1. 14 Jun, 2017 2 commits
    • Jiri Slaby's avatar
      fs/fcntl: f_setown, avoid undefined behaviour · fc3dc674
      Jiri Slaby authored
      fcntl(0, F_SETOWN, 0x80000000) triggers:
      UBSAN: Undefined behaviour in fs/fcntl.c:118:7
      negation of -2147483648 cannot be represented in type 'int':
      CPU: 1 PID: 18261 Comm: syz-executor Not tainted 4.8.1-0-syzkaller #1
      ...
      Call Trace:
      ...
       [<ffffffffad8f0868>] ? f_setown+0x1d8/0x200
       [<ffffffffad8f19a9>] ? SyS_fcntl+0x999/0xf30
       [<ffffffffaed1fb00>] ? entry_SYSCALL_64_fastpath+0x23/0xc1
      
      Fix that by checking the arg parameter properly (against INT_MAX) before
      "who = -who". And return immediatelly with -EINVAL in case it is wrong.
      Note that according to POSIX we can return EINVAL:
          http://pubs.opengroup.org/onlinepubs/9699919799/functions/fcntl.html
      
          [EINVAL]
              The cmd argument is F_SETOWN and the value of the argument
              is not valid as a process or process group identifier.
      
      [v2] returns an error, v1 used to fail silently
      [v3] implement proper check for the bad value INT_MIN
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Cc: Jeff Layton <jlayton@poochiereds.net>
      Cc: "J. Bruce Fields" <bfields@fieldses.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: linux-fsdevel@vger.kernel.org
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      fc3dc674
    • Jiri Slaby's avatar
      fs/fcntl: f_setown, allow returning error · 393cc3f5
      Jiri Slaby authored
      Allow f_setown to return an error value. We will fail in the next patch
      with EINVAL for bad input to f_setown, so tile the path for the later
      patch.
      Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
      Reviewed-by: default avatarJeff Layton <jlayton@redhat.com>
      Cc: Jeff Layton <jlayton@poochiereds.net>
      Cc: "J. Bruce Fields" <bfields@fieldses.org>
      Cc: Alexander Viro <viro@zeniv.linux.org.uk>
      Cc: linux-fsdevel@vger.kernel.org
      Signed-off-by: default avatarJeff Layton <jlayton@redhat.com>
      393cc3f5
  2. 01 Jun, 2017 1 commit
  3. 27 May, 2017 2 commits
  4. 26 May, 2017 24 commits
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input · c86daad2
      Linus Torvalds authored
      Pull input layer fixes from Dmitry Torokhov:
       "Just a few fixups to a couple of drivers"
      
      * 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input:
        Input: elan_i2c - ignore signals when finishing updating firmware
        Input: elan_i2c - clear INT before resetting controller
        Input: atmel_mxt_ts - add T100 as a readable object
        Input: edt-ft5x06 - increase allowed data range for threshold parameter
      c86daad2
    • Linus Torvalds's avatar
      Merge tag 'led_fixes_for_4-12-rc3' of... · e2a9aa5a
      Linus Torvalds authored
      Merge tag 'led_fixes_for_4-12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds
      
      Pull LED fix from Jacek Anaszewski:
       "A single LED fix for 4.12-rc3.
      
        leds-pca955x driver uses only i2c_smbus API and thus it should pass
        I2C_FUNC_SMBUS_BYTE_DATA flag to i2c_check_functionality"
      
      * tag 'led_fixes_for_4-12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/j.anaszewski/linux-leds:
        leds: pca955x: Correct I2C Functionality
      e2a9aa5a
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 6741d516
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Fix state pruning in bpf verifier wrt. alignment, from Daniel
          Borkmann.
      
       2) Handle non-linear SKBs properly in SCTP ICMP parsing, from Davide
          Caratti.
      
       3) Fix bit field definitions for rss_hash_type of descriptors in mlx5
          driver, from Jesper Brouer.
      
       4) Defer slave->link updates until bonding is ready to do a full commit
          to the new settings, from Nithin Sujir.
      
       5) Properly reference count ipv4 FIB metrics to avoid use after free
          situations, from Eric Dumazet and several others including Cong Wang
          and Julian Anastasov.
      
       6) Fix races in llc_ui_bind(), from Lin Zhang.
      
       7) Fix regression of ESP UDP encapsulation for TCP packets, from
          Steffen Klassert.
      
       8) Fix mdio-octeon driver Kconfig deps, from Randy Dunlap.
      
