1. 14 Feb, 2017 5 commits
    • Herbert Xu's avatar
      rhashtable: Add nested tables · 40137906
      Herbert Xu authored
      This patch adds code that handles GFP_ATOMIC kmalloc failure on
      insertion.  As we cannot use vmalloc, we solve it by making our
      hash table nested.  That is, we allocate single pages at each level
      and reach our desired table size by nesting them.
      
      When a nested table is created, only a single page is allocated
      at the top-level.  Lower levels are allocated on demand during
      insertion.  Therefore for each insertion to succeed, only two
      (non-consecutive) pages are needed.
      
      After a nested table is created, a rehash will be scheduled in
      order to switch to a vmalloced table as soon as possible.  Also,
      the rehash code will never rehash into a nested table.  If we
      detect a nested table during a rehash, the rehash will be aborted
      and a new rehash will be scheduled.
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      40137906
    • Herbert Xu's avatar
      tipc: Fix tipc_sk_reinit race conditions · 9dbbfb0a
      Herbert Xu authored
      There are two problems with the function tipc_sk_reinit.  Firstly
      it's doing a manual walk over an rhashtable.  This is broken as
      an rhashtable can be resized and if you manually walk over it
      during a resize then you may miss entries.
      
      Secondly it's missing memory barriers as previously the code used
      spinlocks which provide the barriers implicitly.
      
      This patch fixes both problems.
      
      Fixes: 07f6c4bc ("tipc: convert tipc reference table to...")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Acked-by: default avatarYing Xue <ying.xue@windriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9dbbfb0a
    • Herbert Xu's avatar
      gfs2: Use rhashtable walk interface in glock_hash_walk · 6a254780
      Herbert Xu authored
      The function glock_hash_walk walks the rhashtable by hand.  This
      is broken because if it catches the hash table in the middle of
      a rehash, then it will miss entries.
      
      This patch replaces the manual walk by using the rhashtable walk
      interface.
      
      Fixes: 88ffbf3e ("GFS2: Use resizable hash table for glocks")
      Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6a254780
    • Ralf Baechle's avatar
      NET: Fix /proc/net/arp for AX.25 · 4872e57c
      Ralf Baechle authored
      When sending ARP requests over AX.25 links the hwaddress in the neighbour
      cache are not getting initialized.  For such an incomplete arp entry
      ax2asc2 will generate an empty string resulting in /proc/net/arp output
      like the following:
      
      $ cat /proc/net/arp
      IP address       HW type     Flags       HW address            Mask     Device
      192.168.122.1    0x1         0x2         52:54:00:00:5d:5f     *        ens3
      172.20.1.99      0x3         0x0              *        bpq0
      
      The missing field will confuse the procfs parsing of arp(8) resulting in
      incorrect output for the device such as the following:
      
      $ arp
      Address                  HWtype  HWaddress           Flags Mask            Iface
      gateway                  ether   52:54:00:00:5d:5f   C                     ens3
      172.20.1.99                      (incomplete)                              ens3
      
      This changes the content of /proc/net/arp to:
      
      $ cat /proc/net/arp
      IP address       HW type     Flags       HW address            Mask     Device
      172.20.1.99      0x3         0x0         *                     *        bpq0
      192.168.122.1    0x1         0x2         52:54:00:00:5d:5f     *        ens3
      
      To do so it change ax2asc to put the string "*" in buf for a NULL address
      argument.  Finally the HW address field is left aligned in a 17 character
      field (the length of an ethernet HW address in the usual hex notation) for
      readability.
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      4872e57c
    • Mart van Santen's avatar
      xen-netback: vif counters from int/long to u64 · ebf692f8
      Mart van Santen authored
      This patch fixes an issue where the type of counters in the queue(s)
      and interface are not in sync (queue counters are int, interface
      counters are long), causing incorrect reporting of tx/rx values
      of the vif interface and unclear counter overflows.
      This patch sets both counters to the u64 type.
      Signed-off-by: default avatarMart van Santen <mart@greenhost.nl>
      Reviewed-by: default avatarPaul Durrant <paul.durrant@citrix.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ebf692f8
  2. 13 Feb, 2017 3 commits
  3. 12 Feb, 2017 2 commits
  4. 10 Feb, 2017 15 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 1ee18329
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) If the timing is wrong we can indefinitely stop generating new ipv6
          temporary addresses, from Marcus Huewe.
      
