1. 19 Dec, 2017 24 commits
  2. 18 Dec, 2017 10 commits
    • Alexey Khoroshilov's avatar
      net: phy: xgene: disable clk on error paths · ab144360
      Alexey Khoroshilov authored
      There are several error paths in xgene_mdio_probe(),
      where clk is left undisabled. The patch fixes them.
      
      Found by Linux Driver Verification project (linuxtesting.org).
      Signed-off-by: default avatarAlexey Khoroshilov <khoroshilov@ispras.ru>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ab144360
    • Russell King's avatar
      net: phy: marvell: avoid pause mode on SGMII-to-Copper for 88e151x · 6623c0fb
      Russell King authored
      Observed on the 88e1512 in SGMII-to-Copper mode, negotiating pause
      is unreliable.  While the pause bits can be set in the advertisment
      register, they clear shortly after negotiation with a link partner
      commences irrespective of the cause of the negotiation.
      
      While these bits may be correctly conveyed to the link partner on the
      first negotiation, a subsequent negotiation (eg, due to negotiation
      restart by the link partner, or reconnection of the cable) will result
      in the link partner seeing these bits as zero, while the kernel
      believes that it has advertised pause modes.
      
      This leads to the local kernel evaluating (eg) symmetric pause mode,
      while the remote end evaluates that we have no pause mode capability.
      
      Since we can't guarantee the advertisment, disable pause mode support
      with this PHY when used in SGMII-to-Copper mode.
      
      The 88e1510 in RGMII-to-Copper mode appears to behave correctly.
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarRussell King <rmk+kernel@armlinux.org.uk>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6623c0fb
    • Nikolay Aleksandrov's avatar
      net: bridge: fix early call to br_stp_change_bridge_id and plug newlink leaks · 84aeb437
      Nikolay Aleksandrov authored
      The early call to br_stp_change_bridge_id in bridge's newlink can cause
      a memory leak if an error occurs during the newlink because the fdb
      entries are not cleaned up if a different lladdr was specified, also
      another minor issue is that it generates fdb notifications with
      ifindex = 0. Another unrelated memory leak is the bridge sysfs entries
      which get added on NETDEV_REGISTER event, but are not cleaned up in the
      newlink error path. To remove this special case the call to
      br_stp_change_bridge_id is done after netdev register and we cleanup the
      bridge on changelink error via br_dev_delete to plug all leaks.
      
      This patch makes netlink bridge destruction on newlink error the same as
      dellink and ioctl del which is necessary since at that point we have a
      fully initialized bridge device.
      
      To reproduce the issue:
      $ ip l add br0 address 00:11:22:33:44:55 type bridge group_fwd_mask 1
      RTNETLINK answers: Invalid argument
      
      $ rmmod bridge
      [ 1822.142525] =============================================================================
      [ 1822.143640] BUG bridge_fdb_cache (Tainted: G           O    ): Objects remaining in bridge_fdb_cache on __kmem_cache_shutdown()
      [ 1822.144821] -----------------------------------------------------------------------------
      
      [ 1822.145990] Disabling lock debugging due to kernel taint
      [ 1822.146732] INFO: Slab 0x0000000092a844b2 objects=32 used=2 fp=0x00000000fef011b0 flags=0x1ffff8000000100
      [ 1822.147700] CPU: 2 PID: 13584 Comm: rmmod Tainted: G    B      O     4.15.0-rc2+ #87
      [ 1822.148578] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014
      [ 1822.150008] Call Trace:
      [ 1822.150510]  dump_stack+0x78/0xa9
      [ 1822.151156]  slab_err+0xb1/0xd3
      [ 1822.151834]  ? __kmalloc+0x1bb/0x1ce
      [ 1822.152546]  __kmem_cache_shutdown+0x151/0x28b
      [ 1822.153395]  shutdown_cache+0x13/0x144
      [ 1822.154126]  kmem_cache_destroy+0x1c0/0x1fb
      [ 1822.154669]  SyS_delete_module+0x194/0x244
      [ 1822.155199]  ? trace_hardirqs_on_thunk+0x1a/0x1c
      [ 1822.155773]  entry_SYSCALL_64_fastpath+0x23/0x9a
      [ 1822.156343] RIP: 0033:0x7f929bd38b17
      [ 1822.156859] RSP: 002b:00007ffd160e9a98 EFLAGS: 00000202 ORIG_RAX: 00000000000000b0
      [ 1822.157728] RAX: ffffffffffffffda RBX: 00005578316ba090 RCX: 00007f929bd38b17
      [ 1822.158422] RDX: 00007f929bd9ec60 RSI: 0000000000000800 RDI: 00005578316ba0f0
      [ 1822.159114] RBP: 0000000000000003 R08: 00007f929bff5f20 R09: 00007ffd160e8a11
      [ 1822.159808] R10: 00007ffd160e9860 R11: 0000000000000202 R12: 00007ffd160e8a80
      [ 1822.160513] R13: 0000000000000000 R14: 0000000000000000 R15: 00005578316ba090
      [ 1822.161278] INFO: Object 0x000000007645de29 @offset=0
      [ 1822.161666] INFO: Object 0x00000000d5df2ab5 @offset=128
      