       9) Fix regression in setting DSCP on ipv6/GRE encapsulation, from Peter
          Dawson.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (43 commits)
        ipv4: add reference counting to metrics
        net: ethernet: ax88796: don't call free_irq without request_irq first
        ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets
        sctp: fix ICMP processing if skb is non-linear
        net: llc: add lock_sock in llc_ui_bind to avoid a race condition
        bonding: Don't update slave->link until ready to commit
        test_bpf: Add a couple of tests for BPF_JSGE.
        bpf: add various verifier test cases
        bpf: fix wrong exposure of map_flags into fdinfo for lpm
        bpf: add bpf_clone_redirect to bpf_helper_changes_pkt_data
        bpf: properly reset caller saved regs after helper call and ld_abs/ind
        bpf: fix incorrect pruning decision when alignment must be tracked
        arp: fixed -Wuninitialized compiler warning
        tcp: avoid fastopen API to be used on AF_UNSPEC
        net: move somaxconn init from sysctl code
        net: fix potential null pointer dereference
        geneve: fix fill_info when using collect_metadata
        virtio-net: enable TSO/checksum offloads for Q-in-Q vlans
        be2net: Fix offload features for Q-in-Q packets
        vlan: Fix tcp checksum offloads in Q-in-Q vlans
        ...
      6741d516
    • Linus Torvalds's avatar
      Merge tag 'xfs-4.12-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux · cdbe0206
      Linus Torvalds authored
      Pull XFS fixes from Darrick Wong:
       "A few miscellaneous bug fixes & cleanups:
      
         - Fix indlen block reservation accounting bug when splitting delalloc
           extent
      
         - Fix warnings about unused variables that appeared in -rc1.
      
         - Don't spew errors when bmapping a local format directory
      
         - Fix an off-by-one error in a delalloc eof assertion
      
         - Make fsmap only return inode information for CAP_SYS_ADMIN
      
         - Fix a potential mount time deadlock recovering cow extents
      
         - Fix unaligned memory access in _btree_visit_blocks
      
         - Fix various SEEK_HOLE/SEEK_DATA bugs"
      
      * tag 'xfs-4.12-fixes-2' of git://git.kernel.org/pub/scm/fs/xfs/xfs-linux:
        xfs: Move handling of missing page into one place in xfs_find_get_desired_pgoff()
        xfs: Fix off-by-in in loop termination in xfs_find_get_desired_pgoff()
        xfs: Fix missed holes in SEEK_HOLE implementation
        xfs: fix off-by-one on max nr_pages in xfs_find_get_desired_pgoff()
        xfs: fix unaligned access in xfs_btree_visit_blocks
        xfs: avoid mount-time deadlock in CoW extent recovery
        xfs: only return detailed fsmap info if the caller has CAP_SYS_ADMIN
        xfs: bad assertion for delalloc an extent that start at i_size
        xfs: fix warnings about unused stack variables
        xfs: BMAPX shouldn't barf on inline-format directories
        xfs: fix indlen accounting error on partial delalloc conversion
      cdbe0206
    • Eric Dumazet's avatar
      ipv4: add reference counting to metrics · 3fb07daf
      Eric Dumazet authored
      Andrey Konovalov reported crashes in ipv4_mtu()
      
      I could reproduce the issue with KASAN kernels, between
      10.246.7.151 and 10.246.7.152 :
      
      1) 20 concurrent netperf -t TCP_RR -H 10.246.7.152 -l 1000 &
      
      2) At the same time run following loop :
      while :
      do
       ip ro add 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
       ip ro del 10.246.7.152 dev eth0 src 10.246.7.151 mtu 1500
      done
      
      Cong Wang attempted to add back rt->fi in commit
      82486aa6 ("ipv4: restore rt->fi for reference counting")
      but this proved to add some issues that were complex to solve.
      
      Instead, I suggested to add a refcount to the metrics themselves,
      being a standalone object (in particular, no reference to other objects)
      
      I tried to make this patch as small as possible to ease its backport,
      instead of being super clean. Note that we believe that only ipv4 dst
      need to take care of the metric refcount. But if this is wrong,
      this patch adds the basic infrastructure to extend this to other
      families.
      
      Many thanks to Julian Anastasov for reviewing this patch, and Cong Wang
      for his efforts on this problem.
      
      Fixes: 2860583f ("ipv4: Kill rt->fi")
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Reviewed-by: default avatarJulian Anastasov <ja@ssi.bg>
      Acked-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3fb07daf
    • Uwe Kleine-König's avatar
      net: ethernet: ax88796: don't call free_irq without request_irq first · 82533ad9
      Uwe Kleine-König authored
      The function ax_init_dev (which is called only from the driver's .probe
      function) calls free_irq in the error path without having requested the
      irq in the first place. So drop the free_irq call in the error path.
      
      Fixes: 825a2ff1 ("AX88796 network driver")
      Signed-off-by: default avatarUwe Kleine-König <u.kleine-koenig@pengutronix.de>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      82533ad9
    • Peter Dawson's avatar
      ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets · 0e9a7095
      Peter Dawson authored
      This fix addresses two problems in the way the DSCP field is formulated
       on the encapsulating header of IPv6 tunnels.
      Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=195661
      
      1) The IPv6 tunneling code was manipulating the DSCP field of the
       encapsulating packet using the 32b flowlabel. Since the flowlabel is
       only the lower 20b it was incorrect to assume that the upper 12b
       containing the DSCP and ECN fields would remain intact when formulating
       the encapsulating header. This fix handles the 'inherit' and
       'fixed-value' DSCP cases explicitly using the extant dsfield u8 variable.
      
      2) The use of INET_ECN_encapsulate(0, dsfield) in ip6_tnl_xmit was
       incorrect and resulted in the DSCP value always being set to 0.
      
      Commit 90427ef5 ("ipv6: fix flow labels when the traffic class
       is non-0") caused the regression by masking out the flowlabel
       which exposed the incorrect handling of the DSCP portion of the
       flowlabel in ip6_tunnel and ip6_gre.
      
