1. 03 May, 2016 14 commits
    • Sowmini Varadhan's avatar
      RDS:TCP: Synchronize rds_tcp_accept_one with rds_send_xmit when resetting t_sock · eb192840
      Sowmini Varadhan authored
      There is a race condition between rds_send_xmit -> rds_tcp_xmit
      and the code that deals with resolution of duelling syns added
      by commit 241b2719 ("RDS-TCP: Reset tcp callbacks if re-using an
      outgoing socket in rds_tcp_accept_one()").
      
      Specifically, we may end up derefencing a null pointer in rds_send_xmit
      if we have the interleaving sequence:
                 rds_tcp_accept_one                  rds_send_xmit
      
                                                   conn is RDS_CONN_UP, so
          					 invoke rds_tcp_xmit
      
                                                   tc = conn->c_transport_data
              rds_tcp_restore_callbacks
                  /* reset t_sock */
          					 null ptr deref from tc->t_sock
      
      The race condition can be avoided without adding the overhead of
      additional locking in the xmit path: have rds_tcp_accept_one wait
      for rds_tcp_xmit threads to complete before resetting callbacks.
      The synchronization can be done in the same manner as rds_conn_shutdown().
      First set the rds_conn_state to something other than RDS_CONN_UP
      (so that new threads cannot get into rds_tcp_xmit()), then wait for
      RDS_IN_XMIT to be cleared in the conn->c_flags indicating that any
      threads in rds_tcp_xmit are done.
      
      Fixes: 241b2719 ("RDS-TCP: Reset tcp callbacks if re-using an
      outgoing socket in rds_tcp_accept_one()")
      Signed-off-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb192840
    • David S. Miller's avatar
      Merge branch 'tunnel-csum-and-sg-offloads' · 42c8819b
      David S. Miller authored
      Alexander Duyck says:
      
      ====================
      Fixes for tunnel checksum and segmentation offloads
      
      This patch series is a subset of patches I had submitted for net-next.  I
      plan to drop these two patches from the v3 of "Fix Tunnel features and
      enable GSO partial for several drivers" and I am instead submitting them
      for net since these are truly fixes and likely will need to be backported
      to stable branches.
      
      This series addresses 2 specific issues.  The first is that we could
      request TSO on a v4 inner header while not supporting checksum offload of
      the outer IPv6 header.  The second is that we could request an IPv6 inner
      checksum offload without validating that we could actually support an inner
      IPv6 checksum offload.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      42c8819b
    • Alexander Duyck's avatar
      vxlan: Add checksum check to the features check function · af67eb9e
      Alexander Duyck authored
      We need to perform an additional check on the inner headers to determine if
      we can offload the checksum for them.  Previously this check didn't occur
      so we would generate an invalid frame in the case of an IPv6 header
      encapsulated inside of an IPv4 tunnel.  To fix this I added a secondary
      check to vxlan_features_check so that we can verify that we can offload the
      inner checksum.
      Signed-off-by: default avatarAlexander Duyck <aduyck@mirantis.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af67eb9e
    • Alexander Duyck's avatar
      net: Disable segmentation if checksumming is not supported · 996e8021
      Alexander Duyck authored
      In the case of the mlx4 and mlx5 driver they do not support IPv6 checksum
      offload for tunnels.  With this being the case we should disable GSO in
      addition to the checksum offload features when we find that a device cannot
      perform a checksum on a given packet type.
      Signed-off-by: default avatarAlexander Duyck <aduyck@mirantis.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      996e8021
    • Anna-Maria Gleixner's avatar
      net: mvneta: Remove superfluous SMP function call · 0e28bf93
      Anna-Maria Gleixner authored
      Since commit 3b9d6da6 ("cpu/hotplug: Fix rollback during error-out
      in __cpu_disable()") it is ensured that callbacks of CPU_ONLINE and
      CPU_DOWN_PREPARE are processed on the hotplugged CPU. Due to this SMP
      function calls are no longer required.
      
      Replace smp_call_function_single() with a direct call to
      mvneta_percpu_enable() or mvneta_percpu_disable(). The functions do
      not require to be called with interrupts disabled, therefore the
      smp_call_function_single() calling convention is not preserved.
      
      Cc: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarAnna-Maria Gleixner <anna-maria@linutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0e28bf93
    • Sergei Shtylyov's avatar
      macb: fix mdiobus_scan() error check · ce24c2b8
      Sergei Shtylyov authored
      Now mdiobus_scan() returns ERR_PTR(-ENODEV) instead of NULL if the PHY
      device ID was read as all ones. As this was not  an error before, this
      value  should be filtered out now in this driver.
      
      Fixes: b74766a0 ("phylib: don't return NULL from get_phy_device()")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Acked-by: default avatarNicolas Ferre <nicolas.ferre@atmel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ce24c2b8
    • Sergei Shtylyov's avatar
      pxa168_eth: fix mdiobus_scan() error check · 6dd74542
      Sergei Shtylyov authored
      Since mdiobus_scan() returns either an error code or NULL on error, the
      driver should check  for both,  not only for NULL, otherwise a crash is
      imminent...
      Reported-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6dd74542
    • David S. Miller's avatar
      Merge branch 'mlx5-fixes' · 3df8f4c6
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox 100G mlx5 fixes for 4.6-rc
      
      This small series provides some bug fixes for mlx5 driver.
      
