1. 25 Nov, 2019 4 commits
    • Jouni Hogander's avatar
      slip: Fix use-after-free Read in slip_open · e58c1912
      Jouni Hogander authored
      Slip_open doesn't clean-up device which registration failed from the
      slip_devs device list. On next open after failure this list is iterated
      and freed device is accessed. Fix this by calling sl_free_netdev in error
      path.
      
      Here is the trace from the Syzbot:
      
      __dump_stack lib/dump_stack.c:77 [inline]
      dump_stack+0x197/0x210 lib/dump_stack.c:118
      print_address_description.constprop.0.cold+0xd4/0x30b mm/kasan/report.c:374
      __kasan_report.cold+0x1b/0x41 mm/kasan/report.c:506
      kasan_report+0x12/0x20 mm/kasan/common.c:634
      __asan_report_load8_noabort+0x14/0x20 mm/kasan/generic_report.c:132
      sl_sync drivers/net/slip/slip.c:725 [inline]
      slip_open+0xecd/0x11b7 drivers/net/slip/slip.c:801
      tty_ldisc_open.isra.0+0xa3/0x110 drivers/tty/tty_ldisc.c:469
      tty_set_ldisc+0x30e/0x6b0 drivers/tty/tty_ldisc.c:596
      tiocsetd drivers/tty/tty_io.c:2334 [inline]
      tty_ioctl+0xe8d/0x14f0 drivers/tty/tty_io.c:2594
      vfs_ioctl fs/ioctl.c:46 [inline]
      file_ioctl fs/ioctl.c:509 [inline]
      do_vfs_ioctl+0xdb6/0x13e0 fs/ioctl.c:696
      ksys_ioctl+0xab/0xd0 fs/ioctl.c:713
      __do_sys_ioctl fs/ioctl.c:720 [inline]
      __se_sys_ioctl fs/ioctl.c:718 [inline]
      __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:718
      do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290
      entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Fixes: 3b5a3997 ("slip: Fix memory leak in slip_open error path")
      Reported-by: syzbot+4d5170758f3762109542@syzkaller.appspotmail.com
      Cc: David Miller <davem@davemloft.net>
      Cc: Oliver Hartkopp <socketcan@hartkopp.net>
      Cc: Lukas Bulwahn <lukas.bulwahn@gmail.com>
      Signed-off-by: default avatarJouni Hogander <jouni.hogander@unikie.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      e58c1912
    • Oleksij Rempel's avatar
      net: dsa: sja1105: fix sja1105_parse_rgmii_delays() · 9bca3a0a
      Oleksij Rempel authored
      This function was using configuration of port 0 in devicetree for all ports.
      In case CPU port was not 0, the delay settings was ignored. This resulted not
      working communication between CPU and the switch.
      
      Fixes: f5b8631c ("net: dsa: sja1105: Error out if RGMII delays are requested in DT")
      Signed-off-by: default avatarOleksij Rempel <o.rempel@pengutronix.de>
      Reviewed-by: default avatarVladimir Oltean <olteanv@gmail.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      9bca3a0a
    • Menglong Dong's avatar
      macvlan: schedule bc_work even if error · 1d7ea556
      Menglong Dong authored
      While enqueueing a broadcast skb to port->bc_queue, schedule_work()
      is called to add port->bc_work, which processes the skbs in
      bc_queue, to "events" work queue. If port->bc_queue is full, the
      skb will be discarded and schedule_work(&port->bc_work) won't be
      called. However, if port->bc_queue is full and port->bc_work is not
      running or pending, port->bc_queue will keep full and schedule_work()
      won't be called any more, and all broadcast skbs to macvlan will be
      discarded. This case can happen:
      
      macvlan_process_broadcast() is the pending function of port->bc_work,
      it moves all the skbs in port->bc_queue to the queue "list", and
      processes the skbs in "list". During this, new skbs will keep being
      added to port->bc_queue in macvlan_broadcast_enqueue(), and
      port->bc_queue may already full when macvlan_process_broadcast()
      return. This may happen, especially when there are a lot of real-time
      threads and the process is preempted.
      
      Fix this by calling schedule_work(&port->bc_work) even if
      port->bc_work is full in macvlan_broadcast_enqueue().
      
      Fixes: 412ca155 ("macvlan: Move broadcasts into a work queue")
      Signed-off-by: default avatarMenglong Dong <dong.menglong@zte.com.cn>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      1d7ea556
    • David Bauer's avatar
      mdio_bus: don't use managed reset-controller · 32085f25
      David Bauer authored
      Geert Uytterhoeven reported that using devm_reset_controller_get leads
      to a WARNING when probing a reset-controlled PHY. This is because the
      device devm_reset_controller_get gets supplied is not actually the
      one being probed.
      
