Commit Graph

855659 Commits

Author SHA1 Message Date
Jiri Kosina
be2ece49e6 MAINTAINERS: mark floppy.c orphaned
I volunteered myself to maintain it quite some time ago back when I
fixed the concurrency issues which exhibited itself only with
VM-emulated devices, and at the same time I still had the physical 3.5"
reader to test all the changes.

The reader doesn't work any more though, so I guess it's time to step
down from this super-prestigious role :p and mark floppy.c as Orphaned.

Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-18 08:42:30 -07:00
Paul Walmsley
2d69fbf3d0 riscv: fix build break after macro-to-function conversion in generic cacheflush.h
Commit c296d4dc13 ("asm-generic: fix a compilation warning")
converted the various flush_*cache_* macros in
asm-generic/cacheflush.h to static inline functions.  This breaks
RISC-V builds, since RISC-V's cacheflush.h includes the generic
cacheflush.h and then undefines the macros to be overridden.

Fix by copying the subset of the no-op functions that are reused from
the generic cacheflush.h into the RISC-V cacheflush.h, and dropping
the include of the generic cacheflush.h.

Fixes: c296d4dc13 ("asm-generic: fix a compilation warning")
Signed-off-by: Paul Walmsley <paul.walmsley@sifive.com>
Cc: Qian Cai <cai@lca.pw>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-18 08:16:56 -07:00
Peter Zijlstra
cac9b9a4b0 stacktrace: Force USER_DS for stack_trace_save_user()
When walking userspace stacks, USER_DS needs to be set, otherwise
access_ok() will not function as expected.

Reported-by: Vegard Nossum <vegard.nossum@oracle.com>
Reported-by: Eiichi Tsukata <devel@etsukata.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Vegard Nossum <vegard.nossum@oracle.com>
Reviewed-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Link: https://lkml.kernel.org/r/20190718085754.GM3402@hirez.programming.kicks-ass.net
2019-07-18 16:47:24 +02:00
Rafael J. Wysocki
2c66a5b52e Merge branches 'acpi-misc' and 'acpi-video'
* acpi-misc:
  ACPI: fix false-positive -Wuninitialized warning
  ACPI: blacklist: fix clang warning for unused DMI table

* acpi-video:
  ACPI: video: Add new hw_changes_brightness quirk, set it on PB Easynote MZ35
2019-07-18 10:22:20 +02:00
Rafael J. Wysocki
918e162e6a Merge branch 'pm-cpufreq'
* pm-cpufreq:
  cpufreq: Make cpufreq_generic_init() return void
  cpufreq: imx-cpufreq-dt: Add i.MX8MN support
  cpufreq: Add QoS requests for userspace constraints
  cpufreq: intel_pstate: Reuse refresh_frequency_limits()
  cpufreq: Register notifiers with the PM QoS framework
  PM / QoS: Add support for MIN/MAX frequency constraints
  PM / QOS: Pass request type to dev_pm_qos_read_value()
  PM / QOS: Rename __dev_pm_qos_read_value() and dev_pm_qos_raw_read_value()
  PM / QOS: Pass request type to dev_pm_qos_{add|remove}_notifier()
2019-07-18 09:49:30 +02:00
Daniel Jordan
cf144f81a9 padata: use smp_mb in padata_reorder to avoid orphaned padata jobs
Testing padata with the tcrypt module on a 5.2 kernel...

    # modprobe tcrypt alg="pcrypt(rfc4106(gcm(aes)))" type=3
    # modprobe tcrypt mode=211 sec=1

...produces this splat:

    INFO: task modprobe:10075 blocked for more than 120 seconds.
          Not tainted 5.2.0-base+ #16
    modprobe        D    0 10075  10064 0x80004080
    Call Trace:
     ? __schedule+0x4dd/0x610
     ? ring_buffer_unlock_commit+0x23/0x100
     schedule+0x6c/0x90
     schedule_timeout+0x3b/0x320
     ? trace_buffer_unlock_commit_regs+0x4f/0x1f0
     wait_for_common+0x160/0x1a0
     ? wake_up_q+0x80/0x80
     { crypto_wait_req }             # entries in braces added by hand
     { do_one_aead_op }
     { test_aead_jiffies }
     test_aead_speed.constprop.17+0x681/0xf30 [tcrypt]
     do_test+0x4053/0x6a2b [tcrypt]
     ? 0xffffffffa00f4000
     tcrypt_mod_init+0x50/0x1000 [tcrypt]
     ...

The second modprobe command never finishes because in padata_reorder,
CPU0's load of reorder_objects is executed before the unlocking store in
spin_unlock_bh(pd->lock), causing CPU0 to miss CPU1's increment:

CPU0                                 CPU1

padata_reorder                       padata_do_serial
  LOAD reorder_objects  // 0
                                       INC reorder_objects  // 1
                                       padata_reorder
                                         TRYLOCK pd->lock   // failed
  UNLOCK pd->lock

CPU0 deletes the timer before returning from padata_reorder and since no
other job is submitted to padata, modprobe waits indefinitely.

Add a pair of full barriers to guarantee proper ordering:

CPU0                                 CPU1

padata_reorder                       padata_do_serial
  UNLOCK pd->lock
  smp_mb()
  LOAD reorder_objects
                                       INC reorder_objects
                                       smp_mb__after_atomic()
                                       padata_reorder
                                         TRYLOCK pd->lock

smp_mb__after_atomic is needed so the read part of the trylock operation
comes after the INC, as Andrea points out.   Thanks also to Andrea for
help with writing a litmus test.

Fixes: 16295bec63 ("padata: Generic parallelization/serialization interface")
Signed-off-by: Daniel Jordan <daniel.m.jordan@oracle.com>
Cc: <stable@vger.kernel.org>
Cc: Andrea Parri <andrea.parri@amarulasolutions.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Cc: Paul E. McKenney <paulmck@linux.ibm.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: linux-arch@vger.kernel.org
Cc: linux-crypto@vger.kernel.org
Cc: linux-kernel@vger.kernel.org
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-07-18 13:39:54 +08:00
David Rientjes
83bf42510d crypto: ccp - Fix SEV_VERSION_GREATER_OR_EQUAL
SEV_VERSION_GREATER_OR_EQUAL() will fail if upgrading from 2.2 to 3.1, for
example, because the minor version is not equal to or greater than the
major.

