1. 26 Apr, 2019 13 commits
  2. 25 Apr, 2019 6 commits
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-5.1-rc7' of git://github.com/ceph/ceph-client · 8113a85f
      Linus Torvalds authored
      Pull ceph fixes from Ilya Dryomov:
       "dentry name handling fixes from Jeff and a memory leak fix from Zheng.
      
        Both are old issues, marked for stable"
      
      * tag 'ceph-for-5.1-rc7' of git://github.com/ceph/ceph-client:
        ceph: fix ci->i_head_snapc leak
        ceph: handle the case where a dentry has been renamed on outstanding req
        ceph: ensure d_name stability in ceph_dentry_hash()
        ceph: only use d_name directly when parent is locked
      8113a85f
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · f6f3e747
      Linus Torvalds authored
      Pull crypto fixes from Herbert Xu:
       "This fixes a bug in xts and lrw where they may sleep in an atomic
        context"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: lrw - Fix atomic sleep when walking skcipher
        crypto: xts - Fix atomic sleep when walking skcipher
      f6f3e747
    • Nikolay Borisov's avatar
      btrfs: Switch memory allocations in async csum calculation path to kvmalloc · a3d46aea
      Nikolay Borisov authored
      Recent multi-page biovec rework allowed creation of bios that can span
      large regions - up to 128 megabytes in the case of btrfs. OTOH btrfs'
      submission path currently allocates a contiguous array to store the
      checksums for every bio submitted. This means we can request up to
      (128mb / BTRFS_SECTOR_SIZE) * 4 bytes + 32bytes of memory from kmalloc.
      On busy systems with possibly fragmented memory said kmalloc can fail
      which will trigger BUG_ON due to improper error handling IO submission
      context in btrfs.
      
      Until error handling is improved or bios in btrfs limited to a more
      manageable size (e.g. 1m) let's use kvmalloc to fallback to vmalloc for
      such large allocations. There is no hard requirement that the memory
      allocated for checksums during IO submission has to be contiguous, but
      this is a simple fix that does not require several non-contiguous
      allocations.
      
      For small writes this is unlikely to have any visible effect since
      kmalloc will still satisfy allocation requests as usual. For larger
      requests the code will just fallback to vmalloc.
      
      We've performed evaluation on several workload types and there was no
      significant difference kmalloc vs kvmalloc.
      Signed-off-by: default avatarNikolay Borisov <nborisov@suse.com>
      Reviewed-by: default avatarDavid Sterba <dsterba@suse.com>
      Signed-off-by: default avatarDavid Sterba <dsterba@suse.com>
      a3d46aea
    • Jonas Karlman's avatar
      drm/bridge: dw-hdmi: fix SCDC configuration for ddc-i2c-bus · c4cba44e
      Jonas Karlman authored
      When ddc-i2c-bus property is used, a NULL pointer dereference is reported:
      
      [   31.041669] Unable to handle kernel NULL pointer dereference at virtual address 00000008
      [   31.041671] pgd = 4d3c16f6
      [   31.041673] [00000008] *pgd=00000000
      [   31.041678] Internal error: Oops: 5 [#1] SMP ARM
      
      [   31.041711] Hardware name: Rockchip (Device Tree)
      [   31.041718] PC is at i2c_transfer+0x8/0xe4
      [   31.041721] LR is at drm_scdc_read+0x54/0x84
      [   31.041723] pc : [<c073273c>]    lr : [<c05926c4>]    psr: 280f0013
      [   31.041725] sp : edffdad0  ip : 5ccb5511  fp : 00000058
      [   31.041727] r10: 00000780  r9 : edf91608  r8 : c11b0f48
      [   31.041728] r7 : 00000438  r6 : 00000000  r5 : 00000000  r4 : 00000000
      [   31.041730] r3 : edffdae7  r2 : 00000002  r1 : edffdaec  r0 : 00000000
      
      [   31.041908] [<c073273c>] (i2c_transfer) from [<c05926c4>] (drm_scdc_read+0x54/0x84)
      [   31.041913] [<c05926c4>] (drm_scdc_read) from [<c0592858>] (drm_scdc_set_scrambling+0x30/0xbc)
      [   31.041919] [<c0592858>] (drm_scdc_set_scrambling) from [<c05cc0f4>] (dw_hdmi_update_power+0x1440/0x1610)
      [   31.041926] [<c05cc0f4>] (dw_hdmi_update_power) from [<c05cc574>] (dw_hdmi_bridge_enable+0x2c/0x70)
      [   31.041932] [<c05cc574>] (dw_hdmi_bridge_enable) from [<c05aed48>] (drm_bridge_enable+0x24/0x34)
      [   31.041938] [<c05aed48>] (drm_bridge_enable) from [<c0591060>] (drm_atomic_helper_commit_modeset_enables+0x114/0x220)
      [   31.041943] [<c0591060>] (drm_atomic_helper_commit_modeset_enables) from [<c05c3fe0>] (rockchip_atomic_helper_commit_tail_rpm+0x28/0x64)
      
      hdmi->i2c may not be set when ddc-i2c-bus property is used in device tree.
      Fix this by using hdmi->ddc as the i2c adapter when calling drm_scdc_*().
      Also report that SCDC is not supported when there is no DDC bus.
      
