2
0
mirror of https://github.com/edk2-porting/linux-next.git synced 2024-12-20 19:23:57 +08:00
Commit Graph

651231 Commits

Author SHA1 Message Date
Linus Torvalds
be11f436a8 pci-v4.10-fixes-3
-----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIcBAABAgAGBQJYm19aAAoJEFmIoMA60/r8q5AQALuO3zl+fEsUD9k+vf1ernIm
 +Bzvzqe7RbmO/1Mke8ccZEJPigOx2Kyv3dcrVxvwVF/mcK7yjPp4NC040f4OBYeu
 lkeMC3+3x7k99xNHkszZkYG9wg4xEEqkMrQQcxokuE04FYSCQSyUJnVRtlhC3GWh
 I71IH9qHqCMRaIPbnbsOWaHimS2iPBcOIHE0OWlPo0VhUD+hqebQ8tdfTWykFWxU
 3YZX0tcqCFF0uZkKZ6zIiC1D2wL3AZ8QDN/FfwyrCRrCwZAJyshBxSk7jIxkvxL/
 RkA7b/tbNVug2UGtNJyV7zCc11ApruJ0H9sgHfppzdOo6tr2vov7itaCWFY0AA04
 bdEdqvqYnEdQAPXoeIGRbBPovlMjcUXI8qkrNuxZinLdwSya2oB+A+Zn33nkLjnz
 buXzbPni3FcriSDQm0l6brI4n0JXopyij6pfQv+Wq6lW/pF4Z54eksxLstZrw29o
 tQ+8cMUkmL46q++809c7jM2Mb3ZEXUL0EDbMeN96U4zjIsq/llc//pYsJbeogosa
 QSQUhAvKGHprUIhRjizLZ7h1BmYQbQ6oPI2k5wgx6zUNTn0V7MQ+gf2lYC/ogYif
 htiKNg9u/nFSqED9JZtUxsyHnlPtRui2iYr/S0JTo8AwLY7vUuXAcMQeQIw0ywW2
 QqKJgbZIUJyFKnEax1KS
 =uhbh
 -----END PGP SIGNATURE-----

Merge tag 'pci-v4.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci

Pull PCI fixes from Bjorn Helgaas:

 - check MSI affinity vs. number of vectors to avoid memory corruption

 - drop runtime power management for PCIe hotplug ports for now to avoid
   regressing hotplug via sysfs

* tag 'pci-v4.10-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
  Revert "PCI: pciehp: Add runtime PM support for PCIe hotplug ports"
  PCI/MSI: Don't apply affinity if there aren't enough vectors left
2017-02-08 12:23:49 -08:00
Jiri Pirko
b05d0cfa19 mlxsw: acl: Fix mlxsw_afa_block_commit error path
No rollback is needed since the chain is in consistent state and
mlxsw_afa_block_destroy() will take care of putting it away. So remove
the one we have now which is wrong. Also move the set of 'finished' flag
to the beginning of the function, because the block is certainly unusable
for future action addition no matter if the function succeeds or not.

Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Fixes: 4cda7d8d70 ("mlxsw: core: Introduce flexible actions support")
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Acked-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:13:44 -05:00
David S. Miller
9a9a7a5727 Merge branch 'stmmac-cleanups'
Corentin Labbe says:

====================
net: stmmac: misc fix

I am currently working on dwmac-sun8i glue driver for Allwinner H3/A83T/A64.
This series is the result of all minor problem found in the stmmac driver.

All patch are tested on cubieboard2 via dwmac-sunxi and on pine64/orangepis via dwmac-sun8i.

Changes since v1:
- Removed netdev_dbg() in "net: stmmac: print phy information"
- Removed patch "net: stmmac: Implement NAPI for TX", it will be reworked
- Changed error message in "Correct the error message about invalid speed"
- Added some acked-by
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:28 -05:00
LABBE Corentin
a6a3e026f0 net: stmmac: replace unsigned by u32
checkpatch complains about two unsigned without type after.
Since the value return is u32, it is simpler to replace it by u32 instead
of "unsigned int"

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:27 -05:00
LABBE Corentin
64679e565a net: stmmac: remove unused variable in sysfs_display_ring
The u64 x variable in sysfs_display_ring is unused.
This patch remove it.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:27 -05:00
LABBE Corentin
732fe78c07 net: stmmac: remove dead code in stmmac_tx_clean
Since commit cf32deec16 ("stmmac: add tx_skbuff_dma to save descriptors used by PTP"),
the struct dma_desc *p in stmmac_tx_clean was not used at all.