      A small bug fix for iounmap of a null pointer, which dumps a warning on some archs.
      
      One patch to fix the VXLAN/MLX5_EN dependency issue reported by Arnd.
      
      Two patches to fix the scheduling while atomic issue for ndo_add/del_vxlan_port
      NDOs.  The first will add an internal mlx5e workqueue and the second will
      delegate vxlan ports add/del requests to that workqueue.
      
      Note: ('net/mlx5: Kconfig: Fix MLX5_EN/VXLAN build issue') is only needed for net
      and not net-next as the issue was globally fixed for all device drivers by:
      b7aade15 ('vxlan: break dependency with netdev drivers') in net-next.
      
      Applied on top: f27337e1 ('ip_tunnel: fix preempt warning in ip tunnel creation/updating')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3df8f4c6
    • Matthew Finlay's avatar
      net/mlx5e: Use workqueue for vxlan ops · d8cf2dda
      Matthew Finlay authored
      The vxlan add/delete port NDOs are called under rcu lock.
      The current mlx5e implementation can potentially block in these
      calls, which is not allowed.  Move to using the mlx5e workqueue
      to handle these NDOs.
      
      Fixes: b3f63c3d ('net/mlx5e: Add netdev support for VXLAN tunneling')
      Signed-off-by: default avatarMatthew Finlay <matt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d8cf2dda
    • Matthew Finlay's avatar
      net/mlx5e: Implement a mlx5e workqueue · 7bb29755
      Matthew Finlay authored
      Implement a mlx5e workqueue to handle all mlx5e specific tasks.  Move
      all tasks currently using the system workqueue to the new workqueue.
      This is in preparation for vxlan using the mlx5e workqueue in order to
      schedule port add/remove operations.
      Signed-off-by: default avatarMatthew Finlay <matt@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7bb29755
    • Matthew Finlay's avatar
      net/mlx5: Kconfig: Fix MLX5_EN/VXLAN build issue · 69976fb1
      Matthew Finlay authored
      When MLX5_EN=y MLX5_CORE=y and VXLAN=m there is a linker error for
      vxlan_get_rx_port() due to the fact that VXLAN is a module. Change Kconfig
      to select VXLAN when MLX5_CORE=y. When MLX5_CORE=m there is no dependency
      on the value of VXLAN.
      
      Fixes: b3f63c3d ('net/mlx5e: Add netdev support for VXLAN tunneling')
      Signed-off-by: default avatarMatthew Finlay <matt@mellanox.com>
      Reported-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69976fb1
    • Gal Pressman's avatar
      net/mlx5: Unmap only the relevant IO memory mapping · 5f8a02a4
      Gal Pressman authored
      When freeing UAR the driver tries to unmap uar->map and uar->bf_map
      which are mutually exclusive thus always unmapping a NULL pointer.
      Make sure we only call iounmap() once, for the actual mapping.
      
      Fixes: 0ba42241 ('net/mlx5: Fix global UAR mapping')
      Signed-off-by: default avatarGal Pressman <galp@mellanox.com>
      Reported-by: default avatarDoron Tsur <doront@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5f8a02a4
    • Neil Horman's avatar
      netem: Segment GSO packets on enqueue · 6071bd1a
      Neil Horman authored
      This was recently reported to me, and reproduced on the latest net kernel,
      when attempting to run netperf from a host that had a netem qdisc attached
      to the egress interface:
      
      [  788.073771] ---------------------[ cut here ]---------------------------
      [  788.096716] WARNING: at net/core/dev.c:2253 skb_warn_bad_offload+0xcd/0xda()
      [  788.129521] bnx2: caps=(0x00000001801949b3, 0x0000000000000000) len=2962
      data_len=0 gso_size=1448 gso_type=1 ip_summed=3
      [  788.182150] Modules linked in: sch_netem kvm_amd kvm crc32_pclmul ipmi_ssif
      ghash_clmulni_intel sp5100_tco amd64_edac_mod aesni_intel lrw gf128mul
      glue_helper ablk_helper edac_mce_amd cryptd pcspkr sg edac_core hpilo ipmi_si
      i2c_piix4 k10temp fam15h_power hpwdt ipmi_msghandler shpchp acpi_power_meter
      pcc_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c
      sd_mod crc_t10dif crct10dif_generic mgag200 syscopyarea sysfillrect sysimgblt
      i2c_algo_bit drm_kms_helper ahci ata_generic pata_acpi ttm libahci
      crct10dif_pclmul pata_atiixp tg3 libata crct10dif_common drm crc32c_intel ptp
      serio_raw bnx2 r8169 hpsa pps_core i2c_core mii dm_mirror dm_region_hash dm_log
      dm_mod
      [  788.465294] CPU: 16 PID: 0 Comm: swapper/16 Tainted: G        W
      ------------   3.10.0-327.el7.x86_64 #1
      [  788.511521] Hardware name: HP ProLiant DL385p Gen8, BIOS A28 12/17/2012
      [  788.542260]  ffff880437c036b8 f7afc56532a53db9 ffff880437c03670
      ffffffff816351f1
      [  788.576332]  ffff880437c036a8 ffffffff8107b200 ffff880633e74200
      ffff880231674000
      [  788.611943]  0000000000000001 0000000000000003 0000000000000000
      ffff880437c03710
      [  788.647241] Call Trace:
      [  788.658817]  <IRQ>  [<ffffffff816351f1>] dump_stack+0x19/0x1b
      [  788.686193]  [<ffffffff8107b200>] warn_slowpath_common+0x70/0xb0
      [  788.713803]  [<ffffffff8107b29c>] warn_slowpath_fmt+0x5c/0x80
      [  788.741314]  [<ffffffff812f92f3>] ? ___ratelimit+0x93/0x100
      [  788.767018]  [<ffffffff81637f49>] skb_warn_bad_offload+0xcd/0xda
      [  788.796117]  [<ffffffff8152950c>] skb_checksum_help+0x17c/0x190
      [  788.823392]  [<ffffffffa01463a1>] netem_enqueue+0x741/0x7c0 [sch_netem]
      [  788.854487]  [<ffffffff8152cb58>] dev_queue_xmit+0x2a8/0x570
      [  788.880870]  [<ffffffff8156ae1d>] ip_finish_output+0x53d/0x7d0
      ...
      
