1. 02 Aug, 2020 1 commit
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 628e04df
      Linus Torvalds authored
      Pull KVM fixes from Paolo Bonzini:
       "Bugfixes and strengthening the validity checks on inputs from new
        userspace APIs.
      
        Now I know why I shouldn't prepare pull requests on the weekend, it's
        hard to concentrate if your son is shouting about his latest Minecraft
        builds in your ear. Fortunately all the patches were ready and I just
        had to check the test results..."
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        KVM: SVM: Fix disable pause loop exit/pause filtering capability on SVM
        KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled
        KVM: arm64: Don't inherit exec permission across page-table levels
        KVM: arm64: Prevent vcpu_has_ptrauth from generating OOL functions
        KVM: nVMX: check for invalid hdr.vmx.flags
        KVM: nVMX: check for required but missing VMCS12 in KVM_SET_NESTED_STATE
        selftests: kvm: do not set guest mode flag
      628e04df
  2. 01 Aug, 2020 8 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · ac3a0c84
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Encap offset calculation is incorrect in esp6, from Sabrina Dubroca.
      
       2) Better parameter validation in pfkey_dump(), from Mark Salyzyn.
      
       3) Fix several clang issues on powerpc in selftests, from Tanner Love.
      
       4) cmsghdr_from_user_compat_to_kern() uses the wrong length, from Al
          Viro.
      
       5) Out of bounds access in mlx5e driver, from Raed Salem.
      
       6) Fix transfer buffer memleak in lan78xx, from Johan Havold.
      
       7) RCU fixups in rhashtable, from Herbert Xu.
      
       8) Fix ipv6 nexthop refcnt leak, from Xiyu Yang.
      
       9) vxlan FDB dump must be done under RCU, from Ido Schimmel.
      
      10) Fix use after free in mlxsw, from Ido Schimmel.
      
      11) Fix map leak in HASH_OF_MAPS bpf code, from Andrii Nakryiko.
      
      12) Fix bug in mac80211 Tx ack status reporting, from Vasanthakumar
          Thiagarajan.
      
      13) Fix memory leaks in IPV6_ADDRFORM code, from Cong Wang.
      
      14) Fix bpf program reference count leaks in mlx5 during
          mlx5e_alloc_rq(), from Xin Xiong.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (86 commits)
        vxlan: fix memleak of fdb
        rds: Prevent kernel-infoleak in rds_notify_queue_get()
        net/sched: The error lable position is corrected in ct_init_module
        net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq
        net/mlx5e: E-Switch, Specify flow_source for rule with no in_port
        net/mlx5e: E-Switch, Add misc bit when misc fields changed for mirroring
        net/mlx5e: CT: Support restore ipv6 tunnel
        net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe()
        ionic: unlock queue mutex in error path
        atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent
        net: ethernet: mtk_eth_soc: fix MTU warnings
        net: nixge: fix potential memory leak in nixge_probe()
        devlink: ignore -EOPNOTSUPP errors on dumpit
        rxrpc: Fix race between recvmsg and sendmsg on immediate call failure
        MAINTAINERS: Replace Thor Thayer as Altera Triple Speed Ethernet maintainer
        selftests/bpf: fix netdevsim trap_flow_action_cookie read
        ipv6: fix memory leaks on IPV6_ADDRFORM path
        net/bpfilter: Initialize pos in __bpfilter_process_sockopt
        igb: reinit_locked() should be called with rtnl_lock
        e1000e: continue to init PHY even when failed to disable ULP
        ...
      ac3a0c84
    • Linus Torvalds's avatar
      Merge tag 'for-linus-2020-08-01' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux · 0ae3495b
      Linus Torvalds authored
      Pull thread fix from Christian Brauner:
       "A simple spelling fix for dequeue_synchronous_signal()"
      
      * tag 'for-linus-2020-08-01' of git://git.kernel.org/pub/scm/linux/kernel/git/brauner/linux:
        signal: fix typo in dequeue_synchronous_signal()
      0ae3495b
    • Linus Torvalds's avatar
      Merge tag 'perf-tools-fixes-2020-08-01' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux · bf121a0b
      Linus Torvalds authored
      Pull perf tooling fixes from Arnaldo Carvalho de Melo:
      
       - Fix libtraceevent build with binutils 2.35
      
       - Fix memory leak in process_dynamic_array_len in libtraceevent
      
       - Fix 'perf test 68' zstd compression for s390
      
       - Fix record failure when mixed with ARM SPE event
      
      * tag 'perf-tools-fixes-2020-08-01' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux:
        libtraceevent: Fix build with binutils 2.35
        perf tools: Fix record failure when mixed with ARM SPE event
        perf tests: Fix test 68 zstd compression for s390
        tools lib traceevent: Fix memory leak in process_dynamic_array_len
      bf121a0b
    • Taehee Yoo's avatar
      vxlan: fix memleak of fdb · fda2ec62
      Taehee Yoo authored
      When vxlan interface is deleted, all fdbs are deleted by vxlan_flush().
      vxlan_flush() flushes fdbs but it doesn't delete fdb, which contains
      all-zeros-mac because it is deleted by vxlan_uninit().
      But vxlan_uninit() deletes only the fdb, which contains both all-zeros-mac
      and default vni.
      So, the fdb, which contains both all-zeros-mac and non-default vni
      will not be deleted.
      
