pool can be indirectly controlled by user-space, hence leading to
a potential exploitation of the Spectre variant 1 vulnerability.
This issue was detected with the help of Smatch:
drivers/atm/zatm.c:1491 zatm_ioctl() warn: potential spectre issue
'zatm_dev->pool_info' (local cap)
Fix this by sanitizing pool before using it to index
zatm_dev->pool_info
Notice that given that speculation windows are large, the policy is
to kill the speculation on the first load and not worry if it can be
completed with a dependent load/store [1].
[1] https://marc.info/?l=linux-kernel&m=152449131114778&w=2
Signed-off-by: Gustavo A. R. Silva <gustavo@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Julian Wiedmann says:
====================
s390/qeth: fixes 2018-06-29
please apply a few qeth fixes for -net and your 4.17 stable queue.
Patches 1-3 fix several issues wrt to MAC address management that were
introduced during the 4.17 cycle.
Patch 4 tackles a long-standing issue with busy multi-connection workloads
on devices in af_iucv mode.
Patch 5 makes sure to re-enable all active HW offloads, after a card was
previously set offline and thus lost its HW context.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
commit e830baa9c3 ("qeth: restore device features after recovery") and
commit ce34435641 ("s390/qeth: rely on kernel for feature recovery")
made sure that the HW functions for device features get re-programmed
after recovery.
But we missed that the same handling is also required when a card is
first set offline (destroying all HW context), and then online again.
Fix this by moving the re-enable action out of the recovery-only path.
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
If qeth_qdio_output_handler() detects that a transmit requires async
completion, it replaces the pending buffer's metadata object
(qeth_qdio_out_buffer) so that this queue buffer can be re-used while
the data is pending completion.
Later when the CQ indicates async completion of such a metadata object,
qeth_qdio_cq_handler() tries to free any data associated with this
object (since HW has now completed the transfer). By calling
qeth_clear_output_buffer(), it erronously operates on the queue buffer
that _previously_ belonged to this transfer ... but which has been
potentially re-used several times by now.
This results in double-free's of the buffer's data, and failing
transmits as the buffer descriptor is scrubbed in mid-air.
The correct way of handling this situation is to
1. scrub the queue buffer when it is prepared for re-use, and
2. later obtain the data addresses from the async-completion notifier
(ie. the AOB), instead of the queue buffer.
All this only affects qeth devices used for af_iucv HiperTransport.
Fixes: 0da9581ddb ("qeth: exploit asynchronous delivery of storage blocks")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
*ether_addr*_64bits functions have been introduced to optimize
performance critical paths, which access 6-byte ethernet address as u64
value to get "nice" assembly. A harmless hack works nicely on ethernet
addresses shoved into a structure or a larger buffer, until busted by
Kasan on smth like plain (u8 *)[6].
qeth_l2_set_mac_address calls qeth_l2_remove_mac passing
u8 old_addr[ETH_ALEN] as an argument.
Adding/removing macs for an ethernet adapter is not that performance
critical. Moreover is_multicast_ether_addr_64bits itself on s390 is not
faster than is_multicast_ether_addr:
is_multicast_ether_addr(%r2) -> %r2
llc %r2,0(%r2)
risbg %r2,%r2,63,191,0
is_multicast_ether_addr_64bits(%r2) -> %r2
llgc %r2,0(%r2)
risbg %r2,%r2,63,191,0
So, let's just use is_multicast_ether_addr instead of
is_multicast_ether_addr_64bits.
Fixes: bcacfcbc82 ("s390/qeth: fix MAC address update sequence")
Reviewed-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
When qeth_l2_set_mac_address() finds the card in a non-reachable state,
it merely copies the new MAC address into dev->dev_addr so that
__qeth_l2_set_online() can later register it with the HW.
But __qeth_l2_set_online() may very well be running concurrently, so we
can't trust the card state without appropriate locking:
If the online sequence is past the point where it registers
dev->dev_addr (but not yet in SOFTSETUP state), any address change needs
to be properly programmed into the HW. Otherwise the netdevice ends up
with a different MAC address than what's set in the HW, and inbound
traffic is not forwarded as expected.
This is most likely to occur for OSD in LPAR, where
commit 21b1702af1 ("s390/qeth: improve fallback to random MAC address")
now triggers eg. systemd to immediately change the MAC when the netdevice
is registered with a NET_ADDR_RANDOM address.
Fixes: bcacfcbc82 ("s390/qeth: fix MAC address update sequence")
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This reverts commit b7493e91c1.
On its own, querying RDEV for a MAC address works fine. But when upgrading
from a qeth that previously queried DDEV on a z/VM NIC (ie. any kernel with
commit ec61bd2fd2), the RDEV query now returns a _different_ MAC address
than the DDEV query.
If the NIC is configured with MACPROTECT, z/VM apparently requires us to
use the MAC that was initially returned (on DDEV) and registered. So after
upgrading to a kernel that uses RDEV, the SETVMAC registration cmd for the
new MAC address fails and we end up with a non-operabel interface.
