openwrt/staging/blogic.git
7 years agonet: hns3: add support for set_link_ksettings
Fuyun Liang [Fri, 3 Nov 2017 04:18:28 +0000 (12:18 +0800)]
net: hns3: add support for set_link_ksettings

This patch adds set_link_ksettings support for ethtool cmd.

Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: fix a bug in hns3_driv_to_eth_caps
Fuyun Liang [Fri, 3 Nov 2017 04:18:27 +0000 (12:18 +0800)]
net: hns3: fix a bug in hns3_driv_to_eth_caps

The value of link_modes.advertising and the value of link_modes.supported
is initialized to zero every time in for loop in hns3_driv_to_eth_caps().
But we just want to set specified bit for them. Initialization is
unnecessary. This patch fixes it.

Fixes: 496d03e (net: hns3: Add Ethtool support to HNS3 driver)
Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: fix for getting advertised_caps in hns3_get_link_ksettings
Fuyun Liang [Fri, 3 Nov 2017 04:18:26 +0000 (12:18 +0800)]
net: hns3: fix for getting advertised_caps in hns3_get_link_ksettings

This patch fixes a bug for ethtool's get_link_ksettings().
The advertising for autoneg is always added to advertised_caps
whether autoneg is enable or disable. This patch fixes it.

Fixes: 496d03e (net: hns3: Add Ethtool support to HNS3 driver)
Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: fix for getting autoneg in hns3_get_link_ksettings
Fuyun Liang [Fri, 3 Nov 2017 04:18:25 +0000 (12:18 +0800)]
net: hns3: fix for getting autoneg in hns3_get_link_ksettings

This patch fixes a bug for ethtool's get_link_ksettings().
When phy exists, we should get autoneg from phy rather than from mac.
Because the value of mac.autoneg is invalid when phy exists.

Fixes: 496d03e (net: hns3: Add Ethtool support to HNS3 driver)
Signed-off-by: Fuyun Liang <liangfuyun1@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'bnxt_en-next'
David S. Miller [Fri, 3 Nov 2017 12:33:31 +0000 (21:33 +0900)]
Merge branch 'bnxt_en-next'

Michael Chan says:

====================
bnxt_en: Fix IRQ coalescing regressions.

There was a typo and missing guard-rail against illegal values in the
recent code clean up.  All reported by Andy Gospodarek.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobnxt_en: Fix IRQ coalescing regression.
Michael Chan [Fri, 3 Nov 2017 07:32:39 +0000 (03:32 -0400)]
bnxt_en: Fix IRQ coalescing regression.

Recent IRQ coalescing clean up has removed a guard-rail for the max DMA
buffer coalescing value.  This is a 6-bit value and must not be 0.  We
already have a check for 0 but 64 is equivalent to 0 and will cause
non-stop interrupts.  Fix it by adding the proper check.

Fixes: f8503969d27b ("bnxt_en: Refactor and simplify coalescing code.")
Reported-by: Andy Gospodarek <gospo@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobnxt_en: fix typo in bnxt_set_coalesce
Andy Gospodarek [Fri, 3 Nov 2017 07:32:38 +0000 (03:32 -0400)]
bnxt_en: fix typo in bnxt_set_coalesce

Recent refactoring of coalesce settings contained a typo that prevents
receive settings from being set properly.

Fixes: 18775aa8a91f ("bnxt_en: Reorganize the coalescing parameters.")
Signed-off-by: Andy Gospodarek <gospo@broadcom.com>
Signed-off-by: Michael Chan <michael.chan@broadcom.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet_sched: check NULL in tcf_block_put()
Cong Wang [Fri, 3 Nov 2017 00:32:08 +0000 (17:32 -0700)]
net_sched: check NULL in tcf_block_put()

Callers of tcf_block_put() could pass NULL so
we can't use block->q before checking if block is
NULL or not.

tcf_block_put_ext() callers are fine, it is always
non-NULL.

Fixes: 8c4083b30e56 ("net: sched: add block bind/unbind notif. and extended block_get/put")
Reported-by: Dave Taht <dave.taht@gmail.com>
Cc: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agotcp: tcp_fragment() should not assume rtx skbs
Eric Dumazet [Fri, 3 Nov 2017 01:10:03 +0000 (18:10 -0700)]
tcp: tcp_fragment() should not assume rtx skbs

While stress testing MTU probing, we had crashes in list_del() that we root-caused
to the fact that tcp_fragment() is unconditionally inserting the freshly allocated
skb into tsorted_sent_queue list.

But this list is supposed to contain skbs that were sent.
This was mostly harmless until MTU probing was enabled.

Fortunately we can use the tcp_queue enum added later (but in same linux version)
for rtx-rb-tree to fix the bug.

Fixes: e2080072ed2d ("tcp: new list for sent but unacked skbs for RACK recovery")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Neal Cardwell <ncardwell@google.com>
Cc: Soheil Hassas Yeganeh <soheil@google.com>
Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Priyaranjan Jha <priyarjha@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Acked-by: Soheil Hassas Yeganeh <soheil@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agomISDN: hfcpci: Convert timers to use timer_setup()
Kees Cook [Thu, 2 Nov 2017 23:18:07 +0000 (16:18 -0700)]
mISDN: hfcpci: Convert timers to use timer_setup()

In preparation for unconditionally passing the struct timer_list pointer to
all timer callbacks, switch to using the new timer_setup() and from_timer()
to pass the timer pointer explicitly.

Cc: Karsten Keil <isdn@linux-pingi.de>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Arvind Yadav <arvind.yadav.cs@gmail.com>
Cc: Geliang Tang <geliangtang@gmail.com>
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoISDN: eicon: message: mark expected switch fall-throughs
Gustavo A. R. Silva [Thu, 2 Nov 2017 21:14:14 +0000 (16:14 -0500)]
ISDN: eicon: message: mark expected switch fall-throughs

In preparation to enabling -Wimplicit-fallthrough, mark switch cases
where we are expecting to fall through.

Addresses-Coverity-ID: 114780
Addresses-Coverity-ID: 114781
Addresses-Coverity-ID: 114782
Addresses-Coverity-ID: 114783
Addresses-Coverity-ID: 114784
Addresses-Coverity-ID: 114785
Addresses-Coverity-ID: 114786
Addresses-Coverity-ID: 114787
Addresses-Coverity-ID: 114788
Addresses-Coverity-ID: 114789
Addresses-Coverity-ID: 114790
Addresses-Coverity-ID: 114791
Addresses-Coverity-ID: 114792
Addresses-Coverity-ID: 114793
Addresses-Coverity-ID: 114794
Addresses-Coverity-ID: 114795
Addresses-Coverity-ID: 200521
Signed-off-by: Gustavo A. R. Silva <garsilva@embeddedor.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: sched: cls_bpf: use bitwise & rather than logical && on gen_flags
Colin Ian King [Thu, 2 Nov 2017 20:04:12 +0000 (20:04 +0000)]
net: sched: cls_bpf: use bitwise & rather than logical && on gen_flags

Currently gen_flags is being operated on by a logical && operator rather
than a bitwise & operator. This looks incorrect as these should be bit
flag operations. Fix this.

Detected by CoverityScan, CID#1460305 ("Logical vs. bitwise operator")

Fixes: 3f7889c4c79b ("net: sched: cls_bpf: call block callbacks for offload)
Signed-off-by: Colin Ian King <colin.king@canonical.com>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agotcp: fix a lockdep issue in tcp_fastopen_reset_cipher()
Eric Dumazet [Thu, 2 Nov 2017 18:53:04 +0000 (11:53 -0700)]
tcp: fix a lockdep issue in tcp_fastopen_reset_cipher()

icsk_accept_queue.fastopenq.lock is only fully initialized at listen()
time.

LOCKDEP is not happy if we attempt a spin_lock_bh() on it, because
of missing annotation. (Although kernel runs just fine)

Lets use net->ipv4.tcp_fastopen_ctx_lock to protect ctx access.