      Fixes: 30313a3d ("bridge: Handle IFLA_ADDRESS correctly when creating bridge device")
      Fixes: 5b8d5429 ("bridge: netlink: register netdevice before executing changelink")
      Signed-off-by: default avatarNikolay Aleksandrov <nikolay@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      84aeb437
    • Xin Long's avatar
      sctp: add SCTP_CID_RECONF conversion in sctp_cname · d1969759
      Xin Long authored
      Whenever a new type of chunk is added, the corresp conversion in
      sctp_cname should be added. Otherwise, in some places, pr_debug
      will print it as "unknown chunk".
      
      Fixes: cc16f00f ("sctp: add support for generating stream reconf ssn reset request chunk")
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo R. Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d1969759
    • Xin Long's avatar
      sctp: fix the issue that a __u16 variable may overflow in sctp_ulpq_renege · 5c468674
      Xin Long authored
      Now when reneging events in sctp_ulpq_renege(), the variable freed
      could be increased by a __u16 value twice while freed is of __u16
      type. It means freed may overflow at the second addition.
      
      This patch is to fix it by using __u32 type for 'freed', while at
      it, also to remove 'if (chunk)' check, as all renege commands are
      generated in sctp_eat_data and it can't be NULL.
      Reported-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c468674
    • Hemanth Puranik's avatar
      net: qcom/emac: Change the order of mac up and sgmii open · ac3241d5
      Hemanth Puranik authored
      This patch fixes the order of mac_up and sgmii_open for the
      reasons noted below:
      
      - If open takes more time(if the SGMII block is not responding or
        if we want to do some delay based task) in this situation we
        will hit NETDEV watchdog
      - The main reason : We should signal to upper layers that we are
        ready to receive packets "only" when the entire path is initialized
        not the other way around, this is followed in the reset path where
        we do mac_down, sgmii_reset and mac_up. This also makes the driver
        uniform across the reset and open paths.
      - In the future there may be need for delay based tasks to be done in
        sgmii open which will result in NETDEV watchdog
      - As per the documentation the order of init should be sgmii, mac, rings
        and DMA
      Signed-off-by: default avatarHemanth Puranik <hpuranik@codeaurora.org>
      Acked-by: default avatarTimur Tabi <timur@codeaurora.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac3241d5
    • Zhao Qiang's avatar
      net: phy: marvell: Limit 88m1101 autoneg errata to 88E1145 as well. · c505873e
      Zhao Qiang authored
      88E1145 also need this autoneg errata.
      
      Fixes: f2899788 ("net: phy: marvell: Limit errata to 88m1101")
      Signed-off-by: default avatarZhao Qiang <qiang.zhao@nxp.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c505873e
    • Jon Maloy's avatar
      tipc: remove leaving group member from all lists · 3f42f5fe
      Jon Maloy authored
      A group member going into state LEAVING should never go back to any
      other state before it is finally deleted. However, this might happen
      if the socket needs to send out a RECLAIM message during this interval.
      Since we forget to remove the leaving member from the group's 'active'
      or 'pending' list, the member might be selected for reclaiming, change
      state to RECLAIMING, and get stuck in this state instead of being
      deleted. This might lead to suppression of the expected 'member down'
      event to the receiver.
      
