1. 16 10月, 2018 13 次提交
    • T
      tipc: fix unsafe rcu locking when accessing publication list · d3092b2e
      Tung Nguyen 提交于
      The binding table's 'cluster_scope' list is rcu protected to handle
      races between threads changing the list and those traversing the list at
      the same moment. We have now found that the function named_distribute()
      uses the regular list_for_each() macro to traverse the said list.
      Likewise, the function tipc_named_withdraw() is removing items from the
      same list using the regular list_del() call. When these two functions
      execute in parallel we see occasional crashes.
      
      This commit fixes this by adding the missing _rcu() suffixes.
      Signed-off-by: NTung Nguyen <tung.q.nguyen@dektech.com.au>
      Signed-off-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d3092b2e
    • D
      rxrpc: Fix incorrect conditional on IPV6 · 7ec8dc96
      David Howells 提交于
      The udpv6_encap_enable() function is part of the ipv6 code, and if that is
      configured as a loadable module and rxrpc is built in then a build failure
      will occur because the conditional check is wrong:
      
        net/rxrpc/local_object.o: In function `rxrpc_lookup_local':
        local_object.c:(.text+0x2688): undefined reference to `udpv6_encap_enable'
      
      Use the correct config symbol (CONFIG_AF_RXRPC_IPV6) in the conditional
      check rather than CONFIG_IPV6 as that will do the right thing.
      
      Fixes: 5271953c ("rxrpc: Use the UDP encap_rcv hook")
      Reported-by: kbuild-all@01.org
      Reported-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Reviewed-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      7ec8dc96
    • S
      ipv6: rate-limit probes for neighbourless routes · f547fac6
      Sabrina Dubroca 提交于
      When commit 27097255 ("[IPV6]: ROUTE: Add Router Reachability
      Probing (RFC4191).") introduced router probing, the rt6_probe() function
      required that a neighbour entry existed. This neighbour entry is used to
      record the timestamp of the last probe via the ->updated field.
      
      Later, commit 2152caea ("ipv6: Do not depend on rt->n in rt6_probe().")
      removed the requirement for a neighbour entry. Neighbourless routes skip
      the interval check and are not rate-limited.
      
      This patch adds rate-limiting for neighbourless routes, by recording the
      timestamp of the last probe in the fib6_info itself.
      
      Fixes: 2152caea ("ipv6: Do not depend on rt->n in rt6_probe().")
      Signed-off-by: NSabrina Dubroca <sd@queasysnail.net>
      Reviewed-by: NStefano Brivio <sbrivio@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      f547fac6
    • F
      net: bcmgenet: Poll internal PHY for GENETv5 · 64bd9c81
      Florian Fainelli 提交于
      On GENETv5, there is a hardware issue which prevents the GENET hardware
      from generating a link UP interrupt when the link is operating at
      10Mbits/sec. Since we do not have any way to configure the link
      detection logic, fallback to polling in that case.
      
      Fixes: 42138085 ("net: bcmgenet: add support for the GENETv5 hardware")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      64bd9c81
    • Y
      rxrpc: use correct kvec num when sending BUSY response packet · d6672a5a
      YueHaibing 提交于
      Fixes gcc '-Wunused-but-set-variable' warning:
      
      net/rxrpc/output.c: In function 'rxrpc_reject_packets':
      net/rxrpc/output.c:527:11: warning:
       variable 'ioc' set but not used [-Wunused-but-set-variable]
      
      'ioc' is the correct kvec num when sending a BUSY (or an ABORT) response
      packet.
      
      Fixes: ece64fec ("rxrpc: Emit BUSY packets when supposed to rather than ABORTs")
      Signed-off-by: NYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d6672a5a
    • D
      rxrpc: Fix an uninitialised variable · d7b4c24f
      David Howells 提交于
      Fix an uninitialised variable introduced by the last patch.  This can cause
      a crash when a new call comes in to a local service, such as when an AFS
      fileserver calls back to the local cache manager.
      
      Fixes: c1e15b49 ("rxrpc: Fix the packet reception routine")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d7b4c24f
    • J
      tipc: initialize broadcast link stale counter correctly · 4af00f4c
      Jon Maloy 提交于
      In the commit referred to below we added link tolerance as an additional
      criteria for declaring broadcast transmission "stale" and resetting the
      unicast links to the affected node.
      
      Unfortunately, this 'improvement' introduced two bugs, which each and
      one alone cause only limited problems, but combined lead to seemingly
      stochastic unicast link resets, depending on the amount of broadcast
      traffic transmitted.
      
      The first issue, a missing initialization of the 'tolerance' field of
      the receiver broadcast link, was recently fixed by commit 047491ea
      ("tipc: set link tolerance correctly in broadcast link").
      
      Ths second issue, where we omit to reset the 'stale_cnt' field of
      the same link after a 'stale' period is over, leads to this counter
      accumulating over time, and in the absence of the 'tolerance' criteria
      leads to the above described symptoms. This commit adds the missing
      initialization.
      