      Fixes: 90427ef5 ("ipv6: fix flow labels when the traffic class is non-0")
      Signed-off-by: default avatarPeter Dawson <peter.a.dawson@boeing.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0e9a7095
    • Davide Caratti's avatar
      sctp: fix ICMP processing if skb is non-linear · 804ec7eb
      Davide Caratti authored
      sometimes ICMP replies to INIT chunks are ignored by the client, even if
      the encapsulated SCTP headers match an open socket. This happens when the
      ICMP packet is carried by a paged skb: use skb_header_pointer() to read
      packet contents beyond the SCTP header, so that chunk header and initiate
      tag are validated correctly.
      
      v2:
      - don't use skb_header_pointer() to read the transport header, since
        icmp_socket_deliver() already puts these 8 bytes in the linear area.
      - change commit message to make specific reference to INIT chunks.
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Acked-by: default avatarVlad Yasevich <vyasevich@gmail.com>
      Reviewed-by: default avatarXin Long <lucien.xin@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      804ec7eb
    • linzhang's avatar
      net: llc: add lock_sock in llc_ui_bind to avoid a race condition · 0908cf4d
      linzhang authored
      There is a race condition in llc_ui_bind if two or more processes/threads
      try to bind a same socket.
      
      If more processes/threads bind a same socket success that will lead to
      two problems, one is this action is not what we expected, another is
      will lead to kernel in unstable status or oops(in my simple test case,
      cause llc2.ko can't unload).
      
      The current code is test SOCK_ZAPPED bit to avoid a process to
      bind a same socket twice but that is can't avoid more processes/threads
      try to bind a same socket at the same time.
      
      So, add lock_sock in llc_ui_bind like others, such as llc_ui_connect.
      Signed-off-by: default avatarLin Zhang <xiaolou4617@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0908cf4d
    • Linus Torvalds's avatar
      Merge branch 'for-linus' of git://git.kernel.dk/linux-block · 1b8f2ffc
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
       "A collection of fixes that should go into this series. This contains:
      
         - A set of NVMe fixes, pulled from Christoph. This includes a set of
           fixes for the fiber channel bits from James Smart, rdma queue depth
           fix from Marta, controller removal fixes from Ming, and some more
           APST quirk updates from Andy.
      
         - A blk-mq debugfs fix from Bart, fixing a problem with the
           untangling of the sysfs and debugfs blk-mq bits that was added in
           this series.
      
         - Error code fix in add_partition() from Dan.
      
         - A small series of fixes for the new blk-throttle code from Shaohua"
      
      * 'for-linus' of git://git.kernel.dk/linux-block: (21 commits)
        blk-mq: Only register debugfs attributes for blk-mq queues
        nvme: Quirk APST on Intel 600P/P3100 devices
        nvme: only setup block integrity if supported by the driver
        nvme: replace is_flags field in nvme_ctrl_ops with a flags field
        nvme-pci: consistencly use ctrl->device for logging
        partitions/msdos: FreeBSD UFS2 file systems are not recognized
        block: fix an error code in add_partition()
        blk-throttle: force user to configure all settings for io.low
        blk-throttle: respect 0 bps/iops settings for io.low
        blk-throttle: output some debug info in trace
        blk-throttle: add hierarchy support for latency target and idle time
        nvme_fc: remove extra controller reference taken on reconnect
        nvme_fc: correct nvme status set on abort
        nvme_fc: set logging level on resets/deletes
        nvme_fc: revise comment on teardown
        nvme_fc: Support ctrl_loss_tmo
        nvme_fc: get rid of local reconnect_delay
        blk-mq: remove blk_mq_abort_requeue_list()
        nvme: avoid to use blk_mq_abort_requeue_list()
        nvme: use blk_mq_start_hw_queues() in nvme_kill_queues()
        ...
      1b8f2ffc
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.12-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · 6ce47829
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - fix PCI_ENDPOINT build error (merged for v4.12)
      
       - fix Switchtec driver (merged for v4.12)
      
       - fix imx6 config read timeouts, fallout from changing to non-postable
         reads
      
       - add PM "needs_resume" flag for i915 suspend issue
      
      * tag 'pci-v4.12-fixes-1' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI/PM: Add needs_resume flag to avoid suspend complete optimization
        PCI: imx6: Fix config read timeout handling
        switchtec: Fix minor bug with partition ID register
        switchtec: Use new cdev_device_add() helper function
        PCI: endpoint: Make PCI_ENDPOINT depend on HAS_DMA
      6ce47829
    • Linus Torvalds's avatar
      Merge tag 'ceph-for-4.12-rc3' of git://github.com/ceph/ceph-client · 80941b2a
      Linus Torvalds authored
      Pul ceph fixes from Ilya Dryomov:
       "A bunch of make W=1 and static checker fixups, a RECONNECT_SEQ
        messenger patch from Zheng and Luis' fallocate fix"
      
      * tag 'ceph-for-4.12-rc3' of git://github.com/ceph/ceph-client:
        ceph: check that the new inode size is within limits in ceph_fallocate()
        libceph: cleanup old messages according to reconnect seq
        libceph: NULL deref on crush_decode() error path
        libceph: fix error handling in process_one_ticket()
        libceph: validate blob_struct_v in process_one_ticket()
        libceph: drop version variable from ceph_monmap_decode()
        libceph: make ceph_msg_data_advance() return void
        libceph: use kbasename() and kill ceph_file_part()
      80941b2a
    • Linus Torvalds's avatar
      Merge tag 'mmc-v4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc · a38b461e
      Linus Torvalds authored
      Pull MMC fixes from Ulf Hansson:
       "This contains fixes to make the WiFi work again for the ARM64 Hikey
        board.
      
