1. 11 Jul, 2016 40 commits
    • Arnd Bergmann's avatar
      ASoC: s3c24xx: use const snd_soc_component_driver pointer · 0cbc7967
      Arnd Bergmann authored
      [ Upstream commit ba4bc32e ]
      
      An older patch to convert the API in the s3c i2s driver
      ended up passing a const pointer into a function that takes
      a non-const pointer, so we now get a warning:
      
      sound/soc/samsung/s3c2412-i2s.c: In function 's3c2412_iis_dev_probe':
      sound/soc/samsung/s3c2412-i2s.c:172:9: error: passing argument 3 of 's3c_i2sv2_register_component' discards 'const' qualifier from pointer target type [-Werror=discarded-qualifiers]
      
      However, the s3c_i2sv2_register_component() function again
      passes the pointer into another function taking a const, so
      we just need to change its prototype.
      
      Fixes: eca3b01d ("ASoC: switch over to use snd_soc_register_component() on s3c i2s")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Reviewed-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarMark Brown <broonie@kernel.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0cbc7967
    • Javier Martinez Canillas's avatar
      i2c: exynos5: Fix possible ABBA deadlock by keeping I2C clock prepared · 44783088
      Javier Martinez Canillas authored
      [ Upstream commit 10ff4c52 ]
      
      The exynos5 I2C controller driver always prepares and enables a clock
      before using it and then disables unprepares it when the clock is not
      used anymore.
      
      But this can cause a possible ABBA deadlock in some scenarios since a
      driver that uses regmap to access its I2C registers, will first grab
      the regmap lock and then the I2C xfer function will grab the prepare
      lock when preparing the I2C clock. But since the clock driver also
      uses regmap for I2C accesses, preparing a clock will first grab the
      prepare lock and then the regmap lock when using the regmap API.
      
      An example of this happens on the Exynos5422 Odroid XU4 board where a
      s2mps11 PMIC is used and both the s2mps11 regulators and clk drivers
      share the same I2C regmap.
      
      The possible deadlock is reported by the kernel lockdep:
      
        Possible unsafe locking scenario:
      
              CPU0                    CPU1
              ----                    ----
         lock(sec_core:428:(regmap)->lock);
                                      lock(prepare_lock);
                                      lock(sec_core:428:(regmap)->lock);
         lock(prepare_lock);
      
        *** DEADLOCK ***
      
      Fix it by leaving the code prepared on probe and use {en,dis}able in
      the I2C transfer function.
      
      This patch is similar to commit 34e81ad5 ("i2c: s3c2410: fix ABBA
      deadlock by keeping clock prepared") that fixes the same bug in other
      driver for an I2C controller found in Samsung SoCs.
      Reported-by: default avatarAnand Moon <linux.amoon@gmail.com>
      Signed-off-by: default avatarJavier Martinez Canillas <javier@osg.samsung.com>
      Reviewed-by: default avatarAnand Moon <linux.amoon@gmail.com>
      Reviewed-by: default avatarKrzysztof Kozlowski <k.kozlowski@samsung.com>
      Signed-off-by: default avatarWolfram Sang <wsa@the-dreams.de>
      Cc: stable@kernel.org
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      44783088
    • Ville Syrjälä's avatar
      drm/i915: Cleanup phys status page too · be109716
      Ville Syrjälä authored
      [ Upstream commit 7d3fdfff ]
      
      Restore the lost phys status page cleanup.
      
      Fixes the following splat with DMA_API_DEBUG=y:
      
      WARNING: CPU: 0 PID: 21615 at ../lib/dma-debug.c:974 dma_debug_device_change+0x190/0x1f0()
      pci 0000:00:02.0: DMA-API: device driver has pending DMA allocations while released from device [count=1]
                     One of leaked entries details: [device address=0x0000000023163000] [size=4096 bytes] [mapped with DMA_BIDIRECTIONAL] [mapped as coherent]
      Modules linked in: i915(-) i2c_algo_bit drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops drm sha256_generic hmac drbg ctr ccm sch_fq_codel binfmt_misc joydev mousedev arc4 ath5k iTCO_wdt mac80211 smsc_ircc2 ath snd_intel8x0m snd_intel8x0 snd_ac97_codec ac97_bus psmouse snd_pcm input_leds i2c_i801 pcspkr snd_timer cfg80211 snd soundcore i2c_core ehci_pci firewire_ohci ehci_hcd firewire_core lpc_ich 8139too rfkill crc_itu_t mfd_core mii usbcore rng_core intel_agp intel_gtt usb_common agpgart irda crc_ccitt fujitsu_laptop led_class parport_pc video parport evdev backlight
      CPU: 0 PID: 21615 Comm: rmmod Tainted: G     U          4.4.0-rc4-mgm-ovl+ #4
      Hardware name: FUJITSU SIEMENS LIFEBOOK S6120/FJNB16C, BIOS Version 1.26  05/10/2004
       e31a3de0 e31a3de0 e31a3d9c c128d4bd e31a3dd0 c1045a0c c15e00c4 e31a3dfc
       0000546f c15dfad2 000003ce c12b3740 000003ce c12b3740 00000000 00000001
       f61fb8a0 e31a3de8 c1045a83 00000009 e31a3de0 c15e00c4 e31a3dfc e31a3e4c
      Call Trace:
       [<c128d4bd>] dump_stack+0x16/0x19
       [<c1045a0c>] warn_slowpath_common+0x8c/0xd0
       [<c12b3740>] ? dma_debug_device_change+0x190/0x1f0
       [<c12b3740>] ? dma_debug_device_change+0x190/0x1f0
       [<c1045a83>] warn_slowpath_fmt+0x33/0x40
       [<c12b3740>] dma_debug_device_change+0x190/0x1f0
       [<c1065499>] notifier_call_chain+0x59/0x70
       [<c10655af>] __blocking_notifier_call_chain+0x3f/0x80
       [<c106560f>] blocking_notifier_call_chain+0x1f/0x30
       [<c134cfb3>] __device_release_driver+0xc3/0xf0
       [<c134d0d7>] driver_detach+0x97/0xa0
       [<c134c440>] bus_remove_driver+0x40/0x90
       [<c134db18>] driver_unregister+0x28/0x60
       [<c1079e8c>] ? trace_hardirqs_on_caller+0x12c/0x1d0
       [<c12c0618>] pci_unregister_driver+0x18/0x80
       [<f83e96e7>] drm_pci_exit+0x87/0xb0 [drm]
       [<f8b3be2d>] i915_exit+0x1b/0x1ee [i915]
       [<c10b999c>] SyS_delete_module+0x14c/0x210
       [<c1079e8c>] ? trace_hardirqs_on_caller+0x12c/0x1d0
       [<c115a9bd>] ? ____fput+0xd/0x10
       [<c1002014>] do_fast_syscall_32+0xa4/0x450
       [<c149f6fa>] sysenter_past_esp+0x3b/0x5d
      ---[ end trace c2ecbc77760f10a0 ]---
      Mapped at:
       [<c12b3183>] debug_dma_alloc_coherent+0x33/0x90
       [<f83e989c>] drm_pci_alloc+0x18c/0x1e0 [drm]
       [<f8acd59f>] intel_init_ring_buffer+0x2af/0x490 [i915]
       [<f8acd8b0>] intel_init_render_ring_buffer+0x130/0x750 [i915]
       [<f8aaea4e>] i915_gem_init_rings+0x1e/0x110 [i915]
      