This patch remove this dead code.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:26 -05:00
LABBE Corentin
b05c76a1f8 net: stmmac: print phy information
When a PHY is found, printing which one was found (and which type/model) is
a good information to know.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:26 -05:00
LABBE Corentin
e0a76606d6 net: stmmac: rename rx_crc to rx_crc_errors
The ethtool stat counter rx_crc from stmmac is mis-named, the name
seems to speak about the number of RX CRC done, but in fact it is about
errors.

This patch rename it to rx_crc_errors, just like the same ifconfig
counter.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:26 -05:00
LABBE Corentin
662ec2b7e8 net: stmmac: Rewrite two test against NULL value
This patch rewrite two test against NULL value with correct style.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:25 -05:00
LABBE Corentin
cba920affb net: stmmac: Correct the error message about invalid speed
The message about invalid speed does not state 1000 as a valid speed.
It is much simpler to said that the speed is invalid.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:25 -05:00
LABBE Corentin
b2a8315a5c net: stmmac: replace ENOSYS by EINVAL
As said by checkpatch ENOSYS means 'invalid syscall nr' and nothing
else.
This patch replace ENOSYS by the more appropriate value EINVAL.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:25 -05:00
LABBE Corentin
8a70aeca80 net: stmmac: Use readl_poll_timeout
The dwmac_dma_reset function use an open coded of readl_poll_timeout().
Replace the open coded handling with the proper function.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:25 -05:00
LABBE Corentin
a5f48adc31 net: stmmac: replace stmmac_mdio_busy_wait by readl_poll_timeout
The stmmac_mdio_busy_wait() function do the same job than
readl_poll_timeout().
So is is better to replace it.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:24 -05:00
LABBE Corentin
efd89b60a3 net: stmmac: fix some code style problem
Checkpatch complains about some code style problem on stmmac_mdio.c.
This patch fix them.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:24 -05:00
LABBE Corentin
bbf8928496 net: stmmac: remplace asm/io.h by linux/io.h
This patch fix the checkpatch warning about asm/io.h.
Sorting all includes in the process.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:24 -05:00
LABBE Corentin
deeb6376ca net: stmmac: remove freesoftware address
This patch fix the checkpatch warning about free software address.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:23 -05:00
LABBE Corentin
8d45e42bab net: stmmac: fix some typos in comments
This patch fix some typos in comments.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:23 -05:00
LABBE Corentin
6a2cac549b net: stmmac: Remove the bus_setup function pointer
The bus_setup function pointer is not used at all, this patch remove it.

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:22 -05:00
LABBE Corentin
280892226b net: stmmac: fix the typo on MAC_RNABLE_RX
the define MAC_RNABLE_RX have a typo, rename it to MAC_ENABLE_RX

Signed-off-by: Corentin Labbe <clabbe.montjoie@gmail.com>
Acked-by: Giuseppe Cavallaro <peppe.cavallaro@st.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 15:11:22 -05:00
Florian Fainelli
382e1eea2d net: dsa: Do not destroy invalid network devices
dsa_slave_create() can fail, and dsa_user_port_unapply() will properly check
for the network device not being NULL before attempting to destroy it. We were
not setting the slave network device as NULL if dsa_slave_create() failed, so
we would later on be calling dsa_slave_destroy() on a now free'd and
unitialized network device, causing crashes in dsa_slave_destroy().

Fixes: 83c0afaec7 ("net: dsa: Add new binding implementation")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 14:50:51 -05:00
Daniel Borkmann
c502faf941 bpf, lpm: fix overflows in trie_alloc checks
Cap the maximum (total) value size and bail out if larger than KMALLOC_MAX_SIZE
as otherwise it doesn't make any sense to proceed further, since we're
guaranteed to fail to allocate elements anyway in lpm_trie_node_alloc();
likleyhood of failure is still high for large values, though, similarly
as with htab case in non-prealloc.

Next, make sure that cost vars are really u64 instead of size_t, so that we
don't overflow on 32 bit and charge only tiny map.pages against memlock while
allowing huge max_entries; cap also the max cost like we do with other map
types.

Fixes: b95a5c4db0 ("bpf: add a longest prefix match trie map implementation")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 14:40:03 -05:00
Roopa Prabhu
8ef9594764 bridge: vlan tunnel id info range fill size calc cleanups
This fixes a bug and cleans up tunnelid range size
calculation code by using consistent variable names
and checks in size calculation and fill functions.

tested for a few cases of vlan-vni range mappings:
(output from patched iproute2):
$bridge vlan showtunnel
port     vid        tunid
vxlan0   100-105    1000-1005
         200        2000
         210        2100
         211-213    2100-2102
         214        2104
         216-217    2108-2109
         219        2119

Fixes: efa5356b0d ("bridge: per vlan dst_metadata netlink support")
Reported-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: Roopa Prabhu <roopa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 14:39:19 -05:00
Eric Dumazet
97e219b7c1 gro_cells: move to net/core/gro_cells.c
We have many gro cells users, so lets move the code to avoid
duplication.

