1. 03 Oct, 2018 5 commits
  2. 13 Sep, 2018 1 commit
    • Jann Horn's avatar
      apparmor: don't try to replace stale label in ptrace access check · 1f8266ff
      Jann Horn authored
      As a comment above begin_current_label_crit_section() explains,
      begin_current_label_crit_section() must run in sleepable context because
      when label_is_stale() is true, aa_replace_current_label() runs, which uses
      prepare_creds(), which can sleep.
      Until now, the ptrace access check (which runs with a task lock held)
      violated this rule.
      
      Also add a might_sleep() assertion to begin_current_label_crit_section(),
      because asserts are less likely to be ignored than comments.
      
      Fixes: b2d09ae4 ("apparmor: move ptrace checks to using labels")
      Signed-off-by: default avatarJann Horn <jannh@google.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      1f8266ff
  3. 07 Sep, 2018 1 commit
    • Tony Jones's avatar
      apparmor: Fix network performance issue in aa_label_sk_perm · 5f997580
      Tony Jones authored
      The netperf benchmark shows a 5.73% reduction in throughput for
      small (64 byte) transfers by unconfined tasks.
      
      DEFINE_AUDIT_SK() in aa_label_sk_perm() should not be performed
      unconditionally, rather only when the label is confined.
      
      netperf-tcp
                                  56974a6f^              56974a6f
      Min       64         563.48 (   0.00%)      531.17 (  -5.73%)
      Min       128       1056.92 (   0.00%)      999.44 (  -5.44%)
      Min       256       1945.95 (   0.00%)     1867.97 (  -4.01%)
      Min       1024      6761.40 (   0.00%)     6364.23 (  -5.87%)
      Min       2048     11110.53 (   0.00%)    10606.20 (  -4.54%)
      Min       3312     13692.67 (   0.00%)    13158.41 (  -3.90%)
      Min       4096     14926.29 (   0.00%)    14457.46 (  -3.14%)
      Min       8192     18399.34 (   0.00%)    18091.65 (  -1.67%)
      Min       16384    21384.13 (   0.00%)    21158.05 (  -1.06%)
      Hmean     64         564.96 (   0.00%)      534.38 (  -5.41%)
      Hmean     128       1064.42 (   0.00%)     1010.12 (  -5.10%)
      Hmean     256       1965.85 (   0.00%)     1879.16 (  -4.41%)
      Hmean     1024      6839.77 (   0.00%)     6478.70 (  -5.28%)
      Hmean     2048     11154.80 (   0.00%)    10671.13 (  -4.34%)
      Hmean     3312     13838.12 (   0.00%)    13249.01 (  -4.26%)
      Hmean     4096     15009.99 (   0.00%)    14561.36 (  -2.99%)
      Hmean     8192     18975.57 (   0.00%)    18326.54 (  -3.42%)
      Hmean     16384    21440.44 (   0.00%)    21324.59 (  -0.54%)
      Stddev    64           1.24 (   0.00%)        2.85 (-130.64%)
      Stddev    128          4.51 (   0.00%)        6.53 ( -44.84%)
      Stddev    256         11.67 (   0.00%)        8.50 (  27.16%)
      Stddev    1024        48.33 (   0.00%)       75.07 ( -55.34%)
      Stddev    2048        54.82 (   0.00%)       65.16 ( -18.86%)
      Stddev    3312       153.57 (   0.00%)       56.29 (  63.35%)
      Stddev    4096       100.25 (   0.00%)       88.50 (  11.72%)
      Stddev    8192       358.13 (   0.00%)      169.99 (  52.54%)
      Stddev    16384       43.99 (   0.00%)      141.82 (-222.39%)
      Signed-off-by: default avatarTony Jones <tonyj@suse.de>
      Fixes: 56974a6f ("apparmor: add base infastructure for socket
      mediation")
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      5f997580
  4. 23 Aug, 2018 1 commit
    • John Johansen's avatar
      apparmor: remove no-op permission check in policy_unpack · c037bd61
      John Johansen authored
      The patch 736ec752: "AppArmor: policy routines for loading and
      unpacking policy" from Jul 29, 2010, leads to the following static
      checker warning:
      
