1. 27 Sep, 2018 2 commits
    • Eric Farman's avatar
      s390/cio: Refactor alloc of ccw_io_region · bf42daed
      Eric Farman authored
      If I attach a vfio-ccw device to my guest, I get the following warning
      on the host when the host kernel is CONFIG_HARDENED_USERCOPY=y
      
      [250757.595325] Bad or missing usercopy whitelist? Kernel memory overwrite attempt detected to SLUB object 'dma-kmalloc-512' (offset 64, size 124)!
      [250757.595365] WARNING: CPU: 2 PID: 10958 at mm/usercopy.c:81 usercopy_warn+0xac/0xd8
      [250757.595369] Modules linked in: kvm vhost_net vhost tap xt_CHECKSUM iptable_mangle ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack libcrc32c devlink tun bridge stp llc ebtable_filter ebtables ip6table_filter ip6_tables sunrpc dm_multipath s390_trng crc32_vx_s390 ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha1_s390 eadm_sch tape_3590 tape tape_class qeth_l2 qeth ccwgroup vfio_ccw vfio_mdev zcrypt_cex4 mdev vfio_iommu_type1 zcrypt vfio sha256_s390 sha_common zfcp scsi_transport_fc qdio dasd_eckd_mod dasd_mod
      [250757.595424] CPU: 2 PID: 10958 Comm: CPU 2/KVM Not tainted 4.18.0-derp #2
      [250757.595426] Hardware name: IBM 3906 M05 780 (LPAR)
      ...snip regs...
      [250757.595523] Call Trace:
      [250757.595529] ([<0000000000349210>] usercopy_warn+0xa8/0xd8)
      [250757.595535]  [<000000000032daaa>] __check_heap_object+0xfa/0x160
      [250757.595540]  [<0000000000349396>] __check_object_size+0x156/0x1d0
      [250757.595547]  [<000003ff80332d04>] vfio_ccw_mdev_write+0x74/0x148 [vfio_ccw]
      [250757.595552]  [<000000000034ed12>] __vfs_write+0x3a/0x188
      [250757.595556]  [<000000000034f040>] vfs_write+0xa8/0x1b8
      [250757.595559]  [<000000000034f4e6>] ksys_pwrite64+0x86/0xc0
      [250757.595568]  [<00000000008959a0>] system_call+0xdc/0x2b0
      [250757.595570] Last Breaking-Event-Address:
      [250757.595573]  [<0000000000349210>] usercopy_warn+0xa8/0xd8
      
      While vfio_ccw_mdev_{write|read} validates that the input position/count
      does not run over the ccw_io_region struct, the usercopy code that does
      copy_{to|from}_user doesn't necessarily know this. It sees the variable
      length and gets worried that it's affecting a normal kmalloc'd struct,
      and generates the above warning.
      
      Adjust how the ccw_io_region is alloc'd with a whitelist to remove this
      warning. The boundary checking will continue to do its thing.
      Signed-off-by: default avatarEric Farman <farman@linux.ibm.com>
      Message-Id: <20180921204013.95804-3-farman@linux.ibm.com>
      Signed-off-by: default avatarCornelia Huck <cohuck@redhat.com>
      bf42daed
    • Eric Farman's avatar
      s390/cio: Convert ccw_io_region to pointer · c98e16b2
      Eric Farman authored
      In the event that we want to change the layout of the ccw_io_region in the
      future[1], it might be easier to work with it as a pointer within the
      vfio_ccw_private struct rather than an embedded struct.
      
      [1] https://patchwork.kernel.org/comment/22228541/Signed-off-by: default avatarEric Farman <farman@linux.ibm.com>
      Message-Id: <20180921204013.95804-2-farman@linux.ibm.com>
      Signed-off-by: default avatarCornelia Huck <cohuck@redhat.com>
      c98e16b2
  2. 20 Sep, 2018 3 commits
    • Gerald Schaefer's avatar
      s390/hibernate: fix error handling when suspend cpu != resume cpu · 55a5542a
      Gerald Schaefer authored
      The resume code checks if the resume cpu is the same as the suspend cpu.
      If not, and if it is also not possible to switch to the suspend cpu, an
      error message should be printed and the resume process should be stopped
      by loading a disabled wait psw.
      
