Dmitry reported a crash when injecting faults in
attach_one_default_qdisc() and dev->qdisc is still
a noop_disc, the check before qdisc_hash_add() fails
to catch it because it tests NULL. We should test
against noop_qdisc since it is the default qdisc
at this point.
Fixes: 59cc1f61f0 ("net: sched: convert qdisc linked list to hashtable")
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Cc: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
inet_rtm_getroute synthesizes a skeletal ICMP skb, which is passed to
ip_route_input when iif is given. If a multipath route is present for
the designated destination, ip_multipath_icmp_hash ends up being called,
which uses the source/destination addresses within the skb to calculate
a hash. However, those are not set in the synthetic skb, causing it to
return an arbitrary and incorrect result.
Instead, use UDP, which gets no such special treatment.
Signed-off-by: Florian Larysch <fl@n621.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
Pull networking fixes from David Miller:
1) Reject invalid updates to netfilter expectation policies, from Pablo
Neira Ayuso.
2) Fix memory leak in nfnl_cthelper, from Jeffy Chen.
3) Don't do stupid things if we get a neigh_probe() on a neigh entry
whose ops lack a solicit method. From Eric Dumazet.
4) Don't transmit packets in r8152 driver when the carrier is off, from
Hayes Wang.
5) Fix ipv6 packet type detection in aquantia driver, from Pavel
Belous.
6) Don't write uninitialized data into hw registers in bna driver, from
Arnd Bergmann.
7) Fix locking in ping_unhash(), from Eric Dumazet.
8) Make BPF verifier range checks able to understand certain sequences
emitted by LLVM, from Alexei Starovoitov.
9) Fix use after free in ipconfig, from Mark Rutland.
10) Fix refcount leak on force commit in openvswitch, from Jarno
Rajahalme.
11) Fix various overflow checks in AF_PACKET, from Andrey Konovalov.
12) Fix endianness bug in be2net driver, from Suresh Reddy.
13) Don't forget to wake TX queues when processing a timeout, from
Grygorii Strashko.
14) ARP header on-stack storage is wrong in flow dissector, from Simon
Horman.
15) Lost retransmit and reordering SNMP stats in TCP can be
underreported. From Yuchung Cheng.
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (82 commits)
nfp: fix potential use after free on xdp prog
tcp: fix reordering SNMP under-counting
tcp: fix lost retransmit SNMP under-counting
sctp: get sock from transport in sctp_transport_update_pmtu
net: ethernet: ti: cpsw: fix race condition during open()
l2tp: fix PPP pseudo-wire auto-loading
bnx2x: fix spelling mistake in macros HW_INTERRUT_ASSERT_SET_*
l2tp: take reference on sessions being dumped
tcp: minimize false-positives on TCP/GRO check
sctp: check for dst and pathmtu update in sctp_packet_config
flow dissector: correct size of storage for ARP
net: ethernet: ti: cpsw: wake tx queues on ndo_tx_timeout
l2tp: take a reference on sessions used in genetlink handlers
l2tp: hold session while sending creation notifications
l2tp: fix duplicate session creation
l2tp: ensure session can't get removed during pppol2tp_session_ioctl()
l2tp: fix race in l2tp_recv_common()
sctp: use right in and out stream cnt
bpf: add various verifier test cases for self-tests
bpf, verifier: fix rejection of unaligned access checks for map_value_adj
...
We should unregister the net_device first, before we give back
our reference on xdp_prog. Otherwise xdp_prog may be freed
before .ndo_stop() disabled the datapath. Found by code inspection.
Fixes: ecd63a0217 ("nfp: add XDP support in the driver")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Currently the reordering SNMP counters only increase if a connection
sees a higher degree then it has previously seen. It ignores if the
reordering degree is not greater than the default system threshold.
This significantly under-counts the number of reordering events
and falsely convey that reordering is rare on the network.
This patch properly and faithfully records the number of reordering
events detected by the TCP stack, just like the comment says "this
exciting event is worth to be remembered". Note that even so TCP
still under-estimate the actual reordering events because TCP
requires TS options or certain packet sequences to detect reordering
(i.e. ACKing never-retransmitted sequence in recovery or disordered
state).
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The lost retransmit SNMP stat is under-counting retransmission
that uses segment offloading. This patch fixes that so all
retransmission related SNMP counters are consistent.