          security/apparmor/policy_unpack.c:410 verify_accept()
          warn: bitwise AND condition is false here
      
          security/apparmor/policy_unpack.c:413 verify_accept()
          warn: bitwise AND condition is false here
      
      security/apparmor/policy_unpack.c
         392  #define DFA_VALID_PERM_MASK             0xffffffff
         393  #define DFA_VALID_PERM2_MASK            0xffffffff
         394
         395  /**
         396   * verify_accept - verify the accept tables of a dfa
         397   * @dfa: dfa to verify accept tables of (NOT NULL)
         398   * @flags: flags governing dfa
         399   *
         400   * Returns: 1 if valid accept tables else 0 if error
         401   */
         402  static bool verify_accept(struct aa_dfa *dfa, int flags)
         403  {
         404          int i;
         405
         406          /* verify accept permissions */
         407          for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
         408                  int mode = ACCEPT_TABLE(dfa)[i];
         409
         410                  if (mode & ~DFA_VALID_PERM_MASK)
         411                          return 0;
         412
         413                  if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
         414                          return 0;
      
      fixes: 736ec752 ("AppArmor: policy routines for loading and unpacking policy")
      Reported-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      c037bd61
  5. 21 Aug, 2018 1 commit
  6. 20 Jul, 2018 1 commit
  7. 19 Jul, 2018 6 commits
    • Tyler Hicks's avatar
      apparmor: Fully initialize aa_perms struct when answering userspace query · f4585bc2
      Tyler Hicks authored
      Fully initialize the aa_perms struct in profile_query_cb() to avoid the
      potential of using an uninitialized struct member's value in a response
      to a query from userspace.
      
      Detected by CoverityScan CID#1415126 ("Uninitialized scalar variable")
      
      Fixes: 4f3b3f2d ("apparmor: add profile permission query ability")
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      f4585bc2
    • Tyler Hicks's avatar
      apparmor: Check buffer bounds when mapping permissions mask · 7f3ebcf2
      Tyler Hicks authored
      Don't read past the end of the buffer containing permissions
      characters or write past the end of the destination string.
      
      Detected by CoverityScan CID#1415361, 1415376 ("Out-of-bounds access")
      
      Fixes: e53cfe6c ("apparmor: rework perm mapping to a slightly broader set")
      Signed-off-by: default avatarTyler Hicks <tyhicks@canonical.com>
      Acked-by: default avatarSerge Hallyn <serge@hallyn.com>
      Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
      7f3ebcf2
    • Linus Torvalds's avatar
      Merge tag 'pci-v4.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci · fb7d1bcf
      Linus Torvalds authored
      Pull PCI fixes from Bjorn Helgaas:
      
       - Fix crashes that happen when PHY drivers are left disabled in the V3
         Semiconductor, MediaTek, Faraday, Aardvark, DesignWare, Versatile,
         and X-Gene host controller drivers (Sergei Shtylyov)
      
       - Fix a NULL pointer dereference in the endpoint library configfs
         support (Kishon Vijay Abraham I)
      
       - Fix a race condition in Hyper-V IRQ handling (Dexuan Cui)
      
      * tag 'pci-v4.18-fixes-3' of git://git.kernel.org/pub/scm/linux/kernel/git/helgaas/pci:
        PCI: v3-semi: Fix I/O space page leak
        PCI: mediatek: Fix I/O space page leak
        PCI: faraday: Fix I/O space page leak
        PCI: aardvark: Fix I/O space page leak
        PCI: designware: Fix I/O space page leak
        PCI: versatile: Fix I/O space page leak
        PCI: xgene: Fix I/O space page leak
        PCI: OF: Fix I/O space page leak
        PCI: endpoint: Fix NULL pointer dereference error when CONFIGFS is disabled
        PCI: hv: Disable/enable IRQs rather than BH in hv_compose_msi_msg()
      fb7d1bcf
    • Linus Torvalds's avatar
      Merge tag 'sound-4.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound · f39f28ff
      Linus Torvalds authored
      Pull sound fixes from Takashi Iwai:
       "A rawmidi race fix and three trivial HD-audio quirks"
      
