1. 28 Feb, 2017 1 commit
    • Johannes Berg's avatar
      mac80211: use driver-indicated transmitter STA only for data frames · 19d19e96
      Johannes Berg authored
      When I originally introduced using the driver-indicated station as an
      optimisation to avoid the hashtable lookup/iteration, of course it
      wasn't intended to really functionally change anything.
      
      I neglected, however, to take into account VLAN interfaces, which have
      the property that management and data frames are handled differently:
      data frames go directly to the station and the VLAN while management
      frames continue to be processed over the underlying/associated AP-type
      interface. As a consequence, when a driver used this optimisation for
      management frames and the user enabled VLANs, my change broke things
      since any management frames, particularly disassoc/deauth, were missed
      by hostapd.
      
      Fix this by restoring the original code path for non-data frames, they
      aren't critical for performance to begin with.
      
      This fixes https://bugzilla.kernel.org/show_bug.cgi?id=194713.
      
      Big thanks goes to Jarek who bisected the issue and provided a very
      detailed bug report, including the crucial information that he was
      using VLANs in his configuration.
      
      Cc: stable@vger.kernel.org
      Fixes: 771e846bea9e ("mac80211: allow passing transmitter station on RX")
      Reported-and-tested-by: default avatarJarek Kamiński <jarek@freeside.be>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      19d19e96
  2. 27 Feb, 2017 19 commits
    • Johannes Berg's avatar
      mac80211_hwsim: check HWSIM_ATTR_RADIO_NAME length · ff4dd73d
      Johannes Berg authored
      Unfortunately, the nla policy was defined to have HWSIM_ATTR_RADIO_NAME
      as an NLA_STRING, rather than NLA_NUL_STRING, so we can't use it as a
      NUL-terminated string in the kernel.
      
      Rather than break the API, kasprintf() the string to a new buffer to
      guarantee NUL termination.
      Reported-by: default avatarAndrew Zaborowski <andrew.zaborowski@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      ff4dd73d
    • Sara Sharon's avatar
      mac80211: fix typo in debug print · 09e0a2fe
      Sara Sharon authored
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      09e0a2fe
    • Sara Sharon's avatar
      mac80211: shorten debug message · 2595d259
      Sara Sharon authored
      Tracing is limited to 100 characters and this message passes
      the limit when there are a few buffered frames. Shorten it.
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      2595d259
    • Emmanuel Grumbach's avatar
      mac80211: fix power saving clients handling in iwlwifi · d98937f4
      Emmanuel Grumbach authored
      iwlwifi now supports RSS and can't let mac80211 track the
      PS state based on the Rx frames since they can come out of
      order. iwlwifi is now advertising AP_LINK_PS, and uses
      explicit notifications to teach mac80211 about the PS state
      of the stations and the PS poll / uAPSD trigger frames
      coming our way from the peers.
      
      Because of that, the TIM stopped being maintained in
      mac80211. I tried to fix this in commit c68df2e7
      ("mac80211: allow using AP_LINK_PS with mac80211-generated TIM IE")
      but that was later reverted by Felix in commit 6c18a6b4
      ("Revert "mac80211: allow using AP_LINK_PS with mac80211-generated TIM IE")
      since it broke drivers that do not implement set_tim.
      
      Since none of the drivers that set AP_LINK_PS have the
      set_tim() handler set besides iwlwifi, I can bail out in
      __sta_info_recalc_tim if AP_LINK_PS AND .set_tim is not
      implemented.
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      d98937f4
    • Felix Fietkau's avatar
      mac80211: don't handle filtered frames within a BA session · 890030d3
      Felix Fietkau authored
      When running a BA session, the driver (or the hardware) already takes
      care of retransmitting failed frames, since it has to keep the receiver
      reorder window in sync.
      
      Adding another layer of retransmit around that does not improve
      anything. In fact, it can only lead to some strong reordering with huge
      latency.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarFelix Fietkau <nbd@nbd.name>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      890030d3
    • Thomas Gleixner's avatar
      mac80211_hwsim: Replace bogus hrtimer clockid · 8fbcfeb8
      Thomas Gleixner authored
      mac80211_hwsim initializes a hrtimer with clockid
      CLOCK_MONOTONIC_RAW. That's not supported.
      