To avoid regressions on upgrade, switch back to using DDEV for the MAC
address query. The downgrade path (first RDEV, later DDEV) is fine, in this
case both queries return the same MAC address.
Fixes: b7493e91c1 ("s390/qeth: use Read device to query hypervisor for MAC")
Reported-by: Michal Kubecek <mkubecek@suse.com>
Tested-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: Julian Wiedmann <jwi@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The __alx_open function can be called from ndo_open, which is called
under RTNL, or from alx_resume, which isn't. Since commit d768319cd4,
we're calling the netif_set_real_num_{tx,rx}_queues functions, which
need to be called under RTNL.
This is similar to commit 0c2cc02e57 ("igb: Move the calls to set the
Tx and Rx queues into igb_open").
Fixes: d768319cd4 ("alx: enable multiple tx queues")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fixes: fc7a6c287f ("sfc: use a semaphore to lock farch filters too")
Suggested-by: Joseph Korty <joe.korty@concurrent-rt.com>
Signed-off-by: Bert Kenward <bkenward@solarflare.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fix a bug where INT_STAT1 was written twice and
INT_STAT2 was ignored when disabling interrupts.
Fixes: b753a9faaf ("net: phy: DP83TC811: Introduce support for the DP83TC811 phy")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Dan Murphy <dmurphy@ti.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Sowmini reported that a recent commit broke prefix routes for linklocal
addresses. The newly added modify_prefix_route is attempting to add a
new prefix route when the ifp priority does not match the route metric
however the check needs to account for the default priority. In addition,
the route add fails because the route already exists, and then the delete
removes the one that exists. Flip the order to do the delete first.
Fixes: 8308f3ff17 ("net/ipv6: Add support for specifying metric of connected routes")
Reported-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Tested-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
alloc_skb_with_frags uses __GFP_NORETRY for non-sleeping allocations
which is just a noop and a little bit confusing.
__GFP_NORETRY was added by ed98df3361 ("net: use __GFP_NORETRY for
high order allocations") to prevent from the OOM killer. Yet this was
not enough because fb05e7a89f ("net: don't wait for order-3 page
allocation") didn't want an excessive reclaim for non-costly orders
so it made it completely NOWAIT while it preserved __GFP_NORETRY in
place which is now redundant.
Drop the pointless __GFP_NORETRY because this function is used as
copy&paste source for other places.
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Michal Hocko <mhocko@suse.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Madalin Bucur says:
====================
DPAA fixes
A couple of fixes for the DPAA drivers, addressing an issue
with short UDP or TCP frames (with padding) that were marked
as having a wrong checksum and dropped by the FMan hardware
and a problem with the buffer used for the scatter-gather
table being too small as per the hardware requirements.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
The DPAA HW requires that at least 256 bytes from the start of the
first scatter-gather table entry are allocated and accessible. The
hardware reads the maximum size the table can have in one access,
thus requiring that the allocation and mapping to be done for the
maximum size of 256B even if there is a smaller number of entries
in the table.
Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The FMan hardware parser needs to be configured to remove the
short frame padding from the checksum calculation, otherwise
short UDP and TCP frames are likely to be marked as having a
bad checksum.
Signed-off-by: Madalin Bucur <madalin.bucur@nxp.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Driver performs the internal reload when it receives tx-timeout event from
the OS. Internal reload might fail in some scenarios e.g., fatal HW issues.
In such cases OS still see the link, which would result in undesirable
functionalities such as re-generation of tx-timeouts.
The patch addresses this issue by indicating the link-down to OS when
tx-timeout is detected, and keeping the link in down state till the
internal reload is successful.
Please consider applying it to 'net' branch.
Signed-off-by: Sudarsana Reddy Kalluru <Sudarsana.Kalluru@cavium.com>
Signed-off-by: Ariel Elior <ariel.elior@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Static checkers complain that id_tbl->table points to longs and 4 bytes
is smaller than sizeof(long). But the since other side is dividing by
32 instead of sizeof(long), that means the current code works fine.
Anyway, it's more conventional to use the BITS_TO_LONGS() macro when
we're allocating a bitmap.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
The code assumes that there is 4 bytes in a pointer and it doesn't
allocate enough memory.
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Fast Open key could be stored in different endian based on the CPU.
Previously hosts in different endianness in a server farm using
the same key config (sysctl value) would produce different cookies.
This patch fixes it by always storing it as little endian to keep
same API for LE hosts.
Reported-by: Daniele Iamartino <danielei@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Two regression fixes, and a new syscall wire-up.
A fix for the recent conversion to time64_t in the powermac RTC routines, which
caused time to go backward.
Another fix for fallout from the split PMD PTL conversion.
Wire up the new io_pgetevents() syscall.
Thanks to:
Aneesh Kumar K.V, Arnd Bergmann, Breno Leitao, Mathieu Malaterre.