Fixes: 1fba70e5b6be ("tcp: socket option to set TCP fast open key")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Yuchung Cheng <ycheng@google.com>
Cc: Christoph Paasch <cpaasch@apple.com>
Reviewed-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: fix verifier NULL pointer dereference
Craig Gallek [Thu, 2 Nov 2017 15:18:01 +0000 (11:18 -0400)]
bpf: fix verifier NULL pointer dereference

do_check() can fail early without allocating env->cur_state under
memory pressure.  Syzkaller found the stack below on the linux-next
tree because of this.

  kasan: CONFIG_KASAN_INLINE enabled
  kasan: GPF could be caused by NULL-ptr deref or user memory access
  general protection fault: 0000 [#1] SMP KASAN
  Dumping ftrace buffer:
     (ftrace buffer empty)
  Modules linked in:
  CPU: 1 PID: 27062 Comm: syz-executor5 Not tainted 4.14.0-rc7+ #106
  Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
  task: ffff8801c2c74700 task.stack: ffff8801c3e28000
  RIP: 0010:free_verifier_state kernel/bpf/verifier.c:347 [inline]
  RIP: 0010:bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533
  RSP: 0018:ffff8801c3e2f5c8 EFLAGS: 00010202
  RAX: dffffc0000000000 RBX: 00000000fffffff4 RCX: 0000000000000000
  RDX: 0000000000000070 RSI: ffffffff817d5aa9 RDI: 0000000000000380
  RBP: ffff8801c3e2f668 R08: 0000000000000000 R09: 1ffff100387c5d9f
  R10: 00000000218c4e80 R11: ffffffff85b34380 R12: ffff8801c4dc6a28
  R13: 0000000000000000 R14: ffff8801c4dc6a00 R15: ffff8801c4dc6a20
  FS:  00007f311079b700(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 00000000004d4a24 CR3: 00000001cbcd0000 CR4: 00000000001406e0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   bpf_prog_load+0xcbb/0x18e0 kernel/bpf/syscall.c:1166
   SYSC_bpf kernel/bpf/syscall.c:1690 [inline]
   SyS_bpf+0xae9/0x4620 kernel/bpf/syscall.c:1652
   entry_SYSCALL_64_fastpath+0x1f/0xbe
  RIP: 0033:0x452869
  RSP: 002b:00007f311079abe8 EFLAGS: 00000212 ORIG_RAX: 0000000000000141
  RAX: ffffffffffffffda RBX: 0000000000758020 RCX: 0000000000452869
  RDX: 0000000000000030 RSI: 0000000020168000 RDI: 0000000000000005
  RBP: 00007f311079aa20 R08: 0000000000000000 R09: 0000000000000000
  R10: 0000000000000000 R11: 0000000000000212 R12: 00000000004b7550
  R13: 00007f311079ab58 R14: 00000000004b7560 R15: 0000000000000000
  Code: df 48 c1 ea 03 80 3c 02 00 0f 85 e6 0b 00 00 4d 8b 6e 20 48 b8 00 00 00 00 00 fc ff df 49 8d bd 80 03 00 00 48 89 fa 48 c1 ea 03 <80> 3c 02 00 0f 85 b6 0b 00 00 49 8b bd 80 03 00 00 e8 d6 0c 26
  RIP: free_verifier_state kernel/bpf/verifier.c:347 [inline] RSP: ffff8801c3e2f5c8
  RIP: bpf_check+0xcf4/0x19c0 kernel/bpf/verifier.c:4533 RSP: ffff8801c3e2f5c8
  ---[ end trace c8d37f339dc64004 ]---

Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
Fixes: 1969db47f8d0 ("bpf: fix verifier memory leaks")
Signed-off-by: Craig Gallek <kraig@google.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agotipc: eliminate unnecessary probing
Jon Maloy [Thu, 2 Nov 2017 14:44:15 +0000 (15:44 +0100)]
tipc: eliminate unnecessary probing

The neighbor monitor employs a threshold, default set to 32 peer nodes,
where it activates the "Overlapping Neighbor Monitoring" algorithm.
Below that threshold, monitoring is full-mesh, and no "domain records"
are passed between the nodes.

Because of this, a node never received a peer's ack that it has received
the most recent update of the own domain. Hence, the field 'acked_gen'
in struct tipc_monitor_state remains permamently at zero, whereas the
own domain generation is incremented for each added or removed peer.

This has the effect that the function tipc_mon_get_state() always sets
the field 'probing' in struct tipc_monitor_state true, again leading the
tipc_link_timeout() of the link in question to always send out a probe,
even when link->silent_intv_count is zero.

This is functionally harmless, but leads to some unncessary probing,
which can easily be eliminated by setting the 'probing' field of the
said struct correctly in such cases.

At the same time, we explictly invalidate the sent domain records when
the algorithm is not activated. This will eliminate any risk that an
invalid domain record might be inadverently accepted by the peer.

Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: sched: move block offload unbind after all chains are flushed
Jiri Pirko [Thu, 2 Nov 2017 14:07:01 +0000 (15:07 +0100)]
net: sched: move block offload unbind after all chains are flushed

Currently, the offload unbind is done before the chains are flushed.
That causes driver to unregister block callback before it can get all
the callback calls done during flush, leaving the offloaded tps inside
the HW. So fix the order to prevent this situation and restore the
original behaviour.

Reported-by: Alexander Duyck <alexander.duyck@gmail.com>
Reported-by: Jakub Kicinski <kubakici@wp.pl>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agocxgb4vf: define get_fecparam ethtool callback
Ganesh Goudar [Thu, 2 Nov 2017 13:58:20 +0000 (19:28 +0530)]
cxgb4vf: define get_fecparam ethtool callback

Add support to new ethtool operation get_fecparam to
fetch FEC parameters.

Original Work by: Casey Leedom <leedom@chelsio.com>
Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agocxgb4: add new T6 pci device id's
Ganesh Goudar [Thu, 2 Nov 2017 13:56:58 +0000 (19:26 +0530)]
cxgb4: add new T6 pci device id's

Add 0x6086 T6 device id.

Signed-off-by: Ganesh Goudar <ganeshgr@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet/ncsi: Make local function ncsi_get_filter() static
Wei Yongjun [Thu, 2 Nov 2017 11:15:28 +0000 (11:15 +0000)]
net/ncsi: Make local function ncsi_get_filter() static

Fixes the following sparse warnings:

net/ncsi/ncsi-manage.c:41:5: warning:
 symbol 'ncsi_get_filter' was not declared. Should it be static?

Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: bridge: Convert timers to use timer_setup()
Allen Pais [Fri, 3 Nov 2017 06:21:11 +0000 (11:51 +0530)]
net: bridge: Convert timers to use timer_setup()

switch to using the new timer_setup() and from_timer() api's.

Signed-off-by: Allen Pais <allen.pais@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: bridge: Convert timers to use timer_setup()
Allen Pais [Fri, 3 Nov 2017 06:21:10 +0000 (11:51 +0530)]
net: bridge: Convert timers to use timer_setup()

switch to using the new timer_setup() and from_timer() api's.

Signed-off-by: Allen Pais <allen.pais@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'mlxsw-Align-multipath-hash-parameters-with-kernels'
David S. Miller [Fri, 3 Nov 2017 06:40:42 +0000 (15:40 +0900)]
Merge branch 'mlxsw-Align-multipath-hash-parameters-with-kernels'

Jiri Pirko says:

====================
mlxsw: Align multipath hash parameters with kernel's

Ido says:

This set makes sure the device is using the same parameters as the
kernel when it computes the multipath hash during IP forwarding.

First patch adds a new netevent to let interested listeners know that
the multipath hash policy has changed.

Next two patches do small and non-functional changes in the mlxsw
driver.