      Test commands:
          ip link add vxlan0 type vxlan dstport 4789 external
          ip link set vxlan0 up
          bridge fdb add to 00:00:00:00:00:00 dst 172.0.0.1 dev vxlan0 via lo \
      	    src_vni 10000 self permanent
          ip link del vxlan0
      
      kmemleak reports as follows:
      unreferenced object 0xffff9486b25ced88 (size 96):
        comm "bridge", pid 2151, jiffies 4294701712 (age 35506.901s)
        hex dump (first 32 bytes):
          02 00 00 00 ac 00 00 01 40 00 09 b1 86 94 ff ff  ........@.......
          46 02 00 00 00 00 00 00 a7 03 00 00 12 b5 6a 6b  F.............jk
        backtrace:
          [<00000000c10cf651>] vxlan_fdb_append.part.51+0x3c/0xf0 [vxlan]
          [<000000006b31a8d9>] vxlan_fdb_create+0x184/0x1a0 [vxlan]
          [<0000000049399045>] vxlan_fdb_update+0x12f/0x220 [vxlan]
          [<0000000090b1ef00>] vxlan_fdb_add+0x12a/0x1b0 [vxlan]
          [<0000000056633c2c>] rtnl_fdb_add+0x187/0x270
          [<00000000dd5dfb6b>] rtnetlink_rcv_msg+0x264/0x490
          [<00000000fc44dd54>] netlink_rcv_skb+0x4a/0x110
          [<00000000dff433e7>] netlink_unicast+0x18e/0x250
          [<00000000b87fb421>] netlink_sendmsg+0x2e9/0x400
          [<000000002ed55153>] ____sys_sendmsg+0x237/0x260
          [<00000000faa51c66>] ___sys_sendmsg+0x88/0xd0
          [<000000006c3982f1>] __sys_sendmsg+0x4e/0x80
          [<00000000a8f875d2>] do_syscall_64+0x56/0xe0
          [<000000003610eefa>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      unreferenced object 0xffff9486b1c40080 (size 128):
        comm "bridge", pid 2157, jiffies 4294701754 (age 35506.866s)
        hex dump (first 32 bytes):
          00 00 00 00 00 00 00 00 f8 dc 42 b2 86 94 ff ff  ..........B.....
          6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkkkkkkkkk
        backtrace:
          [<00000000a2981b60>] vxlan_fdb_create+0x67/0x1a0 [vxlan]
          [<0000000049399045>] vxlan_fdb_update+0x12f/0x220 [vxlan]
          [<0000000090b1ef00>] vxlan_fdb_add+0x12a/0x1b0 [vxlan]
          [<0000000056633c2c>] rtnl_fdb_add+0x187/0x270
          [<00000000dd5dfb6b>] rtnetlink_rcv_msg+0x264/0x490
          [<00000000fc44dd54>] netlink_rcv_skb+0x4a/0x110
          [<00000000dff433e7>] netlink_unicast+0x18e/0x250
          [<00000000b87fb421>] netlink_sendmsg+0x2e9/0x400
          [<000000002ed55153>] ____sys_sendmsg+0x237/0x260
          [<00000000faa51c66>] ___sys_sendmsg+0x88/0xd0
          [<000000006c3982f1>] __sys_sendmsg+0x4e/0x80
          [<00000000a8f875d2>] do_syscall_64+0x56/0xe0
          [<000000003610eefa>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 3ad7a4b1 ("vxlan: support fdb and learning in COLLECT_METADATA mode")
      Signed-off-by: default avatarTaehee Yoo <ap420073@gmail.com>
      Acked-by: default avatarRoopa Prabhu <roopa@cumulusnetworks.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      fda2ec62
    • Linus Torvalds's avatar
      Merge tag 'pinctrl-v5.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · d52daa86
      Linus Torvalds authored
      Pull pin control fix from Linus Walleij:
       "A single last minute pin control fix to the Qualcomm driver fixing
        missing dual edge PCH interrupts"
      
      * tag 'pinctrl-v5.8-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: qcom: Handle broken/missing PDC dual edge IRQs on sc7180
      d52daa86
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 69138b34
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2020-07-31
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 5 non-merge commits during the last 21 day(s) which contain
      a total of 5 files changed, 126 insertions(+), 18 deletions(-).
      
      The main changes are:
      
      1) Fix a map element leak in HASH_OF_MAPS map type, from Andrii Nakryiko.
      
      2) Fix a NULL pointer dereference in __btf_resolve_helper_id() when no
         btf_vmlinux is available, from Peilin Ye.
      
      3) Init pos variable in __bpfilter_process_sockopt(), from Christoph Hellwig.
      
      4) Fix a cgroup sockopt verifier test by specifying expected attach type,
         from Jean-Philippe Brucker.
      
      Note that when net gets merged into net-next later on, there is a small
      merge conflict in kernel/bpf/btf.c between commit 5b801dfb ("bpf: Fix
      NULL pointer dereference in __btf_resolve_helper_id()") from the bpf tree
      and commit 138b9a05 ("bpf: Remove btf_id helpers resolving") from the
      net-next tree.
      
      Resolve as follows: remove the old hunk with the __btf_resolve_helper_id()
      function. Change the btf_resolve_helper_id() so it actually tests for a
      NULL btf_vmlinux and bails out:
      
      int btf_resolve_helper_id(struct bpf_verifier_log *log,
                                const struct bpf_func_proto *fn, int arg)
      {
              int id;
      
              if (fn->arg_type[arg] != ARG_PTR_TO_BTF_ID || !btf_vmlinux)
                      return -EINVAL;
              id = fn->btf_id[arg];
              if (!id || id > btf_vmlinux->nr_types)
                      return -EINVAL;
              return id;
      }
      
      Let me know if you run into any others issues (CC'ing Jiri Olsa so he's in
      the loop with regards to merge conflict resolution).
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      69138b34
    • David S. Miller's avatar
      Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec · 8d46215a
      David S. Miller authored
      Steffen Klassert says:
      
      ====================
      pull request (net): ipsec 2020-07-31
      
      1) Fix policy matching with mark and mask on userspace interfaces.
         From Xin Long.
      