      The problem occurs because netem is not prepared to handle GSO packets (as it
      uses skb_checksum_help in its enqueue path, which cannot manipulate these
      frames).
      
      The solution I think is to simply segment the skb in a simmilar fashion to the
      way we do in __dev_queue_xmit (via validate_xmit_skb), with some minor changes.
      When we decide to corrupt an skb, if the frame is GSO, we segment it, corrupt
      the first segment, and enqueue the remaining ones.
      
      tested successfully by myself on the latest net kernel, to which this applies
      Signed-off-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      CC: Jamal Hadi Salim <jhs@mojatatu.com>
      CC: "David S. Miller" <davem@davemloft.net>
      CC: netem@lists.linux-foundation.org
      CC: eric.dumazet@gmail.com
      CC: stephen@networkplumber.org
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6071bd1a
    • David S. Miller's avatar
      Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 9b40d5aa
      David S. Miller authored
      Antonio Quartulli says:
      
      ====================
      In this small batch of patches you have:
      - a fix for our Distributed ARP Table that makes sure that the input
        provided to the hash function during a query is the same as the one
        provided during an insert (so to prevent false negatives), by Antonio
        Quartulli
      - a fix for our new protocol implementation B.A.T.M.A.N. V that ensures
        that a hard interface is properly re-activated when it is brought down
        and then up again, by Antonio Quartulli
      - two fixes respectively to the reference counting of the tt_local_entry
        and neigh_node objects, by Sven Eckelmann. Such bug is rather severe
        as it would prevent the netdev objects references by batman-adv from
        being released after shutdown.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9b40d5aa
  2. 02 May, 2016 9 commits
    • Linus Torvalds's avatar
      Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs · 33656a1f
      Linus Torvalds authored
      Pull UDF fix from Jan Kara:
       "A fix of a regression in UDF that got introduced in 4.6-rc1 by one of
        the charset encoding fixes"
      
      * 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs:
        udf: Fix conversion of 'dstring' fields to UTF8
      33656a1f
    • Linus Torvalds's avatar
      Merge tag 'gpio-v4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 5f40adbc
      Linus Torvalds authored
      Pull GPIO fixes from Linus Walleij:
       "Here are some late but important fixes for the v4.6 kernel series.
        ACPI and RCAR, so two driver fixes (PM related) and a self-evident
        string lookup fix for ACPI GPIOs:
      
         - A serious ACPI fix targeted for stable: lookup strings were being
           free'd.
      
         - Revert two patches from the RCAR driver"
      
      * tag 'gpio-v4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpiolib-acpi: Duplicate con_id string when adding it to the crs lookup list
        Revert "gpio: rcar: Fine-grained Runtime PM support"
        Revert "gpio: rcar: Add Runtime PM handling for interrupts"
      5f40adbc
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 9c5d1bc2
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) MODULE_FIRMWARE firmware string not correct for iwlwifi 8000 chips,
          from Sara Sharon.
      
       2) Fix SKB size checks in batman-adv stack on receive, from Sven
          Eckelmann.
      
       3) Leak fix on mac80211 interface add error paths, from Johannes Berg.
      
       4) Cannot invoke napi_disable() with BH disabled in myri10ge driver,
          fix from Stanislaw Gruszka.
      
       5) Fix sign extension problem when computing feature masks in
          net_gso_ok(), from Marcelo Ricardo Leitner.
      
       6) lan78xx driver doesn't count packets and packet lengths in its
          statistics properly, fix from Woojung Huh.
      
       7) Fix the buffer allocation sizes in pegasus USB driver, from Petko
          Manolov.
      
       8) Fix refcount overflows in bpf, from Alexei Starovoitov.
      
       9) Unified dst cache handling introduced a preempt warning in
          ip_tunnel, fix by resetting rather then setting the cached route.
          From Paolo Abeni.
      
