1. 19 Jan, 2018 3 commits
  2. 18 Jan, 2018 4 commits
  3. 17 Jan, 2018 21 commits
  4. 16 Jan, 2018 12 commits
    • Linus Walleij's avatar
      gpio: mmio: Also read bits that are zero · 07c7b6a5
      Linus Walleij authored
      The code for .get_multiple() has bugs:
      
      1. The simple .get_multiple() just reads a register, masks it
      and sets the return value. This is not correct: we only want to
      assign values (whether 0 or 1) to the bits that are set in the
      mask. Fix this by using &= ~mask to clear all bits in the mask
      and then |= val & mask to set the corresponding bits from the
      read.
      
      2. The bgpio_get_multiple_be() call has a similar problem: it
      uses the |= operator to set the bits, so only the bits in the
      mask are affected, but it misses to clear all returned bits
      from the mask initially, so some bits will be returned
      erroneously set to 1.
      
      3. The bgpio_get_set_multiple() again fails to clear the bits
      from the mask.
      
      4. find_next_bit() wasn't handled correctly, use a totally
      different approach for one function and change the other
      function to follow the design pattern of assigning the first
      bit to -1, then use bit + 1 in the for loop and < num_iterations
      as break condition.
      
      Fixes: 80057cb4 ("gpio-mmio: Use the new .get_multiple() callback")
      Cc: Bartosz Golaszewski <brgl@bgdev.pl>
      Reported-by: default avatarClemens Gruber <clemens.gruber@pqgruber.com>
      Tested-by: default avatarClemens Gruber <clemens.gruber@pqgruber.com>
      Reported-by: default avatarLukas Wunner <lukas@wunner.de>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      07c7b6a5
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · b45a53be
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Two read past end of buffer fixes in AF_KEY, from Eric Biggers.
      
       2) Memory leak in key_notify_policy(), from Steffen Klassert.
      
       3) Fix overflow with bpf arrays, from Daniel Borkmann.
      
       4) Fix RDMA regression with mlx5 due to mlx5 no longer using
          pci_irq_get_affinity(), from Saeed Mahameed.
      
       5) Missing RCU read locking in nl80211_send_iface() when it calls
          ieee80211_bss_get_ie(), from Dominik Brodowski.
      
       6) cfg80211 should check dev_set_name()'s return value, from Johannes
          Berg.
      
       7) Missing module license tag in 9p protocol, from Stephen Hemminger.
      
       8) Fix crash due to too small MTU in udp ipv6 sendmsg, from Mike
          Maloney.
      
       9) Fix endless loop in netlink extack code, from David Ahern.
      
      10) TLS socket layer sets inverted error codes, resulting in an endless
          loop. From Robert Hering.
      
      11) Revert openvswitch erspan tunnel support, it's mis-designed and we
          need to kill it before it goes into a real release. From William Tu.
      
      12) Fix lan78xx failures in full speed USB mode, from Yuiko Oshino.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (54 commits)
        net, sched: fix panic when updating miniq {b,q}stats
        qed: Fix potential use-after-free in qed_spq_post()
        nfp: use the correct index for link speed table
        lan78xx: Fix failure in USB Full Speed
        sctp: do not allow the v4 socket to bind a v4mapped v6 address
        sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
        sctp: reinit stream if stream outcnt has been change by sinit in sendmsg
        ibmvnic: Fix pending MAC address changes
        netlink: extack: avoid parenthesized string constant warning
        ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY
        net: Allow neigh contructor functions ability to modify the primary_key
        sh_eth: fix dumping ARSTR
        Revert "openvswitch: Add erspan tunnel support."
        net/tls: Fix inverted error codes to avoid endless loop
        ipv6: ip6_make_skb() needs to clear cork.base.dst
        sctp: avoid compiler warning on implicit fallthru
        net: ipv4: Make "ip route get" match iif lo rules again.
        netlink: extack needs to be reset each time through loop
        tipc: fix a memory leak in tipc_nl_node_get_link()
        ipv6: fix udpv6 sendmsg crash caused by too small MTU
        ...
      b45a53be
    • Linus Torvalds's avatar
      Merge tag 'sound-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 41aa5e5d
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A few small last-minute fixes that should sneak into 4.15:
      
         - remove a spurious WARN_ON() triggered by syzkaller
      
         - fix for ioctl races in ALSA sequencer
      
         - two trivial HD-audio fixup entries"
      
      * tag 'sound-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: seq: Make ioctls race-free
        ALSA: pcm: Remove yet superfluous WARN_ON()
        ALSA: hda - Apply the existing quirk to iMac 14,1
        ALSA: hda - Apply headphone noise quirk for another Dell XPS 13 variant
      41aa5e5d
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.15-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 921d4f67
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
      
       - Bring back context level recursive protection in ring buffer.
      