      Use CLOCK_MONOTONIC instead.
      Signed-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      8fbcfeb8
    • Sara Sharon's avatar
      mac80211: don't reorder frames with SN smaller than SSN · b7540d8f
      Sara Sharon authored
      When RX aggregation starts, transmitter may continue send frames
      with SN smaller than SSN until the AddBA response is received.
      However, the reorder buffer is already initialized at this point,
      which will cause the drop of such frames as duplicates since the
      head SN of the reorder buffer is set to the SSN, which is bigger.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      b7540d8f
    • Matt Chen's avatar
      mac80211: flush delayed work when entering suspend · a9e9200d
      Matt Chen authored
      The issue was found when entering suspend and resume.
      It triggers a warning in:
      mac80211/key.c: ieee80211_enable_keys()
      ...
      WARN_ON_ONCE(sdata->crypto_tx_tailroom_needed_cnt ||
                   sdata->crypto_tx_tailroom_pending_dec);
      ...
      
      It points out sdata->crypto_tx_tailroom_pending_dec isn't cleaned up successfully
      in a delayed_work during suspend. Add a flush_delayed_work to fix it.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMatt Chen <matt.chen@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      a9e9200d
    • Johannes Berg's avatar
      mac80211: fix packet statistics for fast-RX · 0328edc7
      Johannes Berg authored
      When adding per-CPU statistics, which added statistics back
      to mac80211 for the fast-RX path, I evidently forgot to add
      the "stats->packets++" line. The reason for that is likely
      that I didn't see it since it's done in defragmentation for
      the regular RX path.
      
      Add the missing line to properly count received packets in
      the fast-RX case.
      
      Fixes: c9c5962b ("mac80211: enable collecting station statistics per-CPU")
      Reported-by: default avatarOren Givon <oren.givon@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      0328edc7
    • Paul Hüber's avatar
      l2tp: avoid use-after-free caused by l2tp_ip_backlog_recv · 51fb60eb
      Paul Hüber authored
      l2tp_ip_backlog_recv may not return -1 if the packet gets dropped.
      The return value is passed up to ip_local_deliver_finish, which treats
      negative values as an IP protocol number for resubmission.
      Signed-off-by: default avatarPaul Hüber <phueber@kernsp.in>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51fb60eb
    • Julian Anastasov's avatar
      xfrm: provide correct dst in xfrm_neigh_lookup · 1ecc9ad0
      Julian Anastasov authored
      Fix xfrm_neigh_lookup to provide dst->path to the
      neigh_lookup dst_ops method.
      
      When skb is provided, the IP address in packet should already
      match the dst->path address family. But for the non-skb case,
      we should consider the last tunnel address as nexthop address.
      
      Fixes: f894cbf8 ("net: Add optional SKB arg to dst_ops->neigh_lookup().")
      Signed-off-by: default avatarJulian Anastasov <ja@ssi.bg>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1ecc9ad0
    • Herbert Xu's avatar
      rhashtable: Fix RCU dereference annotation in rht_bucket_nested · c4d2603d
      Herbert Xu authored
      The current annotation is wrong as it says that we're only called
      under spinlock.  In fact it should be marked as under either
      spinlock or RCU read lock.
      
      Fixes: da20420f ("rhashtable: Add nested tables")
      Reported-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4d2603d
    • Herbert Xu's avatar
      rhashtable: Fix use before NULL check in bucket_table_free · ca435407
      Herbert Xu authored
      Dan Carpenter reported a use before NULL check bug in the function
      bucket_table_free.  In fact we don't need the NULL check at all as
      no caller can provide a NULL argument.  So this patch fixes this by
      simply removing it.
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ca435407
    • Roman Mashak's avatar
      net sched actions: do not overwrite status of action creation. · 37f1c63e
      Roman Mashak authored
      nla_memdup_cookie was overwriting err value, declared at function
      scope and earlier initialized with result of ->init(). At success
      nla_memdup_cookie() returns 0, and thus module refcnt decremented,
      although the action was installed.
      