      10) Listener hash collision test fix in soreuseport, from Craig Gallak
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (47 commits)
        gre: do not pull header in ICMP error processing
        net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case
        tipc: only process unicast on intended node
        cxgb3: fix out of bounds read
        net/smscx5xx: use the device tree for mac address
        soreuseport: Fix TCP listener hash collision
        net: l2tp: fix reversed udp6 checksum flags
        ip_tunnel: fix preempt warning in ip tunnel creation/updating
        samples/bpf: fix trace_output example
        bpf: fix check_map_func_compatibility logic
        bpf: fix refcnt overflow
        drivers: net: cpsw: use of_phy_connect() in fixed-link case
        dt: cpsw: phy-handle, phy_id, and fixed-link are mutually exclusive
        drivers: net: cpsw: don't ignore phy-mode if phy-handle is used
        drivers: net: cpsw: fix segfault in case of bad phy-handle
        drivers: net: cpsw: fix parsing of phy-handle DT property in dual_emac config
        MAINTAINERS: net: Change maintainer for GRETH 10/100/1G Ethernet MAC device driver
        gre: reject GUE and FOU in collect metadata mode
        pegasus: fixes reported packet length
        pegasus: fixes URB buffer allocation size;
        ...
      9c5d1bc2
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc · ba22906a
      Linus Torvalds authored
      Pull sparc fixes from David Miller:
      
       1) Fix panics with SR-IOV, from Babu Moger.
      
       2) Wire up preadv2/pwritev2.
      
       3) Allow proper auto-loading of VIO devices, from John Paul Adrian
          Glaubitz.
      
       4) Recognize Sonoma cpus, from Khalid Aziz.
      
       5) Fix bootup regressions caused by syscall trace fixes made recently.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/sparc:
        sparc64: Fix bootup regressions on some Kconfig combinations.
        sparc64: recognize and support Sonoma CPU type
        sparc: Implement and wire up vio_hotplug for vio.
        sparc: Implement and wire up modalias_show for vio.
        sparc/pci: Refactor dev_archdata initialization into pci_init_dev_archdata
        sparc/defconfigs: Remove CONFIG_IPV6_PRIVACY
        sparc: Write up preadv2/pwritev2 syscalls.
        sparc/PCI: Fix for panic while enabling SR-IOV
      ba22906a
    • Jiri Benc's avatar
      gre: do not pull header in ICMP error processing · b7f8fe25
      Jiri Benc authored
      iptunnel_pull_header expects that IP header was already pulled; with this
      expectation, it pulls the tunnel header. This is not true in gre_err.
      Furthermore, ipv4_update_pmtu and ipv4_redirect expect that skb->data points
      to the IP header.
      
      We cannot pull the tunnel header in this path. It's just a matter of not
      calling iptunnel_pull_header - we don't need any of its effects.
      
      Fixes: bda7bb46 ("gre: Allow multiple protocol listener for gre protocol.")
      Signed-off-by: default avatarJiri Benc <jbenc@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b7f8fe25
    • Tim Bingham's avatar
      net: Implement net_dbg_ratelimited() for CONFIG_DYNAMIC_DEBUG case · 2c94b537
      Tim Bingham authored
      Prior to commit d92cff89 ("net_dbg_ratelimited: turn into no-op
      when !DEBUG") the implementation of net_dbg_ratelimited() was buggy
      for both the DEBUG and CONFIG_DYNAMIC_DEBUG cases.
      
      The bug was that net_ratelimit() was being called and, despite
      returning true, nothing was being printed to the console. This
      resulted in messages like the following -
      
      "net_ratelimit: %d callbacks suppressed"
      
      with no other output nearby.
      
      After commit d92cff89 ("net_dbg_ratelimited: turn into no-op when
      !DEBUG") the bug is fixed for the DEBUG case. However, there's no
      output at all for CONFIG_DYNAMIC_DEBUG case.
      
      This patch restores debug output (if enabled) for the
      CONFIG_DYNAMIC_DEBUG case.
      
      Add a definition of net_dbg_ratelimited() for the CONFIG_DYNAMIC_DEBUG
      case. The implementation takes care to check that dynamic debugging is
      enabled before calling net_ratelimit().
      
      Fixes: d92cff89 ("net_dbg_ratelimited: turn into no-op when !DEBUG")
      Signed-off-by: default avatarTim Bingham <tbingham@akamai.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2c94b537
    • Hamish Martin's avatar
      tipc: only process unicast on intended node · efe79050
      Hamish Martin authored
      We have observed complete lock up of broadcast-link transmission due to
      unacknowledged packets never being removed from the 'transmq' queue. This
      is traced to nodes having their ack field set beyond the sequence number
      of packets that have actually been transmitted to them.
      Consider an example where node 1 has sent 10 packets to node 2 on a
      link and node 3 has sent 20 packets to node 2 on another link. We
      see examples of an ack from node 2 destined for node 3 being treated as
      an ack from node 2 at node 1. This leads to the ack on the node 1 to node
      2 link being increased to 20 even though we have only sent 10 packets.
      When node 1 does get around to sending further packets, none of the
      packets with sequence numbers less than 21 are actually removed from the
      transmq.
      To resolve this we reinstate some code lost in commit d999297c ("tipc:
      reduce locking scope during packet reception") which ensures that only
      messages destined for the receiving node are processed by that node. This
      prevents the sequence numbers from getting out of sync and resolves the
      packet leakage, thereby resolving the broadcast-link transmission
      lock-ups we observed.
      