Fix this and move to a static inline function for appropriate type
checking.

Fixes: edd303ff0e ("crypto: ccp - Add DOWNLOAD_FIRMWARE SEV command")
Reported-by: Cfir Cohen <cfir@google.com>
Signed-off-by: David Rientjes <rientjes@google.com>
Acked-by: Tom Lendacky <thomas.lendacky@amd.com>
Acked-by: Gary R Hook <gary.hook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-07-18 13:39:54 +08:00
Cfir Cohen
538a5a072e crypto: ccp/gcm - use const time tag comparison.
Avoid leaking GCM tag through timing side channel.

Fixes: 36cf515b9b ("crypto: ccp - Enable support for AES GCM on v5 CCPs")
Cc: <stable@vger.kernel.org> # v4.12+
Signed-off-by: Cfir Cohen <cfir@google.com>
Acked-by: Gary R Hook <ghook@amd.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2019-07-18 13:39:54 +08:00
Trond Myklebust
7402a4fedc SUNRPC: Fix up backchannel slot table accounting
Add a per-transport maximum limit in the socket case, and add
helpers to allow the NFSv4 code to discover that limit.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2019-07-18 01:12:59 -04:00
Trond Myklebust
9f98effc19 SUNRPC: Fix initialisation of struct rpc_xprt_switch
Ensure that we do initialise the fields xps_nactive, xps_queuelen
and xps_net.

Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
2019-07-18 01:12:59 -04:00
Dave Airlie
b3c8a40cfc Pull request for drm-misc-fixes-next for v5.3:
- Revert properties exposed in komeda that need improvement before they become ABI.
 - Only add modes from the cmdline if they are valid.
 - Add orientation quirk for GPD MicroPC.
 - Reduce stack usage in drm selftests.
 - Fix bochs framebuffer setup.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEuXvWqAysSYEJGuVH/lWMcqZwE8MFAl0oRZYACgkQ/lWMcqZw
 E8PYHw//YWRRkjWyxQ2NMLDMcRg6GpOKWS7FrDrfycr+dtKvLGvU8+XAwwg97yP+
 KXczKDxoQG4cLakn/DsFv9jpZjmROx95U2R5yXFxCp7qu/Pqbeaoo8M7yH422jB2
 eEWjoDdmIv89sPr5aOVlT9MHbhOwIId1Ff5wLM6S13D2N+FSxcjKRehGUcZqZUhC
 RNYH4+v16DqJYlgPbCSQNdYhJxCiL745bsPB+L6O1O9Bekl86+2NjcbL8GauDOag
 56y7m4NuoKJRXzqhM3Daq/O3tXBnYYbcl0LMb0Mpgxd/qAauUYkWfWauGCrCgM3q
 fe2eokmGrrB0AH7q4iicUcosutj2M0KBer24o0vlzGlpsFbndHLN5CLDlfB48qOG
 Fx4BJTdyHuJFHDaLwzx9flgYRSdjkn+3qkF4J9sjhxraHo/Rtay3kHo8A9mIvclo
 Vu7Ie2KIbD6g1Xk0M0PR0QgQ+g4Sn2MoCFktSL02L547gY1PtbKoSfqMlmaqw67O
 gNgAQ8oPkGfbuJa7v73LdRAKUVvFawmZQSuu9ES3PtYrg/NpT/5e2Pvkgy2gVAzE
 PUgT27d1VDpBHp/kfukpH5zFGV/sWNSsknF9gFLB8YWN8oivzzhEOq4Zsvn0BMy3
 y6Y2sUMH2GMO+zYlv5UaTUoFW9lwXFkaJzFN0+ZNdt5j8d5YEOM=
 =oNyN
 -----END PGP SIGNATURE-----

Merge tag 'drm-misc-next-fixes-2019-07-11' of git://anongit.freedesktop.org/drm/drm-misc into drm-next

Pull request for drm-misc-fixes-next for v5.3:
- Revert properties exposed in komeda that need improvement before they become ABI.
- Only add modes from the cmdline if they are valid.
- Add orientation quirk for GPD MicroPC.
- Reduce stack usage in drm selftests.
- Fix bochs framebuffer setup.

Signed-off-by: Dave Airlie <airlied@redhat.com>

From: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/e6b84ce4-2728-fb02-87c1-6a6b87703c0b@linux.intel.com
2019-07-18 15:03:49 +10:00
Juergen Gross
a1078e821b xen: let alloc_xenballooned_pages() fail if not enough memory free
Instead of trying to allocate pages with GFP_USER in
add_ballooned_pages() check the available free memory via
si_mem_available(). GFP_USER is far less limiting memory exhaustion
than the test via si_mem_available().

This will avoid dom0 running out of memory due to excessive foreign
page mappings especially on ARM and on x86 in PVH mode, as those don't
have a pre-ballooned area which can be used for foreign mappings.

As the normal ballooning suffers from the same problem don't balloon
down more than si_mem_available() pages in one iteration. At the same
time limit the default maximum number of retries.

This is part of XSA-300.

Signed-off-by: Juergen Gross <jgross@suse.com>
2019-07-18 06:44:24 +02:00
Michael Forney
8e144797f1 objtool: Rename elf_open() to prevent conflict with libelf from elftoolchain
The elftoolchain version of libelf has a function named elf_open().

The function name isn't quite accurate anyway, since it also reads all
the ELF data.  Rename it to elf_read(), which is more accurate.

[ jpoimboe: rename to elf_read(); write commit description ]

Signed-off-by: Michael Forney <mforney@mforney.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/7ce2d1b35665edf19fd0eb6fbc0b17b81a48e62f.1562793604.git.jpoimboe@redhat.com
2019-07-18 00:50:14 +02:00
Michael Forney
3c3ea50317 objtool: Use Elf_Scn typedef instead of assuming struct name
The libelf implementation might use a different struct name, and the
Elf_Scn typedef is already used throughout the rest of objtool.

