1. 31 Dec, 2017 2 commits
  2. 30 Dec, 2017 4 commits
    • Linus Torvalds's avatar
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 71ee2033
      Linus Torvalds authored
      Pull SCSI fixes from James Bottomley:
       "Two simple fixes, both of which cause I/O hangs.
      
        The storvsc one is from the hyper-v which can hang under certain hot
        add/remove conditions and the other is generally, where removing a
        target and a device in close proximity can result in the release
        method being executed twice (and subsequent list and other corruption
        and an eventual panic)"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: storvsc: Fix scsi_cmd error assignments in storvsc_handle_error
        scsi: core: check for device state in __scsi_remove_target()
      71ee2033
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid · efdd17f8
      Linus Torvalds authored
      Pull HID fixes from Jiri Kosina:
      
       - two cosmetic fixes from Daniel Axtens and Hans de Goede
      
       - fix for I2C command mismatch fix for cp2112 driver from Eudean Sun
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/hid:
        HID: core: lower log level for unknown main item tags to warnings
        HID: holtekff: move MODULE_* parameters out of #ifdef block
        HID: cp2112: Fix I2C_BLOCK_DATA transactions
      efdd17f8
    • Linus Torvalds's avatar
      kbuild: add '-fno-stack-check' to kernel build options · 3ce120b1
      Linus Torvalds authored
      It appears that hardened gentoo enables "-fstack-check" by default for
      gcc.
      
      That doesn't work _at_all_ for the kernel, because the kernel stack
      doesn't act like a user stack at all: it's much smaller, and it doesn't
      auto-expand on use.  So the extra "probe one page below the stack" code
      generated by -fstack-check just breaks the kernel in horrible ways,
      causing infinite double faults etc.
      
      [ I have to say, that the particular code gcc generates looks very
        stupid even for user space where it works, but that's a separate
        issue.  ]
      Reported-and-tested-by: default avatarAlexander Tsoy <alexander@tsoy.me>
      Reported-and-tested-by: default avatarToralf Förster <toralf.foerster@gmx.de>
      Cc: stable@kernel.org
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Jiri Kosina <jikos@kernel.org>
      Cc: Andy Lutomirski <luto@amacapital.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      3ce120b1
    • Linus Torvalds's avatar
      Merge branch 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip · 5aa90a84
      Linus Torvalds authored
      Pull x86 page table isolation updates from Thomas Gleixner:
       "This is the final set of enabling page table isolation on x86:
      
         - Infrastructure patches for handling the extra page tables.
      
         - Patches which map the various bits and pieces which are required to
           get in and out of user space into the user space visible page
           tables.
      
         - The required changes to have CR3 switching in the entry/exit code.
      
         - Optimizations for the CR3 switching along with documentation how
           the ASID/PCID mechanism works.
      
         - Updates to dump pagetables to cover the user space page tables for
           W+X scans and extra debugfs files to analyze both the kernel and
           the user space visible page tables
      
        The whole functionality is compile time controlled via a config switch
        and can be turned on/off on the command line as well"
      
      * 'x86-pti-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip: (32 commits)
        x86/ldt: Make the LDT mapping RO
        x86/mm/dump_pagetables: Allow dumping current pagetables
        x86/mm/dump_pagetables: Check user space page table for WX pages
        x86/mm/dump_pagetables: Add page table directory to the debugfs VFS hierarchy
        x86/mm/pti: Add Kconfig
        x86/dumpstack: Indicate in Oops whether PTI is configured and enabled
        x86/mm: Clarify the whole ASID/kernel PCID/user PCID naming
        x86/mm: Use INVPCID for __native_flush_tlb_single()
        x86/mm: Optimize RESTORE_CR3
        x86/mm: Use/Fix PCID to optimize user/kernel switches
        x86/mm: Abstract switching CR3
        x86/mm: Allow flushing for future ASID switches
        x86/pti: Map the vsyscall page if needed
        x86/pti: Put the LDT in its own PGD if PTI is on
        x86/mm/64: Make a full PGD-entry size hole in the memory map
        x86/events/intel/ds: Map debug buffers in cpu_entry_area
        x86/cpu_entry_area: Add debugstore entries to cpu_entry_area
        x86/mm/pti: Map ESPFIX into user space
        x86/mm/pti: Share entry text PMD
        x86/entry: Align entry text section to PMD boundary
        ...
      5aa90a84
  3. 29 Dec, 2017 6 commits
    • Linus Torvalds's avatar
      Merge tag 'pm-4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 61233580
      Linus Torvalds authored
      Pull power management fix from Rafael Wysocki:
       "This fixes a schedutil cpufreq governor regression from the 4.14 cycle
        that may cause a CPU idleness check to return incorrect results in
        some cases which leads to suboptimal decisions (Joel Fernandes)"
      
