1. 14 Jul, 2020 5 commits
  2. 13 Jul, 2020 2 commits
    • Linus Torvalds's avatar
      Merge tag 'iommu-fixes-v5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 0dc589da
      Linus Torvalds authored
      Pull iommu fixes from Joerg Roedel:
      
       - Fix a use-after-free of the device iommu-group. Found in the arm-smmu
         driver, but the fix is in generic code.
      
       - Fix for the new Allwinner IOMMU driver to use the atomic
         readl_timeout() variant in IO/TLB flushing code.
      
       - A couple of cleanups to fix various compile warnings.
      
      * tag 'iommu-fixes-v5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/arm-smmu: Mark qcom_smmu_client_of_match as possibly unused
        iommu: Fix use-after-free in iommu_release_device
        iommu/amd: Make amd_iommu_apply_ivrs_quirks() static inline
        iommu: SUN50I_IOMMU should depend on HAS_DMA
        iommu/sun50i: Remove unused variable
        iommu/sun50i: Change the readl timeout to the atomic variant
      0dc589da
    • Linus Torvalds's avatar
      mm: document warning in move_normal_pmd() and make it warn only once · f81fdd0c
      Linus Torvalds authored
      Naresh Kamboju reported that the LTP tests can cause warnings on i386
      going back all the way to v5.0, and bisected it to commit 2c91bd4a
      ("mm: speed up mremap by 20x on large regions").
      
      The warning in move_normal_pmd() is actually mostly correct, but we have
      a very unusual special case at process creation time, when we may move
      the stack down with an overlapping mode (kind of like a "memmove()"
      except using the page tables).
      
      And when you have just the right condition of "move a large initial
      stack by the right alignment in the end, but with the early part of the
      move being only page-aligned", we'll be in a situation where we're
      trying to move a normal PMD entry on top of an already existing - but
      now empty - PMD entry.
      
      The warning is still worth having, in case it ever triggers other cases,
      and perhaps as a reminder that we could do the stack move case more
      efficiently (although it's clearly rare enough that it probably doesn't
      matter).
      
      But make it do WARN_ON_ONCE(), so that you can't flood the logs with it.
      
      And add a *big* comment above it to explain and remind us what's going
      on, because it took some figuring out to see how this could trigger.
      Kudos to Joel Fernandes for debugging this.
      Reported-by: default avatarNaresh Kamboju <naresh.kamboju@linaro.org>
      Debugged-and-acked-by: default avatarJoel Fernandes <joel@joelfernandes.org>
      Cc: Arnd Bergmann <arnd@arndb.de>
      Cc: Kirill A. Shutemov <kirill@shutemov.name>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      f81fdd0c
  3. 12 Jul, 2020 8 commits
  4. 11 Jul, 2020 6 commits
    • Linus Torvalds's avatar
      Merge tag 'for-linus-5.8b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip · 0aea6d5c
      Linus Torvalds authored
      Pull xen fix from Juergen Gross:
       "Just one fix of a recent patch (double free in an error path)"
      
      * tag 'for-linus-5.8b-rc5-tag' of git://git.kernel.org/pub/scm/linux/kernel/git/xen/tip:
        xen/xenbus: Fix a double free in xenbus_map_ring_pv()
      0aea6d5c
    • Linus Torvalds's avatar
      Merge tag 'powerpc-5.8-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux · 997c4431
      Linus Torvalds authored
      Pull powerpc fix from Michael Ellerman:
       "One fix for a crash/soft lockup on Power8, caused by the exception
        rework we did in v5.7.
      