Last patches configure the multipath hash policy upon driver
initialization and as a response to netevents.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agomlxsw: spectrum_router: Update multipath hash parameters upon netevents
Ido Schimmel [Thu, 2 Nov 2017 16:14:10 +0000 (17:14 +0100)]
mlxsw: spectrum_router: Update multipath hash parameters upon netevents

Make sure the device and the kernel are performing the multipath hash
according to the same parameters by updating the device whenever the
relevant netevent is generated.

Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agomlxsw: spectrum_router: Align multipath hash parameters with kernel's
Ido Schimmel [Thu, 2 Nov 2017 16:14:09 +0000 (17:14 +0100)]
mlxsw: spectrum_router: Align multipath hash parameters with kernel's

Up until now we used the hardware's defaults for multipath hash
computation. This patch aligns the hardware's multipath parameters with
the kernel's.

For IPv4 packets, the parameters are determined according to the
'fib_multipath_hash_policy' sysctl during module initialization. In case
L3-mode is requested, only the source and destination IP addresses are
used. There is no special handling of ICMP error packets.

In case L4-mode is requested, a 5-tuple is used: source and destination
IP addresses, source and destination ports and IP protocol. Note that
the layer 4 fields are not considered for fragmented packets.

For IPv6 packets, the source and destination IP addresses are used, as
well as the flow label and the next header fields.

Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agomlxsw: reg: Add Router ECMP Configuration Register Version 2
Ido Schimmel [Thu, 2 Nov 2017 16:14:08 +0000 (17:14 +0100)]
mlxsw: reg: Add Router ECMP Configuration Register Version 2

The RECRv2 register is used for setting up the router's ECMP hash
configuration.

Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agomlxsw: spectrum_router: Properly name netevent work struct
Ido Schimmel [Thu, 2 Nov 2017 16:14:07 +0000 (17:14 +0100)]
mlxsw: spectrum_router: Properly name netevent work struct

The struct containing the work item queued from the netevent handler is
named after the only event it is currently used for, which is neighbour
updates.

Use a more appropriate name for the struct, as we are going to use it
for more events.

Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agomlxsw: spectrum_router: Embed netevent notifier block in router struct
Ido Schimmel [Thu, 2 Nov 2017 16:14:06 +0000 (17:14 +0100)]
mlxsw: spectrum_router: Embed netevent notifier block in router struct

We are going to need to respond to netevents notifying us about
multipath hash updates by configuring the device's hash parameters.

Embed the netevent notifier in the router struct so that we could
retrieve it upon notifications and use it to configure the device.

Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoipv4: Send a netevent whenever multipath hash policy is changed
Ido Schimmel [Thu, 2 Nov 2017 16:14:05 +0000 (17:14 +0100)]
ipv4: Send a netevent whenever multipath hash policy is changed

Devices performing IPv4 forwarding need to update their multipath hash
policy whenever it is changed.

Inform these devices by generating a netevent.

Signed-off-by: Ido Schimmel <idosch@mellanox.com>
Reviewed-by: Petr Machata <petrm@mellanox.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Acked-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agocxgb4: fix error return code in cxgb4_set_hash_filter()
Wei Yongjun [Thu, 2 Nov 2017 11:15:07 +0000 (11:15 +0000)]
cxgb4: fix error return code in cxgb4_set_hash_filter()

Fix to return a negative error code from thecxgb4_alloc_atid()
error handling case instead of 0.

Fixes: 12b276fbf6e0 ("cxgb4: add support to create hash filters")
Signed-off-by: Wei Yongjun <weiyongjun1@huawei.com>
Acked-By: Kumar Sanghvi <kumaras@chelsio.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: fix out-of-bounds access warning in bpf_check
Arnd Bergmann [Thu, 2 Nov 2017 11:05:52 +0000 (12:05 +0100)]
bpf: fix out-of-bounds access warning in bpf_check

The bpf_verifer_ops array is generated dynamically and may be
empty depending on configuration, which then causes an out
of bounds access:

kernel/bpf/verifier.c: In function 'bpf_check':
kernel/bpf/verifier.c:4320:29: error: array subscript is above array bounds [-Werror=array-bounds]

This adds a check to the start of the function as a workaround.
I would assume that the function is never called in that configuration,
so the warning is probably harmless.

Fixes: 00176a34d9e2 ("bpf: remove the verifier ops from program structure")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: fix link error without CONFIG_NET
Arnd Bergmann [Thu, 2 Nov 2017 11:05:51 +0000 (12:05 +0100)]
bpf: fix link error without CONFIG_NET

I ran into this link error with the latest net-next plus linux-next
trees when networking is disabled:

kernel/bpf/verifier.o:(.rodata+0x2958): undefined reference to `tc_cls_act_analyzer_ops'
kernel/bpf/verifier.o:(.rodata+0x2970): undefined reference to `xdp_analyzer_ops'

It seems that the code was written to deal with varying contents of
the arrray, but the actual #ifdef was missing. Both tc_cls_act_analyzer_ops
and xdp_analyzer_ops are defined in the core networking code, so adding
a check for CONFIG_NET seems appropriate here, and I've verified this with
many randconfig builds

Fixes: 4f9218aaf8a4 ("bpf: move knowledge about post-translation offsets out of verifier")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: Define eth_stp_addr in linux/etherdevice.h
Egil Hjelmeland [Thu, 2 Nov 2017 09:36:48 +0000 (10:36 +0100)]
net: Define eth_stp_addr in linux/etherdevice.h

The lan9303 driver defines eth_stp_addr as a synonym to
eth_reserved_addr_base to get the STP ethernet address 01:80:c2:00:00:00.

eth_reserved_addr_base is also used to define the start of Bridge Reserved
ethernet address range, which happen to be the STP address.

br_dev_setup refer to eth_reserved_addr_base as a definition of STP
address.

Clean up by:
 - Move the eth_stp_addr definition to linux/etherdevice.h
 - Use eth_stp_addr instead of eth_reserved_addr_base in br_dev_setup.

Signed-off-by: Egil Hjelmeland <privat@egil-hjelmeland.no>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoliquidio: bump up driver version to 1.7.0 to match newer NIC firmware
Felix Manlunas [Thu, 2 Nov 2017 01:14:49 +0000 (18:14 -0700)]
liquidio: bump up driver version to 1.7.0 to match newer NIC firmware

Signed-off-by: Felix Manlunas <felix.manlunas@cavium.com>
Acked-by: Derek Chickles <derek.chickles@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agotcp: add tracepoint trace_tcp_retransmit_synack()
Song Liu [Mon, 30 Oct 2017 21:41:35 +0000 (14:41 -0700)]
tcp: add tracepoint trace_tcp_retransmit_synack()

This tracepoint can be used to trace synack retransmits. It maintains
pointer to struct request_sock.

We cannot simply reuse trace_tcp_retransmit_skb() here, because the
sk here is the LISTEN socket. The IP addresses and ports should be
extracted from struct request_sock.

Note that, like many other tracepoints, this patch uses IS_ENABLED
in TP_fast_assign macro, which triggers sparse warning like:

./include/trace/events/tcp.h:274:1: error: directive in argument list
./include/trace/events/tcp.h:281:1: error: directive in argument list

However, there is no good solution to avoid these warnings. To the
best of our knowledge, these warnings are harmless.

Signed-off-by: Song Liu <songliubraving@fb.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoipv6: Implement limits on Hop-by-Hop and Destination options
Tom Herbert [Mon, 30 Oct 2017 21:16:00 +0000 (14:16 -0700)]
ipv6: Implement limits on Hop-by-Hop and Destination options

RFC 8200 (IPv6) defines Hop-by-Hop options and Destination options
extension headers. Both of these carry a list of TLVs which is
only limited by the maximum length of the extension header (2048
bytes). By the spec a host must process all the TLVs in these
options, however these could be used as a fairly obvious
denial of service attack. I think this could in fact be
a significant DOS vector on the Internet, one mitigating
factor might be that many FWs drop all packets with EH (and
obviously this is only IPv6) so an Internet wide attack might not
be so effective (yet!).