      Fixes: a4dc70d4 ("tipc: extend link reset criteria for stale packet retransmission")
      Signed-off-by: NJon Maloy <jon.maloy@ericsson.com>
      Acked-by: NYing Xue <ying.xue@windriver.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4af00f4c
    • C
      llc: set SOCK_RCU_FREE in llc_sap_add_socket() · 5a8e7aea
      Cong Wang 提交于
      WHen an llc sock is added into the sk_laddr_hash of an llc_sap,
      it is not marked with SOCK_RCU_FREE.
      
      This causes that the sock could be freed while it is still being
      read by __llc_lookup_established() with RCU read lock. sock is
      refcounted, but with RCU read lock, nothing prevents the readers
      getting a zero refcnt.
      
      Fix it by setting SOCK_RCU_FREE in llc_sap_add_socket().
      
      Reported-by: syzbot+11e05f04c15e03be5254@syzkaller.appspotmail.com
      Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5a8e7aea
    • D
      Merge tag 'mlx5-fixes-2018-10-10' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · d0f068e5
      David S. Miller 提交于
      Saeed Mahameed says:
      
      ====================
      Mellanox, mlx5 fixes 2018-10-10
      
      This pull request includes some fixes to mlx5 driver,
      Please pull and let me know if there's any problem.
      
      For -stable v4.11:
      ('net/mlx5: Take only bit 24-26 of wqe.pftype_wq for page fault type')
      For -stable v4.17:
      ('net/mlx5: Fix memory leak when setting fpga ipsec caps')
      For -stable v4.18:
      ('net/mlx5: WQ, fixes for fragmented WQ buffers API')
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d0f068e5
    • D
      net/sched: cls_api: add missing validation of netlink attributes · e331473f
      Davide Caratti 提交于
      Similarly to what has been done in 8b4c3cdd ("net: sched: Add policy
      validation for tc attributes"), fix classifier code to add validation of
      TCA_CHAIN and TCA_KIND netlink attributes.
      
      tested with:
       # ./tdc.py -c filter
      
      v2: Let sch_api and cls_api share nla_policy they have in common, thanks
          to David Ahern.
      v3: Avoid EXPORT_SYMBOL(), as validation of those attributes is not done
          by TC modules, thanks to Cong Wang.
          While at it, restore the 'Delete / get qdisc' comment to its orginal
          position, just above tc_get_qdisc() function prototype.
      
      Fixes: 5bc17018 ("net: sched: introduce multichain support for filters")
      Signed-off-by: NDavide Caratti <dcaratti@redhat.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      e331473f
    • W
      ethtool: fix a privilege escalation bug · 58f5bbe3
      Wenwen Wang 提交于
      In dev_ethtool(), the eth command 'ethcmd' is firstly copied from the
      use-space buffer 'useraddr' and checked to see whether it is
      ETHTOOL_PERQUEUE. If yes, the sub-command 'sub_cmd' is further copied from
      the user space. Otherwise, 'sub_cmd' is the same as 'ethcmd'. Next,
      according to 'sub_cmd', a permission check is enforced through the function
      ns_capable(). For example, the permission check is required if 'sub_cmd' is
      ETHTOOL_SCOALESCE, but it is not necessary if 'sub_cmd' is
      ETHTOOL_GCOALESCE, as suggested in the comment "Allow some commands to be
      done by anyone". The following execution invokes different handlers
      according to 'ethcmd'. Specifically, if 'ethcmd' is ETHTOOL_PERQUEUE,
      ethtool_set_per_queue() is called. In ethtool_set_per_queue(), the kernel
      object 'per_queue_opt' is copied again from the user-space buffer
      'useraddr' and 'per_queue_opt.sub_command' is used to determine which
      operation should be performed. Given that the buffer 'useraddr' is in the
      user space, a malicious user can race to change the sub-command between the
      two copies. In particular, the attacker can supply ETHTOOL_PERQUEUE and
      ETHTOOL_GCOALESCE to bypass the permission check in dev_ethtool(). Then
      before ethtool_set_per_queue() is called, the attacker changes
      ETHTOOL_GCOALESCE to ETHTOOL_SCOALESCE. In this way, the attacker can
      bypass the permission check and execute ETHTOOL_SCOALESCE.
      
      This patch enforces a check in ethtool_set_per_queue() after the second
      copy from 'useraddr'. If the sub-command is different from the one obtained
      in the first copy in dev_ethtool(), an error code EINVAL will be returned.
      
