1. 29 Mar, 2017 5 commits
    • Arnd Bergmann's avatar
      rocker: fix Wmaybe-uninitialized false-positive · 16b8b6de
      Arnd Bergmann authored
      gcc-7 reports a warning that earlier versions did not have:
      
      drivers/net/ethernet/rocker/rocker_ofdpa.c: In function 'ofdpa_port_stp_update':
      arch/x86/include/asm/string_32.h:79:22: error: '*((void *)&prev_ctrls+4)' may be used uninitialized in this function [-Werror=maybe-uninitialized]
         *((short *)to + 2) = *((short *)from + 2);
         ~~~~~~~~~~~~~~~~~~~^~~~~~~~~~~~~~~~~~~~~~
      drivers/net/ethernet/rocker/rocker_ofdpa.c:2218:7: note: '*((void *)&prev_ctrls+4)' was declared here
      
      This is clearly a variation of the warning about 'prev_state' that
      was shut up using uninitialized_var().
      
      We can slightly simplify the code and get rid of the warning by unconditionally
      saving the prev_state and prev_ctrls variables. The inlined memcpy is not
      particularly expensive here, as it just has to read five bytes from one or
      two cache lines.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      16b8b6de
    • Talat Batheesh's avatar
      net/mlx5: Avoid dereferencing uninitialized pointer · e497ec68
      Talat Batheesh authored
      In NETDEV_CHANGEUPPER event the upper_info field is valid
      only when linking is true. Otherwise it should be ignored.
      
      Fixes: 7907f23a (net/mlx5: Implement RoCE LAG feature)
      Signed-off-by: default avatarTalat Batheesh <talatb@mellanox.com>
      Reviewed-by: default avatarAviv Heller <avivh@mellanox.com>
      Reviewed-by: default avatarMoni Shoua <monis@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e497ec68
    • Jonas Jensen's avatar
      net: moxa: fix TX overrun memory leak · c2b341a6
      Jonas Jensen authored
      moxart_mac_start_xmit() doesn't care where tx_tail is, tx_head can
      catch and pass tx_tail, which is bad because moxart_tx_finished()
      isn't guaranteed to catch up on freeing resources from tx_tail.
      
      Add a check in moxart_mac_start_xmit() stopping the queue at the
      end of the circular buffer. Also add a check in moxart_tx_finished()
      waking the queue if the buffer has TX_WAKE_THRESHOLD or more
      free descriptors.
      
      While we're at it, move spin_lock_irq() to happen before our
      descriptor pointer is assigned in moxart_mac_start_xmit().
      
      Addresses https://bugzilla.kernel.org/show_bug.cgi?id=99451Signed-off-by: default avatarJonas Jensen <jonas.jensen@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c2b341a6
    • Arnd Bergmann's avatar
      isdn: kcapi: avoid uninitialized data · af109a2c
      Arnd Bergmann authored
      gcc-7 points out that the AVMB1_ADDCARD ioctl results in an unintialized
      value ending up in the cardnr parameter:
      
      drivers/isdn/capi/kcapi.c: In function 'old_capi_manufacturer':
      drivers/isdn/capi/kcapi.c:1042:24: error: 'cdef.cardnr' may be used uninitialized in this function [-Werror=maybe-uninitialized]
         cparams.cardnr = cdef.cardnr;
      
      This has been broken since before the start of the git history, so
      either the value is not used for anything important, or the ioctl
      command doesn't get called in practice.
      
      Setting the cardnr to zero avoids the warning and makes sure
      we have consistent behavior.
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      af109a2c
    • Xin Long's avatar
      sctp: change to save MSG_MORE flag into assoc · f9ba3501
      Xin Long authored
      David Laight noticed the support for MSG_MORE with datamsg->force_delay
      didn't really work as we expected, as the first msg with MSG_MORE set
      would always block the following chunks' dequeuing.
      