      2) Several fixes for the new ESP in TCP encapsulation.
         From Sabrina Dubroca.
      
      3) Fix crash when the hold queue is used. The assumption that
         xdst->path and dst->child are not a NULL pointer only if dst->xfrm
         is not a NULL pointer is true with the exception of using the
         hold queue. Fix this by checking for hold queue usage before
         dereferencing xdst->path or dst->child.
      
      4) Validate pfkey_dump parameter before sending them.
         From Mark Salyzyn.
      
      5) Fix the location of the transport header with ESP in UDPv6
         encapsulation. From Sabrina Dubroca.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8d46215a
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2020-07-30' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · e535d87d
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2020-07-30
      
      This small patchset introduces some fixes to mlx5 driver.
      
      Please pull and let me know if there is any problem.
      
      For -stable v4.18:
       ('net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq')
      
      For -stable v5.7:
       ('net/mlx5e: E-Switch, Add misc bit when misc fields changed for mirroring')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e535d87d
  3. 31 Jul, 2020 26 commits
    • Peilin Ye's avatar
      rds: Prevent kernel-infoleak in rds_notify_queue_get() · bbc8a99e
      Peilin Ye authored
      rds_notify_queue_get() is potentially copying uninitialized kernel stack
      memory to userspace since the compiler may leave a 4-byte hole at the end
      of `cmsg`.
      
      In 2016 we tried to fix this issue by doing `= { 0 };` on `cmsg`, which
      unfortunately does not always initialize that 4-byte hole. Fix it by using
      memset() instead.
      
      Cc: stable@vger.kernel.org
      Fixes: f037590f ("rds: fix a leak of kernel memory")
      Fixes: bdbe6fbc ("RDS: recv.c")
      Suggested-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarPeilin Ye <yepeilin.cs@gmail.com>
      Acked-by: default avatarSantosh Shilimkar <santosh.shilimkar@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      bbc8a99e
    • David S. Miller's avatar
      Merge branch '1GbE' of git://git.kernel.org/pub/scm/linux/kernel/git/jkirsher/net-queue · dc096288
      David S. Miller authored
      Tony Nguyen says:
      
      ====================
      Intel Wired LAN Driver Updates 2020-07-30
      
      This series contains updates to the e1000e and igb drivers.
      
      Aaron Ma allows PHY initialization to continue if ULP disable failed for
      e1000e.
      
      Francesco Ruggeri fixes race conditions in igb reset that could cause panics.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      dc096288
    • liujian's avatar
      net/sched: The error lable position is corrected in ct_init_module · 8c5c51f5
      liujian authored
      Exchange the positions of the err_tbl_init and err_register labels in
      ct_init_module function.
      
      Fixes: c34b961a ("net/sched: act_ct: Create nf flow table per zone")
      Signed-off-by: default avatarliujian <liujian56@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      8c5c51f5
    • Linus Torvalds's avatar
      Merge branch 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux · 7dc6fd0f
      Linus Torvalds authored
      Pull i2c fixes from Wolfram Sang:
       "Some I2C core improvements to prevent NULL pointer usage and a
        MAINTAINERS update"
      
      * 'i2c/for-current' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
        i2c: slave: add sanity check when unregistering
        i2c: slave: improve sanity check when registering
        MAINTAINERS: Update GENI I2C maintainers list
        i2c: also convert placeholder function to return errno
      7dc6fd0f
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.8-8' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · deacdb3e
      Linus Torvalds authored
      Pull powerpc fix from Michael Ellerman:
       "Fix a bug introduced by the changes we made to lockless page table
        walking this cycle.
      
        When using the hash MMU, and perf with callchain recording, we can
        deadlock if the PMI interrupts a hash fault, and the callchain
        recording then takes a hash fault on the same page.
      
        Thanks to Nicholas Piggin, Aneesh Kumar K.V, Anton Blanchard, and
        Athira Rajeev"
      
      * tag 'powerpc-5.8-8' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/64s/hash: Fix hash_preload running with interrupts enabled
      deacdb3e
    • Linus Torvalds's avatar
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · 14aab7ee
      Linus Torvalds authored
      Pull arm64 fixes from Will Deacon:
       "The main one is to fix the build after Willy's per-cpu entropy changes
        this week. Although that was already resolved elsewhere, the arm64 fix
        here is useful cleanup anyway.
      
        Other than that, we've got a fix for building with Clang's integrated
        assembler and a fix to make our IPv4 checksumming robust against
        invalid header lengths (this only seems to be triggerable by injected
        errors).
      