      Acquire an unmanaged reset-control as well as free the reset_control on
      unregister to fix this.
      Reported-by: default avatarGeert Uytterhoeven <geert@linux-m68k.org>
      CC: Andrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid Bauer <mail@david-bauer.net>
      Reviewed-by: default avatarAndrew Lunn <andrew@lunn.ch>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      32085f25
  2. 24 Nov, 2019 2 commits
    • Xin Long's avatar
      sctp: cache netns in sctp_ep_common · 31243461
      Xin Long authored
      This patch is to fix a data-race reported by syzbot:
      
        BUG: KCSAN: data-race in sctp_assoc_migrate / sctp_hash_obj
      
        write to 0xffff8880b67c0020 of 8 bytes by task 18908 on cpu 1:
          sctp_assoc_migrate+0x1a6/0x290 net/sctp/associola.c:1091
          sctp_sock_migrate+0x8aa/0x9b0 net/sctp/socket.c:9465
          sctp_accept+0x3c8/0x470 net/sctp/socket.c:4916
          inet_accept+0x7f/0x360 net/ipv4/af_inet.c:734
          __sys_accept4+0x224/0x430 net/socket.c:1754
          __do_sys_accept net/socket.c:1795 [inline]
          __se_sys_accept net/socket.c:1792 [inline]
          __x64_sys_accept+0x4e/0x60 net/socket.c:1792
          do_syscall_64+0xcc/0x370 arch/x86/entry/common.c:290
          entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
        read to 0xffff8880b67c0020 of 8 bytes by task 12003 on cpu 0:
          sctp_hash_obj+0x4f/0x2d0 net/sctp/input.c:894
          rht_key_get_hash include/linux/rhashtable.h:133 [inline]
          rht_key_hashfn include/linux/rhashtable.h:159 [inline]
          rht_head_hashfn include/linux/rhashtable.h:174 [inline]
          head_hashfn lib/rhashtable.c:41 [inline]
          rhashtable_rehash_one lib/rhashtable.c:245 [inline]
          rhashtable_rehash_chain lib/rhashtable.c:276 [inline]
          rhashtable_rehash_table lib/rhashtable.c:316 [inline]
          rht_deferred_worker+0x468/0xab0 lib/rhashtable.c:420
          process_one_work+0x3d4/0x890 kernel/workqueue.c:2269
          worker_thread+0xa0/0x800 kernel/workqueue.c:2415
          kthread+0x1d4/0x200 drivers/block/aoe/aoecmd.c:1253
          ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:352
      
      It was caused by rhashtable access asoc->base.sk when sctp_assoc_migrate
      is changing its value. However, what rhashtable wants is netns from asoc
      base.sk, and for an asoc, its netns won't change once set. So we can
      simply fix it by caching netns since created.
      
      Fixes: d6c0256a ("sctp: add the rhashtable apis for sctp global transport hashtable")
      Reported-by: syzbot+e3b35fe7918ff0ee474e@syzkaller.appspotmail.com
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      31243461
    • Navid Emamdoost's avatar
      sctp: Fix memory leak in sctp_sf_do_5_2_4_dupcook · b6631c60
      Navid Emamdoost authored
      In the implementation of sctp_sf_do_5_2_4_dupcook() the allocated
      new_asoc is leaked if security_sctp_assoc_request() fails. Release it
      via sctp_association_free().
      
      Fixes: 2277c7cd ("sctp: Add LSM hooks")
      Signed-off-by: default avatarNavid Emamdoost <navid.emamdoost@gmail.com>
      Acked-by: default avatarMarcelo Ricardo Leitner <marcelo.leitner@gmail.com>
      Signed-off-by: default avatarJakub Kicinski <jakub.kicinski@netronome.com>
      b6631c60
  3. 22 Nov, 2019 21 commits
    • Linus Torvalds's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 34c36f45
      Linus Torvalds authored
      Pull networking fixes from David Miller:
      
       1) Validate tunnel options length in act_tunnel_key, from Xin Long.
      
       2) Fix DMA sync bug in gve driver, from Adi Suresh.
      
       3) TSO kills performance on some r8169 chips due to HW issues, disable
          by default in that case, from Corinna Vinschen.
      
       4) Fix clock disable mismatch in fec driver, from Chubong Yuan.
      
       5) Fix interrupt status bits define in hns3 driver, from Huazhong Tan.
      
       6) Fix workqueue deadlocks in qeth driver, from Julian Wiedmann.
      
       7) Don't napi_disable() twice in r8152 driver, from Hayes Wang.
      
       8) Fix SKB extension memory leak, from Florian Westphal.
      