By my calculation, the worse case packet with TLVs in a standard
1500 byte MTU packet that would be processed by the stack contains
1282 invidual TLVs (including pad TLVS) or 724 two byte TLVs. I
wrote a quick test program that floods a whole bunch of these
packets to a host and sure enough there is substantial time spent
in ip6_parse_tlv. These packets contain nothing but unknown TLVS
(that are ignored), TLV padding, and bogus UDP header with zero
payload length.

  25.38%  [kernel]                    [k] __fib6_clean_all
  21.63%  [kernel]                    [k] ip6_parse_tlv
   4.21%  [kernel]                    [k] __local_bh_enable_ip
   2.18%  [kernel]                    [k] ip6_pol_route.isra.39
   1.98%  [kernel]                    [k] fib6_walk_continue
   1.88%  [kernel]                    [k] _raw_write_lock_bh
   1.65%  [kernel]                    [k] dst_release

This patch adds configurable limits to Destination and Hop-by-Hop
options. There are three limits that may be set:
  - Limit the number of options in a Hop-by-Hop or Destination options
    extension header.
  - Limit the byte length of a Hop-by-Hop or Destination options
    extension header.
  - Disallow unrecognized options in a Hop-by-Hop or Destination
    options extension header.

The limits are set in corresponding sysctls:

  ipv6.sysctl.max_dst_opts_cnt
  ipv6.sysctl.max_hbh_opts_cnt
  ipv6.sysctl.max_dst_opts_len
  ipv6.sysctl.max_hbh_opts_len

If a max_*_opts_cnt is less than zero then unknown TLVs are disallowed.
The number of known TLVs that are allowed is the absolute value of
this number.

If a limit is exceeded when processing an extension header the packet is
dropped.

Default values are set to 8 for options counts, and set to INT_MAX
for maximum length. Note the choice to limit options to 8 is an
arbitrary guess (roughly based on the fact that the stack supports
three HBH options and just one destination option).

These limits have being proposed in draft-ietf-6man-rfc6434-bis.

Tested (by Martin Lau)

I tested out 1 thread (i.e. one raw_udp process).

I changed the net.ipv6.max_dst_(opts|hbh)_number between 8 to 2048.
With sysctls setting to 2048, the softirq% is packed to 100%.
With 8, the softirq% is almost unnoticable from mpstat.

v2;
  - Code and documention cleanup.
  - Change references of RFC2460 to be RFC8200.
  - Add reference to RFC6434-bis where the limits will be in standard.

Signed-off-by: Tom Herbert <tom@quantonium.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'hns3-add-support-for-reset'
David S. Miller [Thu, 2 Nov 2017 12:28:36 +0000 (21:28 +0900)]
Merge branch 'hns3-add-support-for-reset'

Lipeng says:

====================
net: hns3: add support for reset

There are 4 reset types for HNS3 PF driver, include global reset,
core reset, IMP reset, PF reset.The core reset will reset all datapath
of all functions except IMP, MAC and PCI interface. Global reset is equal
with the core reset plus all MAC reset. IMP reset is caused by watchdog
timer expiration, the same range with core reset. PF reset will reset
whole physical function.

This patchset adds reset support for hns3 driver and fix some related bugs.

---
Change log:
V1 -> V2:
1, fix some comments from Yunsheng Lin.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: hns3:fix a bug about statistic counter in reset process
qumingguang [Thu, 2 Nov 2017 12:45:23 +0000 (20:45 +0800)]
net: hns3: hns3:fix a bug about statistic counter in reset process

All member of Struct hdev->hw_stats is initialized to 0 as hdev is
allocated by devm_kzalloc. But in reset process, hdev will not be
allocated again, so need clear hdev->hw_stats in reset process, otherwise
the statistic will be wrong after reset. This patch set all of the
statistic counters to zero after reset.

Signed-off-by: qumingguang <qumingguang@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: Fix a misuse to devm_free_irq
qumingguang [Thu, 2 Nov 2017 12:45:22 +0000 (20:45 +0800)]
net: hns3: Fix a misuse to devm_free_irq

we should use free_irq to free the nic irq during the unloading time.
because we use request_irq to apply it when nic up. It will crash if
up net device after reset the port. This patch fixes the issue.

Signed-off-by: qumingguang <qumingguang@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: Add reset interface implementation in client
Lipeng [Thu, 2 Nov 2017 12:45:21 +0000 (20:45 +0800)]
net: hns3: Add reset interface implementation in client

This patch implement the interface of reset notification in hns3_enet,
it will do resetting business which include shutdown nic device,
free and initialize client side resource.

Signed-off-by: qumingguang <qumingguang@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: Add timeout process in hns3_enet
Lipeng [Thu, 2 Nov 2017 12:45:20 +0000 (20:45 +0800)]
net: hns3: Add timeout process in hns3_enet

This patch add timeout handler in hns3_enet.c to handle
TX side timeout event, when TX timeout event occur, it will triger
NIC driver into reset process.

Signed-off-by: qumingguang <qumingguang@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: Add reset process in hclge_main
Lipeng [Thu, 2 Nov 2017 12:45:19 +0000 (20:45 +0800)]
net: hns3: Add reset process in hclge_main

This patch adds reset support for PF,it include : global reset, core reset,
IMP reset, PF reset.The core reset will Reset all datapath of all functions
except IMP, MAC and PCI interface. Global reset is equal with the core
reset plus all MAC reset. IMP reset is caused by watchdog timer expiration,
the same with core reset in the reset flow. PF reset will reset whole
physical function.

Signed-off-by: qumingguang <qumingguang@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: Add support for misc interrupt
Lipeng [Thu, 2 Nov 2017 12:45:18 +0000 (20:45 +0800)]
net: hns3: Add support for misc interrupt

This patch adds initialization and deinitialization for misc interrupt.
This interrupt will be used to handle reset message(IRQ).

Signed-off-by: qumingguang <qumingguang@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: Refactor the initialization of command queue
Lipeng [Thu, 2 Nov 2017 12:45:17 +0000 (20:45 +0800)]
net: hns3: Refactor the initialization of command queue

There is no necessary to reallocate the descriptor and remap the descriptor
memory in reset process, But there is still some other action exist in both
reset process and initialization process.

To reuse the common interface in reset process and initialization process,
This patch moves out the descriptor allocate and memory maping from
interface cmdq_init.

Signed-off-by: qumingguang <qumingguang@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: Refactor mac_init function
qumingguang [Thu, 2 Nov 2017 12:45:16 +0000 (20:45 +0800)]
net: hns3: Refactor mac_init function

It needs initialize mdio in initialization process, but reset process
does not reset mdio, so do not initialize mdio in reset process.
This patch move out the mdio configuration function from the mac_init.
So mac_init can be used both in reset process and initialization process.

Signed-off-by: qumingguang <qumingguang@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: Refactor the mapping of tqp to vport
Lipeng [Thu, 2 Nov 2017 12:45:15 +0000 (20:45 +0800)]
net: hns3: Refactor the mapping of tqp to vport

This patch refactor the mapping of tqp to vport, making the maping function
can be used both in the reset process and initialization process.

Signed-off-by: qumingguang <qumingguang@huawei.com>
Signed-off-by: Lipeng <lipeng321@huawei.com>
Signed-off-by: Yunsheng Lin <linyunsheng@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: seeq: fix timer conversion
Arnd Bergmann [Thu, 2 Nov 2017 11:13:36 +0000 (12:13 +0100)]
net: seeq: fix timer conversion

One of the timer conversion patches evidently escaped build testing
until I ran into in on ARM randconfig builds:

drivers/net/ethernet/seeq/ether3.c: In function 'ether3_ledoff':
drivers/net/ethernet/seeq/ether3.c:175:40: error: 'priv' undeclared (first use in this function); did you mean 'pid'?
drivers/net/ethernet/seeq/ether3.c:176:27: error: initialization from incompatible pointer type [-Werror=incompatible-pointer-types]

This fixes the two small typos that caused the problems.