      * tag 'pm-4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: schedutil: Use idle_calls counter of the remote CPU
      61233580
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 2758b3e3
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) IPv6 gre tunnels end up with different default features enabled
          depending upon whether netlink or ioctls are used to bring them up.
          Fix from Alexey Kodanev.
      
       2) Fix read past end of user control message in RDS< from Avinash
          Repaka.
      
       3) Missing RCU barrier in mini qdisc code, from Cong Wang.
      
       4) Missing policy put when reusing per-cpu route entries, from Florian
          Westphal.
      
       5) Handle nested PCI errors properly in bnx2x driver, from Guilherme G.
          Piccoli.
      
       6) Run nested transport mode IPSEC packets via tasklet, from Herbert
          Xu.
      
       7) Fix handling poll() for stream sockets in tipc, from Parthasarathy
          Bhuvaragan.
      
       8) Fix two stack-out-of-bounds issues in IPSEC, from Steffen Klassert.
      
       9) Another zerocopy ubuf handling fix, from Willem de Bruijn.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (33 commits)
        strparser: Call sock_owned_by_user_nocheck
        sock: Add sock_owned_by_user_nocheck
        skbuff: in skb_copy_ubufs unclone before releasing zerocopy
        tipc: fix hanging poll() for stream sockets
        sctp: Replace use of sockets_allocated with specified macro.
        bnx2x: Improve reliability in case of nested PCI errors
        tg3: Enable PHY reset in MTU change path for 5720
        tg3: Add workaround to restrict 5762 MRRS to 2048
        tg3: Update copyright
        net: fec: unmap the xmit buffer that are not transferred by DMA
        tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path
        tipc: error path leak fixes in tipc_enable_bearer()
        RDS: Check cmsg_len before dereferencing CMSG_DATA
        tcp: Avoid preprocessor directives in tracepoint macro args
        tipc: fix memory leak of group member when peer node is lost
        net: sched: fix possible null pointer deref in tcf_block_put
        tipc: base group replicast ack counter on number of actual receivers
        net_sched: fix a missing rcu barrier in mini_qdisc_pair_swap()
        net: phy: micrel: ksz9031: reconfigure autoneg after phy autoneg workaround
        ip6_gre: fix device features for ioctl setup
        ...
      2758b3e3
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.15-rc6' of git://people.freedesktop.org/~airlied/linux · fd84b751
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "nouveau and i915 regression fixes"
      
      * tag 'drm-fixes-for-v4.15-rc6' of git://people.freedesktop.org/~airlied/linux:
        drm/nouveau: fix race when adding delayed work items
        i915: Reject CCS modifiers for pipe C on Geminilake
        drm/i915/gvt: Fix pipe A enable as default for vgpu
      fd84b751
    • Linus Torvalds's avatar
      Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux · c0208a33
      Linus Torvalds authored
      Pull clk fix from Stephen Boyd:
       "One more fix for the runtime PM clk patches. We're calling a runtime
        PM API that may schedule from somewhere that we can't do that. We
        change to the async version of pm_runtime_put() to fix it"
      
      * tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
        clk: use atomic runtime pm api in clk_core_is_enabled
      c0208a33
    • Linus Torvalds's avatar
      Merge tag 'led_fixes_for_4.15-rc6' of... · 4f2382f3
      Linus Torvalds authored
      Merge tag 'led_fixes_for_4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED fix from Jacek Anaszewski:
       "A single LED fix for brightness setting when delay_off is 0"
      
      * tag 'led_fixes_for_4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        led: core: Fix brightness setting when setting delay_off=0
      4f2382f3
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · 19286e4a
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "This is the next batch of for-rc patches from RDMA. It includes the
        fix for the ipoib regression I mentioned last time, and the result of
        a fairly major debugging effort to get iser working reliably on cxgb4
        hardware - it turns out the cxgb4 driver was not handling QP error
        flushing properly causing iser to fail.
      