        Together with a couple of DTS updates for the Hikey board we have also
        extended the mmc pwrseq_simple, to support a new power-off-delay-us DT
        property, as that was required to enable a graceful power off sequence
        for the WiFi chip"
      
      * tag 'mmc-v4.12-rc2' of git://git.kernel.org/pub/scm/linux/kernel/git/ulfh/mmc:
        arm64: dts: hikey: Fix WiFi support
        arm64: dts: hi6220: Move board data from the dwmmc nodes to hikey dts
        arm64: dts: hikey: Add the SYS_5V and the VDD_3V3 regulators
        arm64: dts: hi6220: Move the fixed_5v_hub regulator to the hikey dts
        arm64: dts: hikey: Add clock for the pmic mfd
        mfd: dts: hi655x: Add clock binding for the pmic
        mmc: pwrseq_simple: Parse DTS for the power-off-delay-us property
        mmc: dt: pwrseq-simple: Invent power-off-delay-us
      a38b461e
    • Linus Torvalds's avatar
      Merge tag 'sound-4.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · e95806df
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "This contains a few HD-audio device-specific quirks and an endianess
        fix for USB-audio, as well as the update of quirk model list document.
        All fixes are small and trivial.
      
        The document update could have been postponed, but it's a good thing
        for user and has absolutely zero risk of breakage, so included here"
      
      * tag 'sound-4.12-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda - apply STAC_9200_DELL_M22 quirk for Dell Latitude D430
        ALSA: hda - Update the list of quirk models
        ALSA: hda - Provide dual-codecs model option for a few Realtek codecs
        ALSA: hda - Apply dual-codec quirk for MSI Z270-Gaming mobo
        ALSA: hda - No loopback on ALC299 codec
        ALSA: usb-audio: fix Amanero Combo384 quirk on big-endian hosts
      e95806df
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-for-v4.12-rc3' of git://people.freedesktop.org/~airlied/linux · 876ca8f3
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Not a whole lot happening here, a set of amdgpu fixes and one core
        deadlock fix, and some misc drivers fixes"
      
      * tag 'drm-fixes-for-v4.12-rc3' of git://people.freedesktop.org/~airlied/linux:
        drm/amdgpu: fix null point error when rmmod amdgpu.
        drm/amd/powerplay: fix a signedness bugs
        drm/amdgpu: fix NULL pointer panic of emit_gds_switch
        drm/radeon: Unbreak HPD handling for r600+
        drm/amd/powerplay/smu7: disable mclk switching for high refresh rates
        drm/amd/powerplay/smu7: add vblank check for mclk switching (v2)
        drm/radeon/ci: disable mclk switching for high refresh rates (v2)
        drm/amdgpu/ci: disable mclk switching for high refresh rates (v2)
        drm/amdgpu: fix fundamental suspend/resume issue
        drm/gma500/psb: Actually use VBT mode when it is found
        drm: Fix deadlock retry loop in page_flip_ioctl
        drm: qxl: Delay entering atomic context during cursor update
        drm/radeon: Fix oops upon driver load on PowerXpress laptops
      876ca8f3
    • Christoph Hellwig's avatar
      PCI/msi: fix the pci_alloc_irq_vectors_affinity stub · 83b4605b
      Christoph Hellwig authored
      We need to return an error for any call that asks for MSI / MSI-X
      vectors only, so that non-trivial fallback logic can work properly.
      
      Also valid dev->irq and use the "correct" errno value based on feedback
      from Linus.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reported-by: default avatarSteven Rostedt <rostedt@goodmis.org>
      Fixes: aff17164 ("PCI: Provide sensible IRQ vector alloc/free routines")
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      83b4605b
    • Jens Axboe's avatar
      Merge branch 'nvme-4.12' of git://git.infradead.org/nvme into for-linus · 8aa63829
      Jens Axboe authored
      Christoph writes:
      
      "A couple of fixes for the next rc on the nvme front. Various FC fixes
      from James, controller removal fixes from Ming (including a block layer
      patch), a APST related device quirk from Andy, a RDMA fix for small
      queue depth device from Marta, as well as fixes for the lack of
      metadata support in non-PCIe drivers and the printk logging format from
      me."
      8aa63829
    • Bart Van Assche's avatar
      blk-mq: Only register debugfs attributes for blk-mq queues · a8ecdd71
      Bart Van Assche authored
      The code in blk-mq-debugfs.c assumes that it is working on a blk-mq
      queue and is not intended to work on a blk-sq queue. Hence only
      register blk-mq debugfs attributes for blk-mq queues.
      