      The current logic is broken in multiple ways, the message is never printed,
      and the disabled wait psw never loaded because the kernel panics before that:
      - sam31 and SIGP_SET_ARCHITECTURE to ESA mode is wrong, this will break
        on the first 64bit instruction in sclp_early_printk().
      - The init stack should be used, but the stack pointer is not set up correctly
        (missing aghi %r15,-STACK_FRAME_OVERHEAD).
      - __sclp_early_printk() checks the sclp_init_state. If it is not
        sclp_init_state_uninitialized, it simply returns w/o printing anything.
        In the resumed kernel however, sclp_init_state will never be uninitialized.
      
      This patch fixes those issues by removing the sam31/ESA logic, adding a
      correct init stack pointer, and also introducing sclp_early_printk_force()
      to allow using sclp_early_printk() even when sclp_init_state is not
      uninitialized.
      Reviewed-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarGerald Schaefer <gerald.schaefer@de.ibm.com>
      Signed-off-by: default avatarMartin Schwidefsky <schwidefsky@de.ibm.com>
      55a5542a
    • Greg Kroah-Hartman's avatar
      Merge tag 'mtd/fixes-for-4.19-rc5' of git://git.infradead.org/linux-mtd · 4b92e7fd
      Greg Kroah-Hartman authored
      Boris writes:
        "- Fixes a bug in the ->read/write_reg() implementation of the m25p80
           driver
         - Make sure of_node_get/put() calls are balanced in the partition
           parsing code
         - Fix a race in the denali NAND controller driver
         - Fix false positive WARN_ON() in the marvell NAND controller driver"
      
      * tag 'mtd/fixes-for-4.19-rc5' of git://git.infradead.org/linux-mtd:
        mtd: devices: m25p80: Make sure the buffer passed in op is DMA-able
        mtd: partitions: fix unbalanced of_node_get/put()
        mtd: rawnand: denali: fix a race condition when DMA is kicked
        mtd: rawnand: marvell: prevent harmless warnings
      4b92e7fd
    • Greg Kroah-Hartman's avatar
      Merge tag 'sound-4.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · d8292084
      Greg Kroah-Hartman authored
      Takashi writes:
        "sound fixes for 4.19-rc5
      
         here comes a collection of various fixes, mostly for stable-tree
         or regression fixes.
      
         Two relatively high LOCs are about the (rather simple) conversion of
         uapi integer types in topology API, and a regression fix about HDMI
         hotplug notification on AMD HD-audio.  The rest are all small
         individual fixes like ASoC Intel Skylake race condition, minor
         uninitialized page leak in emu10k1 ioctl, Firewire audio error paths,
         and so on."
      
      * tag 'sound-4.19-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound: (33 commits)
        ALSA: fireworks: fix memory leak of response buffer at error path
        ALSA: oxfw: fix memory leak of discovered stream formats at error path
        ALSA: oxfw: fix memory leak for model-dependent data at error path
        ALSA: bebob: fix memory leak for M-Audio FW1814 and ProjectMix I/O at error path
        ALSA: hda - Enable runtime PM only for discrete GPU
        ALSA: oxfw: fix memory leak of private data
        ALSA: firewire-tascam: fix memory leak of private data
        ALSA: firewire-digi00x: fix memory leak of private data
        sound: don't call skl_init_chip() to reset intel skl soc
        sound: enable interrupt after dma buffer initialization
        Revert "ASoC: Intel: Skylake: Acquire irq after RIRB allocation"
        ALSA: emu10k1: fix possible info leak to userspace on SNDRV_EMU10K1_IOCTL_INFO
        ASoC: cs4265: fix MMTLR Data switch control
        ASoC: AMD: Ensure reset bit is cleared before configuring
        ALSA: fireface: fix memory leak in ff400_switch_fetching_mode()
        ALSA: bebob: use address returned by kmalloc() instead of kernel stack for streaming DMA mapping
        ASoC: rsnd: don't fallback to PIO mode when -EPROBE_DEFER
        ASoC: rsnd: adg: care clock-frequency size
        ASoC: uniphier: change status to orphan
        ASoC: rsnd: fixup not to call clk_get/set under non-atomic
        ...
      d8292084
  3. 19 Sep, 2018 5 commits
  4. 18 Sep, 2018 12 commits
  5. 17 Sep, 2018 18 commits
    • Vaibhav Nagarnaik's avatar
      ring-buffer: Allow for rescheduling when removing pages · 83f36555
      Vaibhav Nagarnaik authored
      When reducing ring buffer size, pages are removed by scheduling a work
      item on each CPU for the corresponding CPU ring buffer. After the pages
      are removed from ring buffer linked list, the pages are free()d in a
      tight loop. The loop does not give up CPU until all pages are removed.
      In a worst case behavior, when lot of pages are to be freed, it can
      cause system stall.
      