      Fixes: 264fce6c ("drm/bridge: dw-hdmi: Add SCDC and TMDS Scrambling support")
      Signed-off-by: default avatarJonas Karlman <jonas@kwiboo.se>
      Reviewed-by: default avatarHeiko Stuebner <heiko@sntech.de>
      Reviewed-by: default avatarNeil Armstrong <narmstrong@baylibre.com>
      Reviewed-by: default avatarLaurent Pinchart <laurent.pinchart@ideasonboard.com>
      Signed-off-by: default avatarAndrzej Hajda <a.hajda@samsung.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/VE1PR03MB59031814B5BCAB2152923BDAAC210@VE1PR03MB5903.eurprd03.prod.outlook.com
      c4cba44e
    • Geert Uytterhoeven's avatar
      gpio: Fix gpiochip_add_data_with_key() error path · 35779890
      Geert Uytterhoeven authored
      The err_remove_chip block is too coarse, and may perform cleanup that
      must not be done.  E.g. if of_gpiochip_add() fails, of_gpiochip_remove()
      is still called, causing:
      
          OF: ERROR: Bad of_node_put() on /soc/gpio@e6050000
          CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted 5.1.0-rc2-koelsch+ #407
          Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
          Workqueue: events deferred_probe_work_func
          [<c020ec74>] (unwind_backtrace) from [<c020ae58>] (show_stack+0x10/0x14)
          [<c020ae58>] (show_stack) from [<c07c1224>] (dump_stack+0x7c/0x9c)
          [<c07c1224>] (dump_stack) from [<c07c5a80>] (kobject_put+0x94/0xbc)
          [<c07c5a80>] (kobject_put) from [<c0470420>] (gpiochip_add_data_with_key+0x8d8/0xa3c)
          [<c0470420>] (gpiochip_add_data_with_key) from [<c0473738>] (gpio_rcar_probe+0x1d4/0x314)
          [<c0473738>] (gpio_rcar_probe) from [<c052fca8>] (platform_drv_probe+0x48/0x94)
      
      and later, if a GPIO consumer tries to use a GPIO from a failed
      controller:
      
          WARNING: CPU: 0 PID: 1 at lib/refcount.c:156 kobject_get+0x38/0x4c
          refcount_t: increment on 0; use-after-free.
          Modules linked in:
          CPU: 0 PID: 1 Comm: swapper/0 Not tainted 5.1.0-rc2-koelsch+ #407
          Hardware name: Generic R-Car Gen2 (Flattened Device Tree)
          [<c020ec74>] (unwind_backtrace) from [<c020ae58>] (show_stack+0x10/0x14)
          [<c020ae58>] (show_stack) from [<c07c1224>] (dump_stack+0x7c/0x9c)
          [<c07c1224>] (dump_stack) from [<c0221580>] (__warn+0xd0/0xec)
          [<c0221580>] (__warn) from [<c02215e0>] (warn_slowpath_fmt+0x44/0x6c)
          [<c02215e0>] (warn_slowpath_fmt) from [<c07c58fc>] (kobject_get+0x38/0x4c)
          [<c07c58fc>] (kobject_get) from [<c068b3ec>] (of_node_get+0x14/0x1c)
          [<c068b3ec>] (of_node_get) from [<c0686f24>] (of_find_node_by_phandle+0xc0/0xf0)
          [<c0686f24>] (of_find_node_by_phandle) from [<c0686fbc>] (of_phandle_iterator_next+0x68/0x154)
          [<c0686fbc>] (of_phandle_iterator_next) from [<c0687fe4>] (__of_parse_phandle_with_args+0x40/0xd0)
          [<c0687fe4>] (__of_parse_phandle_with_args) from [<c0688204>] (of_parse_phandle_with_args_map+0x100/0x3ac)
          [<c0688204>] (of_parse_phandle_with_args_map) from [<c0471240>] (of_get_named_gpiod_flags+0x38/0x380)
          [<c0471240>] (of_get_named_gpiod_flags) from [<c046f864>] (gpiod_get_from_of_node+0x24/0xd8)
          [<c046f864>] (gpiod_get_from_of_node) from [<c0470aa4>] (devm_fwnode_get_index_gpiod_from_child+0xa0/0x144)
          [<c0470aa4>] (devm_fwnode_get_index_gpiod_from_child) from [<c05f425c>] (gpio_keys_probe+0x418/0x7bc)
          [<c05f425c>] (gpio_keys_probe) from [<c052fca8>] (platform_drv_probe+0x48/0x94)
      
      Fix this by splitting the cleanup block, and adding a missing call to
      gpiochip_irqchip_remove().
      