      While we are aware that this change only patches over a root problem that
      we still haven't identified, this is a sanity test that it is always
      legitimate to do. It will remain in the code even after we identify and
      fix the real problem.
      Reviewed-by: default avatarChris Packham <chris.packham@alliedtelesis.co.nz>
      Reviewed-by: default avatarJohn Thompson <john.thompson@alliedtelesis.co.nz>
      Signed-off-by: default avatarHamish Martin <hamish.martin@alliedtelesis.co.nz>
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      efe79050
    • Michal Schmidt's avatar
      cxgb3: fix out of bounds read · 0b86a2a1
      Michal Schmidt authored
      An out of bounds read of 2 bytes was discovered in cxgb3 with KASAN.
      
      t3_config_rss() expects both arrays it gets as parameters to have
      terminators. setup_rss(), the caller, forgets to add a terminator to
      one of the arrays. Thankfully the iteration in t3_config_rss() stops
      anyway, but in the last iteration the check for the terminator
      is an out of bounds read.
      
      Add the missing terminator to rspq_map[].
      Reported-by: default avatarJan Stancek <jstancek@redhat.com>
      Signed-off-by: default avatarMichal Schmidt <mschmidt@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0b86a2a1
    • Arnd Bergmann's avatar
      net/smscx5xx: use the device tree for mac address · c489565b
      Arnd Bergmann authored
      This takes the MAC address for smsc75xx/smsc95xx USB network devices
      from a the device tree. This is required to get a usable persistent
      address on the popular beagleboard, whose hardware designers
      accidentally forgot that an ethernet device really requires an a
      MAC address to be functional.
      
      The Raspberry Pi also ships smsc9514 without a serial EEPROM, stores
      the MAC address in ROM accessible via VC4 firmware.
      
      The smsc75xx and smsc95xx drivers are just two copies of the
      same code, so better fix both.
      
      [lkundrak@v3.sk: updated to use of_get_property() as per suggestion from
      Arnd, reworded the message and comments a bit]
      Tested-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarLubomir Rintel <lkundrak@v3.sk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c489565b
  3. 01 May, 2016 4 commits
  4. 30 Apr, 2016 7 commits
    • Ville Syrjälä's avatar
      gpiolib-acpi: Duplicate con_id string when adding it to the crs lookup list · 7df89e92
      Ville Syrjälä authored
      Calling gpiod_get() from a module and then unloading the module leads to an
      oops due to acpi_can_fallback_to_crs() storing the pointer to the passed
      'con_id' string onto acpi_crs_lookup_list. The next guy to come along will then
      try to access the string but the memory may now be gone with the module.
      Make a copy of the passed string instead, and store the copy on the list.
      