-----BEGIN PGP SIGNATURE-----
iQIwBAABCAAaBQJbNt7oExxtcGVAZWxsZXJtYW4uaWQuYXUACgkQUevqPMjhpYDJ
CA//QZuarC+Hy4j4MrQL5RDdHThGWsQwPPv087efKnMRObp5Fxs+IdZO+dzwqpFg
2nbIXfKWmkIOvHQF5bo0LK8IIpoz8rIcduobzSTttgMQJ2i4u6uShtU6oa4Hg9JR
ULxjvySi2zWYDtsVXvpxid1ox39VhoPptMizStxSnCvvQKoZksGZzAUMYQkOrIUc
RS/BbREpdcXRyYeqGiOCEKENUBWJFgxOy8WOPszAqKkdwtaGv28Ory6hOI9I5iFF
7LeFFS/EJIF/BnHAgp8X+hCt3yVVFcKH0Ipitvqp3usKb3D08u56oxTINyI2BNc0
zgAUcuuYFJ0Nl6jHOo2bzBn+Wxl1KIXbQt4lTZsFJwOJiw1+QYq5ivDpBPn2pc91
PBKZ1jIY+QwbJQPogVAKt4hSZDiss0Bpxg1gHT6WY7oNoeYOSKlKrkWn+e/GLzXb
Xid0hvytQTaKIuST3SgDaixk+cLjzxY/Pm+rRdBOot+sCfG4eIMRPL8jDQ1E3+jK
bIXnKCtwr+rz1T8OaRlEJMoDGqU42hxSyW1yHoKs36oJo1e7GQoSpffENqE2fJbH
9AqlrCV0WVBmr9PQsisf9noRdktlkPHw0wy7HZOE1PIEx2Rl+n5WD0z0YOoYAk7h
LvNNYZATZvhgw8dvvyRKNtwEST9DowXzTLvS8thLc/UsdDk=
=kHJC
-----END PGP SIGNATURE-----
Merge tag 'powerpc-4.18-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux
Pull powerpc fixes from Michael Ellerman:
"Two regression fixes, and a new syscall wire-up:
- A fix for the recent conversion to time64_t in the powermac RTC
routines, which caused time to go backward.
- Another fix for fallout from the split PMD PTL conversion.
- Wire up the new io_pgetevents() syscall.
Thanks to: Aneesh Kumar K.V, Arnd Bergmann, Breno Leitao, Mathieu
Malaterre"
* tag 'powerpc-4.18-3' of git://git.kernel.org/pub/scm/linux/kernel/git/powerpc/linux:
powerpc/powermac: Fix rtc read/write functions
powerpc/mm/32: Fix pgtable_page_dtor call
powerpc: Wire up io_pgetevents
and fixes interrupt property for DA850 SoC GPIO as defined in
device-tree.
Both of these are not introduced with v4.18 merge but have
existed prior.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJbNjeIAAoJEGFBu2jqvgRN3lgP+wbdjEoDTTss8H5Sdu1VSe8Z
dDn1H4CCOsVqDW23Azu1WsL0WufRZx/fe8DayZ4y1AuLh3I1LvoI1KSEWipMxeub
WmdYJ+jAwhXy45FqXnSvMnGJITzHruwr6qDMCysp0hR3aVXA4DhTKw95Tc2QBbZP
RvhEV/t0tFeuMT138UIPQqecoWCdFaz24MU3ZPh+0NeLtmHLwZnRFWdSmieGMlx1
gQZAiMb6mkOzZ0u3YILNCFA8gMhm3WO2eJU8bVILDbuPpARMTR71VvuOjpHgBJz7
eqamjsHB+5epnxEUXcEuf3gAuED3fTY4+cMImMdSkVhfLZFbNx0eMiXDDEnrfE7e
J869UGz7fH+2gxs1XHrlF45w5KgOPte3Am4x9plrlpvFxB874ZjCW3d8XoU6Yc2c
WFJAtUHYWpAqwDRxZYHjFmbnHftaw4DtsnGXDjjQ8uv/Trls48SmCBQnyOcxQyQa
THhJJiRG9TXoSY88N3UHSpfDby3UJE63KKvxYEqzwnrBNYsqQUcorjb24RZnuh5t
0pBYZs7BVIEyyQEQgOJ4hjGZ6XEue/nvT5WZaTP7kYeKUOg1RjRs7rCO8G5Uu5nt
q1HEBp7EXdOV89swt5t1vQQQDHyJG0YO+hzHI10XUqSP+uR3hX1AWzli1CKZ9hAB
75hIihEhWRIk5HTgVlHo
=AENA
-----END PGP SIGNATURE-----
Merge tag 'davinci-fixes-for-v4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci into fixes
This fixes polarity of SD card write-protect pin on DA850 EVM
and fixes interrupt property for DA850 SoC GPIO as defined in
device-tree.
Both of these are not introduced with v4.18 merge but have
existed prior.