         - Fix build breakage due to circular headers
      
         - Fix build regression when using Clang's integrated assembler
      
         - Fix IPv4 header checksum code to deal with invalid length field
      
         - Fix broken path for Arm PMU entry in MAINTAINERS"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        MAINTAINERS: Include drivers subdirs for ARM PMU PROFILING AND DEBUGGING entry
        arm64: csum: Fix handling of bad packets
        arm64: Drop unnecessary include from asm/smp.h
        arm64/alternatives: move length validation inside the subsection
      14aab7ee
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm · c1954ca6
      Linus Torvalds authored
      Pull ARM fixes from Russell King:
      
       - avoid invoking overflow handler for uaccess watchpoints
      
       - fix incorrect clock_gettime64 availability
      
       - fix EFI crash in create_mapping_late()
      
      * tag 'for-linus' of git://git.armlinux.org.uk/~rmk/linux-arm:
        ARM: 8988/1: mmu: fix crash in EFI calls due to p4d typo in create_mapping_late()
        ARM: 8987/1: VDSO: Fix incorrect clock_gettime64
        ARM: 8986/1: hw_breakpoint: Don't invoke overflow handler on uaccess watchpoints
      c1954ca6
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · ae2911de
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Two more merge window regressions, a corruption bug in hfi1 and a few
        other small fixes.
      
         - Missing user input validation regression in ucma
      
         - Disallowing a previously allowed user combination regression in
           mlx5
      
         - ODP prefetch memory leaking triggerable by userspace
      
         - Memory corruption in hf1 due to faulty ring buffer logic
      
         - Missed mutex initialization crash in mlx5
      
         - Two small defects with RDMA DIM"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/core: Free DIM memory in error unwind
        RDMA/core: Stop DIM before destroying CQ
        RDMA/mlx5: Initialize QP mutex for the debug kernels
        IB/rdmavt: Fix RQ counting issues causing use of an invalid RWQE
        RDMA/mlx5: Allow providing extra scatter CQE QP flag
        RDMA/mlx5: Fix prefetch memory leak if get_prefetchable_mr fails
        RDMA/cm: Add min length checks to user structure copies
      ae2911de
    • Linus Torvalds's avatar
      Merge tag 'sound-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · 78431ab7
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A few wrap-up small fixes for the usual HD-audio and USB-audio stuff:
      
         - A regression fix for S3 suspend on old Intel platforms
      
         - A fix for possible Oops in ASoC HD-audio binding
      
         - Trivial quirks for various devices"
      
      * tag 'sound-5.8' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Fixed HP right speaker no sound
        ALSA: hda: fix NULL pointer dereference during suspend
        ALSA: hda/hdmi: Fix keep_power assignment for non-component devices
        ALSA: hda: Workaround for spurious wakeups on some Intel platforms
        ALSA: hda/realtek: Fix add a "ultra_low_power" function for intel reference board (alc256)
        ALSA: hda/realtek: typo_fix: enable headset mic of ASUS ROG Zephyrus G14(GA401) series with ALC289
        ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus G15(GA502) series with ALC289
        ALSA: usb-audio: Add implicit feedback quirk for SSL2
      78431ab7
    • Ben Hutchings's avatar
      libtraceevent: Fix build with binutils 2.35 · 39efdd94
      Ben Hutchings authored
      In binutils 2.35, 'nm -D' changed to show symbol versions along with
      symbol names, with the usual @@ separator.  When generating
      libtraceevent-dynamic-list we need just the names, so strip off the
      version suffix if present.
      Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
      Tested-by: default avatarSalvatore Bonaccorso <carnil@debian.org>
      Reviewed-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Cc: linux-trace-devel@vger.kernel.org
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      39efdd94
    • Wei Li's avatar
      perf tools: Fix record failure when mixed with ARM SPE event · bd3c628f
      Wei Li authored
      When recording with cache-misses and arm_spe_x event, I found that it
      will just fail without showing any error info if i put cache-misses
      after 'arm_spe_x' event.
      
        [root@localhost 0620]# perf record -e cache-misses \
      				-e arm_spe_0/ts_enable=1,pct_enable=1,pa_enable=1,load_filter=1,jitter=1,store_filter=1,min_latency=0/ sleep 1
        [ perf record: Woken up 1 times to write data ]
        [ perf record: Captured and wrote 0.067 MB perf.data ]
        [root@localhost 0620]#
        [root@localhost 0620]# perf record -e arm_spe_0/ts_enable=1,pct_enable=1,pa_enable=1,load_filter=1,jitter=1,store_filter=1,min_latency=0/ \
      				     -e  cache-misses sleep 1
        [root@localhost 0620]#
      
      The current code can only work if the only event to be traced is an
      'arm_spe_x', or if it is the last event to be specified. Otherwise the
      last event type will be checked against all the arm_spe_pmus[i]->types,
      none will match and an out of bound 'i' index will be used in
      arm_spe_recording_init().
      
      We don't support concurrent multiple arm_spe_x events currently, that
      is checked in arm_spe_recording_options(), and it will show the relevant
      info. So add the check and record of the first found 'arm_spe_pmu' to
      fix this issue here.
      
      Fixes: ffd3d18c ("perf tools: Add ARM Statistical Profiling Extensions (SPE) support")
      Signed-off-by: default avatarWei Li <liwei391@huawei.com>
      Reviewed-by: default avatarMathieu Poirier <mathieu.poirier@linaro.org>
      Tested-by-by: default avatarLeo Yan <leo.yan@linaro.org>
      Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
      Cc: Hanjun Guo <guohanjun@huawei.com>
      Cc: Jiri Olsa <jolsa@redhat.com>
      Cc: Kim Phillips <kim.phillips@arm.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Mike Leach <mike.leach@linaro.org>
      Cc: Namhyung Kim <namhyung@kernel.org>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Suzuki Poulouse <suzuki.poulose@arm.com>
      Cc: linux-arm-kernel@lists.infradead.org
      Link: http://lore.kernel.org/lkml/20200724071111.35593-2-liwei391@huawei.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      bd3c628f
    • Thomas Richter's avatar
      perf tests: Fix test 68 zstd compression for s390 · 463538a3
      Thomas Richter authored
      Commit 5aa98879 ("s390/cpum_sf: prohibit callchain data collection")
      prohibits call graph sampling for hardware events on s390. The
      information recorded is out of context and does not match.
      
