1. 05 Jul, 2018 12 commits
    • Stefano Brivio's avatar
      cifs: Fix slab-out-of-bounds in send_set_info() on SMB2 ACE setting · f46ecbd9
      Stefano Brivio authored
      A "small" CIFS buffer is not big enough in general to hold a
      setacl request for SMB2, and we end up overflowing the buffer in
      send_set_info(). For instance:
      
       # mount.cifs //127.0.0.1/test /mnt/test -o username=test,password=test,nounix,cifsacl
       # touch /mnt/test/acltest
       # getcifsacl /mnt/test/acltest
       REVISION:0x1
       CONTROL:0x9004
       OWNER:S-1-5-21-2926364953-924364008-418108241-1000
       GROUP:S-1-22-2-1001
       ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
       ACL:S-1-22-2-1001:ALLOWED/0x0/R
       ACL:S-1-22-2-1001:ALLOWED/0x0/R
       ACL:S-1-5-21-2926364953-924364008-418108241-1000:ALLOWED/0x0/0x1e01ff
       ACL:S-1-1-0:ALLOWED/0x0/R
       # setcifsacl -a "ACL:S-1-22-2-1004:ALLOWED/0x0/R" /mnt/test/acltest
      
      this setacl will cause the following KASAN splat:
      
      [  330.777927] BUG: KASAN: slab-out-of-bounds in send_set_info+0x4dd/0xc20 [cifs]
      [  330.779696] Write of size 696 at addr ffff88010d5e2860 by task setcifsacl/1012
      
      [  330.781882] CPU: 1 PID: 1012 Comm: setcifsacl Not tainted 4.18.0-rc2+ #2
      [  330.783140] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      [  330.784395] Call Trace:
      [  330.784789]  dump_stack+0xc2/0x16b
      [  330.786777]  print_address_description+0x6a/0x270
      [  330.787520]  kasan_report+0x258/0x380
      [  330.788845]  memcpy+0x34/0x50
      [  330.789369]  send_set_info+0x4dd/0xc20 [cifs]
      [  330.799511]  SMB2_set_acl+0x76/0xa0 [cifs]
      [  330.801395]  set_smb2_acl+0x7ac/0xf30 [cifs]
      [  330.830888]  cifs_xattr_set+0x963/0xe40 [cifs]
      [  330.840367]  __vfs_setxattr+0x84/0xb0
      [  330.842060]  __vfs_setxattr_noperm+0xe6/0x370
      [  330.843848]  vfs_setxattr+0xc2/0xd0
      [  330.845519]  setxattr+0x258/0x320
      [  330.859211]  path_setxattr+0x15b/0x1b0
      [  330.864392]  __x64_sys_setxattr+0xc0/0x160
      [  330.866133]  do_syscall_64+0x14e/0x4b0
      [  330.876631]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      [  330.878503] RIP: 0033:0x7ff2e507db0a
      [  330.880151] Code: 48 8b 0d 89 93 2c 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 49 89 ca b8 bc 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 56 93 2c 00 f7 d8 64 89 01 48
      [  330.885358] RSP: 002b:00007ffdc4903c18 EFLAGS: 00000246 ORIG_RAX: 00000000000000bc
      [  330.887733] RAX: ffffffffffffffda RBX: 000055d1170de140 RCX: 00007ff2e507db0a
      [  330.890067] RDX: 000055d1170de7d0 RSI: 000055d115b39184 RDI: 00007ffdc4904818
      [  330.892410] RBP: 0000000000000001 R08: 0000000000000000 R09: 000055d1170de7e4
      [  330.894785] R10: 00000000000002b8 R11: 0000000000000246 R12: 0000000000000007
      [  330.897148] R13: 000055d1170de0c0 R14: 0000000000000008 R15: 000055d1170de550
      