         - cxgb4 fix for an iser testing failure as debugged by Steve and
           Sagi. The problem was a driver bug in the handling of shutting down
           a QP.
      
         - Various vmw_pvrdma fixes for bogus WARN_ON, missed resource free on
           error unwind and a use after free bug
      
         - Improper congestion counter values on mlx5 when link aggregation is
           enabled
      
         - ipoib lockdep regression introduced in this merge window
      
         - hfi1 regression supporting the device in a VM introduced in a
           recent patch
      
         - Typo that breaks future uAPI compatibility in the verbs core
      
         - More SELinux related oops fixing
      
         - Fix an oops during error unwind in mlx5"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        IB/mlx5: Fix mlx5_ib_alloc_mr error flow
        IB/core: Verify that QP is security enabled in create and destroy
        IB/uverbs: Fix command checking as part of ib_uverbs_ex_modify_qp()
        IB/mlx5: Serialize access to the VMA list
        IB/hfi: Only read capability registers if the capability exists
        IB/ipoib: Fix lockdep issue found on ipoib_ib_dev_heavy_flush
        IB/mlx5: Fix congestion counters in LAG mode
        RDMA/vmw_pvrdma: Avoid use after free due to QP/CQ/SRQ destroy
        RDMA/vmw_pvrdma: Use refcount_dec_and_test to avoid warning
        RDMA/vmw_pvrdma: Call ib_umem_release on destroy QP path
        iw_cxgb4: when flushing, complete all wrs in a chain
        iw_cxgb4: reflect the original WR opcode in drain cqes
        iw_cxgb4: Only validate the MSN for successful completions
      19286e4a
  4. 28 Dec, 2017 8 commits
  5. 27 Dec, 2017 20 commits
    • Nitzan Carmi's avatar
      IB/mlx5: Fix mlx5_ib_alloc_mr error flow · 45e6ae7e
      Nitzan Carmi authored
      ibmr.device is being set only after ib_alloc_mr() is
      (successfully) complete. Therefore, in case mlx5_core_create_mkey()
      return with error, the error flow calls mlx5_free_priv_descs()
      which uses ibmr.device (which doesn't exist yet), causing
      a NULL dereference oops.
      
      To fix this, the IB device should be set in the mr struct earlier
      stage (e.g. prior to calling mlx5_core_create_mkey()).
      
      Fixes: 8a187ee5 ("IB/mlx5: Support the new memory registration API")
      Signed-off-by: default avatarMax Gurtovoy <maxg@mellanox.com>
      Signed-off-by: default avatarNitzan Carmi <nitzanc@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      45e6ae7e
    • Moni Shoua's avatar
      IB/core: Verify that QP is security enabled in create and destroy · 4a50881b
      Moni Shoua authored
      The XRC target QP create flow sets up qp_sec only if there is an IB link with
      LSM security enabled. However, several other related uAPI entry points blindly
      follow the qp_sec NULL pointer, resulting in a possible oops.
      
      Check for NULL before using qp_sec.
      
      Cc: <stable@vger.kernel.org> # v4.12
      Fixes: d291f1a6 ("IB/core: Enforce PKey security on QPs")
      Reviewed-by: default avatarDaniel Jurgens <danielj@mellanox.com>
      Signed-off-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      4a50881b
    • Moni Shoua's avatar
      IB/uverbs: Fix command checking as part of ib_uverbs_ex_modify_qp() · 05d14e7b
      Moni Shoua authored
      If the input command length is larger than the kernel supports an error should
      be returned in case the unsupported bytes are not cleared, instead of the
      other way aroudn. This matches what all other callers of ib_is_udata_cleared
      do and will avoid user ABI problems in the future.
      