This creates a CONFIG_GRO_CELLS option.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 14:38:18 -05:00
Philippe Reynes
40710cf9ad net: mellanox: switchx2: use new api ethtool_{get|set}_link_ksettings
The ethtool api {get|set}_settings is deprecated.
We move this driver to new api {get|set}_link_ksettings.

As I don't have the hardware, I'd be very pleased if
someone may test this patch.

Signed-off-by: Philippe Reynes <tremyfr@gmail.com>
Reviewed-by: Ido Schimmel <idosch@mellanox.com>
Tested-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 14:35:26 -05:00
Kalle Valo
cbda794cf1 Some patches focusing on bugfixes for v4.11:
* Fix 802.11w, which was failing to due an IGTK bug;
   * A few more bugzilla bug fixes;
   * A channel-switch race condition fix;
   * Some fixes related to suspend/resume with new HW;
   * The RF-kill saga continues;
   * And some other fixes here and there...
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEF3LNfgb2BPWm68smoUecoho8xfoFAlibZVQACgkQoUecoho8
 xfp+EQ/+K1/pgC4XfjifbLVZFHVhTnTVl9Nym2LkLIH7kEQPiTQXUMXlHkQZv546
 ir1neeqKdidqQZlaM0gFpc/DWgiMxWui/e6Va1oegr0ZqcxUNN3+CXo1bTL88kmu
 CTYjPVnjOFRZLxaXt/9wBkJ2ktWNSb8BYeK6Ftj21iX9xyf2xBSCV2En+aB6dhv1
 1UbOLPn8raqubAFn1ZcwEZw2Ems4xyrOlriHNHOzhCsXG+PE0d+OxtxcVcQXF7nu
 lyqVCYgREIz0114MrLTlo5atur2LKLZqfRrkP+fgjsOekgHWMF5yyB9zpoO/TTcQ
 jVpAs2P4q5uDqMRI5BM3qVB7XPt3HDYLpTb1pyf+EL4yR/3NgN4QdB8vzZm32QgN
 0Of97AIlJOkO8FRVhHyI2z6QO6vHBVK+tzyrV1FCTc+ZQYfnj+r3hRYPCCFr/UW8
 2fB3esPiKRD6cXng8fJkFIw79e9erEgOl8hi5IbUG0zVbetDhZrtevjFrDoFzI7E
 X9LSoIcCA6J616T/k6Vi2e40xVq3u5GbYTSg8GvX+TDI0UPfKJrx6AoSImxaPGzh
 ByQ5Ib+xOQo6oZsNy27cw8cDGojWlHp2s0xj7ilgpMOlpmOP5eHlKLE0hkzOhNmg
 Zxv5GD0ar0zEW1jIiR/O0PleUGoLCdID9M2zkeUgcQ6ftB65WVQ=
 =dHzs
 -----END PGP SIGNATURE-----

Merge tag 'iwlwifi-next-for-kalle-2017-02-08' of git://git.kernel.org/pub/scm/linux/kernel/git/iwlwifi/iwlwifi-next

Some patches focusing on bugfixes for v4.11:

  * Fix 802.11w, which was failing to due an IGTK bug;
  * A few more bugzilla bug fixes;
  * A channel-switch race condition fix;
  * Some fixes related to suspend/resume with new HW;
  * The RF-kill saga continues;
  * And some other fixes here and there...
2017-02-08 21:28:36 +02:00
WANG Cong
73d2c6678e ping: fix a null pointer dereference
Andrey reported a kernel crash:

  general protection fault: 0000 [] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 2 PID: 3880 Comm: syz-executor1 Not tainted 4.10.0-rc6+ 
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
  task: ffff880060048040 task.stack: ffff880069be8000
  RIP: 0010:ping_v4_push_pending_frames net/ipv4/ping.c:647 [inline]
  RIP: 0010:ping_v4_sendmsg+0x1acd/0x23f0 net/ipv4/ping.c:837
  RSP: 0018:ffff880069bef8b8 EFLAGS: 00010206
  RAX: dffffc0000000000 RBX: ffff880069befb90 RCX: 0000000000000000
  RDX: 0000000000000018 RSI: ffff880069befa30 RDI: 00000000000000c2
  RBP: ffff880069befbb8 R08: 0000000000000008 R09: 0000000000000000
  R10: 0000000000000002 R11: 0000000000000000 R12: ffff880069befab0
  R13: ffff88006c624a80 R14: ffff880069befa70 R15: 0000000000000000
  FS:  00007f6f7c716700(0000) GS:ffff88006de00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000004a6f28 CR3: 000000003a134000 CR4: 00000000000006e0
  Call Trace:
   inet_sendmsg+0x164/0x5b0 net/ipv4/af_inet.c:744
   sock_sendmsg_nosec net/socket.c:635 [inline]
   sock_sendmsg+0xca/0x110 net/socket.c:645
   SYSC_sendto+0x660/0x810 net/socket.c:1687
   SyS_sendto+0x40/0x50 net/socket.c:1655
   entry_SYSCALL_64_fastpath+0x1f/0xc2

This is because we miss a check for NULL pointer for skb_peek() when
the queue is empty. Other places already have the same check.

Fixes: c319b4d76b ("net: ipv4: add IPPROTO_ICMP socket kind")
Reported-by: Andrey Konovalov <andreyknvl@google.com>
Tested-by: Andrey Konovalov <andreyknvl@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 13:58:21 -05:00
David S. Miller
9538132a9f Merge branch 'net-header-length-truncation'
Willem de Bruijn says:

====================
net: Fixes for header length truncation

Packets should not enter the stack with truncated link layer headers
and link layer headers should always be stored in the skb linear
segment.

Patch 1 ensures the first for PF_PACKET sockets
Patch 2 ensures the second for PF_PACKET GSO sockets without tx_ring
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 13:56:38 -05:00
Willem de Bruijn
57031eb794 packet: round up linear to header len
Link layer protocols may unconditionally pull headers, as Ethernet
does in eth_type_trans. Ensure that the entire link layer header
always lies in the skb linear segment. tpacket_snd has such a check.
Extend this to packet_snd.

Variable length link layer headers complicate the computation
somewhat. Here skb->len may be smaller than dev->hard_header_len.

Round up the linear length to be at least as long as the smallest of
the two.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 13:56:37 -05:00
Willem de Bruijn
217e6fa24c net: introduce device min_header_len
The stack must not pass packets to device drivers that are shorter
than the minimum link layer header length.

Previously, packet sockets would drop packets smaller than or equal
to dev->hard_header_len, but this has false positives. Zero length
payload is used over Ethernet. Other link layer protocols support
variable length headers. Support for validation of these protocols
removed the min length check for all protocols.

Introduce an explicit dev->min_header_len parameter and drop all
packets below this value. Initially, set it to non-zero only for
Ethernet and loopback. Other protocols can follow in a patch to
net-next.

Fixes: 9ed988cd59 ("packet: validate variable length ll headers")
Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Acked-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 13:56:37 -05:00
Bryant G. Ly
b22bc27868 ibmvscsis: Add SGL limit
This patch adds internal LIO sgl limit since the driver already
sets a max transfer limit on transport layer of 1MB to the client.

Cc: stable@vger.kernel.org
Tested-by: Steven Royer <seroyer@linux.vnet.ibm.com>
Signed-off-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2017-02-08 10:51:24 -08:00
Wu Fengguang
3c19bd6c52 net: qcom/emac: fix semicolon.cocci warnings
drivers/net/ethernet/qualcomm/emac/emac-ethtool.c:155:49-50: Unneeded semicolon

 Remove unneeded semicolon.

Generated by: scripts/coccinelle/misc/semicolon.cocci

CC: Timur Tabi <timur@codeaurora.org>
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 13:38:44 -05:00
Raju Lakkaraju
04d8a0a5f3 net: phy: Add LED mode driver for Microsemi PHYs.
LED Mode:
Microsemi PHY support 2 LEDs (LED[0] and LED[1]) to display different
status information that can be selected by setting LED mode.

LED Mode parameter (vsc8531, led-0-mode) and (vsc8531, led-1-mode) get
from Device Tree.

Signed-off-by: Raju Lakkaraju <Raju.Lakkaraju@microsemi.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 13:29:04 -05:00
Dan Carpenter
ff4cf0e5ce net: dsa: bcm_sf2: cleanup bcm_sf2_cfp_rule_get() a little
This patch doesn't affect how the code works.

My static checker complains that the mask and shift doesn't make sense
because 0xffffff << 16 goes beyond the end of 32 bits.  It should be
0xffff instead but the existing code won't cause runtime bugs.