      [  330.901057] Allocated by task 1012:
      [  330.902888]  kasan_kmalloc+0xa0/0xd0
      [  330.904714]  kmem_cache_alloc+0xc8/0x1d0
      [  330.906615]  mempool_alloc+0x11e/0x380
      [  330.908496]  cifs_small_buf_get+0x35/0x60 [cifs]
      [  330.910510]  smb2_plain_req_init+0x4a/0xd60 [cifs]
      [  330.912551]  send_set_info+0x198/0xc20 [cifs]
      [  330.914535]  SMB2_set_acl+0x76/0xa0 [cifs]
      [  330.916465]  set_smb2_acl+0x7ac/0xf30 [cifs]
      [  330.918453]  cifs_xattr_set+0x963/0xe40 [cifs]
      [  330.920426]  __vfs_setxattr+0x84/0xb0
      [  330.922284]  __vfs_setxattr_noperm+0xe6/0x370
      [  330.924213]  vfs_setxattr+0xc2/0xd0
      [  330.926008]  setxattr+0x258/0x320
      [  330.927762]  path_setxattr+0x15b/0x1b0
      [  330.929592]  __x64_sys_setxattr+0xc0/0x160
      [  330.931459]  do_syscall_64+0x14e/0x4b0
      [  330.933314]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      [  330.936843] Freed by task 0:
      [  330.938588] (stack is not available)
      
      [  330.941886] The buggy address belongs to the object at ffff88010d5e2800
       which belongs to the cache cifs_small_rq of size 448
      [  330.946362] The buggy address is located 96 bytes inside of
       448-byte region [ffff88010d5e2800, ffff88010d5e29c0)
      [  330.950722] The buggy address belongs to the page:
      [  330.952789] page:ffffea0004357880 count:1 mapcount:0 mapping:ffff880108fdca80 index:0x0 compound_mapcount: 0
      [  330.955665] flags: 0x17ffffc0008100(slab|head)
      [  330.957760] raw: 0017ffffc0008100 dead000000000100 dead000000000200 ffff880108fdca80
      [  330.960356] raw: 0000000000000000 0000000080100010 00000001ffffffff 0000000000000000
      [  330.963005] page dumped because: kasan: bad access detected
      
      [  330.967039] Memory state around the buggy address:
      [  330.969255]  ffff88010d5e2880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  330.971833]  ffff88010d5e2900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [  330.974397] >ffff88010d5e2980: 00 00 00 00 00 00 00 00 fc fc fc fc fc fc fc fc
      [  330.976956]                                            ^
      [  330.979226]  ffff88010d5e2a00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  330.981755]  ffff88010d5e2a80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [  330.984225] ==================================================================
      
      Fix this by allocating a regular CIFS buffer in
      smb2_plain_req_init() if the request command is SMB2_SET_INFO.
      Reported-by: default avatarJianhong Yin <jiyin@redhat.com>
      Fixes: 366ed846 ("cifs: Use smb 2 - 3 and cifsacl mount options setacl function")
      CC: Stable <stable@vger.kernel.org>
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Reviewed-and-tested-by: default avatarAurelien Aptel <aaptel@suse.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      f46ecbd9
    • Paulo Alcantara's avatar
      cifs: Fix memory leak in smb2_set_ea() · 6aa0c114
      Paulo Alcantara authored
      This patch fixes a memory leak when doing a setxattr(2) in SMB2+.
      Signed-off-by: default avatarPaulo Alcantara <palcantara@suse.de>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      Reviewed-by: default avatarAurelien Aptel <aaptel@suse.com>
      6aa0c114
    • Ronnie Sahlberg's avatar
      cifs: fix SMB1 breakage · 81f39f95
      Ronnie Sahlberg authored
      SMB1 mounting broke in commit 35e2cc1b
      ("cifs: Use correct packet length in SMB2_TRANSFORM header")
      Fix it and also rename smb2_rqst_len to smb_rqst_len
      to make it less unobvious that the function is also called from
      CIFS/SMB1
      
      Good job by Paulo reviewing and cleaning up Ronnie's original patch.
      Signed-off-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: default avatarPaulo Alcantara <palcantara@suse.de>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      81f39f95
    • Paulo Alcantara's avatar
      cifs: Fix validation of signed data in smb2 · 8de8c460
      Paulo Alcantara authored
      Fixes: c713c877 ("cifs: push rfc1002 generation down the stack")
      
      We failed to validate signed data returned by the server because
      __cifs_calc_signature() now expects to sign the actual data in iov but
      we were also passing down the rfc1002 length.
      