      * git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (54 commits)
        r8152: avoid to call napi_disable twice
        MAINTAINERS: Add myself as maintainer of virtio-vsock
        udp: drop skb extensions before marking skb stateless
        net: rtnetlink: prevent underflows in do_setvfinfo()
        can: m_can_platform: remove unnecessary m_can_class_resume() call
        can: m_can_platform: set net_device structure as driver data
        hv_netvsc: Fix send_table offset in case of a host bug
        hv_netvsc: Fix offset usage in netvsc_send_table()
        net-ipv6: IPV6_TRANSPARENT - check NET_RAW prior to NET_ADMIN
        sfc: Only cancel the PPS workqueue if it exists
        nfc: port100: handle command failure cleanly
        net-sysfs: fix netdev_queue_add_kobject() breakage
        r8152: Re-order napi_disable in rtl8152_close
        net: qca_spi: Move reset_count to struct qcaspi
        net: qca_spi: fix receive buffer size check
        net/ibmvnic: Ignore H_FUNCTION return from H_EOI to tolerate XIVE mode
        Revert "net/ibmvnic: Fix EOI when running in XIVE mode"
        net/mlxfw: Verify FSM error code translation doesn't exceed array size
        net/mlx5: Update the list of the PCI supported devices
        net/mlx5: Fix auto group size calculation
        ...
      34c36f45
    • Marc Dionne's avatar
      afs: Fix large file support · b485275f
      Marc Dionne authored
      By default s_maxbytes is set to MAX_NON_LFS, which limits the usable
      file size to 2GB, enforced by the vfs.
      
      Commit b9b1f8d5 ("AFS: write support fixes") added support for the
      64-bit fetch and store server operations, but did not change this value.
      As a result, attempts to write past the 2G mark result in EFBIG errors:
      
       $ dd if=/dev/zero of=foo bs=1M count=1 seek=2048
       dd: error writing 'foo': File too large
      
      Set s_maxbytes to MAX_LFS_FILESIZE.
      
      Fixes: b9b1f8d5 ("AFS: write support fixes")
      Signed-off-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      b485275f
    • Marc Dionne's avatar
      afs: Fix possible assert with callbacks from yfs servers · cd340703
      Marc Dionne authored
      Servers sending callback breaks to the YFS_CM_SERVICE service may
      send up to YFSCBMAX (1024) fids in a single RPC.  Anything over
      AFSCBMAX (50) will cause the assert in afs_break_callbacks to trigger.
      
      Remove the assert, as the count has already been checked against
      the appropriate max values in afs_deliver_cb_callback and
      afs_deliver_yfs_cb_callback.
      
      Fixes: 35dbfba3 ("afs: Implement the YFS cache manager service")
      Signed-off-by: default avatarMarc Dionne <marc.dionne@auristor.com>
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      cd340703
    • Hayes Wang's avatar
      r8152: avoid to call napi_disable twice · 5b1d9c17
      Hayes Wang authored
      Call napi_disable() twice would cause dead lock. There are three situations
      may result in the issue.
      
      1. rtl8152_pre_reset() and set_carrier() are run at the same time.
      2. Call rtl8152_set_tunable() after rtl8152_close().
      3. Call rtl8152_set_ringparam() after rtl8152_close().
      
      For #1, use the same solution as commit 84811412 ("r8152: Re-order
      napi_disable in rtl8152_close"). For #2 and #3, add checking the flag
      of IFF_UP and using napi_disable/napi_enable during mutex.
      Signed-off-by: default avatarHayes Wang <hayeswang@realtek.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5b1d9c17
    • Linus Torvalds's avatar
      Merge branch 'akpm' (patches from Andrew) · cc079039
      Linus Torvalds authored
      Merge misc fixes from Andrew Morton:
       "Three fixes"
      
      * emailed patches from Andrew Morton <akpm@linux-foundation.org>:
        mm/ksm.c: don't WARN if page is still mapped in remove_stable_node()
        mm/memory_hotplug: don't access uninitialized memmaps in shrink_zone_span()
        Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()"
      cc079039
    • David S. Miller's avatar
      Merge tag 'linux-can-fixes-for-5.4-20191122' of... · 06829937
      David S. Miller authored
      Merge tag 'linux-can-fixes-for-5.4-20191122' of git://git.kernel.org/pub/scm/linux/kernel/git/mkl/linux-can
      
      Marc Kleine-Budde says:
      
      ====================
      pull-request: can 2019-11-22
      
      this is a pull request of 2 patches for net/master, if possible for the
      current release cycle. Otherwise these patches should hit v5.4 via the
      stable tree.
      
      Both patches of this pull request target the m_can driver. Pankaj Sharma
      fixes the fallout in the m_can_platform part, which appeared with the
      introduction of the m_can platform framework.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      06829937
    • Stefano Garzarella's avatar
      MAINTAINERS: Add myself as maintainer of virtio-vsock · efabb6c6
      Stefano Garzarella authored
      Since I'm actively working on vsock and virtio/vhost transports,
      Stefan suggested to help him to maintain it.
      Signed-off-by: default avatarStefano Garzarella <sgarzare@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      efabb6c6
    • Florian Westphal's avatar
      udp: drop skb extensions before marking skb stateless · 677bf08c
      Florian Westphal authored
      Once udp stack has set the UDP_SKB_IS_STATELESS flag, later skb free
      assumes all skb head state has been dropped already.
      