      After the pages are removed from the list, the free() can happen while
      the work is rescheduled. Call cond_resched() in the loop to prevent the
      system hangup.
      
      Link: http://lkml.kernel.org/r/20180907223129.71994-1-vnagarnaik@google.com
      
      Cc: stable@vger.kernel.org
      Fixes: 83f40318 ("ring-buffer: Make removal of ring buffer pages atomic")
      Reported-by: default avatarJason Behmer <jbehmer@google.com>
      Signed-off-by: default avatarVaibhav Nagarnaik <vnagarnaik@google.com>
      Signed-off-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      83f36555
    • Greg Kroah-Hartman's avatar
      Merge tag 'spi-fix-v4.19-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi · 3918c21e
      Greg Kroah-Hartman authored
      Mark writes:
        "spi: Fixes for v4.19
      
        As well as one driver fix there's a couple of fixes here which address
        issues with the use of IDRs for allocation of dynamic bus numbers,
        ensuring that dynamic bus numbers interact well with static bus numbers
        assigned via DT and otherwise."
      
      * tag 'spi-fix-v4.19-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
        spi: spi-fsl-dspi: fix broken DSPI_EOQ_MODE
        spi: Fix double IDR allocation with DT aliases
        spi: fix IDR collision on systems with both fixed and dynamic SPI bus numbers
      3918c21e
    • Takashi Iwai's avatar
      Merge tag 'asoc-v4.19-rc4' of... · 196f4eee
      Takashi Iwai authored
      Merge tag 'asoc-v4.19-rc4' of https://git.kernel.org/pub/scm/linux/kernel/git/broonie/sound into for-linus
      
      ASoC: Fixes for v4.19
      
      This is the usual set of small fixes scatterd around various drivers,
      plus one fix for DAPM and a UAPI build fix.  There's not a huge amount
      that stands out here relative to anything else.
      196f4eee
    • zhong jiang's avatar
      net: ethernet: Fix a unused function warning. · c7348091
      zhong jiang authored
      Fix the following compile warning:
      
      drivers/net/ethernet/microchip/lan743x_main.c:2964:12: warning: ‘lan743x_pm_suspend’ defined but not used [-Wunused-function]
       static int lan743x_pm_suspend(struct device *dev)
      drivers/net/ethernet/microchip/lan743x_main.c:2987:12: warning: ‘lan743x_pm_resume’ defined but not used [-Wunused-function]
       static int lan743x_pm_resume(struct device *dev)
      Signed-off-by: default avatarzhong jiang <zhongjiang@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c7348091
    • Andrew Lunn's avatar
      net: dsa: mv88e6xxx: Fix ATU Miss Violation · ddca24df
      Andrew Lunn authored
      Fix a cut/paste error and a typo which results in ATU miss violations
      not being reported.
      
      Fixes: 0977644c ("net: dsa: mv88e6xxx: Decode ATU problem interrupt")
      Signed-off-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ddca24df
    • Daniel Borkmann's avatar
      tls: fix currently broken MSG_PEEK behavior · 50c6b58a
      Daniel Borkmann authored
      In kTLS MSG_PEEK behavior is currently failing, strace example:
      