       2) Don't double free per-cpu stats in ipv6 SIT tunnel driver, from Cong
          Wang.
      
       3) Put protections in place so that AF_PACKET is not able to submit
          packets which don't even have a link level header to drivers. From
          Willem de Bruijn.
      
       4) Fix memory leaks in ipv4 and ipv6 multicast code, from Hangbin Liu.
      
       5) Don't use udp_ioctl() in l2tp code, UDP version expects a UDP socket
          and that doesn't go over very well when it is passed an L2TP one.
          Fix from Eric Dumazet.
      
       6) Don't crash on NULL pointer in phy_attach_direct(), from Florian
          Fainelli.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
        l2tp: do not use udp_ioctl()
        xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend()
        NET: mkiss: Fix panic
        net: hns: Fix the device being used for dma mapping during TX
        net: phy: Initialize mdio clock at probe function
        igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()
        xen-netfront: Improve error handling during initialization
        sierra_net: Skip validating irrelevant fields for IDLE LSIs
        sierra_net: Add support for IPv6 and Dual-Stack Link Sense Indications
        kcm: fix 0-length case for kcm_sendmsg()
        xen-netfront: Rework the fix for Rx stall during OOM and network stress
        net: phy: Fix PHY module checks and NULL deref in phy_attach_direct()
        net: thunderx: Fix PHY autoneg for SGMII QLM mode
        net: dsa: Do not destroy invalid network devices
        ping: fix a null pointer dereference
        packet: round up linear to header len
        net: introduce device min_header_len
        sit: fix a double free on error path
        lwtunnel: valid encap attr check should return 0 when lwtunnel is disabled
        ipv6: addrconf: fix generation of new temporary addresses
      1ee18329
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma · a9dbf5c8
      Linus Torvalds authored
      Pull rdma fixes from Doug Ledford:
       "Third round of -rc fixes for 4.10 kernel:
      
         - two security related issues in the rxe driver
      
         - one compile issue in the RDMA uapi header"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dledford/rdma:
        RDMA: Don't reference kernel private header from UAPI header
        IB/rxe: Fix mem_check_range integer overflow
        IB/rxe: Fix resid update
      a9dbf5c8
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · aca9fa0c
      Linus Torvalds authored
      Pull i2c bugfixes from Wolfram Sang:
       "Two bugfixes (proper IO mapping and use of mutex) for a driver feature
        we introduced in this cycle"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: piix4: Request the SMBUS semaphore inside the mutex
        i2c: piix4: Fix request_region size
      aca9fa0c
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · fc6f41ba
      Linus Torvalds authored
      Pull MMC host fix from Ulf Hansson:
       "mmci: Fix hang while waiting for busy-end interrupt"
      
      * tag 'mmc-v4.10-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        mmc: mmci: avoid clearing ST Micro busy end interrupt mistakenly
      fc6f41ba
    • Linus Torvalds's avatar
      Merge tag 'sound-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 1f369d16
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "Here are some last-minute fixes: two fixes for races in ALSA sequencer
        queue spotted by syzkaller, a revert for a regression of LINE6 driver
        (since 4.9), and a trivial new codec ID addition for Nvidia HDMI"
      
      * tag 'sound-4.10' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - adding a new NV HDMI/DP codec ID in the driver
        ALSA: seq: Fix race at creating a queue
        Revert "ALSA: line6: Only determine control port properties if needed"
        ALSA: seq: Don't handle loop timeout at snd_seq_pool_done()
      1f369d16
    • Linus Torvalds's avatar
      Merge tag 'nfsd-4.10-3' of git://linux-nfs.org/~bfields/linux · 7fe654dc
      Linus Torvalds authored
      Pull nfsd revert from Bruce Fields:
       "This patch turned out to have a couple problems. The problems are
        fixable, but at least one of the fixes is a little ugly. The original
        bug has always been there, so we can wait another week or two to get
        this right"
      
      * tag 'nfsd-4.10-3' of git://linux-nfs.org/~bfields/linux:
        nfsd: Revert "nfsd: special case truncates some more"
      7fe654dc
    • Linus Torvalds's avatar
      Merge tag 'powerpc-4.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 3ebc7033
      Linus Torvalds authored
      Pull powerpc fixes friom Michael Ellerman:
       "Apologies for the late pull request, but Ben has been busy finding bugs.
      
