1. 26 1月, 2019 6 次提交
    • F
      IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start · 6ab4aba0
      Feras Daoud 提交于
      The following BUG was reported by kasan:
      
       BUG: KASAN: use-after-free in ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib]
       Read of size 80 at addr ffff88034c30bcd0 by task kworker/u16:1/24020
      
       Workqueue: ipoib_wq ipoib_cm_tx_start [ib_ipoib]
       Call Trace:
        dump_stack+0x9a/0xeb
        print_address_description+0xe3/0x2e0
        kasan_report+0x18a/0x2e0
        ? ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib]
        memcpy+0x1f/0x50
        ipoib_cm_tx_start+0x430/0x1390 [ib_ipoib]
        ? kvm_clock_read+0x1f/0x30
        ? ipoib_cm_skb_reap+0x610/0x610 [ib_ipoib]
        ? __lock_is_held+0xc2/0x170
        ? process_one_work+0x880/0x1960
        ? process_one_work+0x912/0x1960
        process_one_work+0x912/0x1960
        ? wq_pool_ids_show+0x310/0x310
        ? lock_acquire+0x145/0x440
        worker_thread+0x87/0xbb0
        ? process_one_work+0x1960/0x1960
        kthread+0x314/0x3d0
        ? kthread_create_worker_on_cpu+0xc0/0xc0
        ret_from_fork+0x3a/0x50
      
       Allocated by task 0:
        kasan_kmalloc+0xa0/0xd0
        kmem_cache_alloc_trace+0x168/0x3e0
        path_rec_create+0xa2/0x1f0 [ib_ipoib]
        ipoib_start_xmit+0xa98/0x19e0 [ib_ipoib]
        dev_hard_start_xmit+0x159/0x8d0
        sch_direct_xmit+0x226/0xb40
        __dev_queue_xmit+0x1d63/0x2950
        neigh_update+0x889/0x1770
        arp_process+0xc47/0x21f0
        arp_rcv+0x462/0x760
        __netif_receive_skb_core+0x1546/0x2da0
        netif_receive_skb_internal+0xf2/0x590
        napi_gro_receive+0x28e/0x390
        ipoib_ib_handle_rx_wc_rss+0x873/0x1b60 [ib_ipoib]
        ipoib_rx_poll_rss+0x17d/0x320 [ib_ipoib]
        net_rx_action+0x427/0xe30
        __do_softirq+0x28e/0xc42
      
       Freed by task 26680:
        __kasan_slab_free+0x11d/0x160
        kfree+0xf5/0x360
        ipoib_flush_paths+0x532/0x9d0 [ib_ipoib]
        ipoib_set_mode_rss+0x1ad/0x560 [ib_ipoib]
        set_mode+0xc8/0x150 [ib_ipoib]
        kernfs_fop_write+0x279/0x440
        __vfs_write+0xd8/0x5c0
        vfs_write+0x15e/0x470
        ksys_write+0xb8/0x180
        do_syscall_64+0x9b/0x420
        entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
       The buggy address belongs to the object at ffff88034c30bcc8
                      which belongs to the cache kmalloc-512 of size 512
       The buggy address is located 8 bytes inside of
                      512-byte region [ffff88034c30bcc8, ffff88034c30bec8)
       The buggy address belongs to the page:
      
      The following race between change mode and xmit flow is the reason for
      this use-after-free:
      
      Change mode     Send packet 1 to GID XX      Send packet 2 to GID XX
           |                    |                             |
         start                  |                             |
           |                    |                             |
           |                    |                             |
           |         Create new path for GID XX               |
           |           and update neigh path                  |
           |                    |                             |
           |                    |                             |
           |                    |                             |
       flush_paths              |                             |
                                |                             |
                     queue_work(cm.start_task)                |
                                |                 Path for GID XX not found
                                |                      create new path
                                |
                                |
                     start_task runs with old
                          released path
      
      There is no locking to protect the lifetime of the path through the
      ipoib_cm_tx struct, so delete it entirely and always use the newly looked
      up path under the priv->lock.
      
      Fixes: 546481c2 ("IB/ipoib: Fix memory corruption in ipoib cm mode connect flow")
      Signed-off-by: NFeras Daoud <ferasda@mellanox.com>
      Reviewed-by: NErez Shitrit <erezsh@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      6ab4aba0
    • Y
      IB/uverbs: Fix ioctl query port to consider device disassociation · f8ade8e2
      Yishai Hadas 提交于
      Methods cannot peak into the ufile, the only way to get a ucontext and
      hence a device is via the ib_uverbs_get_ucontext() call or inspecing a
      locked uobject.
      
      Otherwise during/after disassociation the pointers may be null or free'd.
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000078
       PGD 800000005ece6067 P4D 800000005ece6067 PUD 5ece7067 PMD 0
       Oops: 0000 [#1] SMP PTI
       CPU: 0 PID: 10631 Comm: ibv_ud_pingpong Tainted: GW  OE     4.20.0-rc6+ #3
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:ib_uverbs_handler_UVERBS_METHOD_QUERY_PORT+0x53/0x191 [ib_uverbs]
       Code: 80 00 00 00 31 c0 48 8b 47 40 48 8d 5c 24 38 48 8d 6c 24
                     08 48 89 df 48 8b 40 08 4c 8b a0 18 03 00 00 31 c0 f3 48 ab 48 89
                     ef <49> 83 7c 24 78 00 b1 06 f3 48 ab 0f 84 89 00 00 00 45 31  c9 31 d2
       RSP: 0018:ffffb54802ccfb10 EFLAGS: 00010246
       RAX: 0000000000000000 RBX: ffffb54802ccfb48 RCX:0000000000000000
       RDX: fffffffffffffffa RSI: ffffb54802ccfcf8 RDI:ffffb54802ccfb18
       RBP: ffffb54802ccfb18 R08: ffffb54802ccfd18 R09:0000000000000000
       R10: 0000000000000000 R11: 00000000000000d0 R12:0000000000000000
       R13: ffffb54802ccfcb0 R14: ffffb54802ccfc48 R15:ffff9f736e0059a0
       FS:  00007f55a6bd7740(0000) GS:ffff9f737ba00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000078 CR3: 0000000064214000 CR4:00000000000006f0
       Call Trace:
        ib_uverbs_cmd_verbs.isra.5+0x94d/0xa60 [ib_uverbs]
        ? copy_port_attr_to_resp+0x120/0x120 [ib_uverbs]
        ? arch_tlb_finish_mmu+0x16/0xc0
        ? tlb_finish_mmu+0x1f/0x30
        ? unmap_region+0xd9/0x120
        ib_uverbs_ioctl+0xbc/0x120 [ib_uverbs]
        do_vfs_ioctl+0xa9/0x620
        ? __do_munmap+0x29f/0x3a0
        ksys_ioctl+0x60/0x90
        __x64_sys_ioctl+0x16/0x20
        do_syscall_64+0x5b/0x180
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7f55a62cb567
      