         The simpler counter protection failed, due to a path when tracing
         with trace_clock_global() as it could not be reentrant and depended
         on the ring buffer recursive protection to keep that from happening.
      
       - Prevent branch profiling when FORTIFY_SOURCE is enabled.
      
         It causes 50 - 60 MB in warning messages. Branch profiling should
         never be run on production systems, so there's no reason that it
         needs to be enabled with FORTIFY_SOURCE.
      
      * tag 'trace-v4.15-rc4-2' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Prevent PROFILE_ALL_BRANCHES when FORTIFY_SOURCE=y
        ring-buffer: Bring back context level recursive checks
      921d4f67
    • Daniel Borkmann's avatar
      net, sched: fix panic when updating miniq {b,q}stats · 81d947e2
      Daniel Borkmann authored
      While working on fixing another bug, I ran into the following panic
      on arm64 by simply attaching clsact qdisc, adding a filter and running
      traffic on ingress to it:
      
        [...]
        [  178.188591] Unable to handle kernel read from unreadable memory at virtual address 810fb501f000
        [  178.197314] Mem abort info:
        [  178.200121]   ESR = 0x96000004
        [  178.203168]   Exception class = DABT (current EL), IL = 32 bits
        [  178.209095]   SET = 0, FnV = 0
        [  178.212157]   EA = 0, S1PTW = 0
        [  178.215288] Data abort info:
        [  178.218175]   ISV = 0, ISS = 0x00000004
        [  178.222019]   CM = 0, WnR = 0
        [  178.224997] user pgtable: 4k pages, 48-bit VAs, pgd = 0000000023cb3f33
        [  178.231531] [0000810fb501f000] *pgd=0000000000000000
        [  178.236508] Internal error: Oops: 96000004 [#1] SMP
        [...]
        [  178.311855] CPU: 73 PID: 2497 Comm: ping Tainted: G        W        4.15.0-rc7+ #5
        [  178.319413] Hardware name: FOXCONN R2-1221R-A4/C2U4N_MB, BIOS G31FB18A 03/31/2017
        [  178.326887] pstate: 60400005 (nZCv daif +PAN -UAO)
        [  178.331685] pc : __netif_receive_skb_core+0x49c/0xac8
        [  178.336728] lr : __netif_receive_skb+0x28/0x78
        [  178.341161] sp : ffff00002344b750
        [  178.344465] x29: ffff00002344b750 x28: ffff810fbdfd0580
        [  178.349769] x27: 0000000000000000 x26: ffff000009378000
        [...]
        [  178.418715] x1 : 0000000000000054 x0 : 0000000000000000
        [  178.424020] Process ping (pid: 2497, stack limit = 0x000000009f0a3ff4)
        [  178.430537] Call trace:
        [  178.432976]  __netif_receive_skb_core+0x49c/0xac8
        [  178.437670]  __netif_receive_skb+0x28/0x78
        [  178.441757]  process_backlog+0x9c/0x160
        [  178.445584]  net_rx_action+0x2f8/0x3f0
        [...]
      
      Reason is that sch_ingress and sch_clsact are doing mini_qdisc_pair_init()
      which sets up miniq pointers to cpu_{b,q}stats from the underlying qdisc.
      Problem is that this cannot work since they are actually set up right after
      the qdisc ->init() callback in qdisc_create(), so first packet going into
      sch_handle_ingress() tries to call mini_qdisc_bstats_cpu_update() and we
      therefore panic.
      
      In order to fix this, allocation of {b,q}stats needs to happen before we
      call into ->init(). In net-next, there's already such option through commit
      d59f5ffa ("net: sched: a dflt qdisc may be used with per cpu stats").
      However, the bug needs to be fixed in net still for 4.15. Thus, include
      these bits to reduce any merge churn and reuse the static_flags field to
      set TCQ_F_CPUSTATS, and remove the allocation from qdisc_create() since
      there is no other user left. Prashant Bhole ran into the same issue but
      for net-next, thus adding him below as well as co-author. Same issue was
      also reported by Sandipan Das when using bcc.
      