* tag 'davinci-fixes-for-v4.18' of git://git.kernel.org/pub/scm/linux/kernel/git/nsekhar/linux-davinci:
ARM: dts: da850: Fix interrups property for gpio
ARM: davinci: board-da850-evm: fix WP pin polarity for MMC/SD
Signed-off-by: Olof Johansson <olof@lixom.net>
- Added power capabilities for the mmc host controller on the
hikey and hikey960 boards to avoid broken wifi.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAABAgAGBQJbNUZNAAoJEAvIV27ZiWZcRy8P/1z1LnU8CaxaxJo2yD02pq1X
EauFEMVOQP6zoV6+nrLRoMdZ8RSif4joOK5W+mv+9ZIkEeDZ7n5iL23ZNujcUYWH
a+B2zJ6jNMmpnTHADsadQBCtkX+OLlDFqCMmspV/equMgJNIEd8gPQg07jYklZZs
JG9Gb/ZvfILaX6/h3DfYiyc6+ILroxSdH1VgCfXVAA8umzDu5Sn6eakl1NbEYCTe
Wx1vfP0jbaxwPwLB0V6VVV5O/ByykVbf13iNVQMLXGn9bYQzbJ0DCzhZxlXsr2iH
Wrx1ur9oRaGCGsnPq2Koj0oy9mX1wfuDyEedN94SzQezAXUXiQh1yLr6RJitnSkP
cE/UJgNbLOccpzC9/px8ff7igAfLfFVEoFKRYLXmNu45wL7FEiPxrgS4IW4z5IcS
nXH8VBG8KYLWlurJsaHIvf4L4Iaga1Grz1fZrOISdUu9gOpSMrBrVy/u2DSJORWZ
ZG2LCfELPl62XnsE7NGxAV3198ui0SOB75/bdU2emEBwjqB+d7ljrBhPoWrFYk1u
EZ35wWxBwveGXYa7oiRZL7uo4mKHfKY1BAAPGqrK3Q91c+upMgx9+klkFZrRQt1f
FcP5sOPPLUISSvz8jG9mL7SHB7VDWSuN7iV/sWtdz6ayi4WimTX4dR5HIDKiweAF
IFKNuzJr09hEa+9kwH65
=mr1l
-----END PGP SIGNATURE-----
Merge tag 'hisi-fixes-for-4.18' of git://github.com/hisilicon/linux-hisi into fixes
ARM64: hisi fixes for 4.18
- Added power capabilities for the mmc host controller on the
hikey and hikey960 boards to avoid broken wifi.
* tag 'hisi-fixes-for-4.18' of git://github.com/hisilicon/linux-hisi:
arm64: dts: hikey960: Define wl1837 power capabilities
arm64: dts: hikey: Define wl1835 power capabilities
Signed-off-by: Olof Johansson <olof@lixom.net>
Before 8d85a7a4f2 ("PCI/IOV: Allow PF drivers to limit total_VFs to 0"),
pci_sriov_set_totalvfs(pdev, 0) meant "we can enable TotalVFs virtual
functions". After 8d85a7a4f2, it means "we can't enable *any* VFs".
That broke this scenario where nfp intends to remove any limit on the
number of VFs that can be enabled:
nfp_pci_probe
nfp_pcie_sriov_read_nfd_limit
nfp_rtsym_read_le("nfd_vf_cfg_max_vfs", &err)
pci_sriov_set_totalvfs(pf->pdev, 0) # if FW didn't expose a limit
...
# userspace writes N to sysfs "sriov_numvfs":
sriov_numvfs_store
pci_sriov_get_totalvfs # now returns 0
return -ERANGE
Prior to 8d85a7a4f2, pci_sriov_get_totalvfs() returned TotalVFs, but it
now returns 0.
Remove the pci_sriov_set_totalvfs(pdev, 0) calls so we don't limit the
number of VFs that can be enabled.
Fixes: 8d85a7a4f2 ("PCI/IOV: Allow PF drivers to limit total_VFs to 0")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
[bhelgaas: changelog]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
The TotalVFs register in the SR-IOV capability is the hardware limit on the
number of VFs. A PF driver can limit the number of VFs further with
pci_sriov_set_totalvfs(). When the PF driver is removed, reset any VF
limit that was imposed by the driver because that limit may not apply to
other drivers.
Before 8d85a7a4f2 ("PCI/IOV: Allow PF drivers to limit total_VFs to 0"),
pci_sriov_set_totalvfs(pdev, 0) meant "we can enable TotalVFs virtual
functions", and the nfp driver used that to remove the VF limit when the
driver unloads.
8d85a7a4f2 broke that because instead of removing the VF limit,
pci_sriov_set_totalvfs(pdev, 0) actually sets the limit to zero, and that
limit persists even if another driver is loaded.
We could fix that by making the nfp driver reset the limit when it unloads,
but it seems more robust to do it in the PCI core instead of relying on the
driver.
The regression scenario is:
nfp_pci_probe (driver 1)
...
nfp_pci_remove
pci_sriov_set_totalvfs(pf->pdev, 0) # limits VFs to 0
...
nfp_pci_probe (driver 2)
nfp_rtsym_read_le("nfd_vf_cfg_max_vfs")
# no VF limit from firmware
Now driver 2 is broken because the VF limit is still 0 from driver 1.