      Fixes: 641d1207 ("IB/core: Move query port to ioctl")
      Signed-off-by: NYishai Hadas <yishaih@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      f8ade8e2
    • M
      RDMA/mlx5: Fix flow creation on representors · c1b03c25
      Mark Bloch 提交于
      The intention of the flow_is_supported was to disable the entire tree and
      methods that allow raw flow creation, but the grammar syntax has this
      disable the entire UVERBS_FLOW object. Since the method requires a
      MLX5_IB_OBJECT_FLOW_MATCHER there is no need to do anything, as it is
      automatically disabled when matchers are disabled.
      
      This restores the ability to create flow steering rules on representors
      via regular verbs.
      
      Fixes: a1462351 ("RDMA/mlx5: Fail early if user tries to create flows on IB representors")
      Signed-off-by: NMark Bloch <markb@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      c1b03c25
    • Y
      IB/uverbs: Fix OOPs upon device disassociation · 425784aa
      Yishai Hadas 提交于
      The async_file might be freed before the disassociation has been ended,
      causing qp shutdown to use after free on it.
      
      Since uverbs_destroy_ufile_hw is not a fence, it returns if a
      disassociation is ongoing in another thread. It has to be written this way
      to avoid deadlock. However this means that the ufile FD close cannot
      destroy anything that may still be used by an active kref, such as the the
      async_file.
      
      To fix that move the kref_put() to be in ib_uverbs_release_file().
      
       BUG: unable to handle kernel paging request at ffffffffba682787
       PGD bc80e067 P4D bc80e067 PUD bc80f063 PMD 1313df163 PTE 80000000bc682061
       Oops: 0003 [#1] SMP PTI
       CPU: 1 PID: 32410 Comm: bash Tainted: G           OE 4.20.0-rc6+ #3
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       RIP: 0010:__pv_queued_spin_lock_slowpath+0x1b3/0x2a0
       Code: 98 83 e2 60 49 89 df 48 8b 04 c5 80 18 72 ba 48 8d
      		ba 80 32 02 00 ba 00 80 00 00 4c 8d 65 14 41 bd 01 00 00 00 48 01 c7 85
      		d2 <48> 89 2f 48 89 fb 74 14 8b 45 08 85 c0 75 42 84 d2 74 6b f3 90 83
       RSP: 0018:ffffc1bbc064fb58 EFLAGS: 00010006
       RAX: ffffffffba65f4e7 RBX: ffff9f209c656c00 RCX: 0000000000000001
       RDX: 0000000000008000 RSI: 0000000000000000 RDI: ffffffffba682787
       RBP: ffff9f217bb23280 R08: 0000000000000001 R09: 0000000000000000
       R10: ffff9f209d2c7800 R11: ffffffffffffffe8 R12: ffff9f217bb23294
       R13: 0000000000000001 R14: 0000000000000000 R15: ffff9f209c656c00
       FS:  00007fac55aad740(0000) GS:ffff9f217bb00000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: ffffffffba682787 CR3: 000000012f8e0000 CR4: 00000000000006e0
       Call Trace:
        _raw_spin_lock_irq+0x27/0x30
        ib_uverbs_release_uevent+0x1e/0xa0 [ib_uverbs]
        uverbs_free_qp+0x7e/0x90 [ib_uverbs]
        destroy_hw_idr_uobject+0x1c/0x50 [ib_uverbs]
        uverbs_destroy_uobject+0x2e/0x180 [ib_uverbs]
        __uverbs_cleanup_ufile+0x73/0x90 [ib_uverbs]
        uverbs_destroy_ufile_hw+0x5d/0x120 [ib_uverbs]
        ib_uverbs_remove_one+0xea/0x240 [ib_uverbs]
        ib_unregister_device+0xfb/0x200 [ib_core]
        mlx5_ib_remove+0x51/0xe0 [mlx5_ib]
        mlx5_remove_device+0xc1/0xd0 [mlx5_core]
        mlx5_unregister_device+0x3d/0xb0 [mlx5_core]
        remove_one+0x2a/0x90 [mlx5_core]
        pci_device_remove+0x3b/0xc0
        device_release_driver_internal+0x16d/0x240
        unbind_store+0xb2/0x100
        kernfs_fop_write+0x102/0x180
        __vfs_write+0x36/0x1a0
        ? __alloc_fd+0xa9/0x170
        ? set_close_on_exec+0x49/0x70
        vfs_write+0xad/0x1a0
        ksys_write+0x52/0xc0
        do_syscall_64+0x5b/0x180
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
       RIP: 0033:0x7fac551aac60
      
      Cc: <stable@vger.kernel.org> # 4.2
      Fixes: 036b1063 ("IB/uverbs: Enable device removal when there are active user space applications")
      Signed-off-by: NYishai Hadas <yishaih@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      425784aa
    • A
      RDMA/umem: Add missing initialization of owning_mm · a2093dd3
      Artemy Kovalyov 提交于
      When allocating a umem leaf for implicit ODP MR during page fault the
      field owning_mm was not set.
      
      Initialize and take a reference on this field to avoid kernel panic when
      trying to access this field.
      
