2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-27 14:43:58 +08:00
Commit Graph

723334 Commits

Author SHA1 Message Date
Linus Torvalds
0fc0f18bed Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6
Pull crypto fixes from Herbert Xu:
 "This fixes the following issues:

   - fix chacha20 crash on zero-length input due to unset IV

   - fix potential race conditions in mcryptd with spinlock

   - only wait once at top of algif recvmsg to avoid inconsistencies

   - fix potential use-after-free in algif_aead/algif_skcipher"

* 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
  crypto: af_alg - fix race accessing cipher request
  crypto: mcryptd - protect the per-CPU queue with a lock
  crypto: af_alg - wait for data at beginning of recvmsg
  crypto: skcipher - set walk.iv for zero-length inputs
2017-12-22 12:22:48 -08:00
Linus Torvalds
6ed16756cc A single pin control fix for Intel machines, affecting a bunch of
Chromebooks.
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJaPRcSAAoJEEEQszewGV1zfWsP/RICiFsyWIND/Yqjh/nPYIDG
 xHnP2OuKCTJWzU8VmPxHhSoDTzYp8UMpQnhDbtTtWv2f/okarSx4CZoYIO1SKr4v
 9Eheb39AOBQW84w1Bk7l7eyyZ68Wpku4RPtYrKPjYIik5U6qagFgVS/tXXXdPP4s
 I3d/zDv5023V+KcQsEOVZvuY+90W4Ujm//5Jf9AiXw9OFk1LNlbbdZKWmQGr43dG
 TEIDMKSDNKHLTP4x/2oixDLHG99aWC8z9nbU3fMXmUwSdIqLXkgWb3+JlI196Z3h
 3ahYL0zr8OExvnqW0Ng4MsIp2fbY5EdbYID5q9MXh/TFZSsV0JytBUBwAVVssUXg
 CTbzxOuoZO8zY7sb8TaU4uFcul6LA3Gynumwl0pCdJES7N+M6WiAPGygPSQRsgAp
 40o5u5jWKvmmm0LsfQAz19k3ly6RkUH/ZiJzQm8aGa1A7iXrJcR+QFdMrhh4Y6l0
 TmQly9OVDw5qCWH/X0ycQH7+5nQPZOnSZlnCqMDhGowE8IOGulwNsd8oaWhJRlwW
 H254k3VoiqGxQbDpEH4xQ5iLccKkfiNzr6yXgV9eFzTb+a+6K44bfCDO8n4YDcL2
 fm0b0t8Ah9wzc+o9dpgOEEuuUBLSGctVdB5oMJODABcwF+2Xx9UB2TI+nn5PfSRJ
 tkcOtVJbo7TDZ+TvfbUA
 =LwR+
 -----END PGP SIGNATURE-----

Merge tag 'pinctrl-v4.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl

Pull pin control fix from Linus Walleij:
 "A single pin control fix for Intel machines, affecting a bunch of
  Chromebooks. Nothing else collected up amazingly"

* tag 'pinctrl-v4.15-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
  pinctrl: cherryview: Mask all interrupts on Intel_Strago based systems
2017-12-22 12:21:12 -08:00
Linus Torvalds
e7ae59cb4b i915, nouveau, sun4i, amd, ttm and core drm fixes
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABAgAGBQJaPIcmAAoJEAx081l5xIa+kusP/RMXDXgMwSYT4pRdBnTPu5TD
 IqmKdeO5RF4+bBhYmWs/bEglnftLs8RdMCpmxR63ATF2hmDrdEUj9tjwYvaiVN1/
 qC4UoJaOPmuQlrz/Aiyax9cgsAtvHyqXf/h2j6HxEkmzTasS/o9akj0D5NBeDBZ2
 vDUpCYUv3bubE0y+8SlygWtU+O0Di7HZpMMCBq/V6Obqi8YNt7azN9OM/xOR2bhc
 KLtu7xVVzSzX1uuwQK6tuBMoJgS/6yd1EWiqsVTZhsYqYI6nM5uno0lKnD0ARSi+
 zyj/O69iYjqRny368zIG64mulCnAQQgajDNbjqJaQA29PPMbdK4JYfFv0tFM3EU1
 hC1TmWbNeO4ck7n6aVFUAzvJpr1EQkl5nRaA9x9Z0U+ZS/gtZRpFaeZ5SQYfsX+2
 r8i44jIPbWXFaaWaRcu2qJYpbhxpFiPhsZzuEOSD68Nn2YPN0rNY2tZRaSAuAfDj
 v1q0iKRXzEhAgbkOJcCzJdKY6uuGv31HwoVtOwdlXaLoLr2U3HsrjXW9t7sPyoj8
 qz/KplcyDCLxaB/wbCxald1L/hyWdrIWntHuTH0wkpiITufC1bA54iGKdD8Vws9y
 ljPBWyJh4nIqp3O7HEHyk7LoiHj9s/oX8wuFPPuA8yfPzTqrWi/7w9k0fqe67jeq
 atvNsJDUyWF6rpIwT8yo
 =yyuL
 -----END PGP SIGNATURE-----

Merge tag 'drm-fixes-for-v4.15-rc5' of git://people.freedesktop.org/~airlied/linux

Pull drm fixes from Dave Airlie:
 "I've got most of two weeks worth of fixes here due to being on
  holidays last week.

  The main things are:

  - Core:
     * Syncobj fd reference count fix
     * Leasing ioctl misuse fix

   - nouveau regression fixes

   - further amdgpu DC fixes

   - sun4i regression fixes

  I'm not sure I'll see many fixes over next couple of weeks, we'll see
  how we go"

* tag 'drm-fixes-for-v4.15-rc5' of git://people.freedesktop.org/~airlied/linux: (27 commits)
  drm/syncobj: Stop reusing the same struct file for all syncobj -> fd
  drm: move lease init after validation in drm_lease_create
  drm/plane: Make framebuffer refcounting the responsibility of setplane_internal callers
  drm/sun4i: hdmi: Move the mode_valid callback to the encoder
  drm/nouveau: fix obvious memory leak
  drm/i915: Protect DDI port to DPLL map from theoretical race.
  drm/i915/lpe: Remove double-encapsulation of info string
  drm/sun4i: Fix error path handling
  drm/nouveau: use alternate memory type for system-memory buffers with kind != 0
  drm/nouveau: avoid GPU page sizes > PAGE_SIZE for buffer objects in host memory
  drm/nouveau/mmu/gp10b: use correct implementation
  drm/nouveau/pci: do a msi rearm on init
  drm/nouveau/imem/nv50: fix refcount_t warning
  drm/nouveau/bios/dp: support DP Info Table 2.0
  drm/nouveau/fbcon: fix NULL pointer access in nouveau_fbcon_destroy
  drm/amd/display: Fix rehook MST display not light back on
  drm/amd/display: fix missing pixel clock adjustment for dongle
  drm/amd/display: set chroma taps to 1 when not scaling
  drm/amd/display: add pipe locking before front end programing
  drm/sun4i: validate modes for HDMI
  ...
2017-12-22 11:51:01 -08:00
Linus Torvalds
7edc3f20ef Here's a trio of fixes:
- The runtime PM clk patches that landed this merge window forgot to
    runtime resume devices that may be off while recalculating and setting
    rates of child clks of whatever clk is changing rates.
 
  - We had a NULL pointer deref in an old clk tracepoint when clk_set_parent()
    is called with a NULL parent pointer. This shouldn't really happen, but
    it's best to avoid this regardless.
 