        Thanks to Paul Menzel and Nicholas Piggin"
      
      * tag 'powerpc-5.8-6' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
        powerpc/64s/exception: Fix 0x1500 interrupt handler crash
      997c4431
    • Linus Torvalds's avatar
      Merge tag 'libnvdimm-fix-v5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm · 1df0d896
      Linus Torvalds authored
      Pull libnvdimm fix from Dan Williams:
       "A one-line Fix for key ring search permissions to address a regression
        from -rc1"
      
      * tag 'libnvdimm-fix-v5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm:
        libnvdimm/security: Fix key lookup permissions
      1df0d896
    • Linus Torvalds's avatar
      Merge tag '5.8-rc4-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6 · 5ab39e08
      Linus Torvalds authored
      Pull cifs fixes from Steve French:
       "Four cifs/smb3 fixes: the three for stable fix problems found recently
        with change notification including a reference count leak"
      
      * tag '5.8-rc4-smb3-fixes' of git://git.samba.org/sfrench/cifs-2.6:
        cifs: update internal module version number
        cifs: fix reference leak for tlink
        smb3: fix unneeded error message on change notify
        cifs: remove the retry in cifs_poxis_lock_set
        smb3: fix access denied on change notify request to some servers
      5ab39e08
    • Linus Torvalds's avatar
      Merge tag 'inclusive-terminology' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux · 49decddd
      Linus Torvalds authored
      Pull coding style terminology documentation from Dan Williams:
       "The discussion has tapered off as well as the incoming ack, review,
        and sign-off tags. I did not see a reason to wait for the next merge
        window"
      
      * tag 'inclusive-terminology' of git://git.kernel.org/pub/scm/linux/kernel/git/djbw/linux:
        CodingStyle: Inclusive Terminology
      49decddd
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 5a764898
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Restore previous behavior of CAP_SYS_ADMIN wrt loading networking
          BPF programs, from Maciej Żenczykowski.
      
       2) Fix dropped broadcasts in mac80211 code, from Seevalamuthu
          Mariappan.
      
       3) Slay memory leak in nl80211 bss color attribute parsing code, from
          Luca Coelho.
      
       4) Get route from skb properly in ip_route_use_hint(), from Miaohe Lin.
      
       5) Don't allow anything other than ARPHRD_ETHER in llc code, from Eric
          Dumazet.
      
       6) xsk code dips too deeply into DMA mapping implementation internals.
          Add dma_need_sync and use it. From Christoph Hellwig
      
       7) Enforce power-of-2 for BPF ringbuf sizes. From Andrii Nakryiko.
      
       8) Check for disallowed attributes when loading flow dissector BPF
          programs. From Lorenz Bauer.
      
       9) Correct packet injection to L3 tunnel devices via AF_PACKET, from
          Jason A. Donenfeld.
      
      10) Don't advertise checksum offload on ipa devices that don't support
          it. From Alex Elder.
      
      11) Resolve several issues in TCP MD5 signature support. Missing memory
          barriers, bogus options emitted when using syncookies, and failure
          to allow md5 key changes in established states. All from Eric
          Dumazet.
      
      12) Fix interface leak in hsr code, from Taehee Yoo.
      
      13) VF reset fixes in hns3 driver, from Huazhong Tan.
      
      14) Make loopback work again with ipv6 anycast, from David Ahern.
      
      15) Fix TX starvation under high load in fec driver, from Tobias
          Waldekranz.
      
      16) MLD2 payload lengths not checked properly in bridge multicast code,
          from Linus Lüssing.
      
      17) Packet scheduler code that wants to find the inner protocol
          currently only works for one level of VLAN encapsulation. Allow
          Q-in-Q situations to work properly here, from Toke
          Høiland-Jørgensen.
      
      18) Fix route leak in l2tp, from Xin Long.
      
      19) Resolve conflict between the sk->sk_user_data usage of bpf reuseport
          support and various protocols. From Martin KaFai Lau.
      
      20) Fix socket cgroup v2 reference counting in some situations, from
          Cong Wang.
      