       BUG: unable to handle kernel NULL pointer dereference at 0000000000000058
       PGD 800000022dfed067 P4D 800000022dfed067 PUD 22dfcf067 PMD 0
       Oops: 0000 [#1] SMP PTI
       CPU: 0 PID: 634 Comm: kworker/u33:0 Not tainted 4.20.0-rc6+ #89
       Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
       Workqueue: mlx5_ib_page_fault mlx5_ib_eqe_pf_action [mlx5_ib]
       RIP: 0010:ib_umem_odp_map_dma_pages+0xf3/0x710 [ib_core]
       Code: 45 c0 48 21 f3 48 89 75 b0 31 f6 4a 8d 04 33 48 89 45 a8 49 8b 44 24 60 48 8b 78 10 e8 66 16 a8 c5 49 8b 54 24 08 48 89 45 98 <8b> 42 58 85 c0 0f 84 8e 05 00 00 8d 48 01 48 8d 72 58 f0 0f b1 4a
       RSP: 0000:ffffb610813a7c20 EFLAGS: 00010202
       RAX: ffff95ace6e8ac80 RBX: 0000000000000000 RCX: 000000000000000c
       RDX: 0000000000000000 RSI: 0000000000000850 RDI: ffff95aceaadae80
       RBP: ffffb610813a7ce0 R08: 0000000000000000 R09: 0000000000080c77
       R10: ffff95acfffdbd00 R11: 0000000000000000 R12: ffff95aceaa20a00
       R13: 0000000000001000 R14: 0000000000001000 R15: 000000000000000c
       FS:  0000000000000000(0000) GS:ffff95acf7800000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000058 CR3: 000000022c834001 CR4: 00000000001606f0
       Call Trace:
        pagefault_single_data_segment+0x1df/0xc60 [mlx5_ib]
        mlx5_ib_eqe_pf_action+0x7bc/0xa70 [mlx5_ib]
        ? __switch_to+0xe1/0x470
        process_one_work+0x174/0x390
        worker_thread+0x4f/0x3e0
        kthread+0x102/0x140
        ? drain_workqueue+0x130/0x130
        ? kthread_stop+0x110/0x110
        ret_from_fork+0x1f/0x30
      
      Fixes: f27a0d50 ("RDMA/umem: Use umem->owning_mm inside ODP")
      Signed-off-by: NArtemy Kovalyov <artemyko@mellanox.com>
      Signed-off-by: NMoni Shoua <monis@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      a2093dd3
    • L
      RDMA/hns: Update the kernel header file of hns · 9d9d4ff7
      Lijun Ou 提交于
      The hns_roce_ib_create_srq_resp is used to interact with the user for
      data, this was open coded to use a u32 directly, instead use a properly
      sized structure.
      
      Fixes: c7bcb134 ("RDMA/hns: Add SRQ support for hip08 kernel mode")
      Signed-off-by: NLijun Ou <oulijun@huawei.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      9d9d4ff7
  2. 22 1月, 2019 7 次提交
    • J
      IB/mlx5: Fix how advise_mr() launches async work · 951d01b9
      Jason Gunthorpe 提交于
      Work must hold a kref on the ib_device otherwise the dev pointer can
      become free before the work runs. This can happen because the work is
      being pushed onto the system work queue which is not flushed during driver
      unregister.
      
      Remove the bogus use of 'reg_state':
       - While in uverbs the reg_state is guaranteed to always be
         REGISTERED
       - Testing reg_state with no locking is bogus. Use ib_device_try_get()
         to get back into a region that prevents unregistration.
      
      For now continue with a flow that is similar to the existing code.
      
      Fixes: 813e90b1 ("IB/mlx5: Add advise_mr() support")
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Reviewed-by: NMoni Shoua <monis@mellanox.com>
      951d01b9
    • J
      RDMA/device: Expose ib_device_try_get(() · d79af724
      Jason Gunthorpe 提交于
      It turns out future patches need this capability quite widely now, not
      just for netlink, so provide two global functions to manage the
      registration lock refcount.
      
      This also moves the point the lock becomes 1 to within
      ib_register_device() so that the semantics of the public API are very sane
      and clear. Calling ib_device_try_get() will fail on devices that are only
      allocated but not yet registered.
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Reviewed-by: NSteve Wise <swise@opengridcomputing.com>
      Reviewed-by: NParav Pandit <parav@mellanox.com>
      d79af724
    • M
      IB/hfi1: Add limit test for RC/UC send via loopback · 09ce351d
      Mike Marciniszyn 提交于
      Fix potential memory corruption and panic in loopback for IB_WR_SEND
      variants.
      
      The code blindly assumes the posted length will fit in the fetched rwqe,
      which is not a valid assumption.
      
      Fix by adding a limit test, and triggering the appropriate send completion
      and putting the QP in an error state.  This mimics the handling for
      non-loopback QPs.
      
      Fixes: 15703461 ("IB/{hfi1, qib, rdmavt}: Move ruc_loopback to rdmavt")
      Cc: <stable@vger.kernel.org> #v4.20+
      Reviewed-by: NMichael J. Ruhl <michael.j.ruhl@intel.com>
      Signed-off-by: NMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: NDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      09ce351d
    • M
      IB/hfi1: Remove overly conservative VM_EXEC flag check · 7709b0dc
      Michael J. Ruhl 提交于
      Applications that use the stack for execution purposes cause userspace PSM
      jobs to fail during mmap().
      
      Both Fortran (non-standard format parsing) and C (callback functions
      located in the stack) applications can be written such that stack
      execution is required. The linker notes this via the gnu_stack ELF flag.
      
      This causes READ_IMPLIES_EXEC to be set which forces all PROT_READ mmaps
      to have PROT_EXEC for the process.
      
      Checking for VM_EXEC bit and failing the request with EPERM is overly
      conservative and will break any PSM application using executable stacks.
      
      Cc: <stable@vger.kernel.org> #v4.14+
      Fixes: 12220267 ("IB/hfi: Protect against writable mmap")
      Reviewed-by: NMike Marciniszyn <mike.marciniszyn@intel.com>
      Reviewed-by: NDennis Dalessandro <dennis.dalessandro@intel.com>
      Reviewed-by: NIra Weiny <ira.weiny@intel.com>
      Signed-off-by: NMichael J. Ruhl <michael.j.ruhl@intel.com>
      Signed-off-by: NDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      7709b0dc
    • B
      IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM · 904bba21
      Brian Welty 提交于
      The work completion length for a receiving a UD send with immediate is
      short by 4 bytes causing application using this opcode to fail.
      