Fixes: 10d3be5692 ("tcp-tso: do not split TSO packets at retransmit time")
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- Hand-off primary maintainership of Kbuild
- Fix build warnings
- Fix build error when GCOV is enabled with old compiler
- Fix HAVE_ASM_GOTO check when GCC plugin is enabled
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJY5DVaAAoJED2LAQed4NsGOvYP/2aBSxp8k4s8XphPYXlF2ITE
MlHWq9nJqlUBqv6Q6fTd8SiVU5LP9kSV54V8jCwBjjPV4ZxWTD0R2XDjdmW/Zzqu
Fpjs61TScLUmpPDCwK9Q8k/FVHnjkM5H0U/9tsVWSoCUknJ3WqFNf0KcB7HIlWaH
w5+Twt87e7dlaCbwCseWYsA3i8mkXXrdRFU+qlXHcgmfVnYEYdqjtWOKfESWGet0
1Nwi0lQXEYb4W+vLczJ6K53BHW5dtL9+jiTZb5aGu3oTSFPFasOjGwdGDH1oVqif
28ueGnPFzxl2FXzY0GT66/gRBQdtMnt2/vUVG2PUbCqa3MRZkRvFN8IntkmZz1iY
2cTZ70PjKRyCr9DUw5UQnQweNB9reZlCsEC41xG21c5CLWL0/50iPX17rVAIP2D1
GMVNWq4AEF4M98ovbyw8FEhz57ZQeVZ+dS0mmnPnL8R/a+SAiQ38ZBS18IqMPbDi
5qsBvsqL8g5wb6d9cexzZJaFmkN4zBLek1O6EMKVH4FUOYKqR6Z470l7I4+/4UGD
G9fkIAPGIBJoQ7gJZXQACdrtrhleFMX4JcnPycUsTiCkF86rBqWNjlp9nRPlxUw4
HdrjwnsHL28G1rprT0Divmtjw074dxEem5PQzSD191IP+PINnXPzCVKhGKUN3uYh
ykSDv++jHBQNGn+ivUBW
=ZHIG
-----END PGP SIGNATURE-----
Merge tag 'kbuild-fixes-v4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild
Pull Kbuild fixes from Masahiro Yamada:
- hand-off primary maintainership of Kbuild
- fix build warnings
- fix build error when GCOV is enabled with old compiler
- fix HAVE_ASM_GOTO check when GCC plugin is enabled
* tag 'kbuild-fixes-v4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/masahiroy/linux-kbuild:
gconfig: remove misleading parentheses around a condition
jump label: fix passing kbuild_cflags when checking for asm goto support
Kbuild: use cc-disable-warning consistently for maybe-uninitialized
kbuild: external module build warnings when KBUILD_OUTPUT set and W=1
MAINTAINERS: add Masahiro Yamada as a Kbuild maintainer
This patch is almost to revert commit 02f3d4ce9e ("sctp: Adjust PMTU
updates to accomodate route invalidation."). As t->asoc can't be NULL
in sctp_transport_update_pmtu, it could get sk from asoc, and no need
to pass sk into that function.
It is also to remove some duplicated codes from that function.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
For SPI, we can get up to 32 additional bytes for response preamble.
The current overhead (2 bytes) may cause problems when we try to receive
a big response. Update it to 32 bytes.
Without this fix we could see a kernel BUG when we receive a big response
from the Chrome EC when is connected via SPI.
Signed-off-by: Vic Yang <victoryang@google.com>
Tested-by: Enric Balletbo i Serra <enric.balletbo.collabora.com>
Signed-off-by: Lee Jones <lee.jones@linaro.org>
We're dealing with ACPI issues here. The first is related to
wake IRQs on Bay Trail/Cherry Trail CPUs which are common in
laptops. The second is about proper probe deferral when reading
_CRS properties.