Fixes: 8d85a7a4f2 ("PCI/IOV: Allow PF drivers to limit total_VFs to 0")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
[bhelgaas: changelog, rename functions]
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Pull i2c fixes from Wolfram Sang:
- a revert because of bugzilla #200045 (and some documentation about
it)
- another regression fix in the i2c-gpio driver
- a leak fix for the i2c core
* 'i2c/for-current-fixed' of git://git.kernel.org/pub/scm/linux/kernel/git/wsa/linux:
i2c: gpio: initialize SCL to HIGH again
i2c: smbus: kill memory leak on emulated and failed DMA SMBus xfers
i2c: algos: bit: mention our experience about initial states
Revert "i2c: algo-bit: init the bus to a known state"
The call to of_get_next_child() returns a node pointer with refcount
incremented thus it must be explicitly decremented here in the error
path and after the last usage.
Fixes: d3c68e0a7e ("PCI: faraday: Add Faraday Technology FTPCI100 PCI Host Bridge driver")
Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
[lorenzo.pieralisi@arm.com: updated commit log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
The call to of_get_next_child() returns a node pointer with
refcount incremented thus it must be explicitly decremented
here after the last usage.
Fixes: ab597d35ef ("PCI: xilinx-nwl: Add support for Xilinx NWL PCIe Host Controller")
Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
[lorenzo.pieralisi@arm.com: updated commit log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
The call to of_get_next_child() returns a node pointer with refcount
incremented thus it must be explicitly decremented here after the last
usage.
Fixes: 8961def568 ("PCI: xilinx: Add Xilinx AXI PCIe Host Bridge IP driver")
Signed-off-by: Nicholas Mc Guire <hofrat@osadl.org>
[lorenzo.pieralisi@arm.com: reworked commit log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
We need to use list_for_each_entry_safe() because the
pci_ep_cfs_remove_epf_group() function frees "group".
Fixes: ef1433f717 ("PCI: endpoint: Create configfs entry for each pci_epf_device_id table entry")
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
[lorenzo.pieralisi@arm.com: updated commit log]
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Kishon Vijay Abraham I <kishon@ti.com>
PCIE_DW_PLAT_HOST does not have any platform dependency, so it should
not default to yes.
Fixes: 1d906b2207 ("PCI: dwc: Add support for EP mode")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Acked-by: Gustavo Pimentel <gustavo.pimentel@synopsys.com>
If the Gen3 PHY fails to power up, the code does not undo the
initialization caused by phy_init(). Add the missing failure
handling to the rcar_pcie_phy_init_gen3() function.
Fixes: 517ca93a71 ("PCI: rcar: Add R-Car gen3 PHY support")
Reported-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Simon Horman <horms+renesas@verge.net.au>
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Phil Edworthy <phil.edworthy@renesas.com>
Cc: Wolfram Sang <wsa@the-dreams.de>
If anything fails past phy_init_fn() and the system is a Gen3 with
a PHY, the PHY will be left on and inited. This is caused by the
phy_init_fn, which is in fact a pointer to rcar_pcie_phy_init_gen3()
function, which starts the PHY, yet has no counterpart in the failpath.
Add that counterpart.
Fixes: 517ca93a71 ("PCI: rcar: Add R-Car gen3 PHY support")
Signed-off-by: Marek Vasut <marek.vasut+renesas@gmail.com>
Signed-off-by: Lorenzo Pieralisi <lorenzo.pieralisi@arm.com>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Acked-by: Simon Horman <horms+renesas@verge.net.au>
Cc: Geert Uytterhoeven <geert+renesas@glider.be>
Cc: Phil Edworthy <phil.edworthy@renesas.com>
Cc: Wolfram Sang <wsa@the-dreams.de>
Commit f5a4670de9 ("clk: imx: Add new clo01 and clo2 controlled
by CCOSR") introduced the CLK_CLKO definitions, but didn't put them
at the end of the list, which may cause dtb breakage when running an old
dtb with a newer kernel.
In order to avoid that, simply add the new CLK_CKO clock definitions
at the end of the list.
Fixes: f5a4670de9 ("clk: imx: Add new clo01 and clo2 controlled by CCOSR")
Reported-by: Stefan Wahren <stefan.wahren@i2se.com>
Signed-off-by: Fabio Estevam <fabio.estevam@nxp.com>
Acked-by: Rob Herring <robh@kernel.org>
Reviewed-by: Stefan Agner <stefan@agner.ch>
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Daniel Borkmann says:
====================
This set contains three fixes that are mostly JIT and set_memory_*()
related. The third in the series in particular fixes the syzkaller
bugs that were still pending; aside from local reproduction & testing,
also 'syz test' wasn't able to trigger them anymore. I've tested this
series on x86_64, arm64 and s390x, and kbuild bot wasn't yelling either
for the rest. For details, please see patches as usual, thanks!