Signed-off-by: Michael Forney <mforney@mforney.org>
Signed-off-by: Josh Poimboeuf <jpoimboe@redhat.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lkml.kernel.org/r/d270e1be2835fc2a10acf67535ff2ebd2145bf43.1562793448.git.jpoimboe@redhat.com
2019-07-18 00:50:14 +02:00
Thomas Gleixner
e0c5c5e308 perf/core improvements and fixes:
perf db-export:
 
   Adrian Hunter:
 
   - Improvements in how COMM details are exported to databases for
     post processing and use in the sql-viewer.py UI.
 
   - Export switch events to the database.
 
 BPF:
 
   Arnaldo Carvalho de Melo:
 
   - Bump rlimit(MEMLOCK) for 'perf test bpf' and 'perf trace', just like
     selftests/bpf/bpf_rlimit.h do, which makes errors due to exhaustion of
     this limit, which are kinda cryptic (EPERM sometimes) less frequent.
 
 perf version:
   Ravi Bangoria:
 
   - Fix segfault due to missing OPT_END(), noticed on PowerPC.
 
 perf vendor events:
 
   Thomas Richter:
 
   - Add JSON files for IBM s/390 machine type 8561.
 
 perf cs-etm (ARM):
 
   YueHaibing:
 
   - Fix two cases of error returns not bing done properly: Invalid ERR_PTR() use
     and loss of propagation error codes.
 
 Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
 -----BEGIN PGP SIGNATURE-----
 
 iHUEABYIAB0WIQR2GiIUctdOfX2qHhGyPKLppCJ+JwUCXSzqiQAKCRCyPKLppCJ+
 J6E6AQDUJOqIQ9/AU4VnaLejy01N61TswV++EYaHsGlNoau6SQD+L68GifDgGIh1
 hbGAg/BannQONcMHk+0qFXD/AonntQA=
 =zyDe
 -----END PGP SIGNATURE-----

Merge tag 'perf-core-for-mingo-5.3-20190715' of git://git.kernel.org/pub/scm/linux/kernel/git/acme/linux into perf/urgent

Pull perf/core improvements and fixes from Arnaldo Carvalho de Melo:

 perf db-export:
  Adrian Hunter:
  - Improvements in how COMM details are exported to databases for
    post processing and use in the sql-viewer.py UI.

  - Export switch events to the database.

 BPF:
  Arnaldo Carvalho de Melo:
  - Bump rlimit(MEMLOCK) for 'perf test bpf' and 'perf trace', just like
    selftests/bpf/bpf_rlimit.h do, which makes errors due to exhaustion of
    this limit, which are kinda cryptic (EPERM sometimes) less frequent.

 perf version:
  Ravi Bangoria:
  - Fix segfault due to missing OPT_END(), noticed on PowerPC.

 perf vendor events:
  Thomas Richter:
  - Add JSON files for IBM s/390 machine type 8561.

 perf cs-etm (ARM):
  YueHaibing:
  - Fix two cases of error returns not bing done properly: Invalid ERR_PTR() use
    and loss of propagation error codes.
2019-07-18 00:32:52 +02:00
David Ahern
49d05fe2c9 ipv6: rt6_check should return NULL if 'from' is NULL
Paul reported that l2tp sessions were broken after the commit referenced
in the Fixes tag. Prior to this commit rt6_check returned NULL if the
rt6_info 'from' was NULL - ie., the dst_entry was disconnected from a FIB
entry. Restore that behavior.

Fixes: 93531c6743 ("net/ipv6: separate handling of FIB entries from dst based routes")
Reported-by: Paul Donohue <linux-kernel@PaulSD.com>
Tested-by: Paul Donohue <linux-kernel@PaulSD.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 15:25:54 -07:00
Jon Maloy
866e5fd8a7 tipc: initialize 'validated' field of received packets
The tipc_msg_validate() function leaves a boolean flag 'validated' in
the validated buffer's control block, to avoid performing this action
more than once. However, at reception of new packets, the position of
this field may already have been set by lower layer protocols, so
that the packet is erroneously perceived as already validated by TIPC.

We fix this by initializing the said field to 'false' before performing
the initial validation.

Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 15:24:38 -07:00
David S. Miller
7b379472bc Merge branch 'ipv4-relax-source-validation-check-for-loopback-packets'
Cong Wang says:

====================
ipv4: relax source validation check for loopback packets

This patchset fixes a corner case when loopback packets get dropped
by rp_filter when we route them from veth to lo. Patch 1 is the fix
and patch 2 provides a simplified test case for this scenario.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 15:23:39 -07:00
Cong Wang
adb701d6cf selftests: add a test case for rp_filter
Add a test case to simulate the loopback packet case fixed
in the previous patch.

This test gets passed after the fix:

IPv4 rp_filter tests
    TEST: rp_filter passes local packets                                [ OK ]
    TEST: rp_filter passes loopback packets                             [ OK ]

Cc: David Ahern <dsahern@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 15:23:39 -07:00
Cong Wang
66f8209547 fib: relax source validation check for loopback packets
In a rare case where we redirect local packets from veth to lo,
these packets fail to pass the source validation when rp_filter
is turned on, as the tracing shows:

  <...>-311708 [040] ..s1 7951180.957825: fib_table_lookup: table 254 oif 0 iif 1 src 10.53.180.130 dst 10.53.180.130 tos 0 scope 0 flags 0
  <...>-311708 [040] ..s1 7951180.957826: fib_table_lookup_nh: nexthop dev eth0 oif 4 src 10.53.180.130

So, the fib table lookup returns eth0 as the nexthop even though
the packets are local and should be routed to loopback nonetheless,
but they can't pass the dev match check in fib_info_nh_uses_dev()
without this patch.

It should be safe to relax this check for this special case, as
normally packets coming out of loopback device still have skb_dst
so they won't even hit this slow path.