  - The sun9i-mmc clk driver didn't provide 'reset' support, just 'assert'
    and 'deassert' so the MMC driver stopped probing when the probe was changed
    to do a reset instead of assert/deassert pair. This implements the reset so
    things work again.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQIcBAABCAAGBQJaPDpGAAoJEK0CiJfG5JUlMvIP/AtbqPVztT+YvVEXZhs2bUqD
 oTxg6G0mH5kLe90D+HksXJDlorn7a2VEkEqlqTXEkHReEs8OLf5YgvKvf+YCD9Fp
 Ouvn8Hi9YMok81EYP+X/84dfHrhNiEpgnQLw4epR/8g0Q5odIHZVOpTPOUtFC7Hv
 EcEog3brXS4hcTABzbKVS2YC3eOchg3CxglGjTsogrT9IUN/R/SbXDIU2mzgVoXQ
 hJWkWC2YYIL1mREbnV9FS1jBOpMUkr6wrtFKIMB0ayy5d7bs9uXd0uw5Lh3fu5d0
 yrXstCqF5zdfnr/4garDVsp2G40ScJwepP6ixcfbf6czbT+wHNhKtahHwJCNSLh3
 t7taVnojSuBLAjgllufFq73OY8+UUGShnQz1zh37P2ndoeOra5ULUjKg6UdicS2w
 tkhgeKsZLLVmy8lNb83nqGNR/oU9zXcmvCRWW/3rvxE2RidvEqur/6GKQ1SnZuOP
 Ovp3HcLbn/pU7GcHI6ppn0RKYCyg/F67ES6UvU9/eizJRpnF+SzEOMkFH5IFn7TD
 rthPPNnpGaWiChXwzav6W+R/nS42iT9RwP+9mnDOGWtLAq7f5WBCV8ih7HSsDJzW
 4UhLswQQrW/7uPP6nezC25EQTtjPlLfiyJSwK5Suqd/6e/V4elzT3o4s3dBciLM9
 JTkXmwQCiefzwwifml58
 =kvSh
 -----END PGP SIGNATURE-----

Merge tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux

Pull clk fixes from Stephen Boyd:
 "Here's a trio of fixes:

   - The runtime PM clk patches that landed this merge window forgot to
     runtime resume devices that may be off while recalculating and
     setting rates of child clks of whatever clk is changing rates.

   - We had a NULL pointer deref in an old clk tracepoint when
     clk_set_parent() is called with a NULL parent pointer. This
     shouldn't really happen, but it's best to avoid this regardless.

   - The sun9i-mmc clk driver didn't provide 'reset' support, just
     'assert' and 'deassert' so the MMC driver stopped probing when the
     probe was changed to do a reset instead of assert/deassert pair.
     This implements the reset so things work again"

* tag 'clk-fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/clk/linux:
  clk: sunxi: sun9i-mmc: Implement reset callback for reset controls
  clk: fix a panic error caused by accessing NULL pointer
  clk: Manage proper runtime PM state in clk_change_rate()
2017-12-22 11:48:36 -08:00
Chris Wilson
e7cdf5c82f drm/syncobj: Stop reusing the same struct file for all syncobj -> fd
The vk cts test:
dEQP-VK.api.external.semaphore.opaque_fd.export_multiple_times_temporary

triggers a lot of
VFS: Close: file count is 0

Dave pointed out that clearing the syncobj->file from
drm_syncobj_file_release() was sufficient to silence the test, but that
opens a can of worm since we assumed that the syncobj->file was never
unset. Stop trying to reuse the same struct file for every fd pointing
to the drm_syncobj, and allocate one file for each fd instead.

v2: Fixup return handling of drm_syncobj_fd_to_handle
v2.1: [airlied: fix possible syncobj ref race]

Reported-by: Dave Airlie <airlied@redhat.com>
Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk>
Tested-by: Dave Airlie <airlied@redhat.com>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Dave Airlie <airlied@redhat.com>
2017-12-22 14:14:39 +10:00
Dave Airlie
12e412d785 Merge tag 'drm-misc-fixes-2017-12-21' of git://anongit.freedesktop.org/drm/drm-misc into drm-fixes
drm-misc-fixes before holidays:

- fixup for the lease fixup (Keith)
- fb leak in the ww mutex fallback code (Maarten)
- sun4i fixes (Maxime, Hans)

* tag 'drm-misc-fixes-2017-12-21' of git://anongit.freedesktop.org/drm/drm-misc:
  drm: move lease init after validation in drm_lease_create
  drm/plane: Make framebuffer refcounting the responsibility of setplane_internal callers
  drm/sun4i: hdmi: Move the mode_valid callback to the encoder
  drm/sun4i: Fix error path handling
  drm/sun4i: validate modes for HDMI
2017-12-22 10:00:04 +10:00
Linus Torvalds
ead68f2161 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Pull networking fixes from David Miller"
 "What's a holiday weekend without some networking bug fixes? [1]

   1) Fix some eBPF JIT bugs wrt. SKB pointers across helper function
      calls, from Daniel Borkmann.

   2) Fix regression from errata limiting change to marvell PHY driver,
      from Zhao Qiang.

   3) Fix u16 overflow in SCTP, from Xin Long.

   4) Fix potential memory leak during bridge newlink, from Nikolay
      Aleksandrov.

   5) Fix BPF selftest build on s390, from Hendrik Brueckner.

   6) Don't append to cfg80211 automatically generated certs file,
      always write new ones from scratch. From Thierry Reding.

   7) Fix sleep in atomic in mac80211 hwsim, from Jia-Ju Bai.

   8) Fix hang on tg3 MTU change with certain chips, from Brian King.

   9) Add stall detection to arc emac driver and reset chip when this
      happens, from Alexander Kochetkov.

  10) Fix MTU limitng in GRE tunnel drivers, from Xin Long.

  11) Fix stmmac timestamping bug due to mis-shifting of field. From
      Fredrik Hallenberg.

  12) Fix metrics match when deleting an ipv4 route. The kernel sets
      some internal metrics bits which the user isn't going to set when
      it makes the delete request. From Phil Sutter.

  13) mvneta driver loop over RX queues limits on "txq_number" :-) Fix
      from Yelena Krivosheev.

  14) Fix double free and memory corruption in get_net_ns_by_id, from
      Eric W. Biederman.

  15) Flush ipv4 FIB tables in the reverse order. Some tables can share
      their actual backing data, in particular this happens for the MAIN
      and LOCAL tables. We have to kill the LOCAL table first, because
      it uses MAIN's backing memory. Fix from Ido Schimmel.

  16) Several eBPF verifier value tracking fixes, from Edward Cree, Jann
      Horn, and Alexei Starovoitov.

  17) Make changes to ipv6 autoflowlabel sysctl really propagate to
      sockets, unless the socket has set the per-socket value
      explicitly. From Shaohua Li.

  18) Fix leaks and double callback invocations of zerocopy SKBs, from
      Willem de Bruijn"

[1] Is this a trick question? "Relaxing"? "Quiet"? "Fine"? - Linus.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (77 commits)
  skbuff: skb_copy_ubufs must release uarg even without user frags
  skbuff: orphan frags before zerocopy clone
  net: reevalulate autoflowlabel setting after sysctl setting
  openvswitch: Fix pop_vlan action for double tagged frames
  ipv6: Honor specified parameters in fibmatch lookup
  bpf: do not allow root to mangle valid pointers
  selftests/bpf: add tests for recent bugfixes
  bpf: fix integer overflows
  bpf: don't prune branches when a scalar is replaced with a pointer
  bpf: force strict alignment checks for stack pointers
  bpf: fix missing error return in check_stack_boundary()
  bpf: fix 32-bit ALU op verification
  bpf: fix incorrect tracking of register size truncation
  bpf: fix incorrect sign extension in check_alu_op()
  bpf/verifier: fix bounds calculation on BPF_RSH
  ipv4: Fix use-after-free when flushing FIB tables
  s390/qeth: fix error handling in checksum cmd callback
  tipc: remove joining group member from congested list
  selftests: net: Adding config fragment CONFIG_NUMA=y
  nfp: bpf: keep track of the offloaded program
  ...
2017-12-21 15:57:30 -08:00
David S. Miller
c50b7c473f Merge branch 'net-zerocopy-fixes'
Saeed Mahameed says:

===================
Mellanox, mlx5 fixes 2017-12-19

The follwoing series includes some fixes for mlx5 core and etherent
driver.