      * tag 'sound-4.18-rc6' of git://git.kernel.org/pub/scm/linux/kernel/git/tiwai/sound:
        ALSA: hda/realtek - Yet another Clevo P950 quirk entry
        ALSA: rawmidi: Change resized buffers atomically
        ALSA: hda/realtek - Add Panasonic CF-SZ6 headset jack quirk
        ALSA: hda: add mute led support for HP ProBook 455 G5
      f39f28ff
    • Linus Torvalds's avatar
      Merge branch 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6 · b4394c34
      Linus Torvalds authored
      Pull crypto fix from Herbert Xu:
       "This fixes an allocation error-path bug in af_alg discovered by
        syzkaller"
      
      * 'linus' of git://git.kernel.org/pub/scm/linux/kernel/git/herbert/crypto-2.6:
        crypto: af_alg - Initialize sg_num_bytes in error code path
      b4394c34
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net · 024ddc0c
      Linus Torvalds authored
      Pull networking fixes from David Miller:
       "Lots of fixes, here goes:
      
         1) NULL deref in qtnfmac, from Gustavo A. R. Silva.
      
         2) Kernel oops when fw download fails in rtlwifi, from Ping-Ke Shih.
      
         3) Lost completion messages in AF_XDP, from Magnus Karlsson.
      
         4) Correct bogus self-assignment in rhashtable, from Rishabh
            Bhatnagar.
      
         5) Fix regression in ipv6 route append handling, from David Ahern.
      
         6) Fix masking in __set_phy_supported(), from Heiner Kallweit.
      
         7) Missing module owner set in x_tables icmp, from Florian Westphal.
      
         8) liquidio's timeouts are HZ dependent, fix from Nicholas Mc Guire.
      
         9) Link setting fixes for sh_eth and ravb, from Vladimir Zapolskiy.
      
        10) Fix NULL deref when using chains in act_csum, from Davide Caratti.
      
        11) XDP_REDIRECT needs to check if the interface is up and whether the
            MTU is sufficient. From Toshiaki Makita.
      
        12) Net diag can do a double free when killing TCP_NEW_SYN_RECV
            connections, from Lorenzo Colitti.
      
        13) nf_defrag in ipv6 can unnecessarily hold onto dst entries for a
            full minute, delaying device unregister. From Eric Dumazet.
      
        14) Update MAC entries in the correct order in ixgbe, from Alexander
            Duyck.
      
        15) Don't leave partial mangles bpf program in jit_subprogs, from
            Daniel Borkmann.
      
        16) Fix pfmemalloc SKB state propagation, from Stefano Brivio.
      
        17) Fix ACK handling in DCTCP congestion control, from Yuchung Cheng.
      
        18) Use after free in tun XDP_TX, from Toshiaki Makita.
      
        19) Stale ipv6 header pointer in ipv6 gre code, from Prashant Bhole.
      
        20) Don't reuse remainder of RX page when XDP is set in mlx4, from
            Saeed Mahameed.
      
        21) Fix window probe handling of TCP rapair sockets, from Stefan
            Baranoff.
      
        22) Missing socket locking in smc_ioctl(), from Ursula Braun.
      
        23) IPV6_ILA needs DST_CACHE, from Arnd Bergmann.
      
        24) Spectre v1 fix in cxgb3, from Gustavo A. R. Silva.
      