      This Patch is to rewrite it by saving the MSG_MORE flag into assoc as
      David Laight suggested.
      
      asoc->force_delay is used to save MSG_MORE flag before a msg is sent.
      All chunks in queue would not be sent out if asoc->force_delay is set
      by the msg with MSG_MORE flag, until a new msg without MSG_MORE flag
      clears asoc->force_delay.
      
      Note that this change would not affect the flush is generated by other
      triggers, like asoc->state != ESTABLISHED, queue size > pmtu etc.
      
      v1->v2:
        Not clear asoc->force_delay after sending the msg with MSG_MORE flag.
      
      Fixes: 4ea0c32f ("sctp: add support for MSG_MORE")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarDavid Laight <david.laight@aculab.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9ba3501
  2. 28 Mar, 2017 1 commit
    • Mark Rutland's avatar
      net: ipconfig: fix ic_close_devs() use-after-free · ffefb6f4
      Mark Rutland authored
      Our chosen ic_dev may be anywhere in our list of ic_devs, and we may
      free it before attempting to close others. When we compare d->dev and
      ic_dev->dev, we're potentially dereferencing memory returned to the
      allocator. This causes KASAN to scream for each subsequent ic_dev we
      check.
      
      As there's a 1-1 mapping between ic_devs and netdevs, we can instead
      compare d and ic_dev directly, which implicitly handles the !ic_dev
      case, and avoids the use-after-free. The ic_dev pointer may be stale,
      but we will not dereference it.
      
      Original splat:
      
      [    6.487446] ==================================================================
      [    6.494693] BUG: KASAN: use-after-free in ic_close_devs+0xc4/0x154 at addr ffff800367efa708
      [    6.503013] Read of size 8 by task swapper/0/1
      [    6.507452] CPU: 5 PID: 1 Comm: swapper/0 Not tainted 4.11.0-rc3-00002-gda42158 #8
      [    6.514993] Hardware name: AppliedMicro Mustang/Mustang, BIOS 3.05.05-beta_rc Jan 27 2016
      [    6.523138] Call trace:
      [    6.525590] [<ffff200008094778>] dump_backtrace+0x0/0x570
      [    6.530976] [<ffff200008094d08>] show_stack+0x20/0x30
      [    6.536017] [<ffff200008bee928>] dump_stack+0x120/0x188
      [    6.541231] [<ffff20000856d5e4>] kasan_object_err+0x24/0xa0
      [    6.546790] [<ffff20000856d924>] kasan_report_error+0x244/0x738
      [    6.552695] [<ffff20000856dfec>] __asan_report_load8_noabort+0x54/0x80
      [    6.559204] [<ffff20000aae86ac>] ic_close_devs+0xc4/0x154
      [    6.564590] [<ffff20000aaedbac>] ip_auto_config+0x2ed4/0x2f1c
      [    6.570321] [<ffff200008084b04>] do_one_initcall+0xcc/0x370
      [    6.575882] [<ffff20000aa31de8>] kernel_init_freeable+0x5f8/0x6c4
      [    6.581959] [<ffff20000a16df00>] kernel_init+0x18/0x190
      [    6.587171] [<ffff200008084710>] ret_from_fork+0x10/0x40
      [    6.592468] Object at ffff800367efa700, in cache kmalloc-128 size: 128
      [    6.598969] Allocated:
      [    6.601324] PID = 1
      [    6.603427]  save_stack_trace_tsk+0x0/0x418
      [    6.607603]  save_stack_trace+0x20/0x30
      [    6.611430]  kasan_kmalloc+0xd8/0x188
      [    6.615087]  ip_auto_config+0x8c4/0x2f1c
      [    6.619002]  do_one_initcall+0xcc/0x370
      [    6.622832]  kernel_init_freeable+0x5f8/0x6c4
      [    6.627178]  kernel_init+0x18/0x190
      [    6.630660]  ret_from_fork+0x10/0x40
      [    6.634223] Freed:
      [    6.636233] PID = 1
      [    6.638334]  save_stack_trace_tsk+0x0/0x418
      [    6.642510]  save_stack_trace+0x20/0x30
      [    6.646337]  kasan_slab_free+0x88/0x178
      [    6.650167]  kfree+0xb8/0x478
      [    6.653131]  ic_close_devs+0x130/0x154
      [    6.656875]  ip_auto_config+0x2ed4/0x2f1c
      [    6.660875]  do_one_initcall+0xcc/0x370
      [    6.664705]  kernel_init_freeable+0x5f8/0x6c4
      [    6.669051]  kernel_init+0x18/0x190
      [    6.672534]  ret_from_fork+0x10/0x40
      [    6.676098] Memory state around the buggy address:
      [    6.680880]  ffff800367efa600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      [    6.688078]  ffff800367efa680: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [    6.695276] >ffff800367efa700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    6.702469]                       ^
      [    6.705952]  ffff800367efa780: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
      [    6.713149]  ffff800367efa800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
      [    6.720343] ==================================================================
      [    6.727536] Disabling lock debugging due to kernel taint
      Signed-off-by: default avatarMark Rutland <mark.rutland@arm.com>
      Cc: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
      Cc: David S. Miller <davem@davemloft.net>
      Cc: Hideaki YOSHIFUJI <yoshfuji@linux-ipv6.org>
      Cc: James Morris <jmorris@namei.org>
      Cc: Patrick McHardy <kaber@trash.net>
      Cc: netdev@vger.kernel.org
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ffefb6f4
  3. 27 Mar, 2017 1 commit
  4. 26 Mar, 2017 3 commits
    • Alexey Khoroshilov's avatar
      irda: vlsi_ir: fix check for DMA mapping errors · 6ac3b77a
      Alexey Khoroshilov authored
      vlsi_alloc_ring() checks for DMA mapping errors by comparing
      returned address with zero, while pci_dma_mapping_error() should be used.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6ac3b77a
    • Arnd Bergmann's avatar
      net: hns: avoid gcc-7.0.1 warning for uninitialized data · 834a61d4
      Arnd Bergmann authored
      hns_dsaf_set_mac_key() calls dsaf_set_field() on an uninitialized field,
      which will then change only a few of its bits, causing a warning with
      the latest gcc:
      