      $ sudo tc actions add action pass index 1 cookie 1234
      $ sudo tc actions ls action gact
      
              action order 0: gact action pass
               random type none pass val 0
               index 1 ref 1 bind 0
      $
      $ lsmod
      Module                  Size  Used by
      act_gact               16384  0
      ...
      $
      $ sudo rmmod act_gact
      [   52.310283] ------------[ cut here ]------------
      [   52.312551] WARNING: CPU: 1 PID: 455 at kernel/module.c:1113
      module_put+0x99/0xa0
      [   52.316278] Modules linked in: act_gact(-) crct10dif_pclmul crc32_pclmul
      ghash_clmulni_intel psmouse pcbc evbug aesni_intel aes_x86_64 crypto_simd
      serio_raw glue_helper pcspkr cryptd
      [   52.322285] CPU: 1 PID: 455 Comm: rmmod Not tainted 4.10.0+ #11
      [   52.324261] Call Trace:
      [   52.325132]  dump_stack+0x63/0x87
      [   52.326236]  __warn+0xd1/0xf0
      [   52.326260]  warn_slowpath_null+0x1d/0x20
      [   52.326260]  module_put+0x99/0xa0
      [   52.326260]  tcf_hashinfo_destroy+0x7f/0x90
      [   52.326260]  gact_exit_net+0x27/0x40 [act_gact]
      [   52.326260]  ops_exit_list.isra.6+0x38/0x60
      [   52.326260]  unregister_pernet_operations+0x90/0xe0
      [   52.326260]  unregister_pernet_subsys+0x21/0x30
      [   52.326260]  tcf_unregister_action+0x68/0xa0
      [   52.326260]  gact_cleanup_module+0x17/0xa0f [act_gact]
      [   52.326260]  SyS_delete_module+0x1ba/0x220
      [   52.326260]  entry_SYSCALL_64_fastpath+0x1e/0xad
      [   52.326260] RIP: 0033:0x7f527ffae367
      [   52.326260] RSP: 002b:00007ffeb402a598 EFLAGS: 00000202 ORIG_RAX:
      00000000000000b0
      [   52.326260] RAX: ffffffffffffffda RBX: 0000559b069912a0 RCX: 00007f527ffae367
      [   52.326260] RDX: 000000000000000a RSI: 0000000000000800 RDI: 0000559b06991308
      [   52.326260] RBP: 0000000000000003 R08: 00007f5280264420 R09: 00007ffeb4029511
      [   52.326260] R10: 000000000000087b R11: 0000000000000202 R12: 00007ffeb4029580
      [   52.326260] R13: 0000000000000000 R14: 0000000000000000 R15: 0000559b069912a0
      [   52.354856] ---[ end trace 90d89401542b0db6 ]---
      $
      
      With the fix:
      
      $ sudo modprobe act_gact
      $ lsmod
      Module                  Size  Used by
      act_gact               16384  0
      ...
      $ sudo tc actions add action pass index 1 cookie 1234
      $ sudo tc actions ls action gact
      
              action order 0: gact action pass
               random type none pass val 0
               index 1 ref 1 bind 0
      $
      $ lsmod
      Module                  Size  Used by
      act_gact               16384  1
      ...
      $ sudo rmmod act_gact
      rmmod: ERROR: Module act_gact is in use
      $
      $ sudo /home/mrv/bin/tc actions del action gact index 1
      $ sudo rmmod act_gact
      $ lsmod
      Module                  Size  Used by
      $
      
      Fixes: 1045ba77 ("net sched actions: Add support for user cookies")
      Signed-off-by: default avatarRoman Mashak <mrv@mojatatu.com>
      Signed-off-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      37f1c63e
    • David Howells's avatar
      rxrpc: Kernel calls get stuck in recvmsg · d7e15835
      David Howells authored
      Calls made through the in-kernel interface can end up getting stuck because
      of a missed variable update in a loop in rxrpc_recvmsg_data().  The problem
      is like this:
      
       (1) A new packet comes in and doesn't cause a notification to be given to
           the client as there's still another packet in the ring - the
           assumption being that if the client will keep drawing off data until
           the ring is empty.
      
       (2) The client is in rxrpc_recvmsg_data(), inside the big while loop that
           iterates through the packets.  This copies the window pointers into
           variables rather than using the information in the call struct
           because:
      
           (a) MSG_PEEK might be in effect;
      
           (b) we need a barrier after reading call->rx_top to pair with the
           	 barrier in the softirq routine that loads the buffer.
      
       (3) The reading of call->rx_top is done outside of the loop, and top is
           never updated whilst we're in the loop.  This means that even through
           there's a new packet available, we don't see it and may return -EFAULT
           to the caller - who will happily return to the scheduler and await the
           next notification.
      