      21) Cure memory leak in mlx5 connection tracking offload support, from
          Eli Britstein.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (146 commits)
        mlxsw: pci: Fix use-after-free in case of failed devlink reload
        mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON()
        net: macb: fix call to pm_runtime in the suspend/resume functions
        net: macb: fix macb_suspend() by removing call to netif_carrier_off()
        net: macb: fix macb_get/set_wol() when moving to phylink
        net: macb: mark device wake capable when "magic-packet" property present
        net: macb: fix wakeup test in runtime suspend/resume routines
        bnxt_en: fix NULL dereference in case SR-IOV configuration fails
        libbpf: Fix libbpf hashmap on (I)LP32 architectures
        net/mlx5e: CT: Fix memory leak in cleanup
        net/mlx5e: Fix port buffers cell size value
        net/mlx5e: Fix 50G per lane indication
        net/mlx5e: Fix CPU mapping after function reload to avoid aRFS RX crash
        net/mlx5e: Fix VXLAN configuration restore after function reload
        net/mlx5e: Fix usage of rcu-protected pointer
        net/mxl5e: Verify that rpriv is not NULL
        net/mlx5: E-Switch, Fix vlan or qos setting in legacy mode
        net/mlx5: Fix eeprom support for SFP module
        cgroup: Fix sock_cgroup_data on big-endian.
        selftests: bpf: Fix detach from sockmap tests
        ...
      5a764898
  5. 10 Jul, 2020 19 commits
    • Nathan Chancellor's avatar
      mips: Remove compiler check in unroll macro · 9321f1aa
      Nathan Chancellor authored
      CONFIG_CC_IS_GCC is undefined when Clang is used, which breaks the build
      (see our Travis link below).
      
      Clang 8 was chosen as a minimum version for this check because there
      were some improvements around __builtin_constant_p in that release. In
      reality, MIPS was not even buildable until clang 9 so that check was not
      technically necessary. Just remove all compiler checks and just assume
      that we have a working compiler.
      
      Fixes: d4e60453 ("Restore gcc check in mips asm/unroll.h")
      Link: https://travis-ci.com/github/ClangBuiltLinux/continuous-integration/jobs/359642821Signed-off-by: default avatarNathan Chancellor <natechancellor@gmail.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9321f1aa
    • David S. Miller's avatar
      Merge branch 'mlxsw-Various-fixes' · 1195c7ce
      David S. Miller authored
      Ido Schimmel says:
      
      ====================
      mlxsw: Various fixes
      
      Fix two issues found by syzkaller.
      
      Patch #1 removes inappropriate usage of WARN_ON() following memory
      allocation failure. Constantly triggered when syzkaller injects faults.
      
      Patch #2 fixes a use-after-free that can be triggered by 'devlink dev
      info' following a failed devlink reload.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1195c7ce
    • Ido Schimmel's avatar
      mlxsw: pci: Fix use-after-free in case of failed devlink reload · c4317b11
      Ido Schimmel authored
      In case devlink reload failed, it is possible to trigger a
      use-after-free when querying the kernel for device info via 'devlink dev
      info' [1].
      
      This happens because as part of the reload error path the PCI command
      interface is de-initialized and its mailboxes are freed. When the
      devlink '->info_get()' callback is invoked the device is queried via the
      command interface and the freed mailboxes are accessed.
      
      Fix this by initializing the command interface once during probe and not
      during every reload.
      
      This is consistent with the other bus used by mlxsw (i.e., 'mlxsw_i2c')
      and also allows user space to query the running firmware version (for
      example) from the device after a failed reload.
      
      [1]
      BUG: KASAN: use-after-free in memcpy include/linux/string.h:406 [inline]
      BUG: KASAN: use-after-free in mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
      Write of size 4096 at addr ffff88810ae32000 by task syz-executor.1/2355
      