        [pid  2430] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
        [pid  2430] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
        [pid  2430] bind(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
        [pid  2430] listen(4, 10)               = 0
        [pid  2430] getsockname(4, {sa_family=AF_INET, sin_port=htons(38855), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
        [pid  2430] connect(3, {sa_family=AF_INET, sin_port=htons(38855), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
        [pid  2430] setsockopt(3, SOL_TCP, 0x1f /* TCP_??? */, [7564404], 4) = 0
        [pid  2430] setsockopt(3, 0x11a /* SOL_?? */, 1, "\3\0033\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 40) = 0
        [pid  2430] accept(4, {sa_family=AF_INET, sin_port=htons(49636), sin_addr=inet_addr("127.0.0.1")}, [16]) = 5
        [pid  2430] setsockopt(5, SOL_TCP, 0x1f /* TCP_??? */, [7564404], 4) = 0
        [pid  2430] setsockopt(5, 0x11a /* SOL_?? */, 2, "\3\0033\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 40) = 0
        [pid  2430] close(4)                    = 0
        [pid  2430] sendto(3, "test_read_peek", 14, 0, NULL, 0) = 14
        [pid  2430] sendto(3, "_mult_recs\0", 11, 0, NULL, 0) = 11
        [pid  2430] recvfrom(5, "test_read_peektest_read_peektest"..., 64, MSG_PEEK, NULL, NULL) = 64
      
      As can be seen from strace, there are two TLS records sent,
      i) 'test_read_peek' and ii) '_mult_recs\0' where we end up
      peeking 'test_read_peektest_read_peektest'. This is clearly
      wrong, and what happens is that given peek cannot call into
      tls_sw_advance_skb() to unpause strparser and proceed with
      the next skb, we end up looping over the current one, copying
      the 'test_read_peek' over and over into the user provided
      buffer.
      
      Here, we can only peek into the currently held skb (current,
      full TLS record) as otherwise we would end up having to hold
      all the original skb(s) (depending on the peek depth) in a
      separate queue when unpausing strparser to process next
      records, minimally intrusive is to return only up to the
      current record's size (which likely was what c46234eb
      ("tls: RX path for ktls") originally intended as well). Thus,
      after patch we properly peek the first record:
      
        [pid  2046] wait4(2075,  <unfinished ...>
        [pid  2075] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 3
        [pid  2075] socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 4
        [pid  2075] bind(4, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
        [pid  2075] listen(4, 10)               = 0
        [pid  2075] getsockname(4, {sa_family=AF_INET, sin_port=htons(55115), sin_addr=inet_addr("0.0.0.0")}, [16]) = 0
        [pid  2075] connect(3, {sa_family=AF_INET, sin_port=htons(55115), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
        [pid  2075] setsockopt(3, SOL_TCP, 0x1f /* TCP_??? */, [7564404], 4) = 0
        [pid  2075] setsockopt(3, 0x11a /* SOL_?? */, 1, "\3\0033\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 40) = 0
        [pid  2075] accept(4, {sa_family=AF_INET, sin_port=htons(45732), sin_addr=inet_addr("127.0.0.1")}, [16]) = 5
        [pid  2075] setsockopt(5, SOL_TCP, 0x1f /* TCP_??? */, [7564404], 4) = 0
        [pid  2075] setsockopt(5, 0x11a /* SOL_?? */, 2, "\3\0033\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 40) = 0
        [pid  2075] close(4)                    = 0
        [pid  2075] sendto(3, "test_read_peek", 14, 0, NULL, 0) = 14
        [pid  2075] sendto(3, "_mult_recs\0", 11, 0, NULL, 0) = 11
        [pid  2075] recvfrom(5, "test_read_peek", 64, MSG_PEEK, NULL, NULL) = 14
      
      Fixes: c46234eb ("tls: RX path for ktls")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50c6b58a
    • David S. Miller's avatar
      Merge branch 'hv_netvsc-associate-VF-and-PV-device-by-serial-number' · aa079bd0
      David S. Miller authored
      Stephen Hemminger says:
      
      ====================
      hv_netvsc: associate VF and PV device by serial number
      
      The Hyper-V implementation of PCI controller has concept of 32 bit serial number
      (not to be confused with PCI-E serial number).  This value is sent in the protocol
      from the host to indicate SR-IOV VF device is attached to a synthetic NIC.
      
      Using the serial number (instead of MAC address) to associate the two devices
      avoids lots of potential problems when there are duplicate MAC addresses from
      tunnels or layered devices.
      