Also the casting here is not needed and not consistent with the rest of
the code.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 13:27:06 -05:00
WANG Cong
d7426c69a1 sit: fix a double free on error path
Dmitry reported a double free in sit_init_net():

  kernel BUG at mm/percpu.c:689!
  invalid opcode: 0000 [] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 0 PID: 15692 Comm: syz-executor1 Not tainted 4.10.0-rc6-next-20170206 
  Hardware name: Google Google Compute Engine/Google Compute Engine,
  BIOS Google 01/01/2011
  task: ffff8801c9cc27c0 task.stack: ffff88017d1d8000
  RIP: 0010:pcpu_free_area+0x68b/0x810 mm/percpu.c:689
  RSP: 0018:ffff88017d1df488 EFLAGS: 00010046
  RAX: 0000000000010000 RBX: 00000000000007c0 RCX: ffffc90002829000
  RDX: 0000000000010000 RSI: ffffffff81940efb RDI: ffff8801db841d94
  RBP: ffff88017d1df590 R08: dffffc0000000000 R09: 1ffffffff0bb3bdd
  R10: dffffc0000000000 R11: 00000000000135dd R12: ffff8801db841d80
  R13: 0000000000038e40 R14: 00000000000007c0 R15: 00000000000007c0
  FS:  00007f6ea608f700(0000) GS:ffff8801dbe00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 000000002000aff8 CR3: 00000001c8d44000 CR4: 00000000001426f0
  DR0: 0000000020000000 DR1: 0000000020000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000600
  Call Trace:
   free_percpu+0x212/0x520 mm/percpu.c:1264
   ipip6_dev_free+0x43/0x60 net/ipv6/sit.c:1335
   sit_init_net+0x3cb/0xa10 net/ipv6/sit.c:1831
   ops_init+0x10a/0x530 net/core/net_namespace.c:115
   setup_net+0x2ed/0x690 net/core/net_namespace.c:291
   copy_net_ns+0x26c/0x530 net/core/net_namespace.c:396
   create_new_namespaces+0x409/0x860 kernel/nsproxy.c:106
   unshare_nsproxy_namespaces+0xae/0x1e0 kernel/nsproxy.c:205
   SYSC_unshare kernel/fork.c:2281 [inline]
   SyS_unshare+0x64e/0xfc0 kernel/fork.c:2231
   entry_SYSCALL_64_fastpath+0x1f/0xc2

This is because when tunnel->dst_cache init fails, we free dev->tstats
once in ipip6_tunnel_init() and twice in sit_init_net(). This looks
redundant but its ndo_uinit() does not seem enough to clean up everything
here. So avoid this by setting dev->tstats to NULL after the first free,
at least for -net.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 13:12:22 -05:00
Linus Torvalds
472ff5be61 ARM: SoC fixes for v4.10
- A relatively large patch restores booting on i.MX platforms that
   failed to boot after a cleanup was merged for v4.10.
 
 - A quirk for USB needs to be enabled on the STi platform
 
 - On the Meson platform, we saw memory corruption with part of
   the memory used by the secure monitor, so we have to stay out
   of that area.
 
 - The same platform also has a problem with ethernet under load,
   which is fixed by disabling EEE negotiation.
 
 - imx6dl has an incorrect pin configuration, which prevents SPI
   from working.
 
 - Two maintainers have lost their access to their email addresses, so
   we should update the MAINTAINERS file before the release
 
 - Renaming one of the orion5x linkstation models to help simplify
   the debian install.
 
 - A couple of fixes for build warnings that were introduced during
   v4.10-rc.
 -----BEGIN PGP SIGNATURE-----
 Version: GnuPG v1
 
 iQIVAwUAWJtPYGCrR//JCVInAQIrqxAA4XlWN83jn0+zDt1A7OmrXUhtycD8eJFM
 cP0Lc965pa1OVVkcIRRrgvYE9dnILuK6qPit7HbQtQcCSRxb5P2OQ0AyNBjAt6C0
 exBD/R13aImPLWWuGl65/WqBaCWaZ9KnVqzNHDXGt9d51NBsqreM9TdwLMvFMQBl
 tyvoRNK4TbIMGpOtrnLMTwHLkh4yZXik7srkuwSV0jeIVh7HrQUd2eawqWssuX7A
 idkZWBheDhQt2s1tI5wkRf4TFEI6muWpaNaU3NGi9qmQdHpJWc0ivYZtHlE29Fli
 T/nXDWmPptRIhOSIney6TwLdgN1Lg4ztRdaowHEpYXnfieUx+P86QJTXhxxo/3eT
 be30IhWX4WKAWiQkQHAsVCt6zIYRfXE5N8An6S5MfsC3n1dYAvCCf/qpToGUnoc/
 nyZQcbasHaSB3r5YMUmgH1oDowT9FsE/iaOzCr5xymiXgxR/p3gTVxcLn9jgp3Zq
 m1hSNfCACGmGLNcQBR/fz63/1b6sanXV6JOSEEB2TfpcQ0Mi0AaeZjAR9JAfQbNR
 hG/r8LC2Q0cG10zwOe1Iv60Ery7UsfCtdzEU6D3/gwtlDssSOs351cBoIKWtQxnX
 SPcUag9ZHZS1iuaZaSISmOWMyhK7CeCjk12TDFJPBrLolJOhIuHUOW/5cFwydWgp
 DLbhSBwqQKU=
 =zlTb
 -----END PGP SIGNATURE-----