      CPU: 1 PID: 2355 Comm: syz-executor.1 Not tainted 5.8.0-rc2+ #29
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      Call Trace:
       __dump_stack lib/dump_stack.c:77 [inline]
       dump_stack+0xf6/0x16e lib/dump_stack.c:118
       print_address_description.constprop.0+0x1c/0x250 mm/kasan/report.c:383
       __kasan_report mm/kasan/report.c:513 [inline]
       kasan_report.cold+0x1f/0x37 mm/kasan/report.c:530
       check_memory_region_inline mm/kasan/generic.c:186 [inline]
       check_memory_region+0x14e/0x1b0 mm/kasan/generic.c:192
       memcpy+0x39/0x60 mm/kasan/common.c:106
       memcpy include/linux/string.h:406 [inline]
       mlxsw_pci_cmd_exec+0x177/0xa60 drivers/net/ethernet/mellanox/mlxsw/pci.c:1675
       mlxsw_cmd_exec+0x249/0x550 drivers/net/ethernet/mellanox/mlxsw/core.c:2335
       mlxsw_cmd_access_reg drivers/net/ethernet/mellanox/mlxsw/cmd.h:859 [inline]
       mlxsw_core_reg_access_cmd drivers/net/ethernet/mellanox/mlxsw/core.c:1938 [inline]
       mlxsw_core_reg_access+0x2f6/0x540 drivers/net/ethernet/mellanox/mlxsw/core.c:1985
       mlxsw_reg_query drivers/net/ethernet/mellanox/mlxsw/core.c:2000 [inline]
       mlxsw_devlink_info_get+0x17f/0x6e0 drivers/net/ethernet/mellanox/mlxsw/core.c:1090
       devlink_nl_info_fill.constprop.0+0x13c/0x2d0 net/core/devlink.c:4588
       devlink_nl_cmd_info_get_dumpit+0x246/0x460 net/core/devlink.c:4648
       genl_lock_dumpit+0x85/0xc0 net/netlink/genetlink.c:575
       netlink_dump+0x515/0xe50 net/netlink/af_netlink.c:2245
       __netlink_dump_start+0x53d/0x830 net/netlink/af_netlink.c:2353
       genl_family_rcv_msg_dumpit.isra.0+0x296/0x300 net/netlink/genetlink.c:638
       genl_family_rcv_msg net/netlink/genetlink.c:733 [inline]
       genl_rcv_msg+0x78d/0x9d0 net/netlink/genetlink.c:753
       netlink_rcv_skb+0x152/0x440 net/netlink/af_netlink.c:2469
       genl_rcv+0x24/0x40 net/netlink/genetlink.c:764
       netlink_unicast_kernel net/netlink/af_netlink.c:1303 [inline]
       netlink_unicast+0x53a/0x750 net/netlink/af_netlink.c:1329
       netlink_sendmsg+0x850/0xd90 net/netlink/af_netlink.c:1918
       sock_sendmsg_nosec net/socket.c:652 [inline]
       sock_sendmsg+0x150/0x190 net/socket.c:672
       ____sys_sendmsg+0x6d8/0x840 net/socket.c:2363
       ___sys_sendmsg+0xff/0x170 net/socket.c:2417
       __sys_sendmsg+0xe5/0x1b0 net/socket.c:2450
       do_syscall_64+0x56/0xa0 arch/x86/entry/common.c:359
       entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: a9c8336f ("mlxsw: core: Add support for devlink info command")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c4317b11
    • Ido Schimmel's avatar
      mlxsw: spectrum_router: Remove inappropriate usage of WARN_ON() · d9d54202
      Ido Schimmel authored
      We should not trigger a warning when a memory allocation fails. Remove
      the WARN_ON().
      
      The warning is constantly triggered by syzkaller when it is injecting
      faults:
      
      [ 2230.758664] FAULT_INJECTION: forcing a failure.
      [ 2230.758664] name failslab, interval 1, probability 0, space 0, times 0
      [ 2230.762329] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28
      ...
      [ 2230.898175] WARNING: CPU: 3 PID: 1407 at drivers/net/ethernet/mellanox/mlxsw/spectrum_router.c:6265 mlxsw_sp_router_fib_event+0xfad/0x13e0
      [ 2230.898179] Kernel panic - not syncing: panic_on_warn set ...
      [ 2230.898183] CPU: 3 PID: 1407 Comm: syz-executor.0 Not tainted 5.8.0-rc2+ #28
      [ 2230.898190] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58e9a3f-prebuilt.qemu.org 04/01/2014
      
      Fixes: 3057224e ("mlxsw: spectrum_router: Implement FIB offload in deferred work")
      Signed-off-by: default avatarIdo Schimmel <idosch@mellanox.com>
      Reviewed-by: default avatarJiri Pirko <jiri@mellanox.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d9d54202
    • David S. Miller's avatar
      Merge branch 'macb-WOL-fixes' · f9f41e3d
      David S. Miller authored
      Nicolas Ferre says:
      
      ====================
      net: macb: Wake-on-Lan magic packet fixes and GEM handling
      
      Here is a split series to fix WoL magic-packet on the current macb driver. Only
      fixes in this one based on current net/master.
      