      Fixes: commit 9c1051aa ("blk-mq: untangle debugfs and sysfs")
      Signed-off-by: default avatarBart Van Assche <bart.vanassche@sandisk.com>
      Cc: Christoph Hellwig <hch@lst.de>
      Cc: Ming Lei <ming.lei@redhat.com>
      Reviewed-by: default avatarOmar Sandoval <osandov@fb.com>
      Reviewed-by: default avatarHannes Reinecke <hare@suse.com>
      Signed-off-by: default avatarJens Axboe <axboe@fb.com>
      a8ecdd71
    • Andy Lutomirski's avatar
      nvme: Quirk APST on Intel 600P/P3100 devices · 50af47d0
      Andy Lutomirski authored
      They have known firmware bugs.  A fix is apparently in the works --
      once fixed firmware is available, someone from Intel (Hi, Keith!)
      can adjust the quirk accordingly.
      
      Cc: stable@vger.kernel.org # v4.11
      Cc: Kai-Heng Feng <kai.heng.feng@canonical.com>
      Cc: Mario Limonciello <mario_limonciello@dell.com>
      Signed-off-by: default avatarAndy Lutomirski <luto@kernel.org>
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      50af47d0
    • Christoph Hellwig's avatar
      nvme: only setup block integrity if supported by the driver · c81bfba9
      Christoph Hellwig authored
      Currently only the PCIe driver supports metadata, so we should not claim
      integrity support for the other drivers.  This prevents nasty crashes
      with targets that advertise metadata support on fabrics.
      
      Also use the opportunity to factor out some code into a separate helper
      that isn't even compiled if CONFIG_BLK_DEV_INTEGRITY is disabled.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarKeith Busch <keith.busch@intel.com>
      c81bfba9
    • Christoph Hellwig's avatar
      nvme: replace is_flags field in nvme_ctrl_ops with a flags field · d3d5b87d
      Christoph Hellwig authored
      So that we can have more flags for transport-specific behavior.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarKeith Busch <keith.busch@intel.com>
      d3d5b87d
    • Christoph Hellwig's avatar
      nvme-pci: consistencly use ctrl->device for logging · 9bdcfb10
      Christoph Hellwig authored
      This is what most of the code already does and gives much more useful
      prefixes than the device embedded in the pci_dev.
      Signed-off-by: default avatarChristoph Hellwig <hch@lst.de>
      Reviewed-by: default avatarKeith Busch <keith.busch@intel.com>
      9bdcfb10
    • Dave Airlie's avatar
      Merge branch 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux into drm-fixes · bc1f0e04
      Dave Airlie authored
      A bunch of bug fixes:
      - Fix display flickering on some chips at high refresh rates
      - suspend/resume fix
      - hotplug fix
      - a couple of segfault fixes for certain cases
      
      * 'drm-fixes-4.12' of git://people.freedesktop.org/~agd5f/linux:
        drm/amdgpu: fix null point error when rmmod amdgpu.
        drm/amd/powerplay: fix a signedness bugs
        drm/amdgpu: fix NULL pointer panic of emit_gds_switch
        drm/radeon: Unbreak HPD handling for r600+
        drm/amd/powerplay/smu7: disable mclk switching for high refresh rates
        drm/amd/powerplay/smu7: add vblank check for mclk switching (v2)
        drm/radeon/ci: disable mclk switching for high refresh rates (v2)
        drm/amdgpu/ci: disable mclk switching for high refresh rates (v2)
        drm/amdgpu: fix fundamental suspend/resume issue
      bc1f0e04
    • Dave Airlie's avatar
      Merge tag 'drm-misc-fixes-2017-05-25' of git://anongit.freedesktop.org/git/drm-misc into drm-fixes · 538fd19e
      Dave Airlie authored
      Core Changes:
      - Don't drop vblank reference more than once in cases of ww retry (Daniel)
      
      Driver Changes:
      - radeon: Fix oops during radeon probe trying to reference wrong device (Lukas)
      - qxl: Avoid sleeping while in atomic context on cursor update (Gabriel)
      - gma500: Use VBT mode instead of pre-programmed mode for LVDS (Patrik)
      
      Cc: Lukas Wunner <lukas@wunner.de>
      Cc: Gabriel Krisman Bertazi <krisman@collabora.co.uk>
      Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
      Cc: Patrik Jakobsson <patrik.r.jakobsson@gmail.com>
      
      * tag 'drm-misc-fixes-2017-05-25' of git://anongit.freedesktop.org/git/drm-misc:
        drm/gma500/psb: Actually use VBT mode when it is found
        drm: Fix deadlock retry loop in page_flip_ioctl
        drm: qxl: Delay entering atomic context during cursor update
        drm/radeon: Fix oops upon driver load on PowerXpress laptops
      538fd19e
  5. 25 May, 2017 11 commits
    • Nithin Sujir's avatar
      bonding: Don't update slave->link until ready to commit · 797a9364
      Nithin Sujir authored
      In the loadbalance arp monitoring scheme, when a slave link change is
      detected, the slave->link is immediately updated and slave_state_changed
      is set. Later down the function, the rtnl_lock is acquired and the
      changes are committed, updating the bond link state.
      
      However, the acquisition of the rtnl_lock can fail. The next time the
      monitor runs, since slave->link is already updated, it determines that
      link is unchanged. This results in the bond link state permanently out
      of sync with the slave link.
      