Cc: Julian Anastasov <ja@ssi.bg>
Cc: David Ahern <dsahern@gmail.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 15:23:39 -07:00
David S. Miller
f1bf3e2ab4 Merge branch 'mlxsw-Two-fixes'
Ido Schimmel says:

====================
mlxsw: Two fixes

This patchset contains two fixes for mlxsw.

Patch #1 from Petr fixes an issue in which DSCP rewrite can occur even
if the egress port was switched to Trust L2 mode where priority mapping
is based on PCP.

Patch #2 fixes a problem where packets can be learned on a non-existing
FID if a tc filter with a redirect action is configured on a bridged
port. The problem and fix are explained in detail in the commit message.

Please consider both patches for 5.2.y
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 15:19:46 -07:00
Ido Schimmel
577fa14d21 mlxsw: spectrum: Do not process learned records with a dummy FID
The switch periodically sends notifications about learned FDB entries.
Among other things, the notification includes the FID (Filtering
Identifier) and the port on which the MAC was learned.

In case the driver does not have the FID defined on the relevant port,
the following error will be periodically generated:

mlxsw_spectrum2 0000:06:00.0 swp32: Failed to find a matching {Port, VID} following FDB notification

This is not supposed to happen under normal conditions, but can happen
if an ingress tc filter with a redirect action is installed on a bridged
port. The redirect action will cause the packet's FID to be changed to
the dummy FID and a learning notification will be emitted with this FID
- which is not defined on the bridged port.

Fix this by having the driver ignore learning notifications generated
with the dummy FID and delete them from the device.

Another option is to chain an ignore action after the redirect action
which will cause the device to disable learning, but this means that we
need to consume another action whenever a redirect action is used. In
addition, the scenario described above is merely a corner case.

Fixes: cedbb8b259 ("mlxsw: spectrum_flower: Set dummy FID before forward action")
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reported-by: Alex Kushnarov <alexanderk@mellanox.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Tested-by: Alex Kushnarov <alexanderk@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 15:19:46 -07:00
Petr Machata
dedfde2fe1 mlxsw: spectrum_dcb: Configure DSCP map as the last rule is removed
Spectrum systems use DSCP rewrite map to update DSCP field in egressing
packets to correspond to priority that the packet has. Whether rewriting
will take place is determined at the point when the packet ingresses the
switch: if the port is in Trust L3 mode, packet priority is determined from
the DSCP map at the port, and DSCP rewrite will happen. If the port is in
Trust L2 mode, 802.1p is used for packet prioritization, and no DSCP
rewrite will happen.

The driver determines the port trust mode based on whether any DSCP
prioritization rules are in effect at given port. If there are any, trust
level is L3, otherwise it's L2. When the last DSCP rule is removed, the
port is switched to trust L2. Under that scenario, if DSCP of a packet
should be rewritten, it should be rewritten to 0.

However, when switching to Trust L2, the driver neglects to also update the
DSCP rewrite map. The last DSCP rule thus remains in effect, and packets
egressing through this port, if they have the right priority, will have
their DSCP set according to this rule.

Fix by first configuring the rewrite map, and only then switching to trust
L2 and bailing out.

Fixes: b2b1dab688 ("mlxsw: spectrum: Support ieee_setapp, ieee_delapp")
Signed-off-by: Petr Machata <petrm@mellanox.com>
Reported-by: Alex Veber <alexve@mellanox.com>
Tested-by: Alex Veber <alexve@mellanox.com>
Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 15:19:46 -07:00
Rosen Penev
a6574227a8 net: ag71xx: Add missing header
ag71xx uses devm_ioremap_nocache. This fixes usage of an implicit function

Fixes: d51b6ce441 ("net: ethernet: add ag71xx driver")
Signed-off-by: Rosen Penev <rosenp@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 15:18:02 -07:00
Denis Efremov
da99466ac2 floppy: fix out-of-bounds read in copy_buffer
This fixes a global out-of-bounds read access in the copy_buffer
function of the floppy driver.

The FDDEFPRM ioctl allows one to set the geometry of a disk.  The sect
and head fields (unsigned int) of the floppy_drive structure are used to
compute the max_sector (int) in the make_raw_rw_request function.  It is
possible to overflow the max_sector.  Next, max_sector is passed to the
copy_buffer function and used in one of the memcpy calls.

An unprivileged user could trigger the bug if the device is accessible,
but requires a floppy disk to be inserted.

The patch adds the check for the .sect * .head multiplication for not
overflowing in the set_geometry function.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-17 14:45:50 -07:00
Denis Efremov
9b04609b78 floppy: fix invalid pointer dereference in drive_name
This fixes the invalid pointer dereference in the drive_name function of
the floppy driver.

The native_format field of the struct floppy_drive_params is used as
floppy_type array index in the drive_name function.  Thus, the field
should be checked the same way as the autodetect field.

To trigger the bug, one could use a value out of range and set the drive
parameters with the FDSETDRVPRM ioctl.  Next, FDGETDRVTYP ioctl should
be used to call the drive_name.  A floppy disk is not required to be
inserted.

CAP_SYS_ADMIN is required to call FDSETDRVPRM.

The patch adds the check for a value of the native_format field to be in
the '0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array
indices.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-17 14:45:50 -07:00
Denis Efremov
5635f897ed floppy: fix out-of-bounds read in next_valid_format
This fixes a global out-of-bounds read access in the next_valid_format
function of the floppy driver.

The values from autodetect field of the struct floppy_drive_params are
used as indices for the floppy_type array in the next_valid_format
function 'floppy_type[DP->autodetect[probed_format]].sect'.

To trigger the bug, one could use a value out of range and set the drive
parameters with the FDSETDRVPRM ioctl.  A floppy disk is not required to
be inserted.

CAP_SYS_ADMIN is required to call FDSETDRVPRM.