      This will leak the extension memory in case the skb has extensions other
      than the ipsec secpath, e.g. bridge nf data.
      
      To fix this, set the UDP_SKB_IS_STATELESS flag only if we don't have
      extensions or if the extension space can be free'd.
      
      Fixes: 895b5c9f ("netfilter: drop bridge nf reset from nf_reset")
      Cc: Paolo Abeni <pabeni@redhat.com>
      Reported-by: default avatarByron Stanoszek <gandalf@winds.org>
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Acked-by: default avatarPaolo Abeni <pabeni@redhat.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      677bf08c
    • Dan Carpenter's avatar
      net: rtnetlink: prevent underflows in do_setvfinfo() · ff08ddba
      Dan Carpenter authored
      The "ivm->vf" variable is a u32, but the problem is that a number of
      drivers cast it to an int and then forget to check for negatives.  An
      example of this is in the cxgb4 driver.
      
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c
        2890  static int cxgb4_mgmt_get_vf_config(struct net_device *dev,
        2891                                      int vf, struct ifla_vf_info *ivi)
                                                  ^^^^^^
        2892  {
        2893          struct port_info *pi = netdev_priv(dev);
        2894          struct adapter *adap = pi->adapter;
        2895          struct vf_info *vfinfo;
        2896
        2897          if (vf >= adap->num_vfs)
                          ^^^^^^^^^^^^^^^^^^^
        2898                  return -EINVAL;
        2899          vfinfo = &adap->vfinfo[vf];
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^
      
      There are 48 functions affected.
      
      drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c:8435 hclge_set_vf_vlan_filter() warn: can 'vfid' underflow 's32min-2147483646'
      drivers/net/ethernet/freescale/enetc/enetc_pf.c:377 enetc_pf_set_vf_mac() warn: can 'vf' underflow 's32min-2147483646'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2899 cxgb4_mgmt_get_vf_config() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:2960 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3019 cxgb4_mgmt_set_vf_rate() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3038 cxgb4_mgmt_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb4/cxgb4_main.c:3086 cxgb4_mgmt_set_vf_link_state() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/chelsio/cxgb/cxgb2.c:791 get_eeprom() warn: can 'i' underflow 's32min-(-4),0,4-s32max'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:82 bnxt_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:164 bnxt_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:186 bnxt_get_vf_config() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:228 bnxt_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:264 bnxt_set_vf_vlan() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:293 bnxt_set_vf_bw() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnxt/bnxt_sriov.c:333 bnxt_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_sriov.c:2595 bnx2x_vf_op_prep() warn: can 'vfidx' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2281 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2285 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2286 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2292 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/broadcom/bnx2x/bnx2x_vfpf.c:2297 bnx2x_post_vf_bulletin() warn: can 'vf' underflow 's32min-63'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1832 qlcnic_sriov_set_vf_mac() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1864 qlcnic_sriov_set_vf_tx_rate() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:1937 qlcnic_sriov_set_vf_vlan() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2005 qlcnic_sriov_get_vf_config() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/qlogic/qlcnic/qlcnic_sriov_pf.c:2036 qlcnic_sriov_set_vf_spoofchk() warn: can 'vf' underflow 's32min-254'
      drivers/net/ethernet/emulex/benet/be_main.c:1914 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:1915 be_get_vf_config() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:1922 be_set_vf_tvt() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:1951 be_clear_vf_tvt() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:2063 be_set_vf_tx_rate() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/emulex/benet/be_main.c:2091 be_set_vf_link_state() warn: can 'vf' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:2609 ice_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3050 ice_get_vf_cfg() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3103 ice_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3181 ice_set_vf_mac() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3237 ice_set_vf_trust() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/ice/ice_virtchnl_pf.c:3286 ice_set_vf_link_state() warn: can 'vf_id' underflow 's32min-65534'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3919 i40e_validate_vf() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:3957 i40e_ndo_set_vf_mac() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4104 i40e_ndo_set_vf_port_vlan() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4263 i40e_ndo_set_vf_bw() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4309 i40e_ndo_get_vf_config() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4371 i40e_ndo_set_vf_link_state() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4441 i40e_ndo_set_vf_spoofchk() warn: can 'vf_id' underflow 's32min-2147483646'
      drivers/net/ethernet/intel/i40e/i40e_virtchnl_pf.c:4504 i40e_ndo_set_vf_trust() warn: can 'vf_id' underflow 's32min-2147483646'
      Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      ff08ddba
    • Linus Torvalds's avatar
      Merge tag 'pm-5.4-final' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm · a6b0373f
      Linus Torvalds authored
      Pull power management regression fix from Rafael Wysocki:
       "Fix problems with switching cpufreq drivers on some x86 systems with
        ACPI (and with changing the operation modes of the intel_pstate driver
        on those systems) introduced by recent changes related to the
        management of frequency limits in cpufreq"
      
      * tag 'pm-5.4-final' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
        PM: QoS: Invalidate frequency QoS requests after removal
      a6b0373f
    • Linus Torvalds's avatar
      Merge tag 'drm-fixes-2019-11-22' of git://anongit.freedesktop.org/drm/drm · 5d867ab0
      Linus Torvalds authored
      Pull drm fixes from Dave Airlie:
       "Two sets of fixes in here, one for amdgpu, and one for i915.
      