      BUG: unable to handle kernel paging request at ffffffffa03e7855
      IP: [<ffffffff81338322>] strcmp+0x12/0x30
      PGD 2a07067 PUD 2a08063 PMD 74720067 PTE 0
      Oops: 0000 [#1] PREEMPT SMP
      Modules linked in: i915(+) drm_kms_helper drm intel_gtt snd_hda_codec snd_hda_core i2c_algo_bit syscopya
      rea sysfillrect sysimgblt fb_sys_fops agpgart snd_soc_sst_bytcr_rt5640 coretemp hwmon intel_rapl intel_soc_dts_thermal
      punit_atom_debug snd_soc_rt5640 snd_soc_rl6231 serio snd_intel_sst_acpi snd_intel_sst_core video snd_soc_sst_mfld_platf
      orm snd_soc_sst_match backlight int3402_thermal processor_thermal_device int3403_thermal int3400_thermal acpi_thermal_r
      el snd_soc_core intel_soc_dts_iosf int340x_thermal_zone snd_compress i2c_hid hid snd_pcm snd_timer snd soundcore evdev
      sch_fq_codel efivarfs ipv6 autofs4 [last unloaded: drm]
      CPU: 2 PID: 3064 Comm: modprobe Tainted: G     U  W       4.6.0-rc3-ffrd-ipvr+ #302
      Hardware name: Intel Corp. VALLEYVIEW C0 PLATFORM/BYT-T FFD8, BIOS BLAKFF81.X64.0088.R10.1403240443 FFD8
      _X64_R_2014_13_1_00 03/24/2014
      task: ffff8800701cd200 ti: ffff880070034000 task.ti: ffff880070034000
      RIP: 0010:[<ffffffff81338322>]  [<ffffffff81338322>] strcmp+0x12/0x30
      RSP: 0000:ffff880070037748  EFLAGS: 00010286
      RAX: 0000000080000000 RBX: ffff88007a342800 RCX: 0000000000000006
      RDX: 0000000000000006 RSI: ffffffffa054f856 RDI: ffffffffa03e7856
      RBP: ffff880070037748 R08: 0000000000000000 R09: 0000000000000001
      R10: 0000000000000000 R11: 0000000000000000 R12: ffffffffa054f855
      R13: ffff88007281cae0 R14: 0000000000000010 R15: ffffffffffffffea
      FS:  00007faa51447700(0000) GS:ffff880079300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: ffffffffa03e7855 CR3: 0000000041eba000 CR4: 00000000001006e0
      Stack:
       ffff880070037770 ffffffff8136ad28 ffffffffa054f855 0000000000000000
       ffff88007a0a2098 ffff8800700377e8 ffffffff8136852e ffff88007a342800
       00000007700377a0 ffff8800700377a0 ffffffff81412442 70672d6c656e6170
      Call Trace:
       [<ffffffff8136ad28>] acpi_can_fallback_to_crs+0x88/0x100
       [<ffffffff8136852e>] gpiod_get_index+0x25e/0x310
       [<ffffffff81412442>] ? mipi_dsi_attach+0x22/0x30
       [<ffffffff813685f2>] gpiod_get+0x12/0x20
       [<ffffffffa04fcf41>] intel_dsi_init+0x421/0x480 [i915]
       [<ffffffffa04d3783>] intel_modeset_init+0x853/0x16b0 [i915]
       [<ffffffffa0504864>] ? intel_setup_gmbus+0x214/0x260 [i915]
       [<ffffffffa0510158>] i915_driver_load+0xdc8/0x19b0 [i915]
       [<ffffffff8160fb53>] ? _raw_spin_unlock_irqrestore+0x43/0x70
       [<ffffffffa026b13b>] drm_dev_register+0xab/0xc0 [drm]
       [<ffffffffa026d7b3>] drm_get_pci_dev+0x93/0x1f0 [drm]
       [<ffffffff8160fb53>] ? _raw_spin_unlock_irqrestore+0x43/0x70
       [<ffffffffa043f1f4>] i915_pci_probe+0x34/0x50 [i915]
       [<ffffffff81379751>] pci_device_probe+0x91/0x100
       [<ffffffff8141a75a>] driver_probe_device+0x20a/0x2d0
       [<ffffffff8141a8be>] __driver_attach+0x9e/0xb0
       [<ffffffff8141a820>] ? driver_probe_device+0x2d0/0x2d0
       [<ffffffff81418439>] bus_for_each_dev+0x69/0xa0
       [<ffffffff8141a04e>] driver_attach+0x1e/0x20
       [<ffffffff81419c20>] bus_add_driver+0x1c0/0x240
       [<ffffffff8141b6d0>] driver_register+0x60/0xe0
       [<ffffffff81377d20>] __pci_register_driver+0x60/0x70
       [<ffffffffa026d9f4>] drm_pci_init+0xe4/0x110 [drm]
       [<ffffffff810ce04e>] ? trace_hardirqs_on+0xe/0x10
       [<ffffffffa02f1000>] ? 0xffffffffa02f1000
       [<ffffffffa02f1094>] i915_init+0x94/0x9b [i915]
       [<ffffffff810003bb>] do_one_initcall+0x8b/0x1c0
       [<ffffffff810eb616>] ? rcu_read_lock_sched_held+0x86/0x90
       [<ffffffff811de6d6>] ? kmem_cache_alloc_trace+0x1f6/0x270
       [<ffffffff81183826>] do_init_module+0x60/0x1dc
       [<ffffffff81115a8d>] load_module+0x1d0d/0x2390
       [<ffffffff811120b0>] ? __symbol_put+0x70/0x70
       [<ffffffff811f41b2>] ? kernel_read_file+0x92/0x120
       [<ffffffff811162f4>] SYSC_finit_module+0xa4/0xb0
       [<ffffffff8111631e>] SyS_finit_module+0xe/0x10
       [<ffffffff81001ff3>] do_syscall_64+0x63/0x350
       [<ffffffff816103da>] entry_SYSCALL64_slow_path+0x25/0x25
      Code: f7 48 8d 76 01 48 8d 52 01 0f b6 4e ff 84 c9 88 4a ff 75 ed 5d c3 0f 1f 00 55 48 89 e5 eb 04 84 c0
       74 18 48 8d 7f 01 48 8d 76 01 <0f> b6 47 ff 3a 46 ff 74 eb 19 c0 83 c8 01 5d c3 31 c0 5d c3 66
      RIP  [<ffffffff81338322>] strcmp+0x12/0x30
       RSP <ffff880070037748>
      CR2: ffffffffa03e7855
      
      v2: Make the copied con_id const
      
      Cc: Dmitry Torokhov <dmitry.torokhov@gmail.com>
      Cc: Mika Westerberg <mika.westerberg@linux.intel.com>
      Cc: Alexandre Courbot <gnurou@gmail.com>
      Cc: stable@vger.kernel.org
      Fixes: 10cf4899 ("gpiolib: tighten up ACPI legacy gpio lookups")
      Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Acked-by: default avatarMika Westerberg <mika.westerberg@linux.intel.com>
      Reviewed-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      7df89e92
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 1b46bac6
      Linus Torvalds authored
      Pull powerpc fixes from Michael Ellerman:
       "A few more powerpc fixes for 4.6:
      
         - cxl: Keep IRQ mappings on context teardown from Michael Neuling
      
         - cxl: Poll for outstanding IRQs when detaching a context from
           Michael Neuling
      
         - Wire up preadv2 and pwritev2 syscalls from Rui Salvaterra"
      
      * tag 'powerpc-4.6-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc: wire up preadv2 and pwritev2 syscalls
        cxl: Poll for outstanding IRQs when detaching a context
        cxl: Keep IRQ mappings on context teardown
      1b46bac6
    • Linus Torvalds's avatar
      Merge tag 'edac_fix_for_4.6' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp · 65c4cbeb
      Linus Torvalds authored
      Pull EDAC fix from Borislav Petkov:
       "Make sure sb_edac and i7core_edac do not terminate MCE processing on
        the decoding callchain prematurely"
      
      * tag 'edac_fix_for_4.6' of git://git.kernel.org/pub/scm/linux/kernel/git/bp/bp:
        EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback
      65c4cbeb
    • Linus Torvalds's avatar
      Merge tag 'pm+acpi-4.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · b49a5195
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "One revert of a recent cpufreq commit that introduced a regression and
        a fix for intel_pstate's Turbo Activation Ratio handling code.
      