The patch adds the check for values of the autodetect field to be in the
'0 <= x < ARRAY_SIZE(floppy_type)' range of the floppy_type array indices.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-17 14:45:49 -07:00
Denis Efremov
f3554aeb99 floppy: fix div-by-zero in setup_format_params
This fixes a divide by zero error in the setup_format_params function of
the floppy driver.

Two consecutive ioctls can trigger the bug: The first one should set the
drive geometry with such .sect and .rate values for the F_SECT_PER_TRACK
to become zero.  Next, the floppy format operation should be called.

A floppy disk is not required to be inserted.  An unprivileged user
could trigger the bug if the device is accessible.

The patch checks F_SECT_PER_TRACK for a non-zero value in the
set_geometry function.  The proper check should involve a reasonable
upper limit for the .sect and .rate fields, but it could change the
UAPI.

The patch also checks F_SECT_PER_TRACK in the setup_format_params, and
cancels the formatting operation in case of zero.

The bug was found by syzkaller.

Signed-off-by: Denis Efremov <efremov@ispras.ru>
Tested-by: Willy Tarreau <w@1wt.eu>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2019-07-17 14:45:49 -07:00
Peter Zijlstra
a0d14b8909 x86/mm, tracing: Fix CR2 corruption
Despite the current efforts to read CR2 before tracing happens there still
exist a number of possible holes:

  idtentry page_fault             do_page_fault           has_error_code=1
    call error_entry
      TRACE_IRQS_OFF
        call trace_hardirqs_off*
          #PF // modifies CR2

      CALL_enter_from_user_mode
        __context_tracking_exit()
          trace_user_exit(0)
            #PF // modifies CR2

    call do_page_fault
      address = read_cr2(); /* whoopsie */

And similar for i386.

Fix it by pulling the CR2 read into the entry code, before any of that
stuff gets a chance to run and ruin things.

Reported-by: He Zhe <zhe.he@windriver.com>
Reported-by: Eiichi Tsukata <devel@etsukata.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Cc: bp@alien8.de
Cc: rostedt@goodmis.org
Cc: torvalds@linux-foundation.org
Cc: hpa@zytor.com
Cc: dave.hansen@linux.intel.com
Cc: jgross@suse.com
Cc: joel@joelfernandes.org
Link: https://lkml.kernel.org/r/20190711114336.116812491@infradead.org

Debugged-by: Steven Rostedt <rostedt@goodmis.org>
2019-07-17 23:17:38 +02:00
Peter Zijlstra
4234653e88 x86/entry/64: Update comments and sanity tests for create_gap
Commit 2700fefdb2 ("x86_64: Add gap to int3 to allow for call
emulation") forgot to update the comment, do so now.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: bp@alien8.de
Cc: torvalds@linux-foundation.org
Cc: hpa@zytor.com
Cc: dave.hansen@linux.intel.com
Cc: jgross@suse.com
Cc: zhe.he@windriver.com
Cc: joel@joelfernandes.org
Cc: devel@etsukata.com
Link: https://lkml.kernel.org/r/20190711114336.059780563@infradead.org
2019-07-17 23:17:38 +02:00
Peter Zijlstra
2fd37912cf x86/entry/64: Simplify idtentry a little
There's a bunch of duplication in idtentry, namely the
.Lfrom_usermode_switch_stack is a paranoid=0 copy of the normal flow.

Make this explicit by creating a idtentry_part helper macro.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Acked-by: Andy Lutomirski <luto@kernel.org>
Cc: bp@alien8.de
Cc: torvalds@linux-foundation.org
Cc: hpa@zytor.com
Cc: dave.hansen@linux.intel.com
Cc: jgross@suse.com
Cc: zhe.he@windriver.com
Cc: joel@joelfernandes.org
Cc: devel@etsukata.com
Link: https://lkml.kernel.org/r/20190711114336.002429503@infradead.org
2019-07-17 23:17:37 +02:00
Peter Zijlstra
e67f1c11e5 x86/entry/32: Simplify common_exception
Adding one more option to SAVE_ALL can be used in common_exception to
simplify things. This also saves duplication later where page_fault will no
longer use common_exception.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Steven Rostedt (VMware) <rostedt@goodmis.org>
Reviewed-by: Andy Lutomirski <luto@kernel.org>
Cc: bp@alien8.de
Cc: torvalds@linux-foundation.org
Cc: hpa@zytor.com
Cc: dave.hansen@linux.intel.com
Cc: jgross@suse.com
Cc: zhe.he@windriver.com
Cc: joel@joelfernandes.org
Cc: devel@etsukata.com
Link: https://lkml.kernel.org/r/20190711114335.945136187@infradead.org
2019-07-17 23:17:37 +02:00
Peter Zijlstra
55aedddb61 x86/paravirt: Make read_cr2() CALLEE_SAVE
The one paravirt read_cr2() implementation (Xen) is actually quite trivial
and doesn't need to clobber anything other than the return register.

Making read_cr2() CALLEE_SAVE avoids all the PUSH/POP nonsense and allows
more convenient use from assembly.

Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Reviewed-by: Juergen Gross <jgross@suse.com>
Cc: bp@alien8.de
Cc: rostedt@goodmis.org
Cc: luto@kernel.org
Cc: torvalds@linux-foundation.org
Cc: hpa@zytor.com
Cc: dave.hansen@linux.intel.com
Cc: zhe.he@windriver.com
Cc: joel@joelfernandes.org
Cc: devel@etsukata.com
Link: https://lkml.kernel.org/r/20190711114335.887392493@infradead.org
2019-07-17 23:17:37 +02:00
Helge Deller
45800fb451 parisc: Wire up clone3 syscall
Signed-off-by: Helge Deller <deller@gmx.de>
Tested-by: Sven Schnelle <svens@stackframe.org>
Acked-by: Christian Brauner <christian@brauner.io>
2019-07-17 23:11:28 +02:00
Helge Deller
59a783dbc0 parisc: Avoid kernel panic triggered by invalid kprobe
When running gdb I was able to trigger this kernel panic:

 Kernel Fault: Code=26 (Data memory access rights trap) at addr 0000000000000060
 CPU: 0 PID: 1401 Comm: gdb-crash Not tainted 5.2.0-rc7-64bit+ #1053

      YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI
 PSW: 00001000000001000000000000001111 Not tainted
 r00-03  000000000804000f 0000000040dee1a0 0000000040c78cf0 00000000b8d50160
 r04-07  0000000040d2b1a0 000000004360a098 00000000bbbe87b8 0000000000000003
 r08-11  00000000fac20a70 00000000fac24160 00000000fac1bbe0 0000000000000000
 r12-15  00000000fabfb79a 00000000fac244a4 0000000000010000 0000000000000001
 r16-19  00000000bbbe87b8 00000000f8f02910 0000000000010034 0000000000000000
 r20-23  00000000fac24630 00000000fac24630 000000006474e552 00000000fac1aa52
 r24-27  0000000000000028 00000000bbbe87b8 00000000bbbe87b8 0000000040d2b1a0
 r28-31  0000000000000000 00000000b8d501c0 00000000b8d501f0 0000000003424000
 sr00-03  0000000000423000 0000000000000000 0000000000000000 0000000000423000
 sr04-07  0000000000000000 0000000000000000 0000000000000000 0000000000000000

 IASQ: 0000000000000000 0000000000000000 IAOQ: 0000000040c78cf0 0000000040c78cf4
  IIR: 539f00c0    ISR: 0000000000000000  IOR: 0000000000000060
  CPU:        0   CR30: 00000000b8d50000 CR31: 00000000d22345e2
  ORIG_R28: 0000000040250798
  IAOQ[0]: parisc_kprobe_ss_handler+0x58/0x170
  IAOQ[1]: parisc_kprobe_ss_handler+0x5c/0x170
  RP(r2): parisc_kprobe_ss_handler+0x58/0x170
 Backtrace:
  [<0000000040206ff8>] handle_interruption+0x178/0xbb8
 Kernel panic - not syncing: Kernel Fault

Avoid this panic by checking the return value of kprobe_running() and
skip kprobe if none is currently active.

Cc: <stable@vger.kernel.org> # v5.2
Acked-by: Sven Schnelle <svens@stackframe.org>
Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
Signed-off-by: Helge Deller <deller@gmx.de>
2019-07-17 23:11:28 +02:00
Helge Deller
34c32fc603 parisc: Ensure userspace privilege for ptraced processes in regset functions
On parisc the privilege level of a process is stored in the lowest two bits of
the instruction pointers (IAOQ0 and IAOQ1). On Linux we use privilege level 0
for the kernel and privilege level 3 for user-space. So userspace should not be
allowed to modify IAOQ0 or IAOQ1 of a ptraced process to change it's privilege
level to e.g. 0 to try to gain kernel privileges.

This patch prevents such modifications in the regset support functions by
always setting the two lowest bits to one (which relates to privilege level 3
for user-space) if IAOQ0 or IAOQ1 are modified via ptrace regset calls.

Link: https://bugs.gentoo.org/481768
Cc: <stable@vger.kernel.org> # v4.7+
Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
Signed-off-by: Helge Deller <deller@gmx.de>
2019-07-17 23:11:27 +02:00
Helge Deller
10835c8546 parisc: Fix kernel panic due invalid values in IAOQ0 or IAOQ1
On parisc the privilege level of a process is stored in the lowest two bits of
the instruction pointers (IAOQ0 and IAOQ1). On Linux we use privilege level 0
for the kernel and privilege level 3 for user-space. So userspace should not be
allowed to modify IAOQ0 or IAOQ1 of a ptraced process to change it's privilege
level to e.g. 0 to try to gain kernel privileges.

This patch prevents such modifications by always setting the two lowest bits to
one (which relates to privilege level 3 for user-space) if IAOQ0 or IAOQ1 are
modified via ptrace calls in the native and compat ptrace paths.

Link: https://bugs.gentoo.org/481768
Reported-by: Jeroen Roovers <jer@gentoo.org>
Cc: <stable@vger.kernel.org>
Tested-by: Rolf Eike Beer <eike-kernel@sf-tec.de>
Signed-off-by: Helge Deller <deller@gmx.de>
2019-07-17 23:11:27 +02:00
Cong Wang
3f05e6886a net_sched: unset TCQ_F_CAN_BYPASS when adding filters
For qdisc's that support TC filters and set TCQ_F_CAN_BYPASS,
notably fq_codel, it makes no sense to let packets bypass the TC
filters we setup in any scenario, otherwise our packets steering
policy could not be enforced.

This can be reproduced easily with the following script:

 ip li add dev dummy0 type dummy
 ifconfig dummy0 up
 tc qd add dev dummy0 root fq_codel
 tc filter add dev dummy0 parent 8001: protocol arp basic action mirred egress redirect dev lo
 tc filter add dev dummy0 parent 8001: protocol ip basic action mirred egress redirect dev lo
 ping -I dummy0 192.168.112.1

Without this patch, packets are sent directly to dummy0 without
hitting any of the filters. With this patch, packets are redirected
to loopback as expected.

This fix is not perfect, it only unsets the flag but does not set it back
because we have to save the information somewhere in the qdisc if we
really want that. Note, both fq_codel and sfq clear this flag in their
->bind_tcf() but this is clearly not sufficient when we don't use any
class ID.

Fixes: 23624935e0 ("net_sched: TCQ_F_CAN_BYPASS generalization")
Cc: Eric Dumazet <edumazet@google.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 13:34:09 -07:00
Linus Torvalds
22051d9c4a platform-drivers-x86 for v5.3-2
Provide better naming for ABI, i.e. tell that we have fan boost mode.
 