Merge tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc

Pull ARM SoC fixes from Arnd Bergmann:

 - A relatively large patch restores booting on i.MX platforms that
   failed to boot after a cleanup was merged for v4.10.

 - A quirk for USB needs to be enabled on the STi platform

 - On the Meson platform, we saw memory corruption with part of the
   memory used by the secure monitor, so we have to stay out of that
   area.

 - The same platform also has a problem with ethernet under load, which
   is fixed by disabling EEE negotiation.

 - imx6dl has an incorrect pin configuration, which prevents SPI from
   working.

 - Two maintainers have lost their access to their email addresses, so
   we should update the MAINTAINERS file before the release

 - Renaming one of the orion5x linkstation models to help simplify the
   debian install.

 - A couple of fixes for build warnings that were introduced during
   v4.10-rc.

* tag 'fixes-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
  ARM: defconfigs: make NF_CT_PROTO_SCTP and NF_CT_PROTO_UDPLITE built-in
  MAINTAINERS: socfpga: update email for Dinh Nguyen
  ARM: orion5x: fix Makefile for linkstation-lschl.dtb
  ARM: dts: orion5x-lschl: More consistent naming on linkstation series
  ARM: dts: orion5x-lschl: Fix model name
  MAINTAINERS: change email address from atmel to microchip
  MAINTAINERS: at91: change email address
  ARM64: dts: meson-gx: Add firmware reserved memory zones
  ARM64: dts: meson-gxbb-odroidc2: fix GbE tx link breakage
  ARM: dts: STiH407-family: set snps,dis_u3_susphy_quirk
  ARM: dts: imx: Pass 'chosen' and 'memory' nodes
  ARM: dts: imx6dl: fix GPIO4 range
  ARM: imx: hide unused variable in #ifdef
2017-02-08 10:01:39 -08:00
Linus Torvalds
d3498fbaf3 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull selinux fix from James Morris:
 "Fix off-by-one in setprocattr"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security:
  selinux: fix off-by-one in setprocattr
2017-02-08 09:59:45 -08:00
Linus Torvalds
23fbe2cdc1 Merge branch 'for-linus' of git://git.kernel.dk/linux-block
Pull block fix from Jens Axboe:
 "A single fix that should go into 4.10, fixing a regression on some
  devices with the WRITE_SAME command"

* 'for-linus' of git://git.kernel.dk/linux-block:
  block: don't try Write Same from __blkdev_issue_zeroout
2017-02-08 09:56:15 -08:00
David Ahern
2bd137de53 lwtunnel: valid encap attr check should return 0 when lwtunnel is disabled
An error was reported upgrading to 4.9.8:
    root@Typhoon:~# ip route add default table 210 nexthop dev eth0 via 10.68.64.1
    weight 1 nexthop dev eth0 via 10.68.64.2 weight 1
    RTNETLINK answers: Operation not supported

The problem occurs when CONFIG_LWTUNNEL is not enabled and a multipath
route is submitted.

The point of lwtunnel_valid_encap_type_attr is catch modules that
need to be loaded before any references are taken with rntl held. With
CONFIG_LWTUNNEL disabled, there will be no modules to load so the
lwtunnel_valid_encap_type_attr stub should just return 0.

Fixes: 9ed59592e3 ("lwtunnel: fix autoload of lwt modules")
Reported-by: pupilla@libero.it
Signed-off-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 12:52:11 -05:00
Leon Romanovsky
646ebd4166 RDMA: Don't reference kernel private header from UAPI header
Remove references to private kernel header and defines from exported
ib_user_verb.h file.