      v2: s/BUG_ON/WARN_ON/ since dim doens't like the former anymore
      
      Cc: Chris Wilson <chris@chris-wilson.co.uk>
      Fixes: 5c6c6003 ("drm/i915: Remove DRI1 ring accessors and API")
      Signed-off-by: default avatarVille Syrjälä <ville.syrjala@linux.intel.com>
      Reviewed-by: Chris Wilson <chris@chris-wilson.co.uk> (v1)
      Link: http://patchwork.freedesktop.org/patch/msgid/1452538112-5331-1-git-send-email-ville.syrjala@linux.intel.comReviewed-by: default avatarDaniel Vetter <daniel.vetter@ffwll.ch>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      be109716
    • Keerthy's avatar
      pinctrl: single: Fix pcs_parse_bits_in_pinctrl_entry to use __ffs than ffs · 4e57736d
      Keerthy authored
      [ Upstream commit 56b367c0 ]
      
      pcs_parse_bits_in_pinctrl_entry uses ffs which gives bit indices
      ranging from 1 to MAX. This leads to a corner case where we try to request
      the pin number = MAX and fails.
      
      bit_pos value is being calculted using ffs. pin_num_from_lsb uses
      bit_pos value. pins array is populated with:
      
      pin + pin_num_from_lsb.
      
      The above is 1 more than usual bit indices as bit_pos uses ffs to compute
      first set bit. Hence the last of the pins array is populated with the MAX
      value and not MAX - 1 which causes error when we call pin_request.
      
      mask_pos is rightly calculated as ((pcs->fmask) << (bit_pos - 1))
      Consequently val_pos and submask are correct.
      
      Hence use __ffs which gives (ffs(x) - 1) as the first bit set.
      
      fixes: 4e7e8017 ("pinctrl: pinctrl-single: enhance to configure multiple pins of different modules")
      Signed-off-by: default avatarKeerthy <j-keerthy@ti.com>
      Acked-by: default avatarTony Lindgren <tony@atomide.com>
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      4e57736d
    • Arnd Bergmann's avatar
      xen kconfig: don't "select INPUT_XEN_KBDDEV_FRONTEND" · 37257413
      Arnd Bergmann authored
      [ Upstream commit 13aa38e2 ]
      
      The Xen framebuffer driver selects the xen keyboard driver, so the latter
      will be built-in if XEN_FBDEV_FRONTEND=y. However, when CONFIG_INPUT
      is a loadable module, this configuration cannot work. On mainline kernels,
      the symbol will be enabled but not used, while in combination with
      a patch I have to detect such useless configurations, we get the
      expected link failure:
      
      drivers/input/built-in.o: In function `xenkbd_remove':
      xen-kbdfront.c:(.text+0x2f0): undefined reference to `input_unregister_device'
      xen-kbdfront.c:(.text+0x30e): undefined reference to `input_unregister_device'
      
      This removes the extra "select", as it just causes more trouble than
      it helps. In theory, some defconfig file might break if it has
      XEN_FBDEV_FRONTEND in it but not INPUT_XEN_KBDDEV_FRONTEND. The Kconfig
      fragment we ship in the kernel (kernel/configs/xen.config) however
      already enables both, and anyone using an old .config file would
      keep having both enabled.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Suggested-by: default avatarDavid Vrabel <david.vrabel@citrix.com>
      Fixes: 36c1132e ("xen kconfig: fix select INPUT_XEN_KBDDEV_FRONTEND")
      Acked-by: default avatarStefano Stabellini <stefano.stabellini@eu.citrix.com>
      Signed-off-by: default avatarTomi Valkeinen <tomi.valkeinen@ti.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      37257413
    • Stephen Boyd's avatar
      Input: pmic8xxx-pwrkey - fix algorithm for converting trigger delay · e9f20ca8
      Stephen Boyd authored
      [ Upstream commit eda5ecc0 ]
      
      The trigger delay algorithm that converts from microseconds to
      the register value looks incorrect. According to most of the PMIC
      documentation, the equation is
      
      	delay (Seconds) = (1 / 1024) * 2 ^ (x + 4)
      
      except for one case where the documentation looks to have a
      formatting issue and the equation looks like
      
      	delay (Seconds) = (1 / 1024) * 2 x + 4
      
      Most likely this driver was written with the improper
      documentation to begin with. According to the downstream sources
      the valid delays are from 2 seconds to 1/64 second, and the
      latter equation just doesn't make sense for that. Let's fix the
      algorithm and the range check to match the documentation and the
      downstream sources.
      Reported-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Fixes: 92d57a73 ("input: Add support for Qualcomm PMIC8XXX power key")
      Signed-off-by: default avatarStephen Boyd <sboyd@codeaurora.org>
      Tested-by: default avatarJohn Stultz <john.stultz@linaro.org>
      Acked-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Signed-off-by: default avatarDmitry Torokhov <dmitry.torokhov@gmail.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      e9f20ca8
    • Anton Blanchard's avatar
      powerpc: Update TM user feature bits in scan_features() · f49eb503
      Anton Blanchard authored
      [ Upstream commit 4705e024 ]
      
      We need to update the user TM feature bits (PPC_FEATURE2_HTM and
      PPC_FEATURE2_HTM) to mirror what we do with the kernel TM feature
      bit.
      