      Fixes: f38d138a ("net/ethtool: support set coalesce per queue")
      Signed-off-by: NWenwen Wang <wang6495@umn.edu>
      Reviewed-by: NMichal Kubecek <mkubecek@suse.cz>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      58f5bbe3
    • W
      ethtool: fix a missing-check bug · 2bb3207d
      Wenwen Wang 提交于
      In ethtool_get_rxnfc(), the eth command 'cmd' is compared against
      'ETHTOOL_GRXFH' to see whether it is necessary to adjust the variable
      'info_size'. Then the whole structure of 'info' is copied from the
      user-space buffer 'useraddr' with 'info_size' bytes. In the following
      execution, 'info' may be copied again from the buffer 'useraddr' depending
      on the 'cmd' and the 'info.flow_type'. However, after these two copies,
      there is no check between 'cmd' and 'info.cmd'. In fact, 'cmd' is also
      copied from the buffer 'useraddr' in dev_ethtool(), which is the caller
      function of ethtool_get_rxnfc(). Given that 'useraddr' is in the user
      space, a malicious user can race to change the eth command in the buffer
      between these copies. By doing so, the attacker can supply inconsistent
      data and cause undefined behavior because in the following execution 'info'
      will be passed to ops->get_rxnfc().
      
      This patch adds a necessary check on 'info.cmd' and 'cmd' to confirm that
      they are still same after the two copies in ethtool_get_rxnfc(). Otherwise,
      an error code EINVAL will be returned.
      Signed-off-by: NWenwen Wang <wang6495@umn.edu>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2bb3207d
    • J
      r8169: Enable MSI-X on RTL8106e · d49c88d7
      Jian-Hong Pan 提交于
      Originally, we have an issue where r8169 MSI-X interrupt is broken after
      S3 suspend/resume on RTL8106e of ASUS X441UAR.
      
      02:00.0 Ethernet controller [0200]: Realtek Semiconductor Co., Ltd.
      RTL8101/2/6E PCI Express Fast/Gigabit Ethernet controller [10ec:8136]
      (rev 07)
      	Subsystem: ASUSTeK Computer Inc. RTL810xE PCI Express Fast
      Ethernet controller [1043:200f]
      	Flags: bus master, fast devsel, latency 0, IRQ 16
      	I/O ports at e000 [size=256]
      	Memory at ef100000 (64-bit, non-prefetchable) [size=4K]
      	Memory at e0000000 (64-bit, prefetchable) [size=16K]
      	Capabilities: [40] Power Management version 3
      	Capabilities: [50] MSI: Enable- Count=1/1 Maskable- 64bit+
      	Capabilities: [70] Express Endpoint, MSI 01
      	Capabilities: [b0] MSI-X: Enable+ Count=4 Masked-
      	Capabilities: [d0] Vital Product Data
      	Capabilities: [100] Advanced Error Reporting
      	Capabilities: [140] Virtual Channel
      	Capabilities: [160] Device Serial Number 01-00-00-00-36-4c-e0-00
      	Capabilities: [170] Latency Tolerance Reporting
      	Kernel driver in use: r8169
      	Kernel modules: r8169
      
      We found the all of the values in PCI BAR=4 of the ethernet adapter
      become 0xFF after system resumes.  That breaks the MSI-X interrupt.
      Therefore, we can only fall back to MSI interrupt to fix the issue at
      that time.
      
      However, there is a commit which resolves the drivers getting nothing in
      PCI BAR=4 after system resumes.  It is 04cb3ae895d7 "PCI: Reprogram
      bridge prefetch registers on resume" by Daniel Drake.
      
      After apply the patch, the ethernet adapter works fine before suspend
      and after resume.  So, we can revert the workaround after the commit
      "PCI: Reprogram bridge prefetch registers on resume" is merged into main
      tree.
      
      This patch reverts commit 7bb05b85
      "r8169: don't use MSI-X on RTL8106e".
      
      Buglink: https://bugzilla.kernel.org/show_bug.cgi?id=201181
      Fixes: 7bb05b85 ("r8169: don't use MSI-X on RTL8106e")
      Signed-off-by: NJian-Hong Pan <jian-hong@endlessm.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      d49c88d7
  2. 15 10月, 2018 1 次提交
    • D
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 028c99fa
      David S. Miller 提交于
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2018-10-14
      
      The following pull-request contains BPF updates for your *net* tree.
      
      The main changes are:
      
      1) Fix xsk map update and delete operation to not call synchronize_net()
         but to piggy back on SOCK_RCU_FREE for sockets instead as we are not
         allowed to sleep under RCU, from Björn.
      
      2) Do not change RLIMIT_MEMLOCK in reuseport_bpf selftest if the process
         already has unlimited RLIMIT_MEMLOCK, from Eric.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      028c99fa
  3. 12 10月, 2018 26 次提交
    • G
      Merge tag 'armsoc-fixes-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc · bab5c80b
      Greg Kroah-Hartman 提交于
      Arnd writes:
        "ARM: SoC fixes for 4.19
      
         Two last minute bugfixes, both for NXP platforms:
      
         * The Layerscape 'qbman' infrastructure suffers from probe ordering
           bugs in some configurations, a two-patch series adds a hotfix for
           this. 4.20 will have a longer set of patches to rework it.
      