 The following is an automated git shortlog grouped by driver:
 
 asus:
  -  Rename "fan mode" to "fan boost mode"
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCgAdFiEEqaflIX74DDDzMJJtb7wzTHR8rCgFAl0vSKcACgkQb7wzTHR8
 rCg4zhAAloPsy7IHNxJOwISxwhgu3v7unpKOta8V16yUfuakHNwjKQOpj4N8YYE5
 ezHsfzhf1jTjH00Bt9VuEpaXGJzWfPkXkH/713grpemSpPfI/hAdSN8lvNaA89EE
 3CEE13D+IAFu4LZE71zQmNZy77HGvPGUhSimb7rYy0ggaQVudSVysjHA7OC0sYpD
 znon8irvZurcKZxTWpWq8r5wDYTEZMAW20mOl7jpr3iD7f1rkrdZCi5q8+05h12q
 7HSjZrLjHQZw/P9PAMHnOeTLzf+Oc4KU83eUpaCIMUKK1vdZzSZDtjjhUUPm2Dm+
 klraonqVgorvRanY1cAjVq5RCDkG7kvaI9lbiWHdoRgkShQgOZsjtTsAHzGnEbzT
 c5RaSjJ9NUf9GDtoK3MGirirRVwO7SJagmSCc1Myph2cZJDR7KDSPURLxoX8n/U9
 fOJkH23vAd+HTuWTTt22pURAdZSq0Eq6yNhdEIaIhHHaS2FUipblKNZrcuUuGFmV
 oglpoYrXX3wrXKW5FxAUT/+ZFAlKk8TLSwlecZgLTzrUtIAWsw4X/uY0MgAM/Hkt
 qhtHRNLPe0qbL1GMFZUG8Uv2ONXl+gyiuSH2kibvWoZwbjQNnjAUEGZphHGX9zor
 bUmtHxCdIGGrxN74DgOPpzFY7Ep41sHeOUraioLhMT4yZEtE1/U=
 =ZhHh
 -----END PGP SIGNATURE-----

Merge tag 'platform-drivers-x86-v5.3-2' of git://git.infradead.org/linux-platform-drivers-x86

Pull another x86 platform driver update from Andy Shevchenko:
 "Provide better naming for ABI, i.e. tell that we have fan boost mode.

  It won't break any ABI, but has to be done now to avoid confusion in
  the future"

* tag 'platform-drivers-x86-v5.3-2' of git://git.infradead.org/linux-platform-drivers-x86:
  platform/x86: asus: Rename "fan mode" to "fan boost mode"
2019-07-17 13:16:30 -07:00
Linus Torvalds
aac09ce275 Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux
Pull thermal management updates from Zhang Rui:

 - Convert thermal documents to ReST (Mauro Carvalho Chehab)

 - Fix a cyclic depedency in between thermal core and governors (Daniel
   Lezcano)

 - Fix processor_thermal_device driver to re-evaluate power limits after
   resume (Srinivas Pandruvada, Zhang Rui)

* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/rzhang/linux:
  drivers: thermal: processor_thermal_device: Fix build warning
  docs: thermal: convert to ReST
  thermal/drivers/core: Use governor table to initialize
  thermal/drivers/core: Add init section table for self-encapsulation
  drivers: thermal: processor_thermal: Read PPCC on resume
2019-07-17 13:13:41 -07:00
Linus Torvalds
c3c08f939a GPIO fixes for the v5.3 merge window:
- Revert a SPIO GPIO fix that didn't fix anything instead created new
   problems.
 - Remove the EM GPIO irqdomain in a safe manner.
 - Fix a memory leak in the gpio quirks.
 - Make the DaVinci error path silent on probe deferral.
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEElDRnuGcz/wPCXQWMQRCzN7AZXXMFAl0vPEkACgkQQRCzN7AZ
 XXOL0g/8DxfjkoyS0+GQDJAx1wANj9xZP5OzDEEpzV8YHZmAK4q8ucyt5jJarO7q
 v75T5dpcqudG3oRRwLUzA8qZJBGl/M9T82T3bRu9d3KYZhkOoXp2LkyD3m8prvr6
 9bd4mjPzr78ro5EJhHFEFkjhNlpGxcFvmP3wMR1BOGCMlnv975J7RH24hOdu+CWO
 /a3CaKpPdWlPDjgclWYql3MNBvSE6M87azOQWSPJhabSmUqFUGzyo4Fk5NLxwHl1
 oixBgLXRBJ/rOtuzLW+LFi9iW9N0QvHQgQuEQm7p21+E4T0Bqdv0xADl2ThKFJUj
 Vu6gAfYxJt3hvfEW3/Vcd3MsclLCvgYveAX1hHR/OxuZv69fOpM7LkWB6g5MYanG
 238SYb13dvzDRYjh6lKiOxGMZSRBA5Bw9jf/03l1b7S3olmsoD4Zuc3mstcGdBrl
 qt4eRKCekkP7txbn2i50PLd2hGV0HjO2sNeNXdW8o+qEjDRcxLXiXv+MBDZTeEhJ
 RSMOegzyyHVPDKS+0sQAHXHKYqiw9117Fe8swbgHjkTxdtsER8spot7PdKF0Lblu
 WU2SXdbltqcufo883LG0Kzgx3xwvt/ncYoUB4gHLfx+sFxPY1wbeOHjOreWJ4QOs
 ycd21YiCdZLk9ExrOPQ4NSniXX9bzH2FlovT/bHYMpl75pKa7Ig=
 =/5s0
 -----END PGP SIGNATURE-----

Merge tag 'gpio-v5.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio

Pull GPIO fixes from Linus Walleij:

 - Revert a SPIO GPIO fix that didn't fix anything but instead created
   new problems.

 - Remove the EM GPIO irqdomain in a safe manner.

 - Fix a memory leak in the gpio quirks.

 - Make the DaVinci error path silent on probe deferral.