        25) Two spots in ipv6 do a rol32() on a hash value but ignore the
            result. Fixes from Colin Ian King"
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/davem/net: (176 commits)
        tcp: identify cryptic messages as TCP seq # bugs
        ptp: fix missing break in switch
        hv_netvsc: Fix napi reschedule while receive completion is busy
        MAINTAINERS: Drop inactive Vitaly Bordug's email
        net: cavium: Add fine-granular dependencies on PCI
        net: qca_spi: Fix log level if probe fails
        net: qca_spi: Make sure the QCA7000 reset is triggered
        net: qca_spi: Avoid packet drop during initial sync
        ipv6: fix useless rol32 call on hash
        ipv6: sr: fix useless rol32 call on hash
        net: sched: Using NULL instead of plain integer
        net: usb: asix: replace mii_nway_restart in resume path
        net: cxgb3_main: fix potential Spectre v1
        lib/rhashtable: consider param->min_size when setting initial table size
        net/smc: reset recv timeout after clc handshake
        net/smc: add error handling for get_user()
        net/smc: optimize consumer cursor updates
        net/nfc: Avoid stalls when nfc_alloc_send_skb() returned NULL.
        ipv6: ila: select CONFIG_DST_CACHE
        net: usb: rtl8150: demote allmulti message to dev_dbg()
        ...
      024ddc0c
  8. 18 Jul, 2018 24 commits
    • Linus Torvalds's avatar
      Merge tag 'devicetree-fixes-for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux · 05df2045
      Linus Torvalds authored
      Pull DeviceTree fixes from Rob Herring:
      
       - Fix phandle cache to work with overlays
      
       - Correct the default clock-frequency for QCom geni-i2c
      
       - Binding doc quote and spelling fixes
      
      * tag 'devicetree-fixes-for-4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/robh/linux:
        of: overlay: update phandle cache on overlay apply and remove
        dt-bindings: Fix unbalanced quotation marks
        dt-bindings: soc: qcom: Fix default clock-freq for qcom,geni-i2c
        dt-bindings: w1-gpio: Remove unneeded unit address
        Documentation: devicetree: tilcdc: fix spelling mistake "suppors" -> "supports"
      05df2045
    • Randy Dunlap's avatar
      tcp: identify cryptic messages as TCP seq # bugs · e56b8ce3
      Randy Dunlap authored
      Attempt to make cryptic TCP seq number error messages clearer by
      (1) identifying the source of the message as "TCP", (2) identifying the
      errors as "seq # bug", and (3) grouping the field identifiers and values
      by separating them with commas.
      
      E.g., the following message is changed from:
      
      recvmsg bug 2: copied 73BCB6CD seq 70F17CBE rcvnxt 73BCB9AA fl 0
      WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:1881 tcp_recvmsg+0x649/0xb90
      
      to:
      
      TCP recvmsg seq # bug 2: copied 73BCB6CD, seq 70F17CBE, rcvnxt 73BCB9AA, fl 0
      WARNING: CPU: 2 PID: 1501 at /linux/net/ipv4/tcp.c:2011 tcp_recvmsg+0x694/0xba0
      Suggested-by: default avatar積丹尼 Dan Jacobson <jidanni@jidanni.org>
      Signed-off-by: default avatarRandy Dunlap <rdunlap@infradead.org>
      Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e56b8ce3
    • Gustavo A. R. Silva's avatar
      ptp: fix missing break in switch · 9ba8376c
      Gustavo A. R. Silva authored
      It seems that a *break* is missing in order to avoid falling through
      to the default case. Otherwise, checking *chan* makes no sense.
      
      Fixes: 72df7a72 ("ptp: Allow reassigning calibration pin function")
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Acked-by: default avatarRichard Cochran <richardcochran@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9ba8376c
    • Haiyang Zhang's avatar
      hv_netvsc: Fix napi reschedule while receive completion is busy · 6b81b193
      Haiyang Zhang authored
      If out ring is full temporarily and receive completion cannot go out,
      we may still need to reschedule napi if certain conditions are met.
      Otherwise the napi poll might be stopped forever, and cause network
      disconnect.
      
      Fixes: 7426b1a5 ("netvsc: optimize receive completions")
      Signed-off-by: default avatarStephen Hemminger <stephen@networkplumber.org>
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6b81b193
    • Krzysztof Kozlowski's avatar
      MAINTAINERS: Drop inactive Vitaly Bordug's email · a2ec9d14
      Krzysztof Kozlowski authored
      The Vitaly Bordug's email bounces ("ru.mvista.com: Name or service not
      known") and there was no activity (ack, review, sign) since 2009.
      