      Changes in v5:
      - Addressed the error code returned by phylink_ethtool_set_wol() as suggested
        by Russell.
        If PHY handles WoL, MAC doesn't stay in the way.
      - Removed Florian's tag on 3/5 because of the above changes.
      - Correct the "Fixes" tag on 1/5.
      
      Changes in v4:
      - Pure bug fix series for 'net'. GEM addition and MACB update removed: will be
        sent later.
      
      Changes in v3:
      - Revert some of the v2 changes done in macb_resume(). Now the resume function
        supports in-depth re-configuration of the controller in order to deal with
        deeper sleep states. Basically as it was before changes introduced by this
        series
      - Tested for non-regression with our deeper Power Management mode which cuts
        power to the controller completely
      
      Changes in v2:
      - Add patch 4/7 ("net: macb: fix macb_suspend() by removing call to netif_carrier_off()")
        needed for keeping phy state consistent
      - Add patch 5/7 ("net: macb: fix call to pm_runtime in the suspend/resume functions") that prevent
        putting the macb in runtime pm suspend mode when WoL is used
      - Collect review tags on 3 first patches from Florian: Thanks!
      - Review of macb_resume() function
      - Addition of pm_wakeup_event() in both MACB and GEM WoL IRQ handlers
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      f9f41e3d
    • Nicolas Ferre's avatar
      net: macb: fix call to pm_runtime in the suspend/resume functions · 6c8f85ca
      Nicolas Ferre authored
      The calls to pm_runtime_force_suspend/resume() functions are only
      relevant if the device is not configured to act as a WoL wakeup source.
      Add the device_may_wakeup() test before calling them.
      
      Fixes: 3e2a5e15 ("net: macb: add wake-on-lan support via magic packet")
      Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
      Cc: Harini Katakam <harini.katakam@xilinx.com>
      Cc: Sergio Prado <sergio.prado@e-labworks.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      6c8f85ca
    • Nicolas Ferre's avatar
      net: macb: fix macb_suspend() by removing call to netif_carrier_off() · 64febc5e
      Nicolas Ferre authored
      As we now use the phylink call to phylink_stop() in the non-WoL path,
      there is no need for this call to netif_carrier_off() anymore. It can
      disturb the underlying phylink FSM.
      
      Fixes: 7897b071 ("net: macb: convert to phylink")
      Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
      Cc: Harini Katakam <harini.katakam@xilinx.com>
      Cc: Antoine Tenart <antoine.tenart@bootlin.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      64febc5e
    • Nicolas Ferre's avatar
      net: macb: fix macb_get/set_wol() when moving to phylink · 253fe094
      Nicolas Ferre authored
      Keep previous function goals and integrate phylink actions to them.
      
      phylink_ethtool_get_wol() is not enough to figure out if Ethernet driver
      supports Wake-on-Lan.
      Initialization of "supported" and "wolopts" members is done in phylink
      function, no need to keep them in calling function.
      
      phylink_ethtool_set_wol() return value is considered and determines
      if the MAC has to handle WoL or not. The case where the PHY doesn't
      implement WoL leads to the MAC configuring it to provide this feature.
      
      Fixes: 7897b071 ("net: macb: convert to phylink")
      Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
      Cc: Harini Katakam <harini.katakam@xilinx.com>
      Cc: Antoine Tenart <antoine.tenart@bootlin.com>
      Cc: Florian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      253fe094
    • Nicolas Ferre's avatar
      net: macb: mark device wake capable when "magic-packet" property present · ced4799d
      Nicolas Ferre authored
      Change the way the "magic-packet" DT property is handled in the
      macb_probe() function, matching DT binding documentation.
      Now we mark the device as "wakeup capable" instead of calling the
      device_init_wakeup() function that would enable the wakeup source.
      