        The amdgpu ones are pretty small, i915's CI system seems to have a few
        problems in the last week or so, there is one major regression fix for
        fb_mmap, but there are a bunch of other issues fixed in there as well,
        oops, screen flashes and rcu related.
      
        amdgpu:
         - Remove experimental flag for navi14
         - Fix confusing power message failures on older VI parts
         - Hang fix for gfxoff when using the read register interface
         - Two stability regression fixes for Raven
      
        i915:
         - Fix kernel oops on dumb_create ioctl on no crtc situation
         - Fix bad ugly colored flash on VLV/CHV related to gamma LUT update
         - Fix unity of the frequencies reported on PMU
         - Fix kernel oops on set_page_dirty using better locks around it
         - Protect the request pointer with RCU to prevent it being freed
           while we might need still
         - Make pool objects read-only
         - Restore physical addresses for fb_map to avoid corrupted page
           table"
      
      * tag 'drm-fixes-2019-11-22' of git://anongit.freedesktop.org/drm/drm:
        drm/i915/fbdev: Restore physical addresses for fb_mmap()
        Revert "drm/amd/display: enable S/G for RAVEN chip"
        drm/amdgpu: disable gfxoff on original raven
        drm/amdgpu: disable gfxoff when using register read interface
        drm/amd/powerplay: correct fine grained dpm force level setting
        drm/amd/powerplay: issue no PPSMC_MSG_GetCurrPkgPwr on unsupported ASICs
        drm/amdgpu: remove experimental flag for Navi14
        drm/i915: make pool objects read-only
        drm/i915: Protect request peeking with RCU
        drm/i915/userptr: Try to acquire the page lock around set_page_dirty()
        drm/i915/pmu: "Frequency" is reported as accumulated cycles
        drm/i915: Preload LUTs if the hw isn't currently using them
        drm/i915: Don't oops in dumb_create ioctl if we have no crtcs
      5d867ab0
    • Andrey Ryabinin's avatar
      mm/ksm.c: don't WARN if page is still mapped in remove_stable_node() · 9a63236f
      Andrey Ryabinin authored
      It's possible to hit the WARN_ON_ONCE(page_mapped(page)) in
      remove_stable_node() when it races with __mmput() and squeezes in
      between ksm_exit() and exit_mmap().
      
        WARNING: CPU: 0 PID: 3295 at mm/ksm.c:888 remove_stable_node+0x10c/0x150
      
        Call Trace:
         remove_all_stable_nodes+0x12b/0x330
         run_store+0x4ef/0x7b0
         kernfs_fop_write+0x200/0x420
         vfs_write+0x154/0x450
         ksys_write+0xf9/0x1d0
         do_syscall_64+0x99/0x510
         entry_SYSCALL_64_after_hwframe+0x49/0xbe
      
      Remove the warning as there is nothing scary going on.
      
      Link: http://lkml.kernel.org/r/20191119131850.5675-1-aryabinin@virtuozzo.com
      Fixes: cbf86cfe ("ksm: remove old stable nodes more thoroughly")
      Signed-off-by: default avatarAndrey Ryabinin <aryabinin@virtuozzo.com>
      Acked-by: default avatarHugh Dickins <hughd@google.com>
      Cc: Andrea Arcangeli <aarcange@redhat.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      9a63236f
    • David Hildenbrand's avatar
      mm/memory_hotplug: don't access uninitialized memmaps in shrink_zone_span() · 7ce700bf
      David Hildenbrand authored
      Let's limit shrinking to !ZONE_DEVICE so we can fix the current code.
      We should never try to touch the memmap of offline sections where we
      could have uninitialized memmaps and could trigger BUGs when calling
      page_to_nid() on poisoned pages.
      
      There is no reliable way to distinguish an uninitialized memmap from an
      initialized memmap that belongs to ZONE_DEVICE, as we don't have
      anything like SECTION_IS_ONLINE we can use similar to
      pfn_to_online_section() for !ZONE_DEVICE memory.
      
      E.g., set_zone_contiguous() similarly relies on pfn_to_online_section()
      and will therefore never set a ZONE_DEVICE zone consecutive.  Stopping
      to shrink the ZONE_DEVICE therefore results in no observable changes,
      besides /proc/zoneinfo indicating different boundaries - something we
      can totally live with.
      
