
         - Preparatory work for converting libtraceevnt to a shared library
         - License cleanups"
      
      * 'perf-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (100 commits)
        tools arch: Update arch/x86/lib/memcpy_64.S copy used in 'perf bench mem memcpy'
        tools arch x86: Update tools's copy of cpufeatures.h
        perf python: Fix pyrf_evlist__read_on_cpu() interface
        perf mmap: Store real cpu number in 'struct perf_mmap'
        perf tools: Remove ext from struct kmod_path
        perf tools: Add gzip_is_compressed function
        perf tools: Add lzma_is_compressed function
        perf tools: Add is_compressed callback to compressions array
        perf tools: Move the temp file processing into decompress_kmodule
        perf tools: Use compression id in decompress_kmodule()
        perf tools: Store compression id into struct dso
        perf tools: Add compression id into 'struct kmod_path'
        perf tools: Make is_supported_compression() static
        perf tools: Make decompress_to_file() function static
        perf tools: Get rid of dso__needs_decompress() call in __open_dso()
        perf tools: Get rid of dso__needs_decompress() call in symbol__disassemble()
        perf tools: Get rid of dso__needs_decompress() call in read_object_code()
        tools lib traceevent: Change to SPDX License format
        perf llvm: Allow passing options to llc in addition to clang
        perf parser: Improve error message for PMU address filters
        ...
      d207ea8e
    • Linus Torvalds's avatar
      Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 2a8a2b7c
      Linus Torvalds authored
      Pull x86 fixes from Thomas Gleixner:
      
       - Correct the L1TF fallout on 32bit and the off by one in the 'too much
         RAM for protection' calculation.
      
       - Add a helpful kernel message for the 'too much RAM' case
      
       - Unbreak the VDSO in case that the compiler desides to use indirect
         jumps/calls and emits retpolines which cannot be resolved because the
         kernel uses its own thunks, which does not work for the VDSO. Make it
         use the builtin thunks.
      
       - Re-export start_thread() which was unexported when the 32/64bit
         implementation was unified. start_thread() is required by modular
         binfmt handlers.
      
       - Trivial cleanups
      
      * 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        x86/speculation/l1tf: Suggest what to do on systems with too much RAM
        x86/speculation/l1tf: Fix off-by-one error when warning that system has too much RAM
        x86/kvm/vmx: Remove duplicate l1d flush definitions
        x86/speculation/l1tf: Fix overflow in l1tf_pfn_limit() on 32bit
        x86/process: Re-export start_thread()
        x86/mce: Add notifier_block forward declaration
        x86/vdso: Fix vDSO build if a retpoline is emitted
      2a8a2b7c
    • Linus Torvalds's avatar
      Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · de375035
      Linus Torvalds authored
      Pull irq update from Thomas Gleixner:
       "A small set of updats/fixes for the irq subsystem:
      
         - Allow GICv3 interrupts to be configured as wake-up sources to
           enable wakeup from suspend
      
         - Make the error handling of the STM32 irqchip init function work
      
         - A set of small cleanups and improvements"
      
      * 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        irqchip/gic-v3: Allow interrupt to be configured as wake-up sources
        irqchip/tango: Set irq handler and data in one go
        dt-bindings: irqchip: renesas-irqc: Document r8a774a1 support
        irqchip/s3c24xx: Remove unneeded comparison of unsigned long to 0
        irqchip/stm32: Fix init error handling
        irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP
      de375035
    • Linus Torvalds's avatar
      Merge branch 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · a9ce3233
      Linus Torvalds authored
      Pull licking update from Thomas Gleixner:
       "Mark the switch cases which fall through to the next case with the
        proper comment so the fallthrough compiler checks can be enabled"
      
      * 'locking-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
        futex: Mark expected switch fall-throughs
      a9ce3233
    • Linus Torvalds's avatar
      Merge tag 'libnvdimm-for-4.19_dax-memory-failure' of... · 2923b27e
      Linus Torvalds authored
      Merge tag 'libnvdimm-for-4.19_dax-memory-failure' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm
      
      Pull libnvdimm memory-failure update from Dave Jiang:
       "As it stands, memory_failure() gets thoroughly confused by dev_pagemap
        backed mappings. The recovery code has specific enabling for several
        possible page states and needs new enabling to handle poison in dax
        mappings.
      