      At the moment, if firmware reports TM is not available we turn off
      the kernel TM feature bit but leave the userspace ones on. Userspace
      thinks it can execute TM instructions and it dies trying.
      
      This (together with a QEMU patch) fixes PR KVM, which doesn't currently
      support TM.
      Signed-off-by: default avatarAnton Blanchard <anton@samba.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f49eb503
    • Davidlohr Bueso's avatar
      futex: Acknowledge a new waiter in counter before plist · 0ee1b6db
      Davidlohr Bueso authored
      [ Upstream commit fe1bce9e ]
      
      Otherwise an incoming waker on the dest hash bucket can miss
      the waiter adding itself to the plist during the lockless
      check optimization (small window but still the correct way
      of doing this); similarly to the decrement counterpart.
      Suggested-by: default avatarPeter Zijlstra <peterz@infradead.org>
      Signed-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Cc: Davidlohr Bueso <dave@stgolabs.net>
      Cc: bigeasy@linutronix.de
      Cc: dvhart@infradead.org
      Cc: stable@kernel.org
      Link: http://lkml.kernel.org/r/1461208164-29150-1-git-send-email-dave@stgolabs.netSigned-off-by: default avatarThomas Gleixner <tglx@linutronix.de>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      0ee1b6db
    • Michal Kazior's avatar
      mac80211: fix txq queue related crashes · 17e8cd1e
      Michal Kazior authored
      [ Upstream commit 2a58d42c ]
      
      The driver can access the queue simultanously
      while mac80211 tears down the interface. Without
      spinlock protection this could lead to corrupting
      sk_buff_head and subsequently to an invalid
      pointer dereference.
      
      Fixes: ba8c3d6f ("mac80211: add an intermediate software queue implementation")
      Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      17e8cd1e
    • Michal Kazior's avatar
      mac80211: fix unnecessary frame drops in mesh fwding · 193517ef
      Michal Kazior authored
      [ Upstream commit cf440128 ]
      
      The ieee80211_queue_stopped() expects hw queue
      number but it was given raw WMM AC number instead.
      
      This could cause frame drops and problems with
      traffic in some cases - most notably if driver
      doesn't map AC numbers to queue numbers 1:1 and
      uses ieee80211_stop_queues() and
      ieee80211_wake_queue() only without ever calling
      ieee80211_wake_queues().
      
      On ath10k it was possible to hit this problem in
      the following case:
      
        1. wlan0 uses queue 0
           (ath10k maps queues per vif)
        2. offchannel uses queue 15
        3. queues 1-14 are unused
        4. ieee80211_stop_queues()
        5. ieee80211_wake_queue(q=0)
        6. ieee80211_wake_queue(q=15)
           (other queues are not woken up because both
            driver and mac80211 know other queues are
            unused)
        7. ieee80211_rx_h_mesh_fwding()
        8. ieee80211_select_queue_80211() returns 2
        9. ieee80211_queue_stopped(q=2) returns true
       10. frame is dropped (oops!)
      
      Fixes: d3c1597b ("mac80211: fix forwarded mesh frame queue mapping")
      Signed-off-by: default avatarMichal Kazior <michal.kazior@tieto.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      193517ef
    • Sara Sharon's avatar
      mac80211: fix ibss scan parameters · bd6b2f89
      Sara Sharon authored
      [ Upstream commit d321cd01 ]
      
      When joining IBSS a full scan should be initiated in order to search
      for existing cell, unless the fixed_channel parameter was set.
      A default channel to create the IBSS on if no cell was found is
      provided as well.
      However - a scan is initiated only on the default channel provided
      regardless of whether ifibss->fixed_channel is set or not, with the
      obvious result of the cell not joining existing IBSS cell that is
      on another channel.
      
      Fixes: 76bed0f4 ("mac80211: IBSS fix scan request")
      Signed-off-by: default avatarSara Sharon <sara.sharon@intel.com>
      Signed-off-by: default avatarEmmanuel Grumbach <emmanuel.grumbach@intel.com>
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      bd6b2f89
    • Arnd Bergmann's avatar
      mac80211: avoid excessive stack usage in sta_info · 6c59578f
      Arnd Bergmann authored
      [ Upstream commit 0ef049dc ]
      
      When CONFIG_OPTIMIZE_INLINING is set, the sta_info_insert_finish
      function consumes more stack than normally, exceeding the
      1024 byte limit on ARM:
      
      net/mac80211/sta_info.c: In function 'sta_info_insert_finish':
      net/mac80211/sta_info.c:561:1: error: the frame size of 1080 bytes is larger than 1024 bytes [-Werror=frame-larger-than=]
      
      It turns out that there are two functions that put a 'struct station_info'
      on the stack: __sta_info_destroy_part2 and sta_info_insert_finish, and
      this structure alone requires up to 792 bytes.
      
      Hoping that both are called rarely enough, this replaces the
      on-stack structure with a dynamic allocation, which unfortunately
      requires some suboptimal error handling for out-of-memory.
      
      The __sta_info_destroy_part2 function is actually affected by the
      stack usage twice because it calls cfg80211_del_sta_sinfo(), which
      has another instance of struct station_info on its stack.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 98b62183 ("mac80211/cfg80211: add station events")
      Fixes: 6f7a8d26 ("mac80211: send statistics with delete station event")
      Signed-off-by: default avatarJohannes Berg <johannes.berg@intel.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6c59578f
    • Laurent Pinchart's avatar
      [media] v4l: vsp1: Set the SRU CTRL0 register when starting the stream · f46752f2
      Laurent Pinchart authored
      [ Upstream commit f6acfcdc ]
      
      Commit 58f896d8 ("[media] v4l: vsp1: sru: Make the intensity
      controllable during streaming") refactored the stream start code and
      removed the SRU CTRL0 register write by mistake. Add it back.
      