The code snippet below is used to reproduce the issue:

 #include <stdio.h>
 #include <rdma/ib_user_verb.h>

 int main(void)
 {
	printf("IB_USER_VERBS_ABI_VERSION = %d\n", IB_USER_VERBS_ABI_VERSION);
	return 0;
 }

It fails during compilation phase with an error:
➜  /tmp gcc main.c
main.c:2:31: fatal error: rdma/ib_user_verb.h: No such file or directory
 #include <rdma/ib_user_verb.h>
                               ^
compilation terminated.

Fixes: 189aba99e7 ("IB/uverbs: Extend modify_qp and support packet pacing")
CC: Bodong Wang <bodong@mellanox.com>
CC: Matan Barak <matanb@mellanox.com>
CC: Christoph Hellwig <hch@infradead.org>
Tested-by: Slava Shwartsman <slavash@mellanox.com>
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-02-08 12:28:49 -05:00
Eyal Itkin
647bf3d8a8 IB/rxe: Fix mem_check_range integer overflow
Update the range check to avoid integer-overflow in edge case.
Resolves CVE 2016-8636.

Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-02-08 12:28:30 -05:00
Eyal Itkin
628f07d33c IB/rxe: Fix resid update
Update the response's resid field when larger than MTU, instead of only
updating the local resid variable.

Fixes: 8700e3e7c4 ("Soft RoCE driver")
Signed-off-by: Eyal Itkin <eyal.itkin@gmail.com>
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Leon Romanovsky <leonro@mellanox.com>
Signed-off-by: Doug Ledford <dledford@redhat.com>
2017-02-08 12:28:30 -05:00
Marcus Huewe
a11a7f71ca ipv6: addrconf: fix generation of new temporary addresses
Under some circumstances it is possible that no new temporary addresses
will be generated.

For instance, addrconf_prefix_rcv_add_addr() indirectly calls
ipv6_create_tempaddr(), which creates a tentative temporary address and
starts dad. Next, addrconf_prefix_rcv_add_addr() indirectly calls
addrconf_verify_rtnl(). Now, assume that the previously created temporary
address has the least preferred lifetime among all existing addresses and
is still tentative (that is, dad is still running). Hence, the next run of
addrconf_verify_rtnl() is performed when the preferred lifetime of the
temporary address ends. If dad succeeds before the next run, the temporary
address becomes deprecated during the next run, but no new temporary
address is generated.

In order to fix this, schedule the next addrconf_verify_rtnl() run slightly
before the temporary address becomes deprecated, if dad succeeded.

Signed-off-by: Marcus Huewe <suse-tux@gmx.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-02-08 11:54:40 -05:00
Nicholas Bellinger
9b2792c3da target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
This patch addresses a long standing bug where the commit phase
of COMPARE_AND_WRITE would result in a se_cmd->cmd_kref reference
leak if se_cmd->scsi_status returned non SAM_STAT_GOOD.

This would manifest first as a lost SCSI response, and eventual
hung task during fabric driver logout or re-login, as existing
shutdown logic waited for the COMPARE_AND_WRITE se_cmd->cmd_kref
to reach zero.

To address this bug, compare_and_write_post() has been changed
to drop the incorrect !cmd->scsi_status conditional that was
preventing *post_ret = 1 for being set during non SAM_STAT_GOOD
status.

This patch has been tested with SAM_STAT_CHECK_CONDITION status
from normal target_complete_cmd() callback path, as well as the
incoming __target_execute_cmd() submission failure path when
se_cmd->execute_cmd() returns non zero status.

Reported-by: Donald White <dew@datera.io>
Cc: Donald White <dew@datera.io>
Tested-by: Gary Guo <ghg@datera.io>
Cc: Gary Guo <ghg@datera.io>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Cc: <stable@vger.kernel.org> # v3.12+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2017-02-08 08:25:39 -08:00
Nicholas Bellinger
01d4d67355 target: Fix multi-session dynamic se_node_acl double free OOPs
This patch addresses a long-standing bug with multi-session
(eg: iscsi-target + iser-target) se_node_acl dynamic free
withini transport_deregister_session().

This bug is caused when a storage endpoint is configured with
demo-mode (generate_node_acls = 1 + cache_dynamic_acls = 1)
initiators, and initiator login creates a new dynamic node acl
and attaches two sessions to it.

After that, demo-mode for the storage instance is disabled via
configfs (generate_node_acls = 0 + cache_dynamic_acls = 0) and
the existing dynamic acl is never converted to an explicit ACL.

The end result is dynamic acl resources are released twice when
the sessions are shutdown in transport_deregister_session().

If the storage instance is not changed to disable demo-mode,
or the dynamic acl is converted to an explict ACL, or there
is only a single session associated with the dynamic ACL,
the bug is not triggered.