Please pull and let me know if there is any problem.

This series doesn't introduce any conflict with the ongoing mlx5 for-next
submission.

For -stable:

kernels >= v4.7.y
    ("net/mlx5e: Fix possible deadlock of VXLAN lock")
    ("net/mlx5e: Add refcount to VXLAN structure")
    ("net/mlx5e: Prevent possible races in VXLAN control flow")
    ("net/mlx5e: Fix features check of IPv6 traffic")

kernels >= v4.9.y
    ("net/mlx5: Fix error flow in CREATE_QP command")
    ("net/mlx5: Fix rate limit packet pacing naming and struct")

kernels >= v4.13.y
    ("net/mlx5: FPGA, return -EINVAL if size is zero")

kernels >= v4.14.y
    ("Revert "mlx5: move affinity hints assignments to generic code")

All above patches apply and compile with no issues on corresponding -stable.
===================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-21 15:00:59 -05:00
Willem de Bruijn
b90ddd5687 skbuff: skb_copy_ubufs must release uarg even without user frags
skb_copy_ubufs creates a private copy of frags[] to release its hold
on user frags, then calls uarg->callback to notify the owner.

Call uarg->callback even when no frags exist. This edge case can
happen when zerocopy_sg_from_iter finds enough room in skb_headlen
to copy all the data.

Fixes: 3ece782693 ("sock: skb_copy_ubufs support for compound pages")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-21 15:00:58 -05:00
Willem de Bruijn
268b790679 skbuff: orphan frags before zerocopy clone
Call skb_zerocopy_clone after skb_orphan_frags, to avoid duplicate
calls to skb_uarg(skb)->callback for the same data.

skb_zerocopy_clone associates skb_shinfo(skb)->uarg from frag_skb
with each segment. This is only safe for uargs that do refcounting,
which is those that pass skb_orphan_frags without dropping their
shared frags. For others, skb_orphan_frags drops the user frags and
sets the uarg to NULL, after which sock_zerocopy_clone has no effect.

Qemu hangs were reported due to duplicate vhost_net_zerocopy_callback
calls for the same data causing the vhost_net_ubuf_ref_>refcount to
drop below zero.

Link: http://lkml.kernel.org/r/<CAF=yD-LWyCD4Y0aJ9O0e_CHLR+3JOeKicRRTEVCPxgw4XOcqGQ@mail.gmail.com>
Fixes: 1f8b977ab3 ("sock: enable MSG_ZEROCOPY")
Reported-by: Andreas Hartmann <andihartmann@01019freenet.de>
Reported-by: David Hill <dhill@redhat.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-21 15:00:58 -05:00
Linus Torvalds
9035a8961b Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fixes from Jens Axboe:
 "It's been a few weeks, so here's a small collection of fixes that
  should go into the current series.

  This contains:

   - NVMe pull request from Christoph, with a few important fixes.

   - kyber hang fix from Omar.

   - A blk-throttl fix from Shaohua, fixing a case where we double
     charge a bio.

   - Two call_single_data alignment fixes from me, fixing up some
     unfortunate changes that went into 4.14 without being properly
     reviewed on the block side (since nobody was CC'ed on the
     patch...).

   - A bounce buffer fix in two parts, one from me and one from Ming.

   - Revert bdi debug error handling patch. It's causing boot issues for
     some folks, and a week down the line, we're still no closer to a
     fix. Revert this patch for now until it's figured out, then we can
     retry for 4.16"

* 'for-linus' of git://git.kernel.dk/linux-block:
  Revert "bdi: add error handle for bdi_debug_register"
  null_blk: unalign call_single_data
  block: unalign call_single_data in struct request
  block-throttle: avoid double charge
  block: fix blk_rq_append_bio
  block: don't let passthrough IO go into .make_request_fn()
  nvme: setup streams after initializing namespace head
  nvme: check hw sectors before setting chunk sectors
  nvme: call blk_integrity_unregister after queue is cleaned up
  nvme-fc: remove double put reference if admin connect fails
  nvme: set discard_alignment to zero
  kyber: fix another domain token wait queue hang
2017-12-21 11:13:37 -08:00
Linus Torvalds
409232a450 ARM fixes:
- A bug in handling of SPE state for non-vhe systems
 - A fix for a crash on system shutdown
 - Three timer fixes, introduced by the timer optimizations for v4.15
 
 x86 fixes:
 - fix for a WARN that was introduced in 4.15
 - fix for SMM when guest uses PCID
 - fixes for several bugs found by syzkaller
 
 ... and a dozen papercut fixes for the kvm_stat tool.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
 iQEcBAABAgAGBQJaO6N9AAoJEL/70l94x66DC1wH/Rf+u0Cj6ZQil6LK6Nf8bfPd
 3TqrwrxUDeXwi8GzsvK14izBr1mDzidSHIO0Q4XINFRSRdaf43h3R2im/SJqvNhP
 xktCmJI2CxN96oaC7kIExgwf3YKhFdLIADfbT8oR9p3xZG/+c97dkr3b4XtmVCDb
 ZXdUEOcKnoW4zwpfJN30FLlq4OwYvuYVz02AEfPivZRDfhhus/TYSnuSdxH8CLNf
 75ymuKyXoo/RELbimwbMk8Cm9+ey7PjlUGOgbnbXIFtmgznXhLzAOeES2B+46J5b
 sMBPlmiJrn6N//lM18CC5yOBzBLGsYOoXggtw4aU/5nM4GVcFebWedpcoD4D8Jw=
 =Bt8w
 -----END PGP SIGNATURE-----

Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm

Pull KVM fixes from Paolo Bonzini:
 "ARM fixes:
   - A bug in handling of SPE state for non-vhe systems
   - A fix for a crash on system shutdown
   - Three timer fixes, introduced by the timer optimizations for v4.15

  x86 fixes:
   - fix for a WARN that was introduced in 4.15
   - fix for SMM when guest uses PCID
   - fixes for several bugs found by syzkaller

  ... and a dozen papercut fixes for the kvm_stat tool"

* tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (22 commits)
  tools/kvm_stat: sort '-f help' output
  kvm: x86: fix RSM when PCID is non-zero
  KVM: Fix stack-out-of-bounds read in write_mmio
  KVM: arm/arm64: Fix timer enable flow
  KVM: arm/arm64: Properly handle arch-timer IRQs after vtimer_save_state
  KVM: arm/arm64: timer: Don't set irq as forwarded if no usable GIC
  KVM: arm/arm64: Fix HYP unmapping going off limits
  arm64: kvm: Prevent restoring stale PMSCR_EL1 for vcpu
  KVM/x86: Check input paging mode when cs.l is set
  tools/kvm_stat: add line for totals
  tools/kvm_stat: stop ignoring unhandled arguments
  tools/kvm_stat: suppress usage information on command line errors
  tools/kvm_stat: handle invalid regular expressions
  tools/kvm_stat: add hint on '-f help' to man page
  tools/kvm_stat: fix child trace events accounting
  tools/kvm_stat: fix extra handling of 'help' with fields filter
  tools/kvm_stat: fix missing field update after filter change
  tools/kvm_stat: fix drilldown in events-by-guests mode
  tools/kvm_stat: fix command line option '-g'
  kvm: x86: fix WARN due to uninitialized guest FPU state
  ...
2017-12-21 10:44:13 -08:00
Shaohua Li
513674b5a2 net: reevalulate autoflowlabel setting after sysctl setting
sysctl.ip6.auto_flowlabels is default 1. In our hosts, we set it to 2.
If sockopt doesn't set autoflowlabel, outcome packets from the hosts are
supposed to not include flowlabel. This is true for normal packet, but
not for reset packet.