         * The old imx53-qsb board regressed in 4.19 after the addition
           of cpufreq support, adding a set of explicit operating points
           fixes this."
      
      * tag 'armsoc-fixes-4.19' of git://git.kernel.org/pub/scm/linux/kernel/git/arm/arm-soc:
        soc: fsl: qman_portals: defer probe after qman's probe
        soc: fsl: qbman: add APIs to retrieve the probing status
        ARM: dts: imx53-qsb: disable 1.2GHz OPP
      bab5c80b
    • D
      afs: Fix afs_server struct leak · f014ffb0
      David Howells 提交于
      Fix a leak of afs_server structs.  The routine that installs them in the
      various lookup lists and trees gets a ref on leaving the function, whether
      it added the server or a server already exists.  It shouldn't increment
      the refcount if it added the server.
      
      The effect of this that "rmmod kafs" will hang waiting for the leaked
      server to become unused.
      
      Fixes: d2ddc776 ("afs: Overhaul volume and server record caching and fileserver rotation")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      f014ffb0
    • P
      MAINTAINERS: use the correct location for dt-bindings includes for mux · b40afc00
      Peter Rosin 提交于
      Just drop the "linux" part of the path, it was never correct.
      Reported-by: NJoe Perches <joe@perches.com>
      Fixes: 256ac037 ("dt-bindings: document devicetree bindings for mux-controllers and gpio-mux")
      Signed-off-by: NPeter Rosin <peda@axentia.se>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      b40afc00
    • P
      mux: adgs1408: use the correct MODULE_LICENSE · 38a12607
      Peter Rosin 提交于
      The file is GPL v2 or later.
      Acked-by: NMircea Caprioru <mircea.caprioru@analog.com>
      Signed-off-by: NPeter Rosin <peda@axentia.se>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      38a12607
    • D
      afs: Fix cell proc list · 6b3944e4
      David Howells 提交于
      Access to the list of cells by /proc/net/afs/cells has a couple of
      problems:
      
       (1) It should be checking against SEQ_START_TOKEN for the keying the
           header line.
      
       (2) It's only holding the RCU read lock, so it can't just walk over the
           list without following the proper RCU methods.
      
      Fix these by using an hlist instead of an ordinary list and using the
      appropriate accessor functions to follow it with RCU.
      
      Since the code that adds a cell to the list must also necessarily change,
      sort the list on insertion whilst we're at it.
      
      Fixes: 989782dc ("afs: Overhaul cell database management")
      Signed-off-by: NDavid Howells <dhowells@redhat.com>
      Signed-off-by: NGreg Kroah-Hartman <gregkh@linuxfoundation.org>
      6b3944e4
    • G
      Merge tag 'mmc-v4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · 4ea07abb
      Greg Kroah-Hartman 提交于
      Ulf writes:
         "MMC core:
          - Avoid fragile multiblock reads for the last sector in SPI mode
          WIFI/SDIO:
          - libertas: Fixup suspend sequence for the SDIO card"
      
      * tag 'mmc-v4.19-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        libertas: call into generic suspend code before turning off power
        mmc: block: avoid multiblock reads for the last sector in SPI mode
      4ea07abb
    • G
      Merge tag 'gpio-v4.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio · 60bd7be7
      Greg Kroah-Hartman 提交于
      Linus writes:
        "GPIO fix for the v4.19 series:
         - Fix up the interrupt parent for the irqdomains."
      
      * tag 'gpio-v4.19-4' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
        gpio: Assign gpio_irq_chip::parents to non-stack pointer
      60bd7be7
    • G
      Merge tag 'pinctrl-v4.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl · ef0e75a4
      Greg Kroah-Hartman 提交于
      Linus writes:
        "pin control fix for v4.19:
      
         A single pin control fix for v4.19:
         - Interrupt setup in the MCP23S08 driver."
      
      * tag 'pinctrl-v4.19-5' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl:
        pinctrl: mcp23s08: fix irq and irqchip setup order
      ef0e75a4
    • G
      Merge tag 'mtd/fixes-for-4.19-rc8' of git://git.infradead.org/linux-mtd · a291ab2d
      Greg Kroah-Hartman 提交于
      Boris writes:
        "mdt: fix for 4.19-rc8
      
         * Fix a stack overflow in lib/bch.c"
      
      * tag 'mtd/fixes-for-4.19-rc8' of git://git.infradead.org/linux-mtd:
        lib/bch: fix possible stack overrun
      a291ab2d
    • G
      Merge tag 'drm-fixes-2018-10-12-1' of git://anongit.freedesktop.org/drm/drm · 62d2e531
      Greg Kroah-Hartman 提交于
      Dave writes:
        "drm fixes for 4.19-rc8
      
         single nouveau runtime reference and mst change"
      
      * tag 'drm-fixes-2018-10-12-1' of git://anongit.freedesktop.org/drm/drm:
        drm/nouveau/drm/nouveau: Grab runtime PM ref in nv50_mstc_detect()
      62d2e531
    • G
      Merge tag 'for-gkh' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · c789174b
      Greg Kroah-Hartman 提交于
      Doug writes:
        "RDMA fixes:
      
         Final for-rc pull request for 4.19
      
         We only have one bug to submit this time around.  It fixes a DMA
         unmap issue where we unmapped the DMA address from the IOMMU before
         we did from the card, resulting in a DMAR error with IOMMU enabled,
         or possible crash without."
      