      Fix smb3_calc_signature() to calculate signature of rfc1002 length prior
      to passing only the actual data iov[1-N] to __cifs_calc_signature(). In
      addition, there are a few cases where no rfc1002 length is passed so we
      make sure there's one (iov_len == 4).
      Signed-off-by: default avatarPaulo Alcantara <palcantara@suse.de>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      8de8c460
    • Paulo Alcantara's avatar
      cifs: Fix validation of signed data in smb3+ · 27c32b49
      Paulo Alcantara authored
      Fixes: c713c877 ("cifs: push rfc1002 generation down the stack")
      
      We failed to validate signed data returned by the server because
      __cifs_calc_signature() now expects to sign the actual data in iov but
      we were also passing down the rfc1002 length.
      
      Fix smb3_calc_signature() to calculate signature of rfc1002 length prior
      to passing only the actual data iov[1-N] to __cifs_calc_signature(). In
      addition, there are a few cases where no rfc1002 length is passed so we
      make sure there's one (iov_len == 4).
      Signed-off-by: default avatarPaulo Alcantara <palcantara@suse.de>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      27c32b49
    • Lars Persson's avatar
      cifs: Fix use after free of a mid_q_entry · 696e420b
      Lars Persson authored
      With protocol version 2.0 mounts we have seen crashes with corrupt mid
      entries. Either the server->pending_mid_q list becomes corrupt with a
      cyclic reference in one element or a mid object fetched by the
      demultiplexer thread becomes overwritten during use.
      
      Code review identified a race between the demultiplexer thread and the
      request issuing thread. The demultiplexer thread seems to be written
      with the assumption that it is the sole user of the mid object until
      it calls the mid callback which either wakes the issuer task or
      deletes the mid.
      
      This assumption is not true because the issuer task can be woken up
      earlier by a signal. If the demultiplexer thread has proceeded as far
      as setting the mid_state to MID_RESPONSE_RECEIVED then the issuer
      thread will happily end up calling cifs_delete_mid while the
      demultiplexer thread still is using the mid object.
      
      Inserting a delay in the cifs demultiplexer thread widens the race
      window and makes reproduction of the race very easy:
      
      		if (server->large_buf)
      			buf = server->bigbuf;
      
      +		usleep_range(500, 4000);
      
      		server->lstrp = jiffies;
      
      To resolve this I think the proper solution involves putting a
      reference count on the mid object. This patch makes sure that the
      demultiplexer thread holds a reference until it has finished
      processing the transaction.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarLars Persson <larper@axis.com>
      Acked-by: default avatarPaulo Alcantara <palcantara@suse.de>
      Reviewed-by: default avatarRonnie Sahlberg <lsahlber@redhat.com>
      Reviewed-by: default avatarPavel Shilovsky <pshilov@microsoft.com>
      Signed-off-by: default avatarSteve French <stfrench@microsoft.com>
      696e420b
    • Linus Torvalds's avatar
      Merge tag 'acpi-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 06c85639
      Linus Torvalds authored
      Pull ACPI fixes from Rafael Wysocki:
       "These fix a recent ACPICA regression, fix a battery driver regression
        introduced during the 4.17 cycle and fix up the recently added support
        for the PPTT ACPI table.
      
        Specifics:
      
         - Revert part of a recent ACPICA regression fix that added leading
           newlines to ACPICA error messages and made the kernel log look
           broken (Rafael Wysocki).
      
         - Fix an ACPI battery driver regression introduced during the 4.17
           cycle due to incorrect error handling that made Thinkpad 13 laptops
           crash on boot (Jouke Witteveen).
      