====================
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Partially undo commit 9facc33687 ("bpf: reject any prog that failed
read-only lock") since it caused a regression, that is, syzkaller was
able to manage to cause a panic via fault injection deep in set_memory_ro()
path by letting an allocation fail: In x86's __change_page_attr_set_clr()
it was able to change the attributes of the primary mapping but not in
the alias mapping via cpa_process_alias(), so the second, inner call
to the __change_page_attr() via __change_page_attr_set_clr() had to split
a larger page and failed in the alloc_pages() with the artifically triggered
allocation error which is then propagated down to the call site.
Thus, for set_memory_ro() this means that it returned with an error, but
from debugging a probe_kernel_write() revealed EFAULT on that memory since
the primary mapping succeeded to get changed. Therefore the subsequent
hdr->locked = 0 reset triggered the panic as it was performed on read-only
memory, so call-site assumptions were infact wrong to assume that it would
either succeed /or/ not succeed at all since there's no such rollback in
set_memory_*() calls from partial change of mappings, in other words, we're
left in a state that is "half done". A later undo via set_memory_rw() is
succeeding though due to matching permissions on that part (aka due to the
try_preserve_large_page() succeeding). While reproducing locally with
explicitly triggering this error, the initial splitting only happens on
rare occasions and in real world it would additionally need oom conditions,
but that said, it could partially fail. Therefore, it is definitely wrong
to bail out on set_memory_ro() error and reject the program with the
set_memory_*() semantics we have today. Shouldn't have gone the extra mile
since no other user in tree today infact checks for any set_memory_*()
errors, e.g. neither module_enable_ro() / module_disable_ro() for module
RO/NX handling which is mostly default these days nor kprobes core with
alloc_insn_page() / free_insn_page() as examples that could be invoked long
after bootup and original 314beb9bca ("x86: bpf_jit_comp: secure bpf jit
against spraying attacks") did neither when it got first introduced to BPF
so "improving" with bailing out was clearly not right when set_memory_*()
cannot handle it today.
Kees suggested that if set_memory_*() can fail, we should annotate it with
__must_check, and all callers need to deal with it gracefully given those
set_memory_*() markings aren't "advisory", but they're expected to actually
do what they say. This might be an option worth to move forward in future
but would at the same time require that set_memory_*() calls from supporting
archs are guaranteed to be "atomic" in that they provide rollback if part
of the range fails, once that happened, the transition from RW -> RO could
be made more robust that way, while subsequent RO -> RW transition /must/
continue guaranteeing to always succeed the undo part.
Reported-by: syzbot+a4eb8c7766952a1ca872@syzkaller.appspotmail.com
Reported-by: syzbot+d866d1925855328eac3b@syzkaller.appspotmail.com
Fixes: 9facc33687 ("bpf: reject any prog that failed read-only lock")
Cc: Laura Abbott <labbott@redhat.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
If we would ever fail in the bpf_jit_prog() pass that writes the
actual insns to the image after we got header via bpf_jit_binary_alloc()
then we also need to make sure to free it through bpf_jit_binary_free()
again when bailing out. Given we had prior bpf_jit_prog() passes to
initially probe for clobbered registers, program size and to fill in
addrs arrray for jump targets, this is more of a theoretical one,
but at least make sure this doesn't break with future changes.
Fixes: 0546231057 ("s390/bpf: Add s390x eBPF JIT compiler backend")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Martin Schwidefsky <schwidefsky@de.ibm.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Any eBPF JIT that where its underlying arch supports ARCH_HAS_SET_MEMORY
would need to use bpf_jit_binary_{un,}lock_ro() pair instead of the
set_memory_{ro,rw}() pair directly as otherwise changes to the former
might break. arm32's eBPF conversion missed to change it, so fix this
up here.
Fixes: 39c13c204b ("arm: eBPF JIT compiler")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
As suggested by Nick Piggin it seems we can drop the -ffunction-sections
compile flag, now that the kernel uses thin archives. Testing with 32-
and 64-bit kernel showed no difference in kernel size.
Suggested-by: Nicholas Piggin <npiggin@gmail.com>
Signed-off-by: Helge Deller <deller@gmx.de>
This was introduced more than a decade ago when sg chaining was
added, but we never really caught anything with it. The scatterlist
entry size can be critical, since drivers allocate it, so remove
the magic member. Recently it's been triggering allocation stalls
and failures in NVMe.
Tested-by: Jordan Glover <Golden_Miller83@protonmail.ch>
Acked-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
- Fix the initialization time error handling in the recently added
Kryo cpufreq driver (Dan Carpenter).
- Fix up the recently added coverage of performance states in the
generic power domains (genpd) framework (Viresh Kumar).
- Add missing documentation of the new hwp_dynamic_boost sysfs knob
in the intel_pstate driver (Rafael Wysocki).
- Fix incorrect sysfs path in the intel_pstate driver documentation
(Rafael Wysocki).