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJY44fCAAoJEEEQszewGV1z+wkP/0ySyMBUDBlnIdUHjkqXV+Up
p9KuNp8Z3VR/Zh+dN9I3RjNj0ParbkaD1sUuQLgowwMCuz+j/VdNlrStvHJjGJi2
Zf2kV6d0CHnnLo0RnsDpQgIvqFgDawMG7a9nDrRQXVso68Yzh6Pdm+JMkvNZ8C6j
RTPcPYh7WqYyiC1Y8OnuBTwVPyLOW/608PDYqrU4V76W+h1YYP9xLcEbDC+ORcj6
BJLoqA1k0csC+ySNCY6ft77O7ItLapppmQqbbktO853Epmhe3PHZ9ZEjxbgpbUg4
IBAsyIZnyayGxeowtmZZnJzSdGSpI2mzxTZPy9AQTBkWZ4Kp3hbOIjri9/UBtAu8
amvcwTeYUFE+tm7tjm1RyKVLQgWdVfxX5UCxtderBUK5Ja106QrtwzaeJiCXM7Cj
RbPYUftn0k9r3DU9HO1eGQ2sX5bFzWDcQjzSaftnP6G8BpIffAxj5MxSJmsgkO4Z
yYy0+Qo42RUsUy9gTjMbKHT8/7get+iuBPtATUrtfPMfvUCM1jrvbpvQ8L+y3Wo2
9ne1rqltZ4scBtm1ZEg8i5Ib9oF9nH3xdGr4tfjrcDmxKUza4uq2D3dPMsytlAH/
l8vZM/bhv9ryc8qnqKsMPDDeOPmDpZ3cpioC7Xvo/0thplvI2jxOgVxpyoYmzC2c
wcGMusEBFfeJZQDn6ArH
=DTy3
-----END PGP SIGNATURE-----
Merge tag 'gpio-v4.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio
Pull late GPIO fixes from Linus Walleij:
"Some late coming ACPI fixes for GPIO.
We're dealing with ACPI issues here. The first is related to wake IRQs
on Bay Trail/Cherry Trail CPUs which are common in laptops. The second
is about proper probe deferral when reading _CRS properties.
For my untrained eye it seems there was some quarrel between the BIOS
and the kernel about who is supposed to deal with wakeups from GPIO
lines"
* tag 'gpio-v4.11-3' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
ACPI / gpio: do not fall back to parsing _CRS when we get a deferral
gpio: acpi: Call enable_irq_wake for _IAE GpioInts with Wake set
iwlwifi
* an RCU fix
* a fix for a potential out-of-bounds access crash
* a fix for IBSS which has been broken since DQA was enabled
rtlwifi
* fix scheduling while atomic regression
brcmfmac
* fix use-after-free bug found by KASAN
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJY4ivhAAoJEG4XJFUm622bnNQIAId7kE+dQjX/VRRCfZl5679K
pkcooXgqCBODA03phCCa9pDGx8O2JPoPJzDgqthHJcpD03nmp8TbiCfuZY6VT2HK
ohwydmwh2y614V7XrLmEJ6MRl06R2ihXZRMaasPf7LIydXHYo3JFU60XOTNRKrmE
bDvukcNeKB6s/YuMBf4247qi6mpHuWMeTBVdzUo3Ht06JH6AK2F9M81IS2AiXojY
lAQWWBBrQT6B7fiVMw4+wRux4Mirkzy/7WJIeFS5oGPFj4ha3gGQhddVHAj8Z9hA
zQKQxojNLj89tFKqXV3JvDQe20/bNGN81ushkkcy4l8pPtHoJylD3ladPbiXMH8=
=vv5x
-----END PGP SIGNATURE-----
Merge tag 'wireless-drivers-for-davem-2017-04-03' of git://git.kernel.org/pub/scm/linux/kernel/git/kvalo/wireless-drivers
Kalle Valo says:
====================
wireless-drivers fixes for 4.11
iwlwifi
* an RCU fix
* a fix for a potential out-of-bounds access crash
* a fix for IBSS which has been broken since DQA was enabled
rtlwifi
* fix scheduling while atomic regression
brcmfmac
* fix use-after-free bug found by KASAN
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
TI's cpsw driver handles both OF and non-OF case for phy
connect. Unfortunately of_phy_connect() returns NULL on
error while phy_connect() returns ERR_PTR().
To handle this, cpsw_slave_open() overrides the return value
from phy_connect() to make it NULL or error.
This leaves a small window, where cpsw_adjust_link() may be
invoked for a slave while slave->phy pointer is temporarily
set to -ENODEV (or some other error) before it is finally set
to NULL.
_cpsw_adjust_link() only handles the NULL case, and an oops
results when ERR_PTR() is seen by it.
Note that cpsw_adjust_link() checks PHY status for each
slave whenever it is invoked. It can so happen that even
though phy_connect() for a given slave returns error,
_cpsw_adjust_link() is still called for that slave because
the link status of another slave changed.
Fix this by using a temporary pointer to store return value
of {of_}phy_connect() and do a one-time write to slave->phy.