         - Fix up the recently added PPTT ACPI table support by covering the
           case when a PPTT structure represents a processors group correctly
           (Sudeep Holla)"
      
      * tag 'acpi-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        ACPI / battery: Safe unregistering of hooks
        ACPI / PPTT: use ACPI ID whenever ACPI_PPTT_ACPI_PROCESSOR_ID_VALID is set
        ACPICA: Drop leading newlines from error messages
      06c85639
    • Linus Torvalds's avatar
      Merge tag 'pm-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · 90dc8b65
      Linus Torvalds authored
      Pull power management fixes from Rafael Wysocki:
       "These fix a PCI power management regression introduced during the 4.17
        cycle and fix up the recently added support for devices in multiple
        power domains.
      
        Specifics:
      
         - Resume parallel PCI (non-PCIe) bridges on suspend-to-RAM (ACP S3)
           to avoid confusing the platform firmware which started to happen
           after a core power management regression fix that went in during
           the 4.17 cycle (Rafael Wysocki).
      
         - Fix up the recently added support for devices in multiple power
           domains by avoiding to power up the entire domain unnecessarily
           when attaching a device to it (Ulf Hansson)"
      
      * tag 'pm-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM / Domains: Don't power on at attach for the multi PM domain case
        PCI / ACPI / PM: Resume bridges w/o drivers on suspend-to-RAM
      90dc8b65
    • Linus Torvalds's avatar
      Merge tag 'riscv-for-linus-4.18-rc4' of... · b19b9282
      Linus Torvalds authored
      Merge tag 'riscv-for-linus-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux
      
      Pull RISC-V fixes from Palmer Dabbelt:
       "This contains a handful of fixes for the RISC-V port:
      
         - A fix to R_RISCV_ADD32/R_RISCV_SUB32 relocations that allows
           modules that use these to load correctly.
      
         - The removal of of_platform_populate(), which is obselete.
      
         - The removal of irq-riscv-intc.h, which is obselete.
      
         - A fix to PTRACE_SETREGSET.
      
         - Fixes that allow the RV32I kernel to build (at least for Zong, I've
           got another patch on the mailing list that's necessary on my setup :)).
      
        I've just given these a defconfig build test"
      
      * tag 'riscv-for-linus-4.18-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/palmer/riscv-linux:
        RISC-V: Fix PTRACE_SETREGSET bug.
        RISC-V: Don't include irq-riscv-intc.h
        riscv: remove unnecessary of_platform_populate call
        RISC-V: fix R_RISCV_ADD32/R_RISCV_SUB32 relocations
        RISC-V: Change variable type for 32-bit compatible
        RISC-V: Add definiion of extract symbol's index and type for 32-bit
        RISC-V: Select GENERIC_UCMPDI2 on RV32I
        RISC-V: Add conditional macro for zone of DMA32
      b19b9282
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu · 760885f2
      Linus Torvalds authored
      Pull m68knommu fix from Greg Ungerer:
       "A single fix for breakage introduced in this merge window"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/gerg/m68knommu:
        m68k: fix "bad page state" oops on ColdFire boot
      760885f2
    • Rafael J. Wysocki's avatar
      Merge branches 'acpi-tables' and 'acpica' · df958569
      Rafael J. Wysocki authored
      Merge ACPICA regression fix and a fix for the recently added PPTT
      support.
      
      * acpi-tables:
        ACPI / PPTT: use ACPI ID whenever ACPI_PPTT_ACPI_PROCESSOR_ID_VALID is set
      
      * acpica:
        ACPICA: Drop leading newlines from error messages
      df958569
    • Rafael J. Wysocki's avatar
      Merge branch 'pm-pci' · 88b96088
      Rafael J. Wysocki authored
      Merge a PCI power management regression fix.
      
      * pm-pci:
        PCI / ACPI / PM: Resume bridges w/o drivers on suspend-to-RAM
      88b96088
  2. 04 Jul, 2018 15 commits
  3. 03 Jul, 2018 2 commits
    • Linus Torvalds's avatar
      net/smc: fix up merge error with poll changes · 410da1e1
      Linus Torvalds authored
      My networking merge (commit 4e33d7d4: "Pull networking fixes from
      David Miller") got the poll() handling conflict wrong for af_smc.
      