      Fixes: 58f896d8 ("[media] v4l: vsp1: sru: Make the intensity controllable during streaming")
      Signed-off-by: default avatarLaurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      f46752f2
    • Philipp Zabel's avatar
      [media] coda: fix error path in case of missing pdata on non-DT platform · 80a3bf1c
      Philipp Zabel authored
      [ Upstream commit bc717d5e ]
      
      If we bail out this early, v4l2_device_register() has not been called
      yet, so no need to call v4l2_device_unregister().
      
      Fixes: b7bd660a ("[media] coda: Call v4l2_device_unregister() from a single location")
      Reported-by: default avatarMichael Olbrich <m.olbrich@pengutronix.de>
      Signed-off-by: default avatarPhilipp Zabel <p.zabel@pengutronix.de>
      Reviewed-by: default avatarFabio Estevam <fabio.estevam@nxp.com>
      Signed-off-by: default avatarMauro Carvalho Chehab <mchehab@osg.samsung.com>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      80a3bf1c
    • Linus Walleij's avatar
      pinctrl: nomadik: fix pull debug print inversion · 921aa6dd
      Linus Walleij authored
      [ Upstream commit 6ee33455 ]
      
      Pull up was reported as pull down and vice versa. Fix this.
      
      Fixes: 8f1774a2 "pinctrl: nomadik: improve GPIO debug prints"
      Signed-off-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      921aa6dd
    • Thadeu Lima de Souza Cascardo's avatar
      ip6_tunnel: set rtnl_link_ops before calling register_netdevice · 80618333
      Thadeu Lima de Souza Cascardo authored
      [ Upstream commit b6ee376c ]
      
      When creating an ip6tnl tunnel with ip tunnel, rtnl_link_ops is not set
      before ip6_tnl_create2 is called. When register_netdevice is called, there
      is no linkinfo attribute in the NEWLINK message because of that.
      
      Setting rtnl_link_ops before calling register_netdevice fixes that.
      
      Fixes: 0b112457 ("ip6tnl: add support of link creation via rtnl")
      Signed-off-by: default avatarThadeu Lima de Souza Cascardo <cascardo@redhat.com>
      Acked-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      80618333
    • Haishuang Yan's avatar
      ipv6: l2tp: fix a potential issue in l2tp_ip6_recv · 1d8ad31a
      Haishuang Yan authored
      [ Upstream commit be447f30 ]
      
      pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
      right place.
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1d8ad31a
    • Haishuang Yan's avatar
      ipv4: l2tp: fix a potential issue in l2tp_ip_recv · a9c51077
      Haishuang Yan authored
      [ Upstream commit 5745b823 ]
      
      pskb_may_pull() can change skb->data, so we have to load ptr/optr at the
      right place.
      Signed-off-by: default avatarHaishuang Yan <yanhaishuang@cmss.chinamobile.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a9c51077
    • Nicolas Dichtel's avatar
      rtnl: fix msg size calculation in if_nlmsg_size() · 5e6a091f
      Nicolas Dichtel authored
      [ Upstream commit c57c7a95 ]
      
      Size of the attribute IFLA_PHYS_PORT_NAME was missing.
      
      Fixes: db24a904 ("net: add support for phys_port_name")
      CC: David Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarNicolas Dichtel <nicolas.dichtel@6wind.com>
      Acked-by: default avatarDavid Ahern <dsahern@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5e6a091f
    • Eric Dumazet's avatar
      ipv6: udp: fix UDP_MIB_IGNOREDMULTI updates · b95228fd
      Eric Dumazet authored
      [ Upstream commit 2d421226 ]
      
      IPv6 counters updates use a different macro than IPv4.
      
      Fixes: 36cbb245 ("udp: Increment UDP_MIB_IGNOREDMULTI for arriving unmatched multicasts")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Rick Jones <rick.jones2@hp.com>
      Cc: Willem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      b95228fd
    • Bjørn Mork's avatar
      qmi_wwan: add "D-Link DWM-221 B1" device id · 95e4695b
      Bjørn Mork authored
      [ Upstream commit e84810c7 ]
      
      Thomas reports:
      "Windows:
      
      00 diagnostics
      01 modem
      02 at-port
      03 nmea
      04 nic
      
      Linux:
      
      T:  Bus=02 Lev=01 Prnt=01 Port=03 Cnt=01 Dev#=  4 Spd=480 MxCh= 0
      D:  Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs=  1
      P:  Vendor=2001 ProdID=7e19 Rev=02.32
      S:  Manufacturer=Mobile Connect
      S:  Product=Mobile Connect
      S:  SerialNumber=0123456789ABCDEF
      C:  #Ifs= 6 Cfg#= 1 Atr=a0 MxPwr=500mA
      I:  If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
      I:  If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=00 Driver=option
      I:  If#= 4 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=qmi_wwan
      I:  If#= 5 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage"
      Reported-by: default avatarThomas Schäfer <tschaefer@t-online.de>
      Signed-off-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      95e4695b
    • subashab@codeaurora.org's avatar
      xfrm: Fix crash observed during device unregistration and decryption · a2359773
      subashab@codeaurora.org authored
      [ Upstream commit 071d36bf ]
      
      A crash is observed when a decrypted packet is processed in receive
      path. get_rps_cpus() tries to dereference the skb->dev fields but it
      appears that the device is freed from the poison pattern.
      
      [<ffffffc000af58ec>] get_rps_cpu+0x94/0x2f0
      [<ffffffc000af5f94>] netif_rx_internal+0x140/0x1cc
      [<ffffffc000af6094>] netif_rx+0x74/0x94
      [<ffffffc000bc0b6c>] xfrm_input+0x754/0x7d0
      [<ffffffc000bc0bf8>] xfrm_input_resume+0x10/0x1c
      [<ffffffc000ba6eb8>] esp_input_done+0x20/0x30
      [<ffffffc0000b64c8>] process_one_work+0x244/0x3fc
      [<ffffffc0000b7324>] worker_thread+0x2f8/0x418
      [<ffffffc0000bb40c>] kthread+0xe0/0xec
      
      -013|get_rps_cpu(
           |    dev = 0xFFFFFFC08B688000,
           |    skb = 0xFFFFFFC0C76AAC00 -> (
           |      dev = 0xFFFFFFC08B688000 -> (
           |        name =
      "......................................................
           |        name_hlist = (next = 0xAAAAAAAAAAAAAAAA, pprev =
      0xAAAAAAAAAAA
      
      Following are the sequence of events observed -
      
      - Encrypted packet in receive path from netdevice is queued
      - Encrypted packet queued for decryption (asynchronous)
      - Netdevice brought down and freed
      - Packet is decrypted and returned through callback in esp_input_done
      - Packet is queued again for process in network stack using netif_rx
      
      Since the device appears to have been freed, the dereference of
      skb->dev in get_rps_cpus() leads to an unhandled page fault
      exception.
      