      The patch set is broken into two parts, one is for the PCI controller
      and the other is for the netvsc device. Normally, these go through different
      trees but sending them together here for better review. The PCI changes
      were submitted previously, but the main review comment was "why do you
      need this?". This is why.
      
      v2 - slot name can be shorter.
           remove locking when creating pci_slots; see comment for explaination
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      aa079bd0
    • Stephen Hemminger's avatar
      hv_netvsc: pair VF based on serial number · 00d7ddba
      Stephen Hemminger authored
      Matching network device based on MAC address is problematic
      since a non VF network device can be creted with a duplicate MAC
      address causing confusion and problems.  The VMBus API does provide
      a serial number that is a better matching method.
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      00d7ddba
    • Stephen Hemminger's avatar
      PCI: hv: support reporting serial number as slot information · a15f2c08
      Stephen Hemminger authored
      The Hyper-V host API for PCI provides a unique "serial number" which
      can be used as basis for sysfs PCI slot table. This can be useful
      for cases where userspace wants to find the PCI device based on
      serial number.
      
      When an SR-IOV NIC is added, the host sends an attach message
      with serial number. The kernel doesn't use the serial number, but
      it is useful when doing the same thing in a userspace driver such
      as the DPDK. By having /sys/bus/pci/slots/N it provides a direct
      way to find the matching PCI device.
      
      There maybe some cases where serial number is not unique such
      as when using GPU's. But the PCI slot infrastructure will handle
      that.
      
      This has a side effect which may also be useful. The common udev
      network device naming policy uses the slot information (rather
      than PCI address).
      Signed-off-by: default avatarStephen Hemminger <sthemmin@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a15f2c08
    • Michael Chan's avatar
      bnxt_en: Fix VF mac address regression. · 28ea334b
      Michael Chan authored
      The recent commit to always forward the VF MAC address to the PF for
      approval may not work if the PF driver or the firmware is older.  This
      will cause the VF driver to fail during probe:
      
        bnxt_en 0000:00:03.0 (unnamed net_device) (uninitialized): hwrm req_type 0xf seq id 0x5 error 0xffff
        bnxt_en 0000:00:03.0 (unnamed net_device) (uninitialized): VF MAC address 00:00:17:02:05:d0 not approved by the PF
        bnxt_en 0000:00:03.0: Unable to initialize mac address.
        bnxt_en: probe of 0000:00:03.0 failed with error -99
      
      We fix it by treating the error as fatal only if the VF MAC address is
      locally generated by the VF.
      
      Fixes: 707e7e96 ("bnxt_en: Always forward VF MAC address to the PF.")
      Reported-by: default avatarSeth Forshee <seth.forshee@canonical.com>
      Reported-by: default avatarSiwei Liu <loseweigh@gmail.com>
      Signed-off-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      28ea334b
    • Eric Dumazet's avatar
      ipv6: fix possible use-after-free in ip6_xmit() · bbd6528d
      Eric Dumazet authored
      In the unlikely case ip6_xmit() has to call skb_realloc_headroom(),
      we need to call skb_set_owner_w() before consuming original skb,
      otherwise we risk a use-after-free.
      
      Bring IPv6 in line with what we do in IPv4 to fix this.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bbd6528d
    • Colin Ian King's avatar
      net: hp100: fix always-true check for link up state · a7f38002
      Colin Ian King authored
      The operation ~(p100_inb(VG_LAN_CFG_1) & HP100_LINK_UP) returns a value
      that is always non-zero and hence the wait for the link to drop always
      terminates prematurely.  Fix this by using a logical not operator instead
      of a bitwise complement.  This issue has been in the driver since
      pre-2.6.12-rc2.
      
