1. 21 Aug, 2018 1 commit
  2. 20 Jul, 2018 1 commit
  3. 19 Jul, 2018 6 commits
    • Tyler Hicks's avatar
      apparmor: Fully initialize aa_perms struct when answering userspace query · f4585bc2
      Tyler Hicks authored
      Fully initialize the aa_perms struct in profile_query_cb() to avoid the
      potential of using an uninitialized struct member's value in a response
      to a query from userspace.
      
      Detected by CoverityScan CID#1415126 ("Uninitialized scalar variable")
      
      Fixes: 4f3b3f2d ("apparmor: add profile permission query ability")
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      f4585bc2
    • Tyler Hicks's avatar
      apparmor: Check buffer bounds when mapping permissions mask · 7f3ebcf2
      Tyler Hicks authored
      Don't read past the end of the buffer containing permissions
      characters or write past the end of the destination string.
      
      Detected by CoverityScan CID#1415361, 1415376 ("Out-of-bounds access")
      
      Fixes: e53cfe6c ("apparmor: rework perm mapping to a slightly broader set")
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      7f3ebcf2
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · fb7d1bcf
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - Fix crashes that happen when PHY drivers are left disabled in the V3
         Semiconductor, MediaTek, Faraday, Aardvark, DesignWare, Versatile,
         and X-Gene host controller drivers (Sergei Shtylyov)
      
       - Fix a NULL pointer dereference in the endpoint library configfs
         support (Kishon Vijay Abraham I)
      
       - Fix a race condition in Hyper-V IRQ handling (Dexuan Cui)
      
      * tag 'pci-v4.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: v3-semi: Fix I/O space page leak
        PCI: mediatek: Fix I/O space page leak
        PCI: faraday: Fix I/O space page leak
        PCI: aardvark: Fix I/O space page leak
        PCI: designware: Fix I/O space page leak
        PCI: versatile: Fix I/O space page leak
        PCI: xgene: Fix I/O space page leak
        PCI: OF: Fix I/O space page leak
        PCI: endpoint: Fix NULL pointer dereference error when CONFIGFS is disabled
        PCI: hv: Disable/enable IRQs rather than BH in hv_compose_msi_msg()
      fb7d1bcf
    • Linus Torvalds's avatar
      Merge tag 'sound-4.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · f39f28ff
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A rawmidi race fix and three trivial HD-audio quirks"
      
      * tag 'sound-4.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Yet another Clevo P950 quirk entry
        ALSA: rawmidi: Change resized buffers atomically
        ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk
        ALSA: hda: add mute led support for HP ProBook 455 G5
      f39f28ff
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · b4394c34
      Linus Torvalds authored
      Pull crypto fix from Herbert Xu:
       "This fixes an allocation error-path bug in af_alg discovered by
        syzkaller"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: af_alg - Initialize sg_num_bytes in error code path
      b4394c34
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 024ddc0c
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Lots of fixes, here goes:
      
         1) NULL deref in qtnfmac, from Gustavo A. R. Silva.
      
         2) Kernel oops when fw download fails in rtlwifi, from Ping-Ke Shih.
      
         3) Lost completion messages in AF_XDP, from Magnus Karlsson.
      
         4) Correct bogus self-assignment in rhashtable, from Rishabh
            Bhatnagar.
      
         5) Fix regression in ipv6 route append handling, from David Ahern.
      
         6) Fix masking in __set_phy_supported(), from Heiner Kallweit.
      
         7) Missing module owner set in x_tables icmp, from Florian Westphal.
      
         8) liquidio's timeouts are HZ dependent, fix from Nicholas Mc Guire.
      
         9) Link setting fixes for sh_eth and ravb, from Vladimir Zapolskiy.
      
        10) Fix NULL deref when using chains in act_csum, from Davide Caratti.
      
        11) XDP_REDIRECT needs to check if the interface is up and whether the
            MTU is sufficient. From Toshiaki Makita.
      
        12) Net diag can do a double free when killing TCP_NEW_SYN_RECV
            connections, from Lorenzo Colitti.
      
        13) nf_defrag in ipv6 can unnecessarily hold onto dst entries for a
            full minute, delaying device unregister. From Eric Dumazet.
      
        14) Update MAC entries in the correct order in ixgbe, from Alexander
            Duyck.
      
        15) Don't leave partial mangles bpf program in jit_subprogs, from
            Daniel Borkmann.
      
        16) Fix pfmemalloc SKB state propagation, from Stefano Brivio.
      