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_set_mac_uc_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
         (origin) &= (~(mask)); \
                  ^~
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_set_mac_mc_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_add_mac_mc_port':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_del_mac_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_rm_mac_addr':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_del_mac_mc_port':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_mac_uc_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_get_mac_mc_entry':
      hisilicon/hns/hns_dsaf_reg.h:1046:12: error: 'mac_key.low.bits.port_vlan' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      The code is actually correct since we always set all 16 bits of the
      port_vlan field, but gcc correctly points out that the first
      access does contain uninitialized data.
      
      This initializes the field to zero first before setting the
      individual bits.
      
      Fixes: 5483bfcb ("net: hns: modify tcam table and set mac key")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      834a61d4
    • Arnd Bergmann's avatar
      net: hns: fix uninitialized data use · a17f1861
      Arnd Bergmann authored
      When dev_dbg() is enabled, we print uninitialized data, as gcc-7.0.1
      now points out:
      
      ethernet/hisilicon/hns/hns_dsaf_main.c: In function 'hns_dsaf_set_promisc_tcam':
      ethernet/hisilicon/hns/hns_dsaf_main.c:2947:75: error: 'tbl_tcam_data.low.val' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      ethernet/hisilicon/hns/hns_dsaf_main.c:2947:75: error: 'tbl_tcam_data.high.val' may be used uninitialized in this function [-Werror=maybe-uninitialized]
      
      We also pass the data into hns_dsaf_tcam_mc_cfg(), which might later
      use it (not sure about that), so it seems safer to just always initialize
      the tbl_tcam_data structure.
      