        In order to support reliable reverse mapping of user space addresses:
      
         1/ Add new locking in the memory_failure() rmap path to prevent races
            that would typically be handled by the page lock.
      
         2/ Since dev_pagemap pages are hidden from the page allocator and the
            "compound page" accounting machinery, add a mechanism to determine
            the size of the mapping that encompasses a given poisoned pfn.
      
         3/ Given pmem errors can be repaired, change the speculatively
            accessed poison protection, mce_unmap_kpfn(), to be reversible and
            otherwise allow ongoing access from the kernel.
      
        A side effect of this enabling is that MADV_HWPOISON becomes usable
        for dax mappings, however the primary motivation is to allow the
        system to survive userspace consumption of hardware-poison via dax.
        Specifically the current behavior is:
      
           mce: Uncorrected hardware memory error in user-access at af34214200
           {1}[Hardware Error]: It has been corrected by h/w and requires no further action
           mce: [Hardware Error]: Machine check events logged
           {1}[Hardware Error]: event severity: corrected
           Memory failure: 0xaf34214: reserved kernel page still referenced by 1 users
           [..]
           Memory failure: 0xaf34214: recovery action for reserved kernel page: Failed
           mce: Memory error not recovered
           <reboot>
      
        ...and with these changes:
      
           Injecting memory failure for pfn 0x20cb00 at process virtual address 0x7f763dd00000
           Memory failure: 0x20cb00: Killing dax-pmd:5421 due to hardware memory corruption
           Memory failure: 0x20cb00: recovery action for dax page: Recovered
      
        Given all the cross dependencies I propose taking this through
        nvdimm.git with acks from Naoya, x86/core, x86/RAS, and of course dax
        folks"
      
      * tag 'libnvdimm-for-4.19_dax-memory-failure' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm:
        libnvdimm, pmem: Restore page attributes when clearing errors
        x86/memory_failure: Introduce {set, clear}_mce_nospec()
        x86/mm/pat: Prepare {reserve, free}_memtype() for "decoy" addresses
        mm, memory_failure: Teach memory_failure() about dev_pagemap pages
        filesystem-dax: Introduce dax_lock_mapping_entry()
        mm, memory_failure: Collect mapping size in collect_procs()
        mm, madvise_inject_error: Let memory_failure() optionally take a page reference
        mm, dev_pagemap: Do not clear ->mapping on final put
        mm, madvise_inject_error: Disable MADV_SOFT_OFFLINE for ZONE_DEVICE pages
        filesystem-dax: Set page->index
        device-dax: Set page->index
        device-dax: Enable page_mapping()
        device-dax: Convert to vmf_insert_mixed and vm_fault_t
      2923b27e
    • Linus Torvalds's avatar
      Merge tag 'libnvdimm-for-4.19_misc' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm · 828bf6e9
      Linus Torvalds authored
      Pull libnvdimm updates from Dave Jiang:
       "Collection of misc libnvdimm patches for 4.19 submission:
      
         - Adding support to read locked nvdimm capacity.
      
         - Change test code to make DSM failure code injection an override.
      
         - Add support for calculate maximum contiguous area for namespace.
      
         - Add support for queueing a short ARS when there is on going ARS for
           nvdimm.
      
         - Allow NULL to be passed in to ->direct_access() for kaddr and pfn
           params.
      
         - Improve smart injection support for nvdimm emulation testing.
      
         - Fix test code that supports for emulating controller temperature.
      
         - Fix hang on error before devm_memremap_pages()
      
         - Fix a bug that causes user memory corruption when data returned to
           user for ars_status.
      