      For Ethernet WoL, enabling the wakeup_source is done by
      using ethtool and associated macb_set_wol() function that
      already calls device_set_wakeup_enable() for this purpose.
      
      That would reduce power consumption by cutting more clocks if
      "magic-packet" property is set but WoL is not configured by ethtool.
      
      Fixes: 3e2a5e15 ("net: macb: add wake-on-lan support via magic packet")
      Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
      Cc: Harini Katakam <harini.katakam@xilinx.com>
      Cc: Sergio Prado <sergio.prado@e-labworks.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ced4799d
    • Nicolas Ferre's avatar
      net: macb: fix wakeup test in runtime suspend/resume routines · 515a10a7
      Nicolas Ferre authored
      Use the proper struct device pointer to check if the wakeup flag
      and wakeup source are positioned.
      Use the one passed by function call which is equivalent to
      &bp->dev->dev.parent.
      
      It's preventing the trigger of a spurious interrupt in case the
      Wake-on-Lan feature is used.
      
      Fixes: d54f89af ("net: macb: Add pm runtime support")
      Cc: Claudiu Beznea <claudiu.beznea@microchip.com>
      Cc: Harini Katakam <harini.katakam@xilinx.com>
      Reviewed-by: default avatarFlorian Fainelli <f.fainelli@gmail.com>
      Signed-off-by: default avatarNicolas Ferre <nicolas.ferre@microchip.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      515a10a7
    • Davide Caratti's avatar
      bnxt_en: fix NULL dereference in case SR-IOV configuration fails · c8b1d743
      Davide Caratti authored
      we need to set 'active_vfs' back to 0, if something goes wrong during the
      allocation of SR-IOV resources: otherwise, further VF configurations will
      wrongly assume that bp->pf.vf[x] are valid memory locations, and commands
      like the ones in the following sequence:
      
       # echo 2 >/sys/bus/pci/devices/${ADDR}/sriov_numvfs
       # ip link set dev ens1f0np0 up
       # ip link set dev ens1f0np0 vf 0 trust on
      
      will cause a kernel crash similar to this:
      
       bnxt_en 0000:3b:00.0: not enough MMIO resources for SR-IOV
       BUG: kernel NULL pointer dereference, address: 0000000000000014
       #PF: supervisor read access in kernel mode
       #PF: error_code(0x0000) - not-present page
       PGD 0 P4D 0
       Oops: 0000 [#1] SMP PTI
       CPU: 43 PID: 2059 Comm: ip Tainted: G          I       5.8.0-rc2.upstream+ #871
       Hardware name: Dell Inc. PowerEdge R740/08D89F, BIOS 2.2.11 06/13/2019
       RIP: 0010:bnxt_set_vf_trust+0x5b/0x110 [bnxt_en]
       Code: 44 24 58 31 c0 e8 f5 fb ff ff 85 c0 0f 85 b6 00 00 00 48 8d 1c 5b 41 89 c6 b9 0b 00 00 00 48 c1 e3 04 49 03 9c 24 f0 0e 00 00 <8b> 43 14 89 c2 83 c8 10 83 e2 ef 45 84 ed 49 89 e5 0f 44 c2 4c 89
       RSP: 0018:ffffac6246a1f570 EFLAGS: 00010246
       RAX: 0000000000000000 RBX: 0000000000000000 RCX: 000000000000000b
       RDX: 0000000000000001 RSI: 0000000000000000 RDI: ffff98b28f538900
       RBP: ffff98b28f538900 R08: 0000000000000000 R09: 0000000000000008
       R10: ffffffffb9515be0 R11: ffffac6246a1f678 R12: ffff98b28f538000
       R13: 0000000000000001 R14: 0000000000000000 R15: ffffffffc05451e0
       FS:  00007fde0f688800(0000) GS:ffff98baffd40000(0000) knlGS:0000000000000000
       CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
       CR2: 0000000000000014 CR3: 000000104bb0a003 CR4: 00000000007606e0
       DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
       DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
       PKRU: 55555554
       Call Trace:
        do_setlink+0x994/0xfe0
        __rtnl_newlink+0x544/0x8d0
        rtnl_newlink+0x47/0x70
        rtnetlink_rcv_msg+0x29f/0x350
        netlink_rcv_skb+0x4a/0x110
        netlink_unicast+0x21d/0x300
        netlink_sendmsg+0x329/0x450
        sock_sendmsg+0x5b/0x60
        ____sys_sendmsg+0x204/0x280
        ___sys_sendmsg+0x88/0xd0
        __sys_sendmsg+0x5e/0xa0
        do_syscall_64+0x47/0x80
        entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
      Fixes: c0c050c5 ("bnxt_en: New Broadcom ethernet driver.")
      Reported-by: default avatarFei Liu <feliu@redhat.com>
      CC: Jonathan Toppins <jtoppins@redhat.com>
      CC: Michael Chan <michael.chan@broadcom.com>
      Signed-off-by: default avatarDavide Caratti <dcaratti@redhat.com>
      Reviewed-by: default avatarMichael Chan <michael.chan@broadcom.com>
      Acked-by: default avatarJonathan Toppins <jtoppins@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      c8b1d743
    • David S. Miller's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · 45ae836f
      David S. Miller authored
      Alexei Starovoitov says:
      