      Cc: Vitaly Bordug <vitb@kernel.crashing.org>
      Cc: Pantelis Antoniou <pantelis.antoniou@gmail.com>
      Cc: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: default avatarKrzysztof Kozlowski <krzk@kernel.org>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      a2ec9d14
    • Alexander Sverdlin's avatar
      net: cavium: Add fine-granular dependencies on PCI · e40562ab
      Alexander Sverdlin authored
      Add dependencies on PCI where necessary.
      
      Fixes: 7e2bc7fb ("net: cavium: Drop dependency of NET_VENDOR_CAVIUM on PCI")
      Signed-off-by: default avatarAlexander Sverdlin <alexander.sverdlin@nokia.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e40562ab
    • David S. Miller's avatar
      Merge branch 'net-qca_spi-Minor-bugfixes' · 0838a4ef
      David S. Miller authored
      Stefan Wahren says:
      
      ====================
      net: qca_spi: Minor bugfixes
      
      This patch series contains some minor bugfixes for
      the qca_spi driver.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      0838a4ef
    • Stefan Wahren's avatar
      net: qca_spi: Fix log level if probe fails · 50973993
      Stefan Wahren authored
      In cases the probing fails the log level of the messages should
      be an error.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      50973993
    • Stefan Wahren's avatar
      net: qca_spi: Make sure the QCA7000 reset is triggered · 711c62df
      Stefan Wahren authored
      In case the SPI thread is not running, a simple reset of sync
      state won't fix the transmit timeout. We also need to wake up the kernel
      thread.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: ed7d42e2 ("net: qca_spi: fix transmit queue timeout handling")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      711c62df
    • Stefan Wahren's avatar
      net: qca_spi: Avoid packet drop during initial sync · b2bab426
      Stefan Wahren authored
      As long as the synchronization with the QCA7000 isn't finished, we
      cannot accept packets from the upper layers. So let the SPI thread
      enable the TX queue after sync and avoid unwanted packet drop.
      Signed-off-by: default avatarStefan Wahren <stefan.wahren@i2se.com>
      Fixes: 291ab06e ("net: qualcomm: new Ethernet over SPI driver for QCA7000")
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      b2bab426
    • Colin Ian King's avatar
      ipv6: fix useless rol32 call on hash · 169dc027
      Colin Ian King authored
      The rol32 call is currently rotating hash but the rol'd value is
      being discarded. I believe the current code is incorrect and hash
      should be assigned the rotated value returned from rol32.
      
      Thanks to David Lebrun for spotting this.
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      169dc027
    • Colin Ian King's avatar
      ipv6: sr: fix useless rol32 call on hash · 3ee593ad
      Colin Ian King authored
      The rol32 call is currently rotating hash but the rol'd value is
      being discarded. I believe the current code is incorrect and hash
      should be assigned the rotated value returned from rol32.
      
      Detected by CoverityScan, CID#1468411 ("Useless call")
      
      Fixes: b5facfdb ("ipv6: sr: Compute flowlabel for outer IPv6 header of seg6 encap mode")
      Signed-off-by: default avatarColin Ian King <colin.king@canonical.com>
      Acked-by: dlebrun@google.com
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      3ee593ad
    • Sergei Shtylyov's avatar
      PCI: v3-semi: Fix I/O space page leak · 270ed733
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried,  finally causing the BUG due to trying to remap
      already remapped pages.
      
      The V3 Semiconductor PCI driver has the same issue.
      Replace devm_pci_remap_iospace() with its devm_ managed version to fix
      the bug.
      
      Fixes: 68a15eb7 ("PCI: v3-semi: Add V3 Semiconductor PCI host driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      270ed733
    • Sergei Shtylyov's avatar
      PCI: mediatek: Fix I/O space page leak · 438477b9
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The MediaTek PCIe driver has the same issue.
      
      Replace devm_pci_remap_iospace() with its devm_ managed counterpart
      to fix the bug.
      
      Fixes: 637cfaca ("PCI: mediatek: Add MediaTek PCIe host controller support")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      438477b9
    • Sergei Shtylyov's avatar
      PCI: faraday: Fix I/O space page leak · e3060945
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if
      the PCIe PHY driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The Faraday PCI driver has the same issue. Replace pci_remap_iospace()
      with its devm_ managed version to fix the bug.
      