      Fix this by holding on to device reference when queueing packets
      asynchronously and releasing the reference on call back return.
      
      v2: Make the change generic to xfrm as mentioned by Steffen and
      update the title to xfrm
      Suggested-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarJerome Stanislaus <jeromes@codeaurora.org>
      Signed-off-by: default avatarSubash Abhinov Kasiviswanathan <subashab@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      a2359773
    • Guillaume Nault's avatar
      ppp: take reference on channels netns · fc74ace8
      Guillaume Nault authored
      [ Upstream commit 1f461dcd ]
      
      Let channels hold a reference on their network namespace.
      Some channel types, like ppp_async and ppp_synctty, can have their
      userspace controller running in a different namespace. Therefore they
      can't rely on them to preclude their netns from being removed from
      under them.
      
      ==================================================================
      BUG: KASAN: use-after-free in ppp_unregister_channel+0x372/0x3a0 at
      addr ffff880064e217e0
      Read of size 8 by task syz-executor/11581
      =============================================================================
      BUG net_namespace (Not tainted): kasan: bad access detected
      -----------------------------------------------------------------------------
      
      Disabling lock debugging due to kernel taint
      INFO: Allocated in copy_net_ns+0x6b/0x1a0 age=92569 cpu=3 pid=6906
      [<      none      >] ___slab_alloc+0x4c7/0x500 kernel/mm/slub.c:2440
      [<      none      >] __slab_alloc+0x4c/0x90 kernel/mm/slub.c:2469
      [<     inline     >] slab_alloc_node kernel/mm/slub.c:2532
      [<     inline     >] slab_alloc kernel/mm/slub.c:2574
      [<      none      >] kmem_cache_alloc+0x23a/0x2b0 kernel/mm/slub.c:2579
      [<     inline     >] kmem_cache_zalloc kernel/include/linux/slab.h:597
      [<     inline     >] net_alloc kernel/net/core/net_namespace.c:325
      [<      none      >] copy_net_ns+0x6b/0x1a0 kernel/net/core/net_namespace.c:360
      [<      none      >] create_new_namespaces+0x2f6/0x610 kernel/kernel/nsproxy.c:95
      [<      none      >] copy_namespaces+0x297/0x320 kernel/kernel/nsproxy.c:150
      [<      none      >] copy_process.part.35+0x1bf4/0x5760 kernel/kernel/fork.c:1451
      [<     inline     >] copy_process kernel/kernel/fork.c:1274
      [<      none      >] _do_fork+0x1bc/0xcb0 kernel/kernel/fork.c:1723
      [<     inline     >] SYSC_clone kernel/kernel/fork.c:1832
      [<      none      >] SyS_clone+0x37/0x50 kernel/kernel/fork.c:1826
      [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a kernel/arch/x86/entry/entry_64.S:185
      
      INFO: Freed in net_drop_ns+0x67/0x80 age=575 cpu=2 pid=2631
      [<      none      >] __slab_free+0x1fc/0x320 kernel/mm/slub.c:2650
      [<     inline     >] slab_free kernel/mm/slub.c:2805
      [<      none      >] kmem_cache_free+0x2a0/0x330 kernel/mm/slub.c:2814
      [<     inline     >] net_free kernel/net/core/net_namespace.c:341
      [<      none      >] net_drop_ns+0x67/0x80 kernel/net/core/net_namespace.c:348
      [<      none      >] cleanup_net+0x4e5/0x600 kernel/net/core/net_namespace.c:448
      [<      none      >] process_one_work+0x794/0x1440 kernel/kernel/workqueue.c:2036
      [<      none      >] worker_thread+0xdb/0xfc0 kernel/kernel/workqueue.c:2170
      [<      none      >] kthread+0x23f/0x2d0 kernel/drivers/block/aoe/aoecmd.c:1303
      [<      none      >] ret_from_fork+0x3f/0x70 kernel/arch/x86/entry/entry_64.S:468
      INFO: Slab 0xffffea0001938800 objects=3 used=0 fp=0xffff880064e20000
      flags=0x5fffc0000004080
      INFO: Object 0xffff880064e20000 @offset=0 fp=0xffff880064e24200
      