The reason is ipv6_pinfo.autoflowlabel is set in sock creation. Later if
we change sysctl.ip6.auto_flowlabels, the ipv6_pinfo.autoflowlabel isn't
changed, so the sock will keep the old behavior in terms of auto
flowlabel. Reset packet is suffering from this problem, because reset
packet is sent from a special control socket, which is created at boot
time. Since sysctl.ipv6.auto_flowlabels is 1 by default, the control
socket will always have its ipv6_pinfo.autoflowlabel set, even after
user set sysctl.ipv6.auto_flowlabels to 1, so reset packset will always
have flowlabel. Normal sock created before sysctl setting suffers from
the same issue. We can't even turn off autoflowlabel unless we kill all
socks in the hosts.

To fix this, if IPV6_AUTOFLOWLABEL sockopt is used, we use the
autoflowlabel setting from user, otherwise we always call
ip6_default_np_autolabel() which has the new settings of sysctl.

Note, this changes behavior a little bit. Before commit 42240901f7
(ipv6: Implement different admin modes for automatic flow labels), the
autoflowlabel behavior of a sock isn't sticky, eg, if sysctl changes,
existing connection will change autoflowlabel behavior. After that
commit, autoflowlabel behavior is sticky in the whole life of the sock.
With this patch, the behavior isn't sticky again.

Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Tom Herbert <tom@quantonium.net>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-21 13:07:20 -05:00
Eric Garver
c48e74736f openvswitch: Fix pop_vlan action for double tagged frames
skb_vlan_pop() expects skb->protocol to be a valid TPID for double
tagged frames. So set skb->protocol to the TPID and let skb_vlan_pop()
shift the true ethertype into position for us.

Fixes: 5108bbaddc ("openvswitch: add processing of L3 packets")
Signed-off-by: Eric Garver <e@erig.me>
Reviewed-by: Jiri Benc <jbenc@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-21 13:02:08 -05:00
Jens Axboe
6d0e4827b7 Revert "bdi: add error handle for bdi_debug_register"
This reverts commit a0747a859e.

It breaks some booting for some users, and more than a week
into this, there's still no good fix. Revert this commit
for now until a solution has been found.

Reported-by: Laura Abbott <labbott@redhat.com>
Reported-by: Bruno Wolff III <bruno@wolff.to>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-12-21 10:01:30 -07:00
Ido Schimmel
58acfd714e ipv6: Honor specified parameters in fibmatch lookup
Currently, parameters such as oif and source address are not taken into
account during fibmatch lookup. Example (IPv4 for reference) before
patch:

$ ip -4 route show
192.0.2.0/24 dev dummy0 proto kernel scope link src 192.0.2.1
198.51.100.0/24 dev dummy1 proto kernel scope link src 198.51.100.1

$ ip -6 route show
2001:db8:1::/64 dev dummy0 proto kernel metric 256 pref medium
2001:db8:2::/64 dev dummy1 proto kernel metric 256 pref medium
fe80::/64 dev dummy0 proto kernel metric 256 pref medium
fe80::/64 dev dummy1 proto kernel metric 256 pref medium

$ ip -4 route get fibmatch 192.0.2.2 oif dummy0
192.0.2.0/24 dev dummy0 proto kernel scope link src 192.0.2.1
$ ip -4 route get fibmatch 192.0.2.2 oif dummy1
RTNETLINK answers: No route to host

$ ip -6 route get fibmatch 2001:db8:1::2 oif dummy0
2001:db8:1::/64 dev dummy0 proto kernel metric 256 pref medium
$ ip -6 route get fibmatch 2001:db8:1::2 oif dummy1
2001:db8:1::/64 dev dummy0 proto kernel metric 256 pref medium

After:

$ ip -6 route get fibmatch 2001:db8:1::2 oif dummy0
2001:db8:1::/64 dev dummy0 proto kernel metric 256 pref medium
$ ip -6 route get fibmatch 2001:db8:1::2 oif dummy1
RTNETLINK answers: Network is unreachable

The problem stems from the fact that the necessary route lookup flags
are not set based on these parameters.

Instead of duplicating the same logic for fibmatch, we can simply
resolve the original route from its copy and dump it instead.

Fixes: 18c3a61c42 ("net: ipv6: RTM_GETROUTE: return matched fib result when requested")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-21 11:51:06 -05:00
Stefan Raspl
aa12f594f9 tools/kvm_stat: sort '-f help' output
Sort the fields returned by specifying '-f help' on the command line.
While at it, simplify the code a bit, indent the output and eliminate an
extra blank line at the beginning.

Signed-off-by: Stefan Raspl <raspl@linux.vnet.ibm.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-12-21 13:03:32 +01:00
Paolo Bonzini
fae1a3e775 kvm: x86: fix RSM when PCID is non-zero
rsm_load_state_64() and rsm_enter_protected_mode() load CR3, then
CR4 & ~PCIDE, then CR0, then CR4.

However, setting CR4.PCIDE fails if CR3[11:0] != 0.  It's probably easier
in the long run to replace rsm_enter_protected_mode() with an emulator
callback that sets all the special registers (like KVM_SET_SREGS would
do).  For now, set the PCID field of CR3 only after CR4.PCIDE is 1.

Reported-by: Laszlo Ersek <lersek@redhat.com>
Tested-by: Laszlo Ersek <lersek@redhat.com>
Fixes: 660a5d517a
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2017-12-21 12:59:54 +01:00
Keith Packard
d2a48e5254 drm: move lease init after validation in drm_lease_create
Patch bd36d3bab2 fixed a deadlock in the
failure path of drm_lease_create. This made the partially initialized
lease object visible for a short window of time.

To avoid having the lessee state appear transiently, I've rearranged
the code so that the lessor fields are not filled in until the
parameters are all validated and the function will succeed.

Signed-off-by: Keith Packard <keithp@keithp.com>
Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Link: https://patchwork.freedesktop.org/patch/msgid/20171221065424.1304-1-keithp@keithp.com
2017-12-21 09:49:40 +01:00
David S. Miller
8b6ca2bf5a Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf
Daniel Borkmann says:

====================
pull-request: bpf 2017-12-21

The following pull-request contains BPF updates for your *net* tree.

The main changes are:

1) Fix multiple security issues in the BPF verifier mostly related
   to the value and min/max bounds tracking rework in 4.14. Issues
   range from incorrect bounds calculation in some BPF_RSH cases,
   to improper sign extension and reg size handling on 32 bit
   ALU ops, missing strict alignment checks on stack pointers, and
   several others that got fixed, from Jann, Alexei and Edward.

2) Fix various build failures in BPF selftests on sparc64. More
   specifically, librt needed to be added to the libs to link
   against and few format string fixups for sizeof, from David.

3) Fix one last remaining issue from BPF selftest build that was
   still occuring on s390x from the asm/bpf_perf_event.h include
   which could not find the asm/ptrace.h copy, from Hendrik.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-20 23:10:29 -05:00
Alexei Starovoitov
82abbf8d2f bpf: do not allow root to mangle valid pointers
Do not allow root to convert valid pointers into unknown scalars.
In particular disallow:
 ptr &= reg
 ptr <<= reg
 ptr += ptr
and explicitly allow:
 ptr -= ptr
since pkt_end - pkt == length

1.
This minimizes amount of address leaks root can do.
In the future may need to further tighten the leaks with kptr_restrict.

2.
If program has such pointer math it's likely a user mistake and
when verifier complains about it right away instead of many instructions
later on invalid memory access it's easier for users to fix their progs.

3.
when register holding a pointer cannot change to scalar it allows JITs to
optimize better. Like 32-bit archs could use single register for pointers
instead of a pair required to hold 64-bit scalars.

4.
reduces architecture dependent behavior. Since code:
r1 = r10;
r1 &= 0xff;
if (r1 ...)
will behave differently arm64 vs x64 and offloaded vs native.

A significant chunk of ptr mangling was allowed by
commit f1174f77b5 ("bpf/verifier: rework value tracking")
yet some of it was allowed even earlier.

Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:26:29 +01:00
Daniel Borkmann
3db9128fcf Merge branch 'bpf-verifier-sec-fixes'
Alexei Starovoitov says:

====================
This patch set addresses a set of security vulnerabilities
in bpf verifier logic discovered by Jann Horn.
All of the patches are candidates for 4.14 stable.
====================

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:42 +01:00
Jann Horn
2255f8d520 selftests/bpf: add tests for recent bugfixes
These tests should cover the following cases:

 - MOV with both zero-extended and sign-extended immediates
 - implicit truncation of register contents via ALU32/MOV32
 - implicit 32-bit truncation of ALU32 output
 - oversized register source operand for ALU32 shift
 - right-shift of a number that could be positive or negative
 - map access where adding the operation size to the offset causes signed
   32-bit overflow
 - direct stack access at a ~4GiB offset

Also remove the F_LOAD_WITH_STRICT_ALIGNMENT flag from a bunch of tests
that should fail independent of what flags userspace passes.

Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:41 +01:00
Alexei Starovoitov
bb7f0f989c bpf: fix integer overflows
There were various issues related to the limited size of integers used in
the verifier:
 - `off + size` overflow in __check_map_access()
 - `off + reg->off` overflow in check_mem_access()
 - `off + reg->var_off.value` overflow or 32-bit truncation of
   `reg->var_off.value` in check_mem_access()
 - 32-bit truncation in check_stack_boundary()

Make sure that any integer math cannot overflow by not allowing
pointer math with large values.

Also reduce the scope of "scalar op scalar" tracking.

Fixes: f1174f77b5 ("bpf/verifier: rework value tracking")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:41 +01:00
Jann Horn
179d1c5602 bpf: don't prune branches when a scalar is replaced with a pointer
This could be made safe by passing through a reference to env and checking
for env->allow_ptr_leaks, but it would only work one way and is probably
not worth the hassle - not doing it will not directly lead to program
rejection.

Fixes: f1174f77b5 ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:41 +01:00
Jann Horn
a5ec6ae161 bpf: force strict alignment checks for stack pointers
Force strict alignment checks for stack pointers because the tracking of
stack spills relies on it; unaligned stack accesses can lead to corruption
of spilled registers, which is exploitable.

Fixes: f1174f77b5 ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:41 +01:00
Jann Horn
ea25f914dc bpf: fix missing error return in check_stack_boundary()
Prevent indirect stack accesses at non-constant addresses, which would
permit reading and corrupting spilled pointers.

Fixes: f1174f77b5 ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:41 +01:00
Jann Horn
468f6eafa6 bpf: fix 32-bit ALU op verification
32-bit ALU ops operate on 32-bit values and have 32-bit outputs.
Adjust the verifier accordingly.

Fixes: f1174f77b5 ("bpf/verifier: rework value tracking")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:41 +01:00
Jann Horn
0c17d1d2c6 bpf: fix incorrect tracking of register size truncation
Properly handle register truncation to a smaller size.

The old code first mirrors the clearing of the high 32 bits in the bitwise
tristate representation, which is correct. But then, it computes the new
arithmetic bounds as the intersection between the old arithmetic bounds and
the bounds resulting from the bitwise tristate representation. Therefore,
when coerce_reg_to_32() is called on a number with bounds
[0xffff'fff8, 0x1'0000'0007], the verifier computes
[0xffff'fff8, 0xffff'ffff] as bounds of the truncated number.
This is incorrect: The truncated number could also be in the range [0, 7],
and no meaningful arithmetic bounds can be computed in that case apart from
the obvious [0, 0xffff'ffff].

Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.

Debian assigned CVE-2017-16996 for this issue.

v2:
 - flip the mask during arithmetic bounds calculation (Ben Hutchings)
v3:
 - add CVE number (Ben Hutchings)

Fixes: b03c9f9fdc ("bpf/verifier: track signed and unsigned min/max values")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:41 +01:00
Jann Horn
95a762e2c8 bpf: fix incorrect sign extension in check_alu_op()
Distinguish between
BPF_ALU64|BPF_MOV|BPF_K (load 32-bit immediate, sign-extended to 64-bit)
and BPF_ALU|BPF_MOV|BPF_K (load 32-bit immediate, zero-padded to 64-bit);
only perform sign extension in the first case.

Starting with v4.14, this is exploitable by unprivileged users as long as
the unprivileged_bpf_disabled sysctl isn't set.

Debian assigned CVE-2017-16995 for this issue.

v3:
 - add CVE number (Ben Hutchings)

Fixes: 484611357c ("bpf: allow access into map value arrays")
Signed-off-by: Jann Horn <jannh@google.com>
Acked-by: Edward Cree <ecree@solarflare.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:41 +01:00
Edward Cree
4374f256ce bpf/verifier: fix bounds calculation on BPF_RSH
Incorrect signed bounds were being computed.
If the old upper signed bound was positive and the old lower signed bound was
negative, this could cause the new upper signed bound to be too low,
leading to security issues.

Fixes: b03c9f9fdc ("bpf/verifier: track signed and unsigned min/max values")
Reported-by: Jann Horn <jannh@google.com>
Signed-off-by: Edward Cree <ecree@solarflare.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
[jannh@google.com: changed description to reflect bug impact]
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2017-12-21 02:15:41 +01:00
Dave Airlie
5e9748cb4b Merge tag 'drm-intel-fixes-2017-12-20' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
drm/i915 fixes for v4.15-rc5

* tag 'drm-intel-fixes-2017-12-20' of git://anongit.freedesktop.org/drm/drm-intel:
  drm/i915: Protect DDI port to DPLL map from theoretical race.
  drm/i915/lpe: Remove double-encapsulation of info string
2017-12-21 11:09:36 +10:00
Dave Airlie
2480ee716a Merge branch 'linux-4.15' of git://github.com/skeggsb/linux into drm-fixes
nouveau memleak fix

* 'linux-4.15' of git://github.com/skeggsb/linux:
  drm/nouveau: fix obvious memory leak
2017-12-21 11:06:55 +10:00
Linus Torvalds
d1ce8ceb8b SCSI fixes on 20171220
Two simple fixes: one for sparse warnings that were introduced by the
 merge window conversion to blist_flags_t and the other to fix dropped
 I/O during reset in aacraid.
 
 Signed-off-by: James E.J. Bottomley <jejb@linux.vnet.ibm.com>
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABAgAGBQJaOvWtAAoJEAVr7HOZEZN4pNYQAISqS0tbDt7bgT+e6I/PGy7D
 0vxv13ELf+MV9AV2uJKDvpf73nNtzrMgEC9N2rCsQyKeietF4yW1N3tk8n5Me32g
 vCD3YdwJFBwO3UaaNFkP+wpzh60RutMeBRUFAYeQu7LqBkEp4jOGx21N0fAb89wt
 SUkwfib20XUs518Tuqsyzy0keNsH3sRNJUenoxXVnqNMqIobKpigxZORFMIJaloZ
 2VyQhYqrL75iqLRHTUUpWorQC4Db/FTyl58oG7rG8JdRN0Mww3Hp8Jv2E8cn5e2z
 Ze9J9Z/IUCxAV75muGR2GfXd9e5zgILOyLSwKcjxniElWWZbqTIYnEUlyElqBg5Z
 4eWytQUmQTixeAqnNfnEYXpUiiJR3snKYCZpGhF/a7+Kzmid64GuOEhIQsroPy60
 unO9LG50/WDsqWMFlSaJPoePnzOEDj4LrnZiedkroYQrAQq4I6QNAPcUE6ruYvka
 czzbkqhuHs/jHe0rbiYtG6YjlU6FdV4XqCdx10ijX2oUVFxZeIkUHu1uCwqhqg24
 p6UE2bEzCwpKMEOwVeNlRsC6BQKpxugJNGJPHS6WeFiVeFl/tHNpYh7L7jnzVAQH
 C1L6RIGCK6jrzG49mn9mySNf6WmSfG7L3hqaHY5ngkz5sfdhR+6kjvnv8xFkyTK7
 BJIyJBJBnDsaw/mDNRVt
 =IuyM
 -----END PGP SIGNATURE-----

Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi

Pull SCSI fixes from James Bottomley:
 "Two simple fixes: one for sparse warnings that were introduced by the
  merge window conversion to blist_flags_t and the other to fix dropped
  I/O during reset in aacraid"

* tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
  scsi: aacraid: Fix I/O drop during reset
  scsi: core: Use blist_flags_t consistently
2017-12-20 16:52:01 -08:00
Linus Torvalds
877631f360 Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm
Pull ARM fix from Russell King:
 "Just one fix for a problem in the csum_partial_copy_from_user()
  implementation when software PAN is enabled"

* 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
  ARM: 8731/1: Fix csum_partial_copy_from_user() stack mismatch
2017-12-20 16:47:14 -08:00
Linus Torvalds
1362d628cb ACPI fixes for v4.15-rc5
- Fix an error handling issue in the ACPI APEI implementation
    of the >read callback in struct pstore_info (Takashi Iwai).
 