Fixes: 6fd9c53f7186 ("net: seeq: Convert timers to use timer_setup()")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: dsa: lan9303: Added Documentation/networking/dsa/lan9303.txt
Egil Hjelmeland [Thu, 2 Nov 2017 09:20:58 +0000 (10:20 +0100)]
net: dsa: lan9303: Added Documentation/networking/dsa/lan9303.txt

Provide a rough overview of the state of the driver. And explain that the
driver operates in two modes: bridged and port-separated.

Signed-off-by: Egil Hjelmeland <egil.hjelmeland@zenitel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'nfp-TC-block-fixes-app-fallback-and-dev_alloc'
David S. Miller [Thu, 2 Nov 2017 11:27:12 +0000 (20:27 +0900)]
Merge branch 'nfp-TC-block-fixes-app-fallback-and-dev_alloc'

Jakub Kicinski says:

====================
nfp: TC block fixes, app fallback and dev_alloc()

This series has three parts.  First of all John and I fix some
fallout from the TC block conversion.  John also fixes sleeping
in the neigh notifier.

Secondly I reorganise the nfp_app table to make it easier to
deal with excluding apps which have unmet Kconfig dependencies.

Last but not least after the fixes which went into -net some time
ago I refactor the page allocation, add a ethtool counter for
failed allocations and clean the ethtool stat code while at it.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: improve defines for constants in ethtool
Jakub Kicinski [Thu, 2 Nov 2017 08:31:36 +0000 (01:31 -0700)]
nfp: improve defines for constants in ethtool

We split rvector stats into two categories - per queue and
stats which are added up into one total counter.  Improve
the defines denoting their number.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: use a counter instead of log message for allocation failures
Jakub Kicinski [Thu, 2 Nov 2017 08:31:35 +0000 (01:31 -0700)]
nfp: use a counter instead of log message for allocation failures

Add a counter incremented when allocation of replacement
RX page fails.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: switch to dev_alloc_page()
Jakub Kicinski [Thu, 2 Nov 2017 08:31:34 +0000 (01:31 -0700)]
nfp: switch to dev_alloc_page()

Use the dev_alloc_page() networking helper to allocate pages
for RX packets.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: bpf: fall back to core NIC app if BPF not selected
Jakub Kicinski [Thu, 2 Nov 2017 08:31:33 +0000 (01:31 -0700)]
nfp: bpf: fall back to core NIC app if BPF not selected

If kernel config does not include BPF just replace the BPF
app handler with the handler for basic NIC.  The BPF app
will now be built only if BPF infrastructure is selected
in kernel config.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: reorganize the app table
Jakub Kicinski [Thu, 2 Nov 2017 08:31:32 +0000 (01:31 -0700)]
nfp: reorganize the app table

The app table is an unordered array right now.  We have to search
apps by ID.  It also makes it harder to fall back to core NIC if
advanced functions are not compiled into the kernel (e.g. eBPF).
Make the table keyed by app id.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: bpf: reject TC offload if XDP loaded
Jakub Kicinski [Thu, 2 Nov 2017 08:31:31 +0000 (01:31 -0700)]
nfp: bpf: reject TC offload if XDP loaded

Recent TC changes dropped the check protecting us from trying
to offload a TC program if XDP programs are already loaded.

Fixes: 90d97315b3e7 ("nfp: bpf: Convert ndo_setup_tc offloads to block callbacks")
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: flower: vxlan - ensure no sleep in atomic context
John Hurley [Thu, 2 Nov 2017 08:31:30 +0000 (01:31 -0700)]
nfp: flower: vxlan - ensure no sleep in atomic context

Functions called by the netevent notifier must be in atomic context.
Change the mutex to spinlock and ensure mem allocations are done with the
atomic flag.
Also, remove unnecessary locking after notifiers are unregistered.

Signed-off-by: John Hurley <john.hurley@netronome.com>
Reviewed-by: Simon Horman <simon.horman@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: flower: app should use struct nfp_repr
John Hurley [Thu, 2 Nov 2017 08:31:29 +0000 (01:31 -0700)]
nfp: flower: app should use struct nfp_repr

Ensure priv netdev data in flower app is cast to nfp_repr and not nfp_net
as in other apps.

Fixes: 363fc53b8b58 ("nfp: flower: Convert ndo_setup_tc offloads to block callbacks")
Signed-off-by: John Hurley <john.hurley@netronome.com>
Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agotools: bpf: handle long path in jit disasm
Prashant Bhole [Thu, 2 Nov 2017 08:09:45 +0000 (17:09 +0900)]
tools: bpf: handle long path in jit disasm

Use PATH_MAX instead of hardcoded array size 256

Signed-off-by: Prashant Bhole <bhole_prashant_q7@lab.ntt.co.jp>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoliquidio: synchronize VF representor names with NIC firmware
Vijaya Mohan Guvva [Wed, 1 Nov 2017 23:19:49 +0000 (16:19 -0700)]
liquidio: synchronize VF representor names with NIC firmware

LiquidIO firmware supports a vswitch that needs to know the names of the
VF representors in the host to maintain compatibility for direct
programming using external Openflow agents.  So, for each VF representor,
send its name to the firmware when it gets registered and when its name
changes.

Signed-off-by: Vijaya Mohan Guvva <vijaya.guvva@cavium.com>
Signed-off-by: Raghu Vatsavayi <raghu.vatsavayi@cavium.com>
Signed-off-by: Felix Manlunas <felix.manlunas@cavium.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'BPF-range-marking-improvements-for-meta-data'
David S. Miller [Thu, 2 Nov 2017 08:01:39 +0000 (17:01 +0900)]
Merge branch 'BPF-range-marking-improvements-for-meta-data'

Daniel Borkmann says:

====================
BPF range marking improvements for meta data

The set contains improvements for direct packet access range
markings related to data_meta pointer and test cases for all
such access patterns that the verifier matches on.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: add test cases to bpf selftests to cover all meta tests
Daniel Borkmann [Wed, 1 Nov 2017 22:58:11 +0000 (23:58 +0100)]
bpf: add test cases to bpf selftests to cover all meta tests

Lets also add test cases to cover all possible data_meta access tests
for good/bad access cases so we keep tracking them.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: also improve pattern matches for meta access
Daniel Borkmann [Wed, 1 Nov 2017 22:58:10 +0000 (23:58 +0100)]
bpf: also improve pattern matches for meta access

Follow-up to 0fd4759c5515 ("bpf: fix pattern matches for direct
packet access") to cover also the remaining data_meta/data matches
in the verifier. The matches are also refactored a bit to simplify
handling of all the cases.

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: minor cleanups after merge
Daniel Borkmann [Wed, 1 Nov 2017 22:58:09 +0000 (23:58 +0100)]
bpf: minor cleanups after merge

Two minor cleanups after Dave's recent merge in f8ddadc4db6c
("Merge git://git.kernel.org...") of net into net-next in
order to get the code in line with what was done originally
in the net tree: i) use max() instead of max_t() since both
ranges are u16, ii) don't split the direct access test cases
in the middle with bpf_exit test cases from 390ee7e29fc
("bpf: enforce return code for cgroup-bpf programs").

Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosecurity: bpf: replace include of linux/bpf.h with forward declarations
Jakub Kicinski [Wed, 1 Nov 2017 18:48:00 +0000 (11:48 -0700)]
security: bpf: replace include of linux/bpf.h with forward declarations

Touching linux/bpf.h makes us rebuild a surprisingly large
portion of the kernel.  Remove the unnecessary dependency
from security.h, it only needs forward declarations.