      On s390 this commit now breaks test case 68 Zstd perf.data
      compression/decompression.
      
      Therefore omit call graph sampling on s390 in this test.
      
      Output before:
        [root@t35lp46 perf]# ./perf test -Fv 68
        68: Zstd perf.data compression/decompression              :
        --- start ---
        Collecting compressed record file:
        Error:
        cycles: PMU Hardware doesn't support sampling/overflow-interrupts.
                                      Try 'perf stat'
        ---- end ----
        Zstd perf.data compression/decompression: FAILED!
        [root@t35lp46 perf]#
      
      Output after:
      [root@t35lp46 perf]# ./perf test -Fv 68
        68: Zstd perf.data compression/decompression              :
        --- start ---
        Collecting compressed record file:
        500+0 records in
        500+0 records out
        256000 bytes (256 kB, 250 KiB) copied, 0.00615638 s, 41.6 MB/s
        [ perf record: Woken up 1 times to write data ]
        [ perf record: Captured and wrote 0.004 MB /tmp/perf.data.X3M,
                              compressed (original 0.002 MB, ratio is 3.609) ]
        Checking compressed events stats:
        # compressed : Zstd, level = 1, ratio = 4
              COMPRESSED events:          1
        2ELIFREPh---- end ----
        Zstd perf.data compression/decompression: Ok
        [root@t35lp46 perf]#
      Signed-off-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Reviewed-by: default avatarSumanth Korikkar <sumanthk@linux.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: Sven Schnelle <svens@linux.ibm.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Link: http://lore.kernel.org/lkml/20200729135314.91281-1-tmricht@linux.ibm.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      463538a3
    • Philippe Duplessis-Guindon's avatar
      tools lib traceevent: Fix memory leak in process_dynamic_array_len · e24c6447
      Philippe Duplessis-Guindon authored
      I compiled with AddressSanitizer and I had these memory leaks while I
      was using the tep_parse_format function:
      
          Direct leak of 28 byte(s) in 4 object(s) allocated from:
              #0 0x7fb07db49ffe in __interceptor_realloc (/lib/x86_64-linux-gnu/libasan.so.5+0x10dffe)
              #1 0x7fb07a724228 in extend_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:985
              #2 0x7fb07a724c21 in __read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1140
              #3 0x7fb07a724f78 in read_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1206
              #4 0x7fb07a725191 in __read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1291
              #5 0x7fb07a7251df in read_expect_type /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1299
              #6 0x7fb07a72e6c8 in process_dynamic_array_len /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:2849
              #7 0x7fb07a7304b8 in process_function /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3161
              #8 0x7fb07a730900 in process_arg_token /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3207
              #9 0x7fb07a727c0b in process_arg /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:1786
              #10 0x7fb07a731080 in event_read_print_args /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3285
              #11 0x7fb07a731722 in event_read_print /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:3369
              #12 0x7fb07a740054 in __tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6335
              #13 0x7fb07a74047a in __parse_event /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6389
              #14 0x7fb07a740536 in tep_parse_format /home/pduplessis/repo/linux/tools/lib/traceevent/event-parse.c:6431
              #15 0x7fb07a785acf in parse_event ../../../src/fs-src/fs.c:251
              #16 0x7fb07a785ccd in parse_systems ../../../src/fs-src/fs.c:284
              #17 0x7fb07a786fb3 in read_metadata ../../../src/fs-src/fs.c:593
              #18 0x7fb07a78760e in ftrace_fs_source_init ../../../src/fs-src/fs.c:727
              #19 0x7fb07d90c19c in add_component_with_init_method_data ../../../../src/lib/graph/graph.c:1048
              #20 0x7fb07d90c87b in add_source_component_with_initialize_method_data ../../../../src/lib/graph/graph.c:1127
              #21 0x7fb07d90c92a in bt_graph_add_source_component ../../../../src/lib/graph/graph.c:1152
              #22 0x55db11aa632e in cmd_run_ctx_create_components_from_config_components ../../../src/cli/babeltrace2.c:2252
              #23 0x55db11aa6fda in cmd_run_ctx_create_components ../../../src/cli/babeltrace2.c:2347
              #24 0x55db11aa780c in cmd_run ../../../src/cli/babeltrace2.c:2461
              #25 0x55db11aa8a7d in main ../../../src/cli/babeltrace2.c:2673
              #26 0x7fb07d5460b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
      
      The token variable in the process_dynamic_array_len function is
      allocated in the read_expect_type function, but is not freed before
      calling the read_token function.
      