      CPU: 1 PID: 11581 Comm: syz-executor Tainted: G    B           4.4.0+
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS
      rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
       00000000ffffffff ffff8800662c7790 ffffffff8292049d ffff88003e36a300
       ffff880064e20000 ffff880064e20000 ffff8800662c77c0 ffffffff816f2054
       ffff88003e36a300 ffffea0001938800 ffff880064e20000 0000000000000000
      Call Trace:
       [<     inline     >] __dump_stack kernel/lib/dump_stack.c:15
       [<ffffffff8292049d>] dump_stack+0x6f/0xa2 kernel/lib/dump_stack.c:50
       [<ffffffff816f2054>] print_trailer+0xf4/0x150 kernel/mm/slub.c:654
       [<ffffffff816f875f>] object_err+0x2f/0x40 kernel/mm/slub.c:661
       [<     inline     >] print_address_description kernel/mm/kasan/report.c:138
       [<ffffffff816fb0c5>] kasan_report_error+0x215/0x530 kernel/mm/kasan/report.c:236
       [<     inline     >] kasan_report kernel/mm/kasan/report.c:259
       [<ffffffff816fb4de>] __asan_report_load8_noabort+0x3e/0x40 kernel/mm/kasan/report.c:280
       [<     inline     >] ? ppp_pernet kernel/include/linux/compiler.h:218
       [<ffffffff83ad71b2>] ? ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<     inline     >] ppp_pernet kernel/include/linux/compiler.h:218
       [<ffffffff83ad71b2>] ppp_unregister_channel+0x372/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<     inline     >] ? ppp_pernet kernel/drivers/net/ppp/ppp_generic.c:293
       [<ffffffff83ad6f26>] ? ppp_unregister_channel+0xe6/0x3a0 kernel/drivers/net/ppp/ppp_generic.c:2392
       [<ffffffff83ae18f3>] ppp_asynctty_close+0xa3/0x130 kernel/drivers/net/ppp/ppp_async.c:241
       [<ffffffff83ae1850>] ? async_lcp_peek+0x5b0/0x5b0 kernel/drivers/net/ppp/ppp_async.c:1000
       [<ffffffff82c33239>] tty_ldisc_close.isra.1+0x99/0xe0 kernel/drivers/tty/tty_ldisc.c:478
       [<ffffffff82c332c0>] tty_ldisc_kill+0x40/0x170 kernel/drivers/tty/tty_ldisc.c:744
       [<ffffffff82c34943>] tty_ldisc_release+0x1b3/0x260 kernel/drivers/tty/tty_ldisc.c:772
       [<ffffffff82c1ef21>] tty_release+0xac1/0x13e0 kernel/drivers/tty/tty_io.c:1901
       [<ffffffff82c1e460>] ? release_tty+0x320/0x320 kernel/drivers/tty/tty_io.c:1688
       [<ffffffff8174de36>] __fput+0x236/0x780 kernel/fs/file_table.c:208
       [<ffffffff8174e405>] ____fput+0x15/0x20 kernel/fs/file_table.c:244
       [<ffffffff813595ab>] task_work_run+0x16b/0x200 kernel/kernel/task_work.c:115
       [<     inline     >] exit_task_work kernel/include/linux/task_work.h:21
       [<ffffffff81307105>] do_exit+0x8b5/0x2c60 kernel/kernel/exit.c:750
       [<ffffffff813fdd20>] ? debug_check_no_locks_freed+0x290/0x290 kernel/kernel/locking/lockdep.c:4123
       [<ffffffff81306850>] ? mm_update_next_owner+0x6f0/0x6f0 kernel/kernel/exit.c:357
       [<ffffffff813215e6>] ? __dequeue_signal+0x136/0x470 kernel/kernel/signal.c:550
       [<ffffffff8132067b>] ? recalc_sigpending_tsk+0x13b/0x180 kernel/kernel/signal.c:145
       [<ffffffff81309628>] do_group_exit+0x108/0x330 kernel/kernel/exit.c:880
       [<ffffffff8132b9d4>] get_signal+0x5e4/0x14f0 kernel/kernel/signal.c:2307
       [<     inline     >] ? kretprobe_table_lock kernel/kernel/kprobes.c:1113
       [<ffffffff8151d355>] ? kprobe_flush_task+0xb5/0x450 kernel/kernel/kprobes.c:1158
       [<ffffffff8115f7d3>] do_signal+0x83/0x1c90 kernel/arch/x86/kernel/signal.c:712
       [<ffffffff8151d2a0>] ? recycle_rp_inst+0x310/0x310 kernel/include/linux/list.h:655
       [<ffffffff8115f750>] ? setup_sigcontext+0x780/0x780 kernel/arch/x86/kernel/signal.c:165
       [<ffffffff81380864>] ? finish_task_switch+0x424/0x5f0 kernel/kernel/sched/core.c:2692
       [<     inline     >] ? finish_lock_switch kernel/kernel/sched/sched.h:1099
       [<ffffffff81380560>] ? finish_task_switch+0x120/0x5f0 kernel/kernel/sched/core.c:2678
       [<     inline     >] ? context_switch kernel/kernel/sched/core.c:2807
       [<ffffffff85d794e9>] ? __schedule+0x919/0x1bd0 kernel/kernel/sched/core.c:3283
       [<ffffffff81003901>] exit_to_usermode_loop+0xf1/0x1a0 kernel/arch/x86/entry/common.c:247
       [<     inline     >] prepare_exit_to_usermode kernel/arch/x86/entry/common.c:282
       [<ffffffff810062ef>] syscall_return_slowpath+0x19f/0x210 kernel/arch/x86/entry/common.c:344
       [<ffffffff85d88022>] int_ret_from_sys_call+0x25/0x9f kernel/arch/x86/entry/entry_64.S:281
      Memory state around the buggy address:
       ffff880064e21680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff880064e21700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      >ffff880064e21780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                                             ^
       ffff880064e21800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
       ffff880064e21880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      ==================================================================
      
      Fixes: 273ec51d ("net: ppp_generic - introduce net-namespace functionality v2")
      Reported-by: default avatarBaozeng Ding <sploving1@gmail.com>
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Reviewed-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fc74ace8
    • Paolo Abeni's avatar
      ipv4: fix broadcast packets reception · 263a20bc
      Paolo Abeni authored
      [ Upstream commit ad0ea198 ]
      
      Currently, ingress ipv4 broadcast datagrams are dropped since,
      in udp_v4_early_demux(), ip_check_mc_rcu() is invoked even on
      bcast packets.
      
      This patch addresses the issue, invoking ip_check_mc_rcu()
      only for mcast packets.
      
      Fixes: 6e540309 ("ipv4/udp: Verify multicast group is ours in upd_v4_early_demux()")
      Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Acked-by: default avatarHannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      263a20bc
    • Eric Dumazet's avatar
      bonding: fix bond_get_stats() · 6acfc65a
      Eric Dumazet authored
      [ Upstream commit fe30937b ]
      
      bond_get_stats() can be called from rtnetlink (with RTNL held)
      or from /proc/net/dev seq handler (with RCU held)
      
      The logic added in commit 5f0c5f73 ("bonding: make global bonding
      stats more reliable") kind of assumed only one cpu could run there.
      
      If multiple threads are reading /proc/net/dev, stats can be really
      messed up after a while.
      
      A second problem is that some fields are 32bit, so we need to properly
      handle the wrap around problem.
      
      Given that RTNL is not always held, we need to use
      bond_for_each_slave_rcu().
      