      Fixes: d3c68e0a ("PCI: faraday: Add Faraday Technology FTPCI100 PCI Host Bridge driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      e3060945
    • Sergei Shtylyov's avatar
      PCI: aardvark: Fix I/O space page leak · 1df3e5b3
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The Aardvark PCI controller driver has the same issue.
      Replace pci_remap_iospace() with its devm_ managed version to fix the bug.
      
      Fixes: 8c39d710 ("PCI: aardvark: Add Aardvark PCI host controller driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarThomas Petazzoni <thomas.petazzoni@bootlin.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      1df3e5b3
    • Sergei Shtylyov's avatar
      PCI: designware: Fix I/O space page leak · fd07f5e1
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver is left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The DesignWare PCIe controller driver has the same issue.
      
      Replace devm_pci_remap_iospace() with a devm_ managed version to fix the
      bug.
      
      Fixes: cbce7900 ("PCI: designware: Make driver arch-agnostic")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      Acked-by: default avatarJingoo Han <jingoohan1@gmail.com>
      fd07f5e1
    • Sergei Shtylyov's avatar
      PCI: versatile: Fix I/O space page leak · 0018b265
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The Versatile PCI controller driver has the same issue.
      Replace pci_remap_iospace() with the devm_ managed version to fix the bug.
      
      Fixes: b7e78170 ("PCI: versatile: Add DT-based ARM Versatile PB PCIe host driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      0018b265
    • Sergei Shtylyov's avatar
      PCI: xgene: Fix I/O space page leak · 925652d0
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      The X-Gene PCI controller driver has the same issue.
      Replace pci_remap_iospace() with the devm_ managed version so that the
      pages get unmapped automagically on any probe failure.
      
      Fixes: 5f6b6ccd ("PCI: xgene: Add APM X-Gene PCIe driver")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      925652d0
    • David S. Miller's avatar
      Merge tag 'batadv-net-for-davem-20180717' of git://git.open-mesh.org/linux-merge · 9640ccce
      David S. Miller authored
      Simon Wunderlich says:
      
      ====================
      Here are some batman-adv fixes:
      
       - Fix gateway refcounting in BATMAN IV and V, by Sven Eckelmann (2 patches)
      
       - Fix debugfs paths when renaming interfaces, by Sven Eckelmann (2 patches)
      
       - Fix TT flag issues, by Linus Luessing (2 patches)
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9640ccce
    • YueHaibing's avatar
      net: sched: Using NULL instead of plain integer · 53189183
      YueHaibing authored
      Fixes the following sparse warnings:
      
      net/sched/cls_api.c:1101:43: warning: Using plain integer as NULL pointer
      net/sched/cls_api.c:1492:75: warning: Using plain integer as NULL pointer
      Signed-off-by: default avatarYueHaibing <yuehaibing@huawei.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      53189183
    • Alexander Couzens's avatar
      net: usb: asix: replace mii_nway_restart in resume path · 5c968f48
      Alexander Couzens authored
      mii_nway_restart is not pm aware which results in a rtnl deadlock.
      Implement mii_nway_restart manual by setting BMCR_ANRESTART if
      BMCR_ANENABLE is set.
      
      To reproduce:
      * plug an asix based usb network interface
      * wait until the device enters PM (~5 sec)
      * `ip link set eth1 up` will never return
      
      Fixes: d9fe64e5 ("net: asix: Add in_pm parameter")
      Signed-off-by: default avatarAlexander Couzens <lynxis@fe80.eu>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5c968f48
    • Sergei Shtylyov's avatar
      PCI: OF: Fix I/O space page leak · a5fb9fb0
      Sergei Shtylyov authored
      When testing the R-Car PCIe driver on the Condor board, if the PCIe PHY
      driver was left disabled, the kernel crashed with this BUG:
      