Signed-off-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Acked-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: systemport: Only inspect valid switch port & queues
Florian Fainelli [Wed, 1 Nov 2017 18:29:47 +0000 (11:29 -0700)]
net: systemport: Only inspect valid switch port & queues

Hesoteric board configurations where port 0 is not available would still
make SYSTEMPORT inspect the switch port 0, queue 0, which, not being
enabled, would cause transmit timeouts over time. Just ignore those
unconfigured rings instead.

Fixes: 84ff33eeb23d ("net: systemport: Establish DSA network device queue mapping")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'nfp-bpf-rename-ALU_OP_NEG-and-support-BPF_NEG'
David S. Miller [Thu, 2 Nov 2017 07:47:30 +0000 (16:47 +0900)]
Merge branch 'nfp-bpf-rename-ALU_OP_NEG-and-support-BPF_NEG'

Jakub Kicinski says:

====================
nfp: bpf: rename ALU_OP_NEG and support BPF_NEG

Jiong says:

  Compilers are starting to use BPF_NEG, for example LLVM. However, NFP
does not support JITing it. This patch set adds this. Unit test is added
as well.

  Meanwhile, the current NFP_ALU_NEG is actually doing bitwise NOT (one's
complement) operation, so the name is misleading. This patch set corrects
this.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: bpf: support [BPF_ALU | BPF_ALU64] | BPF_NEG
Jiong Wang [Wed, 1 Nov 2017 17:38:25 +0000 (10:38 -0700)]
nfp: bpf: support [BPF_ALU | BPF_ALU64] | BPF_NEG

This patch supports BPF_NEG under both BPF_ALU64 and BPF_ALU. LLVM recently
starts to generate it.

NOTE: BPF_NEG takes single operand which is an register and serve as both
input and output.

Signed-off-by: Jiong Wang <jiong.wang@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonfp: bpf: rename ALU_OP_NEG to ALU_OP_NOT
Jiong Wang [Wed, 1 Nov 2017 17:38:24 +0000 (10:38 -0700)]
nfp: bpf: rename ALU_OP_NEG to ALU_OP_NOT

The current ALU_OP_NEG is Op encoding 0x4 for NPF ALU instruction. It is
actually performing "~B" operation which is bitwise NOT.

The using naming ALU_OP_NEG is misleading as NEG is -B which is not the
same as ~B.

Signed-off-by: Jiong Wang <jiong.wang@netronome.com>
Reviewed-by: Jakub Kicinski <jakub.kicinski@netronome.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'dpaa-cleanups'
David S. Miller [Thu, 2 Nov 2017 07:15:26 +0000 (16:15 +0900)]
Merge branch 'dpaa-cleanups'

yuan linyu says:

====================
net: dpaa: two minor cleanup

original i try to remove duplicate code which clean allocated per-cpu area,
thanks to David S. Miller, there are two build warning as errors.
path 1: fix old code maybe-uninitialized warning.
path 2: remove duplicate code and fix unused var warning.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: dpaa: remove init which already done in per-cpu allocation
yuan linyu [Wed, 1 Nov 2017 13:11:11 +0000 (21:11 +0800)]
net: dpaa: remove init which already done in per-cpu allocation

Signed-off-by: yuan linyu <Linyu.Yuan@alcatel-sbell.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: dpaa: fix maybe uninitialized var in dpaa_open()
yuan linyu [Wed, 1 Nov 2017 13:10:32 +0000 (21:10 +0800)]
net: dpaa: fix maybe uninitialized var in dpaa_open()

Signed-off-by: yuan linyu <Linyu.Yuan@alcatel-sbell.com.cn>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: cpumap micro-optimization in cpu_map_enqueue
Jesper Dangaard Brouer [Wed, 1 Nov 2017 11:44:45 +0000 (12:44 +0100)]
bpf: cpumap micro-optimization in cpu_map_enqueue

Discovered that the compiler laid-out asm code in suboptimal way
when studying perf report during benchmarking of cpumap. Help
the compiler by the marking unlikely code paths.

Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'net-sched-block-callbacks-follow-up'
David S. Miller [Thu, 2 Nov 2017 07:10:40 +0000 (16:10 +0900)]
Merge branch 'net-sched-block-callbacks-follow-up'

Jiri Pirko says:

====================
net: sched: block callbacks follow-up

This patchset does a bit of cleanup of leftovers after block callbacks
patchset. The main part is patch 2, which restores the original handling
of tc offload feature flag.

---
v1->v2:
- rebased on top of current net-next (bnxt changes)
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: sched: remove ndo_setup_tc check from tc_can_offload
Jiri Pirko [Wed, 1 Nov 2017 10:47:41 +0000 (11:47 +0100)]
net: sched: remove ndo_setup_tc check from tc_can_offload

Since tc_can_offload is always called from block callback or egdev
callback, no need to check if ndo_setup_tc exists.

Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: sched: remove tc_can_offload check from egdev call
Jiri Pirko [Wed, 1 Nov 2017 10:47:40 +0000 (11:47 +0100)]
net: sched: remove tc_can_offload check from egdev call

Since the only user, mlx5 driver does the check in
mlx5e_setup_tc_block_cb, no need to check here.

Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: sched: move the can_offload check from binding phase to rule insertion phase
Jiri Pirko [Wed, 1 Nov 2017 10:47:39 +0000 (11:47 +0100)]
net: sched: move the can_offload check from binding phase to rule insertion phase

This restores the original behaviour before the block callbacks were
introduced. Allow the drivers to do binding of block always, no matter
if the NETIF_F_HW_TC feature is on or off. Move the check to the block
callback which is called for rule insertion.

Reported-by: Alexander Duyck <alexander.duyck@gmail.com>
Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: sched: remove unused tc_should_offload helper
Jiri Pirko [Wed, 1 Nov 2017 10:47:38 +0000 (11:47 +0100)]
net: sched: remove unused tc_should_offload helper

tc_should_offload is no longer used, remove it.

Signed-off-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: bridge: add notifications for the bridge dev on vlan change
Nikolay Aleksandrov [Wed, 1 Nov 2017 10:18:13 +0000 (12:18 +0200)]
net: bridge: add notifications for the bridge dev on vlan change

Currently the bridge device doesn't generate any notifications upon vlan
modifications on itself because it doesn't use the generic bridge
notifications.
With the recent changes we know if anything was modified in the vlan config
thus we can generate a notification when necessary for the bridge device
so add support to br_ifinfo_notify() similar to how other combined
functions are done - if port is present it takes precedence, otherwise
notify about the bridge. I've explicitly marked the locations where the
notification should be always for the port by setting bridge to NULL.
I've also taken the liberty to rearrange each modified function's local
variables in reverse xmas tree as well.

Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: hns3: remove a couple of redundant assignments
Colin Ian King [Wed, 1 Nov 2017 10:17:15 +0000 (10:17 +0000)]
net: hns3: remove a couple of redundant assignments

The assignment to kinfo is redundant as this is a duplicate of
the initialiation of kinfo a few lines earlier, so it can be
removed.  The assignment to v_tc_info is never read, so this
variable is redundant and can be removed completely. Cleans
up two clang warnings:

drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c:433:34:
warning: Value stored to 'kinfo' during its initialization is never read
drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c:775:3:
warning: Value stored to 'v_tc_info' is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoliquidio: remove redundant setting of inst_processed to zero
Colin Ian King [Wed, 1 Nov 2017 09:09:13 +0000 (09:09 +0000)]
liquidio: remove redundant setting of inst_processed to zero

The zero value assigned to inst_processed at the end of each
iteration of the do-while loop is overwritten on the next iteration
and hence it is a redundant assignment and can be removed. Cleans
up clang warning:

drivers/net/ethernet/cavium/liquidio/request_manager.c:480:3:
warning: Value stored to 'inst_processed' is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agonet: dl2k: remove redundant re-assignment to np
Colin Ian King [Wed, 1 Nov 2017 08:57:37 +0000 (08:57 +0000)]
net: dl2k: remove redundant re-assignment to np

The pointer np is initialized and then re-assigned the same value
a few lines later. Remove the redundant duplicated assignment. Cleans
up clang warning:

drivers/net/ethernet/dlink/dl2k.c:314:25: warning: Value stored to
'np' during its initialization is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agowan: wanxl: remove redundant assignment to stat
Colin Ian King [Wed, 1 Nov 2017 08:49:45 +0000 (08:49 +0000)]
wan: wanxl: remove redundant assignment to stat

stat set to zero and the value is never read, instead stat is
set again in the do-loop. Hence the setting to zero is redundant
and can be removed. Cleans up clang warning:

drivers/net/wan/wanxl.c:737:2: warning: Value stored to 'stat'
is never read

Signed-off-by: Colin Ian King <colin.king@canonical.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
David S. Miller [Thu, 2 Nov 2017 05:59:52 +0000 (14:59 +0900)]
Merge git://git./linux/kernel/git/davem/net

Smooth Cong Wang's bug fix into 'net-next'.  Basically put
the bulk of the tcf_block_put() logic from 'net' into
tcf_block_put_ext(), but after the offload unbind.