      Before commit d0dc12e8 ("mm/memory_hotplug: optimize memory
      hotplug"), the memmap was initialized with 0 and the node with the right
      value.  So the zone might be wrong but not garbage.  After that commit,
      both the zone and the node will be garbage when touching uninitialized
      memmaps.
      
      Toshiki reported a BUG (race between delayed initialization of
      ZONE_DEVICE memmaps without holding the memory hotplug lock and
      concurrent zone shrinking).
      
        https://lkml.org/lkml/2019/11/14/1040
      
      "Iteration of create and destroy namespace causes the panic as below:
      
            kernel BUG at mm/page_alloc.c:535!
            CPU: 7 PID: 2766 Comm: ndctl Not tainted 5.4.0-rc4 #6
            Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.11.0-0-g63451fca13-prebuilt.qemu-project.org 04/01/2014
            RIP: 0010:set_pfnblock_flags_mask+0x95/0xf0
            Call Trace:
             memmap_init_zone_device+0x165/0x17c
             memremap_pages+0x4c1/0x540
             devm_memremap_pages+0x1d/0x60
             pmem_attach_disk+0x16b/0x600 [nd_pmem]
             nvdimm_bus_probe+0x69/0x1c0
             really_probe+0x1c2/0x3e0
             driver_probe_device+0xb4/0x100
             device_driver_attach+0x4f/0x60
             bind_store+0xc9/0x110
             kernfs_fop_write+0x116/0x190
             vfs_write+0xa5/0x1a0
             ksys_write+0x59/0xd0
             do_syscall_64+0x5b/0x180
             entry_SYSCALL_64_after_hwframe+0x44/0xa9
      
        While creating a namespace and initializing memmap, if you destroy the
        namespace and shrink the zone, it will initialize the memmap outside
        the zone and trigger VM_BUG_ON_PAGE(!zone_spans_pfn(page_zone(page),
        pfn), page) in set_pfnblock_flags_mask()."
      
      This BUG is also mitigated by this commit, where we for now stop to
      shrink the ZONE_DEVICE zone until we can do it in a safe and clean way.
      
      Link: http://lkml.kernel.org/r/20191006085646.5768-5-david@redhat.com
      Fixes: f1dd2cd1 ("mm, memory_hotplug: do not associate hotadded memory to zones until online")	[visible after d0dc12e8]
      Signed-off-by: default avatarDavid Hildenbrand <david@redhat.com>
      Reported-by: default avatarAneesh Kumar K.V <aneesh.kumar@linux.ibm.com>
      Reported-by: default avatarToshiki Fukasawa <t-fukasawa@vx.jp.nec.com>
      Cc: Oscar Salvador <osalvador@suse.de>
      Cc: David Hildenbrand <david@redhat.com>
      Cc: Michal Hocko <mhocko@suse.com>
      Cc: Pavel Tatashin <pasha.tatashin@soleen.com>
      Cc: Dan Williams <dan.j.williams@intel.com>
      Cc: Alexander Duyck <alexander.h.duyck@linux.intel.com>
      Cc: Alexander Potapenko <glider@google.com>
      Cc: Andy Lutomirski <luto@kernel.org>
      Cc: Anshuman Khandual <anshuman.khandual@arm.com>
      Cc: Benjamin Herrenschmidt <benh@kernel.crashing.org>
      Cc: Borislav Petkov <bp@alien8.de>
      Cc: Catalin Marinas <catalin.marinas@arm.com>
      Cc: Christian Borntraeger <borntraeger@de.ibm.com>
      Cc: Christophe Leroy <christophe.leroy@c-s.fr>
      Cc: Damian Tometzki <damian.tometzki@gmail.com>
      Cc: Dave Hansen <dave.hansen@linux.intel.com>
      Cc: Fenghua Yu <fenghua.yu@intel.com>
      Cc: Gerald Schaefer <gerald.schaefer@de.ibm.com>
      Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
      Cc: Halil Pasic <pasic@linux.ibm.com>
      Cc: Heiko Carstens <heiko.carstens@de.ibm.com>
      Cc: "H. Peter Anvin" <hpa@zytor.com>
      Cc: Ingo Molnar <mingo@redhat.com>
      Cc: Ira Weiny <ira.weiny@intel.com>
      Cc: Jason Gunthorpe <jgg@ziepe.ca>
      Cc: Jun Yao <yaojun8558363@gmail.com>
      Cc: Logan Gunthorpe <logang@deltatee.com>
      Cc: Mark Rutland <mark.rutland@arm.com>
      Cc: Masahiro Yamada <yamada.masahiro@socionext.com>
      Cc: "Matthew Wilcox (Oracle)" <willy@infradead.org>
      Cc: Mel Gorman <mgorman@techsingularity.net>
      Cc: Michael Ellerman <mpe@ellerman.id.au>
      Cc: Mike Rapoport <rppt@linux.ibm.com>
      Cc: Pankaj Gupta <pagupta@redhat.com>
      Cc: Paul Mackerras <paulus@samba.org>
      Cc: Pavel Tatashin <pavel.tatashin@microsoft.com>
      Cc: Peter Zijlstra <peterz@infradead.org>
      Cc: Qian Cai <cai@lca.pw>
      Cc: Rich Felker <dalias@libc.org>
      Cc: Robin Murphy <robin.murphy@arm.com>
      Cc: Steve Capper <steve.capper@arm.com>
      Cc: Thomas Gleixner <tglx@linutronix.de>
      Cc: Tom Lendacky <thomas.lendacky@amd.com>
      Cc: Tony Luck <tony.luck@intel.com>
      Cc: Vasily Gorbik <gor@linux.ibm.com>
      Cc: Vlastimil Babka <vbabka@suse.cz>
      Cc: Wei Yang <richard.weiyang@gmail.com>
      Cc: Wei Yang <richardw.yang@linux.intel.com>
      Cc: Will Deacon <will@kernel.org>
      Cc: Yoshinori Sato <ysato@users.sourceforge.jp>
      Cc: Yu Zhao <yuzhao@google.com>
      Cc: <stable@vger.kernel.org>	[4.13+]
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      7ce700bf
    • Joseph Qi's avatar
      Revert "fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()" · 94b07b6f
      Joseph Qi authored
      This reverts commit 56e94ea1.
      