       (4) No further notifications are forthcoming until there's an abort as the
           ring isn't empty.
      
      The fix is to move the read of call->rx_top inside the loop - but it needs
      to be done before the condition is checked.
      Reported-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d7e15835
    • Roman Mashak's avatar
      net sched actions: decrement module reference count after table flush. · edb9d1bf
      Roman Mashak authored
      When tc actions are loaded as a module and no actions have been installed,
      flushing them would result in actions removed from the memory, but modules
      reference count not being decremented, so that the modules would not be
      unloaded.
      
      Following is example with GACT action:
      
      % sudo modprobe act_gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      %
      % sudo tc actions ls action gact
      %
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  1
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  2
      % sudo rmmod act_gact
      rmmod: ERROR: Module act_gact is in use
      ....
      
      After the fix:
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      %
      % sudo tc actions add action pass index 1
      % sudo tc actions add action pass index 2
      % sudo tc actions add action pass index 3
      % lsmod
      Module                  Size  Used by
      act_gact               16384  3
      %
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      %
      % sudo tc actions flush action gact
      % lsmod
      Module                  Size  Used by
      act_gact               16384  0
      % sudo rmmod act_gact
      % lsmod
      Module                  Size  Used by
      %
      
      Fixes: f97017cd ("net-sched: Fix actions flushing")
      Signed-off-by: default avatarRoman Mashak <mrv@mojatatu.com>
      Signed-off-by: default avatarJamal Hadi Salim <jhs@mojatatu.com>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      edb9d1bf
    • Geert Uytterhoeven's avatar
      lib: Allow compile-testing of parman · 9d25af69
      Geert Uytterhoeven authored
      This allows to enable and run the accompanying test (test_parman)
      without dependencies on other users of parman.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9d25af69
    • Xin Long's avatar
      ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt · 99253eb7
      Xin Long authored
      Commit 5e1859fb ("ipv4: ipmr: various fixes and cleanups") fixed
      the issue for ipv4 ipmr:
      
        ip_mroute_setsockopt() & ip_mroute_getsockopt() should not
        access/set raw_sk(sk)->ipmr_table before making sure the socket
        is a raw socket, and protocol is IGMP
      
      The same fix should be done for ipv6 ipmr as well.
      
      This patch can fix the panic caused by overwriting the same offset
      as ipmr_table as in raw_sk(sk) when accessing other type's socket
      by ip_mroute_setsockopt().
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      99253eb7
    • Xin Long's avatar
      sctp: set sin_port for addr param when checking duplicate address · 2e3ce5bc
      Xin Long authored
      Commit b8607805 ("sctp: not copying duplicate addrs to the assoc's
      bind address list") tried to check for duplicate address before copying
      to asoc's bind_addr list from global addr list.
      
      But all the addrs' sin_ports in global addr list are 0 while the addrs'
      sin_ports are bp->port in asoc's bind_addr list. It means even if it's
      a duplicate address, af->cmp_addr will still return 0 as the their
      sin_ports are different.
      
      This patch is to fix it by setting the sin_port for addr param with
      bp->port before comparing the addrs.
      
      Fixes: b8607805 ("sctp: not copying duplicate addrs to the assoc's bind address list")
      Reported-by: default avatarWei Chen <weichen@redhat.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      2e3ce5bc
  3. 26 Feb, 2017 6 commits
  4. 24 Feb, 2017 14 commits
    • Geert Uytterhoeven's avatar
      drivers: net: xgene: Simplify xgene_enet_setup_mss() to kill warning · 1b8c1012
      Geert Uytterhoeven authored
      With gcc-4.1.2 and -Os:
      
          drivers/net/ethernet/apm/xgene/xgene_enet_main.c: In function ‘xgene_enet_start_xmit’:
          drivers/net/ethernet/apm/xgene/xgene_enet_main.c:297: warning: ‘mss_index’ may be used uninitialized in this function
      
      Using a separate variable to track success may confuse the compiler.
      Preinitialize mss_index with -EBUSY and check for negative error values
      instead to kill the warning.
      Signed-off-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b8c1012
    • Zhu Yanjun's avatar
      rds: fix memory leak error · 3b5923f0
      Zhu Yanjun authored
      When the function register_netdevice_notifier fails, the memory
      allocated by kmem_cache_create should be freed by the function
      kmem_cache_destroy.
      