  - Fix a possible out-of-bounds arrar read in the ACPI CPPC
    driver (Colin Ian King).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJaOrJcAAoJEILEb/54YlRxhFAP/3urVt/pnoMUzfKX4jHX/3AG
 B2Wk0HGKwtlvVMGhs/7+gUDZQSd1s/fcKvAVP429vzwLATdLqYj5JnhlBSvuKINt
 RRsvw9Ks1YsowdmLbDm+o3nMpkSu0EZvADMDFBE4JvTvb8PHvev8NRRJD5ua110i
 w2mbbocElzxjoCD9Fwt9El0fNSVbu8eslgk4RpmiU7XUjUP3Mo7j+sv+JslyS2QO
 rY29T9qBwwVqTMBarV51ZTHgrB7LHhIXOnxUY7aVeY3aoLZi7nv1Gb8CEAec+T9x
 0n7PxMGFYDRir3zRewxJqeE0iRZ1k+y9pWVYl/oslABFr+M+wZ2lbyqOk1i5rQsq
 tkA7j6CBh8UWti/L36n/u9GK/AqwioyhH2UCBAvxLI3FGXtPgPI0F7ikZgPFxvGu
 Dg/SVMuMd1z/auPaUJt9doO12Pvudh+RwzSQPoUoxwUcv7XgEYdU6XTqYKX0bD+R
 vnXCnP/imgDC96rASoOx39t2cx7biiH1UyZS6vLLNM7VzaRi+Ox8kIyQBBc9VDBw
 ETx6jH0npx9KT6NGzhTq0cItgtOMH1a9a/CdzZ+vY9FgSVQlxukEjfxYRVA2WRyt
 y8DA5o23kZAUbi00QqP1Z42wVPVXn/2eEtdDl9GETyPcK/hmB5uiFEiwb62dQ5ok
 cfPAMq2oSFXI484r0PeK
 =jLX/
 -----END PGP SIGNATURE-----

Merge tag 'acpi-4.15-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull ACPI fixes from Rafael Wysocki:
 "These fix a recently introduced issue in the ACPI CPPC driver and an
  obscure error hanling bug in the APEI code.

  Specifics:

   - Fix an error handling issue in the ACPI APEI implementation of the
     >read callback in struct pstore_info (Takashi Iwai).

   - Fix a possible out-of-bounds arrar read in the ACPI CPPC driver
     (Colin Ian King)"

* tag 'acpi-4.15-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  ACPI: APEI / ERST: Fix missing error handling in erst_reader()
  ACPI: CPPC: remove initial assignment of pcc_ss_data
2017-12-20 13:44:21 -08:00
Linus Torvalds
9cd238ab2d Power management fixes for v4.15-rc5
- Fix an issue in the PCI handling of the "thaw" transition during
    hibernation (after creating an image), introduced by a bug fix
    from the 4.13 cycle and exposed by recent changes in the IRQ
    subsystem, that caused pci_restore_state() to be called for
    devices in low-power states in some cases which is incorrect
    and breaks MSI management on some systems (Rafael Wysocki).
 
  - Fix a recent regression in the imx6q cpufreq driver that broke
    speed grading on i.MX6 QuadPlus by omitting checks causing
    invalid operating performance points (OPPs) to be disabled on
    that SoC as appropriate (Lucas Stach).
 
  - Fix a regression introduced during the 4.14 cycle in the ondemand
    and conservative cpufreq governors that causes the sampling
    interval used by them to be shorter than the tick period in some
    cases which leads to incorrect decisions (Rafael Wysocki).
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v2
 
 iQIcBAABCAAGBQJaOrIPAAoJEILEb/54YlRxsysP/3pGtkj96iy5lyXlEv6vnCby
 /Lo/5Qcfa9pM2P32AoeML+07N6YximK6IwEReVlswudKAryTa2jKQu9xY4gOH6dK
 MprDkLPOSJL/CpxWRTOHYbZNSAopDc4ZzaVLH0P3XCoLoVWJ4z7LdK6jGkx1zJRE
 UUWazE9G/K9Zw6U3ZbcOQOwrEf36pzNT0CEmFIkgIkImz5eaXnEx0h6mwpxtxc+O
 Y4Buk+bgtojcYXC5cFj/Ik9lr0w5gFqSugLx13lK4oWBdBNdnd7+LDnVOPcCNfAe
 RyWVieqeB+8TmUtLo/dJJFqe9vaUhU0jOb55MQqRDu+vrhlvBQmRjRuyYXKvH3/R
 BQl5jOj2PbFWLZ+gsxszO6sU+PeO6DUSRe6Kbj8wx23ONzgOfLqRhbTKlwEHkjeO
 28NI4wN1Nkr9ueoTiBe/g/gtwW5ogUiHq23RN/Tqi8gV9IEPX1wHEeVZYnuhny/R
 y1HUVJhHnob1K9DLW5rre08ic7fvzOaf593roRds7iP+hnIgFyAPM2AGtZg907bK
 5tNElfck96spr5tD7OeLoN9kXIoZh2/GIJrhBiMJCi+mVvZ9mJRoIEpHQPMjRdAC
 K9h6Tb/LrRvZ4LlZQiNvReqJq/qM7zdNQL7TA/8/37fs6QOgp1mAPOGFppwqNrgc
 CTWw3ppXgCve2XdfLyno
 =fTB6
 -----END PGP SIGNATURE-----

Merge tag 'pm-4.15-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm

Pull power management fixes from Rafael Wysocki:
 "These fix a regression in the ondemand and conservative cpufreq
  governors that was introduced during the 4.13 cycle, a recent
  regression in the imx6q cpufreq driver and a regression in the PCI
  handling of hibernation from the 4.14 cycle.

  Specifics:

   - Fix an issue in the PCI handling of the "thaw" transition during
     hibernation (after creating an image), introduced by a bug fix from
     the 4.13 cycle and exposed by recent changes in the IRQ subsystem,
     that caused pci_restore_state() to be called for devices in
     low-power states in some cases which is incorrect and breaks MSI
     management on some systems (Rafael Wysocki).

   - Fix a recent regression in the imx6q cpufreq driver that broke
     speed grading on i.MX6 QuadPlus by omitting checks causing invalid
     operating performance points (OPPs) to be disabled on that SoC as
     appropriate (Lucas Stach).