        17) Fix ACK handling in DCTCP congestion control, from Yuchung Cheng.
      
        18) Use after free in tun XDP_TX, from Toshiaki Makita.
      
        19) Stale ipv6 header pointer in ipv6 gre code, from Prashant Bhole.
      
        20) Don't reuse remainder of RX page when XDP is set in mlx4, from
            Saeed Mahameed.
      
        21) Fix window probe handling of TCP rapair sockets, from Stefan
            Baranoff.
      
        22) Missing socket locking in smc_ioctl(), from Ursula Braun.
      
        23) IPV6_ILA needs DST_CACHE, from Arnd Bergmann.
      
        24) Spectre v1 fix in cxgb3, from Gustavo A. R. Silva.
      
        25) Two spots in ipv6 do a rol32() on a hash value but ignore the
            result. Fixes from Colin Ian King"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (176 commits)
        tcp: identify cryptic messages as TCP seq # bugs
        ptp: fix missing break in switch
        hv_netvsc: Fix napi reschedule while receive completion is busy
        MAINTAINERS: Drop inactive Vitaly Bordug's email
        net: cavium: Add fine-granular dependencies on PCI
        net: qca_spi: Fix log level if probe fails
        net: qca_spi: Make sure the QCA7000 reset is triggered
        net: qca_spi: Avoid packet drop during initial sync
        ipv6: fix useless rol32 call on hash
        ipv6: sr: fix useless rol32 call on hash
        net: sched: Using NULL instead of plain integer
        net: usb: asix: replace mii_nway_restart in resume path
        net: cxgb3_main: fix potential Spectre v1
        lib/rhashtable: consider param->min_size when setting initial table size
        net/smc: reset recv timeout after clc handshake
        net/smc: add error handling for get_user()
        net/smc: optimize consumer cursor updates
        net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.
        ipv6: ila: select CONFIG_DST_CACHE
        net: usb: rtl8150: demote allmulti message to dev_dbg()
        ...
      024ddc0c
  4. 18 Jul, 2018 32 commits
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 05df2045
      Linus Torvalds authored
      Pull DeviceTree fixes from Rob Herring:
      
       - Fix phandle cache to work with overlays
      
       - Correct the default clock-frequency for QCom geni-i2c
      
       - Binding doc quote and spelling fixes
      
      * tag 'devicetree-fixes-for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        of: overlay: update phandle cache on overlay apply and remove
        dt-bindings: Fix unbalanced quotation marks
        dt-bindings: soc: qcom: Fix default clock-freq for qcom,geni-i2c
        dt-bindings: w1-gpio: Remove unneeded unit address
        Documentation: devicetree: tilcdc: fix spelling mistake "suppors" -> "supports"
      05df2045
    • Randy Dunlap's avatar
      tcp: identify cryptic messages as TCP seq # bugs · e56b8ce3
      Randy Dunlap authored
      Attempt to make cryptic TCP seq number error messages clearer by
      (1) identifying the source of the message as "TCP", (2) identifying the
      errors as "seq # bug", and (3) grouping the field identifiers and values
      by separating them with commas.
      
      E.g., the following message is changed from:
      
      recvmsg bug 2: copied 73BCB6CD seq 70F17CBE rcvnxt 73BCB9AA fl 0
      WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:1881 tcp_recvmsg+0x649/0xb90
      
      to:
      
      TCP recvmsg seq # bug 2: copied 73BCB6CD, seq 70F17CBE, rcvnxt 73BCB9AA, fl 0
      WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:2011 tcp_recvmsg+0x694/0xba0
      Suggested-by: default avatar積丹尼 Dan Jacobson <jidanni@jidanni.org>
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e56b8ce3
    • Gustavo A. R. Silva's avatar
      ptp: fix missing break in switch · 9ba8376c
      Gustavo A. R. Silva authored
      It seems that a *break* is missing in order to avoid falling through
      to the default case. Otherwise, checking *chan* makes no sense.
      
      Fixes: 72df7a72 ("ptp: Allow reassigning calibration pin function")
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Acked-by: default avatarRichard Cochran <richardcochran@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9ba8376c
    • Haiyang Zhang's avatar
      hv_netvsc: Fix napi reschedule while receive completion is busy · 6b81b193
      Haiyang Zhang authored
      If out ring is full temporarily and receive completion cannot go out,
      we may still need to reschedule napi if certain conditions are met.
      Otherwise the napi poll might be stopped forever, and cause network
      disconnect.
      