      Detected by CoverityScan, CID#114157 ("Logical vs. bitwise operator")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a7f38002
    • Nicolas Ferre's avatar
      ARM: dts: at91: add new compatibility string for macb on sama5d3 · 321cc359
      Nicolas Ferre authored
      We need this new compatibility string as we experienced different behavior
      for this 10/100Mbits/s macb interface on this particular SoC.
      Backward compatibility is preserved as we keep the alternative strings.
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      321cc359
    • Nicolas Ferre's avatar
      net: macb: disable scatter-gather for macb on sama5d3 · eb4ed8e2
      Nicolas Ferre authored
      Create a new configuration for the sama5d3-macb new compatibility string.
      This configuration disables scatter-gather because we experienced lock down
      of the macb interface of this particular SoC under very high load.
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      eb4ed8e2
    • Antoine Tenart's avatar
      net: mvpp2: let phylink manage the carrier state · 41948ccb
      Antoine Tenart authored
      Net drivers using phylink shouldn't mess with the link carrier
      themselves and should let phylink manage it. The mvpp2 driver wasn't
      following this best practice as the mac_config() function made calls to
      change the link carrier state. This led to wrongly reported carrier link
      state which then triggered other issues. This patch fixes this
      behaviour.
      
      But the PPv2 driver relied on this misbehaviour in two cases: for fixed
      links and when not using phylink (ACPI mode). The later was fixed by
      adding an explicit call to link_up(), which when the ACPI mode will use
      phylink should be removed.
      
      The fixed link case was relying on the mac_config() function to set the
      link up, as we found an issue in phylink_start() which assumes the
      carrier is off. If not, the link_up() function is never called. To fix
      this, a call to netif_carrier_off() is added just before phylink_start()
      so that we do not introduce a regression in the driver.
      
      Fixes: 4bb04326 ("net: mvpp2: phylink support")
      Reported-by: default avatarRussell King <linux@armlinux.org.uk>
      Signed-off-by: default avatarAntoine Tenart <antoine.tenart@bootlin.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      41948ccb
    • Guillaume Nault's avatar
      pppoe: fix reception of frames with no mac header · 8540827e
      Guillaume Nault authored
      pppoe_rcv() needs to look back at the Ethernet header in order to
      lookup the PPPoE session. Therefore we need to ensure that the mac
      header is big enough to contain an Ethernet header. Otherwise
      eth_hdr(skb)->h_source might access invalid data.
      
      ==================================================================
      BUG: KMSAN: uninit-value in __get_item drivers/net/ppp/pppoe.c:172 [inline]
      BUG: KMSAN: uninit-value in get_item drivers/net/ppp/pppoe.c:236 [inline]
      BUG: KMSAN: uninit-value in pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
      CPU: 0 PID: 4543 Comm: syz-executor355 Not tainted 4.16.0+ #87
      Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
      01/01/2011
      Call Trace:
       __dump_stack lib/dump_stack.c:17 [inline]
       dump_stack+0x185/0x1d0 lib/dump_stack.c:53
       kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
       __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
       __get_item drivers/net/ppp/pppoe.c:172 [inline]
       get_item drivers/net/ppp/pppoe.c:236 [inline]
       pppoe_rcv+0xcef/0x10e0 drivers/net/ppp/pppoe.c:450
       __netif_receive_skb_core+0x47df/0x4a90 net/core/dev.c:4562
       __netif_receive_skb net/core/dev.c:4627 [inline]
       netif_receive_skb_internal+0x49d/0x630 net/core/dev.c:4701
       netif_receive_skb+0x230/0x240 net/core/dev.c:4725
       tun_rx_batched drivers/net/tun.c:1555 [inline]
       tun_get_user+0x740f/0x7c60 drivers/net/tun.c:1962
       tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
       call_write_iter include/linux/fs.h:1782 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
       vfs_write+0x463/0x8d0 fs/read_write.c:544
       SYSC_write+0x172/0x360 fs/read_write.c:589
       SyS_write+0x55/0x80 fs/read_write.c:581
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      RIP: 0033:0x4447c9
      RSP: 002b:00007fff64c8fc28 EFLAGS: 00000297 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00000000004447c9
      RDX: 000000000000fd87 RSI: 0000000020000600 RDI: 0000000000000004
      RBP: 00000000006cf018 R08: 00007fff64c8fda8 R09: 00007fff00006bda
      R10: 0000000000005fe7 R11: 0000000000000297 R12: 00000000004020d0
      R13: 0000000000402160 R14: 0000000000000000 R15: 0000000000000000
      