      ====================
      pull-request: bpf 2020-07-09
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 4 non-merge commits during the last 1 day(s) which contain
      a total of 4 files changed, 26 insertions(+), 15 deletions(-).
      
      The main changes are:
      
      1) fix crash in libbpf on 32-bit archs, from Jakub and Andrii.
      
      2) fix crash when l2tp and bpf_sk_reuseport conflict, from Martin.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      45ae836f
    • David S. Miller's avatar
      Merge tag 'mlx5-fixes-2020-07-02' of git://git.kernel.org/pub/scm/linux/kernel/git/saeed/linux · ca68d563
      David S. Miller authored
      Saeed Mahameed says:
      
      ====================
      mlx5 fixes 2020-07-02
      
      This series introduces some fixes to mlx5 driver.
      
      V1->v2:
       - Drop "ip -s" patch and mirred device hold reference patch.
       - Will revise them in a later submission.
      
      Please pull and let me know if there is any problem.
      
      For -stable v5.2
       ('net/mlx5: Fix eeprom support for SFP module')
      
      For -stable v5.4
       ('net/mlx5e: Fix 50G per lane indication')
      
      For -stable v5.5
       ('net/mlx5e: Fix CPU mapping after function reload to avoid aRFS RX crash')
       ('net/mlx5e: Fix VXLAN configuration restore after function reload')
      
      For -stable v5.7
       ('net/mlx5e: CT: Fix memory leak in cleanup')
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ca68d563
    • Linus Torvalds's avatar
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma · aa0c9086
      Linus Torvalds authored
      Pull rdma fixes from Jason Gunthorpe:
       "Small update, a few more merge window bugs and normal driver bug
        fixes:
      
         - Two merge window regressions in mlx5: a error path bug found by
           syzkaller and some lost code during a rework preventing ipoib from
           working in some configurations
      
         - Silence clang compilation warning in OPA related code
      
         - Fix a long standing race condition in ib_nl for ACM
      
         - Resolve when the HFI1 is shutdown"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/rdma/rdma:
        RDMA/mlx5: Set PD pointers for the error flow unwind
        IB/mlx5: Fix 50G per lane indication
        RDMA/siw: Fix reporting vendor_part_id
        IB/sa: Resolv use-after-free in ib_nl_make_request()
        IB/hfi1: Do not destroy link_wq when the device is shut down
        IB/hfi1: Do not destroy hfi1_wq when the device is shut down
        RDMA/mlx5: Fix legacy IPoIB QP initialization
        IB/hfi1: Add explicit cast OPA_MTU_8192 to 'enum ib_mtu'
      aa0c9086
    • Linus Torvalds's avatar
      Merge tag 'linux-kselftest-fixes-5.8-rc5' of... · 0f318cba
      Linus Torvalds authored
      Merge tag 'linux-kselftest-fixes-5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest
      