      We fix this by removing the member from all lists, except the RB tree,
      at the moment it goes into state LEAVING.
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3f42f5fe
    • Jon Maloy's avatar
      tipc: fix lost member events bug · 23483399
      Jon Maloy authored
      Group messages are not supposed to be returned to sender when the
      destination socket disappears. This is done correctly for regular
      traffic messages, by setting the 'dest_droppable' bit in the header.
      But we forget to do that in group protocol messages. This has the effect
      that such messages may sometimes bounce back to the sender, be perceived
      as a legitimate peer message, and wreak general havoc for the rest of
      the session. In particular, we have seen that a member in state LEAVING
      may go back to state RECLAIMED or REMITTED, hence causing suppression
      of an otherwise expected 'member down' event to the user.
      
      We fix this by setting the 'dest_droppable' bit even in group protocol
      messages.
      Signed-off-by: default avatarJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      23483399
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · b36025b1
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2017-12-17
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix a corner case in generic XDP where we have non-linear skbs
         but enough tailroom in the skb to not miss to linearizing there,
         from Song.
      
      2) Fix BPF JIT bugs in s390x and ppc64 to not recache skb data when
         BPF context is not skb, from Daniel.
      
      3) Fix a BPF JIT bug in sparc64 where recaching skb data after helper
         call would use the wrong register for the skb, from Daniel.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b36025b1
  3. 17 Dec, 2017 2 commits
    • Alexey Kodanev's avatar
      vxlan: restore dev->mtu setting based on lower device · f870c1ff
      Alexey Kodanev authored
      Stefano Brivio says:
          Commit a985343b ("vxlan: refactor verification and
          application of configuration") introduced a change in the
          behaviour of initial MTU setting: earlier, the MTU for a link
          created on top of a given lower device, without an initial MTU
          specification, was set to the MTU of the lower device minus
          headroom as a result of this path in vxlan_dev_configure():
      
      	if (!conf->mtu)
      		dev->mtu = lowerdev->mtu -
      			   (use_ipv6 ? VXLAN6_HEADROOM : VXLAN_HEADROOM);
      
          which is now gone. Now, the initial MTU, in absence of a
          configured value, is simply set by ether_setup() to ETH_DATA_LEN
          (1500 bytes).
      
          This breaks userspace expectations in case the MTU of
          the lower device is higher than 1500 bytes minus headroom.
      
      This patch restores the previous behaviour on newlink operation. Since
      max_mtu can be negative and we update dev->mtu directly, also check it
      for valid minimum.
      Reported-by: default avatarJunhan Yan <juyan@redhat.com>
      Fixes: a985343b ("vxlan: refactor verification and application of configuration")
      Signed-off-by: default avatarAlexey Kodanev <alexey.kodanev@oracle.com>
      Acked-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f870c1ff
    • Brendan McGrath's avatar
      ipv6: icmp6: Allow icmp messages to be looped back · 588753f1
      Brendan McGrath authored
      One example of when an ICMPv6 packet is required to be looped back is
      when a host acts as both a Multicast Listener and a Multicast Router.
      
      A Multicast Router will listen on address ff02::16 for MLDv2 messages.
      
      Currently, MLDv2 messages originating from a Multicast Listener running
      on the same host as the Multicast Router are not being delivered to the
      Multicast Router. This is due to dst.input being assigned the default
      value of dst_discard.
      
      This results in the packet being looped back but discarded before being
      delivered to the Multicast Router.
      
      This patch sets dst.input to ip6_input to ensure a looped back packet
      is delivered to the Multicast Router.
      Signed-off-by: default avatarBrendan McGrath <redmcg@redmandi.dyndns.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      588753f1
  4. 16 Dec, 2017 4 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · f3b5ad89
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "More fixes from testing done on the rc kernel, including more SELinux
        testing. Looking forward, lockdep found regression today in ipoib
        which is still being fixed.
      
        Summary:
      
         - Fix for SELinux on the umad SMI path. Some old hardware does not
           fill the PKey properly exposing another bug in the newer SELinux
           code.
      
         - Check the input port as we can exceed array bounds from this user
           supplied value
      
         - Users are unable to use the hash field support as they want due to
           incorrect checks on the field restrictions, correct that so the
           feature works as intended
      
         - User triggerable oops in the NETLINK_RDMA handler
      
         - cxgb4 driver fix for a bad interaction with CQ flushing in iser
           caused by patches in this merge window, and bad CQ flushing during
           normal close.
      