      The UD receive logic incorrectly subtracts 4 bytes for immediate
      value. These bytes are already included in header length and are used to
      calculate header/payload split, so the result is these 4 bytes are
      subtracted twice, once when the header length subtracted from the overall
      length and once again in the UD opcode specific path.
      
      Remove the extra subtraction when handling the opcode.
      
      Fixes: 77241056 ("IB/hfi1: add driver files")
      Reviewed-by: NMichael J. Ruhl <michael.j.ruhl@intel.com>
      Signed-off-by: NBrian Welty <brian.welty@intel.com>
      Signed-off-by: NMike Marciniszyn <mike.marciniszyn@intel.com>
      Signed-off-by: NDennis Dalessandro <dennis.dalessandro@intel.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      904bba21
    • J
      IB/mlx4: Fix using wrong function to destroy sqp AHs under SRIOV · f45f8edb
      Jack Morgenstein 提交于
      The commit cited below replaced rdma_create_ah with
      mlx4_ib_create_slave_ah when creating AHs for the paravirtualized special
      QPs.
      
      However, this change also required replacing rdma_destroy_ah with
      mlx4_ib_destroy_ah in the affected flows.
      
      The commit missed 3 places where rdma_destroy_ah should have been replaced
      with mlx4_ib_destroy_ah.
      
      As a result, the pd usecount was decremented when the ah was destroyed --
      although the usecount was NOT incremented when the ah was created.
      
      This caused the pd usecount to become negative, and resulted in the
      WARN_ON stack trace below when the mlx4_ib.ko module was unloaded:
      
      WARNING: CPU: 3 PID: 25303 at drivers/infiniband/core/verbs.c:329 ib_dealloc_pd+0x6d/0x80 [ib_core]
      Modules linked in: rdma_ucm rdma_cm iw_cm ib_cm ib_umad mlx4_ib(-) ib_uverbs ib_core mlx4_en mlx4_core nfsv3 nfs fscache configfs xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c ipt_REJECT nf_reject_ipv4 tun ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter bridge stp llc dm_mirror dm_region_hash dm_log dm_mod dax rndis_wlan rndis_host coretemp kvm_intel cdc_ether kvm usbnet iTCO_wdt iTCO_vendor_support cfg80211 irqbypass lpc_ich ipmi_si i2c_i801 mii pcspkr i2c_core mfd_core ipmi_devintf i7core_edac ipmi_msghandler ioatdma pcc_cpufreq dca acpi_cpufreq nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables ext4 mbcache jbd2 sr_mod cdrom ata_generic pata_acpi mptsas scsi_transport_sas mptscsih crc32c_intel ata_piix bnx2 mptbase ipv6 crc_ccitt autofs4 [last unloaded: mlx4_core]
      CPU: 3 PID: 25303 Comm: modprobe Tainted: G        W I       5.0.0-rc1-net-mlx4+ #1
      Hardware name: IBM  -[7148ZV6]-/Node 1, System Card, BIOS -[MLE170CUS-1.70]- 09/23/2011
      RIP: 0010:ib_dealloc_pd+0x6d/0x80 [ib_core]
      Code: 00 00 85 c0 75 02 5b c3 80 3d aa 87 03 00 00 75 f5 48 c7 c7 88 d7 8f a0 31 c0 c6 05 98 87 03 00 01 e8 07 4c 79 e0 0f 0b 5b c3 <0f> 0b eb be 0f 0b eb ab 90 66 2e 0f 1f 84 00 00 00 00 00 66 66 66
      RSP: 0018:ffffc90005347e30 EFLAGS: 00010282
      RAX: 00000000ffffffea RBX: ffff8888589e9540 RCX: 0000000000000006
      RDX: 0000000000000006 RSI: ffff88885d57ad40 RDI: 0000000000000000
      RBP: ffff88885b029c00 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000001 R11: 0000000000000004 R12: ffff8887f06c0000
      R13: ffff8887f06c13e8 R14: 0000000000000000 R15: 0000000000000000
      FS:  00007fd6743c6740(0000) GS:ffff88887fcc0000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 0000000000ed1038 CR3: 00000007e3156000 CR4: 00000000000006e0
      Call Trace:
       mlx4_ib_close_sriov+0x125/0x180 [mlx4_ib]
       mlx4_ib_remove+0x57/0x1f0 [mlx4_ib]
       mlx4_remove_device+0x92/0xa0 [mlx4_core]
       mlx4_unregister_interface+0x39/0x90 [mlx4_core]
       mlx4_ib_cleanup+0xc/0xd7 [mlx4_ib]
       __x64_sys_delete_module+0x17d/0x290
       ? trace_hardirqs_off_thunk+0x1a/0x1c
       ? do_syscall_64+0x12/0x180
       do_syscall_64+0x4a/0x180
       entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 5e62d5ff ("IB/mlx4: Create slave AH's directly")
      Signed-off-by: NJack Morgenstein <jackm@dev.mellanox.co.il>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      f45f8edb
    • M
      RDMA/mlx5: Fix check for supported user flags when creating a QP · 8af526e0
      Mark Bloch 提交于
      When the flags verification was added two flags were missed from the
      check:
       * MLX5_QP_FLAG_TIR_ALLOW_SELF_LB_UC
       * MLX5_QP_FLAG_TIR_ALLOW_SELF_LB_MC
      
      This causes user applications that were using these flags to break.
      
      Fixes: 2e43bb31 ("IB/mlx5: Verify that driver supports user flags")
      Signed-off-by: NMark Bloch <markb@mellanox.com>
      Signed-off-by: NLeon Romanovsky <leonro@mellanox.com>
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      8af526e0
  3. 21 1月, 2019 11 次提交
    • L
      Linux 5.0-rc3 · 49a57857
      Linus Torvalds 提交于
      49a57857
    • L
      Merge tag 'pstore-v5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · 1e556ba3
      Linus Torvalds 提交于
      Pull pstore fixes from Kees Cook:
      
       - Fix console ramoops to show the previous boot logs (Sai Prakash
         Ranjan)
      
       - Avoid allocation and leak of platform data
      
      * tag 'pstore-v5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        pstore/ram: Avoid allocation and leak of platform data
        pstore/ram: Fix console ramoops to show the previous boot logs
      1e556ba3
    • L
      Merge tag 'gcc-plugins-v5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux · dbcfc961
      Linus Torvalds 提交于
      Pull gcc-plugins fixes from Kees Cook:
       "Fix ARM per-task stack protector plugin under GCC 9 (Ard Biesheuvel)"
      
      * tag 'gcc-plugins-v5.0-rc4' of git://git.kernel.org/pub/scm/linux/kernel/git/kees/linux:
        gcc-plugins: arm_ssp_per_task_plugin: fix for GCC 9+
        gcc-plugins: arm_ssp_per_task_plugin: sign extend the SP mask
      dbcfc961
    • L
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 7d0ae236
      Linus Torvalds 提交于
      Pull networking fixes from David Miller:
      
       1) Fix endless loop in nf_tables, from Phil Sutter.
      