      Commit 56e94ea1 ("fs: ocfs2: fix possible null-pointer dereferences
      in ocfs2_xa_prepare_entry()") introduces a regression that fail to
      create directory with mount option user_xattr and acl.  Actually the
      reported NULL pointer dereference case can be correctly handled by
      loc->xl_ops->xlo_add_entry(), so revert it.
      
      Link: http://lkml.kernel.org/r/1573624916-83825-1-git-send-email-joseph.qi@linux.alibaba.com
      Fixes: 56e94ea1 ("fs: ocfs2: fix possible null-pointer dereferences in ocfs2_xa_prepare_entry()")
      Signed-off-by: default avatarJoseph Qi <joseph.qi@linux.alibaba.com>
      Reported-by: default avatarThomas Voegtle <tv@lio96.de>
      Acked-by: default avatarChangwei Ge <gechangwei@live.cn>
      Cc: Jia-Ju Bai <baijiaju1990@gmail.com>
      Cc: Mark Fasheh <mark@fasheh.com>
      Cc: Joel Becker <jlbec@evilplan.org>
      Cc: Junxiao Bi <junxiao.bi@oracle.com>
      Cc: Gang He <ghe@suse.com>
      Cc: Jun Piao <piaojun@huawei.com>
      Cc: <stable@vger.kernel.org>
      Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
      Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
      94b07b6f
    • Pankaj Sharma's avatar
      can: m_can_platform: remove unnecessary m_can_class_resume() call · 0704c574
      Pankaj Sharma authored
      The function m_can_runtime_resume() is getting recursively called from
      m_can_class_resume(). This results in a lock up.
      
      We need not call m_can_class_resume() during m_can_runtime_resume().
      
      Fixes: f524f829 ("can: m_can: Create a m_can platform framework")
      Signed-off-by: default avatarPankaj Sharma <pankj.sharma@samsung.com>
      Signed-off-by: default avatarSriram Dash <sriram.dash@samsung.com>
      Acked-by: default avatarDan Murphy <dmurphy@ti.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      0704c574
    • Pankaj Sharma's avatar
      can: m_can_platform: set net_device structure as driver data · 2ea87249
      Pankaj Sharma authored
      The current code is failing during clock prepare enable because of not
      getting proper clock from platform device.
      
      [    0.852089] Call trace:
      [    0.854516]  0xffff0000fa22a668
      [    0.857638]  clk_prepare+0x20/0x34
      [    0.861019]  m_can_runtime_resume+0x2c/0xe4
      [    0.865180]  pm_generic_runtime_resume+0x28/0x38
      [    0.869770]  __rpm_callback+0x16c/0x1bc
      [    0.873583]  rpm_callback+0x24/0x78
      [    0.877050]  rpm_resume+0x428/0x560
      [    0.880517]  __pm_runtime_resume+0x7c/0xa8
      [    0.884593]  m_can_clk_start.isra.9.part.10+0x1c/0xa8
      [    0.889618]  m_can_class_register+0x138/0x370
      [    0.893950]  m_can_plat_probe+0x120/0x170
      [    0.897939]  platform_drv_probe+0x4c/0xa0
      [    0.901924]  really_probe+0xd8/0x31c
      [    0.905477]  driver_probe_device+0x58/0xe8
      [    0.909551]  device_driver_attach+0x68/0x70
      [    0.913711]  __driver_attach+0x9c/0xf8
      [    0.917437]  bus_for_each_dev+0x50/0xa0
      [    0.921251]  driver_attach+0x20/0x28
      [    0.924804]  bus_add_driver+0x148/0x1fc
      [    0.928617]  driver_register+0x6c/0x124
      [    0.932431]  __platform_driver_register+0x48/0x50
      [    0.937113]  m_can_plat_driver_init+0x18/0x20
      [    0.941446]  do_one_initcall+0x4c/0x19c
      [    0.945259]  kernel_init_freeable+0x1d0/0x280
      [    0.949591]  kernel_init+0x10/0x100
      [    0.953057]  ret_from_fork+0x10/0x18
      [    0.956614] Code: 00000000 00000000 00000000 00000000 (fa22a668)
      [    0.962681] ---[ end trace 881f71bd609de763 ]---
      [    0.967301] Kernel panic - not syncing: Attempted to kill init!
      