      * tag 'for-gkh' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        IB/mlx5: Unmap DMA addr from HCA before IOMMU
      c789174b
    • G
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · eb81bfb2
      Greg Kroah-Hartman 提交于
      Dmitry writes:
        "Input updates for v4.19-rc7
      
         - we added a few scheduling points into various input interfaces to
           ensure that large writes will not cause RCU stalls
         - fixed configuring PS/2 keyboards as wakeup devices on newer
           platforms
         - added a new Xbox gamepad ID."
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: uinput - add a schedule point in uinput_inject_events()
        Input: evdev - add a schedule point in evdev_write()
        Input: mousedev - add a schedule point in mousedev_write()
        Input: i8042 - enable keyboard wakeups by default when s2idle is used
        Input: xpad - add support for Xbox1 PDP Camo series gamepad
      eb81bfb2
    • G
      Merge tag 'next-fixes-20181012' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes · 0c53b6a5
      Greg Kroah-Hartman 提交于
      Stephen writes:
        "A couple of warning fixes:
      
        Two fixes from Peter Oberparleiter <oberpar@linux.ibm.com>:
          Commit 6b7dca40 ("tracing: Allow gcov profiling on only ftrace subsystem")
         uncovered linker problems when using gcov kernel profiling on some
         architectures. These problems were likely introduced earlier, and are
         possibly related to compiler changes."
      
      * tag 'next-fixes-20181012' of git://git.kernel.org/pub/scm/linux/kernel/git/sfr/next-fixes:
        vmlinux.lds.h: Fix linker warnings about orphan .LPBX sections
        vmlinux.lds.h: Fix incomplete .text.exit discards
      0c53b6a5
    • A
      lib/bch: fix possible stack overrun · f0fe77f6
      Arnd Bergmann 提交于
      The previous patch introduced very large kernel stack usage and a Makefile
      change to hide the warning about it.
      
      From what I can tell, a number of things went wrong here:
      
      - The BCH_MAX_T constant was set to the maximum value for 'n',
        not the maximum for 't', which is much smaller.
      
      - The stack usage is actually larger than the entire kernel stack
        on some architectures that can use 4KB stacks (m68k, sh, c6x), which
        leads to an immediate overrun.
      
      - The justification in the patch description claimed that nothing
        changed, however that is not the case even without the two points above:
        the configuration is machine specific, and most boards  never use the
        maximum BCH_ECC_WORDS() length but instead have something much smaller.
        That maximum would only apply to machines that use both the maximum
        block size and the maximum ECC strength.
      
      The largest value for 't' that I could find is '32', which in turn leads
      to a 60 byte array instead of 2048 bytes. Making it '64' for future
      extension seems also worthwhile, with 120 bytes for the array. Anything
      larger won't fit into the OOB area on NAND flash.
      
      With that changed, the warning can be enabled again.
      
      Only linux-4.19+ contains the breakage, so this is only needed
      as a stable backport if it does not make it into the release.
      
      Fixes: 02361bc7 ("lib/bch: Remove VLA usage")
      Reported-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Cc: stable@vger.kernel.org
      Signed-off-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NBoris Brezillon <boris.brezillon@bootlin.com>
      f0fe77f6
    • G
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 90ad1841
      Greg Kroah-Hartman 提交于
      David writes:
        "Networking
      
         1) RXRPC receive path fixes from David Howells.
      
         2) Re-export __skb_recv_udp(), from Jiri Kosina.
      
         3) Fix refcounting in u32 classificer, from Al Viro.
      
         4) Userspace netlink ABI fixes from Eugene Syromiatnikov.
      
         5) Don't double iounmap on rmmod in ena driver, from Arthur
            Kiyanovski.
      
         6) Fix devlink string attribute handling, we must pull a copy into a
            kernel buffer if the lifetime extends past the netlink request.
            From Moshe Shemesh.
      
         7) Fix hangs in RDS, from Ka-Cheong Poon.
      
         8) Fix recursive locking lockdep warnings in tipc, from Ying Xue.
      
         9) Clear RX irq correctly in socionext, from Ilias Apalodimas.
      