Reviewed-by: Grygorii Strashko <grygorii.strashko@ti.com>
Reported-by: Yan Liu <yan-liu@ti.com>
Signed-off-by: Sekhar Nori <nsekhar@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJY4xUcAAoJEAx081l5xIa+WJAP/iYhjkhcP3tRN/u+oCRKuAjw
EmhR6AAAmF2kqbZa30e2DCDvrB5UODxRSnIWGq7FUfwB8nWW366opU18hzwdepUJ
sCWqwtj6ZhFP4P5LZUQcjQseXmwcDnmsnY59mWKWqYDOM+5rvprN1sSBRs2Z2TfZ
ZwBQt0AdmxkxVOarEgF3ZFCZ3cweRPvFH3WjhYvLTkWtVqoMQtKwJfkL9F8qk/QR
+137vIOzVDM9NVu10+D2nTISGQKnwqPGkvYWpnsVbLR/AFtfkSS2NXiiP5yROwXK
qdaQzf1jPTLGbhMlQfahajrzncxMxVm3dNcyG9D/DWqdv24cUKaT4/OsJnS7T2YW
B1rEl12A5wsAjyOgafU6J8nCXnSdJ4VXnlI5igJCNIIuZc9DoDStpc4/7va3gyHA
QaC7zGh1QKBQbl9sTwwinl1xuTIbROCRv+1snD07pO2KCc6Y+F7Fks31lqrucwk4
bBGlyoPN21IJLyfzHGz9hwuKvuAtMxWgGG+GAFCzxKwjocFSktPetsPmnLKlxcdt
DhBIWELzQ9lyzLeNeyQIFpMwLX3CxkfGa2+2xpnI8NMNVuzsTtju/20U+YHOJZwK
C5gJRFRHlG+F2fx09cRKW1Lp37S9yN/2IDHKmkdS0JhAErBlJhMv1dRXTZXk1wNK
z3fSS7NdMMZRVXddx5mn
=pqDR
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-for-v4.11-rc6' of git://people.freedesktop.org/~airlied/linux
Pull drm fixes from Dave Airlie:
"This is just mostly stuff that missed rc5, from vmwgfx and msm
drivers"
* tag 'drm-fixes-for-v4.11-rc6' of git://people.freedesktop.org/~airlied/linux:
drm/msm: Make sure to detach the MMU during GPU cleanup
drm/msm/hdmi: redefinitions of macros not required
drm/msm/mdp5: Update SSPP_MAX value
drm/msm/dsi: Fix bug in dsi_mgr_phy_enable
drm/msm: Don't allow zero sized buffer objects
drm/msm: Fix wrong pointer check in a5xx_destroy
drm/msm: adreno: fix build error without debugfs
drm/vmwgfx: fix integer overflow in vmw_surface_define_ioctl()
drm/vmwgfx: Remove getparam error message
drm/ttm: Avoid calling drm_ht_remove from atomic context
drm/ttm, drm/vmwgfx: Relax permission checking when opening surfaces
drm/vmwgfx: avoid calling vzalloc with a 0 size in vmw_get_cap_3d_ioctl()
drm/vmwgfx: NULL pointer dereference in vmw_surface_define_ioctl()
drm/vmwgfx: Type-check lookups of fence objects
PPP pseudo-wire type is 7 (11 is L2TP_PWTYPE_IP).
Fixes: f1f39f9110 ("l2tp: auto load type modules")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Trival fix, rename HW_INTERRUT_ASSERT_SET_* to HW_INTERRUPT_ASSERT_SET_*
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Yuval Mintz <Yuval.Mintz@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Take a reference on the sessions returned by l2tp_session_find_nth()
(and rename it l2tp_session_get_nth() to reflect this change), so that
caller is assured that the session isn't going to disappear while
processing it.
For procfs and debugfs handlers, the session is held in the .start()
callback and dropped in .show(). Given that pppol2tp_seq_session_show()
dereferences the associated PPPoL2TP socket and that
l2tp_dfs_seq_session_show() might call pppol2tp_show(), we also need to
call the session's .ref() callback to prevent the socket from going
away from under us.
Fixes: fd558d186d ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Fixes: 0ad6614048 ("l2tp: Add debugfs files for dumping l2tp debug info")
Fixes: 309795f4be ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Markus Trippelsdorf reported that after commit dcb17d22e1 ("tcp: warn
on bogus MSS and try to amend it") the kernel started logging the
warning for a NIC driver that doesn't even support GRO.
It was diagnosed that it was possibly caused on connections that were
using TCP Timestamps but some packets lacked the Timestamps option. As
we reduce rcv_mss when timestamps are used, the lack of them would cause
the packets to be bigger than expected, although this is a valid case.
As this warning is more as a hint, getting a clean-cut on the
threshold is probably not worth the execution time spent on it. This
patch thus alleviates the false-positives with 2 quick checks: by
accounting for the entire TCP option space and also checking against the
interface MTU if it's available.