      Fixes: 1f5fa2dd ("net: hns: fix for promisc mode in HNS driver")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a17f1861
  5. 25 Mar, 2017 4 commits
  6. 24 Mar, 2017 18 commits
  7. 23 Mar, 2017 8 commits
    • Linus Torvalds's avatar
      Merge tag 'sound-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · d038e3dc
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This contains the collection of small fixes for 4.11 that were pending
        during my vacation:
      
         - a few HD-audio quirks (more Dell headset support, docking station
           support on HP laptops)
      
         - a regression fix for the previous ctxfi DMA mask fix
      
         - a correction of the new CONFIG_SND_X86 menu entry
      
         - a fix for the races in ALSA sequencer core spotted by syzkaller"
      
      * tag 'sound-4.11-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - Adding a group of pin definition to fix headset problem
        ALSA: seq: Fix racy cell insertions during snd_seq_pool_done()
        ALSA: x86: Make CONFIG_SND_X86 bool
        ALSA: hda - add support for docking station for HP 840 G3
        ALSA: hda - add support for docking station for HP 820 G2
        ALSA: ctxfi: Fix the incorrect check of dma_set_mask() call
      d038e3dc
    • Linus Torvalds's avatar
      Merge branch 'for-linus-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs · 131fbf4f
      Linus Torvalds authored
      Pull btrfs fixes from Chris Mason:
       "Zygo tracked down a very old bug with inline compressed extents.
      
        I didn't tag this one for stable because I want to do individual
        tested backports. It's a little tricky and I'd rather do some extra
        testing on it along the way"
      
      * 'for-linus-4.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs:
        btrfs: add missing memset while reading compressed inline extents
        Btrfs: fix regression in lock_delalloc_pages
        btrfs: remove btrfs_err_str function from uapi/linux/btrfs.h
      131fbf4f
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · f341d9f0
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Several netfilter fixes from Pablo and the crew:
            - Handle fragmented packets properly in netfilter conntrack, from
              Florian Westphal.
            - Fix SCTP ICMP packet handling, from Ying Xue.
            - Fix big-endian bug in nftables, from Liping Zhang.
            - Fix alignment of fake conntrack entry, from Steven Rostedt.
      
       2) Fix feature flags setting in fjes driver, from Taku Izumi.
      
       3) Openvswitch ipv6 tunnel source address not set properly, from Or
          Gerlitz.
      
       4) Fix jumbo MTU handling in amd-xgbe driver, from Thomas Lendacky.
      
       5) sk->sk_frag.page not released properly in some cases, from Eric
          Dumazet.
      
       6) Fix RTNL deadlocks in nl80211, from Johannes Berg.
      
       7) Fix erroneous RTNL lockdep splat in crypto, from Herbert Xu.
      
       8) Cure improper inflight handling during AF_UNIX GC, from Andrey
          Ulanov.
      
       9) sch_dsmark doesn't write to packet headers properly, from Eric
          Dumazet.
      
      10) Fix SCM_TIMESTAMPING_OPT_STATS handling in TCP, from Soheil Hassas
          Yeganeh.
      
      11) Add some IDs for Motorola qmi_wwan chips, from Tony Lindgren.
      
      12) Fix nametbl deadlock in tipc, from Ying Xue.
      
      13) GRO and LRO packets not counted correctly in mlx5 driver, from Gal
          Pressman.
      
      14) Fix reset of internal PHYs in bcmgenet, from Doug Berger.
      
      15) Fix hashmap allocation handling, from Alexei Starovoitov.
      
      16) nl_fib_input() needs stronger netlink message length checking, from
          Eric Dumazet.
      
      17) Fix double-free of sk->sk_filter during sock clone, from Daniel
          Borkmann.
      