      Fixes: 7426b1a5 ("netvsc: optimize receive completions")
      Signed-off-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6b81b193
    • Krzysztof Kozlowski's avatar
      MAINTAINERS: Drop inactive Vitaly Bordug's email · a2ec9d14
      Krzysztof Kozlowski authored
      The Vitaly Bordug's email bounces ("ru.mvista.com: Name or service not
      known") and there was no activity (ack, review, sign) since 2009.
      
      Cc: Vitaly Bordug <vitb@kernel.crashing.org>
      Cc: Pantelis Antoniou <pantelis.antoniou@gmail.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a2ec9d14
    • Alexander Sverdlin's avatar
      net: cavium: Add fine-granular dependencies on PCI · e40562ab
      Alexander Sverdlin authored
      Add dependencies on PCI where necessary.
      
      Fixes: 7e2bc7fb ("net: cavium: Drop dependency of NET_VENDOR_CAVIUM on PCI")
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e40562ab
    • David S. Miller's avatar
      Merge branch 'net-qca_spi-Minor-bugfixes' · 0838a4ef
      David S. Miller authored
      Stefan Wahren says:
      
      ====================
      net: qca_spi: Minor bugfixes
      
      This patch series contains some minor bugfixes for
      the qca_spi driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0838a4ef
    • Stefan Wahren's avatar
      net: qca_spi: Fix log level if probe fails · 50973993
      Stefan Wahren authored
      In cases the probing fails the log level of the messages should
      be an error.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50973993
    • Stefan Wahren's avatar
      net: qca_spi: Make sure the QCA7000 reset is triggered · 711c62df
      Stefan Wahren authored
      In case the SPI thread is not running, a simple reset of sync
      state won't fix the transmit timeout. We also need to wake up the kernel
      thread.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: ed7d42e2 ("net: qca_spi: fix transmit queue timeout handling")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      711c62df
    • Stefan Wahren's avatar
      net: qca_spi: Avoid packet drop during initial sync · b2bab426
      Stefan Wahren authored
      As long as the synchronization with the QCA7000 isn't finished, we
      cannot accept packets from the upper layers. So let the SPI thread
      enable the TX queue after sync and avoid unwanted packet drop.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: 291ab06e ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b2bab426
    • Colin Ian King's avatar
      ipv6: fix useless rol32 call on hash · 169dc027
      Colin Ian King authored
      The rol32 call is currently rotating hash but the rol'd value is
      being discarded. I believe the current code is incorrect and hash
      should be assigned the rotated value returned from rol32.
      
      Thanks to David Lebrun for spotting this.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      169dc027
    • Colin Ian King's avatar
      ipv6: sr: fix useless rol32 call on hash · 3ee593ad
      Colin Ian King authored
      The rol32 call is currently rotating hash but the rol'd value is
      being discarded. I believe the current code is incorrect and hash
      should be assigned the rotated value returned from rol32.
      
      Detected by CoverityScan, CID#1468411 ("Useless call")
      
      Fixes: b5facfdb ("ipv6: sr: Compute flowlabel for outer IPv6 header of seg6 encap mode")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: dlebrun@google.com
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3ee593ad
    • Sergei Shtylyov's avatar
      PCI: v3-semi: Fix I/O space page leak · 270ed733
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried,  finally causing the BUG due to trying to remap
      already remapped pages.
      
      The V3 Semiconductor PCI driver has the same issue.
      Replace devm_pci_remap_iospace() with its devm_ managed version to fix
      the bug.
      
      Fixes: 68a15eb7 ("PCI: v3-semi: Add V3 Semiconductor PCI host driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      270ed733
    • Sergei Shtylyov's avatar
      PCI: mediatek: Fix I/O space page leak · 438477b9
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The MediaTek PCIe driver has the same issue.
      
      Replace devm_pci_remap_iospace() with its devm_ managed counterpart
      to fix the bug.
      
      Fixes: 637cfaca ("PCI: mediatek: Add MediaTek PCIe host controller support")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      438477b9
    • Sergei Shtylyov's avatar
      PCI: faraday: Fix I/O space page leak · e3060945
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if
      the PCIe PHY driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The Faraday PCI driver has the same issue. Replace pci_remap_iospace()
      with its devm_ managed version to fix the bug.
      
      Fixes: d3c68e0a ("PCI: faraday: Add Faraday Technology FTPCI100 PCI Host Bridge driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      e3060945
    • Sergei Shtylyov's avatar
      PCI: aardvark: Fix I/O space page leak · 1df3e5b3
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The Aardvark PCI controller driver has the same issue.
      Replace pci_remap_iospace() with its devm_ managed version to fix the bug.
      