      Cc: Joe Jin <joe.jin@oracle.com>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Signed-off-by: default avatarZhu Yanjun <yanjun.zhu@oracle.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Acked-by: default avatarSowmini Varadhan <sowmini.varadhan@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3b5923f0
    • Brian Russell's avatar
      vxlan: don't allow overwrite of config src addr · 1158632b
      Brian Russell authored
      When using IPv6 transport and a default dst, a pointer to the configured
      source address is passed into the route lookup. If no source address is
      configured, then the value is overwritten.
      
      IPv6 route lookup ignores egress ifindex match if the source address is set,
      so if egress ifindex match is desired, the source address must be passed
      as any. The overwrite breaks this for subsequent lookups.
      
      Avoid this by copying the configured address to an existing stack variable
      and pass a pointer to that instead.
      
      Fixes: 272d96a5 ("net: vxlan: lwt: Use source ip address during route lookup.")
      Signed-off-by: default avatarBrian Russell <brussell@brocade.com>
      Acked-by: default avatarJiri Benc <jbenc@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1158632b
    • David Forster's avatar
      vti6: return GRE_KEY for vti6 · 7dcdf941
      David Forster authored
      Align vti6 with vti by returning GRE_KEY flag. This enables iproute2
      to display tunnel keys on "ip -6 tunnel show"
      Signed-off-by: default avatarDavid Forster <dforster@brocade.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7dcdf941
    • Marc Dionne's avatar
      rxrpc: Fix an assertion in rxrpc_read() · 774521f3
      Marc Dionne authored
      In the rxrpc_read() function, which allows a user to read the contents of a
      key, we miscalculate the expected length of an encoded rxkad token by not
      taking into account the key length.  However, the data is stored later
      anyway with an ENCODE_DATA() call - and an assertion failure then ensues
      when the lengths are checked at the end.
      
      Fix this by including the key length in the token size estimation.
      
      The following assertion is produced:
      
      Assertion failed - 384(0x180) == 380(0x17c) is false
      ------------[ cut here ]------------
      kernel BUG at ../net/rxrpc/key.c:1221!
      invalid opcode: 0000 [#1] SMP
      Modules linked in:
      CPU: 2 PID: 2957 Comm: keyctl Not tainted 4.10.0-fscache+ #483
      Hardware name: ASUS All Series/H97-PLUS, BIOS 2306 10/09/2014
      task: ffff8804013a8500 task.stack: ffff8804013ac000
      RIP: 0010:rxrpc_read+0x10de/0x11b6
      RSP: 0018:ffff8804013afe48 EFLAGS: 00010296
      RAX: 000000000000003b RBX: 0000000000000003 RCX: 0000000000000000
      RDX: 0000000000040001 RSI: 00000000000000f6 RDI: 0000000000000300
      RBP: ffff8804013afed8 R08: 0000000000000001 R09: 0000000000000001
      R10: ffff8804013afd90 R11: 0000000000000002 R12: 00005575f7c911b4
      R13: 00005575f7c911b3 R14: 0000000000000157 R15: ffff880408a5d640
      FS:  00007f8dfbc73700(0000) GS:ffff88041fb00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00005575f7c91008 CR3: 000000040120a000 CR4: 00000000001406e0
      Call Trace:
       keyctl_read_key+0xb6/0xd7
       SyS_keyctl+0x83/0xe7
       do_syscall_64+0x80/0x191
       entry_SYSCALL64_slow_path+0x25/0x25
      Signed-off-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      774521f3
    • Florian Fainelli's avatar
      net: phy: Add missing driver check in phy_aneg_done() · 65f2767a
      Florian Fainelli authored
      Dan's static checker caught a potential code path in phy_state_machine() where
      we were not checking phydev->drv which is in phy_aneg_done().
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Fixes: 25149ef9 ("net: phy: Check phydev->drv")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65f2767a
    • Matthias Schiffer's avatar
      vxlan: correctly validate VXLAN ID against VXLAN_N_VID · 4e37d691
      Matthias Schiffer authored
      The incorrect check caused an off-by-one error: the maximum VID 0xffffff
      was unusable.
      