      Fixes: 28355f81 ("gpio: defer probe if pinctrl cannot be found")
      Signed-off-by: default avatarGeert Uytterhoeven <geert+renesas@glider.be>
      Reviewed-by: default avatarMukesh Ojha <mojha@codeaurora.org>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      35779890
    • Thomas Hellstrom's avatar
      drm/vmwgfx: Fix dma API layer violation · 81103355
      Thomas Hellstrom authored
      Remove the check for IOMMU presence since it was considered a
      layer violation.
      This means we have no reliable way to destinguish between coherent
      hardware IOMMU DMA address translations and incoherent SWIOTLB DMA
      address translations, which we can't handle. So always presume the
      former. This means that if anybody forces SWIOTLB without also setting
      the vmw_force_coherent=1 vmwgfx option, driver operation will fail,
      like it will on most other graphics drivers.
      Signed-off-by: default avatarThomas Hellstrom <thellstrom@vmware.com>
      Reviewed-by: default avatarChristoph Hellwig <hch@lst.de>
      81103355
  3. 24 Apr, 2019 20 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · cd8dead0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Just the usual assortment of small'ish fixes:
      
         1) Conntrack timeout is sometimes not initialized properly, from
            Alexander Potapenko.
      
         2) Add a reasonable range limit to tcp_min_rtt_wlen to avoid
            undefined behavior. From ZhangXiaoxu.
      
         3) des1 field of descriptor in stmmac driver is initialized with the
            wrong variable. From Yue Haibing.
      
         4) Increase mlxsw pci sw reset timeout a little bit more, from Ido
            Schimmel.
      
         5) Match IOT2000 stmmac devices more accurately, from Su Bao Cheng.
      
         6) Fallback refcount fix in TLS code, from Jakub Kicinski.
      
         7) Fix max MTU check when using XDP in mlx5, from Maxim Mikityanskiy.
      
         8) Fix recursive locking in team driver, from Hangbin Liu.
      
         9) Fix tls_set_device_offload_Rx() deadlock, from Jakub Kicinski.
      
        10) Don't use napi_alloc_frag() outside of softiq context of socionext
            driver, from Ilias Apalodimas.
      
        11) MAC address increment overflow in ncsi, from Tao Ren.
      
        12) Fix a regression in 8K/1M pool switching of RDS, from Zhu Yanjun.
      
        13) ipv4_link_failure has to validate the headers that are actually
            there because RAW sockets can pass in arbitrary garbage, from Eric
            Dumazet"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (43 commits)
        ipv4: add sanity checks in ipv4_link_failure()
        net/rose: fix unbound loop in rose_loopback_timer()
        rxrpc: fix race condition in rxrpc_input_packet()
        net: rds: exchange of 8K and 1M pool
        net: vrf: Fix operation not supported when set vrf mac
        net/ncsi: handle overflow when incrementing mac address
        net: socionext: replace napi_alloc_frag with the netdev variant on init
        net: atheros: fix spelling mistake "underun" -> "underrun"
        spi: ST ST95HF NFC: declare missing of table
        spi: Micrel eth switch: declare missing of table
        net: stmmac: move stmmac_check_ether_addr() to driver probe
        netfilter: fix nf_l4proto_log_invalid to log invalid packets
        netfilter: never get/set skb->tstamp
        netfilter: ebtables: CONFIG_COMPAT: drop a bogus WARN_ON
        Documentation: decnet: remove reference to CONFIG_DECNET_ROUTE_FWMARK
        dt-bindings: add an explanation for internal phy-mode
        net/tls: don't leak IV and record seq when offload fails
        net/tls: avoid potential deadlock in tls_set_device_offload_rx()
        selftests/net: correct the return value for run_afpackettests
        team: fix possible recursive locking when add slaves
        ...
      cd8dead0
    • Linus Torvalds's avatar
      Merge tag 'leds-for-5.1-rc7' of... · 11bfe647
      Linus Torvalds authored
      Merge tag 'leds-for-5.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED update from Jacek Anaszewski:
       "A single change to MAINTAINERS:
      
        We announce a new LED reviewer - Dan Murphy"
      
      * tag 'leds-for-5.1-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        MAINTAINERS: LEDs: Add designated reviewer for LED subsystem
      11bfe647
    • Eric Dumazet's avatar
      ipv4: add sanity checks in ipv4_link_failure() · 20ff83f1
      Eric Dumazet authored
      Before calling __ip_options_compile(), we need to ensure the network
      header is a an IPv4 one, and that it is already pulled in skb->head.
      
      RAW sockets going through a tunnel can end up calling ipv4_link_failure()
      with total garbage in the skb, or arbitrary lengthes.
      
      syzbot report :
      
      BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:355 [inline]
      BUG: KASAN: stack-out-of-bounds in __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
      Write of size 69 at addr ffff888096abf068 by task syz-executor.4/9204
      