To address this big, move the release of dynamic se_node_acl
memory into target_complete_nacl() so it's only freed once
when se_node_acl->acl_kref reaches zero.

(Drop unnecessary list_del_init usage - HCH)

Reported-by: Rob Millner <rlm@daterainc.com>
Tested-by: Rob Millner <rlm@daterainc.com>
Cc: Rob Millner <rlm@daterainc.com>
Cc: stable@vger.kernel.org # 4.1+
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
2017-02-08 08:25:23 -08:00
Golan Ben-Ami
0c8d0a4770 iwlwifi: mvm: avoid exceeding the allowed print length
Divide a mfuart related print so it won't exceed the allowed
MAX_MSG_LEN (110 bytes) per print.

Fixes: 19f63c531b ("iwlwifi: mvm: support v2 of mfuart load notification")
Signed-off-by: Golan Ben-Ami <golan.ben.ami@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2017-02-08 17:54:23 +02:00
Ilan Peer
cd4d23c1ea iwlwifi: mvm: Fix removal of IGTK
When removing an IGTK, iwl_mvm_send_sta_igtk() was
called before station ID was retrieved, so the function
was invoked with an invalid station ID. Fix this by first
getting the station ID.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=192411
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2017-02-08 17:54:23 +02:00
Goodstein, Mordechay
735a0045f9 iwlwifi: mvm: avoid race condition in ADD_STA.
The race happens when we send ADD_STA(auth->assoc) -> LQ_CMD
between the commands the FW sometimes loses the medium for AUX, and
sends a ndp to the AP and the flow becomes, ADD_STA -> send ndp -> LQ_CMD
the problem is that there's no rates yet defined for sending the ndp and
FW generates an assert.

The fix: change the order of the commands to LQ_CMD -> ADD_STA

Signed-off-by: Mordechay Goodstein <mordechay.goodstein@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2017-02-08 17:54:22 +02:00
Avraham Stern
b45242c99f iwlwifi: mvm: Fix CSA received immediately after association
The session protection set for association is only removed when
BSS_CHANGED_BEACON_INFO is set and BSS_CHANGED_ASSOC is not set.

However, mac80211 may set both on association (in case a beacon was
already received). In this case, mac80211 will not set
BSS_CHANGED_BEACON_INFO on the next beacons because it has already
notified the beacon change, so the session protection is never removed
(until the session protection ends).

When a CSA is received within this time, the station will fail to
folllow the channel switch because it cannot schedule the time event.

Fix this by removing the session protection when
BSS_CHANGED_BEACON_INFO and BSS_CHANGED_ASSOC are both set.

Signed-off-by: Avraham Stern <avraham.stern@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2017-02-08 17:54:22 +02:00
Golan Ben Ami
2b18824a5d iwlwifi: pcie: set STATUS_RFKILL immediately after interrupt
Currently, when getting a RFKILL interrupt, the transport enters a flow
in which it stops the device, disables other interrupts, etc. After
stopping the device, the transport resets the hw, and sleeps. During
the sleep, a context switch occurs and host commands are sent by upper
layers (e.g. mvm) to the fw. This is possible since the op_mode layer
and the transport layer hold different mutexes.

Since the STATUS_RFKILL bit isn't set, the transport layer doesn't
recognize that RFKILL was toggled on, and no commands can actually be
sent, so it enqueues the command to the tx queue and sets a timer on
the queue.

After switching context back to stopping the device, STATUS_RFKILL is
set, and then the transport can't send the command to the fw.
This eventually results in a queue hang.

Fix this by setting STATUS_RFKILL immediately when
the interrupt is fired.

Signed-off-by: Golan Ben-Ami <golan.ben.ami@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2017-02-08 17:54:21 +02:00
Emmanuel Grumbach
43d59a4ce7 iwlwifi: mvm: don't call << operator with a negative value
In https://bugzilla.kernel.org/show_bug.cgi?id=177341 Bob
reported a UBSAN WARNING on rs.c in iwldvm.
Fix the same bug in iwlmvm.

This because
	i = index - 1;
	for (mask = (1 << i); i >= 0; i--, mask >>= 1)

is unsafe: i could be negative and hence we can call <<
on a negative value.
This bug doesn't have any real impact since the condition
of the for loop will prevent any usage of mask.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=177341
Signed-off-by: Emmanuel Grumbach <emmanuel.grumbach@intel.com>
Signed-off-by: Luca Coelho <luciano.coelho@intel.com>
2017-02-08 17:54:21 +02:00