      The conflict between my a11e1d43 ("Revert changes to convert to
      ->poll_mask() and aio IOCB_CMD_POLL") and Ursula Braun's 24ac3a08
      ("net/smc: rebuild nonblocking connect") should have left the call to
      sock_poll_wait() in place, just without the socket lock release/retake.
      
      And I really should have realized that.  But happily, I at least asked
      Ursula to double-check the merge, and she set me right.
      
      This also fixes an incidental whitespace issue nearby that annoyed me
      while looking at this.
      Pointed-out-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Cc: David Miller <davem@davemloft.net>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      410da1e1
    • Ulf Hansson's avatar
      PM / Domains: Don't power on at attach for the multi PM domain case · 895b6612
      Ulf Hansson authored
      There are no legacy behavior in drivers to consider while attaching a
      device to genpd - for the multiple PM domain case.
      
      For that reason, let's instead require the driver to runtime resume the
      device, via calling pm_runtime_get_sync() for example, when it needs to
      power on the corresponding PM domain.
      
      This allows us to improve the situation during attach. Instead of always
      power on the PM domain, which may be unnecessary, let's leave it in its
      current state. Additionally, to avoid the PM domain to stay powered on,
      let's schedule a power off work.
      
      Fixes: 3c095f32 (PM / Domains: Add support for multi PM domains ...)
      Signed-off-by: default avatarUlf Hansson <ulf.hansson@linaro.org>
      Acked-by: default avatarViresh Kumar <viresh.kumar@linaro.org>
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      895b6612
  4. 02 Jul, 2018 11 commits
    • Sudeep Holla's avatar
      ACPI / PPTT: use ACPI ID whenever ACPI_PPTT_ACPI_PROCESSOR_ID_VALID is set · 30998033
      Sudeep Holla authored
      Currently, we use the ACPI processor ID only for the leaf/processor nodes
      as the specification states it must match the value of the ACPI processor
      ID field in the processor’s entry in the MADT.
      
      However, if a PPTT structure represents a processors group, it
      matches a processor container UID in the namespace and the
      ACPI_PPTT_ACPI_PROCESSOR_ID_VALID flag indicates whether the
      ACPI processor ID is valid.
      
      Let's use UID whenever ACPI_PPTT_ACPI_PROCESSOR_ID_VALID is set to be
      consistent instead of using table offset as it's currently done for
      non-leaf nodes.
      
      Fixes: 2bd00bcd (ACPI/PPTT: Add Processor Properties Topology Table parsing)
      Signed-off-by: default avatarSudeep Holla <sudeep.holla@arm.com>
      Acked-by: default avatarJeremy Linton <jeremy.linton@arm.com>
      [ rjw: Changelog (minor) ]
      Signed-off-by: default avatarRafael J. Wysocki <rafael.j.wysocki@intel.com>
      30998033
    • Linus Torvalds's avatar
      Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md · d0fbad0a
      Linus Torvalds authored
      Pull MD fixes from Shaohua Li:
       "Two small fixes for MD:
      
         - an error handling fix from me
      
         - a recover bug fix for raid10 from BingJing"
      
      * 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/shli/md:
        md/raid10: fix that replacement cannot complete recovery after reassemble
        MD: cleanup resources in failure
      d0fbad0a
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://github.com/stffrdhrn/linux · 8d2b6f6b
      Linus Torvalds authored
      Pull OpenRISC fixes from Stafford Horne:
       "Two fixes for issues which were breaking OpenRISC boot:
      
         - Fix bug in __pte_free_tlb() exposed in 4.18 by Matthew Wilcox's
           page table flag addition.
      
         - Fix issue booting on real hardware if delay slot detection
           emulation is disabled"
      
      * tag 'for-linus' of git://github.com/stffrdhrn/linux:
        openrisc: entry: Fix delay slot exception detection
        openrisc: Call destructor during __pte_free_tlb
      8d2b6f6b
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 4e33d7d4
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Verify netlink attributes properly in nf_queue, from Eric Dumazet.
      
       2) Need to bump memory lock rlimit for test_sockmap bpf test, from
          Yonghong Song.
      
       3) Fix VLAN handling in lan78xx driver, from Dave Stevenson.
      