      CPU: 0 PID: 9204 Comm: syz-executor.4 Not tainted 5.1.0-rc5+ #77
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187
       kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
       check_memory_region_inline mm/kasan/generic.c:185 [inline]
       check_memory_region+0x123/0x190 mm/kasan/generic.c:191
       memcpy+0x38/0x50 mm/kasan/common.c:133
       memcpy include/linux/string.h:355 [inline]
       __ip_options_echo+0x294/0x1120 net/ipv4/ip_options.c:123
       __icmp_send+0x725/0x1400 net/ipv4/icmp.c:695
       ipv4_link_failure+0x29f/0x550 net/ipv4/route.c:1204
       dst_link_failure include/net/dst.h:427 [inline]
       vti6_xmit net/ipv6/ip6_vti.c:514 [inline]
       vti6_tnl_xmit+0x10d4/0x1c0c net/ipv6/ip6_vti.c:553
       __netdev_start_xmit include/linux/netdevice.h:4414 [inline]
       netdev_start_xmit include/linux/netdevice.h:4423 [inline]
       xmit_one net/core/dev.c:3292 [inline]
       dev_hard_start_xmit+0x1b2/0x980 net/core/dev.c:3308
       __dev_queue_xmit+0x271d/0x3060 net/core/dev.c:3878
       dev_queue_xmit+0x18/0x20 net/core/dev.c:3911
       neigh_direct_output+0x16/0x20 net/core/neighbour.c:1527
       neigh_output include/net/neighbour.h:508 [inline]
       ip_finish_output2+0x949/0x1740 net/ipv4/ip_output.c:229
       ip_finish_output+0x73c/0xd50 net/ipv4/ip_output.c:317
       NF_HOOK_COND include/linux/netfilter.h:278 [inline]
       ip_output+0x21f/0x670 net/ipv4/ip_output.c:405
       dst_output include/net/dst.h:444 [inline]
       NF_HOOK include/linux/netfilter.h:289 [inline]
       raw_send_hdrinc net/ipv4/raw.c:432 [inline]
       raw_sendmsg+0x1d2b/0x2f20 net/ipv4/raw.c:663
       inet_sendmsg+0x147/0x5d0 net/ipv4/af_inet.c:798
       sock_sendmsg_nosec net/socket.c:651 [inline]
       sock_sendmsg+0xdd/0x130 net/socket.c:661
       sock_write_iter+0x27c/0x3e0 net/socket.c:988
       call_write_iter include/linux/fs.h:1866 [inline]
       new_sync_write+0x4c7/0x760 fs/read_write.c:474
       __vfs_write+0xe4/0x110 fs/read_write.c:487
       vfs_write+0x20c/0x580 fs/read_write.c:549
       ksys_write+0x14f/0x2d0 fs/read_write.c:599
       __do_sys_write fs/read_write.c:611 [inline]
       __se_sys_write fs/read_write.c:608 [inline]
       __x64_sys_write+0x73/0xb0 fs/read_write.c:608
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      RIP: 0033:0x458c29
      Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00
      RSP: 002b:00007f293b44bc78 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458c29
      RDX: 0000000000000014 RSI: 00000000200002c0 RDI: 0000000000000003
      RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000000 R11: 0000000000000246 R12: 00007f293b44c6d4
      R13: 00000000004c8623 R14: 00000000004ded68 R15: 00000000ffffffff
      
      The buggy address belongs to the page:
      page:ffffea00025aafc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0
      flags: 0x1fffc0000000000()
      raw: 01fffc0000000000 0000000000000000 ffffffff025a0101 0000000000000000
      raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000
      page dumped because: kasan: bad access detected
      
      Memory state around the buggy address:
       ffff888096abef80: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 f2
       ffff888096abf000: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
      >ffff888096abf080: 00 00 f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00
                               ^
       ffff888096abf100: 00 00 00 00 f1 f1 f1 f1 00 00 f3 f3 00 00 00 00
       ffff888096abf180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      
      Fixes: ed0de45a ("ipv4: recompile ip options in ipv4_link_failure")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Stephen Suryaputra <ssuryaextr@gmail.com>
      Acked-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      20ff83f1
    • Eric Dumazet's avatar
      net/rose: fix unbound loop in rose_loopback_timer() · 0453c682
      Eric Dumazet authored
      This patch adds a limit on the number of skbs that fuzzers can queue
      into loopback_queue. 1000 packets for rose loopback seems more than enough.
      
      Then, since we now have multiple cpus in most linux hosts,
      we also need to limit the number of skbs rose_loopback_timer()
      can dequeue at each round.
      
      rose_loopback_queue() can be drop-monitor friendly, calling
      consume_skb() or kfree_skb() appropriately.
      
      Finally, use mod_timer() instead of del_timer() + add_timer()
      
      syzbot report was :
      