   - Fix a regression introduced during the 4.14 cycle in the ondemand
     and conservative cpufreq governors that causes the sampling
     interval used by them to be shorter than the tick period in some
     cases which leads to incorrect decisions (Rafael Wysocki)"

* tag 'pm-4.15-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
  cpufreq: governor: Ensure sufficiently large sampling intervals
  cpufreq: imx6q: fix speed grading regression on i.MX6 QuadPlus
  PCI / PM: Force devices to D0 in pci_pm_thaw_noirq()
2017-12-20 13:41:40 -08:00
Linus Torvalds
7887f47031 spi: Fixes for v4.15-rc4
A bunch of really small fixes here, all driver specific and mostly in
 error handling and remove paths.  The most important fixes are for the
 a3700 clock configuration and a fix for a nasty stall which could
 potentially cause data corruption with the xilinx driver.
 -----BEGIN PGP SIGNATURE-----
 
 iQFHBAABCgAxFiEEreZoqmdXGLWf4p/qJNaLcl1Uh9AFAlo6kgoTHGJyb29uaWVA
 a2VybmVsLm9yZwAKCRAk1otyXVSH0KGDB/4sweNiUfktOAN1Y86bRmyrTvJctCCY
 MAOAzDxvKjUuYEoq0LZWKEt0uIXM5+cB+YrghEn6e5lwdB0rRsifzRQ5D2iR8odf
 xhxOW4uV2+RhCDiPWnKP7cOiOxahYPSBw1RNHsAhXlcT11rRQC1QMwpWLE0ET/WG
 UreahRO1pwGOCPVCxkfDmv+DxTm3IE0TojT8GvC7QsAD2UapqbLAcCNGN8SoSKD9
 8P24pjStItA/6JQVawUIaFLHgcAGHw3WeTf2TQbP6rEF5u5je4BGtELGjSZ72bdS
 0RT3CP0eNnLPzh1XqcBGjEPDKWnnglNc0o9XSU3lTNbfgB1cQ2kFQDs/
 =ILZY
 -----END PGP SIGNATURE-----

Merge tag 'spi-fix-v4.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi

Pull spi fixes from Mark Brown:
 "A bunch of really small fixes here, all driver specific and mostly in
  error handling and remove paths.

  The most important fixes are for the a3700 clock configuration and a
  fix for a nasty stall which could potentially cause data corruption
  with the xilinx driver"

* tag 'spi-fix-v4.15-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/broonie/spi:
  spi: atmel: fixed spin_lock usage inside atmel_spi_remove
  spi: sun4i: disable clocks in the remove function
  spi: rspi: Do not set SPCR_SPE in qspi_set_config_register()
  spi: Fix double "when"
  spi: a3700: Fix clk prescaling for coefficient over 15
  spi: xilinx: Detect stall with Unknown commands
  spi: imx: Update device tree binding documentation
2017-12-20 13:38:00 -08:00
Linus Torvalds
444fec197e - Bug Fixes
- Fix message timing	issues;
       cros_ec_spi
   - Report correct state when an error	occurs;
       cros_ec_spi
   - Reorder enums used	for Power Management;
       rtsx_pci
   - Use correct OF helper for obtaining child nodes;
       twl4030-audio, twl6040
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCAAGBQJaOmxWAAoJEFGvii+H/Hdh7q0P/1/hilKPUkcYME7vE4ZNCVUC
 fSZpUjcw4S444TvjjVm7RtRiP0KJMjqM+xUbfoe/Ofu/jhe/+QMu+ygLcEEujssR
 qGfLHcPJDodeSwNSAl3Q53ZF8MSsZFPsWA+xKMkdjllM5n8qWPDVN/HkWZR0z9cV
 RnwPo5dC/sdc+hBjhxWKLNTAPcJET1zo6IdOoDar2uAuypJB+1vUjTObzIfB0j2a
 yUozPhJfTwVMpDvnGMW97XSjRa59KPzmMTnHDBZlqSYCRgD4bUKFp2SX579HpjIW
 J/R2AFape6I+mXc7KpTQERncl+b02Uu/LRysQSG/x/SwOGIlrPgBGNxt41YLep/u
 iFDMVfXyh4N7sZC2KESiXEQurm/r8w+YHRFf/Z6omv92kshZ/FFNhYp4CJ3WIAqD
 ni3BrTXsQqQ0FI+revvG6TE3W4wcNoIfKAI35yy3q7uzOuuL7nDp7HI55JLzYTV8
 OcLMTTuKFNUF02pQ1djwkcFxXgfLjF4QW4blLQwMVdzi9gwn9jsg7BcRXuRLScyw
 sYm92tFpPHQryX4xaHXG7JwBLeo9OVGi0rIHMxo45IJ4ILqWdcFvOqfBA/PTRbVB
 v0FVbtz53/2WLXY0MX7Ihg7Hq/HQG+FWtxEfHOGDBr99ZFR/vUK9le30Lsb7vd/o
 pFN+b/7YGMtUPO2zCa1+
 =vlCx
 -----END PGP SIGNATURE-----

Merge tag 'mfd-fixes-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd

Pull MDF bugfixes from Lee Jones:

  - Fix message timing issues and report correct state when an error
    occurs in cros_ec_spi

  - Reorder enums used for Power Management in rtsx_pci

  - Use correct OF helper for obtaining child nodes in twl4030-audio and
    twl6040

* tag 'mfd-fixes-4.15' of git://git.kernel.org/pub/scm/linux/kernel/git/lee/mfd:
  mfd: Fix RTS5227 (and others) powermanagement
  mfd: cros ec: spi: Fix "in progress" error signaling
  mfd: twl6040: Fix child-node lookup
  mfd: twl4030-audio: Fix sibling-node lookup
  mfd: cros ec: spi: Don't send first message too soon
2017-12-20 13:35:10 -08:00
Linus Torvalds
a5f89a5015 sound fixes for 4.15-rc5
All stable fixes here:
 - A regression fix of USB-audio for the previous hardening patch
 - A potential UAF fix in rawmidi
 - HD-audio and USB-audio quirks, the missing new ID
 -----BEGIN PGP SIGNATURE-----
 
 iQJCBAABCAAsFiEEIXTw5fNLNI7mMiVaLtJE4w1nLE8FAlo6JA8OHHRpd2FpQHN1
 c2UuZGUACgkQLtJE4w1nLE9dChAAvHUQUkik1F8KedxtEH+DCuaj0lz7y4vEtv+t
 H/dbUMujlh8ywFORLevGMI095KP6ZDs1lxHvTijK8JhgOLbzBCBTU8PPSnsHGz0T
 Z2Mxn1RBcaoXGK7Bcz3GVl3zxAsGRnNRrzSIui7OxfZ7fa8zNo0pP9MSz2ShXw9+
 gfDjPbBcNV7sr2YY3BQ5DfOyhr/Csa4IhAXNYfc4A+Z8YRlc+3CRGWkNmerqK+eN
 M4NZgM6ZfGV6aQCjt+fxciygSQfA+qgcilveScddnm3KTQ/GAfVxpw2IL3Q47PuC
 zbL83vVUYzSTP9V0ZtVbrQVEl4Tbr32214B+bwqYyiY2/GTNDpGTmpqSgkVlz3vQ
 VDk7rWlAQfaqXeHJo3sjGUCKqC+exEvMUUSXjJXz59eP/l2tXdK6Q8GC9U2p9H5N
 UVAyl5NbEU0Zg7t8Jgvpxt/6BDGNDWN+vrWr7rnva/leMw3VUz2mR5oNjj2uDDWE
 p8TydPKBZetYjTFqaH/H3e/5NZHyhp7jcmiZyCuq6wMsgOYnnw56eJfXXYj856UJ
 M71es/3famBhTj8j0Fj36Zsn9QJQdGFya3MgdjPgV17yUWhzVPePBO6Han3a6bH0
 ZXalibypQkvfIv8+xUbLpHznSsFjoA7dyQ4NO8gIHUpU/GDA23inyDltiM3Y5g/9
 wcWQKfA=
 =A9uJ
 -----END PGP SIGNATURE-----

Merge tag 'sound-4.15-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound

Pull sound fixes from Takashi Iwai:
 "All stable fixes here:

   - a regression fix of USB-audio for the previous hardening patch

   - a potential UAF fix in rawmidi

   - HD-audio and USB-audio quirks, the missing new ID"

* tag 'sound-4.15-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
  ALSA: usb-audio: Fix the missing ctl name suffix at parsing SU
  ALSA: hda/realtek - Fix Dell AIO LineOut issue
  ALSA: rawmidi: Avoid racy info ioctl via ctl device
  ALSA: hda - Add vendor id for Cannonlake HDMI codec
  ALSA: usb-audio: Add native DSD support for Esoteric D-05X
2017-12-20 13:03:20 -08:00
Jens Axboe
0864fe09ab null_blk: unalign call_single_data
Commit 966a967116 randomly added alignment to this structure, but
it's actually detrimental to performance of null_blk. Test case:

Running on both the home and remote node shows a ~5% degradation
in performance.