      A device driver for CAN controller hardware registers itself with the
      Linux network layer as a network device. So, the driver data for m_can
      should ideally be of type net_device.
      
      Fixes: f524f829 ("can: m_can: Create a m_can platform framework")
      Signed-off-by: default avatarPankaj Sharma <pankj.sharma@samsung.com>
      Signed-off-by: default avatarSriram Dash <sriram.dash@samsung.com>
      Acked-by: default avatarDan Murphy <dmurphy@ti.com>
      Signed-off-by: default avatarMarc Kleine-Budde <mkl@pengutronix.de>
      2ea87249
    • David S. Miller's avatar
      Merge branch 'hv_netvsc-Fix-send-indirection-table-offset' · d814b67e
      David S. Miller authored
      Haiyang Zhang says:
      
      ====================
      hv_netvsc: Fix send indirection table offset
      
      Fix send indirection table offset issues related to guest and
      host bugs.
      ====================
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      d814b67e
    • Haiyang Zhang's avatar
      hv_netvsc: Fix send_table offset in case of a host bug · 171c1fd9
      Haiyang Zhang authored
      If negotiated NVSP version <= NVSP_PROTOCOL_VERSION_6, the offset may
      be wrong (too small) due to a host bug. This can cause missing the
      end of the send indirection table, and add multiple zero entries from
      leading zeros before the data region. This bug adds extra burden on
      channel 0.
      
      So fix the offset by computing it from the data structure sizes. This
      will ensure netvsc driver runs normally on unfixed hosts, and future
      fixed hosts.
      
      Fixes: 5b54dac8 ("hyperv: Add support for virtual Receive Side Scaling (vRSS)")
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      171c1fd9
    • Haiyang Zhang's avatar
      hv_netvsc: Fix offset usage in netvsc_send_table() · 71f21959
      Haiyang Zhang authored
      To reach the data region, the existing code adds offset in struct
      nvsp_5_send_indirect_table on the beginning of this struct. But the
      offset should be based on the beginning of its container,
      struct nvsp_message. This bug causes the first table entry missing,
      and adds an extra zero from the zero pad after the data region.
      This can put extra burden on the channel 0.
      
      So, correct the offset usage. Also add a boundary check to ensure
      not reading beyond data region.
      
      Fixes: 5b54dac8 ("hyperv: Add support for virtual Receive Side Scaling (vRSS)")
      Signed-off-by: default avatarHaiyang Zhang <haiyangz@microsoft.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      71f21959
    • Maciej Żenczykowski's avatar
      net-ipv6: IPV6_TRANSPARENT - check NET_RAW prior to NET_ADMIN · 35fc59c9
      Maciej Żenczykowski authored
      NET_RAW is less dangerous, so more likely to be available to a process,
      so check it first to prevent some spurious logging.
      
      This matches IP_TRANSPARENT which checks NET_RAW first.
      Signed-off-by: default avatarMaciej Żenczykowski <maze@google.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      35fc59c9
    • Dave Airlie's avatar
      Merge tag 'drm-intel-fixes-2019-11-21' of... · 51658c04
      Dave Airlie authored
      Merge tag 'drm-intel-fixes-2019-11-21' of git://anongit.freedesktop.org/drm/drm-intel into drm-fixes
      
      - Fix kernel oops on dumb_create ioctl on no crtc situation
      - Fix bad ugly colored flash on VLV/CHV related to gamma LUT update
      - Fix unity of the frequencies reported on PMU
      - Fix kernel oops on set_page_dirty using better locks around it
      - Protect the request pointer with RCU to prevent it being freed while we might need still
      - Make pool objects read-only
      - Restore physical addresses for fb_map to avoid corrupted page table
      Signed-off-by: default avatarDave Airlie <airlied@redhat.com>
      
      From: Rodrigo Vivi <rodrigo.vivi@intel.com>
      Link: https://patchwork.freedesktop.org/patch/msgid/20191121165339.GA23920@intel.com
      51658c04
  4. 21 Nov, 2019 9 commits
  5. 20 Nov, 2019 4 commits