      Cc: <stable@vger.kernel.org> # v4.10
      Fixes: 189aba99 ("IB/uverbs: Extend modify_qp and support packet pacing")
      Reviewed-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Signed-off-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      05d14e7b
    • Majd Dibbiny's avatar
      IB/mlx5: Serialize access to the VMA list · ad9a3668
      Majd Dibbiny authored
      User-space applications can do mmap and munmap directly at
      any time.
      
      Since the VMA list is not protected with a mutex, concurrent
      accesses to the VMA list from the mmap and munmap can cause
      data corruption. Add a mutex around the list.
      
      Cc: <stable@vger.kernel.org> # v4.7
      Fixes: 7c2344c3 ("IB/mlx5: Implements disassociate_ucontext API")
      Reviewed-by: default avatarYishai Hadas <yishaih@mellanox.com>
      Signed-off-by: default avatarMajd Dibbiny <majd@mellanox.com>
      Signed-off-by: default avatarLeon Romanovsky <leon@kernel.org>
      Signed-off-by: default avatarJason Gunthorpe <jgg@mellanox.com>
      ad9a3668
    • Linus Torvalds's avatar
      Merge tag 'trace-v4.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace · 5f520fc3
      Linus Torvalds authored
      Pull tracing fixes from Steven Rostedt:
       "While doing tests on tracing over the network, I found that the
        packets were getting corrupted.
      
        In the process I found three bugs.
      
        One was the culprit, but the other two scared me. After deeper
        investigation, they were not as major as I thought they were, due to a
        signed compared to an unsigned that prevented a negative number from
        doing actual harm.
      
        The two bigger bugs:
      
         - Mask the ring buffer data page length. There are data flags at the
           high bits of the length field. These were not cleared via the
           length function, and the length could return a negative number.
           (Although the number returned was unsigned, but was assigned to a
           signed number) Luckily, this value was compared to PAGE_SIZE which
           is unsigned and kept it from entering the path that could have
           caused damage.
      
         - Check the page usage before reusing the ring buffer reader page.
           TCP increments the page ref when passing the page off to the
           network. The page is passed back to the ring buffer for use on
           free. But the page could still be in use by the TCP stack.
      
        Minor bugs:
      
         - Related to the first bug. No need to clear out the unused ring
           buffer data before sending to user space. It is now done by the
           ring buffer code itself.
      
         - Reset pointers after free on error path. There were some cases in
           the error path that pointers were freed but not set to NULL, and
           could have them freed again, having a pointer freed twice"
      
      * tag 'trace-v4.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt/linux-trace:
        tracing: Fix possible double free on failure of allocating trace buffer
        tracing: Fix crash when it fails to alloc ring buffer
        ring-buffer: Do no reuse reader page if still in use
        tracing: Remove extra zeroing out of the ring buffer page
        ring-buffer: Mask out the info bits when returning buffer page length
      5f520fc3
    • Linus Torvalds's avatar
      Merge tag 'sound-4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 9b957794
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "It seems that Santa overslept with a bunch of gifts; the majority of
        changes here are various device-specific ASoC fixes, most notably the
        revert of rcar IOMMU support and fsl_ssi AC97 fixes, but also lots of
        small fixes for codecs. Besides that, the usual HD-audio quirks and
        fixes are included, too"
      