While in there, move blk_status_t to the hole after the integer tag
in the nullb_cmd structure. After this patch, we shrink the size
from 192 to 152 bytes.

Fixes: 966a967116 ("smp: Avoid using two cache lines for struct call_single_data")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-12-20 13:16:33 -07:00
Jens Axboe
4ccafe0320 block: unalign call_single_data in struct request
A previous change blindly added massive alignment to the
call_single_data structure in struct request. This ballooned it in size
from 296 to 320 bytes on my setup, for no valid reason at all.

Use the unaligned struct __call_single_data variant instead.

Fixes: 966a967116 ("smp: Avoid using two cache lines for struct call_single_data")
Cc: stable@vger.kernel.org # v4.14
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-12-20 13:16:33 -07:00
Ido Schimmel
b4681c2829 ipv4: Fix use-after-free when flushing FIB tables
Since commit 0ddcf43d5d ("ipv4: FIB Local/MAIN table collapse") the
local table uses the same trie allocated for the main table when custom
rules are not in use.

When a net namespace is dismantled, the main table is flushed and freed
(via an RCU callback) before the local table. In case the callback is
invoked before the local table is iterated, a use-after-free can occur.

Fix this by iterating over the FIB tables in reverse order, so that the
main table is always freed after the local table.

v3: Reworded comment according to Alex's suggestion.
v2: Add a comment to make the fix more explicit per Dave's and Alex's
feedback.

Fixes: 0ddcf43d5d ("ipv4: FIB Local/MAIN table collapse")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Fengguang Wu <fengguang.wu@intel.com>
Acked-by: Alexander Duyck <alexander.h.duyck@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-20 15:12:39 -05:00
Julian Wiedmann
ad3cbf6133 s390/qeth: fix error handling in checksum cmd callback
Make sure to check both return code fields before processing the
response. Otherwise we risk operating on invalid data.

Fixes: c9475369bd ("s390/qeth: rework RX/TX checksum offload")
Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-20 15:11:49 -05:00
Jon Maloy
bb25c3855a tipc: remove joining group member from congested list
When we receive a JOIN message from a peer member, the message may
contain an advertised window value ADV_IDLE that permits removing the
member in question from the tipc_group::congested list. However, since
the removal has been made conditional on that the advertised window is
*not* ADV_IDLE, we miss this case. This has the effect that a sender
sometimes may enter a state of permanent, false, broadcast congestion.

We fix this by unconditinally removing the member from the congested
list before calling tipc_member_update(), which might potentially sort
it into the list again.

Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-20 14:56:48 -05:00
Naresh Kamboju
1c8e77fb36 selftests: net: Adding config fragment CONFIG_NUMA=y
kernel config fragement CONFIG_NUMA=y is need for reuseport_bpf_numa.

Signed-off-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-20 14:25:34 -05:00
David S. Miller
932f8c77a9 mlx5-fixes-2017-12-19
Misc fixes for mlx5 core and mlx5 netdev driver.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQEbBAABAgAGBQJaOYOtAAoJEEg/ir3gV/o+1/0H+I9yY/HYQIU0Cl08yNvYKBcS
 KuhGpeJCH20rPQPrcPTG3zN0KF6DZKjwsQOwxdE5pUXqQNUuyuogUZCuLYB4OElL
 P4b1o5G377sTcDQ7jH2YAWD5hO8c5vKxsDbvN+kJaUkK+SHvjhLdvC5teUPf58rx
 tlDcWzdp3w1nBWeoLbASXTiqPYyA8vGkjOWWiQxBZoD4A4U7QpRKsEKaWd6g3mtH
 mnKVd8sczIFCHoHCQ3e+efJMz478YvX2rzdKZ8eycAMkQHBIny0fZzc4IiFy5ZXN
 L2CUGesr8x1CZ9dtK+OEw1STpalD0kpCfjRhYd2B7X0KgY/FN+7vgnpmBtxdzA==
 =G//q
 -----END PGP SIGNATURE-----

Merge tag 'mlx5-fixes-2017-12-19' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux

Saeed Mahameed says:

===================
Mellanox, mlx5 fixes 2017-12-19

The follwoing series includes some fixes for mlx5 core and etherent
driver.

Please pull and let me know if there is any problem.

This series doesn't introduce any conflict with the ongoing mlx5 for-next
submission.

For -stable:

kernels >= v4.7.y
    ("net/mlx5e: Fix possible deadlock of VXLAN lock")
    ("net/mlx5e: Add refcount to VXLAN structure")
    ("net/mlx5e: Prevent possible races in VXLAN control flow")
    ("net/mlx5e: Fix features check of IPv6 traffic")

kernels >= v4.9.y
    ("net/mlx5: Fix error flow in CREATE_QP command")
    ("net/mlx5: Fix rate limit packet pacing naming and struct")

kernels >= v4.13.y
    ("net/mlx5: FPGA, return -EINVAL if size is zero")

kernels >= v4.14.y
    ("Revert "mlx5: move affinity hints assignments to generic code")

All above patches apply and compile with no issues on corresponding -stable.
===================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-20 13:41:05 -05:00
Shaohua Li
111be88398 block-throttle: avoid double charge
If a bio is throttled and split after throttling, the bio could be
resubmited and enters the throttling again. This will cause part of the
bio to be charged multiple times. If the cgroup has an IO limit, the
double charge will significantly harm the performance. The bio split
becomes quite common after arbitrary bio size change.

To fix this, we always set the BIO_THROTTLED flag if a bio is throttled.
If the bio is cloned/split, we copy the flag to new bio too to avoid a
double charge. However, cloned bio could be directed to a new disk,
keeping the flag be a problem. The observation is we always set new disk
for the bio in this case, so we can clear the flag in bio_set_dev().

This issue exists for a long time, arbitrary bio size change just makes
it worse, so this should go into stable at least since v4.2.

V1-> V2: Not add extra field in bio based on discussion with Tejun

Cc: Vivek Goyal <vgoyal@redhat.com>
Cc: stable@vger.kernel.org
Acked-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Shaohua Li <shli@fb.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2017-12-20 11:10:17 -07:00
David S. Miller
a8fcefe88b Merge branch 'cls_bpf-fix-offload-state-tracking-with-block-callbacks'
Jakub Kicinski says:

===================
cls_bpf: fix offload state tracking with block callbacks

After introduction of block callbacks classifiers can no longer track
offload state.  cls_bpf used to do that in an attempt to move common
code from drivers to the core.  Remove that functionality and fix
drivers.

The user-visible bug this is fixing is that trying to offload a second
filter would trigger a spurious DESTROY and in turn disable the already
installed one.
===================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-20 13:08:19 -05:00
Jakub Kicinski
d3f89b98e3 nfp: bpf: keep track of the offloaded program
After TC offloads were converted to callbacks we have no choice
but keep track of the offloaded filter in the driver.

The check for nn->dp.bpf_offload_xdp was a stop gap solution
to make sure failed TC offload won't disable XDP, it's no longer
necessary.  nfp_net_bpf_offload() will return -EBUSY on
TC vs XDP conflicts.

Fixes: 3f7889c4c7 ("net: sched: cls_bpf: call block callbacks for offload")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-12-20 13:08:18 -05:00