      Fixes: d342894c ("vxlan: virtual extensible lan")
      Signed-off-by: default avatarMatthias Schiffer <mschiffer@universe-factory.net>
      Acked-by: default avatarJiri Benc <jbenc@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4e37d691
    • Jon Paul Maloy's avatar
      tipc: move premature initilalization of stack variables · 681a55d7
      Jon Paul Maloy authored
      In the function tipc_rcv() we initialize a couple of stack variables
      from the message header before that same header has been validated.
      In rare cases when the arriving header is non-linar, the validation
      function itself may linearize the buffer by calling skb_may_pull(),
      while the wrongly initialized stack fields are not updated accordingly.
      
      We fix this in this commit.
      Reported-by: default avatarMatthew Wong <mwong@sonusnet.com>
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      681a55d7
    • LABBE Corentin's avatar
      net: stmmac: unify registers dumps methods · fbf68229
      LABBE Corentin authored
      The stmmac driver have two methods for registers dumps: via ethtool and
      at init (if NETIF_MSG_HW is enabled).
      
      It is better to keep only one method, ethtool, since the other was ugly.
      
      This patch convert all dump_regs() function from "printing regs" to
      "fill the reg_space used by ethtool".
      Signed-off-by: default avatarCorentin Labbe <clabbe.montjoie@gmail.com>
      Acked-by: default avatarGiuseppe Cavallaro <peppe.cavallaro@st.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fbf68229
    • Wu Fengguang's avatar
      RDS: IB: fix ifnullfree.cocci warnings · 77cc7aee
      Wu Fengguang authored
      net/rds/ib.c:115:2-7: WARNING: NULL check before freeing functions like kfree, debugfs_remove, debugfs_remove_recursive or usb_free_urb is not needed. Maybe consider reorganizing relevant code to avoid passing NULL values.
      
       NULL check before some freeing functions is not needed.
      
       Based on checkpatch warning
       "kfree(NULL) is safe this check is probably not required"
       and kfreeaddr.cocci by Julia Lawall.
      
      Generated by: scripts/coccinelle/free/ifnullfree.cocci
      Signed-off-by: default avatarFengguang Wu <fengguang.wu@intel.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      77cc7aee
    • Marcelo Ricardo Leitner's avatar
      sctp: deny peeloff operation on asocs with threads sleeping on it · dfcb9f4f
      Marcelo Ricardo Leitner authored
      commit 2dcab598 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
      attempted to avoid a BUG_ON call when the association being used for a
      sendmsg() is blocked waiting for more sndbuf and another thread did a
      peeloff operation on such asoc, moving it to another socket.
      
      As Ben Hutchings noticed, then in such case it would return without
      locking back the socket and would cause two unlocks in a row.
      
      Further analysis also revealed that it could allow a double free if the
      application managed to peeloff the asoc that is created during the
      sendmsg call, because then sctp_sendmsg() would try to free the asoc
      that was created only for that call.
      
      This patch takes another approach. It will deny the peeloff operation
      if there is a thread sleeping on the asoc, so this situation doesn't
      exist anymore. This avoids the issues described above and also honors
      the syscalls that are already being handled (it can be multiple sendmsg
      calls).
      
      Joint work with Xin Long.
      
      Fixes: 2dcab598 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
      Cc: Alexander Popov <alex.popov@linux.com>
      Cc: Ben Hutchings <ben@decadent.org.uk>
      Signed-off-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dfcb9f4f
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace · f1ef09fd
      Linus Torvalds authored
      Pull namespace updates from Eric Biederman:
       "There is a lot here. A lot of these changes result in subtle user
        visible differences in kernel behavior. I don't expect anything will
        care but I will revert/fix things immediately if any regressions show
        up.
      
        From Seth Forshee there is a continuation of the work to make the vfs
        ready for unpriviled mounts. We had thought the previous changes
        prevented the creation of files outside of s_user_ns of a filesystem,
        but it turns we missed the O_CREAT path. Ooops.
      
        Pavel Tikhomirov and Oleg Nesterov worked together to fix a long
        standing bug in the implemenation of PR_SET_CHILD_SUBREAPER where only
        children that are forked after the prctl are considered and not
        children forked before the prctl. The only known user of this prctl
        systemd forks all children after the prctl. So no userspace
        regressions will occur. Holding earlier forked children to the same
        rules as later forked children creates a semantic that is sane enough
        to allow checkpoing of processes that use this feature.
      