       2) Fix cross namespace ip6_gre tunnel hash list corruption, from
          Olivier Matz.
      
       3) Don't be too strict in phy_start_aneg() otherwise we might not allow
          restarting auto negotiation. From Heiner Kallweit.
      
       4) Fix various KMSAN uninitialized value cases in tipc, from Ying Xue.
      
       5) Memory leak in act_tunnel_key, from Davide Caratti.
      
       6) Handle chip errata of mv88e6390 PHY, from Andrew Lunn.
      
       7) Remove linear SKB assumption in fou/fou6, from Eric Dumazet.
      
       8) Missing udplite rehash callbacks, from Alexey Kodanev.
      
       9) Log dirty pages properly in vhost, from Jason Wang.
      
      10) Use consume_skb() in neigh_probe() as this is a normal free not a
          drop, from Yang Wei. Likewise in macvlan_process_broadcast().
      
      11) Missing device_del() in mdiobus_register() error paths, from Thomas
          Petazzoni.
      
      12) Fix checksum handling of short packets in mlx5, from Cong Wang.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (96 commits)
        bpf: in __bpf_redirect_no_mac pull mac only if present
        virtio_net: bulk free tx skbs
        net: phy: phy driver features are mandatory
        isdn: avm: Fix string plus integer warning from Clang
        net/mlx5e: Fix cb_ident duplicate in indirect block register
        net/mlx5e: Fix wrong (zero) TX drop counter indication for representor
        net/mlx5e: Fix wrong error code return on FEC query failure
        net/mlx5e: Force CHECKSUM_UNNECESSARY for short ethernet frames
        tools: bpftool: Cleanup license mess
        bpf: fix inner map masking to prevent oob under speculation
        bpf: pull in pkt_sched.h header for tooling to fix bpftool build
        selftests: forwarding: Add a test case for externally learned FDB entries
        selftests: mlxsw: Test FDB offload indication
        mlxsw: spectrum_switchdev: Do not treat static FDB entries as sticky
        net: bridge: Mark FDB entries that were added by user as such
        mlxsw: spectrum_fid: Update dummy FID index
        mlxsw: pci: Return error on PCI reset timeout
        mlxsw: pci: Increase PCI SW reset timeout
        mlxsw: pci: Ring CQ's doorbell before RDQ's
        MAINTAINERS: update email addresses of liquidio driver maintainers
        ...
      7d0ae236
    • K
      pstore/ram: Avoid allocation and leak of platform data · 5631e857
      Kees Cook 提交于
      Yue Hu noticed that when parsing device tree the allocated platform data
      was never freed. Since it's not used beyond the function scope, this
      switches to using a stack variable instead.
      Reported-by: NYue Hu <huyue2@yulong.com>
      Fixes: 35da6094 ("pstore/ram: add Device Tree bindings")
      Cc: stable@vger.kernel.org
      Signed-off-by: NKees Cook <keescook@chromium.org>
      5631e857
    • A
      gcc-plugins: arm_ssp_per_task_plugin: fix for GCC 9+ · 2c88c742
      Ard Biesheuvel 提交于
      GCC 9 reworks the way the references to the stack canary are
      emitted, to prevent the value from being spilled to the stack
      before the final comparison in the epilogue, defeating the
      purpose, given that the spill slot is under control of the
      attacker that we are protecting ourselves from.
      
      Since our canary value address is obtained without accessing
      memory (as opposed to pre-v7 code that will obtain it from a
      literal pool), it is unlikely (although not guaranteed) that
      the compiler will spill the canary value in the same way, so
      let's just disable this improvement when building with GCC9+.
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      2c88c742
    • A
      gcc-plugins: arm_ssp_per_task_plugin: sign extend the SP mask · 560706d5
      Ard Biesheuvel 提交于
      The ARM per-task stack protector GCC plugin hits an assert in
      the compiler in some case, due to the fact the the SP mask
      expression is not sign-extended as it should be. So fix that.
      Suggested-by: NKugan Vivekanandarajah <kugan.vivekanandarajah@linaro.org>
      Signed-off-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NKees Cook <keescook@chromium.org>
      560706d5
    • L
      Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost · bb617b9b
      Linus Torvalds 提交于
      Pull virtio/vhost fixes and cleanups from Michael Tsirkin:
       "Fixes and cleanups all over the place"
      
      * tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost:
        vhost/scsi: Use copy_to_iter() to send control queue response
        vhost: return EINVAL if iovecs size does not match the message size
        virtio-balloon: tweak config_changed implementation
        virtio: don't allocate vqs when names[i] = NULL
        virtio_pci: use queue idx instead of array idx to set up the vq
        virtio: document virtio_config_ops restrictions
        virtio: fix virtio_config_ops description
      bb617b9b
    • L
      Merge tag 'for-5.0-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 1be969f4
      Linus Torvalds 提交于
      Pull btrfs fixes from David Sterba:
       "A handful of fixes (some of them in testing for a long time):
      
         - fix some test failures regarding cleanup after transaction abort
      
         - revert of a patch that could cause a deadlock
      
         - delayed iput fixes, that can help in ENOSPC situation when there's
           low space and a lot data to write"
      
      * tag 'for-5.0-rc2-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: wakeup cleaner thread when adding delayed iput
        btrfs: run delayed iputs before committing
        btrfs: wait on ordered extents on abort cleanup
        btrfs: handle delayed ref head accounting cleanup in abort
        Revert "btrfs: balance dirty metadata pages in btrfs_finish_ordered_io"
      1be969f4
    • L
      Merge tags 'compiler-attributes-for-linus-v5.0-rc3' and... · 315a6d85
      Linus Torvalds 提交于
      Merge tags 'compiler-attributes-for-linus-v5.0-rc3' and 'clang-format-for-linus-v5.0-rc3' of git://github.com/ojeda/linux
      