These changes, specially the MTU one, might mask some real positives,
though if they are really happening, it's possible that sooner or later
it will be triggered anyway.
Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
- make __pa work with uncached KSEG addresses, it fixes DMA memory
mmapping and DMA debug;
- fix torn stack dump output;
- wire up statx syscall.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJY4tpmAAoJEFH5zJH4P6BECVsP/0VW0w0rwPS22zy0hRHQP3BQ
QEUDK7H9X1e8DWV4rEC47mSg4IYAJD8CTGsbsMHrBLm7krgbj4WZnkcuAuW+keH9
pjgY2jhn0a84MHIk/ubtya/L0HfjmDfEm41VAWg0uqVg+NspENxgdGJSq88eCEU7
up3KiM2/pBrgNiCejo6Nm8+Ct/fNMY0sgPAd83SoPdlMZY22K97NqBobdkoF43kR
KH7BqAncSIBjUnYEtxlLjqs83GVnAwDBffVObL8JEHrodV6Mmbuut3rS4buCr2xW
MZUfyWYQOuPRWLGhPZ49tFFfHakkfoOg3jLteU7FyOvX/tIPGh9jLA86ZIm7Eu+H
RuAdhr6gTvQfuHx+XSguANKaRG67mkPICNusGUd5/prdIU65StQYzxh+lzkCP4SE
UDlzbwLz9/9wiC/m6k+8outytcv89WqUtWq4l3sTc0X6SUIiMna2EDYLwV9aGELQ
Gj/3AGMSAdUsJksUBFmLJ+eT4o7ujzsonZO0aMh3IpnhnnlCbV3x/4QlVLlAyjRJ
Dp7v+++/iMkeczqtMka8ijfuOxjS0T55e4XyTfaHODYv2ai76G0K7wfu6TTwQDf6
4BKBxxg/SKYkOwbBAcCvQzhX7AJ18hkZaXioDuRT+7uK+ljyUMfFvF8e44yL0RVl
AeVWbXAXBwpw6PZOEnRo
=lq7n
-----END PGP SIGNATURE-----
Merge tag 'xtensa-20170403' of git://github.com/jcmvbkbc/linux-xtensa
Pull Xtensa fixes from Max Filippov:
- make __pa work with uncached KSEG addresses, it fixes DMA memory
mmapping and DMA debug
- fix torn stack dump output
- wire up statx syscall
* tag 'xtensa-20170403' of git://github.com/jcmvbkbc/linux-xtensa:
xtensa: wire up statx system call
xtensa: fix stack dump output
xtensa: make __pa work with uncached KSEG addresses
misc msm fixes.
* 'msm-fixes-4.11-rc6' of git://people.freedesktop.org/~robclark/linux:
drm/msm: Make sure to detach the MMU during GPU cleanup
drm/msm/hdmi: redefinitions of macros not required
drm/msm/mdp5: Update SSPP_MAX value
drm/msm/dsi: Fix bug in dsi_mgr_phy_enable
drm/msm: Don't allow zero sized buffer objects
drm/msm: Fix wrong pointer check in a5xx_destroy
drm/msm: adreno: fix build error without debugfs
This patch is to move sctp_transport_dst_check into sctp_packet_config
from sctp_packet_transmit and add pathmtu check in sctp_packet_config.
With this fix, sctp can update dst or pathmtu before appending chunks,
which can void dropping packets in sctp_packet_transmit when dst is
obsolete or dst's mtu is changed.
This patch is also to improve some other codes in sctp_packet_config.
It updates packet max_size with gso_max_size, checks for dst and
pathmtu, and appends ecne chunk only when packet is empty and asoc
is not NULL.
It makes sctp flush work better, as we only need to set up them once
for one flush schedule. It's also safe, since asoc is NULL only when
the packet is created by sctp_ootb_pkt_new in which it just gets the
new dst, no need to do more things for it other than set packet with
transport's pathmtu.
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The last argument to __skb_header_pointer() should be a buffer large
enough to store struct arphdr. This can be a pointer to a struct arphdr
structure. The code was previously using a pointer to a pointer to
struct arphdr.
By my counting the storage available both before and after is 8 bytes on
x86_64.
Fixes: 55733350e5 ("flow disector: ARP support")
Reported-by: Nicolas Iooss <nicolas.iooss_linux@m4x.org>
Signed-off-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
We should be detaching the MMU before destroying the address
space. To do this cleanly, the detach has to happen in
adreno_gpu_cleanup() because it needs access to structs
in adreno_gpu.c. Plus it is better symmetry to have
the attach and detach at the same code level.