      This patch modifies bond_loadbalance_arp_mon() to handle link changes
      identical to bond_ab_arp_{inspect/commit}(). The new link state is
      maintained in slave->new_link until we're ready to commit at which point
      it's copied into slave->link.
      
      NOTE: miimon_{inspect/commit}() has a more complex state machine
      requiring the use of the bond_{propose,commit}_link_state() functions
      which maintains the intermediate state in slave->link_new_state. The arp
      monitors don't require that.
      
      Testing: This bug is very easy to reproduce with the following steps.
      1. In a loop, toggle a slave link of a bond slave interface.
      2. In a separate loop, do ifconfig up/down of an unrelated interface to
      create contention for rtnl_lock.
      Within a few iterations, the bond link goes out of sync with the slave
      link.
      Signed-off-by: default avatarNithin Nayak Sujir <nsujir@tintri.com>
      Cc: Mahesh Bandewar <maheshb@google.com>
      Cc: Jay Vosburgh <jay.vosburgh@canonical.com>
      Acked-by: default avatarMahesh Bandewar <maheshb@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      797a9364
    • David Daney's avatar
      test_bpf: Add a couple of tests for BPF_JSGE. · 791caeb0
      David Daney authored
      Some JITs can optimize comparisons with zero.  Add a couple of
      BPF_JSGE tests against immediate zero.
      Signed-off-by: default avatarDavid Daney <david.daney@cavium.com>
      Acked-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      791caeb0
    • David S. Miller's avatar
      Merge branch 'bpf-fixes' · ae08ea97
      David S. Miller authored
      Daniel Borkmann says:
      
      ====================
      Various BPF fixes
      
      Follow-up to fix incorrect pruning when alignment tracking is
      in use and to properly clear regs after call to not leave stale
      data behind, also a fix that adds bpf_clone_redirect to the
      bpf_helper_changes_pkt_data helper and exposes correct map_flags
      for lpm map into fdinfo. For details, please see individual
      patches.
      
      v1 -> v2:
        - Reworked first patch so that env->strict_alignment is the
          final indicator on whether we have to deal with strict
          alignment rather than having CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
          checks on various locations, so only checking env->strict_alignment
          is sufficient after that. Thanks for spotting, Dave!
        - Added patch 3 and 4.
        - Rest as is.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ae08ea97
    • Daniel Borkmann's avatar
      bpf: add various verifier test cases · 614d0d77
      Daniel Borkmann authored
      This patch adds various verifier test cases:
      
      1) A test case for the pruning issue when tracking alignment
         is used.
      2) Various PTR_TO_MAP_VALUE_OR_NULL tests to make sure pointer
         arithmetic turns such register into UNKNOWN_VALUE type.
      3) Test cases for the special treatment of LD_ABS/LD_IND to
         make sure verifier doesn't break calling convention here.
         Latter is needed, since f.e. arm64 JIT uses r1 - r5 for
         storing temporary data, so they really must be marked as
         NOT_INIT.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      614d0d77
    • Daniel Borkmann's avatar
      bpf: fix wrong exposure of map_flags into fdinfo for lpm · a316338c
      Daniel Borkmann authored
      trie_alloc() always needs to have BPF_F_NO_PREALLOC passed in via
      attr->map_flags, since it does not support preallocation yet. We
      check the flag, but we never copy the flag into trie->map.map_flags,
      which is later on exposed into fdinfo and used by loaders such as
      iproute2. Latter uses this in bpf_map_selfcheck_pinned() to test
      whether a pinned map has the same spec as the one from the BPF obj
      file and if not, bails out, which is currently the case for lpm
      since it exposes always 0 as flags.
      
      Also copy over flags in array_map_alloc() and stack_map_alloc().
      They always have to be 0 right now, but we should make sure to not
      miss to copy them over at a later point in time when we add actual
      flags for them to use.
      
      Fixes: b95a5c4d ("bpf: add a longest prefix match trie map implementation")
      Reported-by: default avatarJarno Rajahalme <jarno@covalent.io>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a316338c
    • Daniel Borkmann's avatar
      bpf: add bpf_clone_redirect to bpf_helper_changes_pkt_data · 41703a73
      Daniel Borkmann authored
      The bpf_clone_redirect() still needs to be listed in
      bpf_helper_changes_pkt_data() since we call into
      bpf_try_make_head_writable() from there, thus we need
      to invalidate prior pkt regs as well.
      
      Fixes: 36bbef52 ("bpf: direct packet write and access for helpers for clsact progs")
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      41703a73
    • Daniel Borkmann's avatar
      bpf: properly reset caller saved regs after helper call and ld_abs/ind · a9789ef9
      Daniel Borkmann authored
      Currently, after performing helper calls, we clear all caller saved
      registers, that is r0 - r5 and fill r0 depending on struct bpf_func_proto
      specification. The way we reset these regs can affect pruning decisions
      in later paths, since we only reset register's imm to 0 and type to
      NOT_INIT. However, we leave out clearing of other variables such as id,
      min_value, max_value, etc, which can later on lead to pruning mismatches
      due to stale data.
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a9789ef9
    • Daniel Borkmann's avatar
      bpf: fix incorrect pruning decision when alignment must be tracked · 1ad2f583
      Daniel Borkmann authored
      Currently, when we enforce alignment tracking on direct packet access,
      the verifier lets the following program pass despite doing a packet
      write with unaligned access:
      