         - Userspace was semi-randomly segfaulting on radix due to us
           incorrectly handling a fault triggered by autonuma, caused by a
           patch we merged earlier in v4.10 to prevent the kernel executing
           userspace.
      
         - We weren't marking host IPIs properly for KVM in the OPAL ICP
           backend.
      
         - The ERAT flushing on radix was missing an isync and was incorrectly
           marked as DD1 only.
      
         - The powernv CPU hotplug code was missing a wakeup type and failing
           to flush the interrupt correctly when using OPAL ICP
      
        Thanks to Benjamin Herrenschmidt"
      
      * tag 'powerpc-4.10-4' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/powernv: Properly set "host-ipi" on IPIs
        powerpc/powernv: Fix CPU hotplug to handle waking on HVI
        powerpc/mm/radix: Update ERAT flushes when invalidating TLB
        powerpc/mm: Fix spurrious segfaults on radix with autonuma
      3ebc7033
    • Eric Dumazet's avatar
      l2tp: do not use udp_ioctl() · 72fb96e7
      Eric Dumazet authored
      udp_ioctl(), as its name suggests, is used by UDP protocols,
      but is also used by L2TP :(
      
      L2TP should use its own handler, because it really does not
      look the same.
      
      SIOCINQ for instance should not assume UDP checksum or headers.
      
      Thanks to Andrey and syzkaller team for providing the report
      and a nice reproducer.
      
      While crashes only happen on recent kernels (after commit
      7c13f97f ("udp: do fwd memory scheduling on dequeue")), this
      probably needs to be backported to older kernels.
      
      Fixes: 7c13f97f ("udp: do fwd memory scheduling on dequeue")
      Fixes: 85584672 ("udp: Fix udp_poll() and ioctl()")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      72fb96e7
    • Boris Ostrovsky's avatar
      xen-netfront: Delete rx_refill_timer in xennet_disconnect_backend() · 74470954
      Boris Ostrovsky authored
      rx_refill_timer should be deleted as soon as we disconnect from the
      backend since otherwise it is possible for the timer to go off before
      we get to xennet_destroy_queues(). If this happens we may dereference
      queue->rx.sring which is set to NULL in xennet_disconnect_backend().
      Signed-off-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      CC: stable@vger.kernel.org
      Reviewed-by: default avatarJuergen Gross <jgross@suse.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      74470954
    • Ralf Baechle's avatar
      NET: mkiss: Fix panic · 7ba1b689
      Ralf Baechle authored
      If a USB-to-serial adapter is unplugged, the driver re-initializes, with
      dev->hard_header_len and dev->addr_len set to zero, instead of the correct
      values.  If then a packet is sent through the half-dead interface, the
      kernel will panic due to running out of headroom in the skb when pushing
      for the AX.25 headers resulting in this panic:
      
      [<c0595468>] (skb_panic) from [<c0401f70>] (skb_push+0x4c/0x50)
      [<c0401f70>] (skb_push) from [<bf0bdad4>] (ax25_hard_header+0x34/0xf4 [ax25])
      [<bf0bdad4>] (ax25_hard_header [ax25]) from [<bf0d05d4>] (ax_header+0x38/0x40 [mkiss])
      [<bf0d05d4>] (ax_header [mkiss]) from [<c041b584>] (neigh_compat_output+0x8c/0xd8)
      [<c041b584>] (neigh_compat_output) from [<c043e7a8>] (ip_finish_output+0x2a0/0x914)
      [<c043e7a8>] (ip_finish_output) from [<c043f948>] (ip_output+0xd8/0xf0)
      [<c043f948>] (ip_output) from [<c043f04c>] (ip_local_out_sk+0x44/0x48)
      
      This patch makes mkiss behave like the 6pack driver. 6pack does not
      panic.  In 6pack.c sp_setup() (same function name here) the values for
      dev->hard_header_len and dev->addr_len are set to the same values as in
      my mkiss patch.
      