      rcu: INFO: rcu_preempt self-detected stall on CPU
      rcu:    0-...!: (10499 ticks this GP) idle=536/1/0x4000000000000002 softirq=103291/103291 fqs=34
      rcu:     (t=10500 jiffies g=140321 q=323)
      rcu: rcu_preempt kthread starved for 10426 jiffies! g140321 f0x0 RCU_GP_WAIT_FQS(5) ->state=0x402 ->cpu=1
      rcu: RCU grace-period kthread stack dump:
      rcu_preempt     I29168    10      2 0x80000000
      Call Trace:
       context_switch kernel/sched/core.c:2877 [inline]
       __schedule+0x813/0x1cc0 kernel/sched/core.c:3518
       schedule+0x92/0x180 kernel/sched/core.c:3562
       schedule_timeout+0x4db/0xfd0 kernel/time/timer.c:1803
       rcu_gp_fqs_loop kernel/rcu/tree.c:1971 [inline]
       rcu_gp_kthread+0x962/0x17b0 kernel/rcu/tree.c:2128
       kthread+0x357/0x430 kernel/kthread.c:253
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
      NMI backtrace for cpu 0
      CPU: 0 PID: 7632 Comm: kworker/0:4 Not tainted 5.1.0-rc5+ #172
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      Workqueue: events iterate_cleanup_work
      Call Trace:
       <IRQ>
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x172/0x1f0 lib/dump_stack.c:113
       nmi_cpu_backtrace.cold+0x63/0xa4 lib/nmi_backtrace.c:101
       nmi_trigger_cpumask_backtrace+0x1be/0x236 lib/nmi_backtrace.c:62
       arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38
       trigger_single_cpu_backtrace include/linux/nmi.h:164 [inline]
       rcu_dump_cpu_stacks+0x183/0x1cf kernel/rcu/tree.c:1223
       print_cpu_stall kernel/rcu/tree.c:1360 [inline]
       check_cpu_stall kernel/rcu/tree.c:1434 [inline]
       rcu_pending kernel/rcu/tree.c:3103 [inline]
       rcu_sched_clock_irq.cold+0x500/0xa4a kernel/rcu/tree.c:2544
       update_process_times+0x32/0x80 kernel/time/timer.c:1635
       tick_sched_handle+0xa2/0x190 kernel/time/tick-sched.c:161
       tick_sched_timer+0x47/0x130 kernel/time/tick-sched.c:1271
       __run_hrtimer kernel/time/hrtimer.c:1389 [inline]
       __hrtimer_run_queues+0x33e/0xde0 kernel/time/hrtimer.c:1451
       hrtimer_interrupt+0x314/0x770 kernel/time/hrtimer.c:1509
       local_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1035 [inline]
       smp_apic_timer_interrupt+0x120/0x570 arch/x86/kernel/apic/apic.c:1060
       apic_timer_interrupt+0xf/0x20 arch/x86/entry/entry_64.S:807
      RIP: 0010:__sanitizer_cov_trace_pc+0x0/0x50 kernel/kcov.c:95
      Code: 89 25 b4 6e ec 08 41 bc f4 ff ff ff e8 cd 5d ea ff 48 c7 05 9e 6e ec 08 00 00 00 00 e9 a4 e9 ff ff 90 90 90 90 90 90 90 90 90 <55> 48 89 e5 48 8b 75 08 65 48 8b 04 25 00 ee 01 00 65 8b 15 c8 60
      RSP: 0018:ffff8880ae807ce0 EFLAGS: 00000286 ORIG_RAX: ffffffffffffff13
      RAX: ffff88806fd40640 RBX: dffffc0000000000 RCX: ffffffff863fbc56
      RDX: 0000000000000100 RSI: ffffffff863fbc1d RDI: ffff88808cf94228
      RBP: ffff8880ae807d10 R08: ffff88806fd40640 R09: ffffed1015d00f8b
      R10: ffffed1015d00f8a R11: 0000000000000003 R12: ffff88808cf941c0
      R13: 00000000fffff034 R14: ffff8882166cd840 R15: 0000000000000000
       rose_loopback_timer+0x30d/0x3f0 net/rose/rose_loopback.c:91
       call_timer_fn+0x190/0x720 kernel/time/timer.c:1325
       expire_timers kernel/time/timer.c:1362 [inline]
       __run_timers kernel/time/timer.c:1681 [inline]
       __run_timers kernel/time/timer.c:1649 [inline]
       run_timer_softirq+0x652/0x1700 kernel/time/timer.c:1694
       __do_softirq+0x266/0x95a kernel/softirq.c:293
       do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1027
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0453c682
    • Eric Dumazet's avatar
      rxrpc: fix race condition in rxrpc_input_packet() · 032be5f1
      Eric Dumazet authored
      After commit 5271953c ("rxrpc: Use the UDP encap_rcv hook"),
      rxrpc_input_packet() is directly called from lockless UDP receive
      path, under rcu_read_lock() protection.
      
      It must therefore use RCU rules :
      
      - udp_sk->sk_user_data can be cleared at any point in this function.
        rcu_dereference_sk_user_data() is what we need here.
      
      - Also, since sk_user_data might have been set in rxrpc_open_socket()
        we must observe a proper RCU grace period before kfree(local) in
        rxrpc_lookup_local()
      
      v4: @local can be NULL in xrpc_lookup_local() as reported by kbuild test robot <lkp@intel.com>
              and Julia Lawall <julia.lawall@lip6.fr>, thanks !
      
      v3,v2 : addressed David Howells feedback, thanks !
      
      syzbot reported :
      