         - Maintainer updates for Ross Zwisler emails and adding Jan Kara to
           fsdax"
      
      * tag 'libnvdimm-for-4.19_misc' of gitolite.kernel.org:pub/scm/linux/kernel/git/nvdimm/nvdimm:
        libnvdimm: fix ars_status output length calculation
        device-dax: avoid hang on error before devm_memremap_pages()
        tools/testing/nvdimm: improve emulation of smart injection
        filesystem-dax: Do not request kaddr and pfn when not required
        md/dm-writecache: Don't request pointer dummy_addr when not required
        dax/super: Do not request a pointer kaddr when not required
        tools/testing/nvdimm: kaddr and pfn can be NULL to ->direct_access()
        s390, dcssblk: kaddr and pfn can be NULL to ->direct_access()
        libnvdimm, pmem: kaddr and pfn can be NULL to ->direct_access()
        acpi/nfit: queue issuing of ars when an uc error notification comes in
        libnvdimm: Export max available extent
        libnvdimm: Use max contiguous area for namespace size
        MAINTAINERS: Add Jan Kara for filesystem DAX
        MAINTAINERS: update Ross Zwisler's email address
        tools/testing/nvdimm: Fix support for emulating controller temperature
        tools/testing/nvdimm: Make DSM failure code injection an override
        acpi, nfit: Prefer _DSM over _LSR for namespace label reads
        libnvdimm: Introduce locked DIMM capacity support
      828bf6e9
    • Colin Ian King's avatar
      qed: fix spelling mistake "comparsion" -> "comparison" · e75d039a
      Colin Ian King authored
      Trivial fix to spelling mistake in DP_ERR error message
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e75d039a
    • Jason Wang's avatar
      vhost: correctly check the iova range when waking virtqueue · 2d66f997
      Jason Wang authored
      We don't wakeup the virtqueue if the first byte of pending iova range
      is the last byte of the range we just got updated. This will lead a
      virtqueue to wait for IOTLB updating forever. Fixing by correct the
      check and wake up the virtqueue in this case.
      
      Fixes: 6b1e6cc7 ("vhost: new device IOTLB API")
      Reported-by: default avatarPeter Xu <peterx@redhat.com>
      Signed-off-by: default avatarJason Wang <jasowang@redhat.com>
      Reviewed-by: default avatarPeter Xu <peterx@redhat.com>
      Tested-by: default avatarPeter Xu <peterx@redhat.com>
      Acked-by: default avatarMichael S. Tsirkin <mst@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2d66f997
    • Manish Chopra's avatar
      qlge: Fix netdev features configuration. · 6750c870
      Manish Chopra authored
      qlge_fix_features() is not supposed to modify hardware or
      driver state, rather it is supposed to only fix requested
      fetures bits. Currently qlge_fix_features() also goes for
      interface down and up unnecessarily if there is not even
      any change in features set.
      
      This patch changes/fixes following -
      
      1) Move reload of interface or device re-config from
         qlge_fix_features() to qlge_set_features().
      2) Reload of interface in qlge_set_features() only if
         relevant feature bit (NETIF_F_HW_VLAN_CTAG_RX) is changed.
      3) Get rid of qlge_fix_features() since driver is not really
         required to fix any features bit.
      Signed-off-by: default avatarManish <manish.chopra@cavium.com>
      Reviewed-by: default avatarBenjamin Poirier <bpoirier@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6750c870
    • Anssi Hannula's avatar
      net: macb: do not disable MDIO bus at open/close time · 0da70f80
      Anssi Hannula authored
      macb_reset_hw() is called from macb_close() and indirectly from
      macb_open(). macb_reset_hw() zeroes the NCR register, including the MPE
      (Management Port Enable) bit.
      
      This will prevent accessing any other PHYs for other Ethernet MACs on
      the MDIO bus, which remains registered at macb_reset_hw() time, until
      macb_init_hw() is called from macb_open() which sets the MPE bit again.
      