      [ralf@linux-mips.org: Massages original submission to conform to the usual
      standards for patch submissions.]
      Signed-off-by: default avatarThomas Osterried <thomas@osterried.de>
      Signed-off-by: default avatarRalf Baechle <ralf@linux-mips.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7ba1b689
    • Kejian Yan's avatar
      net: hns: Fix the device being used for dma mapping during TX · b85ea006
      Kejian Yan authored
      This patch fixes the device being used to DMA map skb->data.
      Erroneous device assignment causes the crash when SMMU is enabled.
      This happens during TX since buffer gets DMA mapped with device
      correspondign to net_device and gets unmapped using the device
      related to DSAF.
      Signed-off-by: default avatarKejian Yan <yankejian@huawei.com>
      Reviewed-by: default avatarYisen Zhuang <yisen.zhuang@huawei.com>
      Signed-off-by: default avatarSalil Mehta <salil.mehta@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b85ea006
    • J. Bruce Fields's avatar
      nfsd: Revert "nfsd: special case truncates some more" · 0839ffb8
      J. Bruce Fields authored
      This patch incorrectly attempted nested mnt_want_write, and incorrectly
      disabled nfsd's owner override for truncate.  We'll fix those problems
      and make another attempt soon, for the moment I think the safest is to
      revert.
      Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
      0839ffb8
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.10-rc8' of git://people.freedesktop.org/~airlied/linux · 3d88460d
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "This should be the final set of drm fixes for 4.10: one vmwgfx boot
        fix, one vc4 fix, and a few i915 fixes:
      
      * tag 'drm-fixes-for-v4.10-rc8' of git://people.freedesktop.org/~airlied/linux:
        drm: vc4: adapt to new behaviour of drm_crtc.c
        drm/i915: Always convert incoming exec offsets to non-canonical
        drm/i915: Remove overzealous fence warn on runtime suspend
        drm/i915/bxt: Add MST support when do DPLL calculation
        drm/i915: don't warn about Skylake CPU - KabyPoint PCH combo
        drm/i915: fix i915 running as dom0 under Xen
        drm/i915: Flush untouched framebuffers before display on !llc
        drm/i915: fix use-after-free in page_flip_completed()
        drm/vmwgfx: Fix depth input into drm_mode_legacy_fb_format
      3d88460d
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2017-02-09' of... · 697d3a21
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2017-02-09' of git://anongit.freedesktop.org/git/drm-intel into drm-fixes
      
      Hopefully final fixes for v4.10, about half of them stable material.
      
      * tag 'drm-intel-fixes-2017-02-09' of git://anongit.freedesktop.org/git/drm-intel:
        drm/i915: Always convert incoming exec offsets to non-canonical
        drm/i915: Remove overzealous fence warn on runtime suspend
        drm/i915/bxt: Add MST support when do DPLL calculation
        drm/i915: don't warn about Skylake CPU - KabyPoint PCH combo
        drm/i915: fix i915 running as dom0 under Xen
        drm/i915: Flush untouched framebuffers before display on !llc
        drm/i915: fix use-after-free in page_flip_completed()
      697d3a21
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2017-02-09' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes · 811b40c8
      Dave Airlie authored
      Last-minute vc4 fix for 4.10.
      
      * tag 'drm-misc-fixes-2017-02-09' of git://anongit.freedesktop.org/git/drm-misc:
        drm: vc4: adapt to new behaviour of drm_crtc.c
      811b40c8
  5. 09 Feb, 2017 15 commits
    • Yendapally Reddy Dhananjaya Reddy's avatar
      net: phy: Initialize mdio clock at probe function · bb1a6197
      Yendapally Reddy Dhananjaya Reddy authored
      USB PHYs need the MDIO clock divisor enabled earlier to work.
      Initialize mdio clock divisor in probe function. The ext bus
      bit available in the same register will be used by mdio mux
      to enable external mdio.
      Signed-off-by: default avatarYendapally Reddy Dhananjaya Reddy <yendapally.reddy@broadcom.com>
      Fixes: ddc24ae1 ("net: phy: Broadcom iProc MDIO bus driver")
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarJon Mason <jon.mason@broadcom.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bb1a6197
    • Hangbin Liu's avatar
      igmp, mld: Fix memory leak in igmpv3/mld_del_delrec() · 9c8bb163
      Hangbin Liu authored
      In function igmpv3/mld_add_delrec() we allocate pmc and put it in
      idev->mc_tomb, so we should free it when we don't need it in del_delrec().
      But I removed kfree(pmc) incorrectly in latest two patches. Now fix it.
      