         10) bcm_sf2 fixes from Florian Fainelli."
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (38 commits)
        net: dsa: bcm_sf2: Call setup during switch resume
        net: dsa: bcm_sf2: Fix unbind ordering
        net: phy: sfp: remove sfp_mutex's definition
        r8169: set RX_MULTI_EN bit in RxConfig for 8168F-family chips
        net: socionext: clear rx irq correctly
        net/mlx4_core: Fix warnings during boot on driverinit param set failures
        tipc: eliminate possible recursive locking detected by LOCKDEP
        selftests: udpgso_bench.sh explicitly requires bash
        selftests: rtnetlink.sh explicitly requires bash.
        qmi_wwan: Added support for Gemalto's Cinterion ALASxx WWAN interface
        tipc: queue socket protocol error messages into socket receive buffer
        tipc: set link tolerance correctly in broadcast link
        net: ipv4: don't let PMTU updates increase route MTU
        net: ipv4: update fnhe_pmtu when first hop's MTU changes
        net/ipv6: stop leaking percpu memory in fib6 info
        rds: RDS (tcp) hangs on sendto() to unresponding address
        net: make skb_partial_csum_set() more robust against overflows
        devlink: Add helper function for safely copy string param
        devlink: Fix param cmode driverinit for string type
        devlink: Fix param set handling for string type
        ...
      90ad1841
    • D
      Merge branch 'net-dsa-bcm_sf2-Couple-of-fixes' · 6b9bab55
      David S. Miller 提交于
      Florian Fainelli says:
      
      ====================
      net: dsa: bcm_sf2: Couple of fixes
      
      Here are two fixes for the bcm_sf2 driver that were found during
      testing unbind and analysing another issue during system
      suspend/resume.
      ====================
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      6b9bab55
    • F
      net: dsa: bcm_sf2: Call setup during switch resume · 54baca09
      Florian Fainelli 提交于
      There is no reason to open code what the switch setup function does, in
      fact, because we just issued a switch reset, we would make all the
      register get their default values, including for instance, having unused
      port be enabled again and wasting power and leading to an inappropriate
      switch core clock being selected.
      
      Fixes: 8cfa9498 ("net: dsa: bcm_sf2: add suspend/resume callbacks")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      54baca09
    • F
      net: dsa: bcm_sf2: Fix unbind ordering · bf3b452b
      Florian Fainelli 提交于
      The order in which we release resources is unfortunately leading to bus
      errors while dismantling the port. This is because we set
      priv->wol_ports_mask to 0 to tell bcm_sf2_sw_suspend() that it is now
      permissible to clock gate the switch. Later on, when dsa_slave_destroy()
      comes in from dsa_unregister_switch() and calls
      dsa_switch_ops::port_disable, we perform the same dismantling again, and
      this time we hit registers that are clock gated.
      
      Make sure that dsa_unregister_switch() is the first thing that happens,
      which takes care of releasing all user visible resources, then proceed
      with clock gating hardware. We still need to set priv->wol_ports_mask to
      0 to make sure that an enabled port properly gets disabled in case it
      was previously used as part of Wake-on-LAN.
      
      Fixes: d9338023 ("net: dsa: bcm_sf2: Make it a real platform device driver")
      Signed-off-by: NFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      bf3b452b
    • P
      vmlinux.lds.h: Fix linker warnings about orphan .LPBX sections · 52c8ee5b
      Peter Oberparleiter 提交于
      Enabling both CONFIG_LD_DEAD_CODE_DATA_ELIMINATION=y and
      CONFIG_GCOV_PROFILE_ALL=y results in linker warnings:
      
        warning: orphan section `.data..LPBX1' being placed in
        section `.data..LPBX1'.
      
      LD_DEAD_CODE_DATA_ELIMINATION adds compiler flag -fdata-sections. This
      option causes GCC to create separate data sections for data objects,
      including those generated by GCC internally for gcov profiling. The
      names of these objects start with a dot (.LPBX0, .LPBX1), resulting in
      section names starting with 'data..'.
      
      As section names starting with 'data..' are used for specific purposes
      in the Linux kernel, the linker script does not automatically include
      them in the output data section, resulting in the "orphan section"
      linker warnings.
      
      Fix this by specifically including sections named "data..LPBX*" in the
      data section.
      Reported-by: NStephen Rothwell <sfr@canb.auug.org.au>
      Tested-by: NStephen Rothwell <sfr@canb.auug.org.au>
      Tested-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: NArnd Bergmann <arnd@arndb.de>
      Signed-off-by: NPeter Oberparleiter <oberpar@linux.ibm.com>
      Signed-off-by: NStephen Rothwell <sfr@canb.auug.org.au>
      52c8ee5b
    • P
      vmlinux.lds.h: Fix incomplete .text.exit discards · 8dcf86ca
      Peter Oberparleiter 提交于
      Enabling CONFIG_GCOV_PROFILE_ALL=y causes linker errors on ARM:
      
        `.text.exit' referenced in section `.ARM.exidx.text.exit':
        defined in discarded section `.text.exit'
      
        `.text.exit' referenced in section `.fini_array.00100':
        defined in discarded section `.text.exit'
      
      And related errors on NDS32:
      
        `.text.exit' referenced in section `.dtors.65435':
        defined in discarded section `.text.exit'
      
      The gcov compiler flags cause certain compiler versions to generate
      additional destructor-related sections that are not yet handled by the
      linker script, resulting in references between discarded and
      non-discarded sections.
      