        Specifics:
      
         - Revert cpufreq commit that attempted to fix a problem in the
           ondemand/conservative governor code, but did that incorrectly and
           introduced another problem instead (Rafael Wysocki).
      
         - Fix incorrect decoding of MSR contents related to the Turbo
           Activation Ratio (TAR) handling in the intel_pstate driver
           (Srinivas Pandruvada)"
      
      * tag 'pm+acpi-4.6-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        cpufreq: intel_pstate: Fix processing for turbo activation ratio
        Revert "cpufreq: governor: Fix negative idle_time when configured with CONFIG_HZ_PERIODIC"
      b49a5195
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.6-rc4' of git://git.linaro.org/people/ulf.hansson/mmc · a8feb782
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "Here are a two MMC host fixes:
      
        - sdhci-acpi: Reduce Baytrail eMMC/SD/SDIO hangs
      
        - sunxi: Disable eMMC HS-DDR for Allwinner A80"
      
      * tag 'mmc-v4.6-rc4' of git://git.linaro.org/people/ulf.hansson/mmc:
        mmc: sunxi: Disable eMMC HS-DDR (MMC_CAP_1_8V_DDR) for Allwinner A80
        mmc: sdhci-acpi: Reduce Baytrail eMMC/SD/SDIO hangs
      a8feb782
    • Linus Torvalds's avatar
      Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux · b9cc335f
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "A few fixes all over the place:
      
        radeon is probably the biggest standout, it's a fix for screen
        corruption or hung black outputs so I thought it was worth pulling in.
      
        Otherwise some amdgpu power control fixes, some misc vmwgfx fixes, one
        etnaviv fix, one virtio-gpu fix, two DP MST fixes, and a single TTM
        fix"
      
      * 'drm-fixes' of git://people.freedesktop.org/~airlied/linux:
        drm/vmwgfx: Fix order of operation
        drm/vmwgfx: use vmw_cmd_dx_cid_check for query commands.
        drm/vmwgfx: Enable SVGA_3D_CMD_DX_SET_PREDICATION
        drm/amdgpu: disable vm interrupts with vm_fault_stop=2
        drm/amdgpu: print a message if ATPX dGPU power control is missing
        Revert "drm/amdgpu: disable runtime pm on PX laptops without dGPU power control"
        drm/radeon: fix vertical bars appear on monitor (v2)
        drm/ttm: fix kref count mess in ttm_bo_move_to_lru_tail
        drm/virtio: send vblank event after crtc updates
        drm/dp/mst: Restore primary hub guid on resume
        drm/dp/mst: Get validated port ref in drm_dp_update_payload_part1()
        drm/etnaviv: don't move linear memory window on 3D cores without MC2.0
      b9cc335f
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · 925d96a0
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
       "Final set of -rc fixes for 4.6.
      
        I've collected up a number of patches that are all pretty small with
        the exception of only a couple.  The hfi1 driver has a number of
        important patches, and it is what really drives the line count of this
        pull request up.  These are all small and I've got this kernel built
        and running in the test lab (I have most of the hardware, I think nes
        is the only thing in this patch set that I can't say I've personally
        tested and have up and running).
      
        Summary:
      
         - A number of collected fixes for oopses, memory corruptions,
           deadlocks, etc.  All of these fixes are small (many only 5-10
           lines), obvious, and tested.
      
         - Fix for the security issue related to the use of write for
           bi-directional communications"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
        RDMA/nes: don't leak skb if carrier down
        IB/security: Restrict use of the write() interface
        IB/hfi1: Use kernel default llseek for ui device
        IB/hfi1: Don't attempt to free resources if initialization failed
        IB/hfi1: Fix missing lock/unlock in verbs drain callback
        IB/rdmavt: Fix send scheduling
        IB/hfi1: Prevent unpinning of wrong pages
        IB/hfi1: Fix deadlock caused by locking with wrong scope
        IB/hfi1: Prevent NULL pointer deferences in caching code
        MAINTAINERS: Update iser/isert maintainer contact info
        IB/mlx5: Expose correct max_sge_rd limit
        RDMA/iw_cxgb4: Fix bar2 virt addr calculation for T4 chips
        iw_cxgb4: handle draining an idle qp
        iw_cxgb3: initialize ibdev.iwcm->ifname for port mapping
        iw_cxgb4: initialize ibdev.iwcm->ifname for port mapping
        IB/core: Don't drain non-existent rq queue-pair
        IB/core: Fix oops in ib_cache_gid_set_default_gid
      925d96a0
  5. 29 Apr, 2016 6 commits
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · 1d003af2
      Linus Torvalds authored
      Merge fixes from Andrew Morton:
       "20 fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        Documentation/sysctl/vm.txt: update numa_zonelist_order description
        lib/stackdepot.c: allow the stack trace hash to be zero
        rapidio: fix potential NULL pointer dereference
        mm/memory-failure: fix race with compound page split/merge
        ocfs2/dlm: return zero if deref_done message is successfully handled
        Ananth has moved
        kcov: don't profile branches in kcov
        kcov: don't trace the code coverage code
        mm: wake kcompactd before kswapd's short sleep
        .mailmap: add Frank Rowand
        mm/hwpoison: fix wrong num_poisoned_pages accounting
        mm: call swap_slot_free_notify() with page lock held
        mm: vmscan: reclaim highmem zone if buffer_heads is over limit
        numa: fix /proc/<pid>/numa_maps for THP
        mm/huge_memory: replace VM_NO_THP VM_BUG_ON with actual VMA check
        mailmap: fix Krzysztof Kozlowski's misspelled name
        thp: keep huge zero page pinned until tlb flush
        mm: exclude HugeTLB pages from THP page_mapped() logic
        kexec: export OFFSET(page.compound_head) to find out compound tail page
        kexec: update VMCOREINFO for compound_order/dtor
      1d003af2
    • Paolo Abeni's avatar
      ip_tunnel: fix preempt warning in ip tunnel creation/updating · f27337e1
      Paolo Abeni authored
      After the commit e09acddf ("ip_tunnel: replace dst_cache with generic
      implementation"), a preemption debug warning is triggered on ip4
      tunnels updating; the dst cache helper needs to be invoked in unpreemptible
      context.
      