      Pull misc clang fixes from Miguel Ojeda:
      
        - A fix for OPTIMIZER_HIDE_VAR from Michael S Tsirkin
      
        - Update clang-format with the latest for_each macro list from Jason
          Gunthorpe
      
      * tag 'compiler-attributes-for-linus-v5.0-rc3' of git://github.com/ojeda/linux:
        include/linux/compiler*.h: fix OPTIMIZER_HIDE_VAR
      
      * tag 'clang-format-for-linus-v5.0-rc3' of git://github.com/ojeda/linux:
        clang-format: Update .clang-format with the latest for_each macro list
      315a6d85
    • F
      fix int_sqrt64() for very large numbers · fbfaf851
      Florian La Roche 提交于
      If an input number x for int_sqrt64() has the highest bit set, then
      fls64(x) is 64.  (1UL << 64) is an overflow and breaks the algorithm.
      
      Subtracting 1 is a better guess for the initial value of m anyway and
      that's what also done in int_sqrt() implicitly [*].
      
      [*] Note how int_sqrt() uses __fls() with two underscores, which already
          returns the proper raw bit number.
      
          In contrast, int_sqrt64() used fls64(), and that returns bit numbers
          illogically starting at 1, because of error handling for the "no
          bits set" case. Will points out that he bug probably is due to a
          copy-and-paste error from the regular int_sqrt() case.
      Signed-off-by: NFlorian La Roche <Florian.LaRoche@googlemail.com>
      Acked-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      fbfaf851
  4. 20 1月, 2019 16 次提交
    • W
      x86: uaccess: Inhibit speculation past access_ok() in user_access_begin() · 6e693b3f
      Will Deacon 提交于
      Commit 594cc251 ("make 'user_access_begin()' do 'access_ok()'")
      makes the access_ok() check part of the user_access_begin() preceding a
      series of 'unsafe' accesses.  This has the desirable effect of ensuring
      that all 'unsafe' accesses have been range-checked, without having to
      pick through all of the callsites to verify whether the appropriate
      checking has been made.
      
      However, the consolidated range check does not inhibit speculation, so
      it is still up to the caller to ensure that they are not susceptible to
      any speculative side-channel attacks for user addresses that ultimately
      fail the access_ok() check.
      
      This is an oversight, so use __uaccess_begin_nospec() to ensure that
      speculation is inhibited until the access_ok() check has passed.
      Reported-by: NJulien Thierry <julien.thierry@arm.com>
      Signed-off-by: NWill Deacon <will.deacon@arm.com>
      Signed-off-by: NLinus Torvalds <torvalds@linux-foundation.org>
      6e693b3f
    • L
      Merge tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux · b0f3e768
      Linus Torvalds 提交于
      Pull arm64 fixes from Will Deacon:
       "Three arm64 fixes for -rc3.
      
        We've plugged a couple of nasty issues involving KASLR-enabled
        kernels, and removed a redundant #define that was introduced as part
        of the KHWASAN fixes from akpm at -rc2.
      
         - Fix broken kpti page-table rewrite in bizarre KASLR configuration
      
         - Fix module loading with KASLR
      
         - Remove redundant definition of ARCH_SLAB_MINALIGN"
      
      * tag 'arm64-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/arm64/linux:
        kasan, arm64: remove redundant ARCH_SLAB_MINALIGN define
        arm64: kaslr: ensure randomized quantities are clean to the PoC
        arm64: kpti: Update arm64_kernel_use_ng_mappings() when forced on
      b0f3e768
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 6436408e
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2019-01-20
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix a out-of-bounds access in __bpf_redirect_no_mac, from Willem.
      
      2) Fix bpf_setsockopt to reset sock dst on SO_MARK changes, from Peter.
      
      3) Fix map in map masking to prevent out-of-bounds access under
         speculative execution, from Daniel.
      
      4) Fix bpf_setsockopt's SO_MAX_PACING_RATE to support TCP internal
         pacing, from Yuchung.
      
      5) Fix json writer license in bpftool, from Thomas.
      
      6) Fix AF_XDP to check if an actually queue exists during umem
         setup, from Krzysztof.
      
      7) Several fixes to BPF stackmap's build id handling. Another fix
         for bpftool build to account for libbfd variations wrt linking
         requirements, from Stanislav.
      
      8) Fix BPF samples build with clang by working around missing asm
         goto, from Yonghong.
      
      9) Fix libbpf to retry program load on signal interrupt, from Lorenz.
      
      10) Various minor compile warning fixes in BPF code, from Mathieu.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6436408e
    • W
      bpf: in __bpf_redirect_no_mac pull mac only if present · e7c87bd6
      Willem de Bruijn 提交于
      Syzkaller was able to construct a packet of negative length by
      redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:
      
          BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
          BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
          BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
          Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942
      
          kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
          check_memory_region_inline mm/kasan/kasan.c:260 [inline]
          check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
          memcpy+0x23/0x50 mm/kasan/kasan.c:302
          memcpy include/linux/string.h:345 [inline]
          skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
          __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
          __pskb_copy include/linux/skbuff.h:1053 [inline]
          pskb_copy include/linux/skbuff.h:2904 [inline]
          skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
          ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
          sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
          __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
          netdev_start_xmit include/linux/netdevice.h:4334 [inline]
          xmit_one net/core/dev.c:3219 [inline]
          dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
          __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
          dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
          __bpf_tx_skb net/core/filter.c:2016 [inline]
          __bpf_redirect_common net/core/filter.c:2054 [inline]
          __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
          ____bpf_clone_redirect net/core/filter.c:2094 [inline]
          bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
          bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000
      
      The generated test constructs a packet with mac header, network
      header, skb->data pointing to network header and skb->len 0.
      
      Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
      mac length, even though skb->data already is at skb->network_header.
      bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.
      
      Update the offset calculation to pull only if skb->data differs
      from skb->network_header, which is not true in this case.
      