      * tag 'sound-4.15-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (31 commits)
        ALSA: hda - Fix missing COEF init for ALC225/295/299
        ALSA: hda: Drop useless WARN_ON()
        ALSA: hda - change the location for one mic on a Lenovo machine
        ALSA: hda - fix headset mic detection issue on a Dell machine
        ALSA: hda - Add MIC_NO_PRESENCE fixup for 2 HP machines
        ASoC: rsnd: fixup ADG register mask
        ASoC: rt5514-spi: only enable wakeup when fully initialized
        ASoC: nau8825: fix issue that pop noise when start capture
        ASoC: rt5663: Fix the wrong result of the first jack detection
        ASoC: rsnd: ssi: fix race condition in rsnd_ssi_pointer_update
        ASoC: Intel: Change kern log level to avoid unwanted messages
        ASoC: atmel-classd: select correct Kconfig symbol
        ASoC: wm_adsp: Fix validation of firmware and coeff lengths
        ASoC: Intel: Skylake: Do not check dev_type for dmic link type
        ASoC: rockchip: disable clock on error
        ASoC: tlv320aic31xx: Fix GPIO1 register definition
        ASoC: codecs: msm8916-wcd: Fix supported formats
        ASoC: fsl_asrc: Fix typo in a field define
        ASoC: rsnd: ssiu: clear SSI_MODE for non TDM Extended modes
        ASoC: da7218: Correct IRQ level in DT binding example
        ...
      9b957794
    • Matthieu CASTET's avatar
      led: core: Fix brightness setting when setting delay_off=0 · 2b83ff96
      Matthieu CASTET authored
      With the current code, the following sequence won't work :
      echo timer > trigger
      
      echo 0 >  delay_off
      * at this point we call
      ** led_delay_off_store
      ** led_blink_set
      *** stop timer
      ** led_blink_setup
      ** led_set_software_blink
      *** if !delay_on, led off
      *** if !delay_off, set led_set_brightness_nosleep <--- LED_BLINK_SW is set but timer is stop
      *** otherwise start timer/set LED_BLINK_SW flag
      
      echo xxx > brightness
      * led_set_brightness
      ** if LED_BLINK_SW
      *** if brightness=0, led off
      *** else apply brightness if next timer <--- timer is stop, and will never apply new setting
      ** otherwise set led_set_brightness_nosleep
      
      To fix that, when we delete the timer, we should clear LED_BLINK_SW.
      
      Cc: linux-leds@vger.kernel.org
      Signed-off-by: default avatarMatthieu CASTET <matthieu.castet@parrot.com>
      Signed-off-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      2b83ff96
    • Steven Rostedt (VMware)'s avatar
      tracing: Fix possible double free on failure of allocating trace buffer · 4397f045
      Steven Rostedt (VMware) authored
      Jing Xia and Chunyan Zhang reported that on failing to allocate part of the
      tracing buffer, memory is freed, but the pointers that point to them are not
      initialized back to NULL, and later paths may try to free the freed memory
      again. Jing and Chunyan fixed one of the locations that does this, but
      missed a spot.
      
      Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com
      
      Cc: stable@vger.kernel.org
      Fixes: 737223fb ("tracing: Consolidate buffer allocation code")
      Reported-by: default avatarJing Xia <jing.xia@spreadtrum.com>
      Reported-by: default avatarChunyan Zhang <chunyan.zhang@spreadtrum.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      4397f045
    • Jing Xia's avatar
      tracing: Fix crash when it fails to alloc ring buffer · 24f2aaf9
      Jing Xia authored
      Double free of the ring buffer happens when it fails to alloc new
      ring buffer instance for max_buffer if TRACER_MAX_TRACE is configured.
      The root cause is that the pointer is not set to NULL after the buffer
      is freed in allocate_trace_buffers(), and the freeing of the ring
      buffer is invoked again later if the pointer is not equal to Null,
      as:
      
      instance_mkdir()
          |-allocate_trace_buffers()
              |-allocate_trace_buffer(tr, &tr->trace_buffer...)
      	|-allocate_trace_buffer(tr, &tr->max_buffer...)
      
                // allocate fail(-ENOMEM),first free
                // and the buffer pointer is not set to null
              |-ring_buffer_free(tr->trace_buffer.buffer)
      
             // out_free_tr
          |-free_trace_buffers()
              |-free_trace_buffer(&tr->trace_buffer);
      
      	      //if trace_buffer is not null, free again
      	    |-ring_buffer_free(buf->buffer)
                      |-rb_free_cpu_buffer(buffer->buffers[cpu])
                          // ring_buffer_per_cpu is null, and
                          // crash in ring_buffer_per_cpu->pages
      
      Link: http://lkml.kernel.org/r/20171226071253.8968-1-chunyan.zhang@spreadtrum.com
      