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'samples-pktgen-updates'
David S. Miller [Thu, 2 Nov 2017 05:19:53 +0000 (14:19 +0900)]
Merge branch 'samples-pktgen-updates'

Jesper Dangaard Brouer says:

====================
Updates for samples/pktgen

This patchset updates samples/pktgen and synchronize with changes
maintained in https://github.com/netoptimizer/network-testing/

Features wise Robert Hoo <robert.hu@intel.com> added support for
detecting and determining dev NUMA node IRQs, and added a new script
named pktgen_sample06_numa_awared_queue_irq_affinity.sh that use these
features.

Cleanup remove last of the old sample files, as IPv6 is covered by
existing sample code.
====================

Acked-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosamples/pktgen: remove remaining old pktgen sample scripts
Jesper Dangaard Brouer [Wed, 1 Nov 2017 10:41:24 +0000 (11:41 +0100)]
samples/pktgen: remove remaining old pktgen sample scripts

Since commit 0f06a6787e05 ("samples: Add an IPv6 '-6' option to the
pktgen scripts") the newer pktgen_sampleXX script does show howto use
IPv6 with pktgen.

Thus, there is no longer a reason to keep the older sample scripts around.

Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosamples/pktgen: update sample03, no need for clones when bursting
Jesper Dangaard Brouer [Wed, 1 Nov 2017 10:41:19 +0000 (11:41 +0100)]
samples/pktgen: update sample03, no need for clones when bursting

Like sample05, don't use pktgen clone_skb feature when using 'burst' feature,
it is not really needed.  This brings the burst users in sync.

Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosamples/pktgen: add script pktgen_sample06_numa_awared_queue_irq_affinity.sh
Robert Hoo [Wed, 1 Nov 2017 10:41:14 +0000 (11:41 +0100)]
samples/pktgen: add script pktgen_sample06_numa_awared_queue_irq_affinity.sh

This script simply does:

* Detect $DEV's NUMA node belonging.

* Bind each thread (processor of NUMA locality) with each $DEV queue's
  irq affinity, 1:1 mapping.

* How many '-t' threads input determines how many queues will be utilized.

If '-f' designates first cpu id, then offset in the NUMA node's cpu list.

(Changes by Jesper: allow changing count from cmdline via '-n')

Signed-off-by: Robert Hoo <robert.hu@intel.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agosamples/pktgen: Add some helper functions
Robert Hoo [Wed, 1 Nov 2017 10:41:09 +0000 (11:41 +0100)]
samples/pktgen: Add some helper functions

1. given a device, get its NUMA belongings
2. given a device, get its queues' irq numbers.
3. given a NUMA node, get its cpu id list.

Signed-off-by: Robert Hoo <robert.hu@intel.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'enic-Additional-ethtool-support'
David S. Miller [Thu, 2 Nov 2017 05:17:12 +0000 (14:17 +0900)]
Merge branch 'enic-Additional-ethtool-support'

Parvi Kaustubhi says:

====================
enic: Additional ethtool support

This patch set allows the user to show or modify rx/tx ring sizes using
ethtool.

v2:
- remove unused variable to fix build warning.
- update list of maintainers for cisco vic ethernet nic driver.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMAINTAINERS: update MAINTAINERS for cisco vic
Parvi Kaustubhi [Wed, 1 Nov 2017 15:44:48 +0000 (08:44 -0700)]
MAINTAINERS: update MAINTAINERS for cisco vic

Add myself to list of maintainers for cisco vic ethernet nic driver. Remove
Neel as he left.

Signed-off-by: Parvi Kaustubhi <pkaustub@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoenic: Add support for 'ethtool -g/-G'
Parvi Kaustubhi [Wed, 1 Nov 2017 15:44:47 +0000 (08:44 -0700)]
enic: Add support for 'ethtool -g/-G'

Add support for displaying and modifying rx and tx ring sizes using
ethtool.

Also, increasing version to  2.3.0.45

Signed-off-by: Parvi Kaustubhi <pkaustub@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoenic: reset fetch index
Parvi Kaustubhi [Wed, 1 Nov 2017 15:44:46 +0000 (08:44 -0700)]
enic: reset fetch index

Since we are allowing rx ring size modification, reset fetch index
everytime. Otherwise it could have a stale value that can lead to a null
pointer dereference.

Signed-off-by: Govindarajulu Varadarajan <gvaradar@cisco.com>
Signed-off-by: Parvi Kaustubhi <pkaustub@cisco.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agoMerge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm...
Linus Torvalds [Wed, 1 Nov 2017 23:04:27 +0000 (16:04 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/ebiederm/user-namespace

Pull signal bugfix from Eric Biederman:
 "When making the generic support for SIGEMT conditional on the presence
  of SIGEMT I made a typo that causes it to fail to activate. It was
  noticed comparatively quickly but the bug report just made it to me
  today"

* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace:
  signal: Fix name of SIGEMT in #if defined() check

7 years agosignal: Fix name of SIGEMT in #if defined() check
Andrew Clayton [Wed, 1 Nov 2017 15:49:59 +0000 (15:49 +0000)]
signal: Fix name of SIGEMT in #if defined() check

Commit cc731525f26a ("signal: Remove kernel interal si_code magic")
added a check for SIGMET and NSIGEMT being defined. That SIGMET should
in fact be SIGEMT, with SIGEMT being defined in
arch/{alpha,mips,sparc}/include/uapi/asm/signal.h

This was actually pointed out by BenHutchings in a lwn.net comment
here https://lwn.net/Comments/734608/

Fixes: cc731525f26a ("signal: Remove kernel interal si_code magic")
Signed-off-by: Andrew Clayton <andrew@digital-domain.net>
Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
7 years agoMerge branch 'for-linus' of git://git.kernel.dk/linux-block
Linus Torvalds [Wed, 1 Nov 2017 21:46:38 +0000 (14:46 -0700)]
Merge branch 'for-linus' of git://git.kernel.dk/linux-block

Pull block fixes from Jens Axboe:
 "A few fixes that should go into this series:

   - Regression fix for ide-cd, ensuring that a request is fully
     initialized. From Hongxu.

   - Ditto fix for virtio_blk, from Bart.

   - NVMe fix from Keith, ensuring that we set the right block size on
     revalidation. If the block size changed, we'd be in trouble without
     it.

   - NVMe rdma fix from Sagi, fixing a potential hang while the
     controller is being removed"

* 'for-linus' of git://git.kernel.dk/linux-block:
  ide:ide-cd: fix kernel panic resulting from missing scsi_req_init
  nvme: Fix setting logical block format when revalidating
  virtio_blk: Fix an SG_IO regression
  nvme-rdma: fix possible hang when issuing commands during ctrl removal

7 years agoMerge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net
Linus Torvalds [Wed, 1 Nov 2017 15:29:01 +0000 (08:29 -0700)]
Merge git://git./linux/kernel/git/davem/net

Pull networking fixes from David Miller:

 1) Fix refcounting in xfrm_bundle_lookup() when using a dummy bundle,
    from Steffen Klassert.