       4) Fix uninitialized read in nf_log, from Jann Horn.
      
       5) Fix raw command length parsing in mlx5, from Alex Vesker.
      
       6) Cleanup loopback RDS connections upon netns deletion, from Sowmini
          Varadhan.
      
       7) Fix regressions in FIB rule matching during create, from Jason A.
          Donenfeld and Roopa Prabhu.
      
       8) Fix mpls ether type detection in nfp, from Pieter Jansen van Vuuren.
      
       9) More bpfilter build fixes/adjustments from Masahiro Yamada.
      
      10) Fix XDP_{TX,REDIRECT} flushing in various drivers, from Jesper
          Dangaard Brouer.
      
      11) fib_tests.sh file permissions were broken, from Shuah Khan.
      
      12) Make sure BH/preemption is disabled in data path of mac80211, from
          Denis Kenzior.
      
      13) Don't ignore nla_parse_nested() return values in nl80211, from
          Johannes berg.
      
      14) Properly account sock objects ot kmemcg, from Shakeel Butt.
      
      15) Adjustments to setting bpf program permissions to read-only, from
          Daniel Borkmann.
      
      16) TCP Fast Open key endianness was broken, it always took on the host
          endiannness. Whoops. Explicitly make it little endian. From Yuching
          Cheng.
      
      17) Fix prefix route setting for link local addresses in ipv6, from
          David Ahern.
      
      18) Potential Spectre v1 in zatm driver, from Gustavo A. R. Silva.
      
      19) Various bpf sockmap fixes, from John Fastabend.
      
      20) Use after free for GRO with ESP, from Sabrina Dubroca.
      
      21) Passing bogus flags to crypto_alloc_shash() in ipv6 SR code, from
          Eric Biggers.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (87 commits)
        qede: Adverstise software timestamp caps when PHC is not available.
        qed: Fix use of incorrect size in memcpy call.
        qed: Fix setting of incorrect eswitch mode.
        qed: Limit msix vectors in kdump kernel to the minimum required count.
        ipvlan: call dev_change_flags when ipvlan mode is reset
        ipv6: sr: fix passing wrong flags to crypto_alloc_shash()
        net: fix use-after-free in GRO with ESP
        tcp: prevent bogus FRTO undos with non-SACK flows
        bpf: sockhash, add release routine
        bpf: sockhash fix omitted bucket lock in sock_close
        bpf: sockmap, fix smap_list_map_remove when psock is in many maps
        bpf: sockmap, fix crash when ipv6 sock is added
        net: fib_rules: bring back rule_exists to match rule during add
        hv_netvsc: split sub-channel setup into async and sync
        net: use dev_change_tx_queue_len() for SIOCSIFTXQLEN
        atm: zatm: Fix potential Spectre v1
        s390/qeth: consistently re-enable device features
        s390/qeth: don't clobber buffer on async TX completion
        s390/qeth: avoid using is_multicast_ether_addr_64bits on (u8 *)[6]
        s390/qeth: fix race when setting MAC address
        ...
      4e33d7d4
    • David S. Miller's avatar
      Merge branch 'qed-fixes' · e48e0979
      David S. Miller authored
      Sudarsana Reddy Kalluru says:
      
      ====================
      qed*: Fix series.
      
      The patch series addresses few issues in the qed* drivers.
      
      Please consider applying it to 'net' branch.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e48e0979
    • Sudarsana Reddy Kalluru's avatar
      qede: Adverstise software timestamp caps when PHC is not available. · 82a4e71b
      Sudarsana Reddy Kalluru authored
      When ptp clock is not available for a PF (e.g., higher PFs in NPAR mode),
      get-tsinfo() callback should return the software timestamp capabilities
      instead of returning the error.
      
      Fixes: 4c55215c ("qede: Add driver support for PTP")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      82a4e71b
    • Sudarsana Reddy Kalluru's avatar
      qed: Fix use of incorrect size in memcpy call. · cc9b27cd
      Sudarsana Reddy Kalluru authored
      Use the correct size value while copying chassis/port id values.
      