      Fixes: 24803f38 ("igmp: do not remove igmp souce list info when ...")
      Fixes: 1666d49e ("mld: do not remove mld souce list info when ...")
      Reported-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarHangbin Liu <liuhangbin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9c8bb163
    • Ross Lagerwall's avatar
      xen-netfront: Improve error handling during initialization · e2e004ac
      Ross Lagerwall authored
      This fixes a crash when running out of grant refs when creating many
      queues across many netdevs.
      
      * If creating queues fails (i.e. there are no grant refs available),
      call xenbus_dev_fatal() to ensure that the xenbus device is set to the
      closed state.
      * If no queues are created, don't call xennet_disconnect_backend as
      netdev->real_num_tx_queues will not have been set correctly.
      * If setup_netfront() fails, ensure that all the queues created are
      cleaned up, not just those that have been set up.
      * If any queues were set up and an error occurs, call
      xennet_destroy_queues() to clean up the napi context.
      * If any fatal error occurs, unregister and destroy the netdev to avoid
      leaving around a half setup network device.
      Signed-off-by: default avatarRoss Lagerwall <ross.lagerwall@citrix.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e2e004ac
    • David S. Miller's avatar
      Merge branch 'sierra_net-fixes' · 1b5805c2
      David S. Miller authored
      Stefan Brüns says:
      
      ====================
      Fixes for sierra_net driver
      
      When trying to initiate a dual-stack (ipv4v6) connection, a MC7710, FW
      version SWI9200X_03.05.24.00ap answers with an unsupported LSI. Add support
      for this LSI.
      Also the link_type should be ignored when going idle, otherwise the modem
      is stuck in a bad link state.
      Tested on MC7710, T-Mobile DE, APN internet.telekom, IPv4v6 PDP type. Both
      IPv4 and IPv6 connections work.
      
      v2: Do not overwrite protocol field in rx_fixup
      v3: Remove leftover struct ethhdr *eth declaration
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1b5805c2
    • Stefan Brüns's avatar
      sierra_net: Skip validating irrelevant fields for IDLE LSIs · 764895d3
      Stefan Brüns authored
      When the context is deactivated, the link_type is set to 0xff, which
      triggers a warning message, and results in a wrong link status, as
      the LSI is ignored.
      Signed-off-by: default avatarStefan Brüns <stefan.bruens@rwth-aachen.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      764895d3
    • Stefan Brüns's avatar
      sierra_net: Add support for IPv6 and Dual-Stack Link Sense Indications · 5a70348e
      Stefan Brüns authored
      If a context is configured as dualstack ("IPv4v6"), the modem indicates
      the context activation with a slightly different indication message.
      The dual-stack indication omits the link_type (IPv4/v6) and adds
      additional address fields.
      IPv6 LSIs are identical to IPv4 LSIs, but have a different link type.
      Signed-off-by: default avatarStefan Brüns <stefan.bruens@rwth-aachen.de>
      Reviewed-by: default avatarBjørn Mork <bjorn@mork.no>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5a70348e
    • WANG Cong's avatar
      kcm: fix 0-length case for kcm_sendmsg() · 98e3862c
      WANG Cong authored
      Dmitry reported a kernel warning:
      