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
4 macros already defined in hdmi.h,
which is not required to redefine in hdmi_audio.c
Signed-off-by: Vinay Simha BN <simhavcs@gmail.com>
Signed-off-by: Rob Clark <robdclark@gmail.com>
'SSPP_MAX + 1' is the max number of hwpipes that can be present on a
MDP5 platform. Recently, 2 new cursor hwpipes were added, which
caused overflows in arrays that used SSPP_MAX to represent the number
of elements. Update the SSPP_MAX value to incorporate the extra
hwpipes.
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
A recent commit introduces a bug in dsi_mgr_phy_enable. In the non
dual DSI mode, we reset the mdsi (master DSI) PHY. This isn't right
since master and slave DSI exist only in dual DSI mode. For the normal
mode of operation, we should simply reset the PHY of the DSI device
(i.e. msm_dsi) corresponding to the current bridge.
Usage of the wrong DSI pointer also resulted in a static checker
warning. That too is resolved with this fix.
Fixes: b62aa70a98 (drm/msm/dsi: Move PHY operations out of host)
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: Archit Taneja <architt@codeaurora.org>
Reviewed-by: Rob Clark <robdclark@gmail.com>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Zero sized buffer objects tend to make various bits of the GEM
infrastructure complain:
WARNING: CPU: 1 PID: 2323 at drivers/gpu/drm/drm_mm.c:389 drm_mm_insert_node_generic+0x258/0x2f0
Modules linked in:
CPU: 1 PID: 2323 Comm: drm-api-test Tainted: G W 4.9.0-rc4-00906-g693af44 #213
Hardware name: Qualcomm Technologies, Inc. DB820c (DT)
task: ffff8000d7353400 task.stack: ffff8000d7720000
PC is at drm_mm_insert_node_generic+0x258/0x2f0
LR is at drm_vma_offset_add+0x4c/0x70
Zero sized buffers serve no appreciable value to the user so disallow
them at create time.
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Instead of checking for a5xx_gpu->gpmu_iova during destroy we
accidently check a5xx_gpu->gpmu_bo.
Signed-off-by: Jordan Crouse <jcrouse@codeaurora.org>
Signed-off-by: Rob Clark <robdclark@gmail.com>
The newly added a5xx support fails to build when debugfs is diabled:
drivers/gpu/drm/msm/adreno/a5xx_gpu.c:849:4: error: 'struct msm_gpu_funcs' has no member named 'show'
drivers/gpu/drm/msm/adreno/a5xx_gpu.c:849:11: error: 'a5xx_show' undeclared here (not in a function); did you mean 'a5xx_irq'?
This adds a missing #ifdef.
Fixes: b5f103ab98 ("drm/msm: gpu: Add A5XX target support")
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Rob Clark <robdclark@gmail.com>
Pull s390 fixes from Martin Schwidefsky:
"Four bug fixes, two of them for stable:
- avoid initrd corruptions in the kernel decompressor
- prevent inconsistent dumps if the boot CPU does not have address
zero
- fix the new pkey interface added with the merge window for 4.11
- a fix for a fix, another issue with user copy zero padding"
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/s390/linux:
s390/uaccess: get_user() should zero on failure (again)
s390/pkey: Fix wrong handling of secure key with old MKVP
s390/smp: fix ipl from cpu with non-zero address
s390/decompressor: fix initrd corruption caused by bss clear
Pull RAS fix from Thomas Gleixner:
"Prevent dmesg from being spammed when MCE logging is active"
* 'ras-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/mce: Don't print MCEs when mcelog is active
Make sure to reserve the boot memory for the flattened device tree.
Otherwise it might get overwritten, e.g. when initial_boot_params is
copied, leading to a corrupted FDT and a boot hang/crash:
bootconsole [early0] enabled
Early console on uart16650 initialized at 0xf8001600
OF: fdt: Error -11 processing FDT
Kernel panic - not syncing: setup_cpuinfo: No CPU found in devicetree!
---[ end Kernel panic - not syncing: setup_cpuinfo: No CPU found in devicetree!
Guenter Roeck says:
> I think I found the problem. In unflatten_and_copy_device_tree(), with added
> debug information:
>
> OF: fdt: initial_boot_params=c861e400, dt=c861f000 size=28874 (0x70ca)
>
> ... and then initial_boot_params is copied to dt, which results in corrupted
> fdt since the memory overlaps. Looks like the initial_boot_params memory
> is not reserved and (re-)allocated by early_init_dt_alloc_memory_arch().