      kasan: CONFIG_KASAN_INLINE enabled
      kasan: GPF could be caused by NULL-ptr deref or user memory access
      general protection fault: 0000 [#1] PREEMPT SMP KASAN
      CPU: 0 PID: 19236 Comm: syz-executor703 Not tainted 5.1.0-rc6 #79
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
      RIP: 0010:__lock_acquire+0xbef/0x3fb0 kernel/locking/lockdep.c:3573
      Code: 00 0f 85 a5 1f 00 00 48 81 c4 10 01 00 00 5b 41 5c 41 5d 41 5e 41 5f 5d c3 48 b8 00 00 00 00 00 fc ff df 4c 89 ea 48 c1 ea 03 <80> 3c 02 00 0f 85 4a 21 00 00 49 81 7d 00 20 54 9c 89 0f 84 cf f4
      RSP: 0018:ffff88809d7aef58 EFLAGS: 00010002
      RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
      RDX: 0000000000000026 RSI: 0000000000000000 RDI: 0000000000000001
      RBP: ffff88809d7af090 R08: 0000000000000001 R09: 0000000000000001
      R10: ffffed1015d05bc7 R11: ffff888089428600 R12: 0000000000000000
      R13: 0000000000000130 R14: 0000000000000001 R15: 0000000000000001
      FS:  00007f059044d700(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00000000004b6040 CR3: 00000000955ca000 CR4: 00000000001406f0
      Call Trace:
       lock_acquire+0x16f/0x3f0 kernel/locking/lockdep.c:4211
       __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
       _raw_spin_lock_irqsave+0x95/0xcd kernel/locking/spinlock.c:152
       skb_queue_tail+0x26/0x150 net/core/skbuff.c:2972
       rxrpc_reject_packet net/rxrpc/input.c:1126 [inline]
       rxrpc_input_packet+0x4a0/0x5536 net/rxrpc/input.c:1414
       udp_queue_rcv_one_skb+0xaf2/0x1780 net/ipv4/udp.c:2011
       udp_queue_rcv_skb+0x128/0x730 net/ipv4/udp.c:2085
       udp_unicast_rcv_skb.isra.0+0xb9/0x360 net/ipv4/udp.c:2245
       __udp4_lib_rcv+0x701/0x2ca0 net/ipv4/udp.c:2301
       udp_rcv+0x22/0x30 net/ipv4/udp.c:2482
       ip_protocol_deliver_rcu+0x60/0x8f0 net/ipv4/ip_input.c:208
       ip_local_deliver_finish+0x23b/0x390 net/ipv4/ip_input.c:234
       NF_HOOK include/linux/netfilter.h:289 [inline]
       NF_HOOK include/linux/netfilter.h:283 [inline]
       ip_local_deliver+0x1e9/0x520 net/ipv4/ip_input.c:255
       dst_input include/net/dst.h:450 [inline]
       ip_rcv_finish+0x1e1/0x300 net/ipv4/ip_input.c:413
       NF_HOOK include/linux/netfilter.h:289 [inline]
       NF_HOOK include/linux/netfilter.h:283 [inline]
       ip_rcv+0xe8/0x3f0 net/ipv4/ip_input.c:523
       __netif_receive_skb_one_core+0x115/0x1a0 net/core/dev.c:4987
       __netif_receive_skb+0x2c/0x1c0 net/core/dev.c:5099
       netif_receive_skb_internal+0x117/0x660 net/core/dev.c:5202
       napi_frags_finish net/core/dev.c:5769 [inline]
       napi_gro_frags+0xade/0xd10 net/core/dev.c:5843
       tun_get_user+0x2f24/0x3fb0 drivers/net/tun.c:1981
       tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2027
       call_write_iter include/linux/fs.h:1866 [inline]
       do_iter_readv_writev+0x5e1/0x8e0 fs/read_write.c:681
       do_iter_write fs/read_write.c:957 [inline]
       do_iter_write+0x184/0x610 fs/read_write.c:938
       vfs_writev+0x1b3/0x2f0 fs/read_write.c:1002
       do_writev+0x15e/0x370 fs/read_write.c:1037
       __do_sys_writev fs/read_write.c:1110 [inline]
       __se_sys_writev fs/read_write.c:1107 [inline]
       __x64_sys_writev+0x75/0xb0 fs/read_write.c:1107
       do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 5271953c ("rxrpc: Use the UDP encap_rcv hook")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Acked-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      032be5f1
    • Dan Murphy's avatar
      MAINTAINERS: LEDs: Add designated reviewer for LED subsystem · 52fb56f7
      Dan Murphy authored
      Add a designated reviewer for the LED subsystem as there
      are already two maintainers assigned.
      Signed-off-by: default avatarDan Murphy <dmurphy@ti.com>
      Acked-by: default avatarPavel Machek <pavel@ucw.cz>
      Signed-off-by: default avatarJacek Anaszewski <jacek.anaszewski@gmail.com>
      52fb56f7
    • Zhu Yanjun's avatar
      net: rds: exchange of 8K and 1M pool · 4b9fc714
      Zhu Yanjun authored
      Before the commit 490ea596 ("RDS: IB: move FMR code to its own file"),
      when the dirty_count is greater than 9/10 of max_items of 8K pool,
      1M pool is used, Vice versa. After the commit 490ea596 ("RDS: IB: move
      FMR code to its own file"), the above is removed. When we make the
      following tests.
      
      Server:
        rds-stress -r 1.1.1.16 -D 1M
      
      Client:
        rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M
      
      The following will appear.
      "
      connecting to 1.1.1.16:4000
      negotiated options, tasks will start in 2 seconds
      Starting up..header from 1.1.1.166:4001 to id 4001 bogus
      ..
      tsks  tx/s  rx/s tx+rx K/s  mbi K/s  mbo K/s tx us/c  rtt us
      cpu %
         1    0    0     0.00     0.00     0.00    0.00 0.00 -1.00
         1    0    0     0.00     0.00     0.00    0.00 0.00 -1.00
         1    0    0     0.00     0.00     0.00    0.00 0.00 -1.00
         1    0    0     0.00     0.00     0.00    0.00 0.00 -1.00
         1    0    0     0.00     0.00     0.00    0.00 0.00 -1.00
      ...
      "
      So this exchange between 8K and 1M pool is added back.
      