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAABCAAGBQJbNefKAAoJEILEb/54YlRxOgoQALdhhtDm7fDHEh+TJhN4Y8X8
9PfvRwLQEypyQi2uBl1dQHXjCjt6IYhBzHXN8nMgxPBHQDsMqMmk+lQa5KB2RazM
xXdMTb6nO4Rd333rsm6hSN+hRFGIOnzFYLmEMMV7nYNIGK6y3Xfo+XFlIBpoLE/h
mHh4A75mFDIf5bABx+mYVhCfQ4ADwDXqdadkdYKVN4RwmnbLw80dV1FrfBGF+JnS
9oUPkdueG13q4QA3DveAxtTrO3X7DnlMXbOYDrNoQia2rHKtxzy3ubkTAsbvWn91
AuEWYWGTbutdBY+ga7smLBGzXUA7iIjNQfvMNZiqB0CGSpD0TzdVXJ9/+h0w+ru7
Dkw/3ytV7k8LLFO3wZvIc6DQ7Hsq2PxL/Rbm0WNvfv6JhdVmiw4tuP2F8TV9uv28
ej1w2n1NGUM0Yfi7wL7AyICZMOiwzxZgBpY63AGpk7mNvhZ7oqHzC/ENvJ3l6SLb
lCviClAeBM+c/VOEXjleMtmf7VSRfvRhrKAl0dL7xLqbW2BrTw3vCmpuYKqMIlQB
5rpCslgiOqufBvHHdca7UU+9iwuaI66nD6o4KV6VnB1a01THs7D0kgvV0Wj+Xocb
xdKQ7TbzI6VdYZJ4pPM2ub1rb+fWnQ7d/ASNy/O3C3lV3FYfxPw82idBdfdRq3sa
0kIEAQLHJIC1TrrZzNsg
=842O
-----END PGP SIGNATURE-----
Merge tag 'pm-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm
Pull power management fixes from Rafael Wysocki:
"These fix up recently added features (the Kryo cpufreq driver and
performance states coverage in the generic power domains framework),
add missing documentation for a recently added sysfs knob in the
intel_pstate driver and fix an error in its documentation.
Specifics:
- Fix the initialization time error handling in the recently added
Kryo cpufreq driver (Dan Carpenter).
- Fix up the recently added coverage of performance states in the
generic power domains (genpd) framework (Viresh Kumar).
- Add missing documentation of the new hwp_dynamic_boost sysfs knob
in the intel_pstate driver (Rafael Wysocki).
- Fix incorrect sysfs path in the intel_pstate driver documentation
(Rafael Wysocki)"
* tag 'pm-4.18-rc3' of git://git.kernel.org/pub/scm/linux/kernel/git/rafael/linux-pm:
Documentation: intel_pstate: Describe hwp_dynamic_boost sysfs knob
Documentation: admin-guide: intel_pstate: Fix sysfs path
PM / Domains: Rename opp_node to np
PM / Domains: Fix return value of of_genpd_opp_to_performance_state()
cpufreq: qcom-kryo: Fix error handling in probe()
-----BEGIN PGP SIGNATURE-----
iQIcBAABAgAGBQJbNa7EAAoJEAx081l5xIa+HssP/iiJ0DnEojSKANbHwk9ZHC9u
TbRReQ4EwcrVAvUazJOit+MOb/S1aHluWG48hqqcyMAktB0Hx+3E1Dglnm72n/ND
wdtYpuCvtIbeutLVQbUzYgSR7DC8G4uFVZSgCiNBh+Xw8a2staKi9cI4H9CmZJBb
0B7dSoGj9Z4HCMaxJ28ORwn2fsD/Y6465PHqKq1Zu5P3diXHPmc91YIlqvDsaPEl
UzY4BGMnMIeLKamSN3wmhOH7SGwIUjgWPwR/56pLXq55Wy84UqKfQHvjotg6czpl
jonUtDdbOMfnYDywc+5hmiUFXYRkn8rAatIjOa0U4/fBEI5+u8GHgJCAve0tfA21
sIRBSnacA5Y2/MOEna5iJVs43AuVSJUGpTzzlZwvvbqyqs84kyyqe9GHpaelXY+b
8xDL8IuWvR8s+WbtmuCLFefcFP+j9LoelPPY3v73uploycP/dzpXV+CoUB049Ext
dTT6Kf+qTo4/196TcMAGCLyT4UGYOs1TCQ71+NCvraECs3PyT6WjJ7UTbIwSZEvT
oEXbQIHBQewonoghVcXLARXsTAqXHXqIOKuBmInETeqn5Ib5+ovfEmcYwOjII29c
nipTLprSdHgNrSvhk4zbqohavaE31paZO85D5ayHjrvGudOF8A12lBpyPX1JzrbX
aYhmdk10Dlk6oHxdsVb1
=Em+E
-----END PGP SIGNATURE-----
Merge tag 'drm-fixes-2018-06-29' of git://anongit.freedesktop.org/drm/drm
Pull drm fixes from Dave Airlie:
"Nothing too major this round:
- small set of mali-dp fixes
- single meson fix
- a bunch of amdgpu fixes (one makes non-4k page sizes not be a bad
experience)"
* tag 'drm-fixes-2018-06-29' of git://anongit.freedesktop.org/drm/drm:
drm/amd/display: release spinlock before committing updates to stream
drm/amdgpu:Support new VCN FW version naming convention
drm/amdgpu: fix UBSAN: Undefined behaviour for amdgpu_fence.c
drm/meson: Fix an un-handled error path in 'meson_drv_bind_master()'
drm/amdgpu: GPU vs CPU page size fixes in amdgpu_vm_bo_split_mapping
drm/amdgpu: Count disabled CRTCs in commit tail earlier
drm/mali-dp: Rectify the width and height passed to rotmem_required()
drm/arm/malidp: Preserve LAYER_FORMAT contents when setting format
drm: mali-dp: Enable Global SE interrupts mask for DP500
drm/arm/malidp: Ensure that the crtcs are shutdown before removing any encoder/connector
bio_clone_bioset(). Also fixes splitting bio that has integrity
payload.