      Free the token variable before calling read_token in order to plug the
      leak.
      Signed-off-by: default avatarPhilippe Duplessis-Guindon <pduplessis@efficios.com>
      Reviewed-by: default avatarSteven Rostedt (VMware) <rostedt@goodmis.org>
      Link: https://lore.kernel.org/linux-trace-devel/20200730150236.5392-1-pduplessis@efficios.comSigned-off-by: default avatarArnaldo Carvalho de Melo <acme@redhat.com>
      e24c6447
    • Wanpeng Li's avatar
      KVM: SVM: Fix disable pause loop exit/pause filtering capability on SVM · 830f01b0
      Wanpeng Li authored
      'Commit 8566ac8b ("KVM: SVM: Implement pause loop exit logic in SVM")'
      drops disable pause loop exit/pause filtering capability completely, I
      guess it is a merge fault by Radim since disable vmexits capabilities and
      pause loop exit for SVM patchsets are merged at the same time. This patch
      reintroduces the disable pause loop exit/pause filtering capability support.
      Reported-by: default avatarHaiwei Li <lihaiwei@tencent.com>
      Tested-by: default avatarHaiwei Li <lihaiwei@tencent.com>
      Fixes: 8566ac8b ("KVM: SVM: Implement pause loop exit logic in SVM")
      Signed-off-by: default avatarWanpeng Li <wanpengli@tencent.com>
      Message-Id: <1596165141-28874-3-git-send-email-wanpengli@tencent.com>
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      830f01b0
    • Wanpeng Li's avatar
      KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled · d2286ba7
      Wanpeng Li authored
      Prevent setting the tscdeadline timer if the lapic is hw disabled.
      
      Fixes: bce87cce (KVM: x86: consolidate different ways to test for in-kernel LAPIC)
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarWanpeng Li <wanpengli@tencent.com>
      Message-Id: <1596165141-28874-1-git-send-email-wanpengli@tencent.com>
      Signed-off-by: default avatarPaolo Bonzini <pbonzini@redhat.com>
      d2286ba7
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2020-07-31' of git://anongit.freedesktop.org/drm/drm · d8b9faec
      Linus Torvalds authored
      Pull more drm fixes from Dave Airlie:
       "As mentioned previously this contains the nouveau regression fix.
      
        amdgpu had three fixes outstanding as well, one revert, an info leak
        and use after free. The use after free is a bit trickier than I'd
        like, and I've personally gone over it to confirm I'm happy that it is
        doing what it says.
      
        nouveau:
         - final modifiers regression fix
      
        amdgpu:
         - Revert a fix which caused other regressions
         - Fix potential kernel info leak
         - Fix a use-after-free bug that was uncovered by another change in 5.7"
      
      * tag 'drm-fixes-2020-07-31' of git://anongit.freedesktop.org/drm/drm:
        drm/nouveau: Accept 'legacy' format modifiers
        Revert "drm/amdgpu: Fix NULL dereference in dpm sysfs handlers"
        drm/amd/display: Clear dm_state for fast updates
        drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl()
      d8b9faec
    • Dave Airlie's avatar
      Merge tag 'amd-drm-fixes-5.8-2020-07-30' of... · 887c909d
      Dave Airlie authored
      Merge tag 'amd-drm-fixes-5.8-2020-07-30' of git://people.freedesktop.org/~agd5f/linux into drm-fixes
      
      amd-drm-fixes-5.8-2020-07-30:
      
      amdgpu:
      - Revert a fix which caused other regressions
      - Fix potential kernel info leak
      - Fix a use-after-free bug that was uncovered by another change in 5.7
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      From: Alex Deucher <alexdeucher@gmail.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20200730154338.244104-1-alexander.deucher@amd.com
      887c909d
    • James Jones's avatar
      drm/nouveau: Accept 'legacy' format modifiers · faa0fcf9
      James Jones authored
      Accept the DRM_FORMAT_MOD_NVIDIA_16BX2_BLOCK()
      family of modifiers to handle broken userspace
      Xorg modesetting and Mesa drivers. Existing Mesa
      drivers are still aware of only these older
      format modifiers which do not differentiate
      between different variations of the block linear
      layout. When the format modifier support flag was
      flipped in the nouveau kernel driver, the X.org
      modesetting driver began attempting to use its
      format modifier-enabled framebuffer path. Because
      the set of format modifiers advertised by the
      kernel prior to this change do not intersect with
      the set of format modifiers advertised by Mesa,
      allocating GBM buffers using format modifiers
      fails and the modesetting driver falls back to
      non-modifier allocation. However, it still later
      queries the modifier of the GBM buffer when
      creating its DRM-KMS framebuffer object, receives
      the old-format modifier from Mesa, and attempts
      to create a framebuffer with it. Since the kernel
      is still not aware of these formats, this fails.
      
      Userspace should not be attempting to query format
      modifiers of GBM buffers allocated with a non-
      format-modifier-aware allocation path, but to
      avoid breaking existing userspace behavior, this
      change accepts the old-style format modifiers when
      creating framebuffers and applying them to planes
      by translating them to the equivalent new-style
      modifier. To accomplish this, some layout
      parameters must be assumed to match properties of
      the device targeted by the relevant ioctls. To
      avoid perpetuating misuse of the old-style
      modifiers, this change does not advertise support
      for them. Doing so would imply compatibility
      between devices with incompatible memory layouts.
      
      Tested with Xorg 1.20 modesetting driver,
      weston@c46c70dac84a4b3030cd05b380f9f410536690fc,
      gnome & KDE wayland desktops from Ubuntu 18.04,
      and sway 1.5
      Reported-by: default avatarKirill A. Shutemov <kirill@shutemov.name>
      Fixes: fa4f4c21 ("drm/nouveau/kms: Support NVIDIA format modifiers")
      Link: https://lkml.org/lkml/2020/6/30/1251Signed-off-by: default avatarJames Jones <jajones@nvidia.com>
      Acked-by: default avatarBen Skeggs <bskeggs@redhat.com>
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      faa0fcf9
    • Xin Xiong's avatar
      net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq · e692139e
      Xin Xiong authored
      The function invokes bpf_prog_inc(), which increases the reference
      count of a bpf_prog object "rq->xdp_prog" if the object isn't NULL.
      