Cc: stable@vger.kernel.org
Reported-by: Guenter Roeck <linux@roeck-us.net>
Reference: http://lkml.kernel.org/r/20170226210338.GA19476@roeck-us.net
Tested-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Tobias Klauser <tklauser@distanz.ch>
Acked-by: Ley Foon Tan <ley.foon.tan@intel.com>
In case, if TX watchdog is fired some or all netdev TX queues will be
stopped and as part of recovery it is required not only to drain and
reinitailize CPSW TX channeles, but also wake up stoppted TX queues what
doesn't happen now and netdevice will stop transmiting data until
reopenned.
Hence, add netif_tx_wake_all_queues() call in .ndo_tx_timeout() to complete
recovery and restore TX path.
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Couple of minor fixes for 4.11
- array bound fix for __get_unmap_pool()
- cyclic period splitting for bcm2835
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJY4L1bAAoJEHwUBw8lI4NHoI4P/j+t5ZiMd9LgBaEWrkQRJd0j
RiTD2ub93XRaMGCCTG9mpKy6QJ18T2Hma8e73sW6+kxG0KPP7JldvK395cO9pTgb
R0CktSA72HPlUyy+OSg5OeB9T3pdcOfwv/RuD1g4TfEyknGVTWXKd4u/v5Lupn/y
UTWIhsd/0VlIIIEKlaoelG0UsK92rqAc3dnjdVzx102XuZZYBStZxP7j7Jnuep4y
O4BNLq64/og5X8VvSGjvzkzV83X+JFxPLk1sVrcmChzttOjKWRZkTssiR6DH5qni
pz7WI3fxDFgJJwLSejAfhHo+wOwaezytymlVmfViAfDQLgDG8hrt/if1meBffrg6
VpumHcgKiDfPanji1fauC2DK9QFZZ0NuT0DXsL07csVFbqRndFp3qIhDGHy00z4k
r2MrFiGcuA5LEQotha3VKD0Z5HjeOOUKCj9hacZAuCXNUohX8KX6Yietc7oEIWco
WCodC6vQ3yICPI4bS9dUIkJRkI1qJoB5f5cVcl9NaMybXza/mvyeI7yIOWgoRBvf
O0bh1j8sxeyYyfsJ8DZ+NI3uBKm5+iMb6VsVWrso+O8+0sH3f+s8wZkemMDWCBMv
V1kx5ZVKJ+7qw4OLOm6tlom8WGdvYQAQjYoLT0Zh9yXc5CQUfpwk4tZ0WOnsoVIi
vIJGh6uu3S1rXOTeGXJR
=bNTJ
-----END PGP SIGNATURE-----
Merge tag 'dmaengine-fix-4.11-rc5' of git://git.infradead.org/users/vkoul/slave-dma
Pull dmaengine fixes from Vinod Koul:
"A couple of minor fixes for 4.11:
- array bound fix for __get_unmap_pool()
- cyclic period splitting for bcm2835"
* tag 'dmaengine-fix-4.11-rc5' of git://git.infradead.org/users/vkoul/slave-dma:
dmaengine: Fix array index out of bounds warning in __get_unmap_pool()
dmaengine: bcm2835: Fix cyclic DMA period splitting
Pull x86 fixes from Thomas Gleixner:
"This update provides:
- prevent KASLR from randomizing EFI regions
- restrict the usage of -maccumulate-outgoing-args and document when
and why it is required.
- make the Global Physical Address calculation for UV4 systems work
correctly.
- address a copy->paste->forgot-edit problem in the MCE exception
table entries.
- assign a name to AMD MCA bank 3, so the sysfs file registration
works.
- add a missing include in the boot code"
* 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
x86/boot: Include missing header file
x86/mce/AMD: Give a name to MCA bank 3 when accessed with legacy MSRs
x86/build: Mostly disable '-maccumulate-outgoing-args'
x86/mm/KASLR: Exclude EFI region from KASLR VA space randomization
x86/mce: Fix copy/paste error in exception table entries
x86/platform/uv: Fix calculation of Global Physical Address
Pull scheduler fixes from Thomas Gleixner:
"This update provides:
- make the scheduler clock switch to unstable mode smooth so the
timestamps stay at microseconds granularity instead of switching to
tick granularity.
- unbreak perf test tsc by taking the new offset into account which
was added in order to proveide better sched clock continuity
- switching sched clock to unstable mode runs all clock related
computations which affect the sched clock output itself from a work
queue. In case of preemption sched clock uses half updated data and
provides wrong timestamps. Keep the math in the protected context
and delegate only the static key switch to workqueue context.