      Uninit was created at:
       kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
       kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
       kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
       kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
       slab_post_alloc_hook mm/slab.h:445 [inline]
       slab_alloc_node mm/slub.c:2737 [inline]
       __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
       __kmalloc_reserve net/core/skbuff.c:138 [inline]
       __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
       alloc_skb include/linux/skbuff.h:984 [inline]
       alloc_skb_with_frags+0x1d4/0xb20 net/core/skbuff.c:5234
       sock_alloc_send_pskb+0xb56/0x1190 net/core/sock.c:2085
       tun_alloc_skb drivers/net/tun.c:1532 [inline]
       tun_get_user+0x2242/0x7c60 drivers/net/tun.c:1829
       tun_chr_write_iter+0x1d4/0x330 drivers/net/tun.c:1990
       call_write_iter include/linux/fs.h:1782 [inline]
       new_sync_write fs/read_write.c:469 [inline]
       __vfs_write+0x7fb/0x9f0 fs/read_write.c:482
       vfs_write+0x463/0x8d0 fs/read_write.c:544
       SYSC_write+0x172/0x360 fs/read_write.c:589
       SyS_write+0x55/0x80 fs/read_write.c:581
       do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
       entry_SYSCALL_64_after_hwframe+0x3d/0xa2
      ==================================================================
      
      Fixes: 224cf5ad ("ppp: Move the PPP drivers")
      Reported-by: syzbot+f5f6080811c849739212@syzkaller.appspotmail.com
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8540827e
    • Corentin Labbe's avatar
      net: ethernet: ti: add missing GENERIC_ALLOCATOR dependency · f025571e
      Corentin Labbe authored
      This patch mades TI_DAVINCI_CPDMA select GENERIC_ALLOCATOR.
      without that, the following sparc64 build failure happen
      
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `cpdma_check_free_tx_desc':
      (.text+0x278): undefined reference to `gen_pool_avail'
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `cpdma_chan_submit':
      (.text+0x340): undefined reference to `gen_pool_alloc'
      (.text+0x5c4): undefined reference to `gen_pool_free'
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `__cpdma_chan_free':
      davinci_cpdma.c:(.text+0x64c): undefined reference to `gen_pool_free'
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `cpdma_desc_pool_destroy.isra.6':
      davinci_cpdma.c:(.text+0x17ac): undefined reference to `gen_pool_size'
      davinci_cpdma.c:(.text+0x17b8): undefined reference to `gen_pool_avail'
      davinci_cpdma.c:(.text+0x1824): undefined reference to `gen_pool_size'
      davinci_cpdma.c:(.text+0x1830): undefined reference to `gen_pool_avail'
      drivers/net/ethernet/ti/davinci_cpdma.o: In function `cpdma_ctlr_create':
      (.text+0x19f8): undefined reference to `devm_gen_pool_create'
      (.text+0x1a90): undefined reference to `gen_pool_add_virt'
      Makefile:1011: recipe for target 'vmlinux' failed
      Signed-off-by: default avatarCorentin Labbe <clabbe@baylibre.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f025571e
    • Miquel Raynal's avatar
      mtd: partitions: fix unbalanced of_node_get/put() · 85516a98
      Miquel Raynal authored
      While at first mtd_part_of_parse() would just call
      of_get_chil_by_name(), it has been patched to deal with sub-partitions
      and will now directly manipulate the node returned by mtd_get_of_node()
      if the MTD device is a partition.
      
      A of_node_put() was a bit below in the code, to balance the
      of_get_child_by_name(). However, despite its name, mtd_get_of_node()
      does not take a reference on the OF node. It is a simple helper hiding
      some pointer logic to retrieve the OF node related to an MTD
      device.
      
      The direct effect of such unbalanced reference counting is visible by
      rmmod'ing any module that would have added MTD partitions:
      
          OF: ERROR: Bad of_node_put() on <of_path_to_partition>
      
      As it seems normal to get a reference on the OF node during the
      of_property_for_each_string() that follows, add a call to
      of_node_get() when relevant.
      
      Fixes: 76a83225 ("mtd: partitions: use DT info for parsing partitions with "compatible" prop")
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMiquel Raynal <miquel.raynal@bootlin.com>
      Signed-off-by: default avatarBoris Brezillon <boris.brezillon@bootlin.com>
      85516a98