      Fixes: 8c39d710 ("PCI: aardvark: Add Aardvark PCI host controller driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarThomas Petazzoni <thomas.petazzoni@bootlin.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      1df3e5b3
    • Sergei Shtylyov's avatar
      PCI: designware: Fix I/O space page leak · fd07f5e1
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver is left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The DesignWare PCIe controller driver has the same issue.
      
      Replace devm_pci_remap_iospace() with a devm_ managed version to fix the
      bug.
      
      Fixes: cbce7900 ("PCI: designware: Make driver arch-agnostic")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Acked-by: default avatarJingoo Han <jingoohan1@gmail.com>
      fd07f5e1
    • Sergei Shtylyov's avatar
      PCI: versatile: Fix I/O space page leak · 0018b265
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The Versatile PCI controller driver has the same issue.
      Replace pci_remap_iospace() with the devm_ managed version to fix the bug.
      
      Fixes: b7e78170 ("PCI: versatile: Add DT-based ARM Versatile PB PCIe host driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      0018b265
    • Sergei Shtylyov's avatar
      PCI: xgene: Fix I/O space page leak · 925652d0
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The X-Gene PCI controller driver has the same issue.
      Replace pci_remap_iospace() with the devm_ managed version so that the
      pages get unmapped automagically on any probe failure.
      
      Fixes: 5f6b6ccd ("PCI: xgene: Add APM X-Gene PCIe driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      925652d0
    • David S. Miller's avatar
      Merge tag 'batadv-net-for-davem-20180717' of git://git.open-mesh.org/linux-merge · 9640ccce
      David S. Miller authored
      Simon Wunderlich says:
      
      ====================
      Here are some batman-adv fixes:
      
       - Fix gateway refcounting in BATMAN IV and V, by Sven Eckelmann (2 patches)
      
       - Fix debugfs paths when renaming interfaces, by Sven Eckelmann (2 patches)
      
       - Fix TT flag issues, by Linus Luessing (2 patches)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9640ccce
    • YueHaibing's avatar
      net: sched: Using NULL instead of plain integer · 53189183
      YueHaibing authored
      Fixes the following sparse warnings:
      
      net/sched/cls_api.c:1101:43: warning: Using plain integer as NULL pointer
      net/sched/cls_api.c:1492:75: warning: Using plain integer as NULL pointer
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      53189183
    • Alexander Couzens's avatar
      net: usb: asix: replace mii_nway_restart in resume path · 5c968f48
      Alexander Couzens authored
      mii_nway_restart is not pm aware which results in a rtnl deadlock.
      Implement mii_nway_restart manual by setting BMCR_ANRESTART if
      BMCR_ANENABLE is set.
      
      To reproduce:
      * plug an asix based usb network interface
      * wait until the device enters PM (~5 sec)
      * `ip link set eth1 up` will never return
      
      Fixes: d9fe64e5 ("net: asix: Add in_pm parameter")
      Signed-off-by: default avatarAlexander Couzens <lynxis@fe80.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c968f48
    • Sergei Shtylyov's avatar
      PCI: OF: Fix I/O space page leak · a5fb9fb0
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      Introduce the devm_pci_remap_iospace() managed API and replace the
      pci_remap_iospace() call with it to fix the bug.
      
      Fixes: dbf9826d ("PCI: generic: Convert to DT resource parsing API")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: split commit/updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      a5fb9fb0
    • Gustavo A. R. Silva's avatar
      net: cxgb3_main: fix potential Spectre v1 · 676bcfec
      Gustavo A. R. Silva authored
      t.qset_idx can be indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
      warn: potential spectre issue 'adapter->msix_info'
      
      Fix this by sanitizing t.qset_idx before using it to index
      adapter->msix_info
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      676bcfec
    • Davidlohr Bueso's avatar
      lib/rhashtable: consider param->min_size when setting initial table size · 107d01f5
      Davidlohr Bueso authored
      rhashtable_init() currently does not take into account the user-passed
      min_size parameter unless param->nelem_hint is set as well. As such,
      the default size (number of buckets) will always be HASH_DEFAULT_SIZE
      even if the smallest allowed size is larger than that. Remediate this
      by unconditionally calling into rounded_hashtable_size() and handling
      things accordingly.
      Signed-off-by: default avatarDavidlohr Bueso <dbueso@suse.de>
      Acked-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      107d01f5
    • Linus Torvalds's avatar
      Merge tag 'for-4.18-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux · 04a13206
      Linus Torvalds authored
      Pull btrfs fixes from David Sterba:
       "Three regression fixes. They're few-liners and fixing some corner
        cases missed in the origial patches"
      