      Since destructors are not used in the Linux kernel, fix this by
      discarding these additional sections.
      Reported-by: NArnd Bergmann <arnd@arndb.de>
      Tested-by: NArnd Bergmann <arnd@arndb.de>
      Acked-by: NArnd Bergmann <arnd@arndb.de>
      Reported-by: NGreentime Hu <green.hu@gmail.com>
      Tested-by: NMasami Hiramatsu <mhiramat@kernel.org>
      Signed-off-by: NPeter Oberparleiter <oberpar@linux.ibm.com>
      Signed-off-by: NStephen Rothwell <sfr@canb.auug.org.au>
      8dcf86ca
    • S
      net: phy: sfp: remove sfp_mutex's definition · 05285866
      Sebastian Andrzej Siewior 提交于
      The sfp_mutex variable is defined but never used in this file. Not even
      in the commit that introduced that variable.
      
      Remove sfp_mutex, it has no purpose.
      
      Cc: Andrew Lunn <andrew@lunn.ch>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: NSebastian Andrzej Siewior <bigeasy@linutronix.de>
      Reviewed-by: NAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      05285866
    • M
      r8169: set RX_MULTI_EN bit in RxConfig for 8168F-family chips · 511cfd58
      Maciej S. Szmigiero 提交于
      It has been reported that since
      commit 05212ba8 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices")
      at least RTL_GIGA_MAC_VER_38 NICs work erratically after a resume from
      suspend.
      The problem has been traced to a missing RX_MULTI_EN bit in the RxConfig
      register.
      We already set this bit for RTL_GIGA_MAC_VER_35 NICs of the same 8168F
      chip family so let's do it also for its other siblings: RTL_GIGA_MAC_VER_36
      and RTL_GIGA_MAC_VER_38.
      
      Curiously, the NIC seems to work fine after a system boot without having
      this bit set as long as the system isn't suspended and resumed.
      
      Fixes: 05212ba8 ("r8169: set RxConfig after tx/rx is enabled for RTL8169sb/8110sb devices")
      Reported-by: NChris Clayton <chris2553@googlemail.com>
      Signed-off-by: NMaciej S. Szmigiero <mail@maciej.szmigiero.name>
      Reviewed-by: NHeiner Kallweit <hkallweit1@gmail.com>
      Tested-by: NChris Clayton <chris2553@googlemail.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      511cfd58
    • I
      net: socionext: clear rx irq correctly · 2a1e89df
      Ilias Apalodimas 提交于
      commit 63ae7949 ("net: socionext: Use descriptor info instead of MMIO reads on Rx")
      removed constant mmio reads from the driver and started using a descriptor
      field to check if packet should be processed.
      This lead the napi rx handler being constantly called while no packets
      needed processing and ksoftirq getting 100% cpu usage. Issue one mmio read
      to clear the irq correcty after processing packets
      Signed-off-by: NIlias Apalodimas <ilias.apalodimas@linaro.org>
      Reported-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Tested-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Acked-by: NArd Biesheuvel <ard.biesheuvel@linaro.org>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      2a1e89df
    • M
      net/mlx4_core: Fix warnings during boot on driverinit param set failures · 26450608
      Moshe Shemesh 提交于
      During boot, mlx4_core sets the driverinit configuration parameters and
      updates the devlink module on the initial values calling
      devlink_param_driverinit_value_set().
      If devlink_param_driverinit_value_set() returns an error mlx4_core
      reports kernel module warning.
      
      This caused false alarm during boot in case kernel was compiled with
      CONFIG_NET_DEVLINK off.
      Fix by removing warning reported in case
      devlink_param_driverinit_value_set() fails.
      
      This actually makes the function mlx4_devlink_set_init_value()
      redundant to using directly devlink_param_driverinit_value_set() and so
      removed.
      
      It fixes the following kernel trace:
      
       mlx4_core 0000:00:06.0: devlink set parameter 0 value failed (err = -95)
       mlx4_core 0000:00:06.0: devlink set parameter 1 value failed (err = -95)
       mlx4_core 0000:00:06.0: devlink set parameter 4 value failed (err = -95)
       mlx4_core 0000:00:06.0: devlink set parameter 5 value failed (err = -95)
       mlx4_core 0000:00:06.0: devlink set parameter 3 value failed (err = -95)
      
      Fixes: bd1b51dc ("mlx4: Add mlx4 initial parameters table and register it")
      Signed-off-by: NMoshe Shemesh <moshe@mellanox.com>
      Signed-off-by: NTariq Toukan <tariqt@mellanox.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      26450608
    • G
      Merge branch 'for-4.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup · 0778a9f2
      Greg Kroah-Hartman 提交于
      Tejun writes:
        "cgroup fixes for v4.19-rc7
      