      The test itself can be run only from commit 1cf1cae9 ("bpf:
      introduce BPF_PROG_TEST_RUN command"), but the same type of packets
      with skb at network header could already be built from lwt xmit hooks,
      so this fix is more relevant to that commit.
      
      Also set the mac header on redirect from LWT_XMIT, as even after this
      change to __bpf_redirect_no_mac that field is expected to be set, but
      is not yet in ip_finish_output2.
      
      Fixes: 3a0af8fd ("bpf: BPF for lightweight tunnel infrastructure")
      Reported-by: Nsyzbot <syzkaller@googlegroups.com>
      Signed-off-by: NWillem de Bruijn <willemb@google.com>
      Acked-by: NMartin KaFai Lau <kafai@fb.com>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      e7c87bd6
    • M
      virtio_net: bulk free tx skbs · df133f3f
      Michael S. Tsirkin 提交于
      Use napi_consume_skb() to get bulk free.  Note that napi_consume_skb is
      safe to call in a non-napi context as long as the napi_budget flag is
      correct.
      Signed-off-by: NMichael S. Tsirkin <mst@redhat.com>
      Acked-by: NJason Wang <jasowang@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      df133f3f
    • L
      Merge tag 'mips_fixes_5.0_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux · 5d5c303e
      Linus Torvalds 提交于
      Pull MIPS fixes from Paul Burton:
      
       - Fix IPI handling for Lantiq SoCs, which was broken by changes made
         back in v4.12.
      
       - Enable OF/DT serial support in ath79_defconfig to give us working
         serial by default.
      
       - Fix 64b builds for the Jazz platform.
      
       - Set up a struct device for the BCM47xx SoC to allow BCM47xx drivers
         to perform DMA again following the major DMA mapping changes made in
         v4.19.
      
       - Disable MSI on Cavium Octeon systems when the pcie_disable command
         line parameter introduced in v3.3 is used, in order to avoid
         inadvetently accessing PCIe controller registers despite the command
         line.
      
       - Fix a build failure for Cavium Octeon kernels with kexec enabled,
         introduced in v4.20.
      
       - Fix a regression in the behaviour of semctl/shmctl/msgctl IPC
         syscalls for kernels including n32 support but not o32 support caused
         by some cleanup in v3.19.
      
      * tag 'mips_fixes_5.0_2' of git://git.kernel.org/pub/scm/linux/kernel/git/mips/linux:
        MIPS: OCTEON: fix kexec support
        mips: fix n32 compat_ipc_parse_version
        Disable MSI also when pcie-octeon.pcie_disable on
        MIPS: BCM47XX: Setup struct device for the SoC
        MIPS: jazz: fix 64bit build
        MIPS: ath79: Enable OF serial ports in the default config
        MIPS: lantiq: Use CP0_LEGACY_COMPARE_IRQ
        MIPS: lantiq: Fix IPI interrupt handling
      5d5c303e
    • L
      Merge tag 'devicetree-fixes-for-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 6a0141a0
      Linus Torvalds 提交于
      Pull Devicetree fix from Rob Herring:
       "A single build fix for powerpc due to device_node.type removal"
      
      * tag 'devicetree-fixes-for-5.0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        powerpc: chrp: Use of_node_is_type to access device_type
      6a0141a0
    • L
      Merge tag 'libnvdimm-fixes-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 26caabbc
      Linus Torvalds 提交于
      Pull libnvdimm fixes from Dan Williams:
       "A crash fix, a build warning fix, a miscellaneous small cleanups.
      
        In case anyone is looking for them, there was a regression caught by
        testing that caused two patches to be dropped from this update.  Those
        patches have been reworked and will soak for another week / re-target
        5.0-rc4.
      
         - Fix driver initialization crash due to the inability to report an
           'error' state for a DIMM's security capability.
      
         - Build warning fix for little-endian ARM64 builds
      
         - Fix a potential race between the EDAC driver's usage of the NFIT
           SMBIOS id for a DIMM and the driver shutdown path.
      
         - A small collection of one-line benign cleanups for duplicate
           variable assignments, a duplicate header include and a mis-typed
           function argument"
      
      * tag 'libnvdimm-fixes-5.0-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        libnvdimm/security: Fix nvdimm_security_state() state request selection
        acpi/nfit: Remove duplicate set nd_set in acpi_nfit_init_interleave_set()
        acpi/nfit: Fix race accessing memdev in nfit_get_smbios_id()
        libnvdimm/dimm: Fix security capability detection for non-Intel NVDIMMs
        nfit: Mark some functions as __maybe_unused
        ACPI/nfit: delete the function to_acpi_nfit_desc
        ACPI/nfit: delete the redundant header file
      26caabbc
    • L
      Merge tag 'linux-watchdog-5.0-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog · f403d718
      Linus Torvalds 提交于
      Pull watchdog fixes from Wim Van Sebroeck:
      
       - mt7621_wdt/rt2880_wdt: Fix compilation problem
      
       - tqmx86: Fix a couple IS_ERR() vs NULL bugs
      
      * tag 'linux-watchdog-5.0-rc-fixes' of git://www.linux-watchdog.org/linux-watchdog:
        watchdog: tqmx86: Fix a couple IS_ERR() vs NULL bugs
        watchdog: mt7621_wdt/rt2880_wdt: Fix compilation problem
      f403d718
    • L
      Merge tag 'nfs-for-5.0-2' of git://git.linux-nfs.org/projects/anna/linux-nfs · b0efca46
      Linus Torvalds 提交于
      Pull NFS client fixes from Anna Schumaker:
       "These are mostly fixes for SUNRPC bugs, with a single v4.2
        copy_file_range() fix mixed in.
      