      * tag 'for-4.18-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/kdave/linux:
        btrfs: scrub: Don't use inode page cache in scrub_handle_errored_block()
        btrfs: fix use-after-free of cmp workspace pages
        btrfs: restore uuid_mutex in btrfs_open_devices
      04a13206
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · 47f7dc4b
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "Miscellaneous bugfixes, plus a small patchlet related to Spectre v2"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm:
        kvmclock: fix TSC calibration for nested guests
        KVM: VMX: Mark VMXArea with revision_id of physical CPU even when eVMCS enabled
        KVM: irqfd: fix race between EPOLLHUP and irq_bypass_register_consumer
        KVM/Eventfd: Avoid crash when assign and deassign specific eventfd in parallel.
        x86/kvmclock: set pvti_cpu0_va after enabling kvmclock
        x86/kvm/Kconfig: Ensure CRYPTO_DEV_CCP_DD state at minimum matches KVM_AMD
        kvm: nVMX: Restore exit qual for VM-entry failure due to MSR loading
        x86/kvm/vmx: don't read current->thread.{fs,gs}base of legacy tasks
        KVM: VMX: support MSR_IA32_ARCH_CAPABILITIES as a feature MSR
      47f7dc4b
    • David S. Miller's avatar
      Merge branch 'smc-fixes' · 08239d43
      David S. Miller authored
      Ursula Braun says:
      
      ====================
      net/smc: fixes 2018-07-18
      
      here are small fixes for SMC: The first patch speeds up unidirectional
      traffic, the second patch increases security, and the third patch
      fixes a problem for fallback cases.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      08239d43
    • Karsten Graul's avatar
      net/smc: reset recv timeout after clc handshake · f6bdc42f
      Karsten Graul authored
      During clc handshake the receive timeout is set to CLC_WAIT_TIME.
      Remember and reset the original timeout value after the receive calls,
      and remove a duplicate assignment of CLC_WAIT_TIME.
      Signed-off-by: default avatarKarsten Graul <kgraul@linux.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f6bdc42f
    • Ursula Braun's avatar
      net/smc: add error handling for get_user() · ac0107ed
      Ursula Braun authored
      For security reasons the return code of get_user() should always be
      checked.
      
      Fixes: 01d2f7e2 ("net/smc: sockopts TCP_NODELAY and TCP_CORK")
      Reported-by: default avatarHeiko Carstens <heiko.carstens@de.ibm.com>
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ac0107ed
    • Ursula Braun's avatar
      net/smc: optimize consumer cursor updates · 99be51f1
      Ursula Braun authored
      The SMC protocol requires to send a separate consumer cursor update,
      if it cannot be piggybacked to updates of the producer cursor.
      Currently the decision to send a separate consumer cursor update
      just considers the amount of data already received by the socket
      program. It does not consider the amount of data already arrived, but
      not yet consumed by the receiver. Basing the decision on the
      difference between already confirmed and already arrived data
      (instead of difference between already confirmed and already consumed
      data), may lead to a somewhat earlier consumer cursor update send in
      fast unidirectional traffic scenarios, and thus to better throughput.
      Signed-off-by: default avatarUrsula Braun <ubraun@linux.ibm.com>
      Suggested-by: default avatarThomas Richter <tmricht@linux.ibm.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      99be51f1
    • Tetsuo Handa's avatar
      net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL. · 3bc53be9
      Tetsuo Handa authored
      syzbot is reporting stalls at nfc_llcp_send_ui_frame() [1]. This is
      because nfc_llcp_send_ui_frame() is retrying the loop without any delay
      when nonblocking nfc_alloc_send_skb() returned NULL.
      
      Since there is no need to use MSG_DONTWAIT if we retry until
      sock_alloc_send_pskb() succeeds, let's use blocking call.
      Also, in case an unexpected error occurred, let's break the loop
      if blocking nfc_alloc_send_skb() failed.
      
      [1] https://syzkaller.appspot.com/bug?id=4a131cc571c3733e0eff6bc673f4e36ae48f19c6Signed-off-by: default avatarTetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
      Reported-by: default avatarsyzbot <syzbot+d29d18215e477cfbfbdd@syzkaller.appspotmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3bc53be9