      18) Fix RX checksum offloading in aquantia driver, from Pavel Belous.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (85 commits)
        net:ethernet:aquantia: Fix for RX checksum offload.
        amd-xgbe: Fix the ECC-related bit position definitions
        sfc: cleanup a condition in efx_udp_tunnel_del()
        Bluetooth: btqcomsmd: fix compile-test dependency
        inet: frag: release spinlock before calling icmp_send()
        tcp: initialize icsk_ack.lrcvtime at session start time
        genetlink: fix counting regression on ctrl_dumpfamily()
        socket, bpf: fix sk_filter use after free in sk_clone_lock
        ipv4: provide stronger user input validation in nl_fib_input()
        bpf: fix hashmap extra_elems logic
        enic: update enic maintainers
        net: bcmgenet: remove bcmgenet_internal_phy_setup()
        ipv6: make sure to initialize sockc.tsflags before first use
        fjes: Do not load fjes driver if extended socket device is not power on.
        fjes: Do not load fjes driver if system does not have extended socket device.
        net/mlx5e: Count LRO packets correctly
        net/mlx5e: Count GSO packets correctly
        net/mlx5: Increase number of max QPs in default profile
        net/mlx5e: Avoid supporting udp tunnel port ndo for VF reps
        net/mlx5e: Use the proper UAPI values when offloading TC vlan actions
        ...
      f341d9f0
    • Hui Wang's avatar
      ALSA: hda - Adding a group of pin definition to fix headset problem · 3f307834
      Hui Wang authored
      A new Dell laptop needs to apply ALC269_FIXUP_DELL1_MIC_NO_PRESENCE to
      fix the headset problem, and the pin definiton of this machine is not
      in the pin quirk table yet, now adding it to the table.
      Signed-off-by: default avatarHui Wang <hui.wang@canonical.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarTakashi Iwai <tiwai@suse.de>
      3f307834
    • Pavel Belous's avatar
      net:ethernet:aquantia: Fix for RX checksum offload. · 68c38659
      Pavel Belous authored
      Since AQC-100/107/108 chips supports hardware checksums for RX we should indicate this
      via NETIF_F_RXCSUM flag.
      
      v1->v2: 'Signed-off-by' tag added.
      Signed-off-by: default avatarPavel Belous <pavel.belous@aquantia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      68c38659
    • Lendacky, Thomas's avatar
      amd-xgbe: Fix the ECC-related bit position definitions · f43feef4
      Lendacky, Thomas authored
      The ECC bit positions that describe whether the ECC interrupt is for
      Tx, Rx or descriptor memory and whether the it is a single correctable
      or double detected error were defined in incorrectly (reversed order).
      Fix the bit position definitions for these settings so that the proper
      ECC handling is performed.
      Signed-off-by: default avatarTom Lendacky <thomas.lendacky@amd.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f43feef4
    • Dan Carpenter's avatar
      sfc: cleanup a condition in efx_udp_tunnel_del() · c04ca616
      Dan Carpenter authored
      Presumably if there is an "add" function, there is also a "del"
      function.  But it causes a static checker warning because it looks like
      a common cut and paste bug.
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Acked-by: default avatarJarod Wilson <jarod@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c04ca616
    • Arnd Bergmann's avatar
      Bluetooth: btqcomsmd: fix compile-test dependency · 6e9e6cc8
      Arnd Bergmann authored
      compile-testing fails when QCOM_SMD is a loadable module:
      
      drivers/bluetooth/built-in.o: In function `btqcomsmd_send':
      btqca.c:(.text+0xa8): undefined reference to `qcom_smd_send'
      drivers/bluetooth/built-in.o: In function `btqcomsmd_probe':
      btqca.c:(.text+0x3ec): undefined reference to `qcom_wcnss_open_channel'
      btqca.c:(.text+0x46c): undefined reference to `qcom_smd_set_drvdata'
      
      This clarifies the dependency to allow compile-testing only when
      SMD is completely disabled, otherwise the dependency on QCOM_SMD
      will make sure we can link against it.
      
      Fixes: e27ee2b1 ("Bluetooth: btqcomsmd: Allow driver to build if COMPILE_TEST is enabled")
      Signed-off-by: default avatarArnd Bergmann <arnd@arndb.de>
      [bjorn: Restructure and clarify dependency to QCOM_WCNSS_CTRL]
      Signed-off-by: default avatarBjorn Andersson <bjorn.andersson@linaro.org>
      Acked-by: default avatarMarcel Holtmann <marcel@holtmann.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6e9e6cc8