* tag 'gpio-v5.3-2' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-gpio:
  Revert "gpio/spi: Fix spi-gpio regression on active high CS"
  gpio: em: remove the gpiochip before removing the irq domain
  gpiolib: of: fix a memory leak in of_gpio_flags_quirks()
  gpio: davinci: silence error prints in case of EPROBE_DEFER
2019-07-17 13:05:21 -07:00
David S. Miller
4809bba728 Merge branch 'net-rds-RDMA-fixes'
Gerd Rausch says:

====================
net/rds: RDMA fixes

A number of net/rds fixes necessary to make "rds_rdma.ko"
pass some basic Oracle internal tests.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 12:06:52 -07:00
Gerd Rausch
aa4948937b net/rds: Initialize ic->i_fastreg_wrs upon allocation
Otherwise, if an IB connection is torn down before "rds_ib_setup_qp"
is called, the value of "ic->i_fastreg_wrs" is still at zero
(as it wasn't initialized by "rds_ib_setup_qp").
Consequently "rds_ib_conn_path_shutdown" will spin forever,
waiting for it to go back to "RDS_IB_DEFAULT_FR_WR",
which of course will never happen as there are no
outstanding work requests.

Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 12:06:52 -07:00
Gerd Rausch
3a2886cca7 net/rds: Keep track of and wait for FRWR segments in use upon shutdown
Since "rds_ib_free_frmr" and "rds_ib_free_frmr_list" simply put
the FRMR memory segments on the "drop_list" or "free_list",
and it is the job of "rds_ib_flush_mr_pool" to reap those entries
by ultimately issuing a "IB_WR_LOCAL_INV" work-request,
we need to trigger and then wait for all those memory segments
attached to a particular connection to be fully released before
we can move on to release the QP, CQ, etc.

So we make "rds_ib_conn_path_shutdown" wait for one more
atomic_t called "i_fastreg_inuse_count" that keeps track of how
many FRWR memory segments are out there marked "FRMR_IS_INUSE"
(and also wake_up rds_ib_ring_empty_wait, as they go away).

Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 12:06:52 -07:00
Gerd Rausch
9547dff108 net/rds: Set fr_state only to FRMR_IS_FREE if IB_WR_LOCAL_INV had been successful
Fix a bug where fr_state first goes to FRMR_IS_STALE, because of a failure
of operation IB_WR_LOCAL_INV, but then gets set back to "FRMR_IS_FREE"
uncoditionally, even though the operation failed.

Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 12:06:52 -07:00
Gerd Rausch
aea01a2234 net/rds: Fix NULL/ERR_PTR inconsistency
Make function "rds_ib_try_reuse_ibmr" return NULL in case
memory region could not be allocated, since callers
simply check if the return value is not NULL.

Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 12:06:52 -07:00
Gerd Rausch
5f33141d2f net/rds: Wait for the FRMR_IS_FREE (or FRMR_IS_STALE) transition after posting IB_WR_LOCAL_INV
In order to:
1) avoid a silly bouncing between "clean_list" and "drop_list"
   triggered by function "rds_ib_reg_frmr" as it is releases frmr
   regions whose state is not "FRMR_IS_FREE" right away.

2) prevent an invalid access error in a race from a pending
   "IB_WR_LOCAL_INV" operation with a teardown ("dma_unmap_sg", "put_page")
   and de-registration ("ib_dereg_mr") of the corresponding
   memory region.

Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 12:06:52 -07:00
Gerd Rausch
c9467447fc net/rds: Get rid of "wait_clean_list_grace" and add locking
Waiting for activity on the "clean_list" to quiesce is no substitute
for proper locking.

We can have multiple threads competing for "llist_del_first"
via "rds_ib_reuse_mr", and a single thread competing
for "llist_del_all" and "llist_del_first" via "rds_ib_flush_mr_pool".

Since "llist_del_first" depends on "list->first->next" not to change
in the midst of the operation, simply waiting for all current calls
to "rds_ib_reuse_mr" to quiesce across all CPUs is woefully inadequate:

By the time "wait_clean_list_grace" is done iterating over all CPUs to see
that there is no concurrent caller to "rds_ib_reuse_mr", a new caller may
have just shown up on the first CPU.

Furthermore, <linux/llist.h> explicitly calls out the need for locking:
 * Cases where locking is needed:
 * If we have multiple consumers with llist_del_first used in one consumer,
 * and llist_del_first or llist_del_all used in other consumers,
 * then a lock is needed.

Also, while at it, drop the unused "pool" parameter
from "list_to_llist_nodes".

Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 12:06:51 -07:00
Gerd Rausch
2c7da8e6b0 net/rds: Give fr_state a chance to transition to FRMR_IS_FREE
In the context of FRMR (ib_frmr.c):

Memory regions make it onto the "clean_list" via "rds_ib_flush_mr_pool",
after the memory region has been posted for invalidation via
"rds_ib_post_inv".

At that point in time, "fr_state" may still be in state "FRMR_IS_INUSE",
since the only place where "fr_state" transitions to "FRMR_IS_FREE"
is in "rds_ib_mr_cqe_handler", which is triggered by a tasklet.

So in case we notice that "fr_state != FRMR_IS_FREE" (see below),
we wait for "fr_inv_done" to trigger with a maximum of 10msec.
Then we check again, and only put the memory region onto the drop_list
(via "rds_ib_free_frmr") in case the situation remains unchanged.

This avoids the problem of memory-regions bouncing between "clean_list"
and "drop_list" before they even have a chance to be properly invalidated.

Signed-off-by: Gerd Rausch <gerd.rausch@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 12:06:51 -07:00
YueHaibing
f11fe1dae1 net/sched: Make NET_ACT_CT depends on NF_NAT
If NF_NAT is m and NET_ACT_CT is y, build fails:

net/sched/act_ct.o: In function `tcf_ct_act':
act_ct.c:(.text+0x21ac): undefined reference to `nf_ct_nat_ext_add'
act_ct.c:(.text+0x229a): undefined reference to `nf_nat_icmp_reply_translation'
act_ct.c:(.text+0x233a): undefined reference to `nf_nat_setup_info'
act_ct.c:(.text+0x234a): undefined reference to `nf_nat_alloc_null_binding'
act_ct.c:(.text+0x237c): undefined reference to `nf_nat_packet'

Reported-by: Hulk Robot <hulkci@huawei.com>
Fixes: b57dc7c13e ("net/sched: Introduce action ct")
Signed-off-by: YueHaibing <yuehaibing@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-07-17 12:02:43 -07:00