      Cc: stable@vger.kernel.org
      Fixes: 737223fb ("tracing: Consolidate buffer allocation code")
      Signed-off-by: default avatarJing Xia <jing.xia@spreadtrum.com>
      Signed-off-by: default avatarChunyan Zhang <chunyan.zhang@spreadtrum.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      24f2aaf9
    • Steven Rostedt (VMware)'s avatar
      ring-buffer: Do no reuse reader page if still in use · ae415fa4
      Steven Rostedt (VMware) authored
      To free the reader page that is allocated with ring_buffer_alloc_read_page(),
      ring_buffer_free_read_page() must be called. For faster performance, this
      page can be reused by the ring buffer to avoid having to free and allocate
      new pages.
      
      The issue arises when the page is used with a splice pipe into the
      networking code. The networking code may up the page counter for the page,
      and keep it active while sending it is queued to go to the network. The
      incrementing of the page ref does not prevent it from being reused in the
      ring buffer, and this can cause the page that is being sent out to the
      network to be modified before it is sent by reading new data.
      
      Add a check to the page ref counter, and only reuse the page if it is not
      being used anywhere else.
      
      Cc: stable@vger.kernel.org
      Fixes: 73a757e6 ("ring-buffer: Return reader page back into existing ring buffer")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      ae415fa4
    • Steven Rostedt (VMware)'s avatar
      tracing: Remove extra zeroing out of the ring buffer page · 6b7e633f
      Steven Rostedt (VMware) authored
      The ring_buffer_read_page() takes care of zeroing out any extra data in the
      page that it returns. There's no need to zero it out again from the
      consumer. It was removed from one consumer of this function, but
      read_buffers_splice_read() did not remove it, and worse, it contained a
      nasty bug because of it.
      
      Cc: stable@vger.kernel.org
      Fixes: 2711ca23 ("ring-buffer: Move zeroing out excess in page to ring buffer code")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      6b7e633f
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2017-12-22-1' of... · 03bfd4e1
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2017-12-22-1' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      GLK pipe C related fix, and a gvt fix.
      
      * tag 'drm-intel-fixes-2017-12-22-1' of git://anongit.freedesktop.org/drm/drm-intel:
        i915: Reject CCS modifiers for pipe C on Geminilake
        drm/i915/gvt: Fix pipe A enable as default for vgpu
      03bfd4e1
    • Steven Rostedt (VMware)'s avatar
      ring-buffer: Mask out the info bits when returning buffer page length · 45d8b80c
      Steven Rostedt (VMware) authored
      Two info bits were added to the "commit" part of the ring buffer data page
      when returned to be consumed. This was to inform the user space readers that
      events have been missed, and that the count may be stored at the end of the
      page.
      
      What wasn't handled, was the splice code that actually called a function to
      return the length of the data in order to zero out the rest of the page
      before sending it up to user space. These data bits were returned with the
      length making the value negative, and that negative value was not checked.
      It was compared to PAGE_SIZE, and only used if the size was less than
      PAGE_SIZE. Luckily PAGE_SIZE is unsigned long which made the compare an
      unsigned compare, meaning the negative size value did not end up causing a
      large portion of memory to be randomly zeroed out.
      
      Cc: stable@vger.kernel.org
      Fixes: 66a8cb95 ("ring-buffer: Add place holder recording of dropped events")
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      45d8b80c
    • Tonghao Zhang's avatar
      sctp: Replace use of sockets_allocated with specified macro. · 8cb38a60
      Tonghao Zhang authored
      The patch(180d8cd9) replaces all uses of struct sock fields'
      memory_pressure, memory_allocated, sockets_allocated, and sysctl_mem
      to accessor macros. But the sockets_allocated field of sctp sock is
      not replaced at all. Then replace it now for unifying the code.
      
      Fixes: 180d8cd9 ("foundations of per-cgroup memory pressure controlling.")
      Cc: Glauber Costa <glommer@parallels.com>
      Signed-off-by: default avatarTonghao Zhang <zhangtonghao@didichuxing.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8cb38a60
    • Guilherme G. Piccoli's avatar
      bnx2x: Improve reliability in case of nested PCI errors · f7084059
      Guilherme G. Piccoli authored
      While in recovery process of PCI error (called EEH on PowerPC arch),
      another PCI transaction could be corrupted causing a situation of
      nested PCI errors. Also, this scenario could be reproduced with
      error injection mechanisms (for debug purposes).
      