- Three fixes related to properly validating DAX capabilities of a
stacked DM device that will advertise DAX support.
- Update DM writecache target to use 2-factor allocator arguments. Kees
says this is the last related change for 4.18.
- Fix DM zoned target to use GFP_NOIO to avoid triggering reclaim during
IO submission (caught by lockdep).
- Fix DM thinp to gracefully recover from running out of data space
while a previous async discard completes (whereby freeing space).
- Fix DM thinp's metadata transaction commit to avoid needless work.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQEcBAABAgAGBQJbNURXAAoJEMUj8QotnQNaPVYIAISzFYsSLEEYiGF5CDn2A07/
vd4TBIk7sAVQ/zouNGSNUHepoPJZR8E75SLO4lqZ214fyeYl9/48Za3dlyXeHldR
ziCCYFyHKvKgfZpBpbO43HbZbWvcVplIAt+GhhXepHy9jJC7+XQzMOqGwcvK2pW4
qCOqLTLaTGdzx5UaoLCG2Yg3E1TrYH0kZei/WLRBGW12WAsCzqNqUsZ5TgeilxCt
r/5ajPsXkcNjV9BrUNwY43J+WX8eKIuFKRSbnVdjHBEoVCeCwnP1R8WJnMm5/BTh
KZpyYTlFsBZ+Gvzojt2XI80ttviXtSUoJJNZgze9JT2xR4jMfn4yFQr/odxJucE=
=ZGTy
-----END PGP SIGNATURE-----
Merge tag 'for-4.18/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm
Pull device mapper fixes from Mike Snitzer:
- Fix dm core to use more efficient bio_split() instead of
bio_clone_bioset(). Also fixes splitting bio that has integrity
payload.
- Three fixes related to properly validating DAX capabilities of a
stacked DM device that will advertise DAX support.
- Update DM writecache target to use 2-factor allocator arguments. Kees
says this is the last related change for 4.18.
- Fix DM zoned target to use GFP_NOIO to avoid triggering reclaim
during IO submission (caught by lockdep).
- Fix DM thinp to gracefully recover from running out of data space
while a previous async discard completes (whereby freeing space).
- Fix DM thinp's metadata transaction commit to avoid needless work.
* tag 'for-4.18/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
dm: prevent DAX mounts if not supported
dax: check for QUEUE_FLAG_DAX in bdev_dax_supported()
pmem: only set QUEUE_FLAG_DAX for fsdax mode
dm thin: handle running out of data space vs concurrent discard
dm raid: don't use 'const' in function return
dm zoned: avoid triggering reclaim from inside dmz_map()
dm writecache: use 2-factor allocator arguments
dm thin metadata: remove needless work from __commit_transaction
dm: use bio_split() when splitting out the already processed bio
Pull single NVMe fix from Christoph.
* 'nvme-4.18' of git://git.infradead.org/nvme:
nvme-rdma: fix possible double free of controller async event buffer
Fix the test that verifies whether bio_op(bio) represents a discard
or write zeroes operation. Compile-tested only.
Cc: Philipp Reisner <philipp.reisner@linbit.com>
Cc: Lars Ellenberg <lars.ellenberg@linbit.com>
Fixes: 7435e9018f ("drbd: zero-out partial unaligned discards on local backend")
Signed-off-by: Bart Van Assche <bart.vanassche@wdc.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Some devices have different queue limits depending on the type of IO. A
classic case is SATA NCQ, where some commands can queue, but others
cannot. If we have NCQ commands inflight and encounter a non-queueable
command, the driver returns busy. Currently we attempt to dispatch more
from the scheduler, if we were able to queue some commands. But for the
case where we ended up stopping due to BUSY, we should not attempt to
retrieve more from the scheduler. If we do, we can get into a situation
where we attempt to queue a non-queueable command, get BUSY, then
successfully retrieve more commands from that scheduler and queue those.
This can repeat forever, starving the non-queuable command indefinitely.
Fix this by NOT attempting to pull more commands from the scheduler, if
we get a BUSY return. This should also be more optimal in terms of
letting requests stay in the scheduler for as long as possible, if we
get a BUSY due to the regular out-of-tags condition.
Reviewed-by: Omar Sandoval <osandov@fb.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