- remove a duplicate header include"
* 'sched-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
sched/headers: Remove duplicate #include <linux/sched/debug.h> line
sched/clock: Fix broken stable to unstable transfer
sched/clock, x86/perf: Fix "perf test tsc"
sched/clock: Fix clear_sched_clock_stable() preempt wobbly
Pull EFI fix from Thomas Gleixner:
"Downgrade the missing ESRT header printk to warning level and remove a
useless error printk which just generates noise for no value"
* 'efi-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
efi/esrt: Cleanup bad memory map log messages
Pull timer fixes from Thomas Gleixner:
"Two small fixes for the new CLKEVT_OF infrastructure"
* 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
vmlinux.lds: Add __clkevt_of_table to kernel
clockevents: Fix syntax error in clkevt-of macro
Pull irq fixes from Thomas Gleixner:
"Two small fixlets:
- select a required Kconfig to make the MVEBU driver compile
- add the missing MIPS local GIC interrupts which prevent drivers to
probe successfully"
* 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
irqchip/mips-gic: Fix Local compare interrupt
irqchip/mvebu-odmi: Select GENERIC_MSI_IRQ_DOMAIN
Pull core fix from Thomas Gleixner:
"Prevent leaking kernel memory via /proc/$pid/syscall when the queried
task is not in a syscall"
* 'core-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip:
lib/syscall: Clear return values when no stack
Fixes the mess observed in e.g. rsync over a noisy link we'd been
seeing since last Summer. What happens is that we copy part of
a datagram before noticing a checksum mismatch. Datagram will be
resent, all right, but we want the next try go into the same place,
not after it...
All this family of primitives (copy/checksum and copy a datagram
into destination) is "all or nothing" sort of interface - either
we get 0 (meaning that copy had been successful) or we get an
error (and no way to tell how much had been copied before we ran
into whatever error it had been). Make all of them leave iterator
unadvanced in case of errors - all callers must be able to cope
with that (an error might've been caught before the iterator had
been advanced), it costs very little to arrange, it's safer for
callers and actually fixes at least one bug in said callers.
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
opposite to iov_iter_advance(); the caller is responsible for never
using it to move back past the initial position.
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Guillaume Nault says:
====================
l2tp: fix usage of l2tp_session_find()
l2tp_session_find() doesn't take a reference on the session returned to
its caller. Virtually all l2tp_session_find() users are racy, either
because the session can disappear from under them or because they take
a reference too late. This leads to bugs like 'use after free' or
failure to notice duplicate session creations.
In some cases, taking a reference on the session is not enough. The
special callbacks .ref() and .deref() also have to be called in cases
where the PPP pseudo-wire uses the socket associated with the session.
Therefore, when looking up a session, we also have to pass a flag
indicating if the .ref() callback has to be called.
In the future, we probably could drop the .ref() and .deref() callbacks
entirely by protecting the .sock field of struct pppol2tp_session with
RCU, thus allowing it to be freed and set to NULL even if the L2TP
session is still alive.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Callers of l2tp_nl_session_find() need to hold a reference on the
returned session since there's no guarantee that it isn't going to
disappear from under them.
Relying on the fact that no l2tp netlink message may be processed
concurrently isn't enough: sessions can be deleted by other means
(e.g. by closing the PPPOL2TP socket of a ppp pseudowire).
l2tp_nl_cmd_session_delete() is a bit special: it runs a callback
function that may require a previous call to session->ref(). In
particular, for ppp pseudowires, the callback is l2tp_session_delete(),
which then calls pppol2tp_session_close() and dereferences the PPPOL2TP
socket. The socket might already be gone at the moment
l2tp_session_delete() calls session->ref(), so we need to take a
reference during the session lookup. So we need to pass the do_ref
variable down to l2tp_session_get() and l2tp_session_get_by_ifname().
Since all callers have to be updated, l2tp_session_find_by_ifname() and
l2tp_nl_session_find() are renamed to reflect their new behaviour.
Fixes: 309795f4be ("l2tp: Add netlink control API for L2TP")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
l2tp_session_find() doesn't take any reference on the returned session.
Therefore, the session may disappear while sending the notification.
Use l2tp_session_get() instead and decrement session's refcount once
the notification is sent.
Fixes: 33f72e6f0c ("l2tp : multicast notification to the registered listeners")
Signed-off-by: Guillaume Nault <g.nault@alphalink.fr>
Signed-off-by: David S. Miller <davem@davemloft.net>
Oliver Neukum