      We don't need to load the cache on tunnel update, so this commit fixes
      the warning replacing the load with a dst cache reset, which is
      preempt safe.
      
      Fixes: e09acddf ("ip_tunnel: replace dst_cache with generic implementation")
      Reported-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f27337e1
    • Tony Luck's avatar
      EDAC: i7core, sb_edac: Don't return NOTIFY_BAD from mce_decoder callback · c4fc1956
      Tony Luck authored
      Both of these drivers can return NOTIFY_BAD, but this terminates
      processing other callbacks that were registered later on the chain.
      Since the driver did nothing to log the error it seems wrong to prevent
      other interested parties from seeing it. E.g. neither of them had even
      bothered to check the type of the error to see if it was a memory error
      before the return NOTIFY_BAD.
      Signed-off-by: default avatarTony Luck <tony.luck@intel.com>
      Acked-by: default avatarAristeu Rozanski <aris@redhat.com>
      Acked-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Cc: linux-edac <linux-edac@vger.kernel.org>
      Cc: <stable@vger.kernel.org>
      Link: http://lkml.kernel.org/r/72937355dd92318d2630979666063f8a2853495b.1461864507.git.tony.luck@intel.comSigned-off-by: default avatarBorislav Petkov <bp@suse.de>
      c4fc1956
    • Rafael J. Wysocki's avatar
      Merge branch 'pm-cpufreq-fixes' · 81be193b
      Rafael J. Wysocki authored
      * pm-cpufreq-fixes:
        cpufreq: intel_pstate: Fix processing for turbo activation ratio
        Revert "cpufreq: governor: Fix negative idle_time when configured with CONFIG_HZ_PERIODIC"
      81be193b
    • Sven Eckelmann's avatar
      batman-adv: Fix reference counting of hardif_neigh_node object for neigh_node · abe59c65
      Sven Eckelmann authored
      The batadv_neigh_node was specific to a batadv_hardif_neigh_node and held
      an implicit reference to it. But this reference was never stored in form of
      a pointer in the batadv_neigh_node itself. Instead
      batadv_neigh_node_release depends on a consistent state of
      hard_iface->neigh_list and that batadv_hardif_neigh_get always returns the
      batadv_hardif_neigh_node object which it has a reference for. But
      batadv_hardif_neigh_get cannot guarantee that because it is working only
      with rcu_read_lock on this list. It can therefore happen that a neigh_addr
      is in this list twice or that batadv_hardif_neigh_get cannot find the
      batadv_hardif_neigh_node for an neigh_addr due to some other list
      operations taking place at the same time.
      
      Instead add a batadv_hardif_neigh_node pointer directly in
      batadv_neigh_node which will be used for the reference counter decremented
      on release of batadv_neigh_node.
      
      Fixes: cef63419 ("batman-adv: add list of unique single hop neighbors per hard-interface")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      abe59c65
    • Sven Eckelmann's avatar
      batman-adv: Fix reference counting of vlan object for tt_local_entry · a33d970d
      Sven Eckelmann authored
      The batadv_tt_local_entry was specific to a batadv_softif_vlan and held an
      implicit reference to it. But this reference was never stored in form of a
      pointer in the tt_local_entry itself. Instead batadv_tt_local_remove,
      batadv_tt_local_table_free and batadv_tt_local_purge_pending_clients depend
      on a consistent state of bat_priv->softif_vlan_list and that
      batadv_softif_vlan_get always returns the batadv_softif_vlan object which
      it has a reference for. But batadv_softif_vlan_get cannot guarantee that
      because it is working only with rcu_read_lock on this list. It can
      therefore happen that an vid is in this list twice or that
      batadv_softif_vlan_get cannot find the batadv_softif_vlan for an vid due to
      some other list operations taking place at the same time.
      
      Instead add a batadv_softif_vlan pointer directly in batadv_tt_local_entry
      which will be used for the reference counter decremented on release of
      batadv_tt_local_entry.
      
      Fixes: 35df3b29 ("batman-adv: fix TT VLAN inconsistency on VLAN re-add")
      Signed-off-by: default avatarSven Eckelmann <sven@narfation.org>
      Acked-by: default avatarAntonio Quartulli <a@unstable.cc>
      Signed-off-by: default avatarMarek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: default avatarAntonio Quartulli <a@unstable.cc>
      a33d970d