      Fixes: commit 490ea596 ("RDS: IB: move FMR code to its own file")
      Signed-off-by: default avatarZhu Yanjun <yanjun.zhu@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4b9fc714
    • Miaohe Lin's avatar
      net: vrf: Fix operation not supported when set vrf mac · 6819e3f6
      Miaohe Lin authored
      Vrf device is not able to change mac address now because lack of
      ndo_set_mac_address. Complete this in case some apps need to do
      this.
      Reported-by: default avatarHui Wang <wanghui104@huawei.com>
      Signed-off-by: default avatarMiaohe Lin <linmiaohe@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6819e3f6
    • Jérôme Glisse's avatar
      cifs: fix page reference leak with readv/writev · 13f5938d
      Jérôme Glisse authored
      CIFS can leak pages reference gotten through GUP (get_user_pages*()
      through iov_iter_get_pages()). This happen if cifs_send_async_read()
      or cifs_write_from_iter() calls fail from within __cifs_readv() and
      __cifs_writev() respectively. This patch move page unreference to
      cifs_aio_ctx_release() which will happens on all code paths this is
      all simpler to follow for correctness.
      Signed-off-by: default avatarJérôme Glisse <jglisse@redhat.com>
      Cc: Steve French <sfrench@samba.org>
      Cc: linux-cifs@vger.kernel.org
      Cc: samba-technical@lists.samba.org
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: linux-fsdevel@vger.kernel.org
      Cc: Linus Torvalds <torvalds@linux-foundation.org>
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      13f5938d
    • Frank Sorenson's avatar
      cifs: do not attempt cifs operation on smb2+ rename error · 652727bb
      Frank Sorenson authored
      A path-based rename returning EBUSY will incorrectly try opening
      the file with a cifs (NT Create AndX) operation on an smb2+ mount,
      which causes the server to force a session close.
      
      If the mount is smb2+, skip the fallback.
      Signed-off-by: default avatarFrank Sorenson <sorenson@redhat.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      CC: Stable <stable@vger.kernel.org>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      652727bb
    • Ronnie Sahlberg's avatar
      cifs: fix memory leak in SMB2_read · 05fd5c2c
      Ronnie Sahlberg authored
      Commit 088aaf17 introduced a leak where
      if SMB2_read() returned an error we would return without freeing the
      request buffer.
      
      Cc: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      05fd5c2c
    • Maarten Lankhorst's avatar
      drm/vc4: Fix compilation error reported by kbuild test bot · 462ce5d9
      Maarten Lankhorst authored
      A pointer to crtc was missing, resulting in the following build error:
      drivers/gpu/drm/vc4/vc4_crtc.c:1045:44: sparse: sparse: incorrect type in argument 1 (different base types)
      drivers/gpu/drm/vc4/vc4_crtc.c:1045:44: sparse:    expected struct drm_crtc *crtc
      drivers/gpu/drm/vc4/vc4_crtc.c:1045:44: sparse:    got struct drm_crtc_state *state
      drivers/gpu/drm/vc4/vc4_crtc.c:1045:39: sparse: sparse: not enough arguments for function vc4_crtc_destroy_state
      Signed-off-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Reported-by: default avatarkbuild test robot <lkp@intel.com>
      Cc: Eric Anholt <eric@anholt.net>
      Link: https://patchwork.freedesktop.org/patch/msgid/2b6ed5e6-81b0-4276-8860-870b54ca3262@linux.intel.com
      Fixes: d0810679 ("drm/vc4: Fix memory leak during gpu reset.")
      Cc: <stable@vger.kernel.org> # v4.6+
      Acked-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      462ce5d9
    • Paul Kocialkowski's avatar
      drm/sun4i: Unbind components before releasing DRM and memory · e02bc29b
      Paul Kocialkowski authored
      Our components may still be using the DRM device driver (if only to
      access our driver's private data), so make sure to unbind them before
      the final drm_dev_put.
      
      Also release our reserved memory after component unbind instead of
      before to match reverse creation order.
      
      Fixes: f5a9ed86 ("drm/sun4i: Fix component unbinding and component master deletion")
      Signed-off-by: default avatarPaul Kocialkowski <paul.kocialkowski@bootlin.com>
      Reviewed-by: default avatarChen-Yu Tsai <wens@csie.org>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190424090413.6918-1-paul.kocialkowski@bootlin.com
      e02bc29b
    • Maarten Lankhorst's avatar
      drm/vc4: Fix memory leak during gpu reset. · d0810679
      Maarten Lankhorst authored
      __drm_atomic_helper_crtc_destroy_state does not free memory, it only
      cleans it up. Fix this by calling the functions own destroy function.
      
      Fixes: 6d6e5003 ("drm/vc4: Allocate the right amount of space for boot-time CRTC state.")
      Cc: Eric Anholt <eric@anholt.net>
      Cc: <stable@vger.kernel.org> # v4.6+
      Reviewed-by: default avatarEric Anholt <eric@anholt.net>
      Signed-off-by: default avatarMaarten Lankhorst <maarten.lankhorst@linux.intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20190301125627.7285-2-maarten.lankhorst@linux.intel.com
      d0810679
    • Tao Ren's avatar
      net/ncsi: handle overflow when incrementing mac address · 1c5c12ee
      Tao Ren authored
      Previously BMC's MAC address is calculated by simply adding 1 to the
      last byte of network controller's MAC address, and it produces incorrect
      result when network controller's MAC address ends with 0xFF.
      