 2) Fix crypto header handling in rx data frames in ath10k driver, from
    Vasanthakumar Thiagarajan.

 3) Fix use after free of qdisc when we defer tcp_chain_flush() to a
    workqueue. From Cong Wang.

 4) Fix double free in lapbether driver, from Pan Bian.

 5) Sanitize TUNSETSNDBUF values, from Craig Gallek.

 6) Fix refcounting when addrconf_permanent_addr() calls
    ipv6_del_addr(). From Eric Dumazet.

 7) Fix MTU probing bug in TCP that goes back to 2007, from Eric
    Dumazet.

* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net:
  tcp: fix tcp_mtu_probe() vs highest_sack
  ipv6: addrconf: increment ifp refcount before ipv6_del_addr()
  tun/tap: sanitize TUNSETSNDBUF input
  mlxsw: i2c: Fix buffer increment counter for write transaction
  mlxsw: reg: Add high and low temperature thresholds
  MAINTAINERS: Remove Yotam from mlxfw
  MAINTAINERS: Update Yotam's E-mail
  net: hns: set correct return value
  net: lapbether: fix double free
  bpf: remove SK_REDIRECT from UAPI
  net: phy: marvell: Only configure RGMII delays when using RGMII
  xfrm: Fix GSO for IPsec with GRE tunnel.
  tc-testing: fix arg to ip command: -s -> -n
  net_sched: remove tcf_block_put_deferred()
  l2tp: hold tunnel in pppol2tp_connect()
  Revert "ath10k: fix napi_poll budget overflow"
  ath10k: rebuild crypto header in rx data frames
  wcn36xx: Remove unnecessary rcu_read_unlock in wcn36xx_bss_info_changed
  xfrm: Clear sk_dst_cache when applying per-socket policy.
  xfrm: Fix xfrm_dst_cache memleak

7 years agox86/mm: fix use-after-free of vma during userfaultfd fault
Vlastimil Babka [Wed, 1 Nov 2017 07:21:25 +0000 (08:21 +0100)]
x86/mm: fix use-after-free of vma during userfaultfd fault

Syzkaller with KASAN has reported a use-after-free of vma->vm_flags in
__do_page_fault() with the following reproducer:

  mmap(&(0x7f0000000000/0xfff000)=nil, 0xfff000, 0x3, 0x32, 0xffffffffffffffff, 0x0)
  mmap(&(0x7f0000011000/0x3000)=nil, 0x3000, 0x1, 0x32, 0xffffffffffffffff, 0x0)
  r0 = userfaultfd(0x0)
  ioctl$UFFDIO_API(r0, 0xc018aa3f, &(0x7f0000002000-0x18)={0xaa, 0x0, 0x0})
  ioctl$UFFDIO_REGISTER(r0, 0xc020aa00, &(0x7f0000019000)={{&(0x7f0000012000/0x2000)=nil, 0x2000}, 0x1, 0x0})
  r1 = gettid()
  syz_open_dev$evdev(&(0x7f0000013000-0x12)="2f6465762f696e7075742f6576656e742300", 0x0, 0x0)
  tkill(r1, 0x7)

The vma should be pinned by mmap_sem, but handle_userfault() might (in a
return to userspace scenario) release it and then acquire again, so when
we return to __do_page_fault() (with other result than VM_FAULT_RETRY),
the vma might be gone.

Specifically, per Andrea the scenario is
 "A return to userland to repeat the page fault later with a
  VM_FAULT_NOPAGE retval (potentially after handling any pending signal
  during the return to userland). The return to userland is identified
  whenever FAULT_FLAG_USER|FAULT_FLAG_KILLABLE are both set in
  vmf->flags"

However, since commit a3c4fb7c9c2e ("x86/mm: Fix fault error path using
unsafe vma pointer") there is a vma_pkey() read of vma->vm_flags after
that point, which can thus become use-after-free.  Fix this by moving
the read before calling handle_mm_fault().

Reported-by: syzbot <bot+6a5269ce759a7bb12754ed9622076dc93f65a1f6@syzkaller.appspotmail.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Suggested-by: Kirill A. Shutemov <kirill@shutemov.name>
Fixes: 3c4fb7c9c2e ("x86/mm: Fix fault error path using unsafe vma pointer")
Reviewed-by: Andrea Arcangeli <aarcange@redhat.com>
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
7 years agoMerge tag 'smb3-file-name-too-long-fix' of git://git.samba.org/sfrench/cifs-2.6
Linus Torvalds [Wed, 1 Nov 2017 14:59:39 +0000 (07:59 -0700)]
Merge tag 'smb3-file-name-too-long-fix' of git://git.samba.org/sfrench/cifs-2.6

Pull cifs fix from Steve French:
 "smb3 file name too long fix"

* tag 'smb3-file-name-too-long-fix' of git://git.samba.org/sfrench/cifs-2.6:
  cifs: check MaxPathNameComponentLength != 0 before using it

7 years agoide:ide-cd: fix kernel panic resulting from missing scsi_req_init
Hongxu Jia [Tue, 31 Oct 2017 07:39:40 +0000 (15:39 +0800)]
ide:ide-cd: fix kernel panic resulting from missing scsi_req_init

Since we split the scsi_request out of struct request, while the
standard prep_rq_fn builds 10 byte cmds, it missed to invoke
scsi_req_init() to initialize certain fields of a scsi_request
structure (.__cmd[], .cmd, .cmd_len and .sense_len but no other
members of struct scsi_request).

An example panic on virtual machines (qemu/virtualbox) to boot
from IDE cdrom:
...
[    8.754381] Call Trace:
[    8.755419]  blk_peek_request+0x182/0x2e0
[    8.755863]  blk_fetch_request+0x1c/0x40
[    8.756148]  ? ktime_get+0x40/0xa0
[    8.756385]  do_ide_request+0x37d/0x660
[    8.756704]  ? cfq_group_service_tree_add+0x98/0xc0
[    8.757011]  ? cfq_service_tree_add+0x1e5/0x2c0
[    8.757313]  ? ktime_get+0x40/0xa0
[    8.757544]  __blk_run_queue+0x3d/0x60
[    8.757837]  queue_unplugged+0x2f/0xc0
[    8.758088]  blk_flush_plug_list+0x1f4/0x240
[    8.758362]  blk_finish_plug+0x2c/0x40
...
[    8.770906] RIP: ide_cdrom_prep_fn+0x63/0x180 RSP: ffff92aec018bae8
[    8.772329] ---[ end trace 6408481e551a85c9 ]---
...

Fixes: 82ed4db499b8 ("block: split scsi_request out of struct request")
Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
7 years agoMerge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetoot...
David S. Miller [Wed, 1 Nov 2017 13:08:48 +0000 (22:08 +0900)]
Merge branch 'for-upstream' of git://git./linux/kernel/git/bluetooth/bluetooth-next

Johan Hedberg says:

====================
pull request: bluetooth-next 2017-11-01

Here's one more bluetooth-next pull request for the 4.15 kernel.

 - New NFA344A device entry for btusb drvier
 - Fix race conditions in hci_ldisc
 - Fix for isochronous interface assignments in btusb driver
 - A few other smaller fixes & improvements

Please let me know if there are any issues pulling. Thanks.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
7 years agobpf: fix verifier memory leaks
Alexei Starovoitov [Wed, 1 Nov 2017 07:08:04 +0000 (00:08 -0700)]
bpf: fix verifier memory leaks

fix verifier memory leaks

Fixes: 638f5b90d460 ("bpf: reduce verifier memory consumption")
Signed-off-by: Alexei Starovoitov <ast@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>