        0: (61) r2 = *(u32 *)(r1 +76)
        1: (61) r3 = *(u32 *)(r1 +80)
        2: (61) r7 = *(u32 *)(r1 +8)
        3: (bf) r0 = r2
        4: (07) r0 += 14
        5: (25) if r7 > 0x1 goto pc+4
         R0=pkt(id=0,off=14,r=0) R1=ctx R2=pkt(id=0,off=0,r=0)
         R3=pkt_end R7=inv,min_value=0,max_value=1 R10=fp
        6: (2d) if r0 > r3 goto pc+1
         R0=pkt(id=0,off=14,r=14) R1=ctx R2=pkt(id=0,off=0,r=14)
         R3=pkt_end R7=inv,min_value=0,max_value=1 R10=fp
        7: (63) *(u32 *)(r0 -4) = r0
        8: (b7) r0 = 0
        9: (95) exit
      
        from 6 to 8:
         R0=pkt(id=0,off=14,r=0) R1=ctx R2=pkt(id=0,off=0,r=0)
         R3=pkt_end R7=inv,min_value=0,max_value=1 R10=fp
        8: (b7) r0 = 0
        9: (95) exit
      
        from 5 to 10:
         R0=pkt(id=0,off=14,r=0) R1=ctx R2=pkt(id=0,off=0,r=0)
         R3=pkt_end R7=inv,min_value=2 R10=fp
        10: (07) r0 += 1
        11: (05) goto pc-6
        6: safe                           <----- here, wrongly found safe
        processed 15 insns
      
      However, if we enforce a pruning mismatch by adding state into r8
      which is then being mismatched in states_equal(), we find that for
      the otherwise same program, the verifier detects a misaligned packet
      access when actually walking that path:
      
        0: (61) r2 = *(u32 *)(r1 +76)
        1: (61) r3 = *(u32 *)(r1 +80)
        2: (61) r7 = *(u32 *)(r1 +8)
        3: (b7) r8 = 1
        4: (bf) r0 = r2
        5: (07) r0 += 14
        6: (25) if r7 > 0x1 goto pc+4
         R0=pkt(id=0,off=14,r=0) R1=ctx R2=pkt(id=0,off=0,r=0)
         R3=pkt_end R7=inv,min_value=0,max_value=1
         R8=imm1,min_value=1,max_value=1,min_align=1 R10=fp
        7: (2d) if r0 > r3 goto pc+1
         R0=pkt(id=0,off=14,r=14) R1=ctx R2=pkt(id=0,off=0,r=14)
         R3=pkt_end R7=inv,min_value=0,max_value=1
         R8=imm1,min_value=1,max_value=1,min_align=1 R10=fp
        8: (63) *(u32 *)(r0 -4) = r0
        9: (b7) r0 = 0
        10: (95) exit
      
        from 7 to 9:
         R0=pkt(id=0,off=14,r=0) R1=ctx R2=pkt(id=0,off=0,r=0)
         R3=pkt_end R7=inv,min_value=0,max_value=1
         R8=imm1,min_value=1,max_value=1,min_align=1 R10=fp
        9: (b7) r0 = 0
        10: (95) exit
      
        from 6 to 11:
         R0=pkt(id=0,off=14,r=0) R1=ctx R2=pkt(id=0,off=0,r=0)
         R3=pkt_end R7=inv,min_value=2
         R8=imm1,min_value=1,max_value=1,min_align=1 R10=fp
        11: (07) r0 += 1
        12: (b7) r8 = 0
        13: (05) goto pc-7                <----- mismatch due to r8
        7: (2d) if r0 > r3 goto pc+1
         R0=pkt(id=0,off=15,r=15) R1=ctx R2=pkt(id=0,off=0,r=15)
         R3=pkt_end R7=inv,min_value=2
         R8=imm0,min_value=0,max_value=0,min_align=2147483648 R10=fp
        8: (63) *(u32 *)(r0 -4) = r0
        misaligned packet access off 2+15+-4 size 4
      
      The reason why we fail to see it in states_equal() is that the
      third test in compare_ptrs_to_packet() ...
      
        if (old->off <= cur->off &&
            old->off >= old->range && cur->off >= cur->range)
                return true;
      
      ... will let the above pass. The situation we run into is that
      old->off <= cur->off (14 <= 15), meaning that prior walked paths
      went with smaller offset, which was later used in the packet
      access after successful packet range check and found to be safe
      already.
      
      For example: Given is R0=pkt(id=0,off=0,r=0). Adding offset 14
      as in above program to it, results in R0=pkt(id=0,off=14,r=0)
      before the packet range test. Now, testing this against R3=pkt_end
      with 'if r0 > r3 goto out' will transform R0 into R0=pkt(id=0,off=14,r=14)
      for the case when we're within bounds. A write into the packet
      at offset *(u32 *)(r0 -4), that is, 2 + 14 -4, is valid and
      aligned (2 is for NET_IP_ALIGN). After processing this with
      all fall-through paths, we later on check paths from branches.
      When the above skb->mark test is true, then we jump near the
      end of the program, perform r0 += 1, and jump back to the
      'if r0 > r3 goto out' test we've visited earlier already. This
      time, R0 is of type R0=pkt(id=0,off=15,r=0), and we'll prune
      that part because this time we'll have a larger safe packet
      range, and we already found that with off=14 all further insn
      were already safe, so it's safe as well with a larger off.
      However, the problem is that the subsequent write into the packet
      with 2 + 15 -4 is then unaligned, and not caught by the alignment
      tracking. Note that min_align, aux_off, and aux_off_align were
      all 0 in this example.
      