      The refcount leak issues take place in two error handling paths. When
      either mlx5_wq_ll_create() or mlx5_wq_cyc_create() fails, the function
      simply returns the error code and forgets to drop the reference count
      increased earlier, causing a reference count leak of "rq->xdp_prog".
      
      Fix this issue by jumping to the error handling path err_rq_wq_destroy
      while either function fails.
      
      Fixes: 422d4c40 ("net/mlx5e: RX, Split WQ objects for different RQ types")
      Signed-off-by: default avatarXin Xiong <xiongx18@fudan.edu.cn>
      Signed-off-by: default avatarXiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: default avatarXin Tan <tanxin.ctf@gmail.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      e692139e
    • Jianbo Liu's avatar
      net/mlx5e: E-Switch, Specify flow_source for rule with no in_port · 6f7bbad1
      Jianbo Liu authored
      The flow_source must be specified, even for rule without matching
      source vport, because some actions are only allowed in uplink.
      Otherwise, rule can't be offloaded and firmware syndrome happens.
      
      Fixes: 6fb0701a ("net/mlx5: E-Switch, Add support for offloading rules with no in_port")
      Signed-off-by: default avatarJianbo Liu <jianbol@mellanox.com>
      Reviewed-by: default avatarChris Mi <chrism@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      6f7bbad1
    • Jianbo Liu's avatar
      net/mlx5e: E-Switch, Add misc bit when misc fields changed for mirroring · 0faddfe6
      Jianbo Liu authored
      The modified flow_context fields in FTE must be indicated in
      modify_enable bitmask. Previously, the misc bit in modify_enable is
      always set as source vport must be set for each rule. So, when parsing
      vxlan/gre/geneve/qinq rules, this bit is not set because those are all
      from the same misc fileds that source vport fields are located at, and
      we don't need to set the indicator twice.
      
      After adding per vport tables for mirroring, misc bit is not set, then
      firmware syndrome happens. To fix it, set the bit wherever misc fileds
      are changed. This also makes it unnecessary to check misc fields and set
      the misc bit accordingly in metadata matching, so here remove it.
      
      Besides, flow_source must be specified for uplink because firmware
      will check it and some actions are only allowed for packets received
      from uplink.
      
      Fixes: 96e32687 ("net/mlx5e: Eswitch, Use per vport tables for mirroring")
      Signed-off-by: default avatarJianbo Liu <jianbol@mellanox.com>
      Reviewed-by: default avatarChris Mi <chrism@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      0faddfe6
    • Jianbo Liu's avatar
      net/mlx5e: CT: Support restore ipv6 tunnel · 01cefbbe
      Jianbo Liu authored
      Currently the driver restores only IPv4 tunnel headers.
      Add support for restoring IPv6 tunnel header.
      
      Fixes: b8ce9037 ("net/mlx5e: Restore tunnel metadata on miss")
      Signed-off-by: default avatarJianbo Liu <jianbol@mellanox.com>
      Reviewed-by: default avatarRoi Dayan <roid@mellanox.com>
      Reviewed-by: default avatarOz Shlomo <ozsh@mellanox.com>
      Signed-off-by: default avatarSaeed Mahameed <saeedm@mellanox.com>
      01cefbbe
    • David S. Miller's avatar
      Merge tag 'mac80211-for-davem-2020-07-30' of... · d0c3c75d
      David S. Miller authored
      Merge tag 'mac80211-for-davem-2020-07-30' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211
      
      Johannes Berg says:
      
      ====================
      A couple of more changes:
       * remove a warning that can trigger in certain races
       * check a function pointer before using it
       * check before adding 6 GHz to avoid a warning in mesh
       * fix two memory leaks in mesh
       * fix a TX status bug leading to a memory leak
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d0c3c75d
    • Wang Hai's avatar
      net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() · 85496a29
      Wang Hai authored
      Fix the missing clk_disable_unprepare() before return
      from gemini_ethernet_port_probe() in the error handling case.
      
      Fixes: 4d5ae32f ("net: ethernet: Add a driver for Gemini gigabit ethernet")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarWang Hai <wanghai38@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      85496a29
    • Shannon Nelson's avatar
      ionic: unlock queue mutex in error path · 59929fbb
      Shannon Nelson authored
      On an error return, jump to the unlock at the end to be sure
      to unlock the queue_lock mutex.
      
      Fixes: 0925e9db ("ionic: use mutex to protect queue operations")
      Reported-by: default avatarkernel test robot <lkp@intel.com>
      Reported-by: default avatarJulia Lawall <julia.lawall@lip6.fr>
      Signed-off-by: default avatarShannon Nelson <snelson@pensando.io>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      59929fbb
    • Xin Xiong's avatar
      atm: fix atm_dev refcnt leaks in atmtcp_remove_persistent · 51875dad
      Xin Xiong authored
      atmtcp_remove_persistent() invokes atm_dev_lookup(), which returns a
      reference of atm_dev with increased refcount or NULL if fails.
      
      The refcount leaks issues occur in two error handling paths. If
      dev_data->persist is zero or PRIV(dev)->vcc isn't NULL, the function
      returns 0 without decreasing the refcount kept by a local variable,
      resulting in refcount leaks.
      