      We observe that in case of nested PCI errors, bnx2x might attempt to
      initialize its shmem and cause a kernel crash due to bad addresses
      read from MCP. Multiple different stack traces were observed depending
      on the point the second PCI error happens.
      
      This patch avoids the crashes by:
      
       * failing PCI recovery in case of nested errors (since multiple
       PCI errors in a row are not expected to lead to a functional
       adapter anyway), and by,
      
       * preventing access to adapter FW when MCP is failed (we mark it as
       failed when shmem cannot get initialized properly).
      Reported-by: default avatarAbdul Haleem <abdhalee@linux.vnet.ibm.com>
      Signed-off-by: default avatarGuilherme G. Piccoli <gpiccoli@linux.vnet.ibm.com>
      Acked-by: default avatarShahed Shaikh <Shahed.Shaikh@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f7084059
    • David S. Miller's avatar
      Merge branch 'tg3-fixes' · 67538790
      David S. Miller authored
      Siva Reddy Kallam says:
      
      ====================
      tg3: update on copyright and couple of fixes
      
      First patch:
      	Update copyright
      
      Second patch:
      	Add workaround to restrict 5762 MRRS
      
      Third patch:
      	Add PHY reset in change MTU path for 5720
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      67538790
    • Siva Reddy Kallam's avatar
      tg3: Enable PHY reset in MTU change path for 5720 · e60ee41a
      Siva Reddy Kallam authored
      A customer noticed RX path hang when MTU is changed on the fly while
      running heavy traffic with NCSI enabled for 5717 and 5719. Since 5720
      belongs to same ASIC family, we observed same issue and same fix
      could solve this problem for 5720.
      Signed-off-by: default avatarSiva Reddy Kallam <siva.kallam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e60ee41a
    • Siva Reddy Kallam's avatar
      tg3: Add workaround to restrict 5762 MRRS to 2048 · 4419bb1c
      Siva Reddy Kallam authored
      One of AMD based server with 5762 hangs with jumbo frame traffic.
      This AMD platform has southbridge limitation which is restricting MRRS
      to 4000. As a work around, driver to restricts the MRRS to 2048 for
      this particular 5762 NX1 card.
      Signed-off-by: default avatarSiva Reddy Kallam <siva.kallam@broadcom.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4419bb1c
    • Siva Reddy Kallam's avatar
      5a8bae97
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 65bbbf6c
      David S. Miller authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2017-12-22
      
      1) Check for valid id proto in validate_tmpl(), otherwise
         we may trigger a warning in xfrm_state_fini().
         From Cong Wang.
      
      2) Fix a typo on XFRMA_OUTPUT_MARK policy attribute.
         From Michal Kubecek.
      
      3) Verify the state is valid when encap_type < 0,
         otherwise we may crash on IPsec GRO .
         From Aviv Heller.
      
      4) Fix stack-out-of-bounds read on socket policy lookup.
         We access the flowi of the wrong address family in the
         IPv4 mapped IPv6 case, fix this by catching address
         family missmatches before we do the lookup.
      
      5) fix xfrm_do_migrate() with AEAD to copy the geniv
         field too. Otherwise the state is not fully initialized
         and migration fails. From Antony Antony.
      
      6) Fix stack-out-of-bounds with misconfigured transport
         mode policies. Our policy template validation is not
         strict enough. It is possible to configure policies
         with transport mode template where the address family
         of the template does not match the selectors address
         family. Fix this by refusing such a configuration,
         address family can not change on transport mode.
      
      7) Fix a policy reference leak when reusing pcpu xdst
         entry. From Florian Westphal.
      
      8) Reinject transport-mode packets through tasklet,
         otherwise it is possible to reate a recursion
         loop. From Herbert Xu.
      
      Please pull or let me know if there are problems.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65bbbf6c