      Since we cannot tell at this time what kind of packet access was
      performed in the prior walk and what minimal requirements it has
      (we might do so in the future, but that requires more complexity),
      fix it to disable this pruning case for strict alignment for now,
      and let the verifier do check such paths instead. With that applied,
      the test cases pass and reject the program due to misalignment.
      
      Fixes: d1174416 ("bpf: Track alignment of register values in the verifier.")
      Reference: http://patchwork.ozlabs.org/patch/761909/Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: default avatarAlexei Starovoitov <ast@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1ad2f583
    • Ihar Hrachyshka's avatar
      arp: fixed -Wuninitialized compiler warning · 5990baaa
      Ihar Hrachyshka authored
      Commit 7d472a59 ("arp: always override
      existing neigh entries with gratuitous ARP") introduced a compiler
      warning:
      
      net/ipv4/arp.c:880:35: warning: 'addr_type' may be used uninitialized in
      this function [-Wmaybe-uninitialized]
      
      While the code logic seems to be correct and doesn't allow the variable
      to be used uninitialized, and the warning is not consistently
      reproducible, it's still worth fixing it for other people not to waste
      time looking at the warning in case it pops up in the build environment.
      Yes, compiler is probably at fault, but we will need to accommodate.
      
      Fixes: 7d472a59 ("arp: always override existing neigh entries with gratuitous ARP")
      Signed-off-by: default avatarIhar Hrachyshka <ihrachys@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5990baaa
    • Wei Wang's avatar
      tcp: avoid fastopen API to be used on AF_UNSPEC · ba615f67
      Wei Wang authored
      Fastopen API should be used to perform fastopen operations on the TCP
      socket. It does not make sense to use fastopen API to perform disconnect
      by calling it with AF_UNSPEC. The fastopen data path is also prone to
      race conditions and bugs when using with AF_UNSPEC.
      
      One issue reported and analyzed by Vegard Nossum is as follows:
      +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      Thread A:                            Thread B:
      ------------------------------------------------------------------------
      sendto()
       - tcp_sendmsg()
           - sk_stream_memory_free() = 0
               - goto wait_for_sndbuf
      	     - sk_stream_wait_memory()
      	        - sk_wait_event() // sleep
                |                          sendto(flags=MSG_FASTOPEN, dest_addr=AF_UNSPEC)
      	  |                           - tcp_sendmsg()
      	  |                              - tcp_sendmsg_fastopen()
      	  |                                 - __inet_stream_connect()
      	  |                                    - tcp_disconnect() //because of AF_UNSPEC
      	  |                                       - tcp_transmit_skb()// send RST
      	  |                                    - return 0; // no reconnect!
      	  |                           - sk_stream_wait_connect()
      	  |                                 - sock_error()
      	  |                                    - xchg(&sk->sk_err, 0)
      	  |                                    - return -ECONNRESET
      	- ... // wake up, see sk->sk_err == 0
          - skb_entail() on TCP_CLOSE socket
      
      If the connection is reopened then we will send a brand new SYN packet
      after thread A has already queued a buffer. At this point I think the
      socket internal state (sequence numbers etc.) becomes messed up.
      
      When the new connection is closed, the FIN-ACK is rejected because the
      sequence number is outside the window. The other side tries to
      retransmit,
      but __tcp_retransmit_skb() calls tcp_trim_head() on an empty skb which
      corrupts the skb data length and hits a BUG() in copy_and_csum_bits().
      +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
      
      Hence, this patch adds a check for AF_UNSPEC in the fastopen data path
      and return EOPNOTSUPP to user if such case happens.
      
      Fixes: cf60af03 ("tcp: Fast Open client - sendmsg(MSG_FASTOPEN)")
      Reported-by: default avatarVegard Nossum <vegard.nossum@oracle.com>
      Signed-off-by: default avatarWei Wang <weiwan@google.com>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ba615f67
    • Roman Kapl's avatar
      net: move somaxconn init from sysctl code · 7c3f1875
      Roman Kapl authored
      The default value for somaxconn is set in sysctl_core_net_init(), but this
      function is not called when kernel is configured without CONFIG_SYSCTL.
      
      This results in the kernel not being able to accept TCP connections,
      because the backlog has zero size. Usually, the user ends up with:
      "TCP: request_sock_TCP: Possible SYN flooding on port 7. Dropping request.  Check SNMP counters."
      If SYN cookies are not enabled the connection is rejected.
      
      Before ef547f2a (tcp: remove max_qlen_log), the effects were less
      severe, because the backlog was always at least eight slots long.
      Signed-off-by: default avatarRoman Kapl <roman.kapl@sysgo.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      7c3f1875