      The problem can be fixed by calling eth_addr_inc() function to increment
      MAC address; besides, the MAC address is also validated before assigning
      to BMC.
      
      Fixes: cb10c7c0 ("net/ncsi: Add NCSI Broadcom OEM command")
      Signed-off-by: default avatarTao Ren <taoren@fb.com>
      Acked-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      Acked-by: default avatarSamuel Mendoza-Jonas <sam@mendozajonas.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1c5c12ee
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-04-24' of git://anongit.freedesktop.org/drm/drm · ba25b50d
      Linus Torvalds authored
      Pull drm regression fixes from Dave Airlie:
       "We interrupt your regularly scheduled drm fixes for a regression
        special.
      
        The first is for a fix in i915 that had unexpected side effects
        fallout in the userspace X.org modesetting driver where X would no
        longer start. I got tired of the nitpicking and issued a large hammer
        on it. The X.org driver is buggy, but blackscreen regressions are
        worse.
      
        The second was an oversight that myself and Gerd should have noticed
        better, Gerd is trying to fix this properly, but the regression is too
        large to leave, even if the original behaviour is bad in some cases,
        it's clearly bad to break a bunch of working use cases.
      
        I'll likely have a regular fixes pull later, but I really wanted to
        highlight these"
      
      * tag 'drm-fixes-2019-04-24' of git://anongit.freedesktop.org/drm/drm:
        Revert "drm/virtio: drop prime import/export callbacks"
        Revert "drm/i915/fbdev: Actually configure untiled displays"
      ba25b50d
    • Ilias Apalodimas's avatar
      net: socionext: replace napi_alloc_frag with the netdev variant on init · ffbf9870
      Ilias Apalodimas authored
      The netdev variant is usable on any context since it disables interrupts.
      The napi variant of the call should only be used within softirq context.
      Replace napi_alloc_frag on driver init with the correct netdev_alloc_frag
      call
      
      Changes since v1:
      - Adjusted commit message
      Acked-by: default avatarArd Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: default avatarJassi Brar <jaswinder.singh@linaro.org>
      Fixes: 4acb20b4 ("net: socionext: different approach on DMA")
      Signed-off-by: default avatarIlias Apalodimas <ilias.apalodimas@linaro.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ffbf9870
    • Colin Ian King's avatar
      net: atheros: fix spelling mistake "underun" -> "underrun" · 66c03171
      Colin Ian King authored
      There are spelling mistakes in structure elements, fix these.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      66c03171
    • Dave Airlie's avatar
      Revert "drm/virtio: drop prime import/export callbacks" · a0cecc23
      Dave Airlie authored
      This patch does more harm than good, as it breaks both Xwayland and
      gnome-shell with X11.
      
      Xwayland requires DRI3 & DRI3 requires PRIME.
      
      X11 crash for obscure double-free reason which are hard to debug
      (starting X11 by hand doesn't trigger the crash).
      
      I don't see an apparent problem implementing those stub prime
      functions, they may return an error at run-time, and it seems to be
      handled fine by GNOME at least.
      
      This reverts commit b318e3ff.
      [airlied:
      This broke userspace for virtio-gpus, and regressed things from DRI3 to DRI2.
      
      This brings back the original problem, but it's better than regressions.]
      
      Fixes: b318e3ff ("drm/virtio: drop prime import/export callbacks")
      Signed-off-by: default avatarMarc-André Lureau <marcandre.lureau@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      a0cecc23
    • Dave Airlie's avatar
      Revert "drm/i915/fbdev: Actually configure untiled displays" · 9fa24625
      Dave Airlie authored
      This reverts commit d179b88d.
      
      This commit is documented to break userspace X.org modesetting driver in certain configurations.
      
      The X.org modesetting userspace driver is broken. No fixes are available yet. In order for this patch to be applied it either needs a config option or a workaround developed.
      
      This has been reported a few times, saying it's a userspace problem is clearly against the regression rules.
      
      Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=109806Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      Cc: <stable@vger.kernel.org> # v3.19+
      9fa24625
  4. 23 Apr, 2019 1 commit
    • Linus Torvalds's avatar
      Merge tag 'nfsd-5.1-1' of git://linux-nfs.org/~bfields/linux · 12a54b15
      Linus Torvalds authored
      Pull nfsd bugfixes from Bruce Fields:
       "Fix miscellaneous nfsd bugs, in NFSv4.1 callbacks, NFSv4.1
        lock-notification callbacks, NFSv3 readdir encoding, and the
        cache/upcall code"
      
      * tag 'nfsd-5.1-1' of git://linux-nfs.org/~bfields/linux:
        nfsd: wake blocked file lock waiters before sending callback
        nfsd: wake waiters blocked on file_lock before deleting it
        nfsd: Don't release the callback slot unless it was actually held
        nfsd/nfsd3_proc_readdir: fix buffer count and page pointers
        sunrpc: don't mark uninitialised items as VALID.
      12a54b15