        Stable bugfixes:
         - Fix TCP receive code on archs with flush_dcache_page()
      
        Other bugfixes:
         - Fix error code in rpcrdma_buffer_create()
         - Fix a double free in rpcrdma_send_ctxs_create()
         - Fix kernel BUG at kernel/cred.c:825
         - Fix unnecessary retry in nfs42_proc_copy_file_range()
         - Ensure rq_bytes_sent is reset before request transmission
         - Ensure we respect the RPCSEC_GSS sequence number limit
         - Address Kerberos performance/behavior regression"
      
      * tag 'nfs-for-5.0-2' of git://git.linux-nfs.org/projects/anna/linux-nfs:
        SUNRPC: Address Kerberos performance/behavior regression
        SUNRPC: Ensure we respect the RPCSEC_GSS sequence number limit
        SUNRPC: Ensure rq_bytes_sent is reset before request transmission
        NFSv4.2 fix unnecessary retry in nfs4_copy_file_range
        sunrpc: kernel BUG at kernel/cred.c:825!
        SUNRPC: Fix TCP receive code on archs with flush_dcache_page()
        xprtrdma: Double free in rpcrdma_sendctxs_create()
        xprtrdma: Fix error code in rpcrdma_buffer_create()
      b0efca46
    • L
      Merge tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi · 4d5f6e02
      Linus Torvalds 提交于
      Pull SCSI fixes from James Bottomley:
       "A set of 17 fixes. Most of these are minor or trivial.
      
        The one fix that may be serious is the isci one: the bug can cause hba
        parameters to be set from uninitialized memory. I don't think it's
        exploitable, but you never know"
      
      * tag 'scsi-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/jejb/scsi:
        scsi: cxgb4i: add wait_for_completion()
        scsi: qla1280: set 64bit coherent mask
        scsi: ufs: Fix geometry descriptor size
        scsi: megaraid_sas: Retry reads of outbound_intr_status reg
        scsi: qedi: Add ep_state for login completion on un-reachable targets
        scsi: ufs: Fix system suspend status
        scsi: qla2xxx: Use correct number of vectors for online CPUs
        scsi: hisi_sas: Set protection parameters prior to adding SCSI host
        scsi: tcmu: avoid cmd/qfull timers updated whenever a new cmd comes
        scsi: isci: initialize shost fully before calling scsi_add_host()
        scsi: lpfc: lpfc_sli: Mark expected switch fall-throughs
        scsi: smartpqi_init: fix boolean expression in pqi_device_remove_start
        scsi: core: Synchronize request queue PM status only on successful resume
        scsi: pm80xx: reduce indentation
        scsi: qla4xxx: check return code of qla4xxx_copy_from_fwddb_param
        scsi: megaraid_sas: correct an info message
        scsi: target/iscsi: fix error msg typo when create lio_qr_cache failed
        scsi: sd: Fix cache_type_store()
      4d5f6e02
    • L
      Merge tag 'for-linus-20190118' of git://git.kernel.dk/linux-block · 0facb892
      Linus Torvalds 提交于
      Pull block fixes from Jens Axboe:
      
       - block size setting fixes for loop/nbd (Jan Kara)
      
       - md bio_alloc_mddev() cleanup (Marcos)
      
       - Ensure we don't lose the REQ_INTEGRITY flag (Ming)
      
       - Two NVMe fixes by way of Christoph:
          - Fix NVMe IRQ calculation (Ming)
          - Uninitialized variable in nvmet-tcp (Sagi)
      
       - BFQ comment fix (Paolo)
      
       - License cleanup for recently added blk-mq-debugfs-zoned (Thomas)
      
      * tag 'for-linus-20190118' of git://git.kernel.dk/linux-block:
        block: Cleanup license notice
        nvme-pci: fix nvme_setup_irqs()
        nvmet-tcp: fix uninitialized variable access
        block: don't lose track of REQ_INTEGRITY flag
        blockdev: Fix livelocks on loop device
        nbd: Use set_blocksize() to set device blocksize
        md: Make bio_alloc_mddev use bio_alloc_bioset
        block, bfq: fix comments on __bfq_deactivate_entity
      0facb892
    • J
      clang-format: Update .clang-format with the latest for_each macro list · 99e309b6
      Jason Gunthorpe 提交于
      Re-run the shell fragment that generated the original list. In particular
      this adds the missing xarray related functions.
      Signed-off-by: NJason Gunthorpe <jgg@mellanox.com>
      Signed-off-by: NMiguel Ojeda <miguel.ojeda.sandonis@gmail.com>
      99e309b6
    • C
      net: phy: phy driver features are mandatory · 3e64cf7a
      Camelia Groza 提交于
      Since phy driver features became a link_mode bitmap, phy drivers that
      don't have a list of features configured will cause the kernel to crash
      when probed.
      
      Prevent the phy driver from registering if the features field is missing.
      
      Fixes: 719655a1 ("net: phy: Replace phy driver features u32 with link_mode bitmap")
      Reported-by: NScott Wood <oss@buserror.net>
      Signed-off-by: NCamelia Groza <camelia.groza@nxp.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      3e64cf7a
    • N
      isdn: avm: Fix string plus integer warning from Clang · 7afa81c5
      Nathan Chancellor 提交于
      A recent commit in Clang expanded the -Wstring-plus-int warning, showing
      some odd behavior in this file.
      
      drivers/isdn/hardware/avm/b1.c:426:30: warning: adding 'int' to a string does not append to the string [-Wstring-plus-int]
                      cinfo->version[j] = "\0\0" + 1;
                                          ~~~~~~~^~~
      drivers/isdn/hardware/avm/b1.c:426:30: note: use array indexing to silence this warning
                      cinfo->version[j] = "\0\0" + 1;
                                                 ^
                                          &      [  ]
      1 warning generated.
      
      This is equivalent to just "\0". Nick pointed out that it is smarter to
      use "" instead of "\0" because "" is used elsewhere in the kernel and
      can be deduplicated at the linking stage.
      
      Link: https://github.com/ClangBuiltLinux/linux/issues/309Suggested-by: NNick Desaulniers <ndesaulniers@google.com>
      Signed-off-by: NNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7afa81c5
    • R
      powerpc: chrp: Use of_node_is_type to access device_type · 75a080cd
      Rob Herring 提交于
      Commit 8ce5f841 ("of: Remove struct device_node.type pointer")
      removed struct device_node.type pointer, but the conversion to use
      of_node_is_type() accessor was missed in chrp_init_IRQ().
      
      Fixes: 8ce5f841 ("of: Remove struct device_node.type pointer")
      Reported-by: Nkbuild test robot <lkp@intel.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: linuxppc-dev@lists.ozlabs.org
      Acked-by: NMichael Ellerman <mpe@ellerman.id.au>
      Signed-off-by: NRob Herring <robh@kernel.org>
      75a080cd