      Fix the issue by adding atm_dev_put() before returning 0 both when
      dev_data->persist is zero or PRIV(dev)->vcc isn't NULL.
      Signed-off-by: default avatarXin Xiong <xiongx18@fudan.edu.cn>
      Signed-off-by: default avatarXiyu Yang <xiyuyang19@fudan.edu.cn>
      Signed-off-by: default avatarXin Tan <tanxin.ctf@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      51875dad
  4. 30 Jul, 2020 5 commits
    • Landen Chao's avatar
      net: ethernet: mtk_eth_soc: fix MTU warnings · 555a8933
      Landen Chao authored
      in recent kernel versions there are warnings about incorrect MTU size
      like these:
      
      eth0: mtu greater than device maximum
      mtk_soc_eth 1b100000.ethernet eth0: error -22 setting MTU to include DSA overhead
      
      Fixes: bfcb8132 ("net: dsa: configure the MTU for switch ports")
      Fixes: 72579e14 ("net: dsa: don't fail to probe if we couldn't set the MTU")
      Fixes: 7a4c53be ("net: report invalid mtu value via netlink extack")
      Signed-off-by: default avatarLanden Chao <landen.chao@mediatek.com>
      Signed-off-by: default avatarFrank Wunderlich <frank-w@public-files.de>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      555a8933
    • Lu Wei's avatar
      net: nixge: fix potential memory leak in nixge_probe() · 366228ed
      Lu Wei authored
      If some processes in nixge_probe() fail, free_netdev(dev)
      needs to be called to aviod a memory leak.
      
      Fixes: 87ab2079 ("net: nixge: Separate ctrl and dma resources")
      Fixes: abcd3d6f ("net: nixge: Fix error path for obtaining mac address")
      Reported-by: default avatarHulk Robot <hulkci@huawei.com>
      Signed-off-by: default avatarLu Wei <luwei32@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      366228ed
    • Jakub Kicinski's avatar
      devlink: ignore -EOPNOTSUPP errors on dumpit · 82274d07
      Jakub Kicinski authored
      Number of .dumpit functions try to ignore -EOPNOTSUPP errors.
      Recent change missed that, and started reporting all errors
      but -EMSGSIZE back from dumps. This leads to situation like
      this:
      
      $ devlink dev info
      devlink answers: Operation not supported
      
      Dump should not report an error just because the last device
      to be queried could not provide an answer.
      
      To fix this and avoid similar confusion make sure we clear
      err properly, and not leave it set to an error if we don't
      terminate the iteration.
      
      Fixes: c62c2cfb ("net: devlink: don't ignore errors during dumpit")
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      82274d07
    • David Howells's avatar
      rxrpc: Fix race between recvmsg and sendmsg on immediate call failure · 65550098
      David Howells authored
      There's a race between rxrpc_sendmsg setting up a call, but then failing to
      send anything on it due to an error, and recvmsg() seeing the call
      completion occur and trying to return the state to the user.
      
      An assertion fails in rxrpc_recvmsg() because the call has already been
      released from the socket and is about to be released again as recvmsg deals
      with it.  (The recvmsg_q queue on the socket holds a ref, so there's no
      problem with use-after-free.)
      
      We also have to be careful not to end up reporting an error twice, in such
      a way that both returns indicate to userspace that the user ID supplied
      with the call is no longer in use - which could cause the client to
      malfunction if it recycles the user ID fast enough.
      
      Fix this by the following means:
      
       (1) When sendmsg() creates a call after the point that the call has been
           successfully added to the socket, don't return any errors through
           sendmsg(), but rather complete the call and let recvmsg() retrieve
           them.  Make sendmsg() return 0 at this point.  Further calls to
           sendmsg() for that call will fail with ESHUTDOWN.
      
           Note that at this point, we haven't send any packets yet, so the
           server doesn't yet know about the call.
      
       (2) If sendmsg() returns an error when it was expected to create a new
           call, it means that the user ID wasn't used.
      
       (3) Mark the call disconnected before marking it completed to prevent an
           oops in rxrpc_release_call().
      
       (4) recvmsg() will then retrieve the error and set MSG_EOR to indicate
           that the user ID is no longer known by the kernel.
      
      An oops like the following is produced:
      
      	kernel BUG at net/rxrpc/recvmsg.c:605!
      	...
      	RIP: 0010:rxrpc_recvmsg+0x256/0x5ae
      	...
      	Call Trace:
      	 ? __init_waitqueue_head+0x2f/0x2f
      	 ____sys_recvmsg+0x8a/0x148
      	 ? import_iovec+0x69/0x9c
      	 ? copy_msghdr_from_user+0x5c/0x86
      	 ___sys_recvmsg+0x72/0xaa
      	 ? __fget_files+0x22/0x57
      	 ? __fget_light+0x46/0x51
      	 ? fdget+0x9/0x1b
      	 do_recvmmsg+0x15e/0x232
      	 ? _raw_spin_unlock+0xa/0xb
      	 ? vtime_delta+0xf/0x25
      	 __x64_sys_recvmmsg+0x2c/0x2f
      	 do_syscall_64+0x4c/0x78
      	 entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: 357f5ef6 ("rxrpc: Call rxrpc_release_call() on error in rxrpc_new_client_call()")
      Reported-by: syzbot+b54969381df354936d96@syzkaller.appspotmail.com
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Reviewed-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      65550098
    • Joyce Ooi's avatar
      MAINTAINERS: Replace Thor Thayer as Altera Triple Speed Ethernet maintainer · 591eee6d
      Joyce Ooi authored
      This patch is to replace Thor Thayer as Altera Triple Speed Ethernet
      maintainer as he is moving to a different role.
      Signed-off-by: default avatarJoyce Ooi <joyce.ooi@intel.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      591eee6d