        There is a long delayed change by Nikolay Borisov to limit inotify
        instances inside a user namespace.
      
        Michael Kerrisk extends the API for files used to maniuplate
        namespaces with two new trivial ioctls to allow discovery of the
        hierachy and properties of namespaces.
      
        Konstantin Khlebnikov with the help of Al Viro adds code that when a
        network namespace exits purges it's sysctl entries from the dcache. As
        in some circumstances this could use a lot of memory.
      
        Vivek Goyal fixed a bug with stacked filesystems where the permissions
        on the wrong inode were being checked.
      
        I continue previous work on ptracing across exec. Allowing a file to
        be setuid across exec while being ptraced if the tracer has enough
        credentials in the user namespace, and if the process has CAP_SETUID
        in it's own namespace. Proc files for setuid or otherwise undumpable
        executables are now owned by the root in the user namespace of their
        mm. Allowing debugging of setuid applications in containers to work
        better.
      
        A bug I introduced with permission checking and automount is now
        fixed. The big change is to mark the mounts that the kernel initiates
        as a result of an automount. This allows the permission checks in sget
        to be safely suppressed for this kind of mount. As the permission
        check happened when the original filesystem was mounted.
      
        Finally a special case in the mount namespace is removed preventing
        unbounded chains in the mount hash table, and making the semantics
        simpler which benefits CRIU.
      
        The vfs fix along with related work in ima and evm I believe makes us
        ready to finish developing and merge fully unprivileged mounts of the
        fuse filesystem. The cleanups of the mount namespace makes discussing
        how to fix the worst case complexity of umount. The stacked filesystem
        fixes pave the way for adding multiple mappings for the filesystem
        uids so that efficient and safer containers can be implemented"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
        proc/sysctl: Don't grab i_lock under sysctl_lock.
        vfs: Use upper filesystem inode in bprm_fill_uid()
        proc/sysctl: prune stale dentries during unregistering
        mnt: Tuck mounts under others instead of creating shadow/side mounts.
        prctl: propagate has_child_subreaper flag to every descendant
        introduce the walk_process_tree() helper
        nsfs: Add an ioctl() to return owner UID of a userns
        fs: Better permission checking for submounts
        exit: fix the setns() && PR_SET_CHILD_SUBREAPER interaction
        vfs: open() with O_CREAT should not create inodes with unknown ids
        nsfs: Add an ioctl() to return the namespace type
        proc: Better ownership of files for non-dumpable tasks in user namespaces
        exec: Remove LSM_UNSAFE_PTRACE_CAP
        exec: Test the ptracer's saved cred to see if the tracee can gain caps
        exec: Don't reset euid and egid when the tracee has CAP_SETUID
        inotify: Convert to using per-namespace limits
      f1ef09fd
    • Linus Torvalds's avatar
      Merge tag 'drm-for-v4.11-less-shouty' of git://people.freedesktop.org/~airlied/linux · ef96152e
      Linus Torvalds authored
      Pull drm updates from Dave Airlie:
       "This is the main drm pull request for v4.11.
      
        Nothing too major, the tinydrm and mmu-less support should make
        writing smaller drivers easier for some of the simpler platforms, and
        there are a bunch of documentation updates.
      
        Intel grew displayport MST audio support which is hopefully useful to
        people, and FBC is on by default for GEN9+ (so people know where to
        look for regressions). AMDGPU has a lot of fixes that would like new
        firmware files installed for some GPUs.
      
        Other than that it's pretty scattered all over.
      
        I may have a follow up pull request as I know BenH has a bunch of AST
        rework and fixes and I'd like to get those in once they've been tested
        by AST, and I've got at least one pull request I'm just trying to get
        the author to fix up.
      