      Fixes: 46209401 ("net: core: introduce mini_Qdisc and eliminate usage of tp->q for clsact fastpath")
      Reference: https://lists.iovisor.org/pipermail/iovisor-dev/2018-January/001190.htmlReported-by: default avatarSandipan Das <sandipan@linux.vnet.ibm.com>
      Co-authored-by: default avatarPrashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
      Co-authored-by: default avatarJohn Fastabend <john.fastabend@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Cc: Jiri Pirko <jiri@resnulli.us>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      81d947e2
    • Roland Dreier's avatar
      qed: Fix potential use-after-free in qed_spq_post() · 70eeff66
      Roland Dreier authored
      We need to check if p_ent->comp_mode is QED_SPQ_MODE_EBLOCK before
      calling qed_spq_add_entry().  The test is fine is the mode is EBLOCK,
      but if it isn't then qed_spq_add_entry() might kfree(p_ent).
      Signed-off-by: default avatarRoland Dreier <roland@purestorage.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      70eeff66
    • Jakub Kicinski's avatar
      nfp: use the correct index for link speed table · 0d9c9f0f
      Jakub Kicinski authored
      sts variable is holding link speed as well as state.  We should
      be using ls to index into ls_to_ethtool.
      
      Fixes: 265aeb51 ("nfp: add support for .get_link_ksettings()")
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0d9c9f0f
    • Yuiko Oshino's avatar
      lan78xx: Fix failure in USB Full Speed · a5b1379a
      Yuiko Oshino authored
      Fix initialize the uninitialized tx_qlen to an appropriate value when USB
      Full Speed is used.
      
      Fixes: 55d7de9d ("Microchip's LAN7800 family USB 2/3 to 10/100/1000 Ethernet device driver")
      Signed-off-by: default avatarYuiko Oshino <yuiko.oshino@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a5b1379a
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2018-01-15' of... · 161f72ed
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2018-01-15' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      More fixes:
       * hwsim:
          - properly flush deletion works at module unload
          - validate # of channels passed from userspace
       * cfg80211:
          - fix RCU locking regression
          - initialize on-stack channel data for nl80211 event
          - check dev_set_name() return value
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      161f72ed
    • Xin Long's avatar
      sctp: do not allow the v4 socket to bind a v4mapped v6 address · c5006b8a
      Xin Long authored
      The check in sctp_sockaddr_af is not robust enough to forbid binding a
      v4mapped v6 addr on a v4 socket.
      
      The worse thing is that v4 socket's bind_verify would not convert this
      v4mapped v6 addr to a v4 addr. syzbot even reported a crash as the v4
      socket bound a v6 addr.
      
      This patch is to fix it by doing the common sa.sa_family check first,
      then AF_INET check for v4mapped v6 addrs.
      
      Fixes: 7dab83de ("sctp: Support ipv6only AF_INET6 sockets.")
      Reported-by: syzbot+7b7b518b1228d2743963@syzkaller.appspotmail.com
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c5006b8a
    • Xin Long's avatar
      sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf · a0ff6600
      Xin Long authored
      After commit cea0cc80 ("sctp: use the right sk after waking up from
      wait_buf sleep"), it may change to lock another sk if the asoc has been
      peeled off in sctp_wait_for_sndbuf.
      
      However, the asoc's new sk could be already closed elsewhere, as it's in
      the sendmsg context of the old sk that can't avoid the new sk's closing.
      If the sk's last one refcnt is held by this asoc, later on after putting
      this asoc, the new sk will be freed, while under it's own lock.
      
      This patch is to revert that commit, but fix the old issue by returning
      error under the old sk's lock.
      
      Fixes: cea0cc80 ("sctp: use the right sk after waking up from wait_buf sleep")
      Reported-by: syzbot+ac6ea7baa4432811eb50@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a0ff6600
    • Xin Long's avatar
      sctp: reinit stream if stream outcnt has been change by sinit in sendmsg · 625637bf
      Xin Long authored
      After introducing sctp_stream structure, sctp uses stream->outcnt as the
      out stream nums instead of c.sinit_num_ostreams.
      
      However when users use sinit in cmsg, it only updates c.sinit_num_ostreams
      in sctp_sendmsg. At that moment, stream->outcnt is still using previous
      value. If it's value is not updated, the sinit_num_ostreams of sinit could
      not really work.
      
      This patch is to fix it by updating stream->outcnt and reiniting stream
      if stream outcnt has been change by sinit in sendmsg.
      
      Fixes: a8386317 ("sctp: prepare asoc stream for stream reconf")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      625637bf