      Fixes: 5f0c5f73 ("bonding: make global bonding stats more reliable")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Cc: Andy Gospodarek <gospo@cumulusnetworks.com>
      Cc: Jay Vosburgh <j.vosburgh@gmail.com>
      Cc: Veaceslav Falico <vfalico@gmail.com>
      Reviewed-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      6acfc65a
    • Eric Dumazet's avatar
      net: bcmgenet: fix dma api length mismatch · 1fdc6943
      Eric Dumazet authored
      [ Upstream commit eee57723 ]
      
      When un-mapping skb->data in __bcmgenet_tx_reclaim(),
      we must use the length that was used in original dma_map_single(),
      instead of skb->len that might be bigger (includes the frags)
      
      We simply can store skb_len into tx_cb_ptr->dma_len and use it
      at unmap time.
      
      Fixes: 1c1008c7 ("net: bcmgenet: add main driver file")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Acked-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      1fdc6943
    • Manish Chopra's avatar
      qlge: Fix receive packets drop. · bb9863ec
      Manish Chopra authored
      [ Upstream commit 2c9a266a ]
      
      When running small packets [length < 256 bytes] traffic, packets were
      being dropped due to invalid data in those packets which were
      delivered by the driver upto the stack. Using pci_dma_sync_single_for_cpu
      ensures copying latest and updated data into skb from the receive buffer.
      Signed-off-by: default avatarSony Chacko <sony.chacko@qlogic.com>
      Signed-off-by: default avatarManish Chopra <manish.chopra@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      bb9863ec
    • Guillaume Nault's avatar
      ppp: ensure file->private_data can't be overridden · 827e5072
      Guillaume Nault authored
      [ Upstream commit e8e56ffd ]
      
      Locking ppp_mutex must be done before dereferencing file->private_data,
      otherwise it could be modified before ppp_unattached_ioctl() takes the
      lock. This could lead ppp_unattached_ioctl() to override ->private_data,
      thus leaking reference to the ppp_file previously pointed to.
      
      v2: lock all ppp_ioctl() instead of just checking private_data in
          ppp_unattached_ioctl(), to avoid ambiguous behaviour.
      
      Fixes: f3ff8a4d ("ppp: push BKL down into the driver")
      Signed-off-by: default avatarGuillaume Nault <g.nault@alphalink.fr>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      827e5072
    • Arnd Bergmann's avatar
      ath9k: fix buffer overrun for ar9287 · 58bcdf45
      Arnd Bergmann authored
      [ Upstream commit 83d6f1f1 ]
      
      Code that was added back in 2.6.38 has an obvious overflow
      when accessing a static array, and at the time it was added
      only a code comment was put in front of it as a reminder
      to have it reviewed properly.
      
      This has not happened, but gcc-6 now points to the specific
      overflow:
      
      drivers/net/wireless/ath/ath9k/eeprom.c: In function 'ath9k_hw_get_gain_boundaries_pdadcs':
      drivers/net/wireless/ath/ath9k/eeprom.c:483:44: error: array subscript is above array bounds [-Werror=array-bounds]
           maxPwrT4[i] = data_9287[idxL].pwrPdg[i][4];
                         ~~~~~~~~~~~~~~~~~~~~~~~~~^~~
      
      It turns out that the correct array length exists in the local
      'intercepts' variable of this function, so we can just use that
      instead of hardcoding '4', so this patch changes all three
      instances to use that variable. The other two instances were
      already correct, but it's more consistent this way.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 940cd2c1 ("ath9k_hw: merge the ar9287 version of ath9k_hw_get_gain_boundaries_pdadcs")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      58bcdf45
    • Arnd Bergmann's avatar
      farsync: fix off-by-one bug in fst_add_one · 7b95465e
      Arnd Bergmann authored
      [ Upstream commit e725a66c ]
      
      gcc-6 finds an out of bounds access in the fst_add_one function
      when calculating the end of the mmio area:
      
      drivers/net/wan/farsync.c: In function 'fst_add_one':
      drivers/net/wan/farsync.c:418:53: error: index 2 denotes an offset greater than size of 'u8[2][8192] {aka unsigned char[2][8192]}' [-Werror=array-bounds]
       #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                                           ^
      include/linux/compiler-gcc.h:158:21: note: in definition of macro '__compiler_offsetof'
        __builtin_offsetof(a, b)
                           ^
      drivers/net/wan/farsync.c:418:37: note: in expansion of macro 'offsetof'
       #define BUF_OFFSET(X)   (BFM_BASE + offsetof(struct buf_window, X))
                                           ^~~~~~~~
      drivers/net/wan/farsync.c:2519:36: note: in expansion of macro 'BUF_OFFSET'
                                        + BUF_OFFSET ( txBuffer[i][NUM_TX_BUFFER][0]);
                                          ^~~~~~~~~~
      
      The warning is correct, but not critical because this appears
      to be a write-only variable that is set by each WAN driver but
      never accessed afterwards.
      
      I'm taking the minimal fix here, using the correct pointer by
      pointing 'mem_end' to the last byte inside of the register area
      as all other WAN drivers do, rather than the first byte outside of
      it. An alternative would be to just remove the mem_end member
      entirely.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      7b95465e
    • Arnd Bergmann's avatar
      mlx4: add missing braces in verify_qp_parameters · c7c3a321
      Arnd Bergmann authored
      [ Upstream commit baefd701 ]
      
      The implementation of QP paravirtualization back in linux-3.7 included
      some code that looks very dubious, and gcc-6 has grown smart enough
      to warn about it:
      
      drivers/net/ethernet/mellanox/mlx4/resource_tracker.c: In function 'verify_qp_parameters':
      drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:3154:5: error: statement is indented as if it were guarded by... [-Werror=misleading-indentation]
           if (optpar & MLX4_QP_OPTPAR_ALT_ADDR_PATH) {
           ^~
      drivers/net/ethernet/mellanox/mlx4/resource_tracker.c:3144:4: note: ...this 'if' clause, but it is not
          if (slave != mlx4_master_func_num(dev))
      