        Core:
         - drm_mm reworked
         - Connector list locking and iterators
         - Documentation updates
         - Format handling rework
         - MMU-less support for fbdev helpers
         - drm_crtc_from_index helper
         - Core CRC API
         - Remove drm_framebuffer_unregister_private
         - Debugfs cleanup
         - EDID/Infoframe fixes
         - Release callback
         - Tinydrm support (smaller drivers for simple hw)
      
        panel:
         - Add support for some new simple panels
      
        i915:
         - FBC by default for gen9+
         - Shared dpll cleanups and docs
         - GEN8 powerdomain cleanup
         - DMC support on GLK
         - DP MST audio support
         - HuC loading support
         - GVT init ordering fixes
         - GVT IOMMU workaround fix
      
        amdgpu/radeon:
         - Power/clockgating improvements
         - Preliminary SR-IOV support
         - TTM buffer priority and eviction fixes
         - SI DPM quirks removed due to firmware fixes
         - Powerplay improvements
         - VCE/UVD powergating fixes
         - Cleanup SI GFX code to match CI/VI
         - Support for > 2 displays on 3/5 crtc asics
         - SI headless fixes
      
        nouveau:
         - Rework securre boot code in prep for GP10x secure boot
         - Channel recovery improvements
         - Initial power budget code
         - MMU rework preperation
      
        vmwgfx:
         - Bunch of fixes and cleanups
      
        exynos:
         - Runtime PM support for MIC driver
         - Cleanups to use atomic helpers
         - UHD Support for TM2/TM2E boards
         - Trigger mode fix for Rinato board
      
        etnaviv:
         - Shader performance fix
         - Command stream validator fixes
         - Command buffer suballocator
      
        rockchip:
         - CDN DisplayPort support
         - IOMMU support for arm64 platform
      
        imx-drm:
         - Fix i.MX5 TV encoder probing
         - Remove lower fb size limits
      
        msm:
         - Support for HW cursor on MDP5 devices
         - DSI encoder cleanup
         - GPU DT bindings cleanup
      
        sti:
         - stih410 cleanups
         - Create fbdev at binding
         - HQVDP fixes
         - Remove stih416 chip functionality
         - DVI/HDMI mode selection fixes
         - FPS statistic reporting
      
        omapdrm:
         - IRQ code cleanup
      
        dwi-hdmi bridge:
         - Cleanups and fixes
      
        adv-bridge:
         - Updates for nexus
      
        sii8520 bridge:
         - Add interlace mode support
         - Rework HDMI and lots of fixes
      
        qxl:
         - probing/teardown cleanups
      
        ZTE drm:
         - HDMI audio via SPDIF interface
         - Video Layer overlay plane support
         - Add TV encoder output device
      
        atmel-hlcdc:
         - Rework fbdev creation logic
      
        tegra:
         - OF node fix
      
        fsl-dcu:
         - Minor fixes
      
        mali-dp:
         - Assorted fixes
      
        sunxi:
         - Minor fix"
      
      [ This was the "fixed" pull, that still had build warnings due to people
        not even having build tested the result. I'm not a happy camper
      
        I've fixed the things I noticed up in this merge.      - Linus ]
      
      * tag 'drm-for-v4.11-less-shouty' of git://people.freedesktop.org/~airlied/linux: (1177 commits)
        lib/Kconfig: make PRIME_NUMBERS not user selectable
        drm/tinydrm: helpers: Properly fix backlight dependency
        drm/tinydrm: mipi-dbi: Fix field width specifier warning
        drm/tinydrm: mipi-dbi: Silence: ‘cmd’ may be used uninitialized
        drm/sti: fix build warnings in sti_drv.c and sti_vtg.c files
        drm/amd/powerplay: fix PSI feature on Polars12
        drm/amdgpu: refuse to reserve io mem for split VRAM buffers
        drm/ttm: fix use-after-free races in vm fault handling
        drm/tinydrm: Add support for Multi-Inno MI0283QT display
        dt-bindings: Add Multi-Inno MI0283QT binding
        dt-bindings: display/panel: Add common rotation property
        of: Add vendor prefix for Multi-Inno
        drm/tinydrm: Add MIPI DBI support
        drm/tinydrm: Add helper functions
        drm: Add DRM support for tiny LCD displays
        drm/amd/amdgpu: post card if there is real hw resetting performed
        drm/nouveau/tmr: provide backtrace when a timeout is hit
        drm/nouveau/pci/g92: Fix rearm
        drm/nouveau/drm/therm/fan: add a fallback if no fan control is specified in the vbios
        drm/nouveau/hwmon: expose power_max and power_crit
        ..
      ef96152e
    • Dave Airlie's avatar
      lib/Kconfig: make PRIME_NUMBERS not user selectable. · 64a57719
      Dave Airlie authored
      Linus doesn't like it user selectable, so kill it until
      someone needs it for something else.
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      64a57719