       WARNING: CPU: 3 PID: 2936 at net/kcm/kcmsock.c:627
       kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
       CPU: 3 PID: 2936 Comm: a.out Not tainted 4.10.0-rc6+ #209
       Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
       Call Trace:
        __dump_stack lib/dump_stack.c:15 [inline]
        dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
        panic+0x1fb/0x412 kernel/panic.c:179
        __warn+0x1c4/0x1e0 kernel/panic.c:539
        warn_slowpath_null+0x2c/0x40 kernel/panic.c:582
        kcm_write_msgs+0x12e3/0x1b90 net/kcm/kcmsock.c:627
        kcm_sendmsg+0x163a/0x2200 net/kcm/kcmsock.c:1029
        sock_sendmsg_nosec net/socket.c:635 [inline]
        sock_sendmsg+0xca/0x110 net/socket.c:645
        sock_write_iter+0x326/0x600 net/socket.c:848
        new_sync_write fs/read_write.c:499 [inline]
        __vfs_write+0x483/0x740 fs/read_write.c:512
        vfs_write+0x187/0x530 fs/read_write.c:560
        SYSC_write fs/read_write.c:607 [inline]
        SyS_write+0xfb/0x230 fs/read_write.c:599
        entry_SYSCALL_64_fastpath+0x1f/0xc2
      
      when calling syscall(__NR_write, sock2, 0x208aaf27ul, 0x0ul) on a KCM
      seqpacket socket. It appears that kcm_sendmsg() does not handle len==0
      case correctly, which causes an empty skb is allocated and queued.
      Fix this by skipping the skb allocation for len==0 case.
      Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
      Cc: Tom Herbert <tom@herbertland.com>
      Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      98e3862c
    • Vineeth Remanan Pillai's avatar
      xen-netfront: Rework the fix for Rx stall during OOM and network stress · 538d9291
      Vineeth Remanan Pillai authored
      The commit 90c311b0 ("xen-netfront: Fix Rx stall during network
      stress and OOM") caused the refill timer to be triggerred almost on
      all invocations of xennet_alloc_rx_buffers for certain workloads.
      This reworks the fix by reverting to the old behaviour and taking into
      consideration the skb allocation failure. Refill timer is now triggered
      on insufficient requests or skb allocation failure.
      Signed-off-by: default avatarVineeth Remanan Pillai <vineethp@amazon.com>
      Fixes: 90c311b0 (xen-netfront: Fix Rx stall during network stress and OOM)
      Reported-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Reviewed-by: default avatarBoris Ostrovsky <boris.ostrovsky@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      538d9291
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending · 55aac6ef
      Linus Torvalds authored
      Pull SCSI target fixes from Nicholas Bellinger:
       "This target series for v4.10 contains fixes which address a few
        long-standing bugs that DATERA's QA + automation teams have uncovered
        while putting v4.1.y target code into production usage.
      
        We've been running the top three in our nightly automated regression
        runs for the last two months, and the COMPARE_AND_WRITE fix Mr. Gary
        Guo has been manually verifying against a four node ESX cluster this
        past week.
      
        Note all of them have CC' stable tags.
      
        Summary:
      
         - Fix a bug with ESX EXTENDED_COPY + SAM_STAT_RESERVATION_CONFLICT
           status, where target_core_xcopy.c logic was incorrectly returning
           SAM_STAT_CHECK_CONDITION for all non SAM_STAT_GOOD cases (Nixon
           Vincent)
      
         - Fix a TMR LUN_RESET hung task bug while other in-flight TMRs are
           being aborted, before the new one had been dispatched into tmr_wq
           (Rob Millner)
      
         - Fix a long standing double free OOPs, where a dynamically generated
           'demo-mode' NodeACL has multiple sessions associated with it, and
           the /sys/kernel/config/target/$FABRIC/$WWN/ subsequently disables
           demo-mode, but never converts the dynamic ACL into a explicit ACL
           (Rob Millner)
      
         - Fix a long standing reference leak with ESX VAAI COMPARE_AND_WRITE
           when the second phase WRITE COMMIT command fails, resulting in
           CHECK_CONDITION response never being sent and se_cmd->cmd_kref
           never reaching zero (Gary Guo)
      
        Beyond these items on v4.1.y we've reproduced, fixed, and run through
        our regression test suite using iscsi-target exports, there are two
        additional outstanding list items:
      
         - Remove a >= v4.2 RCU conversion BUG_ON that would trigger when
           dynamic node NodeACLs where being converted to explicit NodeACLs.
           The patch drops the BUG_ON to follow how pre RCU conversion worked
           for this special case (Benjamin Estrabaud)
      