         - Unbalanced memalloc_noio in ipoib in an error path"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        IB/ipoib: Restore MM behavior in case of tx_ring allocation failure
        iw_cxgb4: only insert drain cqes if wq is flushed
        iw_cxgb4: only clear the ARMED bit if a notification is needed
        RDMA/netlink: Fix general protection fault
        IB/mlx4: Fix RSS hash fields restrictions
        IB/core: Don't enforce PKey security on SMI MADs
        IB/core: Bound check alternate path port number
      f3b5ad89
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · f25e2295
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Two bugfixes for the AT24 I2C eeprom driver and some minor corrections
        for I2C bus drivers"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: piix4: Fix port number check on release
        i2c: stm32: Fix copyrights
        i2c-cht-wc: constify platform_device_id
        eeprom: at24: change nvmem stride to 1
        eeprom: at24: fix I2C device selection for runtime PM
      f25e2295
    • Linus Torvalds's avatar
      Merge tag 'nfs-for-4.15-3' of git://git.linux-nfs.org/projects/anna/linux-nfs · d025fbf1
      Linus Torvalds authored
      Pull NFS client fixes from Anna Schumaker:
       "This has two stable bugfixes, one to fix a BUG_ON() when
        nfs_commit_inode() is called with no outstanding commit requests and
        another to fix a race in the SUNRPC receive codepath.
      
        Additionally, there are also fixes for an NFS client deadlock and an
        xprtrdma performance regression.
      
        Summary:
      
        Stable bugfixes:
         - NFS: Avoid a BUG_ON() in nfs_commit_inode() by not waiting for a
           commit in the case that there were no commit requests.
         - SUNRPC: Fix a race in the receive code path
      
        Other fixes:
         - NFS: Fix a deadlock in nfs client initialization
         - xprtrdma: Fix a performance regression for small IOs"
      
      * tag 'nfs-for-4.15-3' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        SUNRPC: Fix a race in the receive code path
        nfs: don't wait on commit in nfs_commit_inode() if there were no commit requests
        xprtrdma: Spread reply processing over more CPUs
        nfs: fix a deadlock in nfs client initialization
      d025fbf1
    • Linus Torvalds's avatar
      Revert "mm: replace p??_write with pte_access_permitted in fault + gup paths" · f6f37321
      Linus Torvalds authored
      This reverts commits 5c9d2d5c, c7da82b8, and e7fe7b5c.
      
      We'll probably need to revisit this, but basically we should not
      complicate the get_user_pages_fast() case, and checking the actual page
      table protection key bits will require more care anyway, since the
      protection keys depend on the exact state of the VM in question.
      
      Particularly when doing a "remote" page lookup (ie in somebody elses VM,
      not your own), you need to be much more careful than this was.  Dave
      Hansen says:
      
       "So, the underlying bug here is that we now a get_user_pages_remote()
        and then go ahead and do the p*_access_permitted() checks against the
        current PKRU. This was introduced recently with the addition of the
        new p??_access_permitted() calls.
      
        We have checks in the VMA path for the "remote" gups and we avoid
        consulting PKRU for them. This got missed in the pkeys selftests
        because I did a ptrace read, but not a *write*. I also didn't
        explicitly test it against something where a COW needed to be done"
      
      It's also not entirely clear that it makes sense to check the protection
      key bits at this level at all.  But one possible eventual solution is to
      make the get_user_pages_fast() case just abort if it sees protection key
      bits set, which makes us fall back to the regular get_user_pages() case,
      which then has a vma and can do the check there if we want to.
      
      We'll see.
      
      Somewhat related to this all: what we _do_ want to do some day is to
      check the PAGE_USER bit - it should obviously always be set for user
      pages, but it would be a good check to have back.  Because we have no
      generic way to test for it, we lost it as part of moving over from the
      architecture-specific x86 GUP implementation to the generic one in
      commit e585513b ("x86/mm/gup: Switch GUP to the generic
      get_user_page_fast() implementation").
      
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Dave Hansen <dave.hansen@intel.com>
      Cc: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
      Cc: "Jérôme Glisse" <jglisse@redhat.com>
      Cc: Andrew Morton <akpm@linux-foundation.org>
      Cc: Al Viro <viro@zeniv.linux.org.uk>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f6f37321