        kernel BUG at lib/ioremap.c:72!
        Internal error: Oops - BUG: 0 [#1] PREEMPT SMP
        Modules linked in:
        CPU: 0 PID: 39 Comm: kworker/0:1 Not tainted 4.17.0-dirty #1092
        Hardware name: Renesas Condor board based on r8a77980 (DT)
        Workqueue: events deferred_probe_work_func
        pstate: 80000005 (Nzcv daif -PAN -UAO)
        pc : ioremap_page_range+0x370/0x3c8
        lr : ioremap_page_range+0x40/0x3c8
        sp : ffff000008da39e0
        x29: ffff000008da39e0 x28: 00e8000000000f07
        x27: ffff7dfffee00000 x26: 0140000000000000
        x25: ffff7dfffef00000 x24: 00000000000fe100
        x23: ffff80007b906000 x22: ffff000008ab8000
        x21: ffff000008bb1d58 x20: ffff7dfffef00000
        x19: ffff800009c30fb8 x18: 0000000000000001
        x17: 00000000000152d0 x16: 00000000014012d0
        x15: 0000000000000000 x14: 0720072007200720
        x13: 0720072007200720 x12: 0720072007200720
        x11: 0720072007300730 x10: 00000000000000ae
        x9 : 0000000000000000 x8 : ffff7dffff000000
        x7 : 0000000000000000 x6 : 0000000000000100
        x5 : 0000000000000000 x4 : 000000007b906000
        x3 : ffff80007c61a880 x2 : ffff7dfffeefffff
        x1 : 0000000040000000 x0 : 00e80000fe100f07
        Process kworker/0:1 (pid: 39, stack limit = 0x        (ptrval))
        Call trace:
         ioremap_page_range+0x370/0x3c8
         pci_remap_iospace+0x7c/0xac
         pci_parse_request_of_pci_ranges+0x13c/0x190
         rcar_pcie_probe+0x4c/0xb04
         platform_drv_probe+0x50/0xbc
         driver_probe_device+0x21c/0x308
         __device_attach_driver+0x98/0xc8
         bus_for_each_drv+0x54/0x94
         __device_attach+0xc4/0x12c
         device_initial_probe+0x10/0x18
         bus_probe_device+0x90/0x98
         deferred_probe_work_func+0xb0/0x150
         process_one_work+0x12c/0x29c
         worker_thread+0x200/0x3fc
         kthread+0x108/0x134
         ret_from_fork+0x10/0x18
        Code: f9004ba2 54000080 aa0003fb 17ffff48 (d4210000)
      
      It turned out that pci_remap_iospace() wasn't undone when the driver's
      probe failed, and since devm_phy_optional_get() returned -EPROBE_DEFER,
      the probe was retried, finally causing the BUG due to trying to remap
      already remapped pages.
      
      Introduce the devm_pci_remap_iospace() managed API and replace the
      pci_remap_iospace() call with it to fix the bug.
      
      Fixes: dbf9826d ("PCI: generic: Convert to DT resource parsing API")
      Signed-off-by: default avatarSergei Shtylyov <sergei.shtylyov@cogentembedded.com>
      [lorenzo.pieralisi@arm.com: split commit/updated the commit log]
      Signed-off-by: default avatarLorenzo Pieralisi <lorenzo.pieralisi@arm.com>
      Signed-off-by: default avatarBjorn Helgaas <bhelgaas@google.com>
      Reviewed-by: default avatarLinus Walleij <linus.walleij@linaro.org>
      a5fb9fb0
    • Gustavo A. R. Silva's avatar
      net: cxgb3_main: fix potential Spectre v1 · 676bcfec
      Gustavo A. R. Silva authored
      t.qset_idx can be indirectly controlled by user-space, hence leading to
      a potential exploitation of the Spectre variant 1 vulnerability.
      
      This issue was detected with the help of Smatch:
      
      drivers/net/ethernet/chelsio/cxgb3/cxgb3_main.c:2286 cxgb_extension_ioctl()
      warn: potential spectre issue 'adapter->msix_info'
      
      Fix this by sanitizing t.qset_idx before using it to index
      adapter->msix_info
      
      Notice that given that speculation windows are large, the policy is
      to kill the speculation on the first load and not worry if it can be
      completed with a dependent load/store [1].
      
      [1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
      
      Cc: stable@vger.kernel.org
      Signed-off-by: default avatarGustavo A. R. Silva <gustavo@embeddedor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      676bcfec