      Pull kselftest fixes from Shuah Khan:
       "TPM2 test changes to run on python3 and kselftest framework fix to
        incorrect return type"
      
      * tag 'linux-kselftest-fixes-5.8-rc5' of git://git.kernel.org/pub/scm/linux/kernel/git/shuah/linux-kselftest:
        kselftest: ksft_test_num return type should be unsigned
        selftests: tpm: upgrade TPM2 tests from Python 2 to Python 3
      0f318cba
    • Linus Torvalds's avatar
      Merge tag 'io_uring-5.8-2020-07-10' of git://git.kernel.dk/linux-block · a581387e
      Linus Torvalds authored
      Pull io_uring fixes from Jens Axboe:
      
       - Fix memleak for error path in registered files (Yang)
      
       - Export CQ overflow state in flags, necessary to fix a case where
         liburing doesn't know if it needs to enter the kernel (Xiaoguang)
      
       - Fix for a regression in when user memory is accounted freed, causing
         issues with back-to-back ring exit + init if the ulimit -l setting is
         very tight.
      
      * tag 'io_uring-5.8-2020-07-10' of git://git.kernel.dk/linux-block:
        io_uring: account user memory freed when exit has been queued
        io_uring: fix memleak in io_sqe_files_register()
        io_uring: fix memleak in __io_sqe_files_update()
        io_uring: export cq overflow status to userspace
      a581387e
    • Linus Torvalds's avatar
      Merge tag 'block-5.8-2020-07-10' of git://git.kernel.dk/linux-block · d33db702
      Linus Torvalds authored
      Pull block fixes from Jens Axboe:
      
       - Fix for inflight accounting, which affects only dm (Ming)
      
       - Fix documentation error for bfq (Yufen)
      
       - Fix memory leak for nbd (Zheng)
      
      * tag 'block-5.8-2020-07-10' of git://git.kernel.dk/linux-block:
        nbd: Fix memory leak in nbd_add_socket
        blk-mq: consider non-idle request as "inflight" in blk_mq_rq_inflight()
        docs: block: update and fix tiny error for bfq
      d33db702
    • Linus Torvalds's avatar
      Merge tag 'cleanup-kernel_read_write' of git://git.infradead.org/users/hch/misc · b1b11d00
      Linus Torvalds authored
      Pull in-kernel read and write op cleanups from Christoph Hellwig:
       "Cleanup in-kernel read and write operations
      
        Reshuffle the (__)kernel_read and (__)kernel_write helpers, and ensure
        all users of in-kernel file I/O use them if they don't use iov_iter
        based methods already.
      
        The new WARN_ONs in combination with syzcaller already found a missing
        input validation in 9p. The fix should be on your way through the
        maintainer ASAP".
      
      [ This is prep-work for the real changes coming 5.9 ]
      
      * tag 'cleanup-kernel_read_write' of git://git.infradead.org/users/hch/misc:
        fs: remove __vfs_read
        fs: implement kernel_read using __kernel_read
        integrity/ima: switch to using __kernel_read
        fs: add a __kernel_read helper
        fs: remove __vfs_write
        fs: implement kernel_write using __kernel_write
        fs: check FMODE_WRITE in __kernel_write
        fs: unexport __kernel_write
        bpfilter: switch to kernel_write
        autofs: switch to kernel_write
        cachefiles: switch to kernel_write
      b1b11d00
    • Linus Torvalds's avatar
      Merge tag 'dma-mapping-5.8-5' of git://git.infradead.org/users/hch/dma-mapping · 1bfde037
      Linus Torvalds authored
      Pull dma-mapping fixes from Christoph Hellwig:
      
       - add a warning when the atomic pool is depleted (David Rientjes)
      
       - protect the parameters of the new scatterlist helper macros (Marek
         Szyprowski )
      
      * tag 'dma-mapping-5.8-5' of git://git.infradead.org/users/hch/dma-mapping:
        scatterlist: protect parameters of the sg_table related macros
        dma-mapping: warn when coherent pool is depleted
      1bfde037