      >From looking at the context, I'm reasonably sure that the indentation
      is correct but that it should have contained curly braces from the
      start, as the update_gid() function in the same patch correctly does.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Fixes: 54679e14 ("mlx4: Implement QP paravirtualization and maintain phys_pkey_cache for smp_snoop")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c7c3a321
    • Arnaldo Carvalho de Melo's avatar
      net: Fix use after free in the recvmmsg exit path · 8ca7bf09
      Arnaldo Carvalho de Melo authored
      [ Upstream commit 34b88a68 ]
      
      The syzkaller fuzzer hit the following use-after-free:
      
        Call Trace:
         [<ffffffff8175ea0e>] __asan_report_load8_noabort+0x3e/0x40 mm/kasan/report.c:295
         [<ffffffff851cc31a>] __sys_recvmmsg+0x6fa/0x7f0 net/socket.c:2261
         [<     inline     >] SYSC_recvmmsg net/socket.c:2281
         [<ffffffff851cc57f>] SyS_recvmmsg+0x16f/0x180 net/socket.c:2270
         [<ffffffff86332bb6>] entry_SYSCALL_64_fastpath+0x16/0x7a
        arch/x86/entry/entry_64.S:185
      
      And, as Dmitry rightly assessed, that is because we can drop the
      reference and then touch it when the underlying recvmsg calls return
      some packets and then hit an error, which will make recvmmsg to set
      sock->sk->sk_err, oops, fix it.
      Reported-and-Tested-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Kostya Serebryany <kcc@google.com>
      Cc: Sasha Levin <sasha.levin@oracle.com>
      Fixes: a2e27255 ("net: Introduce recvmmsg socket syscall")
      http://lkml.kernel.org/r/20160122211644.GC2470@redhat.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      8ca7bf09
    • David S. Miller's avatar
      ipv4: Don't do expensive useless work during inetdev destroy. · 86de8271
      David S. Miller authored
      [ Upstream commit fbd40ea0 ]
      
      When an inetdev is destroyed, every address assigned to the interface
      is removed.  And in this scenerio we do two pointless things which can
      be very expensive if the number of assigned interfaces is large:
      
      1) Address promotion.  We are deleting all addresses, so there is no
         point in doing this.
      
      2) A full nf conntrack table purge for every address.  We only need to
         do this once, as is already caught by the existing
         masq_dev_notifier so masq_inet_event() can skip this.
      Reported-by: default avatarSolar Designer <solar@openwall.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Tested-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      86de8271
    • Willem de Bruijn's avatar
      macvtap: always pass ethernet header in linear · 68626392
      Willem de Bruijn authored
      [ Upstream commit 8e2ad411 ]
      
      The stack expects link layer headers in the skb linear section.
      Macvtap can create skbs with llheader in frags in edge cases:
      when (IFF_VNET_HDR is off or vnet_hdr.hdr_len < ETH_HLEN) and
      prepad + len > PAGE_SIZE and vnet_hdr.flags has no or bad csum.
      
      Add checks to ensure linear is always at least ETH_HLEN.
      At this point, len is already ensured to be >= ETH_HLEN.
      
      For backwards compatiblity, rounds up short vnet_hdr.hdr_len.
      This differs from tap and packet, which return an error.
      
      Fixes b9fb9ee0 ("macvtap: add GSO/csum offload support")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      68626392
    • Rajesh Borundia's avatar
      qlcnic: Fix mailbox completion handling during spurious interrupt · 5284ee1e
      Rajesh Borundia authored
      [ Upstream commit 819bfe76 ]
      
      o While the driver is in the middle of a MB completion processing
      and it receives a spurious MB interrupt, it is mistaken as a good MB
      completion interrupt leading to premature completion of the next MB
      request. Fix the driver to guard against this by checking the current
      state of MB processing and ignore the spurious interrupt.
      Also added a stats counter to record this condition.
      Signed-off-by: default avatarRajesh Borundia <rajesh.borundia@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      5284ee1e
    • Rajesh Borundia's avatar
      qlcnic: Remove unnecessary usage of atomic_t · fa565f53
      Rajesh Borundia authored
      [ Upstream commit 5bf93251 ]
      
      o atomic_t usage is incorrect as we are not implementing
      any atomicity.
      Signed-off-by: default avatarRajesh Borundia <rajesh.borundia@qlogic.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      fa565f53
    • Sergei Shtylyov's avatar
      sh_eth: fix RX buffer size alignment · 52643323
      Sergei Shtylyov authored
      [ Upstream commit ab857916 ]
      
      Both  Renesas R-Car and RZ/A1 manuals state that RX buffer  length must be
      a multiple of 32 bytes, while the driver  only uses 16 byte granularity...
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      52643323
    • Sergei Shtylyov's avatar
      sh_eth: fix NULL pointer dereference in sh_eth_ring_format() · c5e6283a
      Sergei Shtylyov authored
      [ Upstream commit c1b7fca6 ]
      
      In a low memory situation, if netdev_alloc_skb() fails on a first RX ring
      loop iteration  in sh_eth_ring_format(), 'rxdesc' is still NULL.  Avoid
      kernel oops by adding the 'rxdesc' check after the loop.
      Reported-by: default avatarWolfram Sang <wsa+renesas@sang-engineering.com>
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      c5e6283a
    • Willem de Bruijn's avatar
      packet: validate variable length ll headers · 795f5dc9
      Willem de Bruijn authored
      [ Upstream commit 9ed988cd ]
      
      Replace link layer header validation check ll_header_truncate with
      more generic dev_validate_header.
      
      Validation based on hard_header_len incorrectly drops valid packets
      in variable length protocols, such as AX25. dev_validate_header
      calls header_ops.validate for such protocols to ensure correctness
      below hard_header_len.
      
      See also http://comments.gmane.org/gmane.linux.network/401064
      
      Fixes 9c707762 ("packet: make packet_snd fail on len smaller than l2 header")
      Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      795f5dc9
    • Willem de Bruijn's avatar
      ax25: add link layer header validation function · 58ba5f64
      Willem de Bruijn authored
      [ Upstream commit ea47781c ]
      
      As variable length protocol, AX25 fails link layer header validation
      tests based on a minimum length. header_ops.validate allows protocols
      to validate headers that are shorter than hard_header_len. Implement
      this callback for AX25.
      
      See also http://comments.gmane.org/gmane.linux.network/401064Signed-off-by: default avatarWillem de Bruijn <willemb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
      58ba5f64