      Fixes: 6ad8c632 ("qed: Add support for query/config dcbx.")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      cc9b27cd
    • Sudarsana Reddy Kalluru's avatar
      qed: Fix setting of incorrect eswitch mode. · 538f8d00
      Sudarsana Reddy Kalluru authored
      By default, driver sets the eswitch mode incorrectly as VEB (virtual
      Ethernet bridging).
      Need to set VEB eswitch mode only when sriov is enabled, and it should be
      to set NONE by default. The patch incorporates this change.
      
      Fixes: 0fefbfba ("qed*: Management firmware - notifications and defaults")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      538f8d00
    • Sudarsana Reddy Kalluru's avatar
      qed: Limit msix vectors in kdump kernel to the minimum required count. · bb7858ba
      Sudarsana Reddy Kalluru authored
      Memory size is limited in the kdump kernel environment. Allocation of more
      msix-vectors (or queues) consumes few tens of MBs of memory, which might
      lead to the kdump kernel failure.
      This patch adds changes to limit the number of MSI-X vectors in kdump
      kernel to minimum required value (i.e., 2 per engine).
      
      Fixes: fe56b9e6 ("qed: Add module with basic common support")
      Signed-off-by: default avatarSudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
      Signed-off-by: default avatarMichal Kalderon <Michal.Kalderon@cavium.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb7858ba
    • Hangbin Liu's avatar
      ipvlan: call dev_change_flags when ipvlan mode is reset · 5dc2d399
      Hangbin Liu authored
      After we change the ipvlan mode from l3 to l2, or vice versa, we only
      reset IFF_NOARP flag, but don't flush the ARP table cache, which will
      cause eth->h_dest to be equal to eth->h_source in ipvlan_xmit_mode_l2().
      Then the message will not come out of host.
      
      Here is the reproducer on local host:
      
      ip link set eth1 up
      ip addr add 192.168.1.1/24 dev eth1
      ip link add link eth1 ipvlan1 type ipvlan mode l3
      
      ip netns add net1
      ip link set ipvlan1 netns net1
      ip netns exec net1 ip link set ipvlan1 up
      ip netns exec net1 ip addr add 192.168.2.1/24 dev ipvlan1
      
      ip route add 192.168.2.0/24 via 192.168.1.2
      ping 192.168.2.2 -c 2
      
      ip netns exec net1 ip link set ipvlan1 type ipvlan mode l2
      ping 192.168.2.2 -c 2
      
      Add the same configuration on remote host. After we set the mode to l2,
      we could find that the src/dst MAC addresses are the same on eth1:
      
      21:26:06.648565 00:b7:13:ad:d3:05 > 00:b7:13:ad:d3:05, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 58356, offset 0, flags [DF], proto ICMP (1), length 84)
          192.168.2.1 > 192.168.2.2: ICMP echo request, id 22686, seq 1, length 64
      
      Fix this by calling dev_change_flags(), which will call netdevice notifier
      with flag change info.
      
      v2:
      a) As pointed out by Wang Cong, check return value for dev_change_flags() when
      change dev flags.
      b) As suggested by Stefano and Sabrina, move flags setting before l3mdev_ops.
      So we don't need to redo ipvlan_{, un}register_nf_hook() again in err path.
      Reported-by: default avatarJianlin Shi <jishi@redhat.com>
      Reviewed-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Reviewed-by: default avatarSabrina Dubroca <sd@queasysnail.net>
      Fixes: 2ad7bf36 ("ipvlan: Initial check-in of the IPVLAN driver.")
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5dc2d399
    • Eric Biggers's avatar
      ipv6: sr: fix passing wrong flags to crypto_alloc_shash() · fc9c2029
      Eric Biggers authored
      The 'mask' argument to crypto_alloc_shash() uses the CRYPTO_ALG_* flags,
      not 'gfp_t'.  So don't pass GFP_KERNEL to it.
      
      Fixes: bf355b8d ("ipv6: sr: add core files for SR HMAC support")
      Signed-off-by: default avatarEric Biggers <ebiggers@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fc9c2029