         - Add ibmvscsis target_core_fabric_ops->max_data_sg_nent assignment
           to match what IBM's Virtual SCSI hypervisor is already enforcing at
           transport layer. (Bryant Ly + Steven Royer)"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/nab/target-pending:
        ibmvscsis: Add SGL limit
        target: Fix COMPARE_AND_WRITE ref leak for non GOOD status
        target: Fix multi-session dynamic se_node_acl double free OOPs
        target: Fix early transport_generic_handle_tmr abort scenario
        target: Use correct SCSI status during EXTENDED_COPY exception
        target: Don't BUG_ON during NodeACL dynamic -> explicit conversion
      55aac6ef
    • Florian Fainelli's avatar
      net: phy: Fix PHY module checks and NULL deref in phy_attach_direct() · 6d9f66ac
      Florian Fainelli authored
      The Generic PHY drivers gets assigned after we checked that the current
      PHY driver is NULL, so we need to check a few things before we can
      safely dereference d->driver. This would be causing a NULL deference to
      occur when a system binds to the Generic PHY driver. Update
      phy_attach_direct() to do the following:
      
      - grab the driver module reference after we have assigned the Generic
        PHY drivers accordingly, and remember we came from the generic PHY
        path
      
      - update the error path to clean up the module reference in case the
        Generic PHY probe function fails
      
      - split the error path involving phy_detacht() to avoid double free/put
        since phy_detach() does all the clean up
      
      - finally, have phy_detach() drop the module reference count before we
        call device_release_driver() for the Generic PHY driver case
      
      Fixes: cafe8df8 ("net: phy: Fix lack of reference count on PHY driver")
      Signed-off-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6d9f66ac
    • Linus Torvalds's avatar
      Merge tag 'pstore-v4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 2b369478
      Linus Torvalds authored
      Pull pstore fix from Kees Cook:
       "Fix pstore regression (boot Oops) when ftrace disabled, from Brian
        Norris"
      
      * tag 'pstore-v4.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        pstore: don't OOPS when there are no ftrace zones
      2b369478
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · 99378fd2
      Linus Torvalds authored
      Pull input fixes from Dmitry Torokhov:
       "A fix for a crash in uinput, and a fix for build errors when HID-RMI
        is built-in but SERIO is a module"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: synaptics-rmi4 - select 'SERIO' when needed
        Input: uinput - fix crash when mixing old and new init style
      99378fd2
    • Brian Norris's avatar
      pstore: don't OOPS when there are no ftrace zones · 8672aed7
      Brian Norris authored
      We'll OOPS in ramoops_get_next_prz() if the platform didn't ask for any
      ftrace zones (i.e., cxt->fprzs will be NULL). Let's just skip this
      entire FTRACE section if there's no 'fprzs'.
      
      Regression seen on a coreboot/depthcharge-based Chromebook.
      
      Fixes: 2fbea82b ("pstore: Merge per-CPU ftrace records into one")
      Cc: Joel Fernandes <joelaf@google.com>
      Cc: Kees Cook <keescook@chromium.org>
      Signed-off-by: default avatarBrian Norris <briannorris@chromium.org>
      Signed-off-by: default avatarKees Cook <keescook@chromium.org>
      8672aed7
    • Linus Torvalds's avatar
      Merge tag 'vfio-v4.10-final' of git://github.com/awilliam/linux-vfio · 189addce
      Linus Torvalds authored
      Pull VFIO fix from Alex Williamson:
       "Fix regression in attaching groups to existing container for SPAPR
        IOMMU backend (Alexey Kardashevskiy)"
      
      * tag 'vfio-v4.10-final' of git://github.com/awilliam/linux-vfio:
        vfio/spapr_tce: Set window when adding additional groups to container
      189addce
    • Linus Torvalds's avatar
      Merge branch 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm · 59e8f10a
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
       "A couple more fixes for 4.10:
      
         - fix addressing the short regset write issue (Dave Martin)
      
         - fix for LPAE systems which leave a pending imprecise data abort
           before entering the kernel (Alexander Sverdlin)"
      
      * 'fixes' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8643/3: arm/ptrace: Preserve previous registers for short regset write
        ARM: 8642/1: LPAE: catch pending imprecise abort on unmask
      59e8f10a