      I.e. currently the MDIO bus has a short disruption at open time and is
      disabled at close time until the interface is opened again.
      
      Fix that by only touching the RE and TE bits when enabling and disabling
      RX/TX.
      
      v2: Make macb_init_hw() NCR write a single statement.
      
      Fixes: 6c36a707 ("macb: Use generic PHY layer")
      Signed-off-by: default avatarAnssi Hannula <anssi.hannula@bitwise.fi>
      Reviewed-by: default avatarClaudiu Beznea <claudiu.beznea@microchip.com>
      Tested-by: default avatarClaudiu Beznea <claudiu.beznea@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0da70f80
    • Geert Uytterhoeven's avatar
      Revert "net: stmmac: fix build failure due to missing COMMON_CLK dependency" · f7b9e8e1
      Geert Uytterhoeven authored
      This reverts commit bde49753.
      
      All legacy clock implementations now implement clk_set_rate() (Some
      implementations may be dummies, though).
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Acked-by: default avatarArnd Bergmann <arnd@arnd.de>
      Acked-by: default avatarJose Abreu <joabreu@synopsys.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f7b9e8e1
    • Ahmad Fatoum's avatar
      net: macb: Fix regression breaking non-MDIO fixed-link PHYs · ab5f1105
      Ahmad Fatoum authored
      commit 739de9a1 ("net: macb: Reorganize macb_mii bringup") broke
      initializing macb on the EVB-KSZ9477 eval board.
      There, of_mdiobus_register was called even for the fixed-link representing
      the RGMII-link to the switch with the result that the driver attempts to
      enumerate PHYs on a non-existent MDIO bus:
      
      	libphy: MACB_mii_bus: probed
      	mdio_bus f0028000.ethernet-ffffffff: fixed-link has invalid PHY address
      	mdio_bus f0028000.ethernet-ffffffff: scan phy fixed-link at address 0
              [snip]
      	mdio_bus f0028000.ethernet-ffffffff: scan phy fixed-link at address 31
      
      The "MDIO" bus registration succeeds regardless, having claimed the reset GPIO,
      and calling of_phy_register_fixed_link later on fails because it tries
      to claim the same GPIO:
      
      	macb f0028000.ethernet: broken fixed-link specification
      
      Fix this by registering the fixed-link before calling mdiobus_register.
      
      Fixes: 739de9a1 ("net: macb: Reorganize macb_mii bringup")
      Signed-off-by: default avatarAhmad Fatoum <a.fatoum@pengutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab5f1105
  5. 25 Aug, 2018 4 commits
    • Ido Schimmel's avatar
      mlxsw: spectrum_switchdev: Do not leak RIFs when removing bridge · 602b74ed
      Ido Schimmel authored
      When a bridge device is removed, the VLANs are flushed from each
      configured port. This causes the ports to decrement the reference count
      on the associated FIDs (filtering identifier). If the reference count of
      a FID is 1 and it has a RIF (router interface), then this RIF is
      destroyed.
      
      However, if no port is member in the VLAN for which a RIF exists, then
      the RIF will continue to exist after the removal of the bridge. To
      reproduce:
      
      # ip link add name br0 type bridge vlan_filtering 1
      # ip link set dev swp1 master br0
      # ip link add link br0 name br0.10 type vlan id 10
      # ip address add 192.0.2.0/24 dev br0.10
      # ip link del dev br0
      
      The RIF associated with br0.10 continues to exist.
      
      Fix this by iterating over all the bridge device uppers when it is
      destroyed and take care of destroying their RIFs.
      
      Fixes: 99f44bb3 ("mlxsw: spectrum: Enable L3 interfaces on top of bridge devices")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reviewed-by: default avatarPetr Machata <petrm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      602b74ed
    • Linus Torvalds's avatar
      Merge tag 'armsoc-late' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · b3262720
      Linus Torvalds authored
      Pull ARM SoC late updates from Olof Johansson:
       "A couple of late-merged changes that would be useful to get in this
        merge window:
      
         - Driver support for reset of audio complex on Meson platforms. The
           audio driver went in this merge window, and these changes have been
           in -next for a while (just not in our tree).
      