         One cgroup2 threaded mode fix for v4.19-rc7.  While threaded mode
         isn't used widely (yet) and the bug requires somewhat convoluted
         sequence of operations, it causes a userland visible malfunction -
         EINVAL on a valid attempt to enable threaded mode.  This pull request
         contains the fix"
      
      * 'for-4.19-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/tj/cgroup:
        cgroup: Fix dom_cgrp propagation when enabling threaded mode
      0778a9f2
    • Y
      tipc: eliminate possible recursive locking detected by LOCKDEP · a1f8dd34
      Ying Xue 提交于
      When booting kernel with LOCKDEP option, below warning info was found:
      
      WARNING: possible recursive locking detected
      4.19.0-rc7+ #14 Not tainted
      --------------------------------------------
      swapper/0/1 is trying to acquire lock:
      00000000dcfc0fc8 (&(&list->lock)->rlock#4){+...}, at: spin_lock_bh
      include/linux/spinlock.h:334 [inline]
      00000000dcfc0fc8 (&(&list->lock)->rlock#4){+...}, at:
      tipc_link_reset+0x125/0xdf0 net/tipc/link.c:850
      
      but task is already holding lock:
      00000000cbb9b036 (&(&list->lock)->rlock#4){+...}, at: spin_lock_bh
      include/linux/spinlock.h:334 [inline]
      00000000cbb9b036 (&(&list->lock)->rlock#4){+...}, at:
      tipc_link_reset+0xfa/0xdf0 net/tipc/link.c:849
      
      other info that might help us debug this:
       Possible unsafe locking scenario:
      
             CPU0
             ----
        lock(&(&list->lock)->rlock#4);
        lock(&(&list->lock)->rlock#4);
      
       *** DEADLOCK ***
      
       May be due to missing lock nesting notation
      
      2 locks held by swapper/0/1:
       #0: 00000000f7539d34 (pernet_ops_rwsem){+.+.}, at:
      register_pernet_subsys+0x19/0x40 net/core/net_namespace.c:1051
       #1: 00000000cbb9b036 (&(&list->lock)->rlock#4){+...}, at:
      spin_lock_bh include/linux/spinlock.h:334 [inline]
       #1: 00000000cbb9b036 (&(&list->lock)->rlock#4){+...}, at:
      tipc_link_reset+0xfa/0xdf0 net/tipc/link.c:849
      
      stack backtrace:
      CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0-rc7+ #14
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0x1af/0x295 lib/dump_stack.c:113
       print_deadlock_bug kernel/locking/lockdep.c:1759 [inline]
       check_deadlock kernel/locking/lockdep.c:1803 [inline]
       validate_chain kernel/locking/lockdep.c:2399 [inline]
       __lock_acquire+0xf1e/0x3c60 kernel/locking/lockdep.c:3411
       lock_acquire+0x1db/0x520 kernel/locking/lockdep.c:3900
       __raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
       _raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:168
       spin_lock_bh include/linux/spinlock.h:334 [inline]
       tipc_link_reset+0x125/0xdf0 net/tipc/link.c:850
       tipc_link_bc_create+0xb5/0x1f0 net/tipc/link.c:526
       tipc_bcast_init+0x59b/0xab0 net/tipc/bcast.c:521
       tipc_init_net+0x472/0x610 net/tipc/core.c:82
       ops_init+0xf7/0x520 net/core/net_namespace.c:129
       __register_pernet_operations net/core/net_namespace.c:940 [inline]
       register_pernet_operations+0x453/0xac0 net/core/net_namespace.c:1011
       register_pernet_subsys+0x28/0x40 net/core/net_namespace.c:1052
       tipc_init+0x83/0x104 net/tipc/core.c:140
       do_one_initcall+0x109/0x70a init/main.c:885
       do_initcall_level init/main.c:953 [inline]
       do_initcalls init/main.c:961 [inline]
       do_basic_setup init/main.c:979 [inline]
       kernel_init_freeable+0x4bd/0x57f init/main.c:1144
       kernel_init+0x13/0x180 init/main.c:1063
       ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:413
      
      The reason why the noise above was complained by LOCKDEP is because we
      nested to hold l->wakeupq.lock and l->inputq->lock in tipc_link_reset
      function. In fact it's unnecessary to move skb buffer from l->wakeupq
      queue to l->inputq queue while holding the two locks at the same time.
      Instead, we can move skb buffers in l->wakeupq queue to a temporary
      list first and then move the buffers of the temporary list to l->inputq
      queue, which is also safe for us.
      
      Fixes: 3f32d0be ("tipc: lock wakeup & inputq at tipc_link_reset()")
      Reported-by: NDmitry Vyukov <dvyukov@google.com>
      Signed-off-by: NYing Xue <ying.xue@windriver.com>
      Acked-by: NJon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      a1f8dd34