         - Power management fixes for IOMMU on Rockchip platforms, getting
           closer to kexec working on them, including Chromebooks.
      
         - Another pass updating "arm,psci" -> "psci" for some properties that
           have snuck in since last time it was done"
      
      * tag 'armsoc-late' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        iommu/rockchip: Move irq request past pm_runtime_enable
        iommu/rockchip: Handle errors returned from PM framework
        arm64: rockchip: Force CONFIG_PM on Rockchip systems
        ARM: rockchip: Force CONFIG_PM on Rockchip systems
        arm64: dts: Fix various entry-method properties to reflect documentation
        reset: imx7: Fix always writing bits as 0
        reset: meson: add meson audio arb driver
        reset: meson: add dt-bindings for meson-axg audio arb
      b3262720
    • Linus Torvalds's avatar
      Merge tag 'kbuild-v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild · 1bc27677
      Linus Torvalds authored
      Pull more Kbuild updates from Masahiro Yamada:
      
       - add build_{menu,n,g,x}config targets for compile-testing Kconfig
      
       - fix and improve recursive dependency detection in Kconfig
      
       - fix parallel building of menuconfig/nconfig
      
       - fix syntax error in clang-version.sh
      
       - suppress distracting log from syncconfig
      
       - remove obsolete "rpm" target
      
       - remove VMLINUX_SYMBOL(_STR) macro entirely
      
       - fix microblaze build with CONFIG_DYNAMIC_FTRACE
      
       - move compiler test for dead code/data elimination to Kconfig
      
       - rename well-known LDFLAGS variable to KBUILD_LDFLAGS
      
       - misc fixes and cleanups
      
      * tag 'kbuild-v4.19-2' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
        kbuild: rename LDFLAGS to KBUILD_LDFLAGS
        kbuild: pass LDFLAGS to recordmcount.pl
        kbuild: test dead code/data elimination support in Kconfig
        initramfs: move gen_initramfs_list.sh from scripts/ to usr/
        vmlinux.lds.h: remove stale <linux/export.h> include
        export.h: remove VMLINUX_SYMBOL() and VMLINUX_SYMBOL_STR()
        Coccinelle: remove pci_alloc_consistent semantic to detect in zalloc-simple.cocci
        kbuild: make sorting initramfs contents independent of locale
        kbuild: remove "rpm" target, which is alias of "rpm-pkg"
        kbuild: Fix LOADLIBES rename in Documentation/kbuild/makefiles.txt
        kconfig: suppress "configuration written to .config" for syncconfig
        kconfig: fix "Can't open ..." in parallel build
        kbuild: Add a space after `!` to prevent parsing as file pattern
        scripts: modpost: check memory allocation results
        kconfig: improve the recursive dependency report
        kconfig: report recursive dependency involving 'imply'
        kconfig: error out when seeing recursive dependency
        kconfig: add build-only configurator targets
        scripts/dtc: consolidate include path options in Makefile
      1bc27677
    • Linus Torvalds's avatar
      Merge tag 'for-linus-20180825' of git://git.kernel.dk/linux-block · b8dcdab3
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A few small fixes for this merge window:
      
         - Locking imbalance fix for bcache (Shan Hai)
      
         - A few small fixes for wbt. One is a cleanup/prep, one is a fix for
           an existing issue, and the last two are fixes for changes that went
           into this merge window (me)"
      
      * tag 'for-linus-20180825' of git://git.kernel.dk/linux-block:
        blk-wbt: don't maintain inflight counts if disabled
        blk-wbt: fix has-sleeper queueing check
        blk-wbt: use wq_has_sleeper() for wq active check
        blk-wbt: move disable check into get_limit()
        bcache: release dc->writeback_lock properly in bch_writeback_thread()
      b8dcdab3